From Wikipedia, the free encyclopedia

Presentation of the Block Permutation

The presentation of the block permutation differs from the reference in presentation. The mapping between bits in the state and the matrix is specified on page 8 as follows:

"The mapping between the bits of s and those of a is s[w(5y + x) + z] = a[x][y][z]."

The Wikipedia page basically switches the second and first coordinate:

"Let a[i][j][k] be bit (i×5 + j)×w + k of the input,[..]"

The following description of the algorithm is correct, but confusing for those comparing reference, implementation guidelines and other sources. I think it would be helpful to stay closer to the reference in this regard, especially as I don't see an advantage in presenting it with the coordinates switched.

If there is no sign of disagreement, I will come back and change the section accordingly. — Preceding unsigned comment added by Deejaydarvin (talk • contribs) 10:12, 25 June 2013 (UTC)

Requested move

The following discussion is an archived discussion of the proposal. Please do not modify it. Subsequent comments should be made in a new section on the talk page. No further edits should be made to this section.

The result of the proposal was moved. --BDD (talk) 19:19, 11 October 2012 (UTC) (non-admin closure)

Keccak → SHA-3 – Now that Keccak is the official SHA-3 algorithm, this article should be moved to SHA-3 (and perhaps recreate Keccak as a redirect to SHA-3 if it's felt warranted.) moof (talk) 16:56, 4 October 2012 (UTC)

Support, just like Rijndael redirects to Advanced Encryption Standard (and not Advanced Encryption Standard process) -- intgr [talk] 17:01, 4 October 2012 (UTC)
Support move. @moof: A move will automatically leave a redirect from Keccak. Nageh (talk) 12:35, 5 October 2012 (UTC)
Support. SHA-3 will become the much more commonly used name for this algorithm, like AES. Make Keccak a redirect here, and include it in the history as the origin of SHA-3 —fudoreaper (talk) 06:09, 9 October 2012 (UTC)
I was just about to suggest this. BrokenSegue 21:14, 10 October 2012 (UTC)
The above discussion is preserved as an archive of the proposal. Please do not modify it. Subsequent comments should be made in a new section on this talk page. No further edits should be made to this section.

Not yet finalized

Update: SHA-3 was added to the Secure Hash Standard by NIST today. ( — Preceding unsigned comment added by Rbrightwell (talk • contribs) 17:50, 5 August 2015 (UTC)

SHA-3 standard does not exist yet: Secure Hash Standard (SHS) is not yet updated. Only thing which is 100 % sure is that SHA-3 will be based on Keccak. This fact was pointed out by the Keccak authors at FOSDEM 2013 (

At what time of the video do they make that statement? I am watching, but the video is pretty long. —fudoreaper (talk) 03:07, 13 February 2013 (UTC)
Ha, i just found it. 40:45 is the time when he mentions this clearly. We may need to modify this article then... —fudoreaper (talk) 03:19, 13 February 2013 (UTC)
I tried to see if Wikipedia has a template for upcoming standards or similar but couldn't find one. If such a template doesn't exist then perhaps something along the lines of:
As of [date] NIST hasn't yet published final SHA-3 specification. Contents of this article are subject to change once the final standard is published. Woupsi (talk) 22:06, 13 February 2013 (UTC)
Yes, something like this should be clearly stated in the beginning. What happened was the article called Keccak was moved to SHA-3, so a lot of the text comes from the days it was only talking about Keccak. Go ahead and make some changes! —fudoreaper (talk) 08:12, 19 February 2013 (UTC)
Updated the article to not mention any particular variants like "SHA3-256", because the standard is not published, and so it is not final! -- Sverdrup (talk) 16:04, 18 February 2013 (UTC)

news on finalization (talk) 22:04, 27 August 2013 (UTC)

Can we delete rhash sample data? SHA-3 not standardized and the trickle of changes during the standardization process is changing the test values; moreover the current text suggests they're from a non-standard rhash utility. — Preceding unsigned comment added by (talk) 00:52, 6 December 2014 (UTC)

I think it could be reasonable to remove the RHASH algorithm. I changed it, because when researching the algorithm, I found this example only matched the FIPS standard and the competition output on an empty string. The original block simply gave the examples as if there was no difference. I could give sample data to prove the point of the small change for the FIPS standard, but I'm not aware of it being published, so I hesitate to do so. I think that is why the RHASH algorithm has become so popular, because they have a far greater list of example inputs and outputs than the FIPS examples that consist of a few bits. I've already seen the RHASH algorithm popping up in other applications, probably because it is easier to test. It may be useful to instead have a section that shows the difference between the standards, the problem still exists however that the only published input example that is the same between all three is the empty string, and that just happens to be the worst example to use. It will be interesting if early adopters of SHA-3 mostly get it wrong, simply because RHASH got it wrong. The fact that it is wrong seems to be important. (talk) 14:35, 1 May 2015 (UTC)

seconded. examples should be kept minimum, and only official values, the latest draft in our case. Krisztián Pintér (talk) 14:39, 1 May 2015 (UTC)
removed the RHASH. also the "keccak" examples, unclear what they were. kept only the standardized ones, plus added the obligatory avalanche showcase. Pintér Krisztián (talk) 20:26, 15 August 2015 (UTC)

reopen the case for separate keccak article

in the light of recent documents, i suggest keccak and sha-3 to be separated. rationale: in this document authors suggest a wide array of uses for keccak outside the scope of a hash function. also there are different usage modes, namely the overwrite mode absorbing (as opposed to the xor method), reduced rounds for first Keccak-f in special cases like keyed mode, and sakura tree hashing with special padding. as of now, it is impossible to incorporate these into wikipedia, because they are not related to SHA-3, and there is no keccak article. (talk) 14:32, 26 July 2013 (UTC)

It's not necessary to create a separate article for that, just create a subsection about the non-SHA features and make that clear in text. As an example, the Advanced Encryption Standard article also discusses the Rijndael-specific block and key lengths which are not in AES. -- intgr [talk] 06:37, 28 July 2013 (UTC)
not necessary but reasonable (talk) 11:16, 29 July 2013 (UTC)
The variant of Keccak now being proposed by NIST for SHA-3 standardization is a specific implementation of Keccak ( I believe separating Keccak and SHA-3 into two articles would be wise. Even if that can't be accommodated, the differences between Keccak as a family of primitives, Keccak as suggested for use as a hash function, and SHA-3 as defined by NIST should really be clarified. Now that the standardization process is nearing completion, they are diverging and are no longer equivalent. Rbpolsen ·

more: CAESAR contestants ketje and keyak are based on smaller state and reduced round keccak. (i am above) Krisztián Pintér (talk) 12:34, 19 March 2014 (UTC)

now what? now we have the SHAKE's as well. where to put it? Krisztián Pintér (talk) 18:59, 7 May 2014 (UTC)

controversy section

added a little bit of info about the fuss that is going on. sadly, due to US government inaptness, i can't cite the djb mail from the NIST mailing list, it is not available. — Preceding unsigned comment added by (talk) 16:53, 13 October 2013 (UTC)

turns out that it is a registration only site, and they don't seem to hand out accounts as easily as they claim. does anyone have an alternative source? (talk) 22:14, 3 November 2013 (UTC)

Removing statements by Paul Crowley

I've never heard of "Paul Crowley", and he doesn't have a Wikipedia article (in contrast to e.g. Bruce Schneier who is cited in the same section). A Google search for "Paul Crowley" doesn't turn up any cryptologist (there's an Irish football player, and a lawyer that comes on the first page). The citation itself seems to be a blog site. I'm being bold and removing the statement, particularly considering the controversy around the weakening of Keccak by NIST. We need to be careful who is being cited and their weight in the cryptologic community. Please cite who he is before adding him back. (talk) 14:16, 16 February 2014 (UTC)

Paul Crowley cryptanalyzed Salsa20 and was awarded a prize for it. His comments on the controversy are technically substantiated and can bring another light to the controversy, so they are worth adding back. (talk) 16:17, 3 March 2014 (UTC)
i personally have no objection, but i made it a little shorter Krisztián Pintér (talk) 17:22, 3 March 2014 (UTC)

Problem with the third item of the references

I think there is a little problem on the item three of the section "References" because it is showing the following string in red

"|first1= missing |last1= in Authors list (help)"

I'm sorry, but I don't know how to fix it, so, I'm reporting here.


Lp.vitor (talk) 22:39, 21 October 2014 (UTC)

Free implementations available already?

For the previous hash algorithms, there have been free implementations available under the BSD license. Is there such an implementation available for SHA-3 already? Schily (talk) 15:56, 18 August 2015 (UTC)


i suggest the deletion of the tweaks session, or merging it into the history section. now that the standard is out, tweaks does not seem all that relevant. Krisztián Pintér (talk) 08:51, 8 September 2015 (UTC)

I think deletion is not good, but I support moving it to the history. --mafutrct (talk) 10:59, 8 October 2015 (UTC)


AFAIK the padding is 1...0...1 for Keccak, 011...0...1 for SHA3 and 11111...0...1 for SHAKE. — Preceding unsigned comment added by (talk) 12:13, 11 October 2015 (UTC)

those bits are not part of the padding, though obviously it will be implemented as one step in libraries. for example the rule for sha3 is: M || 01 || 10*1. this is practically equivalent to M || 0110*1. this is already covered in the article. Krisztián Pintér (talk) 12:36, 11 October 2015 (UTC)

Is the example section correct?

I made an implementation of SHA3, and ran SHA3-224(""), and I get: d46b7676dc1570d228520b1b9dd5caa1319ec425e2775ec399f96fb7.

I've noticed that there's no in-line citation in the examples section, so I doubt it's correct.

Do we have a reference implementation we can defer to? — Preceding unsigned comment added by Dannyniu (talk • contribs) 12:20, 14 May 2016 (UTC)

i'm not really in the mood to track down more, but specifically empty-224 is here:
Krisztián Pintér (talk) 13:40, 14 May 2016 (UTC)
and some more empty here Krisztián Pintér (talk) 13:41, 14 May 2016 (UTC)
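
Added example, not part of the talk-page discussion and not the Keccak team's or NIST's code: a Keccak-f[1600] sponge in Python that makes the padding thread above concrete (plain 10*1 for Keccak, M || 01 || 10*1 for SHA-3, M || 1111 || 10*1 for SHAKE) and gives an independent way to check empty-string test values. Lanes are indexed with the reference mapping s[w(5y + x) + z] = a[x][y][z] quoted in the first section; the function names and the packing of each suffix into one byte (0x01, 0x06, 0x1F) are assumptions of this example.

```python
M64 = 2**64 - 1

def rol(v, n):
    return ((v << n % 64) | (v >> (64 - n % 64))) & M64

def keccak_f1600(A):
    # A[x + 5*y] is lane (x, y); its bit z is state bit 64*(5*y + x) + z,
    # i.e. the reference mapping s[w(5y + x) + z] = a[x][y][z] with w = 64.
    rc = 1  # LFSR that generates the iota round-constant bits
    for _ in range(24):
        C = [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]
        D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]             # theta
        x, y, cur = 1, 0, A[1]
        for t in range(24):                                   # rho and pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, A[x + 5 * y] = A[x + 5 * y], rol(cur, (t + 1) * (t + 2) // 2)
        for y in range(0, 25, 5):                             # chi
            row = A[y:y + 5]
            for x in range(5):
                A[y + x] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        for j in range(7):                                    # iota
            rc = ((rc << 1) ^ ((rc >> 7) * 0x71)) & 0xFF
            if rc & 2:
                A[0] ^= 1 << ((1 << j) - 1)
    return A

def permute(state):
    lanes = [int.from_bytes(state[8 * i:8 * i + 8], "little") for i in range(25)]
    return bytearray(b"".join(l.to_bytes(8, "little") for l in keccak_f1600(lanes)))

def sponge(rate, suffix, msg, outlen):
    # suffix: domain-separation bits plus the first '1' of pad10*1, LSB-first.
    padded = bytearray(msg) + bytes([suffix])
    padded += bytes(-len(padded) % rate)
    padded[-1] ^= 0x80                       # closing '1' of pad10*1
    state = bytearray(200)
    for off in range(0, len(padded), rate):
        for i in range(rate):
            state[i] ^= padded[off + i]
        state = permute(state)
    out = bytes(state[:rate])
    while len(out) < outlen:
        state = permute(state)
        out += state[:rate]
    return out[:outlen]

KECCAK, SHA3, SHAKE = 0x01, 0x06, 0x1F       # "1", "01"+"1", "1111"+"1"

def digest(suffix, bits, msg=b""):
    # capacity = 2*bits, so rate in bytes = 200 - bits/4; output is bits/8 bytes
    return sponge(200 - bits // 4, suffix, msg, bits // 8).hex()
```

`digest(SHA3, 224)` returns the SHA3-224 digest of the empty string, which can be compared with `hashlib.sha3_224(b"").hexdigest()`; swapping in `KECCAK` or `SHAKE` changes only the suffix byte and yields a different digest for the same input.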