ISO/IEC 29192-2:2012

INTERNATIONAL ISO/IEC
STANDARD 29192-2
First edition
2012-01-15

Information technology — Security
techniques — Lightweight cryptography
Part 2:
Block ciphers
Technologies de l'information — Techniques de sécurité —
Cryptographie pour environnements contraints
Partie 2: Chiffrements par blocs




Reference number
ISO/IEC 29192-2:2012(E)
©
ISO/IEC 2012

---------------------- Page: 1 ----------------------
ISO/IEC 29192-2:2012(E)

COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2012
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2012 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 29192-2:2012(E)
Contents Page
Foreword . iv
Introduction . v
1  Scope . 1
2  Normative references . 1
3  Terms and definitions . 1
4  Symbols . 2
5  Lightweight block cipher with a block size of 64 bits . 2
5.1  PRESENT . 2
6  Lightweight block cipher with a block size of 128 bits . 7
6.1  CLEFIA . 7
Annex A (normative) Object identifiers . 24
Annex B (informative) Test vectors . 26
Annex C (informative) Feature table . 39
Annex D (informative) A limitation of a block cipher under a single key . 40
Bibliography . 41

© ISO/IEC 2012 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 29192-2:2012(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
ISO/IEC 29192-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Security techniques.
ISO/IEC 29192 consists of the following parts, under the general title Information technology — Security
techniques — Lightweight cryptography:
 Part 1: General
 Part 2: Block ciphers
 Part 3: Stream ciphers
 Part 4: Mechanisms using asymmetric techniques
Further parts may follow.
iv © ISO/IEC 2012 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 29192-2:2012(E)
Introduction
This part of ISO/IEC 29192 specifies block ciphers suitable for lightweight cryptography, which are tailored for
implementation in constrained environments.
ISO/IEC 29192-1 specifies the requirements for lightweight cryptography.
A block cipher maps blocks of n bits to blocks of n bits, under the control of a key of k bits.
The International Organization for Standardization (ISO) and the International Electrotechnical Commission
(IEC) draw attention to the fact that it is claimed that compliance with this document may involve the use of
patents.
ISO and IEC take no position concerning the evidence, validity and scope of these patent rights.
The holder of these patent rights has assured ISO and IEC that he is willing to negotiate licences under
reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect,
the statement of the holder of these patent rights is registered with ISO and IEC. Information may be obtained
from:
Sony Corporation
System Technologies Laboratories
Attn Masanobu Katagi
Gotenyama Tec. 5-1-12 Kitashinagwa Shinagawa-ku
Tokyo
141-0001 Japan
Tel. +81-3-5448-3701
Fax +81-3-5448-6438
E-mail Masanobu.Katagi@jp.sony.com
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights other than those identified above. ISO and IEC shall not be held responsible for identifying any or all
such patent rights.

© ISO/IEC 2012 – All rights reserved v

---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 29192-2:2012(E)

Information technology — Security techniques — Lightweight
cryptography
Part 2:
Block ciphers
1 Scope
This part of ISO/IEC 29192 specifies two block ciphers suitable for applications requiring lightweight
cryptographic implementations:
 PRESENT: a lightweight block cipher with a block size of 64 bits and a key size of 80 or 128 bits;
 CLEFIA: a lightweight block cipher with a block size of 128 bits and a key size of 128, 192 or 256 bits.
2 Normative references
There are no normative references for this part of ISO/IEC 29192.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
block
string of bits of defined length
[ISO/IEC 18033-1]
3.2
block cipher
symmetric encipherment system with the property that the encryption algorithm operates on a block of
plaintext, i.e. a string of bits of a defined length, to yield a block of ciphertext
[ISO/IEC 18033-1]
3.3
ciphertext
data which has been transformed to hide its information content
[ISO/IEC 9798-1]
3.4
key
sequence of symbols that controls the operation of a cryptographic transformation (e.g. encipherment,
decipherment)
© ISO/IEC 2012 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/IEC 29192-2:2012(E)
NOTE Adapted from ISO/IEC 11770-1.
3.5
n-bit block cipher
block cipher with the property that plaintext blocks and ciphertext blocks are n bits in length
[ISO/IEC 10116]
3.6
plaintext
unenciphered information
NOTE Taken from ISO/IEC 9797-1:1999.
3.7
round key
sequence of symbols derived from the key using the key schedule, and used to control the transformation in
each round of the block cipher
4 Symbols
0x A prefix for a binary string in hexadecimal notation
|| Concatenation of bit strings
a ← b Updating a value of a by a value of b
 Bitwise exclusive-OR operation
5 Lightweight block cipher with a block size of 64 bits
5.1 PRESENT
5.1.1 PRESENT algorithm
The PRESENT algorithm [10] is a symmetric block cipher that can process data blocks of 64 bits, using a key
of length 80 or 128 bits. The cipher is referred to as PRESENT-80 or PRESENT-128 when using an 80-bit or
128-bit key respectively.
5.1.2 PRESENT specific notations
i i
K = k …k 64-bit round key that is used in round i
i 63 0
i
k  bit b of round key K
b i
K = k … k 80-bit key register
79 0
k  bit b of key register K
b
STATE 64-bit internal state
b  bit i of the current STATE
i
w  4-bit word where 0 ≤ i ≤ 15
i
2 © ISO/IEC 2012 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC 29192-2:2012(E)
5.1.3 PRESENT encryption
The PRESENT block cipher consists of 31 ‘rounds’, i.e. 31 applications of a sequence of simple
transformations. A pseudocode description of the complete encryption algorithm is provided in Figure 1, where
STATE denotes the internal state. The individual transformations used by the algorithm are defined in 5.1.5.
Each round of the algorithm uses a distinct round key K (1  i  31), derived as specified in 5.1.6. Two
i
consecutive rounds of the algorithm are shown for illustrative purposes in Figure 2.

Figure 1 — The encryption procedure of PRESENT


Figure 2 — Two rounds of PRESENT

5.1.4 PRESENT decryption
The complete PRESENT decryption algorithm is given in Figure 3. The individual transformations used by the
algorithm are defined in 5.1.5. Each round of the algorithm uses a distinct round key K (1  i  31), derived as
i
specified in 5.1.6.
© ISO/IEC 2012 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO/IEC 29192-2:2012(E)

Figure 3 — The decryption procedure of PRESENT

5.1.5 PRESENT transformations
5.1.5.1 addRoundKey
i i
Given round key K = k …k for 1 ≤ i ≤ 32 and current STATE b …b , addRoundKey consists of the
i 63 0 63 0
i
operation for 0 ≤ j ≤ 63, b ← b  k .
j j j
5.1.5.2 sBoxLayer
The non-linear sBoxLayer of the encryption process of PRESENT uses a single 4-bit to 4-bit S-box S which is
applied 16 times in parallel in each round. The S-box transforms the input x to an output S(x) as given in
hexadecimal notation in Table 1.
Table 1 — PRESENT S-box
0 1 2 3 4 5 6 7 8 9 A B C D E F
x
S(x)
C 5 6 B 9 0 A D 3 E F 8 4 7 1 2

For sBoxLayer the current STATE b …b is considered as sixteen 4-bit words w …w where w = b || b
63 0 15 0 i 4*i+3 4*i+2
|| b || b for 0 ≤ i ≤ 15 and the output nibble S(w ) provides the updated state values as a concatenation S(w )
4*i+1 4*i i 15
|| S(w ) || . || S(w ).
14 0
5.1.5.3 invsBoxLayer
The S-box used in the decryption procedure of PRESENT is the inverse of the 4-bit to 4-bit S-box S that is
−1
described in 5.1.5.2. The inverse S-box transforms the input x to an output S (x) as given in hexadecimal
notation in Table 2.
Table 2 — PRESENT inverse S-box
0 1 2 3 4 5 6 7 8 9 A B C D E F
x
−1
5 E F 8 C 1 2 D B 4 6 3 0 7 9 A
S (x)
4 © ISO/IEC 2012 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/IEC 29192-2:2012(E)
5.1.5.4 pLayer
The bit permutation pLayer used in the encryption routine of PRESENT is given by Table 3. Bit i of STATE is
moved to bit position P(i).
Table 3 — PRESENT permutation layer pLayer
i 0 1
2 3 4 5 6 7 8 9 10 11 12 13 14 15
P(i) 0 16 32 48 1 17 33 49 2 18 34 50 3 19 35 51


i 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
P(i)
4 20 36 52 5 21 37 53 6 22 38 54 7 23 39 55

i 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
P(i) 8 24 40 56 9 25 41 57 10 26 42 58 11 27 43 59

i 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
P(i) 12 28 44 60 13 29 45 61 14 30 46 62 15 31 47 63

5.1.5.5 invpLayer
The inverse permutation layer invpLayer used in the decryption routine of PRESENT is given by Table 4. Bit i
−1
of STATE is moved to bit position P (i).
Table 4 — PRESENT inverse permutation Layer invpLayer
i 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
−1
P (i) 0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60

i 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
−1
P (i) 1 5 9 13 17 21 25 29 33 37 41 45 49 53 57 61

i 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
−1
P (i) 2 6 10 14 18 22 26 30 34 38 42 46 50 54 58 62

i 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
−1
P (i) 3 7 11 15 19 23 27 31 35 39 43 47 51 55 59 63


5.1.6 PRESENT key schedule
5.1.6.1 PRESENT-80 and PRESENT-128
PRESENT can take keys of either 80 or 128 bits. In 5.1.6.2 the version with an 80-bit key (PRESENT-80) and
in 5.1.6.3 the 128-bit version (PRESENT-128) is described.
© ISO/IEC 2012 – All rights reserved 5

---------------------- Page: 10 ----------------------
ISO/IEC 29192-2:2012(E)
5.1.6.2 80-bit key for PRESENT-80
The user-supplied key is stored in a key register K and represented as k k … k . At round i the 64-bit round
79 78 0
i i i
key K = k k … k consists of the 64 leftmost bits of the current contents of register K. Thus at round i we
i 63 62 0
have that:
i i i
K = k k . k = k k . k .
i 63 62 0 79 78 16
After extracting the round key K , the key register K = k k . k is updated as follows.
i 79 78 0
1) k k . k k ← k k . k k
79 78 1 0 18 17 20 19
2) k k k k ← S[k k k k ]
79 78 77 76 79 78 77 76
3) k k k k k ← k k k k k  round_counter
19 18 17 16 15 19 18 17 16 15
In words, the key register is rotated by 61 bit positions to the left, the left-most four bits are passed through the
PRESENT S-box, and the round_counter value i is exclusive-ORed with bits k k k k k of K where the least
19 18 17 16 15
significant bit of round_counter is on the right. The rounds are numbered from 1 ≤ i ≤ 31 and round_counter = i.
Figure 4 depicts the key schedule for PRESENT-80 graphically.


Figure 4 — PRESENT-80 key schedule

5.1.6.3 128-bit key for PRESENT-128
Similar to the 80-bit variant the user-supplied key is stored initially in a key register K and is represented as
i i i
k k … k . At round i the 64-bit round key K = k k … k consists of the 64 leftmost bits of the current
127 126 0 i 63 62 0
contents of register K. Thus at round i we have that:
i i i
K = k k . k = k k . k .
i 63 62 0 127 126 64
After extracting the round key K , the key register K = k k . k is updated as follows.
i 127 126 0
1) k k . k k ← k k . k k
127 126 1 0 66 65 68 67
2) k k k k ← S[k k k k ]
127 126 125 124 127 126 125 124
3) k k k k ← S[k k k k ]
123 122 121 120 123 122 121 120
4) k k k k k ← k k k k k  round_counter
66 65 64 63 62 66 65 64 63 62
6 © ISO/IEC 2012 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/IEC 29192-2:2012(E)
In words, the key register is rotated by 61 bit positions to the left, the left-most eight bits are passed through
the PRESENT S-box, and the round_counter value i is exclusive-ORed with bits k k k k k of K where the
66 65 64 63 62
least significant bit of round_counter is on the right. The rounds are numbered from 1 ≤ i ≤ 31 and round_counter
= i. Figure 5 depicts the key schedule for PRESENT-128 graphically.


Figure 5 — PRESENT-128 key schedule
6 Lightweight block cipher with a block size of 128 bits
6.1 CLEFIA
6.1.1 CLEFIA algorithm
The CLEFIA algorithm [14] is a symmetric block cipher that can process data blocks of 128 bits using a cipher
key of length 128, 192, or 256 bits. The number of rounds is 18, 22 and 26 for CLEFIA with 128-bit, 192-bit
and 256-bit keys, respectively. The total number of round keys depends on the key length. The CLEFIA
encryption and decryption functions require 36, 44 and 52 round keys for 128-bit, 192-bit and 256-bit keys,
respectively.
6.1.2 CLEFIA specific notations

a bit string of bit length b
(b)
n
{0,1} A set of n-bit binary strings
n
 Multiplication in GF(2 )
 i i-bit left cyclic shift operation
~
a Bitwise complement of bit string a
n

 n times operations of the DoubleSwap function 
© ISO/IEC 2012 – All rights reserved 7

---------------------- Page: 12 ----------------------
ISO/IEC 29192-2:2012(E)
6.1.3 CLEFIA encryption
The encryption process of CLEFIA is based on the 4-branch r-round generalized Feistel structure GFN . Let
4,r
128 32
P, C  {0,1} be a plaintext and a ciphertext. Let P , C  {0,1} (0 i < 4) be divided plaintexts and
i i
32
ciphertexts where P = P || P || P || P and C = C || C || C || C . Let WK , WK , WK , WK  {0,1} be whitening
0 1 2 3 0 1 2 3 0 1 2 3
32
keys and RK  {0,1} (0  i < 2r) be round keys provided by the key schedule. Then, r-round encryption
i
function ENC is defined as follows:
r
ENC :
r
1) T || T || T || T ← P || (P  WK ) || P || (P  WK )
0 1 2 3 0 1 0 2 3 1
2) T || T || T || T ← GFN (RK , ., RK , T , T , T , T )
0 1 2 3 4,r 0 2r-1 0 1 2 3
3) C || C || C || C ← T || (T  WK ) || T || (T  WK )
0 1 2 3 0 1 2 2 3 3
6.1.4 CLEFIA decryption
The decryption function DEC is defined as follows:
r
DEC :
r
1) T || T || T || T ← C || (C  WK ) || C || (C  WK )
0 1 2 3 0 1 2 2 3 3
−1
2) T || T || T || T ← GFN (RK , ., RK , T , T , T , T )
0 1 2 3 4,r 0 2r-1 0 1 2 3
3) P || P || P || P ← T || (T  WK ) || T || (T  WK )
0 1 2 3 0 1 0 2 3 1
Figure 6 illustrates both ENC and DEC .
r r
8 © ISO/IEC 2012 – All rights reserved

---------------------- Page: 13 ----------------------
ISO/IEC 29192-2:2012(E)
P P P P C C C C
0 1 2 3 0 1 2 3
32 32 32 32 32 32 32 32
/ / / / / / / /
RK RK
2r−2 2r−1
RK WK RK WK WK WK
0 0 1 1 2 3
F F F F
0 1 0 1
RK RK RK RK
2 3 2r−4 2r−3
F F F F
0 1 0 1
RK RK
RK RK 2r−6 2r−5
4 5
F F F F
0 1 0 1
. . . . . . . .
. . . . . . . .
. . . . . . . .
RK RK
2r−6 2r−5 RK RK
4 5
F F F F
0 1 0 1
RK RK
2r−4 2r−3 RK RK
2 3
F F F F
0 1 0 1
RK RK
RK RK
2r−2 2r−1 0 1
F F F F
0 1 0 1
WK WK WK WK
2 3 0 1
32 32 32 32 32 32 32 32
/ / / / / / / /
C C C C P P P P
0 1 2 3 0 1 2 3
ENC DEC
r r

Figure 6 — The encryption procedure and the decryption procedure of CLEFIA

6.1.5 CLEFIA building blocks
6.1.5.1 GFN
d,r
The fundamental structure of CLEFIA is a generalized Feistel structure. This structure is employed in both a
data processing part and a key schedule part.
CLEFIA uses a 4-branch and an 8-branch generalized Feistel network. The 4-branch generalized Feistel
network is used in the data processing part and the key schedule for a 128-bit key. The 8-branch generalized
Feistel network is applied in the key schedule for a 192-bit/256-bit key. We denote d-branch r-round
generalized Feistel network employed in CLEFIA as GFN . GFN uses two different 32-bit F-functions F and
d,r d,r 0
F .
1
© ISO/IEC 2012 – All rights reserved 9

---------------------- Page: 14 ----------------------
ISO/IEC 29192-2:2012(E)
For d pairs of 32-bit input X and output Y (0  i < d), and dr/2 32-bit round keys RK (0  i < dr/2), GFN (d = 4,
i i i d,r
−1
8) and the inverse function GFN (d = 4) are defined as follows.
d,r
GFN :
4,r
1) T || T || T || T ← X || X || X || X
0 1 2 3 0 1 2 3
2) For i = 0 to r − 1 do the following:
2.1)  T ← T  F (RK , T )
1 1 0 2i 0
T ← T  F (RK , T )
3 3 1 2i + 1 2
2.2)  T || T || T || T ← T || T || T || T
0 1 2 3 1 2 3 0
3) Y || Y || Y || Y ← T || T || T || T
0 1 2 3 3 0 1 2
GFN :
8,r
1) T || T || . || T ← X || X || . || X
0 1 7 0 1 7
2) For i = 0 to r − 1 do the following:
2.1)  T ← T  F (RK , T )
1 1 0 4i 0
T ← T  F (RK , T )
3 3 1 4i + 1 2
T ← T  F (RK , T )
5 5 0 4i + 2 4
T ← T  F (RK , T )
7 7 1 4i + 3 6
2.2)  T || T || . || T || T ← T || T || . || T || T
0 1 6 7 1 2 7 0
3) Y || Y || . || Y || Y ← T || T || . || T || T
0 1 6 7 7 0 5 6
−1
The inverse function GFN is obtained by changing the order of RK and the direction of word rotation at 2.2)
4,r i
and 3) in GFN .
4,r
−1
GFN :
4,r
1) T || T || T || T ← X || X || X || X
0 1 2 3 0 1 2 3
2) For i = 0 to r − 1 do the following:
2.1)  T ← T  F (RK , T )
1 1 0 2(r - i) - 2 0
T ← T  F (RK , T )
3 3 1 2(r - i) - 1 2
2.2)  T || T || T || T ← T || T || T || T
0 1 2 3 3 0 1 2
3) Y || Y || Y || Y ← T || T || T || T
0 1 2 3 1 2 3 0
10 © ISO/IEC 2012 – All rights reserved

---------------------- Page: 15 ----------------------
ISO/IEC 29192-2:2012(E)
6.1.5.2 F-functions

Two F-functions F and F used in GFN are defined as follows:
0 1 d,r
F : (RK , x )  y
0 (32) (32) (32)
1) V ← RK  x
8
2) Let V = V || V || V || V , V  {0,1} .
0 1 2 3 i
V ← S (V )
0 0 0
V ← S (V )
1 1 1
V ← S (V )
2 0 2
V ← S (V )
3 1 3
8
3) Let y = y || y || y || y , y  {0,1} .
0 1 2 3 i
 y  V 
0 0
   
y V
   
1 1
 M
  0 
y V
2 2
   
   
y V
3 3
   
F : (RK , x )  y
1 (32) (32) (32)
1) V ← RK  x
8
2) Let V = V || V || V || V , V  {0,1} .
0 1 2 3 i
V ← S (V )
0 1 0
V ← S (V )
1 0 1
V ← S (V )
2 1 2
V ← S (V )
3 0 3
8
3) Let y = y || y || y || y , y  {0,1} .
0 1 2 3 i
y V
   
0 0
   
y V
   
1 1
 M
1
   
y V
2 2
   
   
y V
 3  3
S and S are nonlinear 8-bit S-boxes, and M and M are 4x4 diffusion matrices described in the following
0 1 0 1
clause. In each F-function two S-boxes and a matrix are used, but the S-boxes are used in a different order
and the matrices differ. Figure 7 shows a graphical representation of the F-functions.
© ISO/IEC 2012 – All rights reserved 11

---------------------- Page: 16 ----------------------
ISO/IEC 29192-2:2012(E)
k k k k
0 1 2 3
k k k k
0 1 2 3
8888
//// 8888
////
8 8
8 8
x y
0 / S / 0 x y
0 0 / / 0
S
1
8 8
8 8
x y
1 / S / 1 x y
1 1 / S / 1
0
M
0
M
1
8 8
8 8
x y
2 / S / 2 x y
0 2 / S / 2
1
8 8
8 8
x y
3 / S / 3 x y
1 3 / S / 3
0
F
0 F
1

Figure 7 — F-functions
6.1.5.3 S-boxes

CLEFIA employs two different types of 8-bit S-boxes S and S : S is based on four 4-bit random S-boxes, and
0 1 0
8
S is based on the inverse function over GF(2 ).
1
Tables 5 and 6 show the output values of S and S , respectively. In these tables all values are expressed in a
0 1
hexadecimal notation. For an 8-bit input of an S-box, the upper 4 bits indicate a row and the lower 4 bits
indicate a column. For example, if a value 0xab is input, 0x7e is output by S because it is on the cross line of
0
the row indexed by 'a.' and the column indexed by '.b'.
Table 5 — S
0
.0 .1 .2 .3 .4 .5 .6 .7 .8 .9 .a .b .c .d .e .f
0. 57 49 d1 c6 2f 33 74 fb 95 6d 82 ea 0e b0 a8 1c
1. 28 d0 4b 92 5c ee 85 b1 c4 0a 76 3d 63 f9 17 af
2. bf a1 19 65 f7 7a 32 20 06 ce e4 83 9d 5b 4c d8
3. 42 5d 2e e8 d4 9b 0f 13 3c 89 67 c0 71 aa b6 f5
4. a4 be fd 8c 12 00 97 da 78 e1 cf 6b 39 43 55 26
5. 30 98 cc dd eb 54 b3 8f 4e 16 fa 22 a5 77 09 61
6. d6 2a 53 37 45 c1 6c ae ef 70 08 99 8b 1d f2 b4
7. e9 c7 9f 4a 31 25 fe 7c d3 a2 bd 56 14 88 60 0b
8. cd e2 34 50 9e dc 11 05 2b b7 a9 48 ff 66 8a 73
9. 03 75 86 f1 6a a7 40 c2 b9 2c db 1f 58 94 3e ed
a. fc 1b a0 04 b8 8d e6 59 62 93 35 7e ca 21 df 47
b. 15 f3 ba 7f a6 69 c8 4d 87 3b 9c 01 e0 de 24 52
c. 7b 0c 68 1e 80 b2 5a e7 ad d5 23 f4 46 3f 91 c9
d. 6e 84 72 bb 0d 18 d9 96 f0 5f 41 ac 27 c5 e3 3a
e. 81 6f 07 a3 79 f6 2d 38 1a 44 5e b5 d2 ec cb 90
f. 9a 36 e5 29 c3 4f ab 64 51 f8 10 d7 bc 02 7d 8e
12 © ISO/IEC 2012 – All rights reserved

---------------------- Page: 17 ----------------------
ISO/IEC 29192-2:2012(E)
Table 6 — S
1
.0 .1 .2 .3 .4 .5 .6 .7 .8 .9 .a .b .c .d .e .f
0.
6c da c3 e9 4e 9d 0a 3d b8 36 b4 38 13 34 0c d9
1. bf 74 94 8f b7 9c e5 dc 9e 07 49 4f 98 2c b0 93
2. 12 eb cd b3 92 e7 41 60 e3 21 27 3b e6 19 d2 0e
3. 91 11 c7 3f 2a 8e a1 bc 2b c8 c5 0f 5b f3 87 8b
4. fb f5 de 20 c6 a7 84 ce d8 65 51 c9 a4 ef 43 53
5. 25 5d 9b 31 e8 3e 0d d7 80 ff 69 8a ba 0b 73 5c
6. 6e 54 15 62 f6 35 30 52 a3 16 d3 28 32 fa aa 5e
7.
cf ea ed 78 33 58 09 7b 63 c0 c1 46 1e df a9 99
8. 55 04 c4 86 39 77 82 ec 40 18 90 97 59 dd 83 1f
9. 9a 37 06 24 64 7c a5 56 48 08 85 d0 61 26 ca 6f
a. 7e 6a b6 71 a0 70 05 d1 45 8c 23 1c f0 ee 89 ad
b. 7a 4b c2 2f db 5a 4d 76 67 17 2d f4 cb b1 4a a8
c.
b5 22 47 3a d5 10 4c 72 cc 00 f9 e0 fd e2 fe ae
d. f8 5f ab f1 1b 42 81 d6 be 44 29 a6 57 b9 af f2
e. d4 75 66 bb 68 9f 50 02 01 3c 7f 8d 1a 88 bd ac
f. f7 e4 79 96 a2 fc 6d b2 6b 03 e1 2e 7d 14 95 1d

a) S-box S
0
8 8
S : {0,1} → {0,1} : x  y = S (x) is generated by combining four 4-bit S-boxes SS , SS , SS and SS in the
0 0 0 1 2 3
following way. The values of these S-boxes are defined in Table 7.
4
1) t ← SS (x ), t ← SS (x ), where x = x || x , x{0, 1}
0 0 0 1 1 1 0 1 i
2) u ← t  0x2 t , u ← 0x2 t  t
0 0 1 1 0 1
4
3) y ← SS (u ), y ← SS (u ), where y = y || y , y  {0, 1}
0 2 0 1 3 1 0 1 i
4 4
The multiplication in 0x2 t is performed in GF(2 ) defined by the lexicographically first primitive polynomial z
i
+ z + 1. Figure 8 shows the construction of S .
0
Table 7 — SS (0  i  4)
i
x 0 1 2 3 4 5 6 7 8 9 a b c d e f
e 6 c a 8 7 2 f b 1 4 0 5 9 d 3
SS (x)
0
SS (x) 6 4 0 d 2 b a 3 9 c e f 8 7 5 1
1
b 8 5 e a 6 4 c f 7 2 3 1 0 d 9
SS (x)
2
SS (x) a 2 6 d 3 4 5 e 0 7 8 9 b f c 1
3

© ISO/IEC 2012 – All rights reserved 13

---------------------- Page: 18 ----------------------
ISO/IEC 29192-2:2012(E)
4 4
x SS SS y
0 / 0 2 / 0
×2
×2
4 4
x y
1 / SS SS / 1
1 3

Figure 8 — S
0
b) S-box S
1
8 8
S : {0,1} → {0,1} : x  y = S (x) is defined as follows:
1 1
1
 g(( f (x)) ) if f (x) 0
y

g(0) if f (x) 0

8 8 4 3 2
The inverse function is performed in GF(2 ) defined by a primitive polynomial z + z + z + z + 1 (= 0x11d).
f and g are affine transformations over GF(2), which are defined as follows.
8 8
f : {0,1} → {0,1} : x  y = f(x),
y 0 0 0 1 1 0 0 0 x 0
      
0 0
      
y 0 1 0 1 0 0 0 1 x 0
      
1 1
      
y 0 0 0 0 0 0 0 1 x 0
2 2
      
 y  0 0 0 0 0 1 1 0 x  1
3 3
 
      
y 0 1 1 0 0 1 0 1 x 1
4 4
      
      
y 0 1 0 1 1 1 0 0 x 1
5 5
      
y 0 1 1 0 0 0 0 0 x 1
 6   6  
 
    
y 1 0 0 0 0 0 0 1 x 0
 7   7  
8 8
g : {0,1} → {0,1} : x  y = g(x),
y x
  0 0 0 0 1 0 1 0  0
0 0

     
y x
0 1 0 0 0 0 0 1 1
      
1 1
      
y x
0 1 0 1 1 0 0 0 1
2 2
      
y x
  0 0 1 0 0 0 0 0  0
3 3
 
      
y x
0 0 1 1 0 0 0 0 1
4 4

     
      
y x
0 0 0 0 0 0 1 0 0
5 5

     
y x
1 0 0 1 0 0 0 0 0
 6   6  
      
y x
0 1 0 0 0 1 0 0 1
7   7  

Here, x = x || x || x || x || x || x || x || x and y = y || y || y || y || y || y || y || y , x , y  {0,1}. The constants in f
0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 i i
and g can be represented as 0x1e and 0x69, respectively.
14 © ISO/IEC 2012 – All rights reserved

---------------------- Page: 19 ----------------------
ISO/IEC 29192-2:2012(E)
6.1.5.4 Diffusion matrices

The matrices M and M are defined as follows.
0 1
01 02 04 06 01 08 02 0a
   
   
02 01 06 04 08 01 0a 02
   
M = ,   M = .
0 1
   
04 06 01 02 02 0a 01 08
   
   
06 04 02 01 0a 02 08 01
   
8
The multiplications of a matrix and a vector are performed in GF(2 ) defined by the lexicographically first
8 4 3 2
primitive polynomial z + z + z + z + 1 ( = 0x11d).
6.1.6 CLEFIA key schedule
6.1.6.1 Overall structure
The key schedule of CLEFIA supports 128, 192 and 256-bit keys and outputs whitening keys WK (0  i < 4)
i
and round keys RK (0  j < 2r) for the data processing part. Let K be the key and L be an intermediate key.
j
The key schedule consists of the following two steps.
1) Generating L from K.
2) Expanding K and L (Generating WK and RK ).
i j
To generate L from K, the key schedule for a 128-bit key uses a 128-bit permutation GFN , while the key
4,12
schedules for 192/256-bit keys use a 256-bit permutation GFN .
8,10
6.1.6.2 Key schedule for a 128-bit key

The 128-bit intermediate key L is generated in step 1 by applying GFN which takes twenty-four 32-bit
4,12
(128)
constant values CON (0  i < 24) as round keys and K = K || K || K || K as an input. Then K and L are
i 0 1 2 3
used to generate WK (0  i < 4) and RK (0  j < 36) in steps 2 and 3. The thirty-six 32-bit constant values
i j
(128)

CON (24 i < 60) used in step 3 are defined in 6.1.6.6. The DoubleSwap function  is defined in 6.1.6.5.
i
(Generating L from K)
(128) (128)
1) L ← GFN (CON , ., CON , K , ., K )
4,12 0 23 0 3
(Expanding K and L)
2) WK || WK || WK || WK ← K
0 1 2 3
3) For i = 0 to 8 do the following:
(128) (128) (128) (128)

T ← L (CON || CON || CON || CON )
24 + 4i 24 + 4i + 1 24 + 4i + 2 24 + 4i + 3
L ←  (L)
if i is odd: T ← T  K
RK || RK || RK || RK ← T
4i 4i + 1 4i + 2 4i + 3
© ISO/IEC 2012 – All rights reserved 15

---------------------- Page: 20 ----------------------
ISO/IEC 29192-2:2012(E)
Table 8 shows the relationship between generated round keys and related data.
Table 8 — Expanding K and L (128-bit key)
WK WK WK WK K
0 1 2 3
(128) (128) (128) (128)
RK RK RK RK
0 1 2 3
L           (CON || CON || CON || CON )
24 25 26 27
(128) (128) (128) (128)
RK RK RK RK
4 5 6 7
 (L)  K  (CON || C
...