The Boomerang Attacks on BLAKE and BLAKE2

  • Yonglin HaoEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8957)


In this paper, we study the security margins of hash functions BLAKE and BLAKE2 against the boomerang attack. We launch boomerang attacks on all four members of BLAKE and BLAKE2, and compare their complexities. We propose 8.5-round boomerang attacks on both BLAKE-512 and BLAKE2b with complexities \(2^{464}\) and \(2^{474}\) respectively. We also propose 8-round attacks on BLAKE-256 with complexity \(2^{198}\) and 7.5-round attacks on BLAKE2s with complexity \(2^{184}\). We verify the correctness of our analysis by giving practical 6.5-round Type I boomerang quartets for each member of BLAKE and BLAKE2. According to our analysis, some tweaks introduced by BLAKE2 have increased its resistance against boomerang attacks to a certain extent. But on the whole, BLAKE still has higher a secure margin than BLAKE2.


Boomerang Attack Security Margin Hash Function Boomerang Quartet Boomerang Distinguisher 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work has been supported by the National Natural Science Foundation of China (Grant No. 61133013) and by 973 Program (Grant No. 2013CB834205).

Supplementary material


  1. 1.
    Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005) Google Scholar
  2. 2.
    Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005) Google Scholar
  3. 3.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.: The keccak reference. Submission to NIST (Round 3) 13 (2011)Google Scholar
  4. 4.
    Aumasson, J.P., Henzen, L., Meier, W., Phan, R.C.W.: SHA-3 proposal blake. Submission to NIST (2008)Google Scholar
  5. 5.
    Chang, S.j., Perlner, R., Burr, W.E., Turan, M.S., Kelsey, J.M., Paul, S., Bassham, L.E.: Third-round report of the SHA-3 cryptographic hash algorithm competition. Citeseer (2012)Google Scholar
  6. 6.
    Aumasson, J.-P., Neves, S., Wilcox-O’Hearn, Z., Winnerlein, C.: BLAKE2: Simpler, smaller, fast as MD5. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 119–135. Springer, Heidelberg (2013) Google Scholar
  7. 7.
    Aumasson, J.-P., Guo, J., Knellwolf, S., Matusiewicz, K., Meier, W.: Differential and invertibility properties of BLAKE. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 318–332. Springer, Heidelberg (2010) Google Scholar
  8. 8.
    Dunkelman, O., Khovratovich, D.: Iterative differentials, symmetries, and message modification in blake-256. In: ECRYPT2 Hash Workshop, vol. 2011 (2011)Google Scholar
  9. 9.
    Ji, L., Liangyu, X.: Attacks on round-reduced blake. Technical Report, Citeseer (2009)Google Scholar
  10. 10.
    Biryukov, A., Nikolić, I., Roy, A.: Boomerang attacks on BLAKE-32. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 218–237. Springer, Heidelberg (2011) Google Scholar
  11. 11.
    Leurent, G.: Arxtools: A toolkit for arx analysis. In: The Third SHA-3 Candidate Conference (2012)Google Scholar
  12. 12.
    Bai, D., Yu, H., Wang, G., Wang, X.: Improved boomerang attacks on round-reduced sm3 and blake-256 (2013).
  13. 13.
    Guo, J., Karpman, P., Nikolić, I., Wang, L., Wu, S.: Analysis of BLAKE2. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 402–423. Springer, Heidelberg (2014) Google Scholar
  14. 14.
    Wagner, D.: The boomerang attack. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999) Google Scholar
  15. 15.
    Kelsey, J., Kohno, T., Schneier, B.: Amplified boomerang attacks against reduced-round MARS and serpent. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 75–93. Springer, Heidelberg (2001) Google Scholar
  16. 16.
    Biham, E., Dunkelman, O., Keller, N.: The rectangle attack - rectangling the serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 340–357. Springer, Heidelberg (2001) Google Scholar
  17. 17.
    Biham, E., Dunkelman, O., Keller, N.: Related-key boomerang and rectangle attacks. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 507–525. Springer, Heidelberg (2005) Google Scholar
  18. 18.
    Lamberger, M., Mendel, F.: Higher-order differential attack on reduced SHA-256. IACR Cryptology ePrint Archive 2011, 37 (2011)Google Scholar
  19. 19.
    Biryukov, A., Lamberger, M., Mendel, F., Nikolić, I.: Second-order differential collisions for reduced SHA-256. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 270–287. Springer, Heidelberg (2011) Google Scholar
  20. 20.
    Mendel, F., Nad, T.: Boomerang distinguisher for the SIMD-512 compression function. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 255–269. Springer, Heidelberg (2011) Google Scholar
  21. 21.
    Sasaki, Y., Wang, L., Takasaki, Y., Sakiyama, K., Ohta, K.: Boomerang distinguishers for full HAS-160 compression function. In: Hanaoka, G., Yamauchi, T. (eds.) IWSEC 2012. LNCS, vol. 7631, pp. 156–169. Springer, Heidelberg (2012) Google Scholar
  22. 22.
    Sasaki, Y., Wang, L.: Distinguishers beyond three rounds of the RIPEMD-128/-160 compression functions. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 275–292. Springer, Heidelberg (2012) Google Scholar
  23. 23.
    Leurent, G., Roy, A.: Boomerang attacks on hash function using auxiliary differentials. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 215–230. Springer, Heidelberg (2012) Google Scholar
  24. 24.
    Yu, H., Chen, J., Wang, X.: The boomerang attacks on the round-reduced skein-512. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 287–303. Springer, Heidelberg (2013) Google Scholar
  25. 25.
    Kircanski, A., Shen, Y., Wang, G., Youssef, A.M.: Boomerang and slide-rotational analysis of the SM3 hash function. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 304–320. Springer, Heidelberg (2013) Google Scholar
  26. 26.
    Bai, D., Yu, H., Wang, G., Wang, X.: Improved boomerang attacks on SM3. In: Boyd, C., Simpson, L. (eds.) ACISP. LNCS, vol. 7959, pp. 251–266. Springer, Heidelberg (2013) Google Scholar
  27. 27.
    Wagner, D.: A generalized birthday problem. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 288–304. Springer, Heidelberg (2002) Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Department of Computer Science and TechnologyTsinghua UniverstiyBeijingChina

Personalised recommendations