├── README.md ├── Makefile ├── blake2b.h ├── blake2s.h ├── test_main.c ├── blake2s.c ├── blake2b.c ├── LICENSE └── rfc7693.txt /README.md: -------------------------------------------------------------------------------- 1 | # blake2_mjosref 2 | 3 | 29-Jan-15 Markku-Juhani O. Saarinen 4 | 5 | This is just an another -- somewhat smaller -- implementation of BLAKE2, 6 | written while working on the RFC text. Some stuff regarding parameter 7 | handling has been simplified. The API is little different from the 8 | original Reference implementation (after consultation with BLAKE2 authors). 9 | 10 | See [blake2.net](https://blake2.net) for more information. 11 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # Makefile 2 | # 25-Jan-15 Markku-Juhani O. Saarinen 3 | 4 | DIST = blake2_mjosref 5 | BIN = xb2test 6 | OBJS = blake2b.o blake2s.o test_main.o 7 | 8 | CC = gcc 9 | CFLAGS = -Wall -O 10 | LIBS = 11 | LDFLAGS = 12 | INCS = 13 | 14 | $(BIN): $(OBJS) 15 | $(CC) $(LDFLAGS) -o $(BIN) $(OBJS) $(LIBS) 16 | 17 | .c.o: 18 | $(CC) $(CFLAGS) $(INCS) -c $< -o $@ 19 | 20 | clean: 21 | rm -f $(DIST)-*.t?z $(OBJS) $(BIN) *~ 22 | 23 | dist: clean 24 | cd ..; \ 25 | tar cfvJ $(DIST)/$(DIST)-`date "+%Y%m%d%H%M00"`.txz $(DIST)/* 26 | -------------------------------------------------------------------------------- /blake2b.h: -------------------------------------------------------------------------------- 1 | // blake2b.h 2 | // BLAKE2b Hashing Context and API Prototypes 3 | 4 | #ifndef BLAKE2B_H 5 | #define BLAKE2B_H 6 | 7 | #include 8 | #include 9 | 10 | // state context 11 | typedef struct { 12 | uint8_t b[128]; // input buffer 13 | uint64_t h[8]; // chained state 14 | uint64_t t[2]; // total number of bytes 15 | size_t c; // pointer for b[] 16 | size_t outlen; // digest size 17 | } blake2b_ctx; 18 | 19 | // Initialize the hashing context "ctx" with optional key "key". 20 | // 1 <= outlen <= 64 gives the digest size in bytes. 21 | // Secret key (also <= 64 bytes) is optional (keylen = 0). 22 | int blake2b_init(blake2b_ctx *ctx, size_t outlen, 23 | const void *key, size_t keylen); // secret key 24 | 25 | // Add "inlen" bytes from "in" into the hash. 26 | void blake2b_update(blake2b_ctx *ctx, // context 27 | const void *in, size_t inlen); // data to be hashed 28 | 29 | // Generate the message digest (size given in init). 30 | // Result placed in "out". 31 | void blake2b_final(blake2b_ctx *ctx, void *out); 32 | 33 | // All-in-one convenience function. 34 | int blake2b(void *out, size_t outlen, // return buffer for digest 35 | const void *key, size_t keylen, // optional secret key 36 | const void *in, size_t inlen); // data to be hashed 37 | 38 | #endif 39 | 40 | -------------------------------------------------------------------------------- /blake2s.h: -------------------------------------------------------------------------------- 1 | // blake2s.h 2 | // BLAKE2s Hashing Context and API Prototypes 3 | 4 | #ifndef BLAKE2S_H 5 | #define BLAKE2S_H 6 | 7 | #include 8 | #include 9 | 10 | // state context 11 | typedef struct { 12 | uint8_t b[64]; // input buffer 13 | uint32_t h[8]; // chained state 14 | uint32_t t[2]; // total number of bytes 15 | size_t c; // pointer for b[] 16 | size_t outlen; // digest size 17 | } blake2s_ctx; 18 | 19 | // Initialize the hashing context "ctx" with optional key "key". 20 | // 1 <= outlen <= 32 gives the digest size in bytes. 21 | // Secret key (also <= 32 bytes) is optional (keylen = 0). 22 | int blake2s_init(blake2s_ctx *ctx, size_t outlen, 23 | const void *key, size_t keylen); // secret key 24 | 25 | // Add "inlen" bytes from "in" into the hash. 26 | void blake2s_update(blake2s_ctx *ctx, // context 27 | const void *in, size_t inlen); // data to be hashed 28 | 29 | // Generate the message digest (size given in init). 30 | // Result placed in "out". 31 | void blake2s_final(blake2s_ctx *ctx, void *out); 32 | 33 | // All-in-one convenience function. 34 | int blake2s(void *out, size_t outlen, // return buffer for digest 35 | const void *key, size_t keylen, // optional secret key 36 | const void *in, size_t inlen); // data to be hashed 37 | 38 | #endif 39 | 40 | -------------------------------------------------------------------------------- /test_main.c: -------------------------------------------------------------------------------- 1 | // test_main.c 2 | // Self test Modules for BLAKE2b and BLAKE2s -- and a stub main(). 3 | 4 | #include 5 | 6 | #include "blake2b.h" 7 | #include "blake2s.h" 8 | 9 | // Deterministic sequences (Fibonacci generator). 10 | 11 | static void selftest_seq(uint8_t *out, size_t len, uint32_t seed) 12 | { 13 | size_t i; 14 | uint32_t t, a , b; 15 | 16 | a = 0xDEAD4BAD * seed; // prime 17 | b = 1; 18 | 19 | for (i = 0; i < len; i++) { // fill the buf 20 | t = a + b; 21 | a = b; 22 | b = t; 23 | out[i] = (t >> 24) & 0xFF; 24 | } 25 | } 26 | 27 | // BLAKE2b self-test validation. Return 0 when OK. 28 | 29 | int blake2b_selftest() 30 | { 31 | // grand hash of hash results 32 | const uint8_t blake2b_res[32] = { 33 | 0xC2, 0x3A, 0x78, 0x00, 0xD9, 0x81, 0x23, 0xBD, 34 | 0x10, 0xF5, 0x06, 0xC6, 0x1E, 0x29, 0xDA, 0x56, 35 | 0x03, 0xD7, 0x63, 0xB8, 0xBB, 0xAD, 0x2E, 0x73, 36 | 0x7F, 0x5E, 0x76, 0x5A, 0x7B, 0xCC, 0xD4, 0x75 37 | }; 38 | // parameter sets 39 | const size_t b2b_md_len[4] = { 20, 32, 48, 64 }; 40 | const size_t b2b_in_len[6] = { 0, 3, 128, 129, 255, 1024 }; 41 | 42 | size_t i, j, outlen, inlen; 43 | uint8_t in[1024], md[64], key[64]; 44 | blake2b_ctx ctx; 45 | 46 | // 256-bit hash for testing 47 | if (blake2b_init(&ctx, 32, NULL, 0)) 48 | return -1; 49 | 50 | for (i = 0; i < 4; i++) { 51 | outlen = b2b_md_len[i]; 52 | for (j = 0; j < 6; j++) { 53 | inlen = b2b_in_len[j]; 54 | 55 | selftest_seq(in, inlen, inlen); // unkeyed hash 56 | blake2b(md, outlen, NULL, 0, in, inlen); 57 | blake2b_update(&ctx, md, outlen); // hash the hash 58 | 59 | selftest_seq(key, outlen, outlen); // keyed hash 60 | blake2b(md, outlen, key, outlen, in, inlen); 61 | blake2b_update(&ctx, md, outlen); // hash the hash 62 | } 63 | } 64 | 65 | // compute and compare the hash of hashes 66 | blake2b_final(&ctx, md); 67 | for (i = 0; i < 32; i++) { 68 | if (md[i] != blake2b_res[i]) 69 | return -1; 70 | } 71 | 72 | return 0; 73 | } 74 | 75 | // BLAKE2s self-test validation. Return 0 when OK. 76 | 77 | int blake2s_selftest() 78 | { 79 | // Grand hash of hash results. 80 | const uint8_t blake2s_res[32] = { 81 | 0x6A, 0x41, 0x1F, 0x08, 0xCE, 0x25, 0xAD, 0xCD, 82 | 0xFB, 0x02, 0xAB, 0xA6, 0x41, 0x45, 0x1C, 0xEC, 83 | 0x53, 0xC5, 0x98, 0xB2, 0x4F, 0x4F, 0xC7, 0x87, 84 | 0xFB, 0xDC, 0x88, 0x79, 0x7F, 0x4C, 0x1D, 0xFE 85 | }; 86 | // Parameter sets. 87 | const size_t b2s_md_len[4] = { 16, 20, 28, 32 }; 88 | const size_t b2s_in_len[6] = { 0, 3, 64, 65, 255, 1024 }; 89 | 90 | size_t i, j, outlen, inlen; 91 | uint8_t in[1024], md[32], key[32]; 92 | blake2s_ctx ctx; 93 | 94 | // 256-bit hash for testing. 95 | if (blake2s_init(&ctx, 32, NULL, 0)) 96 | return -1; 97 | 98 | for (i = 0; i < 4; i++) { 99 | outlen = b2s_md_len[i]; 100 | for (j = 0; j < 6; j++) { 101 | inlen = b2s_in_len[j]; 102 | 103 | selftest_seq(in, inlen, inlen); // unkeyed hash 104 | blake2s(md, outlen, NULL, 0, in, inlen); 105 | blake2s_update(&ctx, md, outlen); // hash the hash 106 | 107 | selftest_seq(key, outlen, outlen); // keyed hash 108 | blake2s(md, outlen, key, outlen, in, inlen); 109 | blake2s_update(&ctx, md, outlen); // hash the hash 110 | } 111 | } 112 | 113 | // Compute and compare the hash of hashes. 114 | blake2s_final(&ctx, md); 115 | for (i = 0; i < 32; i++) { 116 | if (md[i] != blake2s_res[i]) 117 | return -1; 118 | } 119 | 120 | return 0; 121 | } 122 | 123 | // Test driver. 124 | 125 | int main(int argc, char **argv) 126 | { 127 | printf("blake2b_selftest() = %s\n", 128 | blake2b_selftest() ? "FAIL" : "OK"); 129 | printf("blake2s_selftest() = %s\n", 130 | blake2s_selftest() ? "FAIL" : "OK"); 131 | 132 | return 0; 133 | } 134 | 135 | -------------------------------------------------------------------------------- /blake2s.c: -------------------------------------------------------------------------------- 1 | // blake2s.c 2 | // A simple blake2s Reference Implementation. 3 | 4 | #include "blake2s.h" 5 | 6 | // Cyclic right rotation. 7 | 8 | #ifndef ROTR32 9 | #define ROTR32(x, y) (((x) >> (y)) ^ ((x) << (32 - (y)))) 10 | #endif 11 | 12 | // Little-endian byte access. 13 | 14 | #define B2S_GET32(p) \ 15 | (((uint32_t) ((uint8_t *) (p))[0]) ^ \ 16 | (((uint32_t) ((uint8_t *) (p))[1]) << 8) ^ \ 17 | (((uint32_t) ((uint8_t *) (p))[2]) << 16) ^ \ 18 | (((uint32_t) ((uint8_t *) (p))[3]) << 24)) 19 | 20 | // Mixing function G. 21 | 22 | #define B2S_G(a, b, c, d, x, y) { \ 23 | v[a] = v[a] + v[b] + x; \ 24 | v[d] = ROTR32(v[d] ^ v[a], 16); \ 25 | v[c] = v[c] + v[d]; \ 26 | v[b] = ROTR32(v[b] ^ v[c], 12); \ 27 | v[a] = v[a] + v[b] + y; \ 28 | v[d] = ROTR32(v[d] ^ v[a], 8); \ 29 | v[c] = v[c] + v[d]; \ 30 | v[b] = ROTR32(v[b] ^ v[c], 7); } 31 | 32 | // Initialization Vector. 33 | 34 | static const uint32_t blake2s_iv[8] = 35 | { 36 | 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 37 | 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19 38 | }; 39 | 40 | // Compression function. "last" flag indicates last block. 41 | 42 | static void blake2s_compress(blake2s_ctx *ctx, int last) 43 | { 44 | const uint8_t sigma[10][16] = { 45 | { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, 46 | { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, 47 | { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, 48 | { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, 49 | { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, 50 | { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, 51 | { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, 52 | { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, 53 | { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, 54 | { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 } 55 | }; 56 | int i; 57 | uint32_t v[16], m[16]; 58 | 59 | for (i = 0; i < 8; i++) { // init work variables 60 | v[i] = ctx->h[i]; 61 | v[i + 8] = blake2s_iv[i]; 62 | } 63 | 64 | v[12] ^= ctx->t[0]; // low 32 bits of offset 65 | v[13] ^= ctx->t[1]; // high 32 bits 66 | if (last) // last block flag set ? 67 | v[14] = ~v[14]; 68 | 69 | for (i = 0; i < 16; i++) // get little-endian words 70 | m[i] = B2S_GET32(&ctx->b[4 * i]); 71 | 72 | for (i = 0; i < 10; i++) { // ten rounds 73 | B2S_G( 0, 4, 8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]); 74 | B2S_G( 1, 5, 9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]); 75 | B2S_G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]); 76 | B2S_G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]); 77 | B2S_G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]); 78 | B2S_G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]); 79 | B2S_G( 2, 7, 8, 13, m[sigma[i][12]], m[sigma[i][13]]); 80 | B2S_G( 3, 4, 9, 14, m[sigma[i][14]], m[sigma[i][15]]); 81 | } 82 | 83 | for( i = 0; i < 8; ++i ) 84 | ctx->h[i] ^= v[i] ^ v[i + 8]; 85 | } 86 | 87 | // Initialize the hashing context "ctx" with optional key "key". 88 | // 1 <= outlen <= 32 gives the digest size in bytes. 89 | // Secret key (also <= 32 bytes) is optional (keylen = 0). 90 | 91 | int blake2s_init(blake2s_ctx *ctx, size_t outlen, 92 | const void *key, size_t keylen) // (keylen=0: no key) 93 | { 94 | size_t i; 95 | 96 | if (outlen == 0 || outlen > 32 || keylen > 32) 97 | return -1; // illegal parameters 98 | 99 | for (i = 0; i < 8; i++) // state, "param block" 100 | ctx->h[i] = blake2s_iv[i]; 101 | ctx->h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen; 102 | 103 | ctx->t[0] = 0; // input count low word 104 | ctx->t[1] = 0; // input count high word 105 | ctx->c = 0; // pointer within buffer 106 | ctx->outlen = outlen; 107 | 108 | for (i = keylen; i < 64; i++) // zero input block 109 | ctx->b[i] = 0; 110 | if (keylen > 0) { 111 | blake2s_update(ctx, key, keylen); 112 | ctx->c = 64; // at the end 113 | } 114 | 115 | return 0; 116 | } 117 | 118 | // Add "inlen" bytes from "in" into the hash. 119 | 120 | void blake2s_update(blake2s_ctx *ctx, 121 | const void *in, size_t inlen) // data bytes 122 | { 123 | size_t i; 124 | 125 | for (i = 0; i < inlen; i++) { 126 | if (ctx->c == 64) { // buffer full ? 127 | ctx->t[0] += ctx->c; // add counters 128 | if (ctx->t[0] < ctx->c) // carry overflow ? 129 | ctx->t[1]++; // high word 130 | blake2s_compress(ctx, 0); // compress (not last) 131 | ctx->c = 0; // counter to zero 132 | } 133 | ctx->b[ctx->c++] = ((const uint8_t *) in)[i]; 134 | } 135 | } 136 | 137 | // Generate the message digest (size given in init). 138 | // Result placed in "out". 139 | 140 | void blake2s_final(blake2s_ctx *ctx, void *out) 141 | { 142 | size_t i; 143 | 144 | ctx->t[0] += ctx->c; // mark last block offset 145 | if (ctx->t[0] < ctx->c) // carry overflow 146 | ctx->t[1]++; // high word 147 | 148 | while (ctx->c < 64) // fill up with zeros 149 | ctx->b[ctx->c++] = 0; 150 | blake2s_compress(ctx, 1); // final block flag = 1 151 | 152 | // little endian convert and store 153 | for (i = 0; i < ctx->outlen; i++) { 154 | ((uint8_t *) out)[i] = 155 | (ctx->h[i >> 2] >> (8 * (i & 3))) & 0xFF; 156 | } 157 | } 158 | 159 | // Convenience function for all-in-one computation. 160 | 161 | int blake2s(void *out, size_t outlen, 162 | const void *key, size_t keylen, 163 | const void *in, size_t inlen) 164 | { 165 | blake2s_ctx ctx; 166 | 167 | if (blake2s_init(&ctx, outlen, key, keylen)) 168 | return -1; 169 | blake2s_update(&ctx, in, inlen); 170 | blake2s_final(&ctx, out); 171 | 172 | return 0; 173 | } 174 | 175 | -------------------------------------------------------------------------------- /blake2b.c: -------------------------------------------------------------------------------- 1 | // blake2b.c 2 | // A simple BLAKE2b Reference Implementation. 3 | 4 | #include "blake2b.h" 5 | 6 | // Cyclic right rotation. 7 | 8 | #ifndef ROTR64 9 | #define ROTR64(x, y) (((x) >> (y)) ^ ((x) << (64 - (y)))) 10 | #endif 11 | 12 | // Little-endian byte access. 13 | 14 | #define B2B_GET64(p) \ 15 | (((uint64_t) ((uint8_t *) (p))[0]) ^ \ 16 | (((uint64_t) ((uint8_t *) (p))[1]) << 8) ^ \ 17 | (((uint64_t) ((uint8_t *) (p))[2]) << 16) ^ \ 18 | (((uint64_t) ((uint8_t *) (p))[3]) << 24) ^ \ 19 | (((uint64_t) ((uint8_t *) (p))[4]) << 32) ^ \ 20 | (((uint64_t) ((uint8_t *) (p))[5]) << 40) ^ \ 21 | (((uint64_t) ((uint8_t *) (p))[6]) << 48) ^ \ 22 | (((uint64_t) ((uint8_t *) (p))[7]) << 56)) 23 | 24 | // G Mixing function. 25 | 26 | #define B2B_G(a, b, c, d, x, y) { \ 27 | v[a] = v[a] + v[b] + x; \ 28 | v[d] = ROTR64(v[d] ^ v[a], 32); \ 29 | v[c] = v[c] + v[d]; \ 30 | v[b] = ROTR64(v[b] ^ v[c], 24); \ 31 | v[a] = v[a] + v[b] + y; \ 32 | v[d] = ROTR64(v[d] ^ v[a], 16); \ 33 | v[c] = v[c] + v[d]; \ 34 | v[b] = ROTR64(v[b] ^ v[c], 63); } 35 | 36 | // Initialization Vector. 37 | 38 | static const uint64_t blake2b_iv[8] = { 39 | 0x6A09E667F3BCC908, 0xBB67AE8584CAA73B, 40 | 0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1, 41 | 0x510E527FADE682D1, 0x9B05688C2B3E6C1F, 42 | 0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179 43 | }; 44 | 45 | // Compression function. "last" flag indicates last block. 46 | 47 | static void blake2b_compress(blake2b_ctx *ctx, int last) 48 | { 49 | const uint8_t sigma[12][16] = { 50 | { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, 51 | { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, 52 | { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, 53 | { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, 54 | { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, 55 | { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, 56 | { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, 57 | { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, 58 | { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, 59 | { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }, 60 | { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, 61 | { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } 62 | }; 63 | int i; 64 | uint64_t v[16], m[16]; 65 | 66 | for (i = 0; i < 8; i++) { // init work variables 67 | v[i] = ctx->h[i]; 68 | v[i + 8] = blake2b_iv[i]; 69 | } 70 | 71 | v[12] ^= ctx->t[0]; // low 64 bits of offset 72 | v[13] ^= ctx->t[1]; // high 64 bits 73 | if (last) // last block flag set ? 74 | v[14] = ~v[14]; 75 | 76 | for (i = 0; i < 16; i++) // get little-endian words 77 | m[i] = B2B_GET64(&ctx->b[8 * i]); 78 | 79 | for (i = 0; i < 12; i++) { // twelve rounds 80 | B2B_G( 0, 4, 8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]); 81 | B2B_G( 1, 5, 9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]); 82 | B2B_G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]); 83 | B2B_G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]); 84 | B2B_G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]); 85 | B2B_G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]); 86 | B2B_G( 2, 7, 8, 13, m[sigma[i][12]], m[sigma[i][13]]); 87 | B2B_G( 3, 4, 9, 14, m[sigma[i][14]], m[sigma[i][15]]); 88 | } 89 | 90 | for( i = 0; i < 8; ++i ) 91 | ctx->h[i] ^= v[i] ^ v[i + 8]; 92 | } 93 | 94 | // Initialize the hashing context "ctx" with optional key "key". 95 | // 1 <= outlen <= 64 gives the digest size in bytes. 96 | // Secret key (also <= 64 bytes) is optional (keylen = 0). 97 | 98 | int blake2b_init(blake2b_ctx *ctx, size_t outlen, 99 | const void *key, size_t keylen) // (keylen=0: no key) 100 | { 101 | size_t i; 102 | 103 | if (outlen == 0 || outlen > 64 || keylen > 64) 104 | return -1; // illegal parameters 105 | 106 | for (i = 0; i < 8; i++) // state, "param block" 107 | ctx->h[i] = blake2b_iv[i]; 108 | ctx->h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen; 109 | 110 | ctx->t[0] = 0; // input count low word 111 | ctx->t[1] = 0; // input count high word 112 | ctx->c = 0; // pointer within buffer 113 | ctx->outlen = outlen; 114 | 115 | for (i = keylen; i < 128; i++) // zero input block 116 | ctx->b[i] = 0; 117 | if (keylen > 0) { 118 | blake2b_update(ctx, key, keylen); 119 | ctx->c = 128; // at the end 120 | } 121 | 122 | return 0; 123 | } 124 | 125 | // Add "inlen" bytes from "in" into the hash. 126 | 127 | void blake2b_update(blake2b_ctx *ctx, 128 | const void *in, size_t inlen) // data bytes 129 | { 130 | size_t i; 131 | 132 | for (i = 0; i < inlen; i++) { 133 | if (ctx->c == 128) { // buffer full ? 134 | ctx->t[0] += ctx->c; // add counters 135 | if (ctx->t[0] < ctx->c) // carry overflow ? 136 | ctx->t[1]++; // high word 137 | blake2b_compress(ctx, 0); // compress (not last) 138 | ctx->c = 0; // counter to zero 139 | } 140 | ctx->b[ctx->c++] = ((const uint8_t *) in)[i]; 141 | } 142 | } 143 | 144 | // Generate the message digest (size given in init). 145 | // Result placed in "out". 146 | 147 | void blake2b_final(blake2b_ctx *ctx, void *out) 148 | { 149 | size_t i; 150 | 151 | ctx->t[0] += ctx->c; // mark last block offset 152 | if (ctx->t[0] < ctx->c) // carry overflow 153 | ctx->t[1]++; // high word 154 | 155 | while (ctx->c < 128) // fill up with zeros 156 | ctx->b[ctx->c++] = 0; 157 | blake2b_compress(ctx, 1); // final block flag = 1 158 | 159 | // little endian convert and store 160 | for (i = 0; i < ctx->outlen; i++) { 161 | ((uint8_t *) out)[i] = 162 | (ctx->h[i >> 3] >> (8 * (i & 7))) & 0xFF; 163 | } 164 | } 165 | 166 | // Convenience function for all-in-one computation. 167 | 168 | int blake2b(void *out, size_t outlen, 169 | const void *key, size_t keylen, 170 | const void *in, size_t inlen) 171 | { 172 | blake2b_ctx ctx; 173 | 174 | if (blake2b_init(&ctx, outlen, key, keylen)) 175 | return -1; 176 | blake2b_update(&ctx, in, inlen); 177 | blake2b_final(&ctx, out); 178 | 179 | return 0; 180 | } 181 | 182 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | CC0 1.0 Universal 2 | 3 | Statement of Purpose 4 | 5 | The laws of most jurisdictions throughout the world automatically confer 6 | exclusive Copyright and Related Rights (defined below) upon the creator and 7 | subsequent owner(s) (each and all, an "owner") of an original work of 8 | authorship and/or a database (each, a "Work"). 9 | 10 | Certain owners wish to permanently relinquish those rights to a Work for the 11 | purpose of contributing to a commons of creative, cultural and scientific 12 | works ("Commons") that the public can reliably and without fear of later 13 | claims of infringement build upon, modify, incorporate in other works, reuse 14 | and redistribute as freely as possible in any form whatsoever and for any 15 | purposes, including without limitation commercial purposes. These owners may 16 | contribute to the Commons to promote the ideal of a free culture and the 17 | further production of creative, cultural and scientific works, or to gain 18 | reputation or greater distribution for their Work in part through the use and 19 | efforts of others. 20 | 21 | For these and/or other purposes and motivations, and without any expectation 22 | of additional consideration or compensation, the person associating CC0 with a 23 | Work (the "Affirmer"), to the extent that he or she is an owner of Copyright 24 | and Related Rights in the Work, voluntarily elects to apply CC0 to the Work 25 | and publicly distribute the Work under its terms, with knowledge of his or her 26 | Copyright and Related Rights in the Work and the meaning and intended legal 27 | effect of CC0 on those rights. 28 | 29 | 1. Copyright and Related Rights. A Work made available under CC0 may be 30 | protected by copyright and related or neighboring rights ("Copyright and 31 | Related Rights"). Copyright and Related Rights include, but are not limited 32 | to, the following: 33 | 34 | i. the right to reproduce, adapt, distribute, perform, display, communicate, 35 | and translate a Work; 36 | 37 | ii. moral rights retained by the original author(s) and/or performer(s); 38 | 39 | iii. publicity and privacy rights pertaining to a person's image or likeness 40 | depicted in a Work; 41 | 42 | iv. rights protecting against unfair competition in regards to a Work, 43 | subject to the limitations in paragraph 4(a), below; 44 | 45 | v. rights protecting the extraction, dissemination, use and reuse of data in 46 | a Work; 47 | 48 | vi. database rights (such as those arising under Directive 96/9/EC of the 49 | European Parliament and of the Council of 11 March 1996 on the legal 50 | protection of databases, and under any national implementation thereof, 51 | including any amended or successor version of such directive); and 52 | 53 | vii. other similar, equivalent or corresponding rights throughout the world 54 | based on applicable law or treaty, and any national implementations thereof. 55 | 56 | 2. Waiver. To the greatest extent permitted by, but not in contravention of, 57 | applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and 58 | unconditionally waives, abandons, and surrenders all of Affirmer's Copyright 59 | and Related Rights and associated claims and causes of action, whether now 60 | known or unknown (including existing as well as future claims and causes of 61 | action), in the Work (i) in all territories worldwide, (ii) for the maximum 62 | duration provided by applicable law or treaty (including future time 63 | extensions), (iii) in any current or future medium and for any number of 64 | copies, and (iv) for any purpose whatsoever, including without limitation 65 | commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes 66 | the Waiver for the benefit of each member of the public at large and to the 67 | detriment of Affirmer's heirs and successors, fully intending that such Waiver 68 | shall not be subject to revocation, rescission, cancellation, termination, or 69 | any other legal or equitable action to disrupt the quiet enjoyment of the Work 70 | by the public as contemplated by Affirmer's express Statement of Purpose. 71 | 72 | 3. Public License Fallback. Should any part of the Waiver for any reason be 73 | judged legally invalid or ineffective under applicable law, then the Waiver 74 | shall be preserved to the maximum extent permitted taking into account 75 | Affirmer's express Statement of Purpose. In addition, to the extent the Waiver 76 | is so judged Affirmer hereby grants to each affected person a royalty-free, 77 | non transferable, non sublicensable, non exclusive, irrevocable and 78 | unconditional license to exercise Affirmer's Copyright and Related Rights in 79 | the Work (i) in all territories worldwide, (ii) for the maximum duration 80 | provided by applicable law or treaty (including future time extensions), (iii) 81 | in any current or future medium and for any number of copies, and (iv) for any 82 | purpose whatsoever, including without limitation commercial, advertising or 83 | promotional purposes (the "License"). The License shall be deemed effective as 84 | of the date CC0 was applied by Affirmer to the Work. Should any part of the 85 | License for any reason be judged legally invalid or ineffective under 86 | applicable law, such partial invalidity or ineffectiveness shall not 87 | invalidate the remainder of the License, and in such case Affirmer hereby 88 | affirms that he or she will not (i) exercise any of his or her remaining 89 | Copyright and Related Rights in the Work or (ii) assert any associated claims 90 | and causes of action with respect to the Work, in either case contrary to 91 | Affirmer's express Statement of Purpose. 92 | 93 | 4. Limitations and Disclaimers. 94 | 95 | a. No trademark or patent rights held by Affirmer are waived, abandoned, 96 | surrendered, licensed or otherwise affected by this document. 97 | 98 | b. Affirmer offers the Work as-is and makes no representations or warranties 99 | of any kind concerning the Work, express, implied, statutory or otherwise, 100 | including without limitation warranties of title, merchantability, fitness 101 | for a particular purpose, non infringement, or the absence of latent or 102 | other defects, accuracy, or the present or absence of errors, whether or not 103 | discoverable, all to the greatest extent permissible under applicable law. 104 | 105 | c. Affirmer disclaims responsibility for clearing rights of other persons 106 | that may apply to the Work or any use thereof, including without limitation 107 | any person's Copyright and Related Rights in the Work. Further, Affirmer 108 | disclaims responsibility for obtaining any necessary consents, permissions 109 | or other rights required for any use of the Work. 110 | 111 | d. Affirmer understands and acknowledges that Creative Commons is not a 112 | party to this document and has no duty or obligation with respect to this 113 | CC0 or use of the Work. 114 | 115 | For more information, please see 116 | 117 | -------------------------------------------------------------------------------- /rfc7693.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | Independent Submission M-J. Saarinen, Ed. 8 | Request for Comments: 7693 Queen's University Belfast 9 | Category: Informational J-P. Aumasson 10 | ISSN: 2070-1721 Kudelski Security 11 | November 2015 12 | 13 | 14 | The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC) 15 | 16 | Abstract 17 | 18 | This document describes the cryptographic hash function BLAKE2 and 19 | makes the algorithm specification and C source code conveniently 20 | available to the Internet community. BLAKE2 comes in two main 21 | flavors: BLAKE2b is optimized for 64-bit platforms and BLAKE2s for 22 | smaller architectures. BLAKE2 can be directly keyed, making it 23 | functionally equivalent to a Message Authentication Code (MAC). 24 | 25 | Status of This Memo 26 | 27 | This document is not an Internet Standards Track specification; it is 28 | published for informational purposes. 29 | 30 | This is a contribution to the RFC Series, independently of any other 31 | RFC stream. The RFC Editor has chosen to publish this document at 32 | its discretion and makes no statement about its value for 33 | implementation or deployment. Documents approved for publication by 34 | the RFC Editor are not a candidate for any level of Internet 35 | Standard; see Section 2 of RFC 5741. 36 | 37 | Information about the current status of this document, any errata, 38 | and how to provide feedback on it may be obtained at 39 | http://www.rfc-editor.org/info/rfc7693. 40 | 41 | Copyright Notice 42 | 43 | Copyright (c) 2015 IETF Trust and the persons identified as the 44 | document authors. All rights reserved. 45 | 46 | This document is subject to BCP 78 and the IETF Trust's Legal 47 | Provisions Relating to IETF Documents 48 | (http://trustee.ietf.org/license-info) in effect on the date of 49 | publication of this document. Please review these documents 50 | carefully, as they describe your rights and restrictions with respect 51 | to this document. 52 | 53 | 54 | 55 | 56 | 57 | 58 | Saarinen & Aumasson Informational [Page 1] 59 | 60 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 61 | 62 | 63 | Table of Contents 64 | 65 | 1. Introduction and Terminology . . . . . . . . . . . . . . . . 2 66 | 2. Conventions, Variables, and Constants . . . . . . . . . . . . 3 67 | 2.1. Parameters . . . . . . . . . . . . . . . . . . . . . . . 3 68 | 2.2. Other Constants and Variables . . . . . . . . . . . . . . 4 69 | 2.3. Arithmetic Notation . . . . . . . . . . . . . . . . . . . 4 70 | 2.4. Little-Endian Interpretation of Words as Bytes . . . . . 5 71 | 2.5. Parameter Block . . . . . . . . . . . . . . . . . . . . . 5 72 | 2.6. Initialization Vector . . . . . . . . . . . . . . . . . . 5 73 | 2.7. Message Schedule SIGMA . . . . . . . . . . . . . . . . . 6 74 | 3. BLAKE2 Processing . . . . . . . . . . . . . . . . . . . . . . 6 75 | 3.1. Mixing Function G . . . . . . . . . . . . . . . . . . . . 6 76 | 3.2. Compression Function F . . . . . . . . . . . . . . . . . 7 77 | 3.3. Padding Data and Computing a BLAKE2 Digest . . . . . . . 8 78 | 4. Standard Parameter Sets and Algorithm Identifiers . . . . . . 9 79 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 80 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 81 | 6.1. Normative References . . . . . . . . . . . . . . . . . . 10 82 | 6.2. Informative References . . . . . . . . . . . . . . . . . 11 83 | Appendix A. Example of BLAKE2b Computation . . . . . . . . . . . 11 84 | Appendix B. Example of BLAKE2s Computation . . . . . . . . . . . 13 85 | Appendix C. BLAKE2b Implementation C Source . . . . . . . . . . 15 86 | C.1. blake2b.h . . . . . . . . . . . . . . . . . . . . . . . . 15 87 | C.2. blake2b.c . . . . . . . . . . . . . . . . . . . . . . . . 16 88 | Appendix D. BLAKE2s Implementation C Source . . . . . . . . . . 20 89 | D.1. blake2s.h . . . . . . . . . . . . . . . . . . . . . . . . 20 90 | D.2. blake2s.c . . . . . . . . . . . . . . . . . . . . . . . . 21 91 | Appendix E. BLAKE2b and BLAKE2s Self-Test Module C Source . . . 25 92 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 28 93 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 29 94 | 95 | 1. Introduction and Terminology 96 | 97 | The BLAKE2 cryptographic hash function [BLAKE2] was designed by Jean- 98 | Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian 99 | Winnerlein. 100 | 101 | BLAKE2 comes in two basic flavors: 102 | 103 | o BLAKE2b (or just BLAKE2) is optimized for 64-bit platforms and 104 | produces digests of any size between 1 and 64 bytes. 105 | 106 | o BLAKE2s is optimized for 8- to 32-bit platforms and produces 107 | digests of any size between 1 and 32 bytes. 108 | 109 | Both BLAKE2b and BLAKE2s are believed to be highly secure and perform 110 | well on any platform, software, or hardware. BLAKE2 does not require 111 | 112 | 113 | 114 | Saarinen & Aumasson Informational [Page 2] 115 | 116 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 117 | 118 | 119 | a special "HMAC" (Hashed Message Authentication Code) construction 120 | for keyed message authentication as it has a built-in keying 121 | mechanism. 122 | 123 | The BLAKE2 hash function may be used by digital signature algorithms 124 | and message authentication and integrity protection mechanisms in 125 | applications such as Public Key Infrastructure (PKI), secure 126 | communication protocols, cloud storage, intrusion detection, forensic 127 | suites, and version control systems. 128 | 129 | The BLAKE2 suite provides a more efficient alternative to US Secure 130 | Hash Algorithms SHA and HMAC-SHA [RFC6234]. BLAKE2s-128 is 131 | especially suited as a fast and more secure drop-in replacement to 132 | MD5 and HMAC-MD5 in legacy applications [RFC6151]. 133 | 134 | To aid implementation, we provide a trace of BLAKE2b-512 hash 135 | computation in Appendix A and a trace of BLAKE2s-256 hash computation 136 | in Appendix B. Due to space constraints, this document does not 137 | contain a full set of test vectors for BLAKE2. 138 | 139 | A reference implementation in C programming language for BLAKE2b can 140 | be found in Appendix C and for BLAKE2s in Appendix D of this 141 | document. These implementations MAY be validated with the more 142 | exhaustive Test Module contained in Appendix E. 143 | 144 | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 145 | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 146 | document are to be interpreted as described in [RFC2119]. 147 | 148 | 2. Conventions, Variables, and Constants 149 | 150 | 2.1. Parameters 151 | 152 | The following table summarizes various parameters and their ranges: 153 | 154 | | BLAKE2b | BLAKE2s | 155 | --------------+------------------+------------------+ 156 | Bits in word | w = 64 | w = 32 | 157 | Rounds in F | r = 12 | r = 10 | 158 | Block bytes | bb = 128 | bb = 64 | 159 | Hash bytes | 1 <= nn <= 64 | 1 <= nn <= 32 | 160 | Key bytes | 0 <= kk <= 64 | 0 <= kk <= 32 | 161 | Input bytes | 0 <= ll < 2**128 | 0 <= ll < 2**64 | 162 | --------------+------------------+------------------+ 163 | G Rotation | (R1, R2, R3, R4) | (R1, R2, R3, R4) | 164 | constants = | (32, 24, 16, 63) | (16, 12, 8, 7) | 165 | --------------+------------------+------------------+ 166 | 167 | 168 | 169 | 170 | Saarinen & Aumasson Informational [Page 3] 171 | 172 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 173 | 174 | 175 | 2.2. Other Constants and Variables 176 | 177 | These variables are used in the algorithm description: 178 | 179 | IV[0..7] Initialization Vector (constant). 180 | 181 | SIGMA[0..9] Message word permutations (constant). 182 | 183 | p[0..7] Parameter block (defines hash and key sizes). 184 | 185 | m[0..15] Sixteen words of a single message block. 186 | 187 | h[0..7] Internal state of the hash. 188 | 189 | d[0..dd-1] Padded input blocks. Each has "bb" bytes. 190 | 191 | t Message byte offset at the end of the current block. 192 | 193 | f Flag indicating the last block. 194 | 195 | 2.3. Arithmetic Notation 196 | 197 | For real-valued x, we define the following functions: 198 | 199 | floor(x) Floor, the largest integer <= x. 200 | 201 | ceil(x) Ceiling, the smallest integer >= x. 202 | 203 | frac(x) Positive fractional part of x, frac(x) = x - floor(x). 204 | 205 | Operator notation in pseudocode: 206 | 207 | 2**n = 2 to the power "n". 2**0=1, 2**1=2, 2**2=4, 2**3=8, etc. 208 | 209 | a ^ b = Bitwise exclusive-or operation between "a" and "b". 210 | 211 | a mod b = Remainder "a" modulo "b", always in range [0, b-1]. 212 | 213 | x >> n = floor(x / 2**n). Logical shift "x" right by "n" bits. 214 | 215 | x << n = (x * 2**n) mod (2**w). Logical shift "x" left by "n". 216 | 217 | x >>> n = (x >> n) ^ (x << (w - n)). Rotate "x" right by "n". 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | Saarinen & Aumasson Informational [Page 4] 227 | 228 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 229 | 230 | 231 | 2.4. Little-Endian Interpretation of Words as Bytes 232 | 233 | All mathematical operations are on 64-bit words in BLAKE2b and on 234 | 32-bit words in BLAKE2s. 235 | 236 | We may also perform operations on vectors of words. Vector indexing 237 | is zero based; the first element of an n-element vector "v" is v[0] 238 | and the last one is v[n - 1]. All elements are denoted by v[0..n-1]. 239 | 240 | Byte (octet) streams are interpreted as words in little-endian order, 241 | with the least-significant byte first. Consider this sequence of 242 | eight hexadecimal bytes: 243 | 244 | x[0..7] = 0x01 0x23 0x45 0x67 0x89 0xAB 0xCD 0xEF 245 | 246 | When interpreted as a 32-bit word from the beginning memory address, 247 | x[0..3] has a numerical value of 0x67452301 or 1732584193. 248 | 249 | When interpreted as a 64-bit word, bytes x[0..7] have a numerical 250 | value of 0xEFCDAB8967452301 or 17279655951921914625. 251 | 252 | 2.5. Parameter Block 253 | 254 | We specify the parameter block words p[0..7] as follows: 255 | 256 | byte offset: 3 2 1 0 (otherwise zero) 257 | p[0] = 0x0101kknn p[1..7] = 0 258 | 259 | Here the "nn" byte specifies the hash size in bytes. The second 260 | (little-endian) byte of the parameter block, "kk", specifies the key 261 | size in bytes. Set kk = 00 for unkeyed hashing. Bytes 2 and 3 are 262 | set as 01. All other bytes in the parameter block are set as zero. 263 | 264 | Note: [BLAKE2] defines additional variants of BLAKE2 with features 265 | such as salting, personalized hashes, and tree hashing. These 266 | OPTIONAL features use fields in the parameter block that are not 267 | defined in this document. 268 | 269 | 2.6. Initialization Vector 270 | 271 | We define the Initialization Vector constant IV mathematically as: 272 | 273 | IV[i] = floor(2**w * frac(sqrt(prime(i+1)))), where prime(i) 274 | is the i:th prime number ( 2, 3, 5, 7, 11, 13, 17, 19 ) 275 | and sqrt(x) is the square root of x. 276 | 277 | The numerical values of IV can also be found in implementations in 278 | Appendices C and D for BLAKE2b and BLAKE2s, respectively. 279 | 280 | 281 | 282 | Saarinen & Aumasson Informational [Page 5] 283 | 284 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 285 | 286 | 287 | Note: BLAKE2b IV is the same as SHA-512 IV, and BLAKE2s IV is the 288 | same as SHA-256 IV; see [RFC6234]. 289 | 290 | 2.7. Message Schedule SIGMA 291 | 292 | Message word schedule permutations for each round of both BLAKE2b and 293 | BLAKE2s are defined by SIGMA. For BLAKE2b, the two extra 294 | permutations for rounds 10 and 11 are SIGMA[10..11] = SIGMA[0..1]. 295 | 296 | Round | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | 297 | ----------+-------------------------------------------------+ 298 | SIGMA[0] | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | 299 | SIGMA[1] | 14 10 4 8 9 15 13 6 1 12 0 2 11 7 5 3 | 300 | SIGMA[2] | 11 8 12 0 5 2 15 13 10 14 3 6 7 1 9 4 | 301 | SIGMA[3] | 7 9 3 1 13 12 11 14 2 6 5 10 4 0 15 8 | 302 | SIGMA[4] | 9 0 5 7 2 4 10 15 14 1 11 12 6 8 3 13 | 303 | SIGMA[5] | 2 12 6 10 0 11 8 3 4 13 7 5 15 14 1 9 | 304 | SIGMA[6] | 12 5 1 15 14 13 4 10 0 7 6 3 9 2 8 11 | 305 | SIGMA[7] | 13 11 7 14 12 1 3 9 5 0 15 4 8 6 2 10 | 306 | SIGMA[8] | 6 15 14 9 11 3 0 8 12 2 13 7 1 4 10 5 | 307 | SIGMA[9] | 10 2 8 4 7 6 1 5 15 11 9 14 3 12 13 0 | 308 | ----------+-------------------------------------------------+ 309 | 310 | 3. BLAKE2 Processing 311 | 312 | 3.1. Mixing Function G 313 | 314 | The G primitive function mixes two input words, "x" and "y", into 315 | four words indexed by "a", "b", "c", and "d" in the working vector 316 | v[0..15]. The full modified vector is returned. The rotation 317 | constants (R1, R2, R3, R4) are given in Section 2.1. 318 | 319 | FUNCTION G( v[0..15], a, b, c, d, x, y ) 320 | | 321 | | v[a] := (v[a] + v[b] + x) mod 2**w 322 | | v[d] := (v[d] ^ v[a]) >>> R1 323 | | v[c] := (v[c] + v[d]) mod 2**w 324 | | v[b] := (v[b] ^ v[c]) >>> R2 325 | | v[a] := (v[a] + v[b] + y) mod 2**w 326 | | v[d] := (v[d] ^ v[a]) >>> R3 327 | | v[c] := (v[c] + v[d]) mod 2**w 328 | | v[b] := (v[b] ^ v[c]) >>> R4 329 | | 330 | | RETURN v[0..15] 331 | | 332 | END FUNCTION. 333 | 334 | 335 | 336 | 337 | 338 | Saarinen & Aumasson Informational [Page 6] 339 | 340 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 341 | 342 | 343 | 3.2. Compression Function F 344 | 345 | Compression function F takes as an argument the state vector "h", 346 | message block vector "m" (last block is padded with zeros to full 347 | block size, if required), 2w-bit offset counter "t", and final block 348 | indicator flag "f". Local vector v[0..15] is used in processing. F 349 | returns a new state vector. The number of rounds, "r", is 12 for 350 | BLAKE2b and 10 for BLAKE2s. Rounds are numbered from 0 to r - 1. 351 | 352 | FUNCTION F( h[0..7], m[0..15], t, f ) 353 | | 354 | | // Initialize local work vector v[0..15] 355 | | v[0..7] := h[0..7] // First half from state. 356 | | v[8..15] := IV[0..7] // Second half from IV. 357 | | 358 | | v[12] := v[12] ^ (t mod 2**w) // Low word of the offset. 359 | | v[13] := v[13] ^ (t >> w) // High word. 360 | | 361 | | IF f = TRUE THEN // last block flag? 362 | | | v[14] := v[14] ^ 0xFF..FF // Invert all bits. 363 | | END IF. 364 | | 365 | | // Cryptographic mixing 366 | | FOR i = 0 TO r - 1 DO // Ten or twelve rounds. 367 | | | 368 | | | // Message word selection permutation for this round. 369 | | | s[0..15] := SIGMA[i mod 10][0..15] 370 | | | 371 | | | v := G( v, 0, 4, 8, 12, m[s[ 0]], m[s[ 1]] ) 372 | | | v := G( v, 1, 5, 9, 13, m[s[ 2]], m[s[ 3]] ) 373 | | | v := G( v, 2, 6, 10, 14, m[s[ 4]], m[s[ 5]] ) 374 | | | v := G( v, 3, 7, 11, 15, m[s[ 6]], m[s[ 7]] ) 375 | | | 376 | | | v := G( v, 0, 5, 10, 15, m[s[ 8]], m[s[ 9]] ) 377 | | | v := G( v, 1, 6, 11, 12, m[s[10]], m[s[11]] ) 378 | | | v := G( v, 2, 7, 8, 13, m[s[12]], m[s[13]] ) 379 | | | v := G( v, 3, 4, 9, 14, m[s[14]], m[s[15]] ) 380 | | | 381 | | END FOR 382 | | 383 | | FOR i = 0 TO 7 DO // XOR the two halves. 384 | | | h[i] := h[i] ^ v[i] ^ v[i + 8] 385 | | END FOR. 386 | | 387 | | RETURN h[0..7] // New state. 388 | | 389 | END FUNCTION. 390 | 391 | 392 | 393 | 394 | Saarinen & Aumasson Informational [Page 7] 395 | 396 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 397 | 398 | 399 | 3.3. Padding Data and Computing a BLAKE2 Digest 400 | 401 | We refer the reader to Appendices C and D for reference C language 402 | implementations of BLAKE2b and BLAKE2s, respectively. 403 | 404 | Key and data input are split and padded into "dd" message blocks 405 | d[0..dd-1], each consisting of 16 words (or "bb" bytes). 406 | 407 | If a secret key is used (kk > 0), it is padded with zero bytes and 408 | set as d[0]. Otherwise, d[0] is the first data block. The final 409 | data block d[dd-1] is also padded with zero to "bb" bytes (16 words). 410 | 411 | The number of blocks is therefore dd = ceil(kk / bb) + ceil(ll / bb). 412 | However, in the special case of an unkeyed empty message (kk = 0 and 413 | ll = 0), we still set dd = 1 and d[0] consists of all zeros. 414 | 415 | The following procedure processes the padded data blocks into an 416 | "nn"-byte final hash value. See Section 2 for a description of 417 | various variables and constants used. 418 | 419 | FUNCTION BLAKE2( d[0..dd-1], ll, kk, nn ) 420 | | 421 | | h[0..7] := IV[0..7] // Initialization Vector. 422 | | 423 | | // Parameter block p[0] 424 | | h[0] := h[0] ^ 0x01010000 ^ (kk << 8) ^ nn 425 | | 426 | | // Process padded key and data blocks 427 | | IF dd > 1 THEN 428 | | | FOR i = 0 TO dd - 2 DO 429 | | | | h := F( h, d[i], (i + 1) * bb, FALSE ) 430 | | | END FOR. 431 | | END IF. 432 | | 433 | | // Final block. 434 | | IF kk = 0 THEN 435 | | | h := F( h, d[dd - 1], ll, TRUE ) 436 | | ELSE 437 | | | h := F( h, d[dd - 1], ll + bb, TRUE ) 438 | | END IF. 439 | | 440 | | RETURN first "nn" bytes from little-endian word array h[]. 441 | | 442 | END FUNCTION. 443 | 444 | 445 | 446 | 447 | 448 | 449 | 450 | Saarinen & Aumasson Informational [Page 8] 451 | 452 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 453 | 454 | 455 | 4. Standard Parameter Sets and Algorithm Identifiers 456 | 457 | An implementation of BLAKE2b and/or BLAKE2s MAY support the following 458 | digest size parameters for interoperability (e.g., digital 459 | signatures), as long as a sufficient level of security is attained by 460 | the parameter selections. These parameters and identifiers are 461 | intended to be suitable as drop-in replacements to MD5 and 462 | corresponding SHA algorithms. 463 | 464 | Developers adapting BLAKE2 to ASN.1-based message formats SHOULD use 465 | the OID tree at x = 1.3.6.1.4.1.1722.12.2. The same OID can be used 466 | for both keyed and unkeyed hashing since in the latter case the key 467 | simply has zero length. 468 | 469 | Algorithm | Target | Collision | Hash | Hash ASN.1 | 470 | Identifier | Arch | Security | nn | OID Suffix | 471 | ---------------+--------+-----------+------+------------+ 472 | id-blake2b160 | 64-bit | 2**80 | 20 | x.1.5 | 473 | id-blake2b256 | 64-bit | 2**128 | 32 | x.1.8 | 474 | id-blake2b384 | 64-bit | 2**192 | 48 | x.1.12 | 475 | id-blake2b512 | 64-bit | 2**256 | 64 | x.1.16 | 476 | ---------------+--------+-----------+------+------------+ 477 | id-blake2s128 | 32-bit | 2**64 | 16 | x.2.4 | 478 | id-blake2s160 | 32-bit | 2**80 | 20 | x.2.5 | 479 | id-blake2s224 | 32-bit | 2**112 | 28 | x.2.7 | 480 | id-blake2s256 | 32-bit | 2**128 | 32 | x.2.8 | 481 | ---------------+--------+-----------+------+------------+ 482 | 483 | 484 | 485 | 486 | 487 | 488 | 489 | 490 | 491 | 492 | 493 | 494 | 495 | 496 | 497 | 498 | 499 | 500 | 501 | 502 | 503 | 504 | 505 | 506 | Saarinen & Aumasson Informational [Page 9] 507 | 508 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 509 | 510 | 511 | hashAlgs OBJECT IDENTIFIER ::= { 512 | iso(1) identified-organization(3) dod(6) internet(1) 513 | private(4) enterprise(1) kudelski(1722) cryptography(12) 2 514 | } 515 | macAlgs OBJECT IDENTIFIER ::= { 516 | iso(1) identified-organization(3) dod(6) internet(1) 517 | private(4) enterprise(1) kudelski(1722) cryptography(12) 3 518 | } 519 | 520 | -- the two BLAKE2 variants -- 521 | blake2b OBJECT IDENTIFIER ::= { hashAlgs 1 } 522 | blake2s OBJECT IDENTIFIER ::= { hashAlgs 2 } 523 | 524 | -- BLAKE2b Identifiers -- 525 | id-blake2b160 OBJECT IDENTIFIER ::= { blake2b 5 } 526 | id-blake2b256 OBJECT IDENTIFIER ::= { blake2b 8 } 527 | id-blake2b384 OBJECT IDENTIFIER ::= { blake2b 12 } 528 | id-blake2b512 OBJECT IDENTIFIER ::= { blake2b 16 } 529 | 530 | -- BLAKE2s Identifiers -- 531 | id-blake2s128 OBJECT IDENTIFIER ::= { blake2s 4 } 532 | id-blake2s160 OBJECT IDENTIFIER ::= { blake2s 5 } 533 | id-blake2s224 OBJECT IDENTIFIER ::= { blake2s 7 } 534 | id-blake2s256 OBJECT IDENTIFIER ::= { blake2s 8 } 535 | 536 | 5. Security Considerations 537 | 538 | This document is intended to provide convenient open-source access by 539 | the Internet community to the BLAKE2 cryptographic hash algorithm. 540 | We wish to make no independent assertion to its security in this 541 | document. We refer the reader to [BLAKE] and [BLAKE2] for detailed 542 | cryptanalytic rationale behind its design. 543 | 544 | In order to avoid bloat, the reference implementations in Appendices 545 | C and D may not erase all sensitive data (such as secret keys) 546 | immediately from process memory after use. Such cleanup can be added 547 | if needed. 548 | 549 | 6. References 550 | 551 | 6.1. Normative References 552 | 553 | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 554 | Requirement Levels", BCP 14, RFC 2119, 555 | DOI 10.17487/RFC2119, March 1997, 556 | . 557 | 558 | 559 | 560 | 561 | 562 | Saarinen & Aumasson Informational [Page 10] 563 | 564 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 565 | 566 | 567 | 6.2. Informative References 568 | 569 | [BLAKE] Aumasson, J-P., Meier, W., Phan, R., and L. Henzen, "The 570 | Hash Function BLAKE", January 2015, 571 | . 572 | 573 | [BLAKE2] Aumasson, J-P., Neves, S., Wilcox-O'Hearn, Z., and C. 574 | Winnerlein, "BLAKE2: simpler, smaller, fast as MD5", 575 | January 2013, . 576 | 577 | [FIPS140-2IG] 578 | NIST, "Implementation Guidance for FIPS PUB 140-2 and the 579 | Cryptographic Module Validation Program", September 2015, 580 | . 582 | 583 | [RFC6151] Turner, S. and L. Chen, "Updated Security Considerations 584 | for the MD5 Message-Digest and the HMAC-MD5 Algorithms", 585 | RFC 6151, DOI 10.17487/RFC6151, March 2011, 586 | . 587 | 588 | [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms 589 | (SHA and SHA-based HMAC and HKDF)", RFC 6234, 590 | DOI 10.17487/RFC6234, May 2011, 591 | . 592 | 593 | Appendix A. Example of BLAKE2b Computation 594 | 595 | We compute the unkeyed hash of three ASCII bytes "abc" with 596 | BLAKE2b-512 and show internal values during computation. 597 | 598 | m[16] = 0000000000636261 0000000000000000 0000000000000000 599 | 0000000000000000 0000000000000000 0000000000000000 600 | 0000000000000000 0000000000000000 0000000000000000 601 | 0000000000000000 0000000000000000 0000000000000000 602 | 0000000000000000 0000000000000000 0000000000000000 603 | 0000000000000000 604 | 605 | (i= 0) v[16] = 6A09E667F2BDC948 BB67AE8584CAA73B 3C6EF372FE94F82B 606 | A54FF53A5F1D36F1 510E527FADE682D1 9B05688C2B3E6C1F 607 | 1F83D9ABFB41BD6B 5BE0CD19137E2179 6A09E667F3BCC908 608 | BB67AE8584CAA73B 3C6EF372FE94F82B A54FF53A5F1D36F1 609 | 510E527FADE682D2 9B05688C2B3E6C1F E07C265404BE4294 610 | 5BE0CD19137E2179 611 | 612 | (i= 1) v[16] = 86B7C1568029BB79 C12CBCC809FF59F3 C6A5214CC0EACA8E 613 | 0C87CD524C14CC5D 44EE6039BD86A9F7 A447C850AA694A7E 614 | DE080F1BB1C0F84B 595CB8A9A1ACA66C BEC3AE837EAC4887 615 | 616 | 617 | 618 | Saarinen & Aumasson Informational [Page 11] 619 | 620 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 621 | 622 | 623 | 6267FC79DF9D6AD1 FA87B01273FA6DBE 521A715C63E08D8A 624 | E02D0975B8D37A83 1C7B754F08B7D193 8F885A76B6E578FE 625 | 2318A24E2140FC64 626 | 627 | (i= 2) v[16] = 53281E83806010F2 3594B403F81B4393 8CD63C7462DE0DFF 628 | 85F693F3DA53F974 BAABDBB2F386D9AE CA5425AEC65A10A8 629 | C6A22E2FF0F7AA48 C6A56A51CB89C595 224E6A3369224F96 630 | 500E125E58A92923 E9E4AD0D0E1A0D48 85DF9DC143C59A74 631 | 92A3AAAA6D952B7F C5FDF71090FAE853 2A8A40F15A462DD0 632 | 572D17EFFDD37358 633 | 634 | (i= 3) v[16] = 60ED96AA7AD41725 E46A743C71800B9D 1A04B543A01F156B 635 | A2F8716E775C4877 DA0A61BCDE4267EA B1DD230754D7BDEE 636 | 25A1422779E06D14 E6823AE4C3FF58A5 A1677E19F37FD5DA 637 | 22BDCE6976B08C51 F1DE8696BEC11BF1 A0EBD586A4A1D2C8 638 | C804EBAB11C99FA9 8E0CEC959C715793 7C45557FAE0D4D89 639 | 716343F52FDD265E 640 | 641 | (i= 4) v[16] = BB2A77D3A8382351 45EB47971F23B103 98BE297F6E45C684 642 | A36077DEE3370B89 8A03C4CB7E97590A 24192E49EBF54EA0 643 | 4F82C9401CB32D7A 8CCD013726420DC4 A9C9A8F17B1FC614 644 | 55908187977514A0 5B44273E66B19D27 B6D5C9FCA2579327 645 | 086092CFB858437E 5C4BE2156DBEECF9 2EFEDE99ED4EFF16 646 | 3E7B5F234CD1F804 647 | 648 | (i= 5) v[16] = C79C15B3D423B099 2DA2224E8DA97556 77D2B26DF1C45C55 649 | 8934EB09A3456052 0F6D9EEED157DA2A 6FE66467AF88C0A9 650 | 4EB0B76284C7AAFB 299C8E725D954697 B2240B59E6D567D3 651 | 2643C2370E49EBFD 79E02EEF20CDB1AE 64B3EED7BB602F39 652 | B97D2D439E4DF63D C718E755294C9111 1F0893F2772BB373 653 | 1205EA4A7859807D 654 | 655 | (i= 6) v[16] = E58F97D6385BAEE4 7640AA9764DA137A DEB4C7C23EFE287E 656 | 70F6F41C8783C9F6 7127CD48C76A7708 9E472AF0BE3DB3F6 657 | 0F244C62DDF71788 219828AA83880842 41CCA9073C8C4D0D 658 | 5C7912BC10DF3B4B A2C3ABBD37510EE2 CB5668CC2A9F7859 659 | 8733794F07AC1500 C67A6BE42335AA6F ACB22B28681E4C82 660 | DB2161604CBC9828 661 | 662 | (i= 7) v[16] = 6E2D286EEADEDC81 BCF02C0787E86358 57D56A56DD015EDF 663 | 55D899D40A5D0D0A 819415B56220C459 B63C479A6A769F02 664 | 258E55E0EC1F362A 3A3B4EC60E19DFDC 04D769B3FCB048DB 665 | B78A9A33E9BFF4DD 5777272AE1E930C0 5A387849E578DBF6 666 | 92AAC307CF2C0AFC 30AACCC4F06DAFAA 483893CC094F8863 667 | E03C6CC89C26BF92 668 | 669 | (i= 8) v[16] = FFC83ECE76024D01 1BE7BFFB8C5CC5F9 A35A18CBAC4C65B7 670 | B7C2C7E6D88C285F 81937DA314A50838 E1179523A2541963 671 | 672 | 673 | 674 | Saarinen & Aumasson Informational [Page 12] 675 | 676 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 677 | 678 | 679 | 3A1FAD7106232B8F 1C7EDE92AB8B9C46 A3C2D35E4F685C10 680 | A53D3F73AA619624 30BBCC0285A22F65 BCEFBB6A81539E5D 681 | 3841DEF6F4C9848A 98662C85FBA726D4 7762439BD5A851BD 682 | B0B9F0D443D1A889 683 | 684 | (i= 9) v[16] = 753A70A1E8FAEADD 6B0D43CA2C25D629 F8343BA8B94F8C0B 685 | BC7D062B0DB5CF35 58540EE1B1AEBC47 63C5B9B80D294CB9 686 | 490870ECAD27DEBD B2A90DDF667287FE 316CC9EBEEFAD8FC 687 | 4A466BCD021526A4 5DA7F7638CEC5669 D9C8826727D306FC 688 | 88ED6C4F3BD7A537 19AE688DDF67F026 4D8707AAB40F7E6D 689 | FD3F572687FEA4F1 690 | 691 | (i=10) v[16] = E630C747CCD59C4F BC713D41127571CA 46DB183025025078 692 | 6727E81260610140 2D04185EAC2A8CBA 5F311B88904056EC 693 | 40BD313009201AAB 0099D4F82A2A1EAB 6DD4FBC1DE60165D 694 | B3B0B51DE3C86270 900AEE2F233B08E5 A07199D87AD058D8 695 | 2C6B25593D717852 37E8CA471BEAA5F8 2CFC1BAC10EF4457 696 | 01369EC18746E775 697 | 698 | (i=11) v[16] = E801F73B9768C760 35C6D22320BE511D 306F27584F65495E 699 | B51776ADF569A77B F4F1BE86690B3C34 3CC88735D1475E4B 700 | 5DAC67921FF76949 1CDB9D31AD70CC4E 35BA354A9C7DF448 701 | 4929CBE45679D73E 733D1A17248F39DB 92D57B736F5F170A 702 | 61B5C0A41D491399 B5C333457E12844A BD696BE010D0D889 703 | 02231E1A917FE0BD 704 | 705 | (i=12) v[16] = 12EF8A641EC4F6D6 BCED5DE977C9FAF5 733CA476C5148639 706 | 97DF596B0610F6FC F42C16519AD5AFA7 AA5AC1888E10467E 707 | 217D930AA51787F3 906A6FF19E573942 75AB709BD3DCBF24 708 | EE7CE1F345947AA4 F8960D6C2FAF5F5E E332538A36B6D246 709 | 885BEF040EF6AA0B A4939A417BFB78A3 646CBB7AF6DCE980 710 | E813A23C60AF3B82 711 | 712 | h[8] = 0D4D1C983FA580BA E9F6129FB697276A B7C45A68142F214C 713 | D1A2FFDB6FBB124B 2D79AB2A39C5877D 95CC3345DED552C2 714 | 5A92F1DBA88AD318 239900D4ED8623B9 715 | 716 | BLAKE2b-512("abc") = BA 80 A5 3F 98 1C 4D 0D 6A 27 97 B6 9F 12 F6 E9 717 | 4C 21 2F 14 68 5A C4 B7 4B 12 BB 6F DB FF A2 D1 718 | 7D 87 C5 39 2A AB 79 2D C2 52 D5 DE 45 33 CC 95 719 | 18 D3 8A A8 DB F1 92 5A B9 23 86 ED D4 00 99 23 720 | 721 | Appendix B. Example of BLAKE2s Computation 722 | 723 | We compute the unkeyed hash of three ASCII bytes "abc" with 724 | BLAKE2s-256 and show internal values during computation. 725 | 726 | m[16] = 00636261 00000000 00000000 00000000 00000000 00000000 727 | 728 | 729 | 730 | Saarinen & Aumasson Informational [Page 13] 731 | 732 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 733 | 734 | 735 | 00000000 00000000 00000000 00000000 00000000 00000000 736 | 00000000 00000000 00000000 00000000 737 | 738 | (i=0) v[16] = 6B08E647 BB67AE85 3C6EF372 A54FF53A 510E527F 9B05688C 739 | 1F83D9AB 5BE0CD19 6A09E667 BB67AE85 3C6EF372 A54FF53A 740 | 510E527C 9B05688C E07C2654 5BE0CD19 741 | 742 | (i=1) v[16] = 16A3242E D7B5E238 CE8CE24B 927AEDE1 A7B430D9 93A4A14E 743 | A44E7C31 41D4759B 95BF33D3 9A99C181 608A3A6B B666383E 744 | 7A8DD50F BE378ED7 353D1EE6 3BB44C6B 745 | 746 | (i=2) v[16] = 3AE30FE3 0982A96B E88185B4 3E339B16 F24338CD 0E66D326 747 | E005ED0C D591A277 180B1F3A FCF43914 30DB62D6 4847831C 748 | 7F00C58E FB847886 C544E836 524AB0E2 749 | 750 | (i=3) v[16] = 7A3BE783 997546C1 D45246DF EDB5F821 7F98A742 10E864E2 751 | D4AB70D0 C63CB1AB 6038DA9E 414594B0 F2C218B5 8DA0DCB7 752 | D7CD7AF5 AB4909DF 85031A52 C4EDFC98 753 | 754 | (i=4) v[16] = 2A8B8CB7 1ACA82B2 14045D7F CC7258ED 383CF67C E090E7F9 755 | 3025D276 57D04DE4 994BACF0 F0982759 F17EE300 D48FC2D5 756 | DC854C10 523898A9 C03A0F89 47D6CD88 757 | 758 | (i=5) v[16] = C4AA2DDB 111343A3 D54A700A 574A00A9 857D5A48 B1E11989 759 | 6F5C52DF DD2C53A3 678E5F8E 9718D4E9 622CB684 92976076 760 | 0E41A517 359DC2BE 87A87DDD 643F9CEC 761 | 762 | (i=6) v[16] = 3453921C D7595EE1 592E776D 3ED6A974 4D997CB3 DE9212C3 763 | 35ADF5C9 9916FD65 96562E89 4EAD0792 EBFC2712 2385F5B2 764 | F34600FB D7BC20FB EB452A7B ECE1AA40 765 | 766 | (i=7) v[16] = BE851B2D A85F6358 81E6FC3B 0BB28000 FA55A33A 87BE1FAD 767 | 4119370F 1E2261AA A1318FD3 F4329816 071783C2 6E536A8D 768 | 9A81A601 E7EC80F1 ACC09948 F849A584 769 | 770 | (i=8) v[16] = 07E5B85A 069CC164 F9DE3141 A56F4680 9E440AD2 9AB659EA 771 | 3C84B971 21DBD9CF 46699F8C 765257EC AF1D998C 75E4C3B6 772 | 523878DC 30715015 397FEE81 4F1FA799 773 | 774 | (i=9) v[16] = 435148C4 A5AA2D11 4B354173 D543BC9E BDA2591C BF1D2569 775 | 4FCB3120 707ADA48 565B3FDE 32C9C916 EAF4A1AB B1018F28 776 | 8078D978 68ADE4B5 9778FDA3 2863B92E 777 | 778 | (i=10) v[16] = D9C994AA CFEC3AA6 700D0AB2 2C38670E AF6A1F66 1D023EF3 779 | 1D9EC27D 945357A5 3E9FFEBD 969FE811 EF485E21 A632797A 780 | DEEF082E AF3D80E1 4E86829B 4DEAFD3A 781 | 782 | h[8] = 8C5E8C50 E2147C32 A32BA7E1 2F45EB4E 208B4537 293AD69E 783 | 784 | 785 | 786 | Saarinen & Aumasson Informational [Page 14] 787 | 788 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 789 | 790 | 791 | 4C9B994D 82596786 792 | 793 | BLAKE2s-256("abc") = 50 8C 5E 8C 32 7C 14 E2 E1 A7 2B A3 4E EB 45 2F 794 | 37 45 8B 20 9E D6 3A 29 4D 99 9B 4C 86 67 59 82 795 | 796 | Appendix C. BLAKE2b Implementation C Source 797 | 798 | C.1. blake2b.h 799 | 800 | 801 | 802 | 803 | 804 | 805 | 806 | 807 | 808 | 809 | 810 | 811 | 812 | 813 | 814 | 815 | 816 | 817 | 818 | 819 | 820 | 821 | 822 | 823 | 824 | 825 | 826 | 827 | 828 | 829 | 830 | 831 | 832 | 833 | 834 | 835 | 836 | 837 | 838 | 839 | 840 | 841 | 842 | Saarinen & Aumasson Informational [Page 15] 843 | 844 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 845 | 846 | 847 | 848 | // blake2b.h 849 | // BLAKE2b Hashing Context and API Prototypes 850 | 851 | #ifndef BLAKE2B_H 852 | #define BLAKE2B_H 853 | 854 | #include 855 | #include 856 | 857 | // state context 858 | typedef struct { 859 | uint8_t b[128]; // input buffer 860 | uint64_t h[8]; // chained state 861 | uint64_t t[2]; // total number of bytes 862 | size_t c; // pointer for b[] 863 | size_t outlen; // digest size 864 | } blake2b_ctx; 865 | 866 | // Initialize the hashing context "ctx" with optional key "key". 867 | // 1 <= outlen <= 64 gives the digest size in bytes. 868 | // Secret key (also <= 64 bytes) is optional (keylen = 0). 869 | int blake2b_init(blake2b_ctx *ctx, size_t outlen, 870 | const void *key, size_t keylen); // secret key 871 | 872 | // Add "inlen" bytes from "in" into the hash. 873 | void blake2b_update(blake2b_ctx *ctx, // context 874 | const void *in, size_t inlen); // data to be hashed 875 | 876 | // Generate the message digest (size given in init). 877 | // Result placed in "out". 878 | void blake2b_final(blake2b_ctx *ctx, void *out); 879 | 880 | // All-in-one convenience function. 881 | int blake2b(void *out, size_t outlen, // return buffer for digest 882 | const void *key, size_t keylen, // optional secret key 883 | const void *in, size_t inlen); // data to be hashed 884 | 885 | #endif 886 | 887 | 888 | C.2. blake2b.c 889 | 890 | 891 | // blake2b.c 892 | // A simple BLAKE2b Reference Implementation. 893 | 894 | #include "blake2b.h" 895 | 896 | 897 | 898 | Saarinen & Aumasson Informational [Page 16] 899 | 900 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 901 | 902 | 903 | // Cyclic right rotation. 904 | 905 | #ifndef ROTR64 906 | #define ROTR64(x, y) (((x) >> (y)) ^ ((x) << (64 - (y)))) 907 | #endif 908 | 909 | // Little-endian byte access. 910 | 911 | #define B2B_GET64(p) \ 912 | (((uint64_t) ((uint8_t *) (p))[0]) ^ \ 913 | (((uint64_t) ((uint8_t *) (p))[1]) << 8) ^ \ 914 | (((uint64_t) ((uint8_t *) (p))[2]) << 16) ^ \ 915 | (((uint64_t) ((uint8_t *) (p))[3]) << 24) ^ \ 916 | (((uint64_t) ((uint8_t *) (p))[4]) << 32) ^ \ 917 | (((uint64_t) ((uint8_t *) (p))[5]) << 40) ^ \ 918 | (((uint64_t) ((uint8_t *) (p))[6]) << 48) ^ \ 919 | (((uint64_t) ((uint8_t *) (p))[7]) << 56)) 920 | 921 | // G Mixing function. 922 | 923 | #define B2B_G(a, b, c, d, x, y) { \ 924 | v[a] = v[a] + v[b] + x; \ 925 | v[d] = ROTR64(v[d] ^ v[a], 32); \ 926 | v[c] = v[c] + v[d]; \ 927 | v[b] = ROTR64(v[b] ^ v[c], 24); \ 928 | v[a] = v[a] + v[b] + y; \ 929 | v[d] = ROTR64(v[d] ^ v[a], 16); \ 930 | v[c] = v[c] + v[d]; \ 931 | v[b] = ROTR64(v[b] ^ v[c], 63); } 932 | 933 | // Initialization Vector. 934 | 935 | static const uint64_t blake2b_iv[8] = { 936 | 0x6A09E667F3BCC908, 0xBB67AE8584CAA73B, 937 | 0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1, 938 | 0x510E527FADE682D1, 0x9B05688C2B3E6C1F, 939 | 0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179 940 | }; 941 | 942 | // Compression function. "last" flag indicates last block. 943 | 944 | static void blake2b_compress(blake2b_ctx *ctx, int last) 945 | { 946 | const uint8_t sigma[12][16] = { 947 | { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, 948 | { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, 949 | { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, 950 | { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, 951 | 952 | 953 | 954 | Saarinen & Aumasson Informational [Page 17] 955 | 956 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 957 | 958 | 959 | { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, 960 | { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, 961 | { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, 962 | { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, 963 | { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, 964 | { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }, 965 | { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, 966 | { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } 967 | }; 968 | int i; 969 | uint64_t v[16], m[16]; 970 | 971 | for (i = 0; i < 8; i++) { // init work variables 972 | v[i] = ctx->h[i]; 973 | v[i + 8] = blake2b_iv[i]; 974 | } 975 | 976 | v[12] ^= ctx->t[0]; // low 64 bits of offset 977 | v[13] ^= ctx->t[1]; // high 64 bits 978 | if (last) // last block flag set ? 979 | v[14] = ~v[14]; 980 | 981 | for (i = 0; i < 16; i++) // get little-endian words 982 | m[i] = B2B_GET64(&ctx->b[8 * i]); 983 | 984 | for (i = 0; i < 12; i++) { // twelve rounds 985 | B2B_G( 0, 4, 8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]); 986 | B2B_G( 1, 5, 9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]); 987 | B2B_G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]); 988 | B2B_G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]); 989 | B2B_G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]); 990 | B2B_G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]); 991 | B2B_G( 2, 7, 8, 13, m[sigma[i][12]], m[sigma[i][13]]); 992 | B2B_G( 3, 4, 9, 14, m[sigma[i][14]], m[sigma[i][15]]); 993 | } 994 | 995 | for( i = 0; i < 8; ++i ) 996 | ctx->h[i] ^= v[i] ^ v[i + 8]; 997 | } 998 | 999 | // Initialize the hashing context "ctx" with optional key "key". 1000 | // 1 <= outlen <= 64 gives the digest size in bytes. 1001 | // Secret key (also <= 64 bytes) is optional (keylen = 0). 1002 | 1003 | int blake2b_init(blake2b_ctx *ctx, size_t outlen, 1004 | const void *key, size_t keylen) // (keylen=0: no key) 1005 | { 1006 | size_t i; 1007 | 1008 | 1009 | 1010 | Saarinen & Aumasson Informational [Page 18] 1011 | 1012 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 1013 | 1014 | 1015 | if (outlen == 0 || outlen > 64 || keylen > 64) 1016 | return -1; // illegal parameters 1017 | 1018 | for (i = 0; i < 8; i++) // state, "param block" 1019 | ctx->h[i] = blake2b_iv[i]; 1020 | ctx->h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen; 1021 | 1022 | ctx->t[0] = 0; // input count low word 1023 | ctx->t[1] = 0; // input count high word 1024 | ctx->c = 0; // pointer within buffer 1025 | ctx->outlen = outlen; 1026 | 1027 | for (i = keylen; i < 128; i++) // zero input block 1028 | ctx->b[i] = 0; 1029 | if (keylen > 0) { 1030 | blake2b_update(ctx, key, keylen); 1031 | ctx->c = 128; // at the end 1032 | } 1033 | 1034 | return 0; 1035 | } 1036 | 1037 | // Add "inlen" bytes from "in" into the hash. 1038 | 1039 | void blake2b_update(blake2b_ctx *ctx, 1040 | const void *in, size_t inlen) // data bytes 1041 | { 1042 | size_t i; 1043 | 1044 | for (i = 0; i < inlen; i++) { 1045 | if (ctx->c == 128) { // buffer full ? 1046 | ctx->t[0] += ctx->c; // add counters 1047 | if (ctx->t[0] < ctx->c) // carry overflow ? 1048 | ctx->t[1]++; // high word 1049 | blake2b_compress(ctx, 0); // compress (not last) 1050 | ctx->c = 0; // counter to zero 1051 | } 1052 | ctx->b[ctx->c++] = ((const uint8_t *) in)[i]; 1053 | } 1054 | } 1055 | 1056 | // Generate the message digest (size given in init). 1057 | // Result placed in "out". 1058 | 1059 | void blake2b_final(blake2b_ctx *ctx, void *out) 1060 | { 1061 | size_t i; 1062 | 1063 | 1064 | 1065 | 1066 | Saarinen & Aumasson Informational [Page 19] 1067 | 1068 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 1069 | 1070 | 1071 | ctx->t[0] += ctx->c; // mark last block offset 1072 | if (ctx->t[0] < ctx->c) // carry overflow 1073 | ctx->t[1]++; // high word 1074 | 1075 | while (ctx->c < 128) // fill up with zeros 1076 | ctx->b[ctx->c++] = 0; 1077 | blake2b_compress(ctx, 1); // final block flag = 1 1078 | 1079 | // little endian convert and store 1080 | for (i = 0; i < ctx->outlen; i++) { 1081 | ((uint8_t *) out)[i] = 1082 | (ctx->h[i >> 3] >> (8 * (i & 7))) & 0xFF; 1083 | } 1084 | } 1085 | 1086 | // Convenience function for all-in-one computation. 1087 | 1088 | int blake2b(void *out, size_t outlen, 1089 | const void *key, size_t keylen, 1090 | const void *in, size_t inlen) 1091 | { 1092 | blake2b_ctx ctx; 1093 | 1094 | if (blake2b_init(&ctx, outlen, key, keylen)) 1095 | return -1; 1096 | blake2b_update(&ctx, in, inlen); 1097 | blake2b_final(&ctx, out); 1098 | 1099 | return 0; 1100 | } 1101 | 1102 | 1103 | Appendix D. BLAKE2s Implementation C Source 1104 | 1105 | D.1. blake2s.h 1106 | 1107 | 1108 | 1109 | 1110 | 1111 | 1112 | 1113 | 1114 | 1115 | 1116 | 1117 | 1118 | 1119 | 1120 | 1121 | 1122 | Saarinen & Aumasson Informational [Page 20] 1123 | 1124 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 1125 | 1126 | 1127 | 1128 | // blake2s.h 1129 | // BLAKE2s Hashing Context and API Prototypes 1130 | 1131 | #ifndef BLAKE2S_H 1132 | #define BLAKE2S_H 1133 | 1134 | #include 1135 | #include 1136 | 1137 | // state context 1138 | typedef struct { 1139 | uint8_t b[64]; // input buffer 1140 | uint32_t h[8]; // chained state 1141 | uint32_t t[2]; // total number of bytes 1142 | size_t c; // pointer for b[] 1143 | size_t outlen; // digest size 1144 | } blake2s_ctx; 1145 | 1146 | // Initialize the hashing context "ctx" with optional key "key". 1147 | // 1 <= outlen <= 32 gives the digest size in bytes. 1148 | // Secret key (also <= 32 bytes) is optional (keylen = 0). 1149 | int blake2s_init(blake2s_ctx *ctx, size_t outlen, 1150 | const void *key, size_t keylen); // secret key 1151 | 1152 | // Add "inlen" bytes from "in" into the hash. 1153 | void blake2s_update(blake2s_ctx *ctx, // context 1154 | const void *in, size_t inlen); // data to be hashed 1155 | 1156 | // Generate the message digest (size given in init). 1157 | // Result placed in "out". 1158 | void blake2s_final(blake2s_ctx *ctx, void *out); 1159 | 1160 | // All-in-one convenience function. 1161 | int blake2s(void *out, size_t outlen, // return buffer for digest 1162 | const void *key, size_t keylen, // optional secret key 1163 | const void *in, size_t inlen); // data to be hashed 1164 | 1165 | #endif 1166 | 1167 | 1168 | D.2. blake2s.c 1169 | 1170 | 1171 | // blake2s.c 1172 | // A simple blake2s Reference Implementation. 1173 | 1174 | #include "blake2s.h" 1175 | 1176 | 1177 | 1178 | Saarinen & Aumasson Informational [Page 21] 1179 | 1180 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 1181 | 1182 | 1183 | // Cyclic right rotation. 1184 | 1185 | #ifndef ROTR32 1186 | #define ROTR32(x, y) (((x) >> (y)) ^ ((x) << (32 - (y)))) 1187 | #endif 1188 | 1189 | // Little-endian byte access. 1190 | 1191 | #define B2S_GET32(p) \ 1192 | (((uint32_t) ((uint8_t *) (p))[0]) ^ \ 1193 | (((uint32_t) ((uint8_t *) (p))[1]) << 8) ^ \ 1194 | (((uint32_t) ((uint8_t *) (p))[2]) << 16) ^ \ 1195 | (((uint32_t) ((uint8_t *) (p))[3]) << 24)) 1196 | 1197 | // Mixing function G. 1198 | 1199 | #define B2S_G(a, b, c, d, x, y) { \ 1200 | v[a] = v[a] + v[b] + x; \ 1201 | v[d] = ROTR32(v[d] ^ v[a], 16); \ 1202 | v[c] = v[c] + v[d]; \ 1203 | v[b] = ROTR32(v[b] ^ v[c], 12); \ 1204 | v[a] = v[a] + v[b] + y; \ 1205 | v[d] = ROTR32(v[d] ^ v[a], 8); \ 1206 | v[c] = v[c] + v[d]; \ 1207 | v[b] = ROTR32(v[b] ^ v[c], 7); } 1208 | 1209 | // Initialization Vector. 1210 | 1211 | static const uint32_t blake2s_iv[8] = 1212 | { 1213 | 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 1214 | 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19 1215 | }; 1216 | 1217 | // Compression function. "last" flag indicates last block. 1218 | 1219 | static void blake2s_compress(blake2s_ctx *ctx, int last) 1220 | { 1221 | const uint8_t sigma[10][16] = { 1222 | { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, 1223 | { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, 1224 | { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, 1225 | { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, 1226 | { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, 1227 | { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, 1228 | { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, 1229 | { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, 1230 | { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, 1231 | 1232 | 1233 | 1234 | Saarinen & Aumasson Informational [Page 22] 1235 | 1236 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 1237 | 1238 | 1239 | { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 } 1240 | }; 1241 | int i; 1242 | uint32_t v[16], m[16]; 1243 | 1244 | for (i = 0; i < 8; i++) { // init work variables 1245 | v[i] = ctx->h[i]; 1246 | v[i + 8] = blake2s_iv[i]; 1247 | } 1248 | 1249 | v[12] ^= ctx->t[0]; // low 32 bits of offset 1250 | v[13] ^= ctx->t[1]; // high 32 bits 1251 | if (last) // last block flag set ? 1252 | v[14] = ~v[14]; 1253 | 1254 | for (i = 0; i < 16; i++) // get little-endian words 1255 | m[i] = B2S_GET32(&ctx->b[4 * i]); 1256 | 1257 | for (i = 0; i < 10; i++) { // ten rounds 1258 | B2S_G( 0, 4, 8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]); 1259 | B2S_G( 1, 5, 9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]); 1260 | B2S_G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]); 1261 | B2S_G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]); 1262 | B2S_G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]); 1263 | B2S_G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]); 1264 | B2S_G( 2, 7, 8, 13, m[sigma[i][12]], m[sigma[i][13]]); 1265 | B2S_G( 3, 4, 9, 14, m[sigma[i][14]], m[sigma[i][15]]); 1266 | } 1267 | 1268 | for( i = 0; i < 8; ++i ) 1269 | ctx->h[i] ^= v[i] ^ v[i + 8]; 1270 | } 1271 | 1272 | // Initialize the hashing context "ctx" with optional key "key". 1273 | // 1 <= outlen <= 32 gives the digest size in bytes. 1274 | // Secret key (also <= 32 bytes) is optional (keylen = 0). 1275 | 1276 | int blake2s_init(blake2s_ctx *ctx, size_t outlen, 1277 | const void *key, size_t keylen) // (keylen=0: no key) 1278 | { 1279 | size_t i; 1280 | 1281 | if (outlen == 0 || outlen > 32 || keylen > 32) 1282 | return -1; // illegal parameters 1283 | 1284 | for (i = 0; i < 8; i++) // state, "param block" 1285 | ctx->h[i] = blake2s_iv[i]; 1286 | ctx->h[0] ^= 0x01010000 ^ (keylen << 8) ^ outlen; 1287 | 1288 | 1289 | 1290 | Saarinen & Aumasson Informational [Page 23] 1291 | 1292 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 1293 | 1294 | 1295 | ctx->t[0] = 0; // input count low word 1296 | ctx->t[1] = 0; // input count high word 1297 | ctx->c = 0; // pointer within buffer 1298 | ctx->outlen = outlen; 1299 | 1300 | for (i = keylen; i < 64; i++) // zero input block 1301 | ctx->b[i] = 0; 1302 | if (keylen > 0) { 1303 | blake2s_update(ctx, key, keylen); 1304 | ctx->c = 64; // at the end 1305 | } 1306 | 1307 | return 0; 1308 | } 1309 | 1310 | // Add "inlen" bytes from "in" into the hash. 1311 | 1312 | void blake2s_update(blake2s_ctx *ctx, 1313 | const void *in, size_t inlen) // data bytes 1314 | { 1315 | size_t i; 1316 | 1317 | for (i = 0; i < inlen; i++) { 1318 | if (ctx->c == 64) { // buffer full ? 1319 | ctx->t[0] += ctx->c; // add counters 1320 | if (ctx->t[0] < ctx->c) // carry overflow ? 1321 | ctx->t[1]++; // high word 1322 | blake2s_compress(ctx, 0); // compress (not last) 1323 | ctx->c = 0; // counter to zero 1324 | } 1325 | ctx->b[ctx->c++] = ((const uint8_t *) in)[i]; 1326 | } 1327 | } 1328 | 1329 | // Generate the message digest (size given in init). 1330 | // Result placed in "out". 1331 | 1332 | void blake2s_final(blake2s_ctx *ctx, void *out) 1333 | { 1334 | size_t i; 1335 | 1336 | ctx->t[0] += ctx->c; // mark last block offset 1337 | if (ctx->t[0] < ctx->c) // carry overflow 1338 | ctx->t[1]++; // high word 1339 | 1340 | while (ctx->c < 64) // fill up with zeros 1341 | ctx->b[ctx->c++] = 0; 1342 | blake2s_compress(ctx, 1); // final block flag = 1 1343 | 1344 | 1345 | 1346 | Saarinen & Aumasson Informational [Page 24] 1347 | 1348 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 1349 | 1350 | 1351 | // little endian convert and store 1352 | for (i = 0; i < ctx->outlen; i++) { 1353 | ((uint8_t *) out)[i] = 1354 | (ctx->h[i >> 2] >> (8 * (i & 3))) & 0xFF; 1355 | } 1356 | } 1357 | 1358 | // Convenience function for all-in-one computation. 1359 | 1360 | int blake2s(void *out, size_t outlen, 1361 | const void *key, size_t keylen, 1362 | const void *in, size_t inlen) 1363 | { 1364 | blake2s_ctx ctx; 1365 | 1366 | if (blake2s_init(&ctx, outlen, key, keylen)) 1367 | return -1; 1368 | blake2s_update(&ctx, in, inlen); 1369 | blake2s_final(&ctx, out); 1370 | 1371 | return 0; 1372 | } 1373 | 1374 | 1375 | Appendix E. BLAKE2b and BLAKE2s Self-Test Module C Source 1376 | 1377 | This module computes a series of keyed and unkeyed hashes from 1378 | deterministically generated pseudorandom data and computes a hash 1379 | over those results. This is a fairly exhaustive, yet compact and 1380 | fast method for verifying that the hashing module is functioning 1381 | correctly. 1382 | 1383 | Such testing is RECOMMENDED, especially when compiling the 1384 | implementation for a new a target platform configuration. 1385 | Furthermore, some security standards, such as FIPS-140, may require a 1386 | Power-On Self Test (POST) to be performed every time the 1387 | cryptographic module is loaded [FIPS140-2IG]. 1388 | 1389 | 1390 | // test_main.c 1391 | // Self test Modules for BLAKE2b and BLAKE2s -- and a stub main(). 1392 | 1393 | #include 1394 | 1395 | #include "blake2b.h" 1396 | #include "blake2s.h" 1397 | 1398 | // Deterministic sequences (Fibonacci generator). 1399 | 1400 | 1401 | 1402 | Saarinen & Aumasson Informational [Page 25] 1403 | 1404 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 1405 | 1406 | 1407 | static void selftest_seq(uint8_t *out, size_t len, uint32_t seed) 1408 | { 1409 | size_t i; 1410 | uint32_t t, a , b; 1411 | 1412 | a = 0xDEAD4BAD * seed; // prime 1413 | b = 1; 1414 | 1415 | for (i = 0; i < len; i++) { // fill the buf 1416 | t = a + b; 1417 | a = b; 1418 | b = t; 1419 | out[i] = (t >> 24) & 0xFF; 1420 | } 1421 | } 1422 | 1423 | // BLAKE2b self-test validation. Return 0 when OK. 1424 | 1425 | int blake2b_selftest() 1426 | { 1427 | // grand hash of hash results 1428 | const uint8_t blake2b_res[32] = { 1429 | 0xC2, 0x3A, 0x78, 0x00, 0xD9, 0x81, 0x23, 0xBD, 1430 | 0x10, 0xF5, 0x06, 0xC6, 0x1E, 0x29, 0xDA, 0x56, 1431 | 0x03, 0xD7, 0x63, 0xB8, 0xBB, 0xAD, 0x2E, 0x73, 1432 | 0x7F, 0x5E, 0x76, 0x5A, 0x7B, 0xCC, 0xD4, 0x75 1433 | }; 1434 | // parameter sets 1435 | const size_t b2b_md_len[4] = { 20, 32, 48, 64 }; 1436 | const size_t b2b_in_len[6] = { 0, 3, 128, 129, 255, 1024 }; 1437 | 1438 | size_t i, j, outlen, inlen; 1439 | uint8_t in[1024], md[64], key[64]; 1440 | blake2b_ctx ctx; 1441 | 1442 | // 256-bit hash for testing 1443 | if (blake2b_init(&ctx, 32, NULL, 0)) 1444 | return -1; 1445 | 1446 | for (i = 0; i < 4; i++) { 1447 | outlen = b2b_md_len[i]; 1448 | for (j = 0; j < 6; j++) { 1449 | inlen = b2b_in_len[j]; 1450 | 1451 | selftest_seq(in, inlen, inlen); // unkeyed hash 1452 | blake2b(md, outlen, NULL, 0, in, inlen); 1453 | blake2b_update(&ctx, md, outlen); // hash the hash 1454 | 1455 | 1456 | 1457 | 1458 | Saarinen & Aumasson Informational [Page 26] 1459 | 1460 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 1461 | 1462 | 1463 | selftest_seq(key, outlen, outlen); // keyed hash 1464 | blake2b(md, outlen, key, outlen, in, inlen); 1465 | blake2b_update(&ctx, md, outlen); // hash the hash 1466 | } 1467 | } 1468 | 1469 | // compute and compare the hash of hashes 1470 | blake2b_final(&ctx, md); 1471 | for (i = 0; i < 32; i++) { 1472 | if (md[i] != blake2b_res[i]) 1473 | return -1; 1474 | } 1475 | 1476 | return 0; 1477 | } 1478 | 1479 | // BLAKE2s self-test validation. Return 0 when OK. 1480 | 1481 | int blake2s_selftest() 1482 | { 1483 | // Grand hash of hash results. 1484 | const uint8_t blake2s_res[32] = { 1485 | 0x6A, 0x41, 0x1F, 0x08, 0xCE, 0x25, 0xAD, 0xCD, 1486 | 0xFB, 0x02, 0xAB, 0xA6, 0x41, 0x45, 0x1C, 0xEC, 1487 | 0x53, 0xC5, 0x98, 0xB2, 0x4F, 0x4F, 0xC7, 0x87, 1488 | 0xFB, 0xDC, 0x88, 0x79, 0x7F, 0x4C, 0x1D, 0xFE 1489 | }; 1490 | // Parameter sets. 1491 | const size_t b2s_md_len[4] = { 16, 20, 28, 32 }; 1492 | const size_t b2s_in_len[6] = { 0, 3, 64, 65, 255, 1024 }; 1493 | 1494 | size_t i, j, outlen, inlen; 1495 | uint8_t in[1024], md[32], key[32]; 1496 | blake2s_ctx ctx; 1497 | 1498 | // 256-bit hash for testing. 1499 | if (blake2s_init(&ctx, 32, NULL, 0)) 1500 | return -1; 1501 | 1502 | for (i = 0; i < 4; i++) { 1503 | outlen = b2s_md_len[i]; 1504 | for (j = 0; j < 6; j++) { 1505 | inlen = b2s_in_len[j]; 1506 | 1507 | selftest_seq(in, inlen, inlen); // unkeyed hash 1508 | blake2s(md, outlen, NULL, 0, in, inlen); 1509 | blake2s_update(&ctx, md, outlen); // hash the hash 1510 | 1511 | 1512 | 1513 | 1514 | Saarinen & Aumasson Informational [Page 27] 1515 | 1516 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 1517 | 1518 | 1519 | selftest_seq(key, outlen, outlen); // keyed hash 1520 | blake2s(md, outlen, key, outlen, in, inlen); 1521 | blake2s_update(&ctx, md, outlen); // hash the hash 1522 | } 1523 | } 1524 | 1525 | // Compute and compare the hash of hashes. 1526 | blake2s_final(&ctx, md); 1527 | for (i = 0; i < 32; i++) { 1528 | if (md[i] != blake2s_res[i]) 1529 | return -1; 1530 | } 1531 | 1532 | return 0; 1533 | } 1534 | 1535 | // Test driver. 1536 | 1537 | int main(int argc, char **argv) 1538 | { 1539 | printf("blake2b_selftest() = %s\n", 1540 | blake2b_selftest() ? "FAIL" : "OK"); 1541 | printf("blake2s_selftest() = %s\n", 1542 | blake2s_selftest() ? "FAIL" : "OK"); 1543 | 1544 | return 0; 1545 | } 1546 | 1547 | 1548 | 1549 | 1550 | 1551 | Acknowledgements 1552 | 1553 | The editor wishes to thank the [BLAKE2] team for their encouragement: 1554 | Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and 1555 | Christian Winnerlein. We have borrowed passages from [BLAKE] and 1556 | [BLAKE2] with permission. 1557 | 1558 | [BLAKE2] is based on the SHA-3 proposal [BLAKE], designed by Jean- 1559 | Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan. 1560 | BLAKE2, like BLAKE, relies on a core algorithm borrowed from the 1561 | ChaCha stream cipher, designed by Daniel J. Bernstein. 1562 | 1563 | 1564 | 1565 | 1566 | 1567 | 1568 | 1569 | 1570 | Saarinen & Aumasson Informational [Page 28] 1571 | 1572 | RFC 7693 BLAKE2 Crypto Hash and MAC November 2015 1573 | 1574 | 1575 | Authors' Addresses 1576 | 1577 | Markku-Juhani O. Saarinen (editor) 1578 | Queen's University Belfast 1579 | Centre for Secure Information Technologies, ECIT 1580 | Northern Ireland Science Park 1581 | Queen's Road, Queen's Island 1582 | Belfast BT3 9DT 1583 | United Kingdom 1584 | 1585 | Email: m.saarinen@qub.ac.uk 1586 | URI: http://www.csit.qub.ac.uk 1587 | 1588 | 1589 | Jean-Philippe Aumasson 1590 | Kudelski Security 1591 | 22-24, Route de Geneve 1592 | Case Postale 134 1593 | Cheseaux 1033 1594 | Switzerland 1595 | 1596 | Email: jean-philippe.aumasson@nagra.com 1597 | URI: https://www.kudelskisecurity.com 1598 | 1599 | 1600 | 1601 | 1602 | 1603 | 1604 | 1605 | 1606 | 1607 | 1608 | 1609 | 1610 | 1611 | 1612 | 1613 | 1614 | 1615 | 1616 | 1617 | 1618 | 1619 | 1620 | 1621 | 1622 | 1623 | 1624 | 1625 | 1626 | Saarinen & Aumasson Informational [Page 29] 1627 | --------------------------------------------------------------------------------