What is the XKCP?
The eXtended Keccak Code Package (or the Xoodoo and Keccak Code Package, in both cases abbreviated as XKCP) gathers different free and open-source implementations of the Keccak sponge function family and closely related variants, such as
- the SHAKE extendable-output functions and SHA-3 hash functions from FIPS 202,
- the cSHAKE, KMAC, ParallelHash and TupleHash functions from NIST SP 800-185,
- the Ketje v2 and Keyak v2 authenticated encryption schemes,
- the fast KangarooTwelve extendable-output function,
- the Kravatte pseudo-random function and its modes.
In addition, the XKCP contains implementations of
- the Xoodoo permutation,
- the Xoofff pseudo-random function and its modes (experimental).
What does the XKCP contain?
First, the services available in this package are divided into high-level and low-level services. In a nutshell, the low level corresponds to Keccak-f and basic state manipulation, while the high level contains the constructions and the modes for, e.g., sponge functions, hashing or authenticated encryption. For more details, please see the section "How is the code organized?" below.
Then, the XKCP also contains some utilities for testing and illustration purposes.
Finally, the project contains some standalone implementations.
When used as a library or directly from the sources, the XKCP offers the high-level services documented in the following header files:
SimpleFIPS202, the six approved FIPS 202 instances (SHAKE128, SHAKE256 and the SHA-3 hash functions) through simple functions.
KeccakHash, the six approved FIPS 202 instances, as well as any Keccak instance based on Keccak-f. This more advanced interface proposes a message queue (init-update-final) and supports bit-level inputs if needed.
SP800-185, the functions (cSHAKE, KMAC, ParallelHash and TupleHash) in the official NIST SP 800-185 standard.
KeccakSponge, all Keccak sponge functions, with or without a message queue.
KeccakDuplex, all Keccak duplex objects.
KeccakPRG, a pseudo-random number generator based on Keccak duplex objects.
Keyakv2, the authenticated encryption schemes River, Lake, Sea, Ocean and Lunar Keyak.
Ketjev2, the lightweight authenticated encryption schemes Ketje Jr, Ketje Sr, Ketje Minor and Ketje Major.
KangarooTwelve, the fast hashing mode based on Keccak-p[1600, 12] and Sakura coding.
KravatteModes, the pseudo-random function Kravatte, as well as the modes on top of it (SAE, SIV, WBC and WBC-AE).
The low-level services implement the different permutations Keccak-f[200 to 1600] and Keccak-p[200 to 1600]. Note that these two permutation families are closely related. In Keccak-p the number of rounds is a parameter while in Keccak-f it is fixed. As Keccak-f are just instances of Keccak-p, we focus on the latter here.
The low-level services provide an opaque representation of the state together with functions to add data into and extract data from the state. Together with the permutations themselves, the low-level services implement what we call the state and permutation interface (abbreviated SnP). For parallelized implementation, we similarly use the parallel state and permutation interface or PlSnP.
lib/low/, one can find implementations of the following permutations for different platforms.
In addition, one can find the implementation of parallelized permutations. There are both implementations based on SIMD instructions and "fallback" implementations relying on a parallelized with a lower degree implementation or on a serial one.
In both cases, the hierarchy first selects a permutation (or a permutation and a degree of parallelism) and then a given implementation. E.g., one finds in
lib/low/KeccakP-1600-times4/ the implementations of 4 parallel instances of Keccak-p and in
lib/low/KeccakP-1600-times4/SIMD256/ a 256-bit SIMD implementation.
The package contains:
- The possibility to create a library
- Self-tests that ensure that the implementation is working properly;
- KeccakSum that computes a hash of the file (or multiple files) given in parameter.
The XKCP also provides a number of standalone implementations, including:
- a very compact C code of the FIPS 202 (SHA-3) standard in
- a compact implementation in Python in
- the reference code of KangarooTwelve in Python in
Under which license is the XKCP distributed?
Most of the source and header files in the XKCP are released to the public domain and associated to the CC0 deed. The exceptions are the following:
lib/common/brg_endian.his copyrighted by Brian Gladman and comes with a BSD 3-clause license;
tests/UnitTests/genKAT.cis based on SHA-3 contest's code by Larry Bassham, NIST, which he licensed under a BSD 3-clause license;
tests/UnitTests/timing.his based on code by Doug Whiting, which he released to the public domain;
KeccakP-1600-AVX2.sis licensed under the CRYPTOGAMS license (BSD-like).
How can I build the XKCP?
To build, the following tools are needed:
- GNU make
The different targets are defined in
Makefile.build. This file is expanded into a regular makefile using xsltproc. To use it, simply type, e.g.,
to build KeccakTests generically optimized for 64-bit platforms. The name before the slash indicates the platform, while the part after the slash is the executable to build. As another example, the static library is built by typing
make generic64/libkeccak.a or similarly with
generic64 replaced with the appropriate platform name. An alternate C compiler can be specified via the
CC environment variable.
Instead of building an executable with GCC, one can choose to select the files needed and make a package. For this, simply append
.pack to the target name, e.g.,
This creates a
.tar.gz archive with all the necessary files to build the given target.
The list of targets can be found at the end of
Makefile.build or by running
make without parameters.
How do I build/extract just the part I need?
If you wish to make a custom target that integrates the cryptographic functions you need and nothing else, or if you just wish to get the source files to integrate them in another project, you can do this by following the steps described in
doc/HOWTO-customize.build. Some examples illustrate the process.
How is the code organized?
The code is organized as illustrated in the following figure:
At the top, the high-level cryptographic services are implemented in plain C, without any specific optimizations. At the bottom, the low-level services implement the permutations and the state input/output functions, which can be optimized for a given platform. The interface between the two layers is called SnP.
The idea is to have a single, portable, code base for the high level and the possibility to dedicate the low level to certain platforms for best performance.
The situation is similar for parallelized services, as illustrated on the following figure. The interface is adapated to the parallelism and is called PlSnP, with the implementations in
Disclaimer: the above figures aim at illustrative purposes only, as not all modes, constructions or permutations are currently implemented in the XKCP or represented on the figures.
Where can I find more information?
About the XKCP, we gave some presentations on its motivation and structure, e.g.,
- at FOSDEM in February 2017 (slides),
- at SPEED-B in October 2016 (slides) (paper),
- at the SHA-3 Workshop in Santa Barbara in August 2014 (slides).
The XKCP follows an improved version of the structure proposed in the note "A software interface for Keccak".
More information on the cryptographic aspects can be found:
- on Keccak in general at
- on the FIPS 202 standard at
- on the NIST SP 800-185 standard at
- on Ketje at
- on Keyak at
- on KangarooTwelve at
- on cryptographic sponge functions at
- on Kravatte at
How can I contribute?
We welcome contributions in various forms, e.g., general feedback, bug reports, improvements and optimized implementations on your favorite platforms. The best is to do this through GitHub. Alternatively, you can send us a mail at
How can I use the standard FIPS 202 functions?
If you need to implement the standard FIPS 202 functions, the functions in
SimpleFIPS202.h provide an easy way to get started. If a message queue and/or bit-level inputs are needed, then the macros in
KeccakHash.h can be helpful.
Differences between Keccak and the standard FIPS 202 functions
Compared to the (plain) Keccak sponge function, the FIPS 202 standard adds suffixes to ensure that the hash functions (SHA-3) and the XOFs (SHAKE) are domain separated (i.e., so that their outputs are unrelated even with equal inputs), as well as to make the SHAKE functions compatible with the Sakura tree hashing coding.
A brief summary:
- For the SHA-3 functions, append the bits "01" to the message prior to applying the pad10*1 rule.
- For the SHAKE functions, append the bits "1111" to the message prior to applying the pad10*1 rule.
genKAT.cbased on the SHA-3 contest's genKAT.c by Larry Bassham, NIST
brg_endian.hby Brian Gladman
timing.hbased on code by Doug Whiting
lib/low/KeccakP-1600/OptimizedAVX2/KeccakP-1600-AVX2.sby Andy Polyakov and Ronny Van Keer
TweetableFIPS202.cby D. J. Bernstein, Peter Schwabe and Gilles Van Assche
lib/low/KeccakP-800/Optimized64AsmARM/*by Andre C. de Moraes
And thanks to all contributors!
The Keccak, Keyak and Ketje Teams: Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche, and Ronny Van Keer.