Guido Bertoni3, Joan Daemen2, Seth Hoffert, Michaël Peeters1, Gilles Van Assche1 and Ronny Van Keer1
1STMicroelectronics - 2Radboud University - 3Security Pattern
Keccak is a versatile cryptographic function. Best known as a hash function, it nevertheless can also be used for authentication, (authenticated) encryption and pseudo-random number generation. Its structure is the extremely simple sponge construction and internally it uses the innovative Keccak-f cryptographic permutation.
After its selection as the winner of the SHA-3 competition, Keccak has been standardized in 3GPP TS 35.231 for mobile telephony (TUAK), and in NIST standards FIPS 202 and SP 800-185. Consequently, it has received extensive public scrutiny and third-party cryptanalysis.
We derived from Keccak the schemes Ketje, Keyak and KangarooTwelve, also listed in these pages. The scheme Kravatte uses a different construction but the same Keccak-f permutation. Keccak also inspired many third-party designs.
| Synopsis | The Keccak sponge functions |
|---|---|
| Designed by | Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche |
| Implements | An extendable-output function (XOF), i.e., the generalization of a cryptographic hash function with arbitrary output length |
| Construction | The sponge construction |
| Primitive | One of the Keccak-f[b] permutations, where b is 25, 50, 100, 200, 400, 800 or 1600 bits. In the scope of the FIPS 202 and SP 800-185 standards, the largest permutation Keccak-f[1600] is used. Nevertheless, smaller (or more “lightweight”) permutations can be used in constrained environments. |
| Parameterized by | The capacity c and by the bitrate r |
| Instances | The instances are denoted Keccak[r, c]. The capacity c determines the proven security strength against generic attacks, i.e., for a security level of n bits, the capacity must be c=2n. When summed, r+c must be the width of the permutation among 25, 50, 100, 200, 400, 800 and 1600 bits. The standard instances are listed in the table below. |
| Status | Winner of the SHA-3 competition, standardized in 3GPP TS 35.231, FIPS 202 and SP 800-185 |
We refer to the Keccak reference for the specification of Keccak, including our design rationale and own cryptanalysis. It is also defined in the FIPS 202 standard.
For more information, please refer to:
| Instance | used in FIPS 202 and SP 800-185 by |
|---|---|
| Keccak[r=1344, c=256] | SHAKE128 [FIPS 202], cSHAKE128, KMAC128, KMACXOF128, TupleHash128, TupleHashXOF128, ParallelHash128, ParallelHashXOF128 [SP 800-185] |
| Keccak[r=1152, c=448] | SHA3-224 [FIPS 202] |
| Keccak[r=1088, c=512] | SHAKE256, SHA3-256 [FIPS 202], cSHAKE256, KMAC256, KMACXOF256, TupleHash256, TupleHashXOF256, ParallelHash256, ParallelHashXOF256 [SP 800-185] |
| Keccak[r=832, c=768] | SHA3-384 [FIPS 202] |
| Keccak[r=576, c=1024] | SHA3-512 [FIPS 202] |