BLAKE (hash function)

BLAKE is a cryptographic hash function based on Daniel J. Bernstein's ChaCha stream cipher, but a permuted copy of the input block, XORed with round constants, is added before each ChaCha round. Like SHA-2, there are two variants differing in the word size. ChaCha operates on a 4×4 array of words. BLAKE repeatedly combines an 8-word hash value with 16 message words, truncating the ChaCha result to obtain the next hash value. BLAKE-256 and BLAKE-224 use 32-bit words and produce digest sizes of 256 bits and 224 bits, respectively, while BLAKE-512 and BLAKE-384 use 64-bit words and produce digest sizes of 512 bits and 384 bits, respectively.
The BLAKE2 hash function, based on BLAKE, was announced in 2012. The BLAKE3 hash function, based on BLAKE2, was announced in 2020.

History

BLAKE was submitted to the NIST hash function competition by Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan. In 2008, there were 51 entries. BLAKE made it to the final round consisting of five candidates but lost to Keccak in 2012, which was selected for the SHA-3 algorithm.

Algorithm

Like SHA-2, BLAKE comes in two variants: one that uses 32-bit words, used for computing hashes up to 256 bits long, and one that uses 64-bit words, used for computing hashes up to 512 bits long. The core block transformation combines 16 words of input with 16 working variables, but only 8 words are preserved between blocks.
It uses a table of 16 constant words, and a table of 10 16-element permutations:
σ = 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
σ = 14 10 4 8 9 15 13 6 1 12 0 2 11 7 5 3
σ = 11 8 12 0 5 2 15 13 10 14 3 6 7 1 9 4
σ = 7 9 3 1 13 12 11 14 2 6 5 10 4 0 15 8
σ = 9 0 5 7 2 4 10 15 14 1 11 12 6 8 3 13
σ = 2 12 6 10 0 11 8 3 4 13 7 5 15 14 1 9
σ = 12 5 1 15 14 13 4 10 0 7 6 3 9 2 8 11
σ = 13 11 7 14 12 1 3 9 5 0 15 4 8 6 2 10
σ = 6 15 14 9 11 3 0 8 12 2 13 7 1 4 10 5
σ = 10 2 8 4 7 6 1 5 15 11 9 14 3 12 13 0
The core operation, equivalent to ChaCha's quarter round, operates on a 4-word column or diagonal a b c d, which is combined with 2 words of message m and two constant words n. It is performed 8 times per full round:
j ← σ // Index computations
k ← σ
a ← a + b + // Step 1
d ← >>> 16
c ← c + d // Step 2
b ← >>> 12
a ← a + b + // Step 3
d ← >>> 8
c ← c + d // Step 4
b ← >>> 7
In the above, r is the round number, and i varies from 0 to 7.
The differences from the ChaCha quarter-round function are:

The addition of the message words has been added.
The rotation directions have been reversed.

"BLAKE reuses the permutation of the ChaCha stream cipher with rotations done in the opposite directions. Some have suspected an advanced optimization, but in fact it originates from a typo in the original BLAKE specifications", Jean-Philippe Aumasson explains in his "Crypto Dictionary".
The 64-bit version is identical, but the rotation amounts are 32, 25, 16 and 11, respectively, and the number of rounds is increased to 16.

Tweaks

Throughout the NIST hash function competition, entrants are permitted to "tweak" their algorithms to address issues that are discovered. Changes that have been made to BLAKE are: the number of rounds was increased from 10/14 to 14/16. This is to be more conservative about security while still being fast.

Example digests

Hash values of an empty string:
=
7dc5313b1c04512a174bd6503b89607aecbee0903d40a8a569c94eed
=
716f6e863f744b9ac22c97ec7b76ea5f5908bc5b2f67c61510bfc4751384ea7a
=
c6cbd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706
=
a8cfbbd73726062df0c6864dda65defe58ef0cc52a5625090fa17601e1eecd1b628e94f396ae402a00acc9eab77b4d4c2e852aaaa25a636d80af3fc7913ef5b8
Changing a single bit causes each bit in the output to change with 50% probability, demonstrating an avalanche effect:
=
1f7e26f63b6ad25a0896fd978fd050a1766391d2fd0471a77afb975e5034b7ad2d9ccf8dfb47abbbe656e1b82fbc634ba42ce186e8dc5e1ce09a885d41f43451
=
a701c2a1f9baabd8b1db6b75aee096900276f0b86dc15d247ecc03937b370324a16a4ffc0c3a85cd63229cfa15c15f4ba6d46ae2e849ed6335e9ff43b764198a

BLAKE2

BLAKE2 is a cryptographic hash function based on BLAKE, created by Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian Winnerlein. The design goal was to replace the widely used, but broken, MD5 and SHA-1 algorithms in applications requiring high performance in software. BLAKE2 was announced on December 21, 2012. A reference implementation is available under CC0, the OpenSSL License, and the Apache License 2.0.
BLAKE2b is faster than MD5, SHA-1, SHA-2, and SHA-3, on 64-bit x86-64 and ARM architectures. Its creators state that BLAKE2 provides better security than SHA-2 and similar to that of SHA-3: immunity to length extension, indifferentiability from a random oracle, etc.
BLAKE2 removes addition of constants to message words from BLAKE round function, changes two rotation constants, simplifies padding, adds parameter block that is XOR'ed with initialization vectors, and reduces the number of rounds from 16 to 12 for BLAKE2b, and from 14 to 10 for BLAKE2s.
BLAKE2 supports keying, salting, personalization, and hash tree modes, and can output digests from 1 up to 64 bytes for BLAKE2b, or up to 32 bytes for BLAKE2s. There are also parallel versions designed for increased performance on multi-core processors; BLAKE2bp and BLAKE2sp.
BLAKE2X is a family of extendable-output functions. Whereas BLAKE2 is limited to 64-byte digests, BLAKE2X allows for digests of up to 256 GiB. BLAKE2X is itself not an instance of a hash function, and must be based on an actual BLAKE2 instance. An example of a BLAKE2X instance could be BLAKE2Xb16MiB, which would be a BLAKE2X version based on BLAKE2b producing 16,777,216-byte digests.
BLAKE2b and BLAKE2s are specified in RFC 7693. Optional features using the parameter block, are not specified, and thus neither is support for BLAKE2bp, BLAKE2sp, or BLAKE2X.

Initialization vector

BLAKE2b uses an initialization vector that is the same as the IV used by SHA-512. These values are transparently obtained by taking the first 64 bits of the fractional parts of the positive square roots of the first eight prime numbers.
IV₀ = 0x6a09e667f3bcc908 // Frac
IV₁ = 0xbb67ae8584caa73b // Frac
IV₂ = 0x3c6ef372fe94f82b // Frac
IV₃ = 0xa54ff53a5f1d36f1 // Frac
IV₄ = 0x510e527fade682d1 // Frac
IV₅ = 0x9b05688c2b3e6c1f // Frac
IV₆ = 0x1f83d9abfb41bd6b // Frac
IV₇ = 0x5be0cd19137e2179 // Frac

BLAKE2b algorithm

for the BLAKE2b algorithm. The BLAKE2b algorithm uses 8-byte words, and 128-byte chunks.
Algorithm BLAKE2b
Input:
M Message to be hashed
cbMessageLen: Number, Length of the message in bytes
Key Optional 0..64 byte key
cbKeyLen: Number, Length of optional key in bytes
cbHashLen: Number, Desired hash length in bytes
Output:
Hash Hash of cbHashLen bytes
Initialize State vector h with IV
h_0..7 ← IV_0..7
Mix key size and desired hash length into h₀
h₀ ← h₀ xor 0x0101kknn
where kk is Key Length
nn is Desired Hash Length
Each time we Compress we record how many bytes have been compressed
cBytesCompressed ← 0
cBytesRemaining ← cbMessageLen
If there was a key supplied
then pad with trailing zeros to make it 128-bytes
and prepend it to the message M
if then
M ← Pad || M
cBytesRemaining ← cBytesRemaining + 128
end if
Compress whole 128-byte chunks of the message, except the last chunk
while do
chunk ← get next 128 bytes of message M
cBytesCompressed ← cBytesCompressed + 128 increase count of bytes that have been compressed
cBytesRemaining ← cBytesRemaining - 128 decrease count of bytes in M remaining to be processed
h ← Compress false ⇒ this is not the last chunk
end while
Compress the final bytes from M
chunk ← get next 128 bytes of message M' We will get cBytesRemaining bytes
cBytesCompressed ← cBytesCompressed+cBytesRemaining The actual number of bytes leftover in M
chunk ← Pad If M' was empty, then we will still compress a final chunk of zeros
h ← Compress true ⇒ this is the last chunk
Result ← first cbHashLen bytes of little endian state vector h
End Algorithm BLAKE2b