ucb-bar / sha3


Support finalized SHA-3 standard #14

Closed a0u closed 5 years ago

a0u commented 5 years ago

FIPS 202 differs from Keccak in the initial padding value (see section B.2).

To reduce confusion, this becomes the default behavior, although Keccak is still supported in RTL and spike as a configuration option.

The one test vector has been verified against openssl dgst -sha3-256.

a0u commented 5 years ago

To quote [1]:

The padding change is the only difference, this allows future tree hashing modes as well as the current SHAKE outputs to generate different digests given the same security parameters and message inputs. Up to 4 additional bits are added, which keeps the full padding inside a byte boundary, making implementations with octet only input able to switch to SHA-3 from Keccak with change to only a single line of code.

[1] https://crypto.stackexchange.com/a/15728
[2] https://keccak.team/2013/yes_this_is_keccak.html ("First, about suffixes" section)