About

SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family, standardized by NIST in FIPS 202 (2015). Unlike SHA-2, which uses a Merkle - Damgård construction, SHA-3 is built on the Keccak sponge function with a permutation width of 1600 bits and 24 rounds. This architectural difference provides resilience against length-extension attacks without requiring HMAC wrappers. Using this generator incorrectly - for instance, confusing SHA-3-256 with SHAKE256 or assuming SHA-3 output is interchangeable with SHA-2 - can break protocol compliance in TLS certificate pinning, blockchain address derivation, or digital forensics chain-of-custody logs.

This tool generates hashes from cryptographically secure random input via crypto.getRandomValues(), then applies the full Keccak-f[1600] permutation. Each hash is computed from 32 bytes of fresh entropy. The implementation covers all four SHA-3 fixed-length variants: 224, 256, 384, and 512 bits. Note: this tool does not implement SHAKE128/SHAKE256 (extendable-output functions), which use a different domain separation byte (0x1F vs 0x06).

Formulas

SHA-3 is based on the Keccak sponge construction. The state is a 5 × 5 matrix of 64-bit lanes, totaling 1600 bits. The permutation Keccak-f[1600] applies 24 rounds of five step mappings.

b = r + c = 1600

The rate r determines how many bits are absorbed per block. For SHA-3-d:

r = 1600 − 2 ⋅ d

Each round i ∈ {0, ..., 23} applies:

R = ι ∘ χ ∘ π ∘ ρ ∘ θ

Where θ computes column parities and XORs them with adjacent columns. ρ rotates each lane by a fixed offset. π permutes lane positions. χ is the only non-linear step: A[x] = A[x] ⊕ (¬A[x+1] ∧ A[x+2]). ι XORs a round constant into lane [0,0]. After absorbing and permuting, the output is squeezed from the first d bits of the state.

Where b = state width (1600 bits), r = rate (bits absorbed per block), c = capacity (security parameter), d = output digest length in bits, A[x] = state lane at position x.

Reference Data

Variant	Output (bits)	Output (hex chars)	Rate r (bits)	Capacity c (bits)	Security (bits)	Domain Byte	Block Size (bytes)
SHA-3-224	224	56	1152	448	112	0x06	144
SHA-3-256	256	64	1088	512	128	0x06	136
SHA-3-384	384	96	832	768	192	0x06	104
SHA-3-512	512	128	576	1024	256	0x06	72
SHAKE128	Variable	Variable	1344	256	min(d/2, 128)	0x1F	168
SHAKE256	Variable	Variable	1088	512	min(d/2, 256)	0x1F	136
SHA-2-256	256	64	N/A (MD)	N/A (MD)	128	N/A	64
SHA-2-512	512	128	N/A (MD)	N/A (MD)	256	N/A	128
MD5 (broken)	128	32	N/A (MD)	N/A (MD)	0 (collisions)	N/A	64
BLAKE2b-256	256	64	N/A (HAIFA)	N/A	128	N/A	128
BLAKE3	256	64	N/A (Merkle)	N/A	128	N/A	64
Keccak-256 (Ethereum)	256	64	1088	512	128	0x01	136

Frequently Asked Questions

They share the same Keccak-f[1600] permutation but differ in domain separation. SHA-3-256 (FIPS 202) pads the message with byte 0x06, while the pre-standardization Keccak-256 used in Ethereum pads with 0x01. This means identical inputs produce different digests. If you need Ethereum-compatible hashes, this tool's output is not directly usable - you would need to change the domain separation byte.

Yes. Each hash is computed from 32 bytes generated by crypto.getRandomValues(), which is backed by the operating system's CSPRNG (e.g., /dev/urandom on Linux, BCryptGenRandom on Windows). The output passes NIST SP 800-22 randomness tests. However, the browser environment cannot guarantee the absence of side-channel leaks - do not use this for key generation in high-security contexts.

SHA-3-512 outputs exactly 512 bits, which is 128 hexadecimal characters. Each hex digit encodes 4 bits: 512 ÷ 4 = 128. If you see fewer, check if your display is truncating. The tool shows the full digest. SHA-3-256 produces 64 hex characters, SHA-3-384 produces 96, and SHA-3-224 produces 56.

Theoretically, yes. For SHA-3-256, the probability of a collision among n hashes is approximately n² ÷ 2²⁵⁷ (birthday bound). For 1000 hashes, this is roughly 10⁻⁷¹ - far below the probability of a hardware bit-flip corrupting your output. In practice, collision is impossible for any quantity this tool generates.

The capacity c = 2 ⋅ d guarantees that collision resistance is d ÷ 2 bits and preimage resistance is d bits. A larger capacity means a smaller rate, which makes hashing slower (more blocks needed). SHA-3-512 has the largest capacity (1024 bits) and the smallest rate (576 bits), making it the slowest but most secure variant.

No. SHA-3 is a fast hash function. Password storage requires deliberately slow algorithms like Argon2id, bcrypt, or scrypt to resist brute-force attacks. A modern GPU can compute billions of SHA-3-256 hashes per second. Use these hashes for checksums, unique identifiers, commitment schemes, or random tokens - not for protecting passwords.