The Keccak sponge function family

Guido Bertoni¹, Joan Daemen¹, Michaël Peeters² and Gilles Van Assche¹

Notes

Files

Figures

Keccak-f state [ODG] [PDF] [PNG]
Pieces of state [ODG] [PDF] [PNG]
Step θ [ODG] [PDF] [PNG]
Step ρ [ODG] [PDF] [PNG]
Step π [ODG] [PDF] [PNG]
Step χ [ODG] [PDF] [PNG]

The figures above are available under the Creative Commons Attribution license. In short, they can be freely used, provided that attribution is properly done in the figure caption, either by linking to this webpage or by citing the article where the particular figure first appeared.

Links

This page is dedicated to the cryptographic hash function family called Keccak, which we submit as a SHA-3 candidate.

The reference specification, analysis, reference and optimized code and test vectors for Keccak can be found in the file section.

For a quick introduction, a pseudo-code description of Keccak is given here.

Keccak in a nutshell

Keccak makes use of the sponge construction and is hence a sponge function family.

The design philosophy of Keccak is the hermetic sponge strategy. It uses the sponge construction for having provable security against all generic attacks. It calls a permutation that should not have structural properties with the exception of a compact description. By structural properties we mean properties that a typical random permutation does not have.

Keccak can be considered as a successor of RadioGatún. However, it has a very different design philosophy. The transformation applied to the state of RadioGatún in between the insertion of input blocks or extraction of output blocks is a simple round function. This round function has algebraic degree two and thus does not attempt to be free of structural properties. Therefore, unlike Keccak, RadioGatún requires blank rounds. Moreover, RadioGatún is not a sponge function as its iteration mode does not follow the sponge construction.

The permutation Keccak-f has the following properties:

It consists of the iteration of a simple round function, similar to a block cipher without a key schedule.
The nominal version of Keccak-f operates on a 1600-bit state. There are 6 other state widths, though: 25, 50, ..., 800.
The choice of operations is limited to bitwise XOR, AND and NOT and rotations. There is no need for table-lookups, arithmetic operations, or data-dependent rotations.

About the performance of Keccak:

In software, Keccak[] takes about 13 cycles per byte on the reference platform defined by NIST.
In hardware, it is fast and compact, with area/speed trade-offs.
It is suitable for DPA-resistant implementations both in hardware and software.

Keccak can be used for:

keyed or randomized modes simply by prepending a key or salt to the input message;
generating infinite outputs, making it suitable as a stream cipher or mask generating function.

In these cases, the usage of the sponge construction allows for modes that are provably secure against generic attacks.

Finally, Keccak is flexible. Using the same Keccak-f permutation, different combinations of bitrate and capacity allow for a security/speed trade-off.

Latest news

19 June 2010 — New versions of the main document and of KeccakTools

We release new versions of the Keccak main document and of KeccakTools.

Besides some restructuring and editorial improvements, Keccak main document v2.1 brings new contents, such as a complete new chapter specifically dedicated to differential and linear trail search, new cryptanalysis experiments and new hardware implementation results. Note that the specifications have not changed since the second-round submission.

At the same time, we release KeccakTools v2.1, a set of documented C++ classes that can help analyze Keccak-f. Compared to v2.0, the new version adds several important classes aimed at the linear and differential cryptanalysis of Keccak-f. Essentially, these classes provide ways to represent and process linear and differential trails and to extend them forwards or backwards. They also support the generation of equations for the conditions imposed by a differential trail on its pairs. As much as possible, linear and differential trails are considered on an equal footing, and most methods can be applied to both kinds of trails.

17 June 2010 — Deadline extension of the fourth cryptanalysis and Hex-Hot-Ticks prizes

In February, we announced the Hex-Hot-Ticks prize for the most interesting implementation of Keccak on exotic platforms and one month later the fourth prize for the best cryptanalysis to encourage third-party analysis of Keccak. The deadline for both prizes was set to June 30, 2010.

However, as we planned to announce the winners during the rump session of the SHA-3 workshop in Santa Barbara on August 23-24, we have decided to extend the deadline to midnight August 20. This will allow the submission of results obtained during the summer, including the SAC workshop and the CHES and CRYPTO conferences.

The results must be publicly available on an URL that is sent to keccak -at- noekeon -dot- org before Friday August 20, 2010 at 23:59 PDT (GMT-7).

4 March 2010 — Fourth cryptanalysis prize

We announce the fourth prize for the most interesting cryptanalysis of Keccak. The results must be publicly available on an URL that is sent to keccak -at- noekeon -dot- org before June 30, 2010 at 12:00 GMT+2.

The fourth prize consists of chocolate and more exactly of pralines from one of the finest Belgian chocolate craftsmen. The first Belgian praline has been made in 1912 by Jean Neuhaus, and since then the praline has become one of the most renowned quality products from Belgium. The prize consists of a box of 600g (the number of rounds times the number of lanes in Keccak) of the finest Belgian pralines.

Like for the previous prizes, who wins will be decided by consensus in the Keccak team, based internally on a system of points. Some hints:

Innovative ideas get more points than incremental results or applying standard techniques;
For attacks with innovations that are comparable, the earlier ones get more points;
Cryptanalysis or attack techniques applicable to a wider range of valid parameters r, c get more points (see the specifications for the definition of valid parameters);
- Larger Keccak-f width gets more points;
- Larger capacity gets more points;
Attacks on reduced-round versions are allowed but more rounds get more points;
For the same number of rounds, a distinguisher or attack on the Keccak sponge function gets more points than a distinguisher on Keccak-f only.

We reserve the right to extend the deadline in the absence of interesting results or when we consider that the presented results are too small increments compared to known results.

We hope analyzing Keccak is a fun and interesting challenge, and we appreciate any submitted work!

25 February 2010 — Note on Keccak parameters and usage

The Keccak sponge function family is characterized by three parameters: the bitrate r, the capacity c and the diversifier d. In the Keccak specifications we propose four instances that can be taken as functions for the four (fixed) output lengths NIST requires for SHA-3 and a variable-output-length instance, with default values for the parameters.

Whilst we are happy with our choice, there are other valid parameter choices that NIST or others may prefer. We publish a new note, in which we discuss our choice of parameters and other possible ways of using the Keccak family.

16 February 2010 — Congratulations to the winners of the third Keccak cryptanalysis prize

We are happy to announce that Christina Boura and Anne Canteaut are the winners of the third Keccak cryptanalysis prize for their paper entitled A zero-sum property for the Keccak-f permutation with 18 rounds. We are currently arranging practical details with the winners to give them the awarded Lambic-based beers and book. Congratulations to them!

We will soon announce a new prize with a new deadline.

all news items…

Contact Information

Email: keccak-at-noekeon-dot-org