top | item 46049729

(no title)

scatbot | 3 months ago

Honestly, I'm skeptical of the whole Keccak-derived ecosystem. The reduced-rounds variants like K12 and TurboShake are trading a conservative security margin for speed, which kinda feels odd when compared to BLAKE3. Meanwhile, BLAKE3 covers everything for real-world use. It's super fast on any input, fully parallelizable and has a built-in key mode. The only real advantage Keccak-based functions seem to have is standardization and potential hardware acceleration.

If you care about speed, security and simplicity, and you don't care about NIST compliance, BLAKE3 is hard to beat.

discuss

15155|3 months ago

Keccak is substantially more simple/elegant from a hardware design standpoint because it has no addition operations - there's no comparison. fMax is way, way easier to obtain, and it's way easier to implement and understand.

On legacy hardware, BLAKE performs well because ALUs perform well.

robobully|3 months ago

> trading a conservative security margin for speed

That's what precisely happened to BLAKE with BLAKE2/3, isn't it?

scatbot|3 months ago

Not really. BLAKE3 isn’t a reduced-round tweak of BLAKE2 like K12 is for Keccak. It's a different construction that still meets its full security target. K12 and TurboSHAKE on the other hand are literally the same permutation with fewer rounds, which actually reduces Keccak's security margin. The situations are not really comparable.