ISO/IEC 18033-4:2005/Amd 1:2009

INTERNATIONAL ISO/IEC
STANDARD 18033-4
First edition
2005-07-15
AMENDMENT 1
2009-12-15


Information technology — Security
techniques — Encryption algorithms —
Part 4:
Stream ciphers
AMENDMENT 1: Rabbit and Decim
Technologies de l'information — Techniques de sécurité — Algorithmes
de chiffrement —
Partie 4: Chiffrements en flot
AMENDEMENT 1: Rabbit et Decim





Reference number
ISO/IEC 18033-4:2005/Amd.1:2009(E)
©
ISO/IEC 2009

---------------------- Page: 1 ----------------------
ISO/IEC 18033-4:2005/Amd.1:2009(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2009 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 18033-4:2005/Amd.1:2009(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Amendment 1 to ISO/IEC 18033-4:2005 was prepared by Joint Technical Committee ISO/IEC JTC 1,
Information technology, Subcommittee SC 27, IT Security techniques.
This Amendment introduces two additional keystream generators for use as stream ciphers: Rabbit and
v2
Decim .
Rabbit is specified in 7.3, and test vectors are given in A.4.
v2
Decim is specified in 7.4, and test vectors are given in A.5.
For all keystream generators, security statements are given in Annex B, and object identifiers are given in
Annex C.
© ISO/IEC 2009 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 18033-4:2005/Amd.1:2009(E)

Information technology — Security techniques — Encryption
algorithms —
Part 4:
Stream ciphers
AMENDMENT 1: Rabbit and Decim
Page 4, Clause 4, immediately before b
i
Add the following:
AND Bitwise logical AND operation.

Page 4, Clause 4, line 21
Replace with the following:
OR Bitwise logical OR operation.

Page 5, immediately before 4.1
Add the following note:
NOTE Additional variables and notation specific to a given keystream generator are introduced with the algorithm.
Page 23, after 7.2.7
Add the following new subclauses:
7.3 Rabbit keystream generator
Rabbit is a keystream generator which uses a 128-bit secret key K, a 64-bit initialization vector IV, and a 513-
bit internal state variable S (i ≥ 0). It outputs a 128-bit keystream block Z at every iteration of the function Strm.
i i
(i) (i)
The 513 bits of the internal state S are divided between eight 32-bit state variables X , .,X , eight 32-bit
i 0 7
(i) (i) (i)
counter variables C , .,C , and one counter carry bit b .
0 7
The description uses the notation defined in Section 4 of the standard. In addition, a special notation for bit
arrays is used to enhance readability: when labeling the bits of a variable A, the least significant bit is denoted
[0] [h.g]
by A . The notation A represents bits h through g of variable A, where bit position h is more significant
than bit position g.
64
NOTE 1 For Rabbit, the maximum recommended amount of keystream produced from a given key K is 2 keystream
blocks. This provides a large security margin against cryptanalysis, while at the same time implying no practical limitations
on the applicability of the algorithm.
NOTE 2 We refer to [1] for the original proposal of the cipher and to [2] for an overview of its cryptographic security.
© ISO/IEC 2009 – All rights reserved 1

---------------------- Page: 4 ----------------------
ISO/IEC 18033-4:2005/Amd.1:2009(E)
7.3.1 Additional variables and notation
In the specification of the Rabbit keystream generator, the following specific notation is used:
A Constant for Rabbit
b Carry bit for Rabbit
C Counter variable for Rabbit
g Subfunction used for Rabbit
X Inner state variable for Rabbit
In addition, a number of other symbols are used for auxiliary local variables in algorithm descriptions. These
symbols occur only within a given function specification and do not have a global meaning. They are thus
described in the function declaration.
7.3.2 Initialization function Init
In the following, the initialization function Init of Rabbit is specified.
INPUT: 128-bit key K, 64-bit initialization vector IV.
(0) (0) (0) (0) (0)
OUTPUT: Initial value of the state variable S = (b , X , .,X , C , .,C ).
0 0 7 0 7
Local variables: counters i, j
[15.0] [31.16] [127.112]
1. Let K = K , K = K , ., and K = K .
0 1 7
2. Set S as follows:
-9
(-9)
2.1. Set b = 0.
2.2. For j = 0, 1, ., 7:
2.2.1. If j is even:
(-9)
2.2.1.1. Set X = K || K .
j (j+1 mod 8) j
(-9)
2.2.1.2. Set C = K || K .
j (j+4 mod 8) (j+5 mod 8)
2.2.2. Else:
(-9)
2.2.2.1. Set X = K || K .
j (j+5 mod 8) (j+4 mod 8)
(-9)
2.2.2.2. Set C = K || K .
j j (j+1 mod 8)
3. Iterate the next-state function Next four times:
3.1. For i = -8, -7, -6, -5:
3.1.1. S = Next (S )
i i-1
4. Set S as follows:
-4
4.1. Modify the counters as follows:
(-4) (-5) (-5) [31.0] (-4) (-5) (-5) [63.48] [31.16]
C = C ⊕ X ⊕ IV C = C ⊕ X ⊕ (IV || IV )
0 0 4 1 1 5
(-4) (-5) (-5) [63.32] (-4) (-5) (-5) [47.32] [15.0]
C = C ⊕ X ⊕ IV C = C ⊕ X ⊕ (IV || IV )
2 2 6 3 3 7
(-4) (-5) (-5) [31.0] (-4) (-5) (-5) [63.48] [31.16]
C = C ⊕ X ⊕ IV C = C ⊕ X ⊕ (IV || IV )
4 4 0 5 5 1
(-4) (-5) (-5) [63.32] (-4) (-5) (-5) [47.32] [15.0]
C = C ⊕ X ⊕ IV C = C ⊕ X ⊕ (IV || IV )
6 6 2 7 7 3
2 © ISO/IEC 2009 – All rights reserved

---------------------- Page: 5 ----------------------
ISO/IEC 18033-4:2005/Amd.1:2009(E)
(-4) (-5) (-4) (-5) (-4) (-5)
4.2. Set X = X , ., X = X , b = b .
0 0 7 7
5. Iterate the next-state function Next four times:
5.1. For i = -3, -2, -1, 0:
5.1.1. S = Next (S )
i i-1
(0) (0) (0) (0) (0)
6. Output S = (b , X , .,X , C , .,C ).
0 0 7 0 7
NOTE The IV is mixed into the internal state in steps 4 and 5 of the algorithm. If the application requires
frequent re-initialization under the same key, it makes sense to store the internal state after step 3 as master
state and to perform only steps 4 through 6 for re-initialization.
7.3.3 Next-state function Next
The next-state function Next of Rabbit is specified as follows:
(i) (i) (i) (i) (i)
INPUT: State variable S = (b , X , .,X , C , .,C ).
i 0 7 0 7
(i+1) (i+1) (i+1) (i+1) (i+1)
OUTPUT: State variable S = (b , X , .,X , C , .,C ).
i+1 0 7 0 7
Local variables: counter j, 33-bit positive integer temp
1. Set constants A , ., A as follows:
0 7
A = 0x4D34D34D A = 0xD34D34D3
0 1
A = 0x34D34D34 A = 0x4D34D34D
2 3
A = 0xD34D34D3 A = 0x34D34D34
4 5
A = 0x4D34D34D A = 0xD34D34D3
6 7
(i+1) (i)
2. Let b = b
0
3. For j = 0, 1, ., 7:
(i) (i+1)
3.1. Let temp = C + A + b ; this results in a 33-bit value.
j j j
(i+1) [32]
3.2. Let b = temp .
j+1
(i+1) [31.0]
3.3. Let C = temp .
j
(i+1) (i+1)
4. Let b = b
8
5. For j = 0, 1, ., 7:
(i) (i+1)
5.1. Let G = g(X , C ). The detailed description of the function g is given in 7.3.5.
j j j
6. Modify internal state as follows:
(i+1)
X = G + (G <<< 16) + (G <<< 16)
0 0 32 7 32 32 6 32
(i+1)
X = G + (G <<< 8) + G
1 1 32 0 32 32 7
(i+1)
X = G + (G <<< 16) + (G <<< 16)
2 2 32 1 32 32 0 32
(i+1)
X = G + (G <<< 8) + G
3 3 32 2 32 32 1
(i+1)
X = G + (G <<< 16) + (G <<< 16)
4 4 32 3 32 32 2 32
(i+1)
X = G + (G <<< 8) + G
5 5 32 4 32 32 3
(i+1)
X = G + (G <<< 16) + (G <<< 16)
6 6 32 5 32 32 4 32
(i+1)
X = G + (G <<< 8) + G
7 7 32 6 32 32 5
(i+1) (i+1) (i+1) (i+1) (i+1)
7. Output S = (b , X , .,X , C , .,C ).
i+1 0 7 0 7
© ISO/IEC 2009 – All rights reserved 3

---------------------- Page: 6 ----------------------
ISO/IEC 18033-4:2005/Amd.1:2009(E)
7.3.4 Keystream function Strm
The keystream function Strm of Rabbit is specified as follows:
(i) (i) (i) (i) (i)
INPUT: State variable S = (b , X , .,X , C , .,C ).
i 0 7 0 7
OUTPUT: Keystream block Z.
i
1. Set Z as follows:
i
[15.0] (i) [15.0] (i) [31.16]
Z = X ⊕ X
i 0 5
[31.16] (i) [31.16] (i) [15.0]
Z = X ⊕ X
i 0 3
[47.32] (i) [15.0] (i) [31.16]
Z = X ⊕ X
i 2 7
[63.48] (i) [31.16] (i) [15.0]
Z = X ⊕ X
i 2 5
[79.64] (i) [15.0] (i) [31.16]
Z = X ⊕ X
i 4 1
[95.80] (i) [31.16] (i) [15.0]
Z = X ⊕ X
i 4 7
[111.96] (i) [15.0] (i) [31.16]
Z = X ⊕ X
i 6 3
[127.112] (i) [31.16] (i) [15.0]
Z = X ⊕ X
i 6 1
2. Output Z .
i
7.3.5 Function g
The function g is specified as follows:
INPUT: Two 32-bit parameters u and v.
OUTPUT: 32-bit result g(u,v).
Local variables: 64-bit positive integer temp
2
1. Let temp = (u + v) ; this results in a 64-bit value.
32
[31.0] [63.32]
2. Let g(u,v) = temp ⊕ temp .
3. Output g(u,v).
v2
7.4 Decim keystream generator
v2
Decim is a keystream generator which uses an 80-bit secret key K and a 64-bit initialization vector IV.
v2
Decim is composed of a 192-bit maximum length linear feedback shift register A, filtered by a 14-variable
Boolean function F. In keystream generation mode, the output of F is used to feed a compression block which
is a function called ABSG, whose output finally passes through a 32-bit long buffer B to regulate the
keystream output rate.
v2
NOTE 1 See Reference [3] for the theoretical background on the design rationale of Decim .
v2 (i) (i) (i) (i)
The state variable S of Decim consists of the 192-bit value a = (a , a ,…, a ) of register A, a 3-bit
0 1 191
i
(i) (i) (i) (i)
variable T which corresponds to the state of the compression function ABSG, the 32 bits b = (b , b ,…,
0 1
(i) (i)
b ) in buffer B, and the number I of bits in buffer B that are ready to be output.
31
4 © ISO/IEC 2009 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC 18033-4:2005/Amd.1:2009(E)

v2
Figure 10 — Schematic drawing of Decim .

The Init function, defined in detail in 7.4.2, takes as input the 80-bit key K and the 64-bit initialization vector IV ,
(0) (0) (0) (0)
and produces the initial value of the state variable S = (a , T , b , I ).
0
(i) (i) (i)
The Next function, defined in detail in 7.4.4, takes as an input the value of the state variable S = (a , T , b ,
i
(i) (i+1) (i+1) (i+1) (i+1)
I ) and produces as output the next value of the state variable S = (a , T , b , I ). The Next function
i+1
can operate in any of three different modes, depending on whether the iteration performed is part of the
initialization of the register, the initialization of the buffer, or the subsequent keystream generation.
(i) (i) (i)
The Strm function, defined in detail in 7.4.5, takes as an input the value of the state variable S = (a , T , b ,
i
(i)
I ), and produces as output a keystream bit Z.
i
v2
NOTE 2 The standard output rate of Decim is 1/4. Therefore, in order to synchronize the state variable and the
v2
keystream output, the Next function performs four standard iterations of Decim as specified in [3].
v2
NOTE 3 The compression function of Decim has a variable output rate, equal to 1/3 on average. Therefore, a buffer
mechanism is used to ensure a constant output rate. The differences between the buffer output rate and the
compression function output rate, as well as the buffer length, have been chosen to ensure that the buffer
always functions as expected with overwhelming probability, as described in Section 7.4.2.
7.4.1 Additional variables and notation
V2
In the specification of the Decim keystream generator, the following specific notation is used:
v2
a
Inner state variable for Decim
v2
ABSG Compression function used for Decim
v2
b, b' Inner state variables for Decim
v2
B Buffering function used for Decim
v2
F Linear feedback function used for Decim
© ISO/IEC 2009 – All rights reserved 5

---------------------- Page: 8 ----------------------
ISO/IEC 18033-4:2005/Amd.1:2009(E)
v2
I, I' Inner state variables for Decim
v2
L Filtering function used for Decim
v2
T, T' Inner state variables for Decim
v2
Y Boolean function used for Decim
In addition, a number of other symbols are used for auxiliary local variables in algorithm descriptions. These
symbols occur only within a given function specification and do not have a global meaning. They are thus
described in the function declaration.
7.4.2 Initialization function Init
The Initialization function Init is defined as follows.
INPUT: 80-bit key K, 64-bit initialization vector IV.
(0) (0) (0) (0)
OUTPUT: Initial value of the state variable S = (a , T , b , I ).
0
Local variables: counters i, j
a) Initialize the register with the key K and the initialization vector IV.
(-256)
1) Set a = K for j =0,1,…,79.
j j
(-256)
2) Set a = K ⊕ IV for j =80,81,…,143.
j j-80 j-80
(-256)
3) Set a = K ⊕ IV ⊕ IV ⊕ IV ⊕ IV for j =144,145,…,159.
j j-80 j-144 j-128 j-112 j-96
(-256)
4) Set a = IV ⊕ IV ⊕ 1 for j =160,161,…,191.
j j-160 j-128
b) Initialize the buffer and the compression function:
(-256)
1) Set T = 000.
(-256)
2) Set b = 0 for j =0,1,…,31.
j
(-256)
3) Set I = 0.
192
c) Set S = InitNext (S , LFSR).
-64 -256
d) Set i = -64.
(i)
e) While I < 32 and i<0:

1) Set S = InitNext(S , BUFF).
i+1 i
2) Set i=i+1.

f) Set S = S .
0 i
g) Output S .
0
v2
NOTE Steps d), e) and f) of the Decim initialization involve filling the buffer before starting the keystream output. As
the output rate of the compression function varies, the number of steps required to fill the buffer may vary. In
step e), the InitNext(BUFF) function is iterated 64 times at most, which guarantees that the buffer is full with
-97
probability more than 1-2 . On average, the buffer is full after 24 iterations. If a fixed, constant number of
(i)
steps in the Init function is needed for implementation, the test I < 32 in step e) can be removed.
6 © ISO/IEC 2009 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/IEC 18033-4:2005/Amd.1:2009(E)

Figure 11 — Initialization mechanism.
7.4.3 Initialization Next-state function InitNext
v2
Decim has two modes for the InitNext function: one mode is used during the initialization of the register A
and the second during the initial filling of the buffer.
(i) (i) (i) (i)
INPUT: State variable S = (a , T , b , I ), mode ∈ {LFSR, BUFF}.
i
(i+1) (i+1) (i+1) (i+1)
OUTPUT: Next value of the state variable S = (a , T , b , I ).
i+1
, r, c,
Local variables:  counters j, k, buffers f
k
(0) (4) (0) (4) (0) (4) (0) (4)
   state buffers α , ., α , τ , ., τ , β , ., β , ι , ., ι .
LFSR mode (execute if mode = LFSR):
a) Update the state of the register A with the following steps:
(0) (i)
1) Set α =a .
2) For k = 0, 1, 2, 3:
(k) (k)
i) Set f = F(α ) and r = L(α ) ⊕ f .
k k
(k+1) (k)
ii) For j =0,1,…,190 set α = α .
j j+1
(k+1)
iii) Set α = r.
191
(i+1) (4)
3) Set a = α .
BUFF mode (execute if mode = BUFF):
a) Update the state of the register A with the following steps:
(0) (i)
1) Set α =a .
2) For k = 0, 1, 2, 3:
(k) (k) (k)
i) Set f = α ⊕ F(α ) and r = L(α ).
k 1
(k+1) (k)
ii) For j =0,1,…,190 set α = α .
j j+1
(k+1)
iii) Set α = r.
191
(i+1) (4)
3) Set a = α .
© ISO/IEC 2009 – All rights reserved 7

---------------------- Page: 10 ----------------------
ISO/IEC 18033-4:2005/Amd.1:2009(E)
(0) (i) (0) (i) (0) (i)
b) Set τ = T , β = b , ι = I .
c) For k = 0, 1, 2, 3:
1) Update the state of the compression block with the following steps:
(k)
i) Set c = f ⊕ τ .
k 0
(k+1) (k)
ii) Set τ = ABSG(τ , f ).
k
(k+1)
iii) If τ = 0 , set output = TRUE , otherwise set output = FALSE.
0
(k+1) (k+1) (k) (k)
2) Update the state of the buffer by (β , ι ) = B(β , ι , output, c ).
(i+1) (4)
d) Set T = τ .
(i+1) (4) (i+1) (4)
e) Set b = β and I = ι .
7.4.4 Next-state function Next
(i) (i) (i) (i)
INPUT: State variable S = (a , T , b , I ).
i
(i+1) (i+1) (i+1) (i+1)
OUTPUT: Next value of the state variable S = (a , T , b , I ).
i+1
Local variables:  counters j, k, buffers f , r, c,
k
(0) (4) (0) (4) (0) (4) (0) (4)
   state buffers α , ., α , τ , ., τ , β , ., β , ι , ., ι .
a) Update the state of the register A with the following steps:
(0) (i)
1) Set α =a .
2) For k = 0, 1, 2, 3:
(k) (k) (k)
i) Set f = α ⊕ F(α ) and r = L(α ).
k 1
(k+1) (k)
ii) For j = 0, 1, …,190 set α = α .
j j+1
(k+1)
iii) Set α = r.
191
(i+1) (4)
3) Set a = α .
(0) (i) (0) (i) (0) (i)
b) Set τ = T , β = b , ι = I -1.
(0) (0) (i)
c) For j = 0, 1, …, ι -1 , set β = b
j j+1
d) For k = 0, 1, 2, 3:
(0) (k+1) (k)
1) If ι = 0 , set τ = τ , output = TRUE and c = f , otherwise update the state of the compression
k
block with the following steps:
(k)
i) Set c = f ⊕ τ .
k 0
(k+1) (k)
ii) Set τ = ABSG(τ , f ).
k
(k+1)
iii) If τ = 0 , set output = TRUE , otherwise set output = FALSE.
0
(k+1) (k+1) (k) (k)
2) Update the state of the buffer by (β , ι ) = B(β , ι , output, c ).
(i+1) (4) (i+1) (4) (i+1) (4)
e) Set T = τ , b = β and I = ι .
8 © ISO/IEC 2009 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/IEC 18033-4:2005/Amd.1:2009(E)
(0)
NOTE 1 The condition ι = 0 in step 1) should never be satisfied; if it is, this means that the buffer has become empty
-80
during the keystream generation. This happens with probability less than 2 at every state update, see [3] for
details. Also, this probability is higher if the buffer is not full after the Init function, but, as mentioned in 7.4.2
(NOTE), this also happens with negligible probability.
NOTE 2 The InitNext function and the Next function share many computations steps. Indeed, the LFSR mode of the
InitNext function mainly consists of the LFSR update of the BUFF mode and of the Next function, the only
difference being that the Boolean function output is added to the feedback bit. The BUFF mode of the InitNext
function and the Next function differ only in that the buffer B is shifted only in the latter.
7.4.5 Keystream function Strm
(i) (i) (i) (i)
INPUT: State variable S = (a , T , b , I ).
i
OUTPUT: Keystream bit Z .
i
(i)
a) Set Z = b .
i 0
b) Output Z .
i
7.4.6 Linear feedback function L
INPUT: 192-bit tuple w = (w ,w ,…,w ).
0 1 191
OUTPUT: Bit q=L(w).
Set q=w ⊕ w ⊕ w ⊕ w ⊕ w ⊕ w ⊕ w ⊕ w ⊕ w ⊕ w ⊕ w ⊕ w ⊕ w ⊕ w .
0 3 4 23 36 37 60 61 98 115 146 175 176 187
7.4.7 Filtering function F
INPUT: 192-bit tuple w = (w ,w ,…,w ).
0 1 191
OUTPUT: Bit q=F(w).
Set q = Y((w ,w ,w ,w ,w ,w ,w ,w ,w ,w ,w ,w ,w )).
13 28 45 54 65 104 111 144 162 172 178 186 191
7.4.8 Boolean function Y
INPUT: 13-bit tuple w = (w ,w ,…,w ).
0 1 12
OUTPUT: Bit q=Y(w).
Set q = (⊕ w ) ⊕ (⊕ w w ).
0≤j≤12 j 0≤j NOTE Equivalently, q is given by q = 0 if X = 0 or X = 3, and q = 1 otherwise, with X = w + w +…+ w mod 4.
0 1 12
7.4.9 Compression function ABSG
INPUT: 3-bit state T, input bit c.
OUTPUT: 3-bit state T'=ABSG(T,c).
a) If T = 1, set T' =T , otherwise set T' = c.
0 1 1 1
b) Set T' = T AND (T ⊕ c).
2 0 1
c) Set T' = (T ⊕ 1) OR T' .
0 0 2
© ISO/IEC 2009 – All rights reserved 9

---------------------- Page: 12 ----------------------
ISO/IEC 18033-4:2005/Amd.1:2009(E)
7.4.10 Buffering function B
INPUT: 32-bit tuple b = (b ,b ,…, b ) , index I , Boolean output, input bit c.
0 1 31
'
OUTPUT: 32-bit tuple b = (b' , b' ,…, b' ) , index I'.
0 1 31
a) Set I' = I, b' = b.
b) If output = TRUE and I' < 32, do the following:
1) Set b' = c.
I'
2) Set I' = I' + 1.
c) Output B(b, I, output, c) = (b', I').


Page 38, after A.3.2.2
Insert the following new subclauses:
A.4 Examples for Rabbit
All test vectors for Rabbit are given in little-endian notation, i.e. for multi-byte numbers, the most significant
bytes are stored at the highest memory addresses.
A.4.1 Key, initialization vector and keystream triplets
K = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
IV= 00 00 00 00 00 00 00 00
Z = ED B7 05 67 37 5D CD 7C D8 95 54 F8 5E 27 A7 C6 8D 4A DC 70 32 29 8F 7B D4 EF F5 04 AC A6 29 5F
  66 8F BF 47 8A DB 2B E5 1E 6C DE 29 2B 82 DE 2A B4 8D 2A C6 56 59 79 22 0E C9 09 A7 E7 57 60 98

K = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
IV= 00 01 02 03 04 05 06 07
Z = 98 71 C7 BA 4E A3 08 07 CD AA 49 64 66 39 2D 2F 4A FF 43 55 EF 90 69 56 10 9B 96 65 97 8D AC ED
  9B 7C 6F 7F C8 2C 67 D2 73 22 CB DE 9D B0 16 45 8C 38 2C 9C 7D 30 44 E6 52 0B B9 2A 13 53 C0 FF

K = 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
IV= 00 00 00 00 00 00 00 00
Z = A8 F7 E6 9B 69 40 A7 8D 13 6A 5C 15 4A 15 79 52 A6 E4 23 58 59 E3 02 20 EA 68 64 36 BB 38 EF 53
  9C 29 40 55 6B 09 EC D7 FE A2 B0 AC 83 07 F1 69 62 65 A3 D6 44 28 1C 39 C9 CD 5E 1E 2F 9B E4 D0

K = 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
IV= 00 01 02 03 04 05 06 07
Z = F2 89 19 DD A1 28 F8 F9 0A 30 34 6E 97 94 D2 B7 4C 69 A2 D9 91 37 27 BC 5A 30 18 E6 33 2A F7 F3
  BE 3A C3 EF B3 68 F4 3A 4C B8 58 67 B8 1C 91 F9 24 29 0C 81 6B 8B 57 88 98 C5 7F B4 C0 BA 05 BD

A.4.2 Sample internal states
K = 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
IV= 00 01 02 03 04 05 06 07
Z = F2 89 19 DD A1 28 F8 F9 0A 30 34 6E 97 94 D2 B7 4C 69 A2 D9 91 37 27 BC 5A 30 18 E6 33 2A F7 F3
  BE 3A C3 EF B3 68 F4 3A 4C B8 58 67 B8 1C 91 F9 24 29 0C 81 6B 8B 57 88 98 C5 7F B4 C0 BA 05 BD
10 © ISO/IEC 2009 – All rights reserved

---------------------- Page: 13 ----------------------
ISO/IEC 18033-4:2005/Amd.1:2009(E)
After key expansion (Internal state S(-9))
x0:03020100 x1:0D0C0B0A x2:07060504 x3:01000F0E x4:0B0A0908 x5:05040302 x6:0F0E0D0C x7:09080706
c0:09080B0A c1:03020504 c2:0D0C0F0E c3:07060908 c4:01000302 c5:0B0A0D0C c6:05040706 c7:0F0E0100
carry:0

After key setup iteration 1 (Internal state S(-8))
x0:05783933 x1:162113C0 x2:B38F168E x3:F08A919E x4:7F2CDA94 x5:ACBEB878 x6:0D5257A9 x7:4FF46B46
c0:563CDE57 c1:D64F39D7 c2:41DF5C42 c3:543ADC55 c4:D44D37D5 c5:3FDD5A40 c6:5238DA53 c7:E25B35D3
carry:0

After key setup iteration 2 (Internal state S(-7))
x0:798C2CEC x1:CC05FFD4 x2:50D68324 x3:2C306745 x4:AD519559 x5:81595E7A x6:29A589E2 x7:15212B97
c0:A371B1A4 c1:A99C6EAA c2:76B2A977 c3:A16FAFA2 c4:A79A6CA8 c5:74B0A775 c6:9F6DADA0 c7:B5A86AA6
carry:1

After key setup iteration 3 (Internal state S(-6))
x0:CD328957 x1:66D5AB1F x2:0D115824 x3:FCCEB784 x4:12E900D7 x5:36A46997 x6:9F40C5BC x7:AB1C8A08
c0:F0A684F2 c1:7CE9A37D c2:AB85F6AC c3:EEA482EF c4:7AE7A17B c5:A983F4AA c6:ECA280ED c7:88F59F79
carry:1

After key setup iteration 4 (Internal state S(-5))
x0:A31515F8 x1:5DFD3AC6 x2:33CD6AD2 x3:4BD778E5 x4:89708269 x5:D93095C1 x6:5E495F60 x7:C197863A
c0:3DDB5840 c1:5036D851 c2:E05943E1 c3:3BD9563C c4:4E34D64F c5:DE5741DF c6:39D7543A c7:5C42D44D
carry:1

After counter modification / IV setup (Internal state S(-4))
x0:A31515F8 x1:5DFD3AC6 x2:33CD6AD2 x3:4BD778E5 x4:89708269 x5:D93095C1 x6:5E495F60 x7:C197863A
c0:B7A9DB29 c1:8E004E92 c2:B9161985 c3:FF4AD106 c4:EE23C2B7 c5:84AC781B c6:0D1C3BEC c7:1291ADA8
carry:1

After IV setup iteration 1 (Internal state S(-3))
x0:054A3F2F x1:BE444CDE x2:573425A4 x3:9347FAD1 x4:29036A2F x5:DD3C6B50 x6:12CC3803 x7:6F7847C0
c0:04DEAE77 c1:614D8366 c2:EDE966BA c3:4C7FA453 c4:C170F78B c5:B97FC550 c6:5A510F39 c7:E5DEE27B
carry:0

After IV setup iteration 2 (Internal state S(-2))
x0:0FDB9A3A x1:334807E8 x2:E66BCC98 x3:0FDA371C x4:9C3E3036 x5:7774E657 x6:C6FCBB4C x7:A8D1AC4F
c0:521381C4 c1:349AB839 c2:22BCB3EF c3:99B477A1 c4:94BE2C5E c5:EE531285 c6:A785E286 c7:B92C174E
carry:1

After IV setup iteration 3 (Internal state S(-1))
x0:1A2EF77E x1:FDEEE287 x2:A918F5A1 x3:D6414F76 x4:4848D473 x5:BCE9BD30 x6:3E524094 x7:16242C51
c0:9F485512 c1:07E7ED0C c2:57900124 c3:E6E94AEE c4:680B6131 c5:23265FBA c6:F4BAB5D4 c7:8C794C21
carry:1

After IV setup iteration 4 (Internal state S(0))
x0:987651C2 x1:FF5F0007 x2:5C48C79E x3:661B3E75 x4:49247B9A x5:3C7AA744 x6:4AEF3F40 x7:D117584E
c0:EC7D2860 c1:DB3521DF c2:8C634E58 c3:341E1E3B c4:3B589605 c5:57F9ACEF c6:41EF8921 c7:5FC680F5
carry:1

After keystream iteration 1 (Internal state S(1))
x0:2A158BE4 x1:D93EC5A4 x2:298B7C1B x3:01F4F70C x4:E241E934 x5:0216D073 x6:72769563 x7:54BA8C75
c0:39B1FBAE c1:AE8256B3 c2:C1369B8D c3:8152F188 c4:0EA5CAD8 c5:8CCCFA24 c6:8F245C6E c7:3313B5C8
carry:1
output F2 89 19 DD A1 28 F8 F9 0A 30 34 6E 97 94 D2 B7

After keystream iteration 2 (Internal state S(2))
x0:46EC0492 x1:A4B5D46E x2:7B374C9E x3:93249F4E x4:E93894EF x5:6DDEC710 x6:2799B917 x7:7B0F0F20
c0:86E6CEFC c1:81CF8B86 c2:F609E8C2 c3:CE87C4D5 c4:E1F2FFAB c5:C1A04758 c6:DC592FBB c7:0660EA9B
carry:1
© ISO/IEC 2009 – All rights reserved 11

---------------------- Page: 14 ----------------------
ISO/IEC 18033-4:2005/Amd.1:2009(E)
output 4C 69 A2 D9 91 37 27 BC 5A 30 18 E6 33 2A F7 F3

After keystream iteration 3 (Internal state S(3))
x0:98C27422 x1:0D5B5EC2 x2:FEEC9F8D x3:423F7701 x4:E22AB517 x5:4E9CC418 x6:A7535E87 x7:F73E8572
c0:D41BA24A c1:551CC059 c2:2ADD35F7 c3:1BBC9823 c4:B540347F c5:F673948D c6:298E0308 c7:D9AE1F6F
carry:0
output BE 3A C3 EF B3 68 F4 3A 4C B8 58 67 B8 1C 91 F9

After keystream iteration 4 (Internal state S(4))
x0:3B844C36 x1:AF5CD78B x2:2619A0AC x3:774FBA88 x4:D16C6AC4 x5:6512AE4E x6:6A8ECD8F x7:2BC76513
c0:21507597 c1:2869F52D c2:5FB0832C c3:68F16B70 c4:888D6952 c5:2B46E1C2 c6:76C2D656 c7:ACFB5442
carry:1
output 24 29 0C 81 6B 8B 57 88 98 C5 7F B4 C0 BA 05 BD
v2
A.5 Examples for Decim
The byte-values and binary decomposition of bytes follow the big-endian notation, i.e. for multi-byte numbers,
the most significant bytes are stored at the lowest memory addresses. In particular, this holds for the key, IV,
keystream, register and buffer byte- and binary values given below.
Thus, we write
K = K … K
79 0
IV= IV … IV
63 0
Z = Z … Z
n 0
a = a … a
191 0
b = b … b
31 0
T = T T T
2 1 0

and, for instance, given the key
K = de aa 00 40 00 30 00 0f 08 80,

we have
K …K ]=de, [K …K ]=aa … [K …K ]=80,
79 72 71 64 7 0

with bit-decomposition as follows:
K … K = 11011110 10101010 00000000 01000000 00000000
79 0
  00110000 00000000 00001111 00001000 10000000

A.5.1 Key, initialization vector and keystream triplets
K = 00 00 00 00 00 00 00 00 00 80
IV= 00 00 00 00 00 00 00 00
Z = 76 e3 89 be 1b fb ad d5 3c ce a0 fe 43 b8 c8 fb d3 92 b8 0b 52 94 60 f8

K = 00 00 00 00 00 00 00 00 00 00
IV= 00 00 00 00 00 00 00 80
Z = 4c ec bd b3 0e cd c9 c0 8b 41 8f 7f 28 ff 83 48 75 40 ff c5 cb 0a 33 da

K = 09 09 09 09 09 09 09 09 09 09
IV= 00 00 00 00 00 00 00 00
Z = 43 9b ba f8 a7 84 dc f9 e6 d2 90 1d 12 4d 43 09 22 33 f2 47 60 19 70 53

K = 09 08 07 06 05 04 03 02 01 00
IV= 00 00 00 00 00 00 00 00
Z = 52 b1 73 10 01 2a cd 3a d2 20 4f e2 b2 2a 5d 21 64 41 f6 3d d3 b4 43 6a

K = eb 98 45 f2 9f 4c f9 a6 53 00
IV= de 77 10 a9 42 db 74 0d
Z = 62 ff c9 cc 21 0e 07 ea 6e 50 f0 fb 1b 60 36 7f 88 a6 a5 27 9b 18 cb b8
12 © ISO/IEC 2009 – All rights reserved

---------------------- Page: 15 ----------------------
ISO/IEC 18033-4:2005/Amd.1:2009(E)
K = fa a7 54 01 ae 5b 08 b5 62 0f
IV= f9 92 2b c4 5d f6 8f 28
Z = f0 af 66 52 2a 23 8b 29 63 37 8b 18 ec 1f 4c a8 27 91 3d 2c f0 ad 94 d9

A.5.2 Sample internal states
We provide the binary equivalents of the internal states for key stages, namely at time -256, time -64, time 0
and time 193.
K = 00 00 00 00 00 00 00 00 00 80
IV= 00 00 00 00 00 00 00 00
Z = 76 e3 89 be 1b fb ad d5 3c ce a0 fe 43 b8 c8 fb d3 92 b8 0b 52 94 60 f8

For time -256 until -64 (executions of InitNext (S,LFSR)), internal
...