Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [keccak]

SHA-3, originally known as Keccak, is a cryptographic hash function designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche.

SHA-3, originally known as Keccak, is a cryptographic hash function designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. SHA-3 uses the sponge construction in which message blocks are XORed into the initial bits of the state, which is then invertibly permuted. In the version used in SHA-3, the state consists of a 5×5 array of 64-bit words, 1600 bits total.

113 questions
60
votes
2 answers

What advantages does Keccak/SHA-3 have over BLAKE2?

Keccak/SHA-3 is new NIST standard for cryptographic hash functions. However, it is much slower than BLAKE2 in software implementations. Does Keccak have compensating advantages?
Demi
  • 4,853
  • 1
  • 22
  • 40
36
votes
5 answers

What security do Cryptographic Sponges offer against generic quantum attacks?

In the face of non-quantum attacker, Keccak[r=1088,c=512] with 512 bits of output provides: Collision resistance up to $2^{256}$ operations Preimage resistance up to $2^{256}$ operations Second preimage resistance up to $2^{256}$ operations In…
Nakedible
  • 1,460
  • 11
  • 15
30
votes
1 answer

How secure would HMAC-SHA3 be?

It would be possible to implement the HMAC construction with (draft) SHA-3, leading to HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512 (the last 3 digits are the output size $\ell$, where $\ell/8$ is the $L$ parameter in HMAC). All that's…
fgrieu
  • 149,326
  • 13
  • 324
  • 622
26
votes
2 answers

Is HMAC needed for a SHA-3 based MAC?

HMAC does nested hashing in order to prevent Length Extension Attacks. Given that you use the SHA-3 hash (which is resistant against length extension attacks), would you still need to go through that procedure in order to produce a secure…
hl3mukkel
  • 509
  • 5
  • 10
24
votes
3 answers

Are NIST's changes to Keccak/SHA-3 problematic?

NIST is working on standardizing SHA-3. They have selected Keccak as the basis for SHA-3, and they plan to make some small changes to it; the result (with NIST's changes) will be standardized as SHA-3. A blog post from the CDT raises concerns over…
D.W.
  • 36,982
  • 13
  • 107
  • 196
23
votes
1 answer

What is the origin of the word "Keccak"?

Where does the word or acronym Keccak come from? Guido Bertoni, Joan Daemen, Michael Peeters, and Gilles Van Assche. Keccak sponge function family main document. Submission to NIST (updated), 2009. "NIST Selects Winner of Secure Hash Algorithm…
user8131
  • 231
  • 2
  • 3
18
votes
2 answers

Why are the constants so simple in Keccak?

Keccak, the construction selected for SHA-3 is very interesting. It seems unlike other primitives and has chosen very simple constants. (Keccak talk PDF) The initial values of the state in Keccak is all zero, why? The round constants have just a few…
u0b34a0f6ae
  • 283
  • 2
  • 6
18
votes
1 answer

What are the key differences between the draft SHA-3 standard and the Keccak submission?

I just noticed that on the NIST website there is a PDF with a draft of the SHA-3 standard (i.e. FIPS 202) (marked as "new", and seemingly the page was last changed on April 7, 2014). Previously it was discussed here that NIST would be changing stuff…
Paŭlo Ebermann
  • 22,946
  • 7
  • 82
  • 119
16
votes
1 answer

Where did the SHAKEs come from in SHA3?

Where did SHAKE128 and SHAKE256 originate from? I am trying to find them in the original Keccak documentation but can't find them. Is it some special mode of Keccak referenced in the documentation? Or something invented by NIST and added to the SHA3…
kimi
  • 193
  • 1
  • 6
12
votes
2 answers

Why is SHA-3 a Sponge function?

A sponge function is supposed to be able to generate an arbitrary length of output. Yet, SHA3 (Bouncycastle) constrains me to choose an output length between 224, 256, 384, and 512. Evidently, these are not arbitrary lengths. How then is SHA3 a…
user56848
  • 121
  • 1
  • 3
12
votes
1 answer

Why does KangarooTwelve only use 12 rounds?

The initial Keccak submission used 18 rounds, which was bumped up to 24 rounds for the final version after distinguishers were found for a reduced 16 round variant. However, the Keccak team has recently released a spate of cryptographic primitives…
Indolering
  • 361
  • 1
  • 8
12
votes
2 answers

Should I use HMAC or KMAC for SHA-3?

I am planning to implement a MAC function for the SHA-3. I read that its latest variant is KMAC. I am confused by the comments on the Keccak website. It says: Unlike SHA-1 and SHA-2, Keccak does not have the length-extension weakness, hence does…
ajith
  • 121
  • 1
  • 3
12
votes
1 answer

Why restricting SHA3 to have only two possible capacities?

I just read the presentation slides of John M. Kesley (from NIST) for his invited talk at CHES 2013 about SHA-3 and learned that NIST is going to standardize Keccak with a possibly modified padding scheme. Ok, so far so good. But what I don't…
sellibitze
  • 321
  • 1
  • 9
11
votes
3 answers

Padding in Keccak SHA3 hashing algorithm

In FIPS-202 specification, the padding required for SHA3 were not clearly mentioned. so we have analyzed the NIST test vectors for SHA3, which states that append "0x06" (never used 1 followed by 'j'zeros and then 1 specified in FIPS-202) to the…
Vani
  • 111
  • 1
  • 3
10
votes
3 answers

What criteria make the theta step of Keccak's round function reversible?

From what I've been reading, Keccak's round function is reversible. That's pretty obvious for the $\rho$, $\pi$ and $\iota$ transforms. For $\chi$ to be reversible, $x$'s range has to be odd — but that's alright since Keccak's $x$ has a range of 5.…
Mike Edward Moras
  • 18,161
  • 12
  • 87
  • 240
1
2 3 4 5 6 7 8