Internet Engineering Task Force J-P. Aumasson, Ed. Internet-Draft Taurus SA Intended status: Informational S. Neves Expires: 21 January 2025 University of Coimbra J. O'Connor SpaceX Z. Wilcox Electric Coin Co 20 July 2024 The BLAKE3 Hashing Framework draft-aumasson-blake3-00 Abstract This document specifies the cryptographic hashing primitive BLAKE3, a secure algorithm designed to be fast and highly parallelizable. Apart from the standard hashing functionality, BLAKE3 can serve to realize the following cryptographic functionalities: extendable- output function (XOF), key derivation function (KDF), pseudo-random function (PRF), and message authentication code (MAC). Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 21 January 2025. Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Aumasson, et al. Expires 21 January 2025 [Page 1] Internet-Draft The BLAKE3 Hashing Framework July 2024 Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction and Terminology . . . . . . . . . . . . . . . . 2 1.1. Hashing Modes . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Hashing Structure . . . . . . . . . . . . . . . . . . . . 4 2. Conventions and Constants . . . . . . . . . . . . . . . . . . 4 2.1. Arithmetic Notation . . . . . . . . . . . . . . . . . . . 4 2.2. Little-Endian Convention . . . . . . . . . . . . . . . . 5 2.3. Initial Value (IV) . . . . . . . . . . . . . . . . . . . 5 2.4. Message Word Permutation . . . . . . . . . . . . . . . . 6 2.5. Compression Function Flags . . . . . . . . . . . . . . . 6 3. Compression Function . . . . . . . . . . . . . . . . . . . . 7 3.1. Compression Function Input Values . . . . . . . . . . . . 7 3.2. Quarter-Round Function G . . . . . . . . . . . . . . . . 7 3.3. Compression Function Processing . . . . . . . . . . . . . 8 4. Tree Mode of Operation . . . . . . . . . . . . . . . . . . . 10 4.1. Chunk Processing . . . . . . . . . . . . . . . . . . . . 10 4.2. Binary Tree Processing . . . . . . . . . . . . . . . . . 11 4.3. Extendable Output . . . . . . . . . . . . . . . . . . . . 12 5. Implementation Considerations . . . . . . . . . . . . . . . . 12 5.1. Incremental Hashing Implementation . . . . . . . . . . . 12 5.2. Compression Function Implementation . . . . . . . . . . . 13 5.3. Multi-Thread Implementation . . . . . . . . . . . . . . . 13 5.4. Extendable Output Implementation . . . . . . . . . . . . 13 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 7. Security Considerations . . . . . . . . . . . . . . . . . . . 14 8. Informative References . . . . . . . . . . . . . . . . . . . 14 Appendix A. Implementation status . . . . . . . . . . . . . . . 15 Appendix B. Examples of BLAKE3 Computation . . . . . . . . . . . 15 B.1. Single Chunk in hash Mode . . . . . . . . . . . . . . . . 15 B.2. Multiple Chunks in keyed_hash Mode . . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 1. Introduction and Terminology The [BLAKE3] cryptographic hash function was designed by Jack O'Connor, Jean-Philippe Aumasson, Samuel Neves, and Zooko Wilcox- O'Hearn. BLAKE3 is an evolution from its predecessors [BLAKE] and [BLAKE2][RFC7693]. BLAKE2 is widely used in open-source software and in proprietary software. For example, the Linux kernel (from version 5.17) uses BLAKE2 in its cryptographic pseudorandom generator, and the WireGuard secure tunnel protocol uses BLAKE2 for hashing and Aumasson, et al. Expires 21 January 2025 [Page 2] Internet-Draft The BLAKE3 Hashing Framework July 2024 keyed hashing. BLAKE3 was designed to be as secure as BLAKE2, yet considerably faster, thanks to 1) a compression function with a reduced number of rounds, and 2) a tree-based mode allowing implementations to leverage parallel processing. BLAKE3 was designed to take advantage of multi- thread and multi-core processing, as well as of single-instruction multiple-data (SIMD) instructions of modern processor architectures. At the time of its publication, BLAKE3 was demonstrated to be approximately five times faster than BLAKE2 when hashing 16 kibibyte messages and using a single thread. When using multiple threads and hashing large messages, BLAKE3 can be more than twenty times faster than BLAKE2. 1.1. Hashing Modes BLAKE3 was also designed to instantiate multiple cryptographic primitives, to offer a simpler and more efficient alternative to dedicated legacy modes and algorithms such as those in [RFC6234]. These primitives include: Unkeyed hashing (hash): This is the general-purpose hashing mode, taking a single input of arbitrary size. BLAKE3 in this mode can be used whenever a preimage- or collision-resistant hash function is needed, and to instantiate random oracles in cryptographic protocols. For example, BLAKE3 can replace SHA-3, as well as any SHA-2 instance, in applications such as digital signatures. Keyed hashing (keyed_hash): The keyed mode takes a 32-byte key, in addition to the arbitrary size input. BLAKE3 in this mode can be used whenever a pseudorandom function (PRF) or message authentication code (MAC) is needed. For example, keyed BLAKE3 can replace HMAC instances. Key derivation (derive_key): The key derivation mode takes two input values, each of arbitrary size: a context string, and key material. BLAKE3 in this mode can be used whenever a key derivation function (KDF) is needed. For example, BLAKE3 in key derivation mode can replace HKDF. Further, all 3 modes can produce an output of arbitrary size. The hash mode can thus be used as an extendable-output-function (XOF); the keyed hash mode can thus be used as a deterministic random bit generator (DRBG). By default, each mode returns a 32-byte output. Applications and use cases of BLAKE3 are further discussed in Section 6 in [BLAKE3]. Aumasson, et al. Expires 21 January 2025 [Page 3] Internet-Draft The BLAKE3 Hashing Framework July 2024 1.2. Hashing Structure We provide a high-level overview of BLAKE3's internal structure, and introduce the associated terminology. BLAKE3 processes input data according to a binary tree structure. It first splits its input into 1024-byte chunks, processing each chunk independently of the other chunks, using a compression function iterating over each of the 16 consecutive 16-byte blocks of a chunk. From the hash of each chunk, a binary hash tree is built to compute the root of the tree, which determines the BLAKE3 output. In the simplest case, there is only one chunk. In this case, this node is seen as the tree's root and its output determines BLAKE3's output. If the number of chunks is a power of 2, the binary tree is a complete tree and all leaves are at the same level. If the number of chunks is not a power of 2, not all chunks will be at the same level (or layer) of the tree. 2. Conventions and Constants The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2.1. Arithmetic Notation For real-valued x we define the following functions: floor(x) Floor, the largest integer less than or equal to x. ceil(x) Ceiling, the smallest integer greater than or equal to x. frac(x) Positive fractional part of x, frac(x) = x - floor(x). Operator notation in pseudocode: 2**n = 2 to the power "n". 2**0=1, 2**1=2, 2**2=4, 2**3=8, etc. a ^ b = Bitwise exclusive-or operation between "a" and "b". a mod b = Remainder "a" modulo "b", always in range [0, b-1]. x >> n = floor(x / 2**n). Logical shift "x" right by "n" bits. x << n = (x * 2**n) mod (2**w). Logical shift "x" left by "n". Aumasson, et al. Expires 21 January 2025 [Page 4] Internet-Draft The BLAKE3 Hashing Framework July 2024 x >>> n = (x >> n) ^ (x << (w - n)). Rotate "x" right by "n". 2.2. Little-Endian Convention BLAKE3 performs operations on 32-bit words, and on arrays of words. Array indexing is zero-based; the first element of an n-element array "v" is v[0] and the last one is v[n - 1]. All elements is denoted by v[0..n-1]. Byte (octet) streams are interpreted as words in little-endian order, with the least significant byte first. Consider this sequence of eight hexadecimal bytes: x = 0x01 0x23 0x45 0x67 0x89 0xab 0xcd 0xef When interpreted as a 32-bit word from the beginning memory address, x contains two 32-bit words x[0] and x[1], respectively equal to 0x67452301 and 0xefcdab89 in hexadecimal, or 1732584193 and 4023233417 in decimal. 2.3. Initial Value (IV) The initial value (IV) of BLAKE3 is the same as SHA-256 IV, namely the 8-word IV[0..7]: [RFC6234]. 0x6a09e667 0xbb67ae85 0x3c6ef372 0xa54ff53a 0x510e527f 0x9b05688c 0x1f83d9ab 0x5be0cd19 This IV is set to the initial chaining value of BLAKE3 when no key is used. Otherwise the 256-bit key is set as the initial chaining value. This IV is also used as part of the compression function, where the first four words, IV[0..3] are copied into the 16-word local initial state, at positions v[8..11]. Aumasson, et al. Expires 21 January 2025 [Page 5] Internet-Draft The BLAKE3 Hashing Framework July 2024 2.4. Message Word Permutation BLAKE3 uses a permutation of the 16 indices (0 to 15). This permutation must be following one, where the second line shows the index of the word move to the position indexed on the first line: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 2, 6, 3, 10, 7, 0, 4, 13, 1, 11, 12, 5, 9, 14, 15, 8 For example, after applying the permutation to an array v[0..15] consisting of elements v[0], v[1], ..., v[15], the permuted array shall consist of v[2] at the first position, v[6] at the second position, and so on. 2.5. Compression Function Flags The compression function of BLAKE3 uses a set of flags to control various aspects of its operation. These flags are defined as follows: CHUNK_START (0x01): This flag must set for the first block of each chunk, and only for this block. CHUNK_END (0x02): This flag signals the end of the chunk. It must be set for the compression function of the last block within a chunk, and only for this block. If a chunk contains only one block, that block must set both CHUNK_START and CHUNK_END. PARENT (0x04): In the binary tree structure, this flag must be set on parent nodes (non-chunk nodes), and only for parent nodes. It signals that the node combines the 32-byte outputs of nodes in the tree (chunks of parents). A parent node always processes exactly 64 bytes, that is, the concatenation of two 32-byte output values from a child node. ROOT (0x08): This flag must be set to the final compression in the tree, representing the root, and only for such nodes. The root node may be a parent node, but may also be the last compression of a chunk processing leaf (if there is a single chunk). In this latter case, only the last compression function sets the ROOT flag. In the case of a parent node, there is a single compression function, which sets the ROOT flag. KEYED_HASH (0x10): This flag must be set to all compression functions when using BLAKE3 in the keyed_hash mode, and only in this mode. In this mode, a 256-bit key must be used as initial chaining value instead of IV. Aumasson, et al. Expires 21 January 2025 [Page 6] Internet-Draft The BLAKE3 Hashing Framework July 2024 DERIVE_KEY_CONTEXT (0x20) and DERIVE_KEY_MATERIAL (0x40): These flags are used in BLAKE3's derive_key mode, where the context string is first hashed by a (non-keyed) BLAKE3 instance must set the DERIVE_KEY_CONTEXT to all compression functions; the 32-byte output is then used as the key of a keyed BLAKE3 instance hashing the key material, which must set DERIVE_KEY_MATERIAL (but not DERIVE_KEY_CONTEXT) to all compression functions. If two or more flags are set, then all their respective bits shall appear in the flags compression function input. This combination may be implemented as an XOR or integer addition between the flags. For example, if CHUNK_START and KEYED_HASH are set, then the flags input word will be the 32-bit word 0x00000011, where 0x11 = 0x10 + 0x01 = 0x10 ^ 0x01. 3. Compression Function BLAKE3 uses the compression function when processing chunks, when computing parent nodes within its tree, and when producing output bytes from the root node(s). 3.1. Compression Function Input Values These variables are used in the algorithm description. h[0..7] The hash chaining value, 8 words of 32 bits. m[0..15] The message block processed, 16 words of 32 bits. t[0..1] A 64-bit counter whose lower-order 32-bit word is t[0] and higher-order 32-bit word is t[1]. len 32-bit word encoding the number of application data bytes in the block, at least 1 and at most 64. That is, len is equal to 64 minus the number of padding bytes, which are set to zero (0x00). flags 32-bit word encoding the flags defined for a given compression function call, see Section 2.5. 3.2. Quarter-Round Function G The G function mixes two input words x and y into four words indexed by a, b, c, and d in the working array v[0..15]. The full modified array is returned. Aumasson, et al. Expires 21 January 2025 [Page 7] Internet-Draft The BLAKE3 Hashing Framework July 2024 FUNCTION G( v[0..15], a, b, c, d, x, y ) | | v[a] := (v[a] + v[b] + x) mod 2**32 | v[d] := (v[d] ^ v[a]) >>> 16 | v[c] := (v[c] + v[d]) mod 2**32 | v[b] := (v[b] ^ v[c]) >>> 12 | v[a] := (v[a] + v[b] + y) mod 2**32 | v[d] := (v[d] ^ v[a]) >>> 8 | v[c] := (v[c] + v[d]) mod 2**32 | v[b] := (v[b] ^ v[c]) >>> 7 | | RETURN v[0..15] | END FUNCTION. 3.3. Compression Function Processing BLAKE3's compression function takes as input an 8-word state h, a 16-word message m, a 2-word counter t, a data length word len, and a word flags (as a bit field encoding flags). BLAKE3's compression must do exactly 7 rounds, which are numbered 0 to 6 in the pseudocode below. Each round includes 8 calls to the G function. Aumasson, et al. Expires 21 January 2025 [Page 8] Internet-Draft The BLAKE3 Hashing Framework July 2024 FUNCTION BLAKE3_COMPRESS( h[0..7], m[0..15], t, len, flags ) | | // Initialize local 16-word array v[0..15] | v[0..7] := h[0..7] // First half from state. | v[8..11] := IV[0..3] // Second half from IV. | | v[12] := t[0] // Low word of the counter. | v[13] := t[1] // High word of the counter. | v[14] := len // Application data length. | v[15] := flags // Flags. | | // Cryptographic mixing | FOR i = 0 TO 6 DO // 7 rounds. | | | | v := G( v, 0, 4, 8, 12, m[ 0], m[ 1] ) | | v := G( v, 1, 5, 9, 13, m[ 2], m[ 3] ) | | v := G( v, 2, 6, 10, 14, m[ 4], m[ 5] ) | | v := G( v, 3, 7, 11, 15, m[ 6], m[ 7] ) | | | | v := G( v, 0, 5, 10, 15, m[ 8], m[ 9] ) | | v := G( v, 1, 6, 11, 12, m[10], m[11] ) | | v := G( v, 2, 7, 8, 13, m[12], m[13] ) | | v := G( v, 3, 4, 9, 14, m[15], m[15] ) | | | | PERMUTE(m) // Apply the permutation. | | | END FOR | | // Compute the output state (untruncated) | FOR i = 0 TO 7 DO | | v[i] := v[i] ^ v[i + 8] | | v[i + 8] := v[i + 8] ^ h[i] | END FOR. | | RETURN v | END FUNCTION. When processing chunks or computing parent nodes, the output is always truncated to the first 8 words v[0..7]. When computing the output value, all the 16 words may be used (see Section 4.3). Aumasson, et al. Expires 21 January 2025 [Page 9] Internet-Draft The BLAKE3 Hashing Framework July 2024 4. Tree Mode of Operation The following describes BLAKE3's tree mode of operation, first specifying the processing of input data as chunks in Section 4.1, then describing how the binary hash tree structure is formed for a given number of chunks in Section 4.2. Finally, Section 4.3 describes how BLAKE3 can produce an output of arbitrary length without committing to a length when starting processing data. 4.1. Chunk Processing BLAKE3's chunk processing divides the BLAKE3 input into 1024-byte chunks, which will be leaves of a binary tree. The last chunk will be of less than 1024 bytes if the message byte length is not a multiple of 1024. Chunks are divided into 64-byte blocks. The last block of the last chunk may be shorter, but not empty, unless the entire input is empty. If necessary, the last block is padded with zeros to be 64-byte. Each chunk is processed by iterating the compression function (1024/64 = 16 times for a full 1024-byte chunk) to process 64-byte blocks, each parsed as 16 32-bit little-endian words. The output of each compression function is h[0..7], the 8-word truncated output, which is the input of the next compression function (and the output of the chunk processing for the last compression function call). Compression function input arguments are set as follows: h[0..7] For the first block of a chunk, this is set either to the key, or to the IV if no key is defined. For subsequent block, h is set to the output of the previous block's compression. m[0..15] This is the block processed by the compression function. t[0..1] The counter t for each block is the chunk index, that is, 0 for all blocks in the first chunk, 1 for all blocks in the second chunk, and so on. len The block length is set to 64 for all blocks except the last block of a chunk, where it is the number of data bytes (thus excluding padding zeros.) flag The first block of each chunk sets the CHUNK_START flag (cf. Aumasson, et al. Expires 21 January 2025 [Page 10] Internet-Draft The BLAKE3 Hashing Framework July 2024 Table 3), and the last block of each chunk sets the CHUNK_END flag. If a chunk contains only one block, that block sets both CHUNK_START and CHUNK_END. If a chunk is the root of its tree, the last block of that chunk also sets the ROOT flag. Multiple flags may thus be set. Flags are set as specified in Section 2.5. More than one flag may be set, for example the first compression of the first chunk will have CHUNK_START and KEYED_HASH set. If a chunk is only 64-byte, then its only compression will in addition have the CHUNK_END flag set. 4.2. Binary Tree Processing From the chunk processing of input data, BLAKE3 computes its output following a binary hash tree (a.k.a. Merkle tree) structure. Parent nodes process 64-byte messages that consist of the concatenation of two 32-byte hash values from child nodes (chunk nodes of other parent nodes). Processing such a 64-byte message requires only one call to the compression function. The compression function used by parent nodes thus uses the following arguments: h[0..7] This is set either to the key (in keyed_hash mode), and to the IV otherwise. m[0..15] This is the 64-byte block consisting in the concatenated 32-byte output of the two child nodes. t[0..1] The counter t is set to zero (0). len The block length is set to 64. flag The PARENT flag is set for all parent nodes. If a parent is the root of the tree, then it also sets the ROOT flag (and keeps the PARENT flag). Parent nodes never set CHUNK_START and CHUNK_END. The mode flags (KEYED_HASH, DERIVE_KEY_CONTEXT, DERIVE_KEY_MATERIAL) must be set for a parent node when operating if the respective modes. When the number of chunks is not a power of 2 (that is, when the binary tree is not complete), the tree structure is created according to the following rules: * If there is only one chunk, that chunk is the root node and only node of the tree. Otherwise, the chunks are assembled with parent nodes, each parent node having exactly two children. Aumasson, et al. Expires 21 January 2025 [Page 11] Internet-Draft The BLAKE3 Hashing Framework July 2024 * Left subtrees are full, that is, each left subtree is a complete binary tree, with all its chunks at the same depth, and a number of chunks that is a power of 2. * Left subtrees are big, that is, each left subtree contains a number of chunks greater than or equal to the number of chunks in its sibling right subtree. The implementation of this logic, especially regarding the assignment of a chunk to a position in the tree, is discussed in Section 5. The root of the tree determines the final hash output. By default, the BLAKE3 output is the 32-byte output of the root node (that is, the final values of v[0..7] in the compression function). Output of up to 64 bytes is formed by taking as many bytes as required from the final v[0..15] of the root's compression function. See Section 4.3 for the case of output values larger than 64 bytes. 4.3. Extendable Output BLAKE3, in any of its three modes, can produce outputs of any byte length up to 2**64 - 1. This is done by repeating the root compression with incrementing values of the counter t. The results of these repeated root compressions are then concatenated to form the output. 5. Implementation Considerations Detailed implementation and optimization guidelines are given in Section 5 of [BLAKE3]. This section providers a brief overview of these, as a starting point to implementers, covering the most salient points. 5.1. Incremental Hashing Implementation BLAKE3 may be implemented using an application programming interface (API) allowing for incremental hashing, that is, where the caller provides input data via multiple repeated calls to an "update" function, as opposed to a single call providing all the input data. Such an API typically consists of an "init" function call to initialize an internal context state, followed by a series of "update" function calls, eventually followed by a "finalize" function call that that returns the output. Aumasson, et al. Expires 21 January 2025 [Page 12] Internet-Draft The BLAKE3 Hashing Framework July 2024 To implement incremental hashing, an implementation must maintain an internal state, which must keep track of the state of the current chunk (if any) and of chaining values of the tree in formation. A stack data structure may be used for this purpose, as proposed in Section 5.1 of [BLAKE3]. 5.2. Compression Function Implementation In the compression function, the first four calls to G may be computed in parallel. Likewise, the last four calls to G may be computed in parallel. A parallel implementation of the compression function may leverage single-instruction multiple-date (SIMD) processing, as described in Section 5.3 of [BLAKE3]. The permutation of words may be implemented by pre-computing the indices corresponding to 0, 1, 2, ..., 7 iterations of the permutation, and then applying each of these 7 permutations to the initial message at each of the 7 rounds. These 7 permutations would then be: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 2, 6, 3, 10, 7, 0, 4, 13, 1, 11, 12, 5, 9, 14, 15, 8 3, 4, 10, 12, 13, 2, 7, 14, 6, 5, 9, 0, 11, 15, 8, 1 10, 7, 12, 9, 14, 3, 13, 15, 4, 0, 11, 2, 5, 8, 1, 6 12, 13, 9, 11, 15, 10, 14, 8, 7, 2, 5, 3, 0, 1, 6, 4 9, 14, 11, 5, 8, 12, 15, 1, 13, 3, 0, 10, 2, 6, 4, 7 11, 15, 5, 0, 1, 9, 8, 6, 14, 10, 2, 12, 3, 4, 7, 13 5.3. Multi-Thread Implementation In addition to the potential parallel computing of the compression function internals via SIMD processing, BLAKE3 can benefit from multi-threaded software implementation. Different approaches may be implemented, the performance-optimal one depending on the expected input data length. Section 5.2 in [BLAKE3] provides further guidelines to implementers. 5.4. Extendable Output Implementation Because the repeated root compressions differ only in the value of t, the implementation can execute any number of them in parallel. The caller can also adjust t to seek to any point in the output stream. For example, computing the third 64-byte block of output (that is, the last 64 bytes of a 192-byte output) does not require the computation of the first 128 bytes. Aumasson, et al. Expires 21 January 2025 [Page 13] Internet-Draft The BLAKE3 Hashing Framework July 2024 BLAKE3 does not domain separate outputs of different lengths: shorter outputs are prefixes of longer ones. The caller can extract as much output as needed, without knowing the final length in advance. 6. IANA Considerations This memo includes no request to IANA at the moment, but may in further versions of this I-D. 7. Security Considerations BLAKE3 with an output of at least 32 bytes targets a security level of at least 128 bits for all its security goals. BLAKE3 may be used in any of the modes described in this document to provide cryptographically secure hashing functionality. BLAKE3 must not be used as a password-based hash function or password-based key derivation function, functionalities for which dedicated algorithms must be used, such as Argon2 as defined in [RFC9106]. We refer the reader to [BLAKE3] for detailed cryptographic rationale and security analysis of BLAKE3. 8. Informative References [BLAKE] Aumasson, J-P., Meier, W., Phan, R C-W., and L. Henzen, "The Hash Function BLAKE", October 2008, <https://aumasson.jp/blake/>. [BLAKE2] Aumasson, J-P., Neves, S., Wilcox-O'Hearn, Z., and C. Winnerlein, "BLAKE2: simpler, smaller, fast as MD5", January 2013, <https://www.blake2.net/>. [BLAKE3] O'Connor, J., Aumasson, J-P., Neves, S., and Z. Wilcox- O'Hearn, "BLAKE3", January 2020, <https://github.com/BLAKE3-team/BLAKE3>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, BCP 14, March 1997, <https://www.rfc-editor.org/rfc/rfc2119>. [RFC6234] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011, <https://www.rfc-editor.org/rfc/rfc6234>. [RFC7693] Saarinen, M-J. and J-P. Aumasson, "The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)", RFC 7693, November 2015, <https://www.rfc-editor.org/rfc/rfc7693>. Aumasson, et al. Expires 21 January 2025 [Page 14] Internet-Draft The BLAKE3 Hashing Framework July 2024 [RFC9106] Biryukov, A-B., Dinu, D-D., Khovratovich, D-K., and S-J. Josefsson, "Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications", RFC 9106, September 2021, <https://www.rfc-editor.org/rfc/rfc9106>. Appendix A. Implementation status Reference implementations of BLAKE3 in the C and Rust languages are available online at https://github.com/BLAKE3-team/BLAKE3/. These implementations include parallel implementations leveraging multi- threading and different SIMD processing technologies. At the time of writing, a number of prominent projects have integrated BLAKE3, due to its combination of security, speed, and versatility (see the README on https://github.com/BLAKE3-team/BLAKE3. For the sake of document size, these implementations are not copied into the present document. However, they are expected to remain permanently available, for the foreseeable future. Appendix B. Examples of BLAKE3 Computation We provide execution traces for simple examples of BLAKE3 hashing. More complex tests can be obtained from the reference source code. B.1. Single Chunk in hash Mode In this first example, BLAKE3 in hash mode processes the 4-byte message "IETF", padded with 60 zero bytes to form a 64-byte block. Below we show the execution trace, including compression function input and output values, and showing intermediate values of the 7 compression function rounds. == COMPRESS: CHUNK 1, BLOCK 0 == h: 6a09e667 bb67ae85 3c6ef372 a54ff53a 510e527f 9b05688c 1f83d9ab 5be0cd19 m: 46544549 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 t: 00000000 00000000 4 Aumasson, et al. Expires 21 January 2025 [Page 15] Internet-Draft The BLAKE3 Hashing Framework July 2024 flags: 0b after round 0: d7737c52 a0d29b6a d3b4f608 e20caed2 49091c17 b1abb189 961f03ba c3474f4e a7590324 9c110e95 f77c59cc b47c3370 9c1aed89 b7c28f82 bab6db43 e634ca3e after round 1: 4cce55f2 9cdfa58b 297f68b4 887fd036 4e620c26 321af343 b8e634b0 72737ae9 6f6ecf4a 628788fb df9428c1 a2c42d78 a51ddf7b 6cf97481 72dccb9c 1878acb8 after round 2: 8e99a713 bd202a18 d70c8d18 603ba3ad f411ae76 88ff9580 03db2909 a12e939f 19b81233 69787f12 d2b0c5b7 52034613 21baaea8 84e5fe6d c8c96ae8 422a96d8 after round 3: eeb6ec2a 22f4289a 64900193 d9f751b3 216a610d f5aadf41 ddf5584d ae312167 c8f40fb3 97f06701 6eee4503 4827825d 3c59d243 473585da 90d24798 c5957f9d after round 4: 11876617 4a71dc87 23a5b774 185e51fa a1ed35c0 729a3348 6da19311 9716237c f66bbb71 f303cf35 585dd137 e5c9c363 8b2b32ed 6add0d37 12b87a10 f96fde3e after round 5: 02b010fc 345f4920 ce96e963 018a8afd c0e0faca 651d2baf 0b24a23d d1ffa8fc aa7de2ee d80796c0 ff96b6bd 7cfbf53a 292b8630 8d8e1a78 31c6cb9d b471de23 after round 6: a4839e1a 064b478f bb47c942 3f4a0350 efd0bb79 61167ed0 356b01f5 b40f5364 ba5d3c99 adadb369 9fcea12a f08a4ddf 7ba07e35 9e94d896 e3dfca24 568e0272 compress output: 1edea283 abe6f4e6 24896868 cfc04e8f 9470c54c ff82a646 d6b4cbd1 e2815116 hash value: 83a2de1ee6f4e6ab686889248f4ec0cf4cc5709446a682ffd1cbb4d6165181e2 B.2. Multiple Chunks in keyed_hash Mode In this second example, BLAKE3 in keyed hash mode processes a message composed of two 1024-byte chunks, the first consisting only of 0xaa bytes and the second consisting only of 0xbb bytes. Below we show the execution trace, including compression function input and output values for each compression function: the 16 + 16 = 32 compressions of the two chunks, and the compression of the root parent node. We only show the message block for the first compression of a chunk, as all the subsequent blocks hash the same block value (respectively, Aumasson, et al. Expires 21 January 2025 [Page 16] Internet-Draft The BLAKE3 Hashing Framework July 2024 all 0xaa and all 0xbb for the two chunks). Likewise, we only show the counter value and flags when they changes (the counter is, 0, 1, and 0 respectively for the two chunks and for the root). The len compression function argument is always 64, so we don't show it. Chunks and blocks are numbered from 0. == COMPRESS: CHUNK 0, BLOCK 0 == h: 6a09e667 bb67ae85 3c6ef372 a54ff53a 510e527f 9b05688c 1f83d9ab 5be0cd19 m: aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa t: 00000000 00000000 flags: 01 compress output: db668896 8e557d4d 684294f4 ae36d8ae eaec1efd 5f5fc3ec d8d1abc5 10094488 == COMPRESS: CHUNK 0, BLOCK 1 == h: db668896 8e557d4d 684294f4 ae36d8ae eaec1efd 5f5fc3ec d8d1abc5 10094488 flags: 00 compress output: 68f7c3a8 8aaed76b f0decee2 d1b5993d 9564cba3 85b6c1ee baffea5b 0be671fb == COMPRESS: CHUNK 0, BLOCK 2 == h: 68f7c3a8 8aaed76b f0decee2 d1b5993d 9564cba3 85b6c1ee baffea5b 0be671fb compress output: e79aed24 3ad3caa0 199ce8a2 31155523 f9e84a64 e5bc14a9 9af2e334 9985ca87 == COMPRESS: CHUNK 0, BLOCK 3 == h: Aumasson, et al. Expires 21 January 2025 [Page 17] Internet-Draft The BLAKE3 Hashing Framework July 2024 e79aed24 3ad3caa0 199ce8a2 31155523 f9e84a64 e5bc14a9 9af2e334 9985ca87 compress output: 35e722a9 0872b994 7a05884c 2968d0cd 08e92372 bc87969c d32d20e9 a5eb0ef6 == COMPRESS: CHUNK 0, BLOCK 4 == h: 35e722a9 0872b994 7a05884c 2968d0cd 08e92372 bc87969c d32d20e9 a5eb0ef6 compress output: 0e618a8d 4c17b3a3 bf17a81a fae109b3 435486f5 7854e7ac 4b0e41f3 1b0a773a == COMPRESS: CHUNK 0, BLOCK 5 == h: 0e618a8d 4c17b3a3 bf17a81a fae109b3 435486f5 7854e7ac 4b0e41f3 1b0a773a compress output: 689e8525 38241f4c 93c85386 8b89a303 200d341e cb4e0c76 0e4a9834 4ce07f14 == COMPRESS: CHUNK 0, BLOCK 6 == h: 689e8525 38241f4c 93c85386 8b89a303 200d341e cb4e0c76 0e4a9834 4ce07f14 compress output: ae51c883 e29a64b4 573eb2c4 324a0bb3 458f4c80 312ff7f1 9e194290 65c78a4d == COMPRESS: CHUNK 0, BLOCK 7 == h: ae51c883 e29a64b4 573eb2c4 324a0bb3 458f4c80 312ff7f1 9e194290 65c78a4d compress output: 082b24c1 4c09407c 9b80a3d9 ef173f4b f3f68d34 8afe0066 ed3c5f7e 83cf95d4 == COMPRESS: CHUNK 0, BLOCK 8 == h: 082b24c1 4c09407c 9b80a3d9 ef173f4b f3f68d34 8afe0066 ed3c5f7e 83cf95d4 compress output: fafc4be2 0bb87f3b ca34144b 1103ce02 d6cb4c49 1f20eab9 3593d1cf 3742859e == COMPRESS: CHUNK 0, BLOCK 9 == h: Aumasson, et al. Expires 21 January 2025 [Page 18] Internet-Draft The BLAKE3 Hashing Framework July 2024 fafc4be2 0bb87f3b ca34144b 1103ce02 d6cb4c49 1f20eab9 3593d1cf 3742859e compress output: 51b45ba4 dd1b242a 002689c1 cfcd1997 073e3f21 3fe38ccb c59e4bcc 6c91298d == COMPRESS: CHUNK 0, BLOCK 10 == h: 51b45ba4 dd1b242a 002689c1 cfcd1997 073e3f21 3fe38ccb c59e4bcc 6c91298d compress output: dc832743 8edfe4dc 2434e697 17460dde 6dbf6b54 614f9af3 ca696833 6ee12fcd == COMPRESS: CHUNK 0, BLOCK 11 == h: dc832743 8edfe4dc 2434e697 17460dde 6dbf6b54 614f9af3 ca696833 6ee12fcd compress output: 86bda24a fc967396 ff8cf6db 017c4b90 ff72ef63 1bb302e4 0fe2b9cc 2a4470b7 == COMPRESS: CHUNK 0, BLOCK 12 == h: 86bda24a fc967396 ff8cf6db 017c4b90 ff72ef63 1bb302e4 0fe2b9cc 2a4470b7 compress output: bba75e83 28bac312 8a1565c6 66972f60 95ebb0a3 5ebf7a85 a4de1420 bbccd8ba == COMPRESS: CHUNK 0, BLOCK 13 == h: bba75e83 28bac312 8a1565c6 66972f60 95ebb0a3 5ebf7a85 a4de1420 bbccd8ba compress output: 37df0dd2 5521517f 2374fbfa 3811d80b 68f109d3 abf8cbf6 209efbdc 3432507b == COMPRESS: CHUNK 0, BLOCK 14 == h: 37df0dd2 5521517f 2374fbfa 3811d80b 68f109d3 abf8cbf6 209efbdc 3432507b compress output: 996b6a0c e8dbdaeb da6a97ef 4391c111 12c223ba 3c092120 289dfbaa ed3ac2a5 == COMPRESS: CHUNK 0, BLOCK 15 == h: Aumasson, et al. Expires 21 January 2025 [Page 19] Internet-Draft The BLAKE3 Hashing Framework July 2024 996b6a0c e8dbdaeb da6a97ef 4391c111 12c223ba 3c092120 289dfbaa ed3ac2a5 flags: 02 compress output: c8d63b32 b1d9fecb dbf2dac7 7fba1e91 a71a614b 022d5eb6 43b88567 5fb98dbb == COMPRESS: CHUNK 1, BLOCK 0 == h: 6a09e667 bb67ae85 3c6ef372 a54ff53a 510e527f 9b05688c 1f83d9ab 5be0cd19 m: bbbbbbbb bbbbbbbb bbbbbbbb bbbbbbbb bbbbbbbb bbbbbbbb bbbbbbbb bbbbbbbb bbbbbbbb bbbbbbbb bbbbbbbb bbbbbbbb bbbbbbbb bbbbbbbb bbbbbbbb bbbbbbbb t: 00000000 00000001 flags: 01 compress output: 4643287b d85bed11 5487228d a44a56de 4731717c cc6838ee 197aa105 db612375 == COMPRESS: CHUNK 1, BLOCK 1 == h: 4643287b d85bed11 5487228d a44a56de 4731717c cc6838ee 197aa105 db612375 flags: 00 compress output: e5be3ee8 6b8a6388 c6f1bb2d 96c4422a 69c5e773 08f62b86 8e0ac6ef 60053eb3 == COMPRESS: CHUNK 1, BLOCK 2 == h: e5be3ee8 6b8a6388 c6f1bb2d 96c4422a 69c5e773 08f62b86 8e0ac6ef 60053eb3 compress output: f14e85f1 7e3dd3cd 21821aea 13a60dd9 ed703026 6d162747 f486ce97 3b802292 == COMPRESS: CHUNK 1, BLOCK 3 == Aumasson, et al. Expires 21 January 2025 [Page 20] Internet-Draft The BLAKE3 Hashing Framework July 2024 h: f14e85f1 7e3dd3cd 21821aea 13a60dd9 ed703026 6d162747 f486ce97 3b802292 compress output: 434b8c2f 418e7faa 7161b184 adc28577 2952f240 a88b1cf8 7bec7d73 c051765d == COMPRESS: CHUNK 1, BLOCK 4 == h: 434b8c2f 418e7faa 7161b184 adc28577 2952f240 a88b1cf8 7bec7d73 c051765d compress output: 421facc4 d3e21e47 c3a23dd3 610bd719 ecdb7a26 8c62e787 fe48f954 938aa686 == COMPRESS: CHUNK 1, BLOCK 5 == h: 421facc4 d3e21e47 c3a23dd3 610bd719 ecdb7a26 8c62e787 fe48f954 938aa686 compress output: d6923df3 467f1fd5 0a819a24 abec94ae 9c302aa5 327db5ff 1ba49bc0 165a5863 == COMPRESS: CHUNK 1, BLOCK 6 == h: d6923df3 467f1fd5 0a819a24 abec94ae 9c302aa5 327db5ff 1ba49bc0 165a5863 compress output: f666bec1 6fbbcaea 12a6ebd2 1739df2e 88b9ac50 1ef02104 36bc1314 f7fe8b33 == COMPRESS: CHUNK 1, BLOCK 7 == h: f666bec1 6fbbcaea 12a6ebd2 1739df2e 88b9ac50 1ef02104 36bc1314 f7fe8b33 compress output: 967ea734 133aca4b 5f97ef2c cd0077bc acae43c3 2c84abb0 1105580a 494dc582 == COMPRESS: CHUNK 1, BLOCK 8 == h: 967ea734 133aca4b 5f97ef2c cd0077bc acae43c3 2c84abb0 1105580a 494dc582 compress output: e1785148 4419c2b9 94dd4c1d 77a352d6 1e2a6e08 316cea7d efe58124 eaa512b0 == COMPRESS: CHUNK 1, BLOCK 9 == Aumasson, et al. Expires 21 January 2025 [Page 21] Internet-Draft The BLAKE3 Hashing Framework July 2024 h: e1785148 4419c2b9 94dd4c1d 77a352d6 1e2a6e08 316cea7d efe58124 eaa512b0 compress output: fb402a99 554f18e8 ffabb223 42d1c5c1 ff0241f7 13fb6f1b 23af7e2c 2ce45cb7 == COMPRESS: CHUNK 1, BLOCK 10 == h: fb402a99 554f18e8 ffabb223 42d1c5c1 ff0241f7 13fb6f1b 23af7e2c 2ce45cb7 compress output: c5cbd479 30417e86 e1150c46 2d3ea9be c1b8b0d1 c3968e0a a6d74d02 7571b930 == COMPRESS: CHUNK 1, BLOCK 11 == h: c5cbd479 30417e86 e1150c46 2d3ea9be c1b8b0d1 c3968e0a a6d74d02 7571b930 compress output: 279a13a8 69c61d6f 0a93894c be859817 9f0790fc 4c096ad4 e4398002 df9b93a5 == COMPRESS: CHUNK 1, BLOCK 12 == h: 279a13a8 69c61d6f 0a93894c be859817 9f0790fc 4c096ad4 e4398002 df9b93a5 compress output: a8d114db b86a7942 1e7419c1 6a452196 758a05ca b744e642 93e41248 7cc614e1 == COMPRESS: CHUNK 1, BLOCK 13 == h: a8d114db b86a7942 1e7419c1 6a452196 758a05ca b744e642 93e41248 7cc614e1 compress output: b6e7e6bb 6d3e124f 5dedef9e bde7f593 7a0400d5 50daf53d 49377ad8 dbd6a61f == COMPRESS: CHUNK 1, BLOCK 14 == h: b6e7e6bb 6d3e124f 5dedef9e bde7f593 7a0400d5 50daf53d 49377ad8 dbd6a61f compress output: a40be2e1 a5101d8e 902ad7c3 dbac4a0f a1062d4f dbb1d38a 3ef37b7d 0a46f93e == COMPRESS: CHUNK 1, BLOCK 15 == Aumasson, et al. Expires 21 January 2025 [Page 22] Internet-Draft The BLAKE3 Hashing Framework July 2024 h: a40be2e1 a5101d8e 902ad7c3 dbac4a0f a1062d4f dbb1d38a 3ef37b7d 0a46f93e flags: 02 compress output: 70dc03d8 be50bb38 4a0f7bf3 db9d008b c02b11fb f2ae5f91 4c20d218 5f7db224 == COMPRESS: PARENT == h: 6a09e667 bb67ae85 3c6ef372 a54ff53a 510e527f 9b05688c 1f83d9ab 5be0cd19 m: c8d63b32 b1d9fecb dbf2dac7 7fba1e91 a71a614b 022d5eb6 43b88567 5fb98dbb 70dc03d8 be50bb38 4a0f7bf3 db9d008b c02b11fb f2ae5f91 4c20d218 5f7db224 t: 00000000 00000000 flags: 0c compress output: 38289de7 d3cc5a91 bab01bb2 f8edb576 d7d308dc 5bb60d8d 370f3f71 46c358ec hash value: e79d2838915accd3b21bb0ba76b5edf8dc08d3d78d0db65b713f0f37ec58c346 Authors' Addresses Jean-Philippe Aumasson (editor) Taurus SA Taurus SA Place Ruth Boesiger 6 CH-1201 Geneva Switzerland Email: jeanphilippe.aumasson@gmail.com URI: https://taurushq.com Aumasson, et al. Expires 21 January 2025 [Page 23] Internet-Draft The BLAKE3 Hashing Framework July 2024 Samuel Neves University of Coimbra Polo II Pinhal de Marrocos 3030-290 Coimbra Portugal Email: sneves@dei.uc.pt Jack O'Connor SpaceX 356 167th Ave NE Bellevue WA 98008 United States of America Email: oconnor663@gmail.com URI: https://jacko.io Zooko Wilcox Electric Coin Co 1750 30th St. apt #217 Colorado 80301 United States of America Email: zookog@gmail.com Aumasson, et al. Expires 21 January 2025 [Page 24]