XOFs

Extensible Output Functions (XOFs) are a class of cryptographic functions that, given an input message, can produce an output of any chosen length. Unlike fixed-output hash functions, an XOF allows the user to request as many bits as needed, while ensuring that the output remains deterministic for the same input and length. The same input with different requested lengths yields different outputs, and the function is designed to be extendable without reprocessing the original data.

XOFs are typically built from sponge constructions. An internal state is repeatedly updated as the input is absorbed, and output is produced by squeezing bits from the state. A key parameter is the capacity, c, which relates to the state size and limits the security level. The rate, r, is the portion available for absorbing input or squeezing output, with c = b − r where b is the total state size in bits. In general, larger capacity increases resistance to preimage and collision attacks, while allowing longer or more secure outputs to be generated from the same input.

Prominent XOFs include SHAKE128 and SHAKE256, which are part of the SHA-3 standard. Other related XOFs include cSHAKE, which provides domain separation, and KMAC, a keyed XOF used for message authentication. There are also variants optimized for parallel processing and specific security profiles, all sharing the extendable-output property.

Applications of XOFs encompass hashing messages of arbitrary length, generating pseudorandom numbers, and serving as building blocks for key derivation and message authentication (notably when used with a secret key in KMAC). Their ability to produce variable-length outputs makes them versatile for flexible cryptographic protocols, while correct usage requires attention to padding, domain separation, and capacity-based security considerations.
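
The capacity relation c = b − r and the need for domain separation, as an added Python example (not from the original page): with SHAKE, requesting a longer output from the same input extends the shorter one, so keys meant to be independent need a label and length bound into the input. The `frame` helper and the `derive_*` functions are hypothetical names using a simple length-prefixed encoding, not the cSHAKE or KMAC encoding; the rate values are those of FIPS 202.

```python
import hashlib

B = 1600  # Keccak-f[1600] state width in bits, used by SHAKE128/256 (FIPS 202)
RATE = {"shake_128": 1344, "shake_256": 1088}  # rate r in bits (FIPS 202)


def capacity(name: str) -> int:
    """c = b - r: the part of the state never exposed to input or output."""
    return B - RATE[name]


def collision_bits(name: str, out_bits: int) -> int:
    """Generic collision strength is capped by both output length and c/2."""
    return min(out_bits // 2, capacity(name) // 2)


def frame(field: bytes) -> bytes:
    """Length-prefix a field so concatenated fields parse unambiguously."""
    return len(field).to_bytes(8, "big") + field


def derive_naive(secret: bytes, n: int) -> bytes:
    """Same input, different n: the shorter output is a prefix of the longer."""
    return hashlib.shake_256(secret).digest(n)


def derive_labeled(secret: bytes, label: bytes, n: int) -> bytes:
    """Bind the purpose label and the requested length into the absorbed input."""
    msg = frame(label) + n.to_bytes(8, "big") + frame(secret)
    return hashlib.shake_256(msg).digest(n)


if __name__ == "__main__":
    secret = b"constructed demo secret, not a real key"  # constructed sample input
    for name in RATE:
        print(name, "capacity:", capacity(name),
              "collision bits at 256-bit output:", collision_bits(name, 256))
    short, long_ = derive_naive(secret, 16), derive_naive(secret, 32)
    print("naive 16-byte output is a prefix of 32-byte output:",
          long_.startswith(short))
    enc = derive_labeled(secret, b"enc", 32)
    mac = derive_labeled(secret, b"mac", 32)
    print("labeled keys differ:", enc != mac)
    print("labeled 16 vs 32 share a prefix:",
          derive_labeled(secret, b"enc", 32).startswith(
              derive_labeled(secret, b"enc", 16)))
```
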