BLAKE2 is one of the most popular hash functions today, it’s more secure than the legacy standard SHA-2, and it’s faster than the newer standard SHA-3. BLAKE2 is also used in the latest cryptocurrency Zcash, in the Argon2 password hashing scheme, and is available in popular libraries such as OpenSSL of libsodium.
But BLAKE2 didn’t cut it for certain applications, because it can only hash values of at most 512 bits. For example, Ed521 signatures need a 1056-bit hash; RSA-FDH needs a 4096-bit hash when using a 4096-bit modulus. Because of this limitation, and based on user demand, we present BLAKE2X, a family of extensible-output functions (XOFs) based on BLAKE2 instances. BLAKE2X can securely produce hash values of arbitrary size.
We designed BLAKE2X to minimize the changes from an existing BLAKE2 implementation. BLAKE2X only needs to change the value of certain parameters in BLAKE2’s parameter block, and the implementation of a simple counter-like logic. As a by-product, BLAKE2X provides two additional functionalities:
- Deterministic random bit generator (DRBG): given a high-entropy seed, BLAKE2X produces a stream of up to 256 GiB.
- Key derivation function (KDF): given input key material (and an optional salt, as allowed by the BLAKE2 parameter block), BLAKE2X computes a key of up to 232 − 2 bytes (about 4 GiB). BLAKE2X’s extract-then-expand scheme is similar (but not identical) to that of HKDF
Today we published BLAKE2X’ specification as well as its reference source code. Try it and please report any bugs.
This is a joint collaboration with Samuel Neves.
Kudelski Security Research 
I’d add that the Noise Protocol Framework uses it, (consequently WhatsApp and a bunch of others should use it)