Keyed cryptographic (MAC)
KMAC
Keccak Message Authentication Code, defined in NIST SP 800-185 (2016). Built directly on the SHA-3 sponge, KMAC absorbs the key as the first input block followed by the message and a length encoding. The result is a cleaner, single-pass construction than HMAC , no ipad/opad gymnastics needed because the sponge is not vulnerable to length-extension.
The two variants
| Variant | Underlying | Security |
|---|---|---|
| KMAC128 | cSHAKE128 | 128-bit |
| KMAC256 | cSHAKE256 | 256-bit |
Both produce variable-length output (you pick at call time), and both support optional customization strings for domain separation.
At a glance
| Construction | cSHAKE sponge with key prefix and length encoding |
|---|---|
| Output | Variable (XOF mode) |
| Standard | NIST SP 800-185 |
| Length extension | No (sponge) |
| Status | Modern; NIST-standardized |
vs HMAC-SHA-3-256
HMAC over SHA-3-256 is double-the-sponge-work. KMAC256 achieves the same security with a single sponge pass, so it’s roughly twice as fast. New designs that already use SHA-3 should pick KMAC over HMAC-SHA-3 for that reason.
Where it is used
- NIST post-quantum tooling , auxiliary MAC alongside SHAKE-based primitives.
- NIST SP 800-185 ecosystem , cSHAKE, TupleHash, ParallelHash siblings.
- Some recent protocols selecting SHA-3 family primitives end-to-end.
References
Quick quiz
Test yourself on kmac
10 multiple-choice questions. Pick an answer for each, then submit to see explanations.
Q1.Which standard defines KMAC?
Q2.KMAC is built on:
Q3.KMAC variants:
Q4.KMAC output length:
Q5.vs HMAC-SHA-3-256:
Q6.Customization strings in KMAC are used for:
Q7.Is KMAC vulnerable to length-extension?
Q8.KMAC is sister to which derived functions?
Q9.Which library exposes KMAC most prominently?
Q10.Year KMAC was standardized: