SHA-3 Derived Functions: Cshake, KMAC, Tuplehash, and Parallelhash

Home , Message authentication

NIST Special Publication 800-185

SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash

John Kelsey Shu-jen Chang Ray Perlner

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

C O M P U T E R S E C U R I T Y

NIST Special Publication 800-185

SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash

John Kelsey Shu-jen Chang Ray Perlner Computer Security Division Information Technology Laboratory

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

December 2016

U.S. Department of Commerce Penny Pritzker, Secretary

National Institute of Standards and Technology Willie May, Under Secretary of Commerce for Standards and Technology and Director Authority

This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-185 Natl. Inst. Stand. Technol. Spec. Publ. 800-185, 32 pages (December 2016) CODEN: NSPUE2

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST. Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at http://csrc.nist.gov/publications.

Comments on this publication may be submitted to:

National Institute of Standards and Technology Attn: Computer Security Division, Information Technology Laboratory 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930 Email: [email protected]

All comments are subject to release under the Freedom of Information Act (FOIA).

ing ASH long long H length length SHAKE, KMAC, C very : review

ARALLEL . cSHAKE is for P AND UNCTIONS , - is a variable F : cSHAKE, ) ASH related information in information related H - colleagues colleagues

ERIVED ERIVED be used as a pseudorandom used pseudorandom asbe a UPLE D

T 3

bit security strength security bit SHA- series reports on ITL’s research, research, ITL’s reports on series - KMAC,

it can also

s derived function ; put strings in tuples of to hash designed

3- - and 256 Federal Information Processing Processing efined in Information Federal

echnology. ITL’s echnology. include responsibilities the that can hash can function that length hash ECCAK 3; tuple SHAKE; TupleHash. hashing; SHA- -

Systems Technology

ii Message Authentication Code

The authors also thank th thank eirThe authors also Abstract Keywords function as d , parallel hashing; hashing; parallel code; authentication message ; KMAC; types of types

- is a variable

ECCAK

ing to its development. Acknowledgements K length hash function length hash - ECCAK cSHAKE; customizable SHAKE function; function; SHAKE hash customizable cSHAKE; team members: Guido Bertoni, Joan Daemen, Michaël Peeters, Michaël Peeters, Daemen, Joan Bertoni, Guido members: team

K SHAKE (for (for ; , each defined for a 128- defined for , each ParallelHash pecifies four

ECCAK K Reports on Computer KMAC systems. The Special Publication 800 systems.

202. ParallelHash

) 185 FIPS TupleHash is a variable a is TupleHash ( effective security and privacy of other than national security national than other of privacy and security effective 800- -

feedback. their for , Van Assche illes ederal information ederal a customizable variant of the of variant a customizable Standard collisions. trivial without in parallel. messages and contribut drafts this document of TupleHash, and function. authentication; cryptography; integrity security; information pseudorandom pseudorandom function; PRF; SHA ParallelHash; and G

This Recommendation s This Recommendation K on based algorithm code authentication message the thank The authors NISTSP The Information Laboratory at(ITL) Technology theStandards National Institute of and andpubliceconomy (NIST) promotesTechnology U.S. the by pro technical viding welfare test tests, develops ITL infrastructure. standards and measurement the Nation’s for leadership to advance technical analyses and implementations, concept of proof referencemethods, data, and productive informationthe t of development use development of management, administrative, technical, and physical standards and guidelines for guidelines for physical and administrative, standards and management, technical, of development the cost f guidelines, and outreach efforts in information system security, and its collaborative activities security, collaborative system and its information efforts in andoutreach guidelines, organizations. government,with and industry, academic

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

3 4 4 7 7 8 8 9 1 3 5 5 6 6 7 14 14 10 10 10 12 12 12 14 13 14 17 10 12 15 11 ASH H SHAKE, C : ARALLEL P AND UNCTIONS , F ASH H ERIVED ERIVED UPLE D

T 3

......

...... SHA-

KMAC, ......

......

Length Output

- iii Length Output ...... -

......

...... Length OutputLength - bitrary ......

Table of Contents ......

......

Name Input ......

......

w ...... TupleHash with Ar ParallelHash with Arbitrary KMAC with Arbitrary Padding Substrings IntegerByte to String Encoding String Encoding ......

......

arameters ...... 185

Overview P Definition Overvie Parameters Definition Parameters Definition Using theUsing Function- theUsing CustomizationString Overview Overview Parameters Definition Terms Acronymsand Basic Operations Other Internal Functions 6.3.1 5.3.1 4.3.1 2.3.1 2.3.2 2.3.3 2.3.4

800- MAC 6.1 6.2 6.3 5.1 5.2 5.3 4.2 4.3 3.4 3.5 4.1 3.1 3.2 3.3 2.1 2.2 2.3 Implementation Considerations ParallelHash...... TupleHash K cSHAKE Glossary Introduction

7 6 5 4 3 1 2 NISTSP

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

20 17 17 17 19 19 20 19 19 20 22 26 21 19 20 25 ASH H SHAKE, ...... C

: ......

] ARALLEL c [ P AND UNCTIONS , F ......

ECCAK ASH H ERIVED ERIVED and S

UPLE D

......

SHA-3 KMAC,

and Customization Strings ......

......

...... Name

iv AKE for Legal Any N ...... st Tables of ...... Li

...... st Appendices of

...... Give Unrelated Outputs

Li ......

t Length and S ......

......

N ......

Security Strength Security

KMAC Key Length KMAC Outpu Equivalent Security to SH Different Hashing into (Informative)Range a References KMAC, TupleHash, ParallelHash and Terms in K of

— — — 185 Collisions and Preimages Guidance for KMAC Using Securely Claimed Security Properties for the Function- Precomputation Limited Implementations Exploiting Parallelism in ParallelHash 8.4.2 8.2.2 8.4.1 8.2.1 algorithms

800- 8.3 8.4 8.1 8.2 7.1 7.2 7.3 Security Considerations

Appendix B Appendix C Table 1:Table Equivalent security settings for previously KMAC and standardized MAC 8 Appendix A NISTSP

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

, ) ASH 224, H users

strings

directly SHAKE,

C : additional , in Sec. 3, 3, , in Sec. Based Hash ARALLEL -

P functions a functions are and keyed hash knowing one of one of knowing : AND UNCTIONS , such customization customization such F are named for their ;

ASH PRFs) ( ECCAK) H cSHAKE256

functionality not functionality ERIVED ERIVED UPLE D and

T with different customization customization different with 3

will be will 512 and SHAKE128) - 3 Standard is Domain based. are unrelated are -

sble Function (XOFs Output ) xtends this scheme to allow to scheme this xtends a SHA- length- functions (SHA3 hash KMAC, - —e 3 Standard: Permutation - HAKE128 eXtend fixed cS SHA

, computations s

two

202,

function with two different customization different two with function pseudorandom functions pseudorandom 1 Secure Hash Algorithm K Algorithm Hash Secure

earlier hash functions, they functions, hash earlier

variant ; . It then defines three three defines 202. definedIt then in FIPS

on which the SHA

providing functions that hash tuples of input strings tuples of that hash providing functions cSHAKE . They are: 512), and providing two SHAKE [1], defines four

ion, as below. described ion, length outputs These SHAKE ( - . Thus,

from one input string to an adjacent one, or removing an empty string from the the from string empty an removing or one, adjacent an to string input one from

. new6, that provide 4 through , in Secs. a flexible scheme for domain separation between different functions functions different between separation for domain scheme a flexible sponge function [3] MessageAuthentication . Code the funct

; and f ] [2] —the algorithm 2 c a key fingerprint and an email signature email and an key fingerprint a [ and KMAC256, 128 and ParallelHash256, providing efficient to hash hash functions long 384, and- SHA3 the customizable version of SHAKE of —the version customizable

that different named functions (such as SHA3 as (such functions named different that nalogous to strong typing in a programming language typing a programming to in strong nalogous 1 ECCAK

strength s ve these properties in common: ve these properties K ctions Fun Output with variable with functions ECCAK

- he more he more basic functions ryptographic primitive; unlike unlike primitive; ryptographic ECCAK K 185 —ha the same answer same the ensure

. cSHAKE extremely unlikely that computing one unlikely extremely 800- derived example, (for KMAC128 the specified in 202. derived functions FIPS They are all from cSHAKE. of terms in are defined cSHAKE except the functions All unambiguously functions , TupleHash128 and TupleHash256 ParallelHash messages more quickly by taking advantage of parallelism in the processors. in parallelism of advantage taking by quickly more messages 256,- SHA3 it

- Introduction 3- s yield • • • • • number of strings, and the specific content of each string in the calculation of the resulting hash value. Thus, any any Thus, value. hash resulting the of calculation the in string each of content specific the and strings, of number bytes moving as (such change inputextremelylikely tuple) to is different lead a to result. KMAC stands for for stands KMAC upleHash processes a tuple of one or more input strings, and incorporates the contents of all the strings, the the strings, the all of contents the incorporates and strings, input more or one of tuple a processes TupleHash

available from t from available 1 2 new kind of c kindnew of based on the SHA- KMAC, TupleHash, and this Recommendation—cSHAKE, in defined All functions four ParallelHash and Extendable SHA3 SHAKE128 and SHAKE256. security expected separation unrelated o use their to customize a is Customization make will strings 1 (FIPS) Standard Processing Information Federal NISTSP 202 alsoFIPS supports K derived from these results will give an attacker no information about the other. the about information no attacker an give will results these defines twoThis Recommendation c

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

ASH H yield

, SHAKE, C : ARALLEL P is specified inis specified in general AND

UNCTIONS , , F is almost uniformly uniformly almost is ASH

H method a ERIVED ERIVED KMAC, TupleHash,KMAC, and

. UPLE D

T . 3

ngths, will output that SHA- KMAC, In addition, In

: 128 and 256 bits.: 128 positive integerR any1} for positive − strengths length outputs of any outputs of length bit length

- the the change property additional in requested that any length output

defined customization strings. customization defined -

the integers {0, 1, 2, ..., R the integers 185 800- All support variable support All have ParallelHash completely changes these function. any withthe Even of identical inputs otherwise, calledwhen withfunctions, output different requested le All support user All support two securityAll supporttwo unrelated outputs. uted on uted • • • NISTSP These functions are detailed in the specific sections below. sections specific in the are detailed These functions toAppendix facilitate B using to pro these functions duce distrib

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

ASH

H quotes. SHAKE, - C : ARALLEL permutation P

f - AND UNCTIONS ,

F ASH

ECCAK

order bit first, while in in while first, order bit H K - [2], and standardized in

ERIVED ERIVED

UPLE D

e. rate padding as the padding rate padding T 3

order digit first. E.g., 0x01 =E.g., digit order first. SHA-

KMAC, with the low the with

high- . function. font. Bytes are typically written as two- as typically written are Bytes font.

. ordering conventions follow the conventions the follow conventions ordering 1 -

SHAKE

3 or

essage Authentication Code. bits, consisting of a of 8 bits, consisting of is a multiple length whose 0

was originally specified in in specified originally was

Courier New Courier

. Message Authentication Cod

based M Hash Message Authentication Code. Authentication Message Hash ECCAK - Character strings appear in this document inCharacter in double this strings appear document -

amily of allwithamily functions a of sponge . K Pseudorandom Function Pseudorandom ECCAK K Code. Message Authentication Technology. National StandardsInstitute and of See Federal Information ProcessingFederalInformation Standard. the isof output the in length function which A on bit strings of representation condensed serves as a often output The fixed. the input. Keyed The f and as multi the function underlying A binary digit: digit: binary A Cipher customizable The For a function, a the partitioning of inputs to different application one domain. is than assigned to domains so more that no input function be extended to A on bit in output strings which the can any desired length. rule. FIPS 202 bit ASCII representation of each successive character. successive each of representation bit ASCII

and =. 00000001 0x80 These bit 185 Output -

800- Separatio

Terms and Acronyms Glossary

tendable PS ECCAK MAC

MAC NIST PRF K KMAC Hash Function HMAC eX Function (XOF) FI cSHAKE Domain 2.1 Bit C ASCII characters 0 through 9 and A through F, preceded by preceded by through 9 and A F, characters ASCII 0 through the from numbers hexadecimal digit are written representation, bytes In binary the “0x”. prefix the with are written bytes representation, hexadecimal 2 the in indicated are bits document, this In NISTSP 10000000 of FIPS 202 B.1 Sec. in established bit strings bit as interpreted are strings Character the by 0 bit, 7- followed

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

i 0 ASH H SHAKE, example, C :

processed returns the the returns

ARALLEL For P ”

ctly less than . consecutive consecutive b

bits Y s

AND UNCTIONS , fining a function F and mod mod y indistinguishable

input

ASH

a H of

6. is the byte encoding of of the encoding byte is of

. “ ERIVED ERIVED

) =

] for de i b . ⌉ UPLE D ( 3 6 8 T in bits. in 3

⌈

X and

number

SHA- a KMAC, 3, and the −

concatenation =

⌉

3. - the

3.2 is the string that consists of of consists that is the string the least integer that is not stri is not that integer the least functions used in the definition definition the in used functions and substring

− is s

⌈ a by b. of integers integers of is order bit of the byteorder the of bit

0 Y

) is the length of of length the ) is

⌉ , 4, 4

|| s x

X Output FunctionOutput ⌈ =

construction, X , ⌉

, x padding padding Y

11001010. , len( 3.2 ranging from 0 to 255, enc 0 to 255, from ranging ⌈ X i and

sponge

X ction that according isto construction, the defined sponge

010 =

eXtendable the ||

arbitrarily long. arbitrarily A fun possibly to specialized a fixed output length. bits. of sequence A See seed is such computationall that theoutput truly output.from random In the per underlying of function. invocation Algorithm Hash Secure [ specified in originally The method a of strings bit function on underlying an the 1) following: from fixed length, 2) rule, a3) padding and a rate. and Both the input bestrings arethat can bit the resulting function of the output A function that can be used to generate output from a random from output usedto generate thatcan be function A

strings

s. ding divi after mainder , encoding string . For example, 11001 For a bit string For a bit string For For a real number number a real For x For integer a positive bit operationThe modulo re integer an For low thewith bit 0 being

derived functions. 185 3- - 800-

Construction

Other Internal Functions Basic Operations ) 3 )

( X Y 8

⌉ mod mod

x enc len( X 0 a the describes section This the of SHA 2.2 ⌈ String XOF Sponge Function Rate SHA Sponge Pseudorandom Function Pseudorandom (PRF) NISTSP 2.3

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

ASH will rsed rsed H

SHAKE, C :

1. ARALLEL − P 2040 t_encode(0) AND UNCTIONS , lef F ASH H and ERIVED ERIVED UPLE D

T 3

SHA-

KMAC,

10000000, . . x x

, are defined to encode integers as byte byte as integers encode to defined are , > > 8n 8n 2 2 . The function is defined as is follows: . The function defined satisfying:

satisfying:

x 5 x

0 0000000

which which right_encode for for

. yield . n

as a byte string in a way that can be unambiguously that parsed be in a can as way string a byte rting the length of the byte string after the byte string string byte the after string byte the of length the rting and +1

as a byte string in a way that can be unambiguously thatcan pa be in a as way string a byte n

x O 2040 ||

will O 1

integer n. n. − || integer of 256 encoding

n. n. S. n n of 256 encoding || < 2 - O O 2040 2040

|| || 1 to 1 to 1 to 1 to S)) - base < 2 < 2 = = = = left_encode base () to the these() bytes, encode defined individual as functions two are x len(S) x … … positive i i i i

positive 8 || || the 2 1 . the function is used to bit be encode in parsed used that strings a is way function may for for

O O 0 ≤ 0 ≤ 0 ≤ , for , for

i i be n) : ), ), n i i ( x x

. . be || || ) ) 8 n). : n x x i i ctions, right_encode(0)

1 0 - - ( ) ( ( x :

n n 8 8 8 smallest S

O O smallest ions:

) encodes the encodes integer ) : 8( 8( x) enc x ) encodes the integer x integer the ) encodes 2 2 = = x) 185 , …, x = x ,…, enc

2 enc enc the 2 the O O = x ∑ ∑ left_encode(len(

+1 = = , x 0 i i n , be 1 1 800- = =

Condit Conditions: Conditions O O O x O x String EncodingString Integer to Byte String Encoding Byte to Integer x x n be example, n

eturn encode_string 0 00000000. 1000000 an Return R Let Let Let Let Return Let Let Let Let

yield from the beginningfrom the of string by inserting byte byte before length the string the the string of x representation of right_encode( by inse the string of the end from x representation of Using the function enc left_encode( Validity 5. 2.3.2 The the the beginning string, S unambiguously of from Validity 1. strings. Both functions can encode integers up to an extremely large maximum, 2 extremely largean encode functions maximum, up tostrings. integers can Both left_encode( 4. 1. 3. 4. As encode_string( 5. Validity 1. follows: right_encode( 2. 3. 2. 2.3.1 fun internal Two NISTSP

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

. ) 8, X

the ASH

1. of zero. H

string

S),

SHAKE, operates string ining bit C

a from In general, , then pads , then pads bit 0 1000000 . ARALLEL X

the

P a multiple cont

a n− position 8), X in

function AND

yield is UNCTIONS , in indexed of

is S) ASH are string

H will

position len( of bit

ERIVED ERIVED

substring "" string if UPLE D

multiple

T 3

the strings bit to an input stringinput an to a

the

n- specific not string SHA-

ple multi from 1, inclusive. an a

a KMAC,

−

e in )

However,

X S) be 1, inclusive. and output precisely, bit

empty denot len( b− len(

substring last

the input a —the byte string bytepad(encode_string(

that More oriented.

(i.e., also will - 6 s

is the S)

, whereas bytepad does not provide provide doesbeginning, whereas not bytepad

position position S and the

byte in

returns

to to 0, integer

: not oriented inclusive. s - where 1,

also byte positions

b−

function S)

is position position a position a negative

bit

encode_string( ..., not

S) 0: a, of is all

non-

≠

from from S . X, a+1,

0: w be X X string. X ): that

tring

|| a, >

X b

) s of of output 8 ≠ w ): w a string : mod

encode_string( X Note in and ) function prepends an encoding of the w of integer an prepends encoding ) function len( the

empty bits bits

bit mod w a substring(

)/8)

encode_string( of : , ) z the the the s len(

) 00000000 bit a ≥ z

X a, b): positions || 185 he the || 0

, w below X, z z b ≤ if

bit X

f first len( (len( b or from

800- length = = z

example, i

Conditions Substrings Padding return z z return return at left_encode(

that a ≥

= an parameter If

z while return while Else Else:

defined as Thus, the values Informally, substring( the result with zeros until it is a byte string whose length in bytes is a multiple of w of multiple a is bytes in length whose string byte a is it until zeros with result the 2.3.4 Let 1. Validity The bytepad( 1. 2. 4. returned then the 2.3.3 dedbytepad used strings intended to on enco is be can its be parsed unambiguously from bytepad()The definition of as follow is bytepad( 3. 2. 3. As NISTSP unambiguous paddingstrings. all input for 0. 0000000 Note

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

. . bit ASH H of theof y apply y

SHAKE, C : ARALLEL

P 1 bits)1 ma − . AND UNCTIONS , 5 2040

F that is is that length output ASH n H . ERIVED ERIVED UPLE D

T 3

in bits. SHA- 4 are defined in terms of the of defined256—are interms , including zero. tural wayimplement tural to this function would KMAC, 3 is set to the empty string. empty the to set is

, S) is as equivalent SHAKE to defined in is set to the empty string empty the to set is and . bit security strength security bit , N ) )

, L , L , L

X X

and cSHAKE 7 (

a request for a for request a or string input

In the remainder of this document, absurdly large limits like document, this of remainder the In

128 =0, cSHAKE, KMAC, TupleHash, and ParallelHash KMAC, TupleHash, return and the cSHAKE, =0,

: instances ” in this document, in a theoretical” limit (e.g.,2 byte . The user selects this string to define a variant a to define string this user selects The .

, cSHAKE two SHAKE128( SHAKE256( to empty strings. to

string and , = = S any —cSHAKE 1) 2) bit string, used by NIST to define functions based on cSHAKE. on cSHAKE. to by NIST define functionsbit based string, used bit "") "")

and interchangeablyatall. with nolimit

for N 1, S 2, S functions specified 202. FIPS in cSHAKE128 provides a 128-

, "", , "", ] that

name c reated 1, N 1, N [ , L , L X X so en no customization is desired,en is no customization S - ; if so, a fractional 1, L 1, L X X

, the string cannot be encoded. be cannot string the , 128( 256( ( ( while cSHAKE256 provides 256- cSHAKE256 , while a ECCAK

- function K

185 a S are string both empty s designed willoften bet

is limit is Thus, customization is a customization and is

is the main input any length be string. of bit may It the length output requested representing is integer an 800-

and strength S When no function other than cSHAKE is no function desired,than N When cSHAKE other X N L function. Wh cSHAKE cSHAKE cSHAKE cSHAKE 1 bits 1 Parameters cSHAKE Overview − • • • • 2040 be to set the default values for for values default the set to be empty string as the output. the as string empty This limit is imposed by the integer encoding schemes left_encode and right_encode, defined in Sec. 2.3.1. Sec. in defined right_encode, and left_encode schemes encoding integer the by imposed is limit This Beyond th 2 In computing languages that support default values for parameters, a na a parameters, for values default support that languages computing In When the requested output length is zero, i.e., L i.e., zero, is length output requested the When

When a string is specified to be “of any length any “of be to specified is string a When

5 4 3

SHAKE 3.2 parameters: four take functions cSHAKE Both 3 3.1 cSHAKE of variants two The NISTSP security support cSHAKE reasonably input implementation lengths may andAn of only output strings that are wholethat are bytes 8 would resulterror. of innot an a multiple FIPS 202. When N When cSHAKE

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

] ) ). c ( N ASH

H [512 could ). ).

SHAKE, includes - domain

C ECCAK : definitions definitions is

00, L 00, L ECCAK ARALLEL this

se P || || K X X

|| || that

AND and UNCTIONS ,

F returns the result of a of result the returns tomization ASH Note 168) 136) H font infont the [256]

S), S), ERIVED ERIVED g( either either

UPLE D .

any cus Nonstandard values of N of Nonstandard values outputs. ECCAK

the result of a call K to 202. SHA- that kind of customization is the the is customization of kind —that of domain separation by function domain separation function of by with

KMAC, FIPS Courier New encode_string( encode_strin

unrelated

|| || in follows: it as follows: ,

] ) ) derived functions, and derived should only be set to c N N cSHAKE [

3- in the - defined functions. -

is,

2040 2040 8 that may be used to provide a function name ( name function provide a used to be that may produce

(in bytes) of the K the of bytes) (in 00 2 2

ECCAK s

oriented value. oriented provides a level )< )< - K . That

S S string abyte to be discussed in Sec. 3.5. to in be Sec. discussed len( len(

instances function specified

strings S, input input

and and ith future NIST future ith parameter parameter two an

the characters characters the SHAKE or

ame Input ); ); 2040 2040 the N 2 2 and S concatenated to theX input string , L , L are both empty strings), or returns or strings), empty both are This SHAKE ](bytepad(encode_string( X X )< )< S

. ( should not make up their own names own up their make should not S2, 6

): ):

includes = 512 [ [256](bytepad(encode_string( S S and

. "": "": S1 len(N len(N , N, , N, ordinary

1 and are S1 empty S = S =

and , L , L ECCAK ECCAK the N X X 2 ( SHAKE256 K SHAKE128( K 185 N

= is defined in terms of terms in defined is "" and "" and from

800- 1 Conditions: Conditions: = = return return return return N Users of cSHAKE of Users

Using the Function- Definition N N lse: lse: f f I E I E case where NIST will always make the function name name the function make always will NIST

cSHAKE256 Validity This use in for is by NIST intended defining SHA 6 1. 2. separated 3.4 functionThe cSHAKE values by NIST defined name. 1. the 3.3 cSHAKE N (if SHAKE to call N of with encoding a padded cSHAKE128( Validity 2. 168 numbers Note and 136 are thatthe rate sponge functions, respectively; two zero bits specify customizationpurpose the string of unless NISTSP cause interoperability problems w problems interoperability cause

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

an are ASH —it H SHAKE, C : values signing

ARALLEL P for AND UNCTIONS , F ASH H ERIVED ERIVED ifdifferent values of S computation UPLE D

T 3

owever, implementations may however, implementations may

; SHA- KMAC, 2040

cSHAKE , 2

to allow users to customize their use of their of use customize to users to allow

e email signature) to signature) one computation (th email e

S) ( 128 to compute a key fingerprint (the hash (the hash a key fingerprint 128 tocompute

S. different

a S. 9 fingerprint") a collision between these cSHAKEa collision between two

, signature") , "email cSHAKE

"" an input string customize

, 256, l accept. to of any length less than less length of any

, 256, "", "key

includes includes decide

may be may

fingerprint) key (the computation other the

also as email_contents public_key might

128( 128(

user result result

function

For example, someone using someone For example, 185 same

800- cSHAKE cSHAKE the

Usingthe Customization String

the same for might use: a public key)

. yield used string customization The email: string customization the is signature" "email where is intendedThe customizationto avoid string forceto somehow an attacker for difficult very be will they wil S that of length the restrict 3.5 The cSHAKE NISTSP the function. Later, value string is a customization fingerprint" "key where

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

the ASH H nd XOF, as as XOF, a SHAKE, , C 9 : keyed hash ARALLEL P AND UNCTIONS , F

ASH H and an encoding of the the of encoding and an strength, as discussed in Sec. Sec. in discussed as strength,

ERIVED ERIVED

. KMAC has KMAC variants,two . in this document, as specified in in specified as document, this in UPLE D

T 3

2040

). t firstt L in bits. < 2 SHA- 8 ) , and unlike SHAKE and, and unlike SHAKE cSHAKE, up to 256 bits security, of provided KMAC,

(S ated output algorithm and is a PRF

order bi order

- with the input X input the with

low trength and len right_encode(

2040 10110010 10000010 11000010

length output ||

- 10

of any length, including zero. any length, including of with the X

< 2

|| to beto at least the required security , S).

L , including zero. 7 0 ≤ 168) ), K 11010010 and

, “KMAC”

1 bits of output from this function unless the function is used as a used is function the unless function this from output of bits 1 2040 − , L 2040 < 2 . It provides variable . The result is then passed to cSHAKE, along. The result with is to cSHAKE, requested then the output passed newX L ): set to the empty string. empty to set the ="KMAC"

len(K) ECCAK is , S : N

, L

Message Authentication Code (KMAC) Code Authentication Message , X

name name key bit string of any length any key string bit of 185

K bytepad(encode_string( n binary representation, bytes are written written are bytes representation, n binary inSec. 4.3.1. cSHAKE128(

the If no customization customization no If zero. any length, including of string bit customization optional is an = is a is the main input string bit . be It may is an integer representing the requested output length output the requested representing is integer an 800- concatenates a padded version of the key K key the of padded version concatenates a , Conditions S S is desired, K X L

ECCAK L

Definition Parameters KMAC Overview K • newX return • • • discussed Note that is there a limit of 2 Sec. 2. 8.4.1. Approved uses of KMAC require the length of K of length the require KMAC of uses Approved

Note i that

9 7 8

KMAC requested length output length 1. 2. 4.3 4.2 Both KMAC functions parameters: take following the function based on K function on based unrel a new, alteringrequested generates the output length The two cSHAKE128 respectively. KMAC128 and and KMAC256, built cSHAKE256, from most for Nonetheless, properties. security technical their in somewhat differ variants both variantsapplications, can support s any security optional string customization . S KMAC128( 4 4.1 The NISTSP Validity a long enough key is used, keyis as long8.4.1. discussed enough in a Sec. that

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

, ] S) or 12 ASH , S) H L [5

, , L SHAKE, X runcated runcated , C , : X K , ECCAK ARALLEL K P length output length output K - 128( AND and UNCTIONS ,

F ASH H [256] ERIVED ERIVED

UPLE D

T 3

2040

ECCAK ).

0). 0). L

SHA-

< 2 KMAC, S) and KMACXOF256( 2040 , 2040 L , < 2 < 2 X , and len(S) K right_encode( right_encode( right_encode(

which mimics the behavior of cSHAKE. cSHAKE. behavior, which of mimics the

2040 ) || || ||

(in bytes) of the K the of bytes) (in

produces an infinite in produces an XOF mode X X X s and len(S)

and len(S) < 2 || || || , S). , S). , S). ) ) L L L 0 ≤ 168) 136 136 0 ≤ 0 ≤ ), ), ), K K K and and and , “KMAC” , “KMAC” , “KMAC” 2040

2040 2040 is computed by setting the length output as in encoded shown to 0,

, L , L , L -Length Output ): ): <2 <2 < 2 , S , S newX newX newX given by the following pseudocode: the, S) given following by L L ( ( ): , , Conceptually, KMAC KMAC Conceptually, , L , KMAC len(K) len(K) len(K) , S : : : , X , X , X K K K , L (

, X below. 128( 185

K s ( bytepad(encode_string( bytepad(encode_string( bytepad(encode_string( cSHAKE128( cSHAKE256 cSHAKE256

= = = 800- Conditions Conditions Conditions KMAC with Arbitrary ity newX return newX return newX return When used used as a XOF When 1. 2. 1. 2. Some applications of KMAC may not applications theSome KMAC may know number of output of will until bits they need after the outputsbegin to be produced. (i.e. can also For as a XOF these used be applications, KMAC sponge functions, respectively. 4.3.1 belengththe extended to can any desired output right_encode(0) 1 of inthe Step KMACXOF128( KMACXOF256 Validity KMAC256 NISTSP Valid 1. 2. 168 numbers andNote 136 are thatthe rate pseudocode string, and the caller simply uses as many bits the of output many uses are string as string, T as callerand needed. the simply by the KMACXOF in can be function XOF computed outputs KMAC mode of KMACXOF256( KMACXOF Validity

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

ASH will

H n an )

SHAKE, , i ) in this ” C ,"d" : z along with TupleHash TupleHash

, ARALLEL output. even though even

P , the optional optional the ,...,“ ) ” "abc" "abc" The ( c

“ AND UNCTIONS , , ,"cd" F and b” ASH “

H , "ab" ( ”

a ERIVED ERIVED “ Changing any input to the

UPLE D

T 3

tuple way to combine a sequence of a sequence of toway combine length output that is designedis thatlength output to SHA- - KMAC, , numbering from 0. from numbering , resistant resistant se-

bit string bit

2040 .

12 X , misu

strings in an unambiguous way, then encodes theencodes then way, an unambiguous in strings

< 2 : 128 bits: 128 and 256 bits. 00101010 10101110 00001110 00110110

= tuple input ] be the] i the i

[ s or variables in parentheses ( like in s or parentheses variables in . s and len(S) ) ]

i [ , let X let , ). 2040 string X L , for example, a TupleHash example, , for tuple computed on the string

“TupleHash” or more bit strings, any or all of which of be an anymay empty string. or or strings, more bit all < 2 derived hash function withderived variable hash L

of , and the strings, two resulting concatenated the same kept are parameters ):

) - set to the empty string. empty to set the input zero in pseudocode as follows: , S N it strings bit 0 ≤ Such a tuple consist any number strings,may of of including, andzero is is : of of

, L

X :

right_encode( n encode_string( defin || 185 ||

z number z

1 to If no customization customization no If zero. any length, including of string bit customization optional is an = is a tuple is an integer representing the requested output length in bits. in length output requested the representing integer an is 800- = = Conditions z X L S S is desired, the "". i Definition Parameters TupleHash Overview is a tuple of n of tuple is a = function name ( name function

newX

n = • • • z for

4. 2. . unambiguous way 5.3 of the sequence encodes TupleHash 1. 3. represented as a sequence as of a sequence represented 5.2 parameters: following the TupleHash takes simply hash a tuple of input strings, any or all of which may be empty strings be empty which may of input all anyof or strings, hash atuple simply on the computed TupleHash a thanvalue hash produce different a allremaining input the the final change certainly almost length, will function, including requested the output the and the cSHAKE passes into of string, result at end requested the length output the functions are TupleHash128( 5 5.1 a SHA is TupleHash withoutare encoding, string identical. TupleHash supports security strengths two NISTSP , 10100110 00010010 10000110 11001110 00010110 Validity strings hashing for such that S. string customization If document. provide generic to TupleHash designed a is

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

e ASH H SHAKE, S) and C havior of havior of : , ARALLEL be used as a as a used be L P in XOF mod ,

X AND UNCTIONS , F can also also can ASH

H y the following given following by the ERIVED ERIVED S) UPLE D

T , 3

L which mimics which mimics the be , , X SHA- the encoded output length to output 0, asthe encoded KMAC, Conceptually, TupleHash

. . 2040 .

13 X X X

< 2 2040 2040 tuple tuple tuple or TupleHashXOF256( , S). eHash” the the the

is computed by setting by setting computed is S) in in in Length Output -Length ,

may not may know outputthe number of bits need until they will . s and len(S) L ). , S). , “TupleHash” , S). , “TupleHash” , “Tupl , S). , “TupleHash” ]) ]). ]

i i i , [ [ [ ). 2040 X , L , L , L , L X X X 0). 0). L ): ): strings strings string S) pseudocodes below.

and len(S) < 2 < 2 and len(S) < 2 , S , S , 128( L L L newX newX newX newX

runcated TupleHash outputs of in can XOF mode be computed by the ( ( ): , L , L , TupleHash T , input input input X X

length output string,caller uses and the simply as bits many the of output , S X 0 ≤ 0 ≤ 0 ≤ - : : : of of of , L 256( 128(

X : : :

right_encode( right_encode( right_encode( n n n encode_string( encode_string( encode_string( tions TupleHash of || || || 185 || || ||

) desired length any extended to bethe can output z z z number number number

z z z cSHAKE128( cSHAKE256 cSHAKE256 cSHAKE128(

1 to 1 to 1 to

= = = 800- ======Conditions Conditions Conditions TupleHash withTupleHash Arbitrary z z z the the the used as a XOF used "". "". "". i i i

= = = newX return newX return newX return

n = n = z for z for

n = z for return When 4. 5. 4. 5. 4. 5. 2. TupleHashXOF 2. shown in theshown Step right_encode(0) TupleHashXOF128( 1 of in 1. 3. Validity 1. 3. 2. 5.3.1 applica Some TupleHash256( 1. 3. TupleHash For be produced. these applications, to after begin the outputs cSHAKE. TupleHashXOF256( produces infinite an needed. are string as pseudocode: TupleHashXOF 5. function TupleHashXOF NISTSP Validity Validity XOF (i.e.,XOF

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

ASH and

Like H name in thein

SHAKE, selected selected - C : overlapping ARALLEL output. P below function non- he AND UNCTIONS ,

. shown Changing any inputChanging supports the 128- ASH

each block separately. block each

supports user H

as ERIVED ERIVED for ECCAK

UPLE

D K

also T 3

value SHA- If no customization customization no If zero. including , including zero. ParallelHash ce of contiguous, KMAC,

. 11 and length output. - having no limit atall. havingnolimit 2040

as follows:

with < 2 ⌉

2040

14 into a sequen into < 2 of any length of

hashing of very long strings, by taking by taking strings, verylong of hashing efficient the

X approved hash functions may be developed in the future. The The future. the in developed be may functions hash approved - pseudocode len(X)/B ⌈ in string string as interchangeable and

and len(S) and some encoded integer values ( values integer encoded some and bit is the block size in bytes as defined in Sec. 6.2. As specified in Footnote 2, 2, Footnote in specified As 6.2. Sec. in defined as bytes in size block the is 2040 hash the computes then and ,

2040

is to support

B and also provides variable provides also and available in modern processors in modern available 10

): < 2 00001010 10000110 01001110 10000110 00110110 < 2 , are defined and bytes

, even the requested output length, will result length, , evenrequested the output in unrelated , S

L es are combined and along passed toes are combined cSHAKE with t

L B mode for other NIST other for mode 2040 , ⌉. 0 ≤ 0 < B

set to the empty string. empty to set the It may inputbe string bit may . It

< 2 B , B is valu

: absurdlylarge limit hash

parameters: following the / ⌉ X

parallelism functions

block size in bytes parallel for . It hashing be anymay integer such that 0

the . ), len(X)/B len(X)/B

is is an optional customization bit string of any length, of string bit customization optional is an is the is

⌈ llelHash r representing the requested output length in bits. in length output requested the r representing is intege an 2040 800- "ParallelHash" = "ParallelHash" X (len( Conditions ⌈ 2 S L X B S is desired,

Definition Parameters ParallelHash Overview of generic parallel bit security strengths security bit Para • n = • • •

Where Where ) A

function here (i.e., ParallelHash) is specifically based on cSHAKE, and thus, on thus, based and oncSHAKE, specifically is here(i.e.,functionParallelHash) NISTwilltreat such

N Finally, these hash these Finally, ( 00110110 10100110 00110110 00010010 10000110 11001110 00010110, the00110110 10100110 00110110 S, string customization optional 10 11 ParallelHash length of each blocks, pseudocode The ParallelHash128( 1. 6.3 advantage of theadvantage of Validity 6.2 takes ParallelHash 256- 6 6.1 ParallelHash of The purpose NISTSP parameter to ParallelHash to parameter the in other functions this document, ParallelHash defined strings. tion customiza

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

ASH H SHAKE, to as 0, S) and C : , L ARALLEL given by the P in XOF mode ,

B S) AND UNCTIONS , , , F L X be used as a as used be also can

, ASH B H

, ERIVED ERIVED X UPLE D

""). ""). ""). T 3

which mimics which mimics the behavior of , ) SHA- KMAC, 256, "", 512, "", 256, "", and and *8), *8), *8), 2040 2040 Conceptually, ParallelHash Conceptually, B B B

* * *

. . < 2 < 2 ⌉ ⌉

2040 +1) +1) +1)

i i i

15 < 2

or ParallelHashXOF256(

*8, ( *8, ( *8, ( ). ). B B B 2040 L 0). L * * * S) len(X)/B len(X)/B ⌈ ⌈ , , i , i , i L < 2 X X is computed by setting the by setting encoded outputis length computed -Length Output ,

and and may not know the number of output bits they will need until need will they bits output of not the know number may and len(S) B

): ): , S). , , “ParallelHash” , S) , “ParallelHash” , S) , “ParallelHash” 2040 2040 2040 X , S , S S) pseudocodes below. , L , L , L , ): , L , L L right_encode( right_encode( < 2 right_encode( < 2 and len(S) < 2 128( , || || || , S L L ) ) ) , B , B B n n n newX newX newX

, X 256(substring( X X ( ( ( runcated outputs of ParallelHash in XOF mode uted comp canmode be XOF by the ParallelHash in of runcated outputs can be extended to any desired length desired any to extended be can , ⌉. ⌉.

0 ≤ 0 < B 0 ≤ 0 < B

T ). ). ). length output string,caller uses and the simply as bits many the of output

B B , B ode ode ode B B B 128( 128(

: : 128( / / X 1: 1: 1: − − −

)/8) )/8) n n n cSHAKE128(substring( cSHAKE cSHAKE128(substring( XOF . . . 185 || || ||

the output z z z

right_enc right_enc right_enc z z z cSHAKE256( cSHAKE cSHAKE 0 to 0 to 0 to

ashXOF256( = = = || || || 800- = = = X (len( X (len(

= = = Conditions Conditions ⌈ ⌈ ParallelHash with Arbitrary z z z

left_encode( z z left_encode( left_encode( z i i i ======newX return for z newX return z z n = for newX return n = z z for z ( arallelHashXOF256 arallelHash256( When used as a XOF, ParallelHash as a XOF, used When 5. 6. cSHAKE. the 1 of ParallelHashXOF128( inStep right_encode(0) in shown ParallelH produces infinite an needed. are as string P 3. 2. 5. 6. P 4. (i.e.,XOF ParallelHashXOF function 4. Validity 6.3.1 ParallelHash applications of Some ParallelHash For be applications, these produced. to after begin the outputs 1. 3. 5. 6. 1. 2. 2. 3. NISTSP 4. following pseudocode: ParallelHash Validity

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

ASH H SHAKE, C : ARALLEL P AND UNCTIONS , F ASH H

ERIVED ERIVED UPLE D

""). T 3

SHA- KMAC, , 512, "", and *8) 2040 B *

< 2 ⌉

+1)

*8, ( B 2040 0). * len(X)/B ⌈ , i < 2 X and , S). , “ParallelHash” 2040

, L right_encode( < 2 and len(S) || L ) n newX

( ⌉.

0 ≤ 0 < B

B ode B

: / 1: −

)/8) n cSHAKE256(substring( . 185 ||

z right_enc z cSHAKE256( 0 to

= || 800- = X (len(

= Conditions ⌈ z

z left_encode( i = = newX return z for z n =

5. 6. 4. 3. 2. Validity NISTSP 1.

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

. it ASH bits, H

SHAKE, ble for a C : is designed is designed

ARALLEL P to accommodate to accommodate AND UNCTIONS , F [1] tuple of strings, and and strings,tuple of

K theing key process ASH that n a set inputs of that H ParallelHash The choice block of size

ERIVED ERIVED UPLE D

function T 3

f - in parallel and a machine that can can that a machine and parallel in SHA-

n parallel. n KMAC, in this case. in will process, and the allowed output output and the allowed will process,

ECCAK S, and the of result value. will suffer no performance penalty will suffer when an integer multiple of multiple integer an will process and four blocks four

. the K underlying

to that same to same that on to a smallon to implementati their restrict to permitted are in multiple cSHAKE executions. Since TupleHash and and Sinceexecutions. TupleHash cSHAKE in multiple However, a much faster implementation is possible when when is possible implementation faster a much However, if it were only expected to interoperate with another another with interoperate to expected only were it if

s to

n implementation can the precompute processing result of this and

A N . acceptable to limit an implementation of any of these functions to these of functions any of an implementation limit acceptable to with cSHAKE, and thus,with cSHAKE,

the customization string S string customization the

hash hash can that a machine S

and ple,

and

N N

can be implemented in a straightforward and reasonably efficient way even when when even way efficient reasonably and a straightforward in implemented be can or exam name 185

F is the rate parameter 800-

r ExploitingParallelism in ParallelHash Limited Implementations Implementation Considerations Precomputation function can have a huge impact on the efficiency of ParallelHash of efficiency the on impact a huge have can

7.3 the it that inputs possible the limit to implementation specific it produce. that will lengths would be it For example, ParallelHash of implementations Specific subset allowed the it values. For of example, implementation a would be acceptable for particular B of value a single allow to only B restricted similarly that implementation 7.2 wideaccept a to defined are The functions cSHAK and ParallelHash KMAC, TupleHash, E, range possible of unreasonably (including long inputs, inputs and fractional inputs involving is accepta it lengths. output However, possible of range wide a produce to bytes), and output, output, onlyto of 65536 bytes or whole of to bytes orproducing than producing no more implementations inputs. Additionally, bytes) as (neverfractional strings accepting byte only intended only a specific, limited usefurther may for restrict sets the inputs of they process. will a 6- to process TupleHash256 used only of an implementation For example, call the that all so is defined cSHAKE "addressof bealways acceptable. a customization tuple", using would string itIf is possible one an of for implementation of these to functions be give ParallelHash B 7 7.1 NISTSP is available. processing sequential only each the of individual the of blocks can be handledmessage i where where cannot then the process, implementation shall signal an and refuseerror tocondition produce an output. that parallel benefit from principle, thatparallel processing in applymachine can, can so that any processing. padded of block reusing the same choices of the same reusing to is available precomputation this same cSHAKE, of in terms are defined ParallelHash functions well those implementations as of processing of result the precompute can KMAC Thus, KMAC128 usingstring customization a precomputed fixed, will and key process an input as SHAKE128. as efficiently string

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

is ASH H that SHAKE, C : ARALLEL P AND UNCTIONS , F ASH H ERIVED ERIVED UPLE D

T 3

SHA- KMAC,

185

blocks in parallel can each benefit from all the parallel processing ability ability processing parallel the all from benefit each can parallel in blocks 800- 32 . available hash NISTSP

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

. . a a ≠ to

X N,

S. has ASH and , will

n1 have

H L of these

Then, or

S) , output 2) inputs) 2), output

SHAKE,

s X security s strength strength N

( inding

require C

cSHAKE N, f of : functions. on one of on one of

for , either

n2, n with ARALLEL

L inherit the , set output. P susceptible will ,

L functions X and q2, other

of (

be expected , unrelated claimed 2), 2,

any

AND they 2, s x UNCTIONS values ,

x the F an

not are Similarly,

eric attack pairs cSHAKE128 l ASH (for n2, two .

of functions, KE, 128( ) 2) H requested

s S, strength

unrelated wil L gen

, 128 gives ERIVED ERIVED for any 2 L

the 2,

UPLE

D 2, as string

x ,

x cSHA T cSHAKE256 cSHAKE( 3

no "weak" of ferent of B

KMAC

string ; L ,

= )

cSHAKE dif X string and are L

of 2 security

256(

gainst generic attacks. gainst generic SHA- k

= , from 1 :

defined treated

a KMAC, x X

min(2 ( . 1) outputs )

lengths , there is no s

be and and all

There that , and Customization Strings of 256 128

). N the outputs

the 1)

claimed

n1, customization cSHAKE can

, 2 s derived , L

are , /2 to

completely

are X the

= L

customization L rder

the

ParallelHash( quantities o s n1, and

are customization

, Name

1, 1)

SHAKE s the x example, two 19 256( and

n2, q1, the than min(2

and q2

n1, 1, 1) name and 128(

between s x unrelated related of , q2, on

were q1 less , N L ,

different work that does not also exist for any hash function with anyalso hash work that function exist for does not L X

two ParallelHash , but SHAKE 1,

Function-

, for means x B that 128 order

as they , ParallelHash

are

name is

outputs X properties and cSHAKE

if inputs). the

cSHAKE( 2)

using

secret, s and . Th of

as = relationship complexity for complexity

cSHAKE( that .

suppose 1 gives

set

n2, k , no ( Give Unrelated Outputs Unrelated Give

function from

security properties and S

such

(with cSHAKE256( an 256 bits.

treated

and the more 1)

functions, s TupleHash, ParallelHash( where ame and

of 1) s

be (for

that TupleHash, s

functions and 2, on the complexity 2,

derived

n1, example, k security

relationship

attacks these the ≠ Further n1, q2, respectively

can

computational collision are bits (

for

1 such q1,

185 and of these

2. choice s a , ,

KMAC, s key and same

is X if

128

k of KMAC, ≠ that they : keys

800-

any Different Different Equivalent Security to SHAKE for Any Legal to for SHAKE Any Security Equivalent 1 , exactly q1

the s

given Security Properties SecurityConsiderations Claimed Security Strength

a or related Finding both function.) For Keys Each require collision no particular computational Thus, There and TupleHash

has

• S) • • Because Suppose For 8.2.2 8.2 8.2.1 • the same output length. Similarly, cSHAKE256, KMAC256, TupleHash256, and KMAC256, TupleHash256, and cSHAKE256, length. Similarly, output the same bits 256 of strength a security provides each ParallelHash256 exactly properties. Specifically: 8 8.1 cSHAKE, NISTSP security provide a each and ParallelHash128 TupleHash128, KMAC128, cSHAKE128, strengths length L output a that, given 128 bits.This means for of n2, cSHAKE( these functions requiring less than 2 lessthan requiring these functions That lengths

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

the ASH

H sized sized make make fix - of

XOFs. treated

SHAKE, pre C

can be : additional remaining a

rticular, an an rticular,

ARALLEL other is

P can the ) work.

their S) size selection size selection is

instances S) 128 and

AND

of UNCTIONS , N,

, 2 F have L q2, it determines the the —it determines

etc., , ASH q1,

, B H , , may be vulnerable, tomay a

, X X SHAKE ERIVED ERIVED , whose length is less than than is less whose length , key

bits, a collision attack will will attack a collision bits, UPLE D

functions T

L rallelHash with of

Pa ing the number of ing total limit by SHA- q1 and q2, respectively. cSHAKE(

FIPS 202. KMAC,

blocksize, and unrelated shares

q2, of

ParallelHash(

lengths q1< s. The difficulty of an attacker finding a a finding difficulty an attacker of s. The and

string,

. However, not all such output and key output lengths. However, not all such and S)

) For

, select an input key,input select an

cSHAKE

treated 20

q1 invalid (message, MAC) pairs for each successful successful each pairs MAC) for invalid (message, TupleHash, ,

be L 1 bits

B that A.2 Appendix and output − , X X in can property.

2040

work regardless—a longeroutput itsoutput of length does 2

KMAC, customization

this 128 input detail property .

orithm and cryptographic for alg keyGuidance orithm - important security parameter for KMAC for parameter security important lengths a (up to (up to

same variable output length output variable with is mode,

share

more

ParallelHash( the in , not

output

This at least min(2 at least require attackork, will and a preimage

XOF

) w with S). in under a given under key. a allowed functions only affects online attacks, a system that uses KMAC for message KMAC for that uses message a system online attacks, affects only does

128 example N,

improve its security against these attacks. However, a against shorter its these attacks. output security improve

, 2 discussed

different even Output Length Length Key hash ,

used /2 for L

q2, , 185 ,

2 failures failures ,

X with cSHAKE that

800- when . Given a small number of plaintext) number of (MAC, a pairs, small known requires. Given an at attacker most KMAC KMAC Thus

Guidance for SecurelyKMAC Using Collisions and Preimages that operations key to K the find )

in general is property K , len( cSHAKE( This in [4] . available Note their security required strength. functions as independent this shall of Applications Recommendation not In pa tag. MAC a in forging succeed will guessing attack online probability that an needattacker to submit, will on average, 2 8.4.2 lengthThe output another is For maximum flexibility and usefulness, the KMAC functions are defined for arbitrary for functions defined are KMAC the flexibility and usefulness, For maximum output and key lengths lengths 8.4.1 security a into translated straightforwardly most is that parameter the is length key input The strength 2 forgery. Since L L short a exploit that attacks mitigate can authentication verification 8.4 8.3 inputs. All support these functions security strength claimed both depends the functions these on any for of preimage collision or and the length. output 128 bits of function with a securityA like cSHAKE128, claimed strength 2 with attack preimage or collision not an output With vulnerable attacks. these tothe more function require min( are secure. Except NISTSP property

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

ASH H a few a few SHAKE, C : bit tag for for tag bit - careful risk risk careful

ARALLEL P 256 AND the UNCTIONS ,

) ) ) F . Note example as an S S S

, , , ASH

H select length an output L

ERIVED ERIVED , 128 , 256 , 512 , CMAC, ed in the listed algorithms, algorithms, listed the in ed - UPLE D

T S 3

text text text , , , K K K assum SHA- is KMAC,

KMACEquivalent bit tag for AE for tag bit KMAC128 ( KMAC128 ( KMAC256 ( KMAC256 SHA512) -

128-

21 the

) )

text tex ) s (i.e., , , K K text , only select an output length less than 64 bits lessoutput a select after 64 than an length only along with equivalent KMAC for settings K

(

ted tag ted bittag for HMAC

SHA256 ( SHA512 ( - - 512- CMAC -

AES HMAC HMAC Existing MAC Algorithm MAC Existing

185 Equivalent security settings for KMAC and previously standardized MAC algorithms standardized previously KMACsettingsand for security Equivalent

: 1 800- do not result in the same output.the different same do notin result of algorithms MAC settings equivalent SHA256, and the no no truncation theof associa

Table Table

thatisand 32 bits, shallless than other algorithms MAC approved that When used this as When of a MAC, shall Recommendation applications not NISTSP analysis is performed. analysis lists 1 Table settings, parameter given for KMAC of properties security the illustrate To HMAC- and that

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

are ASH

H ied in SHAKE, C : ARALLEL P

] AND UNCTIONS , F [c ASH H ERIVED ERIVED

ECCAK UPLE D

T 3

3 and SHAKE functions3 and SHAKE are

2040 2040

). ). ). , 168). 0). 0). L L

SHA-

S) 168). 136 168). 136). KMAC, 2040 and these functions in XOF theseinand XOF mode functions 2040 S), S), S), S),

ing( < 2 < 2 and len(S) < 2 and len(S) 2 <

right_encode( right_encode( right_encode( right_encode(

2040 2040 2040 .

|| || || ||

22 encode_str X ParallelHash X X X X || < 2 < 2 and len(S)

< 2 ) and len(S) || || || ||

encode_string( encode_string( encode_string( encode_string( ) L L L ]. These definitions are exactly equivalent to the the to equivalent exactly are These definitions ]. || || || || L ). ). ). ). ).

c ) ) ) ) tuple [ L L L L L 0 ≤ 0 ≤ 0 ≤ 168) 136 168) 136) 0 ≤ len(S) the

), ), ), ), 00, 00, 00, 00, 00, K K K K ] function, SHA on whichthe and and and in || || || || || and ECCAK c . and s [

KMAC” KMAC” KMAC” KMAC” ]) i 2040 2040 2040 “TupleHash” “ “ “ “ ). 2040 [ 2040 L X newX newX newX newX newX string ): ):

<2 < 2 < 2 < 2 ECCAK || || || || || < 2 , S , S T T T T T L

L L ): ]( ): ): , , input , S len(K) len(K) 0 ≤ len(K) len(K) , S , S : : : : : , X , X of [256]( [256]( [512 [256]( [512]( , L K K , L , L

encode_string( encode_string( X :

KMAC, TupleHash, K of KMAC, and ParallelHash in Terms right_encode(

n encode_string( , X , X — || 128( 185 || K K ECCAK ECCAK ECCAK ECCAK ECCAK

z ( bytepad(encode_string( bytepad(encode_string( bytepad(encode_string( bytepad(encode_string( number z h128( K K K K

1 to = K

= = = = 800- = = Conditions Conditions Conditions Conditions Conditions XOF z bytepad(encode_string( bytepad(encode_string( bytepad(encode_string( bytepad( bytepad( the "". i C ======newX T return

n = newX T return newX T z for newX newX T T return return return Appendix A Appendix 4. 5. 6. 2. 1. 2. 3. 1. 2. 1. 3. KMACXOF256( Validity TupleHas built. KMAC, TupleHash, and ParallelHash are defined in terms of cSHAKE, as specif cSHAKE, of terms in defined are ParallelHash and TupleHash, KMAC, built. TupleHash,Sec. 3. In KMAC, appendix, this defined directly in terms of K 1. 1. Validity FIPS 202 specifies the K specifies 202 the FIPS NISTSP of interms cSHAKE inmade Secs. 5, and 4, definitions 6. KMAC128( KMAC256 KMA Validity Validity 2. Validity 2. 3. 3. 3.

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

ASH H SHAKE, C : ARALLEL P AND UNCTIONS , F ASH H

ERIVED ERIVED UPLE D

T 3

, 168). 136). , 136). , 168). S) SHA- , 256). 1111 S) S) S), KMAC, || and

*8) B 2040 *

< 2 ⌉ i+

2040

encode_string( 2040 . . .

|| encode_string( encode_string( 23

encode_string( < 2 X X X

*8, (

|| || ||

< 2 ) ) ) B ).

* L ). ). ). ). len(X)/B , i 2040 2040 tuple tuple tuple L L L L ⌈ X len(S) the the the

00, 00, 00, 00, and and len(S) in in in

|| || || || . . and s 2040 ]) ]) ]). 2040

i i i “TupleHash” “TupleHash” “TupleHash” ) “ParallelHash” [ [ [ ). 2040 X X X substring( L 0). 0). newX newX newX newX ): ): ): ): right_encode( < 2 strings string strings < 2

]( || || || || || and len(S) < 2 and len(S) < 2 < 2 , S , S , S , S L ) T T T T L L L ode( n L L

): , L , L , , ⌉. [256

0 ≤ 0 < B

input input input X X ). , S 0 ≤ 0 ≤ 0 ≤

B , B , B B

: : : : of of of / [256]( [512]( [256]( [512]( X X , L 1: 128( 256(

encode_string( X − : : :

ECCAK )/8) right_enc right_encode( right_encode( n n n n encode_string( encode_string( encode_string(

|| || || 185 || K || || || ECCAK ECCAK ECCAK ECCAK

z z z z. number number number right_encode( z z z z

0 to 1 to 1 to 1 to K K K K e = = = = || 800- = = = =

= = = = Conditions Conditions Conditions Conditions z z z z bytepad(encode_string( bytepad(encode_string( bytepad(encode_string( bytepad( X ⌈ (len( th the the "". left_encode( "". "". z i i i i ======T newX newX T newX T z for return return z return n = newX T return n =

n = n = z for z for for z idity 5. 4. 4. 5. 4. 5. 2. 3. 6. 6. 1. 6. 1. 5. 6. 7. 2. ParallelHash128( ParallelHash256( 2. 2. 1. 3. 1. 3. 3. 4. TupleHash256( NISTSP TupleHashXOF Validity TupleHashXOF Validity Val Validity

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

ASH H SHAKE, C : ARALLEL P AND UNCTIONS , F

ASH . H

ERIVED ERIVED UPLE D

T 3

168). 136). , 136). S), S), S) SHA- , 256) 1111 , 512). 1111 , 512). 1111 KMAC, || || || and and and

*8) *8) *8) B B B 2040 2040 2040 * * *

1) 1) 1) < 2 < 2 < 2 ⌉ ⌉ ⌉ i+ i+ i+

2040

encode_string( encode_string( encode_string(

|| || || 24

< 2

*8, ( *8, ( *8, (

B B B ).

* * * . 2040 2040 0). 0). L ). ) ). len(X)/B len(X)/B len(X)/B , i , i , i L L L ⌈ ⌈ ⌈ X X X < 2 < 2 00, 00, 00, and and and and len(S) || || || ): ): 2040 2040 2040 2040 ) “ParallelHash” , S , S

substring( substring( substring( newX newX newX , L , L right_encode( right_encode( right_encode( < 2 < 2 < 2 and len(S) < 2 and len(S) ]( ]( || || || || || || L L L ) ) ) , B , B T T T n n n

X X 512 ( ( ⌉. ⌉. ⌉. [512]( [256 [ 0 ≤ 0 ≤ 0 ≤ 0 < B 0 < B 0 < B

). ). ).

B B B ode ode B B B

: : : 128( / / / [512]( [256]( [512]( 1: 1: 1: − − −

ECCAK ECCAK ECCAK )/8) )/8) )/8) n n n XOF

. . 185 || K || K || K ECCAK ECCAK ECCAK

z z z. _encode( right_enc right_enc right_encode( z z z 0 to 0 to 0 to K K K = = = || || || 800- = = = X (len( X (len(

= = = Conditions Conditions Conditions ⌈ ⌈ z z z bytepad(encode_string( ”) bytepad(encode_string(“ParallelHash bytepad(encode_string(“ParallelHash”)

X ⌈ (len(

left_encode( left_encode( z left z z i i i ======newX T for return z return for z z n = newX T z for n = newX T z n = z return ( arallelHashXOF256 5. 6. 3. 7. 2. 7. 3. 2. 4. 1. 5. 6. 2. 3. 1. 5. 6. 4. Validity NISTSP ParallelHash 1. P 4. 7. Validity Validity

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

be the the ASH

, 1,..., H ), then then ), being R

integer

SHAKE, denoted denoted < {0, to

resulting string

, C t

: an

+ 128+

very much ≤

⌉

bit ARALLEL the ) ParallelHash

be P below.

had

close

least significant least for or lg(

integers ≤ ⌈ that

AND

UNCTIONS , will ≥

F the that , assuming that been,

the

w resulting defined ASH

such H

on t value

the extremely have

1, inclusive. ERIVED ERIVED acceptable in bits in ( −

UPLE D is

TupleHash, T Let Z is 3

value

it function is would that

bias. bits. as SHA- it

0 and R

k within the range 0

KMAC, ger distribution

output

KMAC, . The following method will produce . The following will produce method long following: most significant to significant most than

integer R least

so as follows: integer

the at an

very small

between uniform an

possible of a

process 1, do the to

bits_to_inte from the − length output like cSHAKE, KMAC, KMAC, TupleHash,likelength output cSHAKE, 25 cSHAKE,

he length of the bitstring bitstring the of length he - needed, any

this

the = t = is

contains

length integers

0..R

string w For of from N

the 1. (Informative) bit integer positive − range bit string bit a

, where SHAKE, R range result

from 0.. to

requested the

have will process variable the deviation a

for anyfor

mod specific as )

the this . range n a Z

( 12 with . random of small applied R

the at /

integer ,…, b true appear in 2 128. 128 be

− within an . very

is ) be the bits a of

function converts process, , b to -w 2 n output

⌉ +

function b ) ≤ i.

can |

this a Range into Hashing into b R

) R this i | ≤ 2 ≤ R| -

— integer uniformly ,…, b n are extremely close a uniform to distribution over that range

likely 185 1/ (

2 . 1/

hash

of )

⌈ lg( bits_to_integer 2 – in this document, thisin document,

x – distributed have hash an ) 1

, b )

t = t 1 = 800- less the to that = 𝑛𝑛 𝑖𝑖=

the words, to b = end −1

N k

N ∑

. N

or technique s

. der selected

= _to_integer ( _to_integer bits_to_integer Z Let Call Let the 1}. bit e Let (

Infact, bound the isslightly tighter than this.If 𝑥𝑥 other or

|Prob( −

Appendix B Appendix following statement integer R bits Th been whenever more 12 3. Return ( |Prob( In This 1. 2. as 0..R outputs random a uniform variable.approximate above functions In 3. uniformly XOFs, PRFs,XOFs, variable and hash functions with NISTSP X integer an generate to used be easily can ParallelHash and 2. 1. At

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185

. ASH H . ecial ecial Based SHAKE, - 3.0.pdf 0.1.pdf - - C : , version version , ARALLEL 57pt1r4 P sing Standards Standards sing , NIST Sp , AND reference UNCTIONS , reference F

ASH H Cryptographicsponge ECCAK ERIVED ERIVED UPLE D K

T 3

The 3 Standard: Permutation Part 1: General - SHA-

, KMAC, SHA http://sponge.noekeon.org/CSF http://dx.doi.org/10.6028/NIST.FIPS.202 , Federal Information Proces, Federal Information 93 pp.

http://dx.doi.org/10.6028/NIST.SP.800- Revision 4, National Institute of Standards and Standards and of Institute NationalRevision 4, http://keccak.noekeon.org/Keccak- 2011, t 1 , 69 pp. OutputFunctions 57 Par - - .

2011 on 0.1, January 14, 14, 21/2016]. 21/2016] / / Recommendation for Key Management forRecommendation Key y , versi ,

References — 185 Barker, Barker, , Januar

. 800- Technology, January 160 pp. Technology, 2016, G. Bertoni, J. Daemen, M. Peeters, and G. Van Assche, Assche, Van G. and Peeters, M. Daemen, J. Bertoni, G. functions 12 [accessed E 800 (SP) Publication (FIPS)August 2015, 37 pp. Publication 202, Van G. and Assche, Peeters, M. Daemen, J. Bertoni, G. 3.0 12 [accessed National Institute of Standards and Technology, StandardsNationalInstituteTechnology, of and and Hash Extendable

Appendix C Appendix

[3] [4] [2] [1] NISTSP

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-185