ISO/IEC 18033-4:2011

INTERNATIONAL ISO/IEC
STANDARD 18033-4
Second edition
2011-12-15
Information technology — Security
techniques — Encryption algorithms —
Part 4:
Stream ciphers
Technologies de l'information — Techniques de sécurité — Algorithmes
de chiffrement —
Partie 4: Chiffrements en flot

Reference number
©
ISO/IEC 2011
©  ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2011 – All rights reserved

Contents Page
Foreword . iv
Introduction . v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms . 3
4.1 Symbols . 3
4.2 Functions . 5
5 Framework for stream ciphers . 6
6 General models for stream ciphers . 6
6.1 Keystream generators . 6
6.2 Output functions . 7
7 Constructing keystream generators from block ciphers . 10
7.1 Block cipher modes for a synchronous keystream generator . 10
7.2 Block cipher mode for a self-synchronizing keystream generator . 12
8 Dedicated keystream generators . 13
8.1 MUGI keystream generator . 13
8.2 SNOW 2.0 keystream generator . 18
8.3 Rabbit keystream generator . 23
v2
8.4 Decim keystream generator . 27
8.5 KCipher-2 (K2) keystream generator . 33
Annex A (normative) Object Identifiers . 43
n
Annex B (informative) Operations over the finite field GF(2 ) . 45
Annex C (informative) Examples . 46
Annex D (informative) Security information . 88
Bibliography . 91

© ISO/IEC 2011 – All rights reserved iii

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 18033-4 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 18033-4:2005), which has been technically
revised. It also incorporates the Amendment ISO/IEC 18033-4:2005/Amd.1:2009.
ISO/IEC 18033 consists of the following parts, under the general title Information technology — Security
techniques — Encryption algorithms:
 Part 1: General
 Part 2: Asymmetric ciphers
 Part 3: Block ciphers
 Part 4: Stream ciphers
iv © ISO/IEC 2011 – All rights reserved

Introduction
This part of ISO/IEC 18033 includes stream cipher algorithms. A stream cipher is an encryption mechanism
that uses a keystream to encrypt a plaintext in a bitwise or a block-wise manner. There are two types of
stream ciphers: a synchronous stream cipher, in which the keystream is generated from only the secret key
(and an initialization vector) and a self-synchronizing stream cipher, in which the keystream is generated from
the secret key and some past ciphertexts (and an initialization vector). This part of ISO/IEC 18033 describes
both pseudorandom number generators for producing keystream and output functions to combine a
keystream with plaintext.
This part of ISO/IEC 18033 includes two output functions:
 Binary-additive output function; and
 MULTI-S01 output function.
This part of ISO/IEC 18033 includes five dedicated keystream generators:
 MUGI keystream generator;
 SNOW 2.0 keystream generator;
 Rabbit keystream generator;
v2
 Decim keystream generator; and
 KCipher-2 (K2) keystream generator.

© ISO/IEC 2011 – All rights reserved v

INTERNATIONAL STANDARD ISO/IEC 18033-4:2011(E)

Information technology — Security techniques — Encryption
algorithms —
Part 4:
Stream ciphers
1 Scope
This part of ISO/IEC 18033 specifies
a) output functions to combine a keystream with plaintext,
b) keystream generators for producing keystream, and
c) object identifiers assigned to dedicated keystream generators in accordance with ISO/IEC 9834.
NOTE 1 The list of assigned object identifiers is given in Annex A.
NOTE 2 Any change to the specification of these algorithms resulting in a change of functional behaviour will result in a
change of the object identifier assigned to the algorithms concerned.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 18033-1, Information technology — Security techniques — Encryption algorithms — Part 1: General
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 18033-1 and the following
apply.
3.1
big-endian
method of storage of multi-byte numbers with the most significant bytes at the lowest memory addresses
[ISO/IEC 10118-1:2000]
3.2
ciphertext
data which has been transformed to hide its information content
[ISO/IEC 10116:2006]
© ISO/IEC 2011 – All rights reserved 1

3.3
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes
3.4
data integrity
property that data has not been altered or destroyed in an unauthorized manner
[ISO/IEC 9797-1:2011]
3.5
decryption
reversal of a corresponding encryption
[ISO/IEC 10116:2006]
3.6
encryption
reversible transformation of data by a cryptographic algorithm to produce ciphertext, i.e., to hide the
information content of the data
[ISO/IEC 9797-1:2011]
3.7
initialization value
value used in defining the starting point of an encryption process
3.8
key
sequence of symbols that controls the operation of a cryptographic transformation (e.g., encryption,
decryption, cryptographic check function computation, signature generation, or signature verification)
[ISO/IEC 11770-1:2010]
3.9
keystream function
function that takes as input, the current state of the keystream generator and (optionally) part of the previously
generated ciphertext, and gives as output the next part of the keystream
3.10
keystream generator
state-based process (i.e., a finite state machine) that takes as input, a key, an initialization vector, and if
necessary the ciphertext, and gives as output a keystream (i.e., a sequence of bits or blocks of bits) of
arbitrary length
3.11
n-bit block cipher
block cipher with the property that plaintext blocks and ciphertext blocks are n bits in length
[ISO/IEC 10116:2006]
3.12
next-state function
function that takes as input, the current state of the keystream generator and (optionally) part of the previously
generated ciphertext, and gives as output a new state for the keystream generator
3.13
output function
function that combines the keystream and the plaintext to produce the ciphertext
NOTE This function is often bitwise XOR.
2 © ISO/IEC 2011 – All rights reserved

3.14
padding
appending extra bits to a data string
[ISO/IEC 10118-1:2000]
3.15
plaintext
unencrypted information
[ISO/IEC 9797-1:2011]
3.16
secret key
key used with symmetric cryptographic techniques by a specified set of entities
[ISO/IEC 11770-3:2008]
3.17
state
current internal state of a keystream generator
4 Symbols and abbreviated terms
4.1 Symbols
0x  Prefix for hexadecimal values.
(n)
0  n-bit variable where 0 is assigned to every bit.
AND Bitwise logical AND operation.
(i) (i)
Am [Y] The Y-th bit of the register Am in KCipher-2 (K2).
a  Variables in an internal state of a keystream generator.
i
b  Variables in an internal state of a keystream generator.
i
CFB Cipher FeedBack mode of a block cipher.
CTR Counter mode of a block cipher.
C  Ciphertext block.
i
D  64-bit constants used for MUGI.
i
e  Symmetric block cipher encryption function using secret key K.
K
F  Subfunction used for MUGI.
FSM Subfunction used for SNOW 2.0.
n n
GF(2 ) Finite field of exactly 2 elements.
n n
GF(2 )[x] The polynomial ring over the finite field GF(2 ).
© ISO/IEC 2011 – All rights reserved 3

Init  Function which generates the initial internal state of a keystream generator.
IV  Initialization vector.
IK  Internal key used for KCipher-2 (K2).
K  Key.
M  Subfunction used for MUGI.
Next Next-state function of a keystream generator.
NLF  Nonlinear function used for KCipher-2 (K2).
n  Block length.
OFB Output FeedBack mode of a block cipher.
OR  Bitwise logical OR operation.
Out  Output function combining keystream and plaintext in order to generate ciphertext.
P  Plaintext.
P  Plaintext block.
i
R  Additional input to Out.
S  Subfunction used for MUGI.
R
Strm Keystream function of a keystream generator.
SUB Lookup table used for MUGI and SNOW 2.0.
Sub Subfunction used for KCipher-2 (K2).
K2
S  Internal state of a keystream generator.
i
NOTE During normal operation of the cipher, i will increase monotonically starting from zero. However, during
initialization of the ciphers, it is convenient from a notational point of view to let i take negative values and define the
starting state S in terms of values of S for i <0.
i
T  Subfunction used for SNOW 2.0.
Z  Keystream.
Z  Keystream block.
i
 Lookup table used for SNOW 2.0.
MUL
 Lookup table with index 0 used for KCipher-2 (K2).
MUL0
 Lookup table with index 1 used for KCipher-2 (K2).
MUL1
 Lookup table with index 2 used for KCipher-2 (K2).
MUL2
4 © ISO/IEC 2011 – All rights reserved

 Lookup table with index 3 used for KCipher-2 (K2).
MUL3
 Inverse lookup table used for SNOW 2.0.
inv_MUL
  Subfunction used for MUGI.
  Subfunction used for MUGI.
x  The smallest integer greater than or equal to the real number x.

¬x  Bitwise complement operation.
  Polynomial multiplication.
||  Bit concatenation.
m
+      Integer addition modulo 2 .
m
  Bitwi
...