The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)
RFC 7693
| Document | Type |
RFC - Informational
(November 2015; No errata)
Was draft-saarinen-blake2 (individual)
|
|
|---|---|---|---|
| Authors | Markku-Juhani Saarinen , Jean-Philippe Aumasson | ||
| Last updated | 2015-11-03 | ||
| Stream | Independent Submission | ||
| Formats | plain text html pdf htmlized bibtex | ||
| IETF conflict review | conflict-review-saarinen-blake2 | ||
| Stream | ISE state | Published RFC | |
| Consensus Boilerplate | Unknown | ||
| Document shepherd | Adrian Farrel | ||
| Shepherd write-up | Show (last changed 2015-06-18) | ||
| IESG | IESG state | RFC 7693 (Informational) | |
| Telechat date | |||
| Responsible AD | (None) | ||
| Send notices to | (None) | ||
| IANA | IANA review state | Version Changed - Review Needed | |
| IANA action state | No IANA Actions | ||
Independent Submission M-J. Saarinen, Ed.
Request for Comments: 7693 Queen's University Belfast
Category: Informational J-P. Aumasson
ISSN: 2070-1721 Kudelski Security
November 2015
The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)
Abstract
This document describes the cryptographic hash function BLAKE2 and
makes the algorithm specification and C source code conveniently
available to the Internet community. BLAKE2 comes in two main
flavors: BLAKE2b is optimized for 64-bit platforms and BLAKE2s for
smaller architectures. BLAKE2 can be directly keyed, making it
functionally equivalent to a Message Authentication Code (MAC).
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any other
RFC stream. The RFC Editor has chosen to publish this document at
its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7693.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Saarinen & Aumasson Informational [Page 1]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
Table of Contents
1. Introduction and Terminology . . . . . . . . . . . . . . . . 3
2. Conventions, Variables, and Constants . . . . . . . . . . . . 4
2.1. Parameters . . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Other Constants and Variables . . . . . . . . . . . . . . 4
2.3. Arithmetic Notation . . . . . . . . . . . . . . . . . . . 4
2.4. Little-Endian Interpretation of Words as Bytes . . . . . 5
2.5. Parameter Block . . . . . . . . . . . . . . . . . . . . . 5
2.6. Initialization Vector . . . . . . . . . . . . . . . . . . 6
2.7. Message Schedule SIGMA . . . . . . . . . . . . . . . . . 6
3. BLAKE2 Processing . . . . . . . . . . . . . . . . . . . . . . 7
3.1. Mixing Function G . . . . . . . . . . . . . . . . . . . . 7
3.2. Compression Function F . . . . . . . . . . . . . . . . . 8
3.3. Padding Data and Computing a BLAKE2 Digest . . . . . . . 9
4. Standard Parameter Sets and Algorithm Identifiers . . . . . . 10
5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
6.1. Normative References . . . . . . . . . . . . . . . . . . 11
6.2. Informative References . . . . . . . . . . . . . . . . . 11
Appendix A. Example of BLAKE2b Computation . . . . . . . . . . . 13
Appendix B. Example of BLAKE2s Computation . . . . . . . . . . . 15
Appendix C. BLAKE2b Implementation C Source . . . . . . . . . . 16
C.1. blake2b.h . . . . . . . . . . . . . . . . . . . . . . . . 16
C.2. blake2b.c . . . . . . . . . . . . . . . . . . . . . . . . 17
Appendix D. BLAKE2s Implementation C Source . . . . . . . . . . 21
D.1. blake2s.h . . . . . . . . . . . . . . . . . . . . . . . . 21
D.2. blake2s.c . . . . . . . . . . . . . . . . . . . . . . . . 22
Appendix E. BLAKE2b and BLAKE2s Self-Test Module C Source . . . 26
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 30
Saarinen & Aumasson Informational [Page 2]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
1. Introduction and Terminology
The BLAKE2 cryptographic hash function [BLAKE2] was designed by Jean-
Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian
Winnerlein.
BLAKE2 comes in two basic flavors:
o BLAKE2b (or just BLAKE2) is optimized for 64-bit platforms and
produces digests of any size between 1 and 64 bytes.
o BLAKE2s is optimized for 8- to 32-bit platforms and produces
digests of any size between 1 and 32 bytes.
Both BLAKE2b and BLAKE2s are believed to be highly secure and perform
well on any platform, software, or hardware. BLAKE2 does not require
a special "HMAC" (Hashed Message Authentication Code) construction
for keyed message authentication as it has a built-in keying
mechanism.
The BLAKE2 hash function may be used by digital signature algorithms
and message authentication and integrity protection mechanisms in
applications such as Public Key Infrastructure (PKI), secure
communication protocols, cloud storage, intrusion detection, forensic
suites, and version control systems.
The BLAKE2 suite provides a more efficient alternative to US Secure
Hash Algorithms SHA and HMAC-SHA [RFC6234]. BLAKE2s-128 is
especially suited as a fast and more secure drop-in replacement to
MD5 and HMAC-MD5 in legacy applications [RFC6151].
To aid implementation, we provide a trace of BLAKE2b-512 hash
computation in Appendix A and a trace of BLAKE2s-256 hash computation
in Appendix B. Due to space constraints, this document does not
contain a full set of test vectors for BLAKE2.
A reference implementation in C programming language for BLAKE2b can
be found in Appendix C and for BLAKE2s in Appendix D of this
document. These implementations MAY be validated with the more
exhaustive Test Module contained in Appendix E.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Saarinen & Aumasson Informational [Page 3]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
2. Conventions, Variables, and Constants
2.1. Parameters
The following table summarizes various parameters and their ranges:
| BLAKE2b | BLAKE2s |
--------------+------------------+------------------+
Bits in word | w = 64 | w = 32 |
Rounds in F | r = 12 | r = 10 |
Block bytes | bb = 128 | bb = 64 |
Hash bytes | 1 <= nn <= 64 | 1 <= nn <= 32 |
Key bytes | 0 <= kk <= 64 | 0 <= kk <= 32 |
Input bytes | 0 <= ll < 2**128 | 0 <= ll < 2**64 |
--------------+------------------+------------------+
G Rotation | (R1, R2, R3, R4) | (R1, R2, R3, R4) |
constants = | (32, 24, 16, 63) | (16, 12, 8, 7) |
--------------+------------------+------------------+
2.2. Other Constants and Variables
These variables are used in the algorithm description:
IV[0..7] Initialization Vector (constant).
SIGMA[0..9] Message word permutations (constant).
p[0..7] Parameter block (defines hash and key sizes).
m[0..15] Sixteen words of a single message block.
h[0..7] Internal state of the hash.
d[0..dd-1] Padded input blocks. Each has "bb" bytes.
t Message byte offset at the end of the current block.
f Flag indicating the last block.
2.3. Arithmetic Notation
For real-valued x, we define the following functions:
floor(x) Floor, the largest integer <= x.
ceil(x) Ceiling, the smallest integer >= x.
frac(x) Positive fractional part of x, frac(x) = x - floor(x).
Saarinen & Aumasson Informational [Page 4]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
Operator notation in pseudocode:
2**n = 2 to the power "n". 2**0=1, 2**1=2, 2**2=4, 2**3=8, etc.
a ^ b = Bitwise exclusive-or operation between "a" and "b".
a mod b = Remainder "a" modulo "b", always in range [0, b-1].
x >> n = floor(x / 2**n). Logical shift "x" right by "n" bits.
x << n = (x * 2**n) mod (2**w). Logical shift "x" left by "n".
x >>> n = (x >> n) ^ (x << (w - n)). Rotate "x" right by "n".
2.4. Little-Endian Interpretation of Words as Bytes
All mathematical operations are on 64-bit words in BLAKE2b and on
32-bit words in BLAKE2s.
We may also perform operations on vectors of words. Vector indexing
is zero based; the first element of an n-element vector "v" is v[0]
and the last one is v[n - 1]. All elements are denoted by v[0..n-1].
Byte (octet) streams are interpreted as words in little-endian order,
with the least-significant byte first. Consider this sequence of
eight hexadecimal bytes:
x[0..7] = 0x01 0x23 0x45 0x67 0x89 0xAB 0xCD 0xEF
When interpreted as a 32-bit word from the beginning memory address,
x[0..3] has a numerical value of 0x67452301 or 1732584193.
When interpreted as a 64-bit word, bytes x[0..7] have a numerical
value of 0xEFCDAB8967452301 or 17279655951921914625.
2.5. Parameter Block
We specify the parameter block words p[0..7] as follows:
byte offset: 3 2 1 0 (otherwise zero)
p[0] = 0x0101kknn p[1..7] = 0
Here the "nn" byte specifies the hash size in bytes. The second
(little-endian) byte of the parameter block, "kk", specifies the key
size in bytes. Set kk = 00 for unkeyed hashing. Bytes 2 and 3 are
set as 01. All other bytes in the parameter block are set as zero.
Saarinen & Aumasson Informational [Page 5]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
Note: [BLAKE2] defines additional variants of BLAKE2 with features
such as salting, personalized hashes, and tree hashing. These
OPTIONAL features use fields in the parameter block that are not
defined in this document.
2.6. Initialization Vector
We define the Initialization Vector constant IV mathematically as:
IV[i] = floor(2**w * frac(sqrt(prime(i+1)))), where prime(i)
is the i:th prime number ( 2, 3, 5, 7, 11, 13, 17, 19 )
and sqrt(x) is the square root of x.
The numerical values of IV can also be found in implementations in
Appendices C and D for BLAKE2b and BLAKE2s, respectively.
Note: BLAKE2b IV is the same as SHA-512 IV, and BLAKE2s IV is the
same as SHA-256 IV; see [RFC6234].
2.7. Message Schedule SIGMA
Message word schedule permutations for each round of both BLAKE2b and
BLAKE2s are defined by SIGMA. For BLAKE2b, the two extra
permutations for rounds 10 and 11 are SIGMA[10..11] = SIGMA[0..1].
Round | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
----------+-------------------------------------------------+
SIGMA[0] | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
SIGMA[1] | 14 10 4 8 9 15 13 6 1 12 0 2 11 7 5 3 |
SIGMA[2] | 11 8 12 0 5 2 15 13 10 14 3 6 7 1 9 4 |
SIGMA[3] | 7 9 3 1 13 12 11 14 2 6 5 10 4 0 15 8 |
SIGMA[4] | 9 0 5 7 2 4 10 15 14 1 11 12 6 8 3 13 |
SIGMA[5] | 2 12 6 10 0 11 8 3 4 13 7 5 15 14 1 9 |
SIGMA[6] | 12 5 1 15 14 13 4 10 0 7 6 3 9 2 8 11 |
SIGMA[7] | 13 11 7 14 12 1 3 9 5 0 15 4 8 6 2 10 |
SIGMA[8] | 6 15 14 9 11 3 0 8 12 2 13 7 1 4 10 5 |
SIGMA[9] | 10 2 8 4 7 6 1 5 15 11 9 14 3 12 13 0 |
----------+-------------------------------------------------+
Saarinen & Aumasson Informational [Page 6]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
3. BLAKE2 Processing
3.1. Mixing Function G
The G primitive function mixes two input words, "x" and "y", into
four words indexed by "a", "b", "c", and "d" in the working vector
v[0..15]. The full modified vector is returned. The rotation
constants (R1, R2, R3, R4) are given in Section 2.1.
FUNCTION G( v[0..15], a, b, c, d, x, y )
|
| v[a] := (v[a] + v[b] + x) mod 2**w
| v[d] := (v[d] ^ v[a]) >>> R1
| v[c] := (v[c] + v[d]) mod 2**w
| v[b] := (v[b] ^ v[c]) >>> R2
| v[a] := (v[a] + v[b] + y) mod 2**w
| v[d] := (v[d] ^ v[a]) >>> R3
| v[c] := (v[c] + v[d]) mod 2**w
| v[b] := (v[b] ^ v[c]) >>> R4
|
| RETURN v[0..15]
|
END FUNCTION.
Saarinen & Aumasson Informational [Page 7]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
3.2. Compression Function F
Compression function F takes as an argument the state vector "h",
message block vector "m" (last block is padded with zeros to full
block size, if required), 2w-bit offset counter "t", and final block
indicator flag "f". Local vector v[0..15] is used in processing. F
returns a new state vector. The number of rounds, "r", is 12 for
BLAKE2b and 10 for BLAKE2s. Rounds are numbered from 0 to r - 1.
FUNCTION F( h[0..7], m[0..15], t, f )
|
| // Initialize local work vector v[0..15]
| v[0..7] := h[0..7] // First half from state.
| v[8..15] := IV[0..7] // Second half from IV.
|
| v[12] := v[12] ^ (t mod 2**w) // Low word of the offset.
| v[13] := v[13] ^ (t >> w) // High word.
|
| IF f = TRUE THEN // last block flag?
| | v[14] := v[14] ^ 0xFF..FF // Invert all bits.
| END IF.
|
| // Cryptographic mixing
| FOR i = 0 TO r - 1 DO // Ten or twelve rounds.
| |
| | // Message word selection permutation for this round.
| | s[0..15] := SIGMA[i mod 10][0..15]
| |
| | v := G( v, 0, 4, 8, 12, m[s[ 0]], m[s[ 1]] )
| | v := G( v, 1, 5, 9, 13, m[s[ 2]], m[s[ 3]] )
| | v := G( v, 2, 6, 10, 14, m[s[ 4]], m[s[ 5]] )
| | v := G( v, 3, 7, 11, 15, m[s[ 6]], m[s[ 7]] )
| |
| | v := G( v, 0, 5, 10, 15, m[s[ 8]], m[s[ 9]] )
| | v := G( v, 1, 6, 11, 12, m[s[10]], m[s[11]] )
| | v := G( v, 2, 7, 8, 13, m[s[12]], m[s[13]] )
| | v := G( v, 3, 4, 9, 14, m[s[14]], m[s[15]] )
| |
| END FOR
|
| FOR i = 0 TO 7 DO // XOR the two halves.
| | h[i] := h[i] ^ v[i] ^ v[i + 8]
| END FOR.
|
| RETURN h[0..7] // New state.
|
END FUNCTION.
Saarinen & Aumasson Informational [Page 8]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
3.3. Padding Data and Computing a BLAKE2 Digest
We refer the reader to Appendices C and D for reference C language
implementations of BLAKE2b and BLAKE2s, respectively.
Key and data input are split and padded into "dd" message blocks
d[0..dd-1], each consisting of 16 words (or "bb" bytes).
If a secret key is used (kk > 0), it is padded with zero bytes and
set as d[0]. Otherwise, d[0] is the first data block. The final
data block d[dd-1] is also padded with zero to "bb" bytes (16 words).
The number of blocks is therefore dd = ceil(kk / bb) + ceil(ll / bb).
However, in the special case of an unkeyed empty message (kk = 0 and
ll = 0), we still set dd = 1 and d[0] consists of all zeros.
The following procedure processes the padded data blocks into an
"nn"-byte final hash value. See Section 2 for a description of
various variables and constants used.
FUNCTION BLAKE2( d[0..dd-1], ll, kk, nn )
|
| h[0..7] := IV[0..7] // Initialization Vector.
|
| // Parameter block p[0]
| h[0] := h[0] ^ 0x01010000 ^ (kk << 8) ^ nn
|
| // Process padded key and data blocks
| IF dd > 1 THEN
| | FOR i = 0 TO dd - 2 DO
| | | h := F( h, d[i], (i + 1) * bb, FALSE )
| | END FOR.
| END IF.
|
| // Final block.
| IF kk = 0 THEN
| | h := F( h, d[dd - 1], ll, TRUE )
| ELSE
| | h := F( h, d[dd - 1], ll + bb, TRUE )
| END IF.
|
| RETURN first "nn" bytes from little-endian word array h[].
|
END FUNCTION.
Saarinen & Aumasson Informational [Page 9]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
4. Standard Parameter Sets and Algorithm Identifiers
An implementation of BLAKE2b and/or BLAKE2s MAY support the following
digest size parameters for interoperability (e.g., digital
signatures), as long as a sufficient level of security is attained by
the parameter selections. These parameters and identifiers are
intended to be suitable as drop-in replacements to MD5 and
corresponding SHA algorithms.
Developers adapting BLAKE2 to ASN.1-based message formats SHOULD use
the OID tree at x = 1.3.6.1.4.1.1722.12.2. The same OID can be used
for both keyed and unkeyed hashing since in the latter case the key
simply has zero length.
Algorithm | Target | Collision | Hash | Hash ASN.1 |
Identifier | Arch | Security | nn | OID Suffix |
---------------+--------+-----------+------+------------+
id-blake2b160 | 64-bit | 2**80 | 20 | x.1.5 |
id-blake2b256 | 64-bit | 2**128 | 32 | x.1.8 |
id-blake2b384 | 64-bit | 2**192 | 48 | x.1.12 |
id-blake2b512 | 64-bit | 2**256 | 64 | x.1.16 |
---------------+--------+-----------+------+------------+
id-blake2s128 | 32-bit | 2**64 | 16 | x.2.4 |
id-blake2s160 | 32-bit | 2**80 | 20 | x.2.5 |
id-blake2s224 | 32-bit | 2**112 | 28 | x.2.7 |
id-blake2s256 | 32-bit | 2**128 | 32 | x.2.8 |
---------------+--------+-----------+------+------------+
hashAlgs OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1)
private(4) enterprise(1) kudelski(1722) cryptography(12) 2
}
macAlgs OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1)
private(4) enterprise(1) kudelski(1722) cryptography(12) 3
}
-- the two BLAKE2 variants --
blake2b OBJECT IDENTIFIER ::= { hashAlgs 1 }
blake2s OBJECT IDENTIFIER ::= { hashAlgs 2 }
-- BLAKE2b Identifiers --
id-blake2b160 OBJECT IDENTIFIER ::= { blake2b 5 }
id-blake2b256 OBJECT IDENTIFIER ::= { blake2b 8 }
id-blake2b384 OBJECT IDENTIFIER ::= { blake2b 12 }
id-blake2b512 OBJECT IDENTIFIER ::= { blake2b 16 }
Saarinen & Aumasson Informational [Page 10]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
-- BLAKE2s Identifiers --
id-blake2s128 OBJECT IDENTIFIER ::= { blake2s 4 }
id-blake2s160 OBJECT IDENTIFIER ::= { blake2s 5 }
id-blake2s224 OBJECT IDENTIFIER ::= { blake2s 7 }
id-blake2s256 OBJECT IDENTIFIER ::= { blake2s 8 }
5. Security Considerations
This document is intended to provide convenient open-source access by
the Internet community to the BLAKE2 cryptographic hash algorithm.
We wish to make no independent assertion to its security in this
document. We refer the reader to [BLAKE] and [BLAKE2] for detailed
cryptanalytic rationale behind its design.
In order to avoid bloat, the reference implementations in Appendices
C and D may not erase all sensitive data (such as secret keys)
immediately from process memory after use. Such cleanup can be added
if needed.
6. References
6.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
6.2. Informative References
[BLAKE] Aumasson, J-P., Meier, W., Phan, R., and L. Henzen, "The
Hash Function BLAKE", January 2015,
<https://131002.net/blake/book>.
[BLAKE2] Aumasson, J-P., Neves, S., Wilcox-O'Hearn, Z., and C.
Winnerlein, "BLAKE2: simpler, smaller, fast as MD5",
January 2013, <https://blake2.net/blake2.pdf>.
[FIPS140-2IG]
NIST, "Implementation Guidance for FIPS PUB 140-2 and the
Cryptographic Module Validation Program", September 2015,
<http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/
FIPS1402IG.pdf/>.
[RFC6151] Turner, S. and L. Chen, "Updated Security Considerations
for the MD5 Message-Digest and the HMAC-MD5 Algorithms",
RFC 6151, DOI 10.17487/RFC6151, March 2011,
<http://www.rfc-editor.org/info/rfc6151>.
Saarinen & Aumasson Informational [Page 11]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
[RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234,
DOI 10.17487/RFC6234, May 2011,
<http://www.rfc-editor.org/info/rfc6234>.
Saarinen & Aumasson Informational [Page 12]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
Appendix A. Example of BLAKE2b Computation
We compute the unkeyed hash of three ASCII bytes "abc" with
BLAKE2b-512 and show internal values during computation.
m[16] = 0000000000636261 0000000000000000 0000000000000000
0000000000000000 0000000000000000 0000000000000000
0000000000000000 0000000000000000 0000000000000000
0000000000000000 0000000000000000 0000000000000000
0000000000000000 0000000000000000 0000000000000000
0000000000000000
(i= 0) v[16] = 6A09E667F2BDC948 BB67AE8584CAA73B 3C6EF372FE94F82B
A54FF53A5F1D36F1 510E527FADE682D1 9B05688C2B3E6C1F
1F83D9ABFB41BD6B 5BE0CD19137E2179 6A09E667F3BCC908
BB67AE8584CAA73B 3C6EF372FE94F82B A54FF53A5F1D36F1
510E527FADE682D2 9B05688C2B3E6C1F E07C265404BE4294
5BE0CD19137E2179
(i= 1) v[16] = 86B7C1568029BB79 C12CBCC809FF59F3 C6A5214CC0EACA8E
0C87CD524C14CC5D 44EE6039BD86A9F7 A447C850AA694A7E
DE080F1BB1C0F84B 595CB8A9A1ACA66C BEC3AE837EAC4887
6267FC79DF9D6AD1 FA87B01273FA6DBE 521A715C63E08D8A
E02D0975B8D37A83 1C7B754F08B7D193 8F885A76B6E578FE
2318A24E2140FC64
(i= 2) v[16] = 53281E83806010F2 3594B403F81B4393 8CD63C7462DE0DFF
85F693F3DA53F974 BAABDBB2F386D9AE CA5425AEC65A10A8
C6A22E2FF0F7AA48 C6A56A51CB89C595 224E6A3369224F96
500E125E58A92923 E9E4AD0D0E1A0D48 85DF9DC143C59A74
92A3AAAA6D952B7F C5FDF71090FAE853 2A8A40F15A462DD0
572D17EFFDD37358
(i= 3) v[16] = 60ED96AA7AD41725 E46A743C71800B9D 1A04B543A01F156B
A2F8716E775C4877 DA0A61BCDE4267EA B1DD230754D7BDEE
25A1422779E06D14 E6823AE4C3FF58A5 A1677E19F37FD5DA
22BDCE6976B08C51 F1DE8696BEC11BF1 A0EBD586A4A1D2C8
C804EBAB11C99FA9 8E0CEC959C715793 7C45557FAE0D4D89
716343F52FDD265E
(i= 4) v[16] = BB2A77D3A8382351 45EB47971F23B103 98BE297F6E45C684
A36077DEE3370B89 8A03C4CB7E97590A 24192E49EBF54EA0
4F82C9401CB32D7A 8CCD013726420DC4 A9C9A8F17B1FC614
55908187977514A0 5B44273E66B19D27 B6D5C9FCA2579327
086092CFB858437E 5C4BE2156DBEECF9 2EFEDE99ED4EFF16
3E7B5F234CD1F804
Saarinen & Aumasson Informational [Page 13]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
(i= 5) v[16] = C79C15B3D423B099 2DA2224E8DA97556 77D2B26DF1C45C55
8934EB09A3456052 0F6D9EEED157DA2A 6FE66467AF88C0A9
4EB0B76284C7AAFB 299C8E725D954697 B2240B59E6D567D3
2643C2370E49EBFD 79E02EEF20CDB1AE 64B3EED7BB602F39
B97D2D439E4DF63D C718E755294C9111 1F0893F2772BB373
1205EA4A7859807D
(i= 6) v[16] = E58F97D6385BAEE4 7640AA9764DA137A DEB4C7C23EFE287E
70F6F41C8783C9F6 7127CD48C76A7708 9E472AF0BE3DB3F6
0F244C62DDF71788 219828AA83880842 41CCA9073C8C4D0D
5C7912BC10DF3B4B A2C3ABBD37510EE2 CB5668CC2A9F7859
8733794F07AC1500 C67A6BE42335AA6F ACB22B28681E4C82
DB2161604CBC9828
(i= 7) v[16] = 6E2D286EEADEDC81 BCF02C0787E86358 57D56A56DD015EDF
55D899D40A5D0D0A 819415B56220C459 B63C479A6A769F02
258E55E0EC1F362A 3A3B4EC60E19DFDC 04D769B3FCB048DB
B78A9A33E9BFF4DD 5777272AE1E930C0 5A387849E578DBF6
92AAC307CF2C0AFC 30AACCC4F06DAFAA 483893CC094F8863
E03C6CC89C26BF92
(i= 8) v[16] = FFC83ECE76024D01 1BE7BFFB8C5CC5F9 A35A18CBAC4C65B7
B7C2C7E6D88C285F 81937DA314A50838 E1179523A2541963
3A1FAD7106232B8F 1C7EDE92AB8B9C46 A3C2D35E4F685C10
A53D3F73AA619624 30BBCC0285A22F65 BCEFBB6A81539E5D
3841DEF6F4C9848A 98662C85FBA726D4 7762439BD5A851BD
B0B9F0D443D1A889
(i= 9) v[16] = 753A70A1E8FAEADD 6B0D43CA2C25D629 F8343BA8B94F8C0B
BC7D062B0DB5CF35 58540EE1B1AEBC47 63C5B9B80D294CB9
490870ECAD27DEBD B2A90DDF667287FE 316CC9EBEEFAD8FC
4A466BCD021526A4 5DA7F7638CEC5669 D9C8826727D306FC
88ED6C4F3BD7A537 19AE688DDF67F026 4D8707AAB40F7E6D
FD3F572687FEA4F1
(i=10) v[16] = E630C747CCD59C4F BC713D41127571CA 46DB183025025078
6727E81260610140 2D04185EAC2A8CBA 5F311B88904056EC
40BD313009201AAB 0099D4F82A2A1EAB 6DD4FBC1DE60165D
B3B0B51DE3C86270 900AEE2F233B08E5 A07199D87AD058D8
2C6B25593D717852 37E8CA471BEAA5F8 2CFC1BAC10EF4457
01369EC18746E775
(i=11) v[16] = E801F73B9768C760 35C6D22320BE511D 306F27584F65495E
B51776ADF569A77B F4F1BE86690B3C34 3CC88735D1475E4B
5DAC67921FF76949 1CDB9D31AD70CC4E 35BA354A9C7DF448
4929CBE45679D73E 733D1A17248F39DB 92D57B736F5F170A
61B5C0A41D491399 B5C333457E12844A BD696BE010D0D889
02231E1A917FE0BD
Saarinen & Aumasson Informational [Page 14]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
(i=12) v[16] = 12EF8A641EC4F6D6 BCED5DE977C9FAF5 733CA476C5148639
97DF596B0610F6FC F42C16519AD5AFA7 AA5AC1888E10467E
217D930AA51787F3 906A6FF19E573942 75AB709BD3DCBF24
EE7CE1F345947AA4 F8960D6C2FAF5F5E E332538A36B6D246
885BEF040EF6AA0B A4939A417BFB78A3 646CBB7AF6DCE980
E813A23C60AF3B82
h[8] = 0D4D1C983FA580BA E9F6129FB697276A B7C45A68142F214C
D1A2FFDB6FBB124B 2D79AB2A39C5877D 95CC3345DED552C2
5A92F1DBA88AD318 239900D4ED8623B9
BLAKE2b-512("abc") = BA 80 A5 3F 98 1C 4D 0D 6A 27 97 B6 9F 12 F6 E9
4C 21 2F 14 68 5A C4 B7 4B 12 BB 6F DB FF A2 D1
7D 87 C5 39 2A AB 79 2D C2 52 D5 DE 45 33 CC 95
18 D3 8A A8 DB F1 92 5A B9 23 86 ED D4 00 99 23
Appendix B. Example of BLAKE2s Computation
We compute the unkeyed hash of three ASCII bytes "abc" with
BLAKE2s-256 and show internal values during computation.
m[16] = 00636261 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000
(i=0) v[16] = 6B08E647 BB67AE85 3C6EF372 A54FF53A 510E527F 9B05688C
1F83D9AB 5BE0CD19 6A09E667 BB67AE85 3C6EF372 A54FF53A
510E527C 9B05688C E07C2654 5BE0CD19
(i=1) v[16] = 16A3242E D7B5E238 CE8CE24B 927AEDE1 A7B430D9 93A4A14E
A44E7C31 41D4759B 95BF33D3 9A99C181 608A3A6B B666383E
7A8DD50F BE378ED7 353D1EE6 3BB44C6B
(i=2) v[16] = 3AE30FE3 0982A96B E88185B4 3E339B16 F24338CD 0E66D326
E005ED0C D591A277 180B1F3A FCF43914 30DB62D6 4847831C
7F00C58E FB847886 C544E836 524AB0E2
(i=3) v[16] = 7A3BE783 997546C1 D45246DF EDB5F821 7F98A742 10E864E2
D4AB70D0 C63CB1AB 6038DA9E 414594B0 F2C218B5 8DA0DCB7
D7CD7AF5 AB4909DF 85031A52 C4EDFC98
(i=4) v[16] = 2A8B8CB7 1ACA82B2 14045D7F CC7258ED 383CF67C E090E7F9
3025D276 57D04DE4 994BACF0 F0982759 F17EE300 D48FC2D5
DC854C10 523898A9 C03A0F89 47D6CD88
(i=5) v[16] = C4AA2DDB 111343A3 D54A700A 574A00A9 857D5A48 B1E11989
6F5C52DF DD2C53A3 678E5F8E 9718D4E9 622CB684 92976076
0E41A517 359DC2BE 87A87DDD 643F9CEC
Saarinen & Aumasson Informational [Page 15]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
(i=6) v[16] = 3453921C D7595EE1 592E776D 3ED6A974 4D997CB3 DE9212C3
35ADF5C9 9916FD65 96562E89 4EAD0792 EBFC2712 2385F5B2
F34600FB D7BC20FB EB452A7B ECE1AA40
(i=7) v[16] = BE851B2D A85F6358 81E6FC3B 0BB28000 FA55A33A 87BE1FAD
4119370F 1E2261AA A1318FD3 F4329816 071783C2 6E536A8D
9A81A601 E7EC80F1 ACC09948 F849A584
(i=8) v[16] = 07E5B85A 069CC164 F9DE3141 A56F4680 9E440AD2 9AB659EA
3C84B971 21DBD9CF 46699F8C 765257EC AF1D998C 75E4C3B6
523878DC 30715015 397FEE81 4F1FA799
(i=9) v[16] = 435148C4 A5AA2D11 4B354173 D543BC9E BDA2591C BF1D2569
4FCB3120 707ADA48 565B3FDE 32C9C916 EAF4A1AB B1018F28
8078D978 68ADE4B5 9778FDA3 2863B92E
(i=10) v[16] = D9C994AA CFEC3AA6 700D0AB2 2C38670E AF6A1F66 1D023EF3
1D9EC27D 945357A5 3E9FFEBD 969FE811 EF485E21 A632797A
DEEF082E AF3D80E1 4E86829B 4DEAFD3A
h[8] = 8C5E8C50 E2147C32 A32BA7E1 2F45EB4E 208B4537 293AD69E
4C9B994D 82596786
BLAKE2s-256("abc") = 50 8C 5E 8C 32 7C 14 E2 E1 A7 2B A3 4E EB 45 2F
37 45 8B 20 9E D6 3A 29 4D 99 9B 4C 86 67 59 82
Appendix C. BLAKE2b Implementation C Source
C.1. blake2b.h
<CODE BEGINS>
// blake2b.h
// BLAKE2b Hashing Context and API Prototypes
#ifndef BLAKE2B_H
#define BLAKE2B_H
#include <stdint.h>
#include <stddef.h>
// state context
typedef struct {
uint8_t b[128]; // input buffer
uint64_t h[8]; // chained state
uint64_t t[2]; // total number of bytes
size_t c; // pointer for b[]
size_t outlen; // digest size
} blake2b_ctx;
Saarinen & Aumasson Informational [Page 16]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
// Initialize the hashing context "ctx" with optional key "key".
// 1 <= outlen <= 64 gives the digest size in bytes.
// Secret key (also <= 64 bytes) is optional (keylen = 0).
int blake2b_init(blake2b_ctx *ctx, size_t outlen,
const void *key, size_t keylen); // secret key
// Add "inlen" bytes from "in" into the hash.
void blake2b_update(blake2b_ctx *ctx, // context
const void *in, size_t inlen); // data to be hashed
// Generate the message digest (size given in init).
// Result placed in "out".
void blake2b_final(blake2b_ctx *ctx, void *out);
// All-in-one convenience function.
int blake2b(void *out, size_t outlen, // return buffer for digest
const void *key, size_t keylen, // optional secret key
const void *in, size_t inlen); // data to be hashed
#endif
<CODE ENDS>
C.2. blake2b.c
<CODE BEGINS>
// blake2b.c
// A simple BLAKE2b Reference Implementation.
#include "blake2b.h"
// Cyclic right rotation.
#ifndef ROTR64
#define ROTR64(x, y) (((x) >> (y)) ^ ((x) << (64 - (y))))
#endif
// Little-endian byte access.
#define B2B_GET64(p) \
(((uint64_t) ((uint8_t *) (p))[0]) ^ \
(((uint64_t) ((uint8_t *) (p))[1]) << 8) ^ \
(((uint64_t) ((uint8_t *) (p))[2]) << 16) ^ \
(((uint64_t) ((uint8_t *) (p))[3]) << 24) ^ \
(((uint64_t) ((uint8_t *) (p))[4]) << 32) ^ \
(((uint64_t) ((uint8_t *) (p))[5]) << 40) ^ \
(((uint64_t) ((uint8_t *) (p))[6]) << 48) ^ \
(((uint64_t) ((uint8_t *) (p))[7]) << 56))
Saarinen & Aumasson Informational [Page 17]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
// G Mixing function.
#define B2B_G(a, b, c, d, x, y) { \
v[a] = v[a] + v[b] + x; \
v[d] = ROTR64(v[d] ^ v[a], 32); \
v[c] = v[c] + v[d]; \
v[b] = ROTR64(v[b] ^ v[c], 24); \
v[a] = v[a] + v[b] + y; \
v[d] = ROTR64(v[d] ^ v[a], 16); \
v[c] = v[c] + v[d]; \
v[b] = ROTR64(v[b] ^ v[c], 63); }
// Initialization Vector.
static const uint64_t blake2b_iv[8] = {
0x6A09E667F3BCC908, 0xBB67AE8584CAA73B,
0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1,
0x510E527FADE682D1, 0x9B05688C2B3E6C1F,
0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179
};
// Compression function. "last" flag indicates last block.
static void blake2b_compress(blake2b_ctx *ctx, int last)
{
const uint8_t sigma[12][16] = {
{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
{ 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
{ 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
{ 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
{ 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
{ 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
{ 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
{ 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
{ 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
{ 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
{ 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
};
int i;
uint64_t v[16], m[16];
for (i = 0; i < 8; i++) { // init work variables
v[i] = ctx->h[i];
v[i + 8] = blake2b_iv[i];
}
Saarinen & Aumasson Informational [Page 18]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
v[12] ^= ctx->t[0]; // low 64 bits of offset
v[13] ^= ctx->t[1]; // high 64 bits
if (last) // last block flag set ?
v[14] = ~v[14];
for (i = 0; i < 16; i++) // get little-endian words
m[i] = B2B_GET64(&ctx->b[8 * i]);
for (i = 0; i < 12; i++) { // twelve rounds
B2B_G( 0, 4, 8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]);
B2B_G( 1, 5, 9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]);
B2B_G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]);
B2B_G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]);
B2B_G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]);
B2B_G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]);
B2B_G( 2, 7, 8, 13, m[sigma[i][12]], m[sigma[i][13]]);
B2B_G( 3, 4, 9, 14, m[sigma[i][14]], m[sigma[i][15]]);
}
for( i = 0; i < 8; ++i )
ctx->h[i] ^= v[i] ^ v[i + 8];
}
// Initialize the hashing context "ctx" with optional key "key".
// 1 <= outlen <= 64 gives the digest size in bytes.
// Secret key (also <= 64 bytes) is optional (keylen = 0).
int blake2b_init(blake2b_ctx *ctx, size_t outlen,
const void *key, size_t keylen) // (keylen=0: no key)
{
size_t i;
if (outlen == 0 || outlen > 64 || keylen > 64)
return -1; // illegal parameters
for (i = 0; i < 8; i++) // state, "param block"
ctx->h[i] = blake2b_iv[i];
ctx->h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen;
ctx->t[0] = 0; // input count low word
ctx->t[1] = 0; // input count high word
ctx->c = 0; // pointer within buffer
ctx->outlen = outlen;
Saarinen & Aumasson Informational [Page 19]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
for (i = keylen; i < 128; i++) // zero input block
ctx->b[i] = 0;
if (keylen > 0) {
blake2b_update(ctx, key, keylen);
ctx->c = 128; // at the end
}
return 0;
}
// Add "inlen" bytes from "in" into the hash.
void blake2b_update(blake2b_ctx *ctx,
const void *in, size_t inlen) // data bytes
{
size_t i;
for (i = 0; i < inlen; i++) {
if (ctx->c == 128) { // buffer full ?
ctx->t[0] += ctx->c; // add counters
if (ctx->t[0] < ctx->c) // carry overflow ?
ctx->t[1]++; // high word
blake2b_compress(ctx, 0); // compress (not last)
ctx->c = 0; // counter to zero
}
ctx->b[ctx->c++] = ((const uint8_t *) in)[i];
}
}
// Generate the message digest (size given in init).
// Result placed in "out".
void blake2b_final(blake2b_ctx *ctx, void *out)
{
size_t i;
ctx->t[0] += ctx->c; // mark last block offset
if (ctx->t[0] < ctx->c) // carry overflow
ctx->t[1]++; // high word
while (ctx->c < 128) // fill up with zeros
ctx->b[ctx->c++] = 0;
blake2b_compress(ctx, 1); // final block flag = 1
Saarinen & Aumasson Informational [Page 20]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
// little endian convert and store
for (i = 0; i < ctx->outlen; i++) {
((uint8_t *) out)[i] =
(ctx->h[i >> 3] >> (8 * (i & 7))) & 0xFF;
}
}
// Convenience function for all-in-one computation.
int blake2b(void *out, size_t outlen,
const void *key, size_t keylen,
const void *in, size_t inlen)
{
blake2b_ctx ctx;
if (blake2b_init(&ctx, outlen, key, keylen))
return -1;
blake2b_update(&ctx, in, inlen);
blake2b_final(&ctx, out);
return 0;
}
<CODE ENDS>
Appendix D. BLAKE2s Implementation C Source
D.1. blake2s.h
<CODE BEGINS>
// blake2s.h
// BLAKE2s Hashing Context and API Prototypes
#ifndef BLAKE2S_H
#define BLAKE2S_H
#include <stdint.h>
#include <stddef.h>
// state context
typedef struct {
uint8_t b[64]; // input buffer
uint32_t h[8]; // chained state
uint32_t t[2]; // total number of bytes
size_t c; // pointer for b[]
size_t outlen; // digest size
} blake2s_ctx;
Saarinen & Aumasson Informational [Page 21]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
// Initialize the hashing context "ctx" with optional key "key".
// 1 <= outlen <= 32 gives the digest size in bytes.
// Secret key (also <= 32 bytes) is optional (keylen = 0).
int blake2s_init(blake2s_ctx *ctx, size_t outlen,
const void *key, size_t keylen); // secret key
// Add "inlen" bytes from "in" into the hash.
void blake2s_update(blake2s_ctx *ctx, // context
const void *in, size_t inlen); // data to be hashed
// Generate the message digest (size given in init).
// Result placed in "out".
void blake2s_final(blake2s_ctx *ctx, void *out);
// All-in-one convenience function.
int blake2s(void *out, size_t outlen, // return buffer for digest
const void *key, size_t keylen, // optional secret key
const void *in, size_t inlen); // data to be hashed
#endif
<CODE ENDS>
D.2. blake2s.c
<CODE BEGINS>
// blake2s.c
// A simple blake2s Reference Implementation.
#include "blake2s.h"
// Cyclic right rotation.
#ifndef ROTR32
#define ROTR32(x, y) (((x) >> (y)) ^ ((x) << (32 - (y))))
#endif
// Little-endian byte access.
#define B2S_GET32(p) \
(((uint32_t) ((uint8_t *) (p))[0]) ^ \
(((uint32_t) ((uint8_t *) (p))[1]) << 8) ^ \
(((uint32_t) ((uint8_t *) (p))[2]) << 16) ^ \
(((uint32_t) ((uint8_t *) (p))[3]) << 24))
Saarinen & Aumasson Informational [Page 22]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
// Mixing function G.
#define B2S_G(a, b, c, d, x, y) { \
v[a] = v[a] + v[b] + x; \
v[d] = ROTR32(v[d] ^ v[a], 16); \
v[c] = v[c] + v[d]; \
v[b] = ROTR32(v[b] ^ v[c], 12); \
v[a] = v[a] + v[b] + y; \
v[d] = ROTR32(v[d] ^ v[a], 8); \
v[c] = v[c] + v[d]; \
v[b] = ROTR32(v[b] ^ v[c], 7); }
// Initialization Vector.
static const uint32_t blake2s_iv[8] =
{
0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19
};
// Compression function. "last" flag indicates last block.
static void blake2s_compress(blake2s_ctx *ctx, int last)
{
const uint8_t sigma[10][16] = {
{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
{ 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
{ 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
{ 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
{ 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
{ 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
{ 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
{ 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
{ 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
{ 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }
};
int i;
uint32_t v[16], m[16];
for (i = 0; i < 8; i++) { // init work variables
v[i] = ctx->h[i];
v[i + 8] = blake2s_iv[i];
}
v[12] ^= ctx->t[0]; // low 32 bits of offset
v[13] ^= ctx->t[1]; // high 32 bits
if (last) // last block flag set ?
v[14] = ~v[14];
Saarinen & Aumasson Informational [Page 23]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
for (i = 0; i < 16; i++) // get little-endian words
m[i] = B2S_GET32(&ctx->b[4 * i]);
for (i = 0; i < 10; i++) { // ten rounds
B2S_G( 0, 4, 8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]);
B2S_G( 1, 5, 9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]);
B2S_G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]);
B2S_G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]);
B2S_G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]);
B2S_G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]);
B2S_G( 2, 7, 8, 13, m[sigma[i][12]], m[sigma[i][13]]);
B2S_G( 3, 4, 9, 14, m[sigma[i][14]], m[sigma[i][15]]);
}
for( i = 0; i < 8; ++i )
ctx->h[i] ^= v[i] ^ v[i + 8];
}
// Initialize the hashing context "ctx" with optional key "key".
// 1 <= outlen <= 32 gives the digest size in bytes.
// Secret key (also <= 32 bytes) is optional (keylen = 0).
int blake2s_init(blake2s_ctx *ctx, size_t outlen,
const void *key, size_t keylen) // (keylen=0: no key)
{
size_t i;
if (outlen == 0 || outlen > 32 || keylen > 32)
return -1; // illegal parameters
for (i = 0; i < 8; i++) // state, "param block"
ctx->h[i] = blake2s_iv[i];
ctx->h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen;
ctx->t[0] = 0; // input count low word
ctx->t[1] = 0; // input count high word
ctx->c = 0; // pointer within buffer
ctx->outlen = outlen;
for (i = keylen; i < 64; i++) // zero input block
ctx->b[i] = 0;
if (keylen > 0) {
blake2s_update(ctx, key, keylen);
ctx->c = 64; // at the end
}
return 0;
}
Saarinen & Aumasson Informational [Page 24]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
// Add "inlen" bytes from "in" into the hash.
void blake2s_update(blake2s_ctx *ctx,
const void *in, size_t inlen) // data bytes
{
size_t i;
for (i = 0; i < inlen; i++) {
if (ctx->c == 64) { // buffer full ?
ctx->t[0] += ctx->c; // add counters
if (ctx->t[0] < ctx->c) // carry overflow ?
ctx->t[1]++; // high word
blake2s_compress(ctx, 0); // compress (not last)
ctx->c = 0; // counter to zero
}
ctx->b[ctx->c++] = ((const uint8_t *) in)[i];
}
}
// Generate the message digest (size given in init).
// Result placed in "out".
void blake2s_final(blake2s_ctx *ctx, void *out)
{
size_t i;
ctx->t[0] += ctx->c; // mark last block offset
if (ctx->t[0] < ctx->c) // carry overflow
ctx->t[1]++; // high word
while (ctx->c < 64) // fill up with zeros
ctx->b[ctx->c++] = 0;
blake2s_compress(ctx, 1); // final block flag = 1
// little endian convert and store
for (i = 0; i < ctx->outlen; i++) {
((uint8_t *) out)[i] =
(ctx->h[i >> 2] >> (8 * (i & 3))) & 0xFF;
}
}
// Convenience function for all-in-one computation.
int blake2s(void *out, size_t outlen,
const void *key, size_t keylen,
const void *in, size_t inlen)
{
blake2s_ctx ctx;
Saarinen & Aumasson Informational [Page 25]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
if (blake2s_init(&ctx, outlen, key, keylen))
return -1;
blake2s_update(&ctx, in, inlen);
blake2s_final(&ctx, out);
return 0;
}
<CODE ENDS>
Appendix E. BLAKE2b and BLAKE2s Self-Test Module C Source
This module computes a series of keyed and unkeyed hashes from
deterministically generated pseudorandom data and computes a hash
over those results. This is a fairly exhaustive, yet compact and
fast method for verifying that the hashing module is functioning
correctly.
Such testing is RECOMMENDED, especially when compiling the
implementation for a new a target platform configuration.
Furthermore, some security standards, such as FIPS-140, may require a
Power-On Self Test (POST) to be performed every time the
cryptographic module is loaded [FIPS140-2IG].
<CODE BEGINS>
// test_main.c
// Self test Modules for BLAKE2b and BLAKE2s -- and a stub main().
#include <stdio.h>
#include "blake2b.h"
#include "blake2s.h"
// Deterministic sequences (Fibonacci generator).
static void selftest_seq(uint8_t *out, size_t len, uint32_t seed)
{
size_t i;
uint32_t t, a , b;
a = 0xDEAD4BAD * seed; // prime
b = 1;
for (i = 0; i < len; i++) { // fill the buf
t = a + b;
a = b;
b = t;
out[i] = (t >> 24) & 0xFF;
}
Saarinen & Aumasson Informational [Page 26]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
}
// BLAKE2b self-test validation. Return 0 when OK.
int blake2b_selftest()
{
// grand hash of hash results
const uint8_t blake2b_res[32] = {
0xC2, 0x3A, 0x78, 0x00, 0xD9, 0x81, 0x23, 0xBD,
0x10, 0xF5, 0x06, 0xC6, 0x1E, 0x29, 0xDA, 0x56,
0x03, 0xD7, 0x63, 0xB8, 0xBB, 0xAD, 0x2E, 0x73,
0x7F, 0x5E, 0x76, 0x5A, 0x7B, 0xCC, 0xD4, 0x75
};
// parameter sets
const size_t b2b_md_len[4] = { 20, 32, 48, 64 };
const size_t b2b_in_len[6] = { 0, 3, 128, 129, 255, 1024 };
size_t i, j, outlen, inlen;
uint8_t in[1024], md[64], key[64];
blake2b_ctx ctx;
// 256-bit hash for testing
if (blake2b_init(&ctx, 32, NULL, 0))
return -1;
for (i = 0; i < 4; i++) {
outlen = b2b_md_len[i];
for (j = 0; j < 6; j++) {
inlen = b2b_in_len[j];
selftest_seq(in, inlen, inlen); // unkeyed hash
blake2b(md, outlen, NULL, 0, in, inlen);
blake2b_update(&ctx, md, outlen); // hash the hash
selftest_seq(key, outlen, outlen); // keyed hash
blake2b(md, outlen, key, outlen, in, inlen);
blake2b_update(&ctx, md, outlen); // hash the hash
}
}
// compute and compare the hash of hashes
blake2b_final(&ctx, md);
for (i = 0; i < 32; i++) {
if (md[i] != blake2b_res[i])
return -1;
}
return 0;
Saarinen & Aumasson Informational [Page 27]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
}
// BLAKE2s self-test validation. Return 0 when OK.
int blake2s_selftest()
{
// Grand hash of hash results.
const uint8_t blake2s_res[32] = {
0x6A, 0x41, 0x1F, 0x08, 0xCE, 0x25, 0xAD, 0xCD,
0xFB, 0x02, 0xAB, 0xA6, 0x41, 0x45, 0x1C, 0xEC,
0x53, 0xC5, 0x98, 0xB2, 0x4F, 0x4F, 0xC7, 0x87,
0xFB, 0xDC, 0x88, 0x79, 0x7F, 0x4C, 0x1D, 0xFE
};
// Parameter sets.
const size_t b2s_md_len[4] = { 16, 20, 28, 32 };
const size_t b2s_in_len[6] = { 0, 3, 64, 65, 255, 1024 };
size_t i, j, outlen, inlen;
uint8_t in[1024], md[32], key[32];
blake2s_ctx ctx;
// 256-bit hash for testing.
if (blake2s_init(&ctx, 32, NULL, 0))
return -1;
for (i = 0; i < 4; i++) {
outlen = b2s_md_len[i];
for (j = 0; j < 6; j++) {
inlen = b2s_in_len[j];
selftest_seq(in, inlen, inlen); // unkeyed hash
blake2s(md, outlen, NULL, 0, in, inlen);
blake2s_update(&ctx, md, outlen); // hash the hash
selftest_seq(key, outlen, outlen); // keyed hash
blake2s(md, outlen, key, outlen, in, inlen);
blake2s_update(&ctx, md, outlen); // hash the hash
}
}
// Compute and compare the hash of hashes.
blake2s_final(&ctx, md);
for (i = 0; i < 32; i++) {
if (md[i] != blake2s_res[i])
return -1;
}
return 0;
Saarinen & Aumasson Informational [Page 28]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
}
// Test driver.
int main(int argc, char **argv)
{
printf("blake2b_selftest() = %s\n",
blake2b_selftest() ? "FAIL" : "OK");
printf("blake2s_selftest() = %s\n",
blake2s_selftest() ? "FAIL" : "OK");
return 0;
}
<CODE ENDS>
Acknowledgements
The editor wishes to thank the [BLAKE2] team for their encouragement:
Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and
Christian Winnerlein. We have borrowed passages from [BLAKE] and
[BLAKE2] with permission.
[BLAKE2] is based on the SHA-3 proposal [BLAKE], designed by Jean-
Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan.
BLAKE2, like BLAKE, relies on a core algorithm borrowed from the
ChaCha stream cipher, designed by Daniel J. Bernstein.
Saarinen & Aumasson Informational [Page 29]
RFC 7693 BLAKE2 Crypto Hash and MAC November 2015
Authors' Addresses
Markku-Juhani O. Saarinen (editor)
Queen's University Belfast
Centre for Secure Information Technologies, ECIT
Northern Ireland Science Park
Queen's Road, Queen's Island
Belfast BT3 9DT
United Kingdom
Email: m.saarinen@qub.ac.uk
URI: http://www.csit.qub.ac.uk
Jean-Philippe Aumasson
Kudelski Security
22-24, Route de Geneve
Case Postale 134
Cheseaux 1033
Switzerland
Email: jean-philippe.aumasson@nagra.com
URI: https://www.kudelskisecurity.com
Saarinen & Aumasson Informational [Page 30]