idnits 2.17.1 draft-irtf-cfrg-kangarootwelve-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([FIPS202]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 201 has weird spacing: '... input byte-...' == Line 203 has weird spacing: '...ByteLen posit...' -- The document date (September 21, 2020) is 1306 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'FIPS 202' is mentioned on line 27, but not defined -- Looks like a reference, but probably isn't: '1600' on line 190 -- Looks like a reference, but probably isn't: '0' on line 650 -- Looks like a reference, but probably isn't: '1' on line 624 -- Looks like a reference, but probably isn't: '2' on line 625 -- Looks like a reference, but probably isn't: '3' on line 626 -- Looks like a reference, but probably isn't: '4' on line 627 -- Looks like a reference, but probably isn't: '5' on line 608 -- Looks like a reference, but probably isn't: '6' on line 609 -- Looks like a reference, but probably isn't: '7' on line 610 -- Looks like a reference, but probably isn't: '8' on line 611 -- Looks like a reference, but probably isn't: '9' on line 612 -- Looks like a reference, but probably isn't: '10' on line 613 -- Looks like a reference, but probably isn't: '11' on line 614 Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 15 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Crypto Forum B. Viguier 3 Internet-Draft Radboud University 4 Intended status: Informational D. Wong, Ed. 5 Expires: March 25, 2021 Facebook 6 G. Van Assche, Ed. 7 STMicroelectronics 8 Q. Dang, Ed. 9 NIST 10 J. Daemen, Ed. 11 Radboud University 12 September 21, 2020 14 KangarooTwelve 15 draft-irtf-cfrg-kangarootwelve-04 17 Abstract 19 This document defines the KangarooTwelve eXtendable Output Function 20 (XOF), a hash function with output of arbitrary length. It provides 21 an efficient and secure hashing primitive, which is able to exploit 22 the parallelism of the implementation in a scalable way. It uses 23 tree hashing over a round-reduced version of SHAKE128 as underlying 24 primitive. 26 This document builds up on the definitions of the permutations and of 27 the sponge construction in [FIPS 202], and is meant to serve as a 28 stable reference and an implementation guide. 30 Status of This Memo 32 This Internet-Draft is submitted in full conformance with the 33 provisions of BCP 78 and BCP 79. 35 Internet-Drafts are working documents of the Internet Engineering 36 Task Force (IETF). Note that other groups may also distribute 37 working documents as Internet-Drafts. The list of current Internet- 38 Drafts is at https://datatracker.ietf.org/drafts/current/. 40 Internet-Drafts are draft documents valid for a maximum of six months 41 and may be updated, replaced, or obsoleted by other documents at any 42 time. It is inappropriate to use Internet-Drafts as reference 43 material or to cite them other than as "work in progress." 45 This Internet-Draft will expire on March 25, 2021. 47 Copyright Notice 49 Copyright (c) 2020 IETF Trust and the persons identified as the 50 document authors. All rights reserved. 52 This document is subject to BCP 78 and the IETF Trust's Legal 53 Provisions Relating to IETF Documents 54 (https://trustee.ietf.org/license-info) in effect on the date of 55 publication of this document. Please review these documents 56 carefully, as they describe your rights and restrictions with respect 57 to this document. Code Components extracted from this document must 58 include Simplified BSD License text as described in Section 4.e of 59 the Trust Legal Provisions and are provided without warranty as 60 described in the Simplified BSD License. 62 Table of Contents 64 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 65 1.1. Conventions . . . . . . . . . . . . . . . . . . . . . . . 3 66 2. Specifications . . . . . . . . . . . . . . . . . . . . . . . 4 67 2.1. Inner function F . . . . . . . . . . . . . . . . . . . . 5 68 2.2. Tree hashing over F . . . . . . . . . . . . . . . . . . . 6 69 2.3. length_encode( x ) . . . . . . . . . . . . . . . . . . . 9 70 3. Test vectors . . . . . . . . . . . . . . . . . . . . . . . . 9 71 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 72 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 73 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 74 6.1. Normative References . . . . . . . . . . . . . . . . . . 12 75 6.2. Informative References . . . . . . . . . . . . . . . . . 13 76 Appendix A. Pseudocode . . . . . . . . . . . . . . . . . . . . . 14 77 A.1. Keccak-p[1600,n_r=12] . . . . . . . . . . . . . . . . . . 14 78 A.2. KangarooTwelve . . . . . . . . . . . . . . . . . . . . . 15 79 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 81 1. Introduction 83 This document defines the KangarooTwelve eXtendable Output Function 84 (XOF) [K12], i.e. a generalization of a hash function that can return 85 an output of arbitrary length. KangarooTwelve is based on a Keccak-p 86 permutation specified in [FIPS202] and has a higher speed than SHAKE 87 and SHA-3. 89 The SHA-3 functions process data in a serial manner and are unable to 90 optimally exploit parallelism available in modern CPU architectures. 91 Similar to ParallelHash [SP800-185], KangarooTwelve splits the input 92 message into fragments to exploit available parallelism. It then 93 applies an inner hash function F on each of them separately before 94 applying F again on the concatenation of the digests. It makes use 95 of Sakura coding for ensuring soundness of the tree hashing mode 96 [SAKURA]. The inner hash function F is a sponge function and uses a 97 round-reduced version of the permutation Keccak-f used in SHA-3, 98 making it faster than ParallelHash. Its security builds up on the 99 scrutiny that Keccak has received since its publication 100 [KECCAK_CRYPTANALYSIS]. 102 With respect to [FIPS202] and [SP800-185] functions, KangarooTwelve 103 features the following advantages: 105 o Unlike SHA3-224, SHA3-256, SHA3-384, SHA3-512, KangarooTwelve has 106 an extendable output. 108 o Unlike any [FIPS202] defined function, similarly to functions 109 defined in [SP800-185], KangarooTwelve allows the use of a 110 customization string. 112 o Unlike any [FIPS202] and [SP800-185] functions but ParallelHash, 113 KangarooTwelve splits the input message into fragments to exploit 114 available parallelism. 116 o Unlike ParallelHash, KangarooTwelve does not have overhead when 117 processing short messages. 119 o The Keccak-f permutation in KangarooTwelve has half the number of 120 rounds of the one used in SHA3, making it faster than any function 121 defined in [FIPS202] and [SP800-185]. 123 1.1. Conventions 125 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 126 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 127 document are to be interpreted as described in RFC 2119 [RFC2119]. 129 The following notations are used throughout the document: 131 `...` denotes a string of bytes given in hexadecimal. For example, 132 `0B 80`. 134 |s| denotes the length of a byte string `s`. For example, |`FF FF`| 135 = 2. 137 `00`^b denotes a byte string consisting of the concatenation of b 138 bytes `00`. For example, `00`^7 = `00 00 00 00 00 00 00`. 140 `00`^0 denotes the empty byte-string. 142 a||b denotes the concatenation of two strings a and b. For example, 143 `10`||`F1` = `10 F1` 145 s[n:m] denotes the selection of bytes from n (inclusive) to m 146 (exclusive) of a string s. The indexing of a byte-string starts 147 at 0. For example, for s = `A5 C6 D7`, s[0:1] = `A5` and s[1:3] = 148 `C6 D7`. 150 s[n:] denotes the selection of bytes from n to the end of a string 151 s. For example, for s = `A5 C6 D7`, s[0:] = `A5 C6 D7` and s[2:] 152 = `D7`. 154 In the following, x and y are byte strings of equal length: 156 x^=y denotes x takes the value x XOR y. 158 x & y denotes x AND y. 160 In the following, x and y are integers: 162 x+=y denotes x takes the value x + y. 164 x-=y denotes x takes the value x - y. 166 x**y denotes the exponentiation of x by y. 168 2. Specifications 170 KangarooTwelve is an eXtendable Output Function (XOF). It takes as 171 input two byte-strings (M, C) and a positive integer L where 173 M byte-string, is the Message and 175 C byte-string, is an OPTIONAL Customization string and 177 L positive integer, the requested number of output bytes. 179 The Customization string MAY serve as domain separation. It is 180 typically a short string such as a name or an identifier (e.g. URI, 181 ODI...) 183 By default, the Customization string is the empty string. For an API 184 that does not support a customization string input, C MUST be the 185 empty string. 187 2.1. Inner function F 189 The inner function F makes use of the permutation Keccak- 190 p[1600,n_r=12], i.e., a version of the permutation Keccak-f[1600] 191 used in SHAKE and SHA-3 instances reduced to its last n_r=12 rounds 192 and specified in FIPS 202, sections 3.3 and 3.4 [FIPS202]. KP 193 denotes this permutation. 195 F is a sponge function calling this permutation KP with a rate of 168 196 bytes or 1344 bits. It follows that F has a capacity of 1600 - 1344 197 = 256 bits or 32 bytes. 199 The sponge function F takes: 201 input byte-string of positive length, the input bytes and 203 outputByteLen positive integer, the length of the output in bytes 205 First non-multiple of 168-bytes-length inputs are padded with zeroes 206 to the next multiple of 168 bytes while inputs multiple of 168 bytes 207 are kept as is. Then a byte `80` is XORed to the last byte of the 208 padded message and the resulting string is split into a sequence of 209 168-byte blocks. 211 Inputs of length 0 bytes do not happen as a result of the tree 212 hashing mode defined in section 2.2. 214 As defined by the sponge construction, the process operates on a 215 state and consists of two phases: the absorbing phase that processes 216 the input and the squeezing phase that produces the output. 218 In the absorbing phase the state is initialized to all-zero. The 219 message blocks are XORed into the first 168 bytes of the state. Each 220 block absorbed is followed with an application of KP to the state. 222 In the squeezing phase output is formed by taking the first 168 bytes 223 of the state, repeated as many times as necessary until outputByteLen 224 bytes are obtained, interleaved with the application of KP to the 225 state. 227 The definition of the function F equivalently implements the pad10*1 228 rule. It assumes an at least one-byte-long input where the last byte 229 is in the `01`-`7F` range, and this is the case in KangarooTwelve. 230 This last byte serves as domain separation and integrates the first 231 bit of padding of the pad10*1 rule (hence it cannot be `00`). 232 Additionally, it must leave room for the second bit of padding (hence 233 it cannot have the MSB set to 1), should it be the last byte of the 234 block. For more details, refer to Section 6.1 of [K12]. 236 A pseudocode version is available as follows: 238 F(input, outputByteLen): 239 offset = 0 240 state = `00`^200 242 # === Absorb complete blocks === 243 while offset < |input| - 168 244 state ^= input[offset : offset + 168] || `00`^32 245 state = KP(state) 246 offset += 168 248 # === Absorb last block and treatment of padding === 249 LastBlockLength = |input| - offset 250 state ^= input[offset:] || `00`^(200-LastBlockLength) 251 state ^= `00`^167 || `80` || `00`^32 252 state = KP(state) 254 # === Squeeze === 255 output = `00`^0 256 while outputByteLen > 168 257 output = output || state[0:168] 258 outputByteLen -= 168 259 state = KP(state) 261 output = output || state[0:outputByteLen] 263 return output 264 end 266 2.2. Tree hashing over F 268 On top of the sponge function F, KangarooTwelve uses a Sakura- 269 compatible tree hash mode [SAKURA]. First, merge M and the OPTIONAL 270 C to a single input string S in a reversible way. length_encode( |C| 271 ) gives the length in bytes of C as a byte-string. See Section 2.3. 273 S = M || C || length_encode( |C| ) 275 Then, split S into n chunks of 8192 bytes. 277 S = S_0 || .. || S_(n-1) 278 |S_0| = .. = |S_(n-2)| = 8192 bytes 279 |S_(n-1)| <= 8192 bytes 281 From S_1 .. S_(n-1), compute the 32-byte Chaining Values CV_1 .. 282 CV_(n-1). In order to be optimally efficient, this computation 283 SHOULD exploit the parallelism available on the platform such as SIMD 284 instructions. 286 CV_i = F( S_i||`0B`, 32 ) 288 Compute the final node: FinalNode. 290 o If |S| <= 8192 bytes, FinalNode = S 292 o Otherwise compute FinalNode as follows: 294 FinalNode = S_0 || `03 00 00 00 00 00 00 00` 295 FinalNode = FinalNode || CV_1 296 .. 297 FinalNode = FinalNode || CV_(n-1) 298 FinalNode = FinalNode || length_encode(n-1) 299 FinalNode = FinalNode || `FF FF` 301 Finally, KangarooTwelve output is retrieved: 303 o If |S| <= 8192 bytes, from F( FinalNode||`07`, L ) 305 KangarooTwelve( M, C, L ) = F( FinalNode||`07`, L ) 307 o Otherwise from F( FinalNode||`06`, L ) 309 KangarooTwelve( M, C, L ) = F( FinalNode||`06`, L ) 311 The following figure illustrates the computation flow of 312 KangarooTwelve for |S| <= 8192 bytes: 314 +--------------+ F(..||`07`, L) 315 | S |-----------------> output 316 +--------------+ 318 The following figure illustrates the computation flow of 319 KangarooTwelve for |S| > 8192 bytes and where length_encode( x ) is 320 abbreviated as l_e( x ): 322 +--------------+ 323 | S_0 | 324 +--------------+ 325 || 326 +--------------+ 327 | `03`||`00`^7 | 328 +--------------+ 329 || 330 +---------+ F(..||`0B`,32) +--------------+ 331 | S_1 |----------------->| CV_1 | 332 +---------+ +--------------+ 333 || 334 +---------+ F(..||`0B`,32) +--------------+ 335 | S_2 |----------------->| CV_2 | 336 +---------+ +--------------+ 337 || 338 ... ... 339 || 340 +---------+ F(..||`0B`,32) +--------------+ 341 | S_(n-1) |----------------->| CV_(n-1) | 342 +---------+ +--------------+ 343 || 344 +--------------+ 345 | l_e( n-1 ) | 346 +--------------+ 347 || 348 +--------------+ F(..||`06`, L) 349 | `FF FF` |-----------------> output 350 +--------------+ 352 A pseudocode version is provided in Appendix A.2. 354 The table below gathers the values of the domain separation bytes 355 used by the tree hash mode: 357 +--------------------+------------------+ 358 | Type | Byte | 359 +--------------------+------------------+ 360 | SingleNode | `07` | 361 | | | 362 | IntermediateNode | `0B` | 363 | | | 364 | FinalNode | `06` | 365 +--------------------+------------------+ 367 2.3. length_encode( x ) 369 The function length_encode takes as inputs a non negative integer x < 370 256**255 and outputs a string of bytes x_(n-1) || .. || x_0 || n 371 where 373 x = sum from i=0..n-1 of 256**i * x_i 375 and where n is the smallest non-negative integer such that x < 376 256**n. n is also the length of x_(n-1) || .. || x_0. 378 As example, length_encode(0) = `00`, length_encode(12) = `0C 01` and 379 length_encode(65538) = `01 00 02 03` 381 A pseudocode version is as follows. 383 length_encode(x): 384 S = `00`^0 386 while x > 0 387 S = x mod 256 || S 388 x = x / 256 390 S = S || length(S) 392 return S 393 end 395 3. Test vectors 397 Test vectors are based on the repetition of the pattern `00 01 .. FA` 398 with a specific length. ptn(n) defines a string by repeating the 399 pattern `00 01 .. FA` as many times as necessary and truncated to n 400 bytes e.g. 402 Pattern for a length of 17 bytes: 403 ptn(17) = 404 `00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10` 406 Pattern for a length of 17**2 bytes: 407 ptn(17**2) = 408 `00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 409 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 410 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 411 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F 412 40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 413 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 414 60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 415 70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F 416 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 417 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F 418 A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF 419 B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF 420 C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 421 D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF 422 E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF 423 F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA 424 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 425 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 426 20 21 22 23 24 25` 428 KangarooTwelve(M=`00`^0, C=`00`^0, 32): 429 `1A C2 D4 50 FC 3B 42 05 D1 9D A7 BF CA 1B 37 51 430 3C 08 03 57 7A C7 16 7F 06 FE 2C E1 F0 EF 39 E5` 432 KangarooTwelve(M=`00`^0, C=`00`^0, 64): 433 `1A C2 D4 50 FC 3B 42 05 D1 9D A7 BF CA 1B 37 51 434 3C 08 03 57 7A C7 16 7F 06 FE 2C E1 F0 EF 39 E5 435 42 69 C0 56 B8 C8 2E 48 27 60 38 B6 D2 92 96 6C 436 C0 7A 3D 46 45 27 2E 31 FF 38 50 81 39 EB 0A 71` 438 KangarooTwelve(M=`00`^0, C=`00`^0, 10032), last 32 bytes: 439 `E8 DC 56 36 42 F7 22 8C 84 68 4C 89 84 05 D3 A8 440 34 79 91 58 C0 79 B1 28 80 27 7A 1D 28 E2 FF 6D` 442 KangarooTwelve(M=ptn(1 bytes), C=`00`^0, 32): 443 `2B DA 92 45 0E 8B 14 7F 8A 7C B6 29 E7 84 A0 58 444 EF CA 7C F7 D8 21 8E 02 D3 45 DF AA 65 24 4A 1F` 446 KangarooTwelve(M=ptn(17 bytes), C=`00`^0, 32): 447 `6B F7 5F A2 23 91 98 DB 47 72 E3 64 78 F8 E1 9B 448 0F 37 12 05 F6 A9 A9 3A 27 3F 51 DF 37 12 28 88` 450 KangarooTwelve(M=ptn(17**2 bytes), C=`00`^0, 32): 451 `0C 31 5E BC DE DB F6 14 26 DE 7D CF 8F B7 25 D1 452 E7 46 75 D7 F5 32 7A 50 67 F3 67 B1 08 EC B6 7C` 454 KangarooTwelve(M=ptn(17**3 bytes), C=`00`^0, 32): 455 `CB 55 2E 2E C7 7D 99 10 70 1D 57 8B 45 7D DF 77 456 2C 12 E3 22 E4 EE 7F E4 17 F9 2C 75 8F 0D 59 D0` 458 KangarooTwelve(M=ptn(17**4 bytes), C=`00`^0, 32): 459 `87 01 04 5E 22 20 53 45 FF 4D DA 05 55 5C BB 5C 460 3A F1 A7 71 C2 B8 9B AE F3 7D B4 3D 99 98 B9 FE` 462 KangarooTwelve(M=ptn(17**5 bytes), C=`00`^0, 32): 463 `84 4D 61 09 33 B1 B9 96 3C BD EB 5A E3 B6 B0 5C 464 C7 CB D6 7C EE DF 88 3E B6 78 A0 A8 E0 37 16 82` 466 KangarooTwelve(M=ptn(17**6 bytes), C=`00`^0, 32): 467 `3C 39 07 82 A8 A4 E8 9F A6 36 7F 72 FE AA F1 32 468 55 C8 D9 58 78 48 1D 3C D8 CE 85 F5 8E 88 0A F8` 470 KangarooTwelve(M=`00`^0, C=ptn(1 bytes), 32): 471 `FA B6 58 DB 63 E9 4A 24 61 88 BF 7A F6 9A 13 30 472 45 F4 6E E9 84 C5 6E 3C 33 28 CA AF 1A A1 A5 83` 474 KangarooTwelve(M=`FF`, C=ptn(41 bytes), 32): 475 `D8 48 C5 06 8C ED 73 6F 44 62 15 9B 98 67 FD 4C 476 20 B8 08 AC C3 D5 BC 48 E0 B0 6B A0 A3 76 2E C4` 478 KangarooTwelve(M=`FF FF FF`, C=ptn(41**2), 32): 479 `C3 89 E5 00 9A E5 71 20 85 4C 2E 8C 64 67 0A C0 480 13 58 CF 4C 1B AF 89 44 7A 72 42 34 DC 7C ED 74` 482 KangarooTwelve(M=`FF FF FF FF FF FF FF`, C=ptn(41**3 bytes), 32): 483 `75 D2 F8 6A 2E 64 45 66 72 6B 4F BC FC 56 57 B9 484 DB CF 07 0C 7B 0D CA 06 45 0A B2 91 D7 44 3B CF` 486 4. IANA Considerations 488 None. 490 5. Security Considerations 492 This document is meant to serve as a stable reference and an 493 implementation guide for the KangarooTwelve eXtendable Output 494 Function. It relies on the cryptanalysis of Keccak and provides with 495 the same security strength as SHAKE128, i.e., 128 bits of security 496 against all attacks. 498 To be more precise, KangarooTwelve is made of two layers: 500 o The inner function F. This layer relies on cryptanalysis. 501 KangarooTwelve's F function is exactly Keccak[r=1344, c=256] (as 502 in SHAKE128) reduced to 12 rounds. Any reduced-round 503 cryptanalysis on Keccak is also a reduced-round cryptanalysis of 504 KangarooTwelve's F (provided the number of rounds attacked is not 505 higher than 12). 507 o The tree hashing over F. This layer is a mode on top of F that 508 does not introduce any vulnerability thanks to the use of Sakura 509 coding proven secure in [SAKURA]. 511 This reasoning is detailed and formalized in [K12]. 513 To achieve 128-bit security strength, the output L must be chosen 514 long enough so that there are no generic attacks that violate 128-bit 515 security. So for 128-bit (second) preimage security the output 516 should be at least 128 bits, for 128-bit of security against multi- 517 target preimage attacks with T targets the output should be at least 518 128+log_2(T) bits and for 128-bit collision security the output 519 should be at least 256 bits. 521 Furthermore, when the output length is at least 256 bits, 522 KangarooTwelve achieves NIST's post-quantum security level 2 523 [NISTPQ]. 525 Implementing a MAC with KangarooTwelve SHOULD use a HASH-then-MAC 526 construction. This document recommends a method called HopMAC, 527 defined as follows: 529 HopMAC(Key, M, C, L) = K12(Key, K12(M, C, 32), L) 531 Similarly to HMAC, HopMAC consists of two calls: an inner call 532 compressing the message M and the optional customization string C to 533 a digest, and an outer call computing the tag from the key and the 534 digest. 536 Unlike HMAC, the inner call to KangarooTwelve in HopMAC is keyless 537 and does not require additional protection against side channel 538 attacks (SCA). Consequently, in an implementation that has to 539 protect the HopMAC key against SCA only the outer call does need 540 protection, and this amounts to a single execution of the underlying 541 permutation. 543 6. References 545 6.1. Normative References 547 [FIPS202] National Institute of Standards and Technology, "FIPS PUB 548 202 - SHA-3 Standard: Permutation-Based Hash and 549 Extendable-Output Functions", 550 WWW http://dx.doi.org/10.6028/NIST.FIPS.202, August 2015. 552 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 553 Requirement Levels", BCP 14, RFC 2119, 554 DOI 10.17487/RFC2119, March 1997, 555 . 557 [SP800-185] 558 National Institute of Standards and Technology, "NIST 559 Special Publication 800-185 SHA-3 Derived Functions: 560 cSHAKE, KMAC, TupleHash and ParallelHash", 561 WWW https://doi.org/10.6028/NIST.SP.800-185, December 562 2016. 564 6.2. Informative References 566 [K12] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., and 567 R. Van Keer, "KangarooTwelve: fast hashing based on 568 Keccak-p", WWW https://link.springer.com/ 569 chapter/10.1007/978-3-319-93387-0_21, 570 WWW http://eprint.iacr.org/2016/770.pdf, July 2018. 572 [KECCAK_CRYPTANALYSIS] 573 Keccak Team, "Summary of Third-party cryptanalysis of 574 Keccak", WWW https://www.keccak.team/third_party.html, 575 2017. 577 [NISTPQ] National Institute of Standards and Technology, 578 "Submission Requirements and Evaluation Criteria for the 579 Post-Quantum Cryptography Standardization Process", WWW 580 https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum- 581 Cryptography/documents/call-for-proposals-final-dec- 582 2016.pdf, December 2016. 584 [SAKURA] Bertoni, G., Daemen, J., Peeters, M., and G. Van Assche, 585 "Sakura: a flexible coding for tree hashing", WWW 586 https://link.springer.com/ 587 chapter/10.1007/978-3-319-07536-5_14, 588 WWW http://eprint.iacr.org/2013/231.pdf, June 2014. 590 [XKCP] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., and 591 R. Van Keer, "eXtended Keccak Code Package", 592 WWW https://github.com/XKCP/XKCP, September 2018. 594 Appendix A. Pseudocode 596 The sub-sections of this appendix contain pseudocode definitions of 597 KangarooTwelve. A standalone Python version is also available in the 598 Keccak Code Package [XKCP] and in [K12] 600 A.1. Keccak-p[1600,n_r=12] 602 KP(state): 603 RC[0] = `8B 80 00 80 00 00 00 00` 604 RC[1] = `8B 00 00 00 00 00 00 80` 605 RC[2] = `89 80 00 00 00 00 00 80` 606 RC[3] = `03 80 00 00 00 00 00 80` 607 RC[4] = `02 80 00 00 00 00 00 80` 608 RC[5] = `80 00 00 00 00 00 00 80` 609 RC[6] = `0A 80 00 00 00 00 00 00` 610 RC[7] = `0A 00 00 80 00 00 00 80` 611 RC[8] = `81 80 00 80 00 00 00 80` 612 RC[9] = `80 80 00 00 00 00 00 80` 613 RC[10] = `01 00 00 80 00 00 00 00` 614 RC[11] = `08 80 00 80 00 00 00 80` 616 for x from 0 to 4 617 for y from 0 to 4 618 lanes[x][y] = state[8*(x+5*y):8*(x+5*y)+8] 620 for round from 0 to 11 621 # theta 622 for x from 0 to 4 623 C[x] = lanes[x][0] 624 C[x] ^= lanes[x][1] 625 C[x] ^= lanes[x][2] 626 C[x] ^= lanes[x][3] 627 C[x] ^= lanes[x][4] 628 for x from 0 to 4 629 D[x] = C[(x+4) mod 5] ^ ROL64(C[(x+1) mod 5], 1) 630 for y from 0 to 4 631 for x from 0 to 4 632 lanes[x][y] = lanes[x][y]^D[x] 634 # rho and pi 635 (x, y) = (1, 0) 636 current = lanes[x][y] 637 for t from 0 to 23 638 (x, y) = (y, (2*x+3*y) mod 5) 639 (current, lanes[x][y]) = 640 (lanes[x][y], ROL64(current, (t+1)*(t+2)/2)) 642 # chi 643 for y from 0 to 4 644 for x from 0 to 4 645 T[x] = lanes[x][y] 646 for x from 0 to 4 647 lanes[x][y] = T[x] ^((not T[(x+1) mod 5]) & T[(x+2) mod 5]) 649 # iota 650 lanes[0][0] ^= RC[round] 652 state = `00`^0 653 for x from 0 to 4 654 for y from 0 to 4 655 state = state || lanes[x][y] 657 return state 658 end 660 where ROL64(x, y) is a rotation of the 'x' 64-bit word toward the 661 bits with higher indexes by 'y' positions. The 8-bytes byte-string x 662 is interpreted as a 64-bit word in little-endian format. 664 A.2. KangarooTwelve 666 KangarooTwelve(inputMessage, customString, outputByteLen): 667 S = inputMessage || customString 668 S = S || length_encode( |customString| ) 670 if |S| <= 8192 671 return F(S || `07`, outputByteLen) 672 else 673 # === Kangaroo hopping === 674 FinalNode = S[0:8192] || `03` || `00`^7 675 offset = 8192 676 numBlock = 0 677 while offset < |S| 678 blockSize = min( |S| - offset, 8192) 679 CV = F(S[offset : offset + blockSize] || `0B`, 32) 680 FinalNode = FinalNode || CV 681 numBlock += 1 682 offset += blockSize 684 FinalNode = FinalNode || length_encode( numBlock ) || `FF FF` 686 return F(FinalNode || `06`, outputByteLen) 687 end 689 Authors' Addresses 691 Benoit Viguier 692 Radboud University 693 Toernooiveld 212 694 Nijmegen 695 The Netherlands 697 EMail: b.viguier@cs.ru.nl 699 David Wong (editor) 700 Facebook 702 EMail: davidwong.crypto@gmail.com 704 Gilles Van Assche (editor) 705 STMicroelectronics 707 EMail: gilles.vanassche@st.com 709 Quynh Dang (editor) 710 National Institute of Standards and Technology 712 EMail: quynh.dang@nist.gov 714 Joan Daemen (editor) 715 Radboud University 717 EMail: joan@cs.ru.nl