## ETSI TS 104 053-3 v1.1.1 (2024-07)



TETRA Air Interface Security, Algorithms specification; Part 3: TETRA and Authentication and Key Management Algorithms TAA1

Reference
DTS/TCCE-06213
Keywords
air interface, DMO, security, TETRA, V+D

## ETSI

650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 492944200 Fax: +33 493654716
Siret N ${ }^{\circ} 34862356200017$ - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N ${ }^{\circ}$ w061004871

## Important notice

The present document can be downloaded from:
https://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI deliverable is the one made publicly available in PDF format at www.etsi.org/deliver.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
If you find a security vulnerability in the present document, please report it through our Coordinated Vulnerability Disclosure Program:
https://www.etsi.org/standards/coordinated-vulnerability-disclosure

## Notice of disclaimer \& limitation of liability

The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of experience to understand and interpret its content in accordance with generally accepted engineering or other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law and/or governmental rule and/or regulation and further, no representation or warranty is made of merchantability or fitness for any particular purpose or against infringement of intellectual property rights.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.
Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use of or inability to use the software.

## Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
© ETSI 2024.
All rights reserved.

## Contents

Intellectual Property Rights ..... 6
Foreword .....  6
Modal verbs terminology ..... 6
1 Scope .....  7
2 References .....  7
2.1 Normative references .....  7
2.2 Informative references .....  7
3 Definition of terms, symbols and abbreviations .....  7
3.1 Terms .....  7
3.2 Symbols. .....  8
3.3 Abbreviations .....  8
4 Introduction .....  8
4.0 General .....  8
4.1 TAA1 introduction .....  8
4.2 HURDLE-II introduction .....  8
4.3 Comments on TAA1 specification .....  9
4.3.1 Illustration of Hurdle-II modes .....  9
4.3.2 Specification of BL2, TA32, TA52, TA 82 and TA92 ..... 9
4.3.3 Requirements on the use of Redundancy in TA31, TA51, TA81 and TA91 .....  9
4.3.4 Meaning of Boolean Output in TA32, TA52, TA82 and TA92 .....  9
5 TAA 1 Algorithms Set .....  9
5.1 Notation. .....  9
5.2 Basicblock structureBL1 ..... 10
5.3 Other block Structure BL2 ..... 10
5.4 Expansion of bit blocks ..... 11
5.4.0 General ..... 11
5.4.1 Expansion EXP1 ..... 11
5.4.2 Expansion EXP2 ..... 12
5.4.3 Expansion EXP3 ..... 12
5.4.4 ExpansionEXP4 ..... 12
5.5 Shrinking of blocks ..... 13
General ..... 13
5.5.0
Shrinking SHR1 .....  13
Shrinking SHR2 ..... 13
5.5.2
Shrinking SHR3
Shrinking SHR3 ..... 13 ..... 13 ..... 5.6
Algorithms TA11, TA21 and TA41 ..... 13
5.6.0 General ..... 13
5.6.1
5.6 .2Input 2 of TA11, TA4114
5.7Input 2 of TA2114
5.7.0
Algorithms TA12 and TA22 ..... 14
General ..... 14
5.7.1 Input expansion ..... 15
5.7.2 Output 1 derivation ..... 15
5.7.3 Output 2 derivation. ..... 15
5.8
Algorithm TA31 ..... 15
General ..... 15
5.8.1 Input 1 expansion ..... 16
5.8.2 Key derivation. ..... 16
5.8.3 Output derivation ..... 16
5.9 Algorithm TA32 ..... 17
5.9.0 General ..... 17
5.9.1 Input 1 expansion ..... 17
5.9.2 Key derivation ..... 17
5.9.3 Outputderivation ..... 18
5.10 Algorithm TA51 ..... 18
5.10 .0 General. ..... 18
5.10.1 Data input to BL1 ..... 18
5.10. Keyderivation ..... 19
5.10.3 Output derivation ..... 19
5.11 Algorithm TA52 .....  .19
5.11.0 General ..... 19
5.11. Input 1 expansion ..... 20
5.11.2 Key derivation ..... 20
5.11.3 Output derivation ..... 20
5.12 The Algorithm TA61 ..... 20
5.12 .0 General. ..... 20
5.12.1 Input 1 shrinking ..... 21
5.12.2 Key derivation ..... 21
5.12.3 K-stringderivation ..... 21
5.12.4 Permutation P ..... 22
5.13 The Algorithm TA71 ..... 22
5.13.0 General ..... 22
5.13.1 Data input ..... 23
5.13.2 Key input. ..... 23
5.13.3 Outputderivation ..... 23
5.14 Algorithm TA81 ..... 23
5.14.0 General ..... 23
5.14.1 Data input to BL1 ..... 24
5.14.2 Key derivation ..... 25
5.14.3 Output derivation ..... 25
5.15 Algorithm TA82 ..... 25
5.15.0 General ..... 25
5.15.1 Input 1 expansion ..... 26
5.15.2 Key derivation ..... 26
5.15.3 Output derivation ..... 26
5.16 Algorithm TA91 ..... 265.16.0
General ..... 26
5.16.1 Data input to BL1 ..... 27
5.16.2 Key derivation ..... 27
5.16.3 Output derivation ..... 28
Algorithm TA92 ..... 285.17.1 Input 1 expansion28
295.17.2 Key derivation
29
5.17.3 Output derivation ..... 295.18 Algorithm TA101
5.19 Algorithm TB1 ..... 29
305.20 Algorithm TB2
30
5.21 Algorithm TB3 Algorithm TB3 ..... 31
31
5.23 Algorithm TB5 ..... 31
5.24 Algorithm TB6 ..... 32
5.23 Algorithm TB7 ..... 32
6 The HURDLE-II Algorithm ..... 33
6.0 General ..... 33
6.1 Notation ..... 33
6.2 Encryption ..... 33
6.3 Decryption ..... 34
6.4 The $f$ Function of HURDLE-II. ..... 34
6.4.0 General ..... 34
6.4.1 Data Expansion ..... 34
6.4 .2 Addition of Round Key and Chained Byte Substitution ..... 34
6.4 .3 Nibble selection ..... 35
6.4.4 Bit Permutation ..... 35
6.5 Key Schedule Algorithm ..... 35
6.6 Block cipher Generation ..... 36
6.6.1 Summary ..... 36
6.6.2 $\quad$ K loading and Key Scheduling ..... 36
6.6.3 Block Cipher Generation ..... 36
6.7 Figures of HURDLE-II Algorithm. ..... 36
Annex A (informative): Bibliography ..... 39
History ..... 40

## Intellectual Property Rights

## Essential patents

IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations pertaining to these essential IPRs, if any, are publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).

Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

## Trademarks

The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.

DECT $^{\text {TM }}$, PLUGTESTS ${ }^{\text {TM }}$, UMTS ${ }^{\text {TM }}$ and the ETSI logo are trademarks of ETSI registered for the benefit of its Members. 3GPP ${ }^{\text {TM }}$ and LTE $^{\text {TM }}$ are trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. oneM2M ${ }^{\text {TM }}$ logo is a trademark of ETSI registered for the benefit of its Members and of the oneM2M Partners. GSM ${ }^{\circledR}$ and the GSM logo are trademarks registered and owned by the GSM Association.

## Foreword

This Technical Specification (TS) has been produced by ETSI Technical Committee TETRA and Critical Communications Evolution (TCCE).

The present document is part 3 of a multi-part deliverable covering the specifications of the TETRA standard encryption, authentication and key management algorithms, as identified below:

Part 1: "TETRA Encryption Algorithms Set A";
Part 2: "TETRA Encryption Algorithms TEA Set B";
Part 3: $\quad$ "TETRA and Authentication and Key Management Algorithms TAA1";
Part 4: "TETRA Authentication and Key Management Algorithms TAA2".

## Modal verbs terminology

In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

## 1 Scope

The present document consists of a specification for a set of algorithms TAA1 which may be used in authentication and key management mechanisms for the Terrestrial European Trunked Radio (TETRA). TAA1 is an acronym for "TETRA Authentication and Key Management Algorithms set 1". These specifications are detailed in clause 5.

The present document includes addenda 1, 2 and 3 of the algorithm specifications which adds some algorithms and corrects errors in the original V. 1 specification.

The block cipher that is used for this TAAl set is the HURDLE-II algorithm. This is described in the present document at clause 6.

## 2 References

### 2.1 Normative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

Referenced documents which are not found to be publicly available in the expected location might be found at https://docbox.etsi.org/Reference.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long-term validity.

The following referenced documents are necessary for the application of the present document. "Some referenced ENs are also published as Technical Specifications. In all cases, the latest version of such a document, either EN or TS, should be taken as the referenced document.

ETSI TS 100 392-7: "Terrestrial Trunked Radio (TETRA); Voice plus Data (V+D); Part 7: Security".

### 2.2 Informative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long-term validity.

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

Not applicable.

## 3 Definition of terms, symbols and abbreviations

### 3.1 Terms

Void.

### 3.2 Symbols

Void.

### 3.3 Abbreviations

For the purposes of the present document, the following abbreviations apply:
$\begin{array}{ll}\text { TAA1 } & \text { TETRA Authentication and Authentication Algorithm } \\ \text { TETRA } & \text { Terrestrial Trunked Radio }\end{array}$

## 4 Introduction

### 4.0 General

The set of algorithms TAA1 described in the present document are the associated algorithms used for providing TETRA air interface authentication and key management as specified in detail by the ETSI TS 300-392-7 [1] Security.

The present document is organized as follows:

- Clause 5 provides the specification of all TAA1 algorithms, starting with the definition of shared block structures and expansion and shrinking methods for blocks of input/output bits. A number of the algorithms have inputs and outputs of the same length and meet the same requirements, and are therefore specified groupwise.
- Clause 6 specifies the HURDLE-II algorithm used with TAA1.


### 4.1 TAA1 introduction

The set of algorithms described is designed to support easy software implementation. All algorithms specified below, with the exception of the rather simple algorithms TB1 up to TB7, make use of a block cipher with an input and output consisting of 64 -bits and running under a 128-bit key. The block cipher that is used for this TAA1 set is the HURDLE-II Algorithm described in clause 6 of the present document.

### 4.2 HURDLE-II introduction

The algorithm HURDLE-II specified in the present document is a 64 -bit block cipher with a 128 -bit key, designed for use with the TETRA key management and authentication algorithms.

The HURDLE-II design is based on the Feistel structure and consists of an iterated round function and a key schedule algorithm. The key schedule is tailored to 16 iterations of the round function. The Feistel structure, a well tried and tested template for producing secure block ciphers, allows encryption and decryption to be achieved using essentially the same code. The present document is organized as follows:

- clauses 6.2 to 6.5 provide a full specification of the functional components of the HURDLE-II algorithm;
- clause 6.6 specifies how these functions are used to generate the block cipher.


### 4.3 Comments on TAA1 specification

### 4.3.1 Illustration of Hurdle-II modes

Figures 1 and 2 illustrate the block structures BL1 and BL2. In these figures the use of the Block Cipher Hurdle-II illustrated by BC is depicted.

What the figures do not explicitly show is that Hurdle-II is used in encryption mode in Figure 1 and in decryption mode in Figure 2 (but note that the text in clauses 5.2 and 5.3 describe the use of the encryption and decryption mode).

### 4.3.2 Specification of BL2, TA32, TA52, TA 82 and TA92

Clause 5.3 describes the block structure BL2 without formally specifying the length of the output of BL2. Figure 2 shows the output as being 128 bits ( 16 bytes) which are split in two parts of 120 bits and 8 bits respectively.

Clauses 5.9.3, 5.11.3 and 5.15.3 refer to a 120-bit output of BL2. In fact, what is meant with this is the 120 bits which is the result of deleting from the actual 16-byte BL2 output:

$$
O_{15} O_{14} O_{13} O_{12} O_{11} O_{10} O_{9} O_{8} O_{7} O_{6} O_{5} O_{4} O_{3} O_{2} O_{1} O_{0}
$$

the last byte $O_{0}$ as indicated in Figure 2.
The convention of a 16-byte output of BL2 is applied.

### 4.3.3 Requirements on the use of Redundancy in TA31, TA51, TA81 and TA91

The requirements to the TA31, TA51, TA81 and TA91 and corresponding algorithms which are specified in (TA3* and TA5*) and (TA8* and TA9*) should be clarified as follows.

To the input of the TA31, TA51, TA81 and TA91 redundancy shall be added. The output of these algorithms shall be used as input to the respective TA32, TA52, TA82 and TA92 algorithms. The resulting output of these TA32, TA52, TA82 and TA92 should contain the correct redundancy. This is indicated by a Boolean Output.

### 4.3.4 Meaning of Boolean Output in TA32, TA52, TA82 and TA92

TA31, TA51, TA81 and TA91 are encryption algorithms that encrypt values to which first redundancy is added.
TA32, TA52, TA82 and TA92 are the corresponding decryption algorithms. Each of these algorithms includes a Boolean output that is referred to as the Manipulation Flag. These Boolean outputs are manipulation detection bits and they may be used to check if the original redundancy is also present in the decrypted value: FALSE = redundancy present and correct (not manipulated), TRUE = redundancy incorrect (manipulated).

## 5 TAA1 Algorithms Set

### 5.1 Notation

Throughout the present document bit strings are used. The bits of these strings are numbered from right to left, beginning at zero. Bit strings are divided into strings of bytes, again numbered from right to left starting with zero. E.g. the 128 -bit input K is written with bytes:

$$
K(127), K(126), \ldots, K(2), K(1), K(0),
$$

with bytes

$$
K_{15} K_{14} K_{13} K_{12} \ldots K_{4} K_{3} K_{2} K_{l} K_{0}
$$

where the j -th byte is denoted as bit string:

$$
K_{j}(7), K_{j}(6), K_{j}(5), K_{j}(4), K_{j}(3), K_{j}(2), K_{j}(1), K_{j}(0),
$$

and

$$
K_{j}(i)=K(8 \times j+i), \text { for } j=0,1,2, \ldots, 15 \text { and } i=0,1,2, \ldots, 7 .
$$

The symbol $\oplus$ denotes the bytewise addition modulo two (exclusive or); i.e. rightmost bit of byte $x$ is added modulo two to rightmost bit of byte $y, \ldots$, leftmost bit of byte $x$ to leftmost bit of byte $y$.

| $x(i) 1$ | $x(i) 2$ |  |
| :--- | :--- | :--- |
| 0 | 0 | 0 |
| 0 | 1 | 1 |
| 1 | 0 | 1 |
| 1 | 1 | 0 |
| $x(i)$ is bit $i$ of byte $x$ |  |  |
| $y(i)$ is bit $i$ of byte $y$ |  |  |
| $i=0, \ldots 7$ |  |  |

### 5.2 Basic block structure BL1

Most of the TAAl algorithms, with exception of TB1 up to TB4 and TA61, consist of the basic block structure BLl shown in Figure 1.


Figure 1: The basic structure BL1
The input consists of two 64-bit blocks. The leftmost block is enciphered with a 64 -bit block cipher BC using a 128 -bit key K (BC is the HURDLE-II block cipher). The output of this encryption is XOR-ed with the rightmost block and the result of this is again enciphered using K as the key. The two encrypted output blocks from both BCs are the 128-bit output of the algorithm core. The block ciphers will be used in two modes, in encryption and decryption mode.

### 5.3 Other block Structure BL2

In three algorithms (TA32, TA52 and TA82, see below), instead of the XOR- function described in clause 5.2 above, the leftmost 56 bits of the leftmost input block are XOR-ed with leftmost 56 bits of the enciphered rightmost block (see Figure 2). The rightmost 8 bits of this enciphered block are XOR-ed with the rightmost 8 bits of the leftmost input block.


Figure 2: Other structure BL2

### 5.4 Expansion of bit blocks

### 5.4.0 General

The number of inputs and their block lengths are specific for each (or groups) of the TAA 1 algorithms. Several input blocks are expanded before they are offered to the algorithm core in order to obtain the required block lengths.

In several algorithms, input blocks consisting of 80 or 88 bits need to be expanded to 120 or 128 bits. Four expansion methods, EXP1, EXP2, EXP3 and EXP4 which are described below, are used for this.

Both methods, EXP2 and EXP4, expand 80-bit blocks to 128-bit blocks. EXP4 is used for key blocks and is therefore different from EXP2.

### 5.4.1 Expansion EXP1

The input block consisting of 80 bits is expanded to 120 bits as follows (see also Figure 3 below, where B is the original 80-bit string):

- split the 80 -bit input block into 5 pairs of bytes;
- for each pair, compute the XOR of both bytes and insert the result at the right- hand side of the pair.


$$
A=B_{9} \oplus B_{8}, C=B_{7} \oplus B_{6}, D=B_{5} \oplus B_{4}, E=B_{3} \oplus B_{2}, F=B_{1} \oplus B_{0}
$$

Figure 3: Expansion EXP1 (from 80 to 120 bits)

### 5.4.2 Expansion EXP2

The input block consisting of 80 bits is expanded to 128 bits. The expansion method EXP2 is an EXP1 expansion with one additional step (see also Figure 4):

- expansion EXP1;
- compute the byte-wise addition (modulo- 256 ) of all XOR results ( 5 bytes) obtained in the previous step, and insert the result at the right-hand side of the 120 bits.


## Expansion EXP1

| $B_{9}$ | $B_{8}$ | $A$ | $B_{7}$ | $B_{6}$ | $C$ | $B_{5}$ | $B_{4}$ | $D$ | $B_{3}$ | $B_{2}$ | $E$ | $B_{1}$ | $B_{0}$ | $F$ | $G$ |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |

$$
\mathrm{G}=A+C+D+E+F \bmod 256(\text { additional step }) .
$$

Figure 4: Expansion EXP2

### 5.4.3 Expansion EXP3

The string of 88 bits is expanded to 120 bits as follows (see also Figure 5, where the original bit string is denoted by B):

- $\quad$ Split the 88 -bit string as shown in Figure 5.
- Compute the values A, C, D and E, and insert these into the 88-bit block as shown in Figure 5.


| $B_{10}$ | $B_{9}$ | $A$ | $B_{8}$ | $B_{7}$ | $B_{6}$ | $C$ | $B_{5}$ | $B_{4}$ | $B_{3}$ | $D$ | $B_{2}$ | $B_{1}$ | $B_{0}$ | $E$ |
| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |

where

$$
\begin{aligned}
& A=B_{10} \oplus B_{9} \\
& D=B_{5} \oplus B_{4} \oplus B_{3}
\end{aligned}
$$

$$
\begin{aligned}
& C=B_{8} \oplus B_{7} \oplus B_{6} \\
& E=B_{2} \oplus \dot{B}_{1} \oplus B_{0}
\end{aligned}
$$

Figure 5: Expansion EXP3 (from 88 to 120 bits)

### 5.4.4 Expansion EXP4

The 80-bit input blocks, which are used as keys, are expanded to 128 bits, the length of the key to the block cipher. EXP4 is done as follows (see also Figure 6, where the original 80-bit string is denoted by B):

- split the 80 -bit input block into 5 pairs of bytes;
- for each pair, compute the byte-wise addition (modulo 256) of both bytes and insert the result at the left-hand side of the pair of bytes;
- compute the XOR of all results of the byte-wise additions ( 5 bytes) obtained in the previous step, and insert the result at the left-hand side of the 120 bits.


Figure 6: Expansion EXP4 (from 80 to 128 bits)

### 5.5 Shrinking of blocks

### 5.5.0 General

The outputs of the algorithm core are shrunk (and split) to the required outputs of specific block lengths. In several algorithms, blocks consisting of 120 or 128 bits need to be shrunk to 80 or 88 bits. Three shrinking methods SHR 1, SHR2 and SHR3, which are described below, are used for this.

### 5.5.1 Shrinking SHR1

The block consisting of 120 bits, denoted as B , is shrunk to 80 bits by taking only the bytes numbered $B_{14}, B_{13}, B_{11}$, $B_{10}, B_{8}, B_{7}, B_{5}, B_{4}, B_{2}$ and $B_{1}$.

### 5.5.2 Shrinking SHR2

The block consisting of 120 bits, denoted as $B$, is shrunk to 88 bits by taking only the bytes $B_{14}, B_{13}, B_{11}, B_{10}, B_{9}, B_{7}, B_{6}$, $B_{5}, B_{3}, B_{2}$ and $B_{1}$.

### 5.5.3 Shrinking SHR3

The block consisting of 128 bits is shrunk to 80 bits by throwing away the leftmost 24 bits as well as the rightmost 24 bits.

### 5.6 Algorithms TA11, TA21 and TA41

### 5.6.0 General

The three algorithms TA11, TA21 and TA41 have the same input-output properties and meet the same requirements. The inputs and output are of the following lengths:

| Parameter | Size |
| :---: | :---: |
| Input 1 | 128 bits |
| Input 2 | 80 bits |
| Output | 128 bits |

The algorithms TA11, TA21 and TA41 are based on the BL1 structure as shown in Figure 7:

- Input 1 is used as the key to BL1.
- Input 2 is expanded to 128 bits and is used as the data input to BL1.
- The Output is the output of BL1.

*Reversed for clause 5.6.2
Figure 7: The TA11, TA21 and TA41 Algorithm


### 5.6.1 Input 2 of TA11, TA4

The input 2 is expanded using EXP2 defined in clause 5.4.2.

### 5.6.2 Input 2 of TA21

The bytes of Input 2 are first reversed, i.e. if Input 2 is $\boldsymbol{S}_{\boldsymbol{g}}, \boldsymbol{S}_{\boldsymbol{s}} \ldots \boldsymbol{S}_{\boldsymbol{l}}, \boldsymbol{S}_{\boldsymbol{o}}$ then its reverse $\mathbf{S}^{\prime}$ is:

$$
\mathrm{S}_{\mathrm{I}}^{\prime}=\mathrm{S}_{9-1}, \quad 0 \leq \mathrm{I} \leq 9 .
$$

The reversed string $S^{\prime}$ is defined in clause 5.4.2 then expanded using EXP2.

### 5.7 Algorithms TA12 and TA22

### 5.7.0 General

The algorithms TA12 and TA22 have the same input-output properties and meet the same requirements. The Inputs and Outputs are:

| Parameter | Size |
| :---: | :---: |
| Input 1 | 128 bits |
| Input 2 | 80 bits |
| Output 1 | 32 bits |
| Output 2 | 80 bits |

The algorithms are based on the BLl structure as shown in Figure 8.


Figure 8: The TA12 and TA22 Algorithm
Input 1 is used as the key to BLl.
Input 2 is expanded to 128 bits and used as the data input to BLl. The two Outputs are derived from the 128-bit output of BLl.

### 5.7.1 Input expansion

The input 2 is expanded using EXP2 defined in clause 5.4.2.

### 5.7.2 Output 1 derivation

If the bytes of the 128 -bit output of BL1 are numbered $B_{0}$ to $B_{15}$ from right to left then the 32 -bit Output 1 is:

| $B_{15} \oplus B_{12}$ | $B_{9}$ | $B_{6}$ | $B_{3} \oplus B_{0}$ |
| :--- | :--- | :--- | :--- |

### 5.7.3 Output 2 derivation

Output 2 consists of the remaining 10 bytes of the 128 -bit output of BL1:

| $B_{14}$ | $B_{13}$ | $B_{11}$ | $B_{10}$ | $B_{8}$ | $B_{7}$ | $B_{5}$ | $B_{4}$ | $B_{2}$ | $B_{1}$ |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |

### 5.8 Algorithm TA31

### 5.8.0 General

The Inputs and Output of the algorithm are:

| Parameter | Size |
| :---: | :---: |
| Input 1 | 80 bits |
| Input 2 | 16 bits |
| Input 3 | 80 bits |
| Output | 120 bits |

The algorithm is based on the BL1 structure as shown in Figure 9.

Input 1 is expanded and used as the input to BLl.
Input 2 is combined with Input 3 and used to form the key.
The Output is derived from the output of BLl.

### 5.8.1 Input 1 expansion

The 128-bit data input to BL1is derived from Input1 in the following manner.
Input 1is expanded to 120 bits using EXP1 as defined in clause 5.4.1. A zero byte is then appended to the right-hand end.


Figure 9: The TA31 Algorithm

### 5.8.2 Key derivation

The 128 -bit key is derived from Input 2 and Input 3 as follows. If Input 2 is denoted as A and Input 3 as B, then:
An 80-bit string C is formed by concatenating five copies of Input A:

$$
C=A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0}
$$

C is XOR-ed with B and the result is expanded to 128 bits using EXP4 defined in clause 5.4.4:

$$
K=E X P 4(C \oplus B)
$$

### 5.8.3 Output derivation

The 120-bit Output is:

$$
O_{15} O_{14} O_{13} O_{12} O_{11} O_{10} O_{9} O_{7} O_{6} O_{5} O_{4} O_{3} O_{2} O_{1} O_{0}
$$

where $O$ is the 128 -bit output of BLl . Note that $O_{8}$ is discarded.

### 5.9 Algorithm TA32

### 5.9.0 General

The Inputs and Outputs of the algorithm are:

| Parameter | Size |
| :---: | :---: |
| Input 1 | 120 bits |
| Input 2 | 80 bits |
| Input 3 | 16 bits |
| Output 1 | 80 bits |
| Output 2 | 1 bit |

The algorithm is based on the BL2 structure and is shown in Figure 10.
Input 1 is expanded and used as the input to BL2.


Figure 10: The TA32 Algorithm
Input 2 is combined with Input 3 and used to form the key.
Output 1 and Output 2 are derived from the 120-bit output of BL2.

### 5.9.1 Input 1 expansion

The 128-bit data input to BL2 is derived from Input 1 in the following manner.
If Input 1 is denoted by B, then the expansion is:

$$
B_{14} B_{13} B_{12} B_{11} B_{10} B_{9} B_{8} \text { (zero byte) } B_{7} B_{6} B_{5} B_{4} B_{3} B_{2} B_{1} B_{0}
$$

### 5.9.2 Key derivation

The 128-bit key is derived in the same way as described in clause 5.8.2, however, for TA32 the mentioned Input 2 and Input 3 has to be interchanged.

### 5.9.3 Output derivation

The 120 -bit output of BL2 is shrunk to the 80 -bit Output 1 using SHR1 defined in clause 5.5.1.
The one-bit Output 2 is the binary result of a check of the 120-bit output of BL2, denoted B14 ....... Bo, before shrinking:

Output $2=$ False $\quad$ if $B i=B i+1 \oplus B_{\mathrm{i}+2} \quad$ for $i=0,3,6,9,12$
Output $2=$ True $\quad$ otherwise.

### 5.10 Algorithm TA5I

### 5.10.0 General

The Inputs and Output of the algorithm are:

| Parameter | Size |
| :--- | :---: |
| Input 1 | 80 bits |
| Input 2 | 16 bits |
| Input 3 | 128 bits |
| Input 4 | 5 bits |
| Output | 120 bits |

The algorithm is based on the BL 1 structure as shown in Figure 11.
The combination of Input 1 and Input 4 is expanded and used as the input to BLl.
Input 2 is combined with Input 3 and used to form the key.
The Output is derived from the output of BL1.


Figure 11: The TA51 Algorithm

### 5.10.1 Data input to BL1

The 128 -bit data input to BLl is derived from Input 1 and Input 4 in the following manner.
Input 1 and Input 4 are concatenated as follows:

- (Input 4 is proceeded by three zeroes).
- This string of 88 bits is expanded to 120 bits using EXP3 defined in clause 5.4.3.

| Input 1 | 000 | Input 4 |
| :--- | :--- | :--- |

### 5.10.2 Key derivation

The 128 -bit key is derived from Input 2 and Input 3 as follows. If Input 2 is denoted as A and Input 3 as B, then: An128-bit string C is formed by concatenating eight copies of Input A.

$$
C=A_{1} A_{0} A_{1} A_{0} A_{1} A_{0} A_{1} A_{0} A_{1} A_{0} A_{1} A_{0} A_{1} A_{0} A_{1} A_{0}
$$

- $\quad$ C is XOR-ed with B and the result.
- $\quad K=C \oplus B$ is used as the key.


### 5.10.3 Output derivation

The 120-bit Output is derived as described in clause 5.8.3.

### 5.11 Algorithm TA52

### 5.11.0 General

The Inputs and Outputs of the algorithm are:

| Parameter | Size |
| :--- | ---: |
| Input 1 | 120 bits |
| Input 2 | 128 bits |
| Input 3 | 16 bits |
| Output 1 | 80 bits |
| Output 2 | 1 bit |
| Output 3 | 5 bits |

The algorithm is based on the BL2 structure and is shown in Figure 12.


Figure 12: The TA52 Algorithm

Input 1 is expanded and used as the input to BL2.
Input 2 is combined with Input 3 and used to form the key.
Output 1, Output 2 and Output 3 are derived from the 120-bit output of BL2.

### 5.11.1 Input 1 expansion

Input 1 is expanded to 128 bits as described in clause 5.9.1.

### 5.11.2 Key derivation

The 128 -bit key is derived in the same way as described in clause 5.10 .2 , however for TA52 the mentioned Input 2 and Input 3 has to be interchanged.

### 5.11.3 Output derivation

The 120-bit output of BL2 is shrunk to the 88 -bits using SHR2 defined in clause 5.5.1. The leftmost 80 bits are the Output 1 ; the rightmost 5 bits the Output 3.

The one-bit Output 2 is the binary result of a check of the 120-bit output of BL2, denoted B $14 \ldots$ Bo, before shrinking:
Output $2=$ False $\quad$ if $B_{i}=B_{i+1} \oplus \mathrm{~B}_{i+2} \oplus B_{i+3}$ for $i=0,4,8$ and
$\mathrm{B}_{12}=\mathrm{B}_{13} \oplus \mathrm{~B}_{14}$, and
if the leftmost three bits of byte B 1 are zero.
Output 2=True otherwise.

### 5.12 The Algorithm TA61

### 5.12.0 General

The Inputs and Output of the algorithm are:

| Parameter | Size |
| :---: | :---: |
| Input 1 | 80 bits |
| Input 2 | 24 bits |
| Output | 24 bits |

The structure of TA61 is shown in Figure 13.
Input 1 is shrunk to 64 bits and used as the input to $B C$. Input 1 is also expanded and used as the key to $B C$.
Input 2 is XOR-ed in three steps with three 24 -bit strings derived from the BC output. The XOR results of step 1 and 2 are permuted first before they are offered to the next step. The result of the last step is the Output of the algorithm.


Figure 13: The TA61 Algorithm

### 5.12.1 Input 1 shrinking

The 64 -bit data input to BC is derived from Input 1 in the following manner. If Input 1 is denoted as A , then the 64 -bit data input to BC is:

$$
\left(A_{9} \oplus A_{7}\right)\left(A_{8} \oplus A_{6}\right)\left(A_{7} \oplus A_{5}\right), \ldots,\left(A_{3} \oplus A_{1}\right)\left(A_{2} \oplus A_{0}\right) .
$$

### 5.12.2 Key derivation

The Input 1 is expanded to a 128 -bit key by using EXP4 defined in clause 5.4.4.

### 5.12.3 K-string derivation

The three 24-bit strings Ki, K2 and K3 are derived from the BC output in the following manner:

If we denote the BC output by:

| $B_{7}$ | $B_{6}$ | $B_{5}$ | $B_{4}$ | $B_{3}$ | $B_{2}$ | $B_{1}$ | $B_{0}$ |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |

then
$K_{1}=$

| $B_{7}$ | $B_{4}$ | $B_{1}$ |
| :--- | :--- | :--- |

$K_{2}=$

| $B_{6}$ | $B_{3}$ | $B_{0}$ |
| :--- | :--- | :--- |

$K_{3}=$

| $B_{5}$ | $B_{2}$ | $B_{7}$ |
| :--- | :--- | :--- |

### 5.12.4 Permutation P

The permutation P on the 24-bit strings (3 bytes) is done as follows. If the input to the permutation is:

| $a_{2}$ | $a_{1}$ | $a_{0}$ |
| :---: | :---: | :---: |

where $a_{2}, a_{1}$ and $a_{0}$ are bytes, then the output is

| $S\left(2 a_{2}+2 a_{1}-a_{0}\right)$ | $S\left(2 a_{2}+2 a_{0}-a_{1}\right)$ | $S\left(2 a_{1}+2 a_{0}-a_{2}\right)$ |
| :--- | :--- | :--- |

where + and - mean normal byte-by-byte addition and subtraction (i.e. modulo 256), and $S$ is the permutation on bytes, shown in the table below, that is also used in HURDLE-II (see [3]).
(Table entries are given row-wise in hexadecimal in the order $S[00], S[01], \ldots S[\mathrm{ff}]$.)


### 5.13 The Algorithm TA71

### 5.13.0 General

The Inputs and Output of the algorithm are:

| Parameter | Size |
| :---: | :---: |
| Input 1 | 80 bits |
| Input 2 | 80 bits |
| Output | 80 bits |

The algorithm is based on the BL1 structure as shown in Figure 14.
Input 1 and Input 2 are combined and used as the data input to BL1.
Input 1 is combined with Input 2 and used to form the key.
The Output is derived from the output of BL1.

### 5.13.1 Data input

The 128-bit data input to BL1 is derived from Input 1 and Input 2 in the following manner: Input 1 is XOR-ed with Input 2 and the resultant 80 -bit value is expanded to 128 bits using EXP2 as defined in clause 5.4.2.


## Output

Figure 14: The TA71 Algorithm

### 5.13.2 Key input

The 128 -bit key is derived from Input 1 and Input 2 in the following manner:

If Input 1 is denoted as $A$ and Input 2 as B, then the key $K$ is given by:

$$
K=A_{9} A_{8} A_{7} A_{6} A_{5} A_{4}\left(A_{3} \oplus B_{9}\right)\left(A_{2} \oplus B_{8}\right)\left(A_{1} \oplus B_{7}\right)\left(A_{0} \oplus B_{6}\right) B_{5} B_{4} B_{3} B_{2} B_{1} B_{0}
$$

### 5.13.3 Output derivation

The 128 -bit output of BLl is shrunk to the 80 -bit Output using SHR3 defined in clause 5.5.3.

### 5.14 Algorithm TA81

### 5.14.0 General

The basic block structure BL1 specified in clause 5.2 is used to construct TA81.
The Inputs and Output of the TA81 algorithm are:

| Parameter | Size |
| :---: | :---: |
| Input 1 | 80 bits |
| Input 2 | 16 bits |
| Input 3 | 128 bits |
| Input 4 | 16 bits |
| Output | 120 bits |

The algorithm is based on the BL1 structure as shown in Figure 15 below.
The combination of Input 1 and Input 4 is expanded and used as the input to BL1.
Input 2 is combined with Input 3 and used to form the key.

The Output is derived from the output of BL1.


Figure 15: The TA81 Algorithm

### 5.14.1 Data input to BL1

The 128 -bit data input to BL1 is derived from Input 1 and Input 4 in the following manner:

1) Input 1 and Input 4 are concatenated as follows:


This 96-bit string denoted as a 12-byte string.

| $B_{11}$ | $B_{10}$ | $B_{9}$ | $B_{8}$ | $B_{7}$ | $B_{6}$ | $B_{5}$ | $B_{4}$ | $B_{3}$ | $B_{2}$ | $B_{1}$ | $B_{0}$ |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |

2) This 12-byte string is expanded to 16-byte string as described below:

- Compute the values A, C, and D, insert these into the 12-byte block and add an all zero byte $\mathrm{Z}=$ ( 00000000 ) as shown in Figure 16 below.

| $B_{11}$ | $B_{10}$ | $B_{9}$ | $B_{8}$ | $B_{7}$ | $B_{6}$ | $B_{5}$ | $B_{4}$ | $B_{3}$ | $B_{2}$ | $B_{1}$ | $B_{0}$ |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |



| $B_{11}$ | $B_{10}$ | $B_{9}$ | $B_{8}$ | $A$ | $B_{7}$ | $B_{6}$ | $B_{5}$ | $B_{4}$ | $C$ | $B_{3}$ | $B_{2}$ | $B_{1}$ | $B_{0}$ | $D$ | Z |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |

where:
$A=B_{11} \oplus B_{10} \oplus B_{9} \oplus B_{8}$,
$C=B_{7} \oplus B_{6} \oplus B_{5} \oplus B_{4}$,
$D=B_{3} \oplus B_{2} \oplus B_{1} \oplus B_{0}, Z=(00000000)$.
Figure 16: Expansion from 12 to 16 bytes

### 5.14.2 Key derivation

Derive the 128 -bit key from Input 2 and Input 3 as follows. If Input 2 is denoted as A ( 2 bytes) and Input 3 as B (16 bytes), then:
a 128 -bit string $C$ is formed by concatenating eight copies of Input A .

$$
C=A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0}
$$

$C$ is XOR-ed with $B$ and the result.
$K=C \oplus B$ is used as the key.

### 5.14.3 Output derivation

Derive the 120-bit Output as described in clause 5.8.3 that is.
The 120-bit Output is:

$$
O_{15} O_{14} O_{13} O_{12} O_{11} O_{10} O_{9} O_{7} O_{6} O_{5} O_{4} O_{3} O_{2} O_{1} O_{0}
$$

where 0 is the 128 -bit output of BL1 and $O_{j}$ is the j -th byte of 0 .
Note that byte $O_{8}$ is discarded.

### 5.15 Algorithm TA82

### 5.15.0 General

The basic block structure BL2 specified in clause 5.3 is used to construct TA82.
The Inputs and Outputs of the TA82 algorithm are:

| Parameter | Size |
| :---: | :---: |
| Input 1 | 120 bits |
| Input 2 | 128 bits |
| Input 3 | 16 bits |
| Output 1 | 80 bits |
| Output 2 | 1 bit |
| Output 3 | 16 bits |

The algorithm is based on the BL2 structure and is shown in Figure 17.


Figure 17: The TA82 Algorithm

Input 1 is expanded and used as the input to BL2.
Input 2 is combined with Input 3 and used to form the key.
Output 1, Output 2 and Output 3 are derived from the 128 -bit output of BL2.

### 5.15.1 Input 1 expansion

Input 1 (length 120 bits) is expanded to 128 bits as described in clause 5.9.1. That is if Input 1 is denoted by $B$ ( 15 bytes), then the expansion is:

$$
B_{14} B_{13} B_{12} B_{11} B_{10} B_{9} B_{8} \text { (zero byte) } B_{7} B_{6} B_{5} B_{4} B_{3} B_{2} B_{1} B_{0}
$$

### 5.15.2 Key derivation

The 128 -bit key is derived in the same way as described in clause 5.14.1. However, for TA82 the mentioned Input 2 and Input 3 has to be interchanged, that is derive the 128-bit key from Input 2 and Input 3 as follows:

If Input 3 is denoted as $A$ ( 2 bytes) and Input 2 as $B$ ( 16 bytes), then:
a 128-bit string $C$ is formed by concatenating eight copies of Input $A$.

$$
C=A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0}
$$

$C$ is XOR-ed with $B$ and the result
$K=C \oplus B$ is used as the key.

### 5.15.3 Output derivation

Denote the 16-byte output (see also clause 5.3 describing BL2) as:

$$
B_{15} B_{14} B_{13} B_{12} B_{11} B_{10} B_{9} B_{8} B_{7} B_{6} B_{5} B_{4} B_{3} B_{2} B_{1} B_{0}
$$

The 10 bytes ( 80 bits) $B_{15} B_{14} B_{13} B_{12} B_{10} B_{9} B_{8} B_{7} B_{5} B_{4}$ are set as the Output 1.
The 2 bytes ( 16 bits) $B_{3} B_{2}$ are set as the Output 3 .
The one-bit Output 2 is the binary result of a check of the output of BL2:

- Output $2=$ FALSE if $B i=B_{4+i} \oplus B_{3+i} \oplus B_{2+i} \oplus B_{1+i}$. for $i=1,6,11$
- $\quad$ Output $2=$ TRUE otherwise.


### 5.16 Algorithm TA91

### 5.16.0 General

The basic block structure BL1 specified in clause 5.2 is used to construct TA91.
The Inputs and Output of the TA91 algorithm are:

| Parameter | Size |
| :---: | :---: |
| Input 1 | 96 bits |
| Input 2 | 16 bits |
| Input 3 | 128 bits |
| Output | 120 bits |

The algorithm is based on the BL1 structure as shown in Figure 18 below.

Input 1 is expanded and used as the input to BL1.
Input 2 is combined with Input 3 and used to form the key.
The Output is derived from the output of BL1.


Figure 18: The TA91 Algorithm

### 5.16.1 Data input to BL1

The 128-bit data input to BL1 is derived from Input 1 in the following manner:

1) Input 1 is denoted as a 12-byte string.

| $B_{11}$ | $B_{10}$ | $B_{9}$ | $B_{8}$ | $B_{7}$ | $B_{6}$ | $B_{5}$ | $B_{4}$ | $B_{3}$ | $B_{2}$ | $B_{1}$ | $B_{0}$ |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |

2) This 12-byte string is expanded to 16-byte string as described below.

- Compute the values A, C, and D, insert these into the 12-byte block and add an all zero byte $Z=(00000000)$ as shown in Figure 19 below.

| $B_{11}$ | $B_{10}$ | $B_{9}$ | $B_{8}$ | $B_{7}$ | $B_{6}$ | $B_{5}$ | $B_{4}$ | $B_{3}$ | $B_{2}$ | $B_{1}$ | $B_{0}$ |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |


| $B_{11}$ | $B_{10}$ | $B_{9}$ | $B_{8}$ |  | $B_{7}$ | $B_{6}$ | $B_{5}$ | $B_{4}$ |  | $B_{3}$ | $B_{2}$ | $B_{1}$ | $B_{0}$ |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |


| $B_{11}$ | $B_{10}$ | $B_{9}$ | $B_{8}$ | $A$ | $B_{7}$ | $B_{6}$ | $B_{5}$ | $B_{4}$ | $C$ | $B_{3}$ | $B_{2}$ | $B_{1}$ | $B_{0}$ | $D$ | Z |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |

where:
$A=B_{11} \oplus B_{10} \oplus B_{9} \oplus B_{8}$,
$C=B_{7} \oplus B_{6} \oplus B_{5} \oplus B_{4}$,
$D=B_{3} \oplus B_{2} \oplus B_{1} \oplus B_{0}$,
$Z=(00000000)$.
Figure 19: Expansion from 12 to 16 bytes

### 5.16.2 Key derivation

Derive the 128 -bit key from Input 2 and Input 3 as follows. If Input 2 is denoted as A ( 2 bytes) and Input 3 as B (16 bytes), then:
a 128 -bit string C is formed by concatenating eight copies of Input A.

$$
C=A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0}
$$

$C$ is XOR-ed with $B$ and the result.
$K=C \oplus B$ is used as the key.

### 5.16.3 Output derivation

The 120-bit Output is derived as described in clause 5.8.3 that is:
The 120-bit Output is:

$$
O_{15} O_{14} O_{13} O_{12} O_{11} O_{10} O_{9} O_{7} O_{6} O_{5} O_{4} O_{3} O_{2} O_{1} O_{0}
$$

where:
$O$ is the 128 -bit output of BL1; and
$O_{j}$ is the j-th byte of $O$.
Note that byte $O_{8}$ is discarded.

### 5.17 Algorithm TA92

### 5.17.0 General

The basic block structure BL2 specified in clause 5.3 is used to construct TA92.
The Inputs and Outputs of the TA92 algorithm are:

| Parameter | Size |
| :---: | :---: |
| Input 1 | 120 bits |
| Input 2 | 128 bits |
| Input 3 | 16 bits |
| Output 1 |  |
| Output 2 | 96 bits 1 bit |

The algorithm is based on the BL2 structure and is shown in Figure 20.


Figure 20: The TA92 Algorithm
Input 1 is expanded and used as the input to BL2.
Input 2 is combined with Input 3 and used to form the key.
Output 1 and Output 2 are derived from the 128-bit output of BL2.

### 5.17.1 Input 1 expansion

Input 1 (length 120 bits) is expanded to 128 bits as described in clause 5.9.1. That is if Input 1 is denoted by $B$ ( 15 bytes), then the expansion is:

$$
B_{14} B_{13} B_{12} B_{11} B_{10} B_{9} B_{8} \text { (zero byte) } B_{7} B_{6} B_{5} B_{4} B_{3} B_{2} B_{1} B_{0}
$$

### 5.17.2 Key derivation

The 128-bit key is derived in the same way as described in clause 5.16.2 of this addendum. However, for TA92 the mentioned Input 2 and Input 3 has to be interchanged, that is derive the 128-bit key from Input 2 and Input 3 as follows:

Input 3 is denoted as A (2 bytes) and Input 2 as B (16 bytes), then:
a 128-bit string $C$ is formed by concatenating eight copies of Input $A$.

$$
C=A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0} A_{l} A_{0}
$$

$C$ is XOR-ed with $B$ and the result $K=C \oplus B$ is used as the key.

### 5.17.3 Output derivation

Denote the 16-byte output see also clause 4.3.2 of BL2 as:

$$
B_{15} B_{14} B_{13} B_{12} B_{11} B_{10} B_{9} B_{8} B_{7} B_{6} B_{5} B_{4} B_{3} B_{2} B_{1} B_{0}
$$

The 12 bytes ( 96 bits) $B_{15} B_{14} B_{13} B_{12} B_{10} B_{9} B_{8} B_{7} B_{5} B_{4} B_{3} B_{2}$ are set as the Output 1.
The one-bit Output 2 is the binary result of a check of the output of BL2:

- Output $2=\mathrm{FALSE}$ if $B_{i}=B_{4+i} \oplus B_{3+i} \oplus B_{2+i} \oplus B_{1+i}$. for $i$ is 1 and 6 and 11 .
- Output $2=$ TRUE otherwise.


### 5.18 Algorithm TA101

The Inputs and Output of the TA101 algorithm are:

| Parameter | Size |
| :---: | :---: |
| Input $1(\mathrm{KS})$ | 128 bits |
| Input 2 (GCK0) | 80 bits |
| Input $3(\mathrm{MNI})$ | 24 bits |
| Output (KSv) | 128 bits |

TA101 uses the basic block structure BL1 of the TAA1 algorithm set.
An intermediate 80 -bit value Input 4 (INT) is generated by concatenating 3 copies of Input 3 and a single string of 8 binary zeros, and XORing this string with Input 2. The leftmost bit of the first copy of Input 3 shall form the leftmost bit of the concatenated string, and the 8 zeros shall form the rightmost bits of the concatenated string. This is illustrated in Figure 21.


Figure 21
That is, where:

- Input $1, \mathrm{KS}$ is a binary vector of 128 bits, labelled $\mathrm{KS}[127] \ldots . \mathrm{KS}[0]$
- Input 2, GCK0 is a binary vector of 80 bits, labelled GCK0[79]....GCK0[0]
- Input 3, MNI is a binary vector of 24 bits, labelled MNI[23]....MNI[0]
- Input 4, INT is a binary vector of 80 bits, labelled INT[79]....INT[0]
and where [0] in each case represents the least significant bit:

$$
\begin{array}{ll}
\text { INT [I] }=(\text { GCKO }[I]+\text { MNI }[I-56]) \bmod 2, & I=79,78, \ldots, 56 \\
\text { INT }[I]=(\text { GCKO }[I]+\text { MNI }[I-32]) \bmod 2, & I=55,54, \ldots, 32 \\
\text { INT [I] }=(\text { GCKO [I] + MNI [I-8]) mod } 2, & I=31,30, \ldots, 8 \\
\text { INT [I] }=(\text { GCKO [I]), } & I=7,6, \ldots, 0 .
\end{array}
$$

This intermediate Input 4, INT[79] ... INT[0], is expanded using the EXP2 expansion defined in the TAA1 algorithm set, and the 128-bit result used as the data input to BL1. Input 1, KS[127]...KS[0], forms the key input to BL1. The output from BL1 becomes the TA101 output value $\mathrm{KSv}[127]$... $\mathrm{KSv}[0]$.

### 5.19 Algorithm TB1

The Input and Output of the algorithm are:

| Parameter | Size |
| :---: | :---: |
| Input | $16-32$ bits |
| Output | 128 bits |

The Output of this algorithm is the Input repeated until 128 bits are obtained starting with the leftmost bit of the Input as the leftmost bit of the Output.

### 5.20 Algorithm TB2

The Input and Output of the algorithm are:

| Parameter | Size |
| :---: | :---: |
| Input | 128 bits |
| Output | 128 bits |

The Output of this algorithm is the Input.

### 5.21 Algorithm TB3

The Inputs and Output of the algorithm are:

| Parameter | Size |
| :---: | :---: |
| Input 1 | 128 bits |
| Input 2 | $16-32$ bits |
| Output | 128 bits |

The Output of this algorithm is the Input 1 XOR-ed with the repeated Input 2.
Input 2 is repeated until 128 bits are obtained starting with the leftmost bit of the Input 2 as the leftmost bit of the Output.

### 5.22 Algorithm TB4

The Input and Output. of the algorithm are:

| Parameter | Size |
| :---: | :---: |
| Input 1 | 80 bits |
| Input 2 | 80 bits |
| Output | 80 bits |

The Output of this algorithm is the Input 1 XOR-ed with Input 2.

### 5.23 Algorithm TB5

The Inputs and Output of the TB5 algorithm are:

| Parameter | Size |
| :---: | :---: |
| Input 1 | 80 bits |
| Input 2 | 14 bits |
| Input 3 | 12 bits |
| Input 4 | 6 bits |
| Output | 80 bits |

The Output of this algorithm is input 1 XOR-ed with an intermediate value. The intermediate value consists of inputs 2 , 3 and 4 concatenated with inputs 3 and 4 repeated; with the leftmost bits of input 2 forming the leftmost bits of the intermediate value:

| Input 2 | Input 3 | Input 4 | Input 3 | Input 4 | Input 3 | Input 4 | Input 3 |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |

That is:

$$
\begin{aligned}
& \text { ECK [I] }=(\text { CK[I] }+ \text { CN [I] }) \bmod 2, \\
& \mathrm{I}=0,1, \ldots, 11 \\
& \text { ECK [I] }=(\text { CK[I] }+ \text { CC [I-12] }) \bmod 2 \text {, } \\
& I=12,13, \ldots, 17 \\
& \text { ECK [I] }=(\text { CK[I] }+ \text { CN }[I-18]) \bmod 2, \quad I=18,19, \ldots, 29 \\
& \text { ECK [I] }=(\text { CK[I] }+C C[I-30]) \bmod 2, \quad I=30,31, \ldots, 35 \\
& \text { ECK [I] }=(\text { CK[I] }+C N[I-36]) \bmod 2, \quad I=36,37, \ldots, 47 \\
& \text { ECK [I] }=(\text { CK[I] }+ \text { CC [I-48] }) \bmod 2, \quad I=48,49, \ldots, 53 \\
& E C K[I]=(C K[I]+C N[I-54]) \bmod 2, \quad I=54,55, \ldots, 65
\end{aligned}
$$

$$
\text { ECK }[I]=(C K[I]+L A[I-66]) \bmod 2, \quad I=66,67, \ldots, 79
$$

### 5.24 Algorithm TB6

The Inputs and Output of the TB6 algorithm are:

| Parameter | Size |
| :---: | :---: |
| Input $1(\mathrm{CK})$ | 80 bits |
| Input $2(\mathrm{CN})$ | 12 bits |
| Input $3(\mathrm{SSI})$ | 24 bits |
| Output (ECK) | 80 bits |

The Output of this algorithm is input 1 XOR-ed with an intermediate output. The intermediate output consists of the concatenation in turn of inputs $2,3,2,3$ and $3^{*}$; with the most significant bits of input 2 forming the most significant bits of the intermediate output, and where input $3^{*}$ is the least significant 8 bits of input 3:

| Input 2 | Input 3 | Input 2 | Input 3 | Input 3* |
| :--- | :--- | :--- | :--- | :--- |

That is, where:
CK is a binary vector of 80 bits, labelled CK[79]....CK[0]
CN is a binary vector of 12 bits, labelled CN[11]....CN[0]
SSI is a binary vector of 24 bits, labelled SSI[23]....SSI[0]
ECK is a binary vector of 80 bits, labelled ECK[79]....ECK[0]
and where [0] in each case represents the least significant bit:

$$
\begin{array}{ll}
\text { ECK }[I]=(\text { CK }[I]+\text { CN }[I-68]) \bmod 2, & \\
\text { ECK }[I]=(\text { CK }[I]+\text { SSI }[I-44]) \bmod 2, & \\
\text { ECK }[I]=(\text { CK }[I]+\text { CN }[I-32]) \bmod 2, \ldots, 68 \\
\text { ECK }[I]=(\text { CK }[I]+\text { SSI }[I-8]) \bmod 2, & \\
\text { ECK }[I]=(\text { CK }[I]+\text { SSI }[I]) \bmod 2,42, \ldots, 32 \\
& \\
I=31,30, \ldots, 8 \\
\text { I }]=7,6, \ldots, 0
\end{array}
$$

### 5.23 Algorithm TB7

The Input and Output of the TB7 algorithm are:

| Parameter | Size |
| :---: | :--- |
| Input | 96 bits |
| Output | 128 bits |

The 16-byte Output of this algorithm is obtained by adding 4 bytes to the 12-byte Input as described below:

1) Denote the 12-byte input at shown below:

| $B_{11}$ | $B_{10}$ | $B_{9}$ | $B_{8}$ | $B_{7}$ | $B_{6}$ | $B_{5}$ | $B_{4}$ | $B_{3}$ | $B_{2}$ | $B_{1}$ | $B_{0}$ |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |

2) Compute the 4 bytes $A, C, D$ and $E$, insert these into the 12 byte in Figure 22 below:

| $B_{11}$ | $B_{10}$ | $B_{9}$ | $A$ | $B_{8}$ | $B_{7}$ | $B_{6}$ | $C$ | $B_{5}$ | $B_{4}$ | $B_{3}$ | $D$ | $B_{2}$ | $B_{1}$ | $B_{0}$ | $E$ |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |

where:
$A=B_{11} \oplus B_{10} \oplus B_{9}$,
$C=B_{8} \oplus B_{7} \oplus B_{6}$,
$D=B_{5} \oplus B_{4} \oplus B_{3}$,
$E=B_{2} \oplus B_{1} \oplus B_{0}$.
Figure 22: Expansion from 12 to 16 bytes

## 6 The HURDLE-II Algorithm

### 6.0 General

The functional structure of the HURDLE-II algorithm with the 16 round functions and the 16 round keys is shown in Figure 23 of clause 6.7.

### 6.1 Notation

Throughout the present documentbit strings are used. These are written with most significant bit on the left and least significant bit on the right. The bits of such a string are numbered from right to left, beginning at zero. Bit strings are divided into strings of bytes, again with most significant byte leftmost and with byte 0 rightmost.

The inputs to the HURDLE-II algorithm are a 64 -bit string $P$ with bytes:

$$
P_{7} P_{6} P_{5} P_{4} P_{3} P_{2} P_{1} P_{0}
$$

and a 128 -bit key $K$ with bytes $K_{15} K_{14} \ldots K_{l} K_{0}$.
The 16 rounds of encryption are numbered by $1,2, \ldots 16 . K^{i}$ indicates the 96 -bit round key used in round $i$ (these round keys are derived from $K$ using the HURDLE-II key schedule algorithm, as defined in detail below).

The symbol $\oplus$ denotes the bytewise addition modulo two (exclusive or); i.e. msb of byte x is added to msb of byte $y, \ldots .$, lsb of byte $x$ to lsb of byte $y$.

| $x(i)$ | $y(i)$ | $x(i) \oplus y(i)$ |
| :---: | :---: | :---: |
| 0 | 0 | 0 |
| 0 | 1 | 1 |
| 1 | 0 | 1 |
| 1 | 1 | 0 |

$x(i)$ is bit $i$ of byte $x$ $y(i)$ is bit $i$ of byte $y$
$i=0, \ldots, 7$

### 6.2 Encryption

The encryption of input $P$ under key $K$ is carried out as follows. Input $P$ is divided into two 4-byte strings, $L^{0}$ and $R^{0}$, with:

$$
L^{0}=P_{7} P_{6} P_{5} P_{4}, \quad R^{0}=P_{3} P_{2} P_{1} P_{0}
$$

Then for each integer $i$ with $1 \leq i \leq 16$, is defined as:

$$
\begin{equation*}
L^{i}=R^{i-1}, \quad R^{i}=L^{i-1} \oplus f\left({ }^{\prime} R^{i-1}, K^{i}\right) \tag{1}
\end{equation*}
$$

Equations (1) constitute the i-th round function of HURDLE-II, where $f$ denotes the round function with $\mathrm{R}^{\mathrm{i}-1}$ and round key $\mathrm{K}^{i}$ as inputs (see clause 6.4).

The encryption of $P$ under $K$ is the 8 -byte string $C=R^{16} L^{16}$ (note swapping of halves) offered at the end of the sixteenth round, i.e. after the execution of the last round function. See Figure 23 of clause 6.7.

### 6.3 Decryption

Decryption of the ciphertext C is achieved by encrypting it using as round keys $K^{16} \ldots, K^{l}$.
That is, following exactly the same procedure as above, but using round in round instead of round key $K^{17-i}$. The decryption round keys are easily derived from the key $K$ as described in clause 6.5.

### 6.4 The $f$ Function of HURDLE-II

### 6.4.0 General

The round function $f$ of HURDLE-II, has as inputs a 4-byte value $X=X_{3} X_{2} X_{1} X_{0}$ and a 12-byte round key, denoted by $K^{i}=K^{i}{ }_{l l} K^{i}{ }_{10} \ldots \ldots . . . K^{i}{ }_{0}$ (see clause 6.5 ).

The computation of the $f$ function proceeds in the following stages (see Figure 24 of clause 6.7):

- expansion of the 4-byte input
- addition of round key and chained byte substitution
- nibble selection
- bit permutation


### 6.4.1 Data Expansion

The 4-byte input data $X=X_{3} X_{2} X_{1} X_{0}$ is expanded to the following 12-byte string E:

$$
E_{11} E_{10} E_{9} E_{8} E_{7} E_{6} E_{5} E_{4} E_{3} E_{2} E_{1} E_{0}=X_{1} X_{3} X_{0} X_{2} X_{3} X_{1} X_{2} X_{0} X_{3} X_{2} X_{1} X_{0}
$$

### 6.4.2 Addition of Round Key and Chained Byte Substitution

$E$ and the round key $K^{i}$ the following 12-byte value $T=T_{11} T_{10} \ldots \ldots \ldots T_{0}$ is computed where:

$$
T_{0}=S\left[\left(E_{0}+K_{0}^{i}\right) \bmod 256\right]
$$

and

$$
\begin{equation*}
T_{j}=S\left[\left(\left(E_{j}+K_{j}^{i}\right) \bmod 256\right) \oplus T_{j-1}\right], \quad 1 \leq j \leq 11, \tag{2}
\end{equation*}
$$

with $S$ as the byte permutation defined in Table 1 of clause 6.7. The table entries are given row-wise in hexadecimal in the order $S[00], S[01], \ldots . . . . S[f f]$.

Thus, the expanded version of the data is added modulo 256 with the round key bytes and the resulting values are used to obtain bytes from the look-up table $\mathbf{S}$ box in a chained manner. This part of the $f$ function is illustrated in Figure 25 of clause 6.7.

### 6.4.3 Nibble selection

The 12-byte output $T$ is reduced to the following 32-bit string:

$$
U=U_{11} U_{10} U_{9} U_{8} U_{7} U_{6} U_{5} U_{4}
$$

where, for each $0 \leq q<12, U q$ denotes the 4 least significant bits of $T q$, i.e. the rightmost nibble of $T q$.

### 6.4.4 Bit Permutation

The final 4-byte output of the function f is obtained by performing a bit permutation $\pi$ on the 32-bit string $U$ to produce a 4-byte value $Y=Y_{3} Y_{2} Y_{1} Y_{o}$.

The permutation $\pi$ is given in Table 2 of 6.7 and its action on the bits of U is as follows: if the bits of $U$ and $Y$ are numbered from left to right by 31 to 0 , then bit $j$ of $Y$ is equal to bit $i$ of $U$ if $\pi[j]=i$. In Table 2 , the entries are arranged row-wise in the order $\pi[0], \pi[1], . ., \pi[31]$.

The permutation $\pi$ has a compact description enabling a fast software implementation: for each $0 \leq m<8$ and each $0 \leq n<4$, bit $m$ of $Y_{n}$ is equal to bit $n$ of $U_{m+4}$, i.e. bit $n$ of $T_{m+4}$.

The final 4-byte output of the function $f$ is equal to $Y=Y_{3} Y_{2} Y_{1} Y_{0}$.

### 6.5 Key Schedule Algorithm

In this clause the key schedule algorithm for HURDLE-II is defined. Recall that the 16-byte key is denoted by:

$$
K=K_{15} K_{14} \ldots K_{0}
$$

and the 12 byte round keys by $K^{I}$, $\qquad$ $K^{16}$

A 16 -byte constant is specified as $D=D_{15} D_{14} \ldots D_{0}$ by:

$$
D=3 \mathrm{c} \text { a } 7 \text { ec } 257957 \text { df c0 } 38 \text { 0a } 33 \text { le f3 8c f4 f7 }
$$

(hexadecimal values for each byte). An integer sequence is also specified as $a=a_{1} a_{2}, \ldots, a_{16}$ of length 16 by:

$$
a=5,5,5,5,3,7,5,5,5,5,7,3,5,5,5,5
$$

Finally, if $Q=Q_{15} Q_{14 \ldots} \ldots Q_{0}$ is a 16 -byte string and $l$ is an integer with $0 \leq ; l<16$, then the left shift of $Q$ is defined by $l$ bytes, denoted $E^{l} Q$, to be the 16 -byte string:

$$
E^{\prime} Q=Q_{15-1} \ldots Q_{0} Q_{15} \ldots Q_{15-1+1}
$$

(modulo 16 with byte subscripts is used).
For each $i$ with $1 \leq i \leq 17$, a 16 -byte value is defined as $Q^{i}=Q^{i}{ }_{15} Q^{i}{ }_{14 \ldots} Q^{i}{ }_{0}$ by:

$$
\mathrm{Q}^{1}=\mathrm{K}
$$

$$
\mathrm{Q}^{\mathrm{i}}=\mathrm{E}^{\mathrm{a}-1} \mathrm{Q}^{\mathrm{i}-1} \oplus \mathrm{D} \quad(2 \leq \mathrm{i} \leq 17)
$$

Thus, the bytes of $Q^{i}$ are obtained by rotating the bytes of $Q^{i-1}$ and then adding bit by bit modulo 2 the constant $D$. Then $K^{i}$, the round key in round $i$ is defined to be:

$$
K^{i}=Q_{11}^{i} Q_{10}^{i} \ldots Q_{0}^{i}
$$

that is, $K^{i}$ is formed from the 12 least significant bytes of $Q^{i}$.

### 6.6 Block cipher Generation

### 6.6.1 Summary

The block cipher generation consists of the following phases: the initial loading of $K$ and the running of the key scheduling process, the loading of $P$ and the proper generation of the block cipher concerned. Thereafter, because the HURDLE-II algorithm remains in continuous encryption mode, subsequent $P$ inputs can.be offered without needing to reset the key after each block cipher generation.

### 6.6.2 K loading and Key Scheduling

After loading of the 16 -byte key $K$ the key scheduling process is performed to determine the sixteen 12-byte round keys $K^{i}$ as described in clause 6.5.

### 6.6.3 Block Cipher Generation

The loaded 64-bit input $P / C$ is divided into two 4-byte strings and encrypted/ decrypted in sixteen rounds under the influence. of the round keys as described in clauses 6.2 and 6.3. All stages of the round function are explained in detail in clause 6.4.

### 6.7 Figures of HURDLE-II Algorithm


$f \quad$ Round function of HURDLE-II (see Figure 24)
Li, Ri Two 4-byte strings (subscript $0=$ input; $16=$ output)
$K \quad$ Round key
Figure 23: HURDLE-II block cipher


| $X$ | 32-bit input string |
| :--- | :--- |
| $E$ | 12 byte expanded input data |
| $K$ | 2 byte round key |
| $T$ | 8 most significant output bytes of the key addition \& chained substitution function |
| $U_{i}$ | Rightmost nibble of $T_{i ;}$ |
| $B P \pi$ | Bit permutation on 32-bit string |
| $Y$ | 32-bit output string |

Figure 24: f Function of HURDLE-II

$\begin{array}{ll}K_{j}^{i} & \text { Byte j of } 12 \text { byte round key } K^{i} \\ s & \text { Byte permutation (256 bytes) }\end{array}$
Figure 25: Addition of round key and chained $S$ substitution
Table 1: The byte permutation $S$


Table 2: The bit permutation $\pi$

| 0 | 4 | 8 | 12 | 16 | 20 | 24 | 28 |
| ---: | ---: | ---: | ---: | ---: | ---: | ---: | ---: |
| 1 | 5 | 9 | 13 | 17 | 21 | 25 | 29 |
| 2 | 6 | 10 | 14 | 18 | 22 | 26 | 30 |
| 3 | 7 | 11 | 15 | 19 | 23 | 27 | 31 |

## Annex A (informative): Bibliography

- ETSI TS 100 396-6: "Terrestrial Trunked Radio (TETRA); Direct Mode Operation (DMO); Part 6: Security".
- ETSI TS 101 052-1: "Rules for the management of the TETRA standard authentication and key management algorithm sets; Part 1: TAA1".


## History

| Document history |  |  |
| :--- | :--- | :--- |
| V1.1.1 | July 2024 | Publication |
|  |  |  |
|  |  |  |
|  |  |  |
|  |  |  |

