blake3

Function derive_key

Source
pub fn derive_key(context: &str, key_material: &[u8]) -> [u8; 32]
Expand description

The key derivation function.

Given cryptographic key material of any length and a context string of any length, this function outputs a 32-byte derived subkey. The context string should be hardcoded, globally unique, and application-specific. A good default format for such strings is "[application] [commit timestamp] [purpose]", e.g., "example.com 2019-12-25 16:18:03 session tokens v1".

Key derivation is important when you want to use the same key in multiple algorithms or use cases. Using the same key with different cryptographic algorithms is generally forbidden, and deriving a separate subkey for each use case protects you from bad interactions. Derived keys also mitigate the damage from one part of your application accidentally leaking its key.

As a rare exception to that general rule, however, it is possible to use derive_key itself with key material that you are already using with another algorithm. You might need to do this if you’re adding features to an existing application, which does not yet use key derivation internally. However, you still must not share key material with algorithms that forbid key reuse entirely, like a one-time pad. For more on this, see sections 6.2 and 7.8 of the BLAKE3 paper.

Note that BLAKE3 is not a password hash, and derive_key should never be used with passwords. Instead, use a dedicated password hash like Argon2. Password hashes are entirely different from generic hash functions, with opposite design requirements.

For an incremental version that accepts multiple writes, see Hasher::new_derive_key, Hasher::update, and Hasher::finalize. These two statements are equivalent:

let key = blake3::derive_key(CONTEXT, b"key material, not a password");

let key: [u8; 32] = blake3::Hasher::new_derive_key(CONTEXT)
    .update(b"key material, not a password")
    .finalize()
    .into();

For output sizes other than 32 bytes, see Hasher::finalize_xof, and OutputReader.

This function is always single-threaded. For multithreading support, see Hasher::update_rayon.