idnits 2.17.1

draft-viguier-kangarootwelve-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The abstract seems to contain references ([FIPS202]), which it
     shouldn't. Please replace those with straight textual mentions of the
     documents in question.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 171 has weird spacing: '... input byte-...'

  == Line 173 has weird spacing: '...ByteLen posit...'

  -- The document date (December 14, 2017) is 2318 days in the past. Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '' and '' lines.

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Missing Reference: 'FIPS 202' is mentioned on line 20, but not defined

  -- Looks like a reference, but probably isn't: '1600' on line 160

  -- Looks like a reference, but probably isn't: '0' on line 544

  -- Looks like a reference, but probably isn't: '1' on line 518

  -- Looks like a reference, but probably isn't: '2' on line 519

  -- Looks like a reference, but probably isn't: '3' on line 520

  -- Looks like a reference, but probably isn't: '4' on line 521

  -- Looks like a reference, but probably isn't: '5' on line 502

  -- Looks like a reference, but probably isn't: '6' on line 503

  -- Looks like a reference, but probably isn't: '7' on line 504

  -- Looks like a reference, but probably isn't: '8' on line 505

  -- Looks like a reference, but probably isn't: '9' on line 506

  -- Looks like a reference, but probably isn't: '10' on line 507

  -- Looks like a reference, but probably isn't: '11' on line 508

     Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 15 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2   Internet Research Task Force (IRTF)                           B. Viguier
3   Internet-Draft                                        Radboud University
4   Intended status: Informational                         December 14, 2017
5   Expires: June 17, 2018

7                                KangarooTwelve
8                       draft-viguier-kangarootwelve-01

10  Abstract

12     This document defines the KangarooTwelve eXtendable Output Function
13     (XOF), a hash function with arbitrary output length. It provides an
14     efficient and secure hashing primitive, which is able to exploit the
15     parallelism of the implementation in a scalable way. It uses tree
16     hashing over a round-reduced version of SHAKE128 as underlying
17     primitive.

19     This document builds on the definitions of the permutations and of
20     the sponge construction in [FIPS 202], and is meant to serve as a
21     stable reference and an implementation guide.

23  Status of This Memo

25     This Internet-Draft is submitted in full conformance with the
26     provisions of BCP 78 and BCP 79.

28     Internet-Drafts are working documents of the Internet Engineering
29     Task Force (IETF). Note that other groups may also distribute
30     working documents as Internet-Drafts. The list of current Internet-
31     Drafts is at https://datatracker.ietf.org/drafts/current/.

33     Internet-Drafts are draft documents valid for a maximum of six months
34     and may be updated, replaced, or obsoleted by other documents at any
35     time. It is inappropriate to use Internet-Drafts as reference
36     material or to cite them other than as "work in progress."

38     This Internet-Draft will expire on June 17, 2018.

40  Copyright Notice

42     Copyright (c) 2017 IETF Trust and the persons identified as the
43     document authors. All rights reserved.

45     This document is subject to BCP 78 and the IETF Trust's Legal
46     Provisions Relating to IETF Documents
47     (https://trustee.ietf.org/license-info) in effect on the date of
48     publication of this document. Please review these documents
49     carefully, as they describe your rights and restrictions with respect
50     to this document. Code Components extracted from this document must
51     include Simplified BSD License text as described in Section 4.e of
52     the Trust Legal Provisions and are provided without warranty as
53     described in the Simplified BSD License.

55  Table of Contents

57     1. Introduction
58       1.1. Conventions
59     2. Specifications
60       2.1. Inner function F
61       2.2. Tree hashing over F
62       2.3. length_encode( x )
63     3. Test vectors
64     4. IANA Considerations
65     5. Security Considerations
66     6. References
67       6.1. Normative References
68       6.2. Informative References
69     Appendix A. Pseudo code
70       A.1. Keccak-p[1600,n_r=12]
71       A.2. KangarooTwelve
72     Author's Address

74  1. Introduction

76     This document defines the KangarooTwelve eXtendable Output Function
77     (XOF) [K12], i.e. a generalization of a hash function that can return
78     arbitrary output length. KangarooTwelve is based on a Keccak-p
79     permutation specified in [FIPS202] and aims at higher speed than
80     SHAKE and SHA-3.

82     The SHA-3 functions process data in a serial manner and are unable to
83     optimally exploit parallelism available in modern CPU architectures.
84     KangarooTwelve splits the input message in fragments and applies an
85     inner hash function F on each of them separately. It then applies F
86     again on the concatenation of the digests. It makes use of Sakura
87     coding for ensuring soundness of the tree hashing mode [SAKURA]. The
88     inner hash function F is a sponge function and uses a round-reduced
89     version of the permutation Keccak-f used in SHA-3. Its security
90     builds on the scrutiny that Keccak has received since its
91     publication [KECCAK_CRYPTANALYSIS].

93  1.1. Conventions

95     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
96     "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
97     document are to be interpreted as described in RFC 2119 [RFC2119].

99     The following notations are used throughout the document:

101    `...`  denotes a string of bytes given in hexadecimal. For example,
102       `0B 80`.

104    |s|  denotes the length of a byte string `s`. For example, |`FF FF`|
105       = 2.

107    `00`^b  denotes a byte string consisting of the concatenation of b
108       bytes `00`. For example, `00`^7 = `00 00 00 00 00 00 00`.

110    `00`^0  denotes the empty byte-string.

112    a||b  denotes the concatenation of two strings a and b. For example,
113       `10`||`F1` = `10 F1`.

115    s[n:m]  denotes the selection of bytes from n to m exclusive of a
116       string s. For example, for s = `A5 C6 D7`, s[0:1] = `A5` and
117       s[1:3] = `C6 D7`.

119    s[n:]  denotes the selection of bytes from n to the end of a string
120       s. For example, for s = `A5 C6 D7`, s[0:] = `A5 C6 D7` and s[2:]
121       = `D7`.

123    In the following, x and y are byte strings of equal length:

125    x^=y  denotes x takes the value x XOR y.

127    x & y  denotes x AND y.

129    In the following, x and y are integers:

131    x+=y  denotes x takes the value x + y.

133    x-=y  denotes x takes the value x - y.

135    x**y  denotes x raised to the power y.

137 2. Specifications

139    KangarooTwelve is an eXtendable Output Function (XOF). It takes as
140    an input a couple of byte-strings (M, C) and a positive integer L
141    where

143    M  byte-string, is the Message and

145    C  byte-string, is an OPTIONAL Customization string and

147    L  positive integer, the number of output bytes requested.

149    The Customization string MAY serve as domain separation. It is
150    typically a short string such as a name or an identifier (e.g. URI,
151    OID...)

153    By default, the Customization string is the empty string. For an API
154    that does not support a customization string input, C MUST be the
155    empty string.

157 2.1. Inner function F

159    The inner function F makes use of the permutation Keccak-
160    p[1600,n_r=12], i.e., a version of the permutation Keccak-f[1600]
161    used in SHAKE and SHA-3 instances reduced to its last n_r=12 rounds
162    and specified in FIPS 202, sections 3.3 and 3.4 [FIPS202]. KP
163    denotes this permutation.

165    F is a sponge function calling this permutation KP with a rate of 168
166    bytes or 1344 bits. It follows that F has a capacity of 1600 - 1344
167    = 256 bits or 32 bytes.

169    The sponge function F takes:

171    input          byte-string, the input bytes and

173    outputByteLen  positive integer, the Length of the output in bytes

175    First the message is padded with zeroes to the closest multiple of
176    168 bytes. Then a byte `80` is XORed to the last byte of the padded
177    message, and the resulting string is split into a sequence of
178    168-byte blocks.

180    As defined by the sponge construction, the process operates on a
181    state and consists of two phases.

183    In the absorbing phase the state is initialized to all-zero. The
184    message blocks are XORed into the first 168 bytes of the state. Each
185    block absorbed is followed with an application of KP to the state.

187    In the squeezing phase output is formed by taking the first 168 bytes
188    of the state, repeated as many times as necessary until outputByteLen
189    bytes are obtained, interleaved with the application of KP to the
190    state.

192    This definition of the sponge construction assumes an at least one-
193    byte-long input where the last byte is in the `01`-`7F` range. This
194    is the case in KangarooTwelve.

196    A pseudo-code version is available as follows:

198      F(input, outputByteLen):
199        offset = 0
200        state = `00`^200

202        # === Absorb complete blocks ===
203        while offset < |input| - 168
204            state ^= input[offset : offset + 168] || `00`^32
205            state = KP(state)
206            offset += 168

208        # === Absorb last block and treatment of padding ===
209        LastBlockLength = |input| - offset
210        state ^= input[offset:] || `00`^(200-LastBlockLength)
211        state ^= `00`^167 || `80` || `00`^32
212        state = KP(state)

214        # === Squeeze ===
215        output = `00`^0
216        while outputByteLen > 168
217            output = output || state[0:168]
218            outputByteLen -= 168
219            state = KP(state)

221        output = output || state[0:outputByteLen]

223        return output
224        end

226 2.2. Tree hashing over F

228    On top of the sponge function F, KangarooTwelve uses a Sakura-
229    compatible tree hash mode [SAKURA]. First, merge M and the OPTIONAL
230    C to a single input string S in a reversible way. length_encode( |C|
231    ) gives the length in bytes of C as a byte-string. See Section 2.3.

233        S = M || C || length_encode( |C| )

235    Then, split S into n chunks of 8192 bytes.

237        S = S_0 || .. || S_n-1
238        |S_0| = .. = |S_n-2| = 8192 bytes
239        |S_n-1| <= 8192 bytes

241    From S_1 .. S_n-1, compute the 32-byte Chaining Values CV_1 .. CV_n-
242    1. This computation SHOULD exploit the parallelism available on the
243    platform in order to be optimally efficient.

245        CV_i = F( S_i||`0B`, 32 )

247    Compute the final node: FinalNode.

249    o  If |S| <= 8192 bytes, FinalNode = S

251    o  Otherwise compute FinalNode as follows:

253        FinalNode = S_0 || `03 00 00 00 00 00 00 00`
254        FinalNode = FinalNode || CV_1
255        ..
256        FinalNode = FinalNode || CV_n-1
257        FinalNode = FinalNode || length_encode(n-1)
258        FinalNode = FinalNode || `FF FF`

260    Finally, KangarooTwelve output is retrieved:

262    o  If |S| <= 8192 bytes, from F( FinalNode||`07`, L )

264        KangarooTwelve( M, C, L ) = F( FinalNode||`07`, L )

266    o  Otherwise from F( FinalNode||`06`, L )

268        KangarooTwelve( M, C, L ) = F( FinalNode||`06`, L )

270    The following figure illustrates the computation flow of
271    KangarooTwelve for |S| <= 8192 bytes:

273    +--------------+  F(..||`07`, L)
274    |      S       |-----------------> output
275    +--------------+

277    The following figure illustrates the computation flow of
278    KangarooTwelve for |S| > 8192 bytes:

280                                 +--------------+
281                                 |     S_0      |
282                                 +--------------+
283                                        ||
284                                 +--------------+
285                                 | `03`||`00`^7 |
286                                 +--------------+
287                                        ||
288    +---------+  F(..||`0B`,32)  +--------------+
289    |   S_1   |----------------->|     CV_1     |
290    +---------+                  +--------------+
291                                        ||
292    +---------+  F(..||`0B`,32)  +--------------+
293    |   S_2   |----------------->|     CV_2     |
294    +---------+                  +--------------+
295                                        ||
296        ...                            ...
297                                        ||
298    +---------+  F(..||`0B`,32)  +--------------+
299    |  S_n-1  |----------------->|    CV_n-1    |
300    +---------+                  +--------------+
301                                        ||
302                                 +--------------+
303                                 |   l_e(n-1)   |
304                                 +--------------+
305                                        ||
306                                 +------------+  F(..||`06`, L)
307                                 |  `FF FF`   |-----------------> output
308                                 +------------+

310    We provide a pseudo code version in Appendix A.2.

312    In the table below are gathered the values of the domain separation
313    bytes used by the tree hash mode:

315          +--------------------+------------------+
316          |        Type        |       Byte       |
317          +--------------------+------------------+
318          |     SingleNode     |       `07`       |
319          |                    |                  |
320          |  IntermediateNode  |       `0B`       |
321          |                    |                  |
322          |     FinalNode      |       `06`       |
323          +--------------------+------------------+

325 2.3. length_encode( x )

327    The function length_encode takes as inputs a non-negative integer x <
328    256**255 and outputs a string of bytes x_n-1 || .. || x_0 || n where

330        x = sum from i=0..n-1 of 256**i * x_i

332    and where n is the smallest non-negative integer such that x <
333    256**n. n is also the length of x_n-1 || .. || x_0.

335    As an example, length_encode(0) = `00`, length_encode(12) = `0C 01` and
336    length_encode(65538) = `01 00 02 03`

338    A pseudo code version is as follows.

340      length_encode(x):
341        S = `00`^0

343        while x > 0
344            S = x mod 256 || S
345            x = x / 256

347        S = S || length(S)

349        return S
350        end

352 3. Test vectors

354    Test vectors are based on the repetition of the pattern `00 01 .. FA`
355    with a specific length. ptn(n) defines a string by repeating the
356    pattern `00 01 .. FA` as many times as necessary and truncated to n
357    bytes e.g.

359        Pattern for a length of 17 bytes:
360        ptn(17) =
361          `00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10`

363        Pattern for a length of 17**2 bytes:
364        ptn(17**2) =
365          `00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
366           10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
367           20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F
368           30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F
369           40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F
370           50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F
371           60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F
372           70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F
373           80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
374           90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F
375           A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF
376           B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF
377           C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
378           D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF
379           E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF
380           F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA
381           00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
382           10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
383           20 21 22 23 24 25`

385    KangarooTwelve(M=`00`^0, C=`00`^0, 32):
386      `1A C2 D4 50 FC 3B 42 05 D1 9D A7 BF CA 1B 37 51
387       3C 08 03 57 7A C7 16 7F 06 FE 2C E1 F0 EF 39 E5`

389    KangarooTwelve(M=`00`^0, C=`00`^0, 64):
390      `1A C2 D4 50 FC 3B 42 05 D1 9D A7 BF CA 1B 37 51
391       3C 08 03 57 7A C7 16 7F 06 FE 2C E1 F0 EF 39 E5
392       42 69 C0 56 B8 C8 2E 48 27 60 38 B6 D2 92 96 6C
393       C0 7A 3D 46 45 27 2E 31 FF 38 50 81 39 EB 0A 71`

395    KangarooTwelve(M=`00`^0, C=`00`^0, 10032), last 32 bytes:
396      `E8 DC 56 36 42 F7 22 8C 84 68 4C 89 84 05 D3 A8
397       34 79 91 58 C0 79 B1 28 80 27 7A 1D 28 E2 FF 6D`

399    KangarooTwelve(M=ptn(1 bytes), C=`00`^0, 32):
400      `2B DA 92 45 0E 8B 14 7F 8A 7C B6 29 E7 84 A0 58
401       EF CA 7C F7 D8 21 8E 02 D3 45 DF AA 65 24 4A 1F`

403    KangarooTwelve(M=ptn(17 bytes), C=`00`^0, 32):
404      `6B F7 5F A2 23 91 98 DB 47 72 E3 64 78 F8 E1 9B
405       0F 37 12 05 F6 A9 A9 3A 27 3F 51 DF 37 12 28 88`

407    KangarooTwelve(M=ptn(17**2 bytes), C=`00`^0, 32):
408      `0C 31 5E BC DE DB F6 14 26 DE 7D CF 8F B7 25 D1
409       E7 46 75 D7 F5 32 7A 50 67 F3 67 B1 08 EC B6 7C`

411    KangarooTwelve(M=ptn(17**3 bytes), C=`00`^0, 32):
412      `CB 55 2E 2E C7 7D 99 10 70 1D 57 8B 45 7D DF 77
413       2C 12 E3 22 E4 EE 7F E4 17 F9 2C 75 8F 0D 59 D0`

415    KangarooTwelve(M=ptn(17**4 bytes), C=`00`^0, 32):
416      `87 01 04 5E 22 20 53 45 FF 4D DA 05 55 5C BB 5C
417       3A F1 A7 71 C2 B8 9B AE F3 7D B4 3D 99 98 B9 FE`

419    KangarooTwelve(M=ptn(17**5 bytes), C=`00`^0, 32):
420      `84 4D 61 09 33 B1 B9 96 3C BD EB 5A E3 B6 B0 5C
421       C7 CB D6 7C EE DF 88 3E B6 78 A0 A8 E0 37 16 82`

423    KangarooTwelve(M=ptn(17**6 bytes), C=`00`^0, 32):
424      `3C 39 07 82 A8 A4 E8 9F A6 36 7F 72 FE AA F1 32
425       55 C8 D9 58 78 48 1D 3C D8 CE 85 F5 8E 88 0A F8`

427    KangarooTwelve(M=`00`^0, C=ptn(1 bytes), 32):
428      `FA B6 58 DB 63 E9 4A 24 61 88 BF 7A F6 9A 13 30
429       45 F4 6E E9 84 C5 6E 3C 33 28 CA AF 1A A1 A5 83`

431    KangarooTwelve(M=`FF`, C=ptn(41 bytes), 32):
432      `D8 48 C5 06 8C ED 73 6F 44 62 15 9B 98 67 FD 4C
433       20 B8 08 AC C3 D5 BC 48 E0 B0 6B A0 A3 76 2E C4`

435    KangarooTwelve(M=`FF FF FF`, C=ptn(41**2), 32):
436      `C3 89 E5 00 9A E5 71 20 85 4C 2E 8C 64 67 0A C0
437       13 58 CF 4C 1B AF 89 44 7A 72 42 34 DC 7C ED 74`

439    KangarooTwelve(M=`FF FF FF FF FF FF FF`, C=ptn(41**3 bytes), 32):
440      `75 D2 F8 6A 2E 64 45 66 72 6B 4F BC FC 56 57 B9
441       DB CF 07 0C 7B 0D CA 06 45 0A B2 91 D7 44 3B CF`

443 4. IANA Considerations

445    None.

447 5. Security Considerations

449    This document is meant to serve as a stable reference and an
450    implementation guide for the KangarooTwelve eXtendable Output
451    Function. It makes no assertion as to its security and relies on the
452    cryptanalysis of Keccak [KECCAK_CRYPTANALYSIS].

454 6. References
455 6.1. Normative References

457    [FIPS202]  National Institute of Standards and Technology, "FIPS PUB
458               202 - SHA-3 Standard: Permutation-Based Hash and
459               Extendable-Output Functions",
460               WWW http://dx.doi.org/10.6028/NIST.FIPS.202, August 2015.

462    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
463               Requirement Levels", BCP 14, RFC 2119,
464               DOI 10.17487/RFC2119, March 1997,
465               .

467 6.2. Informative References

469    [K12]      Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., and
470               R. Van Keer, "KangarooTwelve: fast hashing based on
471               Keccak-p", WWW http://eprint.iacr.org/2016/770.pdf, August
472               2016.

474    [KCP]      Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., and
475               R. Van Keer, "Keccak Code Package",
476               WWW https://github.com/KeccakTeam/KeccakCodePackage,
477               December 2017.

479    [KECCAK_CRYPTANALYSIS]
480               Keccak Team, "Summary of Third-party cryptanalysis of
481               Keccak", WWW https://www.keccak.team/third_party.html,
482               2017.

484    [SAKURA]   Bertoni, G., Daemen, J., Peeters, M., and G. Van Assche,
485               "Sakura: a flexible coding for tree hashing",
486               WWW http://eprint.iacr.org/2013/231.pdf, April 2013.

488 Appendix A. Pseudo code

490    The sub-sections of this appendix contain pseudo code definitions of
491    KangarooTwelve. A standalone Python version is also available in the
492    Keccak Code Package [KCP] and in [K12].

494 A.1. Keccak-p[1600,n_r=12]

496    KP(state):
497      RC[0]  = `8B 80 00 80 00 00 00 00`
498      RC[1]  = `8B 00 00 00 00 00 00 80`
499      RC[2]  = `89 80 00 00 00 00 00 80`
500      RC[3]  = `03 80 00 00 00 00 00 80`
501      RC[4]  = `02 80 00 00 00 00 00 80`
502      RC[5]  = `80 00 00 00 00 00 00 80`
503      RC[6]  = `0A 80 00 00 00 00 00 00`
504      RC[7]  = `0A 00 00 80 00 00 00 80`
505      RC[8]  = `81 80 00 80 00 00 00 80`
506      RC[9]  = `80 80 00 00 00 00 00 80`
507      RC[10] = `01 00 00 80 00 00 00 00`
508      RC[11] = `08 80 00 80 00 00 00 80`

510      for x from 0 to 4
511        for y from 0 to 4
512          lanes[x][y] = state[8*(x+5*y):8*(x+5*y)+8]

514      for round from 0 to 11
515        # theta
516        for x from 0 to 4
517          C[x] = lanes[x][0]
518          C[x] ^= lanes[x][1]
519          C[x] ^= lanes[x][2]
520          C[x] ^= lanes[x][3]
521          C[x] ^= lanes[x][4]
522        for x from 0 to 4
523          D[x] = C[(x+4) mod 5] ^ ROL64(C[(x+1) mod 5], 1)
524        for y from 0 to 4
525          for x from 0 to 4
526            lanes[x][y] = lanes[x][y]^D[x]

528        # rho and pi
529        (x, y) = (1, 0)
530        current = lanes[x][y]
531        for t from 0 to 23
532          (x, y) = (y, (2*x+3*y) mod 5)
533          (current, lanes[x][y]) =
534              (lanes[x][y], ROL64(current, (t+1)*(t+2)/2))

536        # chi
537        for y from 0 to 4
538          for x from 0 to 4
539            T[x] = lanes[x][y]
540          for x from 0 to 4
541            lanes[x][y] = T[x] ^((not T[(x+1) mod 5]) & T[(x+2) mod 5])

543        # iota
544        lanes[0][0] ^= RC[round]

546      state = `00`^0
547      for y from 0 to 4   # y outer: lane (x,y) returns to byte 8*(x+5*y)
548        for x from 0 to 4
549          state = state || lanes[x][y]

551      return state
552      end

554    where ROL64(x, y) is a rotation of the 'x' 64-bit word toward the
555    bits with higher indexes by 'y' positions. The 8-bytes byte-string x
556    is interpreted as a 64-bit word in little-endian format.

558 A.2. KangarooTwelve

560    KangarooTwelve(inputMessage, customString, outputByteLen):
561      S = inputMessage || customString
562      S = S || length_encode( |customString| )

564      if |S| <= 8192
565          return F(S || `07`, outputByteLen)
566      else
567          # === Kangaroo hopping ===
568          FinalNode = S[0:8192] || `03` || `00`^7
569          offset = 8192
570          numBlock = 0
571          while offset < |S|
572              blockSize = min( |S| - offset, 8192)
573              CV = F(S[offset : offset + blockSize] || `0B`, 32)
574              FinalNode = FinalNode || CV
575              numBlock += 1
576              offset += blockSize

578          FinalNode = FinalNode || length_encode( numBlock ) || `FF FF`

580          return F(FinalNode || `06`, outputByteLen)
581      end

583 Author's Address

585    Benoit Viguier
586    Radboud University
587    Toernooiveld 212
588    Nijmegen
589    The Netherlands

591    EMail: b.viguier@cs.ru.nl
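
The pseudo code of Sections 2.1 to 2.3 and Appendix A, transcribed into Python as an added example; it is not part of the draft and is not the Keccak Code Package version cited in Appendix A. The function names (`kp`, `F`, `length_encode`, `kangarootwelve`, `ptn`) are this example's own choices; it exercises both the single-node path (|S| <= 8192) and the tree path, so it can be checked against the Section 3 test vectors.

```python
# Added example (not from the draft); function names are this example's own.
RATE, CHUNK, MASK = 168, 8192, (1 << 64) - 1

# Round constants as listed in Appendix A.1 (8-byte little-endian lanes).
RC = [int.from_bytes(bytes.fromhex(h), "little") for h in (
    "8B80008000000000", "8B00000000000080", "8980000000000080",
    "0380000000000080", "0280000000000080", "8000000000000080",
    "0A80000000000000", "0A00008000000080", "8180008000000080",
    "8080000000000080", "0100008000000000", "0880008000000080")]

def rol64(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK

def kp(state):  # Keccak-p[1600, n_r=12] over a 200-byte state
    lanes = [[int.from_bytes(state[8*(x+5*y):8*(x+5*y)+8], "little")
              for y in range(5)] for x in range(5)]
    for rc in RC:
        C = [l[0] ^ l[1] ^ l[2] ^ l[3] ^ l[4] for l in lanes]      # theta
        D = [C[(x+4) % 5] ^ rol64(C[(x+1) % 5], 1) for x in range(5)]
        lanes = [[lanes[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        x, y = 1, 0                                                # rho and pi
        cur = lanes[x][y]
        for t in range(24):
            x, y = y, (2*x + 3*y) % 5
            cur, lanes[x][y] = lanes[x][y], rol64(cur, (t+1)*(t+2)//2)
        for y in range(5):                                         # chi
            T = [lanes[x][y] for x in range(5)]
            for x in range(5):
                lanes[x][y] = T[x] ^ (~T[(x+1) % 5] & T[(x+2) % 5])
        lanes[0][0] ^= rc                                          # iota
    # Lane (x, y) returns to bytes 8*(x+5*y)..+8, so y is the outer index.
    return b"".join(lanes[x][y].to_bytes(8, "little")
                    for y in range(5) for x in range(5))

def F(data, out_len):  # sponge of Section 2.1; data ends with its suffix byte
    state, offset = bytearray(200), 0
    while offset < len(data) - RATE:            # absorb complete blocks
        for i in range(RATE):
            state[i] ^= data[offset + i]
        state, offset = bytearray(kp(state)), offset + RATE
    for i, b in enumerate(data[offset:]):       # absorb last block
        state[i] ^= b
    state[RATE - 1] ^= 0x80                     # padding
    state, out = kp(state), b""
    while out_len > RATE:                       # squeeze
        out, out_len, state = out + state[:RATE], out_len - RATE, kp(state)
    return out + state[:out_len]

def length_encode(x):
    s = b""
    while x > 0:
        s, x = bytes([x % 256]) + s, x // 256
    return s + bytes([len(s)])

def kangarootwelve(msg, custom=b"", out_len=32):
    S = msg + custom + length_encode(len(custom))
    if len(S) <= CHUNK:
        return F(S + b"\x07", out_len)                  # SingleNode
    cvs = [F(S[o:o + CHUNK] + b"\x0b", 32)              # IntermediateNode
           for o in range(CHUNK, len(S), CHUNK)]
    node = (S[:CHUNK] + b"\x03" + bytes(7) + b"".join(cvs)
            + length_encode(len(cvs)) + b"\xff\xff")
    return F(node + b"\x06", out_len)                   # FinalNode

def ptn(n):  # Section 3 pattern: 00 01 .. FA repeated, truncated to n bytes
    pat = bytes(range(0xFB))
    return (pat * (n // len(pat) + 1))[:n]
```

Pure Python is slow for the larger vectors; ptn(17**4), the smallest Section 3 input that takes the tree path, still completes quickly.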