SNIP-32: Expose Keccak-f[1600] Permutation Syscall

Hello StarkNet community,

I am proposing a new SNIP to add a keccak_f1600_process_block syscall to the Starknet OS.

The Goal: The proposal is to expose the raw keccak-f[1600] permutation, which is already implemented and used by the Cairo VM, as a direct syscall. This would be analogous to the existing sha256_process_block syscall.

Why is this important?

• Enables Efficient PQC: Unlocks the ability to implement post-quantum signature schemes like Falcon cost-effectively.
• Supports Modern Crypto: Allows for gas-efficient implementations of SHAKE, cSHAKE, and other Keccak-family functions.
• Improves Developer Experience: Provides a low-level, reusable primitive for building custom cryptographic protocols without relying on expensive pure Cairo implementations.

This is a small change to the OS that opens up a huge design space for developers. I believe it’s a critical addition for the long-term cryptographic flexibility of Starknet.

The full draft of the SNIP is pasted below for review. I look forward to your feedback, questions, and discussion.

Simple Summary

A new syscall, keccak_f1600_process_block, should be added to expose the raw keccak-f[1600] permutation on a given 1600-bit state.

Abstract

This proposal details the addition of a low-level syscall that provides direct access to the keccak-f[1600] state permutation, an operation already implemented within the Starknet OS for the keccak builtin. Exposing this function directly enables efficient and gas-cheap implementations of various Keccak-family hash functions (e.g., SHAKE, cSHAKE) and is a critical enabler for advanced cryptographic primitives, such as certain Post-Quantum signature schemes. The proposed syscall mirrors the functionality of sha256_process_block, ensuring a consistent and developer-friendly interface for core cryptographic operations.

Motivation

The Starknet OS contains a highly optimized implementation of the keccak-f[1600] permutation. However, developers cannot access this function directly, forcing any project requiring other Keccak-family functions—most notably the SHAKE extendable-output functions (XOFs)—to implement the entire permutation in pure Cairo. A pure Cairo implementation is significantly more expensive in terms of gas and computation, acting as a major barrier to the adoption of important cryptographic schemes. The key motivations are:

1. Enable Efficient PQC: Several NIST-selected Post-Quantum Cryptography (PQC) signature schemes, such as Falcon, rely heavily on SHAKE. The high cost of a pure Cairo SHAKE implementation makes these PQC schemes prohibitively expensive. This syscall is a foundational step to bringing practical PQC to Starknet.
2. Support Modern Cryptography: SHAKE128 and SHAKE256 are critical components in modern cryptographic standards. A native, gas-efficient implementation would make a wide range of protocols economically viable on Starknet.
3. API Consistency: The Starknet syscall interface already provides sha256_process_block. Adding a corresponding keccak_f1600_process_block creates a more complete and consistent cryptographic toolkit.

Rationale

The keccak builtin is a memory-mapped interface designed for the specific task of Keccak-256 hashing. It is unsuitable for constructing other hash functions that require direct manipulation of the state between permutations, such as the squeeze phase of SHAKE.

An alternative considered was to add distinct syscalls for each desired Keccak-family function. This approach was rejected because it is not modular and leads to significant API bloat. Every new cryptographic primitive requiring a Keccak variant would necessitate a new set of dedicated syscalls.

The proposed solution—a new, discrete syscall—is the most direct and minimal approach. It provides a single, well-defined function that developers can use as a “black box” permutation. This mirrors the design of the sha256_process_block syscall, establishing a clear pattern for low-level cryptographic primitives. It provides maximum flexibility to developers with minimal changes to the Starknet OS.

Specification

A new syscall, keccak_f1600_process_block, will be added to the Starknet OS. To provide a developer-friendly interface that aligns with Cairo’s memory model, the syscall will operate on a mutable struct reference rather than an array, which is cumbersome to modify.

State Representation: The 1600-bit Keccak state will be represented by a KeccakState struct, allowing for direct and efficient member access.

#[derive(Drop, Serde)]
pub struct KeccakState {
    s0: u64, s1: u64, s2: u64, s3: u64, s4: u64,
    s5: u64, s6: u64, s7: u64, s8: u64, s9: u64,
    s10: u64, s11: u64, s12: u64, s13: u64, s14: u64,
    s15: u64, s16: u64, s17: u64, s18: u64, s19: u64,
    s20: u64, s21: u64, s22: u64, s23: u64, s24: u64
}

Interface:
The syscall takes a mutable reference to a KeccakState struct and permutes its members in place.

// Cairo corelib representation
pub extern fn keccak_f1600_process_block_syscall(ref state: KeccakState) -> SyscallResult<()>;

Inputs:

• state: A mutable reference to a KeccakState struct.

Behavior:

1. The syscall reads the 25 u64 members from the referenced KeccakState struct.
2. It applies the keccak-f[1600] permutation to this state.
3. It writes the 25 u64 values of the permuted state back into the members of the original state struct.
4. The syscall does not need to perform a length check, as the KeccakState struct has a fixed, compile-time-validated size.

Backwards Compatibility

This proposal is fully backwards compatible. It introduces a new syscall and does not alter any existing functionality or state. Existing contracts will be unaffected.

Test Cases

Test cases are mandatory for this SNIP as it affects consensus.

The core keccak-f[1600] permutation logic is already implemented and utilized by the existing keccak builtin. As such, it is presumed to be thoroughly tested against established cryptographic standards.

The testing effort for this SNIP should therefore focus on the integration and correctness of the new syscall interface, not on re-validating the underlying permutation. The required tests must verify the end-to-end data path:

1. Data Marshalling: Verify that the syscall correctly reads the state from the KeccakState struct passed from a Cairo contract.
2. Test vectors from the official Keccak specification and the FIPS 202 standard.
3. Return State: Verify that the syscall correctly writes the permuted state back into the original KeccakState struct.

Implementation

The Starknet OS already contains an optimized implementation of the keccak-f[1600] permutation. This proposal requires exposing that existing logic through a new syscall. The implementation should be analogous to the existing sha256_process_block syscall.

Security Considerations

The security of the keccak-f[1600] permutation is well-established and standardized by NIST. This proposal does not modify the underlying cryptographic algorithm. The primary security consideration shifts to the application layer. Developers using this low-level primitive are responsible for correctly implementing the padding, domain separation, and state management required by the specific protocol they are building. Documentation must clearly state that this syscall is a raw primitive and must be used with care to avoid creating insecure implementations.

Hey @wh173-c47 thanks for bringing this interesting direction up!!

If the main motivation is to allow PQ signature schemes such as falcon to be widely used, this direction alone is not enough as NTT implementation could also take many 100Ks of Cairo steps. Do you have any directions to explore around that?

Hi thanks for your interest, indeed, saw it as a first step toward it. As you pointed out, both butterfly operations and hash to point constant time are also costly (as of now I can’t verify under 2M n steps and am already reaching max contract size, but was trying to push step forward to reduce it further).

I wasn’t sure about the idea of submitting a SNIP for a complete Falcon512 integration at once as it might lead to much more changes and impl on starknet side than what I submitted (which is simply sticking to existing sha256 syscall impl), should I have? Next steps would have been the NTT operations.

But actually it’s a good idea to go there straight too, appart from the potential changes / tests etc… (I’m not yet familiar enough with the constraints of Cairo VM / proving) but falcon verification is pretty much a “light flow” with SIMDs, while it’s anyway costly on EVM (3M gas for a low level Huff impl) or SNVM (more than the max 1M steps for account validate, gas price wasn’t that bad a while ago when tested on mainnet).
Thing is I’m not sure about what could be doable or not at the core level, but the original C impl being pretty efficient and my rust version being even faster (due to the removal of Falcon1024 logic among with few constraints like single shake inject call etc…). This could work considering ECDSA verification resources cost under same hardware.

I will rely on your feedback on that latest one.

Sorry for the late (and partial) response, didn’t want to leave this one hanging. As a mindset I think its better if we aim to get to the point where Falcon512 is highly/efficiently usable on Starknet (and then we need to think how much work it entails, and see if use cases this diffrentiator may attract are justifying the work)

I hope to come out with the “how much work it will entail part” early next week (which is why I apologized for being partial)

Do you have ideas for strong use-cases you think/hope having Falcon will attract?

No problem, thanks for your time!

I agree on that point, my underlying aim here is to make it the most efficient as possible, incurring the least gas and least overhead on the network too.

I will look forward to it and am willing to help as much as I can.

Around the potential use-cases, as of now and tied to Falcon use-case itself is post-quantum safety, this because day by day it becomes a more and more concrete threat, so far barely 5 bits keys had been broken, but still proving Shor algorithm efficiency, something to keep an eye on, the fastest the best (before any real exploits).

Besides the fact that being one of the first top public chain implementing it in its core, starknet itself is also post quantum safe itself (zkSTARKS), but not it’s user wallets. This would make Starknet such a safe heaven for storing assets, ahead of tomorrow’s threats already, potentially bringing TVL, activity, maybe institutions…

Why Falcon? Well, I could efficiently (maybe) do fishing with explosives, but that might be a bit overkill… zkSTARKS are, in my opinion the best used as they already are securing Starknet state/transitions etc… Leveraging them to handle PQS on a user tx basis would require much computations for both generating and verifying those proofs.
That role seems more suitable for Falcon to me which, while being computationally intensive, remains acceptable, usable (both on/offchain) allowing users to replace ECDSA for their smart accounts.

I don’t wanna be that alarmist the-end-is-near-guy or so (really), even if being just in time is already being late to me, especially in the security field, but I really think that it would be an incredible combo for both Starknet and its users.