up:: Classical Cryptography MOC

FIPS 202

FIPS 202 is the NIST standard titled “SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions,” published in August 2015, and it is the document that officially defines the SHA-3 family. It specifies four fixed-output hash functions (SHA3-224, SHA3-256, SHA3-384, and SHA3-512) and two extendable-output functions (XOFs), SHAKE128 and SHAKE256, all built on the same Keccak sponge construction with a 1600-bit internal state run for 24 rounds. It is the sibling standard to FIPS 180-4, which defines the older SHA-2 family, and NIST published it so the world would have a structurally independent hash family standing alongside SHA-2.

FIPS 202 matters well beyond ordinary hashing. Its SHAKE functions are load-bearing internal machinery inside the post-quantum standards ML-KEM and ML-DSA, where they expand small seeds into large matrices and sample the pseudorandom values those schemes run on. Everything in the standard survives the quantum transition on the same terms as the rest of symmetric cryptography: the only real quantum pressure is Grover’s algorithm, which square-root-dents preimage search and barely touches collision resistance. That is the opposite of what Shor’s algorithm does to public-key algorithms like RSA, which it breaks outright.

Source: NIST, “SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.

The short version:

  • FIPS 202 is the NIST standard that defines SHA-3: four fixed hashes (SHA3-224, SHA3-256, SHA3-384, SHA3-512) and two extendable-output functions (SHAKE128, SHAKE256).
  • Every function is built on the Keccak sponge, a 1600-bit permutation called Keccak-f run for 24 rounds, so the whole standard rests on one shared design.
  • The sponge splits its state into a rate (the bits the message touches) and a capacity (the bits held back, where the security margin lives), which is a structurally different design from the Merkle-Damgard chaining that SHA-2 uses in FIPS 180-4.
  • Because the capacity is never exposed in the output, FIPS 202 functions are immune to the length-extension weakness that bare SHA-2 carries, which is one reason newer protocols reach for them.
  • Grover’s algorithm gives only a square-root speedup on preimage search, so each fixed member keeps about half its output size in effective strength, and collision resistance is barely affected. There is no separate post-quantum hash to migrate to.
  • The SHAKE128 and SHAKE256 XOFs defined here are internal building blocks of ML-KEM and ML-DSA, which is a clear sign FIPS 202 carries forward into the quantum era.

Picture a kitchen sponge you use to measure and mix. You pour in as much water as you want, a splash or a full bucket, and the sponge soaks all of it into the same body of material, sloshing and mixing as it absorbs. When you have poured in everything, you start squeezing, and out comes a stream of water you can make as short or as long as you need. The functions in FIPS 202 work the same way. They absorb your whole message, of any length, into one large internal state, mix it thoroughly, and then squeeze out digest bits. A fixed hash squeezes once for a set length. A SHAKE function keeps squeezing for as many bits as you ask for. The mixing is so thorough that changing a single input bit scrambles the entire output unpredictably.

What is FIPS 202?

FIPS 202 is a Federal Information Processing Standard, published by NIST in August 2015, that specifies the SHA-3 family of hash functions and the two SHAKE extendable-output functions. Its full title is “SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions,” and the “permutation-based” phrase is the tell: every function in the standard is built on a single fixed permutation rather than on the compression-function-and-chaining design of earlier hash standards. NIST assigns it the identifier FIPS PUB 202, and it supplements rather than replaces FIPS 180-4, the Secure Hash Standard that defines SHA-2.

The standard defines six functions in two categories:

  1. Fixed-output hash functions. SHA3-224, SHA3-256, SHA3-384, and SHA3-512 each produce a digest of the fixed length named in the function, exactly the way a SHA-2 member does. They are drop-in cryptographic hashes for integrity, signatures, and fingerprinting.
  2. Extendable-output functions (XOFs). SHAKE128 and SHAKE256 produce output of any length the caller requests. They are a flexible primitive you can squeeze for 32 bytes or 32,000 bytes, which makes them a general-purpose source of pseudorandom bits for other cryptographic constructions.

Every one of these functions is based on the Keccak algorithm, which NIST selected in 2012 as the winner of a public multi-year SHA-3 competition, chosen specifically to be structurally distinct from SHA-2 so that a future attack on one family would leave the other standing. FIPS 202 is a hash standard and nothing more. It does not define an encryption scheme or a public-key primitive, though signatures, message authentication codes, and key-derivation functions get built on top of the functions it specifies.

Source: NIST, “SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.

How does the sponge construction in FIPS 202 work?

FIPS 202 builds every function on the sponge construction, which is organized around a single fixed permutation called Keccak-f applied to a 1600-bit internal state. The state is split into two conceptual parts: the rate, the bits that touch the message directly, and the capacity, the bits held back from the message where the security margin lives. The larger the capacity, the stronger the function and the less message it processes per permutation call. The whole process runs in a fixed sequence:

  1. Padding. The message is padded with the sponge’s pad10*1 rule, plus a domain-separation suffix that distinguishes the inputs. The fixed SHA-3 hashes append the suffix bits 01, while the SHAKE XOFs append 1111, so the same message run through a SHA-3 hash and through a SHAKE function produces unrelated output.
  2. Absorbing. The padded message is split into rate-sized blocks. Each block is combined into the state with XOR, and then the full Keccak-f permutation runs over all 1600 bits, mixing the block thoroughly into both the rate and the capacity. This repeats block by block until the whole message is absorbed.
  3. Squeezing. The function reads out the rate portion of the state as output. If more output is needed, it runs Keccak-f again and reads the rate again, repeating until enough bits are produced. A fixed hash squeezes exactly its output length. A SHAKE XOF squeezes for whatever length the caller asked for.

The security intuition is that an attacker never gets to see or touch the capacity bits directly, so recovering the internal state or forcing a collision means defeating the full permutation, not a smaller compression function. Because the message only ever enters through the rate and the capacity stays hidden, the sponge has a clean, provable security bound tied to the capacity size. The round-by-round internals of Keccak-f (the five steps theta, rho, pi, chi, and iota, run for 24 rounds on the 1600-bit state) are what give the standard its avalanche behavior, and they are the same permutation across every function, with only the rate-and-capacity split changing between members.

Source: NIST, “SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015 (1600-bit state, 24 rounds, pad10*1, domain-separation suffixes 01 and 1111), csrc.nist.gov/pubs/fips/202/final.

What functions and parameters does FIPS 202 define?

FIPS 202 specifies six functions built on the same 1600-bit Keccak-f permutation, differing only in the rate-and-capacity split and, for the XOFs, in whether the output is fixed or extendable. A larger capacity gives a stronger security margin and processes less message per permutation call. The table gives each function, its rate and capacity, its output, and its quantum-adjusted strength.

FunctionTypeRate / capacity (bits)Output sizeEffective quantum preimage strengthCollision strength
SHA3-224Fixed hash1152 / 448224-bit~112-bit~112-bit
SHA3-256Fixed hash1088 / 512256-bit~128-bit~128-bit
SHA3-384Fixed hash832 / 768384-bit~192-bit~192-bit
SHA3-512Fixed hash576 / 1024512-bit~256-bit~256-bit
SHAKE128XOF (variable output)1344 / 256Any lengthUp to ~128-bitUp to ~128-bit
SHAKE256XOF (variable output)1088 / 512Any lengthUp to ~256-bitUp to ~256-bit

The fixed-hash preimage numbers come from halving the output under an idealized Grover attack, and the collision numbers from the birthday bound of about half the output. For the XOFs the security is capped by the capacity: SHAKE128 provides up to 128 bits and SHAKE256 up to 256 bits of security, bounded also by however much output you actually request. FIPS 202 gives the exact strengths for the XOFs as a function of the requested output length d in bits: collision resistance is min(d/2, c/2) and preimage resistance is min(d, c/2), where c is the capacity. A short SHAKE output therefore caps its own strength, which is why a SHAKE used for a security-critical purpose is squeezed to a wide enough output for the target.

Source: NIST, “SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015 (rate/capacity per function; SHAKE strengths min(d/2, c/2) collision and min(d, c/2) preimage), csrc.nist.gov/pubs/fips/202/final.

How is FIPS 202 different from FIPS 180-4?

FIPS 202 and FIPS 180-4 are the two current NIST hash standards, and they define families that do the same job with entirely different machinery. FIPS 180-4 specifies the SHA-2 family (SHA-224, SHA-256, SHA-384, SHA-512, and truncated variants), built on the Merkle-Damgard construction. FIPS 202 specifies SHA-3 and SHAKE, built on the Keccak sponge. Both are approved, both survive the quantum transition, and neither is broken. The difference matters most in two places:

  1. Construction. SHA-2 chains a compression function over message blocks and carries a chaining value forward. The FIPS 202 functions absorb the whole message into one large permuted state and squeeze output back out. They rest on different mathematical foundations, which is exactly why NIST wanted both: a break in one construction leaves the other family untouched.
  2. Length extension. Bare Merkle-Damgard hashes like SHA-2 are open to a length-extension attack, where someone who knows hash(secret || message) and the length of the secret can compute hash(secret || message || extra) without knowing the secret. The sponge closes this by design, because the capacity bits are never exposed in the output, so an attacker cannot reconstruct the internal state from a digest. This is why SHA-2 needs the HMAC wrapper to authenticate messages safely, while FIPS 202 functions can be used more directly in some constructions.

FIPS 202 also adds the SHAKE extendable-output functions, which have no direct equivalent in FIPS 180-4. A single SHAKE call can produce any output length, which is why post-quantum algorithms lean on it as a pseudorandom bit source. The table below lays the two standards side by side.

PropertyFIPS 180-4 (SHA-2)FIPS 202 (SHA-3)
Published2002, revised 2015August 2015
ConstructionMerkle-Damgard chainingKeccak sponge
Length-extension weaknessPresent in bare use, closed by HMACClosed by the sponge design
Extendable output (XOF)Not in the standardSHAKE128, SHAKE256
Fixed-output membersSHA-224, SHA-256, SHA-384, SHA-512SHA3-224, SHA3-256, SHA3-384, SHA3-512
Quantum postureSurvives, Grover dents preimage onlySurvives, Grover dents preimage only
NIST statusApprovedApproved alternative

Sources: NIST, “SHA-3 Standard,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final; NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.

Is FIPS 202 quantum-vulnerable?

No, not in the way public-key cryptography is. The functions in FIPS 202 are not structurally broken by a quantum computer, because they do not rest on a hidden mathematical structure the way factoring or the discrete logarithm do. Shor’s algorithm, the quantum attack that actually breaks cryptography, solves those number-theoretic problems and has nothing to grip on a sponge permutation. The only relevant quantum pressure comes from Grover’s algorithm, and Grover weakens rather than breaks. The two properties that matter:

  1. Preimage resistance takes a square-root hit. Grover searches an unstructured space of N possibilities in about √N steps. Finding a preimage for an n-bit digest is a search over roughly 2^n inputs, which Grover reduces to about 2^(n/2) work. So each fixed-output member keeps about half its output size in effective preimage strength: SHA3-256 holds near 128 bits, SHA3-384 near 192, and SHA3-512 near 256, all astronomically out of reach.
  2. Collision resistance is barely touched. Collision-finding was never a 2^n problem. The birthday effect already lets a classical attacker find a collision in an n-bit hash in about 2^(n/2) work, so SHA3-256 offers roughly 128 bits of collision resistance even today. Quantum collision algorithms exist, but in realistic cost models that account for the enormous memory and hardware they need, they buy little or no practical advantage over the classical birthday attack.

NIST states the general case plainly: Grover’s quadratic speedup on unstructured search “does not render cryptographic technologies obsolete,” but “can have the effect of requiring larger key sizes, even in the symmetric key case,” and for hash functions the remedy is a larger output rather than a new algorithm. The practical read is that every FIPS 202 function keeps about half its output size in security on both counts, which stays strong for the overwhelming majority of uses. The right move for a long-lived, high-assurance workflow is a larger output (SHA3-384, SHA3-512, or a wide SHAKE256 output), not a switch to a different family.

Sources: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final; NIST, “SHA-3 Standard,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.

Why are the FIPS 202 functions load-bearing in post-quantum cryptography?

The SHAKE functions defined in FIPS 202 are core internal building blocks of the NIST post-quantum standards, which is one of the clearest signs that the standard carries forward into the quantum era rather than being left behind. The finalized post-quantum algorithms all reach for SHA-3 or SHAKE for their internal hashing and pseudorandom generation:

  1. ML-KEM (the key-encapsulation standard). ML-KEM uses SHA3-256, SHA3-512, and SHAKE256 for its internal hashing and key derivation, and SHAKE128 as the extendable-output function that expands a small seed into the large public matrix at the heart of the scheme. The XOF lets ML-KEM transmit a tiny seed instead of the full matrix, which keeps key sizes down.
  2. ML-DSA (the primary signature standard). ML-DSA uses SHAKE256 and SHAKE128 throughout, for hashing the message, deriving challenge values, and expanding seeds into the scheme’s matrices and masking vectors.
  3. SLH-DSA (the hash-based signature standard). SLH-DSA is defined with two interchangeable instantiations of its internal functions, one built on SHA-2 and one built on SHAKE256, so an implementer can pick whichever hash family their platform accelerates. This is hash-based cryptography, where the entire signature scheme’s security reduces to the strength of the underlying hash.

The takeaway is that the post-quantum algorithms depend on a strong, quantum-resistant hash as their foundation, and the functions in FIPS 202 are what they were built on. Far from being a casualty of the transition, FIPS 202 is part of the machinery that makes the transition work.

Sources: NIST, “Module-Lattice-Based Key-Encapsulation Mechanism Standard,” FIPS 203, August 2024, csrc.nist.gov/pubs/fips/203/final; NIST, “Module-Lattice-Based Digital Signature Standard,” FIPS 204, August 2024, csrc.nist.gov/pubs/fips/204/final; NIST, “Stateless Hash-Based Digital Signature Standard,” FIPS 205, August 2024, csrc.nist.gov/pubs/fips/205/final.

Does FIPS 202 replace FIPS 180-4 and SHA-2?

No. FIPS 202 supplements FIPS 180-4, and both standards stay fully approved and recommended. The original SHA-3 competition was launched as insurance: at the time, related hash functions in the SHA-1 lineage were falling to new collision techniques, and NIST wanted a structurally different backup ready in case SHA-2 followed. SHA-2 held up, so SHA-3 arrived as a strong sibling rather than a rescue. FIPS 202 itself describes the SHA-3 functions as supplementing the SHA-2 family in FIPS 180-4, which stays in force alongside it.

That leaves a real, low-stakes choice rather than a forced migration. SHA-2 is more widely deployed, hardware-accelerated nearly everywhere, and perfectly secure, so most systems have no reason to move. The FIPS 202 functions are the pick when a design values the sponge construction, its built-in length-extension resistance, or the SHAKE extendable output, and they are increasingly the default inside new post-quantum protocol designs for exactly those reasons. Both standards survive the quantum transition on the same terms, so the decision is about engineering fit, not about which one is safe.

Source: NIST, “SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.

Common misconceptions

  1. “FIPS 202 replaces FIPS 180-4.” It does not. FIPS 202 supplements the older standard, and both SHA-2 and SHA-3 stay approved. SHA-2 has no practical break, so there is no forced migration off it.
  2. “SHA-3 is stronger than SHA-2 because FIPS 202 is newer.” At matched output sizes, both families offer comparable security, and both survive the quantum transition on the same Grover terms. The FIPS 202 advantages are structural (a different construction and native length-extension resistance), not a higher security level.
  3. “Quantum computers will break the functions in FIPS 202.” They will not. The only relevant quantum attack is Grover’s, which halves the preimage margin of each fixed member and barely touches collision resistance, both still far out of reach.
  4. “SHAKE is just a longer hash.” It is an extendable-output function, a flexible source of any number of pseudorandom bits, which is why post-quantum schemes use it to expand seeds and derive keys, jobs a fixed hash cannot do directly.
  5. “The functions in FIPS 202 need a post-quantum replacement.” They do not. There is no separate post-quantum hash family to migrate to. SHA-3 already carries enough margin, and its SHAKE functions are themselves building blocks of the post-quantum KEM and signature standards.
  6. “FIPS 202 fixes a security hole in SHA-2.” SHA-2 has no hole to fix. The sponge closes the length-extension quirk of the Merkle-Damgard construction by design, which is a convenience for some protocols, and HMAC already handles that quirk safely for SHA-2.

Questions people ask

What is FIPS 202? It is the NIST standard, published in August 2015, titled “SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions.” It defines the four SHA3 fixed hashes and the two SHAKE extendable-output functions, all built on the Keccak sponge construction.

What functions does FIPS 202 define? Four fixed-output hashes (SHA3-224, SHA3-256, SHA3-384, SHA3-512) and two extendable-output functions, SHAKE128 and SHAKE256. All six are built on the same 1600-bit Keccak-f permutation, run for 24 rounds, differing only in their rate-and-capacity split.

Is FIPS 202 quantum-safe? Yes. Every function it defines faces only Grover’s algorithm, which square-root-dents preimage search and leaves collision resistance about where it was, so SHA3-256 keeps about 128 bits and SHA3-512 about 256. These are not the kind of primitives a quantum computer breaks, and the SHAKE functions are building blocks of the post-quantum standards themselves.

How is FIPS 202 different from FIPS 180-4? FIPS 180-4 defines the SHA-2 family on the Merkle-Damgard construction. FIPS 202 defines SHA-3 and SHAKE on the Keccak sponge. Both are approved and both survive the quantum transition, and the FIPS 202 sponge design is immune to the length-extension weakness that bare SHA-2 carries.

Does FIPS 202 replace SHA-2? No. It supplements FIPS 180-4, and both stay standardized. SHA-2 has no practical break, so most systems have no reason to move. FIPS 202 is the pick when a design wants the sponge construction, native length-extension resistance, or SHAKE extendable output.

Why do the post-quantum standards use the SHAKE functions from FIPS 202? ML-KEM, ML-DSA, and SLH-DSA all need a strong hash and a way to expand a small seed into many pseudorandom bits, and SHAKE does both in one primitive. Building on a quantum-resistant hash is part of what makes those schemes quantum-resistant.

Is FIPS 202 the same as Keccak? Almost. The SHA-3 functions are NIST’s standardized version of the Keccak algorithm that won the SHA-3 competition, with a small padding change (an added domain-separation suffix) that NIST introduced during standardization. So the two are closely related but not byte-for-byte identical outputs.

Which FIPS 202 function should I use? SHA3-256 is a sensible default for general integrity and signature work. Move to SHA3-384 or SHA3-512 for high-assurance and long-retention workflows where you want more margin. Reach for SHAKE128 or SHAKE256 when you need extendable output or are following a spec that calls for it.


Everything here is the map, given freely. When your team needs its own cryptography sorted into what survives the quantum transition and what has to move, that’s what an alignment briefing is for.

Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.