LLMpediaThe first transparent, open encyclopedia generated by LLMs

Keccak

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy
Parent: SHA-1 Hop 4
Expansion Funnel Raw 52 → Dedup 0 → NER 0 → Enqueued 0
1. Extracted52
2. After dedup0 (None)
3. After NER0 ()
4. Enqueued0 ()
Keccak
NameKeccak
DesignerGuido Bertoni; Joan Daemen; Michaël Peeters; Gilles Van Assche
Introduced2008
RelatedRijndael; SHA-3
Digest sizes224, 256, 384, 512 bits (and extendable)
TypeCryptographic hash function; sponge construction; permutation-based

Keccak is a family of cryptographic hash functions and a sponge-based permutation designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. It was selected as the winner of the NIST SHA-3 competition and standardized as SHA-3, providing an alternative to the SHA-2 family. Keccak introduced a sponge construction combined with the Keccak-f permutation, influencing later work in authenticated encryption and permutation design.

History and Design Goals

Keccak was developed by a team including Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. Its design goals emphasized security against collision and preimage attacks considered in the aftermath of weaknesses found in MD5, SHA-0, and SHA-1. The project participated in the NIST hash function competition alongside submissions by teams associated with Ronald Rivest, Niels Ferguson, Daniel J. Bernstein, and Tadayoshi Kohno; Keccak was chosen by a panel including representatives from NIST, NSA observers, and academic reviewers. The selection followed earlier standardization efforts exemplified by AES selection processes and the community scrutiny seen in eCRYPT. Keccak's authors prioritized simple, parallel-friendly primitives to resist attacks similar to those against SHA-1 exploited in collisions published by researchers at Google and CWI Amsterdam.

Sponge Construction and Keccak-f Permutation

Keccak is built around the sponge construction, a framework proposed by the designers to absorb and squeeze variable-length input and output. The sponge construction concept was evaluated in the context of works by Claude Shannon on diffusion and confusion, and it shares conceptual lineage with constructions used in PHOTON and Blake. Central to Keccak is the Keccak-f family of permutations: Keccak-f[b] operates on a b-bit state with a fixed sequence of round functions including theta, rho, pi, chi, and iota steps. These steps were designed to provide nonlinear mixing and symmetry breaking comparable to operations used in Rijndael but distinct in structure. The permutation design balances diffusion across lanes and resistance to differential and linear cryptanalysis studied by groups at École Polytechnique, KU Leuven, and EPFL.

Variants and Parameters

Keccak offers multiple parameterizations: rate r and capacity c define the sponge's throughput and security level, with b = r + c. Standardized SHA-3 variants map to Keccak parameters for digest sizes 224, 256, 384, and 512 bits; extendable-output functions (XOFs) like SHAKE128 and SHAKE256 are built on Keccak with different c values. The designers also proposed families Keccak-p and Keccak-f with widths such as 25, 50, 100, 200, 400, 800, and 1600 bits, enabling implementations tailored for constrained environments like those addressed by ARM Holdings, Intel, and Atmel microcontrollers. Parameters influence resistance against multi-target and length-extension attacks analyzed by researchers at CWI and NIST.

Security Analysis and Cryptanalysis

Keccak's security has been subjected to intensive cryptanalysis by academics and industry experts including teams from NIST, Cryptology ePrint Archive contributors, and researchers associated with ANSSI and INRIA. Analyses investigated differential, rotational, and algebraic attacks against reduced-round Keccak-f permutations; practical preimage or collision attacks have not broken the full-round standardized variants. Security proofs relate the capacity c to collision and preimage bounds, and researchers from University of Luxembourg, KU Leuven, and ETH Zurich examined bounds and multicollision strategies. Side-channel concerns prompted countermeasures studied by groups at Radboud University and University College London.

Implementations and Performance

Keccak implementations span software and hardware, with notable implementations from Bouncy Castle, OpenSSL contributors, and vendors like Intel offering optimized routines. In software, Keccak benefits from bitwise operations and SIMD-friendly scheduling used on x86-64 and ARMv8 platforms; hardware implementations employ compact gate counts for IoT targets exemplified by work at TU Graz and Delft University of Technology. Performance comparisons with SHA-2 show Keccak often has higher throughput for long messages when implemented with wide lanes and parallelism; however, performance varies with platform instruction sets and memory hierarchy considerations investigated by researchers at Google and Microsoft Research.

Applications and Adoption

Following NIST standardization, Keccak underlies SHA-3 and XOFs used in cryptographic libraries, security protocols, and blockchain projects. Keccak-based primitives appear in standards and specifications authored by ISO, IETF, and industry consortia, and have been considered in post-quantum signature and key-derivation contexts researched at NIST and PQCrypto. Blockchain and ledger projects, academic prototypes in secure messaging from IETF drafts, and storage integrity tools by organizations like The Linux Foundation have integrated Keccak variants. Academic uses include randomness extractors and provable-security constructions studied at ETH Zurich and RWTH Aachen.

Keccak was submitted to NIST under terms addressing intellectual property, leading to its adoption as SHA-3 by NIST without encumbering licensing for the standard. The designers disclosed patent considerations during the competition, and subsequent statements clarified ownership and licensing similar to prior debates during AES standardization. Legal reviews by industry standards bodies including ISO and consortia like IEEE examined implementers' obligations, while companies such as ARM and Intel evaluated patent clearance for optimized cores. Keccak's selection helped assuage concerns that had arisen in earlier standard processes involving algorithms linked to entities like RSA Security and prompted further discussions about royalty-free cryptographic standards.

Category:Cryptographic hash functions