Provided by: openssl_3.5.0-2ubuntu1_amd64 bug

NAME
       EVP_MD-SHAKE, EVP_MD-KECCAK-KMAC - The SHAKE / KECCAK family EVP_MD implementations


DESCRIPTION
       Support for computing SHAKE or KECCAK-KMAC digests through the EVP_MD API.

       KECCAK-KMAC is an Extendable Output Function (XOF), with a definition similar to SHAKE, used by the KMAC
       EVP_MAC implementation (see EVP_MAC-KMAC(7)).

   Identities
       This implementation is available in the FIPS provider as well as the default provider, and includes the
       following varieties:

       KECCAK-KMAC-128
           Known  names  are "KECCAK-KMAC-128" and "KECCAK-KMAC128".  This is used by EVP_MAC-KMAC128(7).  Using
           the   notation   from   NIST   FIPS   202   (Section   6.2),   we   have   KECCAK-KMAC-128(M, d)    =
           KECCAK[256](M || 00, d) (see the description of KMAC128 in Appendix A of NIST SP 800-185).

       KECCAK-KMAC-256
           Known  names  are "KECCAK-KMAC-256" and "KECCAK-KMAC256".  This is used by EVP_MAC-KMAC256(7).  Using
           the   notation   from   NIST   FIPS   202   (Section   6.2),   we   have   KECCAK-KMAC-256(M, d)    =
           KECCAK[512](M || 00, d) (see the description of KMAC256 in Appendix A of NIST SP 800-185).

       SHAKE-128
           Known names are "SHAKE-128" and "SHAKE128".

       SHAKE-256
           Known names are "SHAKE-256" and "SHAKE256".

   Parameters
       This implementation supports the following OSSL_PARAM(3) entries:

       "xoflen" (OSSL_DIGEST_PARAM_XOFLEN) <unsigned integer>
           Sets or Gets the digest length for extendable output functions.  The length of the "xoflen" parameter
           should not exceed that of a size_t.

           The SHAKE-128 and SHAKE-256 implementations do not have any default digest length.

           This  parameter  must  be  set before calling either EVP_DigestFinal_ex() or EVP_DigestFinal(), since
           these functions were not designed to handle variable length output. It is recommended to  either  use
           EVP_DigestSqueeze() or EVP_DigestFinalXOF() instead.

       "size" (OSSL_DIGEST_PARAM_SIZE) <unsigned integer>
           An alias of "xoflen".

       See "PARAMETERS" in EVP_DigestInit(3) for further information related to parameters


NOTES
       For  SHAKE-128,  to  ensure  the  maximum  security  strength  of  128  bits, the output length passed to
       EVP_DigestFinalXOF() should be at least 32.

       For SHAKE-256, to ensure the maximum  security  strength  of  256  bits,  the  output  length  passed  to
       EVP_DigestFinalXOF() should be at least 64.


SEE ALSO
       EVP_MD_CTX_set_params(3), provider-digest(7), OSSL_PROVIDER-default(7)


HISTORY
       Since OpenSSL 3.4 the SHAKE-128 and SHAKE-256 implementations have no default digest length.


COPYRIGHT
       Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.

       Licensed  under  the  Apache License 2.0 (the "License").  You may not use this file except in compliance
       with the License.  You can obtain  a  copy  in  the  file  LICENSE  in  the  source  distribution  or  at
       <https://www.openssl.org/source/license.html>.

3.5.0                                              2025-06-04                                 EVP_MD-SHAKE(7SSL)