BS ISO IEC 29192-2-2012 Information technology Security techniques Lightweight cryptography Block ciphers《信息技术 安全技术 轻量级密码技术 分组密码》.pdf

1、raising standards worldwide NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW BSI Standards Publication BS ISO/IEC 29192-2:2012 Information technology Security techniques Lightweight cryptography Part 2: Block ciphersBS ISO/IEC 29192-2:2012 BRITISH STANDARD National foreword Thi

2、s British Standard is the UK implementation of | ISO/IEC 29192-2:2012. The UK participation in its preparation was entrusted to T e c h n i c a l C o m m i t t e e I S T / 3 3 , I T - S e c u r i t y t e c h n i q u e s . A list of organizations represented on this committee can be obtained on reque

3、st to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2012 ISBN 978 0 580 71684 3 ICS 35.040 Compliance with a British Standard cannot confer immunity from leg

4、al obligations. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 January 2012. Amendments issued since publication Date T e x t a f f e c t e dBS ISO/IEC 29192-2:2012Reference number ISO/IEC 29192-2:2012(E) ISO/IEC 2012INTERNATIONAL STANDAR

5、D ISO/IEC 29192-2 First edition 2012-01-15 Information technology Security techniques Lightweight cryptography Part 2: Block ciphers Technologies de linformation Techniques de scurit Cryptographie pour environnements contraints Partie 2: Chiffrements par blocs BS ISO/IEC 29192-2:2012 ISO/IEC 29192-2

6、:2012(E) COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2012 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at

7、the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2012 All rights reservedBS ISO/IEC 29192-2:2012 ISO/I

8、EC 29192-2:2012(E) ISO/IEC 2012 All rights reserved iiiContents Page Foreword iv Introduction . v 1 Scope 1 2 Normative references 1 3 Terms and definitions . 1 4 Symbols 2 5 Lightweight block cipher with a block size of 64 bits 2 5.1 PRESENT 2 6 Lightweight block cipher with a block size of 128 bit

9、s 7 6.1 CLEFIA 7 Annex A (normative) Object identifiers 24 Annex B (informative) Test vectors . 26 Annex C (informative) Feature table . 39 Annex D (informative) A limitation of a block cipher under a single key 40 Bibliography 41 BS ISO/IEC 29192-2:2012 ISO/IEC 29192-2:2012(E) iv ISO/IEC 2012 All r

10、ights reservedForeword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards

11、through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC,

12、also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to

13、prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. ISO/IEC 29192-2 was prepared by Joi

14、nt Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Security techniques. ISO/IEC 29192 consists of the following parts, under the general title Information technology Security techniques Lightweight cryptography: Part 1: General Part 2: Block ciphers Part 3: Stream ciph

15、ers Part 4: Mechanisms using asymmetric techniques Further parts may follow. BS ISO/IEC 29192-2:2012 ISO/IEC 29192-2:2012(E) ISO/IEC 2012 All rights reserved vIntroduction This part of ISO/IEC 29192 specifies block ciphers suitable for lightweight cryptography, which are tailored for implementation

16、in constrained environments. ISO/IEC 29192-1 specifies the requirements for lightweight cryptography. A block cipher maps blocks of n bits to blocks of n bits, under the control of a key of k bits. The International Organization for Standardization (ISO) and the International Electrotechnical Commis

17、sion (IEC) draw attention to the fact that it is claimed that compliance with this document may involve the use of patents. ISO and IEC take no position concerning the evidence, validity and scope of these patent rights. The holder of these patent rights has assured ISO and IEC that he is willing to

18、 negotiate licences under reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect, the statement of the holder of these patent rights is registered with ISO and IEC. Information may be obtained from: Sony Corporation System Technologies Laboratori

19、es Attn Masanobu Katagi Gotenyama Tec. 5-1-12 Kitashinagwa Shinagawa-ku Tokyo 141-0001 Japan Tel. +81-3-5448-3701 Fax +81-3-5448-6438 E-mail Masanobu.K Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights other than those identified abo

20、ve. ISO and IEC shall not be held responsible for identifying any or all such patent rights. BS ISO/IEC 29192-2:2012BS ISO/IEC 29192-2:2012 INTERNATIONAL STANDARD ISO/IEC 29192-2:2012(E) ISO/IEC 2012 All rights reserved 1Information technology Security techniques Lightweight cryptography Part 2: Blo

21、ck ciphers 1 Scope This part of ISO/IEC 29192 specifies two block ciphers suitable for applications requiring lightweight cryptographic implementations: PRESENT: a lightweight block cipher with a block size of 64 bits and a key size of 80 or 128 bits; CLEFIA: a lightweight block cipher with a block

22、size of 128 bits and a key size of 128, 192 or 256 bits. 2 Normative references There are no normative references for this part of ISO/IEC 29192. 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1 block string of bits of defined length ISO/IEC 1

23、8033-1 3.2 block cipher symmetric encipherment system with the property that the encryption algorithm operates on a block of plaintext, i.e. a string of bits of a defined length, to yield a block of ciphertext ISO/IEC 18033-1 3.3 ciphertext data which has been transformed to hide its information con

24、tent ISO/IEC 9798-1 3.4 key sequence of symbols that controls the operation of a cryptographic transformation (e.g. encipherment, decipherment) BS ISO/IEC 29192-2:2012 ISO/IEC 29192-2:2012(E) 2 ISO/IEC 2012 All rights reservedNOTE Adapted from ISO/IEC 11770-1. 3.5 n-bit block cipher block cipher wit

25、h the property that plaintext blocks and ciphertext blocks are n bits in length ISO/IEC 10116 3.6 plaintext unenciphered information NOTE Taken from ISO/IEC 9797-1:1999. 3.7 round key sequence of symbols derived from the key using the key schedule, and used to control the transformation in each roun

26、d of the block cipher 4 Symbols 0x A prefix for a binary string in hexadecimal notation | Concatenation of bit strings a b Updating a value of a by a value of b Bitwise exclusive-OR operation 5 Lightweight block cipher with a block size of 64 bits 5.1 PRESENT 5.1.1 PRESENT algorithm The PRESENT algo

27、rithm 10 is a symmetric block cipher that can process data blocks of 64 bits, using a key of length 80 or 128 bits. The cipher is referred to as PRESENT-80 or PRESENT-128 when using an 80-bit or 128-bit key respectively. 5.1.2 PRESENT specific notations K i= k i 63 k i 064-bit round key that is used

28、 in round i k i bbit b of round key K iK = k 79 k 080-bit key register k bbit b of key register K STATE 64-bit internal state b ibit i of the current STATE w i4-bit word where 0 i 15 BS ISO/IEC 29192-2:2012 ISO/IEC 29192-2:2012(E) ISO/IEC 2012 All rights reserved 35.1.3 PRESENT encryption The PRESEN

29、T block cipher consists of 31 rounds, i.e. 31 applications of a sequence of simple transformations. A pseudocode description of the complete encryption algorithm is provided in Figure 1, where STATE denotes the internal state. The individual transformations used by the algorithm are defined in 5.1.5

30、. Each round of the algorithm uses a distinct round key K i(1 i 31), derived as specified in 5.1.6. Two consecutive rounds of the algorithm are shown for illustrative purposes in Figure 2. Figure 1 The encryption procedure of PRESENT Figure 2 Two rounds of PRESENT 5.1.4 PRESENT decryption The comple

31、te PRESENT decryption algorithm is given in Figure 3. The individual transformations used by the algorithm are defined in 5.1.5. Each round of the algorithm uses a distinct round key K i(1 i 31), derived as specified in 5.1.6. BS ISO/IEC 29192-2:2012 ISO/IEC 29192-2:2012(E) 4 ISO/IEC 2012 All rights

32、 reservedFigure 3 The decryption procedure of PRESENT 5.1.5 PRESENT transformations 5.1.5.1 addRoundKey Given round key K i= k i 63 k i 0for 1 i 32 and current STATE b 63 b 0 , addRoundKey consists of the operation for 0 j 63, b j b j k i j . 5.1.5.2 sBoxLayer The non-linear sBoxLayer of the encrypt

33、ion process of PRESENT uses a single 4-bit to 4-bit S-box S which is applied 16 times in parallel in each round. The S-box transforms the input x to an output S(x) as given in hexadecimal notation in Table 1. Table 1 PRESENT S-box x 0 1 2 3 4 5 6 7 8 9 A B C D E F S(x) C 5 6 B 9 0 A D 3 E F 8 4 7 1

34、2 For sBoxLayer the current STATE b 63 b 0is considered as sixteen 4-bit words w 15 w 0where w i= b 4*i+3 | b 4*i+2 | b 4*i+1 | b 4*ifor 0 i 15 and the output nibble S(w i ) provides the updated state values as a concatenation S(w 15 ) | S(w 14 ) | . | S(w 0 ). 5.1.5.3 invsBoxLayer The S-box used in

35、 the decryption procedure of PRESENT is the inverse of the 4-bit to 4-bit S-box S that is described in 5.1.5.2. The inverse S-box transforms the input x to an output S 1 (x) as given in hexadecimal notation in Table 2. Table 2 PRESENT inverse S-box x 0 1 2 3 4 5 6 7 8 9 A B C D E F S 1 (x) 5 E F 8 C

36、 1 2 D B 4 6 3 0 7 9 A BS ISO/IEC 29192-2:2012 ISO/IEC 29192-2:2012(E) ISO/IEC 2012 All rights reserved 55.1.5.4 pLayer The bit permutation pLayer used in the encryption routine of PRESENT is given by Table 3. Bit i of STATE is moved to bit position P(i). Table 3 PRESENT permutation layer pLayer i 0

37、 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 P(i) 0 16 32 48 1 17 33 49 2 18 34 50 3 19 35 51i 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 P(i) 4 20 36 52 5 21 37 53 6 22 38 54 7 23 39 55i 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 P(i) 8 24 40 56 9 25 41 57 10 26 42 58 11 27 43 59i 48 49 50 51 52

38、53 54 55 56 57 58 59 60 61 62 63 P(i) 12 28 44 60 13 29 45 61 14 30 46 62 15 31 47 635.1.5.5 invpLayer The inverse permutation layer invpLayer used in the decryption routine of PRESENT is given by Table 4. Bit i of STATE is moved to bit position P 1 (i). Table 4 PRESENT inverse permutation Layer inv

39、pLayer i 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 P 1 (i) 0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60i 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 P 1 (i) 1 5 9 13 17 21 25 29 33 37 41 45 49 53 57 61i 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 P 1 (i) 2 6 10 14 18 22 26 30 34 38 42 46 50 54 5

40、8 62i 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 P 1 (i) 3 7 11 15 19 23 27 31 35 39 43 47 51 55 59 635.1.6 PRESENT key schedule 5.1.6.1 PRESENT-80 and PRESENT-128 PRESENT can take keys of either 80 or 128 bits. In 5.1.6.2 the version with an 80-bit key (PRESENT-80) and in 5.1.6.3 the 128-bit v

41、ersion (PRESENT-128) is described. BS ISO/IEC 29192-2:2012 ISO/IEC 29192-2:2012(E) 6 ISO/IEC 2012 All rights reserved5.1.6.2 80-bit key for PRESENT-80 The user-supplied key is stored in a key register K and represented as k 79 k 78 k 0 . At round i the 64-bit round key K i= k i 63 k i 62 k i 0consis

42、ts of the 64 leftmost bits of the current contents of register K. Thus at round i we have that: K i= k i 63 k i 62. k i 0= k 79 k 78. k 16 . After extracting the round key K i , the key register K = k 79 k 78. k 0is updated as follows. 1) k 79 k 78. k 1 k 0 k 18 k 17. k 20 k 192) k 79 k 78 k 77 k 76

43、 Sk 79 k 78 k 77 k 76 3) k 19 k 18 k 17 k 16 k 15 k 19 k 18 k 17 k 16 k 15 round_counter In words, the key register is rotated by 61 bit positions to the left, the left-most four bits are passed through the PRESENT S-box, and the round_counter value i is exclusive-ORed with bits k 19 k 18 k 17 k 16

44、k 15of K where the least significant bit of round_counter is on the right. The rounds are numbered from 1 i 31 and round_counter = i. Figure 4 depicts the key schedule for PRESENT-80 graphically. Figure 4 PRESENT-80 key schedule 5.1.6.3 128-bit key for PRESENT-128 Similar to the 80-bit variant the u

45、ser-supplied key is stored initially in a key register K and is represented as k 127 k 126 k 0 . At round i the 64-bit round key K i= k i 63 k i 62 k i 0consists of the 64 leftmost bits of the current contents of register K. Thus at round i we have that: K i= k i 63 k i 62. k i 0= k 127 k 126. k 64

46、. After extracting the round key K i , the key register K = k 127 k 126. k 0is updated as follows. 1) k 127 k 126. k 1 k 0 k 66 k 65. k 68 k 672) k 127 k 126 k 125 k 124 Sk 127 k 126 k 125 k 124 3) k 123 k 122 k 121 k 120 Sk 123 k 122 k 121 k 120 4) k 66 k 65 k 64 k 63 k 62 k 66 k 65 k 64 k 63 k 62

47、round_counter BS ISO/IEC 29192-2:2012 ISO/IEC 29192-2:2012(E) ISO/IEC 2012 All rights reserved 7In words, the key register is rotated by 61 bit positions to the left, the left-most eight bits are passed through the PRESENT S-box, and the round_counter value i is exclusive-ORed with bits k 66 k 65 k

48、64 k 63 k 62of K where the least significant bit of round_counter is on the right. The rounds are numbered from 1 i 31 and round_counter = i. Figure 5 depicts the key schedule for PRESENT-128 graphically. Figure 5 PRESENT-128 key schedule 6 Lightweight block cipher with a block size of 128 bits 6.1

49、CLEFIA 6.1.1 CLEFIA algorithm The CLEFIA algorithm 14 is a symmetric block cipher that can process data blocks of 128 bits using a cipher key of length 128, 192, or 256 bits. The number of rounds is 18, 22 and 26 for CLEFIA with 128-bit, 192-bit and 256-bit keys, respectively. The total number of round keys depends on the key length. The CLEFIA encryption and decryption function