Score:1

Is BLAKE2X suitable for generating keys with any security in bits even if BLAKE2 has only 256/512 bits?

I can generate a key of any security in bits with any hash function from a random source with enough entropy by using the following scheme:

$$H(00||S) || H(01||S) || H(02||S) || H(03||S) || \cdots$$

where H is the hash, S the seed and 00, 01, 02 the counters.

BLAKE2X hashes are computed as follows:

$$\operatorname{B2}(0,64,H_0)\mathbin\|\operatorname{B2}(1,64,H_0)\mathbin\|\ldots\mathbin\|\operatorname{B2}(\lfloor\ell/64\rfloor,\ell\bmod64,H_0)$$

where $B2(i,j,X)$ is the hash of $X$ with node offset $i$ and digest length $j$.

These two schemes look similar to each other, so I have a question.

Is BLAKE2X suitable for generating keys with more security bits than the internal state of the underlying hash function (BLAKE2) as $H(00||S) || H(01||S) || H(02||S) || H(03||S) || \cdots$ is with any hash function?

PS: I mean any hash function that is not susceptible to length extension attacks.
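An added example (not code from the question or from the BLAKE2 project) that implements both constructions with Python's standard hashlib: the counter scheme H(00||S) || H(01||S) || ... with a fixed-width counter, and a sketch of the BLAKE2Xb expansion using hashlib's `node_offset` and `digest_size` parameters. The sketch follows the shape of the formula above (H_0 = BLAKE2b(seed), then B2(i, 64, H_0) blocks with a truncated last block) but is not a bit-exact BLAKE2X, because the real BLAKE2X parameter block also encodes the XOF length and tree parameters; the function names and the seed values are assumptions made for the example.

```python
import hashlib


def counter_kdf(seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Expand `seed` to `length` bytes as H(0||S) || H(1||S) || H(2||S) || ...

    The counter is encoded as a fixed-width 4-byte big-endian integer so that
    counter||seed inputs for different counters can never be confused with
    each other.  Any hashlib algorithm name works (sha256, sha3_256, blake2b...).
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        h = hashlib.new(hash_name)
        h.update(counter.to_bytes(4, "big") + seed)
        out += h.digest()
        counter += 1
    return bytes(out[:length])


def blake2x_style(seed: bytes, length: int) -> bytes:
    """Sketch of the BLAKE2Xb structure from the question's formula.

    H0 = BLAKE2b(seed), then the output is
        B2(0, 64, H0) || B2(1, 64, H0) || ... || B2(floor(l/64), l mod 64, H0)
    where the node offset i and the digest length j are set through hashlib's
    node_offset/digest_size parameters.  NOT spec-exact BLAKE2X: the real
    parameter block also carries the XOF length and tree parameters (assumption
    for illustration only).
    """
    h0 = hashlib.blake2b(seed).digest()  # 64-byte root hash
    out = bytearray()
    i = 0
    while len(out) < length:
        j = min(64, length - len(out))  # 64 for full blocks, l mod 64 for the last
        out += hashlib.blake2b(h0, digest_size=j, node_offset=i).digest()
        i += 1
    return bytes(out)


if __name__ == "__main__":
    seed = b"constructed example seed, not a real key"
    print("counter KDF :", counter_kdf(seed, 96).hex())
    print("BLAKE2X-like:", blake2x_style(seed, 96).hex())
```

One structural difference worth noticing: the counter construction is prefix-consistent (asking for 200 bytes yields the 100-byte output as its first half), whereas in the BLAKE2 sketch the last block changes with the requested length, because the digest length is part of the BLAKE2 parameter block and therefore changes the whole hash, not just its truncation.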

samuel-lucas6: The [paper](https://www.blake2.net/blake2x.pdf) says BLAKE2X can be used as a KDF up to ~4GiB.

phantomcraft: But the question is: Is this KDF capped to the security of the underlying hash function?

phantomcraft: I didn't have time to study HKDF (to which BLAKE2X is similar) but I got it after reading its IETF paper: https://www.ietf.org/rfc/rfc5869.txt -- I still have doubts if BLAKE2X is suitable to generate keys larger than the BLAKE2 internal state size.

samuel-lucas6: Respectfully, your question was 'Is BLAKE2X suitable for generating keys larger than the internal state of the underlying hash function?' The answer is yes because 4 GiB is larger than the size of the state. This really seems to be about having excessively large keys like your [previous](https://crypto.stackexchange.com/questions/102977/is-the-security-of-output-of-skein-when-using-arbitrary-output-size-similar-to-t) question. However, you don't need '1536-bit security', which you yourself admitted. So, what's the concern?

phantomcraft: Pardon me, I corrected the title and the question.
Score:2

BLAKE2X can be used to generate arbitrary keying material from a suitable, secure input. That is, it can be used securely as a key-derivation function up to 4 GiB of data.

However, the security of such a key derivation function is limited to the entropy of the input and the state size of your BLAKE2 instance. For example, if you have only 32 bits of entropy in your seed, then the security of the construction is only 32 bits. Similarly, BLAKE2Xb cannot provide more than 512 bits of security, and BLAKE2Xs cannot provide more than 256 bits of security, because these are the limitations of their internal state sizes.

Fortunately, though, this isn't a problem because 256 bits of security is expected to be secure for the indefinite future. As long as you choose a seed with an appropriate amount of entropy (e.g., your system CSPRNG or a secure Diffie-Hellman key exchange, whether EC or not), then you don't need to worry.

The practical reason we use a key-derivation function to generate larger outputs is that sometimes we need larger amounts of keying material. For example, TLS and SSH both need encryption keys, nonces, and possibly MAC keys for both directions, which should be uncorrelated and may add up to over 1024 bytes, but the security of the entire connection remains no more than probably 128 or 256 bits (due to the key exchange). Similarly, expanding the seed of a Curve448 key into its two private components requires a substantial amount of output, but not more than 224 bits of security.

Technically, the construction you mention at first doesn't suffer from the limitations of the internal state size like BLAKE2X does. However, as I mentioned, this is only a theoretical consideration because BLAKE2X provides a completely adequate state of security. HKDF, which uses a structurally similar approach (extract and expand), is used in TLS 1.3 and is considered to be robust and secure.

phantomcraft: HKDF is a good option, indeed. SHAKE-256 is a good choice as well. The construction I mentioned is also good, but it's far slower than HKDF/BLAKE2X/SHAKE.