[cryptography] Keccak and the one algorithm to rule them all

Jack Lloyd lloyd at randombit.net
Wed Jan 23 10:48:11 EST 2013


On Wed, Jan 23, 2013 at 10:20:23AM +0300, ianG wrote:
> If one skims this presentation by Joan Daemen, co-inventor of Keccak, it 
> seems that the algorithm can also be used for the other modes -- 
> encryption, (h)mac, authenticated encryption as well as message digest.

In addition to HMAC, Keccak is safe to use in simple constructions
like H(K||M) because of the sponge design (no message extension
attack).

The core of Keccak is a (somewhat slow) unkeyed permutation which
probably could be converted to a block cipher somehow, allowing it to
be used in a generic AE construction like EAX or SIP. However I don't
recall any of the Keccak documentation proposing how it would be used
as a keyed permutation.

Keccak could also be used as a stream cipher, with for instance each
H(Key||IV||Ctr) producing 4K bytes of output. Though the SHA-3
specification only supports specific output lengths, Keccak can
produce arbitrary length keyed outputs and this seems easy to convert
to an AE mode by composing it (carefully) with Keccak-MAC.

-Jack
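
An added example, not part of the message above and not code from the Keccak team: a Python sketch of the two constructions it mentions, a prefix MAC H(K||M) and a counter-mode keystream from H(Key||IV||Ctr) in 4K blocks, composed as encrypt-then-MAC. Assumptions: SHAKE256 and SHA3-256 from `hashlib` stand in for "Keccak", every field is length-prefixed, the encryption and MAC keys are independent, and all function names are hypothetical.

```python
import hashlib
import hmac

BLOCK = 4096  # keystream bytes per counter value ("4K bytes" in the message)

def _lp(field: bytes) -> bytes:
    """Length-prefix a field so concatenated inputs parse unambiguously (assumption)."""
    return len(field).to_bytes(8, "big") + field

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Return n keystream bytes; block i is SHAKE256(Key || IV || Ctr=i)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        block_input = _lp(key) + _lp(iv) + ctr.to_bytes(8, "big")
        out += hashlib.shake_256(block_input).digest(BLOCK)
        ctr += 1
    return bytes(out[:n])

def prefix_mac(key: bytes, msg: bytes) -> bytes:
    """H(K || M) with SHA3-256; the sponge design rules out length extension."""
    return hashlib.sha3_256(_lp(key) + msg).digest()

def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes):
    """Encrypt-then-MAC. The (enc_key, iv) pair must never repeat."""
    ks = keystream(enc_key, iv, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ct, prefix_mac(mac_key, _lp(iv) + ct)

def unseal(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes, tag: bytes) -> bytes:
    """Check the tag in constant time before producing any plaintext."""
    if not hmac.compare_digest(prefix_mac(mac_key, _lp(iv) + ct), tag):
        raise ValueError("authentication failed")
    ks = keystream(enc_key, iv, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

if __name__ == "__main__":
    # Constructed sample keys, IV and message, for illustration only.
    ek, mk, iv = b"E" * 32, b"M" * 32, b"\x00" * 16
    msg = b"sample record " * 700  # 9800 bytes, spans three keystream blocks
    ct, tag = seal(ek, mk, iv, msg)
    print(len(ct), tag.hex())
    print(unseal(ek, mk, iv, ct, tag) == msg)
```

The tag covers the IV as well as the ciphertext, so a receiver rejects a message replayed under a different IV instead of decrypting it to garbage.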


