Skip to main content

The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)
RFC 7693

Document Type RFC - Informational (November 2015)
Was draft-saarinen-blake2 (individual)
Authors Markku-Juhani O. Saarinen , Jean-Philippe Aumasson
Last updated 2015-11-03
RFC stream Independent Submission
Formats
IESG Responsible AD (None)
Send notices to (None)
RFC 7693
Independent Submission                                M-J. Saarinen, Ed.
Request for Comments: 7693                    Queen's University Belfast
Category: Informational                                    J-P. Aumasson
ISSN: 2070-1721                                        Kudelski Security
                                                           November 2015

  The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)

Abstract

   This document describes the cryptographic hash function BLAKE2 and
   makes the algorithm specification and C source code conveniently
   available to the Internet community.  BLAKE2 comes in two main
   flavors: BLAKE2b is optimized for 64-bit platforms and BLAKE2s for
   smaller architectures.  BLAKE2 can be directly keyed, making it
   functionally equivalent to a Message Authentication Code (MAC).

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7693.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Saarinen & Aumasson           Informational                     [Page 1]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

Table of Contents

   1.  Introduction and Terminology  . . . . . . . . . . . . . . . .   3
   2.  Conventions, Variables, and Constants . . . . . . . . . . . .   4
     2.1.  Parameters  . . . . . . . . . . . . . . . . . . . . . . .   4
     2.2.  Other Constants and Variables . . . . . . . . . . . . . .   4
     2.3.  Arithmetic Notation . . . . . . . . . . . . . . . . . . .   4
     2.4.  Little-Endian Interpretation of Words as Bytes  . . . . .   5
     2.5.  Parameter Block . . . . . . . . . . . . . . . . . . . . .   5
     2.6.  Initialization Vector . . . . . . . . . . . . . . . . . .   6
     2.7.  Message Schedule SIGMA  . . . . . . . . . . . . . . . . .   6
   3.  BLAKE2 Processing . . . . . . . . . . . . . . . . . . . . . .   7
     3.1.  Mixing Function G . . . . . . . . . . . . . . . . . . . .   7
     3.2.  Compression Function F  . . . . . . . . . . . . . . . . .   8
     3.3.  Padding Data and Computing a BLAKE2 Digest  . . . . . . .   9
   4.  Standard Parameter Sets and Algorithm Identifiers . . . . . .  10
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  11
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .  11
     6.2.  Informative References  . . . . . . . . . . . . . . . . .  11
   Appendix A.  Example of BLAKE2b Computation . . . . . . . . . . .  13
   Appendix B.  Example of BLAKE2s Computation . . . . . . . . . . .  15
   Appendix C.  BLAKE2b Implementation C Source  . . . . . . . . . .  16
     C.1.  blake2b.h . . . . . . . . . . . . . . . . . . . . . . . .  16
     C.2.  blake2b.c . . . . . . . . . . . . . . . . . . . . . . . .  17
   Appendix D.  BLAKE2s Implementation C Source  . . . . . . . . . .  21
     D.1.  blake2s.h . . . . . . . . . . . . . . . . . . . . . . . .  21
     D.2.  blake2s.c . . . . . . . . . . . . . . . . . . . . . . . .  22
   Appendix E.  BLAKE2b and BLAKE2s Self-Test Module C Source  . . .  26
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  29
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  30

Saarinen & Aumasson           Informational                     [Page 2]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

1.  Introduction and Terminology

   The BLAKE2 cryptographic hash function [BLAKE2] was designed by Jean-
   Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian
   Winnerlein.

   BLAKE2 comes in two basic flavors:

   o  BLAKE2b (or just BLAKE2) is optimized for 64-bit platforms and
      produces digests of any size between 1 and 64 bytes.

   o  BLAKE2s is optimized for 8- to 32-bit platforms and produces
      digests of any size between 1 and 32 bytes.

   Both BLAKE2b and BLAKE2s are believed to be highly secure and perform
   well on any platform, software, or hardware.  BLAKE2 does not require
   a special "HMAC" (Hashed Message Authentication Code) construction
   for keyed message authentication as it has a built-in keying
   mechanism.

   The BLAKE2 hash function may be used by digital signature algorithms
   and message authentication and integrity protection mechanisms in
   applications such as Public Key Infrastructure (PKI), secure
   communication protocols, cloud storage, intrusion detection, forensic
   suites, and version control systems.

   The BLAKE2 suite provides a more efficient alternative to US Secure
   Hash Algorithms SHA and HMAC-SHA [RFC6234].  BLAKE2s-128 is
   especially suited as a fast and more secure drop-in replacement to
   MD5 and HMAC-MD5 in legacy applications [RFC6151].

   To aid implementation, we provide a trace of BLAKE2b-512 hash
   computation in Appendix A and a trace of BLAKE2s-256 hash computation
   in Appendix B.  Due to space constraints, this document does not
   contain a full set of test vectors for BLAKE2.

   A reference implementation in C programming language for BLAKE2b can
   be found in Appendix C and for BLAKE2s in Appendix D of this
   document.  These implementations MAY be validated with the more
   exhaustive Test Module contained in Appendix E.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

Saarinen & Aumasson           Informational                     [Page 3]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

2.  Conventions, Variables, and Constants

2.1.  Parameters

   The following table summarizes various parameters and their ranges:

                            | BLAKE2b          | BLAKE2s          |
              --------------+------------------+------------------+
               Bits in word | w = 64           | w = 32           |
               Rounds in F  | r = 12           | r = 10           |
               Block bytes  | bb = 128         | bb = 64          |
               Hash bytes   | 1 <= nn <= 64    | 1 <= nn <= 32    |
               Key bytes    | 0 <= kk <= 64    | 0 <= kk <= 32    |
               Input bytes  | 0 <= ll < 2**128 | 0 <= ll < 2**64  |
              --------------+------------------+------------------+
               G Rotation   | (R1, R2, R3, R4) | (R1, R2, R3, R4) |
                constants = | (32, 24, 16, 63) | (16, 12,  8,  7) |
              --------------+------------------+------------------+

2.2.  Other Constants and Variables

   These variables are used in the algorithm description:

   IV[0..7]  Initialization Vector (constant).

   SIGMA[0..9]  Message word permutations (constant).

   p[0..7]  Parameter block (defines hash and key sizes).

   m[0..15]  Sixteen words of a single message block.

   h[0..7]  Internal state of the hash.

   d[0..dd-1]  Padded input blocks.  Each has "bb" bytes.

   t  Message byte offset at the end of the current block.

   f  Flag indicating the last block.

2.3.  Arithmetic Notation

   For real-valued x, we define the following functions:

   floor(x)  Floor, the largest integer <= x.

   ceil(x)  Ceiling, the smallest integer >= x.

   frac(x)  Positive fractional part of x, frac(x) = x - floor(x).

Saarinen & Aumasson           Informational                     [Page 4]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

   Operator notation in pseudocode:

   2**n =  2 to the power "n". 2**0=1, 2**1=2, 2**2=4, 2**3=8, etc.

   a ^ b =  Bitwise exclusive-or operation between "a" and "b".

   a mod b =  Remainder "a" modulo "b", always in range [0, b-1].

   x >> n =  floor(x / 2**n).  Logical shift "x" right by "n" bits.

   x << n =  (x * 2**n) mod (2**w).  Logical shift "x" left by "n".

   x >>> n =  (x >> n) ^ (x << (w - n)).  Rotate "x" right by "n".

2.4.  Little-Endian Interpretation of Words as Bytes

   All mathematical operations are on 64-bit words in BLAKE2b and on
   32-bit words in BLAKE2s.

   We may also perform operations on vectors of words.  Vector indexing
   is zero based; the first element of an n-element vector "v" is v[0]
   and the last one is v[n - 1].  All elements are denoted by v[0..n-1].

   Byte (octet) streams are interpreted as words in little-endian order,
   with the least-significant byte first.  Consider this sequence of
   eight hexadecimal bytes:

        x[0..7] = 0x01 0x23 0x45 0x67 0x89 0xAB 0xCD 0xEF

   When interpreted as a 32-bit word from the beginning memory address,
   x[0..3] has a numerical value of 0x67452301 or 1732584193.

   When interpreted as a 64-bit word, bytes x[0..7] have a numerical
   value of 0xEFCDAB8967452301 or 17279655951921914625.

2.5.  Parameter Block

   We specify the parameter block words p[0..7] as follows:

        byte offset:    3 2 1 0     (otherwise zero)
              p[0] = 0x0101kknn     p[1..7] = 0

   Here the "nn" byte specifies the hash size in bytes.  The second
   (little-endian) byte of the parameter block, "kk", specifies the key
   size in bytes.  Set kk = 00 for unkeyed hashing.  Bytes 2 and 3 are
   set as 01.  All other bytes in the parameter block are set as zero.

Saarinen & Aumasson           Informational                     [Page 5]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

   Note: [BLAKE2] defines additional variants of BLAKE2 with features
   such as salting, personalized hashes, and tree hashing.  These
   OPTIONAL features use fields in the parameter block that are not
   defined in this document.

2.6.  Initialization Vector

   We define the Initialization Vector constant IV mathematically as:

          IV[i] = floor(2**w * frac(sqrt(prime(i+1)))), where prime(i)
          is the i:th prime number ( 2, 3, 5, 7, 11, 13, 17, 19 )
          and sqrt(x) is the square root of x.

   The numerical values of IV can also be found in implementations in
   Appendices C and D for BLAKE2b and BLAKE2s, respectively.

   Note: BLAKE2b IV is the same as SHA-512 IV, and BLAKE2s IV is the
   same as SHA-256 IV; see [RFC6234].

2.7.  Message Schedule SIGMA

   Message word schedule permutations for each round of both BLAKE2b and
   BLAKE2s are defined by SIGMA.  For BLAKE2b, the two extra
   permutations for rounds 10 and 11 are SIGMA[10..11] = SIGMA[0..1].

          Round   |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 |
        ----------+-------------------------------------------------+
         SIGMA[0] |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 |
         SIGMA[1] | 14 10  4  8  9 15 13  6  1 12  0  2 11  7  5  3 |
         SIGMA[2] | 11  8 12  0  5  2 15 13 10 14  3  6  7  1  9  4 |
         SIGMA[3] |  7  9  3  1 13 12 11 14  2  6  5 10  4  0 15  8 |
         SIGMA[4] |  9  0  5  7  2  4 10 15 14  1 11 12  6  8  3 13 |
         SIGMA[5] |  2 12  6 10  0 11  8  3  4 13  7  5 15 14  1  9 |
         SIGMA[6] | 12  5  1 15 14 13  4 10  0  7  6  3  9  2  8 11 |
         SIGMA[7] | 13 11  7 14 12  1  3  9  5  0 15  4  8  6  2 10 |
         SIGMA[8] |  6 15 14  9 11  3  0  8 12  2 13  7  1  4 10  5 |
         SIGMA[9] | 10  2  8  4  7  6  1  5 15 11  9 14  3 12 13  0 |
        ----------+-------------------------------------------------+

Saarinen & Aumasson           Informational                     [Page 6]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

3.  BLAKE2 Processing

3.1.  Mixing Function G

   The G primitive function mixes two input words, "x" and "y", into
   four words indexed by "a", "b", "c", and "d" in the working vector
   v[0..15].  The full modified vector is returned.  The rotation
   constants (R1, R2, R3, R4) are given in Section 2.1.

       FUNCTION G( v[0..15], a, b, c, d, x, y )
       |
       |   v[a] := (v[a] + v[b] + x) mod 2**w
       |   v[d] := (v[d] ^ v[a]) >>> R1
       |   v[c] := (v[c] + v[d])     mod 2**w
       |   v[b] := (v[b] ^ v[c]) >>> R2
       |   v[a] := (v[a] + v[b] + y) mod 2**w
       |   v[d] := (v[d] ^ v[a]) >>> R3
       |   v[c] := (v[c] + v[d])     mod 2**w
       |   v[b] := (v[b] ^ v[c]) >>> R4
       |
       |   RETURN v[0..15]
       |
       END FUNCTION.

Saarinen & Aumasson           Informational                     [Page 7]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

3.2.  Compression Function F

   Compression function F takes as an argument the state vector "h",
   message block vector "m" (last block is padded with zeros to full
   block size, if required), 2w-bit offset counter "t", and final block
   indicator flag "f".  Local vector v[0..15] is used in processing.  F
   returns a new state vector.  The number of rounds, "r", is 12 for
   BLAKE2b and 10 for BLAKE2s.  Rounds are numbered from 0 to r - 1.

       FUNCTION F( h[0..7], m[0..15], t, f )
       |
       |      // Initialize local work vector v[0..15]
       |      v[0..7] := h[0..7]              // First half from state.
       |      v[8..15] := IV[0..7]            // Second half from IV.
       |
       |      v[12] := v[12] ^ (t mod 2**w)   // Low word of the offset.
       |      v[13] := v[13] ^ (t >> w)       // High word.
       |
       |      IF f = TRUE THEN                // last block flag?
       |      |   v[14] := v[14] ^ 0xFF..FF   // Invert all bits.
       |      END IF.
       |
       |      // Cryptographic mixing
       |      FOR i = 0 TO r - 1 DO           // Ten or twelve rounds.
       |      |
       |      |   // Message word selection permutation for this round.
       |      |   s[0..15] := SIGMA[i mod 10][0..15]
       |      |
       |      |   v := G( v, 0, 4,  8, 12, m[s[ 0]], m[s[ 1]] )
       |      |   v := G( v, 1, 5,  9, 13, m[s[ 2]], m[s[ 3]] )
       |      |   v := G( v, 2, 6, 10, 14, m[s[ 4]], m[s[ 5]] )
       |      |   v := G( v, 3, 7, 11, 15, m[s[ 6]], m[s[ 7]] )
       |      |
       |      |   v := G( v, 0, 5, 10, 15, m[s[ 8]], m[s[ 9]] )
       |      |   v := G( v, 1, 6, 11, 12, m[s[10]], m[s[11]] )
       |      |   v := G( v, 2, 7,  8, 13, m[s[12]], m[s[13]] )
       |      |   v := G( v, 3, 4,  9, 14, m[s[14]], m[s[15]] )
       |      |
       |      END FOR
       |
       |      FOR i = 0 TO 7 DO               // XOR the two halves.
       |      |   h[i] := h[i] ^ v[i] ^ v[i + 8]
       |      END FOR.
       |
       |      RETURN h[0..7]                  // New state.
       |
       END FUNCTION.

Saarinen & Aumasson           Informational                     [Page 8]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

3.3.  Padding Data and Computing a BLAKE2 Digest

   We refer the reader to Appendices C and D for reference C language
   implementations of BLAKE2b and BLAKE2s, respectively.

   Key and data input are split and padded into "dd" message blocks
   d[0..dd-1], each consisting of 16 words (or "bb" bytes).

   If a secret key is used (kk > 0), it is padded with zero bytes and
   set as d[0].  Otherwise, d[0] is the first data block.  The final
   data block d[dd-1] is also padded with zero to "bb" bytes (16 words).

   The number of blocks is therefore dd = ceil(kk / bb) + ceil(ll / bb).
   However, in the special case of an unkeyed empty message (kk = 0 and
   ll = 0), we still set dd = 1 and d[0] consists of all zeros.

   The following procedure processes the padded data blocks into an
   "nn"-byte final hash value.  See Section 2 for a description of
   various variables and constants used.

        FUNCTION BLAKE2( d[0..dd-1], ll, kk, nn )
        |
        |     h[0..7] := IV[0..7]          // Initialization Vector.
        |
        |     // Parameter block p[0]
        |     h[0] := h[0] ^ 0x01010000 ^ (kk << 8) ^ nn
        |
        |     // Process padded key and data blocks
        |     IF dd > 1 THEN
        |     |       FOR i = 0 TO dd - 2 DO
        |     |       |       h := F( h, d[i], (i + 1) * bb, FALSE )
        |     |       END FOR.
        |     END IF.
        |
        |     // Final block.
        |     IF kk = 0 THEN
        |     |       h := F( h, d[dd - 1], ll, TRUE )
        |     ELSE
        |     |       h := F( h, d[dd - 1], ll + bb, TRUE )
        |     END IF.
        |
        |     RETURN first "nn" bytes from little-endian word array h[].
        |
        END FUNCTION.

Saarinen & Aumasson           Informational                     [Page 9]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

4.  Standard Parameter Sets and Algorithm Identifiers

   An implementation of BLAKE2b and/or BLAKE2s MAY support the following
   digest size parameters for interoperability (e.g., digital
   signatures), as long as a sufficient level of security is attained by
   the parameter selections.  These parameters and identifiers are
   intended to be suitable as drop-in replacements to MD5 and
   corresponding SHA algorithms.

   Developers adapting BLAKE2 to ASN.1-based message formats SHOULD use
   the OID tree at x = 1.3.6.1.4.1.1722.12.2.  The same OID can be used
   for both keyed and unkeyed hashing since in the latter case the key
   simply has zero length.

            Algorithm     | Target | Collision | Hash | Hash ASN.1 |
               Identifier |  Arch  |  Security |  nn  | OID Suffix |
           ---------------+--------+-----------+------+------------+
            id-blake2b160 | 64-bit |   2**80   |  20  |   x.1.5    |
            id-blake2b256 | 64-bit |   2**128  |  32  |   x.1.8    |
            id-blake2b384 | 64-bit |   2**192  |  48  |   x.1.12   |
            id-blake2b512 | 64-bit |   2**256  |  64  |   x.1.16   |
           ---------------+--------+-----------+------+------------+
            id-blake2s128 | 32-bit |   2**64   |  16  |   x.2.4    |
            id-blake2s160 | 32-bit |   2**80   |  20  |   x.2.5    |
            id-blake2s224 | 32-bit |   2**112  |  28  |   x.2.7    |
            id-blake2s256 | 32-bit |   2**128  |  32  |   x.2.8    |
           ---------------+--------+-----------+------+------------+

          hashAlgs OBJECT IDENTIFIER ::= {
              iso(1) identified-organization(3) dod(6) internet(1)
              private(4) enterprise(1) kudelski(1722) cryptography(12) 2
          }
          macAlgs OBJECT IDENTIFIER ::= {
              iso(1) identified-organization(3) dod(6) internet(1)
              private(4) enterprise(1) kudelski(1722) cryptography(12) 3
          }

          -- the two BLAKE2 variants --
          blake2b OBJECT IDENTIFIER ::= { hashAlgs 1 }
          blake2s OBJECT IDENTIFIER ::= { hashAlgs 2 }

          -- BLAKE2b Identifiers --
          id-blake2b160 OBJECT IDENTIFIER ::= { blake2b 5 }
          id-blake2b256 OBJECT IDENTIFIER ::= { blake2b 8 }
          id-blake2b384 OBJECT IDENTIFIER ::= { blake2b 12 }
          id-blake2b512 OBJECT IDENTIFIER ::= { blake2b 16 }

Saarinen & Aumasson           Informational                    [Page 10]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

          -- BLAKE2s Identifiers --
          id-blake2s128 OBJECT IDENTIFIER ::= { blake2s 4 }
          id-blake2s160 OBJECT IDENTIFIER ::= { blake2s 5 }
          id-blake2s224 OBJECT IDENTIFIER ::= { blake2s 7 }
          id-blake2s256 OBJECT IDENTIFIER ::= { blake2s 8 }

5.  Security Considerations

   This document is intended to provide convenient open-source access by
   the Internet community to the BLAKE2 cryptographic hash algorithm.
   We wish to make no independent assertion to its security in this
   document.  We refer the reader to [BLAKE] and [BLAKE2] for detailed
   cryptanalytic rationale behind its design.

   In order to avoid bloat, the reference implementations in Appendices
   C and D may not erase all sensitive data (such as secret keys)
   immediately from process memory after use.  Such cleanup can be added
   if needed.

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

6.2.  Informative References

   [BLAKE]    Aumasson, J-P., Meier, W., Phan, R., and L. Henzen, "The
              Hash Function BLAKE", January 2015,
              <https://131002.net/blake/book>.

   [BLAKE2]   Aumasson, J-P., Neves, S., Wilcox-O'Hearn, Z., and C.
              Winnerlein, "BLAKE2: simpler, smaller, fast as MD5",
              January 2013, <https://blake2.net/blake2.pdf>.

   [FIPS140-2IG]
              NIST, "Implementation Guidance for FIPS PUB 140-2 and the
              Cryptographic Module Validation Program", September 2015,
              <http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/
              FIPS1402IG.pdf/>.

   [RFC6151]  Turner, S. and L. Chen, "Updated Security Considerations
              for the MD5 Message-Digest and the HMAC-MD5 Algorithms",
              RFC 6151, DOI 10.17487/RFC6151, March 2011,
              <http://www.rfc-editor.org/info/rfc6151>.

Saarinen & Aumasson           Informational                    [Page 11]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

   [RFC6234]  Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234,
              DOI 10.17487/RFC6234, May 2011,
              <http://www.rfc-editor.org/info/rfc6234>.

Saarinen & Aumasson           Informational                    [Page 12]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

Appendix A.  Example of BLAKE2b Computation

   We compute the unkeyed hash of three ASCII bytes "abc" with
   BLAKE2b-512 and show internal values during computation.

          m[16] = 0000000000636261 0000000000000000 0000000000000000
                  0000000000000000 0000000000000000 0000000000000000
                  0000000000000000 0000000000000000 0000000000000000
                  0000000000000000 0000000000000000 0000000000000000
                  0000000000000000 0000000000000000 0000000000000000
                  0000000000000000

   (i= 0) v[16] = 6A09E667F2BDC948 BB67AE8584CAA73B 3C6EF372FE94F82B
                  A54FF53A5F1D36F1 510E527FADE682D1 9B05688C2B3E6C1F
                  1F83D9ABFB41BD6B 5BE0CD19137E2179 6A09E667F3BCC908
                  BB67AE8584CAA73B 3C6EF372FE94F82B A54FF53A5F1D36F1
                  510E527FADE682D2 9B05688C2B3E6C1F E07C265404BE4294
                  5BE0CD19137E2179

   (i= 1) v[16] = 86B7C1568029BB79 C12CBCC809FF59F3 C6A5214CC0EACA8E
                  0C87CD524C14CC5D 44EE6039BD86A9F7 A447C850AA694A7E
                  DE080F1BB1C0F84B 595CB8A9A1ACA66C BEC3AE837EAC4887
                  6267FC79DF9D6AD1 FA87B01273FA6DBE 521A715C63E08D8A
                  E02D0975B8D37A83 1C7B754F08B7D193 8F885A76B6E578FE
                  2318A24E2140FC64

   (i= 2) v[16] = 53281E83806010F2 3594B403F81B4393 8CD63C7462DE0DFF
                  85F693F3DA53F974 BAABDBB2F386D9AE CA5425AEC65A10A8
                  C6A22E2FF0F7AA48 C6A56A51CB89C595 224E6A3369224F96
                  500E125E58A92923 E9E4AD0D0E1A0D48 85DF9DC143C59A74
                  92A3AAAA6D952B7F C5FDF71090FAE853 2A8A40F15A462DD0
                  572D17EFFDD37358

   (i= 3) v[16] = 60ED96AA7AD41725 E46A743C71800B9D 1A04B543A01F156B
                  A2F8716E775C4877 DA0A61BCDE4267EA B1DD230754D7BDEE
                  25A1422779E06D14 E6823AE4C3FF58A5 A1677E19F37FD5DA
                  22BDCE6976B08C51 F1DE8696BEC11BF1 A0EBD586A4A1D2C8
                  C804EBAB11C99FA9 8E0CEC959C715793 7C45557FAE0D4D89
                  716343F52FDD265E

   (i= 4) v[16] = BB2A77D3A8382351 45EB47971F23B103 98BE297F6E45C684
                  A36077DEE3370B89 8A03C4CB7E97590A 24192E49EBF54EA0
                  4F82C9401CB32D7A 8CCD013726420DC4 A9C9A8F17B1FC614
                  55908187977514A0 5B44273E66B19D27 B6D5C9FCA2579327
                  086092CFB858437E 5C4BE2156DBEECF9 2EFEDE99ED4EFF16
                  3E7B5F234CD1F804

Saarinen & Aumasson           Informational                    [Page 13]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

   (i= 5) v[16] = C79C15B3D423B099 2DA2224E8DA97556 77D2B26DF1C45C55
                  8934EB09A3456052 0F6D9EEED157DA2A 6FE66467AF88C0A9
                  4EB0B76284C7AAFB 299C8E725D954697 B2240B59E6D567D3
                  2643C2370E49EBFD 79E02EEF20CDB1AE 64B3EED7BB602F39
                  B97D2D439E4DF63D C718E755294C9111 1F0893F2772BB373
                  1205EA4A7859807D

   (i= 6) v[16] = E58F97D6385BAEE4 7640AA9764DA137A DEB4C7C23EFE287E
                  70F6F41C8783C9F6 7127CD48C76A7708 9E472AF0BE3DB3F6
                  0F244C62DDF71788 219828AA83880842 41CCA9073C8C4D0D
                  5C7912BC10DF3B4B A2C3ABBD37510EE2 CB5668CC2A9F7859
                  8733794F07AC1500 C67A6BE42335AA6F ACB22B28681E4C82
                  DB2161604CBC9828

   (i= 7) v[16] = 6E2D286EEADEDC81 BCF02C0787E86358 57D56A56DD015EDF
                  55D899D40A5D0D0A 819415B56220C459 B63C479A6A769F02
                  258E55E0EC1F362A 3A3B4EC60E19DFDC 04D769B3FCB048DB
                  B78A9A33E9BFF4DD 5777272AE1E930C0 5A387849E578DBF6
                  92AAC307CF2C0AFC 30AACCC4F06DAFAA 483893CC094F8863
                  E03C6CC89C26BF92

   (i= 8) v[16] = FFC83ECE76024D01 1BE7BFFB8C5CC5F9 A35A18CBAC4C65B7
                  B7C2C7E6D88C285F 81937DA314A50838 E1179523A2541963
                  3A1FAD7106232B8F 1C7EDE92AB8B9C46 A3C2D35E4F685C10
                  A53D3F73AA619624 30BBCC0285A22F65 BCEFBB6A81539E5D
                  3841DEF6F4C9848A 98662C85FBA726D4 7762439BD5A851BD
                  B0B9F0D443D1A889

   (i= 9) v[16] = 753A70A1E8FAEADD 6B0D43CA2C25D629 F8343BA8B94F8C0B
                  BC7D062B0DB5CF35 58540EE1B1AEBC47 63C5B9B80D294CB9
                  490870ECAD27DEBD B2A90DDF667287FE 316CC9EBEEFAD8FC
                  4A466BCD021526A4 5DA7F7638CEC5669 D9C8826727D306FC
                  88ED6C4F3BD7A537 19AE688DDF67F026 4D8707AAB40F7E6D
                  FD3F572687FEA4F1

   (i=10) v[16] = E630C747CCD59C4F BC713D41127571CA 46DB183025025078
                  6727E81260610140 2D04185EAC2A8CBA 5F311B88904056EC
                  40BD313009201AAB 0099D4F82A2A1EAB 6DD4FBC1DE60165D
                  B3B0B51DE3C86270 900AEE2F233B08E5 A07199D87AD058D8
                  2C6B25593D717852 37E8CA471BEAA5F8 2CFC1BAC10EF4457
                  01369EC18746E775

   (i=11) v[16] = E801F73B9768C760 35C6D22320BE511D 306F27584F65495E
                  B51776ADF569A77B F4F1BE86690B3C34 3CC88735D1475E4B
                  5DAC67921FF76949 1CDB9D31AD70CC4E 35BA354A9C7DF448
                  4929CBE45679D73E 733D1A17248F39DB 92D57B736F5F170A
                  61B5C0A41D491399 B5C333457E12844A BD696BE010D0D889
                  02231E1A917FE0BD

Saarinen & Aumasson           Informational                    [Page 14]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

   (i=12) v[16] = 12EF8A641EC4F6D6 BCED5DE977C9FAF5 733CA476C5148639
                  97DF596B0610F6FC F42C16519AD5AFA7 AA5AC1888E10467E
                  217D930AA51787F3 906A6FF19E573942 75AB709BD3DCBF24
                  EE7CE1F345947AA4 F8960D6C2FAF5F5E E332538A36B6D246
                  885BEF040EF6AA0B A4939A417BFB78A3 646CBB7AF6DCE980
                  E813A23C60AF3B82

           h[8] = 0D4D1C983FA580BA E9F6129FB697276A B7C45A68142F214C
                  D1A2FFDB6FBB124B 2D79AB2A39C5877D 95CC3345DED552C2
                  5A92F1DBA88AD318 239900D4ED8623B9

   BLAKE2b-512("abc") = BA 80 A5 3F 98 1C 4D 0D 6A 27 97 B6 9F 12 F6 E9
                        4C 21 2F 14 68 5A C4 B7 4B 12 BB 6F DB FF A2 D1
                        7D 87 C5 39 2A AB 79 2D C2 52 D5 DE 45 33 CC 95
                        18 D3 8A A8 DB F1 92 5A B9 23 86 ED D4 00 99 23

Appendix B.  Example of BLAKE2s Computation

   We compute the unkeyed hash of three ASCII bytes "abc" with
   BLAKE2s-256 and show internal values during computation.

          m[16] = 00636261 00000000 00000000 00000000 00000000 00000000
                  00000000 00000000 00000000 00000000 00000000 00000000
                  00000000 00000000 00000000 00000000

   (i=0)  v[16] = 6B08E647 BB67AE85 3C6EF372 A54FF53A 510E527F 9B05688C
                  1F83D9AB 5BE0CD19 6A09E667 BB67AE85 3C6EF372 A54FF53A
                  510E527C 9B05688C E07C2654 5BE0CD19

   (i=1)  v[16] = 16A3242E D7B5E238 CE8CE24B 927AEDE1 A7B430D9 93A4A14E
                  A44E7C31 41D4759B 95BF33D3 9A99C181 608A3A6B B666383E
                  7A8DD50F BE378ED7 353D1EE6 3BB44C6B

   (i=2)  v[16] = 3AE30FE3 0982A96B E88185B4 3E339B16 F24338CD 0E66D326
                  E005ED0C D591A277 180B1F3A FCF43914 30DB62D6 4847831C
                  7F00C58E FB847886 C544E836 524AB0E2

   (i=3)  v[16] = 7A3BE783 997546C1 D45246DF EDB5F821 7F98A742 10E864E2
                  D4AB70D0 C63CB1AB 6038DA9E 414594B0 F2C218B5 8DA0DCB7
                  D7CD7AF5 AB4909DF 85031A52 C4EDFC98

   (i=4)  v[16] = 2A8B8CB7 1ACA82B2 14045D7F CC7258ED 383CF67C E090E7F9
                  3025D276 57D04DE4 994BACF0 F0982759 F17EE300 D48FC2D5
                  DC854C10 523898A9 C03A0F89 47D6CD88

   (i=5)  v[16] = C4AA2DDB 111343A3 D54A700A 574A00A9 857D5A48 B1E11989
                  6F5C52DF DD2C53A3 678E5F8E 9718D4E9 622CB684 92976076
                  0E41A517 359DC2BE 87A87DDD 643F9CEC

Saarinen & Aumasson           Informational                    [Page 15]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

   (i=6)  v[16] = 3453921C D7595EE1 592E776D 3ED6A974 4D997CB3 DE9212C3
                  35ADF5C9 9916FD65 96562E89 4EAD0792 EBFC2712 2385F5B2
                  F34600FB D7BC20FB EB452A7B ECE1AA40

   (i=7)  v[16] = BE851B2D A85F6358 81E6FC3B 0BB28000 FA55A33A 87BE1FAD
                  4119370F 1E2261AA A1318FD3 F4329816 071783C2 6E536A8D
                  9A81A601 E7EC80F1 ACC09948 F849A584

   (i=8)  v[16] = 07E5B85A 069CC164 F9DE3141 A56F4680 9E440AD2 9AB659EA
                  3C84B971 21DBD9CF 46699F8C 765257EC AF1D998C 75E4C3B6
                  523878DC 30715015 397FEE81 4F1FA799

   (i=9)  v[16] = 435148C4 A5AA2D11 4B354173 D543BC9E BDA2591C BF1D2569
                  4FCB3120 707ADA48 565B3FDE 32C9C916 EAF4A1AB B1018F28
                  8078D978 68ADE4B5 9778FDA3 2863B92E

   (i=10) v[16] = D9C994AA CFEC3AA6 700D0AB2 2C38670E AF6A1F66 1D023EF3
                  1D9EC27D 945357A5 3E9FFEBD 969FE811 EF485E21 A632797A
                  DEEF082E AF3D80E1 4E86829B 4DEAFD3A

           h[8] = 8C5E8C50 E2147C32 A32BA7E1 2F45EB4E 208B4537 293AD69E
                  4C9B994D 82596786

   BLAKE2s-256("abc") = 50 8C 5E 8C 32 7C 14 E2 E1 A7 2B A3 4E EB 45 2F
                        37 45 8B 20 9E D6 3A 29 4D 99 9B 4C 86 67 59 82

Appendix C.  BLAKE2b Implementation C Source

C.1.  blake2b.h

   <CODE BEGINS>
   // blake2b.h
   // BLAKE2b Hashing Context and API Prototypes

   #ifndef BLAKE2B_H
   #define BLAKE2B_H

   #include <stdint.h>
   #include <stddef.h>

   // state context
   typedef struct {
       uint8_t b[128];                     // input buffer
       uint64_t h[8];                      // chained state
       uint64_t t[2];                      // total number of bytes
       size_t c;                           // pointer for b[]
       size_t outlen;                      // digest size
   } blake2b_ctx;

Saarinen & Aumasson           Informational                    [Page 16]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

   // Initialize the hashing context "ctx" with optional key "key".
   //      1 <= outlen <= 64 gives the digest size in bytes.
   //      Secret key (also <= 64 bytes) is optional (keylen = 0).
   int blake2b_init(blake2b_ctx *ctx, size_t outlen,
       const void *key, size_t keylen);    // secret key

   // Add "inlen" bytes from "in" into the hash.
   void blake2b_update(blake2b_ctx *ctx,   // context
       const void *in, size_t inlen);      // data to be hashed

   // Generate the message digest (size given in init).
   //      Result placed in "out".
   void blake2b_final(blake2b_ctx *ctx, void *out);

   // All-in-one convenience function.
   int blake2b(void *out, size_t outlen,   // return buffer for digest
       const void *key, size_t keylen,     // optional secret key
       const void *in, size_t inlen);      // data to be hashed

   #endif
   <CODE ENDS>

C.2.  blake2b.c

   <CODE BEGINS>
   // blake2b.c
   // A simple BLAKE2b Reference Implementation.

   #include "blake2b.h"

   // Cyclic right rotation.

   #ifndef ROTR64
   #define ROTR64(x, y)  (((x) >> (y)) ^ ((x) << (64 - (y))))
   #endif

   // Little-endian byte access.

   #define B2B_GET64(p)                            \
       (((uint64_t) ((uint8_t *) (p))[0]) ^        \
       (((uint64_t) ((uint8_t *) (p))[1]) << 8) ^  \
       (((uint64_t) ((uint8_t *) (p))[2]) << 16) ^ \
       (((uint64_t) ((uint8_t *) (p))[3]) << 24) ^ \
       (((uint64_t) ((uint8_t *) (p))[4]) << 32) ^ \
       (((uint64_t) ((uint8_t *) (p))[5]) << 40) ^ \
       (((uint64_t) ((uint8_t *) (p))[6]) << 48) ^ \
       (((uint64_t) ((uint8_t *) (p))[7]) << 56))

Saarinen & Aumasson           Informational                    [Page 17]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

   // G Mixing function.

   #define B2B_G(a, b, c, d, x, y) {   \
       v[a] = v[a] + v[b] + x;         \
       v[d] = ROTR64(v[d] ^ v[a], 32); \
       v[c] = v[c] + v[d];             \
       v[b] = ROTR64(v[b] ^ v[c], 24); \
       v[a] = v[a] + v[b] + y;         \
       v[d] = ROTR64(v[d] ^ v[a], 16); \
       v[c] = v[c] + v[d];             \
       v[b] = ROTR64(v[b] ^ v[c], 63); }

   // Initialization Vector.

   static const uint64_t blake2b_iv[8] = {
       0x6A09E667F3BCC908, 0xBB67AE8584CAA73B,
       0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1,
       0x510E527FADE682D1, 0x9B05688C2B3E6C1F,
       0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179
   };

   // Compression function. "last" flag indicates last block.

   static void blake2b_compress(blake2b_ctx *ctx, int last)
   {
       const uint8_t sigma[12][16] = {
           { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
           { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
           { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
           { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
           { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
           { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
           { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
           { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
           { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
           { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
           { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
           { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
       };
       int i;
       uint64_t v[16], m[16];

       for (i = 0; i < 8; i++) {           // init work variables
           v[i] = ctx->h[i];
           v[i + 8] = blake2b_iv[i];
       }

Saarinen & Aumasson           Informational                    [Page 18]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

       v[12] ^= ctx->t[0];                 // low 64 bits of offset
       v[13] ^= ctx->t[1];                 // high 64 bits
       if (last)                           // last block flag set ?
           v[14] = ~v[14];

       for (i = 0; i < 16; i++)            // get little-endian words
           m[i] = B2B_GET64(&ctx->b[8 * i]);

       for (i = 0; i < 12; i++) {          // twelve rounds
           B2B_G( 0, 4,  8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]);
           B2B_G( 1, 5,  9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]);
           B2B_G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]);
           B2B_G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]);
           B2B_G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]);
           B2B_G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]);
           B2B_G( 2, 7,  8, 13, m[sigma[i][12]], m[sigma[i][13]]);
           B2B_G( 3, 4,  9, 14, m[sigma[i][14]], m[sigma[i][15]]);
       }

       for( i = 0; i < 8; ++i )
           ctx->h[i] ^= v[i] ^ v[i + 8];
   }

   // Initialize the hashing context "ctx" with optional key "key".
   //      1 <= outlen <= 64 gives the digest size in bytes.
   //      Secret key (also <= 64 bytes) is optional (keylen = 0).

   int blake2b_init(blake2b_ctx *ctx, size_t outlen,
       const void *key, size_t keylen)        // (keylen=0: no key)
   {
       size_t i;

       if (outlen == 0 || outlen > 64 || keylen > 64)
           return -1;                      // illegal parameters

       for (i = 0; i < 8; i++)             // state, "param block"
           ctx->h[i] = blake2b_iv[i];
       ctx->h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen;

       ctx->t[0] = 0;                      // input count low word
       ctx->t[1] = 0;                      // input count high word
       ctx->c = 0;                         // pointer within buffer
       ctx->outlen = outlen;

Saarinen & Aumasson           Informational                    [Page 19]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

       for (i = keylen; i < 128; i++)      // zero input block
           ctx->b[i] = 0;
       if (keylen > 0) {
           blake2b_update(ctx, key, keylen);
           ctx->c = 128;                   // at the end
       }

       return 0;
   }

   // Add "inlen" bytes from "in" into the hash.

   void blake2b_update(blake2b_ctx *ctx,
       const void *in, size_t inlen)       // data bytes
   {
       size_t i;

       for (i = 0; i < inlen; i++) {
           if (ctx->c == 128) {            // buffer full ?
               ctx->t[0] += ctx->c;        // add counters
               if (ctx->t[0] < ctx->c)     // carry overflow ?
                   ctx->t[1]++;            // high word
               blake2b_compress(ctx, 0);   // compress (not last)
               ctx->c = 0;                 // counter to zero
           }
           ctx->b[ctx->c++] = ((const uint8_t *) in)[i];
       }
   }

   // Generate the message digest (size given in init).
   //      Result placed in "out".

   void blake2b_final(blake2b_ctx *ctx, void *out)
   {
       size_t i;

       ctx->t[0] += ctx->c;                // mark last block offset
       if (ctx->t[0] < ctx->c)             // carry overflow
           ctx->t[1]++;                    // high word

       while (ctx->c < 128)                // fill up with zeros
           ctx->b[ctx->c++] = 0;
       blake2b_compress(ctx, 1);           // final block flag = 1

Saarinen & Aumasson           Informational                    [Page 20]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

       // little endian convert and store
       for (i = 0; i < ctx->outlen; i++) {
           ((uint8_t *) out)[i] =
               (ctx->h[i >> 3] >> (8 * (i & 7))) & 0xFF;
       }
   }

   // Convenience function for all-in-one computation.

   int blake2b(void *out, size_t outlen,
       const void *key, size_t keylen,
       const void *in, size_t inlen)
   {
       blake2b_ctx ctx;

       if (blake2b_init(&ctx, outlen, key, keylen))
           return -1;
       blake2b_update(&ctx, in, inlen);
       blake2b_final(&ctx, out);

       return 0;
   }
   <CODE ENDS>

Appendix D.  BLAKE2s Implementation C Source

D.1.  blake2s.h

   <CODE BEGINS>
   // blake2s.h
   // BLAKE2s Hashing Context and API Prototypes

   #ifndef BLAKE2S_H
   #define BLAKE2S_H

   #include <stdint.h>
   #include <stddef.h>

   // state context
   typedef struct {
       uint8_t b[64];                      // input buffer
       uint32_t h[8];                      // chained state
       uint32_t t[2];                      // total number of bytes
       size_t c;                           // pointer for b[]
       size_t outlen;                      // digest size
   } blake2s_ctx;

Saarinen & Aumasson           Informational                    [Page 21]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

   // Initialize the hashing context "ctx" with optional key "key".
   //      1 <= outlen <= 32 gives the digest size in bytes.
   //      Secret key (also <= 32 bytes) is optional (keylen = 0).
   int blake2s_init(blake2s_ctx *ctx, size_t outlen,
       const void *key, size_t keylen);    // secret key

   // Add "inlen" bytes from "in" into the hash.
   void blake2s_update(blake2s_ctx *ctx,   // context
       const void *in, size_t inlen);      // data to be hashed

   // Generate the message digest (size given in init).
   //      Result placed in "out".
   void blake2s_final(blake2s_ctx *ctx, void *out);

   // All-in-one convenience function.
   int blake2s(void *out, size_t outlen,   // return buffer for digest
       const void *key, size_t keylen,     // optional secret key
       const void *in, size_t inlen);      // data to be hashed

   #endif
   <CODE ENDS>

D.2.  blake2s.c

   <CODE BEGINS>
   // blake2s.c
   // A simple blake2s Reference Implementation.

   #include "blake2s.h"

   // Cyclic right rotation.

   #ifndef ROTR32
   #define ROTR32(x, y)  (((x) >> (y)) ^ ((x) << (32 - (y))))
   #endif

   // Little-endian byte access.

   #define B2S_GET32(p)                            \
       (((uint32_t) ((uint8_t *) (p))[0]) ^        \
       (((uint32_t) ((uint8_t *) (p))[1]) << 8) ^  \
       (((uint32_t) ((uint8_t *) (p))[2]) << 16) ^ \
       (((uint32_t) ((uint8_t *) (p))[3]) << 24))

Saarinen & Aumasson           Informational                    [Page 22]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

   // Mixing function G.

   #define B2S_G(a, b, c, d, x, y) {   \
       v[a] = v[a] + v[b] + x;         \
       v[d] = ROTR32(v[d] ^ v[a], 16); \
       v[c] = v[c] + v[d];             \
       v[b] = ROTR32(v[b] ^ v[c], 12); \
       v[a] = v[a] + v[b] + y;         \
       v[d] = ROTR32(v[d] ^ v[a], 8);  \
       v[c] = v[c] + v[d];             \
       v[b] = ROTR32(v[b] ^ v[c], 7); }

   // Initialization Vector.

   static const uint32_t blake2s_iv[8] =
   {
       0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
       0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19
   };

   // Compression function. "last" flag indicates last block.

   static void blake2s_compress(blake2s_ctx *ctx, int last)
   {
       const uint8_t sigma[10][16] = {
           { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
           { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
           { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
           { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
           { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
           { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
           { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
           { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
           { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
           { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }
       };
       int i;
       uint32_t v[16], m[16];

       for (i = 0; i < 8; i++) {           // init work variables
           v[i] = ctx->h[i];
           v[i + 8] = blake2s_iv[i];
       }

       v[12] ^= ctx->t[0];                 // low 32 bits of offset
       v[13] ^= ctx->t[1];                 // high 32 bits
       if (last)                           // last block flag set ?
           v[14] = ~v[14];

Saarinen & Aumasson           Informational                    [Page 23]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

       for (i = 0; i < 16; i++)            // get little-endian words
           m[i] = B2S_GET32(&ctx->b[4 * i]);

       for (i = 0; i < 10; i++) {          // ten rounds
           B2S_G( 0, 4,  8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]);
           B2S_G( 1, 5,  9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]);
           B2S_G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]);
           B2S_G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]);
           B2S_G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]);
           B2S_G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]);
           B2S_G( 2, 7,  8, 13, m[sigma[i][12]], m[sigma[i][13]]);
           B2S_G( 3, 4,  9, 14, m[sigma[i][14]], m[sigma[i][15]]);
       }

       for( i = 0; i < 8; ++i )
           ctx->h[i] ^= v[i] ^ v[i + 8];
   }

   // Initialize the hashing context "ctx" with optional key "key".
   //      1 <= outlen <= 32 gives the digest size in bytes.
   //      Secret key (also <= 32 bytes) is optional (keylen = 0).

   int blake2s_init(blake2s_ctx *ctx, size_t outlen,
       const void *key, size_t keylen)     // (keylen=0: no key)
   {
       size_t i;

       if (outlen == 0 || outlen > 32 || keylen > 32)
           return -1;                      // illegal parameters

       for (i = 0; i < 8; i++)             // state, "param block"
           ctx->h[i] = blake2s_iv[i];
       ctx->h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen;

       ctx->t[0] = 0;                      // input count low word
       ctx->t[1] = 0;                      // input count high word
       ctx->c = 0;                         // pointer within buffer
       ctx->outlen = outlen;

       for (i = keylen; i < 64; i++)       // zero input block
           ctx->b[i] = 0;
       if (keylen > 0) {
           blake2s_update(ctx, key, keylen);
           ctx->c = 64;                    // at the end
       }

       return 0;
   }

Saarinen & Aumasson           Informational                    [Page 24]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

   // Add "inlen" bytes from "in" into the hash.

   void blake2s_update(blake2s_ctx *ctx,
       const void *in, size_t inlen)       // data bytes
   {
       size_t i;

       for (i = 0; i < inlen; i++) {
           if (ctx->c == 64) {             // buffer full ?
               ctx->t[0] += ctx->c;        // add counters
               if (ctx->t[0] < ctx->c)     // carry overflow ?
                   ctx->t[1]++;            // high word
               blake2s_compress(ctx, 0);   // compress (not last)
               ctx->c = 0;                 // counter to zero
           }
           ctx->b[ctx->c++] = ((const uint8_t *) in)[i];
       }
   }

   // Generate the message digest (size given in init).
   //      Result placed in "out".

   void blake2s_final(blake2s_ctx *ctx, void *out)
   {
       size_t i;

       ctx->t[0] += ctx->c;                // mark last block offset
       if (ctx->t[0] < ctx->c)             // carry overflow
           ctx->t[1]++;                    // high word

       while (ctx->c < 64)                 // fill up with zeros
           ctx->b[ctx->c++] = 0;
       blake2s_compress(ctx, 1);           // final block flag = 1

       // little endian convert and store
       for (i = 0; i < ctx->outlen; i++) {
           ((uint8_t *) out)[i] =
               (ctx->h[i >> 2] >> (8 * (i & 3))) & 0xFF;
       }
   }

   // Convenience function for all-in-one computation.

   int blake2s(void *out, size_t outlen,
       const void *key, size_t keylen,
       const void *in, size_t inlen)
   {
       blake2s_ctx ctx;

Saarinen & Aumasson           Informational                    [Page 25]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

       if (blake2s_init(&ctx, outlen, key, keylen))
           return -1;
       blake2s_update(&ctx, in, inlen);
       blake2s_final(&ctx, out);

       return 0;
   }
   <CODE ENDS>

Appendix E.  BLAKE2b and BLAKE2s Self-Test Module C Source

   This module computes a series of keyed and unkeyed hashes from
   deterministically generated pseudorandom data and computes a hash
   over those results.  This is a fairly exhaustive, yet compact and
   fast method for verifying that the hashing module is functioning
   correctly.

   Such testing is RECOMMENDED, especially when compiling the
   implementation for a new a target platform configuration.
   Furthermore, some security standards, such as FIPS-140, may require a
   Power-On Self Test (POST) to be performed every time the
   cryptographic module is loaded [FIPS140-2IG].

   <CODE BEGINS>
   // test_main.c
   // Self test Modules for BLAKE2b and BLAKE2s -- and a stub main().

   #include <stdio.h>

   #include "blake2b.h"
   #include "blake2s.h"

   // Deterministic sequences (Fibonacci generator).

   static void selftest_seq(uint8_t *out, size_t len, uint32_t seed)
   {
       size_t i;
       uint32_t t, a , b;

       a = 0xDEAD4BAD * seed;              // prime
       b = 1;

       for (i = 0; i < len; i++) {         // fill the buf
           t = a + b;
           a = b;
           b = t;
           out[i] = (t >> 24) & 0xFF;
       }

Saarinen & Aumasson           Informational                    [Page 26]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

   }

   // BLAKE2b self-test validation. Return 0 when OK.

   int blake2b_selftest()
   {
       // grand hash of hash results
       const uint8_t blake2b_res[32] = {
           0xC2, 0x3A, 0x78, 0x00, 0xD9, 0x81, 0x23, 0xBD,
           0x10, 0xF5, 0x06, 0xC6, 0x1E, 0x29, 0xDA, 0x56,
           0x03, 0xD7, 0x63, 0xB8, 0xBB, 0xAD, 0x2E, 0x73,
           0x7F, 0x5E, 0x76, 0x5A, 0x7B, 0xCC, 0xD4, 0x75
       };
       // parameter sets
       const size_t b2b_md_len[4] = { 20, 32, 48, 64 };
       const size_t b2b_in_len[6] = { 0, 3, 128, 129, 255, 1024 };

       size_t i, j, outlen, inlen;
       uint8_t in[1024], md[64], key[64];
       blake2b_ctx ctx;

       // 256-bit hash for testing
       if (blake2b_init(&ctx, 32, NULL, 0))
           return -1;

       for (i = 0; i < 4; i++) {
           outlen = b2b_md_len[i];
           for (j = 0; j < 6; j++) {
               inlen = b2b_in_len[j];

               selftest_seq(in, inlen, inlen);     // unkeyed hash
               blake2b(md, outlen, NULL, 0, in, inlen);
               blake2b_update(&ctx, md, outlen);   // hash the hash

               selftest_seq(key, outlen, outlen);  // keyed hash
               blake2b(md, outlen, key, outlen, in, inlen);
               blake2b_update(&ctx, md, outlen);   // hash the hash
           }
       }

       // compute and compare the hash of hashes
       blake2b_final(&ctx, md);
       for (i = 0; i < 32; i++) {
           if (md[i] != blake2b_res[i])
               return -1;
       }

       return 0;

Saarinen & Aumasson           Informational                    [Page 27]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

   }

   // BLAKE2s self-test validation. Return 0 when OK.

   int blake2s_selftest()
   {
       // Grand hash of hash results.
       const uint8_t blake2s_res[32] = {
           0x6A, 0x41, 0x1F, 0x08, 0xCE, 0x25, 0xAD, 0xCD,
           0xFB, 0x02, 0xAB, 0xA6, 0x41, 0x45, 0x1C, 0xEC,
           0x53, 0xC5, 0x98, 0xB2, 0x4F, 0x4F, 0xC7, 0x87,
           0xFB, 0xDC, 0x88, 0x79, 0x7F, 0x4C, 0x1D, 0xFE
       };
       // Parameter sets.
       const size_t b2s_md_len[4] = { 16, 20, 28, 32 };
       const size_t b2s_in_len[6] = { 0,  3,  64, 65, 255, 1024 };

       size_t i, j, outlen, inlen;
       uint8_t in[1024], md[32], key[32];
       blake2s_ctx ctx;

       // 256-bit hash for testing.
       if (blake2s_init(&ctx, 32, NULL, 0))
           return -1;

       for (i = 0; i < 4; i++) {
           outlen = b2s_md_len[i];
           for (j = 0; j < 6; j++) {
               inlen = b2s_in_len[j];

               selftest_seq(in, inlen, inlen);     // unkeyed hash
               blake2s(md, outlen, NULL, 0, in, inlen);
               blake2s_update(&ctx, md, outlen);   // hash the hash

               selftest_seq(key, outlen, outlen);  // keyed hash
               blake2s(md, outlen, key, outlen, in, inlen);
               blake2s_update(&ctx, md, outlen);   // hash the hash
           }
       }

       // Compute and compare the hash of hashes.
       blake2s_final(&ctx, md);
       for (i = 0; i < 32; i++) {
           if (md[i] != blake2s_res[i])
               return -1;
       }

       return 0;

Saarinen & Aumasson           Informational                    [Page 28]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

   }

   // Test driver.

   int main(int argc, char **argv)
   {
       printf("blake2b_selftest() = %s\n",
            blake2b_selftest() ? "FAIL" : "OK");
       printf("blake2s_selftest() = %s\n",
            blake2s_selftest() ? "FAIL" : "OK");

       return 0;
   }
   <CODE ENDS>

Acknowledgements

   The editor wishes to thank the [BLAKE2] team for their encouragement:
   Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and
   Christian Winnerlein.  We have borrowed passages from [BLAKE] and
   [BLAKE2] with permission.

   [BLAKE2] is based on the SHA-3 proposal [BLAKE], designed by Jean-
   Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan.
   BLAKE2, like BLAKE, relies on a core algorithm borrowed from the
   ChaCha stream cipher, designed by Daniel J. Bernstein.

Saarinen & Aumasson           Informational                    [Page 29]
RFC 7693               BLAKE2 Crypto Hash and MAC          November 2015

Authors' Addresses

   Markku-Juhani O. Saarinen (editor)
   Queen's University Belfast
   Centre for Secure Information Technologies, ECIT
   Northern Ireland Science Park
   Queen's Road, Queen's Island
   Belfast  BT3 9DT
   United Kingdom

   Email: m.saarinen@qub.ac.uk
   URI:   http://www.csit.qub.ac.uk

   Jean-Philippe Aumasson
   Kudelski Security
   22-24, Route de Geneve
   Case Postale 134
   Cheseaux  1033
   Switzerland

   Email: jean-philippe.aumasson@nagra.com
   URI:   https://www.kudelskisecurity.com

Saarinen & Aumasson           Informational                    [Page 30]