Geralt
Message authentication

Purpose

BLAKE2b is a cryptographic hash function and message authentication code (MAC). As a MAC, it takes a message of any size and a 256-bit to 512-bit key and produces a 128-bit to 512-bit tag.
This tag allows you to verify that a message has not been tampered with. A change to the message or the use of a different key will result in a different tag. If verification fails, treat the message as untrusted and throw an error rather than processing it.
A tag size of at least 256 bits is strongly recommended to obtain committing security, which requires collision resistance.
A 256-bit key is recommended regardless of the tag size. Larger keys are unnecessary.

Usage

ComputeTag

Fills a span with a tag computed from a message and a key.
BLAKE2b.ComputeTag(Span<byte> tag, ReadOnlySpan<byte> message, ReadOnlySpan<byte> key)

Exceptions

tag has a length less than MinTagSize or greater than MaxTagSize.
key has a length less than MinKeySize or greater than MaxKeySize.
The tag could not be computed.

VerifyTag

Verifies that a tag is correct in constant time for a given message and key. It returns true if the tag is valid and false otherwise.
BLAKE2b.VerifyTag(ReadOnlySpan<byte> tag, ReadOnlySpan<byte> message, ReadOnlySpan<byte> key)

Exceptions

tag has a length less than MinTagSize or greater than MaxTagSize.
key has a length less than MinKeySize or greater than MaxKeySize.
The tag could not be recomputed.
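The following is an added example of the ComputeTag/VerifyTag pair above; it is not code from the Geralt project or its documentation. It assumes the Geralt NuGet package (namespace Geralt) and C# 11 or later for the `"..."u8` byte-string literals. The sample key and messages are constructed for the demo, and the key is filled from .NET's CSPRNG purely to keep the example self-contained (the Notes section explains why a KDF-derived key is preferred in practice).

```csharp
// Added example for this page; not code from the Geralt project itself.
// Assumes the Geralt NuGet package (namespace Geralt) and C# 11+ for the "..."u8 literals.
using System;
using System.Security.Cryptography;
using Geralt;

public static class TagExample
{
    // 256-bit key and 256-bit tag, as the Purpose section recommends.
    private const int KeySize = 32;
    private const int TagSize = 32;

    // Treat a failed verification as a hard error rather than a boolean to ignore.
    public static void RequireValidTag(ReadOnlySpan<byte> tag, ReadOnlySpan<byte> message, ReadOnlySpan<byte> key)
    {
        if (!BLAKE2b.VerifyTag(tag, message, key))
        {
            throw new CryptographicException("Message authentication failed: the message or key has changed.");
        }
    }

    public static void Run()
    {
        // Constructed sample key. RandomNumberGenerator is .NET's CSPRNG; in production
        // the key would normally come from a KDF so it can be tied to one purpose (see Notes).
        Span<byte> key = stackalloc byte[KeySize];
        RandomNumberGenerator.Fill(key);

        // Constructed sample message.
        ReadOnlySpan<byte> message = "GET /api/v1/transfer?amount=100&to=alice"u8;

        Span<byte> tag = stackalloc byte[TagSize];
        BLAKE2b.ComputeTag(tag, message, key);

        // The genuine message under the right key verifies.
        Console.WriteLine($"Genuine message:  {BLAKE2b.VerifyTag(tag, message, key)}");
        RequireValidTag(tag, message, key);

        // Changing the recipient invalidates the tag.
        ReadOnlySpan<byte> tampered = "GET /api/v1/transfer?amount=100&to=mallory"u8;
        Console.WriteLine($"Tampered message: {BLAKE2b.VerifyTag(tag, tampered, key)}");

        // So does verifying with a different key, even for the unmodified message.
        Span<byte> otherKey = stackalloc byte[KeySize];
        RandomNumberGenerator.Fill(otherKey);
        Console.WriteLine($"Wrong key:        {BLAKE2b.VerifyTag(tag, message, otherKey)}");
    }
}
```

VerifyTag() does the constant-time comparison for you, so there is no reason to call ComputeTag() and compare the bytes yourself; the wrapper above only turns the boolean into an exception so a caller cannot forget to check it.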

IncrementalBLAKE2b

Provides support for computing a tag from several messages and a key.
using var blake2b = new IncrementalBLAKE2b(int hashSize, ReadOnlySpan<byte> key);
blake2b.Update(ReadOnlySpan<byte> message1);
blake2b.Update(ReadOnlySpan<byte> message2);
blake2b.Finalize(Span<byte> hash);
After Finalize() has been called, do NOT call Update() or Finalize() again.
This class can also be used for unkeyed hashing, so make sure you specify a key when you want a MAC.

Exceptions

hashSize is less than BLAKE2b.MinHashSize or greater than BLAKE2b.MaxHashSize.
key has a length less than BLAKE2b.MinKeySize or greater than BLAKE2b.MaxKeySize.
hash has a length not equal to hashSize.
The tag could not be computed.
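The following is an added example of IncrementalBLAKE2b used for an Encrypt-then-MAC tag over several fields (nonce, associated data, ciphertext); it is not code from the Geralt project or its documentation. It assumes the Geralt NuGet package (namespace Geralt) and C# 11 or later for the `"..."u8` literals. Each field is length-prefixed before being fed to Update() so that shifting bytes across a field boundary changes the tag, which is the canonicalization concern raised in the Notes. The ciphertext is a constructed placeholder, since this page covers only the MAC step, and verification recomputes the tag and compares it with CryptographicOperations.FixedTimeEquals from System.Security.Cryptography because the incremental API shown here has no verify method.

```csharp
// Added example for this page; not code from the Geralt project itself.
// Assumes the Geralt NuGet package (namespace Geralt) and C# 11+ for the "..."u8 literals.
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;
using Geralt;

public static class FramedTagExample
{
    private const int KeySize = 32;
    private const int TagSize = 32;

    // Feed one variable-length field as a 4-byte big-endian length followed by its bytes.
    // Without the length prefix, ("user=alic", "eXYZ") and ("user=alice", "XYZ") would hash identically.
    private static void UpdateField(IncrementalBLAKE2b blake2b, ReadOnlySpan<byte> field)
    {
        Span<byte> length = stackalloc byte[sizeof(uint)];
        BinaryPrimitives.WriteUInt32BigEndian(length, checked((uint)field.Length));
        blake2b.Update(length);
        blake2b.Update(field);
    }

    // Encrypt-then-MAC tag over nonce, associated data and ciphertext, each length-framed.
    // The ciphertext is whatever the cipher produced; this example does not perform the encryption.
    public static byte[] ComputeTag(ReadOnlySpan<byte> key, ReadOnlySpan<byte> nonce,
                                    ReadOnlySpan<byte> associatedData, ReadOnlySpan<byte> ciphertext)
    {
        using var blake2b = new IncrementalBLAKE2b(TagSize, key);
        UpdateField(blake2b, nonce);
        UpdateField(blake2b, associatedData);
        UpdateField(blake2b, ciphertext);
        var tag = new byte[TagSize];
        blake2b.Finalize(tag); // no further Update()/Finalize() on this instance
        return tag;
    }

    // Recompute the tag and compare in constant time.
    public static bool VerifyTag(ReadOnlySpan<byte> tag, ReadOnlySpan<byte> key, ReadOnlySpan<byte> nonce,
                                 ReadOnlySpan<byte> associatedData, ReadOnlySpan<byte> ciphertext)
    {
        byte[] expected = ComputeTag(key, nonce, associatedData, ciphertext);
        return CryptographicOperations.FixedTimeEquals(tag, expected);
    }

    public static void Run()
    {
        // Constructed sample inputs: a random key, a random 192-bit nonce and a made-up ciphertext.
        Span<byte> key = stackalloc byte[KeySize];
        RandomNumberGenerator.Fill(key);
        Span<byte> nonce = stackalloc byte[24];
        RandomNumberGenerator.Fill(nonce);
        ReadOnlySpan<byte> ciphertext = new byte[] { 0xde, 0xad, 0xbe, 0xef, 0x42 };

        byte[] tag = ComputeTag(key, nonce, "user=alice"u8, ciphertext);
        Console.WriteLine($"Genuine:          {VerifyTag(tag, key, nonce, "user=alice"u8, ciphertext)}");

        // Substituting a different nonce is caught because the nonce is part of the MAC input.
        Span<byte> otherNonce = stackalloc byte[24];
        RandomNumberGenerator.Fill(otherNonce);
        Console.WriteLine($"Swapped nonce:    {VerifyTag(tag, key, otherNonce, "user=alice"u8, ciphertext)}");

        // Moving one byte from the associated data into the ciphertext keeps the raw
        // concatenation identical, but the length prefixes differ, so the tag does not verify.
        byte[] shifted = new byte[1 + ciphertext.Length];
        shifted[0] = (byte)'e';
        ciphertext.CopyTo(shifted.AsSpan(1));
        Console.WriteLine($"Shifted boundary: {VerifyTag(tag, key, nonce, "user=alic"u8, shifted)}");
    }
}
```

Feeding the fields through separate Update() calls is equivalent to hashing their concatenation, which is exactly why the framing is needed: the MAC sees a single byte stream and has no notion of where one field ends and the next begins unless the encoding tells it.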

BLAKE2bHashAlgorithm

Returns a byte array tag for a Stream message and a key.
using var blake2b = new BLAKE2bHashAlgorithm(int hashSize, ReadOnlySpan<byte> key);
byte[] tag = blake2b.ComputeHash(Stream message);
This class can also be used for unkeyed hashing, so make sure you specify a key when you want a MAC.

Exceptions

hashSize is less than BLAKE2b.MinHashSize or greater than BLAKE2b.MaxHashSize.
key has a length less than BLAKE2b.MinKeySize or greater than BLAKE2b.MaxKeySize.
The tag could not be computed.

Notes

Tags MUST be compared in constant time to avoid leaking information, so use the VerifyTag() function.
With Encrypt-then-MAC, you MUST include the nonce in the message when computing the tag.
If you intend to feed multiple variable-length inputs into the message, beware of canonicalization attacks. Please read the Concat page for more information.
The key MUST be uniformly random, so never use a password or other low-entropy value directly as the key. Prefer deriving it from high-entropy input keying material with a KDF, which also lets you bind the key to a single purpose, over generating a standalone random key.
Do NOT use the same key for multiple purposes (e.g. encryption and authentication). You should derive separate keys using the same input keying material and personalisation but different salts and/or info.
The same key can be reused for multiple messages, but it is good practice to derive a unique key each time.
The security level of BLAKE2b against a generic attack on hash-based MACs is 1/2 the output length (e.g. 128-bit security for a 256-bit tag). However, the security level is equal to the output length for typical attacks against MACs (e.g. 256-bit security for a 256-bit tag). Both types of attacks are completely impractical.