]>
KangarooTwelve and TurboSHAKEABN AMRO BankGroenelaan 2AmstelveenThe Netherlandscs.ru.nl@viguier.nlO(1) Labsdavidwong.crypto@gmail.comSTMicroelectronicsgilles.vanassche@st.comNational Institute of Standards and Technologyquynh.dang@nist.govRadboud Universityjoan@cs.ru.nlCrypto ForumKeccakSakuraKangarooTwelveTurboSHAKECryptographic HasheXtendable Output FunctionThis document defines three eXtendable Output Functions (XOF),
hash functions with output of arbitrary length, named TurboSHAKE128,
TurboSHAKE256 and KangarooTwelve.All three functions provide efficient and secure hashing primitives,
and the last is able to exploit the parallelism of the implementation
in a scalable way.This document builds up on the definitions of the permutations and of the
sponge construction in [FIPS 202], and is meant to serve as a stable reference
and an implementation guide.This document defines the TurboSHAKE128, TurboSHAKE256 and
KangarooTwelve eXtendable Output Functions (XOF),
i.e., a hash function generalization that can return an output of arbitrary length.
Both TurboSHAKE128 and TurboSHAKE256 are based on a Keccak-p permutation specified in and have a higher speed than the SHA-3 and SHAKE functions.TurboSHAKE is a sponge function family that makes use of Keccak-p[n_r=12,b=1600], a round-reduced
version of the permutation used in SHA-3. Similarly to the SHAKE's, it proposes two security strengths:
128 bits for TurboSHAKE128 and 256 bits for TurboSHAKE256.
Halving the number of rounds compared to the original SHAKE functions makes TurboSHAKE roughly twice
faster.The SHA-3 and SHAKE functions process data in a serial manner and are strongly
limited in exploiting available parallelism in modern CPU architectures.
Similar to ParallelHash , KangarooTwelve splits
the input message into fragments. It then applies TurboSHAKE128 on each of them
separately before applying TurboSHAKE128 again on the combination of the first
fragment and the digests.
It makes use of Sakura coding for ensuring soundness of the tree hashing
mode .
The use of TurboSHAKE128 in KangarooTwelve makes it faster than ParallelHash.The security of TurboSHAKE128, TurboSHAKE256 and KangarooTwelve builds up on the
scrutiny that Keccak has received since its
publication .With respect to and
functions, TurboSHAKE128, TurboSHAKE256 and KangarooTwelve feature the following advantages:Unlike SHA3-224, SHA3-256, SHA3-384, SHA3-512, the TurboSHAKE and
KangarooTwelve functions have an extendable output.Unlike any defined function, similarly to
functions defined in , KangarooTwelve
allows the use of a customization string.Unlike any and
functions but ParallelHash, KangarooTwelve exploits available parallelism.Unlike ParallelHash, KangarooTwelve does not have overhead when
processing short messages.The permutation in the TurboSHAKE functions has half
the number of rounds compared to the one in the SHA-3 and SHAKE functions,
making it faster than any function defined in .
KangarooTwelve immediately benefits from the same speed up, improving over
and .The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 .The following notations are used throughout the document:denotes a string of bytes given in
hexadecimal. For example, `0B 80`.denotes the length of a byte string `s`.
For example, |`FF FF`| = 2.denotes a byte string consisting of the concatenation
of b bytes `00`. For example, `00`^7 = `00 00 00 00 00 00 00`.denotes the empty byte-string.denotes the concatenation of two strings a and b.
For example, `10`||`F1` = `10 F1`denotes the selection of bytes from n (inclusive) to m
(exclusive) of a string s. The indexing of a byte-string starts at 0.
For example, for s = `A5 C6 D7`, s[0:1] = `A5` and s[1:3] = `C6 D7`.denotes the selection of bytes from n to the end of
a string s.
For example, for s = `A5 C6 D7`, s[0:] = `A5 C6 D7` and s[2:] = `D7`.In the following, x and y are byte strings of equal length: denotes x takes the value x XOR y. denotes x AND y.In the following, x and y are integers: denotes x takes the value x + y. denotes x takes the value x - y. denotes the exponentiation of x by y. denotes reminder of the division of x by y. denotes the integer dividend of the division of x by y.TurboSHAKE is a family of eXtendable Output Functions (XOF).
This document focuses on only two instances, namely, TurboSHAKE128 and TurboSHAKE256,
although the original definition includes a wider range of instances parameterized by their capacity .
An instance of TurboSHAKE takes as parameters a byte-string M, an OPTIONAL byte D and a positive integer L
where byte-string, is the Message and byte in the range [`01`, `02`, .. , `7F`], is an OPTIONAL Domain separation byte and positive integer, the requested number of output bytes.By default, the Domain separation byte is `1F`. For an API that
does not support a domain separation byte, D MUST be the `1F`.TurboSHAKE makes use of the permutation Keccak-p[1600,n_r=12],
i.e., the permutation used in SHAKE and SHA-3 functions reduced
to its last n_r=12 rounds and specified in FIPS 202, Sections
3.3 and 3.4 .
KP denotes this permutation.Similarly to SHAKE128, TurboSHAKE128 is a sponge function
calling this permutation KP with a rate of 168 bytes
or 1344 bits. It follows that TurboSHAKE128 has a capacity of
1600 - 1344 = 256 bits or 32 bytes. Respectively to SHAKE256, TurboSHAKE256 makes use
of a rate of 136 bytes or 1088 bits, and has a capacity of 512 bits or 64 bytes.We now describe the operations inside TurboSHAKE128.First the input M' is formed by appending the domain separation byte D to the message M.Non-multiple of 168-bytes-length M' are padded with zeroes to the next
multiple of 168 bytes while M' with length multiple of 168 bytes are kept as is.
Then a byte `80` is XORed to the last byte of the padded input M'
and the resulting string is split into a sequence of 168-byte blocks.
M' never has a length of 0 bytes due to the presence of the domain separation byte.As defined by the sponge construction, the process operates on a state
and consists of two phases: the absorbing phase that processes the padded input M'
and the squeezing phase that produces the output.In the absorbing phase the state is initialized to all-zero. The
message blocks are XORed into the first 168 bytes of the state.
Each block absorbed is followed with an application of KP to the state.In the squeezing phase output is formed by taking the first 168 bytes
of the state, repeated as many times as necessary until outputByteLen
bytes are obtained, interleaved with the application of KP to the state.TurboSHAKE256 performs the same steps but makes use of 136-byte blocks with respect
to padding, absorbing, and squeezing phases.The definition of the TurboSHAKE functions equivalently implements the pad10*1 rule.
While M can be empty, the D byte is always present and is in the `01`-`7F` range.
This last byte serves as domain separation and integrates the first bit of padding
of the pad10*1 rule (hence it cannot be `00`).
Additionally, it must leave room for the second bit of padding
(hence it cannot have the MSB set to 1), should it be the last byte of the block.
For more details, refer to Section 6.1 of and Section 3 of .The pseudocode versions of TurboSHAKE128 and TurboSHAKE256 are provided respectively in and .KangarooTwelve is an eXtendable Output Function (XOF).
It takes as parameters two byte-strings (M, C) and a positive integer L
where byte-string, is the Message and byte-string, is an OPTIONAL Customization string and positive integer, the requested number of output bytes.The Customization string MAY serve as domain separation.
It is typically a short string such as a name or an identifier (e.g. URI,
ODI...)By default, the Customization string is the empty string. For an API that
does not support a customization string parameter, C MUST be the empty string.On top of the sponge function TurboSHAKE128, KangarooTwelve uses a
Sakura-compatible tree hash mode .
First, merge M and the OPTIONAL C to a single input string S in a
reversible way. length_encode( |C| ) gives the length in bytes of C as a
byte-string.
See .Then, split S into n chunks of 8192 bytes.From S_1 .. S_(n-1), compute the 32-byte Chaining Values CV_1 .. CV_(n-1).
In order to be optimally efficient, this computation SHOULD exploit the
parallelism available on the platform such as SIMD instructions.Compute the final node: FinalNode.
If |S| <= 8192 bytes, FinalNode = SOtherwise compute FinalNode as follows:Finally, KangarooTwelve output is retrieved:
If |S| <= 8192 bytes, from TurboSHAKE128( FinalNode, `07`, L )Otherwise from TurboSHAKE128( FinalNode, `06`, L )The following figure illustrates the computation flow of KangarooTwelve
for |S| <= 8192 bytes:The following figure illustrates the computation flow of KangarooTwelve
for |S| > 8192 bytes and where TurboSHAKE128 and length_encode( x ) are
abbreviated as respectively TSHK128 and l_e( x ) :A pseudocode version is provided in .The table below gathers the values of the domain separation
bytes used by the tree hash mode:The function length_encode takes as inputs a non-negative integer x
< 256**255 and outputs a string of bytes x_(n-1) || .. || x_0 || n whereand where n is the smallest non-negative integer such that x < 256**n.
n is also the length of x_(n-1) || .. || x_0.As example, length_encode(0) = `00`, length_encode(12) = `0C 01` and
length_encode(65538) = `01 00 02 03`A pseudocode version is as follows where { b } denotes the byte of numerical value b.Implementing a MAC with KangarooTwelve SHOULD use a HASH-then-MAC construction.
This document recommends a method called HopMAC, defined as follows:Similarly to HMAC, HopMAC consists of two calls: an inner call compressing the
message M and the optional customization string C to a digest,
and an outer call computing the tag from the key and the digest.Unlike HMAC, the inner call to KangarooTwelve in HopMAC is keyless
and does not require additional protection against side channel attacks (SCA).
Consequently, in an implementation that has to protect the HopMAC key
against SCA only the outer call does need protection,
and this amounts to a single execution of the underlying permutation.In any case, KangarooTwelve MAY be used to compute a MAC with the key
reversibly prepended or appended to the input. For instance, one MAY
compute a MAC on short messages simply calling KangarooTwelve with the
key as the customization string, i.e., MAC = K12(M, Key, L).Test vectors are based on the repetition of the pattern `00 01 .. FA`
with a specific length. ptn(n) defines a string by repeating the pattern
`00 01 .. FA` as many times as necessary and truncated to n bytes e.g.
None.This document is meant to serve as a stable reference and an
implementation guide for the KangarooTwelve and TurboSHAKE eXtendable Output Functions.
It relies on the cryptanalysis of Keccak and provides with the same security
strength as their respective SHAKE functions.
To be more precise, KangarooTwelve is made of two layers:
The inner function TurboSHAKE128. This layer relies on cryptanalysis.
The TurboSHAKE128 function is exactly Keccak[r=1344, c=256] (as in SHAKE128)
reduced to 12 rounds. Any reduced-round cryptanalysis on Keccak
is also a reduced-round cryptanalysis of TurboSHAKE128
(provided the number of rounds attacked is not higher than 12).The tree hashing over TurboSHAKE128. This layer is a mode on top
of TurboSHAKE128 that does not introduce any vulnerability thanks to
the use of Sakura coding proven secure in .This reasoning is detailed and formalized in .To achieve 128-bit security strength, the output L must be chosen long
enough so that there are no generic attacks that violate 128-bit security.
So for 128-bit (second) preimage security the output should be at least 128 bits,
for 128-bit of security against multi-target preimage attacks with T targets
the output should be at least 128+log_2(T) bits
and for 128-bit collision security the output should be at least 256 bits.Furthermore, when the output length is at least 256 bits,
KangarooTwelve achieves NIST's post-quantum security level 2 .As a XOF, KangarooTwelve, TurboSHAKE128 or TurboSHAKE256 can naturally be used as a key derivation function.
The input must be an injective encoding of secret and diversification material, and the output can be taken as the derived key(s).Lastly, as KangarooTwelve uses TurboSHAKE128 with three values for D,
namely 0x06, 0x07, and 0x0B. Protocols that use both KangarooTwelve and TurboSHAKE128,
SHOULD avoid using these three values for D.
&rfc2119;
FIPS PUB 202 - SHA-3 Standard: Permutation-Based Hash and
Extendable-Output FunctionsNational Institute of Standards and Technology
NIST Special Publication 800-185 SHA-3 Derived Functions:
cSHAKE, KMAC, TupleHash and ParallelHashNational Institute of Standards and Technology
TurboSHAKEKangarooTwelve: fast hashing based on Keccak-pSakura: a flexible coding for tree hashingSummary of Third-party cryptanalysis of KeccakKeccak TeameXtended Keccak Code PackageSubmission Requirements and Evaluation Criteria for the Post-Quantum Cryptography Standardization ProcessNational Institute of Standards and Technology
The sub-sections of this appendix contain pseudocode definitions of
TurboSHAKE128, TurboSHAKE256 and KangarooTwelve.
Standalone Python versions are also available in the Keccak Code Package
and in where ROL64(x, y) is a rotation of the 'x' 64-bit word toward the bits
with higher indexes by 'y' positions. The 8-bytes byte-string x is
interpreted as a 64-bit word in little-endian format.