Keccak vs SHA-3

by CyberTest

---

Posted on October 2, 2020

---

---

If you work in information/cyber security space then you most likely have used SHA-1, SHA-2(SHA-224, SHA-256, SHA-384, SHA-512) or other hashing algorithms. Both SHA-1 and SHA-2 were selected by NIST(National Institute of Standards and Technology) as the algorithm of choice to be used by both public and private sectors. However SHA1 (160 bits hash) algorithm was officially found to have collisions in 2017. The new hash standard and recommendation was to use SHA2 (using 224-512 bits hash) in cryptographic usage.

The SHA-2 algorithm was first published in 2001 and until this day remains the facto choice of hash for digital signatures and other cryptographic uses. In 2006 NIST started to create a new hash standard called SHA-3. SHA-3 is not meant to replace SHA-2, as no significant attack on SHA-2 has been found. However because of the successful attacks on MD5, SHA-0 and SHA-1 NIST perceived a need for an alternative, dissimilar cryptographic hash, which became known as SHA-3. One of the advantages of SHA-3 is that it's built to be immune to length extension attacks. You can get similar immunity with SHA-2 if you use with HMAC or you have to make sure the secret/password is at the end of the message you are hashing. However the main thing is that SHA-3 was built to be different than SHA-2 and that is good alternative to have just in case weakness is found in SHA-2 algorithm.

NIST started the SHA-3 project in 2006 and on October 2, 2012, Keccak was selected as the winner of the competition to be come the SHA-3 (256-512 bits hash). On August 2015 NIST announced that SHA-3 had become a hashing standard additional to SHA-2. However the hash from Keccak differs from SHA-3 hash and this became controversial among security communities and forums. Some argued that NIST made the algorithm weaker than the original Keccak and other said NIST put backdoor. The irony of all these arguments was that no one looked at the details of the code to see what actually changed. The Keccak team who created the algorithm confirmed that the actual algorithm was not changed in SHA-3. NIST only changed the padding thus it's the reason that changes the hash from Keccak. The security of the algorithm is not changed from the original Keccak. So we can all be sure NIST did not make the algorithm weaker and SHA-3 is as strong as Keccak. There are still questions why NIST changed the padding but seems like what we know NIST wanted the hash output to be different for SHA-3. Whatever the reason is we want to show what is the change so you can see it yourself.

If you have used the C/C++ Keccak code from https://keccak.team/index.html then to change the code to output SHA-3 hash modify the file KeccakSponge.cpp in the function PadAndSwitchToSqueezingPhase change the padding to 6 from 1. Notice the 6 in bold.

Example: state->dataQueue[state->bitsInQueue/8 ] |= 6 << (state->bitsInQueue % 8);

If you used Crypto-JS then in sha3.js change the padding to also 6 from 1.

Example: dataWords[nBitsLeft >>> 5] |= 0x6 << (24 - nBitsLeft % 32);

Make sure you test the code with other SHA-3 tools and check if hash matches. From the changes we showed now you can see that rest of the Keccak algorithm is not modified.