Hashing

Purpose

BLAKE2b is a cryptographic hash function. It takes a message of any size and produces a 128-bit to 512-bit hash.

This hash acts as a fingerprint for the data. Hashes can be used to uniquely identify messages, detect corruption, detect duplicate data, and index data in a hash table.

However, unkeyed hashes do not provide authentication (e.g. for Encrypt-then-MAC). Furthermore, they should be avoided for key derivation. Use the linked APIs instead.

BLAKE2b is NOT suitable for hashing passwords. Use Argon2id instead.

A hash size of at least 256 bits is strongly recommended to obtain collision resistance.

Usage

ComputeHash

Fills a span with a hash computed from a message.

BLAKE2b.ComputeHash(Span<byte> hash, ReadOnlySpan<byte> message)

Exceptions

ArgumentOutOfRangeException

hash has a length less than MinHashSize or greater than MaxHashSize.

CryptographicException

The hash could not be computed.

ComputeHash

Fills a span with a hash computed from a Stream message. This is useful for hashing files.

BLAKE2b.ComputeHash(Span<byte> hash, Stream message)

Exceptions

ArgumentOutOfRangeException

hash has a length less than MinHashSize or greater than MaxHashSize.

ArgumentNullException

message is null.

CryptographicException

The hash could not be computed.

IncrementalBLAKE2b

Provides support for computing a hash from several messages.

using var blake2b = new IncrementalBLAKE2b(int hashSize);
blake2b.Update(ReadOnlySpan<byte> message1);
blake2b.Update(ReadOnlySpan<byte> message2);
blake2b.Finalize(Span<byte> hash);

// Avoid another using statement
blake2b.Reinitialize(int hashSize);
blake2b.Update(ReadOnlySpan<byte> message3);
blake2b.Finalize(Span<byte> hash);

Exceptions

ArgumentOutOfRangeException

hashSize is less than MinHashSize or greater than MaxHashSize.

ArgumentOutOfRangeException

hash has a length not equal to hashSize.

CryptographicException

The hash could not be computed.

InvalidOperationException

Cannot update after finalizing or finalize twice (without reinitializing).

Constants

These are used for validation and/or save you defining your own constants.

public const int HashSize = 32;
public const int MinHashSize = 16;
public const int MaxHashSize = 64;

Notes

Do NOT use ComputeHash() for key derivation. Read the Key derivation page instead.

Do NOT manually truncate a hash. Instead, specify the hash size you want directly. The hash size affects the output, which provides domain separation.

Unlike older hash functions (e.g. MD5, SHA-1, SHA-256, and SHA-512), BLAKE2b is immune to length extension attacks.

The security level of BLAKE2b is 1/2 the output length (e.g. 128-bit security for a 256-bit hash).​

Last updated