The Keccak sponge function family

Pages

• Home
• News
• Files
• Specifications summary
• Tune Keccak to your requirements
• Third-party cryptanalysis
• Our papers and presentations
• Keccak Crunchy Crypto Collision and Pre-image Contest
• The Keccak Team

Documents

• The Keccak reference
• Files for the Keccak reference
• The Keccak SHA-3 submission
• Keccak implementation overview
• Cryptographic sponge functions
• all files…

Notes

• Note on side-channel attacks and their countermeasures
• Note on zero-sum distinguishers of Keccak-f
• Note on Keccak parameters and usage
• On alignment in Keccak
• Sakura: a flexible coding for tree hashing

Software and other files

• Reference and optimized code in C
• Hardware implementation in VHDL
• Known-answer and Monte Carlo test results
• KeccakTools
• Keccak in Python
• all files…

Figures

• Keccak-f state [ODG] [PDF] [PNG]
• Pieces of state [ODG] [PDF] [PNG]
• Step θ [ODG] [PDF] [PNG]
• Step ρ [ODG] [PDF] [PNG]
• Step π [ODG] [PDF] [PNG]
• Step χ [ODG] [PDF] [PNG]

The figures above are available under the Creative Commons Attribution license. In short, they can be freely used, provided that attribution is properly done in the figure caption, either by linking to this webpage or by citing the article where the particular figure first appeared.

Links

• KeccakTools documentation
• RadioGatún
• Cryptographic sponges
• NIST SHA-3 hash function competition
• The SHA-3 zoo
• eBASH
• Animated Keccak (in German)

The optimal choice of parameters is:

Keccak[r=0,c=0] with a least 0 bits of output.

Security claim

In line with our hermetic sponge strategy, we make a flat sponge claim with c=0 bits of capacity: for any output length, we claim this Keccak sponge function resists any attack up to 2⁰ operations (each of complexity equivalent to one call to Keccak-f), unless easier on a random oracle. For 0 bits of output specifically, this translates into the following claimed security level:

Speed

For long messages, this function is 0% slower than faster than as fast as Keccak[] (Keccak with the default parameters). On the reference processor proposed by NIST, long messages should take about 0 cycles/byte.

If no security is requested, you can use Keccak[r=1600,c=0] as a checksum, but there exist faster checksums.

If your security request cannot directly be expressed in terms of collision resistance and (second) preimage resistance, we suggest to look at the flat sponge claim in the Keccak specifications and select a value for the capacity c accordingly.