
Shepherd writeup
draft-irtf-cfrg-kangarootwelve

Document Type: Informational

Document Title: KangarooTwelve and TurboSHAKE

Technical Summary:
The document titled "KangarooTwelve and TurboSHAKE"
(draft-irtf-cfrg-kangarootwelve-11) is an informational Internet-Draft that
defines four eXtendable Output Functions (XOFs): TurboSHAKE128, TurboSHAKE256,
and KangarooTwelve (128-bit, 256-bit). These functions have outputs of arbitrary
length and provide implementers with efficient, secure hashing primitives.
Notably, KangarooTwelve can exploit the parallelism of implementations in a
scalable manner. The document builds upon the definitions of permutations and
sponge construction detailed in FIPS 202, and serves as a reference and guide
for implementation. The document includes test vectors and pseudocode.

Research Group:
This document is a product of the Crypto Forum Research Group (CFRG) and brings
a new cryptographic technique to the Internet community.

Document Quality:
The document is a technically robust and precise piece of work, showcasing a
high level of expertise in its domain. It provides detailed specifications and
builds on established cryptographic standards, demonstrating a clear
understanding and advancement of cryptographic practices. The document offers
in-depth insights into the workings of the specified functions. There are test
vectors for KangarooTwelve and TurboSHAKE as well as independent validation of
the test vectors with multiple implementations.

Research Group Summary:
This document was adopted as a Research Group working item on March 19, 2019
after extensive discussion on the mailing list
(https://mailarchive.ietf.org/arch/msg/cfrg/epxJhs5B9wIpTb5lgQihA9ZPHyA/). The
document has gone through extensive review and modification since its adoption
by the Research Group, including two RGLCs.

After a thorough review by crypto panel member Thomas Pornin in July 2020
(https://mailarchive.ietf.org/arch/msg/crypto-panel/B4zejfpzyl70idp-AFpE4ZV1uB4/)
and the incorporation of changes into the draft, the first RGLC was announced
in February 2021. This RGLC was inconclusive due to a lack of affirmative
support for publication on the list.

In January 2023, the draft received renewed interest from the group and several
supportive comments in favor of publication, including from adoption advocate
John Mattsson. Discussions of the relevance of this document to ongoing work at
NIST
(https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/5HveEPBsbxY/m/WNbAg-EnCgAJ)
prompted the document to be updated to include three eXtendable Output
Functions (XOF), hash functions with output of arbitrary length, named
TurboSHAKE128, TurboSHAKE256 and KangarooTwelve (previously specified). This
change was discussed on the list and incorporated with the support of the
community after questions about parallelization and implementation details were
discussed. More than one independent implementation was discussed on the list,
including an implementation that leverages SIMD instructions. There was no
second formal Crypto Panel review for this document after the first RGLC.

The final RGLC was announced in September 2023. This RGLC was announced as
complete at the end of September 2023. Pending feedback from the shepherd,
additional discussion was solicited and version -13 was produced to address the
feedback given.

Intellectual Property:
There have been no IPR disclosures pertaining to this document.

Dependencies on this document:
There is one current draft at the CFRG that depends on the publication of this
document: draft-irtf-cfrg-vdaf. It currently uses SHAKE-3 and cSHAKE, but its
authors indicated on the list that they are moving to TurboSHAKE, making this document
a dependency. The CFRG VDAF document is a dependency of draft-ietf-ppm-dap in
the PPM working group at the IETF.

Another draft, draft-cfrg-schwabe-kyber-03, which tracks the work at NIST in
FIPS 203, currently uses SHAKE-3. There was discussion on the NIST mailing list
of moving from SHAKE to TurboSHAKE for this algorithm, but this change
ultimately wasn’t adopted
(https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/W2VOzy0wz_E/m/UGeTmPCqBAAJ).
