proposal: x/crypto: Add KangarooTwelve and TurboSHAKE support

[sorairolake]

Proposal Details

• KangarooTwelve is a family of fast and secure extendable-output functions (XOFs), the generalization of hash functions to arbitrary output lengths, with two instances: KT128 and KT256. Derived from Keccak, these functions aim at higher speeds than FIPS 202's SHA-3 and SHAKE functions, while retaining their flexibility and basis of security.
• TurboSHAKE is a family of fast and secure extendable-output functions (XOFs). In a nutshell, these are just like the SHAKE functions, but with the Keccak-p permutation reduced to 12 rounds (instead of 24), so about twice faster. Keccak has received quite a large amount of cryptanalysis since its publication, and it has sufficient safety margin so that we can confidently halve the number of rounds without compromising security.

These cryptographic hash functions are defined in RFC 9861, which was officially published in October 2025.

Implementations of SHA-3 and SHAKE functions already exist as crypto/sha3 package in the standard library and golang.org/x/crypto/sha3 package in the x/crypto. So KangarooTwelve and TurboSHAKE may be easy to implement.

[seankhliao]

Just because something has an RFC doesn't mean it's worthwhile to implement.
What actually uses these algorithms, and why should the Go team maintain this?
https://go.dev/doc/faq#x_in_std