EVP_MD-SHAKE(7SSL) OpenSSL EVP_MD-SHAKE(7SSL)
NAME
EVP_MD-SHAKE, EVP_MD-KECCAK-KMAC - The SHAKE / KECCAK family EVP_MD
implementations
DESCRIPTION
Support for computing SHAKE or KECCAK-KMAC digests through the EVP_MD
API.
KECCAK-KMAC is an Extendable Output Function (XOF), with a definition
similar to SHAKE, used by the KMAC EVP_MAC implementation (see
EVP_MAC-KMAC(7)).
Identities
This implementation is available in the FIPS provider as well as the
default provider, and includes the following varieties:
KECCAK-KMAC-128
Known names are "KECCAK-KMAC-128" and "KECCAK-KMAC128". This is
used by EVP_MAC-KMAC128(7). Using the notation from NIST FIPS 202
(Section 6.2), we have KECCAK-KMAC-128(M, d) =
KECCAK[256](M || 00, d) (see the description of KMAC128 in Appendix
A of NIST SP 800-185).
KECCAK-KMAC-256
Known names are "KECCAK-KMAC-256" and "KECCAK-KMAC256". This is
used by EVP_MAC-KMAC256(7). Using the notation from NIST FIPS 202
(Section 6.2), we have KECCAK-KMAC-256(M, d) =
KECCAK[512](M || 00, d) (see the description of KMAC256 in Appendix
A of NIST SP 800-185).
SHAKE-128
Known names are "SHAKE-128" and "SHAKE128".
SHAKE-256
Known names are "SHAKE-256" and "SHAKE256".
Parameters
This implementation supports the following OSSL_PARAM(3) entries:
"xoflen" (OSSL_DIGEST_PARAM_XOFLEN) <unsigned integer>
Sets or Gets the digest length for extendable output functions. The
length of the "xoflen" parameter should not exceed that of a size_t.
The SHAKE-128 and SHAKE-256 implementations do not have any default
digest length.
This parameter must be set before calling either
EVP_DigestFinal_ex() or EVP_DigestFinal(), since these functions
were not designed to handle variable length output. It is
recommended to either use EVP_DigestSqueeze() or
EVP_DigestFinalXOF() instead.
"size" (OSSL_DIGEST_PARAM_SIZE) <unsigned integer>
An alias of "xoflen".
See "PARAMETERS" in EVP_DigestInit(3) for further information related to
parameters
NOTES
For SHAKE-128, to ensure the maximum security strength of 128 bits, the
output length passed to EVP_DigestFinalXOF() should be at least 32.
For SHAKE-256, to ensure the maximum security strength of 256 bits, the
output length passed to EVP_DigestFinalXOF() should be at least 64.
SEE ALSO
EVP_MD_CTX_set_params(3), provider-digest(7), OSSL_PROVIDER-default(7)
HISTORY
Since OpenSSL 3.4 the SHAKE-128 and SHAKE-256 implementations have no
default digest length.
COPYRIGHT
Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
3.5.4 2025-09-30 EVP_MD-SHAKE(7SSL)
Generated by dwww version 1.16 on Tue Dec 16 04:20:13 CET 2025.