| |
| |
| |
| |
| |
| |
| |
| |
| Crypto Forum Research Group David A. McGrew |
| Internet Draft Cisco Systems, Inc. |
| Expires April, 2003 October, 2002 |
| |
| |
| |
| Integer Counter Mode |
| <draft-irtf-cfrg-icm-00.txt> |
| |
| |
| Status of this Memo |
| |
| This document is an Internet Draft and is in full conformance with |
| all provisions of Section 10 of RFC-2026. Internet Drafts are working |
| documents of the Internet Engineering Task Force (IETF), its areas, |
| and working groups. Note that other groups may also distribute |
| working documents as Internet Drafts. |
| |
| Internet Drafts are draft documents valid for a maximum of six months |
| and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet Drafts as reference |
| material or to cite them other than as "work in progress." |
| |
| The list of current Internet-Drafts can be accessed at |
| http://www.ietf.org/ietf/1id-abstracts.txt |
| |
| The list of Internet-Draft Shadow Directories can be accessed at |
| http://www.ietf.org/shadow.html. |
| |
| |
| 1. Abstract |
| |
| |
| This document specifies Integer Counter Mode (ICM), a mode of |
| operation of a block cipher which defines an indexed keystream |
| generator (which generates a keystream segment given an index). |
| This mode is efficient, parallelizable, and has been proven secure |
| given realistic assumptions about the block cipher. Test vectors |
| are provided for AES. |
| |
| Counter Mode admits many variations. The variant specified in |
| this document is secure and flexible, yet it enables a single |
| implementation of a keystream generator to suffice in different |
| application domains. |
| |
| |
| |
| |
| |
| |
| McGrew [Page 1] |
| |
| |
| Internet Draft Integer Counter Mode October, 2002 |
| |
| |
| 2. Notational Conventions |
| |
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", |
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in |
| this document are to be interpreted as described in RFC-2119 [B97]. |
| |
| |
| 3. Introduction |
| |
| Counter Mode is a way to define a pseudorandom keystream generator |
| using a block cipher [CTR]. The keystream can be used for additive |
| encryption, key derivation, or any other application requiring |
| pseudorandom data. |
| |
| In ICM, the keystream is logically broken into segments. Each |
| segment is identified with a segment index, and the segments have |
| equal lengths. This segmentation makes ICM especially appropriate |
| for securing packet-based protocols. |
| |
| |
| 4. ICM |
| |
| In this section, ICM keystream generation and encryption are |
| defined. |
| |
| |
| 4.1. ICM Parameters |
| |
| The following parameters are used in ICM. These parameters MUST |
| remain fixed for any given use of a key. |
| |
| Parameter Meaning |
| ----------------------------------------------------------------- |
| BLOCK_LENGTH the number of octets in the cipher block |
| KEY_LENGTH the number of octets in the cipher key |
| OFFSET_LENGTH the number of octets in the offset |
| SEGMENT_INDEX_LENGTH the number of octets in the segment index |
| BLOCK_INDEX_LENGTH the number of octets in the block index |
| |
| |
| 4.2. Keystream Segments |
| |
| Conceptually, ICM is a keystream generator that takes a secret key |
| and a segment index as an input and then outputs a keystream |
| segment. The segmentation lends itself to packet encryption, as |
| each keystream segment can be used to encrypt a distinct packet. |
| |
| A counter is a value containing BLOCK_LENGTH octets which is |
| |
| |
| |
| McGrew [Page 2] |
| |
| |
| Internet Draft Integer Counter Mode October, 2002 |
| |
| |
| incremented using an increment function based on integer addition, |
| to produce a sequence of distinct values which are used as inputs to |
| the block cipher. (In the context of this specification, an integer |
| is an octet string, the most significant of which is the first.) |
| The output blocks of the cipher are concatenated to form the |
| keystream segment. The first octet of the segment is the first |
| octet of the first output block, and so on. A schematic of this |
| process is shown in Figure 1. |
| |
| |
| Figure 1. The generation of a keystream segment given a segment |
| index and a block cipher key K. Here C[i] and S[i] denote the ith |
| counter and keystream block, respectively. |
| |
| segment |
| index |
| | |
| v |
| C[0] -----> C[1] -----> C[2] -----> ... |
| | | | |
| v v v |
| +---+ +---+ +---+ |
| K->| E | K->| E | K->| E | ... |
| +---+ +---+ +---+ |
| | | | |
| v v v |
| S[0] S[1] S[2] ... |
| |
| The ith counter C[i] of the keystream segment with segment index s |
| is defined as |
| |
| C[i] = (i + s * (256^BLOCK_INDEX_LENGTH)) (+) r |
| |
| where r denotes the shifted Offset, which is defined as the Offset |
| times 256^(BLOCK_LENGTH - OFFSET_LENGTH). (This multiplication |
| left-shifts the Offset so that it is aligned with the leftmost |
| edge of the block.) Here ^ denotes exponentiation and (+) denotes |
| the bitwise exclusive-or operation. |
| |
| The number of blocks in any segment MUST NOT exceed |
| 256^BLOCK_INDEX_LENGTH. The number of segments MUST NOT exceed |
| 256^SEGMENT_INDEX_LENGTH. These restrictions ensure the uniqueness |
| of each block cipher input. They also imply that each segment |
| contains no more than (256^BLOCK_INDEX_LENGTH)*BLOCK_LENGTH octets. |
| |
| The sum of SEGMENT_INDEX_LENGTH and BLOCK_INDEX_LENGTH MUST NOT |
| exceed BLOCK_LENGTH / 2. This requirement protects the ICM |
| keystream generator from potentially failing to be pseudorandom (see |
| |
| |
| |
| McGrew [Page 3] |
| |
| |
| Internet Draft Integer Counter Mode October, 2002 |
| |
| |
| the rationale). |
| |
| Figure 2. An illustration of the structure of a counter with |
| BLOCK_LENGTH = 8, SEGMENT_INDEX_LENGTH = 2, and BLOCK_INDEX_LENGTH |
| = 2. The field marked `null' is not part of either the block |
| or segment indices. |
| |
| 0 1 2 3 |
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | null | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | segment index | block index | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| |
| |
| 4.3. ICM Encryption |
| |
| Unless otherwise specified, ICM encryption consists of bitwise |
| exclusive-oring the keystream into the plaintext to produce |
| the ciphertext. |
| |
| |
| 4.4 ICM KEY |
| |
| An ICM key consists of the block cipher key and an Offset. The |
| Offset is an integer with OFFSET_LENGTH octets, which is used to |
| `randomize' the logical starting point of keystream. The Offset is |
| crucial to providing security; see the rationale. The value of |
| OFFSET_LENGTH SHOULD be at least half that of BLOCK_LENGTH. |
| |
| For the purposes of transporting an ICM key, e.g. in a signaling |
| protocol, that key SHOULD be considered a sequence of octets in |
| which the block cipher key precedes the Offset. |
| |
| |
| 5. Implementation Considerations |
| |
| Implementation of the `add one modulo 2^m' operation is simple. For |
| example, with BLOCK_LENGTH = 8 (m=64), it can be implemented in C as |
| |
| if (!++x) ++y; |
| |
| where x and y are 32-bit unsigned integers in network byte order. |
| The implementation of general purpose addition modulo 2^m is |
| slightly more complicated. |
| |
| The fact that the Offset is left-aligned enables an implementation |
| |
| |
| |
| McGrew [Page 4] |
| |
| |
| Internet Draft Integer Counter Mode October, 2002 |
| |
| |
| to avoid propagating carry values outside of the block index and/or |
| the segment index. Choosing an OFFSET_LENGTH value equal to half |
| that of BLOCK_LENGTH avoids all of these carries, since the Offset |
| is then shifted so that it occupies the most significant octets of |
| the block, while the block and segment indices occupy the least |
| significant ones. |
| |
| |
| 6. Parameters and Test Vectors for AES |
| |
| This section provides ICM parameters and test vectors for AES |
| with a 128 bit block size and 128 bit key (that is, with a |
| BLOCK_LENGTH and KEY_LENGTH of 16). |
| |
| All integers are expressed in hexadecimal. Each consecutive pair of |
| hex digits corresponds to an octet, so that the integer |
| 000102030405060708090A0B0C0D0E0F corresponds to the octet sequence |
| { 00, 01, 02, 02 ... }. |
| |
| BLOCK_LENGTH 16 |
| KEY_LENGTH 16 |
| OFFSET_LENGTH 14 |
| SEGMENT_INDEX_LENGTH 6 |
| BLOCK_INDEX_LENGTH 2 |
| |
| Block Cipher Key: 2b7e151628aed2a6abf7158809cf4f3c |
| Offset: f0f1f2f3f4f5f6f7f8f9fafbfcfd |
| Segment Index: 000000000000 |
| Keystream: e03ead0935c95e80e166b16dd92b4eb4 |
| d23513162b02d0f72a43a2fe4a5f97ab |
| ... |
| |
| The counter values that correspond to the keystream blocks are |
| outlined below. |
| |
| Counter Keystream |
| |
| f0f1f2f3f4f5f6f7f8f9fafbfcfd0000 e03ead0935c95e80e166b16dd92b4eb4 |
| f0f1f2f3f4f5f6f7f8f9fafbfcfd0001 d23513162b02d0f72a43a2fe4a5f97ab |
| f0f1f2f3f4f5f6f7f8f9fafbfcfd0002 41e95b3bb0a2e8dd477901e4fca894c0 |
| ... ... |
| |
| |
| 7. Security Considerations |
| |
| Each block cipher input is distinct for any segment and any block |
| index. To see this fact, subtract any two counter values with |
| distinct segment or block indices; the result is non-zero. |
| |
| |
| |
| McGrew [Page 5] |
| |
| |
| Internet Draft Integer Counter Mode October, 2002 |
| |
| |
| The limitation on the number of segments which can be generated |
| ensures that the probability with which an adversary can distinguish |
| the keystream generator from random is negligible. For a |
| theoretical justification of this fact, see Bellare et. al. [BR98]. |
| Their analysis shows that if the block cipher cannot be |
| distinguished from a random permutation, then the keystream |
| generated by ICM cannot be distinguished from keystream generated by |
| a truly random process, as long as the length of keystream which is |
| generated is kept below some threshold. The threshold defined in |
| Section 4.2 is sufficient for most uses of ICM for encryption. This |
| specification refrains from dictating a lower threshold in order to |
| refrain from dictating a particular policy, and to avoid a |
| complicated digression. |
| |
| The use of the Offset, a key-dependent value which randomizes the |
| starting position of the keystream, is essential for security. The |
| omission of this mechanism leaves the door open for practical |
| attacks, such as the key collision attack and Hellman's time-memory |
| tradeoff attack; see McGrew and Fluhrer [MF00] for a description of |
| these attacks which is applicable to ICM. Several counter mode |
| proposals do not include an offset, and are thus vulnerable to these |
| attacks. |
| |
| |
| 8. Rationale |
| |
| This speficiation includes input from implementation experience with |
| several counter mode variants. The goals of ICM are to provide: |
| |
| o a secure keystream generator and cipher, and |
| |
| o a definition flexible enough that a single implementation can be |
| used for a variety of applications (e.g., Secure RTP [SRTP], |
| IPsec ESP [KA96]). |
| |
| The Offset slightly increases the key management overhead, but this |
| minor disadvantage is well outweighed by other savings. The Offset |
| is no larger than a CBC mode IV, and ICM enables the use of an |
| explicit IV (as is commonly used with CBC [MD98]) to be avoided. |
| |
| |
| 9. History |
| |
| This draft is based on draft-mcgrew-saag-icm-00.txt, which was |
| submitted to SAAG on November, 2001 and which expired in May, 2002. |
| |
| The current definition of ICM has changed from the earlier one; the |
| counter formation is different and the specifications are |
| |
| |
| |
| McGrew [Page 6] |
| |
| |
| Internet Draft Integer Counter Mode October, 2002 |
| |
| |
| unfortunately not interoperable. This change was motivated by a |
| considerable amount of feedback on the desirability of admitting |
| optimizations of the sort described in Section 5, in which the carry |
| operations of counter addition need not be propagated across a large |
| register. |
| |
| The current definition of ICM is interoperable with that defined in |
| Secure RTP [SRTP]. |
| |
| |
| 10. Acknowledgements |
| |
| Thanks are due to Helger Lipmaa, Jerome Etienne, Scott Fluhrer and |
| Mats Naslund for their helpful discussion and comments. |
| |
| |
| 11. Contact Information |
| |
| Questions and comments on this draft SHOULD be sent to: |
| |
| David A. McGrew |
| Cisco Systems, Inc. |
| mcgrew@cisco.com |
| |
| and copied to the Crypto Forum Research Group at: |
| |
| cfrg@ietf.org. |
| |
| |
| 12. References |
| |
| |
| [BR98] M. Bellare, A. Desai, E. Lokipii and P. Rogaway, A |
| Concrete Security Treatment of Symmetric Encryption: |
| Analysis of DES Modes of Operation, Proceedings of |
| the 38th Symposium on Foundations of Computer |
| Science, IEEE, 1997. |
| |
| [B97] S. Bradner, Key words for use in RFCs to Indicate |
| Requirement Levels, RFC 2119, March 1997. |
| |
| [AES] The Advanced Encryption Standard, United States |
| National Institute for Standards and Technology (NIST), |
| http://www.nist.gov/aes/. |
| |
| [CTR] M. Dworkin, NIST Special Publication 800-38A, |
| "Recommendation for Block Cipher Modes of Operation: Methods |
| and Techniques", 2001. Online at |
| |
| |
| |
| McGrew [Page 7] |
| |
| |
| Internet Draft Integer Counter Mode October, 2002 |
| |
| |
| http://csrc.nist.gov/publications/nistpubs/800-38a/sp800- |
| 38a.pdf. |
| |
| [MD98] Madson, C., and Doraswamy, N., "The ESP DES-CBC Cipher |
| Algorithm With Explicit IV", RFC 2405, November 1998. |
| |
| [MF00] D. McGrew and S. Fluhrer, Attacks on Additive Encryption and |
| Implications on Internet Security, Selected Areas in |
| Cryptography 2000. |
| |
| [SRTP] The Secure Real-time Transport Protocol, Baugher et. al., |
| Internet Draft, draft-ietf-avt-srtp-05.txt. |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| McGrew [Page 8] |
| |
| |