What is the KCP?
The Keccak Code Package (abbreviated as KCP) gathers different free and open-source implementations of the Keccak sponge function family and closely related variants, such as
- the SHAKE extendable-output functions and SHA-3 hash functions from FIPS 202,
- the Ketje v2 and Keyak v2 authenticated encryption schemes,
- the fast KangarooTwelve extendable-output function.
What does the KCP contain?
First, the services available in this package are divided into high-level and low-level services. In a nutshell, the low level corresponds to Keccak-f and basic state manipulation, while the high level contains the constructions and the modes for, e.g., sponge functions, hashing or authenticated encryption. For more details, please see the section "How is the code organized?" below.
Then, the KCP also contains some utilities for testing and illustration purposes.
Finally, the project contains some standalone implementations.
When used as a library or directly from the sources, the KCP offers the high-level services documented in the following header files:
SimpleFIPS202.h, the six approved FIPS 202 instances (SHAKE128, SHAKE256 and the SHA-3 hash functions) through simple functions.
KeccakHash.h, the six approved FIPS 202 instances, as well as any Keccak instance based on Keccak-f. This more advanced interface proposes a message queue (init-update-final) and supports bit-level inputs if needed.
SP800-185.h, the cSHAKE functions according to the official SP 800-185 standard.
KeccakSponge.h, all Keccak sponge functions, with or without a message queue.
KeccakDuplex.h, all Keccak duplex objects.
KeccakPRG.h, a pseudo-random number generator based on Keccak duplex objects.
KeccakFPH.h, NIST's fast parallel hash (FPH) proposal. Warning: this is based on a draft specification, which is subject to changes.
Keyakv2.h, the authenticated encryption schemes River, Lake, Sea, Ocean and Lunar Keyak.
Ketjev2.h, the lightweight authenticated encryption schemes Ketje Jr, Ketje Sr, Ketje Minor and Ketje Major.
KangarooTwelve.h, the fast hashing mode based on Keccak-p[1600, 12] and Sakura coding.
The low-level services implement the different permutations Keccak-f[200 to 1600] and Keccak-p[200 to 1600]. Note that these two permutation families are closely related. In Keccak-p the number of rounds is a parameter while in Keccak-f it is fixed. As Keccak-f are just instances of Keccak-p, we focus on the latter here.
The low-level services provide an opaque representation of the state together with functions to add data into and extract data from the state. Together with the permutations themselves, the low-level services implement what we call the state and permutation interface (abbreviated SnP). For parallelized implementation, we similarly use the parallel state and permutation interface or PlSnP.
SnP/, one can find implementations of the following permutations for different platforms.
PlSnP/, one can find the implementation of parallelized permutations. There are both implementations based on SIMD instructions and "fallback" implementations relying on a parallelized with a lower degree implementation or on a serial one.
In both cases, the hierarchy first selects a permutation (or a permutation and a degree of parallelism) and then a given implementation. E.g., one finds in
PlSnP/KeccakP-1600-times4/ the implementations of 4 parallel instances of Keccak-p and in
PlSnP/KeccakP-1600-times4/SIMD256/ a 256-bit SIMD implementation.
The package contains:
- The possibility to create a library
- Self-tests that ensure that the implementation is working properly;
- KeccakSum that computes a hash of the file (or multiple files) given in parameter.
The KCP also provides a number of standalone implementations, including:
- a very compact C code of the FIPS 202 (SHA-3) standard in
- a compact implementation in Python in
Under which license is the KCP distributed?
Most of the source and header files in the KCP are released to the public domain and associated to the CC0 deed. The exceptions are the following:
Common/brg_endian.his copyrighted by Brian Gladman and comes with a BSD 3-clause license;
Tests/genKAT.cis based on SHA-3 contest's code by Larry Bassham, NIST, which he licensed under a BSD 3-clause license;
Tests/timing.his based on code by Doug Whiting, which he released to the public domain.
How can I build the KCP?
To build, the following tools are needed:
- GNU make
The different targets are defined in
Makefile.build. This file is expanded into a regular makefile using xsltproc. To use it, simply type, e.g.,
to build KeccakTests generically optimized for 64-bit platforms. The name before the slash indicates the platform, while the part after the slash is the executable to build. As another example, the static library is built by typing
make generic64/libkeccak.a or similarly with
generic64 replaced with the appropriate platform name. An alternate C compiler can be specified via the
CC environment variable.
Instead of building an executable with GCC, one can choose to select the files needed and make a package. For this, simply append
.pack to the target name, e.g.,
This creates a
.tar.gz archive with all the necessary files to build the given target.
The list of targets can be found at the end of
Makefile.build or by running
make without parameters.
How is the code organized?
The code is organized as illustrated in the following figure:
At the top, the high-level cryptographic services are implemented in plain C, without any specific optimizations. At the bottom, the low-level services implement the permutations and the state input/output functions, which can be optimized for a given platform. The interface between the two layers is called SnP.
The idea is to have a single, portable, code base for the high level and the possibility to dedicate the low level to certain platforms for best performance.
The situation is similar for parallelized services, as illustrated on the following figure. The interface is adapated to the parallelism and is called PlSnP, with the implementations in
Disclaimer: the above figures aim at illustrative purposes only, as not all modes, constructions or permutations are currently implemented in the KCP or represented on the figures.
Where can I find more information?
About the KCP, we gave a presentation on its motivation and structure
The KCP follows an improved version of the structure proposed in the note "A software interface for Keccak".
More information on the cryptographic aspects can be found:
- on Keccak in general at
- on the FIPS 202 standard at
- on Ketje at
- on Keyak at
- and on cryptographic sponge functions at
How can I contribute?
We welcome contributions in various forms, e.g., general feedback, bug reports, improvements and optimized implementations on your favorite platforms. The best is to do this through GitHub. Alternatively, you can send us a mail at
How can I use the standard FIPS 202 functions?
If you need to implement the standard FIPS 202 functions, the functions in
SimpleFIPS202.h provide an easy way to get started. If a message queue and/or bit-level inputs are needed, then the macros in
KeccakHash.h can be helpful.
Differences between Keccak and the standard FIPS 202 functions
Compared to the (plain) Keccak sponge function, the FIPS 202 standard adds suffixes to ensure that the hash functions (SHA-3) and the XOFs (SHAKE) are domain separated (i.e., so that their outputs are unrelated even with equal inputs), as well as to make the SHAKE functions compatible with the Sakura tree hashing coding.
A brief summary:
- For the SHA-3 functions, append the bits "01" to the message prior to applying the pad10*1 rule.
- For the SHAKE functions, append the bits "1111" to the message prior to applying the pad10*1 rule.
genKAT.cbased on the SHA-3 contest's genKAT.c by Larry Bassham, NIST
brg_endian.hby Brian Gladman
timing.hbased on code by Doug Whiting
SnP/KeccakP-1600/OptimizedAVX2/*by Vladimir Sedach
TweetableFIPS202.cby D. J. Bernstein, Peter Schwabe and Gilles Van Assche
SnP/KeccakP-800/Optimized64AsmARM/*by Andre C. de Moraes
And thanks to all contributors!
The Keccak, Keyak and Ketje Teams: Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche, and Ronny Van Keer.