Citadel II 96-bit initialization vectors, an interesting update

i56578-swl.blogspot.com, 4 hours ago

A big thanks to my friend Kosmod, who broke down a Citadel II encrypted bitstream and saw that the Initialization Vector (IV), composed of 96 bits and repeated 3 times, is followed by a 64-bit field, this one also repeated 3 times. The problem is that the periodicity of the 2 "patterns" is different, so once the start/sync sequence is removed, it is necessary to set the bitstream period to 96 bits, remove the 3 IV sequences and then set the bitstream period to 64 bits (as shown in Figure 1).

Fig. 1

A question arises: could it be a 20-byte/160-bit Initialization Vector composed of two parts of 96 and 64 bits, each part repeated 3 times? Well, I think not.

It must be said that a 160-bit IV sequence is unusual, although double-checked in other bitstreams. That size would be suspicious because most block-cipher sizes are powers of 2 or use multiples of 32 (32, 64, 96, 128, 256, 512), and since the IV typically matches the cipher’s internal structure or counter construction, a 160-bit size is not impossible, but it would be atypical enough that cryptographers would immediately suspect a parsing mistake or mixed fields.

Indeed, some systems prepend metadata or combine nonce + counter (1), and what looks like a single IV may actually be multiple fields, each repeated for robustness; in this case:
- a 96-bit nonce, likely serving as the actual Initialization Vector (2)
- a 64-bit nonce, likely a per-frame synchronization value or session diversifier. In other words: it's something that changes per transmission, possibly the 96-bit IV alone not being the full initializer.

Because both fields are variable and precede the ciphertext, they could easily be mistaken for a single composite IV.
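The layout described above, as an added example that is not from the original post: a Python sketch that reads the two fields with their own periods, after the start/sync sequence has been stripped, and takes a bitwise majority vote over the three copies. The majority vote, the function names and the sample bitstream are assumptions constructed for illustration; the post only states that each field is repeated 3 times.

```python
# Added example. Assumed layout (from the post): 3 x 96-bit field, 3 x 64-bit field,
# then ciphertext, with the start/sync sequence already removed.
REPEATS = 3

def majority(copies):
    """Bitwise majority vote across an odd number of equal-length bit strings."""
    return "".join("1" if col.count("1") * 2 > len(col) else "0" for col in zip(*copies))

def take_repeated(bits, offset, width, repeats=REPEATS):
    """Read `repeats` back-to-back copies of a `width`-bit field starting at `offset`.

    Returns (voted_bits, positions_with_disagreement, next_offset).
    """
    end = offset + width * repeats
    if len(bits) < end:
        raise ValueError(f"bitstream too short: need {end} bits, have {len(bits)}")
    copies = [bits[offset + i * width: offset + (i + 1) * width] for i in range(repeats)]
    voted = majority(copies)
    # A position counts once if any copy differs from the voted bit there.
    bad = sum(any(c[i] != voted[i] for c in copies) for i in range(width))
    return voted, bad, end

def parse_header(bits):
    """Split the header into the 96-bit and 64-bit fields; the rest is payload."""
    if set(bits) - {"0", "1"}:
        raise ValueError("bitstream must contain only '0' and '1'")
    iv96, err96, pos = take_repeated(bits, 0, 96)      # period 96 first
    f64, err64, pos = take_repeated(bits, pos, 64)     # then period 64
    return {"iv96": f"{int(iv96, 2):024x}", "field64": f"{int(f64, 2):016x}",
            "bit_disagreements": (err96, err64), "payload_offset": pos}

# Constructed sample values, not taken from any real transmission.
_IV = format(0x0123456789ABCDEFFEDCBA98, "096b")
_F64 = format(0xDEADBEEFCAFEF00D, "064b")
_stream = list(_IV * 3 + _F64 * 3 + "10" * 40)
_stream[96 + 5] = "1" if _stream[96 + 5] == "0" else "0"  # one bit error in IV copy 2
SAMPLE = "".join(_stream)

if __name__ == "__main__":
    print(parse_header(SAMPLE))
    # Reading the same header as one 160-bit field repeated 3 times: copies do not line up.
    print("disagreements at period 160:", take_repeated(SAMPLE, 0, 160)[1])
```

Reading the header with a single 160-bit period produces copies that disagree in many positions, which is the parsing mistake the two-period split avoids.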

So, speaking about Citadel II, why does the 64-bit sequence appear only with the 96-bit IV and not with the 256-bit one?

Fig. 2 - 32 bytes/256 bits IV

It likely comes down to how modern encryption systems structure their nonces. When a shorter 96-bit IV is used, a separate 64-bit counter or sequence field may be transmitted alongside it to ensure that every message remains unique. With a 256-bit IV, that sequencing data is most likely embedded inside the larger nonce itself, so the counter is still present, just no longer visible as a distinct field. In short: we are not seeing different security levels, but 2 design approaches:

- 96-bit IV + external sequencer,
- 256-bit IV with internal sequencer.


The “missing” 64-bit field (or another length) is most likely hidden inside the larger initialization structure rather than removed.

(1) In cryptography, a “nonce” (short for "number used once") is simply a value that is unique for each encryption operation. It should never repeat with the same key. It is usually not secret: it can be transmitted openly and is used to make encryption different each time, so even if the same plaintext is encrypted with the same key, a different nonce produces a different ciphertext.

(2) A 96-bit IV is mainly used in AES-GCM, AES-CCM, and ChaCha20-Poly1305, where it strikes a balance between security (avoiding collisions) and computational efficiency.
