🔐 Introduction
As cryptography continues to evolve to meet the demands of post-quantum security, extendable-output functions (XOFs) like SHAKE-128 and SHAKE-256 have become increasingly important. They’re not just “another hash function” — they offer a level of flexibility that standard hashes like SHA-2 or SHA-3 don’t provide.
In this post, we’ll explore what SHAKE-128 and SHAKE-256 are, how they work, when to use them, and how they differ from traditional hashing.
🧠 What Is SHAKE?
SHAKE stands for Secure Hash Algorithm KECCAK Extendable-output, and it’s part of the SHA-3 family standardized by NIST in FIPS 202.
Unlike fixed-output hash functions (like SHA-256 or SHA3-512), SHAKE functions can generate outputs of any length you need.
🔢 SHAKE vs SHA-3
| Feature | SHA3-256 | SHAKE-256 |
|---|---|---|
| Output Size | Fixed (256 bits) | Flexible (X bits) |
| Algorithm Type | Hash function | XOF (Extendable) |
| Based On | Keccak (sponge) | Keccak (sponge) |
| Custom Output? | ❌ No | ✅ Yes |
📦 SHAKE-128 vs SHAKE-256: The Key Differences
| Property | SHAKE-128 | SHAKE-256 |
|---|---|---|
| Security Strength | 128 bits | 256 bits |
| Output Flexibility | Any length | Any length |
| Input Rate | 168 bytes/block | 136 bytes/block |
| Use Case | Low/medium security needs | High-security applications |
🔐 SHAKE-128: Comparable to the security of AES-128
🔐 SHAKE-256: Comparable to the security of AES-256
⚙️ How Does SHAKE Work?
SHAKE is built on the Keccak sponge construction. Think of it like a sponge that:
- Absorbs input bits into an internal state.
- Squeezes out as many bits of output as you want.
You can ask for 128 bits… or 10,000 bits. It’s up to you.
SHAKE128(message, outputLength)
SHAKE256(message, outputLength)
For example, SHAKE128(input, 256) gives a 256-bit output from the SHAKE-128 algorithm.
🔐 Why Use SHAKE?
✅ Flexible Output Sizes
Generate exactly the number of bits you need — no more, no less. Great for generating:
- Variable-length keys
- Domain-separated identifiers
- Padding-resistant hashes
✅ Cryptographic Strength
SHAKE-128 provides 128-bit collision resistance, while SHAKE-256 offers 256-bit — suitable even for post-quantum use cases.
✅ Standardized and Well-Vetted
SHAKE is part of FIPS 202 and is widely implemented in libraries like:
- OpenSSL
- BouncyCastle
- libsodium
- pycryptodome
🧪 Real-World Use Cases
| Application | SHAKE-128 or SHAKE-256? | Reason |
|---|---|---|
| Post-quantum cryptography | SHAKE-256 | Higher security margin |
| Random key generation | SHAKE-128 or 256 | Custom key lengths |
| Deterministic hashing | SHAKE-256 | Squeeze arbitrary-length digest |
| Hash-based signatures (e.g., LMS, XMSS) | SHAKE-256 | Required in NIST PQC schemes |
| Embedded devices | SHAKE-128 | Smaller memory footprint |
🔧 Sample Code (Python using pycryptodome)
from Crypto.Hash import SHAKE128, SHAKE256
# SHAKE-128: Get 32-byte digest
shake128 = SHAKE128.new()
shake128.update(b'hello world')
digest = shake128.read(32)
print(digest.hex())
# SHAKE-256: Get 64-byte digest
shake256 = SHAKE256.new()
shake256.update(b'hello world')
digest = shake256.read(64)
print(digest.hex())
🔚 Conclusion
SHAKE-128 and SHAKE-256 aren’t just flexible — they’re powerful tools for modern cryptography. With their customizable output lengths and solid security foundations, SHAKE functions are already being adopted in post-quantum algorithms and advanced digital signature schemes.
Whether you’re building next-gen security systems or optimizing for lightweight environments, SHAKE gives you the control traditional hash functions lack.