Home

XOF

An extendable-output function, or XOF, is a type of cryptographic function that takes a fixed input and can produce an output of arbitrary length. XOFs are typically built from sponge constructions, such as the Keccak family, which absorb input data into a fixed-size state and then squeeze out as much output as needed. This ability to extend the output length without reinitializing the function makes XOFs versatile for many cryptographic tasks.

In a sponge-based XOF, data are absorbed into the state with a padding scheme, then the state

Common examples and standards include SHAKE128 and SHAKE256, which are part of the SHA-3 family and are

Applications of XOFs include deriving keys and cryptographic material, generating pseudorandom streams, digital signatures, and message

is
repeatedly
squeezed
to
generate
output
bits.
The
amount
of
output
that
can
be
produced
is
not
limited
by
a
single
fixed
length;
more
output
can
be
generated
on
demand
by
continuing
the
squeezing
process.
The
security
properties
of
an
XOF
depend
on
the
underlying
sponge’s
state
size
and
permutation;
the
“capacity”
parameter
controls
resistance
to
certain
attacks,
influencing
the
achievable
security
level.
widely
used
as
XOFs.
Other
XOF-based
constructions
include
cSHAKE
(customizable)
and
KMAC
(an
XOF-based
MAC),
as
well
as
TupleHash
and
ParallelHash.
These
algorithms
are
described
in
standards
such
as
NIST
FIPS
202
and
SP
800-185,
which
define
how
to
use
XOFs
in
various
cryptographic
contexts
and
how
to
ensure
domain
separation.
authentication.
They
offer
flexibility
for
protocols
requiring
outputs
of
variable
lengths
while
maintaining
security
properties
tied
to
the
underlying
sponge
function.
Proper
implementation
requires
attention
to
padding,
domain
separation,
and
parameter
choices
to
meet
the
desired
security
level.