Analysis of BLAKE2

We present a thorough security analysis of the hash function family BLAKE2, a recently proposed, and already deployed, tweaked version of the SHA-3 finalist BLAKE. We study how existing attacks on BLAKE apply to BLAKE2 and to what extent the modifications affect those attacks. We design and run two improved searches for (impossible) differential attacks. The outcomes suggest a higher number of attacked rounds in the case of impossible differentials (in fact we improve the best results for BLAKE as well), and a slightly higher number for the differential attacks on the hash/compression function (which gives an insight into the quality of the tweaks). We emphasize the importance of each of the modifications; in particular, we show that an improper initialization could lead to collisions and near-collisions for the full-round compression function. We analyze the permutation of the new hash function and give rotational attacks and internal differentials for the whole design. We conclude that the tweaks in BLAKE2 were chosen properly and that, despite weaknesses in the theoretical attack frameworks of permutations and of fully-chosen-state-input compression functions, the hash function of BLAKE2 has only a slightly lower (in terms of attacked rounds) security margin than BLAKE.
