The Keccak sponge function family

Guido Bertoni1, Joan Daemen1,2, Michaël Peeters1 and Gilles Van Assche1

1STMicroelectronics
2Radboud University

2016-07-15
Another 5-round collision found in our crypto challenge

2016-05-31
New solutions to collision challenges

2016-05-12
High-speed Keccak-FPH

2016-04-27
New solutions to pre-image challenges

2016-03-16
Reorganized Keccak Code Package

2015-08-19
Tweetable FIPS 202

all news items…

News feed icon News feed (atom)

Pages

Documents

Notes

Software and other files

Figures

The figures above are available under the Creative Commons Attribution license. In short, they can be freely used, provided that attribution is properly done in the figure caption, either by linking to this webpage or by citing the article where the particular figure first appeared.

Links

This page is dedicated to the cryptographic sponge function family called Keccak, which has become the FIPS 202 (SHA-3) standard.

Keccak in a nutshell

Keccak is a family of sponge functions. The sponge function is a generalization of the concept of cryptographic hash function with infinite output and can perform quasi all symmetric cryptographic functions, from hashing to pseudo-random number generation to authenticated encryption.

For a quick introduction, we propose a pseudo-code description of Keccak. The reference specification, analysis, reference and optimized code and test vectors for Keccak can be found in the file section.

As primitive used in the sponge construction, the Keccak instances call one of seven permutations named Keccak-f[b], with b=25, 50, 100, 200, 400, 800 or 1600. In the scope of the SHA-3 contest, we proposed the largest permutation, namely Keccak-f[1600], but smaller (or more “lightweight”) permutations can be used in constrained environments. Each permutation consists of the iteration of a simple round function, similar to a block cipher without a key schedule. The choice of operations is limited to bitwise XOR, AND and NOT and rotations. There is no need for table-lookups, arithmetic operations, or data-dependent rotations.

Keccak has a very different design philosophy from its predecessor RadioGatún. This is detailed in our paper presented at Dagstuhl in 2009.

Strengths of Keccak

Flexibility

Keccak inherits the flexibility of the sponge and duplex constructions.

Design and security

Implementation

Latest news

15 July 2016 — Another 5-round collision found in our crypto challenge

We congratulate Jian Guo1, Meicheng Liu1,2, Ling Song1,2,3 and Kexin Qiao2,3,1,4 for solving another 5-round collision challenge in the Keccak Crunchy Crypto Collision and Pre-image Contest!

They generated a collision for a Keccak variant with capacity 160 bits, calling the Keccak-f permutation with width 800 and 5 rounds.

This solution happens less than two months after their team published the solution for the 5-round collision challenge with width 1600. We are looking forward to seeing the details of this attack, how much it differs from their previous one and whether their method can be adapted for the two remaining collision challenges in the 5-round category.

  1. Cryptanalysis Taskforce, Temasek Laboratories @ Nanyang Technological University, Singapore
  2. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, China
  3. Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, China
  4. University of Chinese Academy of Sciences, China

31 May 2016 — New solutions to collision challenges

We congratulate Jian Guo1, Meicheng Liu1,2, Ling Song1,2,3 and Kexin Qiao2,3,1,4 for being the first ones to solve a 5-round collision challenge in the Keccak Crunchy Crypto Collision and Pre-image Contest!

They generated a collision for a Keccak variant with capacity 160 bits, calling the Keccak-f permutation with width 1600 and 5 rounds.

Remarkably, this breakthrough came only one month after two members of the same team, Jian and Meicheng, generated the first 3-round pre-images in our contest. [More details…]

  1. Cryptanalysis Taskforce, Temasek Laboratories @ Nanyang Technological University, Singapore
  2. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, China
  3. Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, China
  4. University of Chinese Academy of Sciences, China

12 May 2016 — High-speed Keccak-FPH

When implemented on ASICs or on FPGAs, Keccak is significantly more efficient than other primitives with a similar security level, and allows efficient protections against side-channel attacks. Another area where Keccak's performance shines is on processors that exploit parallelism.

Recently, the NIST posted on the hash forum two draft special publications SP 800-XXX including proposals for customized SHAKE instances (Cshake), pseudo-random functions (KMAC), hash functions taking multiple strings as input (TupleHash) and a parallelized hash mode (Fast Parallel Hash, or FPH).

We implemented FPH in the Keccak Code Package and measured the following speeds for long messages:

HaswellSkylake
Keccak-FPH1282.732.31
Keccak-FPH2563.412.88

Performance in cycles per byte (single core) on Intel® Core™ i5-4570 (Haswell) and i5-6500 (Skylake), both at 3.2GHz

Keccak-FPH beats the speed line drawn by the legacy algorithms MD5 and SHA-1, usually considered fast.

Our implementation exploits the AVX-2 256-bit SIMD instruction set.

27 April 2016 — New solutions to pre-image challenges

We congratulate Jian Guo (Nanyang Technological University, Singapore) and Meicheng Liu (Nanyang Technological University, Singapore and State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, China) for solving two 3-round pre-image challenges in the Keccak Crunchy Crypto Collision and Pre-image Contest!

Jian and Meicheng solved the 3-round pre-image challenges for widths 800 and 1600. There remains two others, i.e., those for widths 200 and 400, plus of course all the challenges with more rounds!!! [More details…]

16 March 2016 — Reorganized Keccak Code Package

The Keccak Code Package (or KCP) contains different free and open-source implementations of Keccak and closely related variants such as Ketje and Keyak.

We reorganized it to make it easier to use and to develop in or on it. More specifically, the main changes are the following.

To sum up, the KCP contains:

19 August 2015 — Tweetable FIPS 202

Very compact (or tweetable) implementations of Keccak, written by D. J. Bernstein, Peter Schwabe and Gilles, are now available. In their most compact form, the 6 instances of SHA-3 and SHAKE can fit in just 9 tweets.

Compact code implementing FIPS 202

We published a series of compact implementations, from the more readable one to the most compact one.

Dan presented the tweetable implementation at the rump session of Crypto 2015 [slides].

all news items…

Contact Information

Email: keccak-at-noekeon-dot-org