# ISO/IEC 18033-3:2010

(Main)## Information technology -- Security techniques -- Encryption algorithms

## Information technology -- Security techniques -- Encryption algorithms

ISO/IEC 18033 specifies encryption systems (ciphers) for the purpose of data confidentiality. ISO/IEC 18033-3:2010 specifies block ciphers. A block cipher is a symmetric encipherment system with the property that the encryption algorithm operates on a block of plaintext, i.e. a string of bits of a defined length, to yield a block of ciphertext. ISO/IEC 18033-3:2010 specifies following algorithms: 64-bit block ciphers: TDEA, MISTY1, CAST-128, HIGHT; 128-bit block ciphers: AES, Camellia, SEED. NOTE The primary purpose of encryption (or encipherment) techniques is to protect the confidentiality of stored or transmitted data. An encryption algorithm is applied to data (often called plaintext or cleartext) to yield encrypted data (or ciphertext); this process is known as encryption. The encryption algorithm needs to be designed so that the ciphertext yields no information about the plaintext except, perhaps, its length. Associated with every encryption algorithm is a corresponding decryption algorithm, which transforms ciphertext back into its original plaintext.

## Technologies de l'information -- Techniques de sécurité -- Algorithmes de chiffrement

### General Information

### RELATIONS

### Standards Content (sample)

INTERNATIONAL ISO/IEC

STANDARD 18033-3

Second edition

2010-12-15

Information technology — Security

techniques — Encryption algorithms —

Part 3:

Block ciphers

Technologies de l'information — Techniques de sécurité — Algorithmes

de chiffrement

Partie 3: Chiffrement par blocs

Reference number

ISO/IEC 18033-3:2010(E)

ISO/IEC 2010

---------------------- Page: 1 ----------------------

ISO/IEC 18033-3:2010(E)

PDF disclaimer

This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but

shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In

downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat

accepts no liability in this area.Adobe is a trademark of Adobe Systems Incorporated.

Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation

parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In

the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

COPYRIGHT PROTECTED DOCUMENT© ISO/IEC 2010

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,

electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or

ISO's member body in the country of the requester.ISO copyright office

Case postale 56 • CH-1211 Geneva 20

Tel. + 41 22 749 01 11

Fax + 41 22 749 09 47

E-mail copyright@iso.org

Web www.iso.org

Published in Switzerland

ii © ISO/IEC 2010 – All rights reserved

---------------------- Page: 2 ----------------------

ISO/IEC 18033-3:2010(E)

Contents Page

Foreword ............................................................................................................................................................. v

1 Scope ...................................................................................................................................................... 1

2 Terms and definitions ........................................................................................................................... 1

3 Symbols .................................................................................................................................................. 2

4 64-bit block ciphers ............................................................................................................................... 3

4.1 Introduction ............................................................................................................................................ 3

4.2 TDEA ....................................................................................................................................................... 3

4.2.1 The Triple Data Encryption Algorithm ................................................................................................. 3

4.2.2 TDEA encryption/decryption ................................................................................................................ 3

4.2.3 TDEA keying options ............................................................................................................................ 4

4.3 MISTY1 .................................................................................................................................................... 4

4.3.1 The MISTY1 algorithm ........................................................................................................................... 4

4.3.2 MISTY1 encryption ................................................................................................................................ 4

4.3.3 MISTY1 decryption ................................................................................................................................ 5

4.3.4 MISTY1 functions .................................................................................................................................. 5

4.3.5 MISTY1 key schedule .......................................................................................................................... 10

4.4 CAST-128 .............................................................................................................................................. 11

4.4.1 The CAST-128 algorithm ..................................................................................................................... 11

4.4.2 CAST-128 encryption .......................................................................................................................... 11

4.4.3 CAST-128 decryption .......................................................................................................................... 11

4.4.4 CAST-128 functions ............................................................................................................................ 11

4.4.5 CAST-128 key schedule ...................................................................................................................... 18

4.5 HIGHT.................................................................................................................................................... 20

4.5.1 The HIGHT algorithm ........................................................................................................................... 20

4.5.2 HIGHT encryption ................................................................................................................................ 21

4.5.3 HIGHT decryption ................................................................................................................................ 22

4.5.4 HIGHT functions .................................................................................................................................. 23

4.5.5 HIGHT key schedule ............................................................................................................................ 23

5 128-bit block ciphers ........................................................................................................................... 24

5.1 Introduction .......................................................................................................................................... 24

5.2 AES ....................................................................................................................................................... 24

5.2.1 The AES algorithm .............................................................................................................................. 24

5.2.2 AES encryption .................................................................................................................................... 24

5.2.3 AES decryption .................................................................................................................................... 25

5.2.4 AES transformations ........................................................................................................................... 26

5.2.5 AES key schedule ................................................................................................................................ 30

5.3 Camellia ................................................................................................................................................ 32

5.3.1 The Camellia algorithm ....................................................................................................................... 32

5.3.2 Camellia encryption ............................................................................................................................ 32

5.3.3 Camellia decryption ............................................................................................................................ 34

5.3.4 Camellia functions ............................................................................................................................... 37

5.3.5 Camellia key schedule ........................................................................................................................ 43

5.4 SEED ..................................................................................................................................................... 47

5.4.1 The SEED algorithm ............................................................................................................................ 47

5.4.2 SEED encryption ................................................................................................................................. 47

5.4.3 SEED decryption ................................................................................................................................. 47

5.4.4 SEED functions .................................................................................................................................... 48

5.4.5 SEED key schedule ............................................................................................................................. 50

Annex A (normative) Description of DES ....................................................................................................... 52

© ISO/IEC 2010 — All rights reserved iii---------------------- Page: 3 ----------------------

ISO/IEC 18033-3:2010(E)

A.1 Introduction .......................................................................................................................................... 52

A.2 DES encryption .................................................................................................................................... 52

A.3 DES decryption .................................................................................................................................... 52

A.4 DES functions ...................................................................................................................................... 52

A.4.1 Initial permutation IP ........................................................................................................................... 52

A.4.2 Inverse initial permutation IP ........................................................................................................... 54

A.4.3 Function f .............................................................................................................................................. 54

A.4.4 Expansion permutation E ................................................................................................................... 55

A.4.5 Permutation P ...................................................................................................................................... 55

A.4.6 S-Boxes ................................................................................................................................................. 56

A.5 DES key schedule ................................................................................................................................ 57

Annex B (normative) Object identifiers .......................................................................................................... 60

Annex C (informative) Algebraic forms of MISTY1 and Camellia S-boxes .................................................. 62

C.1 Introduction .......................................................................................................................................... 62

C.2 MISTY1 S-boxes ................................................................................................................................... 62

C.2.1 The S-boxes S and S ......................................................................................................................... 62

7 9C.2.2 MISTY1 S-box S .................................................................................................................................. 62

C.2.3 MISTY1 S-box S .................................................................................................................................. 62

C.3 Camellia S-boxes ................................................................................................................................. 63

Annex D (informative) Test vectors ................................................................................................................. 64

D.1 Introduction .......................................................................................................................................... 64

D.2 TDEA test vectors ................................................................................................................................ 64

D.2.1 TDEA encryption .................................................................................................................................. 64

D.2.2 DES encryption and decryption ......................................................................................................... 65

D.3 MISTY1 test vectors ............................................................................................................................. 66

D.4 CAST-128 test vectors ......................................................................................................................... 67

D.5 HIGHT test vectors .............................................................................................................................. 67

D.6 AES test vectors .................................................................................................................................. 67

D.6.1 AES encryption .................................................................................................................................... 67

D.6.2 Key expansion example ...................................................................................................................... 68

D.6.3 Cipher example .................................................................................................................................... 70

D.7 Camellia test vectors ........................................................................................................................... 73

D.7.1 Introduction .......................................................................................................................................... 73

D.7.2 Camellia encryption ............................................................................................................................. 73

D.8 SEED test vectors ................................................................................................................................ 75

Annex E (informative) Feature table ................................................................................................................ 77

Bibliography ...................................................................................................................................................... 78

iv © ISO/IEC 2010 — All rights reserved---------------------- Page: 4 ----------------------

ISO/IEC 18033-3:2010(E)

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are members

of ISO or IEC participate in the development of International Standards through technical committees

established by the respective organization to deal with particular fields of technical activity. ISO and IEC

technical committees collaborate in fields of mutual interest. Other international organizations, governmental

and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information

technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International

Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication

as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent

rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 18033-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 27, IT Security techniques.This second edition cancels and replaces the first edition (ISO/IEC 18033-3:2005), which has been

technically revised. It also incorporates the Technical Corrigenda ISO/IEC 18033-3:2005/Cor.1:2006,

ISO/IEC 18033-3:2005/Cor.2:2007 and ISO/IEC 18033-3:2005/Cor.3:2008.ISO/IEC 18033 consists of the following parts, under the general title Information technology — Security

techniques — Encryption algorithms:⎯ Part 1: General

⎯ Part 2: Asymmetric ciphers

⎯ Part 3: Block ciphers

⎯ Part 4: Stream ciphers

© ISO/IEC 2010 — All rights reserved v

---------------------- Page: 5 ----------------------

INTERNATIONAL STANDARD ISO/IEC 18033-3:2010(E)

Information technology — Security techniques — Encryption

algorithms —

Part 3:

Block ciphers

1 Scope

This part of ISO/IEC 18033 specifies block ciphers. A block cipher maps blocks of n bits to blocks of n bits,

under the control of a key of k bits. A total of seven different block ciphers are defined. They are

categorized in 98H96H96H96HTable 1.Table 1 — Block ciphers specified

Block length Algorithm name (see #) Key length

TDEA (97H97H97H4.2) 128 or 192 bits

MISTY1 (98H98H98H4.3)

64 bits

CAST-128 (99H99H99H4.4) 128 bits

HIGHT (100H100H100H4.5)

AES (101H101H101H5.2)

128, 192 or 256 bits

128 bits Camellia (102H102H102H5.3)

SEED (103H103H103H5.4)

128 bits

The algorithms specified in this part of ISO/IEC 18033 have been assigned object identifiers in accordance

with ISO/IEC 9834. The list of assigned object identifiers is given in Annex B. Any changes to the

specification of the algorithms resulting in a change of functional behaviour will result in a change of the

object identifier assigned to the algorithm.2 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

2.1

block

string of bits of defined length

NOTE In this part of ISO/IEC 18033, the block length is either 64 or 128 bits.

[ISO/IEC 18033-1:2005]

2.2

block cipher

symmetric encipherment system with the property that the encryption algorithm operates on a block of

plaintext, i.e. a string of bits of a defined length, to yield a block of ciphertext

[ISO/IEC 18033-1:2005]© ISO/IEC 2010 — All rights reserved 1

---------------------- Page: 6 ----------------------

ISO/IEC 18033-3:2010(E)

2.3

ciphertext

data which has been transformed to hide its information content

[ISO/IEC 9798-1:1997]

2.4

key

sequence of symbols that controls the operation of a cryptographic transformation (e.g. encipherment,

decipherment)NOTE In all the ciphers specified in this part of ISO/IEC 18033, keys consist of a sequence of bits.

[ISO/IEC 11770-1:1996]2.5

n-bit block cipher

block cipher with the property that plaintext blocks and ciphertext blocks are n bits in length

[ISO/IEC 10116:2006]2.6

plaintext

unenciphered information

[ISO/IEC 9797-1:1999]

3 Symbols

n plaintext/ciphertext bit length for a block cipher

E encryption function with key K

D decryption function with key K

Nr the number of rounds for the AES algorithm, which is 10, 12 or 14 for the choices of key length

128, 192 or 256 bits respectively⊕ the bit-wise logical exclusive-OR operation on bit-strings, i.e., if A, B are strings of the same

length then A ⊕ B is the string equal to the bit-wise logical exclusive-OR of A and B

⊗ multiplication of two polynomials (each with degree < 4) modulo x + 1∧ the bit-wise logical AND operation on bit-strings, i.e., if A, B are strings of the same length then

A B is the string equal to the bit-wise logical AND of A and B∨ the bit-wise logical OR operation on bit-strings, i.e., if A, B are strings of the same length then

A B is the string equal to the bit-wise logical OR of A and B|| concatenation of bit strings

• finite field multiplication

<<< the left circular rotation of the operand by i bits

>>> the right circular rotation of the operand by i bits

2 © ISO/IEC 2010 — All rights reserved

---------------------- Page: 7 ----------------------

ISO/IEC 18033-3:2010(E)

x the bitwise complement of x

a mod n for integers a and n, (a mod n) denotes the (non-negative) remainder obtained when a is

divided by n. Equivalently if b = a mod n, then b is the unique integer satisfying:

(i) 0 ≤ b < n, and(ii) (b-a) is an integer multiple of n

addition in modular arithmetic, i.e., if A, B are t-bit strings then A B is defined to equal (A+B

mod 2 )subtraction in modular arithmetic, i.e., if A, B are t-bit strings then A B is defined to equal (A-B

mod 2 )4 64-bit block ciphers

4.1 Introduction

In this clause, four 64-bit block ciphers are specified; TDEA (or ‘Triple DES’) in 104H104H104H4.2, MISTY1 in 105H105H105H4.3,

CAST-128 in 4.4, and HIGHT in 4.5.Users authorized to access data that has been enciphered shall have the key that was used to encipher the

data in order to decipher it. The algorithm for any cipher in this clause is designed to encipher and decipher

blocks of data consisting of 64 bits under control of a 128- (or 192-) bit key. Deciphering shall be

accomplished using the same key as for enciphering.4.2 TDEA

4.2.1 The Triple Data Encryption Algorithm

The Triple Data Encryption Algorithm (TDEA) is a symmetric cipher that can process data blocks of 64 bits,

using cipher keys with length of 128 (or 192) bits, of which 112 (or 168) bits can be chosen arbitrarily, and

the rest may be used for error detection. The TDEA is commonly known as Triple DES (Data Encryption

Standard).A TDEA encryption/decryption operation is a compound operation of DES encryption and decryption

operations, where the DES algorithm is specified in Annex A. A TDEA key consists of three DES keys.

4.2.2 TDEA encryption/decryption4.2.2.1 Encryption/decryption definitions

The TDEA is defined in terms of DES operations, where E is the DES encryption operation for the key K

and D is the DES decryption operation for the key K.4.2.2.2 TDEA encryption

The transformation of a 64-bit block P into a 64-bit block C is defined as follows:

C = E (D (E (P))) .K K K

3 2 1

© ISO/IEC 2010 — All rights reserved 3

---------------------- Page: 8 ----------------------

ISO/IEC 18033-3:2010(E)

4.2.2.3 TDEA decryption

The transformation of a 64-bit block C into a 64-bit block P is defined as follows:

P = D (E (D (C))) .K K K

1 2 3

4.2.3 TDEA keying options

This part of ISO/IEC 18033 specifies the following keying options for TDEA. The TDEA key comprises the

triple (K , K , K ).1 2 3

1. Keying Option 1: K , K and K are different DES keys;

1 2 3

2. Keying Option 2: K and K are different DES keys and K = K .

1 2 3 1

NOTE The option that K = K = K , the single-DES equivalent, is not recommended. Furthermore, the use of

1 2 3keying option 1 is preferred over keying option 2 since it provides additional security at the same performance level

(see [3] for further details).4.3 MISTY1

4.3.1 The MISTY1 algorithm

The MISTY1 algorithm is a symmetric block cipher that can process data blocks of 64 bits, using a cipher

key with length of 128 bits.4.3.2 MISTY1 encryption

The encryption operation is as shown in Figure 1. The transformation of a 64-bit block P into a 64-bit block C

is defined as follows (KL, KO and KI are keys):(1) P = L || R

0 0

KL = KL || KL || … || KL

1 2 10

KO = KO || KO || … || KO

1 2 8

KI = KI || KI || … || KI

1 2 8

(2) for i = 1, 3, …, 7 (increment in steps of 2 because the loop body consists of two rounds):

R = FL(L , KL )i i-1 i

L = FL(R , KL ) ⊕ FO(R , KO , KI )

i i-1 i+1 i i i

L = R ⊕ FO(L , KO , KI )

i+1 i i i+1 i+1

R = L

i+1 i

for i = 9:

R = FL(L , KL )

i i-1 i

L = FL(R , KL )

i i-1 i+1

(3) C = L || R

9 9

4 © ISO/IEC 2010 — All rights reserved

---------------------- Page: 9 ----------------------

ISO/IEC 18033-3:2010(E)

4.3.3 MISTY1 decryption

The decryption operation is as shown in Figure 2, and is identical in operation to encryption apart from the

following two modifications.(1) All FL functions are replaced by their inverse functions FL .

(2) The order in which the subkeys are applied is reversed.

4.3.4 MISTY1 functions

4.3.4.1 MISTY1 function definitions

The MISTY1 algorithm uses a number of functions, namely S , S , FI, FO, FL and FL , which are now

7 9defined.

4.3.4.2 Function FL

The FL function is used in encryption only and is shown in Figure 3. The FL function is defined as follows (X

and Y are data, KL is a key):(1) X = X || X , KL = KL || KL

32 L R i iL iR

(2) Y = (X ∧ KL ) ⊕ X

R L iL R

(3) Y = X ⊕ (Y ∨ KL )

L L R iR

(4) Y = Y || Y

32 L R

© ISO/IEC 2010 — All rights reserved 5

---------------------- Page: 10 ----------------------

ISO/IEC 18033-3:2010(E)

Plaintext Ciphertext

KL1 KL2 KL10 KL9

-1 -1

FL FL

FL FL

KO1,KI1 KO8,KI8

FO FO

KO2,KI2 KO7,KI7

FO FO

KL3 KL4 KL8 KL7

-1 -1

FL FL

FL FL

KO3,KI3 KO6,KI6

FO FO

KO4,KI4 KO5,KI5

FO FO

KL5 KL6 KL6 KL5

-1 -1

FL FL

FL FL

KO5,KI5 KO4,KI4

FO FO

KO6,KI6 KO3,KI3

FO FO

KL7 KL8 KL4 KL3

-1 -1

FL FL FL FL

KO7,KI7 KO2,KI2

FO FO

KO8,KI8 KO1,KI1

FO FO

KL9 KL10 KL2 KL1

-1 -1

FL FL

FL FL

Ciphertext Plaintext

Figure 1 — The Encryption Procedure Figure 2 — The Decryption Procedure

6 © ISO/IEC 2010 — All rights reserved

---------------------- Page: 11 ----------------------

ISO/IEC 18033-3:2010(E)

4.3.4.3 Function FL

The FL function, which is the inverse to the FL function, is used in decryption only and is shown in Figure 4.

The FL function is defined as follows (X and Y are data, KL is a key):(1) Y = Y || Y , KL = KL || KL

32 L R i iL iR

(2) X = Y ⊕ (Y ∨ KL )

L L R iR

(3) X = (X ∧ KL ) Y

R L iL R

(4) X = X || X

32 L R

4.3.4.4 Function FO

The FO function is used in encryption and decryption, and is shown in Figure 5. The FO function is defined

as follows (X and Y are data, KO and KI are keys):(1) X = L || R

32 0 0

KO = KO || KO || KO || KO , KI = KI || KI || KI

i i1 i2 i3 i4 i i1 i2 i3

(2) for j = 1 to 3 :

R = FI(L ⊕ KO , KI ) ⊕ R

j j-1 ij ij j-1

L = R

j j-1

(3) Y = (L ⊕ KO ) || R

32 3 i4 3

4.3.4.5 Function FI

The FI function is used for encryption, decryption and the key schedule, and is shown in Figure 6, where

Extnd is the operation zero-extended from 7 bits to 9 bits by the concatenation of two bits on the left side,

and Trunc is the operation truncated by two bits on the left side. The FI function is defined as follows (X and

Y are data, KI is a key):(1) X = L (9 bits) || R (7 bits), KI = KI || KI

16 0 0 ij ijL ijR

(2) R = S (L ) ⊕ Extnd(R )

1 9 0 0

(3) L =R

1 0

(4) R = S7(L ) ⊕ Trunc(R ) ⊕ KI

2 1 1 ijL

(5) L = R ⊕ KI

2 1 ijR

(6) R = S (L ) ⊕ Extnd(R )

3 9 2 2

(7) L = R

3 2

(8) Y = L || R

16 3 3

© ISO/IEC 2010 — All rights reserved 7

---------------------- Page: 12 ----------------------

ISO/IEC 18033-3:2010(E)

X32 Y32

X X Y Y

L R L R

KLiL KLiR

KLiR KLiL

YL YR XL XR

Y32 X32

Figure 3 — The Function FL Figure 4 — The Function FL

X32 X16

L R L R

0 0 0 0

KI

i1 FI S9

Extnd

KOi2

KIi2 FI S

Trunc

KIijL KIijR

KOi3

KI FI S

i3 9

Extnd

KOi4

Y32 Y16

Figure 5 — The Function FO Figure 6 — The Function FI

8 © ISO/IEC 2010 — All rights reserved

---------------------- Page: 13 ----------------------

ISO/IEC 18033-3:2010(E)

4.3.4.6 Lookup Tables S and S

7 9

S is a bijective lookup table that accepts a 7-bit input and yields a 7-bit output. S is a bijective lookup table

7 9that accepts a 9-bit input and yields a 9-bit output. Tables 2 and 3 define these lookup tables in a

hexadecimal form. S and S can be also described in a simple algebraic form over GF(2) as shown in

7 9clause C.2.

For example, if the input to S is {53}, then the substitution value would be determined by the intersection of

the row with index ‘5’ and the column with index ‘3’ in Table 2. This would result in S having a value of {57}.

Table 2 — S0 12 3 4 56789a bcd e f

0 1b 32 33 5a 3b 10 17 54 5b 1a 72 73 6b 2c 66 49

1 1f 24 13 6c 37 2e 3f 4a 5d 0f 40 56 25 51 1c 04

2 0b 46 20 0d 7b 35 44 42 2b 1e 41 14 4b 79 15 6f

3 0e 55 09 36 74 0c 67 53 28 0a 7e 38 02 07 60 29

4 19 12 65 2f 30 39 08 68 5f 78 2a 4c 64 45 75 3d

5 59 48 03 57 7c 4f 62 3c 1d 21 5e 27 6a 70 4d 3a

6 01 6d 6e 63 18 77 23 05 26 76 00 31 2d 7a 7f 61

7 50 22 11 06 47 16 52 4e 71 3e 69 43 34 5c 58 7d

Table 3 — S

0 1 2 3 4 5 6 7 8 9 a b c d e f

00 1c3 0cb 153 19f 1e3 0e9 0fb 035 181 0b9 117 1eb 133 009 02d 0d3

01 0c7 14a 037 07e

**...**

## Questions, Comments and Discussion

## Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.