Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [blake3]

BLAKE3 is an evolution of the BLAKE2 cryptographic hash that is both faster and also more consistently fast across different platforms and input sizes.

BLAKE3 is an evolution of the BLAKE2 cryptographic hash that is both faster and also more consistently fast across different platforms and input sizes. It supports an unbounded degree of parallelism, using a tree structure that scales up to any number of SIMD lanes and CPU cores.

BLAKE3 is a cryptographic hash function that is:

  • Much faster than MD5, SHA-1, SHA-2, SHA-3, and BLAKE2.
  • Secure, unlike MD5 and SHA-1. And secure against length extension, unlike SHA-2.
  • Highly parallelizable across any number of threads and SIMD lanes, because it's a Merkle tree on the inside.
  • Capable of verified streaming and incremental updates, again because it's a Merkle tree.
  • A PRF, MAC, KDF, and XOF, as well as a regular hash.
  • One algorithm with no variants, which is fast on x86-64 and also on smaller architectures.

BLAKE3 is based on an optimized instance of the established hash function BLAKE2 and on the original Bao tree mode. The specifications and design rationale are available in the BLAKE3 paper. The default output size is 256 bits. The current version of Bao implements verified streaming with BLAKE3.

BLAKE3 website // BLAKE3 paper

12 questions
5
votes
1 answer

Can I get a Merkle proof out of blake3?

The overview of Blake3 states that Blake3 is internally a Merkle tree. Diving a bit deeper into the paper one finds out that Blake3 splits its input in chunks of 1 KiB (1024 B), organizing chunks in a binary tree whose root is used as the Blake3…
Matteo Monti
  • 1,477
  • 2
  • 14
  • 19
4
votes
1 answer

Post quantum security of the BLAKE family

Is there any proof that BLAKE (including 2 and 3) is post-quantum secure? We know that as Merkle–Damgård (with proper padding) preserves collapse sha2 is post-quantum secure. I know that the sponge-based winner of the sha3 competition does not have…
augustus
  • 97
  • 4
4
votes
2 answers

How to correctly use KMAC for password stretching with PBKDF2?

Looking at NIST SP 800-108 and NIST SP 800-132 it is not clear to me how to best use Keccak properties for PBKDF2. As in how to implement iteration counts and password stretching similar in goals of PBKDF2 but when underlying PRF is a sponge…
Dima
  • 161
  • 3
2
votes
1 answer

Can Blake2 be a replacement for double SHA-256?

Is it a good choice to drop double SHA-256 and use straight Blake2 in a Bitcoin-like blockchain (more POS oriented so it's not a mining problem)? I'm talking about Blake2 because I've read more about it than Blake3, so this question may even…
Not Important
  • 123
  • 5
2
votes
1 answer

blake3 keyed hash compression output xor'ed with key secure?

I'm currently trying to write the blake3 algorithm in JS using the official whitepaper or what it's called. If I understand correctly then... after the 7 round keyed permutation (at the end of the compression function) the first half of the output…
slee69
  • 25
  • 3
1
vote
2 answers

Does the Blake3 hash have identities, due to its merkle tree structure?

I've read that the Blake3 hash uses a Merkle Tree. Does it follow that there are identities such as: b3sum("This is ") xor b3sum("a test.") == b3sum("This is a test.") The example above does not work, perhaps because the block size is not eight…
fadedbee
  • 968
  • 1
  • 11
  • 31
1
vote
1 answer

BLAKE3 for Block and Stream ciphers?

When assuming the following idea for ciphers: For a block cipher, a 4-round balanced Feistel network where the PRF is BLAKE3 and the key schedule is: input key, input key with every odd bit flipped, input key with every even bit flipped, input key…
user115528
  • 11
  • 2
1
vote
0 answers

Would this 3AES-192 scheme achieve 384-bit key security with just a 384-bit key?

For starters, I don't need any don't-roll-your-crypto stuff. We're discussing a hypothetical. So the idea is 3DES needs 3x the key size and achieves only 2x key size bit security. So using the 3x keyspace is essential for achieving the 2x bit…
Bobboidsquoomy
  • 11
  • 1
0
votes
0 answers

Adding salt to Blake3 Key derive function

According to the whitepaper, Blake3 can be used as a key derivation function (function key_derive). Currently, as a key derivation function, I used Rust's Hkdf:: which takes as input the master key and salt. Adding salt allows to ensure that…
Ziva
  • 235
  • 1
  • 7
0
votes
1 answer

Using platform-level RNGs for key derivation with hash functions like BLAKE3?

So I've read stack overflow questions like this one. What I'm wondering is a bit more specific though: I'm really liking what I'm seeing with BLAKE3. (I suspect that this hash function is relatively unknown, though that's not surprising given its…
Ethin
  • 33
  • 5
0
votes
1 answer

Which is faster, PRF based on AES-CTR and PRF based on BLAKE{2,3}?

Recently Blake3 has been announced, which can be used as PRF. I'm wondering which PRF is faster, namely PRF based on Blake3 or the one based on AES-CTR?
user9414424
  • 257
  • 1
  • 6
0
votes
1 answer

How good is blake3 compared to a random oracle?

How good is blake3 for generating pseudo-random bitstrings in comparison to a random oracle? Let's say we generated an arbitrarily long pseudo-random bitstring by concatenating blake3 hashes together in the following manner: blake3(seed) ||…
TypicalHog
  • 133
  • 9