Try the new and let us know what you think!
(Note: Beta site content may not be complete.)

View the beta site
NIST Logo and ITL Banner Link to the NIST Homepage Link to the ITL Homepage Link to the NIST Homepage

SHA-3 derived functions

In addition to four fixed-length hash functions, FIPS 202 also defines two eXtendable Output Functions, SHAKE128 and SHAKE256. Unlike the fixed-length hash functions, these SHAKE functions support variable-length outputs, and are named for their expected security level.

FIPS 202 also supports a flexible scheme for domain separation between different functions derived from Keccak, ensuring that different named functions will produce unrelated outputs. NIST extends this flexibility further to allow users to customize their use of the functions by defining a customizable version of SHAKE, called cSHAKE.

December 23, 2016: NIST Releaased Special Publication (SP) 800-185, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash

NIST SP 800-185 specifies four types of SHA-3-derived functions: cSHAKE, KMAC, TupleHash, and ParallelHash, each defined for a 128- and 256-bit security strength. cSHAKE is a customizable variant of the SHAKE function, as defined in FIPS 202. KMAC (for KECCAK Message Authentication Code) is a pseudorandom function and keyed hash function based on KECCAK. TupleHash is a variable-length hash function designed to hash tuples of input strings without trivial collisions. ParallelHash is a variable-length hash function that can hash very long messages in parallel.

Comments received on Draft NIST SP 800-185 (September 2016)

August 2016: In DRAFT SP 800-185, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash published in August 2016, NIST defines two cSHAKE variants, cSHAKE128 and cSHAKE256, and three additional SHA-3-derived functions to provide new functionalities. They are:

      • KMAC128 and KMAC256, providing pseudorandom functions and keyed hash functions with variable-length outputs;
      • TupleHash128 and TupleHash256, providing functions that hash tuples of input strings without trivial collisions; and
      • ParallelHash128 and ParallelHash256, providing efficient hash functions to hash long messages in parallel.

The public comment period of DRAFT SP 800-185 runs from August 4, 2016 through September 30, 2016; comments should be sent to: