Welcome to the Acumen Security Blog


NIST published a Federal Register Notice, on August 5, 2015 to announce the publication of Federal Information Processing Standard (FIPS) 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions based on KECCAK algorithm. FIPS 202 specifies the SHA-3 family of hash functions, as well as mechanisms for other cryptographic functions to be specified in the future. The SHA-3 family consists of four cryptographic hash functions, called SHA3-224, SHA3-256, SHA3-384, and SHA3-512, and two extendable-output functions (XOFs), called SHAKE128 and SHAKE256. XOF is a function on bit strings in which the output can be extended to any desired length. According to NIST, SHAKE functions are approved but there are exceptions to this proposal –

1) You can still implement them and get FIPS 140-2 certification
2) But not if you use them in place of existing Approved hash functions, PRFs etc.

As a practice NIST suggests either using this new standard or Federal Information Processing Standard (FIPS) 180 to be implemented wherever a secure hash algorithm is required for Federal applications, including as a component within other cryptographic algorithms and protocols. This Standard may be adopted and used by non-Federal Government organizations also.

Acumen expects an updated FIPS 140-2 Implementation Guidance from CMVP on how SHA-3 will be rolled into the FIPS validation process. Based on past experience, we believe initially SHA-3 will be vendor affirmed and once algorithm testing is available, testing will be mandatory after a transition period.
Please do not hesitate to contact us with any questions.