Keccak is a versatile cryptographic function. Best known as a hash function, it nevertheless can also be used for authentication, (authenticated) encryption and pseudo-random number generation. Its structure is the extremely simple sponge construction and internally it uses the innovative Keccak-f cryptographic permutation.

After its selection as the winner of the SHA-3 competition, Keccak has been standardized in 3GPP TS 35.231 for mobile telephony (TUAK), and in NIST standards FIPS 202 and SP 800-185. Consequently, it has received extensive public scrutiny and third-party cryptanalysis.

We derived from Keccak the schemes Ketje, Keyak and KangarooTwelve, also listed in these pages. The scheme Kravatte uses a different construction but the same Keccak-f permutation. Keccak also inspired many third-party designs.

Technical details

SynopsisThe Keccak sponge functions
Designed byGuido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche
ImplementsAn extendable-output function (XOF), i.e., the generalization of a cryptographic hash function with arbitrary output length
ConstructionThe sponge construction
PrimitiveOne of the Keccak-f[b] permutations, where b is 25, 50, 100, 200, 400, 800 or 1600 bits. In the scope of the FIPS 202 and SP 800-185 standards, the largest permutation Keccak-f[1600] is used. Nevertheless, smaller (or more “lightweight”) permutations can be used in constrained environments.
Parameterized byThe capacity c and by the bitrate r
InstancesThe instances are denoted Keccak[r, c]. The capacity c determines the proven security strength against generic attacks, i.e., for a security level of n bits, the capacity must be c=2n. When summed, r+c must be the width of the permutation among 25, 50, 100, 200, 400, 800 and 1600 bits. The standard instances are listed in the table below.
StatusWinner of the SHA-3 competition, standardized in 3GPP TS 35.231, FIPS 202 and SP 800-185

We refer to the Keccak reference for the specification of Keccak, including our design rationale and own cryptanalysis. It is also defined in the FIPS 202 standard.

For more information, please refer to:

Standard instances

Instanceused in FIPS 202 and SP 800-185 by
Keccak[r=1344, c=256]SHAKE128 [FIPS 202], cSHAKE128, KMAC128, KMACXOF128, TupleHash128, TupleHashXOF128, ParallelHash128, ParallelHashXOF128 [SP 800-185]
Keccak[r=1152, c=448]SHA3-224 [FIPS 202]
Keccak[r=1088, c=512]SHAKE256, SHA3-256 [FIPS 202], cSHAKE256, KMAC256, KMACXOF256, TupleHash256, TupleHashXOF256, ParallelHash256, ParallelHashXOF256 [SP 800-185]
Keccak[r=832, c=768]SHA3-384 [FIPS 202]
Keccak[r=576, c=1024]SHA3-512 [FIPS 202]