A Description of the KCipher-2 Encryption Algorithm
RFC 7008
| Document | Type |
RFC
- Informational
(August 2013)
IPR
Was
draft-kiyomoto-kcipher2
(individual)
|
|
|---|---|---|---|
| Authors | Shinsaku Kiyomoto , Wook Shin | ||
| Last updated | 2013-08-28 | ||
| RFC stream | Independent Submission | ||
| Formats | |||
| IETF conflict review | conflict-review-kiyomoto-kcipher2 | ||
| Stream | ISE state | Published RFC | |
| Consensus boilerplate | Unknown | ||
| Document shepherd | (None) | ||
| IESG | IESG state | RFC 7008 (Informational) | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
RFC 7008
Independent Submission S. Kiyomoto
Request for Comments: 7008 W. Shin
Category: Informational KDDI R&D Laboratories, Inc.
ISSN: 2070-1721 August 2013
A Description of the KCipher-2 Encryption Algorithm
Abstract
This document describes the KCipher-2 encryption algorithm.
KCipher-2 is a stream cipher with a 128-bit key and a 128-bit
initialization vector. Since the algorithm for KCipher-2 was
published in 2007, security and efficiency have been rigorously
evaluated through academic and industrial studies. As of the
publication of this document, no security vulnerabilities have been
found. KCipher-2 offers fast encryption and decryption by means of
simple operations that enable efficient implementation. KCipher-2
has been used for industrial applications, especially for mobile
health monitoring and diagnostic services in Japan.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any other
RFC stream. The RFC Editor has chosen to publish this document at
its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7008.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Kiyomoto & Shin Informational [Page 1]
RFC 7008 A Description of KCipher-2 August 2013
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Algorithm Description . . . . . . . . . . . . . . . . . . . . 3
2.1. Notations . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Internal State . . . . . . . . . . . . . . . . . . . . . . 4
2.2.1. Feedback Shift Registers . . . . . . . . . . . . . . . 4
2.2.2. Internal Registers . . . . . . . . . . . . . . . . . . 5
2.3. Operations . . . . . . . . . . . . . . . . . . . . . . . . 5
2.3.1. next() . . . . . . . . . . . . . . . . . . . . . . . . 5
2.3.2. init() . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3.3. stream() . . . . . . . . . . . . . . . . . . . . . . . 8
2.4. Subroutines . . . . . . . . . . . . . . . . . . . . . . . 9
2.4.1. NLF() . . . . . . . . . . . . . . . . . . . . . . . . 9
2.4.2. sub_K2() . . . . . . . . . . . . . . . . . . . . . . . 9
2.4.3. S_box() . . . . . . . . . . . . . . . . . . . . . . . 10
2.4.4. Multiplications in GF(2#32) . . . . . . . . . . . . . 11
2.5. Encryption and Decryption Scheme . . . . . . . . . . . . . 13
2.5.1. Key Stream Generation . . . . . . . . . . . . . . . . 13
2.5.2. Encryption and Decryption of a Message . . . . . . . . 14
3. Security Considerations . . . . . . . . . . . . . . . . . . . 14
4. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.1. Normative References . . . . . . . . . . . . . . . . . . . 14
4.2. Informative References . . . . . . . . . . . . . . . . . . 14
Appendix A. Tables for Multiplication in GF(2#32) . . . . . . . . 16
A.1. The table amul0 . . . . . . . . . . . . . . . . . . . . . 16
A.2. The table amul1 . . . . . . . . . . . . . . . . . . . . . 17
A.3. The table amul2 . . . . . . . . . . . . . . . . . . . . . 19
A.4. The table amul3 . . . . . . . . . . . . . . . . . . . . . 20
Appendix B. A Simple Implementation Example of KCipher-2 . . . . 22
B.1. Code Components I - Definitions and Declarations . . . . . 22
B.2. Code Components II - Functions . . . . . . . . . . . . . . 23
B.3. Use Case . . . . . . . . . . . . . . . . . . . . . . . . . 28
Appendix C. Test Vectors . . . . . . . . . . . . . . . . . . . . 28
C.1. Key Stream Generation Examples . . . . . . . . . . . . . . 28
C.2. Another Key Stream Generation with the State Values . . . 29
C.2.1. S after init(1) . . . . . . . . . . . . . . . . . . . 30
C.2.2. S after init(2) . . . . . . . . . . . . . . . . . . . 30
C.2.3. S after init(3) . . . . . . . . . . . . . . . . . . . 30
C.2.4. S after init(4) . . . . . . . . . . . . . . . . . . . 31
C.2.5. S after init(5) . . . . . . . . . . . . . . . . . . . 31
C.2.6. S after init(6) . . . . . . . . . . . . . . . . . . . 31
C.2.7. S after init(7) . . . . . . . . . . . . . . . . . . . 31
C.2.8. S after init(8) . . . . . . . . . . . . . . . . . . . 32
C.2.9. S after init(9) . . . . . . . . . . . . . . . . . . . 32
C.2.10. S after init(10) . . . . . . . . . . . . . . . . . . . 32
C.2.11. S after init(11) . . . . . . . . . . . . . . . . . . . 32
C.2.12. S after init(12) . . . . . . . . . . . . . . . . . . . 33
Kiyomoto & Shin Informational [Page 2]
RFC 7008 A Description of KCipher-2 August 2013
C.2.13. S after init(13) . . . . . . . . . . . . . . . . . . . 33
C.2.14. S after init(14) . . . . . . . . . . . . . . . . . . . 33
C.2.15. S after init(15) . . . . . . . . . . . . . . . . . . . 33
C.2.16. S after init(16) . . . . . . . . . . . . . . . . . . . 34
C.2.17. S after init(17) . . . . . . . . . . . . . . . . . . . 34
C.2.18. S after init(18) . . . . . . . . . . . . . . . . . . . 34
C.2.19. S after init(19) . . . . . . . . . . . . . . . . . . . 34
C.2.20. S after init(20) . . . . . . . . . . . . . . . . . . . 35
C.2.21. S after init(21) . . . . . . . . . . . . . . . . . . . 35
C.2.22. S after init(22) . . . . . . . . . . . . . . . . . . . 35
C.2.23. S after init(23) . . . . . . . . . . . . . . . . . . . 35
C.2.24. S(0) after init(24) . . . . . . . . . . . . . . . . . 36
C.2.25. S(1) and the Key Stream at S(1) . . . . . . . . . . . 36
C.2.26. S(2) and the Key Stream at S(2) . . . . . . . . . . . 37
1. Introduction
KCipher-2 is a stream cipher that uses a 128-bit secret key and a
128-bit initialization vector. Since the algorithm for KCipher-2 was
published in 2007 [SASC07], it has been evaluated in academic and
industrial studies. The security and performance of KCipher-2 have
been rigorously evaluated by its developers and other institutions
[SECRYPT07] [ICETE07] [CRYPTEC] [SIIS11]. As of the publication of
this document, no attack on KCipher-2 has been successful. KCipher-2
can be efficiently implemented in software to provide fast encryption
and decryption, owing to its uncomplicated design. Only four simple
operations are used: exclusive-OR, addition, shift, and table lookup.
When the algorithm is implemented in hardware, internal computations
can be parallel to yield greater efficiency. Moreover, since its
internal state representation only amounts to several hundred bits,
KCipher-2 is suitable for resource-limited environments. KCipher-2
has been actively used in several industrial applications in Japan,
has been published by an international standardization body (ISO/IEC
18033-4 [ISO18033]), and has been designated a Japanese e-Government
recommended cipher [CRYPTECLIST].
2. Algorithm Description
In this section, we describe the internal components of KCipher-2 and
define the operations for deriving key streams from an input key and
an initialization vector. We illustrate the detailed operations,
mostly in pseudocode format, but also provide code snippets written
in the C language syntax when necessary.
Kiyomoto & Shin Informational [Page 3]
RFC 7008 A Description of KCipher-2 August 2013
2.1. Notations
All values in this document are stored in big-endian order (aka
network byte order). We use the following notations in the
description of KCipher-2.
^ Bitwise exclusive-OR
n#m mth power of n
+n Integer addition modulo 2#n
<<_r n n-bit left circular shift in an r-bit register
0x Hexadecimal representation
E[i] The (i + 1)th element of E when E is composed of
consecutive multiple elements
GF Galois field. GF(n#m) means the finite field of exactly
n#m elements
** Multiplication of elements on the finite field GF(2#32)
NOTE: Many texts denote "the mth power of n" by "n^m", but we write
it using '#', instead of '^', to avoid reader confusion with the
power operator and the XOR operator of the C language syntax.
2.2. Internal State
The internal state of KCipher-2 can be denoted by S. The internal
state consists of six sub-components: two feedback shift registers,
FSR-A and FSR-B, and four internal registers, L1, R1, L2, and R2.
We, therefore, often write S = (A, B, L1, R1, L2, R2), where A and B
refer to FSR-A and FSR-B, respectively.
2.2.1. Feedback Shift Registers
The two feedback shift registers (FSRs) are separately called
Feedback Shift Register A (FSR-A) and Feedback Shift Register B
(FSR-B). FSR-A is composed of five 32-bit units that are
consecutively arranged. Each unit can be identified by A[0], A[1],
A[2], A[3], and A[4]. Likewise, FSR-B is composed of eleven
consecutive 32-bit units, B[0], ..., B[10]. All values stored in
each 32-bit unit of FSR is in GF(2#32).
Kiyomoto & Shin Informational [Page 4]
RFC 7008 A Description of KCipher-2 August 2013
2.2.2. Internal Registers
Besides FSR, KCipher-2 has four internal registers to store
intermediate computation results during operation. The four
registers are named L1, R1, L2, and R2.
2.3. Operations
Three major operations constitute the behavior of KCipher-2: init(),
next(), and stream(). The init() operation initializes the internal
values of the system. The next() operation derives new values of S'
from the values of S, where S' and S refer to the internal state.
The stream() operation derives a key stream from the current state S.
2.3.1. next()
The next() operation takes the current state S = (A, B, L1, R1, L2,
R2) as input. The size of the input amounts to twenty of the 32-bit
units in total (five units for A, eleven for B, and one for L1, R1,
L2, and R2). It produces the next state S' = (A', B', L1', R1', L2',
R2'). This operation is mainly used to generate secure key streams
by applying non-linear functions (NLFs) for every cycle of KCipher-2.
Additionally, it is used to initialize the system. The behaviors are
distinguished by the input parameter that indicates the operation
modes.
Inside the next() operation, the internal registers are updated by
the result of the substitution function described in Section 2.4.2.
The feedback shift registers are also updated by feedback functions.
The feedback functions include the multiplication of register units
and the fixed elements a0, a1, a2, and a3 in a finite field. The
fixed elements a0, ..., a3 are carefully chosen to provide the
maximum length of the feedback shift registers. The theory behind
the selection of fixed elements and the way to simplify the necessary
multiplications are briefly described in Section 2.4.4.
The operation takes the following inputs:
o S = (A, B, L1, R1, L2, R2)
o mode = {INIT, NORMAL}, where INIT means the operation is used for
initialization, and NORMAL means it is used for generating secure
key streams.
The operation outputs a new state,
o S' = (A', B', L1', R1', L2', R2')
Kiyomoto & Shin Informational [Page 5]
RFC 7008 A Description of KCipher-2 August 2013
by performing the following steps:
1. Set registers in the nonlinear functions
L1' = sub_K2(R2 +32 B[4]);
R1' = sub_K2(L2 +32 B[9]);
L2' = sub_K2(L1);
R2' = sub_K2(R1);
for m from 0 to 3
A'[m] = A[m + 1];
for m from 0 to 9
B'[m] = B[m + 1];
NOTE: sub_K2 is a substitution function described in
Section 2.4.2.
2. Depending on the value of the operation mode, do the following:
a. When the mode is NORMAL, A'[4] and B'[10] are computed as
follows:
A'[4] = (a0 ** A[0]) ^ A[3];
if A[2][30] is 1:
if A[2][31] is 1:
B'[10] = (a1 ** B[0]) ^ B[1] ^ B[6] ^ (a3 ** B[8]);
else if A[2][31] is 0:
B'[10] = (a1 ** B[0]) ^ B[1] ^ B[6] ^ B[8];
else if A[2][30] is 0:
if A[2][31] is 1:
B'[10] = (a2 ** B[0]) ^ B[1] ^ B[6] ^ (a3 ** B[8]);
else if A[2][31] is 0:
B'[10] = (a2 ** B[0]) ^ B[1] ^ B[6] ^ B[8];
b. When the mode is INIT, A'[4] and B'[10] are XOR-ed with the
non-linear function output described in Section 2.4.1.
A'[4] = (a0 ** A[0]) ^ A[3] ^ NLF(B[0], R2, R1, A[4]);
if A[2][30] is 1:
if A[2][31] is 1:
B'[10] = (a1 ** B[0]) ^ B[1] ^ B[6] ^ (a3 ** B[8]) ^
NLF(B[10], L2, L1, A[0]);
else if A[2][31] is 0:
B'[10] = (a1 ** B[0]) ^ B[1] ^ B[6] ^ B[8] ^
NLF(B[10], L2, L1, A[0]);
Kiyomoto & Shin Informational [Page 6]
RFC 7008 A Description of KCipher-2 August 2013
else if A[2][30] is 0:
if A[2][31] is 1:
B'[10] = (a2 ** B[0]) ^ B[1] ^ B[6] ^ (a3 ** B[8]) ^
NLF(B[10], L2, L1, A[0]);
else if A[2][31] is 0:
B'[10] = (a2 ** B[0]) ^ B[1] ^ B[6] ^ B[8] ^
NLF(B[10], L2, L1, A[0]);
3. Output S' = (A', B', L1', R1', L2', R2').
Note that A[2] is a 32-bit unit. Thus, A[2][j] is the value of the
jth least significant bit of A[2], where 0 <= j <= 31.
The corresponding code snippets written in the C language syntax can
be found in Section 2.4.4 and Appendix B.
2.3.2. init()
The init() operation takes a 128-bit key (K) and a 128-bit
initialization vector (IV) and prepares the values of the state
variables for generating key streams.
o K = (K[0], K[1], K[2], K[3]), where each K[i] is a 32-bit unit and
0 <= i <= 3
o IV =(IV[0], IV[1], IV[2], IV[3]), where each IV[i] is a 32-bit
unit and 0 <= i <= 3,
and the output is an initialized state S, which will be referenced as
S(0). The output is derived from the following steps:
1. Expand K to the 384-bit internal key IK = (IK[0], ..., IK[11]),
where IK[i] is a 32-bit unit and 0 <= i <= 11. The expansion
procedure is as follows:
for m from 0 to 11
if m is 0, 1, 2, or 3:
IK[m] = K[m];
else if m is 5, 6, 7, 9, 10, or 11:
IK[m] = IK[m - 4] ^ IK[m - 1];
else if m is 4:
IK[4] = IK[0] ^ sub_K2(IK[3] <<_32 8) ^
(0x01, 0x00, 0x00, 0x00);
else if m is 8:
IK[8] = IK[4] ^ sub_K2(IK[7] <<_32 8) ^
(0x02, 0x00, 0x00, 0x00);
Kiyomoto & Shin Informational [Page 7]
RFC 7008 A Description of KCipher-2 August 2013
NOTE: sub_K2 is the substitution function described in
Section 2.4.2.
2. Initialize the feedback shift registers and the internal
registers using the values of IK and IV as follows:
for m from 0 to 4
A[m] = IK[4 - m];
B[0] = IK[10]; B[1] = IK[11]; B[2] = IV[0]; B[3] = IV[1];
B[4] = IK[8]; B[5] = IK[9]; B[6] = IV[2]; B[7] = IV[3];
B[8] = IK[7]; B[9] = IK[5]; B[10] = IK[6];
L1 = R1 = L2 = R2 = 0x00000000;
Set S as (A, B, L1, R1, L2, R2).
3. Prepare the state values by applying the next() operation 24
times as follows:
for m from 1 to 24
Set S' as next(S, INIT);
Set S as S';
4. Output S.
2.3.3. stream()
The stream() function derives a 64-bit key stream, Z, from the state
values. Its input is an initialized state,
o S = (A, B, L1, R1, L2, R2)
and its output is Z = (ZH, ZL), where ZH and ZL are 32-bit units.
stream() performs the following:
1. Set register values
ZH = NLF(B[10], L2, L1, A[0]);
ZL = NLF(B[0], R2, R1, A[4]);
2. Output Z = (ZH, ZL).
NOTE: The function NLF is described in Section 2.4.1.
Kiyomoto & Shin Informational [Page 8]
RFC 7008 A Description of KCipher-2 August 2013
2.4. Subroutines
We explain the functions used above: sub_K2(), NLF(), and S_box().
2.4.1. NLF()
NLF() is a non-linear function that takes the four 32-bit values, A,
B, C, D, and outputs the 32-bit value, Q. The output Q is calculated
as follows.
Q = (A +32 B) ^ C ^ D;
2.4.2. sub_K2()
sub_K2() is a substitution function that is a permutation of
GF(2#32), based on components from the Advanced Encryption Standard
(AES) [FIPS-AES]. Its input is a 32-bit value divided into four
8-bit strings. Inside sub_K2(), an 8-to-8-bit substitution function,
S_box(), is applied to each 8-bit string separately, and then a 32-
to-32-bit linear permutation is applied to the whole 32-bit string.
Our S_box() function is identical to the S-Box operation of AES, and
our linear permutation is identical to the AES Mix Column operation.
Consider the input of sub_K2 as a 32-bit value W = (w[3], w[2], w[1],
w[0]), where each subelement of w is an 8-bit unit. Prepare two
32-bit temporary storages, T = (t[3], t[2], t[1], t[0]) and Q =
(q[3], q[2], q[1], q[0]), where t[i] and q[i] are 8-bit units and 0
<= i <= 3.
The 32-bit output Q is obtained from the following procedures:
1. Apply S_box() to each 8-bit input string. Note that S_box() is
defined in Section 2.4.3.
for m from 0 to 3
t[m] = S_box(w[m]);
2. Calculate q by the matrix multiplication, Q = M * T in GF(2#8) of
the irreducible polynomial f(x) = x#8 + x#4 + x#3 + x + 1, where
o Q is a 1x4 matrix, (q[0], q[1], q[2], q[3))
o M is a 4x4 matrix,
(02, 03, 01, 01,
01, 02, 03, 01,
01, 01, 02, 03,
03, 01, 01, 02)
Kiyomoto & Shin Informational [Page 9]
RFC 7008 A Description of KCipher-2 August 2013
o T is a 1x4 matrix, (t[0], t[1], t[2], t[3]).
Namely, the procedure that calculates (q[3], q[2], q[1], q[0])
can be written in the C language syntax as:
q[0] = GF_mult_by_2(t[0]) ^ GF_mult_by_3(t[1]) ^ t[2] ^ t[3];
q[1] = t[0] ^ GF_mult_by_2(t[1]) ^ GF_mult_by_3(t[2]) ^ t[3];
q[2] = t[0] ^ t[1] ^ GF_mult_by_2(t[2]) ^ GF_mult_by_3(t[3]);
q[3] = GF_mult_by_3(t[0]) ^ t[1] ^ t[2] ^ GF_mult_by_2(t[3]);
where GF_mult_by_2 and GF_mult_by_3 are multiplication functions
in GF(2#8), defined as follows:
o The function GF_mult_by_2(t) multiplies 2 by the given 8-bit
value t in GF(2#8) and returns an 8-bit value q as follows (lq
is a temporary 32-bit variable):
lq = t << 1;
if ((lq & 0x100) != 0) lq ^= 0x011B;
q = lq ^ 0xFF;
o The function GF_mult_by_3(t) multiplies 3 by the given 8-bit
value t in GF(2#8) and returns an 8-bit value q as follows (lq
is a temporary 32-bit variable):
lq = (t << 1) ^ t;
if ((lq & 0x100) != 0) lq ^= 0x011B;
q = lq ^ 0xFF;
3. Output Q = (q[3], q[2], q[1], q[0]).
2.4.3. S_box()
S_box() is a substitution that can be done by a simple table lookup
operation. Thus, S_box() can be defined by the following value
table:
S_box[256] = {
0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
Kiyomoto & Shin Informational [Page 10]
RFC 7008 A Description of KCipher-2 August 2013
0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 };
2.4.4. Multiplications in GF(2#32)
FSR-A and FSR-B are word-oriented linear feedback shift registers
(LFSRs). In the next() operation of Section 2.3.1, the feedback
functions to the two LFSRs are shown, which include multiplication of
fixed elements a0, a1, a2, or a3 in GF(2#32). The fixed elements are
carefully chosen to maximize the period of the key stream generated
by the two registers. Here, we briefly explain how we obtain the
fixed elements. Further details and theories can be found in
[SECRYPT07].
We obtain a0 as follows. First, to guarantee that the period is
maximized for an 8-bit unit, we consider p as the root of the
primitive polynomial:
x#8 + x#7 + x#6, + x + 1 in GF(2).
Therefore, an 8-bit string y = (y7, ..., y0), where y7 is the most
significant bit, can be written as:
y = y7(p#7) + y6(p#6) + ... + y1(p) + y0
Next, a0 is the root of irreducible polynomial of degree four:
x#4 + p#24(x#3) + p#3(x#2) + p#12(x) + p#71 in GF(2#8).
Kiyomoto & Shin Informational [Page 11]
RFC 7008 A Description of KCipher-2 August 2013
Then, hierarchically, a 32-bit unit Y = (Y3, Y2, Y1, Y0), where Y3 is
the most significant byte, can be written as:
Y3(a0#3) + Y2(a0#2) + Y1(a0) + Y0
The feedback polynomial to FSR-A,
f(x) = a0(x#5) + x#2 + 1
produces the maximum-length period of the key stream with a0.
Similarly, a1, a2, and a3 are the roots of irreducible polynomials of
degree four of
x#4 + q#230(x#3) + q#156(x#2) + q#93(x) + q#29 in GF(2#8)
x#4 + r#34(x#3) + r#16(x#2) + r#199(x) + r#248 in GF(2#8)
x#4 + s#157(x#3) + s#253(x#2) + s#56(x) + s#16 in GF(2#8)
respectively. The feedback polynomial to FSR-B that uses a1, a2, and
a3 can produce the maximum-length period. The feedback polynomials
to FSR-A and FSR-B are as written in Step 2 of the next() operation,
and the mathematical notations of these polynomials can also be found
in [SECRYPT07].
Calculation of the original feedback polynomials might be time-
consuming because it includes multiplications in finite fields.
However, these multiplications can be done faster if the multiples of
a0, ..., a3 were already calculated for all possible inputs. The
tables of amul0, ..., amul3 in Appendix A provide such pre-
calculation results. As shown in Step 2 of next(), we can utilize
these tables to finish the necessary calculations efficiently.
For example, consider the input as a 32-bit value w, which represents
an element of GF(2#32). The 32-bit output string w' = a0 ** w can be
obtained using the amul0 table in Appendix A.1 as follows:
w' = (w << 8) ^ amul0[w >> 24];
Likewise, multiplications of (a1 ** w), (a2 ** w), and (a3 ** w) can
be obtained in the same way, simply by using the amul1, amul2, and
amul3 tables that we provide in Appendixes A.2, A.3, and A.4.
Eventually, Step 2 of the next() operation, which updates A'[4] and
B'[10], can be written in the C language syntax as follows. Note
that nA[4] and nB[10] correspond to A'[4] and B'[10], respectively,
and temp1 and temp2 are 32-bit variables.
Kiyomoto & Shin Informational [Page 12]
RFC 7008 A Description of KCipher-2 August 2013
nA[4] = ((A[0] << 8) ^ amul0[(A[0] >> 24)]) ^ A[3];
if (mode == INIT)
nA[4] ^= NLF(B[0], R2, R1, A[4]);
if (A[2] & 0x40000000) {
temp1 = (B[0] << 8) ^ amul1[(B[0] >> 24)];
} else {
temp1 = (B[0] << 8) ^ amul2[(B[0] >> 24)];
}
if (A[2] & 0x80000000) {
temp2 = (B[8] << 8) ^ amul3[(B[8] >> 24)];
} else {
temp2 = B[8];
}
nB[10] = temp1 ^ B[1] ^ B[6] ^ temp2;
if (mode == INIT)
nB[10] ^= NLF(B[10], L2, L1, A[0]);
2.5. Encryption and Decryption Scheme
In this section, we use the notation S(i) to specifically reference
the values of the internal state at i (where i >= 0), which is an
arbitrary, discrete temporal moment (aka cycle) after the
initialization.
2.5.1. Key Stream Generation
Given a 128-bit key K, a 128-bit initialization vector (IV),
KCipher-2 is initialized as follows:
S(0) = init(K, IV);
where S(0) is a state representation. With an initialized state
S(i), where i >= 0, a 64-bit key stream X(i) can be obtained using
the stream() operation, as follows:
X(i) = stream(S(i));
To generate a new key stream X(i + 1), use the next() operation and
the stream() operation as follows:
S(i + 1) = next(S(i), NORMAL);
X(i + 1) = stream(S(i + 1));
Kiyomoto & Shin Informational [Page 13]
RFC 7008 A Description of KCipher-2 August 2013
2.5.2. Encryption and Decryption of a Message
Given a 64-bit message block M and a key stream X, an encrypted
message E is obtained by
E = M ^ X;
Conversely, the decrypted message D is obtained by
D = E ^ X;
The original message M and the decrypted message D are identical when
the same key stream is used.
3. Security Considerations
We recommend reinitializing and rekeying after 2#58 cycles of
KCipher-2, which means after generating 2#64 key stream bits. It is
important to make sure that no IV is ever reused under the same key.
4. References
4.1. Normative References
[ISO18033] "Information technology -- Security techniques --
Encryption algorithms -- Part 4: Stream ciphers", ISO/
IEC 18033-4:2012 Ed. 2, December 2012.
[FIPS-AES] National Institute of Standards and Technology,
"Advanced Encryption Standard (AES)", FIPS PUB 197,
November 2001, <http://csrc.nist.gov/publications/
fips/fips197/fips-197.pdf>.
4.2. Informative References
[SECRYPT07] Kiyomoto, S., Tanaka, T., and K. Sakurai, "K2: A
Stream Cipher Algorithm Using Dynamic Feedback
Control", Proc. SECRYPT 2007, pp. 204-213.
[ICETE07] Kiyomoto, S., Tanaka, T., and K. Sakurai, "K2 Stream
Cipher", Proc. ICETE 2007, pp. 214-226.
[CRYPTEC] Bogdanov, A., Preneel, B., and V. Rijmen, "Security
Evaluation of the K2 Stream Cipher", 2010,
<http://www.cryptrec.go.jp/english/estimation.html>.
[CRYPTECLIST] "Cryptography Research and Evaluation Committees",
<http://www.cryptrec.go.jp/english/estimation.html>.
Kiyomoto & Shin Informational [Page 14]
RFC 7008 A Description of KCipher-2 August 2013
[SIIS11] Priemuth-Schmid, D., "Attacks on Simplified Versions
of K2", Proc. SIIS 2011, LNCS 7053, pp. 117-127.
[SASC07] Kiyomoto, S., Tanaka, T., and K. Sakurai, "A Word-
Oriented Stream Cipher Using Clock Control", Proc.
SASC 2007, pp. 260-274.
Kiyomoto & Shin Informational [Page 15]
RFC 7008 A Description of KCipher-2 August 2013
Appendix A. Tables for Multiplication in GF(2#32)
A.1. The table amul0
amul0[256] = {
0x00000000,0xB6086D1A,0xAF10DA34,0x1918B72E,
0x9D207768,0x2B281A72,0x3230AD5C,0x8438C046,
0xF940EED0,0x4F4883CA,0x565034E4,0xE05859FE,
0x646099B8,0xD268F4A2,0xCB70438C,0x7D782E96,
0x31801F63,0x87887279,0x9E90C557,0x2898A84D,
0xACA0680B,0x1AA80511,0x03B0B23F,0xB5B8DF25,
0xC8C0F1B3,0x7EC89CA9,0x67D02B87,0xD1D8469D,
0x55E086DB,0xE3E8EBC1,0xFAF05CEF,0x4CF831F5,
0x62C33EC6,0xD4CB53DC,0xCDD3E4F2,0x7BDB89E8,
0xFFE349AE,0x49EB24B4,0x50F3939A,0xE6FBFE80,
0x9B83D016,0x2D8BBD0C,0x34930A22,0x829B6738,
0x06A3A77E,0xB0ABCA64,0xA9B37D4A,0x1FBB1050,
0x534321A5,0xE54B4CBF,0xFC53FB91,0x4A5B968B,
0xCE6356CD,0x786B3BD7,0x61738CF9,0xD77BE1E3,
0xAA03CF75,0x1C0BA26F,0x05131541,0xB31B785B,
0x3723B81D,0x812BD507,0x98336229,0x2E3B0F33,
0xC4457C4F,0x724D1155,0x6B55A67B,0xDD5DCB61,
0x59650B27,0xEF6D663D,0xF675D113,0x407DBC09,
0x3D05929F,0x8B0DFF85,0x921548AB,0x241D25B1,
0xA025E5F7,0x162D88ED,0x0F353FC3,0xB93D52D9,
0xF5C5632C,0x43CD0E36,0x5AD5B918,0xECDDD402,
0x68E51444,0xDEED795E,0xC7F5CE70,0x71FDA36A,
0x0C858DFC,0xBA8DE0E6,0xA39557C8,0x159D3AD2,
0x91A5FA94,0x27AD978E,0x3EB520A0,0x88BD4DBA,
0xA6864289,0x108E2F93,0x099698BD,0xBF9EF5A7,
0x3BA635E1,0x8DAE58FB,0x94B6EFD5,0x22BE82CF,
0x5FC6AC59,0xE9CEC143,0xF0D6766D,0x46DE1B77,
0xC2E6DB31,0x74EEB62B,0x6DF60105,0xDBFE6C1F,
0x97065DEA,0x210E30F0,0x381687DE,0x8E1EEAC4,
0x0A262A82,0xBC2E4798,0xA536F0B6,0x133E9DAC,
0x6E46B33A,0xD84EDE20,0xC156690E,0x775E0414,
0xF366C452,0x456EA948,0x5C761E66,0xEA7E737C,
0x4B8AF89E,0xFD829584,0xE49A22AA,0x52924FB0,
0xD6AA8FF6,0x60A2E2EC,0x79BA55C2,0xCFB238D8,
0xB2CA164E,0x04C27B54,0x1DDACC7A,0xABD2A160,
0x2FEA6126,0x99E20C3C,0x80FABB12,0x36F2D608,
0x7A0AE7FD,0xCC028AE7,0xD51A3DC9,0x631250D3,
0xE72A9095,0x5122FD8F,0x483A4AA1,0xFE3227BB,
0x834A092D,0x35426437,0x2C5AD319,0x9A52BE03,
0x1E6A7E45,0xA862135F,0xB17AA471,0x0772C96B,
0x2949C658,0x9F41AB42,0x86591C6C,0x30517176,
0xB469B130,0x0261DC2A,0x1B796B04,0xAD71061E,
0xD0092888,0x66014592,0x7F19F2BC,0xC9119FA6,
Kiyomoto & Shin Informational [Page 16]
RFC 7008 A Description of KCipher-2 August 2013
0x4D295FE0,0xFB2132FA,0xE23985D4,0x5431E8CE,
0x18C9D93B,0xAEC1B421,0xB7D9030F,0x01D16E15,
0x85E9AE53,0x33E1C349,0x2AF97467,0x9CF1197D,
0xE18937EB,0x57815AF1,0x4E99EDDF,0xF89180C5,
0x7CA94083,0xCAA12D99,0xD3B99AB7,0x65B1F7AD,
0x8FCF84D1,0x39C7E9CB,0x20DF5EE5,0x96D733FF,
0x12EFF3B9,0xA4E79EA3,0xBDFF298D,0x0BF74497,
0x768F6A01,0xC087071B,0xD99FB035,0x6F97DD2F,
0xEBAF1D69,0x5DA77073,0x44BFC75D,0xF2B7AA47,
0xBE4F9BB2,0x0847F6A8,0x115F4186,0xA7572C9C,
0x236FECDA,0x956781C0,0x8C7F36EE,0x3A775BF4,
0x470F7562,0xF1071878,0xE81FAF56,0x5E17C24C,
0xDA2F020A,0x6C276F10,0x753FD83E,0xC337B524,
0xED0CBA17,0x5B04D70D,0x421C6023,0xF4140D39,
0x702CCD7F,0xC624A065,0xDF3C174B,0x69347A51,
0x144C54C7,0xA24439DD,0xBB5C8EF3,0x0D54E3E9,
0x896C23AF,0x3F644EB5,0x267CF99B,0x90749481,
0xDC8CA574,0x6A84C86E,0x739C7F40,0xC594125A,
0x41ACD21C,0xF7A4BF06,0xEEBC0828,0x58B46532,
0x25CC4BA4,0x93C426BE,0x8ADC9190,0x3CD4FC8A,
0xB8EC3CCC,0x0EE451D6,0x17FCE6F8,0xA1F48BE2 };
A.2. The table amul1
amul1[256] = {
0x00000000,0xA0F5FC2E,0x6DC7D55C,0xCD322972,
0xDAA387B8,0x7A567B96,0xB76452E4,0x1791AECA,
0x996B235D,0x399EDF73,0xF4ACF601,0x54590A2F,
0x43C8A4E5,0xE33D58CB,0x2E0F71B9,0x8EFA8D97,
0x1FD646BA,0xBF23BA94,0x721193E6,0xD2E46FC8,
0xC575C102,0x65803D2C,0xA8B2145E,0x0847E870,
0x86BD65E7,0x264899C9,0xEB7AB0BB,0x4B8F4C95,
0x5C1EE25F,0xFCEB1E71,0x31D93703,0x912CCB2D,
0x3E818C59,0x9E747077,0x53465905,0xF3B3A52B,
0xE4220BE1,0x44D7F7CF,0x89E5DEBD,0x29102293,
0xA7EAAF04,0x071F532A,0xCA2D7A58,0x6AD88676,
0x7D4928BC,0xDDBCD492,0x108EFDE0,0xB07B01CE,
0x2157CAE3,0x81A236CD,0x4C901FBF,0xEC65E391,
0xFBF44D5B,0x5B01B175,0x96339807,0x36C66429,
0xB83CE9BE,0x18C91590,0xD5FB3CE2,0x750EC0CC,
0x629F6E06,0xC26A9228,0x0F58BB5A,0xAFAD4774,
0x7C2F35B2,0xDCDAC99C,0x11E8E0EE,0xB11D1CC0,
0xA68CB20A,0x06794E24,0xCB4B6756,0x6BBE9B78,
0xE54416EF,0x45B1EAC1,0x8883C3B3,0x28763F9D,
0x3FE79157,0x9F126D79,0x5220440B,0xF2D5B825,
0x63F97308,0xC30C8F26,0x0E3EA654,0xAECB5A7A,
0xB95AF4B0,0x19AF089E,0xD49D21EC,0x7468DDC2,
0xFA925055,0x5A67AC7B,0x97558509,0x37A07927,
Kiyomoto & Shin Informational [Page 17]
RFC 7008 A Description of KCipher-2 August 2013
0x2031D7ED,0x80C42BC3,0x4DF602B1,0xED03FE9F,
0x42AEB9EB,0xE25B45C5,0x2F696CB7,0x8F9C9099,
0x980D3E53,0x38F8C27D,0xF5CAEB0F,0x553F1721,
0xDBC59AB6,0x7B306698,0xB6024FEA,0x16F7B3C4,
0x01661D0E,0xA193E120,0x6CA1C852,0xCC54347C,
0x5D78FF51,0xFD8D037F,0x30BF2A0D,0x904AD623,
0x87DB78E9,0x272E84C7,0xEA1CADB5,0x4AE9519B,
0xC413DC0C,0x64E62022,0xA9D40950,0x0921F57E,
0x1EB05BB4,0xBE45A79A,0x73778EE8,0xD38272C6,
0xF85E6A49,0x58AB9667,0x9599BF15,0x356C433B,
0x22FDEDF1,0x820811DF,0x4F3A38AD,0xEFCFC483,
0x61354914,0xC1C0B53A,0x0CF29C48,0xAC076066,
0xBB96CEAC,0x1B633282,0xD6511BF0,0x76A4E7DE,
0xE7882CF3,0x477DD0DD,0x8A4FF9AF,0x2ABA0581,
0x3D2BAB4B,0x9DDE5765,0x50EC7E17,0xF0198239,
0x7EE30FAE,0xDE16F380,0x1324DAF2,0xB3D126DC,
0xA4408816,0x04B57438,0xC9875D4A,0x6972A164,
0xC6DFE610,0x662A1A3E,0xAB18334C,0x0BEDCF62,
0x1C7C61A8,0xBC899D86,0x71BBB4F4,0xD14E48DA,
0x5FB4C54D,0xFF413963,0x32731011,0x9286EC3F,
0x851742F5,0x25E2BEDB,0xE8D097A9,0x48256B87,
0xD909A0AA,0x79FC5C84,0xB4CE75F6,0x143B89D8,
0x03AA2712,0xA35FDB3C,0x6E6DF24E,0xCE980E60,
0x406283F7,0xE0977FD9,0x2DA556AB,0x8D50AA85,
0x9AC1044F,0x3A34F861,0xF706D113,0x57F32D3D,
0x84715FFB,0x2484A3D5,0xE9B68AA7,0x49437689,
0x5ED2D843,0xFE27246D,0x33150D1F,0x93E0F131,
0x1D1A7CA6,0xBDEF8088,0x70DDA9FA,0xD02855D4,
0xC7B9FB1E,0x674C0730,0xAA7E2E42,0x0A8BD26C,
0x9BA71941,0x3B52E56F,0xF660CC1D,0x56953033,
0x41049EF9,0xE1F162D7,0x2CC34BA5,0x8C36B78B,
0x02CC3A1C,0xA239C632,0x6F0BEF40,0xCFFE136E,
0xD86FBDA4,0x789A418A,0xB5A868F8,0x155D94D6,
0xBAF0D3A2,0x1A052F8C,0xD73706FE,0x77C2FAD0,
0x6053541A,0xC0A6A834,0x0D948146,0xAD617D68,
0x239BF0FF,0x836E0CD1,0x4E5C25A3,0xEEA9D98D,
0xF9387747,0x59CD8B69,0x94FFA21B,0x340A5E35,
0xA5269518,0x05D36936,0xC8E14044,0x6814BC6A,
0x7F8512A0,0xDF70EE8E,0x1242C7FC,0xB2B73BD2,
0x3C4DB645,0x9CB84A6B,0x518A6319,0xF17F9F37,
0xE6EE31FD,0x461BCDD3,0x8B29E4A1,0x2BDC188F };
Kiyomoto & Shin Informational [Page 18]
RFC 7008 A Description of KCipher-2 August 2013
A.3. The table amul2
amul2[256] = {
0x00000000,0x5BF87F93,0xB6BDFE6B,0xED4581F8,
0x2137B1D6,0x7ACFCE45,0x978A4FBD,0xCC72302E,
0x426E2FE1,0x19965072,0xF4D3D18A,0xAF2BAE19,
0x63599E37,0x38A1E1A4,0xD5E4605C,0x8E1C1FCF,
0x84DC5E8F,0xDF24211C,0x3261A0E4,0x6999DF77,
0xA5EBEF59,0xFE1390CA,0x13561132,0x48AE6EA1,
0xC6B2716E,0x9D4A0EFD,0x700F8F05,0x2BF7F096,
0xE785C0B8,0xBC7DBF2B,0x51383ED3,0x0AC04140,
0x45F5BC53,0x1E0DC3C0,0xF3484238,0xA8B03DAB,
0x64C20D85,0x3F3A7216,0xD27FF3EE,0x89878C7D,
0x079B93B2,0x5C63EC21,0xB1266DD9,0xEADE124A,
0x26AC2264,0x7D545DF7,0x9011DC0F,0xCBE9A39C,
0xC129E2DC,0x9AD19D4F,0x77941CB7,0x2C6C6324,
0xE01E530A,0xBBE62C99,0x56A3AD61,0x0D5BD2F2,
0x8347CD3D,0xD8BFB2AE,0x35FA3356,0x6E024CC5,
0xA2707CEB,0xF9880378,0x14CD8280,0x4F35FD13,
0x8AA735A6,0xD15F4A35,0x3C1ACBCD,0x67E2B45E,
0xAB908470,0xF068FBE3,0x1D2D7A1B,0x46D50588,
0xC8C91A47,0x933165D4,0x7E74E42C,0x258C9BBF,
0xE9FEAB91,0xB206D402,0x5F4355FA,0x04BB2A69,
0x0E7B6B29,0x558314BA,0xB8C69542,0xE33EEAD1,
0x2F4CDAFF,0x74B4A56C,0x99F12494,0xC2095B07,
0x4C1544C8,0x17ED3B5B,0xFAA8BAA3,0xA150C530,
0x6D22F51E,0x36DA8A8D,0xDB9F0B75,0x806774E6,
0xCF5289F5,0x94AAF666,0x79EF779E,0x2217080D,
0xEE653823,0xB59D47B0,0x58D8C648,0x0320B9DB,
0x8D3CA614,0xD6C4D987,0x3B81587F,0x607927EC,
0xAC0B17C2,0xF7F36851,0x1AB6E9A9,0x414E963A,
0x4B8ED77A,0x1076A8E9,0xFD332911,0xA6CB5682,
0x6AB966AC,0x3141193F,0xDC0498C7,0x87FCE754,
0x09E0F89B,0x52188708,0xBF5D06F0,0xE4A57963,
0x28D7494D,0x732F36DE,0x9E6AB726,0xC592C8B5,
0x59036A01,0x02FB1592,0xEFBE946A,0xB446EBF9,
0x7834DBD7,0x23CCA444,0xCE8925BC,0x95715A2F,
0x1B6D45E0,0x40953A73,0xADD0BB8B,0xF628C418,
0x3A5AF436,0x61A28BA5,0x8CE70A5D,0xD71F75CE,
0xDDDF348E,0x86274B1D,0x6B62CAE5,0x309AB576,
0xFCE88558,0xA710FACB,0x4A557B33,0x11AD04A0,
0x9FB11B6F,0xC44964FC,0x290CE504,0x72F49A97,
0xBE86AAB9,0xE57ED52A,0x083B54D2,0x53C32B41,
0x1CF6D652,0x470EA9C1,0xAA4B2839,0xF1B357AA,
0x3DC16784,0x66391817,0x8B7C99EF,0xD084E67C,
0x5E98F9B3,0x05608620,0xE82507D8,0xB3DD784B,
0x7FAF4865,0x245737F6,0xC912B60E,0x92EAC99D,
0x982A88DD,0xC3D2F74E,0x2E9776B6,0x756F0925,
Kiyomoto & Shin Informational [Page 19]
RFC 7008 A Description of KCipher-2 August 2013
0xB91D390B,0xE2E54698,0x0FA0C760,0x5458B8F3,
0xDA44A73C,0x81BCD8AF,0x6CF95957,0x370126C4,
0xFB7316EA,0xA08B6979,0x4DCEE881,0x16369712,
0xD3A45FA7,0x885C2034,0x6519A1CC,0x3EE1DE5F,
0xF293EE71,0xA96B91E2,0x442E101A,0x1FD66F89,
0x91CA7046,0xCA320FD5,0x27778E2D,0x7C8FF1BE,
0xB0FDC190,0xEB05BE03,0x06403FFB,0x5DB84068,
0x57780128,0x0C807EBB,0xE1C5FF43,0xBA3D80D0,
0x764FB0FE,0x2DB7CF6D,0xC0F24E95,0x9B0A3106,
0x15162EC9,0x4EEE515A,0xA3ABD0A2,0xF853AF31,
0x34219F1F,0x6FD9E08C,0x829C6174,0xD9641EE7,
0x9651E3F4,0xCDA99C67,0x20EC1D9F,0x7B14620C,
0xB7665222,0xEC9E2DB1,0x01DBAC49,0x5A23D3DA,
0xD43FCC15,0x8FC7B386,0x6282327E,0x397A4DED,
0xF5087DC3,0xAEF00250,0x43B583A8,0x184DFC3B,
0x128DBD7B,0x4975C2E8,0xA4304310,0xFFC83C83,
0x33BA0CAD,0x6842733E,0x8507F2C6,0xDEFF8D55,
0x50E3929A,0x0B1BED09,0xE65E6CF1,0xBDA61362,
0x71D4234C,0x2A2C5CDF,0xC769DD27,0x9C91A2B4 };
A.4. The table amul3
amul3[256] = {
0x00000000,0x4559568B,0x8AB2AC73,0xCFEBFAF8,
0x71013DE6,0x34586B6D,0xFBB39195,0xBEEAC71E,
0xE2027AA9,0xA75B2C22,0x68B0D6DA,0x2DE98051,
0x9303474F,0xD65A11C4,0x19B1EB3C,0x5CE8BDB7,
0xA104F437,0xE45DA2BC,0x2BB65844,0x6EEF0ECF,
0xD005C9D1,0x955C9F5A,0x5AB765A2,0x1FEE3329,
0x43068E9E,0x065FD815,0xC9B422ED,0x8CED7466,
0x3207B378,0x775EE5F3,0xB8B51F0B,0xFDEC4980,
0x27088D6E,0x6251DBE5,0xADBA211D,0xE8E37796,
0x5609B088,0x1350E603,0xDCBB1CFB,0x99E24A70,
0xC50AF7C7,0x8053A14C,0x4FB85BB4,0x0AE10D3F,
0xB40BCA21,0xF1529CAA,0x3EB96652,0x7BE030D9,
0x860C7959,0xC3552FD2,0x0CBED52A,0x49E783A1,
0xF70D44BF,0xB2541234,0x7DBFE8CC,0x38E6BE47,
0x640E03F0,0x2157557B,0xEEBCAF83,0xABE5F908,
0x150F3E16,0x5056689D,0x9FBD9265,0xDAE4C4EE,
0x4E107FDC,0x0B492957,0xC4A2D3AF,0x81FB8524,
0x3F11423A,0x7A4814B1,0xB5A3EE49,0xF0FAB8C2,
0xAC120575,0xE94B53FE,0x26A0A906,0x63F9FF8D,
0xDD133893,0x984A6E18,0x57A194E0,0x12F8C26B,
0xEF148BEB,0xAA4DDD60,0x65A62798,0x20FF7113,
0x9E15B60D,0xDB4CE086,0x14A71A7E,0x51FE4CF5,
0x0D16F142,0x484FA7C9,0x87A45D31,0xC2FD0BBA,
0x7C17CCA4,0x394E9A2F,0xF6A560D7,0xB3FC365C,
0x6918F2B2,0x2C41A439,0xE3AA5EC1,0xA6F3084A,
Kiyomoto & Shin Informational [Page 20]
RFC 7008 A Description of KCipher-2 August 2013
0x1819CF54,0x5D4099DF,0x92AB6327,0xD7F235AC,
0x8B1A881B,0xCE43DE90,0x01A82468,0x44F172E3,
0xFA1BB5FD,0xBF42E376,0x70A9198E,0x35F04F05,
0xC81C0685,0x8D45500E,0x42AEAAF6,0x07F7FC7D,
0xB91D3B63,0xFC446DE8,0x33AF9710,0x76F6C19B,
0x2A1E7C2C,0x6F472AA7,0xA0ACD05F,0xE5F586D4,
0x5B1F41CA,0x1E461741,0xD1ADEDB9,0x94F4BB32,
0x9C20FEDD,0xD979A856,0x169252AE,0x53CB0425,
0xED21C33B,0xA87895B0,0x67936F48,0x22CA39C3,
0x7E228474,0x3B7BD2FF,0xF4902807,0xB1C97E8C,
0x0F23B992,0x4A7AEF19,0x859115E1,0xC0C8436A,
0x3D240AEA,0x787D5C61,0xB796A699,0xF2CFF012,
0x4C25370C,0x097C6187,0xC6979B7F,0x83CECDF4,
0xDF267043,0x9A7F26C8,0x5594DC30,0x10CD8ABB,
0xAE274DA5,0xEB7E1B2E,0x2495E1D6,0x61CCB75D,
0xBB2873B3,0xFE712538,0x319ADFC0,0x74C3894B,
0xCA294E55,0x8F7018DE,0x409BE226,0x05C2B4AD,
0x592A091A,0x1C735F91,0xD398A569,0x96C1F3E2,
0x282B34FC,0x6D726277,0xA299988F,0xE7C0CE04,
0x1A2C8784,0x5F75D10F,0x909E2BF7,0xD5C77D7C,
0x6B2DBA62,0x2E74ECE9,0xE19F1611,0xA4C6409A,
0xF82EFD2D,0xBD77ABA6,0x729C515E,0x37C507D5,
0x892FC0CB,0xCC769640,0x039D6CB8,0x46C43A33,
0xD2308101,0x9769D78A,0x58822D72,0x1DDB7BF9,
0xA331BCE7,0xE668EA6C,0x29831094,0x6CDA461F,
0x3032FBA8,0x756BAD23,0xBA8057DB,0xFFD90150,
0x4133C64E,0x046A90C5,0xCB816A3D,0x8ED83CB6,
0x73347536,0x366D23BD,0xF986D945,0xBCDF8FCE,
0x023548D0,0x476C1E5B,0x8887E4A3,0xCDDEB228,
0x91360F9F,0xD46F5914,0x1B84A3EC,0x5EDDF567,
0xE0373279,0xA56E64F2,0x6A859E0A,0x2FDCC881,
0xF5380C6F,0xB0615AE4,0x7F8AA01C,0x3AD3F697,
0x84393189,0xC1606702,0x0E8B9DFA,0x4BD2CB71,
0x173A76C6,0x5263204D,0x9D88DAB5,0xD8D18C3E,
0x663B4B20,0x23621DAB,0xEC89E753,0xA9D0B1D8,
0x543CF858,0x1165AED3,0xDE8E542B,0x9BD702A0,
0x253DC5BE,0x60649335,0xAF8F69CD,0xEAD63F46,
0xB63E82F1,0xF367D47A,0x3C8C2E82,0x79D57809,
0xC73FBF17,0x8266E99C,0x4D8D1364,0x08D445EF };
Kiyomoto & Shin Informational [Page 21]
RFC 7008 A Description of KCipher-2 August 2013
Appendix B. A Simple Implementation Example of KCipher-2
We provide an example implementation of KCipher-2 written in C. The
implementation is simple; we do not consider storage or time
complexity, nor do we consider software engineering-related issues,
such as encapsulation, modularity, and so on.
B.1. Code Components I - Definitions and Declarations
#include <stdio.h>
#include <stdint.h>
#define INIT 0
#define NORMAL 1
void init (unsigned int *, unsigned int *);
void next(int);
void stream (unsigned int *, unsigned int *);
static const uint8_t S_box[256] = {
...
// as defined in Section 2.4.3
};
static const uint32_t amul0[256] = {
...
// as defined in Appendix A.1
};
static const uint32_t amul1[256] = {
...
// as defined in Appendix A.2
};
static const uint32_t amul2[256] = {
...
// as defined in Appendix A.3
};
static const uint32_t amul3[256] = {
...
// as defined in Appendix A.4
};
/* Global variables */
// State S
uint32_t A[5]; // five 32-bit units
Kiyomoto & Shin Informational [Page 22]
RFC 7008 A Description of KCipher-2 August 2013
uint32_t B[11]; // eleven 32-bit units
uint32_t L1, R1, L2, R2; // one 32-bit unit for each
// The internal key (IK) and the initialization vector (IV)
uint32_t IK[12]; // (12*32) bits
uint32_t IV[4]; // (4*32) bits
B.2. Code Components II - Functions
/**
* Do multiplication in GF(2#8) of the irreducible polynomial,
* f(x) = x#8 + x#4 + x#3 + x + 1. The given parameter is multiplied
* by 2.
* @param t : (INPUT). 8 bits. The number will be multiplied by 2
* @return : (OUTPUT). 8 bits. The multiplication result
*/
uint8_t GF_mult_by_2 (uint8_t t) {
uint8_t q;
uint32_t lq;
lq = t << 1;
if ((lq & 0x100) != 0) lq ^= 0x011B;
q = lq ^ 0xFF;
return q;
}
/**
* Do multiplication in GF(2#8) of the irreducible polynomial,
* f(x) = x#8 + x#4 + x#3 + x + 1. The given parameter is multiplied
* by 3.
* @param t : (INPUT). 8 bits. The number will be multiplied by 3
* @return : (OUTPUT). 8 bits. The multiplication result
*/
uint8_t GF_mult_by_3 (uint8_t t) {
uint8_t q;
uint32_t lq;
lq = (t << 1) ^ t;
if ((lq & 0x100) != 0) lq ^= 0x011B;
q = lq ^ 0xFF;
return q;
}
Kiyomoto & Shin Informational [Page 23]
RFC 7008 A Description of KCipher-2 August 2013
/**
* Do substitution on a given input. See Section 2.4.2.
* @param t : (INPUT), (1*32) bits
* @return : (OUTPUT), (1*32) bits
*/
uint32_t sub_k2 (uint32_t in) {
uint32_t out;
uint8_t w0 = in & 0x000000ff;
uint8_t w1 = (in >> 8) & 0x000000ff;
uint8_t w2 = (in >> 16) & 0x000000ff;
uint8_t w3 = (in >> 24) & 0x000000ff;
uint8_t t3, t2, t1, t0;
uint8_t q3, q2, q1, q0;
t0 = S_box[w0]; t1 = S_box[w1]; t2 = S_box[w2]; t3 = S_box[w3];
q0 = GF_mult_by_2(t0) ^ GF_mult_by_3(t1) ^ t2 ^ t3;
q1 = t0 ^ GF_mult_by_2(t1) ^ GF_mult_by_3(t2) ^ t3;
q2 = t0 ^ t1 ^ GF_mult_by_2(t2) ^ GF_mult_by_3(t3);
q3 = GF_mult_by_3(t0) ^ t1 ^ t2 ^ GF_mult_by_2(t3);
out = (q3 << 24) | (q2 << 16) | (q1 << 8) | q0;
return out;
}
/**
* Expand a given 128-bit key (K) to a 384-bit internal key
* information (IK).
* See Step 1 of init() in Section 2.3.2.
* @param key[4] : (INPUT), (4*32) bits
* @param iv[4] : (INPUT), (4*32) bits
* @modify IK[12] : (OUTPUT), (12*32) bits
* @modify IV[12] : (OUTPUT), (4*32) bits
*/
void key_expansion (uint32_t *key, uint32_t *iv) {
// copy iv to IV
IV[0] = iv[0]; IV[1] = iv[1]; IV[2] = iv[2]; IV[3] = iv[3];
// m = 0 ... 3
IK[0] = key[0]; IK[1] = key[1];
IK[2] = key[2]; IK[3] = key[3];
// m = 4
IK[4] = IK[0] ^ sub_k2((IK[3] << 8) ^ (IK[3] >> 24)) ^
0x01000000;
Kiyomoto & Shin Informational [Page 24]
RFC 7008 A Description of KCipher-2 August 2013
// m = 4 ... 11, but not 4 nor 8
IK[5] = IK[1] ^ IK[4]; IK[6] = IK[2] ^ IK[5];
IK[7] = IK[3] ^ IK[6];
// m = 8
IK[8] = IK[4] ^ sub_k2((IK[7] << 8) ^ (IK[7] >> 24)) ^
0x02000000;
// m = 4 ... 11, but not 4 nor 8
IK[9] = IK[5] ^ IK[8]; IK[10] = IK[6] ^ IK[9];
IK[11] = IK[7] ^ IK[10];
}
/**
* Set up the initial state value using IK and IV. See Step 2 of
* init() in Section 2.3.2.
* @param key[4] : (INPUT), (4*32) bits
* @param iv[4] : (INPUT), (4*32) bits
* @modify S : (OUTPUT), (A, B, L1, R1, L2, R2)
*/
void setup_state_values (uint32_t *key, uint32_t *iv) {
// setting up IK and IV by calling key_expansion(key, iv)
key_expansion(key, iv);
// setting up the internal state values
A[0] = IK[4]; A[1] = IK[3]; A[2] = IK[2];
A[3] = IK[1]; A[4] = IK[0];
B[0] = IK[10]; B[1] = IK[11]; B[2] = IV[0]; B[3] = IV[1];
B[4] = IK[8]; B[5] = IK[9]; B[6] = IV[2]; B[7] = IV[3];
B[8] = IK[7]; B[9] = IK[5]; B[10] = IK[6];
L1 = R1 = L2 = R2 = 0x00000000;
}
/**
* Initialize the system with a 128-bit key (K) and a 128-bit
* initialization vector (IV). It sets up the internal state value
* and invokes next(INIT) iteratively 24 times. After this,
* the system is ready to produce key streams. See Section 2.3.2.
* @param key[12] : (INPUT), (4*32) bits
* @param iv[4] : (INPUT), (4*32) bits
* @modify IK : (12*32) bits, by calling setup_state_values()
* @modify IV : (4*32) bits, by calling setup_state_values()
* @modify S : (OUTPUT), (A, B, L1, R1, L2, R2)
*/
void init (uint32_t *k, uint32_t *iv) {
int i;
Kiyomoto & Shin Informational [Page 25]
RFC 7008 A Description of KCipher-2 August 2013
setup_state_values(k, iv);
for(i=0; i < 24; i++) {
next(INIT);
}
}
/**
* Non-linear function. See Section 2.4.1.
* @param A : (INPUT), 8 bits
* @param B : (INPUT), 8 bits
* @param C : (INPUT), 8 bits
* @param D : (INPUT), 8 bits
* @return : (OUTPUT), 8 bits
*/
uint32_t NLF (uint32_t A, uint32_t B,
uint32_t C, uint32_t D ) {
uint32_t Q;
Q = (A + B) ^ C ^ D;
return Q;
}
/**
* Derive a new state from the current state values.
* See Section 2.3.1.
* @param mode : (INPUT) INIT (= 0) or NORMAL (= 1)
* @modify S : (OUTPUT)
*/
void next (int mode) {
uint32_t nA[5];
uint32_t nB[11];
uint32_t nL1, nR1, nL2, nR2;
uint32_t temp1, temp2;
nL1 = sub_k2(R2 + B[4]);
nR1 = sub_k2(L2 + B[9]);
nL2 = sub_k2(L1);
nR2 = sub_k2(R1);
// m = 0 ... 3
nA[0] = A[1]; nA[1] = A[2]; nA[2] = A[3]; nA[3] = A[4];
// m = 0 ... 9
nB[0] = B[1]; nB[1] = B[2]; nB[2] = B[3]; nB[3] = B[4];
nB[4] = B[5]; nB[5] = B[6]; nB[6] = B[7]; nB[7] = B[8];
nB[8] = B[9]; nB[9] = B[10];
Kiyomoto & Shin Informational [Page 26]
RFC 7008 A Description of KCipher-2 August 2013
// update nA[4]
temp1 = (A[0] << 8) ^ amul0[(A[0] >> 24)];
nA[4] = temp1 ^ A[3];
if (mode == INIT)
nA[4] ^= NLF(B[0], R2, R1, A[4]);
// update nB[10]
if (A[2] & 0x40000000) /* if A[2][30] == 1 */ {
temp1 = (B[0] << 8) ^ amul1[(B[0] >> 24)];
} else /*if A[2][30] == 0*/ {
temp1 = (B[0] << 8) ^ amul2[(B[0] >> 24)];
}
if (A[2] & 0x80000000) /* if A[2][31] == 1 */ {
temp2 = (B[8] << 8) ^ amul3[(B[8] >> 24)];
} else /* if A[2][31] == 0 */ {
temp2 = B[8];
}
nB[10] = temp1 ^ B[1] ^ B[6] ^ temp2;
if (mode == INIT)
nB[10] ^= NLF(B[10], L2, L1, A[0]);
/* copy S' to S */
A[0] = nA[0]; A[1] = nA[1]; A[2] = nA[2];
A[3] = nA[3]; A[4] = nA[4];
B[0] = nB[0]; B[1] = nB[1]; B[2] = nB[2]; B[3] = nB[3];
B[4] = nB[4]; B[5] = nB[5]; B[6] = nB[6]; B[7] = nB[7];
B[8] = nB[8]; B[9] = nB[9]; B[10] = nB[10];
L1 = nL1; R1 = nR1; L2 = nL2; R2 = nR2;
}
/**
* Obtain a key stream = (ZH, ZL) from the current state values.
* See Section 2.3.3.
* @param ZH : (OUTPUT) (1 * 32)-bit
* @modify ZL : (OUTPUT) (1 * 32)-bit
*/
void stream (uint32_t *ZH, uint32_t *ZL) {
*ZH = NLF(B[10], L2, L1, A[0]);
*ZL = NLF(B[0], R2, R1, A[4]);
}
Kiyomoto & Shin Informational [Page 27]
RFC 7008 A Description of KCipher-2 August 2013
B.3. Use Case
void main (void) {
// Set the key and the iv
uint32_t key[4] = ...;
uint32_t iv[4] = ...;
init(key, iv);
// produce a key stream
stream(&zh, &zl);
next(NORMAL);
// produce another key stream
stream(&zh, &zl);
next(NORMAL);
...
}
Appendix C. Test Vectors
This appendix provides running examples of KCipher-2 obtained from
the naive implementation. All values are written in hexadecimal
form.
C.1. Key Stream Generation Examples
The following is a series of the 64-bit key streams generated from
the given 8-bit keys (K) and 128-bit initialization vectors (IVs).
- K : 00000000 00000000 00000000 00000000
- IV: 00000000 00000000 00000000 00000000
- Generated key streams at S(i) are as follows
S(0): F871EBEF 945B7272
S(1): E40C0494 1DFF0537
S(2): 0B981A59 FBC8AC57
S(3): 566D3B02 C179DBB4
S(4): 3B46F1F0 33554C72
S(5): 5DE68BCC 9872858F
S(6): 57549602 4062F0E9
S(7): F932C998 226DB6BA
...
- K : A37B7D01 2F897076 FE08C22D 142BB2CF
- IV: 33A6EE60 E57927E0 8B45CC4C A30EDE4A
- Generated key streams at S(i) are as follows
S(0): 60E9A6B6 7B4C2524
Kiyomoto & Shin Informational [Page 28]
RFC 7008 A Description of KCipher-2 August 2013
S(1): FE726D44 AD5B402E
S(2): 31D0D1BA 5CA233A4
S(3): AFC74BE7 D6069D36
S(4): 4A75BB6C D8D5B7F0
S(5): 38AAAA28 4AE4CD2F
S(6): E2E5313D FC6CCD8F
S(7): 9D2484F2 0F86C50D
...
- K : 3D62E9B1 8E5B042F 42DF43CC 7175C96E
- IV: 777CEFE4 541300C8 ADCACA8A 0B48CD55
- Generated key streams at S(i) are as follows
S(0): 690F108D 84F44AC7
S(1): BF257BD7 E394F6C9
S(2): AA1192C3 8E200C6E
S(3): 073C8078 AC18AAD1
S(4): D4B8DADE 68802368
S(5): 2FA42076 83DEA5A4
S(6): 4C1D95EA E959F5B4
S(7): 2611F41E A40F0A58
...
C.2. Another Key Stream Generation with the State Values
In this section, the initialization procedure and the key stream
generation are illustrated in detail. The given 128-bit key (K) and
the 128-bit initialization vector (IV) are as follows:
- K : 0F1E2D3C 4B5A6978 8796A5B4 C3D2E1F0
- IV: F0E0D0C0 B0A09080 70605040 30201000.
Based on K and IV, the init() operation (Section 2.3.2) sets up
the internal state values, S = (A, B, L1, R1, L2, R2), as follows:
A[0]: 7993A6A2 A[1]: C3D2E1F0 A[2]: 8796A5B4
A[3]: 4B5A6978 A[4]: 0F1E2D3C
B[0]: 38AB371B B[1] : 4E26BC85 B[2]: F0E0D0C0
B[3]: B0A09080 B[4] : BF3D92AF B[5]: 8DF45D75
B[6]: 70605040 B[7] : 30201000 B[8]: 768D8B9E
B[9]: 32C9CFDA B[10]: B55F6A6E
L1: 00000000 R1: 00000000 L2: 00000000 R2: 00000000
Kiyomoto & Shin Informational [Page 29]
RFC 7008 A Description of KCipher-2 August 2013
To complete the initialization, the next() operation is applied to
the state values 24 times (in Section 2.3.2, Step 3). Let us denote
each repeated application of the next() operation by init(i), where 1
<= i <= 24. The internal state values resulting from each init(i)
are shown in Appendixes C.2.1 - C.2.24.
C.2.1. S after init(1)
A[0]: C3D2E1F0 A[1]: 8796A5B4 A[2]: 4B5A6978
A[3]: 0F1E2D3C A[4]: 37070F7F
B[0]: 4E26BC85 B[1] : F0E0D0C0 B[2]: B0A09080
B[3]: BF3D92AF B[4] : 8DF45D75 B[5]: 70605040
B[6]: 30201000 B[7] : 768D8B9E B[8]: 32C9CFDA
B[9]: B55F6A6E B[10]: 64DEFF24
L1: F360860C R1: E81907D5 L2: 63636363 R2: 63636363
C.2.2. S after init(2)
A[0]: 8796A5B4 A[1]: 4B5A6978 A[2]: 0F1E2D3C
A[3]: 37070F7F A[4]: 25BCF981
B[0]: F0E0D0C0 B[1] : B0A09080 B[2]: BF3D92AF
B[3]: 8DF45D75 B[4] : 70605040 B[5]: 30201000
B[6]: 768D8B9E B[7] : 32C9CFDA B[8]: B55F6A6E
B[9]: 64DEFF24 B[10]: 7E65CB6A
L1: 1B9542ED R1: 9B259D28 L2: 971610F6 R2: 39C36E1D
C.2.3. S after init(3)
A[0]: 4B5A6978 A[1]: 0F1E2D3C A[2]: 37070F7F
A[3]: 25BCF981 A[4]: FA2DD9D3
B[0]: B0A09080 B[1] : BF3D92AF B[2]: 8DF45D75
B[3]: 70605040 B[4] : 30201000 B[5]: 768D8B9E
B[6]: 32C9CFDA B[7] : B55F6A6E B[8]: 64DEFF24
B[9]: 7E65CB6A B[10]: 08573732
L1: 1F41CDFB R1: CFAE13F3 L2: BCC7DC5B R2: 1528DDA1
Kiyomoto & Shin Informational [Page 30]
RFC 7008 A Description of KCipher-2 August 2013
C.2.4. S after init(4)
A[0]: 0F1E2D3C A[1]: 37070F7F A[2]: 25BCF981
A[3]: FA2DD9D3 A[4]: AB820031
B[0]: BF3D92AF B[1] : 8DF45D75 B[2]: 70605040
B[3]: 30201000 B[4] : 768D8B9E B[5]: 32C9CFDA
B[6]: B55F6A6E B[7] : 64DEFF24 B[8]: 7E65CB6A
B[9]: 08573732 B[10]: 40941D82
L1: 8D7100A7 R1: AA6C8F89 L2: B4F43081 R2: 81264AF3
C.2.5. S after init(5)
A[0]: 37070F7F A[1]: 25BCF981 A[2]: FA2DD9D3
A[3]: AB820031 A[4]: D8F5995F
B[0]: 8DF45D75 B[1] : 70605040 B[2]: 30201000
B[3]: 768D8B9E B[4] : 32C9CFDA B[5]: B55F6A6E
B[6]: 64DEFF24 B[7] : 7E65CB6A B[8]: 08573732
B[9]: 40941D82 B[10]: 1A8DA7FB
L1: D315A91D R1: 751BC887 L2: 9E8539E3 R2: 929B1D3C
C.2.6. S after init(6)
A[0]: 25BCF981 A[1]: FA2DD9D3 A[2]: AB820031
A[3]: D8F5995F A[4]: F697B5BB
B[0]: 70605040 B[1] : 30201000 B[2]: 768D8B9E
B[3]: 32C9CFDA B[4] : B55F6A6E B[5]: 64DEFF24
B[6]: 7E65CB6A B[7] : 08573732 B[8]: 40941D82
B[9]: 1A8DA7FB B[10]: 13B5E7F3
L1: 88658E94 R1: 7F1C023D L2: B16F9402 R2: 5F06AB3F
C.2.7. S after init(7)
A[0]: FA2DD9D3 A[1]: AB820031 A[2]: D8F5995F
A[3]: F697B5BB A[4]: 6B0A7012
B[0]: 30201000 B[1] : 768D8B9E B[2]: 32C9CFDA
B[3]: B55F6A6E B[4] : 64DEFF24 B[5]: 7E65CB6A
B[6]: 08573732 B[7] : 40941D82 B[8]: 1A8DA7FB
B[9]: 13B5E7F3 B[10]: D76ABD2C
L1: 21BF8813 R1: 743F68DE L2: A1F603E6 R2: 3D1EA499
Kiyomoto & Shin Informational [Page 31]
RFC 7008 A Description of KCipher-2 August 2013
C.2.8. S after init(8)
A[0]: AB820031 A[1]: D8F5995F A[2]: F697B5BB
A[3]: 6B0A7012 A[4]: 23995B7E
B[0]: 768D8B9E B[1] : 32C9CFDA B[2]: B55F6A6E
B[3]: 64DEFF24 B[4] : 7E65CB6A B[5]: 08573732
B[6]: 40941D82 B[7] : 1A8DA7FB B[8]: 13B5E7F3
B[9]: D76ABD2C B[10]: 997C3F70
L1: B48EA08C R1: 657C8FFD L2: AAB50B58 R2: 281F9A12
C.2.9. S after init(9)
A[0]: D8F5995F A[1]: F697B5BB A[2]: 6B0A7012
A[3]: 23995B7E A[4]: F8532F87
B[0]: 32C9CFDA B[1] : B55F6A6E B[2]: 64DEFF24
B[3]: 7E65CB6A B[4] : 08573732 B[5]: 40941D82
B[6]: 1A8DA7FB B[7] : 13B5E7F3 B[8]: D76ABD2C
B[9]: 997C3F70 B[10]: 95FFF657
L1: A2040C44 R1: EF19DC4E L2: 543A1967 R2: 05D0CF60
C.2.10. S after init(10)
A[0]: F697B5BB A[1]: 6B0A7012 A[2]: 23995B7E
A[3]: F8532F87 A[4]: BEDF1DEF
B[0]: B55F6A6E B[1] : 64DEFF24 B[2]: 7E65CB6A
B[3]: 08573732 B[4] : 40941D82 B[5]: 1A8DA7FB
B[6]: 13B5E7F3 B[7] : D76ABD2C B[8]: 997C3F70
B[9]: 95FFF657 B[10]: 6D2C2FA3
L1: C7AE66B0 R1: 9C075DB9 L2: 5554CBE7 R2: 866080C4
C.2.11. S after init(11)
A[0]: 6B0A7012 A[1]: 23995B7E A[2]: F8532F87
A[3]: BEDF1DEF A[4]: 983D37.
B[0]: 64DEFF24 B[1] : 7E65CB6A B[2]: 08573732
B[3]: 40941D82 B[4] : 1A8DA7FB B[5]: 13B5E7F3
B[6]: D76ABD2C B[7] : 997C3F70 B[8]: 95FFF657
B[9]: 6D2C2FA3 B[10]: A02127BE
L1: 29F322A2 R1: 01F771D9 L2: 725670A2 R2: D4F24463
Kiyomoto & Shin Informational [Page 32]
RFC 7008 A Description of KCipher-2 August 2013
C.2.12. S after init(12)
A[0]: 23995B7E A[1]: F8532F87 A[2]: BEDF1DEF
A[3]: 983D37CB A[4]: 526A110D
B[0]: 7E65CB6A B[1] : 08573732 B[2]: 40941D82
B[3]: 1A8DA7FB B[4] : 13B5E7F3 B[5]: D76ABD2C
B[6]: 997C3F70 B[7] : 95FFF657 B[8]: 6D2C2FA3
B[9]: A02127BE B[10]: 49F99042
L1: 51536DF4 R1: 66111E6A L2: 8147B572 R2: 6CC2AC80
C.2.13. S after init(13)
A[0]: F8532F87 A[1]: BEDF1DEF A[2]: 983D37CB
A[3]: 526A110D A[4]: A5EEB8AE
B[0]: 08573732 B[1] : 40941D82 B[2]: 1A8DA7FB
B[3]: 13B5E7F3 B[4] : D76ABD2C B[5]: 997C3F70
B[6]: 95FFF657 B[7] : 6D2C2FA3 B[8]: A02127BE
B[9]: 49F99042 B[10]: 406CE62C
L1: 9582D912 R1: 6953AFE8 L2: B22A3A1D R2: 903A4823
C.2.14. S after init(14)
A[0]: BEDF1DEF A[1]: 983D37CB A[2]: 526A110D
A[3]: A5EEB8AE A[4]: 70A5B5BA
B[0]: 40941D82 B[1] : 1A8DA7FB B[2]: 13B5E7F3
B[3]: D76ABD2C B[4] : 997C3F70 B[5]: 95FFF657
B[6]: 6D2C2FA3 B[7] : A02127BE B[8]: 49F99042
B[9]: 406CE62C B[10]: C57BED5B
L1: EB77DD2D R1: 633CFD8F L2: 32A4BCEF R2: CB33BCB2
C.2.15. S after init(15)
A[0]: 983D37CB A[1]: 526A110D A[2]: A5EEB8AE
A[3]: 70A5B5BA A[4]: B1145F18
B[0]: 1A8DA7FB B[1] : 13B5E7F3 B[2]: D76ABD2C
B[3]: 997C3F70 B[4] : 95FFF657 B[5]: 6D2C2FA3
B[6]: A02127BE B[7] : 49F99042 B[8]: 406CE62C
B[9]: C57BED5B B[10]: 7BE2C520
L1: E11420CC R1: 6730A956 L2: 8EC8ACEF R2: C7FC060A
Kiyomoto & Shin Informational [Page 33]
RFC 7008 A Description of KCipher-2 August 2013
C.2.16. S after init(16)
A[0]: 526A110D A[1]: A5EEB8AE A[2]: 70A5B5BA
A[3]: B1145F18 A[4]: FA752FDC
B[0]: 13B5E7F3 B[1] : D76ABD2C B[2]: 997C3F70
B[3]: 95FFF657 B[4] : 6D2C2FA3 B[5]: A02127BE
B[6]: 49F99042 B[7] : 406CE62C B[8]: C57BED5B
B[9]: 7BE2C520 B[10]: 1F48829C
L1: 0D95C94D R1: 8238B05F L2: 7B00D356 R2: 0EFE8596
C.2.17. S after init(17)
A[0]: A5EEB8AE A[1]: 70A5B5BA A[2]: B1145F18
A[3]: FA752FDC A[4]: DB29190A
B[0]: D76ABD2C B[1] : 997C3F70 B[2]: 95FFF657
B[3]: 6D2C2FA3 B[4] : A02127BE B[5]: 49F99042
B[6]: 406CE62C B[7] : C57BED5B B[8]: 7BE2C520
B[9]: 1F48829C B[10]: F95DD14F
L1: 262687B5 R1: 9B9AC5E9 L2: 7C08EB5C R2: 8C1300A3
C.2.18. S after init(18)
A[0]: 70A5B5BA A[1]: B1145F18 A[2]: FA752FDC
A[3]: DB29190A A[4]: 35623CDA
B[0]: 997C3F70 B[1] : 95FFF657 B[2]: 6D2C2FA3
B[3]: A02127BE B[4] : 49F99042 B[5]: 406CE62C
B[6]: C57BED5B B[7] : 7BE2C520 B[8]: 1F48829C
B[9]: F95DD14F B[10]: D939E13E
L1: E478DEF0 R1: 06F84503 L2: 71350E88 R2: 14EF8E61
C.2.19. S after init(19)
A[0]: B1145F18 A[1]: FA752FDC A[2]: DB29190A
A[3]: 35623CDA A[4]: 746B4AE8
B[0]: 95FFF657 B[1] : 6D2C2FA3 B[2]: A02127BE
B[3]: 49F99042 B[4] : 406CE62C B[5]: C57BED5B
B[6]: 7BE2C520 B[7] : 1F48829C B[8]: F95DD14F
B[9]: D939E13E B[10]: 9970C980
L1: C2AC94C4 R1: C708FAE8 L2: FC4900F1 R2: 7C260B6A
Kiyomoto & Shin Informational [Page 34]
RFC 7008 A Description of KCipher-2 August 2013
C.2.20. S after init(20)
A[0]: FA752FDC A[1]: DB29190A A[2]: 35623CDA
A[3]: 746B4AE8 A[4]: 2EB9213A
B[0]: 6D2C2FA3 B[1] : A02127BE B[2]: 49F99042
B[3]: 406CE62C B[4] : C57BED5B B[5]: 7BE2C520
B[6]: 1F48829C B[7] : F95DD14F B[8]: D939E13E
B[9]: 9970C980 B[10]: 3C517031
L1: 8F007DE9 R1: B2AE0889 L2: DD68D5EA R2: 3C8757AC
C.2.21. S after init(21)
A[0]: DB29190A A[1]: 35623CDA A[2]: 746B4AE8
A[3]: 2EB9213A A[4]: BE3CA984
B[0]: A02127BE B[1] : 49F99042 B[2]: 406CE62C
B[3]: C57BED5B B[4] : 7BE2C520 B[5]: 1F48829C
B[6]: F95DD14F B[7] : D939E13E B[8]: 9970C980
B[9]: 3C517031 B[10]: D1439B63
L1: AFC4E32F R1: 98FBC87F L2: 58B22D36 R2: 481DC7D6
C.2.22. S after init(22)
A[0]: 35623CDA A[1]: 746B4AE8 A[2]: 2EB9213A
A[3]: BE3CA984 A[4]: 974E6719
B[0]: 49F99042 B[1] : 406CE62C B[2]: C57BED5B
B[3]: 7BE2C520 B[4] : 1F48829C B[5]: F95DD14F
B[6]: D939E13E B[7] : 9970C980 B[8]: 3C517031
B[9]: D1439B63 B[10]: 9334E221
L1: F9C43357 R1: E5539EA2 L2: C0B76A7C R2: 06EE4ED5
C.2.23. S after init(23)
A[0]: 746B4AE8 A[1]: 2EB9213A A[2]: BE3CA984
A[3]: 974E6719 A[4]: 86916EFF
B[0]: 406CE62C B[1] : C57BED5B B[2]: 7BE2C520
B[3]: 1F48829C B[4] : F95DD14F B[5]: D939E13E
B[6]: 9970C980 B[7] : 3C517031 B[8]: D1439B63
B[9]: 9334E221 B[10]: 50EF13E7
L1: 309527ED R1: C473D814 L2: 1B107B6D R2: 0180D95D
Kiyomoto & Shin Informational [Page 35]
RFC 7008 A Description of KCipher-2 August 2013
C.2.24. S(0) after init(24)
A[0]: 2EB9213A A[1]: BE3CA984 A[2]: 974E6719
A[3]: 86916EFF A[4]: F52DACF9
B[0]: C57BED5B B[1] : 7BE2C520 B[2]: 1F48829C
B[3]: F95DD14F B[4] : D939E13E B[5]: 9970C980
B[6]: 3C517031 B[7] : D1439B63 B[8]: 9334E221
B[9]: 50EF13E7 B[10]: E0BD9F91
L1: 4370D8E6 R1: DABED76C L2: 11C1ACCB R2: C3BAAEDF
Note that the result of init(24) is also referred to as S(0) (in
Section 2.3.2). Since the state is S(0), the stream() operation (in
Section 2.3.3) can be applied and generate key streams.
Key stream at S(0) : 9FB6B580A6A5E7AF
Henceforth, a new key stream can be produced by 1) obtaining a new
state by applying the next() operation to the current state, and 2)
generating a new key stream by applying the stream() operation to the
new state.
C.2.25. S(1) and the Key Stream at S(1)
A[0]: BE3CA984 A[1]: 974E6719 A[2]: 86916EFF
A[3]: F52DACF9 A[4]: 960329B5
B[0]: 7BE2C520 B[1] : 1F48829C B[2]: F95DD14F
B[3]: D939E13E B[4] : 9970C980 B[5]: 3C517031
B[6]: D1439B63 B[7] : 9334E221 B[8]: 50EF13E7
B[9]: E0BD9F91 B[10]: 5318AEE1
L1: 8FD86092 R1: 4BBDC0F6 L2: 8D63A5EF R2: FEE0F24B
Key stream at S(1) : D1989DC6A77D5E28
Kiyomoto & Shin Informational [Page 36]
RFC 7008 A Description of KCipher-2 August 2013
C.2.26. S(2) and the Key Stream at S(2)
A[0]: 974E6719 A[1]: 86916EFF A[2]: F52DACF9
A[3]: 960329B5 A[4]: 1A3DB24E
B[0]: 1F48829C B[1] : F95DD14F B[2]: D939E13E
B[3]: 9970C980 B[4] : 3C517031 B[5]: D1439B63
B[6]: 9334E221 B[7] : 50EF13E7 B[8]: E0BD9F91
B[9]: 5318AEE1 B[10]: C86C2C77
L1: 9686FE8C R1: FAF89251 L2: 86C824E7 R2: 7BC21098
Key stream at S(2) : 4EFCC8CB7BCFB32B
Authors' Addresses
Shinsaku Kiyomoto
KDDI R&D Laboratories, Inc.
2-1-15 Ohara
Fujimino-shi, Saitama 356-8502
Japan
Phone: +81-49-278-7885
Fax: +81-49-278-7510
EMail: kiyomoto@kddilabs.jp
Wook Shin
KDDI R&D Laboratories, Inc.
2-1-15 Ohara
Fujimino-shi, Saitama 356-8502
Japan
EMail: ohpato@hanmail.net
Kiyomoto & Shin Informational [Page 37]