Skip to content
— CH. 1 · INTRODUCTION —

SHA-3

~6 min read · Ch. 1 of 6
6 sections
  • SHA-3 sits at the heart of nearly every secure digital transaction on the internet, yet most people have never heard its name. It is the latest member of the Secure Hash Algorithm family, and the National Institute of Standards and Technology released it as an official standard on the 5th of August, 2015. But the story of how it got there stretches back years further, through a public competition, a controversy that drew in some of the world's most respected cryptographers, and a mathematical structure so different from everything before it that its creators had to invent new vocabulary just to describe how it works. What exactly is a sponge? Why did experts publicly argue about whether NIST was weakening its own standard? And what does any of this have to do with a marsupial?

  • At SHA-3's core is something its designers call a sponge construction. The name is literal in spirit: the algorithm absorbs input data of any length, just as a sponge soaks up water, and then squeezes out a fixed or variable-length result. Earlier hash algorithms like SHA-1 and SHA-2 used a structure closely related to MD5, a design that dates back decades. SHA-3 breaks with that lineage entirely. Its foundation is a permutation function called Keccak-f, and the main version used in SHA-3 operates on a state of 1,600 bits, arranged as a five-by-five array of 64-bit words. The absorbing phase works by taking chunks of the input message, applying an XOR operation against part of that 1,600-bit state, and then running the entire state through a permutation. The squeezing phase then reads output from the same portion of the state. The part of the state that the input and output actually touch is called the rate; the part that stays hidden is the capacity. The capacity determines the security level, with the maximum achievable security being half the capacity. This hidden buffer is precisely what prevents a class of vulnerability, known as length extension attacks, that affects SHA-2, SHA-1, and MD5.

  • Keccak did not arrive fully formed. It descended from a line of earlier hash function experiments, beginning with PANAMA, a design created by Joan Daemen and Craig Clapp in 1998. Daemen is the same cryptographer who co-designed the Rijndael cipher alongside Vincent Rijmen; Rijndael later became the basis for the Advanced Encryption Standard. RadioGatun followed PANAMA as its successor, developed by Daemen alongside Michaël Peeters and Gilles Van Assche, and it was presented at a NIST Hash Workshop in 2006. Keccak itself was built by the same four-person team: Daemen, Peeters, Van Assche, and Guido Bertoni. When NIST launched its public hash function competition in 2006 to find a new standard, Keccak was one of 51 candidate algorithms accepted for consideration. By July 2009, the field had narrowed to 14 algorithms in the second round. Keccak reached the final round in December 2010, and on the 2nd of October, 2012, it was named the competition's winner. The reference implementation was released to the public domain from the start.

  • Winning the competition did not end the debate. In early 2013, NIST announced it intended to adjust Keccak's capacity parameter for the final standard, effectively trading some security for speed. The original competition rules required hash functions to offer preimage resistance matching their SHA-2 counterparts, meaning a 256-bit hash should resist preimage attacks at the full 256-bit level. The proposed change would have cut preimage resistance in half for some variants, creating a vulnerability that quantum computing could exploit further. In September 2013, Daniel J. Bernstein raised the issue on the NIST hash-forum mailing list, arguing for restoring the 576-bit capacity originally proposed as Keccak's default. The Keccak team responded in late September, acknowledging the proposal and offering to raise the capacity to provide up to 256-bit security across all instances. They also stated directly that claiming or relying on security strength levels above 256 bits is meaningless. In early October 2013, Bruce Schneier publicly criticized the direction, warning that NIST risked publishing an algorithm no one would trust and no one except those forced would use. He later walked that back, clarifying that NIST had not altered the Keccak permutation itself but had proposed reducing the hash function's capacity in the name of performance. Paul Crowley, a cryptographer and senior developer at an independent software development company, took a different view, arguing that Keccak is tunable by design and there is no reason for uniform security levels within one primitive. In November 2013, John Kelsey of NIST proposed reverting to the original capacity for all SHA-2 drop-in replacement instances, and that reversion held through the final release.

  • SHA-3 carries a well-documented reputation for being slower than SHA-2 on general-purpose processors. On an Intel Skylake processor clocked at 3.2 GHz, SHA2-512 runs more than twice as fast as SHA3-512, and SHA-1 runs more than three times as fast. The authors have suggested that SHAKE128 and SHAKE256, the extendable-output variants, can match SHA2-256 and SHA2-512 in performance at the cost of cutting preimage resistance in half. Hardware tells a different story. In hardware implementations, SHA-3 is notably faster than all other finalists from the competition, and faster than SHA-2 and SHA-1 as well. As of 2018, ARM's ARMv8 architecture added special instructions to accelerate Keccak, and IBM's z/Architecture included a complete SHA-3 and SHAKE implementation in a single instruction. The Apple A13 SoC's ARMv8 cores support SHA-3 acceleration through four specialized instructions: EOR3, RAX, XAR, and BCAX. On ARMv4 and above, handwritten scalar code delivers double to triple the performance of compiler output. The IBM z/Architecture has supported SHA-3 since 2017 through Message-Security-Assist Extension 6, running the full algorithm via KIMD and KLMD instructions through a hardware assist engine built into each processor core.

  • The Keccak team did not stop at SHA-3. In 2016, they introduced two faster reduced-round alternatives: KangarooTwelve and MarsupilamiFourteen. Both exploit parallel execution using tree hashing. KangarooTwelve cuts the number of permutation rounds from 24 down to 12 and claims 128-bit security, with performance reaching 0.55 cycles per byte on a Skylake CPU. It is now specified in IETF RFC 9861. MarsupilamiFourteen uses 14 rounds and claims 256-bit security, though the authors note that 256-bit security offers no practical advantage over 128 bits against current hardware. Neither algorithm is FIPS-compliant since they postdate the SHA-3 standard, but because they use the same Keccak permutation, they carry its security for as long as no practical attack exists on 12-round Keccak. Also in 2016, the team released the Farfalle construction and Kravatte, an instance using the Keccak-p permutation, along with two authenticated encryption algorithms, Kravatte-SANE and Kravatte-SANSE. In December 2016, NIST published SP 800-185, adding derived functions including KMAC, a keyed hash function based on Keccak, and TupleHash, designed specifically for hashing sequences of strings where both the content and the order of inputs matter. Ethereum uses the Keccak-256 hash function, drawn from version 3 of the original competition submission, which differs from the finalized SHA-3 specification.

Common questions

What is SHA-3 and when was it released?

SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of standards, released by NIST on the 5th of August, 2015. It is internally different from SHA-1 and SHA-2, using a sponge construction rather than the MD5-like structure of its predecessors.

Who designed the Keccak algorithm that became SHA-3?

Keccak was designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. Daemen also co-designed the Rijndael cipher with Vincent Rijmen, which became the basis for AES.

How did SHA-3 win the NIST hash function competition?

NIST launched its hash function competition in 2006 and accepted 51 candidate algorithms, including Keccak. The field narrowed to 14 in July 2009 and to a final round in December 2010. On the 2nd of October, 2012, Keccak was selected as the winner.

What controversy surrounded the SHA-3 standardization process?

In early 2013, NIST proposed reducing SHA-3's capacity parameter for speed, which would have halved preimage resistance for some variants. Cryptographers including Daniel J. Bernstein and Bruce Schneier publicly criticized the change. NIST's John Kelsey proposed reverting to the original capacity in November 2013, and that reversion was confirmed in the final standard.

How does SHA-3 perform compared to SHA-2 on different hardware?

On a 3.2 GHz Intel Skylake processor, SHA2-512 is more than twice as fast as SHA3-512 and SHA-1 is more than three times as fast. In hardware implementations, however, SHA-3 is notably faster than SHA-2 and SHA-1. As of 2018, ARM's ARMv8 and IBM's z/Architecture both added dedicated instructions to accelerate SHA-3.

What is KangarooTwelve and how does it relate to SHA-3?

KangarooTwelve is a higher-performance variant introduced by the Keccak team in 2016 that reduces the permutation rounds from 24 to 12 and claims 128-bit security, reaching 0.55 cycles per byte on a Skylake CPU. It is not FIPS-compliant and not part of the SHA-3 standard, but uses the same Keccak permutation. It is specified in IETF RFC 9861.

All sources

70 references cited across the entry

  1. 1bookFast Software EncryptionPaweł Morawiecki et al. — 2013
  2. 2webThe Keccak SHA-3 submissionGuido Bertoni et al. — January 14, 2011
  3. 3webHash Functions CSRC CSRCInformation Technology Laboratory Computer Security Division — 2017-01-04
  4. 5citationSHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions((Information Technology Laboratory)) — National Institute of Standards and Technology — August 2015
  5. 6webSHA-3 Standard: Permutation-Based Hash and Extendable-Output FunctionsMorris J. Dworkin — Federal Information Processing Standards (NIST FIPS) — 2015-08-04
  6. 7webKeccak: The New SHA-3 Encryption StandardJosé R.C. Cruz — 2013-05-07
  7. 8webKeccak specifications summaryGuido Bertoni et al.
  8. 10webCAESAR submission: Ketje v1Guido Bertoni et al. — 2014-03-13
  9. 11webCAESAR submission: Keyak v1Guido Bertoni et al. — 2014-03-13
  10. 12webNIST Transitioning Away from SHA-1 for All Applications CSRCInformation Technology Laboratory Computer Security Division — 2022-12-14
  11. 16webThe first collision for full SHA-1Marc Stevens et al.
  12. 17webSHA-1 is a ShamblesGaëtan Leurent et al.
  13. 25webSHA3, Where We've Been, Where We're GoingKelsey — RSA Conference 2013
  14. 26webSHA3, Past, Present, and FutureKelsey — CHES 2013
  15. 29webOn 128-bit security2013-10-02
  16. 30webA concrete proposal2013-10-02
  17. 33webYes, this is Keccak!2013-10-04
  18. 35webSHA-3 Standard: Permutation-Based Hash and Extendable-Output FunctionsNIST Computer Security Division (CSD) — NIST
  19. 36webThe sponge and duplex constructionsGuido Bertoni et al.
  20. 37webKeccak implementation overviewGuido Bertoni et al. — 2012-05-29
  21. 38webOptimization failures in SHA-3 softwareDaniel J. Bernstein — 2012-01-04
  22. 39webIs SHA-3 slow?2017-06-12
  23. 42inlinep. 672
  24. 43journalVector Instruction Set Extensions for Efficient Computation of KeccakHemendra Rawat et al. — 2017
  25. 48webKangarooTwelve: fast hashing based on Keccak-pInternational Association for Cryptologic Research — 2016
  26. 50ietfKangarooTwelve and TurboSHAKEBenoît Viguier et al. — IETF — 2025-10-12
  27. 51journalFarfalle: parallel permutation-based cryptographyGuido Bertoni et al. — 29 December 2016
  28. 54bookAbstractGilles Brassard et al. — 1998
  29. 72webopenssl/opensslNovember 2021