ARMWARE RFC Archive <- RFC Index (7001..7100)

RFC 7008


Independent Submission                                       S. Kiyomoto
Request for Comments: 7008                                       W. Shin
Category: Informational                      KDDI R&D Laboratories, Inc.
ISSN: 2070-1721                                              August 2013

          A Description of the KCipher-2 Encryption Algorithm

Abstract

   This document describes the KCipher-2 encryption algorithm.
   KCipher-2 is a stream cipher with a 128-bit key and a 128-bit
   initialization vector.  Since the algorithm for KCipher-2 was
   published in 2007, security and efficiency have been rigorously
   evaluated through academic and industrial studies.  As of the
   publication of this document, no security vulnerabilities have been
   found.  KCipher-2 offers fast encryption and decryption by means of
   simple operations that enable efficient implementation.  KCipher-2
   has been used for industrial applications, especially for mobile
   health monitoring and diagnostic services in Japan.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7008.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Kiyomoto & Shin               Informational                     [Page 1]



RFC 7008               A Description of KCipher-2            August 2013

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Algorithm Description  . . . . . . . . . . . . . . . . . . . .  3
     2.1.  Notations  . . . . . . . . . . . . . . . . . . . . . . . .  4
     2.2.  Internal State . . . . . . . . . . . . . . . . . . . . . .  4
       2.2.1.  Feedback Shift Registers . . . . . . . . . . . . . . .  4
       2.2.2.  Internal Registers . . . . . . . . . . . . . . . . . .  5
     2.3.  Operations . . . . . . . . . . . . . . . . . . . . . . . .  5
       2.3.1.  next() . . . . . . . . . . . . . . . . . . . . . . . .  5
       2.3.2.  init() . . . . . . . . . . . . . . . . . . . . . . . .  7
       2.3.3.  stream() . . . . . . . . . . . . . . . . . . . . . . .  8
     2.4.  Subroutines  . . . . . . . . . . . . . . . . . . . . . . .  9
       2.4.1.  NLF()  . . . . . . . . . . . . . . . . . . . . . . . .  9
       2.4.2.  sub_K2() . . . . . . . . . . . . . . . . . . . . . . .  9
       2.4.3.  S_box()  . . . . . . . . . . . . . . . . . . . . . . . 10
       2.4.4.  Multiplications in GF(2#32)  . . . . . . . . . . . . . 11
     2.5.  Encryption and Decryption Scheme . . . . . . . . . . . . . 13
       2.5.1.  Key Stream Generation  . . . . . . . . . . . . . . . . 13
       2.5.2.  Encryption and Decryption of a Message . . . . . . . . 14
   3.  Security Considerations  . . . . . . . . . . . . . . . . . . . 14
   4.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
     4.1.  Normative References . . . . . . . . . . . . . . . . . . . 14
     4.2.  Informative References . . . . . . . . . . . . . . . . . . 14
   Appendix A.  Tables for Multiplication in GF(2#32) . . . . . . . . 16
     A.1.  The table amul0  . . . . . . . . . . . . . . . . . . . . . 16
     A.2.  The table amul1  . . . . . . . . . . . . . . . . . . . . . 17
     A.3.  The table amul2  . . . . . . . . . . . . . . . . . . . . . 19
     A.4.  The table amul3  . . . . . . . . . . . . . . . . . . . . . 20
   Appendix B.  A Simple Implementation Example of KCipher-2  . . . . 22
     B.1.  Code Components I - Definitions and Declarations . . . . . 22
     B.2.  Code Components II - Functions . . . . . . . . . . . . . . 23
     B.3.  Use Case . . . . . . . . . . . . . . . . . . . . . . . . . 28
   Appendix C.  Test Vectors  . . . . . . . . . . . . . . . . . . . . 28
     C.1.  Key Stream Generation Examples . . . . . . . . . . . . . . 28
     C.2.  Another Key Stream Generation with the State Values  . . . 29
       C.2.1.  S after init(1)  . . . . . . . . . . . . . . . . . . . 30
       C.2.2.  S after init(2)  . . . . . . . . . . . . . . . . . . . 30
       C.2.3.  S after init(3)  . . . . . . . . . . . . . . . . . . . 30
       C.2.4.  S after init(4)  . . . . . . . . . . . . . . . . . . . 31
       C.2.5.  S after init(5)  . . . . . . . . . . . . . . . . . . . 31
       C.2.6.  S after init(6)  . . . . . . . . . . . . . . . . . . . 31
       C.2.7.  S after init(7)  . . . . . . . . . . . . . . . . . . . 31
       C.2.8.  S after init(8)  . . . . . . . . . . . . . . . . . . . 32
       C.2.9.  S after init(9)  . . . . . . . . . . . . . . . . . . . 32
       C.2.10. S after init(10) . . . . . . . . . . . . . . . . . . . 32
       C.2.11. S after init(11) . . . . . . . . . . . . . . . . . . . 32
       C.2.12. S after init(12) . . . . . . . . . . . . . . . . . . . 33

Kiyomoto & Shin               Informational                     [Page 2]



RFC 7008               A Description of KCipher-2            August 2013

       C.2.13. S after init(13) . . . . . . . . . . . . . . . . . . . 33
       C.2.14. S after init(14) . . . . . . . . . . . . . . . . . . . 33
       C.2.15. S after init(15) . . . . . . . . . . . . . . . . . . . 33
       C.2.16. S after init(16) . . . . . . . . . . . . . . . . . . . 34
       C.2.17. S after init(17) . . . . . . . . . . . . . . . . . . . 34
       C.2.18. S after init(18) . . . . . . . . . . . . . . . . . . . 34
       C.2.19. S after init(19) . . . . . . . . . . . . . . . . . . . 34
       C.2.20. S after init(20) . . . . . . . . . . . . . . . . . . . 35
       C.2.21. S after init(21) . . . . . . . . . . . . . . . . . . . 35
       C.2.22. S after init(22) . . . . . . . . . . . . . . . . . . . 35
       C.2.23. S after init(23) . . . . . . . . . . . . . . . . . . . 35
       C.2.24. S(0) after init(24)  . . . . . . . . . . . . . . . . . 36
       C.2.25. S(1) and the Key Stream at S(1)  . . . . . . . . . . . 36
       C.2.26. S(2) and the Key Stream at S(2)  . . . . . . . . . . . 37

1.  Introduction

   KCipher-2 is a stream cipher that uses a 128-bit secret key and a
   128-bit initialization vector.  Since the algorithm for KCipher-2 was
   published in 2007 [SASC07], it has been evaluated in academic and
   industrial studies.  The security and performance of KCipher-2 have
   been rigorously evaluated by its developers and other institutions
   [SECRYPT07] [ICETE07] [CRYPTEC] [SIIS11].  As of the publication of
   this document, no attack on KCipher-2 has been successful.  KCipher-2
   can be efficiently implemented in software to provide fast encryption
   and decryption, owing to its uncomplicated design.  Only four simple
   operations are used: exclusive-OR, addition, shift, and table lookup.
   When the algorithm is implemented in hardware, internal computations
   can be parallel to yield greater efficiency.  Moreover, since its
   internal state representation only amounts to several hundred bits,
   KCipher-2 is suitable for resource-limited environments.  KCipher-2
   has been actively used in several industrial applications in Japan,
   has been published by an international standardization body (ISO/IEC
   18033-4 [ISO18033]), and has been designated a Japanese e-Government
   recommended cipher [CRYPTECLIST].

2.  Algorithm Description

   In this section, we describe the internal components of KCipher-2 and
   define the operations for deriving key streams from an input key and
   an initialization vector.  We illustrate the detailed operations,
   mostly in pseudocode format, but also provide code snippets written
   in the C language syntax when necessary.

Kiyomoto & Shin               Informational                     [Page 3]



RFC 7008               A Description of KCipher-2            August 2013

2.1.  Notations

   All values in this document are stored in big-endian order (aka
   network byte order).  We use the following notations in the
   description of KCipher-2.

      ^         Bitwise exclusive-OR

      n#m       mth power of n

      +n        Integer addition modulo 2#n

      <<_r n    n-bit left circular shift in an r-bit register

      0x        Hexadecimal representation

      E[i]      The (i + 1)th element of E when E is composed of
                consecutive multiple elements

      GF        Galois field. GF(n#m) means the finite field of exactly
                n#m elements

      **        Multiplication of elements on the finite field GF(2#32)

   NOTE: Many texts denote "the mth power of n" by "n^m", but we write
   it using '#', instead of '^', to avoid reader confusion with the
   power operator and the XOR operator of the C language syntax.

2.2.  Internal State

   The internal state of KCipher-2 can be denoted by S.  The internal
   state consists of six sub-components: two feedback shift registers,
   FSR-A and FSR-B, and four internal registers, L1, R1, L2, and R2.
   We, therefore, often write S = (A, B, L1, R1, L2, R2), where A and B
   refer to FSR-A and FSR-B, respectively.

2.2.1.  Feedback Shift Registers

   The two feedback shift registers (FSRs) are separately called
   Feedback Shift Register A (FSR-A) and Feedback Shift Register B
   (FSR-B).  FSR-A is composed of five 32-bit units that are
   consecutively arranged.  Each unit can be identified by A[0], A[1],
   A[2], A[3], and A[4].  Likewise, FSR-B is composed of eleven
   consecutive 32-bit units, B[0], ..., B[10].  All values stored in
   each 32-bit unit of FSR is in GF(2#32).

Kiyomoto & Shin               Informational                     [Page 4]



RFC 7008               A Description of KCipher-2            August 2013

2.2.2.  Internal Registers

   Besides FSR, KCipher-2 has four internal registers to store
   intermediate computation results during operation.  The four
   registers are named L1, R1, L2, and R2.

2.3.  Operations

   Three major operations constitute the behavior of KCipher-2: init(),
   next(), and stream().  The init() operation initializes the internal
   values of the system.  The next() operation derives new values of S'
   from the values of S, where S' and S refer to the internal state.
   The stream() operation derives a key stream from the current state S.

2.3.1.  next()

   The next() operation takes the current state S = (A, B, L1, R1, L2,
   R2) as input.  The size of the input amounts to twenty of the 32-bit
   units in total (five units for A, eleven for B, and one for L1, R1,
   L2, and R2).  It produces the next state S' = (A', B', L1', R1', L2',
   R2').  This operation is mainly used to generate secure key streams
   by applying non-linear functions (NLFs) for every cycle of KCipher-2.
   Additionally, it is used to initialize the system.  The behaviors are
   distinguished by the input parameter that indicates the operation
   modes.

   Inside the next() operation, the internal registers are updated by
   the result of the substitution function described in Section 2.4.2.
   The feedback shift registers are also updated by feedback functions.
   The feedback functions include the multiplication of register units
   and the fixed elements a0, a1, a2, and a3 in a finite field.  The
   fixed elements a0, ..., a3 are carefully chosen to provide the
   maximum length of the feedback shift registers.  The theory behind
   the selection of fixed elements and the way to simplify the necessary
   multiplications are briefly described in Section 2.4.4.

   The operation takes the following inputs:

   o  S = (A, B, L1, R1, L2, R2)

   o  mode = {INIT, NORMAL}, where INIT means the operation is used for
      initialization, and NORMAL means it is used for generating secure
      key streams.

   The operation outputs a new state,

   o  S' = (A', B', L1', R1', L2', R2')

Kiyomoto & Shin               Informational                     [Page 5]



RFC 7008               A Description of KCipher-2            August 2013

   by performing the following steps:

   1.  Set registers in the nonlinear functions

         L1' = sub_K2(R2 +32 B[4]);
         R1' = sub_K2(L2 +32 B[9]);
         L2' = sub_K2(L1);
         R2' = sub_K2(R1);

         for m from 0 to 3
            A'[m] = A[m + 1];

         for m from 0 to 9
            B'[m] = B[m + 1];

       NOTE: sub_K2 is a substitution function described in
       Section 2.4.2.

   2.  Depending on the value of the operation mode, do the following:

       a.  When the mode is NORMAL, A'[4] and B'[10] are computed as
           follows:

             A'[4] = (a0 ** A[0]) ^ A[3];

             if A[2][30] is 1:
               if A[2][31] is 1:
                 B'[10] = (a1 ** B[0]) ^ B[1] ^ B[6] ^ (a3 ** B[8]);
               else if A[2][31] is 0:
                 B'[10] = (a1 ** B[0]) ^ B[1] ^ B[6] ^ B[8];
             else if A[2][30] is 0:
               if A[2][31] is 1:
                 B'[10] = (a2 ** B[0]) ^ B[1] ^ B[6] ^ (a3 ** B[8]);
               else if A[2][31] is 0:
                 B'[10] = (a2 ** B[0]) ^  B[1] ^ B[6] ^ B[8];

       b.  When the mode is INIT, A'[4] and B'[10] are XOR-ed with the
           non-linear function output described in Section 2.4.1.

             A'[4] = (a0 ** A[0]) ^ A[3] ^ NLF(B[0], R2, R1, A[4]);

             if A[2][30] is 1:
               if A[2][31] is 1:
                 B'[10] = (a1 ** B[0]) ^ B[1] ^ B[6] ^ (a3 ** B[8]) ^
                        NLF(B[10], L2, L1, A[0]);
               else if A[2][31] is 0:
                 B'[10] = (a1 ** B[0]) ^ B[1] ^ B[6] ^ B[8] ^
                        NLF(B[10], L2, L1, A[0]);

Kiyomoto & Shin               Informational                     [Page 6]



RFC 7008               A Description of KCipher-2            August 2013

             else if A[2][30] is 0:
               if A[2][31] is 1:
                 B'[10] = (a2 ** B[0]) ^ B[1] ^ B[6] ^ (a3 ** B[8]) ^
                        NLF(B[10], L2, L1, A[0]);
               else if A[2][31] is 0:
                 B'[10] = (a2 ** B[0]) ^ B[1] ^ B[6] ^ B[8] ^
                        NLF(B[10], L2, L1, A[0]);

   3.  Output S' = (A', B', L1', R1', L2', R2').

   Note that A[2] is a 32-bit unit.  Thus, A[2][j] is the value of the
   jth least significant bit of A[2], where 0 <= j <= 31.

   The corresponding code snippets written in the C language syntax can
   be found in Section 2.4.4 and Appendix B.

2.3.2.  init()

   The init() operation takes a 128-bit key (K) and a 128-bit
   initialization vector (IV) and prepares the values of the state
   variables for generating key streams.

   o  K = (K[0], K[1], K[2], K[3]), where each K[i] is a 32-bit unit and
      0 <= i <= 3

   o  IV =(IV[0], IV[1], IV[2], IV[3]), where each IV[i] is a 32-bit
      unit and 0 <= i <= 3,

   and the output is an initialized state S, which will be referenced as
   S(0).  The output is derived from the following steps:

   1.  Expand K to the 384-bit internal key IK = (IK[0], ..., IK[11]),
       where IK[i] is a 32-bit unit and 0 <= i <= 11.  The expansion
       procedure is as follows:

         for m from 0 to 11
            if m is 0, 1, 2, or 3:
               IK[m] = K[m];
            else if m is 5, 6, 7, 9, 10, or 11:
               IK[m] = IK[m - 4] ^ IK[m - 1];
            else if m is 4:
               IK[4] = IK[0] ^ sub_K2(IK[3] <<_32 8) ^
               (0x01, 0x00, 0x00, 0x00);
            else if m is 8:
               IK[8] = IK[4] ^ sub_K2(IK[7] <<_32 8) ^
               (0x02, 0x00, 0x00, 0x00);

Kiyomoto & Shin               Informational                     [Page 7]



RFC 7008               A Description of KCipher-2            August 2013

       NOTE: sub_K2 is the substitution function described in
       Section 2.4.2.

   2.  Initialize the feedback shift registers and the internal
       registers using the values of IK and IV as follows:

         for m from 0 to 4
            A[m] = IK[4 - m];

         B[0] = IK[10]; B[1] = IK[11]; B[2] = IV[0];  B[3] = IV[1];
         B[4] = IK[8];  B[5] = IK[9];  B[6] = IV[2];  B[7] = IV[3];
         B[8] = IK[7];  B[9] = IK[5];  B[10] = IK[6];

         L1 = R1 = L2 = R2 = 0x00000000;

         Set S as (A, B, L1, R1, L2, R2).

   3.  Prepare the state values by applying the next() operation 24
       times as follows:

          for m from 1 to 24
            Set S' as next(S, INIT);
            Set S as S';

   4.  Output S.

2.3.3.  stream()

   The stream() function derives a 64-bit key stream, Z, from the state
   values.  Its input is an initialized state,

   o  S = (A, B, L1, R1, L2, R2)

   and its output is Z = (ZH, ZL), where ZH and ZL are 32-bit units.
   stream() performs the following:

   1.  Set register values

        ZH = NLF(B[10], L2, L1, A[0]);
        ZL = NLF(B[0], R2, R1, A[4]);

   2.  Output Z = (ZH, ZL).

   NOTE: The function NLF is described in Section 2.4.1.

Kiyomoto & Shin               Informational                     [Page 8]



RFC 7008               A Description of KCipher-2            August 2013

2.4.  Subroutines

   We explain the functions used above: sub_K2(), NLF(), and S_box().

2.4.1.  NLF()

   NLF() is a non-linear function that takes the four 32-bit values, A,
   B, C, D, and outputs the 32-bit value, Q.  The output Q is calculated
   as follows.

         Q = (A +32 B) ^ C ^ D;

2.4.2.  sub_K2()

   sub_K2() is a substitution function that is a permutation of
   GF(2#32), based on components from the Advanced Encryption Standard
   (AES) [FIPS-AES].  Its input is a 32-bit value divided into four
   8-bit strings.  Inside sub_K2(), an 8-to-8-bit substitution function,
   S_box(), is applied to each 8-bit string separately, and then a 32-
   to-32-bit linear permutation is applied to the whole 32-bit string.
   Our S_box() function is identical to the S-Box operation of AES, and
   our linear permutation is identical to the AES Mix Column operation.

   Consider the input of sub_K2 as a 32-bit value W = (w[3], w[2], w[1],
   w[0]), where each subelement of w is an 8-bit unit.  Prepare two
   32-bit temporary storages, T = (t[3], t[2], t[1], t[0]) and Q =
   (q[3], q[2], q[1], q[0]), where t[i] and q[i] are 8-bit units and 0
   <= i <= 3.

   The 32-bit output Q is obtained from the following procedures:

   1.  Apply S_box() to each 8-bit input string.  Note that S_box() is
       defined in Section 2.4.3.

         for m from 0 to 3
            t[m] = S_box(w[m]);

   2.  Calculate q by the matrix multiplication, Q = M * T in GF(2#8) of
       the irreducible polynomial f(x) = x#8 + x#4 + x#3 + x + 1, where

       o  Q is a 1x4 matrix, (q[0], q[1], q[2], q[3))

       o  M is a 4x4 matrix,

                  (02,  03,  01,  01,
                   01,  02,  03,  01,
                   01,  01,  02,  03,
                   03,  01,  01,  02)

Kiyomoto & Shin               Informational                     [Page 9]



RFC 7008               A Description of KCipher-2            August 2013

       o  T is a 1x4 matrix, (t[0], t[1], t[2], t[3]).

       Namely, the procedure that calculates (q[3], q[2], q[1], q[0])
       can be written in the C language syntax as:

           q[0] = GF_mult_by_2(t[0]) ^ GF_mult_by_3(t[1]) ^ t[2] ^ t[3];
           q[1] = t[0] ^ GF_mult_by_2(t[1]) ^ GF_mult_by_3(t[2]) ^ t[3];
           q[2] = t[0] ^ t[1] ^ GF_mult_by_2(t[2]) ^ GF_mult_by_3(t[3]);
           q[3] = GF_mult_by_3(t[0]) ^ t[1] ^ t[2] ^ GF_mult_by_2(t[3]);

       where GF_mult_by_2 and GF_mult_by_3 are multiplication functions
       in GF(2#8), defined as follows:

       o  The function GF_mult_by_2(t) multiplies 2 by the given 8-bit
          value t in GF(2#8) and returns an 8-bit value q as follows (lq
          is a temporary 32-bit variable):

               lq = t << 1;
               if ((lq & 0x100) != 0) lq ^= 0x011B;
               q = lq ^ 0xFF;

       o  The function GF_mult_by_3(t) multiplies 3 by the given 8-bit
          value t in GF(2#8) and returns an 8-bit value q as follows (lq
          is a temporary 32-bit variable):

               lq = (t << 1) ^ t;
               if ((lq & 0x100) != 0) lq ^= 0x011B;
               q = lq ^ 0xFF;

   3.  Output Q = (q[3], q[2], q[1], q[0]).

2.4.3.  S_box()

   S_box() is a substitution that can be done by a simple table lookup
   operation.  Thus, S_box() can be defined by the following value
   table:

      S_box[256] = {
         0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
         0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
         0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
         0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
         0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
         0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
         0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
         0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
         0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
         0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,

Kiyomoto & Shin               Informational                    [Page 10]



RFC 7008               A Description of KCipher-2            August 2013

         0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
         0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
         0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
         0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
         0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
         0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
         0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
         0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
         0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
         0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
         0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
         0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
         0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
         0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
         0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
         0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
         0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
         0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
         0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
         0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
         0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
         0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 };

2.4.4.  Multiplications in GF(2#32)

   FSR-A and FSR-B are word-oriented linear feedback shift registers
   (LFSRs).  In the next() operation of Section 2.3.1, the feedback
   functions to the two LFSRs are shown, which include multiplication of
   fixed elements a0, a1, a2, or a3 in GF(2#32).  The fixed elements are
   carefully chosen to maximize the period of the key stream generated
   by the two registers.  Here, we briefly explain how we obtain the
   fixed elements.  Further details and theories can be found in
   [SECRYPT07].

   We obtain a0 as follows.  First, to guarantee that the period is
   maximized for an 8-bit unit, we consider p as the root of the
   primitive polynomial:

         x#8 + x#7 + x#6, + x + 1 in GF(2).

   Therefore, an 8-bit string y = (y7, ..., y0), where y7 is the most
   significant bit, can be written as:

         y = y7(p#7) + y6(p#6) + ... + y1(p) + y0

   Next, a0 is the root of irreducible polynomial of degree four:

         x#4 + p#24(x#3) + p#3(x#2) + p#12(x) + p#71 in GF(2#8).

Kiyomoto & Shin               Informational                    [Page 11]



RFC 7008               A Description of KCipher-2            August 2013

   Then, hierarchically, a 32-bit unit Y = (Y3, Y2, Y1, Y0), where Y3 is
   the most significant byte, can be written as:

         Y3(a0#3) + Y2(a0#2) + Y1(a0) + Y0

   The feedback polynomial to FSR-A,

         f(x) = a0(x#5) + x#2 + 1

   produces the maximum-length period of the key stream with a0.

   Similarly, a1, a2, and a3 are the roots of irreducible polynomials of
   degree four of

         x#4 + q#230(x#3) + q#156(x#2) + q#93(x) + q#29 in GF(2#8)
         x#4 + r#34(x#3) + r#16(x#2) + r#199(x) + r#248 in GF(2#8)
         x#4 + s#157(x#3) + s#253(x#2) + s#56(x) + s#16 in GF(2#8)

   respectively.  The feedback polynomial to FSR-B that uses a1, a2, and
   a3 can produce the maximum-length period.  The feedback polynomials
   to FSR-A and FSR-B are as written in Step 2 of the next() operation,
   and the mathematical notations of these polynomials can also be found
   in [SECRYPT07].

   Calculation of the original feedback polynomials might be time-
   consuming because it includes multiplications in finite fields.
   However, these multiplications can be done faster if the multiples of
   a0, ..., a3 were already calculated for all possible inputs.  The
   tables of amul0, ..., amul3 in Appendix A provide such pre-
   calculation results.  As shown in Step 2 of next(), we can utilize
   these tables to finish the necessary calculations efficiently.

   For example, consider the input as a 32-bit value w, which represents
   an element of GF(2#32).  The 32-bit output string w' = a0 ** w can be
   obtained using the amul0 table in Appendix A.1 as follows:

         w' = (w << 8) ^ amul0[w >> 24];

   Likewise, multiplications of (a1 ** w), (a2 ** w), and (a3 ** w) can
   be obtained in the same way, simply by using the amul1, amul2, and
   amul3 tables that we provide in Appendixes A.2, A.3, and A.4.

   Eventually, Step 2 of the next() operation, which updates A'[4] and
   B'[10], can be written in the C language syntax as follows.  Note
   that nA[4] and nB[10] correspond to A'[4] and B'[10], respectively,
   and temp1 and temp2 are 32-bit variables.

Kiyomoto & Shin               Informational                    [Page 12]



RFC 7008               A Description of KCipher-2            August 2013

        nA[4] = ((A[0] << 8) ^ amul0[(A[0] >> 24)]) ^ A[3];
        if (mode == INIT)
          nA[4] ^= NLF(B[0], R2, R1, A[4]);

        if (A[2] & 0x40000000) {
          temp1 = (B[0] << 8) ^ amul1[(B[0] >> 24)];
        } else {
          temp1 = (B[0] << 8) ^ amul2[(B[0] >> 24)];
        }

        if (A[2] & 0x80000000) {
          temp2 = (B[8] << 8) ^ amul3[(B[8] >> 24)];
        } else {
          temp2 = B[8];
        }

        nB[10] = temp1 ^ B[1] ^ B[6] ^ temp2;
        if (mode == INIT)
          nB[10] ^= NLF(B[10], L2, L1, A[0]);

2.5.  Encryption and Decryption Scheme

   In this section, we use the notation S(i) to specifically reference
   the values of the internal state at i (where i >= 0), which is an
   arbitrary, discrete temporal moment (aka cycle) after the
   initialization.

2.5.1.  Key Stream Generation

   Given a 128-bit key K, a 128-bit initialization vector (IV),
   KCipher-2 is initialized as follows:

         S(0) = init(K, IV);

   where S(0) is a state representation.  With an initialized state
   S(i), where i >= 0, a 64-bit key stream X(i) can be obtained using
   the stream() operation, as follows:

         X(i) = stream(S(i));

   To generate a new key stream X(i + 1), use the next() operation and
   the stream() operation as follows:

         S(i + 1) = next(S(i), NORMAL);
         X(i + 1) = stream(S(i + 1));

Kiyomoto & Shin               Informational                    [Page 13]



RFC 7008               A Description of KCipher-2            August 2013

2.5.2.  Encryption and Decryption of a Message

   Given a 64-bit message block M and a key stream X, an encrypted
   message E is obtained by

         E = M ^ X;

   Conversely, the decrypted message D is obtained by

         D = E ^ X;

   The original message M and the decrypted message D are identical when
   the same key stream is used.

3.  Security Considerations

   We recommend reinitializing and rekeying after 2#58 cycles of
   KCipher-2, which means after generating 2#64 key stream bits.  It is
   important to make sure that no IV is ever reused under the same key.

4.  References

4.1.  Normative References

   [ISO18033]     "Information technology -- Security techniques --
                  Encryption algorithms -- Part 4: Stream ciphers", ISO/
                  IEC 18033-4:2012 Ed. 2, December 2012.

   [FIPS-AES]     National Institute of Standards and Technology,
                  "Advanced Encryption Standard (AES)", FIPS PUB 197,
                  November 2001, <http://csrc.nist.gov/publications/
                  fips/fips197/fips-197.pdf>.

4.2.  Informative References

   [SECRYPT07]    Kiyomoto, S., Tanaka, T., and K. Sakurai, "K2: A
                  Stream Cipher Algorithm Using Dynamic Feedback
                  Control", Proc. SECRYPT 2007, pp. 204-213.

   [ICETE07]      Kiyomoto, S., Tanaka, T., and K. Sakurai, "K2 Stream
                  Cipher", Proc. ICETE 2007, pp. 214-226.

   [CRYPTEC]      Bogdanov, A., Preneel, B., and V. Rijmen, "Security
                  Evaluation of the K2 Stream Cipher", 2010,
                  <http://www.cryptrec.go.jp/english/estimation.html>.

   [CRYPTECLIST]  "Cryptography Research and Evaluation Committees",
                  <http://www.cryptrec.go.jp/english/estimation.html>.

Kiyomoto & Shin               Informational                    [Page 14]



RFC 7008               A Description of KCipher-2            August 2013

   [SIIS11]       Priemuth-Schmid, D., "Attacks on Simplified Versions
                  of K2", Proc. SIIS 2011, LNCS 7053, pp. 117-127.

   [SASC07]       Kiyomoto, S., Tanaka, T., and K. Sakurai, "A Word-
                  Oriented Stream Cipher Using Clock Control", Proc.
                  SASC 2007, pp. 260-274.

Kiyomoto & Shin               Informational                    [Page 15]



RFC 7008               A Description of KCipher-2            August 2013

Appendix A.  Tables for Multiplication in GF(2#32)

A.1.  The table amul0

      amul0[256] = {
         0x00000000,0xB6086D1A,0xAF10DA34,0x1918B72E,
         0x9D207768,0x2B281A72,0x3230AD5C,0x8438C046,
         0xF940EED0,0x4F4883CA,0x565034E4,0xE05859FE,
         0x646099B8,0xD268F4A2,0xCB70438C,0x7D782E96,
         0x31801F63,0x87887279,0x9E90C557,0x2898A84D,
         0xACA0680B,0x1AA80511,0x03B0B23F,0xB5B8DF25,
         0xC8C0F1B3,0x7EC89CA9,0x67D02B87,0xD1D8469D,
         0x55E086DB,0xE3E8EBC1,0xFAF05CEF,0x4CF831F5,
         0x62C33EC6,0xD4CB53DC,0xCDD3E4F2,0x7BDB89E8,
         0xFFE349AE,0x49EB24B4,0x50F3939A,0xE6FBFE80,
         0x9B83D016,0x2D8BBD0C,0x34930A22,0x829B6738,
         0x06A3A77E,0xB0ABCA64,0xA9B37D4A,0x1FBB1050,
         0x534321A5,0xE54B4CBF,0xFC53FB91,0x4A5B968B,
         0xCE6356CD,0x786B3BD7,0x61738CF9,0xD77BE1E3,
         0xAA03CF75,0x1C0BA26F,0x05131541,0xB31B785B,
         0x3723B81D,0x812BD507,0x98336229,0x2E3B0F33,
         0xC4457C4F,0x724D1155,0x6B55A67B,0xDD5DCB61,
         0x59650B27,0xEF6D663D,0xF675D113,0x407DBC09,
         0x3D05929F,0x8B0DFF85,0x921548AB,0x241D25B1,
         0xA025E5F7,0x162D88ED,0x0F353FC3,0xB93D52D9,
         0xF5C5632C,0x43CD0E36,0x5AD5B918,0xECDDD402,
         0x68E51444,0xDEED795E,0xC7F5CE70,0x71FDA36A,
         0x0C858DFC,0xBA8DE0E6,0xA39557C8,0x159D3AD2,
         0x91A5FA94,0x27AD978E,0x3EB520A0,0x88BD4DBA,
         0xA6864289,0x108E2F93,0x099698BD,0xBF9EF5A7,
         0x3BA635E1,0x8DAE58FB,0x94B6EFD5,0x22BE82CF,
         0x5FC6AC59,0xE9CEC143,0xF0D6766D,0x46DE1B77,
         0xC2E6DB31,0x74EEB62B,0x6DF60105,0xDBFE6C1F,
         0x97065DEA,0x210E30F0,0x381687DE,0x8E1EEAC4,
         0x0A262A82,0xBC2E4798,0xA536F0B6,0x133E9DAC,
         0x6E46B33A,0xD84EDE20,0xC156690E,0x775E0414,
         0xF366C452,0x456EA948,0x5C761E66,0xEA7E737C,
         0x4B8AF89E,0xFD829584,0xE49A22AA,0x52924FB0,
         0xD6AA8FF6,0x60A2E2EC,0x79BA55C2,0xCFB238D8,
         0xB2CA164E,0x04C27B54,0x1DDACC7A,0xABD2A160,
         0x2FEA6126,0x99E20C3C,0x80FABB12,0x36F2D608,
         0x7A0AE7FD,0xCC028AE7,0xD51A3DC9,0x631250D3,
         0xE72A9095,0x5122FD8F,0x483A4AA1,0xFE3227BB,
         0x834A092D,0x35426437,0x2C5AD319,0x9A52BE03,
         0x1E6A7E45,0xA862135F,0xB17AA471,0x0772C96B,
         0x2949C658,0x9F41AB42,0x86591C6C,0x30517176,
         0xB469B130,0x0261DC2A,0x1B796B04,0xAD71061E,
         0xD0092888,0x66014592,0x7F19F2BC,0xC9119FA6,

Kiyomoto & Shin               Informational                    [Page 16]



RFC 7008               A Description of KCipher-2            August 2013

         0x4D295FE0,0xFB2132FA,0xE23985D4,0x5431E8CE,
         0x18C9D93B,0xAEC1B421,0xB7D9030F,0x01D16E15,
         0x85E9AE53,0x33E1C349,0x2AF97467,0x9CF1197D,
         0xE18937EB,0x57815AF1,0x4E99EDDF,0xF89180C5,
         0x7CA94083,0xCAA12D99,0xD3B99AB7,0x65B1F7AD,
         0x8FCF84D1,0x39C7E9CB,0x20DF5EE5,0x96D733FF,
         0x12EFF3B9,0xA4E79EA3,0xBDFF298D,0x0BF74497,
         0x768F6A01,0xC087071B,0xD99FB035,0x6F97DD2F,
         0xEBAF1D69,0x5DA77073,0x44BFC75D,0xF2B7AA47,
         0xBE4F9BB2,0x0847F6A8,0x115F4186,0xA7572C9C,
         0x236FECDA,0x956781C0,0x8C7F36EE,0x3A775BF4,
         0x470F7562,0xF1071878,0xE81FAF56,0x5E17C24C,
         0xDA2F020A,0x6C276F10,0x753FD83E,0xC337B524,
         0xED0CBA17,0x5B04D70D,0x421C6023,0xF4140D39,
         0x702CCD7F,0xC624A065,0xDF3C174B,0x69347A51,
         0x144C54C7,0xA24439DD,0xBB5C8EF3,0x0D54E3E9,
         0x896C23AF,0x3F644EB5,0x267CF99B,0x90749481,
         0xDC8CA574,0x6A84C86E,0x739C7F40,0xC594125A,
         0x41ACD21C,0xF7A4BF06,0xEEBC0828,0x58B46532,
         0x25CC4BA4,0x93C426BE,0x8ADC9190,0x3CD4FC8A,
         0xB8EC3CCC,0x0EE451D6,0x17FCE6F8,0xA1F48BE2 };

A.2.  The table amul1

      amul1[256] = {
         0x00000000,0xA0F5FC2E,0x6DC7D55C,0xCD322972,
         0xDAA387B8,0x7A567B96,0xB76452E4,0x1791AECA,
         0x996B235D,0x399EDF73,0xF4ACF601,0x54590A2F,
         0x43C8A4E5,0xE33D58CB,0x2E0F71B9,0x8EFA8D97,
         0x1FD646BA,0xBF23BA94,0x721193E6,0xD2E46FC8,
         0xC575C102,0x65803D2C,0xA8B2145E,0x0847E870,
         0x86BD65E7,0x264899C9,0xEB7AB0BB,0x4B8F4C95,
         0x5C1EE25F,0xFCEB1E71,0x31D93703,0x912CCB2D,
         0x3E818C59,0x9E747077,0x53465905,0xF3B3A52B,
         0xE4220BE1,0x44D7F7CF,0x89E5DEBD,0x29102293,
         0xA7EAAF04,0x071F532A,0xCA2D7A58,0x6AD88676,
         0x7D4928BC,0xDDBCD492,0x108EFDE0,0xB07B01CE,
         0x2157CAE3,0x81A236CD,0x4C901FBF,0xEC65E391,
         0xFBF44D5B,0x5B01B175,0x96339807,0x36C66429,
         0xB83CE9BE,0x18C91590,0xD5FB3CE2,0x750EC0CC,
         0x629F6E06,0xC26A9228,0x0F58BB5A,0xAFAD4774,
         0x7C2F35B2,0xDCDAC99C,0x11E8E0EE,0xB11D1CC0,
         0xA68CB20A,0x06794E24,0xCB4B6756,0x6BBE9B78,
         0xE54416EF,0x45B1EAC1,0x8883C3B3,0x28763F9D,
         0x3FE79157,0x9F126D79,0x5220440B,0xF2D5B825,
         0x63F97308,0xC30C8F26,0x0E3EA654,0xAECB5A7A,
         0xB95AF4B0,0x19AF089E,0xD49D21EC,0x7468DDC2,
         0xFA925055,0x5A67AC7B,0x97558509,0x37A07927,

Kiyomoto & Shin               Informational                    [Page 17]



RFC 7008               A Description of KCipher-2            August 2013

         0x2031D7ED,0x80C42BC3,0x4DF602B1,0xED03FE9F,
         0x42AEB9EB,0xE25B45C5,0x2F696CB7,0x8F9C9099,
         0x980D3E53,0x38F8C27D,0xF5CAEB0F,0x553F1721,
         0xDBC59AB6,0x7B306698,0xB6024FEA,0x16F7B3C4,
         0x01661D0E,0xA193E120,0x6CA1C852,0xCC54347C,
         0x5D78FF51,0xFD8D037F,0x30BF2A0D,0x904AD623,
         0x87DB78E9,0x272E84C7,0xEA1CADB5,0x4AE9519B,
         0xC413DC0C,0x64E62022,0xA9D40950,0x0921F57E,
         0x1EB05BB4,0xBE45A79A,0x73778EE8,0xD38272C6,
         0xF85E6A49,0x58AB9667,0x9599BF15,0x356C433B,
         0x22FDEDF1,0x820811DF,0x4F3A38AD,0xEFCFC483,
         0x61354914,0xC1C0B53A,0x0CF29C48,0xAC076066,
         0xBB96CEAC,0x1B633282,0xD6511BF0,0x76A4E7DE,
         0xE7882CF3,0x477DD0DD,0x8A4FF9AF,0x2ABA0581,
         0x3D2BAB4B,0x9DDE5765,0x50EC7E17,0xF0198239,
         0x7EE30FAE,0xDE16F380,0x1324DAF2,0xB3D126DC,
         0xA4408816,0x04B57438,0xC9875D4A,0x6972A164,
         0xC6DFE610,0x662A1A3E,0xAB18334C,0x0BEDCF62,
         0x1C7C61A8,0xBC899D86,0x71BBB4F4,0xD14E48DA,
         0x5FB4C54D,0xFF413963,0x32731011,0x9286EC3F,
         0x851742F5,0x25E2BEDB,0xE8D097A9,0x48256B87,
         0xD909A0AA,0x79FC5C84,0xB4CE75F6,0x143B89D8,
         0x03AA2712,0xA35FDB3C,0x6E6DF24E,0xCE980E60,
         0x406283F7,0xE0977FD9,0x2DA556AB,0x8D50AA85,
         0x9AC1044F,0x3A34F861,0xF706D113,0x57F32D3D,
         0x84715FFB,0x2484A3D5,0xE9B68AA7,0x49437689,
         0x5ED2D843,0xFE27246D,0x33150D1F,0x93E0F131,
         0x1D1A7CA6,0xBDEF8088,0x70DDA9FA,0xD02855D4,
         0xC7B9FB1E,0x674C0730,0xAA7E2E42,0x0A8BD26C,
         0x9BA71941,0x3B52E56F,0xF660CC1D,0x56953033,
         0x41049EF9,0xE1F162D7,0x2CC34BA5,0x8C36B78B,
         0x02CC3A1C,0xA239C632,0x6F0BEF40,0xCFFE136E,
         0xD86FBDA4,0x789A418A,0xB5A868F8,0x155D94D6,
         0xBAF0D3A2,0x1A052F8C,0xD73706FE,0x77C2FAD0,
         0x6053541A,0xC0A6A834,0x0D948146,0xAD617D68,
         0x239BF0FF,0x836E0CD1,0x4E5C25A3,0xEEA9D98D,
         0xF9387747,0x59CD8B69,0x94FFA21B,0x340A5E35,
         0xA5269518,0x05D36936,0xC8E14044,0x6814BC6A,
         0x7F8512A0,0xDF70EE8E,0x1242C7FC,0xB2B73BD2,
         0x3C4DB645,0x9CB84A6B,0x518A6319,0xF17F9F37,
         0xE6EE31FD,0x461BCDD3,0x8B29E4A1,0x2BDC188F };

Kiyomoto & Shin               Informational                    [Page 18]



RFC 7008               A Description of KCipher-2            August 2013

A.3.  The table amul2

      amul2[256] = {
         0x00000000,0x5BF87F93,0xB6BDFE6B,0xED4581F8,
         0x2137B1D6,0x7ACFCE45,0x978A4FBD,0xCC72302E,
         0x426E2FE1,0x19965072,0xF4D3D18A,0xAF2BAE19,
         0x63599E37,0x38A1E1A4,0xD5E4605C,0x8E1C1FCF,
         0x84DC5E8F,0xDF24211C,0x3261A0E4,0x6999DF77,
         0xA5EBEF59,0xFE1390CA,0x13561132,0x48AE6EA1,
         0xC6B2716E,0x9D4A0EFD,0x700F8F05,0x2BF7F096,
         0xE785C0B8,0xBC7DBF2B,0x51383ED3,0x0AC04140,
         0x45F5BC53,0x1E0DC3C0,0xF3484238,0xA8B03DAB,
         0x64C20D85,0x3F3A7216,0xD27FF3EE,0x89878C7D,
         0x079B93B2,0x5C63EC21,0xB1266DD9,0xEADE124A,
         0x26AC2264,0x7D545DF7,0x9011DC0F,0xCBE9A39C,
         0xC129E2DC,0x9AD19D4F,0x77941CB7,0x2C6C6324,
         0xE01E530A,0xBBE62C99,0x56A3AD61,0x0D5BD2F2,
         0x8347CD3D,0xD8BFB2AE,0x35FA3356,0x6E024CC5,
         0xA2707CEB,0xF9880378,0x14CD8280,0x4F35FD13,
         0x8AA735A6,0xD15F4A35,0x3C1ACBCD,0x67E2B45E,
         0xAB908470,0xF068FBE3,0x1D2D7A1B,0x46D50588,
         0xC8C91A47,0x933165D4,0x7E74E42C,0x258C9BBF,
         0xE9FEAB91,0xB206D402,0x5F4355FA,0x04BB2A69,
         0x0E7B6B29,0x558314BA,0xB8C69542,0xE33EEAD1,
         0x2F4CDAFF,0x74B4A56C,0x99F12494,0xC2095B07,
         0x4C1544C8,0x17ED3B5B,0xFAA8BAA3,0xA150C530,
         0x6D22F51E,0x36DA8A8D,0xDB9F0B75,0x806774E6,
         0xCF5289F5,0x94AAF666,0x79EF779E,0x2217080D,
         0xEE653823,0xB59D47B0,0x58D8C648,0x0320B9DB,
         0x8D3CA614,0xD6C4D987,0x3B81587F,0x607927EC,
         0xAC0B17C2,0xF7F36851,0x1AB6E9A9,0x414E963A,
         0x4B8ED77A,0x1076A8E9,0xFD332911,0xA6CB5682,
         0x6AB966AC,0x3141193F,0xDC0498C7,0x87FCE754,
         0x09E0F89B,0x52188708,0xBF5D06F0,0xE4A57963,
         0x28D7494D,0x732F36DE,0x9E6AB726,0xC592C8B5,
         0x59036A01,0x02FB1592,0xEFBE946A,0xB446EBF9,
         0x7834DBD7,0x23CCA444,0xCE8925BC,0x95715A2F,
         0x1B6D45E0,0x40953A73,0xADD0BB8B,0xF628C418,
         0x3A5AF436,0x61A28BA5,0x8CE70A5D,0xD71F75CE,
         0xDDDF348E,0x86274B1D,0x6B62CAE5,0x309AB576,
         0xFCE88558,0xA710FACB,0x4A557B33,0x11AD04A0,
         0x9FB11B6F,0xC44964FC,0x290CE504,0x72F49A97,
         0xBE86AAB9,0xE57ED52A,0x083B54D2,0x53C32B41,
         0x1CF6D652,0x470EA9C1,0xAA4B2839,0xF1B357AA,
         0x3DC16784,0x66391817,0x8B7C99EF,0xD084E67C,
         0x5E98F9B3,0x05608620,0xE82507D8,0xB3DD784B,
         0x7FAF4865,0x245737F6,0xC912B60E,0x92EAC99D,
         0x982A88DD,0xC3D2F74E,0x2E9776B6,0x756F0925,

Kiyomoto & Shin               Informational                    [Page 19]



RFC 7008               A Description of KCipher-2            August 2013

         0xB91D390B,0xE2E54698,0x0FA0C760,0x5458B8F3,
         0xDA44A73C,0x81BCD8AF,0x6CF95957,0x370126C4,
         0xFB7316EA,0xA08B6979,0x4DCEE881,0x16369712,
         0xD3A45FA7,0x885C2034,0x6519A1CC,0x3EE1DE5F,
         0xF293EE71,0xA96B91E2,0x442E101A,0x1FD66F89,
         0x91CA7046,0xCA320FD5,0x27778E2D,0x7C8FF1BE,
         0xB0FDC190,0xEB05BE03,0x06403FFB,0x5DB84068,
         0x57780128,0x0C807EBB,0xE1C5FF43,0xBA3D80D0,
         0x764FB0FE,0x2DB7CF6D,0xC0F24E95,0x9B0A3106,
         0x15162EC9,0x4EEE515A,0xA3ABD0A2,0xF853AF31,
         0x34219F1F,0x6FD9E08C,0x829C6174,0xD9641EE7,
         0x9651E3F4,0xCDA99C67,0x20EC1D9F,0x7B14620C,
         0xB7665222,0xEC9E2DB1,0x01DBAC49,0x5A23D3DA,
         0xD43FCC15,0x8FC7B386,0x6282327E,0x397A4DED,
         0xF5087DC3,0xAEF00250,0x43B583A8,0x184DFC3B,
         0x128DBD7B,0x4975C2E8,0xA4304310,0xFFC83C83,
         0x33BA0CAD,0x6842733E,0x8507F2C6,0xDEFF8D55,
         0x50E3929A,0x0B1BED09,0xE65E6CF1,0xBDA61362,
         0x71D4234C,0x2A2C5CDF,0xC769DD27,0x9C91A2B4 };

A.4.  The table amul3

      amul3[256] = {
         0x00000000,0x4559568B,0x8AB2AC73,0xCFEBFAF8,
         0x71013DE6,0x34586B6D,0xFBB39195,0xBEEAC71E,
         0xE2027AA9,0xA75B2C22,0x68B0D6DA,0x2DE98051,
         0x9303474F,0xD65A11C4,0x19B1EB3C,0x5CE8BDB7,
         0xA104F437,0xE45DA2BC,0x2BB65844,0x6EEF0ECF,
         0xD005C9D1,0x955C9F5A,0x5AB765A2,0x1FEE3329,
         0x43068E9E,0x065FD815,0xC9B422ED,0x8CED7466,
         0x3207B378,0x775EE5F3,0xB8B51F0B,0xFDEC4980,
         0x27088D6E,0x6251DBE5,0xADBA211D,0xE8E37796,
         0x5609B088,0x1350E603,0xDCBB1CFB,0x99E24A70,
         0xC50AF7C7,0x8053A14C,0x4FB85BB4,0x0AE10D3F,
         0xB40BCA21,0xF1529CAA,0x3EB96652,0x7BE030D9,
         0x860C7959,0xC3552FD2,0x0CBED52A,0x49E783A1,
         0xF70D44BF,0xB2541234,0x7DBFE8CC,0x38E6BE47,
         0x640E03F0,0x2157557B,0xEEBCAF83,0xABE5F908,
         0x150F3E16,0x5056689D,0x9FBD9265,0xDAE4C4EE,
         0x4E107FDC,0x0B492957,0xC4A2D3AF,0x81FB8524,
         0x3F11423A,0x7A4814B1,0xB5A3EE49,0xF0FAB8C2,
         0xAC120575,0xE94B53FE,0x26A0A906,0x63F9FF8D,
         0xDD133893,0x984A6E18,0x57A194E0,0x12F8C26B,
         0xEF148BEB,0xAA4DDD60,0x65A62798,0x20FF7113,
         0x9E15B60D,0xDB4CE086,0x14A71A7E,0x51FE4CF5,
         0x0D16F142,0x484FA7C9,0x87A45D31,0xC2FD0BBA,
         0x7C17CCA4,0x394E9A2F,0xF6A560D7,0xB3FC365C,
         0x6918F2B2,0x2C41A439,0xE3AA5EC1,0xA6F3084A,

Kiyomoto & Shin               Informational                    [Page 20]



RFC 7008               A Description of KCipher-2            August 2013

         0x1819CF54,0x5D4099DF,0x92AB6327,0xD7F235AC,
         0x8B1A881B,0xCE43DE90,0x01A82468,0x44F172E3,
         0xFA1BB5FD,0xBF42E376,0x70A9198E,0x35F04F05,
         0xC81C0685,0x8D45500E,0x42AEAAF6,0x07F7FC7D,
         0xB91D3B63,0xFC446DE8,0x33AF9710,0x76F6C19B,
         0x2A1E7C2C,0x6F472AA7,0xA0ACD05F,0xE5F586D4,
         0x5B1F41CA,0x1E461741,0xD1ADEDB9,0x94F4BB32,
         0x9C20FEDD,0xD979A856,0x169252AE,0x53CB0425,
         0xED21C33B,0xA87895B0,0x67936F48,0x22CA39C3,
         0x7E228474,0x3B7BD2FF,0xF4902807,0xB1C97E8C,
         0x0F23B992,0x4A7AEF19,0x859115E1,0xC0C8436A,
         0x3D240AEA,0x787D5C61,0xB796A699,0xF2CFF012,
         0x4C25370C,0x097C6187,0xC6979B7F,0x83CECDF4,
         0xDF267043,0x9A7F26C8,0x5594DC30,0x10CD8ABB,
         0xAE274DA5,0xEB7E1B2E,0x2495E1D6,0x61CCB75D,
         0xBB2873B3,0xFE712538,0x319ADFC0,0x74C3894B,
         0xCA294E55,0x8F7018DE,0x409BE226,0x05C2B4AD,
         0x592A091A,0x1C735F91,0xD398A569,0x96C1F3E2,
         0x282B34FC,0x6D726277,0xA299988F,0xE7C0CE04,
         0x1A2C8784,0x5F75D10F,0x909E2BF7,0xD5C77D7C,
         0x6B2DBA62,0x2E74ECE9,0xE19F1611,0xA4C6409A,
         0xF82EFD2D,0xBD77ABA6,0x729C515E,0x37C507D5,
         0x892FC0CB,0xCC769640,0x039D6CB8,0x46C43A33,
         0xD2308101,0x9769D78A,0x58822D72,0x1DDB7BF9,
         0xA331BCE7,0xE668EA6C,0x29831094,0x6CDA461F,
         0x3032FBA8,0x756BAD23,0xBA8057DB,0xFFD90150,
         0x4133C64E,0x046A90C5,0xCB816A3D,0x8ED83CB6,
         0x73347536,0x366D23BD,0xF986D945,0xBCDF8FCE,
         0x023548D0,0x476C1E5B,0x8887E4A3,0xCDDEB228,
         0x91360F9F,0xD46F5914,0x1B84A3EC,0x5EDDF567,
         0xE0373279,0xA56E64F2,0x6A859E0A,0x2FDCC881,
         0xF5380C6F,0xB0615AE4,0x7F8AA01C,0x3AD3F697,
         0x84393189,0xC1606702,0x0E8B9DFA,0x4BD2CB71,
         0x173A76C6,0x5263204D,0x9D88DAB5,0xD8D18C3E,
         0x663B4B20,0x23621DAB,0xEC89E753,0xA9D0B1D8,
         0x543CF858,0x1165AED3,0xDE8E542B,0x9BD702A0,
         0x253DC5BE,0x60649335,0xAF8F69CD,0xEAD63F46,
         0xB63E82F1,0xF367D47A,0x3C8C2E82,0x79D57809,
         0xC73FBF17,0x8266E99C,0x4D8D1364,0x08D445EF };

Kiyomoto & Shin               Informational                    [Page 21]



RFC 7008               A Description of KCipher-2            August 2013

Appendix B.  A Simple Implementation Example of KCipher-2

   We provide an example implementation of KCipher-2 written in C.  The
   implementation is simple; we do not consider storage or time
   complexity, nor do we consider software engineering-related issues,
   such as encapsulation, modularity, and so on.

B.1.  Code Components I - Definitions and Declarations

      #include <stdio.h>
      #include <stdint.h>

      #define INIT    0
      #define NORMAL  1

      void init (unsigned int *, unsigned int *);
      void next(int);
      void stream (unsigned int *, unsigned int *);

      static const uint8_t S_box[256] = {
          ...
          // as defined in Section 2.4.3
      };

      static const uint32_t amul0[256] = {
          ...
          // as defined in Appendix A.1
      };

      static const uint32_t amul1[256] = {
          ...
          // as defined in Appendix A.2
      };

      static const uint32_t amul2[256] = {
          ...
          // as defined in Appendix A.3
      };

      static const uint32_t amul3[256] = {
          ...
          // as defined in Appendix A.4
      };

      /* Global variables */

      // State S
      uint32_t A[5];              // five 32-bit units

Kiyomoto & Shin               Informational                    [Page 22]



RFC 7008               A Description of KCipher-2            August 2013

      uint32_t B[11];             // eleven 32-bit units
      uint32_t L1, R1, L2, R2;    // one 32-bit unit for each

      // The internal key (IK) and the initialization vector (IV)
      uint32_t IK[12];    // (12*32) bits
      uint32_t IV[4];     // (4*32) bits

B.2.  Code Components II - Functions

   /**
   * Do multiplication in GF(2#8) of the irreducible polynomial,
   * f(x) = x#8 + x#4 + x#3 + x + 1. The given parameter is multiplied
   * by 2.
   * @param    t : (INPUT). 8 bits. The number will be multiplied by 2
   * @return     : (OUTPUT). 8 bits. The multiplication result
   */
   uint8_t GF_mult_by_2 (uint8_t t) {
       uint8_t q;
       uint32_t lq;

       lq = t << 1;
       if ((lq & 0x100) != 0) lq ^= 0x011B;
       q = lq ^ 0xFF;

       return q;
   }

   /**
   * Do multiplication in GF(2#8) of the irreducible polynomial,
   * f(x) = x#8 + x#4 + x#3 + x + 1. The given parameter is multiplied
   * by 3.
   * @param    t   : (INPUT). 8 bits. The number will be multiplied by 3
   * @return       : (OUTPUT). 8 bits. The multiplication result
   */
   uint8_t GF_mult_by_3 (uint8_t t) {
       uint8_t q;
       uint32_t lq;

       lq = (t << 1) ^ t;
       if ((lq & 0x100) != 0) lq ^= 0x011B;
       q = lq ^ 0xFF;

       return q;
   }

Kiyomoto & Shin               Informational                    [Page 23]



RFC 7008               A Description of KCipher-2            August 2013

   /**
   * Do substitution on a given input. See Section 2.4.2.
   * @param    t   : (INPUT), (1*32) bits
   * @return       : (OUTPUT), (1*32) bits
   */
   uint32_t sub_k2 (uint32_t in) {
       uint32_t out;

       uint8_t w0 = in & 0x000000ff;
       uint8_t w1 = (in >> 8) & 0x000000ff;
       uint8_t w2 = (in >> 16) & 0x000000ff;
       uint8_t w3 = (in >> 24) & 0x000000ff;

       uint8_t t3, t2, t1, t0;
       uint8_t q3, q2, q1, q0;

       t0 = S_box[w0]; t1 = S_box[w1]; t2 = S_box[w2]; t3 = S_box[w3];

       q0 = GF_mult_by_2(t0) ^ GF_mult_by_3(t1) ^ t2 ^ t3;
       q1 = t0 ^ GF_mult_by_2(t1) ^ GF_mult_by_3(t2) ^ t3;
       q2 = t0 ^ t1 ^ GF_mult_by_2(t2) ^ GF_mult_by_3(t3);
       q3 = GF_mult_by_3(t0) ^ t1 ^ t2 ^ GF_mult_by_2(t3);

       out = (q3 << 24) | (q2 << 16) | (q1 << 8) | q0;

       return out;
   }

   /**
   * Expand a given 128-bit key (K) to a 384-bit internal key
   * information (IK).
   * See Step 1 of init() in Section 2.3.2.
   * @param    key[4]  : (INPUT), (4*32) bits
   * @param    iv[4]   : (INPUT), (4*32) bits
   * @modify   IK[12]  : (OUTPUT), (12*32) bits
   * @modify   IV[12]  : (OUTPUT), (4*32) bits
   */
   void key_expansion (uint32_t *key, uint32_t *iv) {
       // copy iv to IV
       IV[0] = iv[0];  IV[1] = iv[1];  IV[2] = iv[2];  IV[3] = iv[3];

       // m = 0 ... 3
       IK[0] = key[0];     IK[1] = key[1];
       IK[2] = key[2];     IK[3] = key[3];
       // m = 4
       IK[4] = IK[0] ^ sub_k2((IK[3] << 8) ^ (IK[3] >> 24)) ^
               0x01000000;

Kiyomoto & Shin               Informational                    [Page 24]



RFC 7008               A Description of KCipher-2            August 2013

       // m = 4 ... 11, but not 4 nor 8
       IK[5] = IK[1] ^ IK[4];  IK[6] = IK[2] ^ IK[5];
       IK[7] = IK[3] ^ IK[6];

       // m = 8
       IK[8] = IK[4] ^ sub_k2((IK[7] << 8) ^ (IK[7] >> 24)) ^
               0x02000000;

       // m = 4 ... 11, but not 4 nor 8
       IK[9] = IK[5] ^ IK[8];  IK[10] = IK[6] ^ IK[9];
       IK[11] = IK[7] ^ IK[10];
   }

   /**
   * Set up the initial state value using IK and IV. See Step 2 of
   * init() in Section 2.3.2.
   * @param    key[4]  : (INPUT), (4*32) bits
   * @param    iv[4]   : (INPUT), (4*32) bits
   * @modify   S       : (OUTPUT), (A, B, L1, R1, L2, R2)
   */
   void setup_state_values (uint32_t *key, uint32_t *iv) {
       // setting up IK and IV by calling key_expansion(key, iv)
       key_expansion(key, iv);

       // setting up the internal state values
       A[0] = IK[4];   A[1] = IK[3];   A[2] = IK[2];
       A[3] = IK[1];   A[4] = IK[0];

       B[0] = IK[10];  B[1] = IK[11];  B[2] = IV[0];   B[3] = IV[1];
       B[4] = IK[8];   B[5] = IK[9];   B[6] = IV[2];   B[7] = IV[3];
       B[8] = IK[7];   B[9] = IK[5];   B[10] = IK[6];

       L1 = R1 = L2 = R2 = 0x00000000;
   }

   /**
   * Initialize the system with a 128-bit key (K) and a 128-bit
   * initialization vector (IV). It sets up the internal state value
   * and invokes next(INIT) iteratively 24 times. After this,
   * the system is ready to produce key streams. See Section 2.3.2.
   * @param    key[12] : (INPUT), (4*32) bits
   * @param    iv[4]   : (INPUT), (4*32) bits
   * @modify   IK      : (12*32) bits, by calling setup_state_values()
   * @modify   IV      : (4*32) bits,  by calling setup_state_values()
   * @modify   S       : (OUTPUT), (A, B, L1, R1, L2, R2)
   */
   void init (uint32_t *k, uint32_t *iv) {
       int i;

Kiyomoto & Shin               Informational                    [Page 25]



RFC 7008               A Description of KCipher-2            August 2013

       setup_state_values(k, iv);

       for(i=0; i < 24; i++) {
           next(INIT);
       }
   }

   /**
   * Non-linear function. See Section 2.4.1.
   * @param    A   : (INPUT), 8 bits
   * @param    B   : (INPUT), 8 bits
   * @param    C   : (INPUT), 8 bits
   * @param    D   : (INPUT), 8 bits
   * @return       : (OUTPUT), 8 bits
   */
   uint32_t NLF (uint32_t A, uint32_t B,
           uint32_t C, uint32_t D ) {
       uint32_t Q;

       Q = (A + B) ^ C ^ D;

       return Q;
   }

   /**
   * Derive a new state from the current state values.
   * See Section 2.3.1.
   * @param    mode    : (INPUT) INIT (= 0) or NORMAL (= 1)
   * @modify   S       : (OUTPUT)
   */
   void next (int mode) {
       uint32_t nA[5];
       uint32_t nB[11];
       uint32_t nL1, nR1, nL2, nR2;
       uint32_t temp1, temp2;

       nL1 = sub_k2(R2 + B[4]);
       nR1 = sub_k2(L2 + B[9]);
       nL2 = sub_k2(L1);
       nR2 = sub_k2(R1);

       // m = 0 ... 3
       nA[0] = A[1];   nA[1] = A[2];   nA[2] = A[3];   nA[3] = A[4];

       // m = 0 ... 9
       nB[0] = B[1];   nB[1] = B[2];   nB[2] = B[3];   nB[3] = B[4];
       nB[4] = B[5];   nB[5] = B[6];   nB[6] = B[7];   nB[7] = B[8];
       nB[8] = B[9];   nB[9] = B[10];

Kiyomoto & Shin               Informational                    [Page 26]



RFC 7008               A Description of KCipher-2            August 2013

       // update nA[4]
       temp1 = (A[0] << 8) ^ amul0[(A[0] >> 24)];
       nA[4] = temp1 ^ A[3];
       if (mode == INIT)
           nA[4] ^= NLF(B[0], R2, R1, A[4]);

       // update nB[10]
       if (A[2] & 0x40000000) /* if A[2][30] == 1 */ {
           temp1 = (B[0] << 8) ^ amul1[(B[0] >> 24)];
       } else /*if A[2][30] == 0*/ {
           temp1 = (B[0] << 8) ^ amul2[(B[0] >> 24)];
       }

       if (A[2] & 0x80000000) /* if A[2][31] == 1 */ {
           temp2 = (B[8] << 8) ^ amul3[(B[8] >> 24)];
       } else /* if A[2][31] == 0 */ {
           temp2 = B[8];
       }

       nB[10] = temp1 ^ B[1] ^ B[6] ^ temp2;

       if (mode == INIT)
           nB[10] ^= NLF(B[10], L2, L1, A[0]);

       /* copy S' to S */
       A[0] = nA[0];   A[1] = nA[1];   A[2] = nA[2];
       A[3] = nA[3];   A[4] = nA[4];

       B[0] = nB[0];   B[1] = nB[1];   B[2] = nB[2];   B[3] = nB[3];
       B[4] = nB[4];   B[5] = nB[5];   B[6] = nB[6];   B[7] = nB[7];
       B[8] = nB[8];   B[9] = nB[9];   B[10] = nB[10];

       L1 = nL1;   R1 = nR1;   L2 = nL2;   R2 = nR2;
   }

   /**
   * Obtain a key stream = (ZH, ZL) from the current state values.
   * See Section 2.3.3.
   * @param    ZH  : (OUTPUT) (1 * 32)-bit
   * @modify   ZL  : (OUTPUT) (1 * 32)-bit
   */
   void stream (uint32_t *ZH, uint32_t *ZL) {
       *ZH = NLF(B[10], L2, L1, A[0]);
       *ZL = NLF(B[0], R2, R1, A[4]);
   }

Kiyomoto & Shin               Informational                    [Page 27]



RFC 7008               A Description of KCipher-2            August 2013

B.3.  Use Case

      void main (void)  {

          // Set the key and the iv
          uint32_t key[4] = ...;
          uint32_t iv[4] = ...;

          init(key, iv);

          // produce a key stream
          stream(&zh, &zl);
          next(NORMAL);

          // produce another key stream
          stream(&zh, &zl);
          next(NORMAL);
          ...
      }

Appendix C.  Test Vectors

   This appendix provides running examples of KCipher-2 obtained from
   the naive implementation.  All values are written in hexadecimal
   form.

C.1.  Key Stream Generation Examples

   The following is a series of the 64-bit key streams generated from
   the given 8-bit keys (K) and 128-bit initialization vectors (IVs).

      - K : 00000000 00000000 00000000 00000000
      - IV: 00000000 00000000 00000000 00000000
      - Generated key streams at S(i) are as follows
        S(0): F871EBEF 945B7272
        S(1): E40C0494 1DFF0537
        S(2): 0B981A59 FBC8AC57
        S(3): 566D3B02 C179DBB4
        S(4): 3B46F1F0 33554C72
        S(5): 5DE68BCC 9872858F
        S(6): 57549602 4062F0E9
        S(7): F932C998 226DB6BA
        ...

      - K : A37B7D01 2F897076 FE08C22D 142BB2CF
      - IV: 33A6EE60 E57927E0 8B45CC4C A30EDE4A
      - Generated key streams at S(i) are as follows
        S(0): 60E9A6B6 7B4C2524

Kiyomoto & Shin               Informational                    [Page 28]



RFC 7008               A Description of KCipher-2            August 2013

        S(1): FE726D44 AD5B402E
        S(2): 31D0D1BA 5CA233A4
        S(3): AFC74BE7 D6069D36
        S(4): 4A75BB6C D8D5B7F0
        S(5): 38AAAA28 4AE4CD2F
        S(6): E2E5313D FC6CCD8F
        S(7): 9D2484F2 0F86C50D
        ...

      - K : 3D62E9B1 8E5B042F 42DF43CC 7175C96E
      - IV: 777CEFE4 541300C8 ADCACA8A 0B48CD55
      - Generated key streams at S(i) are as follows
        S(0): 690F108D 84F44AC7
        S(1): BF257BD7 E394F6C9
        S(2): AA1192C3 8E200C6E
        S(3): 073C8078 AC18AAD1
        S(4): D4B8DADE 68802368
        S(5): 2FA42076 83DEA5A4
        S(6): 4C1D95EA E959F5B4
        S(7): 2611F41E A40F0A58
        ...

C.2.  Another Key Stream Generation with the State Values

   In this section, the initialization procedure and the key stream
   generation are illustrated in detail.  The given 128-bit key (K) and
   the 128-bit initialization vector (IV) are as follows:

      - K : 0F1E2D3C 4B5A6978 8796A5B4 C3D2E1F0
      - IV: F0E0D0C0 B0A09080 70605040 30201000.

      Based on K and IV, the init() operation (Section 2.3.2) sets up
      the internal state values, S = (A, B, L1, R1, L2, R2), as follows:

      A[0]: 7993A6A2    A[1]: C3D2E1F0    A[2]: 8796A5B4
      A[3]: 4B5A6978    A[4]: 0F1E2D3C

      B[0]: 38AB371B    B[1] : 4E26BC85   B[2]: F0E0D0C0
      B[3]: B0A09080    B[4] : BF3D92AF   B[5]: 8DF45D75
      B[6]: 70605040    B[7] : 30201000   B[8]: 768D8B9E
      B[9]: 32C9CFDA    B[10]: B55F6A6E

      L1: 00000000   R1: 00000000   L2: 00000000   R2: 00000000

Kiyomoto & Shin               Informational                    [Page 29]



RFC 7008               A Description of KCipher-2            August 2013

   To complete the initialization, the next() operation is applied to
   the state values 24 times (in Section 2.3.2, Step 3).  Let us denote
   each repeated application of the next() operation by init(i), where 1
   <= i <= 24.  The internal state values resulting from each init(i)
   are shown in Appendixes C.2.1 - C.2.24.

C.2.1.  S after init(1)

      A[0]: C3D2E1F0    A[1]: 8796A5B4    A[2]: 4B5A6978
      A[3]: 0F1E2D3C    A[4]: 37070F7F

      B[0]: 4E26BC85    B[1] : F0E0D0C0   B[2]: B0A09080
      B[3]: BF3D92AF    B[4] : 8DF45D75   B[5]: 70605040
      B[6]: 30201000    B[7] : 768D8B9E   B[8]: 32C9CFDA
      B[9]: B55F6A6E    B[10]: 64DEFF24

      L1: F360860C   R1: E81907D5   L2: 63636363   R2: 63636363

C.2.2.  S after init(2)

      A[0]: 8796A5B4    A[1]: 4B5A6978    A[2]: 0F1E2D3C
      A[3]: 37070F7F    A[4]: 25BCF981

      B[0]: F0E0D0C0    B[1] : B0A09080   B[2]: BF3D92AF
      B[3]: 8DF45D75    B[4] : 70605040   B[5]: 30201000
      B[6]: 768D8B9E    B[7] : 32C9CFDA   B[8]: B55F6A6E
      B[9]: 64DEFF24    B[10]: 7E65CB6A

      L1: 1B9542ED   R1: 9B259D28   L2: 971610F6   R2: 39C36E1D

C.2.3.  S after init(3)

      A[0]: 4B5A6978    A[1]: 0F1E2D3C    A[2]: 37070F7F
      A[3]: 25BCF981    A[4]: FA2DD9D3

      B[0]: B0A09080    B[1] : BF3D92AF   B[2]: 8DF45D75
      B[3]: 70605040    B[4] : 30201000   B[5]: 768D8B9E
      B[6]: 32C9CFDA    B[7] : B55F6A6E   B[8]: 64DEFF24
      B[9]: 7E65CB6A    B[10]: 08573732

      L1: 1F41CDFB   R1: CFAE13F3   L2: BCC7DC5B   R2: 1528DDA1

Kiyomoto & Shin               Informational                    [Page 30]



RFC 7008               A Description of KCipher-2            August 2013

C.2.4.  S after init(4)

      A[0]: 0F1E2D3C    A[1]: 37070F7F    A[2]: 25BCF981
      A[3]: FA2DD9D3    A[4]: AB820031

      B[0]: BF3D92AF    B[1] : 8DF45D75   B[2]: 70605040
      B[3]: 30201000    B[4] : 768D8B9E   B[5]: 32C9CFDA
      B[6]: B55F6A6E    B[7] : 64DEFF24   B[8]: 7E65CB6A
      B[9]: 08573732    B[10]: 40941D82

      L1: 8D7100A7   R1: AA6C8F89   L2: B4F43081   R2: 81264AF3

C.2.5.  S after init(5)

      A[0]: 37070F7F    A[1]: 25BCF981    A[2]: FA2DD9D3
      A[3]: AB820031    A[4]: D8F5995F

      B[0]: 8DF45D75    B[1] : 70605040   B[2]: 30201000
      B[3]: 768D8B9E    B[4] : 32C9CFDA   B[5]: B55F6A6E
      B[6]: 64DEFF24    B[7] : 7E65CB6A   B[8]: 08573732
      B[9]: 40941D82    B[10]: 1A8DA7FB

      L1: D315A91D   R1: 751BC887   L2: 9E8539E3   R2: 929B1D3C

C.2.6.  S after init(6)

      A[0]: 25BCF981    A[1]: FA2DD9D3    A[2]: AB820031
      A[3]: D8F5995F    A[4]: F697B5BB

      B[0]: 70605040    B[1] : 30201000   B[2]: 768D8B9E
      B[3]: 32C9CFDA    B[4] : B55F6A6E   B[5]: 64DEFF24
      B[6]: 7E65CB6A    B[7] : 08573732   B[8]: 40941D82
      B[9]: 1A8DA7FB    B[10]: 13B5E7F3

      L1: 88658E94   R1: 7F1C023D   L2: B16F9402   R2: 5F06AB3F

C.2.7.  S after init(7)

      A[0]: FA2DD9D3    A[1]: AB820031    A[2]: D8F5995F
      A[3]: F697B5BB    A[4]: 6B0A7012

      B[0]: 30201000    B[1] : 768D8B9E   B[2]: 32C9CFDA
      B[3]: B55F6A6E    B[4] : 64DEFF24   B[5]: 7E65CB6A
      B[6]: 08573732    B[7] : 40941D82   B[8]: 1A8DA7FB
      B[9]: 13B5E7F3    B[10]: D76ABD2C

      L1: 21BF8813   R1: 743F68DE   L2: A1F603E6   R2: 3D1EA499

Kiyomoto & Shin               Informational                    [Page 31]



RFC 7008               A Description of KCipher-2            August 2013

C.2.8.  S after init(8)

      A[0]: AB820031    A[1]: D8F5995F    A[2]: F697B5BB
      A[3]: 6B0A7012    A[4]: 23995B7E

      B[0]: 768D8B9E    B[1] : 32C9CFDA   B[2]: B55F6A6E
      B[3]: 64DEFF24    B[4] : 7E65CB6A   B[5]: 08573732
      B[6]: 40941D82    B[7] : 1A8DA7FB   B[8]: 13B5E7F3
      B[9]: D76ABD2C    B[10]: 997C3F70

      L1: B48EA08C   R1: 657C8FFD   L2: AAB50B58   R2: 281F9A12

C.2.9.  S after init(9)

      A[0]: D8F5995F    A[1]: F697B5BB    A[2]: 6B0A7012
      A[3]: 23995B7E    A[4]: F8532F87

      B[0]: 32C9CFDA    B[1] : B55F6A6E   B[2]: 64DEFF24
      B[3]: 7E65CB6A    B[4] : 08573732   B[5]: 40941D82
      B[6]: 1A8DA7FB    B[7] : 13B5E7F3   B[8]: D76ABD2C
      B[9]: 997C3F70    B[10]: 95FFF657

      L1: A2040C44   R1: EF19DC4E   L2: 543A1967   R2: 05D0CF60

C.2.10.  S after init(10)

      A[0]: F697B5BB    A[1]: 6B0A7012    A[2]: 23995B7E
      A[3]: F8532F87    A[4]: BEDF1DEF

      B[0]: B55F6A6E    B[1] : 64DEFF24   B[2]: 7E65CB6A
      B[3]: 08573732    B[4] : 40941D82   B[5]: 1A8DA7FB
      B[6]: 13B5E7F3    B[7] : D76ABD2C   B[8]: 997C3F70
      B[9]: 95FFF657    B[10]: 6D2C2FA3

      L1: C7AE66B0   R1: 9C075DB9   L2: 5554CBE7   R2: 866080C4

C.2.11.  S after init(11)

      A[0]: 6B0A7012    A[1]: 23995B7E    A[2]: F8532F87
      A[3]: BEDF1DEF    A[4]: 983D37.

      B[0]: 64DEFF24    B[1] : 7E65CB6A   B[2]: 08573732
      B[3]: 40941D82    B[4] : 1A8DA7FB   B[5]: 13B5E7F3
      B[6]: D76ABD2C    B[7] : 997C3F70   B[8]: 95FFF657
      B[9]: 6D2C2FA3    B[10]: A02127BE

      L1: 29F322A2   R1: 01F771D9   L2: 725670A2   R2: D4F24463

Kiyomoto & Shin               Informational                    [Page 32]



RFC 7008               A Description of KCipher-2            August 2013

C.2.12.  S after init(12)

      A[0]: 23995B7E    A[1]: F8532F87    A[2]: BEDF1DEF
      A[3]: 983D37CB    A[4]: 526A110D

      B[0]: 7E65CB6A    B[1] : 08573732   B[2]: 40941D82
      B[3]: 1A8DA7FB    B[4] : 13B5E7F3   B[5]: D76ABD2C
      B[6]: 997C3F70    B[7] : 95FFF657   B[8]: 6D2C2FA3
      B[9]: A02127BE    B[10]: 49F99042

      L1: 51536DF4   R1: 66111E6A   L2: 8147B572   R2: 6CC2AC80

C.2.13.  S after init(13)

      A[0]: F8532F87    A[1]: BEDF1DEF    A[2]: 983D37CB
      A[3]: 526A110D    A[4]: A5EEB8AE

      B[0]: 08573732    B[1] : 40941D82   B[2]: 1A8DA7FB
      B[3]: 13B5E7F3    B[4] : D76ABD2C   B[5]: 997C3F70
      B[6]: 95FFF657    B[7] : 6D2C2FA3   B[8]: A02127BE
      B[9]: 49F99042    B[10]: 406CE62C

      L1: 9582D912   R1: 6953AFE8   L2: B22A3A1D   R2: 903A4823

C.2.14.  S after init(14)

      A[0]: BEDF1DEF    A[1]: 983D37CB    A[2]: 526A110D
      A[3]: A5EEB8AE    A[4]: 70A5B5BA

      B[0]: 40941D82    B[1] : 1A8DA7FB   B[2]: 13B5E7F3
      B[3]: D76ABD2C    B[4] : 997C3F70   B[5]: 95FFF657
      B[6]: 6D2C2FA3    B[7] : A02127BE   B[8]: 49F99042
      B[9]: 406CE62C    B[10]: C57BED5B

      L1: EB77DD2D   R1: 633CFD8F   L2: 32A4BCEF   R2: CB33BCB2

C.2.15.  S after init(15)

      A[0]: 983D37CB    A[1]: 526A110D    A[2]: A5EEB8AE
      A[3]: 70A5B5BA    A[4]: B1145F18

      B[0]: 1A8DA7FB    B[1] : 13B5E7F3   B[2]: D76ABD2C
      B[3]: 997C3F70    B[4] : 95FFF657   B[5]: 6D2C2FA3
      B[6]: A02127BE    B[7] : 49F99042   B[8]: 406CE62C
      B[9]: C57BED5B    B[10]: 7BE2C520

      L1: E11420CC   R1: 6730A956   L2: 8EC8ACEF   R2: C7FC060A

Kiyomoto & Shin               Informational                    [Page 33]



RFC 7008               A Description of KCipher-2            August 2013

C.2.16.  S after init(16)

      A[0]: 526A110D    A[1]: A5EEB8AE    A[2]: 70A5B5BA
      A[3]: B1145F18    A[4]: FA752FDC

      B[0]: 13B5E7F3    B[1] : D76ABD2C   B[2]: 997C3F70
      B[3]: 95FFF657    B[4] : 6D2C2FA3   B[5]: A02127BE
      B[6]: 49F99042    B[7] : 406CE62C   B[8]: C57BED5B
      B[9]: 7BE2C520    B[10]: 1F48829C

      L1: 0D95C94D   R1: 8238B05F   L2: 7B00D356   R2: 0EFE8596

C.2.17.  S after init(17)

      A[0]: A5EEB8AE    A[1]: 70A5B5BA    A[2]: B1145F18
      A[3]: FA752FDC    A[4]: DB29190A

      B[0]: D76ABD2C    B[1] : 997C3F70   B[2]: 95FFF657
      B[3]: 6D2C2FA3    B[4] : A02127BE   B[5]: 49F99042
      B[6]: 406CE62C    B[7] : C57BED5B   B[8]: 7BE2C520
      B[9]: 1F48829C    B[10]: F95DD14F

      L1: 262687B5   R1: 9B9AC5E9   L2: 7C08EB5C   R2: 8C1300A3

C.2.18.  S after init(18)

      A[0]: 70A5B5BA    A[1]: B1145F18    A[2]: FA752FDC
      A[3]: DB29190A    A[4]: 35623CDA

      B[0]: 997C3F70    B[1] : 95FFF657   B[2]: 6D2C2FA3
      B[3]: A02127BE    B[4] : 49F99042   B[5]: 406CE62C
      B[6]: C57BED5B    B[7] : 7BE2C520   B[8]: 1F48829C
      B[9]: F95DD14F    B[10]: D939E13E

      L1: E478DEF0   R1: 06F84503   L2: 71350E88   R2: 14EF8E61

C.2.19.  S after init(19)

      A[0]: B1145F18    A[1]: FA752FDC    A[2]: DB29190A
      A[3]: 35623CDA    A[4]: 746B4AE8

      B[0]: 95FFF657    B[1] : 6D2C2FA3   B[2]: A02127BE
      B[3]: 49F99042    B[4] : 406CE62C   B[5]: C57BED5B
      B[6]: 7BE2C520    B[7] : 1F48829C   B[8]: F95DD14F
      B[9]: D939E13E    B[10]: 9970C980

      L1: C2AC94C4   R1: C708FAE8   L2: FC4900F1   R2: 7C260B6A

Kiyomoto & Shin               Informational                    [Page 34]



RFC 7008               A Description of KCipher-2            August 2013

C.2.20.  S after init(20)

      A[0]: FA752FDC    A[1]: DB29190A    A[2]: 35623CDA
      A[3]: 746B4AE8    A[4]: 2EB9213A

      B[0]: 6D2C2FA3    B[1] : A02127BE   B[2]: 49F99042
      B[3]: 406CE62C    B[4] : C57BED5B   B[5]: 7BE2C520
      B[6]: 1F48829C    B[7] : F95DD14F   B[8]: D939E13E
      B[9]: 9970C980    B[10]: 3C517031

      L1: 8F007DE9   R1: B2AE0889   L2: DD68D5EA   R2: 3C8757AC

C.2.21.  S after init(21)

      A[0]: DB29190A    A[1]: 35623CDA    A[2]: 746B4AE8
      A[3]: 2EB9213A    A[4]: BE3CA984

      B[0]: A02127BE    B[1] : 49F99042   B[2]: 406CE62C
      B[3]: C57BED5B    B[4] : 7BE2C520   B[5]: 1F48829C
      B[6]: F95DD14F    B[7] : D939E13E   B[8]: 9970C980
      B[9]: 3C517031    B[10]: D1439B63

      L1: AFC4E32F   R1: 98FBC87F   L2: 58B22D36   R2: 481DC7D6

C.2.22.  S after init(22)

      A[0]: 35623CDA    A[1]: 746B4AE8    A[2]: 2EB9213A
      A[3]: BE3CA984    A[4]: 974E6719

      B[0]: 49F99042    B[1] : 406CE62C   B[2]: C57BED5B
      B[3]: 7BE2C520    B[4] : 1F48829C   B[5]: F95DD14F
      B[6]: D939E13E    B[7] : 9970C980   B[8]: 3C517031
      B[9]: D1439B63    B[10]: 9334E221

      L1: F9C43357   R1: E5539EA2   L2: C0B76A7C   R2: 06EE4ED5

C.2.23.  S after init(23)

      A[0]: 746B4AE8    A[1]: 2EB9213A    A[2]: BE3CA984
      A[3]: 974E6719    A[4]: 86916EFF

      B[0]: 406CE62C    B[1] : C57BED5B   B[2]: 7BE2C520
      B[3]: 1F48829C    B[4] : F95DD14F   B[5]: D939E13E
      B[6]: 9970C980    B[7] : 3C517031   B[8]: D1439B63
      B[9]: 9334E221    B[10]: 50EF13E7

      L1: 309527ED   R1: C473D814   L2: 1B107B6D   R2: 0180D95D

Kiyomoto & Shin               Informational                    [Page 35]



RFC 7008               A Description of KCipher-2            August 2013

C.2.24.  S(0) after init(24)

      A[0]: 2EB9213A    A[1]: BE3CA984    A[2]: 974E6719
      A[3]: 86916EFF    A[4]: F52DACF9

      B[0]: C57BED5B    B[1] : 7BE2C520   B[2]: 1F48829C
      B[3]: F95DD14F    B[4] : D939E13E   B[5]: 9970C980
      B[6]: 3C517031    B[7] : D1439B63   B[8]: 9334E221
      B[9]: 50EF13E7    B[10]: E0BD9F91

      L1: 4370D8E6   R1: DABED76C   L2: 11C1ACCB   R2: C3BAAEDF

   Note that the result of init(24) is also referred to as S(0) (in
   Section 2.3.2).  Since the state is S(0), the stream() operation (in
   Section 2.3.3) can be applied and generate key streams.

      Key stream at S(0) : 9FB6B580A6A5E7AF

   Henceforth, a new key stream can be produced by 1) obtaining a new
   state by applying the next() operation to the current state, and 2)
   generating a new key stream by applying the stream() operation to the
   new state.

C.2.25.  S(1) and the Key Stream at S(1)

      A[0]: BE3CA984    A[1]: 974E6719    A[2]: 86916EFF
      A[3]: F52DACF9    A[4]: 960329B5

      B[0]: 7BE2C520    B[1] : 1F48829C   B[2]: F95DD14F
      B[3]: D939E13E    B[4] : 9970C980   B[5]: 3C517031
      B[6]: D1439B63    B[7] : 9334E221   B[8]: 50EF13E7
      B[9]: E0BD9F91    B[10]: 5318AEE1

      L1: 8FD86092   R1: 4BBDC0F6   L2: 8D63A5EF   R2: FEE0F24B

      Key stream at S(1) : D1989DC6A77D5E28

Kiyomoto & Shin               Informational                    [Page 36]



RFC 7008               A Description of KCipher-2            August 2013

C.2.26.  S(2) and the Key Stream at S(2)

      A[0]: 974E6719    A[1]: 86916EFF    A[2]: F52DACF9
      A[3]: 960329B5    A[4]: 1A3DB24E

      B[0]: 1F48829C    B[1] : F95DD14F   B[2]: D939E13E
      B[3]: 9970C980    B[4] : 3C517031   B[5]: D1439B63
      B[6]: 9334E221    B[7] : 50EF13E7   B[8]: E0BD9F91
      B[9]: 5318AEE1    B[10]: C86C2C77

      L1: 9686FE8C   R1: FAF89251   L2: 86C824E7   R2: 7BC21098

      Key stream at S(2) : 4EFCC8CB7BCFB32B

Authors' Addresses

   Shinsaku Kiyomoto
   KDDI R&D Laboratories, Inc.
   2-1-15 Ohara
   Fujimino-shi, Saitama  356-8502
   Japan

   Phone: +81-49-278-7885
   Fax:   +81-49-278-7510
   EMail: kiyomoto@kddilabs.jp

   Wook Shin
   KDDI R&D Laboratories, Inc.
   2-1-15 Ohara
   Fujimino-shi, Saitama  356-8502
   Japan

   EMail: ohpato@hanmail.net

Kiyomoto & Shin               Informational                    [Page 37]