keccak256

Overview

Keccak256 is the core hash function used by Ethereum, based on the Keccak algorithm (the SHA-3 competition winner). It is important to note that Ethereum's Keccak256 differs slightly from the NIST-standardized SHA3-256, primarily in the padding method.

The Keccak algorithm was designed in 2007 by Guido Bertoni, Joan Daemen, Michael Peeters, and Gilles Van Assche. It won the NIST SHA-3 competition in 2012, but NIST modified the padding parameters during standardization, making it incompatible with the original Keccak.

Core Properties

Fixed Output Length: Keccak256 accepts input of arbitrary length and outputs a fixed 256-bit (32-byte) hash value.

One-Way Property: The original input cannot be reverse-engineered from the hash value.

Collision Resistance: Finding two different inputs that produce the same output is computationally infeasible, with collision probability approximately 2^(-256).

Avalanche Effect: A tiny change in the input causes a completely different output.

Sponge Construction: Keccak uses a sponge construction, divided into absorbing and squeezing phases, which differs from the traditional Merkle-Damgård structure (SHA-1/SHA-2).

Applications in Ethereum

Address Generation:

1. Generate the public key from the private key (elliptic curve secp256k1)
2. Apply Keccak256 hash to the public key (64 bytes without prefix)
3. Take the last 20 bytes (160 bits) of the hash result as the address
4. Add the 0x prefix to get the final address

Transaction Hash: The unique identifier for each transaction is the Keccak256 hash of its RLP encoding.

Block Hash: The Keccak256 hash of the block header serves as the block identifier.

Merkle Patricia Trie: Ethereum's state tree, transaction tree, and receipt tree all use Keccak256.

Smart Contracts:

- Function selector: The first 4 bytes of the Keccak256 hash of the function signature
- Event topic: The Keccak256 hash of the event signature
- Storage slot computation: Storage locations for mapping types

Keccak256 vs SHA3-256

| Feature | Keccak256 (Ethereum) | SHA3-256 (NIST) |
|---|---|---|
| Core Algorithm | Keccak | Keccak |
| Padding Method | Original Keccak padding | NIST-modified padding |
| Result | Different | Different |
| Standardization | Ethereum standard | NIST standard |

Important Note: Due to padding differences, the same input produces different results under Keccak256 and SHA3-256; they are not interchangeable.

Usage in Solidity

// Compute hash of a string
bytes32 hash = keccak256(abi.encodePacked("Hello World"));

// Compute hash of multiple parameters
// (addr is an address, amount a uint256, note a string, declared elsewhere)
bytes32 packedHash = keccak256(abi.encodePacked(addr, amount, note));

// Function selector
bytes4 selector = bytes4(keccak256("transfer(address,uint256)"));

// Event signature
bytes32 topic = keccak256("Transfer(address,address,uint256)");

Gas Cost

On-Chain Computation: Calling Keccak256 on Ethereum consumes Gas:

- Base cost: 30 Gas
- Per 32 bytes of data: 6 Gas
- For example, 64 bytes of input: 30 + 2 x 6 = 42 Gas

Efficiency: Compared to other cryptographic operations (such as elliptic curve operations), Keccak256 is relatively cheap and fast.

Security

Cryptographic Strength: Keccak256 is considered cryptographically secure with no known practical attack methods.

Quantum Resistance: Grover's algorithm reduces search complexity from 2^256 to 2^128, but it remains secure for the foreseeable future.

Extensive Review: As the SHA-3 competition winner, Keccak has undergone extensive review by the cryptographic community.

Common Pitfalls

abi.encodePacked Collision:

// Dangerous: may produce identical hashes
keccak256(abi.encodePacked(a, b)) == keccak256(abi.encodePacked(c, d))
// When a="AA", b="BB" and c="AAB", d="B"

Solution: Use abi.encode instead of abi.encodePacked, or add fixed-length separators between parameters.

Tools and Libraries

Web3.js: web3.utils.keccak256("Hello World")

Ethers.js: ethers.utils.keccak256(ethers.utils.toUtf8Bytes("Hello World"))

Python: from eth_hash.auto import keccak

  • Ethereum Address
  • Function Selector
  • Merkle Patricia Trie
  • SHA-3
  • Sponge Construction