Researchers Announce BLAKE3 Hash Function

Leo Dorrendorf  January 23, 2020

The new BLAKE3 hash function, which was just recently announced, warrants some attention. IoT devices often suffer from slow-down, especially if they hash their entire firmware image as part of Secure Boot, which is a vital security feature. A hash function that's focused on performance, but still provides a full security guarantee, can help avoid that problem.

BLAKE3’s performance is amazing - over 12 times that of SHA-256 based on the authors' benchmarks. Those numbers are based on the Intel architecture, while on ARM the advantage is less pronounced with a speedup factor of around 6.

BLAKE3 benchmarks

The BLAKE family of functions was originally based on ChaCha, which is a stream cipher designed by the renowned cryptographer D.J. Bernstein. ChaCha is somewhat notable because all its code fits in just a bit more than a single page. It's also very efficient on modern hardware. Today, ChaCha and several related functions are widely used on the Internet and deployed in embedded devices, browsers and servers by industry giants like Google and Apple.

BLAKE2 was a candidate for SHA-3 in the NIST hash function competition but lost to Keccak. In fact, no version of BLAKE has so far been recognized by NIST as part of their standards. Although no weaknesses have been discovered in the BLAKE family of functions, it's generally accepted that non-standard functions receive less public scrutiny and fewer research efforts compared to more widely used standard functions. As a result, most device manufacturers (especially those concerned with IoT security certifications) should continue to use SHA-256 for signature verification.

While on smaller messages and objects the performance benefits offered by BLAKE would be negligible, it is recommended for use in functions such as bulk hashing. For example, when computing hashes to verify the signature on a firmware image or an executable, performance might trump security, especially because these flows involve either device or process startup where time can be critical. An important caveat is to never use BLAKE for password hashing. Where password hashes are computed for storage or comparison, slower and heavier hashing functions are actually better, because they increase the effort required to crack passwords. Hashes that were specifically designed for this purpose remain the functions of choice, including PBKDF2 (which is NIST-approved), Argon2 (which consumes lots of memory in addition to CPU), and bcrypt (which is the Linux de-facto standard).
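The password-hashing caveat above, as an added example that is not part of the original post: it stores and verifies a password with PBKDF2-HMAC-SHA256 and measures how many fast-hash evaluations fit into one PBKDF2 check. Assumptions: BLAKE2b from Python's standard library stands in for the BLAKE family (BLAKE3 is not in the standard library), and the iteration count, salt size and record format are illustrative choices.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this example; they do not come from the article.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
SAMPLE = "constructed-sample-password"  # constructed test value


def fast_digest(password: bytes, salt: bytes) -> bytes:
    """Single pass of a fast BLAKE-family hash: the pattern to avoid for passwords."""
    return hashlib.blake2b(password, salt=salt).digest()


def hash_password(password: str) -> str:
    """Return 'iterations$salt_hex$hash_hex' computed with PBKDF2-HMAC-SHA256."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def cost_ratio(rounds: int = 2000) -> float:
    """Time of one PBKDF2 evaluation divided by the time of one fast hash."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(rounds):
        fast_digest(SAMPLE.encode(), salt)
    fast_each = (time.perf_counter() - start) / rounds
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", SAMPLE.encode(), salt, PBKDF2_ITERATIONS)
    slow_each = time.perf_counter() - start
    return slow_each / fast_each


if __name__ == "__main__":
    record = hash_password(SAMPLE)
    print("verified:", verify_password(SAMPLE, record))
    print(f"one PBKDF2 check costs about {cost_ratio():,.0f} fast hashes")
```

The ratio is the per-guess cost the slow function adds for anyone working through a leaked hash database, while a legitimate login pays it only once.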


Leo Dorrendorf

Security Architecture Team Leader

Leo Dorrendorf is a security researcher with experience in academia and industry, covering a diversity of topics from reverse-engineering and breaking to designing and implementing connected systems. Currently part of the Vdoo security team, Leo deals with creating engines for automated threat modeling, binary scanning, and requirement generation, which incorporates a growing number of standards from the world of embedded security.
