idnits 2.16.02
/tmp/draft-zenner-rabbit-02.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
** It looks like you're using RFC 3978 boilerplate. You should update this
to the boilerplate described in the IETF Trust License Policy document
(see https://trustee.ietf.org/license-info), which is required now.
-- Found old boilerplate from RFC 3978, Section 5.1 on line 16.
-- Found old boilerplate from RFC 3978, Section 5.5 on line 440.
** This document has an original RFC 3978 Section 5.4 Copyright Line,
instead of the newer IETF Trust Copyright according to RFC 4748.
** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
of the newer disclaimer which includes the IETF Trust according to RFC
4748.
** The document seems to lack an RFC 3979 Section 5, para. 1 IPR Disclosure
Acknowledgement.
** The document seems to lack an RFC 3979 Section 5, para. 2 IPR Disclosure
Acknowledgement.
** The document seems to lack an RFC 3979 Section 5, para. 3 IPR Disclosure
Invitation.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
== No 'Intended status' indicated for this document; assuming Proposed
Standard
== It seems as if not all pages are separated by form feeds - found 0 form
feeds but 9 pages
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack separate sections for Informative/Normative
References. All references will be assumed normative when checking for
downward references.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
match the current year
== Line 81 has weird spacing: '... div inte...'
== Line 82 has weird spacing: '... mod inte...'
== Couldn't figure out when the document was first submitted -- there may
comments or warnings related to the use of a disclaimer for pre-RFC5378
work that could not be issued because of this. Please check the Legal
Provisions document at https://trustee.ietf.org/license-info to determine
if you need the pre-RFC5378 disclaimer.
-- The document date (May 22, 2006) is 4772 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Missing Reference: '0' is mentioned on line 361, but not defined
-- Possible downref: Non-RFC (?) normative reference: ref. '1'
-- Possible downref: Non-RFC (?) normative reference: ref. '2'
-- Possible downref: Non-RFC (?) normative reference: ref. '3'
-- Possible downref: Non-RFC (?) normative reference: ref. '4'
** Obsolete normative reference: RFC 2437 (ref. '5') (Obsoleted by RFC 3447)
Summary: 8 errors (**), 0 flaws (~~), 7 warnings (==), 7 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Internet Draft M. Boesgaard, M. Vesterager, E. Zenner
3 Cryptico A/S
4 November 22, 2005
6 This document expires May 22, 2006
8 A Description of the Rabbit Stream Cipher Algorithm
9
11 IPR Statement
13 By submitting this Internet-Draft, each author represents that any
14 applicable patent or other IPR claims of which he or she is aware
15 have been or will be disclosed, and any of which he or she becomes
16 aware will be disclosed, in accordance with Section 6 of BCP 79.
18 Internet-Draft Boilerplate
20 Internet-Drafts are working documents of the Internet Engineering
21 Task Force (IETF), its areas, and its working groups. Note that
22 other groups may also distribute working documents as Internet-
23 Drafts.
25 Internet-Drafts are draft documents valid for a maximum of six months
26 and may be updated, replaced, or obsoleted by other documents at any
27 time. It is inappropriate to use Internet-Drafts as reference
28 material or to cite them other than as "work in progress."
30 The list of current Internet-Drafts can be accessed at
31 http://www.ietf.org/1id-abstracts.txt
33 The list of Internet-Draft Shadow Directories can be accessed at
34 http://www.ietf.org/shadow.html
36 Abstract
38 This document describes the encryption algorithm Rabbit. It is a
39 stream cipher algorithm with a 128-bit key and 64-bit IV. The method
40 was published in 2003 and has been subject to public security and
41 performance revision. Its high performance makes it particularly
42 suited for the use with internet protocols where large amounts of
43 data have to be processed.
45 1. Introduction
47 Rabbit is a stream cipher algorithm that has been designed for high
48 performance in software implementations. Both key setup and
49 encryption are very fast, making the algorithm particularly suited
50 for all applications where large amounts of data or large numbers of
51 data packages have to be encrypted. Examples include, but are not
52 limited to, server-side encryption, multimedia encryption, hard-disk
53 encryption, and encryption on limited-resource devices.
55 The cipher is based on ideas derived from the behavior of certain
56 chaotic maps. These maps have been carefully discretized, resulting
57 in a compact stream cipher. Rabbit has been openly published in 2003
58 [1] and has not displayed any weaknesses to the time of this writing.
59 To ensure ongoing security evaluation, it was also submitted to the
60 ECRYPT eSTREAM project[2].
62 Technically, Rabbit consists of a pseudorandom bitstream generator
63 that takes a 128-bit key and a 64-bit initialization vector (IV) as
64 input and generates a stream of 128-bit blocks. Encryption is
65 performed by combining this output with the message, using the
66 exclusive-OR operation. Decryption is performed in exactly the same
67 way as encryption.
69 Further information about Rabbit, including reference implementation,
70 test vectors, performance figures, and security white papers, is
71 available from http://www.cryptico.com/.
73 2. Algorithm Description
75 2.1 Notation
77 This document uses the following elementary operators:
79 + integer addition.
80 * integer multiplication.
81 div integer division.
82 mod integer modulus.
83 ^ bitwise exclusive-OR operation.
84 <<< left rotation operator.
85 || concatenation operator.
87 When labeling bits of a variable A, the least significant bit is
88 denoted by A[0]. The notation A[h..g] represents bits h through g of
89 variable A, where h is more significant than g. Similar variables
90 are labeled by A0,A1,..., with the notation A(0),A(1),... being used
91 to denote those same variables if this improves readability.
93 Given a 64-bit word, the function MSW extracts the most significant
94 32 bits, while the function LSW extracts the least significant 32
95 bits.
97 Constants prefixed with 0x are in hexadecimal notation. In
98 particular, the constant WORDSIZE is defined to be 0x100000000.
100 2.2 Inner State
102 The internal state of the stream cipher consists of 513 bits. 512
103 bits are divided between eight 32-bit state variables X0,...,X7 and
104 eight 32-bit counter variables C0,...,C7. In addition, there is one
105 counter carry bit b.
107 2.3 Key Setup Scheme
109 The counter carry bit b is initialized to zero. The state and
110 counter words are derived from the key K[127..0].
112 The key is divided into subkeys K0 = K[15..0], K1 = K[31..16], ...
113 K7 = K[127..112]. The initial state is initialized as follows:
115 for j=0 to 7:
116 if j is even:
117 Xj = K(j+1 mod 8) || Kj
118 Cj = K(j+4 mod 8) || K(j+5 mod 8)
119 else:
120 Xj = K(j+5 mod 8) || K(j+4 mod 8)
121 Cj = Kj || K(j+1 mod 8)
123 The system is then iterated four times, each iteration consisting
124 of counter update (section 2.5) and next-state function (section
125 2.6). After that, the counter variables are reinitialized to:
127 for j=0 to 7:
128 Cj = Cj ^ X(j+4 mod 8)
130 2.4 IV Setup Scheme
132 If an IV is used for encryption, the counter variables are modified
133 after the key setup. Denoting the IV bits by IV[63..0], the setup
134 proceeds as follows:
136 C0 = C0 ^ IV[31..0] C1 = C1 ^ (IV[63..48] || IV[31..16])
137 C2 = C2 ^ IV[63..32] C3 = C3 ^ (IV[47..32] || IV[15..0])
138 C4 = C4 ^ IV[31..0] C5 = C5 ^ (IV[63..48] || IV[31..16])
139 C6 = C6 ^ IV[63..32] C7 = C7 ^ (IV[47..32] || IV[15..0])
141 The system is then iterated another 4 times, each iteration
142 consisting of counter update (section 2.5) and next-state function
143 (section 2.6).
145 The relationship between key and IV setup is as follows:
146 - After the key setup, the resulting inner state is saved as a master
147 state. Then the IV setup is run to obtain the first encryption
148 starting state.
149 - Whenever re-initialization under a new IV is necessary, the IV
150 setup is run on the master state again to derive the next
151 encryption starting state.
153 2.5 Counter System
155 Before each execution of the next-state function (section 2.6), the
156 counter system has to be updated. This system uses constants
157 A1,...,A7, as follows:
159 A0 = 0x4D34D34D A1 = 0xD34D34D3
160 A2 = 0x34D34D34 A3 = 0x4D34D34D
161 A4 = 0xD34D34D3 A5 = 0x34D34D34
162 A6 = 0x4D34D34D A7 = 0xD34D34D3
164 It also uses the counter carry bit b to update the counter system, as
165 follows:
167 for j=0 to 7:
168 temp = Cj + Aj + b
169 b = temp div WORDSIZE
170 Cj = temp mod WORDSIZE
172 Note that on exiting this loop, the variable b has to be preserved
173 for the next iteration of the system.
175 2.6 Next-State Function
177 The core of the Rabbit algorithm is the next-state function. It is
178 based on the function g, which transforms two 32-bit inputs into one
179 32-bit output, as follows:
181 g(u,v) = LSW(square(u+v)) ^ MSW(square(u+v))
183 where square(u+v) = ((u+v mod WORDSIZE) * (u+v mod WORDSIZE)).
185 Using this function, the algorithm updates the inner state as
186 follows:
188 for j=0 to 7:
189 Gj = g(Xj,Cj)
191 X0 = G0 + (G7 <<< 16) + (G6 <<< 16) mod WORDSIZE
192 X1 = G1 + (G0 <<< 8) + G7 mod WORDSIZE
193 X2 = G2 + (G1 <<< 16) + (G0 <<< 16) mod WORDSIZE
194 X3 = G3 + (G2 <<< 8) + G1 mod WORDSIZE
195 X4 = G4 + (G3 <<< 16) + (G2 <<< 16) mod WORDSIZE
196 X5 = G5 + (G4 <<< 8) + G3 mod WORDSIZE
197 X6 = G6 + (G5 <<< 16) + (G4 <<< 16) mod WORDSIZE
198 X7 = G7 + (G6 <<< 8) + G5 mod WORDSIZE
200 2.7 Extraction Scheme
202 After the key and IV setup are concluded, the algorithm is iterated
203 in order to produce one 128-bit output block S per round. Each round
204 consists of executing steps 2.5 and 2.6 and then extracting an output
205 S[127..0] as follows:
207 S[15..0] = X0[15..0] ^ X5[31..16]
208 S[31..16] = X0[31..16] ^ X3[15..0]
209 S[47..32] = X2[15..0] ^ X7[31..16]
210 S[63..48] = X2[31..16] ^ X5[15..0]
211 S[79..64] = X4[15..0] ^ X1[31..16]
212 S[95..80] = X4[31..16] ^ X7[15..0]
213 S[111..96] = X6[15..0] ^ X3[31..16]
214 S[127..112] = X6[31..16] ^ X1[15..0]
216 2.8 Encryption / Decryption Scheme
218 Given a 128-bit message block M, encryption E and decryption M' are
219 computed via
221 E = M ^ S and
222 M' = E ^ S.
224 If S is the same in both operations (as it should if the same key and
225 IV are used), then M = M'.
227 The encryption/decryption scheme is repeated until all blocks in the
228 message have been encrypted/decrypted. If the message size is not a
229 multiple of 128 bit, only the needed amount of least significant bits
230 from the last output block S is used for the last message block M.
232 In case the application requires the encryption of smaller blocks (or
233 even individual bits), a 128-bit buffer is used. The buffer is
234 initialized by generating a new value S and copying it into the
235 buffer. After that, all data blocks are encrypted using the least
236 significant bits in this buffer. Whenever the buffer is empty, a new
237 value S is generated and copied into the buffer.
239 3. Security Considerations
241 For an encryption algorithm, the security provided is of course the
242 most important issue. No security weaknesses have been found to
243 date, neither by the designers nor by independent cryptographers
244 scrutinizing the algorithms after its publication in [1]. Note that a
245 full discussion of Rabbit's security against known cryptanalytic
246 techniques is provided in [3].
248 In the following, we restrict ourselves to some rules on how to use
249 the Rabbit algorithm properly.
251 3.1 Message length
253 Rabbit was designed to encrypt up to 2 to the power of 64 128-bit
254 message blocks under the same the key. Should this amount of data
255 ever be exceeded, the key has to be replaced. It is recommended to
256 follow this rule even when the IV is changed on a regular basis.
258 3.2 Initialization vector
260 It is possible to run Rabbit without the IV setup. However, in this
261 case, the generator must never be reset under the same key, since
262 this would destroy its security (for a recent example, see [4]).
263 However, in order to guarantee synchronization between sender and
264 receiver, ciphers are frequently reset in practice. This means that
265 both sender and receiver set the inner state of the cipher back to a
266 known value and then derive the new encryption state using an IV. If
267 this is done, it is important to make sure that no IV is ever reused
268 under the same key.
270 4. IANA Consideration
272 No IANA considerations.
274 Appendix A. Test Vectors
276 This is a set of test vectors for conformance testing, given in
277 octet form. For use with Rabbit, they have to be transformed into
278 integers by the conversion primitives OS2IP and I2OSP, as described
279 in [5].
281 A.1 Testing without IV setup
283 key = [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]
284 S[0] = [B1 57 54 F0 36 A5 D6 EC F5 6B 45 26 1C 4A F7 02]
285 S[1] = [88 E8 D8 15 C5 9C 0C 39 7B 69 6C 47 89 C6 8A A7]
286 S[2] = [F4 16 A1 C3 70 0C D4 51 DA 68 D1 88 16 73 D6 96]
288 key = [91 28 13 29 2E 3D 36 FE 3B FC 62 F1 DC 51 C3 AC]
289 S[0] = [3D 2D F3 C8 3E F6 27 A1 E9 7F C3 84 87 E2 51 9C]
290 S[1] = [F5 76 CD 61 F4 40 5B 88 96 BF 53 AA 85 54 FC 19]
291 S[2] = [E5 54 74 73 FB DB 43 50 8A E5 3B 20 20 4D 4C 5E]
293 key = [83 95 74 15 87 E0 C7 33 E9 E9 AB 01 C0 9B 00 43]
294 S[0] = [0C B1 0D CD A0 41 CD AC 32 EB 5C FD 02 D0 60 9B]
295 S[1] = [95 FC 9F CA 0F 17 01 5A 7B 70 92 11 4C FF 3E AD]
296 S[2] = [96 49 E5 DE 8B FC 7F 3F 92 41 47 AD 3A 94 74 28]
298 A.2 Testing with IV setup
300 mkey = [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]
301 iv = [00 00 00 00 00 00 00 00]
302 S[0] = [C6 A7 27 5E F8 54 95 D8 7C CD 5D 37 67 05 B7 ED]
303 S[1] = [5F 29 A6 AC 04 F5 EF D4 7B 8F 29 32 70 DC 4A 8D]
304 S[2] = [2A DE 82 2B 29 DE 6C 1E E5 2B DB 8A 47 BF 8F 66]
306 iv = [C3 73 F5 75 C1 26 7E 59]
307 S[0] = [1F CD 4E B9 58 00 12 E2 E0 DC CC 92 22 01 7D 6D]
308 S[1] = [A7 5F 4E 10 D1 21 25 01 7B 24 99 FF ED 93 6F 2E]
309 S[2] = [EB C1 12 C3 93 E7 38 39 23 56 BD D0 12 02 9B A7]
311 iv = [A6 EB 56 1A D2 F4 17 27]
312 S[0] = [44 5A D8 C8 05 85 8D BF 70 B6 AF 23 A1 51 10 4D]
313 S[1] = [96 C8 F2 79 47 F4 2C 5B AE AE 67 C6 AC C3 5B 03]
314 S[2] = [9F CB FC 89 5F A7 1C 17 31 3D F0 34 F0 15 51 CB]
316 Appendix B. Debugging Vectors
318 The following set of vectors describes the inner state of Rabbit
319 during key and iv setup. It is meant mainly for debugging
320 purposes. Octet strings are written according to I2OSP conventions.
322 B.1 Testing round function and key setup
324 key = [91 28 13 29 2E ED 36 FE 3B FC 62 F1 DC 51 C3 AC]
326 Inner state after key expansion:
327 b = 0
328 X0 = 0xDC51C3AC, X1 = 0x13292E3D, X2 = 0x3BFC62F1, X3 = 0xC3AC9128,
329 X4 = 0x2E3D36FE, X5 = 0x62F1DC51, X6 = 0x91281329, X7 = 0x36FE3BFC,
330 C0 = 0x36FE2E3D, C1 = 0xDC5162F1, C2 = 0x13299128, C3 = 0x3BFC36FE,
331 C4 = 0xC3ACDC51, C5 = 0x2E3D1329, C6 = 0x62F13BFC, C7 = 0x9128C3AC
333 Inner state after first key setup iteration:
334 b = 1
335 X0 = 0xF2E8C8B1, X1 = 0x38E06FA7, X2 = 0x9A0D72C0, X3 = 0xF21F5334,
336 X4 = 0xCACDCCC3, X5 = 0x4B239CBE, X6 = 0x0565DCCC, X7 = 0xB1587C8D,
337 C0 = 0x8433018A, C1 = 0xAF9E97C4, C2 = 0x47FCDE5D, C3 = 0x89310A4B,
338 C4 = 0x96FA1124, C5 = 0x6310605E, C6 = 0xB0260F49, C7 = 0x6475F87F
340 Inner state after fourth key setup iteration:
341 b = 0
342 X0 = 0x1D059312, X1 = 0xBDDC3E45, X2 = 0xF440927D, X3 = 0x50CBB553,
343 X4 = 0x36709423, X5 = 0x0B6F0711, X6 = 0x3ADA3A7B, X7 = 0xEB9800C8,
344 C0 = 0x6BD17B74, C1 = 0x2986363E, C2 = 0xE676C5FC, C3 = 0x70CF8432,
345 C4 = 0x10E1AF9E, C5 = 0x018A47FD, C6 = 0x97C48931, C7 = 0xDE5D96F9
346 Inner state after final key setup xor:
347 b = 0
348 X0 = 0x1D059312, X1 = 0xBDDC3E45, X2 = 0xF440927D, X3 = 0x50CBB553,
349 X4 = 0x36709423, X5 = 0x0B6F0711, X6 = 0x3ADA3A7B, X7 = 0xEB9800C8,
350 C0 = 0x5DA1EF57, C1 = 0x22E9312F, C2 = 0xDCACFF87, C3 = 0x9B5784FA,
351 C4 = 0x0DE43C8C, C5 = 0xBC5679B8, C6 = 0x63841B4C, C7 = 0x8E9623AA
353 Inner state after generation of 48 bytes of output:
354 b = 1
355 X0 = 0xB5428566, X1 = 0xA2593617, X2 = 0xFF5578DE, X3 = 0x7293950F,
356 X4 = 0x145CE109, X5 = 0xC93875B0, X6 = 0xD34306E0, X7 = 0x43FEEF87,
357 C0 = 0x45406940, C1 = 0x9CD0CFA9, C2 = 0x7B26E725, C3 = 0x82F5FEE2,
358 C4 = 0x87CBDB06, C5 = 0x5AD06156, C6 = 0x4B229534, C7 = 0x087DC224
360 The 48 output bytes:
361 S[0] = [3D 2D F3 C8 3E F6 27 A1 E9 7F C3 84 87 E2 51 9C]
362 S[1] = [F5 76 CD 61 F4 40 5B 88 96 BF 53 AA 85 54 FC 19]
363 S[2] = [E5 54 74 73 FB DB 43 50 8A E5 3B 20 20 4D 4C 5E]
365 B.2 Testing the IV setup
367 key = [91 28 13 29 2E ED 36 FE 3B FC 62 F1 DC 51 C3 AC]
368 iv = [C3 73 F5 75 C1 26 7E 59]
370 Inner state during key setup:
371 as above
373 Inner state after IV expansion:
374 b = 0
375 X0 = 0x1D059312, X1 = 0xBDDC3E45, X2 = 0xF440927D, X3 = 0x50CBB553,
376 X4 = 0x36709423, X5 = 0x0B6F0711, X6 = 0x3ADA3A7B, X7 = 0xEB9800C8,
377 C0 = 0x9C87910E, C1 = 0xE19AF009, C2 = 0x1FDF0AF2, C3 = 0x6E22FAA3,
378 C4 = 0xCCC242D5, C5 = 0x7F25B89E, C6 = 0xA0F7EE39, C7 = 0x7BE35DF3
380 Inner state after first IV setup iteration:
381 b = 1
382 X0 = 0xC4FF831A, X1 = 0xEF5CD094, X2 = 0xC5933855, X3 = 0xC05A5C03,
383 X4 = 0x4A50522F, X5 = 0xDF487BE4, X6 = 0xA45FA013, X7 = 0x05531179,
384 C0 = 0xE9BC645B, C1 = 0xB4E824DC, C2 = 0x54B25827, C3 = 0xBB57CDF0,
385 C4 = 0xA00F77A8, C5 = 0xB3F905D3, C6 = 0xEE2CC186, C7 = 0x4F3092C6
387 Inner state after fourth IV setup iteration:
388 b = 1
389 X0 = 0x6274E424, X1 = 0xE14CE120, X2 = 0xDA8739D9, X3 = 0x65E0402D,
390 X4 = 0xD1281D10, X5 = 0xBD435BAA, X6 = 0x4E9E7A02, X7 = 0x9B467ABD,
391 C0 = 0xD15ADE44, C1 = 0x2ECFC356, C2 = 0xF32C3FC6, C3 = 0xA2F647D7,
392 C4 = 0x19F71622, C5 = 0x5272ED72, C6 = 0xD5CB3B6E, C7 = 0xC9183140
394 References
396 [1] M. Boesgaard, M. Vesterager, T. Pedersen, J. Christiansen,
397 O. Scavenius. "Rabbit: A New High-Performance Stream Cipher".
398 Proc. Fast Software Encryption 2003, Lecture Notes in Computer
399 Science 2887, p. 307-329. Springer, 2003.
401 [2] ECRYPT eSTREAM project, available from
402 http://www.ecrypt.eu.org/stream/
404 [3] M. Boesgaard, T. Pedersen, M. Vesterager, E. Zenner. "The
405 Rabbit Stream Cipher - Design and Security Analysis". Proc.
406 SASC Workshop 2004, available from http://www.isg.rhul.ac.uk/
407 research/projects/ecrypt/stvl/sasc.html.
409 [4] H. Wu. "The Misuse of RC4 in Microsoft Word and Excel".
410 IACR eprint archive 2005/007, available from
411 http://eprint.iacr.org/2005/007.pdf.
413 [5] B. Kaliski, J. Staddon. "PKCS #1: RSA Cryptography
414 Specifications, Version 2.0". RFC 2437. 1998.
416 Authors' Address
418 Martin Boesgaard, Mette Vesterager, Erik Zenner
419 Cryptico A/S
420 Fruebjergvej 3
421 2100 Copenhagen
422 Denmark
424 phone: +45 39 17 96 06
425 email: {mab,mvp,ez}@cryptico.com
426 URL: http://wwww.cryptico.com
428 Copyright Notice
430 Copyright (C) The Internet Society (2005). This document is subject
431 to the rights, licenses and restrictions contained in BCP 78, and
432 except as set forth therein, the authors retain all their rights.
434 This document and the information contained herein are provided on an
435 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
436 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
437 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
438 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
439 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
440 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
442 This document expires May 22, 2006