Keccak in libgcrypt

[Gilles Van Assche]

Dear all,

As an everyday user of GPG and co-designer of Keccak, I am happy to see
that you recently added Keccak/SHA-3 to libgcrypt's development branch. :-)

As I went through your code, I had some comments—please see below.

Anyway, please let me know if I can help.

Best wishes and happy coding,
Gilles


My comments are the following:

1) The piece of code that you started from (i.e.,
Keccak-readable-and-compact.c) is not meant to be fast. There are faster
alternatives available in the Keccak Code Package. In particular, you
can find implementations aiming for speed on 32-bit platforms (including
ARM assembly code) and on 64-bit platforms. These implementations are
organized in a way that only the code for the Keccak-f[1600] permutation
and state input/output depends on the target platform. The rest is
implemented using platform-independent code.

2) It would be great to add support for the SHAKE's. I understand that
they are a new kind of functions (“extendable-output functions”), so
requiring a different interface compared to traditional hash functions,
but they can become really useful in the context of RSA (replacing the
MGF) and ECDSA (or EdDSA).

3) The type KECCAK_CONTEXT contains a buffer (byte
buf[MD_BLOCK_MAX_BLOCKSIZE]) that is quite large. In fact, the sponge
construction does not need such a buffer, namely, the input bytes can be
XORed into the state as they arrive. The Keccak Code Package readily
implements this.