diff options
Diffstat (limited to 'lib/blake2')
| -rw-r--r-- | lib/blake2/README.md | 7 | ||||
| -rw-r--r-- | lib/blake2/blake2s.c | 123 | ||||
| -rw-r--r-- | lib/blake2/blake2s.h | 56 | ||||
| -rw-r--r-- | lib/blake2/rfc7693.txt | 1683 | 
4 files changed, 1869 insertions, 0 deletions
| diff --git a/lib/blake2/README.md b/lib/blake2/README.md new file mode 100644 index 0000000..223324e --- /dev/null +++ b/lib/blake2/README.md @@ -0,0 +1,7 @@ +## BLAKE2 +BLAKE2 is a cryptographic hash function faster than MD5, SHA-1, SHA-2, and SHA-3, yet is at least as secure as the +latest standard SHA-3. + +## BLAKE2s +BLAKE2s is optimized for 8 to 32-bit platforms and produces digests of any size between 1 and 32 bytes. + diff --git a/lib/blake2/blake2s.c b/lib/blake2/blake2s.c new file mode 100644 index 0000000..b924a1e --- /dev/null +++ b/lib/blake2/blake2s.c @@ -0,0 +1,123 @@ +#include "blake2s.h" +#include <endian.h> +#include <stdlib.h> +#include <string.h> + +const uint32_t IV[8] = {0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19}; + +const uint8_t SIGMA[10][16] = { +    {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}, {14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3}, +    {11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4}, {7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8}, +    {9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13}, {2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9}, +    {12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11}, {13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10}, +    {6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5}, {10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0}}; + +uint32_t +rotr_u32(uint32_t word, uint8_t c) +{ +  return (word >> c) | (word << (32 - c)); +} + +void +G(uint32_t v[16], unsigned a, unsigned b, unsigned c, unsigned d, uint32_t x, uint32_t y) +{ +  v[a] = v[a] + v[b] + x; +  v[d] = rotr_u32(v[d] ^ v[a], 16); +  v[c] = v[c] + v[d]; +  v[b] = rotr_u32(v[b] ^ v[c], 12); +  v[a] = v[a] + v[b] + y; +  v[d] = rotr_u32(v[d] ^ v[a], 8); +  v[c] = v[c] + v[d]; +  v[b] = rotr_u32(v[b] ^ v[c], 7); +} + +void +F(struct BLAKE2s_ctx *ctx, uint32_t m[16], uint32_t f) +{ +  // Initialize local work vector v +  uint32_t v[16] = {ctx->h[0],         ctx->h[1],         ctx->h[2], ctx->h[3], ctx->h[4], ctx->h[5], +                    ctx->h[6],         ctx->h[7],         IV[0],     IV[1],     IV[2],     IV[3], +                    IV[4] ^ ctx->t[0], IV[5] ^ ctx->t[1], IV[6],     IV[7]}; +  if (f) v[14] = ~v[14]; // if last block flag, invert all bits + +  // cryptographic mixing +  for (unsigned i = 0; i < 10; ++i) { +    G(v, 0, 4, 8, 12, m[SIGMA[i][0]], m[SIGMA[i][1]]); +    G(v, 1, 5, 9, 13, m[SIGMA[i][2]], m[SIGMA[i][3]]); +    G(v, 2, 6, 10, 14, m[SIGMA[i][4]], m[SIGMA[i][5]]); +    G(v, 3, 7, 11, 15, m[SIGMA[i][6]], m[SIGMA[i][7]]); + +    G(v, 0, 5, 10, 15, m[SIGMA[i][8]], m[SIGMA[i][9]]); +    G(v, 1, 6, 11, 12, m[SIGMA[i][10]], m[SIGMA[i][11]]); +    G(v, 2, 7, 8, 13, m[SIGMA[i][12]], m[SIGMA[i][13]]); +    G(v, 3, 4, 9, 14, m[SIGMA[i][14]], m[SIGMA[i][15]]); +  } + +  // xor the two halves +  for (unsigned i = 0; i < 8; ++i) ctx->h[i] ^= (v[i] ^ v[i + 8]); +} + +int +BLAKE2s_init(struct BLAKE2s_ctx *ctx, uint8_t outlen, const void *key, uint8_t keylen) +{ +  if (outlen == 0 || outlen > 32 || keylen > 32) { +    return -1; +  } + +  memset(ctx, 0, sizeof(struct BLAKE2s_ctx)); +  ctx->param.outlen = outlen; +  ctx->param.keylen = keylen; +  ctx->param.fanout = 1; +  ctx->param.depth = 1; + +  // copy IV into state vector h +  memcpy(ctx->h, IV, 32); +  // copy param block 0 onto h[0] +  ctx->h[0] ^= (ctx->param.depth << 24) ^ (ctx->param.fanout << 16) ^ (keylen << 8) ^ outlen; + +  if (keylen > 0) { +    BLAKE2s_update(ctx, key, keylen); +    ctx->c = 64; // at the end +  } + +  return 0; +} + +#define MIN(a, b) ((a < b) ? a : b) + +void +BLAKE2s_update(struct BLAKE2s_ctx *ctx, const void *d, size_t dd) +{ +  for (unsigned i = 0; i < dd;) { + +    if (ctx->c == 64) { // if block is full, consume block +      ctx->t[0] += ctx->c; +      if (ctx->t[0] < ctx->c) ctx->t[1] += 1; +      ctx->c = 0; // reset counter + +      uint32_t *m = (uint32_t *)ctx->b; +      for (unsigned j = 0; j < 16; ++j) m[j] = htole32(m[j]); +      F(ctx, m, 0); +    } + +    const uint8_t len = MIN(64 - ctx->c, dd - i); +    memcpy(&ctx->b[ctx->c], &((uint8_t *)d)[i], len); +    ctx->c += len; +    i += len; +  } +} + +void +BLAKE2s_final(struct BLAKE2s_ctx *ctx, void *out) +{ +  ctx->t[0] += ctx->c; +  if (ctx->t[0] < ctx->c) ctx->t[1] += 1; +  for (; ctx->c < 64; ++(ctx->c)) ctx->b[ctx->c] = 0; // fill up block with zeroes + +  uint32_t *m = (uint32_t *)ctx->b; +  for (unsigned i = 0; i < 16; ++i) m[i] = htole32(m[i]); +  F(ctx, m, 1); + +  for (unsigned i = 0; i < ctx->param.outlen; ++i) ((uint8_t *)out)[i] = (ctx->h[i >> 2] >> (8 * (i & 3))) & 0xff; +} + diff --git a/lib/blake2/blake2s.h b/lib/blake2/blake2s.h new file mode 100644 index 0000000..64b4156 --- /dev/null +++ b/lib/blake2/blake2s.h @@ -0,0 +1,56 @@ +#pragma once + +#include <stddef.h> +#include <stdint.h> + +struct BLAKE2s_param { +  uint8_t outlen; // digest length +  uint8_t keylen; // key length +  uint8_t fanout; +  uint8_t depth; +  uint32_t leaf_length; +  uint32_t node_offset; +  uint16_t node_offset_ex; +  uint8_t node_depth; +  uint8_t inner_length; +  uint64_t salt; +  uint64_t personalization; +}; + +struct BLAKE2s_ctx { +  uint8_t b[64]; // input buffer +  size_t c;      // pointer for b[] +  uint32_t h[8]; // chained state vector h +  uint32_t t[2]; // total number of bytes +  struct BLAKE2s_param param; // parameter block +}; + +/** + * 3.1 Mixing Function G + */ +void G(uint32_t V[16], unsigned a, unsigned b, unsigned c, unsigned d, uint32_t x, uint32_t y); + +/** + * 3.2 Compression Function F + * @param t: 2w-bit offset counter t + * @param f: final block indicator flag f + */ +void F(struct BLAKE2s_ctx *context, uint32_t m[16], uint32_t f); + +int BLAKE2s_init(struct BLAKE2s_ctx *ctx, uint8_t outlen, const void *key, uint8_t keylen); +void BLAKE2s_update(struct BLAKE2s_ctx *ctx, const void *d, size_t dd); +void BLAKE2s_final(struct BLAKE2s_ctx *ctx, void *out); + +// All-in-one convenience function. +static inline int +BLAKE2s(void *out, uint8_t outlen,       // return buffer for digest +        const void *key, uint8_t keylen, // optional secret key +        const void *in, size_t inlen)    // data to be hashed +{ +  struct BLAKE2s_ctx ctx; +  if (BLAKE2s_init(&ctx, outlen, key, keylen)) return -1; +  BLAKE2s_update(&ctx, in, inlen); +  BLAKE2s_final(&ctx, out); + +  return 0; +} diff --git a/lib/blake2/rfc7693.txt b/lib/blake2/rfc7693.txt new file mode 100644 index 0000000..d9d3b97 --- /dev/null +++ b/lib/blake2/rfc7693.txt @@ -0,0 +1,1683 @@ + + + + + + +Independent Submission                                M-J. Saarinen, Ed. +Request for Comments: 7693                    Queen's University Belfast +Category: Informational                                    J-P. Aumasson +ISSN: 2070-1721                                        Kudelski Security +                                                           November 2015 + + +  The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC) + +Abstract + +   This document describes the cryptographic hash function BLAKE2 and +   makes the algorithm specification and C source code conveniently +   available to the Internet community.  BLAKE2 comes in two main +   flavors: BLAKE2b is optimized for 64-bit platforms and BLAKE2s for +   smaller architectures.  BLAKE2 can be directly keyed, making it +   functionally equivalent to a Message Authentication Code (MAC). + +Status of This Memo + +   This document is not an Internet Standards Track specification; it is +   published for informational purposes. + +   This is a contribution to the RFC Series, independently of any other +   RFC stream.  The RFC Editor has chosen to publish this document at +   its discretion and makes no statement about its value for +   implementation or deployment.  Documents approved for publication by +   the RFC Editor are not a candidate for any level of Internet +   Standard; see Section 2 of RFC 5741. + +   Information about the current status of this document, any errata, +   and how to provide feedback on it may be obtained at +   http://www.rfc-editor.org/info/rfc7693. + +Copyright Notice + +   Copyright (c) 2015 IETF Trust and the persons identified as the +   document authors.  All rights reserved. + +   This document is subject to BCP 78 and the IETF Trust's Legal +   Provisions Relating to IETF Documents +   (http://trustee.ietf.org/license-info) in effect on the date of +   publication of this document.  Please review these documents +   carefully, as they describe your rights and restrictions with respect +   to this document. + + + + + + +Saarinen & Aumasson           Informational                     [Page 1] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +Table of Contents + +   1.  Introduction and Terminology  . . . . . . . . . . . . . . . .   3 +   2.  Conventions, Variables, and Constants . . . . . . . . . . . .   4 +     2.1.  Parameters  . . . . . . . . . . . . . . . . . . . . . . .   4 +     2.2.  Other Constants and Variables . . . . . . . . . . . . . .   4 +     2.3.  Arithmetic Notation . . . . . . . . . . . . . . . . . . .   4 +     2.4.  Little-Endian Interpretation of Words as Bytes  . . . . .   5 +     2.5.  Parameter Block . . . . . . . . . . . . . . . . . . . . .   5 +     2.6.  Initialization Vector . . . . . . . . . . . . . . . . . .   6 +     2.7.  Message Schedule SIGMA  . . . . . . . . . . . . . . . . .   6 +   3.  BLAKE2 Processing . . . . . . . . . . . . . . . . . . . . . .   7 +     3.1.  Mixing Function G . . . . . . . . . . . . . . . . . . . .   7 +     3.2.  Compression Function F  . . . . . . . . . . . . . . . . .   8 +     3.3.  Padding Data and Computing a BLAKE2 Digest  . . . . . . .   9 +   4.  Standard Parameter Sets and Algorithm Identifiers . . . . . .  10 +   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  11 +   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  11 +     6.1.  Normative References  . . . . . . . . . . . . . . . . . .  11 +     6.2.  Informative References  . . . . . . . . . . . . . . . . .  11 +   Appendix A.  Example of BLAKE2b Computation . . . . . . . . . . .  13 +   Appendix B.  Example of BLAKE2s Computation . . . . . . . . . . .  15 +   Appendix C.  BLAKE2b Implementation C Source  . . . . . . . . . .  16 +     C.1.  blake2b.h . . . . . . . . . . . . . . . . . . . . . . . .  16 +     C.2.  blake2b.c . . . . . . . . . . . . . . . . . . . . . . . .  17 +   Appendix D.  BLAKE2s Implementation C Source  . . . . . . . . . .  21 +     D.1.  blake2s.h . . . . . . . . . . . . . . . . . . . . . . . .  21 +     D.2.  blake2s.c . . . . . . . . . . . . . . . . . . . . . . . .  22 +   Appendix E.  BLAKE2b and BLAKE2s Self-Test Module C Source  . . .  26 +   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  29 +   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  30 + + + + + + + + + + + + + + + + + + + + +Saarinen & Aumasson           Informational                     [Page 2] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +1.  Introduction and Terminology + +   The BLAKE2 cryptographic hash function [BLAKE2] was designed by Jean- +   Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian +   Winnerlein. + +   BLAKE2 comes in two basic flavors: + +   o  BLAKE2b (or just BLAKE2) is optimized for 64-bit platforms and +      produces digests of any size between 1 and 64 bytes. + +   o  BLAKE2s is optimized for 8- to 32-bit platforms and produces +      digests of any size between 1 and 32 bytes. + +   Both BLAKE2b and BLAKE2s are believed to be highly secure and perform +   well on any platform, software, or hardware.  BLAKE2 does not require +   a special "HMAC" (Hashed Message Authentication Code) construction +   for keyed message authentication as it has a built-in keying +   mechanism. + +   The BLAKE2 hash function may be used by digital signature algorithms +   and message authentication and integrity protection mechanisms in +   applications such as Public Key Infrastructure (PKI), secure +   communication protocols, cloud storage, intrusion detection, forensic +   suites, and version control systems. + +   The BLAKE2 suite provides a more efficient alternative to US Secure +   Hash Algorithms SHA and HMAC-SHA [RFC6234].  BLAKE2s-128 is +   especially suited as a fast and more secure drop-in replacement to +   MD5 and HMAC-MD5 in legacy applications [RFC6151]. + +   To aid implementation, we provide a trace of BLAKE2b-512 hash +   computation in Appendix A and a trace of BLAKE2s-256 hash computation +   in Appendix B.  Due to space constraints, this document does not +   contain a full set of test vectors for BLAKE2. + +   A reference implementation in C programming language for BLAKE2b can +   be found in Appendix C and for BLAKE2s in Appendix D of this +   document.  These implementations MAY be validated with the more +   exhaustive Test Module contained in Appendix E. + +   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", +   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this +   document are to be interpreted as described in [RFC2119]. + + + + + + + +Saarinen & Aumasson           Informational                     [Page 3] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +2.  Conventions, Variables, and Constants + +2.1.  Parameters + +   The following table summarizes various parameters and their ranges: + +                            | BLAKE2b          | BLAKE2s          | +              --------------+------------------+------------------+ +               Bits in word | w = 64           | w = 32           | +               Rounds in F  | r = 12           | r = 10           | +               Block bytes  | bb = 128         | bb = 64          | +               Hash bytes   | 1 <= nn <= 64    | 1 <= nn <= 32    | +               Key bytes    | 0 <= kk <= 64    | 0 <= kk <= 32    | +               Input bytes  | 0 <= ll < 2**128 | 0 <= ll < 2**64  | +              --------------+------------------+------------------+ +               G Rotation   | (R1, R2, R3, R4) | (R1, R2, R3, R4) | +                constants = | (32, 24, 16, 63) | (16, 12,  8,  7) | +              --------------+------------------+------------------+ + +2.2.  Other Constants and Variables + +   These variables are used in the algorithm description: + +   IV[0..7]  Initialization Vector (constant). + +   SIGMA[0..9]  Message word permutations (constant). + +   p[0..7]  Parameter block (defines hash and key sizes). + +   m[0..15]  Sixteen words of a single message block. + +   h[0..7]  Internal state of the hash. + +   d[0..dd-1]  Padded input blocks.  Each has "bb" bytes. + +   t  Message byte offset at the end of the current block. + +   f  Flag indicating the last block. + +2.3.  Arithmetic Notation + +   For real-valued x, we define the following functions: + +   floor(x)  Floor, the largest integer <= x. + +   ceil(x)  Ceiling, the smallest integer >= x. + +   frac(x)  Positive fractional part of x, frac(x) = x - floor(x). + + + +Saarinen & Aumasson           Informational                     [Page 4] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +   Operator notation in pseudocode: + +   2**n =  2 to the power "n". 2**0=1, 2**1=2, 2**2=4, 2**3=8, etc. + +   a ^ b =  Bitwise exclusive-or operation between "a" and "b". + +   a mod b =  Remainder "a" modulo "b", always in range [0, b-1]. + +   x >> n =  floor(x / 2**n).  Logical shift "x" right by "n" bits. + +   x << n =  (x * 2**n) mod (2**w).  Logical shift "x" left by "n". + +   x >>> n =  (x >> n) ^ (x << (w - n)).  Rotate "x" right by "n". + +2.4.  Little-Endian Interpretation of Words as Bytes + +   All mathematical operations are on 64-bit words in BLAKE2b and on +   32-bit words in BLAKE2s. + +   We may also perform operations on vectors of words.  Vector indexing +   is zero based; the first element of an n-element vector "v" is v[0] +   and the last one is v[n - 1].  All elements are denoted by v[0..n-1]. + +   Byte (octet) streams are interpreted as words in little-endian order, +   with the least-significant byte first.  Consider this sequence of +   eight hexadecimal bytes: + +        x[0..7] = 0x01 0x23 0x45 0x67 0x89 0xAB 0xCD 0xEF + +   When interpreted as a 32-bit word from the beginning memory address, +   x[0..3] has a numerical value of 0x67452301 or 1732584193. + +   When interpreted as a 64-bit word, bytes x[0..7] have a numerical +   value of 0xEFCDAB8967452301 or 17279655951921914625. + +2.5.  Parameter Block + +   We specify the parameter block words p[0..7] as follows: + +        byte offset:    3 2 1 0     (otherwise zero) +              p[0] = 0x0101kknn     p[1..7] = 0 + +   Here the "nn" byte specifies the hash size in bytes.  The second +   (little-endian) byte of the parameter block, "kk", specifies the key +   size in bytes.  Set kk = 00 for unkeyed hashing.  Bytes 2 and 3 are +   set as 01.  All other bytes in the parameter block are set as zero. + + + + + +Saarinen & Aumasson           Informational                     [Page 5] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +   Note: [BLAKE2] defines additional variants of BLAKE2 with features +   such as salting, personalized hashes, and tree hashing.  These +   OPTIONAL features use fields in the parameter block that are not +   defined in this document. + +2.6.  Initialization Vector + +   We define the Initialization Vector constant IV mathematically as: + +          IV[i] = floor(2**w * frac(sqrt(prime(i+1)))), where prime(i) +          is the i:th prime number ( 2, 3, 5, 7, 11, 13, 17, 19 ) +          and sqrt(x) is the square root of x. + +   The numerical values of IV can also be found in implementations in +   Appendices C and D for BLAKE2b and BLAKE2s, respectively. + +   Note: BLAKE2b IV is the same as SHA-512 IV, and BLAKE2s IV is the +   same as SHA-256 IV; see [RFC6234]. + +2.7.  Message Schedule SIGMA + +   Message word schedule permutations for each round of both BLAKE2b and +   BLAKE2s are defined by SIGMA.  For BLAKE2b, the two extra +   permutations for rounds 10 and 11 are SIGMA[10..11] = SIGMA[0..1]. + +          Round   |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 | +        ----------+-------------------------------------------------+ +         SIGMA[0] |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 | +         SIGMA[1] | 14 10  4  8  9 15 13  6  1 12  0  2 11  7  5  3 | +         SIGMA[2] | 11  8 12  0  5  2 15 13 10 14  3  6  7  1  9  4 | +         SIGMA[3] |  7  9  3  1 13 12 11 14  2  6  5 10  4  0 15  8 | +         SIGMA[4] |  9  0  5  7  2  4 10 15 14  1 11 12  6  8  3 13 | +         SIGMA[5] |  2 12  6 10  0 11  8  3  4 13  7  5 15 14  1  9 | +         SIGMA[6] | 12  5  1 15 14 13  4 10  0  7  6  3  9  2  8 11 | +         SIGMA[7] | 13 11  7 14 12  1  3  9  5  0 15  4  8  6  2 10 | +         SIGMA[8] |  6 15 14  9 11  3  0  8 12  2 13  7  1  4 10  5 | +         SIGMA[9] | 10  2  8  4  7  6  1  5 15 11  9 14  3 12 13  0 | +        ----------+-------------------------------------------------+ + + + + + + + + + + + + + +Saarinen & Aumasson           Informational                     [Page 6] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +3.  BLAKE2 Processing + +3.1.  Mixing Function G + +   The G primitive function mixes two input words, "x" and "y", into +   four words indexed by "a", "b", "c", and "d" in the working vector +   v[0..15].  The full modified vector is returned.  The rotation +   constants (R1, R2, R3, R4) are given in Section 2.1. + +       FUNCTION G( v[0..15], a, b, c, d, x, y ) +       | +       |   v[a] := (v[a] + v[b] + x) mod 2**w +       |   v[d] := (v[d] ^ v[a]) >>> R1 +       |   v[c] := (v[c] + v[d])     mod 2**w +       |   v[b] := (v[b] ^ v[c]) >>> R2 +       |   v[a] := (v[a] + v[b] + y) mod 2**w +       |   v[d] := (v[d] ^ v[a]) >>> R3 +       |   v[c] := (v[c] + v[d])     mod 2**w +       |   v[b] := (v[b] ^ v[c]) >>> R4 +       | +       |   RETURN v[0..15] +       | +       END FUNCTION. + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Saarinen & Aumasson           Informational                     [Page 7] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +3.2.  Compression Function F + +   Compression function F takes as an argument the state vector "h", +   message block vector "m" (last block is padded with zeros to full +   block size, if required), 2w-bit offset counter "t", and final block +   indicator flag "f".  Local vector v[0..15] is used in processing.  F +   returns a new state vector.  The number of rounds, "r", is 12 for +   BLAKE2b and 10 for BLAKE2s.  Rounds are numbered from 0 to r - 1. + +       FUNCTION F( h[0..7], m[0..15], t, f ) +       | +       |      // Initialize local work vector v[0..15] +       |      v[0..7] := h[0..7]              // First half from state. +       |      v[8..15] := IV[0..7]            // Second half from IV. +       | +       |      v[12] := v[12] ^ (t mod 2**w)   // Low word of the offset. +       |      v[13] := v[13] ^ (t >> w)       // High word. +       | +       |      IF f = TRUE THEN                // last block flag? +       |      |   v[14] := v[14] ^ 0xFF..FF   // Invert all bits. +       |      END IF. +       | +       |      // Cryptographic mixing +       |      FOR i = 0 TO r - 1 DO           // Ten or twelve rounds. +       |      | +       |      |   // Message word selection permutation for this round. +       |      |   s[0..15] := SIGMA[i mod 10][0..15] +       |      | +       |      |   v := G( v, 0, 4,  8, 12, m[s[ 0]], m[s[ 1]] ) +       |      |   v := G( v, 1, 5,  9, 13, m[s[ 2]], m[s[ 3]] ) +       |      |   v := G( v, 2, 6, 10, 14, m[s[ 4]], m[s[ 5]] ) +       |      |   v := G( v, 3, 7, 11, 15, m[s[ 6]], m[s[ 7]] ) +       |      | +       |      |   v := G( v, 0, 5, 10, 15, m[s[ 8]], m[s[ 9]] ) +       |      |   v := G( v, 1, 6, 11, 12, m[s[10]], m[s[11]] ) +       |      |   v := G( v, 2, 7,  8, 13, m[s[12]], m[s[13]] ) +       |      |   v := G( v, 3, 4,  9, 14, m[s[14]], m[s[15]] ) +       |      | +       |      END FOR +       | +       |      FOR i = 0 TO 7 DO               // XOR the two halves. +       |      |   h[i] := h[i] ^ v[i] ^ v[i + 8] +       |      END FOR. +       | +       |      RETURN h[0..7]                  // New state. +       | +       END FUNCTION. + + + + +Saarinen & Aumasson           Informational                     [Page 8] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +3.3.  Padding Data and Computing a BLAKE2 Digest + +   We refer the reader to Appendices C and D for reference C language +   implementations of BLAKE2b and BLAKE2s, respectively. + +   Key and data input are split and padded into "dd" message blocks +   d[0..dd-1], each consisting of 16 words (or "bb" bytes). + +   If a secret key is used (kk > 0), it is padded with zero bytes and +   set as d[0].  Otherwise, d[0] is the first data block.  The final +   data block d[dd-1] is also padded with zero to "bb" bytes (16 words). + +   The number of blocks is therefore dd = ceil(kk / bb) + ceil(ll / bb). +   However, in the special case of an unkeyed empty message (kk = 0 and +   ll = 0), we still set dd = 1 and d[0] consists of all zeros. + +   The following procedure processes the padded data blocks into an +   "nn"-byte final hash value.  See Section 2 for a description of +   various variables and constants used. + +        FUNCTION BLAKE2( d[0..dd-1], ll, kk, nn ) +        | +        |     h[0..7] := IV[0..7]          // Initialization Vector. +        | +        |     // Parameter block p[0] +        |     h[0] := h[0] ^ 0x01010000 ^ (kk << 8) ^ nn +        | +        |     // Process padded key and data blocks +        |     IF dd > 1 THEN +        |     |       FOR i = 0 TO dd - 2 DO +        |     |       |       h := F( h, d[i], (i + 1) * bb, FALSE ) +        |     |       END FOR. +        |     END IF. +        | +        |     // Final block. +        |     IF kk = 0 THEN +        |     |       h := F( h, d[dd - 1], ll, TRUE ) +        |     ELSE +        |     |       h := F( h, d[dd - 1], ll + bb, TRUE ) +        |     END IF. +        | +        |     RETURN first "nn" bytes from little-endian word array h[]. +        | +        END FUNCTION. + + + + + + + +Saarinen & Aumasson           Informational                     [Page 9] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +4.  Standard Parameter Sets and Algorithm Identifiers + +   An implementation of BLAKE2b and/or BLAKE2s MAY support the following +   digest size parameters for interoperability (e.g., digital +   signatures), as long as a sufficient level of security is attained by +   the parameter selections.  These parameters and identifiers are +   intended to be suitable as drop-in replacements to MD5 and +   corresponding SHA algorithms. + +   Developers adapting BLAKE2 to ASN.1-based message formats SHOULD use +   the OID tree at x = 1.3.6.1.4.1.1722.12.2.  The same OID can be used +   for both keyed and unkeyed hashing since in the latter case the key +   simply has zero length. + +            Algorithm     | Target | Collision | Hash | Hash ASN.1 | +               Identifier |  Arch  |  Security |  nn  | OID Suffix | +           ---------------+--------+-----------+------+------------+ +            id-blake2b160 | 64-bit |   2**80   |  20  |   x.1.5    | +            id-blake2b256 | 64-bit |   2**128  |  32  |   x.1.8    | +            id-blake2b384 | 64-bit |   2**192  |  48  |   x.1.12   | +            id-blake2b512 | 64-bit |   2**256  |  64  |   x.1.16   | +           ---------------+--------+-----------+------+------------+ +            id-blake2s128 | 32-bit |   2**64   |  16  |   x.2.4    | +            id-blake2s160 | 32-bit |   2**80   |  20  |   x.2.5    | +            id-blake2s224 | 32-bit |   2**112  |  28  |   x.2.7    | +            id-blake2s256 | 32-bit |   2**128  |  32  |   x.2.8    | +           ---------------+--------+-----------+------+------------+ + +          hashAlgs OBJECT IDENTIFIER ::= { +              iso(1) identified-organization(3) dod(6) internet(1) +              private(4) enterprise(1) kudelski(1722) cryptography(12) 2 +          } +          macAlgs OBJECT IDENTIFIER ::= { +              iso(1) identified-organization(3) dod(6) internet(1) +              private(4) enterprise(1) kudelski(1722) cryptography(12) 3 +          } + +          -- the two BLAKE2 variants -- +          blake2b OBJECT IDENTIFIER ::= { hashAlgs 1 } +          blake2s OBJECT IDENTIFIER ::= { hashAlgs 2 } + +          -- BLAKE2b Identifiers -- +          id-blake2b160 OBJECT IDENTIFIER ::= { blake2b 5 } +          id-blake2b256 OBJECT IDENTIFIER ::= { blake2b 8 } +          id-blake2b384 OBJECT IDENTIFIER ::= { blake2b 12 } +          id-blake2b512 OBJECT IDENTIFIER ::= { blake2b 16 } + + + + + +Saarinen & Aumasson           Informational                    [Page 10] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +          -- BLAKE2s Identifiers -- +          id-blake2s128 OBJECT IDENTIFIER ::= { blake2s 4 } +          id-blake2s160 OBJECT IDENTIFIER ::= { blake2s 5 } +          id-blake2s224 OBJECT IDENTIFIER ::= { blake2s 7 } +          id-blake2s256 OBJECT IDENTIFIER ::= { blake2s 8 } + +5.  Security Considerations + +   This document is intended to provide convenient open-source access by +   the Internet community to the BLAKE2 cryptographic hash algorithm. +   We wish to make no independent assertion to its security in this +   document.  We refer the reader to [BLAKE] and [BLAKE2] for detailed +   cryptanalytic rationale behind its design. + +   In order to avoid bloat, the reference implementations in Appendices +   C and D may not erase all sensitive data (such as secret keys) +   immediately from process memory after use.  Such cleanup can be added +   if needed. + +6.  References + +6.1.  Normative References + +   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate +              Requirement Levels", BCP 14, RFC 2119, +              DOI 10.17487/RFC2119, March 1997, +              <http://www.rfc-editor.org/info/rfc2119>. + +6.2.  Informative References + +   [BLAKE]    Aumasson, J-P., Meier, W., Phan, R., and L. Henzen, "The +              Hash Function BLAKE", January 2015, +              <https://131002.net/blake/book>. + +   [BLAKE2]   Aumasson, J-P., Neves, S., Wilcox-O'Hearn, Z., and C. +              Winnerlein, "BLAKE2: simpler, smaller, fast as MD5", +              January 2013, <https://blake2.net/blake2.pdf>. + +   [FIPS140-2IG] +              NIST, "Implementation Guidance for FIPS PUB 140-2 and the +              Cryptographic Module Validation Program", September 2015, +              <http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/ +              FIPS1402IG.pdf/>. + +   [RFC6151]  Turner, S. and L. Chen, "Updated Security Considerations +              for the MD5 Message-Digest and the HMAC-MD5 Algorithms", +              RFC 6151, DOI 10.17487/RFC6151, March 2011, +              <http://www.rfc-editor.org/info/rfc6151>. + + + +Saarinen & Aumasson           Informational                    [Page 11] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +   [RFC6234]  Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms +              (SHA and SHA-based HMAC and HKDF)", RFC 6234, +              DOI 10.17487/RFC6234, May 2011, +              <http://www.rfc-editor.org/info/rfc6234>. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Saarinen & Aumasson           Informational                    [Page 12] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +Appendix A.  Example of BLAKE2b Computation + +   We compute the unkeyed hash of three ASCII bytes "abc" with +   BLAKE2b-512 and show internal values during computation. + +          m[16] = 0000000000636261 0000000000000000 0000000000000000 +                  0000000000000000 0000000000000000 0000000000000000 +                  0000000000000000 0000000000000000 0000000000000000 +                  0000000000000000 0000000000000000 0000000000000000 +                  0000000000000000 0000000000000000 0000000000000000 +                  0000000000000000 + +   (i= 0) v[16] = 6A09E667F2BDC948 BB67AE8584CAA73B 3C6EF372FE94F82B +                  A54FF53A5F1D36F1 510E527FADE682D1 9B05688C2B3E6C1F +                  1F83D9ABFB41BD6B 5BE0CD19137E2179 6A09E667F3BCC908 +                  BB67AE8584CAA73B 3C6EF372FE94F82B A54FF53A5F1D36F1 +                  510E527FADE682D2 9B05688C2B3E6C1F E07C265404BE4294 +                  5BE0CD19137E2179 + +   (i= 1) v[16] = 86B7C1568029BB79 C12CBCC809FF59F3 C6A5214CC0EACA8E +                  0C87CD524C14CC5D 44EE6039BD86A9F7 A447C850AA694A7E +                  DE080F1BB1C0F84B 595CB8A9A1ACA66C BEC3AE837EAC4887 +                  6267FC79DF9D6AD1 FA87B01273FA6DBE 521A715C63E08D8A +                  E02D0975B8D37A83 1C7B754F08B7D193 8F885A76B6E578FE +                  2318A24E2140FC64 + +   (i= 2) v[16] = 53281E83806010F2 3594B403F81B4393 8CD63C7462DE0DFF +                  85F693F3DA53F974 BAABDBB2F386D9AE CA5425AEC65A10A8 +                  C6A22E2FF0F7AA48 C6A56A51CB89C595 224E6A3369224F96 +                  500E125E58A92923 E9E4AD0D0E1A0D48 85DF9DC143C59A74 +                  92A3AAAA6D952B7F C5FDF71090FAE853 2A8A40F15A462DD0 +                  572D17EFFDD37358 + +   (i= 3) v[16] = 60ED96AA7AD41725 E46A743C71800B9D 1A04B543A01F156B +                  A2F8716E775C4877 DA0A61BCDE4267EA B1DD230754D7BDEE +                  25A1422779E06D14 E6823AE4C3FF58A5 A1677E19F37FD5DA +                  22BDCE6976B08C51 F1DE8696BEC11BF1 A0EBD586A4A1D2C8 +                  C804EBAB11C99FA9 8E0CEC959C715793 7C45557FAE0D4D89 +                  716343F52FDD265E + +   (i= 4) v[16] = BB2A77D3A8382351 45EB47971F23B103 98BE297F6E45C684 +                  A36077DEE3370B89 8A03C4CB7E97590A 24192E49EBF54EA0 +                  4F82C9401CB32D7A 8CCD013726420DC4 A9C9A8F17B1FC614 +                  55908187977514A0 5B44273E66B19D27 B6D5C9FCA2579327 +                  086092CFB858437E 5C4BE2156DBEECF9 2EFEDE99ED4EFF16 +                  3E7B5F234CD1F804 + + + + + +Saarinen & Aumasson           Informational                    [Page 13] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +   (i= 5) v[16] = C79C15B3D423B099 2DA2224E8DA97556 77D2B26DF1C45C55 +                  8934EB09A3456052 0F6D9EEED157DA2A 6FE66467AF88C0A9 +                  4EB0B76284C7AAFB 299C8E725D954697 B2240B59E6D567D3 +                  2643C2370E49EBFD 79E02EEF20CDB1AE 64B3EED7BB602F39 +                  B97D2D439E4DF63D C718E755294C9111 1F0893F2772BB373 +                  1205EA4A7859807D + +   (i= 6) v[16] = E58F97D6385BAEE4 7640AA9764DA137A DEB4C7C23EFE287E +                  70F6F41C8783C9F6 7127CD48C76A7708 9E472AF0BE3DB3F6 +                  0F244C62DDF71788 219828AA83880842 41CCA9073C8C4D0D +                  5C7912BC10DF3B4B A2C3ABBD37510EE2 CB5668CC2A9F7859 +                  8733794F07AC1500 C67A6BE42335AA6F ACB22B28681E4C82 +                  DB2161604CBC9828 + +   (i= 7) v[16] = 6E2D286EEADEDC81 BCF02C0787E86358 57D56A56DD015EDF +                  55D899D40A5D0D0A 819415B56220C459 B63C479A6A769F02 +                  258E55E0EC1F362A 3A3B4EC60E19DFDC 04D769B3FCB048DB +                  B78A9A33E9BFF4DD 5777272AE1E930C0 5A387849E578DBF6 +                  92AAC307CF2C0AFC 30AACCC4F06DAFAA 483893CC094F8863 +                  E03C6CC89C26BF92 + +   (i= 8) v[16] = FFC83ECE76024D01 1BE7BFFB8C5CC5F9 A35A18CBAC4C65B7 +                  B7C2C7E6D88C285F 81937DA314A50838 E1179523A2541963 +                  3A1FAD7106232B8F 1C7EDE92AB8B9C46 A3C2D35E4F685C10 +                  A53D3F73AA619624 30BBCC0285A22F65 BCEFBB6A81539E5D +                  3841DEF6F4C9848A 98662C85FBA726D4 7762439BD5A851BD +                  B0B9F0D443D1A889 + +   (i= 9) v[16] = 753A70A1E8FAEADD 6B0D43CA2C25D629 F8343BA8B94F8C0B +                  BC7D062B0DB5CF35 58540EE1B1AEBC47 63C5B9B80D294CB9 +                  490870ECAD27DEBD B2A90DDF667287FE 316CC9EBEEFAD8FC +                  4A466BCD021526A4 5DA7F7638CEC5669 D9C8826727D306FC +                  88ED6C4F3BD7A537 19AE688DDF67F026 4D8707AAB40F7E6D +                  FD3F572687FEA4F1 + +   (i=10) v[16] = E630C747CCD59C4F BC713D41127571CA 46DB183025025078 +                  6727E81260610140 2D04185EAC2A8CBA 5F311B88904056EC +                  40BD313009201AAB 0099D4F82A2A1EAB 6DD4FBC1DE60165D +                  B3B0B51DE3C86270 900AEE2F233B08E5 A07199D87AD058D8 +                  2C6B25593D717852 37E8CA471BEAA5F8 2CFC1BAC10EF4457 +                  01369EC18746E775 + +   (i=11) v[16] = E801F73B9768C760 35C6D22320BE511D 306F27584F65495E +                  B51776ADF569A77B F4F1BE86690B3C34 3CC88735D1475E4B +                  5DAC67921FF76949 1CDB9D31AD70CC4E 35BA354A9C7DF448 +                  4929CBE45679D73E 733D1A17248F39DB 92D57B736F5F170A +                  61B5C0A41D491399 B5C333457E12844A BD696BE010D0D889 +                  02231E1A917FE0BD + + + +Saarinen & Aumasson           Informational                    [Page 14] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +   (i=12) v[16] = 12EF8A641EC4F6D6 BCED5DE977C9FAF5 733CA476C5148639 +                  97DF596B0610F6FC F42C16519AD5AFA7 AA5AC1888E10467E +                  217D930AA51787F3 906A6FF19E573942 75AB709BD3DCBF24 +                  EE7CE1F345947AA4 F8960D6C2FAF5F5E E332538A36B6D246 +                  885BEF040EF6AA0B A4939A417BFB78A3 646CBB7AF6DCE980 +                  E813A23C60AF3B82 + +           h[8] = 0D4D1C983FA580BA E9F6129FB697276A B7C45A68142F214C +                  D1A2FFDB6FBB124B 2D79AB2A39C5877D 95CC3345DED552C2 +                  5A92F1DBA88AD318 239900D4ED8623B9 + +   BLAKE2b-512("abc") = BA 80 A5 3F 98 1C 4D 0D 6A 27 97 B6 9F 12 F6 E9 +                        4C 21 2F 14 68 5A C4 B7 4B 12 BB 6F DB FF A2 D1 +                        7D 87 C5 39 2A AB 79 2D C2 52 D5 DE 45 33 CC 95 +                        18 D3 8A A8 DB F1 92 5A B9 23 86 ED D4 00 99 23 + +Appendix B.  Example of BLAKE2s Computation + +   We compute the unkeyed hash of three ASCII bytes "abc" with +   BLAKE2s-256 and show internal values during computation. + +          m[16] = 00636261 00000000 00000000 00000000 00000000 00000000 +                  00000000 00000000 00000000 00000000 00000000 00000000 +                  00000000 00000000 00000000 00000000 + +   (i=0)  v[16] = 6B08E647 BB67AE85 3C6EF372 A54FF53A 510E527F 9B05688C +                  1F83D9AB 5BE0CD19 6A09E667 BB67AE85 3C6EF372 A54FF53A +                  510E527C 9B05688C E07C2654 5BE0CD19 + +   (i=1)  v[16] = 16A3242E D7B5E238 CE8CE24B 927AEDE1 A7B430D9 93A4A14E +                  A44E7C31 41D4759B 95BF33D3 9A99C181 608A3A6B B666383E +                  7A8DD50F BE378ED7 353D1EE6 3BB44C6B + +   (i=2)  v[16] = 3AE30FE3 0982A96B E88185B4 3E339B16 F24338CD 0E66D326 +                  E005ED0C D591A277 180B1F3A FCF43914 30DB62D6 4847831C +                  7F00C58E FB847886 C544E836 524AB0E2 + +   (i=3)  v[16] = 7A3BE783 997546C1 D45246DF EDB5F821 7F98A742 10E864E2 +                  D4AB70D0 C63CB1AB 6038DA9E 414594B0 F2C218B5 8DA0DCB7 +                  D7CD7AF5 AB4909DF 85031A52 C4EDFC98 + +   (i=4)  v[16] = 2A8B8CB7 1ACA82B2 14045D7F CC7258ED 383CF67C E090E7F9 +                  3025D276 57D04DE4 994BACF0 F0982759 F17EE300 D48FC2D5 +                  DC854C10 523898A9 C03A0F89 47D6CD88 + +   (i=5)  v[16] = C4AA2DDB 111343A3 D54A700A 574A00A9 857D5A48 B1E11989 +                  6F5C52DF DD2C53A3 678E5F8E 9718D4E9 622CB684 92976076 +                  0E41A517 359DC2BE 87A87DDD 643F9CEC + + + +Saarinen & Aumasson           Informational                    [Page 15] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +   (i=6)  v[16] = 3453921C D7595EE1 592E776D 3ED6A974 4D997CB3 DE9212C3 +                  35ADF5C9 9916FD65 96562E89 4EAD0792 EBFC2712 2385F5B2 +                  F34600FB D7BC20FB EB452A7B ECE1AA40 + +   (i=7)  v[16] = BE851B2D A85F6358 81E6FC3B 0BB28000 FA55A33A 87BE1FAD +                  4119370F 1E2261AA A1318FD3 F4329816 071783C2 6E536A8D +                  9A81A601 E7EC80F1 ACC09948 F849A584 + +   (i=8)  v[16] = 07E5B85A 069CC164 F9DE3141 A56F4680 9E440AD2 9AB659EA +                  3C84B971 21DBD9CF 46699F8C 765257EC AF1D998C 75E4C3B6 +                  523878DC 30715015 397FEE81 4F1FA799 + +   (i=9)  v[16] = 435148C4 A5AA2D11 4B354173 D543BC9E BDA2591C BF1D2569 +                  4FCB3120 707ADA48 565B3FDE 32C9C916 EAF4A1AB B1018F28 +                  8078D978 68ADE4B5 9778FDA3 2863B92E + +   (i=10) v[16] = D9C994AA CFEC3AA6 700D0AB2 2C38670E AF6A1F66 1D023EF3 +                  1D9EC27D 945357A5 3E9FFEBD 969FE811 EF485E21 A632797A +                  DEEF082E AF3D80E1 4E86829B 4DEAFD3A + +           h[8] = 8C5E8C50 E2147C32 A32BA7E1 2F45EB4E 208B4537 293AD69E +                  4C9B994D 82596786 + +   BLAKE2s-256("abc") = 50 8C 5E 8C 32 7C 14 E2 E1 A7 2B A3 4E EB 45 2F +                        37 45 8B 20 9E D6 3A 29 4D 99 9B 4C 86 67 59 82 + +Appendix C.  BLAKE2b Implementation C Source + +C.1.  blake2b.h + +   <CODE BEGINS> +   // blake2b.h +   // BLAKE2b Hashing Context and API Prototypes + +   #ifndef BLAKE2B_H +   #define BLAKE2B_H + +   #include <stdint.h> +   #include <stddef.h> + +   // state context +   typedef struct { +       uint8_t b[128];                     // input buffer +       uint64_t h[8];                      // chained state +       uint64_t t[2];                      // total number of bytes +       size_t c;                           // pointer for b[] +       size_t outlen;                      // digest size +   } blake2b_ctx; + + + +Saarinen & Aumasson           Informational                    [Page 16] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +   // Initialize the hashing context "ctx" with optional key "key". +   //      1 <= outlen <= 64 gives the digest size in bytes. +   //      Secret key (also <= 64 bytes) is optional (keylen = 0). +   int blake2b_init(blake2b_ctx *ctx, size_t outlen, +       const void *key, size_t keylen);    // secret key + +   // Add "inlen" bytes from "in" into the hash. +   void blake2b_update(blake2b_ctx *ctx,   // context +       const void *in, size_t inlen);      // data to be hashed + +   // Generate the message digest (size given in init). +   //      Result placed in "out". +   void blake2b_final(blake2b_ctx *ctx, void *out); + +   // All-in-one convenience function. +   int blake2b(void *out, size_t outlen,   // return buffer for digest +       const void *key, size_t keylen,     // optional secret key +       const void *in, size_t inlen);      // data to be hashed + +   #endif +   <CODE ENDS> + +C.2.  blake2b.c + +   <CODE BEGINS> +   // blake2b.c +   // A simple BLAKE2b Reference Implementation. + +   #include "blake2b.h" + +   // Cyclic right rotation. + +   #ifndef ROTR64 +   #define ROTR64(x, y)  (((x) >> (y)) ^ ((x) << (64 - (y)))) +   #endif + +   // Little-endian byte access. + +   #define B2B_GET64(p)                            \ +       (((uint64_t) ((uint8_t *) (p))[0]) ^        \ +       (((uint64_t) ((uint8_t *) (p))[1]) << 8) ^  \ +       (((uint64_t) ((uint8_t *) (p))[2]) << 16) ^ \ +       (((uint64_t) ((uint8_t *) (p))[3]) << 24) ^ \ +       (((uint64_t) ((uint8_t *) (p))[4]) << 32) ^ \ +       (((uint64_t) ((uint8_t *) (p))[5]) << 40) ^ \ +       (((uint64_t) ((uint8_t *) (p))[6]) << 48) ^ \ +       (((uint64_t) ((uint8_t *) (p))[7]) << 56)) + + + + +Saarinen & Aumasson           Informational                    [Page 17] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +   // G Mixing function. + +   #define B2B_G(a, b, c, d, x, y) {   \ +       v[a] = v[a] + v[b] + x;         \ +       v[d] = ROTR64(v[d] ^ v[a], 32); \ +       v[c] = v[c] + v[d];             \ +       v[b] = ROTR64(v[b] ^ v[c], 24); \ +       v[a] = v[a] + v[b] + y;         \ +       v[d] = ROTR64(v[d] ^ v[a], 16); \ +       v[c] = v[c] + v[d];             \ +       v[b] = ROTR64(v[b] ^ v[c], 63); } + +   // Initialization Vector. + +   static const uint64_t blake2b_iv[8] = { +       0x6A09E667F3BCC908, 0xBB67AE8584CAA73B, +       0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1, +       0x510E527FADE682D1, 0x9B05688C2B3E6C1F, +       0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179 +   }; + +   // Compression function. "last" flag indicates last block. + +   static void blake2b_compress(blake2b_ctx *ctx, int last) +   { +       const uint8_t sigma[12][16] = { +           { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, +           { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, +           { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, +           { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, +           { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, +           { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, +           { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, +           { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, +           { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, +           { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }, +           { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, +           { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } +       }; +       int i; +       uint64_t v[16], m[16]; + +       for (i = 0; i < 8; i++) {           // init work variables +           v[i] = ctx->h[i]; +           v[i + 8] = blake2b_iv[i]; +       } + + + + + +Saarinen & Aumasson           Informational                    [Page 18] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +       v[12] ^= ctx->t[0];                 // low 64 bits of offset +       v[13] ^= ctx->t[1];                 // high 64 bits +       if (last)                           // last block flag set ? +           v[14] = ~v[14]; + +       for (i = 0; i < 16; i++)            // get little-endian words +           m[i] = B2B_GET64(&ctx->b[8 * i]); + +       for (i = 0; i < 12; i++) {          // twelve rounds +           B2B_G( 0, 4,  8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]); +           B2B_G( 1, 5,  9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]); +           B2B_G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]); +           B2B_G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]); +           B2B_G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]); +           B2B_G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]); +           B2B_G( 2, 7,  8, 13, m[sigma[i][12]], m[sigma[i][13]]); +           B2B_G( 3, 4,  9, 14, m[sigma[i][14]], m[sigma[i][15]]); +       } + +       for( i = 0; i < 8; ++i ) +           ctx->h[i] ^= v[i] ^ v[i + 8]; +   } + +   // Initialize the hashing context "ctx" with optional key "key". +   //      1 <= outlen <= 64 gives the digest size in bytes. +   //      Secret key (also <= 64 bytes) is optional (keylen = 0). + +   int blake2b_init(blake2b_ctx *ctx, size_t outlen, +       const void *key, size_t keylen)        // (keylen=0: no key) +   { +       size_t i; + +       if (outlen == 0 || outlen > 64 || keylen > 64) +           return -1;                      // illegal parameters + +       for (i = 0; i < 8; i++)             // state, "param block" +           ctx->h[i] = blake2b_iv[i]; +       ctx->h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen; + +       ctx->t[0] = 0;                      // input count low word +       ctx->t[1] = 0;                      // input count high word +       ctx->c = 0;                         // pointer within buffer +       ctx->outlen = outlen; + + + + + + + + +Saarinen & Aumasson           Informational                    [Page 19] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +       for (i = keylen; i < 128; i++)      // zero input block +           ctx->b[i] = 0; +       if (keylen > 0) { +           blake2b_update(ctx, key, keylen); +           ctx->c = 128;                   // at the end +       } + +       return 0; +   } + +   // Add "inlen" bytes from "in" into the hash. + +   void blake2b_update(blake2b_ctx *ctx, +       const void *in, size_t inlen)       // data bytes +   { +       size_t i; + +       for (i = 0; i < inlen; i++) { +           if (ctx->c == 128) {            // buffer full ? +               ctx->t[0] += ctx->c;        // add counters +               if (ctx->t[0] < ctx->c)     // carry overflow ? +                   ctx->t[1]++;            // high word +               blake2b_compress(ctx, 0);   // compress (not last) +               ctx->c = 0;                 // counter to zero +           } +           ctx->b[ctx->c++] = ((const uint8_t *) in)[i]; +       } +   } + +   // Generate the message digest (size given in init). +   //      Result placed in "out". + +   void blake2b_final(blake2b_ctx *ctx, void *out) +   { +       size_t i; + +       ctx->t[0] += ctx->c;                // mark last block offset +       if (ctx->t[0] < ctx->c)             // carry overflow +           ctx->t[1]++;                    // high word + +       while (ctx->c < 128)                // fill up with zeros +           ctx->b[ctx->c++] = 0; +       blake2b_compress(ctx, 1);           // final block flag = 1 + + + + + + + + +Saarinen & Aumasson           Informational                    [Page 20] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +       // little endian convert and store +       for (i = 0; i < ctx->outlen; i++) { +           ((uint8_t *) out)[i] = +               (ctx->h[i >> 3] >> (8 * (i & 7))) & 0xFF; +       } +   } + +   // Convenience function for all-in-one computation. + +   int blake2b(void *out, size_t outlen, +       const void *key, size_t keylen, +       const void *in, size_t inlen) +   { +       blake2b_ctx ctx; + +       if (blake2b_init(&ctx, outlen, key, keylen)) +           return -1; +       blake2b_update(&ctx, in, inlen); +       blake2b_final(&ctx, out); + +       return 0; +   } +   <CODE ENDS> + +Appendix D.  BLAKE2s Implementation C Source + +D.1.  blake2s.h + +   <CODE BEGINS> +   // blake2s.h +   // BLAKE2s Hashing Context and API Prototypes + +   #ifndef BLAKE2S_H +   #define BLAKE2S_H + +   #include <stdint.h> +   #include <stddef.h> + +   // state context +   typedef struct { +       uint8_t b[64];                      // input buffer +       uint32_t h[8];                      // chained state +       uint32_t t[2];                      // total number of bytes +       size_t c;                           // pointer for b[] +       size_t outlen;                      // digest size +   } blake2s_ctx; + + + + + +Saarinen & Aumasson           Informational                    [Page 21] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +   // Initialize the hashing context "ctx" with optional key "key". +   //      1 <= outlen <= 32 gives the digest size in bytes. +   //      Secret key (also <= 32 bytes) is optional (keylen = 0). +   int blake2s_init(blake2s_ctx *ctx, size_t outlen, +       const void *key, size_t keylen);    // secret key + +   // Add "inlen" bytes from "in" into the hash. +   void blake2s_update(blake2s_ctx *ctx,   // context +       const void *in, size_t inlen);      // data to be hashed + +   // Generate the message digest (size given in init). +   //      Result placed in "out". +   void blake2s_final(blake2s_ctx *ctx, void *out); + +   // All-in-one convenience function. +   int blake2s(void *out, size_t outlen,   // return buffer for digest +       const void *key, size_t keylen,     // optional secret key +       const void *in, size_t inlen);      // data to be hashed + +   #endif +   <CODE ENDS> + +D.2.  blake2s.c + +   <CODE BEGINS> +   // blake2s.c +   // A simple blake2s Reference Implementation. + +   #include "blake2s.h" + +   // Cyclic right rotation. + +   #ifndef ROTR32 +   #define ROTR32(x, y)  (((x) >> (y)) ^ ((x) << (32 - (y)))) +   #endif + +   // Little-endian byte access. + +   #define B2S_GET32(p)                            \ +       (((uint32_t) ((uint8_t *) (p))[0]) ^        \ +       (((uint32_t) ((uint8_t *) (p))[1]) << 8) ^  \ +       (((uint32_t) ((uint8_t *) (p))[2]) << 16) ^ \ +       (((uint32_t) ((uint8_t *) (p))[3]) << 24)) + + + + + + + + +Saarinen & Aumasson           Informational                    [Page 22] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +   // Mixing function G. + +   #define B2S_G(a, b, c, d, x, y) {   \ +       v[a] = v[a] + v[b] + x;         \ +       v[d] = ROTR32(v[d] ^ v[a], 16); \ +       v[c] = v[c] + v[d];             \ +       v[b] = ROTR32(v[b] ^ v[c], 12); \ +       v[a] = v[a] + v[b] + y;         \ +       v[d] = ROTR32(v[d] ^ v[a], 8);  \ +       v[c] = v[c] + v[d];             \ +       v[b] = ROTR32(v[b] ^ v[c], 7); } + +   // Initialization Vector. + +   static const uint32_t blake2s_iv[8] = +   { +       0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, +       0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19 +   }; + +   // Compression function. "last" flag indicates last block. + +   static void blake2s_compress(blake2s_ctx *ctx, int last) +   { +       const uint8_t sigma[10][16] = { +           { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, +           { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, +           { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, +           { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, +           { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, +           { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, +           { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, +           { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, +           { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, +           { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 } +       }; +       int i; +       uint32_t v[16], m[16]; + +       for (i = 0; i < 8; i++) {           // init work variables +           v[i] = ctx->h[i]; +           v[i + 8] = blake2s_iv[i]; +       } + +       v[12] ^= ctx->t[0];                 // low 32 bits of offset +       v[13] ^= ctx->t[1];                 // high 32 bits +       if (last)                           // last block flag set ? +           v[14] = ~v[14]; + + + +Saarinen & Aumasson           Informational                    [Page 23] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +       for (i = 0; i < 16; i++)            // get little-endian words +           m[i] = B2S_GET32(&ctx->b[4 * i]); + +       for (i = 0; i < 10; i++) {          // ten rounds +           B2S_G( 0, 4,  8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]); +           B2S_G( 1, 5,  9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]); +           B2S_G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]); +           B2S_G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]); +           B2S_G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]); +           B2S_G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]); +           B2S_G( 2, 7,  8, 13, m[sigma[i][12]], m[sigma[i][13]]); +           B2S_G( 3, 4,  9, 14, m[sigma[i][14]], m[sigma[i][15]]); +       } + +       for( i = 0; i < 8; ++i ) +           ctx->h[i] ^= v[i] ^ v[i + 8]; +   } + +   // Initialize the hashing context "ctx" with optional key "key". +   //      1 <= outlen <= 32 gives the digest size in bytes. +   //      Secret key (also <= 32 bytes) is optional (keylen = 0). + +   int blake2s_init(blake2s_ctx *ctx, size_t outlen, +       const void *key, size_t keylen)     // (keylen=0: no key) +   { +       size_t i; + +       if (outlen == 0 || outlen > 32 || keylen > 32) +           return -1;                      // illegal parameters + +       for (i = 0; i < 8; i++)             // state, "param block" +           ctx->h[i] = blake2s_iv[i]; +       ctx->h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen; + +       ctx->t[0] = 0;                      // input count low word +       ctx->t[1] = 0;                      // input count high word +       ctx->c = 0;                         // pointer within buffer +       ctx->outlen = outlen; + +       for (i = keylen; i < 64; i++)       // zero input block +           ctx->b[i] = 0; +       if (keylen > 0) { +           blake2s_update(ctx, key, keylen); +           ctx->c = 64;                    // at the end +       } + +       return 0; +   } + + + +Saarinen & Aumasson           Informational                    [Page 24] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +   // Add "inlen" bytes from "in" into the hash. + +   void blake2s_update(blake2s_ctx *ctx, +       const void *in, size_t inlen)       // data bytes +   { +       size_t i; + +       for (i = 0; i < inlen; i++) { +           if (ctx->c == 64) {             // buffer full ? +               ctx->t[0] += ctx->c;        // add counters +               if (ctx->t[0] < ctx->c)     // carry overflow ? +                   ctx->t[1]++;            // high word +               blake2s_compress(ctx, 0);   // compress (not last) +               ctx->c = 0;                 // counter to zero +           } +           ctx->b[ctx->c++] = ((const uint8_t *) in)[i]; +       } +   } + +   // Generate the message digest (size given in init). +   //      Result placed in "out". + +   void blake2s_final(blake2s_ctx *ctx, void *out) +   { +       size_t i; + +       ctx->t[0] += ctx->c;                // mark last block offset +       if (ctx->t[0] < ctx->c)             // carry overflow +           ctx->t[1]++;                    // high word + +       while (ctx->c < 64)                 // fill up with zeros +           ctx->b[ctx->c++] = 0; +       blake2s_compress(ctx, 1);           // final block flag = 1 + +       // little endian convert and store +       for (i = 0; i < ctx->outlen; i++) { +           ((uint8_t *) out)[i] = +               (ctx->h[i >> 2] >> (8 * (i & 3))) & 0xFF; +       } +   } + +   // Convenience function for all-in-one computation. + +   int blake2s(void *out, size_t outlen, +       const void *key, size_t keylen, +       const void *in, size_t inlen) +   { +       blake2s_ctx ctx; + + + +Saarinen & Aumasson           Informational                    [Page 25] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +       if (blake2s_init(&ctx, outlen, key, keylen)) +           return -1; +       blake2s_update(&ctx, in, inlen); +       blake2s_final(&ctx, out); + +       return 0; +   } +   <CODE ENDS> + +Appendix E.  BLAKE2b and BLAKE2s Self-Test Module C Source + +   This module computes a series of keyed and unkeyed hashes from +   deterministically generated pseudorandom data and computes a hash +   over those results.  This is a fairly exhaustive, yet compact and +   fast method for verifying that the hashing module is functioning +   correctly. + +   Such testing is RECOMMENDED, especially when compiling the +   implementation for a new a target platform configuration. +   Furthermore, some security standards, such as FIPS-140, may require a +   Power-On Self Test (POST) to be performed every time the +   cryptographic module is loaded [FIPS140-2IG]. + +   <CODE BEGINS> +   // test_main.c +   // Self test Modules for BLAKE2b and BLAKE2s -- and a stub main(). + +   #include <stdio.h> + +   #include "blake2b.h" +   #include "blake2s.h" + +   // Deterministic sequences (Fibonacci generator). + +   static void selftest_seq(uint8_t *out, size_t len, uint32_t seed) +   { +       size_t i; +       uint32_t t, a , b; + +       a = 0xDEAD4BAD * seed;              // prime +       b = 1; + +       for (i = 0; i < len; i++) {         // fill the buf +           t = a + b; +           a = b; +           b = t; +           out[i] = (t >> 24) & 0xFF; +       } + + + +Saarinen & Aumasson           Informational                    [Page 26] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +   } + +   // BLAKE2b self-test validation. Return 0 when OK. + +   int blake2b_selftest() +   { +       // grand hash of hash results +       const uint8_t blake2b_res[32] = { +           0xC2, 0x3A, 0x78, 0x00, 0xD9, 0x81, 0x23, 0xBD, +           0x10, 0xF5, 0x06, 0xC6, 0x1E, 0x29, 0xDA, 0x56, +           0x03, 0xD7, 0x63, 0xB8, 0xBB, 0xAD, 0x2E, 0x73, +           0x7F, 0x5E, 0x76, 0x5A, 0x7B, 0xCC, 0xD4, 0x75 +       }; +       // parameter sets +       const size_t b2b_md_len[4] = { 20, 32, 48, 64 }; +       const size_t b2b_in_len[6] = { 0, 3, 128, 129, 255, 1024 }; + +       size_t i, j, outlen, inlen; +       uint8_t in[1024], md[64], key[64]; +       blake2b_ctx ctx; + +       // 256-bit hash for testing +       if (blake2b_init(&ctx, 32, NULL, 0)) +           return -1; + +       for (i = 0; i < 4; i++) { +           outlen = b2b_md_len[i]; +           for (j = 0; j < 6; j++) { +               inlen = b2b_in_len[j]; + +               selftest_seq(in, inlen, inlen);     // unkeyed hash +               blake2b(md, outlen, NULL, 0, in, inlen); +               blake2b_update(&ctx, md, outlen);   // hash the hash + +               selftest_seq(key, outlen, outlen);  // keyed hash +               blake2b(md, outlen, key, outlen, in, inlen); +               blake2b_update(&ctx, md, outlen);   // hash the hash +           } +       } + +       // compute and compare the hash of hashes +       blake2b_final(&ctx, md); +       for (i = 0; i < 32; i++) { +           if (md[i] != blake2b_res[i]) +               return -1; +       } + +       return 0; + + + +Saarinen & Aumasson           Informational                    [Page 27] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +   } + +   // BLAKE2s self-test validation. Return 0 when OK. + +   int blake2s_selftest() +   { +       // Grand hash of hash results. +       const uint8_t blake2s_res[32] = { +           0x6A, 0x41, 0x1F, 0x08, 0xCE, 0x25, 0xAD, 0xCD, +           0xFB, 0x02, 0xAB, 0xA6, 0x41, 0x45, 0x1C, 0xEC, +           0x53, 0xC5, 0x98, 0xB2, 0x4F, 0x4F, 0xC7, 0x87, +           0xFB, 0xDC, 0x88, 0x79, 0x7F, 0x4C, 0x1D, 0xFE +       }; +       // Parameter sets. +       const size_t b2s_md_len[4] = { 16, 20, 28, 32 }; +       const size_t b2s_in_len[6] = { 0,  3,  64, 65, 255, 1024 }; + +       size_t i, j, outlen, inlen; +       uint8_t in[1024], md[32], key[32]; +       blake2s_ctx ctx; + +       // 256-bit hash for testing. +       if (blake2s_init(&ctx, 32, NULL, 0)) +           return -1; + +       for (i = 0; i < 4; i++) { +           outlen = b2s_md_len[i]; +           for (j = 0; j < 6; j++) { +               inlen = b2s_in_len[j]; + +               selftest_seq(in, inlen, inlen);     // unkeyed hash +               blake2s(md, outlen, NULL, 0, in, inlen); +               blake2s_update(&ctx, md, outlen);   // hash the hash + +               selftest_seq(key, outlen, outlen);  // keyed hash +               blake2s(md, outlen, key, outlen, in, inlen); +               blake2s_update(&ctx, md, outlen);   // hash the hash +           } +       } + +       // Compute and compare the hash of hashes. +       blake2s_final(&ctx, md); +       for (i = 0; i < 32; i++) { +           if (md[i] != blake2s_res[i]) +               return -1; +       } + +       return 0; + + + +Saarinen & Aumasson           Informational                    [Page 28] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +   } + +   // Test driver. + +   int main(int argc, char **argv) +   { +       printf("blake2b_selftest() = %s\n", +            blake2b_selftest() ? "FAIL" : "OK"); +       printf("blake2s_selftest() = %s\n", +            blake2s_selftest() ? "FAIL" : "OK"); + +       return 0; +   } +   <CODE ENDS> + +Acknowledgements + +   The editor wishes to thank the [BLAKE2] team for their encouragement: +   Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and +   Christian Winnerlein.  We have borrowed passages from [BLAKE] and +   [BLAKE2] with permission. + +   [BLAKE2] is based on the SHA-3 proposal [BLAKE], designed by Jean- +   Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan. +   BLAKE2, like BLAKE, relies on a core algorithm borrowed from the +   ChaCha stream cipher, designed by Daniel J. Bernstein. + + + + + + + + + + + + + + + + + + + + + + + + + +Saarinen & Aumasson           Informational                    [Page 29] + +RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015 + + +Authors' Addresses + +   Markku-Juhani O. Saarinen (editor) +   Queen's University Belfast +   Centre for Secure Information Technologies, ECIT +   Northern Ireland Science Park +   Queen's Road, Queen's Island +   Belfast  BT3 9DT +   United Kingdom + +   Email: m.saarinen@qub.ac.uk +   URI:   http://www.csit.qub.ac.uk + + +   Jean-Philippe Aumasson +   Kudelski Security +   22-24, Route de Geneve +   Case Postale 134 +   Cheseaux  1033 +   Switzerland + +   Email: jean-philippe.aumasson@nagra.com +   URI:   https://www.kudelskisecurity.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Saarinen & Aumasson           Informational                    [Page 30] + | 
