Unkeyed cryptographic

SHAKE128 / SHAKE256

SHA-3’s extendable-output functions, defined alongside the fixed-output SHA-3 variants in NIST FIPS 202 (2015). Same Keccak sponge, but the output is variable-length , you ask for any number of bits at finalization. The post-quantum cryptography deployment leans heavily on SHAKE for randomness extraction.

At a glance

How XOFs differ from fixed-output hashes

A fixed-output hash like SHA3-256 produces exactly 256 bits. An XOF like SHAKE128 produces any number of bits , same security per bit up to the capacity, then degrades gracefully. This lets one primitive replace separate hash + KDF + DRBG calls.

Where it shows up

• SLH-DSA / SPHINCS+ (FIPS 205) , post-quantum signatures built on SHAKE.
• ML-KEM / CRYSTALS-Kyber (FIPS 203) , key encapsulation uses SHAKE-128 / 256.
• ML-DSA / CRYSTALS-Dilithium (FIPS 204) , signatures.
• cSHAKE family (NIST SP 800-185) , customized variants for domain separation.
• Some TLS 1.3 KEMs and noise variants.

cSHAKE / KMAC / TupleHash / ParallelHash

NIST SP 800-185 builds four derived functions on top of SHAKE: cSHAKE (customizable / domain-separated SHAKE), KMAC (keyed MAC), TupleHash (hashes an ordered list of strings unambiguously), and ParallelHash (tree-parallel hashing for large inputs). All rely on SHAKE under the hood.

References

• NIST FIPS 202 , SHA-3 Standard (defines SHAKE128 / 256)
• NIST SP 800-185 , SHA-3 Derived Functions
• SHA3-256 · KMAC