News feed (atom)This page is dedicated to the cryptographic hash function family called Keccak, which we submit as a SHA-3 candidate.
The reference specification, analysis, reference and optimized code and test vectors for Keccak can be found in the file section.
For a quick introduction, a pseudo-code description of Keccak is given here.
Keccak in a nutshell
Keccak makes use of the sponge construction and is hence a sponge function family.
The design philosophy of Keccak is the following. It uses the sponge construction for having provable security against all generic attacks. It calls a permutation that should not have structural properties with the exception of a compact description. By structural properties we mean properties that a typical random permutation does not have.
Keccak can be considered as a successor of RadioGatún. However, it has a very different design philosophy. The transformation applied to the state of RadioGatún in between the insertion of input blocks or extraction of output blocks is a simple round function. This round function has algebraic degree two and thus does not attempt to be free of structural properties. Therefore, unlike Keccak, RadioGatún requires blank rounds. Moreover, RadioGatún is not a sponge function as its iteration mode does not follow the sponge construction.
The permutation Keccak-f has the following properties:
- It consists of the iteration of a simple round function, similar to a block cipher without a key schedule.
- The nominal version of Keccak-f operates on a 1600-bit state. There are 6 other state widths, though: 25, 50, ..., 800.
- The choice of operations is limited to bitwise XOR, AND and NOT and rotations. There is no need for table-lookups, arithmetic operations, or data-dependent rotations.
About the performance of Keccak:
- In software, Keccak[r=1024,c=576] takes about 10 cycles per byte on the reference platform defined by NIST.
- In hardware, it is fast and compact, with area/speed trade-offs.
- It is suitable for DPA-resistant implementations both in hardware and software.
Keccak can be used for:
- keyed or randomized modes simply by prepending a key or salt to the input message;
- generating infinite outputs, making it suitable as a stream cipher or mask generating function.
In these cases, the usage of the sponge construction allows for modes that are provably secure against generic attacks.
Finally, Keccak is flexible. Using the same Keccak-f permutation, different combinations of bitrate and capacity allow for a security/speed trade-off.
Latest news
3 July 2009 — Second cryptanalysis prize deadline extension
In May, we announced the second prize for the best cryptanalysis on Keccak to encourage third-party analysis. As no submission has been received yet, we have decided to extend the deadline: the results must be publicly available on an URL that is sent to keccak -at- noekeon -dot- org before Monday August 31st, 2009 at 23:59 GMT+2.
The prize itself is also extended and now consists of the full travel set, including the Bialetti coffee machine, cups, spoons, a canister for sugar, some of the best Italian coffee and a case for easy carry to cryptographic conferences.
Again, we hope analyzing Keccak is a fun and interesting challenge, and we appreciate any submitted work!
13 June 2009 — Third-party analysis and implementation page
We provide a new page listing the third-party papers, studies and implementations related to Keccak in the scope of the SHA-3 contest or otherwise.
We plan on updating this page whenever needed.
14 May 2009 — Second cryptanalysis prize
We announce the second prize for the most interesting cryptanalysis of Keccak. The results must be publicly available on an URL that is sent to keccak -at- noekeon -dot- org before June 30, 2009 at 23:59 GMT+2. We reserve the right to extend this deadline in the absence of interesting results.
This time, the prize is a Bialetti coffee machine of fine Italian design, plus a set of some of the best Italian coffee.
Like for the previous prize, who wins will be decided by consensus in the Keccak team, based internally on a system of points. Some hints:
- Innovative ideas get more points than incremental results or applying standard techniques;
- For attacks with innovations that are comparable, the earlier ones get more points;
- Cryptanalysis or attack techniques applicable to a wider range of valid parameters r, c get more points (see the specifications for the definition of valid parameters);
- Larger Keccak-f width gets more points;
- Larger capacity gets more points;
- Attacks on reduced-round versions are allowed but more rounds get more points.
We hope analyzing Keccak is a fun and interesting challenge, and we appreciate any submitted work!
29 April 2009 — Congratulations to the winners of the first Keccak cryptanalysis prize
We are happy to announce that Jean-Philippe Aumasson and Dmitry Khovratovich are the winners of the first Keccak cryptanalysis prize for their paper entitled First Analysis of Keccak. The case of beers was handed over to Dmitry yesterday at the rump session of Eurocrypt in Köln. Congratulations to them!
We will soon announce a new prize with a new deadline.
Contact Information
Email: keccak-at-noekeon-dot-org