diff options
author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
---|---|---|
committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc4503.txt | |
parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc4503.txt')
-rw-r--r-- | doc/rfc/rfc4503.txt | 675 |
1 files changed, 675 insertions, 0 deletions
diff --git a/doc/rfc/rfc4503.txt b/doc/rfc/rfc4503.txt new file mode 100644 index 0000000..e9d62ca --- /dev/null +++ b/doc/rfc/rfc4503.txt @@ -0,0 +1,675 @@ + + + + + + +Network Working Group M. Boesgaard +Request for Comments: 4503 M. Vesterager +Category: Informational E. Zenner + Cryptico A/S + May 2006 + + + A Description of the Rabbit Stream Cipher Algorithm + +Status of This Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +Abstract + + This document describes the encryption algorithm Rabbit. It is a + stream cipher algorithm with a 128-bit key and 64-bit initialization + vector (IV). The method was published in 2003 and has been subject + to public security and performance revision. Its high performance + makes it particularly suited for the use with Internet protocols + where large amounts of data have to be processed. + +Table of Contents + + 1. Introduction ....................................................2 + 2. Algorithm Description ...........................................2 + 2.1. Notation ...................................................2 + 2.2. Inner State ................................................3 + 2.3. Key Setup Scheme ...........................................3 + 2.4. IV Setup Scheme ............................................3 + 2.5. Counter System .............................................4 + 2.6. Next-State Function ........................................4 + 2.7. Extraction Scheme ..........................................5 + 2.8. Encryption/Decryption Scheme ...............................5 + 3. Security Considerations .........................................6 + 3.1. Message Length .............................................6 + 3.2. Initialization Vector ......................................6 + 4. Informative References ..........................................7 + Appendix A: Test Vectors ...........................................8 + A.1. Testing without IV Setup ...................................8 + A.2. Testing with IV Setup ......................................8 + Appendix B: Debugging Vectors ......................................9 + + + +Boesgaard, et al. Informational [Page 1] + +RFC 4503 Rabbit Encryption May 2006 + + + B.1. Testing Round Function and Key Setup .......................9 + B.2. Testing the IV setup ......................................10 + +1. Introduction + + Rabbit is a stream cipher algorithm that has been designed for high + performance in software implementations. Both key setup and + encryption are very fast, making the algorithm particularly suited + for all applications where large amounts of data or large numbers of + data packages have to be encrypted. Examples include, but are not + limited to, server-side encryption, multimedia encryption, hard-disk + encryption, and encryption on limited-resource devices. + + The cipher is based on ideas derived from the behavior of certain + chaotic maps. These maps have been carefully discretized, resulting + in a compact stream cipher. Rabbit has been openly published in 2003 + [1] and has not displayed any weaknesses as of the time of this + writing. To ensure ongoing security evaluation, it was also + submitted to the ECRYPT eSTREAM project[2]. + + Technically, Rabbit consists of a pseudorandom bitstream generator + that takes a 128-bit key and a 64-bit initialization vector (IV) as + input and generates a stream of 128-bit blocks. Encryption is + performed by combining this output with the message, using the + exclusive-OR operation. Decryption is performed in exactly the same + way as encryption. + + Further information about Rabbit, including reference implementation, + test vectors, performance figures, and security white papers, is + available from http://www.cryptico.com/. + +2. Algorithm Description + +2.1. Notation + + This document uses the following elementary operators: + + + integer addition. + * integer multiplication. + div integer division. + mod integer modulus. + ^ bitwise exclusive-OR operation. + <<< left rotation operator. + || concatenation operator. + + When labeling bits of a variable, A, the least significant bit is + denoted by A[0]. The notation A[h..g] represents bits h through g of + variable A, where h is more significant than g. Similar variables + + + +Boesgaard, et al. Informational [Page 2] + +RFC 4503 Rabbit Encryption May 2006 + + + are labeled by A0,A1,... with the notation A(0),A(1),... being used + to denote those same variables if this improves readability. + + Given a 64-bit word, the function MSW extracts the most significant + 32 bits, whereas the function LSW extracts the least significant 32 + bits. + + Constants prefixed with 0x are in hexadecimal notation. In + particular, the constant WORDSIZE is defined to be 0x100000000. + +2.2. Inner State + + The internal state of the stream cipher consists of 513 bits. 512 + bits are divided between eight 32-bit state variables, X0,...,X7 and + eight 32-bit counter variables, C0,...,C7. In addition, there is one + counter carry bit, b. + +2.3. Key Setup Scheme + + The counter carry bit b is initialized to zero. The state and + counter words are derived from the key K[127..0]. + + The key is divided into subkeys K0 = K[15..0], K1 = K[31..16], ... K7 + = K[127..112]. The initial state is initialized as follows: + + for j=0 to 7: + if j is even: + Xj = K(j+1 mod 8) || Kj + Cj = K(j+4 mod 8) || K(j+5 mod 8) + else: + Xj = K(j+5 mod 8) || K(j+4 mod 8) + Cj = Kj || K(j+1 mod 8) + + The system is then iterated four times, each iteration consisting of + counter update (Section 2.5) and next-state function (Section 2.6). + After that, the counter variables are reinitialized to + + for j=0 to 7: + Cj = Cj ^ X(j+4 mod 8) + +2.4. IV Setup Scheme + + If an IV is used for encryption, the counter variables are modified + after the key setup. Denoting the IV bits by IV[63..0], the setup + proceeds as follows: + + C0 = C0 ^ IV[31..0] C1 = C1 ^ (IV[63..48] || IV[31..16]) + C2 = C2 ^ IV[63..32] C3 = C3 ^ (IV[47..32] || IV[15..0]) + + + +Boesgaard, et al. Informational [Page 3] + +RFC 4503 Rabbit Encryption May 2006 + + + C4 = C4 ^ IV[31..0] C5 = C5 ^ (IV[63..48] || IV[31..16]) + C6 = C6 ^ IV[63..32] C7 = C7 ^ (IV[47..32] || IV[15..0]) + + The system is then iterated another 4 times, each iteration + consisting of counter update (Section 2.5) and next-state function + (Section 2.6). + + The relationship between key and IV setup is as follows: + + - After the key setup, the resulting inner state is saved as a master + state. Then the IV setup is run to obtain the first encryption + starting state. + + - Whenever re-initialization under a new IV is necessary, the IV + setup is run on the master state again to derive the next + encryption starting state. + +2.5. Counter System + + Before each execution of the next-state function (Section 2.6), the + counter system has to be updated. This system uses constants + A1,...,A7, as follows: + + A0 = 0x4D34D34D A1 = 0xD34D34D3 + A2 = 0x34D34D34 A3 = 0x4D34D34D + A4 = 0xD34D34D3 A5 = 0x34D34D34 + A6 = 0x4D34D34D A7 = 0xD34D34D3 + + It also uses the counter carry bit b to update the counter system, as + follows: + + for j=0 to 7: + temp = Cj + Aj + b + b = temp div WORDSIZE + Cj = temp mod WORDSIZE + + Note that on exiting this loop, the variable b has to be preserved + for the next iteration of the system. + +2.6. Next-State Function + + The core of the Rabbit algorithm is the next-state function. It is + based on the function g, which transforms two 32-bit inputs into one + 32-bit output, as follows: + + g(u,v) = LSW(square(u+v)) ^ MSW(square(u+v)) + + where square(u+v) = ((u+v mod WORDSIZE) * (u+v mod WORDSIZE)). + + + +Boesgaard, et al. Informational [Page 4] + +RFC 4503 Rabbit Encryption May 2006 + + + Using this function, the algorithm updates the inner state as + follows: + + for j=0 to 7: + Gj = g(Xj,Cj) + + X0 = G0 + (G7 <<< 16) + (G6 <<< 16) mod WORDSIZE + X1 = G1 + (G0 <<< 8) + G7 mod WORDSIZE + X2 = G2 + (G1 <<< 16) + (G0 <<< 16) mod WORDSIZE + X3 = G3 + (G2 <<< 8) + G1 mod WORDSIZE + X4 = G4 + (G3 <<< 16) + (G2 <<< 16) mod WORDSIZE + X5 = G5 + (G4 <<< 8) + G3 mod WORDSIZE + X6 = G6 + (G5 <<< 16) + (G4 <<< 16) mod WORDSIZE + X7 = G7 + (G6 <<< 8) + G5 mod WORDSIZE + +2.7. Extraction Scheme + + After the key and IV setup are concluded, the algorithm is iterated + in order to produce one 128-bit output block, S, per round. Each + round consists of executing steps 2.5 and 2.6 and then extracting an + output S[127..0] as follows: + + S[15..0] = X0[15..0] ^ X5[31..16] + S[31..16] = X0[31..16] ^ X3[15..0] + S[47..32] = X2[15..0] ^ X7[31..16] + S[63..48] = X2[31..16] ^ X5[15..0] + S[79..64] = X4[15..0] ^ X1[31..16] + S[95..80] = X4[31..16] ^ X7[15..0] + S[111..96] = X6[15..0] ^ X3[31..16] + S[127..112] = X6[31..16] ^ X1[15..0] + +2.8. Encryption/Decryption Scheme + + Given a 128-bit message block, M, encryption E and decryption M' are + computed via + + E = M ^ S and + M' = E ^ S. + + If S is the same in both operations (as it should be if the same key + and IV are used), then M = M'. + + The encryption/decryption scheme is repeated until all blocks in the + message have been encrypted/decrypted. If the message size is not a + multiple of 128 bits, only the needed amount of least significant + bits from the last output block S is used for the last message block + M. + + + + +Boesgaard, et al. Informational [Page 5] + +RFC 4503 Rabbit Encryption May 2006 + + + If the application requires the encryption of smaller blocks (or even + individual bits), a 128-bit buffer is used. The buffer is + initialized by generating a new value, S, and copying it into the + buffer. After that, all data blocks are encrypted using the least + significant bits in this buffer. Whenever the buffer is empty, a new + value S is generated and copied into the buffer. + +3. Security Considerations + + For an encryption algorithm, the security provided is, of course, the + most important issue. No security weaknesses have been found to + date, neither by the designers nor by independent cryptographers + scrutinizing the algorithms after its publication in [1]. Note that + a full discussion of Rabbit's security against known cryptanalytic + techniques is provided in [3]. + + In the following, we restrict ourselves to some rules on how to use + the Rabbit algorithm properly. + +3.1. Message Length + + Rabbit was designed to encrypt up to 2 to the power of 64 128-bit + message blocks under the same the key. Should this amount of data + ever be exceeded, the key has to be replaced. It is recommended to + follow this rule even when the IV is changed on a regular basis. + +3.2. Initialization Vector + + It is possible to run Rabbit without the IV setup. However, in this + case, the generator must never be reset under the same key, since + this would destroy its security (for a recent example, see [4]). + However, in order to guarantee synchronization between sender and + receiver, ciphers are frequently reset in practice. This means that + both sender and receiver set the inner state of the cipher back to a + known value and then derive the new encryption state using an IV. If + this is done, it is important to make sure that no IV is ever reused + under the same key. + + + + + + + + + + + + + + +Boesgaard, et al. Informational [Page 6] + +RFC 4503 Rabbit Encryption May 2006 + + +4. Informative References + + [1] M. Boesgaard, M. Vesterager, T. Pedersen, J. Christiansen, O. + Scavenius. "Rabbit: A New High-Performance Stream Cipher". + Proc. Fast Software Encryption 2003, Lecture Notes in Computer + Science 2887, p. 307-329. Springer, 2003. + + [2] ECRYPT eSTREAM project, available from + http://www.ecrypt.eu.org/stream/ + + [3] M. Boesgaard, T. Pedersen, M. Vesterager, E. Zenner. "The + Rabbit Stream Cipher - Design and Security Analysis". Proc. + SASC Workshop 2004, available from + http://www.isg.rhul.ac.uk/research/ + projects/ecrypt/stvl/sasc.html. + + [4] H. Wu. "The Misuse of RC4 in Microsoft Word and Excel". IACR + eprint archive 2005/007, available from + http://eprint.iacr.org/2005/007.pdf. + + [5] Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards + (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC + 3447, February 2003. + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Boesgaard, et al. Informational [Page 7] + +RFC 4503 Rabbit Encryption May 2006 + + +Appendix A: Test Vectors + + This is a set of test vectors for conformance testing, given in octet + form. For use with Rabbit, they have to be transformed into integers + by the conversion primitives OS2IP and I2OSP, as described in [5]. + +A.1. Testing without IV Setup + + key = [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00] + S[0] = [B1 57 54 F0 36 A5 D6 EC F5 6B 45 26 1C 4A F7 02] + S[1] = [88 E8 D8 15 C5 9C 0C 39 7B 69 6C 47 89 C6 8A A7] + S[2] = [F4 16 A1 C3 70 0C D4 51 DA 68 D1 88 16 73 D6 96] + + key = [91 28 13 29 2E 3D 36 FE 3B FC 62 F1 DC 51 C3 AC] + S[0] = [3D 2D F3 C8 3E F6 27 A1 E9 7F C3 84 87 E2 51 9C] + S[1] = [F5 76 CD 61 F4 40 5B 88 96 BF 53 AA 85 54 FC 19] + S[2] = [E5 54 74 73 FB DB 43 50 8A E5 3B 20 20 4D 4C 5E] + + key = [83 95 74 15 87 E0 C7 33 E9 E9 AB 01 C0 9B 00 43] + S[0] = [0C B1 0D CD A0 41 CD AC 32 EB 5C FD 02 D0 60 9B] + S[1] = [95 FC 9F CA 0F 17 01 5A 7B 70 92 11 4C FF 3E AD] + S[2] = [96 49 E5 DE 8B FC 7F 3F 92 41 47 AD 3A 94 74 28] + +A.2. Testing with IV Setup + + mkey = [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00] + iv = [00 00 00 00 00 00 00 00] + S[0] = [C6 A7 27 5E F8 54 95 D8 7C CD 5D 37 67 05 B7 ED] + S[1] = [5F 29 A6 AC 04 F5 EF D4 7B 8F 29 32 70 DC 4A 8D] + S[2] = [2A DE 82 2B 29 DE 6C 1E E5 2B DB 8A 47 BF 8F 66] + + iv = [C3 73 F5 75 C1 26 7E 59] + S[0] = [1F CD 4E B9 58 00 12 E2 E0 DC CC 92 22 01 7D 6D] + S[1] = [A7 5F 4E 10 D1 21 25 01 7B 24 99 FF ED 93 6F 2E] + S[2] = [EB C1 12 C3 93 E7 38 39 23 56 BD D0 12 02 9B A7] + + iv = [A6 EB 56 1A D2 F4 17 27] + S[0] = [44 5A D8 C8 05 85 8D BF 70 B6 AF 23 A1 51 10 4D] + S[1] = [96 C8 F2 79 47 F4 2C 5B AE AE 67 C6 AC C3 5B 03] + S[2] = [9F CB FC 89 5F A7 1C 17 31 3D F0 34 F0 15 51 CB] + + + + + + + + + + + +Boesgaard, et al. Informational [Page 8] + +RFC 4503 Rabbit Encryption May 2006 + + +Appendix B: Debugging Vectors + + The following set of vectors describes the inner state of Rabbit + during key and iv setup. It is meant mainly for debugging purposes. + Octet strings are written according to I2OSP conventions. + +B.1. Testing Round Function and Key Setup + + key = [91 28 13 29 2E ED 36 FE 3B FC 62 F1 DC 51 C3 AC] + + Inner state after key expansion: + b = 0 + X0 = 0xDC51C3AC, X1 = 0x13292E3D, X2 = 0x3BFC62F1, X3 = 0xC3AC9128, + X4 = 0x2E3D36FE, X5 = 0x62F1DC51, X6 = 0x91281329, X7 = 0x36FE3BFC, + C0 = 0x36FE2E3D, C1 = 0xDC5162F1, C2 = 0x13299128, C3 = 0x3BFC36FE, + C4 = 0xC3ACDC51, C5 = 0x2E3D1329, C6 = 0x62F13BFC, C7 = 0x9128C3AC + + Inner state after first key setup iteration: + b = 1 + X0 = 0xF2E8C8B1, X1 = 0x38E06FA7, X2 = 0x9A0D72C0, X3 = 0xF21F5334, + X4 = 0xCACDCCC3, X5 = 0x4B239CBE, X6 = 0x0565DCCC, X7 = 0xB1587C8D, + C0 = 0x8433018A, C1 = 0xAF9E97C4, C2 = 0x47FCDE5D, C3 = 0x89310A4B, + C4 = 0x96FA1124, C5 = 0x6310605E, C6 = 0xB0260F49, C7 = 0x6475F87F + + Inner state after fourth key setup iteration: + b = 0 + X0 = 0x1D059312, X1 = 0xBDDC3E45, X2 = 0xF440927D, X3 = 0x50CBB553, + X4 = 0x36709423, X5 = 0x0B6F0711, X6 = 0x3ADA3A7B, X7 = 0xEB9800C8, + C0 = 0x6BD17B74, C1 = 0x2986363E, C2 = 0xE676C5FC, C3 = 0x70CF8432, + C4 = 0x10E1AF9E, C5 = 0x018A47FD, C6 = 0x97C48931, C7 = 0xDE5D96F9 + + Inner state after final key setup xor: + b = 0 + X0 = 0x1D059312, X1 = 0xBDDC3E45, X2 = 0xF440927D, X3 = 0x50CBB553, + X4 = 0x36709423, X5 = 0x0B6F0711, X6 = 0x3ADA3A7B, X7 = 0xEB9800C8, + C0 = 0x5DA1EF57, C1 = 0x22E9312F, C2 = 0xDCACFF87, C3 = 0x9B5784FA, + C4 = 0x0DE43C8C, C5 = 0xBC5679B8, C6 = 0x63841B4C, C7 = 0x8E9623AA + + Inner state after generation of 48 bytes of output: + b = 1 + X0 = 0xB5428566, X1 = 0xA2593617, X2 = 0xFF5578DE, X3 = 0x7293950F, + X4 = 0x145CE109, X5 = 0xC93875B0, X6 = 0xD34306E0, X7 = 0x43FEEF87, + C0 = 0x45406940, C1 = 0x9CD0CFA9, C2 = 0x7B26E725, C3 = 0x82F5FEE2, + C4 = 0x87CBDB06, C5 = 0x5AD06156, C6 = 0x4B229534, C7 = 0x087DC224 + + + + + + + +Boesgaard, et al. Informational [Page 9] + +RFC 4503 Rabbit Encryption May 2006 + + + The 48 output bytes: + S[0] = [3D 2D F3 C8 3E F6 27 A1 E9 7F C3 84 87 E2 51 9C] + S[1] = [F5 76 CD 61 F4 40 5B 88 96 BF 53 AA 85 54 FC 19] + S[2] = [E5 54 74 73 FB DB 43 50 8A E5 3B 20 20 4D 4C 5E] + +B.2. Testing the IV Setup + + key = [91 28 13 29 2E ED 36 FE 3B FC 62 F1 DC 51 C3 AC] + iv = [C3 73 F5 75 C1 26 7E 59] + + Inner state during key setup: + as above + + Inner state after IV expansion: + b = 0 + X0 = 0x1D059312, X1 = 0xBDDC3E45, X2 = 0xF440927D, X3 = 0x50CBB553, + X4 = 0x36709423, X5 = 0x0B6F0711, X6 = 0x3ADA3A7B, X7 = 0xEB9800C8, + C0 = 0x9C87910E, C1 = 0xE19AF009, C2 = 0x1FDF0AF2, C3 = 0x6E22FAA3, + C4 = 0xCCC242D5, C5 = 0x7F25B89E, C6 = 0xA0F7EE39, C7 = 0x7BE35DF3 + + Inner state after first IV setup iteration: + b = 1 + X0 = 0xC4FF831A, X1 = 0xEF5CD094, X2 = 0xC5933855, X3 = 0xC05A5C03, + X4 = 0x4A50522F, X5 = 0xDF487BE4, X6 = 0xA45FA013, X7 = 0x05531179, + C0 = 0xE9BC645B, C1 = 0xB4E824DC, C2 = 0x54B25827, C3 = 0xBB57CDF0, + C4 = 0xA00F77A8, C5 = 0xB3F905D3, C6 = 0xEE2CC186, C7 = 0x4F3092C6 + + Inner state after fourth IV setup iteration: + b = 1 + X0 = 0x6274E424, X1 = 0xE14CE120, X2 = 0xDA8739D9, X3 = 0x65E0402D, + X4 = 0xD1281D10, X5 = 0xBD435BAA, X6 = 0x4E9E7A02, X7 = 0x9B467ABD, + C0 = 0xD15ADE44, C1 = 0x2ECFC356, C2 = 0xF32C3FC6, C3 = 0xA2F647D7, + C4 = 0x19F71622, C5 = 0x5272ED72, C6 = 0xD5CB3B6E, C7 = 0xC9183140 + + + + + + + + + + + + + + + + + + +Boesgaard, et al. Informational [Page 10] + +RFC 4503 Rabbit Encryption May 2006 + + +Authors' Addresses + + Martin Boesgaard + Cryptico A/S + Fruebjergvej 3 + 2100 Copenhagen + Denmark + + Phone: +45 39 17 96 06 + EMail: mab@cryptico.com + URL: http://www.cryptico.com + + + Mette Vesterager + Cryptico A/S + Fruebjergvej 3 + 2100 Copenhagen + Denmark + + Phone: +45 39 17 96 06 + EMail: mvp@cryptico.com + URL: http://www.cryptico.com + + + Erik Zenner + Cryptico A/S + Fruebjergvej 3 + 2100 Copenhagen + Denmark + + Phone: +45 39 17 96 06 + EMail: ez@cryptico.com + URL: http://www.cryptico.com + + + + + + + + + + + + + + + + + + +Boesgaard, et al. Informational [Page 11] + +RFC 4503 Rabbit Encryption May 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Boesgaard, et al. Informational [Page 12] + |