Keccak in libgcrypt
Gilles Van Assche
gilles.vanassche at st.com
Tue Oct 13 10:59:41 CEST 2015
As an everyday user of GPG and co-designer of Keccak, I am happy to see
that you recently added Keccak/SHA-3 to libgcrypt's development branch. :-)
As I went through your code, I had some comments—please see below.
Anyway, please let me know if I can help.
Best wishes and happy coding,
My comments are the following:
1) The piece of code that you started from (i.e.,
Keccak-readable-and-compact.c) is not meant to be fast. There are faster
alternatives available in the Keccak Code Package. In particular, you
can find implementations aiming for speed on 32-bit platforms (including
ARM assembly code) and on 64-bit platforms. These implementations are
organized in a way that only the code for the Keccak-f permutation
and state input/output depends on the target platform. The rest is
implemented using platform-independent code.
2) It would be great to add support for the SHAKE's. I understand that
they are a new kind of functions (“extendable-output functions”), so
requiring a different interface compared to traditional hash functions,
but they can become really useful in the context of RSA (replacing the
MGF) and ECDSA (or EdDSA).
3) The type KECCAK_CONTEXT contains a buffer (byte
buf[MD_BLOCK_MAX_BLOCKSIZE]) that is quite large. In fact, the sponge
construction does not need such a buffer, namely, the input bytes can be
XORed into the state as they arrive. The Keccak Code Package readily
More information about the Gcrypt-devel