top | item 46049992

(no title)

robobully | 3 months ago

> trading a conservative security margin for speed

That's what precisely happened to BLAKE with BLAKE2/3, isn't it?

discuss

scatbot|3 months ago

Not really. BLAKE3 isn’t a reduced-round tweak of BLAKE2 like K12 is for Keccak. It's a different construction that still meets its full security target. K12 and TurboSHAKE on the other hand are literally the same permutation with fewer rounds, which actually reduces Keccak's security margin. The situations are not really comparable.

oconnor663|3 months ago

BLAKE3 does reduce the round count relative to BLAKE2, and the underlying compression functions are similar enough that it is an apples-to-apples comparison. Our rationale for doing that was described in https://eprint.iacr.org/2019/1492.pdf, which also argued that Keccak could reduce their round count even farther than they did.

robobully|3 months ago

> BLAKE3 isn’t a reduced-round tweak of BLAKE2 <...> It's a different construction

My initial argument was meant to highlight the difference between BLAKE and its successors. However, I have no idea what you back your statements with, BLAKE3 in fact _is_ BLAKE2s with reduced round + tree-based structure on top of it. The authors even directly mention it in the spec.

> K12 and TurboSHAKE on the other hand are literally the same permutation with fewer rounds

It's true for TurboSHAKE, but as for K12, it builds a tree-based structure on top of TurboSHAKE by the virtue of Sakura encoding (similar to what Bao encoding is used for in BLAKE3).

IANAC, so I won't make any claims about cryptographical strengths of the functions.