| < draft-lee-rfc4009bis-01.txt | draft-lee-rfc4009bis-02.txt > | |||
|---|---|---|---|---|
| Internet-Draft H.J. Lee | Internet-Draft H.J. Lee | |||
| Obsoletes: 4009(if approved) S.J. Lee | Obsoletes: 4009(if approved) S.J. Lee | |||
| Expires: November 2005 J.H. Yoon | Expires: November 2005 J.H. Yoon | |||
| D.H. Cheon | D.H. Cheon | |||
| J.I. Lee | J.I. Lee | |||
| KISA | KISA | |||
| May 2005 | May 2005 | |||
| The SEED Encryption Algorithm | The SEED Encryption Algorithm | |||
| <draft-lee-rfc4009bis-01.txt> | <draft-lee-rfc4009bis-02.txt> | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 37 | skipping to change at page 1, line 37 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress". | material or to cite them other than as "work in progress". | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt | http://www.ietf.org/ietf/1id-abstracts.txt | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html | http://www.ietf.org/shadow.html | |||
| This Internet-Draft will expire on November 21, 2005. | This Internet-Draft will expire on November 30, 2005. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2005). | |||
| Abstract | Abstract | |||
| This document describes the SEED encryption algorithm, which has been | This document describes the SEED encryption algorithm, which has been | |||
| adopted by most of the security systems in the Republic of Korea. | adopted by most of the security systems in the Republic of Korea. | |||
| Included are a description of the encryption and the key scheduling | Included are a description of the encryption and the key scheduling | |||
| algorithm (Section 2), the S-boxes (Appendix A), and a set of test | algorithm (Section 2), the S-boxes (Appendix A), and a set of test | |||
| vectors (Appendix B). | vectors (Appendix B). | |||
| 1. Introduction | 1. Introduction | |||
| 1.1. Changes from RFC 4009 | 1.1. Changes from RFC 4009 | |||
| This specification obsoletes RFC 4009, because the RFC 4009 had | This specification obsoletes RFC 4009, because the RFC 4009 had | |||
| ambiguous function and SS-boxes definitions cryptographically. Thus, | ambiguous function and SS-boxes definitions cryptographically. Thus, | |||
| some definitions have been changed and for better understanding, the | some definitions have been changed and for better understanding, the | |||
| SEED pseudo codes have been modified. This update is to provide | SEED pseudo codes have been modified. This update is to provide | |||
| clarity and facilitate the development of interoperable | clarity and facilitate the development of interoperable | |||
| implementations. The SEED algorithm itself has not been changed. | implementations. The SEED algorithm itself has not been changed. | |||
| This specification updates the RFC 4009 in the following areas: | This specification updates the RFC 4009 in the following areas: | |||
| - Pseudo code changes. The Pseudo code in section2 in RFC4009 is | - Pseudo code changes. The Pseudo code in section2 in RFC4009 is | |||
| insufficient for the explanation of the structure of SEED. Thus | insufficient for the explanation of the structure of SEED. Thus | |||
| detailed pseudo code is introduced. | detailed pseudo code is introduced. | |||
| - Some corrections of errata which are the definition of R1', Z, X | - Some corrections of errata which are the definition of R1', Z, X | |||
| and SS-boxes. | and SS-boxes. | |||
| 1.2. SEED Overview | 1.1. SEED Overview | |||
| SEED is a 128-bit symmetric key block cipher that has been developed | SEED is a 128-bit symmetric key block cipher that has been developed | |||
| by KISA (Korea Information Security Agency) since 1998. SEED is a | by KISA (Korea Information Security Agency) since 1998. SEED is a | |||
| national standard encryption algorithm in the Republic of Korea | national standard encryption algorithm in the Republic of Korea | |||
| [TTASSEED] and is designed to use the S-boxes and permutations that | [TTASSEED] and is designed to use the S-boxes and permutations that | |||
| balance with the current computing technology. It has the Feistel | balance with the current computing technology. It has the Feistel | |||
| structure with 16-round and is strong against DC(Differential | structure with 16-round and is strong against DC(Differential | |||
| Cryptanalysis), LC(Linear Cryptanalysis), and related key attacks, | Cryptanalysis), LC(Linear Cryptanalysis), and related key attacks, | |||
| balanced with security/efficiency trade-off. | balanced with security/efficiency trade-off. | |||
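| | Review bot: renumbering "1.2. SEED Overview" to "1.1. SEED Overview" collides with "1.1. Changes from RFC 4009", which both versions still carry a few lines above, so -02 now has two sections numbered 1.1 (and Notation is shifted to 1.2 the same way further down). Either keep the -01 numbering (1.1 Changes, 1.2 Overview, 1.3 Notation) or move the change summary out of Section 1; the "Section 2" and appendix references in the Abstract are unaffected either way. | |||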
| skipping to change at page 2, line 49 | skipping to change at page 2, line 49 | |||
| - 128-bit input/output data block size | - 128-bit input/output data block size | |||
| - 128-bit key length | - 128-bit key length | |||
| - A round function strong against known attacks | - A round function strong against known attacks | |||
| - Two 8x8 S-boxes | - Two 8x8 S-boxes | |||
| - Mixed operations of XOR and modular addition | - Mixed operations of XOR and modular addition | |||
| SEED has been widely used in the Republic of Korea for confidential | SEED has been widely used in the Republic of Korea for confidential | |||
| services such as electronic commerce; e.g., financial services | services such as electronic commerce; e.g., financial services | |||
| provided in wired and wireless communication. | provided in wired and wireless communication. | |||
| 1.3. Notation | 1.2. Notation | |||
| The following notation is used in the description of the SEED | The following notation is used in the description of the SEED | |||
| encryption algorithm: | encryption algorithm: | |||
| & bitwise AND | & bitwise AND | |||
| ^ bitwise exclusive OR | ^ bitwise exclusive OR | |||
| + addition in modular 2**32 | + addition in modular 2**32 | |||
| - subtraction in modular 2**32 | - subtraction in modular 2**32 | |||
| || concatenation | || concatenation | |||
| << n left circular rotation by n bits | << n left circular rotation by n bits | |||
| >> n right circular rotation by n bits | >> n right circular rotation by n bits | |||
| 0x hexadecimal representation | 0x hexadecimal representation | |||
| 2. The Structure of SEED | 2. The Structure of SEED | |||
| The input/output block size of SEED is 128-bit, and the key length is | The input/output block size of SEED is 128-bit, and the key length is | |||
| also 128-bit. SEED has the 16-round Feistel structure. A 128-bit | also 128-bit. SEED has the 16-round Feistel structure. A 128-bit | |||
| input is divided into two 64-bit blocks (L, R), and the right 64-bit | input is divided into two 64-bit blocks (L, R), and the right 64-bit | |||
| block is an input to the round function F, with a 64-bit subkey Ki | block is an input to the round function F, with a 64-bit subkey Ki | |||
| generated from the key schedule. | generated from the key schedule. L is the most significant 64 bits | |||
| of 128-bit input, and R is the least significant 64 bits. | ||||
| A pseudo code for the structure of SEED is as follows: | A pseudo code for the structure of SEED is as follows: | |||
| Input : (L, R) | Input : (L, R) | |||
| for i = 1 to 15 | for i = 1 to 15 | |||
| L = R, R = L ^ F(Ki, R) | ||||
| T = R; | ||||
| R = L ^ F(Ki, R); | ||||
| L = T; | ||||
| L = L ^ F(K16, R), R=R | L = L ^ F(K16, R), R=R | |||
| Output : (L, R) | Output : (L, R) | |||
| Where, T is a temporary. | ||||
| 2.1. The Round Function F | 2.1. The Round Function F | |||
| SEED uses two 8x8 S-boxes, permutations, rotations, and basic modular | SEED uses two 8x8 S-boxes, permutations, rotations, and basic modular | |||
| operations such as exclusive OR (XOR) and additions to provide strong | operations such as exclusive OR (XOR) and additions to provide strong | |||
| security, high speed, and simplicity in its implementation. | security, high speed, and simplicity in its implementation. | |||
| A 64-bit input block of the round function F is divided into two | A 64-bit input block of the round function F is divided into two | |||
| 32-bit blocks (R0, R1) and wrapped with 4 phases: | 32-bit blocks (R0, R1) and wrapped with 4 phases: | |||
| - A mixing phase of two 32-bit subkey blocks (Ki0 , Ki1) | - A mixing phase of two 32-bit subkey blocks (Ki0 , Ki1) | |||
| - 3 layers of function G (See Section 2.2), with additions for | - 3 layers of function G (See Section 2.2), with additions for | |||
| mixing two 32-bit blocks | mixing two 32-bit blocks | |||
| Where R0 is the most significant 32bits of R, and R1 is the least | ||||
| significant 32bits. | ||||
| The outputs (R0', R1') of function F are as follows: | The outputs (R0', R1') of function F are as follows: | |||
| R0' = G[ G[ G[(R0 ^ Ki0) ^ (R1 ^ Ki1)] + (R0 ^ Ki0)] + G[(R0 ^ Ki0) | R0' = G[ G[ G[(R0 ^ Ki0) ^ (R1 ^ Ki1)] + (R0 ^ Ki0)] + G[(R0 ^ Ki0) | |||
| ^ (R1 ^ Ki1)]] + G[ G[(R0 ^ Ki0) ^ (R1 ^ Ki1)] + (R0 ^ Ki0)] | ^ (R1 ^ Ki1)]] + G[ G[(R0 ^ Ki0) ^ (R1 ^ Ki1)] + (R0 ^ Ki0)] | |||
| R1' = G[ G[ G[(R0 ^ Ki0) ^ (R1 ^ Ki1)] + (R0 ^ Ki0)] + G[(R0 ^ Ki0) | R1' = G[ G[ G[(R0 ^ Ki0) ^ (R1 ^ Ki1)] + (R0 ^ Ki0)] + G[(R0 ^ Ki0) | |||
| ^ (R1 ^ Ki1)]] | ^ (R1 ^ Ki1)]] | |||
| 2.2. The Function G | 2.2. The Function G | |||
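| | Review bot: the corrected loop body "T = R; R = L ^ F(Ki, R); L = T;" fixes the -01 line "L = R, R = L ^ F(Ki, R)", which read sequentially overwrote L before it was used, but the final round on the next line still uses the comma form "L = L ^ F(K16, R), R=R" that the fix just abandoned. Suggest "L = L ^ F(K16, R);" on its own, with a sentence saying R is left unchanged in round 16 (no swap), so the two statement styles are not mixed. The new sentence defining R0 and R1 also sits between the list of F's phases and the R0'/R1' equations; placing it directly after "(R0, R1)" keeps the definition with the split it explains. | |||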
| skipping to change at page 4, line 19 | skipping to change at page 4, line 28 | |||
| Z (= Z3 || Z2 || Z1 || Z0) of the function G with four 8-bit inputs | Z (= Z3 || Z2 || Z1 || Z0) of the function G with four 8-bit inputs | |||
| X (= X3 || X2 || X1 || X0) are as follows: | X (= X3 || X2 || X1 || X0) are as follows: | |||
| Z0 = {S0(X0) & m0} ^ {S1(X1) & m1} ^ {S0(X2) & m2} ^ {S1(X3) & m3} | Z0 = {S0(X0) & m0} ^ {S1(X1) & m1} ^ {S0(X2) & m2} ^ {S1(X3) & m3} | |||
| Z1 = {S0(X0) & m1} ^ {S1(X1) & m2} ^ {S0(X2) & m3} ^ {S1(X3) & m0} | Z1 = {S0(X0) & m1} ^ {S1(X1) & m2} ^ {S0(X2) & m3} ^ {S1(X3) & m0} | |||
| Z2 = {S0(X0) & m2} ^ {S1(X1) & m3} ^ {S0(X2) & m0} ^ {S1(X3) & m1} | Z2 = {S0(X0) & m2} ^ {S1(X1) & m3} ^ {S0(X2) & m0} ^ {S1(X3) & m1} | |||
| Z3 = {S0(X0) & m3} ^ {S1(X1) & m0} ^ {S0(X2) & m1} ^ {S1(X3) & m2} | Z3 = {S0(X0) & m3} ^ {S1(X1) & m0} ^ {S0(X2) & m1} ^ {S1(X3) & m2} | |||
| where m0 = 0xFC, m1 = 0xF3, m2 = 0xCF, and m3 = 0x3F. | where m0 = 0xFC, m1 = 0xF3, m2 = 0xCF, and m3 = 0x3F. | |||
| To increase the efficiency of G function, four extended S-boxes | To increase the efficiency of G function, four extended S-boxes "SS- | |||
| box" (See Appendix A.2) are defined as follows: | ||||
| SS0(X0)= {S0(X0)& m3} || {S0(X0)& m2} || {S0(X0)& m1} || {S0(X0)& m0} | SS0(X0)= {S0(X0)& m3} || {S0(X0)& m2} || {S0(X0)& m1} || {S0(X0)& m0} | |||
| SS1(X1)= {S1(X1)& m0} || {S1(X1)& m3} || {S1(X1)& m2} || {S1(X1)& m1} | SS1(X1)= {S1(X1)& m0} || {S1(X1)& m3} || {S1(X1)& m2} || {S1(X1)& m1} | |||
| SS2(X2)= {S0(X2)& m1} || {S0(X2)& m0} || {S0(X2)& m3} || {S0(X2)& m2} | SS2(X2)= {S0(X2)& m1} || {S0(X2)& m0} || {S0(X2)& m3} || {S0(X2)& m2} | |||
| SS3(X3)= {S1(X3)& m2} || {S1(X3)& m1} || {S1(X3)& m0} || {S1(X3)& m3} | SS3(X3)= {S1(X3)& m2} || {S1(X3)& m1} || {S1(X3)& m0} || {S1(X3)& m3} | |||
| New G function, Z, can be defined as follows: | New G function, Z, can be defined as follows: | |||
| Z = SS0(X0) ^ SS1(X1) ^ SS2(X2) ^ SS3(X3) | Z = SS0(X0) ^ SS1(X1) ^ SS2(X2) ^ SS3(X3) | |||
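| | Review bot: the four SS lines list the most significant byte first (SS0(X0) ^ SS1(X1) ^ SS2(X2) ^ SS3(X3) then reproduces Z3 || Z2 || Z1 || Z0 byte for byte, mask for mask), but the only statement of that ordering is the "Z (= Z3 || Z2 || Z1 || Z0)" form above. A sentence saying that || lists bytes from most to least significant, in the style of the L/R and R0/R1 sentences added elsewhere in -02, would close the byte-order ambiguity that Section 1.1 says RFC 4009 suffered from, and the new "(See Appendix A.2)" pointer should say that the appendix tables are exactly these four 32-bit-output tables. | |||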
| skipping to change at page 4, line 51 | skipping to change at page 5, line 13 | |||
| - Type 1 : Odd round | - Type 1 : Odd round | |||
| Ki0 = G(Key0 + Key2 - KCi) | Ki0 = G(Key0 + Key2 - KCi) | |||
| Ki1 = G(Key1 - Key3 + KCi) | Ki1 = G(Key1 - Key3 + KCi) | |||
| Key0 || Key1 = (Key0 || Key1) >> 8 | Key0 || Key1 = (Key0 || Key1) >> 8 | |||
| - Type 2 : Even round | - Type 2 : Even round | |||
| Ki0 = G(Key0 + Key2 - KCi) | Ki0 = G(Key0 + Key2 - KCi) | |||
| Ki1 = G(Key1 - Key3 + KCi) | Ki1 = G(Key1 - Key3 + KCi) | |||
| Key2 || Key3 = (Key2 || Key3) << 8 | Key2 || Key3 = (Key2 || Key3) << 8 | |||
| Where Ki0 is the most significant 32bits of Ki, and Ki1 is the least | ||||
| significant 32bits of Ki.(where, i=0,...,3) | ||||
| The following table shows constants used in KCi: | The following table shows constants used in KCi: | |||
| i | Value i | Value | i | Value i | Value | |||
| ============================================ | ============================================ | |||
| KC1 | 0x9E3779B9 KC2 | 0x3C6EF373 | KC1 | 0x9E3779B9 KC2 | 0x3C6EF373 | |||
| KC3 | 0x78DDE6E6 KC4 | 0xF1BBCDCC | KC3 | 0x78DDE6E6 KC4 | 0xF1BBCDCC | |||
| KC5 | 0xE3779B99 KC6 | 0xC6EF3733 | KC5 | 0xE3779B99 KC6 | 0xC6EF3733 | |||
| KC7 | 0x8DDE6E67 KC8 | 0x1BBCDCCF | KC7 | 0x8DDE6E67 KC8 | 0x1BBCDCCF | |||
| KC9 | 0x3779B99E KC10 | 0x6EF3733C | KC9 | 0x3779B99E KC10 | 0x6EF3733C | |||
| KC11 | 0xDDE6E678 KC12 | 0xBBCDCCF1 | KC11 | 0xDDE6E678 KC12 | 0xBBCDCCF1 | |||
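| | Review bot: the added "(where, i=0,...,3)" conflicts with the use of i as the round index in Ki and KCi on the same lines (the table runs KC1, KC2, ...); 0..3 is the index of Key0..Key3, not of Ki. Suggest dropping the parenthetical, keeping "Ki0 is the most significant 32 bits of the 64-bit subkey Ki and Ki1 the least significant 32 bits", and adding which of Key0..Key3 holds the most significant bits of the 128-bit key, which neither version states. | |||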
| End of changes. 12 change blocks. | ||||
| 15 lines changed or deleted | 28 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
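The following is an added example, not code from the draft or from KISA: the Section 2 Feistel structure, the Section 2.1 round function F, both forms of the Section 2.2 function G (the byte-wise Z equations and the SS-box form), and the Type 1 / Type 2 key schedule, written so that the two forms of G can be checked against each other and the cipher can be run forwards and backwards. The two 8x8 S-boxes are in Appendix A, which this excerpt does not include, so S0 and S1 below are constructed placeholder permutations: the structure is SEED's, the outputs are not, and the Appendix B test vectors will only match once the real tables are substituted. Two further assumptions are labelled in the code: Key0 is taken as the most significant 32-bit word of the key, and KC13..KC16 (beyond the twelve constants shown) are taken to continue the one-bit left rotation that the twelve listed values follow.

```python
# Added example (not from the draft): SEED structure of Section 2, with the
# S-boxes of Appendix A replaced by CONSTRUCTED placeholder permutations.
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
M = (0xFC, 0xF3, 0xCF, 0x3F)  # m0..m3 from Section 2.2

# Placeholder S-boxes (constructed, NOT SEED's): affine permutations of 0..255.
S0 = [(7 * x + 3) & 0xFF for x in range(256)]
S1 = [(13 * x + 5) & 0xFF for x in range(256)]

def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def rotl64(x, n):
    return ((x << n) | (x >> (64 - n))) & MASK64

def rotr64(x, n):
    return rotl64(x, 64 - n)

def split_bytes(X):
    """X3 || X2 || X1 || X0 -> (X0, X1, X2, X3), X0 least significant."""
    return X & 0xFF, (X >> 8) & 0xFF, (X >> 16) & 0xFF, (X >> 24) & 0xFF

def G_masks(X):
    """G byte by byte: Zj = XOR over k of S(Xk) & m((j + k) mod 4),
    which is the mask pattern of the four Z lines in Section 2.2."""
    X0, X1, X2, X3 = split_bytes(X)
    s = (S0[X0], S1[X1], S0[X2], S1[X3])
    Z = 0
    for j in range(4):
        Zj = 0
        for k in range(4):
            Zj ^= s[k] & M[(j + k) % 4]
        Z |= Zj << (8 * j)
    return Z

def make_ss_box(sbox, k):
    """Extended S-box SSk: byte j of SSk(x) is S(x) & m((j + k) mod 4),
    most significant byte first, as the SS lines in Section 2.2 list them."""
    return [sum((sbox[x] & M[(j + k) % 4]) << (8 * j) for j in range(4))
            for x in range(256)]

SS = (make_ss_box(S0, 0), make_ss_box(S1, 1), make_ss_box(S0, 2), make_ss_box(S1, 3))

def G(X):
    """Table-driven G: Z = SS0(X0) ^ SS1(X1) ^ SS2(X2) ^ SS3(X3)."""
    X0, X1, X2, X3 = split_bytes(X)
    return SS[0][X0] ^ SS[1][X1] ^ SS[2][X2] ^ SS[3][X3]

def F(Ki, R):
    """Round function F (Section 2.1): R0 || R1 -> R0' || R1'."""
    Ki0, Ki1 = Ki >> 32, Ki & MASK32      # Ki0 is the most significant half
    R0, R1 = R >> 32, R & MASK32          # R0 is the most significant half
    C = R0 ^ Ki0                          # (R0 ^ Ki0), reused three times
    D = G(C ^ (R1 ^ Ki1))                 # G[(R0 ^ Ki0) ^ (R1 ^ Ki1)]
    E = G((D + C) & MASK32)               # G[ D + (R0 ^ Ki0) ]
    R1_ = G((E + D) & MASK32)             # R1' = G[ E + D ]
    R0_ = (R1_ + E) & MASK32              # R0' = R1' + E
    return (R0_ << 32) | R1_

# KC1 = 0x9E3779B9 and each later constant is the previous one rotated left by
# one bit, as the twelve tabulated values show; KC13..KC16 are beyond the
# excerpt and are ASSUMED here to follow the same rule.
KC = [rotl32(0x9E3779B9, i) for i in range(16)]

def key_schedule(key):
    """Sixteen 64-bit subkeys Ki = Ki0 || Ki1 from a 128-bit key. ASSUMED split
    (the excerpt does not state it): Key0 is the most significant 32-bit word."""
    Key0, Key1, Key2, Key3 = [(key >> (96 - 32 * i)) & MASK32 for i in range(4)]
    subkeys = []
    for i in range(16):
        Ki0 = G((Key0 + Key2 - KC[i]) & MASK32)   # modular 2**32 arithmetic
        Ki1 = G((Key1 - Key3 + KC[i]) & MASK32)
        subkeys.append((Ki0 << 32) | Ki1)
        if i % 2 == 0:   # odd round (Type 1): Key0 || Key1 rotated right by 8
            t = rotr64((Key0 << 32) | Key1, 8)
            Key0, Key1 = t >> 32, t & MASK32
        else:            # even round (Type 2): Key2 || Key3 rotated left by 8
            t = rotl64((Key2 << 32) | Key3, 8)
            Key2, Key3 = t >> 32, t & MASK32
    return subkeys

def encrypt_block(subkeys, block):
    """Section 2 pseudo code: 15 swapping rounds, then round 16 without swap."""
    L, R = block >> 64, block & MASK64    # L is the most significant 64 bits
    for i in range(15):
        T = R
        R = L ^ F(subkeys[i], R)
        L = T
    L ^= F(subkeys[15], R)                # R is left unchanged in round 16
    return (L << 64) | R

def decrypt_block(subkeys, block):
    """Because round 16 does not swap, decryption is encryption with the
    subkeys applied in reverse order."""
    return encrypt_block(subkeys[::-1], block)

def roundtrip(key, block):
    """Encrypt then decrypt; returns (ciphertext, recovered plaintext)."""
    ks = key_schedule(key)
    ct = encrypt_block(ks, block)
    return ct, decrypt_block(ks, ct)

if __name__ == "__main__":
    key = 0x000102030405060708090A0B0C0D0E0F   # constructed sample key
    pt = 0x00112233445566778899AABBCCDDEEFF    # constructed sample block
    ct, back = roundtrip(key, pt)
    print(f"ciphertext {ct:032x}\nrecovered  {back:032x}")
```

The two G implementations agree for any pair of S-boxes, which is the point of the SS-box rewrite: it is a lookup-table optimisation, not a change to the function. The recovered plaintext equals the input only because round 16 omits the swap, which is why a decryptor can reuse the encryption loop with reversed subkeys; the twelve KC values generated by rotation can be compared one by one against the table above.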