summary refs log tree commit diff
path: root/crypto/src
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/src')
-rw-r--r--crypto/src/asn1/misc/MiscObjectIdentifiers.cs9
-rw-r--r--crypto/src/asn1/ua/UAObjectIdentifiers.cs107
-rw-r--r--crypto/src/crypto/digests/Blake2bDigest.cs531
-rw-r--r--crypto/src/crypto/digests/Blake2sDigest.cs552
-rw-r--r--crypto/src/security/DigestUtilities.cs111
5 files changed, 1282 insertions, 28 deletions
diff --git a/crypto/src/asn1/misc/MiscObjectIdentifiers.cs b/crypto/src/asn1/misc/MiscObjectIdentifiers.cs
index 8128b6952..d344393dd 100644
--- a/crypto/src/asn1/misc/MiscObjectIdentifiers.cs
+++ b/crypto/src/asn1/misc/MiscObjectIdentifiers.cs
@@ -75,5 +75,14 @@ namespace Org.BouncyCastle.Asn1.Misc
         public static readonly DerObjectIdentifier id_blake2b256 = blake2.Branch("1.8");
         public static readonly DerObjectIdentifier id_blake2b384 = blake2.Branch("1.12");
         public static readonly DerObjectIdentifier id_blake2b512 = blake2.Branch("1.16");
+
+        public static readonly DerObjectIdentifier id_blake2s128 = blake2.Branch("2.4");
+        public static readonly DerObjectIdentifier id_blake2s160 = blake2.Branch("2.5");
+        public static readonly DerObjectIdentifier id_blake2s224 = blake2.Branch("2.7");
+        public static readonly DerObjectIdentifier id_blake2s256 = blake2.Branch("2.8");
+
+        //
+        // Scrypt
+        public static readonly DerObjectIdentifier id_scrypt = new DerObjectIdentifier("1.3.6.1.4.1.11591.4.11");
     }
 }
diff --git a/crypto/src/asn1/ua/UAObjectIdentifiers.cs b/crypto/src/asn1/ua/UAObjectIdentifiers.cs
new file mode 100644
index 000000000..9beca3af5
--- /dev/null
+++ b/crypto/src/asn1/ua/UAObjectIdentifiers.cs
@@ -0,0 +1,107 @@
+namespace Org.BouncyCastle.Asn1.UA
+{
+    /**
+     * Ukrainian object identifiers
+     * <p>
+     * {iso(1) member-body(2) Ukraine(804) root(2) security(1) cryptography(1) pki(1)}
+     * <p>
+     * { ...  pki-alg(1) pki-alg-sym(3) Dstu4145WithGost34311(1) PB(1)}
+     * <p>
+     * DSTU4145 in polynomial basis has 2 oids, one for little-endian representation and one for big-endian
+     */
+    public abstract class UAObjectIdentifiers
+    {
+        /** Base OID: 1.2.804.2.1.1.1 */
+        public static readonly DerObjectIdentifier UaOid = new DerObjectIdentifier("1.2.804.2.1.1.1");
+
+        /** DSTU4145 Little Endian presentation.  OID: 1.2.804.2.1.1.1.1.3.1.1 */
+        public static readonly DerObjectIdentifier dstu4145le = UaOid.Branch("1.3.1.1");
+        /** DSTU4145 Big Endian presentation.  OID: 1.2.804.2.1.1.1.1.3.1.1.1 */
+        public static readonly DerObjectIdentifier dstu4145be = UaOid.Branch("1.3.1.1.1.1");
+    
+        /** DSTU7564 256-bit digest presentation. */
+        public static readonly DerObjectIdentifier dstu7564digest_256 = UaOid.Branch("1.2.2.1");
+        /** DSTU7564 384-bit digest presentation. */
+        public static readonly DerObjectIdentifier dstu7564digest_384 = UaOid.Branch("1.2.2.2");
+        /** DSTU7564 512-bit digest presentation. */
+        public static readonly DerObjectIdentifier dstu7564digest_512 = UaOid.Branch("1.2.2.3");
+
+        /** DSTU7564 256-bit mac presentation. */
+        public static readonly DerObjectIdentifier dstu7564mac_256 = UaOid.Branch("1.2.2.4");
+        /** DSTU7564 384-bit mac presentation. */
+        public static readonly DerObjectIdentifier dstu7564mac_384 = UaOid.Branch("1.2.2.5");
+        /** DSTU7564 512-bit mac presentation. */
+        public static readonly DerObjectIdentifier dstu7564mac_512 = UaOid.Branch("1.2.2.6");
+
+
+        /** DSTU7624 in ECB mode with 128 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624ecb_128 = UaOid.Branch("1.1.3.1.1");
+        /** DSTU7624 in ECB mode with 256 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624ecb_256 = UaOid.Branch("1.1.3.1.2");
+        /** DSTU7624 in ECB mode with 512 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624ecb_512 = UaOid.Branch("1.1.3.1.3");
+
+        /** DSTU7624 in CTR mode with 128 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624ctr_128 = UaOid.Branch("1.1.3.2.1");
+        /** DSTU7624 in CTR mode with 256 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624ctr_256 = UaOid.Branch("1.1.3.2.2");
+        /** DSTU7624 in CTR mode with 512 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624ctr_512 = UaOid.Branch("1.1.3.2.3");
+
+        /** DSTU7624 in CFB mode with 128 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624cfb_128 = UaOid.Branch("1.1.3.3.1");
+        /** DSTU7624 in CFB mode with 256 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624cfb_256 = UaOid.Branch("1.1.3.3.2");
+        /** DSTU7624 in CFB mode with 512 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624cfb_512 = UaOid.Branch("1.1.3.3.3");
+
+        /** DSTU7624 in MAC mode with 128 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624cmac_128 = UaOid.Branch("1.1.3.4.1");
+        /** DSTU7624 in MAC mode with 256 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624cmac_256 = UaOid.Branch("1.1.3.4.2");
+        /** DSTU7624 in MAC mode with 512 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624cmac_512 = UaOid.Branch("1.1.3.4.3");
+
+        /** DSTU7624 in CBC mode with 128 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624cbc_128 = UaOid.Branch("1.1.3.5.1");
+        /** DSTU7624 in CBC mode with 256 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624cbc_256 = UaOid.Branch("1.1.3.5.2");
+        /** DSTU7624 in CBC mode with 512 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624cbc_512 = UaOid.Branch("1.1.3.5.3");
+
+        /** DSTU7624 in OFB mode with 128 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624ofb_128 = UaOid.Branch("1.1.3.6.1");
+        /** DSTU7624 in OFB mode with 256 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624ofb_256 = UaOid.Branch("1.1.3.6.2");
+        /** DSTU7624 in OFB mode with 512 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624ofb_512 = UaOid.Branch("1.1.3.6.3");
+
+        /** DSTU7624 in GMAC (GCM witout encryption) mode with 128 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624gmac_128 = UaOid.Branch("1.1.3.7.1");
+        /** DSTU7624 in GMAC (GCM witout encryption) mode with 256 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624gmac_256 = UaOid.Branch("1.1.3.7.2");
+        /** DSTU7624 in GMAC (GCM witout encryption) mode with 512 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624gmac_512 = UaOid.Branch("1.1.3.7.3");
+
+        /** DSTU7624 in CCM mode with 128 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624ccm_128 = UaOid.Branch("1.1.3.8.1");
+        /** DSTU7624 in CCM mode with 256 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624ccm_256 = UaOid.Branch("1.1.3.8.2");
+        /** DSTU7624 in CCM mode with 512 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624ccm_512 = UaOid.Branch("1.1.3.8.3");
+
+        /** DSTU7624 in XTS mode with 128 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624xts_128 = UaOid.Branch("1.1.3.9.1");
+        /** DSTU7624 in XTS mode with 256 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624xts_256 = UaOid.Branch("1.1.3.9.2");
+        /** DSTU7624 in XTS mode with 512 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624xts_512 = UaOid.Branch("1.1.3.9.3");
+
+        /** DSTU7624 in key wrap (KW) mode with 128 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624kw_128 = UaOid.Branch("1.1.3.10.1");
+        /** DSTU7624 in key wrap (KW) mode with 256 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624kw_256 = UaOid.Branch("1.1.3.10.2");
+        /** DSTU7624 in key wrap (KW) mode with 512 bit block/key presentation */
+        public static readonly DerObjectIdentifier dstu7624kw_512 = UaOid.Branch("1.1.3.10.3");
+    }
+}
diff --git a/crypto/src/crypto/digests/Blake2bDigest.cs b/crypto/src/crypto/digests/Blake2bDigest.cs
new file mode 100644
index 000000000..b8e4f272e
--- /dev/null
+++ b/crypto/src/crypto/digests/Blake2bDigest.cs
@@ -0,0 +1,531 @@
+using System;
+
+using Org.BouncyCastle.Crypto.Utilities;
+using Org.BouncyCastle.Utilities;
+
+namespace Org.BouncyCastle.Crypto.Digests
+{
+    /*  The BLAKE2 cryptographic hash function was designed by Jean-
+     Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian
+     Winnerlein.
+   
+     Reference Implementation and Description can be found at: https://blake2.net/      
+     Internet Draft: https://tools.ietf.org/html/draft-saarinen-blake2-02
+
+     This implementation does not support the Tree Hashing Mode. 
+ 
+       For unkeyed hashing, developers adapting BLAKE2 to ASN.1 - based
+       message formats SHOULD use the OID tree at x = 1.3.6.1.4.1.1722.12.2.
+
+             Algorithm     | Target | Collision | Hash | Hash ASN.1 |
+                Identifier |  Arch  |  Security |  nn  | OID Suffix |
+            ---------------+--------+-----------+------+------------+
+             id-blake2b160 | 64-bit |   2**80   |  20  |   x.1.20   |
+             id-blake2b256 | 64-bit |   2**128  |  32  |   x.1.32   |
+             id-blake2b384 | 64-bit |   2**192  |  48  |   x.1.48   |
+             id-blake2b512 | 64-bit |   2**256  |  64  |   x.1.64   |
+            ---------------+--------+-----------+------+------------+
+     */
+
+    /**
+     * Implementation of the cryptographic hash function Blakbe2b.
+     * <p>
+     * Blake2b offers a built-in keying mechanism to be used directly
+     * for authentication ("Prefix-MAC") rather than a HMAC construction.
+     * <p>
+     * Blake2b offers a built-in support for a salt for randomized hashing
+     * and a personal string for defining a unique hash function for each application.
+     * <p>
+     * BLAKE2b is optimized for 64-bit platforms and produces digests of any size
+     * between 1 and 64 bytes.
+     */
+    public class Blake2bDigest
+        : IDigest
+    {
+        // Blake2b Initialization Vector:
+        private static readonly ulong[] blake2b_IV =
+            // Produced from the square root of primes 2, 3, 5, 7, 11, 13, 17, 19.
+            // The same as SHA-512 IV.
+            {
+                0x6a09e667f3bcc908UL, 0xbb67ae8584caa73bUL, 0x3c6ef372fe94f82bUL,
+                0xa54ff53a5f1d36f1UL, 0x510e527fade682d1UL, 0x9b05688c2b3e6c1fUL,
+                0x1f83d9abfb41bd6bUL, 0x5be0cd19137e2179UL
+            };
+
+        // Message word permutations:
+        private static readonly byte[,] blake2b_sigma =
+        {
+            { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
+            { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
+            { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
+            { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
+            { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
+            { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
+            { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
+            { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
+            { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
+            { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
+            { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
+            { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
+        };
+
+        private const int ROUNDS = 12; // to use for Catenas H'
+        private const int BLOCK_LENGTH_BYTES = 128;// bytes
+
+        // General parameters:
+        private int digestLength = 64; // 1- 64 bytes
+        private int keyLength = 0; // 0 - 64 bytes for keyed hashing for MAC
+        private byte[] salt = null;// new byte[16];
+        private byte[] personalization = null;// new byte[16];
+
+        // the key
+        private byte[] key = null;
+
+        // Tree hashing parameters:
+        // Because this class does not implement the Tree Hashing Mode,
+        // these parameters can be treated as constants (see init() function)
+	    /*
+	     * private int fanout = 1; // 0-255 private int depth = 1; // 1 - 255
+	     * private int leafLength= 0; private long nodeOffset = 0L; private int
+	     * nodeDepth = 0; private int innerHashLength = 0;
+	     */
+
+        // whenever this buffer overflows, it will be processed
+        // in the Compress() function.
+        // For performance issues, long messages will not use this buffer.
+        private byte[] buffer = null;// new byte[BLOCK_LENGTH_BYTES];
+        // Position of last inserted byte:
+        private int bufferPos = 0;// a value from 0 up to 128
+
+        private ulong[] internalState = new ulong[16]; // In the Blake2b paper it is
+        // called: v
+        private ulong[] chainValue = null; // state vector, in the Blake2b paper it
+        // is called: h
+
+        private ulong t0 = 0UL; // holds last significant bits, counter (counts bytes)
+        private ulong t1 = 0UL; // counter: Length up to 2^128 are supported
+        private ulong f0 = 0UL; // finalization flag, for last block: ~0L
+
+        // For Tree Hashing Mode, not used here:
+        // private long f1 = 0L; // finalization flag, for last node: ~0L
+
+        public Blake2bDigest()
+            : this(512)
+        {
+        }
+
+        public Blake2bDigest(Blake2bDigest digest)
+        {
+            this.bufferPos = digest.bufferPos;
+            this.buffer = Arrays.Clone(digest.buffer);
+            this.keyLength = digest.keyLength;
+            this.key = Arrays.Clone(digest.key);
+            this.digestLength = digest.digestLength;
+            this.chainValue = Arrays.Clone(digest.chainValue);
+            this.personalization = Arrays.Clone(digest.personalization);
+            this.salt = Arrays.Clone(digest.salt);
+            this.t0 = digest.t0;
+            this.t1 = digest.t1;
+            this.f0 = digest.f0;
+        }
+
+        /**
+         * Basic sized constructor - size in bits.
+         *
+         * @param digestSize size of the digest in bits
+         */
+        public Blake2bDigest(int digestSize)
+        {
+            if (digestSize != 160 && digestSize != 256 && digestSize != 384 && digestSize != 512)
+                throw new ArgumentException("BLAKE2b digest restricted to one of [160, 256, 384, 512]");
+
+            buffer = new byte[BLOCK_LENGTH_BYTES];
+            keyLength = 0;
+            this.digestLength = digestSize / 8;
+            Init();
+        }
+
+        /**
+         * Blake2b for authentication ("Prefix-MAC mode").
+         * After calling the doFinal() method, the key will
+         * remain to be used for further computations of
+         * this instance.
+         * The key can be overwritten using the clearKey() method.
+         *
+         * @param key A key up to 64 bytes or null
+         */
+        public Blake2bDigest(byte[] key)
+        {
+            buffer = new byte[BLOCK_LENGTH_BYTES];
+            if (key != null)
+            {
+                this.key = new byte[key.Length];
+                Array.Copy(key, 0, this.key, 0, key.Length);
+
+                if (key.Length > 64)
+                    throw new ArgumentException("Keys > 64 are not supported");
+
+                keyLength = key.Length;
+                Array.Copy(key, 0, buffer, 0, key.Length);
+                bufferPos = BLOCK_LENGTH_BYTES; // zero padding
+            }
+            digestLength = 64;
+            Init();
+        }
+
+        /**
+         * Blake2b with key, required digest length (in bytes), salt and personalization.
+         * After calling the doFinal() method, the key, the salt and the personal string
+         * will remain and might be used for further computations with this instance.
+         * The key can be overwritten using the clearKey() method, the salt (pepper)
+         * can be overwritten using the clearSalt() method.
+         *
+         * @param key             A key up to 64 bytes or null
+         * @param digestLength    from 1 up to 64 bytes
+         * @param salt            16 bytes or null
+         * @param personalization 16 bytes or null
+         */
+        public Blake2bDigest(byte[] key, int digestLength, byte[] salt, byte[] personalization)
+        {
+            if (digestLength < 1 || digestLength > 64)
+                throw new ArgumentException("Invalid digest length (required: 1 - 64)");
+
+            this.digestLength = digestLength;
+            this.buffer = new byte[BLOCK_LENGTH_BYTES];
+
+            if (salt != null)
+            {
+                if (salt.Length != 16)
+                    throw new ArgumentException("salt length must be exactly 16 bytes");
+
+                this.salt = new byte[16];
+                Array.Copy(salt, 0, this.salt, 0, salt.Length);
+            }
+            if (personalization != null)
+            {
+                if (personalization.Length != 16)
+                    throw new ArgumentException("personalization length must be exactly 16 bytes");
+
+                this.personalization = new byte[16];
+                Array.Copy(personalization, 0, this.personalization, 0, personalization.Length);
+            }
+            if (key != null)
+            {
+                if (key.Length > 64)
+                    throw new ArgumentException("Keys > 64 are not supported");
+
+                this.key = new byte[key.Length];
+                Array.Copy(key, 0, this.key, 0, key.Length);
+
+                keyLength = key.Length;
+                Array.Copy(key, 0, buffer, 0, key.Length);
+                bufferPos = BLOCK_LENGTH_BYTES; // zero padding
+            }
+            Init();
+        }
+
+        // initialize chainValue
+        private void Init()
+        {
+            if (chainValue == null)
+            {
+                chainValue = new ulong[8];
+
+                chainValue[0] = blake2b_IV[0] ^ (ulong)(digestLength | (keyLength << 8) | 0x1010000);
+
+                // 0x1010000 = ((fanout << 16) | (depth << 24) | (leafLength <<
+                // 32));
+                // with fanout = 1; depth = 0; leafLength = 0;
+                chainValue[1] = blake2b_IV[1];// ^ nodeOffset; with nodeOffset = 0;
+                chainValue[2] = blake2b_IV[2];// ^ ( nodeDepth | (innerHashLength << 8) );
+                // with nodeDepth = 0; innerHashLength = 0;
+
+                chainValue[3] = blake2b_IV[3];
+
+                chainValue[4] = blake2b_IV[4];
+                chainValue[5] = blake2b_IV[5];
+                if (salt != null)
+                {
+                    chainValue[4] ^= Pack.LE_To_UInt64(salt, 0);
+                    chainValue[5] ^= Pack.LE_To_UInt64(salt, 8);
+                }
+
+                chainValue[6] = blake2b_IV[6];
+                chainValue[7] = blake2b_IV[7];
+                if (personalization != null)
+                {
+                    chainValue[6] ^= Pack.LE_To_UInt64(personalization, 0);
+                    chainValue[7] ^= Pack.LE_To_UInt64(personalization, 8);
+                }
+            }
+        }
+
+        private void InitializeInternalState()
+        {
+            // initialize v:
+            Array.Copy(chainValue, 0, internalState, 0, chainValue.Length);
+            Array.Copy(blake2b_IV, 0, internalState, chainValue.Length, 4);
+            internalState[12] = t0 ^ blake2b_IV[4];
+            internalState[13] = t1 ^ blake2b_IV[5];
+            internalState[14] = f0 ^ blake2b_IV[6];
+            internalState[15] = blake2b_IV[7];// ^ f1 with f1 = 0
+        }
+
+        /**
+         * update the message digest with a single byte.
+         *
+         * @param b the input byte to be entered.
+         */
+        public virtual void Update(byte b)
+        {
+            int remainingLength = 0; // left bytes of buffer
+
+            // process the buffer if full else add to buffer:
+            remainingLength = BLOCK_LENGTH_BYTES - bufferPos;
+            if (remainingLength == 0)
+            { // full buffer
+                t0 += BLOCK_LENGTH_BYTES;
+                if (t0 == 0)
+                { // if message > 2^64
+                    t1++;
+                }
+                Compress(buffer, 0);
+                Array.Clear(buffer, 0, buffer.Length);// clear buffer
+                buffer[0] = b;
+                bufferPos = 1;
+            }
+            else
+            {
+                buffer[bufferPos] = b;
+                bufferPos++;
+                return;
+            }
+        }
+
+        /**
+         * update the message digest with a block of bytes.
+         *
+         * @param message the byte array containing the data.
+         * @param offset  the offset into the byte array where the data starts.
+         * @param len     the length of the data.
+         */
+        public virtual void BlockUpdate(byte[] message, int offset, int len)
+        {
+            if (message == null || len == 0)
+                return;
+
+            int remainingLength = 0; // left bytes of buffer
+
+            if (bufferPos != 0)
+            { // commenced, incomplete buffer
+
+                // complete the buffer:
+                remainingLength = BLOCK_LENGTH_BYTES - bufferPos;
+                if (remainingLength < len)
+                { // full buffer + at least 1 byte
+                    Array.Copy(message, offset, buffer, bufferPos,
+                        remainingLength);
+                    t0 += BLOCK_LENGTH_BYTES;
+                    if (t0 == 0)
+                    { // if message > 2^64
+                        t1++;
+                    }
+                    Compress(buffer, 0);
+                    bufferPos = 0;
+                    Array.Clear(buffer, 0, buffer.Length);// clear buffer
+                }
+                else
+                {
+                    Array.Copy(message, offset, buffer, bufferPos, len);
+                    bufferPos += len;
+                    return;
+                }
+            }
+
+            // process blocks except last block (also if last block is full)
+            int messagePos;
+            int blockWiseLastPos = offset + len - BLOCK_LENGTH_BYTES;
+            for (messagePos = offset + remainingLength; messagePos < blockWiseLastPos; messagePos += BLOCK_LENGTH_BYTES)
+            { // block wise 128 bytes
+                // without buffer:
+                t0 += BLOCK_LENGTH_BYTES;
+                if (t0 == 0)
+                {
+                    t1++;
+                }
+                Compress(message, messagePos);
+            }
+
+            // fill the buffer with left bytes, this might be a full block
+            Array.Copy(message, messagePos, buffer, 0, offset + len
+                - messagePos);
+            bufferPos += offset + len - messagePos;
+        }
+
+        /**
+         * close the digest, producing the final digest value. The doFinal
+         * call leaves the digest reset.
+         * Key, salt and personal string remain.
+         *
+         * @param out       the array the digest is to be copied into.
+         * @param outOffset the offset into the out array the digest is to start at.
+         */
+        public virtual int DoFinal(byte[] output, int outOffset)
+        {
+            f0 = 0xFFFFFFFFFFFFFFFFUL;
+            t0 += (ulong)bufferPos;
+            if (bufferPos > 0 && t0 == 0)
+            {
+                t1++;
+            }
+            Compress(buffer, 0);
+            Array.Clear(buffer, 0, buffer.Length);// Holds eventually the key if input is null
+            Array.Clear(internalState, 0, internalState.Length);
+
+            for (int i = 0; i < chainValue.Length && (i * 8 < digestLength); i++)
+            {
+                byte[] bytes = Pack.UInt64_To_LE(chainValue[i]);
+
+                if (i * 8 < digestLength - 8)
+                {
+                    Array.Copy(bytes, 0, output, outOffset + i * 8, 8);
+                }
+                else
+                {
+                    Array.Copy(bytes, 0, output, outOffset + i * 8, digestLength - (i * 8));
+                }
+            }
+
+            Array.Clear(chainValue, 0, chainValue.Length);
+
+            Reset();
+
+            return digestLength;
+        }
+
+        /**
+         * Reset the digest back to it's initial state.
+         * The key, the salt and the personal string will
+         * remain for further computations.
+         */
+        public virtual void Reset()
+        {
+            bufferPos = 0;
+            f0 = 0L;
+            t0 = 0L;
+            t1 = 0L;
+            chainValue = null;
+            Array.Clear(buffer, 0, buffer.Length);
+            if (key != null)
+            {
+                Array.Copy(key, 0, buffer, 0, key.Length);
+                bufferPos = BLOCK_LENGTH_BYTES; // zero padding
+            }
+            Init();
+        }
+
+        private void Compress(byte[] message, int messagePos)
+        {
+            InitializeInternalState();
+
+            ulong[] m = new ulong[16];
+            for (int j = 0; j < 16; j++)
+            {
+                m[j] = Pack.LE_To_UInt64(message, messagePos + j * 8);
+            }
+
+            for (int round = 0; round < ROUNDS; round++)
+            {
+                // G apply to columns of internalState:m[blake2b_sigma[round][2 * blockPos]] /+1
+                G(m[blake2b_sigma[round,0]], m[blake2b_sigma[round,1]], 0, 4, 8, 12);
+                G(m[blake2b_sigma[round,2]], m[blake2b_sigma[round,3]], 1, 5, 9, 13);
+                G(m[blake2b_sigma[round,4]], m[blake2b_sigma[round,5]], 2, 6, 10, 14);
+                G(m[blake2b_sigma[round,6]], m[blake2b_sigma[round,7]], 3, 7, 11, 15);
+                // G apply to diagonals of internalState:
+                G(m[blake2b_sigma[round,8]], m[blake2b_sigma[round,9]], 0, 5, 10, 15);
+                G(m[blake2b_sigma[round,10]], m[blake2b_sigma[round,11]], 1, 6, 11, 12);
+                G(m[blake2b_sigma[round,12]], m[blake2b_sigma[round,13]], 2, 7, 8, 13);
+                G(m[blake2b_sigma[round,14]], m[blake2b_sigma[round,15]], 3, 4, 9, 14);
+            }
+
+            // update chain values:
+            for (int offset = 0; offset < chainValue.Length; offset++)
+            {
+                chainValue[offset] = chainValue[offset] ^ internalState[offset] ^ internalState[offset + 8];
+            }
+        }
+
+        private void G(ulong m1, ulong m2, int posA, int posB, int posC, int posD)
+        {
+            internalState[posA] = internalState[posA] + internalState[posB] + m1;
+            internalState[posD] = Rotr64(internalState[posD] ^ internalState[posA], 32);
+            internalState[posC] = internalState[posC] + internalState[posD];
+            internalState[posB] = Rotr64(internalState[posB] ^ internalState[posC], 24); // replaces 25 of BLAKE
+            internalState[posA] = internalState[posA] + internalState[posB] + m2;
+            internalState[posD] = Rotr64(internalState[posD] ^ internalState[posA], 16);
+            internalState[posC] = internalState[posC] + internalState[posD];
+            internalState[posB] = Rotr64(internalState[posB] ^ internalState[posC], 63); // replaces 11 of BLAKE
+        }
+
+        private static ulong Rotr64(ulong x, int rot)
+        {
+            return x >> rot | x << -rot;
+        }
+
+        /**
+         * return the algorithm name
+         *
+         * @return the algorithm name
+         */
+        public virtual string AlgorithmName
+        {
+            get { return "BLAKE2b"; }
+        }
+
+        /**
+         * return the size, in bytes, of the digest produced by this message digest.
+         *
+         * @return the size, in bytes, of the digest produced by this message digest.
+         */
+        public virtual int GetDigestSize()
+        {
+            return digestLength;
+        }
+
+        /**
+         * Return the size in bytes of the internal buffer the digest applies it's compression
+         * function to.
+         *
+         * @return byte length of the digests internal buffer.
+         */
+        public virtual int GetByteLength()
+        {
+            return BLOCK_LENGTH_BYTES;
+        }
+
+        /**
+         * Overwrite the key
+         * if it is no longer used (zeroization)
+         */
+        public virtual void ClearKey()
+        {
+            if (key != null)
+            {
+                Array.Clear(key, 0, key.Length);
+                Array.Clear(buffer, 0, buffer.Length);
+            }
+        }
+
+        /**
+         * Overwrite the salt (pepper) if it
+         * is secret and no longer used (zeroization)
+         */
+        public virtual void ClearSalt()
+        {
+            if (salt != null)
+            {
+                Array.Clear(salt, 0, salt.Length);
+            }
+        }
+    }
+}
diff --git a/crypto/src/crypto/digests/Blake2sDigest.cs b/crypto/src/crypto/digests/Blake2sDigest.cs
new file mode 100644
index 000000000..f31032874
--- /dev/null
+++ b/crypto/src/crypto/digests/Blake2sDigest.cs
@@ -0,0 +1,552 @@
+using System;
+
+using Org.BouncyCastle.Crypto.Utilities;
+using Org.BouncyCastle.Utilities;
+
+namespace Org.BouncyCastle.Crypto.Digests
+{
+    /*
+      The BLAKE2 cryptographic hash function was designed by Jean-
+      Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian
+      Winnerlein.
+
+      Reference Implementation and Description can be found at: https://blake2.net/
+      RFC: https://tools.ietf.org/html/rfc7693
+
+      This implementation does not support the Tree Hashing Mode.
+
+      For unkeyed hashing, developers adapting BLAKE2 to ASN.1 - based
+      message formats SHOULD use the OID tree at x = 1.3.6.1.4.1.1722.12.2.
+
+             Algorithm     | Target | Collision | Hash | Hash ASN.1 |
+                Identifier |  Arch  |  Security |  nn  | OID Suffix |
+            ---------------+--------+-----------+------+------------+
+             id-blake2s128 | 32-bit |   2**64   |  16  |   x.2.4    |
+             id-blake2s160 | 32-bit |   2**80   |  20  |   x.2.5    |
+             id-blake2s224 | 32-bit |   2**112  |  28  |   x.2.7    |
+             id-blake2s256 | 32-bit |   2**128  |  32  |   x.2.8    |
+            ---------------+--------+-----------+------+------------+
+     */
+
+    /**
+     * Implementation of the cryptographic hash function BLAKE2s.
+     * <p/>
+     * BLAKE2s offers a built-in keying mechanism to be used directly
+     * for authentication ("Prefix-MAC") rather than a HMAC construction.
+     * <p/>
+     * BLAKE2s offers a built-in support for a salt for randomized hashing
+     * and a personal string for defining a unique hash function for each application.
+     * <p/>
+     * BLAKE2s is optimized for 32-bit platforms and produces digests of any size
+     * between 1 and 32 bytes.
+     */
+    public class Blake2sDigest
+        : IDigest
+    {
+        /**
+         * BLAKE2s Initialization Vector
+         **/
+        private static readonly uint[] blake2s_IV =
+            // Produced from the square root of primes 2, 3, 5, 7, 11, 13, 17, 19.
+            // The same as SHA-256 IV.
+            {
+                0x6a09e667, 0xbb67ae85, 0x3c6ef372,
+                0xa54ff53a, 0x510e527f, 0x9b05688c,
+                0x1f83d9ab, 0x5be0cd19
+            };
+
+        /**
+         * Message word permutations
+         **/
+        private static readonly byte[,] blake2s_sigma =
+            {
+                { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
+                { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
+                { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
+                { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
+                { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
+                { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
+                { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
+                { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
+                { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
+                { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }
+            };
+
+        private const int ROUNDS = 10; // to use for Catenas H'
+        private const int BLOCK_LENGTH_BYTES = 64;// bytes
+
+        // General parameters:
+        private int digestLength = 32; // 1- 32 bytes
+        private int keyLength = 0; // 0 - 32 bytes for keyed hashing for MAC
+        private byte[] salt = null;
+        private byte[] personalization = null;
+        private byte[] key = null;
+
+        // Tree hashing parameters:
+        // Because this class does not implement the Tree Hashing Mode,
+        // these parameters can be treated as constants (see Init() function)
+	    /*
+	     * private int fanout = 1; // 0-255
+	     * private int depth = 1; // 1 - 255
+	     * private int leafLength= 0;
+	     * private long nodeOffset = 0L;
+	     * private int nodeDepth = 0;
+	     * private int innerHashLength = 0;
+	     */
+
+        /**
+         * Whenever this buffer overflows, it will be processed in the Compress()
+         * function. For performance issues, long messages will not use this buffer.
+         */
+        private byte[] buffer = null;
+        /**
+         * Position of last inserted byte
+         **/
+        private int bufferPos = 0;// a value from 0 up to BLOCK_LENGTH_BYTES
+
+        /**
+         * Internal state, in the BLAKE2 paper it is called v
+         **/
+        private uint[] internalState = new uint[16];
+        /**
+         * State vector, in the BLAKE2 paper it is called h
+         **/
+        private uint[] chainValue = null;
+
+        // counter (counts bytes): Length up to 2^64 are supported
+        /**
+         * holds least significant bits of counter
+         **/
+        private uint t0 = 0;
+        /**
+         * holds most significant bits of counter
+         **/
+        private uint t1 = 0;
+        /**
+         * finalization flag, for last block: ~0
+         **/
+        private uint f0 = 0;
+
+        // For Tree Hashing Mode, not used here:
+        // private long f1 = 0L; // finalization flag, for last node: ~0L
+
+        /**
+         * BLAKE2s-256 for hashing.
+         */
+        public Blake2sDigest()
+            : this(256)
+        {
+        }
+
+        public Blake2sDigest(Blake2sDigest digest)
+        {
+            this.bufferPos = digest.bufferPos;
+            this.buffer = Arrays.Clone(digest.buffer);
+            this.keyLength = digest.keyLength;
+            this.key = Arrays.Clone(digest.key);
+            this.digestLength = digest.digestLength;
+            this.chainValue = Arrays.Clone(digest.chainValue);
+            this.personalization = Arrays.Clone(digest.personalization);
+        }
+
+        /**
+         * BLAKE2s for hashing.
+         *
+         * @param digestBits the desired digest length in bits. Must be one of
+         *                   [128, 160, 224, 256].
+         */
+        public Blake2sDigest(int digestBits)
+        {
+            if (digestBits != 128 && digestBits != 160 && digestBits != 224 && digestBits != 256)
+                throw new ArgumentException("BLAKE2s digest restricted to one of [128, 160, 224, 256]");
+
+            buffer = new byte[BLOCK_LENGTH_BYTES];
+            keyLength = 0;
+            digestLength = digestBits / 8;
+            Init();
+        }
+
+        /**
+         * BLAKE2s for authentication ("Prefix-MAC mode").
+         * <p/>
+         * After calling the doFinal() method, the key will remain to be used for
+         * further computations of this instance. The key can be overwritten using
+         * the clearKey() method.
+         *
+         * @param key a key up to 32 bytes or null
+         */
+        public Blake2sDigest(byte[] key)
+        {
+            buffer = new byte[BLOCK_LENGTH_BYTES];
+            if (key != null)
+            {
+                if (key.Length > 32)
+                    throw new ArgumentException("Keys > 32 are not supported");
+
+                this.key = new byte[key.Length];
+                Array.Copy(key, 0, this.key, 0, key.Length);
+
+                keyLength = key.Length;
+                Array.Copy(key, 0, buffer, 0, key.Length);
+                bufferPos = BLOCK_LENGTH_BYTES; // zero padding
+            }
+            digestLength = 32;
+            Init();
+        }
+
+        /**
+         * BLAKE2s with key, required digest length, salt and personalization.
+         * <p/>
+         * After calling the doFinal() method, the key, the salt and the personal
+         * string will remain and might be used for further computations with this
+         * instance. The key can be overwritten using the clearKey() method, the
+         * salt (pepper) can be overwritten using the clearSalt() method.
+         *
+         * @param key             a key up to 32 bytes or null
+         * @param digestBytes     from 1 up to 32 bytes
+         * @param salt            8 bytes or null
+         * @param personalization 8 bytes or null
+         */
+        public Blake2sDigest(byte[] key, int digestBytes, byte[] salt,
+                             byte[] personalization)
+        {
+            if (digestBytes < 1 || digestBytes > 32)
+                throw new ArgumentException("Invalid digest length (required: 1 - 32)");
+
+            this.digestLength = digestBytes;
+            this.buffer = new byte[BLOCK_LENGTH_BYTES];
+
+            if (salt != null)
+            {
+                if (salt.Length != 8)
+                    throw new ArgumentException("Salt length must be exactly 8 bytes");
+
+                this.salt = new byte[8];
+                Array.Copy(salt, 0, this.salt, 0, salt.Length);
+            }
+            if (personalization != null)
+            {
+                if (personalization.Length != 8)
+                    throw new ArgumentException("Personalization length must be exactly 8 bytes");
+
+                this.personalization = new byte[8];
+                Array.Copy(personalization, 0, this.personalization, 0, personalization.Length);
+            }
+            if (key != null)
+            {
+                if (key.Length > 32)
+                    throw new ArgumentException("Keys > 32 bytes are not supported");
+
+                this.key = new byte[key.Length];
+                Array.Copy(key, 0, this.key, 0, key.Length);
+
+                keyLength = key.Length;
+                Array.Copy(key, 0, buffer, 0, key.Length);
+                bufferPos = BLOCK_LENGTH_BYTES; // zero padding
+            }
+            Init();
+        }
+
+        // initialize chainValue
+        private void Init()
+        {
+            if (chainValue == null)
+            {
+                chainValue = new uint[8];
+
+                chainValue[0] = blake2s_IV[0] ^ (uint)(digestLength | (keyLength << 8) | 0x1010000);
+                // 0x1010000 = ((fanout << 16) | (depth << 24));
+                // with fanout = 1; depth = 0;
+                chainValue[1] = blake2s_IV[1];// ^ leafLength; with leafLength = 0;
+                chainValue[2] = blake2s_IV[2];// ^ nodeOffset; with nodeOffset = 0;
+                chainValue[3] = blake2s_IV[3];// ^ ( (nodeOffset << 32) | (nodeDepth << 16) | (innerHashLength << 24) );
+                // with nodeDepth = 0; innerHashLength = 0;
+
+                chainValue[4] = blake2s_IV[4];
+                chainValue[5] = blake2s_IV[5];
+                if (salt != null)
+                {
+                    chainValue[4] ^= Pack.LE_To_UInt32(salt, 0);
+                    chainValue[5] ^= Pack.LE_To_UInt32(salt, 4);
+                }
+
+                chainValue[6] = blake2s_IV[6];
+                chainValue[7] = blake2s_IV[7];
+                if (personalization != null)
+                {
+                    chainValue[6] ^= Pack.LE_To_UInt32(personalization, 0);
+                    chainValue[7] ^= Pack.LE_To_UInt32(personalization, 4);
+                }
+            }
+        }
+
+        private void InitializeInternalState()
+        {
+            // initialize v:
+            Array.Copy(chainValue, 0, internalState, 0, chainValue.Length);
+            Array.Copy(blake2s_IV, 0, internalState, chainValue.Length, 4);
+            internalState[12] = t0 ^ blake2s_IV[4];
+            internalState[13] = t1 ^ blake2s_IV[5];
+            internalState[14] = f0 ^ blake2s_IV[6];
+            internalState[15] = blake2s_IV[7];// ^ f1 with f1 = 0
+        }
+
+        /**
+         * Update the message digest with a single byte.
+         *
+         * @param b the input byte to be entered.
+         */
+        public virtual void Update(byte b)
+        {
+            int remainingLength; // left bytes of buffer
+
+            // process the buffer if full else add to buffer:
+            remainingLength = BLOCK_LENGTH_BYTES - bufferPos;
+            if (remainingLength == 0)
+            { // full buffer
+                t0 += BLOCK_LENGTH_BYTES;
+                if (t0 == 0)
+                { // if message > 2^32
+                    t1++;
+                }
+                Compress(buffer, 0);
+                Array.Clear(buffer, 0, buffer.Length);// clear buffer
+                buffer[0] = b;
+                bufferPos = 1;
+            }
+            else
+            {
+                buffer[bufferPos] = b;
+                bufferPos++;
+            }
+        }
+
+        /**
+         * Update the message digest with a block of bytes.
+         *
+         * @param message the byte array containing the data.
+         * @param offset  the offset into the byte array where the data starts.
+         * @param len     the length of the data.
+         */
+        public virtual void BlockUpdate(byte[] message, int offset, int len)
+        {
+            if (message == null || len == 0)
+                return;
+
+            int remainingLength = 0; // left bytes of buffer
+
+            if (bufferPos != 0)
+            { // commenced, incomplete buffer
+
+                // complete the buffer:
+                remainingLength = BLOCK_LENGTH_BYTES - bufferPos;
+                if (remainingLength < len)
+                { // full buffer + at least 1 byte
+                    Array.Copy(message, offset, buffer, bufferPos, remainingLength);
+                    t0 += BLOCK_LENGTH_BYTES;
+                    if (t0 == 0)
+                    { // if message > 2^32
+                        t1++;
+                    }
+                    Compress(buffer, 0);
+                    bufferPos = 0;
+                    Array.Clear(buffer, 0, buffer.Length);// clear buffer
+                }
+                else
+                {
+                    Array.Copy(message, offset, buffer, bufferPos, len);
+                    bufferPos += len;
+                    return;
+                }
+            }
+
+            // process blocks except last block (also if last block is full)
+            int messagePos;
+            int blockWiseLastPos = offset + len - BLOCK_LENGTH_BYTES;
+            for (messagePos = offset + remainingLength;
+                 messagePos < blockWiseLastPos;
+                 messagePos += BLOCK_LENGTH_BYTES)
+            { // block wise 64 bytes
+                // without buffer:
+                t0 += BLOCK_LENGTH_BYTES;
+                if (t0 == 0)
+                {
+                    t1++;
+                }
+                Compress(message, messagePos);
+            }
+
+            // fill the buffer with left bytes, this might be a full block
+            Array.Copy(message, messagePos, buffer, 0, offset + len
+                - messagePos);
+            bufferPos += offset + len - messagePos;
+        }
+
+        /**
+         * Close the digest, producing the final digest value. The doFinal() call
+         * leaves the digest reset. Key, salt and personal string remain.
+         *
+         * @param out       the array the digest is to be copied into.
+         * @param outOffset the offset into the out array the digest is to start at.
+         */
+        public virtual int DoFinal(byte[] output, int outOffset)
+        {
+            f0 = 0xFFFFFFFFU;
+            t0 += (uint)bufferPos;
+            // bufferPos may be < 64, so (t0 == 0) does not work
+            // for 2^32 < message length > 2^32 - 63
+            if ((t0 < 0) && (bufferPos > -t0))
+            {
+                t1++;
+            }
+            Compress(buffer, 0);
+            Array.Clear(buffer, 0, buffer.Length);// Holds eventually the key if input is null
+            Array.Clear(internalState, 0, internalState.Length);
+
+            for (int i = 0; i < chainValue.Length && (i * 4 < digestLength); i++)
+            {
+                byte[] bytes = Pack.UInt32_To_LE(chainValue[i]);
+
+                if (i * 4 < digestLength - 4)
+                {
+                    Array.Copy(bytes, 0, output, outOffset + i * 4, 4);
+                }
+                else
+                {
+                    Array.Copy(bytes, 0, output, outOffset + i * 4, digestLength - (i * 4));
+                }
+            }
+
+            Array.Clear(chainValue, 0, chainValue.Length);
+
+            Reset();
+
+            return digestLength;
+        }
+
+        /**
+         * Reset the digest back to its initial state. The key, the salt and the
+         * personal string will remain for further computations.
+         */
+        public virtual void Reset()
+        {
+            bufferPos = 0;
+            f0 = 0;
+            t0 = 0;
+            t1 = 0;
+            chainValue = null;
+            Array.Clear(buffer, 0, buffer.Length);
+            if (key != null)
+            {
+                Array.Copy(key, 0, buffer, 0, key.Length);
+                bufferPos = BLOCK_LENGTH_BYTES; // zero padding
+            }
+            Init();
+        }
+
+        private void Compress(byte[] message, int messagePos)
+        {
+            InitializeInternalState();
+
+            uint[] m = new uint[16];
+            for (int j = 0; j < 16; j++)
+            {
+                m[j] = Pack.LE_To_UInt32(message, messagePos + j * 4);
+            }
+
+            for (int round = 0; round < ROUNDS; round++)
+            {
+
+                // G apply to columns of internalState:m[blake2s_sigma[round][2 *
+                // blockPos]] /+1
+                G(m[blake2s_sigma[round,0]], m[blake2s_sigma[round,1]], 0, 4, 8, 12);
+                G(m[blake2s_sigma[round,2]], m[blake2s_sigma[round,3]], 1, 5, 9, 13);
+                G(m[blake2s_sigma[round,4]], m[blake2s_sigma[round,5]], 2, 6, 10, 14);
+                G(m[blake2s_sigma[round,6]], m[blake2s_sigma[round,7]], 3, 7, 11, 15);
+                // G apply to diagonals of internalState:
+                G(m[blake2s_sigma[round,8]], m[blake2s_sigma[round,9]], 0, 5, 10, 15);
+                G(m[blake2s_sigma[round,10]], m[blake2s_sigma[round,11]], 1, 6, 11, 12);
+                G(m[blake2s_sigma[round,12]], m[blake2s_sigma[round,13]], 2, 7, 8, 13);
+                G(m[blake2s_sigma[round,14]], m[blake2s_sigma[round,15]], 3, 4, 9, 14);
+            }
+
+            // update chain values:
+            for (int offset = 0; offset < chainValue.Length; offset++)
+            {
+                chainValue[offset] = chainValue[offset] ^ internalState[offset] ^ internalState[offset + 8];
+            }
+        }
+
+        private void G(uint m1, uint m2, int posA, int posB, int posC, int posD)
+        {
+            internalState[posA] = internalState[posA] + internalState[posB] + m1;
+            internalState[posD] = rotr32(internalState[posD] ^ internalState[posA], 16);
+            internalState[posC] = internalState[posC] + internalState[posD];
+            internalState[posB] = rotr32(internalState[posB] ^ internalState[posC], 12);
+            internalState[posA] = internalState[posA] + internalState[posB] + m2;
+            internalState[posD] = rotr32(internalState[posD] ^ internalState[posA], 8);
+            internalState[posC] = internalState[posC] + internalState[posD];
+            internalState[posB] = rotr32(internalState[posB] ^ internalState[posC], 7);
+        }
+
+        private uint rotr32(uint x, int rot)
+        {
+            return x >> rot | x << -rot;
+        }
+
+        /**
+         * Return the algorithm name.
+         *
+         * @return the algorithm name
+         */
+        public virtual string AlgorithmName
+        {
+            get { return "BLAKE2s"; }
+        }
+
+        /**
+         * Return the size in bytes of the digest produced by this message digest.
+         *
+         * @return the size in bytes of the digest produced by this message digest.
+         */
+        public virtual int GetDigestSize()
+        {
+            return digestLength;
+        }
+
+        /**
+         * Return the size in bytes of the internal buffer the digest applies its
+         * compression function to.
+         *
+         * @return byte length of the digest's internal buffer.
+         */
+        public virtual int GetByteLength()
+        {
+            return BLOCK_LENGTH_BYTES;
+        }
+
+        /**
+         * Overwrite the key if it is no longer used (zeroization).
+         */
+        public virtual void ClearKey()
+        {
+            if (key != null)
+            {
+                Array.Clear(key, 0, key.Length);
+                Array.Clear(buffer, 0, buffer.Length);
+            }
+        }
+
+        /**
+         * Overwrite the salt (pepper) if it is secret and no longer used
+         * (zeroization).
+         */
+        public virtual void ClearSalt()
+        {
+            if (salt != null)
+            {
+                Array.Clear(salt, 0, salt.Length);
+            }
+        }
+    }
+}
diff --git a/crypto/src/security/DigestUtilities.cs b/crypto/src/security/DigestUtilities.cs
index 7ddf6c8e4..c6adbdd95 100644
--- a/crypto/src/security/DigestUtilities.cs
+++ b/crypto/src/security/DigestUtilities.cs
@@ -3,10 +3,14 @@ using System.Collections;
 
 using Org.BouncyCastle.Asn1;
 using Org.BouncyCastle.Asn1.CryptoPro;
+using Org.BouncyCastle.Asn1.GM;
+using Org.BouncyCastle.Asn1.Misc;
 using Org.BouncyCastle.Asn1.Nist;
 using Org.BouncyCastle.Asn1.Pkcs;
 using Org.BouncyCastle.Asn1.Oiw;
+using Org.BouncyCastle.Asn1.Rosstandart;
 using Org.BouncyCastle.Asn1.TeleTrust;
+using Org.BouncyCastle.Asn1.UA;
 using Org.BouncyCastle.Security;
 using Org.BouncyCastle.Crypto.Digests;
 using Org.BouncyCastle.Crypto;
@@ -20,7 +24,11 @@ namespace Org.BouncyCastle.Security
     public sealed class DigestUtilities
     {
         private enum DigestAlgorithm {
+            BLAKE2B_160, BLAKE2B_256, BLAKE2B_384, BLAKE2B_512,
+            BLAKE2S_128, BLAKE2S_160, BLAKE2S_224, BLAKE2S_256,
+            DSTU7564_256, DSTU7564_384, DSTU7564_512,
             GOST3411,
+            GOST3411_2012_256, GOST3411_2012_512,
             KECCAK_224, KECCAK_256, KECCAK_288, KECCAK_384, KECCAK_512,
             MD2, MD4, MD5,
             RIPEMD128, RIPEMD160, RIPEMD256, RIPEMD320,
@@ -28,6 +36,7 @@ namespace Org.BouncyCastle.Security
             SHA_512_224, SHA_512_256,
             SHA3_224, SHA3_256, SHA3_384, SHA3_512,
             SHAKE128, SHAKE256,
+            SM3,
             TIGER,
             WHIRLPOOL,
         };
@@ -81,6 +90,24 @@ namespace Org.BouncyCastle.Security
             algorithms[NistObjectIdentifiers.IdShake128.Id] = "SHAKE128";
             algorithms[NistObjectIdentifiers.IdShake256.Id] = "SHAKE256";
 
+            algorithms[GMObjectIdentifiers.sm3.Id] = "SM3";
+
+            algorithms[MiscObjectIdentifiers.id_blake2b160.Id] = "BLAKE2B-160";
+            algorithms[MiscObjectIdentifiers.id_blake2b256.Id] = "BLAKE2B-256";
+            algorithms[MiscObjectIdentifiers.id_blake2b384.Id] = "BLAKE2B-384";
+            algorithms[MiscObjectIdentifiers.id_blake2b512.Id] = "BLAKE2B-512";
+            algorithms[MiscObjectIdentifiers.id_blake2s128.Id] = "BLAKE2S-128";
+            algorithms[MiscObjectIdentifiers.id_blake2s160.Id] = "BLAKE2S-160";
+            algorithms[MiscObjectIdentifiers.id_blake2s224.Id] = "BLAKE2S-224";
+            algorithms[MiscObjectIdentifiers.id_blake2s256.Id] = "BLAKE2S-256";
+
+            algorithms[RosstandartObjectIdentifiers.id_tc26_gost_3411_12_256.Id] = "GOST3411-2012-256";
+            algorithms[RosstandartObjectIdentifiers.id_tc26_gost_3411_12_512.Id] = "GOST3411-2012-512";
+
+            algorithms[UAObjectIdentifiers.dstu7564digest_256.Id] = "DSTU7564-256";
+            algorithms[UAObjectIdentifiers.dstu7564digest_384.Id] = "DSTU7564-384";
+            algorithms[UAObjectIdentifiers.dstu7564digest_512.Id] = "DSTU7564-512";
+
             oids["MD2"] = PkcsObjectIdentifiers.MD2;
             oids["MD4"] = PkcsObjectIdentifiers.MD4;
             oids["MD5"] = PkcsObjectIdentifiers.MD5;
@@ -101,6 +128,20 @@ namespace Org.BouncyCastle.Security
             oids["RIPEMD160"] = TeleTrusTObjectIdentifiers.RipeMD160;
             oids["RIPEMD256"] = TeleTrusTObjectIdentifiers.RipeMD256;
             oids["GOST3411"] = CryptoProObjectIdentifiers.GostR3411;
+            oids["SM3"] = GMObjectIdentifiers.sm3;
+            oids["BLAKE2B-160"] = MiscObjectIdentifiers.id_blake2b160;
+            oids["BLAKE2B-256"] = MiscObjectIdentifiers.id_blake2b256;
+            oids["BLAKE2B-384"] = MiscObjectIdentifiers.id_blake2b384;
+            oids["BLAKE2B-512"] = MiscObjectIdentifiers.id_blake2b512;
+            oids["BLAKE2S-128"] = MiscObjectIdentifiers.id_blake2s128;
+            oids["BLAKE2S-160"] = MiscObjectIdentifiers.id_blake2s160;
+            oids["BLAKE2S-224"] = MiscObjectIdentifiers.id_blake2s224;
+            oids["BLAKE2S-256"] = MiscObjectIdentifiers.id_blake2s256;
+            oids["GOST3411-2012-256"] = RosstandartObjectIdentifiers.id_tc26_gost_3411_12_256;
+            oids["GOST3411-2012-512"] = RosstandartObjectIdentifiers.id_tc26_gost_3411_12_512;
+            oids["DSTU7564-256"] = UAObjectIdentifiers.dstu7564digest_256;
+            oids["DSTU7564-384"] = UAObjectIdentifiers.dstu7564digest_384;
+            oids["DSTU7564-512"] = UAObjectIdentifiers.dstu7564digest_512;
         }
 
         /// <summary>
@@ -153,34 +194,48 @@ namespace Org.BouncyCastle.Security
 
                 switch (digestAlgorithm)
                 {
-                    case DigestAlgorithm.GOST3411:      return new Gost3411Digest();
-                    case DigestAlgorithm.KECCAK_224:    return new KeccakDigest(224);
-                    case DigestAlgorithm.KECCAK_256:    return new KeccakDigest(256);
-                    case DigestAlgorithm.KECCAK_288:    return new KeccakDigest(288);
-                    case DigestAlgorithm.KECCAK_384:    return new KeccakDigest(384);
-                    case DigestAlgorithm.KECCAK_512:    return new KeccakDigest(512);
-                    case DigestAlgorithm.MD2:           return new MD2Digest();
-                    case DigestAlgorithm.MD4:		    return new MD4Digest();
-                    case DigestAlgorithm.MD5:		    return new MD5Digest();
-                    case DigestAlgorithm.RIPEMD128:	    return new RipeMD128Digest();
-                    case DigestAlgorithm.RIPEMD160:	    return new RipeMD160Digest();
-                    case DigestAlgorithm.RIPEMD256:	    return new RipeMD256Digest();
-                    case DigestAlgorithm.RIPEMD320:	    return new RipeMD320Digest();
-                    case DigestAlgorithm.SHA_1:		    return new Sha1Digest();
-                    case DigestAlgorithm.SHA_224:	    return new Sha224Digest();
-                    case DigestAlgorithm.SHA_256:	    return new Sha256Digest();
-                    case DigestAlgorithm.SHA_384:	    return new Sha384Digest();
-                    case DigestAlgorithm.SHA_512:	    return new Sha512Digest();
-                    case DigestAlgorithm.SHA_512_224:   return new Sha512tDigest(224);
-                    case DigestAlgorithm.SHA_512_256:   return new Sha512tDigest(256);
-                    case DigestAlgorithm.SHA3_224:      return new Sha3Digest(224);
-                    case DigestAlgorithm.SHA3_256:      return new Sha3Digest(256);
-                    case DigestAlgorithm.SHA3_384:      return new Sha3Digest(384);
-                    case DigestAlgorithm.SHA3_512:      return new Sha3Digest(512);
-                    case DigestAlgorithm.SHAKE128:      return new ShakeDigest(128);
-                    case DigestAlgorithm.SHAKE256:      return new ShakeDigest(256);
-                    case DigestAlgorithm.TIGER:         return new TigerDigest();
-                    case DigestAlgorithm.WHIRLPOOL:     return new WhirlpoolDigest();
+                    case DigestAlgorithm.BLAKE2B_160: return new Blake2bDigest(160);
+                    case DigestAlgorithm.BLAKE2B_256: return new Blake2bDigest(256);
+                    case DigestAlgorithm.BLAKE2B_384: return new Blake2bDigest(384);
+                    case DigestAlgorithm.BLAKE2B_512: return new Blake2bDigest(512);
+                    case DigestAlgorithm.BLAKE2S_128: return new Blake2sDigest(128);
+                    case DigestAlgorithm.BLAKE2S_160: return new Blake2sDigest(160);
+                    case DigestAlgorithm.BLAKE2S_224: return new Blake2sDigest(224);
+                    case DigestAlgorithm.BLAKE2S_256: return new Blake2sDigest(256);
+                    case DigestAlgorithm.DSTU7564_256: return new Dstu7564Digest(256);
+                    case DigestAlgorithm.DSTU7564_384: return new Dstu7564Digest(384);
+                    case DigestAlgorithm.DSTU7564_512: return new Dstu7564Digest(512);
+                    case DigestAlgorithm.GOST3411: return new Gost3411Digest();
+                    case DigestAlgorithm.GOST3411_2012_256: return new GOST3411_2012_256Digest();
+                    case DigestAlgorithm.GOST3411_2012_512: return new GOST3411_2012_512Digest();
+                    case DigestAlgorithm.KECCAK_224: return new KeccakDigest(224);
+                    case DigestAlgorithm.KECCAK_256: return new KeccakDigest(256);
+                    case DigestAlgorithm.KECCAK_288: return new KeccakDigest(288);
+                    case DigestAlgorithm.KECCAK_384: return new KeccakDigest(384);
+                    case DigestAlgorithm.KECCAK_512: return new KeccakDigest(512);
+                    case DigestAlgorithm.MD2: return new MD2Digest();
+                    case DigestAlgorithm.MD4: return new MD4Digest();
+                    case DigestAlgorithm.MD5: return new MD5Digest();
+                    case DigestAlgorithm.RIPEMD128: return new RipeMD128Digest();
+                    case DigestAlgorithm.RIPEMD160: return new RipeMD160Digest();
+                    case DigestAlgorithm.RIPEMD256: return new RipeMD256Digest();
+                    case DigestAlgorithm.RIPEMD320: return new RipeMD320Digest();
+                    case DigestAlgorithm.SHA_1: return new Sha1Digest();
+                    case DigestAlgorithm.SHA_224: return new Sha224Digest();
+                    case DigestAlgorithm.SHA_256: return new Sha256Digest();
+                    case DigestAlgorithm.SHA_384: return new Sha384Digest();
+                    case DigestAlgorithm.SHA_512: return new Sha512Digest();
+                    case DigestAlgorithm.SHA_512_224: return new Sha512tDigest(224);
+                    case DigestAlgorithm.SHA_512_256: return new Sha512tDigest(256);
+                    case DigestAlgorithm.SHA3_224: return new Sha3Digest(224);
+                    case DigestAlgorithm.SHA3_256: return new Sha3Digest(256);
+                    case DigestAlgorithm.SHA3_384: return new Sha3Digest(384);
+                    case DigestAlgorithm.SHA3_512: return new Sha3Digest(512);
+                    case DigestAlgorithm.SHAKE128: return new ShakeDigest(128);
+                    case DigestAlgorithm.SHAKE256: return new ShakeDigest(256);
+                    case DigestAlgorithm.SM3: return new SM3Digest();
+                    case DigestAlgorithm.TIGER: return new TigerDigest();
+                    case DigestAlgorithm.WHIRLPOOL: return new WhirlpoolDigest();
                 }
             }
             catch (ArgumentException)