1、INCITS/ISO/IEC 18033-4-2005 (ISO/IEC 18033-4:2005, IDT) Information technology Securitytechniques Encryption algorithms Part 4: Stream ciphersINCITS/ISO/IEC 18033-4-2005(ISO/IEC 18033-4:2005, IDT)INCITS/ISO/IEC 18033-4-2005 ii ITIC 2005 All rights reserved PDF disclaimer This PDF file may contain em
2、bedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility o
3、f not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameter
4、s were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. Adopted by INCITS (InterNational Committee for In
5、formation Technology Standards) as an American National Standard. Date of ANSI Approval: 10/7/2005 Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2005 by Information Technology Industry Council (ITI). All rights reserved. These materials a
6、re subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any f
7、orm, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of America iiiContents PageForewordivIntroduction. v1 Scope . 12 Nor
8、mative references . 13 Terms and definitions. 14Symbols and abbreviated terms44.1 Left-truncation of bits. 54.2 Shift operation. 64.3 Variable I(k). 65 General models for stream ciphers 65.1 Keystream generators 65.1.1 Synchronous keystream generators 65.1.2 Self-synchronizing keystream generators .
9、 65.2 Output functions. 75.2.1 Binary-additive output function 75.2.2 MULTI-S01 output function 86 Constructing keystream generators from block ciphers 106.1 Modes of a block cipher for a synchronous keystream generator 106.1.1 OFB mode 116.1.2 CTR mode 116.2 Mode of a block cipher for a self-synchr
10、onizing keystream generator 126.2.1 CFB mode 127 Dedicated keystream generators 137.1 MUGI keystream generator 137.1.1Initialization function Init147.1.2 Next-state function Next. 157.1.3 Keystream function Strm . 157.1.4 Function 1157.1.5 Function 1. 167.1.6 Function F 167.1.7 Function SR177.1.8 Fu
11、nction M. 187.2 SNOW 2.0 keystream generator 187.2.1 Initialization function Init 197.2.2 Next-state function Next. 207.2.3 Keystream function Strm . 217.2.4 Function T 217.2.5 Multiplications of in finite field arithmetic. 227.2.6 Multiplications of 1in finite field arithmetic. 227.2.7 Function FSM
12、(x, y, z) . 23Annex A (informative) Examples. 24A.1 Operations over the finite field GF(2n) 24A.2 Example for MUGI. 24A.2.1 Key, initialization vector, and keystream triplets 24A.2.2 Sample internal states 24A.3 Example for SNOW 2.0 . 30A.3.1 128-bit key 30A.3.2 256-bit key 34INCITS/ISO/IEC 18033-4-
13、2005 ITIC 2005 All rights reservediv Annex B (informative) Security information . 39 B.1 Security levels of stream ciphers 39 B.1.1 Security-efficiency trade-off in MULTI-S01 40 B.2 Implementation examples of dedicated keystream generators. 40 Annex C (normative) Object identifiers 41 Bibliography.
14、43 INCITS/ISO/IEC 18033-4-2005 ITIC 2005 All rights reservedvForeword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate
15、 in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and
16、non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The ma
17、in task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies cast
18、ing a vote. ISO/IEC 18033-4 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. ISO/IEC 18033 consists of the following parts, under the general title Information technology Security techniques Encryption algorithms: Part 1: Ge
19、neral Part 2: Asymmetric ciphers Part 3: Block ciphers Part 4: Stream ciphers INCITS/ISO/IEC 18033-4-2005 ITIC 2005 All rights reservedvi IntroductionThe International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)draw attention to the fact that it is clai
20、med that compliance with this International Standard may involve theuse of patents.The ISO and IEC take no position concerning the evidence, validity and scope of these patent rights.The holders of these patent rights have assured the ISO and IEC that they are willing to negotiate licences underreas
21、onable and non-discriminatory terms and conditions with applicants throughout the world. In this respect,the statements of the holders of these patent rights are registered with the ISO and IEC. Information may beobtained from:ISO/IEC JTC 1/SC 27 Standing Document 8 (SD8) “Patent Information“Standin
22、g Document 8 (SD8) is publicly available at: http:/www.ni.din.de/sc27Attention is drawn to the possibility that some of the elements of this International Standard may be thesubject of patent rights other than those identified above. ISO and IEC shall not be held responsible foridentifying any or al
23、l such patent rights.INCITS/ISO/IEC 18033-4-2005 ITIC 2005 All rights reserved11 ScopeThis part of ISO/IEC 18033 specifies stream cipher algorithms. A stream cipher is an encryption mechanismthat uses a keystream to encrypt a plaintext in bitwise or block-wise manner. There are two types of streamci
24、pher: a synchronous stream cipher, in which the keystream is only generated from the secret key (and aninitialization vector) and a self-synchronizing stream cipher, in which the keystream is generated from thesecret key and some past ciphertexts (and an initialization vector). Typically the encrypt
25、ion operation is theadditive bitwise XOR operation between a keystream and the message. This part of ISO/IEC 18033 describes both pseudorandom number generators for producing keystream, and output functions for stream ciphers.The algorithms specified in this part of ISO/IEC 18033 have been assigned
26、object identifiers in accordance withISO/IEC 9834. The list of assigned object identifiers is given in Annex C. Any change to the specificationof the algorithms resulting in a change of functional behaviour will result in a change of the object identifierassigned to the algorithm.NOTE 1 In applicati
27、ons where a combination of algorithms is being used, or when an algorithm is parameterized by thechoice of a combination of other algorithms, the combination may be specified as a sequence of object identifiers.Alternatively, the object identifiers of lower layer algorithms may be included in the pa
28、rameter field of the higher layeralgorithms identifier structure. For example, the object identifier of a block cipher could be included as a parameter in thealgorithm identifier structure for a keystream generator. The algorithm identifier structure is defined in ISO/IEC 9594-8.NOTE 2 The encoding
29、of object identifiers is application dependent.3.1big-endiana method of storage of multi-byte numbers with the most significant bytes at the lowest memory addresses.ISO/IEC 10118-1: 2000Information technology Security techniques Encryption algorithms Part 4: Stream ciphers 2 Normative references The
30、 following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 18033-1, Information technology Security tec
31、hniques Encryption algorithms Part 1: General ISO/IEC 18033-3, Information technology Security techniques Encryption algorithms Part 3: Block ciphers For the purposes of this document, the terms and definitions given in ISO/IEC 18033-1 and the following apply. 3 Terms and definitionsAMERICANAMERICAN
32、 NATIONAL STANDARD INCITS/ISO/IEC 18033-4-2005 ITIC 2005 All rights reserved2 3.2blockstring of bits of defined length. ISO/IEC 18033-1: 20053.3block ciphersymmetric encipherment system with the property that the encryption algorithm operates on a block ofplaintext, i.e. a string of bits of a define
33、d length, to yield a block of ciphertext. ISO/IEC 18033-1: 20053.4cipheralternative term for encipherment system. ISO/IEC 18033-1: 20053.5ciphertextdata which has been transformed to hide its information content. ISO/IEC 10116: 19973.6confidentialitythe property that information is not made availabl
34、e or disclosed to unauthorized individuals, entities, orprocesses. ISO/IEC 13335-1: 20043.7data integritythe property that data has not been altered or destroyed in an unauthorized manner. ISO/IEC 9797-1: 19993.8deciphermentalternative term for decryption. ISO/IEC 18033-1: 20053.9decryptionreversal
35、of a corresponding encipherment. ISO/IEC 11770-1: 19963.10enciphermentalternative term for encryption. ISO/IEC 18033-1: 20053.11encryption(reversible) transformation of data by a cryptographic algorithm to produce ciphertext, i.e., to hide theinformation content of the data. ISO/IEC 9797-1: 19963.12
36、initialization valuevalue used in defining the starting point of an encipherment process. ISO 8372: 19873.13keysequence of symbols that controls the operation of a cryptographic transformation (e.g. encipherment,decipherment). ISO/IEC 11770-1: 19963.14keystreampseudorandom sequence of symbols, inten
37、ded to be secret, used by the encryption and decryption algorithmsof a stream cipher. If a portion of the keystream is known by an attacker, then it shall be computationallyinfeasible for the attacker to deduce any information about the remainder of the keystream. ISO/IEC 18033-1:2005INCITS/ISO/IEC
38、18033-4-2005 ITIC 2005 All rights reserved33.15keystream functionfunction that takes as input the current state of the keystream generator and (optionally) part of thepreviously output ciphertext, and gives as output the next part of the keystream.3.16keystream generatorstate-based process (i.e. a f
39、inite state machine) that takes as inputs a key, an initialization vector, and ifnecessary the ciphertext, and that outputs a keystream, i.e. a sequence of bits or blocks of bits, of arbitrarylength.3.17n-bit block cipherblock cipher with the property that plaintext blocks and ciphertext blocks are
40、n bits in length. ISO/IEC 10116:19973.18next-state functionfunction that takes as input the current state of the keystream generator and (optionally) part of thepreviously output ciphertext, and gives as output a new state for the keystream generator.3.19output functionoutput function that combines
41、the keystream and the plaintext to produce the ciphertext. This function is oftenbitwise XOR.3.20paddingappending extra bits to a data string. ISO/IEC 10118-1: 20003.22secret keykey used with symmetric cryptographic techniques by a specified set of entities. ISO/IEC 11770-3: 19993.24statecurrent int
42、ernal state of a keystream generator.3.26synchronous stream cipherstream cipher with the property that the keystream symbols are generated as a function of a secret key, andare independent of the plaintext and ciphertext. ISO/IEC 18033-1: 20053.21plaintextunenciphered information. ISO/IEC 9797-1: 19
43、993.23 self-synchronizing stream cipher stream cipher with the property that the keystream symbols are generated as a function of a secret key and a fixed number of previous ciphertext bits. ISO/IEC 18033-1: 2005 3.25 stream cipher symmetric encryption system with the property that the encryption al
44、gorithm involves combining a sequence of plaintext symbols with a sequence of keystream symbols one symbol at a time, using an invertible function. Two types of stream cipher can be identified: synchronous stream ciphers and self-synchronizing stream ciphers, distinguished by the method to obtain th
45、e keystream. ISO/IEC 18033-1: 2005 INCITS/ISO/IEC 18033-4-2005 ITIC 2005 All rights reserved4 4 Symbols and abbreviated terms0(n)n-bit variable where 0 is assigned to every bit.0x Prefix for hexadecimal values.aiVariables in an internal state of a keystream generator.biVariables in an internal state
46、 of a keystream generator.CiCiphertext block.CFB Cipher FeedBack mode of a block cipher.CTR CounTeR mode of a block cipher.Di64-bit constants used for MUGI.eKSymmetric block cipher encryption function using secret key K.F Subfunction used for MUGI.FSM Subfunction used for SNOW 2.0.Fx The polynomial
47、ring over the finite field F.GF(2n) Finite field of exactly 2nelements.Init Function which generates the initial internal state of a keystream generator.IV Initialization vector.K Key.M Subfunction used for MUGI.n Block length.Next Next-state function of a keystream generator.OFB Output FeedBack mod
48、e of a block cipher.OR Bitwise or operation.Out Output function combining keystream and plaintext in order to generate ciphertext.P Plaintext.PiPlaintext block.R Additional input to Out.SiInternal state of a keystream generator.NOTE During normal operation of the cipher, i will increase monotonicall
49、y starting from zero. However, duringinitialization of the ciphers, it is convenient from a notational point of view to let i take negative values and define the startingstate S0in terms of Sivalues for intt-bit right shift in an n-bit register.ntt-bit right circular rotation in an n-bit register.4.1 Left-truncation of bitsThe operation of selecting the j leftmost bits of an array A=(a0, a1,., am1) to generat