summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc5794.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc5794.txt')
-rw-r--r--doc/rfc/rfc5794.txt1011
1 files changed, 1011 insertions, 0 deletions
diff --git a/doc/rfc/rfc5794.txt b/doc/rfc/rfc5794.txt
new file mode 100644
index 0000000..8e0a327
--- /dev/null
+++ b/doc/rfc/rfc5794.txt
@@ -0,0 +1,1011 @@
+
+
+
+
+
+
+Independent Submission J. Lee
+Request for Comments: 5794 J. Lee
+Category: Informational J. Kim
+ISSN: 2070-1721 D. Kwon
+ C. Kim
+ NSRI
+ March 2010
+
+
+ A Description of the ARIA Encryption Algorithm
+
+Abstract
+
+ This document describes the ARIA encryption algorithm. ARIA is a
+ 128-bit block cipher with 128-, 192-, and 256-bit keys. The
+ algorithm consists of a key scheduling part and data randomizing
+ part.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This is a contribution to the RFC Series, independently of any other
+ RFC stream. The RFC Editor has chosen to publish this document at
+ its discretion and makes no statement about its value for
+ implementation or deployment. Documents approved for publication by
+ the RFC Editor are not a candidate for any level of Internet
+ Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc5794.
+
+Copyright Notice
+
+ Copyright (c) 2010 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document.
+
+
+
+
+
+
+Lee, et al. Informational [Page 1]
+
+RFC 5794 The ARIA Encryption Algorithm March 2010
+
+
+1. Introduction
+
+1.1. ARIA Overview
+
+ ARIA is a general-purpose block cipher algorithm developed by Korean
+ cryptographers in 2003. It is an iterated block cipher with 128-,
+ 192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16
+ rounds, depending on the key size. It is secure and suitable for
+ most software and hardware implementations on 32-bit and 8-bit
+ processors. It was established as a Korean standard block cipher
+ algorithm in 2004 [ARIAKS] and has been widely used in Korea,
+ especially for government-to-public services. It was included in
+ PKCS #11 in 2007 [ARIAPKCS].
+
+2. Algorithm Description
+
+ The algorithm consists of a key scheduling part and data randomizing
+ part.
+
+2.1. Notations
+
+ The following notations are used in this document to describe the
+ algorithm.
+
+ ^ bitwise XOR operation
+ <<< left circular rotation
+ >>> right circular rotation
+ || concatenation of bit strings
+ 0x hexadecimal representation
+
+2.2. Key Scheduling Part
+
+ Let K denote a master key of 128, 192, or 256 bits. Given the master
+ key K, we first define 128-bit values KL and KR as follows.
+
+ KL || KR = K || 0 ... 0,
+
+ where the number of zeros is 128, 64, or 0, depending on the size of
+ K. That is, KL is set to the leftmost 128 bits of K and KR is set to
+ the remaining bits of K (if any), right-padded with zeros to a
+ 128-bit value. Then, we define four 128-bit values (W0, W1, W2, and
+ W3) as the intermediate round values appearing in the encryption of
+ KL || KR by a 3-round, 256-bit Feistel cipher.
+
+ W0 = KL,
+ W1 = FO(W0, CK1) ^ KR,
+ W2 = FE(W1, CK2) ^ W0,
+ W3 = FO(W2, CK3) ^ W1.
+
+
+
+Lee, et al. Informational [Page 2]
+
+RFC 5794 The ARIA Encryption Algorithm March 2010
+
+
+ Here, FO and FE, respectively called odd and even round functions,
+ are defined in Section 2.4.1. CK1, CK2, and CK3 are 128-bit
+ constants, taking one of the following values.
+
+ C1 = 0x517cc1b727220a94fe13abe8fa9a6ee0
+ C2 = 0x6db14acc9e21c820ff28b1d5ef5de2b0
+ C3 = 0xdb92371d2126e9700324977504e8c90e
+
+ These values are obtained from the first 128*3 bits of the fractional
+ part of 1/PI, where PI is the circle ratio. Now the constants CK1,
+ CK2, and CK3 are defined by the following table.
+
+ Key size CK1 CK2 CK3
+ 128 C1 C2 C3
+ 192 C2 C3 C1
+ 256 C3 C1 C2
+
+ For example, if the key size is 192 bits, CK1 = C2, CK2 = C3, and
+ CK3 = C1.
+
+ Once W0, W1, W2, and W3 are determined, we compute encryption round
+ keys ek1, ..., ek17 as follows.
+
+ ek1 = W0 ^(W1 >>> 19),
+ ek2 = W1 ^(W2 >>> 19),
+ ek3 = W2 ^(W3 >>> 19),
+ ek4 = (W0 >>> 19) ^ W3,
+ ek5 = W0 ^ (W1 >>> 31),
+ ek6 = W1 ^ (W2 >>> 31),
+ ek7 = W2 ^ (W3 >>> 31),
+ ek8 = (W0 >>> 31) ^ W3,
+ ek9 = W0 ^ (W1 <<< 61),
+ ek10 = W1 ^ (W2 <<< 61),
+ ek11 = W2 ^ (W3 <<< 61),
+ ek12 = (W0 <<< 61) ^ W3,
+ ek13 = W0 ^ (W1 <<< 31),
+ ek14 = W1 ^ (W2 <<< 31),
+ ek15 = W2 ^ (W3 <<< 31),
+ ek16 = (W0 <<< 31) ^ W3,
+ ek17 = W0 ^ (W1 <<< 19).
+
+ The number of rounds depends on the size of the master key as
+ follows.
+
+ Key size Number of Rounds
+ 128 12
+ 192 14
+ 256 16
+
+
+
+Lee, et al. Informational [Page 3]
+
+RFC 5794 The ARIA Encryption Algorithm March 2010
+
+
+ Due to an extra key addition layer in the last round, 12-, 14-, and
+ 16-round algorithms require 13, 15, and 17 round keys, respectively.
+
+ Decryption round keys are derived from the encryption round keys.
+
+ dk1 = ek{n+1},
+ dk2 = A(ek{n}),
+ dk3 = A(ek{n-1}),
+ ...,
+ dk{n}= A(ek2),
+ dk{n+1}= ek1.
+
+ Here, A and n denote the diffusion layer of ARIA and the number of
+ rounds, respectively. The diffusion layer A is defined in Section
+ 2.4.3.
+
+2.3. Data Randomizing Part
+
+ The data randomizing part of the ARIA algorithm consists of the
+ encryption and decryption processes. The encryption and decryption
+ processes use functions FO, FE, A, SL1, and SL2. These functions are
+ defined in Section 2.4.
+
+2.3.1. Encryption Process
+
+2.3.1.1. Encryption for 128-Bit Keys
+
+ Let P be a 128-bit plaintext and K be a 128-bit master key. Let ek1,
+ ..., ek13 be the encryption round keys defined by K. Then the
+ ciphertext C is computed by the following algorithm.
+
+ P1 = FO(P , ek1 ); // Round 1
+ P2 = FE(P1 , ek2 ); // Round 2
+ P3 = FO(P2 , ek3 ); // Round 3
+ P4 = FE(P3 , ek4 ); // Round 4
+ P5 = FO(P4 , ek5 ); // Round 5
+ P6 = FE(P5 , ek6 ); // Round 6
+ P7 = FO(P6 , ek7 ); // Round 7
+ P8 = FE(P7 , ek8 ); // Round 8
+ P9 = FO(P8 , ek9 ); // Round 9
+ P10 = FE(P9 , ek10); // Round 10
+ P11 = FO(P10, ek11); // Round 11
+ C = SL2(P11 ^ ek12) ^ ek13; // Round 12
+
+
+
+
+
+
+
+
+Lee, et al. Informational [Page 4]
+
+RFC 5794 The ARIA Encryption Algorithm March 2010
+
+
+2.3.1.2. Encryption for 192-Bit Keys
+
+ Let P be a 128-bit plaintext and K be a 192-bit master key. Let ek1,
+ ..., ek15 be the encryption round keys defined by K. Then the
+ ciphertext C is computed by the following algorithm.
+
+ P1 = FO(P , ek1 ); // Round 1
+ P2 = FE(P1 , ek2 ); // Round 2
+ P3 = FO(P2 , ek3 ); // Round 3
+ P4 = FE(P3 , ek4 ); // Round 4
+ P5 = FO(P4 , ek5 ); // Round 5
+ P6 = FE(P5 , ek6 ); // Round 6
+ P7 = FO(P6 , ek7 ); // Round 7
+ P8 = FE(P7 , ek8 ); // Round 8
+ P9 = FO(P8 , ek9 ); // Round 9
+ P10 = FE(P9 , ek10); // Round 10
+ P11 = FO(P10, ek11); // Round 11
+ P12 = FE(P11, ek12); // Round 12
+ P13 = FO(P12, ek13); // Round 13
+ C = SL2(P13 ^ ek14) ^ ek15; // Round 14
+
+2.3.1.3. Encryption for 256-Bit Keys
+
+ Let P be a 128-bit plaintext and K be a 256-bit master key. Let ek1,
+ ..., ek17 be the encryption round keys defined by K. Then the
+ ciphertext C is computed by the following algorithm.
+
+ P1 = FO(P , ek1 ); // Round 1
+ P2 = FE(P1 , ek2 ); // Round 2
+ P3 = FO(P2 , ek3 ); // Round 3
+ P4 = FE(P3 , ek4 ); // Round 4
+ P5 = FO(P4 , ek5 ); // Round 5
+ P6 = FE(P5 , ek6 ); // Round 6
+ P7 = FO(P6 , ek7 ); // Round 7
+ P8 = FE(P7 , ek8 ); // Round 8
+ P9 = FO(P8 , ek9 ); // Round 9
+ P10= FE(P9 , ek10); // Round 10
+ P11= FO(P10, ek11); // Round 11
+ P12= FE(P11, ek12); // Round 12
+ P13= FO(P12, ek13); // Round 13
+ P14= FE(P13, ek14); // Round 14
+ P15= FO(P14, ek15); // Round 15
+ C = SL2(P15 ^ ek16) ^ ek17; // Round 16
+
+
+
+
+
+
+
+
+Lee, et al. Informational [Page 5]
+
+RFC 5794 The ARIA Encryption Algorithm March 2010
+
+
+2.3.2. Decryption Process
+
+ The decryption process of ARIA is the same as the encryption process
+ except that encryption round keys are replaced by decryption round
+ keys. For example, encryption round keys ek1, ..., ek13 of the
+ 12-round ARIA algorithm are replaced by decryption round keys dk1,
+ ..., dk13, respectively.
+
+2.4. Components of ARIA
+
+2.4.1. Round Functions
+
+ There are two types of round functions for ARIA. One is called an
+ odd round function and is denoted by FO. It takes as input a pair
+ (D,RK) of two 128-bit strings and outputs
+
+ FO(D,RK) = A(SL1(D ^ RK)).
+
+ The other is called an even round function and is denoted by FE. It
+ takes as input a pair (D,RK) of two 128-bit strings and outputs
+
+ FE(D,RK) = A(SL2(D ^ RK)).
+
+ Functions SL1 and SL2, called substitution layers, are described in
+ Section 2.4.2. Function A, called a diffusion layer, is described in
+ Section 2.4.3.
+
+2.4.2. Substitution Layers
+
+ ARIA has two types of substitution layers that alternate between
+ rounds. Type 1 is used in the odd rounds, and type 2 is used in the
+ even rounds.
+
+ Type 1 substitution layer SL1 is an algorithm that takes a 16-byte
+ string x0 || x1 ||...|| x15 as input and outputs a 16-byte string
+ y0 || y1 ||...|| y15 as follows.
+
+ y0 = SB1(x0), y1 = SB2(x1), y2 = SB3(x2), y3 = SB4(x3),
+ y4 = SB1(x4), y5 = SB2(x5), y6 = SB3(x6), y7 = SB4(x7),
+ y8 = SB1(x8), y9 = SB2(x9), y10= SB3(x10), y11= SB4(x11),
+ y12= SB1(x12), y13= SB2(x13), y14= SB3(x14), y15= SB4(x15).
+
+ Type 2 substitution layer SL2 is an algorithm that takes a 16-byte
+ string x0 || x1 ||...|| x15 as input and outputs a 16-byte string
+ y0 || y1 ||...|| y15 as follows.
+
+
+
+
+
+
+Lee, et al. Informational [Page 6]
+
+RFC 5794 The ARIA Encryption Algorithm March 2010
+
+
+ y0 = SB3(x0), y1 = SB4(x1), y2 = SB1(x2), y3 = SB2(x3),
+ y4 = SB3(x4), y5 = SB4(x5), y6 = SB1(x6), y7 = SB2(x7),
+ y8 = SB3(x8), y9 = SB4(x9), y10= SB1(x10), y11= SB2(x11),
+ y12= SB3(x12), y13= SB4(x13), y14= SB1(x14), y15= SB2(x15).
+
+ Here, SB1, SB2, SB3, and SB4 are S-boxes that take an 8-bit string as
+ input and output an 8-bit string. These S-boxes are defined by the
+ following look-up tables.
+
+ SB1:
+ 0 1 2 3 4 5 6 7 8 9 a b c d e f
+ 00 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
+ 10 ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
+ 20 b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
+ 30 04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
+ 40 09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
+ 50 53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
+ 60 d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
+ 70 51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
+ 80 cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
+ 90 60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
+ a0 e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
+ b0 e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
+ c0 ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
+ d0 70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
+ e0 e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
+ f0 8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16
+
+ SB2:
+ 0 1 2 3 4 5 6 7 8 9 a b c d e f
+ 00 e2 4e 54 fc 94 c2 4a cc 62 0d 6a 46 3c 4d 8b d1
+ 10 5e fa 64 cb b4 97 be 2b bc 77 2e 03 d3 19 59 c1
+ 20 1d 06 41 6b 55 f0 99 69 ea 9c 18 ae 63 df e7 bb
+ 30 00 73 66 fb 96 4c 85 e4 3a 09 45 aa 0f ee 10 eb
+ 40 2d 7f f4 29 ac cf ad 91 8d 78 c8 95 f9 2f ce cd
+ 50 08 7a 88 38 5c 83 2a 28 47 db b8 c7 93 a4 12 53
+ 60 ff 87 0e 31 36 21 58 48 01 8e 37 74 32 ca e9 b1
+ 70 b7 ab 0c d7 c4 56 42 26 07 98 60 d9 b6 b9 11 40
+ 80 ec 20 8c bd a0 c9 84 04 49 23 f1 4f 50 1f 13 dc
+ 90 d8 c0 9e 57 e3 c3 7b 65 3b 02 8f 3e e8 25 92 e5
+ a0 15 dd fd 17 a9 bf d4 9a 7e c5 39 67 fe 76 9d 43
+ b0 a7 e1 d0 f5 68 f2 1b 34 70 05 a3 8a d5 79 86 a8
+ c0 30 c6 51 4b 1e a6 27 f6 35 d2 6e 24 16 82 5f da
+ d0 e6 75 a2 ef 2c b2 1c 9f 5d 6f 80 0a 72 44 9b 6c
+ e0 90 0b 5b 33 7d 5a 52 f3 61 a1 f7 b0 d6 3f 7c 6d
+ f0 ed 14 e0 a5 3d 22 b3 f8 89 de 71 1a af ba b5 81
+
+
+
+
+
+Lee, et al. Informational [Page 7]
+
+RFC 5794 The ARIA Encryption Algorithm March 2010
+
+
+ SB3:
+ 0 1 2 3 4 5 6 7 8 9 a b c d e f
+ 00 52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb
+ 10 7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb
+ 20 54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e
+ 30 08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25
+ 40 72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92
+ 50 6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84
+ 60 90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06
+ 70 d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b
+ 80 3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73
+ 90 96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e
+ a0 47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b
+ b0 fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4
+ c0 1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f
+ d0 60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef
+ e0 a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61
+ f0 17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d
+
+ SB4:
+ 0 1 2 3 4 5 6 7 8 9 a b c d e f
+ 00 30 68 99 1b 87 b9 21 78 50 39 db e1 72 9 62 3c
+ 10 3e 7e 5e 8e f1 a0 cc a3 2a 1d fb b6 d6 20 c4 8d
+ 20 81 65 f5 89 cb 9d 77 c6 57 43 56 17 d4 40 1a 4d
+ 30 c0 63 6c e3 b7 c8 64 6a 53 aa 38 98 0c f4 9b ed
+ 40 7f 22 76 af dd 3a 0b 58 67 88 06 c3 35 0d 01 8b
+ 50 8c c2 e6 5f 02 24 75 93 66 1e e5 e2 54 d8 10 ce
+ 60 7a e8 08 2c 12 97 32 ab b4 27 0a 23 df ef ca d9
+ 70 b8 fa dc 31 6b d1 ad 19 49 bd 51 96 ee e4 a8 41
+ 80 da ff cd 55 86 36 be 61 52 f8 bb 0e 82 48 69 9a
+ 90 e0 47 9e 5c 04 4b 34 15 79 26 a7 de 29 ae 92 d7
+ a0 84 e9 d2 ba 5d f3 c5 b0 bf a4 3b 71 44 46 2b fc
+ b0 eb 6f d5 f6 14 fe 7c 70 5a 7d fd 2f 18 83 16 a5
+ c0 91 1f 05 95 74 a9 c1 5b 4a 85 6d 13 07 4f 4e 45
+ d0 b2 0f c9 1c a6 bc ec 73 90 7b cf 59 8f a1 f9 2d
+ e0 f2 b1 00 94 37 9f d0 2e 9c 6e 28 3f 80 f0 3d d3
+ f0 25 8a b5 e7 42 b3 c7 ea f7 4c 11 33 03 a2 ac 60
+
+ For example, SB1(0x23) = 0x26 and SB4(0xef) = 0xd3. Note that SB3
+ and SB4 are the inverse functions of SB1 and SB2, respectively, and
+ accordingly SL2 is the inverse of SL1.
+
+2.4.3. Diffusion Layer
+
+ Diffusion layer A is an algorithm that takes a 16-byte string x0 ||
+ x1 || ... || x15 as input and outputs a 16-byte string
+ y0 || y1 ||...|| y15 by the following equations.
+
+
+
+
+Lee, et al. Informational [Page 8]
+
+RFC 5794 The ARIA Encryption Algorithm March 2010
+
+
+ y0 = x3 ^ x4 ^ x6 ^ x8 ^ x9 ^ x13 ^ x14,
+ y1 = x2 ^ x5 ^ x7 ^ x8 ^ x9 ^ x12 ^ x15,
+ y2 = x1 ^ x4 ^ x6 ^ x10 ^ x11 ^ x12 ^ x15,
+ y3 = x0 ^ x5 ^ x7 ^ x10 ^ x11 ^ x13 ^ x14,
+ y4 = x0 ^ x2 ^ x5 ^ x8 ^ x11 ^ x14 ^ x15,
+ y5 = x1 ^ x3 ^ x4 ^ x9 ^ x10 ^ x14 ^ x15,
+ y6 = x0 ^ x2 ^ x7 ^ x9 ^ x10 ^ x12 ^ x13,
+ y7 = x1 ^ x3 ^ x6 ^ x8 ^ x11 ^ x12 ^ x13,
+ y8 = x0 ^ x1 ^ x4 ^ x7 ^ x10 ^ x13 ^ x15,
+ y9 = x0 ^ x1 ^ x5 ^ x6 ^ x11 ^ x12 ^ x14,
+ y10 = x2 ^ x3 ^ x5 ^ x6 ^ x8 ^ x13 ^ x15,
+ y11 = x2 ^ x3 ^ x4 ^ x7 ^ x9 ^ x12 ^ x14,
+ y12 = x1 ^ x2 ^ x6 ^ x7 ^ x9 ^ x11 ^ x12,
+ y13 = x0 ^ x3 ^ x6 ^ x7 ^ x8 ^ x10 ^ x13,
+ y14 = x0 ^ x3 ^ x4 ^ x5 ^ x9 ^ x11 ^ x14,
+ y15 = x1 ^ x2 ^ x4 ^ x5 ^ x8 ^ x10 ^ x15.
+
+ Note that A is an involution. That is, for any 16-byte input string
+ x, x = A(A(x)) holds.
+
+3. Security Considerations
+
+ ARIA is designed to be resistant to all known attacks on block
+ ciphers [ARIA03]. Its security was analyzed by the COSIC group of
+ K.U.Leuven in Belgium [ARIAEVAL] and no security flaw has been found.
+
+4. Informative References
+
+ [ARIAEVAL] Biryukov, A., et al., "Security and Performance Analysis
+ of ARIA", K.U.Leuven (2003), available at
+ http://www.cosic.esat.kuleuven.be/publications/
+ article-500.pdf
+
+ [ARIA03] Kwon, D., et al., "New Block Cipher: ARIA", ICISC 2003,
+ pp. 432-445.
+
+ [ARIAKS] Korean Agency for Technology and Standards (KATS), "128
+ bit block encryption algorithm ARIA", KS X 1213:2004,
+ December 2004 (In Korean).
+
+ [ARIAPKCS] RSA Laboratories, PKCS #11 v2.20 Amendment 3 Revision 1:
+ Additional PKCS #11 Mechanisms, January 2007.
+
+ [X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002,
+ Information technology - Abstract Syntax Notation One
+ (ASN.1): Specification of basic notation.
+
+
+
+
+
+Lee, et al. Informational [Page 9]
+
+RFC 5794 The ARIA Encryption Algorithm March 2010
+
+
+ [X.681] ITU-T Recommendation X.681 (2002) | ISO/IEC 8824-2:2002,
+ Information technology - Abstract Syntax Notation One
+ (ASN.1): Information object specification.
+
+ [X.682] ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-3:2002,
+ Information technology - Abstract Syntax Notation One
+ (ASN.1): Constraint specification.
+
+ [X.683] ITU-T Recommendation X.683 (2002) | ISO/IEC 8824-4:2002,
+ Information technology - Abstract Syntax Notation One
+ (ASN.1): Parameterization of ASN.1 specifications.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lee, et al. Informational [Page 10]
+
+RFC 5794 The ARIA Encryption Algorithm March 2010
+
+
+Appendix A. Example Data of ARIA
+
+ Here are test data for ARIA in hexadecimal form.
+
+A.1. 128-Bit Key
+
+ - Key : 000102030405060708090a0b0c0d0e0f
+ - Plaintext : 00112233445566778899aabbccddeeff
+ - Ciphertext: d718fbd6ab644c739da95f3be6451778
+
+ - Round key generators
+ W0: 000102030405060708090a0b0c0d0e0f
+ W1: 2afbea741e1746dd55c63ba1afcea0a5
+ W2: 7c8578018bb127e02dfe4e78c288e33c
+ W3: 6785b52b74da46bf181054082763ff6d
+
+ - Encryption round keys
+ e1: d415a75c794b85c5e0d2a0b3cb793bf6
+ e2: 369c65e4b11777ab713a3e1e6601b8f4
+ e3: 0368d4f13d14497b6529ad7ac809e7d0
+ e4: c644552b549a263fb8d0b50906229eec
+ e5: 5f9c434951f2d2ef342787b1a781794c
+ e6: afea2c0ce71db6de42a47461f4323c54
+ e7: 324286db44ba4db6c44ac306f2a84b2c
+ e8: 7f9fa93574d842b9101a58063771eb7b
+ e9: aab9c57731fcd213ad5677458fcfe6d4
+ e10: 2f4423bb06465abada5694a19eb88459
+ e11: 9f8772808f5d580d810ef8ddac13abeb
+ e12: 8684946a155be77ef810744847e35fad
+ e13: 0f0aa16daee61bd7dfee5a599970fb35
+
+ - Intermediate round values
+ P1: 7fc7f12befd0a0791de87fa96b469f52
+ P2: ac8de17e49f7c5117618993162b189e9
+ P3: c3e8d59ec2e62d5249ca2741653cb7dd
+ P4: 5d4aebb165e141ff759f669e1e85cc45
+ P5: 7806e469f68874c5004b5f4a046bbcfa
+ P6: 110f93c9a630cdd51f97d2202413345a
+ P7: e054428ef088fef97928241cd3be499e
+ P8: 5734f38ea1ca3ddd102e71f95e1d5f97
+ P9: 4903325be3e500cccd52fba4354a39ae
+ P10: cb8c508e2c4f87880639dc896d25ec9d
+ P11: e7e0d2457ed73d23d481424095afdca0
+
+
+
+
+
+
+
+
+Lee, et al. Informational [Page 11]
+
+RFC 5794 The ARIA Encryption Algorithm March 2010
+
+
+A.2. 192-Bit Key
+
+ Key : 000102030405060708090a0b0c0d0e0f
+ 1011121314151617
+ Plaintext : 00112233445566778899aabbccddeeff
+ Ciphertext: 26449c1805dbe7aa25a468ce263a9e79
+
+A.3. 256-Bit Key
+
+ Key : 000102030405060708090a0b0c0d0e0f
+ 101112131415161718191a1b1c1d1e1f
+ Plaintext : 00112233445566778899aabbccddeeff
+ Ciphertext: f92bd7c79fb72e2f2b8f80c1972d24fc
+
+Appendix B. OIDs
+
+ Here is an ASN.1 module conforming to the 2002 version of ASN.1
+ [X.680][X.681][X.682][X.683].
+
+ AriaModesOfOperation {
+ iso(1) member-body(2) korea(400) nsri(200046) algorithm (1)
+ symmetric-encryption-algorithm(1) asn1-module(0) alg-oids(0) }
+
+ DEFINITIONS IMPLICIT TAGS ::=
+ BEGIN
+
+ OID ::= OBJECT IDENTIFIER
+
+ -- Synonyms --
+
+ id-algorithm OID ::= { iso(1) member-body(2) korea(410) nsri(200046)
+ algorithm(1)}
+
+ id-sea OID ::= { id-algorithm symmetric-encryption-algorithm(1)}
+ id-pad OID ::= { id-algorithm pad(2)}
+
+ id-pad-null RELATIVE-OID ::= {0} -- no padding algorithms identified
+ id-pad-1 RELATIVE-OID ::= {1}
+ -- padding method 2 of ISO/IEC 9797-1:1999
+
+ -- confidentiality modes:
+ -- ECB, CBC, CFB, OFB, CTR
+
+ id-aria128-ecb OID ::= { id-sea aria128-ecb(1)}
+ id-aria128-cbc OID ::= { id-sea aria128-cbc(2)}
+ id-aria128-cfb OID ::= { id-sea aria128-cfb(3)}
+ id-aria128-ofb OID ::= { id-sea aria128-ofb(4)}
+ id-aria128-ctr OID ::= { id-sea aria128-ctr(5)}
+
+
+
+Lee, et al. Informational [Page 12]
+
+RFC 5794 The ARIA Encryption Algorithm March 2010
+
+
+ id-aria192-ecb OID ::= { id-sea aria192-ecb(6)}
+ id-aria192-cbc OID ::= { id-sea aria192-cbc(7)}
+ id-aria192-cfb OID ::= { id-sea aria192-cfb(8)}
+ id-aria192-ofb OID ::= { id-sea aria192-ofb(9)}
+ id-aria192-ctr OID ::= { id-sea aria192-ctr(10)}
+
+ id-aria256-ecb OID ::= { id-sea aria256-ecb(11)}
+ id-aria256-cbc OID ::= { id-sea aria256-cbc(12)}
+ id-aria256-cfb OID ::= { id-sea aria256-cfb(13)}
+ id-aria256-ofb OID ::= { id-sea aria256-ofb(14)}
+ id-aria256-ctr OID ::= { id-sea aria256-ctr(15)}
+
+ -- authentication modes: CMAC
+
+ id-aria128-cmac OID ::= { id-sea aria128-cmac(21)}
+ id-aria192-cmac OID ::= { id-sea aria192-cmac(22)}
+ id-aria256-cmac OID ::= { id-sea aria256-cmac(23)}
+
+ -- modes for both confidentiality and authentication
+ -- OCB 2.0, GCM, CCM, Key Wrap
+
+ id-aria128-ocb2 OID ::= { id-sea aria128-ocb2(31)}
+ id-aria192-ocb2 OID ::= { id-sea aria192-ocb2(32)}
+ id-aria256-ocb2 OID ::= { id-sea aria256-ocb2(33)}
+
+ id-aria128-gcm OID ::= { id-sea aria128-gcm(34)}
+ id-aria192-gcm OID ::= { id-sea aria192-gcm(35)}
+ id-aria256-gcm OID ::= { id-sea aria256-gcm(36)}
+
+ id-aria128-ccm OID ::= { id-sea aria128-ccm(37)}
+ id-aria192-ccm OID ::= { id-sea aria192-ccm(38)}
+ id-aria256-ccm OID ::= { id-sea aria256-ccm(39)}
+
+ id-aria128-kw OID ::= { id-sea aria128-kw(40)}
+ id-aria192-kw OID ::= { id-sea aria192-kw(41)}
+ id-aria256-kw OID ::= { id-sea aria256-kw(42)}
+
+ -- ARIA Key-Wrap with Padding Algorithm (AES version: RFC 5649)
+
+ id-aria128-kwp OID ::= { id-sea aria128-kwp(43)}
+ id-aria192-kwp OID ::= { id-sea aria192-kwp(44)}
+ id-aria256-kwp OID ::= { id-sea aria256-kwp(45)}
+
+
+
+
+
+
+
+
+
+Lee, et al. Informational [Page 13]
+
+RFC 5794 The ARIA Encryption Algorithm March 2010
+
+
+ AriaModeOfOperation ::= AlgorithmIdentifier
+ { {AriaModeOfOperationAlgorithms} }
+
+ AriaModeOfOperationAlgorithms ALGORITHM ::= {
+ aria128ecb |aria128cbc |aria128cfb |aria128ofb |aria128ctr |
+ aria192ecb |aria192cbc |aria192cfb |aria192ofb |aria192ctr |
+ aria256ecb |aria256cbc |aria256cfb |aria256ofb |aria256ctr |
+ aria128cmac |aria192cmac |aria256cmac |
+ aria128ocb2 |aria192ocb2 |aria256ocb2 |
+ aria128gcm |aria192gcm |aria256gcm |
+ aria128ccm |aria192ccm |aria256ccm |
+ aria128kw |aria192kw |aria256kw |
+ aria128kwp |aria192kwp |aria256kwp ,
+ ... --Extensible
+ }
+
+ aria128ecb ALGORITHM ::=
+ { OID id-aria128-ecb PARAMS AriaEcbParameters }
+ aria128cbc ALGORITHM ::=
+ { OID id-aria128-cbc PARAMS AriaCbcParameters }
+ aria128cfb ALGORITHM ::=
+ { OID id-aria128-cfb PARAMS AriaCfbParameters }
+ aria128ofb ALGORITHM ::=
+ { OID id-aria128-ofb PARAMS AriaOfbParameters }
+ aria128ctr ALGORITHM ::=
+ { OID id-aria128-ctr PARAMS AriaCtrParameters }
+
+ aria192ecb ALGORITHM ::=
+ { OID id-aria192-ecb PARAMS AriaEcbParameters }
+ aria192cbc ALGORITHM ::=
+ { OID id-aria192-cbc PARAMS AriaCbcParameters }
+ aria192cfb ALGORITHM ::=
+ { OID id-aria192-cfb PARAMS AriaCfbParameters }
+
+ aria192ofb ALGORITHM ::=
+ { OID id-aria192-ofb PARAMS AriaOfbParameters }
+ aria192ctr ALGORITHM ::=
+ { OID id-aria192-ctr PARAMS AriaCtrParameters }
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lee, et al. Informational [Page 14]
+
+RFC 5794 The ARIA Encryption Algorithm March 2010
+
+
+ aria256ecb ALGORITHM ::=
+ { OID id-aria256-ecb PARAMS AriaEcbParameters }
+ aria256cbc ALGORITHM ::=
+ { OID id-aria256-cbc PARAMS AriaCbcParameters }
+ aria256cfb ALGORITHM ::=
+ { OID id-aria256-cfb PARAMS AriaCfbParameters }
+ aria256ofb ALGORITHM ::=
+ { OID id-aria256-ofb PARAMS AriaOfbParameters }
+ aria256ctr ALGORITHM ::=
+ { OID id-aria256-ctr PARAMS AriaCtrParameters }
+
+ aria128cmac ALGORITHM ::=
+ { OID id-aria128-cmac PARAMS AriaCmacParameters }
+ aria192cmac ALGORITHM ::=
+ { OID id-aria192-cmac PARAMS AriaCmacParameters }
+ aria256cmac ALGORITHM ::=
+ { OID id-aria256-cmac PARAMS AriaCmacParameters }
+
+ aria128ocb2 ALGORITHM ::=
+ { OID id-aria128-ocb2 PARAMS AriaOcb2Parameters }
+ aria192ocb2 ALGORITHM ::=
+ { OID id-aria192-ocb2 PARAMS AriaOcb2Parameters }
+ aria256ocb2 ALGORITHM ::=
+ { OID id-aria256-ocb2 PARAMS AriaOcb2Parameters }
+
+ aria128gcm ALGORITHM ::=
+ { OID id-aria128-gcm PARAMS AriaGcmParameters }
+ aria192gcm ALGORITHM ::=
+ { OID id-aria192-gcm PARAMS AriaGcmParameters }
+ aria256gcm ALGORITHM ::=
+ { OID id-aria256-gcm PARAMS AriaGcmParameters }
+
+ aria128ccm ALGORITHM ::=
+ { OID id-aria128-ccm PARAMS AriaCcmParameters }
+ aria192ccm ALGORITHM ::=
+ { OID id-aria192-ccm PARAMS AriaCcmParameters }
+ aria256ccm ALGORITHM ::=
+ { OID id-aria256-ccm PARAMS AriaCcmParameters }
+
+ aria128kw ALGORITHM ::= { OID id-aria128-kw }
+ aria192kw ALGORITHM ::= { OID id-aria192-kw }
+ aria256kw ALGORITHM ::= { OID id-aria256-kw }
+
+ aria128kwp ALGORITHM ::= { OID id-aria128-kwp }
+ aria192kwp ALGORITHM ::= { OID id-aria192-kwp }
+ aria256kwp ALGORITHM ::= { OID id-aria256-kwp }
+
+
+
+
+
+Lee, et al. Informational [Page 15]
+
+RFC 5794 The ARIA Encryption Algorithm March 2010
+
+
+ AriaPadAlgo ::= CHOICE {
+ specifiedPadAlgo RELATIVE-OID,
+ generalPadAlgo OID
+ }
+
+ AriaEcbParameters ::= SEQUENCE {
+ padAlgo AriaPadAlgo DEFAULT specifiedPadAlgo:id-pad-null
+ }
+
+ AriaCbcParameters ::= SEQUENCE {
+ m INTEGER DEFAULT 1,
+ -- number of stored ciphertext blocks
+ padAlgo AriaPadAlgo DEFAULT specifiedPadAlgo:id-pad-1
+ }
+
+ AriaCfbParameters ::= SEQUENCE {
+ r INTEGER,
+ -- bit-length of feedback buffer, 128<=r<=128*1024
+ k INTEGER,
+ -- bit-length of feedback variable, 1<=k<=128
+ j INTEGER,
+ -- bit-length of plaintext/ciphertext block, 1<=j<=k
+ padAlgo AriaPadAlgo DEFAULT specifiedPadAlgo:id-pad-null
+ }
+
+ AriaOfbParameters ::= SEQUENCE {
+ j INTEGER,
+ -- bit-length of plaintext/ciphertext block, 1<=j<=128
+ padAlgo AriaPadAlgo DEFAULT specifiedPadAlgo:id-pad-null
+ }
+
+ AriaCtrParameters ::= SEQUENCE {
+ j INTEGER,
+ -- bit-length of plaintext/ciphertext block, 1<=j<=128
+ padAlgo AriaPadAlgo DEFAULT specifiedPadAlgo:id-pad-null
+ }
+
+ AriaCmacParameters ::= INTEGER -- bit-length of authentication tag
+
+ AriaOcb2Parameters ::= INTEGER -- bit-length of authentication tag
+
+ AriaGcmParameters ::= SEQUENCE {
+ s INTEGER, -- bit-length of starting variable
+ t INTEGER -- bit-length of authentication tag
+ }
+
+
+
+
+
+
+Lee, et al. Informational [Page 16]
+
+RFC 5794 The ARIA Encryption Algorithm March 2010
+
+
+ AriaCcmParameters ::= SEQUENCE {
+ w INTEGER (2|3|4|5|6|7|8),
+ -- length of message length field in octets
+ t INTEGER (32|48|64|80|96|112|128)
+ -- bit-length of authentication tag
+ }
+
+ ALGORITHM ::= CLASS {
+ &id OBJECT IDENTIFIER UNIQUE,
+ &Type OPTIONAL
+ }
+ WITH SYNTAX { OID &id [PARAMS &Type] }
+
+ AlgorithmIdentifier { ALGORITHM:AlgoSet } ::= SEQUENCE {
+ algorithm ALGORITHM.&id( {AlgoSet} ),
+ parameters ALGORITHM.&Type( {AlgoSet}{@algorithm} ) OPTIONAL
+ }
+
+ END
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lee, et al. Informational [Page 17]
+
+RFC 5794 The ARIA Encryption Algorithm March 2010
+
+
+Authors' Addresses
+
+ Jungkeun Lee
+ National Security Research Institute
+ P.O.Box 1, Yuseong, Daejeon, 305-350, Korea
+
+ EMail: jklee@ensec.re.kr
+
+
+ Jooyoung Lee
+ National Security Research Institute
+ P.O.Box 1, Yuseong, Daejeon, 305-350, Korea
+
+ EMail: jlee05@ensec.re.kr
+
+
+ Jaeheon Kim
+
+ National Security Research Institute
+ P.O.Box 1, Yuseong, Daejeon, 305-350, Korea
+
+ EMail: jaeheon@ensec.re.kr
+
+
+ Daesung Kwon
+ National Security Research Institute
+ P.O.Box 1, Yuseong, Daejeon, 305-350, Korea
+
+ EMail: ds_kwon@ensec.re.kr
+
+
+ Choonsoo Kim
+ National Security Research Institute
+ P.O.Box 1, Yuseong, Daejeon, 305-350, Korea
+
+ EMail: jbr@ensec.re.kr
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lee, et al. Informational [Page 18]
+