rfcdiff: draft-lee-rfc4009bis-01.txt vs. draft-lee-rfc4009bis-02.txt

Internet-Draft                                                H.J. Lee
Obsoletes: 4009 (if approved)                                 S.J. Lee
Expires: November 2005                                       J.H. Yoon
                                                             D.H. Cheon
                                                              J.I. Lee
                                                                  KISA
                                                              May 2005

                     The SEED Encryption Algorithm
                     <draft-lee-rfc4009bis-02.txt>
Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that

   [...]

   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress".

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on November 30, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2005).
Abstract

   This document describes the SEED encryption algorithm, which has been
   adopted by most of the security systems in the Republic of Korea.
   Included are a description of the encryption and the key scheduling
   algorithm (Section 2), the S-boxes (Appendix A), and a set of test
   vectors (Appendix B).
1. Introduction

1.1. Changes from RFC 4009

   This specification obsoletes RFC 4009, because RFC 4009 contained
   cryptographically ambiguous definitions of the round function and
   the SS-boxes. Some definitions have therefore been changed and, for
   better understanding, the SEED pseudo code has been modified. This
   update is intended to provide clarity and to facilitate the
   development of interoperable implementations. The SEED algorithm
   itself has not been changed.

   This specification updates RFC 4009 in the following areas:

   - Pseudo code changes. The pseudo code in Section 2 of RFC 4009 is
     insufficient to explain the structure of SEED, so more detailed
     pseudo code is introduced.

   - Corrections of errata in the definitions of R1', Z, X, and the
     SS-boxes.
1.2. SEED Overview

   SEED is a 128-bit symmetric key block cipher that has been developed
   by KISA (Korea Information Security Agency) since 1998. SEED is a
   national standard encryption algorithm in the Republic of Korea
   [TTASSEED] and is designed to use S-boxes and permutations that
   balance with current computing technology. It has a 16-round Feistel
   structure and is strong against DC (differential cryptanalysis),
   LC (linear cryptanalysis), and related-key attacks, with a balanced
   security/efficiency trade-off.

   [...]

   - 128-bit input/output data block size
   - 128-bit key length
   - A round function strong against known attacks
   - Two 8x8 S-boxes
   - Mixed operations of XOR and modular addition

   SEED has been widely used in the Republic of Korea for confidential
   services such as electronic commerce, e.g., financial services
   provided over wired and wireless communication.
1.3. Notation

   The following notation is used in the description of the SEED
   encryption algorithm:

   &      bitwise AND
   ^      bitwise exclusive OR
   +      addition modulo 2**32
   -      subtraction modulo 2**32
   ||     concatenation
   << n   left circular rotation by n bits
   >> n   right circular rotation by n bits
   0x     hexadecimal representation
2. The Structure of SEED

   The input/output block size of SEED is 128 bits, and the key length
   is also 128 bits. SEED has a 16-round Feistel structure. A 128-bit
   input is divided into two 64-bit blocks (L, R), and the right 64-bit
   block is the input to the round function F, together with a 64-bit
   subkey Ki generated by the key schedule. L is the most significant
   64 bits of the 128-bit input, and R is the least significant 64
   bits.

   A pseudo code for the structure of SEED is as follows:

      Input : (L, R)
      for i = 1 to 15
          T = R;
          R = L ^ F(Ki, R);
          L = T;
      L = L ^ F(K16, R), R = R
      Output : (L, R)

   where T is a temporary variable. Note that the two halves are not
   swapped after the 16th round.
2.1. The Round Function F

   SEED uses two 8x8 S-boxes, permutations, rotations, and basic modular
   operations such as exclusive OR (XOR) and addition to provide strong
   security, high speed, and simplicity of implementation.

   A 64-bit input block of the round function F is divided into two
   32-bit blocks (R0, R1) and processed in 4 phases:

   - A mixing phase with the two 32-bit subkey blocks (Ki0, Ki1)
   - 3 layers of the function G (see Section 2.2), with additions for
     mixing the two 32-bit blocks

   R0 is the most significant 32 bits of R, and R1 is the least
   significant 32 bits.

   The outputs (R0', R1') of the function F are as follows:

      R0' = G[ G[ G[(R0 ^ Ki0) ^ (R1 ^ Ki1)] + (R0 ^ Ki0)] + G[(R0 ^ Ki0)
            ^ (R1 ^ Ki1)]] + G[ G[(R0 ^ Ki0) ^ (R1 ^ Ki1)] + (R0 ^ Ki0)]

      R1' = G[ G[ G[(R0 ^ Ki0) ^ (R1 ^ Ki1)] + (R0 ^ Ki0)] + G[(R0 ^ Ki0)
            ^ (R1 ^ Ki1)]]
2.2. The Function G

   [...]

   The 32-bit output Z (= Z3 || Z2 || Z1 || Z0) of the function G for
   the four 8-bit inputs X (= X3 || X2 || X1 || X0) is computed as
   follows:

      Z0 = {S0(X0) & m0} ^ {S1(X1) & m1} ^ {S0(X2) & m2} ^ {S1(X3) & m3}
      Z1 = {S0(X0) & m1} ^ {S1(X1) & m2} ^ {S0(X2) & m3} ^ {S1(X3) & m0}
      Z2 = {S0(X0) & m2} ^ {S1(X1) & m3} ^ {S0(X2) & m0} ^ {S1(X3) & m1}
      Z3 = {S0(X0) & m3} ^ {S1(X1) & m0} ^ {S0(X2) & m1} ^ {S1(X3) & m2}

   where m0 = 0xFC, m1 = 0xF3, m2 = 0xCF, and m3 = 0x3F.

   To increase the efficiency of the G function, four extended S-boxes,
   the "SS-boxes" (see Appendix A.2), are defined as follows:

      SS0(X0) = {S0(X0) & m3} || {S0(X0) & m2} || {S0(X0) & m1} || {S0(X0) & m0}
      SS1(X1) = {S1(X1) & m0} || {S1(X1) & m3} || {S1(X1) & m2} || {S1(X1) & m1}
      SS2(X2) = {S0(X2) & m1} || {S0(X2) & m0} || {S0(X2) & m3} || {S0(X2) & m2}
      SS3(X3) = {S1(X3) & m2} || {S1(X3) & m1} || {S1(X3) & m0} || {S1(X3) & m3}

   Using the SS-boxes, the output Z of the G function can be computed as:

      Z = SS0(X0) ^ SS1(X1) ^ SS2(X2) ^ SS3(X3)
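The SS-box identity above, worked through as an added example that is not part of the draft: the Python below derives SS0..SS3 from two S-boxes with exactly the mask layout given above and checks that the one-lookup-per-input-byte form of G agrees with the byte-wise definition of Z0..Z3. S0 and S1 here are constructed stand-ins, not SEED's Appendix A tables; the identity holds for whichever tables are used.

```python
# Masks m0..m3 from the specification
M = [0xFC, 0xF3, 0xCF, 0x3F]

# Constructed stand-in S-boxes (NOT SEED's real S0/S1 from Appendix A);
# the SS-box identity below does not depend on which tables are used.
S0 = [(i * 23 + 5) & 0xFF for i in range(256)]
S1 = [((i * 97 + 17) ^ 0xA5) & 0xFF for i in range(256)]

def split_bytes(x):
    """X = X3 || X2 || X1 || X0 -> [X0, X1, X2, X3], X0 least significant."""
    return [(x >> (8 * j)) & 0xFF for j in range(4)]

def g_direct(x):
    """G byte by byte: Zj XORs the k-th S-box output masked with m_(j+k)."""
    x0, x1, x2, x3 = split_bytes(x)
    s = [S0[x0], S1[x1], S0[x2], S1[x3]]
    z = 0
    for j in range(4):
        zj = 0
        for k in range(4):
            zj ^= s[k] & M[(j + k) % 4]
        z |= zj << (8 * j)          # Z = Z3 || Z2 || Z1 || Z0
    return z

def make_ss(sbox, k):
    """SS_k: byte j of SS_k(v) is sbox[v] masked with m_(j+k); this
    reproduces the four concatenations written in the specification."""
    return [sum((sbox[v] & M[(j + k) % 4]) << (8 * j) for j in range(4))
            for v in range(256)]

SS = [make_ss(S0, 0), make_ss(S1, 1), make_ss(S0, 2), make_ss(S1, 3)]

def g_ss(x):
    """G via the extended S-boxes: one 32-bit table lookup per input byte."""
    x0, x1, x2, x3 = split_bytes(x)
    return SS[0][x0] ^ SS[1][x1] ^ SS[2][x2] ^ SS[3][x3]

def tables_agree():
    """Compare both forms of G on every single-byte input and some full words."""
    samples = [0, 0xFFFFFFFF, 0x01234567, 0x89ABCDEF]
    samples += [v << (8 * j) for j in range(4) for v in range(256)]
    return all(g_direct(x) == g_ss(x) for x in samples)
```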
   [...]

   - Type 1 : Odd round

        Ki0 = G(Key0 + Key2 - KCi)
        Ki1 = G(Key1 - Key3 + KCi)
        Key0 || Key1 = (Key0 || Key1) >> 8

   - Type 2 : Even round

        Ki0 = G(Key0 + Key2 - KCi)
        Ki1 = G(Key1 - Key3 + KCi)
        Key2 || Key3 = (Key2 || Key3) << 8

   Ki0 is the most significant 32 bits of Ki, and Ki1 is the least
   significant 32 bits of Ki (where i = 0, ..., 3).

   The following table shows the constants KCi:

        i    | Value           i    | Value
      =======+=============  =======+=============
        KC1  | 0x9E3779B9      KC2  | 0x3C6EF373
        KC3  | 0x78DDE6E6      KC4  | 0xF1BBCDCC
        KC5  | 0xE3779B99      KC6  | 0xC6EF3733
        KC7  | 0x8DDE6E67      KC8  | 0x1BBCDCCF
        KC9  | 0x3779B99E      KC10 | 0x6EF3733C
        KC11 | 0xDDE6E678      KC12 | 0xBBCDCCF1
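As an added example (not the draft's own code) covering both the Feistel structure and round function F of Sections 2 and 2.1 and the key schedule above, the Python below builds the 16 subkeys with the Type 1/Type 2 rounds, derives KC1..KC16 from KC1 by one-bit left rotation (the draft tabulates KC1..KC12, which the derivation reproduces), and shows that running the same structure with the subkeys in reverse order inverts encryption. G is a constructed stand-in, because the real G needs the Appendix A S-boxes, so this is not a SEED implementation and does not reproduce SEED test vectors.

```python
import struct
MASK32, MASK64 = 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF

def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def G(x):  # stand-in for SEED's G (Section 2.2; the real one needs Appendix A)
    return rotl32((x * 0x9E3779B9 + 0x7F4A7C15) & MASK32, 13)

# KC1..KC16: the draft tabulates KC1..KC12; each constant is the previous one
# rotated left by one bit, so all 16 are derived here from KC1.
KC = [0x9E3779B9]
for _ in range(15):
    KC.append(rotl32(KC[-1], 1))

def key_schedule(key):
    # Key0 || Key1 || Key2 || Key3 = the 128-bit key, Key0 most significant
    key0, key1, key2, key3 = struct.unpack('>IIII', key)
    subkeys = []
    for i in range(16):                        # round i + 1 uses KC(i+1)
        subkeys.append((G((key0 + key2 - KC[i]) & MASK32),
                        G((key1 - key3 + KC[i]) & MASK32)))
        if i % 2 == 0:  # Type 1 (odd round): Key0 || Key1 rotated right by 8
            t = (key0 << 32) | key1
            t = ((t >> 8) | (t << 56)) & MASK64
            key0, key1 = t >> 32, t & MASK32
        else:           # Type 2 (even round): Key2 || Key3 rotated left by 8
            t = (key2 << 32) | key3
            t = ((t << 8) | (t >> 56)) & MASK64
            key2, key3 = t >> 32, t & MASK32
    return subkeys

def F(ki0, ki1, r):  # the three G layers written out in Section 2.1
    c = (r >> 32) ^ ki0                        # R0 ^ Ki0
    d = G(c ^ (r & MASK32) ^ ki1)              # G[(R0 ^ Ki0) ^ (R1 ^ Ki1)]
    c = G((c + d) & MASK32)                    # G[ G[...] + (R0 ^ Ki0) ]
    d = G((d + c) & MASK32)                    # R1'
    return (((c + d) & MASK32) << 32) | d      # R0' || R1'

def seed_block(block, subkeys):
    # 16-round Feistel structure; the 16th round does not swap the halves
    L, R = block >> 64, block & MASK64
    for ki0, ki1 in subkeys[:15]:
        L, R = R, L ^ F(ki0, ki1, R)           # T = R; R = L ^ F(Ki, R); L = T
    ki0, ki1 = subkeys[15]
    return ((L ^ F(ki0, ki1, R)) << 64) | R

def encrypt(block, key):
    return seed_block(block, key_schedule(key))

def decrypt(block, key):  # same structure, subkeys in reverse order
    return seed_block(block, key_schedule(key)[::-1])
```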
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/