Should `keccak` support be removed in Botan4

Open randombit opened this issue 10 months ago • 3 comments

@Tarkath writes in #4666

What's the reasoning for removing keccak?

It is widely used in the Ethereum crypto currency.

randombit avatar Feb 27 '25 11:02 randombit

I was aware of Eth's use of Keccak but beyond that I have not seen any protocols using it. I'm not sure that Botan is, or ever will be, positioned to be popular in the Eth ecosystem, so this didn't seem too relevant to me.

The rationale for removing would largely be, at least on occasion, people using the wrong hash (Keccak when they really wanted SHA-3). It is very little code to support, since it shares the permutation code with SHA-3, and doesn't introduce additional complications to the codebase (vs say Kyber 90s, where removing it allows significant simplification of the now highly critical ML-KEM implementation.)

So we have a situation where there is at least someone using the algorithm in a real world protocol, even if they are not using our implementation. Supporting it is not onerous on us, aside from being sure everywhere to document that Keccak is not SHA-3. And it doesn't bring up any security issues. OTOH Keccak does not have any benefit at all vs SHA-3; literally the only difference between them is some changed padding bits, because NIST had to leave their mark. So the only users we'd ever see for this would come from Eth or related ecosystems. But will we? To me the answer seems likely no - new code in this space leans heavily to Go or Rust.

If there is anyone using Botan's Keccak for Eth related code then sure it's an easy one to keep. Otherwise ... eh? Could go any direction here imo: removed in Botan4, continued on as deprecated, or even un-deprecated.

randombit avatar Feb 27 '25 11:02 randombit

I'm not using Botan in production yet but I'm in the process of adding it to a project as an optional alternative to OpenSSL and some other libraries.

We need to generate Eth-compatible hashes, and we also need Siphash 2-4 for a network protocol which uses it as a lossy compression algorithm.

justusranvier avatar Aug 01 '25 20:08 justusranvier

One more vote for keeping Keccak around, I'm currently implementing compatibility support for proxycrypt which uses Keccak.

huven avatar Nov 03 '25 18:11 huven