## FIPS 202 is out: SHA-3 and Keccak beyond hashing

5 August 2015

NIST officially released the FIPS 202 standard. Although it represents the target of the SHA-3 competition for a fresh hash function, the new standard provides more than just a successor to SHA-2: It comes as a toolbox with all the necessary ingredients for defining other uses of Keccak. About 2.5 years after the SHA-3 competition concluded, we recap what the FIPS 202 standard contains.

The purpose of the FIPS 202 standard is twofold: It gives all the definitions needed to specify Keccak-based functions and it approves the use of six specific instances. The document is written bottom-up, starting with the bit-level operations in the Keccak-*p* permutations, a generalization of the Keccak-*f* permutations with a parameterized number of rounds, then moving to the sponge construction and, building on it, the Keccak family of sponge functions, and finally specifying the approved instances:

- four SHA-2 drop-in replacements with fixed output length SHA3-224 to SHA3-512, and
- two future-oriented *extendable-output functions* SHAKE128 and SHAKE256.

**Extendable output functions**

The introduction of extendable-output functions (or XOFs, pronounced *zoff*) is a particularly nice feature of the standard. A XOF like SHAKE128 or SHAKE256 can be seen as a generalization of hash functions where the output length is not fixed but is potentially infinite. Concretely, XOFs can be used instead of complex constructions involving hash functions and counters such as MGF1. With RSA, this is of immediate benefit to full domain hashing, to RSA OAEP (Optimal Asymmetric Encryption Padding) and to RSA PSS (Probabilistic Signature Scheme). Other use cases are key derivation functions and stream ciphers.

Another important conceptual difference is that a XOF's security strength can be chosen (e.g., through Keccak's capacity value) and is not bound to its output length, as is traditionally the case for hash functions. This flexibility allows for better security-performance trade-offs. For instance, with a key derivation function, the length of the derived key material can greatly vary from one application to another, in a way that is in general not related to the required security strength.
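The following is an added example, not taken from the original article or from the Keccak Code Package. It contrasts MGF1's hash-and-counter loop with a single SHAKE call and shows the security strength being chosen independently of the output length; it uses Python's standard `hashlib`, and the function names and sample seed are constructed for illustration.

```python
import hashlib

def mgf1(seed, length, hash_name="sha256"):
    """MGF1 (PKCS #1): concatenate Hash(seed || 4-byte counter), then truncate."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def shake_mask(seed, length, strength=128):
    """Same job with a XOF: one call, any output length.

    The strength (128 or 256) is selected by choosing SHAKE128 or SHAKE256,
    not by how many bytes are requested.
    """
    xof = {128: hashlib.shake_128, 256: hashlib.shake_256}[strength]
    return xof(seed).digest(length)

if __name__ == "__main__":
    seed = b"constructed sample seed"  # constructed input, for illustration only
    for n in (16, 32, 200):
        print(n, "MGF1-SHA256:", mgf1(seed, n).hex()[:32], "...")
        print(n, "SHAKE128   :", shake_mask(seed, n).hex()[:32], "...")
    # Long output at 256-bit strength, short output at 128-bit strength:
    print(len(shake_mask(seed, 200, 256)), len(shake_mask(seed, 16, 128)))
    # A shorter XOF output is a prefix of a longer one from the same input.
    print(shake_mask(seed, 16) == shake_mask(seed, 200)[:16])
```

Because a short XOF output is a prefix of a longer one for the same input, two uses of the same seed need distinct inputs (domain separation) if their outputs must be unrelated.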

**Future plans**

NIST expressed their intention to approve other modes of use of Keccak (or potentially other functions based on the Keccak-*p* permutations) as they are developed, by way of *special publications* in the NIST SP 800-*XX* series and referring to FIPS 202. At the SHA-3 2014 Workshop, NIST presented more details on the following topics:

- parallelizable hashing,
- message authentication codes (MACs) and key derivation functions,
- authenticated encryption,
- generic domain separation mechanisms on top of these.

**Code package**

The latest version of the Keccak Code Package is in line with the standard and contains test vectors for the six aforementioned instances.