Overview
Keccak-256 is the cryptographic hash function at the core of Ethereum. Despite being named “SHA3” in the EVM, it is actually the original Keccak-256 specification (not the NIST-standardized SHA3-256, which differs slightly). 1 opcode:- 0x20 - SHA3/KECCAK256 - Compute Keccak-256 hash of memory region
Why “SHA3” but Actually Keccak-256?
Ethereum adopted the original Keccak-256 algorithm before NIST finalized and modified the Secure Hash Algorithm 3 (SHA3) standard. NIST’s final SHA3-256 includes different padding and constants than Keccak-256. Key difference:- Ethereum/Keccak256: Domain separation suffix = 0x01
- NIST SHA3-256: Domain separation suffix = 0x06
keccak256("data") in Solidity produces a different hash than SHA3_256("data") from crypto libraries expecting the NIST standard. Ethereum locked in Keccak-256 permanently at genesis to avoid breaking existing contracts.
Specifications
| Opcode | Name | Gas | Stack In → Out | Description |
|---|---|---|---|---|
| 0x20 | SHA3 | 30 + 6/word + memory | offset, size → hash | Keccak-256(memory[offset:offset+size]) |
Usage in Smart Contracts
Keccak-256 is the primary hash function for:-
Function Selectors - First 4 bytes of
keccak256("functionName(argTypes)") -
Event Signatures -
indexedtopic hashes -
Storage Keys - Deterministic key generation
- State Root Computation - Merkle tree hashing for account state
- Transaction Hashing - Hash of transaction data for signatures
- Commit-Reveal Schemes - Hiding data with keccak256(data + secret)
Gas Model
Base cost: 30 gas Per-word cost: 6 gas per 32-byte word (rounded up) Memory expansion: Charged for accessing memory region Formula:30 + 6 * ceil(size / 32) + memory_expansion_cost
Examples:
- Empty data: 30 gas (base only)
- 1 byte: 30 + 6*1 = 36 gas (rounded to 1 word)
- 32 bytes: 30 + 6*1 = 36 gas (exactly 1 word)
- 33 bytes: 30 + 6*2 = 42 gas (rounded to 2 words)
- 256 bytes: 30 + 6*8 = 78 gas (8 words)
Implementation
TypeScript
Zig
Special Cases
Empty Input
Hashing 0 bytes returns the constant Keccak-256 of empty data:Zero Bytes in Memory
Uninitialized memory reads as zeros:Security
Preimage Resistance
Keccak-256 is a cryptographically secure one-way function:- Given hash
h, finding data such thatkeccak256(data) = hrequires ~2^256 operations - Used for security-critical operations (transaction hashing, signature verification)
Collision Resistance
Finding two different inputs with the same Keccak-256 hash requires ~2^128 operations (birthday bound). Ethereum relies on this for state roots and merkle trees.Length Extension
Keccak-256 is NOT vulnerable to length extension attacks (unlike SHA-1/SHA-256). Safe to use for:- Message authentication without additional nonce
- Deterministic key derivation
Hash-Based Randomness
⚠️ WARNING: Do NOT usekeccak256(block.timestamp, block.number) for randomness—this is predictable:
References
- EVM Codes - KECCAK256 - Interactive reference
- Yellow Paper - Section 9.1 (Cryptographic Functions)
- Keccak Specification - Official Keccak docs
- NIST SHA3 Standard - Shows difference from Ethereum’s Keccak
- Solidity Docs - keccak256 - Solidity wrapper
Related Documentation
- SHA256 Precompile - Alternative hash function (rarely used in Ethereum)
- Keccak256 Cryptography Module - Full Keccak-256 implementation details
- ABI Encoding - Uses Keccak-256 for function selectors
- Transaction Hashing - Keccak-256 of transaction data