Paper 2016/827

Security Analysis of BLAKE2's Modes of Operation

Atul Luykx, Bart Mennink, and Samuel Neves


BLAKE2 is a hash function introduced at ACNS 2013, which has been adopted in many constructions and applications. It is a successor to the SHA-3 finalist BLAKE, which received a significant amount of security analysis. Nevertheless, BLAKE2 introduces sufficient changes so that not all results from BLAKE carry over, meaning new analysis is necessary. To date, all known cryptanalysis done on BLAKE2 has focused on its underlying building blocks, with little focus placed on understanding BLAKE2's generic security. We prove that BLAKE2's compression function is indifferentiable from a random function in a weakly ideal cipher model, which was not the case for BLAKE. This implies that there are no generic attacks against any of the modes that BLAKE2 uses.

Note: Updated IACRtrans class file.

Available format(s)
Publication info
A minor revision of an IACR publication in FSE 2017
BLAKEBLAKE2hash functionindifferentiabilityPRF
Contact author(s)
atul luykx @ esat kuleuven be
bart mennink @ esat kuleuven be
sneves @ dei uc pt
2016-08-31: last of 2 revisions
2016-08-30: received
See all versions
Short URL
Creative Commons Attribution


      author = {Atul Luykx and Bart Mennink and Samuel Neves},
      title = {Security Analysis of BLAKE2's Modes of Operation},
      howpublished = {Cryptology ePrint Archive, Paper 2016/827},
      year = {2016},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.