It's faster and stronger — but the US government won't touch it. Here's why, and what it would take to change that.
The bureaucracy
Imagine your school has a rule: you can only play with toys on the Approved Toy List. Even if you have the coolest, safest toy ever made, you can't bring it to school unless it's on the list. The list is made by a special committee (called NIST), and they only add new toys when they decide to — you can't just ask.
When NIST decides to add a new hash function, they hold a big competition. Cryptographers from around the world submit their designs. NIST tests them for years — poking, prodding, trying to break them. The last competition took 8 years from start to finish. And NIST only starts one when they think it's necessary.
They publish a notice saying "we need a new hash function." This only happens when there's a reason — like worries about existing ones.
For SHA-3, 64 designs were submitted from all over the world. Each one gets tested and attacked by other experts.
64 became 14, then 5 finalists, then 1 winner. The whole process took from 2007 to 2015.
NIST publishes it as an official Federal Information Processing Standard. Only then can government systems use it.
The approved list today
Right now, the only FIPS-approved hash functions are SHA-2 (including SHA-256) and SHA-3 (Keccak). That's it. No BLAKE variant has ever been on this list — not BLAKE, not BLAKE2, not BLAKE3.
The politics
When NIST held the SHA-3 competition, BLAKE's parent (called BLAKE, the original) was one of the 5 finalists out of 64 submissions. Experts rated it among the best for both security and speed. Many cryptographers publicly said BLAKE was the stronger overall candidate.
Here's the twist: BLAKE's design is similar to SHA-256 under the hood. They're like cousins. NIST wanted SHA-3 to be a completely different kind of algorithm — so that if someone found a flaw in the SHA-256 family's approach, SHA-3 wouldn't have the same flaw. They picked Keccak, which uses a radically different "sponge" design. BLAKE lost not because it was worse, but because it was too similar to what they already had.
SHA-256 was designed by the NSA (yes, the spy agency) and published by NIST. That's the official record — not a conspiracy theory. SHA-3 was designed by a European team through an open competition. BLAKE3 was designed by independent cryptographers with no government involvement. Some people trust government-designed algorithms less after the NSA was caught hiding a backdoor in a different NIST-approved tool in 2013.
The backdoor scandal
In 2013, leaked documents revealed the NSA had secretly placed a backdoor in a NIST-approved random number generator called Dual_EC_DRBG — and paid RSA Security $10 million to make it the default in their products. NIST withdrew the algorithm, but the damage to trust was done. This is important context for why some experts prefer algorithms designed outside government influence.
The consequences
When a government computer runs in FIPS mode, any software that tries to use BLAKE3 is literally stopped from working. The system won't run it. It's like a bouncer checking your ID against the approved list — if you're not on it, you don't get in. Period.
WireGuard — one of the most popular modern VPN tools — uses BLAKE3 internally. On government systems in FIPS mode, WireGuard simply cannot run. Red Hat's official documentation says: disable FIPS mode to use WireGuard.
The btrfs and OpenZFS filesystems use BLAKE for data integrity. In FIPS mode, these filesystem operations fail. Government systems are stuck with older filesystem technology.
Banks, hospitals, defense contractors, and cloud providers serving federal agencies all need FIPS compliance. If you sell software to the government, you can't use BLAKE3 anywhere in your cryptographic stack.
Using non-approved algorithms can mean lost contracts, failed audits, penalties, and expensive recertification. Companies choose slower, older algorithms specifically to stay compliant.
| Sector | Why they need FIPS |
|---|---|
| Federal agencies | Required by law (FISMA) |
| Defense / DoD | Mandatory for all systems |
| Cloud (FedRAMP) | Required to serve gov clients |
| Healthcare | HIPAA encryption standards |
| Finance | PCI DSS references NIST |
| Gov contractors | Contract requirements |
The future
In 2023, a Linux developer formally asked NIST to consider approving BLAKE, pointing out that FIPS mode breaks real software like WireGuard and modern filesystems. NIST didn't act on it. Their current focus is on post-quantum cryptography — preparing for the day quantum computers can break today's encryption. Hash functions aren't on their radar right now.
In July 2024, the BLAKE3 creators submitted a draft to the IETF (the group that manages internet standards, separate from NIST). But it expired in January 2025 without advancing — and even if it had, an IETF standard doesn't equal FIPS approval. They're different clubs with different membership lists.
The Catch-22
BLAKE3 can't get approved without NIST starting a process. NIST won't start a process unless they see a need. SHA-256 isn't broken. So the fastest, most modern hash function in the world sits outside the approved list — not because anything is wrong with it, but because nothing is wrong enough with what's already there.
Possible, but there's no sign of it. Their plate is full with post-quantum cryptography through at least 2027.
Theoretically, but they've never added an externally-designed algorithm without a formal competition. It would be unprecedented.
Even if NIST started tomorrow: minimum 3-5 years for the standardization process alone. If they held a full competition first, add another 5-8 years.
The takeaway
BLAKE3 is faster, structurally stronger, and free of government influence in its design. But the US government's approval system moves on its own schedule, for its own reasons. Until NIST decides to act — and right now, they have no plans to — BLAKE3 remains the best hash function you're not allowed to use if you work with the federal government.