Sakura: A Flexible Coding for Tree Hashing

  • Guido Bertoni
  • Joan Daemen
  • Michaël Peeters
  • Gilles Van Assche
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8479)


We propose a flexible, fairly general, coding for tree hash modes. The coding does not define a tree hash mode, but instead specifies a way to format the message blocks and chaining values into inputs to the underlying function for any topology, including sequential hashing. The main benefit is to avoid input clashes between different tree growing strategies, even before the hashing modes are defined, and to make the SHA-3 standard tree-hashing ready.


Keywords: hash function, tree hashing, indifferentiability, SHA-3



Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Guido Bertoni (1)
  • Joan Daemen (1)
  • Michaël Peeters (2)
  • Gilles Van Assche (1)

  1. STMicroelectronics, Switzerland
  2. NXP Semiconductors, Belgium
