BLAKE2 — fast secure hashing


The cryptographic hash function BLAKE2 is an improved version of the SHA-3 finalist BLAKE. Like SHA-3, BLAKE2 offers the highest security, yet is fast as MD5 on 64-bit platforms and requires at least 33% less RAM than SHA-2 or SHA-3 on low-end systems. The core algorithm of BLAKE2 is derived from ChaCha, a stream cipher designed by Daniel J. Bernstein that has been proposed as a standard cipher for TLS.

BLAKE2 comes in two flavors: BLAKE2 includes the 4-way parallel BLAKE2bp and 8-way parallel BLAKE2sp designed for increased performance on multicore or SIMD CPUs. BLAKE2 offers these algorithms tuned to your specific requirements, such as keyed hashing (that is, MAC or PRF), hashing with a salt, updatable or incremental tree-hashing, or any combination thereof.

BLAKE2 shines on 64-bit CPUs, with for example BLAKE2 is extremely fast both when hashing a single large file and when hashing many small files. For example, BLAKE2s hashes 64-byte files quicker than SHA-1, MD5, and even MD4.

As the bar plot below illustrates, BLAKE2 outperforms MD5, SHA-1, SHA-2, and SHA-3 on recent Intel CPUs. Note that SHA-3 and BLAKE2 have no known security issues, whereas SHA-1, MD5, and SHA-512 are susceptible to length-extension. SHA-1 and MD5 are vulnerable to collision attacks, which are expensive for SHA-1, but which are cheap and allow chosen-prefixes for MD5.



BLAKE2 was designed by a team of experts in cryptanalysis, implementation, and cryptographic engineering:
BLAKE2 is based on the SHA-3 proposal BLAKE, designed by Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan. BLAKE2, like BLAKE, relies on a core algorithm borrowed from the ChaCha stream cipher, designed by Daniel J. Bernstein.


You may contact us on Twitter if 140 characters are enough and if a public discussion is okay. Otherwise, please email us to [email protected], which forwards to the four designers.

We created a mailing list for BLAKE2 discussions (security, performance, bug reports, etc.): to subscribe, please send an empty message to [email protected].


Non-exhaustive list of systems using BLAKE2:

Third-party software


Test vectors

blake2b, blake2s, blake2bp, blake2sp

Test vectors are also included in BLAKE2's code package.


Q: How can I be sure the BLAKE2 is secure?

A: We have no proof that BLAKE2 is as secure as we claim, but there are good reasons to believe it: BLAKE2 relies on (essentially) the same core algorithm as BLAKE, which has been intensively analyzed since 2008 within the SHA-3 competition, and which was one of the 5 finalists. NIST's final report writes that BLAKE has a "very large security margin", and that the the cryptanalysis performed on it has "a great deal of depth". The best academic attack on BLAKE (and BLAKE2) works on a reduced version with 2.5 rounds, whereas BLAKE2b does 12 rounds, and BLAKE2s does 10 rounds. But even this attack is not practical: it only shows for example that with 2.5 rounds, the preimage security of BLAKE2b is downgraded from 512 bits to 481 bits, or that the collision security of BLAKE2s is downgraded from 128 bits to 112 bits (which is similar to the security of 2048-bit RSA).

Q: Why is BLAKE2 so fast?

A: BLAKE2 is fast in software because it exploits features of modern CPUs, namely instruction-level parallelism, SIMD instruction set extensions, and multiple cores. BLAKE2 also benefits from the optimization work performed during the SHA-3 competition (see for example this paper by two of the designers of BLAKE2).

Q: Why do you want BLAKE2 to be fast? Aren't fast hashes bad?

A: You want your hash function to be fast if you are using it to compute the secure hash of a large amount of data, such as in distributed filesystems (e.g. Tahoe-LAFS), cloud storage systems (e.g. OpenStack Swift), intrusion detection systems (e.g. Samhain), integrity-checking local filesystems (e.g. ZFS), peer-to-peer file-sharing tools (e.g. BitTorrent), or version control systems (e.g. git). You only want your hash function to be slow if you're using it to "stretch" user-supplied passwords, in which case see the next question.

Q: So I shouldn't use BLAKE2 for hashing user passwords?

A: You shouldn't use *any* general-purpose hash function for user passwords, not BLAKE2, and not MD5, SHA-1, SHA-256, or SHA-3. Instead you should use a password-based key derivation function such as PBKDF2 or scrypt with an appropriate number of iterations so as to slow down hashing, which mitigates the risk of bruteforce attacks.

Note that PBKDF2 takes a PRF as parameter, so you may use it in combination with keyed BLAKE2, which is much simpler than using (say) HMAC-SHA-1. Also note that scrypt uses PBKDF2-HMAC-SHA-256, so you may use it with PBKDF2-BLAKE2 instead.

Q: BLAKE2bp gives different results from BLAKE2b. Is that normal?

A: Yes. BLAKE2bp is a different algorithm from BLAKE2b and BLAKE2sp is a different algorithm from BLAKE2s. Each algorithm produces a different hash value.

BLAKE2b and BLAKE2s are designed to be efficient on a single CPU core (BLAKE2b is more efficient on 64-bit CPUs and BLAKE2s is more efficient on 8-bit, 16-bit, or 32-bit CPUs). BLAKE2bp and BLAKE2sp are designed to be efficient on multicore or SIMD chips, by processing the input in parallel. This parallel approach results in different secure hash values from the single-core variants.

More generally, two instances of BLAKE2b or BLAKE2s with two distinct sets of parameters will produce diffent results. For example, BLAKE2b in some tree mode (say, with fanout 2) will produce different results than BLAKE2b in a modified tree mode (say, with fanout 3).

Q: Which should I use? BLAKE2b, BLAKE2s, BLAKE2bp, or BLAKE2sp?

A: A rule of thumb is that on 64-bit platforms the best choice is BLAKE2b, whereas on 32-bit (or smaller) platforms BLAKE2s is recommended. Or, you could try each of the four of them and see which one performs best on your deployment platform. If you do that, please write to us and let us know what you found.

Q: The BLAKE2 documentation only describes differences with the original BLAKE, where can I find a complete specification?

A: The Internet draft includes a complete specification of BLAKE2b and BLAKE2s (though not of the tree mode).

Modified: 2015-06-16