diff --git a/README.md b/README.md index f6cca72..c36230f 100644 --- a/README.md +++ b/README.md @@ -112,8 +112,8 @@ Below are the algorithms built in (based on Web Cryptography) and their runtime | HKDF-SHA512 `0x0003` | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | SHAKE128 `0x0010` | ✓ | | | | | ✓ | | SHAKE256 `0x0011` | ✓ | | | | | ✓ | -| TurboSHAKE128 `0x0012` | | | | | | ✓ | -| TurboSHAKE256 `0x0013` | | | | | | ✓ | +| TurboSHAKE128 `0x0012` | ✓ | | | | | ✓ | +| TurboSHAKE256 `0x0013` | ✓ | | | | | ✓ | ### Authenticated Encryption (AEAD) diff --git a/docs/README.md b/docs/README.md index c298cc6..db986ab 100644 --- a/docs/README.md +++ b/docs/README.md @@ -64,6 +64,8 @@ console.log(new TextDecoder().decode(decrypted)) // "Hello, World!" - [KDF\_HKDF\_SHA512](variables/KDF_HKDF_SHA512.md) - [KDF\_SHAKE128](variables/KDF_SHAKE128.md) - [KDF\_SHAKE256](variables/KDF_SHAKE256.md) +- [KDF\_TurboSHAKE128](variables/KDF_TurboSHAKE128.md) +- [KDF\_TurboSHAKE256](variables/KDF_TurboSHAKE256.md) ## AEAD Algorithms diff --git a/docs/type-aliases/KDFFactory.md b/docs/type-aliases/KDFFactory.md index a2ebe2d..edde16d 100644 --- a/docs/type-aliases/KDFFactory.md +++ b/docs/type-aliases/KDFFactory.md @@ -12,6 +12,8 @@ exported by this module: - [HKDF-SHA512](../variables/KDF_HKDF_SHA512.md) - [SHAKE128](../variables/KDF_SHAKE128.md) - [SHAKE256](../variables/KDF_SHAKE256.md) +- [TurboSHAKE128](../variables/KDF_TurboSHAKE128.md) +- [TurboSHAKE256](../variables/KDF_TurboSHAKE256.md) > \[!TIP]\ > [CipherSuite](../classes/CipherSuite.md) is not limited to using only these exported KDF implementations. Any function diff --git a/docs/variables/KDF_TurboSHAKE128.md b/docs/variables/KDF_TurboSHAKE128.md new file mode 100644 index 0000000..3626c71 --- /dev/null +++ b/docs/variables/KDF_TurboSHAKE128.md 
@@ -0,0 +1,22 @@
+# Variable: KDF\_TurboSHAKE128
+
+> `const` **KDF\_TurboSHAKE128**: [`KDFFactory`](../type-aliases/KDFFactory.md)
+
+TurboSHAKE128 key derivation function.
+
+A one-stage KDF using the TurboSHAKE128 extendable-output function (XOF) with an output length
+(Nh) of 32 bytes.
+
+Depends on the following Web Cryptography algorithms being supported in the runtime:
+
+- TurboSHAKE128 digest
+
+This is a factory function that must be passed to the [CipherSuite](../classes/CipherSuite.md) constructor.
+
+> \[!TIP]\
+> An implementation of this algorithm not reliant on Web Cryptography is also exported by
+> [`@panva/hpke-noble`](https://www.npmjs.com/package/@panva/hpke-noble)
+
+## See
+
+[HPKE-PQ One-Stage KDFs](https://datatracker.ietf.org/doc/html/draft-ietf-hpke-pq-04.html#section-5)
diff --git a/docs/variables/KDF_TurboSHAKE256.md b/docs/variables/KDF_TurboSHAKE256.md
new file mode 100644
index 0000000..17de45e
--- /dev/null
+++ b/docs/variables/KDF_TurboSHAKE256.md
@@ -0,0 +1,22 @@
+# Variable: KDF\_TurboSHAKE256
+
+> `const` **KDF\_TurboSHAKE256**: [`KDFFactory`](../type-aliases/KDFFactory.md)
+
+TurboSHAKE256 key derivation function.
+
+A one-stage KDF using the TurboSHAKE256 extendable-output function (XOF) with an output length
+(Nh) of 64 bytes.
+
+Depends on the following Web Cryptography algorithms being supported in the runtime:
+
+- TurboSHAKE256 digest
+
+This is a factory function that must be passed to the [CipherSuite](../classes/CipherSuite.md) constructor.
+
+> \[!TIP]\
+> An implementation of this algorithm not reliant on Web Cryptography is also exported by
+> [`@panva/hpke-noble`](https://www.npmjs.com/package/@panva/hpke-noble)
+
+## See
+
+[HPKE-PQ One-Stage KDFs](https://datatracker.ietf.org/doc/html/draft-ietf-hpke-pq-04.html#section-5)
diff --git a/index.html b/index.html
index 900a621..a7c8718 100644
--- a/index.html
+++ b/index.html
@@ -2010,7 +2010,12 @@

HPKE

'KEM_MLKEM768_P256', 'KEM_MLKEM1024_P384', ], - kdf: ['KDF_SHAKE128', 'KDF_SHAKE256'], + kdf: [ + 'KDF_SHAKE128', + 'KDF_SHAKE256', + 'KDF_TurboSHAKE128', + 'KDF_TurboSHAKE256', + ], aead: ['AEAD_ChaCha20Poly1305'], } diff --git a/index.ts b/index.ts index 453f903..0722a91 100644 --- a/index.ts +++ b/index.ts @@ -1331,6 +1331,8 @@ export type KEMFactory = () => Readonly * - {@link KDF_HKDF_SHA512 | HKDF-SHA512} * - {@link KDF_SHAKE128 | SHAKE128} * - {@link KDF_SHAKE256 | SHAKE256} + * - {@link KDF_TurboSHAKE128 | TurboSHAKE128} + * - {@link KDF_TurboSHAKE256 | TurboSHAKE256} * * > [!TIP]\ * > {@link CipherSuite} is not limited to using only these exported KDF implementations. Any function 
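Review bot: The `kdf` entry of this expected-unsupported list is now maintained by hand in two places, here in index.html and in the `unsupported` object in test/run-workerd.js, and the two copies already differ in layout. How the list is consumed is outside the hunk, but if it is used to skip suites, a stale entry would silently hide a runtime that has started to expose TurboSHAKE, including one that exposes it with the wrong output. I would add a comment above the list such as `// keep in sync with test/run-workerd.js; every entry must fail feature detection in this runtime`. Where the harness allows it, the run should fail when a listed algorithm is in fact detected as supported, so the list goes stale loudly.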
@@ -2532,6 +2534,66 @@ export const KDF_SHAKE256: KDFFactory = function (): SHAKE { } } +/** + * TurboSHAKE128 key derivation function. + * + * A one-stage KDF using the TurboSHAKE128 extendable-output function (XOF) with an output length + * (Nh) of 32 bytes. + * + * Depends on the following Web Cryptography algorithms being supported in the runtime: + * + * - TurboSHAKE128 digest + * + * This is a factory function that must be passed to the {@link CipherSuite} constructor. + * + * > [!TIP]\ + * > An implementation of this algorithm not reliant on Web Cryptography is also exported by + * > [`@panva/hpke-noble`](https://www.npmjs.com/package/@panva/hpke-noble) + * + * @group KDF Algorithms + * @see [HPKE-PQ One-Stage KDFs](https://datatracker.ietf.org/doc/html/draft-ietf-hpke-pq-04.html#section-5) + */ +export const KDF_TurboSHAKE128: KDFFactory = function (): SHAKE { + return { + id: 0x0012, + type: 'KDF', + name: 'TurboSHAKE128', + Nh: 32, + algorithm: 'TurboSHAKE128', + ...SHAKE_SHARED(), + } +} + +/** + * TurboSHAKE256 key derivation function. + * + * A one-stage KDF using the TurboSHAKE256 extendable-output function (XOF) with an output length + * (Nh) of 64 bytes. + * + * Depends on the following Web Cryptography algorithms being supported in the runtime: + * + * - TurboSHAKE256 digest + * + * This is a factory function that must be passed to the {@link CipherSuite} constructor. 
+ * + * > [!TIP]\ + * > An implementation of this algorithm not reliant on Web Cryptography is also exported by + * > [`@panva/hpke-noble`](https://www.npmjs.com/package/@panva/hpke-noble) + * + * @group KDF Algorithms + * @see [HPKE-PQ One-Stage KDFs](https://datatracker.ietf.org/doc/html/draft-ietf-hpke-pq-04.html#section-5) + */ +export const KDF_TurboSHAKE256: KDFFactory = function (): SHAKE { + return { + id: 0x0013, + type: 'KDF', + name: 'TurboSHAKE256', + Nh: 64, + algorithm: 'TurboSHAKE256', + ...SHAKE_SHARED(), + } +} + async function getPublicKeyByExport( name: string, key: CryptoKey, diff --git a/test/run-workerd.js b/test/run-workerd.js index 6afe3b1..a1fcca0 100644 --- a/test/run-workerd.js +++ b/test/run-workerd.js @@ -17,7 +17,7 @@ const unsupported = { 'KEM_MLKEM768_P256', 'KEM_MLKEM1024_P384', ], - kdf: ['KDF_SHAKE128', 'KDF_SHAKE256'], + kdf: ['KDF_SHAKE128', 'KDF_SHAKE256', 'KDF_TurboSHAKE128', 'KDF_TurboSHAKE256'], aead: ['AEAD_ChaCha20Poly1305'], } diff --git a/test/support.ts b/test/support.ts index d381f20..fa39298 100644 --- a/test/support.ts +++ b/test/support.ts @@ -58,6 +58,14 @@ export const supported: Record boolean | undefined> = { // @ts-expect-error return supports('digest', { name: 'cSHAKE256', outputLength: 512, length: 512 }) }, + KDF_TurboSHAKE128() { + // @ts-expect-error + return supports('digest', { name: 'TurboSHAKE128', outputLength: 256 }) + }, + KDF_TurboSHAKE256() { + // @ts-expect-error + return supports('digest', { name: 'TurboSHAKE256', outputLength: 512 }) + }, KEM_ML_KEM_512() { return supports('generateKey', 'ML-KEM-512') },
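Review bot: Nothing in `KDF_TurboSHAKE128` or `KDF_TurboSHAKE256` shows which TurboSHAKE domain-separation byte the derivation uses; both objects set only `id`, `name`, `Nh` and `algorithm`, and take everything else from `SHAKE_SHARED()`, whose body is outside the hunk. TurboSHAKE output depends on that byte, so two implementations that disagree on it derive different keys without raising any error. Interoperability with `@panva/hpke-noble` and other HPKE-PQ peers therefore rests on a value the reader cannot see here. I would state it in the TSDoc of both constants, for example `Uses the domain separation byte specified for one-stage KDFs in draft-ietf-hpke-pq-04, section 5`. The tests for ids `0x0012` and `0x0013` should also compare against fixed known-answer output, if the draft or the noble implementation provides vectors, rather than only a seal/open round trip.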
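Review bot: The two `// @ts-expect-error` directives added in `KDF_TurboSHAKE128()` and `KDF_TurboSHAKE256()` carry no reason, so a later reader cannot tell which type error is being suppressed or when the directive can go. A short reason on each would fix this, e.g. `// @ts-expect-error TurboSHAKE digest params are not in the bundled WebCrypto typings`. The probes also hard-code `outputLength: 256` and `outputLength: 512`, which match `Nh: 32` and `Nh: 64` in index.ts only by convention. A comment such as `// outputLength is in bits: Nh * 8` would keep the probe from drifting to a length the KDF never requests. The `supported` object begins and continues outside this hunk.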