A great thanks to my friend Kosmod who breakdown a Citadel II encrypted bitstream and saw that the Initialization Vector (IV) composed of 96 bits, 3 times repeated, is followed by a 64-bit field, this one also 3 times repeated. The problem is that the periodicity of the two "patterns" is different, so once the start/sync sequence is removed, it is necessary to set the bitstream period to 96 bits, remove the three IV sequences and then set the bitstream period to 64 bits (as shown in Figure 1).
 |
| Fig. 1 |
A question arises: could it be a 20 bytes/160 bits Initialization Vector composed of two 96 and 64 bits parts, each part 3 times repeated? Well, I think no.
It must be said that a 160-bit IV sequence is unusual, athough double-checked in other bitstreams. That length would be suspicious because most block-cipher sizes are powers of two or use multiples of 32 (32, 64, 96, 128, 256, 512) and since the IV typically matches the cipher’s internal structure or counter construction, a 160-bit length is not impossible but it would be atypical enough that cryptographers would immediately suspect parsing error or mixed fields.
Indeed, some systems prepend metadata or combine nonce + counter (1) and what looks like a single IV may actually be multiple fields, each repeated for robustness; in this case:
- a 96-bit nonce, likely serving as the true Initialization Vector (2)
- a 64-bit nonce, likely a per-frame synchronization value or session diversifier. In other words: it's something that changes per transmission, maybe the 96-bit IV alone not being the entire initializer.
Because both fields are variable and precede the ciphertext, they could easily be mistaken as a single composite IV.
So, speaking about Citadel II, why does the 64-bit sequence appear only with the 96-bit IV and not with the 256-bit one?
 |
| Fig. 2 - 32 bytes/256 bits IV |
It likely comes down to how modern encryption systems structure their nonces. When a shorter 96-bit IV is used, a separate 64-bit counter or sequence field may be transmitted alongside it to guarantee that every message remains unique. With a 256-bit IV, that sequencing data is probably embedded inside the larger nonce itself — so the counter is still present, just no longer visible as a distinct field. In short: we are not seeing different security levels, but two design approaches:
96-bit IV + external sequencer,
256-bit IV with internal sequencer.
The “missing” 64-bit field (or another length) is most likely hidden inside the larger initialization structure rather than removed.
(1) In cryptography, a “nonce” (short for number used once) is a value that is unique for each encryption operation – it should never repeat with the same key, usually not secret – it can be transmitted openly and used to make encryption different each time – even if the same plaintext is encrypted with the same key, a different nonce produces a different ciphertext.
(2) A 96-bit IV is mainly used in AES-GCM, AES-CCM, and
ChaCha20-Poly1305, where it strikes a balance between security (avoiding
collisions) and computational efficiency.
