The Boomerang Attacks on BLAKE and BLAKE2

Abstract

In this paper, we study the security margins of hash functions BLAKE and BLAKE2 against the boomerang attack. We launch boomerang attacks on all four members of BLAKE and BLAKE2, and compare their complexities. We propose 8.5-round boomerang attacks on both BLAKE-512 and BLAKE2b with complexities \(2^{464}\) and \(2^{474}\) respectively. We also propose 8-round attacks on BLAKE-256 with complexity \(2^{198}\) and 7.5-round attacks on BLAKE2s with complexity \(2^{184}\). We verify the correctness of our analysis by giving practical 6.5-round Type I boomerang quartets for each member of BLAKE and BLAKE2. According to our analysis, some tweaks introduced by BLAKE2 have increased its resistance against boomerang attacks to a certain extent. But on the whole, BLAKE still has higher a secure margin than BLAKE2.

Appendices

A The Bottom and Top Differential Characteristics for BLAKE and BLAKE2

Table 4. The bottom characteristic for BLAKE-512. \(\varDelta ^b m_{11}=(63)\).

Table 5. The bottom characteristic for BLAKE2b. \(\varDelta ^b m_{11}=(63)\).

Table 6. The bottom characteristic for BLAKE-256. \(\varDelta ^b m_{11}=(31)\).

Table 7. The bottom characteristic for BLAKE2s. \(\varDelta ^b m_{11}=(31)\).

Table 8. The top characteristic for BLAKE-512. Message difference is \(\varDelta ^t m_{5}=(y)\) where \(y\in \mathbb {X}_{512}\)

Table 9. The top characteristic for BLAKE2b. Message difference is \(\varDelta ^t m_{5}=(y)\) where \(y\in \mathbb {X}_{2b}\)

Table 10. The top characteristic for BLAKE-256. Message difference is \(\varDelta ^t m_{5}=(y)\) where \(y\in \mathbb {X}_{256}\).

Table 11. The top characteristic for BLAKE2s. Message difference is \(\varDelta ^t m_{5}=(y)\) where \(y\in \mathbb {X}_{2s}\).

B 6.5-Round Examples for BLAKE and BLAKE2

The main difference between BLAKE-256 and BLAKE2s (BLAKE-512 and BLAKE2b) is at \(\varDelta ^t v^{3.5}_1\), where \(\varDelta ^t v^{3.5}_{1}=(29)\) for BLAKE-2s (\(\varDelta ^t v^{3.5}_{1}=(10)\) for BLAKE-2b) and \(\phi \) for BLAKE-256 (BLAKE-512). We specifically emphasize this part with bold dark format.

Table 12. Example for 6.5-round BLAKE-256 with \(y=28\in \mathbb {X}_{256}\bigcap \mathbb {X}_{2s}\).

Table 13. Example for 6.5-round BLAKE2s with \(y=28\in \mathbb {X}_{256}\bigcap \mathbb {X}_{2s}\).

Table 14. Example for 6.5-round BLAKE-512 with \(y=9\in \mathbb {X}_{512}\bigcap \mathbb {X}_{2b}\).

Table 15. Example for 6.5-round BLAKE2b with \(y=9\in \mathbb {X}_{512}\bigcap \mathbb {X}_{2b}\).