idnits 2.17.1 draft-viguier-kangarootwelve-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([FIPS202]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 193 has weird spacing: '... input byte-...' == Line 194 has weird spacing: '...ByteLen posit...' -- The document date (February 7, 2019) is 1904 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'FIPS 202' is mentioned on line 20, but not defined -- Looks like a reference, but probably isn't: '1600' on line 182 -- Looks like a reference, but probably isn't: '0' on line 593 -- Looks like a reference, but probably isn't: '1' on line 567 -- Looks like a reference, but probably isn't: '2' on line 568 -- Looks like a reference, but probably isn't: '3' on line 569 -- Looks like a reference, but probably isn't: '4' on line 570 -- Looks like a reference, but probably isn't: '5' on line 551 -- Looks like a reference, but probably isn't: '6' on line 552 -- Looks like a reference, but probably isn't: '7' on line 553 -- Looks like a reference, but probably isn't: '8' on line 554 -- Looks like a reference, but probably isn't: '9' on line 555 -- Looks like a reference, but probably isn't: '10' on line 556 -- Looks like a reference, but probably isn't: '11' on line 557 Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 15 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Research Task Force (IRTF) B. Viguier 3 Internet-Draft Radboud University 4 Intended status: Informational February 7, 2019 5 Expires: August 11, 2019 7 KangarooTwelve 8 draft-viguier-kangarootwelve-04 10 Abstract 12 This document defines the KangarooTwelve eXtendable Output Function 13 (XOF), a hash function with output of arbitrary length. It provides 14 an efficient and secure hashing primitive, which is able to exploit 15 the parallelism of the implementation in a scalable way. It uses 16 tree hashing over a round-reduced version of SHAKE128 as underlying 17 primitive. 19 This document builds up on the definitions of the permutations and of 20 the sponge construction in [FIPS 202], and is meant to serve as a 21 stable reference and an implementation guide. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on August 11, 2019. 40 Copyright Notice 42 Copyright (c) 2019 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (https://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 1.1. Conventions . . . . . . . . . . . . . . . . . . . . . . . 3 59 2. Specifications . . . . . . . . . . . . . . . . . . . . . . . 4 60 2.1. Inner function F . . . . . . . . . . . . . . . . . . . . 4 61 2.2. Tree hashing over F . . . . . . . . . . . . . . . . . . . 6 62 2.3. length_encode( x ) . . . . . . . . . . . . . . . . . . . 9 63 3. Test vectors . . . . . . . . . . . . . . . . . . . . . . . . 9 64 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 65 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 66 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 67 6.1. Normative References . . . . . . . . . . . . . . . . . . 12 68 6.2. Informative References . . . . . . . . . . . . . . . . . 12 69 Appendix A. Pseudo code . . . . . . . . . . . . . . . . . . . . 14 70 A.1. Keccak-p[1600,n_r=12] . . . . . . . . . . . . . . . . . . 14 71 A.2. KangarooTwelve . . . . . . . . . . . . . . . . . . . . . 15 72 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 16 74 1. Introduction 76 This document defines the KangarooTwelve eXtendable Output Function 77 (XOF) [K12], i.e. a generalization of a hash function that can return 78 an output of arbitrary length. KangarooTwelve is based on a Keccak-p 79 permutation specified in [FIPS202] and has a higher speed than SHAKE 80 and SHA-3. 82 The SHA-3 functions process data in a serial manner and are unable to 83 optimally exploit parallelism available in modern CPU architectures. 84 Similar to ParallelHash [SP800-185], KangarooTwelve splits the input 85 message in fragments to exploit available parallelism. It then 86 applies an inner hash function F on each of them separately before 87 applying F again on the concatenation of the digests. It makes use 88 of Sakura coding for ensuring soundness of the tree hashing mode 89 [SAKURA]. The inner hash function F is a sponge function and uses a 90 round-reduced version of the permutation Keccak-f used in SHA-3, 91 making it faster than ParallelHash. Its security builds up on the 92 scrutiny that Keccak has received since its publication 93 [KECCAK_CRYPTANALYSIS]. 95 With respect to [FIPS202] and [SP800-185] functions, KangarooTwelve 96 features the following advantages: 98 o Unlike SHA3-224, SHA3-256, SHA3-384, SHA3-512, KangarooTwelve has 99 an extendable output. 101 o Unlike any [FIPS202] defined function, similarly to functions 102 defined in [SP800-185], KangarooTwelve allows the use of a 103 customization string. 105 o Unlike any [FIPS202] and [SP800-185] functions but ParallelHash, 106 KangarooTwelve splits the input message in fragments to exploit 107 available parallelism. 109 o Unlike ParallelHash, KangarooTwelve does not have overhead when 110 processing short messages. 112 o The Keccak-f permutation in KangarooTwelve has half the number of 113 rounds of the one used in SHA3, making it faster than any function 114 defined in [FIPS202] and [SP800-185]. 116 1.1. Conventions 118 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 119 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 120 document are to be interpreted as described in RFC 2119 [RFC2119]. 122 The following notations are used throughout the document: 124 `...` denotes a string of bytes given in hexadecimal. For example, 125 `0B 80`. 127 |s| denotes the length of a byte string `s`. For example, |`FF FF`| 128 = 2. 130 `00`^b denotes a byte string consisting of the concatenation of b 131 bytes `00`. For example, `00`^7 = `00 00 00 00 00 00 00`. 133 `00`^0 denotes the empty byte-string. 135 a||b denotes the concatenation of two strings a and b. For example, 136 `10`||`F1` = `10 F1` 138 s[n:m] denotes the selection of bytes from n to m exclusive of a 139 string s. For example, for s = `A5 C6 D7`, s[0:1] = `A5` and 140 s[1:3] = `C6 D7`. 142 s[n:] denotes the selection of bytes from n to the end of a string 143 s. For example, for s = `A5 C6 D7`, s[0:] = `A5 C6 D7` and s[2:] 144 = `D7`. 146 In the following, x and y are byte strings of equal length: 148 x^=y denotes x takes the value x XOR y. 150 x & y denotes x AND y. 152 In the following, x and y are integers: 154 x+=y denotes x takes the value x + y. 156 x-=y denotes x takes the value x - y. 158 x**y denotes x multiplied by itself y times. 160 2. Specifications 162 KangarooTwelve is an eXtendable Output Function (XOF). It takes as 163 input two byte-strings (M, C) and a positive integer L where 165 M byte-string, is the Message and 167 C byte-string, is an OPTIONAL Customization string and 169 L positive integer, the number of output bytes requested. 171 The Customization string MAY serve as domain separation. It is 172 typically a short string such as a name or an identifier (e.g. URI, 173 ODI...) 175 By default, the Customization string is the empty string. For an API 176 that does not support a customization string input, C MUST be the 177 empty string. 179 2.1. Inner function F 181 The inner function F makes use of the permutation Keccak- 182 p[1600,n_r=12], i.e., a version of the permutation Keccak-f[1600] 183 used in SHAKE and SHA-3 instances reduced to its last n_r=12 rounds 184 and specified in FIPS 202, sections 3.3 and 3.4 [FIPS202]. KP 185 denotes this permutation. 187 F is a sponge function calling this permutation KP with a rate of 168 188 bytes or 1344 bits. It follows that F has a capacity of 1600 - 1344 189 = 256 bits or 32 bytes. 191 The sponge function F takes: 193 input byte-string, the input bytes and 194 outputByteLen positive integer, the Length of the output in bytes 196 First the message is padded with zeroes to the closest multiple of 197 168 bytes. Then a byte `80` is XORed to the last byte of the padded 198 message. and the resulting string is split into a sequence of 199 168-byte blocks. 201 As defined by the sponge construction, the process operates on a 202 state and consists of two phases. 204 In the absorbing phase the state is initialized to all-zero. The 205 message blocks are XORed into the first 168 bytes of the state. Each 206 block absorbed is followed with an application of KP to the state. 208 In the squeezing phase output is formed by taking the first 168 bytes 209 of the state, repeated as many times as necessary until outputByteLen 210 bytes are obtained, interleaved with the application of KP to the 211 state. 213 This definition of the sponge construction assumes a at least one- 214 byte-long input where the last byte is in the `01`-`7F` range. This 215 is the case in KangarooTwelve. 217 A pseudo-code version is available as follows: 219 F(input, outputByteLen): 220 offset = 0 221 state = `00`^200 223 # === Absorb complete blocks === 224 while offset < |input| - 168 225 state ^= inputBytes[offset : offset + 168] || `00`^32 226 state = KP(state) 227 offset += 168 229 # === Absorb last block and treatment of padding === 230 LastBlockLength = |input| - offset 231 state ^= inputBytes[offset:] || `00`^(200-LastBlockLength) 232 state ^= `00`^167 || `80` || `00`^32 233 state = KP(state) 235 # === Squeeze === 236 output = `00`^0 237 while outputByteLen > 168 238 output = output || state[0:168] 239 outputByteLen -= 168 240 state = KP(state) 242 output = output || state[0:outputByteLen] 244 return output 245 end 247 2.2. Tree hashing over F 249 On top of the sponge function F, KangarooTwelve uses a Sakura- 250 compatible tree hash mode [SAKURA]. First, merge M and the OPTIONAL 251 C to a single input string S in a reversible way. length_encode( |C| 252 ) gives the length in bytes of C as a byte-string. length_encode( x ) 253 may be abbreviated as l_e( x ). See Section 2.3. 255 S = M || C || length_encode( |C| ) 257 Then, split S into n chunks of 8192 bytes. 259 S = S_0 || .. || S_n-1 260 |S_0| = .. = |S_n-2| = 8192 bytes 261 |S_n-1| <= 8192 bytes 263 From S_1 .. S_n-1, compute the 32-bytes Chaining Values CV_1 .. CV_n- 264 1. This computation SHOULD exploit the parallelism available on the 265 platform in order to be optimally efficient. 267 CV_i = F( S_i||`0B`, 32 ) 269 Compute the final node: FinalNode. 271 o If |S| <= 8192 bytes, FinalNode = S 273 o Otherwise compute FinalNode as follows: 275 FinalNode = S_0 || `03 00 00 00 00 00 00 00` 276 FinalNode = FinalNode || CV_1 277 .. 278 FinalNode = FinalNode || CV_n-1 279 FinalNode = FinalNode || length_encode(n-1) 280 FinalNode = FinalNode || `FF FF` 282 Finally, KangarooTwelve output is retrieved: 284 o If |S| <= 8192 bytes, from F( FinalNode||`07`, L ) 286 KangarooTwelve( M, C, L ) = F( FinalNode||`07`, L ) 288 o Otherwise from F( FinalNode||`06`, L ) 290 KangarooTwelve( M, C, L ) = F( FinalNode||`06`, L ) 292 The following figure illustrates the computation flow of 293 KangarooTwelve for |S| <= 8192 bytes: 295 +--------------+ F(..||`07`, L) 296 | S |-----------------> output 297 +--------------+ 299 The following figure illustrates the computation flow of 300 KangarooTwelve for |S| > 8192 bytes: 302 +--------------+ 303 | S_0 | 304 +--------------+ 305 || 306 +--------------+ 307 | `03`||`00`^7 | 308 +--------------+ 309 || 310 +---------+ F(..||`0B`,32) +--------------+ 311 | S_1 |----------------->| CV_1 | 312 +---------+ +--------------+ 313 || 314 +---------+ F(..||`0B`,32) +--------------+ 315 | S_2 |----------------->| CV_2 | 316 +---------+ +--------------+ 317 || 318 ... ... 319 || 320 +---------+ F(..||`0B`,32) +--------------+ 321 | S_n-1 |----------------->| CV_n-1 | 322 +---------+ +--------------+ 323 || 324 +--------------+ 325 | l_e( n-1 ) | 326 +--------------+ 327 || 328 +------------+ F(..||`06`, L) 329 | `FF FF` |-----------------> output 330 +------------+ 332 We provide a pseudo code version in Appendix A.2. 334 In the table below are gathered the values of the domain separation 335 bytes used by the tree hash mode: 337 +--------------------+------------------+ 338 | Type | Byte | 339 +--------------------+------------------+ 340 | SingleNode | `07` | 341 | | | 342 | IntermediateNode | `0B` | 343 | | | 344 | FinalNode | `06` | 345 +--------------------+------------------+ 347 2.3. length_encode( x ) 349 The function length_encode takes as inputs a non negative integer x < 350 256**255 and outputs a string of bytes x_n-1 || .. || x_0 || n where 352 x = sum from i=0..n-1 of 256**i * x_i 354 and where n is the smallest non-negative integer such that x < 355 256**n. n is also the length of x_n-1 || .. || x_0. 357 As example, length_encode(0) = `00`, length_encode(12) = `0C 01` and 358 length_encode(65538) = `01 00 02 03` 360 A pseudo code version is as follows. 362 length_encode(x): 363 S = `00`^0 365 while x > 0 366 S = x mod 256 || S 367 x = x / 256 369 S = S || length(S) 371 return S 372 end 374 3. Test vectors 376 Test vectors are based on the repetition of the pattern `00 01 .. FA` 377 with a specific length. ptn(n) defines a string by repeating the 378 pattern `00 01 .. FA` as many times as necessary and truncated to n 379 bytes e.g. 381 Pattern for a length of 17 bytes: 382 ptn(17) = 383 `00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10` 385 Pattern for a length of 17**2 bytes: 386 ptn(17**2) = 387 `00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 388 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 389 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 390 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F 391 40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 392 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 393 60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 394 70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F 395 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 396 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F 397 A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF 398 B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF 399 C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 400 D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF 401 E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF 402 F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA 403 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 404 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 405 20 21 22 23 24 25` 407 KangarooTwelve(M=`00`^0, C=`00`^0, 32): 408 `1A C2 D4 50 FC 3B 42 05 D1 9D A7 BF CA 1B 37 51 409 3C 08 03 57 7A C7 16 7F 06 FE 2C E1 F0 EF 39 E5` 411 KangarooTwelve(M=`00`^0, C=`00`^0, 64): 412 `1A C2 D4 50 FC 3B 42 05 D1 9D A7 BF CA 1B 37 51 413 3C 08 03 57 7A C7 16 7F 06 FE 2C E1 F0 EF 39 E5 414 42 69 C0 56 B8 C8 2E 48 27 60 38 B6 D2 92 96 6C 415 C0 7A 3D 46 45 27 2E 31 FF 38 50 81 39 EB 0A 71` 417 KangarooTwelve(M=`00`^0, C=`00`^0, 10032), last 32 bytes: 418 `E8 DC 56 36 42 F7 22 8C 84 68 4C 89 84 05 D3 A8 419 34 79 91 58 C0 79 B1 28 80 27 7A 1D 28 E2 FF 6D` 421 KangarooTwelve(M=ptn(1 bytes), C=`00`^0, 32): 422 `2B DA 92 45 0E 8B 14 7F 8A 7C B6 29 E7 84 A0 58 423 EF CA 7C F7 D8 21 8E 02 D3 45 DF AA 65 24 4A 1F` 425 KangarooTwelve(M=ptn(17 bytes), C=`00`^0, 32): 426 `6B F7 5F A2 23 91 98 DB 47 72 E3 64 78 F8 E1 9B 427 0F 37 12 05 F6 A9 A9 3A 27 3F 51 DF 37 12 28 88` 429 KangarooTwelve(M=ptn(17**2 bytes), C=`00`^0, 32): 430 `0C 31 5E BC DE DB F6 14 26 DE 7D CF 8F B7 25 D1 431 E7 46 75 D7 F5 32 7A 50 67 F3 67 B1 08 EC B6 7C` 433 KangarooTwelve(M=ptn(17**3 bytes), C=`00`^0, 32): 434 `CB 55 2E 2E C7 7D 99 10 70 1D 57 8B 45 7D DF 77 435 2C 12 E3 22 E4 EE 7F E4 17 F9 2C 75 8F 0D 59 D0` 437 KangarooTwelve(M=ptn(17**4 bytes), C=`00`^0, 32): 438 `87 01 04 5E 22 20 53 45 FF 4D DA 05 55 5C BB 5C 439 3A F1 A7 71 C2 B8 9B AE F3 7D B4 3D 99 98 B9 FE` 441 KangarooTwelve(M=ptn(17**5 bytes), C=`00`^0, 32): 442 `84 4D 61 09 33 B1 B9 96 3C BD EB 5A E3 B6 B0 5C 443 C7 CB D6 7C EE DF 88 3E B6 78 A0 A8 E0 37 16 82` 445 KangarooTwelve(M=ptn(17**6 bytes), C=`00`^0, 32): 446 `3C 39 07 82 A8 A4 E8 9F A6 36 7F 72 FE AA F1 32 447 55 C8 D9 58 78 48 1D 3C D8 CE 85 F5 8E 88 0A F8` 449 KangarooTwelve(M=`00`^0, C=ptn(1 bytes), 32): 450 `FA B6 58 DB 63 E9 4A 24 61 88 BF 7A F6 9A 13 30 451 45 F4 6E E9 84 C5 6E 3C 33 28 CA AF 1A A1 A5 83` 453 KangarooTwelve(M=`FF`, C=ptn(41 bytes), 32): 454 `D8 48 C5 06 8C ED 73 6F 44 62 15 9B 98 67 FD 4C 455 20 B8 08 AC C3 D5 BC 48 E0 B0 6B A0 A3 76 2E C4` 457 KangarooTwelve(M=`FF FF FF`, C=ptn(41**2), 32): 458 `C3 89 E5 00 9A E5 71 20 85 4C 2E 8C 64 67 0A C0 459 13 58 CF 4C 1B AF 89 44 7A 72 42 34 DC 7C ED 74` 461 KangarooTwelve(M=`FF FF FF FF FF FF FF`, C=ptn(41**3 bytes), 32): 462 `75 D2 F8 6A 2E 64 45 66 72 6B 4F BC FC 56 57 B9 463 DB CF 07 0C 7B 0D CA 06 45 0A B2 91 D7 44 3B CF` 465 4. IANA Considerations 467 None. 469 5. Security Considerations 471 This document is meant to serve as a stable reference and an 472 implementation guide for the KangarooTwelve eXtendable Output 473 Function. It relies on the cryptanalysis of Keccak 474 [KECCAK_CRYPTANALYSIS] and provides with the same security strength 475 as SHAKE128, i.e., 128 bits of security against all attacks 477 To achieve 128-bit security strength, the output L must be chosen 478 long enough so that there are no generic attacks that violate 128-bit 479 security. So for 128-bit (second) preimage security the output 480 should be at least 128 bits, for 128-bit of security against multi- 481 target preimage attacks with T targets the output should be at least 482 128+log_2(T) bits and for 128-bit collision security the output 483 should be at least 256 bits. 485 Furthermore, when the output length is at least 256 bits, 486 KangarooTwelve achieves NIST's post-quantum security level 2 487 [NISTPQ]. 489 6. References 491 6.1. Normative References 493 [FIPS202] National Institute of Standards and Technology, "FIPS PUB 494 202 - SHA-3 Standard: Permutation-Based Hash and 495 Extendable-Output Functions", 496 WWW http://dx.doi.org/10.6028/NIST.FIPS.202, August 2015. 498 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 499 Requirement Levels", BCP 14, RFC 2119, 500 DOI 10.17487/RFC2119, March 1997, 501 . 503 [SP800-185] 504 National Institute of Standards and Technology, "NIST 505 Special Publication 800-185 SHA-3 Derived Functions: 506 cSHAKE, KMAC, TupleHash and ParallelHash", 507 WWW https://doi.org/10.6028/NIST.SP.800-185, December 508 2016. 510 6.2. Informative References 512 [K12] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., and 513 R. Van Keer, "KangarooTwelve: fast hashing based on 514 Keccak-p", WWW http://eprint.iacr.org/2016/770.pdf, August 515 2016. 517 [KECCAK_CRYPTANALYSIS] 518 Keccak Team, "Summary of Third-party cryptanalysis of 519 Keccak", WWW https://www.keccak.team/third_party.html, 520 2017. 522 [NISTPQ] National Institute of Standards and Technology, 523 "Submission Requirements and Evaluation Criteria for the 524 Post-Quantum Cryptography Standardization Process", WWW 525 https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum- 526 Cryptography/documents/call-for-proposals-final-dec- 527 2016.pdf, December 2016. 529 [SAKURA] Bertoni, G., Daemen, J., Peeters, M., and G. Van Assche, 530 "Sakura: a flexible coding for tree hashing", 531 WWW http://eprint.iacr.org/2013/231.pdf, April 2013. 533 [XKCP] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., and 534 R. Van Keer, "eXtended Keccak Code Package", 535 WWW https://github.com/XKCP/XKCP, September 2018. 537 Appendix A. Pseudo code 539 The sub-sections of this appendix contain pseudo code definitions of 540 KangarooTwelve. A standalone Python version is also available in the 541 Keccak Code Package [XKCP] and in [K12] 543 A.1. Keccak-p[1600,n_r=12] 545 KP(state): 546 RC[0] = `8B 80 00 80 00 00 00 00` 547 RC[1] = `8B 00 00 00 00 00 00 80` 548 RC[2] = `89 80 00 00 00 00 00 80` 549 RC[3] = `03 80 00 00 00 00 00 80` 550 RC[4] = `02 80 00 00 00 00 00 80` 551 RC[5] = `80 00 00 00 00 00 00 80` 552 RC[6] = `0A 80 00 00 00 00 00 00` 553 RC[7] = `0A 00 00 80 00 00 00 80` 554 RC[8] = `81 80 00 80 00 00 00 80` 555 RC[9] = `80 80 00 00 00 00 00 80` 556 RC[10] = `01 00 00 80 00 00 00 00` 557 RC[11] = `08 80 00 80 00 00 00 80` 559 for x from 0 to 4 560 for y from 0 to 4 561 lanes[x][y] = state[8*(x+5*y):8*(x+5*y)+8] 563 for round from 0 to 11 564 # theta 565 for x from 0 to 4 566 C[x] = lanes[x][0] 567 C[x] ^= lanes[x][1] 568 C[x] ^= lanes[x][2] 569 C[x] ^= lanes[x][3] 570 C[x] ^= lanes[x][4] 571 for x from 0 to 4 572 D[x] = C[(x+4) mod 5] ^ ROL64(C[(x+1) mod 5], 1) 573 for y from 0 to 4 574 for x from 0 to 4 575 lanes[x][y] = lanes[x][y]^D[x] 577 # rho and pi 578 (x, y) = (1, 0) 579 current = lanes[x][y] 580 for t from 0 to 23 581 (x, y) = (y, (2*x+3*y) mod 5) 582 (current, lanes[x][y]) = 583 (lanes[x][y], ROL64(current, (t+1)*(t+2)/2)) 585 # chi 586 for y from 0 to 4 587 for x from 0 to 4 588 T[x] = lanes[x][y] 589 for x from 0 to 4 590 lanes[x][y] = T[x] ^((not T[(x+1) mod 5]) & T[(x+2) mod 5]) 592 # iota 593 lanes[0][0] ^= RC[round] 595 state = `00`^0 596 for x from 0 to 4 597 for y from 0 to 4 598 state = state || lanes[x][y] 600 return state 601 end 603 where ROL64(x, y) is a rotation of the 'x' 64-bit word toward the 604 bits with higher indexes by 'y' positions. The 8-bytes byte-string x 605 is interpreted as a 64-bit word in little-endian format. 607 A.2. KangarooTwelve 609 KangarooTwelve(inputMessage, customString, outputByteLen): 610 S = inputMessage || customString 611 S = S || length_encode( |customString| ) 613 if |S| <= 8192 614 return F(S || `07`, outputByteLen) 615 else 616 # === Kangaroo hopping === 617 FinalNode = S[0:8192] || `03` || `00`^7 618 offset = 8192 619 numBlock = 0 620 while offset < |S| 621 blockSize = min( |S| - offset, 8192) 622 CV = F(S[offset : offset + blockSize] || `0B`, 32) 623 FinalNode = FinalNode || CV 624 numBlock += 1 625 offset += blockSize 627 FinalNode = FinalNode || length_encode( numBlock ) || `FF FF` 629 return F(FinalNode || `06`, outputByteLen) 630 end 632 Author's Address 634 Benoit Viguier 635 Radboud University 636 Toernooiveld 212 637 Nijmegen 638 The Netherlands 640 EMail: b.viguier@cs.ru.nl