INTERNET-DRAFT

Internet Draft                                             Peter Gutmann
draft-rfced-info-gutmann-00.txt                            June 16, 1997
                                                  Expires December, 1997

                      Description of the EP2 Cipher

Status of this memo

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference material
   or to cite them other than as "work in progress."

   To learn the current status of any Internet-Draft, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
   ftp.isi.edu (US West Coast).

1. Introduction

   The EP2 cipher is a block cipher that is useful in many cryptographic
   applications.  It is believed to be interoperable with the RC2 cipher
   from RSA Data Security, Inc., which has been specified for use in many
   Internet protocols.

2. Description

   The EP2 cipher is word oriented, operating on a block of 64 bits
   divided into four 16-bit words, with a key table of 64 words.  All
   data units are little-endian.  This functional description of the
   algorithm is based on [RC5], using the same general layout,
   terminology, and pseudocode style.

3. Notation and Primitive Operations

   EP2 uses the following primitive operations:

   1. Two's-complement addition of words, denoted by "+".  The inverse
      operation, subtraction, is denoted by "-".
   2. Bitwise exclusive OR, denoted by "^".
   3. Bitwise AND, denoted by "&".
   4. Bitwise NOT, denoted by "~".
   5. A left-rotation of words; the rotation of word x left by y is
      denoted by "x <<< y".  The inverse operation, right-rotation,
      is denoted by "x >>> y".

   These operations are directly and efficiently supported by most
   processors.

3. EP2 Algorithm

   EP2 consists of three components: a key expansion algorithm, an
   encryption algorithm, and a decryption algorithm.

3.1 Key Expansion

   The purpose of the key-expansion routine is to expand the user's key K
   to fill the expanded key array S, so that S resembles an array of
   random binary words determined by the user's secret key K.

3.1.1 Initialising the S-box

   EP2 uses a single 256-byte S-box derived from the ciphertext contents
   of Beale Cipher No.1 XOR'd with a one-time pad.  The Beale Ciphers
   predate modern cryptography by enough time that there should be no
   concerns about trapdoors hidden in the data.  They have been published
   widely, and the S-box can be easily recreated from the one-time pad
   values and the Beale Cipher data taken from a standard source.  To
   initialise the S-box:

   for i = 0 to 255 do
      sBox[ i ] = ( beale[ i ] mod 256 ) ^ pad[ i ]

   The contents of Beale Cipher No.1 and the necessary one-time pad are
   given as an appendix at the end of this document.  For efficiency,
   implementors may wish to skip the Beale Cipher expansion and store the
   sBox table directly.

3.1.2 Expanding the Secret Key to 128 Bytes

   The secret key is first expanded to fill 128 bytes (64 words).  The
   expansion consists of taking the sum of the first and last bytes in
   the user key, looking up the sum (modulo 256) in the S-box, and
   appending the result to the key.  The operation is repeated with the
   second byte and new last byte of the key until all 128 bytes have been
   generated.  In the following pseudocode 'length' is the length of the
   user key K in bytes.  Note that the pseudocode treats the S array as
   an array of 128 bytes rather than 64 words.
   for j = 0 to length-1 do
      S[ j ] = K[ j ]
   for j = length to 127 do
      S[ j ] = sBox[ ( S[ j-length ] + S[ j-1 ] ) mod 256 ]

3.1.3 Reducing the Effective Key Length

   At this point it is possible to perform a truncation of the effective
   key length to ease the creation of espionage-enabled software
   products.  To use a key with an effective size of 'reducedLength'
   bytes, the following transformation is used.

   maxValue = 128 - reducedLength
   S[ maxValue ] = sBox[ S[ maxValue ] ]
   for j = maxValue - 1 to 0 step -1 do
      S[ j ] = sBox[ S[ j + 1 ] ^ S[ j + reducedLength ] ]

   For example, to reduce a key to an effective size of 40 bits
   (reducedLength = 5, so maxValue = 123) the transformation is:

   S[ 123 ] = sBox[ S[ 123 ] ]
   for j = 122 to 0 step -1 do
      S[ j ] = sBox[ S[ j + 1 ] ^ S[ j + 5 ] ]

   If no reduction of effective keysize is required (reducedLength =
   128, so maxValue = 0 and the loop runs zero times), the above
   simplifies to replacing the first byte of S with the entry selected
   from the S-box:

   S[ 0 ] = sBox[ S[ 0 ] ]

3.2 Encryption

   The cipher has 16 full rounds, each divided into 4 subrounds.  Two of
   the full rounds perform an additional transformation on the data.
   Note that the following pseudocode treats the S array as an array of
   64 words rather than 128 bytes.
   for i = 0 to 15 do
      j = i * 4
      word0 = ( word0 + ( word1 & ~word3 ) +
               ( word2 & word3 ) + S[ j+0 ] ) <<< 1
      word1 = ( word1 + ( word2 & ~word0 ) +
               ( word3 & word0 ) + S[ j+1 ] ) <<< 2
      word2 = ( word2 + ( word3 & ~word1 ) +
               ( word0 & word1 ) + S[ j+2 ] ) <<< 3
      word3 = ( word3 + ( word0 & ~word2 ) +
               ( word1 & word2 ) + S[ j+3 ] ) <<< 5

   In addition, the fifth and eleventh rounds (i = 4 and i = 10) add the
   contents of the expanded key array S, indexed by the low six bits of
   one of the data words, to another of the data words following the
   four subrounds, as follows:

      word0 = word0 + S[ word3 & 63 ]
      word1 = word1 + S[ word0 & 63 ]
      word2 = word2 + S[ word1 & 63 ]
      word3 = word3 + S[ word2 & 63 ]

3.3 Decryption

   The decryption operation is simply the inverse of the encryption
   operation.  Note that the following pseudocode treats the S array as
   an array of 64 words rather than 128 bytes.

   for i = 15 downto 0 do
      j = i * 4
      word3 = ( word3 >>> 5 ) - ( word0 & ~word2 ) -
              ( word1 & word2 ) - S[ j+3 ]
      word2 = ( word2 >>> 3 ) - ( word3 & ~word1 ) -
              ( word0 & word1 ) - S[ j+2 ]
      word1 = ( word1 >>> 2 ) - ( word2 & ~word0 ) -
              ( word3 & word0 ) - S[ j+1 ]
      word0 = ( word0 >>> 1 ) - ( word1 & ~word3 ) -
              ( word2 & word3 ) - S[ j+0 ]

   In addition, the fifth and eleventh rounds of this loop (i = 11 and
   i = 5, which mirror the i = 4 and i = 10 rounds of encryption)
   subtract the contents of the expanded key array S, indexed by the low
   six bits of one of the data words, from another of the data words
   following the four subrounds, as follows:

      word3 = word3 - S[ word2 & 63 ]
      word2 = word2 - S[ word1 & 63 ]
      word1 = word1 - S[ word0 & 63 ]
      word0 = word0 - S[ word3 & 63 ]

4. Test Vectors

   The following test vectors may be used to test the correctness of an
   EP2 implementation:

   Key:    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
   Plain:  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
   Cipher: 0x1C, 0x19, 0x8A, 0x83, 0x8D, 0xF0, 0x28, 0xB7

   Key:    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
   Plain:  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
   Cipher: 0x21, 0x82, 0x9C, 0x78, 0xA9, 0xF9, 0xC0, 0x74

   Key:    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
           0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
   Plain:  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
   Cipher: 0x13, 0xDB, 0x35, 0x17, 0xD3, 0x21, 0x86, 0x9E

   Key:    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
           0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
   Plain:  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
   Cipher: 0x50, 0xDC, 0x01, 0x62, 0xBD, 0x75, 0x7F, 0x31

   The following ciphertext is produced from the first key/plaintext
   combination given above if the 128-bit effective key length is reduced
   to the given lengths using the algorithm in section 3.1.3:

   Effective key
   Bits   Bytes   Ciphertext

    40      5     0x65, 0x8A, 0x83, 0x3A, 0x5D, 0xE3, 0x45, 0x55
    48      6     0x94, 0x42, 0x96, 0x80, 0xD5, 0xD6, 0xFE, 0xD2
    56      7     0xD0, 0xDC, 0x8D, 0x97, 0xB3, 0x2C, 0xC8, 0xB7
    64      8     0x93, 0xCC, 0x73, 0xC9, 0xF7, 0x4E, 0x32, 0x82

5. Security

   This paper was first widely published in early 1996, and there have
   been no known successful attacks on the algorithm since then.  Further,
   there have been no known successful attacks on the RC2 algorithm, with
   which the algorithm described in this paper is thought to be
   interoperable.

A. Beale Cipher No.1, "The Locality of the Vault"

   71, 194, 38, 1701, 89, 76, 11, 83, 1629, 48, 94, 63, 132, 16, 111, 95,
   84, 341, 975, 14, 40, 64, 27, 81, 139, 213, 63, 90, 1120, 8, 15, 3,
   126, 2018, 40, 74, 758, 485, 604, 230, 436, 664, 582, 150, 251, 284,
   308, 231, 124, 211, 486, 225, 401, 370, 11, 101, 305, 139, 189, 17,
   33, 88, 208, 193, 145, 1, 94, 73, 416, 918, 263, 28, 500, 538, 356,
   117, 136, 219, 27, 176, 130, 10, 460, 25, 485, 18, 436, 65, 84, 200,
   283, 118, 320, 138, 36, 416, 280, 15, 71, 224, 961, 44, 16, 401, 39,
   88, 61, 304, 12, 21, 24, 283, 134, 92, 63, 246, 486, 682, 7, 219, 184,
   360, 780, 18, 64, 463, 474, 131, 160, 79, 73, 440, 95, 18, 64, 581,
   34, 69, 128, 367, 460, 17, 81, 12, 103, 820, 62, 110, 97, 103, 862,
   70, 60, 1317, 471, 540, 208, 121, 890, 346, 36, 150, 59, 568, 614, 13,
   120, 63, 219, 812, 2160, 1780, 99, 35, 18, 21, 136, 872, 15, 28, 170,
   88, 4, 30, 44, 112, 18, 147, 436, 195, 320, 37, 122, 113, 6, 140, 8,
   120, 305, 42, 58, 461, 44, 106, 301, 13, 408, 680, 93, 86, 116, 530,
   82, 568, 9, 102, 38, 416, 89, 71, 216, 728, 965, 818, 2, 38, 121, 195,
   14, 326, 148, 234, 18, 55, 131, 234, 361, 824, 5, 81, 623, 48, 961,
   19, 26, 33, 10, 1101, 365, 92, 88, 181, 275, 346, 201, 206

B. One-time Pad for Creating the S-Box

   158, 186, 223, 97, 64, 145, 190, 190, 117, 217, 163, 70, 206, 176,
   183, 194, 146, 43, 248, 141, 3, 54, 72, 223, 233, 153, 91, 210, 36,
   131, 244, 161, 105, 120, 113, 191, 113, 86, 19, 245, 213, 221, 43, 27,
   242, 157, 73, 213, 193, 92, 166, 10, 23, 197, 112, 110, 193, 30, 156,
   51, 125, 51, 158, 67, 197, 215, 59, 218, 110, 246, 181, 0, 135, 76,
   164, 97, 47, 87, 234, 108, 144, 127, 6, 6, 222, 172, 80, 144, 22, 245,
   207, 70, 227, 182, 146, 134, 119, 176, 73, 58, 135, 69, 23, 198, 0,
   170, 32, 171, 176, 129, 91, 24, 126, 77, 248, 0, 118, 69, 57, 60, 190,
   171, 217, 61, 136, 169, 196, 84, 168, 167, 163, 102, 223, 64, 174,
   178, 166, 239, 242, 195, 249, 92, 59, 38, 241, 46, 236, 31, 59, 114,
   23, 50, 119, 186, 7, 66, 212, 97, 222, 182, 230, 118, 122, 86, 105,
   92, 179, 243, 255, 189, 223, 164, 194, 215, 98, 44, 17, 20, 53, 153,
   137, 224, 176, 100, 208, 114, 36, 200, 145, 150, 215, 20, 87, 44, 252,
   20, 235, 242, 163, 132, 63, 18, 5, 122, 74, 97, 34, 97, 142, 86, 146,
   221, 179, 166, 161, 74, 69, 182, 88, 120, 128, 58, 76, 155, 15, 30,
   77, 216, 165, 117, 107, 90, 169, 127, 143, 181, 208, 137, 200, 127,
   170, 195, 26, 84, 255, 132, 150, 58, 103, 250, 120, 221, 237, 37, 8,
   99

C. References

   [RC5] Ron Rivest, "The RC5 Encryption Algorithm", Proceedings of the
         Second International Workshop on Fast Software Encryption,
         Springer-Verlag LNCS No.1008.

D. Author's Address

   Peter Gutmann
   University of Auckland
   Private Bag 92019
   Auckland
   New Zealand

   Phone: +64 9 373-7599
   Email: pgut001@cs.auckland.ac.nz
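The complete algorithm of sections 3.1 to 3.3 as an added Python example (not code from the draft or its author): it stores the section 3.1.1 S-box directly, which section 3.1.1 permits, as the 256 bytes obtained by XORing Appendix A (mod 256) with Appendix B; expand_key implements sections 3.1.2 and 3.1.3 with reduced_length in bytes (128 being the no-reduction case S[0] = sBox[S[0]]); encrypt_block and decrypt_block implement sections 3.2 and 3.3. The function and constant names are this example's own, and its output can be checked against the section 4 test vectors.

```python
# Added example, not the draft's own code: EP2 exactly as sections 3.1-3.3 describe.
# SBOX is the section 3.1.1 table, (beale[i] mod 256) ^ pad[i] over Appendices A and B.
SBOX = bytes.fromhex(
    "d978f9c419ddb5ed28e9fd794aa0d89d" "c67e37832b76538e624c6488448bfba2"
    "179a59f587b34f1361456d8d09817d32" "bd8f40eb86b77b0bf09521225c6b4e82"
    "54d66593ce60b21c7356c014a78cf1dc" "1275ca1f3bbee4d1423dd430a33cb626"
    "6fbf0eda4669075727f21d9bbc944303" "f811c7f690ef3ee706c3d52fc8661ed7"
    "08e8eade8052eef784aa72ac354d6a2a" "961ad2715a1549744b9fd05e0418a4ec"
    "c2e0416e0f51cbcc2491af50a1f47039" "997c3a8523b8b47afc02365b25559731"
    "2d5dfa98e38a92ae05df2910676cbac9" "d300e6cfe19ea82c6316013f58e289a9"
    "0d38341bab33ffb0bb480c5fb9b1cd2e" "c5f3db47e5a59c770aa62068fe7fc1ad"
)
ROT = (1, 2, 3, 5)       # left-rotation amount of subrounds 0..3
MASH_ROUNDS = (4, 10)    # the "fifth and eleventh" rounds, counting i from 0

def expand_key(key: bytes, reduced_length: int = 128) -> list:
    """3.1.2 + 3.1.3: key bytes -> S as 64 little-endian words.  reduced_length is
    the effective key size in bytes; 128 is the no-reduction case S[0] = sBox[S[0]]."""
    s = bytearray(key)
    for j in range(len(key), 128):                 # expand to 128 bytes
        s.append(SBOX[(s[j - len(key)] + s[j - 1]) & 0xFF])
    max_value = 128 - reduced_length               # reduce effective key length
    s[max_value] = SBOX[s[max_value]]
    for j in range(max_value - 1, -1, -1):
        s[j] = SBOX[s[j + 1] ^ s[j + reduced_length]]
    return [s[2 * i] | (s[2 * i + 1] << 8) for i in range(64)]

def _rol(x, n): return ((x << n) | (x >> (16 - n))) & 0xFFFF
def _ror(x, n): return ((x >> n) | (x << (16 - n))) & 0xFFFF

def encrypt_block(S: list, block: bytes) -> bytes:
    """3.2: 16 rounds of 4 subrounds; the key-array mash follows rounds 4 and 10."""
    w = [int.from_bytes(block[2 * i:2 * i + 2], "little") for i in range(4)]
    for i in range(16):
        for k in range(4):                         # subround k rewrites word k
            a, b, c = w[(k + 1) % 4], w[(k + 2) % 4], w[(k + 3) % 4]
            w[k] = _rol((w[k] + (a & ~c) + (b & c) + S[4 * i + k]) & 0xFFFF, ROT[k])
        if i in MASH_ROUNDS:
            for k in range(4):
                w[k] = (w[k] + S[w[(k - 1) % 4] & 63]) & 0xFFFF
    return b"".join(x.to_bytes(2, "little") for x in w)

def decrypt_block(S: list, block: bytes) -> bytes:
    """3.3: the inverse; the mash is undone before the reversed subrounds of i = 10, 4."""
    w = [int.from_bytes(block[2 * i:2 * i + 2], "little") for i in range(4)]
    for i in range(15, -1, -1):
        if i in MASH_ROUNDS:
            for k in (3, 2, 1, 0):
                w[k] = (w[k] - S[w[(k - 1) % 4] & 63]) & 0xFFFF
        for k in (3, 2, 1, 0):
            a, b, c = w[(k + 1) % 4], w[(k + 2) % 4], w[(k + 3) % 4]
            w[k] = (_ror(w[k], ROT[k]) - (a & ~c) - (b & c) - S[4 * i + k]) & 0xFFFF
    return b"".join(x.to_bytes(2, "little") for x in w)
```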