Skip to content

SHA-3 Hash Generator (Keccak SHA3-256)

Generate SHA-3 hashes online free. NIST FIPS 202 sponge construction — the post-SHA-2 standard. SHA3-256 output in 64 hex chars. Browser-only via lazy-loaded js-sha3; zero uploads.

No Tracking Runs in Browser Free
SHA-3 hashing runs in your browser via the js-sha3 library. No data is transmitted to any server.
Algorithm
Reviewed for SHA3-256 correctness against NIST FIPS 202 CAVP test vectors; Keccak vs SHA-3 padding distinction verified — Go Tools Engineering Team · May 28, 2026

What Is SHA-3?

SHA-3 (Secure Hash Algorithm 3) is the third generation of NIST's Secure Hash Standard, standardized in FIPS 202 in August 2015. Unlike SHA-1 and SHA-2, which are based on the Merkle-Damgård construction, SHA-3 uses a radically different design called the sponge construction — a choice NIST made deliberately to ensure that a cryptanalytic break of SHA-2 would not automatically compromise SHA-3.

The NIST SHA-3 competition (2007–2012): NIST solicited public submissions worldwide in 2007. After three evaluation rounds, 64 candidates were narrowed to five finalists: BLAKE, Grøstl, JH, Keccak, and Skein. In October 2012, Keccak — designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche from STMicroelectronics and NXP Semiconductors — was selected as the winner. All five finalists were considered secure; Keccak's unique sponge-based design gave it the structural diversity NIST prioritized.

The sponge construction: SHA-3 absorbs input into a 1600-bit state (the Keccak-f[1600] permutation) in the absorb phase, then squeezes output bits from the state in the squeeze phase. For SHA3-256, the rate/capacity split is 1088/512 bits. Because only 256 of the 1600 internal state bits appear in the output, an attacker cannot reconstruct the full state from the hash — making length-extension attacks structurally impossible. This contrasts with SHA-256, where the full internal state is exposed in the output, requiring HMAC to prevent length-extension.

SHA-3 vs. Keccak — the padding difference: NIST modified the original Keccak submission by changing the domain separation padding from 0x01 to 0x06. This means NIST SHA3-256 and original Keccak-256 produce different 64-hex-character outputs for every input. This is not a theoretical concern — it is why Ethereum's keccak256 (frozen before FIPS 202 was finalized) differs from this tool's SHA3-256 output for the same string. Never use this tool to replicate Ethereum address derivation.

FIPS 202 defines four SHA-3 variants: SHA3-224 (56 hex chars), SHA3-256 (64 hex chars), SHA3-384 (96 hex chars), SHA3-512 (128 hex chars). This tool implements SHA3-256, the most common variant and the one most directly comparable to SHA-256.

Library note: SHA-3 is not yet in the browser's Web Crypto API spec (crypto.subtle supports SHA-1, SHA-256, SHA-384, SHA-512 only). This tool lazy-loads the js-sha3 JavaScript library (~10 KB gzipped) on first use. After that single download, all computation runs locally in your browser — no input data is ever transmitted.

When to use SHA-3: new protocols requiring structural diversity from SHA-2; keyed MACs without the HMAC wrapper (KMAC128/256 per NIST SP 800-185); post-quantum hedging as a SHA-2 backup; compliance with systems that mandate FIPS 202. When to stick with SHA-256: universal library support, hardware acceleration (SHA-NI extensions), existing protocol compatibility, and most everyday integrity use cases where SHA-256 is already the established standard.

// SHA-3 (NIST FIPS 202 SHA3-256) using js-sha3 library
import { sha3_256 } from 'js-sha3';

const hash = sha3_256('Hello, World!');
// → '882f4b6991a775295186a4e3cc5ece9fc0b618c8c3e7a7beafdd0f56f13ae43b'

// Note: this differs from Ethereum's keccak256 for the same input:
// keccak256('Hello, World!') = 'acaf3289d7b601cbd114fb36c4d29c85bbfd5e133f14cb355c3fd8d99367964f'
// The difference is the padding byte: 0x06 (SHA-3) vs 0x01 (original Keccak)

SHA-3 Examples

Verify NIST FIPS 202 test vector

abc
3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532

SHA3-256("abc") = 3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532 — this is the official NIST FIPS 202 test vector. Paste "abc" into the tool and confirm this exact output to verify you are computing NIST SHA-3 (not original Keccak). This single test distinguishes a FIPS-compliant SHA-3 implementation from one using the older Keccak padding byte.

Keccak vs SHA-3 distinction — same input, different output

Hello

SHA3-256("Hello") from this tool (NIST FIPS 202) = 8ca66ee6b2fe4bb928a8e3cd2f508de4119c0895f22df86f0ab7e30e487e4500. Ethereum's keccak256("Hello") = 06b3dfaec148fb1bb2b066f10ec285e7c9bf402ab32aa78a5d38e34566810cd2. Same input, different 64-hex-char outputs. The difference is the padding suffix: NIST SHA-3 uses 0x06 while original Keccak (what Ethereum froze in 2013) uses 0x01. Ethereum predates NIST's 2015 standardization and permanently forked from the FIPS 202 variant.

Post-quantum archival hash

NIST SP 800-57 Part 1 Rev 5 — Recommendation for Key Management

SHA3-256 provides 128-bit pre-image resistance against Grover's algorithm on a quantum computer — the same effective security level as SHA-256 against quantum attack. For data that must remain tamper-evident beyond 2050, using SHA-3 alongside SHA-256 provides defense in depth: if a break is found in one algorithm's construction (Merkle-Damgård for SHA-2; Keccak sponge for SHA-3), the other remains secure. Institutional archives and government documents increasingly use dual-hash manifests (SHA-256 + SHA3-256) as a hedge. See also SHA-256 Generator for the SHA-2 side of this hedge.

HMAC-SHA3-256 keyed authentication

POST /api/ledger
{"amount":250000,"from":"acct-A","to":"acct-B"}

HMAC-SHA3-256 is a modern alternative to HMAC-SHA-256 for keyed message authentication. Because SHA-3's sponge construction is natively resistant to length-extension attacks (the squeezing phase discards internal state), a plain SHA3-256 keyed MAC (KMAC, defined in NIST SP 800-185) is also safe — unlike raw SHA-256, which requires the HMAC wrapper to defend against length-extension. For new high-assurance APIs and financial systems, HMAC-SHA3-256 (or KMAC128) provides stronger architectural guarantees than HMAC-SHA-256. Paste a canonical request body here to inspect the SHA3-256 fingerprint before applying HMAC.

How to Generate SHA-3 Hashes

  1. 1

    Paste text into the input field

    Select the Text tab and type or paste any string. The SHA3-256 hash updates live as you type. On first use, the js-sha3 library (~10 KB) is fetched and cached — you may notice a brief delay on the very first hash; all subsequent hashes are instant. The algorithm is already set to SHA-3 (NIST FIPS 202 SHA3-256).

  2. 2

    Copy the 64-character hex output

    Click the Copy button next to the hash result. The 64-character lowercase hex string is copied to your clipboard. Use the Uppercase toggle if your target system requires uppercase. This output matches what any FIPS 202-compliant SHA3-256 implementation produces — but note it differs from Ethereum's keccak256 for the same input.

  3. 3

    Verify with the Compare tab

    Switch to the Compare tab and paste two SHA3-256 hashes side by side. The tool uses constant-time comparison to report match or mismatch without leaking timing information. Useful for verifying NIST CAVP test vectors, checking archive manifests, or confirming that two SHA3-256 implementations produce identical output.

Technical Details

Algorithm: Keccak-f[1600] sponge construction
SHA3-256 applies the Keccak-f[1600] permutation (24 rounds of theta, rho, pi, chi, iota operations on a 5×5×64 state array) in a sponge construction with rate=1088 bits and capacity=512 bits. Input is absorbed in 136-byte (1088-bit) blocks; 256 bits of output are squeezed. The FIPS 202 domain separator appends 0x06 before padding. Implementation: NIST FIPS 202 (2015) section 6.
Output: SHA3-256 by default, 64 hex characters (FIPS 202 also defines 224/384/512)
This tool outputs SHA3-256: always exactly 64 hexadecimal characters (256 bits = 32 bytes). NIST FIPS 202 also standardizes SHA3-224 (56 chars), SHA3-384 (96 chars), and SHA3-512 (128 chars) — all using the same Keccak-f[1600] permutation with different rate/capacity splits. The output length is fixed regardless of input size.
Performance: lazy-loaded js-sha3 (~10 KB); ~150–400 MB/s in browser
Unlike SHA-2 routes (which use the browser's native Web Crypto API), SHA-3 is not in the Web Crypto spec. This tool loads the js-sha3 library (~10 KB gzipped) on first use, then caches it. Typical throughput: 150–400 MB/s in JavaScript, versus 400–700 MB/s for SHA-256 via Web Crypto. For text hashing (kilobytes) the difference is imperceptible. The main bundle for other SHA routes is unaffected by this lazy load.
Standards: NIST FIPS 202 (2015), NIST SP 800-185 (KMAC), NIST IR 8105
Standardized in FIPS 202 (August 2015). NIST SP 800-185 (2016) defines KMAC128 and KMAC256 — SHA-3-based keyed MAC functions that are natively length-extension immune without the HMAC wrapper. NIST IR 8105 recommends SHA-3 variants for post-quantum security margin. Currently approved for all security strength levels through 2030 and beyond under NIST SP 800-131A Rev 2.

Best Practices

Do not confuse SHA3-256 with Ethereum's keccak256
They are different algorithms with different outputs for every input. This tool computes NIST FIPS 202 SHA3-256 (padding byte 0x06). Ethereum's keccak256 uses original Keccak padding (0x01). If you are computing Ethereum address hashes, EVM storage slots, or Solidity keccak256() results, you need a keccak256-specific tool — this tool will give you wrong answers for those use cases.
Use SHA-3 as a hedge alongside SHA-256, not as a replacement
SHA-3 and SHA-2 use structurally different designs (sponge vs. Merkle-Damgård). A dual-hash manifest (SHA-256 + SHA3-256) gives defense in depth: if a cryptanalytic break is ever found in one family's construction, the other remains secure. For long-term archival data and government records, NIST recommends considering this dual-algorithm approach. For everyday use, SHA-256 alone remains perfectly sufficient.
Prefer KMAC over HMAC-SHA3-256 for new keyed MAC designs
NIST SP 800-185 defines KMAC128 and KMAC256 — purpose-built keyed MACs based on SHA-3. Because the sponge construction is natively length-extension immune, KMAC does not need the double-hashing wrapper that HMAC requires for safety. For new protocols that have flexibility in MAC algorithm choice, KMAC128 (128-bit security) or KMAC256 (256-bit security) are cleaner and slightly more efficient than HMAC-SHA3-256.
Use constant-time comparison when verifying SHA-3 hashes in code
When comparing two SHA3-256 hashes in code, always use a constant-time equality function: Node.js crypto.timingSafeEqual(), Python hmac.compare_digest(), Go subtle.ConstantTimeCompare(). Naive string equality (=== or ==) leaks timing information that can allow an attacker to reconstruct the expected hash byte-by-byte. This applies equally to SHA-3 and all other hash functions. This tool's Compare tab already uses constant-time comparison.

SHA-3 FAQ

Is SHA-3 the same as Keccak?
Close, but not identical. SHA-3 is based on the Keccak algorithm, which won the 2007-2012 NIST SHA-3 competition, but NIST changed the padding rule during standardization. Original Keccak appends a 0x01 suffix byte before padding; NIST SHA-3 (FIPS 202, 2015) appends 0x06. This single-byte difference means SHA3-256 and Keccak-256 produce different 64-character outputs for every input. The algorithms are structurally identical otherwise — same Keccak-f[1600] permutation, same sponge construction. When someone says "Keccak" in the Ethereum/blockchain context, they almost always mean the original pre-FIPS padding variant, not NIST SHA-3.
Why does Ethereum use keccak256, not SHA-3?
Ethereum was designed in 2013–2014 and launched in 2015 — before NIST finalized SHA-3 in August 2015. When Ethereum's protocol was frozen, the Keccak team's original proposal was the reference implementation. NIST then changed the padding during standardization, but Ethereum could not retroactively adopt the FIPS 202 variant without breaking consensus (every node must compute identical hashes). The result is a permanent fork: Ethereum's keccak256 uses the original Keccak padding (0x01), while this tool's SHA3-256 uses the NIST FIPS 202 padding (0x06). Same structural algorithm, different outputs. Never use this tool to replicate Ethereum address derivation or EVM keccak256 — you will get wrong results.
What is the sponge construction?
The sponge construction is SHA-3's alternative to SHA-2's Merkle-Damgård chaining. Instead of compressing input block-by-block into a running hash state (Merkle-Damgård), the sponge has two phases: absorb (input is XORed into a portion of the state and mixed with the Keccak-f[1600] permutation repeatedly) and squeeze (output bits are read from the state). The critical security benefit: the internal state is larger than the output — SHA3-256 uses a 1600-bit state but only outputs 256 bits, leaving 1344 bits of hidden state. An attacker who sees only the 256-bit output cannot reconstruct the full state to extend the message, making length-extension attacks structurally impossible without a wrapper. This differs from SHA-256, which requires HMAC to prevent length-extension.
Should I use SHA-3 instead of SHA-2?
Not by default — both SHA-256 and SHA3-256 are currently secure and NIST-approved. SHA-3 is designed as a structural backup for SHA-2: because they use completely different designs (Merkle-Damgård vs. sponge), a break in one algorithm does not compromise the other. Use SHA-3 when: (1) your protocol explicitly requires it, (2) you need length-extension immunity without the HMAC wrapper, (3) you are building a new system that wants future-proof algorithm agility, or (4) your organization mandates a SHA-3 backup hash alongside SHA-256. For everyday file checksums and certificate fingerprints, SHA-256 remains the universal standard with better library and hardware support.
Is SHA-3 faster than SHA-256?
In software, usually slower. SHA3-256 typically achieves 150–400 MB/s in browser JavaScript, compared to 400–700 MB/s for SHA-256 via the Web Crypto API (which uses the browser's native, C-level SHA-2 implementation). In dedicated hardware and ASICs (e.g., custom security chips), SHA-3's Keccak-f[1600] permutation is often faster because it parallelizes better and uses only simple bitwise operations (XOR, AND, rotate) — no modular addition. SHA-3 also outperforms SHA-2 on 32-bit embedded hardware in many cases. For browser-based tools this performance gap is imperceptible; for bulk file hashing it matters.
How long is a SHA-3 hash from this tool?
This tool defaults to SHA3-256, which always produces exactly 64 hexadecimal characters (256 bits = 32 bytes, 2 hex chars per byte). NIST FIPS 202 also defines SHA3-224 (56 hex chars), SHA3-384 (96 hex chars), and SHA3-512 (128 hex chars). All share the same Keccak-f[1600] permutation; only the capacity/rate split and output length differ. For comparison: SHA-256 also produces 64 hex chars, but they are different 64-character strings for the same input.
Is SHA-3 quantum-resistant?
Partially. Grover's algorithm on a quantum computer can square-root the search space of any hash function, effectively halving the security level. SHA3-256 has 256 bits of pre-image resistance, which is reduced to 128 bits under a quantum attack — still secure under any near-term threat model. The important advantage over SHA-2: SHA-3's sponge construction is unrelated to Merkle-Damgård, so it is unaffected by any cryptanalytic technique specific to SHA-2's compression function. NIST's post-quantum guidance recommends SHA-3 as the preferred hash for new protocols that want design diversity alongside SHA-2.
Is my data sent to a server when I use this tool?
No. After the initial library load (the js-sha3 script is fetched once from a CDN, ~10 KB), all hashing runs entirely in your browser in JavaScript. Open DevTools → Network tab while hashing text — you will see zero outgoing requests carrying your input data. Unlike the SHA-2 tools on this site (which use the browser-built-in Web Crypto API), SHA-3 is not yet in the Web Crypto spec, so a JavaScript library is required. The library download is the only network request; your text never leaves the page. See also: the SHA-256 generator and MD5 generator use no external library at all.
What was the NIST SHA-3 competition?
NIST ran an open competition from 2007 to 2012 to select a third Secure Hash Algorithm standard — not to replace SHA-2 (which remains secure), but to diversify the hash algorithm landscape in case SHA-2 was ever broken. 64 initial submissions were narrowed to 5 finalists: BLAKE, Grøstl, JH, Keccak, and Skein. Keccak, designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche (from STMicroelectronics and NXP Semiconductors), was selected as the winner in October 2012 and standardized as SHA-3 in NIST FIPS 202 in August 2015. Its selection was notable for choosing a fundamentally different design from SHA-2 rather than an evolutionary variant.
Is SHA-3 vulnerable to length-extension attacks?
No — by design. Length-extension attacks exploit the fact that Merkle-Damgård constructions (SHA-256, SHA-512, MD5) expose the internal state in the hash output, allowing an attacker to append data to a hashed message without knowing the secret prefix. SHA-3's sponge construction avoids this entirely: the 1600-bit internal state is larger than the 256-bit output, so the output does not reveal enough state to extend the message. This means you can use plain SHA3-256 as a keyed MAC primitive (KMAC) safely, whereas using raw SHA-256 as a keyed MAC (HASH(key || message)) is insecure without the HMAC wrapper.

Related Tools

View all tools →

JWT Decoder

Security Tools

Decode JWT tokens online with our free JWT decoder. Instantly inspect header, payload, signature, expiration, algorithm, and claims. 100% browser-based — your token never leaves your device. No signup, no tracking.

MD5 Hash Generator & File Checksum Tool

Security Tools

Generate MD5, SHA-256, SHA-1 & SHA-512 hashes online for free. Hash text or files in your browser, verify checksums and copy results. No signup needed.

Random Password Generator — Customizable, Strong & Secure

Security Tools

Generate strong random passwords instantly — free, 100% in your browser. Customize length & characters, batch up to 50 with entropy analysis.

SHA-1 Hash Generator (160-bit Legacy)

Security Tools

Generate SHA-1 hashes in your browser — 40-character hex output, no upload. Legacy tool for Git fingerprints, old certificate checks, and migration audits. Data never leaves your device.

SHA-256 Hash Generator & Checksum Tool

Security Tools

Generate SHA-256 hashes online for free. Hash text or files in your browser, verify checksums, and copy 64-character hex output. No signup; data never leaves the page.

SHA-384 Hash Generator (TLS Suite B Hash)

Security Tools

Generate SHA-384 hashes online — 96-character hex output, length-extension immune, NSA Suite B compliant. Paired with AES-256-GCM in TLS. All hashing runs in your browser via Web Crypto API.