diff options
author | aqua <aqua@iserlohn-fortress.net> | 2022-07-24 18:49:43 +0300 |
---|---|---|
committer | aqua <aqua@iserlohn-fortress.net> | 2022-12-28 21:01:39 +0200 |
commit | e5d541428e910a5df98728bc46d80a612603cf13 (patch) | |
tree | a5d0a9c497ff7b67ae60815a7450253023db6c05 /com/BLAKE2/rfc7693.txt | |
parent | Add test and valgrind targets to rules.mk (diff) | |
download | kernel-e5d541428e910a5df98728bc46d80a612603cf13.tar.xz |
Add BLAKE2s implementation
Diffstat (limited to 'com/BLAKE2/rfc7693.txt')
-rw-r--r-- | com/BLAKE2/rfc7693.txt | 1683 |
1 files changed, 1683 insertions, 0 deletions
diff --git a/com/BLAKE2/rfc7693.txt b/com/BLAKE2/rfc7693.txt new file mode 100644 index 0000000..d9d3b97 --- /dev/null +++ b/com/BLAKE2/rfc7693.txt @@ -0,0 +1,1683 @@ + + + + + + +Independent Submission M-J. Saarinen, Ed. +Request for Comments: 7693 Queen's University Belfast +Category: Informational J-P. Aumasson +ISSN: 2070-1721 Kudelski Security + November 2015 + + + The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC) + +Abstract + + This document describes the cryptographic hash function BLAKE2 and + makes the algorithm specification and C source code conveniently + available to the Internet community. BLAKE2 comes in two main + flavors: BLAKE2b is optimized for 64-bit platforms and BLAKE2s for + smaller architectures. BLAKE2 can be directly keyed, making it + functionally equivalent to a Message Authentication Code (MAC). + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This is a contribution to the RFC Series, independently of any other + RFC stream. The RFC Editor has chosen to publish this document at + its discretion and makes no statement about its value for + implementation or deployment. Documents approved for publication by + the RFC Editor are not a candidate for any level of Internet + Standard; see Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc7693. + +Copyright Notice + + Copyright (c) 2015 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. + + + + + + +Saarinen & Aumasson Informational [Page 1] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + +Table of Contents + + 1. Introduction and Terminology . . . . . . . . . . . . . . . . 3 + 2. Conventions, Variables, and Constants . . . . . . . . . . . . 4 + 2.1. Parameters . . . . . . . . . . . . . . . . . . . . . . . 4 + 2.2. Other Constants and Variables . . . . . . . . . . . . . . 4 + 2.3. Arithmetic Notation . . . . . . . . . . . . . . . . . . . 4 + 2.4. Little-Endian Interpretation of Words as Bytes . . . . . 5 + 2.5. Parameter Block . . . . . . . . . . . . . . . . . . . . . 5 + 2.6. Initialization Vector . . . . . . . . . . . . . . . . . . 6 + 2.7. Message Schedule SIGMA . . . . . . . . . . . . . . . . . 6 + 3. BLAKE2 Processing . . . . . . . . . . . . . . . . . . . . . . 7 + 3.1. Mixing Function G . . . . . . . . . . . . . . . . . . . . 7 + 3.2. Compression Function F . . . . . . . . . . . . . . . . . 8 + 3.3. Padding Data and Computing a BLAKE2 Digest . . . . . . . 9 + 4. Standard Parameter Sets and Algorithm Identifiers . . . . . . 10 + 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 + 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 + 6.1. Normative References . . . . . . . . . . . . . . . . . . 11 + 6.2. Informative References . . . . . . . . . . . . . . . . . 11 + Appendix A. Example of BLAKE2b Computation . . . . . . . . . . . 13 + Appendix B. Example of BLAKE2s Computation . . . . . . . . . . . 15 + Appendix C. BLAKE2b Implementation C Source . . . . . . . . . . 16 + C.1. blake2b.h . . . . . . . . . . . . . . . . . . . . . . . . 16 + C.2. blake2b.c . . . . . . . . . . . . . . . . . . . . . . . . 17 + Appendix D. BLAKE2s Implementation C Source . . . . . . . . . . 21 + D.1. blake2s.h . . . . . . . . . . . . . . . . . . . . . . . . 21 + D.2. blake2s.c . . . . . . . . . . . . . . . . . . . . . . . . 22 + Appendix E. BLAKE2b and BLAKE2s Self-Test Module C Source . . . 26 + Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 29 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 30 + + + + + + + + + + + + + + + + + + + + +Saarinen & Aumasson Informational [Page 2] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + +1. Introduction and Terminology + + The BLAKE2 cryptographic hash function [BLAKE2] was designed by Jean- + Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian + Winnerlein. + + BLAKE2 comes in two basic flavors: + + o BLAKE2b (or just BLAKE2) is optimized for 64-bit platforms and + produces digests of any size between 1 and 64 bytes. + + o BLAKE2s is optimized for 8- to 32-bit platforms and produces + digests of any size between 1 and 32 bytes. + + Both BLAKE2b and BLAKE2s are believed to be highly secure and perform + well on any platform, software, or hardware. BLAKE2 does not require + a special "HMAC" (Hashed Message Authentication Code) construction + for keyed message authentication as it has a built-in keying + mechanism. + + The BLAKE2 hash function may be used by digital signature algorithms + and message authentication and integrity protection mechanisms in + applications such as Public Key Infrastructure (PKI), secure + communication protocols, cloud storage, intrusion detection, forensic + suites, and version control systems. + + The BLAKE2 suite provides a more efficient alternative to US Secure + Hash Algorithms SHA and HMAC-SHA [RFC6234]. BLAKE2s-128 is + especially suited as a fast and more secure drop-in replacement to + MD5 and HMAC-MD5 in legacy applications [RFC6151]. + + To aid implementation, we provide a trace of BLAKE2b-512 hash + computation in Appendix A and a trace of BLAKE2s-256 hash computation + in Appendix B. Due to space constraints, this document does not + contain a full set of test vectors for BLAKE2. + + A reference implementation in C programming language for BLAKE2b can + be found in Appendix C and for BLAKE2s in Appendix D of this + document. These implementations MAY be validated with the more + exhaustive Test Module contained in Appendix E. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + + + + + + + +Saarinen & Aumasson Informational [Page 3] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + +2. Conventions, Variables, and Constants + +2.1. Parameters + + The following table summarizes various parameters and their ranges: + + | BLAKE2b | BLAKE2s | + --------------+------------------+------------------+ + Bits in word | w = 64 | w = 32 | + Rounds in F | r = 12 | r = 10 | + Block bytes | bb = 128 | bb = 64 | + Hash bytes | 1 <= nn <= 64 | 1 <= nn <= 32 | + Key bytes | 0 <= kk <= 64 | 0 <= kk <= 32 | + Input bytes | 0 <= ll < 2**128 | 0 <= ll < 2**64 | + --------------+------------------+------------------+ + G Rotation | (R1, R2, R3, R4) | (R1, R2, R3, R4) | + constants = | (32, 24, 16, 63) | (16, 12, 8, 7) | + --------------+------------------+------------------+ + +2.2. Other Constants and Variables + + These variables are used in the algorithm description: + + IV[0..7] Initialization Vector (constant). + + SIGMA[0..9] Message word permutations (constant). + + p[0..7] Parameter block (defines hash and key sizes). + + m[0..15] Sixteen words of a single message block. + + h[0..7] Internal state of the hash. + + d[0..dd-1] Padded input blocks. Each has "bb" bytes. + + t Message byte offset at the end of the current block. + + f Flag indicating the last block. + +2.3. Arithmetic Notation + + For real-valued x, we define the following functions: + + floor(x) Floor, the largest integer <= x. + + ceil(x) Ceiling, the smallest integer >= x. + + frac(x) Positive fractional part of x, frac(x) = x - floor(x). + + + +Saarinen & Aumasson Informational [Page 4] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + Operator notation in pseudocode: + + 2**n = 2 to the power "n". 2**0=1, 2**1=2, 2**2=4, 2**3=8, etc. + + a ^ b = Bitwise exclusive-or operation between "a" and "b". + + a mod b = Remainder "a" modulo "b", always in range [0, b-1]. + + x >> n = floor(x / 2**n). Logical shift "x" right by "n" bits. + + x << n = (x * 2**n) mod (2**w). Logical shift "x" left by "n". + + x >>> n = (x >> n) ^ (x << (w - n)). Rotate "x" right by "n". + +2.4. Little-Endian Interpretation of Words as Bytes + + All mathematical operations are on 64-bit words in BLAKE2b and on + 32-bit words in BLAKE2s. + + We may also perform operations on vectors of words. Vector indexing + is zero based; the first element of an n-element vector "v" is v[0] + and the last one is v[n - 1]. All elements are denoted by v[0..n-1]. + + Byte (octet) streams are interpreted as words in little-endian order, + with the least-significant byte first. Consider this sequence of + eight hexadecimal bytes: + + x[0..7] = 0x01 0x23 0x45 0x67 0x89 0xAB 0xCD 0xEF + + When interpreted as a 32-bit word from the beginning memory address, + x[0..3] has a numerical value of 0x67452301 or 1732584193. + + When interpreted as a 64-bit word, bytes x[0..7] have a numerical + value of 0xEFCDAB8967452301 or 17279655951921914625. + +2.5. Parameter Block + + We specify the parameter block words p[0..7] as follows: + + byte offset: 3 2 1 0 (otherwise zero) + p[0] = 0x0101kknn p[1..7] = 0 + + Here the "nn" byte specifies the hash size in bytes. The second + (little-endian) byte of the parameter block, "kk", specifies the key + size in bytes. Set kk = 00 for unkeyed hashing. Bytes 2 and 3 are + set as 01. All other bytes in the parameter block are set as zero. + + + + + +Saarinen & Aumasson Informational [Page 5] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + Note: [BLAKE2] defines additional variants of BLAKE2 with features + such as salting, personalized hashes, and tree hashing. These + OPTIONAL features use fields in the parameter block that are not + defined in this document. + +2.6. Initialization Vector + + We define the Initialization Vector constant IV mathematically as: + + IV[i] = floor(2**w * frac(sqrt(prime(i+1)))), where prime(i) + is the i:th prime number ( 2, 3, 5, 7, 11, 13, 17, 19 ) + and sqrt(x) is the square root of x. + + The numerical values of IV can also be found in implementations in + Appendices C and D for BLAKE2b and BLAKE2s, respectively. + + Note: BLAKE2b IV is the same as SHA-512 IV, and BLAKE2s IV is the + same as SHA-256 IV; see [RFC6234]. + +2.7. Message Schedule SIGMA + + Message word schedule permutations for each round of both BLAKE2b and + BLAKE2s are defined by SIGMA. For BLAKE2b, the two extra + permutations for rounds 10 and 11 are SIGMA[10..11] = SIGMA[0..1]. + + Round | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | + ----------+-------------------------------------------------+ + SIGMA[0] | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | + SIGMA[1] | 14 10 4 8 9 15 13 6 1 12 0 2 11 7 5 3 | + SIGMA[2] | 11 8 12 0 5 2 15 13 10 14 3 6 7 1 9 4 | + SIGMA[3] | 7 9 3 1 13 12 11 14 2 6 5 10 4 0 15 8 | + SIGMA[4] | 9 0 5 7 2 4 10 15 14 1 11 12 6 8 3 13 | + SIGMA[5] | 2 12 6 10 0 11 8 3 4 13 7 5 15 14 1 9 | + SIGMA[6] | 12 5 1 15 14 13 4 10 0 7 6 3 9 2 8 11 | + SIGMA[7] | 13 11 7 14 12 1 3 9 5 0 15 4 8 6 2 10 | + SIGMA[8] | 6 15 14 9 11 3 0 8 12 2 13 7 1 4 10 5 | + SIGMA[9] | 10 2 8 4 7 6 1 5 15 11 9 14 3 12 13 0 | + ----------+-------------------------------------------------+ + + + + + + + + + + + + + +Saarinen & Aumasson Informational [Page 6] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + +3. BLAKE2 Processing + +3.1. Mixing Function G + + The G primitive function mixes two input words, "x" and "y", into + four words indexed by "a", "b", "c", and "d" in the working vector + v[0..15]. The full modified vector is returned. The rotation + constants (R1, R2, R3, R4) are given in Section 2.1. + + FUNCTION G( v[0..15], a, b, c, d, x, y ) + | + | v[a] := (v[a] + v[b] + x) mod 2**w + | v[d] := (v[d] ^ v[a]) >>> R1 + | v[c] := (v[c] + v[d]) mod 2**w + | v[b] := (v[b] ^ v[c]) >>> R2 + | v[a] := (v[a] + v[b] + y) mod 2**w + | v[d] := (v[d] ^ v[a]) >>> R3 + | v[c] := (v[c] + v[d]) mod 2**w + | v[b] := (v[b] ^ v[c]) >>> R4 + | + | RETURN v[0..15] + | + END FUNCTION. + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Saarinen & Aumasson Informational [Page 7] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + +3.2. Compression Function F + + Compression function F takes as an argument the state vector "h", + message block vector "m" (last block is padded with zeros to full + block size, if required), 2w-bit offset counter "t", and final block + indicator flag "f". Local vector v[0..15] is used in processing. F + returns a new state vector. The number of rounds, "r", is 12 for + BLAKE2b and 10 for BLAKE2s. Rounds are numbered from 0 to r - 1. + + FUNCTION F( h[0..7], m[0..15], t, f ) + | + | // Initialize local work vector v[0..15] + | v[0..7] := h[0..7] // First half from state. + | v[8..15] := IV[0..7] // Second half from IV. + | + | v[12] := v[12] ^ (t mod 2**w) // Low word of the offset. + | v[13] := v[13] ^ (t >> w) // High word. + | + | IF f = TRUE THEN // last block flag? + | | v[14] := v[14] ^ 0xFF..FF // Invert all bits. + | END IF. + | + | // Cryptographic mixing + | FOR i = 0 TO r - 1 DO // Ten or twelve rounds. + | | + | | // Message word selection permutation for this round. + | | s[0..15] := SIGMA[i mod 10][0..15] + | | + | | v := G( v, 0, 4, 8, 12, m[s[ 0]], m[s[ 1]] ) + | | v := G( v, 1, 5, 9, 13, m[s[ 2]], m[s[ 3]] ) + | | v := G( v, 2, 6, 10, 14, m[s[ 4]], m[s[ 5]] ) + | | v := G( v, 3, 7, 11, 15, m[s[ 6]], m[s[ 7]] ) + | | + | | v := G( v, 0, 5, 10, 15, m[s[ 8]], m[s[ 9]] ) + | | v := G( v, 1, 6, 11, 12, m[s[10]], m[s[11]] ) + | | v := G( v, 2, 7, 8, 13, m[s[12]], m[s[13]] ) + | | v := G( v, 3, 4, 9, 14, m[s[14]], m[s[15]] ) + | | + | END FOR + | + | FOR i = 0 TO 7 DO // XOR the two halves. + | | h[i] := h[i] ^ v[i] ^ v[i + 8] + | END FOR. + | + | RETURN h[0..7] // New state. + | + END FUNCTION. + + + + +Saarinen & Aumasson Informational [Page 8] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + +3.3. Padding Data and Computing a BLAKE2 Digest + + We refer the reader to Appendices C and D for reference C language + implementations of BLAKE2b and BLAKE2s, respectively. + + Key and data input are split and padded into "dd" message blocks + d[0..dd-1], each consisting of 16 words (or "bb" bytes). + + If a secret key is used (kk > 0), it is padded with zero bytes and + set as d[0]. Otherwise, d[0] is the first data block. The final + data block d[dd-1] is also padded with zero to "bb" bytes (16 words). + + The number of blocks is therefore dd = ceil(kk / bb) + ceil(ll / bb). + However, in the special case of an unkeyed empty message (kk = 0 and + ll = 0), we still set dd = 1 and d[0] consists of all zeros. + + The following procedure processes the padded data blocks into an + "nn"-byte final hash value. See Section 2 for a description of + various variables and constants used. + + FUNCTION BLAKE2( d[0..dd-1], ll, kk, nn ) + | + | h[0..7] := IV[0..7] // Initialization Vector. + | + | // Parameter block p[0] + | h[0] := h[0] ^ 0x01010000 ^ (kk << 8) ^ nn + | + | // Process padded key and data blocks + | IF dd > 1 THEN + | | FOR i = 0 TO dd - 2 DO + | | | h := F( h, d[i], (i + 1) * bb, FALSE ) + | | END FOR. + | END IF. + | + | // Final block. + | IF kk = 0 THEN + | | h := F( h, d[dd - 1], ll, TRUE ) + | ELSE + | | h := F( h, d[dd - 1], ll + bb, TRUE ) + | END IF. + | + | RETURN first "nn" bytes from little-endian word array h[]. + | + END FUNCTION. + + + + + + + +Saarinen & Aumasson Informational [Page 9] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + +4. Standard Parameter Sets and Algorithm Identifiers + + An implementation of BLAKE2b and/or BLAKE2s MAY support the following + digest size parameters for interoperability (e.g., digital + signatures), as long as a sufficient level of security is attained by + the parameter selections. These parameters and identifiers are + intended to be suitable as drop-in replacements to MD5 and + corresponding SHA algorithms. + + Developers adapting BLAKE2 to ASN.1-based message formats SHOULD use + the OID tree at x = 1.3.6.1.4.1.1722.12.2. The same OID can be used + for both keyed and unkeyed hashing since in the latter case the key + simply has zero length. + + Algorithm | Target | Collision | Hash | Hash ASN.1 | + Identifier | Arch | Security | nn | OID Suffix | + ---------------+--------+-----------+------+------------+ + id-blake2b160 | 64-bit | 2**80 | 20 | x.1.5 | + id-blake2b256 | 64-bit | 2**128 | 32 | x.1.8 | + id-blake2b384 | 64-bit | 2**192 | 48 | x.1.12 | + id-blake2b512 | 64-bit | 2**256 | 64 | x.1.16 | + ---------------+--------+-----------+------+------------+ + id-blake2s128 | 32-bit | 2**64 | 16 | x.2.4 | + id-blake2s160 | 32-bit | 2**80 | 20 | x.2.5 | + id-blake2s224 | 32-bit | 2**112 | 28 | x.2.7 | + id-blake2s256 | 32-bit | 2**128 | 32 | x.2.8 | + ---------------+--------+-----------+------+------------+ + + hashAlgs OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) dod(6) internet(1) + private(4) enterprise(1) kudelski(1722) cryptography(12) 2 + } + macAlgs OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) dod(6) internet(1) + private(4) enterprise(1) kudelski(1722) cryptography(12) 3 + } + + -- the two BLAKE2 variants -- + blake2b OBJECT IDENTIFIER ::= { hashAlgs 1 } + blake2s OBJECT IDENTIFIER ::= { hashAlgs 2 } + + -- BLAKE2b Identifiers -- + id-blake2b160 OBJECT IDENTIFIER ::= { blake2b 5 } + id-blake2b256 OBJECT IDENTIFIER ::= { blake2b 8 } + id-blake2b384 OBJECT IDENTIFIER ::= { blake2b 12 } + id-blake2b512 OBJECT IDENTIFIER ::= { blake2b 16 } + + + + + +Saarinen & Aumasson Informational [Page 10] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + -- BLAKE2s Identifiers -- + id-blake2s128 OBJECT IDENTIFIER ::= { blake2s 4 } + id-blake2s160 OBJECT IDENTIFIER ::= { blake2s 5 } + id-blake2s224 OBJECT IDENTIFIER ::= { blake2s 7 } + id-blake2s256 OBJECT IDENTIFIER ::= { blake2s 8 } + +5. Security Considerations + + This document is intended to provide convenient open-source access by + the Internet community to the BLAKE2 cryptographic hash algorithm. + We wish to make no independent assertion to its security in this + document. We refer the reader to [BLAKE] and [BLAKE2] for detailed + cryptanalytic rationale behind its design. + + In order to avoid bloat, the reference implementations in Appendices + C and D may not erase all sensitive data (such as secret keys) + immediately from process memory after use. Such cleanup can be added + if needed. + +6. References + +6.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + <http://www.rfc-editor.org/info/rfc2119>. + +6.2. Informative References + + [BLAKE] Aumasson, J-P., Meier, W., Phan, R., and L. Henzen, "The + Hash Function BLAKE", January 2015, + <https://131002.net/blake/book>. + + [BLAKE2] Aumasson, J-P., Neves, S., Wilcox-O'Hearn, Z., and C. + Winnerlein, "BLAKE2: simpler, smaller, fast as MD5", + January 2013, <https://blake2.net/blake2.pdf>. + + [FIPS140-2IG] + NIST, "Implementation Guidance for FIPS PUB 140-2 and the + Cryptographic Module Validation Program", September 2015, + <http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/ + FIPS1402IG.pdf/>. + + [RFC6151] Turner, S. and L. Chen, "Updated Security Considerations + for the MD5 Message-Digest and the HMAC-MD5 Algorithms", + RFC 6151, DOI 10.17487/RFC6151, March 2011, + <http://www.rfc-editor.org/info/rfc6151>. + + + +Saarinen & Aumasson Informational [Page 11] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms + (SHA and SHA-based HMAC and HKDF)", RFC 6234, + DOI 10.17487/RFC6234, May 2011, + <http://www.rfc-editor.org/info/rfc6234>. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Saarinen & Aumasson Informational [Page 12] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + +Appendix A. Example of BLAKE2b Computation + + We compute the unkeyed hash of three ASCII bytes "abc" with + BLAKE2b-512 and show internal values during computation. + + m[16] = 0000000000636261 0000000000000000 0000000000000000 + 0000000000000000 0000000000000000 0000000000000000 + 0000000000000000 0000000000000000 0000000000000000 + 0000000000000000 0000000000000000 0000000000000000 + 0000000000000000 0000000000000000 0000000000000000 + 0000000000000000 + + (i= 0) v[16] = 6A09E667F2BDC948 BB67AE8584CAA73B 3C6EF372FE94F82B + A54FF53A5F1D36F1 510E527FADE682D1 9B05688C2B3E6C1F + 1F83D9ABFB41BD6B 5BE0CD19137E2179 6A09E667F3BCC908 + BB67AE8584CAA73B 3C6EF372FE94F82B A54FF53A5F1D36F1 + 510E527FADE682D2 9B05688C2B3E6C1F E07C265404BE4294 + 5BE0CD19137E2179 + + (i= 1) v[16] = 86B7C1568029BB79 C12CBCC809FF59F3 C6A5214CC0EACA8E + 0C87CD524C14CC5D 44EE6039BD86A9F7 A447C850AA694A7E + DE080F1BB1C0F84B 595CB8A9A1ACA66C BEC3AE837EAC4887 + 6267FC79DF9D6AD1 FA87B01273FA6DBE 521A715C63E08D8A + E02D0975B8D37A83 1C7B754F08B7D193 8F885A76B6E578FE + 2318A24E2140FC64 + + (i= 2) v[16] = 53281E83806010F2 3594B403F81B4393 8CD63C7462DE0DFF + 85F693F3DA53F974 BAABDBB2F386D9AE CA5425AEC65A10A8 + C6A22E2FF0F7AA48 C6A56A51CB89C595 224E6A3369224F96 + 500E125E58A92923 E9E4AD0D0E1A0D48 85DF9DC143C59A74 + 92A3AAAA6D952B7F C5FDF71090FAE853 2A8A40F15A462DD0 + 572D17EFFDD37358 + + (i= 3) v[16] = 60ED96AA7AD41725 E46A743C71800B9D 1A04B543A01F156B + A2F8716E775C4877 DA0A61BCDE4267EA B1DD230754D7BDEE + 25A1422779E06D14 E6823AE4C3FF58A5 A1677E19F37FD5DA + 22BDCE6976B08C51 F1DE8696BEC11BF1 A0EBD586A4A1D2C8 + C804EBAB11C99FA9 8E0CEC959C715793 7C45557FAE0D4D89 + 716343F52FDD265E + + (i= 4) v[16] = BB2A77D3A8382351 45EB47971F23B103 98BE297F6E45C684 + A36077DEE3370B89 8A03C4CB7E97590A 24192E49EBF54EA0 + 4F82C9401CB32D7A 8CCD013726420DC4 A9C9A8F17B1FC614 + 55908187977514A0 5B44273E66B19D27 B6D5C9FCA2579327 + 086092CFB858437E 5C4BE2156DBEECF9 2EFEDE99ED4EFF16 + 3E7B5F234CD1F804 + + + + + +Saarinen & Aumasson Informational [Page 13] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + (i= 5) v[16] = C79C15B3D423B099 2DA2224E8DA97556 77D2B26DF1C45C55 + 8934EB09A3456052 0F6D9EEED157DA2A 6FE66467AF88C0A9 + 4EB0B76284C7AAFB 299C8E725D954697 B2240B59E6D567D3 + 2643C2370E49EBFD 79E02EEF20CDB1AE 64B3EED7BB602F39 + B97D2D439E4DF63D C718E755294C9111 1F0893F2772BB373 + 1205EA4A7859807D + + (i= 6) v[16] = E58F97D6385BAEE4 7640AA9764DA137A DEB4C7C23EFE287E + 70F6F41C8783C9F6 7127CD48C76A7708 9E472AF0BE3DB3F6 + 0F244C62DDF71788 219828AA83880842 41CCA9073C8C4D0D + 5C7912BC10DF3B4B A2C3ABBD37510EE2 CB5668CC2A9F7859 + 8733794F07AC1500 C67A6BE42335AA6F ACB22B28681E4C82 + DB2161604CBC9828 + + (i= 7) v[16] = 6E2D286EEADEDC81 BCF02C0787E86358 57D56A56DD015EDF + 55D899D40A5D0D0A 819415B56220C459 B63C479A6A769F02 + 258E55E0EC1F362A 3A3B4EC60E19DFDC 04D769B3FCB048DB + B78A9A33E9BFF4DD 5777272AE1E930C0 5A387849E578DBF6 + 92AAC307CF2C0AFC 30AACCC4F06DAFAA 483893CC094F8863 + E03C6CC89C26BF92 + + (i= 8) v[16] = FFC83ECE76024D01 1BE7BFFB8C5CC5F9 A35A18CBAC4C65B7 + B7C2C7E6D88C285F 81937DA314A50838 E1179523A2541963 + 3A1FAD7106232B8F 1C7EDE92AB8B9C46 A3C2D35E4F685C10 + A53D3F73AA619624 30BBCC0285A22F65 BCEFBB6A81539E5D + 3841DEF6F4C9848A 98662C85FBA726D4 7762439BD5A851BD + B0B9F0D443D1A889 + + (i= 9) v[16] = 753A70A1E8FAEADD 6B0D43CA2C25D629 F8343BA8B94F8C0B + BC7D062B0DB5CF35 58540EE1B1AEBC47 63C5B9B80D294CB9 + 490870ECAD27DEBD B2A90DDF667287FE 316CC9EBEEFAD8FC + 4A466BCD021526A4 5DA7F7638CEC5669 D9C8826727D306FC + 88ED6C4F3BD7A537 19AE688DDF67F026 4D8707AAB40F7E6D + FD3F572687FEA4F1 + + (i=10) v[16] = E630C747CCD59C4F BC713D41127571CA 46DB183025025078 + 6727E81260610140 2D04185EAC2A8CBA 5F311B88904056EC + 40BD313009201AAB 0099D4F82A2A1EAB 6DD4FBC1DE60165D + B3B0B51DE3C86270 900AEE2F233B08E5 A07199D87AD058D8 + 2C6B25593D717852 37E8CA471BEAA5F8 2CFC1BAC10EF4457 + 01369EC18746E775 + + (i=11) v[16] = E801F73B9768C760 35C6D22320BE511D 306F27584F65495E + B51776ADF569A77B F4F1BE86690B3C34 3CC88735D1475E4B + 5DAC67921FF76949 1CDB9D31AD70CC4E 35BA354A9C7DF448 + 4929CBE45679D73E 733D1A17248F39DB 92D57B736F5F170A + 61B5C0A41D491399 B5C333457E12844A BD696BE010D0D889 + 02231E1A917FE0BD + + + +Saarinen & Aumasson Informational [Page 14] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + (i=12) v[16] = 12EF8A641EC4F6D6 BCED5DE977C9FAF5 733CA476C5148639 + 97DF596B0610F6FC F42C16519AD5AFA7 AA5AC1888E10467E + 217D930AA51787F3 906A6FF19E573942 75AB709BD3DCBF24 + EE7CE1F345947AA4 F8960D6C2FAF5F5E E332538A36B6D246 + 885BEF040EF6AA0B A4939A417BFB78A3 646CBB7AF6DCE980 + E813A23C60AF3B82 + + h[8] = 0D4D1C983FA580BA E9F6129FB697276A B7C45A68142F214C + D1A2FFDB6FBB124B 2D79AB2A39C5877D 95CC3345DED552C2 + 5A92F1DBA88AD318 239900D4ED8623B9 + + BLAKE2b-512("abc") = BA 80 A5 3F 98 1C 4D 0D 6A 27 97 B6 9F 12 F6 E9 + 4C 21 2F 14 68 5A C4 B7 4B 12 BB 6F DB FF A2 D1 + 7D 87 C5 39 2A AB 79 2D C2 52 D5 DE 45 33 CC 95 + 18 D3 8A A8 DB F1 92 5A B9 23 86 ED D4 00 99 23 + +Appendix B. Example of BLAKE2s Computation + + We compute the unkeyed hash of three ASCII bytes "abc" with + BLAKE2s-256 and show internal values during computation. + + m[16] = 00636261 00000000 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + + (i=0) v[16] = 6B08E647 BB67AE85 3C6EF372 A54FF53A 510E527F 9B05688C + 1F83D9AB 5BE0CD19 6A09E667 BB67AE85 3C6EF372 A54FF53A + 510E527C 9B05688C E07C2654 5BE0CD19 + + (i=1) v[16] = 16A3242E D7B5E238 CE8CE24B 927AEDE1 A7B430D9 93A4A14E + A44E7C31 41D4759B 95BF33D3 9A99C181 608A3A6B B666383E + 7A8DD50F BE378ED7 353D1EE6 3BB44C6B + + (i=2) v[16] = 3AE30FE3 0982A96B E88185B4 3E339B16 F24338CD 0E66D326 + E005ED0C D591A277 180B1F3A FCF43914 30DB62D6 4847831C + 7F00C58E FB847886 C544E836 524AB0E2 + + (i=3) v[16] = 7A3BE783 997546C1 D45246DF EDB5F821 7F98A742 10E864E2 + D4AB70D0 C63CB1AB 6038DA9E 414594B0 F2C218B5 8DA0DCB7 + D7CD7AF5 AB4909DF 85031A52 C4EDFC98 + + (i=4) v[16] = 2A8B8CB7 1ACA82B2 14045D7F CC7258ED 383CF67C E090E7F9 + 3025D276 57D04DE4 994BACF0 F0982759 F17EE300 D48FC2D5 + DC854C10 523898A9 C03A0F89 47D6CD88 + + (i=5) v[16] = C4AA2DDB 111343A3 D54A700A 574A00A9 857D5A48 B1E11989 + 6F5C52DF DD2C53A3 678E5F8E 9718D4E9 622CB684 92976076 + 0E41A517 359DC2BE 87A87DDD 643F9CEC + + + +Saarinen & Aumasson Informational [Page 15] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + (i=6) v[16] = 3453921C D7595EE1 592E776D 3ED6A974 4D997CB3 DE9212C3 + 35ADF5C9 9916FD65 96562E89 4EAD0792 EBFC2712 2385F5B2 + F34600FB D7BC20FB EB452A7B ECE1AA40 + + (i=7) v[16] = BE851B2D A85F6358 81E6FC3B 0BB28000 FA55A33A 87BE1FAD + 4119370F 1E2261AA A1318FD3 F4329816 071783C2 6E536A8D + 9A81A601 E7EC80F1 ACC09948 F849A584 + + (i=8) v[16] = 07E5B85A 069CC164 F9DE3141 A56F4680 9E440AD2 9AB659EA + 3C84B971 21DBD9CF 46699F8C 765257EC AF1D998C 75E4C3B6 + 523878DC 30715015 397FEE81 4F1FA799 + + (i=9) v[16] = 435148C4 A5AA2D11 4B354173 D543BC9E BDA2591C BF1D2569 + 4FCB3120 707ADA48 565B3FDE 32C9C916 EAF4A1AB B1018F28 + 8078D978 68ADE4B5 9778FDA3 2863B92E + + (i=10) v[16] = D9C994AA CFEC3AA6 700D0AB2 2C38670E AF6A1F66 1D023EF3 + 1D9EC27D 945357A5 3E9FFEBD 969FE811 EF485E21 A632797A + DEEF082E AF3D80E1 4E86829B 4DEAFD3A + + h[8] = 8C5E8C50 E2147C32 A32BA7E1 2F45EB4E 208B4537 293AD69E + 4C9B994D 82596786 + + BLAKE2s-256("abc") = 50 8C 5E 8C 32 7C 14 E2 E1 A7 2B A3 4E EB 45 2F + 37 45 8B 20 9E D6 3A 29 4D 99 9B 4C 86 67 59 82 + +Appendix C. BLAKE2b Implementation C Source + +C.1. blake2b.h + + <CODE BEGINS> + // blake2b.h + // BLAKE2b Hashing Context and API Prototypes + + #ifndef BLAKE2B_H + #define BLAKE2B_H + + #include <stdint.h> + #include <stddef.h> + + // state context + typedef struct { + uint8_t b[128]; // input buffer + uint64_t h[8]; // chained state + uint64_t t[2]; // total number of bytes + size_t c; // pointer for b[] + size_t outlen; // digest size + } blake2b_ctx; + + + +Saarinen & Aumasson Informational [Page 16] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + // Initialize the hashing context "ctx" with optional key "key". + // 1 <= outlen <= 64 gives the digest size in bytes. + // Secret key (also <= 64 bytes) is optional (keylen = 0). + int blake2b_init(blake2b_ctx *ctx, size_t outlen, + const void *key, size_t keylen); // secret key + + // Add "inlen" bytes from "in" into the hash. + void blake2b_update(blake2b_ctx *ctx, // context + const void *in, size_t inlen); // data to be hashed + + // Generate the message digest (size given in init). + // Result placed in "out". + void blake2b_final(blake2b_ctx *ctx, void *out); + + // All-in-one convenience function. + int blake2b(void *out, size_t outlen, // return buffer for digest + const void *key, size_t keylen, // optional secret key + const void *in, size_t inlen); // data to be hashed + + #endif + <CODE ENDS> + +C.2. blake2b.c + + <CODE BEGINS> + // blake2b.c + // A simple BLAKE2b Reference Implementation. + + #include "blake2b.h" + + // Cyclic right rotation. + + #ifndef ROTR64 + #define ROTR64(x, y) (((x) >> (y)) ^ ((x) << (64 - (y)))) + #endif + + // Little-endian byte access. + + #define B2B_GET64(p) \ + (((uint64_t) ((uint8_t *) (p))[0]) ^ \ + (((uint64_t) ((uint8_t *) (p))[1]) << 8) ^ \ + (((uint64_t) ((uint8_t *) (p))[2]) << 16) ^ \ + (((uint64_t) ((uint8_t *) (p))[3]) << 24) ^ \ + (((uint64_t) ((uint8_t *) (p))[4]) << 32) ^ \ + (((uint64_t) ((uint8_t *) (p))[5]) << 40) ^ \ + (((uint64_t) ((uint8_t *) (p))[6]) << 48) ^ \ + (((uint64_t) ((uint8_t *) (p))[7]) << 56)) + + + + +Saarinen & Aumasson Informational [Page 17] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + // G Mixing function. + + #define B2B_G(a, b, c, d, x, y) { \ + v[a] = v[a] + v[b] + x; \ + v[d] = ROTR64(v[d] ^ v[a], 32); \ + v[c] = v[c] + v[d]; \ + v[b] = ROTR64(v[b] ^ v[c], 24); \ + v[a] = v[a] + v[b] + y; \ + v[d] = ROTR64(v[d] ^ v[a], 16); \ + v[c] = v[c] + v[d]; \ + v[b] = ROTR64(v[b] ^ v[c], 63); } + + // Initialization Vector. + + static const uint64_t blake2b_iv[8] = { + 0x6A09E667F3BCC908, 0xBB67AE8584CAA73B, + 0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1, + 0x510E527FADE682D1, 0x9B05688C2B3E6C1F, + 0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179 + }; + + // Compression function. "last" flag indicates last block. + + static void blake2b_compress(blake2b_ctx *ctx, int last) + { + const uint8_t sigma[12][16] = { + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }, + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } + }; + int i; + uint64_t v[16], m[16]; + + for (i = 0; i < 8; i++) { // init work variables + v[i] = ctx->h[i]; + v[i + 8] = blake2b_iv[i]; + } + + + + + +Saarinen & Aumasson Informational [Page 18] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + v[12] ^= ctx->t[0]; // low 64 bits of offset + v[13] ^= ctx->t[1]; // high 64 bits + if (last) // last block flag set ? + v[14] = ~v[14]; + + for (i = 0; i < 16; i++) // get little-endian words + m[i] = B2B_GET64(&ctx->b[8 * i]); + + for (i = 0; i < 12; i++) { // twelve rounds + B2B_G( 0, 4, 8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]); + B2B_G( 1, 5, 9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]); + B2B_G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]); + B2B_G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]); + B2B_G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]); + B2B_G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]); + B2B_G( 2, 7, 8, 13, m[sigma[i][12]], m[sigma[i][13]]); + B2B_G( 3, 4, 9, 14, m[sigma[i][14]], m[sigma[i][15]]); + } + + for( i = 0; i < 8; ++i ) + ctx->h[i] ^= v[i] ^ v[i + 8]; + } + + // Initialize the hashing context "ctx" with optional key "key". + // 1 <= outlen <= 64 gives the digest size in bytes. + // Secret key (also <= 64 bytes) is optional (keylen = 0). + + int blake2b_init(blake2b_ctx *ctx, size_t outlen, + const void *key, size_t keylen) // (keylen=0: no key) + { + size_t i; + + if (outlen == 0 || outlen > 64 || keylen > 64) + return -1; // illegal parameters + + for (i = 0; i < 8; i++) // state, "param block" + ctx->h[i] = blake2b_iv[i]; + ctx->h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen; + + ctx->t[0] = 0; // input count low word + ctx->t[1] = 0; // input count high word + ctx->c = 0; // pointer within buffer + ctx->outlen = outlen; + + + + + + + + +Saarinen & Aumasson Informational [Page 19] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + for (i = keylen; i < 128; i++) // zero input block + ctx->b[i] = 0; + if (keylen > 0) { + blake2b_update(ctx, key, keylen); + ctx->c = 128; // at the end + } + + return 0; + } + + // Add "inlen" bytes from "in" into the hash. + + void blake2b_update(blake2b_ctx *ctx, + const void *in, size_t inlen) // data bytes + { + size_t i; + + for (i = 0; i < inlen; i++) { + if (ctx->c == 128) { // buffer full ? + ctx->t[0] += ctx->c; // add counters + if (ctx->t[0] < ctx->c) // carry overflow ? + ctx->t[1]++; // high word + blake2b_compress(ctx, 0); // compress (not last) + ctx->c = 0; // counter to zero + } + ctx->b[ctx->c++] = ((const uint8_t *) in)[i]; + } + } + + // Generate the message digest (size given in init). + // Result placed in "out". + + void blake2b_final(blake2b_ctx *ctx, void *out) + { + size_t i; + + ctx->t[0] += ctx->c; // mark last block offset + if (ctx->t[0] < ctx->c) // carry overflow + ctx->t[1]++; // high word + + while (ctx->c < 128) // fill up with zeros + ctx->b[ctx->c++] = 0; + blake2b_compress(ctx, 1); // final block flag = 1 + + + + + + + + +Saarinen & Aumasson Informational [Page 20] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + // little endian convert and store + for (i = 0; i < ctx->outlen; i++) { + ((uint8_t *) out)[i] = + (ctx->h[i >> 3] >> (8 * (i & 7))) & 0xFF; + } + } + + // Convenience function for all-in-one computation. + + int blake2b(void *out, size_t outlen, + const void *key, size_t keylen, + const void *in, size_t inlen) + { + blake2b_ctx ctx; + + if (blake2b_init(&ctx, outlen, key, keylen)) + return -1; + blake2b_update(&ctx, in, inlen); + blake2b_final(&ctx, out); + + return 0; + } + <CODE ENDS> + +Appendix D. BLAKE2s Implementation C Source + +D.1. blake2s.h + + <CODE BEGINS> + // blake2s.h + // BLAKE2s Hashing Context and API Prototypes + + #ifndef BLAKE2S_H + #define BLAKE2S_H + + #include <stdint.h> + #include <stddef.h> + + // state context + typedef struct { + uint8_t b[64]; // input buffer + uint32_t h[8]; // chained state + uint32_t t[2]; // total number of bytes + size_t c; // pointer for b[] + size_t outlen; // digest size + } blake2s_ctx; + + + + + +Saarinen & Aumasson Informational [Page 21] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + // Initialize the hashing context "ctx" with optional key "key". + // 1 <= outlen <= 32 gives the digest size in bytes. + // Secret key (also <= 32 bytes) is optional (keylen = 0). + int blake2s_init(blake2s_ctx *ctx, size_t outlen, + const void *key, size_t keylen); // secret key + + // Add "inlen" bytes from "in" into the hash. + void blake2s_update(blake2s_ctx *ctx, // context + const void *in, size_t inlen); // data to be hashed + + // Generate the message digest (size given in init). + // Result placed in "out". + void blake2s_final(blake2s_ctx *ctx, void *out); + + // All-in-one convenience function. + int blake2s(void *out, size_t outlen, // return buffer for digest + const void *key, size_t keylen, // optional secret key + const void *in, size_t inlen); // data to be hashed + + #endif + <CODE ENDS> + +D.2. blake2s.c + + <CODE BEGINS> + // blake2s.c + // A simple blake2s Reference Implementation. + + #include "blake2s.h" + + // Cyclic right rotation. + + #ifndef ROTR32 + #define ROTR32(x, y) (((x) >> (y)) ^ ((x) << (32 - (y)))) + #endif + + // Little-endian byte access. + + #define B2S_GET32(p) \ + (((uint32_t) ((uint8_t *) (p))[0]) ^ \ + (((uint32_t) ((uint8_t *) (p))[1]) << 8) ^ \ + (((uint32_t) ((uint8_t *) (p))[2]) << 16) ^ \ + (((uint32_t) ((uint8_t *) (p))[3]) << 24)) + + + + + + + + +Saarinen & Aumasson Informational [Page 22] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + // Mixing function G. + + #define B2S_G(a, b, c, d, x, y) { \ + v[a] = v[a] + v[b] + x; \ + v[d] = ROTR32(v[d] ^ v[a], 16); \ + v[c] = v[c] + v[d]; \ + v[b] = ROTR32(v[b] ^ v[c], 12); \ + v[a] = v[a] + v[b] + y; \ + v[d] = ROTR32(v[d] ^ v[a], 8); \ + v[c] = v[c] + v[d]; \ + v[b] = ROTR32(v[b] ^ v[c], 7); } + + // Initialization Vector. + + static const uint32_t blake2s_iv[8] = + { + 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, + 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19 + }; + + // Compression function. "last" flag indicates last block. + + static void blake2s_compress(blake2s_ctx *ctx, int last) + { + const uint8_t sigma[10][16] = { + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 } + }; + int i; + uint32_t v[16], m[16]; + + for (i = 0; i < 8; i++) { // init work variables + v[i] = ctx->h[i]; + v[i + 8] = blake2s_iv[i]; + } + + v[12] ^= ctx->t[0]; // low 32 bits of offset + v[13] ^= ctx->t[1]; // high 32 bits + if (last) // last block flag set ? + v[14] = ~v[14]; + + + +Saarinen & Aumasson Informational [Page 23] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + for (i = 0; i < 16; i++) // get little-endian words + m[i] = B2S_GET32(&ctx->b[4 * i]); + + for (i = 0; i < 10; i++) { // ten rounds + B2S_G( 0, 4, 8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]); + B2S_G( 1, 5, 9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]); + B2S_G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]); + B2S_G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]); + B2S_G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]); + B2S_G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]); + B2S_G( 2, 7, 8, 13, m[sigma[i][12]], m[sigma[i][13]]); + B2S_G( 3, 4, 9, 14, m[sigma[i][14]], m[sigma[i][15]]); + } + + for( i = 0; i < 8; ++i ) + ctx->h[i] ^= v[i] ^ v[i + 8]; + } + + // Initialize the hashing context "ctx" with optional key "key". + // 1 <= outlen <= 32 gives the digest size in bytes. + // Secret key (also <= 32 bytes) is optional (keylen = 0). + + int blake2s_init(blake2s_ctx *ctx, size_t outlen, + const void *key, size_t keylen) // (keylen=0: no key) + { + size_t i; + + if (outlen == 0 || outlen > 32 || keylen > 32) + return -1; // illegal parameters + + for (i = 0; i < 8; i++) // state, "param block" + ctx->h[i] = blake2s_iv[i]; + ctx->h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen; + + ctx->t[0] = 0; // input count low word + ctx->t[1] = 0; // input count high word + ctx->c = 0; // pointer within buffer + ctx->outlen = outlen; + + for (i = keylen; i < 64; i++) // zero input block + ctx->b[i] = 0; + if (keylen > 0) { + blake2s_update(ctx, key, keylen); + ctx->c = 64; // at the end + } + + return 0; + } + + + +Saarinen & Aumasson Informational [Page 24] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + // Add "inlen" bytes from "in" into the hash. + + void blake2s_update(blake2s_ctx *ctx, + const void *in, size_t inlen) // data bytes + { + size_t i; + + for (i = 0; i < inlen; i++) { + if (ctx->c == 64) { // buffer full ? + ctx->t[0] += ctx->c; // add counters + if (ctx->t[0] < ctx->c) // carry overflow ? + ctx->t[1]++; // high word + blake2s_compress(ctx, 0); // compress (not last) + ctx->c = 0; // counter to zero + } + ctx->b[ctx->c++] = ((const uint8_t *) in)[i]; + } + } + + // Generate the message digest (size given in init). + // Result placed in "out". + + void blake2s_final(blake2s_ctx *ctx, void *out) + { + size_t i; + + ctx->t[0] += ctx->c; // mark last block offset + if (ctx->t[0] < ctx->c) // carry overflow + ctx->t[1]++; // high word + + while (ctx->c < 64) // fill up with zeros + ctx->b[ctx->c++] = 0; + blake2s_compress(ctx, 1); // final block flag = 1 + + // little endian convert and store + for (i = 0; i < ctx->outlen; i++) { + ((uint8_t *) out)[i] = + (ctx->h[i >> 2] >> (8 * (i & 3))) & 0xFF; + } + } + + // Convenience function for all-in-one computation. + + int blake2s(void *out, size_t outlen, + const void *key, size_t keylen, + const void *in, size_t inlen) + { + blake2s_ctx ctx; + + + +Saarinen & Aumasson Informational [Page 25] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + if (blake2s_init(&ctx, outlen, key, keylen)) + return -1; + blake2s_update(&ctx, in, inlen); + blake2s_final(&ctx, out); + + return 0; + } + <CODE ENDS> + +Appendix E. BLAKE2b and BLAKE2s Self-Test Module C Source + + This module computes a series of keyed and unkeyed hashes from + deterministically generated pseudorandom data and computes a hash + over those results. This is a fairly exhaustive, yet compact and + fast method for verifying that the hashing module is functioning + correctly. + + Such testing is RECOMMENDED, especially when compiling the + implementation for a new a target platform configuration. + Furthermore, some security standards, such as FIPS-140, may require a + Power-On Self Test (POST) to be performed every time the + cryptographic module is loaded [FIPS140-2IG]. + + <CODE BEGINS> + // test_main.c + // Self test Modules for BLAKE2b and BLAKE2s -- and a stub main(). + + #include <stdio.h> + + #include "blake2b.h" + #include "blake2s.h" + + // Deterministic sequences (Fibonacci generator). + + static void selftest_seq(uint8_t *out, size_t len, uint32_t seed) + { + size_t i; + uint32_t t, a , b; + + a = 0xDEAD4BAD * seed; // prime + b = 1; + + for (i = 0; i < len; i++) { // fill the buf + t = a + b; + a = b; + b = t; + out[i] = (t >> 24) & 0xFF; + } + + + +Saarinen & Aumasson Informational [Page 26] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + } + + // BLAKE2b self-test validation. Return 0 when OK. + + int blake2b_selftest() + { + // grand hash of hash results + const uint8_t blake2b_res[32] = { + 0xC2, 0x3A, 0x78, 0x00, 0xD9, 0x81, 0x23, 0xBD, + 0x10, 0xF5, 0x06, 0xC6, 0x1E, 0x29, 0xDA, 0x56, + 0x03, 0xD7, 0x63, 0xB8, 0xBB, 0xAD, 0x2E, 0x73, + 0x7F, 0x5E, 0x76, 0x5A, 0x7B, 0xCC, 0xD4, 0x75 + }; + // parameter sets + const size_t b2b_md_len[4] = { 20, 32, 48, 64 }; + const size_t b2b_in_len[6] = { 0, 3, 128, 129, 255, 1024 }; + + size_t i, j, outlen, inlen; + uint8_t in[1024], md[64], key[64]; + blake2b_ctx ctx; + + // 256-bit hash for testing + if (blake2b_init(&ctx, 32, NULL, 0)) + return -1; + + for (i = 0; i < 4; i++) { + outlen = b2b_md_len[i]; + for (j = 0; j < 6; j++) { + inlen = b2b_in_len[j]; + + selftest_seq(in, inlen, inlen); // unkeyed hash + blake2b(md, outlen, NULL, 0, in, inlen); + blake2b_update(&ctx, md, outlen); // hash the hash + + selftest_seq(key, outlen, outlen); // keyed hash + blake2b(md, outlen, key, outlen, in, inlen); + blake2b_update(&ctx, md, outlen); // hash the hash + } + } + + // compute and compare the hash of hashes + blake2b_final(&ctx, md); + for (i = 0; i < 32; i++) { + if (md[i] != blake2b_res[i]) + return -1; + } + + return 0; + + + +Saarinen & Aumasson Informational [Page 27] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + } + + // BLAKE2s self-test validation. Return 0 when OK. + + int blake2s_selftest() + { + // Grand hash of hash results. + const uint8_t blake2s_res[32] = { + 0x6A, 0x41, 0x1F, 0x08, 0xCE, 0x25, 0xAD, 0xCD, + 0xFB, 0x02, 0xAB, 0xA6, 0x41, 0x45, 0x1C, 0xEC, + 0x53, 0xC5, 0x98, 0xB2, 0x4F, 0x4F, 0xC7, 0x87, + 0xFB, 0xDC, 0x88, 0x79, 0x7F, 0x4C, 0x1D, 0xFE + }; + // Parameter sets. + const size_t b2s_md_len[4] = { 16, 20, 28, 32 }; + const size_t b2s_in_len[6] = { 0, 3, 64, 65, 255, 1024 }; + + size_t i, j, outlen, inlen; + uint8_t in[1024], md[32], key[32]; + blake2s_ctx ctx; + + // 256-bit hash for testing. + if (blake2s_init(&ctx, 32, NULL, 0)) + return -1; + + for (i = 0; i < 4; i++) { + outlen = b2s_md_len[i]; + for (j = 0; j < 6; j++) { + inlen = b2s_in_len[j]; + + selftest_seq(in, inlen, inlen); // unkeyed hash + blake2s(md, outlen, NULL, 0, in, inlen); + blake2s_update(&ctx, md, outlen); // hash the hash + + selftest_seq(key, outlen, outlen); // keyed hash + blake2s(md, outlen, key, outlen, in, inlen); + blake2s_update(&ctx, md, outlen); // hash the hash + } + } + + // Compute and compare the hash of hashes. + blake2s_final(&ctx, md); + for (i = 0; i < 32; i++) { + if (md[i] != blake2s_res[i]) + return -1; + } + + return 0; + + + +Saarinen & Aumasson Informational [Page 28] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + + } + + // Test driver. + + int main(int argc, char **argv) + { + printf("blake2b_selftest() = %s\n", + blake2b_selftest() ? "FAIL" : "OK"); + printf("blake2s_selftest() = %s\n", + blake2s_selftest() ? "FAIL" : "OK"); + + return 0; + } + <CODE ENDS> + +Acknowledgements + + The editor wishes to thank the [BLAKE2] team for their encouragement: + Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and + Christian Winnerlein. We have borrowed passages from [BLAKE] and + [BLAKE2] with permission. + + [BLAKE2] is based on the SHA-3 proposal [BLAKE], designed by Jean- + Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan. + BLAKE2, like BLAKE, relies on a core algorithm borrowed from the + ChaCha stream cipher, designed by Daniel J. Bernstein. + + + + + + + + + + + + + + + + + + + + + + + + + +Saarinen & Aumasson Informational [Page 29] + +RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 + + +Authors' Addresses + + Markku-Juhani O. Saarinen (editor) + Queen's University Belfast + Centre for Secure Information Technologies, ECIT + Northern Ireland Science Park + Queen's Road, Queen's Island + Belfast BT3 9DT + United Kingdom + + Email: m.saarinen@qub.ac.uk + URI: http://www.csit.qub.ac.uk + + + Jean-Philippe Aumasson + Kudelski Security + 22-24, Route de Geneve + Case Postale 134 + Cheseaux 1033 + Switzerland + + Email: jean-philippe.aumasson@nagra.com + URI: https://www.kudelskisecurity.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Saarinen & Aumasson Informational [Page 30] + |