aboutsummaryrefslogtreecommitdiff
path: root/com/BLAKE2/rfc7693.txt
diff options
context:
space:
mode:
authoraqua <aqua@iserlohn-fortress.net>2022-07-24 18:49:43 +0300
committeraqua <aqua@iserlohn-fortress.net>2022-12-28 21:01:39 +0200
commite5d541428e910a5df98728bc46d80a612603cf13 (patch)
treea5d0a9c497ff7b67ae60815a7450253023db6c05 /com/BLAKE2/rfc7693.txt
parentAdd test and valgrind targets to rules.mk (diff)
downloadkernel-e5d541428e910a5df98728bc46d80a612603cf13.tar.xz
Add BLAKE2s implementation
Diffstat (limited to 'com/BLAKE2/rfc7693.txt')
-rw-r--r--com/BLAKE2/rfc7693.txt1683
1 files changed, 1683 insertions, 0 deletions
diff --git a/com/BLAKE2/rfc7693.txt b/com/BLAKE2/rfc7693.txt
new file mode 100644
index 0000000..d9d3b97
--- /dev/null
+++ b/com/BLAKE2/rfc7693.txt
@@ -0,0 +1,1683 @@
+
+
+
+
+
+
+Independent Submission M-J. Saarinen, Ed.
+Request for Comments: 7693 Queen's University Belfast
+Category: Informational J-P. Aumasson
+ISSN: 2070-1721 Kudelski Security
+ November 2015
+
+
+ The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)
+
+Abstract
+
+ This document describes the cryptographic hash function BLAKE2 and
+ makes the algorithm specification and C source code conveniently
+ available to the Internet community. BLAKE2 comes in two main
+ flavors: BLAKE2b is optimized for 64-bit platforms and BLAKE2s for
+ smaller architectures. BLAKE2 can be directly keyed, making it
+ functionally equivalent to a Message Authentication Code (MAC).
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This is a contribution to the RFC Series, independently of any other
+ RFC stream. The RFC Editor has chosen to publish this document at
+ its discretion and makes no statement about its value for
+ implementation or deployment. Documents approved for publication by
+ the RFC Editor are not a candidate for any level of Internet
+ Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7693.
+
+Copyright Notice
+
+ Copyright (c) 2015 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document.
+
+
+
+
+
+
+Saarinen & Aumasson Informational [Page 1]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+Table of Contents
+
+ 1. Introduction and Terminology . . . . . . . . . . . . . . . . 3
+ 2. Conventions, Variables, and Constants . . . . . . . . . . . . 4
+ 2.1. Parameters . . . . . . . . . . . . . . . . . . . . . . . 4
+ 2.2. Other Constants and Variables . . . . . . . . . . . . . . 4
+ 2.3. Arithmetic Notation . . . . . . . . . . . . . . . . . . . 4
+ 2.4. Little-Endian Interpretation of Words as Bytes . . . . . 5
+ 2.5. Parameter Block . . . . . . . . . . . . . . . . . . . . . 5
+ 2.6. Initialization Vector . . . . . . . . . . . . . . . . . . 6
+ 2.7. Message Schedule SIGMA . . . . . . . . . . . . . . . . . 6
+ 3. BLAKE2 Processing . . . . . . . . . . . . . . . . . . . . . . 7
+ 3.1. Mixing Function G . . . . . . . . . . . . . . . . . . . . 7
+ 3.2. Compression Function F . . . . . . . . . . . . . . . . . 8
+ 3.3. Padding Data and Computing a BLAKE2 Digest . . . . . . . 9
+ 4. Standard Parameter Sets and Algorithm Identifiers . . . . . . 10
+ 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
+ 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
+ 6.1. Normative References . . . . . . . . . . . . . . . . . . 11
+ 6.2. Informative References . . . . . . . . . . . . . . . . . 11
+ Appendix A. Example of BLAKE2b Computation . . . . . . . . . . . 13
+ Appendix B. Example of BLAKE2s Computation . . . . . . . . . . . 15
+ Appendix C. BLAKE2b Implementation C Source . . . . . . . . . . 16
+ C.1. blake2b.h . . . . . . . . . . . . . . . . . . . . . . . . 16
+ C.2. blake2b.c . . . . . . . . . . . . . . . . . . . . . . . . 17
+ Appendix D. BLAKE2s Implementation C Source . . . . . . . . . . 21
+ D.1. blake2s.h . . . . . . . . . . . . . . . . . . . . . . . . 21
+ D.2. blake2s.c . . . . . . . . . . . . . . . . . . . . . . . . 22
+ Appendix E. BLAKE2b and BLAKE2s Self-Test Module C Source . . . 26
+ Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 29
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 30
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Saarinen & Aumasson Informational [Page 2]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+1. Introduction and Terminology
+
+ The BLAKE2 cryptographic hash function [BLAKE2] was designed by Jean-
+ Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian
+ Winnerlein.
+
+ BLAKE2 comes in two basic flavors:
+
+ o BLAKE2b (or just BLAKE2) is optimized for 64-bit platforms and
+ produces digests of any size between 1 and 64 bytes.
+
+ o BLAKE2s is optimized for 8- to 32-bit platforms and produces
+ digests of any size between 1 and 32 bytes.
+
+ Both BLAKE2b and BLAKE2s are believed to be highly secure and perform
+ well on any platform, software, or hardware. BLAKE2 does not require
+ a special "HMAC" (Hashed Message Authentication Code) construction
+ for keyed message authentication as it has a built-in keying
+ mechanism.
+
+ The BLAKE2 hash function may be used by digital signature algorithms
+ and message authentication and integrity protection mechanisms in
+ applications such as Public Key Infrastructure (PKI), secure
+ communication protocols, cloud storage, intrusion detection, forensic
+ suites, and version control systems.
+
+ The BLAKE2 suite provides a more efficient alternative to US Secure
+ Hash Algorithms SHA and HMAC-SHA [RFC6234]. BLAKE2s-128 is
+ especially suited as a fast and more secure drop-in replacement to
+ MD5 and HMAC-MD5 in legacy applications [RFC6151].
+
+ To aid implementation, we provide a trace of BLAKE2b-512 hash
+ computation in Appendix A and a trace of BLAKE2s-256 hash computation
+ in Appendix B. Due to space constraints, this document does not
+ contain a full set of test vectors for BLAKE2.
+
+ A reference implementation in C programming language for BLAKE2b can
+ be found in Appendix C and for BLAKE2s in Appendix D of this
+ document. These implementations MAY be validated with the more
+ exhaustive Test Module contained in Appendix E.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+
+
+
+
+
+
+Saarinen & Aumasson Informational [Page 3]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+2. Conventions, Variables, and Constants
+
+2.1. Parameters
+
+ The following table summarizes various parameters and their ranges:
+
+ | BLAKE2b | BLAKE2s |
+ --------------+------------------+------------------+
+ Bits in word | w = 64 | w = 32 |
+ Rounds in F | r = 12 | r = 10 |
+ Block bytes | bb = 128 | bb = 64 |
+ Hash bytes | 1 <= nn <= 64 | 1 <= nn <= 32 |
+ Key bytes | 0 <= kk <= 64 | 0 <= kk <= 32 |
+ Input bytes | 0 <= ll < 2**128 | 0 <= ll < 2**64 |
+ --------------+------------------+------------------+
+ G Rotation | (R1, R2, R3, R4) | (R1, R2, R3, R4) |
+ constants = | (32, 24, 16, 63) | (16, 12, 8, 7) |
+ --------------+------------------+------------------+
+
+2.2. Other Constants and Variables
+
+ These variables are used in the algorithm description:
+
+ IV[0..7] Initialization Vector (constant).
+
+ SIGMA[0..9] Message word permutations (constant).
+
+ p[0..7] Parameter block (defines hash and key sizes).
+
+ m[0..15] Sixteen words of a single message block.
+
+ h[0..7] Internal state of the hash.
+
+ d[0..dd-1] Padded input blocks. Each has "bb" bytes.
+
+ t Message byte offset at the end of the current block.
+
+ f Flag indicating the last block.
+
+2.3. Arithmetic Notation
+
+ For real-valued x, we define the following functions:
+
+ floor(x) Floor, the largest integer <= x.
+
+ ceil(x) Ceiling, the smallest integer >= x.
+
+ frac(x) Positive fractional part of x, frac(x) = x - floor(x).
+
+
+
+Saarinen & Aumasson Informational [Page 4]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ Operator notation in pseudocode:
+
+ 2**n = 2 to the power "n". 2**0=1, 2**1=2, 2**2=4, 2**3=8, etc.
+
+ a ^ b = Bitwise exclusive-or operation between "a" and "b".
+
+ a mod b = Remainder "a" modulo "b", always in range [0, b-1].
+
+ x >> n = floor(x / 2**n). Logical shift "x" right by "n" bits.
+
+ x << n = (x * 2**n) mod (2**w). Logical shift "x" left by "n".
+
+ x >>> n = (x >> n) ^ (x << (w - n)). Rotate "x" right by "n".
+
+2.4. Little-Endian Interpretation of Words as Bytes
+
+ All mathematical operations are on 64-bit words in BLAKE2b and on
+ 32-bit words in BLAKE2s.
+
+ We may also perform operations on vectors of words. Vector indexing
+ is zero based; the first element of an n-element vector "v" is v[0]
+ and the last one is v[n - 1]. All elements are denoted by v[0..n-1].
+
+ Byte (octet) streams are interpreted as words in little-endian order,
+ with the least-significant byte first. Consider this sequence of
+ eight hexadecimal bytes:
+
+ x[0..7] = 0x01 0x23 0x45 0x67 0x89 0xAB 0xCD 0xEF
+
+ When interpreted as a 32-bit word from the beginning memory address,
+ x[0..3] has a numerical value of 0x67452301 or 1732584193.
+
+ When interpreted as a 64-bit word, bytes x[0..7] have a numerical
+ value of 0xEFCDAB8967452301 or 17279655951921914625.
+
+2.5. Parameter Block
+
+ We specify the parameter block words p[0..7] as follows:
+
+ byte offset: 3 2 1 0 (otherwise zero)
+ p[0] = 0x0101kknn p[1..7] = 0
+
+ Here the "nn" byte specifies the hash size in bytes. The second
+ (little-endian) byte of the parameter block, "kk", specifies the key
+ size in bytes. Set kk = 00 for unkeyed hashing. Bytes 2 and 3 are
+ set as 01. All other bytes in the parameter block are set as zero.
+
+
+
+
+
+Saarinen & Aumasson Informational [Page 5]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ Note: [BLAKE2] defines additional variants of BLAKE2 with features
+ such as salting, personalized hashes, and tree hashing. These
+ OPTIONAL features use fields in the parameter block that are not
+ defined in this document.
+
+2.6. Initialization Vector
+
+ We define the Initialization Vector constant IV mathematically as:
+
+ IV[i] = floor(2**w * frac(sqrt(prime(i+1)))), where prime(i)
+ is the i:th prime number ( 2, 3, 5, 7, 11, 13, 17, 19 )
+ and sqrt(x) is the square root of x.
+
+ The numerical values of IV can also be found in implementations in
+ Appendices C and D for BLAKE2b and BLAKE2s, respectively.
+
+ Note: BLAKE2b IV is the same as SHA-512 IV, and BLAKE2s IV is the
+ same as SHA-256 IV; see [RFC6234].
+
+2.7. Message Schedule SIGMA
+
+ Message word schedule permutations for each round of both BLAKE2b and
+ BLAKE2s are defined by SIGMA. For BLAKE2b, the two extra
+ permutations for rounds 10 and 11 are SIGMA[10..11] = SIGMA[0..1].
+
+ Round | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
+ ----------+-------------------------------------------------+
+ SIGMA[0] | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
+ SIGMA[1] | 14 10 4 8 9 15 13 6 1 12 0 2 11 7 5 3 |
+ SIGMA[2] | 11 8 12 0 5 2 15 13 10 14 3 6 7 1 9 4 |
+ SIGMA[3] | 7 9 3 1 13 12 11 14 2 6 5 10 4 0 15 8 |
+ SIGMA[4] | 9 0 5 7 2 4 10 15 14 1 11 12 6 8 3 13 |
+ SIGMA[5] | 2 12 6 10 0 11 8 3 4 13 7 5 15 14 1 9 |
+ SIGMA[6] | 12 5 1 15 14 13 4 10 0 7 6 3 9 2 8 11 |
+ SIGMA[7] | 13 11 7 14 12 1 3 9 5 0 15 4 8 6 2 10 |
+ SIGMA[8] | 6 15 14 9 11 3 0 8 12 2 13 7 1 4 10 5 |
+ SIGMA[9] | 10 2 8 4 7 6 1 5 15 11 9 14 3 12 13 0 |
+ ----------+-------------------------------------------------+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Saarinen & Aumasson Informational [Page 6]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+3. BLAKE2 Processing
+
+3.1. Mixing Function G
+
+ The G primitive function mixes two input words, "x" and "y", into
+ four words indexed by "a", "b", "c", and "d" in the working vector
+ v[0..15]. The full modified vector is returned. The rotation
+ constants (R1, R2, R3, R4) are given in Section 2.1.
+
+ FUNCTION G( v[0..15], a, b, c, d, x, y )
+ |
+ | v[a] := (v[a] + v[b] + x) mod 2**w
+ | v[d] := (v[d] ^ v[a]) >>> R1
+ | v[c] := (v[c] + v[d]) mod 2**w
+ | v[b] := (v[b] ^ v[c]) >>> R2
+ | v[a] := (v[a] + v[b] + y) mod 2**w
+ | v[d] := (v[d] ^ v[a]) >>> R3
+ | v[c] := (v[c] + v[d]) mod 2**w
+ | v[b] := (v[b] ^ v[c]) >>> R4
+ |
+ | RETURN v[0..15]
+ |
+ END FUNCTION.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Saarinen & Aumasson Informational [Page 7]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+3.2. Compression Function F
+
+ Compression function F takes as an argument the state vector "h",
+ message block vector "m" (last block is padded with zeros to full
+ block size, if required), 2w-bit offset counter "t", and final block
+ indicator flag "f". Local vector v[0..15] is used in processing. F
+ returns a new state vector. The number of rounds, "r", is 12 for
+ BLAKE2b and 10 for BLAKE2s. Rounds are numbered from 0 to r - 1.
+
+ FUNCTION F( h[0..7], m[0..15], t, f )
+ |
+ | // Initialize local work vector v[0..15]
+ | v[0..7] := h[0..7] // First half from state.
+ | v[8..15] := IV[0..7] // Second half from IV.
+ |
+ | v[12] := v[12] ^ (t mod 2**w) // Low word of the offset.
+ | v[13] := v[13] ^ (t >> w) // High word.
+ |
+ | IF f = TRUE THEN // last block flag?
+ | | v[14] := v[14] ^ 0xFF..FF // Invert all bits.
+ | END IF.
+ |
+ | // Cryptographic mixing
+ | FOR i = 0 TO r - 1 DO // Ten or twelve rounds.
+ | |
+ | | // Message word selection permutation for this round.
+ | | s[0..15] := SIGMA[i mod 10][0..15]
+ | |
+ | | v := G( v, 0, 4, 8, 12, m[s[ 0]], m[s[ 1]] )
+ | | v := G( v, 1, 5, 9, 13, m[s[ 2]], m[s[ 3]] )
+ | | v := G( v, 2, 6, 10, 14, m[s[ 4]], m[s[ 5]] )
+ | | v := G( v, 3, 7, 11, 15, m[s[ 6]], m[s[ 7]] )
+ | |
+ | | v := G( v, 0, 5, 10, 15, m[s[ 8]], m[s[ 9]] )
+ | | v := G( v, 1, 6, 11, 12, m[s[10]], m[s[11]] )
+ | | v := G( v, 2, 7, 8, 13, m[s[12]], m[s[13]] )
+ | | v := G( v, 3, 4, 9, 14, m[s[14]], m[s[15]] )
+ | |
+ | END FOR
+ |
+ | FOR i = 0 TO 7 DO // XOR the two halves.
+ | | h[i] := h[i] ^ v[i] ^ v[i + 8]
+ | END FOR.
+ |
+ | RETURN h[0..7] // New state.
+ |
+ END FUNCTION.
+
+
+
+
+Saarinen & Aumasson Informational [Page 8]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+3.3. Padding Data and Computing a BLAKE2 Digest
+
+ We refer the reader to Appendices C and D for reference C language
+ implementations of BLAKE2b and BLAKE2s, respectively.
+
+ Key and data input are split and padded into "dd" message blocks
+ d[0..dd-1], each consisting of 16 words (or "bb" bytes).
+
+ If a secret key is used (kk > 0), it is padded with zero bytes and
+ set as d[0]. Otherwise, d[0] is the first data block. The final
+ data block d[dd-1] is also padded with zero to "bb" bytes (16 words).
+
+ The number of blocks is therefore dd = ceil(kk / bb) + ceil(ll / bb).
+ However, in the special case of an unkeyed empty message (kk = 0 and
+ ll = 0), we still set dd = 1 and d[0] consists of all zeros.
+
+ The following procedure processes the padded data blocks into an
+ "nn"-byte final hash value. See Section 2 for a description of
+ various variables and constants used.
+
+ FUNCTION BLAKE2( d[0..dd-1], ll, kk, nn )
+ |
+ | h[0..7] := IV[0..7] // Initialization Vector.
+ |
+ | // Parameter block p[0]
+ | h[0] := h[0] ^ 0x01010000 ^ (kk << 8) ^ nn
+ |
+ | // Process padded key and data blocks
+ | IF dd > 1 THEN
+ | | FOR i = 0 TO dd - 2 DO
+ | | | h := F( h, d[i], (i + 1) * bb, FALSE )
+ | | END FOR.
+ | END IF.
+ |
+ | // Final block.
+ | IF kk = 0 THEN
+ | | h := F( h, d[dd - 1], ll, TRUE )
+ | ELSE
+ | | h := F( h, d[dd - 1], ll + bb, TRUE )
+ | END IF.
+ |
+ | RETURN first "nn" bytes from little-endian word array h[].
+ |
+ END FUNCTION.
+
+
+
+
+
+
+
+Saarinen & Aumasson Informational [Page 9]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+4. Standard Parameter Sets and Algorithm Identifiers
+
+ An implementation of BLAKE2b and/or BLAKE2s MAY support the following
+ digest size parameters for interoperability (e.g., digital
+ signatures), as long as a sufficient level of security is attained by
+ the parameter selections. These parameters and identifiers are
+ intended to be suitable as drop-in replacements to MD5 and
+ corresponding SHA algorithms.
+
+ Developers adapting BLAKE2 to ASN.1-based message formats SHOULD use
+ the OID tree at x = 1.3.6.1.4.1.1722.12.2. The same OID can be used
+ for both keyed and unkeyed hashing since in the latter case the key
+ simply has zero length.
+
+ Algorithm | Target | Collision | Hash | Hash ASN.1 |
+ Identifier | Arch | Security | nn | OID Suffix |
+ ---------------+--------+-----------+------+------------+
+ id-blake2b160 | 64-bit | 2**80 | 20 | x.1.5 |
+ id-blake2b256 | 64-bit | 2**128 | 32 | x.1.8 |
+ id-blake2b384 | 64-bit | 2**192 | 48 | x.1.12 |
+ id-blake2b512 | 64-bit | 2**256 | 64 | x.1.16 |
+ ---------------+--------+-----------+------+------------+
+ id-blake2s128 | 32-bit | 2**64 | 16 | x.2.4 |
+ id-blake2s160 | 32-bit | 2**80 | 20 | x.2.5 |
+ id-blake2s224 | 32-bit | 2**112 | 28 | x.2.7 |
+ id-blake2s256 | 32-bit | 2**128 | 32 | x.2.8 |
+ ---------------+--------+-----------+------+------------+
+
+ hashAlgs OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ private(4) enterprise(1) kudelski(1722) cryptography(12) 2
+ }
+ macAlgs OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ private(4) enterprise(1) kudelski(1722) cryptography(12) 3
+ }
+
+ -- the two BLAKE2 variants --
+ blake2b OBJECT IDENTIFIER ::= { hashAlgs 1 }
+ blake2s OBJECT IDENTIFIER ::= { hashAlgs 2 }
+
+ -- BLAKE2b Identifiers --
+ id-blake2b160 OBJECT IDENTIFIER ::= { blake2b 5 }
+ id-blake2b256 OBJECT IDENTIFIER ::= { blake2b 8 }
+ id-blake2b384 OBJECT IDENTIFIER ::= { blake2b 12 }
+ id-blake2b512 OBJECT IDENTIFIER ::= { blake2b 16 }
+
+
+
+
+
+Saarinen & Aumasson Informational [Page 10]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ -- BLAKE2s Identifiers --
+ id-blake2s128 OBJECT IDENTIFIER ::= { blake2s 4 }
+ id-blake2s160 OBJECT IDENTIFIER ::= { blake2s 5 }
+ id-blake2s224 OBJECT IDENTIFIER ::= { blake2s 7 }
+ id-blake2s256 OBJECT IDENTIFIER ::= { blake2s 8 }
+
+5. Security Considerations
+
+ This document is intended to provide convenient open-source access by
+ the Internet community to the BLAKE2 cryptographic hash algorithm.
+ We wish to make no independent assertion to its security in this
+ document. We refer the reader to [BLAKE] and [BLAKE2] for detailed
+ cryptanalytic rationale behind its design.
+
+ In order to avoid bloat, the reference implementations in Appendices
+ C and D may not erase all sensitive data (such as secret keys)
+ immediately from process memory after use. Such cleanup can be added
+ if needed.
+
+6. References
+
+6.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <http://www.rfc-editor.org/info/rfc2119>.
+
+6.2. Informative References
+
+ [BLAKE] Aumasson, J-P., Meier, W., Phan, R., and L. Henzen, "The
+ Hash Function BLAKE", January 2015,
+ <https://131002.net/blake/book>.
+
+ [BLAKE2] Aumasson, J-P., Neves, S., Wilcox-O'Hearn, Z., and C.
+ Winnerlein, "BLAKE2: simpler, smaller, fast as MD5",
+ January 2013, <https://blake2.net/blake2.pdf>.
+
+ [FIPS140-2IG]
+ NIST, "Implementation Guidance for FIPS PUB 140-2 and the
+ Cryptographic Module Validation Program", September 2015,
+ <http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/
+ FIPS1402IG.pdf/>.
+
+ [RFC6151] Turner, S. and L. Chen, "Updated Security Considerations
+ for the MD5 Message-Digest and the HMAC-MD5 Algorithms",
+ RFC 6151, DOI 10.17487/RFC6151, March 2011,
+ <http://www.rfc-editor.org/info/rfc6151>.
+
+
+
+Saarinen & Aumasson Informational [Page 11]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
+ (SHA and SHA-based HMAC and HKDF)", RFC 6234,
+ DOI 10.17487/RFC6234, May 2011,
+ <http://www.rfc-editor.org/info/rfc6234>.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Saarinen & Aumasson Informational [Page 12]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+Appendix A. Example of BLAKE2b Computation
+
+ We compute the unkeyed hash of three ASCII bytes "abc" with
+ BLAKE2b-512 and show internal values during computation.
+
+ m[16] = 0000000000636261 0000000000000000 0000000000000000
+ 0000000000000000 0000000000000000 0000000000000000
+ 0000000000000000 0000000000000000 0000000000000000
+ 0000000000000000 0000000000000000 0000000000000000
+ 0000000000000000 0000000000000000 0000000000000000
+ 0000000000000000
+
+ (i= 0) v[16] = 6A09E667F2BDC948 BB67AE8584CAA73B 3C6EF372FE94F82B
+ A54FF53A5F1D36F1 510E527FADE682D1 9B05688C2B3E6C1F
+ 1F83D9ABFB41BD6B 5BE0CD19137E2179 6A09E667F3BCC908
+ BB67AE8584CAA73B 3C6EF372FE94F82B A54FF53A5F1D36F1
+ 510E527FADE682D2 9B05688C2B3E6C1F E07C265404BE4294
+ 5BE0CD19137E2179
+
+ (i= 1) v[16] = 86B7C1568029BB79 C12CBCC809FF59F3 C6A5214CC0EACA8E
+ 0C87CD524C14CC5D 44EE6039BD86A9F7 A447C850AA694A7E
+ DE080F1BB1C0F84B 595CB8A9A1ACA66C BEC3AE837EAC4887
+ 6267FC79DF9D6AD1 FA87B01273FA6DBE 521A715C63E08D8A
+ E02D0975B8D37A83 1C7B754F08B7D193 8F885A76B6E578FE
+ 2318A24E2140FC64
+
+ (i= 2) v[16] = 53281E83806010F2 3594B403F81B4393 8CD63C7462DE0DFF
+ 85F693F3DA53F974 BAABDBB2F386D9AE CA5425AEC65A10A8
+ C6A22E2FF0F7AA48 C6A56A51CB89C595 224E6A3369224F96
+ 500E125E58A92923 E9E4AD0D0E1A0D48 85DF9DC143C59A74
+ 92A3AAAA6D952B7F C5FDF71090FAE853 2A8A40F15A462DD0
+ 572D17EFFDD37358
+
+ (i= 3) v[16] = 60ED96AA7AD41725 E46A743C71800B9D 1A04B543A01F156B
+ A2F8716E775C4877 DA0A61BCDE4267EA B1DD230754D7BDEE
+ 25A1422779E06D14 E6823AE4C3FF58A5 A1677E19F37FD5DA
+ 22BDCE6976B08C51 F1DE8696BEC11BF1 A0EBD586A4A1D2C8
+ C804EBAB11C99FA9 8E0CEC959C715793 7C45557FAE0D4D89
+ 716343F52FDD265E
+
+ (i= 4) v[16] = BB2A77D3A8382351 45EB47971F23B103 98BE297F6E45C684
+ A36077DEE3370B89 8A03C4CB7E97590A 24192E49EBF54EA0
+ 4F82C9401CB32D7A 8CCD013726420DC4 A9C9A8F17B1FC614
+ 55908187977514A0 5B44273E66B19D27 B6D5C9FCA2579327
+ 086092CFB858437E 5C4BE2156DBEECF9 2EFEDE99ED4EFF16
+ 3E7B5F234CD1F804
+
+
+
+
+
+Saarinen & Aumasson Informational [Page 13]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ (i= 5) v[16] = C79C15B3D423B099 2DA2224E8DA97556 77D2B26DF1C45C55
+ 8934EB09A3456052 0F6D9EEED157DA2A 6FE66467AF88C0A9
+ 4EB0B76284C7AAFB 299C8E725D954697 B2240B59E6D567D3
+ 2643C2370E49EBFD 79E02EEF20CDB1AE 64B3EED7BB602F39
+ B97D2D439E4DF63D C718E755294C9111 1F0893F2772BB373
+ 1205EA4A7859807D
+
+ (i= 6) v[16] = E58F97D6385BAEE4 7640AA9764DA137A DEB4C7C23EFE287E
+ 70F6F41C8783C9F6 7127CD48C76A7708 9E472AF0BE3DB3F6
+ 0F244C62DDF71788 219828AA83880842 41CCA9073C8C4D0D
+ 5C7912BC10DF3B4B A2C3ABBD37510EE2 CB5668CC2A9F7859
+ 8733794F07AC1500 C67A6BE42335AA6F ACB22B28681E4C82
+ DB2161604CBC9828
+
+ (i= 7) v[16] = 6E2D286EEADEDC81 BCF02C0787E86358 57D56A56DD015EDF
+ 55D899D40A5D0D0A 819415B56220C459 B63C479A6A769F02
+ 258E55E0EC1F362A 3A3B4EC60E19DFDC 04D769B3FCB048DB
+ B78A9A33E9BFF4DD 5777272AE1E930C0 5A387849E578DBF6
+ 92AAC307CF2C0AFC 30AACCC4F06DAFAA 483893CC094F8863
+ E03C6CC89C26BF92
+
+ (i= 8) v[16] = FFC83ECE76024D01 1BE7BFFB8C5CC5F9 A35A18CBAC4C65B7
+ B7C2C7E6D88C285F 81937DA314A50838 E1179523A2541963
+ 3A1FAD7106232B8F 1C7EDE92AB8B9C46 A3C2D35E4F685C10
+ A53D3F73AA619624 30BBCC0285A22F65 BCEFBB6A81539E5D
+ 3841DEF6F4C9848A 98662C85FBA726D4 7762439BD5A851BD
+ B0B9F0D443D1A889
+
+ (i= 9) v[16] = 753A70A1E8FAEADD 6B0D43CA2C25D629 F8343BA8B94F8C0B
+ BC7D062B0DB5CF35 58540EE1B1AEBC47 63C5B9B80D294CB9
+ 490870ECAD27DEBD B2A90DDF667287FE 316CC9EBEEFAD8FC
+ 4A466BCD021526A4 5DA7F7638CEC5669 D9C8826727D306FC
+ 88ED6C4F3BD7A537 19AE688DDF67F026 4D8707AAB40F7E6D
+ FD3F572687FEA4F1
+
+ (i=10) v[16] = E630C747CCD59C4F BC713D41127571CA 46DB183025025078
+ 6727E81260610140 2D04185EAC2A8CBA 5F311B88904056EC
+ 40BD313009201AAB 0099D4F82A2A1EAB 6DD4FBC1DE60165D
+ B3B0B51DE3C86270 900AEE2F233B08E5 A07199D87AD058D8
+ 2C6B25593D717852 37E8CA471BEAA5F8 2CFC1BAC10EF4457
+ 01369EC18746E775
+
+ (i=11) v[16] = E801F73B9768C760 35C6D22320BE511D 306F27584F65495E
+ B51776ADF569A77B F4F1BE86690B3C34 3CC88735D1475E4B
+ 5DAC67921FF76949 1CDB9D31AD70CC4E 35BA354A9C7DF448
+ 4929CBE45679D73E 733D1A17248F39DB 92D57B736F5F170A
+ 61B5C0A41D491399 B5C333457E12844A BD696BE010D0D889
+ 02231E1A917FE0BD
+
+
+
+Saarinen & Aumasson Informational [Page 14]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ (i=12) v[16] = 12EF8A641EC4F6D6 BCED5DE977C9FAF5 733CA476C5148639
+ 97DF596B0610F6FC F42C16519AD5AFA7 AA5AC1888E10467E
+ 217D930AA51787F3 906A6FF19E573942 75AB709BD3DCBF24
+ EE7CE1F345947AA4 F8960D6C2FAF5F5E E332538A36B6D246
+ 885BEF040EF6AA0B A4939A417BFB78A3 646CBB7AF6DCE980
+ E813A23C60AF3B82
+
+ h[8] = 0D4D1C983FA580BA E9F6129FB697276A B7C45A68142F214C
+ D1A2FFDB6FBB124B 2D79AB2A39C5877D 95CC3345DED552C2
+ 5A92F1DBA88AD318 239900D4ED8623B9
+
+ BLAKE2b-512("abc") = BA 80 A5 3F 98 1C 4D 0D 6A 27 97 B6 9F 12 F6 E9
+ 4C 21 2F 14 68 5A C4 B7 4B 12 BB 6F DB FF A2 D1
+ 7D 87 C5 39 2A AB 79 2D C2 52 D5 DE 45 33 CC 95
+ 18 D3 8A A8 DB F1 92 5A B9 23 86 ED D4 00 99 23
+
+Appendix B. Example of BLAKE2s Computation
+
+ We compute the unkeyed hash of three ASCII bytes "abc" with
+ BLAKE2s-256 and show internal values during computation.
+
+ m[16] = 00636261 00000000 00000000 00000000 00000000 00000000
+ 00000000 00000000 00000000 00000000 00000000 00000000
+ 00000000 00000000 00000000 00000000
+
+ (i=0) v[16] = 6B08E647 BB67AE85 3C6EF372 A54FF53A 510E527F 9B05688C
+ 1F83D9AB 5BE0CD19 6A09E667 BB67AE85 3C6EF372 A54FF53A
+ 510E527C 9B05688C E07C2654 5BE0CD19
+
+ (i=1) v[16] = 16A3242E D7B5E238 CE8CE24B 927AEDE1 A7B430D9 93A4A14E
+ A44E7C31 41D4759B 95BF33D3 9A99C181 608A3A6B B666383E
+ 7A8DD50F BE378ED7 353D1EE6 3BB44C6B
+
+ (i=2) v[16] = 3AE30FE3 0982A96B E88185B4 3E339B16 F24338CD 0E66D326
+ E005ED0C D591A277 180B1F3A FCF43914 30DB62D6 4847831C
+ 7F00C58E FB847886 C544E836 524AB0E2
+
+ (i=3) v[16] = 7A3BE783 997546C1 D45246DF EDB5F821 7F98A742 10E864E2
+ D4AB70D0 C63CB1AB 6038DA9E 414594B0 F2C218B5 8DA0DCB7
+ D7CD7AF5 AB4909DF 85031A52 C4EDFC98
+
+ (i=4) v[16] = 2A8B8CB7 1ACA82B2 14045D7F CC7258ED 383CF67C E090E7F9
+ 3025D276 57D04DE4 994BACF0 F0982759 F17EE300 D48FC2D5
+ DC854C10 523898A9 C03A0F89 47D6CD88
+
+ (i=5) v[16] = C4AA2DDB 111343A3 D54A700A 574A00A9 857D5A48 B1E11989
+ 6F5C52DF DD2C53A3 678E5F8E 9718D4E9 622CB684 92976076
+ 0E41A517 359DC2BE 87A87DDD 643F9CEC
+
+
+
+Saarinen & Aumasson Informational [Page 15]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ (i=6) v[16] = 3453921C D7595EE1 592E776D 3ED6A974 4D997CB3 DE9212C3
+ 35ADF5C9 9916FD65 96562E89 4EAD0792 EBFC2712 2385F5B2
+ F34600FB D7BC20FB EB452A7B ECE1AA40
+
+ (i=7) v[16] = BE851B2D A85F6358 81E6FC3B 0BB28000 FA55A33A 87BE1FAD
+ 4119370F 1E2261AA A1318FD3 F4329816 071783C2 6E536A8D
+ 9A81A601 E7EC80F1 ACC09948 F849A584
+
+ (i=8) v[16] = 07E5B85A 069CC164 F9DE3141 A56F4680 9E440AD2 9AB659EA
+ 3C84B971 21DBD9CF 46699F8C 765257EC AF1D998C 75E4C3B6
+ 523878DC 30715015 397FEE81 4F1FA799
+
+ (i=9) v[16] = 435148C4 A5AA2D11 4B354173 D543BC9E BDA2591C BF1D2569
+ 4FCB3120 707ADA48 565B3FDE 32C9C916 EAF4A1AB B1018F28
+ 8078D978 68ADE4B5 9778FDA3 2863B92E
+
+ (i=10) v[16] = D9C994AA CFEC3AA6 700D0AB2 2C38670E AF6A1F66 1D023EF3
+ 1D9EC27D 945357A5 3E9FFEBD 969FE811 EF485E21 A632797A
+ DEEF082E AF3D80E1 4E86829B 4DEAFD3A
+
+ h[8] = 8C5E8C50 E2147C32 A32BA7E1 2F45EB4E 208B4537 293AD69E
+ 4C9B994D 82596786
+
+ BLAKE2s-256("abc") = 50 8C 5E 8C 32 7C 14 E2 E1 A7 2B A3 4E EB 45 2F
+ 37 45 8B 20 9E D6 3A 29 4D 99 9B 4C 86 67 59 82
+
+Appendix C. BLAKE2b Implementation C Source
+
+C.1. blake2b.h
+
+ <CODE BEGINS>
+ // blake2b.h
+ // BLAKE2b Hashing Context and API Prototypes
+
+ #ifndef BLAKE2B_H
+ #define BLAKE2B_H
+
+ #include <stdint.h>
+ #include <stddef.h>
+
+ // state context
+ typedef struct {
+ uint8_t b[128]; // input buffer
+ uint64_t h[8]; // chained state
+ uint64_t t[2]; // total number of bytes
+ size_t c; // pointer for b[]
+ size_t outlen; // digest size
+ } blake2b_ctx;
+
+
+
+Saarinen & Aumasson Informational [Page 16]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ // Initialize the hashing context "ctx" with optional key "key".
+ // 1 <= outlen <= 64 gives the digest size in bytes.
+ // Secret key (also <= 64 bytes) is optional (keylen = 0).
+ int blake2b_init(blake2b_ctx *ctx, size_t outlen,
+ const void *key, size_t keylen); // secret key
+
+ // Add "inlen" bytes from "in" into the hash.
+ void blake2b_update(blake2b_ctx *ctx, // context
+ const void *in, size_t inlen); // data to be hashed
+
+ // Generate the message digest (size given in init).
+ // Result placed in "out".
+ void blake2b_final(blake2b_ctx *ctx, void *out);
+
+ // All-in-one convenience function.
+ int blake2b(void *out, size_t outlen, // return buffer for digest
+ const void *key, size_t keylen, // optional secret key
+ const void *in, size_t inlen); // data to be hashed
+
+ #endif
+ <CODE ENDS>
+
+C.2. blake2b.c
+
+ <CODE BEGINS>
+ // blake2b.c
+ // A simple BLAKE2b Reference Implementation.
+
+ #include "blake2b.h"
+
+ // Cyclic right rotation.
+
+ #ifndef ROTR64
+ #define ROTR64(x, y) (((x) >> (y)) ^ ((x) << (64 - (y))))
+ #endif
+
+ // Little-endian byte access.
+
+ #define B2B_GET64(p) \
+ (((uint64_t) ((uint8_t *) (p))[0]) ^ \
+ (((uint64_t) ((uint8_t *) (p))[1]) << 8) ^ \
+ (((uint64_t) ((uint8_t *) (p))[2]) << 16) ^ \
+ (((uint64_t) ((uint8_t *) (p))[3]) << 24) ^ \
+ (((uint64_t) ((uint8_t *) (p))[4]) << 32) ^ \
+ (((uint64_t) ((uint8_t *) (p))[5]) << 40) ^ \
+ (((uint64_t) ((uint8_t *) (p))[6]) << 48) ^ \
+ (((uint64_t) ((uint8_t *) (p))[7]) << 56))
+
+
+
+
+Saarinen & Aumasson Informational [Page 17]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ // G Mixing function.
+
+ #define B2B_G(a, b, c, d, x, y) { \
+ v[a] = v[a] + v[b] + x; \
+ v[d] = ROTR64(v[d] ^ v[a], 32); \
+ v[c] = v[c] + v[d]; \
+ v[b] = ROTR64(v[b] ^ v[c], 24); \
+ v[a] = v[a] + v[b] + y; \
+ v[d] = ROTR64(v[d] ^ v[a], 16); \
+ v[c] = v[c] + v[d]; \
+ v[b] = ROTR64(v[b] ^ v[c], 63); }
+
+ // Initialization Vector.
+
+ static const uint64_t blake2b_iv[8] = {
+ 0x6A09E667F3BCC908, 0xBB67AE8584CAA73B,
+ 0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1,
+ 0x510E527FADE682D1, 0x9B05688C2B3E6C1F,
+ 0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179
+ };
+
+ // Compression function. "last" flag indicates last block.
+
+ static void blake2b_compress(blake2b_ctx *ctx, int last)
+ {
+ const uint8_t sigma[12][16] = {
+ { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
+ { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
+ { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
+ { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
+ { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
+ { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
+ { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
+ { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
+ { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
+ { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
+ { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
+ { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
+ };
+ int i;
+ uint64_t v[16], m[16];
+
+ for (i = 0; i < 8; i++) { // init work variables
+ v[i] = ctx->h[i];
+ v[i + 8] = blake2b_iv[i];
+ }
+
+
+
+
+
+Saarinen & Aumasson Informational [Page 18]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ v[12] ^= ctx->t[0]; // low 64 bits of offset
+ v[13] ^= ctx->t[1]; // high 64 bits
+ if (last) // last block flag set ?
+ v[14] = ~v[14];
+
+ for (i = 0; i < 16; i++) // get little-endian words
+ m[i] = B2B_GET64(&ctx->b[8 * i]);
+
+ for (i = 0; i < 12; i++) { // twelve rounds
+ B2B_G( 0, 4, 8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]);
+ B2B_G( 1, 5, 9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]);
+ B2B_G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]);
+ B2B_G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]);
+ B2B_G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]);
+ B2B_G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]);
+ B2B_G( 2, 7, 8, 13, m[sigma[i][12]], m[sigma[i][13]]);
+ B2B_G( 3, 4, 9, 14, m[sigma[i][14]], m[sigma[i][15]]);
+ }
+
+ for( i = 0; i < 8; ++i )
+ ctx->h[i] ^= v[i] ^ v[i + 8];
+ }
+
+ // Initialize the hashing context "ctx" with optional key "key".
+ // 1 <= outlen <= 64 gives the digest size in bytes.
+ // Secret key (also <= 64 bytes) is optional (keylen = 0).
+
+ int blake2b_init(blake2b_ctx *ctx, size_t outlen,
+ const void *key, size_t keylen) // (keylen=0: no key)
+ {
+ size_t i;
+
+ if (outlen == 0 || outlen > 64 || keylen > 64)
+ return -1; // illegal parameters
+
+ for (i = 0; i < 8; i++) // state, "param block"
+ ctx->h[i] = blake2b_iv[i];
+ ctx->h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen;
+
+ ctx->t[0] = 0; // input count low word
+ ctx->t[1] = 0; // input count high word
+ ctx->c = 0; // pointer within buffer
+ ctx->outlen = outlen;
+
+
+
+
+
+
+
+
+Saarinen & Aumasson Informational [Page 19]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ for (i = keylen; i < 128; i++) // zero input block
+ ctx->b[i] = 0;
+ if (keylen > 0) {
+ blake2b_update(ctx, key, keylen);
+ ctx->c = 128; // at the end
+ }
+
+ return 0;
+ }
+
+ // Add "inlen" bytes from "in" into the hash.
+
+ void blake2b_update(blake2b_ctx *ctx,
+ const void *in, size_t inlen) // data bytes
+ {
+ size_t i;
+
+ for (i = 0; i < inlen; i++) {
+ if (ctx->c == 128) { // buffer full ?
+ ctx->t[0] += ctx->c; // add counters
+ if (ctx->t[0] < ctx->c) // carry overflow ?
+ ctx->t[1]++; // high word
+ blake2b_compress(ctx, 0); // compress (not last)
+ ctx->c = 0; // counter to zero
+ }
+ ctx->b[ctx->c++] = ((const uint8_t *) in)[i];
+ }
+ }
+
+ // Generate the message digest (size given in init).
+ // Result placed in "out".
+
+ void blake2b_final(blake2b_ctx *ctx, void *out)
+ {
+ size_t i;
+
+ ctx->t[0] += ctx->c; // mark last block offset
+ if (ctx->t[0] < ctx->c) // carry overflow
+ ctx->t[1]++; // high word
+
+ while (ctx->c < 128) // fill up with zeros
+ ctx->b[ctx->c++] = 0;
+ blake2b_compress(ctx, 1); // final block flag = 1
+
+
+
+
+
+
+
+
+Saarinen & Aumasson Informational [Page 20]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ // little endian convert and store
+ for (i = 0; i < ctx->outlen; i++) {
+ ((uint8_t *) out)[i] =
+ (ctx->h[i >> 3] >> (8 * (i & 7))) & 0xFF;
+ }
+ }
+
+ // Convenience function for all-in-one computation.
+
+ int blake2b(void *out, size_t outlen,
+ const void *key, size_t keylen,
+ const void *in, size_t inlen)
+ {
+ blake2b_ctx ctx;
+
+ if (blake2b_init(&ctx, outlen, key, keylen))
+ return -1;
+ blake2b_update(&ctx, in, inlen);
+ blake2b_final(&ctx, out);
+
+ return 0;
+ }
+ <CODE ENDS>
+
+Appendix D. BLAKE2s Implementation C Source
+
+D.1. blake2s.h
+
+ <CODE BEGINS>
+ // blake2s.h
+ // BLAKE2s Hashing Context and API Prototypes
+
+ #ifndef BLAKE2S_H
+ #define BLAKE2S_H
+
+ #include <stdint.h>
+ #include <stddef.h>
+
+ // state context
+ typedef struct {
+ uint8_t b[64]; // input buffer
+ uint32_t h[8]; // chained state
+ uint32_t t[2]; // total number of bytes
+ size_t c; // pointer for b[]
+ size_t outlen; // digest size
+ } blake2s_ctx;
+
+
+
+
+
+Saarinen & Aumasson Informational [Page 21]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ // Initialize the hashing context "ctx" with optional key "key".
+ // 1 <= outlen <= 32 gives the digest size in bytes.
+ // Secret key (also <= 32 bytes) is optional (keylen = 0).
+ int blake2s_init(blake2s_ctx *ctx, size_t outlen,
+ const void *key, size_t keylen); // secret key
+
+ // Add "inlen" bytes from "in" into the hash.
+ void blake2s_update(blake2s_ctx *ctx, // context
+ const void *in, size_t inlen); // data to be hashed
+
+ // Generate the message digest (size given in init).
+ // Result placed in "out".
+ void blake2s_final(blake2s_ctx *ctx, void *out);
+
+ // All-in-one convenience function.
+ int blake2s(void *out, size_t outlen, // return buffer for digest
+ const void *key, size_t keylen, // optional secret key
+ const void *in, size_t inlen); // data to be hashed
+
+ #endif
+ <CODE ENDS>
+
+D.2. blake2s.c
+
+ <CODE BEGINS>
+ // blake2s.c
+ // A simple blake2s Reference Implementation.
+
+ #include "blake2s.h"
+
+ // Cyclic right rotation.
+
+ #ifndef ROTR32
+ #define ROTR32(x, y) (((x) >> (y)) ^ ((x) << (32 - (y))))
+ #endif
+
+ // Little-endian byte access.
+
+ #define B2S_GET32(p) \
+ (((uint32_t) ((uint8_t *) (p))[0]) ^ \
+ (((uint32_t) ((uint8_t *) (p))[1]) << 8) ^ \
+ (((uint32_t) ((uint8_t *) (p))[2]) << 16) ^ \
+ (((uint32_t) ((uint8_t *) (p))[3]) << 24))
+
+
+
+
+
+
+
+
+Saarinen & Aumasson Informational [Page 22]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ // Mixing function G.
+
+ #define B2S_G(a, b, c, d, x, y) { \
+ v[a] = v[a] + v[b] + x; \
+ v[d] = ROTR32(v[d] ^ v[a], 16); \
+ v[c] = v[c] + v[d]; \
+ v[b] = ROTR32(v[b] ^ v[c], 12); \
+ v[a] = v[a] + v[b] + y; \
+ v[d] = ROTR32(v[d] ^ v[a], 8); \
+ v[c] = v[c] + v[d]; \
+ v[b] = ROTR32(v[b] ^ v[c], 7); }
+
+ // Initialization Vector.
+
+ static const uint32_t blake2s_iv[8] =
+ {
+ 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
+ 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19
+ };
+
+ // Compression function. "last" flag indicates last block.
+
+ static void blake2s_compress(blake2s_ctx *ctx, int last)
+ {
+ const uint8_t sigma[10][16] = {
+ { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
+ { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
+ { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
+ { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
+ { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
+ { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
+ { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
+ { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
+ { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
+ { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }
+ };
+ int i;
+ uint32_t v[16], m[16];
+
+ for (i = 0; i < 8; i++) { // init work variables
+ v[i] = ctx->h[i];
+ v[i + 8] = blake2s_iv[i];
+ }
+
+ v[12] ^= ctx->t[0]; // low 32 bits of offset
+ v[13] ^= ctx->t[1]; // high 32 bits
+ if (last) // last block flag set ?
+ v[14] = ~v[14];
+
+
+
+Saarinen & Aumasson Informational [Page 23]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ for (i = 0; i < 16; i++) // get little-endian words
+ m[i] = B2S_GET32(&ctx->b[4 * i]);
+
+ for (i = 0; i < 10; i++) { // ten rounds
+ B2S_G( 0, 4, 8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]);
+ B2S_G( 1, 5, 9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]);
+ B2S_G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]);
+ B2S_G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]);
+ B2S_G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]);
+ B2S_G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]);
+ B2S_G( 2, 7, 8, 13, m[sigma[i][12]], m[sigma[i][13]]);
+ B2S_G( 3, 4, 9, 14, m[sigma[i][14]], m[sigma[i][15]]);
+ }
+
+ for( i = 0; i < 8; ++i )
+ ctx->h[i] ^= v[i] ^ v[i + 8];
+ }
+
+ // Initialize the hashing context "ctx" with optional key "key".
+ // 1 <= outlen <= 32 gives the digest size in bytes.
+ // Secret key (also <= 32 bytes) is optional (keylen = 0).
+
+ int blake2s_init(blake2s_ctx *ctx, size_t outlen,
+ const void *key, size_t keylen) // (keylen=0: no key)
+ {
+ size_t i;
+
+ if (outlen == 0 || outlen > 32 || keylen > 32)
+ return -1; // illegal parameters
+
+ for (i = 0; i < 8; i++) // state, "param block"
+ ctx->h[i] = blake2s_iv[i];
+ ctx->h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen;
+
+ ctx->t[0] = 0; // input count low word
+ ctx->t[1] = 0; // input count high word
+ ctx->c = 0; // pointer within buffer
+ ctx->outlen = outlen;
+
+ for (i = keylen; i < 64; i++) // zero input block
+ ctx->b[i] = 0;
+ if (keylen > 0) {
+ blake2s_update(ctx, key, keylen);
+ ctx->c = 64; // at the end
+ }
+
+ return 0;
+ }
+
+
+
+Saarinen & Aumasson Informational [Page 24]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ // Add "inlen" bytes from "in" into the hash.
+
+ void blake2s_update(blake2s_ctx *ctx,
+ const void *in, size_t inlen) // data bytes
+ {
+ size_t i;
+
+ for (i = 0; i < inlen; i++) {
+ if (ctx->c == 64) { // buffer full ?
+ ctx->t[0] += ctx->c; // add counters
+ if (ctx->t[0] < ctx->c) // carry overflow ?
+ ctx->t[1]++; // high word
+ blake2s_compress(ctx, 0); // compress (not last)
+ ctx->c = 0; // counter to zero
+ }
+ ctx->b[ctx->c++] = ((const uint8_t *) in)[i];
+ }
+ }
+
+ // Generate the message digest (size given in init).
+ // Result placed in "out".
+
+ void blake2s_final(blake2s_ctx *ctx, void *out)
+ {
+ size_t i;
+
+ ctx->t[0] += ctx->c; // mark last block offset
+ if (ctx->t[0] < ctx->c) // carry overflow
+ ctx->t[1]++; // high word
+
+ while (ctx->c < 64) // fill up with zeros
+ ctx->b[ctx->c++] = 0;
+ blake2s_compress(ctx, 1); // final block flag = 1
+
+ // little endian convert and store
+ for (i = 0; i < ctx->outlen; i++) {
+ ((uint8_t *) out)[i] =
+ (ctx->h[i >> 2] >> (8 * (i & 3))) & 0xFF;
+ }
+ }
+
+ // Convenience function for all-in-one computation.
+
+ int blake2s(void *out, size_t outlen,
+ const void *key, size_t keylen,
+ const void *in, size_t inlen)
+ {
+ blake2s_ctx ctx;
+
+
+
+Saarinen & Aumasson Informational [Page 25]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ if (blake2s_init(&ctx, outlen, key, keylen))
+ return -1;
+ blake2s_update(&ctx, in, inlen);
+ blake2s_final(&ctx, out);
+
+ return 0;
+ }
+ <CODE ENDS>
+
+Appendix E. BLAKE2b and BLAKE2s Self-Test Module C Source
+
+ This module computes a series of keyed and unkeyed hashes from
+ deterministically generated pseudorandom data and computes a hash
+ over those results. This is a fairly exhaustive, yet compact and
+ fast method for verifying that the hashing module is functioning
+ correctly.
+
+ Such testing is RECOMMENDED, especially when compiling the
+ implementation for a new a target platform configuration.
+ Furthermore, some security standards, such as FIPS-140, may require a
+ Power-On Self Test (POST) to be performed every time the
+ cryptographic module is loaded [FIPS140-2IG].
+
+ <CODE BEGINS>
+ // test_main.c
+ // Self test Modules for BLAKE2b and BLAKE2s -- and a stub main().
+
+ #include <stdio.h>
+
+ #include "blake2b.h"
+ #include "blake2s.h"
+
+ // Deterministic sequences (Fibonacci generator).
+
+ static void selftest_seq(uint8_t *out, size_t len, uint32_t seed)
+ {
+ size_t i;
+ uint32_t t, a , b;
+
+ a = 0xDEAD4BAD * seed; // prime
+ b = 1;
+
+ for (i = 0; i < len; i++) { // fill the buf
+ t = a + b;
+ a = b;
+ b = t;
+ out[i] = (t >> 24) & 0xFF;
+ }
+
+
+
+Saarinen & Aumasson Informational [Page 26]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ }
+
+ // BLAKE2b self-test validation. Return 0 when OK.
+
+ int blake2b_selftest()
+ {
+ // grand hash of hash results
+ const uint8_t blake2b_res[32] = {
+ 0xC2, 0x3A, 0x78, 0x00, 0xD9, 0x81, 0x23, 0xBD,
+ 0x10, 0xF5, 0x06, 0xC6, 0x1E, 0x29, 0xDA, 0x56,
+ 0x03, 0xD7, 0x63, 0xB8, 0xBB, 0xAD, 0x2E, 0x73,
+ 0x7F, 0x5E, 0x76, 0x5A, 0x7B, 0xCC, 0xD4, 0x75
+ };
+ // parameter sets
+ const size_t b2b_md_len[4] = { 20, 32, 48, 64 };
+ const size_t b2b_in_len[6] = { 0, 3, 128, 129, 255, 1024 };
+
+ size_t i, j, outlen, inlen;
+ uint8_t in[1024], md[64], key[64];
+ blake2b_ctx ctx;
+
+ // 256-bit hash for testing
+ if (blake2b_init(&ctx, 32, NULL, 0))
+ return -1;
+
+ for (i = 0; i < 4; i++) {
+ outlen = b2b_md_len[i];
+ for (j = 0; j < 6; j++) {
+ inlen = b2b_in_len[j];
+
+ selftest_seq(in, inlen, inlen); // unkeyed hash
+ blake2b(md, outlen, NULL, 0, in, inlen);
+ blake2b_update(&ctx, md, outlen); // hash the hash
+
+ selftest_seq(key, outlen, outlen); // keyed hash
+ blake2b(md, outlen, key, outlen, in, inlen);
+ blake2b_update(&ctx, md, outlen); // hash the hash
+ }
+ }
+
+ // compute and compare the hash of hashes
+ blake2b_final(&ctx, md);
+ for (i = 0; i < 32; i++) {
+ if (md[i] != blake2b_res[i])
+ return -1;
+ }
+
+ return 0;
+
+
+
+Saarinen & Aumasson Informational [Page 27]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ }
+
+ // BLAKE2s self-test validation. Return 0 when OK.
+
+ int blake2s_selftest()
+ {
+ // Grand hash of hash results.
+ const uint8_t blake2s_res[32] = {
+ 0x6A, 0x41, 0x1F, 0x08, 0xCE, 0x25, 0xAD, 0xCD,
+ 0xFB, 0x02, 0xAB, 0xA6, 0x41, 0x45, 0x1C, 0xEC,
+ 0x53, 0xC5, 0x98, 0xB2, 0x4F, 0x4F, 0xC7, 0x87,
+ 0xFB, 0xDC, 0x88, 0x79, 0x7F, 0x4C, 0x1D, 0xFE
+ };
+ // Parameter sets.
+ const size_t b2s_md_len[4] = { 16, 20, 28, 32 };
+ const size_t b2s_in_len[6] = { 0, 3, 64, 65, 255, 1024 };
+
+ size_t i, j, outlen, inlen;
+ uint8_t in[1024], md[32], key[32];
+ blake2s_ctx ctx;
+
+ // 256-bit hash for testing.
+ if (blake2s_init(&ctx, 32, NULL, 0))
+ return -1;
+
+ for (i = 0; i < 4; i++) {
+ outlen = b2s_md_len[i];
+ for (j = 0; j < 6; j++) {
+ inlen = b2s_in_len[j];
+
+ selftest_seq(in, inlen, inlen); // unkeyed hash
+ blake2s(md, outlen, NULL, 0, in, inlen);
+ blake2s_update(&ctx, md, outlen); // hash the hash
+
+ selftest_seq(key, outlen, outlen); // keyed hash
+ blake2s(md, outlen, key, outlen, in, inlen);
+ blake2s_update(&ctx, md, outlen); // hash the hash
+ }
+ }
+
+ // Compute and compare the hash of hashes.
+ blake2s_final(&ctx, md);
+ for (i = 0; i < 32; i++) {
+ if (md[i] != blake2s_res[i])
+ return -1;
+ }
+
+ return 0;
+
+
+
+Saarinen & Aumasson Informational [Page 28]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+ }
+
+ // Test driver.
+
+ int main(int argc, char **argv)
+ {
+ printf("blake2b_selftest() = %s\n",
+ blake2b_selftest() ? "FAIL" : "OK");
+ printf("blake2s_selftest() = %s\n",
+ blake2s_selftest() ? "FAIL" : "OK");
+
+ return 0;
+ }
+ <CODE ENDS>
+
+Acknowledgements
+
+ The editor wishes to thank the [BLAKE2] team for their encouragement:
+ Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and
+ Christian Winnerlein. We have borrowed passages from [BLAKE] and
+ [BLAKE2] with permission.
+
+ [BLAKE2] is based on the SHA-3 proposal [BLAKE], designed by Jean-
+ Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan.
+ BLAKE2, like BLAKE, relies on a core algorithm borrowed from the
+ ChaCha stream cipher, designed by Daniel J. Bernstein.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Saarinen & Aumasson Informational [Page 29]
+
+RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
+
+
+Authors' Addresses
+
+ Markku-Juhani O. Saarinen (editor)
+ Queen's University Belfast
+ Centre for Secure Information Technologies, ECIT
+ Northern Ireland Science Park
+ Queen's Road, Queen's Island
+ Belfast BT3 9DT
+ United Kingdom
+
+ Email: m.saarinen@qub.ac.uk
+ URI: http://www.csit.qub.ac.uk
+
+
+ Jean-Philippe Aumasson
+ Kudelski Security
+ 22-24, Route de Geneve
+ Case Postale 134
+ Cheseaux 1033
+ Switzerland
+
+ Email: jean-philippe.aumasson@nagra.com
+ URI: https://www.kudelskisecurity.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Saarinen & Aumasson Informational [Page 30]
+