The Keccak sponge function family

Guido Bertoni1, Joan Daemen1, Michaël Peeters2 and Gilles Van Assche1

1STMicroelectronics

2NXP Semiconductors

2010-02-02
Hex-Hot-Ticks Keccak prize

2010-01-16
Note on zero-sum distinguishers

2009-12-08
Third cryptanalysis prize deadline extension

2009-11-12
Tune Keccak to your requirements

all news items…

News feed icon News feed (atom)

Pages

Notes

Files

Links

This page is dedicated to the cryptographic hash function family called Keccak, which we submit as a SHA-3 candidate.

The reference specification, analysis, reference and optimized code and test vectors for Keccak can be found in the file section.

For a quick introduction, a pseudo-code description of Keccak is given here.

Keccak in a nutshell

Keccak makes use of the sponge construction and is hence a sponge function family.

The design philosophy of Keccak is the hermetic sponge strategy. It uses the sponge construction for having provable security against all generic attacks. It calls a permutation that should not have structural properties with the exception of a compact description. By structural properties we mean properties that a typical random permutation does not have.

Keccak can be considered as a successor of RadioGatún. However, it has a very different design philosophy. The transformation applied to the state of RadioGatún in between the insertion of input blocks or extraction of output blocks is a simple round function. This round function has algebraic degree two and thus does not attempt to be free of structural properties. Therefore, unlike Keccak, RadioGatún requires blank rounds. Moreover, RadioGatún is not a sponge function as its iteration mode does not follow the sponge construction.

The permutation Keccak-f has the following properties:

About the performance of Keccak:

Keccak can be used for:

In these cases, the usage of the sponge construction allows for modes that are provably secure against generic attacks.

Finally, Keccak is flexible. Using the same Keccak-f permutation, different combinations of bitrate and capacity allow for a security/speed trade-off.

Latest news

2 February 2010 — Hex-Hot-Ticks Keccak prize

We are looking for implementations of Keccak on exotic platforms! We offer a prize for the most interesting implementation of Keccak on:

The prize consists in a Himitsu-Bako secret box.

Who wins the prize will be decided by consensus in the Keccak team. We will internally use a system of points. Some hints:

We give freedom in the way Keccak is used. It is allowed to implement, for instance, tree hashing or batch hashing (several messages hashed in parallel), instead of plain sequential hashing, to take advantage of parallel computing and get better performance.

The results and source code must be publicly available on an URL that is sent to keccak -at- noekeon -dot- org before June 30, 2010 at 12:00 GMT+2. No specific licensing condition is requested (pick up the one you like!). We reserve the right to extend this deadline in the absence of interesting results. Otherwise, the winner will be announced during the rump session of the second SHA-3 candidate conference in Santa Barbara.

16 January 2010 — Note on zero-sum distinguishers

In September last year, Jean-Philippe Aumasson and Willi Meier introduced zero-sum distinguishers, a method to generate zero-sum structures for reduced-round versions of Keccak-f up to 16 rounds. Recently, Christina Boura and Anne Canteaut extended this to 18 rounds. (See the page on third-party cryptanalyis for references and more details.)

We publish a note, in which we give technical details and put these distinguishers into perspective. We also relate their existence to our decision to increase the number of rounds to 24, in line with the hermetic sponge strategy, in which we tolerate no structural distinguisher for the permutation used in the sponge construction.

8 December 2009 — Third cryptanalysis prize deadline extension

In September, we announced the third prize for the best cryptanalysis on Keccak to encourage third-party analysis. As no submission has been received yet, we have decided to extend the deadline: the results must be publicly available on an URL that is sent to keccak -at- noekeon -dot- org before Saturday February 13th, 2010 at 23:59 GMT+1 (i.e., before the carnival).

In addition to the bottles of Lambic-based beer, the prize also comes with a guide about Brussels' beers to better enjoy their special taste.

As always, we hope analyzing Keccak is a fun and interesting challenge, and we appreciate any submitted work!

12 November 2009 — Tune Keccak to your requirements

We provide a new page to help choose the best parameters of Keccak by specifying one's requirements in terms of collision and (second) preimage resistance. A simple application in JavaScript computes the optimal values of bitrate, capacity and output length. Have fun!

all news items…

Contact Information

Email: keccak-at-noekeon-dot-org