up:: SHA-3

SHAKE128

SHAKE128 is one of the two extendable-output functions (XOFs) defined in NIST’s SHA-3 standard, FIPS 202, built on the same Keccak sponge as the rest of the family, and it differs from a fixed hash in one decisive way: instead of producing a set-length digest, it squeezes out as many pseudorandom bits as the caller asks for. The “128” is its security level, meaning it caps out at about 128 bits of collision and preimage strength no matter how much output you request. It is a load-bearing internal building block of the post-quantum standards ML-KEM and ML-DSA, where it expands small seeds into the large matrices and sampled values those schemes need. Like the rest of SHA-3, its only real quantum pressure comes from Grover’s algorithm, which square-root-dents preimage search and barely touches collision resistance, which is the opposite of what Shor’s algorithm does to public-key algorithms like RSA.

Source: NIST, “SHA-3 Standard, Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.

The short version:

  • SHAKE128 is an extendable-output function (XOF): you feed it a message, then squeeze out any number of output bits, from a handful to many thousands.
  • It is built on the Keccak sponge, the same 1600-bit permutation as the rest of SHA-3, with a 1344-bit rate and a 256-bit capacity, run for 24 rounds.
  • Its security level is 128 bits: collision resistance is min(d/2, 128) and preimage resistance is min(d, 128), where d is the requested output length in bits, so past a point more output does not add strength.
  • It is a core internal component of ML-KEM and ML-DSA, used to expand seeds into matrices and to sample pseudorandom values, which is one reason SHA-3 carries forward into the quantum era.
  • Grover’s algorithm gives only a square-root speedup on preimage search, so SHAKE128 survives the quantum transition on the same terms as every other SHA-3 function.
  • A fixed hash gives one digest of a set length; a XOF like SHAKE128 is a general-purpose source of pseudorandom bits, which is a job a fixed hash cannot do directly.

What is an extendable-output function?

An extendable-output function is a hash whose output length is not fixed. A normal hash like SHA-256 always gives you exactly 256 bits, no more and no less. A XOF like SHAKE128 lets you decide at call time how much output you want, and it will produce a stream of that length that is deterministic from the input and pseudorandom to anyone who does not know the input. The picture is a kitchen sponge: SHA-3 absorbs your whole message into one large internal state, mixing thoroughly, and then squeezes output bits back out. A fixed hash squeezes once for a set length. SHAKE128 keeps squeezing for as many bits as you ask for.

That flexibility is what makes a XOF a general-purpose building block rather than just an integrity check. You can use SHAKE128 to derive a key of any length, to expand a small random seed into a much larger pseudorandom value, to generate a stream of sampling bits for an algorithm, or to produce many independent outputs from one seed by tagging each use. Those are the jobs that show up constantly inside modern cryptographic protocol design, and they are exactly the jobs the post-quantum standards hand to SHAKE.

Source: NIST, “SHA-3 Standard, Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.

How does SHAKE128 work?

SHAKE128 uses the sponge construction, built around the single 1600-bit Keccak-f permutation shared by the whole SHA-3 family. The state is split into a rate (the bits the message touches) and a capacity (the bits held back, where the security margin lives). SHAKE128 uses a 1344-bit rate and a 256-bit capacity. The process runs in three stages:

  1. Padding. The message is padded with the sponge’s padding rule plus a domain-separation suffix that marks the input as a SHAKE XOF rather than a fixed SHA-3 hash. SHAKE uses the suffix bits 1111, while the fixed SHA-3 hashes use 01, so the same message run through SHAKE128 and through a SHA-3 hash produces unrelated output.
  2. Absorbing. The padded message is split into 1344-bit rate-sized blocks. Each block is combined into the state with XOR, and then the full Keccak-f permutation runs over all 1600 bits for 24 rounds, mixing the block into both the rate and the capacity. This repeats block by block until the whole message is absorbed.
  3. Squeezing. The function reads out the 1344-bit rate portion of the state as output. If more output is needed, it runs Keccak-f again and reads the rate again, repeating until the requested number of bits is produced. This is the step that makes it extendable: the caller can ask for any length, and the sponge keeps squeezing.

The security intuition is that an attacker never gets to see or touch the 256-bit capacity directly, so recovering the internal state or forcing a collision means defeating the full permutation. Because the capacity stays hidden, the sponge also closes the length-extension weakness that bare SHA-256 carries. The 256-bit capacity is what caps SHAKE128’s security at 128 bits, since the sponge’s provable security bound is tied to half the capacity.

Source: NIST, “SHA-3 Standard, Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015 (SHAKE128: rate 1344, capacity 256, 1600-bit state, 24 rounds, suffix 1111), csrc.nist.gov/pubs/fips/202/final.

What security does SHAKE128 provide?

SHAKE128 provides up to 128 bits of security, and the exact figure depends on how much output you request. FIPS 202 gives the strength as a function of the output length d in bits:

PropertyStrength (bits)
Collision resistancemin(d/2, 128)
Preimage resistancemin(d, 128)
Second-preimage resistancemin(d, 128)

The practical consequence is that squeezing more output never pushes SHAKE128 past 128 bits of security, because the 256-bit capacity caps it there. If you request a short output, you can end up with less: a 128-bit SHAKE128 output gives only about 64 bits of collision resistance, because collision strength is half the output length until the 128-bit cap. This is why a SHAKE used for a security-critical purpose is squeezed to a wide enough output for the target strength, and why SHAKE128 is chosen when 128 bits of security is the goal, with SHAKE256 reached for when the target is higher.

Source: NIST, “SHA-3 Standard, Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015 (Table of security strengths: SHAKE128 collision min(d/2, 128), preimage min(d, 128)), csrc.nist.gov/pubs/fips/202/final.

Is SHAKE128 quantum-vulnerable?

No, not in the way public-key cryptography is. SHAKE128 is not structurally broken by a quantum computer, because it does not rest on a hidden mathematical structure the way factoring or the discrete logarithm do. Shor’s algorithm, the quantum attack that actually breaks cryptography, has nothing to grip on a sponge permutation. The only relevant quantum pressure comes from Grover’s algorithm, and Grover only weakens, it does not break:

  1. Preimage resistance takes a square-root hit. Grover searches an unstructured space of N possibilities in about √N steps. Against SHAKE128 at its full 128-bit preimage strength, that reduces the effective work toward about 2^64 in an idealized model, which is the same square-root pressure every hash faces. For most uses that call for extra margin the answer is to move to SHAKE256, whose higher security level absorbs Grover comfortably.
  2. Collision resistance is barely touched. Collision-finding was already bounded by the birthday effect, and realistic quantum collision attacks buy little or no practical advantage once memory and hardware costs are counted, so the collision side is roughly unchanged.

NIST states the general case plainly: Grover’s quadratic speedup “does not render cryptographic technologies obsolete,” but “can have the effect of requiring larger key sizes, even in the symmetric key case,” and for hash functions the remedy is a larger output or a higher security level rather than a new algorithm. Inside the post-quantum standards, this is exactly why the higher-security parameter sets lean on SHAKE256 while SHAKE128 is used where 128-bit security is the design target.

Sources: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final; NIST, “SHA-3 Standard,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.

Where is SHAKE128 load-bearing in post-quantum cryptography?

SHAKE128 is not a side note in the post-quantum standards. It is a core internal component that the security and correctness of ML-KEM and ML-DSA depend on, which is one of the clearest signs that SHA-3 carries forward into the quantum era rather than being left behind:

  1. ML-KEM uses SHAKE128 to expand the public matrix. ML-KEM’s public key would be large if it transmitted its full matrix, so instead it transmits a small seed and both sides expand that seed into the matrix using SHAKE128 as the extendable-output source. The XOF is what lets the scheme send a tiny seed instead of the whole matrix, which keeps key sizes down. This is the sampling step often written as the matrix A being generated from a seed ρ.
  2. ML-DSA uses SHAKE128 for matrix expansion too. ML-DSA expands its public matrix from a seed with SHAKE128, alongside its heavier use of SHAKE256 for message hashing and challenge derivation.

In both schemes, SHAKE128 sits on the correctness-critical path: if two parties expanded the seed differently, they would derive different matrices and the scheme would fail, and if the expansion were not pseudorandom, the security argument would not hold. Far from being a casualty of the transition, SHAKE128 is part of the machinery that makes the transition work.

Sources: NIST, “Module-Lattice-Based Key-Encapsulation Mechanism Standard,” FIPS 203, August 2024, csrc.nist.gov/pubs/fips/203/final; NIST, “Module-Lattice-Based Digital Signature Standard,” FIPS 204, August 2024, csrc.nist.gov/pubs/fips/204/final.

How is SHAKE128 different from SHAKE256 and a fixed hash?

The three are all SHA-3 functions on the same Keccak permutation, and they differ in security level and in whether the output length is fixed:

FunctionTypeRate / capacity (bits)Security levelOutput
SHA3-256Fixed hash1088 / 512128-bit256-bit, fixed
SHAKE128XOF1344 / 256up to 128-bitany length
SHAKE256XOF1088 / 512up to 256-bitany length

SHAKE128’s larger rate (1344 bits versus SHAKE256’s 1088) makes it absorb and squeeze more data per permutation call, so it is faster, at the cost of the lower 128-bit security ceiling. The choice between the two XOFs is a security-level decision: SHAKE128 where 128 bits is the target and speed matters, SHAKE256 where a higher security level is needed. The choice between a XOF and a fixed hash is about whether you need a variable-length pseudorandom stream (use a XOF) or a single set-length fingerprint (use a fixed hash like SHA3-256 or SHA-256).

Source: NIST, “SHA-3 Standard, Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.

Common misconceptions

  1. “Quantum computers will break SHAKE128.” They will not. The only relevant quantum attack is Grover’s, which square-root-dents preimage search and barely touches collision resistance, so SHAKE128 survives on the same terms as every SHA-3 function.
  2. “SHAKE128 is just a longer hash.” It is an extendable-output function, a flexible source of any number of pseudorandom bits, which is why post-quantum schemes use it to expand seeds and sample values, jobs a fixed hash cannot do directly.
  3. “More SHAKE128 output means more security.” Only up to a point. Its security caps at 128 bits regardless of output length, because the 256-bit capacity bounds it there. Requesting a short output gives less, since collision strength is half the output length until the cap.
  4. “SHAKE128 needs a post-quantum replacement.” It does not. There is no separate post-quantum hash family to migrate to, and SHAKE128 is itself a building block of the post-quantum KEM and signature standards.
  5. “SHAKE128 provides 128 bits and SHAKE256 provides 256 bits of the same thing.” The numbers are security levels. SHAKE128 caps at 128-bit security and SHAKE256 at 256-bit, and each is chosen to match the target strength of the surrounding design.

Questions people ask

Is SHAKE128 quantum-safe? Yes. It faces only Grover’s algorithm, which square-root-dents preimage search and leaves collision resistance about where it was. It is not the kind of primitive a quantum computer breaks, and it is a building block of the post-quantum standards themselves.

What does the “128” in SHAKE128 mean? It is the security level, capping the function at about 128 bits of collision and preimage strength no matter how much output you request. It is not the output length, which is variable. SHAKE256 is the 256-bit-security sibling.

Why do ML-KEM and ML-DSA use SHAKE128? They need to expand a small seed into a large pseudorandom matrix, and a XOF does exactly that in one primitive. SHAKE128 is the extendable-output source that lets the schemes transmit a tiny seed instead of a full matrix, which keeps key sizes down.

Can I use SHAKE128 as a regular hash? Yes. Requesting a fixed output length turns it into a fixed hash, though its security still caps at 128 bits and a short output caps collision strength at half that length. For a standard fixed 256-bit digest, SHA3-256 or SHA-256 is the more conventional choice.

Is SHAKE128 approved by NIST? Yes. SHAKE128 is one of the two extendable-output functions specified in NIST’s SHA-3 Standard, FIPS 202.

Should I use SHAKE128 or SHAKE256? SHAKE128 where 128 bits of security is the target and speed matters, since its larger rate makes it faster. SHAKE256 where a higher security level is needed, or where a spec you are implementing calls for it.


Everything here is the map, given freely. When your team needs its own cryptography sorted into what survives the quantum transition and what has to move, that’s what an alignment briefing is for.

Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.