This page is dedicated to the cryptographic hash function family called Keccak, which we submit as a SHA-3 candidate.
The reference specification, analysis, reference and optimized code and test vectors for Keccak can be found in the file section.
For a quick introduction, a pseudo-code description of Keccak is given here.
Keccak in a nutshell
Keccak makes use of the sponge construction and is hence a sponge function family.
The design philosophy of Keccak is the hermetic sponge strategy. It uses the sponge construction for having provable security against all generic attacks. It calls a permutation that should not have structural properties with the exception of a compact description. By structural properties we mean properties that a typical random permutation does not have.
Keccak can be considered as a successor of RadioGatún. However, it has a very different design philosophy. The transformation applied to the state of RadioGatún in between the insertion of input blocks or extraction of output blocks is a simple round function. This round function has algebraic degree two and thus does not attempt to be free of structural properties. Therefore, unlike Keccak, RadioGatún requires blank rounds. Moreover, RadioGatún is not a sponge function as its iteration mode does not follow the sponge construction.
The permutation Keccak-f has the following properties:
- It consists of the iteration of a simple round function, similar to a block cipher without a key schedule.
- The nominal version of Keccak-f operates on a 1600-bit state. There are 6 other state widths, though: 25, 50, ..., 800.
- The choice of operations is limited to bitwise XOR, AND and NOT and rotations. There is no need for table-lookups, arithmetic operations, or data-dependent rotations.
About the performance of Keccak:
- In software, Keccak[] takes about 13 cycles per byte on the reference platform defined by NIST.
- In hardware, it is fast and compact, with area/speed trade-offs.
- It is suitable for DPA-resistant implementations both in hardware and software.
Keccak can be used for:
- keyed or randomized modes simply by prepending a key or salt to the input message;
- generating infinite outputs, making it suitable as a stream cipher or mask generating function.
In these cases, the usage of the sponge construction allows for modes that are provably secure against generic attacks.
Finally, Keccak is flexible. Using the same Keccak-f permutation, different combinations of bitrate and capacity allow for a security/speed trade-off.
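As an added illustration (not code from the Keccak team or from this page), the Python below implements Keccak-f[1600] using only XOR, AND, NOT and rotations, and wraps it in a sponge whose bitrate and capacity are parameters. The padding and suffix byte follow the later FIPS 202 standard, an assumption made here so that outputs can be compared with Python's hashlib; the function names are this example's own.

```python
MASK = (1 << 64) - 1

def rol(a, n):  # rotate a 64-bit lane left by n bits
    n %= 64
    return ((a << n) | (a >> (64 - n))) & MASK

def keccak_f1600(A):
    """24 rounds over lanes A[x][y], using only XOR, AND, NOT and rotations."""
    lfsr = 1
    for _ in range(24):
        # theta: mix each lane with the parity of two neighbouring columns
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
        D = [C[(x + 4) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        # rho and pi: rotate every lane by a fixed offset and move it
        x, y, cur = 1, 0, A[1][0]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, A[x][y] = A[x][y], rol(cur, (t + 1) * (t + 2) // 2)
        # chi: the only non-linear step (AND and NOT along each row)
        for y in range(5):
            row = [A[x][y] for x in range(5)]
            for x in range(5):
                A[x][y] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        # iota: XOR a round constant, generated by an 8-bit LFSR, into lane (0,0)
        for j in range(7):
            lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) & 0xFF
            if lfsr & 2:
                A[0][0] ^= 1 << ((1 << j) - 1)
    return A

def sponge(rate, capacity, msg, suffix, out_len):
    """Absorb msg at `rate` bits per call to Keccak-f, then squeeze out_len bytes."""
    assert rate + capacity == 1600 and rate % 64 == 0
    r = rate // 8
    # Assumption: FIPS 202 style padding (suffix byte, zeros, final 0x80 bit)
    padded = bytearray(msg) + bytes([suffix]) + bytes(-(len(msg) + 1) % r)
    padded[-1] ^= 0x80
    A = [[0] * 5 for _ in range(5)]
    for off in range(0, len(padded), r):        # absorbing phase
        for i in range(r // 8):
            A[i % 5][i // 5] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        A = keccak_f1600(A)
    out = b""
    while True:                                  # squeezing phase
        out += b"".join(A[i % 5][i // 5].to_bytes(8, "little") for i in range(r // 8))
        if len(out) >= out_len:
            return out[:out_len]
        A = keccak_f1600(A)
```

With rate 1088, capacity 512 and suffix 0x06, `sponge` reproduces `hashlib.sha3_256`; with rate 1344, capacity 256 and suffix 0x1F it reproduces `hashlib.shake_128` for any requested output length, which is the extendable output the page refers to. The same permutation serves both, and only the bitrate/capacity split changes.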
Latest news
2 February 2010 — Hex-Hot-Ticks Keccak prize
We are looking for implementations of Keccak on exotic platforms! We offer a prize for the most interesting implementation of Keccak on:
- graphic cards or GPU,
- embedded processors (e.g., ARM, Cell processor…),
- or any other analog/digital computing device.
The prize consists of a Himitsu-Bako secret box.
Who wins the prize will be decided by consensus in the Keccak team. We will internally use a system of points. Some hints:
- fast implementations get more points;
- uncommon devices get more points.
We give freedom in the way Keccak is used. It is allowed to implement, for instance, tree hashing or batch hashing (several messages hashed in parallel), instead of plain sequential hashing, to take advantage of parallel computing and get better performance.
The results and source code must be publicly available at a URL that is sent to keccak -at- noekeon -dot- org before June 30, 2010 at 12:00 GMT+2. No specific licensing condition is requested (pick the one you like!). We reserve the right to extend this deadline in the absence of interesting results. Otherwise, the winner will be announced during the rump session of the second SHA-3 candidate conference in Santa Barbara.
16 January 2010 — Note on zero-sum distinguishers
In September last year, Jean-Philippe Aumasson and Willi Meier introduced zero-sum distinguishers, a method to generate zero-sum structures for reduced-round versions of Keccak-f up to 16 rounds. Recently, Christina Boura and Anne Canteaut extended this to 18 rounds. (See the page on third-party cryptanalysis for references and more details.)
We publish a note, in which we give technical details and put these distinguishers into perspective. We also relate their existence to our decision to increase the number of rounds to 24, in line with the hermetic sponge strategy, in which we tolerate no structural distinguisher for the permutation used in the sponge construction.
8 December 2009 — Third cryptanalysis prize deadline extension
In September, we announced the third prize for the best cryptanalysis on Keccak to encourage third-party analysis. As no submission has been received yet, we have decided to extend the deadline: the results must be publicly available at a URL that is sent to keccak -at- noekeon -dot- org before Saturday February 13th, 2010 at 23:59 GMT+1 (i.e., before the carnival).
In addition to the bottles of Lambic-based beer, the prize also comes with a guide about Brussels' beers to better enjoy their special taste.
As always, we hope analyzing Keccak is a fun and interesting challenge, and we appreciate any submitted work!
12 November 2009 — Tune Keccak to your requirements
We provide a new page to help choose the best parameters of Keccak by specifying one's requirements in terms of collision and (second) preimage resistance. A simple application in JavaScript computes the optimal values of bitrate, capacity and output length. Have fun!
Contact Information
Email: keccak-at-noekeon-dot-org