idnits 2.17.1 draft-viguier-kangarootwelve-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([FIPS202]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 194 has weird spacing: '... input byte-...' == Line 196 has weird spacing: '...ByteLen posit...' -- The document date (March 19, 2018) is 2224 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'FIPS 202' is mentioned on line 20, but not defined -- Looks like a reference, but probably isn't: '1600' on line 183 -- Looks like a reference, but probably isn't: '0' on line 584 -- Looks like a reference, but probably isn't: '1' on line 558 -- Looks like a reference, but probably isn't: '2' on line 559 -- Looks like a reference, but probably isn't: '3' on line 560 -- Looks like a reference, but probably isn't: '4' on line 561 -- Looks like a reference, but probably isn't: '5' on line 542 -- Looks like a reference, but probably isn't: '6' on line 543 -- Looks like a reference, but probably isn't: '7' on line 544 -- Looks like a reference, but probably isn't: '8' on line 545 -- Looks like a reference, but probably isn't: '9' on line 546 -- Looks like a reference, but probably isn't: '10' on line 547 -- Looks like a reference, but probably isn't: '11' on line 548 Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 15 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Research Task Force (IRTF) B. Viguier 3 Internet-Draft Radboud University 4 Intended status: Informational March 19, 2018 5 Expires: September 20, 2018 7 KangarooTwelve 8 draft-viguier-kangarootwelve-02 10 Abstract 12 This document defines the KangarooTwelve eXtendable Output Function 13 (XOF), a hash function with arbitrary output length. It provides an 14 efficient and secure hashing primitive, which is able to exploit the 15 parallelism of the implementation in a scalable way. It uses tree 16 hashing over a round-reduced version of SHAKE128 as underlying 17 primitive. 19 This document builds up on the definitions of the permutations and of 20 the sponge construction in [FIPS 202], and is meant to serve as a 21 stable reference and an implementation guide. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on September 20, 2018. 40 Copyright Notice 42 Copyright (c) 2018 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (https://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 1.1. Conventions . . . . . . . . . . . . . . . . . . . . . . . 3 59 2. Specifications . . . . . . . . . . . . . . . . . . . . . . . 4 60 2.1. Inner function F . . . . . . . . . . . . . . . . . . . . 4 61 2.2. Tree hashing over F . . . . . . . . . . . . . . . . . . . 6 62 2.3. length_encode( x ) . . . . . . . . . . . . . . . . . . . 9 63 3. Test vectors . . . . . . . . . . . . . . . . . . . . . . . . 9 64 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 65 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 66 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 67 6.1. Normative References . . . . . . . . . . . . . . . . . . 12 68 6.2. Informative References . . . . . . . . . . . . . . . . . 12 69 Appendix A. Pseudo code . . . . . . . . . . . . . . . . . . . . 13 70 A.1. Keccak-p[1600,n_r=12] . . . . . . . . . . . . . . . . . . 13 71 A.2. KangarooTwelve . . . . . . . . . . . . . . . . . . . . . 14 72 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 15 74 1. Introduction 76 This document defines the KangarooTwelve eXtendable Output Function 77 (XOF) [K12], i.e. a generalization of a hash function that can return 78 arbitrary output length. KangarooTwelve is based on a Keccak-p 79 permutation specified in [FIPS202] and has a higher speed than SHAKE 80 and SHA-3. 82 The SHA-3 functions process data in a serial manner and are unable to 83 optimally exploit parallelism available in modern CPU architectures. 84 Similar to ParallelHash [SP800-185], KangarooTwelve splits the input 85 message in fragments to exploit available parallelism. It then 86 applies an inner hash function F on each of them separately before 87 applying F again on the concatenation of the digests. It makes use 88 of Sakura coding for ensuring soundness of the tree hashing mode 89 [SAKURA]. The inner hash function F is a sponge function and uses a 90 round-reduced version of the permutation Keccak-f used in SHA-3, 91 making it faster than ParallelHash. Its security builds up on the 92 scrutiny that Keccak has received since its publication 93 [KECCAK_CRYPTANALYSIS]. 95 With respect to [FIPS202] and [SP800-185] functions, KangarooTwelve 96 features the following advantages: 98 o Unlike SHA3-224, SHA3-256, SHA3-384, SHA3-512, KangarooTwelve has 99 an extendable output. 101 o Unlike any [FIPS202] defined function, similarly to functions 102 defined in [SP800-185], KangarooTwelve allows the use of a 103 customization string. 105 o Unlike any [FIPS202] and [SP800-185] functions but ParallelHash, 106 KangarooTwelve splits the input message in fragments to exploit 107 available parallelism. 109 o Unlike ParallelHash, KangarooTwelve does not have overhead when 110 processing short messages. 112 o The Keccak-f permutation in KangarooTwelve has half the number of 113 rounds of the one used in SHA3, making it faster than any function 114 defined in [FIPS202] and [SP800-185]. 116 1.1. Conventions 118 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 119 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 120 document are to be interpreted as described in RFC 2119 [RFC2119]. 122 The following notations are used throughout the document: 124 `...` denotes a string of bytes given in hexadecimal. For example, 125 `0B 80`. 127 |s| denotes the length of a byte string `s`. For example, |`FF FF`| 128 = 2. 130 `00`^b denotes a byte string consisting of the concatenation of b 131 bytes `00`. For example, `00`^7 = `00 00 00 00 00 00 00`. 133 `00`^0 denotes the empty byte-string. 135 a||b denotes the concatenation of two strings a and b. For example, 136 `10`||`F1` = `10 F1` 138 s[n:m] denotes the selection of bytes from n to m exclusive of a 139 string s. For example, for s = `A5 C6 D7`, s[0:1] = `A5` and 140 s[1:3] = `C6 D7`. 142 s[n:] denotes the selection of bytes from n to the end of a string 143 s. For example, for s = `A5 C6 D7`, s[0:] = `A5 C6 D7` and s[2:] 144 = `D7`. 146 In the following, x and y are byte strings of equal length: 148 x^=y denotes x takes the value x XOR y. 150 x & y denotes x AND y. 152 In the following, x and y are integers: 154 x+=y denotes x takes the value x + y. 156 x-=y denotes x takes the value x - y. 158 x**y denotes x multiplied by itself y times. 160 2. Specifications 162 KangarooTwelve is an eXtendable Output Function (XOF). It takes as 163 an input a couple of byte-strings (M, C) and a positive integer L 164 where 166 M byte-string, is the Message and 168 C byte-string, is a OPTIONAL Customization string and 170 L positive integer, the number of output bytes requested. 172 The Customization string MAY serves as domain separation. It is 173 typically a short string such as a name or an identifier (e.g. URI, 174 ODI...) 176 By default, the Customization string is the empty string. For an API 177 does that not support a customization string input, C MUST be the 178 empty string. 180 2.1. Inner function F 182 The inner function F makes use of the permutation Keccak- 183 p[1600,n_r=12], i.e., a version of the permutation Keccak-f[1600] 184 used in SHAKE and SHA-3 instances reduced to its last n_r=12 rounds 185 and specified in FIPS 202, sections 3.3 and 3.4 [FIPS202]. KP 186 denotes this permutation. 188 F is a sponge function calling this permutation KP with a rate of 168 189 bytes or 1344 bits. It follows that F has a capacity of 1600 - 1344 190 = 256 bits or 32 bytes. 192 The sponge function F takes: 194 input byte-string, the input bytes and 196 outputByteLen positive integer, the Length of the output in bytes 198 First the message is padded with zeroes to the closest multiple of 199 168 bytes. Then a byte `80` is XORed to the last byte of the padded 200 message. and the resulting string is split into a sequence of 201 168-byte blocks. 203 As defined by the sponge construction, the process operates on a 204 state and consists of two phases. 206 In the absorbing phase the state is initialized to all-zero. The 207 message blocks are XORed into the first 168 bytes of the state. Each 208 block absorbed is followed with an application of KP to the state. 210 In the squeezing phase output is formed by taking the first 168 bytes 211 of the state, repeated as many times as necessary until outputByteLen 212 bytes are obtained, interleaved with the application of KP to the 213 state. 215 This definition of the sponge construction assumes a at least one- 216 byte-long input where the last byte is in the `01`-`7F` range. This 217 is the case in KangarooTwelve. 219 A pseudo-code version is available as follows: 221 F(input, outputByteLen): 222 offset = 0 223 state = `00`^200 225 # === Absorb complete blocks === 226 while offset < |input| - 168 227 state ^= inputBytes[offset : offset + 168] || `00`^32 228 state = KP(state) 229 offset += 168 231 # === Absorb last block and treatment of padding === 232 LastBlockLength = |input| - offset 233 state ^= inputBytes[offset:] || `00`^(200-LastBlockLength) 234 state ^= `00`^167 || `80` || `00`^32 235 state = KP(state) 237 # === Squeeze === 238 output = `00`^0 239 while outputByteLen > 168 240 output = output || state[0:168] 241 outputByteLen -= 168 242 state = KP(state) 244 output = output || state[0:outputByteLen] 246 return output 247 end 249 2.2. Tree hashing over F 251 On top of the sponge function F, KangarooTwelve uses a Sakura- 252 compatible tree hash mode [SAKURA]. First, merge M and the OPTIONAL 253 C to a single input string S in a reversible way. length_encode( |C| 254 ) gives the length in bytes of C as a byte-string. See Section 2.3. 256 S = M || C || length_encode( |C| ) 258 Then, split S into n chunks of 8192 bytes. 260 S = S_0 || .. || S_n-1 261 |S_0| = .. = |S_n-2| = 8192 bytes 262 |S_n-1| <= 8192 bytes 264 From S_1 .. S_n-1, compute the 32-bytes Chaining Values CV_1 .. CV_n- 265 1. This computation SHOULD exploit the parallelism available on the 266 platform in order to be optimally efficient. 268 CV_i = F( S_i||`0B`, 32 ) 270 Compute the final node: FinalNode. 272 o If |S| <= 8192 bytes, FinalNode = S 274 o Otherwise compute FinalNode as follow: 276 FinalNode = S_0 || `03 00 00 00 00 00 00 00` 277 FinalNode = FinalNode || CV_1 278 .. 279 FinalNode = FinalNode || CV_n-1 280 FinalNode = FinalNode || length_encode(n-1) 281 FinalNode = FinalNode || `FF FF` 283 Finally, KangarooTwelve output is retrieved: 285 o If |S| <= 8192 bytes, from F( FinalNode||`07`, L ) 287 KangarooTwelve( M, C, L ) = F( FinalNode||`07`, L ) 289 o Otherwise from F( FinalNode||`06`, L ) 291 KangarooTwelve( M, C, L ) = F( FinalNode||`06`, L ) 293 The following figure illustrates the computation flow of 294 KangarooTwelve for |S| <= 8192 bytes: 296 +--------------+ F(..||`07`, L) 297 | S |-----------------> output 298 +--------------+ 300 The following figure illustrates the computation flow of 301 KangarooTwelve for |S| > 8192 bytes: 303 +--------------+ 304 | S_0 | 305 +--------------+ 306 || 307 +--------------+ 308 | `03`||`00`^7 | 309 +--------------+ 310 || 311 +---------+ F(..||`0B`,32) +--------------+ 312 | S_1 |----------------->| CV_1 | 313 +---------+ +--------------+ 314 || 315 +---------+ F(..||`0B`,32) +--------------+ 316 | S_2 |----------------->| CV_2 | 317 +---------+ +--------------+ 318 || 319 ... ... 320 || 321 +---------+ F(..||`0B`,32) +--------------+ 322 | S_n-1 |----------------->| CV_n-1 | 323 +---------+ +--------------+ 324 || 325 +--------------+ 326 | l_e(n-1) | 327 +--------------+ 328 || 329 +------------+ F(..||`06`, L) 330 | `FF FF` |-----------------> output 331 +------------+ 333 We provide a pseudo code version in Appendix A.2. 335 In the table below are gathered the values of the domain separation 336 bytes used by the tree hash mode: 338 +--------------------+------------------+ 339 | Type | Byte | 340 +--------------------+------------------+ 341 | SingleNode | `07` | 342 | | | 343 | IntermediateNode | `0B` | 344 | | | 345 | FinalNode | `06` | 346 +--------------------+------------------+ 348 2.3. length_encode( x ) 350 The function length_encode takes as inputs a non negative integer x < 351 256**255 and outputs a string of bytes x_n-1 || .. || x_0 || n where 353 x = sum from i=0..n-1 of 256**i * x_i 355 and where n is the smallest non-negative integer such that x < 356 256**n. n is also the length of x_n-1 || .. || x_0. 358 As example, length_encode(0) = `00`, length_encode(12) = `0C 01` and 359 length_encode(65538) = `01 00 02 03` 361 A pseudo code version is as follow. 363 length_encode(x): 364 S = `00`^0 366 while x > 0 367 S = x mod 256 || S 368 x = x / 256 370 S = S || length(S) 372 return S 373 end 375 3. Test vectors 377 Test vectors are based on the repetition of the pattern `00 01 .. FA` 378 with a specific length. ptn(n) defines a string by repeating the 379 pattern `00 01 .. FA` as many times as necessary and truncated to n 380 bytes e.g. 382 Pattern for a length of 17 bytes: 383 ptn(17) = 384 `00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10` 386 Pattern for a length of 17**2 bytes: 387 ptn(17**2) = 388 `00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 389 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 390 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 391 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F 392 40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 393 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 394 60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 395 70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F 396 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 397 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F 398 A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF 399 B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF 400 C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 401 D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF 402 E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF 403 F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA 404 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 405 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 406 20 21 22 23 24 25` 408 KangarooTwelve(M=`00`^0, C=`00`^0, 32): 409 `1A C2 D4 50 FC 3B 42 05 D1 9D A7 BF CA 1B 37 51 410 3C 08 03 57 7A C7 16 7F 06 FE 2C E1 F0 EF 39 E5` 412 KangarooTwelve(M=`00`^0, C=`00`^0, 64): 413 `1A C2 D4 50 FC 3B 42 05 D1 9D A7 BF CA 1B 37 51 414 3C 08 03 57 7A C7 16 7F 06 FE 2C E1 F0 EF 39 E5 415 42 69 C0 56 B8 C8 2E 48 27 60 38 B6 D2 92 96 6C 416 C0 7A 3D 46 45 27 2E 31 FF 38 50 81 39 EB 0A 71` 418 KangarooTwelve(M=`00`^0, C=`00`^0, 10032), last 32 bytes: 419 `E8 DC 56 36 42 F7 22 8C 84 68 4C 89 84 05 D3 A8 420 34 79 91 58 C0 79 B1 28 80 27 7A 1D 28 E2 FF 6D` 422 KangarooTwelve(M=ptn(1 bytes), C=`00`^0, 32): 423 `2B DA 92 45 0E 8B 14 7F 8A 7C B6 29 E7 84 A0 58 424 EF CA 7C F7 D8 21 8E 02 D3 45 DF AA 65 24 4A 1F` 426 KangarooTwelve(M=ptn(17 bytes), C=`00`^0, 32): 427 `6B F7 5F A2 23 91 98 DB 47 72 E3 64 78 F8 E1 9B 428 0F 37 12 05 F6 A9 A9 3A 27 3F 51 DF 37 12 28 88` 430 KangarooTwelve(M=ptn(17**2 bytes), C=`00`^0, 32): 431 `0C 31 5E BC DE DB F6 14 26 DE 7D CF 8F B7 25 D1 432 E7 46 75 D7 F5 32 7A 50 67 F3 67 B1 08 EC B6 7C` 434 KangarooTwelve(M=ptn(17**3 bytes), C=`00`^0, 32): 435 `CB 55 2E 2E C7 7D 99 10 70 1D 57 8B 45 7D DF 77 436 2C 12 E3 22 E4 EE 7F E4 17 F9 2C 75 8F 0D 59 D0` 438 KangarooTwelve(M=ptn(17**4 bytes), C=`00`^0, 32): 439 `87 01 04 5E 22 20 53 45 FF 4D DA 05 55 5C BB 5C 440 3A F1 A7 71 C2 B8 9B AE F3 7D B4 3D 99 98 B9 FE` 442 KangarooTwelve(M=ptn(17**5 bytes), C=`00`^0, 32): 443 `84 4D 61 09 33 B1 B9 96 3C BD EB 5A E3 B6 B0 5C 444 C7 CB D6 7C EE DF 88 3E B6 78 A0 A8 E0 37 16 82` 446 KangarooTwelve(M=ptn(17**6 bytes), C=`00`^0, 32): 447 `3C 39 07 82 A8 A4 E8 9F A6 36 7F 72 FE AA F1 32 448 55 C8 D9 58 78 48 1D 3C D8 CE 85 F5 8E 88 0A F8` 450 KangarooTwelve(M=`00`^0, C=ptn(1 bytes), 32): 451 `FA B6 58 DB 63 E9 4A 24 61 88 BF 7A F6 9A 13 30 452 45 F4 6E E9 84 C5 6E 3C 33 28 CA AF 1A A1 A5 83` 454 KangarooTwelve(M=`FF`, C=ptn(41 bytes), 32): 455 `D8 48 C5 06 8C ED 73 6F 44 62 15 9B 98 67 FD 4C 456 20 B8 08 AC C3 D5 BC 48 E0 B0 6B A0 A3 76 2E C4` 458 KangarooTwelve(M=`FF FF FF`, C=ptn(41**2), 32): 459 `C3 89 E5 00 9A E5 71 20 85 4C 2E 8C 64 67 0A C0 460 13 58 CF 4C 1B AF 89 44 7A 72 42 34 DC 7C ED 74` 462 KangarooTwelve(M=`FF FF FF FF FF FF FF`, C=ptn(41**3 bytes), 32): 463 `75 D2 F8 6A 2E 64 45 66 72 6B 4F BC FC 56 57 B9 464 DB CF 07 0C 7B 0D CA 06 45 0A B2 91 D7 44 3B CF` 466 4. IANA Considerations 468 None. 470 5. Security Considerations 472 This document is meant to serve as a stable reference and an 473 implementation guide for the KangarooTwelve eXtendable Output 474 Function. It relies on the cryptanalysis of Keccak 475 [KECCAK_CRYPTANALYSIS] and provides with the same security strength 476 as SHAKE128, i.e., 128 bits of security against all attacks 478 To achieve 128-bit security strength, the output L must be chosen 479 long enough so that there are no generic attacks that violate 128-bit 480 security. So for 128-bit (second) preimage security the output 481 should be at least 128 bits, for 128-bit of security against multi- 482 target preimage attacks with T targets the output should be at least 483 128+log_2(T) bits and for 128-bit collision security the output 484 should be at least 256 bits. 486 6. References 488 6.1. Normative References 490 [FIPS202] National Institute of Standards and Technology, "FIPS PUB 491 202 - SHA-3 Standard: Permutation-Based Hash and 492 Extendable-Output Functions", 493 WWW http://dx.doi.org/10.6028/NIST.FIPS.202, August 2015. 495 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 496 Requirement Levels", BCP 14, RFC 2119, 497 DOI 10.17487/RFC2119, March 1997, 498 . 500 [SP800-185] 501 National Institute of Standards and Technology, "NIST 502 Special Publication 800-185 SHA-3 Derived Functions: 503 cSHAKE, KMAC, TupleHash and ParallelHash", 504 WWW https://doi.org/10.6028/NIST.SP.800-185, December 505 2016. 507 6.2. Informative References 509 [K12] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., and 510 R. Van Keer, "KangarooTwelve: fast hashing based on 511 Keccak-p", WWW http://eprint.iacr.org/2016/770.pdf, August 512 2016. 514 [KCP] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., and 515 R. Van Keer, "Keccak Code Package", 516 WWW https://github.com/KeccakTeam/KeccakCodePackage, 517 December 2017. 519 [KECCAK_CRYPTANALYSIS] 520 Keccak Team, "Summary of Third-party cryptanalysis of 521 Keccak", WWW https://www.keccak.team/third_party.html, 522 2017. 524 [SAKURA] Bertoni, G., Daemen, J., Peeters, M., and G. Van Assche, 525 "Sakura: a flexible coding for tree hashing", 526 WWW http://eprint.iacr.org/2013/231.pdf, April 2013. 528 Appendix A. Pseudo code 530 The sub-sections of this appendix contain pseudo code definitions of 531 KangarooTwelve. A standalone Python version is also available in the 532 Keccak Code Package [KCP] and in [K12] 534 A.1. Keccak-p[1600,n_r=12] 536 KP(state): 537 RC[0] = `8B 80 00 80 00 00 00 00` 538 RC[1] = `8B 00 00 00 00 00 00 80` 539 RC[2] = `89 80 00 00 00 00 00 80` 540 RC[3] = `03 80 00 00 00 00 00 80` 541 RC[4] = `02 80 00 00 00 00 00 80` 542 RC[5] = `80 00 00 00 00 00 00 80` 543 RC[6] = `0A 80 00 00 00 00 00 00` 544 RC[7] = `0A 00 00 80 00 00 00 80` 545 RC[8] = `81 80 00 80 00 00 00 80` 546 RC[9] = `80 80 00 00 00 00 00 80` 547 RC[10] = `01 00 00 80 00 00 00 00` 548 RC[11] = `08 80 00 80 00 00 00 80` 550 for x from 0 to 4 551 for y from 0 to 4 552 lanes[x][y] = state[8*(x+5*y):8*(x+5*y)+8] 554 for round from 0 to 11 555 # theta 556 for x from 0 to 4 557 C[x] = lanes[x][0] 558 C[x] ^= lanes[x][1] 559 C[x] ^= lanes[x][2] 560 C[x] ^= lanes[x][3] 561 C[x] ^= lanes[x][4] 562 for x from 0 to 4 563 D[x] = C[(x+4) mod 5] ^ ROL64(C[(x+1) mod 5], 1) 564 for y from 0 to 4 565 for x from 0 to 4 566 lanes[x][y] = lanes[x][y]^D[x] 568 # rho and pi 569 (x, y) = (1, 0) 570 current = lanes[x][y] 571 for t from 0 to 23 572 (x, y) = (y, (2*x+3*y) mod 5) 573 (current, lanes[x][y]) = 574 (lanes[x][y], ROL64(current, (t+1)*(t+2)/2)) 576 # chi 577 for y from 0 to 4 578 for x from 0 to 4 579 T[x] = lanes[x][y] 580 for x from 0 to 4 581 lanes[x][y] = T[x] ^((not T[(x+1) mod 5]) & T[(x+2) mod 5]) 583 # iota 584 lanes[0][0] ^= RC[round] 586 state = `00`^0 587 for x from 0 to 4 588 for y from 0 to 4 589 state = state || lanes[x][y] 591 return state 592 end 594 where ROL64(x, y) is a rotation of the 'x' 64-bit word toward the 595 bits with higher indexes by 'y' positions. The 8-bytes byte-string x 596 is interpreted as a 64-bit word in little-endian format. 598 A.2. KangarooTwelve 600 KangarooTwelve(inputMessage, customString, outputByteLen): 601 S = inputMessage || customString 602 S = S || length_encode( |customString| ) 604 if |S| <= 8192 605 return F(S || `07`, outputByteLen) 606 else 607 # === Kangaroo hopping === 608 FinalNode = S[0:8192] || `03` || `00`^7 609 offset = 8192 610 numBlock = 0 611 while offset < |S| 612 blockSize = min( |S| - offset, 8192) 613 CV = F(S[offset : offset + blockSize] || `0B`, 32) 614 FinalNode = FinalNode || CV 615 numBlock += 1 616 offset += blockSize 618 FinalNode = FinalNode || length_encode( numBlock ) || `FF FF` 620 return F(FinalNode || `06`, outputByteLen) 621 end 623 Author's Address 625 Benoit Viguier 626 Radboud University 627 Toernooiveld 212 628 Nijmegen 629 The Netherlands 631 EMail: b.viguier@cs.ru.nl