From Wikipedia, the free encyclopedia
  (Redirected from Keccak)
Jump to: navigation, search
Designers Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche.
Series (SHA-0), SHA-1, SHA-2, SHA-3
Certification FIPS PUB 180-4
Digest sizes arbitrary
Structure sponge construction
Speed 12.5 cpb on Core 2 [r=1024, c=576].

SHA-3 (Secure Hash Algorithm 3), a subset of the cryptographic primitive family Keccak (/ˈkætʃæk/, or /kɛtʃɑːk/),[1][2] is a cryptographic hash function designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche, building upon RadioGatún. SHA-3 is a member of the Secure Hash Algorithm family. The SHA-3 standard was released by NIST on August 5, 2015.[3][4]


On October 2, 2012, Keccak was selected as the winner of the NIST hash function competition.[1] SHA-3 is not meant to replace SHA-2, as no significant attack on SHA-2 has been demonstrated. Because of the successful attacks on MD5 and SHA-0 and theoretical attacks on SHA-1,[5] NIST perceived a need for an alternative, dissimilar cryptographic hash, which became SHA-3.

In 2014, the NIST has published a draft FIPS 202 "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions".[6] FIPS 202 was approved on August 5, 2015.[7]

The Keccak algorithm (which NIST say is pronounced "catch-ack"[1] but Dr. Dobb's Journal says is pronounced "ket-chak"[8]) is the work of Guido Bertoni, Joan Daemen (who also co-designed the Rijndael cipher with Vincent Rijmen[9]), Michael Peters, and Gilles Van Assche.[8]

On August 5, 2015 NIST announced that SHA-3 had become a hashing standard.[10]


SHA-3 uses the sponge construction,[11][12] in which message blocks are XORed into a subset of the state, which is then transformed as a whole. In the version used in SHA-3, the state consists of a 5 × 5 array of 64-bit words, 1600 bits total. The authors claim 12.5 cycles per byte[13] on an Intel Core 2 CPU. However, in hardware implementations, it is notably faster than all other finalists.[14]

Keccak's authors have proposed additional, not-yet-standardized uses for the function, including an authenticated encryption system and a "tree" hash for faster hashing on certain architectures.[15] Keccak is also defined for smaller power-of-2 word sizes w down to 1 bit (25 bits total state). Small state sizes can be used to test cryptanalytic attacks, and intermediate state sizes (from w = 8, 200 bits, to w = 32, 800 bits) can be used in practical, lightweight applications.[16][17]

The block permutation[edit]

This is defined for any power-of-two word size, w = 2 bits. The main SHA-3 submission uses 64-bit words, ℓ = 6.

The state can be considered to be a 5 × 5 × w array of bits. Let a[i][j][k] be bit (5i + j) × w + k of the input, using a little-endian bit numbering convention and row-major indexing. I.e. i selects the column, j the row, and k the bit.

Index arithmetic is performed modulo 5 for the first two dimensions and modulo w for the third.

The basic block permutation function consists of 12 + 2ℓ iterations of five sub-rounds, each individually very simple:

Compute the parity of each of the 5w (320, when w = 64) 5-bit columns, and exclusive-or that into two nearby columns in a regular pattern. To be precise, a[i][j][k] ← a[i][j][k] ⊕ parity(a[0...4][j−1][k]) ⊕ parity(a[0...4][j+1][k−1])
Bitwise rotate each of the 25 words by a different triangular number 0, 1, 3, 6, 10, 15, .... To be precise, a[0][0] is not rotated, and for all 0 ≤ t < 24, a[i][j][k] ← a[i][j][k−(t+1)(t+2)/2], where \begin{pmatrix} i \\ j \end{pmatrix} = \begin{pmatrix} 3 & 2 \\ 1 & 0 \end{pmatrix}^t \begin{pmatrix} 0 \\ 1 \end{pmatrix}.
Permute the 25 words in a fixed pattern. a[j][2i+3j] ← a[i][j].
Bitwise combine along rows, using aa ⊕ (¬b & c). To be precise, a[i][j][k] ← a[i][j][k] ⊕ ¬a[i][j+1][k] & a[i][j+2][k]. This is the only non-linear operation in SHA-3.
Exclusive-or a round constant into one word of the state. To be precise, in round n, for 0 ≤ m ≤ ℓ, a[0][0][2m−1] is exclusive-ORed with bit m + 7n of a degree-8 LFSR sequence. This breaks the symmetry that is preserved by the other sub-rounds.

Hashing variable-length messages[edit]

Illustration of the sponge construction
The sponge construction for hash functions. pi are input, zi are hashed output. The unused "capacity" c should be twice the desired resistance to collision or preimage attacks.

SHA-3 uses the "sponge construction", where input is "absorbed" into the hash state at a given rate, then an output hash is "squeezed" from it at the same rate.

To absorb r bits of data, the data is XORed into the leading bits of the state, and the block permutation is applied. To squeeze, the first r bits of the state are produced as output, and the block permutation is applied if additional output is desired.

Central to this is the "capacity" of the hash function, which is the c = 25wr state bits that are not touched by input or output. This can be adjusted based on security requirements. The maximum security level is half the capacity.

To ensure the message can be evenly divided into r-bit blocks, padding is required. Keccak uses the pattern 10*1: a 1 bit, zero or more 0 bits (maximum r − 1), and a final 1 bit. The final 1 bit is required because the sponge construction security proof requires that the rate is encoded in the final block ("multi rate padding").

To compute a hash, initialize the state to 0, pad the input, and break it into r-bit pieces. Absorb the input into the state; that is, for each piece, XOR it into the state and then apply the block permutation.

After the final block permutation, the desired n number of bits is squeezed. For the SHA3 instances, r is always greater than n, thus there is never a need for additional block permutations in the squeezing phase. The leading n bits of the state are the desired hash. However, arbitrary output length may be useful in applications such as optimal asymmetric encryption padding.

Although not part of the SHA-3 standard, smaller variants of the block permutation can be used, for hash output sizes up to half their state size, if the rate r is limited appropriately. For example, a 256-bit hash can be computed using 25 32-bit words if r = 800 − 2 × 256 = 288 (36 bytes per iteration).


The NIST standard defines the following instances.

Keccak[capacity](M, d) is defined as the sponge construction using Keccak-f[1600, capacity], message M and output length d.

Instance Definition
SHA3-224(M) Keccak[448](M||01, 224)
SHA3-256(M) Keccak[512](M||01, 256)
SHA3-384(M) Keccak[768](M||01, 384)
SHA3-512(M) Keccak[1024](M||01, 512)
SHAKE128(M, d) Keccak[256](M||1111, d)
SHAKE256(M, d) Keccak[512](M||1111, d)

The SHA3 instances are the drop-in replacements for SHA2, with identical security claims. SHAKE instances are so called XOF's, Extendible Output Functions. For example SHAKE128(M, 256) can be used as a hash function with 128 bit overall security.

Note that all instances append some bits to the message. Since 10*1 padding always adds at least two bits, in byte aligned libraries we always have six unused zero bits. Therefore these appended extra bits never make the padded message longer.


Throughout the NIST hash function competition, entrants were permitted to "tweak" their algorithms to address issues that were discovered. Changes that have been made to Keccak are:[18][19]

  • The number of rounds was increased from 12 + ℓ to 12 + 2ℓ to be more conservative about security.
  • The message padding was changed from a more complex scheme to the simple 10*1 pattern described above.
  • The rate r was increased to the security limit, rather than rounding down to the nearest power of 2.

NIST announcement controversy[edit]

In February 2013 at the RSA Conference, and then in August 2013 at CHES, NIST announced they would select different values for the capacity, i.e. the security parameter, for the SHA-3 standard, compared to the submission.[20][21] The changes caused some turmoil.

In September 2013, Daniel J. Bernstein suggested on the NIST hash-forum mailing list[22] to strengthen the security to the 576-bit capacity that was originally proposed as the default Keccak.[23] In late September, the Keccak team responded by stating that they proposed 128-bit security by setting c = 256 as an option already in their SHA-3 proposal.[24] However, in the light of the uproar in the cryptographic community, they proposed raising the capacity to 512 bits for all instances.[25]

In early October 2013, Bruce Schneier criticized NIST's decision on the basis of its possible detrimental effects on the acceptance of the algorithm, saying

There is too much mistrust in the air. NIST risks publishing an algorithm that no one will trust and no one (except those forced) will use.[26]

Paul Crowley, a senior developer at an independent software development company, expressed his support of the decision, saying that Keccak is supposed to be tunable and there is no reason for different security levels within one primitive. He also added:

Yes, it’s a bit of a shame for the competition that they demanded a certain security level for entrants, then went to publish a standard with a different one. But there’s nothing that can be done to fix that now, except re-opening the competition. Demanding that they stick to their mistake doesn’t improve things for anyone.[27]

There was also some confusion that internal changes were made to Keccak. The Keccak team clarified this, stating that NIST's proposal for SHA-3 is a subset of the Keccak family, for which one can generate test vectors using their reference code submitted to the contest, and that this proposal was the result of a series of discussions between them and the NIST hash team.[28] Also, Bruce Schneier corrected his earlier statement, saying

I misspoke when I wrote that NIST made "internal changes" to the algorithm. That was sloppy of me. The Keccak permutation remains unchanged. What NIST proposed was reducing the hash function's capacity in the name of performance. One of Keccak's nice features is that it's highly tunable.[26]

In November 2013, in the light of the uproar in the cryptographic community, John Kelsey of NIST proposed to go back to the original c = 2n proposal for all SHA-2 drop-in replacement instances.[29] These changes were confirmed in the April 2014 draft.[30] This proposal was implemented in the final release standard in August 2015.[3]

Examples of SHA-3 variants[edit]

SHAKE128("", 256)
SHAKE256("", 512)

Changing a single bit results in each bit in the output to change with 50% probability, demonstrating an avalanche effect:

SHAKE128("The quick brown fox jumps over the lazy dog", 256)
SHAKE128("The quick brown fox jumps over the lazy dof", 256)

Comparison of SHA functions[edit]

In the table below, internal state means the number of bits that are carried over to the next block.

Comparison of SHA functions
Algorithm and variant Output size
Internal state size
Block size
Max message size
Rounds Operations Security
Example performance[32]
MD5 (as reference) 128 128
(4 × 32)
512 264 − 1 64 And, Xor, Rot,
Add (mod 232),
(collisions found)
SHA-0 160 160
(5 × 32)
512 264 − 1 80 And, Xor, Rot,
Add (mod 232),
(collisions found)
SHA-1 160 160
(5 × 32)
512 264 − 1 80 <80
(theoretical attack[33] in 261 operations)
SHA-2 SHA-224
(8 × 32)
512 264 − 1 64 And, Xor, Rot,
Add (mod 232),
Or, Shr
(8 × 64)
1024 2128 − 1 80 And, Xor, Rot,
Add (mod 264),
Or, Shr
SHA-3 SHA3-224
(5 × 5 × 64)
Unlimited 24 And, Xor, Rot,
d (arbitrary)
d (arbitrary)
min(d/2, 128)
min(d/2, 256)


  1. ^ a b c "NIST Selects Winner of Secure Hash Algorithm (SHA-3) Competition". NIST. 2012-10-02. Retrieved 2012-10-02. 
  2. ^ Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. "The Keccak sponge function family: Specifications summary". Retrieved 2011-05-11. 
  3. ^ a b
  4. ^
  5. ^ Stevens, Marc. "Cryptanalysis of MD5 & SHA-1" (PDF). Retrieved 28 January 2015. 
  6. ^ "SHA-3 standardization". NIST. Retrieved 2015-04-16. 
  7. ^ National Institute of Standards and Technology (Aug 5, 2015). "Federal Information Processing Standards: Permutation-Based Hash and Extendable-Output Functions, etc.". Retrieved 5 Aug 2015. 
  8. ^ a b "Keccak: The New SHA-3 Encryption Standard". Dr. Dobbs. 
  9. ^ "Joan Daemen". Wikipedia. 
  10. ^ "". 2015-08-05. 
  11. ^ Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. "Sponge Functions". Ecrypt Hash Workshop 2007. 
  12. ^ Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. "On the Indifferentiability of the Sponge Construction". EuroCrypt 2008. 
  13. ^ Keccak implementation overview Version 3.2
  14. ^ Guo, Xu; Huang, Sinan; Nazhandali, Leyla; Schaumont, Patrick (Aug 2010), "Fair and Comprehensive Performance Evaluation of 14 Second Round SHA-3 ASIC Implementations" (PDF), NIST 2nd SHA-3 Candidate Conference: 12, retrieved 2011-02-18  Keccak is second only to Luffa, which did not advance to the final round.
  15. ^ NIST, Third-Round Report of the SHA-3 Cryptographic Hash Algorithm Competition, sections (mentioning "tree mode"), 6.2 ("other features", mentioning authenticated encryption), and 7 (saying "extras" may be standardized in the future)
  16. ^ Daemen, Joan, CAESAR submission: Ketje v1 (PDF) 
  17. ^ Daemen, Joan, CAESAR submission: Keyak v1 (PDF) 
  18. ^ "Keccak parameter changes for round 2". 
  19. ^ "Simplifying Keccak's padding rule for round 3". 
  20. ^ John Kelsey. "SHA3, Where We've Been, Where We're Going" (PDF). RSA Conference 2013. 
  21. ^ John Kelsey. "SHA3, Past, Present, and Future". CHES 2013. 
  22. ^ "NIST hash forum mailing list". 
  23. ^ "The Keccak SHA-3 submission" (PDF). 2011-01-14. Retrieved 2014-02-08. 
  24. ^ "On 128-bit security". 
  25. ^ "A concrete proposal". 
  26. ^ a b "Schneier on Security: Will Keccak = SHA-3?". 
  27. ^ "LShift: Why I support the US Government making a cryptography standard weaker". 
  28. ^ "Yes, this is Keccak!". 
  29. ^ "Moving Forward with SHA-3" (PDF). 
  30. ^ NIST Computer Security Division (CSD). "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions" (PDF). NIST. 
  31. ^ "Crypto++ 5.6.0 Benchmarks". Retrieved 2013-06-13. 
  32. ^ Found on an AMD Opteron 8354 2.2 GHz processor running 64-bit Linux[31]
  33. ^ "Cryptanalysis of MD5 & SHA-1" (PDF). Retrieved 2013-04-25. 

External links[edit]