path: root/doc/rfc/rfc6114.txt
Diffstat (limited to 'doc/rfc/rfc6114.txt')
-rw-r--r-- doc/rfc/rfc6114.txt 1851
1 files changed, 1851 insertions, 0 deletions
diff --git a/doc/rfc/rfc6114.txt b/doc/rfc/rfc6114.txt
new file mode 100644
index 0000000..f0bc09b
--- /dev/null
+++ b/doc/rfc/rfc6114.txt
@@ -0,0 +1,1851 @@
+
+
+
+
+
+
+Independent Submission M. Katagi
+Request for Comments: 6114 S. Moriai
+Category: Informational Sony Corporation
+ISSN: 2070-1721 March 2011
+
+
+ The 128-Bit Blockcipher CLEFIA
+
+Abstract
+
+ This document describes the specification of the blockcipher CLEFIA.
+ CLEFIA is a 128-bit blockcipher, with key lengths of 128, 192, and
+ 256 bits, which is compatible with the interface of the Advanced
+ Encryption Standard (AES). The algorithm of CLEFIA was published in
+ 2007, and its security has been scrutinized in the public community.
+ CLEFIA is one of the new-generation lightweight blockcipher
+ algorithms designed after AES. Among them, CLEFIA offers high
+ performance in software and hardware as well as lightweight
+ implementation in hardware. CLEFIA will be of benefit to the
+ Internet, which will be connected to more distributed and constrained
+ devices.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This is a contribution to the RFC Series, independently of any other
+ RFC stream. The RFC Editor has chosen to publish this document at
+ its discretion and makes no statement about its value for
+ implementation or deployment. Documents approved for publication by
+ the RFC Editor are not a candidate for any level of Internet
+ Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc6114.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Katagi & Moriai Informational [Page 1]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+Copyright Notice
+
+ Copyright (c) 2011 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document.
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 2. Notations .......................................................3
+ 3. CLEFIA Algorithm ................................................4
+ 4. CLEFIA Building Blocks ..........................................4
+ 4.1. GFN_{d,r} ..................................................4
+ 4.2. F-Functions ................................................6
+ 4.3. S-Boxes ....................................................7
+ 4.4. Diffusion Matrices .........................................9
+ 5. Data Processing Part ............................................9
+ 5.1. Encryption/Decryption ......................................9
+ 5.2. The Numbers of Rounds .....................................10
+ 6. Key Scheduling Part ............................................10
+ 6.1. DoubleSwap Function .......................................10
+ 6.2. Overall Structure .........................................11
+ 6.3. Key Scheduling for a 128-Bit Key ..........................11
+ 6.4. Key Scheduling for a 192-Bit Key ..........................11
+ 6.5. Key Scheduling for a 256-Bit Key ..........................12
+ 6.6. Constant Values ...........................................13
+ 7. Security Considerations ........................................18
+ 8. Informative References .........................................18
+ Appendix A. Test Vectors ..........................................19
+ Appendix B. Test Vectors (Intermediate Values) ....................19
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Katagi & Moriai Informational [Page 2]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+1. Introduction
+
+ Due to the widespread use of the Internet, devices with limited
+ capabilities, e.g., wireless sensors, are connected to the network.
+ In order to realize enough security for the network, cryptographic
+ technologies suitable for such constrained devices are very
+ important. This recent technology is called "lightweight
+ cryptography", and the demand for lightweight cryptography is
+ increasing.
+
+ In order to satisfy these needs, a 128-bit blockcipher, CLEFIA, was
+ designed based on state-of-the-art techniques [FSE07]. CLEFIA is a
+ 128-bit blockcipher, with key lengths of 128, 192, and 256 bits,
+ which is compatible with the interface of AES [FIPS-197]. Since the
+ cipher algorithm was published in 2007, its security has been
+ scrutinized in the public community, but no security weaknesses have
+ been reported so far.
+
+ CLEFIA is a lightweight blockcipher, since it can be implemented
+ within 3 Kgates using a 0.13-um standard Complementary Metal Oxide
+ Semiconductor (CMOS) Application-Specific Integrated Circuit (ASIC)
+ library. Many of the lightweight cryptographic algorithms sacrifice
+ security and/or speed; however, CLEFIA provides high-level security
+ of 128, 192, and 256 bits and high performance in software and
+ hardware. CLEFIA will be of benefit to the Internet, which will be
+ connected to more distributed and resource-constrained devices.
+
+ CLEFIA is proposed in ISO/IEC 29192-2 [ISO29192-2] and the CRYPTREC
+ project for the revision of the e-Government recommended ciphers list
+ in Japan [CRYPTREC].
+
+ Further information about CLEFIA, including reference implementation,
+ test vectors, and security and performance evaluation, is available
+ from http://www.sony.net/clefia/.
+
+2. Notations
+
+ This section describes mathematical notations, conventions, and
+ symbols used throughout this document.
+
+ 0x : A prefix for a binary string in hexadecimal form
+ a|b or (a|b) : Concatenation of a and b
+ (a,b) or (a b) : Vector style representation of a|b
+ a <- b : Updating a value of a by a value of b
+ trans(a) : Transposition of a vector or a matrix a
+ a XOR b : Bitwise exclusive-OR operation
+
+
+
+
+
+Katagi & Moriai Informational [Page 3]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ ~a : Logical negation
+ a <<< b : b-bit left cyclic shift operation
+ a ^ b : a raised to the power of b
+ a * b : Multiplication in GF(2^n) over a defined polynomial
+
+3. CLEFIA Algorithm
+
+ The CLEFIA algorithm consists of two parts: a data processing part
+ and a key scheduling part. The data processing part of CLEFIA
+ consists of functions ENCr for encryption and DECr for decryption.
+ The encryption/decryption process is as follows:
+
+ Step 1. Key scheduling
+ Step 2. Encrypting/decrypting each block of data using ENCr/DECr
+
+ The process of the key scheduling is described in Section 6, and the
+ definitions of ENCr and DECr are explained in Section 5. CLEFIA
+ supports 128-bit, 192-bit, and 256-bit keys, and the key scheduling
+ and ENCr/DECr should be appropriately selected for its key length.
+
+4. CLEFIA Building Blocks
+
+4.1. GFN_{d,r}
+
+ We first define the function GFN_{d,r}, which is a fundamental
+ structure for CLEFIA, and then define a data processing part and a
+ key scheduling part.
+
+ CLEFIA uses a 4-branch and an 8-branch generalized Feistel network.
+ The 4-branch generalized Feistel network is used in the data
+ processing part and the key scheduling for a 128-bit key. The
+ 8-branch generalized Feistel network is applied in the key scheduling
+ for a 192-bit/256-bit key. We denote the d-branch r-round
+ generalized Feistel network employed in CLEFIA as GFN_{d,r}.
+
+ For d pairs of 32-bit inputs Xi and outputs Yi (0 <= i < d), and dr/2
+ 32-bit round keys RK_{i} (0 <= i < dr/2), GFN_{d,r} (d = 4,8) is
+ defined as follows.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Katagi & Moriai Informational [Page 4]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ GFN_{4,r}(RK_{0}, ..., RK_{2r-1}, X0, X1, X2, X3)
+
+ input : 32-bit round keys RK_{0}, ..., RK_{2r-1},
+ 32-bit data X0, X1, X2, X3,
+
+ output: 32-bit data Y0, Y1, Y2, Y3
+
+ Step 1. T0 | T1 | T2 | T3 <- X0 | X1 | X2 | X3
+
+ Step 2. For i = 0 to r - 1 do the following:
+
+ Step 2.1. T1 <- T1 XOR F0(RK_{2i},T0),
+ T3 <- T3 XOR F1(RK_{2i + 1}, T2)
+
+ Step 2.2. T0 | T1 | T2 | T3 <- T1 | T2 | T3 | T0
+
+ Step 3. Y0 | Y1 | Y2 | Y3 <- T3 | T0 | T1 | T2
+
+ GFN_{8,r}(RK_{0}, ..., RK_{4r-1}, X0, X1, ..., X7)
+
+ input : 32-bit round keys RK_{0}, ..., RK_{4r-1},
+ 32-bit data X0, X1, X2, X3, X4, X5, X6, X7,
+
+ output: 32-bit data Y0, Y1, Y2, Y3, Y4, Y5, Y6, Y7
+
+ Step 1. T0 | T1 | ... | T7 <- X0 | X1 | ... | X7
+
+ Step 2. For i = 0 to r - 1 do the following:
+
+ Step 2.1. T1 <- T1 XOR F0(RK_{4i}, T0),
+ T3 <- T3 XOR F1(RK_{4i + 1}, T2),
+ T5 <- T5 XOR F0(RK_{4i + 2}, T4),
+ T7 <- T7 XOR F1(RK_{4i + 3}, T6)
+
+ Step 2.2. T0 | T1 | ... | T6 | T7 <- T1 | T2 | ... | T7 | T0
+
+ Step 3. Y0 | Y1 | ... | Y6 | Y7 <- T7 | T0 | ... | T5 | T6
+
+ The inverse function GFNINV_{4,r} is obtained by changing the order
+ of RK_{i} and the direction of word rotation at Step 2.2 and Step 3
+ in GFN_{4,r}.
+
+
+
+
+
+
+
+
+
+
+Katagi & Moriai Informational [Page 5]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ GFNINV_{4,r}(RK_{0}, ..., RK_{2r-1}, X0, X1, X2, X3)
+
+ input : 32-bit round keys RK_{0}, ..., RK_{2r-1},
+ 32-bit data X0, X1, X2, X3,
+
+ output: 32-bit data Y0, Y1, Y2, Y3
+
+ Step 1. T0 | T1 | T2 | T3 <- X0 | X1 | X2 | X3
+
+ Step 2. For i = 0 to r - 1 do the following:
+
+ Step 2.1. T1 <- T1 XOR F0(RK_{2(r - i) - 2}, T0),
+ T3 <- T3 XOR F1(RK_{2(r - i) - 1}, T2)
+
+ Step 2.2. T0 | T1 | T2 | T3 <- T3 | T0 | T1 | T2
+
+ Step 3. Y0 | Y1 | Y2 | Y3 <- T1 | T2 | T3 | T0
+
+4.2. F-Functions
+
+ Two F-functions F0 and F1 used in GFN_{d,r} are defined as follows:
+
+ F0(RK, x)
+
+ input : 32-bit round key RK, 32-bit data x,
+
+ output: 32-bit data y
+
+ Step 1. T <- RK XOR x
+
+ Step 2. Let T = T0 | T1 | T2 | T3, where Ti is 8-bit data,
+ T0 <- S0(T0),
+ T1 <- S1(T1),
+ T2 <- S0(T2),
+ T3 <- S1(T3)
+
+ Step 3. Let y = y0 | y1 | y2 | y3, where yi is 8-bit data,
+ y <- M0 trans((T0, T1, T2, T3))
+
+
+
+
+
+
+
+
+
+
+
+
+
+Katagi & Moriai Informational [Page 6]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ F1(RK, x)
+
+ input : 32-bit round key RK, 32-bit data x,
+
+ output: 32-bit data y
+
+ Step 1. T <- RK XOR x
+
+ Step 2. Let T = T0 | T1 | T2 | T3, where Ti is 8-bit data,
+ T0 <- S1(T0),
+ T1 <- S0(T1),
+ T2 <- S1(T2),
+ T3 <- S0(T3)
+
+ Step 3. Let y = y0 | y1 | y2 | y3, where yi is 8-bit data,
+ y <- M1 trans((T0, T1, T2, T3))
+
+ S0 and S1 are nonlinear 8-bit S-boxes, and M0 and M1 are 4x4
+ diffusion matrices described in the following section. In each
+ F-function, two S-boxes are used in the different order, and a
+ different matrix is used.
+
+4.3. S-Boxes
+
+ CLEFIA employs two different types of 8-bit S-boxes: S0 is based on
+ four 4-bit S-boxes, and S1 is based on the inverse function over
+ GF(2^8) [CLEFIA1].
+
+ Tables 1 and 2 show the output values of S0 and S1, respectively. In
+ these tables, all values are expressed in hexadecimal form. For an
+ 8-bit input of an S-box, the upper 4 bits indicate a row and the
+ lower 4 bits indicate a column. For example, if a value 0xab is
+ input, 0x7e is output by S0 because it is on the cross line of the
+ row indexed by "a." and the column indexed by ".b".
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Katagi & Moriai Informational [Page 7]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Table 1: S-Box S0
+
+ .0 .1 .2 .3 .4 .5 .6 .7 .8 .9 .a .b .c .d .e .f
+ 0. 57 49 d1 c6 2f 33 74 fb 95 6d 82 ea 0e b0 a8 1c
+ 1. 28 d0 4b 92 5c ee 85 b1 c4 0a 76 3d 63 f9 17 af
+ 2. bf a1 19 65 f7 7a 32 20 06 ce e4 83 9d 5b 4c d8
+ 3. 42 5d 2e e8 d4 9b 0f 13 3c 89 67 c0 71 aa b6 f5
+ 4. a4 be fd 8c 12 00 97 da 78 e1 cf 6b 39 43 55 26
+ 5. 30 98 cc dd eb 54 b3 8f 4e 16 fa 22 a5 77 09 61
+ 6. d6 2a 53 37 45 c1 6c ae ef 70 08 99 8b 1d f2 b4
+ 7. e9 c7 9f 4a 31 25 fe 7c d3 a2 bd 56 14 88 60 0b
+ 8. cd e2 34 50 9e dc 11 05 2b b7 a9 48 ff 66 8a 73
+ 9. 03 75 86 f1 6a a7 40 c2 b9 2c db 1f 58 94 3e ed
+ a. fc 1b a0 04 b8 8d e6 59 62 93 35 7e ca 21 df 47
+ b. 15 f3 ba 7f a6 69 c8 4d 87 3b 9c 01 e0 de 24 52
+ c. 7b 0c 68 1e 80 b2 5a e7 ad d5 23 f4 46 3f 91 c9
+ d. 6e 84 72 bb 0d 18 d9 96 f0 5f 41 ac 27 c5 e3 3a
+ e. 81 6f 07 a3 79 f6 2d 38 1a 44 5e b5 d2 ec cb 90
+ f. 9a 36 e5 29 c3 4f ab 64 51 f8 10 d7 bc 02 7d 8e
+
+ Table 2: S-Box S1
+
+ .0 .1 .2 .3 .4 .5 .6 .7 .8 .9 .a .b .c .d .e .f
+ 0. 6c da c3 e9 4e 9d 0a 3d b8 36 b4 38 13 34 0c d9
+ 1. bf 74 94 8f b7 9c e5 dc 9e 07 49 4f 98 2c b0 93
+ 2. 12 eb cd b3 92 e7 41 60 e3 21 27 3b e6 19 d2 0e
+ 3. 91 11 c7 3f 2a 8e a1 bc 2b c8 c5 0f 5b f3 87 8b
+ 4. fb f5 de 20 c6 a7 84 ce d8 65 51 c9 a4 ef 43 53
+ 5. 25 5d 9b 31 e8 3e 0d d7 80 ff 69 8a ba 0b 73 5c
+ 6. 6e 54 15 62 f6 35 30 52 a3 16 d3 28 32 fa aa 5e
+ 7. cf ea ed 78 33 58 09 7b 63 c0 c1 46 1e df a9 99
+ 8. 55 04 c4 86 39 77 82 ec 40 18 90 97 59 dd 83 1f
+ 9. 9a 37 06 24 64 7c a5 56 48 08 85 d0 61 26 ca 6f
+ a. 7e 6a b6 71 a0 70 05 d1 45 8c 23 1c f0 ee 89 ad
+ b. 7a 4b c2 2f db 5a 4d 76 67 17 2d f4 cb b1 4a a8
+ c. b5 22 47 3a d5 10 4c 72 cc 00 f9 e0 fd e2 fe ae
+ d. f8 5f ab f1 1b 42 81 d6 be 44 29 a6 57 b9 af f2
+ e. d4 75 66 bb 68 9f 50 02 01 3c 7f 8d 1a 88 bd ac
+ f. f7 e4 79 96 a2 fc 6d b2 6b 03 e1 2e 7d 14 95 1d
+
+
+
+
+
+
+
+
+
+
+
+
+Katagi & Moriai Informational [Page 8]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+4.4. Diffusion Matrices
+
+ The multiplications of a diffusion matrix M0 or M1, and a vector T in
+ Section 4.2, are obtained as follows.
+
+ y = M0 trans((T0, T1, T2, T3)):
+
+ y0 = T0 XOR (0x02 * T1) XOR (0x04 * T2) XOR (0x06 * T3),
+ y1 = (0x02 * T0) XOR T1 XOR (0x06 * T2) XOR (0x04 * T3),
+ y2 = (0x04 * T0) XOR (0x06 * T1) XOR T2 XOR (0x02 * T3),
+ y3 = (0x06 * T0) XOR (0x04 * T1) XOR (0x02 * T2) XOR T3
+
+ y = M1 trans((T0, T1, T2, T3)):
+
+ y0 = T0 XOR (0x08 * T1) XOR (0x02 * T2) XOR (0x0a * T3),
+ y1 = (0x08 * T0) XOR T1 XOR (0x0a * T2) XOR (0x02 * T3),
+ y2 = (0x02 * T0) XOR (0x0a * T1) XOR T2 XOR (0x08 * T3),
+ y3 = (0x0a * T0) XOR (0x02 * T1) XOR (0x08 * T2) XOR T3
+
+ In the above equations, * denotes a multiplication in GF(2^8) defined
+ by the lexicographically first primitive polynomial
+ z^8 + z^4 + z^3 + z^2 + 1. The constants 0x02, 0x04, 0x06, 0x08, and
+ 0x0a are represented in hexadecimal form of finite field polynomials.
+ For example, 0x02 identifies the finite field element z. 8-bit data
+ Ti is also interpreted as a finite field element.
+
+ The mathematical background of two diffusion matrices and their
+ choices are explained in [CLEFIA2].
+
+5. Data Processing Part
+
+5.1. Encryption/Decryption
+
+ The data processing part of CLEFIA consists of ENCr for encryption
+ and DECr for decryption. ENCr and DECr are based on the 4-branch
+ generalized Feistel structure GFN_{4,r}. Let P,C be 128-bit
+ plaintext and ciphertext, and let Pi, Ci (0 <= i < 4) be divided
+ 32-bit plaintexts and ciphertexts where P = P0 | P1 | P2 | P3 and
+ C = C0 | C1 | C2 | C3, and let WK0, WK1, WK2, WK3 be 32-bit whitening
+ keys and RK_{i} (0 <= i < 2r) be 32-bit round keys provided by the
+ key scheduling part. Then, r-round encryption function ENCr is
+ defined as follows:
+
+
+
+
+
+
+
+
+
+Katagi & Moriai Informational [Page 9]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Step 1. T0 | T1 | T2 | T3 <- P0 | (P1 XOR WK0) | P2 | (P3 XOR WK1)
+
+ Step 2. T0 | T1 | T2 | T3
+ <- GFN_{4,r}(RK_{0}, ..., RK_{2r-1}, T0, T1, T2, T3)
+
+ Step 3. C0 | C1 | C2 | C3 <- T0 | (T1 XOR WK2) | T2 | (T3 XOR WK3)
+
+ The decryption function DECr is defined as follows:
+
+ Step 1. T0 | T1 | T2 | T3 <- C0 | (C1 XOR WK2) | C2 | (C3 XOR WK3)
+
+ Step 2. T0 | T1 | T2 | T3
+ <- GFNINV_{4,r}(RK_{0}, ..., RK_{2r-1}, T0, T1, T2, T3)
+
+ Step 3. P0 | P1 | P2 | P3 <- T0 | (T1 XOR WK0) | T2 | (T3 XOR WK1)
+
+5.2. The Numbers of Rounds
+
+ The number of rounds, r, is 18, 22, and 26 for 128-bit, 192-bit, and
+ 256-bit keys, respectively. The total number of RK_{i} depends on
+ the key length. The data processing part requires 36, 44, and 52
+ round keys for 128-bit, 192-bit, and 256-bit keys, respectively.
+
+6. Key Scheduling Part
+
+ The key scheduling part of CLEFIA supports 128-bit, 192-bit, and
+ 256-bit keys and outputs whitening keys WKi (0 <= i < 4) and round
+ keys RK_{j} (0 <= j < 2r) for the data processing part.
+
+6.1. DoubleSwap Function
+
+ We first define the DoubleSwap function, which is used in the key
+ scheduling part.
+
+ The DoubleSwap Function Sigma(X):
+
+ For 128-bit data X,
+
+ Y = Sigma(X)
+ = X[7-63] | X[121-127] | X[0-6] | X[64-120],
+
+ where X[a-b] denotes a bit string cut from the a-th bit to the b-th
+ bit of X. Bit 0 is the most significant bit.
+
+
+
+
+
+
+
+
+Katagi & Moriai Informational [Page 10]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+6.2. Overall Structure
+
+ The key scheduling part of CLEFIA provides whitening keys and round
+ keys for the data processing part. Let K be the key and L be an
+ intermediate key, and the key scheduling part consists of the
+ following two steps.
+
+ 1. Generating L from K.
+ 2. Expanding K and L (Generating WKi and RK_{j}).
+
+ To generate L from K, the key schedule for a 128-bit key uses a
+ 128-bit permutation GFN_{4,12}, while the key schedules for
+ 192/256-bit keys use a 256-bit permutation GFN_{8,10}.
+
+6.3. Key Scheduling for a 128-Bit Key
+
+ The 128-bit intermediate key L is generated by applying GFN_{4,12},
+ which takes twenty-four 32-bit constant values CON_128[i] (0 <= i
+ < 24) as round keys and K = K0 | K1 | K2 | K3 as an input. Then, K
+ and L are used to generate WKi (0 <= i < 4) and RK_{j} (0 <= j < 36)
+ in the following steps. In the latter part, thirty-six 32-bit
+ constant values CON_128[i] (24 <= i < 60) are used. The generation
+ steps of CON_128[i] are explained in Section 6.6.
+
+ (Generating L from K)
+
+ Step 1. L <- GFN_{4,12}(CON_128[0], ..., CON_128[23], K0, ..., K3)
+
+ (Expanding K and L)
+
+ Step 2. WK0 | WK1 | WK2 | WK3 <- K
+
+ Step 3. For i = 0 to 8 do the following:
+ T <- L XOR (CON_128[24 + 4i] | CON_128[24 + 4i + 1]
+ | CON_128[24 + 4i + 2] | CON_128[24 + 4i + 3])
+ L <- Sigma(L)
+ if i is odd: T <- T XOR K
+ RK_{4i} | RK_{4i + 1} | RK_{4i + 2} | RK_{4i + 3} <- T
+
+6.4. Key Scheduling for a 192-Bit Key
+
+ Two 128-bit values KL and KR are generated from a 192-bit key K = K0
+ | K1 | K2 | K3 | K4 | K5, where Ki is 32-bit data. Then, two 128-bit
+ values LL and LR are generated by applying GFN_{8,10}, which takes
+ CON_192[i] (0 <= i < 40) as round keys and KL|KR as a 256-bit input.
+
+
+
+
+
+
+Katagi & Moriai Informational [Page 11]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Then, KL,KR and LL,LR are used to generate WKi (0 <= i < 4) and
+ RK_{j} (0 <= j < 44) in the following steps. In the latter part,
+ forty-four 32-bit constant values CON_192[i] (40 <= i < 84) are used.
+
+ The following steps show the 192-bit/256-bit key scheduling. For the
+ 192-bit key scheduling, the value of k is set as 192.
+
+6.5. Key Scheduling for a 256-Bit Key
+
+ The key scheduling for a 256-bit key is almost the same as that for a
+ 192-bit key, except for constant values, the required number of RKi,
+ and the initialization of KR.
+
+ For a 256-bit key, the value of k is set as 256, and the steps are
+ almost the same as in the 192-bit key case. The difference is that
+ we use CON_256[i](0 <= i < 40) as round keys to generate LL and LR,
+ and then to generate RK_{j} (0 <= j < 52), we use fifty-two 32-bit
+ constant values CON_256[i](40 <= i < 92).
+
+ (Generating LL,LR from KL,KR for a k-bit key)
+
+ Step 1. Set k = 192 or k = 256
+
+ Step 2. If k = 192 :
+ KL <- K0 | K1 | K2 | K3, KR <- K4 | K5 | ~K0 | ~K1
+ else if k = 256 :
+ KL <- K0 | K1 | K2 | K3, KR <- K4 | K5 | K6 | K7
+
+ Step 3. Let KL = KL0 | KL1 | KL2 | KL3
+ KR = KR0 | KR1 | KR2 | KR3
+ LL|LR <-
+ GFN_{8,10}(CON_k[0] , ..., CON_k[39],
+ KL0, ..., KL3, KR0, ..., KR3)
+
+ (Expanding KL,KR and LL,LR for a k-bit key)
+
+ Step 4. WK0 | WK1 | WK2 | WK3 <- KL XOR KR
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Katagi & Moriai Informational [Page 12]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Step 5. For i = 0 to 10 (if k = 192),
+ or 12 (if k = 256) do the following:
+
+ If (i mod 4) = 0 or 1:
+ T <- LL XOR (CON_k[40 + 4i] | CON_k[40 + 4i + 1]
+ | CON_k[40 + 4i + 2] | CON_k[40 + 4i + 3])
+ LL <- Sigma(LL)
+ if i is odd: T <- T XOR KR
+ else:
+ T <- LR XOR (CON_k[40 + 4i] | CON_k[40 + 4i + 1]
+ | CON_k[40 + 4i + 2] | CON_k[40 + 4i + 3])
+ LR <- Sigma(LR)
+ if i is odd: T <- T XOR KL
+
+ RK_{4i} | RK_{4i + 1} | RK_{4i + 2} | RK_{4i + 3} <- T
+
+6.6. Constant Values
+
+ 32-bit constant values CON_k[i] are used in the key scheduling
+ algorithm. We need 60, 84, and 92 constant values for 128-bit,
+ 192-bit, and 256-bit keys, respectively. Let P(16) = 0xb7e1
+ (= (e-2)2^16) and Q(16) = 0x243f (= (pi-3)2^16), where e is the base
+ of the natural logarithm (2.71828...) and pi is the circle ratio
+ (3.14159...). CON_k[i], for k = 128,192,256, are generated as
+ follows (see Table 3 for the repetition numbers l_k and the initial
+ values IV_k).
+
+ Step 1. T_k[0] <- IV_k
+
+ Step 2. For i = 0 to l_k - 1 do the following:
+
+ Step 2.1. CON_k[2i] <- (T_k[i] XOR P) | (~T_k[i] <<< 1)
+
+ Step 2.2. CON_k[2i + 1] <- (~T_k[i] XOR Q) | (T_k[i] <<< 8)
+
+ Step 2.3. T_k[i + 1] <- T_k[i] * (0x0002^{-1})
+
+ In Step 2.3, the multiplications are performed in the field GF(2^16)
+ defined by a primitive polynomial z^16 + z^15 + z^13 + z^11 + z^5 +
+ z^4 + 1 (=0x1a831). 0x0002^{-1} denotes the multiplicative inverse
+ of the finite field element z. The selection criteria of IV and the
+ primitive polynomial are shown in [CLEFIA1].
+
+
+
+
+
+
+
+
+
+Katagi & Moriai Informational [Page 13]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Table 3: Required Numbers of Constant Values
+
+ k # of CON_k[i] l_k IV_k
+ --------------------------------------
+ 128 60 30 0x428a
+ 192 84 42 0x7137
+ 256 92 46 0xb5c0
+
+ Tables 4-6 show the values of T_k[i](k = 128,192,256), and Tables 7-9
+ show the values of CON_k[i](k = 128,192,256).
+
+ Table 4: T_128[i]
+
+ i 0 1 2 3 4 5 6 7
+ T_128[i] 428a 2145 c4ba 625d e536 729b ed55 a2b2
+ i 8 9 10 11 12 13 14 15
+ T_128[i] 5159 fcb4 7e5a 3f2d cb8e 65c7 e6fb a765
+ i 16 17 18 19 20 21 22 23
+ T_128[i] 87aa 43d5 f5f2 7af9 e964 74b2 3a59 c934
+ i 24 25 26 27 28 29
+ T_128[i] 649a 324d cd3e 669f e757 a7b3
+
+
+ Table 5: T_192[i]
+
+ i 0 1 2 3 4 5 6 7
+ T_192[i] 7137 ec83 a259 8534 429a 214d c4be 625f
+ i 8 9 10 11 12 13 14 15
+ T_192[i] e537 a683 8759 97b4 4bda 25ed c6ee 6377
+ i 16 17 18 19 20 21 22 23
+ T_192[i] e5a3 a6c9 877c 43be 21df c4f7 b663 8f29
+ i 24 25 26 27 28 29 30 31
+ T_192[i] 938c 49c6 24e3 c669 b72c 5b96 2dcb c2fd
+ i 32 33 34 35 36 37 38 39
+ T_192[i] b566 5ab3 f941 a8b8 545c 2a2e 1517 de93
+ i 40 41
+ T_192[i] bb51 89b0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Katagi & Moriai Informational [Page 14]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Table 6: T_256[i]
+
+ i 0 1 2 3 4 5 6 7
+ T_256[i] b5c0 5ae0 2d70 16b8 0b5c 05ae 02d7 d573
+ i 8 9 10 11 12 13 14 15
+ T_256[i] bea1 8b48 45a4 22d2 1169 dcac 6e56 372b
+ i 16 17 18 19 20 21 22 23
+ T_256[i] cf8d b3de 59ef f8ef a86f 802f 940f 9e1f
+ i 24 25 26 27 28 29 30 31
+ T_256[i] 9b17 9993 98d1 9870 4c38 261c 130e 0987
+ i 32 33 34 35 36 37 38 39
+ T_256[i] d0db bc75 8a22 4511 f690 7b48 3da4 1ed2
+ i 40 41 42 43 44 45
+ T_256[i] 0f69 d3ac 69d6 34eb ce6d b32e
+
+
+ Table 7: CON_128[i] (0 <= i < 60)
+
+ i 0 1 2 3
+ CON_128[i] f56b7aeb 994a8a42 96a4bd75 fa854521
+ i 4 5 6 7
+ CON_128[i] 735b768a 1f7abac4 d5bc3b45 b99d5d62
+ i 8 9 10 11
+ CON_128[i] 52d73592 3ef636e5 c57a1ac9 a95b9b72
+ i 12 13 14 15
+ CON_128[i] 5ab42554 369555ed 1553ba9a 7972b2a2
+ i 16 17 18 19
+ CON_128[i] e6b85d4d 8a995951 4b550696 2774b4fc
+ i 20 21 22 23
+ CON_128[i] c9bb034b a59a5a7e 88cc81a5 e4ed2d3f
+ i 24 25 26 27
+ CON_128[i] 7c6f68e2 104e8ecb d2263471 be07c765
+ i 28 29 30 31
+ CON_128[i] 511a3208 3d3bfbe6 1084b134 7ca565a7
+ i 32 33 34 35
+ CON_128[i] 304bf0aa 5c6aaa87 f4347855 9815d543
+ i 36 37 38 39
+ CON_128[i] 4213141a 2e32f2f5 cd180a0d a139f97a
+ i 40 41 42 43
+ CON_128[i] 5e852d36 32a464e9 c353169b af72b274
+ i 44 45 46 47
+ CON_128[i] 8db88b4d e199593a 7ed56d96 12f434c9
+ i 48 49 50 51
+ CON_128[i] d37b36cb bf5a9a64 85ac9b65 e98d4d32
+ i 52 53 54 55
+ CON_128[i] 7adf6582 16fe3ecd d17e32c1 bd5f9f66
+ i 56 57 58 59
+ CON_128[i] 50b63150 3c9757e7 1052b098 7c73b3a7
+
+
+
+Katagi & Moriai Informational [Page 15]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Table 8: CON_192[i] (0 <= i < 84)
+
+ i 0 1 2 3
+ CON_192[i] c6d61d91 aaf73771 5b6226f8 374383ec
+ i 4 5 6 7
+ CON_192[i] 15b8bb4c 799959a2 32d5f596 5ef43485
+ i 8 9 10 11
+ CON_192[i] f57b7acb 995a9a42 96acbd65 fa8d4d21
+ i 12 13 14 15
+ CON_192[i] 735f7682 1f7ebec4 d5be3b41 b99f5f62
+ i 16 17 18 19
+ CON_192[i] 52d63590 3ef737e5 1162b2f8 7d4383a6
+ i 20 21 22 23
+ CON_192[i] 30b8f14c 5c995987 2055d096 4c74b497
+ i 24 25 26 27
+ CON_192[i] fc3b684b 901ada4b 920cb425 fe2ded25
+ i 28 29 30 31
+ CON_192[i] 710f7222 1d2eeec6 d4963911 b8b77763
+ i 32 33 34 35
+ CON_192[i] 524234b8 3e63a3e5 1128b26c 7d09c9a6
+ i 36 37 38 39
+ CON_192[i] 309df106 5cbc7c87 f45f7883 987ebe43
+ i 40 41 42 43
+ CON_192[i] 963ebc41 fa1fdf21 73167610 1f37f7c4
+ i 44 45 46 47
+ CON_192[i] 01829338 6da363b6 38c8e1ac 54e9298f
+ i 48 49 50 51
+ CON_192[i] 246dd8e6 484c8c93 fe276c73 9206c649
+ i 52 53 54 55
+ CON_192[i] 9302b639 ff23e324 7188732c 1da969c6
+ i 56 57 58 59
+ CON_192[i] 00cd91a6 6cec2cb7 ec7748d3 8056965b
+ i 60 61 62 63
+ CON_192[i] 9a2aa469 f60bcb2d 751c7a04 193dfdc2
+ i 64 65 66 67
+ CON_192[i] 02879532 6ea666b5 ed524a99 8173b35a
+ i 68 69 70 71
+ CON_192[i] 4ea00d7c 228141f9 1f59ae8e 7378b8a8
+ i 72 73 74 75
+ CON_192[i] e3bd5747 8f9c5c54 9dcfaba3 f1ee2e2a
+ i 76 77 78 79
+ CON_192[i] a2f6d5d1 ced71715 697242d8 055393de
+ i 80 81 82 83
+ CON_192[i] 0cb0895c 609151bb 3e51ec9e 5270b089
+
+
+
+
+
+
+
+Katagi & Moriai Informational [Page 16]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Table 9: CON_256[i] (0 <= i < 92)
+
+ i 0 1 2 3
+ CON_256[i] 0221947e 6e00c0b5 ed014a3f 8120e05a
+ i 4 5 6 7
+ CON_256[i] 9a91a51f f6b0702d a159d28f cd78b816
+ i 8 9 10 11
+ CON_256[i] bcbde947 d09c5c0b b24ff4a3 de6eae05
+ i 12 13 14 15
+ CON_256[i] b536fa51 d917d702 62925518 0eb373d5
+ i 16 17 18 19
+ CON_256[i] 094082bc 6561a1be 3ca9e96e 5088488b
+ i 20 21 22 23
+ CON_256[i] f24574b7 9e64a445 9533ba5b f912d222
+ i 24 25 26 27
+ CON_256[i] a688dd2d caa96911 6b4d46a6 076cacdc
+ i 28 29 30 31
+ CON_256[i] d9b72353 b596566e 80ca91a9 eceb2b37
+ i 32 33 34 35
+ CON_256[i] 786c60e4 144d8dcf 043f9842 681edeb3
+ i 36 37 38 39
+ CON_256[i] ee0e4c21 822fef59 4f0e0e20 232feff8
+ i 40 41 42 43
+ CON_256[i] 1f8eaf20 73af6fa8 37ceffa0 5bef2f80
+ i 44 45 46 47
+ CON_256[i] 23eed7e0 4fcf0f94 29fec3c0 45df1f9e
+ i 48 49 50 51
+ CON_256[i] 2cf6c9d0 40d7179b 2e72ccd8 42539399
+ i 52 53 54 55
+ CON_256[i] 2f30ce5c 4311d198 2f91cf1e 43b07098
+ i 56 57 58 59
+ CON_256[i] fbd9678f 97f8384c 91fdb3c7 fddc1c26
+ i 60 61 62 63
+ CON_256[i] a4efd9e3 c8ce0e13 be66ecf1 d2478709
+ i 64 65 66 67
+ CON_256[i] 673a5e48 0b1bdbd0 0b948714 67b575bc
+ i 68 69 70 71
+ CON_256[i] 3dc3ebba 51e2228a f2f075dd 9ed11145
+ i 72 73 74 75
+ CON_256[i] 417112de 2d5090f6 cca9096f a088487b
+ i 76 77 78 79
+ CON_256[i] 8a4584b7 e664a43d a933c25b c512d21e
+ i 80 81 82 83
+ CON_256[i] b888e12d d4a9690f 644d58a6 086cacd3
+ i 84 85 86 87
+ CON_256[i] de372c53 b216d669 830a9629 ef2beb34
+ i 88 89 90 91
+ CON_256[i] 798c6324 15ad6dce 04cf99a2 68ee2eb3
+
+
+
+Katagi & Moriai Informational [Page 17]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+7. Security Considerations
+
+ The security of CLEFIA has been scrutinized in the public community,
+ but no security weaknesses have been found for full-round CLEFIA to
+ date, neither by the designers nor by independent cryptographers.
+ Security evaluation by the designers is described in [CLEFIA3], and a
+ list of published cryptanalysis results by external cryptographers is
+ available from
+ http://www.sony.net/Products/cryptography/clefia/technical/
+ related_material.html.
+
+8. Informative References
+
+ [CLEFIA1] The 128-bit Blockcipher CLEFIA - Algorithm Specification,
+ Revision 1.0, June 1, 2007, Sony Corporation,
+ http://www.sony.net/Products/cryptography/clefia/
+ technical/data/clefia-spec-1.0.pdf.
+
+ [CLEFIA2] The 128-bit blockcipher CLEFIA - Design Rationale,
+ Revision 1.0, June 1, 2007, Sony Corporation,
+ http://www.sony.net/Products/cryptography/clefia/
+ technical/data/clefia-design-1.0.pdf.
+
+ [CLEFIA3] The 128-bit blockcipher CLEFIA - Security and Performance
+ Evaluations, Revision 1.0, June 1, 2007, Sony
+ Corporation,
+ http://www.sony.net/Products/cryptography/clefia/
+ technical/data/clefia-eval-1.0.pdf.
+
+ [CRYPTREC] Cryptography Research and Evaluation Committees,
+ http://www.cryptrec.go.jp/.
+
+ [FIPS-197] National Institute of Standards and Technology, "Advanced
+ Encryption Standard (AES)", FIPS 197, November 2001,
+ http://csrc.nist.gov/publications/fips/fips197/
+ fips-197.pdf.
+
+ [FSE07] Shirai, T., Shibutani, K., Akishita, T., Moriai, S., and
+ T. Iwata, "The 128-bit Blockcipher CLEFIA", proceedings
+ of Fast Software Encryption 2007 - FSE 2007, LNCS 4593,
+ pp. 181-195, Springer-Verlag, 2007.
+
+ [ISO29192-2]
+ ISO/IEC 29192-2, "Information technology - Security
+ techniques - Lightweight cryptography - Part 2: Block
+ ciphers", http://www.iso.org/iso/iso_catalogue/
+ catalogue_tc/catalogue_detail.htm?csnumber=56552.
+
+
+
+
+Katagi & Moriai Informational [Page 18]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+Appendix A. Test Vectors
+
+ In this appendix, we give test vectors of CLEFIA for each key length.
+ The data are expressed in hexadecimal form. For the intermediate
+ values of these vectors, refer to Appendix B.
+
+ 128-bit key:
+
+ key ffeeddcc bbaa9988 77665544 33221100
+ plaintext 00010203 04050607 08090a0b 0c0d0e0f
+ ciphertext de2bf2fd 9b74aacd f1298555 459494fd
+
+ 192-bit key:
+
+ key ffeeddcc bbaa9988 77665544 33221100
+ f0e0d0c0 b0a09080
+ plaintext 00010203 04050607 08090a0b 0c0d0e0f
+ ciphertext e2482f64 9f028dc4 80dda184 fde181ad
+
+ 256-bit key:
+
+ key ffeeddcc bbaa9988 77665544 33221100
+ f0e0d0c0 b0a09080 70605040 30201000
+ plaintext 00010203 04050607 08090a0b 0c0d0e0f
+ ciphertext a1397814 289de80c 10da46d1 fa48b38a
+
+Appendix B. Test Vectors (Intermediate Values)
+
+ 128-bit key:
+
+ key ffeeddcc bbaa9988 77665544 33221100
+ plaintext 00010203 04050607 08090a0b 0c0d0e0f
+ ciphertext de2bf2fd 9b74aacd f1298555 459494fd
+
+ L 8f89a61b 9db9d0f3 93e65627 da0d027e
+
+ WK_{0,1,2,3} ffeeddcc bbaa9988 77665544 33221100
+ RK_{0,1,2,3} f3e6cef9 8df75e38 41c06256 640ac51b
+ RK_{4,5,6,7} 6a27e20a 5a791b90 e8c528dc 00336ea3
+ RK_{8,9,10,11} 59cd17c4 28565583 312a37cc c08abd77
+ RK_{12,13,14,15} 7e8e7eec 8be7e949 d3f463d6 a0aad6aa
+ RK_{16,17,18,19} e75eb039 0d657eb9 018002e2 9117d009
+ RK_{20,21,22,23} 9f98d11e babee8cf b0369efa d3aaef0d
+ RK_{24,25,26,27} 3438f93b f9cea4a0 68df9029 b869b4a7
+ RK_{28,29,30,31} 24d6406d e74bc550 41c28193 16de4795
+ RK_{32,33,34,35} a34a20f5 33265d14 b19d0554 5142f434
+
+
+
+
+
+Katagi & Moriai Informational [Page 19]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ plaintext 00010203 04050607 08090a0b 0c0d0e0f
+ initial whitening key ffeeddcc bbaa9988
+ after whitening 00010203 fbebdbcb 08090a0b b7a79787
+
+ Round 1 input 00010203 fbebdbcb 08090a0b b7a79787
+ F-function F0 F1
+ input 00010203 08090a0b
+ round key f3e6cef9 8df75e38
+ after key add f3e7ccfa 85fe5433
+ after S 290246e1 777de8e8
+ after M 547a3193 abf12070
+
+ Round 2 input af91ea58 08090a0b 1c56b7f7 00010203
+ F-function F0 F1
+ input af91ea58 1c56b7f7
+ round key 41c06256 640ac51b
+ after key add ee51880e 785c72ec
+ after S cb5d2b0c 63a5edd2
+ after M f51cebb3 82dfe347
+
+ Round 3 input fd15e1b8 1c56b7f7 82dee144 af91ea58
+ F-function F0 F1
+ input fd15e1b8 82dee144
+ round key 6a27e20a 5a791b90
+ after key add 973203b2 d8a7fad4
+ after S c2c7c6c2 be59e10d
+ after M d8dfd8de e15ea81c
+
+ Round 4 input c4896f29 82dee144 4ecf4244 fd15e1b8
+ F-function F0 F1
+ input c4896f29 4ecf4244
+ round key e8c528dc 00336ea3
+ after key add 2c4c47f5 4efc2ce7
+ after S 9da4dafc 43bce638
+ after M b5b28e96 b65c519a
+
+ Round 5 input 376c6fd2 4ecf4244 4b49b022 c4896f29
+ F-function F0 F1
+ input 376c6fd2 4b49b022
+ round key 59cd17c4 28565583
+ after key add 6ea17816 631fe5a1
+ after S f26ad3e5 62af9f1b
+ after M 29f08afd be01d127
+
+
+
+
+
+
+
+
+Katagi & Moriai Informational [Page 20]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Round 6 input 673fc8b9 4b49b022 7a88be0e 376c6fd2
+ F-function F0 F1
+ input 673fc8b9 7a88be0e
+ round key 312a37cc c08abd77
+ after key add 5615ff75 ba020379
+ after S b39c8e58 2dd1e9a2
+ after M 5999a79e 0429b329
+
+ Round 7 input 12d017bc 7a88be0e 3345dcfb 673fc8b9
+ F-function F0 F1
+ input 12d017bc 3345dcfb
+ round key 7e8e7eec 8be7e949
+ after key add 6c5e6950 b8a235b2
+ after S 8b737025 67a08eba
+ after M 6ed11b09 dfd3cd32
+
+ Round 8 input 1459a507 3345dcfb b8ec058b 12d017bc
+ F-function F0 F1
+ input 1459a507 b8ec058b
+ round key d3f463d6 a0aad6aa
+ after key add c7adc6d1 1846d321
+ after S e7ee5a5f 9e97f1a1
+ after M 8c9d011c 93684eec
+
+ Round 9 input bfd8dde7 b8ec058b 81b85950 1459a507
+ F-function F0 F1
+ input bfd8dde7 81b85950
+ round key e75eb039 0d657eb9
+ after key add 58866dde 8cdd27e9
+ after S 4e821daf 59c56044
+ after M e6d6501e 6d5839b4
+
+ Round 10 input 5e3a5595 81b85950 79019cb3 bfd8dde7
+ F-function F0 F1
+ input 5e3a5595 79019cb3
+ round key 018002e2 9117d009
+ after key add 5fba5777 e8164cba
+ after S 612d8f7b 0185a49c
+ after M 3a1b0e97 b9b479c8
+
+ Round 11 input bba357c7 79019cb3 066ca42f 5e3a5595
+ F-function F0 F1
+ input bba357c7 066ca42f
+ round key 9f98d11e babee8cf
+ after key add 243b86d9 bcd24ce0
+ after S f70f1144 cb72a481
+ after M 28974052 4a6700b1
+
+
+
+
+Katagi & Moriai Informational [Page 21]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Round 12 input 5196dce1 066ca42f 145d5524 bba357c7
+ F-function F0 F1
+ input 5196dce1 145d5524
+ round key b0369efa d3aaef0d
+ after key add e1a0421b c7f7ba29
+ after S 6f7efd4f 72642dce
+ after M ffb5db32 907d3820
+
+ Round 13 input f9d97f1d 145d5524 2bde6fe7 5196dce1
+ F-function F0 F1
+ input f9d97f1d 2bde6fe7
+ round key 3438f93b f9cea4a0
+ after key add cde18626 d210cb47
+ after S 3f751141 ab28e0da
+ after M 0a744c28 1c3e38a3
+
+ Round 14 input 1e29190c 2bde6fe7 4da8e442 f9d97f1d
+ F-function F0 F1
+ input 1e29190c 4da8e442
+ round key 68df9029 b869b4a7
+ after key add 76f68925 f5c150e5
+ after S fe6db7e7 fc0c25f6
+ after M aaa2c803 c4315b8d
+
+ Round 15 input 817ca7e4 4da8e442 3de82490 1e29190c
+ F-function F0 F1
+ input 817ca7e4 3de82490
+ round key 24d6406d e74bc550
+ after key add a5aae789 daa3e1c0
+ after S 8d233818 2904757b
+ after M 7bd4cced eac2f0fb
+
+ Round 16 input 367c28af 3de82490 f4ebe9f7 817ca7e4
+ F-function F0 F1
+ input 367c28af f4ebe9f7
+ round key 41c28193 16de4795
+ after key add 77bea93c e235ae62
+ after S 7c4a935b 669b8953
+ after M 598e6940 c119609f
+
+ Round 17 input 64664dd0 f4ebe9f7 4065c77b 367c28af
+ F-function F0 F1
+ input 64664dd0 4065c77b
+ round key a34a20f5 33265d14
+ after key add c72c6d25 73439a6f
+ after S e7e61de7 788c85b4
+ after M 2ac01b0a c755adfa
+
+
+
+
+Katagi & Moriai Informational [Page 22]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Round 18 input de2bf2fd 4065c77b f1298555 64664dd0
+ F-function F0 F1
+ input de2bf2fd f1298555
+ round key b19d0554 5142f434
+ after key add 6fb6f7a9 a06b7161
+ after S b44d648c 7e99ea2a
+ after M ac7738f2 12d0c82d
+
+ output de2bf2fd ec12ff89 f1298555 76b685fd
+ final whitening key 77665544 33221100
+ after whitening de2bf2fd 9b74aacd f1298555 459494fd
+ ciphertext de2bf2fd 9b74aacd f1298555 459494fd
+
+
+ 192-bit key:
+
+ key ffeeddcc bbaa9988 77665544 33221100
+ f0e0d0c0 b0a09080
+ plaintext 00010203 04050607 08090a0b 0c0d0e0f
+ ciphertext e2482f64 9f028dc4 80dda184 fde181ad
+
+ LL db05415a 800082db 7cb8186c d788c5f3
+ LR 1ca9b2e1 b4606829 c92dd35e 2258a432
+ WK_{0,1,2,3} 0f0e0d0c 0b0a0908 77777777 77777777
+ RK_{0,1,2,3} 4d3bfd1b 7a1f5dfa 0fae6e7c c8bf3237
+ RK_{4,5,6,7} 73c2eeb8 dd429ec5 e220b3af c9135e73
+ RK_{8,9,10,11} 38c46a07 fc2ce4ba 370abf2d b05e627b
+ RK_{12,13,14,15} 38351b2f 74bd6e1e 1b7c7dce 92cfc98e
+ RK_{16,17,18,19} 509b31a6 4c5ad53c 6fc2ba33 e1e5c878
+ RK_{20,21,22,23} 419a74b9 1dd79e0e 240a33d2 9dabfd09
+ RK_{24,25,26,27} 6e3ff82a 74ac3ffd b9696e2e cc0b3a38
+ RK_{28,29,30,31} ed785cbd 9c077c13 04978d83 2ec058ba
+ RK_{32,33,34,35} 4bbd5f6a 31fe8de8 b76da574 3a6fa8e7
+ RK_{36,37,38,39} 521213ce 4f1f59d8 c13624f6 ee91f6a4
+ RK_{40,41,42,43} 17f68fde f6c360a9 6288bc72 c0ad856b
+
+ plaintext 00010203 04050607 08090a0b 0c0d0e0f
+ initial whitening key 0f0e0d0c 0b0a0908
+ after whitening 00010203 0b0b0b0b 08090a0b 07070707
+
+ Round 1 input 00010203 0b0b0b0b 08090a0b 07070707
+ F-function F0 F1
+ input 00010203 08090a0b
+ round key 4d3bfd1b 7a1f5dfa
+ after key add 4d3aff18 721657f1
+ after S 43c58e9e ed85d736
+ after M b5021a3b c397f62b
+
+
+
+
+Katagi & Moriai Informational [Page 23]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Round 2 input be091130 08090a0b c490f12c 00010203
+ F-function F0 F1
+ input be091130 c490f12c
+ round key 0fae6e7c c8bf3237
+ after key add b1a77f4c 0c2fc31b
+ after S f3d10ba4 13d83a3d
+ after M 9fba69c1 6683cae3
+
+ Round 3 input 97b363ca c490f12c 6682c8e0 be091130
+ F-function F0 F1
+ input 97b363ca 6682c8e0
+ round key 73c2eeb8 dd429ec5
+ after key add e4718d72 bbc05625
+ after S 79ea66ed f47b0d7a
+ after M 61c21ea5 120e06e2
+
+ Round 4 input a552ef89 6682c8e0 ac0717d2 97b363ca
+ F-function F0 F1
+ input a552ef89 ac0717d2
+ round key e220b3af c9135e73
+ after key add 47725c26 651449a1
+ after S daeda541 355c651b
+ after M 28a43c63 cb1ab573
+
+ Round 5 input 4e26f483 ac0717d2 5ca9d6b9 a552ef89
+ F-function F0 F1
+ input 4e26f483 5ca9d6b9
+ round key 38c46a07 fc2ce4ba
+ after key add 76e29e84 a0853203
+ after S fe663e39 7edcc7c6
+ after M 5ce7dafe ac7f4e3e
+
+ Round 6 input f0e0cd2c 5ca9d6b9 092da1b7 4e26f483
+ F-function F0 F1
+ input f0e0cd2c 092da1b7
+ round key 370abf2d b05e627b
+ after key add c7ea7201 b973c3cc
+ after S e77f9fda 174a3a46
+ after M b9869270 8fc7e089
+
+ Round 7 input e52f44c9 092da1b7 c1e1140a f0e0cd2c
+ F-function F0 F1
+ input e52f44c9 c1e1140a
+ round key 38351b2f 74bd6e1e
+ after key add dd1a5fe6 b55c7a14
+ after S c5496150 5aa5c15c
+ after M 33d8590f e62eb913
+
+
+
+
+Katagi & Moriai Informational [Page 24]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Round 8 input 3af5f8b8 c1e1140a 16ce743f e52f44c9
+ F-function F0 F1
+ input 3af5f8b8 16ce743f
+ round key 1b7c7dce 92cfc98e
+ after key add 21898576 8401bdb1
+ after S a118dc09 3949b1f3
+ after M f091202d 04f9e827
+
+ Round 9 input 31703427 16ce743f e1d6acee 3af5f8b8
+ F-function F0 F1
+ input 31703427 e1d6acee
+ round key 509b31a6 4c5ad53c
+ after key add 61eb0581 ad8c79d2
+ after S 2a8d3304 eeffc072
+ after M f9639a90 8bebfe3d
+
+ Round 10 input efadeeaf e1d6acee b11e0685 31703427
+ F-function F0 F1
+ input efadeeaf b11e0685
+ round key 6fc2ba33 e1e5c878
+ after key add 806f549c 50fbcefd
+ after S cd5eeb61 25d7fe02
+ after M a100e35b 26a4e16d
+
+ Round 11 input 40d64fb5 b11e0685 17d4d54a efadeeaf
+ F-function F0 F1
+ input 40d64fb5 17d4d54a
+ round key 419a74b9 1dd79e0e
+ after key add 014c3b0c 0a034b44
+ after S 49a4c013 b4c6c912
+ after M 51c0208f f1a2c339
+
+ Round 12 input e0de260a 17d4d54a 1e0f2d96 40d64fb5
+ F-function F0 F1
+ input e0de260a 1e0f2d96
+ round key 240a33d2 9dabfd09
+ after key add c4d415d8 83a4d09f
+ after S 801beebe 86b8f8ed
+ after M 8a9aef34 3e451646
+
+ Round 13 input 9d4e3a7e 1e0f2d96 7e9359f3 e0de260a
+ F-function F0 F1
+ input 9d4e3a7e 7e9359f3
+ round key 6e3ff82a 74ac3ffd
+ after key add f371c254 0a3f660e
+ after S 29ea68e8 b4f530a8
+ after M 17524741 4b8c607e
+
+
+
+
+Katagi & Moriai Informational [Page 25]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Round 14 input 095d6ad7 7e9359f3 ab524674 9d4e3a7e
+ F-function F0 F1
+ input 095d6ad7 ab524674
+ round key b9696e2e cc0b3a38
+ after key add b03404f9 67597c4c
+ after S 152a2f03 52161e39
+ after M f7ee818b 7902f3eb
+
+ Round 15 input 897dd878 ab524674 e44cc995 095d6ad7
+ F-function F0 F1
+ input 897dd878 e44cc995
+ round key ed785cbd 9c077c13
+ after key add 640584c5 784bb586
+ after S 459d9e10 636b5a11
+ after M 4034defc 0228bdd4
+
+ Round 16 input eb669888 e44cc995 0b75d703 897dd878
+ F-function F0 F1
+ input eb669888 0b75d703
+ round key 04978d83 2ec058ba
+ after key add eff1150b 25b58fb9
+ after S 90e4ee38 e7691f3b
+ after M 4a678609 05b2b4a9
+
+ Round 17 input ae2b4f9c 0b75d703 8ccf6cd1 eb669888
+ F-function F0 F1
+ input ae2b4f9c 8ccf6cd1
+ round key 4bbd5f6a 31fe8de8
+ after key add e59610f6 bd31e139
+ after S f6a5286d b15d7589
+ after M 720df49d bad65e22
+
+ Round 18 input 7978239e 8ccf6cd1 51b0c6aa ae2b4f9c
+ F-function F0 F1
+ input 7978239e 51b0c6aa
+ round key b76da574 3a6fa8e7
+ after key add ce1586ea 6bdf6e4d
+ after S 919c117f 283aaa43
+ after M ef24fe56 08916103
+
+ Round 19 input 63eb9287 51b0c6aa a6ba2e9f 7978239e
+ F-function F0 F1
+ input 63eb9287 a6ba2e9f
+ round key 521213ce 4f1f59d8
+ after key add 31f98149 e9a57747
+ after S 5d03e265 3c8d7bda
+ after M b7464b63 e1d086a7
+
+
+
+
+Katagi & Moriai Informational [Page 26]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Round 20 input e6f68dc9 a6ba2e9f 98a8a539 63eb9287
+ F-function F0 F1
+ input e6f68dc9 98a8a539
+ round key c13624f6 ee91f6a4
+ after key add 27c0a93f 7639539d
+ after S 20b5938b 09893194
+ after M 3cae819e b603c454
+
+ Round 21 input 9a14af01 98a8a539 d5e856d3 e6f68dc9
+ F-function F0 F1
+ input 9a14af01 d5e856d3
+ round key 17f68fde f6c360a9
+ after key add 8de220df 232b367a
+ after S 6666bff2 b383a1bd
+ after M 7ae08a5d 662b2c4d
+
+ Round 22 input e2482f64 d5e856d3 80dda184 9a14af01
+ F-function F0 F1
+ input e2482f64 80dda184
+ round key 6288bc72 c0ad856b
+ after key add 80c09316 407024ef
+ after S cdb5f1e5 fbe99290
+ after M 3d9dac60 108259db
+
+ output e2482f64 e875fab3 80dda184 8a96f6da
+ final whitening key 77777777 77777777
+ after whitening e2482f64 9f028dc4 80dda184 fde181ad
+ ciphertext e2482f64 9f028dc4 80dda184 fde181ad
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Katagi & Moriai Informational [Page 27]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ 256-bit key:
+
+ key ffeeddcc bbaa9988 77665544 33221100
+ f0e0d0c0 b0a09080 70605040 30201000
+ plaintext 00010203 04050607 08090a0b 0c0d0e0f
+ ciphertext a1397814 289de80c 10da46d1 fa48b38a
+
+ LL 477e8f09 66ee5378 2cc2be04 bf55e28f
+ LR d6c10b89 4eeab575 84bd5663 cc933940
+
+ WK_{0,1,2,3} 0f0e0d0c 0b0a0908 07060504 03020100
+ RK_{0,1,2,3} 58f02029 15413cd0 1b0c41a4 e4bacd0f
+ RK_{4,5,6,7} 6c498393 8846231b 1fc716fc 7c81a45b
+ RK_{8,9,10,11} fa37c259 0e3da2ee aacf9abb 8ec0aad9
+ RK_{12,13,14,15} b05bd737 8de1f2d0 8ffee0f6 b70b47ea
+ RK_{16,17,18,19} 581b3e34 03263f89 2f7100cd 05cee171
+ RK_{20,21,22,23} b523d4e9 176d7c44 6d7ba5d7 f797b2f3
+ RK_{24,25,26,27} 25d80df2 a646bba2 6a3a95e1 3e3a47f0
+ RK_{28,29,30,31} b304eb20 44f8824e c7557cbc 47401e21
+ RK_{32,33,34,35} d71ff7e9 aca1fb0c 2deff35d 6ca3a830
+ RK_{36,37,38,39} 4dd7cfb7 ae71c9f6 4e911fef 90aa95de
+ RK_{40,41,42,43} 2c664a7a 8cb5cf6b 14c8de1e 43b9caef
+ RK_{44,45,46,47} 568c5a33 07ef7ddd 608dc860 ac9e50f8
+ RK_{48,49,50,51} c0c18358 4f53c80e 33e01cb9 80251e1c
+
+ plaintext 00010203 04050607 08090a0b 0c0d0e0f
+ initial whitening key 0f0e0d0c 0b0a0908
+ after whitening 00010203 0b0b0b0b 08090a0b 07070707
+
+ Round 1 input 00010203 0b0b0b0b 08090a0b 07070707
+ F-function F0 F1
+ input 00010203 08090a0b
+ round key 58f02029 15413cd0
+ after key add 58f1222a 1d4836db
+ after S 4ee41927 2c78a1ac
+ after M 2db2101b d87ee718
+
+ Round 2 input 26b91b10 08090a0b df79e01f 00010203
+ F-function F0 F1
+ input 26b91b10 df79e01f
+ round key 1b0c41a4 e4bacd0f
+ after key add 3db55ab4 3bc32d10
+ after S aa5afadb 0f1e1928
+ after M 317e029c c0cc96ba
+
+
+
+
+
+
+
+Katagi & Moriai Informational [Page 28]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Round 3 input 39770897 df79e01f c0cd94b9 26b91b10
+ F-function F0 F1
+ input 39770897 c0cd94b9
+ round key 6c498393 8846231b
+ after key add 553e8b04 488bb7a2
+ after S 5487484e d84876a0
+ after M c3a7ac1d 7ae05884
+
+ Round 4 input 1cde4c02 c0cd94b9 5c594394 39770897
+ F-function F0 F1
+ input 1cde4c02 5c594394
+ round key 1fc716fc 7c81a45b
+ after key add 03195afe 20d8e7cf
+ after S c607fa95 12f002c9
+ after M 5edee0ce 4cfb0e90
+
+ Round 5 input 9e137477 5c594394 758c0607 1cde4c02
+ F-function F0 F1
+ input 9e137477 758c0607
+ round key fa37c259 0e3da2ee
+ after key add 6424b62e 7bb1a4e9
+ after S 4592c8d2 46f3a044
+ after M adfd33ae 42450650
+
+ Round 6 input f1a4703a 758c0607 5e9b4a52 9e137477
+ F-function F0 F1
+ input f1a4703a 5e9b4a52
+ round key aacf9abb 8ec0aad9
+ after key add 5b6bea81 d05be08b
+ after S 22285e04 f822d448
+ after M 0fa52ed4 aa7a0a9c
+
+ Round 7 input 7a2928d3 5e9b4a52 34697eeb f1a4703a
+ F-function F0 F1
+ input 7a2928d3 34697eeb
+ round key b05bd737 8de1f2d0
+ after key add ca72ffe4 b9888c3b
+ after S 23ed8e68 172b59c0
+ after M 8b158630 334e2af2
+
+ Round 8 input d58ecc62 34697eeb c2ea5ac8 7a2928d3
+ F-function F0 F1
+ input d58ecc62 c2ea5ac8
+ round key 8ffee0f6 b70b47ea
+ after key add 5a702c94 75e11d22
+ after S facf9d64 586f2c19
+ after M 72c2027e a582d5f0
+
+
+
+
+Katagi & Moriai Informational [Page 29]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Round 9 input 46ab7c95 c2ea5ac8 dfabfd23 d58ecc62
+ F-function F0 F1
+ input 46ab7c95 dfabfd23
+ round key 581b3e34 03263f89
+ after key add 1eb042a1 dc8dc2aa
+ after S 177afd6a 57664735
+ after M 51d5740a 110287d7
+
+ Round 10 input 933f2ec2 dfabfd23 c48c4bb5 46ab7c95
+ F-function F0 F1
+ input 933f2ec2 c48c4bb5
+ round key 2f7100cd 05cee171
+ after key add bc4e2e0f c142aac4
+ after S e0434cd9 22fd2380
+ after M a768d32a b6ae4f2b
+
+ Round 11 input 78c32e09 c48c4bb5 f00533be 933f2ec2
+ F-function F0 F1
+ input 78c32e09 f00533be
+ round key b523d4e9 176d7c44
+ after key add cde0fae0 e7684ffa
+ after S 3fd410d4 02ef5310
+ after M 08bd9b01 2fdb3f65
+
+ Round 12 input cc31d0b4 f00533be bce411a7 78c32e09
+ F-function F0 F1
+ input cc31d0b4 bce411a7
+ round key 6d7ba5d7 f797b2f3
+ after key add a14a7563 4b73a354
+ after S 1b512562 c94a71eb
+ after M 7c2c762b 81ca0b59
+
+ Round 13 input 8c294595 bce411a7 f9092550 cc31d0b4
+ F-function F0 F1
+ input 8c294595 f9092550
+ round key 25d80df2 a646bba2
+ after key add a9f14867 5f4f9ef2
+ after S 93e47852 5c26cae5
+ after M 4a87c858 54bc68d5
+
+ Round 14 input f663d9ff f9092550 988db861 8c294595
+ F-function F0 F1
+ input f663d9ff 988db861
+ round key 6a3a95e1 3e3a47f0
+ after key add 9c594c1e a6b7ff91
+ after S 58ff39b0 054d1d75
+ after M d82301d4 085d5025
+
+
+
+
+Katagi & Moriai Informational [Page 30]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Round 15 input 212a2484 988db861 847415b0 f663d9ff
+ F-function F0 F1
+ input 212a2484 847415b0
+ round key b304eb20 44f8824e
+ after key add 922ecfa4 c08c97fe
+ after S 86d2c9a0 b5ff567d
+ after M dbf56073 87e2a6a2
+
+ Round 16 input 4378d812 847415b0 71817f5d 212a2484
+ F-function F0 F1
+ input 4378d812 71817f5d
+ round key c7557cbc 47401e21
+ after key add 842da4ae 36c1617c
+ after S 9e19b889 a10c5414
+ after M 6791a3e3 e177d3a8
+
+ Round 17 input e3e5b653 71817f5d c05df72c 4378d812
+ F-function F0 F1
+ input e3e5b653 c05df72c
+ round key d71ff7e9 aca1fb0c
+ after key add 34fa41ba 6cfc0c20
+ after S d4e1be2d 32bc13bf
+ after M 2743ef2d 6fec0aab
+
+ Round 18 input 56c29070 c05df72c 2c94d2b9 e3e5b653
+ F-function F0 F1
+ input 56c29070 2c94d2b9
+ round key 2deff35d 6ca3a830
+ after key add 7b2d632d 40377a89
+ after S 56193719 fb13c1b7
+ after M ee6316fa 5e3245b7
+
+ Round 19 input 2e3ee1d6 2c94d2b9 bdd7f3e4 56c29070
+ F-function F0 F1
+ input 2e3ee1d6 bdd7f3e4
+ round key 4dd7cfb7 ae71c9f6
+ after key add 63e92e61 13a63a12
+ after S 373c4c54 8fe6c54b
+ after M 87aab08e 8f8d16f3
+
+ Round 20 input ab3e6237 bdd7f3e4 d94f8683 2e3ee1d6
+ F-function F0 F1
+ input ab3e6237 d94f8683
+ round key 4e911fef 90aa95de
+ after key add e5af7dd8 49e5135d
+ after S f6ad88be 65f68f77
+ after M 0889df33 f418c84f
+
+
+
+
+Katagi & Moriai Informational [Page 31]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ Round 21 input b55e2cd7 d94f8683 da262999 ab3e6237
+ F-function F0 F1
+ input b55e2cd7 da262999
+ round key 2c664a7a 8cb5cf6b
+ after key add 993866ad 5693e6f2
+ after S 2c2b6cee 0df150e5
+ after M 8999e772 da5415d2
+
+ Round 22 input 50d661f1 da262999 716a77e5 b55e2cd7
+ F-function F0 F1
+ input 50d661f1 716a77e5
+ round key 14c8de1e 43b9caef
+ after key add 441ebfef 32d3bd0a
+ after S 12b052ac c7bbb182
+ after M f5efd89e 744a9ced
+
+ Round 23 input 2fc9f107 716a77e5 c114b03a 50d661f1
+ F-function F0 F1
+ input 2fc9f107 c114b03a
+ round key 568c5a33 07ef7ddd
+ after key add 7945ab34 c6fbcde7
+ after S a2a77e2a 4cd7e238
+ after M e84f6d9b ce67e20a
+
+ Round 24 input 99251a7e c114b03a 9eb183fb 2fc9f107
+ F-function F0 F1
+ input 99251a7e 9eb183fb
+ round key 608dc860 ac9e50f8
+ after key add f9a8d21e 322fd303
+ after S f84572b0 c7d8f1c6
+ after M 20634b77 591b3f55
+
+ Round 25 input e177fb4d 9eb183fb 76d2ce52 99251a7e
+ F-function F0 F1
+ input e177fb4d 76d2ce52
+ round key c0c18358 4f53c80e
+ after key add 21b67815 3981065c
+ after S a14dd39c c8e20aa5
+ after M 3f88fbef 89ff5caf
+
+ Round 26 input a1397814 76d2ce52 10da46d1 e177fb4d
+ F-function F0 F1
+ input a1397814 10da46d1
+ round key 33e01cb9 80251e1c
+ after key add 92d964ad 90ff58cd
+ after S 864445ee 9a8e803f
+ after M 5949235a 183d49c7
+
+
+
+
+Katagi & Moriai Informational [Page 32]
+
+RFC 6114 The 128-Bit Blockcipher CLEFIA March 2011
+
+
+ output a1397814 2f9bed08 10da46d1 f94ab28a
+ final whitening key 07060504 03020100
+ after whitening a1397814 289de80c 10da46d1 fa48b38a
+ ciphertext a1397814 289de80c 10da46d1 fa48b38a
+
+Authors' Addresses
+
+ Masanobu Katagi
+ System Technologies Laboratories
+ Sony Corporation
+ 5-1-12 Kitashinagawa Shinagawa-ku
+ Tokyo, 141-0001, Japan
+
+ EMail: Masanobu.Katagi@jp.sony.com
+
+
+ Shiho Moriai
+ System Technologies Laboratories
+ Sony Corporation
+ 5-1-12 Kitashinagawa Shinagawa-ku
+ Tokyo, 141-0001, Japan
+
+ Phone: +81-3-5448-3701
+ EMail: clefia-q@jp.sony.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Katagi & Moriai Informational [Page 33]
+
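Review bot: the known-answer data in Appendix A and Appendix B (the three key/plaintext/ciphertext triples, the RK_{...} round-key tables and the per-round "after key add / after S / after M" values) arrives here only as documentation, and the diffstat lists this one file, so nothing in the change exercises it. If the tree has or gains a CLEFIA implementation, add a known-answer self-test for all three key lengths against the Appendix A ciphertexts, and use the Appendix B round keys to tell a key-schedule fault from a round-function fault. Separately, the text is imported with the RFC's page footers and long blank-line runs intact (for example the run before "[Page 27]"), which is right for a byte-identical copy; in that case the commit message should name the source it was fetched from so the copy can be re-verified later.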