sha3 - Keccak

Topics: Feature Requests
Jan 30, 2015 at 7:27 AM
When NIST finalizes fips-202 (i.e., domain and other additional uses), I will issue a pull request for the code. I have implemented Keccak both as a stream cipher and a hash (both completely configurable) to TC. Besides being high speed implementations, you can set both the rate and capacity. Hashing the header with sha3 and using a cascade like serpent-Keccak-twofish provides equivalent security for strap 3 documents. Duplex mode can be used to extend its birthday.
Jan 30, 2015 at 9:07 AM
Once SHA-3 is finalized, its integration into VeraCrypt will be important and for that your proposal of help is more than welcomed.

Concerning the use of Keccak as a stream cipher, there is a promising attack that currently works on a few rounds but that has the potential to evolve into a more complete attack in the future. That's why I think it is preferable to stick to the use of Keccak as a hash in the near future.

Anyway, it is taking an unusually long time to finalize the SHA-3 standard and the controversy surrounding the change in parameters that NIST wanted to introduce (but later backtracked) doesn't help build confidence in the future standard.
Jan 30, 2015 at 3:59 PM
Hello Mounir,

Will you consider implementing the winner and one or two of the runners-up from the independent hash competition which is purposely being held separate from NIST due to the heavy influence of the NSA?

Finalists were announced on December 8, 2014 and are (in alphabetical order): Argon, battcrypt, Catena, Lyra2, Makwa, Parallel, POMELO, Pufferfish, yescrypt.

Thank you!
Jan 31, 2015 at 1:12 PM
Hi Enigma2Illusion,

Yes, I'm following PHC. Having another alternative to PBKDF2 has always been on the table and till now only scrypt was proposed but it was not practical because of its memory footprint. Once the final result of the competition is announced, I'll start experimenting to see how to efficiently integrate the new algorithm.
Jan 31, 2015 at 2:32 PM
The sha3 modules are already implemented.

Even the best attacks are nowhere near breaching the margin of safety - I would even wager that data is safer with Keccak than for AES-512 as even more items are coming to light about its key schedule - but like Keccak, those attacks are more scholarly than effective.

This is exactly why cascades are used.
Jan 31, 2015 at 9:49 PM
JoeBlowerd - I am not a cryptographer, but I haven't seen anywhere on the net even a hint that there may be security issues with SHA512 while doing key expansion.
I'd appreciate a link.

If there are no issues for the foreseeable time with SHA512, and realizing that we have whirlpool as a backup, I wonder if the main development effort should divert any energy toward the inclusion of another hash function, even if it's highly modern and capable, with the derived requirement to audit the new implementation and usage of such code.
Feb 2, 2015 at 10:48 AM
I wasn't commenting on sha-512 hash, but AES encryption. I did mistype though - I meant to say AES-256.
Feb 5, 2015 at 3:06 PM
You could add the option to combine SHA-3 with other algorithms such as Skein, BLAKE.
Aug 7, 2015 at 9:01 AM
NIST has just released the final SHA-3 standard (FIPS PUB 202):

I didn't check yet to see if there is any difference with regards to the previous draft. Now we can start working towards integrating its support in VeraCrypt.
May 31, 2016 at 3:45 PM
Any progress on this? I would also welcome SKEIN support.
Jun 8, 2016 at 4:42 PM
Anyone reading these forums?
Jun 8, 2016 at 5:22 PM
SHA-3 inclusion is still planned but no advance has been made on it.
No external contribution about SHA-3 integration was received and all resources are focused now on UEFI support for system encryption.

I will update this discussion with any update on this.

As for SKEIN, I don't see it as a necessary addition for now.
Jun 8, 2016 at 5:47 PM
Thanks for the quick update.

UEFI is definitely high on the priority list.

As for SKEIN I would say that it is not NIST tainted... but just my 2c. And unfortunately I don't have the expertise to contribute any decent coding there.