Provided by: openssl_3.3.1-2ubuntu2.1_amd64 bug

NAME
       EVP_MD-SHAKE, EVP_MD-KECCAK-KMAC - The SHAKE / KECCAK family EVP_MD implementations


DESCRIPTION
       Support for computing SHAKE or KECCAK-KMAC digests through the EVP_MD API.

       KECCAK-KMAC is an Extendable Output Function (XOF), with a definition similar to SHAKE, used by the KMAC
       EVP_MAC implementation (see EVP_MAC-KMAC(7)).

   Identities
       This implementation is available in the FIPS provider as well as the default provider, and includes the
       following varieties:

       KECCAK-KMAC-128
           Known names are "KECCAK-KMAC-128" and "KECCAK-KMAC128".  This is used by EVP_MAC-KMAC128(7).  Using
           the notation from NIST FIPS 202 (Section 6.2), we have KECCAK-KMAC-128(M, d) =
           KECCAK[256](M || 00, d) (see the description of KMAC128 in Appendix A of NIST SP 800-185).

       KECCAK-KMAC-256
           Known names are "KECCAK-KMAC-256" and "KECCAK-KMAC256".  This is used by EVP_MAC-KMAC256(7).  Using
           the notation from NIST FIPS 202 (Section 6.2), we have KECCAK-KMAC-256(M, d) =
           KECCAK[512](M || 00, d) (see the description of KMAC256 in Appendix A of NIST SP 800-185).

       SHAKE-128
           Known names are "SHAKE-128" and "SHAKE128".

       SHAKE-256
           Known names are "SHAKE-256" and "SHAKE256".

   Gettable Parameters
       This implementation supports the common gettable parameters described in EVP_MD-common(7).

   Settable Context Parameters
       These implementations support the following OSSL_PARAM(3) entries, settable for an EVP_MD_CTX with
       EVP_MD_CTX_set_params(3):

       "xoflen" (OSSL_DIGEST_PARAM_XOFLEN) <unsigned integer>
           Sets the digest length for extendable output functions.  The length of the "xoflen" parameter should
           not exceed that of a size_t.

           For backwards compatibility reasons the default xoflen length for SHAKE-128 is 16 (bytes) which
           results in a security strength of only 64 bits. To ensure the maximum security strength of 128 bits,
           the xoflen should be set to at least 32.

           For backwards compatibility reasons the default xoflen length for SHAKE-256 is 32 (bytes) which
           results in a security strength of only 128 bits. To ensure the maximum security strength of 256 bits,
           the xoflen should be set to at least 64.

           This parameter may be used when calling either EVP_DigestFinal_ex() or EVP_DigestFinal(), since these
           functions were not designed to handle variable length output. It is recommended to either use
           EVP_DigestSqueeze() or EVP_DigestFinalXOF() instead.


NOTES
       For SHAKE-128, to ensure the maximum security strength of 128 bits, the output length passed to
       EVP_DigestFinalXOF() should be at least 32.

       For SHAKE-256, to ensure the maximum security strength of 256 bits, the output length passed to
       EVP_DigestFinalXOF() should be at least 64.


SEE ALSO
       EVP_MD_CTX_set_params(3), provider-digest(7), OSSL_PROVIDER-default(7)


COPYRIGHT
       Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.

       Licensed under the Apache License 2.0 (the "License").  You may not use this file except in compliance
       with the License.  You can obtain a copy in the file LICENSE in the source distribution or at
       <https://www.openssl.org/source/license.html>.