blake3 keyed hash compression output xor'ed with key secure?

Question

I'm currently trying to write the blake3 algorithm in JS using the official whitepaper or what it's called.

If I understand correctly then... after the 7 round keyed permutation (at the end of the compression function) the first half of the output values is then xor'ed with the latter half to get the NEW first half. And the latter half is xor'ed with "h0... h7", which AFAIK are the chaining values or the key from the state.

Now, if I only had one block and would hash it in keyed_hash mode, then at the end of the compression function, the last 8 values of the output block would be my key but xor'ed with the compressed values right? And that'd be basically the hash then. Feels a bit unsecure if I'm honest. Could this potentially reveal anything about the key? Especially when it comes to authenticated encryption?

score 2 · Accepted Answer · answered Jan 10 '23 at 00:27

That xor is what makes it secure. Without it, you could invert the compression function and directly obtain the key.

Instead, that xor prevents inversion in the same way as the Davies-Meyer construction does. If the compression function is good enough such that its output is indistinguishable from random when keyed, xoring the key at the end gives you no useful information about it.

This has been independently shown to be secure in the specific case of BLAKE3, under the assumption that the underlying block cipher is ideal.

blake3 keyed hash compression output xor'ed with key secure?

1 Answers1