The 128-Bit Blockcipher CLEFIA
RFC 6114

Approval announcement
Draft of message to be sent after approval:

From: The IESG <>
To: RFC Editor <>,
Cc: The IESG <>, <>, <>
Subject: Re: Informational RFC to be: <draft-katagi-clefia-03.txt>

The IESG has no problem with the publication of 'The 128-bit Blockcipher
CLEFIA' <draft-katagi-clefia-03.txt> as an Informational RFC.

The IESG would also like the RFC-Editor to review the comments in
the datatracker (
related to this document and determine whether or not they merit
incorporation into the document. Comments may exist in both the ballot
and the comment log.

A URL of this Internet Draft is:

The process for such documents is described at

Thank you,

The IESG Secretary

Technical Summary

   Relevant content can frequently be found in the abstract
   and/or introduction of the document.  If not, this may be 
   an indication that there are deficiencies in the abstract
   or introduction.

Working Group Summary

   This is an independent stream submission.

Document Quality

The CLEFIA cipher appears to be quite good.  It has been invented for
"lightweight" cryptography.  In three years since CLEFIA has been
announced, the only attacks that were found were those where a fault was
introduced in the later rounds of CLEFIA.  This might be theoretically
interesting but not very practical, as far as I can tell.  On the other
hand, there were papers – mostly, in Japanese, but also two independent
ones in English, presented at the Indocrypt and the Inscrypt conferences -
where the authors demonstrated the futility of many commonly known
attacks.  They could not even break CLEFIA with a reduced number of
There are some similarities between CLEFIA and AES.  The block size and
the available key sizes are the same in both algorithms. Both algorithms
employ the substitution tables (S-boxes) and each one uses key scheduling.

  CLEFIA uses the Feistel structure and this is the construction that
makes the only known attach – the fault induction attack described in the
previous paragraph – possible.    My guess is that the Feistel structure
was needed to produce a “lightweight” algorithm. 


   Tim Polk reviewed this document for the IESG.  Allen Roginsky
   performed a more detailed review of the algorithm.

RFC Editor Note

Proposed response to the RFC Editor
   1. The IESG has concluded that there is no conflict between this
   document and IETF work.