Home

cSHAKE

cSHAKE is a customizable variant of the SHA-3 family’s extendable-output functions (XOFs), designed to provide domain separation for applications. Defined in NIST SP 800-185, cSHAKE allows two additional strings to influence its output: a function-name string N and a customization string S. The same underlying Keccak sponge used by SHAKE is retained, but before processing the input message M, the strings N and S are incorporated in a dedicated encoding. This makes cSHAKE outputs depend on both the message and the chosen domain parameters, preventing cross-domain collisions.

In practice, cSHAKE has two main flavors: cSHAKE128 and cSHAKE256, corresponding to the security levels associated

Applications of cSHAKE include constructing domain-specific hash functions and enabling customizable hashing within protocols. It also

Availability and standards: cSHAKE128 and cSHAKE256 are implemented in cryptographic libraries and are specified alongside SHA-3

with
SHAKE128
and
SHAKE256.
If
both
N
and
S
are
empty,
cSHAKE
reduces
to
the
corresponding
SHAKE
function,
providing
no
additional
domain
separation.
When
N
and/or
S
are
non-empty,
different
domains
(for
example,
different
protocols
or
components)
produce
distinct
outputs
even
for
identical
messages.
serves
as
the
basis
for
related
constructs
like
KMAC,
where
a
key
and
a
customization
string
are
integrated
into
the
same
cSHAKE-based
framework
to
produce
keyed
outputs.
Like
other
SHA-3
primitives,
cSHAKE
relies
on
the
Keccak
permutation
and
sponge
model,
with
security
governed
by
the
chosen
output
length
and
the
underlying
parameters.
and
other
SHA-3
family
components
in
SP
800-185.