nisse@lysator.liu.se (Niels Möller) writes:
I think it may be easiest to write some new code based on the pseudocode description at http://keccak.noekeon.org/specs_summary.html.
I just committed an initial implementation. With this code, sha3-256 is about an order of magnitude slower than either sha1 or sha2. I haven't yet thought carefully on how to optimize it; I think the current indexing can be simplified a bit, and it would make sense to unroll some of the shorter loops inside the round loop (not sure it makes sense to completely unroll everything except the outer loop).
For naming: I called it sha3_256 (since in nettle "sha256" is sha2. I guess we should have named it sha2_256 back then). Any other suggestions?
I haven't looked into other types of uses. E.g., does hmac-sha3 make sense? The Keccak paper mentions keyed modes of operation, maybe that would be preferable.
I put the interface declarations in sha3.h. I think it makes for better consistency if we split the current sha.h into sha1.h and sha2.h (and then we can keep a deprecated sha.h including both, for backwards compatibility).
Regards,
/Niels