SHAKE256 is an Extendable Output Function (XOF) based on the Keccak sponge construction, standardized in NIST FIPS 202. Unlike traditional hash functions with fixed output lengths, SHAKE256 can generate output of any desired length while providing 256-bit security strength. It's part of the SHA-3 family and offers exceptional flexibility for cryptographic applications.

How is SHAKE different from SHA-3?

While both are based on the Keccak sponge construction, SHA-3 produces fixed-length outputs (224, 256, 384, or 512 bits), while SHAKE is an Extendable Output Function (XOF) that can produce output of any length. SHAKE128 and SHAKE256 are essentially 'variable-length' versions of SHA-3, offering the same security guarantees but with the flexibility to generate as many bits as needed.

What is SHAKE256 used for?

SHAKE256 is used in various cryptographic applications including: key derivation functions (KDFs), mask generation functions (MGFs), random bit generation, digital signatures (like Ed25519), stream ciphers, and any application requiring variable-length output. Its flexibility makes it particularly useful in protocols where different output lengths are needed from a single primitive.

What security level does SHAKE256 provide?

SHAKE256 provides 256-bit security strength against all attacks. This means it offers 256 bits of preimage resistance and 128 bits of collision resistance (due to the birthday bound). This high security level makes it suitable for the most demanding cryptographic applications, including government and military use.

Can SHAKE256 produce arbitrary length output?

Yes, SHAKE256 can produce output of any desired length up to 2^128 bits (theoretically). This is its key advantage over traditional hash functions. You can request 1 bit or 1 million bits - the algorithm can generate exactly the amount needed, making it incredibly flexible for various cryptographic protocols and applications.

SHAKE256 Generator

Generate variable-length cryptographic hashes with SHAKE - the extendable output function (XOF) from the SHA-3 family. Perfect for applications requiring custom hash lengths.

Input Text

SHAKE AlgorithmSHAKE is an Extendable Output Function (XOF)

Output LengthVariable output length: 64 bytes = 512 bits

Output Format

SHAKE128 Hash (64 bytes)

SHAKE128 hash will appear here...

About SHAKE (Secure Hash Algorithm Keccak)

SHAKE128 and SHAKE256 are Extendable Output Functions (XOFs) based on the same Keccak sponge construction as SHA-3. Unlike traditional hash functions with fixed output lengths, SHAKE can generate output of any desired length, making it incredibly flexible for various cryptographic applications. SHAKE128 provides 128-bit security strength, while SHAKE256 provides 256-bit security.

Extendable Output: Variable length up to 2^128 bits

Sponge Construction: Based on Keccak (SHA-3)

NIST Standard: FIPS 202 compliant

Note: This is a demonstration interface. For production use with actual SHAKE implementation, you would need to integrate a cryptographic library like noble-hashes, crypto-js, or implement the Keccak sponge function directly. The Web Crypto API does not currently support SHAKE natively.

Understanding SHAKE (Extendable Output Functions)

SHAKE128 and SHAKE256 are Extendable Output Functions (XOFs) standardized in NIST FIPS 202. They are based on the same Keccak sponge construction as SHA-3 but offer a crucial advantage: the ability to generate output of any desired length. This makes them incredibly versatile for modern cryptographic applications.

The Sponge Construction

Like SHA-3, SHAKE uses a sponge construction with two phases:

Absorbing Phase: The input message is absorbed into the sponge state block by block
Squeezing Phase: Output is squeezed out in blocks until the requested length is achieved

SHAKE vs Traditional Hash Functions

Feature	Traditional Hash (SHA-2/3)	SHAKE (XOF)
Output Length	Fixed (e.g., 256, 384, 512 bits)	Variable (any length up to 2^128 bits)
Flexibility	Different algorithms for different lengths	Single algorithm for any length
Use Cases	Digital signatures, integrity checks	KDFs, MGFs, stream ciphers, random oracles
Standard	FIPS 180-4 (SHA-2), FIPS 202 (SHA-3)	FIPS 202

Common Applications

Key Derivation Functions (KDFs): Generate cryptographic keys of exact required lengths from passwords or shared secrets
Mask Generation Functions (MGFs): Used in RSA-OAEP and PSS padding schemes
Random Oracles: Ideal for protocols requiring random oracle model security proofs
Stream Ciphers: Can be used as a secure stream cipher by generating keystream of arbitrary length
Digital Signatures: Ed25519 and other modern signature schemes use SHAKE for flexibility

Security Note: SHAKE128 provides 128-bit security strength, while SHAKE256 provides 256-bit security. Choose based on your security requirements: SHAKE128 for most applications, SHAKE256 for high-security or quantum-resistant needs.

Quick Features

SHAKE128 & SHAKE256
Variable Output Length
Custom Length Support
One-click Copy
Client-side Only

Why Choose SHAKE?

SHAKE represents a paradigm shift in cryptographic hashing. Instead of multiple fixed-length hash functions, you get a single primitive that can generate any output length you need. This reduces code complexity, simplifies protocol design, and provides a clean interface for applications requiring variable-length output.

Key Advantage: One algorithm for all hash lengths - from 1 bit to gigabytes of output, with the same security guarantees as SHA-3.

SHAKE256 Implementation Examples

Node.js (with noble-hashes)

import { shake256 } from '@noble/hashes/sha3';

// Generate 64 bytes (512 bits) of output
const hash = shake256(new TextEncoder().encode('message'), 64);
console.log(Buffer.from(hash).toString('hex'));

// Generate custom length
const custom = shake256(new TextEncoder().encode('message'), 32); // 256 bits

Python (with hashlib)

import hashlib

# Python 3.6+ supports SHAKE through hashlib
def shake256(message, output_length):
    return hashlib.shake_256(
        message.encode()
    ).digest(output_length)

# Generate 64 bytes of output
hash = shake256("message", 64)
print(hash.hex())

Java (with Bouncy Castle)

import org.bouncycastle.jcajce.provider.digest.SHA3;
import org.bouncycastle.util.encoders.Hex;

// SHAKEDigest supports variable output length
SHA3.SHAKEDigest shake256 = new SHA3.SHAKEDigest(256);
byte[] message = "message".getBytes("UTF-8");
shake256.update(message, 0, message.length);

byte[] output = new byte[64]; // Request 64 bytes
shake256.doFinal(output, 0);

System.out.println(Hex.toHexString(output));

Go

import (
    "golang.org/x/crypto/sha3"
    "encoding/hex"
)

func shake256Example() {
    // Create a SHAKE256 instance
    h := sha3.NewShake256()
    
    // Write the message
    h.Write([]byte("message"))
    
    // Read 64 bytes of output
    output := make([]byte, 64)
    h.Read(output)
    
    println(hex.EncodeToString(output))
}

Practical Use Cases for SHAKE

Key Derivation

Derive encryption keys of exact lengths from a master secret. Need a 256-bit AES key and a 128-bit IV? SHAKE can generate exactly 384 bits (48 bytes) in one call, simplifying key derivation protocols.

Digital Signatures

Modern signature schemes like Ed25519 use SHAKE-256 for hashing messages and generating nonces. The flexibility of SHAKE allows for clean implementations without multiple hash functions.

Random Number Generation

Use SHAKE as a deterministic random bit generator (DRBG). Seed it once and squeeze out as many random bits as needed, perfect for simulations or testing environments.

Stream Encryption

Implement a stream cipher by using SHAKE as a keystream generator. Combine a key and nonce, then squeeze out keystream of exactly the same length as your plaintext.

Frequently Asked Questions

The main difference is the security level. SHAKE128 provides 128-bit security strength, while SHAKE256 provides 256-bit security. This affects their resistance to attacks: SHAKE128 is sufficient for most applications, but SHAKE256 is recommended for high-security scenarios or when quantum resistance is desired. They also have different performance characteristics, with SHAKE128 being slightly faster.

Theoretically, SHAKE256 can produce up to 2^128 bits of output (about 4.3×10^37 bytes). Practically, you're limited by memory and computational resources. Most implementations support generating megabytes or even gigabytes of output by streaming the results. For typical applications, generating a few thousand bytes is more than sufficient.

SHAKE256 offers good resistance against quantum attacks. Grover's algorithm could theoretically reduce its security from 256 bits to 128 bits, which is still considered secure. Additionally, its sponge construction provides flexibility that may be valuable in post-quantum cryptography. Many post-quantum signature schemes actually use SHAKE as a building block.

Yes! SHAKE's sponge construction makes it naturally resistant to length extension attacks, so you can use it directly for message authentication without the HMAC construction. Simply use a keyed mode: concatenate the key and message, then use SHAKE to generate the authentication tag. This is simpler and often more efficient than HMAC.

Choose SHAKE128 for general-purpose applications where 128-bit security is sufficient (most commercial applications). Choose SHAKE256 when you need higher security margins, such as in government/military applications, or when future-proofing against quantum computers. Also consider compliance requirements: some standards explicitly require 256-bit security levels.

Related Cryptographic Tools

SHA3-256

SHA3-384

SHA3-512

SHAKE128

SHAKE256

HMAC

Note: This tool demonstrates the SHAKE interface. For production use, please integrate a proper cryptographic library like noble-hashes. All processing is done client-side for privacy.