diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 7a37dc2f61b..0c090728940 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -66,4 +66,3 @@ updates: - dependency-name: serde_cbor - dependency-name: sha2 - dependency-name: snow - - dependency-name: tiny-keccak diff --git a/Cargo.lock b/Cargo.lock index 7de819524b3..8838f42d8f7 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1177,7 +1177,7 @@ dependencies = [ "rand", "sgx-isa", "sp800-185", - "tiny-keccak", + "tiny-keccak 2.0.2", "x25519-dalek 1.1.0", "zeroize 1.1.0", ] @@ -1223,7 +1223,7 @@ dependencies = [ "sp800-185", "tempfile", "thiserror", - "tiny-keccak", + "tiny-keccak 2.0.2", "tokio-current-thread", "tokio-executor", "untrusted", @@ -1959,7 +1959,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c0b18e3b1ddbf090b195425aca6edf8efb8e9b1fd42708131adf0f882db24fc9" dependencies = [ "byteorder", - "tiny-keccak", + "tiny-keccak 1.5.0", ] [[package]] @@ -2114,6 +2114,15 @@ dependencies = [ "crunchy", ] +[[package]] +name = "tiny-keccak" +version = "2.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2c9d3793400a45f954c52e73d068316d76b6f4e36977e3fcebb13a2721e80237" +dependencies = [ + "crunchy", +] + [[package]] name = "tokio" version = "0.1.22" diff --git a/keymanager-lib/Cargo.toml b/keymanager-lib/Cargo.toml index 8f8ebedc353..07222b6e799 100644 --- a/keymanager-lib/Cargo.toml +++ b/keymanager-lib/Cargo.toml @@ -16,6 +16,6 @@ io-context = "0.2.0" rand = "0.7.3" sgx-isa = { version = "0.3.2", features = ["sgxstd"] } sp800-185 = "0.2.0" -tiny-keccak = "1.4.2" +tiny-keccak = { version = "2.0.2", features = ["sha3"] } x25519-dalek = "1.1.0" zeroize = "1.1" diff --git a/keymanager-lib/src/policy.rs b/keymanager-lib/src/policy.rs index 3b21a9490a7..0f0259e1370 100644 --- a/keymanager-lib/src/policy.rs +++ b/keymanager-lib/src/policy.rs 
@@ -7,7 +7,7 @@ use std::{
 use anyhow::Result;
 use lazy_static::lazy_static;
 use sgx_isa::Keypolicy;
-use tiny_keccak::sha3_256;
+use tiny_keccak::{Hasher, Sha3};
 use oasis_core_keymanager_api_common::*;
 use oasis_core_runtime::{
@@ -209,7 +209,11 @@ impl CachedPolicy {
 let policy = untrusted_policy.verify()?;
 let mut cached_policy = Self::default();
- cached_policy.checksum = sha3_256(&raw).to_vec();
+
+ let mut sha3 = Sha3::v256();
+ sha3.update(&raw);
+ sha3.finalize(&mut cached_policy.checksum);
+
 cached_policy.serial = policy.serial;
 cached_policy.runtime_id = policy.id;
diff --git a/runtime/Cargo.toml b/runtime/Cargo.toml
index c694e8d8941..d0d53d3a1a9 100644
--- a/runtime/Cargo.toml
+++ b/runtime/Cargo.toml
@@ -39,7 +39,7 @@ io-context = "0.2.0"
 x25519-dalek = "1.1.0"
 ed25519-dalek = "1.0.0-pre.3"
 deoxysii = { git = "https://github.com/oasisprotocol/deoxysii-rust" }
-tiny-keccak = "1.4.2"
+tiny-keccak = { version = "2.0.2", features = ["sha3"] }
 sp800-185 = "0.2.0"
 zeroize = "1.1"
 intrusive-collections = "0.8"
diff --git a/runtime/src/common/sgx/egetkey.rs b/runtime/src/common/sgx/egetkey.rs
index 580a6ab214d..c88ebd3d662 100644
--- a/runtime/src/common/sgx/egetkey.rs
+++ b/runtime/src/common/sgx/egetkey.rs
@@ -6,16 +6,7 @@ use sp800_185::KMac;
 #[cfg(target_env = "sgx")]
 use sgx_isa::{Keyname, Keyrequest};
 #[cfg(target_env = "sgx")]
-use tiny_keccak::sha3_256;
-
-// This crate is not portable due to dependencies, even when using the mock
-// key derivation:
-//
-// * sp800_185 relies on tiny_keccak, which as of 1.4.2, will produce
-// incorrect results on big endian targets, and will crash on any
-// architecture that requires aligned 64 bit loads and stores.
-#[cfg(not(target_arch = "x86_64"))]
-error!("Only x86_64 is supported");
+use tiny_keccak::{Hasher, Sha3};
 #[cfg(not(target_env = "sgx"))]
 const MOCK_MRENCLAVE_KEY: &[u8] = b"Ekiden Test MRENCLAVE KEY";
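Review bot: In the `impl CachedPolicy` hunk of keymanager-lib/src/policy.rs, `sha3.finalize(&mut cached_policy.checksum)` fills only as many bytes as the slice it is handed, and the removed `sha3_256(&raw).to_vec()` assignment implies `checksum` is a `Vec<u8>`. If `Self::default()` leaves that vector empty (the struct definition is outside the hunk, so please confirm), the argument coerces to a zero-length `&mut [u8]`, compiles without warning, and every cached policy ends up with an empty checksum, so checksum comparisons would no longer tell policies apart. Hashing into a fixed buffer avoids this: `let mut digest = [0u8; 32]; sha3.finalize(&mut digest); cached_policy.checksum = digest.to_vec();`. The same pattern in `egetkey_impl` writes into `req.keyid`, which the removed `req.keyid = sha3_256(context)` implies is a fixed 32-byte array, so that call does not look affected. The enclosing function starts and ends outside this hunk.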
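Review bot: The `#[cfg(not(target_arch = "x86_64"))]` guard removed at the top of runtime/src/common/sgx/egetkey.rs was justified by `sp800_185`'s own use of tiny_keccak, not by this crate's direct dependency, and the Cargo.lock hunk at line 1959 still resolves one package to `tiny-keccak 1.5.0`. If that package is sp800-185 (its name is outside the hunk, and both manifests still pin `sp800-185 = "0.2.0"`), the KMAC-based derivation keeps running the 1.x code that the deleted comment warned about on big-endian and strict-alignment targets. Either confirm that 1.5.0 no longer has those problems and record that in the commit message, or keep a guard, spelled with the standard macro as `compile_error!("Only x86_64 is supported");` under the same `cfg`.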
@@ -30,9 +21,12 @@ const SEAL_KDF_CUSTOM: &[u8] = b"Ekiden Expand SGX Seal Key";
 fn egetkey_impl(key_policy: Keypolicy, context: &[u8]) -> [u8; 16] {
 let mut req = Keyrequest::default();
+ let mut sha3 = Sha3::v256();
+ sha3.update(context);
+ sha3.finalize(&mut req.keyid);
+
 req.keyname = Keyname::Seal as u16;
 req.keypolicy = key_policy;
- req.keyid = sha3_256(context);
 // Fucking sgx_isa::Attributes doesn't have a -> [u64;2].
 req.attributemask[0] = 1 | 2 | 4; // SGX_FLAGS_INITTED | SGX_FLAGS_DEBUG | SGX_FLAGS_MODE64BIT
 req.attributemask[1] = 3; // SGX_XFRM_LEGACY