A Description of the ARIA Encryption Algorithm
RFC 5794
Document | Type |
RFC - Informational
(March 2010; Errata)
Was draft-nsri-aria (gen)
|
|
---|---|---|---|
Authors | Jaeheon Kim , Jooyoung Lee , Choonsoo Kim , Jungkeun Lee , Daesung Kwon | ||
Last updated | 2020-01-21 | ||
Stream | ISE | ||
Formats | plain text html pdf htmlized with errata bibtex | ||
Stream | ISE state | (None) | |
Consensus Boilerplate | Unknown | ||
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 5794 (Informational) | |
Telechat date | |||
Responsible AD | Russ Housley | ||
Send notices to | rfc-ise@rfc-editor.org |
Independent Submission J. Lee Request for Comments: 5794 J. Lee Category: Informational J. Kim ISSN: 2070-1721 D. Kwon C. Kim NSRI March 2010 A Description of the ARIA Encryption Algorithm Abstract This document describes the ARIA encryption algorithm. ARIA is a 128-bit block cipher with 128-, 192-, and 256-bit keys. The algorithm consists of a key scheduling part and data randomizing part. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5794. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Lee, et al. Informational [Page 1] RFC 5794 The ARIA Encryption Algorithm March 2010 1. Introduction 1.1. ARIA Overview ARIA is a general-purpose block cipher algorithm developed by Korean cryptographers in 2003. It is an iterated block cipher with 128-, 192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16 rounds, depending on the key size. It is secure and suitable for most software and hardware implementations on 32-bit and 8-bit processors. It was established as a Korean standard block cipher algorithm in 2004 [ARIAKS] and has been widely used in Korea, especially for government-to-public services. It was included in PKCS #11 in 2007 [ARIAPKCS]. 2. Algorithm Description The algorithm consists of a key scheduling part and data randomizing part. 2.1. Notations The following notations are used in this document to describe the algorithm. ^ bitwise XOR operation <<< left circular rotation >>> right circular rotation || concatenation of bit strings 0x hexadecimal representation 2.2. Key Scheduling Part Let K denote a master key of 128, 192, or 256 bits. Given the master key K, we first define 128-bit values KL and KR as follows. KL || KR = K || 0 ... 0, where the number of zeros is 128, 64, or 0, depending on the size of K. That is, KL is set to the leftmost 128 bits of K and KR is set to the remaining bits of K (if any), right-padded with zeros to a 128-bit value. Then, we define four 128-bit values (W0, W1, W2, and W3) as the intermediate round values appearing in the encryption of KL || KR by a 3-round, 256-bit Feistel cipher. W0 = KL, W1 = FO(W0, CK1) ^ KR, W2 = FE(W1, CK2) ^ W0, W3 = FO(W2, CK3) ^ W1. Lee, et al. Informational [Page 2] RFC 5794 The ARIA Encryption Algorithm March 2010 Here, FO and FE, respectively called odd and even round functions, are defined in Section 2.4.1. CK1, CK2, and CK3 are 128-bit constants, taking one of the following values. C1 = 0x517cc1b727220a94fe13abe8fa9a6ee0 C2 = 0x6db14acc9e21c820ff28b1d5ef5de2b0 C3 = 0xdb92371d2126e9700324977504e8c90e These values are obtained from the first 128*3 bits of the fractional part of 1/PI, where PI is the circle ratio. Now the constants CK1, CK2, and CK3 are defined by the following table. Key size CK1 CK2 CK3 128 C1 C2 C3 192 C2 C3 C1 256 C3 C1 C2 For example, if the key size is 192 bits, CK1 = C2, CK2 = C3, and CK3 = C1. Once W0, W1, W2, and W3 are determined, we compute encryption round keys ek1, ..., ek17 as follows. ek1 = W0 ^(W1 >>> 19), ek2 = W1 ^(W2 >>> 19), ek3 = W2 ^(W3 >>> 19), ek4 = (W0 >>> 19) ^ W3, ek5 = W0 ^ (W1 >>> 31), ek6 = W1 ^ (W2 >>> 31), ek7 = W2 ^ (W3 >>> 31), ek8 = (W0 >>> 31) ^ W3,Show full document text