U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.


We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)

Hash Functions


Approved Algorithms

Approved hash algorithms for generating a condensed representation of a message (message digest) are specified in two Federal Information Processing Standards: FIPS 180-4, Secure Hash Standard and FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions.

 FIPS 180-4 specifies seven hash algorithms:

  • SHA-1 (Secure Hash Algorithm-1), and the
  • SHA-2 family of hash algorithms: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.

FIPS 202 specifies the new SHA-3 family of permutation-based functions based on KECCAK as a result of the “SHA-3” Cryptographic Hash Algorithm Competition. FIPS 202 specifies:

  • Four fixed-length hash algorithms: SHA3-224, SHA3-256, SHA3-384, and SHA3-512; and
  • Two closely related, “extendable-output” functions (XOFs): SHAKE128 and SHAKE256.

Currently only the four fixed-length SHA-3 algorithms are approved hash algorithms, providing alternatives to the SHA-2 family of hash functions. The XOFs can be specialized to hash functions, subject to additional security considerations. Guideline for using the XOFs will be provided in the future.

SHA-3 Derived Functions

NIST SP 800-185, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash

In addition to four fixed-length hash functions, FIPS 202 also defines two eXtendable Output Functions, SHAKE128 and SHAKE256. Unlike the fixed-length hash functions, these SHAKE functions support variable-length outputs, and are named for their expected security level.

FIPS 202 also supports a flexible scheme for domain separation between different functions derived from KECCAK, ensuring that different named functions will produce unrelated outputs. NIST extends this flexibility further to allow users to customize their use of the functions by defining a customizable version of SHAKE, called cSHAKE.


Related Special Publications

NIST SP 800-106, Randomized Hashing for Digital Signatures provides recommendation for randomizing the hash input messages prior to signature generation to strengthen the security of the digital signatures being generated.

NIST SP 800-107 Revision 1, Recommendation for Using Approved Hash Algorithms provides security guidelines for achieving the required or desired security strengths when using cryptographic applications that employ the approved hash functions. These include applications such as digital signatures, Keyed-hash Message Authentication Codes (HMACs) and Hash-based Key Derivation Functions (Hash-based KDFs).


Testing Hash Function Implementations

Testing requirements and validation lists are available from the Cryptographic Algorithm Validation Program (CAVP).


Implementation-related References

Created January 04, 2017, Updated June 22, 2020