SHAKE

The SHAKE functions are extendable-output functions from the KECCAK family.

Overview

Standardised in FIPS 202, SHAKE128 and SHAKE256 are two algorithms from the KECCAK family. They are based on a sponge construction. As extendable-output functions (XOFs), they take an arbitrarily long message as input and output a digest. As the name suggests, contrary to hash functions, the output of a XOF can also be arbitrarily long. From FIPS 202:

The suffixes “128” and “256” indicate the security strengths that these two
functions can generally support, in contrast to the suffixes for the hash
functions, which indicate the digest lengths.

Security levels of SHAKE functions, with SHA-256 for comparison

| Function name | Output size (bits) | Collision resistance | Preimage resistance | 2nd preimage resistance |
|---|---|---|---|---|
| SHAKE128 | Variable \(d\) | \(\min(d/2, 128)\) | \(\ge \min(d/2, 128)\) | \(\min(d/2, 128)\) |
| SHAKE256 | Variable \(d\) | \(\min(d/2, 256)\) | \(\ge \min(d/2, 256)\) | \(\min(d/2, 256)\) |
| SHA-256 | 256 | 128 | 256 | 256 |

While FIPS 202 does not approve any particular usage, SP 800-185 specifies four SHA-3 derived functions, based on SHAKE:

  • cSHAKE, a customizable variant of the SHAKE functions;

  • KMAC (KECCAK Message Authentication Code), based on cSHAKE;

  • TupleHash, a hash function based on cSHAKE to hash a tuple of input strings in an unambiguous way;

  • ParallelHash, for efficiently hashing very long strings.

Another possible use is as a key derivation function (KDF). In that case, note that an XOF produces related outputs for the same input: a shorter digest of a previously hashed message is simply a truncation of the longer one, e.g. XOF(K, 32) == XOF(K, 64)[:32].
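
The prefix relation noted above, and one way to avoid related keys when SHAKE256 is used as a KDF, shown as an added example that is not part of the original page. It uses Python's hashlib; the function names and the length-prefixed encoding are assumptions made for illustration, not cSHAKE or KMAC as specified in SP 800-185.

```python
import hashlib

SECRET = bytes(range(32))  # constructed sample input, not a real key


def naive_kdf(secret: bytes, length: int) -> bytes:
    """Raw XOF call: the requested length is not part of the absorbed input."""
    return hashlib.shake_256(secret).digest(length)


def _encode(field: bytes) -> bytes:
    # Length-prefix each field so (b"ab", b"c") and (b"a", b"bc") absorb differently.
    return len(field).to_bytes(4, "big") + field


def separated_kdf(secret: bytes, label: bytes, length: int) -> bytes:
    """Bind a purpose label and the output length into the input.

    Ad hoc domain separation for illustration (an assumption of this example),
    not cSHAKE or KMAC from SP 800-185.
    """
    xof = hashlib.shake_256()
    xof.update(_encode(label))
    xof.update(length.to_bytes(4, "big"))
    xof.update(_encode(secret))
    return xof.digest(length)


def split_keys(secret: bytes, label: bytes, sizes: list) -> list:
    """Derive several keys from one call by cutting disjoint slices of the output."""
    stream = separated_kdf(secret, label, sum(sizes))
    keys, offset = [], 0
    for size in sizes:
        keys.append(stream[offset:offset + size])
        offset += size
    return keys


if __name__ == "__main__":
    # Naive use: the 32-byte key is the first half of the 64-byte key.
    print(naive_kdf(SECRET, 64)[:32] == naive_kdf(SECRET, 32))
    # With the length bound in, the shorter output is no longer a prefix.
    print(separated_kdf(SECRET, b"enc", 64)[:32] == separated_kdf(SECRET, b"enc", 32))
    # Distinct labels give distinct keys of the same size.
    print(separated_kdf(SECRET, b"enc", 32) == separated_kdf(SECRET, b"mac", 32))
    enc_key, mac_key = split_keys(SECRET, b"session", [32, 16])
    print(len(enc_key), len(mac_key))
```

When several keys are needed from one secret, either give each its own label or take disjoint slices of a single output, as `split_keys` does; never request overlapping lengths from the same input.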

ANSSI rules and recommendations

There are currently no rules or recommendations.

ANSSI notes and recommendations

There are currently no notes or recommendations.