The Hash Function BLAKE

This is a comprehensive description of the cryptographic hash function BLAKE, one of the five final contenders in the NIST SHA3 competition, and of BLAKE2, an improved version popular among developers. It describes how BLAKE was designed and why BLAKE2 was developed, and it offers guidelines on implementing and using BLAKE, with a focus on software implementation.

In the first two chapters, the authors offer a short introduction to cryptographic hashing, the SHA3 competition, and BLAKE. They review applications of cryptographic hashing, describe basic notions such as security definitions and state-of-the-art collision search methods, and present SHA1, SHA2, and the SHA3 finalists.

In the chapters that follow, the authors give a complete description of the four instances BLAKE-256, BLAKE-512, BLAKE-224, and BLAKE-384; describe applications of BLAKE, including simple hashing with or without a salt, and HMAC and PBKDF2 constructions; review implementation techniques, from portable C and Python to AVR assembly and vectorized code using SIMD CPU instructions; describe BLAKE's properties with respect to hardware design for implementation in ASICs or FPGAs; explain BLAKE's design rationale in detail, from NIST's requirements to the choice of internal parameters; summarize the known security properties of BLAKE and describe the best attacks on reduced or modified variants; and present BLAKE2, the successor of BLAKE, starting with motivations and also covering its performance and security aspects.

The book concludes with detailed test vectors, a reference portable C implementation of BLAKE, and a list of third-party software implementations of BLAKE and BLAKE2. The book is oriented towards practical engineering and craftsmanship rather than theory. It is suitable for developers, engineers, and security professionals engaged with BLAKE and cryptographic hashing in general, and for applied cryptography researchers and students who need a consolidated reference and a detailed description of the design process, or guidelines on how to design a cryptographic algorithm.
