On Wed, Jan 23, 2013 at 10:20:23AM +0300, ianG wrote:
> If one skims this presentation by Joan Daemen, co-inventor of Keccak, it
> seems that the algorithm can also be used for the other modes --
> encryption, (h)mac, authenticated encryption as well as message digest.

In addition to HMAC, Keccak is safe to use in simple constructions like H(K||M) because of the sponge design (no message extension attack). The core of Keccak is a (somewhat slow) unkeyed permutation which probably could be converted to a block cipher somehow, allowing it to be used in a generic AE construction like EAX or SIP. However, I don't recall any of the Keccak documentation proposing how it would be used as a keyed permutation.

Keccak could also be used as a stream cipher, with for instance each H(Key||IV||Ctr) producing 4K bytes of output. Though the SHA-3 specification only supports specific output lengths, Keccak can produce arbitrary length keyed outputs and this seems easy to convert to an AE mode by composing it (carefully) with Keccak-MAC.

-Jack
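
An added illustration of the stream-cipher-plus-Keccak-MAC composition sketched in the message above; it is not code from the thread or from the Keccak team. SHAKE256 and SHA3-256 from Python's hashlib stand in for raw Keccak, and the fixed key/IV sizes, the subkey labels and the names seal/unseal are assumptions of this sketch.

```python
import hashlib
import hmac

BLOCK = 4096  # keystream bytes per H(Key||IV||Ctr) call, as in the message
KEY_LEN, IV_LEN, TAG_LEN = 32, 16, 32  # assumed fixed sizes: K||IV||Ctr parses one way


def _subkey(key: bytes, label: bytes) -> bytes:
    # Assumed key separation: the cipher and the MAC never share a key.
    return hashlib.sha3_256(key + label).digest()


def _keystream(enc_key: bytes, iv: bytes, n: int) -> bytes:
    # One extendable-output call per counter value, BLOCK bytes each.
    out = bytearray()
    ctr = 0
    while len(out) < n:
        block_in = enc_key + iv + ctr.to_bytes(8, "big")
        out += hashlib.shake_256(block_in).digest(BLOCK)
        ctr += 1
    return bytes(out[:n])


def _tag(mac_key: bytes, iv: bytes, ct: bytes) -> bytes:
    # Prefix MAC H(K||M) over IV and ciphertext (encrypt-then-MAC).
    return hashlib.sha3_256(mac_key + iv + ct).digest()


def seal(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # The IV must never repeat under one key, or the keystream repeats.
    if len(key) != KEY_LEN or len(iv) != IV_LEN:
        raise ValueError("bad key or IV length")
    ks = _keystream(_subkey(key, b"enc"), iv, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return iv + ct + _tag(_subkey(key, b"mac"), iv, ct)


def unseal(key: bytes, sealed: bytes) -> bytes:
    if len(key) != KEY_LEN or len(sealed) < IV_LEN + TAG_LEN:
        raise ValueError("bad key or truncated message")
    iv, ct, tag = sealed[:IV_LEN], sealed[IV_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    expected = _tag(_subkey(key, b"mac"), iv, ct)
    # Verify in constant time and before any keystream is generated.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), iv, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))
```

The "carefully" part is in the details: separate subkeys, fixed-length fields ahead of the variable-length ciphertext, and tag verification before decryption.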