NIST announced Keccak as the winner of the SHA-3 Cryptographic Hash Algorithm Competition and the new SHA-3 hash algorithm in a press release issued on October 2, 2012. Keccak was designed by a team of cryptographers from Belgium and Italy, they are:
- Guido Bertoni (Italy) of STMicroelectronics,
- Joan Daemen (Belgium) of STMicroelectronics,
- Michaël Peeters (Belgium) of NXP Semiconductors, and
- Gilles Van Assche (Belgium) of STMicroelectronics.
From keccak web site:
Keccak makes use of the sponge construction and is hence a sponge function family.
The design philosophy of Keccak is the hermetic sponge strategy. It uses the sponge construction for having provable security against all generic attacks. It calls a permutation that should not have structural properties with the exception of a compact description. By structural properties we mean properties that a typical random permutation does not have.
Keccak can be considered as a successor of RadioGatún. However, it has a very different design philosophy. The transformation applied to the state of RadioGatún in between the insertion of input blocks or extraction of output blocks is a simple round function. This round function has algebraic degree two and thus does not attempt to be free of structural properties. Therefore, unlike Keccak, RadioGatún requires blank rounds. Moreover, RadioGatún is not a sponge function as its iteration mode does not follow the sponge construction.
The permutation Keccak-f has the following properties:
About the performance of Keccak:
- It consists of the iteration of a simple round function, similar to a block cipher without a key schedule.
- The nominal version of Keccak-f operates on a 1600-bit state. There are 6 other state widths, though: 25, 50, …, 800.
- The choice of operations is limited to bitwise XOR, AND and NOT and rotations. There is no need for table-lookups, arithmetic operations, or data-dependent rotations.
Keccak can be used for:
- In software, Keccak takes about 13 cycles per byte on the reference platform defined by NIST.
- In hardware, it is fast and compact, with area/speed trade-offs.
- It is suitable for DPA-resistant implementations both in hardware and software.
In these cases, the usage of the sponge construction allows for modes that are provably secure against generic attacks.
- keyed or randomized modes simply by prepending a key or salt to the input message;
- generating infinite outputs, making it suitable as a stream cipher or mask generating function.