The SEED Encryption Algorithm
RFC 4009
Document  Type 
RFC  Informational
(February 2005; Errata)
Obsoleted by RFC 4269
Was draftparkseed (individual in sec area)



Authors  Jongwook Park , Jaeil Lee , Sungjae Lee , Jeeyeon Kim  
Last updated  20130302  
Stream  IETF  
Formats  plain text html pdf htmlized bibtex  
Stream  WG state  (None)  
Document shepherd  No shepherd assigned  
IESG  IESG state  RFC 4009 (Informational)  
Consensus Boilerplate  Unknown  
Telechat date  
Responsible AD  Russ Housley  
Send notices to  (None) 
Network Working Group J. Park Request for Comments: 4009 S. Lee Category: Informational J. Kim J. Lee KISA February 2005 The SEED Encryption Algorithm Status of This Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2005). Abstract This document describes the SEED encryption algorithm, which has been adopted by most of the security systems in the Republic of Korea. Included are a description of the cipher and the key scheduling algorithm (Section 2), the Sboxes (Appendix A), and a set of test vectors (Appendix B). 1. Introduction 1.1. SEED Overview SEED is a 128bit symmetric key block cipher that has been developed by KISA (Korea Information Security Agency) and a group of experts since 1998. SEED is a national standard encryption algorithm in South Korea [TTASSEED] and is designed to use the Sboxes and permutations that balance with the current computing technology. It has the Feistel structure with 16round and is strong against DC (Differential Cryptanalysis), LC (Linear Cryptanalysis), and related key attacks, balanced with security/efficiency tradeoff. Park, et al. Informational [Page 1] RFC 4009 The SEED Encryption Algorithm February 2005 The features of SEED are outlined as follows:  The Feistel structure with 16round  128bit input/output data block size  128bit key length  A round function strong against known attacks  Two 8x8 Sboxes  Mixed operations of XOR and modular addition SEED has been widely used in South Korea for confidential services such as electronic commerce; e.g., financial services provided in wired and wireless communication. 1.2. Notation The following notation is used in the description of the SEED encryption algorithm: & bitwise AND ^ bitwise exclusive OR + addition in modular 2**32  subtraction in modular 2**32  concatenation << n left circular rotation by n bits >> n right circular rotation by n bits 0x hexadecimal representation 2. The Structure of SEED The input/output block size of SEED is 128bit, and the key length is also 128bit. SEED has the 16round Feistel structure. A 128bit input is divided into two 64bit blocks (L, R), and the right 64bit block is an input to the round function F, with a 64bit subkey Ki generated from the key schedule. A pseudo code for the structure of SEED is as follows: for (i = 1; i <= 16; i++) { L = R; R = L ^ F(Ki, R); } Park, et al. Informational [Page 2] RFC 4009 The SEED Encryption Algorithm February 2005 2.1. The Round Function F SEED uses two 8x8 Sboxes, permutations, rotations, and basic modular operations such as exclusive OR (XOR) and additions to provide strong security, high speed, and simplicity in its implementation. A 64bit input block of the round function F is divided into two 32bit blocks (R0, R1) and wrapped with 4 phases:  A mixing phase of two 32bit subkey blocks (Ki0 , Ki1)  3 layers of function G (See Section 2.2), with additions for mixing two 32bit blocks The outputs (R0', R1') of function F are as follows: R0' = G[ G[ G[(R0 ^ Ki0) ^ (R1 ^ Ki1)] + (R0 ^ Ki0)] + G[(R0 ^ Ki0) ^ (R1 ^ Ki1)]] + G[ G[(R0 ^ Ki0) ^ (R1 ^ Ki1)] + (R0 ^ Ki0)] R1' = G[ G[ G[(R0 ^ Ki0) ^ (R1 ^ Ki1)] + (R0 ^ Ki0)] + G[(R0 ^ Ki0) ^ (R1 ^ Ki1)]] + G[ G[(R0 ^ Ki0) ^ (R1 ^ Ki1)] 2.2. The Function G The function G has two layers: a layer of two 8x8 Sboxes and a layer of block permutation of sixteen 8bit subblocks. The outputs Z (= Z0  Z1  Z2  Z3) of the function G with four 8bit inputs X (= X0  X1  X2  X3) are as follows: Z0 = {S1(X0) & m0} ^ {S2(X1) & m1} ^ {S1(X2) & m2} ^ {S2(X3) & m3} Z1 = {S1(X0) & m1} ^ {S2(X1) & m2} ^ {S1(X2) & m3} ^ {S2(X3) & m0} Z2 = {S1(X0) & m2} ^ {S2(X1) & m3} ^ {S1(X2) & m0} ^ {S2(X3) & m1} Z3 = {S1(X0) & m3} ^ {S2(X1) & m0} ^ {S1(X2) & m1} ^ {S2(X3) & m2} where m0 = 0xfc, m1 = 0xf3, m2 = 0xcf, and m3 = 0x3f. To increase the efficiency of G function, four extended Sboxes 'SSbox' (See Appendix A.2) are defined as follows:Show full document text