12/28/23, 4:14 PM SHA-3 - Wikipedia

SHA-3
(Redirected from KangarooTwelve)

SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of
standards, released by NIST on August 5, 2015.[4][5][6] Although part of the same series of standards,
Secure Hash Algorithms
SHA-3 is internally different from the MD5-like structure of SHA-1 and SHA-2. Concepts

SHA-3 is a subset of the broader cryptographic primitive family Keccak (/ˈkɛtʃæk/ or /ˈkɛtʃɑːk/),[7][8] hash functions, SHA, DSA
designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche, building upon Main standards
RadioGatún. Keccak's authors have proposed additional uses for the function, not (yet) standardized by SHA-0, SHA-1, SHA-2, SHA-3
NIST, including a stream cipher, an authenticated encryption system, a "tree" hashing scheme for faster
hashing on certain architectures,[9][10] and AEAD ciphers Keyak and Ketje.[11][12]

Keccak is based on a novel approach called sponge construction.[13] Sponge construction is based on a SHA-3
wide random function or random permutation, and allows inputting ("absorbing" in sponge (Keccak)
terminology) any amount of data, and outputting ("squeezing") any amount of data, while acting as a General
pseudorandom function with regard to all previous inputs. This leads to great flexibility.
Designers Guido Bertoni, Joan
NIST does not currently plan to withdraw SHA-2 or remove it from the revised Secure Hash Standard. Daemen, Michaël
The purpose of SHA-3 is that it can be directly substituted for SHA-2 in current applications if Peeters, and Gilles
necessary, and to significantly improve the robustness of NIST's overall hash algorithm toolkit.[14] van Assche.
First 2016
For small message sizes, the creators of the Keccak algorithms and the SHA-3 functions suggest using
the faster function KangarooTwelve with adjusted parameters and a new tree hashing mode without published
extra overhead. Series (SHA-0), SHA-1,
SHA-2, SHA-3
History Certification FIPS PUB 202
Detail
The Keccak algorithm is the work of Guido Bertoni, Joan Daemen (who also co-designed the Rijndael
cipher with Vincent Rijmen), Michaël Peeters, and Gilles Van Assche. It is based on earlier hash function Digest sizes arbitrary
designs PANAMA and RadioGatún. PANAMA was designed by Daemen and Craig Clapp in 1998. Structure sponge construction
RadioGatún, a successor of PANAMA, was designed by Daemen, Peeters, and Van Assche, and was Speed 12.6 cpb on a typical
presented at the NIST Hash Workshop in 2006.[15] The reference implementation source code was x86-64-based
dedicated to public domain via CC0 waiver.[16] machine for Keccak-
In 2006, NIST started to organize the NIST hash function competition to create a new hash standard, f[1600] plus XORing
SHA-3. SHA-3 is not meant to replace SHA-2, as no significant attack on SHA-2 has been demonstrated 1024 bits,[1] which
. Because of the successful attacks on MD5, SHA-0 and SHA-1,[17][18] NIST perceived a need for an roughly corresponds
alternative, dissimilar cryptographic hash, which became SHA-3. to SHA2-256.
Best public cryptanalysis
After a setup period, admissions were to be submitted by the end of 2008. Keccak was accepted as one of
the 51 candidates. In July 2009, 14 algorithms were selected for the second round. Keccak advanced to Preimage attack on Keccak-512
the last round in December 2010.[19] reduced to 8 rounds, requiring 2511.5
time and 2508 memory.[2] Zero-sum
During the competition, entrants were permitted to "tweak" their algorithms to address issues that were distinguishers exist for the full 24-
round Keccak-f[1600], though they
discovered. Changes that have been made to Keccak are:[20][21]
cannot be used to attack the hash
function itself[3]
The number of rounds was increased from 12 + ℓ to 12 + 2ℓ to be more conservative about security.
The message padding was changed from a more complex scheme to the simple 10*1 pattern described below.
The rate r was increased to the security limit, rather than rounding down to the nearest power of 2.

On October 2, 2012, Keccak was selected as the winner of the competition.[7]

In 2014, the NIST published a draft FIPS 202 "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions".[22] FIPS 202
was approved on August 5, 2015.[23]

On August 5, 2015, NIST announced that SHA-3 had become a hashing standard.[24]

Weakening controversy

https://en.wikipedia.org/wiki/SHA-3#KangarooTwelve 1/10
12/28/23, 4:14 PM SHA-3 - Wikipedia
In early 2013 NIST announced they would select different values for the "capacity", the overall strength vs. speed parameter, for the SHA-3
standard, compared to the submission.[25][26] The changes caused some turmoil.

The hash function competition called for hash functions at least as secure as the SHA-2 instances. It means that a d-bit output should have
d/2-bit resistance to collision attacks and d-bit resistance to preimage attacks, the maximum achievable for d bits of output. Keccak's
security proof allows an adjustable level of security based on a "capacity" c, providing c/2-bit resistance to both collision and preimage
attacks. To meet the original competition rules, Keccak's authors proposed c = 2d. The announced change was to accept the same d/2-bit
security for all forms of attack and standardize c = d. This would have sped up Keccak by allowing an additional d bits of input to be hashed
each iteration. However, the hash functions would not have been drop-in replacements with the same preimage resistance as SHA-2 any
more; it would have been cut in half, making it vulnerable to advances in quantum computing, which effectively would cut it in half once
more.[27]

In September 2013, Daniel J. Bernstein suggested on the NIST hash-forum mailing list[28] to strengthen the security to the 576-bit capacity
that was originally proposed as the default Keccak, in addition to and not included in the SHA-3 specifications.[29] This would have provided
at least a SHA3-224 and SHA3-256 with the same preimage resistance as their SHA-2 predecessors, but SHA3-384 and SHA3-512 would
have had significantly less preimage resistance than their SHA-2 predecessors. In late September, the Keccak team responded by stating that
they had proposed 128-bit security by setting c = 256 as an option already in their SHA-3 proposal.[30] Although the reduced capacity was
justifiable in their opinion, in the light of the negative response, they proposed raising the capacity to c = 512 bits for all instances. This
would be as much as any previous standard up to the 256-bit security level, while providing reasonable efficiency,[31] but not the 384-/512-
bit preimage resistance offered by SHA2-384 and SHA2-512. The authors stated that "claiming or relying on security strength levels above
256 bits is meaningless".

In early October 2013, Bruce Schneier criticized NIST's decision on the basis of its possible detrimental effects on the acceptance of the
algorithm, saying:

There is too much mistrust in the air. NIST risks publishing an algorithm that no one will trust and no one (except those forced)
will use.[32]

He later retracted his earlier statement, saying:

I misspoke when I wrote that NIST made "internal changes" to the algorithm. That was sloppy of me. The Keccak permutation
remains unchanged. What NIST proposed was reducing the hash function's capacity in the name of performance. One of Keccak's
nice features is that it's highly tunable.[32]

Paul Crowley, a cryptographer and senior developer at an independent software development company, expressed his support of the
decision, saying that Keccak is supposed to be tunable and there is no reason for different security levels within one primitive. He also
added:

Yes, it's a bit of a shame for the competition that they demanded a certain security level for entrants, then went to publish a
standard with a different one. But there's nothing that can be done to fix that now, except re-opening the competition.
Demanding that they stick to their mistake doesn't improve things for anyone.[33]

There was some confusion that internal changes may have been made to Keccak, which were cleared up by the original team, stating that
NIST's proposal for SHA-3 is a subset of the Keccak family, for which one can generate test vectors using their reference code submitted to
the contest, and that this proposal was the result of a series of discussions between them and the NIST hash team.[34]

In response to the controversy, in November 2013 John Kelsey of NIST proposed to go back to the original c = 2d proposal for all SHA-2
drop-in replacement instances.[35] The reversion was confirmed in subsequent drafts[36] and in the final release.[4]

Design
SHA-3 uses the sponge construction,[13] in which data is "absorbed" into the sponge, then the
result is "squeezed" out. In the absorbing phase, message blocks are XORed into a subset of
the state, which is then transformed as a whole using a permutation function . (Calling a
permutation may be confusing. It is technically a permutation of the state space, thus a
permutation of a set with elements, but it does more than merely permute
the bits of the state vector.) In the "squeeze" phase, output blocks are read from the same
subset of the state, alternated with the state transformation function . The size of the part of
the state that is written and read is called the "rate" (denoted ), and the size of the part that The sponge construction for hash functions. Pi
is untouched by input/output is called the "capacity" (denoted ). The capacity determines the are input, Zi are hashed output. The unused
security of the scheme. The maximum security level is half the capacity. "capacity" c should be twice the desired
resistance to collision or preimage attacks.

https://en.wikipedia.org/wiki/SHA-3#KangarooTwelve 2/10
12/28/23, 4:14 PM SHA-3 - Wikipedia
Given an input bit string , a padding function , a permutation function that operates on bit blocks of width , a rate and an output
length , we have capacity and the sponge construction , yielding a bit string of length , works as
follows:[5]: 18

pad the input N using the pad function, yielding a padded bit string P with a length divisible by (such that is an integer)
break P into n consecutive r-bit pieces P0, ..., Pn−1
initialize the state S to a string of b zero bits
absorb the input into the state: for each block Pi:

extend Pi at the end by a string of c zero bits, yielding one of length b

XOR that with S
apply the block permutation f to the result, yielding a new state S
initialize Z to be the empty string
while the length of Z is less than d:
append the first r bits of S to Z
if Z is still less than d bits long, apply f to S, yielding a new state S
truncate Z to d bits

The fact that the internal state S contains c additional bits of information in addition to what is output to Z prevents the length extension
attacks that SHA-2, SHA-1, MD5 and other hashes based on the Merkle–Damgård construction are susceptible to.

In SHA-3, the state S consists of a 5 × 5 array of w-bit words (with w = 64), b = 5 × 5 × w = 5 × 5 × 64 = 1600 bits total. Keccak is also
defined for smaller power-of-2 word sizes w down to 1 bit (total state of 25 bits). Small state sizes can be used to test cryptanalytic attacks,
and intermediate state sizes (from w = 8, 200 bits, to w = 32, 800 bits) can be used in practical, lightweight applications.[11][12]

For SHA3-224, SHA3-256, SHA3-384, and SHA3-512 instances, r is greater than d, so there is no need for additional block permutations in
the squeezing phase; the leading d bits of the state are the desired hash. However, SHAKE128 and SHAKE256 allow an arbitrary output
length, which is useful in applications such as optimal asymmetric encryption padding.

Padding
To ensure the message can be evenly divided into r-bit blocks, padding is required. SHA-3 uses the pattern 10*1 in its padding function: a 1
bit, followed by zero or more 0 bits (maximum r − 1) and a final 1 bit.

The maximum of r − 1 zero bits occurs when the last message block is r − 1 bits long. Then another block is added after the initial 1 bit,
containing r − 1 zero bits before the final 1 bit.

The two 1 bits will be added even if the length of the message is already divisible by r.[5]: 5.1 In this case, another block is added to the
message, containing a 1 bit, followed by a block of r − 2 zero bits and another 1 bit. This is necessary so that a message with length divisible
by r ending in something that looks like padding does not produce the same hash as the message with those bits removed.

The initial 1 bit is required so messages differing only in a few additional 0 bits at the end do not produce the same hash.

The position of the final 1 bit indicates which rate r was used (multi-rate padding), which is required for the security proof to work for
different hash variants. Without it, different hash variants of the same short message would be the same up to truncation.

The block permutation

The block transformation f, which is Keccak-f[1600] for SHA-3, is a permutation that uses XOR, AND and NOT operations, and is designed
for easy implementation in both software and hardware.

It is defined for any power-of-two word size, w = 2ℓ bits. The main SHA-3 submission uses 64-bit words, ℓ = 6.

The state can be considered to be a 5 × 5 × w array of bits. Let a[i][ j][k] be bit (5i + j) × w + k of the input, using a little-endian bit
numbering convention and row-major indexing. I.e. i selects the row, j the column, and k the bit.

Index arithmetic is performed modulo 5 for the first two dimensions and modulo w for the third.

The basic block permutation function consists of 12 + 2ℓ rounds of five steps:

θ (theta)
Compute the parity of each of the 5w (320, when w = 64) 5-bit columns, and exclusive-or that into two nearby columns in a regular
pattern. To be precise, a[i][ j][k] ← a[i][ j][k] ⊕ parity(a[0...4][j-1][k]) ⊕ parity(a[0...4][j+1][k−1])
ρ (rho)
Bitwise rotate each of the 25 words by a different triangular number 0, 1, 3, 6, 10, 15, .... To be precise, a[0][0] is not rotated, and for all

0 ≤ t < 24, a[i][ j][k] ← a[i][ j][k−(t+1)(t+2)/2], where .

https://en.wikipedia.org/wiki/SHA-3#KangarooTwelve 3/10
12/28/23, 4:14 PM SHA-3 - Wikipedia
π (pi)
Permute the 25 words in a fixed pattern. a[3i+2j][i] ← a[ i][j].
χ (chi)
Bitwise combine along rows, using x ← x ⊕ (¬y & z). To be precise, a[i][ j][k] ← a[i][ j][k] ⊕ (¬a[i][ j+1][k] & a[i][ j+2][k]).
This is the only non-linear operation in SHA-3.
ι (iota)
Exclusive-or a round constant into one word of the state. To be precise, in round n, for 0 ≤ m ≤ ℓ, a[0][0][2m−1] is XORed with bit
m + 7n of a degree-8 LFSR sequence. This breaks the symmetry that is preserved by the other steps.

Speed
The speed of SHA-3 hashing of long messages is dominated by the computation of f = Keccak-f[1600] and XORing S with the extended Pi, an
operation on b = 1600 bits. However, since the last c bits of the extended Pi are 0 anyway, and XOR with 0 is a NOP, it is sufficient to
perform XOR operations only for r bits (r = 1600 − 2 × 224 = 1152 bits for SHA3-224, 1088 bits for SHA3-256, 832 bits for SHA3-384 and
576 bits for SHA3-512). The lower r is (and, conversely, the higher c = b − r = 1600 − r), the less efficient but more secure the hashing
becomes since fewer bits of the message can be XORed into the state (a quick operation) before each application of the computationally
expensive f. The authors report the following speeds for software implementations of Keccak-f[1600] plus XORing 1024 bits,[1] which
roughly corresponds to SHA3-256:

57.4 cpb on IA-32, Intel Pentium 3[37]

41 cpb on IA-32+MMX, Intel Pentium 3
20 cpb on IA-32+SSE, Intel Core 2 Duo or AMD Athlon 64
12.6 cpb on a typical x86-64-based machine
6–7 cpb on IA-64[1]

For the exact SHA3-256 on x86-64, Bernstein measures 11.7–12.25 cpb depending on the CPU.[38]: 7 SHA-3 has been criticized for being
slow on instruction set architectures (CPUs) which do not have instructions meant specially for computing Keccak functions faster – SHA2-
512 is more than twice as fast as SHA3-512, and SHA-1 is more than three times as fast on an Intel Skylake processor clocked at 3.2 GHz.[39]
The authors have reacted to this criticism by suggesting to use SHAKE128 and SHAKE256 instead of SHA3-256 and SHA3-512, at the
expense of cutting the preimage resistance in half (but while keeping the collision resistance). With this, performance is on par with SHA2-
256 and SHA2-512.

However, in hardware implementations, SHA-3 is notably faster than all other finalists,[40] and also faster than SHA-2 and SHA-1.[39]

As of 2018, ARM's ARMv8[41] and IBM's s390x architectures include special instructions which enable Keccak algorithms to execute faster.

Instances
The NIST standard defines the following instances, for message M and output length d:[5]: 20, 23

Output Rate r Security strength in bits of resistance against

Instance Capacity c Definition
size d = block size Collision Preimage 2nd preimage

SHA3-224(M) 224 1152 448 Keccak[448](M || 01, 224) 112 224 224

SHA3-256(M) 256 1088 512 Keccak[512](M || 01, 256) 128 256 256
SHA3-384(M) 384 832 768 Keccak[768](M || 01, 384) 192 384 384

SHA3-512(M) 512 576 1024 Keccak[1024](M || 01, 512) 256 512 512

SHAKE128(M, d) d 1344 256 Keccak[256](M || 1111, d) min(d/2,128) ≥min(d,128) min(d,128)

SHAKE256(M, d) d 1088 512 Keccak[512](M || 1111, d) min(d/2,256) ≥min(d,256) min(d,256)

With the following definitions

Keccak[c](N, d) = sponge[Keccak-f[1600], pad10*1, r](N, d)[5]: 20

Keccak-f[1600] = Keccak-p[1600, 24][5]: 17
c is the capacity
r is the rate = 1600 − c
N is the input bit string

SHA-3 instances are drop-in replacements for SHA-2, intended to have identical security properties.

SHAKE will generate as many bits from its sponge as requested, thus being extendable-output functions (XOFs). For example,
SHAKE128(M, 256) can be used as a hash function with a 256 character bitstream with 128-bit security strength. Arbitrarily large lengths
can be used as pseudo-random number generators. Alternately, SHAKE256(M, 128) can be used as a hash function with a 128-bit length and
128-bit resistance.[5]

https://en.wikipedia.org/wiki/SHA-3#KangarooTwelve 4/10
12/28/23, 4:14 PM SHA-3 - Wikipedia
All instances append some bits to the message, the rightmost of which represent the domain separation suffix. The purpose of this is to
ensure that it is not possible to construct messages that produce the same hash output for different applications of the Keccak hash function.
The following domain separation suffixes exist:[5][42]

Suffix Meaning

...0 reserved for future use

01 SHA-3
...11 RawSHAKE

1111 SHAKE

Additional instances
In December 2016 NIST published a new document, NIST SP.800-185,[43] describing additional SHA-3 derived functions:

Instance Description

cSHAKE128(X, L, N, S)
A version of SHAKE supporting explicit domain separation via customization parameters.
cSHAKE256(X, L, N, S)

KMAC128(K, X, L, S)

KMAC256(K, X, L, S)
A keyed hash function based on Keccak. Can also be used without a key as a regular hash function.
KMACXOF128(K, X, L, S)

KMACXOF256(K, X, L, S)

TupleHash128(X, L, S)
TupleHash256(X, L, S) A function for hashing tuples of strings. The output of this function depends on both the contents and the sequence of input
TupleHashXOF128(X, L, S) strings.

TupleHashXOF256(X, L, S)

ParallelHash128(X, B, L, S)

ParallelHash256(X, B, L, S) A function designed to exploit parallelism in modern processors for faster hashing. Unlike KangarooTwelve, does not use reduced-
ParallelHashXOF128(X, B, L, S) round Keccak.

ParallelHashXOF256(X, B, L, S)

• X is the main input bit string. It may be of any length, including zero.

• L is an integer representing the requested output length in bits.

• N is a function-name bit string, used by NIST to define functions based on cSHAKE. When no function other than cSHAKE is desired, N is
set to the empty string.

• S is a customization bit string. The user selects this string to define a variant of the function. When no customization is desired, S is set to
the empty string.

• K is a key bit string of any length, including zero.

• B is the block size in bytes for parallel hashing. It may be any integer such that 0 < B < 22040.

Later developments

KangarooTwelve

In 2016 the same team that made the SHA-3 functions and the Keccak algorithm introduced faster KangarooTwelve
reduced-rounds (reduced to 12 and 14 rounds, from the 24 in SHA-3) alternatives which can exploit the General
availability of parallel execution because of using tree hashing: KangarooTwelve and
Designers Guido Bertoni, Joan
MarsupilamiFourteen.[45]
Daemen, Michaël
These functions differ from ParallelHash, the FIPS standardized Keccak-based parallelizable hash Peeters, Gilles Van
function, with regard to the parallelism, in that they are faster than ParallelHash for small message sizes. Assche, Ronny Van
Keer, Benoît Viguier
The reduced number of rounds is justified by the huge cryptanalytic effort focused on Keccak which did
First August 10, 2016
not produce practical attacks on anything close to twelve-round Keccak. These higher-speed algorithms
are not part of SHA-3 (as they are a later development), and thus are not FIPS compliant; but because published
they use the same Keccak permutation they are secure for as long as there are no attacks on SHA-3
reduced to 12 rounds.[45]
https://en.wikipedia.org/wiki/SHA-3#KangarooTwelve 5/10
12/28/23, 4:14 PM SHA-3 - Wikipedia
KangarooTwelve is a higher-performance reduced-round (from 24 to 12 rounds) version of Keccak which Derived Keccak
claims to have 128 bits of security[46] while having performance as high as 0.55 cycles per byte on a from
Skylake CPU.[47] This algorithm is an IETF RFC draft.[48]
Detail
MarsupilamiFourteen, a slight variation on KangarooTwelve, uses 14 rounds of the Keccak permutation Digest arbitrary
and claims 256 bits of security. Note that 256-bit security is not more useful in practice than 128-bit sizes
security, but may be required by some standards.[46] 128 bits are already sufficient to defeat brute-force Structure sponge construction
attacks on current hardware, so having 256-bit security does not add practical value, unless the user is
and tree hashing with
worried about significant advancements in the speed of classical computers. For resistance against
kangaroo hopping
quantum computers, see below.
Rounds 12
KangarooTwelve and MarsupilamiFourteen are Extendable-Output Functions, similar to SHAKE, Speed 0.51 cpb on SkylakeX
therefore they generate closely related output for a common message with different output length (the
with AVX-512[44]
longer output is an extension of the shorter output). Such property is not exhibited by hash functions
such as SHA-3 or ParallelHash (except of XOF variants).[5] Best public cryptanalysis
Same as Keccak's

The Farfalle construction

In 2016, the Keccak team released a different construction called Farfalle construction, and Kravatte, an instance of Farfalle using the
Keccak-p permutation,[49] as well as two authenticated encryption algorithms Kravatte-SANE and Kravatte-SANSE[50]

Sakura tree hashing

RawSHAKE is the basis for the Sakura coding for tree hashing, which has not been standardized yet. Sakura uses a suffix of 1111 for single
nodes, equivalent to SHAKE, and other generated suffixes depending on the shape of the tree.[42]: 16

Security against quantum attacks

There is a general result (Grover's algorithm) that quantum computers can perform a structured preimage attack in , while a
classical brute-force attack needs 2d. A structured preimage attack implies a second preimage attack[27] and thus a collision attack. A
[51]
quantum computer can also perform a birthday attack, thus break collision resistance, in (although that is disputed).[52]
Noting that the maximum strength can be , this gives the following upper[53] bounds on the quantum security of SHA-3:

Security strength in bits of resistance against

Instance Collision Collision
Preimage 2nd preimage
(Brassard et al.) (Bernstein)
SHA3-224(M) 742⁄3 112 112 112
1
SHA3-256(M) 85 ⁄3 128 128 128

SHA3-384(M) 128 192 192 192

SHA3-512(M) 1702⁄3 256 256 256

SHAKE128(M, d) min(d/3,128) min(d/2,128) ≥min(d/2,128) min(d/2,128)

SHAKE256(M, d) min(d/3,256) min(d/2,256) ≥min(d/2,256) min(d/2,256)

It has been shown that the Merkle–Damgård construction, as used by SHA-2, is collapsing and, by consequence, quantum collision-
resistant,[54] but for the sponge construction used by SHA-3, the authors provide proofs only for the case when the block function f is not
efficiently invertible; Keccak-f[1600], however, is efficiently invertible, and so their proof does not apply.[55]

Examples of SHA-3 variants

The following hash values are from NIST.gov:[56]

SHA3-224("")
6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7
SHA3-256("")
a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
SHA3-384("")
0c63a75b845e4f7d01107d852e4c2485c51a50aaaa94fc61995e71bbee983a2ac3713831264adb47fb6bd1e058d5f004
SHA3-512("")
a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26
SHAKE128("", 256)
7f9c2ba4e88f827d616045507605853ed73b8093f6efbc88eb1a6eacfa66ef26
SHAKE256("", 512)
46b9dd2b0ba88d13233b3feb743eeb243fcd52ea62b81b82b50c27646ed5762fd75dc4ddd8c0f200cb05019d67b592f6fc821c49479ab48640292eacb3b7c4be

Changing a single bit causes each bit in the output to change with 50% probability, demonstrating an avalanche effect:

https://en.wikipedia.org/wiki/SHA-3#KangarooTwelve 6/10
12/28/23, 4:14 PM SHA-3 - Wikipedia

SHAKE128("The quick brown fox jumps over the lazy dog", 256)
f4202e3c5852f9182a0430fd8144f0a74b95e7417ecae17db0f8cfeed0e3e66e
SHAKE128("The quick brown fox jumps over the lazy dof", 256)
853f4538be0db9621a6cea659a06c1107b1f83f02b13d18297bd39d7411cf10c

Comparison of SHA functions

In the table below, internal state means the number of bits that are carried over to the next block.

Comparison of SHA functions

Security Performance on
Security against Skylake (median
against length cpb)[57]
Output Internal Block collision extension
Algorithm and size state size size attacks attacks Long First
variant (bits) (bits) (bits) Rounds Operations (bits) (bits) messages 8 bytes published
MD5 (as reference) 128 128 512 4 And, Xor, Or, ≤ 18 4.99 55.00 1992
(4 × 32) (16 operations Rot, (collisions 0
in each round) Add (mod 232) found)[58]
SHA-0 160 160 512 80 And, Xor, Or, < 34 ≈ SHA-1 ≈ SHA-1 1993
(5 × 32) Rot, (collisions
Add (mod 232) found)
0
SHA-1 < 63 3.47 52.00 1995
(collisions
found)[59]
SHA-2 SHA-224 224 256 512 64 And, Xor, Or, 7.62 84.50 2004
SHA-256 256 (8 × 32) Rot, Shr, 112 32 7.63 85.25 2001
128 0
Add (mod 232)
SHA-384 384 512 1024 80 And, Xor, Or, 192 128 5.12 135.75 2001
(8 × 64) Rot, Shr,
SHA-512 512 256 [60] 5.06 135.50 2001
Add (mod 264) 0
SHA-512/224 224 112 288 ≈ SHA-384 ≈ SHA-384 2012
SHA-512/256 256 128 256

SHA-3 SHA3-224 224 1600 1152 24[61] And, Xor, Rot, 112 448 8.12 154.25 2015
SHA3-256 256 (5 × 5 × 64) 1088 Not 128 512 8.59 155.50
SHA3-384 384 832 192 768 11.06 164.00
SHA3-512 512 576 256 1024 15.88 164.00
SHAKE128 d (arbitrary) 1344 min(d/2, 128) 256 7.08 155.25
SHAKE256 d (arbitrary) 1088 min(d/2, 256) 512 8.59 155.50

Optimized implementation using AVX-512VL (i.e. from OpenSSL, running on Skylake-X CPUs) of SHA3-256 do achieve about 6.4 cycles per
byte for large messages,[62] and about 7.8 cycles per byte when using AVX2 on Skylake CPUs.[63] Performance on other x86, Power and
ARM CPUs depending on instructions used, and exact CPU model varies from about 8 to 15 cycles per byte,[64][65][66] with some older x86
CPUs up to 25–40 cycles per byte.[67]

Implementations
Below is a list of cryptography libraries that support SHA-3:

Rust's sha3 (https://docs.rs/sha3)

Botan
Bouncy Castle
Crypto++
Libgcrypt
Nettle
OpenSSL
wolfSSL
MIRACL Cryptographic SDK (https://github.com/miracl/MIRACL)
Golang's x/crypto/sha3 (https://godoc.org/golang.org/x/crypto/sha3)
libkeccak (https://github.com/maandree/libkeccak)

Hardware acceleration
Apple A13 ARMv8 six-core SoC CPU cores have support[68] for accelerating SHA-3 (and SHA-512) using specialized instructions (EOR3,
RAX1, XAR, BCAX) from ARMv8.2-SHA crypto extension set.[69]

https://en.wikipedia.org/wiki/SHA-3#KangarooTwelve 7/10
12/28/23, 4:14 PM SHA-3 - Wikipedia
Some software libraries use vectorization facilities of CPUs to accelerate usage of SHA-3. For example, Crypto++ can use SSE2 on x86 for
accelerating SHA3,[70] and OpenSSL can use MMX, AVX-512 or AVX-512VL on many x86 systems too.[71] Also POWER8 CPUs implement
2x64-bit vector rotate, defined in PowerISA 2.07, which can accelerate SHA-3 implementations.[72] Most implementations for ARM do not
use Neon vector instructions as scalar code is faster. ARM implementations can however be accelerated using SVE and SVE2 vector
instructions; these are available in the Fujitsu A64FX CPU for instance.[73]

The IBM z/Architecture supports SHA-3 since 2017 as part of the Message-Security-Assist Extension 6.[74] The processors support a
complete implementation of the entire SHA-3 and SHAKE algorithms via the KIMD and KLMD instructions using a hardware assist engine
built into each core.

Usage in protocols
Ethereum § Ether

See also
Ethash – another Keccak-based hash

References
1. Bertoni, Guido; Daemen, Joan; Peeters, Michaël; van Assche, 10. Chang, Shu-jen; Perlner, Ray; Burr, William E.; Sonmez Turan,
Gilles (May 29, 2012). "Keccak implementation overview" (http Meltem; Kelsey, John M.; Paul, Souradyuti; Bassham, Lawrence
s://keccak.team/files/Keccak-implementation-3.2.pdf) (PDF). E. (November 2012). Third-Round Report of the SHA-3
p. 25. Retrieved March 27, 2023. Cryptographic Hash Algorithm Competition (https://nvlpubs.nist.g
2. Morawiecki, Paweł; Pieprzyk, Josef; Srebrny, Marian (2013). ov/nistpubs/ir/2012/NIST.IR.7896.pdf) (PDF).
"Rotational Cryptanalysis of Round-Reduced Keccak" (https://epr doi:10.6028/NIST.IR.7896 (https://doi.org/10.6028%2FNIST.IR.78
ints.qut.edu.au/82454/2/__staffhome.qut.edu.au_staffgroupm%2 96). Retrieved February 29, 2020. Sections 5.1.2.1 (mentioning
4_meaton_Desktop_Draft%20paper_Pieprzyk.pdf) (PDF). In "tree mode"), 6.2 ("other features", mentioning authenticated
Moriai, S (ed.). Fast Software Encryption. Fast Software encryption), and 7 (saying "extras" may be standardized in the
Encryption Lecture Notes in Computer Science. Vol. 8424. future).
pp. 241–262. doi:10.1007/978-3-662-43933-3_13 (https://doi.org/ 11. Bertoni, Guido; Daemen, Joan; Peeters, Michaël; Van Assche,
10.1007%2F978-3-662-43933-3_13). ISBN 978-3-662-43932-6. Gilles; Van Keer, Ronny (March 13, 2014). "CAESAR
Archived (https://web.archive.org/web/20130108011253/https://e submission: Ketje v1" (https://competitions.cr.yp.to/round1/ketjev
print.iacr.org/2012/546.pdf) (PDF) from the original on January 8, 1.pdf) (PDF). Retrieved February 29, 2020.
2013. Retrieved February 8, 2019. 12. Bertoni, Guido; Daemen, Joan; Peeters, Michaël; Van Assche,
3. Bertoni, Guido; Daemen, Joan; Peeters, Michaël; van Assche, Gilles; Van Keer, Ronny (March 13, 2014). "CAESAR
Giles (January 14, 2011). "The Keccak SHA-3 submission" (http submission: Keyak v1" (https://competitions.cr.yp.to/round1/keya
s://keccak.team/files/Keccak-submission-3.pdf) (PDF). kv1.pdf) (PDF). Retrieved February 29, 2020.
keccak.team. Archived (https://web.archive.org/web/2011081908 13. Bertoni, Guido; Daemen, Joan; Peeters, Michaël; van Assche,
4908/http://keccak.noekeon.org/Keccak-submission-3.pdf) (PDF) Giles. "The sponge and duplex constructions" (https://keccak.tea
from the original on August 19, 2011. Retrieved March 27, 2023. m/sponge_duplex.html). Retrieved March 27, 2023.
4. "Hash Functions" (https://csrc.nist.gov/projects/hash-functions). 14. "Announcing Request for Candidate Algorithm Nominations for a
NIST. June 22, 2020. Retrieved February 17, 2021. New Cryptographic Hash Algorithm (SHA-3) Family [U.S. Federal
5. Information Technology Laboratory (August 2015). SHA-3 Register Vol. 72 No. 212)]" (http://csrc.nist.gov/groups/ST/hash/d
Standard: Permutation-Based Hash and Extendable-Output ocuments/FR_Notice_Nov07.pdf) (PDF). November 2, 2007.
Functions (https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202. Archived (https://web.archive.org/web/20110331175556/http://csr
pdf) (PDF). National Institute of Standards and Technology. c.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf)
doi:10.6028/NIST.FIPS.202 (https://doi.org/10.6028%2FNIST.FIP (PDF) from the original on March 31, 2011. Retrieved July 18,
S.202). S2CID 64734386 (https://api.semanticscholar.org/Corpus 2017.
ID:64734386). Federal Information Processing Standard 15. Bertoni, Guido; Daemen, Joan; Peeters, Michaël; Van Assche,
Publication 202. Retrieved February 29, 2020. Gilles. "The road from Panama to Keccak via RadioGatún" (http
6. Dworkin, Morris J. (August 4, 2015). "SHA-3 Standard: s://keccak.team/files/TheRoadFromPanamaToKeccak.pdf)
Permutation-Based Hash and Extendable-Output Functions" (htt (PDF). Retrieved March 27, 2023.
ps://www.nist.gov/manuscript-publication-search.cfm?pub_id=91 16. KeccakReferenceAndOptimized-3.2.zip (https://keccak.team/obs
9061). Federal Information Processing Standards (NIST FIPS). olete/KeccakReferenceAndOptimized-3.2.zip) mainReference.c
7. "NIST Selects Winner of Secure Hash Algorithm (SHA-3) "The Keccak sponge function, designed by Guido Bertoni, Joan
Competition" (https://www.nist.gov/itl/csd/sha-100212.cfm). NIST. Daemen, Michaël Peeters and Gilles Van Assche. For more
October 2, 2012. Retrieved October 2, 2012. information, feedback or questions, please refer to our website:
8. Cruz, José R.C. (May 7, 2013). "Keccak: The New SHA-3 http://keccak.noekeon.org/Implementation by the designers,
Encryption Standard" (http://www.drdobbs.com/security/keccak-t hereby denoted as "the implementer". To the extent possible
he-new-sha-3-encryption-standard/240154037). Dr. Dobbs. under law, the implementer has waived all copyright and related
or neighboring rights to the source code in this file.
9. Bertoni, Guido; Daemen, Joan; Peeters, Michaël; Van Assche,
https://creativecommons.org/publicdomain/zero/1.0/"
Gilles. "Keccak specifications summary" (https://keccak.team/kec
cak_specs_summary.html). Retrieved March 27, 2023. 17. Stevens, Marc; Bursztein, Elie; Karpman, Pierre; Albertini, Ange;
Markov, Yarik. "The first collision for full SHA-1" (https://shattere
d.io/static/shattered.pdf) (PDF). Retrieved February 23, 2017.
18. Leurent, Gaëtan; Peyrin, Thomas. "SHA-1 is a Shambles" (http
s://sha-mbles.github.io/). Retrieved January 8, 2020.

https://en.wikipedia.org/wiki/SHA-3#KangarooTwelve 8/10
12/28/23, 4:14 PM SHA-3 - Wikipedia
19. "NIST Computer Security Division – The SHA-3 Cryptographic 40. Guo, Xu; Huang, Sinan; Nazhandali, Leyla; Schaumont, Patrick
Hash Algorithm Competition, November 2007 – October 2012" (h (August 2010), "Fair and Comprehensive Performance
ttp://csrc.nist.gov/groups/ST/hash/sha-3/index.html). January 4, Evaluation of 14 Second Round SHA-3 ASIC Implementations"
2017. (http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/doc
20. "Keccak parameter changes for round 2" (https://keccak.team/20 uments/papers/SCHAUMONT_SHA3.pdf) (PDF), NIST 2nd SHA-
09/version_2.0.html). Keccak Team. September 22, 2009. 3 Candidate Conference: 12, retrieved February 18, 2011 Keccak
Archived (https://web.archive.org/web/20171113003333/https://ke is second only to Luffa, which did not advance to the final round.
ccak.team/2009/version_2.0.html) from the original on November 41. ARM corporation, ARM architecture reference manual ARMv8,
13, 2017. Retrieved February 29, 2020. for ARMv8-A architecture profile, document ARM DDI 0487C.a
21. "Simplifying Keccak's padding rule for round 3" (https://keccak.te (ID121917), https://www.arm.com
am/2011/version_3.0.html). Keccak Team. January 17, 2011. 42. "Sakura: A Flexible Coding for Tree Hashing" (https://keccak.tea
Retrieved March 27, 2023. m/files/Sakura.pdf) (PDF). Keccak Team. 2014. Retrieved
22. "SHA-3 standardization" (http://csrc.nist.gov/groups/ST/hash/sha February 29, 2020.
-3/sha-3_standardization.html). NIST. Retrieved April 16, 2015. 43. SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and
23. National Institute of Standards and Technology (August 5, 2015). ParallelHash (http://nvlpubs.nist.gov/nistpubs/SpecialPublication
"Federal Information Processing Standards: Permutation-Based s/NIST.SP.800-185.pdf) This article incorporates text from this
Hash and Extendable-Output Functions, etc" (https://federalregist source, which is in the public domain.
er.gov/a/2015-19181). Retrieved August 5, 2015. 44. "Software performance figures" (https://keccak.team/sw_perform
24. "Announcing Approval of Federal Information Processing ance.html).
Standard (FIPS) 202, SHA-3 Standard: Permutation-Based Hash 45. "Keccak Team: KangarooTwelve" (https://keccak.team/kangaroot
and Extendable-Output Functions, and Revision of the welve.html). Keccak Team.
Applicability Clause of FIPS 180-4, Secure Hash Standard" (http 46. "KangarooTwelve: fast hashing based on Keccak-p" (https://eprin
s://www.federalregister.gov/articles/2015/08/05/2015-19181/anno t.iacr.org/2016/770.pdf) (PDF). International Association for
uncing-approval-of-federal-information-processing-standard-fips- Cryptologic Research. 2016.
202-sha-3-standard). August 5, 2015.
47. "KangarooTwelve slides presented at ACNS 2018" (https://kecca
25. Kelsey, John. "SHA3, Where We've Been, Where We're Going" k.team/files/K12atACNS.pdf) (PDF). Keccak Team.
(http://csrc.nist.gov/groups/ST/hash/sha-3/documents/burr_dima
48. "draft-irtf-cfrg-kangarootwelve-00 – KangarooTwelve" (https://dat
cs2013_presentation.pdf) (PDF). RSA Conference 2013. atracker.ietf.org/doc/draft-irtf-cfrg-kangarootwelve/). Ietf
26. Kelsey, John. "SHA3, Past, Present, and Future" (https://docs.go Datatracker. IETF. Retrieved January 17, 2020.
ogle.com/file/d/0BzRYQSHuuMYOQXdHWkRiZXlURVE). CHES
49. Bertoni, Guido; Daemen, Joan; Hoffert, Seth; Peeters, Michaël;
2013. Van Assche, Gilles; Van Keer, Ronny (December 29, 2016).
27. "Abstract" (http://cr.yp.to/hash/quantumsha3-20101112.pdf) "Farfalle: parallel permutation-based cryptography" (https://eprint.
(PDF). cr.yp.to. iacr.org/2016/1188). Cryptology ePrint Archive.
28. "NIST hash forum mailing list" (http://csrc.nist.gov/groups/ST/has 50. Guido Bertoni; Joan Daemen; Seth Hoffert; Michaël Peeters;
h/email_list.html). January 4, 2017. Gilles Van Assche; Ronny Van Keer (October 12, 2018). "The
29. "The Keccak SHA-3 submission" (https://keccak.team/files/Kecca authenticated encryption schemes Kravatte-SANE and Kravatte-
k-submission-3.pdf) (PDF). January 14, 2011. Retrieved SANSE" (https://eprint.iacr.org/2018/1012). Cryptology ePrint
March 27, 2023. Archive.
30. "On 128-bit security" (https://keccak.team/2013/on_128bit_securi 51. Brassard, Gilles; Høyer, Peter; Tapp, Alain (1998). "Quantum
ty.html). October 2, 2013. Retrieved March 27, 2023. cryptanalysis of hash and claw-free functions". Abstract. Lecture
31. "A concrete proposal" (https://keccak.team/2013/a_concrete_pro Notes in Computer Science. Vol. 1380. pp. 163–169.
posal.html). October 2, 2013. Retrieved March 27, 2023. arXiv:quant-ph/9705002 (https://arxiv.org/abs/quant-ph/970500
2). doi:10.1007/BFb0054319 (https://doi.org/10.1007%2FBFb005
32. "Schneier on Security: Will Keccak = SHA-3?" (https://www.schn
4319). ISBN 978-3-540-64275-6. S2CID 118940551 (https://api.s
eier.com/blog/archives/2013/10/will_keccak_sha-3.html).
emanticscholar.org/CorpusID:118940551).
33. "LShift: Why I support the US Government making a
52. "Cost Analysis" (http://cr.yp.to/hash/collisioncost-20090823.pdf)
cryptography standard weaker" (http://www.lshift.net/blog/2013/1
0/01/why-i-support-the-us-government-making-a-cryptography-st (PDF). cr.yp.to.
andard-weaker). 53. "Collision problem" (http://www.scottaaronson.com/papers/collisi
34. "Yes, this is Keccak!" (https://keccak.team/2013/yes_this_is_kecc on.pdf) (PDF). scottaaronson.com.
ak.html). October 4, 2013. Retrieved March 27, 2023. 54. "Paper" (https://eprint.iacr.org/2016/508.pdf) (PDF).
eprint.iacr.org. 2016.
35. "Moving Forward with SHA-3" (http://csrc.nist.gov/groups/ST/has
h/sha-3/documents/kelsey-email-moving-forward-110113.pdf) 55. "Abstract" (https://eprint.iacr.org/2017/282.pdf) (PDF).
(PDF). eprint.iacr.org. 2017.
36. NIST Computer Security Division (CSD). "SHA-3 Standard: 56. "NIST.gov – Computer Security Division – Computer Security
Permutation-Based Hash and Extendable-Output Functions" (htt Resource Center" (http://csrc.nist.gov/groups/ST/toolkit/example
p://csrc.nist.gov/publications/drafts/fips-202/fips_202_draft.pdf) s.html#aHashing). December 29, 2016.
(PDF). NIST. 57. "Measurements table" (http://bench.cr.yp.to/results-hash.html#a
37. "about 41 cycles/byte [...] represents a 40% speedup compared md64-skylake). bench.cr.yp.to.
to an implementation using only 32-bit instructions". By formula 58. Tao, Xie; Liu, Fanbao; Feng, Dengguo (2013). Fast Collision
Attack on MD5 (https://eprint.iacr.org/2013/170.pdf) (PDF).
we obtain Cryptology ePrint Archive (Technical report). IACR.
38. Bernstein, Daniel J. (January 4, 2012). "Optimization failures in
SHA-3 software" (https://cr.yp.to/hash/sha3opt-20120104.pdf)
(PDF). cr.yp.to. Retrieved February 29, 2020.
39. "Is SHA-3 slow?" (https://keccak.team/2017/is_sha3_slow.html).
June 12, 2017. Retrieved March 27, 2023.

https://en.wikipedia.org/wiki/SHA-3#KangarooTwelve 9/10
12/28/23, 4:14 PM SHA-3 - Wikipedia
59. Stevens, Marc; Bursztein, Elie; Karpman, Pierre; Albertini, Ange; 66. "openssl/openssl – keccak1600-ppc64.pl" (https://github.com/ope
Markov, Yarik. The first collision for full SHA-1 (https://shattered.i nssl/openssl/blob/33388b44b67145af2181b1e9528c381c8ea0d1
o/static/shattered.pdf) (PDF) (Technical report). Google b6/crypto/sha/asm/keccak1600-ppc64.pl#L30). GitHub.
Research. Retrieved June 25, 2020.
67. "openssl/openssl – kccak1600-mmx.pl" (https://github.com/opens
Marc Stevens; Elie Bursztein; Pierre Karpman; Ange Albertini;
sl/openssl/blob/33388b44b67145af2181b1e9528c381c8ea0d1b
Yarik Markov; Alex Petit Bianco; Clement Baisse (February
23, 2017). "Announcing the first SHA1 collision" (https://secur 6/crypto/sha/asm/keccak1600-mmx.pl#L45). GitHub. Retrieved
ity.googleblog.com/2017/02/announcing-first-sha1-collision.ht June 25, 2020.
ml). Google Security Blog. 68. "llvm/llvm-project – AArch64.td" (https://github.com/llvm/llvm-proj
ect/blob/c35ed40f4f1bd8afd709c5342b36f33c7c5b0fbd/llvm/lib/T
60. Without truncation, the full internal state of the hash function is
arget/AArch64/AArch64.td#L724). GitHub. Retrieved June 24,
known, regardless of collision resistance. If the output is 2020.
truncated, the removed part of the state must be searched for
and found before the hash function can be resumed, allowing the 69. "ARMv8 – ARM – WikiChip" (https://en.wikichip.org/wiki/arm/arm
attack to proceed. v8#ARMv8_Extensions_and_Processor_Features).
en.wikichip.org. Retrieved June 24, 2020.
61. "The Keccak sponge function family" (http://keccak.noekeon.org/
specs_summary.html). Retrieved January 27, 2016. 70. "weidai11/cryptopp" (https://github.com/weidai11/cryptopp/blob/m
aster/keccak_simd.cpp#L83). GitHub. Retrieved June 25, 2020.
62. "openssl/openssl – kecak1600-avx512vl.pl" (https://github.com/o
penssl/openssl/blob/33388b44b67145af2181b1e9528c381c8ea0 71. "openssl/openssl" (https://github.com/openssl/openssl/blob/3338
d1b6/crypto/sha/asm/keccak1600-avx512vl.pl#L29). GitHub. 8b44b67145af2181b1e9528c381c8ea0d1b6/crypto/sha/asm/kec
Retrieved June 25, 2020. cak1600-avx512vl.pl). GitHub. Retrieved June 25, 2020.
63. "openssl/openssl – keccak1600-avx2.pl" (https://github.com/open 72. "openssl/openssl" (https://github.com/openssl/openssl/blob/3338
ssl/openssl/blob/33388b44b67145af2181b1e9528c381c8ea0d1b 8b44b67145af2181b1e9528c381c8ea0d1b6/crypto/sha/asm/kec
6/crypto/sha/asm/keccak1600-avx2.pl#L115). GitHub. November cak1600-ppc64.pl#L20). GitHub. November 2021.
2021. 73. "apple/llvm-project – lib/Target/AArch64/AArch64SVEInstrInfo.td"
64. "openssl/openssl – keccak1600-x86_64.pl" (https://github.com/op (https://github.com/apple/llvm-project/blob/apple/master/llvm/lib/T
enssl/openssl/blob/33388b44b67145af2181b1e9528c381c8ea0d arget/AArch64/AArch64SVEInstrInfo.td#L2389). GitHub.
1b6/crypto/sha/asm/keccak1600-x86_64.pl). GitHub. Retrieved Retrieved June 25, 2020.
June 25, 2020. 74. IBM z/Architecture Principles of Operation, publication number
65. "openssl/openssl – keccak1600-armv8.pl" (https://github.com/op SA22-7832. See KIMD and KLMD instructions in Chapter 7.
enssl/openssl/blob/33388b44b67145af2181b1e9528c381c8ea0d
1b6/crypto/sha/asm/keccak1600-armv8.pl). GitHub. November
2021.

External links
The Keccak web site (https://keccak.team/)
SHA-3 Standard (https://www.nist.gov/publications/sha-3-standard-permutation-based-hash-and-extendable-output-functions)

Retrieved from "https://en.wikipedia.org/w/index.php?title=SHA-3&oldid=1191675613#KangarooTwelve"

https://en.wikipedia.org/wiki/SHA-3#KangarooTwelve 10/10