On alignment in Keccak
We wrote a paper, in which we investigate the ability to predict the propagation of truncated differences and linear masks in cryptographic primitives. We speak of strong alignment if this propagation...
View ArticleKeccak Crunchy Crypto Collision and Pre-image Contest
After four rounds of Keccak cryptanalysis prizes, we now take an initiative that solicits attacks relevant in a hash function setting: the Keccak Crunchy Crypto Collision and Pre-image Contest. In...
View ArticleKeccak crunchy crypto contest: first solutions received!
About 6 weeks after the launch of the Keccak Crunchy Crypto Collision and Pre-image contest, we have received the first solutions.Last Friday, July 29, Paweł Morawiecki sent us 12 solutions: one for...
View ArticleNew implementation techniques, packages and documentation
We release a set of new implementation packages and documentation, which together describes and provides examples of optimization techniques for Keccak on various platforms. Among the implementation...
View ArticleNew Keccak mid-range core hardware implementation
We released the VHDL code of a new mid-range core hardware implementation of Keccak.The new implementation takes inspiration from the work of Bernhard Jungk and Jürgen Apfelbeck presented at ReConFig...
View ArticleReadable C code for Keccak
Markku-Juhani O. Saarinen posted an implementation of Keccak in C aimed at readability and clarity, as an alternative to our specifications summary. We appreciate Markku's support.
View ArticleThe Keccak crunchy crypto contest continues through end 2012
Immediately after posting the results of the contest, we announce that the Keccak Crunchy Crypto Collision and Pre-image contest re-opens and continues through end 2012.The challenges remain the same,...
View ArticleCongratulations to the winners of the Keccak crunchy crypto contest
We announced the winners of the Keccak Crunchy Crypto Collision and Pre-image contest during the Fast Software Encryption 2012 workshop.The winners are:Paweł Morawiecki for solving the preimage and...
View ArticleUpdated version of KeccakTools available
We release KeccakTools v3.3, a set of documented C++ classes that can help analyze Keccak. This new version is a major update, as it adds important classes and methods related to differential and...
View ArticleUpdated implementation overview
We release version 3.2 of our document Keccak implementation overview, together with an updated implementation package. The differences with version 3.1 include slice-based implementations, comments on...
View ArticleNIST selects Keccak for SHA-3
We are very proud to announce that NIST selected Keccak as the winner of the SHA-3 competition!It was a pleasure to participate to the competition. Being confronted with ideas from a wide diversity of...
View ArticleUpdated home page
We updated the home page of this site and added a picture of the Keccak Team.
View ArticleThe Keccak crunchy crypto contest continues through end 2013
In a previous announcement, we re-opened the Keccak Crunchy Crypto Collision and Pre-image contest until end 2012. As no new challenges were solved between March and December 2012, we decided to leave...
View ArticleSakura: a flexible coding for tree hashing
Recently, we released a paper on Sakura, a flexible, fairly general, coding for tree hash modes. The coding does not define a tree hash mode, but instead specifies a way to format the message blocks...
View ArticleA software interface for Keccak
We published a new note in which we propose an interface to Keccak at the level of the sponge and duplex constructions, and inside Keccak at the level of the Keccak-f permutation. The purpose is...
View ArticleOn 128-bit security
This article is a copy of a message we posted on the NIST hash-forum mailing list on September 30, 2013.SUMMARY: Keccak instances with a capacity of 256 bits offer a generic security strength level of...
View ArticleA concrete proposal
This article is a copy of a message we posted on the NIST hash-forum mailing list on September 30, 2013.SUMMARY: In the SHA-3 standard, we propose to set the capacity of all four SHA-2 drop-in...
View ArticleYes, this is Keccak!
SUMMARY: NIST's current proposal for SHA-3 is a subset of the Keccak family, and one can generate test vectors for that proposal using our reference code submitted to the contest.In the end, it will be...
View ArticleKeccakTools moved to GitHub
Recently, we decided to move KeccakTools to GitHub. This allows easier updates as well as an easier integration of potential contributions from others.As a reminder, KeccakTools is a set of documented...
View ArticleThe FIPS 202 draft is available
Last Friday, NIST released the draft of the FIPS 202 standard. It proposes six instances: the four SHA-2 drop-in replacements with fixed output length SHA3-224 to SHA3-512, and the two future-oriented...
View ArticlePractical complexity cube attacks
Recently, Itai Dinur, Paweł Morawiecki, Josef Pieprzyk, Marian Srebrny and Michał Straus published new attacks on keyed instances of Keccak, i.e., when it is used as a stream cipher or to compute a...
View ArticleThe Keccak crunchy crypto contest re-opens
We are happy to announce that from today the Keccak Crunchy Crypto Collision and Pre-image Contest re-opens without limit of time.There are two minor changes.We have simplified the rules for the...
View ArticleFIPS 202 is out: SHA-3 and Keccak beyond hashing
NIST officially released the FIPS 202 standard. Although it represents the target of the SHA-3 competition for a fresh hash function, the new standard provides more than just a successor to SHA-2: It...
View ArticleTweetable FIPS 202
Very compact (or tweetable) implementations of Keccak, written by D. J. Bernstein, Peter Schwabe and Gilles, are now available. In their most compact form, the 6 instances of SHA-3 and SHAKE can fit in...
View ArticleReorganized Keccak Code Package
The Keccak Code Package (or KCP) contains different free and open-source implementations of Keccak and closely related variants such as Ketje and Keyak.We reorganized it to make it easier to use and to...
View ArticleNew solutions to pre-image challenges
We congratulate Jian Guo (Nanyang Technological University, Singapore) and Meicheng Liu (Nanyang Technological University, Singapore and State Key Laboratory of Information Security, Institute of...
View ArticleHigh-speed Keccak-FPH
When implemented on ASICs or on FPGAs, Keccak is significantly more efficient than other primitives with a similar security level, and allows efficient protections against side-channel attacks. Another...
View ArticleNew solutions to collision challenges
We congratulate Jian Guo1, Meicheng Liu1,2, Ling Song1,2,3 and Kexin Qiao2,3,1,4 for being the first ones to solve a 5-round collision challenge in the Keccak Crunchy Crypto Collision and Pre-image...
View ArticleAnother 5-round collision found in our crypto challenge
We congratulate Jian Guo1, Meicheng Liu1,2, Ling Song1,2,3 and Kexin Qiao2,3,1,4 for solving another 5-round collision challenge in the Keccak Crunchy Crypto Collision and Pre-image Contest!They...
View ArticleKangarooTwelve: fast hashing based on Keccak-p
We propose a fast and secure arbitrary output-length hash function aiming at a higher speed than the FIPS 202's SHA-3 and SHAKE functions, while retaining their flexibility and basis of security....
View ArticleKetje and Keyak for CAESAR round 3
Ketje and Keyak are authenticated encryption schemes based on Keccak-p. Both were accepted in round 3 of the CAESAR competition. We slightly modified Ketje (now v2) in a way that encourages...
View ArticleFirst 4-round pre-image challenge solved
We congratulate Meicheng Liu1 and Jian Guo2 for being the first ones to solve a 4-round pre-image challenge in the Keccak Crunchy Crypto Collision and Pre-image Contest!They found a pre-image of a...
View ArticleNIST SP 800-185 officially released
NIST released the SP 800-185 standard with useful new functions based on Keccak: cSHAKE, KMAC, TupleHash and ParallelHash.Yesterday, NIST published the SP 800-185 standard [PDF]. It contains the...
View ArticleFirst 6-round collision challenge solved
We congratulate Ling Song1,2,3, Guohong Liao4,1 and Jian Guo1 for solving the 6-round collision challenge on Keccak[r=1440, c=160].The collision search took a computational effort of about 250...
View ArticleAnnouncing the Ketje cryptanalysis prize
We are happy to announce a new cryptanalysis prize! The subject of the stress-test is the authenticated encryption scheme Ketje.We are particularly interested in attacks aiming at recovering the...
View ArticleNew bounds on differential trails in Keccak-f
In a joint work with Silvia Mella (STMicroelectronics and University of Milano), we propose a framework for bounding the weight of differential trails. We apply this on Keccak-f with widths of 200,...
View ArticleIs SHA-3 slow?
In a recent post, Adam Langley complains that “SHA-3 is slow”. Similar comments appear from time to time on the web (see also David Wong's post). But what does it mean precisely? Let us dig into...
View ArticleA fresh new web site
We are happy to announce that we moved the contents from {keccak, sponge, ketje, keyak}.noekeon.org to our new domain keccak.team. Many thanks to Benoit Viguier for designing the engine behind these...
View ArticlePre-image challenge solved on 3-round 400-bit version
We congratulate Yao Sun1 and Ting Li1 for solving the 3-round pre-image challenge on Keccak[r=240, c=160].The previous pre-image challenge on the 400-bit version was solved on 2 rounds by Paweł...
View ArticleWhy Keccak is not ARX
If SHA-2 is not broken, why would one switch to SHA-3 and not just stay with SHA-2? There are several arguments why Keccak/SHA-3 is a better choice than SHA-2. In this post, we come back on a...
View ArticleKeccak: open-source cryptography
If SHA-2 is not broken, why would one switch to SHA-3 and not just stay with SHA-2? In this post, we highlight another argument why Keccak/SHA-3 is a better choice than SHA-2, namely openness, in...
View ArticleFarfalle construction and Kravatte pseudo-random function
We are glad to announce the final version of the Farfalle construction and of the Kravatte pseudo-random function and encryption schemes.First published in late 2016 on IACR ePrint, an update of our...
View ArticleResults of the Ketje cryptanalysis prize
At the rump session of FSE 2018 that took place last week in Brugge, Belgium, we announced the outcome of the Ketje cryptanalysis prize.There were three submissions:Cube-like Attack on Round-Reduced...
View ArticleKravatte-SANE and -SANSE
We released the specifications of two authenticated encryption schemes built on top of Kravatte, namely Kravatte-SANE and Kravatte-SANSE, replacing Kravatte-SAE and Kravatte-SIV, respectively.The...
View ArticleStateless deck-based modes
We often receive questions as to whether Deck-SANSE can be used in a stateless way; that is, for a single message. A common use case for this is a UDP-based VPN. In such an application, sessions are...
View ArticleUpdated bounds on differential and linear trails in Xoodoo
Making sure that our primitives are not susceptible to differential or linear cryptanalysis has been a constant target for us. In this scope, differential and linear trails specify how differences or...
View ArticleRefactoring symmetric cryptography with deck functions
Currently, the vast majority of symmetric-key cryptographic schemes are built as modes of block ciphers. What would cryptography look like if it was built around another primitive? In this note, we...
View ArticleTighter trail bounds for Xoodoo
Looking back at 2022, we further improved the bounds of differential and linear trails in Xoodoo. In the article Tighter trail bounds for Xoodoo available on the IACR Cryptology ePrint Archive, we...
View ArticleCrunchy Contest: new challenges solved!
Started in June 2011, the Crunchy Contest proposes concrete collision and pre-images challenges based on reduced-round Keccak. After about 13 years, it is still active and the recent months have seen...
View Article
More Pages to Explore .....