Network Working Group M. Boesgaard
Request for Comments: 4503 M. Vesterager
Category: Informational E. Zenner
Cryptico A/S
May 2006
Network Working Group M. Boesgaard
Request for Comments: 4503 M. Vesterager
Category: Informational E. Zenner
Cryptico A/S
May 2006
A Description of the Rabbit Stream Cipher Algorithm
Rabbit流密码算法的描述
Status of This Memo
关于下段备忘
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2006).
版权所有(C)互联网协会(2006年)。
Abstract
摘要
This document describes the encryption algorithm Rabbit. It is a stream cipher algorithm with a 128-bit key and 64-bit initialization vector (IV). The method was published in 2003 and has been subject to public security and performance revision. Its high performance makes it particularly suited for the use with Internet protocols where large amounts of data have to be processed.
本文档介绍加密算法Rabbit。它是一种具有128位密钥和64位初始化向量(IV)的流密码算法。该方法于2003年发布,并已接受公共安全和绩效修订。它的高性能使其特别适用于需要处理大量数据的Internet协议。
Table of Contents
目录
1. Introduction ....................................................2
2. Algorithm Description ...........................................2
2.1. Notation ...................................................2
2.2. Inner State ................................................3
2.3. Key Setup Scheme ...........................................3
2.4. IV Setup Scheme ............................................3
2.5. Counter System .............................................4
2.6. Next-State Function ........................................4
2.7. Extraction Scheme ..........................................5
2.8. Encryption/Decryption Scheme ...............................5
3. Security Considerations .........................................6
3.1. Message Length .............................................6
3.2. Initialization Vector ......................................6
4. Informative References ..........................................7
Appendix A: Test Vectors ...........................................8
A.1. Testing without IV Setup ...................................8
A.2. Testing with IV Setup ......................................8
Appendix B: Debugging Vectors ......................................9
1. Introduction ....................................................2
2. Algorithm Description ...........................................2
2.1. Notation ...................................................2
2.2. Inner State ................................................3
2.3. Key Setup Scheme ...........................................3
2.4. IV Setup Scheme ............................................3
2.5. Counter System .............................................4
2.6. Next-State Function ........................................4
2.7. Extraction Scheme ..........................................5
2.8. Encryption/Decryption Scheme ...............................5
3. Security Considerations .........................................6
3.1. Message Length .............................................6
3.2. Initialization Vector ......................................6
4. Informative References ..........................................7
Appendix A: Test Vectors ...........................................8
A.1. Testing without IV Setup ...................................8
A.2. Testing with IV Setup ......................................8
Appendix B: Debugging Vectors ......................................9
B.1. Testing Round Function and Key Setup .......................9
B.2. Testing the IV setup ......................................10
B.1. Testing Round Function and Key Setup .......................9
B.2. Testing the IV setup ......................................10
Rabbit is a stream cipher algorithm that has been designed for high performance in software implementations. Both key setup and encryption are very fast, making the algorithm particularly suited for all applications where large amounts of data or large numbers of data packages have to be encrypted. Examples include, but are not limited to, server-side encryption, multimedia encryption, hard-disk encryption, and encryption on limited-resource devices.
Rabbit是一种流密码算法,专为软件实现中的高性能而设计。密钥设置和加密都非常快,因此该算法特别适合于需要加密大量数据或大量数据包的所有应用程序。示例包括但不限于服务器端加密、多媒体加密、硬盘加密和有限资源设备上的加密。
The cipher is based on ideas derived from the behavior of certain chaotic maps. These maps have been carefully discretized, resulting in a compact stream cipher. Rabbit has been openly published in 2003 [1] and has not displayed any weaknesses as of the time of this writing. To ensure ongoing security evaluation, it was also submitted to the ECRYPT eSTREAM project[2].
该密码基于某些混沌映射行为的思想。这些映射经过仔细的离散化,得到了一个紧凑的流密码。Rabbit已于2003年公开发表[1],截至撰写本文时,并未显示出任何弱点。为了确保持续的安全评估,还将其提交给了ECRYPT eSTREAM项目[2]。
Technically, Rabbit consists of a pseudorandom bitstream generator that takes a 128-bit key and a 64-bit initialization vector (IV) as input and generates a stream of 128-bit blocks. Encryption is performed by combining this output with the message, using the exclusive-OR operation. Decryption is performed in exactly the same way as encryption.
从技术上讲,Rabbit由一个伪随机比特流生成器组成,该生成器接受128位密钥和64位初始化向量(IV)作为输入,并生成128位块的流。通过使用异或操作将此输出与消息组合来执行加密。解密的执行方式与加密完全相同。
Further information about Rabbit, including reference implementation, test vectors, performance figures, and security white papers, is available from http://www.cryptico.com/.
有关Rabbit的更多信息,包括参考实现、测试向量、性能数据和安全白皮书,请访问http://www.cryptico.com/.
This document uses the following elementary operators:
本文档使用以下基本运算符:
+ integer addition. * integer multiplication. div integer division. mod integer modulus. ^ bitwise exclusive-OR operation. <<< left rotation operator. || concatenation operator.
+整数加法。*整数乘法。div整数除法。模整数模。^按位异或运算。<<<左旋转运算符。||串联运算符。
When labeling bits of a variable, A, the least significant bit is denoted by A[0]. The notation A[h..g] represents bits h through g of variable A, where h is more significant than g. Similar variables
标记变量a的位时,最低有效位用a[0]表示。符号A[h..g]表示变量A的位h到g,其中h比g更重要。相似变量
are labeled by A0,A1,... with the notation A(0),A(1),... being used to denote those same variables if this improves readability.
标记为A0、A1、,。。。用符号A(0),A(1),。。。用于表示那些相同的变量,如果这样可以提高可读性的话。
Given a 64-bit word, the function MSW extracts the most significant 32 bits, whereas the function LSW extracts the least significant 32 bits.
给定64位字,函数MSW提取最高有效32位,而函数LSW提取最低有效32位。
Constants prefixed with 0x are in hexadecimal notation. In particular, the constant WORDSIZE is defined to be 0x100000000.
前缀为0x的常量采用十六进制表示法。具体而言,常量字号定义为0x100000000。
The internal state of the stream cipher consists of 513 bits. 512 bits are divided between eight 32-bit state variables, X0,...,X7 and eight 32-bit counter variables, C0,...,C7. In addition, there is one counter carry bit, b.
流密码的内部状态由513位组成。512位被分成八个32位状态变量X0、…、X7和八个32位计数器变量C0、…、C7。此外,还有一个计数器进位b。
The counter carry bit b is initialized to zero. The state and counter words are derived from the key K[127..0].
计数器进位b初始化为零。状态字和计数器字来自键K[127..0]。
The key is divided into subkeys K0 = K[15..0], K1 = K[31..16], ... K7 = K[127..112]. The initial state is initialized as follows:
该键分为子键K0=K[15..0],K1=K[31..16]。。。K7=K[127..112]。初始状态初始化如下:
for j=0 to 7:
if j is even:
Xj = K(j+1 mod 8) || Kj
Cj = K(j+4 mod 8) || K(j+5 mod 8)
else:
Xj = K(j+5 mod 8) || K(j+4 mod 8)
Cj = Kj || K(j+1 mod 8)
for j=0 to 7:
if j is even:
Xj = K(j+1 mod 8) || Kj
Cj = K(j+4 mod 8) || K(j+5 mod 8)
else:
Xj = K(j+5 mod 8) || K(j+4 mod 8)
Cj = Kj || K(j+1 mod 8)
The system is then iterated four times, each iteration consisting of counter update (Section 2.5) and next-state function (Section 2.6). After that, the counter variables are reinitialized to
然后对系统进行四次迭代,每次迭代包括计数器更新(第2.5节)和下一状态函数(第2.6节)。之后,计数器变量将重新初始化为
for j=0 to 7:
Cj = Cj ^ X(j+4 mod 8)
for j=0 to 7:
Cj = Cj ^ X(j+4 mod 8)
If an IV is used for encryption, the counter variables are modified after the key setup. Denoting the IV bits by IV[63..0], the setup proceeds as follows:
如果IV用于加密,则在密钥设置后修改计数器变量。通过IV[63..0]表示IV位,设置过程如下:
C0 = C0 ^ IV[31..0] C1 = C1 ^ (IV[63..48] || IV[31..16])
C2 = C2 ^ IV[63..32] C3 = C3 ^ (IV[47..32] || IV[15..0])
C0 = C0 ^ IV[31..0] C1 = C1 ^ (IV[63..48] || IV[31..16])
C2 = C2 ^ IV[63..32] C3 = C3 ^ (IV[47..32] || IV[15..0])
C4 = C4 ^ IV[31..0] C5 = C5 ^ (IV[63..48] || IV[31..16])
C6 = C6 ^ IV[63..32] C7 = C7 ^ (IV[47..32] || IV[15..0])
C4 = C4 ^ IV[31..0] C5 = C5 ^ (IV[63..48] || IV[31..16])
C6 = C6 ^ IV[63..32] C7 = C7 ^ (IV[47..32] || IV[15..0])
The system is then iterated another 4 times, each iteration consisting of counter update (Section 2.5) and next-state function (Section 2.6).
然后系统再迭代4次,每次迭代包括计数器更新(第2.5节)和下一状态函数(第2.6节)。
The relationship between key and IV setup is as follows:
钥匙和IV设置之间的关系如下:
- After the key setup, the resulting inner state is saved as a master state. Then the IV setup is run to obtain the first encryption starting state.
- 密钥设置后,生成的内部状态保存为主状态。然后运行IV设置以获得第一个加密开始状态。
- Whenever re-initialization under a new IV is necessary, the IV setup is run on the master state again to derive the next encryption starting state.
- 每当需要在新IV下重新初始化时,IV设置将在主状态下再次运行,以导出下一个加密启动状态。
Before each execution of the next-state function (Section 2.6), the counter system has to be updated. This system uses constants A1,...,A7, as follows:
在每次执行下一状态功能(第2.6节)之前,必须更新计数器系统。该系统使用常数A1、…、A7,如下所示:
A0 = 0x4D34D34D A1 = 0xD34D34D3
A2 = 0x34D34D34 A3 = 0x4D34D34D
A4 = 0xD34D34D3 A5 = 0x34D34D34
A6 = 0x4D34D34D A7 = 0xD34D34D3
A0 = 0x4D34D34D A1 = 0xD34D34D3
A2 = 0x34D34D34 A3 = 0x4D34D34D
A4 = 0xD34D34D3 A5 = 0x34D34D34
A6 = 0x4D34D34D A7 = 0xD34D34D3
It also uses the counter carry bit b to update the counter system, as follows:
它还使用计数器进位b更新计数器系统,如下所示:
for j=0 to 7:
temp = Cj + Aj + b
b = temp div WORDSIZE
Cj = temp mod WORDSIZE
for j=0 to 7:
temp = Cj + Aj + b
b = temp div WORDSIZE
Cj = temp mod WORDSIZE
Note that on exiting this loop, the variable b has to be preserved for the next iteration of the system.
请注意,退出此循环时,必须为系统的下一次迭代保留变量b。
The core of the Rabbit algorithm is the next-state function. It is based on the function g, which transforms two 32-bit inputs into one 32-bit output, as follows:
兔子算法的核心是下一个状态函数。它基于函数g,该函数将两个32位输入转换为一个32位输出,如下所示:
g(u,v) = LSW(square(u+v)) ^ MSW(square(u+v))
g(u,v) = LSW(square(u+v)) ^ MSW(square(u+v))
where square(u+v) = ((u+v mod WORDSIZE) * (u+v mod WORDSIZE)).
where square(u+v) = ((u+v mod WORDSIZE) * (u+v mod WORDSIZE)).
Using this function, the algorithm updates the inner state as follows:
使用此函数,算法更新内部状态,如下所示:
for j=0 to 7:
Gj = g(Xj,Cj)
for j=0 to 7:
Gj = g(Xj,Cj)
X0 = G0 + (G7 <<< 16) + (G6 <<< 16) mod WORDSIZE
X1 = G1 + (G0 <<< 8) + G7 mod WORDSIZE
X2 = G2 + (G1 <<< 16) + (G0 <<< 16) mod WORDSIZE
X3 = G3 + (G2 <<< 8) + G1 mod WORDSIZE
X4 = G4 + (G3 <<< 16) + (G2 <<< 16) mod WORDSIZE
X5 = G5 + (G4 <<< 8) + G3 mod WORDSIZE
X6 = G6 + (G5 <<< 16) + (G4 <<< 16) mod WORDSIZE
X7 = G7 + (G6 <<< 8) + G5 mod WORDSIZE
X0 = G0 + (G7 <<< 16) + (G6 <<< 16) mod WORDSIZE
X1 = G1 + (G0 <<< 8) + G7 mod WORDSIZE
X2 = G2 + (G1 <<< 16) + (G0 <<< 16) mod WORDSIZE
X3 = G3 + (G2 <<< 8) + G1 mod WORDSIZE
X4 = G4 + (G3 <<< 16) + (G2 <<< 16) mod WORDSIZE
X5 = G5 + (G4 <<< 8) + G3 mod WORDSIZE
X6 = G6 + (G5 <<< 16) + (G4 <<< 16) mod WORDSIZE
X7 = G7 + (G6 <<< 8) + G5 mod WORDSIZE
After the key and IV setup are concluded, the algorithm is iterated in order to produce one 128-bit output block, S, per round. Each round consists of executing steps 2.5 and 2.6 and then extracting an output S[127..0] as follows:
密钥和IV设置结束后,迭代该算法,以便每轮生成一个128位输出块S。每轮包括执行步骤2.5和2.6,然后提取输出S[127..0],如下所示:
S[15..0] = X0[15..0] ^ X5[31..16]
S[31..16] = X0[31..16] ^ X3[15..0]
S[47..32] = X2[15..0] ^ X7[31..16]
S[63..48] = X2[31..16] ^ X5[15..0]
S[79..64] = X4[15..0] ^ X1[31..16]
S[95..80] = X4[31..16] ^ X7[15..0]
S[111..96] = X6[15..0] ^ X3[31..16]
S[127..112] = X6[31..16] ^ X1[15..0]
S[15..0] = X0[15..0] ^ X5[31..16]
S[31..16] = X0[31..16] ^ X3[15..0]
S[47..32] = X2[15..0] ^ X7[31..16]
S[63..48] = X2[31..16] ^ X5[15..0]
S[79..64] = X4[15..0] ^ X1[31..16]
S[95..80] = X4[31..16] ^ X7[15..0]
S[111..96] = X6[15..0] ^ X3[31..16]
S[127..112] = X6[31..16] ^ X1[15..0]
Given a 128-bit message block, M, encryption E and decryption M' are computed via
给定128位消息块,通过
E = M ^ S and M' = E ^ S.
E=M^S和M'=E^S。
If S is the same in both operations (as it should be if the same key and IV are used), then M = M'.
如果两个操作中的S相同(如果使用相同的键和IV,则应如此),则M=M'。
The encryption/decryption scheme is repeated until all blocks in the message have been encrypted/decrypted. If the message size is not a multiple of 128 bits, only the needed amount of least significant bits from the last output block S is used for the last message block M.
重复加密/解密方案,直到消息中的所有块都已加密/解密。如果消息大小不是128位的倍数,则只有来自最后一个输出块S的所需最低有效位量用于最后一个消息块M。
If the application requires the encryption of smaller blocks (or even individual bits), a 128-bit buffer is used. The buffer is initialized by generating a new value, S, and copying it into the buffer. After that, all data blocks are encrypted using the least significant bits in this buffer. Whenever the buffer is empty, a new value S is generated and copied into the buffer.
如果应用程序需要加密较小的块(甚至单个位),则使用128位缓冲区。通过生成一个新值S并将其复制到缓冲区中来初始化缓冲区。然后,使用该缓冲区中的最低有效位对所有数据块进行加密。只要缓冲区为空,就会生成一个新值S并将其复制到缓冲区中。
For an encryption algorithm, the security provided is, of course, the most important issue. No security weaknesses have been found to date, neither by the designers nor by independent cryptographers scrutinizing the algorithms after its publication in [1]. Note that a full discussion of Rabbit's security against known cryptanalytic techniques is provided in [3].
对于加密算法,提供的安全性当然是最重要的问题。到目前为止,无论是设计者还是独立的密码学家,在[1]中公布算法后,都没有发现任何安全漏洞。请注意,[3]中对Rabbit针对已知密码分析技术的安全性进行了全面讨论。
In the following, we restrict ourselves to some rules on how to use the Rabbit algorithm properly.
在下文中,我们将自己局限于一些关于如何正确使用兔子算法的规则。
Rabbit was designed to encrypt up to 2 to the power of 64 128-bit message blocks under the same the key. Should this amount of data ever be exceeded, the key has to be replaced. It is recommended to follow this rule even when the IV is changed on a regular basis.
Rabbit设计用于在同一密钥下加密多达2到64 128位消息块的幂。如果超过此数据量,则必须更换钥匙。即使定期更换IV,也建议遵循此规则。
It is possible to run Rabbit without the IV setup. However, in this case, the generator must never be reset under the same key, since this would destroy its security (for a recent example, see [4]). However, in order to guarantee synchronization between sender and receiver, ciphers are frequently reset in practice. This means that both sender and receiver set the inner state of the cipher back to a known value and then derive the new encryption state using an IV. If this is done, it is important to make sure that no IV is ever reused under the same key.
可以在没有IV设置的情况下运行Rabbit。但是,在这种情况下,不得在同一密钥下重置生成器,因为这会破坏其安全性(最近的示例,请参见[4])。然而,为了保证发送方和接收方之间的同步,密码在实践中经常被重置。这意味着发送方和接收方都将密码的内部状态设置回一个已知值,然后使用IV派生新的加密状态。如果这样做,则确保在同一密钥下不会重复使用IV是很重要的。
[1] M. Boesgaard, M. Vesterager, T. Pedersen, J. Christiansen, O. Scavenius. "Rabbit: A New High-Performance Stream Cipher". Proc. Fast Software Encryption 2003, Lecture Notes in Computer Science 2887, p. 307-329. Springer, 2003.
[1] 博斯加德先生、维斯特拉格先生、彼得森先生、克里斯蒂安森先生、斯加维纳斯先生。“兔子:一种新的高性能流密码”。过程。Fast Software Encryption 2003,《计算机科学课堂讲稿》2887页。307-329. 斯普林格,2003年。
[2] ECRYPT eSTREAM project, available from
http://www.ecrypt.eu.org/stream/
[2] ECRYPT eSTREAM project, available from
http://www.ecrypt.eu.org/stream/
[3] M. Boesgaard, T. Pedersen, M. Vesterager, E. Zenner. "The Rabbit Stream Cipher - Design and Security Analysis". Proc. SASC Workshop 2004, available from http://www.isg.rhul.ac.uk/research/ projects/ecrypt/stvl/sasc.html.
[3] 博斯加德先生、彼得森先生、维斯特拉格先生、泽纳先生。“兔子流密码-设计和安全性分析”。过程。国资委2004年研讨会,可从http://www.isg.rhul.ac.uk/research/ projects/ecrypt/stvl/sasc.html。
[4] H. Wu. "The Misuse of RC4 in Microsoft Word and Excel". IACR eprint archive 2005/007, available from http://eprint.iacr.org/2005/007.pdf.
[4] 吴先生。“在Microsoft Word和Excel中滥用RC4”。IACR eprint存档2005/007,可从http://eprint.iacr.org/2005/007.pdf.
[5] Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC 3447, February 2003.
[5] Jonsson,J.和B.Kaliski,“公钥密码标准(PKCS)#1:RSA密码规范版本2.1”,RFC 3447,2003年2月。
Appendix A: Test Vectors
附录A:测试向量
This is a set of test vectors for conformance testing, given in octet form. For use with Rabbit, they have to be transformed into integers by the conversion primitives OS2IP and I2OSP, as described in [5].
这是一致性测试的一组测试向量,以八位字节形式给出。对于Rabbit,必须通过转换原语OS2IP和I2OSP将它们转换为整数,如[5]所述。
key = [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]
S[0] = [B1 57 54 F0 36 A5 D6 EC F5 6B 45 26 1C 4A F7 02]
S[1] = [88 E8 D8 15 C5 9C 0C 39 7B 69 6C 47 89 C6 8A A7]
S[2] = [F4 16 A1 C3 70 0C D4 51 DA 68 D1 88 16 73 D6 96]
key = [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]
S[0] = [B1 57 54 F0 36 A5 D6 EC F5 6B 45 26 1C 4A F7 02]
S[1] = [88 E8 D8 15 C5 9C 0C 39 7B 69 6C 47 89 C6 8A A7]
S[2] = [F4 16 A1 C3 70 0C D4 51 DA 68 D1 88 16 73 D6 96]
key = [91 28 13 29 2E 3D 36 FE 3B FC 62 F1 DC 51 C3 AC]
S[0] = [3D 2D F3 C8 3E F6 27 A1 E9 7F C3 84 87 E2 51 9C]
S[1] = [F5 76 CD 61 F4 40 5B 88 96 BF 53 AA 85 54 FC 19]
S[2] = [E5 54 74 73 FB DB 43 50 8A E5 3B 20 20 4D 4C 5E]
key = [91 28 13 29 2E 3D 36 FE 3B FC 62 F1 DC 51 C3 AC]
S[0] = [3D 2D F3 C8 3E F6 27 A1 E9 7F C3 84 87 E2 51 9C]
S[1] = [F5 76 CD 61 F4 40 5B 88 96 BF 53 AA 85 54 FC 19]
S[2] = [E5 54 74 73 FB DB 43 50 8A E5 3B 20 20 4D 4C 5E]
key = [83 95 74 15 87 E0 C7 33 E9 E9 AB 01 C0 9B 00 43]
S[0] = [0C B1 0D CD A0 41 CD AC 32 EB 5C FD 02 D0 60 9B]
S[1] = [95 FC 9F CA 0F 17 01 5A 7B 70 92 11 4C FF 3E AD]
S[2] = [96 49 E5 DE 8B FC 7F 3F 92 41 47 AD 3A 94 74 28]
key = [83 95 74 15 87 E0 C7 33 E9 E9 AB 01 C0 9B 00 43]
S[0] = [0C B1 0D CD A0 41 CD AC 32 EB 5C FD 02 D0 60 9B]
S[1] = [95 FC 9F CA 0F 17 01 5A 7B 70 92 11 4C FF 3E AD]
S[2] = [96 49 E5 DE 8B FC 7F 3F 92 41 47 AD 3A 94 74 28]
mkey = [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]
iv = [00 00 00 00 00 00 00 00]
S[0] = [C6 A7 27 5E F8 54 95 D8 7C CD 5D 37 67 05 B7 ED]
S[1] = [5F 29 A6 AC 04 F5 EF D4 7B 8F 29 32 70 DC 4A 8D]
S[2] = [2A DE 82 2B 29 DE 6C 1E E5 2B DB 8A 47 BF 8F 66]
mkey = [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00]
iv = [00 00 00 00 00 00 00 00]
S[0] = [C6 A7 27 5E F8 54 95 D8 7C CD 5D 37 67 05 B7 ED]
S[1] = [5F 29 A6 AC 04 F5 EF D4 7B 8F 29 32 70 DC 4A 8D]
S[2] = [2A DE 82 2B 29 DE 6C 1E E5 2B DB 8A 47 BF 8F 66]
iv = [C3 73 F5 75 C1 26 7E 59]
S[0] = [1F CD 4E B9 58 00 12 E2 E0 DC CC 92 22 01 7D 6D]
S[1] = [A7 5F 4E 10 D1 21 25 01 7B 24 99 FF ED 93 6F 2E]
S[2] = [EB C1 12 C3 93 E7 38 39 23 56 BD D0 12 02 9B A7]
iv = [C3 73 F5 75 C1 26 7E 59]
S[0] = [1F CD 4E B9 58 00 12 E2 E0 DC CC 92 22 01 7D 6D]
S[1] = [A7 5F 4E 10 D1 21 25 01 7B 24 99 FF ED 93 6F 2E]
S[2] = [EB C1 12 C3 93 E7 38 39 23 56 BD D0 12 02 9B A7]
iv = [A6 EB 56 1A D2 F4 17 27]
S[0] = [44 5A D8 C8 05 85 8D BF 70 B6 AF 23 A1 51 10 4D]
S[1] = [96 C8 F2 79 47 F4 2C 5B AE AE 67 C6 AC C3 5B 03]
S[2] = [9F CB FC 89 5F A7 1C 17 31 3D F0 34 F0 15 51 CB]
iv = [A6 EB 56 1A D2 F4 17 27]
S[0] = [44 5A D8 C8 05 85 8D BF 70 B6 AF 23 A1 51 10 4D]
S[1] = [96 C8 F2 79 47 F4 2C 5B AE AE 67 C6 AC C3 5B 03]
S[2] = [9F CB FC 89 5F A7 1C 17 31 3D F0 34 F0 15 51 CB]
Appendix B: Debugging Vectors
附录B:调试向量
The following set of vectors describes the inner state of Rabbit during key and iv setup. It is meant mainly for debugging purposes. Octet strings are written according to I2OSP conventions.
以下向量集描述了按键和iv设置期间兔子的内部状态。它主要用于调试目的。八位字节字符串是根据I2OSP约定编写的。
key = [91 28 13 29 2E ED 36 FE 3B FC 62 F1 DC 51 C3 AC]
key = [91 28 13 29 2E ED 36 FE 3B FC 62 F1 DC 51 C3 AC]
Inner state after key expansion:
b = 0
X0 = 0xDC51C3AC, X1 = 0x13292E3D, X2 = 0x3BFC62F1, X3 = 0xC3AC9128,
X4 = 0x2E3D36FE, X5 = 0x62F1DC51, X6 = 0x91281329, X7 = 0x36FE3BFC,
C0 = 0x36FE2E3D, C1 = 0xDC5162F1, C2 = 0x13299128, C3 = 0x3BFC36FE,
C4 = 0xC3ACDC51, C5 = 0x2E3D1329, C6 = 0x62F13BFC, C7 = 0x9128C3AC
Inner state after key expansion:
b = 0
X0 = 0xDC51C3AC, X1 = 0x13292E3D, X2 = 0x3BFC62F1, X3 = 0xC3AC9128,
X4 = 0x2E3D36FE, X5 = 0x62F1DC51, X6 = 0x91281329, X7 = 0x36FE3BFC,
C0 = 0x36FE2E3D, C1 = 0xDC5162F1, C2 = 0x13299128, C3 = 0x3BFC36FE,
C4 = 0xC3ACDC51, C5 = 0x2E3D1329, C6 = 0x62F13BFC, C7 = 0x9128C3AC
Inner state after first key setup iteration:
b = 1
X0 = 0xF2E8C8B1, X1 = 0x38E06FA7, X2 = 0x9A0D72C0, X3 = 0xF21F5334,
X4 = 0xCACDCCC3, X5 = 0x4B239CBE, X6 = 0x0565DCCC, X7 = 0xB1587C8D,
C0 = 0x8433018A, C1 = 0xAF9E97C4, C2 = 0x47FCDE5D, C3 = 0x89310A4B,
C4 = 0x96FA1124, C5 = 0x6310605E, C6 = 0xB0260F49, C7 = 0x6475F87F
Inner state after first key setup iteration:
b = 1
X0 = 0xF2E8C8B1, X1 = 0x38E06FA7, X2 = 0x9A0D72C0, X3 = 0xF21F5334,
X4 = 0xCACDCCC3, X5 = 0x4B239CBE, X6 = 0x0565DCCC, X7 = 0xB1587C8D,
C0 = 0x8433018A, C1 = 0xAF9E97C4, C2 = 0x47FCDE5D, C3 = 0x89310A4B,
C4 = 0x96FA1124, C5 = 0x6310605E, C6 = 0xB0260F49, C7 = 0x6475F87F
Inner state after fourth key setup iteration:
b = 0
X0 = 0x1D059312, X1 = 0xBDDC3E45, X2 = 0xF440927D, X3 = 0x50CBB553,
X4 = 0x36709423, X5 = 0x0B6F0711, X6 = 0x3ADA3A7B, X7 = 0xEB9800C8,
C0 = 0x6BD17B74, C1 = 0x2986363E, C2 = 0xE676C5FC, C3 = 0x70CF8432,
C4 = 0x10E1AF9E, C5 = 0x018A47FD, C6 = 0x97C48931, C7 = 0xDE5D96F9
Inner state after fourth key setup iteration:
b = 0
X0 = 0x1D059312, X1 = 0xBDDC3E45, X2 = 0xF440927D, X3 = 0x50CBB553,
X4 = 0x36709423, X5 = 0x0B6F0711, X6 = 0x3ADA3A7B, X7 = 0xEB9800C8,
C0 = 0x6BD17B74, C1 = 0x2986363E, C2 = 0xE676C5FC, C3 = 0x70CF8432,
C4 = 0x10E1AF9E, C5 = 0x018A47FD, C6 = 0x97C48931, C7 = 0xDE5D96F9
Inner state after final key setup xor:
b = 0
X0 = 0x1D059312, X1 = 0xBDDC3E45, X2 = 0xF440927D, X3 = 0x50CBB553,
X4 = 0x36709423, X5 = 0x0B6F0711, X6 = 0x3ADA3A7B, X7 = 0xEB9800C8,
C0 = 0x5DA1EF57, C1 = 0x22E9312F, C2 = 0xDCACFF87, C3 = 0x9B5784FA,
C4 = 0x0DE43C8C, C5 = 0xBC5679B8, C6 = 0x63841B4C, C7 = 0x8E9623AA
Inner state after final key setup xor:
b = 0
X0 = 0x1D059312, X1 = 0xBDDC3E45, X2 = 0xF440927D, X3 = 0x50CBB553,
X4 = 0x36709423, X5 = 0x0B6F0711, X6 = 0x3ADA3A7B, X7 = 0xEB9800C8,
C0 = 0x5DA1EF57, C1 = 0x22E9312F, C2 = 0xDCACFF87, C3 = 0x9B5784FA,
C4 = 0x0DE43C8C, C5 = 0xBC5679B8, C6 = 0x63841B4C, C7 = 0x8E9623AA
Inner state after generation of 48 bytes of output:
b = 1
X0 = 0xB5428566, X1 = 0xA2593617, X2 = 0xFF5578DE, X3 = 0x7293950F,
X4 = 0x145CE109, X5 = 0xC93875B0, X6 = 0xD34306E0, X7 = 0x43FEEF87,
C0 = 0x45406940, C1 = 0x9CD0CFA9, C2 = 0x7B26E725, C3 = 0x82F5FEE2,
C4 = 0x87CBDB06, C5 = 0x5AD06156, C6 = 0x4B229534, C7 = 0x087DC224
Inner state after generation of 48 bytes of output:
b = 1
X0 = 0xB5428566, X1 = 0xA2593617, X2 = 0xFF5578DE, X3 = 0x7293950F,
X4 = 0x145CE109, X5 = 0xC93875B0, X6 = 0xD34306E0, X7 = 0x43FEEF87,
C0 = 0x45406940, C1 = 0x9CD0CFA9, C2 = 0x7B26E725, C3 = 0x82F5FEE2,
C4 = 0x87CBDB06, C5 = 0x5AD06156, C6 = 0x4B229534, C7 = 0x087DC224
The 48 output bytes:
S[0] = [3D 2D F3 C8 3E F6 27 A1 E9 7F C3 84 87 E2 51 9C]
S[1] = [F5 76 CD 61 F4 40 5B 88 96 BF 53 AA 85 54 FC 19]
S[2] = [E5 54 74 73 FB DB 43 50 8A E5 3B 20 20 4D 4C 5E]
The 48 output bytes:
S[0] = [3D 2D F3 C8 3E F6 27 A1 E9 7F C3 84 87 E2 51 9C]
S[1] = [F5 76 CD 61 F4 40 5B 88 96 BF 53 AA 85 54 FC 19]
S[2] = [E5 54 74 73 FB DB 43 50 8A E5 3B 20 20 4D 4C 5E]
key = [91 28 13 29 2E ED 36 FE 3B FC 62 F1 DC 51 C3 AC]
iv = [C3 73 F5 75 C1 26 7E 59]
key = [91 28 13 29 2E ED 36 FE 3B FC 62 F1 DC 51 C3 AC]
iv = [C3 73 F5 75 C1 26 7E 59]
Inner state during key setup: as above
钥匙设置期间的内部状态:如上所述
Inner state after IV expansion:
b = 0
X0 = 0x1D059312, X1 = 0xBDDC3E45, X2 = 0xF440927D, X3 = 0x50CBB553,
X4 = 0x36709423, X5 = 0x0B6F0711, X6 = 0x3ADA3A7B, X7 = 0xEB9800C8,
C0 = 0x9C87910E, C1 = 0xE19AF009, C2 = 0x1FDF0AF2, C3 = 0x6E22FAA3,
C4 = 0xCCC242D5, C5 = 0x7F25B89E, C6 = 0xA0F7EE39, C7 = 0x7BE35DF3
Inner state after IV expansion:
b = 0
X0 = 0x1D059312, X1 = 0xBDDC3E45, X2 = 0xF440927D, X3 = 0x50CBB553,
X4 = 0x36709423, X5 = 0x0B6F0711, X6 = 0x3ADA3A7B, X7 = 0xEB9800C8,
C0 = 0x9C87910E, C1 = 0xE19AF009, C2 = 0x1FDF0AF2, C3 = 0x6E22FAA3,
C4 = 0xCCC242D5, C5 = 0x7F25B89E, C6 = 0xA0F7EE39, C7 = 0x7BE35DF3
Inner state after first IV setup iteration:
b = 1
X0 = 0xC4FF831A, X1 = 0xEF5CD094, X2 = 0xC5933855, X3 = 0xC05A5C03,
X4 = 0x4A50522F, X5 = 0xDF487BE4, X6 = 0xA45FA013, X7 = 0x05531179,
C0 = 0xE9BC645B, C1 = 0xB4E824DC, C2 = 0x54B25827, C3 = 0xBB57CDF0,
C4 = 0xA00F77A8, C5 = 0xB3F905D3, C6 = 0xEE2CC186, C7 = 0x4F3092C6
Inner state after first IV setup iteration:
b = 1
X0 = 0xC4FF831A, X1 = 0xEF5CD094, X2 = 0xC5933855, X3 = 0xC05A5C03,
X4 = 0x4A50522F, X5 = 0xDF487BE4, X6 = 0xA45FA013, X7 = 0x05531179,
C0 = 0xE9BC645B, C1 = 0xB4E824DC, C2 = 0x54B25827, C3 = 0xBB57CDF0,
C4 = 0xA00F77A8, C5 = 0xB3F905D3, C6 = 0xEE2CC186, C7 = 0x4F3092C6
Inner state after fourth IV setup iteration:
b = 1
X0 = 0x6274E424, X1 = 0xE14CE120, X2 = 0xDA8739D9, X3 = 0x65E0402D,
X4 = 0xD1281D10, X5 = 0xBD435BAA, X6 = 0x4E9E7A02, X7 = 0x9B467ABD,
C0 = 0xD15ADE44, C1 = 0x2ECFC356, C2 = 0xF32C3FC6, C3 = 0xA2F647D7,
C4 = 0x19F71622, C5 = 0x5272ED72, C6 = 0xD5CB3B6E, C7 = 0xC9183140
Inner state after fourth IV setup iteration:
b = 1
X0 = 0x6274E424, X1 = 0xE14CE120, X2 = 0xDA8739D9, X3 = 0x65E0402D,
X4 = 0xD1281D10, X5 = 0xBD435BAA, X6 = 0x4E9E7A02, X7 = 0x9B467ABD,
C0 = 0xD15ADE44, C1 = 0x2ECFC356, C2 = 0xF32C3FC6, C3 = 0xA2F647D7,
C4 = 0x19F71622, C5 = 0x5272ED72, C6 = 0xD5CB3B6E, C7 = 0xC9183140
Authors' Addresses
作者地址
Martin Boesgaard Cryptico A/S Fruebjergvej 3 2100 Copenhagen Denmark
Martin Boesgaard Cryptico A/S Fruebjergvej 3 2100丹麦哥本哈根
Phone: +45 39 17 96 06
EMail: mab@cryptico.com
URL: http://www.cryptico.com
Phone: +45 39 17 96 06
EMail: mab@cryptico.com
URL: http://www.cryptico.com
Mette Vesterager Cryptico A/S Fruebjergvej 3 2100 Copenhagen Denmark
丹麦哥本哈根Mette Vesterager Cryptico A/S Fruebjergvej 3 2100
Phone: +45 39 17 96 06
EMail: mvp@cryptico.com
URL: http://www.cryptico.com
Phone: +45 39 17 96 06
EMail: mvp@cryptico.com
URL: http://www.cryptico.com
Erik Zenner Cryptico A/S Fruebjergvej 3 2100 Copenhagen Denmark
Erik Zenner Cryptico A/S Fruebjergvej 3 2100丹麦哥本哈根
Phone: +45 39 17 96 06
EMail: ez@cryptico.com
URL: http://www.cryptico.com
Phone: +45 39 17 96 06
EMail: ez@cryptico.com
URL: http://www.cryptico.com
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2006).
版权所有(C)互联网协会(2006年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).
RFC编辑器功能的资金由IETF行政支持活动(IASA)提供。