Documente Academic
Documente Profesional
Documente Cultură
Algorithm Specification
CRYPTICO A/S
Fruebjergvej 3
2100 Copenhagen
Denmark
info@cryptico.com
Cryptico A/S Badger MAC, Algorithm Specification
Copyright Notice
c 2003-2005 Cryptico A/S. All rights reserved. All title and copyrights in and to this document
Copyright °
are owned by Cryptico A/S and/or its suppliers. Any commercial use or redistribution of this document is not
allowed without the prior written consent of Cryptico A/S. Non-commercial redistribution of this document is
allowed provided that the document is redistributed in its entirety and that this legal notice is not removed or
altered in any way. Cryptico A/S shall not in any way be liable for any use of the document. This document
is provided “as is” without any express or implied warranty for its contents.
Some or all of the work described or mentioned in this document may be patented or patent pending. All title
and intellectual property rights in and to the work, including, but not limited to, patent rights and copyrights,
are owned by Cryptico A/S and/or its suppliers. For further information on licensing terms and conditions,
please contact Cryptico at info@cryptico.com.
Cryptico, CryptiCore, the Cryptico logo and “Re-thinking encryption” are trademarks of Cryptico A/S.
2
Cryptico A/S Badger MAC, Algorithm Specification
1 Introduction
This document describes the Badger Message Authentication Code (MAC), including the key
setup and IV setup schemes. It furthermore describes the Application Programming Interface
(API) of the C example source code presented in Appendix A. Appendix B presents some
test vectors.
The Badger source code and a test program are available in a zip-file at www.cryptico.com.
1.1 Notation
In the following, p will denote the prime number 232 −5. We define Zp to be the set {0, . . . , p−1}
and {0, 1}n to be the set {0, . . . , 2n − 1} (for any positive integer n). By +n , we mean addition
modulo 2n , while + and · denote standard addition and multiplication over the integers. Given
a 2n-bit string x, we denote its least significant n bits by L(x) and its most significant n bits
by U (x). 0n is the binary string consisting of n zeroes. By M , we denote the message to be
hashed, and |M | denotes its length in bits. Mmax is the largest possible input message.
When the stream cipher Rabbit is used in algorithmic descriptions, the following pseudo-code
function calls are used:
• RabbitKeySetup(K): Initializes Rabbit with the 128-bit key K.
• RabbitIVSetup(N ): Initializes Rabbit with the 64-bit nonce N .
• RabbitNextbit(n): Returns n bits of pseudorandom output.
By a||b, we denote the concatenation of the two bitstrings a and b. For n-byte values, the
least significant byte (LSByte) is written to the right, e.g. if a has n bytes, we have a =
an || . . . ||a1 . In particular, if a and b are n-byte values, then a||b results in the byte order
an || . . . ||a1 ||bn || . . . ||b1 .
This byte order corresponds to the natural byte order of little endian processors. Likewise,
the C code found in appendix A is written for little endian machines. For a big endian, byte
order has to be swapped where appropriate.
The Badger message authentication code processes a message of length up to 264 − 1 bit into
an authentication tag of length u · 32 bit, where u (1 ≤ u ≤ 5) can be chosen by the user
according to the security needs1 . The value u defines the number of parallel hash trees within
Badger. The algorithm uses a 128-bit key, and the number of messages to be processed under
this key is limited to 264 .
In order to run the Badger algorithm under a given key, the key setup has to be run just once.
The resulting internal state of the MAC can be saved for use with any other message that is
to be processed later. For every message, two steps have to be executed: In the processing
phase, the data is hashed onto a 64-bit string, and in the finalize phase, this string is
transformed into the desired MAC tag.
1
Note that larger values for u are also possible, but they do not contribute further to the security of the
MAC.
3
Cryptico A/S Badger MAC, Algorithm Specification
RabbitKeySetup(K)
words used = 0
// Empty buffer
while(words used mod 4 6= 0):
discard RabbitNextbit(32)
words used++
Using this function and denoting level key[j][i] by kji , the processing of a message can
proceed as described in figure 2.
4
Cryptico A/S Badger MAC, Algorithm Specification
L = |M |
if L = 0
M1 = . . . = Mu = 0
Go to finalization
r = L mod 64
if r 6= 0:
M = 064−r ||M
for i = 1 to u:
Mi = M
v 0 = max{1, dlog2 Le − 6}
for j = 1 to v 0 :
divide M i into 64-bit blocks, M i = mit || . . . ||mi1
if t is even:
M i = h(kji , mit , mit−1 )|| . . . ||h(kji , mi2 , mi1 )
else:
M i = mit ||h(kji , mit−1 , mit−2 )|| . . . ||h(kji , mi2 , mi1 )
Denoting the finalization key final key[j][i] by Kji , the overall finalization phase can be
described as in figure 3.
RabbitKeySetup(K)
RabbitIVSetup(N )
for i = 1 to u:
Qi = 07 ||L||M i
divide³ Qi into 27-bit i i i
´ blocks , Q = q5 || . . . ||q1
5
Si = i i i
P
j=1 qj Kj + K6 mod p
S = S u || . . . ||S 1
S = S⊕ RabbitNextbit(u · 32)
return S
5
Cryptico A/S Badger MAC, Algorithm Specification
The API of the Badger source code, provided in Appendix A, consists of four functions:
badger key setup, badger init, badger process, and badger finalize mac. All four func-
tions return the value 0 if the function call was successful and -1 if an error occurred. The key
material needed by the algorithm is kept in an instance of the badger key instance struc-
ture. Current state information obtained through previous processing of data, e.g., number of
bits processed, is kept in an instance of badger mac instance. Both of these structures are
defined in badger.h.
Generates the key material needed for processing of the data to be authenticated and puts it
into the key instance. badger key setup is invoked every time the key is changed. However,
it is not necessary to call it for every message to be authenticated.
• p key instance: Pointer to the key instance used to hold the key material.
• p key: Pointer to the key to be used for generating the key material.
• key size: Size of the key in bytes. The size must be 16 bytes.
3.2 Initialize
Used to initialize the MAC instance. Must be used before processing a new message.
• p mac instance: Pointer to the MAC instance used for this data authentication.
The process function is called to do the intermediate processing of the data to be authen-
ticated. Processing of a message can be done either by calling badger process once, with
p data pointing to the full message, or by calling it several times, with the respective p data
pointing to successive substrings of the message (see example in section 4). It is, however,
still required that the data is processed in the proper order.
6
Cryptico A/S Badger MAC, Algorithm Specification
Finalizes computation of the MAC value. The MAC value is written at the address pointed
to by p mac. The value of mac size has to be a multiple of 4, and the memory required to
store the MAC value must be allocated by the caller in advance.
4 Coding Examples
/* ... */
/* Set up the key instance, process the message, and produce the MAC value */
badger_key_setup(&key_instance, p_key, 16);
badger_init(&mac_instance);
badger_process(&key_instance, &mac_instance, p_data, data_size);
badger_finalize_mac(&key_instance, &mac_instance, p_iv, 8, p_mac, 16);
/* ... */
In some applications it may be necessary to process the data in parts. The example be-
low produces the same MAC value as above, assuming that data size1 + data size2 =
data size:
badger_key_instance key_instance;
badger_mac_instance mac_instance;
cc_byte p_key[16] = {...};
cc_byte p_iv[8] = {...};
7
Cryptico A/S Badger MAC, Algorithm Specification
cc_byte p_mac[16];
/* ... */
/* Set up the key instance, process the message and produce the MAC value */
badger_key_setup(&key_instance, p_key, 16);
badger_init(&mac_instance);
badger_process(&key_instance, &mac_instance, p_data, data_size1);
badger_process(&key_instance, &mac_instance,
p_data + data_size1, data_size2);
badger_finalize_mac(&key_instance, &mac_instance, p_iv, 8, p_mac, 16);
/* ... */
When computing MAC values for several sets of data using the same set of key material, a
unique IV should be applied for each set of data. The IV does not have to be secret and
can, for instance, simply be a counter value or a block/package number. The procedure can
be performed as follows:
badger_key_instance key_instance;
badger_mac_instance mac_instance;
cc_byte p_key[16] = {...};
cc_byte p_iv1[8] = {...};
cc_byte p_iv2[8] = {...};
cc_byte p_mac1[16], p_mac2[16];
/* ... */
/* ... */
/* Process input and compute MAC value for the first set of data */
badger_init(&mac_instance);
badger_process(&key_instance, &mac_instance, p_data1, data_size1);
badger_finalize_mac(&key_instance, &mac_instance, p_iv1, 8, p_mac1, 16);
/* ... */
/* Process input and produce MAC value for the second set of data */
badger_init(&mac_instance);
badger_process(&key_instance, &mac_instance, p_data2, data_size2);
badger_finalize_mac(&key_instance, &mac_instance, p_iv2, 8, p_mac2, 16);
8
Cryptico A/S Badger MAC, Algorithm Specification
This appendix presents the ANSI C source code for Badger. The API and the arguments to
the functions are described in section 3.
badger.h
Below the badger.h header file is listed:
/******************************************************************************/
/* File name: badger.h */
/*----------------------------------------------------------------------------*/
/* Header file for reference C version of the Badger MAC function. */
/* */
/* For further documentation, see "Badger Message Authentication Code, */
/* Algorithm Specification" which can be found at http://www.cryptico.com/. */
/* */
/* This source code is for little-endian processors (e.g. x86). */
/*----------------------------------------------------------------------------*/
/* Copyright (C) Cryptico A/S. All rights reserved. */
/* */
/* YOU SHOULD CAREFULLY READ THIS LEGAL NOTICE BEFORE USING THIS SOFTWARE. */
/* */
/* This software is developed by Cryptico A/S and/or its suppliers. */
/* All title and intellectual property rights in and to the software, */
/* including but not limited to patent rights and copyrights, are owned by */
/* Cryptico A/S and/or its suppliers. */
/* */
/* The software may be used solely for non-commercial purposes */
/* without the prior written consent of Cryptico A/S. For further */
/* information on licensing terms and conditions please contact Cryptico A/S */
/* at info@cryptico.com */
/* */
/* Cryptico, CryptiCore, the Cryptico logo and "Re-thinking encryption" are */
/* either trademarks or registered trademarks of Cryptico A/S. */
/* */
/* Cryptico A/S shall not in any way be liable for any use of this software. */
/* The software is provided "as is" without any express or implied warranty. */
/* */
/******************************************************************************/
/******************************************************************************/
/* USAGE OF DEFINES: */
/*----------------------------------------------------------------------------*/
/* BADGER_NO_OF_TREES: Number of parallel trees. */
/* MAC tag size [bytes] = 4 * no_of_trees */
/* Minimum value: 1 */
/*----------------------------------------------------------------------------*/
/* BADGER_NO_OF_LEVELS: Maximum number of levels in each tree. */
/* Max. message size [bytes] = 8 * 2^no_of_levels */
/* Allowed values: 2 - 58 (even numbers only) */
/* Overall maximum message size: 2^61-1 bytes. */
/******************************************************************************/
#ifndef _BADGER_H
#define _BADGER_H
9
Cryptico A/S Badger MAC, Algorithm Specification
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
#ifdef __cplusplus
extern "C" {
#endif
10
Cryptico A/S Badger MAC, Algorithm Specification
#ifdef __cplusplus
}
#endif
/* -------------------------------------------------------------------------- */
#endif
badger.c
Below the badger.c file is listed:
/******************************************************************************/
/* File name: badger.c */
/*----------------------------------------------------------------------------*/
/* Source file for reference C version of the Badger MAC function. */
/* */
/* For further documentation, see "Badger Message Authentication Code, */
/* Algorithm Specification" which can be found at http://www.cryptico.com/. */
/* */
/* This source code is for little-endian processors (e.g. x86). */
/*----------------------------------------------------------------------------*/
/* Copyright (C) Cryptico A/S. All rights reserved. */
/* */
/* YOU SHOULD CAREFULLY READ THIS LEGAL NOTICE BEFORE USING THIS SOFTWARE. */
/* */
/* This software is developed by Cryptico A/S and/or its suppliers. */
/* All title and intellectual property rights in and to the software, */
/* including but not limited to patent rights and copyrights, are owned by */
/* Cryptico A/S and/or its suppliers. */
/* */
/* The software may be used solely for non-commercial purposes */
/* without the prior written consent of Cryptico A/S. For further */
/* information on licensing terms and conditions please contact Cryptico A/S */
/* at info@cryptico.com */
/* */
/* Cryptico, CryptiCore, the Cryptico logo and "Re-thinking encryption" are */
/* either trademarks or registered trademarks of Cryptico A/S. */
/* */
/* Cryptico A/S shall not in any way be liable for any use of this software. */
/* The software is provided "as is" without any express or implied warranty. */
/* */
/******************************************************************************/
#include "badger.h"
/* -------------------------------------------------------------------------- */
/* Hash two blocks and propagate the result recursively through the tree */
static void badger_hash_node(const cc_uint64 *p_mac_key, cc_uint64 *p_mac_buffer,
cc_uint64 buf_mask, const cc_uint64 *p_left, const cc_uint64 *p_right)
{
/* Temporary variables */
cc_uint32 t1, t2;
cc_uint64 t3;
11
Cryptico A/S Badger MAC, Algorithm Specification
/* Hash */
t1 = *((cc_uint32*)p_mac_key+0) + *((cc_uint32*)p_left+0);
t2 = *((cc_uint32*)p_mac_key+1) + *((cc_uint32*)p_left+1);
t3 = (cc_uint64)t1 * (cc_uint64)t2 + *p_right;
/* -------------------------------------------------------------------------- */
12
Cryptico A/S Badger MAC, Algorithm Specification
if (res)
return res;
return res;
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
/* Process data */
int badger_process(const badger_key_instance *p_key_instance,
badger_mac_instance *p_mac_instance,
const cc_byte *p_data, size_t data_size)
13
Cryptico A/S Badger MAC, Algorithm Specification
{
/* Temporary variables */
int i;
return 0;
}
/* -------------------------------------------------------------------------- */
14
Cryptico A/S Badger MAC, Algorithm Specification
/* Initialize variables */
buf_mask = p_mac_instance->bit_count >> 7;
p_left = &p_mac_instance->tree_buffer[0][0];
p_mac_key = &p_key_instance->level_key[1][0];
right_filled = 0;
/* Copy the 8-byte block into each position of the right[] array */
for (i=0; i<BADGER_NO_OF_TREES; i++)
right[i] = *(cc_uint64*)p_mac_instance->buffer;
}
else
/* Else the buffer contains between 9 and 15 bytes... */
{
/* Append zeroes to fill the block */
while (p_mac_instance->buffer_index<16)
p_mac_instance->buffer[p_mac_instance->buffer_index++] = 0;
15
Cryptico A/S Badger MAC, Algorithm Specification
p_left += BADGER_NO_OF_TREES;
p_mac_key += BADGER_NO_OF_TREES;
buf_mask >>= 1;
}
/* Finish tree */
while (buf_mask)
{
/* If the buffer at this level is full... */
if (buf_mask&1)
{
/* Hash this level in all trees */
for (i=0; i<BADGER_NO_OF_TREES; i++)
{
t1 = *((cc_uint32*)p_mac_key+0) + *((cc_uint32*)p_left+0);
t2 = *((cc_uint32*)p_mac_key+1) + *((cc_uint32*)p_left+1);
right[i] += (cc_uint64)t1 * (cc_uint64)t2;
p_mac_key++;
p_left++;
}
}
else
{
/* Correct pointers to point at next level */
p_left += BADGER_NO_OF_TREES;
p_mac_key += BADGER_NO_OF_TREES;
}
/* Correct buf_mask to represent remaining levels */
buf_mask >>= 1;
}
}
16
Cryptico A/S Badger MAC, Algorithm Specification
t += (cc_uint64)p_key_instance->final_key[2][i] *
((right[i] >> 54) |
((p_mac_instance->bit_count & 0x0001FFFF) << 10));
t += (cc_uint64)p_key_instance->final_key[3][i] *
((p_mac_instance->bit_count >> 17) & 0x07FFFFFF);
t += (cc_uint64)p_key_instance->final_key[4][i] *
(p_mac_instance->bit_count >> 44);
t += (cc_uint64)p_key_instance->final_key[5][i];
/* mod p32 */
low = (cc_uint32)(t&0xFFFFFFFF);
high = (cc_uint32)(t>>32);
r = low + 5*high;
if ((low > r) || (r > 0xFFFFFFFA)) /* Note: both conditions will never */
r -= 0xFFFFFFFB; /* be met at the same time. */
/* Cipher IV setup */
res = rabbit_iv_setup(&(p_key_instance->rabbit_master_instance), &encr_inst, p_iv, iv_size);
if (res)
return res;
return res;
}
/* -------------------------------------------------------------------------- */
17
Cryptico A/S Badger MAC, Algorithm Specification
B Testing
Below some test vectors are presented. A program testing the keys, IV’s and the corresponding
output is included in the zip-file available from www.cryptico.com. It does also contain test
vectors for larger messages. The keys and outputs are presented byte-wise. The leftmost byte
of key is K [7..0] .
iv = [00 01 02 03 04 05 06 07]
msg0 = []
mac0 = [54 6D 3A 85 F8 CB FA D9 E0 58 50 58 2C AC 3D E4]
msg1 = [00]
mac1 = [5F AA AB 85 AC BE 04 48 1D D6 34 D0 FA D9 FA FA]
msg2 = [01]
mac2 = [47 EA 18 A1 99 AE 07 31 7C A5 AC C9 37 2F 55 85]
18