Crypto Forum B. Viguier
Internet-Draft Radboud University
Intended status: Informational D. Wong, Ed.
Expires: 23 February 2022 Facebook
G. Van Assche, Ed.
STMicroelectronics
Q. Dang, Ed.
NIST
J. Daemen, Ed.
Radboud University
22 August 2021
KangarooTwelve
draft-irtf-cfrg-kangarootwelve-06
Abstract
This document defines the KangarooTwelve eXtendable Output Function
(XOF), a hash function with output of arbitrary length. It provides
an efficient and secure hashing primitive, which is able to exploit
the parallelism of the implementation in a scalable way. It uses
tree hashing over a round-reduced version of SHAKE128 as underlying
primitive.
This document builds up on the definitions of the permutations and of
the sponge construction in [FIPS 202], and is meant to serve as a
stable reference and an implementation guide.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 23 February 2022.
Viguier, et al. Expires 23 February 2022 [Page 1]
Internet-Draft KangarooTwelve August 2021
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Conventions . . . . . . . . . . . . . . . . . . . . . . . 3
2. Specifications . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Inner function F . . . . . . . . . . . . . . . . . . . . 5
2.2. Tree hashing over F . . . . . . . . . . . . . . . . . . . 6
2.3. length_encode( x ) . . . . . . . . . . . . . . . . . . . 9
3. Test vectors . . . . . . . . . . . . . . . . . . . . . . . . 9
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
6.1. Normative References . . . . . . . . . . . . . . . . . . 13
6.2. Informative References . . . . . . . . . . . . . . . . . 13
Appendix A. Pseudocode . . . . . . . . . . . . . . . . . . . . . 14
A.1. Keccak-p[1600,n_r=12] . . . . . . . . . . . . . . . . . . 14
A.2. KangarooTwelve . . . . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction
This document defines the KangarooTwelve eXtendable Output Function
(XOF) [K12], i.e. a generalization of a hash function that can return
an output of arbitrary length. KangarooTwelve is based on a Keccak-p
permutation specified in [FIPS202] and has a higher speed than SHAKE
and SHA-3.
The SHA-3 functions process data in a serial manner and are unable to
optimally exploit parallelism available in modern CPU architectures.
Similar to ParallelHash [SP800-185], KangarooTwelve splits the input
message into fragments to exploit available parallelism. It then
applies an inner hash function F on each of them separately before
applying F again on the concatenation of the digests. It makes use
of Sakura coding for ensuring soundness of the tree hashing mode
Viguier, et al. Expires 23 February 2022 [Page 2]
Internet-Draft KangarooTwelve August 2021
[SAKURA]. The inner hash function F is a sponge function and uses a
round-reduced version of the permutation Keccak-f used in SHA-3,
making it faster than ParallelHash. Its security builds up on the
scrutiny that Keccak has received since its publication
[KECCAK_CRYPTANALYSIS].
With respect to [FIPS202] and [SP800-185] functions, KangarooTwelve
features the following advantages:
* Unlike SHA3-224, SHA3-256, SHA3-384, SHA3-512, KangarooTwelve has
an extendable output.
* Unlike any [FIPS202] defined function, similarly to functions
defined in [SP800-185], KangarooTwelve allows the use of a
customization string.
* Unlike any [FIPS202] and [SP800-185] functions but ParallelHash,
KangarooTwelve splits the input message into fragments to exploit
available parallelism.
* Unlike ParallelHash, KangarooTwelve does not have overhead when
processing short messages.
* The Keccak-f permutation in KangarooTwelve has half the number of
rounds of the one used in SHA3, making it faster than any function
defined in [FIPS202] and [SP800-185].
1.1. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
The following notations are used throughout the document:
`...` denotes a string of bytes given in hexadecimal. For example,
`0B 80`.
|s| denotes the length of a byte string `s`. For example, |`FF FF`|
= 2.
`00`^b denotes a byte string consisting of the concatenation of b
bytes `00`. For example, `00`^7 = `00 00 00 00 00 00 00`.
`00`^0 denotes the empty byte-string.
a||b denotes the concatenation of two strings a and b. For example,
`10`||`F1` = `10 F1`
Viguier, et al. Expires 23 February 2022 [Page 3]
Internet-Draft KangarooTwelve August 2021
s[n:m] denotes the selection of bytes from n (inclusive) to m
(exclusive) of a string s. The indexing of a byte-string starts
at 0. For example, for s = `A5 C6 D7`, s[0:1] = `A5` and s[1:3] =
`C6 D7`.
s[n:] denotes the selection of bytes from n to the end of a string
s. For example, for s = `A5 C6 D7`, s[0:] = `A5 C6 D7` and s[2:]
= `D7`.
In the following, x and y are byte strings of equal length:
x^=y denotes x takes the value x XOR y.
x & y denotes x AND y.
In the following, x and y are integers:
x+=y denotes x takes the value x + y.
x-=y denotes x takes the value x - y.
x**y denotes the exponentiation of x by y.
2. Specifications
KangarooTwelve is an eXtendable Output Function (XOF). It takes as
input two byte-strings (M, C) and a positive integer L where
M byte-string, is the Message and
C byte-string, is an OPTIONAL Customization string and
L positive integer, the requested number of output bytes.
The Customization string MAY serve as domain separation. It is
typically a short string such as a name or an identifier (e.g. URI,
ODI...)
By default, the Customization string is the empty string. For an API
that does not support a customization string input, C MUST be the
empty string.
Viguier, et al. Expires 23 February 2022 [Page 4]
Internet-Draft KangarooTwelve August 2021
2.1. Inner function F
The inner function F makes use of the permutation Keccak-
p[1600,n_r=12], i.e., a version of the permutation Keccak-f[1600]
used in SHAKE and SHA-3 instances reduced to its last n_r=12 rounds
and specified in FIPS 202, sections 3.3 and 3.4 [FIPS202]. KP
denotes this permutation.
F is a sponge function calling this permutation KP with a rate of 168
bytes or 1344 bits. It follows that F has a capacity of 1600 - 1344
= 256 bits or 32 bytes.
The sponge function F takes:
input byte-string of positive length, the input bytes and
outputByteLen positive integer, the length of the output in bytes
First non-multiple of 168-bytes-length inputs are padded with zeroes
to the next multiple of 168 bytes while inputs multiple of 168 bytes
are kept as is. Then a byte `80` is XORed to the last byte of the
padded message and the resulting string is split into a sequence of
168-byte blocks.
Inputs of length 0 bytes do not happen as a result of the tree
hashing mode defined in section 2.2.
As defined by the sponge construction, the process operates on a
state and consists of two phases: the absorbing phase that processes
the input and the squeezing phase that produces the output.
In the absorbing phase the state is initialized to all-zero. The
message blocks are XORed into the first 168 bytes of the state. Each
block absorbed is followed with an application of KP to the state.
In the squeezing phase output is formed by taking the first 168 bytes
of the state, repeated as many times as necessary until outputByteLen
bytes are obtained, interleaved with the application of KP to the
state.
The definition of the function F equivalently implements the pad10*1
rule. It assumes an at least one-byte-long input where the last byte
is in the `01`-`7F` range, and this is the case in KangarooTwelve.
This last byte serves as domain separation and integrates the first
bit of padding of the pad10*1 rule (hence it cannot be `00`).
Additionally, it must leave room for the second bit of padding (hence
it cannot have the MSB set to 1), should it be the last byte of the
block. For more details, refer to Section 6.1 of [K12].
Viguier, et al. Expires 23 February 2022 [Page 5]
Internet-Draft KangarooTwelve August 2021
A pseudocode version is available as follows:
F(input, outputByteLen):
offset = 0
state = `00`^200
# === Absorb complete blocks ===
while offset < |input| - 168
state ^= input[offset : offset + 168] || `00`^32
state = KP(state)
offset += 168
# === Absorb last block and treatment of padding ===
LastBlockLength = |input| - offset
state ^= input[offset:] || `00`^(200-LastBlockLength)
state ^= `00`^167 || `80` || `00`^32
state = KP(state)
# === Squeeze ===
output = `00`^0
while outputByteLen > 168
output = output || state[0:168]
outputByteLen -= 168
state = KP(state)
output = output || state[0:outputByteLen]
return output
end
2.2. Tree hashing over F
On top of the sponge function F, KangarooTwelve uses a Sakura-
compatible tree hash mode [SAKURA]. First, merge M and the OPTIONAL
C to a single input string S in a reversible way. length_encode( |C|
) gives the length in bytes of C as a byte-string. See Section 2.3.
S = M || C || length_encode( |C| )
Then, split S into n chunks of 8192 bytes.
S = S_0 || .. || S_(n-1)
|S_0| = .. = |S_(n-2)| = 8192 bytes
|S_(n-1)| <= 8192 bytes
Viguier, et al. Expires 23 February 2022 [Page 6]
Internet-Draft KangarooTwelve August 2021
From S_1 .. S_(n-1), compute the 32-byte Chaining Values CV_1 ..
CV_(n-1). In order to be optimally efficient, this computation
SHOULD exploit the parallelism available on the platform such as SIMD
instructions.
CV_i = F( S_i||`0B`, 32 )
Compute the final node: FinalNode.
* If |S| <= 8192 bytes, FinalNode = S
* Otherwise compute FinalNode as follows:
FinalNode = S_0 || `03 00 00 00 00 00 00 00`
FinalNode = FinalNode || CV_1
..
FinalNode = FinalNode || CV_(n-1)
FinalNode = FinalNode || length_encode(n-1)
FinalNode = FinalNode || `FF FF`
Finally, KangarooTwelve output is retrieved:
* If |S| <= 8192 bytes, from F( FinalNode||`07`, L )
KangarooTwelve( M, C, L ) = F( FinalNode||`07`, L )
* Otherwise from F( FinalNode||`06`, L )
KangarooTwelve( M, C, L ) = F( FinalNode||`06`, L )
The following figure illustrates the computation flow of
KangarooTwelve for |S| <= 8192 bytes:
+--------------+ F(..||`07`, L)
| S |-----------------> output
+--------------+
The following figure illustrates the computation flow of
KangarooTwelve for |S| > 8192 bytes and where length_encode( x ) is
abbreviated as l_e( x ):
Viguier, et al. Expires 23 February 2022 [Page 7]
Internet-Draft KangarooTwelve August 2021
+--------------+
| S_0 |
+--------------+
||
+--------------+
| `03`||`00`^7 |
+--------------+
||
+---------+ F(..||`0B`,32) +--------------+
| S_1 |----------------->| CV_1 |
+---------+ +--------------+
||
+---------+ F(..||`0B`,32) +--------------+
| S_2 |----------------->| CV_2 |
+---------+ +--------------+
||
... ...
||
+---------+ F(..||`0B`,32) +--------------+
| S_(n-1) |----------------->| CV_(n-1) |
+---------+ +--------------+
||
+--------------+
| l_e( n-1 ) |
+--------------+
||
+--------------+ F(..||`06`, L)
| `FF FF` |-----------------> output
+--------------+
A pseudocode version is provided in Appendix A.2.
The table below gathers the values of the domain separation bytes
used by the tree hash mode:
+--------------------+------------------+
| Type | Byte |
+--------------------+------------------+
| SingleNode | `07` |
| | |
| IntermediateNode | `0B` |
| | |
| FinalNode | `06` |
+--------------------+------------------+
Viguier, et al. Expires 23 February 2022 [Page 8]
Internet-Draft KangarooTwelve August 2021
2.3. length_encode( x )
The function length_encode takes as inputs a non negative integer x <
256**255 and outputs a string of bytes x_(n-1) || .. || x_0 || n
where
x = sum from i=0..n-1 of 256**i * x_i
and where n is the smallest non-negative integer such that x <
256**n. n is also the length of x_(n-1) || .. || x_0.
As example, length_encode(0) = `00`, length_encode(12) = `0C 01` and
length_encode(65538) = `01 00 02 03`
A pseudocode version is as follows.
length_encode(x):
S = `00`^0
while x > 0
S = x mod 256 || S
x = x / 256
S = S || length(S)
return S
end
3. Test vectors
Test vectors are based on the repetition of the pattern `00 01 .. FA`
with a specific length. ptn(n) defines a string by repeating the
pattern `00 01 .. FA` as many times as necessary and truncated to n
bytes e.g.
Pattern for a length of 17 bytes:
ptn(17) =
`00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10`
Viguier, et al. Expires 23 February 2022 [Page 9]
Internet-Draft KangarooTwelve August 2021
Pattern for a length of 17**2 bytes:
ptn(17**2) =
`00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F
30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F
40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F
50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F
60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F
70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F
80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F
A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF
B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF
C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF
E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF
F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
20 21 22 23 24 25`
KangarooTwelve(M=`00`^0, C=`00`^0, 32):
`1A C2 D4 50 FC 3B 42 05 D1 9D A7 BF CA 1B 37 51
3C 08 03 57 7A C7 16 7F 06 FE 2C E1 F0 EF 39 E5`
KangarooTwelve(M=`00`^0, C=`00`^0, 64):
`1A C2 D4 50 FC 3B 42 05 D1 9D A7 BF CA 1B 37 51
3C 08 03 57 7A C7 16 7F 06 FE 2C E1 F0 EF 39 E5
42 69 C0 56 B8 C8 2E 48 27 60 38 B6 D2 92 96 6C
C0 7A 3D 46 45 27 2E 31 FF 38 50 81 39 EB 0A 71`
KangarooTwelve(M=`00`^0, C=`00`^0, 10032), last 32 bytes:
`E8 DC 56 36 42 F7 22 8C 84 68 4C 89 84 05 D3 A8
34 79 91 58 C0 79 B1 28 80 27 7A 1D 28 E2 FF 6D`
KangarooTwelve(M=ptn(1 bytes), C=`00`^0, 32):
`2B DA 92 45 0E 8B 14 7F 8A 7C B6 29 E7 84 A0 58
EF CA 7C F7 D8 21 8E 02 D3 45 DF AA 65 24 4A 1F`
KangarooTwelve(M=ptn(17 bytes), C=`00`^0, 32):
`6B F7 5F A2 23 91 98 DB 47 72 E3 64 78 F8 E1 9B
0F 37 12 05 F6 A9 A9 3A 27 3F 51 DF 37 12 28 88`
KangarooTwelve(M=ptn(17**2 bytes), C=`00`^0, 32):
`0C 31 5E BC DE DB F6 14 26 DE 7D CF 8F B7 25 D1
E7 46 75 D7 F5 32 7A 50 67 F3 67 B1 08 EC B6 7C`
Viguier, et al. Expires 23 February 2022 [Page 10]
Internet-Draft KangarooTwelve August 2021
KangarooTwelve(M=ptn(17**3 bytes), C=`00`^0, 32):
`CB 55 2E 2E C7 7D 99 10 70 1D 57 8B 45 7D DF 77
2C 12 E3 22 E4 EE 7F E4 17 F9 2C 75 8F 0D 59 D0`
KangarooTwelve(M=ptn(17**4 bytes), C=`00`^0, 32):
`87 01 04 5E 22 20 53 45 FF 4D DA 05 55 5C BB 5C
3A F1 A7 71 C2 B8 9B AE F3 7D B4 3D 99 98 B9 FE`
KangarooTwelve(M=ptn(17**5 bytes), C=`00`^0, 32):
`84 4D 61 09 33 B1 B9 96 3C BD EB 5A E3 B6 B0 5C
C7 CB D6 7C EE DF 88 3E B6 78 A0 A8 E0 37 16 82`
KangarooTwelve(M=ptn(17**6 bytes), C=`00`^0, 32):
`3C 39 07 82 A8 A4 E8 9F A6 36 7F 72 FE AA F1 32
55 C8 D9 58 78 48 1D 3C D8 CE 85 F5 8E 88 0A F8`
KangarooTwelve(M=`00`^0, C=ptn(1 bytes), 32):
`FA B6 58 DB 63 E9 4A 24 61 88 BF 7A F6 9A 13 30
45 F4 6E E9 84 C5 6E 3C 33 28 CA AF 1A A1 A5 83`
KangarooTwelve(M=`FF`, C=ptn(41 bytes), 32):
`D8 48 C5 06 8C ED 73 6F 44 62 15 9B 98 67 FD 4C
20 B8 08 AC C3 D5 BC 48 E0 B0 6B A0 A3 76 2E C4`
KangarooTwelve(M=`FF FF FF`, C=ptn(41**2), 32):
`C3 89 E5 00 9A E5 71 20 85 4C 2E 8C 64 67 0A C0
13 58 CF 4C 1B AF 89 44 7A 72 42 34 DC 7C ED 74`
KangarooTwelve(M=`FF FF FF FF FF FF FF`, C=ptn(41**3 bytes), 32):
`75 D2 F8 6A 2E 64 45 66 72 6B 4F BC FC 56 57 B9
DB CF 07 0C 7B 0D CA 06 45 0A B2 91 D7 44 3B CF`
4. IANA Considerations
None.
5. Security Considerations
This document is meant to serve as a stable reference and an
implementation guide for the KangarooTwelve eXtendable Output
Function. It relies on the cryptanalysis of Keccak and provides with
the same security strength as SHAKE128, i.e., 128 bits of security
against all attacks.
To be more precise, KangarooTwelve is made of two layers:
Viguier, et al. Expires 23 February 2022 [Page 11]
Internet-Draft KangarooTwelve August 2021
* The inner function F. This layer relies on cryptanalysis.
KangarooTwelve's F function is exactly Keccak[r=1344, c=256] (as
in SHAKE128) reduced to 12 rounds. Any reduced-round
cryptanalysis on Keccak is also a reduced-round cryptanalysis of
KangarooTwelve's F (provided the number of rounds attacked is not
higher than 12).
* The tree hashing over F. This layer is a mode on top of F that
does not introduce any vulnerability thanks to the use of Sakura
coding proven secure in [SAKURA].
This reasoning is detailed and formalized in [K12].
To achieve 128-bit security strength, the output L must be chosen
long enough so that there are no generic attacks that violate 128-bit
security. So for 128-bit (second) preimage security the output
should be at least 128 bits, for 128-bit of security against multi-
target preimage attacks with T targets the output should be at least
128+log_2(T) bits and for 128-bit collision security the output
should be at least 256 bits.
Furthermore, when the output length is at least 256 bits,
KangarooTwelve achieves NIST's post-quantum security level 2
[NISTPQ].
Implementing a MAC with KangarooTwelve SHOULD use a HASH-then-MAC
construction. This document recommends a method called HopMAC,
defined as follows:
HopMAC(Key, M, C, L) = K12(Key, K12(M, C, 32), L)
Similarly to HMAC, HopMAC consists of two calls: an inner call
compressing the message M and the optional customization string C to
a digest, and an outer call computing the tag from the key and the
digest.
Unlike HMAC, the inner call to KangarooTwelve in HopMAC is keyless
and does not require additional protection against side channel
attacks (SCA). Consequently, in an implementation that has to
protect the HopMAC key against SCA only the outer call does need
protection, and this amounts to a single execution of the underlying
permutation.
In any case, KangarooTwelve MAY be used to compute a MAC with the key
reversibly prepended or appended to the input. For instance, one MAY
compute a MAC on short messages simply calling KangarooTwelve with
the key as the customization string, i.e., MAC = K12(M, Key, L).
Viguier, et al. Expires 23 February 2022 [Page 12]
Internet-Draft KangarooTwelve August 2021
6. References
6.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
.
[FIPS202] National Institute of Standards and Technology, "FIPS PUB
202 - SHA-3 Standard: Permutation-Based Hash and
Extendable-Output Functions",
WWW http://dx.doi.org/10.6028/NIST.FIPS.202, August 2015.
[SP800-185]
National Institute of Standards and Technology, "NIST
Special Publication 800-185 SHA-3 Derived Functions:
cSHAKE, KMAC, TupleHash and ParallelHash",
WWW https://doi.org/10.6028/NIST.SP.800-185, December
2016.
6.2. Informative References
[K12] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., and
R. Van Keer, "KangarooTwelve: fast hashing based on
Keccak-p", WWW https://link.springer.com/
chapter/10.1007/978-3-319-93387-0_21,
WWW http://eprint.iacr.org/2016/770.pdf, July 2018.
[SAKURA] Bertoni, G., Daemen, J., Peeters, M., and G. Van Assche,
"Sakura: a flexible coding for tree hashing", WWW
https://link.springer.com/
chapter/10.1007/978-3-319-07536-5_14,
WWW http://eprint.iacr.org/2013/231.pdf, June 2014.
[KECCAK_CRYPTANALYSIS]
Keccak Team, "Summary of Third-party cryptanalysis of
Keccak", WWW https://www.keccak.team/third_party.html,
2017.
[XKCP] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., and
R. Van Keer, "eXtended Keccak Code Package",
WWW https://github.com/XKCP/XKCP, September 2018.
Viguier, et al. Expires 23 February 2022 [Page 13]
Internet-Draft KangarooTwelve August 2021
[NISTPQ] National Institute of Standards and Technology,
"Submission Requirements and Evaluation Criteria for the
Post-Quantum Cryptography Standardization Process", WWW
https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-
Cryptography/documents/call-for-proposals-final-dec-
2016.pdf, December 2016.
Appendix A. Pseudocode
The sub-sections of this appendix contain pseudocode definitions of
KangarooTwelve. A standalone Python version is also available in the
Keccak Code Package [XKCP] and in [K12]
A.1. Keccak-p[1600,n_r=12]
KP(state):
RC[0] = `8B 80 00 80 00 00 00 00`
RC[1] = `8B 00 00 00 00 00 00 80`
RC[2] = `89 80 00 00 00 00 00 80`
RC[3] = `03 80 00 00 00 00 00 80`
RC[4] = `02 80 00 00 00 00 00 80`
RC[5] = `80 00 00 00 00 00 00 80`
RC[6] = `0A 80 00 00 00 00 00 00`
RC[7] = `0A 00 00 80 00 00 00 80`
RC[8] = `81 80 00 80 00 00 00 80`
RC[9] = `80 80 00 00 00 00 00 80`
RC[10] = `01 00 00 80 00 00 00 00`
RC[11] = `08 80 00 80 00 00 00 80`
for x from 0 to 4
for y from 0 to 4
lanes[x][y] = state[8*(x+5*y):8*(x+5*y)+8]
for round from 0 to 11
# theta
for x from 0 to 4
C[x] = lanes[x][0]
C[x] ^= lanes[x][1]
C[x] ^= lanes[x][2]
C[x] ^= lanes[x][3]
C[x] ^= lanes[x][4]
for x from 0 to 4
D[x] = C[(x+4) mod 5] ^ ROL64(C[(x+1) mod 5], 1)
for y from 0 to 4
for x from 0 to 4
lanes[x][y] = lanes[x][y]^D[x]
# rho and pi
Viguier, et al. Expires 23 February 2022 [Page 14]
Internet-Draft KangarooTwelve August 2021
(x, y) = (1, 0)
current = lanes[x][y]
for t from 0 to 23
(x, y) = (y, (2*x+3*y) mod 5)
(current, lanes[x][y]) =
(lanes[x][y], ROL64(current, (t+1)*(t+2)/2))
# chi
for y from 0 to 4
for x from 0 to 4
T[x] = lanes[x][y]
for x from 0 to 4
lanes[x][y] = T[x] ^((not T[(x+1) mod 5]) & T[(x+2) mod 5])
# iota
lanes[0][0] ^= RC[round]
state = `00`^0
for x from 0 to 4
for y from 0 to 4
state = state || lanes[x][y]
return state
end
where ROL64(x, y) is a rotation of the 'x' 64-bit word toward the
bits with higher indexes by 'y' positions. The 8-bytes byte-string x
is interpreted as a 64-bit word in little-endian format.
A.2. KangarooTwelve
Viguier, et al. Expires 23 February 2022 [Page 15]
Internet-Draft KangarooTwelve August 2021
KangarooTwelve(inputMessage, customString, outputByteLen):
S = inputMessage || customString
S = S || length_encode( |customString| )
if |S| <= 8192
return F(S || `07`, outputByteLen)
else
# === Kangaroo hopping ===
FinalNode = S[0:8192] || `03` || `00`^7
offset = 8192
numBlock = 0
while offset < |S|
blockSize = min( |S| - offset, 8192)
CV = F(S[offset : offset + blockSize] || `0B`, 32)
FinalNode = FinalNode || CV
numBlock += 1
offset += blockSize
FinalNode = FinalNode || length_encode( numBlock ) || `FF FF`
return F(FinalNode || `06`, outputByteLen)
end
Authors' Addresses
BenoĆ®t Viguier
Radboud University
Toernooiveld 212
Nijmegen
Email: cs.ru.nl@viguier.nl
David Wong (editor)
Facebook
Email: davidwong.crypto@gmail.com
Gilles Van Assche (editor)
STMicroelectronics
Email: gilles.vanassche@st.com
Quynh Dang (editor)
National Institute of Standards and Technology
Viguier, et al. Expires 23 February 2022 [Page 16]
Internet-Draft KangarooTwelve August 2021
Email: quynh.dang@nist.gov
Joan Daemen (editor)
Radboud University
Email: joan@cs.ru.nl
Viguier, et al. Expires 23 February 2022 [Page 17]