Network Working Group                                             J. Lee
Internet Draft                                                    J. Lee
Intended status: Informational                                    J. Kim
Expires: June 6, 2010                                            D. Kwon
                                                                  C. Kim
                                                                    NSRI
                                                        December 3, 2009

             A Description of the ARIA Encryption Algorithm
                         draft-nsri-aria-04.txt

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on June 6, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors. All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   This document describes the ARIA encryption algorithm. ARIA is a
   128-bit block cipher with 128-, 192-, and 256-bit keys. The algorithm
   consists of a key scheduling part and a data randomizing part.

1. Introduction

1.1. ARIA Overview

   ARIA is a general-purpose block cipher algorithm developed by Korean
   cryptographers in 2003. It is an iterated block cipher with 128-,
   192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16
   rounds, depending on the key size. It is secure and suitable for most
   software and hardware implementations on 32-bit and 8-bit processors.
   It was established as a Korean standard block cipher algorithm in
   2004 [ARIAKS] and has been widely used in Korea, especially for
   government-to-public services. It was included in PKCS #11 in 2007
   [ARIAPKCS].

2. Algorithm Description

   The algorithm consists of a key scheduling part and a data
   randomizing part.

2.1. Notations

   The following notations are used in this document to describe the
   algorithm.

   ^     bitwise XOR operation.
   <<<   left circular rotation.
   >>>   right circular rotation.
   ||    concatenation of bit strings.
   0x    hexadecimal representation.

2.2. Key Scheduling Part

   Let K denote a master key of 128, 192 or 256 bits. Given the master
   key K, we first define 128-bit values KL and KR as follows.

      KL || KR = K || 0 ... 0,

   where the number of zeros is 128, 64 or 0, depending on the size of K.
   That is, KL is set to the leftmost 128 bits of K and KR is set to the
   remaining bits of K (if any), right-padded with zeros to a 128-bit
   value.
   Then, we define four 128-bit values W0, W1, W2 and W3 as the
   intermediate round values appearing in the encryption of KL || KR by
   a 3-round 256-bit Feistel cipher.

      W0 = KL,
      W1 = FO(W0, CK1) ^ KR,
      W2 = FE(W1, CK2) ^ W0,
      W3 = FO(W2, CK3) ^ W1.

   Here, FO and FE, respectively called odd and even round functions,
   are defined in Section 2.4.1. CK1, CK2 and CK3 are 128-bit constants,
   taking one of the following values.

      C1 = 0x517cc1b727220a94fe13abe8fa9a6ee0
      C2 = 0x6db14acc9e21c820ff28b1d5ef5de2b0
      C3 = 0xdb92371d2126e9700324977504e8c90e

   These values are obtained from the first 128*3 bits of the fractional
   part of 1/PI, where PI is the circle ratio. Now the constants CK1,
   CK2, and CK3 are defined by the following table.

      Key size   CK1   CK2   CK3
      128        C1    C2    C3
      192        C2    C3    C1
      256        C3    C1    C2

   For example, if the key size is 192 bits, CK1 = C2, CK2 = C3 and
   CK3 = C1.

   Once W0, W1, W2 and W3 are determined, we compute encryption round
   keys ek1,...,ek17 as follows.

      ek1  = W0 ^ (W1 >>> 19),
      ek2  = W1 ^ (W2 >>> 19),
      ek3  = W2 ^ (W3 >>> 19),
      ek4  = (W0 >>> 19) ^ W3,
      ek5  = W0 ^ (W1 >>> 31),
      ek6  = W1 ^ (W2 >>> 31),
      ek7  = W2 ^ (W3 >>> 31),
      ek8  = (W0 >>> 31) ^ W3,
      ek9  = W0 ^ (W1 <<< 61),
      ek10 = W1 ^ (W2 <<< 61),
      ek11 = W2 ^ (W3 <<< 61),
      ek12 = (W0 <<< 61) ^ W3,
      ek13 = W0 ^ (W1 <<< 31),
      ek14 = W1 ^ (W2 <<< 31),
      ek15 = W2 ^ (W3 <<< 31),
      ek16 = (W0 <<< 31) ^ W3,
      ek17 = W0 ^ (W1 <<< 19).

   The number of rounds depends on the size of the master key as follows.

      Key size   Number of Rounds
      128        12
      192        14
      256        16

   Due to an extra key addition layer in the last round, 12-, 14-, and
   16-round algorithms require 13, 15, and 17 round keys, respectively.

   Decryption round keys are derived from the encryption round keys.

      dk1     = ek{n+1},
      dk2     = A(ek{n}),
      dk3     = A(ek{n-1}),
      ...,
      dk{n}   = A(ek2),
      dk{n+1} = ek1.
   Here, A and n denote the diffusion layer of ARIA and the number of
   rounds, respectively. The diffusion layer A is defined in Section
   2.4.3.

2.3. Data Randomizing Part

   The data randomizing part of the ARIA algorithm consists of the
   encryption and decryption processes. The encryption and decryption
   processes use functions FO, FE, A, SL1, and SL2. These functions are
   defined in Section 2.4.

2.3.1. Encryption Process

2.3.1.1. Encryption for 128-bit keys

   Let P be a 128-bit plaintext and K be a 128-bit master key. Let
   ek1,..., ek13 be the encryption round keys defined by K. Then the
   ciphertext C is computed by the following algorithm.

      P1  = FO(P  , ek1 );          // Round 1
      P2  = FE(P1 , ek2 );          // Round 2
      P3  = FO(P2 , ek3 );          // Round 3
      P4  = FE(P3 , ek4 );          // Round 4
      P5  = FO(P4 , ek5 );          // Round 5
      P6  = FE(P5 , ek6 );          // Round 6
      P7  = FO(P6 , ek7 );          // Round 7
      P8  = FE(P7 , ek8 );          // Round 8
      P9  = FO(P8 , ek9 );          // Round 9
      P10 = FE(P9 , ek10);          // Round 10
      P11 = FO(P10, ek11);          // Round 11
      C   = SL2(P11 ^ ek12) ^ ek13; // Round 12

2.3.1.2. Encryption for 192-bit keys

   Let P be a 128-bit plaintext and K be a 192-bit master key. Let
   ek1,..., ek15 be the encryption round keys defined by K. Then the
   ciphertext C is computed by the following algorithm.

      P1  = FO(P  , ek1 );          // Round 1
      P2  = FE(P1 , ek2 );          // Round 2
      P3  = FO(P2 , ek3 );          // Round 3
      P4  = FE(P3 , ek4 );          // Round 4
      P5  = FO(P4 , ek5 );          // Round 5
      P6  = FE(P5 , ek6 );          // Round 6
      P7  = FO(P6 , ek7 );          // Round 7
      P8  = FE(P7 , ek8 );          // Round 8
      P9  = FO(P8 , ek9 );          // Round 9
      P10 = FE(P9 , ek10);          // Round 10
      P11 = FO(P10, ek11);          // Round 11
      P12 = FE(P11, ek12);          // Round 12
      P13 = FO(P12, ek13);          // Round 13
      C   = SL2(P13 ^ ek14) ^ ek15; // Round 14

2.3.1.3. Encryption for 256-bit keys

   Let P be a 128-bit plaintext and K be a 256-bit master key.
   Let ek1,..., ek17 be the encryption round keys defined by K. Then the
   ciphertext C is computed by the following algorithm.

      P1  = FO(P  , ek1 );          // Round 1
      P2  = FE(P1 , ek2 );          // Round 2
      P3  = FO(P2 , ek3 );          // Round 3
      P4  = FE(P3 , ek4 );          // Round 4
      P5  = FO(P4 , ek5 );          // Round 5
      P6  = FE(P5 , ek6 );          // Round 6
      P7  = FO(P6 , ek7 );          // Round 7
      P8  = FE(P7 , ek8 );          // Round 8
      P9  = FO(P8 , ek9 );          // Round 9
      P10 = FE(P9 , ek10);          // Round 10
      P11 = FO(P10, ek11);          // Round 11
      P12 = FE(P11, ek12);          // Round 12
      P13 = FO(P12, ek13);          // Round 13
      P14 = FE(P13, ek14);          // Round 14
      P15 = FO(P14, ek15);          // Round 15
      C   = SL2(P15 ^ ek16) ^ ek17; // Round 16

2.3.2. Decryption Process

   The decryption process of ARIA is the same as the encryption process
   except that encryption round keys are replaced by decryption round
   keys. For example, encryption round keys ek1,..., ek13 of the 12-
   round ARIA algorithm are replaced by decryption round keys dk1,...,
   dk13, respectively.

2.4. Components of ARIA

2.4.1. Round Functions

   There are two types of round functions for ARIA. One is called an odd
   round function, and denoted FO. It takes as input a pair (D,RK) of
   two 128-bit strings and outputs

      FO(D,RK) = A(SL1(D ^ RK)).

   The other is called an even round function, and denoted FE. It takes
   as input a pair (D,RK) of two 128-bit strings and outputs

      FE(D,RK) = A(SL2(D ^ RK)).

   Functions SL1 and SL2, called substitution layers, are described in
   Section 2.4.2. Function A, called a diffusion layer, is described in
   Section 2.4.3.

2.4.2. Substitution Layers

   ARIA has two types of substitution layers which alternate between
   rounds. Type 1 is used in the odd rounds, and type 2 in the even
   rounds.
   Type 1 substitution layer SL1 is an algorithm which takes as input a
   16-byte string x0 || x1 ||...|| x15 and outputs a 16-byte string
   y0 || y1 ||...|| y15 as follows.

      y0 = SB1(x0),   y1 = SB2(x1),   y2 = SB3(x2),   y3 = SB4(x3),
      y4 = SB1(x4),   y5 = SB2(x5),   y6 = SB3(x6),   y7 = SB4(x7),
      y8 = SB1(x8),   y9 = SB2(x9),   y10= SB3(x10),  y11= SB4(x11),
      y12= SB1(x12),  y13= SB2(x13),  y14= SB3(x14),  y15= SB4(x15).

   Type 2 substitution layer SL2 is an algorithm which takes as input a
   16-byte string x0 || x1 ||...|| x15 and outputs a 16-byte string
   y0 || y1 ||...|| y15 as follows.

      y0 = SB3(x0),   y1 = SB4(x1),   y2 = SB1(x2),   y3 = SB2(x3),
      y4 = SB3(x4),   y5 = SB4(x5),   y6 = SB1(x6),   y7 = SB2(x7),
      y8 = SB3(x8),   y9 = SB4(x9),   y10= SB1(x10),  y11= SB2(x11),
      y12= SB3(x12),  y13= SB4(x13),  y14= SB1(x14),  y15= SB2(x15).

   Here, SB1, SB2, SB3, and SB4 are S-boxes which take as input an 8-bit
   string and output an 8-bit string. These S-boxes are defined by the
   following look-up tables.
   SB1:
         0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
      00 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
      10 ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
      20 b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
      30 04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
      40 09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
      50 53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
      60 d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
      70 51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
      80 cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
      90 60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
      a0 e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
      b0 e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
      c0 ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
      d0 70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
      e0 e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
      f0 8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

   SB2:
         0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
      00 e2 4e 54 fc 94 c2 4a cc 62 0d 6a 46 3c 4d 8b d1
      10 5e fa 64 cb b4 97 be 2b bc 77 2e 03 d3 19 59 c1
      20 1d 06 41 6b 55 f0 99 69 ea 9c 18 ae 63 df e7 bb
      30 00 73 66 fb 96 4c 85 e4 3a 09 45 aa 0f ee 10 eb
      40 2d 7f f4 29 ac cf ad 91 8d 78 c8 95 f9 2f ce cd
      50 08 7a 88 38 5c 83 2a 28 47 db b8 c7 93 a4 12 53
      60 ff 87 0e 31 36 21 58 48 01 8e 37 74 32 ca e9 b1
      70 b7 ab 0c d7 c4 56 42 26 07 98 60 d9 b6 b9 11 40
      80 ec 20 8c bd a0 c9 84 04 49 23 f1 4f 50 1f 13 dc
      90 d8 c0 9e 57 e3 c3 7b 65 3b 02 8f 3e e8 25 92 e5
      a0 15 dd fd 17 a9 bf d4 9a 7e c5 39 67 fe 76 9d 43
      b0 a7 e1 d0 f5 68 f2 1b 34 70 05 a3 8a d5 79 86 a8
      c0 30 c6 51 4b 1e a6 27 f6 35 d2 6e 24 16 82 5f da
      d0 e6 75 a2 ef 2c b2 1c 9f 5d 6f 80 0a 72 44 9b 6c
      e0 90 0b 5b 33 7d 5a 52 f3 61 a1 f7 b0 d6 3f 7c 6d
      f0 ed 14 e0 a5 3d 22 b3 f8 89 de 71 1a af ba b5 81

   SB3:
         0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
      00 52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb
      10 7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb
      20 54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e
      30 08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25
      40 72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92
      50 6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84
      60 90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06
      70 d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b
      80 3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73
      90 96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e
      a0 47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b
      b0 fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4
      c0 1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f
      d0 60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef
      e0 a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61
      f0 17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d

   SB4:
         0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
      00 30 68 99 1b 87 b9 21 78 50 39 db e1 72 09 62 3c
      10 3e 7e 5e 8e f1 a0 cc a3 2a 1d fb b6 d6 20 c4 8d
      20 81 65 f5 89 cb 9d 77 c6 57 43 56 17 d4 40 1a 4d
      30 c0 63 6c e3 b7 c8 64 6a 53 aa 38 98 0c f4 9b ed
      40 7f 22 76 af dd 3a 0b 58 67 88 06 c3 35 0d 01 8b
      50 8c c2 e6 5f 02 24 75 93 66 1e e5 e2 54 d8 10 ce
      60 7a e8 08 2c 12 97 32 ab b4 27 0a 23 df ef ca d9
      70 b8 fa dc 31 6b d1 ad 19 49 bd 51 96 ee e4 a8 41
      80 da ff cd 55 86 36 be 61 52 f8 bb 0e 82 48 69 9a
      90 e0 47 9e 5c 04 4b 34 15 79 26 a7 de 29 ae 92 d7
      a0 84 e9 d2 ba 5d f3 c5 b0 bf a4 3b 71 44 46 2b fc
      b0 eb 6f d5 f6 14 fe 7c 70 5a 7d fd 2f 18 83 16 a5
      c0 91 1f 05 95 74 a9 c1 5b 4a 85 6d 13 07 4f 4e 45
      d0 b2 0f c9 1c a6 bc ec 73 90 7b cf 59 8f a1 f9 2d
      e0 f2 b1 00 94 37 9f d0 2e 9c 6e 28 3f 80 f0 3d d3
      f0 25 8a b5 e7 42 b3 c7 ea f7 4c 11 33 03 a2 ac 60

   For example, SB1(0x23) = 0x26 and SB4(0xef) = 0xd3. Note that SB3 and
   SB4 are the inverse functions of SB1 and SB2, respectively, and
   accordingly SL2 is the inverse of SL1.

2.4.3. Diffusion Layer

   Diffusion layer A is an algorithm which takes as input a 16-byte
   string x0 || x1 || ... || x15 and outputs a 16-byte string y0 || y1
   ||...|| y15 by the following equations.

      y0  = x3 ^ x4 ^ x6 ^ x8 ^ x9 ^ x13 ^ x14,
      y1  = x2 ^ x5 ^ x7 ^ x8 ^ x9 ^ x12 ^ x15,
      y2  = x1 ^ x4 ^ x6 ^ x10 ^ x11 ^ x12 ^ x15,
      y3  = x0 ^ x5 ^ x7 ^ x10 ^ x11 ^ x13 ^ x14,
      y4  = x0 ^ x2 ^ x5 ^ x8 ^ x11 ^ x14 ^ x15,
      y5  = x1 ^ x3 ^ x4 ^ x9 ^ x10 ^ x14 ^ x15,
      y6  = x0 ^ x2 ^ x7 ^ x9 ^ x10 ^ x12 ^ x13,
      y7  = x1 ^ x3 ^ x6 ^ x8 ^ x11 ^ x12 ^ x13,
      y8  = x0 ^ x1 ^ x4 ^ x7 ^ x10 ^ x13 ^ x15,
      y9  = x0 ^ x1 ^ x5 ^ x6 ^ x11 ^ x12 ^ x14,
      y10 = x2 ^ x3 ^ x5 ^ x6 ^ x8 ^ x13 ^ x15,
      y11 = x2 ^ x3 ^ x4 ^ x7 ^ x9 ^ x12 ^ x14,
      y12 = x1 ^ x2 ^ x6 ^ x7 ^ x9 ^ x11 ^ x12,
      y13 = x0 ^ x3 ^ x6 ^ x7 ^ x8 ^ x10 ^ x13,
      y14 = x0 ^ x3 ^ x4 ^ x5 ^ x9 ^ x11 ^ x14,
      y15 = x1 ^ x2 ^ x4 ^ x5 ^ x8 ^ x10 ^ x15.

   Note that A is an involution. That is, for any 16-byte input string x,
   x = A(A(x)) holds.

3. Security Considerations

   ARIA is designed to be resistant to all known attacks on block
   ciphers [ARIA03]. Its security was analyzed by the COSIC group of
   K.U.Leuven in Belgium [ARIAEVAL] and no security flaw has been found.

4. Informative References

   [ARIAEVAL]  A. Biryukov et al., "Security and Performance Analysis of
               ARIA", K.U.Leuven (2003), available at
               http://www.cosic.esat.kuleuven.be/publications/article-
               500.pdf

   [ARIA03]    D. Kwon et al., "New Block Cipher: ARIA", ICISC 2003,
               pp. 432-445.

   [ARIAKS]    Korean Agency for Technology and Standards (KATS), "128
               bit block encryption algorithm ARIA", KS X 1213:2004,
               December 2004 (In Korean)

   [ARIAPKCS]  RSA Laboratories, PKCS #11 v2.20 Amendment 3 Revision 1:
               Additional PKCS #11 Mechanisms, January 2007.
   [X.680]     ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002,
               Information technology - Abstract Syntax Notation One
               (ASN.1): Specification of basic notation.

   [X.681]     ITU-T Recommendation X.681 (2002) | ISO/IEC 8824-2:2002,
               Information technology - Abstract Syntax Notation One
               (ASN.1): Information object specification.

   [X.682]     ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-3:2002,
               Information technology - Abstract Syntax Notation One
               (ASN.1): Constraint specification.

   [X.683]     ITU-T Recommendation X.683 (2002) | ISO/IEC 8824-4:2002,
               Information technology - Abstract Syntax Notation One
               (ASN.1): Parameterization of ASN.1 specifications.

Appendix A. Example Data of ARIA

   Here are test data for ARIA in hexadecimal form.

A.1. 128-bit key

   - Key       : 000102030405060708090a0b0c0d0e0f
   - Plaintext : 00112233445566778899aabbccddeeff
   - Ciphertext: d718fbd6ab644c739da95f3be6451778

   - Round key generators
     W0:  000102030405060708090a0b0c0d0e0f
     W1:  2afbea741e1746dd55c63ba1afcea0a5
     W2:  7c8578018bb127e02dfe4e78c288e33c
     W3:  6785b52b74da46bf181054082763ff6d

   - Encryption round keys
     e1:  d415a75c794b85c5e0d2a0b3cb793bf6
     e2:  369c65e4b11777ab713a3e1e6601b8f4
     e3:  0368d4f13d14497b6529ad7ac809e7d0
     e4:  c644552b549a263fb8d0b50906229eec
     e5:  5f9c434951f2d2ef342787b1a781794c
     e6:  afea2c0ce71db6de42a47461f4323c54
     e7:  324286db44ba4db6c44ac306f2a84b2c
     e8:  7f9fa93574d842b9101a58063771eb7b
     e9:  aab9c57731fcd213ad5677458fcfe6d4
     e10: 2f4423bb06465abada5694a19eb88459
     e11: 9f8772808f5d580d810ef8ddac13abeb
     e12: 8684946a155be77ef810744847e35fad
     e13: 0f0aa16daee61bd7dfee5a599970fb35

   - Intermediate round values
     P1:  7fc7f12befd0a0791de87fa96b469f52
     P2:  ac8de17e49f7c5117618993162b189e9
     P3:  c3e8d59ec2e62d5249ca2741653cb7dd
     P4:  5d4aebb165e141ff759f669e1e85cc45
     P5:  7806e469f68874c5004b5f4a046bbcfa
     P6:  110f93c9a630cdd51f97d2202413345a
     P7:  e054428ef088fef97928241cd3be499e
     P8:  5734f38ea1ca3ddd102e71f95e1d5f97
     P9:  4903325be3e500cccd52fba4354a39ae
     P10: cb8c508e2c4f87880639dc896d25ec9d
     P11: e7e0d2457ed73d23d481424095afdca0

A.2. 192-bit key

   Key       : 000102030405060708090a0b0c0d0e0f
               1011121314151617
   Plaintext : 00112233445566778899aabbccddeeff
   Ciphertext: 26449c1805dbe7aa25a468ce263a9e79

A.3. 256-bit key

   Key       : 000102030405060708090a0b0c0d0e0f
               101112131415161718191a1b1c1d1e1f
   Plaintext : 00112233445566778899aabbccddeeff
   Ciphertext: f92bd7c79fb72e2f2b8f80c1972d24fc

Appendix B. OIDs

   AriaModesOfOperation {
      iso(1) member-body(2) korea(400) nsri(200046) algorithm (1)
      symmetric-encryption-algorithm(1) asn1-module(0) alg-oids(0) }

   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN

   OID ::= OBJECT IDENTIFIER

   -- Synonyms --

   id-algorithm OID ::= { iso(1) member-body(2) korea(410) nsri(200046)
                          algorithm(1)}
   id-sea OID ::= { id-algorithm symmetric-encryption-algorithm(1)}
   id-pad OID ::= { id-algorithm pad(2)}

   id-pad-null RELATIVE-OID ::= {0} -- no padding algorithms identified
   id-pad-1    RELATIVE-OID ::= {1}
                          -- padding method 2 of ISO/IEC 9797-1:1999

   -- confidentiality modes:
   -- ECB, CBC, CFB, OFB, CTR

   id-aria128-ecb OID ::= { id-sea aria128-ecb(1)}
   id-aria128-cbc OID ::= { id-sea aria128-cbc(2)}
   id-aria128-cfb OID ::= { id-sea aria128-cfb(3)}
   id-aria128-ofb OID ::= { id-sea aria128-ofb(4)}
   id-aria128-ctr OID ::= { id-sea aria128-ctr(5)}

   id-aria192-ecb OID ::= { id-sea aria192-ecb(6)}
   id-aria192-cbc OID ::= { id-sea aria192-cbc(7)}
   id-aria192-cfb OID ::= { id-sea aria192-cfb(8)}
   id-aria192-ofb OID ::= { id-sea aria192-ofb(9)}
   id-aria192-ctr OID ::= { id-sea aria192-ctr(10)}

   id-aria256-ecb OID ::= { id-sea aria256-ecb(11)}
   id-aria256-cbc OID ::= { id-sea aria256-cbc(12)}
   id-aria256-cfb OID ::= { id-sea aria256-cfb(13)}
   id-aria256-ofb OID ::= { id-sea aria256-ofb(14)}
   id-aria256-ctr OID ::= { id-sea aria256-ctr(15)}

   -- authentication modes: CMAC

   id-aria128-cmac OID ::= { id-sea aria128-cmac(21)}
   id-aria192-cmac OID ::= { id-sea aria192-cmac(22)}
   id-aria256-cmac OID ::= { id-sea aria256-cmac(23)}

   -- modes for both confidentiality and authentication
   -- OCB 2.0, GCM, CCM, Key Wrap

   id-aria128-ocb2 OID ::= { id-sea aria128-ocb2(31)}
   id-aria192-ocb2 OID ::= { id-sea aria192-ocb2(32)}
   id-aria256-ocb2 OID ::= { id-sea aria256-ocb2(33)}

   id-aria128-gcm OID ::= { id-sea aria128-gcm(34)}
   id-aria192-gcm OID ::= { id-sea aria192-gcm(35)}
   id-aria256-gcm OID ::= { id-sea aria256-gcm(36)}

   id-aria128-ccm OID ::= { id-sea aria128-ccm(37)}
   id-aria192-ccm OID ::= { id-sea aria192-ccm(38)}
   id-aria256-ccm OID ::= { id-sea aria256-ccm(39)}

   id-aria128-kw OID ::= { id-sea aria128-kw(40)}
   id-aria192-kw OID ::= { id-sea aria192-kw(41)}
   id-aria256-kw OID ::= { id-sea aria256-kw(42)}

   -- ARIA Key-Wrap with Padding Algorithm (AES version: RFC 5649)

   id-aria128-kwp OID ::= { id-sea aria128-kwp(43)}
   id-aria192-kwp OID ::= { id-sea aria192-kwp(44)}
   id-aria256-kwp OID ::= { id-sea aria256-kwp(45)}

   AriaModeOfOperation ::= AlgorithmIdentifier
                           { {AriaModeOfOperationAlgorithms} }

   AriaModeOfOperationAlgorithms ALGORITHM ::= {
      aria128ecb  |aria128cbc  |aria128cfb  |aria128ofb  |aria128ctr |
      aria192ecb  |aria192cbc  |aria192cfb  |aria192ofb  |aria192ctr |
      aria256ecb  |aria256cbc  |aria256cfb  |aria256ofb  |aria256ctr |
      aria128cmac |aria192cmac |aria256cmac |
      aria128ocb2 |aria192ocb2 |aria256ocb2 |
      aria128gcm  |aria192gcm  |aria256gcm  |
      aria128ccm  |aria192ccm  |aria256ccm  |
      aria128kw   |aria192kw   |aria256kw   |
      aria128kwp  |aria192kwp  |aria256kwp  ,
      ...
      -- Extensible
   }

   aria128ecb ALGORITHM ::=
      { OID id-aria128-ecb PARAMS AriaEcbParameters }
   aria128cbc ALGORITHM ::=
      { OID id-aria128-cbc PARAMS AriaCbcParameters }
   aria128cfb ALGORITHM ::=
      { OID id-aria128-cfb PARAMS AriaCfbParameters }
   aria128ofb ALGORITHM ::=
      { OID id-aria128-ofb PARAMS AriaOfbParameters }
   aria128ctr ALGORITHM ::=
      { OID id-aria128-ctr PARAMS AriaCtrParameters }

   aria192ecb ALGORITHM ::=
      { OID id-aria192-ecb PARAMS AriaEcbParameters }
   aria192cbc ALGORITHM ::=
      { OID id-aria192-cbc PARAMS AriaCbcParameters }
   aria192cfb ALGORITHM ::=
      { OID id-aria192-cfb PARAMS AriaCfbParameters }
   aria192ofb ALGORITHM ::=
      { OID id-aria192-ofb PARAMS AriaOfbParameters }
   aria192ctr ALGORITHM ::=
      { OID id-aria192-ctr PARAMS AriaCtrParameters }

   aria256ecb ALGORITHM ::=
      { OID id-aria256-ecb PARAMS AriaEcbParameters }
   aria256cbc ALGORITHM ::=
      { OID id-aria256-cbc PARAMS AriaCbcParameters }
   aria256cfb ALGORITHM ::=
      { OID id-aria256-cfb PARAMS AriaCfbParameters }
   aria256ofb ALGORITHM ::=
      { OID id-aria256-ofb PARAMS AriaOfbParameters }
   aria256ctr ALGORITHM ::=
      { OID id-aria256-ctr PARAMS AriaCtrParameters }

   aria128cmac ALGORITHM ::=
      { OID id-aria128-cmac PARAMS AriaCmacParameters }
   aria192cmac ALGORITHM ::=
      { OID id-aria192-cmac PARAMS AriaCmacParameters }
   aria256cmac ALGORITHM ::=
      { OID id-aria256-cmac PARAMS AriaCmacParameters }

   aria128ocb2 ALGORITHM ::=
      { OID id-aria128-ocb2 PARAMS AriaOcb2Parameters }
   aria192ocb2 ALGORITHM ::=
      { OID id-aria192-ocb2 PARAMS AriaOcb2Parameters }
   aria256ocb2 ALGORITHM ::=
      { OID id-aria256-ocb2 PARAMS AriaOcb2Parameters }

   aria128gcm ALGORITHM ::=
      { OID id-aria128-gcm PARAMS AriaGcmParameters }
   aria192gcm ALGORITHM ::=
      { OID id-aria192-gcm PARAMS AriaGcmParameters }
   aria256gcm ALGORITHM ::=
      { OID id-aria256-gcm PARAMS AriaGcmParameters }

   aria128ccm ALGORITHM ::=
      { OID id-aria128-ccm PARAMS AriaCcmParameters }
   aria192ccm ALGORITHM ::=
      { OID id-aria192-ccm PARAMS AriaCcmParameters }
   aria256ccm ALGORITHM ::=
      { OID id-aria256-ccm PARAMS AriaCcmParameters }

   aria128kw  ALGORITHM ::= { OID id-aria128-kw }
   aria192kw  ALGORITHM ::= { OID id-aria192-kw }
   aria256kw  ALGORITHM ::= { OID id-aria256-kw }
   aria128kwp ALGORITHM ::= { OID id-aria128-kwp }
   aria192kwp ALGORITHM ::= { OID id-aria192-kwp }
   aria256kwp ALGORITHM ::= { OID id-aria256-kwp }

   AriaPadAlgo ::= CHOICE {
      specifiedPadAlgo RELATIVE-OID,
      generalPadAlgo   OID
   }

   AriaEcbParameters ::= SEQUENCE {
      padAlgo AriaPadAlgo DEFAULT specifiedPadAlgo:id-pad-null
   }

   AriaCbcParameters ::= SEQUENCE {
      m INTEGER DEFAULT 1,
         -- number of stored ciphertext blocks
      padAlgo AriaPadAlgo DEFAULT specifiedPadAlgo:id-pad-1
   }

   AriaCfbParameters ::= SEQUENCE {
      r INTEGER,
         -- bit-length of feedback buffer, 128<=r<=128*1024
      k INTEGER,
         -- bit-length of feedback variable, 1<=k<=128
      j INTEGER,
         -- bit-length of plaintext/ciphertext block, 1<=j<=k
      padAlgo AriaPadAlgo DEFAULT specifiedPadAlgo:id-pad-null
   }

   AriaOfbParameters ::= SEQUENCE {
      j INTEGER,
         -- bit-length of plaintext/ciphertext block, 1<=j<=128
      padAlgo AriaPadAlgo DEFAULT specifiedPadAlgo:id-pad-null
   }

   AriaCtrParameters ::= SEQUENCE {
      j INTEGER,
         -- bit-length of plaintext/ciphertext block, 1<=j<=128
      padAlgo AriaPadAlgo DEFAULT specifiedPadAlgo:id-pad-null
   }

   AriaCmacParameters ::= INTEGER -- bit-length of authentication tag

   AriaOcb2Parameters ::= INTEGER -- bit-length of authentication tag

   AriaGcmParameters ::= SEQUENCE {
      s INTEGER, -- bit-length of starting variable
      t INTEGER  -- bit-length of authentication tag
   }

   AriaCcmParameters ::= SEQUENCE {
      w INTEGER (2|3|4|5|6|7|8),
         -- length of message length field in octets
      t INTEGER (32|48|64|80|96|112|128)
         -- bit-length of authentication tag
   }

   ALGORITHM ::= CLASS {
      &id    OBJECT IDENTIFIER UNIQUE,
      &Type  OPTIONAL
   }
   WITH SYNTAX { OID &id [PARAMS &Type] }

   AlgorithmIdentifier { ALGORITHM:AlgoSet } ::= SEQUENCE {
      algorithm  ALGORITHM.&id( {AlgoSet} ),
      parameters ALGORITHM.&Type( {AlgoSet}{@algorithm} ) OPTIONAL
   }

   END

Authors' Addresses

   Jungkeun Lee
   National Security Research Institute
   P.O.Box 1, Yuseong, Daejeon, 305-350, Korea

   Email: jklee@ensec.re.kr

   Jooyoung Lee
   National Security Research Institute
   P.O.Box 1, Yuseong, Daejeon, 305-350, Korea

   Email: jlee05@ensec.re.kr

   Jaeheon Kim
   National Security Research Institute
   P.O.Box 1, Yuseong, Daejeon, 305-350, Korea

   Email: jaeheon@ensec.re.kr

   Daesung Kwon
   National Security Research Institute
   P.O.Box 1, Yuseong, Daejeon, 305-350, Korea

   Email: ds_kwon@ensec.re.kr

   Choonsoo Kim
   National Security Research Institute
   P.O.Box 1, Yuseong, Daejeon, 305-350, Korea

   Email: jbr@ensec.re.kr
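A worked check of the round-key derivation in Section 2.2 and the diffusion layer A of Section 2.4.3 against the Appendix A.1 test data, as an added Python example that is not code from this draft or from NSRI: it derives ek1..ek13 from the listed W0..W3 and compares them with e1..e13, builds the decryption round keys with A, verifies that A is an involution, and also computes the branch number of A, a property the draft itself does not state.

```python
"""Check of the ARIA round-key derivation (Section 2.2) and the diffusion
layer A (Section 2.4.3) against the Appendix A.1 test data.

Added example; not code from the draft or from NSRI.  The W and e values
below are copied from Appendix A.1 of the draft."""

MASK128 = (1 << 128) - 1


def rotr(x: int, n: int) -> int:
    """Right circular rotation (>>>) of a 128-bit value."""
    n %= 128
    return ((x >> n) | (x << (128 - n))) & MASK128


def rotl(x: int, n: int) -> int:
    """Left circular rotation (<<<) of a 128-bit value."""
    return rotr(x, (128 - n) % 128)


# Diffusion layer A (Section 2.4.3): output byte y_i is the XOR of the
# input bytes whose indices appear in row i.
A_ROWS = [
    (3, 4, 6, 8, 9, 13, 14), (2, 5, 7, 8, 9, 12, 15),
    (1, 4, 6, 10, 11, 12, 15), (0, 5, 7, 10, 11, 13, 14),
    (0, 2, 5, 8, 11, 14, 15), (1, 3, 4, 9, 10, 14, 15),
    (0, 2, 7, 9, 10, 12, 13), (1, 3, 6, 8, 11, 12, 13),
    (0, 1, 4, 7, 10, 13, 15), (0, 1, 5, 6, 11, 12, 14),
    (2, 3, 5, 6, 8, 13, 15), (2, 3, 4, 7, 9, 12, 14),
    (1, 2, 6, 7, 9, 11, 12), (0, 3, 6, 7, 8, 10, 13),
    (0, 3, 4, 5, 9, 11, 14), (1, 2, 4, 5, 8, 10, 15),
]


def diffusion_a(block: bytes) -> bytes:
    """Apply A to a 16-byte block."""
    assert len(block) == 16
    out = bytearray(16)
    for i, row in enumerate(A_ROWS):
        for j in row:
            out[i] ^= block[j]
    return bytes(out)


def branch_number() -> int:
    """Byte-wise branch number of A by exhaustive search over bit slices.

    A has 0/1 coefficients, so every bit position of a block is mapped by
    the same 16x16 binary matrix; the minimum of (input weight + output
    weight) is reached on a single non-zero 16-bit slice, so 2^16 - 1
    candidates suffice.  (The draft does not state this value.)
    """
    masks = [sum(1 << j for j in row) for row in A_ROWS]
    best = 17
    for x in range(1, 1 << 16):
        weight = bin(x).count("1")
        for m in masks:
            weight += bin(m & x).count("1") & 1  # parity = output bit
        best = min(best, weight)
    return best


def encryption_round_keys(w0: int, w1: int, w2: int, w3: int) -> list:
    """ek1..ek17 of Section 2.2 from the round key generators W0..W3."""
    w = [w0, w1, w2, w3]
    rotations = [(rotr, 19), (rotr, 31), (rotl, 61), (rotl, 31)]
    ek = [w[i] ^ rot(w[(i + 1) % 4], n) for rot, n in rotations
          for i in range(4)]
    ek.append(w0 ^ rotl(w1, 19))  # ek17
    return ek


def decryption_round_keys(ek: list, rounds: int) -> list:
    """dk1..dk{n+1}: ek in reverse order, A applied to the inner keys."""
    inner = [int.from_bytes(diffusion_a(k.to_bytes(16, "big")), "big")
             for k in ek[rounds - 1:0:-1]]  # A(ek_n), ..., A(ek_2)
    return [ek[rounds]] + inner + [ek[0]]


W_A1 = [int(h, 16) for h in (
    "000102030405060708090a0b0c0d0e0f", "2afbea741e1746dd55c63ba1afcea0a5",
    "7c8578018bb127e02dfe4e78c288e33c", "6785b52b74da46bf181054082763ff6d")]
EK_A1 = [
    "d415a75c794b85c5e0d2a0b3cb793bf6", "369c65e4b11777ab713a3e1e6601b8f4",
    "0368d4f13d14497b6529ad7ac809e7d0", "c644552b549a263fb8d0b50906229eec",
    "5f9c434951f2d2ef342787b1a781794c", "afea2c0ce71db6de42a47461f4323c54",
    "324286db44ba4db6c44ac306f2a84b2c", "7f9fa93574d842b9101a58063771eb7b",
    "aab9c57731fcd213ad5677458fcfe6d4", "2f4423bb06465abada5694a19eb88459",
    "9f8772808f5d580d810ef8ddac13abeb", "8684946a155be77ef810744847e35fad",
    "0f0aa16daee61bd7dfee5a599970fb35"]


def check_a1() -> bool:
    """True if ek1..ek13 derived from W0..W3 equal e1..e13 of A.1."""
    ek = encryption_round_keys(*W_A1)
    return [f"{k:032x}" for k in ek[:13]] == EK_A1


if __name__ == "__main__":
    print("A.1 round keys reproduced:", check_a1())
    print("A(A(x)) == x on a sample block:",
          diffusion_a(diffusion_a(bytes(range(16)))) == bytes(range(16)))
    print("branch number of A:", branch_number())
```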