The SEED Encryption Algorithm
RFC 4009

Document Type RFC - Informational (February 2005; Errata)
Obsoleted by RFC 4269
Was draft-park-seed (individual in sec area)
Authors Jongwook Park  , Jaeil Lee  , Sungjae Lee  , Jeeyeon Kim 
Last updated 2013-03-02
Stream IETF
Formats plain text html pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4009 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Russ Housley
Send notices to (None)
Network Working Group                                            J. Park
Request for Comments: 4009                                        S. Lee
Category: Informational                                           J. Kim
                                                                  J. Lee
                                                           February 2005

                     The SEED Encryption Algorithm

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).


   This document describes the SEED encryption algorithm, which has been
   adopted by most of the security systems in the Republic of Korea.
   Included are a description of the cipher and the key scheduling
   algorithm (Section 2), the S-boxes (Appendix A), and a set of test
   vectors (Appendix B).

1.  Introduction

1.1.  SEED Overview

   SEED is a 128-bit symmetric key block cipher that has been developed
   by KISA (Korea Information Security Agency) and a group of experts
   since 1998.  SEED is a national standard encryption algorithm in
   South Korea [TTASSEED] and is designed to use the S-boxes and
   permutations that balance with the current computing technology.  It
   has the Feistel structure with 16-round and is strong against DC
   (Differential Cryptanalysis), LC (Linear Cryptanalysis), and related
   key attacks, balanced with security/efficiency trade-off.

Park, et al.                 Informational                      [Page 1]
RFC 4009             The SEED Encryption Algorithm         February 2005

   The features of SEED are outlined as follows:

     -  The Feistel structure with 16-round
     -  128-bit input/output data block size
     -  128-bit key length
     -  A round function strong against known attacks
     -  Two 8x8 S-boxes
     -  Mixed operations of XOR and modular addition

   SEED has been widely used in South Korea for confidential services
   such as electronic commerce; e.g., financial services provided in
   wired and wireless communication.

1.2.  Notation

   The following notation is used in the description of the SEED
   encryption algorithm:

      &             bitwise AND
      ^             bitwise exclusive OR
      +             addition in modular 2**32
      -             subtraction in modular 2**32
      ||            concatenation
      << n          left circular rotation by n bits
      >> n          right circular rotation by n bits
      0x            hexadecimal representation

2.  The Structure of SEED

   The input/output block size of SEED is 128-bit, and the key length is
   also 128-bit.  SEED has the 16-round Feistel structure.  A 128-bit
   input is divided into two 64-bit blocks (L, R), and the right 64-bit
   block is an input to the round function F, with a 64-bit subkey Ki
   generated from the key schedule.

   A pseudo code for the structure of SEED is as follows:

     for (i = 1; i <= 16; i++)
       L = R;
       R = L ^ F(Ki, R);

Park, et al.                 Informational                      [Page 2]
RFC 4009             The SEED Encryption Algorithm         February 2005

2.1.  The Round Function F

   SEED uses two 8x8 S-boxes, permutations, rotations, and basic modular
   operations such as exclusive OR (XOR) and additions to provide strong
   security, high speed, and simplicity in its implementation.

   A 64-bit input block of the round function F is divided into two
   32-bit blocks (R0, R1) and wrapped with 4 phases:

      -  A mixing phase of two 32-bit subkey blocks (Ki0 , Ki1)
      -  3 layers of function G (See Section 2.2), with additions for
         mixing two 32-bit blocks

   The outputs (R0', R1') of function F are as follows:

     R0' = G[ G[ G[(R0 ^ Ki0) ^ (R1 ^ Ki1)] + (R0 ^ Ki0)] + G[(R0 ^ Ki0)
            ^ (R1 ^ Ki1)]] + G[ G[(R0 ^ Ki0) ^ (R1 ^ Ki1)] + (R0 ^ Ki0)]

     R1' = G[ G[ G[(R0 ^ Ki0) ^ (R1 ^ Ki1)] + (R0 ^ Ki0)] + G[(R0 ^ Ki0)
            ^ (R1 ^ Ki1)]] + G[ G[(R0 ^ Ki0) ^ (R1 ^ Ki1)]

2.2.  The Function G

   The function G has two layers: a layer of two 8x8 S-boxes and a layer
   of block permutation of sixteen 8-bit sub-blocks.  The outputs
   Z (= Z0 || Z1 || Z2 || Z3) of the function G with four 8-bit inputs
   X (= X0 || X1 || X2 || X3) are as follows:

    Z0 = {S1(X0) & m0} ^ {S2(X1) & m1} ^ {S1(X2) & m2} ^ {S2(X3) & m3}
    Z1 = {S1(X0) & m1} ^ {S2(X1) & m2} ^ {S1(X2) & m3} ^ {S2(X3) & m0}
    Z2 = {S1(X0) & m2} ^ {S2(X1) & m3} ^ {S1(X2) & m0} ^ {S2(X3) & m1}
    Z3 = {S1(X0) & m3} ^ {S2(X1) & m0} ^ {S1(X2) & m1} ^ {S2(X3) & m2}

   where m0 = 0xfc, m1 = 0xf3, m2 = 0xcf, and m3 = 0x3f.

   To increase the efficiency of G function, four extended S-boxes
   'SS-box' (See Appendix A.2) are defined as follows:
Show full document text