Continuing the monitoring and analysis of the signals received around the 7 MHz band, I am increasingly convinced that Harris Citadel II is the encryption algorithm used for these transmissions. In the analysis of the bitstreams published in the previous post [1], I spotted patterns that look like 32-byte Initialization Vectors: the 256 bits are divided into two 128-bit parts, each repeated 3 times, sent just after the Citadel sync sequence and prepended to the ciphertext (Figure 1).
Fig. 1 - 32 bytes (256 bits) IV
This kind of encrypted transmission occurs when the STANAG-4538 circuit mode service is used; in the packet mode service (LDL/HDL protocols) - although Citadel is also used there - the bitstreams do not show any repeating pattern: my guess is that in such a case the Citadel I algorithm is being used.
That said, I took care to catch & record only the circuit mode transmissions, still within the same portion of the HF band. Bitstream analysis turned out to be very useful, especially for the transmissions recorded on 6769.5 and 6772.5 kHz/USB; indeed, in these transmissions the Initialization Vector (IV) used is 12 bytes (96 bits) long and it is repeated 3 times (Figure 2): this is really interesting, since I would have expected to see a 32-byte IV as in the other similar recordings.
Fig. 2 - 12 bytes (96 bits) IVs after removal of the first sync sequences
I have verified this characteristic in all the transmissions recorded on that frequency; Figure 2 lists only a few for brevity.
Fig. 3
So far, I've observed the following format (related to S-4538 circuit mode services):
16 bytes start/sync sequence 1E561E561E561E001A5D1A5D1A5D1A5D (Citadel)
12 bytes Initialization Vector, repeated 3 times
- or -
32 bytes Initialization Vector, 2x128-bit parts, each repeated 3 times
ciphertext
8 bytes end sequence 1E561E561E561E08 (Citadel)
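As an added illustration (my own code, not part of the original post or of any Harris product), the frame layout listed above can be turned into a small parser: it checks the Citadel sync and end sequences quoted above, then tests whether the bytes that follow the sync are a 12-byte block sent 3 times or two 16-byte halves each sent 3 times, and splits off the IV from the ciphertext. The sync/end values are the ones observed in the recordings; the IVs and the ciphertext below are constructed sample values, not bytes taken from the figures.

```python
# Added example (not from the original post): parse a STANAG-4538 circuit-mode
# frame following the layout observed above and recover the repeated IV.
SYNC = bytes.fromhex("1E561E561E561E001A5D1A5D1A5D1A5D")  # 16-byte start/sync sequence (from the post)
END = bytes.fromhex("1E561E561E561E08")                  # 8-byte end sequence (from the post)
REPEATS = 3                                              # each IV block is sent 3 times

# Constructed sample values; the real IVs and ciphertext are only in the post's figures.
IV12 = bytes(range(0x01, 0x0D))                             # 12-byte (96-bit) IV
IV32 = bytes(range(0x10, 0x20)) + bytes(range(0x20, 0x30))  # 32-byte (256-bit) IV
CT = bytes.fromhex("DEADBEEF" * 4)                          # 16 bytes of placeholder ciphertext


def _repeated_block(buf, offset, size):
    """Return the size-byte block at offset if it is sent REPEATS times back to back, else None."""
    block = buf[offset:offset + size]
    if len(block) < size:
        return None
    for k in range(1, REPEATS):
        if buf[offset + k * size:offset + (k + 1) * size] != block:
            return None
    return block


def build_frame(iv, ciphertext):
    """Assemble a frame in the observed format: sync | repeated IV | ciphertext | end."""
    if len(iv) == 12:
        iv_part = iv * REPEATS
    elif len(iv) == 32:
        iv_part = iv[:16] * REPEATS + iv[16:] * REPEATS   # two 128-bit halves, each 3x
    else:
        raise ValueError("IV must be 12 or 32 bytes")
    return SYNC + iv_part + ciphertext + END


def parse_frame(frame):
    """Split a frame into IV and ciphertext, detecting which IV layout is in use."""
    if not frame.startswith(SYNC):
        raise ValueError("missing Citadel sync sequence")
    if not frame.endswith(END):
        raise ValueError("missing Citadel end sequence")
    body = frame[len(SYNC):len(frame) - len(END)]

    # Layout seen on 6769.5/6772.5 kHz: one 12-byte IV repeated 3 times (36 bytes)
    iv = _repeated_block(body, 0, 12)
    if iv is not None:
        return {"iv_len": 12, "iv": iv, "ciphertext": body[12 * REPEATS:]}

    # Layout of the earlier recordings: 32-byte IV as two 16-byte halves, each repeated 3 times (96 bytes)
    first = _repeated_block(body, 0, 16)
    second = _repeated_block(body, 16 * REPEATS, 16)
    if first is not None and second is not None:
        return {"iv_len": 32, "iv": first + second, "ciphertext": body[32 * REPEATS:]}

    # No repeating pattern, which is what the post reports for packet-mode traffic
    return {"iv_len": 0, "iv": b"", "ciphertext": body}


def parse_hex_dump(text):
    """Convenience wrapper for hex dumps like those in the figures (whitespace is ignored)."""
    return parse_frame(bytes.fromhex("".join(text.split())))


if __name__ == "__main__":
    for iv in (IV12, IV32):
        res = parse_frame(build_frame(iv, CT))
        print(res["iv_len"], res["iv"].hex(), res["ciphertext"].hex())
```

The 12-byte test is run first because a genuine 16-byte half cannot also satisfy a 12-byte repeat unless its own bytes happen to be periodic, so the two layouts are distinguished without any length field. A frame whose body shows neither repeat falls through with `iv_len` 0, which is the behaviour the post describes for the LDL/HDL bitstreams.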
The different lengths of the Initialization Vectors used (12 and 32 bytes) suggest that the Citadel II algorithm (if this is the case) can be configured for different block cipher modes with different block lengths; furthermore, it is backward compatible with its predecessor Citadel I, given the coexistence of circuit/packet modes within the same logical link (see the comment in the previous post). Anyway, different configurations of the algorithm on different frequencies make me think of field tests: indeed, war theaters are formidable test-beds not only for weapons but also for milcomm technologies, new waveforms and COMSEC.
The few pieces of information I could find by googling the web seem to confirm my guess, even if I still have no confirmation: "The Citadel II algorithm can be operated using any block cipher traffic mode [...] including Cipher Feedback mode (CFB), Counter Mode and Self Synchronizing Cipher Feedback Mode (SSCFB). The 256-bit Citadel II algorithm provides a configuration that is interoperable with current Citadel I-based applications and a configuration that is fully disclosable" [2]. Note that although Citadel I and II are referred to as algorithms, they are actually ASIC chips (Application-Specific Integrated Circuits), i.e. algorithms rendered in hardware, which are embedded - for example - in Harris Falcon II and Falcon III family radios.
It is still not clear to me why the (presumed) Citadel II encryption is not used in packet mode transmissions, i.e. in the LDL/HDL protocols: I don't think it's due to problems acquiring the IVs, since at the upper layer surely sits a data link protocol like S-5066 which is able to reassemble the received packets.
Obviously - as said - this is just my speculation and comments are welcome: further recordings and a bit of luck may help... https://disk.yandex.com/d/2ceYFGyy0LWdJA
[1] https://i56578-swl.blogspot.com/2023/05/harris-citadel-ii-secured-traffic.html
[2] https://www.researchgate.net/...