The first Blake version was released around 2008 and was created for a hash function competition. Blake made it to the final round but lost against Keccak witch was chosed to build SHA-3. It is a pretty fast function (faster than md5, SHA-2, SHA-3) on ARM architectures. It is nowadays used by many for exemple Argon2 which won the Password Hashing Competition uses Blake2, RAR file also uses blake2 in some situations.
The first Blake version was released around 2008 and was created for a hash function competition. Blake made it to the final round but lost against Keccak witch was chosed to build SHA-3.
The first version is based on chacha stream cipher, in 2012 a second version, Blake2, was announced. In 2020 Blake3 is in turn announced. One of the strengths of Blake2 is its speed,when run on 64-bit x64 and ARM architectures, BLAKE2b is faster than SHA-3, SHA-2, SHA-1, and MD5. It is also very secured since Blake2 provides security superior to SHA-2 and similar to the security of SHA-3.There are several versions of Blake2(b) providing 224,256,384 or 512
How does it works?
In this part we will focus on the Blake2b operation. In this part we will only give the highlights of Blake2 running, however if you want more details you can check https://eprint.iacr.org/2013/467.pdf . Blake2 uses several rounds, in each round it compress the actual state of the hash (at the beginning the input) with an initialization vector. Blake uses its own compression algorithm which adds some salts in order to counter some attacks (such as length extension). In each compression round there are twelve rounds of mixing calling a mix function as well as some other calculations like xor.
Like each hash function there are no proof that Blake2 is secure, however we have many reasons to think it is today the case. The best knowned attack is a Boomerang attack, reducing the number of security bits for Blake2b from 512bits to 481 bits which is clearly not doable in reality.
Cost of an attack
There are several versions of blake. According to the Blake website the fastest attack found on blake-512 which is a boomrang attack has a complexity of 2^242. For Blake-256 the collision resistance is 128 bits.
On paper blake2b has an output size of 256 bits so its collision security should be 128 bits. However according to Blake2 website with a specific attack the collision security can be reduce to 112bits (which is still very good, its similar to the security of 2048-bit RSA).
How to estimate the cost of an attack?
In order to estimate the cost of a Blake2b attack (to get a collision) we are going to take the numbers of the official Blake2 website. They claim that the most efficient attack can downgrade the blake2b security from 512bits to 481 bits if you are using the 512 bits version. We are going to estimate the costs with the 256 and 512 bits version with this idea. We know that a n bit hash provides n/2 bits of security. So blake2b provide respectively 128 and 256 bits of security or in average 2^128 and 2^256 try to get a collision. So we will calculate the time needed to create as much blake2 hashes and then convert this time in money. In order to be as fast as possible we will not make everything in python. We are going to use rust to creat our blake2 hashes.
With our python script which execute bash command executing a rust script, we need in average 3.7second with a relatively small processor (i5) to generate 1000 random hashes. So we would need
(2^128)/(1000 * 3.7) seconds or approximatly 9.19E34 seconds or 2.55E31 hours or 8E24 years.
Should I use Blake2?
It depends on what you want to do. If you want to hash a password, no you shouldn’t but you shouldn’t use any general purpose hash function (not Md5, SHA1/2/3) to hash a password but specialized ones like Argon2. However for other usage yes you can consider Blake2 as a solid option. It is fast and most secured on many ways than SHA-256 (for exemple you cant not make length extension attack on Blake2).