## Tune Keccak to your requirements

The capacity parameter and chosen output length in Keccak can be freely chosen. Their combination determines the attainable security and the capacity has an impact on performance. This page gives you the optimal capacity and output length values, given the classical hash function criteria.

Please specify your requirements…

The optimal choice of parameters is:

**Keccak[***r*=0,*c*=0] with a least **0 bits** of output.

### Security claim

In line with our hermetic sponge strategy, we make a flat sponge claim with *c*=0 bits of capacity: for any output length, we claim this Keccak sponge function resists any attack up to **2**^{0} operations (each of complexity equivalent to one call to Keccak-*f*), unless easier on a random oracle. For 0 bits of output specifically, this translates into the following claimed security level:

| Claimed security level |

Collision resistance |
2^{0} |

(Second) preimage resistance |
2^{0} |

### Speed

For long messages, this function is **0% slower than faster than as fast as** Keccak[] (Keccak with the default parameters). On the reference processor proposed by NIST, long messages should take about **0 cycles/byte**.

If no security is requested, you can use Keccak[*r*=1600,*c*=0] as a checksum, but there exist faster checksums.

If your security request cannot directly be expressed in terms of collision resistance and (second) preimage resistance, we suggest to look at the flat sponge claim in the Keccak specifications and select a value for the capacity *c* accordingly.