KangarooTwelve
draft-irtf-cfrg-kangarootwelve-06

Document Type Active Internet-Draft (cfrg RG)
Authors =?utf-8?q?Beno=C3=AEt_Viguier?=  , David Wong  , Giles Van Assche  , Quynh Dang  , Joan Daemen 
Last updated 2021-08-22
Replaces draft-viguier-kangarootwelve
Stream Internet Research Task Force (IRTF)
Intended RFC status Informational
Formats plain text html xml pdf htmlized bibtex
Stream IRTF state In RG Last Call
Consensus Boilerplate Yes
Document shepherd Nick Sullivan
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to Nick Sullivan <nick@cloudflare.com>
Crypto Forum                                                  B. Viguier
Internet-Draft                                        Radboud University
Intended status: Informational                              D. Wong, Ed.
Expires: 23 February 2022                                       Facebook
                                                      G. Van Assche, Ed.
                                                      STMicroelectronics
                                                            Q. Dang, Ed.
                                                                    NIST
                                                          J. Daemen, Ed.
                                                      Radboud University
                                                          22 August 2021

                             KangarooTwelve
                   draft-irtf-cfrg-kangarootwelve-06

Abstract

   This document defines the KangarooTwelve eXtendable Output Function
   (XOF), a hash function with output of arbitrary length.  It provides
   an efficient and secure hashing primitive, which is able to exploit
   the parallelism of the implementation in a scalable way.  It uses
   tree hashing over a round-reduced version of SHAKE128 as underlying
   primitive.

   This document builds up on the definitions of the permutations and of
   the sponge construction in [FIPS 202], and is meant to serve as a
   stable reference and an implementation guide.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 23 February 2022.

Viguier, et al.         Expires 23 February 2022                [Page 1]
Internet-Draft               KangarooTwelve                  August 2021

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Conventions . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Specifications  . . . . . . . . . . . . . . . . . . . . . . .   4
     2.1.  Inner function F  . . . . . . . . . . . . . . . . . . . .   5
     2.2.  Tree hashing over F . . . . . . . . . . . . . . . . . . .   6
     2.3.  length_encode( x )  . . . . . . . . . . . . . . . . . . .   9
   3.  Test vectors  . . . . . . . . . . . . . . . . . . . . . . . .   9
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  11
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  13
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .  13
     6.2.  Informative References  . . . . . . . . . . . . . . . . .  13
   Appendix A.  Pseudocode . . . . . . . . . . . . . . . . . . . . .  14
     A.1.  Keccak-p[1600,n_r=12] . . . . . . . . . . . . . . . . . .  14
     A.2.  KangarooTwelve  . . . . . . . . . . . . . . . . . . . . .  15
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  16

1.  Introduction

   This document defines the KangarooTwelve eXtendable Output Function
   (XOF) [K12], i.e. a generalization of a hash function that can return
   an output of arbitrary length.  KangarooTwelve is based on a Keccak-p
   permutation specified in [FIPS202] and has a higher speed than SHAKE
   and SHA-3.

   The SHA-3 functions process data in a serial manner and are unable to
   optimally exploit parallelism available in modern CPU architectures.
   Similar to ParallelHash [SP800-185], KangarooTwelve splits the input
   message into fragments to exploit available parallelism.  It then
   applies an inner hash function F on each of them separately before
   applying F again on the concatenation of the digests.  It makes use
   of Sakura coding for ensuring soundness of the tree hashing mode

Viguier, et al.         Expires 23 February 2022                [Page 2]
Internet-Draft               KangarooTwelve                  August 2021

   [SAKURA].  The inner hash function F is a sponge function and uses a
   round-reduced version of the permutation Keccak-f used in SHA-3,
   making it faster than ParallelHash.  Its security builds up on the
   scrutiny that Keccak has received since its publication
   [KECCAK_CRYPTANALYSIS].

   With respect to [FIPS202] and [SP800-185] functions, KangarooTwelve
   features the following advantages:

   *  Unlike SHA3-224, SHA3-256, SHA3-384, SHA3-512, KangarooTwelve has
      an extendable output.

   *  Unlike any [FIPS202] defined function, similarly to functions
      defined in [SP800-185], KangarooTwelve allows the use of a
      customization string.

   *  Unlike any [FIPS202] and [SP800-185] functions but ParallelHash,
      KangarooTwelve splits the input message into fragments to exploit
      available parallelism.

   *  Unlike ParallelHash, KangarooTwelve does not have overhead when
      processing short messages.

   *  The Keccak-f permutation in KangarooTwelve has half the number of
      rounds of the one used in SHA3, making it faster than any function
      defined in [FIPS202] and [SP800-185].

1.1.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   The following notations are used throughout the document:

   `...`  denotes a string of bytes given in hexadecimal.  For example,
      `0B 80`.

   |s|  denotes the length of a byte string `s`.  For example, |`FF FF`|
      = 2.

   `00`^b  denotes a byte string consisting of the concatenation of b
      bytes `00`. For example, `00`^7 = `00 00 00 00 00 00 00`.

   `00`^0  denotes the empty byte-string.

   a||b  denotes the concatenation of two strings a and b.  For example,
      `10`||`F1` = `10 F1`

Viguier, et al.         Expires 23 February 2022                [Page 3]
Internet-Draft               KangarooTwelve                  August 2021

   s[n:m]  denotes the selection of bytes from n (inclusive) to m
      (exclusive) of a string s.  The indexing of a byte-string starts
      at 0.  For example, for s = `A5 C6 D7`, s[0:1] = `A5` and s[1:3] =
      `C6 D7`.

   s[n:]  denotes the selection of bytes from n to the end of a string
      s.  For example, for s = `A5 C6 D7`, s[0:] = `A5 C6 D7` and s[2:]
      = `D7`.

   In the following, x and y are byte strings of equal length:

   x^=y  denotes x takes the value x XOR y.

   x & y  denotes x AND y.

   In the following, x and y are integers:

   x+=y  denotes x takes the value x + y.

   x-=y  denotes x takes the value x - y.

   x**y  denotes the exponentiation of x by y.

2.  Specifications

   KangarooTwelve is an eXtendable Output Function (XOF).  It takes as
   input two byte-strings (M, C) and a positive integer L where

   M  byte-string, is the Message and

   C  byte-string, is an OPTIONAL Customization string and

   L  positive integer, the requested number of output bytes.

   The Customization string MAY serve as domain separation.  It is
   typically a short string such as a name or an identifier (e.g.  URI,
   ODI...)

   By default, the Customization string is the empty string.  For an API
   that does not support a customization string input, C MUST be the
   empty string.

Viguier, et al.         Expires 23 February 2022                [Page 4]
Internet-Draft               KangarooTwelve                  August 2021

2.1.  Inner function F

   The inner function F makes use of the permutation Keccak-
   p[1600,n_r=12], i.e., a version of the permutation Keccak-f[1600]
   used in SHAKE and SHA-3 instances reduced to its last n_r=12 rounds
   and specified in FIPS 202, sections 3.3 and 3.4 [FIPS202].  KP
   denotes this permutation.

   F is a sponge function calling this permutation KP with a rate of 168
   bytes or 1344 bits.  It follows that F has a capacity of 1600 - 1344
   = 256 bits or 32 bytes.

   The sponge function F takes:

   input  byte-string of positive length, the input bytes and

   outputByteLen  positive integer, the length of the output in bytes

   First non-multiple of 168-bytes-length inputs are padded with zeroes
   to the next multiple of 168 bytes while inputs multiple of 168 bytes
   are kept as is.  Then a byte `80` is XORed to the last byte of the
   padded message and the resulting string is split into a sequence of
   168-byte blocks.

   Inputs of length 0 bytes do not happen as a result of the tree
   hashing mode defined in section 2.2.

   As defined by the sponge construction, the process operates on a
   state and consists of two phases: the absorbing phase that processes
   the input and the squeezing phase that produces the output.

   In the absorbing phase the state is initialized to all-zero.  The
   message blocks are XORed into the first 168 bytes of the state.  Each
   block absorbed is followed with an application of KP to the state.

   In the squeezing phase output is formed by taking the first 168 bytes
   of the state, repeated as many times as necessary until outputByteLen
   bytes are obtained, interleaved with the application of KP to the
   state.

   The definition of the function F equivalently implements the pad10*1
   rule.  It assumes an at least one-byte-long input where the last byte
   is in the `01`-`7F` range, and this is the case in KangarooTwelve.
   This last byte serves as domain separation and integrates the first
   bit of padding of the pad10*1 rule (hence it cannot be `00`).
   Additionally, it must leave room for the second bit of padding (hence
   it cannot have the MSB set to 1), should it be the last byte of the
   block.  For more details, refer to Section 6.1 of [K12].

Viguier, et al.         Expires 23 February 2022                [Page 5]
Internet-Draft               KangarooTwelve                  August 2021

   A pseudocode version is available as follows:

     F(input, outputByteLen):
       offset = 0
       state = `00`^200

       # === Absorb complete blocks ===
       while offset < |input| - 168
           state ^= input[offset : offset + 168] || `00`^32
           state = KP(state)
           offset += 168

       # === Absorb last block and treatment of padding ===
       LastBlockLength = |input| - offset
       state ^= input[offset:] || `00`^(200-LastBlockLength)
       state ^= `00`^167 || `80` || `00`^32
       state = KP(state)

       # === Squeeze ===
       output = `00`^0
       while outputByteLen > 168
           output = output || state[0:168]
           outputByteLen -= 168
           state = KP(state)

       output = output || state[0:outputByteLen]

       return output
       end

2.2.  Tree hashing over F

   On top of the sponge function F, KangarooTwelve uses a Sakura-
   compatible tree hash mode [SAKURA].  First, merge M and the OPTIONAL
   C to a single input string S in a reversible way. length_encode( |C|
   ) gives the length in bytes of C as a byte-string.  See Section 2.3.

             S = M || C || length_encode( |C| )

   Then, split S into n chunks of 8192 bytes.

             S = S_0 || .. || S_(n-1)
               |S_0| = .. = |S_(n-2)| = 8192 bytes
               |S_(n-1)| <= 8192 bytes

Viguier, et al.         Expires 23 February 2022                [Page 6]
Internet-Draft               KangarooTwelve                  August 2021

   From S_1 .. S_(n-1), compute the 32-byte Chaining Values CV_1 ..
   CV_(n-1).  In order to be optimally efficient, this computation
   SHOULD exploit the parallelism available on the platform such as SIMD
   instructions.

                CV_i    = F( S_i||`0B`, 32 )

   Compute the final node: FinalNode.

   *  If |S| <= 8192 bytes, FinalNode = S

   *  Otherwise compute FinalNode as follows:

             FinalNode = S_0 || `03 00 00 00 00 00 00 00`
             FinalNode = FinalNode || CV_1
                   ..
             FinalNode = FinalNode || CV_(n-1)
             FinalNode = FinalNode || length_encode(n-1)
             FinalNode = FinalNode || `FF FF`

   Finally, KangarooTwelve output is retrieved:

   *  If |S| <= 8192 bytes, from F( FinalNode||`07`, L )

         KangarooTwelve( M, C, L ) = F( FinalNode||`07`, L )

   *  Otherwise from F( FinalNode||`06`, L )

         KangarooTwelve( M, C, L ) = F( FinalNode||`06`, L )

   The following figure illustrates the computation flow of
   KangarooTwelve for |S| <= 8192 bytes:

             +--------------+  F(..||`07`, L)
             |      S       |----------------->  output
             +--------------+

   The following figure illustrates the computation flow of
   KangarooTwelve for |S| > 8192 bytes and where length_encode( x ) is
   abbreviated as l_e( x ):

Viguier, et al.         Expires 23 February 2022                [Page 7]
Internet-Draft               KangarooTwelve                  August 2021

                              +--------------+
                              |     S_0      |
                              +--------------+
                                    ||
                              +--------------+
                              | `03`||`00`^7 |
                              +--------------+
                                    ||
 +---------+  F(..||`0B`,32)  +--------------+
 |   S_1   |----------------->|     CV_1     |
 +---------+                  +--------------+
                                    ||
 +---------+  F(..||`0B`,32)  +--------------+
 |   S_2   |----------------->|     CV_2     |
 +---------+                  +--------------+
                                    ||
           ...                      ...
                                    ||
 +---------+  F(..||`0B`,32)  +--------------+
 | S_(n-1) |----------------->|   CV_(n-1)   |
 +---------+                  +--------------+
                                    ||
                              +--------------+
                              |  l_e( n-1 )  |
                              +--------------+
                                    ||
                              +--------------+  F(..||`06`, L)
                              |   `FF FF`    |----------------->  output
                              +--------------+

   A pseudocode version is provided in Appendix A.2.

   The table below gathers the values of the domain separation bytes
   used by the tree hash mode:

           +--------------------+------------------+
           |   Type             |       Byte       |
           +--------------------+------------------+
           |  SingleNode        |       `07`       |
           |                    |                  |
           |  IntermediateNode  |       `0B`       |
           |                    |                  |
           |  FinalNode         |       `06`       |
           +--------------------+------------------+

Viguier, et al.         Expires 23 February 2022                [Page 8]
Internet-Draft               KangarooTwelve                  August 2021

2.3.  length_encode( x )

   The function length_encode takes as inputs a non negative integer x <
   256**255 and outputs a string of bytes x_(n-1) || .. || x_0 || n
   where

                x = sum from i=0..n-1 of 256**i * x_i

   and where n is the smallest non-negative integer such that x <
   256**n.  n is also the length of x_(n-1) || .. || x_0.

   As example, length_encode(0) = `00`, length_encode(12) = `0C 01` and
   length_encode(65538) = `01 00 02 03`

   A pseudocode version is as follows.

     length_encode(x):
       S = `00`^0

       while x > 0
           S = x mod 256 || S
           x = x / 256

       S = S || length(S)

       return S
       end

3.  Test vectors

   Test vectors are based on the repetition of the pattern `00 01 .. FA`
   with a specific length. ptn(n) defines a string by repeating the
   pattern `00 01 .. FA` as many times as necessary and truncated to n
   bytes e.g.

       Pattern for a length of 17 bytes:
       ptn(17) =
         `00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10`

Viguier, et al.         Expires 23 February 2022                [Page 9]
Internet-Draft               KangarooTwelve                  August 2021

       Pattern for a length of 17**2 bytes:
       ptn(17**2) =
         `00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
          10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
          20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F
          30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F
          40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F
          50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F
          60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F
          70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F
          80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
          90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F
          A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF
          B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF
          C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
          D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF
          E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF
          F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA
          00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
          10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
          20 21 22 23 24 25`

     KangarooTwelve(M=`00`^0, C=`00`^0, 32):
       `1A C2 D4 50 FC 3B 42 05 D1 9D A7 BF CA 1B 37 51
        3C 08 03 57 7A C7 16 7F 06 FE 2C E1 F0 EF 39 E5`

     KangarooTwelve(M=`00`^0, C=`00`^0, 64):
       `1A C2 D4 50 FC 3B 42 05 D1 9D A7 BF CA 1B 37 51
        3C 08 03 57 7A C7 16 7F 06 FE 2C E1 F0 EF 39 E5
        42 69 C0 56 B8 C8 2E 48 27 60 38 B6 D2 92 96 6C
        C0 7A 3D 46 45 27 2E 31 FF 38 50 81 39 EB 0A 71`

     KangarooTwelve(M=`00`^0, C=`00`^0, 10032), last 32 bytes:
       `E8 DC 56 36 42 F7 22 8C 84 68 4C 89 84 05 D3 A8
        34 79 91 58 C0 79 B1 28 80 27 7A 1D 28 E2 FF 6D`

     KangarooTwelve(M=ptn(1 bytes), C=`00`^0, 32):
       `2B DA 92 45 0E 8B 14 7F 8A 7C B6 29 E7 84 A0 58
        EF CA 7C F7 D8 21 8E 02 D3 45 DF AA 65 24 4A 1F`

     KangarooTwelve(M=ptn(17 bytes), C=`00`^0, 32):
       `6B F7 5F A2 23 91 98 DB 47 72 E3 64 78 F8 E1 9B
        0F 37 12 05 F6 A9 A9 3A 27 3F 51 DF 37 12 28 88`

     KangarooTwelve(M=ptn(17**2 bytes), C=`00`^0, 32):
       `0C 31 5E BC DE DB F6 14 26 DE 7D CF 8F B7 25 D1
        E7 46 75 D7 F5 32 7A 50 67 F3 67 B1 08 EC B6 7C`

Viguier, et al.         Expires 23 February 2022               [Page 10]
Internet-Draft               KangarooTwelve                  August 2021

     KangarooTwelve(M=ptn(17**3 bytes), C=`00`^0, 32):
       `CB 55 2E 2E C7 7D 99 10 70 1D 57 8B 45 7D DF 77
        2C 12 E3 22 E4 EE 7F E4 17 F9 2C 75 8F 0D 59 D0`

     KangarooTwelve(M=ptn(17**4 bytes), C=`00`^0, 32):
       `87 01 04 5E 22 20 53 45 FF 4D DA 05 55 5C BB 5C
        3A F1 A7 71 C2 B8 9B AE F3 7D B4 3D 99 98 B9 FE`

     KangarooTwelve(M=ptn(17**5 bytes), C=`00`^0, 32):
       `84 4D 61 09 33 B1 B9 96 3C BD EB 5A E3 B6 B0 5C
        C7 CB D6 7C EE DF 88 3E B6 78 A0 A8 E0 37 16 82`

     KangarooTwelve(M=ptn(17**6 bytes), C=`00`^0, 32):
       `3C 39 07 82 A8 A4 E8 9F A6 36 7F 72 FE AA F1 32
        55 C8 D9 58 78 48 1D 3C D8 CE 85 F5 8E 88 0A F8`

     KangarooTwelve(M=`00`^0, C=ptn(1 bytes), 32):
       `FA B6 58 DB 63 E9 4A 24 61 88 BF 7A F6 9A 13 30
        45 F4 6E E9 84 C5 6E 3C 33 28 CA AF 1A A1 A5 83`

     KangarooTwelve(M=`FF`, C=ptn(41 bytes), 32):
       `D8 48 C5 06 8C ED 73 6F 44 62 15 9B 98 67 FD 4C
        20 B8 08 AC C3 D5 BC 48 E0 B0 6B A0 A3 76 2E C4`

     KangarooTwelve(M=`FF FF FF`, C=ptn(41**2), 32):
       `C3 89 E5 00 9A E5 71 20 85 4C 2E 8C 64 67 0A C0
        13 58 CF 4C 1B AF 89 44 7A 72 42 34 DC 7C ED 74`

     KangarooTwelve(M=`FF FF FF FF FF FF FF`, C=ptn(41**3 bytes), 32):
       `75 D2 F8 6A 2E 64 45 66 72 6B 4F BC FC 56 57 B9
        DB CF 07 0C 7B 0D CA 06 45 0A B2 91 D7 44 3B CF`

4.  IANA Considerations

   None.

5.  Security Considerations

   This document is meant to serve as a stable reference and an
   implementation guide for the KangarooTwelve eXtendable Output
   Function.  It relies on the cryptanalysis of Keccak and provides with
   the same security strength as SHAKE128, i.e., 128 bits of security
   against all attacks.

   To be more precise, KangarooTwelve is made of two layers:

Viguier, et al.         Expires 23 February 2022               [Page 11]
Internet-Draft               KangarooTwelve                  August 2021

   *  The inner function F.  This layer relies on cryptanalysis.
      KangarooTwelve's F function is exactly Keccak[r=1344, c=256] (as
      in SHAKE128) reduced to 12 rounds.  Any reduced-round
      cryptanalysis on Keccak is also a reduced-round cryptanalysis of
      KangarooTwelve's F (provided the number of rounds attacked is not
      higher than 12).

   *  The tree hashing over F.  This layer is a mode on top of F that
      does not introduce any vulnerability thanks to the use of Sakura
      coding proven secure in [SAKURA].

   This reasoning is detailed and formalized in [K12].

   To achieve 128-bit security strength, the output L must be chosen
   long enough so that there are no generic attacks that violate 128-bit
   security.  So for 128-bit (second) preimage security the output
   should be at least 128 bits, for 128-bit of security against multi-
   target preimage attacks with T targets the output should be at least
   128+log_2(T) bits and for 128-bit collision security the output
   should be at least 256 bits.

   Furthermore, when the output length is at least 256 bits,
   KangarooTwelve achieves NIST's post-quantum security level 2
   [NISTPQ].

   Implementing a MAC with KangarooTwelve SHOULD use a HASH-then-MAC
   construction.  This document recommends a method called HopMAC,
   defined as follows:

      HopMAC(Key, M, C, L) = K12(Key, K12(M, C, 32), L)

   Similarly to HMAC, HopMAC consists of two calls: an inner call
   compressing the message M and the optional customization string C to
   a digest, and an outer call computing the tag from the key and the
   digest.

   Unlike HMAC, the inner call to KangarooTwelve in HopMAC is keyless
   and does not require additional protection against side channel
   attacks (SCA).  Consequently, in an implementation that has to
   protect the HopMAC key against SCA only the outer call does need
   protection, and this amounts to a single execution of the underlying
   permutation.

   In any case, KangarooTwelve MAY be used to compute a MAC with the key
   reversibly prepended or appended to the input.  For instance, one MAY
   compute a MAC on short messages simply calling KangarooTwelve with
   the key as the customization string, i.e., MAC = K12(M, Key, L).

Viguier, et al.         Expires 23 February 2022               [Page 12]
Internet-Draft               KangarooTwelve                  August 2021

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [FIPS202]  National Institute of Standards and Technology, "FIPS PUB
              202 - SHA-3 Standard: Permutation-Based Hash and
              Extendable-Output Functions",
              WWW http://dx.doi.org/10.6028/NIST.FIPS.202, August 2015.

   [SP800-185]
              National Institute of Standards and Technology, "NIST
              Special Publication 800-185 SHA-3 Derived Functions:
              cSHAKE, KMAC, TupleHash and ParallelHash",
              WWW https://doi.org/10.6028/NIST.SP.800-185, December
              2016.

6.2.  Informative References

   [K12]      Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., and
              R. Van Keer, "KangarooTwelve: fast hashing based on
              Keccak-p", WWW https://link.springer.com/
              chapter/10.1007/978-3-319-93387-0_21,
              WWW http://eprint.iacr.org/2016/770.pdf, July 2018.

   [SAKURA]   Bertoni, G., Daemen, J., Peeters, M., and G. Van Assche,
              "Sakura: a flexible coding for tree hashing", WWW
              https://link.springer.com/
              chapter/10.1007/978-3-319-07536-5_14,
              WWW http://eprint.iacr.org/2013/231.pdf, June 2014.

   [KECCAK_CRYPTANALYSIS]
              Keccak Team, "Summary of Third-party cryptanalysis of
              Keccak", WWW https://www.keccak.team/third_party.html,
              2017.

   [XKCP]     Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., and
              R. Van Keer, "eXtended Keccak Code Package",
              WWW https://github.com/XKCP/XKCP, September 2018.

Viguier, et al.         Expires 23 February 2022               [Page 13]
Internet-Draft               KangarooTwelve                  August 2021

   [NISTPQ]   National Institute of Standards and Technology,
              "Submission Requirements and Evaluation Criteria for the
              Post-Quantum Cryptography Standardization Process", WWW 
              https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-
              Cryptography/documents/call-for-proposals-final-dec-
              2016.pdf, December 2016.

Appendix A.  Pseudocode

   The sub-sections of this appendix contain pseudocode definitions of
   KangarooTwelve.  A standalone Python version is also available in the
   Keccak Code Package [XKCP] and in [K12]

A.1.  Keccak-p[1600,n_r=12]

   KP(state):
     RC[0]  = `8B 80 00 80 00 00 00 00`
     RC[1]  = `8B 00 00 00 00 00 00 80`
     RC[2]  = `89 80 00 00 00 00 00 80`
     RC[3]  = `03 80 00 00 00 00 00 80`
     RC[4]  = `02 80 00 00 00 00 00 80`
     RC[5]  = `80 00 00 00 00 00 00 80`
     RC[6]  = `0A 80 00 00 00 00 00 00`
     RC[7]  = `0A 00 00 80 00 00 00 80`
     RC[8]  = `81 80 00 80 00 00 00 80`
     RC[9]  = `80 80 00 00 00 00 00 80`
     RC[10] = `01 00 00 80 00 00 00 00`
     RC[11] = `08 80 00 80 00 00 00 80`

     for x from 0 to 4
       for y from 0 to 4
         lanes[x][y] = state[8*(x+5*y):8*(x+5*y)+8]

     for round from 0 to 11
       # theta
       for x from 0 to 4
         C[x] = lanes[x][0]
         C[x] ^= lanes[x][1]
         C[x] ^= lanes[x][2]
         C[x] ^= lanes[x][3]
         C[x] ^= lanes[x][4]
       for x from 0 to 4
         D[x] = C[(x+4) mod 5] ^ ROL64(C[(x+1) mod 5], 1)
       for y from 0 to 4
         for x from 0 to 4
           lanes[x][y] = lanes[x][y]^D[x]

       # rho and pi

Viguier, et al.         Expires 23 February 2022               [Page 14]
Internet-Draft               KangarooTwelve                  August 2021

       (x, y) = (1, 0)
       current = lanes[x][y]
       for t from 0 to 23
         (x, y) = (y, (2*x+3*y) mod 5)
         (current, lanes[x][y]) =
             (lanes[x][y], ROL64(current, (t+1)*(t+2)/2))

       # chi
       for y from 0 to 4
         for x from 0 to 4
           T[x] = lanes[x][y]
         for x from 0 to 4
           lanes[x][y] = T[x] ^((not T[(x+1) mod 5]) & T[(x+2) mod 5])

       # iota
       lanes[0][0] ^= RC[round]

     state = `00`^0
     for x from 0 to 4
       for y from 0 to 4
         state = state || lanes[x][y]

     return state
     end

   where ROL64(x, y) is a rotation of the 'x' 64-bit word toward the
   bits with higher indexes by 'y' positions.  The 8-bytes byte-string x
   is interpreted as a 64-bit word in little-endian format.

A.2.  KangarooTwelve

Viguier, et al.         Expires 23 February 2022               [Page 15]
Internet-Draft               KangarooTwelve                  August 2021

   KangarooTwelve(inputMessage, customString, outputByteLen):
     S = inputMessage || customString
     S = S || length_encode( |customString| )

     if |S| <= 8192
         return F(S || `07`, outputByteLen)
     else
         # === Kangaroo hopping ===
         FinalNode = S[0:8192] || `03` || `00`^7
         offset = 8192
         numBlock = 0
         while offset < |S|
             blockSize = min( |S| - offset, 8192)
             CV = F(S[offset : offset + blockSize] || `0B`, 32)
             FinalNode = FinalNode || CV
             numBlock += 1
             offset   += blockSize

         FinalNode = FinalNode || length_encode( numBlock ) || `FF FF`

         return F(FinalNode || `06`, outputByteLen)
     end

Authors' Addresses

   BenoƮt Viguier
   Radboud University
   Toernooiveld 212
   Nijmegen

   Email: cs.ru.nl@viguier.nl

   David Wong (editor)
   Facebook

   Email: davidwong.crypto@gmail.com

   Gilles Van Assche (editor)
   STMicroelectronics

   Email: gilles.vanassche@st.com

   Quynh Dang (editor)
   National Institute of Standards and Technology

Viguier, et al.         Expires 23 February 2022               [Page 16]
Internet-Draft               KangarooTwelve                  August 2021

   Email: quynh.dang@nist.gov

   Joan Daemen (editor)
   Radboud University

   Email: joan@cs.ru.nl

Viguier, et al.         Expires 23 February 2022               [Page 17]