up:: Classical Cryptography MOC
SHA-3
SHA-3 is the NIST-standardized family of cryptographic hash functions defined in FIPS 202, made up of the four fixed-output functions SHA3-224, SHA3-256, SHA3-384, and SHA3-512, plus the two extendable-output functions (XOFs) SHAKE128 and SHAKE256, all built on the Keccak sponge construction. It turns an input of any size into a digest that acts as a tamper-evident fingerprint, and it survives the quantum transition intact.
SHA-3 rests on a completely different internal design from SHA-2: a sponge that absorbs data into a large internal state and squeezes output back out, rather than the Merkle-Damgard chaining that SHA-2 uses. NIST standardized it in 2015 as an approved alternative to SHA-2, chosen so the world would have a structurally independent hash family ready if a weakness ever surfaced in the SHA-2 line. Like SHA-2, its only real quantum pressure comes from Grover’s algorithm, which square-root-dents preimage search and leaves collision resistance about where it already sat. That is the opposite of what Shor’s algorithm does to public-key algorithms like RSA, which it breaks outright.
Source: NIST, “SHA-3 Standard, Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.
The short version:
- SHA-3 is a family of six functions in one standard (FIPS 202): four hashes (SHA3-224, SHA3-256, SHA3-384, SHA3-512) and two extendable-output functions (SHAKE128, SHAKE256).
- It uses the Keccak sponge construction, so it works differently on the inside from SHA-2, which chains a compression function with Merkle-Damgard.
- The sponge design closes the length-extension weakness that bare SHA-2 carries, which is one reason newer protocols reach for it.
- Grover’s algorithm gives only a square-root speedup on preimage search, so each fixed-output member keeps about half its output size in effective strength, and collision resistance is barely affected.
- NIST approves SHA-3 as an alternative to SHA-2, and both families stay standardized, because SHA-2 has no practical break that would force a switch.
- SHAKE is everywhere in post-quantum cryptography: ML-KEM, ML-DSA, and SLH-DSA all use SHA-3 or SHAKE functions as internal building blocks.
What is the everyday picture of a sponge hash?
Picture a kitchen sponge you use to measure and mix. You pour in as much water as you want, a splash or a full bucket, and the sponge soaks all of it up into the same body of material, sloshing and mixing as it absorbs. When you have poured in everything, you start squeezing, and out comes a stream of water you can make as short or as long as you need. SHA-3 works the same way. It absorbs your whole message, of any length, into one large internal state, mixing thoroughly at every step, and then squeezes out digest bits. A fixed hash squeezes once for a set length. A SHAKE function keeps squeezing for as many bits as you ask for. The mixing is so thorough that changing a single input bit scrambles the entire output unpredictably.
What is SHA-3?
SHA-3 is a family of cryptographic hash functions published by NIST in FIPS 202, the “SHA-3 Standard, Permutation-Based Hash and Extendable-Output Functions,” in August 2015. A hash function takes a message of arbitrary length and deterministically compresses it into a fixed output called a digest, and a cryptographic one is built so the digest behaves like a fingerprint: the same input always gives the same digest, a different input almost always gives a different one, and the process cannot be run backward to recover the input. The “3” marks this as the third generation of NIST secure-hash standards, after the retired SHA-0 and SHA-1 and the still-current SHA-2.
The family has two kinds of members:
- Fixed-output hash functions. SHA3-224, SHA3-256, SHA3-384, and SHA3-512 each produce a digest of the fixed length named in the function, exactly the way a SHA-2 member does.
- Extendable-output functions (XOFs). SHAKE128 and SHAKE256 produce output of any length the caller requests. They are a flexible primitive you can squeeze for 32 bytes or 32,000 bytes, which makes them a general-purpose source of pseudorandom bits for other cryptographic constructions.
Every function is based on the Keccak algorithm, which NIST selected in 2012 as the winner of a public multi-year SHA-3 competition, chosen specifically to be structurally different from SHA-2 so a future attack on one family would leave the other standing. SHA-3 is a hash family and nothing more. It is not an encryption scheme and not a public-key primitive, though signatures, message authentication codes, and key-derivation functions get built on top of it.
Source: NIST, “SHA-3 Standard, Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.
How does SHA-3 work?
SHA-3 uses the sponge construction, which is built around a single fixed permutation called Keccak-f applied to a 1600-bit internal state. The state is split into two conceptual parts: the rate (the bits that touch the message directly) and the capacity (the bits held back from the message, which is where the security margin lives). The larger the capacity, the stronger the function and the less message you process per permutation call. The whole process runs in a fixed sequence:
- Padding. The message is padded with a specific pattern (the
pad10*1rule, plus a domain-separation suffix that distinguishes a SHA3 hash from a SHAKE XOF) so its length is a multiple of the rate. - Absorbing. The padded message is split into rate-sized blocks. Each block is combined into the state with XOR, and then the full Keccak-f permutation runs over all 1600 bits, mixing the block thoroughly into both the rate and the capacity. This repeats block by block until the whole message is absorbed.
- Squeezing. The function reads out the rate portion of the state as output. If more output is needed, it runs Keccak-f again and reads the rate again, repeating until enough bits are produced. A fixed hash squeezes exactly its output length. A SHAKE XOF squeezes for whatever length the caller asked for.
The security intuition is that an attacker never gets to see or touch the capacity bits directly, so recovering the internal state or forcing a collision means defeating the full permutation, not a smaller compression function. Because the message only ever enters through the rate and the capacity stays hidden, the sponge has a clean, provable security bound tied to the capacity size. The deep, round-by-round internals of Keccak-f (theta, rho, pi, chi, and iota, run for 24 rounds) are what give SHA-3 its avalanche behavior, and they are the same permutation across every member, with only the rate and capacity split changing between variants.
Source: NIST, “SHA-3 Standard, Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.
How is SHA-3 different from SHA-2?
SHA-3 and SHA-2 do the same job with entirely different machinery, and the difference matters most in two places: the internal construction and the length-extension property. Both are NIST-approved, both survive the quantum transition, and neither is broken.
- Construction. SHA-2 uses the Merkle-Damgard construction, chaining a compression function over message blocks and carrying a chaining value forward. SHA-3 uses the Keccak sponge, absorbing the whole message into one large permuted state and squeezing output back out. They rest on different mathematical foundations, which is exactly why NIST wanted both: a break in one construction leaves the other family untouched.
- Length extension. Bare Merkle-Damgard hashes like SHA-2 are open to a length-extension attack, where someone who knows
hash(secret || message)and the length of the secret can computehash(secret || message || extra)without knowing the secret. The sponge closes this by design, because the capacity bits are never exposed in the output, so an attacker cannot reconstruct the internal state from a digest. This is why SHA-2 needs the HMAC wrapper to authenticate messages safely, while SHA-3 can be used more directly in some constructions. - Flexibility. SHA-3 ships with the SHAKE extendable-output functions, which have no direct equivalent in the SHA-2 standard. A single SHAKE call can produce any output length, which is why post-quantum algorithms lean on it as a pseudorandom bit source.
The table below lays the two families side by side.
| Property | SHA-2 | SHA-3 |
|---|---|---|
| Standard | FIPS 180-4 | FIPS 202 |
| Standardized | 2002 (revised 2015) | 2015 |
| Construction | Merkle-Damgard chaining | Keccak sponge |
| Length-extension weakness | Present in bare use, closed by HMAC | Closed by the sponge design |
| Extendable output (XOF) | Not in the standard | SHAKE128, SHAKE256 |
| Fixed-output members | SHA-224, SHA-256, SHA-384, SHA-512, plus truncated variants | SHA3-224, SHA3-256, SHA3-384, SHA3-512 |
| Quantum posture | Survives, Grover dents preimage only | Survives, Grover dents preimage only |
| NIST status | Approved | Approved alternative |
Sources: NIST, “SHA-3 Standard,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final; NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.
What is SHA-3 used for?
SHA-3 does the same integrity-and-trust jobs SHA-2 does, and its extendable-output functions add a few jobs SHA-2 cannot do on its own. Its common uses:
- Integrity verification. Comparing the SHA-3 digest of a file, package, or firmware image against a published value confirms the bytes were not altered.
- Digital signature preprocessing. A digital signature is computed over a small digest, not the whole document, and SHA-3 or SHAKE can produce that digest.
- Message authentication. KMAC, a keyed authentication function defined in NIST SP 800-185, is built directly on SHAKE, giving a MAC that needs no HMAC-style nesting because the sponge already resists length extension.
- Key derivation and pseudorandom expansion. SHAKE is a natural extendable-output source, so it is used to expand a seed into as many key or nonce bits as a scheme needs.
- Domain separation. The XOFs make it easy to derive many independent outputs from one seed by tagging each use, which is heavily used inside modern protocol design.
- Post-quantum algorithm internals. This is where SHAKE shows up most, covered in its own section below.
The pattern is the same as SHA-2: SHA-3 is an integrity-and-trust workhorse that proves data is what it claims to be, rather than keeping it secret. SHA-3 is less pervasive than SHA-2 in older, deployed systems, and more common in newer designs that value its construction or its extendable output.
Sources: NIST, “SHA-3 Standard,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final; NIST, “SHA-3 Derived Functions, cSHAKE, KMAC, TupleHash, and ParallelHash,” SP 800-185, December 2016, csrc.nist.gov/pubs/sp/800/185/final.
Is SHA-3 quantum-vulnerable?
No, not in the way public-key cryptography is. SHA-3 is not structurally broken by a quantum computer, because it does not rest on a hidden mathematical structure the way factoring or the discrete logarithm do. Shor’s algorithm, the quantum attack that actually breaks cryptography, solves those number-theoretic problems and has nothing to grip on a sponge permutation. The only relevant quantum pressure on SHA-3 comes from Grover’s algorithm, and Grover weakens rather than breaks. The two properties that matter:
- Preimage resistance takes a square-root hit. Grover searches an unstructured space of
Npossibilities in about√Nsteps. Finding a preimage for ann-bit digest is a search over roughly2^ninputs, which Grover reduces to about2^(n/2)work. So each fixed-output member keeps about half its output size in effective preimage strength: SHA3-256 holds near 128 bits, SHA3-384 near 192, and SHA3-512 near 256, all astronomically out of reach. - Collision resistance is barely touched. Collision-finding was never a
2^nproblem. The birthday effect already lets a classical attacker find a collision in ann-bit hash in about2^(n/2)work, so SHA3-256 offers roughly 128 bits of collision resistance even today. Quantum collision algorithms exist, but in realistic cost models that account for the enormous memory and hardware they need, they buy little or no practical advantage over the classical birthday attack.
NIST states the general case plainly: Grover’s quadratic speedup on unstructured search “does not render cryptographic technologies obsolete,” but “can have the effect of requiring larger key sizes, even in the symmetric key case,” and for hash functions the remedy is a larger output rather than a new algorithm. The practical read is that every SHA-3 member keeps about half its output size in security on both counts, which stays strong for the overwhelming majority of uses. The right move for a long-lived, high-assurance workflow is a larger output (SHA3-384, SHA3-512, or a wide SHAKE256 output), not a switch to a different family.
Sources: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final; NIST, “SHA-3 Standard,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.
What are the SHA-3 variants and parameters?
FIPS 202 defines six functions built on the same 1600-bit Keccak-f permutation, differing only in the rate-and-capacity split (and, for the XOFs, in whether the output is fixed or extendable). A larger capacity gives a stronger security margin and processes less message per permutation call. The table gives each function, its rate and capacity, its output, and its quantum-adjusted strength.
| Function | Type | Rate / capacity (bits) | Output size | Effective quantum preimage strength | Collision strength |
|---|---|---|---|---|---|
| SHA3-224 | Fixed hash | 1152 / 448 | 224-bit | ~112-bit | ~112-bit |
| SHA3-256 | Fixed hash | 1088 / 512 | 256-bit | ~128-bit | ~128-bit |
| SHA3-384 | Fixed hash | 832 / 768 | 384-bit | ~192-bit | ~192-bit |
| SHA3-512 | Fixed hash | 576 / 1024 | 512-bit | ~256-bit | ~256-bit |
| SHAKE128 | XOF (variable output) | 1344 / 256 | Any length | Up to ~128-bit | Up to ~128-bit |
| SHAKE256 | XOF (variable output) | 1088 / 512 | Any length | Up to ~256-bit | Up to ~256-bit |
The fixed-hash preimage numbers come from halving the output under an idealized Grover attack, and the collision numbers from the birthday bound of about half the output. For the XOFs the security is capped by the capacity: SHAKE128 provides up to 128 bits and SHAKE256 up to 256 bits of security, bounded also by however much output you actually request. A short SHAKE output caps its own strength at half the output length, which is why a SHAKE used for a security-critical purpose is squeezed to a wide enough output for the target.
Source: NIST, “SHA-3 Standard, Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.
Where does SHAKE show up in post-quantum cryptography?
SHAKE is a core internal building block of the NIST post-quantum standards, which is one of the clearest signs that SHA-3 carries forward into the quantum era rather than being left behind. The three finalized algorithms all reach for SHA-3 or SHAKE for their internal hashing and pseudorandom generation:
- ML-KEM (the key-encapsulation standard). ML-KEM uses SHA3-256, SHA3-512, and SHAKE256 for its internal hashing and key derivation, and SHAKE128 as the extendable-output function that expands a small seed into the large public matrix at the heart of the scheme. The XOF lets the scheme transmit a tiny seed instead of the full matrix, which keeps key sizes down.
- ML-DSA (the primary signature standard). ML-DSA uses SHAKE256 and SHAKE128 throughout, for hashing the message, deriving challenge values, and expanding seeds into the scheme’s matrices and masking vectors.
- SLH-DSA (the hash-based signature standard). SLH-DSA is defined with two interchangeable instantiations of its internal functions, one built on SHA-2 and one built on SHAKE256, so an implementer can pick whichever hash family their platform accelerates. This is hash-based cryptography, where the entire signature scheme’s security reduces to the strength of the underlying hash.
The takeaway is that the post-quantum algorithms depend on a strong, quantum-resistant hash as their foundation, and SHA-3 and SHAKE are the functions they were built on. Far from being a casualty of the transition, SHA-3 is part of the machinery that makes the transition work.
Sources: NIST, “Module-Lattice-Based Key-Encapsulation Mechanism Standard,” FIPS 203, August 2024, csrc.nist.gov/pubs/fips/203/final; NIST, “Module-Lattice-Based Digital Signature Standard,” FIPS 204, August 2024, csrc.nist.gov/pubs/fips/204/final; NIST, “Stateless Hash-Based Digital Signature Standard,” FIPS 205, August 2024, csrc.nist.gov/pubs/fips/205/final.
Does SHA-3 replace SHA-2?
No. NIST approves SHA-3 as an alternative to SHA-2, and both families stay fully standardized and recommended. The original 2007 SHA-3 competition was launched as insurance: at the time, related hash functions in the SHA-1 lineage were falling to new collision techniques, and NIST wanted a structurally different backup ready in case SHA-2 followed. SHA-2 held up, so SHA-3 arrived as a strong sibling rather than a rescue. FIPS 202 itself describes the SHA-3 functions as supplementing, not superseding, the SHA-2 family in FIPS 180-4.
That leaves a real, low-stakes choice rather than a forced migration. SHA-2 is more widely deployed, hardware-accelerated nearly everywhere, and perfectly secure, so most systems have no reason to move. SHA-3 is the pick when a design values its sponge construction, its built-in length-extension resistance, or its SHAKE extendable output, and it is increasingly the default inside new post-quantum protocol designs for exactly those reasons. Both survive the quantum transition on the same terms, so the decision is about engineering fit, not about which one is safe.
Source: NIST, “SHA-3 Standard, Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.
Common misconceptions
- “SHA-3 replaces SHA-2.” It does not. NIST approves SHA-3 as an alternative, and both stay standardized. SHA-2 has no practical break, so there is no forced migration off it.
- “SHA-3 is stronger than SHA-2 because it is newer.” At matched output sizes, both offer comparable security, and both survive the quantum transition on the same Grover terms. SHA-3’s advantages are structural (a different construction and native length-extension resistance), not a higher security level.
- “Quantum computers will break SHA-3.” They will not. The only relevant quantum attack is Grover’s, which halves the preimage margin of each fixed member and barely touches collision resistance, both still far out of reach.
- “SHAKE is just a longer hash.” It is an extendable-output function, a flexible source of any number of pseudorandom bits, which is why post-quantum schemes use it to expand seeds and derive keys, jobs a fixed hash cannot do directly.
- “SHA-3 needs a post-quantum replacement.” It does not. There is no separate post-quantum hash family to migrate to. SHA-3 already carries enough margin, and it is itself a building block of the post-quantum signature and KEM standards.
- “SHA-3 fixes a security hole in SHA-2.” SHA-2 has no hole to fix. SHA-3 closes the length-extension quirk of the Merkle-Damgard construction by design, which is a convenience for some protocols, and HMAC already handles that quirk safely for SHA-2.
Questions people ask
Is SHA-3 safe to use today? Yes. Every SHA-3 function is strong against classical attackers and keeps roughly half its output size in security against a quantum attacker, so SHA3-256 holds about 128 bits and SHA3-512 about 256, both wide margins. It is a fully approved NIST standard.
Should I switch from SHA-2 to SHA-3? There is no security reason you must. SHA-2 is secure, faster on most deployed hardware, and more widely supported. Choose SHA-3 when you specifically want its sponge construction, its native length-extension resistance, or its SHAKE extendable output, or when a protocol you are implementing already specifies it.
What is the difference between SHA-3 and SHAKE? SHA3-224 through SHA3-512 are fixed-output hash functions that always give a digest of the named length. SHAKE128 and SHAKE256 are extendable-output functions from the same standard that let you request any output length, which makes them a general-purpose pseudorandom-bit source used inside other cryptographic schemes.
Does a quantum computer break SHA-3 the way it breaks RSA? No. RSA falls to Shor’s algorithm, which solves the exact math it rests on, so it stops working entirely. SHA-3 faces only Grover’s algorithm, which merely halves the preimage margin and leaves collision resistance about where it was.
Why do the post-quantum standards use SHAKE? ML-KEM, ML-DSA, and SLH-DSA all need a strong hash and a way to expand a small seed into many pseudorandom bits, and SHAKE does both in one primitive. Building on a quantum-resistant hash is part of what makes those schemes quantum-resistant.
Which SHA-3 variant should I use? SHA3-256 is a sensible default for general integrity and signature work. Move to SHA3-384 or SHA3-512 for high-assurance and long-retention workflows where you want more margin. Reach for SHAKE128 or SHAKE256 when you need extendable output or are following a spec that calls for it.
Is SHA-3 the same as Keccak? Almost. SHA-3 is NIST’s standardized version of the Keccak algorithm that won the SHA-3 competition, with a small padding change (an added domain-separation suffix) that NIST introduced during standardization. So the two are closely related but not byte-for-byte identical outputs.
Does SHA-3 have the length-extension weakness that SHA-2 has? No. The sponge construction hides the capacity bits, so an attacker cannot reconstruct the internal state from a digest, which closes the length-extension attack that bare SHA-2 is open to. SHA-2 handles the same issue safely by using HMAC.
Go deeper
The extendable-output functions: SHAKE128 · SHAKE256
The SHA-2 family it stands alongside: SHA-2 · SHA-256 · SHA-384 · SHA-512 · 256
Where SHAKE is load-bearing: FIPS 203 (ML-KEM) · FIPS 204 (ML-DSA) · FIPS 205 (SLH-DSA) · Number-Theoretic Transform (NTT)
The standard and the quantum mechanics: FIPS 202 · Grover’s Algorithm · Cryptographic Hash Function
Everything here is the map, given freely. When your team needs its own cryptography sorted into what survives the quantum transition and what has to move, that’s what an alignment briefing is for.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.