Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
BLAKE (hash function)
open-in-new
<h2 id="history">History</h2> <p>BLAKE was submitted to the <a href="/facts/NIST_hash_function_competition/DFxbPNbx">NIST hash function competition</a> by Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan. In 2008, there were 51 entries. BLAKE made it to the final round consisting of five candidates but lost to <i><a href="/facts/Keccak/bA3BCp7K">Keccak</a></i> in 2012, which was selected for the <a href="/facts/SHA-3/bA3BCp7K">SHA-3</a> algorithm. </p> <h2 id="algorithm">Algorithm</h2> <p>Like <a href="/facts/SHA-2/P59oPeGq">SHA-2</a>, BLAKE comes in two variants: one that uses 32-bit words, used for computing hashes up to 256 bits long, and one that uses 64-bit words, used for computing hashes up to 512 bits long. The core block transformation combines 16 words of input with 16 working variables, but only 8 words (256 or 512 bits) are preserved between blocks. </p><p>It uses a table of 16 constant words (the leading 512 or 1024 bits of the fractional part of <a href="/facts/Pi/vC0UBj1q">π</a>), and a table of 10 16-element permutations: </p> σ[0] = 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 σ[1] = 14 10 4 8 9 15 13 6 1 12 0 2 11 7 5 3 σ[2] = 11 8 12 0 5 2 15 13 10 14 3 6 7 1 9 4 σ[3] = 7 9 3 1 13 12 11 14 2 6 5 10 4 0 15 8 σ[4] = 9 0 5 7 2 4 10 15 14 1 11 12 6 8 3 13 σ[5] = 2 12 6 10 0 11 8 3 4 13 7 5 15 14 1 9 σ[6] = 12 5 1 15 14 13 4 10 0 7 6 3 9 2 8 11 σ[7] = 13 11 7 14 12 1 3 9 5 0 15 4 8 6 2 10 σ[8] = 6 15 14 9 11 3 0 8 12 2 13 7 1 4 10 5 σ[9] = 10 2 8 4 7 6 1 5 15 11 9 14 3 12 13 0 <p>The core operation, equivalent to ChaCha's quarter round, operates on a 4-word column or diagonal a b c d, which is combined with 2 words of message m[] and two constant words n[]. It is performed 8 times per full round: </p> j ← σ[r%10][2×i] // Index computations k ← σ[r%10][2×i+1] a ← a + b + (m[j] ⊕ n[k]) // Step 1 (with input) d ← (d ⊕ a) >>> 16 c ← c + d // Step 2 (no input) b ← (b ⊕ c) >>> 12 a ← a + b + (m[k] ⊕ n[j]) // Step 3 (with input) d ← (d ⊕ a) >>> 8 c ← c + d // Step 4 (no input) b ← (b ⊕ c) >>> 7 <p>In the above, r is the round number (0–13), and i varies from 0 to 7. </p><p>The differences from the ChaCha quarter-round function are: </p> <ul><li>The addition of the message words has been added.</li> <li>The rotation directions have been reversed.</li></ul> <p>"BLAKE reuses the permutation of the ChaCha stream cipher with rotations done in the opposite directions. Some have suspected an advanced optimization, but in fact it originates from a typo in the original BLAKE specifications", Jean-Philippe Aumasson explains in his "Crypto Dictionary".<a class="footnote-ref" id="fnref:1" href="#fn:1"><sup>1</sup></a> </p><p>The 64-bit version (which does not exist in ChaCha) is identical, but the rotation amounts are 32, 25, 16 and 11, respectively, and the number of rounds is increased to 16. </p> <h2 id="tweaks">Tweaks</h2> <p>Throughout the NIST hash function competition, entrants are permitted to "tweak" their algorithms to address issues that are discovered. Changes that have been made to BLAKE are: the number of rounds was increased from 10/14 to 14/16. This is to be more conservative about security while still being fast. </p> <h2 id="example-digests">Example digests</h2> <p>Hash values of an empty string: </p> BLAKE-224("") = 7dc5313b1c04512a174bd6503b89607aecbee0903d40a8a569c94eed BLAKE-256("") = 716f6e863f744b9ac22c97ec7b76ea5f5908bc5b2f67c61510bfc4751384ea7a BLAKE-384("") = c6cbd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706 BLAKE-512("") = a8cfbbd73726062df0c6864dda65defe58ef0cc52a5625090fa17601e1eecd1b628e94f396ae402a00acc9eab77b4d4c2e852aaaa25a636d80af3fc7913ef5b8 <p>Changing a single bit causes each bit in the output to change with 50% probability, demonstrating an <a href="/facts/Avalanche_effect/hpYX5zu5">avalanche effect</a>: </p> BLAKE-512("The quick brown fox jumps over the lazy dog") = 1f7e26f63b6ad25a0896fd978fd050a1766391d2fd0471a77afb975e5034b7ad2d9ccf8dfb47abbbe656e1b82fbc634ba42ce186e8dc5e1ce09a885d41f43451 BLAKE-512("The quick brown fox jumps over the lazy dof") = a701c2a1f9baabd8b1db6b75aee096900276f0b86dc15d247ecc03937b370324a16a4ffc0c3a85cd63229cfa15c15f4ba6d46ae2e849ed6335e9ff43b764198a <p>(In this example 266 matching bits out of 512 is about 52% due to the random nature of the avalanche.) </p> <h2 id="blake2">BLAKE2</h2> <p>BLAKE2 is a cryptographic hash function based on BLAKE, created by Jean-Philippe Aumasson, Samuel Neves, <a href="/facts/Zooko_Wilcox-O%2527Hearn/ExWJbk5m">Zooko Wilcox-O'Hearn</a>, and Christian Winnerlein. The design goal was to replace the widely used, but broken, <a href="/facts/MD5/8WIXb9Dq">MD5</a> and <a href="/facts/SHA-1/LDYCV1je">SHA-1</a> algorithms in applications requiring high performance in software. BLAKE2 was announced on December 21, 2012.<a class="footnote-ref" id="fnref:2" href="#fn:2"><sup>2</sup></a> A <a href="/facts/Reference_implementation/k9B97xel">reference implementation</a> is available under <a href="/facts/CC0/6AV3V7UJ">CC0</a>, the <a href="/facts/OpenSSL_license/aXvs5fo2">OpenSSL License</a>, and the <a href="/facts/Apache_License/5AeIjas8">Apache License 2.0</a>.<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a><a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a> </p><p>BLAKE2b is faster than MD5, SHA-1, SHA-2, and SHA-3, on 64-bit x86-64 and ARM architectures.<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a> Its creators state that BLAKE2 provides better security than SHA-2 and similar to that of SHA-3: immunity to <a href="/facts/Length_extension_attack/PvQtI1TD">length extension</a>, indifferentiability from a random oracle, etc.<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a> </p><p>BLAKE2 removes addition of constants to message words from BLAKE round function, changes two rotation constants, simplifies padding, adds parameter block that is XOR'ed with initialization vectors, and reduces the number of rounds from 16 to 12 for BLAKE2b (successor of BLAKE-512), and from 14 to 10 for BLAKE2s (successor of BLAKE-256). </p><p>BLAKE2 supports keying, salting, personalization, and hash tree modes, and can output digests from 1 up to 64 bytes for BLAKE2b, or up to 32 bytes for BLAKE2s. There are also parallel versions designed for increased performance on <a href="/facts/Multi-core_processor/ABNb65hQ">multi-core processors</a>; BLAKE2bp (4-way parallel) and BLAKE2sp (8-way parallel). </p><p>BLAKE2X is a family of <a href="/facts/Extendable-output_function/EefbSTfz">extendable-output functions</a> (XOFs). Whereas BLAKE2 is limited to 64-byte digests, BLAKE2X allows for digests of up to 256 GiB. BLAKE2X is itself not an instance of a hash function, and must be based on an actual BLAKE2 instance. An example of a BLAKE2X instance could be BLAKE2Xb16MiB, which would be a BLAKE2X version based on BLAKE2b producing 16,777,216-byte digests (or exactly 16 <a href="/facts/Mebibyte/BNHUp9Qq">MiB</a>, hence the name of such an instance).<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a> </p><p>BLAKE2b and BLAKE2s are specified in RFC 7693. Optional features using the parameter block (salting, personalized hashes, tree hashing, et cetera), are not specified, and thus neither is support for BLAKE2bp, BLAKE2sp, or BLAKE2X.<a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a> </p> <h3>Initialization vector</h3> <p>BLAKE2b uses an initialization vector that is the same as the IV used by SHA-512. These values are <a href="/facts/Nothing-up-my-sleeve_number/AwqF2wkR">transparently obtained</a> by taking the first 64 bits of the fractional parts of the positive square roots of the first eight prime numbers. </p> IV0 = 0x6a09e667f3bcc908 // Frac(sqrt(2)) IV1 = 0xbb67ae8584caa73b // Frac(sqrt(3)) IV2 = 0x3c6ef372fe94f82b // Frac(sqrt(5)) IV3 = 0xa54ff53a5f1d36f1 // Frac(sqrt(7)) IV4 = 0x510e527fade682d1 // Frac(sqrt(11)) IV5 = 0x9b05688c2b3e6c1f // Frac(sqrt(13)) IV6 = 0x1f83d9abfb41bd6b // Frac(sqrt(17)) IV7 = 0x5be0cd19137e2179 // Frac(sqrt(19)) <h3>BLAKE2b algorithm</h3> <p><a href="/facts/Pseudocode/XgN19duK">Pseudocode</a> for the BLAKE2b algorithm. The BLAKE2b algorithm uses 8-byte (UInt64) words, and 128-byte chunks. </p> Algorithm BLAKE2b Input: M <i>Message to be hashed</i> cbMessageLen: Number, (0..2128) <i>Length of the message in bytes</i> Key <i>Optional 0..64 byte key</i> cbKeyLen: Number, (0..64) <i>Length of optional key in bytes</i> cbHashLen: Number, (1..64) <i>Desired hash length in bytes</i> Output: Hash <i>Hash of cbHashLen bytes</i> <i>Initialize State vector h with IV</i> h0..7 ← IV0..7 <i>Mix key size (cbKeyLen) and desired hash length (cbHashLen) into h0</i> h0 ← h0 xor 0x0101kknn <i>where kk is Key Length (in bytes)</i> nn <i>is Desired Hash Length (in bytes)</i> <i>Each time we Compress we record how many bytes have been compressed</i> cBytesCompressed ← 0 cBytesRemaining ← cbMessageLen <i>If there was a key supplied (i.e. cbKeyLen > 0)</i> <i>then pad with trailing zeros to make it 128-bytes (i.e. 16 words) </i> <i>and prepend it to the message M</i> if (cbKeyLen > 0) then M ← Pad(Key, 128) || M cBytesRemaining ← cBytesRemaining + 128 end if <i>Compress whole 128-byte chunks of the message, except the last chunk</i> while (cBytesRemaining > 128) do chunk ← get next 128 bytes of message M cBytesCompressed ← cBytesCompressed + 128 <i>increase count of bytes that have been compressed</i> cBytesRemaining ← cBytesRemaining - 128 <i>decrease count of bytes in M remaining to be processed</i> h ← Compress(h, chunk, cBytesCompressed, false) <i>false ⇒ this is not the last chunk</i> end while <i>Compress the final bytes from M</i> chunk ← get next 128 bytes of message M <i>We will get cBytesRemaining bytes (i.e. 0..128 bytes)</i> cBytesCompressed ← cBytesCompressed+cBytesRemaining <i>The actual number of bytes leftover in M</i> chunk ← Pad(chunk, 128) <i>If M was empty, then we will still compress a final chunk of zeros</i> h ← Compress(h, chunk, cBytesCompressed, true) <i>true ⇒ this is the last chunk</i> Result ← first cbHashLen bytes of little endian state vector h End Algorithm BLAKE2b <h4>Compress</h4> <p>The Compress function takes a full 128-byte chunk of the input message and mixes it into the ongoing state array: </p> Function Compress Input: h <i>Persistent state vector</i> chunk <i>128-byte (16 double word) chunk of message to compress</i> t: Number, 0..2128 <i>Count of bytes that have been fed into the Compression</i> IsLastBlock: Boolean <i>Indicates if this is the final round of compression</i> Output: h <i>Updated persistent state vector</i> <i>Setup local work vector V</i> V0..7 ← h0..7 <i>First eight items are copied from persistent state vector h</i> V8..15 ← IV0..7 <i>Remaining eight items are initialized from the IV</i> <i>Mix the 128-bit counter t into V</i>12:V13 V12 ← V12 xor Lo(t) <i>Lo 64-bits of UInt128 t</i> V13 ← V13 xor Hi(t) <i>Hi 64-bits of UInt128 t</i> <i>If this is the last block then invert all the bits in V14</i> if IsLastBlock then V14 ← V14 xor 0xFFFFFFFFFFFFFFFF <i>Treat each 128-byte message chunk as sixteen 8-byte (64-bit) words m</i> m0..15 ← chunk <i>Twelve rounds of cryptographic message mixing</i> for i from 0 to 11 do <i>Select message mixing schedule for this round.</i> <i>BLAKE2b uses 12 rounds, while SIGMA has only 10 entries.</i> S0..15 ← SIGMA[i mod 10] <i>Rounds 10 and 11 use SIGMA[0] and SIGMA[1] respectively</i> Mix(V0, V4, V8, V12, m[S0], m[S1]) Mix(V1, V5, V9, V13, m[S2], m[S3]) Mix(V2, V6, V10, V14, m[S4], m[S5]) Mix(V3, V7, V11, V15, m[S6], m[S7]) Mix(V0, V5, V10, V15, m[S8], m[S9]) Mix(V1, V6, V11, V12, m[S10], m[S11]) Mix(V2, V7, V8, V13, m[S12], m[S13]) Mix(V3, V4, V9, V14, m[S14], m[S15]) end for <i>Mix the upper and lower halves of V into ongoing state vector h</i> h0..7 ← h0..7 xor V0..7 h0..7 ← h0..7 xor V8..15 Result ← h End Function Compress <h4>Mix</h4> <p>The Mix function is called by the Compress function, and mixes two 8-byte words from the message into the hash state. In most implementations this function would be written inline, or as an inlined function. </p> Function Mix Inputs: Va, Vb, Vc, Vd <i>four 8-byte word entries from the work vector V</i> x, y <i>two 8-byte word entries from padded message m</i> Output: Va, Vb, Vc, Vd <i>the modified versions of Va, Vb, Vc, Vd</i> Va ← Va + Vb + x <i>with input</i> Vd ← (Vd xor Va) rotateright 32 Vc ← Vc + Vd <i>no input</i> Vb ← (Vb xor Vc) rotateright 24 Va ← Va + Vb + y <i>with input</i> Vd ← (Vd xor Va) rotateright 16 Vc ← Vc + Vd <i>no input</i> Vb ← (Vb xor Vc) rotateright 63 Result ← Va, Vb, Vc, Vd End Function Mix <h3>Example digests</h3> <p>Hash values of an empty string: </p> BLAKE2s-224("") = 1fa1291e65248b37b3433475b2a0dd63d54a11ecc4e3e034e7bc1ef4 BLAKE2s-256("") = 69217a3079908094e11121d042354a7c1f55b6482ca1a51e1b250dfd1ed0eef9 BLAKE2b-384("") = b32811423377f52d7862286ee1a72ee540524380fda1724a6f25d7978c6fd3244a6caf0498812673c5e05ef583825100 BLAKE2b-512("") = 786a02f742015903c6c6fd852552d272912f4740e15847618a86e217f71f5419d25e1031afee585313896444934eb04b903a685b1448b755d56f701afe9be2ce <p>Changing a single bit causes each bit in the output to change with 50% probability, demonstrating an <a href="/facts/Avalanche_effect/hpYX5zu5">avalanche effect</a>: </p> BLAKE2b-512("The quick brown fox jumps over the lazy dog") = a8add4bdddfd93e4877d2746e62817b116364a1fa7bc148d95090bc7333b3673f82401cf7aa2e4cb1ecd90296e3f14cb5413f8ed77be73045b13914cdcd6a918 BLAKE2b-512("The quick brown fox jumps over the lazy dof") = ab6b007747d8068c02e25a6008db8a77c218d94f3b40d2291a7dc8a62090a744c082ea27af01521a102e42f480a31e9844053f456b4b41e8aa78bbe5c12957bb <h3>Users of BLAKE2</h3> <ul><li><a href="/facts/Argon2/8sAkGSch">Argon2</a>, the winner of the <a href="/facts/Password_Hashing_Competition/tufKsBYs">Password Hashing Competition</a>, uses BLAKE2b</li> <li><a href="/facts/Chef_(company)/wL693IoF">Chef</a>'s Habitat deployment system uses BLAKE2b for package signing<a class="footnote-ref" id="fnref:9" href="#fn:9"><sup>9</sup></a></li> <li><a href="/facts/FreeBSD_Ports/CBfftt3v">FreeBSD Ports</a> package management tool uses BLAKE2b</li> <li><a href="/facts/GNU_Core_Utilities/Q9cop5U5">GNU Core Utilities</a> implements BLAKE2b in its b2sum command<a class="footnote-ref" id="fnref:10" href="#fn:10"><sup>10</sup></a></li> <li><a href="/facts/IPFS/VUhdLRdm">IPFS</a> allows use of BLAKE2b for tree hashing</li> <li><a href="/facts/Librsync/H4UlsQ3U">librsync</a> uses BLAKE2b<a class="footnote-ref" id="fnref:11" href="#fn:11"><sup>11</sup></a></li> <li>Noise (cryptographic protocol), which is used in <a href="/facts/WhatsApp/VMlSeFb6">WhatsApp</a> includes BLAKE2 as an option.<a class="footnote-ref" id="fnref:12" href="#fn:12"><sup>12</sup></a></li> <li><a href="/facts/RAR_(file_format)/cgHI6gnw">RAR</a> archive format version 5 supports an optional 256-bit BLAKE2sp file checksum instead of the default 32-bit <a href="/facts/CRC32/u2exo4sv">CRC32</a>; it was implemented in <a href="/facts/WinRAR/74MRE7H6">WinRAR</a> v5+<a class="footnote-ref" id="fnref:13" href="#fn:13"><sup>13</sup></a></li> <li><a href="/facts/7-Zip/0Y8ItlHs">7-Zip</a> (in order to support the RAR archive format version 5<a class="footnote-ref" id="fnref:14" href="#fn:14"><sup>14</sup></a>) can generate the BLAKE2sp signature for each file in the Explorer shell via "CRC SHA" context menu, and choosing '*'</li> <li>rmlint uses BLAKE2b for duplicate file detection<a class="footnote-ref" id="fnref:15" href="#fn:15"><sup>15</sup></a></li> <li><a href="/facts/WireGuard/zSJv87LA">WireGuard</a> uses BLAKE2s for hashing<a class="footnote-ref" id="fnref:16" href="#fn:16"><sup>16</sup></a></li> <li><a href="/facts/Zcash/t36Edlhr">Zcash</a>, a cryptocurrency, uses BLAKE2b in the <a href="/facts/Equihash/LgqLBujF">Equihash</a> <a href="/facts/Proof_of_work/GKI1LcQU">proof of work</a>, and as a <a href="/facts/Key_derivation_function/3jL2jTTb">key derivation function</a></li> <li><a href="/facts/Nano_(cryptocurrency)/uytNU2WD">NANO</a>, a cryptocurrency, uses BLAKE2b in the proof of work, for hashing digital signatures and as a <a href="/facts/Key_derivation_function/3jL2jTTb">key derivation function</a><a class="footnote-ref" id="fnref:17" href="#fn:17"><sup>17</sup></a><a class="footnote-ref" id="fnref:18" href="#fn:18"><sup>18</sup></a><a class="footnote-ref" id="fnref:19" href="#fn:19"><sup>19</sup></a></li> <li><a href="/facts/Polkadot_(cryptocurrency)/Ir0g1cXI">Polkadot</a>, a multi-chain blockchain uses BLAKE2b as its hashing algorithm.</li> <li>Kadena (cryptocurrency), a scalable proof of work blockchain that uses Blake2s_256 as its hashing algorithm.</li> <li>PCI Vault, uses BLAKE2b as its hashing algorithm for the purpose of PCI compliant PCD tokenization.</li> <li>Ergo, a cryptocurrency, uses BLAKE2b256 as a subroutine of its hashing algorithm called Autolykos.<a class="footnote-ref" id="fnref:20" href="#fn:20"><sup>20</sup></a></li> <li><a href="/facts/Linux_kernel/dlkduHuA">Linux kernel</a>, version 5.17 replaced SHA-1 with BLAKE2s for hashing the <a href="/facts/Entropy_pool/Kc7HIkgJ">entropy pool</a> in the <a href="/facts/Random_number_generator/RtXEfbzd">random number generator</a>.<a class="footnote-ref" id="fnref:21" href="#fn:21"><sup>21</sup></a></li> <li><a href="/facts/Open_Network_for_Digital_Commerce/fRThhJuJ">Open Network for Digital Commerce</a>, a Government of India initiative, uses BLAKE-512 to sign API requests.<a class="footnote-ref" id="fnref:22" href="#fn:22"><sup>22</sup></a></li> <li><a href="/facts/Checksum/AqxQ0I8g">checksum</a>, a Windows file hashing program has Blake2s as one of its algorithms<a class="footnote-ref" id="fnref:23" href="#fn:23"><sup>23</sup></a></li></ul> <h3>Implementations</h3> <p>In addition to the reference implementation,<a class="footnote-ref" id="fnref:24" href="#fn:24"><sup>24</sup></a> the following cryptography libraries provide implementations of BLAKE2: </p> <ul><li><a href="/facts/Botan_(programming_library)/IehRkvcn">Botan</a></li> <li><a href="/facts/Bouncy_Castle_(cryptography)/uwEYp9tT">Bouncy Castle</a></li> <li><a href="/facts/Crypto%252B%252B/cCWAwUmX">Crypto++</a></li> <li><a href="/facts/Libgcrypt/Fsj9wNw3">Libgcrypt</a></li> <li><a href="/facts/NaCl_(software)/0J9zoeHH">libsodium</a></li> <li><a href="/facts/OpenSSL/aXvs5fo2">OpenSSL</a></li> <li><a href="/facts/WolfSSL/26UD7dQE">wolfSSL</a></li></ul> <h2 id="blake3">BLAKE3</h2> <p>BLAKE3 is a cryptographic hash function based on Bao and BLAKE2, created by Jack O'Connor, Jean-Philippe Aumasson, Samuel Neves, and <a href="/facts/Zooko_Wilcox-O%2527Hearn/ExWJbk5m">Zooko Wilcox-O'Hearn</a>.<a class="footnote-ref" id="fnref:25" href="#fn:25"><sup>25</sup></a> It was announced on January 9, 2020, at <a href="/facts/Real_World_Crypto/TgVIMDmb">Real World Crypto</a>.<a class="footnote-ref" id="fnref:26" href="#fn:26"><sup>26</sup></a> </p><p>BLAKE3 is a single algorithm with many desirable features (parallelism, <a href="/facts/Extendable-output_function/EefbSTfz">XOF</a>, <a href="/facts/Key_derivation_function/3jL2jTTb">KDF</a>, <a href="/facts/Pseudorandom_function_family/Y2PpjPeF">PRF</a> and <a href="/facts/HMAC/Qy9WD4V9">MAC</a>), in contrast to BLAKE and BLAKE2, which are algorithm families with multiple variants. BLAKE3 has a <a href="/facts/Binary_tree/TDV7GMpu">binary tree</a> structure, so it supports a practically unlimited degree of parallelism (both SIMD and multithreading) given long enough input. The official <a href="/facts/Rust_(programming_language)/8JNMV19F">Rust</a> and <a href="/facts/C_(programming_language)/Ky2No763">C</a> implementations<a class="footnote-ref" id="fnref:27" href="#fn:27"><sup>27</sup></a> are <a href="/facts/Multi-licensing/4PvsDgfB">dual-licensed</a> as public domain (<a href="/facts/CC0/6AV3V7UJ">CC0</a>) and the <a href="/facts/Apache_License/5AeIjas8">Apache License</a>.<a class="footnote-ref" id="fnref:28" href="#fn:28"><sup>28</sup></a> </p><p>BLAKE3 is designed to be as fast as possible. It is consistently a few times faster than BLAKE2. The BLAKE3 compression function is closely based on that of BLAKE2s, with the biggest difference being that the number of rounds is reduced from 10 to 7, a change based on the assumption that current cryptography is too conservative.<a class="footnote-ref" id="fnref:29" href="#fn:29"><sup>29</sup></a> In addition to providing parallelism, the Merkle tree format also allows for verified streaming (on-the-fly verifying) and incremental updates.<a class="footnote-ref" id="fnref:30" href="#fn:30"><sup>30</sup></a> </p> <h3>Users of BLAKE3</h3> <ul><li><a href="/facts/Total_Commander/QB9TrQBR">Total Commander</a> supports BLAKE3 for file checksums.</li> <li><a href="/facts/OpenZFS/HcC7EaMU">OpenZFS</a> supports BLAKE3 from version 2.2<a class="footnote-ref" id="fnref:31" href="#fn:31"><sup>31</sup></a></li></ul> <h2 id="external-links">External links</h2> <ul><li><a href="https://131002.net/blake/">The BLAKE web site</a></li> <li><a href="https://blake2.net/">The BLAKE2 web site</a></li> <li><a href="https://blake3.io/">The BLAKE3 web site</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>Aumasson, Jean-Philippe (2021). Crypto Dictionary: 500 Tasty Tidbits for the Curious Cryptographer. No Starch Press. ISBN 9781718501409. <a href="9781718501409" target="_blank">9781718501409</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>O'Whielacronx, Zooko (21 December 2012). "introducing BLAKE2 – an alternative to SHA-3, SHA-2 and MD5". Archived from the original on 5 October 2016. Retrieved 27 January 2016. <a href="https://web.archive.org/web/20161005024333/https://lists.randombit.net/pipermail/cryptography/2012-December/003562.html" target="_blank">https://web.archive.org/web/20161005024333/https://lists.randombit.net/pipermail/cryptography/2012-December/003562.html</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>"BLAKE2". blake2.net. <a href="https://blake2.net/" target="_blank">https://blake2.net/</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>"BLAKE2 official implementations". GitHub. Retrieved 7 July 2019. <a href="https://github.com/BLAKE2/BLAKE2" target="_blank">https://github.com/BLAKE2/BLAKE2</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>"BLAKE2". blake2.net. <a href="https://blake2.net/" target="_blank">https://blake2.net/</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>Aumasson, Jean-Philippe; Neves, Samuel; Wilcox-O’Hearn, Zooko; Winnerlein, Christian (2013). "BLAKE2: simpler, smaller, fast as MD5" (PDF). Cryptology ePrint Archive. IACR. <a href="https://eprint.iacr.org/2013/322.pdf" target="_blank">https://eprint.iacr.org/2013/322.pdf</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>"BLAKE2X" (PDF). <a href="https://blake2.net/blake2x.pdf" target="_blank">https://blake2.net/blake2x.pdf</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>Saarinen, M-J; Aumasson, J-P (November 2015). The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC). IETF. doi:10.17487/RFC7693. RFC 7693. Retrieved 4 December 2015. <a href="https://datatracker.ietf.org/doc/html/rfc7693" target="_blank">https://datatracker.ietf.org/doc/html/rfc7693</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>"About Chef Habitat". docs.chef.io. <a href="https://docs.chef.io/habitat/" target="_blank">https://docs.chef.io/habitat/</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> <li id="fn:10"><p>"coreutils/src/blake2/". github.com. <a href="https://github.com/coreutils/coreutils/tree/master/src/blake2" target="_blank">https://github.com/coreutils/coreutils/tree/master/src/blake2</a> <a href="#fnref:10" class="footnote-back-ref">↩</a></p></li> <li id="fn:11"><p>"librsync/src/blake2/". github.com. <a href="https://github.com/librsync/librsync/tree/master/src/blake2" target="_blank">https://github.com/librsync/librsync/tree/master/src/blake2</a> <a href="#fnref:11" class="footnote-back-ref">↩</a></p></li> <li id="fn:12"><p>"WhatsApp Security Whitepaper" (PDF). <a href="https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf" target="_blank">https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf</a> <a href="#fnref:12" class="footnote-back-ref">↩</a></p></li> <li id="fn:13"><p>"WinRAR archiver, a powerful tool to process RAR and ZIP files". rarsoft.com. <a href="https://rarsoft.com/rarnew.htm" target="_blank">https://rarsoft.com/rarnew.htm</a> <a href="#fnref:13" class="footnote-back-ref">↩</a></p></li> <li id="fn:14"><p>"Igor Pavlov's response to a user request for BLAKE3 support in 7-Zip". sourceforge.net. <a href="https://sourceforge.net/p/sevenzip/feature-requests/1489/#320e" target="_blank">https://sourceforge.net/p/sevenzip/feature-requests/1489/#320e</a> <a href="#fnref:14" class="footnote-back-ref">↩</a></p></li> <li id="fn:15"><p>"rmlint — rmlint (2.8.0 Maidenly Moose) documentation". rmlint.readthedocs.io. <a href="https://rmlint.readthedocs.io/en/latest/rmlint.1.html" target="_blank">https://rmlint.readthedocs.io/en/latest/rmlint.1.html</a> <a href="#fnref:15" class="footnote-back-ref">↩</a></p></li> <li id="fn:16"><p>"WireGuard: Next Generation Kernel Network Tunnel" (PDF). <a href="https://www.wireguard.com/papers/wireguard.pdf" target="_blank">https://www.wireguard.com/papers/wireguard.pdf</a> <a href="#fnref:16" class="footnote-back-ref">↩</a></p></li> <li id="fn:17"><p>"work". docs.nano.org. <a href="https://docs.nano.org/integration-guides/work-generation/?h=+blake2b#work-equation" target="_blank">https://docs.nano.org/integration-guides/work-generation/?h=+blake2b#work-equation</a> <a href="#fnref:17" class="footnote-back-ref">↩</a></p></li> <li id="fn:18"><p>"signatures". docs.nano.org. <a href="https://docs.nano.org/whitepaper/english/?h=+blake2b#signing-algorithm" target="_blank">https://docs.nano.org/whitepaper/english/?h=+blake2b#signing-algorithm</a> <a href="#fnref:18" class="footnote-back-ref">↩</a></p></li> <li id="fn:19"><p>"key derivation". docs.nano.org. <a href="https://docs.nano.org/integration-guides/the-basics/?h=+blake2b#seed" target="_blank">https://docs.nano.org/integration-guides/the-basics/?h=+blake2b#seed</a> <a href="#fnref:19" class="footnote-back-ref">↩</a></p></li> <li id="fn:20"><p>"Autolykos: The Ergo Platform PoW Puzzle" (PDF). ergoplatform.org. <a href="https://ergoplatform.org/docs/ErgoPow.pdf" target="_blank">https://ergoplatform.org/docs/ErgoPow.pdf</a> <a href="#fnref:20" class="footnote-back-ref">↩</a></p></li> <li id="fn:21"><p>"Linux 5.17 Random Number Generator Seeing Speed-Ups, Switching From SHA1 To BLAKE2s". www.phoronix.com. <a href="https://www.phoronix.com/scan.php?page=news_item&px=Linux-5.17-RNG" target="_blank">https://www.phoronix.com/scan.php?page=news_item&px=Linux-5.17-RNG</a> <a href="#fnref:21" class="footnote-back-ref">↩</a></p></li> <li id="fn:22"><p>"Subscriber Signing - Beckn". <a href="https://developers.becknprotocol.io/docs/infrastructure-layer-specification/authentication/subscriber-signing" target="_blank">https://developers.becknprotocol.io/docs/infrastructure-layer-specification/authentication/subscriber-signing</a> <a href="#fnref:22" class="footnote-back-ref">↩</a></p></li> <li id="fn:23"><p>"checksum for Windows". corz.org. <a href="https://corz.org/windows/software/checksum/" target="_blank">https://corz.org/windows/software/checksum/</a> <a href="#fnref:23" class="footnote-back-ref">↩</a></p></li> <li id="fn:24"><p>"BLAKE2 official implementations". GitHub. Retrieved 7 July 2019. <a href="https://github.com/BLAKE2/BLAKE2" target="_blank">https://github.com/BLAKE2/BLAKE2</a> <a href="#fnref:24" class="footnote-back-ref">↩</a></p></li> <li id="fn:25"><p>"An earlier version of Bao specified its own custom tree mode, which eventually grew into BLAKE3". GitHub. <a href="https://github.com/oconnor663/bao/blob/ae247d2aff286dfe0a31d41b6afc02b263956091/docs/spec.md" target="_blank">https://github.com/oconnor663/bao/blob/ae247d2aff286dfe0a31d41b6afc02b263956091/docs/spec.md</a> <a href="#fnref:25" class="footnote-back-ref">↩</a></p></li> <li id="fn:26"><p>"JPA and I announced BLAKE3 at the RWC lightning talks..." Hacker News. <a href="https://news.ycombinator.com/item?id=22023152" target="_blank">https://news.ycombinator.com/item?id=22023152</a> <a href="#fnref:26" class="footnote-back-ref">↩</a></p></li> <li id="fn:27"><p>"BLAKE3 official implementations". GitHub. Retrieved 12 January 2020. <a href="https://github.com/BLAKE3-team/BLAKE3" target="_blank">https://github.com/BLAKE3-team/BLAKE3</a> <a href="#fnref:27" class="footnote-back-ref">↩</a></p></li> <li id="fn:28"><p>"This work is released into the public domain with CC0 1.0. Alternatively, it is licensed under the Apache License 2.0". GitHub. <a href="https://github.com/BLAKE3-team/BLAKE3/blob/master/LICENSE" target="_blank">https://github.com/BLAKE3-team/BLAKE3/blob/master/LICENSE</a> <a href="#fnref:28" class="footnote-back-ref">↩</a></p></li> <li id="fn:29"><p>Aumasson, Jean-Philippe (2020). Too Much Crypto (PDF). Real World Crypto Symposium. <a href="https://eprint.iacr.org/2019/1492.pdf" target="_blank">https://eprint.iacr.org/2019/1492.pdf</a> <a href="#fnref:29" class="footnote-back-ref">↩</a></p></li> <li id="fn:30"><p>"BLAKE3 official implementations". GitHub. Retrieved 12 January 2020. <a href="https://github.com/BLAKE3-team/BLAKE3" target="_blank">https://github.com/BLAKE3-team/BLAKE3</a> <a href="#fnref:30" class="footnote-back-ref">↩</a></p></li> <li id="fn:31"><p>Larabel, Michael (13 October 2023). "OpenZFS 2.2 Released With Block Clning, Linux Container Support & Better Performanceo". Phoronix. Retrieved 21 May 2025. <a href="https://www.phoronix.com/news/OpenZFS-2.2-Released" target="_blank">https://www.phoronix.com/news/OpenZFS-2.2-Released</a> <a href="#fnref:31" class="footnote-back-ref">↩</a></p></li> </ol>