fbpx
Wikipedia

BLAKE (hash function)

April 18, 2024

BLAKE is a cryptographic hash function based on Daniel J. Bernstein's ChaCha stream cipher, but a permuted copy of the input block, XORed with round constants, is added before each ChaCha round. Like SHA-2, there are two variants differing in the word size. ChaCha operates on a 4×4 array of words. BLAKE repeatedly combines an 8-word hash value with 16 message words, truncating the ChaCha result to obtain the next hash value. BLAKE-256 and BLAKE-224 use 32-bit words and produce digest sizes of 256 bits and 224 bits, respectively, while BLAKE-512 and BLAKE-384 use 64-bit words and produce digest sizes of 512 bits and 384 bits, respectively.

BLAKE
General
DesignersJean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael C.-W. Phan
SuccessorsBLAKE2
CertificationSHA-3 finalist
Detail
Digest sizes224, 256, 384 or 512 bits
StructureHAIFA construction
Rounds14 or 16
Speed8.4 cpb on Core 2 for BLAKE-256; 7.8 cpb for BLAKE-512

The BLAKE2 hash function, based on BLAKE, was announced in 2012. The BLAKE3 hash function, based on BLAKE2, was announced in 2020.

History edit

BLAKE was submitted to the NIST hash function competition by Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan. In 2008, there were 51 entries. BLAKE made it to the final round consisting of five candidates but lost to Keccak in 2012, which was selected for the SHA-3 algorithm.

Algorithm edit

Like SHA-2, BLAKE comes in two variants: one that uses 32-bit words, used for computing hashes up to 256 bits long, and one that uses 64-bit words, used for computing hashes up to 512 bits long. The core block transformation combines 16 words of input with 16 working variables, but only 8 words (256 or 512 bits) are preserved between blocks.

It uses a table of 16 constant words (the leading 512 or 1024 bits of the fractional part of π), and a table of 10 16-element permutations: 

σ[0] = 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 σ[1] = 14 10 4 8 9 15 13 6 1 12 0 2 11 7 5 3 σ[2] = 11 8 12 0 5 2 15 13 10 14 3 6 7 1 9 4 σ[3] = 7 9 3 1 13 12 11 14 2 6 5 10 4 0 15 8 σ[4] = 9 0 5 7 2 4 10 15 14 1 11 12 6 8 3 13 σ[5] = 2 12 6 10 0 11 8 3 4 13 7 5 15 14 1 9 σ[6] = 12 5 1 15 14 13 4 10 0 7 6 3 9 2 8 11 σ[7] = 13 11 7 14 12 1 3 9 5 0 15 4 8 6 2 10 σ[8] = 6 15 14 9 11 3 0 8 12 2 13 7 1 4 10 5 σ[9] = 10 2 8 4 7 6 1 5 15 11 9 14 3 12 13 0

The core operation, equivalent to ChaCha's quarter round, operates on a 4-word column or diagonal a b c d, which is combined with 2 words of message m[] and two constant words n[]. It is performed 8 times per full round: 

j ← σ[r%10][2×i] // Index computations k ← σ[r%10][2×i+1] a ← a + b + (m[j] ⊕ n[k]) // Step 1 (with input) d ← (d ⊕ a) >>> 16 c ← c + d // Step 2 (no input) b ← (b ⊕ c) >>> 12 a ← a + b + (m[k] ⊕ n[j]) // Step 3 (with input) d ← (d ⊕ a) >>> 8 c ← c + d // Step 4 (no input) b ← (b ⊕ c) >>> 7

In the above, r is the round number (0–13), and i varies from 0 to 7.

The differences from the ChaCha quarter-round function are:

  • The addition of the message words has been added.
  • The rotation directions have been reversed.

"BLAKE reuses the permutation of the ChaCha stream cipher with rotations done in the opposite directions. Some have suspected an advanced optimization, but in fact it originates from a typo in the original BLAKE specifications", Jean-Philippe Aumasson explains in his "Crypto Dictionary".[1]

The 64-bit version (which does not exist in ChaCha) is identical, but the rotation amounts are 32, 25, 16 and 11, respectively, and the number of rounds is increased to 16.

Tweaks edit

Throughout the NIST hash function competition, entrants are permitted to "tweak" their algorithms to address issues that are discovered. Changes that have been made to BLAKE are: the number of rounds was increased from 10/14 to 14/16. This is to be more conservative about security while still being fast.

Example digests edit

Hash values of an empty string: 

BLAKE-224("") = 7dc5313b1c04512a174bd6503b89607aecbee0903d40a8a569c94eed BLAKE-256("") = 716f6e863f744b9ac22c97ec7b76ea5f5908bc5b2f67c61510bfc4751384ea7a BLAKE-384("") = c6cbd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706 BLAKE-512("") = a8cfbbd73726062df0c6864dda65defe58ef0cc52a5625090fa17601e1eecd1b628e94f396ae402a00acc9eab77b4d4c2e852aaaa25a636d80af3fc7913ef5b8

Changing a single bit causes each bit in the output to change with 50% probability, demonstrating an avalanche effect: 

BLAKE-512("The quick brown fox jumps over the lazy dog") = 1f7e26f63b6ad25a0896fd978fd050a1766391d2fd0471a77afb975e5034b7ad2d9ccf8dfb47abbbe656e1b82fbc634ba42ce186e8dc5e1ce09a885d41f43451 BLAKE-512("The quick brown fox jumps over the lazy dof") = a701c2a1f9baabd8b1db6b75aee096900276f0b86dc15d247ecc03937b370324a16a4ffc0c3a85cd63229cfa15c15f4ba6d46ae2e849ed6335e9ff43b764198a

BLAKE2 edit

BLAKE2
General
DesignersJean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, Christian Winnerlein
Derived fromBLAKE
Detail
Digest sizesup to 64 bytes (BLAKE2b); up to 32 bytes (BLAKE2s); arbitrary (BLAKE2X)
Rounds10 or 12
Speed3.5 cpb on Core i5 (Ivy Bridge) for BLAKE2b[2]

BLAKE2 is a cryptographic hash function based on BLAKE, created by Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian Winnerlein. The design goal was to replace the widely used, but broken, MD5 and SHA-1 algorithms in applications requiring high performance in software. BLAKE2 was announced on December 21, 2012.[3] A reference implementation is available under CC0, the OpenSSL License, and the Apache License 2.0.[4][5]

BLAKE2b is faster than MD5, SHA-1, SHA-2, and SHA-3, on 64-bit x86-64 and ARM architectures.[4] BLAKE2 provides better security than SHA-2 and similar to that of SHA-3: immunity to length extension, indifferentiability from a random oracle, etc.[6]

BLAKE2 removes addition of constants to message words from BLAKE round function, changes two rotation constants, simplifies padding, adds parameter block that is XOR'ed with initialization vectors, and reduces the number of rounds from 16 to 12 for BLAKE2b (successor of BLAKE-512), and from 14 to 10 for BLAKE2s (successor of BLAKE-256).

BLAKE2 supports keying, salting, personalization, and hash tree modes, and can output digests from 1 up to 64 bytes for BLAKE2b, or up to 32 bytes for BLAKE2s. There are also parallel versions designed for increased performance on multi-core processors; BLAKE2bp (4-way parallel) and BLAKE2sp (8-way parallel).

BLAKE2X is a family of extendable-output functions (XOFs). Whereas BLAKE2 is limited to 64-byte digests, BLAKE2X allows for digests of up to 256 GiB. BLAKE2X is itself not an instance of a hash function, and must be based on an actual BLAKE2 instance. An example of a BLAKE2X instance could be BLAKE2Xb16MiB, which would be a BLAKE2X version based on BLAKE2b producing 16,777,216-byte digests (or exactly 16 MiB, hence the name of such an instance).[7]

BLAKE2b and BLAKE2s are specified in RFC 7693. Optional features using the parameter block (salting, personalized hashes, tree hashing, et cetera), are not specified, and thus neither is support for BLAKE2bp, BLAKE2sp, or BLAKE2X.[8]

Initialization vector edit

BLAKE2b uses an initialization vector that is the same as the IV used by SHA-512. These values are transparently obtained by taking the first 64 bits of the fractional parts of the positive square roots of the first eight prime numbers. 

IV0 = 0x6a09e667f3bcc908 // Frac(sqrt(2)) IV1 = 0xbb67ae8584caa73b // Frac(sqrt(3)) IV2 = 0x3c6ef372fe94f82b // Frac(sqrt(5)) IV3 = 0xa54ff53a5f1d36f1 // Frac(sqrt(7)) IV4 = 0x510e527fade682d1 // Frac(sqrt(11)) IV5 = 0x9b05688c2b3e6c1f // Frac(sqrt(13)) IV6 = 0x1f83d9abfb41bd6b // Frac(sqrt(17)) IV7 = 0x5be0cd19137e2179 // Frac(sqrt(19))

BLAKE2b algorithm edit

Pseudocode for the BLAKE2b algorithm. The BLAKE2b algorithm uses 8-byte (UInt64) words, and 128-byte chunks. 

Algorithm BLAKE2b Input: M Message to be hashed cbMessageLen: Number, (0..2128) Length of the message in bytes Key Optional 0..64 byte key cbKeyLen: Number, (0..64) Length of optional key in bytes cbHashLen: Number, (1..64) Desired hash length in bytes Output: Hash Hash of cbHashLen bytes Initialize State vector h with IV h0..7 ← IV0..7Mix key size (cbKeyLen) and desired hash length (cbHashLen) into h0 h0 ← h0 xor 0x0101kknn where kk is Key Length (in bytes) nn is Desired Hash Length (in bytes) Each time we Compress we record how many bytes have been compressed cBytesCompressed ← 0 cBytesRemaining ← cbMessageLen If there was a key supplied (i.e. cbKeyLen > 0) then pad with trailing zeros to make it 128-bytes (i.e. 16 words)  and prepend it to the message M if (cbKeyLen > 0) then M ← Pad(Key, 128) || M cBytesRemaining ← cBytesRemaining + 128 end if Compress whole 128-byte chunks of the message, except the last chunk while (cBytesRemaining > 128) do chunk ← get next 128 bytes of message M cBytesCompressed ← cBytesCompressed + 128 increase count of bytes that have been compressed cBytesRemaining ← cBytesRemaining - 128 decrease count of bytes in M remaining to be processed h ← Compress(h, chunk, cBytesCompressed, false) false ⇒ this is not the last chunk end while Compress the final bytes from M chunk ← get next 128 bytes of message M We will get cBytesRemaining bytes (i.e. 0..128 bytes) cBytesCompressed ← cBytesCompressed+cBytesRemaining The actual number of bytes leftover in M chunk ← Pad(chunk, 128) If M was empty, then we will still compress a final chunk of zeros h ← Compress(h, chunk, cBytesCompressed, true) true ⇒ this is the last chunk Result ← first cbHashLen bytes of little endian state vector h End Algorithm BLAKE2b

Compress edit

The Compress function takes a full 128-byte chunk of the input message and mixes it into the ongoing state array: 

Function Compress Input: h Persistent state vector chunk 128-byte (16 double word) chunk of message to compress t: Number, 0..2128Count of bytes that have been fed into the Compression IsLastBlock: Boolean Indicates if this is the final round of compression Output: h Updated persistent state vector Setup local work vector V V0..7 ← h0..7First eight items are copied from persistent state vector h V8..15 ← IV0..7 Remaining eight items are initialized from the IV Mix the 128-bit counter t into V12:V13 V12 ← V12 xor Lo(t) Lo 64-bits of UInt128 t V13 ← V13 xor Hi(t) Hi 64-bits of UInt128 t If this is the last block then invert all the bits in V14 if IsLastBlock then V14 ← V14 xor 0xFFFFFFFFFFFFFFFF Treat each 128-byte message chunk as sixteen 8-byte (64-bit) words m m0..15 ← chunk Twelve rounds of cryptographic message mixing for i from 0 to 11 do Select message mixing schedule for this round. BLAKE2b uses 12 rounds, while SIGMA has only 10 entries. S0..15 ← SIGMA[i mod 10] Rounds 10 and 11 use SIGMA[0] and SIGMA[1] respectively Mix(V0, V4, V8, V12, m[S0], m[S1]) Mix(V1, V5, V9, V13, m[S2], m[S3]) Mix(V2, V6, V10, V14, m[S4], m[S5]) Mix(V3, V7, V11, V15, m[S6], m[S7]) Mix(V0, V5, V10, V15, m[S8], m[S9]) Mix(V1, V6, V11, V12, m[S10], m[S11]) Mix(V2, V7, V8, V13, m[S12], m[S13]) Mix(V3, V4, V9, V14, m[S14], m[S15]) end for Mix the upper and lower halves of V into ongoing state vector h h0..7 ← h0..7 xor V0..7 h0..7 ← h0..7 xor V8..15Result ← h End Function Compress

Mix edit

The Mix function is called by the Compress function, and mixes two 8-byte words from the message into the hash state. In most implementations this function would be written inline, or as an inlined function. 

Function Mix Inputs: Va, Vb, Vc, Vdfour 8-byte word entries from the work vector V x, y two 8-byte word entries from padded message m Output: Va, Vb, Vc, Vdthe modified versions of Va, Vb, Vc, Vd Va ← Va + Vb + x with input Vd ← (Vd xor Va) rotateright 32 Vc ← Vc + Vdno input Vb ← (Vb xor Vc) rotateright 24 Va ← Va + Vb + y with input Vd ← (Vd xor Va) rotateright 16 Vc ← Vc + Vdno input Vb ← (Vb xor Vc) rotateright 63 Result ← Va, Vb, Vc, Vd End Function Mix

Example digests edit

Hash values of an empty string: 

BLAKE2s-224("") = 1fa1291e65248b37b3433475b2a0dd63d54a11ecc4e3e034e7bc1ef4 BLAKE2s-256("") = 69217a3079908094e11121d042354a7c1f55b6482ca1a51e1b250dfd1ed0eef9 BLAKE2b-384("") = b32811423377f52d7862286ee1a72ee540524380fda1724a6f25d7978c6fd3244a6caf0498812673c5e05ef583825100 BLAKE2b-512("") = 786a02f742015903c6c6fd852552d272912f4740e15847618a86e217f71f5419d25e1031afee585313896444934eb04b903a685b1448b755d56f701afe9be2ce

Changing a single bit causes each bit in the output to change with 50% probability, demonstrating an avalanche effect: 

BLAKE2b-512("The quick brown fox jumps over the lazy dog") = a8add4bdddfd93e4877d2746e62817b116364a1fa7bc148d95090bc7333b3673f82401cf7aa2e4cb1ecd90296e3f14cb5413f8ed77be73045b13914cdcd6a918 BLAKE2b-512("The quick brown fox jumps over the lazy dof") = ab6b007747d8068c02e25a6008db8a77c218d94f3b40d2291a7dc8a62090a744c082ea27af01521a102e42f480a31e9844053f456b4b41e8aa78bbe5c12957bb

Users of BLAKE2 edit

Implementations edit

In addition to the reference implementation,[5] the following cryptography libraries provide implementations of BLAKE2:

BLAKE3 edit

BLAKE3
General
DesignersJack O'Connor, Samuel Neves, Jean-Philippe Aumasson, Zooko Wilcox-O'Hearn
First publishedJanuary 9, 2020; 4 years ago (2020-01-09)
Derived fromBao, BLAKE2
Detail
Digest sizes256 bits, arbitrarily extensible
StructureMerkle tree
Rounds7
Speed0.49 cpb on Cascade Lake-SP with AVX-512[23]

BLAKE3 is a cryptographic hash function based on Bao and BLAKE2, created by Jack O'Connor, Jean-Philippe Aumasson, Samuel Neves, and Zooko Wilcox-O'Hearn.[24] It was announced on January 9, 2020, at Real World Crypto.[25]

BLAKE3 is a single algorithm with many desirable features (parallelism, XOF, KDF, PRF and MAC), in contrast to BLAKE and BLAKE2, which are algorithm families with multiple variants. BLAKE3 has a binary tree structure, so it supports a practically unlimited degree of parallelism (both SIMD and multithreading) given long enough input. The official Rust and C implementations[26] are dual-licensed as public domain (CC0) and the Apache License.[27]

BLAKE3 is designed to be as fast as possible. It is consistently a few times faster than BLAKE2. The BLAKE3 compression function is closely based on that of BLAKE2s, with the biggest difference being that the number of rounds is reduced from 10 to 7, a change based on the assumption that current cryptography is too conservative.[28] In addition to providing parallelism, the Merkle tree format also allows for verified streaming (on-the-fly verifying) and incremental updates.[26]

References edit

  1. ^ Aumasson, Jean-Philippe (2021). Crypto Dictionary: 500 Tasty Tidbits for the Curious Cryptographer. No Starch Press. ISBN 9781718501409.
  2. ^ "BLAKE2 – an alternative to MD5/SHA-1".
  3. ^ O'Whielacronx, Zooko (21 December 2012). . Archived from the original on 5 October 2016. Retrieved 27 January 2016.
  4. ^ a b "BLAKE2". blake2.net.
  5. ^ a b "BLAKE2 official implementations". GitHub. Retrieved 7 July 2019.
  6. ^ Aumasson, Jean-Philippe; Neves, Samuel; Wilcox-O’Hearn, Zooko; Winnerlein, Christian (2013). "BLAKE2: simpler, smaller, fast as MD5" (PDF). Cryptology ePrint Archive. IACR.
  7. ^ "BLAKE2X" (PDF).
  8. ^ Saarinen, M-J; Aumasson, J-P (November 2015). The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC). IETF. doi:10.17487/RFC7693. RFC 7693. Retrieved 4 December 2015.
  9. ^ "About Chef Habitat". docs.chef.io.
  10. ^ "coreutils/src/blake2/". github.com.
  11. ^ "librsync/src/blake2/". github.com.
  12. ^ "WhatsApp Security Whitepaper" (PDF).
  13. ^ "WinRAR archiver, a powerful tool to process RAR and ZIP files". rarsoft.com.
  14. ^ "Igor Pavlov's response to a user request for BLAKE3 support in 7-Zip". sourceforge.net.
  15. ^ "rmlint — rmlint (2.8.0 Maidenly Moose) documentation". rmlint.readthedocs.io.
  16. ^ "WireGuard: Next Generation Kernel Network Tunnel" (PDF).
  17. ^ "work". docs.nano.org.
  18. ^ "signatures". docs.nano.org.
  19. ^ "key derivation". docs.nano.org.
  20. ^ "Autolykos: The Ergo Platform PoW Puzzle" (PDF). ergoplatform.org.
  21. ^ "Linux 5.17 Random Number Generator Seeing Speed-Ups, Switching From SHA1 To BLAKE2s". www.phoronix.com.
  22. ^ "Subscriber Signing - Beckn".
  23. ^ "BLAKE3 – one function, fast everywhere" (PDF). GitHub.
  24. ^ "An earlier version of Bao specified its own custom tree mode, which eventually grew into BLAKE3". GitHub.
  25. ^ "JPA and I announced BLAKE3 at the RWC lightning talks..." Hacker News.
  26. ^ a b "BLAKE3 official implementations". GitHub. Retrieved 12 January 2020.
  27. ^ "This work is released into the public domain with CC0 1.0. Alternatively, it is licensed under the Apache License 2.0". GitHub.
  28. ^ Aumasson, Jean-Philippe (2020). Too Much Crypto (PDF). Real World Crypto Symposium.

External links edit

  • The BLAKE web site
  • The BLAKE2 web site
  • The BLAKE3 web site

April 18, 2024
blake, hash, function, blake, cryptographic, hash, function, based, daniel, bernstein, chacha, stream, cipher, permuted, copy, input, block, xored, with, round, constants, added, before, each, chacha, round, like, there, variants, differing, word, size, chacha. BLAKE is a cryptographic hash function based on Daniel J Bernstein s ChaCha stream cipher but a permuted copy of the input block XORed with round constants is added before each ChaCha round Like SHA 2 there are two variants differing in the word size ChaCha operates on a 4 4 array of words BLAKE repeatedly combines an 8 word hash value with 16 message words truncating the ChaCha result to obtain the next hash value BLAKE 256 and BLAKE 224 use 32 bit words and produce digest sizes of 256 bits and 224 bits respectively while BLAKE 512 and BLAKE 384 use 64 bit words and produce digest sizes of 512 bits and 384 bits respectively BLAKEGeneralDesignersJean Philippe Aumasson Luca Henzen Willi Meier Raphael C W PhanSuccessorsBLAKE2CertificationSHA 3 finalistDetailDigest sizes224 256 384 or 512 bitsStructureHAIFA constructionRounds14 or 16Speed8 4 cpb on Core 2 for BLAKE 256 7 8 cpb for BLAKE 512The BLAKE2 hash function based on BLAKE was announced in 2012 The BLAKE3 hash function based on BLAKE2 was announced in 2020 Contents 1 History 2 Algorithm 3 Tweaks 4 Example digests 5 BLAKE2 5 1 Initialization vector 5 2 BLAKE2b algorithm 5 2 1 Compress 5 2 2 Mix 5 3 Example digests 5 4 Users of BLAKE2 5 5 Implementations 6 BLAKE3 7 References 8 External linksHistory editBLAKE was submitted to the NIST hash function competition by Jean Philippe Aumasson Luca Henzen Willi Meier and Raphael C W Phan In 2008 there were 51 entries BLAKE made it to the final round consisting of five candidates but lost to Keccak in 2012 which was selected for the SHA 3 algorithm Algorithm editLike SHA 2 BLAKE comes in two variants one that uses 32 bit words used for computing hashes up to 256 bits long and one that uses 64 bit words used for computing hashes up to 512 bits long The core block transformation combines 16 words of input with 16 working variables but only 8 words 256 or 512 bits are preserved between blocks It uses a table of 16 constant words the leading 512 or 1024 bits of the fractional part of p and a table of 10 16 element permutations s 0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 s 1 14 10 4 8 9 15 13 6 1 12 0 2 11 7 5 3 s 2 11 8 12 0 5 2 15 13 10 14 3 6 7 1 9 4 s 3 7 9 3 1 13 12 11 14 2 6 5 10 4 0 15 8 s 4 9 0 5 7 2 4 10 15 14 1 11 12 6 8 3 13 s 5 2 12 6 10 0 11 8 3 4 13 7 5 15 14 1 9 s 6 12 5 1 15 14 13 4 10 0 7 6 3 9 2 8 11 s 7 13 11 7 14 12 1 3 9 5 0 15 4 8 6 2 10 s 8 6 15 14 9 11 3 0 8 12 2 13 7 1 4 10 5 s 9 10 2 8 4 7 6 1 5 15 11 9 14 3 12 13 0 The core operation equivalent to ChaCha s quarter round operates on a 4 word column or diagonal a b c d which is combined with 2 words of message m and two constant words n It is performed 8 times per full round j s r 10 2 i Index computations k s r 10 2 i 1 a a b m j n k Step 1 with input d d a gt gt gt 16 c c d Step 2 no input b b c gt gt gt 12 a a b m k n j Step 3 with input d d a gt gt gt 8 c c d Step 4 no input b b c gt gt gt 7 In the above r is the round number 0 13 and i varies from 0 to 7 The differences from the ChaCha quarter round function are The addition of the message words has been added The rotation directions have been reversed BLAKE reuses the permutation of the ChaCha stream cipher with rotations done in the opposite directions Some have suspected an advanced optimization but in fact it originates from a typo in the original BLAKE specifications Jean Philippe Aumasson explains in his Crypto Dictionary 1 The 64 bit version which does not exist in ChaCha is identical but the rotation amounts are 32 25 16 and 11 respectively and the number of rounds is increased to 16 Tweaks editThroughout the NIST hash function competition entrants are permitted to tweak their algorithms to address issues that are discovered Changes that have been made to BLAKE are the number of rounds was increased from 10 14 to 14 16 This is to be more conservative about security while still being fast Example digests editHash values of an empty string BLAKE 224 7dc5313b1c04512a174bd6503b89607aecbee0903d40a8a569c94eed BLAKE 256 716f6e863f744b9ac22c97ec7b76ea5f5908bc5b2f67c61510bfc4751384ea7a BLAKE 384 c6cbd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706 BLAKE 512 a8cfbbd73726062df0c6864dda65defe58ef0cc52a5625090fa17601e1eecd1b628e94f396ae402a00acc9eab77b4d4c2e852aaaa25a636d80af3fc7913ef5b8 Changing a single bit causes each bit in the output to change with 50 probability demonstrating an avalanche effect BLAKE 512 The quick brown fox jumps over the lazy dog 1f7e26f63b6ad25a0896fd978fd050a1766391d2fd0471a77afb975e5034b7ad2d9ccf8dfb47abbbe656e1b82fbc634ba42ce186e8dc5e1ce09a885d41f43451 BLAKE 512 The quick brown fox jumps over the lazy dof a701c2a1f9baabd8b1db6b75aee096900276f0b86dc15d247ecc03937b370324a16a4ffc0c3a85cd63229cfa15c15f4ba6d46ae2e849ed6335e9ff43b764198aBLAKE2 editBLAKE2GeneralDesignersJean Philippe Aumasson Samuel Neves Zooko Wilcox O Hearn Christian WinnerleinDerived fromBLAKEDetailDigest sizesup to 64 bytes BLAKE2b up to 32 bytes BLAKE2s arbitrary BLAKE2X Rounds10 or 12Speed3 5 cpb on Core i5 Ivy Bridge for BLAKE2b 2 BLAKE2 is a cryptographic hash function based on BLAKE created by Jean Philippe Aumasson Samuel Neves Zooko Wilcox O Hearn and Christian Winnerlein The design goal was to replace the widely used but broken MD5 and SHA 1 algorithms in applications requiring high performance in software BLAKE2 was announced on December 21 2012 3 A reference implementation is available under CC0 the OpenSSL License and the Apache License 2 0 4 5 BLAKE2b is faster than MD5 SHA 1 SHA 2 and SHA 3 on 64 bit x86 64 and ARM architectures 4 BLAKE2 provides better security than SHA 2 and similar to that of SHA 3 immunity to length extension indifferentiability from a random oracle etc 6 BLAKE2 removes addition of constants to message words from BLAKE round function changes two rotation constants simplifies padding adds parameter block that is XOR ed with initialization vectors and reduces the number of rounds from 16 to 12 for BLAKE2b successor of BLAKE 512 and from 14 to 10 for BLAKE2s successor of BLAKE 256 BLAKE2 supports keying salting personalization and hash tree modes and can output digests from 1 up to 64 bytes for BLAKE2b or up to 32 bytes for BLAKE2s There are also parallel versions designed for increased performance on multi core processors BLAKE2bp 4 way parallel and BLAKE2sp 8 way parallel BLAKE2X is a family of extendable output functions XOFs Whereas BLAKE2 is limited to 64 byte digests BLAKE2X allows for digests of up to 256 GiB BLAKE2X is itself not an instance of a hash function and must be based on an actual BLAKE2 instance An example of a BLAKE2X instance could be BLAKE2Xb16MiB which would be a BLAKE2X version based on BLAKE2b producing 16 777 216 byte digests or exactly 16 MiB hence the name of such an instance 7 BLAKE2b and BLAKE2s are specified in RFC 7693 Optional features using the parameter block salting personalized hashes tree hashing et cetera are not specified and thus neither is support for BLAKE2bp BLAKE2sp or BLAKE2X 8 Initialization vector edit BLAKE2b uses an initialization vector that is the same as the IV used by SHA 512 These values are transparently obtained by taking the first 64 bits of the fractional parts of the positive square roots of the first eight prime numbers IV0 0x6a09e667f3bcc908 Frac sqrt 2 IV1 0xbb67ae8584caa73b Frac sqrt 3 IV2 0x3c6ef372fe94f82b Frac sqrt 5 IV3 0xa54ff53a5f1d36f1 Frac sqrt 7 IV4 0x510e527fade682d1 Frac sqrt 11 IV5 0x9b05688c2b3e6c1f Frac sqrt 13 IV6 0x1f83d9abfb41bd6b Frac sqrt 17 IV7 0x5be0cd19137e2179 Frac sqrt 19 BLAKE2b algorithm edit Pseudocode for the BLAKE2b algorithm The BLAKE2b algorithm uses 8 byte UInt64 words and 128 byte chunks Algorithm BLAKE2b Input M Message to be hashed cbMessageLen Number 0 2128 Length of the message in bytes Key Optional 0 64 byte key cbKeyLen Number 0 64 Length of optional key in bytes cbHashLen Number 1 64 Desired hash length in bytes Output Hash Hash of cbHashLen bytes Initialize State vector h with IV h0 7 IV0 7Mix key size cbKeyLen and desired hash length cbHashLen into h0 h0 h0 xor 0x0101kknn where kk is Key Length in bytes nn is Desired Hash Length in bytes Each time we Compress we record how many bytes have been compressed cBytesCompressed 0 cBytesRemaining cbMessageLen If there was a key supplied i e cbKeyLen gt 0 then pad with trailing zeros to make it 128 bytes i e 16 words and prepend it to the message M if cbKeyLen gt 0 then M Pad Key 128 M cBytesRemaining cBytesRemaining 128 end if Compress whole 128 byte chunks of the message except the last chunk while cBytesRemaining gt 128 do chunk get next 128 bytes of message M cBytesCompressed cBytesCompressed 128 increase count of bytes that have been compressed cBytesRemaining cBytesRemaining 128 decrease count of bytes in M remaining to be processed h Compress h chunk cBytesCompressed false false this is not the last chunk end while Compress the final bytes from M chunk get next 128 bytes of message M We will get cBytesRemaining bytes i e 0 128 bytes cBytesCompressed cBytesCompressed cBytesRemaining The actual number of bytes leftover in M chunk Pad chunk 128 If M was empty then we will still compress a final chunk of zeros h Compress h chunk cBytesCompressed true true this is the last chunk Result first cbHashLen bytes of little endian state vector h End Algorithm BLAKE2b Compress edit The Compress function takes a full 128 byte chunk of the input message and mixes it into the ongoing state array Function Compress Input h Persistent state vector chunk 128 byte 16 double word chunk of message to compress t Number 0 2128Count of bytes that have been fed into the Compression IsLastBlock Boolean Indicates if this is the final round of compression Output h Updated persistent state vector Setup local work vector V V0 7 h0 7First eight items are copied from persistent state vector h V8 15 IV0 7 Remaining eight items are initialized from the IV Mix the 128 bit counter t into V12 V13 V12 V12 xor Lo t Lo 64 bits of UInt128 t V13 V13 xor Hi t Hi 64 bits of UInt128 t If this is the last block then invert all the bits in V14 if IsLastBlock then V14 V14 xor 0xFFFFFFFFFFFFFFFF Treat each 128 byte message chunk as sixteen 8 byte 64 bit words m m0 15 chunk Twelve rounds of cryptographic message mixing for i from 0 to 11 do Select message mixing schedule for this round BLAKE2b uses 12 rounds while SIGMA has only 10 entries S0 15 SIGMA i mod 10 Rounds 10 and 11 use SIGMA 0 and SIGMA 1 respectively Mix V0 V4 V8 V12 m S0 m S1 Mix V1 V5 V9 V13 m S2 m S3 Mix V2 V6 V10 V14 m S4 m S5 Mix V3 V7 V11 V15 m S6 m S7 Mix V0 V5 V10 V15 m S8 m S9 Mix V1 V6 V11 V12 m S10 m S11 Mix V2 V7 V8 V13 m S12 m S13 Mix V3 V4 V9 V14 m S14 m S15 end for Mix the upper and lower halves of V into ongoing state vector h h0 7 h0 7 xor V0 7 h0 7 h0 7 xor V8 15Result h End Function Compress Mix edit The Mix function is called by the Compress function and mixes two 8 byte words from the message into the hash state In most implementations this function would be written inline or as an inlined function Function Mix Inputs Va Vb Vc Vdfour 8 byte word entries from the work vector V x y two 8 byte word entries from padded message m Output Va Vb Vc Vdthe modified versions of Va Vb Vc Vd Va Va Vb x with input Vd Vd xor Va rotateright 32 Vc Vc Vdno input Vb Vb xor Vc rotateright 24 Va Va Vb y with input Vd Vd xor Va rotateright 16 Vc Vc Vdno input Vb Vb xor Vc rotateright 63 Result Va Vb Vc VdEnd Function Mix Example digests edit Hash values of an empty string BLAKE2s 224 1fa1291e65248b37b3433475b2a0dd63d54a11ecc4e3e034e7bc1ef4 BLAKE2s 256 69217a3079908094e11121d042354a7c1f55b6482ca1a51e1b250dfd1ed0eef9 BLAKE2b 384 b32811423377f52d7862286ee1a72ee540524380fda1724a6f25d7978c6fd3244a6caf0498812673c5e05ef583825100 BLAKE2b 512 786a02f742015903c6c6fd852552d272912f4740e15847618a86e217f71f5419d25e1031afee585313896444934eb04b903a685b1448b755d56f701afe9be2ce Changing a single bit causes each bit in the output to change with 50 probability demonstrating an avalanche effect BLAKE2b 512 The quick brown fox jumps over the lazy dog a8add4bdddfd93e4877d2746e62817b116364a1fa7bc148d95090bc7333b3673f82401cf7aa2e4cb1ecd90296e3f14cb5413f8ed77be73045b13914cdcd6a918 BLAKE2b 512 The quick brown fox jumps over the lazy dof ab6b007747d8068c02e25a6008db8a77c218d94f3b40d2291a7dc8a62090a744c082ea27af01521a102e42f480a31e9844053f456b4b41e8aa78bbe5c12957bb Users of BLAKE2 edit Argon2 the winner of the Password Hashing Competition uses BLAKE2b Chef s Habitat deployment system uses BLAKE2b for package signing 9 FreeBSD Ports package management tool uses BLAKE2b GNU Core Utilities implements BLAKE2b in its b2sum command 10 IPFS allows use of BLAKE2b for tree hashing librsync uses BLAKE2b 11 Noise cryptographic protocol which is used in WhatsApp includes BLAKE2 as an option 12 citation needed RAR archive format version 5 supports an optional 256 bit BLAKE2sp file checksum instead of the default 32 bit CRC32 it was implemented in WinRAR v5 13 7 Zip in order to support the RAR archive format version 5 14 can generate the BLAKE2sp signature for each file in the Explorer shell via CRC SHA context menu and choosing rmlint uses BLAKE2b for duplicate file detection 15 WireGuard uses BLAKE2s for hashing 16 Zcash a cryptocurrency uses BLAKE2b in the Equihash proof of work and as a key derivation function NANO a cryptocurrency uses BLAKE2b in the proof of work for hashing digital signatures and as a key derivation function 17 18 19 Polkadot a multi chain blockchain uses BLAKE2b as its hashing algorithm PCI Vault uses BLAKE2b as its hashing algorithm for the purpose of PCI compliant PCD tokenization Ergo a cryptocurrency uses BLAKE2b256 as a subroutine of its hashing algorithm called Autolykos 20 Linux kernel version 5 17 replaced SHA 1 with BLAKE2s for hashing the entropy pool in the random number generator 21 Open Network for Digital Commerce a Government of India initiative uses BLAKE 512 to sign API requests 22 Implementations edit In addition to the reference implementation 5 the following cryptography libraries provide implementations of BLAKE2 Botan Bouncy Castle Crypto Libgcrypt libsodium OpenSSL wolfSSLBLAKE3 editBLAKE3GeneralDesignersJack O Connor Samuel Neves Jean Philippe Aumasson Zooko Wilcox O HearnFirst publishedJanuary 9 2020 4 years ago 2020 01 09 Derived fromBao BLAKE2DetailDigest sizes256 bits arbitrarily extensibleStructureMerkle treeRounds7Speed0 49 cpb on Cascade Lake SP with AVX 512 23 BLAKE3 is a cryptographic hash function based on Bao and BLAKE2 created by Jack O Connor Jean Philippe Aumasson Samuel Neves and Zooko Wilcox O Hearn 24 It was announced on January 9 2020 at Real World Crypto 25 BLAKE3 is a single algorithm with many desirable features parallelism XOF KDF PRF and MAC in contrast to BLAKE and BLAKE2 which are algorithm families with multiple variants BLAKE3 has a binary tree structure so it supports a practically unlimited degree of parallelism both SIMD and multithreading given long enough input The official Rust and C implementations 26 are dual licensed as public domain CC0 and the Apache License 27 BLAKE3 is designed to be as fast as possible It is consistently a few times faster than BLAKE2 The BLAKE3 compression function is closely based on that of BLAKE2s with the biggest difference being that the number of rounds is reduced from 10 to 7 a change based on the assumption that current cryptography is too conservative 28 In addition to providing parallelism the Merkle tree format also allows for verified streaming on the fly verifying and incremental updates 26 References edit Aumasson Jean Philippe 2021 Crypto Dictionary 500 Tasty Tidbits for the Curious Cryptographer No Starch Press ISBN 9781718501409 BLAKE2 an alternative to MD5 SHA 1 O Whielacronx Zooko 21 December 2012 introducing BLAKE2 an alternative to SHA 3 SHA 2 and MD5 Archived from the original on 5 October 2016 Retrieved 27 January 2016 a b BLAKE2 blake2 net a b BLAKE2 official implementations GitHub Retrieved 7 July 2019 Aumasson Jean Philippe Neves Samuel Wilcox O Hearn Zooko Winnerlein Christian 2013 BLAKE2 simpler smaller fast as MD5 PDF Cryptology ePrint Archive IACR BLAKE2X PDF Saarinen M J Aumasson J P November 2015 The BLAKE2 Cryptographic Hash and Message Authentication Code MAC IETF doi 10 17487 RFC7693 RFC 7693 Retrieved 4 December 2015 About Chef Habitat docs chef io coreutils src blake2 github com librsync src blake2 github com WhatsApp Security Whitepaper PDF WinRAR archiver a powerful tool to process RAR and ZIP files rarsoft com Igor Pavlov s response to a user request for BLAKE3 support in 7 Zip sourceforge net rmlint rmlint 2 8 0 Maidenly Moose documentation rmlint readthedocs io WireGuard Next Generation Kernel Network Tunnel PDF work docs nano org signatures docs nano org key derivation docs nano org Autolykos The Ergo Platform PoW Puzzle PDF ergoplatform org Linux 5 17 Random Number Generator Seeing Speed Ups Switching From SHA1 To BLAKE2s www phoronix com Subscriber Signing Beckn BLAKE3 one function fast everywhere PDF GitHub An earlier version of Bao specified its own custom tree mode which eventually grew into BLAKE3 GitHub JPA and I announced BLAKE3 at the RWC lightning talks Hacker News a b BLAKE3 official implementations GitHub Retrieved 12 January 2020 This work is released into the public domain with CC0 1 0 Alternatively it is licensed under the Apache License 2 0 GitHub Aumasson Jean Philippe 2020 Too Much Crypto PDF Real World Crypto Symposium External links editThe BLAKE web site The BLAKE2 web site The BLAKE3 web site Retrieved from https en wikipedia org w index php title BLAKE hash function amp oldid 1199239394 BLAKE3, wikipedia, wiki, book, books, library,

article

, read, download, free, free download, mp3, video, mp4, 3gp, jpg, jpeg, gif, png, picture, music, song, movie, book, game, games.