3

I am preparing a presentation about Keccak (http://keccak.noekeon.org/).

In that presentation, I would like to encrypt a plain-text – which brings up the following questions:

  1. What is the exact role of the padding function (how do we obtain a cube of 1600 bits from 64 bit)?
  2. After encrypting the text, how can we decrypt it again?
e-sushi
  • 13,786
  • 10
  • 38
  • 57
user2404953
  • 41
  • 1
  • 1
  • 2
  • 1
    Wait, do I have this right? You are preparing a presentation for Keccak in which you are presenting it as an **encryption** function? – Nik Bougalis May 21 '13 at 16:42
  • 1
    @NikBougalis I'm sure the OP is talking about the duplex mode of Keccak which can be used for authenticated encryption. :P – CodesInChaos May 22 '13 at 21:53

2 Answers2

10

You cannot "decrypt" the output of Keccak, since it isn't an encryption algorithm, but a one way hash function. Instead, you use it for verifying that a hash value is indeed the hash output of a particular text (which you must know already), simply by calculating the hash of the text, and comparing the output to the first hash value.

Henrick Hellström
  • 2,556
  • 16
  • 18
  • While I doubt OP was hinting to that implementation… there is a “decrypt” when using Keccak in its authenticated-encryption mode (by using the duplex construction, not the sponge one). ;) – e-sushi Jul 14 '14 at 00:56
  • 1
    Yes, although this mode is only hinted in the Keccak reference, not fully specified, so the question is still not possible to answer in an unequivocal way. – Henrick Hellström Jul 14 '14 at 07:16
  • 2
    That’s true… (“unequivocal” = good word!) I guess the urge to post a comment was influenced by the fact that I’ve been meeting too many people lately who’re running with scissors ([a scissors example](https://pypi.python.org/pypi/spongeshaker)) just to get their hands on SpongeWrap as AEAD cipher, and/or a Keccak-based stream cipher. And papers like [this one](http://eprint.iacr.org/2013/791.pdf) frequently motivate small crowds to yell “Keccak” and ask about “decryption” while the paper merely mentions Spongent as one of many. We better brace for a future with *Confused-About-Keccak* Q&As. ;) – e-sushi Jul 14 '14 at 14:52
4

The padding is needed for sponge function since Keccak uses the sponge construction. Depending on the width of permutation r, here I'm guessing you use 1600 bits, the padding function appends 10*1 to the input text to form a padded string of length in multiple of r. This is why you get 1600 bit from 64-bit text.

When you apply Keccak algorithm on a text message, you get a "message digest". Keccak is the winner of SHA3, where SHA stands for Secure Hash Algorithm. You can tell by its name that Keccak is a cryptographic hash function which has three properties:

  • Pre-image resistance
  • Second pre-image resistance
  • Collision resistance

These basically mean that Keccek is a one-way function and it is extremely hard to find two message having the same message digest, and vice versa. And the first point simply tells you that you can't recover the message from the message digest.

Chiara Hsieh
  • 3,273
  • 23
  • 32