GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools


rfc:rfc7693

Independent Submission M-J. Saarinen, Ed. Request for Comments: 7693 Queen's University Belfast Category: Informational J-P. Aumasson ISSN: 2070-1721 Kudelski Security

                                                         November 2015
The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)

Abstract

 This document describes the cryptographic hash function BLAKE2 and
 makes the algorithm specification and C source code conveniently
 available to the Internet community.  BLAKE2 comes in two main
 flavors: BLAKE2b is optimized for 64-bit platforms and BLAKE2s for
 smaller architectures.  BLAKE2 can be directly keyed, making it
 functionally equivalent to a Message Authentication Code (MAC).

Status of This Memo

 This document is not an Internet Standards Track specification; it is
 published for informational purposes.
 This is a contribution to the RFC Series, independently of any other
 RFC stream.  The RFC Editor has chosen to publish this document at
 its discretion and makes no statement about its value for
 implementation or deployment.  Documents approved for publication by
 the RFC Editor are not a candidate for any level of Internet
 Standard; see Section 2 of RFC 5741.
 Information about the current status of this document, any errata,
 and how to provide feedback on it may be obtained at
 http://www.rfc-editor.org/info/rfc7693.

Copyright Notice

 Copyright (c) 2015 IETF Trust and the persons identified as the
 document authors.  All rights reserved.
 This document is subject to BCP 78 and the IETF Trust's Legal
 Provisions Relating to IETF Documents
 (http://trustee.ietf.org/license-info) in effect on the date of
 publication of this document.  Please review these documents
 carefully, as they describe your rights and restrictions with respect
 to this document.

Saarinen & Aumasson Informational [Page 1] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

Table of Contents

 1.  Introduction and Terminology  . . . . . . . . . . . . . . . .   3
 2.  Conventions, Variables, and Constants . . . . . . . . . . . .   4
   2.1.  Parameters  . . . . . . . . . . . . . . . . . . . . . . .   4
   2.2.  Other Constants and Variables . . . . . . . . . . . . . .   4
   2.3.  Arithmetic Notation . . . . . . . . . . . . . . . . . . .   4
   2.4.  Little-Endian Interpretation of Words as Bytes  . . . . .   5
   2.5.  Parameter Block . . . . . . . . . . . . . . . . . . . . .   5
   2.6.  Initialization Vector . . . . . . . . . . . . . . . . . .   6
   2.7.  Message Schedule SIGMA  . . . . . . . . . . . . . . . . .   6
 3.  BLAKE2 Processing . . . . . . . . . . . . . . . . . . . . . .   7
   3.1.  Mixing Function G . . . . . . . . . . . . . . . . . . . .   7
   3.2.  Compression Function F  . . . . . . . . . . . . . . . . .   8
   3.3.  Padding Data and Computing a BLAKE2 Digest  . . . . . . .   9
 4.  Standard Parameter Sets and Algorithm Identifiers . . . . . .  10
 5.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
 6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  11
   6.1.  Normative References  . . . . . . . . . . . . . . . . . .  11
   6.2.  Informative References  . . . . . . . . . . . . . . . . .  11
 Appendix A.  Example of BLAKE2b Computation . . . . . . . . . . .  13
 Appendix B.  Example of BLAKE2s Computation . . . . . . . . . . .  15
 Appendix C.  BLAKE2b Implementation C Source  . . . . . . . . . .  16
   C.1.  blake2b.h . . . . . . . . . . . . . . . . . . . . . . . .  16
   C.2.  blake2b.c . . . . . . . . . . . . . . . . . . . . . . . .  17
 Appendix D.  BLAKE2s Implementation C Source  . . . . . . . . . .  21
   D.1.  blake2s.h . . . . . . . . . . . . . . . . . . . . . . . .  21
   D.2.  blake2s.c . . . . . . . . . . . . . . . . . . . . . . . .  22
 Appendix E.  BLAKE2b and BLAKE2s Self-Test Module C Source  . . .  26
 Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  29
 Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  30

Saarinen & Aumasson Informational [Page 2] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

1. Introduction and Terminology

 The BLAKE2 cryptographic hash function [BLAKE2] was designed by Jean-
 Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian
 Winnerlein.
 BLAKE2 comes in two basic flavors:
 o  BLAKE2b (or just BLAKE2) is optimized for 64-bit platforms and
    produces digests of any size between 1 and 64 bytes.
 o  BLAKE2s is optimized for 8- to 32-bit platforms and produces
    digests of any size between 1 and 32 bytes.
 Both BLAKE2b and BLAKE2s are believed to be highly secure and perform
 well on any platform, software, or hardware.  BLAKE2 does not require
 a special "HMAC" (Hashed Message Authentication Code) construction
 for keyed message authentication as it has a built-in keying
 mechanism.
 The BLAKE2 hash function may be used by digital signature algorithms
 and message authentication and integrity protection mechanisms in
 applications such as Public Key Infrastructure (PKI), secure
 communication protocols, cloud storage, intrusion detection, forensic
 suites, and version control systems.
 The BLAKE2 suite provides a more efficient alternative to US Secure
 Hash Algorithms SHA and HMAC-SHA [RFC6234].  BLAKE2s-128 is
 especially suited as a fast and more secure drop-in replacement to
 MD5 and HMAC-MD5 in legacy applications [RFC6151].
 To aid implementation, we provide a trace of BLAKE2b-512 hash
 computation in Appendix A and a trace of BLAKE2s-256 hash computation
 in Appendix B.  Due to space constraints, this document does not
 contain a full set of test vectors for BLAKE2.
 A reference implementation in C programming language for BLAKE2b can
 be found in Appendix C and for BLAKE2s in Appendix D of this
 document.  These implementations MAY be validated with the more
 exhaustive Test Module contained in Appendix E.
 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
 document are to be interpreted as described in [RFC2119].

Saarinen & Aumasson Informational [Page 3] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

2. Conventions, Variables, and Constants

2.1. Parameters

 The following table summarizes various parameters and their ranges:
                          | BLAKE2b          | BLAKE2s          |
            --------------+------------------+------------------+
             Bits in word | w = 64           | w = 32           |
             Rounds in F  | r = 12           | r = 10           |
             Block bytes  | bb = 128         | bb = 64          |
             Hash bytes   | 1 <= nn <= 64    | 1 <= nn <= 32    |
             Key bytes    | 0 <= kk <= 64    | 0 <= kk <= 32    |
             Input bytes  | 0 <= ll < 2**128 | 0 <= ll < 2**64  |
            --------------+------------------+------------------+
             G Rotation   | (R1, R2, R3, R4) | (R1, R2, R3, R4) |
              constants = | (32, 24, 16, 63) | (16, 12,  8,  7) |
            --------------+------------------+------------------+

2.2. Other Constants and Variables

 These variables are used in the algorithm description:
 IV[0..7]  Initialization Vector (constant).
 SIGMA[0..9]  Message word permutations (constant).
 p[0..7]  Parameter block (defines hash and key sizes).
 m[0..15]  Sixteen words of a single message block.
 h[0..7]  Internal state of the hash.
 d[0..dd-1]  Padded input blocks.  Each has "bb" bytes.
 t  Message byte offset at the end of the current block.
 f  Flag indicating the last block.

2.3. Arithmetic Notation

 For real-valued x, we define the following functions:
 floor(x)  Floor, the largest integer <= x.
 ceil(x)  Ceiling, the smallest integer >= x.
 frac(x)  Positive fractional part of x, frac(x) = x - floor(x).

Saarinen & Aumasson Informational [Page 4] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

 Operator notation in pseudocode:
 2**n =  2 to the power "n". 2**0=1, 2**1=2, 2**2=4, 2**3=8, etc.
 a ^ b =  Bitwise exclusive-or operation between "a" and "b".
 a mod b =  Remainder "a" modulo "b", always in range [0, b-1].
 x >> n =  floor(x / 2**n).  Logical shift "x" right by "n" bits.
 x << n =  (x * 2**n) mod (2**w).  Logical shift "x" left by "n".
 x >>> n =  (x >> n) ^ (x << (w - n)).  Rotate "x" right by "n".

2.4. Little-Endian Interpretation of Words as Bytes

 All mathematical operations are on 64-bit words in BLAKE2b and on
 32-bit words in BLAKE2s.
 We may also perform operations on vectors of words.  Vector indexing
 is zero based; the first element of an n-element vector "v" is v[0]
 and the last one is v[n - 1].  All elements are denoted by v[0..n-1].
 Byte (octet) streams are interpreted as words in little-endian order,
 with the least-significant byte first.  Consider this sequence of
 eight hexadecimal bytes:
      x[0..7] = 0x01 0x23 0x45 0x67 0x89 0xAB 0xCD 0xEF
 When interpreted as a 32-bit word from the beginning memory address,
 x[0..3] has a numerical value of 0x67452301 or 1732584193.
 When interpreted as a 64-bit word, bytes x[0..7] have a numerical
 value of 0xEFCDAB8967452301 or 17279655951921914625.

2.5. Parameter Block

 We specify the parameter block words p[0..7] as follows:
      byte offset:    3 2 1 0     (otherwise zero)
            p[0] = 0x0101kknn     p[1..7] = 0
 Here the "nn" byte specifies the hash size in bytes.  The second
 (little-endian) byte of the parameter block, "kk", specifies the key
 size in bytes.  Set kk = 00 for unkeyed hashing.  Bytes 2 and 3 are
 set as 01.  All other bytes in the parameter block are set as zero.

Saarinen & Aumasson Informational [Page 5] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

 Note: [BLAKE2] defines additional variants of BLAKE2 with features
 such as salting, personalized hashes, and tree hashing.  These
 OPTIONAL features use fields in the parameter block that are not
 defined in this document.

2.6. Initialization Vector

 We define the Initialization Vector constant IV mathematically as:
        IV[i] = floor(2**w * frac(sqrt(prime(i+1)))), where prime(i)
        is the i:th prime number ( 2, 3, 5, 7, 11, 13, 17, 19 )
        and sqrt(x) is the square root of x.
 The numerical values of IV can also be found in implementations in
 Appendices C and D for BLAKE2b and BLAKE2s, respectively.
 Note: BLAKE2b IV is the same as SHA-512 IV, and BLAKE2s IV is the
 same as SHA-256 IV; see [RFC6234].

2.7. Message Schedule SIGMA

 Message word schedule permutations for each round of both BLAKE2b and
 BLAKE2s are defined by SIGMA.  For BLAKE2b, the two extra
 permutations for rounds 10 and 11 are SIGMA[10..11] = SIGMA[0..1].
        Round   |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 |
      ----------+-------------------------------------------------+
       SIGMA[0] |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 |
       SIGMA[1] | 14 10  4  8  9 15 13  6  1 12  0  2 11  7  5  3 |
       SIGMA[2] | 11  8 12  0  5  2 15 13 10 14  3  6  7  1  9  4 |
       SIGMA[3] |  7  9  3  1 13 12 11 14  2  6  5 10  4  0 15  8 |
       SIGMA[4] |  9  0  5  7  2  4 10 15 14  1 11 12  6  8  3 13 |
       SIGMA[5] |  2 12  6 10  0 11  8  3  4 13  7  5 15 14  1  9 |
       SIGMA[6] | 12  5  1 15 14 13  4 10  0  7  6  3  9  2  8 11 |
       SIGMA[7] | 13 11  7 14 12  1  3  9  5  0 15  4  8  6  2 10 |
       SIGMA[8] |  6 15 14  9 11  3  0  8 12  2 13  7  1  4 10  5 |
       SIGMA[9] | 10  2  8  4  7  6  1  5 15 11  9 14  3 12 13  0 |
      ----------+-------------------------------------------------+

Saarinen & Aumasson Informational [Page 6] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

3. BLAKE2 Processing

3.1. Mixing Function G

 The G primitive function mixes two input words, "x" and "y", into
 four words indexed by "a", "b", "c", and "d" in the working vector
 v[0..15].  The full modified vector is returned.  The rotation
 constants (R1, R2, R3, R4) are given in Section 2.1.
     FUNCTION G( v[0..15], a, b, c, d, x, y )
     |
     |   v[a] := (v[a] + v[b] + x) mod 2**w
     |   v[d] := (v[d] ^ v[a]) >>> R1
     |   v[c] := (v[c] + v[d])     mod 2**w
     |   v[b] := (v[b] ^ v[c]) >>> R2
     |   v[a] := (v[a] + v[b] + y) mod 2**w
     |   v[d] := (v[d] ^ v[a]) >>> R3
     |   v[c] := (v[c] + v[d])     mod 2**w
     |   v[b] := (v[b] ^ v[c]) >>> R4
     |
     |   RETURN v[0..15]
     |
     END FUNCTION.

Saarinen & Aumasson Informational [Page 7] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

3.2. Compression Function F

 Compression function F takes as an argument the state vector "h",
 message block vector "m" (last block is padded with zeros to full
 block size, if required), 2w-bit offset counter "t", and final block
 indicator flag "f".  Local vector v[0..15] is used in processing.  F
 returns a new state vector.  The number of rounds, "r", is 12 for
 BLAKE2b and 10 for BLAKE2s.  Rounds are numbered from 0 to r - 1.
     FUNCTION F( h[0..7], m[0..15], t, f )
     |
     |      // Initialize local work vector v[0..15]
     |      v[0..7] := h[0..7]              // First half from state.
     |      v[8..15] := IV[0..7]            // Second half from IV.
     |
     |      v[12] := v[12] ^ (t mod 2**w)   // Low word of the offset.
     |      v[13] := v[13] ^ (t >> w)       // High word.
     |
     |      IF f = TRUE THEN                // last block flag?
     |      |   v[14] := v[14] ^ 0xFF..FF   // Invert all bits.
     |      END IF.
     |
     |      // Cryptographic mixing
     |      FOR i = 0 TO r - 1 DO           // Ten or twelve rounds.
     |      |
     |      |   // Message word selection permutation for this round.
     |      |   s[0..15] := SIGMA[i mod 10][0..15]
     |      |
     |      |   v := G( v, 0, 4,  8, 12, m[s[ 0]], m[s[ 1]] )
     |      |   v := G( v, 1, 5,  9, 13, m[s[ 2]], m[s[ 3]] )
     |      |   v := G( v, 2, 6, 10, 14, m[s[ 4]], m[s[ 5]] )
     |      |   v := G( v, 3, 7, 11, 15, m[s[ 6]], m[s[ 7]] )
     |      |
     |      |   v := G( v, 0, 5, 10, 15, m[s[ 8]], m[s[ 9]] )
     |      |   v := G( v, 1, 6, 11, 12, m[s[10]], m[s[11]] )
     |      |   v := G( v, 2, 7,  8, 13, m[s[12]], m[s[13]] )
     |      |   v := G( v, 3, 4,  9, 14, m[s[14]], m[s[15]] )
     |      |
     |      END FOR
     |
     |      FOR i = 0 TO 7 DO               // XOR the two halves.
     |      |   h[i] := h[i] ^ v[i] ^ v[i + 8]
     |      END FOR.
     |
     |      RETURN h[0..7]                  // New state.
     |
     END FUNCTION.

Saarinen & Aumasson Informational [Page 8] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

3.3. Padding Data and Computing a BLAKE2 Digest

 We refer the reader to Appendices C and D for reference C language
 implementations of BLAKE2b and BLAKE2s, respectively.
 Key and data input are split and padded into "dd" message blocks
 d[0..dd-1], each consisting of 16 words (or "bb" bytes).
 If a secret key is used (kk > 0), it is padded with zero bytes and
 set as d[0].  Otherwise, d[0] is the first data block.  The final
 data block d[dd-1] is also padded with zero to "bb" bytes (16 words).
 The number of blocks is therefore dd = ceil(kk / bb) + ceil(ll / bb).
 However, in the special case of an unkeyed empty message (kk = 0 and
 ll = 0), we still set dd = 1 and d[0] consists of all zeros.
 The following procedure processes the padded data blocks into an
 "nn"-byte final hash value.  See Section 2 for a description of
 various variables and constants used.
      FUNCTION BLAKE2( d[0..dd-1], ll, kk, nn )
      |
      |     h[0..7] := IV[0..7]          // Initialization Vector.
      |
      |     // Parameter block p[0]
      |     h[0] := h[0] ^ 0x01010000 ^ (kk << 8) ^ nn
      |
      |     // Process padded key and data blocks
      |     IF dd > 1 THEN
      |     |       FOR i = 0 TO dd - 2 DO
      |     |       |       h := F( h, d[i], (i + 1) * bb, FALSE )
      |     |       END FOR.
      |     END IF.
      |
      |     // Final block.
      |     IF kk = 0 THEN
      |     |       h := F( h, d[dd - 1], ll, TRUE )
      |     ELSE
      |     |       h := F( h, d[dd - 1], ll + bb, TRUE )
      |     END IF.
      |
      |     RETURN first "nn" bytes from little-endian word array h[].
      |
      END FUNCTION.

Saarinen & Aumasson Informational [Page 9] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

4. Standard Parameter Sets and Algorithm Identifiers

 An implementation of BLAKE2b and/or BLAKE2s MAY support the following
 digest size parameters for interoperability (e.g., digital
 signatures), as long as a sufficient level of security is attained by
 the parameter selections.  These parameters and identifiers are
 intended to be suitable as drop-in replacements to MD5 and
 corresponding SHA algorithms.
 Developers adapting BLAKE2 to ASN.1-based message formats SHOULD use
 the OID tree at x = 1.3.6.1.4.1.1722.12.2.  The same OID can be used
 for both keyed and unkeyed hashing since in the latter case the key
 simply has zero length.
          Algorithm     | Target | Collision | Hash | Hash ASN.1 |
             Identifier |  Arch  |  Security |  nn  | OID Suffix |
         ---------------+--------+-----------+------+------------+
          id-blake2b160 | 64-bit |   2**80   |  20  |   x.1.5    |
          id-blake2b256 | 64-bit |   2**128  |  32  |   x.1.8    |
          id-blake2b384 | 64-bit |   2**192  |  48  |   x.1.12   |
          id-blake2b512 | 64-bit |   2**256  |  64  |   x.1.16   |
         ---------------+--------+-----------+------+------------+
          id-blake2s128 | 32-bit |   2**64   |  16  |   x.2.4    |
          id-blake2s160 | 32-bit |   2**80   |  20  |   x.2.5    |
          id-blake2s224 | 32-bit |   2**112  |  28  |   x.2.7    |
          id-blake2s256 | 32-bit |   2**128  |  32  |   x.2.8    |
         ---------------+--------+-----------+------+------------+
        hashAlgs OBJECT IDENTIFIER ::= {
            iso(1) identified-organization(3) dod(6) internet(1)
            private(4) enterprise(1) kudelski(1722) cryptography(12) 2
        }
        macAlgs OBJECT IDENTIFIER ::= {
            iso(1) identified-organization(3) dod(6) internet(1)
            private(4) enterprise(1) kudelski(1722) cryptography(12) 3
        }
  1. - the two BLAKE2 variants –

blake2b OBJECT IDENTIFIER ::= { hashAlgs 1 }

        blake2s OBJECT IDENTIFIER ::= { hashAlgs 2 }
  1. - BLAKE2b Identifiers –

id-blake2b160 OBJECT IDENTIFIER ::= { blake2b 5 }

        id-blake2b256 OBJECT IDENTIFIER ::= { blake2b 8 }
        id-blake2b384 OBJECT IDENTIFIER ::= { blake2b 12 }
        id-blake2b512 OBJECT IDENTIFIER ::= { blake2b 16 }

Saarinen & Aumasson Informational [Page 10] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

  1. - BLAKE2s Identifiers –

id-blake2s128 OBJECT IDENTIFIER ::= { blake2s 4 }

        id-blake2s160 OBJECT IDENTIFIER ::= { blake2s 5 }
        id-blake2s224 OBJECT IDENTIFIER ::= { blake2s 7 }
        id-blake2s256 OBJECT IDENTIFIER ::= { blake2s 8 }

5. Security Considerations

 This document is intended to provide convenient open-source access by
 the Internet community to the BLAKE2 cryptographic hash algorithm.
 We wish to make no independent assertion to its security in this
 document.  We refer the reader to [BLAKE] and [BLAKE2] for detailed
 cryptanalytic rationale behind its design.
 In order to avoid bloat, the reference implementations in Appendices
 C and D may not erase all sensitive data (such as secret keys)
 immediately from process memory after use.  Such cleanup can be added
 if needed.

6. References

6.1. Normative References

 [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
            Requirement Levels", BCP 14, RFC 2119,
            DOI 10.17487/RFC2119, March 1997,
            <http://www.rfc-editor.org/info/rfc2119>.

6.2. Informative References

 [BLAKE]    Aumasson, J-P., Meier, W., Phan, R., and L. Henzen, "The
            Hash Function BLAKE", January 2015,
            <https://131002.net/blake/book>.
 [BLAKE2]   Aumasson, J-P., Neves, S., Wilcox-O'Hearn, Z., and C.
            Winnerlein, "BLAKE2: simpler, smaller, fast as MD5",
            January 2013, <https://blake2.net/blake2.pdf>.
 [FIPS140-2IG]
            NIST, "Implementation Guidance for FIPS PUB 140-2 and the
            Cryptographic Module Validation Program", September 2015,
            <http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/
            FIPS1402IG.pdf/>.
 [RFC6151]  Turner, S. and L. Chen, "Updated Security Considerations
            for the MD5 Message-Digest and the HMAC-MD5 Algorithms",
            RFC 6151, DOI 10.17487/RFC6151, March 2011,
            <http://www.rfc-editor.org/info/rfc6151>.

Saarinen & Aumasson Informational [Page 11] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

 [RFC6234]  Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
            (SHA and SHA-based HMAC and HKDF)", RFC 6234,
            DOI 10.17487/RFC6234, May 2011,
            <http://www.rfc-editor.org/info/rfc6234>.

Saarinen & Aumasson Informational [Page 12] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

Appendix A. Example of BLAKE2b Computation

 We compute the unkeyed hash of three ASCII bytes "abc" with
 BLAKE2b-512 and show internal values during computation.
        m[16] = 0000000000636261 0000000000000000 0000000000000000
                0000000000000000 0000000000000000 0000000000000000
                0000000000000000 0000000000000000 0000000000000000
                0000000000000000 0000000000000000 0000000000000000
                0000000000000000 0000000000000000 0000000000000000
                0000000000000000
 (i= 0) v[16] = 6A09E667F2BDC948 BB67AE8584CAA73B 3C6EF372FE94F82B
                A54FF53A5F1D36F1 510E527FADE682D1 9B05688C2B3E6C1F
                1F83D9ABFB41BD6B 5BE0CD19137E2179 6A09E667F3BCC908
                BB67AE8584CAA73B 3C6EF372FE94F82B A54FF53A5F1D36F1
                510E527FADE682D2 9B05688C2B3E6C1F E07C265404BE4294
                5BE0CD19137E2179
 (i= 1) v[16] = 86B7C1568029BB79 C12CBCC809FF59F3 C6A5214CC0EACA8E
                0C87CD524C14CC5D 44EE6039BD86A9F7 A447C850AA694A7E
                DE080F1BB1C0F84B 595CB8A9A1ACA66C BEC3AE837EAC4887
                6267FC79DF9D6AD1 FA87B01273FA6DBE 521A715C63E08D8A
                E02D0975B8D37A83 1C7B754F08B7D193 8F885A76B6E578FE
                2318A24E2140FC64
 (i= 2) v[16] = 53281E83806010F2 3594B403F81B4393 8CD63C7462DE0DFF
                85F693F3DA53F974 BAABDBB2F386D9AE CA5425AEC65A10A8
                C6A22E2FF0F7AA48 C6A56A51CB89C595 224E6A3369224F96
                500E125E58A92923 E9E4AD0D0E1A0D48 85DF9DC143C59A74
                92A3AAAA6D952B7F C5FDF71090FAE853 2A8A40F15A462DD0
                572D17EFFDD37358
 (i= 3) v[16] = 60ED96AA7AD41725 E46A743C71800B9D 1A04B543A01F156B
                A2F8716E775C4877 DA0A61BCDE4267EA B1DD230754D7BDEE
                25A1422779E06D14 E6823AE4C3FF58A5 A1677E19F37FD5DA
                22BDCE6976B08C51 F1DE8696BEC11BF1 A0EBD586A4A1D2C8
                C804EBAB11C99FA9 8E0CEC959C715793 7C45557FAE0D4D89
                716343F52FDD265E
 (i= 4) v[16] = BB2A77D3A8382351 45EB47971F23B103 98BE297F6E45C684
                A36077DEE3370B89 8A03C4CB7E97590A 24192E49EBF54EA0
                4F82C9401CB32D7A 8CCD013726420DC4 A9C9A8F17B1FC614
                55908187977514A0 5B44273E66B19D27 B6D5C9FCA2579327
                086092CFB858437E 5C4BE2156DBEECF9 2EFEDE99ED4EFF16
                3E7B5F234CD1F804

Saarinen & Aumasson Informational [Page 13] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

 (i= 5) v[16] = C79C15B3D423B099 2DA2224E8DA97556 77D2B26DF1C45C55
                8934EB09A3456052 0F6D9EEED157DA2A 6FE66467AF88C0A9
                4EB0B76284C7AAFB 299C8E725D954697 B2240B59E6D567D3
                2643C2370E49EBFD 79E02EEF20CDB1AE 64B3EED7BB602F39
                B97D2D439E4DF63D C718E755294C9111 1F0893F2772BB373
                1205EA4A7859807D
 (i= 6) v[16] = E58F97D6385BAEE4 7640AA9764DA137A DEB4C7C23EFE287E
                70F6F41C8783C9F6 7127CD48C76A7708 9E472AF0BE3DB3F6
                0F244C62DDF71788 219828AA83880842 41CCA9073C8C4D0D
                5C7912BC10DF3B4B A2C3ABBD37510EE2 CB5668CC2A9F7859
                8733794F07AC1500 C67A6BE42335AA6F ACB22B28681E4C82
                DB2161604CBC9828
 (i= 7) v[16] = 6E2D286EEADEDC81 BCF02C0787E86358 57D56A56DD015EDF
                55D899D40A5D0D0A 819415B56220C459 B63C479A6A769F02
                258E55E0EC1F362A 3A3B4EC60E19DFDC 04D769B3FCB048DB
                B78A9A33E9BFF4DD 5777272AE1E930C0 5A387849E578DBF6
                92AAC307CF2C0AFC 30AACCC4F06DAFAA 483893CC094F8863
                E03C6CC89C26BF92
 (i= 8) v[16] = FFC83ECE76024D01 1BE7BFFB8C5CC5F9 A35A18CBAC4C65B7
                B7C2C7E6D88C285F 81937DA314A50838 E1179523A2541963
                3A1FAD7106232B8F 1C7EDE92AB8B9C46 A3C2D35E4F685C10
                A53D3F73AA619624 30BBCC0285A22F65 BCEFBB6A81539E5D
                3841DEF6F4C9848A 98662C85FBA726D4 7762439BD5A851BD
                B0B9F0D443D1A889
 (i= 9) v[16] = 753A70A1E8FAEADD 6B0D43CA2C25D629 F8343BA8B94F8C0B
                BC7D062B0DB5CF35 58540EE1B1AEBC47 63C5B9B80D294CB9
                490870ECAD27DEBD B2A90DDF667287FE 316CC9EBEEFAD8FC
                4A466BCD021526A4 5DA7F7638CEC5669 D9C8826727D306FC
                88ED6C4F3BD7A537 19AE688DDF67F026 4D8707AAB40F7E6D
                FD3F572687FEA4F1
 (i=10) v[16] = E630C747CCD59C4F BC713D41127571CA 46DB183025025078
                6727E81260610140 2D04185EAC2A8CBA 5F311B88904056EC
                40BD313009201AAB 0099D4F82A2A1EAB 6DD4FBC1DE60165D
                B3B0B51DE3C86270 900AEE2F233B08E5 A07199D87AD058D8
                2C6B25593D717852 37E8CA471BEAA5F8 2CFC1BAC10EF4457
                01369EC18746E775
 (i=11) v[16] = E801F73B9768C760 35C6D22320BE511D 306F27584F65495E
                B51776ADF569A77B F4F1BE86690B3C34 3CC88735D1475E4B
                5DAC67921FF76949 1CDB9D31AD70CC4E 35BA354A9C7DF448
                4929CBE45679D73E 733D1A17248F39DB 92D57B736F5F170A
                61B5C0A41D491399 B5C333457E12844A BD696BE010D0D889
                02231E1A917FE0BD

Saarinen & Aumasson Informational [Page 14] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

 (i=12) v[16] = 12EF8A641EC4F6D6 BCED5DE977C9FAF5 733CA476C5148639
                97DF596B0610F6FC F42C16519AD5AFA7 AA5AC1888E10467E
                217D930AA51787F3 906A6FF19E573942 75AB709BD3DCBF24
                EE7CE1F345947AA4 F8960D6C2FAF5F5E E332538A36B6D246
                885BEF040EF6AA0B A4939A417BFB78A3 646CBB7AF6DCE980
                E813A23C60AF3B82
         h[8] = 0D4D1C983FA580BA E9F6129FB697276A B7C45A68142F214C
                D1A2FFDB6FBB124B 2D79AB2A39C5877D 95CC3345DED552C2
                5A92F1DBA88AD318 239900D4ED8623B9
 BLAKE2b-512("abc") = BA 80 A5 3F 98 1C 4D 0D 6A 27 97 B6 9F 12 F6 E9
                      4C 21 2F 14 68 5A C4 B7 4B 12 BB 6F DB FF A2 D1
                      7D 87 C5 39 2A AB 79 2D C2 52 D5 DE 45 33 CC 95
                      18 D3 8A A8 DB F1 92 5A B9 23 86 ED D4 00 99 23

Appendix B. Example of BLAKE2s Computation

 We compute the unkeyed hash of three ASCII bytes "abc" with
 BLAKE2s-256 and show internal values during computation.
        m[16] = 00636261 00000000 00000000 00000000 00000000 00000000
                00000000 00000000 00000000 00000000 00000000 00000000
                00000000 00000000 00000000 00000000
 (i=0)  v[16] = 6B08E647 BB67AE85 3C6EF372 A54FF53A 510E527F 9B05688C
                1F83D9AB 5BE0CD19 6A09E667 BB67AE85 3C6EF372 A54FF53A
                510E527C 9B05688C E07C2654 5BE0CD19
 (i=1)  v[16] = 16A3242E D7B5E238 CE8CE24B 927AEDE1 A7B430D9 93A4A14E
                A44E7C31 41D4759B 95BF33D3 9A99C181 608A3A6B B666383E
                7A8DD50F BE378ED7 353D1EE6 3BB44C6B
 (i=2)  v[16] = 3AE30FE3 0982A96B E88185B4 3E339B16 F24338CD 0E66D326
                E005ED0C D591A277 180B1F3A FCF43914 30DB62D6 4847831C
                7F00C58E FB847886 C544E836 524AB0E2
 (i=3)  v[16] = 7A3BE783 997546C1 D45246DF EDB5F821 7F98A742 10E864E2
                D4AB70D0 C63CB1AB 6038DA9E 414594B0 F2C218B5 8DA0DCB7
                D7CD7AF5 AB4909DF 85031A52 C4EDFC98
 (i=4)  v[16] = 2A8B8CB7 1ACA82B2 14045D7F CC7258ED 383CF67C E090E7F9
                3025D276 57D04DE4 994BACF0 F0982759 F17EE300 D48FC2D5
                DC854C10 523898A9 C03A0F89 47D6CD88
 (i=5)  v[16] = C4AA2DDB 111343A3 D54A700A 574A00A9 857D5A48 B1E11989
                6F5C52DF DD2C53A3 678E5F8E 9718D4E9 622CB684 92976076
                0E41A517 359DC2BE 87A87DDD 643F9CEC

Saarinen & Aumasson Informational [Page 15] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

 (i=6)  v[16] = 3453921C D7595EE1 592E776D 3ED6A974 4D997CB3 DE9212C3
                35ADF5C9 9916FD65 96562E89 4EAD0792 EBFC2712 2385F5B2
                F34600FB D7BC20FB EB452A7B ECE1AA40
 (i=7)  v[16] = BE851B2D A85F6358 81E6FC3B 0BB28000 FA55A33A 87BE1FAD
                4119370F 1E2261AA A1318FD3 F4329816 071783C2 6E536A8D
                9A81A601 E7EC80F1 ACC09948 F849A584
 (i=8)  v[16] = 07E5B85A 069CC164 F9DE3141 A56F4680 9E440AD2 9AB659EA
                3C84B971 21DBD9CF 46699F8C 765257EC AF1D998C 75E4C3B6
                523878DC 30715015 397FEE81 4F1FA799
 (i=9)  v[16] = 435148C4 A5AA2D11 4B354173 D543BC9E BDA2591C BF1D2569
                4FCB3120 707ADA48 565B3FDE 32C9C916 EAF4A1AB B1018F28
                8078D978 68ADE4B5 9778FDA3 2863B92E
 (i=10) v[16] = D9C994AA CFEC3AA6 700D0AB2 2C38670E AF6A1F66 1D023EF3
                1D9EC27D 945357A5 3E9FFEBD 969FE811 EF485E21 A632797A
                DEEF082E AF3D80E1 4E86829B 4DEAFD3A
         h[8] = 8C5E8C50 E2147C32 A32BA7E1 2F45EB4E 208B4537 293AD69E
                4C9B994D 82596786
 BLAKE2s-256("abc") = 50 8C 5E 8C 32 7C 14 E2 E1 A7 2B A3 4E EB 45 2F
                      37 45 8B 20 9E D6 3A 29 4D 99 9B 4C 86 67 59 82

Appendix C. BLAKE2b Implementation C Source

C.1. blake2b.h

 <CODE BEGINS>
 // blake2b.h
 // BLAKE2b Hashing Context and API Prototypes
 #ifndef BLAKE2B_H
 #define BLAKE2B_H
 #include <stdint.h>
 #include <stddef.h>
 // state context
 typedef struct {
     uint8_t b[128];                     // input buffer
     uint64_t h[8];                      // chained state
     uint64_t t[2];                      // total number of bytes
     size_t c;                           // pointer for b[]
     size_t outlen;                      // digest size
 } blake2b_ctx;

Saarinen & Aumasson Informational [Page 16] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

 // Initialize the hashing context "ctx" with optional key "key".
 //      1 <= outlen <= 64 gives the digest size in bytes.
 //      Secret key (also <= 64 bytes) is optional (keylen = 0).
 int blake2b_init(blake2b_ctx *ctx, size_t outlen,
     const void *key, size_t keylen);    // secret key
 // Add "inlen" bytes from "in" into the hash.
 void blake2b_update(blake2b_ctx *ctx,   // context
     const void *in, size_t inlen);      // data to be hashed
 // Generate the message digest (size given in init).
 //      Result placed in "out".
 void blake2b_final(blake2b_ctx *ctx, void *out);
 // All-in-one convenience function.
 int blake2b(void *out, size_t outlen,   // return buffer for digest
     const void *key, size_t keylen,     // optional secret key
     const void *in, size_t inlen);      // data to be hashed
 #endif
 <CODE ENDS>

C.2. blake2b.c

 <CODE BEGINS>
 // blake2b.c
 // A simple BLAKE2b Reference Implementation.
 #include "blake2b.h"
 // Cyclic right rotation.
 #ifndef ROTR64
 #define ROTR64(x, y)  (((x) >> (y)) ^ ((x) << (64 - (y))))
 #endif
 // Little-endian byte access.
 #define B2B_GET64(p)                            \
     (((uint64_t) ((uint8_t *) (p))[0]) ^        \
     (((uint64_t) ((uint8_t *) (p))[1]) << 8) ^  \
     (((uint64_t) ((uint8_t *) (p))[2]) << 16) ^ \
     (((uint64_t) ((uint8_t *) (p))[3]) << 24) ^ \
     (((uint64_t) ((uint8_t *) (p))[4]) << 32) ^ \
     (((uint64_t) ((uint8_t *) (p))[5]) << 40) ^ \
     (((uint64_t) ((uint8_t *) (p))[6]) << 48) ^ \
     (((uint64_t) ((uint8_t *) (p))[7]) << 56))

Saarinen & Aumasson Informational [Page 17] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

 // G Mixing function.
 #define B2B_G(a, b, c, d, x, y) {   \
     v[a] = v[a] + v[b] + x;         \
     v[d] = ROTR64(v[d] ^ v[a], 32); \
     v[c] = v[c] + v[d];             \
     v[b] = ROTR64(v[b] ^ v[c], 24); \
     v[a] = v[a] + v[b] + y;         \
     v[d] = ROTR64(v[d] ^ v[a], 16); \
     v[c] = v[c] + v[d];             \
     v[b] = ROTR64(v[b] ^ v[c], 63); }
 // Initialization Vector.
 static const uint64_t blake2b_iv[8] = {
     0x6A09E667F3BCC908, 0xBB67AE8584CAA73B,
     0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1,
     0x510E527FADE682D1, 0x9B05688C2B3E6C1F,
     0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179
 };
 // Compression function. "last" flag indicates last block.
 static void blake2b_compress(blake2b_ctx *ctx, int last)
 {
     const uint8_t sigma[12][16] = {
         { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
         { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
         { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
         { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
         { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
         { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
         { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
         { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
         { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
         { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
         { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
         { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
     };
     int i;
     uint64_t v[16], m[16];
     for (i = 0; i < 8; i++) {           // init work variables
         v[i] = ctx->h[i];
         v[i + 8] = blake2b_iv[i];
     }

Saarinen & Aumasson Informational [Page 18] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

     v[12] ^= ctx->t[0];                 // low 64 bits of offset
     v[13] ^= ctx->t[1];                 // high 64 bits
     if (last)                           // last block flag set ?
         v[14] = ~v[14];
     for (i = 0; i < 16; i++)            // get little-endian words
         m[i] = B2B_GET64(&ctx->b[8 * i]);
     for (i = 0; i < 12; i++) {          // twelve rounds
         B2B_G( 0, 4,  8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]);
         B2B_G( 1, 5,  9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]);
         B2B_G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]);
         B2B_G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]);
         B2B_G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]);
         B2B_G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]);
         B2B_G( 2, 7,  8, 13, m[sigma[i][12]], m[sigma[i][13]]);
         B2B_G( 3, 4,  9, 14, m[sigma[i][14]], m[sigma[i][15]]);
     }
     for( i = 0; i < 8; ++i )
         ctx->h[i] ^= v[i] ^ v[i + 8];
 }
 // Initialize the hashing context "ctx" with optional key "key".
 //      1 <= outlen <= 64 gives the digest size in bytes.
 //      Secret key (also <= 64 bytes) is optional (keylen = 0).
 int blake2b_init(blake2b_ctx *ctx, size_t outlen,
     const void *key, size_t keylen)        // (keylen=0: no key)
 {
     size_t i;
     if (outlen == 0 || outlen > 64 || keylen > 64)
         return -1;                      // illegal parameters
     for (i = 0; i < 8; i++)             // state, "param block"
         ctx->h[i] = blake2b_iv[i];
     ctx->h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen;
     ctx->t[0] = 0;                      // input count low word
     ctx->t[1] = 0;                      // input count high word
     ctx->c = 0;                         // pointer within buffer
     ctx->outlen = outlen;

Saarinen & Aumasson Informational [Page 19] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

     for (i = keylen; i < 128; i++)      // zero input block
         ctx->b[i] = 0;
     if (keylen > 0) {
         blake2b_update(ctx, key, keylen);
         ctx->c = 128;                   // at the end
     }
     return 0;
 }
 // Add "inlen" bytes from "in" into the hash.
 void blake2b_update(blake2b_ctx *ctx,
     const void *in, size_t inlen)       // data bytes
 {
     size_t i;
     for (i = 0; i < inlen; i++) {
         if (ctx->c == 128) {            // buffer full ?
             ctx->t[0] += ctx->c;        // add counters
             if (ctx->t[0] < ctx->c)     // carry overflow ?
                 ctx->t[1]++;            // high word
             blake2b_compress(ctx, 0);   // compress (not last)
             ctx->c = 0;                 // counter to zero
         }
         ctx->b[ctx->c++] = ((const uint8_t *) in)[i];
     }
 }
 // Generate the message digest (size given in init).
 //      Result placed in "out".
 void blake2b_final(blake2b_ctx *ctx, void *out)
 {
     size_t i;
     ctx->t[0] += ctx->c;                // mark last block offset
     if (ctx->t[0] < ctx->c)             // carry overflow
         ctx->t[1]++;                    // high word
     while (ctx->c < 128)                // fill up with zeros
         ctx->b[ctx->c++] = 0;
     blake2b_compress(ctx, 1);           // final block flag = 1

Saarinen & Aumasson Informational [Page 20] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

     // little endian convert and store
     for (i = 0; i < ctx->outlen; i++) {
         ((uint8_t *) out)[i] =
             (ctx->h[i >> 3] >> (8 * (i & 7))) & 0xFF;
     }
 }
 // Convenience function for all-in-one computation.
 int blake2b(void *out, size_t outlen,
     const void *key, size_t keylen,
     const void *in, size_t inlen)
 {
     blake2b_ctx ctx;
     if (blake2b_init(&ctx, outlen, key, keylen))
         return -1;
     blake2b_update(&ctx, in, inlen);
     blake2b_final(&ctx, out);
     return 0;
 }
 <CODE ENDS>

Appendix D. BLAKE2s Implementation C Source

D.1. blake2s.h

 <CODE BEGINS>
 // blake2s.h
 // BLAKE2s Hashing Context and API Prototypes
 #ifndef BLAKE2S_H
 #define BLAKE2S_H
 #include <stdint.h>
 #include <stddef.h>
 // state context
 typedef struct {
     uint8_t b[64];                      // input buffer
     uint32_t h[8];                      // chained state
     uint32_t t[2];                      // total number of bytes
     size_t c;                           // pointer for b[]
     size_t outlen;                      // digest size
 } blake2s_ctx;

Saarinen & Aumasson Informational [Page 21] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

 // Initialize the hashing context "ctx" with optional key "key".
 //      1 <= outlen <= 32 gives the digest size in bytes.
 //      Secret key (also <= 32 bytes) is optional (keylen = 0).
 int blake2s_init(blake2s_ctx *ctx, size_t outlen,
     const void *key, size_t keylen);    // secret key
 // Add "inlen" bytes from "in" into the hash.
 void blake2s_update(blake2s_ctx *ctx,   // context
     const void *in, size_t inlen);      // data to be hashed
 // Generate the message digest (size given in init).
 //      Result placed in "out".
 void blake2s_final(blake2s_ctx *ctx, void *out);
 // All-in-one convenience function.
 int blake2s(void *out, size_t outlen,   // return buffer for digest
     const void *key, size_t keylen,     // optional secret key
     const void *in, size_t inlen);      // data to be hashed
 #endif
 <CODE ENDS>

D.2. blake2s.c

 <CODE BEGINS>
 // blake2s.c
 // A simple blake2s Reference Implementation.
 #include "blake2s.h"
 // Cyclic right rotation.
 #ifndef ROTR32
 #define ROTR32(x, y)  (((x) >> (y)) ^ ((x) << (32 - (y))))
 #endif
 // Little-endian byte access.
 #define B2S_GET32(p)                            \
     (((uint32_t) ((uint8_t *) (p))[0]) ^        \
     (((uint32_t) ((uint8_t *) (p))[1]) << 8) ^  \
     (((uint32_t) ((uint8_t *) (p))[2]) << 16) ^ \
     (((uint32_t) ((uint8_t *) (p))[3]) << 24))

Saarinen & Aumasson Informational [Page 22] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

 // Mixing function G.
 #define B2S_G(a, b, c, d, x, y) {   \
     v[a] = v[a] + v[b] + x;         \
     v[d] = ROTR32(v[d] ^ v[a], 16); \
     v[c] = v[c] + v[d];             \
     v[b] = ROTR32(v[b] ^ v[c], 12); \
     v[a] = v[a] + v[b] + y;         \
     v[d] = ROTR32(v[d] ^ v[a], 8);  \
     v[c] = v[c] + v[d];             \
     v[b] = ROTR32(v[b] ^ v[c], 7); }
 // Initialization Vector.
 static const uint32_t blake2s_iv[8] =
 {
     0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
     0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19
 };
 // Compression function. "last" flag indicates last block.
 static void blake2s_compress(blake2s_ctx *ctx, int last)
 {
     const uint8_t sigma[10][16] = {
         { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
         { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
         { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
         { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
         { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
         { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
         { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
         { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
         { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
         { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }
     };
     int i;
     uint32_t v[16], m[16];
     for (i = 0; i < 8; i++) {           // init work variables
         v[i] = ctx->h[i];
         v[i + 8] = blake2s_iv[i];
     }
     v[12] ^= ctx->t[0];                 // low 32 bits of offset
     v[13] ^= ctx->t[1];                 // high 32 bits
     if (last)                           // last block flag set ?
         v[14] = ~v[14];

Saarinen & Aumasson Informational [Page 23] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

     for (i = 0; i < 16; i++)            // get little-endian words
         m[i] = B2S_GET32(&ctx->b[4 * i]);
     for (i = 0; i < 10; i++) {          // ten rounds
         B2S_G( 0, 4,  8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]);
         B2S_G( 1, 5,  9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]);
         B2S_G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]);
         B2S_G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]);
         B2S_G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]);
         B2S_G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]);
         B2S_G( 2, 7,  8, 13, m[sigma[i][12]], m[sigma[i][13]]);
         B2S_G( 3, 4,  9, 14, m[sigma[i][14]], m[sigma[i][15]]);
     }
     for( i = 0; i < 8; ++i )
         ctx->h[i] ^= v[i] ^ v[i + 8];
 }
 // Initialize the hashing context "ctx" with optional key "key".
 //      1 <= outlen <= 32 gives the digest size in bytes.
 //      Secret key (also <= 32 bytes) is optional (keylen = 0).
 int blake2s_init(blake2s_ctx *ctx, size_t outlen,
     const void *key, size_t keylen)     // (keylen=0: no key)
 {
     size_t i;
     if (outlen == 0 || outlen > 32 || keylen > 32)
         return -1;                      // illegal parameters
     for (i = 0; i < 8; i++)             // state, "param block"
         ctx->h[i] = blake2s_iv[i];
     ctx->h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen;
     ctx->t[0] = 0;                      // input count low word
     ctx->t[1] = 0;                      // input count high word
     ctx->c = 0;                         // pointer within buffer
     ctx->outlen = outlen;
     for (i = keylen; i < 64; i++)       // zero input block
         ctx->b[i] = 0;
     if (keylen > 0) {
         blake2s_update(ctx, key, keylen);
         ctx->c = 64;                    // at the end
     }
     return 0;
 }

Saarinen & Aumasson Informational [Page 24] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

 // Add "inlen" bytes from "in" into the hash.
 void blake2s_update(blake2s_ctx *ctx,
     const void *in, size_t inlen)       // data bytes
 {
     size_t i;
     for (i = 0; i < inlen; i++) {
         if (ctx->c == 64) {             // buffer full ?
             ctx->t[0] += ctx->c;        // add counters
             if (ctx->t[0] < ctx->c)     // carry overflow ?
                 ctx->t[1]++;            // high word
             blake2s_compress(ctx, 0);   // compress (not last)
             ctx->c = 0;                 // counter to zero
         }
         ctx->b[ctx->c++] = ((const uint8_t *) in)[i];
     }
 }
 // Generate the message digest (size given in init).
 //      Result placed in "out".
 void blake2s_final(blake2s_ctx *ctx, void *out)
 {
     size_t i;
     ctx->t[0] += ctx->c;                // mark last block offset
     if (ctx->t[0] < ctx->c)             // carry overflow
         ctx->t[1]++;                    // high word
     while (ctx->c < 64)                 // fill up with zeros
         ctx->b[ctx->c++] = 0;
     blake2s_compress(ctx, 1);           // final block flag = 1
     // little endian convert and store
     for (i = 0; i < ctx->outlen; i++) {
         ((uint8_t *) out)[i] =
             (ctx->h[i >> 2] >> (8 * (i & 3))) & 0xFF;
     }
 }
 // Convenience function for all-in-one computation.
 int blake2s(void *out, size_t outlen,
     const void *key, size_t keylen,
     const void *in, size_t inlen)
 {
     blake2s_ctx ctx;

Saarinen & Aumasson Informational [Page 25] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

     if (blake2s_init(&ctx, outlen, key, keylen))
         return -1;
     blake2s_update(&ctx, in, inlen);
     blake2s_final(&ctx, out);
     return 0;
 }
 <CODE ENDS>

Appendix E. BLAKE2b and BLAKE2s Self-Test Module C Source

 This module computes a series of keyed and unkeyed hashes from
 deterministically generated pseudorandom data and computes a hash
 over those results.  This is a fairly exhaustive, yet compact and
 fast method for verifying that the hashing module is functioning
 correctly.
 Such testing is RECOMMENDED, especially when compiling the
 implementation for a new a target platform configuration.
 Furthermore, some security standards, such as FIPS-140, may require a
 Power-On Self Test (POST) to be performed every time the
 cryptographic module is loaded [FIPS140-2IG].
 <CODE BEGINS>
 // test_main.c
 // Self test Modules for BLAKE2b and BLAKE2s -- and a stub main().
 #include <stdio.h>
 #include "blake2b.h"
 #include "blake2s.h"
 // Deterministic sequences (Fibonacci generator).
 static void selftest_seq(uint8_t *out, size_t len, uint32_t seed)
 {
     size_t i;
     uint32_t t, a , b;
     a = 0xDEAD4BAD * seed;              // prime
     b = 1;
     for (i = 0; i < len; i++) {         // fill the buf
         t = a + b;
         a = b;
         b = t;
         out[i] = (t >> 24) & 0xFF;
     }

Saarinen & Aumasson Informational [Page 26] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

 }
 // BLAKE2b self-test validation. Return 0 when OK.
 int blake2b_selftest()
 {
     // grand hash of hash results
     const uint8_t blake2b_res[32] = {
         0xC2, 0x3A, 0x78, 0x00, 0xD9, 0x81, 0x23, 0xBD,
         0x10, 0xF5, 0x06, 0xC6, 0x1E, 0x29, 0xDA, 0x56,
         0x03, 0xD7, 0x63, 0xB8, 0xBB, 0xAD, 0x2E, 0x73,
         0x7F, 0x5E, 0x76, 0x5A, 0x7B, 0xCC, 0xD4, 0x75
     };
     // parameter sets
     const size_t b2b_md_len[4] = { 20, 32, 48, 64 };
     const size_t b2b_in_len[6] = { 0, 3, 128, 129, 255, 1024 };
     size_t i, j, outlen, inlen;
     uint8_t in[1024], md[64], key[64];
     blake2b_ctx ctx;
     // 256-bit hash for testing
     if (blake2b_init(&ctx, 32, NULL, 0))
         return -1;
     for (i = 0; i < 4; i++) {
         outlen = b2b_md_len[i];
         for (j = 0; j < 6; j++) {
             inlen = b2b_in_len[j];
             selftest_seq(in, inlen, inlen);     // unkeyed hash
             blake2b(md, outlen, NULL, 0, in, inlen);
             blake2b_update(&ctx, md, outlen);   // hash the hash
             selftest_seq(key, outlen, outlen);  // keyed hash
             blake2b(md, outlen, key, outlen, in, inlen);
             blake2b_update(&ctx, md, outlen);   // hash the hash
         }
     }
     // compute and compare the hash of hashes
     blake2b_final(&ctx, md);
     for (i = 0; i < 32; i++) {
         if (md[i] != blake2b_res[i])
             return -1;
     }
     return 0;

Saarinen & Aumasson Informational [Page 27] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

 }
 // BLAKE2s self-test validation. Return 0 when OK.
 int blake2s_selftest()
 {
     // Grand hash of hash results.
     const uint8_t blake2s_res[32] = {
         0x6A, 0x41, 0x1F, 0x08, 0xCE, 0x25, 0xAD, 0xCD,
         0xFB, 0x02, 0xAB, 0xA6, 0x41, 0x45, 0x1C, 0xEC,
         0x53, 0xC5, 0x98, 0xB2, 0x4F, 0x4F, 0xC7, 0x87,
         0xFB, 0xDC, 0x88, 0x79, 0x7F, 0x4C, 0x1D, 0xFE
     };
     // Parameter sets.
     const size_t b2s_md_len[4] = { 16, 20, 28, 32 };
     const size_t b2s_in_len[6] = { 0,  3,  64, 65, 255, 1024 };
     size_t i, j, outlen, inlen;
     uint8_t in[1024], md[32], key[32];
     blake2s_ctx ctx;
     // 256-bit hash for testing.
     if (blake2s_init(&ctx, 32, NULL, 0))
         return -1;
     for (i = 0; i < 4; i++) {
         outlen = b2s_md_len[i];
         for (j = 0; j < 6; j++) {
             inlen = b2s_in_len[j];
             selftest_seq(in, inlen, inlen);     // unkeyed hash
             blake2s(md, outlen, NULL, 0, in, inlen);
             blake2s_update(&ctx, md, outlen);   // hash the hash
             selftest_seq(key, outlen, outlen);  // keyed hash
             blake2s(md, outlen, key, outlen, in, inlen);
             blake2s_update(&ctx, md, outlen);   // hash the hash
         }
     }
     // Compute and compare the hash of hashes.
     blake2s_final(&ctx, md);
     for (i = 0; i < 32; i++) {
         if (md[i] != blake2s_res[i])
             return -1;
     }
     return 0;

Saarinen & Aumasson Informational [Page 28] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

 }
 // Test driver.
 int main(int argc, char **argv)
 {
     printf("blake2b_selftest() = %s\n",
          blake2b_selftest() ? "FAIL" : "OK");
     printf("blake2s_selftest() = %s\n",
          blake2s_selftest() ? "FAIL" : "OK");
     return 0;
 }
 <CODE ENDS>

Acknowledgements

 The editor wishes to thank the [BLAKE2] team for their encouragement:
 Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and
 Christian Winnerlein.  We have borrowed passages from [BLAKE] and
 [BLAKE2] with permission.
 [BLAKE2] is based on the SHA-3 proposal [BLAKE], designed by Jean-
 Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan.
 BLAKE2, like BLAKE, relies on a core algorithm borrowed from the
 ChaCha stream cipher, designed by Daniel J. Bernstein.

Saarinen & Aumasson Informational [Page 29] RFC 7693 BLAKE2 Crypto Hash and MAC November 2015

Authors' Addresses

 Markku-Juhani O. Saarinen (editor)
 Queen's University Belfast
 Centre for Secure Information Technologies, ECIT
 Northern Ireland Science Park
 Queen's Road, Queen's Island
 Belfast  BT3 9DT
 United Kingdom
 Email: m.saarinen@qub.ac.uk
 URI:   http://www.csit.qub.ac.uk
 Jean-Philippe Aumasson
 Kudelski Security
 22-24, Route de Geneve
 Case Postale 134
 Cheseaux  1033
 Switzerland
 Email: jean-philippe.aumasson@nagra.com
 URI:   https://www.kudelskisecurity.com

Saarinen & Aumasson Informational [Page 30]

/data/webs/external/dokuwiki/data/pages/rfc/rfc7693.txt · Last modified: 2015/11/04 04:12 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki