up:: SHA-3
SHAKE256
SHAKE256 is one of the two extendable-output functions (XOFs) defined in NIST’s SHA-3 standard, FIPS 202, built on the same Keccak sponge as the rest of the family, and it differs from a fixed hash in one decisive way: instead of producing a set-length digest, it squeezes out as many pseudorandom bits as the caller asks for. The “256” is its security level, meaning it caps out at about 256 bits of collision and preimage strength no matter how much output you request, so it is the higher-assurance of the two SHAKE functions. It is a load-bearing internal building block of the post-quantum standards ML-KEM, ML-DSA, and SLH-DSA, where it does the heavy hashing, seed expansion, and value sampling those schemes need. Like the rest of SHA-3, its only real quantum pressure comes from Grover’s algorithm, which square-root-dents preimage search and barely touches collision resistance, which is the opposite of what Shor’s algorithm does to public-key algorithms like RSA.
Source: NIST, “SHA-3 Standard, Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.
The short version:
- SHAKE256 is an extendable-output function (XOF): you feed it a message, then squeeze out any number of output bits, from a handful to many thousands.
- It is built on the Keccak sponge, the same 1600-bit permutation as the rest of SHA-3, with a 1088-bit rate and a 512-bit capacity, run for 24 rounds.
- Its security level is 256 bits: collision resistance is
min(d/2, 256)and preimage resistance ismin(d, 256), wheredis the requested output length in bits, so it is the higher-assurance XOF. - It is a core internal component of ML-KEM, ML-DSA, and SLH-DSA, used for message hashing, seed expansion, and sampling, which is one reason SHA-3 carries forward into the quantum era.
- Grover’s algorithm gives only a square-root speedup on preimage search, and SHAKE256’s 256-bit level absorbs it comfortably, so it survives the quantum transition with a wide margin.
- A fixed hash gives one digest of a set length; a XOF like SHAKE256 is a general-purpose source of pseudorandom bits, a job a fixed hash cannot do directly.
What is an extendable-output function?
An extendable-output function is a hash whose output length is not fixed. A normal hash like SHA-256 always gives exactly 256 bits, no more and no less. A XOF like SHAKE256 lets you decide at call time how much output you want, and it will produce a stream of that length that is deterministic from the input and pseudorandom to anyone who does not know the input. The picture is a kitchen sponge: SHA-3 absorbs your whole message into one large internal state, mixing thoroughly, and then squeezes output bits back out. A fixed hash squeezes once for a set length. SHAKE256 keeps squeezing for as many bits as you ask for.
That flexibility is what makes a XOF a general-purpose building block rather than just an integrity check. You can use SHAKE256 to derive a key of any length, to expand a small random seed into a much larger pseudorandom value, to hash a message down to a challenge, or to produce many independent outputs from one seed by tagging each use. Those are the jobs that show up constantly inside modern cryptographic protocol design, and they are exactly the jobs the post-quantum standards hand to SHAKE at their higher security levels.
Source: NIST, “SHA-3 Standard, Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.
How does SHAKE256 work?
SHAKE256 uses the sponge construction, built around the single 1600-bit Keccak-f permutation shared by the whole SHA-3 family. The state is split into a rate (the bits the message touches) and a capacity (the bits held back, where the security margin lives). SHAKE256 uses a 1088-bit rate and a 512-bit capacity, so it holds back more of the state than SHAKE128, trading some speed for a higher security ceiling. The process runs in three stages:
- Padding. The message is padded with the sponge’s padding rule plus a domain-separation suffix that marks the input as a SHAKE XOF rather than a fixed SHA-3 hash. SHAKE uses the suffix bits
1111, while the fixed SHA-3 hashes use01, so the same message run through SHAKE256 and through a SHA-3 hash produces unrelated output. - Absorbing. The padded message is split into 1088-bit rate-sized blocks. Each block is combined into the state with XOR, and then the full Keccak-f permutation runs over all 1600 bits for 24 rounds, mixing the block into both the rate and the capacity. This repeats block by block until the whole message is absorbed.
- Squeezing. The function reads out the 1088-bit rate portion of the state as output. If more output is needed, it runs Keccak-f again and reads the rate again, repeating until the requested number of bits is produced. This is the step that makes it extendable: the caller can ask for any length, and the sponge keeps squeezing.
The security intuition is that an attacker never gets to see or touch the 512-bit capacity directly, so recovering the internal state or forcing a collision means defeating the full permutation. Because the capacity stays hidden, the sponge also closes the length-extension weakness that bare SHA-256 carries. The 512-bit capacity is what lifts SHAKE256’s security ceiling to 256 bits, since the sponge’s provable security bound is tied to half the capacity.
Source: NIST, “SHA-3 Standard, Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015 (SHAKE256: rate 1088, capacity 512, 1600-bit state, 24 rounds, suffix 1111), csrc.nist.gov/pubs/fips/202/final.
What security does SHAKE256 provide?
SHAKE256 provides up to 256 bits of security, and the exact figure depends on how much output you request. FIPS 202 gives the strength as a function of the output length d in bits:
| Property | Strength (bits) |
|---|---|
| Collision resistance | min(d/2, 256) |
| Preimage resistance | min(d, 256) |
| Second-preimage resistance | min(d, 256) |
The practical consequence is that SHAKE256 tops out at 256 bits of security, the highest of any SHA-3 function, because its 512-bit capacity caps it there. If you request a short output, you can end up with less: a 256-bit SHAKE256 output gives only about 128 bits of collision resistance, because collision strength is half the output length until the 256-bit cap. This is why a SHAKE used for a security-critical purpose is squeezed to a wide enough output for the target strength, and why SHAKE256 is the reach-for XOF when the target strength is above 128 bits or when the design wants maximum margin.
Source: NIST, “SHA-3 Standard, Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015 (Table of security strengths: SHAKE256 collision min(d/2, 256), preimage min(d, 256)), csrc.nist.gov/pubs/fips/202/final.
Is SHAKE256 quantum-vulnerable?
No, not in the way public-key cryptography is. SHAKE256 is not structurally broken by a quantum computer, because it does not rest on a hidden mathematical structure the way factoring or the discrete logarithm do. Shor’s algorithm, the quantum attack that actually breaks cryptography, has nothing to grip on a sponge permutation. The only relevant quantum pressure comes from Grover’s algorithm, and Grover only weakens, it does not break:
- Preimage resistance takes a square-root hit. Grover searches an unstructured space of
Npossibilities in about√Nsteps. Against SHAKE256 at its full 256-bit preimage strength, that reduces the effective work toward about2^128in an idealized model, which is still astronomically out of reach. SHAKE256’s high security level is exactly why the higher-assurance post-quantum parameter sets lean on it. - Collision resistance is barely touched. Collision-finding was already bounded by the birthday effect, and realistic quantum collision attacks buy little or no practical advantage once memory and hardware costs are counted, so the collision side is roughly unchanged.
NIST states the general case plainly: Grover’s quadratic speedup “does not render cryptographic technologies obsolete,” but “can have the effect of requiring larger key sizes, even in the symmetric key case,” and for hash functions the remedy is a larger output or a higher security level rather than a new algorithm. SHAKE256 already provides the highest security level in the SHA-3 family, so it keeps a wide quantum-adjusted margin, which is why it is the workhorse hashing primitive inside the post-quantum standards.
Sources: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final; NIST, “SHA-3 Standard,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.
Where is SHAKE256 load-bearing in post-quantum cryptography?
SHAKE256 is the most heavily used hashing primitive across the post-quantum standards, which is one of the clearest signs that SHA-3 carries forward into the quantum era rather than being left behind. All three finalized standards reach for it:
- ML-KEM uses SHAKE256 for hashing and key derivation. ML-KEM uses SHAKE256 (alongside SHA3-256 and SHA3-512) for internal hashing and deriving the shared secret, with SHAKE128 handling the public-matrix expansion. The scheme’s correctness and its IND-CCA2 security argument depend on these functions behaving as strong pseudorandom primitives.
- ML-DSA uses SHAKE256 throughout. ML-DSA hashes the message, derives its challenge values, and expands seeds into its masking vectors using SHAKE256 (with SHAKE128 for matrix expansion). The signature and verification paths run through SHAKE256 repeatedly.
- SLH-DSA can be built entirely on SHAKE256. SLH-DSA is defined with two interchangeable instantiations of its internal functions, one built on SHA-2 and one built on SHAKE256, so an implementer can pick whichever hash family their platform accelerates. This is hash-based cryptography, where the entire signature scheme’s security reduces to the strength of the underlying hash, so SHAKE256 is not a helper there but the security foundation itself.
The takeaway is that the post-quantum algorithms depend on a strong, quantum-resistant hash as their foundation, and SHAKE256 is the high-security-level function they were built on. Far from being a casualty of the transition, SHAKE256 is part of the machinery that makes the transition work.
Sources: NIST, “Module-Lattice-Based Key-Encapsulation Mechanism Standard,” FIPS 203, August 2024, csrc.nist.gov/pubs/fips/203/final; NIST, “Module-Lattice-Based Digital Signature Standard,” FIPS 204, August 2024, csrc.nist.gov/pubs/fips/204/final; NIST, “Stateless Hash-Based Digital Signature Standard,” FIPS 205, August 2024, csrc.nist.gov/pubs/fips/205/final.
How is SHAKE256 different from SHAKE128 and a fixed hash?
The three are all SHA-3 functions on the same Keccak permutation, and they differ in security level and in whether the output length is fixed:
| Function | Type | Rate / capacity (bits) | Security level | Output |
|---|---|---|---|---|
| SHA3-512 | Fixed hash | 576 / 1024 | 256-bit | 512-bit, fixed |
| SHAKE128 | XOF | 1344 / 256 | up to 128-bit | any length |
| SHAKE256 | XOF | 1088 / 512 | up to 256-bit | any length |
SHAKE256’s smaller rate (1088 bits versus SHAKE128’s 1344) means it processes less data per permutation call, so it is slower than SHAKE128, in exchange for its higher 256-bit security ceiling. The choice between the two XOFs is a security-level decision: SHAKE128 where 128 bits is the target and speed matters, SHAKE256 where a higher security level is needed, which is why the post-quantum standards use SHAKE256 for their security-critical hashing. The choice between a XOF and a fixed hash is about whether you need a variable-length pseudorandom stream (use a XOF) or a single set-length fingerprint (use a fixed hash like SHA3-512 or SHA-512).
Source: NIST, “SHA-3 Standard, Permutation-Based Hash and Extendable-Output Functions,” FIPS 202, August 2015, csrc.nist.gov/pubs/fips/202/final.
Common misconceptions
- “Quantum computers will break SHAKE256.” They will not. The only relevant quantum attack is Grover’s, which square-root-dents preimage search to about 128 bits of effective work at SHAKE256’s full strength and barely touches collision resistance, both far out of reach.
- “SHAKE256 is just a longer hash.” It is an extendable-output function, a flexible source of any number of pseudorandom bits, which is why the post-quantum schemes use it to hash messages, expand seeds, and sample values, jobs a fixed hash cannot do directly.
- “More SHAKE256 output means more security.” Only up to a point. Its security caps at 256 bits regardless of output length, because the 512-bit capacity bounds it there. Requesting a short output gives less, since collision strength is half the output length until the cap.
- “SHAKE256 needs a post-quantum replacement.” It does not. There is no separate post-quantum hash family to migrate to, and SHAKE256 is itself the hashing foundation of the post-quantum KEM and signature standards, including all of hash-based SLH-DSA on its SHAKE instantiation.
- “SHAKE256 is slower, so it is worse than SHAKE128.” It is slower because it holds back more capacity, which is precisely what buys its higher 256-bit security level. Each is chosen to match the target strength of the surrounding design.
Questions people ask
Is SHAKE256 quantum-safe? Yes, with a wide margin. It faces only Grover’s algorithm, which reduces its 256-bit preimage strength toward about 128 bits of effective work and leaves collision resistance about where it was. It is not the kind of primitive a quantum computer breaks, and it is a building block of the post-quantum standards themselves.
What does the “256” in SHAKE256 mean? It is the security level, capping the function at about 256 bits of collision and preimage strength no matter how much output you request. It is not the output length, which is variable. SHAKE128 is the faster 128-bit-security sibling.
Why do the post-quantum standards use SHAKE256? They need a strong hash and a way to expand a small seed into many pseudorandom bits, and SHAKE256 does both in one primitive at a high security level. Hash-based SLH-DSA can be built entirely on SHAKE256, so its whole security rests on that function.
Can I use SHAKE256 as a regular hash? Yes. Requesting a fixed output length turns it into a fixed hash, though a short output caps collision strength at half that length. For a standard fixed 512-bit digest, SHA3-512 or SHA-512 is the more conventional choice.
Is SHAKE256 approved by NIST? Yes. SHAKE256 is one of the two extendable-output functions specified in NIST’s SHA-3 Standard, FIPS 202.
Should I use SHAKE256 or SHAKE128? SHAKE256 where a security level above 128 bits is needed, or where maximum margin is wanted, which is why the post-quantum standards use it for security-critical hashing. SHAKE128 where 128 bits is the target and its larger rate makes it faster.
Everything here is the map, given freely. When your team needs its own cryptography sorted into what survives the quantum transition and what has to move, that’s what an alignment briefing is for.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.