SHA3-256
Keccak under the SHA-3 banner: a totally different sponge construction from SHA-2, immune to length-extension by design.
By Deepak Gupta ·
After SHA-1's weakness became clear, NIST ran a public competition (2007–2012) to pick the next hash standard. The winner (Keccak, by Bertoni, Daemen, Peeters, and Van Assche) was standardized as SHA-3 in 2015. Its internal sponge construction is structurally different from SHA-2's Merkle–Damgård design, which means length-extension attacks don't apply, and it's a useful insurance policy: if a theoretical break ever lands on SHA-2, SHA-3 doesn't fall with it. SHA-3 is slower than SHA-256 on CPUs with SHA-NI hardware acceleration, so SHA-2 is still the practical default for most work. Reach for SHA-3 when you want defense-in-depth or when you need the bonus modes Keccak enables (SHAKE-128/256 as a variable-length XOF, cSHAKE for domain separation, KMAC for MACs).
Recommended uses
- ·Defense-in-depth (use alongside SHA-256 for separate signatures)
- ·Variable-length output via SHAKE-128 / SHAKE-256
- ·Domain-separated MACs via KMAC
Known attacks / caveats
- ·None practical. Best academic attack reaches ~5 of 24 rounds.
Designed by
Bertoni, Daemen, Peeters, Van Assche (Keccak team), published 2015.