Add std.crypto.hash.sha3.{KT128,KT256} - RFC 9861. (#25593)

KT128 and KT256 are fast, secure cryptographic hash functions based on Keccak (SHA-3).

They can be seen as the modern version of SHA-3, and evolution of SHAKE, with better performance.

After the SHA-3 competition, the Keccak team proposed these variants in 2016, and the constructions underwent 8 years of public scrutiny before being standardized in October 2025 as RFC 9861.

They uses a tree-hashing mode on top of TurboSHAKE, providing both high security and excellent performance, especially on large inputs.

They support arbitrary-length output and optional customization strings.

Hashing of very large inputs can be done using multiple threads, for high throughput.

KT128 provides 128-bit security strength, equivalent to AES-128 and SHAKE128, which is sufficient for virtually all applications.

KT256 provides 256-bit security strength, equivalent to SHA-512. For virtually all applications, KT128 is enough (equivalent to SHA-256 or BLAKE3).

For small inputs, TurboSHAKE128 and TurboSHAKE256 (which KT128 and KT256 are based on) can be used instead as they have less overhead.

Author: jedisct1

lib/std/crypto/benchmark.zig

@@ -37,6 +37,7 @@ const hashes = [_]Crypto{
 
 const parallel_hashes = [_]Crypto{
     Crypto{ .ty = crypto.hash.Blake3, .name = "blake3-parallel" },
+    Crypto{ .ty = crypto.hash.sha3.KT128, .name = "kt128-parallel" },
 };
 
 const block_size: usize = 8 * 8192;