Information security — Lightweight cryptography — Part 2: Block ciphers

This document specifies three block ciphers suitable for applications requiring lightweight cryptographic implementations:
— PRESENT: a lightweight block cipher with a block size of 64 bits and a key size of 80 or 128 bits;
— CLEFIA: a lightweight block cipher with a block size of 128 bits and a key size of 128, 192 or 256 bits;
— LEA: a lightweight block cipher with a block size of 128 bits and a key size of 128, 192 or 256 bits.

Sécurité de l'information — Cryptographie pour environnements contraints — Partie 2: Chiffrements par blocs

General Information

Status: Published
Publication Date: 14-Nov-2019
Current Stage: 9093 - International Standard confirmed
Start Date: 27-Mar-2025
Completion Date: 30-Oct-2025
Ref Project

Relations

Standard
ISO/IEC 29192-2:2019 - Information security — Lightweight cryptography — Part 2: Block ciphers Released:11/15/2019
English language
56 pages

Standards Content (Sample)


INTERNATIONAL STANDARD ISO/IEC 29192-2
Second edition
2019-11
Information security — Lightweight cryptography — Part 2: Block ciphers
Sécurité de l'information — Cryptographie pour environnements contraints — Partie 2: Chiffrements par blocs
Reference number
© ISO/IEC 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2019 – All rights reserved

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols
5 Lightweight block cipher with a block size of 64 bits
5.1 General
5.2 PRESENT
5.2.1 PRESENT algorithm
5.2.2 PRESENT specific notation
5.2.3 PRESENT encryption
5.2.4 PRESENT decryption
5.2.5 PRESENT transformations
5.2.6 PRESENT key schedule
6 Lightweight block ciphers with a block size of 128 bits
6.1 General
6.2 CLEFIA
6.2.1 CLEFIA algorithm
6.2.2 CLEFIA specific notation
6.2.3 CLEFIA encryption
6.2.4 CLEFIA decryption
6.2.5 CLEFIA building blocks
6.2.6 CLEFIA key schedule
6.3 LEA
6.3.1 LEA algorithm
6.3.2 LEA specific notation
6.3.3 LEA encryption
6.3.4 LEA decryption
6.3.5 LEA key schedule
Annex A (normative) Object identifiers
Annex B (informative) Numerical examples
Annex C (informative) Feature tables
Annex D (informative) A limitation of a block cipher under a single key
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see http://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This second edition cancels and replaces the first edition (ISO/IEC 29192-2:2012), which has been
technically revised.
The main changes compared to the previous edition are as follows:
— the LEA algorithm has been added to 6.3;
— numerical examples and feature tables of LEA have been added to B.3 and Annex C.
A list of all parts in the ISO/IEC 29192 series can be found on the ISO website.

Introduction
ISO/IEC 29192-1 specifies the requirements for lightweight cryptography.
A block cipher maps blocks of n bits to blocks of n bits, under the control of a key of k bits.
The International Organization for Standardization (ISO) and International Electrotechnical
Commission (IEC) draw attention to the fact that it is claimed that compliance with this document may
involve the use of a patent.
ISO and IEC take no position concerning the evidence, validity and scope of this patent right.
The holder of this patent right has assured ISO and IEC that he/she is willing to negotiate licences under
reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this
respect, the statement of the holder of this patent right is registered with ISO and IEC. Information may
be obtained from the patent database available at www.iso.org/patents.
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights other than those in the patent database. ISO and IEC shall not be held responsible for
identifying any or all such patent rights.

INTERNATIONAL STANDARD ISO/IEC 29192-2:2019(E)
Information security — Lightweight cryptography —
Part 2:
Block ciphers
1 Scope
This document specifies three block ciphers suitable for applications requiring lightweight
cryptographic implementations:
— PRESENT: a lightweight block cipher with a block size of 64 bits and a key size of 80 or 128 bits;
— CLEFIA: a lightweight block cipher with a block size of 128 bits and a key size of 128, 192 or 256 bits;
— LEA: a lightweight block cipher with a block size of 128 bits and a key size of 128, 192 or 256 bits.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
block
string of bits of defined length
[SOURCE: ISO/IEC 18033-1:2015, 2.8]
3.2
block cipher
symmetric encipherment system with the property that the encryption algorithm operates on a block
(3.1) of plaintext (3.6), i.e. a string of bits of a defined length, to yield a block of ciphertext (3.3)
[SOURCE: ISO/IEC 18033-1:2015, 2.9]
3.3
ciphertext
data which has been transformed to hide its information content
[SOURCE: ISO/IEC 10116:2017, 3.2]
3.4
key
sequence of symbols that controls the operation of a cryptographic transformation (e.g. encipherment,
decipherment)
[SOURCE: ISO/IEC 18033-1:2015, 2.27]

3.5
n-bit block cipher
block cipher (3.2) with the property that plaintext (3.6) blocks and ciphertext (3.3) blocks are n bits
in length
[SOURCE: ISO/IEC 18033-1:2015, 2.29]
3.6
plaintext
unenciphered information
[SOURCE: ISO/IEC 9798-1:2010, 3.19]
3.7
round key
sequence of symbols derived from the key (3.4) using the key schedule, and used to control the
transformation in each round of the block cipher (3.2)
4 Symbols
0x a prefix for a binary string in hexadecimal notation
|| concatenation of bit strings
a ← b updating a value of a by a value of b
⊕ bitwise exclusive-OR operation
5 Lightweight block cipher with a block size of 64 bits
5.1 General
In this clause, a 64-bit lightweight block cipher is specified: PRESENT in 5.2.
Annex A defines the object identifiers which shall be used to identify the algorithm specified in Clause 5.
Annex B provides numerical examples of the block ciphers described in this document. Annex C
summarizes the lightweight properties of the block ciphers described in this document. Annex D gives a
limit on the number of block cipher encryption operations that should be performed using a single key.
5.2 PRESENT
5.2.1 PRESENT algorithm
The PRESENT algorithm [10] is a symmetric block cipher that can process data blocks of 64 bits, using a
key of length 80 or 128 bits. The cipher is referred to as PRESENT-80 or PRESENT-128 when using an
80-bit or 128-bit key respectively.
5.2.2 PRESENT specific notation
$K_i = k^i_{63} \ldots k^i_0$   64-bit round key that is used in round i
$k^i_b$   bit b of round key $K_i$
$K = k_{79} \ldots k_0$   80-bit key register
$k_b$   bit b of key register K
STATE   64-bit internal state
$b_i$   bit i of the current STATE
$w_i$   4-bit word where 0 ≤ i ≤ 15
5.2.3 PRESENT encryption
The PRESENT block cipher consists of 31 "rounds", i.e. 31 applications of a sequence of simple
transformations. A pseudocode description of the complete encryption algorithm is provided in
Figure 1, where STATE denotes the internal state. The individual transformations used by the algorithm
are defined in 5.2.5. Each round of the algorithm uses a distinct round key $K_i$ (1 ≤ i ≤ 31), derived as
specified in 5.2.6. Two consecutive rounds of the algorithm are shown for illustrative purposes in
Figure 2.
Figure 1 — The encryption procedure of PRESENT
Figure 2 — Two rounds of PRESENT

5.2.4 PRESENT decryption
The complete PRESENT decryption algorithm is given in Figure 3. The individual transformations
used by the algorithm are defined in 5.2.5. Each round of the algorithm uses a distinct round key $K_i$
(1 ≤ i ≤ 31), derived as specified in 5.2.6.
Figure 3 — The decryption procedure of PRESENT
5.2.5 PRESENT transformations
5.2.5.1 addRoundKey
Given round key $K_i = k^i_{63} \ldots k^i_0$ for 1 ≤ i ≤ 32 and current STATE $b_{63} \ldots b_0$, addRoundKey consists of the
operation for 0 ≤ j ≤ 63, $b_j \leftarrow b_j \oplus k^i_j$.
5.2.5.2 sBoxLayer
The non-linear sBoxLayer of the encryption process of PRESENT uses a single 4-bit to 4-bit S-box S
which is applied 16 times in parallel in each round. The S-box transforms the input x to an output S(x) as
given in hexadecimal notation in Table 1.
Table 1 — PRESENT S-box
x    0 1 2 3 4 5 6 7 8 9 A B C D E F
S(x) C 5 6 B 9 0 A D 3 E F 8 4 7 1 2
For sBoxLayer the current STATE $b_{63} \ldots b_0$ is considered as sixteen 4-bit words $w_{15} \ldots w_0$ where
$w_i = b_{4i+3} \| b_{4i+2} \| b_{4i+1} \| b_{4i}$ for 0 ≤ i ≤ 15 and the output nibble $S(w_i)$ provides the updated state
values as a concatenation $S(w_{15}) \| S(w_{14}) \| \ldots \| S(w_0)$.
5.2.5.3 invsBoxLayer
The S-box used in the decryption procedure of PRESENT is the inverse of the 4-bit to 4-bit S-box S
that is described in 5.2.5.2. The inverse S-box transforms the input x to an output $S^{-1}(x)$ as given in
hexadecimal notation in Table 2.
Table 2 — PRESENT inverse S-box
x           0 1 2 3 4 5 6 7 8 9 A B C D E F
$S^{-1}(x)$ 5 E F 8 C 1 2 D B 4 6 3 0 7 9 A

5.2.5.4 pLayer
The bit permutation pLayer used in the encryption routine of PRESENT is given by Table 3. Bit i of
STATE is moved to bit position P(i).
Table 3 — PRESENT permutation layer pLayer
i 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
P(i) 0 16 32 48 1 17 33 49 2 18 34 50 3 19 35 51

i 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
P(i) 4 20 36 52 5 21 37 53 6 22 38 54 7 23 39 55

i 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
P(i) 8 24 40 56 9 25 41 57 10 26 42 58 11 27 43 59

i 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
P(i) 12 28 44 60 13 29 45 61 14 30 46 62 15 31 47 63
5.2.5.5 invpLayer
The inverse permutation layer invpLayer used in the decryption routine of PRESENT is given by
Table 4. Bit i of STATE is moved to bit position $P^{-1}(i)$.
Table 4 — PRESENT inverse permutation Layer invpLayer
i 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
$P^{-1}(i)$ 0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60

i 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
$P^{-1}(i)$ 1 5 9 13 17 21 25 29 33 37 41 45 49 53 57 61

i 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
$P^{-1}(i)$ 2 6 10 14 18 22 26 30 34 38 42 46 50 54 58 62

i 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
$P^{-1}(i)$ 3 7 11 15 19 23 27 31 35 39 43 47 51 55 59 63
5.2.6 PRESENT key schedule
5.2.6.1 PRESENT-80 and PRESENT-128
PRESENT can take keys of either 80 or 128 bits. The version with an 80-bit key (PRESENT-80) is described
in 5.2.6.2 and the 128-bit version (PRESENT-128) is described in 5.2.6.3.

5.2.6.2 80-bit key for PRESENT-80
The user-supplied key is stored in a key register K and represented as $k_{79} k_{78} \ldots k_0$. At round i the 64-bit
round key $K_i = k^i_{63} k^i_{62} \ldots k^i_0$ consists of the 64 leftmost bits of the current contents of register K. Thus at
round i, $K_i$ is as follows:
$K_i = k^i_{63} k^i_{62} \ldots k^i_0 = k_{79} k_{78} \ldots k_{16}$
After extracting the round key $K_i$, the key register $K = k_{79} k_{78} \ldots k_0$ is updated as follows.
1) $k_{79} k_{78} \ldots k_1 k_0 \leftarrow k_{18} k_{17} \ldots k_{20} k_{19}$
2) $k_{79} k_{78} k_{77} k_{76} \leftarrow S[k_{79} k_{78} k_{77} k_{76}]$
3) $k_{19} k_{18} k_{17} k_{16} k_{15} \leftarrow k_{19} k_{18} k_{17} k_{16} k_{15} \oplus$ round_counter
In words, the key register is rotated by 61 bit positions to the left, the left-most four bits are passed
through the PRESENT S-box, and the round_counter value i is exclusive-ORed with bits $k_{19} k_{18} k_{17} k_{16} k_{15}$
of K where the least significant bit of round_counter is on the right. The rounds are numbered from
1 ≤ i ≤ 31 and round_counter = i. Figure 4 depicts the key schedule for PRESENT-80 graphically.
Figure 4 — PRESENT-80 key schedule
5.2.6.3 128-bit key for PRESENT-128
Similar to the 80-bit variant the user-supplied key is stored initially in a key register K and is represented
as $k_{127} k_{126} \ldots k_0$. At round i the 64-bit round key $K_i = k^i_{63} k^i_{62} \ldots k^i_0$ consists of the 64 leftmost bits of the
current contents of register K. Thus at round i, $K_i$ is as follows:
$K_i = k^i_{63} k^i_{62} \ldots k^i_0 = k_{127} k_{126} \ldots k_{64}$
After extracting the round key $K_i$, the key register $K = k_{127} k_{126} \ldots k_0$ is updated as follows.
1) $k_{127} k_{126} \ldots k_1 k_0 \leftarrow k_{66} k_{65} \ldots k_{68} k_{67}$
2) $k_{127} k_{126} k_{125} k_{124} \leftarrow S[k_{127} k_{126} k_{125} k_{124}]$
3) $k_{123} k_{122} k_{121} k_{120} \leftarrow S[k_{123} k_{122} k_{121} k_{120}]$
4) $k_{66} k_{65} k_{64} k_{63} k_{62} \leftarrow k_{66} k_{65} k_{64} k_{63} k_{62} \oplus$ round_counter
In words, the key register is rotated by 61 bit positions to the left, the left-most eight bits are passed
through the PRESENT S-box, and the round_counter value i is exclusive-ORed with bits $k_{66} k_{65} k_{64} k_{63} k_{62}$
of K where the least significant bit of round_counter is on the right. The rounds are numbered from
1 ≤ i ≤ 31 and round_counter = i. Figure 5 depicts the key schedule for PRESENT-128 graphically.
Figure 5 — PRESENT-128 key schedule
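The transformations of 5.2.5 and the two key schedules of 5.2.6.2 and 5.2.6.3 fit together as in the following Python sketch, which is an added example and not text from the standard. Figures 1 and 3 are not reproduced on this page, so the round ordering (31 rounds of addRoundKey, sBoxLayer, pLayer, then a final addRoundKey with $K_{32}$) is taken from the published PRESENT design and is an assumption here; function names are illustrative, and blocks and keys are integers whose bit 0 is the least significant bit.

```python
# Tables 1 to 4 of this clause; the inverse tables are derived, not retyped.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(v) for v in range(16)]
P = [(i % 4) * 16 + i // 4 for i in range(64)]   # closed form of Table 3
INV_P = [P.index(i) for i in range(64)]


def sbox_layer(state, box):
    """Apply a 4-bit S-box to each of the sixteen nibbles w_15 .. w_0."""
    out = 0
    for n in range(16):
        out |= box[(state >> (4 * n)) & 0xF] << (4 * n)
    return out


def permute(state, table):
    """Move bit i of STATE to bit position table[i]."""
    out = 0
    for i in range(64):
        out |= ((state >> i) & 1) << table[i]
    return out


def round_keys(key, key_bits):
    """Return K_1 .. K_32 for an 80-bit or 128-bit key register."""
    if key_bits not in (80, 128) or not 0 <= key < (1 << key_bits):
        raise ValueError("key must be an 80-bit or 128-bit integer")
    mask = (1 << key_bits) - 1
    top = key_bits - 4                      # position of the left-most nibble
    keys = []
    for counter in range(1, 33):
        keys.append(key >> (key_bits - 64))  # 64 leftmost bits of K
        # Step 1: rotate the register left by 61 bit positions.
        key = ((key << 61) | (key >> (key_bits - 61))) & mask
        # Step 2 (and step 3 for 128 bits): S-box on the left-most nibble(s).
        key = (key & ~(0xF << top)) | (SBOX[key >> top] << top)
        if key_bits == 128:
            nxt = top - 4
            key = (key & ~(0xF << nxt)) | (SBOX[(key >> nxt) & 0xF] << nxt)
        # Last step: XOR round_counter into k19..k15 (80) or k66..k62 (128).
        key ^= counter << (15 if key_bits == 80 else 62)
    return keys


def encrypt(block, key, key_bits=80):
    rk = round_keys(key, key_bits)
    state = block
    for i in range(31):
        state ^= rk[i]                       # addRoundKey
        state = sbox_layer(state, SBOX)      # sBoxLayer
        state = permute(state, P)            # pLayer
    return state ^ rk[31]                    # final addRoundKey with K_32


def decrypt(block, key, key_bits=80):
    rk = round_keys(key, key_bits)
    state = block ^ rk[31]
    for i in range(30, -1, -1):
        state = permute(state, INV_P)        # invpLayer
        state = sbox_layer(state, INV_SBOX)  # invsBoxLayer
        state ^= rk[i]
    return state


if __name__ == "__main__":
    # All-zero key and block: a test vector from the original PRESENT paper.
    print(f"{encrypt(0, 0, 80):016X}")
```

An implementation on a constrained device should still be checked against the numerical examples in Annex B of the standard, which this page does not reproduce.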
6 Lightweight block ciphers with a block size of 128 bits
6.1 General
In this clause, two 128-bit lightweight block ciphers are specified: CLEFIA in 6.2 and LEA in 6.3.
Annex A defines the object identifiers which shall be used to identify the algorithms specified in
Clause 6. Annex B provides numerical examples of the block ciphers described in this document. Annex C
summarizes the lightweight properties of the block ciphers described in this document. Annex D gives a
limit on the number of block cipher encryption operations that should be performed using a single key.
6.2 CLEFIA
6.2.1 CLEFIA algorithm
The CLEFIA algorithm [15] is a symmetric block cipher that can process data blocks of 128 bits using a
cipher key of length 128, 192, or 256 bits. The number of rounds is 18, 22 and 26 for CLEFIA with 128-bit,
192-bit and 256-bit keys, respectively. The total number of round keys depends on the key length.
The CLEFIA encryption and decryption functions require 36, 44 and 52 round keys for 128-bit, 192-bit
and 256-bit keys, respectively.
6.2.2 CLEFIA specific notation
$a_{(b)}$   bit string of bit length b
$\{0,1\}^n$   a set of n-bit binary strings
·   multiplication in GF($2^n$)
<<
$\tilde{a}$   bitwise complement of bit string a
$\Sigma^n$   n times operations of the DoubleSwap function Σ
6.2.3 CLEFIA encryption
The encryption process of CLEFIA is based on the 4-branch r-round generalized Feistel structure $GFN_{4,r}$.
Let $P, C \in \{0,1\}^{128}$ be a plaintext and a ciphertext. Let $P_i, C_i \in \{0,1\}^{32}$ (0 ≤ i < 4) be divided plaintexts
and ciphertexts where $P = P_0 \| P_1 \| P_2 \| P_3$ and $C = C_0 \| C_1 \| C_2 \| C_3$. Let $WK_0, WK_1, WK_2, WK_3 \in \{0,1\}^{32}$
be whitening keys and $RK_i \in \{0,1\}^{32}$ (0 ≤ i < 2r) be round keys provided by the key schedule. Then,
r-round encryption function $ENC_r$ is defined as follows:
$ENC_r$:
1) $T_0 \| T_1 \| T_2 \| T_3 \leftarrow P_0 \| (P_1 \oplus WK_0) \| P_2 \| (P_3 \oplus WK_1)$
2) $T_0 \| T_1 \| T_2 \| T_3 \leftarrow GFN_{4,r}(RK_0, \ldots, RK_{2r-1}, T_0, T_1, T_2, T_3)$
3) $C_0 \| C_1 \| C_2 \| C_3 \leftarrow T_0 \| (T_1 \oplus WK_2) \| T_2 \| (T_3 \oplus WK_3)$
6.2.4 CLEFIA decryption
The decryption function $DEC_r$ is defined as follows:
$DEC_r$:
1) $T_0 \| T_1 \| T_2 \| T_3 \leftarrow C_0 \| (C_1 \oplus WK_2) \| C_2 \| (C_3 \oplus WK_3)$
2) $T_0 \| T_1 \| T_2 \| T_3 \leftarrow GFN^{-1}_{4,r}(RK_0, \ldots, RK_{2r-1}, T_0, T_1, T_2, T_3)$
3) $P_0 \| P_1 \| P_2 \| P_3 \leftarrow T_0 \| (T_1 \oplus WK_0) \| T_2 \| (T_3 \oplus WK_1)$
Figure 6 illustrates both $ENC_r$ and $DEC_r$.

Figure 6 — The encryption procedure and the decryption procedure of CLEFIA
6.2.5 CLEFIA building blocks
6.2.5.1 $GFN_{d,r}$
The fundamental structure of CLEFIA is a generalized Feistel structure. This structure is employed in
both a data processing part and a key schedule part.
CLEFIA uses a 4-branch and an 8-branch generalized Feistel network. The 4-branch generalized Feistel
network is used in the data processing part and the key schedule for a 128-bit key. The 8-branch
generalized Feistel network is applied in the key schedule for a 192-bit/256-bit key. Let $GFN_{d,r}$ denote
the d-branch r-round generalized Feistel network employed in CLEFIA. $GFN_{d,r}$ uses two different 32-bit
F-functions $F_0$ and $F_1$.
For d pairs of 32-bit input $X_i$ and output $Y_i$ (0 ≤ i < d), and dr/2 32-bit round keys $RK_i$ (0 ≤ i < dr/2), $GFN_{d,r}$
(d = 4, 8) and the inverse function $GFN^{-1}_{d,r}$ (d = 4) are defined as follows.
$GFN_{4,r}$:
1) $T_0 \| T_1 \| T_2 \| T_3 \leftarrow X_0 \| X_1 \| X_2 \| X_3$
2) For i = 0 to r − 1 do the following:
2.1) $T_1 \leftarrow T_1 \oplus F_0(RK_{2i}, T_0)$
$T_3 \leftarrow T_3 \oplus F_1(RK_{2i+1}, T_2)$
2.2) $T_0 \| T_1 \| T_2 \| T_3 \leftarrow T_1 \| T_2 \| T_3 \| T_0$
3) $Y_0 \| Y_1 \| Y_2 \| Y_3 \leftarrow T_3 \| T_0 \| T_1 \| T_2$
$GFN_{8,r}$:
1) $T_0 \| T_1 \| \ldots \| T_7 \leftarrow X_0 \| X_1 \| \ldots \| X_7$
2) For i = 0 to r − 1 do the following:
2.1) $T_1 \leftarrow T_1 \oplus F_0(RK_{4i}, T_0)$
$T_3 \leftarrow T_3 \oplus F_1(RK_{4i+1}, T_2)$
$T_5 \leftarrow T_5 \oplus F_0(RK_{4i+2}, T_4)$
$T_7 \leftarrow T_7 \oplus F_1(RK_{4i+3}, T_6)$
2.2) $T_0 \| T_1 \| \ldots \| T_6 \| T_7 \leftarrow T_1 \| T_2 \| \ldots \| T_7 \| T_0$
3) $Y_0 \| Y_1 \| \ldots \| Y_6 \| Y_7 \leftarrow T_7 \| T_0 \| \ldots \| T_5 \| T_6$
The inverse function $GFN^{-1}_{4,r}$ is obtained by changing the order of $RK_i$ and the direction of word rotation
at 2.2) and 3) in $GFN_{4,r}$.
$GFN^{-1}_{4,r}$:
1) $T_0 \| T_1 \| T_2 \| T_3 \leftarrow X_0 \| X_1 \| X_2 \| X_3$
2) For i = 0 to r − 1 do the following:
2.1) $T_1 \leftarrow T_1 \oplus F_0(RK_{2(r-i)-2}, T_0)$
$T_3 \leftarrow T_3 \oplus F_1(RK_{2(r-i)-1}, T_2)$
2.2) $T_0 \| T_1 \| T_2 \| T_3 \leftarrow T_3 \| T_0 \| T_1 \| T_2$
3) $Y_0 \| Y_1 \| Y_2 \| Y_3 \leftarrow T_1 \| T_2 \| T_3 \| T_0$
6.2.5.2 F-functions
Two F-functions $F_0$ and $F_1$ used in $GFN_{d,r}$ are defined as follows:
$F_0: (RK_{(32)}, x_{(32)}) \mapsto y_{(32)}$
1) $V \leftarrow RK \oplus x$
2) Let $V = V_0 \| V_1 \| V_2 \| V_3$, $V_i \in \{0,1\}^8$.
$V_0 \leftarrow S_0(V_0)$
$V_1 \leftarrow S_1(V_1)$
$V_2 \leftarrow S_0(V_2)$
$V_3 \leftarrow S_1(V_3)$
3) Let $y = y_0 \| y_1 \| y_2 \| y_3$, $y_i \in \{0,1\}^8$.
$$\begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \end{pmatrix} \leftarrow M_0 \begin{pmatrix} V_0 \\ V_1 \\ V_2 \\ V_3 \end{pmatrix}$$
$F_1: (RK_{(32)}, x_{(32)}) \mapsto y_{(32)}$
1) $V \leftarrow RK \oplus x$
2) Let $V = V_0 \| V_1 \| V_2 \| V_3$, $V_i \in \{0,1\}^8$.
$V_0 \leftarrow S_1(V_0)$
$V_1 \leftarrow S_0(V_1)$
$V_2 \leftarrow S_1(V_2)$
$V_3 \leftarrow S_0(V_3)$
3) Let $y = y_0 \| y_1 \| y_2 \| y_3$, $y_i \in \{0,1\}^8$.
$$\begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \end{pmatrix} \leftarrow M_1 \begin{pmatrix} V_0 \\ V_1 \\ V_2 \\ V_3 \end{pmatrix}$$
$S_0$ and $S_1$ are nonlinear 8-bit S-boxes described in 6.2.5.3, and $M_0$ and $M_1$ are 4 × 4 diffusion matrices
described in 6.2.5.4. In each F-function two S-boxes and a matrix are used, but the S-boxes are used in
a different order and the matrices differ. Figure 7 shows a graphical representation of the F-functions.
Figure 7 — F-functions
6.2.5.3 S-boxes
CLEFIA employs two different types of 8-bit S-boxes $S_0$ and $S_1$: $S_0$ is based on four 4-bit random S-boxes,
and $S_1$ is based on the inverse function over GF($2^8$).
Tables 5 and 6 show the output values of $S_0$ and $S_1$, respectively. In these tables all values are expressed
in a hexadecimal notation. For an 8-bit input of an S-box, the upper 4 bits indicate a row and the lower
4 bits indicate a column. For example, if a value 0xab is input, 0x7e is output by $S_0$ because it is on the
cross line of the row indexed by 'a.' and the column indexed by '.b'.
Table 5 — $S_0$
.0 .1 .2 .3 .4 .5 .6 .7 .8 .9 .a .b .c .d .e .f

0. 57 49 d1 c6 2f 33 74 fb 95 6d 82 ea 0e b0 a8 1c
1. 28 d0 4b 92 5c ee 85 b1 c4 0a 76 3d 63 f9 17 af
2. bf a1 19 65 f7 7a 32 20 06 ce e4 83 9d 5b 4c d8
3. 42 5d 2e e8 d4 9b 0f 13 3c 89 67 c0 71 aa b6 f5
4. a4 be fd 8c 12 00 97 da 78 e1 cf 6b 39 43 55 26
5. 30 98 cc dd eb 54 b3 8f 4e 16 fa 22 a5 77 09 61
6. d6 2a 53 37 45 c1 6c ae ef 70 08 99 8b 1d f2 b4
7. e9 c7 9f 4a 31 25 fe 7c d3 a2 bd 56 14 88 60 0b
8. cd e2 34 50 9e dc 11 05 2b b7 a9 48 ff 66 8a 73
9. 03 75 86 f1 6a a7 40 c2 b9 2c db 1f 58 94 3e ed
a. fc 1b a0 04 b8 8d e6 59 62 93 35 7e ca 21 df 47
b. 15 f3 ba 7f a6 69 c8 4d 87 3b 9c 01 e0 de 24 52
c. 7b 0c 68 1e 80 b2 5a e7 ad d5 23 f4 46 3f 91 c9
d. 6e 84 72 bb 0d 18 d9 96 f0 5f 41 ac 27 c5 e3 3a
e. 81 6f 07 a3 79 f6 2d 38 1a 44 5e b5 d2 ec cb 90
f. 9a 36 e5 29 c3 4f ab 64 51 f8 10 d7 bc 02 7d 8e
Table 6 — $S_1$
.0 .1 .2 .3 .4 .5 .6 .7 .8 .9 .a .b .c .d .e .f

0. 6c da c3 e9 4e 9d 0a 3d b8 36 b4 38 13 34 0c d9
1. bf 74 94 8f b7 9c e5 dc 9e 07 49 4f 98 2c b0 93
2. 12 eb cd b3 92 e7 41 60 e3 21 27 3b e6 19 d2 0e
3. 91 11 c7 3f 2a 8e a1 bc 2b c8 c5 0f 5b f3 87 8b
4. fb f5 de 20 c6 a7 84 ce d8 65 51 c9 a4 ef 43 53
5. 25 5d 9b 31 e8 3e 0d d7 80 ff 69 8a ba 0b 73 5c
6. 6e 54 15 62 f6 35 30 52 a3 16 d3 28 32 fa aa 5e
7. cf ea ed 78 33 58 09 7b 63 c0 c1 46 1e df a9 99
8. 55 04 c4 86 39 77 82 ec 40 18 90 97 59 dd 83 1f
9. 9a 37 06 24 64 7c a5 56 48 08 85 d0 61 26 ca 6f
a. 7e 6a b6 71 a0 70 05 d1 45 8c 23 1c f0 ee 89 ad
b. 7a 4b c2 2f db 5a 4d 76 67 17 2d f4 cb b1 4a a8
c. b5 22 47 3a d5 10 4c 72 cc 00 f9 e0 fd e2 fe ae
d. f8 5f ab f1 1b 42 81 d6 be 44 29 a6 57 b9 af f2
e. d4 75 66 bb 68 9f 50 02 01 3c 7f 8d 1a 88 bd ac
f. f7 e4 79 96 a2 fc 6d b2 6b 03 e1 2e 7d 14 95 1d
a) S-box $S_0$
$S_0: \{0,1\}^8 \to \{0,1\}^8 : x \mapsto y = S_0(x)$ is generated by combining four 4-bit S-boxes $SS_0$, $SS_1$, $SS_2$ and
$SS_3$ in the following way. The values of these S-boxes are defined in Table 7.
1) $t_0 \leftarrow SS_0(x_0)$, $t_1 \leftarrow SS_1(x_1)$, where $x = x_0 \| x_1$, $x_i \in \{0,1\}^4$
2) $u_0 \leftarrow t_0 \oplus \mathtt{0x2} \cdot t_1$, $u_1 \leftarrow \mathtt{0x2} \cdot t_0 \oplus t_1$
3) $y_0 \leftarrow SS_2(u_0)$, $y_1 \leftarrow SS_3(u_1)$, where $y = y_0 \| y_1$, $y_i \in \{0,1\}^4$
The multiplication in $\mathtt{0x2} \cdot t_i$ is performed in GF($2^4$) defined by the lexicographically first primitive
polynomial $z^4 + z + 1$. Figure 8 shows the construction of $S_0$.
Table 7 — $SS_i$ (0 ≤ i < 4)
x         0 1 2 3 4 5 6 7 8 9 a b c d e f
$SS_0(x)$ e 6 c a 8 7 2 f b 1 4 0 5 9 d 3
$SS_1(x)$ 6 4 0 d 2 b a 3 9 c e f 8 7 5 1
$SS_2(x)$ b 8 5 e a 6 4 c f 7 2 3 1 0 d 9
$SS_3(x)$ a 2 6 d 3 4 5 e 0 7 8 9 b f c 1
Figure 8 — $S_0$
b) S-box $S_1$
$S_1: \{0,1\}^8 \to \{0,1\}^8 : x \mapsto y = S_1(x)$ is defined as follows:
$$y = \begin{cases} g\left((f(x))^{-1}\right) & \text{if } f(x) \neq 0 \\ g(0) & \text{if } f(x) = 0 \end{cases}$$
The inverse function is performed in GF($2^8$) defined by a primitive polynomial $z^8 + z^4 + z^3 + z^2 + 1$
(=0x11d). f and g are affine transformations over GF(2), which are defined as follows.
$f: \{0,1\}^8 \to \{0,1\}^8 : x \mapsto y = f(x)$,
$$\begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{pmatrix} = \begin{pmatrix} 0&0&0&1&1&0&0&0 \\ 0&1&0&1&0&0&0&1 \\ 0&0&0&0&0&0&0&1 \\ 0&0&0&0&0&1&1&0 \\ 0&1&1&0&0&1&0&1 \\ 0&1&0&1&1&1&0&0 \\ 0&1&1&0&0&0&0&0 \\ 1&0&0&0&0&0&0&1 \end{pmatrix} \begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \\ x_4 \\ x_5 \\ x_6 \\ x_7 \end{pmatrix} \oplus \begin{pmatrix} 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 1 \\ 1 \\ 0 \end{pmatrix}$$
$g: \{0,1\}^8 \to \{0,1\}^8 : x \mapsto y = g(x)$,
$$\begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{pmatrix} = \begin{pmatrix} 0&0&0&0&1&0&1&0 \\ 0&1&0&0&0&0&0&1 \\ 0&1&0&1&1&0&0&0 \\ 0&0&1&0&0&0&0&0 \\ 0&0&1&1&0&0&0&0 \\ 0&0&0&0&0&0&1&0 \\ 1&0&0&1&0&0&0&0 \\ 0&1&0&0&0&1&0&0 \end{pmatrix} \begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \\ x_4 \\ x_5 \\ x_6 \\ x_7 \end{pmatrix} \oplus \begin{pmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 1 \\ 0 \\ 0 \\ 1 \end{pmatrix}$$
Here, $x = x_0 \| x_1 \| x_2 \| x_3 \| x_4 \| x_5 \| x_6 \| x_7$ and $y = y_0 \| y_1 \| y_2 \| y_3 \| y_4 \| y_5 \| y_6 \| y_7$, $x_i, y_i \in \{0,1\}$. The
constants in f and g can be represented as 0x1e and 0x69, respectively.
6.2.5.4 Diffusion matrices
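The matrices $M_0$ and $M_1$ are defined as follows.
$$M_0 = \begin{pmatrix} \mathtt{01} & \mathtt{02} & \mathtt{04} & \mathtt{06} \\ \mathtt{02} & \mathtt{01} & \mathtt{06} & \mathtt{04} \\ \mathtt{04} & \mathtt{06} & \mathtt{01} & \mathtt{02} \\ \mathtt{06} & \mathtt{04} & \mathtt{02} & \mathtt{01} \end{pmatrix}, \quad M_1 = \begin{pmatrix} \mathtt{01} & \mathtt{08} & \mathtt{02} & \mathtt{0a} \\ \mathtt{08} & \mathtt{01} & \mathtt{0a} & \mathtt{02} \\ \mathtt{02} & \mathtt{0a} & \mathtt{01} & \mathtt{08} \\ \mathtt{0a} & \mathtt{02} & \mathtt{08} & \mathtt{01} \end{pmatrix}$$
The multiplications of a matrix and a vector are performed in GF($2^8$) defined by the lexicographically
first primitive polynomial $z^8 + z^4 + z^3 + z^2 + 1$ (=0x11d).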
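The building blocks of 6.2.5.1 to 6.2.5.4 can be cross-checked against each other: the following Python sketch, an added example that is not part of the standard, derives $S_0$ from Table 7 and $S_1$ from the affine maps f and g, then builds $F_0$, $F_1$, $GFN_{4,r}$ and its inverse on top of them. Function names are illustrative; the rows of f and g are encoded as bytes with $x_0$ as the most significant bit.

```python
POLY4 = 0x13    # z^4 + z + 1
POLY8 = 0x11D   # z^8 + z^4 + z^3 + z^2 + 1


def gf_mul(a, b, poly, bits):
    """Multiply a by b in GF(2^bits), reducing by poly."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> bits:
            a ^= poly
        b >>= 1
    return r


# Table 7: SS_0 .. SS_3, one hex digit per entry.
SS = [[int(c, 16) for c in row] for row in (
    "e6ca872fb14059d3", "640d2ba39cef8751",
    "b85ea64cf72310d9", "a26d345e0789bfc1")]


def s0_value(x):
    t0, t1 = SS[0][x >> 4], SS[1][x & 0xF]
    u0 = t0 ^ gf_mul(2, t1, POLY4, 4)
    u1 = gf_mul(2, t0, POLY4, 4) ^ t1
    return (SS[2][u0] << 4) | SS[3][u1]


# Matrix rows of f and g (row j produces y_j); constants 0x1e and 0x69.
F_ROWS = (0x18, 0x51, 0x01, 0x06, 0x65, 0x5C, 0x60, 0x81)
G_ROWS = (0x0A, 0x41, 0x58, 0x20, 0x30, 0x02, 0x90, 0x44)


def affine(rows, const, x):
    y = 0
    for row in rows:
        y = (y << 1) | (bin(row & x).count("1") & 1)   # parity of row AND x
    return y ^ const


def gf_inv(a):
    """a^254 in GF(2^8); maps 0 to 0, which gives the g(0) branch of S_1."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a, POLY8, 8)
    return r


def s1_value(x):
    return affine(G_ROWS, 0x69, gf_inv(affine(F_ROWS, 0x1E, x)))


S0 = [s0_value(x) for x in range(256)]
S1 = [s1_value(x) for x in range(256)]
M0 = ((1, 2, 4, 6), (2, 1, 6, 4), (4, 6, 1, 2), (6, 4, 2, 1))
M1 = ((1, 8, 2, 10), (8, 1, 10, 2), (2, 10, 1, 8), (10, 2, 8, 1))


def f_func(rk, x, sboxes, m):
    v = rk ^ x
    vb = [sboxes[i % 2][(v >> (24 - 8 * i)) & 0xFF] for i in range(4)]
    y = 0
    for row in m:
        acc = 0
        for coef, byte in zip(row, vb):
            acc ^= gf_mul(coef, byte, POLY8, 8)
        y = (y << 8) | acc
    return y


def f0(rk, x):
    return f_func(rk, x, (S0, S1), M0)


def f1(rk, x):
    return f_func(rk, x, (S1, S0), M1)


def gfn4(rks, x):
    """GFN_{4,r} on four 32-bit words, with r = len(rks) // 2."""
    t = list(x)
    for i in range(len(rks) // 2):
        t[1] ^= f0(rks[2 * i], t[0])
        t[3] ^= f1(rks[2 * i + 1], t[2])
        t = t[1:] + t[:1]
    return t[3:] + t[:3]


def gfn4_inv(rks, x):
    """Inverse network: round keys in reverse order, rotation reversed."""
    t = list(x)
    r = len(rks) // 2
    for i in range(r):
        t[1] ^= f0(rks[2 * (r - i) - 2], t[0])
        t[3] ^= f1(rks[2 * (r - i) - 1], t[2])
        t = t[3:] + t[:3]
    return t[1:] + t[:1]
```

The derived tables reproduce the entries of Tables 5 and 6 (for instance 0xab maps to 0x7e under $S_0$); a full cipher additionally needs the constants $CON_i$ and the DoubleSwap function from 6.2.6.5 and 6.2.6.6, which this page does not include.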
6.2.6 CLEFIA key schedule
6.2.6.1 Overall structure
The key schedule of CLEFIA supports 128, 192 and 256-bit keys and outputs whitening keys $WK_i$
(0 ≤ i < 4) and round keys $RK_j$ (0 ≤ j < 2r) for the data processing part. Let K be the key and L be an
intermediate key. The key schedule consists of the following two steps.
1) Generating L from K.
2) Expanding K and L (Generating $WK_i$ and $RK_j$).
To generate L from K, the key schedule for a 128-bit key uses a 128-bit permutation $GFN_{4,12}$, while the
key schedules for 192/256-bit keys use a 256-bit permutation $GFN_{8,10}$.

6.2.6.2 Key schedule for a 128-bit key
The 128-bit intermediate key L is generated in step 1 by applying $GFN_{4,12}$ which takes twenty-four 32-bit
constant values $CON^{(128)}_i$ (0 ≤ i < 24) as round keys and $K = K_0 \| K_1 \| K_2 \| K_3$ as an input. Then K and
L are used to generate $WK_i$ (0 ≤ i < 4) and $RK_j$ (0 ≤ j < 36) in steps 2 and 3. The thirty-six 32-bit constant
values $CON^{(128)}_i$ (24 ≤ i < 60) used in step 3 are defined in 6.2.6.6. The DoubleSwap function Σ is defined
in 6.2.6.5.
(Generating L from K)
1) $L \leftarrow GFN_{4,12}(CON^{(128)}_0, \ldots, CON^{(128)}_{23}, K_0, \ldots, K_3)$
(Expanding K and L)
2) $WK_0 \| WK_1 \| WK_2 \| WK_3 \leftarrow K$
3) For i = 0 to 8, do the following:
$T \leftarrow L \oplus (CON^{(128)}_{24+4i} \| CON^{(128)}_{24+4i+1} \| CON^{(128)}_{24+4i+2} \| CON^{(128)}_{24+4i+3})$
$L \leftarrow \Sigma(L)$
if i is odd: $T \leftarrow T \oplus K$
$RK_{4i} \| RK_{4i+1} \| RK_{4i+2} \| RK_{4i+3} \leftarrow T$
Table 8 shows the relationship between generated round keys and related data.
Table 8 — Expanding K and L (128-bit key)
$WK_0 \| WK_1 \| WK_2 \| WK_3$    $K$
$RK_0 \| RK_1 \| RK_2 \| RK_3$    $L \oplus (CON^{(128)}_{24} \| CON^{(128)}_{25} \| CON^{(128)}_{26} \| CON^{(128)}_{27})$
$RK_4 \| RK_5 \| RK_6 \| RK_7$    $\Sigma(L) \oplus K \oplus (CON^{(128)}_{28} \| CON^{(128)}_{29} \| CON^{(128)}_{30} \| CON^{(128)}_{31})$
$RK_8 \| RK_9 \| RK_{10} \| RK_{11}$    $\Sigma^2(L) \oplus (CON^{(128)}_{32} \| CON^{(128)}_{33} \| CON^{(128)}_{34} \| CON^{(128)}_{35})$
$RK_{12} \| RK_{13} \| RK_{14} \| RK_{15}$    $\Sigma^3(L) \oplus K \oplus (CON^{(128)}_{36} \| CON^{(128)}_{37} \| CON^{(128)}_{38} \| CON^{(128)}_{39})$
$RK_{16} \| RK_{17} \| RK_{18} \| RK_{19}$    $\Sigma^4(L) \oplus (CON^{(128)}_{40} \| CON^{(128)}_{41} \| CON^{(128)}_{42} \| CON^{(128)}_{43})$
$RK_{20} \| RK_{21} \| RK_{22} \| RK_{23}$    $\Sigma^5(L) \oplus K \oplus (CON^{(128)}_{44} \| CON^{(128)}_{45} \| CON^{(128)}_{46} \| CON^{(128)}_{47})$
$RK_{24} \| RK_{25} \| RK_{26} \| RK_{27}$    $\Sigma^6(L) \oplus (CON^{(128)}_{48} \| CON^{(128)}_{49} \| CON^{(128)}_{50} \| CON^{(128)}_{51})$
$RK_{28} \| RK_{29} \| RK_{30} \| RK_{31}$    $\Sigma^7(L) \oplus K \oplus (CON^{(128)}_{52} \| CON^{(128)}_{53} \| CON^{(128)}_{54} \| CON^{(128)}_{55})$
$RK_{32} \| RK_{33} \| RK_{34} \| RK_{35}$    $\Sigma^8(L) \oplus (CON^{(128)}_{56} \| CON^{(128)}_{57} \| CON^{(128)}_{58} \| CON^{(128)}_{59})$
6.2.6.3 Key schedule for a 192-bit key
Two 128-bit values $K_L$ and $K_R$ are generated from a 192-bit key $K = K_0 \| K_1 \| K_2 \| K_3 \| K_4 \| K_5$, where
$K_i \in \{0,1\}^{32}$. Then two 128-bit values $L_L$ and $L_R$ are generated by applying $GFN_{8,10}$ which takes $CON^{(192)}_i$
(0 ≤ i < 40) as round keys and $K_L \| K_R$ as a 256-bit input. Figure 9 shows the construction of $GFN_{8,10}$.
$K_L$, $K_R$ and $L_L$, $L_R$ are used to generate $WK_i$ (0 ≤ i < 4) and $RK_j$ (0 ≤ j < 44) in steps 4 and 5 below. In the
latter part, forty-four 32-bit constant values $CON^{(192)}_i$ (40 ≤ i < 84) are used.
The following steps show the 192-bit/256-bit key schedule. For the 192-bit key schedule, the value of k
is set as 192.
Figure 9 — Structure of $GFN_{8,10}$
(Generating $L_L$, $L_R$ from $K_L$, $K_R$ for a k-bit key)
1) Set k = 192 or k = 256
2) If k = 192: $K_L \leftarrow K_0 \| K_1 \| K_2 \| K_3$, $K_R \leftarrow K_4 \| K_5 \| \tilde{K}_0 \| \tilde{K}_1$
else if k = 256: $K_L \leftarrow K_0 \| K_1 \| K_2 \| K_3$, $K_R \leftarrow K_4 \| K_5 \| K_6 \| K_7$
3) Let $K_L = K_{L0} \| K_{L1} \| K_{L2} \| K_{L3}$, $K_R = K_{R0} \| K_{R1} \| K_{R2} \| K_{R3}$
$L_L \| L_R \leftarrow GFN_{8,10}(CON^{(k)}_0, \ldots, CON^{(k)}_{39}, K_{L0}, \ldots, K_{L3}, K_{R0}, \ldots, K_{R3})$
(Expanding $K_L$, $K_R$ and $L_L$, $L_R$ for a k-bit key)
4) $WK_0 \| WK_1 \| WK_2 \| WK_3 \leftarrow K_L \oplus K_R$
5) For i = 0 to 10 (if k = 192), or 12 (if k = 256) do the following:
If (i mod 4) = 0 or 1:
$T \leftarrow L_L \oplus (CON^{(k)}_{40+4i} \| CON^{(k)}_{40+4i+1} \| CON^{(k)}_{40+4i+2} \| CON^{(k)}_{40+4i+3})$
$L_L \leftarrow \Sigma(L_L)$
if i is odd: $T \leftarrow T \oplus K_R$
else:
$T \leftarrow L_R \oplus (CON^{(k)}_{40+4i} \| CON^{(k)}_{40+4i+1} \| CON^{(k)}_{40+4i+2} \| CON^{(k)}_{40+4i+3})$
$L_R \leftarrow \Sigma(L_R)$
if i is odd: $T \leftarrow T \oplus K_L$
$RK_{4i} \| RK_{4i+1} \| RK_{4i+2} \| RK_{4i+3} \leftarrow T$
Table 9 shows the relationship between generated round keys and related data.
Table 9 — Expanding $K_L$, $K_R$, $L_L$ and $L_R$ (192-bit key)
$WK_0 \| WK_1 \| WK_2 \| WK_3$    $K_L \oplus K_R$
$RK_0 \| RK_1 \| RK_2 \| RK_3$    $L_L \oplus (CON^{(192)}_{40} \| CON^{(192)}_{41} \| CON^{(192)}_{42} \| CON^{(192)}_{43})$
$RK_4 \| RK_5 \| RK_6 \| RK_7$    $\Sigma(L_L) \oplus K_R \oplus (CON^{(192)}_{44} \| CON^{(192)}_{45} \| CON^{(192)}_{46} \| CON^{(192)}_{47})$
$RK_8 \| RK_9 \| RK_{10} \| RK_{11}$    $L_R \oplus (CON^{(192)}_{48} \| CON^{(192)}_{49} \| CON^{(192)}_{50} \| CON^{(192)}_{51})$
$RK_{12} \| RK_{13} \| RK_{14} \| RK_{15}$    $\Sigma(L_R) \oplus K_L \oplus (CON^{(192)}_{52} \| CON^{(192)}_{53} \| CON^{(192)}_{54} \| CON^{(192)}_{55})$
$RK_{16} \| RK_{17} \| RK_{18} \| RK_{19}$    $\Sigma^2(L_L) \oplus (CON^{(192)}_{56} \| CON^{(192)}_{57} \| CON^{(192)}_{58} \| CON^{(192)}_{59})$
$RK_{20} \| RK_{21} \| RK_{22} \| RK_{23}$    $\Sigma^3(L_L) \oplus K_R \oplus (CON^{(192)}_{60} \| CON^{(192)}_{61} \| CON^{(192)}_{62} \| CON^{(192)}_{63})$
$RK_{24} \| RK_{25} \| RK_{26} \| RK_{27}$    $\Sigma^2(L_R) \oplus (CON^{(192)}_{64} \| CON^{(192)}_{65} \| CON^{(192)}_{66} \| CON^{(192)}_{67})$
$RK_{28} \| RK_{29} \| RK_{30} \| RK_{31}$    $\Sigma^3(L_R) \oplus K_L \oplus (CON^{(192)}_{68} \| CON^{(192)}_{69} \| CON^{(192)}_{70} \| CON^{(192)}_{71})$
$RK_{32} \| RK_{33} \| RK_{34} \| RK_{35}$    $\Sigma^4(L_L) \oplus (CON^{(192)}_{72} \| CON^{(192)}_{73} \| CON^{(192)}_{74} \| CON^{(192)}_{75})$
$RK_{36} \| RK_{37} \| RK_{38} \| RK_{39}$    $\Sigma^5(L_L) \oplus K_R \oplus (CON^{(192)}_{76} \| CON^{(192)}_{77} \| CON^{(192)}_{78} \| CON^{(192)}_{79})$
$RK_{40} \| RK_{41} \| RK_{42} \| RK_{43}$    $\Sigma^4(L_R) \oplus (CON^{(192)}_{80} \| CON^{(192)}_{81} \| CON^{(192)}_{82} \| CON^{(192)}_{83})$
6.2.6.4 Key schedule for a 256-bit key
The key schedule for a 256-bit key is almost the same as that for a 192-bit key, except for constant values,
the required number of $RK_i$, and the initialization of $K_R$.
For a 256-bit key, the value of k is set as 256, and the steps are almost the same as in the 192-bit key case
(see description in 6.2.6.3). The difference is that the first forty 32-bit constant values, $CON^{(256)}_i$
(0 ≤ i < 40), are used as round keys to generate $L_L$ and $L_R$, and the last fifty-two 32-bit constant values,
$CON^{(256)}_i$ (40 ≤ i < 92), are used to generate $RK_j$ (0 ≤ j < 52).
Table 10 shows the relationship between generated round keys and related data.
Table 10 — Expanding $K_L$, $K_R$, $L_L$ and $L_R$ (256-bit key)

$WK_0$ $WK_1$ $WK_2$ $WK_3$          $K_L \oplus K_R$
$RK_0$ $RK_1$ $RK_2$ $RK_3$          $L_L \oplus (CON^{(256)}_{40} | CON^{(256)}_{41} | CON^{(256)}_{42} | CON^{(256)}_{43})$
$RK_4$ $RK_5$ $RK_6$ $RK_7$          $\Sigma(L_L) \oplus K_R \oplus (CON^{(256)}_{44} | CON^{(256)}_{45} | CON^{(256)}_{46} | CON^{(256)}_{47})$
$RK_8$ $RK_9$ $RK_{10}$ $RK_{11}$    $L_R \oplus (CON^{(256)}_{48} | CON^{(256)}_{49} | CON^{(256)}_{50} | CON^{(256)}_{51})$
$RK_{12}$ $RK_{13}$ $RK_{14}$ $RK_{15}$    $\Sigma(L_R) \oplus K_L \oplus (CON^{(256)}_{52} | CON^{(256)}_{53} | CON^{(256)}_{54} | CON^{(256)}_{55})$
$RK_{16}$ $RK_{17}$ $RK_{18}$ $RK_{19}$    $\Sigma^2(L_L) \oplus (CON^{(256)}_{56} | CON^{(256)}_{57} | CON^{(256)}_{58} | CON^{(256)}_{59})$
$RK_{20}$ $RK_{21}$ $RK_{22}$ $RK_{23}$    $\Sigma^3(L_L) \oplus K_R \oplus (CON^{(256)}_{60} | CON^{(256)}_{61} | CON^{(256)}_{62} | CON^{(256)}_{63})$
$RK_{24}$ $RK_{25}$ $RK_{26}$ $RK_{27}$    $\Sigma^2(L_R) \oplus (CON^{(256)}_{64} | CON^{(256)}_{65} | CON^{(256)}_{66} | CON^{(256)}_{67})$
$RK_{28}$ $RK_{29}$ $RK_{30}$ $RK_{31}$    $\Sigma^3(L_R) \oplus K_L \oplus (CON^{(256)}_{68} | CON^{(256)}_{69} | CON^{(256)}_{70} | CON^{(256)}_{71})$
$RK_{32}$ $RK_{33}$ $RK_{34}$ $RK_{35}$    $\Sigma^4(L_L) \oplus (CON^{(256)}_{72} | CON^{(256)}_{73} | CON^{(256)}_{74} | CON^{(256)}_{75})$
$RK_{36}$ $RK_{37}$ $RK_{38}$ $RK_{39}$    $\Sigma^5(L_L) \oplus K_R \oplus (CON^{(256)}_{76} | CON^{(256)}_{77} | CON^{(256)}_{78} | CON^{(256)}_{79})$
$RK_{40}$ $RK_{41}$ $RK_{42}$ $RK_{43}$    $\Sigma^4(L_R) \oplus (CON^{(256)}_{80} | CON^{(256)}_{81} | CON^{(256)}_{82} | CON^{(256)}_{83})$
$RK_{44}$ $RK_{45}$ $RK_{46}$ $RK_{47}$    $\Sigma^5(L_R) \oplus K_L \oplus (CON^{(256)}_{84} | CON^{(256)}_{85} | CON^{(256)}_{86} | CON^{(256)}_{87})$
$RK_{48}$ $RK_{49}$ $RK_{50}$ $RK_{51}$    $\Sigma^6(L_L) \oplus (CON^{(256)}_{88} | CON^{(256)}_{89} | CON^{(256)}_{90} | CON^{(256)}_{91})$
6.2.6.5 DoubleSwap function
The DoubleSwap function $\Sigma: \{0,1\}^{128} \rightarrow \{0,1\}^{128}$ is defined as follows:
$X_{(128)} \mapsto Y_{(128)}$
$Y = X[7\text{-}63] | X[121\text{-}127] | X[0\text{-}6] | X[64\text{-}120]$,
where X[a-b] denotes a bit string cut from the a-th bit to the b-th bit of X. Bit 0 is the most significant bit.
The DoubleSwap function is illustrated in Figure 10.
Figure 10 — DoubleSwap Function Σ
6.2.6.6 Constant values
32-bit constant values $CON^{(k)}_i$ are used in the key schedule algorithm. Sixty, eighty-four and
ninety-two constant values are needed for 128, 192 and 256-bit keys, respectively. Let $P_{(16)}$ = 0xb7e1
(= $(e - 2) \cdot 2^{16}$) and $Q_{(16)}$ = 0x243f (= $(\pi - 3) \cdot 2^{16}$), where e is the base of the
natural logarithm (2,718 28…) and π is the circle ratio (3,141 59…). $CON^{(k)}_i$, for k = 128, 192, 256,
are generated in the following way (see Table 11 for the repetition numbers $l^{(k)}$ and the initial
values $IV^{(k)}$).
1) $T^{(k)}_0 \leftarrow IV^{(k)}$
2) For i = 0 to $l^{(k)} - 1$, do the following:
2.1) $CON^{(k)}_{2i} \leftarrow (T^{(k)}_i \oplus P) | (\widetilde{T^{(k)}_i} \lll 1)$
2.2) $CON^{(k)}_{2i+1} \leftarrow (\widetilde{T^{(k)}_i} \oplus Q) | (T^{(k)}_i \lll 8)$
2.3) $T^{(k)}_{i+1} \leftarrow T^{(k)}_i \cdot 0x0002^{-1}$
In step 2.3, the multiplication is performed in the field GF($2^{16}$) defined by a primitive polynomial
$z^{16} + z^{15} + z^{13} + z^{11} + z^5 + z^4 + 1$ (= 0x1a831) 1). $0x0002^{-1}$ is a constant denoting the
multiplicative inverse of a finite field element z (= 0x0002).
Table 11 — Required numbers of constant values

k      # of $CON^{(k)}_i$    $l^{(k)}$    $IV^{(k)}$
128    60                    30           0x428a (= $(\sqrt[3]{2} - 1) \cdot 2^{16}$)
192    84                    42           0x7137 (= $(\sqrt[3]{3} - 1) \cdot 2^{16}$)
256    92                    46           0xb5c0 (= $(\sqrt[3]{5} - 1) \cdot 2^{16}$)

Tables 12 to 14 show the values of $T^{(k)}_i$ and Tables 15 to 17 show the values of $CON^{(k)}_i$.
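Added example (not part of the standard's text): the constant generation of steps 1 to 2.3, the DoubleSwap function of 6.2.6.5 and steps 4 and 5 of the 192-bit and 256-bit key expansion from 6.2.6.3, written in Python. All function names are assumptions of this example, and $L_L$ and $L_R$ are taken as inputs because $GFN_{8,10}$ is not implemented here.

```python
MASK16 = 0xFFFF
P, Q = 0xB7E1, 0x243F   # P = (e - 2) * 2^16, Q = (pi - 3) * 2^16
PARAMS = {128: (30, 0x428A), 192: (42, 0x7137), 256: (46, 0xB5C0)}  # k: (l, IV), Table 11

def rol16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK16

def gen_constants(k):
    """Steps 1 to 2.3: return the lists (T_i, CON_i) for key size k."""
    (l, t), ts, con = PARAMS[k], [], []
    for _ in range(l):
        nt = ~t & MASK16                               # complement of T_i
        ts.append(t)
        con.append(((t ^ P) << 16) | rol16(nt, 1))     # step 2.1: CON_2i
        con.append(((nt ^ Q) << 16) | rol16(t, 8))     # step 2.2: CON_2i+1
        t = (t ^ 0x1A831) >> 1 if t & 1 else t >> 1    # step 2.3: divide by z mod 0x1a831
    return ts, con

def double_swap(x):
    """Sigma on a 128-bit integer: X[7-63] | X[121-127] | X[0-6] | X[64-120]."""
    def bits(a, b):      # X[a-b], with bit 0 the most significant bit
        return (x >> (127 - b)) & ((1 << (b - a + 1)) - 1)
    return (bits(7, 63) << 71) | (bits(121, 127) << 64) | (bits(0, 6) << 57) | bits(64, 120)

def join(words):         # concatenate 32-bit words into one integer
    v = 0
    for w in words:
        v = (v << 32) | w
    return v

def split(v):            # split a 128-bit integer into four 32-bit words
    return [(v >> s) & 0xFFFFFFFF for s in (96, 64, 32, 0)]

def expand_keys(k, kl, kr, ll, lr):
    """Steps 4 and 5 for k = 192 or 256; returns (WK, RK) as lists of 32-bit words.
    kl, kr, ll, lr are 128-bit integers; ll and lr are assumed to be the outputs
    L_L and L_R of GFN_{8,10}, which this example does not compute."""
    con, rk = gen_constants(k)[1], []
    for i in range(11 if k == 192 else 13):
        c = join(con[40 + 4 * i: 44 + 4 * i])
        if i % 4 in (0, 1):
            t, ll = ll ^ c, double_swap(ll)
            t ^= kr if i % 2 else 0
        else:
            t, lr = lr ^ c, double_swap(lr)
            t ^= kl if i % 2 else 0
        rk += split(t)
    return split(kl ^ kr), rk
```

`gen_constants(128)` returns the $T^{(128)}_i$ values of Table 12 and the $CON^{(128)}_i$ values of Table 15, which makes the tables usable as a self-check for an implementation.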
Table 12 — $T^{(128)}_i$

i                0     1     2     3     4     5     6     7
$T^{(128)}_i$    428a  2145  c4ba  625d  e536  729b  ed55  a2b2
i                8     9     10    11    12    13    14    15
$T^{(128)}_i$    5159  fcb4  7e5a  3f2d  cb8e  65c7  e6fb  a765
i                16    17    18    19    20    21    22    23
$T^{(128)}_i$    87aa  43d5  f5f2  7af9  e964  74b2  3a59  c934
i                24    25    26    27    28    29
$T^{(128)}_i$    649a  324d  cd3e  669f  e757  a7b3

1) The lower 16-bit value is defined as 0xa831 = $(\sqrt[3]{101} - 4) \cdot 2^{16}$. "101" is the smallest prime
number satisfying the primitive polynomial condition in this form.
Table 13 — $T^{(192)}_i$

i                0     1     2     3     4     5     6     7
$T^{(192)}_i$    7137  ec83  a259  8534  429a  214d  c4be  625f
i                8     9     10    11    12    13    14    15
$T^{(192)}_i$    e537  a683  8759  97b4  4bda  25ed  c6ee  6377
i                16    17    18    19    20    21    22    23
$T^{(192)}_i$    e5a3  a6c9  877c  43be  21df  c4f7  b663  8f29
i                24    25    26    27    28    29    30    31
$T^{(192)}_i$    938c  49c6  24e3  c669  b72c  5b96  2dcb  c2fd
i                32    33    34    35    36    37    38    39
$T^{(192)}_i$    b566  5ab3  f941  a8b8  545c  2a2e  1517  de93
i                40    41
$T^{(192)}_i$    bb51  89b0
Table 14 — $T^{(256)}_i$

i                0     1     2     3     4     5     6     7
$T^{(256)}_i$    b5c0  5ae0  2d70  16b8  0b5c  05ae  02d7  d573
i                8     9     10    11    12    13    14    15
$T^{(256)}_i$    bea1  8b48  45a4  22d2  1169  dcac  6e56  372b
i                16    17    18    19    20    21    22    23
$T^{(256)}_i$    cf8d  b3de  59ef  f8ef  a86f  802f  940f  9e1f
i                24    25    26    27    28    29    30    31
$T^{(256)}_i$    9b17  9993  98d1  9870  4c38  261c  130e  0987
i                32    33    34    35    36    37    38    39
$T^{(256)}_i$    d0db  bc75  8a22  4511  f690  7b48  3da4  1ed2
i                40    41    42    43    44    45
$T^{(256)}_i$    0f69  d3ac  69d6  34eb  ce6d  b32e
Table 15 — $CON^{(128)}_i$

i                  0         1         2         3
$CON^{(128)}_i$    f56b7aeb  994a8a42  96a4bd75  fa854521
i                  4         5         6         7
$CON^{(128)}_i$    735b768a  1f7abac4  d5bc3b45  b99d5d62
i                  8         9         10        11
$CON^{(128)}_i$    52d73592  3ef636e5  c57a1ac9  a95b9b72
i                  12        13        14        15
$CON^{(128)}_i$    5ab42554  369555ed  1553ba9a  7972b2a2
i                  16        17        18        19
$CON^{(128)}_i$    e6b85d4d  8a995951  4b550696  2774b4fc
i                  20        21        22        23
$CON^{(128)}_i$    c9bb034b  a59a5a7e  88cc81a5  e4ed2
...
