Independent Submission S. Kiyomoto Request for Comments: 7008 W. Shin Category: Informational KDDI R&D Laboratories, Inc. ISSN: 2070-1721 August 2013 A Description of the KCipher-2 Encryption Algorithm Abstract This document describes the KCipher-2 encryption algorithm. KCipher-2 is a stream cipher with a 128-bit key and a 128-bit initialization vector. Since the algorithm for KCipher-2 was published in 2007, security and efficiency have been rigorously evaluated through academic and industrial studies. As of the publication of this document, no security vulnerabilities have been found. KCipher-2 offers fast encryption and decryption by means of simple operations that enable efficient implementation. KCipher-2 has been used for industrial applications, especially for mobile health monitoring and diagnostic services in Japan. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7008. Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Kiyomoto & Shin Informational [Page 1] RFC 7008 A Description of KCipher-2 August 2013 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Algorithm Description . . . . . . . . . . . . . . . . . . . . 3 2.1. Notations . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2. Internal State . . . . . . . . . . . . . . . . . . . . . . 4 2.2.1. Feedback Shift Registers . . . . . . . . . . . . . . . 4 2.2.2. Internal Registers . . . . . . . . . . . . . . . . . . 5 2.3. Operations . . . . . . . . . . . . . . . . . . . . . . . . 5 2.3.1. next() . . . . . . . . . . . . . . . . . . . . . . . . 5 2.3.2. init() . . . . . . . . . . . . . . . . . . . . . . . . 7 2.3.3. stream() . . . . . . . . . . . . . . . . . . . . . . . 8 2.4. Subroutines . . . . . . . . . . . . . . . . . . . . . . . 9 2.4.1. NLF() . . . . . . . . . . . . . . . . . . . . . . . . 9 2.4.2. sub_K2() . . . . . . . . . . . . . . . . . . . . . . . 9 2.4.3. S_box() . . . . . . . . . . . . . . . . . . . . . . . 10 2.4.4. Multiplications in GF(2#32) . . . . . . . . . . . . . 11 2.5. Encryption and Decryption Scheme . . . . . . . . . . . . . 13 2.5.1. Key Stream Generation . . . . . . . . . . . . . . . . 13 2.5.2. Encryption and Decryption of a Message . . . . . . . . 14 3. Security Considerations . . . . . . . . . . . . . . . . . . . 14 4. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 4.1. Normative References . . . . . . . . . . . . . . . . . . . 14 4.2. Informative References . . . . . . . . . . . . . . . . . . 14 Appendix A. Tables for Multiplication in GF(2#32) . . . . . . . . 16 A.1. The table amul0 . . . . . . . . . . . . . . . . . . . . . 16 A.2. The table amul1 . . . . . . . . . . . . . . . . . . . . . 17 A.3. The table amul2 . . . . . . . . . . . . . . . . . . . . . 19 A.4. The table amul3 . . . . . . . . . . . . . . . . . . . . . 20 Appendix B. A Simple Implementation Example of KCipher-2 . . . . 22 B.1. Code Components I - Definitions and Declarations . . . . . 22 B.2. Code Components II - Functions . . . . . . . . . . . . . . 23 B.3. Use Case . . . . . . . . . . . . . . . . . . . . . . . . . 28 Appendix C. Test Vectors . . . . . . . . . . . . . . . . . . . . 28 C.1. Key Stream Generation Examples . . . . . . . . . . . . . . 28 C.2. Another Key Stream Generation with the State Values . . . 29 C.2.1. S after init(1) . . . . . . . . . . . . . . . . . . . 30 C.2.2. S after init(2) . . . . . . . . . . . . . . . . . . . 30 C.2.3. S after init(3) . . . . . . . . . . . . . . . . . . . 30 C.2.4. S after init(4) . . . . . . . . . . . . . . . . . . . 31 C.2.5. S after init(5) . . . . . . . . . . . . . . . . . . . 31 C.2.6. S after init(6) . . . . . . . . . . . . . . . . . . . 31 C.2.7. S after init(7) . . . . . . . . . . . . . . . . . . . 31 C.2.8. S after init(8) . . . . . . . . . . . . . . . . . . . 32 C.2.9. S after init(9) . . . . . . . . . . . . . . . . . . . 32 C.2.10. S after init(10) . . . . . . . . . . . . . . . . . . . 32 C.2.11. S after init(11) . . . . . . . . . . . . . . . . . . . 32 C.2.12. S after init(12) . . . . . . . . . . . . . . . . . . . 33 Kiyomoto & Shin Informational [Page 2] RFC 7008 A Description of KCipher-2 August 2013 C.2.13. S after init(13) . . . . . . . . . . . . . . . . . . . 33 C.2.14. S after init(14) . . . . . . . . . . . . . . . . . . . 33 C.2.15. S after init(15) . . . . . . . . . . . . . . . . . . . 33 C.2.16. S after init(16) . . . . . . . . . . . . . . . . . . . 34 C.2.17. S after init(17) . . . . . . . . . . . . . . . . . . . 34 C.2.18. S after init(18) . . . . . . . . . . . . . . . . . . . 34 C.2.19. S after init(19) . . . . . . . . . . . . . . . . . . . 34 C.2.20. S after init(20) . . . . . . . . . . . . . . . . . . . 35 C.2.21. S after init(21) . . . . . . . . . . . . . . . . . . . 35 C.2.22. S after init(22) . . . . . . . . . . . . . . . . . . . 35 C.2.23. S after init(23) . . . . . . . . . . . . . . . . . . . 35 C.2.24. S(0) after init(24) . . . . . . . . . . . . . . . . . 36 C.2.25. S(1) and the Key Stream at S(1) . . . . . . . . . . . 36 C.2.26. S(2) and the Key Stream at S(2) . . . . . . . . . . . 37 1. Introduction KCipher-2 is a stream cipher that uses a 128-bit secret key and a 128-bit initialization vector. Since the algorithm for KCipher-2 was published in 2007 [SASC07], it has been evaluated in academic and industrial studies. The security and performance of KCipher-2 have been rigorously evaluated by its developers and other institutions [SECRYPT07] [ICETE07] [CRYPTEC] [SIIS11]. As of the publication of this document, no attack on KCipher-2 has been successful. KCipher-2 can be efficiently implemented in software to provide fast encryption and decryption, owing to its uncomplicated design. Only four simple operations are used: exclusive-OR, addition, shift, and table lookup. When the algorithm is implemented in hardware, internal computations can be parallel to yield greater efficiency. Moreover, since its internal state representation only amounts to several hundred bits, KCipher-2 is suitable for resource-limited environments. KCipher-2 has been actively used in several industrial applications in Japan, has been published by an international standardization body (ISO/IEC 18033-4 [ISO18033]), and has been designated a Japanese e-Government recommended cipher [CRYPTECLIST]. 2. Algorithm Description In this section, we describe the internal components of KCipher-2 and define the operations for deriving key streams from an input key and an initialization vector. We illustrate the detailed operations, mostly in pseudocode format, but also provide code snippets written in the C language syntax when necessary. Kiyomoto & Shin Informational [Page 3] RFC 7008 A Description of KCipher-2 August 2013 2.1. Notations All values in this document are stored in big-endian order (aka network byte order). We use the following notations in the description of KCipher-2. ^ Bitwise exclusive-OR n#m mth power of n +n Integer addition modulo 2#n <<_r n n-bit left circular shift in an r-bit register 0x Hexadecimal representation E[i] The (i + 1)th element of E when E is composed of consecutive multiple elements GF Galois field. GF(n#m) means the finite field of exactly n#m elements ** Multiplication of elements on the finite field GF(2#32) NOTE: Many texts denote "the mth power of n" by "n^m", but we write it using '#', instead of '^', to avoid reader confusion with the power operator and the XOR operator of the C language syntax. 2.2. Internal State The internal state of KCipher-2 can be denoted by S. The internal state consists of six sub-components: two feedback shift registers, FSR-A and FSR-B, and four internal registers, L1, R1, L2, and R2. We, therefore, often write S = (A, B, L1, R1, L2, R2), where A and B refer to FSR-A and FSR-B, respectively. 2.2.1. Feedback Shift Registers The two feedback shift registers (FSRs) are separately called Feedback Shift Register A (FSR-A) and Feedback Shift Register B (FSR-B). FSR-A is composed of five 32-bit units that are consecutively arranged. Each unit can be identified by A[0], A[1], A[2], A[3], and A[4]. Likewise, FSR-B is composed of eleven consecutive 32-bit units, B[0], ..., B[10]. All values stored in each 32-bit unit of FSR is in GF(2#32). Kiyomoto & Shin Informational [Page 4] RFC 7008 A Description of KCipher-2 August 2013 2.2.2. Internal Registers Besides FSR, KCipher-2 has four internal registers to store intermediate computation results during operation. The four registers are named L1, R1, L2, and R2. 2.3. Operations Three major operations constitute the behavior of KCipher-2: init(), next(), and stream(). The init() operation initializes the internal values of the system. The next() operation derives new values of S' from the values of S, where S' and S refer to the internal state. The stream() operation derives a key stream from the current state S. 2.3.1. next() The next() operation takes the current state S = (A, B, L1, R1, L2, R2) as input. The size of the input amounts to twenty of the 32-bit units in total (five units for A, eleven for B, and one for L1, R1, L2, and R2). It produces the next state S' = (A', B', L1', R1', L2', R2'). This operation is mainly used to generate secure key streams by applying non-linear functions (NLFs) for every cycle of KCipher-2. Additionally, it is used to initialize the system. The behaviors are distinguished by the input parameter that indicates the operation modes. Inside the next() operation, the internal registers are updated by the result of the substitution function described in Section 2.4.2. The feedback shift registers are also updated by feedback functions. The feedback functions include the multiplication of register units and the fixed elements a0, a1, a2, and a3 in a finite field. The fixed elements a0, ..., a3 are carefully chosen to provide the maximum length of the feedback shift registers. The theory behind the selection of fixed elements and the way to simplify the necessary multiplications are briefly described in Section 2.4.4. The operation takes the following inputs: o S = (A, B, L1, R1, L2, R2) o mode = {INIT, NORMAL}, where INIT means the operation is used for initialization, and NORMAL means it is used for generating secure key streams. The operation outputs a new state, o S' = (A', B', L1', R1', L2', R2') Kiyomoto & Shin Informational [Page 5] RFC 7008 A Description of KCipher-2 August 2013 by performing the following steps: 1. Set registers in the nonlinear functions L1' = sub_K2(R2 +32 B[4]); R1' = sub_K2(L2 +32 B[9]); L2' = sub_K2(L1); R2' = sub_K2(R1); for m from 0 to 3 A'[m] = A[m + 1]; for m from 0 to 9 B'[m] = B[m + 1]; NOTE: sub_K2 is a substitution function described in Section 2.4.2. 2. Depending on the value of the operation mode, do the following: a. When the mode is NORMAL, A'[4] and B'[10] are computed as follows: A'[4] = (a0 ** A[0]) ^ A[3]; if A[2][30] is 1: if A[2][31] is 1: B'[10] = (a1 ** B[0]) ^ B[1] ^ B[6] ^ (a3 ** B[8]); else if A[2][31] is 0: B'[10] = (a1 ** B[0]) ^ B[1] ^ B[6] ^ B[8]; else if A[2][30] is 0: if A[2][31] is 1: B'[10] = (a2 ** B[0]) ^ B[1] ^ B[6] ^ (a3 ** B[8]); else if A[2][31] is 0: B'[10] = (a2 ** B[0]) ^ B[1] ^ B[6] ^ B[8]; b. When the mode is INIT, A'[4] and B'[10] are XOR-ed with the non-linear function output described in Section 2.4.1. A'[4] = (a0 ** A[0]) ^ A[3] ^ NLF(B[0], R2, R1, A[4]); if A[2][30] is 1: if A[2][31] is 1: B'[10] = (a1 ** B[0]) ^ B[1] ^ B[6] ^ (a3 ** B[8]) ^ NLF(B[10], L2, L1, A[0]); else if A[2][31] is 0: B'[10] = (a1 ** B[0]) ^ B[1] ^ B[6] ^ B[8] ^ NLF(B[10], L2, L1, A[0]); Kiyomoto & Shin Informational [Page 6] RFC 7008 A Description of KCipher-2 August 2013 else if A[2][30] is 0: if A[2][31] is 1: B'[10] = (a2 ** B[0]) ^ B[1] ^ B[6] ^ (a3 ** B[8]) ^ NLF(B[10], L2, L1, A[0]); else if A[2][31] is 0: B'[10] = (a2 ** B[0]) ^ B[1] ^ B[6] ^ B[8] ^ NLF(B[10], L2, L1, A[0]); 3. Output S' = (A', B', L1', R1', L2', R2'). Note that A[2] is a 32-bit unit. Thus, A[2][j] is the value of the jth least significant bit of A[2], where 0 <= j <= 31. The corresponding code snippets written in the C language syntax can be found in Section 2.4.4 and Appendix B. 2.3.2. init() The init() operation takes a 128-bit key (K) and a 128-bit initialization vector (IV) and prepares the values of the state variables for generating key streams. o K = (K[0], K[1], K[2], K[3]), where each K[i] is a 32-bit unit and 0 <= i <= 3 o IV =(IV[0], IV[1], IV[2], IV[3]), where each IV[i] is a 32-bit unit and 0 <= i <= 3, and the output is an initialized state S, which will be referenced as S(0). The output is derived from the following steps: 1. Expand K to the 384-bit internal key IK = (IK[0], ..., IK[11]), where IK[i] is a 32-bit unit and 0 <= i <= 11. The expansion procedure is as follows: for m from 0 to 11 if m is 0, 1, 2, or 3: IK[m] = K[m]; else if m is 5, 6, 7, 9, 10, or 11: IK[m] = IK[m - 4] ^ IK[m - 1]; else if m is 4: IK[4] = IK[0] ^ sub_K2(IK[3] <<_32 8) ^ (0x01, 0x00, 0x00, 0x00); else if m is 8: IK[8] = IK[4] ^ sub_K2(IK[7] <<_32 8) ^ (0x02, 0x00, 0x00, 0x00); Kiyomoto & Shin Informational [Page 7] RFC 7008 A Description of KCipher-2 August 2013 NOTE: sub_K2 is the substitution function described in Section 2.4.2. 2. Initialize the feedback shift registers and the internal registers using the values of IK and IV as follows: for m from 0 to 4 A[m] = IK[4 - m]; B[0] = IK[10]; B[1] = IK[11]; B[2] = IV[0]; B[3] = IV[1]; B[4] = IK[8]; B[5] = IK[9]; B[6] = IV[2]; B[7] = IV[3]; B[8] = IK[7]; B[9] = IK[5]; B[10] = IK[6]; L1 = R1 = L2 = R2 = 0x00000000; Set S as (A, B, L1, R1, L2, R2). 3. Prepare the state values by applying the next() operation 24 times as follows: for m from 1 to 24 Set S' as next(S, INIT); Set S as S'; 4. Output S. 2.3.3. stream() The stream() function derives a 64-bit key stream, Z, from the state values. Its input is an initialized state, o S = (A, B, L1, R1, L2, R2) and its output is Z = (ZH, ZL), where ZH and ZL are 32-bit units. stream() performs the following: 1. Set register values ZH = NLF(B[10], L2, L1, A[0]); ZL = NLF(B[0], R2, R1, A[4]); 2. Output Z = (ZH, ZL). NOTE: The function NLF is described in Section 2.4.1. Kiyomoto & Shin Informational [Page 8] RFC 7008 A Description of KCipher-2 August 2013 2.4. Subroutines We explain the functions used above: sub_K2(), NLF(), and S_box(). 2.4.1. NLF() NLF() is a non-linear function that takes the four 32-bit values, A, B, C, D, and outputs the 32-bit value, Q. The output Q is calculated as follows. Q = (A +32 B) ^ C ^ D; 2.4.2. sub_K2() sub_K2() is a substitution function that is a permutation of GF(2#32), based on components from the Advanced Encryption Standard (AES) [FIPS-AES]. Its input is a 32-bit value divided into four 8-bit strings. Inside sub_K2(), an 8-to-8-bit substitution function, S_box(), is applied to each 8-bit string separately, and then a 32- to-32-bit linear permutation is applied to the whole 32-bit string. Our S_box() function is identical to the S-Box operation of AES, and our linear permutation is identical to the AES Mix Column operation. Consider the input of sub_K2 as a 32-bit value W = (w[3], w[2], w[1], w[0]), where each subelement of w is an 8-bit unit. Prepare two 32-bit temporary storages, T = (t[3], t[2], t[1], t[0]) and Q = (q[3], q[2], q[1], q[0]), where t[i] and q[i] are 8-bit units and 0 <= i <= 3. The 32-bit output Q is obtained from the following procedures: 1. Apply S_box() to each 8-bit input string. Note that S_box() is defined in Section 2.4.3. for m from 0 to 3 t[m] = S_box(w[m]); 2. Calculate q by the matrix multiplication, Q = M * T in GF(2#8) of the irreducible polynomial f(x) = x#8 + x#4 + x#3 + x + 1, where o Q is a 1x4 matrix, (q[0], q[1], q[2], q[3)) o M is a 4x4 matrix, (02, 03, 01, 01, 01, 02, 03, 01, 01, 01, 02, 03, 03, 01, 01, 02) Kiyomoto & Shin Informational [Page 9] RFC 7008 A Description of KCipher-2 August 2013 o T is a 1x4 matrix, (t[0], t[1], t[2], t[3]). Namely, the procedure that calculates (q[3], q[2], q[1], q[0]) can be written in the C language syntax as: q[0] = GF_mult_by_2(t[0]) ^ GF_mult_by_3(t[1]) ^ t[2] ^ t[3]; q[1] = t[0] ^ GF_mult_by_2(t[1]) ^ GF_mult_by_3(t[2]) ^ t[3]; q[2] = t[0] ^ t[1] ^ GF_mult_by_2(t[2]) ^ GF_mult_by_3(t[3]); q[3] = GF_mult_by_3(t[0]) ^ t[1] ^ t[2] ^ GF_mult_by_2(t[3]); where GF_mult_by_2 and GF_mult_by_3 are multiplication functions in GF(2#8), defined as follows: o The function GF_mult_by_2(t) multiplies 2 by the given 8-bit value t in GF(2#8) and returns an 8-bit value q as follows (lq is a temporary 32-bit variable): lq = t << 1; if ((lq & 0x100) != 0) lq ^= 0x011B; q = lq ^ 0xFF; o The function GF_mult_by_3(t) multiplies 3 by the given 8-bit value t in GF(2#8) and returns an 8-bit value q as follows (lq is a temporary 32-bit variable): lq = (t << 1) ^ t; if ((lq & 0x100) != 0) lq ^= 0x011B; q = lq ^ 0xFF; 3. Output Q = (q[3], q[2], q[1], q[0]). 2.4.3. S_box() S_box() is a substitution that can be done by a simple table lookup operation. Thus, S_box() can be defined by the following value table: S_box[256] = { 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, Kiyomoto & Shin Informational [Page 10] RFC 7008 A Description of KCipher-2 August 2013 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 }; 2.4.4. Multiplications in GF(2#32) FSR-A and FSR-B are word-oriented linear feedback shift registers (LFSRs). In the next() operation of Section 2.3.1, the feedback functions to the two LFSRs are shown, which include multiplication of fixed elements a0, a1, a2, or a3 in GF(2#32). The fixed elements are carefully chosen to maximize the period of the key stream generated by the two registers. Here, we briefly explain how we obtain the fixed elements. Further details and theories can be found in [SECRYPT07]. We obtain a0 as follows. First, to guarantee that the period is maximized for an 8-bit unit, we consider p as the root of the primitive polynomial: x#8 + x#7 + x#6, + x + 1 in GF(2). Therefore, an 8-bit string y = (y7, ..., y0), where y7 is the most significant bit, can be written as: y = y7(p#7) + y6(p#6) + ... + y1(p) + y0 Next, a0 is the root of irreducible polynomial of degree four: x#4 + p#24(x#3) + p#3(x#2) + p#12(x) + p#71 in GF(2#8). Kiyomoto & Shin Informational [Page 11] RFC 7008 A Description of KCipher-2 August 2013 Then, hierarchically, a 32-bit unit Y = (Y3, Y2, Y1, Y0), where Y3 is the most significant byte, can be written as: Y3(a0#3) + Y2(a0#2) + Y1(a0) + Y0 The feedback polynomial to FSR-A, f(x) = a0(x#5) + x#2 + 1 produces the maximum-length period of the key stream with a0. Similarly, a1, a2, and a3 are the roots of irreducible polynomials of degree four of x#4 + q#230(x#3) + q#156(x#2) + q#93(x) + q#29 in GF(2#8) x#4 + r#34(x#3) + r#16(x#2) + r#199(x) + r#248 in GF(2#8) x#4 + s#157(x#3) + s#253(x#2) + s#56(x) + s#16 in GF(2#8) respectively. The feedback polynomial to FSR-B that uses a1, a2, and a3 can produce the maximum-length period. The feedback polynomials to FSR-A and FSR-B are as written in Step 2 of the next() operation, and the mathematical notations of these polynomials can also be found in [SECRYPT07]. Calculation of the original feedback polynomials might be time- consuming because it includes multiplications in finite fields. However, these multiplications can be done faster if the multiples of a0, ..., a3 were already calculated for all possible inputs. The tables of amul0, ..., amul3 in Appendix A provide such pre- calculation results. As shown in Step 2 of next(), we can utilize these tables to finish the necessary calculations efficiently. For example, consider the input as a 32-bit value w, which represents an element of GF(2#32). The 32-bit output string w' = a0 ** w can be obtained using the amul0 table in Appendix A.1 as follows: w' = (w << 8) ^ amul0[w >> 24]; Likewise, multiplications of (a1 ** w), (a2 ** w), and (a3 ** w) can be obtained in the same way, simply by using the amul1, amul2, and amul3 tables that we provide in Appendixes A.2, A.3, and A.4. Eventually, Step 2 of the next() operation, which updates A'[4] and B'[10], can be written in the C language syntax as follows. Note that nA[4] and nB[10] correspond to A'[4] and B'[10], respectively, and temp1 and temp2 are 32-bit variables. Kiyomoto & Shin Informational [Page 12] RFC 7008 A Description of KCipher-2 August 2013 nA[4] = ((A[0] << 8) ^ amul0[(A[0] >> 24)]) ^ A[3]; if (mode == INIT) nA[4] ^= NLF(B[0], R2, R1, A[4]); if (A[2] & 0x40000000) { temp1 = (B[0] << 8) ^ amul1[(B[0] >> 24)]; } else { temp1 = (B[0] << 8) ^ amul2[(B[0] >> 24)]; } if (A[2] & 0x80000000) { temp2 = (B[8] << 8) ^ amul3[(B[8] >> 24)]; } else { temp2 = B[8]; } nB[10] = temp1 ^ B[1] ^ B[6] ^ temp2; if (mode == INIT) nB[10] ^= NLF(B[10], L2, L1, A[0]); 2.5. Encryption and Decryption Scheme In this section, we use the notation S(i) to specifically reference the values of the internal state at i (where i >= 0), which is an arbitrary, discrete temporal moment (aka cycle) after the initialization. 2.5.1. Key Stream Generation Given a 128-bit key K, a 128-bit initialization vector (IV), KCipher-2 is initialized as follows: S(0) = init(K, IV); where S(0) is a state representation. With an initialized state S(i), where i >= 0, a 64-bit key stream X(i) can be obtained using the stream() operation, as follows: X(i) = stream(S(i)); To generate a new key stream X(i + 1), use the next() operation and the stream() operation as follows: S(i + 1) = next(S(i), NORMAL); X(i + 1) = stream(S(i + 1)); Kiyomoto & Shin Informational [Page 13] RFC 7008 A Description of KCipher-2 August 2013 2.5.2. Encryption and Decryption of a Message Given a 64-bit message block M and a key stream X, an encrypted message E is obtained by E = M ^ X; Conversely, the decrypted message D is obtained by D = E ^ X; The original message M and the decrypted message D are identical when the same key stream is used. 3. Security Considerations We recommend reinitializing and rekeying after 2#58 cycles of KCipher-2, which means after generating 2#64 key stream bits. It is important to make sure that no IV is ever reused under the same key. 4. References 4.1. Normative References [ISO18033] "Information technology -- Security techniques -- Encryption algorithms -- Part 4: Stream ciphers", ISO/ IEC 18033-4:2012 Ed. 2, December 2012. [FIPS-AES] National Institute of Standards and Technology, "Advanced Encryption Standard (AES)", FIPS PUB 197, November 2001, . 4.2. Informative References [SECRYPT07] Kiyomoto, S., Tanaka, T., and K. Sakurai, "K2: A Stream Cipher Algorithm Using Dynamic Feedback Control", Proc. SECRYPT 2007, pp. 204-213. [ICETE07] Kiyomoto, S., Tanaka, T., and K. Sakurai, "K2 Stream Cipher", Proc. ICETE 2007, pp. 214-226. [CRYPTEC] Bogdanov, A., Preneel, B., and V. Rijmen, "Security Evaluation of the K2 Stream Cipher", 2010, . [CRYPTECLIST] "Cryptography Research and Evaluation Committees", . Kiyomoto & Shin Informational [Page 14] RFC 7008 A Description of KCipher-2 August 2013 [SIIS11] Priemuth-Schmid, D., "Attacks on Simplified Versions of K2", Proc. SIIS 2011, LNCS 7053, pp. 117-127. [SASC07] Kiyomoto, S., Tanaka, T., and K. Sakurai, "A Word- Oriented Stream Cipher Using Clock Control", Proc. SASC 2007, pp. 260-274. Kiyomoto & Shin Informational [Page 15] RFC 7008 A Description of KCipher-2 August 2013 Appendix A. Tables for Multiplication in GF(2#32) A.1. The table amul0 amul0[256] = { 0x00000000,0xB6086D1A,0xAF10DA34,0x1918B72E, 0x9D207768,0x2B281A72,0x3230AD5C,0x8438C046, 0xF940EED0,0x4F4883CA,0x565034E4,0xE05859FE, 0x646099B8,0xD268F4A2,0xCB70438C,0x7D782E96, 0x31801F63,0x87887279,0x9E90C557,0x2898A84D, 0xACA0680B,0x1AA80511,0x03B0B23F,0xB5B8DF25, 0xC8C0F1B3,0x7EC89CA9,0x67D02B87,0xD1D8469D, 0x55E086DB,0xE3E8EBC1,0xFAF05CEF,0x4CF831F5, 0x62C33EC6,0xD4CB53DC,0xCDD3E4F2,0x7BDB89E8, 0xFFE349AE,0x49EB24B4,0x50F3939A,0xE6FBFE80, 0x9B83D016,0x2D8BBD0C,0x34930A22,0x829B6738, 0x06A3A77E,0xB0ABCA64,0xA9B37D4A,0x1FBB1050, 0x534321A5,0xE54B4CBF,0xFC53FB91,0x4A5B968B, 0xCE6356CD,0x786B3BD7,0x61738CF9,0xD77BE1E3, 0xAA03CF75,0x1C0BA26F,0x05131541,0xB31B785B, 0x3723B81D,0x812BD507,0x98336229,0x2E3B0F33, 0xC4457C4F,0x724D1155,0x6B55A67B,0xDD5DCB61, 0x59650B27,0xEF6D663D,0xF675D113,0x407DBC09, 0x3D05929F,0x8B0DFF85,0x921548AB,0x241D25B1, 0xA025E5F7,0x162D88ED,0x0F353FC3,0xB93D52D9, 0xF5C5632C,0x43CD0E36,0x5AD5B918,0xECDDD402, 0x68E51444,0xDEED795E,0xC7F5CE70,0x71FDA36A, 0x0C858DFC,0xBA8DE0E6,0xA39557C8,0x159D3AD2, 0x91A5FA94,0x27AD978E,0x3EB520A0,0x88BD4DBA, 0xA6864289,0x108E2F93,0x099698BD,0xBF9EF5A7, 0x3BA635E1,0x8DAE58FB,0x94B6EFD5,0x22BE82CF, 0x5FC6AC59,0xE9CEC143,0xF0D6766D,0x46DE1B77, 0xC2E6DB31,0x74EEB62B,0x6DF60105,0xDBFE6C1F, 0x97065DEA,0x210E30F0,0x381687DE,0x8E1EEAC4, 0x0A262A82,0xBC2E4798,0xA536F0B6,0x133E9DAC, 0x6E46B33A,0xD84EDE20,0xC156690E,0x775E0414, 0xF366C452,0x456EA948,0x5C761E66,0xEA7E737C, 0x4B8AF89E,0xFD829584,0xE49A22AA,0x52924FB0, 0xD6AA8FF6,0x60A2E2EC,0x79BA55C2,0xCFB238D8, 0xB2CA164E,0x04C27B54,0x1DDACC7A,0xABD2A160, 0x2FEA6126,0x99E20C3C,0x80FABB12,0x36F2D608, 0x7A0AE7FD,0xCC028AE7,0xD51A3DC9,0x631250D3, 0xE72A9095,0x5122FD8F,0x483A4AA1,0xFE3227BB, 0x834A092D,0x35426437,0x2C5AD319,0x9A52BE03, 0x1E6A7E45,0xA862135F,0xB17AA471,0x0772C96B, 0x2949C658,0x9F41AB42,0x86591C6C,0x30517176, 0xB469B130,0x0261DC2A,0x1B796B04,0xAD71061E, 0xD0092888,0x66014592,0x7F19F2BC,0xC9119FA6, Kiyomoto & Shin Informational [Page 16] RFC 7008 A Description of KCipher-2 August 2013 0x4D295FE0,0xFB2132FA,0xE23985D4,0x5431E8CE, 0x18C9D93B,0xAEC1B421,0xB7D9030F,0x01D16E15, 0x85E9AE53,0x33E1C349,0x2AF97467,0x9CF1197D, 0xE18937EB,0x57815AF1,0x4E99EDDF,0xF89180C5, 0x7CA94083,0xCAA12D99,0xD3B99AB7,0x65B1F7AD, 0x8FCF84D1,0x39C7E9CB,0x20DF5EE5,0x96D733FF, 0x12EFF3B9,0xA4E79EA3,0xBDFF298D,0x0BF74497, 0x768F6A01,0xC087071B,0xD99FB035,0x6F97DD2F, 0xEBAF1D69,0x5DA77073,0x44BFC75D,0xF2B7AA47, 0xBE4F9BB2,0x0847F6A8,0x115F4186,0xA7572C9C, 0x236FECDA,0x956781C0,0x8C7F36EE,0x3A775BF4, 0x470F7562,0xF1071878,0xE81FAF56,0x5E17C24C, 0xDA2F020A,0x6C276F10,0x753FD83E,0xC337B524, 0xED0CBA17,0x5B04D70D,0x421C6023,0xF4140D39, 0x702CCD7F,0xC624A065,0xDF3C174B,0x69347A51, 0x144C54C7,0xA24439DD,0xBB5C8EF3,0x0D54E3E9, 0x896C23AF,0x3F644EB5,0x267CF99B,0x90749481, 0xDC8CA574,0x6A84C86E,0x739C7F40,0xC594125A, 0x41ACD21C,0xF7A4BF06,0xEEBC0828,0x58B46532, 0x25CC4BA4,0x93C426BE,0x8ADC9190,0x3CD4FC8A, 0xB8EC3CCC,0x0EE451D6,0x17FCE6F8,0xA1F48BE2 }; A.2. The table amul1 amul1[256] = { 0x00000000,0xA0F5FC2E,0x6DC7D55C,0xCD322972, 0xDAA387B8,0x7A567B96,0xB76452E4,0x1791AECA, 0x996B235D,0x399EDF73,0xF4ACF601,0x54590A2F, 0x43C8A4E5,0xE33D58CB,0x2E0F71B9,0x8EFA8D97, 0x1FD646BA,0xBF23BA94,0x721193E6,0xD2E46FC8, 0xC575C102,0x65803D2C,0xA8B2145E,0x0847E870, 0x86BD65E7,0x264899C9,0xEB7AB0BB,0x4B8F4C95, 0x5C1EE25F,0xFCEB1E71,0x31D93703,0x912CCB2D, 0x3E818C59,0x9E747077,0x53465905,0xF3B3A52B, 0xE4220BE1,0x44D7F7CF,0x89E5DEBD,0x29102293, 0xA7EAAF04,0x071F532A,0xCA2D7A58,0x6AD88676, 0x7D4928BC,0xDDBCD492,0x108EFDE0,0xB07B01CE, 0x2157CAE3,0x81A236CD,0x4C901FBF,0xEC65E391, 0xFBF44D5B,0x5B01B175,0x96339807,0x36C66429, 0xB83CE9BE,0x18C91590,0xD5FB3CE2,0x750EC0CC, 0x629F6E06,0xC26A9228,0x0F58BB5A,0xAFAD4774, 0x7C2F35B2,0xDCDAC99C,0x11E8E0EE,0xB11D1CC0, 0xA68CB20A,0x06794E24,0xCB4B6756,0x6BBE9B78, 0xE54416EF,0x45B1EAC1,0x8883C3B3,0x28763F9D, 0x3FE79157,0x9F126D79,0x5220440B,0xF2D5B825, 0x63F97308,0xC30C8F26,0x0E3EA654,0xAECB5A7A, 0xB95AF4B0,0x19AF089E,0xD49D21EC,0x7468DDC2, 0xFA925055,0x5A67AC7B,0x97558509,0x37A07927, Kiyomoto & Shin Informational [Page 17] RFC 7008 A Description of KCipher-2 August 2013 0x2031D7ED,0x80C42BC3,0x4DF602B1,0xED03FE9F, 0x42AEB9EB,0xE25B45C5,0x2F696CB7,0x8F9C9099, 0x980D3E53,0x38F8C27D,0xF5CAEB0F,0x553F1721, 0xDBC59AB6,0x7B306698,0xB6024FEA,0x16F7B3C4, 0x01661D0E,0xA193E120,0x6CA1C852,0xCC54347C, 0x5D78FF51,0xFD8D037F,0x30BF2A0D,0x904AD623, 0x87DB78E9,0x272E84C7,0xEA1CADB5,0x4AE9519B, 0xC413DC0C,0x64E62022,0xA9D40950,0x0921F57E, 0x1EB05BB4,0xBE45A79A,0x73778EE8,0xD38272C6, 0xF85E6A49,0x58AB9667,0x9599BF15,0x356C433B, 0x22FDEDF1,0x820811DF,0x4F3A38AD,0xEFCFC483, 0x61354914,0xC1C0B53A,0x0CF29C48,0xAC076066, 0xBB96CEAC,0x1B633282,0xD6511BF0,0x76A4E7DE, 0xE7882CF3,0x477DD0DD,0x8A4FF9AF,0x2ABA0581, 0x3D2BAB4B,0x9DDE5765,0x50EC7E17,0xF0198239, 0x7EE30FAE,0xDE16F380,0x1324DAF2,0xB3D126DC, 0xA4408816,0x04B57438,0xC9875D4A,0x6972A164, 0xC6DFE610,0x662A1A3E,0xAB18334C,0x0BEDCF62, 0x1C7C61A8,0xBC899D86,0x71BBB4F4,0xD14E48DA, 0x5FB4C54D,0xFF413963,0x32731011,0x9286EC3F, 0x851742F5,0x25E2BEDB,0xE8D097A9,0x48256B87, 0xD909A0AA,0x79FC5C84,0xB4CE75F6,0x143B89D8, 0x03AA2712,0xA35FDB3C,0x6E6DF24E,0xCE980E60, 0x406283F7,0xE0977FD9,0x2DA556AB,0x8D50AA85, 0x9AC1044F,0x3A34F861,0xF706D113,0x57F32D3D, 0x84715FFB,0x2484A3D5,0xE9B68AA7,0x49437689, 0x5ED2D843,0xFE27246D,0x33150D1F,0x93E0F131, 0x1D1A7CA6,0xBDEF8088,0x70DDA9FA,0xD02855D4, 0xC7B9FB1E,0x674C0730,0xAA7E2E42,0x0A8BD26C, 0x9BA71941,0x3B52E56F,0xF660CC1D,0x56953033, 0x41049EF9,0xE1F162D7,0x2CC34BA5,0x8C36B78B, 0x02CC3A1C,0xA239C632,0x6F0BEF40,0xCFFE136E, 0xD86FBDA4,0x789A418A,0xB5A868F8,0x155D94D6, 0xBAF0D3A2,0x1A052F8C,0xD73706FE,0x77C2FAD0, 0x6053541A,0xC0A6A834,0x0D948146,0xAD617D68, 0x239BF0FF,0x836E0CD1,0x4E5C25A3,0xEEA9D98D, 0xF9387747,0x59CD8B69,0x94FFA21B,0x340A5E35, 0xA5269518,0x05D36936,0xC8E14044,0x6814BC6A, 0x7F8512A0,0xDF70EE8E,0x1242C7FC,0xB2B73BD2, 0x3C4DB645,0x9CB84A6B,0x518A6319,0xF17F9F37, 0xE6EE31FD,0x461BCDD3,0x8B29E4A1,0x2BDC188F }; Kiyomoto & Shin Informational [Page 18] RFC 7008 A Description of KCipher-2 August 2013 A.3. The table amul2 amul2[256] = { 0x00000000,0x5BF87F93,0xB6BDFE6B,0xED4581F8, 0x2137B1D6,0x7ACFCE45,0x978A4FBD,0xCC72302E, 0x426E2FE1,0x19965072,0xF4D3D18A,0xAF2BAE19, 0x63599E37,0x38A1E1A4,0xD5E4605C,0x8E1C1FCF, 0x84DC5E8F,0xDF24211C,0x3261A0E4,0x6999DF77, 0xA5EBEF59,0xFE1390CA,0x13561132,0x48AE6EA1, 0xC6B2716E,0x9D4A0EFD,0x700F8F05,0x2BF7F096, 0xE785C0B8,0xBC7DBF2B,0x51383ED3,0x0AC04140, 0x45F5BC53,0x1E0DC3C0,0xF3484238,0xA8B03DAB, 0x64C20D85,0x3F3A7216,0xD27FF3EE,0x89878C7D, 0x079B93B2,0x5C63EC21,0xB1266DD9,0xEADE124A, 0x26AC2264,0x7D545DF7,0x9011DC0F,0xCBE9A39C, 0xC129E2DC,0x9AD19D4F,0x77941CB7,0x2C6C6324, 0xE01E530A,0xBBE62C99,0x56A3AD61,0x0D5BD2F2, 0x8347CD3D,0xD8BFB2AE,0x35FA3356,0x6E024CC5, 0xA2707CEB,0xF9880378,0x14CD8280,0x4F35FD13, 0x8AA735A6,0xD15F4A35,0x3C1ACBCD,0x67E2B45E, 0xAB908470,0xF068FBE3,0x1D2D7A1B,0x46D50588, 0xC8C91A47,0x933165D4,0x7E74E42C,0x258C9BBF, 0xE9FEAB91,0xB206D402,0x5F4355FA,0x04BB2A69, 0x0E7B6B29,0x558314BA,0xB8C69542,0xE33EEAD1, 0x2F4CDAFF,0x74B4A56C,0x99F12494,0xC2095B07, 0x4C1544C8,0x17ED3B5B,0xFAA8BAA3,0xA150C530, 0x6D22F51E,0x36DA8A8D,0xDB9F0B75,0x806774E6, 0xCF5289F5,0x94AAF666,0x79EF779E,0x2217080D, 0xEE653823,0xB59D47B0,0x58D8C648,0x0320B9DB, 0x8D3CA614,0xD6C4D987,0x3B81587F,0x607927EC, 0xAC0B17C2,0xF7F36851,0x1AB6E9A9,0x414E963A, 0x4B8ED77A,0x1076A8E9,0xFD332911,0xA6CB5682, 0x6AB966AC,0x3141193F,0xDC0498C7,0x87FCE754, 0x09E0F89B,0x52188708,0xBF5D06F0,0xE4A57963, 0x28D7494D,0x732F36DE,0x9E6AB726,0xC592C8B5, 0x59036A01,0x02FB1592,0xEFBE946A,0xB446EBF9, 0x7834DBD7,0x23CCA444,0xCE8925BC,0x95715A2F, 0x1B6D45E0,0x40953A73,0xADD0BB8B,0xF628C418, 0x3A5AF436,0x61A28BA5,0x8CE70A5D,0xD71F75CE, 0xDDDF348E,0x86274B1D,0x6B62CAE5,0x309AB576, 0xFCE88558,0xA710FACB,0x4A557B33,0x11AD04A0, 0x9FB11B6F,0xC44964FC,0x290CE504,0x72F49A97, 0xBE86AAB9,0xE57ED52A,0x083B54D2,0x53C32B41, 0x1CF6D652,0x470EA9C1,0xAA4B2839,0xF1B357AA, 0x3DC16784,0x66391817,0x8B7C99EF,0xD084E67C, 0x5E98F9B3,0x05608620,0xE82507D8,0xB3DD784B, 0x7FAF4865,0x245737F6,0xC912B60E,0x92EAC99D, 0x982A88DD,0xC3D2F74E,0x2E9776B6,0x756F0925, Kiyomoto & Shin Informational [Page 19] RFC 7008 A Description of KCipher-2 August 2013 0xB91D390B,0xE2E54698,0x0FA0C760,0x5458B8F3, 0xDA44A73C,0x81BCD8AF,0x6CF95957,0x370126C4, 0xFB7316EA,0xA08B6979,0x4DCEE881,0x16369712, 0xD3A45FA7,0x885C2034,0x6519A1CC,0x3EE1DE5F, 0xF293EE71,0xA96B91E2,0x442E101A,0x1FD66F89, 0x91CA7046,0xCA320FD5,0x27778E2D,0x7C8FF1BE, 0xB0FDC190,0xEB05BE03,0x06403FFB,0x5DB84068, 0x57780128,0x0C807EBB,0xE1C5FF43,0xBA3D80D0, 0x764FB0FE,0x2DB7CF6D,0xC0F24E95,0x9B0A3106, 0x15162EC9,0x4EEE515A,0xA3ABD0A2,0xF853AF31, 0x34219F1F,0x6FD9E08C,0x829C6174,0xD9641EE7, 0x9651E3F4,0xCDA99C67,0x20EC1D9F,0x7B14620C, 0xB7665222,0xEC9E2DB1,0x01DBAC49,0x5A23D3DA, 0xD43FCC15,0x8FC7B386,0x6282327E,0x397A4DED, 0xF5087DC3,0xAEF00250,0x43B583A8,0x184DFC3B, 0x128DBD7B,0x4975C2E8,0xA4304310,0xFFC83C83, 0x33BA0CAD,0x6842733E,0x8507F2C6,0xDEFF8D55, 0x50E3929A,0x0B1BED09,0xE65E6CF1,0xBDA61362, 0x71D4234C,0x2A2C5CDF,0xC769DD27,0x9C91A2B4 }; A.4. The table amul3 amul3[256] = { 0x00000000,0x4559568B,0x8AB2AC73,0xCFEBFAF8, 0x71013DE6,0x34586B6D,0xFBB39195,0xBEEAC71E, 0xE2027AA9,0xA75B2C22,0x68B0D6DA,0x2DE98051, 0x9303474F,0xD65A11C4,0x19B1EB3C,0x5CE8BDB7, 0xA104F437,0xE45DA2BC,0x2BB65844,0x6EEF0ECF, 0xD005C9D1,0x955C9F5A,0x5AB765A2,0x1FEE3329, 0x43068E9E,0x065FD815,0xC9B422ED,0x8CED7466, 0x3207B378,0x775EE5F3,0xB8B51F0B,0xFDEC4980, 0x27088D6E,0x6251DBE5,0xADBA211D,0xE8E37796, 0x5609B088,0x1350E603,0xDCBB1CFB,0x99E24A70, 0xC50AF7C7,0x8053A14C,0x4FB85BB4,0x0AE10D3F, 0xB40BCA21,0xF1529CAA,0x3EB96652,0x7BE030D9, 0x860C7959,0xC3552FD2,0x0CBED52A,0x49E783A1, 0xF70D44BF,0xB2541234,0x7DBFE8CC,0x38E6BE47, 0x640E03F0,0x2157557B,0xEEBCAF83,0xABE5F908, 0x150F3E16,0x5056689D,0x9FBD9265,0xDAE4C4EE, 0x4E107FDC,0x0B492957,0xC4A2D3AF,0x81FB8524, 0x3F11423A,0x7A4814B1,0xB5A3EE49,0xF0FAB8C2, 0xAC120575,0xE94B53FE,0x26A0A906,0x63F9FF8D, 0xDD133893,0x984A6E18,0x57A194E0,0x12F8C26B, 0xEF148BEB,0xAA4DDD60,0x65A62798,0x20FF7113, 0x9E15B60D,0xDB4CE086,0x14A71A7E,0x51FE4CF5, 0x0D16F142,0x484FA7C9,0x87A45D31,0xC2FD0BBA, 0x7C17CCA4,0x394E9A2F,0xF6A560D7,0xB3FC365C, 0x6918F2B2,0x2C41A439,0xE3AA5EC1,0xA6F3084A, Kiyomoto & Shin Informational [Page 20] RFC 7008 A Description of KCipher-2 August 2013 0x1819CF54,0x5D4099DF,0x92AB6327,0xD7F235AC, 0x8B1A881B,0xCE43DE90,0x01A82468,0x44F172E3, 0xFA1BB5FD,0xBF42E376,0x70A9198E,0x35F04F05, 0xC81C0685,0x8D45500E,0x42AEAAF6,0x07F7FC7D, 0xB91D3B63,0xFC446DE8,0x33AF9710,0x76F6C19B, 0x2A1E7C2C,0x6F472AA7,0xA0ACD05F,0xE5F586D4, 0x5B1F41CA,0x1E461741,0xD1ADEDB9,0x94F4BB32, 0x9C20FEDD,0xD979A856,0x169252AE,0x53CB0425, 0xED21C33B,0xA87895B0,0x67936F48,0x22CA39C3, 0x7E228474,0x3B7BD2FF,0xF4902807,0xB1C97E8C, 0x0F23B992,0x4A7AEF19,0x859115E1,0xC0C8436A, 0x3D240AEA,0x787D5C61,0xB796A699,0xF2CFF012, 0x4C25370C,0x097C6187,0xC6979B7F,0x83CECDF4, 0xDF267043,0x9A7F26C8,0x5594DC30,0x10CD8ABB, 0xAE274DA5,0xEB7E1B2E,0x2495E1D6,0x61CCB75D, 0xBB2873B3,0xFE712538,0x319ADFC0,0x74C3894B, 0xCA294E55,0x8F7018DE,0x409BE226,0x05C2B4AD, 0x592A091A,0x1C735F91,0xD398A569,0x96C1F3E2, 0x282B34FC,0x6D726277,0xA299988F,0xE7C0CE04, 0x1A2C8784,0x5F75D10F,0x909E2BF7,0xD5C77D7C, 0x6B2DBA62,0x2E74ECE9,0xE19F1611,0xA4C6409A, 0xF82EFD2D,0xBD77ABA6,0x729C515E,0x37C507D5, 0x892FC0CB,0xCC769640,0x039D6CB8,0x46C43A33, 0xD2308101,0x9769D78A,0x58822D72,0x1DDB7BF9, 0xA331BCE7,0xE668EA6C,0x29831094,0x6CDA461F, 0x3032FBA8,0x756BAD23,0xBA8057DB,0xFFD90150, 0x4133C64E,0x046A90C5,0xCB816A3D,0x8ED83CB6, 0x73347536,0x366D23BD,0xF986D945,0xBCDF8FCE, 0x023548D0,0x476C1E5B,0x8887E4A3,0xCDDEB228, 0x91360F9F,0xD46F5914,0x1B84A3EC,0x5EDDF567, 0xE0373279,0xA56E64F2,0x6A859E0A,0x2FDCC881, 0xF5380C6F,0xB0615AE4,0x7F8AA01C,0x3AD3F697, 0x84393189,0xC1606702,0x0E8B9DFA,0x4BD2CB71, 0x173A76C6,0x5263204D,0x9D88DAB5,0xD8D18C3E, 0x663B4B20,0x23621DAB,0xEC89E753,0xA9D0B1D8, 0x543CF858,0x1165AED3,0xDE8E542B,0x9BD702A0, 0x253DC5BE,0x60649335,0xAF8F69CD,0xEAD63F46, 0xB63E82F1,0xF367D47A,0x3C8C2E82,0x79D57809, 0xC73FBF17,0x8266E99C,0x4D8D1364,0x08D445EF }; Kiyomoto & Shin Informational [Page 21] RFC 7008 A Description of KCipher-2 August 2013 Appendix B. A Simple Implementation Example of KCipher-2 We provide an example implementation of KCipher-2 written in C. The implementation is simple; we do not consider storage or time complexity, nor do we consider software engineering-related issues, such as encapsulation, modularity, and so on. B.1. Code Components I - Definitions and Declarations #include #include #define INIT 0 #define NORMAL 1 void init (unsigned int *, unsigned int *); void next(int); void stream (unsigned int *, unsigned int *); static const uint8_t S_box[256] = { ... // as defined in Section 2.4.3 }; static const uint32_t amul0[256] = { ... // as defined in Appendix A.1 }; static const uint32_t amul1[256] = { ... // as defined in Appendix A.2 }; static const uint32_t amul2[256] = { ... // as defined in Appendix A.3 }; static const uint32_t amul3[256] = { ... // as defined in Appendix A.4 }; /* Global variables */ // State S uint32_t A[5]; // five 32-bit units Kiyomoto & Shin Informational [Page 22] RFC 7008 A Description of KCipher-2 August 2013 uint32_t B[11]; // eleven 32-bit units uint32_t L1, R1, L2, R2; // one 32-bit unit for each // The internal key (IK) and the initialization vector (IV) uint32_t IK[12]; // (12*32) bits uint32_t IV[4]; // (4*32) bits B.2. Code Components II - Functions /** * Do multiplication in GF(2#8) of the irreducible polynomial, * f(x) = x#8 + x#4 + x#3 + x + 1. The given parameter is multiplied * by 2. * @param t : (INPUT). 8 bits. The number will be multiplied by 2 * @return : (OUTPUT). 8 bits. The multiplication result */ uint8_t GF_mult_by_2 (uint8_t t) { uint8_t q; uint32_t lq; lq = t << 1; if ((lq & 0x100) != 0) lq ^= 0x011B; q = lq ^ 0xFF; return q; } /** * Do multiplication in GF(2#8) of the irreducible polynomial, * f(x) = x#8 + x#4 + x#3 + x + 1. The given parameter is multiplied * by 3. * @param t : (INPUT). 8 bits. The number will be multiplied by 3 * @return : (OUTPUT). 8 bits. The multiplication result */ uint8_t GF_mult_by_3 (uint8_t t) { uint8_t q; uint32_t lq; lq = (t << 1) ^ t; if ((lq & 0x100) != 0) lq ^= 0x011B; q = lq ^ 0xFF; return q; } Kiyomoto & Shin Informational [Page 23] RFC 7008 A Description of KCipher-2 August 2013 /** * Do substitution on a given input. See Section 2.4.2. * @param t : (INPUT), (1*32) bits * @return : (OUTPUT), (1*32) bits */ uint32_t sub_k2 (uint32_t in) { uint32_t out; uint8_t w0 = in & 0x000000ff; uint8_t w1 = (in >> 8) & 0x000000ff; uint8_t w2 = (in >> 16) & 0x000000ff; uint8_t w3 = (in >> 24) & 0x000000ff; uint8_t t3, t2, t1, t0; uint8_t q3, q2, q1, q0; t0 = S_box[w0]; t1 = S_box[w1]; t2 = S_box[w2]; t3 = S_box[w3]; q0 = GF_mult_by_2(t0) ^ GF_mult_by_3(t1) ^ t2 ^ t3; q1 = t0 ^ GF_mult_by_2(t1) ^ GF_mult_by_3(t2) ^ t3; q2 = t0 ^ t1 ^ GF_mult_by_2(t2) ^ GF_mult_by_3(t3); q3 = GF_mult_by_3(t0) ^ t1 ^ t2 ^ GF_mult_by_2(t3); out = (q3 << 24) | (q2 << 16) | (q1 << 8) | q0; return out; } /** * Expand a given 128-bit key (K) to a 384-bit internal key * information (IK). * See Step 1 of init() in Section 2.3.2. * @param key[4] : (INPUT), (4*32) bits * @param iv[4] : (INPUT), (4*32) bits * @modify IK[12] : (OUTPUT), (12*32) bits * @modify IV[12] : (OUTPUT), (4*32) bits */ void key_expansion (uint32_t *key, uint32_t *iv) { // copy iv to IV IV[0] = iv[0]; IV[1] = iv[1]; IV[2] = iv[2]; IV[3] = iv[3]; // m = 0 ... 3 IK[0] = key[0]; IK[1] = key[1]; IK[2] = key[2]; IK[3] = key[3]; // m = 4 IK[4] = IK[0] ^ sub_k2((IK[3] << 8) ^ (IK[3] >> 24)) ^ 0x01000000; Kiyomoto & Shin Informational [Page 24] RFC 7008 A Description of KCipher-2 August 2013 // m = 4 ... 11, but not 4 nor 8 IK[5] = IK[1] ^ IK[4]; IK[6] = IK[2] ^ IK[5]; IK[7] = IK[3] ^ IK[6]; // m = 8 IK[8] = IK[4] ^ sub_k2((IK[7] << 8) ^ (IK[7] >> 24)) ^ 0x02000000; // m = 4 ... 11, but not 4 nor 8 IK[9] = IK[5] ^ IK[8]; IK[10] = IK[6] ^ IK[9]; IK[11] = IK[7] ^ IK[10]; } /** * Set up the initial state value using IK and IV. See Step 2 of * init() in Section 2.3.2. * @param key[4] : (INPUT), (4*32) bits * @param iv[4] : (INPUT), (4*32) bits * @modify S : (OUTPUT), (A, B, L1, R1, L2, R2) */ void setup_state_values (uint32_t *key, uint32_t *iv) { // setting up IK and IV by calling key_expansion(key, iv) key_expansion(key, iv); // setting up the internal state values A[0] = IK[4]; A[1] = IK[3]; A[2] = IK[2]; A[3] = IK[1]; A[4] = IK[0]; B[0] = IK[10]; B[1] = IK[11]; B[2] = IV[0]; B[3] = IV[1]; B[4] = IK[8]; B[5] = IK[9]; B[6] = IV[2]; B[7] = IV[3]; B[8] = IK[7]; B[9] = IK[5]; B[10] = IK[6]; L1 = R1 = L2 = R2 = 0x00000000; } /** * Initialize the system with a 128-bit key (K) and a 128-bit * initialization vector (IV). It sets up the internal state value * and invokes next(INIT) iteratively 24 times. After this, * the system is ready to produce key streams. See Section 2.3.2. * @param key[12] : (INPUT), (4*32) bits * @param iv[4] : (INPUT), (4*32) bits * @modify IK : (12*32) bits, by calling setup_state_values() * @modify IV : (4*32) bits, by calling setup_state_values() * @modify S : (OUTPUT), (A, B, L1, R1, L2, R2) */ void init (uint32_t *k, uint32_t *iv) { int i; Kiyomoto & Shin Informational [Page 25] RFC 7008 A Description of KCipher-2 August 2013 setup_state_values(k, iv); for(i=0; i < 24; i++) { next(INIT); } } /** * Non-linear function. See Section 2.4.1. * @param A : (INPUT), 8 bits * @param B : (INPUT), 8 bits * @param C : (INPUT), 8 bits * @param D : (INPUT), 8 bits * @return : (OUTPUT), 8 bits */ uint32_t NLF (uint32_t A, uint32_t B, uint32_t C, uint32_t D ) { uint32_t Q; Q = (A + B) ^ C ^ D; return Q; } /** * Derive a new state from the current state values. * See Section 2.3.1. * @param mode : (INPUT) INIT (= 0) or NORMAL (= 1) * @modify S : (OUTPUT) */ void next (int mode) { uint32_t nA[5]; uint32_t nB[11]; uint32_t nL1, nR1, nL2, nR2; uint32_t temp1, temp2; nL1 = sub_k2(R2 + B[4]); nR1 = sub_k2(L2 + B[9]); nL2 = sub_k2(L1); nR2 = sub_k2(R1); // m = 0 ... 3 nA[0] = A[1]; nA[1] = A[2]; nA[2] = A[3]; nA[3] = A[4]; // m = 0 ... 9 nB[0] = B[1]; nB[1] = B[2]; nB[2] = B[3]; nB[3] = B[4]; nB[4] = B[5]; nB[5] = B[6]; nB[6] = B[7]; nB[7] = B[8]; nB[8] = B[9]; nB[9] = B[10]; Kiyomoto & Shin Informational [Page 26] RFC 7008 A Description of KCipher-2 August 2013 // update nA[4] temp1 = (A[0] << 8) ^ amul0[(A[0] >> 24)]; nA[4] = temp1 ^ A[3]; if (mode == INIT) nA[4] ^= NLF(B[0], R2, R1, A[4]); // update nB[10] if (A[2] & 0x40000000) /* if A[2][30] == 1 */ { temp1 = (B[0] << 8) ^ amul1[(B[0] >> 24)]; } else /*if A[2][30] == 0*/ { temp1 = (B[0] << 8) ^ amul2[(B[0] >> 24)]; } if (A[2] & 0x80000000) /* if A[2][31] == 1 */ { temp2 = (B[8] << 8) ^ amul3[(B[8] >> 24)]; } else /* if A[2][31] == 0 */ { temp2 = B[8]; } nB[10] = temp1 ^ B[1] ^ B[6] ^ temp2; if (mode == INIT) nB[10] ^= NLF(B[10], L2, L1, A[0]); /* copy S' to S */ A[0] = nA[0]; A[1] = nA[1]; A[2] = nA[2]; A[3] = nA[3]; A[4] = nA[4]; B[0] = nB[0]; B[1] = nB[1]; B[2] = nB[2]; B[3] = nB[3]; B[4] = nB[4]; B[5] = nB[5]; B[6] = nB[6]; B[7] = nB[7]; B[8] = nB[8]; B[9] = nB[9]; B[10] = nB[10]; L1 = nL1; R1 = nR1; L2 = nL2; R2 = nR2; } /** * Obtain a key stream = (ZH, ZL) from the current state values. * See Section 2.3.3. * @param ZH : (OUTPUT) (1 * 32)-bit * @modify ZL : (OUTPUT) (1 * 32)-bit */ void stream (uint32_t *ZH, uint32_t *ZL) { *ZH = NLF(B[10], L2, L1, A[0]); *ZL = NLF(B[0], R2, R1, A[4]); } Kiyomoto & Shin Informational [Page 27] RFC 7008 A Description of KCipher-2 August 2013 B.3. Use Case void main (void) { // Set the key and the iv uint32_t key[4] = ...; uint32_t iv[4] = ...; init(key, iv); // produce a key stream stream(&zh, &zl); next(NORMAL); // produce another key stream stream(&zh, &zl); next(NORMAL); ... } Appendix C. Test Vectors This appendix provides running examples of KCipher-2 obtained from the naive implementation. All values are written in hexadecimal form. C.1. Key Stream Generation Examples The following is a series of the 64-bit key streams generated from the given 8-bit keys (K) and 128-bit initialization vectors (IVs). - K : 00000000 00000000 00000000 00000000 - IV: 00000000 00000000 00000000 00000000 - Generated key streams at S(i) are as follows S(0): F871EBEF 945B7272 S(1): E40C0494 1DFF0537 S(2): 0B981A59 FBC8AC57 S(3): 566D3B02 C179DBB4 S(4): 3B46F1F0 33554C72 S(5): 5DE68BCC 9872858F S(6): 57549602 4062F0E9 S(7): F932C998 226DB6BA ... - K : A37B7D01 2F897076 FE08C22D 142BB2CF - IV: 33A6EE60 E57927E0 8B45CC4C A30EDE4A - Generated key streams at S(i) are as follows S(0): 60E9A6B6 7B4C2524 Kiyomoto & Shin Informational [Page 28] RFC 7008 A Description of KCipher-2 August 2013 S(1): FE726D44 AD5B402E S(2): 31D0D1BA 5CA233A4 S(3): AFC74BE7 D6069D36 S(4): 4A75BB6C D8D5B7F0 S(5): 38AAAA28 4AE4CD2F S(6): E2E5313D FC6CCD8F S(7): 9D2484F2 0F86C50D ... - K : 3D62E9B1 8E5B042F 42DF43CC 7175C96E - IV: 777CEFE4 541300C8 ADCACA8A 0B48CD55 - Generated key streams at S(i) are as follows S(0): 690F108D 84F44AC7 S(1): BF257BD7 E394F6C9 S(2): AA1192C3 8E200C6E S(3): 073C8078 AC18AAD1 S(4): D4B8DADE 68802368 S(5): 2FA42076 83DEA5A4 S(6): 4C1D95EA E959F5B4 S(7): 2611F41E A40F0A58 ... C.2. Another Key Stream Generation with the State Values In this section, the initialization procedure and the key stream generation are illustrated in detail. The given 128-bit key (K) and the 128-bit initialization vector (IV) are as follows: - K : 0F1E2D3C 4B5A6978 8796A5B4 C3D2E1F0 - IV: F0E0D0C0 B0A09080 70605040 30201000. Based on K and IV, the init() operation (Section 2.3.2) sets up the internal state values, S = (A, B, L1, R1, L2, R2), as follows: A[0]: 7993A6A2 A[1]: C3D2E1F0 A[2]: 8796A5B4 A[3]: 4B5A6978 A[4]: 0F1E2D3C B[0]: 38AB371B B[1] : 4E26BC85 B[2]: F0E0D0C0 B[3]: B0A09080 B[4] : BF3D92AF B[5]: 8DF45D75 B[6]: 70605040 B[7] : 30201000 B[8]: 768D8B9E B[9]: 32C9CFDA B[10]: B55F6A6E L1: 00000000 R1: 00000000 L2: 00000000 R2: 00000000 Kiyomoto & Shin Informational [Page 29] RFC 7008 A Description of KCipher-2 August 2013 To complete the initialization, the next() operation is applied to the state values 24 times (in Section 2.3.2, Step 3). Let us denote each repeated application of the next() operation by init(i), where 1 <= i <= 24. The internal state values resulting from each init(i) are shown in Appendixes C.2.1 - C.2.24. C.2.1. S after init(1) A[0]: C3D2E1F0 A[1]: 8796A5B4 A[2]: 4B5A6978 A[3]: 0F1E2D3C A[4]: 37070F7F B[0]: 4E26BC85 B[1] : F0E0D0C0 B[2]: B0A09080 B[3]: BF3D92AF B[4] : 8DF45D75 B[5]: 70605040 B[6]: 30201000 B[7] : 768D8B9E B[8]: 32C9CFDA B[9]: B55F6A6E B[10]: 64DEFF24 L1: F360860C R1: E81907D5 L2: 63636363 R2: 63636363 C.2.2. S after init(2) A[0]: 8796A5B4 A[1]: 4B5A6978 A[2]: 0F1E2D3C A[3]: 37070F7F A[4]: 25BCF981 B[0]: F0E0D0C0 B[1] : B0A09080 B[2]: BF3D92AF B[3]: 8DF45D75 B[4] : 70605040 B[5]: 30201000 B[6]: 768D8B9E B[7] : 32C9CFDA B[8]: B55F6A6E B[9]: 64DEFF24 B[10]: 7E65CB6A L1: 1B9542ED R1: 9B259D28 L2: 971610F6 R2: 39C36E1D C.2.3. S after init(3) A[0]: 4B5A6978 A[1]: 0F1E2D3C A[2]: 37070F7F A[3]: 25BCF981 A[4]: FA2DD9D3 B[0]: B0A09080 B[1] : BF3D92AF B[2]: 8DF45D75 B[3]: 70605040 B[4] : 30201000 B[5]: 768D8B9E B[6]: 32C9CFDA B[7] : B55F6A6E B[8]: 64DEFF24 B[9]: 7E65CB6A B[10]: 08573732 L1: 1F41CDFB R1: CFAE13F3 L2: BCC7DC5B R2: 1528DDA1 Kiyomoto & Shin Informational [Page 30] RFC 7008 A Description of KCipher-2 August 2013 C.2.4. S after init(4) A[0]: 0F1E2D3C A[1]: 37070F7F A[2]: 25BCF981 A[3]: FA2DD9D3 A[4]: AB820031 B[0]: BF3D92AF B[1] : 8DF45D75 B[2]: 70605040 B[3]: 30201000 B[4] : 768D8B9E B[5]: 32C9CFDA B[6]: B55F6A6E B[7] : 64DEFF24 B[8]: 7E65CB6A B[9]: 08573732 B[10]: 40941D82 L1: 8D7100A7 R1: AA6C8F89 L2: B4F43081 R2: 81264AF3 C.2.5. S after init(5) A[0]: 37070F7F A[1]: 25BCF981 A[2]: FA2DD9D3 A[3]: AB820031 A[4]: D8F5995F B[0]: 8DF45D75 B[1] : 70605040 B[2]: 30201000 B[3]: 768D8B9E B[4] : 32C9CFDA B[5]: B55F6A6E B[6]: 64DEFF24 B[7] : 7E65CB6A B[8]: 08573732 B[9]: 40941D82 B[10]: 1A8DA7FB L1: D315A91D R1: 751BC887 L2: 9E8539E3 R2: 929B1D3C C.2.6. S after init(6) A[0]: 25BCF981 A[1]: FA2DD9D3 A[2]: AB820031 A[3]: D8F5995F A[4]: F697B5BB B[0]: 70605040 B[1] : 30201000 B[2]: 768D8B9E B[3]: 32C9CFDA B[4] : B55F6A6E B[5]: 64DEFF24 B[6]: 7E65CB6A B[7] : 08573732 B[8]: 40941D82 B[9]: 1A8DA7FB B[10]: 13B5E7F3 L1: 88658E94 R1: 7F1C023D L2: B16F9402 R2: 5F06AB3F C.2.7. S after init(7) A[0]: FA2DD9D3 A[1]: AB820031 A[2]: D8F5995F A[3]: F697B5BB A[4]: 6B0A7012 B[0]: 30201000 B[1] : 768D8B9E B[2]: 32C9CFDA B[3]: B55F6A6E B[4] : 64DEFF24 B[5]: 7E65CB6A B[6]: 08573732 B[7] : 40941D82 B[8]: 1A8DA7FB B[9]: 13B5E7F3 B[10]: D76ABD2C L1: 21BF8813 R1: 743F68DE L2: A1F603E6 R2: 3D1EA499 Kiyomoto & Shin Informational [Page 31] RFC 7008 A Description of KCipher-2 August 2013 C.2.8. S after init(8) A[0]: AB820031 A[1]: D8F5995F A[2]: F697B5BB A[3]: 6B0A7012 A[4]: 23995B7E B[0]: 768D8B9E B[1] : 32C9CFDA B[2]: B55F6A6E B[3]: 64DEFF24 B[4] : 7E65CB6A B[5]: 08573732 B[6]: 40941D82 B[7] : 1A8DA7FB B[8]: 13B5E7F3 B[9]: D76ABD2C B[10]: 997C3F70 L1: B48EA08C R1: 657C8FFD L2: AAB50B58 R2: 281F9A12 C.2.9. S after init(9) A[0]: D8F5995F A[1]: F697B5BB A[2]: 6B0A7012 A[3]: 23995B7E A[4]: F8532F87 B[0]: 32C9CFDA B[1] : B55F6A6E B[2]: 64DEFF24 B[3]: 7E65CB6A B[4] : 08573732 B[5]: 40941D82 B[6]: 1A8DA7FB B[7] : 13B5E7F3 B[8]: D76ABD2C B[9]: 997C3F70 B[10]: 95FFF657 L1: A2040C44 R1: EF19DC4E L2: 543A1967 R2: 05D0CF60 C.2.10. S after init(10) A[0]: F697B5BB A[1]: 6B0A7012 A[2]: 23995B7E A[3]: F8532F87 A[4]: BEDF1DEF B[0]: B55F6A6E B[1] : 64DEFF24 B[2]: 7E65CB6A B[3]: 08573732 B[4] : 40941D82 B[5]: 1A8DA7FB B[6]: 13B5E7F3 B[7] : D76ABD2C B[8]: 997C3F70 B[9]: 95FFF657 B[10]: 6D2C2FA3 L1: C7AE66B0 R1: 9C075DB9 L2: 5554CBE7 R2: 866080C4 C.2.11. S after init(11) A[0]: 6B0A7012 A[1]: 23995B7E A[2]: F8532F87 A[3]: BEDF1DEF A[4]: 983D37. B[0]: 64DEFF24 B[1] : 7E65CB6A B[2]: 08573732 B[3]: 40941D82 B[4] : 1A8DA7FB B[5]: 13B5E7F3 B[6]: D76ABD2C B[7] : 997C3F70 B[8]: 95FFF657 B[9]: 6D2C2FA3 B[10]: A02127BE L1: 29F322A2 R1: 01F771D9 L2: 725670A2 R2: D4F24463 Kiyomoto & Shin Informational [Page 32] RFC 7008 A Description of KCipher-2 August 2013 C.2.12. S after init(12) A[0]: 23995B7E A[1]: F8532F87 A[2]: BEDF1DEF A[3]: 983D37CB A[4]: 526A110D B[0]: 7E65CB6A B[1] : 08573732 B[2]: 40941D82 B[3]: 1A8DA7FB B[4] : 13B5E7F3 B[5]: D76ABD2C B[6]: 997C3F70 B[7] : 95FFF657 B[8]: 6D2C2FA3 B[9]: A02127BE B[10]: 49F99042 L1: 51536DF4 R1: 66111E6A L2: 8147B572 R2: 6CC2AC80 C.2.13. S after init(13) A[0]: F8532F87 A[1]: BEDF1DEF A[2]: 983D37CB A[3]: 526A110D A[4]: A5EEB8AE B[0]: 08573732 B[1] : 40941D82 B[2]: 1A8DA7FB B[3]: 13B5E7F3 B[4] : D76ABD2C B[5]: 997C3F70 B[6]: 95FFF657 B[7] : 6D2C2FA3 B[8]: A02127BE B[9]: 49F99042 B[10]: 406CE62C L1: 9582D912 R1: 6953AFE8 L2: B22A3A1D R2: 903A4823 C.2.14. S after init(14) A[0]: BEDF1DEF A[1]: 983D37CB A[2]: 526A110D A[3]: A5EEB8AE A[4]: 70A5B5BA B[0]: 40941D82 B[1] : 1A8DA7FB B[2]: 13B5E7F3 B[3]: D76ABD2C B[4] : 997C3F70 B[5]: 95FFF657 B[6]: 6D2C2FA3 B[7] : A02127BE B[8]: 49F99042 B[9]: 406CE62C B[10]: C57BED5B L1: EB77DD2D R1: 633CFD8F L2: 32A4BCEF R2: CB33BCB2 C.2.15. S after init(15) A[0]: 983D37CB A[1]: 526A110D A[2]: A5EEB8AE A[3]: 70A5B5BA A[4]: B1145F18 B[0]: 1A8DA7FB B[1] : 13B5E7F3 B[2]: D76ABD2C B[3]: 997C3F70 B[4] : 95FFF657 B[5]: 6D2C2FA3 B[6]: A02127BE B[7] : 49F99042 B[8]: 406CE62C B[9]: C57BED5B B[10]: 7BE2C520 L1: E11420CC R1: 6730A956 L2: 8EC8ACEF R2: C7FC060A Kiyomoto & Shin Informational [Page 33] RFC 7008 A Description of KCipher-2 August 2013 C.2.16. S after init(16) A[0]: 526A110D A[1]: A5EEB8AE A[2]: 70A5B5BA A[3]: B1145F18 A[4]: FA752FDC B[0]: 13B5E7F3 B[1] : D76ABD2C B[2]: 997C3F70 B[3]: 95FFF657 B[4] : 6D2C2FA3 B[5]: A02127BE B[6]: 49F99042 B[7] : 406CE62C B[8]: C57BED5B B[9]: 7BE2C520 B[10]: 1F48829C L1: 0D95C94D R1: 8238B05F L2: 7B00D356 R2: 0EFE8596 C.2.17. S after init(17) A[0]: A5EEB8AE A[1]: 70A5B5BA A[2]: B1145F18 A[3]: FA752FDC A[4]: DB29190A B[0]: D76ABD2C B[1] : 997C3F70 B[2]: 95FFF657 B[3]: 6D2C2FA3 B[4] : A02127BE B[5]: 49F99042 B[6]: 406CE62C B[7] : C57BED5B B[8]: 7BE2C520 B[9]: 1F48829C B[10]: F95DD14F L1: 262687B5 R1: 9B9AC5E9 L2: 7C08EB5C R2: 8C1300A3 C.2.18. S after init(18) A[0]: 70A5B5BA A[1]: B1145F18 A[2]: FA752FDC A[3]: DB29190A A[4]: 35623CDA B[0]: 997C3F70 B[1] : 95FFF657 B[2]: 6D2C2FA3 B[3]: A02127BE B[4] : 49F99042 B[5]: 406CE62C B[6]: C57BED5B B[7] : 7BE2C520 B[8]: 1F48829C B[9]: F95DD14F B[10]: D939E13E L1: E478DEF0 R1: 06F84503 L2: 71350E88 R2: 14EF8E61 C.2.19. S after init(19) A[0]: B1145F18 A[1]: FA752FDC A[2]: DB29190A A[3]: 35623CDA A[4]: 746B4AE8 B[0]: 95FFF657 B[1] : 6D2C2FA3 B[2]: A02127BE B[3]: 49F99042 B[4] : 406CE62C B[5]: C57BED5B B[6]: 7BE2C520 B[7] : 1F48829C B[8]: F95DD14F B[9]: D939E13E B[10]: 9970C980 L1: C2AC94C4 R1: C708FAE8 L2: FC4900F1 R2: 7C260B6A Kiyomoto & Shin Informational [Page 34] RFC 7008 A Description of KCipher-2 August 2013 C.2.20. S after init(20) A[0]: FA752FDC A[1]: DB29190A A[2]: 35623CDA A[3]: 746B4AE8 A[4]: 2EB9213A B[0]: 6D2C2FA3 B[1] : A02127BE B[2]: 49F99042 B[3]: 406CE62C B[4] : C57BED5B B[5]: 7BE2C520 B[6]: 1F48829C B[7] : F95DD14F B[8]: D939E13E B[9]: 9970C980 B[10]: 3C517031 L1: 8F007DE9 R1: B2AE0889 L2: DD68D5EA R2: 3C8757AC C.2.21. S after init(21) A[0]: DB29190A A[1]: 35623CDA A[2]: 746B4AE8 A[3]: 2EB9213A A[4]: BE3CA984 B[0]: A02127BE B[1] : 49F99042 B[2]: 406CE62C B[3]: C57BED5B B[4] : 7BE2C520 B[5]: 1F48829C B[6]: F95DD14F B[7] : D939E13E B[8]: 9970C980 B[9]: 3C517031 B[10]: D1439B63 L1: AFC4E32F R1: 98FBC87F L2: 58B22D36 R2: 481DC7D6 C.2.22. S after init(22) A[0]: 35623CDA A[1]: 746B4AE8 A[2]: 2EB9213A A[3]: BE3CA984 A[4]: 974E6719 B[0]: 49F99042 B[1] : 406CE62C B[2]: C57BED5B B[3]: 7BE2C520 B[4] : 1F48829C B[5]: F95DD14F B[6]: D939E13E B[7] : 9970C980 B[8]: 3C517031 B[9]: D1439B63 B[10]: 9334E221 L1: F9C43357 R1: E5539EA2 L2: C0B76A7C R2: 06EE4ED5 C.2.23. S after init(23) A[0]: 746B4AE8 A[1]: 2EB9213A A[2]: BE3CA984 A[3]: 974E6719 A[4]: 86916EFF B[0]: 406CE62C B[1] : C57BED5B B[2]: 7BE2C520 B[3]: 1F48829C B[4] : F95DD14F B[5]: D939E13E B[6]: 9970C980 B[7] : 3C517031 B[8]: D1439B63 B[9]: 9334E221 B[10]: 50EF13E7 L1: 309527ED R1: C473D814 L2: 1B107B6D R2: 0180D95D Kiyomoto & Shin Informational [Page 35] RFC 7008 A Description of KCipher-2 August 2013 C.2.24. S(0) after init(24) A[0]: 2EB9213A A[1]: BE3CA984 A[2]: 974E6719 A[3]: 86916EFF A[4]: F52DACF9 B[0]: C57BED5B B[1] : 7BE2C520 B[2]: 1F48829C B[3]: F95DD14F B[4] : D939E13E B[5]: 9970C980 B[6]: 3C517031 B[7] : D1439B63 B[8]: 9334E221 B[9]: 50EF13E7 B[10]: E0BD9F91 L1: 4370D8E6 R1: DABED76C L2: 11C1ACCB R2: C3BAAEDF Note that the result of init(24) is also referred to as S(0) (in Section 2.3.2). Since the state is S(0), the stream() operation (in Section 2.3.3) can be applied and generate key streams. Key stream at S(0) : 9FB6B580A6A5E7AF Henceforth, a new key stream can be produced by 1) obtaining a new state by applying the next() operation to the current state, and 2) generating a new key stream by applying the stream() operation to the new state. C.2.25. S(1) and the Key Stream at S(1) A[0]: BE3CA984 A[1]: 974E6719 A[2]: 86916EFF A[3]: F52DACF9 A[4]: 960329B5 B[0]: 7BE2C520 B[1] : 1F48829C B[2]: F95DD14F B[3]: D939E13E B[4] : 9970C980 B[5]: 3C517031 B[6]: D1439B63 B[7] : 9334E221 B[8]: 50EF13E7 B[9]: E0BD9F91 B[10]: 5318AEE1 L1: 8FD86092 R1: 4BBDC0F6 L2: 8D63A5EF R2: FEE0F24B Key stream at S(1) : D1989DC6A77D5E28 Kiyomoto & Shin Informational [Page 36] RFC 7008 A Description of KCipher-2 August 2013 C.2.26. S(2) and the Key Stream at S(2) A[0]: 974E6719 A[1]: 86916EFF A[2]: F52DACF9 A[3]: 960329B5 A[4]: 1A3DB24E B[0]: 1F48829C B[1] : F95DD14F B[2]: D939E13E B[3]: 9970C980 B[4] : 3C517031 B[5]: D1439B63 B[6]: 9334E221 B[7] : 50EF13E7 B[8]: E0BD9F91 B[9]: 5318AEE1 B[10]: C86C2C77 L1: 9686FE8C R1: FAF89251 L2: 86C824E7 R2: 7BC21098 Key stream at S(2) : 4EFCC8CB7BCFB32B Authors' Addresses Shinsaku Kiyomoto KDDI R&D Laboratories, Inc. 2-1-15 Ohara Fujimino-shi, Saitama 356-8502 Japan Phone: +81-49-278-7885 Fax: +81-49-278-7510 EMail: kiyomoto@kddilabs.jp Wook Shin KDDI R&D Laboratories, Inc. 2-1-15 Ohara Fujimino-shi, Saitama 356-8502 Japan EMail: ohpato@hanmail.net Kiyomoto & Shin Informational [Page 37]