ETSI TS 104 053-3 V1.1.1 (2024-07)

TECHNICAL SPECIFICATION
TETRA Air Interface Security, Algorithms specification;
Part 3: TETRA and Authentication and Key Management
Algorithms TAA1
2 ETSI TS 104 053-3 V1.1.1 (2024-07)

Reference
DTS/TCCE-06213
Keywords
air interface, DMO, security, TETRA, V+D

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° w061004871

Important notice
The present document can be downloaded from:
https://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format at www.etsi.org/deliver.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
If you find a security vulnerability in the present document, please report it through our
Coordinated Vulnerability Disclosure Program:
https://www.etsi.org/standards/coordinated-vulnerability-disclosure
Notice of disclaimer & limitation of liability
The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of
experience to understand and interpret its content in accordance with generally accepted engineering or
other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law
rule and/or regulation and further, no representation or warranty is made of merchantability or fitness
and/or governmental
for any particular purpose or against infringement of intellectual property rights.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.

Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not
limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property
rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages
for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use
of or inability to use the software.
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2024.
All rights reserved.
ETSI
3 ETSI TS 104 053-3 V1.1.1 (2024-07)
Contents
Intellectual Property Rights . 6
Foreword . 6
Modal verbs terminology . 6
1 Scope . 7
2 References . 7
2.1 Normative references . 7
2.2 Informative references . 7
3 Definition of terms, symbols and abbreviations . 7
3.1 Terms . 7
3.2 Symbols . 8
3.3 Abbreviations . 8
4 Introduction . 8
4.0 General . 8
4.1 TAA1 introduction . 8
4.2 HURDLE-II introduction . 8
4.3 Comments on TAA1 specification . 9
4.3.1 Illustration of Hurdle-II modes . 9
4.3.2 Specification of BL2, TA32, TA52, TA 82 and TA92 . 9
4.3.3 Requirements on the use of Redundancy in TA31, TA51, TA81 and TA91 . 9
4.3.4 Meaning of Boolean Output in TA32, TA52, TA82 and TA92 . 9
5 TAA1 Algorithms Set . 9
5.1 Notation . 9
5.2 Basic block structure BL1 . 10
5.3 Other block Structure BL2 . 10
5.4 Expansion of bit blocks . 11
5.4.0 General . 11
5.4.1 Expansion EXP1 . 11
5.4.2 Expansion EXP2 . 12
5.4.3 Expansion EXP3 . 12
5.4.4 Expansion EXP4 . 12
5.5 Shrinking of blocks . 13
5.5.0 General . 13
5.5.1 Shrinking SHR1 . 13
5.5.2 Shrinking SHR2 . 13
5.5.3 Shrinking SHR3 . 13
5.6 Algorithms TA11, TA21 and TA41 . 13
5.6.0 General . 13
5.6.1 Input 2 of TA11, TA4l . 14
5.6.2 Input 2 of TA21 . 14
5.7 Algorithms TA12 and TA22 . 14
5.7.0 General . 14
5.7.1 Input expansion . 15
5.7.2 Output 1 derivation . 15
5.7.3 Output 2 derivation . 15
5.8 Algorithm TA31 . 15
5.8.0 General . 15
5.8.1 Input 1 expansion . 16
5.8.2 Key derivation . 16
5.8.3 Output derivation . 16
5.9 Algorithm TA32 . 17
5.9.0 General . 17
5.9.1 Input 1 expansion . 17
5.9.2 Key derivation . 17
5.9.3 Output derivation . 18
ETSI
4 ETSI TS 104 053-3 V1.1.1 (2024-07)
5.10 Algorithm TA5l. 18
5.10.0 General . 18
5.10.1 Data input to BL1 . 18
5.10.2 Key derivation . 19
5.10.3 Output derivation . 19
5.11 Algorithm TA52 . 19
5.11.0 General . 19
5.11.1 Input 1 expansion . 20
5.11.2 Key derivation . 20
5.11.3 Output derivation . 20
5.12 The Algorithm TA61 . 20
5.12.0 General . 20
5.12.1 Input 1 shrinking . 21
5.12.2 Key derivation . 21
5.12.3 K-string derivation . 21
5.12.4 Permutation P . 22
5.13 The Algorithm TA71 . 22
5.13.0 General . 22
5.13.1 Data input . 23
5.13.2 Key input . 23
5.13.3 Output derivation . 23
5.14 Algorithm TA81 . 23
5.14.0 General . 23
5.14.1 Data input to BL1 . 24
5.14.2 Key derivation . 25
5.14.3 Output derivation . 25
5.15 Algorithm TA82 . 25
5.15.0 General . 25
5.15.1 Input 1 expansion . 26
5.15.2 Key derivation . 26
5.15.3 Output derivation . 26
5.16 Algorithm TA91 . 26
5.16.0 General . 26
5.16.1 Data input to BL1 . 27
5.16.2 Key derivation . 27
5.16.3 Output derivation . 28
5.17 Algorithm TA92 . 28
5.17.0 General . 28
5.17.1 Input 1 expansion . 29
5.17.2 Key derivation . 29
5.17.3 Output derivation . 29
5.18 Algorithm TA101 . 29
5.19 Algorithm TB1 . 30
5.20 Algorithm TB2 . 30
5.21 Algorithm TB3 . 31
5.22 Algorithm TB4 . 31
5.23 Algorithm TB5 . 31
5.24 Algorithm TB6 . 32
5.23 Algorithm TB7 . 32
6 The HURDLE-II Algorithm . 33
6.0 General . 33
6.1 Notation . 33
6.2 Encryption . 33
6.3 Decryption . 34
6.4 The f Function of HURDLE-II . 34
6.4.0 General . 34
6.4.1 Data Expansion . 34
6.4.2 Addition of Round Key and Chained Byte Substitution . 34
6.4.3 Nibble selection . 35
6.4.4 Bit Permutation . 35
6.5 Key Schedule Algorithm . 35
ETSI
5 ETSI TS 104 053-3 V1.1.1 (2024-07)
6.6 Block cipher Generation . 36
6.6.1 Summary . 36
6.6.2 K loading and Key Scheduling . 36
6.6.3 Block Cipher Generation . 36
6.7 Figures of HURDLE-II Algorithm . 36
Annex A (informative): Bibliography . 39
History . 40

ETSI
6 ETSI TS 104 053-3 V1.1.1 (2024-07)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations
pertaining to these essential IPRs, if any, are publicly available for ETSI members and non-members, and can be
found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to
ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the
ETSI Web server (https://ipr.etsi.org/).
Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs,
including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not
referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become,
essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its

Members. 3GPP™ and LTE™ are trademarks of ETSI registered for the benefit of its Members and of the 3GPP
Organizational Partners. oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and of the ®
oneM2M Partners. GSM and the GSM logo are trademarks registered and owned by the GSM Association.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee TETRA and Critical
Communications Evolution (TCCE).
The present document is part 3 of a multi-part deliverable covering the specifications of the TETRA standard
encryption, authentication and key management algorithms, as identified below:
Part 1: "TETRA Encryption Algorithms Set A";
Part 2: "TETRA Encryption Algorithms TEA Set B";
Part 3: "TETRA and Authentication and Key Management Algorithms TAA1";
Part 4: "TETRA Authentication and Key Management Algorithms TAA2".
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

ETSI
7 ETSI TS 104 053-3 V1.1.1 (2024-07)
1 Scope
The present document consists of a specification for a set of algorithms TAA1 which may be used in authentication
and key management mechanisms for the Terrestrial European Trunked Radio (TETRA). TAA1 is an acronym for
"TETRA Authentication and Key Management Algorithms set 1". These specifications are detailed in clause 5.
The present document includes addenda 1, 2 and 3 of the algorithm specifications which adds some algorithms and
corrects errors in the original V.1 specification.
The block cipher that is used for this TAAl set is the HURDLE-II algorithm. This is described in the present document
at clause 6.
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
https://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long-term validity.
The following referenced documents are necessary for the application of the present document. "Some referenced ENs
are also published as Technical Specifications. In all cases, the latest version of such a document, either EN or TS,
should be taken as the referenced document.
[1] ETSI TS 100 392-7: "Terrestrial Trunked Radio (TETRA); Voice plus Data (V+D); Part 7:
Security".
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long-term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
Not applicable.
3 Definition of terms, symbols and abbreviations
3.1 Terms
Void.
ETSI
8 ETSI TS 104 053-3 V1.1.1 (2024-07)
3.2 Symbols
Void.
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
TAA1 TETRA Authentication and Authentication Algorithm
TETRA Terrestrial Trunked Radio
4 Introduction
4.0 General
The set of algorithms TAA1 described in the present document are the associated algorithms used for providing
TETRA air interface authentication and key management as specified in detail by the ETSI TS 300-392-7 [1]
Security.
The present document is organized as follows:
• Clause 5 provides the specification of all TAA1 algorithms, starting with the definition of shared block
structures and expansion and shrinking methods for blocks of input/output bits. A number of the algorithms
have inputs and outputs of the same length and meet the same requirements, and are therefore specified group-
wise.
• Clause 6 specifies the HURDLE-II algorithm used with TAA1.
4.1 TAA1 introduction
The set of algorithms described is designed to support easy software implementation. All algorithms specified below,
with the exception of the rather simple algorithms TB1 up to TB7, make use of a block cipher with an input and
output consisting of 64-bits and running under a 128-bit key. The block cipher that is used for this TAA1 set is the
HURDLE-II Algorithm described in clause 6 of the present document.
4.2 HURDLE-II introduction
The algorithm HURDLE-II specified in the present document is a 64-bit block cipher with a 128-bit key, designed
for use with the TETRA key management and authentication algorithms.
The HURDLE-II design is based on the Feistel structure and consists of an iterated round function and a key schedule
algorithm. The key schedule is tailored to 16 iterations of the round function. The Feistel structure, a well tried and
tested template for producing secure block ciphers, allows encryption and decryption to be achieved using essentially
the same code. The present document is organized as follows:
• clauses 6.2 to 6.5 provide a full specification of the functional components of the HURDLE-II algorithm;
• clause 6.6 specifies how these functions are used to generate the block cipher.
ETSI
9 ETSI TS 104 053-3 V1.1.1 (2024-07)
4.3 Comments on TAA1 specification
4.3.1 Illustration of Hurdle-II modes
Figures 1 and 2 illustrate the block structures BL1 and BL2. In these figures the use of the Block Cipher Hurdle-II
illustrated by BC is depicted.
What the figures do not explicitly show is that Hurdle-II is used in encryption mode in Figure 1 and in decryption mode
in Figure 2 (but note that the text in clauses 5.2 and 5.3 describe the use of the encryption and decryption mode).
4.3.2 Specification of BL2, TA32, TA52, TA 82 and TA92
Clause 5.3 describes the block structure BL2 without formally specifying the length of the output of BL2. Figure 2
shows the output as being 128 bits (16 bytes) which are split in two parts of 120 bits and 8 bits respectively.
Clauses 5.9.3, 5.11.3 and 5.15.3 refer to a 120-bit output of BL2. In fact, what is meant with this is the 120 bits which is
the result of deleting from the actual 16-byte BL2 output:
O O O O O O O O O O O O O O O O
15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
the last byte O as indicated in Figure 2.
The convention of a 16-byte output of BL2 is applied.
4.3.3 Requirements on the use of Redundancy in TA31, TA51, TA81 and
TA91
The requirements to the TA31, TA51, TA81 and TA91 and corresponding algorithms which are specified in (TA3* and
TA5*) and (TA8* and TA9*) should be clarified as follows.
To the input of the TA31, TA51, TA81 and TA91 redundancy shall be added. The output of these algorithms shall be
used as input to the respective TA32, TA52, TA82 and TA92 algorithms. The resulting output of these TA32, TA52,
TA82 and TA92 should contain the correct redundancy. This is indicated by a Boolean Output.
4.3.4 Meaning of Boolean Output in TA32, TA52, TA82 and TA92
TA31, TA51, TA81 and TA91 are encryption algorithms that encrypt values to which first redundancy is added.
TA32, TA52, TA82 and TA92 are the corresponding decryption algorithms. Each of these algorithms includes a
Boolean output that is referred to as the Manipulation Flag. These Boolean outputs are manipulation detection bits and
they may be used to check if the original redundancy is also present in the decrypted value: FALSE = redundancy
present and correct (not manipulated), TRUE = redundancy incorrect (manipulated).
5 TAA1 Algorithms Set
5.1 Notation
Throughout the present document bit strings are used. The bits of these strings are numbered from right to left,
beginning at zero. Bit strings are divided into strings of bytes, again numbered from right to left starting with zero. E.g.
the 128-bit input K is written with bytes:
K(127), K(126),. . .,K(2), K(1), K(0),
with bytes
K K K K . . . K K K K K ,
15 14 13 12 4 3 2 1 0
ETSI
10 ETSI TS 104 053-3 V1.1.1 (2024-07)
where the j-th byte is denoted as bit string:
K (7), K (6), K (5), K (4), K (3), K (2), K (1), K (0),
j j j j j j j j
and
K (i) = K (8 × j + i) , for j = 0, 1, 2, … , 15 and i = 0, 1, 2, … , 7.
j
The symbol ⊕ denotes the bytewise addition modulo two (exclusive or); i.e. rightmost bit of byte x is added
modulo two to rightmost bit of byte y, ., leftmost bit of byte x to leftmost bit of byte y.
x (i)1 x(i)2 x(i)1 ⊕ x(i)2
0 0 0
0 1 1
1 0 1
1 1 0
x(i) is bit i of byte x
y(i) is bit i of byte y
i = 0,.7
5.2 Basic block structure BL1
Most of the TAAl algorithms, with exception of TBl up to TB4 and TA61, consist of the basic
block structure BLl shown in Figure 1.

Figure 1: The basic structure BL1
The input consists of two 64-bit blocks. The leftmost block is enciphered with· a 64-bit block cipher BC using a 128-bit
key K (BC is the HURDLE-II block cipher). The output of this encryption is XOR-ed with the rightmost block and the
result of this is again enciphered using K as the key. The two encrypted output blocks from both BCs are the 128-bit
output of the algorithm core. The block ciphers will be used in two modes, in encryption and decryption mode.
5.3 Other block Structure BL2
In three algorithms (TA32, TA52 and TA82, see below), instead of the XOR- function described in clause 5.2 above,
the leftmost 56 bits of the leftmost input block are XOR-ed with leftmost 56 bits of the enciphered rightmost block (see
Figure 2). The rightmost 8 bits of this enciphered block are XOR-ed with the rightmost 8 bits of the leftmost input
block.
ETSI
11 ETSI TS 104 053-3 V1.1.1 (2024-07)

Figure 2: Other structure BL2
5.4 Expansion of bit blocks
5.4.0 General
The number of inputs and their block lengths are specific for each (or groups) of the TAA l algorithms. Several input
blocks are expanded before they are offered to the algorithm core in order to obtain the required block lengths.
In several algorithms, input blocks consisting of 80 or 88 bits need to be expanded to 120 or 128 bits. Four expansion
methods, EXP1, EXP2, EXP3 and EXP4 which are described below, are used for this.
Both methods, EXP2 and EXP4, expand 80-bit blocks to 128-bit blocks. EXP4 is used for key blocks and is
therefore different from EXP2.
5.4.1 Expansion EXP1
The input block consisting of 80 bits is expanded to 120 bits as follows (see also Figure 3 below, where B is the original
80-bit string):
• split the 80-bit input block into 5 pairs of bytes;
• for each pair, compute the XOR of both bytes and insert the result at the right- hand side of the pair.

Figure 3: Expansion EXP1 (from 80 to 120 bits)
ETSI
12 ETSI TS 104 053-3 V1.1.1 (2024-07)
5.4.2 Expansion EXP2
The input block consisting of 80 bits is expanded to 128 bits. The expansion method EXP2 is an EXP1 expansion with
one additional step (see also Figure 4):
• expansion EXP1;
• compute the byte-wise addition (modulo- 256) of all XOR results (5 bytes) obtained in the previous step,
and insert the result at the right-hand side of the 120  bits.
Expansion EXP1
G =A + C + D + E + F mod 256 (additional step).
Figure 4: Expansion EXP2
5.4.3 Expansion EXP3
The string of 88 bits is expanded to 120 bits as follows (see also Figure 5, where the original bit string is denoted by
B):
• Split the 88-bit string as shown in Figure 5.
• Compute the values A, C, D and E, and insert these into the 88-bit block as shown in Figure 5.

Figure 5: Expansion EXP3 (from 88 to 120 bits)
5.4.4 Expansion EXP4
The 80-bit input blocks, which are used as keys, are expanded to 128 bits, the length of the key to the block cipher.
EXP4 is done as follows (see also Figure 6, where the original 80-bit string is denoted by B):
• split the 80-bit input block into 5 pairs of bytes;
• for each pair, compute the byte-wise addition (modulo 256) of both bytes and insert the result at the left-hand
side of the pair of bytes;
• compute the XOR of all results of the byte-wise additions (5 bytes) obtained in the previous step, and insert the
result at the left-hand side of the 120 bits.
ETSI
13 ETSI TS 104 053-3 V1.1.1 (2024-07)

Figure 6: Expansion EXP4 (from 80 to 128 bits)
5.5 Shrinking of blocks
5.5.0 General
The outputs of the algorithm core are shrunk (and split) to the required outputs of specific block lengths. In several
algorithms, blocks consisting of 120 or 128 bits need to be shrunk to 80 or 88 bits. Three shrinking methods SHR l,
SHR2 and SHR3, which are described below, are used for this.
5.5.1 Shrinking SHR1
The block consisting of 120 bits, denoted as B, is shrunk to 80 bits by taking only the bytes numbered B , B , B ,
14 13 11
B , B , B , B , B , B and B .
10 8 7 5 4 2 1
5.5.2 Shrinking SHR2
The block consisting of 120 bits, denoted as B, is shrunk to 88 bits by taking only the bytes B , B , B , B , B , B , B ,
14 13 11 10 9 7 6
B , B , B and B .
5 3 2 1
5.5.3 Shrinking SHR3
The block consisting of 128 bits is shrunk to 80 bits by throwing away the leftmost 24 bits as well as the rightmost
24 bits.
5.6 Algorithms TA11, TA21 and TA41
5.6.0 General
The three algorithms TA11, TA21 and TA41 have the same input-output properties and meet the same requirements.
The inputs and output are of the following lengths:
Parameter Size
Input 1 128 bits
Input 2 80 bits
Output 128 bits
ETSI
14 ETSI TS 104 053-3 V1.1.1 (2024-07)
The algorithms TA11, TA21 and TA41 are based on the BL1 structure as shown in Figure 7:
• Input 1 is used as the key to BL1.
• Input 2 is expanded to 128 bits and is used as the data input to BL1.
• The Output is the output of BL1.
Input 2*
(expand)
128 bits
Key (input1)
BL1
128 bits
Output
*Reversed for clause 5.6.2
Figure 7: The TA11, TA21 and TA41 Algorithm
5.6.1 Input 2 of TA11, TA4l
The input 2 is expanded using EXP2 defined in clause 5.4.2.
5.6.2 Input 2 of TA21
The bytes of Input 2 are first reversed, i.e. if Input 2 is S , S …S , S then its reverse S' is:
9 8 1 0
S' = S, 0≤ I ≤ 9.
I 9-1
The reversed string S' is defined in clause 5.4.2 then expanded using EXP2.
5.7 Algorithms TA12 and TA22
5.7.0 General
The algorithms TA12 and TA22 have the same input-output properties and meet the same requirements. The Inputs and
Outputs are:
Parameter Size
Input 1 128 bits
Input 2 80 bits
Output 1 32 bits
Output 2 80 bits
The algorithms are based on the BLl structure as shown in Figure 8.
ETSI
15 ETSI TS 104 053-3 V1.1.1 (2024-07)
Input 2
(expand)
128 bits
Key(input 1)
BL1
128 bits
Bit selection
Output 2
Output 1
Figure 8: The TA12 and TA22 Algorithm
Input 1 is used as the key to BLl.
Input 2 is expanded to 128 bits and used as the data input to BLl. The two Outputs are derived from the 128-bit output
of BLl.
5.7.1 Input expansion
The input 2 is expanded using EXP2 defined in clause 5.4.2.
5.7.2 Output 1 derivation
If the bytes of the 128-bit output of BL1 are numbered B to B from right to left then the 32-bit Output 1 is:
0 15
5.7.3 Output 2 derivation
Output 2 consists of the remaining 10 bytes of the 128-bit output of BL1:

5.8 Algorithm TA31
5.8.0 General
The Inputs and Output of the algorithm are:
Parameter Size
Input 1 80 bits
Input 2 16 bits
Input 3 80 bits
Output 120 bits
The algorithm is based on the BLl structure as shown in Figure 9.
ETSI
16 ETSI TS 104 053-3 V1.1.1 (2024-07)
Input l is expanded and used as the input to BLl.
Input 2 is combined with Input 3 and used to form the key.
The Output is derived from the output of BLl.
5.8.1 Input 1 expansion
The 128-bit data input to BL1is derived from Input1 in the following manner.
Input 1is expanded to 120 bits using EXP1 as defined in clause 5.4.1. A zero byte is then appended to the right-hand
end.
Input 1
(expand)
120 bits & zero byte
Key (input2, input3
BL1
128 bits
(shrink)
Output
Figure 9: The TA31 Algorithm
5.8.2 Key derivation
The 128-bit key is derived from Input 2 and Input 3 as follows. If Input 2 is denoted as A and Input 3 as B, then:
An 80-bit string C is formed by concatenating five copies of Input A:
C = A A A A A A A A A A
1 0 1 0 1 0 1 0 1 0
C is XOR-ed with B and the result is expanded to 128 bits using EXP4 defined in clause 5.4.4:
K = EXP4 (C ⊕ B)
5.8.3 Output derivation
The 120-bit Output is:
O O O O O O O O O O O O O O O
15 14 13 12 11 10 9 7 6 5 4 3 2 1 0
where O is the 128-bit output of BLl. Note that O is discarded.
ETSI
17 ETSI TS 104 053-3 V1.1.1 (2024-07)
5.9 Algorithm TA32
5.9.0 General
The Inputs and Outputs of the algorithm are:
Parameter Size
Input 1
120 bits
Input 2 80 bits
Input 3 16 bits
Output 1 80 bits
Output 2 1 bit
The algorithm is based on the BL2 structure and is shown in Figure 10.
Input 1 is expanded and used as the input to BL2.
Input 1
(expand)
128 bits
Key (input2, input3)
BL2
120 bits
(shrink)
Output 1
Output 2
Figure 10: The TA32 Algorithm
Input 2 is combined with Input 3 and used to form the key.
Output 1 and Output 2 are derived from the 120-bit output of BL2.
5.9.1 Input 1 expansion
The 128-bit data input to BL2 is derived from Input 1 in the following manner.
If Input 1 is denoted by B, then the expansion is:

5.9.2 Key derivation
The 128-bit key is derived in the same way as described in clause 5.8.2, however, for TA32 the mentioned Input 2 and
Input 3 has to be interchanged.
ETSI
18 ETSI TS 104 053-3 V1.1.1 (2024-07)
5.9.3 Output derivation
The 120-bit output of BL2 is shrunk to the 80-bit Output 1 using SHR1 defined in clause 5.5.1.
The one-bit Output 2 is the binary result of a check of the 120-bit output of BL2, denoted B14 ……. Bo, before
shrinking:
Output 2 = False if Bi = Bi ⊕ B for i = 0, 3, 6, 9, 12
+ 1 i + 2
Output 2 = True otherwise.
5.10 Algorithm TA5l
5.10.0 General
The Inputs and Output of the algorithm are:
Parameter Size
Input 1
80 bits
Input 2
16 bits
Input 3
...