
> Do people realize that Keccak replaces a lot of complexity and offers powerful composable primitive already?

It’s a bit more complicated than that. If you look at the various constructions proposed by the Keccak team, most notably Farfalle and Kangaroo12 I believe, you’ll notice they adjust the number of rounds given the use case. That is, they’re not just proposing a secure permutation that lets us compose any construction for which we could devise a security reduction. I mean you could do that, but the results would likely be slower than ideal. https://eprint.iacr.org/2019/1492.pdf

Instead they are tailoring their constructions to lower the requirements on the underlying permutation, in some cases allowing reduced rounds. The price they pay for that is re-doing the entire cryptanalysis: their constructions are effectively new primitives.

The actual simplification is more for implementers: with one permutation to rule them all, our source code becomes quite a bit smaller.


