Independent Submission J. Lee Request for Comments: 5794 J. Lee Category: Informational J. Kim ISSN: 2070-1721 D. Kwon C. Kim NSRI March 2010
A Description of the ARIA Encryption Algorithm
Abstract
This document describes the ARIA encryption algorithm. ARIA is a 128-bit block cipher with 128-, 192-, and 256-bit keys. The algorithm consists of a key scheduling part and data randomizing part.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5794.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
ARIA is a general-purpose block cipher algorithm developed by Korean cryptographers in 2003. It is an iterated block cipher with 128-, 192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16 rounds, depending on the key size. It is secure and suitable for most software and hardware implementations on 32-bit and 8-bit processors. It was established as a Korean standard block cipher algorithm in 2004 [ARIAKS] and has been widely used in Korea, especially for government-to-public services. It was included in PKCS #11 in 2007 [ARIAPKCS].
Let K denote a master key of 128, 192, or 256 bits. Given the master key K, we first define 128-bit values KL and KR as follows.
KL || KR = K || 0 ... 0,
where the number of zeros is 128, 64, or 0, depending on the size of K. That is, KL is set to the leftmost 128 bits of K and KR is set to the remaining bits of K (if any), right-padded with zeros to a 128-bit value. Then, we define four 128-bit values (W0, W1, W2, and W3) as the intermediate round values appearing in the encryption of KL || KR by a 3-round, 256-bit Feistel cipher.
Here, FO and FE, respectively called odd and even round functions, are defined in Section 2.4.1. CK1, CK2, and CK3 are 128-bit constants, taking one of the following values.
These values are obtained from the first 128*3 bits of the fractional part of 1/PI, where PI is the circle ratio. Now the constants CK1, CK2, and CK3 are defined by the following table.
The data randomizing part of the ARIA algorithm consists of the encryption and decryption processes. The encryption and decryption processes use functions FO, FE, A, SL1, and SL2. These functions are defined in Section 2.4.
Let P be a 128-bit plaintext and K be a 128-bit master key. Let ek1, ..., ek13 be the encryption round keys defined by K. Then the ciphertext C is computed by the following algorithm.
Let P be a 128-bit plaintext and K be a 192-bit master key. Let ek1, ..., ek15 be the encryption round keys defined by K. Then the ciphertext C is computed by the following algorithm.
Let P be a 128-bit plaintext and K be a 256-bit master key. Let ek1, ..., ek17 be the encryption round keys defined by K. Then the ciphertext C is computed by the following algorithm.
The decryption process of ARIA is the same as the encryption process except that encryption round keys are replaced by decryption round keys. For example, encryption round keys ek1, ..., ek13 of the 12-round ARIA algorithm are replaced by decryption round keys dk1, ..., dk13, respectively.
There are two types of round functions for ARIA. One is called an odd round function and is denoted by FO. It takes as input a pair (D,RK) of two 128-bit strings and outputs
FO(D,RK) = A(SL1(D ^ RK)).
The other is called an even round function and is denoted by FE. It takes as input a pair (D,RK) of two 128-bit strings and outputs
FE(D,RK) = A(SL2(D ^ RK)).
Functions SL1 and SL2, called substitution layers, are described in Section 2.4.2. Function A, called a diffusion layer, is described in Section 2.4.3.
ARIA has two types of substitution layers that alternate between rounds. Type 1 is used in the odd rounds, and type 2 is used in the even rounds.
Type 1 substitution layer SL1 is an algorithm that takes a 16-byte string x0 || x1 ||...|| x15 as input and outputs a 16-byte string y0 || y1 ||...|| y15 as follows.
Type 2 substitution layer SL2 is an algorithm that takes a 16-byte string x0 || x1 ||...|| x15 as input and outputs a 16-byte string y0 || y1 ||...|| y15 as follows.
Here, SB1, SB2, SB3, and SB4 are S-boxes that take an 8-bit string as input and output an 8-bit string. These S-boxes are defined by the following look-up tables.
SB1: 0 1 2 3 4 5 6 7 8 9 a b c d e f 00 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76 10 ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0 20 b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15 30 04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75 40 09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84 50 53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf 60 d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8 70 51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2 80 cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73 90 60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db a0 e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79 b0 e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08 c0 ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a d0 70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e e0 e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df f0 8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16
SB2: 0 1 2 3 4 5 6 7 8 9 a b c d e f 00 e2 4e 54 fc 94 c2 4a cc 62 0d 6a 46 3c 4d 8b d1 10 5e fa 64 cb b4 97 be 2b bc 77 2e 03 d3 19 59 c1 20 1d 06 41 6b 55 f0 99 69 ea 9c 18 ae 63 df e7 bb 30 00 73 66 fb 96 4c 85 e4 3a 09 45 aa 0f ee 10 eb 40 2d 7f f4 29 ac cf ad 91 8d 78 c8 95 f9 2f ce cd 50 08 7a 88 38 5c 83 2a 28 47 db b8 c7 93 a4 12 53 60 ff 87 0e 31 36 21 58 48 01 8e 37 74 32 ca e9 b1 70 b7 ab 0c d7 c4 56 42 26 07 98 60 d9 b6 b9 11 40 80 ec 20 8c bd a0 c9 84 04 49 23 f1 4f 50 1f 13 dc 90 d8 c0 9e 57 e3 c3 7b 65 3b 02 8f 3e e8 25 92 e5 a0 15 dd fd 17 a9 bf d4 9a 7e c5 39 67 fe 76 9d 43 b0 a7 e1 d0 f5 68 f2 1b 34 70 05 a3 8a d5 79 86 a8 c0 30 c6 51 4b 1e a6 27 f6 35 d2 6e 24 16 82 5f da d0 e6 75 a2 ef 2c b2 1c 9f 5d 6f 80 0a 72 44 9b 6c e0 90 0b 5b 33 7d 5a 52 f3 61 a1 f7 b0 d6 3f 7c 6d f0 ed 14 e0 a5 3d 22 b3 f8 89 de 71 1a af ba b5 81
Lee, et al. Informational [Page 7]
RFC 5794 The ARIA Encryption Algorithm March 2010
SB3: 0 1 2 3 4 5 6 7 8 9 a b c d e f 00 52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb 10 7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb 20 54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e 30 08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25 40 72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92 50 6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84 60 90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06 70 d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b 80 3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73 90 96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e a0 47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b b0 fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4 c0 1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f d0 60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef e0 a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61 f0 17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d
SB4: 0 1 2 3 4 5 6 7 8 9 a b c d e f 00 30 68 99 1b 87 b9 21 78 50 39 db e1 72 9 62 3c 10 3e 7e 5e 8e f1 a0 cc a3 2a 1d fb b6 d6 20 c4 8d 20 81 65 f5 89 cb 9d 77 c6 57 43 56 17 d4 40 1a 4d 30 c0 63 6c e3 b7 c8 64 6a 53 aa 38 98 0c f4 9b ed 40 7f 22 76 af dd 3a 0b 58 67 88 06 c3 35 0d 01 8b 50 8c c2 e6 5f 02 24 75 93 66 1e e5 e2 54 d8 10 ce 60 7a e8 08 2c 12 97 32 ab b4 27 0a 23 df ef ca d9 70 b8 fa dc 31 6b d1 ad 19 49 bd 51 96 ee e4 a8 41 80 da ff cd 55 86 36 be 61 52 f8 bb 0e 82 48 69 9a 90 e0 47 9e 5c 04 4b 34 15 79 26 a7 de 29 ae 92 d7 a0 84 e9 d2 ba 5d f3 c5 b0 bf a4 3b 71 44 46 2b fc b0 eb 6f d5 f6 14 fe 7c 70 5a 7d fd 2f 18 83 16 a5 c0 91 1f 05 95 74 a9 c1 5b 4a 85 6d 13 07 4f 4e 45 d0 b2 0f c9 1c a6 bc ec 73 90 7b cf 59 8f a1 f9 2d e0 f2 b1 00 94 37 9f d0 2e 9c 6e 28 3f 80 f0 3d d3 f0 25 8a b5 e7 42 b3 c7 ea f7 4c 11 33 03 a2 ac 60
For example, SB1(0x23) = 0x26 and SB4(0xef) = 0xd3. Note that SB3 and SB4 are the inverse functions of SB1 and SB2, respectively, and accordingly SL2 is the inverse of SL1.
Diffusion layer A is an algorithm that takes a 16-byte string x0 || x1 || ... || x15 as input and outputs a 16-byte string y0 || y1 ||...|| y15 by the following equations.
ARIA is designed to be resistant to all known attacks on block ciphers [ARIA03]. Its security was analyzed by the COSIC group of K.U.Leuven in Belgium [ARIAEVAL] and no security flaw has been found.
AriaCmacParameters ::= INTEGER -- bit-length of authentication tag
AriaOcb2Parameters ::= INTEGER -- bit-length of authentication tag
AriaGcmParameters ::= SEQUENCE { s INTEGER, -- bit-length of starting variable t INTEGER -- bit-length of authentication tag }
Lee, et al. Informational [Page 16]
RFC 5794 The ARIA Encryption Algorithm March 2010
AriaCcmParameters ::= SEQUENCE { w INTEGER (2|3|4|5|6|7|8), -- length of message length field in octets t INTEGER (32|48|64|80|96|112|128) -- bit-length of authentication tag }
ALGORITHM ::= CLASS { &id OBJECT IDENTIFIER UNIQUE, &Type OPTIONAL } WITH SYNTAX { OID &id [PARAMS &Type] }