The 128-bit Blockcipher CLEFIA Algorithm Specification

The 128-bit Blockcipher CLEFIA
Algorithm Specification
Revision 1.0
June 1, 2007
Sony Corporation
NOTICE
THIS DOCUMENT IS PROVIDED ”AS IS,” WITH NO WARRANTIES
WHATSOVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY, NON-INFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE ARISING OUT OF ANY
PROPOSAL, SPECIFICATION OR SAMPLE.
Acknowledgments
Tetsu Iwata of Nagoya University has contributed to the development of
CLEFIA.
Contact
E-MAIL :
[email protected]
Postal Address :
Information Technologies Laboratories
Sony Corporation
1-7-1 Konan, Minato-ku, Tokyo 108-0075 Japan
Revision History
June 1, 2007
1.0 revision
c 2007 Sony Corporation
2
CONTENTS
Contents
1 Introduction
4
2 Notations
5
3 Definition of GFNd,r
3.1 F-functions . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.2 S-boxes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.3 Diffusion Matrices . . . . . . . . . . . . . . . . . . . . . . . .
6
7
7
11
4 Data Processing Part
12
4.1 Overall Structure . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.2 The Numbers of Rounds . . . . . . . . . . . . . . . . . . . . . 12
5 Key Scheduling Part
5.1 Overall Structure . .
5.2 Key Scheduling for a
5.3 Key Scheduling for a
5.4 Key Scheduling for a
5.5 Constant Values . .
. . . . . . .
128-bit Key
192-bit Key
256-bit Key
. . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
14
14
14
15
16
19
6 Test Vectors
26
6.1 Test Vectors (Intermediate Values) . . . . . . . . . . . . . . . 27
c 2007 Sony Corporation
3
1
1
INTRODUCTION
Introduction
This document describes the specification of the blockcipher CLEFIA. CLEFIA is a 128-bit blockcipher with its key length being 128, 192 and 256 bits,
which is compatible to AES. CLEFIA consists of two parts: a data processing part and a key scheduling part. CLEFIA employs a generalized Feistel
structure with four data lines, and the width of each data line is 32 bits.
Additionally, there are key whitening parts at the beginning and the end of
the cipher. The numbers of rounds of CLEFIA are 18, 22 and 26 for 128-bit,
192-bit and 256-bit keys, respectively.
c 2007 Sony Corporation
4
2
2
NOTATIONS
Notations
This section describes mathematical notations, conventions and symbols
used throughout this paper.
0x
: A prefix for a binary string in a hexadecimal form
a(b)
: b denotes the bit length of a
a|b or (a|b)
: Concatenation
(a, b) or (a b) : Vector style representation of a|b
a←b
: Updating a value of a by a value of b
ta
: Transposition of a vector or a matrix a
a⊕b
: Bitwise exclusive-OR. Addition in GF(2 n )
a·b
: Multiplication in GF(2n )
a
: Logical negation
a≪b
: b-bit left cyclic shift operation
wb (a)
: For an 8n-bit string a = a0 |a1 | . . . |an−1 , ai ∈ {0, 1}8 ,
wb (a) denotes the number of non-zero a i s.
c 2007 Sony Corporation
5
3
3
DEFINITION OF GFND,R
Definition of GFNd,r
We first define a function GFN d,r which is a fundamental structure for CLEFIA, followed by definitions of a data processing part and a key scheduling
part.
CLEFIA uses a 4-branch and an 8-branch generalized Feistel network.
We denote d-branch r-round generalized Feistel network employed in CLEFIA as GFNd,r . GFNd,r uses two different 32-bit F-functions F 0 and F1
whose input/output are defined as follows.
{0, 1}32 × {0, 1}32 → {0, 1}32
F0 , F 1 :
(RK(32) , x(32) ) 7→ y(32)
For d 32-bit input Xi and output Yi (0 ≤ i < d), and dr/2 32-bit round
keys RKi (0 ≤ i < dr/2), GFNd,r (d = 4, 8) are defined as follows.
GFN4,r :
{{0, 1}32 }2r × {{0, 1}32 }4 → {{0, 1}32 }4
(RK0(32) , . . . , RK2r−1(32) , X0(32) , . . . , X3(32) ) 7→ Y0(32) , . . . , Y3(32)
Step 1. T0 | T1 | T2 | T3 ← X0 | X1 | X2 | X3
Step 2. For i = 0 to r − 1 do the following:
Step 2.1 T1 ← T1 ⊕ F0 (RK2i , T0 ),
T3 ← T3 ⊕ F1 (RK2i+1 , T2 )
Step 2.2 T0 | T1 | T2 | T3 ← T1 | T2 | T3 | T0
Step 3. Y0 | Y1 | Y2 | Y3 ← T3 | T0 | T1 | T2
GFN8,r :
{{0, 1}32 }4r × {{0, 1}32 }8 → {{0, 1}32 }8
(RK0(32) , . . . , RK4r−1(32) , X0(32) , . . . , X7(32) ) 7→ Y0(32) , . . . , Y7(32)
Step 1. T0 | T1 | . . . | T7 ← X0 | X1 | . . . | X7
Step 2. For i = 0 to r − 1 do the following:
Step 2.1 T1 ← T1 ⊕ F0 (RK4i , T0 ),
T3 ← T3 ⊕ F1 (RK4i+1 , T2 ),
T5 ← T5 ⊕ F0 (RK4i+2 , T4 ),
T7 ← T7 ⊕ F1 (RK4i+3 , T6 )
Step 2.2 T0 | T1 | . . . | T6 | T7 ← T1 | T2 | . . . | T7 | T0
Step 3. Y0 | Y1 | . . . | Y6 | Y7 ← T7 | T0 | . . . | T5 | T6
The inverse function GFN−1
4,r is obtained by changing the order of RK i
and the direction of word rotation at Step 2.2 and Step 3.
GFN−1
4,r
:
{{0, 1}32 }2r × {{0, 1}32 }4 → {{0, 1}32 }4
(RK0(32) , . . . , RK2r−1(32) , X0(32) , . . . , X3(32) ) 7→ Y0(32) , . . . , Y3(32)
c 2007 Sony Corporation
6
3
DEFINITION OF GFND,R
Step 1. T0 | T1 | T2 | T3 ← X0 | X1 | X2 | X3
Step 2. For i = 0 to r − 1 do the following:
Step 2.1 T1 ← T1 ⊕ F0 (RK2(r−i)−2 , T0 ),
T3 ← T3 ⊕ F1 (RK2(r−i)−1 , T2 )
Step 2.2 T0 | T1 | T2 | T3 ← T3 | T0 | T1 | T2
Step 3. Y0 | Y1 | Y2 | Y3 ← T1 | T2 | T3 | T0
3.1
F-functions
Two F-functions F0 and F1 used by GFNd,r are defined as follows:
F0 : (RK(32) , x(32) ) 7→ y(32)
Step 1. T ← RK ⊕ x
Step 2. Let T = T0 | T1 | T2 | T3 , Ti ∈ {0, 1}8
T0 ← S0 (T0 ),
T1 ← S1 (T1 ),
T2 ← S0 (T2 ),
T3 ← S1 (T3 )
Step 3. Let y = y0 | y1 | y2 | y3 , yi ∈ {0, 1}8
t (y , y , y , y ) = M t (T , T , T , T )
0 1 2 3
0
0 1 2 3
F1 : (RK(32) , x(32) ) 7→ y(32)
Step 1. T ← RK ⊕ x
Step 2. Let T = T0 | T1 | T2 | T3 , Ti ∈ {0, 1}8
T0 ← S1 (T0 ),
T1 ← S0 (T1 ),
T2 ← S1 (T2 ),
T3 ← S0 (T3 )
Step 3. Let y = y0 | y1 | y2 | y3 , yi ∈ {0, 1}8
t (y , y , y , y ) = M t (T , T , T , T )
0 1 2 3
1
0 1 2 3
S0 and S1 are nonlinear 8-bit S-boxes, and M0 and M1 are 4×4 matrices
defined later in this section. In each F-function, two S-boxes are used in the
different order, and different matrix is used. Figure 1 shows the construction
of the F-functions.
3.2
S-boxes
CLEFIA employs two different types of 8-bit S-boxes: one is based on four
4-bit random S-boxes, and the other is based on the inverse function over
GF(28 ).
Tables 1 and 2 show the output values of S 0 and S1 , respectively. In these
tables all values are expressed in a hexadecimal form. For an 8-bit input
c 2007 Sony Corporation
7
3
DEFINITION OF GFND,R
k0 k 1 k 2 k 3
8/ 8/ 8/ 8/
8
y0
8
y1
S0
8
y2
S1
8
y3
8
y0
8
y1
y2
y3
x0
8
S0
x1
8
S1
/
/
x2
8
x3
8
/
M0
/
/
/
/
/
F0
k0 k1 k2 k3
8/ 8/ 8/ 8/
x0
8
S1
x1
8
S0
/
/
/
M1
/
x2
8
S1
8
x3
8
S0
8
/
/
/
/
F1
Figure 1: F-functions
of an S-box, the upper 4-bit indicates a row and the lower 4-bit indicates a
column. For example, if a value 0xab is input, 0x7e is output by S 0 because
it is on the cross line of the row indexed by ’a.’ and the column indexed by
’.b’.
3.2.1
S0
S0 is generated by combining four 4-bit S-boxes SS 0 , SS1 , SS2 and SS3 in
the following way. The values of these S-boxes are defined as Table 3.
{0, 1}8 → {0, 1}8
S0 :
x(8) 7→ y(8)
Step 1. t0 ← SS0 (x0 ), t1 ← SS1 (x1 ), where x = x0 |x1 , xi ∈ {0, 1}4
Step 2. u0 ← t0 ⊕ 0x2 · t1 , u1 ← 0x2 · t0 ⊕ t1
Step 3. y0 ← SS2 (u0 ), y1 ← SS3 (u1 ), where y = y0 |y1 , yi ∈ {0, 1}4
The multiplication in 0x2 · ti is performed in GF(24 ) defined by the
lexicographically first primitive polynomial z 4 + z + 1. Figure 2 shows the
construction of S0 .
c 2007 Sony Corporation
8
3
DEFINITION OF GFND,R
Table 1: S0
0.
1.
2.
3.
4.
5.
6.
7.
8.
9.
a.
b.
c.
d.
e.
f.
.0
57
28
bf
42
a4
30
d6
e9
cd
03
fc
15
7b
6e
81
9a
.1
49
d0
a1
5d
be
98
2a
c7
e2
75
1b
f3
0c
84
6f
36
.2
d1
4b
19
2e
fd
cc
53
9f
34
86
a0
ba
68
72
07
e5
.3
c6
92
65
e8
8c
dd
37
4a
50
f1
04
7f
1e
bb
a3
29
.4
2f
5c
f7
d4
12
eb
45
31
9e
6a
b8
a6
80
0d
79
c3
.5
33
ee
7a
9b
00
54
c1
25
dc
a7
8d
69
b2
18
f6
4f
0.
1.
2.
3.
4.
5.
6.
7.
8.
9.
a.
b.
c.
d.
e.
f.
.0
6c
bf
12
91
fb
25
6e
cf
55
9a
7e
7a
b5
f8
d4
f7
.1
da
74
eb
11
f5
5d
54
ea
04
37
6a
4b
22
5f
75
e4
.2
c3
94
cd
c7
de
9b
15
ed
c4
06
b6
c2
47
ab
66
79
.3
e9
8f
b3
3f
20
31
62
78
86
24
71
2f
3a
f1
bb
96
.4
4e
b7
92
2a
c6
e8
f6
33
39
64
a0
db
d5
1b
68
a2
.5
9d
9c
e7
8e
a7
3e
35
58
77
7c
70
5a
10
42
9f
fc
x
SS0 (x)
SS1 (x)
SS2 (x)
SS3 (x)
0
e
6
b
a
1
6
4
8
2
.6
74
85
32
0f
97
b3
6c
fe
11
40
e6
c8
5a
d9
2d
ab
.7
fb
b1
20
13
da
8f
ae
7c
05
c2
59
4d
e7
96
38
64
.8
95
c4
06
3c
78
4e
ef
d3
2b
b9
62
87
ad
f0
1a
51
.9
6d
0a
ce
89
e1
16
70
a2
b7
2c
93
3b
d5
5f
44
f8
.a
82
76
e4
67
cf
fa
08
bd
a9
db
35
9c
23
41
5e
10
.b
ea
3d
83
c0
6b
22
99
56
48
1f
7e
01
f4
ac
b5
d7
.c
0e
63
9d
71
39
a5
8b
14
ff
58
ca
e0
46
27
d2
bc
.d
b0
f9
5b
aa
43
77
1d
88
66
94
21
de
3f
c5
ec
02
.e
a8
17
4c
b6
55
09
f2
60
8a
3e
df
24
91
e3
cb
7d
.f
1c
af
d8
f5
26
61
b4
0b
73
ed
47
52
c9
3a
90
8e
.9
36
07
21
c8
65
ff
16
c0
18
08
8c
17
00
44
3c
03
.a
b4
49
27
c5
51
69
d3
c1
90
85
23
2d
f9
29
7f
e1
.b
38
4f
3b
0f
c9
8a
28
46
97
d0
1c
f4
e0
a6
8d
2e
.c
13
98
e6
5b
a4
ba
32
1e
59
61
f0
cb
fd
57
1a
7d
.d
34
2c
19
f3
ef
0b
fa
df
dd
26
ee
b1
e2
b9
88
14
.e
0c
b0
d2
87
43
73
aa
a9
83
ca
89
4a
fe
af
bd
95
.f
d9
93
0e
8b
53
5c
5e
99
1f
6f
ad
a8
ae
f2
ac
1d
d
9
7
0
f
e
d
5
d
c
Table 2: S1
.6
0a
e5
41
a1
84
0d
30
09
82
a5
05
4d
4c
81
50
6d
.7
3d
dc
60
bc
ce
d7
52
7b
ec
56
d1
76
72
d6
02
b2
.8
b8
9e
e3
2b
d8
80
a3
63
40
48
45
67
cc
be
01
6b
Table 3: Tables of SSi (0 ≤ i < 4)
2
c
0
5
6
3
a
d
e
d
4
8
2
a
3
5
7
b
6
4
6
2
a
4
5
7
f
3
c
e
8
b
9
f
0
9
1
c
7
7
a
4
e
2
8
c 2007 Sony Corporation
b
0
f
3
9
c
5
8
1
b
f
3
1
9
1
9
3
4
x0
/
SS0
SS2
DEFINITION OF GFND,R
4
y0
4
y1
/
×2
×2
4
x1
/
SS1
SS3
/
Figure 2: S0
3.2.2
S1
S1 is defined as follows:
S1 :
y=
{0, 1}8 → {0, 1}8
x(8) 7→ y(8)
g(f (x)−1 ) if f (x) 6= 0
.
g(0)
if f (x) = 0
The inverse function is performed in GF(2 8 ) defined by a primitive polynomial z 8 + z 4 + z 3 + z 2 + 1. f (·) and g(·) are affine transformations over
GF(2), which are defined as follows.
{0, 1}8 → {0, 1}8
f:
x(8) 7→ y(8)












y0
y1
y2
y3
y4
y5
y6
y7


 
 
 
 
 
=
 
 
 
 
 
0
0
0
0
0
0
0
1
0
1
0
0
1
1
1
0
0
0
0
0
1
0
1
0
g:
1
1
0
0
0
1
0
0
1
0
0
0
0
1
0
0
0
0
0
1
1
1
0
0
0
0
0
1
0
0
0
0
0
1
1
0
1
0
0
1












x0
x1
x2
x3
x4
x5
x6
x7


 
 
 
 
 
+
 
 
 
 
 
0
0
0
1
1
1
1
0












{0, 1}8 → {0, 1}8
x(8) 7→ y(8)
c 2007 Sony Corporation
10
3












y0
y1
y2
y3
y4
y5
y6
y7


 
 
 
 
 
=
 
 
 
 
 
0
0
0
0
0
0
1
0
0
1
1
0
0
0
0
1
0
0
0
1
1
0
0
0
0
0
1
0
1
0
1
0
1
0
1
0
0
0
0
0
0
0
0
0
0
0
0
1
1
0
0
0
0
1
0
0
DEFINITION OF GFND,R
0
1
0
0
0
0
0
0












x0
x1
x2
x3
x4
x5
x6
x7


 
 
 
 
 
+
 
 
 
 
 
0
1
1
0
1
0
0
1












Here, x = x0 |x1 |x2 |x3 |x4 |x5 |x6 |x7 and y = y0 |y1 |y2 |y3 |y4 |y5 |y6 |y7 , xi , yi ∈
{0, 1}. The constants in f and g can be represented as 0x1e and 0x69,
respectively.
3.3
Diffusion Matrices
Two matrices M0 and M1 are defined as follows.

0x01
 0x02
M0 = 
 0x04
0x06
0x02
0x01
0x06
0x04
0x04
0x06
0x01
0x02

0x06
0x04 
,
0x02 
0x01

0x01
 0x08
M1 = 
 0x02
0x0a
0x08
0x01
0x0a
0x02
0x02
0x0a
0x01
0x08

0x0a
0x02 
 .
0x08 
0x01
The multiplications of a matrix and a vector are performed in GF(2 8 )
defined by the lexicographically first primitive polynomial z 8 +z 4 +z 3 +z 2 +1.
c 2007 Sony Corporation
11
4
4
DATA PROCESSING PART
Data Processing Part
4.1
Overall Structure
The data processing part of CLEFIA consists of ENC r for encryption and
DECr for decryption. ENCr and DECr are based on the 4-branch generalized Feistel structure GFN4,r . Let P, C ∈ {0, 1}128 be a plaintext and
a ciphertext, and let Pi , Ci ∈ {0, 1}32 (0 ≤ i < 4) be divided plaintext
and ciphertext where P = P0 |P1 |P2 |P3 and C = C0 |C1 |C2 |C3 , and let
WK0 , WK1 , WK2 , WK3 ∈ {0, 1}32 be whitening keys and RKi ∈ {0, 1}32
(0 ≤ i < 2r) be round keys provided by the key scheduling part. Then,
r-round encryption function ENCr is defined as follows:

 {{0, 1}32 }4 × {{0, 1}32 }2r × {{0, 1}32 }4 → {{0, 1}32 }4
(WK0(32) , . . . , WK3(32) , RK0(32) , . . . , RK2r−1(32) , P0(32) , . . . , P3(32) )
ENCr :

7→ C0(32) , . . . , C3(32)
Step 1. T0 | T1 | T2 | T3 ← P0 | (P1 ⊕ WK0 ) | P2 | (P3 ⊕ WK1 )
Step 2. T0 | T1 | T2 | T3 ← GFN4,r (RK0 , . . . , RK2r−1 , T0 , T1 , T2 , T3 )
Step 3. C0 | C1 | C2 | C3 ← T0 | (T1 ⊕ WK2 ) | T2 | (T3 ⊕ WK3 )
The decryption function DECr is defined as follows:

 {{0, 1}32 }4 × {{0, 1}32 }2r × {{0, 1}32 }4 → {{0, 1}32 }4
(WK0(32) , . . . , WK3(32) , RK0(32) , . . . , RK2r−1(32) , C0(32) , . . . , C3(32) )
DECr :

7→ P0(32) , . . . , P3(32)
Step 1. T0 | T1 | T2 | T3 ← C0 | (C1 ⊕ WK2 ) | C2 | (C3 ⊕ WK3 )
Step 2. T0 | T1 | T2 | T3 ← GFN−1
4,r (RK0 , . . . , RK2r−1 , T0 , T1 , T2 , T3 )
Step 3. C0 | C1 | C2 | C3 ← T0 | (T1 ⊕ WK0 ) | T2 | (T3 ⊕ WK1 )
Figure 3 illustrates both of ENCr and DECr .
4.2
The Numbers of Rounds
The number of rounds, r, is 18, 22 and 26 for 128-bit, 192-bit and 256-bit
keys, respectively. The total number of RK i depends on the key length. The
data processing part requires 36, 44 and 52 round keys for 128-bit, 192-bit
and 256-bit keys, respectively.
c 2007 Sony Corporation
12
4
P0
P1
P2
P3
32/
32/
32/
32/
RK0
WK0
RK1
DATA PROCESSING PART
C0
C1
32/
32/
WK1
RK2r−2
C2
C3
32/
32/
WK2 RK2r−1
F0
F1
F0
F1
RK2
RK3
RK2r−4
RK2r−3
F0
F1
F0
F1
RK4
RK5
RK2r−6
RK2r−5
F0
F1
F0
F1
..
.
. RK2r−6 ..
..
.
. RK2r−5 ..
F0
F1
F0
F1
RK2r−4
RK2r−3
RK2
RK3
F0
F1
F0
F1
RK2r−2
RK2r−1
RK0
RK1
F0
F1
F0
F1
WK2
32/
C0
32/
32/
C1
C2
..
. RK4
..
.
WK3
32/
C3
..
. RK5
WK3
..
.
WK0
32/
P0
32/
P1
ENCr
WK1
32/
P2
32/
P3
DECr
Figure 3: Structures of Data Processing Part
c 2007 Sony Corporation
13
5
5
KEY SCHEDULING PART
Key Scheduling Part
The key scheduling part of CLEFIA supports 128, 192 and 256-bit keys and
outputs whitening keys WKi (0 ≤ i < 4) and round keys RKj (0 ≤ j < 2r)
for the data processing part. We first define the DoubleSwap function which
is used in the key scheduling part.
Definition 1 The DoubleSwap Function Σ
The DoubleSwap function Σ : {0, 1}128 → {0, 1}128 is defined as follows:
X(128) 7→ Y(128)
Y = X[7 − 63] | X[121 − 127] | X[0 − 6] | X[64 − 120] ,
where X[a − b] denotes a bit string cut from the a-th bit to the b-th bit of X.
0-th bit is the most significant bit.
The DoubleSwap function is illustrated in Fig 4.
128 bits
7
57
57
7
57
7 7
57
Figure 4: DoubleSwap Function Σ
5.1
Overall Structure
The key scheduling part of CLEFIA provides whitening keys and round keys
for the data processing part. Let K be the key and L be an intermediate
key, and the key scheduling part consists of the following two steps.
1. Generating L from K.
2. Expanding K and L (Generating WKi and RKj ).
To generate L from K, the key schedule for a 128-bit key uses a 128-bit
permutation GFN4,12 , while the key schedules for 192/256-bit keys use a
256-bit permutation GFN 8,10 .
5.2
Key Scheduling for a 128-bit Key
The 128-bit intermediate key L is generated by applying GFN 4,12 which
(128)
takes twenty-four 32-bit constant values CONi
(0 ≤ i < 24) as round
c 2007 Sony Corporation
14
5
KEY SCHEDULING PART
keys and K = K0 |K1 |K2 |K3 as an input. Then K and L are used to
generate WKi (0 ≤ i < 4) and RKj (0 ≤ j < 36) in the following steps. In
(128)
the latter part, thirty-six 32-bit constant values CON i
(24 ≤ i < 60) are
(128)
used. The generation steps of CONi
are explained in Sect 5.5.
(Generating L from K)
(128)
(128)
Step 1. L ← GFN4,12 (CON0 , . . . , CON23 , K0 , . . . , K3 )
(Expanding K and L)
Step 2. WK0 |WK1 |WK2 |WK3 ← K
Step 3. For i = 0 to 8 do the following:
(128)
(128)
(128)
(128)
T ← L ⊕ (CON24+4i | CON24+4i+1 | CON24+4i+2 | CON24+4i+3 )
L ← Σ(L)
if i is odd: T ← T ⊕ K
RK4i |RK4i+1 |RK4i+2 |RK4i+3 ← T
Figure 5 shows the relationship between generated round keys and related data.
WK0 WK1 WK2 WK3 ←K
(128)
(128)
(128)
(128)
RK0 RK1 RK2 RK3 ←L
⊕
(CON24 |CON25 |CON26 |CON27 )
(128)
(128)
(128)
(128)
RK4 RK5 RK6 RK7 ←Σ(L) ⊕K⊕(CON28 |CON29 |CON30 |CON31 )
(128)
(128)
(128)
(128)
RK8 RK9 RK10 RK11 ←Σ2 (L)⊕
(CON32 |CON33 |CON34 |CON35 )
(128)
(128)
(128)
(128)
RK12 RK13 RK14 RK15 ←Σ3 (L)⊕K⊕(CON36 |CON37 |CON38 |CON39 )
(128)
(128)
(128)
(128)
RK16 RK17 RK18 RK19 ←Σ4 (L)⊕
(CON40 |CON41 |CON42 |CON43 )
(128)
(128)
(128)
(128)
RK20 RK21 RK22 RK23 ←Σ5 (L)⊕K⊕(CON44 |CON45 |CON46 |CON47 )
(128)
(128)
(128)
(128)
RK24 RK25 RK26 RK27 ←Σ6 (L)⊕
(CON48 |CON49 |CON50 |CON51 )
(128)
(128)
(128)
(128)
RK28 RK29 RK30 RK31 ←Σ7 (L)⊕K⊕(CON52 |CON53 |CON54 |CON55 )
(128)
(128)
(128)
(128)
RK32 RK33 RK34 RK35 ←Σ8 (L)⊕
(CON56 |CON57 |CON58 |CON59 )
Figure 5: Expanding K and L (128-bit key)
5.3
Key Scheduling for a 192-bit Key
Two 128-bit values KL , KR are generated from a 192-bit key K = K 0 |K1 |K2
|K3 |K4 |K5 , Ki ∈ {0, 1}32 . Then two 128-bit values LL , LR are generated
(192)
by applying GFN8,10 which takes CONi
(0 ≤ i < 40) as round keys and
KL |KR as a 256-bit input. Figure 6 shows the construction of GFN 8,10 .
Then KL , KR and LL , LR are used to generate WKi (0 ≤ i < 4) and
RKj (0 ≤ j < 44) in the following steps. In the latter part, forty-four 32-bit
(192)
constant values CONi
(40 ≤ i < 84) are used.
The following steps show the 192-bit/256-bit key scheduling. For the 192-bit
key scheduling, the value of k is set as 192.
c 2007 Sony Corporation
15
5
KEY SCHEDULING PART
(Generating LL , LR from KL , KR for a k-bit key)
Step 1. Set k = 192 or k = 256
Step 2. If k = 192
: KL ← K0 |K1 |K2 |K3 , KR ← K4 |K5 |K0 |K1
else if k = 256 : KL ← K0 |K1 |K2 |K3 , KR ← K4 |K5 |K6 |K7
Step 3. Let KL = KL0 |KL1 |KL2 |KL3 , KR = KR0 |KR1 |KR2 |KR3
LL |LR ←
(k)
(k)
GFN8,10 (CON0 , . . . , CON39 , KL0 , . . . , KL3 , KR0 , . . . , KR3 )
(Expanding KL , KR and LL , LR for a k-bit key)
Step 4. WK0 |WK1 |WK2 |WK3 ← KL ⊕ KR
Step 5. For i = 0 to 10 (if k = 192), or 12 (if k = 256) do the following:
If (i mod 4) = 0 or 1:
(k)
(k)
(k)
(k)
T ← LL ⊕ (CON40+4i | CON40+4i+1 | CON40+4i+2 | CON40+4i+3 )
LL ← Σ(LL )
if i is odd: T ← T ⊕ KR
else:
(k)
(k)
(k)
(k)
T ← LR ⊕ (CON40+4i | CON40+4i+1 | CON40+4i+2 | CON40+4i+3 )
LR ← Σ(LR )
if i is odd: T ← T ⊕ KL
RK4i |RK4i+1 |RK4i+2 |RK4i+3 ← T
Figure 7 shows the relationship between generated round keys and related data.
5.4
Key Scheduling for a 256-bit Key
The key scheduling for a 256-bit key is almost the same as that for 192-bit
key, except for constant values, required number of RK i , and initialization
of KR .
For a 256-bit key, the value of k is set as 256, and the steps are almost
(256)
the same as in the 192-bit key case. The difference is that we use CON i
(0 ≤ i < 40) as round keys to generate L L and LR , and then to generate
(256)
RKj (0 ≤ j < 52), we use fifty-two 32-bit constant values CON i
(40 ≤
i < 92).
Figure 8 shows the relationship between generated round keys and related data.
c 2007 Sony Corporation
16
5
KEY SCHEDULING PART
KL0
KL1
KL2
KL3
KR0
KR1
KR2
KR3
32/
32/
32/
32/
32/
32/
32/
32/
(k)
CON0
(k)
CON1
(k)
CON2
(k)
CON3
F0
F1
F0
F1
(k)
(k)
(k)
(k)
CON4
CON5
CON6
CON7
F0
F1
F0
F1
(k)
CON9
F0
F1
..
.
(k)
(k)
CON8
..
.
(k)
CON28
..
.
(k)
CON29
(k)
..
.
(k)
CON30
(k)
(k)
(k)
CON31
(k)
(k)
CON35
F0
(k)
CON37
F0
..
.
F1
CON34
F1
CON36
..
.
F0
CON33
F0
F1
..
.
F1
CON32
CON11
F0
..
.
F0
(k)
CON10
F1
(k)
CON38
F1
(k)
CON39
F0
F1
32/
32/
32/
32/
32/
32/
32/
32/
LL0
LL1
LL2
LL3
LR0
LR1
LR2
LR3
Figure 6: Structure of GFN8,10
c 2007 Sony Corporation
17
5
KEY SCHEDULING PART
WK0 WK1 WK2 WK3 ←KL
⊕KR
(192)
(192)
(192)
(192)
RK0 RK1 RK2 RK3 ←LL
⊕
(CON40 |CON41 |CON42 |CON43 )
(192)
(192)
(192)
(192)
RK4 RK5 RK6 RK7 ←Σ(LL ) ⊕KR ⊕(CON44 |CON45 |CON46 |CON47 )
(192)
(192)
(192)
(192)
RK8 RK9 RK10 RK11 ←LR
⊕
(CON48 |CON49 |CON50 |CON51 )
(192)
(192)
(192)
(192)
RK12 RK13 RK14 RK15 ←Σ(LR ) ⊕KL ⊕(CON52 |CON53 |CON54 |CON55 )
(192)
(192)
(192)
(192)
RK16 RK17 RK18 RK19 ←Σ2 (LL )⊕
(CON56 |CON57 |CON58 |CON59 )
(192)
(192)
(192)
(192)
RK20 RK21 RK22 RK23 ←Σ3 (LL )⊕KR ⊕(CON60 |CON61 |CON62 |CON63 )
(192)
(192)
(192)
(192)
RK24 RK25 RK26 RK27 ←Σ2 (LR )⊕
(CON64 |CON65 |CON66 |CON67 )
(192)
(192)
(192)
(192)
RK28 RK29 RK30 RK31 ←Σ3 (LR )⊕KL ⊕(CON68 |CON69 |CON70 |CON71 )
(192)
(192)
(192)
(192)
RK32 RK33 RK34 RK35 ←Σ4 (LL )⊕
(CON72 |CON73 |CON74 |CON75 )
(192)
(192)
(192)
(192)
RK36 RK37 RK38 RK39 ←Σ5 (LL )⊕KR ⊕(CON76 |CON77 |CON78 |CON79 )
(192)
(192)
(192)
(192)
RK40 RK41 RK42 RK43 ←Σ4 (LR )⊕
(CON80 |CON81 |CON82 |CON83 )
Figure 7: Expanding KL , KR , LL and LR (192-bit key)
WK0 WK1 WK2 WK3 ←KL
⊕KR
(256)
(256)
(256)
(256)
RK0 RK1 RK2 RK3 ←LL
⊕
(CON40 |CON41 |CON42 |CON43 )
(256)
(256)
(256)
(256)
RK4 RK5 RK6 RK7 ←Σ(LL ) ⊕KR ⊕(CON44 |CON45 |CON46 |CON47 )
(256)
(256)
(256)
(256)
RK8 RK9 RK10 RK11 ←LR
⊕
(CON48 |CON49 |CON50 |CON51 )
(256)
(256)
(256)
(256)
RK12 RK13 RK14 RK15 ←Σ(LR ) ⊕KL ⊕(CON52 |CON53 |CON54 |CON55 )
(256)
(256)
(256)
(256)
RK16 RK17 RK18 RK19 ←Σ2 (LL )⊕
(CON56 |CON57 |CON58 |CON59 )
(256)
(256)
(256)
(256)
RK20 RK21 RK22 RK23 ←Σ3 (LL )⊕KR ⊕(CON60 |CON61 |CON62 |CON63 )
(256)
(256)
(256)
(256)
2
RK24 RK25 RK26 RK27 ←Σ (LR )⊕
(CON64 |CON65 |CON66 |CON67 )
(256)
(256)
(256)
(256)
RK28 RK29 RK30 RK31 ←Σ3 (LR )⊕KL ⊕(CON68 |CON69 |CON70 |CON71 )
(256)
(256)
(256)
(256)
RK32 RK33 RK34 RK35 ←Σ4 (LL )⊕
(CON72 |CON73 |CON74 |CON75 )
(256)
(256)
(256)
(256)
RK36 RK37 RK38 RK39 ←Σ5 (LL )⊕KR ⊕(CON76 |CON77 |CON78 |CON79 )
(256)
(256)
(256)
(256)
RK40 RK41 RK42 RK43 ←Σ4 (LR )⊕
(CON80 |CON81 |CON82 |CON83 )
(256)
(256)
(256)
(256)
RK44 RK45 RK46 RK47 ←Σ5 (LR )⊕KL ⊕(CON84 |CON85 |CON86 |CON87 )
(256)
(256)
(256)
(256)
RK48 RK49 RK50 RK51 ←Σ6 (LL )⊕
(CON88 |CON89 |CON90 |CON91 )
Figure 8: Expanding KL , KR , LL and LR (256-bit key)
c 2007 Sony Corporation
18
5
5.5
KEY SCHEDULING PART
Constant Values
(k)
32-bit constant values CONi are used in the key scheduling algorithm. We
need 60, 84 and 92 constant values for 128, 192 and 256-bit keys, respectively.
Let P(16) = 0xb7e1 (= (e−2)·216 ) and Q(16) = 0x243f (= (π−3)·216 ), where
e is the base of the natural logarithm (2.71828...) and π is the circle ratio
(k)
(3.14159...). CONi , for k = 128, 192, 256, are generated by the following
way (See Table 4 for the repetition numbers l (k) and the initial values IV (k) ).
Step 1. T0 ← IV (k)
Step 2. For i = 0 to l (k) − 1 do the following:
(k)
Step 2.1. CON2i ← (Ti ⊕ P) | (Ti <<< 1)
(k)
Step 2.2. CON2i+1 ← (Ti ⊕ Q) | (Ti <<< 8)
Step 2.3. Ti+1 ← Ti · 0x0002−1
In Step 2.3, the multiplications are performed in the field GF(2 16 ) defined
by a primitive polynomial z 16 + z 15 + z 13 + z 11 + z 5 + z 4 + 1 (=0x1a831)5.
Table 4: Required Numbers of Constant Values
k
128
192
256
(k)
# of CONi
60
84
92
l(k)
30
42
46
IV (k)
0x428a
0x7137
0xb5c0
√
3
(= ( √
2 − 1) · 216 )
3
(= ( √3 − 1) · 216 )
(= ( 3 5 − 1) · 216 )
Tables 5-7 show the values of Ti , and Tables 8-12 show the values of
(k)
CONi .
√
The lower 16-bit value is defined as 0xa831=( 3 101 − 4) · 216 . ‘101’ is the smallest
prime number satisfying the primitive polynomial condition in this form.
5
c 2007 Sony Corporation
19
5
KEY SCHEDULING PART
(128)
Table 5: Ti
i
(128)
Ti
i
(128)
Ti
i
(128)
Ti
i
(128)
Ti
0
428a
8
5159
16
87aa
24
649a
1
2145
9
fcb4
17
43d5
25
324d
2
c4ba
10
7e5a
18
f5f2
26
cd3e
3
625d
11
3f2d
19
7af9
27
669f
4
e536
12
cb8e
20
e964
28
e757
5
729b
13
65c7
21
74b2
29
a7b3
6
ed55
14
e6fb
22
3a59
7
a2b2
15
a765
23
c934
5
214d
13
25ed
21
c4f7
29
5b96
37
2a2e
6
c4be
14
c6ee
22
b663
30
2dcb
38
1517
7
625f
15
6377
23
8f29
31
c2fd
39
de93
(192)
Table 6: Ti
i
(192)
Ti
i
(192)
Ti
i
(192)
Ti
i
(192)
Ti
i
(192)
Ti
i
(192)
Ti
0
7137
8
e537
16
e5a3
24
938c
32
b566
40
bb51
1
ec83
9
a683
17
a6c9
25
49c6
33
5ab3
41
89b0
2
a259
10
8759
18
877c
26
24e3
34
f941
3
8534
11
97b4
19
43be
27
c669
35
a8b8
4
429a
12
4bda
20
21df
28
b72c
36
545c
c 2007 Sony Corporation
20
5
KEY SCHEDULING PART
(256)
Table 7: Ti
i
(256)
Ti
i
(256)
Ti
i
(256)
Ti
i
(256)
Ti
i
(256)
Ti
i
(256)
Ti
0
b5c0
8
bea1
16
cf8d
24
9b17
32
d0db
40
0f69
1
5ae0
9
8b48
17
b3de
25
9993
33
bc75
41
d3ac
2
2d70
10
45a4
18
59ef
26
98d1
34
8a22
42
69d6
3
16b8
11
22d2
19
f8ef
27
9870
35
4511
43
34eb
4
0b5c
12
1169
20
a86f
28
4c38
36
f690
44
ce6d
5
05ae
13
dcac
21
802f
29
261c
37
7b48
45
b32e
c 2007 Sony Corporation
6
02d7
14
6e56
22
940f
30
130e
38
3da4
7
d573
15
372b
23
9e1f
31
0987
39
1ed2
21
5
(128)
(0 ≤ i < 60)
1
994a8a42
5
1f7abac4
9
3ef636e5
13
369555ed
17
8a995951
21
a59a5a7e
25
104e8ecb
29
3d3bfbe6
33
5c6aaa87
37
2e32f2f5
41
32a464e9
45
e199593a
49
bf5a9a64
53
16fe3ecd
57
3c9757e7
2
96a4bd75
6
d5bc3b45
10
c57a1ac9
14
1553ba9a
18
4b550696
22
88cc81a5
26
d2263471
30
1084b134
34
f4347855
38
cd180a0d
42
c353169b
46
7ed56d96
50
85ac9b65
54
d17e32c1
58
1052b098
Table 8: CONi
i
(128)
CONi
i
(128)
CONi
i
(128)
CONi
i
(128)
CONi
i
(128)
CONi
i
(128)
CONi
i
(128)
CONi
i
(128)
CONi
i
(128)
CONi
i
(128)
CONi
i
(128)
CONi
i
(128)
CONi
i
(128)
CONi
i
(128)
CONi
i
(128)
CONi
0
f56b7aeb
4
735b768a
8
52d73592
12
5ab42554
16
e6b85d4d
20
c9bb034b
24
7c6f68e2
28
511a3208
32
304bf0aa
36
4213141a
40
5e852d36
44
8db88b4d
48
d37b36cb
52
7adf6582
56
50b63150
KEY SCHEDULING PART
c 2007 Sony Corporation
3
fa854521
7
b99d5d62
11
a95b9b72
15
7972b2a2
19
2774b4fc
23
e4ed2d3f
27
be07c765
31
7ca565a7
35
9815d543
39
a139f97a
43
af72b274
47
12f434c9
51
e98d4d32
55
bd5f9f66
59
7c73b3a7
22
5
(192)
(0 ≤ i < 60)
1
aaf73771
5
799959a2
9
995a9a42
13
1f7ebec4
17
3ef737e5
21
5c995987
25
901ada4b
29
1d2eeec6
33
3e63a3e5
37
5cbc7c87
41
fa1fdf21
45
6da363b6
49
484c8c93
53
ff23e324
57
6cec2cb7
2
5b6226f8
6
32d5f596
10
96acbd65
14
d5be3b41
18
1162b2f8
22
2055d096
26
920cb425
30
d4963911
34
1128b26c
38
f45f7883
42
73167610
46
38c8e1ac
50
fe276c73
54
7188732c
58
ec7748d3
Table 9: CONi
i
(192)
CONi
i
(192)
CONi
i
(192)
CONi
i
(192)
CONi
i
(192)
CONi
i
(192)
CONi
i
(192)
CONi
i
(192)
CONi
i
(192)
CONi
i
(192)
CONi
i
(192)
CONi
i
(192)
CONi
i
(192)
CONi
i
(192)
CONi
i
(192)
CONi
0
c6d61d91
4
15b8bb4c
8
f57b7acb
12
735f7682
16
52d63590
20
30b8f14c
24
fc3b684b
28
710f7222
32
524234b8
36
309df106
40
963ebc41
44
01829338
48
246dd8e6
52
9302b639
56
00cd91a6
KEY SCHEDULING PART
c 2007 Sony Corporation
3
374383ec
7
5ef43485
11
fa8d4d21
15
b99f5f62
19
7d4383a6
23
4c74b497
27
fe2ded25
31
b8b77763
35
7d09c9a6
39
987ebe43
43
1f37f7c4
47
54e9298f
51
9206c649
55
1da969c6
59
8056965b
23
5
(192)
Table 10: CONi
i
(192)
CONi
i
(192)
CONi
i
(192)
CONi
i
(192)
CONi
i
(192)
CONi
i
(192)
CONi
60
9a2aa469
64
02879532
68
4ea00d7c
72
e3bd5747
76
a2f6d5d1
80
0cb0895c
61
f60bcb2d
65
6ea666b5
69
228141f9
73
8f9c5c54
77
ced71715
81
609151bb
(256)
Table 11: CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
0
0221947e
4
9a91a51f
8
bcbde947
12
b536fa51
16
094082bc
20
f24574b7
1
6e00c0b5
5
f6b0702d
9
d09c5c0b
13
d917d702
17
6561a1be
21
9e64a445
KEY SCHEDULING PART
(60 ≤ i < 84)
62
751c7a04
66
ed524a99
70
1f59ae8e
74
9dcfaba3
78
697242d8
82
3e51ec9e
63
193dfdc2
67
8173b35a
71
7378b8a8
75
f1ee2e2a
79
055393de
83
5270b089
(0 ≤ i < 24)
2
ed014a3f
6
a159d28f
10
b24ff4a3
14
62925518
18
3ca9e96e
22
9533ba5b
c 2007 Sony Corporation
3
8120e05a
7
cd78b816
11
de6eae05
15
0eb373d5
19
5088488b
23
f912d222
24
5
(256)
Table 12: CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
i
(256)
CONi
24
a688dd2d
28
d9b72353
32
786c60e4
36
ee0e4c21
40
1f8eaf20
44
23eed7e0
48
2cf6c9d0
52
2f30ce5c
56
fbd9678f
60
a4efd9e3
64
673a5e48
68
3dc3ebba
72
417112de
76
8a4584b7
80
b888e12d
84
de372c53
88
798c6324
25
caa96911
29
b596566e
33
144d8dcf
37
822fef59
41
73af6fa8
45
4fcf0f94
49
40d7179b
53
4311d198
57
97f8384c
61
c8ce0e13
65
0b1bdbd0
69
51e2228a
73
2d5090f6
77
e664a43d
81
d4a9690f
85
b216d669
89
15ad6dce
KEY SCHEDULING PART
(24 ≤ i < 92)
26
6b4d46a6
30
80ca91a9
34
043f9842
38
4f0e0e20
42
37ceffa0
46
29fec3c0
50
2e72ccd8
54
2f91cf1e
58
91fdb3c7
62
be66ecf1
66
0b948714
70
f2f075dd
74
cca9096f
78
a933c25b
82
644d58a6
86
830a9629
90
04cf99a2
c 2007 Sony Corporation
27
076cacdc
31
eceb2b37
35
681edeb3
39
232feff8
43
5bef2f80
47
45df1f9e
51
42539399
55
43b07098
59
fddc1c26
63
d2478709
67
67b575bc
71
9ed11145
75
a088487b
79
c512d21e
83
086cacd3
87
ef2beb34
91
68ee2eb3
25
6
6
TEST VECTORS
Test Vectors
We give test vectors of CLEFIA for each key length. The data are expressed
in hexadecimal form.
128-bit key:
key
plaintext
ciphertext
192-bit key:
key
plaintext
ciphertext
256-bit key:
key
plaintext
ciphertext
ffeeddcc bbaa9988 77665544 33221100
00010203 04050607 08090a0b 0c0d0e0f
de2bf2fd 9b74aacd f1298555 459494fd
ffeeddcc
f0e0d0c0
00010203
e2482f64
bbaa9988 77665544 33221100
b0a09080
04050607 08090a0b 0c0d0e0f
9f028dc4 80dda184 fde181ad
ffeeddcc
f0e0d0c0
00010203
a1397814
bbaa9988
b0a09080
04050607
289de80c
77665544
70605040
08090a0b
10da46d1
c 2007 Sony Corporation
33221100
30201000
0c0d0e0f
fa48b38a
26
6
6.1
TEST VECTORS
Test Vectors (Intermediate Values)
128-bit key:
key
plaintext
ciphertext
ffeeddcc bbaa9988 77665544 33221100
00010203 04050607 08090a0b 0c0d0e0f
de2bf2fd 9b74aacd f1298555 459494fd
L
8f89a61b 9db9d0f3 93e65627 da0d027e
W K0,1,2,3
RK0,1,2,3
RK4,5,6,7
RK8,9,10,11
RK12,13,14,15
RK16,17,18,19
RK20,21,22,23
RK24,25,26,27
RK28,29,30,31
RK32,33,34,35
ffeeddcc
f3e6cef9
6a27e20a
59cd17c4
7e8e7eec
e75eb039
9f98d11e
3438f93b
24d6406d
a34a20f5
bbaa9988
8df75e38
5a791b90
28565583
8be7e949
0d657eb9
babee8cf
f9cea4a0
e74bc550
33265d14
77665544
41c06256
e8c528dc
312a37cc
d3f463d6
018002e2
b0369efa
68df9029
41c28193
b19d0554
33221100
640ac51b
00336ea3
c08abd77
a0aad6aa
9117d009
d3aaef0d
b869b4a7
16de4795
5142f434
c 2007 Sony Corporation
27
6
plaintext
initial whitening key
after whitening
Round 1 input
F-function
input
round key
after key add
after S
after M
Round 2 input
F-function
input
round key
after key add
after S
after M
Round 3 input
F-function
input
round key
after key add
after S
after M
Round 4 input
F-function
input
round key
after key add
after S
after M
Round 5 input
F-function
input
round key
after key add
after S
after M
Round 6 input
F-function
input
round key
after key add
after S
after M
00010203
00010203
00010203
04050607
ffeeddcc
fbebdbcb
fbebdbcb
F0
00010203
f3e6cef9
f3e7ccfa
290246e1
547a3193
af91ea58 08090a0b
F0
af91ea58
41c06256
ee51880e
cb5d2b0c
f51cebb3
fd15e1b8 1c56b7f7
F0
fd15e1b8
6a27e20a
973203b2
c2c7c6c2
d8dfd8de
c4896f29 82dee144
F0
c4896f29
e8c528dc
2c4c47f5
9da4dafc
b5b28e96
376c6fd2 4ecf4244
F0
376c6fd2
59cd17c4
6ea17816
f26ad3e5
29f08afd
673fc8b9 4b49b022
F0
673fc8b9
312a37cc
5615ff75
b39c8e58
5999a79e
TEST VECTORS
08090a0b
08090a0b
08090a0b
0c0d0e0f
bbaa9988
b7a79787
b7a79787
F1
08090a0b
8df75e38
85fe5433
777de8e8
abf12070
1c56b7f7 00010203
F1
1c56b7f7
640ac51b
785c72ec
63a5edd2
82dfe347
82dee144 af91ea58
F1
82dee144
5a791b90
d8a7fad4
be59e10d
e15ea81c
4ecf4244 fd15e1b8
F1
4ecf4244
00336ea3
4efc2ce7
43bce638
b65c519a
4b49b022 c4896f29
F1
4b49b022
28565583
631fe5a1
62af9f1b
be01d127
7a88be0e 376c6fd2
F1
7a88be0e
c08abd77
ba020379
2dd1e9a2
0429b329
c 2007 Sony Corporation
28
6
Round 7
Round 8
Round 9
Round 10
Round 11
Round 12
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
12d017bc
7a88be0e
F0
12d017bc
7e8e7eec
6c5e6950
8b737025
6ed11b09
1459a507 3345dcfb
F0
1459a507
d3f463d6
c7adc6d1
e7ee5a5f
8c9d011c
bfd8dde7 b8ec058b
F0
bfd8dde7
e75eb039
58866dde
4e821daf
e6d6501e
5e3a5595 81b85950
F0
5e3a5595
018002e2
5fba5777
612d8f7b
3a1b0e97
bba357c7 79019cb3
F0
bba357c7
9f98d11e
243b86d9
f70f1144
28974052
5196dce1 066ca42f
F0
5196dce1
b0369efa
e1a0421b
6f7efd4f
ffb5db32
c 2007 Sony Corporation
TEST VECTORS
3345dcfb
673fc8b9
F1
3345dcfb
8be7e949
b8a235b2
67a08eba
dfd3cd32
b8ec058b 12d017bc
F1
b8ec058b
a0aad6aa
1846d321
9e97f1a1
93684eec
81b85950 1459a507
F1
81b85950
0d657eb9
8cdd27e9
59c56044
6d5839b4
79019cb3 bfd8dde7
F1
79019cb3
9117d009
e8164cba
0185a49c
b9b479c8
066ca42f 5e3a5595
F1
066ca42f
babee8cf
bcd24ce0
cb72a481
4a6700b1
145d5524 bba357c7
F1
145d5524
d3aaef0d
c7f7ba29
72642dce
907d3820
29
6
Round 13
input
F-function
input
round key
after key add
after S
after M
Round 14 input
F-function
input
round key
after key add
after S
after M
Round 15 input
F-function
input
round key
after key add
after S
after M
Round 16 input
F-function
input
round key
after key add
after S
after M
Round 17 input
F-function
input
round key
after key add
after S
after M
Round 18 input
F-function
input
round key
after key add
after S
after M
output
final whitening key
after whitening
ciphertext
f9d97f1d
145d5524
F0
f9d97f1d
3438f93b
cde18626
3f751141
0a744c28
1e29190c 2bde6fe7
F0
1e29190c
68df9029
76f68925
fe6db7e7
aaa2c803
817ca7e4 4da8e442
F0
817ca7e4
24d6406d
a5aae789
8d233818
7bd4cced
367c28af 3de82490
F0
367c28af
41c28193
77bea93c
7c4a935b
598e6940
64664dd0 f4ebe9f7
F0
64664dd0
a34a20f5
c72c6d25
e7e61de7
2ac01b0a
de2bf2fd 4065c77b
F0
de2bf2fd
b19d0554
6fb6f7a9
b44d648c
ac7738f2
de2bf2fd ec12ff89
77665544
de2bf2fd 9b74aacd
de2bf2fd 9b74aacd
c 2007 Sony Corporation
TEST VECTORS
2bde6fe7
5196dce1
F1
2bde6fe7
f9cea4a0
d210cb47
ab28e0da
1c3e38a3
4da8e442 f9d97f1d
F1
4da8e442
b869b4a7
f5c150e5
fc0c25f6
c4315b8d
3de82490 1e29190c
F1
3de82490
e74bc550
daa3e1c0
2904757b
eac2f0fb
f4ebe9f7 817ca7e4
F1
f4ebe9f7
16de4795
e235ae62
669b8953
c119609f
4065c77b 367c28af
F1
4065c77b
33265d14
73439a6f
788c85b4
c755adfa
f1298555 64664dd0
F1
f1298555
5142f434
a06b7161
7e99ea2a
12d0c82d
f1298555 76b685fd
33221100
f1298555 459494fd
f1298555 459494fd
30
6
192-bit key:
key
TEST VECTORS
plaintext
ciphertext
ffeeddcc
f0e0d0c0
00010203
e2482f64
bbaa9988 77665544 33221100
b0a09080
04050607 08090a0b 0c0d0e0f
9f028dc4 80dda184 fde181ad
LL
LR
db05415a 800082db 7cb8186c d788c5f3
1ca9b2e1 b4606829 c92dd35e 2258a432
W K0,1,2,3
RK0,1,2,3
RK4,5,6,7
RK8,9,10,11
RK12,13,14,15
RK16,17,18,19
RK20,21,22,23
RK24,25,26,27
RK28,29,30,31
RK32,33,34,35
RK36,37,38,39
RK40,41,42,43
0f0e0d0c
4d3bfd1b
73c2eeb8
38c46a07
38351b2f
509b31a6
419a74b9
6e3ff82a
ed785cbd
4bbd5f6a
521213ce
17f68fde
0b0a0908
7a1f5dfa
dd429ec5
fc2ce4ba
74bd6e1e
4c5ad53c
1dd79e0e
74ac3ffd
9c077c13
31fe8de8
4f1f59d8
f6c360a9
77777777
0fae6e7c
e220b3af
370abf2d
1b7c7dce
6fc2ba33
240a33d2
b9696e2e
04978d83
b76da574
c13624f6
6288bc72
c 2007 Sony Corporation
77777777
c8bf3237
c9135e73
b05e627b
92cfc98e
e1e5c878
9dabfd09
cc0b3a38
2ec058ba
3a6fa8e7
ee91f6a4
c0ad856b
31
6
plaintext
initial whitening key
after whitening
Round 1 input
F-function
input
round key
after key add
after S
after M
Round 2 input
F-function
input
round key
after key add
after S
after M
Round 3 input
F-function
input
round key
after key add
after S
after M
Round 4 input
F-function
input
round key
after key add
after S
after M
Round 5 input
F-function
input
round key
after key add
after S
after M
Round 6 input
F-function
input
round key
after key add
after S
after M
00010203
00010203
00010203
04050607
0f0e0d0c
0b0b0b0b
0b0b0b0b
F0
00010203
4d3bfd1b
4d3aff18
43c58e9e
b5021a3b
be091130 08090a0b
F0
be091130
0fae6e7c
b1a77f4c
f3d10ba4
9fba69c1
97b363ca c490f12c
F0
97b363ca
73c2eeb8
e4718d72
79ea66ed
61c21ea5
a552ef89 6682c8e0
F0
a552ef89
e220b3af
47725c26
daeda541
28a43c63
4e26f483 ac0717d2
F0
4e26f483
38c46a07
76e29e84
fe663e39
5ce7dafe
f0e0cd2c 5ca9d6b9
F0
f0e0cd2c
370abf2d
c7ea7201
e77f9fda
b9869270
TEST VECTORS
08090a0b
08090a0b
08090a0b
0c0d0e0f
0b0a0908
07070707
07070707
F1
08090a0b
7a1f5dfa
721657f1
ed85d736
c397f62b
c490f12c 00010203
F1
c490f12c
c8bf3237
0c2fc31b
13d83a3d
6683cae3
6682c8e0 be091130
F1
6682c8e0
dd429ec5
bbc05625
f47b0d7a
120e06e2
ac0717d2 97b363ca
F1
ac0717d2
c9135e73
651449a1
355c651b
cb1ab573
5ca9d6b9 a552ef89
F1
5ca9d6b9
fc2ce4ba
a0853203
7edcc7c6
ac7f4e3e
092da1b7 4e26f483
F1
092da1b7
b05e627b
b973c3cc
174a3a46
8fc7e089
c 2007 Sony Corporation
32
6
Round 7
Round 8
Round 9
Round 10
Round 11
Round 12
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
e52f44c9
092da1b7
F0
e52f44c9
38351b2f
dd1a5fe6
c5496150
33d8590f
3af5f8b8 c1e1140a
F0
3af5f8b8
1b7c7dce
21898576
a118dc09
f091202d
31703427 16ce743f
F0
31703427
509b31a6
61eb0581
2a8d3304
f9639a90
efadeeaf e1d6acee
F0
efadeeaf
6fc2ba33
806f549c
cd5eeb61
a100e35b
40d64fb5 b11e0685
F0
40d64fb5
419a74b9
014c3b0c
49a4c013
51c0208f
e0de260a 17d4d54a
F0
e0de260a
240a33d2
c4d415d8
801beebe
8a9aef34
c 2007 Sony Corporation
TEST VECTORS
c1e1140a
f0e0cd2c
F1
c1e1140a
74bd6e1e
b55c7a14
5aa5c15c
e62eb913
16ce743f e52f44c9
F1
16ce743f
92cfc98e
8401bdb1
3949b1f3
04f9e827
e1d6acee 3af5f8b8
F1
e1d6acee
4c5ad53c
ad8c79d2
eeffc072
8bebfe3d
b11e0685 31703427
F1
b11e0685
e1e5c878
50fbcefd
25d7fe02
26a4e16d
17d4d54a efadeeaf
F1
17d4d54a
1dd79e0e
0a034b44
b4c6c912
f1a2c339
1e0f2d96 40d64fb5
F1
1e0f2d96
9dabfd09
83a4d09f
86b8f8ed
3e451646
33
6
Round 13
Round 14
Round 15
Round 16
Round 17
Round 18
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
9d4e3a7e
1e0f2d96
F0
9d4e3a7e
6e3ff82a
f371c254
29ea68e8
17524741
095d6ad7 7e9359f3
F0
095d6ad7
b9696e2e
b03404f9
152a2f03
f7ee818b
897dd878 ab524674
F0
897dd878
ed785cbd
640584c5
459d9e10
4034defc
eb669888 e44cc995
F0
eb669888
04978d83
eff1150b
90e4ee38
4a678609
ae2b4f9c 0b75d703
F0
ae2b4f9c
4bbd5f6a
e59610f6
f6a5286d
720df49d
7978239e 8ccf6cd1
F0
7978239e
b76da574
ce1586ea
919c117f
ef24fe56
c 2007 Sony Corporation
TEST VECTORS
7e9359f3
e0de260a
F1
7e9359f3
74ac3ffd
0a3f660e
b4f530a8
4b8c607e
ab524674 9d4e3a7e
F1
ab524674
cc0b3a38
67597c4c
52161e39
7902f3eb
e44cc995 095d6ad7
F1
e44cc995
9c077c13
784bb586
636b5a11
0228bdd4
0b75d703 897dd878
F1
0b75d703
2ec058ba
25b58fb9
e7691f3b
05b2b4a9
8ccf6cd1 eb669888
F1
8ccf6cd1
31fe8de8
bd31e139
b15d7589
bad65e22
51b0c6aa ae2b4f9c
F1
51b0c6aa
3a6fa8e7
6bdf6e4d
283aaa43
08916103
34
6
Round 19
input
F-function
input
round key
after key add
after S
after M
Round 20 input
F-function
input
round key
after key add
after S
after M
Round 21 input
F-function
input
round key
after key add
after S
after M
Round 22 input
F-function
input
round key
after key add
after S
after M
output
final whitening key
after whitening
ciphertext
63eb9287
51b0c6aa
F0
63eb9287
521213ce
31f98149
5d03e265
b7464b63
e6f68dc9 a6ba2e9f
F0
e6f68dc9
c13624f6
27c0a93f
20b5938b
3cae819e
9a14af01 98a8a539
F0
9a14af01
17f68fde
8de220df
6666bff2
7ae08a5d
e2482f64 d5e856d3
F0
e2482f64
6288bc72
80c09316
cdb5f1e5
3d9dac60
e2482f64 e875fab3
77777777
e2482f64 9f028dc4
e2482f64 9f028dc4
c 2007 Sony Corporation
TEST VECTORS
a6ba2e9f
7978239e
F1
a6ba2e9f
4f1f59d8
e9a57747
3c8d7bda
e1d086a7
98a8a539 63eb9287
F1
98a8a539
ee91f6a4
7639539d
09893194
b603c454
d5e856d3 e6f68dc9
F1
d5e856d3
f6c360a9
232b367a
b383a1bd
662b2c4d
80dda184 9a14af01
F1
80dda184
c0ad856b
407024ef
fbe99290
108259db
80dda184 8a96f6da
77777777
80dda184 fde181ad
80dda184 fde181ad
35
6
256-bit key:
key
bbaa9988
b0a09080
04050607
289de80c
plaintext
ciphertext
ffeeddcc
f0e0d0c0
00010203
a1397814
LL
LR
477e8f09 66ee5378 2cc2be04 bf55e28f
d6c10b89 4eeab575 84bd5663 cc933940
W K0,1,2,3
RK0,1,2,3
RK4,5,6,7
RK8,9,10,11
RK12,13,14,15
RK16,17,18,19
RK20,21,22,23
RK24,25,26,27
RK28,29,30,31
RK32,33,34,35
RK36,37,38,39
RK40,41,42,43
RK44,45,46,47
RK48,49,50,51
0f0e0d0c
58f02029
6c498393
fa37c259
b05bd737
581b3e34
b523d4e9
25d80df2
b304eb20
d71ff7e9
4dd7cfb7
2c664a7a
568c5a33
c0c18358
0b0a0908
15413cd0
8846231b
0e3da2ee
8de1f2d0
03263f89
176d7c44
a646bba2
44f8824e
aca1fb0c
ae71c9f6
8cb5cf6b
07ef7ddd
4f53c80e
77665544
70605040
08090a0b
10da46d1
TEST VECTORS
07060504
1b0c41a4
1fc716fc
aacf9abb
8ffee0f6
2f7100cd
6d7ba5d7
6a3a95e1
c7557cbc
2deff35d
4e911fef
14c8de1e
608dc860
33e01cb9
c 2007 Sony Corporation
33221100
30201000
0c0d0e0f
fa48b38a
03020100
e4bacd0f
7c81a45b
8ec0aad9
b70b47ea
05cee171
f797b2f3
3e3a47f0
47401e21
6ca3a830
90aa95de
43b9caef
ac9e50f8
80251e1c
36
6
plaintext
initial whitening key
after whitening
Round 1 input
F-function
input
round key
after key add
after S
after M
Round 2 input
F-function
input
round key
after key add
after S
after M
Round 3 input
F-function
input
round key
after key add
after S
after M
Round 4 input
F-function
input
round key
after key add
after S
after M
Round 5 input
F-function
input
round key
after key add
after S
after M
Round 6 input
F-function
input
round key
after key add
after S
after M
00010203
00010203
00010203
04050607
0f0e0d0c
0b0b0b0b
0b0b0b0b
F0
00010203
58f02029
58f1222a
4ee41927
2db2101b
26b91b10 08090a0b
F0
26b91b10
1b0c41a4
3db55ab4
aa5afadb
317e029c
39770897 df79e01f
F0
39770897
6c498393
553e8b04
5487484e
c3a7ac1d
1cde4c02 c0cd94b9
F0
1cde4c02
1fc716fc
03195afe
c607fa95
5edee0ce
9e137477 5c594394
F0
9e137477
fa37c259
6424b62e
4592c8d2
adfd33ae
f1a4703a 758c0607
F0
f1a4703a
aacf9abb
5b6bea81
22285e04
0fa52ed4
TEST VECTORS
08090a0b
08090a0b
08090a0b
0c0d0e0f
0b0a0908
07070707
07070707
F1
08090a0b
15413cd0
1d4836db
2c78a1ac
d87ee718
df79e01f 00010203
F1
df79e01f
e4bacd0f
3bc32d10
0f1e1928
c0cc96ba
c0cd94b9 26b91b10
F1
c0cd94b9
8846231b
488bb7a2
d84876a0
7ae05884
5c594394 39770897
F1
5c594394
7c81a45b
20d8e7cf
12f002c9
4cfb0e90
758c0607 1cde4c02
F1
758c0607
0e3da2ee
7bb1a4e9
46f3a044
42450650
5e9b4a52 9e137477
F1
5e9b4a52
8ec0aad9
d05be08b
f822d448
aa7a0a9c
c 2007 Sony Corporation
37
6
Round 7
Round 8
Round 9
Round 10
Round 11
Round 12
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
7a2928d3
5e9b4a52
F0
7a2928d3
b05bd737
ca72ffe4
23ed8e68
8b158630
d58ecc62 34697eeb
F0
d58ecc62
8ffee0f6
5a702c94
facf9d64
72c2027e
46ab7c95 c2ea5ac8
F0
46ab7c95
581b3e34
1eb042a1
177afd6a
51d5740a
933f2ec2 dfabfd23
F0
933f2ec2
2f7100cd
bc4e2e0f
e0434cd9
a768d32a
78c32e09 c48c4bb5
F0
78c32e09
b523d4e9
cde0fae0
3fd410d4
08bd9b01
cc31d0b4 f00533be
F0
cc31d0b4
6d7ba5d7
a14a7563
1b512562
7c2c762b
c 2007 Sony Corporation
TEST VECTORS
34697eeb
f1a4703a
F1
34697eeb
8de1f2d0
b9888c3b
172b59c0
334e2af2
c2ea5ac8 7a2928d3
F1
c2ea5ac8
b70b47ea
75e11d22
586f2c19
a582d5f0
dfabfd23 d58ecc62
F1
dfabfd23
03263f89
dc8dc2aa
57664735
110287d7
c48c4bb5 46ab7c95
F1
c48c4bb5
05cee171
c142aac4
22fd2380
b6ae4f2b
f00533be 933f2ec2
F1
f00533be
176d7c44
e7684ffa
02ef5310
2fdb3f65
bce411a7 78c32e09
F1
bce411a7
f797b2f3
4b73a354
c94a71eb
81ca0b59
38
6
Round 13
Round 14
Round 15
Round 16
Round 17
Round 18
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
8c294595
bce411a7
F0
8c294595
25d80df2
a9f14867
93e47852
4a87c858
f663d9ff f9092550
F0
f663d9ff
6a3a95e1
9c594c1e
58ff39b0
d82301d4
212a2484 988db861
F0
212a2484
b304eb20
922ecfa4
86d2c9a0
dbf56073
4378d812 847415b0
F0
4378d812
c7557cbc
842da4ae
9e19b889
6791a3e3
e3e5b653 71817f5d
F0
e3e5b653
d71ff7e9
34fa41ba
d4e1be2d
2743ef2d
56c29070 c05df72c
F0
56c29070
2deff35d
7b2d632d
56193719
ee6316fa
c 2007 Sony Corporation
TEST VECTORS
f9092550
cc31d0b4
F1
f9092550
a646bba2
5f4f9ef2
5c26cae5
54bc68d5
988db861 8c294595
F1
988db861
3e3a47f0
a6b7ff91
054d1d75
085d5025
847415b0 f663d9ff
F1
847415b0
44f8824e
c08c97fe
b5ff567d
87e2a6a2
71817f5d 212a2484
F1
71817f5d
47401e21
36c1617c
a10c5414
e177d3a8
c05df72c 4378d812
F1
c05df72c
aca1fb0c
6cfc0c20
32bc13bf
6fec0aab
2c94d2b9 e3e5b653
F1
2c94d2b9
6ca3a830
40377a89
fb13c1b7
5e3245b7
39
6
Round 19
Round 20
Round 21
Round 22
Round 23
Round 24
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
input
F-function
input
round key
after key add
after S
after M
2e3ee1d6
2c94d2b9
F0
2e3ee1d6
4dd7cfb7
63e92e61
373c4c54
87aab08e
ab3e6237 bdd7f3e4
F0
ab3e6237
4e911fef
e5af7dd8
f6ad88be
0889df33
b55e2cd7 d94f8683
F0
b55e2cd7
2c664a7a
993866ad
2c2b6cee
8999e772
50d661f1 da262999
F0
50d661f1
14c8de1e
441ebfef
12b052ac
f5efd89e
2fc9f107 716a77e5
F0
2fc9f107
568c5a33
7945ab34
a2a77e2a
e84f6d9b
99251a7e c114b03a
F0
99251a7e
608dc860
f9a8d21e
f84572b0
20634b77
c 2007 Sony Corporation
TEST VECTORS
bdd7f3e4
56c29070
F1
bdd7f3e4
ae71c9f6
13a63a12
8fe6c54b
8f8d16f3
d94f8683 2e3ee1d6
F1
d94f8683
90aa95de
49e5135d
65f68f77
f418c84f
da262999 ab3e6237
F1
da262999
8cb5cf6b
5693e6f2
0df150e5
da5415d2
716a77e5 b55e2cd7
F1
716a77e5
43b9caef
32d3bd0a
c7bbb182
744a9ced
c114b03a 50d661f1
F1
c114b03a
07ef7ddd
c6fbcde7
4cd7e238
ce67e20a
9eb183fb 2fc9f107
F1
9eb183fb
ac9e50f8
322fd303
c7d8f1c6
591b3f55
40
6
Round 25
input
F-function
input
round key
after key add
after S
after M
Round 26 input
F-function
input
round key
after key add
after S
after M
output
final whitening key
after whitening
ciphertext
e177fb4d
9eb183fb
F0
e177fb4d
c0c18358
21b67815
a14dd39c
3f88fbef
a1397814 76d2ce52
F0
a1397814
33e01cb9
92d964ad
864445ee
5949235a
a1397814 2f9bed08
07060504
a1397814 289de80c
a1397814 289de80c
c 2007 Sony Corporation
TEST VECTORS
76d2ce52
99251a7e
F1
76d2ce52
4f53c80e
3981065c
c8e20aa5
89ff5caf
10da46d1 e177fb4d
F1
10da46d1
80251e1c
90ff58cd
9a8e803f
183d49c7
10da46d1 f94ab28a
03020100
10da46d1 fa48b38a
10da46d1 fa48b38a
41