Fix carry handling in the g function in blake.ts

[thogiti]

Incorrect Carry Handling in the g Function

The g function in Implementation in blake.ts uses ~~(lo / 0x0100000000) to compute the carry from the lower 32 bits of a 64-bit word.

Since lo can be up to 0x2FFFFFFFC (i.e., approximately 3 times 0x0100000000), the carry can erroneously be 2 or 3.

Impact

• Functional Integrity: Incorrect carry values can corrupt the internal state, leading to wrong hash outputs.
• Security Risks: The integrity of the hash function is compromised, potentially allowing for hash collisions or predictable outputs, which undermines the cryptographic strength of Blake2-512.

Recommendation

• Modify the carry calculation to ensure that only a single carry bit (0 or 1) is propagated. For example:

const carry = lo >= 0x100000000 ? 1 : 0;
v[a * 2] = (v[a * 2] + ((m[sigma[i][e] * 2] ^ u512[sigma[i][e + 1] * 2]) >>> 0) + v[b * 2] + carry) >>> 0;

• Alternatively, use BigInt for precise 64-bit arithmetic operations as in the original Blake implementation in the npm repo, which TypeScript supports, to handle carries correctly without manual intervention.

[cedoor]

A better solution for this issue might be to use the original Blake implementation directly, wrapping it with a TS class.

[hannahredler]

Hey, if you need someone to work on this I would be happy to do so and replace the custom implementation with a wrapper over this implementation