Attack surface — SHA-256 vs BLAKE3

What known cryptanalytic attacks exist against each algorithm, what margin remains, and what construction-level safety properties each algorithm exposes (or doesn't).

Source: compare-attack-surface.md Type: structural / data-only

1. Cryptanalysis status (full algorithm)

Attack                       | SHA-256                                                                                              | BLAKE3
-----------------------------|------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------
Collision (full rounds)      | none known; generic bound 2^128                                                                      | none known; generic bound 2^128
Preimage (full rounds)       | none known; generic bound 2^256                                                                      | none known; generic bound 2^256
Length extension             | trivial: the digest is the final chaining state, so H(m || pad || x) follows from H(m) and len(m)     | immune by design: the digest is the output of a ROOT-flagged compression that is never reused as a chaining value
Multi-collision (Joux 2004)  | applies: a 2^k-way multicollision costs about k x 2^128 (256-bit chaining value)                     | applies too: chunk and parent chaining values are also 256 bits, so the same k x 2^128 bound holds; tree mode does not change it
Multi-target preimage        | amortisable when unkeyed: one preimage among T targets costs about 2^256 / T                         | same bound when unkeyed; keyed mode (key replaces the IV) stops batching across keys, as HMAC does for SHA-256

Neither the multi-collision nor the multi-target row brings either algorithm below its 2^128 / 2^256 targets; those rows describe what a protocol built on the hash must assume, not a break.

2. Round-reduced cryptanalysis

Property                   | SHA-256                                                                                                       | BLAKE3
---------------------------|---------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------
Compression rounds         | 64 steps                                                                                                      | 7 rounds (BLAKE2s round function with a fixed message permutation); BLAKE2s itself has 10
Best collision             | 31/64 steps at about 2^65.5, plus a 38-step semi-free-start collision (Mendel, Nad, Schläffer 2013)            | 7/10 rounds of BLAKE2s at above 2^160, i.e. above the 2^128 generic bound, so a reduced-round weakness indicator rather than a break (inherited BLAKE2s result)
Best preimage              | 52/64 steps as a pseudo-preimage on the compression function, 45 steps on the hash, both around 2^255 (bicliques) | 2.5/7 rounds (inherited BLAKE2s result)
Rounds reached / total     | 31/64 ≈ 48% (collision), 52/64 ≈ 81% (compression-function preimage)                                          | 2.5/7 ≈ 36% (preimage); the 7-round BLAKE2s collision result reaches all 7 BLAKE3 rounds, but only at cost above the target

BLAKE3 keeps 7 rounds where BLAKE2s keeps 10, so its round count sits at the edge of the reduced-round results on BLAKE2s in the table rather than comfortably past them; that is a deliberate trade for speed. The designers' argument is that the results reaching 7 rounds cost more than the generic 2^128 collision bound, and that the security targets (128-bit collision, 256-bit preimage) remain far from any attack that beats generic search.

3. Construction-level safety

Property                                             | SHA-256 (Merkle-Damgård)                                        | BLAKE3 (Bao tree)
-----------------------------------------------------|-----------------------------------------------------------------|------------------------------------------------------------------------------------------------
Length-extension resistant by default                | NO                                                              | YES (ROOT flag on the final compression; the digest is never a chaining value)
Multi-target resistant without an outer construction | NO (needs HMAC)                                                 | YES (keyed mode: the key replaces the IV)
Domain-separated keyed mode                          | NO (needs HMAC)                                                 | YES (keyed_hash, KEYED_HASH flag: keyed_hash(k, m) != hash(k || m))
Domain-separated KDF mode                            | NO (needs HKDF)                                                 | YES (derive_key: context string under DERIVE_KEY_CONTEXT, then material under DERIVE_KEY_MATERIAL)
Tree-hashable for parallelism                        | NO (strictly sequential chaining)                               | YES (1 KiB chunks combined in a binary tree of PARENT nodes)
Designed for SIMD                                    | NO (multi-buffer SIMD and SHA extensions were added after the fact) | YES (many chunks compressed in parallel across vector lanes)
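
The construction-level rows become concrete in a minimal single-chunk BLAKE3. This is an added example, not the BLAKE3 project's code: constants, flags and the round function follow the BLAKE3 specification, the multi-chunk tree is left out (inputs are limited to one 1 KiB chunk), and all keys, messages and context strings are constructed. It shows what the ROOT flag does to length extension, and how the KEYED_HASH and DERIVE_KEY flags separate the three modes in the table.

```python
"""Single-chunk BLAKE3 (inputs of at most 1024 bytes), to show where the
construction-level properties come from.

Added example, not code from the BLAKE3 project. Constants, flags and the round
function follow the BLAKE3 spec; PARENT nodes (multi-chunk tree) are omitted;
keys, messages and context strings are constructed sample values.
"""
import struct

MASK = 0xFFFFFFFF
IV = (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
      0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19)
MSG_PERMUTATION = (2, 6, 3, 10, 7, 0, 4, 13, 1, 11, 12, 5, 9, 14, 15, 8)
# Domain-separation flags: every compression call is told what it is for.
CHUNK_START, CHUNK_END, PARENT, ROOT = 1, 2, 4, 8
KEYED_HASH, DERIVE_KEY_CONTEXT, DERIVE_KEY_MATERIAL = 16, 32, 64


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def g(s, a, b, c, d, mx, my):
    """BLAKE2s quarter-round on state words a, b, c, d with message words mx, my."""
    s[a] = (s[a] + s[b] + mx) & MASK; s[d] = rotr(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK;      s[b] = rotr(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b] + my) & MASK; s[d] = rotr(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK;      s[b] = rotr(s[b] ^ s[c], 7)


def compress(cv, block, counter, block_len, flags):
    """7-round BLAKE3 compression. Returns 16 words; words 0..7 are the chaining value,
    all 16 are consumed only by a ROOT-flagged call (extendable output)."""
    m = list(struct.unpack("<16I", block.ljust(64, b"\0")))
    s = list(cv) + list(IV[:4]) + [counter & MASK, (counter >> 32) & MASK, block_len, flags]
    for r in range(7):
        g(s, 0, 4, 8, 12, m[0], m[1]);   g(s, 1, 5, 9, 13, m[2], m[3])      # columns
        g(s, 2, 6, 10, 14, m[4], m[5]);  g(s, 3, 7, 11, 15, m[6], m[7])
        g(s, 0, 5, 10, 15, m[8], m[9]);  g(s, 1, 6, 11, 12, m[10], m[11])   # diagonals
        g(s, 2, 7, 8, 13, m[12], m[13]); g(s, 3, 4, 9, 14, m[14], m[15])
        if r < 6:
            m = [m[i] for i in MSG_PERMUTATION]
    return [s[i] ^ s[i + 8] for i in range(8)] + [s[i + 8] ^ cv[i] for i in range(8)]


def _blocks(data):
    if len(data) > 1024:
        raise ValueError("single-chunk demo: input must be at most 1024 bytes")
    return [data[i:i + 64] for i in range(0, len(data), 64)] or [b""]


def blake3_32(data, key_words=IV, flags=0):
    """32-byte digest of one chunk. Intermediate blocks chain through the truncated
    8-word output; the last block is compressed with CHUNK_END | ROOT and that output
    is the digest, so the digest itself never serves as a chaining value."""
    blocks, cv = _blocks(data), list(key_words)
    for i, blk in enumerate(blocks):
        f = flags | (CHUNK_START if i == 0 else 0)
        if i == len(blocks) - 1:
            return struct.pack("<8I", *compress(cv, blk, 0, len(blk), f | CHUNK_END | ROOT)[:8])
        cv = compress(cv, blk, 0, len(blk), f)[:8]


def blake3_hash(data):
    return blake3_32(data)


def keyed_hash(key, data):
    """Keyed mode: the 32-byte key replaces the IV and KEYED_HASH marks every compression."""
    if len(key) != 32:
        raise ValueError("BLAKE3 keys are exactly 32 bytes")
    return blake3_32(data, struct.unpack("<8I", key), KEYED_HASH)


def derive_key(context, material):
    """KDF mode: hash the context string under DERIVE_KEY_CONTEXT, then use that as the
    key for the material under DERIVE_KEY_MATERIAL. The flags keep it apart from the other modes."""
    ctx_key = blake3_32(context.encode(), IV, DERIVE_KEY_CONTEXT)
    return blake3_32(material, struct.unpack("<8I", ctx_key), DERIVE_KEY_MATERIAL)


def extension_attempt(digest, ext):
    """The SHA-256 trick transplanted: treat the digest as a chaining value and absorb more.
    It cannot work: the value the real next block chains from is the non-ROOT, non-CHUNK_END
    output of the previous block, which the digest never reveals."""
    cv = list(struct.unpack("<8I", digest))
    return struct.pack("<8I", *compress(cv, ext, 0, len(ext), CHUNK_END | ROOT)[:8])


def demo(key=b"\x11" * 32, msg=b"A" * 64, ext=b"&role=admin"):
    """Constructed sample: a 64-byte (one-block) message and an attacker-chosen suffix."""
    digest = blake3_hash(msg)
    hidden_cv = compress(list(IV), msg, 0, 64, CHUNK_START)[:8]   # what block 2 really chains from
    honest = struct.pack("<8I", *compress(hidden_cv, ext, 0, len(ext), CHUNK_END | ROOT)[:8])
    return {
        "honest_equals_hash": honest == blake3_hash(msg + ext),       # True: this is how BLAKE3 chains
        "digest_leaks_cv": struct.pack("<8I", *hidden_cv) == digest,  # False: flags differ
        "forgery_matches": extension_attempt(digest, ext) == blake3_hash(msg + ext),  # False
        "keyed_equals_prefix": keyed_hash(key, msg) == blake3_hash(key + msg),        # False
        "kdf_context_separates": derive_key("app v1 token key", key) != derive_key("app v2 token key", key),
    }
```

blake3_hash(b"") reproduces the specification's empty-input vector, which checks the round function; demo() then walks the chain of facts behind the table: the digest is the output of a ROOT | CHUNK_END compression, the value a following block would chain from is a different, truncated, unflagged output, and an attacker holding only the digest therefore has nothing to extend. keyed_hash(k, m) differs from hash(k || m) and derive_key with two contexts yields two unrelated keys because the flags enter every compression, which is what "built-in keyed mode" and "built-in KDF" in the table mean.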

4. CVE history

  • SHA-256 the algorithm: zero CVEs.
  • SHA-256 implementations: implementation CVEs in OpenSSL / NSS / nettle exist but are buffer-handling bugs, not algorithm flaws.
  • BLAKE3 the algorithm: zero CVEs.
  • BLAKE3 implementations: CVE-2023-28447 in the official Rust crate, a buffer-handling bug in the AVX-512 SIMD path, fixed in v1.4.1; it was caught by static analysis and no exploit was reported in the wild. Cross-check the identifier against the RustSec advisory database entry for the blake3 crate before citing it.

5. Quantum considerations

  • Both algorithms sit at the same Grover bound: 256-bit preimage resistance drops to about 2^128 quantum evaluations, for SHA-256 and BLAKE3 alike.
  • Quantum collision search needs at least 2^(n/3) queries (Aaronson-Shi lower bound), which BHT attains at about 2^85 for n = 256 but only with about 2^85 quantum-accessible memory; the low-memory algorithm of Chailloux, Naya-Plasencia and Schrottenloher (2017) runs in about 2^(2n/5) ≈ 2^102. The 2^128 classical / 2^85 quantum collision target is well above any practical concern for either algorithm.
  • Neither algorithm is affected by Shor's algorithm, which speeds up factoring and discrete logarithms, not hash inversion or collision search.

6. Side channels

  • Both algorithms are constant-time in standard implementations: the round functions are fixed-width add, rotate and xor over message and state, with no secret-dependent branches or table lookups (no S-boxes), so timing carries no information about the input.
  • SHA-256 has been deployed for two decades with no published timing or power side-channel attack on a standard software implementation. Power or EM leakage of a key in HMAC-SHA-256 on embedded hardware is a property of the implementation and platform, not of the algorithm, and the same caveat applies to BLAKE3 keyed mode.
  • BLAKE3 is similar: the reference C library is straight-line code and the SIMD implementations are constant-time for the same reasons. The Rust crate has had one buffer-handling CVE (above) and no side-channel CVE.

7. Bottom line

Both algorithms are unbroken at the full-round level. The argument for BLAKE3 over SHA-256 is not about rounds: "BLAKE3 has fewer rounds" is true, "and is therefore weaker" does not follow, because the round count was chosen against the reduced-round results above rather than inherited. The argument is construction-level safety: BLAKE3 exposes fewer misuse footguns (no length extension, built-in keyed mode, built-in KDF, built-in tree parallelism), and that is the property that matters when designing protocol layers on top of the hash.

8. Sources

IACR cryptodb SHA-2 entries, BLAKE3 paper (O'Connor et al. 2020), BLAKE2 cryptanalysis (Khovratovich, Nikolic 2012), NIST SHA-3 selection rationale, CVE-2023-28447. Full citations in compare-attack-surface.md.