KangarooTwelve and TurboSHAKE
draft-irtf-cfrg-kangarootwelve-13

Document Type: Informational

Document Title: KangarooTwelve and TurboSHAKE


Technical Summary:
The document titled "KangarooTwelve and TurboSHAKE" (draft-irtf-cfrg-kangarootwelve-11) is an informational Internet-Draft that defines four eXtendable output functions (XOFs): TurboSHAKE128, TurboSHAKE256, and KangarooTwelve (128bit, 256bit). These functions have outputs of arbitrary length and provide implementers with efficient, secure hashing primitives. Notably, KangarooTwelve can exploit the parallelism of implementations in a scalable manner. The document builds upon the definitions of permutations and sponge construction detailed in FIPS 202, and serves as a reference and guide for implementation​. The document includes test vectors and pseudocode.


Research Group:
This document is a product of the Crypto Forum Research Group (CFRG) and brings a new cryptographic technique to the Internet community.


Document Quality:
The document is a technically robust and precise piece of work, showcasing a high level of expertise in its domain. It provides detailed specifications and builds on established cryptographic standards, demonstrating a clear understanding and advancement of cryptographic practices. The document offers in-depth insights into the workings of the specified functions. There are test vectors for KangarooTwelve and TurboSHAKE as well as independent validation of the test vectors with multiple implementations.


Research Group Summary:
This document was adopted as a Research Group working item on March 19, 2019 after extensive discussion on the mailing list (https://mailarchive.ietf.org/arch/msg/cfrg/epxJhs5B9wIpTb5lgQihA9ZPHyA/). This document has gone through extensive review and modification since adopted by the Research Group since then. This includes two RGLCs.

After a thorough review by crypto panel member Thomas Pornin in July 2020 (https://mailarchive.ietf.org/arch/msg/crypto-panel/B4zejfpzyl70idp-AFpE4ZV1uB4/) and the incorporation of changes into the draft, the first RGLC was announced in February 2021. This RGLC was inconclusive due to a lack of affirmative support for publication on the list.

In January 2023, the draft received renewed interest from the group and several supportive comments in favor of publication, including from adoption advocate John Mattsson. Discussions of the relevance of this document to ongoing work at NIST (https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/5HveEPBsbxY/m/WNbAg-EnCgAJ) prompted the document to be updated to include three eXtendable Output Functions (XOF), hash functions with output of arbitrary length, named TurboSHAKE128, TurboSHAKE256 and KangarooTwelve (previously specified). This change was discussed on the list and incorporated with the support of the community after questions about parallelization and implementation details were discussed. More than one independent implementation was discussed on the list, including an implementation that leverages SIMD instructions. There was no second formal Crypto Panel review for this document after the first RGLC.

The final RGLC was announced in September 2023. This RGLC was announced as complete at the end of September 2023. Pending feedback from the shepherd, additional discussion was solicited and version -13 was produced to address the feedback given.


Intellectual Property:
There have been no IPR disclosures pertaining to this document.


Dependencies on this document:
There is one current draft at the CFRG that depends on the publication of this document. draft-irtf-cfrg-vdaf: currently uses SHAKE-3 and cSHAKE, but authors indicated on the list that they are moving to TurboSHAKE, making this document a dependency. The CFRG VDAF document is a dependency of draft-ietf-ppm-dap in the PPM working group at the IETF.

Another draft, draft-cfrg-schwabe-kyber-03, which tracks the work at NIST in FIPS 203, currently uses SHAKE-3. There was discussion on the NIST mailing list of moving from SHAKE to TurboSHAKE for this algorithm, but this change ultimately wasn’t adopted (https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/W2VOzy0wz_E/m/UGeTmPCqBAAJ).

Request for posting confirmation emailed to previous authors: Benoit Viguier , David Wong , Giles Van Assche , Joan Daemen , Quynh Dang , cfrg-chairs@ietf.org, irtf-chair@irtf.org