Information technology — Security techniques — Encryption algorithms — Part 4: Stream ciphers

ISO/IEC 18033-4:2011 specifies output functions to combine a keystream with plaintext, keystream generators for producing keystream, and object identifiers assigned to dedicated keystream generators in accordance with ISO/IEC 9834.

Technologies de l'information — Techniques de sécurité — Algorithmes de chiffrement — Partie 4: Chiffrements en flot

General Information

Status: Published
Publication Date: 15-Dec-2011
Current Stage: 9093 - International Standard confirmed
Completion Date: 26-Oct-2022
Standard
ISO/IEC 18033-4:2011 - Information technology -- Security techniques -- Encryption algorithms
English language
92 pages

Standards Content (Sample)

INTERNATIONAL STANDARD ISO/IEC 18033-4
Second edition
2011-12-15

Information technology — Security techniques — Encryption algorithms — Part 4: Stream ciphers
Technologies de l'information — Techniques de sécurité — Algorithmes de chiffrement — Partie 4: Chiffrements en flot

Reference number ISO/IEC 18033-4:2011(E)
© ISO/IEC 2011


COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
4.1 Symbols
4.2 Functions
5 Framework for stream ciphers
6 General models for stream ciphers
6.1 Keystream generators
6.2 Output functions
7 Constructing keystream generators from block ciphers
7.1 Block cipher modes for a synchronous keystream generator
7.2 Block cipher mode for a self-synchronizing keystream generator
8 Dedicated keystream generators
8.1 MUGI keystream generator
8.2 SNOW 2.0 keystream generator
8.3 Rabbit keystream generator
8.4 Decim v2 keystream generator
8.5 KCipher-2 (K2) keystream generator
Annex A (normative) Object Identifiers
Annex B (informative) Operations over the finite field $GF(2^n)$
Annex C (informative) Examples
Annex D (informative) Security information
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 18033-4 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 18033-4:2005), which has been technically
revised. It also incorporates the Amendment ISO/IEC 18033-4:2005/Amd.1:2009.
ISO/IEC 18033 consists of the following parts, under the general title Information technology — Security
techniques — Encryption algorithms:
- Part 1: General
- Part 2: Asymmetric ciphers
- Part 3: Block ciphers
- Part 4: Stream ciphers
Introduction
This part of ISO/IEC 18033 includes stream cipher algorithms. A stream cipher is an encryption mechanism
that uses a keystream to encrypt a plaintext in a bitwise or a block-wise manner. There are two types of
stream ciphers: a synchronous stream cipher, in which the keystream is generated from only the secret key
(and an initialization vector) and a self-synchronizing stream cipher, in which the keystream is generated from
the secret key and some past ciphertexts (and an initialization vector). This part of ISO/IEC 18033 describes
both pseudorandom number generators for producing keystream and output functions to combine a
keystream with plaintext.
This part of ISO/IEC 18033 includes two output functions:
- Binary-additive output function; and
- MULTI-S01 output function.
This part of ISO/IEC 18033 includes five dedicated keystream generators:
- MUGI keystream generator;
- SNOW 2.0 keystream generator;
- Rabbit keystream generator;
- Decim v2 keystream generator; and
- KCipher-2 (K2) keystream generator.

1 Scope
This part of ISO/IEC 18033 specifies
a) output functions to combine a keystream with plaintext,
b) keystream generators for producing keystream, and
c) object identifiers assigned to dedicated keystream generators in accordance with ISO/IEC 9834.
NOTE 1 The list of assigned object identifiers is given in Annex A.
NOTE 2 Any change to the specification of these algorithms resulting in a change of functional behaviour will result in a
change of the object identifier assigned to the algorithms concerned.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 18033-1, Information technology — Security techniques — Encryption algorithms — Part 1: General
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 18033-1 and the following
apply.
3.1
big-endian
method of storage of multi-byte numbers with the most significant bytes at the lowest memory addresses
[ISO/IEC 10118-1:2000]
3.2
ciphertext
data which has been transformed to hide its information content
[ISO/IEC 10116:2006]
3.3
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes
3.4
data integrity
property that data has not been altered or destroyed in an unauthorized manner
[ISO/IEC 9797-1:2011]
3.5
decryption
reversal of a corresponding encryption
[ISO/IEC 10116:2006]
3.6
encryption
reversible transformation of data by a cryptographic algorithm to produce ciphertext, i.e., to hide the
information content of the data
[ISO/IEC 9797-1:2011]
3.7
initialization value
value used in defining the starting point of an encryption process
3.8
key
sequence of symbols that controls the operation of a cryptographic transformation (e.g., encryption,
decryption, cryptographic check function computation, signature generation, or signature verification)
[ISO/IEC 11770-1:2010]
3.9
keystream function
function that takes as input, the current state of the keystream generator and (optionally) part of the previously
generated ciphertext, and gives as output the next part of the keystream
3.10
keystream generator
state-based process (i.e., a finite state machine) that takes as input, a key, an initialization vector, and if
necessary the ciphertext, and gives as output a keystream (i.e., a sequence of bits or blocks of bits) of
arbitrary length
3.11
n-bit block cipher
block cipher with the property that plaintext blocks and ciphertext blocks are n bits in length
[ISO/IEC 10116:2006]
3.12
next-state function
function that takes as input, the current state of the keystream generator and (optionally) part of the previously
generated ciphertext, and gives as output a new state for the keystream generator
3.13
output function
function that combines the keystream and the plaintext to produce the ciphertext
NOTE This function is often bitwise XOR.
3.14
padding
appending extra bits to a data string
[ISO/IEC 10118-1:2000]
3.15
plaintext
unencrypted information
[ISO/IEC 9797-1:2011]
3.16
secret key
key used with symmetric cryptographic techniques by a specified set of entities
[ISO/IEC 11770-3:2008]
3.17
state
current internal state of a keystream generator
4 Symbols and abbreviated terms
4.1 Symbols
0x  Prefix for hexadecimal values.
$0^{(n)}$  n-bit variable where 0 is assigned to every bit.
AND  Bitwise logical AND operation.
$Am^{(i)}[Y]$  The Y-th bit of the register $Am^{(i)}$ in KCipher-2 (K2).
$a_i$  Variables in an internal state of a keystream generator.
$b_i$  Variables in an internal state of a keystream generator.
CFB  Cipher FeedBack mode of a block cipher.
CTR  Counter mode of a block cipher.
$C_i$  Ciphertext block.
$D_i$  64-bit constants used for MUGI.
$e_K$  Symmetric block cipher encryption function using secret key K.
F  Subfunction used for MUGI.
FSM  Subfunction used for SNOW 2.0.
$GF(2^n)$  Finite field of exactly $2^n$ elements.
$GF(2^n)[x]$  The polynomial ring over the finite field $GF(2^n)$.
Init  Function which generates the initial internal state of a keystream generator.
IV  Initialization vector.
IK  Internal key used for KCipher-2 (K2).
K  Key.
M  Subfunction used for MUGI.
Next  Next-state function of a keystream generator.
NLF  Nonlinear function used for KCipher-2 (K2).
n  Block length.
OFB  Output FeedBack mode of a block cipher.
OR  Bitwise logical OR operation.
Out  Output function combining keystream and plaintext in order to generate ciphertext.
P  Plaintext.
$P_i$  Plaintext block.
R  Additional input to Out.
$S_R$  Subfunction used for MUGI.
Strm  Keystream function of a keystream generator.
SUB  Lookup table used for MUGI and SNOW 2.0.
$Sub_{K2}$  Subfunction used for KCipher-2 (K2).
$S_i$  Internal state of a keystream generator.
NOTE During normal operation of the cipher, i will increase monotonically starting from zero. However, during initialization of the ciphers, it is convenient from a notational point of view to let i take negative values and define the starting state $S_0$ in terms of values of $S_i$ for i < 0.
T  Subfunction used for SNOW 2.0.
Z  Keystream.
$Z_i$  Keystream block.
$\alpha_{MUL}$  Lookup table used for SNOW 2.0.
$\alpha_{MUL0}$  Lookup table with index 0 used for KCipher-2 (K2).
$\alpha_{MUL1}$  Lookup table with index 1 used for KCipher-2 (K2).
$\alpha_{MUL2}$  Lookup table with index 2 used for KCipher-2 (K2).
$\alpha_{MUL3}$  Lookup table with index 3 used for KCipher-2 (K2).
$\alpha_{inv\_MUL}$  Inverse lookup table used for SNOW 2.0.
$\rho_1$  Subfunction used for MUGI.
$\lambda_1$  Subfunction used for MUGI.
$\lceil x \rceil$  The smallest integer greater than or equal to the real number x.
¬x  Bitwise complement operation.
$\cdot$  Polynomial multiplication.
||  Bit concatenation.
$+_m$  Integer addition modulo $2^m$.
$\oplus$  Bitwise XOR (eXclusive OR) operation.
$\otimes$  Operation of multiplication of elements in the finite field $GF(2^n)$.
EXAMPLE $C = A \otimes B$: In this operation, the finite field is represented as a selected irreducible polynomial F(x) of degree n with binary coefficients, the n-bit blocks $A = (a_0, a_1, \ldots, a_{n-1})$ and $B = (b_0, b_1, \ldots, b_{n-1})$ (where the $a_i$ and $b_i$ are bits) are represented as the polynomials $A(x) = a_{n-1}x^{n-1} + a_{n-2}x^{n-2} + \ldots + a_0$ and $B(x) = b_{n-1}x^{n-1} + b_{n-2}x^{n-2} + \ldots + b_0$ respectively, then let $C(x) = A(x) \cdot B(x) \bmod F(x)$, i.e., C(x) is the polynomial of degree at most n–1 obtained by multiplying A(x) and B(x), dividing the result by F(x), and then taking the remainder. If $C(x) = c_{n-1}x^{n-1} + c_{n-2}x^{n-2} + \ldots + c_0$ (where the $c_i$ are bits) then let C be the n-bit block $(c_0, c_1, \ldots, c_{n-1})$.
+  Modular addition operation
$<<_n t$  t-bit left shift in an n-bit register.
$>>_n t$  t-bit right shift in an n-bit register.
$<<<_n t$  t-bit left circular rotation in an n-bit register.
$>>>_n t$  t-bit right circular rotation in an n-bit register.
4.2 Functions
4.2.1 Left-truncation of bits
The operation of selecting the j leftmost bits of an array $A = (a_0, a_1, \ldots, a_{m-1})$ to generate a j-bit array is written
$(j \sim A) = (a_0, a_1, \ldots, a_{j-1})$
This operation is defined only when 1 ≤ j ≤ m.
See ISO/IEC 10116:2006.
4.2.2 Shift operation
The operation Shift is defined as follows: Given an n-bit variable X and a k-bit variable V where 1 ≤ k ≤ n, the
effect of the shift function Shift is to produce the n-bit variable
$\mathrm{Shift}_k(X \mid V) = (x_k, x_{k+1}, \ldots, x_{n-1}, v_0, v_1, \ldots, v_{k-1})$ (k < n)
$\mathrm{Shift}_k(X \mid V) = (v_0, v_1, \ldots, v_{k-1})$ (k = n)
The effect is to shift the bits of array X left by k places, discarding $x_0, x_1, \ldots, x_{k-1}$, and to place the array V in the
rightmost k places of X. When k = n the effect is to totally replace X by V.
See ISO/IEC 10116:2006.
4.2.3 Variable I(k)
The variable I(k) is a k-bit variable where 1 is assigned to every bit.
5 Framework for stream ciphers
This clause contains a high-level description of a framework for the stream ciphers specified in this part of
ISO/IEC 18033. A detailed description of the general model for a stream cipher is provided in Clause 6. A
stream cipher specified in this part of ISO/IEC 18033 is defined by the specification of the following processes:
a) The keystream generator, which may be either
- a Synchronous keystream generator, or
- a Self-synchronizing keystream generator.
NOTE 1 Block cipher modes of operation are methods by which a block cipher can be used to construct a keystream
generator. These modes are standardised in ISO/IEC 10116, and the meaning of the functions used in the specification is
defined in 6.2.1 and 6.2.2.
NOTE 2 Block ciphers are defined in this part of ISO/IEC 18033.
b) The output function, which may be either
- the Binary-additive output function, or
- the MULTI-S01 output function.
6 General models for stream ciphers
6.1 Keystream generators
6.1.1 Synchronous keystream generators
A synchronous keystream generator is a finite-state machine. It is defined by:
a) An initialization function, Init, which takes as input a key K and an initialization vector IV, and outputs an
initial state $S_0$ for the keystream generator. The initialization vector should be chosen so that no two
messages are ever encrypted using the same key and the same IV.
b) A next-state function, Next, which takes as input the current state of the keystream generator $S_i$, and
outputs the next state of the keystream generator $S_{i+1}$.
c) A keystream function, Strm, which takes as input a state of the keystream generator $S_i$, and outputs a
keystream block $Z_i$.
When the synchronous keystream generator is first initialized, it will enter an initial state $S_0$ defined by:
$S_0 = \mathrm{Init}(IV, K)$.
On demand the synchronous keystream generator will, for i = 0, 1, ...:
a) Output a keystream block $Z_i = \mathrm{Strm}(S_i, K)$.
b) Update the state of the machine $S_{i+1} = \mathrm{Next}(S_i, K)$.
Therefore to define a synchronous keystream generator it is only necessary to specify the functions Init, Next
and Strm, including the lengths and alphabets of the key, the initialization vector, the state, and the output
block.
6.1.2 Self-synchronizing keystream generators
Generation of a keystream for a self-synchronizing stream cipher is dependent only on previous ciphertexts,
the key, and the initialization vector. A general model for a keystream generator for a self-synchronizing
stream cipher is now defined:
a) An initialization function, Init, which takes as input a key K and an initialization vector IV and outputs an
internal input for the keystream generator S and r dummy ciphertext blocks $C_{-1}, C_{-2}, \ldots, C_{-r}$.
b) A keystream function, Strm, that takes as input S and r ciphertext blocks $C_{i-1}, C_{i-2}, \ldots, C_{i-r}$, and outputs a
keystream block $Z_i$.
To define a self-synchronizing keystream generator it is only necessary to specify the number of feedback
blocks r and the functions Init and Strm.
NOTE A self-synchronizing stream cipher differs from a synchronous stream cipher in that the keystream depends
only on previous ciphertext, the initialization vector and the key, i.e., the keystream generator operates in a stateless
fashion. As a result, a decryptor for such a cipher can recover from loss of synchronization after receiving sufficient
ciphertext blocks. This also means that the method of keystream generation is dependent upon the selected output
function Out, which is typically the bitwise XOR operation.
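The recovery behaviour described in the NOTE above, as an added example that is not part of ISO/IEC 18033-4: it follows the general model (Init, Strm, r feedback blocks) with HMAC-SHA256 standing in for Strm. The 8-byte block size, r = 3, all function names and the sample data are assumptions constructed for this illustration.

```python
import hashlib
import hmac

R_FEEDBACK = 3   # r: number of feedback ciphertext blocks (assumed value)
BLOCK = 8        # block size in bytes (assumed value)

def init(key: bytes, iv: bytes):
    """Init(K, IV): internal input S and r dummy ciphertext blocks C_-1 .. C_-r."""
    s = hmac.new(key, b"S" + iv, hashlib.sha256).digest()
    dummies = [hmac.new(key, bytes([j]) + iv, hashlib.sha256).digest()[:BLOCK]
               for j in range(R_FEEDBACK)]
    return s, dummies

def strm(key: bytes, s: bytes, window: list) -> bytes:
    """Strm(S, C_{i-1}, ..., C_{i-r}) -> Z_i. HMAC-SHA256 is a stand-in, not from the standard."""
    return hmac.new(key, s + b"".join(window), hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, iv, plain_blocks):
    s, window = init(key, iv)
    out = []
    for p in plain_blocks:
        c = xor(p, strm(key, s, window))     # binary-additive output function
        out.append(c)
        window = [c] + window[:-1]           # keep only the r most recent ciphertext blocks
    return out

def decrypt(key, iv, cipher_blocks):
    s, window = init(key, iv)
    out = []
    for c in cipher_blocks:
        out.append(xor(c, strm(key, s, window)))
        window = [c] + window[:-1]           # feedback comes from received ciphertext only
    return out

def damaged(expected, got):
    """Indices at which the decryptor's output differs from the expected plaintext blocks."""
    return [i for i, (e, g) in enumerate(zip(expected, got)) if e != g]

# Constructed sample data: ten 8-byte plaintext blocks.
KEY, IV = b"constructed-key", b"constructed-iv"
PLAIN = [bytes([i]) * BLOCK for i in range(10)]

def corrupt_one_block():
    c = encrypt(KEY, IV, PLAIN)
    c[2] = xor(c[2], b"\x01" + bytes(BLOCK - 1))     # one bit altered in transit
    return damaged(PLAIN, decrypt(KEY, IV, c))

def lose_one_block():
    c = encrypt(KEY, IV, PLAIN)
    received = c[:2] + c[3:]                          # block 2 never arrives
    return damaged(PLAIN[:2] + PLAIN[3:], decrypt(KEY, IV, received))

if __name__ == "__main__":
    print("corrupted block 2 ->", corrupt_one_block())
    print("lost block 2      ->", lose_one_block())
```

The damage is bounded by r: the altered block and the r blocks after it decrypt incorrectly, and after a whole-block loss the next r received blocks do, after which the decryptor is back in step without any resynchronization message.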
6.2 Output functions
6.2.1 General model of output function
6.2 specifies two stream cipher output functions, i.e., techniques to be used in a stream cipher to combine a
keystream with plaintext to derive ciphertext.
An output function for a synchronous or a self-synchronizing stream cipher is a function Out that combines a
plaintext block $P_i$, a keystream block $Z_i$, and some other input R if necessary to give a ciphertext block $C_i$ (i ≥ 0).
A general model for a stream cipher output function is now defined:
Encryption of a plaintext block $P_i$ by a keystream block $Z_i$ is given by:
$C_i = \mathrm{Out}(P_i, Z_i, R)$,
and decryption of a ciphertext block $C_i$ by a keystream block $Z_i$ is given by:
$P_i = \mathrm{Out}^{-1}(C_i, Z_i, R)$.
The output function shall satisfy that for any keystream block $Z_i$, plaintext block $P_i$, and other input R,
$P_i = \mathrm{Out}^{-1}(\mathrm{Out}(P_i, Z_i, R), Z_i, R)$.
6.2.2 Binary-additive output function
A binary-additive stream cipher is a stream cipher in which the keystream, plaintext, and ciphertext blocks are
strings of binary digits, and the operation to combine plaintext with keystream is bitwise XOR. The operation
Out takes two inputs and does not use any additional information R for calculation. Let n be the bit length of
$P_i$. This function is specified by
$\mathrm{Out}(P_i, Z_i, R) = P_i \oplus Z_i$.
The operation $\mathrm{Out}^{-1}$ is specified by
$\mathrm{Out}^{-1}(C_i, Z_i, R) = C_i \oplus Z_i$.
NOTE The binary-additive stream cipher does not provide any integrity protection for encrypted data. If data integrity
is required, either the MULTI-S01 output function or a separate integrity mechanism should be used, such as a MAC, i.e.,
a Message Authentication Code (such mechanisms are specified in ISO/IEC 9797).
6.2.3 MULTI-S01 output function
a) General model of MULTI-S01
MULTI-S01 is an output function for a synchronous stream cipher that supports both data confidentiality
and data integrity. The MULTI-S01 encryption operation is suitable for use in an online environment.
However, the decryption operation of MULTI-S01 can only be performed in an offline situation, as the
integrity check is only performed after receiving all the ciphertext blocks. MULTI-S01 has a security
parameter n. The computation of Out depends on the choice of a field $GF(2^n)$, i.e., on the choice of an
irreducible polynomial over GF(2) of degree n. The MULTI-S01 function only accepts messages whose
length is a multiple of n. To encrypt messages whose length is not a multiple of n, a padding mechanism
Pad(M) is required.
NOTE 1 The redundancy R is generated in such a way that the sender and the receiver share it. R can be a fixed public
value like 0x00...0.
b) The encryption function Out(P, Z, R)
Input: n·u-bit plaintext P, keystream $Z = (Z_0, Z_1, \ldots)$, where $Z_i$ are n-bit blocks, n-bit redundancy R.
Output: Ciphertext C.
1) Let t be the lowest value of i (i ≥ 0) such that $Z_i \neq 0^{(n)}$.
2) Let $(P_0, P_1, \ldots, P_{u-1}) = P$, where $P_i$ is an n-bit block.
3) Set $P_u = Z_{t+u+3}$.
4) Set $P_{u+1} = R$.
5) For each $P_i$, do the following calculations (for i = 0, 1, ..., u + 1):
- Let $W_i = P_i \oplus Z_{t+i+1}$.
- Let $X_i = Z_t \otimes W_i$ (in $GF(2^n)$).
- Let $C_i = X_i \oplus W_{i-1}$, where $W_{i-1}$ is the W value of the previous block i - 1, and $W_{-1} = 0^{(n)}$.
- Set $C = C_0 \,||\, C_1 \,||\, \ldots \,||\, C_{u+1}$.
- Output C.
Figure 1 shows the block diagram of Out function.

Figure 1 — Out function of MULTI-S01 mode
NOTE 2 The irreducible polynomial used to define multiplication in the field depends on n. For instance, in the case of n
= 64 and 128, the irreducible polynomial $x^{64} + x^4 + x^3 + x + 1$ and $x^{128} + x^7 + x^2 + x + 1$ can be used.
c) The decryption function $\mathrm{Out}^{-1}(P, Z, R)$
Input: n·v-bit ciphertext C, keystream Z, n-bit redundancy R.
Output: Plaintext P or “reject”.
1) Let t be the lowest value of i (i ≥ 0) such that $Z_i \neq 0^{(n)}$.
2) Let $(C_0, C_1, \ldots, C_{v-1}) = C$, where $C_i$ is an n-bit block.
3) For each $C_i$, do the following calculations (for i = 0, 1, ..., v - 1):
- Let $X_i = C_i \oplus W_{i-1}$, where $W_{-1} = 0^{(n)}$.
- Let $W_i = Z_t^{-1} \otimes X_i$ (in $GF(2^n)$).
- Let $P_i = W_i \oplus Z_{t+i+1}$.
4) If $P_{v-2} = Z_{t+v+1}$ and $P_{v-1} = R$, output $P = P_0 \,||\, P_1 \,||\, \ldots \,||\, P_{v-3}$ as plaintext. Otherwise, output the
special symbol meaning “reject” without any text.
Figure 2 shows the block diagram of $\mathrm{Out}^{-1}$ function.

Figure 2 ― $\mathrm{Out}^{-1}$ function of MULTI-S01 mode
d) Padding mechanism Pad(M)
Only when lengths of input messages are not multiples of n, the following padding mechanism Pad(M) is
executed:
Input: (n·v + c)-bit string M, where v is a non-negative integer and 0 ≤ c < n.
Output: Padded plaintext P.
1) Pad a bit string "1" at the end of the message.
2) Pad (n – c – 1)-bit string $0^{(n-c-1)}$ to the string generated by step 1).
3) Output the whole data string in length of (n·v + n) bits.
NOTE 3 If the length of the message is a multiple of n in an environment where the length is not certain to be so, this
padding mechanism is recommended.
NOTE 4 In order to unpad the message, remove consecutive 0 bits at the end of the data, and remove another bit "1".
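An added example of Out, $\mathrm{Out}^{-1}$ and Pad(M) for n = 64 with the NOTE 2 polynomial, showing that any altered ciphertext block ends in "reject". It is not code from ISO/IEC 18033-4 and has not been checked against the Annex C vectors. Assumptions: a SHA-256 stand-in supplies the keystream, bit i of a Python integer is the coefficient of $x^i$, R = 0, padding is always applied to byte strings, and all function names are this example's own.

```python
import hashlib

N = 64                              # security parameter n: block length in bits
NB = N // 8
POLY = (1 << 64) | 0b11011          # x^64 + x^4 + x^3 + x + 1, from NOTE 2

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^64); assumption: bit i of the int is the coefficient of x^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= POLY               # reduce modulo the irreducible polynomial
    return r

def gf_inv(a: int) -> int:
    """Field inverse computed as a^(2^64 - 2); a must be non-zero."""
    r, e = 1, (1 << N) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def keystream(key: bytes, iv: bytes, count: int) -> list:
    """Constructed stand-in for a keystream generator (not one of the standard's)."""
    return [int.from_bytes(hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()[:NB], "big")
            for i in range(count)]

def pad(m: bytes) -> bytes:
    """Pad(M) on byte strings, always applied here: a 1 bit, then 0 bits."""
    return m + b"\x80" + b"\x00" * (-(len(m) + 1) % NB)

def unpad(p: bytes) -> bytes:
    return p.rstrip(b"\x00")[:-1]   # NOTE 4: drop trailing 0 bits, then the 1 bit

def out(P: list, Z: list, R: int) -> list:
    t = next(i for i, z in enumerate(Z) if z != 0)      # step 1
    blocks = P + [Z[t + len(P) + 3], R]                 # steps 3 and 4
    C, w_prev = [], 0                                   # W_{-1} = 0
    for i, p in enumerate(blocks):                      # step 5
        w = p ^ Z[t + i + 1]
        C.append(gf_mul(Z[t], w) ^ w_prev)
        w_prev = w
    return C

def out_inv(C: list, Z: list, R: int):
    t = next(i for i, z in enumerate(Z) if z != 0)
    v, zt_inv = len(C), gf_inv(Z[t])
    P, w_prev = [], 0
    for i, c in enumerate(C):
        w = gf_mul(zt_inv, c ^ w_prev)
        P.append(w ^ Z[t + i + 1])
        w_prev = w
    if v < 2 or P[v - 2] != Z[t + v + 1] or P[v - 1] != R:
        return None                                     # "reject"
    return P[:v - 2]

def seal(key: bytes, iv: bytes, msg: bytes, R: int = 0) -> list:
    data = pad(msg)
    P = [int.from_bytes(data[i:i + NB], "big") for i in range(0, len(data), NB)]
    return out(P, keystream(key, iv, len(P) + 8), R)

def open_(key: bytes, iv: bytes, C: list, R: int = 0):
    P = out_inv(C, keystream(key, iv, len(C) + 8), R)
    if P is None:
        return None
    return unpad(b"".join(p.to_bytes(NB, "big") for p in P))

if __name__ == "__main__":
    key, iv = b"constructed-key", b"constructed-iv"     # constructed sample inputs
    ct = seal(key, iv, b"transfer 100 to account 42")
    print(open_(key, iv, ct))
    ct[1] ^= 1                                          # alter one ciphertext bit
    print(open_(key, iv, ct))
```

Because each $W_i$ feeds into the next block, a change to any single ciphertext block carries through to the final block, so the comparison with R fails and nothing is released.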
7 Constructing keystream generators from block ciphers
7.1 Block cipher modes for a synchronous keystream generator
7.1.1 The OFB (Output FeedBack) mode and the CTR (Counter) mode
Subclause 7.1 specifies two n-bit block cipher modes for a synchronous keystream generator. They are the
OFB (Output FeedBack) mode and the CTR (Counter) mode of an n-bit block cipher $e_K$.
7.1.2 OFB mode
The OFB mode is defined by one parameter r, 1 ≤ r ≤ n, which is the size of a plaintext and ciphertext block.
The initialization vector IV is an n-bit string. IV shall be generated differently for two encryptions with the same
key K. The functions Init, Next and Strm are specified as follows:
- $\mathrm{Init}(IV, K) = IV$.
- $\mathrm{Next}(S_i, K) = e_K(S_i)$.
- $\mathrm{Strm}(S_i) = (r \sim S_i)$.
NOTE $\mathrm{Init}(IV, K) = IV$ is equivalent to $S_0 = IV$.
In case of the OFB mode, the binary-additive output function defined in 6.2.2 is used. Figure 3 shows the
block diagram of a keystream generator based on OFB mode.

Figure 3 ― Keystream generation based on OFB mode
7.1.3 CTR mode
The CTR mode is defined by one parameter r, 1 ≤ r ≤ n, which is the size of a plaintext and ciphertext block.
The initialization vector IV is an n-bit string. It shall be assured that $S_i \neq S_j'$ for two keystreams $S_0, S_1, S_2, \ldots$
and $S_0', S_1', S_2', \ldots$ generated with the same key K. The functions Init, Next and Strm are specified as follows:
- $\mathrm{Init}(IV, K) = IV$.
- $\mathrm{Next}(S_i, K) = S_i + 1 \bmod 2^n$.
- $\mathrm{Strm}(S_i, K) = (r \sim e_K(S_i))$.
NOTE $\mathrm{Init}(IV, K) = IV$ is equivalent to $S_0 = IV$.
In case of the CTR mode, the binary-additive output function defined in 6.2.2 is used. Figure 4 shows the
block diagram of a keystream generator based on CTR mode.
Figure 4 ― Keystream generation based on CTR mode
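The CTR functions Init, Next and Strm from 7.1.3 with the binary-additive output function, plus a check for the requirement that no state is shared between two keystreams under one key, as an added example that is not part of ISO/IEC 18033-4. The block cipher $e_K$ is replaced by a toy 4-round Feistel permutation built only for this illustration; n = 128, the function names and the sample values are assumptions.

```python
import hashlib

N = 128                       # block length n of the block cipher, in bits
HALF = N // 2

def e(key: bytes, block: int) -> int:
    """Stand-in for e_K: a toy 4-round Feistel permutation, constructed for this example only."""
    left, right = block >> HALF, block & ((1 << HALF) - 1)
    for rnd in range(4):
        digest = hashlib.sha256(key + bytes([rnd]) + right.to_bytes(HALF // 8, "big")).digest()
        left, right = right, left ^ int.from_bytes(digest[:HALF // 8], "big")
    return (left << HALF) | right

def init(iv: int, key: bytes) -> int:
    return iv                                  # Init(IV, K) = IV, i.e. S_0 = IV

def next_state(s: int, key: bytes) -> int:
    return (s + 1) % (1 << N)                  # Next(S_i, K) = S_i + 1 mod 2^n

def strm(s: int, key: bytes, r: int) -> int:
    return e(key, s) >> (N - r)                # Strm(S_i, K) = (r ~ e_K(S_i)): r leftmost bits

def ctr_xor(key: bytes, iv: int, blocks: list, r: int = N) -> list:
    """Binary-additive output function over r-bit blocks; the same call encrypts and decrypts."""
    s, out = init(iv, key), []
    for p in blocks:
        out.append(p ^ strm(s, key, r))
        s = next_state(s, key)
    return out

def states_overlap(iv_a: int, len_a: int, iv_b: int, len_b: int) -> bool:
    """True if two messages under one key would share a state S_i = S'_j (counters wrap mod 2^n)."""
    if len_a == 0 or len_b == 0:
        return False
    mod = 1 << N
    return (iv_b - iv_a) % mod < len_a or (iv_a - iv_b) % mod < len_b

# Constructed sample values: IV_A sits just below 2^n, so its third state wraps to 0 = IV_B.
KEY = b"constructed-key"
IV_A, IV_B = (1 << N) - 2, 0
PA = [0x1111, 0x2222, 0x3333]
PB = [0xAAAA, 0xBBBB]

def leaked_xor() -> int:
    """With a shared state the keystream block cancels: C_A[2] xor C_B[0] = P_A[2] xor P_B[0]."""
    ca, cb = ctr_xor(KEY, IV_A, PA), ctr_xor(KEY, IV_B, PB)
    return ca[2] ^ cb[0]

if __name__ == "__main__":
    print("overlap detected:", states_overlap(IV_A, len(PA), IV_B, len(PB)))
    print("ciphertext xor equals plaintext xor:", leaked_xor() == PA[2] ^ PB[0])
```

Running `states_overlap` over the (IV, block count) pairs planned for a key before use catches the wrap-around case that a simple "IVs differ" comparison misses.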
7.2 Block cipher mode for a self-synchronizing keystream generator
7.2.1 Introduction to the CFB mode
The CFB mode of an n-bit block cipher is a self-synchronizing stream cipher.
7.2.2 CFB mode
The CFB (Cipher FeedBack) mode is defined by three parameters, i.e., the size j of feedback buffer $S_i$, where
n ≤ j ≤ 1024n, the size b of feedback variable, where 1 ≤ b ≤ n and the size r of the output block, where 1 ≤ r ≤ b.
NOTE 1 The value b-r shall be small compared to b.
The initialization vector IV shall be a randomly generated j-bit string and also shall be generated differently for
two encryptions with the same key K. The functions Init, Next and Strm are specified as follows:
- $\mathrm{Init}(IV, K) = IV$.
- $\mathrm{Next}(S) = \mathrm{Shift}_b(S \mid \mathrm{Shift}_r(I(b) \mid C_i))$.
- $\mathrm{Strm}(S, K) = (r \sim e_K((n \sim S)))$.
NOTE 2 $\mathrm{Init}(IV, K) = IV$ is equivalent to $S_0 = IV$.
In case of the CFB mode, the binary-additive output function defined in 6.2.2 is use
...
