Cryptographic
SHA3-256
A 256-bit hash function based on the Keccak sponge construction, designed by Bertoni, Daemen, Peeters, and Van Assche; selected as the SHA-3 standard by NIST in 2015 (FIPS 202). A drop-in alternative to SHA-256 with a fundamentally different internal design , chosen precisely so a future attack on SHA-2 would not also break SHA-3.
At a glance
| Output | 256 bits (32 bytes, 64 hex chars) |
|---|---|
| State | 1600 bits (5×5×64) |
| Rate / capacity | 1088 / 512 bits |
| Construction | Sponge over the Keccak-f[1600] permutation |
| Rounds | 24 |
| Standard | NIST FIPS 202 (2015) |
| Collision security | 2128 generic |
| Preimage security | 2256 generic |
| Length extension | No |
| Status | Modern, recommended |
Sponge construction, in two paragraphs
SHA3-256 maintains a 1600-bit state, partitioned into a 1088-bit “rate” and a 512-bit “capacity”. To absorb a message, XOR rate-sized blocks into the state and apply the Keccak-f[1600] permutation between blocks. To squeeze output, take rate-sized chunks of the state (possibly applying the permutation again between chunks). For SHA3-256 only one squeeze block is needed because the digest is 256 bits.
The capacity is never directly exposed to the attacker: input mixes with the rate, and only after the permutation can the capacity affect the output. That construction (with capacity at least 2× the security level) gives SHA-3 its main differentiators over SHA-2: a clean security proof in the random-permutation model, and immunity to length-extension.
Where it is used
- NIST hash-based signatures , SLH-DSA / SPHINCS+ uses SHA-3 / SHAKE variants.
- Post-quantum protocols , CRYSTALS-Kyber and CRYSTALS-Dilithium use SHAKE-128 / SHAKE-256 (Keccak family) for randomness extraction.
- Some TLS suites and libsodium primitives when authors want length-extension immunity.
- Note: Ethereum’s “keccak256” is the original Keccak submission’s padding scheme, not NIST SHA-3-256. They produce different digests for the same input.
Security status
No collision or preimage attack better than the generic bound is known on full SHA-3. The most progress has come on reduced-round Keccak variants and on related-key / structural distinguishers that do not translate to real attacks on the standard.
SHA-3 family relationships
- SHA3-224 / 256 / 384 / 512 , fixed-output cousins, differ only in rate / capacity and output truncation.
- SHAKE128 / SHAKE256 , extendable-output functions (XOFs) based on the same permutation; produce any number of output bits.
- cSHAKE / KMAC / TupleHash / ParallelHash , domain-separated building blocks defined in NIST SP 800-185.
- KangarooTwelve / TurboSHAKE , faster, reduced-round Keccak-family hashes proposed by the original Keccak team.
Try it
The multi-algorithm hasher includes SHA3-256 alongside SHA-256, BLAKE2b, and BLAKE3, so the lengths and family differences are visible at a glance.
References
- NIST FIPS 202 , SHA-3 Standard
- The Keccak reference (Bertoni, Daemen, Peeters, Van Assche)
- NIST SP 800-185 , cSHAKE, KMAC, TupleHash, ParallelHash
- KangarooTwelve / TurboSHAKE
Visualize
SHA3-256 on your input
11 bytes · 0-bit digest
Hex digest
Bit grid (0 bits, teal = 1, slate = 0)
Byte pixel art (0 bytes, hue = byte value mod 360°)
Avalanche , flipping the lowest bit of the first input byte changed 0 of 0 output bits
Quick quiz
Test yourself on sha3-256
10 multiple-choice questions. Pick an answer for each, then submit to see explanations.
Q1.What construction underlies SHA-3?
Q2.What is the SHA-3 standardization document?
Q3.Who designed the Keccak permutation underlying SHA-3?
Q4.What is the rate for SHA3-256?
Q5.How many rounds in Keccak-f[1600]?
Q6.Is SHA3-256 vulnerable to length-extension?
Q7.Is Ethereum's `keccak256` the same as NIST SHA3-256?
Q8.What is the state size of Keccak-f used by SHA-3?
Q9.Which step of a Keccak round is the only nonlinear one?
Q10.Which is NOT a SHA-3 family extendable-output function (XOF)?