INTERNET-DRAFT M. Katagi Intended Status: Informational S. Moriai Expires: April 22, 2010 Sony Corporation October 19, 2009 The 128-bit Blockcipher CLEFIA Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 22, 2010. Abstract This document describes the specification of the blockcipher CLEFIA. CLEFIA is a 128-bit blockcipher with its key length being 128, 192 and 256 bits, which is compatible to the interface of AES. The cipher algorithm was published in 2007 [FSE07] and its security has been scrutinized in the public community. CLEFIA is one of the new- generation lightweight blockcipher algorithms designed after AES. Among them CLEFIA offers high performance in software and hardware as well as lightweight implementation in hardware. CLEFIA will be of benefit to the Internet which will be connected to more distributed and constrained devices. Katagi & Moriai Expires April 22, 2010 [Page 1] INTERNET-DRAFT The 128-bit Blockcipher CLEFIA October 19, 2009 Table of Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2 Notations . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3 Definition of GFN_{d,r} . . . . . . . . . . . . . . . . . . . . 4 3.1 F-functions . . . . . . . . . . . . . . . . . . . . . . . . 5 3.2 S-boxes . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.3 Diffusion Matrices . . . . . . . . . . . . . . . . . . . . . 7 4 Data Processing Part . . . . . . . . . . . . . . . . . . . . . . 7 4.1 Encryption / Decryption . . . . . . . . . . . . . . . . . . 7 4.2 The Numbers of Rounds . . . . . . . . . . . . . . . . . . . 8 5 Key Scheduling Part . . . . . . . . . . . . . . . . . . . . . . 8 5.1 DoubleSwap Function . . . . . . . . . . . . . . . . . . . . 8 5.2 Overall Structure . . . . . . . . . . . . . . . . . . . . . 8 5.3 Key Scheduling for a 128-bit Key . . . . . . . . . . . . . . 9 5.4 Key Scheduling for a 192-bit Key . . . . . . . . . . . . . . 9 5.5 Key Scheduling for a 256-bit Key . . . . . . . . . . . . . 10 5.6 Constant Values . . . . . . . . . . . . . . . . . . . . . 10 6 Security Considerations . . . . . . . . . . . . . . . . . . . 15 7 Informative References . . . . . . . . . . . . . . . . . . . . 15 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 Copyright Notice . . . . . . . . . . . . . . . . . . . . 17 Katagi & Moriai Expires April 22, 2010 [Page 2] INTERNET-DRAFT The 128-bit Blockcipher CLEFIA October 19, 2009 1 Introduction CLEFIA is a 128-bit blockcipher with its key length being 128, 192 and 256 bits, which is compatible to the interface of AES. Since the cipher algorithm was published in 2007, its security has been scrutinized in the public community but no security weaknesses have been reported so far. CLEFIA can be considered as a lightweight blockcipher, since it can be implemented within 5 Kgates using a 0.09um standard CMOS ASIC library. Many of lightweight cryptographic algorithms sacrifice security and/or speed, however CLEFIA provieds high level security of more than 128 bits and high performance in software and hardware. CLEFIA will be of benefit to the Internet which will be connected to more distributed and resource-constrained devices. Further information about CLEFIA, including reference implementation, test vectors, and security and performance evaluation, is available from http://www.sony.net/clefia/. 2 Notations This section describes mathematical notations, conventions and symbols used throughout this document. 0x : A prefix for a binary string in a hexadecimal form a|b or (a|b) : Concatenation of a and b (a,b) or (a b) : Vector style representation of a|b a <- b : Updating a value of a by a value of b trans(a) : Transposition of a vector or a matrix a a XOR b : Bitwise exclusive-OR. Addition in GF(2^n) ~a : Logical negation a <<< b : b-bit left cyclic shift operation a ^ b : a raised to the power of b a * b : Multiplication in GF(2^n) Katagi & Moriai Expires April 22, 2010 [Page 3] INTERNET-DRAFT The 128-bit Blockcipher CLEFIA October 19, 2009 3 Definition of GFN_{d,r} We first define a function GFN_{d,r} which is a fundamental structure for CLEFIA, followed by definitions of a data processing part and a key scheduling part. CLEFIA uses a 4-branch and an 8-branch generalized Feistel network. We denote d-branch r-round generalized Feistel network employed in CLEFIA as GFN_{d,r}. For d 32-bit input Xi and output Yi (0 <= i < d), and dr/2 32-bit round keys RK_{i} (0 <= i < dr/2), GFN_{d,r} (d = 4,8) are defined as follows. GFN_{4,r}: Step 1. T0 | T1 | T2 | T3 <- X0 | X1 | X2 | X3 Step 2. For i = 0 to r - 1 do the following: Step 2.1 T1 <- T1 XOR F0(RK_{2i},T0), T3 <- T3 XOR F1(RK_{2i + 1}, T2) Step 2.2 T0 | T1 | T2 | T3 <- T1 | T2 | T3 | T0 Step 3. Y0 | Y1 | Y2 | Y3 <- T3 | T0 | T1 | T2 GFN_{8,r}: Step 1. T0 | T1 | ... | T7 <- X0 | X1 | ... | X7 Step 2. For i = 0 to r - 1 do the following: Step 2.1 T1 <- T1 XOR F0(RK_{4i}, T0), T3 <- T3 XOR F1(RK_{4i + 1}, T2), T5 <- T5 XOR F0(RK_{4i + 2}, T4), T7 <- T7 XOR F1(RK_{4i + 3}, T6) Step 2.2 T0 | T1 | ... | T6 | T7 <- T1 | T2 | ... | T7 | T0 Step 3. Y0 | Y1 | ... | Y6 | Y7 <- T7 | T0 | ... | T5 | T6 The inverse function GFNINV_{4,r} is obtained by changing the order of RK_{i} and the direction of word rotation at Step 2.2 and Step 3. GFNINV_{4,r}: Katagi & Moriai Expires April 22, 2010 [Page 4] INTERNET-DRAFT The 128-bit Blockcipher CLEFIA October 19, 2009 Step 1. T0 | T1 | T2 | T3 <- X0 | X1 | X2 | X3 Step 2. For i = 0 to r - 1 do the following: Step 2.1 T1 <- T1 XOR F0(RK_{2(r - i) - 2}, T0), T3 <- T3 XOR F1(RK_{2(r - i) - 1}, T2) Step 2.2 T0 | T1 | T2 | T3 <- T3 | T0 | T1 | T2 Step 3. Y0 | Y1 | Y2 | Y3 <- T1 | T2 | T3 | T0 3.1 F-functions Two F-functions F0 and F1 used by GFN_{d,r} are defined as follows: F0(RK, x) input: 32-bit data x, RK, output: 32-bit data y. Step 1. T <- RK XOR x Step 2. Let T = T0 | T1 | T2 | T3, where Ti is 8-bit data, T0 <- S0(T0), T1 <- S1(T1), T2 <- S0(T2), T3 <- S1(T3) Step 3. Let y = y0 | y1 | y2 | y3, where yi is 8-bit data, trans((y0, y1, y2, y3)) = M0 trans((T0, T1, T2, T3)) F1(RK, x) input: 32-bit data x, RK, output: 32-bit data y. Step 1. T <- RK XOR x Step 2. Let T = T0 | T1 | T2 | T3, where Ti is 8-bit data, T0 <- S1(T0), T1 <- S0(T1), T2 <- S1(T2), T3 <- S0(T3) Step 3. Let y = y0 | y1 | y2 | y3, where yi is 8-bit data, trans((y0, y1, y2, y3)) = M1 trans((T0, T1, T2, T3)) S0 and S1 are nonlinear 8-bit S-boxes, and M0 and M1 are 4x4 diffusion matrices described in the following section. In each F- Katagi & Moriai Expires April 22, 2010 [Page 5] INTERNET-DRAFT The 128-bit Blockcipher CLEFIA October 19, 2009 function, two S-boxes are used in the different order, and different matrix is used. 3.2 S-boxes CLEFIA employs two different types of 8-bit S-boxes: S0 is based on four 4-bit random S-boxes, and S1 is based on the inverse function over GF(2^8) [CLEFIA1]. Tables 1 and 2 show the output values of S0 and S1, respectively. In these tables all values are expressed in a hexadecimal form. For an 8-bit input of an S-box, the upper 4-bit indicates a row and the lower 4-bit indicates a column. For example, if a value 0xab is input, 0x7e is output by S0 because it is on the cross line of the row indexed by 'a.' and the column indexed by '.b'. Table 1: S-box S0 .0 .1 .2 .3 .4 .5 .6 .7 .8 .9 .a .b .c .d .e .f 0. 57 49 d1 c6 2f 33 74 fb 95 6d 82 ea 0e b0 a8 1c 1. 28 d0 4b 92 5c ee 85 b1 c4 0a 76 3d 63 f9 17 af 2. bf a1 19 65 f7 7a 32 20 06 ce e4 83 9d 5b 4c d8 3. 42 5d 2e e8 d4 9b 0f 13 3c 89 67 c0 71 aa b6 f5 4. a4 be fd 8c 12 00 97 da 78 e1 cf 6b 39 43 55 26 5. 30 98 cc dd eb 54 b3 8f 4e 16 fa 22 a5 77 09 61 6. d6 2a 53 37 45 c1 6c ae ef 70 08 99 8b 1d f2 b4 7. e9 c7 9f 4a 31 25 fe 7c d3 a2 bd 56 14 88 60 0b 8. cd e2 34 50 9e dc 11 05 2b b7 a9 48 ff 66 8a 73 9. 03 75 86 f1 6a a7 40 c2 b9 2c db 1f 58 94 3e ed a. fc 1b a0 04 b8 8d e6 59 62 93 35 7e ca 21 df 47 b. 15 f3 ba 7f a6 69 c8 4d 87 3b 9c 01 e0 de 24 52 c. 7b 0c 68 1e 80 b2 5a e7 ad d5 23 f4 46 3f 91 c9 d. 6e 84 72 bb 0d 18 d9 96 f0 5f 41 ac 27 c5 e3 3a e. 81 6f 07 a3 79 f6 2d 38 1a 44 5e b5 d2 ec cb 90 f. 9a 36 e5 29 c3 4f ab 64 51 f8 10 d7 bc 02 7d 8e Table 2: S-box S1 .0 .1 .2 .3 .4 .5 .6 .7 .8 .9 .a .b .c .d .e .f 0. 6c da c3 e9 4e 9d 0a 3d b8 36 b4 38 13 34 0c d9 1. bf 74 94 8f b7 9c e5 dc 9e 07 49 4f 98 2c b0 93 2. 12 eb cd b3 92 e7 41 60 e3 21 27 3b e6 19 d2 0e 3. 91 11 c7 3f 2a 8e a1 bc 2b c8 c5 0f 5b f3 87 8b 4. fb f5 de 20 c6 a7 84 ce d8 65 51 c9 a4 ef 43 53 5. 25 5d 9b 31 e8 3e 0d d7 80 ff 69 8a ba 0b 73 5c 6. 6e 54 15 62 f6 35 30 52 a3 16 d3 28 32 fa aa 5e 7. cf ea ed 78 33 58 09 7b 63 c0 c1 46 1e df a9 99 8. 55 04 c4 86 39 77 82 ec 40 18 90 97 59 dd 83 1f 9. 9a 37 06 24 64 7c a5 56 48 08 85 d0 61 26 ca 6f a. 7e 6a b6 71 a0 70 05 d1 45 8c 23 1c f0 ee 89 ad b. 7a 4b c2 2f db 5a 4d 76 67 17 2d f4 cb b1 4a a8 c. b5 22 47 3a d5 10 4c 72 cc 00 f9 e0 fd e2 fe ae Katagi & Moriai Expires April 22, 2010 [Page 6] INTERNET-DRAFT The 128-bit Blockcipher CLEFIA October 19, 2009 d. f8 5f ab f1 1b 42 81 d6 be 44 29 a6 57 b9 af f2 e. d4 75 66 bb 68 9f 50 02 01 3c 7f 8d 1a 88 bd ac f. f7 e4 79 96 a2 fc 6d b2 6b 03 e1 2e 7d 14 95 1d 3.3 Diffusion Matrices The multiplications of a diffusion matrix M0 or M1 and a vector T in 3.1 are obtained as follows. y = M0 trans((T0, T1, T2, T3)): y0 = T0 XOR (0x02 * T1) XOR (0x04 * T2) XOR (0x06 * T3), y1 = (0x02 * T0) XOR T1 XOR (0x06 * T2) XOR (0x04 * T3), y2 = (0x04 * T0) XOR (0x06 * T1) XOR T2 XOR (0x02 * T3), y3 = (0x06 * T0) XOR (0x04 * T1) XOR (0x02 * T2) XOR T3 y = M1 trans((T0, T1, T2, T3)): y0 = T0 XOR (0x08 * T1) XOR (0x02 * T2) XOR (0x0a * T3), y1 = (0x08 * T0) XOR T1 XOR (0x0a * T2) XOR (0x02 * T3), y2 = (0x02 * T0) XOR (0x0a * T1) XOR T2 XOR (0x08 * T3), y3 = (0x0a * T0) XOR (0x02 * T1) XOR (0x08 * T2) XOR T3 In the above equations, * denotes a multiplication in GF(2^8) defined by the lexicographically first primitive polynomial z^8+z^4+z^3+z^2+1. The constants 0x02, 0x04, 0x06, 0x08, 0x0a are represented in hexadecimal form of finite field polynomials. For example, 0x02 identifies the finite field element z. 8-bit data Ti is also interpreted as finite field element. The mathematical background of two diffusion matrices and their choices are explained in [CLEFIA2]. 4 Data Processing Part 4.1 Encryption / Decryption The data processing part of CLEFIA consists of ENCr for encryption and DECr for decryption. ENCr and DECr are based on the 4-branch generalized Feistel structure GFN_{4,r}. Let P,C be 128-bit plaintext and ciphertext, and let Pi, Ci (0 <= i < 4) be divided 32-bit plaintext and ciphertext where P = P0 | P1 | P2 | P3 and C = C0 | C1 | C2 | C3, and let WK0, WK1, WK2, WK3 be 32-bit whitening keys and RK_{i} (0 <= i < 2r) be 32-bit round keys provided by the key scheduling part. Then, r-round encryption function ENCr is defined as follows: Katagi & Moriai Expires April 22, 2010 [Page 7] INTERNET-DRAFT The 128-bit Blockcipher CLEFIA October 19, 2009 Step 1. T0 | T1 | T2 | T3 <- P0 | (P1 XOR WK0) | P2 | (P3 XOR WK1) Step 2. T0 | T1 | T2 | T3 <- GFN_{4,r}(RK_{0}, ..., RK_{2r-1}, T0, T1, T2, T3) Step 3. C0 | C1 | C2 | C3 <- T0 | (T1 XOR WK2) | T2 | (T3 XOR WK3) The decryption function DECr is defined as follows: Step 1. T0 | T1 | T2 | T3 <- C0 | (C1 XOR WK2) | C2 | (C3 XOR WK3) Step 2. T0 | T1 | T2 | T3 <- GFNINV_{4,r}(RK_{0}, ..., RK_{2r-1}, T0, T1, T2, T3) Step 3. P0 | P1 | P2 | P3 <- T0 | (T1 XOR WK0) | T2 | (T3 XOR WK1) 4.2 The Numbers of Rounds The number of rounds, r, is 18, 22 and 26 for 128-bit, 192-bit and 256-bit keys, respectively. The total number of RK_{i} depends on the key length. The data processing part requires 36, 44 and 52 round keys for 128-bit, 192-bit and 256-bit keys, respectively. 5 Key Scheduling Part The key scheduling part of CLEFIA supports 128, 192 and 256-bit keys and outputs whitening keys WKi (0 <= i < 4) and round keys RK_{j} (0 <= j < 2r) for the data processing part. 5.1 DoubleSwap Function We first define the DoubleSwap function which is used in the key scheduling part. The DoubleSwap Function Sigma(X): For 128-bit data X, Y = Sigma(X) = X[7-63] | X[121-127] | X[0-6] | X[64-120], where X[a-b] denotes a bit string cut from the a-th bit to the b-th bit of X. 0-th bit is the most significant bit. 5.2 Overall Structure The key scheduling part of CLEFIA provides whitening keys and round Katagi & Moriai Expires April 22, 2010 [Page 8] INTERNET-DRAFT The 128-bit Blockcipher CLEFIA October 19, 2009 keys for the data processing part. Let K be the key and L be an intermediate key, and the key scheduling part consists of the following two steps. 1. Generating L from K. 2. Expanding K and L (Generating WKi and RK_{j} ). To generate L from K, the key schedule for a 128-bit key uses a 128- bit permutation GFN_{4,12}, while the key schedules for 192/256-bit keys use a 256-bit permutation GFN_{8,10}. 5.3 Key Scheduling for a 128-bit Key The 128-bit intermediate key L is generated by applying GFN_{4,12} which takes twenty-four 32-bit constant values CON_128[i] (0 <= i < 24) as round keys and K = K0 | K1 | K2 | K3 as an input. Then K and L are used to generate WKi (0 <= i < 4) and RK_{j} (0 <= j < 36) in the following steps. In the latter part, thirty-six 32-bit constant values CON_128[i] (24 <= i < 60) are used. The generation steps of CON_128[i] are explained in Sect 5.6. (Generating L from K) Step 1. L <- GFN_{4,12}(CON_128[0], ..., CON_128[23], K0, ..., K3) (Expanding K and L) Step 2. WK0 | WK1 | WK2 | WK3 <- K Step 3. For i = 0 to 8 do the following: T <- L XOR (CON_128[24 + 4i] | CON_128[24 + 4i + 1] | CON_128[24 + 4i + 2] | CON_128[24 + 4i + 3]) L <- Sigma(L) if i is odd: T <- T XOR K RK_{4i} | RK_{4i + 1} | RK_{4i + 2} | RK_{4i + 3} <- T 5.4 Key Scheduling for a 192-bit Key Two 128-bit values KL, KR are generated from a 192-bit key K = K0 | K1 | K2 | K3 | K4 | K5, where Ki is 32-bit data. Then two 128-bit values LL,LR are generated by applying GFN_{8,10} which takes CON_192[i] (0 <= i < 40) as round keys and KL|KR as a 256-bit input. Then KL,KR and LL,LR are used to generate WKi (0 <= i < 4) and RK_{j} (0 <= j < 44) in the following steps. In the latter part, forty-four 32-bit constant values CON_192[i] (40 <= i < 84) are used. The following steps show the 192-bit/256-bit key scheduling. For the 192-bit key scheduling, the value of k is set as 192. Katagi & Moriai Expires April 22, 2010 [Page 9] INTERNET-DRAFT The 128-bit Blockcipher CLEFIA October 19, 2009 5.5 Key Scheduling for a 256-bit Key The key scheduling for a 256-bit key is almost the same as that for 192-bit key, except for constant values, required number of RKi, and initialization of KR. For a 256-bit key, the value of k is set as 256, and the steps are almost the same as in the 192-bit key case. The difference is that we use CON_256[i](0 <= i < 40) as round keys to generate LL and LR, and then to generate RK_{j} (0 <= j < 52), we use fifty-two 32-bit constant values CON_256[i](40 <= i < 92). (Generating LL,LR from KL,KR for a k-bit key) Step 1. Set k = 192 or k = 256 Step 2. If k = 192 : KL <- K0 | K1 | K2 | K3, KR <- K4 | K5 | ~K0 | ~K1 else if k = 256 : KL <- K0 | K1 | K2 | K3, KR <- K4 | K5 | K6 | K7 Step 3. Let KL = KL0 | KL1 | KL2 | KL3 KR = KR0 | KR1 | KR2 | KR3 LL|LR <- GFN_{8,10}(CON_k[0] , ..., CON_k[39], KL0, ..., KL3, KR0, ..., KR3) (Expanding KL,KR and LL,LR for a k-bit key) Step 4. WK0 | WK1 | WK2 | WK3 <- KL XOR KR Step 5. For i = 0 to 10 (if k = 192), or 12 (if k = 256) do the following: If (i mod 4) = 0 or 1: T <- LL XOR (CON_k[40 + 4i] | CON_k[40 + 4i + 1] | CON_k[40 + 4i + 2] | CON_k[40 + 4i + 3]) LL<- Sigma(LL) if i is odd: T <- T XOR KR else: T <- LR XOR (CON_k[40 + 4i] | CON_k[40 + 4i + 1] | CON_k[40 + 4i + 2] | CON_k[40 + 4i + 3]) LR <- Sigma(LR) if i is odd: T <- T XOR KL RK_{4i} | RK_{4i + 1} | RK_{4i + 2} | RK_{4i + 3} <- T 5.6 Constant Values 32-bit constant values CON_k[i] are used in the key scheduling algorithm. We need 60, 84 and 92 constant values for 128, 192 and Katagi & Moriai Expires April 22, 2010 [Page 10] INTERNET-DRAFT The 128-bit Blockcipher CLEFIA October 19, 2009 256-bit keys, respectively. Let P(16) = 0xb7e1 (= (e-2)2^16) and Q(16) = 0x243f (= (pi-3)2^16), where e is the base of the natural logarithm (2.71828...) and pi is the circle ratio (3.14159...). CON_k[i], for k = 128,192,256, are generated by the following way (See Table 3 for the repetition numbers l and the initial values IV). Step 1. T_k[0] <- IV Step 2. For i = 0 to l - 1 do the following: Step 2.1. CON_k[2i] <- (T_k[i] XOR P) | (~T_k[i] <<< 1) Step 2.2. CON_k[2i + 1] <- (~T_k[i] XOR Q) | (T_k[i] <<< 8) Step 2.3. T_k[i + 1] <- T_k[i] * (0x0002^{-1}) In Step 2.3, the multiplication are performed in the field GF(2^16) defined by a primitive polynomial z^16 + z^15 + z^13 + z^11 + z^5 + z^4 + 1 (=0x1a831). 0x0002^{-1} denotes the multiplicative inverse of finite field element z. The selection criteria of IV and the primitive polynomial are shown in [CLEFIA1]. Table 3: Required Numbers of Constant Values k # of CON_k[i] l IV -------------------------------------- 128 60 30 0x428a 192 84 42 0x7137 256 92 46 0xb5c0 Tables 4-6 show the values of T_k[i](k = 128,192,256) and Tables 7-9 show the values of CON_k[i](k = 128,192,256). Table 4: T_128[i] i 0 1 2 3 4 5 6 7 T_128[i] 428a 2145 c4ba 625d e536 729b ed55 a2b2 i 8 9 10 11 12 13 14 15 T_128[i] 5159 fcb4 7e5a 3f2d cb8e 65c7 e6fb a765 i 16 17 18 19 20 21 22 23 T_128[i] 87aa 43d5 f5f2 7af9 e964 74b2 3a59 c934 i 24 25 26 27 28 29 T_128[i] 649a 324d cd3e 669f e757 a7b3 Table 5: T_192[i] i 0 1 2 3 4 5 6 7 T_192[i] 7137 ec83 a259 8534 429a 214d c4be 625f i 8 9 10 11 12 13 14 15 T_192[i] e537 a683 8759 97b4 4bda 25ed c6ee 6377 Katagi & Moriai Expires April 22, 2010 [Page 11] INTERNET-DRAFT The 128-bit Blockcipher CLEFIA October 19, 2009 i 16 17 18 19 20 21 22 23 T_192[i] e5a3 a6c9 877c 43be 21df c4f7 b663 8f29 i 24 25 26 27 28 29 30 31 T_192[i] 938c 49c6 24e3 c669 b72c 5b96 2dcb c2fd i 32 33 34 35 36 37 38 39 T_192[i] b566 5ab3 f941 a8b8 545c 2a2e 1517 de93 i 40 41 T_192[i] bb51 89b0 Table 6: T_256[i] i 0 1 2 3 4 5 6 7 T_256[i] b5c0 5ae0 2d70 16b8 0b5c 05ae 02d7 d573 i 8 9 10 11 12 13 14 15 T_256[i] bea1 8b48 45a4 22d2 1169 dcac 6e56 372b i 16 17 18 19 20 21 22 23 T_256[i] cf8d b3de 59ef f8ef a86f 802f 940f 9e1f i 24 25 26 27 28 29 30 31 T_256[i] 9b17 9993 98d1 9870 4c38 261c 130e 0987 i 32 33 34 35 36 37 38 39 T_256[i] d0db bc75 8a22 4511 f690 7b48 3da4 1ed2 i 40 41 42 43 44 45 T_256[i] 0f69 d3ac 69d6 34eb ce6d b32e Table 7: CON_128[i] (0 <= i < 60) i 0 1 2 3 CON_128[i] f56b7aeb 994a8a42 96a4bd75 fa854521 i 4 5 6 7 CON_128[i] 735b768a 1f7abac4 d5bc3b45 b99d5d62 i 8 9 10 11 CON_128[i] 52d73592 3ef636e5 c57a1ac9 a95b9b72 i 12 13 14 15 CON_128[i] 5ab42554 369555ed 1553ba9a 7972b2a2 i 16 17 18 19 CON_128[i] e6b85d4d 8a995951 4b550696 2774b4fc i 20 21 22 23 CON_128[i] c9bb034b a59a5a7e 88cc81a5 e4ed2d3f i 24 25 26 27 CON_128[i] 7c6f68e2 104e8ecb d2263471 be07c765 i 28 29 30 31 CON_128[i] 511a3208 3d3bfbe6 1084b134 7ca565a7 i 32 33 34 35 CON_128[i] 304bf0aa 5c6aaa87 f4347855 9815d543 i 36 37 38 39 CON_128[i] 4213141a 2e32f2f5 cd180a0d a139f97a Katagi & Moriai Expires April 22, 2010 [Page 12] INTERNET-DRAFT The 128-bit Blockcipher CLEFIA October 19, 2009 i 40 41 42 43 CON_128[i] 5e852d36 32a464e9 c353169b af72b274 i 44 45 46 47 CON_128[i] 8db88b4d e199593a 7ed56d96 12f434c9 i 48 49 50 51 CON_128[i] d37b36cb bf5a9a64 85ac9b65 e98d4d32 i 52 53 54 55 CON_128[i] 7adf6582 16fe3ecd d17e32c1 bd5f9f66 i 56 57 58 59 CON_128[i] 50b63150 3c9757e7 1052b098 7c73b3a7 Table 8: CON_192[i] (0 <= i < 84) i 0 1 2 3 CON_192[i] c6d61d91 aaf73771 5b6226f8 374383ec i 4 5 6 7 CON_192[i] 15b8bb4c 799959a2 32d5f596 5ef43485 i 8 9 10 11 CON_192[i] f57b7acb 995a9a42 96acbd65 fa8d4d21 i 12 13 14 15 CON_192[i] 735f7682 1f7ebec4 d5be3b41 b99f5f62 i 16 17 18 19 CON_192[i] 52d63590 3ef737e5 1162b2f8 7d4383a6 i 20 21 22 23 CON_192[i] 30b8f14c 5c995987 2055d096 4c74b497 i 24 25 26 27 CON_192[i] fc3b684b 901ada4b 920cb425 fe2ded25 i 28 29 30 31 CON_192[i] 710f7222 1d2eeec6 d4963911 b8b77763 i 32 33 34 35 CON_192[i] 524234b8 3e63a3e5 1128b26c 7d09c9a6 i 36 37 38 39 CON_192[i] 309df106 5cbc7c87 f45f7883 987ebe43 i 40 41 42 43 CON_192[i] 963ebc41 fa1fdf21 73167610 1f37f7c4 i 44 45 46 47 CON_192[i] 01829338 6da363b6 38c8e1ac 54e9298f i 48 49 50 51 CON_192[i] 246dd8e6 484c8c93 fe276c73 9206c649 i 52 53 54 55 CON_192[i] 9302b639 ff23e324 7188732c 1da969c6 i 56 57 58 59 CON_192[i] 00cd91a6 6cec2cb7 ec7748d3 8056965b i 60 61 62 63 CON_192[i] 9a2aa469 f60bcb2d 751c7a04 193dfdc2 i 64 65 66 67 CON_192[i] 02879532 6ea666b5 ed524a99 8173b35a Katagi & Moriai Expires April 22, 2010 [Page 13] INTERNET-DRAFT The 128-bit Blockcipher CLEFIA October 19, 2009 i 68 69 70 71 CON_192[i] 4ea00d7c 228141f9 1f59ae8e 7378b8a8 i 72 73 74 75 CON_192[i] e3bd5747 8f9c5c54 9dcfaba3 f1ee2e2a i 76 77 78 79 CON_192[i] a2f6d5d1 ced71715 697242d8 055393de i 80 81 82 83 CON_192[i] 0cb0895c 609151bb 3e51ec9e 5270b089 Table 9: CON_256[i] (0 <= i < 92) i 0 1 2 3 CON_256[i] 0221947e 6e00c0b5 ed014a3f 8120e05a i 4 5 6 7 CON_256[i] 9a91a51f f6b0702d a159d28f cd78b816 i 8 9 10 11 CON_256[i] bcbde947 d09c5c0b b24ff4a3 de6eae05 i 12 13 14 15 CON_256[i] b536fa51 d917d702 62925518 0eb373d5 i 16 17 18 19 CON_256[i] 094082bc 6561a1be 3ca9e96e 5088488b i 20 21 22 23 CON_256[i] f24574b7 9e64a445 9533ba5b f912d222 i 24 25 26 27 CON_256[i] a688dd2d caa96911 6b4d46a6 076cacdc i 28 29 30 31 CON_256[i] d9b72353 b596566e 80ca91a9 eceb2b37 i 32 33 34 35 CON_256[i] 786c60e4 144d8dcf 043f9842 681edeb3 i 36 37 38 39 CON_256[i] ee0e4c21 822fef59 4f0e0e20 232feff8 i 40 41 42 43 CON_256[i] 1f8eaf20 73af6fa8 37ceffa0 5bef2f80 i 44 45 46 47 CON_256[i] 23eed7e0 4fcf0f94 29fec3c0 45df1f9e i 48 49 50 51 CON_256[i] 2cf6c9d0 40d7179b 2e72ccd8 42539399 i 52 53 54 55 CON_256[i] 2f30ce5c 4311d198 2f91cf1e 43b07098 i 56 57 58 59 CON_256[i] fbd9678f 97f8384c 91fdb3c7 fddc1c26 i 60 61 62 63 CON_256[i] a4efd9e3 c8ce0e13 be66ecf1 d2478709 i 64 65 66 67 CON_256[i] 673a5e48 0b1bdbd0 0b948714 67b575bc i 68 69 70 71 CON_256[i] 3dc3ebba 51e2228a f2f075dd 9ed11145 Katagi & Moriai Expires April 22, 2010 [Page 14] INTERNET-DRAFT The 128-bit Blockcipher CLEFIA October 19, 2009 i 72 73 74 75 CON_256[i] 417112de 2d5090f6 cca9096f a088487b i 76 77 78 79 CON_256[i] 8a4584b7 e664a43d a933c25b c512d21e i 80 81 82 83 CON_256[i] b888e12d d4a9690f 644d58a6 086cacd3 i 84 85 86 87 CON_256[i] de372c53 b216d669 830a9629 ef2beb34 i 88 89 90 91 CON_256[i] 798c6324 15ad6dce 04cf99a2 68ee2eb3 6 Security Considerations The security of CLEFIA has been scrutinized in the public community but no security weaknesses have been found for full-round CLEFIA to date, neither by the designers nor by independent cryptographers. Security evaluation by the designers is described in [CLEFIA3], and a list of published cryptanalysis results by external cryptographers is available from http://www.sony.net/Products/cryptography/clefia/technical/related_ material.html. 7 Informative References [CLEFIA1] The 128-bit Blockcipher CLEFIA Algorithm Specification, Revision 1.0, June 1, 2007, Sony Corporation. http://www.sony.net/Products/cryptography/clefia/technical /data/clefia-spec-1.0.pdf [CLEFIA2] The 128-bit blockcipher CLEFIA Design Rationale, Revision 1.0, June 1, 2007, Sony Corporation. http://www.sony.net/Products/cryptography/clefia/technical /data/clefia-design-1.0.pdf [CLEFIA3] The 128-bit blockcipher CLEFIA Security and Performance Evaluations, Revision 1.0, June 1, 2007, Sony Corporation. http://www.sony.net/Products/cryptography/clefia/technical /data/clefia-eval-1.0.pdf [FSE07] T. Shirai, K. Shibutani, T. Akishita, S. Moriai, T. Iwata, "The 128-bit Blockcipher CLEFIA." in proceedings of Fast Software Encryption 2007 - FSE 2007, LNCS 4593, pp. 181- 195, Springer-Verlag, 2007. Katagi & Moriai Expires April 22, 2010 [Page 15] INTERNET-DRAFT The 128-bit Blockcipher CLEFIA October 19, 2009 Appendix A. Test Vectors We give test vectors of CLEFIA for each key length. The data are expressed in hexadecimal form. The intermediate values of these vectors refer to [1]. 128-bit key: key ffeeddcc bbaa9988 77665544 33221100 plaintext 00010203 04050607 08090a0b 0c0d0e0f ciphertext de2bf2fd 9b74aacd f1298555 459494fd 192-bit key: key ffeeddcc bbaa9988 77665544 33221100 f0e0d0c0 b0a09080 plaintext 00010203 04050607 08090a0b 0c0d0e0f ciphertext e2482f64 9f028dc4 80dda184 fde181ad 256-bit key: key ffeeddcc bbaa9988 77665544 33221100 f0e0d0c0 b0a09080 70605040 30201000 plaintext 00010203 04050607 08090a0b 0c0d0e0f ciphertext a1397814 289de80c 10da46d1 fa48b38a Authors' Addresses Masanobu Katagi System Technologies Laboratories Sony Corportation 5-1-12 Kitashinagawa Shinagawa-ku Tokyo, 141-0001, Japan Shiho Moriai System Technologies Laboratories Sony Corportation 5-1-12 Kitashinagawa Shinagawa-ku Tokyo, 141-0001, Japan Phone: +81-3-5448-3701 EMail: clefia-q@jp.sony.com Katagi & Moriai Expires April 22, 2010 [Page 16] INTERNET-DRAFT The 128-bit Blockcipher CLEFIA October 19, 2009 Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Katagi & Moriai Expires April 22, 2010 [Page 17]