]>
KangarooTwelveRadboud UniversityToernooiveld 212NijmegenThe Netherlandsb.viguier@cs.ru.nlInternet Research Task Force (IRTF)KeccakSakuraKangarooTwelveCryptographic HasheXtendable Output FunctionThis document defines the KangarooTwelve eXtendable Output Function (XOF),
a hash function with arbitrary output length.
It provides an efficient and secure hashing primitive, which is able to
exploit the parallelism of the implementation in a scalable way.
It uses tree hashing over a round-reduced version of SHAKE128 as underlying
primitive.This document builds up on the definitions of the permutations and of the
sponge construction in [FIPS 202], and is meant to serve as a stable reference
and an implementation guide.This document defines the KangarooTwelve eXtendable Output Function (XOF)
, i.e. a generalization of a hash function that
can return arbitrary output length.
KangarooTwelve is based on a Keccak-p permutation specified in and aims at higher speed than SHAKE and SHA-3.The SHA-3 functions process data in a serial manner and are unable to
optimally exploit parallelism available in modern CPU architectures.
KangarooTwelve splits the input message in fragments and applies an inner
hash function F on each of them separately.
It then applies F again on the concatenation of the digests.
It makes use of Sakura coding for ensuring soundness of the tree hashing
mode .
The inner hash function F is a sponge function and uses a round-reduced
version of the permutation Keccak-f used in SHA-3.
Its security builds up on the scrutiny that Keccak has received since its
publication .The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 .The following notations are used throughout the document:denotes a string of bytes given in
hexadecimal. For example, `0B 80`.denotes the length of a byte string `s`.
For example, |`FF FF`| = 2.denotes a byte string consisting of the concatenation
of b bytes `00`. For example, `00`^7 = `00 00 00 00 00 00 00`.denotes the empty byte-string.denotes the concatenation of two strings a and b.
For example, `10`||`F1` = `10 F1`denotes the selection of bytes from n to m
exclusive of a string s.
For example, for s = `A5 C6 D7`, s[0:1] = `A5` and s[1:3] = `C6 D7`.denotes the selection of bytes from n to the end of
a string s.
For example, for s = `A5 C6 D7`, s[0:] = `A5 C6 D7` and s[2:] = `D7`.In the following, x and y are byte strings of equal length: denotes x takes the value x XOR y. denotes x AND y.In the following, x and y are integers: denotes x takes the value x + y. denotes x takes the value x - y. denotes x multiplied by itself y times.KangarooTwelve is an eXtendable Output Function (XOF).
It takes as an input a couple of byte-strings (M, C) and a positive integer L
where byte-string, is the Message and byte-string, is a OPTIONAL Customization string and positive integer, the number of output bytes requested.The Customization string MAY serves as domain separation.
It is typically a short string such as a name or an identifier (e.g. URI,
ODI...)By default, the Customization string is the empty string. For an API does
that not support a customization string input, C MUST be the empty string.The inner function F makes use of the permutation
Keccak-p[1600,n_r=12], i.e., a version of the permutation Keccak-f[1600]
used in SHAKE and SHA-3 instances reduced to its last n_r=12 rounds and
specified in FIPS 202, sections 3.3 and 3.4 .
KP denotes this permutation.F is a sponge function calling this permutation KP with a rate of 168 bytes
or 1344 bits. It follows that F has a capacity of 1600 - 1344 = 256 bits
or 32 bytes.The sponge function F takes: byte-string, the input bytes and positive integer, the Length of the output in bytesFirst the message is padded with zeroes to the closest multiple of 168
bytes. Then a byte `80` is XORed to the last byte of the padded message.
and the resulting string is split into a sequence of 168-byte blocks.As defined by the sponge construction, the process operates on a state
and consists of two phases.In the absorbing phase the state is initialized to all-zero. The
message blocks are XORed into the first 168 bytes of the state.
Each block absorbed is followed with an application of KP to the state.In the squeezing phase output is formed by taking the first 168 bytes
of the state, repeated as many times as necessary until outputByteLen
bytes are obtained, interleaved with the application of KP to the state.This definition of the sponge construction assumes a at least
one-byte-long input where the last byte is in the `01`-`7F` range.
This is the case in KangarooTwelve.A pseudo-code version is available as follows:On top of the sponge function F, KangarooTwelve uses a
Sakura-compatible tree hash mode .
First, merge M and the OPTIONAL C to a single input string S in a
reversible way. length_encode( |C| ) gives the length in bytes of C as a
byte-string. See .Then, split S into n chunks of 8192 bytes.From S_1 .. S_n-1, compute the 32-bytes Chaining Values CV_1 .. CV_n-1.
This computation SHOULD exploit the parallelism available on the platform
in order to be optimally efficient.Compute the final node: FinalNode.
If |S| <= 8192 bytes, FinalNode = SOtherwise compute FinalNode as follow:Finally, KangarooTwelve output is retrieved:
If |S| <= 8192 bytes, from F( FinalNode||`07`, L )Otherwise from F( FinalNode||`06`, L )The following figure illustrates the computation flow of KangarooTwelve
for |S| <= 8192 bytes:The following figure illustrates the computation flow of KangarooTwelve
for |S| > 8192 bytes:We provide a pseudo code version in .In the table below are gathered the values of the domain separation
bytes used by the tree hash mode:The function length_encode takes as inputs a non negative integer x
< 256**255 and outputs a string of bytes x_n-1 || .. || x_0 || n whereand where n is the smallest non-negative integer such that x < 256**n.
n is also the length of x_n-1 || .. || x_0.As example, length_encode(0) = `00`, length_encode(12) = `0C 01` and
length_encode(65538) = `01 00 02 03`A pseudo code version is as follow.Test vectors are based on the repetition of the pattern `00 01 .. FA`
with a specific length. ptn(n) defines a string by repeating the pattern
`00 01 .. FA` as many times as necessary and truncated to n bytes e.g.
None.This document is meant to serve as a stable reference and an
implementation guide for the KangarooTwelve eXtendable Output Function.
It makes no assertion to its security and relies on the cryptanalysis of
Keccak .
&rfc2119;
FIPS PUB 202 - SHA-3 Standard: Permutation-Based Hash and
Extendable-Output FunctionsNational Institute of Standards and Technology
KangarooTwelve: fast hashing based on Keccak-pSakura: a flexible coding for tree hashingSummary of Third-party cryptanalysis of KeccakKeccak TeamKeccak Code PackageThe sub-sections of this appendix contain pseudo code definitions of
KangarooTwelve. A standalone Python version is also available in the
Keccak Code Package and in where ROL64(x, y) is a rotation of the 'x' 64-bit word toward the bits
with higher indexes by 'y' positions. The 8-bytes byte-string x is
interpreted as a 64-bit word in little-endian format.