idnits 2.17.1 draft-irtf-cfrg-kangarootwelve-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == There is 1 instance of lines with non-ascii characters in the document. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([FIPS202]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 201 has weird spacing: '... input byte-...' == Line 203 has weird spacing: '...ByteLen posit...' -- The document date (22 August 2021) is 977 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'FIPS 202' is mentioned on line 27, but not defined -- Looks like a reference, but probably isn't: '1600' on line 190 -- Looks like a reference, but probably isn't: '0' on line 655 -- Looks like a reference, but probably isn't: '1' on line 629 -- Looks like a reference, but probably isn't: '2' on line 630 -- Looks like a reference, but probably isn't: '3' on line 631 -- Looks like a reference, but probably isn't: '4' on line 632 -- Looks like a reference, but probably isn't: '5' on line 613 -- Looks like a reference, but probably isn't: '6' on line 614 -- Looks like a reference, but probably isn't: '7' on line 615 -- Looks like a reference, but probably isn't: '8' on line 616 -- Looks like a reference, but probably isn't: '9' on line 617 -- Looks like a reference, but probably isn't: '10' on line 618 -- Looks like a reference, but probably isn't: '11' on line 619 Summary: 1 error (**), 0 flaws (~~), 5 warnings (==), 15 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Crypto Forum B. Viguier 3 Internet-Draft Radboud University 4 Intended status: Informational D. Wong, Ed. 5 Expires: 23 February 2022 Facebook 6 G. Van Assche, Ed. 7 STMicroelectronics 8 Q. Dang, Ed. 9 NIST 10 J. Daemen, Ed. 11 Radboud University 12 22 August 2021 14 KangarooTwelve 15 draft-irtf-cfrg-kangarootwelve-06 17 Abstract 19 This document defines the KangarooTwelve eXtendable Output Function 20 (XOF), a hash function with output of arbitrary length. It provides 21 an efficient and secure hashing primitive, which is able to exploit 22 the parallelism of the implementation in a scalable way. It uses 23 tree hashing over a round-reduced version of SHAKE128 as underlying 24 primitive. 26 This document builds up on the definitions of the permutations and of 27 the sponge construction in [FIPS 202], and is meant to serve as a 28 stable reference and an implementation guide. 30 Status of This Memo 32 This Internet-Draft is submitted in full conformance with the 33 provisions of BCP 78 and BCP 79. 35 Internet-Drafts are working documents of the Internet Engineering 36 Task Force (IETF). Note that other groups may also distribute 37 working documents as Internet-Drafts. The list of current Internet- 38 Drafts is at https://datatracker.ietf.org/drafts/current/. 40 Internet-Drafts are draft documents valid for a maximum of six months 41 and may be updated, replaced, or obsoleted by other documents at any 42 time. It is inappropriate to use Internet-Drafts as reference 43 material or to cite them other than as "work in progress." 45 This Internet-Draft will expire on 23 February 2022. 47 Copyright Notice 49 Copyright (c) 2021 IETF Trust and the persons identified as the 50 document authors. All rights reserved. 52 This document is subject to BCP 78 and the IETF Trust's Legal 53 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 54 license-info) in effect on the date of publication of this document. 55 Please review these documents carefully, as they describe your rights 56 and restrictions with respect to this document. Code Components 57 extracted from this document must include Simplified BSD License text 58 as described in Section 4.e of the Trust Legal Provisions and are 59 provided without warranty as described in the Simplified BSD License. 61 Table of Contents 63 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 64 1.1. Conventions . . . . . . . . . . . . . . . . . . . . . . . 3 65 2. Specifications . . . . . . . . . . . . . . . . . . . . . . . 4 66 2.1. Inner function F . . . . . . . . . . . . . . . . . . . . 5 67 2.2. Tree hashing over F . . . . . . . . . . . . . . . . . . . 6 68 2.3. length_encode( x ) . . . . . . . . . . . . . . . . . . . 9 69 3. Test vectors . . . . . . . . . . . . . . . . . . . . . . . . 9 70 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 71 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 72 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 73 6.1. Normative References . . . . . . . . . . . . . . . . . . 13 74 6.2. Informative References . . . . . . . . . . . . . . . . . 13 75 Appendix A. Pseudocode . . . . . . . . . . . . . . . . . . . . . 14 76 A.1. Keccak-p[1600,n_r=12] . . . . . . . . . . . . . . . . . . 14 77 A.2. KangarooTwelve . . . . . . . . . . . . . . . . . . . . . 15 78 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 80 1. Introduction 82 This document defines the KangarooTwelve eXtendable Output Function 83 (XOF) [K12], i.e. a generalization of a hash function that can return 84 an output of arbitrary length. KangarooTwelve is based on a Keccak-p 85 permutation specified in [FIPS202] and has a higher speed than SHAKE 86 and SHA-3. 88 The SHA-3 functions process data in a serial manner and are unable to 89 optimally exploit parallelism available in modern CPU architectures. 90 Similar to ParallelHash [SP800-185], KangarooTwelve splits the input 91 message into fragments to exploit available parallelism. It then 92 applies an inner hash function F on each of them separately before 93 applying F again on the concatenation of the digests. It makes use 94 of Sakura coding for ensuring soundness of the tree hashing mode 96 [SAKURA]. The inner hash function F is a sponge function and uses a 97 round-reduced version of the permutation Keccak-f used in SHA-3, 98 making it faster than ParallelHash. Its security builds up on the 99 scrutiny that Keccak has received since its publication 100 [KECCAK_CRYPTANALYSIS]. 102 With respect to [FIPS202] and [SP800-185] functions, KangarooTwelve 103 features the following advantages: 105 * Unlike SHA3-224, SHA3-256, SHA3-384, SHA3-512, KangarooTwelve has 106 an extendable output. 108 * Unlike any [FIPS202] defined function, similarly to functions 109 defined in [SP800-185], KangarooTwelve allows the use of a 110 customization string. 112 * Unlike any [FIPS202] and [SP800-185] functions but ParallelHash, 113 KangarooTwelve splits the input message into fragments to exploit 114 available parallelism. 116 * Unlike ParallelHash, KangarooTwelve does not have overhead when 117 processing short messages. 119 * The Keccak-f permutation in KangarooTwelve has half the number of 120 rounds of the one used in SHA3, making it faster than any function 121 defined in [FIPS202] and [SP800-185]. 123 1.1. Conventions 125 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 126 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 127 document are to be interpreted as described in RFC 2119 [RFC2119]. 129 The following notations are used throughout the document: 131 `...` denotes a string of bytes given in hexadecimal. For example, 132 `0B 80`. 134 |s| denotes the length of a byte string `s`. For example, |`FF FF`| 135 = 2. 137 `00`^b denotes a byte string consisting of the concatenation of b 138 bytes `00`. For example, `00`^7 = `00 00 00 00 00 00 00`. 140 `00`^0 denotes the empty byte-string. 142 a||b denotes the concatenation of two strings a and b. For example, 143 `10`||`F1` = `10 F1` 145 s[n:m] denotes the selection of bytes from n (inclusive) to m 146 (exclusive) of a string s. The indexing of a byte-string starts 147 at 0. For example, for s = `A5 C6 D7`, s[0:1] = `A5` and s[1:3] = 148 `C6 D7`. 150 s[n:] denotes the selection of bytes from n to the end of a string 151 s. For example, for s = `A5 C6 D7`, s[0:] = `A5 C6 D7` and s[2:] 152 = `D7`. 154 In the following, x and y are byte strings of equal length: 156 x^=y denotes x takes the value x XOR y. 158 x & y denotes x AND y. 160 In the following, x and y are integers: 162 x+=y denotes x takes the value x + y. 164 x-=y denotes x takes the value x - y. 166 x**y denotes the exponentiation of x by y. 168 2. Specifications 170 KangarooTwelve is an eXtendable Output Function (XOF). It takes as 171 input two byte-strings (M, C) and a positive integer L where 173 M byte-string, is the Message and 175 C byte-string, is an OPTIONAL Customization string and 177 L positive integer, the requested number of output bytes. 179 The Customization string MAY serve as domain separation. It is 180 typically a short string such as a name or an identifier (e.g. URI, 181 ODI...) 183 By default, the Customization string is the empty string. For an API 184 that does not support a customization string input, C MUST be the 185 empty string. 187 2.1. Inner function F 189 The inner function F makes use of the permutation Keccak- 190 p[1600,n_r=12], i.e., a version of the permutation Keccak-f[1600] 191 used in SHAKE and SHA-3 instances reduced to its last n_r=12 rounds 192 and specified in FIPS 202, sections 3.3 and 3.4 [FIPS202]. KP 193 denotes this permutation. 195 F is a sponge function calling this permutation KP with a rate of 168 196 bytes or 1344 bits. It follows that F has a capacity of 1600 - 1344 197 = 256 bits or 32 bytes. 199 The sponge function F takes: 201 input byte-string of positive length, the input bytes and 203 outputByteLen positive integer, the length of the output in bytes 205 First non-multiple of 168-bytes-length inputs are padded with zeroes 206 to the next multiple of 168 bytes while inputs multiple of 168 bytes 207 are kept as is. Then a byte `80` is XORed to the last byte of the 208 padded message and the resulting string is split into a sequence of 209 168-byte blocks. 211 Inputs of length 0 bytes do not happen as a result of the tree 212 hashing mode defined in section 2.2. 214 As defined by the sponge construction, the process operates on a 215 state and consists of two phases: the absorbing phase that processes 216 the input and the squeezing phase that produces the output. 218 In the absorbing phase the state is initialized to all-zero. The 219 message blocks are XORed into the first 168 bytes of the state. Each 220 block absorbed is followed with an application of KP to the state. 222 In the squeezing phase output is formed by taking the first 168 bytes 223 of the state, repeated as many times as necessary until outputByteLen 224 bytes are obtained, interleaved with the application of KP to the 225 state. 227 The definition of the function F equivalently implements the pad10*1 228 rule. It assumes an at least one-byte-long input where the last byte 229 is in the `01`-`7F` range, and this is the case in KangarooTwelve. 230 This last byte serves as domain separation and integrates the first 231 bit of padding of the pad10*1 rule (hence it cannot be `00`). 232 Additionally, it must leave room for the second bit of padding (hence 233 it cannot have the MSB set to 1), should it be the last byte of the 234 block. For more details, refer to Section 6.1 of [K12]. 236 A pseudocode version is available as follows: 238 F(input, outputByteLen): 239 offset = 0 240 state = `00`^200 242 # === Absorb complete blocks === 243 while offset < |input| - 168 244 state ^= input[offset : offset + 168] || `00`^32 245 state = KP(state) 246 offset += 168 248 # === Absorb last block and treatment of padding === 249 LastBlockLength = |input| - offset 250 state ^= input[offset:] || `00`^(200-LastBlockLength) 251 state ^= `00`^167 || `80` || `00`^32 252 state = KP(state) 254 # === Squeeze === 255 output = `00`^0 256 while outputByteLen > 168 257 output = output || state[0:168] 258 outputByteLen -= 168 259 state = KP(state) 261 output = output || state[0:outputByteLen] 263 return output 264 end 266 2.2. Tree hashing over F 268 On top of the sponge function F, KangarooTwelve uses a Sakura- 269 compatible tree hash mode [SAKURA]. First, merge M and the OPTIONAL 270 C to a single input string S in a reversible way. length_encode( |C| 271 ) gives the length in bytes of C as a byte-string. See Section 2.3. 273 S = M || C || length_encode( |C| ) 275 Then, split S into n chunks of 8192 bytes. 277 S = S_0 || .. || S_(n-1) 278 |S_0| = .. = |S_(n-2)| = 8192 bytes 279 |S_(n-1)| <= 8192 bytes 281 From S_1 .. S_(n-1), compute the 32-byte Chaining Values CV_1 .. 282 CV_(n-1). In order to be optimally efficient, this computation 283 SHOULD exploit the parallelism available on the platform such as SIMD 284 instructions. 286 CV_i = F( S_i||`0B`, 32 ) 288 Compute the final node: FinalNode. 290 * If |S| <= 8192 bytes, FinalNode = S 292 * Otherwise compute FinalNode as follows: 294 FinalNode = S_0 || `03 00 00 00 00 00 00 00` 295 FinalNode = FinalNode || CV_1 296 .. 297 FinalNode = FinalNode || CV_(n-1) 298 FinalNode = FinalNode || length_encode(n-1) 299 FinalNode = FinalNode || `FF FF` 301 Finally, KangarooTwelve output is retrieved: 303 * If |S| <= 8192 bytes, from F( FinalNode||`07`, L ) 305 KangarooTwelve( M, C, L ) = F( FinalNode||`07`, L ) 307 * Otherwise from F( FinalNode||`06`, L ) 309 KangarooTwelve( M, C, L ) = F( FinalNode||`06`, L ) 311 The following figure illustrates the computation flow of 312 KangarooTwelve for |S| <= 8192 bytes: 314 +--------------+ F(..||`07`, L) 315 | S |-----------------> output 316 +--------------+ 318 The following figure illustrates the computation flow of 319 KangarooTwelve for |S| > 8192 bytes and where length_encode( x ) is 320 abbreviated as l_e( x ): 322 +--------------+ 323 | S_0 | 324 +--------------+ 325 || 326 +--------------+ 327 | `03`||`00`^7 | 328 +--------------+ 329 || 330 +---------+ F(..||`0B`,32) +--------------+ 331 | S_1 |----------------->| CV_1 | 332 +---------+ +--------------+ 333 || 334 +---------+ F(..||`0B`,32) +--------------+ 335 | S_2 |----------------->| CV_2 | 336 +---------+ +--------------+ 337 || 338 ... ... 339 || 340 +---------+ F(..||`0B`,32) +--------------+ 341 | S_(n-1) |----------------->| CV_(n-1) | 342 +---------+ +--------------+ 343 || 344 +--------------+ 345 | l_e( n-1 ) | 346 +--------------+ 347 || 348 +--------------+ F(..||`06`, L) 349 | `FF FF` |-----------------> output 350 +--------------+ 352 A pseudocode version is provided in Appendix A.2. 354 The table below gathers the values of the domain separation bytes 355 used by the tree hash mode: 357 +--------------------+------------------+ 358 | Type | Byte | 359 +--------------------+------------------+ 360 | SingleNode | `07` | 361 | | | 362 | IntermediateNode | `0B` | 363 | | | 364 | FinalNode | `06` | 365 +--------------------+------------------+ 367 2.3. length_encode( x ) 369 The function length_encode takes as inputs a non negative integer x < 370 256**255 and outputs a string of bytes x_(n-1) || .. || x_0 || n 371 where 373 x = sum from i=0..n-1 of 256**i * x_i 375 and where n is the smallest non-negative integer such that x < 376 256**n. n is also the length of x_(n-1) || .. || x_0. 378 As example, length_encode(0) = `00`, length_encode(12) = `0C 01` and 379 length_encode(65538) = `01 00 02 03` 381 A pseudocode version is as follows. 383 length_encode(x): 384 S = `00`^0 386 while x > 0 387 S = x mod 256 || S 388 x = x / 256 390 S = S || length(S) 392 return S 393 end 395 3. Test vectors 397 Test vectors are based on the repetition of the pattern `00 01 .. FA` 398 with a specific length. ptn(n) defines a string by repeating the 399 pattern `00 01 .. FA` as many times as necessary and truncated to n 400 bytes e.g. 402 Pattern for a length of 17 bytes: 403 ptn(17) = 404 `00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10` 406 Pattern for a length of 17**2 bytes: 407 ptn(17**2) = 408 `00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 409 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 410 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 411 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F 412 40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 413 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 414 60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 415 70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F 416 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 417 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F 418 A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF 419 B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF 420 C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 421 D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF 422 E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF 423 F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA 424 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 425 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 426 20 21 22 23 24 25` 428 KangarooTwelve(M=`00`^0, C=`00`^0, 32): 429 `1A C2 D4 50 FC 3B 42 05 D1 9D A7 BF CA 1B 37 51 430 3C 08 03 57 7A C7 16 7F 06 FE 2C E1 F0 EF 39 E5` 432 KangarooTwelve(M=`00`^0, C=`00`^0, 64): 433 `1A C2 D4 50 FC 3B 42 05 D1 9D A7 BF CA 1B 37 51 434 3C 08 03 57 7A C7 16 7F 06 FE 2C E1 F0 EF 39 E5 435 42 69 C0 56 B8 C8 2E 48 27 60 38 B6 D2 92 96 6C 436 C0 7A 3D 46 45 27 2E 31 FF 38 50 81 39 EB 0A 71` 438 KangarooTwelve(M=`00`^0, C=`00`^0, 10032), last 32 bytes: 439 `E8 DC 56 36 42 F7 22 8C 84 68 4C 89 84 05 D3 A8 440 34 79 91 58 C0 79 B1 28 80 27 7A 1D 28 E2 FF 6D` 442 KangarooTwelve(M=ptn(1 bytes), C=`00`^0, 32): 443 `2B DA 92 45 0E 8B 14 7F 8A 7C B6 29 E7 84 A0 58 444 EF CA 7C F7 D8 21 8E 02 D3 45 DF AA 65 24 4A 1F` 446 KangarooTwelve(M=ptn(17 bytes), C=`00`^0, 32): 447 `6B F7 5F A2 23 91 98 DB 47 72 E3 64 78 F8 E1 9B 448 0F 37 12 05 F6 A9 A9 3A 27 3F 51 DF 37 12 28 88` 450 KangarooTwelve(M=ptn(17**2 bytes), C=`00`^0, 32): 451 `0C 31 5E BC DE DB F6 14 26 DE 7D CF 8F B7 25 D1 452 E7 46 75 D7 F5 32 7A 50 67 F3 67 B1 08 EC B6 7C` 454 KangarooTwelve(M=ptn(17**3 bytes), C=`00`^0, 32): 455 `CB 55 2E 2E C7 7D 99 10 70 1D 57 8B 45 7D DF 77 456 2C 12 E3 22 E4 EE 7F E4 17 F9 2C 75 8F 0D 59 D0` 458 KangarooTwelve(M=ptn(17**4 bytes), C=`00`^0, 32): 459 `87 01 04 5E 22 20 53 45 FF 4D DA 05 55 5C BB 5C 460 3A F1 A7 71 C2 B8 9B AE F3 7D B4 3D 99 98 B9 FE` 462 KangarooTwelve(M=ptn(17**5 bytes), C=`00`^0, 32): 463 `84 4D 61 09 33 B1 B9 96 3C BD EB 5A E3 B6 B0 5C 464 C7 CB D6 7C EE DF 88 3E B6 78 A0 A8 E0 37 16 82` 466 KangarooTwelve(M=ptn(17**6 bytes), C=`00`^0, 32): 467 `3C 39 07 82 A8 A4 E8 9F A6 36 7F 72 FE AA F1 32 468 55 C8 D9 58 78 48 1D 3C D8 CE 85 F5 8E 88 0A F8` 470 KangarooTwelve(M=`00`^0, C=ptn(1 bytes), 32): 471 `FA B6 58 DB 63 E9 4A 24 61 88 BF 7A F6 9A 13 30 472 45 F4 6E E9 84 C5 6E 3C 33 28 CA AF 1A A1 A5 83` 474 KangarooTwelve(M=`FF`, C=ptn(41 bytes), 32): 475 `D8 48 C5 06 8C ED 73 6F 44 62 15 9B 98 67 FD 4C 476 20 B8 08 AC C3 D5 BC 48 E0 B0 6B A0 A3 76 2E C4` 478 KangarooTwelve(M=`FF FF FF`, C=ptn(41**2), 32): 479 `C3 89 E5 00 9A E5 71 20 85 4C 2E 8C 64 67 0A C0 480 13 58 CF 4C 1B AF 89 44 7A 72 42 34 DC 7C ED 74` 482 KangarooTwelve(M=`FF FF FF FF FF FF FF`, C=ptn(41**3 bytes), 32): 483 `75 D2 F8 6A 2E 64 45 66 72 6B 4F BC FC 56 57 B9 484 DB CF 07 0C 7B 0D CA 06 45 0A B2 91 D7 44 3B CF` 486 4. IANA Considerations 488 None. 490 5. Security Considerations 492 This document is meant to serve as a stable reference and an 493 implementation guide for the KangarooTwelve eXtendable Output 494 Function. It relies on the cryptanalysis of Keccak and provides with 495 the same security strength as SHAKE128, i.e., 128 bits of security 496 against all attacks. 498 To be more precise, KangarooTwelve is made of two layers: 500 * The inner function F. This layer relies on cryptanalysis. 501 KangarooTwelve's F function is exactly Keccak[r=1344, c=256] (as 502 in SHAKE128) reduced to 12 rounds. Any reduced-round 503 cryptanalysis on Keccak is also a reduced-round cryptanalysis of 504 KangarooTwelve's F (provided the number of rounds attacked is not 505 higher than 12). 507 * The tree hashing over F. This layer is a mode on top of F that 508 does not introduce any vulnerability thanks to the use of Sakura 509 coding proven secure in [SAKURA]. 511 This reasoning is detailed and formalized in [K12]. 513 To achieve 128-bit security strength, the output L must be chosen 514 long enough so that there are no generic attacks that violate 128-bit 515 security. So for 128-bit (second) preimage security the output 516 should be at least 128 bits, for 128-bit of security against multi- 517 target preimage attacks with T targets the output should be at least 518 128+log_2(T) bits and for 128-bit collision security the output 519 should be at least 256 bits. 521 Furthermore, when the output length is at least 256 bits, 522 KangarooTwelve achieves NIST's post-quantum security level 2 523 [NISTPQ]. 525 Implementing a MAC with KangarooTwelve SHOULD use a HASH-then-MAC 526 construction. This document recommends a method called HopMAC, 527 defined as follows: 529 HopMAC(Key, M, C, L) = K12(Key, K12(M, C, 32), L) 531 Similarly to HMAC, HopMAC consists of two calls: an inner call 532 compressing the message M and the optional customization string C to 533 a digest, and an outer call computing the tag from the key and the 534 digest. 536 Unlike HMAC, the inner call to KangarooTwelve in HopMAC is keyless 537 and does not require additional protection against side channel 538 attacks (SCA). Consequently, in an implementation that has to 539 protect the HopMAC key against SCA only the outer call does need 540 protection, and this amounts to a single execution of the underlying 541 permutation. 543 In any case, KangarooTwelve MAY be used to compute a MAC with the key 544 reversibly prepended or appended to the input. For instance, one MAY 545 compute a MAC on short messages simply calling KangarooTwelve with 546 the key as the customization string, i.e., MAC = K12(M, Key, L). 548 6. References 550 6.1. Normative References 552 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 553 Requirement Levels", BCP 14, RFC 2119, 554 DOI 10.17487/RFC2119, March 1997, 555 . 557 [FIPS202] National Institute of Standards and Technology, "FIPS PUB 558 202 - SHA-3 Standard: Permutation-Based Hash and 559 Extendable-Output Functions", 560 WWW http://dx.doi.org/10.6028/NIST.FIPS.202, August 2015. 562 [SP800-185] 563 National Institute of Standards and Technology, "NIST 564 Special Publication 800-185 SHA-3 Derived Functions: 565 cSHAKE, KMAC, TupleHash and ParallelHash", 566 WWW https://doi.org/10.6028/NIST.SP.800-185, December 567 2016. 569 6.2. Informative References 571 [K12] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., and 572 R. Van Keer, "KangarooTwelve: fast hashing based on 573 Keccak-p", WWW https://link.springer.com/ 574 chapter/10.1007/978-3-319-93387-0_21, 575 WWW http://eprint.iacr.org/2016/770.pdf, July 2018. 577 [SAKURA] Bertoni, G., Daemen, J., Peeters, M., and G. Van Assche, 578 "Sakura: a flexible coding for tree hashing", WWW 579 https://link.springer.com/ 580 chapter/10.1007/978-3-319-07536-5_14, 581 WWW http://eprint.iacr.org/2013/231.pdf, June 2014. 583 [KECCAK_CRYPTANALYSIS] 584 Keccak Team, "Summary of Third-party cryptanalysis of 585 Keccak", WWW https://www.keccak.team/third_party.html, 586 2017. 588 [XKCP] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., and 589 R. Van Keer, "eXtended Keccak Code Package", 590 WWW https://github.com/XKCP/XKCP, September 2018. 592 [NISTPQ] National Institute of Standards and Technology, 593 "Submission Requirements and Evaluation Criteria for the 594 Post-Quantum Cryptography Standardization Process", WWW 595 https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum- 596 Cryptography/documents/call-for-proposals-final-dec- 597 2016.pdf, December 2016. 599 Appendix A. Pseudocode 601 The sub-sections of this appendix contain pseudocode definitions of 602 KangarooTwelve. A standalone Python version is also available in the 603 Keccak Code Package [XKCP] and in [K12] 605 A.1. Keccak-p[1600,n_r=12] 607 KP(state): 608 RC[0] = `8B 80 00 80 00 00 00 00` 609 RC[1] = `8B 00 00 00 00 00 00 80` 610 RC[2] = `89 80 00 00 00 00 00 80` 611 RC[3] = `03 80 00 00 00 00 00 80` 612 RC[4] = `02 80 00 00 00 00 00 80` 613 RC[5] = `80 00 00 00 00 00 00 80` 614 RC[6] = `0A 80 00 00 00 00 00 00` 615 RC[7] = `0A 00 00 80 00 00 00 80` 616 RC[8] = `81 80 00 80 00 00 00 80` 617 RC[9] = `80 80 00 00 00 00 00 80` 618 RC[10] = `01 00 00 80 00 00 00 00` 619 RC[11] = `08 80 00 80 00 00 00 80` 621 for x from 0 to 4 622 for y from 0 to 4 623 lanes[x][y] = state[8*(x+5*y):8*(x+5*y)+8] 625 for round from 0 to 11 626 # theta 627 for x from 0 to 4 628 C[x] = lanes[x][0] 629 C[x] ^= lanes[x][1] 630 C[x] ^= lanes[x][2] 631 C[x] ^= lanes[x][3] 632 C[x] ^= lanes[x][4] 633 for x from 0 to 4 634 D[x] = C[(x+4) mod 5] ^ ROL64(C[(x+1) mod 5], 1) 635 for y from 0 to 4 636 for x from 0 to 4 637 lanes[x][y] = lanes[x][y]^D[x] 639 # rho and pi 640 (x, y) = (1, 0) 641 current = lanes[x][y] 642 for t from 0 to 23 643 (x, y) = (y, (2*x+3*y) mod 5) 644 (current, lanes[x][y]) = 645 (lanes[x][y], ROL64(current, (t+1)*(t+2)/2)) 647 # chi 648 for y from 0 to 4 649 for x from 0 to 4 650 T[x] = lanes[x][y] 651 for x from 0 to 4 652 lanes[x][y] = T[x] ^((not T[(x+1) mod 5]) & T[(x+2) mod 5]) 654 # iota 655 lanes[0][0] ^= RC[round] 657 state = `00`^0 658 for x from 0 to 4 659 for y from 0 to 4 660 state = state || lanes[x][y] 662 return state 663 end 665 where ROL64(x, y) is a rotation of the 'x' 64-bit word toward the 666 bits with higher indexes by 'y' positions. The 8-bytes byte-string x 667 is interpreted as a 64-bit word in little-endian format. 669 A.2. KangarooTwelve 670 KangarooTwelve(inputMessage, customString, outputByteLen): 671 S = inputMessage || customString 672 S = S || length_encode( |customString| ) 674 if |S| <= 8192 675 return F(S || `07`, outputByteLen) 676 else 677 # === Kangaroo hopping === 678 FinalNode = S[0:8192] || `03` || `00`^7 679 offset = 8192 680 numBlock = 0 681 while offset < |S| 682 blockSize = min( |S| - offset, 8192) 683 CV = F(S[offset : offset + blockSize] || `0B`, 32) 684 FinalNode = FinalNode || CV 685 numBlock += 1 686 offset += blockSize 688 FinalNode = FinalNode || length_encode( numBlock ) || `FF FF` 690 return F(FinalNode || `06`, outputByteLen) 691 end 693 Authors' Addresses 695 BenoƮt Viguier 696 Radboud University 697 Toernooiveld 212 698 Nijmegen 700 Email: cs.ru.nl@viguier.nl 702 David Wong (editor) 703 Facebook 705 Email: davidwong.crypto@gmail.com 707 Gilles Van Assche (editor) 708 STMicroelectronics 710 Email: gilles.vanassche@st.com 712 Quynh Dang (editor) 713 National Institute of Standards and Technology 714 Email: quynh.dang@nist.gov 716 Joan Daemen (editor) 717 Radboud University 719 Email: joan@cs.ru.nl