feat: Implement BLAKE2X XOF (Blake2Xb and Blake2Xs) #704
80960a4 to af5b7a5
@newpavlov Happy to add a CHANGELOG line as part of this PR, or remove the b2rs unit tests, or anything else you might think needs adapting.
Hey @newpavlov, are there any blockers for this PR to get reviewed and merged? Can we help in any way?
@LesnyRumcajs needs a rebase
af5b7a5 to fde6114
This commit introduces an implementation of Blake2X, the extensible-output function (XOF) variant of the BLAKE2 hash function.

Blake2X is specified in the official BLAKE2 paper and is designed to produce hash outputs of arbitrary length. It is useful for applications requiring digests longer than the standard BLAKE2 output sizes, such as in certain digital signature schemes (e.g., EdDSA with large curves) or as a Key Derivation Function (KDF).

The implementation provides `Blake2xb` (64-bit) and `Blake2xs` (32-bit) variants, along with their corresponding `XofReader`s. Both are accessible under a new `blake2x` feature flag.

The core logic is consolidated within a `blake2x_impl!` macro to generate the necessary structures and trait implementations for both variants, minimizing code duplication.

The implementation correctly handles the Blake2X tree-hashing mode:
- The initial root hash is computed using a standard BLAKE2 core with the XOF output length encoded in the parameter block.
- Subsequent output blocks are generated by creating and hashing expansion nodes using the root hash as input, as per the specification.

Keyed hashing is supported through `new_with_key` constructors for both `Blake2xb` and `Blake2xs`.

A comprehensive test suite has been added, including:
- Test vectors for both keyed and unkeyed hashing, sourced from new JSON test vector files.
- Comparison tests against the `b2rs` reference implementation to ensure correctness.
- Functional tests for progressive output reads and constructor parameterization.
fde6114 to ead64dd
ead64dd to 4d3debf
Will be great to get this merged! Thanks for the effort here.
Thanks for rebasing. This is a very large PR which makes it difficult to review. Another issue is we'd like to replace the entire BLAKE2 implementation: #228
@tarcieri The splits present in the top of the PR description should make clear most of the PR is test vector files, which are extracted directly from the RFC repo. Specifically the test vector files are the result of running Please let me know if you would like me to programmatically download those test vector files from that repo upon testing, thereby removing them here (it could look like that +172/-6149) — I haven't because considering the contents of Re: implementation replacement, the blake2x implementation in the current form of the PR now uses only the public API of blake2 (this is the point I address in this comment). Consequently, it should survive a switch to some new implementation of blake2 without requiring code changes.
This PR introduces an implementation of Blake2X – inspired from, but greatly extends on #677. This contributes to #1.
This is a complete implementation of the Blake2X extensible-output function (XOF) for both its 64-bit (`Blake2Xb`) and 32-bit (`Blake2Xs`) variants. This new functionality is gated behind the `blake2x` cargo feature flag.

1. Implementation and Design

The implementation follows the design principles of the existing crate, utilizing a macro-driven approach to provide generic logic for both Blake2Xb and Blake2Xs, which minimizes code duplication.

- Core Logic (`macros.rs`): A new macro, `blake2x_impl!`, has been introduced.
- Algorithm (`blake2x.rs`): The implementation follows the two-phase process specified by the Blake2X algorithm:
  - `H₀`) using the underlying `Blake2bVarCore` or `Blake2sVarCore`. Crucially, it incorporates the total desired output length (`xof_len`) into the parameter block during this phase. This ensures that outputs of different lengths are cryptographically distinct, a key security feature of Blake2X.
  - `finalize_xof()` method returns a `Reader` struct. This reader generates the final hash output incrementally. For each block of output requested, it computes a new hash by feeding the root hash `H₀` into the base BLAKE2 function, but with a unique parameter block for each "expansion node" (differentiated by an incrementing `node_offset`). This logic is encapsulated in the `expand_node` helper function.
- Public API: New public-facing structs `Blake2xb`, `Blake2xs`, and their corresponding `Reader` types are exposed.

2. Testing and Validation

The implementation is supported by a comprehensive test suite in `tests/blake2x.rs` that validates correctness through two primary resources: official test vectors and a reference implementation.

- Test Vectors:
  - `tests/data/` directory now includes `blake2xb-kat.json` and `blake2xs-kat.json`. These are the test vectors sourced directly from the BLAKE2 RFC repository.
- Reference Implementation (`b2rs`):
  - `b2rs` crate as a reference implementation. This crate is maintained on GitHub by Jean-Philippe Aumasson (@veorq), one of the original authors of the BLAKE2 algorithm.
  - `b2rs` in two ways:
    - `b2rs`.
    - Internal State Validation: The tests go a step further by using `b2rs` to verify intermediate values of the Blake2X computation, such as the value of the root hash (`H₀`) and the output of the first expansion node. This confirms that our internal parameter block construction and hashing logic are correct, not just the final result. Edit: removed in 4d3debf

All tests, including functional checks for progressive reads and constructor behavior, are passing.
Edit: the last 2 commits of the PR respectively fix a typo-detection CI false positive, and unrelated clippy warnings.
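
The two-phase process in the description above (a root hash that binds `xof_len`, then expansion nodes distinguished by `node_offset`) can be traced with the following added example; it is not code from this PR or from the `blake2` crate. It assumes unkeyed BLAKE2Xs with a known output length and zero salt/personalization, builds on a from-scratch BLAKE2s core so the raw parameter block is visible, and the names `compress`, `blake2s_node` and `blake2xs` are illustrative.

```rust
const IV: [u32; 8] = [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
                      0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19];
const SIGMA: [[usize; 16]; 10] = [
    [0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15], [14,10,4,8,9,15,13,6,1,12,0,2,11,7,5,3],
    [11,8,12,0,5,2,15,13,10,14,3,6,7,1,9,4], [7,9,3,1,13,12,11,14,2,6,5,10,4,0,15,8],
    [9,0,5,7,2,4,10,15,14,1,11,12,6,8,3,13], [2,12,6,10,0,11,8,3,4,13,7,5,15,14,1,9],
    [12,5,1,15,14,13,4,10,0,7,6,3,9,2,8,11], [13,11,7,14,12,1,3,9,5,0,15,4,8,6,2,10],
    [6,15,14,9,11,3,0,8,12,2,13,7,1,4,10,5], [10,2,8,4,7,6,1,5,15,11,9,14,3,12,13,0]];
// BLAKE2s compression function F (RFC 7693): t = bytes absorbed so far, last = final block.
fn compress(h: &mut [u32; 8], block: &[u8], t: u64, last: bool) {
    let m: Vec<u32> = block.chunks(4).map(|c| u32::from_le_bytes([c[0], c[1], c[2], c[3]])).collect();
    let mut v: Vec<u32> = h.iter().chain(IV.iter()).cloned().collect();
    v[12] ^= t as u32;
    v[13] ^= (t >> 32) as u32;
    if last { v[14] = !v[14]; }
    for s in SIGMA.iter() {
        for k in 0..8 { // k < 4 mixes columns, k >= 4 mixes diagonals
            let (a, b, c, d) = (k % 4, 4 + (k + k / 4) % 4, 8 + (k + k / 4 * 2) % 4, 12 + (k + k / 4 * 3) % 4);
            for &(x, r1, r2) in [(m[s[2 * k]], 16u32, 12u32), (m[s[2 * k + 1]], 8, 7)].iter() {
                v[a] = v[a].wrapping_add(v[b]).wrapping_add(x);
                v[d] = (v[d] ^ v[a]).rotate_right(r1);
                v[c] = v[c].wrapping_add(v[d]);
                v[b] = (v[b] ^ v[c]).rotate_right(r2);
            }
        }
    }
    for i in 0..8 { h[i] ^= v[i] ^ v[i + 8]; }
}
// Unkeyed BLAKE2s given the first four little-endian words `p` of the parameter block.
fn blake2s_node(p: [u32; 4], data: &[u8]) -> Vec<u8> {
    let mut h = IV;
    for i in 0..4 { h[i] ^= p[i]; }
    let mut buf = data.to_vec();
    buf.resize(std::cmp::max(1, (data.len() + 63) / 64) * 64, 0); // zero-pad to whole blocks
    for (i, block) in buf.chunks(64).enumerate() {
        compress(&mut h, block, data.len().min(64 * (i + 1)) as u64, i + 1 == buf.len() / 64);
    }
    h.iter().flat_map(|w| w.to_le_bytes().to_vec()).take((p[0] & 0xff) as usize).collect()
}
// Added example (illustrative names): unkeyed BLAKE2Xs for a known output length.
fn blake2xs(msg: &[u8], xof_len: u16) -> Vec<u8> {
    let l = xof_len as u32;
    // p[0] = digest_len | fanout<<16 | depth<<24, p[1] = leaf_len, p[2] = node_offset,
    // p[3] = xof_len | inner_len<<24. Root: sequential BLAKE2s (fanout = depth = 1) plus xof_len.
    let h0 = blake2s_node([32 | 1 << 16 | 1 << 24, 0, 0, l], msg);
    // Expansion node i: fanout = depth = 0, leaf_len = inner_len = 32, node_offset = i.
    let node = |i: u32| blake2s_node([std::cmp::min(32, l - 32 * i), 32, i, l | 32 << 24], &h0);
    (0..(l + 31) / 32).flat_map(node).collect()
}
fn main() { println!("{:02x?}", blake2xs(b"abc", 40)); }
```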