KeccakTools

KeccakTools Documentation

KeccakTools is a set of C++ classes that can help analyze the Keccak sponge function family, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. For more information, please refer to our website: http://keccak.noekeon.org/

KeccakTools provides the following features:

  • the parameterized implementation of the seven Keccak-f permutations, from Keccak-f[25] to Keccak-f[1600], possibly with a specific number of rounds;
  • the implementation of the inverses of the Keccak-f permutations;
  • the generation of look-up tables for Keccak-f[25];
  • the generation of GF(2) equations of the round functions and step mappings in the Keccak-f permutations and their inverses;
  • the generation of optimized C code for the Keccak-f round functions, including several implementation techniques described in our document Keccak implementation overview:
    • bit interleaving,
    • lane complementing,
    • plane-per-plane processing,
    • early parity,
    • in-place processing;
  • the implementation of the sponge construction using any transformation or permutation, and of the Keccak sponge function family;
  • many classes and methods to assist differential and linear cryptanalysis (DC, LC).

Regarding DC and LC, KeccakTools supports the processing of linear and differential trails. This includes:

  • for χ, the representation as an affine space of
    • the output differences compatible with a given input difference, and
    • the input masks compatible with a given output mask;
  • for θ:
    • the representation of column parities in runs;
    • lower bounding the weight of any 2-round trail core with a given parity;
    • the exhaustive generation of 2-round trail cores with a given parity;
  • for the round function, the iteration through all
    • the output differences compatible with a given input difference,
    • the input differences compatible with a given output difference (possibly up to a specified weight),
    • the input masks compatible with a given output mask,
    • the output masks compatible with a given input mask (possibly up to a specified weight);
  • the representation and serialization of linear and differential trails;
    • including trail prefixes and trail cores;
  • the generation of the conditions, expressed as equations(1) in GF(2), for a pair to follow a given differential trail;
  • the exhaustive forward and backward extension of trails up to a given weight and given number of rounds;
  • the exhaustive generation of 2-round trail cores with a small number of active rows;
  • the exhaustive generation of 3-round trail cores in the kernel up to a given weight:
    • the generation of knots and chains between knots;
    • the generation of vortices and their combination with knots and chains;
    • the implementation of a lower bound on the weight while adding knots, chains and vortices to limit the search.

Related to the DC and LC classes, the reader can refer to the following documents for more detailed explanations:

(1) Note that the equations can be generated in a format compatible with SAGE.

Implementation by the designers, hereby denoted as "the implementer". To the extent possible under law, the implementer has waived all copyright and related or neighboring rights to KeccakTools. http://creativecommons.org/publicdomain/zero/1.0/

KeccakTools version 3.3, April 2012.