Misplaced Pages

#566433

29-456: The BLAKE2 hash function, based on BLAKE, was announced in 2012. The BLAKE3 hash function, based on BLAKE2, was announced in 2020. BLAKE was submitted to the NIST hash function competition by Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan. In 2008, there were 51 entries. BLAKE made it to the final round consisting of five candidates but lost to Keccak in 2012, which

58-494: A binary tree structure, so it supports a practically unlimited degree of parallelism (both SIMD and multithreading) given long enough input. The official Rust and C implementations are dual-licensed as public domain ( CC0 ) and the Apache License . BLAKE3 is designed to be as fast as possible. It is consistently a few times faster than BLAKE2. The BLAKE3 compression function is closely based on that of BLAKE2s, with

87-503: A conference in late February 2009 where submitters presented their algorithms and NIST officials discussed criteria for narrowing down the field of candidates for Round 2. The list of 14 candidates accepted to Round 2 was published on July 24, 2009. Another conference was held on August 23–24, 2010 (after CRYPTO 2010) at the University of California, Santa Barbara , where the second-round candidates were discussed. The announcement of

116-427: A constant is used as a random seed, a large number of hash function candidates also exist for selection, such as SHA-1, SHA-256, SHA-384, SHA-512, SHA-512/256, SHA3-256, or SHA3-384. If there are enough adjustable parameters in the object selection procedure, combinatorial explosion ensures that the universe of possible design choices and of apparently simple constants can be large enough so that an automatic search of

145-696: A random oracle, etc. BLAKE2 removes addition of constants to message words from BLAKE round function, changes two rotation constants, simplifies padding, adds parameter block that is XOR'ed with initialization vectors, and reduces the number of rounds from 16 to 12 for BLAKE2b (successor of BLAKE-512), and from 14 to 10 for BLAKE2s (successor of BLAKE-256). BLAKE2 supports keying, salting, personalization, and hash tree modes, and can output digests from 1 up to 64 bytes for BLAKE2b, or up to 32 bytes for BLAKE2s. There are also parallel versions designed for increased performance on multi-core processors ; BLAKE2bp (4-way parallel) and BLAKE2sp (8-way parallel). BLAKE2X

174-406: A single bit causes each bit in the output to change with 50% probability, demonstrating an avalanche effect : (In this example 266 matching bits out of 512 is about 52% due to the random nature of the avalanche.) BLAKE2 is a cryptographic hash function based on BLAKE, created by Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn , and Christian Winnerlein. The design goal was to replace

203-431: A way that demonstrates the constants were not selected for a nefarious purpose, for example, to create a backdoor to the algorithm. These fears can be allayed by using numbers created in a way that leaves little room for adjustment. An example would be the use of initial digits from the number π as the constants. Using digits of π millions of places after the decimal point would not be considered trustworthy because

232-413: Is a cryptographic hash function based on Bao and BLAKE2, created by Jack O'Connor, Jean-Philippe Aumasson, Samuel Neves, and Zooko Wilcox-O'Hearn . It was announced on January 9, 2020, at Real World Crypto . BLAKE3 is a single algorithm with many desirable features (parallelism, XOF , KDF , PRF and MAC ), in contrast to BLAKE and BLAKE2, which are algorithm families with multiple variants. BLAKE3 has

261-416: Is a family of extendable-output functions (XOFs). Whereas BLAKE2 is limited to 64-byte digests, BLAKE2X allows for digests of up to 256 GiB. BLAKE2X is itself not an instance of a hash function, and must be based on an actual BLAKE2 instance. An example of a BLAKE2X instance could be BLAKE2Xb16MiB , which would be a BLAKE2X version based on BLAKE2b producing 16,777,216-byte digests (or exactly 16 MiB , hence

290-507: The ChaCha quarter-round function are: "BLAKE reuses the permutation of the ChaCha stream cipher with rotations done in the opposite directions. Some have suspected an advanced optimization, but in fact it originates from a typo in the original BLAKE specifications", Jean-Philippe Aumasson explains in his "Crypto Dictionary". The 64-bit version (which does not exist in ChaCha) is identical, but

319-930: The NIST's P curve constants led to concerns that the NSA had chosen values that gave them an advantage in finding private keys. Since then, many protocols and programs started to use Curve25519 as an alternative to NIST P-256 curve. Bernstein and coauthors demonstrate that use of nothing-up-my-sleeve numbers as the starting point in a complex procedure for generating cryptographic objects, such as elliptic curves, may not be sufficient to prevent insertion of back doors. For example, many candidates of seemingly harmless and "uninteresting" simple mathematical constants exist, such as π , e , Euler gamma , √2 , √3 , √5 , √7, log(2), (1 + √5)/2 , ζ(3) , ζ(5), sin(1), sin(2), cos(1), cos(2), tan(1), or tan(2). For these constants, there also exists several different binary representations to choose. If

SECTION 10

#1732791646567

348-744: The US National Institute of Standards and Technology (NIST) to develop a new hash function called SHA-3 to complement the older SHA-1 and SHA-2 . The competition was formally announced in the Federal Register on November 2, 2007. "NIST is initiating an effort to develop one or more additional hash algorithms through a public competition, similar to the development process for the Advanced Encryption Standard (AES)." The competition ended on October 2, 2012, when NIST announced that Keccak would be

377-481: The algorithm designer might have selected that starting point because it created a secret weakness the designer could later exploit—though even with natural-seeming selections, enough entropy exists in the possible choices that the utility of these numbers has been questioned . Digits in the positional representations of real numbers such as π , e , and irrational roots are believed to appear with equal frequency (see normal number ). Such numbers can be viewed as

406-475: The biggest difference being that the number of rounds is reduced from 10 to 7, a change based on the assumption that current cryptography is too conservative. In addition to providing parallelism, the Merkle tree format also allows for verified streaming (on-the-fly verifying) and incremental updates. NIST hash function competition The NIST hash function competition was an open competition held by

435-467: The competition by their submitters; they are considered broken according to the NIST official round one candidates web site. As such, they are withdrawn from the competition. Several submissions received by NIST were not accepted as first-round candidates, following an internal review by NIST. In general, NIST gave no details as to why each was rejected. NIST also has not given a comprehensive list of rejected algorithms; there are known to be 13, but only

464-410: The final round candidates occurred on December 10, 2010. On October 2, 2012, NIST announced its winner, choosing Keccak , created by Guido Bertoni, Joan Daemen, and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP. This is an incomplete list of known submissions. NIST selected 51 entries for round 1. 14 of them advanced to round 2, from which 5 finalists were selected. The winner

493-580: The final round. As noted in the announcement of the finalists, "none of these candidates was clearly broken". The following hash function submissions were accepted for round one but did not pass to round two. They have neither been conceded by the submitters nor have had substantial cryptographic weaknesses. However, most of them have some weaknesses in the design components, or performance issues. The following non-conceded round one entrants have had substantial cryptographic weaknesses announced: The following round one entrants have been officially retracted from

522-536: The first 64 bits of the fractional parts of the positive square roots of the first eight prime numbers. Pseudocode for the BLAKE2b algorithm. The BLAKE2b algorithm uses 8-byte (UInt64) words, and 128-byte chunks. The Compress function takes a full 128-byte chunk of the input message and mixes it into the ongoing state array: The Mix function is called by the Compress function, and mixes two 8-byte words from

551-424: The following are public. Nothing-up-my-sleeve number In cryptography , nothing-up-my-sleeve numbers are any numbers which, by their construction, are above suspicion of hidden properties. They are used in creating cryptographic functions such as hashes and ciphers . These algorithms often need randomized constants for mixing or initialization purposes. The cryptographer may wish to pick these values in

580-409: The fractional part of π ), and a table of 10 16-element permutations: The core operation, equivalent to ChaCha's quarter round, operates on a 4-word column or diagonal a b c d , which is combined with 2 words of message m[] and two constant words n[] . It is performed 8 times per full round: In the above, r is the round number (0–13), and i varies from 0 to 7. The differences from

609-408: The message into the hash state. In most implementations this function would be written inline, or as an inlined function. Hash values of an empty string: Changing a single bit causes each bit in the output to change with 50% probability, demonstrating an avalanche effect : In addition to the reference implementation, the following cryptography libraries provide implementations of BLAKE2: BLAKE3

SECTION 20

#1732791646567

638-496: The name of such an instance). BLAKE2b and BLAKE2s are specified in RFC 7693. Optional features using the parameter block (salting, personalized hashes, tree hashing, et cetera), are not specified, and thus neither is support for BLAKE2bp, BLAKE2sp, or BLAKE2X. BLAKE2b uses an initialization vector that is the same as the IV used by SHA-512. These values are transparently obtained by taking

667-565: The new SHA-3 hash algorithm. The winning hash function has been published as NIST FIPS 202 the "SHA-3 Standard", to complement FIPS 180-4, the Secure Hash Standard . The NIST competition has inspired other competitions such as the Password Hashing Competition . Submissions were due October 31, 2008 and the list of candidates accepted for the first round was published on December 9, 2008. NIST held

696-413: The opposite extreme of Chaitin–Kolmogorov random numbers in that they appear random but have very low information entropy . Their use is motivated by early controversy over the U.S. Government's 1975 Data Encryption Standard , which came under criticism because no explanation was supplied for the constants used in its S-box (though they were later found to have been carefully selected to protect against

725-455: The rotation amounts are 32, 25, 16 and 11, respectively, and the number of rounds is increased to 16. Throughout the NIST hash function competition, entrants are permitted to "tweak" their algorithms to address issues that are discovered. Changes that have been made to BLAKE are: the number of rounds was increased from 10/14 to 14/16. This is to be more conservative about security while still being fast. Hash values of an empty string: Changing

754-501: The then-classified technique of differential cryptanalysis ). Thus a need was felt for a more transparent way to generate constants used in cryptography. "Nothing up my sleeve" is a phrase associated with magicians , who sometimes preface a magic trick by holding open their sleeves to show they have no objects hidden inside. Although not directly related, after the backdoor in Dual_EC_DRBG had been exposed, suspicious aspects of

783-554: The widely used, but broken, MD5 and SHA-1 algorithms in applications requiring high performance in software. BLAKE2 was announced on December 21, 2012. A reference implementation is available under CC0 , the OpenSSL License , and the Apache License 2.0 . BLAKE2b is faster than MD5, SHA-1, SHA-2, and SHA-3, on 64-bit x86-64 and ARM architectures. BLAKE2 provides better security than SHA-2 and similar to that of SHA-3: immunity to length extension , indifferentiability from

812-407: Was announced to be Keccak on October 2, 2012. NIST selected five SHA-3 candidate algorithms to advance to the third (and final) round: NIST noted some factors that figured into its selection as it announced the finalists: NIST has released a report explaining its evaluation algorithm-by-algorithm. The following hash function submissions were accepted for round two, but did not make it to

841-510: Was selected for the SHA-3 algorithm. Like SHA-2 , BLAKE comes in two variants: one that uses 32-bit words, used for computing hashes up to 256 bits long, and one that uses 64-bit words, used for computing hashes up to 512 bits long. The core block transformation combines 16 words of input with 16 working variables, but only 8 words (256 or 512 bits) are preserved between blocks. It uses a table of 16 constant words (the leading 512 or 1024 bits of

#566433