The Keccak sponge function family

Guido Bertoni¹, Joan Daemen¹,², Michaël Peeters¹ and Gilles Van Assche¹

¹ STMicroelectronics
² Radboud University


Our papers and presentations

This page lists our papers and presentations on Keccak and briefly describes what they are about. For convenience, a BibTeX file is also available here. For papers on the sponge construction and related subjects, please refer to this page instead. The presentations can be found at the bottom of this page.

G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, The Keccak reference, round 3 submission to NIST SHA-3, 2011

This is the document that defines Keccak. It gives the full specifications, the design rationale, the properties of the step mappings in Keccak-f, and our own detailed cryptanalysis.

G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, The Keccak SHA-3 submission, round 3 submission to NIST SHA-3, 2011

In this document, we define the instances that comply with the SHA-3 requirements, discuss alternate options together with their rationale, describe what can be done to adjust the safety margin or how to deal with existing usage scenarios, and link the implemented API with NIST's.

G. Bertoni, J. Daemen, M. Peeters, G. Van Assche and R. Van Keer, Keccak implementation overview, round 3 submission to NIST SHA-3, 2011

This document gives technical details on the implementations of Keccak, for software, hardware and protection against side-channel attacks. It also gathers a number of implementation techniques, such as the bit interleaving technique (e.g., how to implement Keccak-f[1600] in 32 bits) or the in-place processing to minimize memory usage. It is a must-read for anyone wishing to optimize their implementation.

G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, The road from Panama to Keccak via RadioGatún, Dagstuhl Seminar Proceedings, January 2009

In this paper, we explain the design choices of Panama and RadioGatún, which led to Keccak. We focus on three important aspects: the role of the belt in the light of differential trails, the relative advantages of a block mode hash function compared to a stream mode one, and the design philosophy differences between Keccak and its predecessors.

G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, Note on side-channel attacks and their countermeasures, NIST hash forum, May 2009

This note discusses the relevance of protecting against side-channel attacks in the scope of keyed modes, and argues the high benefit of using bitwise Boolean operations, in contrast to addition-rotation-XOR (ARX) operations.

G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, Note on zero-sum distinguishers of Keccak-f, NIST hash forum, January 2010

This note discusses the zero-sum distinguishers found on Keccak-f. It shows that the generic construction of a zero-sum set is at most a factor 2 slower than for the proposed distinguishers, which limits their impact. The note explains why we nevertheless decided to increase the number of rounds from 18 to 24 in Keccak-f[1600]. Note that in the meantime, zero-sum distinguishers were extended to the full 24 rounds, but due to apparent lack of impact and extreme complexity (zero-sum set size 2^1575 by Duan and Lai), we decided not to further increase the number of rounds.

G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, Note on Keccak parameters and usage, NIST hash forum, February 2010

This note discusses different options of parameters and usage for Keccak. Except for a discussion on the width of Keccak-f and on the benefits of parallel hashing on modern CPUs, this note has been integrated into the Keccak SHA-3 submission document.

G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, KeccakTools, Ecrypt II Workshop on Tools for Cryptanalysis, June 2010

This documented set of C++ classes covers many aspects of Keccak, from a reference implementation to methods for cryptanalysis. See the documentation page for more information.

G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, Building power analysis resistant implementations of Keccak, Second SHA-3 Candidate Conference, August 2010

This paper proposes countermeasures against side-channel attacks, and more precisely, differential power analysis and variants. More up-to-date content can be found in the Keccak implementation overview.

G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, On alignment in Keccak, Ecrypt II Hash Workshop, May 2011

This paper discusses an aspect of symmetric cryptographic primitives that we call alignment. We define this term and show that there are important differences between primitives that have strong and weak alignment. For strong alignment, the propagation of truncated differences or linear masks is predictable, and for weak alignment it is hard to predict. We show that Keccak has weak alignment with respect to rows and discuss the benefits of weak alignment for rebound attacks, trail clustering and plateau trails. The paper contains figures that can also illustrate the differential and linear propagation inside Keccak-f.

J. Daemen and G. Van Assche, Differential trail propagation of Keccak, Fast Software Encryption, March 2012

This article aims to prove that low-weight differential trails in Keccak-f[1600] do not exist. It does so by showing how to efficiently and exhaustively scan the space of such trails. As a by-product, it introduces new concepts that help read and understand differential trails. In particular, it elegantly characterizes the trails that exploit the kernel, i.e., the worst-case diffusion scenario where the mixing layer acts as the identity.

G. Bertoni, J. Daemen, M. Peeters, G. Van Assche and R. Van Keer, 1001 ways to implement Keccak, Third SHA-3 Candidate Conference, March 2012

This note gives a short overview of the different implementation techniques. There is nothing new compared to the Keccak implementation overview document, but it provides a good summary of different implementation aspects.

G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, Permutation-based encryption, authentication and authenticated encryption, Directions in Authenticated Ciphers, July 2012

This article explores variants of Keccak, sponge functions and duplex objects in the scope of encryption, authentication and authenticated encryption.

G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, Sakura: a flexible coding for tree hashing, Cryptology ePrint Archive, Report 2013/231

In this paper, we propose a flexible, fairly general, coding for tree hash modes. The coding does not define a tree hash mode, but instead specifies a way to format the message blocks and chaining values into inputs to the underlying function for any topology, including sequential hashing. The main benefit is to avoid input clashes between different tree growing strategies, even before the hashing modes are defined, and to make the SHA-3 standard tree-hashing ready.

Presentations

Here we list some presentations we made on Keccak.