NIST - FIPS PUB 202
SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
|Publication Date:||1 August 2015|
This Standard specifies a new family of functions that supplement SHA-1 and the SHA-2 family of hash functions specified in FIPS 180-4 . This family, called SHA-3 (Secure Hash Algorithm-3), is based on KECCAK -the algorithm1 that NIST selected as the winner of the public SHA-3 Cryptographic Hash Algorithm Competition . The SHA-3 family consists of four cryptographic hash functions and two extendable-output functions. These six functions share the structure that is described in , namely, the sponge construction; functions with this structure are called sponge functions.
A hash function is a function on binary data (i.e., bit strings) for which the length of the output is fixed.2 The input to a hash function is called the message, and the output is called the (message) digest or hash value. The digest often serves as a condensed representation of the message. The four SHA-3 hash functions are named SHA3-224, SHA3-256, SHA3-384, and SHA3-512; in each case, the suffix after the dash indicates the fixed length of the digest, e.g., SHA3-256 produces 256-bit digests. The SHA-2 functions, i.e., SHA-224, SHA-256, SHA-384 SHA-512, SHA-512/224, and SHA-512/256, offer the same set of digest lengths. Thus, the SHA-3 hash functions can be implemented as alternatives to the SHA-2 functions, or vice versa.
An extendable-output function (XOF) is a function on bit strings (also called messages) in which the output can be extended to any desired length. The two SHA-3 XOFs are named SHAKE128 and SHAKE256.3 The suffixes "128" and "256" indicate the security strengths that these two functions can generally4 support, in contrast to the suffixes for the hash functions, which indicate the digest lengths. SHAKE128 and SHAKE256 are the first XOFs that NIST has standardized.
The six SHA-3 functions are designed to provide special properties, such as resistance to collision, preimage, and second preimage attacks. The level of resistance to these three types of attacks is summarized in Sec. A.1. Cryptographic hash functions are fundamental components in a variety of information security applications, such as digital signature generation and verification, key derivation, and pseudorandom bit generation.
The digest lengths in FIPS-approved hash functions are 160, 224, 256, 384, and 512 bits. When an application requires a cryptographic hash function with a non-standard digest length, an XOF is a natural alternative to constructions that involve multiple invocations of a hash function and/or truncation of the output bits. However, XOFs are subject to the additional security consideration that is described in Sec. A.2. Each of the six SHA-3 functions employs the same underlying permutation as the main component in the sponge construction. In effect, the SHA-3 functions are modes of operation (modes) of the permutation. In this Standard, the permutation is specified as an instance of a family of permutations, called KECCAK-p, in order to provide the flexibility to modify its size and security parameters in the development of any additional modes in future documents.
The four SHA-3 hash functions differ slightly from the instances of KECCAK that were proposed for the SHA-3 competition . In particular, a two-bit suffix is appended to the messages, in order to distinguish the SHA-3 hash functions from the SHA-3 XOFs, and to facilitate the development of new variants of the SHA-3 functions that can be dedicated to individual application domains.
The two SHA-3 XOFs are also specified in a manner that allows for the development of dedicated variants. Moreover, the SHA-3 XOFs are compatible with the Sakura coding scheme  for tree hashing , in order to support the development of parallelizable variants of the XOFs, to be specified in a separate document.
Most of the notation and terminology in this Standard is consistent with the specification of KECCAK in