Cryptology ePrint Archive: Report 2013/467

Analysis of BLAKE2

Jian Guo and Pierre Karpman and Ivica Nikolic and Lei Wang and Shuang Wu

Abstract: We present a thorough security analysis of the hash function family BLAKE2, a recently proposed and already-in-use tweaked version of the SHA-3 finalist BLAKE. We study how existing attacks on BLAKE apply to BLAKE2 and to what extent the modifications impact the attacks. We design and run two improved searches for (impossible) differential attacks — the outcomes suggest a higher number of attacked rounds in the case of impossible differentials (in fact we improve the best results for BLAKE as well), and a slightly higher number for the differential attacks on the hash/compression function (which gives an insight into the quality of the tweaks). We emphasize the importance of each of the modifications; in particular, we show that an improper initialization could lead to collisions and near-collisions for the full-round compression function. We analyze the permutation of the new hash function and give rotational attacks and internal differentials for the whole design. We conclude that the tweaks in BLAKE2 were chosen properly and, despite having weaknesses in the theoretical attack frameworks of permutations and of fully-chosen state input compression functions, the hash function of BLAKE2 has only a slightly lower security margin than BLAKE.

Category / Keywords: secret-key cryptography / BLAKE2, BLAKE, hash function, rotational cryptanalysis, impossible differential cryptanalysis, differential cryptanalysis, internal differential, iterative differential

Original Publication (with major differences): CT-RSA 2014

Date: received 29 Jul 2013, last revised 26 Apr 2014

Contact author: ntu guo at gmail com

Version: 20140426:104140
