KMAC vs. SHAKE: Key Differences

Both KMAC and SHAKE are based on the Keccak algorithm, but they serve different cryptographic purposes. KMAC provides keyed message authentication functionality while SHAKE is an extendable-output hash function without key requirements.

Feature	KMAC (KECCAK Message Auth Code)	SHAKE (Secure Hash Algorithm-Keccak)
Type	Keyed MAC/PRF (NIST SP 800-185)	Extendable-Output Function (XOF)
Security Focus	Message authentication, key derivation	Customizable hashing, stream cipher-like output
Key Requirement	Mandatory secret key (`K`)	No key (unkeyed)
Output Customization	Optional `S` (customization string)	Supports domain separation via `cSHAKE`
Collision Resistance	128/256-bit (KMAC128/KMAC256)	128/256-bit (SHAKE128/SHAKE256)
Use Cases	MACs, PRFs, KDFs, AEAD (e.g., IKEv2)	Checksums, KDFs, post-quantum crypto
Performance	Slower (additional key processing)	Faster (no key overhead)
Standardization	NIST SP 800-185	FIPS 202

1. Core Design

KMAC:
- Built on cSHAKE with a mandatory key (K) and optional customization (S)
- Uses bytepad(encode_string(K)) to preprocess keys
- Provides PRF functionality (e.g., for IKEv2 key derivation)
SHAKE:
- Unkeyed XOF with variable output length
- Two variants: SHAKE128 (128-bit security) and SHAKE256 (256-bit security)
- Basis for cSHAKE (customizable via N and S strings)

2. Security Properties

Property	KMAC	SHAKE
Keyed Security	Authenticated encryption	Unkeyed integrity checks
Quantum Resistance	Yes (Keccak-based)	Yes (Keccak-based)
Length Extension	Not applicable (key blocks it)	Protected via domain separation

3. Performance Considerations

KMAC:
- Adds 2+ KECCAK operations during initialization vs. 1 for cSHAKE
- Used in protocols like IPsec/IKEv2 where MAC speed is secondary to security
SHAKE:
- Faster for non-keyed tasks (e.g., checksums)
- Parallelization: Limited (sponge construction), unlike BLAKE3

4. When to Use Which

Choose KMAC when:

You need message authentication (e.g., firmware updates)
NIST compliance is required (e.g., government systems)
Deriving session keys from master keys

Choose SHAKE when:

You need variable-length hashes (e.g., KDFs)
Custom domain separation is required (via cSHAKE)
Post-quantum readiness without key management overhead

5. Example Workflows

KMAC in IKEv2:

# KMAC256 as PRF for IKEv2 key derivation
skeyseed = KMAC256(master_key, nonce, 
             output_len=256, S="IKEv2")

SHAKE for Checksums:

# SHAKE256 truncated to 64-bit checksum
checksum = SHAKE256(file_data, output_len=64)

6. Common Misconceptions

"KMAC is just keyed SHAKE"

KMAC adds key preprocessing and output-length encoding, making it a true PRF.

"SHAKE replaces HMAC"

SHAKE lacks keyed authentication; use KMAC or HMAC-SHA3 instead.

7. Related Functions

cSHAKE: Customizable SHAKE (adds N/S strings for domain separation)
TupleHash: Hashes structured data (e.g., JSON) using cSHAKE
ParallelHash: Processes large data in parallel (NIST SP 800-185)

8. Why This Comparison Matters

Protocol Design: Avoid pitfalls like using unkeyed SHAKE for authentication
Compliance: NIST SP 800-185 mandates KMAC for certain keyed operations
Performance Tradeoffs: KMAC's security vs. SHAKE's speed for non-critical tasks

Conclusion: While both KMAC and SHAKE are based on the Keccak algorithm, they serve different cryptographic purposes. KMAC provides authenticated encryption with mandatory key usage, while SHAKE offers flexible hash output without key requirements. Choose the appropriate function based on your specific security needs and performance considerations.