Generate high-security SHAKE256 XOF output with arbitrary length.
About
SHAKE256 is a high-security XOF that produces variable-length output using Keccak-f[1600] with 512-bit capacity, providing 256-bit security and arbitrary output length.
Specifications
Output Size: Variable
Standard: FIPS 202
Standard Year: 2015
Origin: Keccak submission to NIST SHA-3 competition
Origin Year: 2008
Use Cases
—Variable-length key derivation
—High-security masking functions
—Arbitrary-length pseudorandom generation
Frequently Asked Questions
SHAKE256 provides 256-bit security versus SHAKE128's 128-bit security. SHAKE256 uses a 512-bit capacity in the Keccak sponge, while SHAKE128 uses 256-bit capacity. Both are XOFs (Extendable-Output Functions) supporting arbitrary output lengths. Use SHAKE256 for high-security applications and post-quantum cryptography preparations.
Use SHAKE256 when you need: (1) 256-bit security for high-assurance applications, (2) post-quantum cryptography preparations (SHAKE128's 128-bit security may be reduced by quantum computers), (3) long-term protection (10+ years), (4) maximum security margin for key derivation and masking functions.
SHAKE256 is simpler for XOF needs—just specify desired output length. HKDF uses extract-expand stages with HMAC and is more established for key derivation. SHAKE256 provides built-in domain separation via the cSHAKE variant. Both are secure; SHAKE256 is often faster in software, while HKDF has wider implementation support.
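The key-derivation use case above has one trap worth seeing in code: with identical input, a shorter SHAKE256 output is a prefix of a longer one, so keys of different lengths or purposes must be separated through the input. The sketch below is an added example, not code from this page or its tool; `derive_key`, `naive_derive`, `encode_field` and the tag `example-kdf-v1` are hypothetical names, and it uses length-prefixed fields as a stand-in for cSHAKE, which Python's `hashlib` does not expose.

```python
import hashlib

DOMAIN_TAG = b"example-kdf-v1"  # constructed tag, not a registered identifier


def encode_field(field: bytes) -> bytes:
    # Length-prefix every field so (b"ab", b"c") and (b"a", b"bc") differ.
    return len(field).to_bytes(8, "big") + field


def naive_derive(secret: bytes, length: int) -> bytes:
    # Plain XOF call: a shorter output is always a prefix of a longer one.
    return hashlib.shake_256(secret).digest(length)


def derive_key(secret: bytes, label: bytes, length: int) -> bytes:
    """Derive `length` bytes bound to the label and to the requested length."""
    if len(secret) < 32:
        raise ValueError("secret under 32 bytes cannot hold 256 bits of entropy")
    if length < 1:
        raise ValueError("length must be positive")
    xof = hashlib.shake_256()
    xof.update(encode_field(DOMAIN_TAG))
    xof.update(encode_field(label))
    xof.update(length.to_bytes(8, "big"))  # binds output length into the input
    xof.update(encode_field(secret))
    return xof.digest(length)


if __name__ == "__main__":
    secret = bytes(range(32))  # constructed sample secret, for demonstration only
    print("naive 32 is prefix of naive 64:",
          naive_derive(secret, 64)[:32] == naive_derive(secret, 32))
    print("enc key:", derive_key(secret, b"enc", 32).hex())
    print("mac key:", derive_key(secret, b"mac", 32).hex())
    print("bound 32 is prefix of bound 64:",
          derive_key(secret, b"enc", 64)[:32] == derive_key(secret, b"enc", 32))
```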