News archives 2015

  • Very compact (or tweetable) implementations of Keccak, written by D. J. Bernstein, Peter Schwabe and Gilles, are now available. In their most compact form, the 6 instances of SHA-3 and SHAKE can fit in just 9 tweets.

    Compact code implementing FIPS 202

    We published a series of compact implementations, from the more readable one to the most compact one.

    • First, a readable and compact implementation of all the Keccak instances approved in the FIPS 202 standard, where we focused on clarity and on source-code compactness (excluding the comments) rather than on performance. As much as possible, we used the same notation as in the specifications.
    • Second, a more compact (but less readable) implementation, demonstrating that Keccak is conceptually simple.
    • Third, a very compact implementation aimed at minimizing the number of tweets (i.e., lines of up to 140 characters each). With just 9 tweets, this means an average of 1.5 tweets per instance! As a comparison, SHA-512 alone takes about 27 tweets when extracted from TweetNaCl.

    Dan presented the tweetable implementation at the rump session of Crypto 2015 [slides].

  • NIST officially released the FIPS 202 standard. Although it represents the target of the SHA-3 competition for a fresh hash function, the new standard provides more than just a successor to SHA-2: It comes as a toolbox with all the necessary ingredients for defining other uses of Keccak. About 2.5 years after the SHA-3 competition concluded, we recap what the FIPS 202 standard contains.

    The purpose of the FIPS 202 standard is twofold: It gives all the definitions needed to specify Keccak-based functions and it approves the use of six specific instances. The document is written bottom-up, starting with the bit-level operations in the Keccak-p permutations, a generalization of the Keccak-f permutations with a parameterized number of rounds, then moving to the sponge construction and, building on it, the Keccak family of sponge functions, and finally specifying the approved instances:

    • four SHA-2 drop-in replacements with fixed output length SHA3-224 to SHA3-512, and
    • two future-oriented extendable-output functions SHAKE128 and SHAKE256.

    Extendable-output functions

    The introduction of extendable-output functions (or XOFs, pronounced zoff) is a particularly nice feature of the standard. A XOF like SHAKE128 or SHAKE256 can be seen as a generalization of hash functions where the output length is not fixed but is potentially infinite. Concretely, XOFs can be used instead of complex constructions involving hash functions and counters such as MGF1. With RSA, this is of immediate benefit to full domain hashing, to RSA OAEP (Optimal Asymmetric Encryption Padding) and to RSA PSS (Probabilistic Signature Scheme). Other use cases are key derivation functions and stream ciphers.

    Another important conceptual difference is that a XOF's security strength can be chosen (e.g., through Keccak's capacity value) and is not bound to its output length, as is traditionally the case for hash functions. This flexibility allows for better security-performance trade-offs. For instance, with a key derivation function, the length of the derived key material can greatly vary from one application to another, in a way that is in general not related to the required security strength.
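
The contrast described above, as an added example that is not part of the original page or of the Keccak team's code: MGF1 as defined in RFC 8017 (a hash plus a counter) beside the same mask generation done with a SHAKE XOF from Python's `hashlib`. The function names, the `strength` parameter and the sample seed are constructed for illustration.

```python
import hashlib

def mgf1(seed: bytes, mask_len: int, hash_name: str = "sha256") -> bytes:
    """MGF1 (RFC 8017, B.2.1): concatenate Hash(seed || counter) blocks."""
    h_len = hashlib.new(hash_name).digest_size
    if mask_len > (1 << 32) * h_len:
        raise ValueError("mask too long")
    blocks = []
    for counter in range(-(-mask_len // h_len)):      # ceil(mask_len / h_len)
        c = counter.to_bytes(4, "big")                # I2OSP(counter, 4)
        blocks.append(hashlib.new(hash_name, seed + c).digest())
    return b"".join(blocks)[:mask_len]                # truncate the last block

def xof_mask(seed: bytes, mask_len: int, strength: int = 256) -> bytes:
    """Same job with a FIPS 202 XOF: one call, no counter, no truncation logic.

    The security strength (128 or 256) is picked by choosing SHAKE128 or
    SHAKE256 and does not depend on how many output bytes are requested.
    """
    if strength not in (128, 256):
        raise ValueError("strength must be 128 or 256")
    xof = hashlib.shake_128 if strength == 128 else hashlib.shake_256
    return xof(seed).digest(mask_len)

if __name__ == "__main__":
    seed = b"constructed sample seed"                 # constructed input
    for n in (20, 32, 107):                           # arbitrary mask lengths
        print(n, mgf1(seed, n).hex()[:16], xof_mask(seed, n, 128).hex()[:16])
    # A shorter XOF output is a prefix of a longer one for the same input,
    # so callers needing independent outputs must use distinct inputs.
    print(xof_mask(seed, 107)[:20] == xof_mask(seed, 20))
```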

    Future plans

    NIST expressed their intention to approve other modes of use of Keccak (or potentially other functions based on the Keccak-p permutations) as they are developed, by way of special publications in the NIST SP 800-XX series and referring to FIPS 202. At the SHA-3 2014 Workshop, NIST presented more details on the following topics:

    Code package

    The latest version of the Keccak Code Package is in line with the standard and contains test vectors for the six aforementioned instances.