This page uses content from Wikipedia and is licensed under CC BY-SA.

General | |
---|---|

Designers | Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael C.-W. Phan |

Successors | BLAKE2 |

Certification | SHA-3 finalist |

Detail | |

Digest sizes | 224, 256, 384 or 512 bits |

Structure | HAIFA construction |

Rounds | 14 or 16 |

Speed | 8.4 cpb on Core 2 for BLAKE-256; 7.8 cpb for BLAKE-512 |

**BLAKE** and **BLAKE2** are cryptographic hash functions based on Dan Bernstein's ChaCha stream cipher, but a permuted copy of the input block, XORed with some round constants, is added before each ChaCha round. Like SHA-2, there are two variants differing in the word size. ChaCha operates on a 4×4 array of words. BLAKE repeatedly combines an 8-word hash value with 16 message words, truncating the ChaCha result to obtain the next hash value. **BLAKE-256** and **BLAKE-224** use 32-bit words and produce digest sizes of 256 bits and 224 bits, respectively, while **BLAKE-512** and **BLAKE-384** use 64-bit words and produce digest sizes of 512 bits and 384 bits, respectively.^{[1]}. When run on 64-bit x64 and ARM architectures, BLAKE2b is faster than SHA-3, SHA-2, SHA-1, and MD5.^{[2]}

BLAKE was submitted to the NIST hash function competition by Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan. In 2008, there were 51 entries. BLAKE made it to the final round consisting of five candidate but lost to *Keccak* in 2012, which was selected for the SHA-3 algorithm.

Like SHA-2, BLAKE comes in two variants: one that uses 32-bit words, used for computing hashes up to 256 bits long, and one that uses 64-bit words, used for computing hashes up to 512 bits long. The core block transformation combines 16 words of input with 16 working variables, but only 8 words (256 or 512 bits) are preserved between blocks.

It uses a table of 16 constant words (the leading 512 or 1024 bits of the fractional part of π), and a table of 10 16-element permutations:

σ[0] = 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 σ[1] = 14 10 4 8 9 15 13 6 1 12 0 2 11 7 5 3 σ[2] = 11 8 12 0 5 2 15 13 10 14 3 6 7 1 9 4 σ[3] = 7 9 3 1 13 12 11 14 2 6 5 10 4 0 15 8 σ[4] = 9 0 5 7 2 4 10 15 14 1 11 12 6 8 3 13 σ[5] = 2 12 6 10 0 11 8 3 4 13 7 5 15 14 1 9 σ[6] = 12 5 1 15 14 13 4 10 0 7 6 3 9 2 8 11 σ[7] = 13 11 7 14 12 1 3 9 5 0 15 4 8 6 2 10 σ[8] = 6 15 14 9 11 3 0 8 12 2 13 7 1 4 10 5 σ[9] = 10 2 8 4 7 6 1 5 15 11 9 14 3 12 13 0

The core operation, equivalent to ChaCha's quarter round, operates on a 4-word column or diagonal `a b c d`

, which is combined with 2 words of message `m[]`

and two constant words `n[]`

. It is performed 8 times per full round:

j ← σ[r%10][2×i] // Index computations k ← σ[r%10][2×i+1] a ← a + b + (m[j] ⊕ n[k]) // Step 1 (with input) d ← (d ⊕ a) >>> 16 c ← c + d // Step 2 (no input) b ← (b ⊕ c) >>> 12 a ← a + b + (m[k] ⊕ n[j]) // Step 3 (with input) d ← (d ⊕ a) >>> 8 c ← c + d // Step 4 (no input) b ← (b ⊕ c) >>> 7

In the above, `r`

is the round number (0–13), and `i`

varies from 0 to 7.

The differences from the ChaCha quarter-round function are:

- The addition of the message words has been added.
- The rotation directions have been reversed.

The 64-bit version (which does not exist in ChaCha) is identical, but the rotation amounts are 32, 25, 16 and 11, respectively, and the number of rounds is increased to 16.

Throughout the NIST hash function competition, entrants are permitted to "tweak" their algorithms to address issues that are discovered. Changes that have been made to BLAKE are: the number of rounds was increased from 10/14 to 14/16. This is to be more conservative about security while still being fast.

BLAKE-512("") = A8CFBBD73726062DF0C6864DDA65DEFE58EF0CC52A5625090FA17601E1EECD1B 628E94F396AE402A00ACC9EAB77B4D4C2E852AAAA25A636D80AF3FC7913EF5B8

BLAKE-512("The quick brown fox jumps over the lazy dog") = 1F7E26F63B6AD25A0896FD978FD050A1766391D2FD0471A77AFB975E5034B7AD 2D9CCF8DFB47ABBBE656E1B82FBC634BA42CE186E8DC5E1CE09A885D41F43451

General | |
---|---|

Designers | Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, Christian Winnerlein |

Derived from | BLAKE |

Detail | |

Digest sizes | up to 64 bytes (BLAKE2b); up to 32 bytes (BLAKE2s); arbitrary (BLAKE2X) |

Rounds | 10 or 12 |

Speed |
3.5 cpb on Core i5 (Ivy Bridge) for BLAKE2b^{[3]} |

An improved version of BLAKE called BLAKE2 was announced in December 21, 2012. It was created by Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian Winnerlein with the goal to replace widely used, but broken MD5 and SHA-1 algorithms.^{[4]} The reference implementation code was released under CC0.^{[2]}

BLAKE2 removes addition of constants to message words from BLAKE round function, changes two rotation constants, simplifies padding, adds parameter block that is XOR'ed with initialization vectors, and reduces the number of rounds from 16 to 12 for **BLAKE2b** (successor of BLAKE-512), and from 14 to 10 for **BLAKE2s** (successor of BLAKE-256).

BLAKE2 supports keying, salting, personalization, and hash tree modes, and can output digests from 1 up to 64 bytes for BLAKE2b or up to 32 bytes for BLAKE2s. There are also parallel versions designed for increased performance on multi-core processors; **BLAKE2bp** (4-way parallel) and **BLAKE2sp** (8-way parallel).

There is an "Extendable-Output Function" (XOF) variant of BLAKE2 called "BLAKE2X", which is able to output a very large number of random bits (instead of just 256 or 512).^{[5]}

BLAKE2b uses an initialization vector that is the same as the IV used by SHA-512. These values are obtained by taking the first 64 bits of the fractional parts of the square roots of the first eight prime numbers.

IV_{0}= 0x6A09E667F3BCC908 //Frac(Sqrt(2)) IV_{1}= 0xBB67AE8584CAA73B //Frac(Sqrt(3)) IV_{2}= 0x3C6EF372FE94F82B //Frac(Sqrt(5)) IV_{3}= 0xA54FF53A5F1D36F1 //Frac(Sqrt(7)) IV_{4}= 0x510E527FADE682D1 //Frac(Sqrt(11)) IV_{5}= 0x9B05688C2B3E6C1F //Frac(Sqrt(13)) IV_{6}= 0x1F83D9ABFB41BD6B //Frac(Sqrt(17)) IV_{7}= 0x5BE0CD19137E2179 //Frac(Sqrt(19))

Pseudocode for the BLAKE2b algorithm. The BLAKE2b algorithm uses 8-byte (UInt64) words, and 128-byte chunks.^{[citation needed]}

AlgorithmBLAKE2bInput:MMessage to be hashedcbMessageLen: Number, (0..2^{128})Length of the message in bytesKeyOptional 0..64 byte keycbKeyLen: Number, (0..64)Length of optional key in bytescbHashLen: Number, (1..64)Desired hash length in bytesOutput:HashHash of cbHashLen bytesInitialize State vectorhhwithIV_{0..7}← IV_{0..7}Mix key size (cbKeyLen) and desired hash length (cbHashLen) into hh_{0}_{0}← h_{0}xor 0x0101kknnwherekkis Key Length (in bytes)nnis Desired Hash Length (in bytes)Each time we Compress we record how many bytes have been compressedcBytesCompressed ← 0 cBytesRemaining ← cbMessageLenIf there was a key supplied (i.e. cbKeyLen > 0)then pad with trailing zeros to make it 128-bytes (i.e. 16 words) and prepend it to the messageMif(cbKeyLen > 0)thenM ← Pad(Key, 128) || M cBytesRemaining ← cBytesRemaining + 128end ifCompress whole 128-byte chunks of the message, except the last chunkwhile(cBytesRemaining > 128)dochunk ← get next 128 bytes of messageMcBytesCompressed ← cBytesCompressed + 128increase count of bytes that have been compressedcBytesRemaining ← cBytesRemaining - 128decrease count of bytes inh ← Compress(h, chunk, cBytesCompressed, false)Mremaining to be processedfalse ⇒ this is not the last chunkend whileCompress the final bytes fromchunk ← get next 128 bytes of messageMMWe will get cBytesRemaining bytes (i.e. 0..128 bytes)cBytesCompressed ← cBytesCompressed+cBytesRemainingThe actual number of bytes leftover inchunk ← Pad(chunk, 128)MIfh ← Compress(h, chunk, cBytesCompressed, true)Mwas empty, then we will still compress a final chunk of zerostrue ⇒ this is the last chunkResult← first cbHashLen bytes of little endian state vector hEnd AlgorithmBLAKE2b

The **Compress** function takes a full 128-byte chunk of the input message and mixes it into the ongoing state array:

FunctionCompressInput:hPersistent state vectorchunk128-byte (16 double word) chunk of message to compresst: Number, 0..2^{128}Count of bytes that have been fed into the CompressionIsLastBlock: BooleanIndicates if this is the final round of compressionOutput:hUpdated persistent state vectorSetup local work vector VV_{0..7}← h_{0..7}First eight items are copied from persistent state vectorVh_{8..15}← IV_{0..7}Remaining eight items are initialized from theIVMix the 128-bit counterVtinto V_{12}:V_{13}_{12}← V_{12}xorLo(t)Lo 64-bits of UInt128Vt_{13}← V_{13}xorHi(t)Hi 64-bits of UInt128tIf this is the last block then invert all the bits in V_{14}ifIsLastBlockthenV_{14}← V_{14}xor0xFFFFFFFFFFFFFFFFTreat each 128-byte messagemchunkas sixteen 8-byte (64-bit) wordsm_{0..15}← chunkTwelve rounds of cryptographic message mixingforifrom0to11doSelect message mixing schedule for this round.BLAKE2b uses 12 rounds, while SIGMA has only 10 entries. S_{0..15}← SIGMA[imod10]Rounds 10 and 11 use SIGMA[0] and SIGMA[1] respectivelyMix(V_{0}, V_{4}, V_{8}, V_{12}, m[S_{0}], m[S_{1}]) Mix(V_{1}, V_{5}, V_{9}, V_{13}, m[S_{2}], m[S_{3}]) Mix(V_{2}, V_{6}, V_{10}, V_{14}, m[S_{4}], m[S_{5}]) Mix(V_{3}, V_{7}, V_{11}, V_{15}, m[S_{6}], m[S_{7}]) Mix(V_{0}, V_{5}, V_{10}, V_{15}, m[S_{8}], m[S_{9}]) Mix(V_{1}, V_{6}, V_{11}, V_{12}, m[S_{10}], m[S_{11}]) Mix(V_{2}, V_{7}, V_{8}, V_{13}, m[S_{12}], m[S_{13}]) Mix(V_{3}, V_{4}, V_{9}, V_{14}, m[S_{14}], m[S_{15}])end forMix the upper and lower halves of V into ongoing state vector hh_{0..7}← h_{0..7}xorV_{0..7}h_{0..7}← h_{0..7}xorV_{8..15}Result← hEnd FunctionCompress

The **Mix** function is called by the **Compress** function, and mixes two 8-byte words from the message into the hash state. In most implementations this function would be written inline, or as an inlined function.

FunctionMixInputs:V_{a}, V_{b}, V_{c}, V_{d}four 8-byte word entries from the work vector Vx, ytwo 8-byte word entries from padded message mOutput:V_{a}, V_{b}, V_{c}, V_{d}the modified versions of VV_{a}, V_{b}, V_{c}, V_{d}_{a}← V_{a}+ V_{b}+ xwith inputV_{d}← (V_{d}xorV_{a})rotateright32 V_{c}← V_{c}+ V_{d}no inputV_{b}← (V_{b}xorV_{c})rotateright24 V_{a}← V_{a}+ V_{b}+ ywith inputV_{d}← (V_{d}xorV_{a})rotateright16 V_{c}← V_{c}+ V_{d}no inputV_{b}← (V_{b}xorV_{c})rotateright63Result← V_{a}, V_{b}, V_{c}, V_{d}End AlgorithmMix

BLAKE2b-512("") = 786A02F742015903C6C6FD852552D272912F4740E15847618A86E217F71F5419 D25E1031AFEE585313896444934EB04B903A685B1448B755D56F701AFE9BE2CE

BLAKE2b-512("The quick brown fox jumps over the lazy dog") = A8ADD4BDDDFD93E4877D2746E62817B116364A1FA7BC148D95090BC7333B3673 F82401CF7AA2E4CB1ECD90296E3F14CB5413F8ED77BE73045B13914CDCD6A918

- GNU Core Utilities implements BLAKE2 in its b2sum command
- Argon2, the winner of the Password Hashing Competition uses BLAKE2
- Noise (cryptographic protocol), which is used in WhatsApp includes BLAKE2 as an option.
^{[6]} - RAR file archive format version 5 supports an optional 256-bit BLAKE2sp file checksum instead of the default 32-bit CRC32; it was implemented in WinRAR v5+
^{[7]} - librsync uses BLAKE2
- Chef's Habitat deployment system uses BLAKE2 for package signing
^{[8]} - Several crypto libraries, including OpenSSL, Crypto++, libsodium, Botan, and Bouncy Castle include BLAKE2
- Zcash, a cryptocurrency, uses BLAKE2b in the Equihash proof of work, and as a key derivation function
- FreeBSD Ports package management tool uses BLAKE2b

**^**Saarinen, M-J; Aumasson, J-P (November 2015).*The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)*. IETF. doi:10.17487/RFC7693. RFC 7693. [tools.ietf.org]. Retrieved 4 December 2015.- ^
^{a}^{b}"BLAKE2".*blake2.net*. **^**"BLAKE2 – an alternative to MD5/SHA-1".**^**O'Whielacronx, Zooko (21 December 2012). "introducing BLAKE2 – an alternative to SHA-3, SHA-2 and MD5".**^**"BLAKE2X" (PDF).**^**"WhatsApp Security Whitepaper" (PDF).**^**"WinRAR archiver, a powerful tool to process RAR and ZIP files".*rarsoft.com*.**^**Habitat Internals: Cryptography

- The BLAKE web site
- The BLAKE2 web site
- VHDL source code developed by the Cryptographic Engineering Research Group (CERG) at George Mason University