+ All Categories
Home > Documents > 128-bit Block Cipher Camellia

128-bit Block Cipher Camellia

Date post: 31-Jan-2016
Category:
Upload: peri
View: 72 times
Download: 0 times
Share this document with a friend
Description:
128-bit Block Cipher Camellia. Kazumaro Aoki * Tetsuya Ichikawa † Masayuki Kanda * Mitsuru Matsui † Shiho Moriai * Junko Nakajima † Toshio Tokita † * NTT † Mitsubishi Electric Corporation. Outline. What’s Camellia? - PowerPoint PPT Presentation
18
2000.11.13-14 1st NESSIE workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2000 1 128-bit Block Cipher Camellia Kazumaro Aoki * Tetsuya Ichikawa Masayuki Kanda * Mitsuru Matsui Shiho Moriai * Junko Nakajima Tos hio Tokita * NTT † Mitsubishi Electric Corpora tion
Transcript
Page 1: 128-bit Block Cipher Camellia

2000.11.13-14 1st NESSIE workshop Copyright (C) NTT & Mitsubishi Electric Corp. 20001

128-bit Block

Cipher

 CamelliaKazumaro Aoki* Tetsuya Ichikawa†

Masayuki Kanda* Mitsuru Matsui† Shiho Moriai* Junko Nakajima†

Toshio Tokita†

* NTT† Mitsubishi Electric Corporation

Page 2: 128-bit Block Cipher Camellia

2

Outline

What’s Camellia?Advantages over RijndaelPerformance FiguresStructure of CamelliaSecurity ConsiderationConclusion

Page 3: 128-bit Block Cipher Camellia

3

What’s Camellia?

Jointly developed by NTT and Mitsubishi Electric Corporation Designed by experts of research and

development in cryptography Inherited good characteristics from E2

and MISTYSame interface as AES

block size: 128 bits key sizes: 128, 192, 256 bits

Page 4: 128-bit Block Cipher Camellia

4

FAQ: Why “Camellia”?Camellia is well known as “Camellia Jap

onica” botanically, and Japan is its origin.

Easy to pronounce :-) unlike ….

Flower language: Good fortune, Perfect loveliness.

Page 5: 128-bit Block Cipher Camellia

5

Users’ Demands on Block Ciphers

No More No More

Ciphers!Ciphers!

ReliabilityReliability Good PerformerGood Performer

InteroperabilityInteroperability

AES coming soon!AES coming soon!

Royalty-FreeRoyalty-Free

(No IPR Problem)(No IPR Problem)

Page 6: 128-bit Block Cipher Camellia

6

Advantage over RijndaelEfficiency in H/W Implementations

Smaller Hardware 9.66Kgates (0.35m rule)

Better Throughput/Area 21.9Mbit/(s*Kgates) Much more efficient in implementing both enc

ryption and decryptionExcellent Key Agility

Shorter key setup time On-the-fly subkey computation for both encryp

tion and decryption

Page 7: 128-bit Block Cipher Camellia

7

Advantage over Rijndael (Cont.)Symmetric Encryption and Decryption (Feis

tel cipher) Very little additional area to implement both e

ncryption and decryption in H/W Little additional ROM is favorable in restricted

-space environmentsBetter performance in JAVAComparable speed on 8-bit CPUs

e.g. Z80

Page 8: 128-bit Block Cipher Camellia

8

Encryption speed on P6 [cycles/block]

*Programmed by Aoki, Lipmaa, Twofish team, and Osvik. Each figure is the fastest as far as we know.

Software Performance (128-bit keys)Pentium III (1.13GHz)

308 cycles/block (Assembly) = 471Mbit/s

Comparable speed to the AES finalists

RC6RijndaelTwofish

Camellia

MarsSerpent

Fast

229238

258308312 759

Page 9: 128-bit Block Cipher Camellia

9

Twofish 19.27

JAVA Performance (128-bit keys)Pentium II (300MHz)

36.112Mbit/s (Java 1.2) Above average among AES

finalists

RC6Camellia 24.07

Speed*[Mbit/s]

26.21

Rijndael 19.32Mars 19.72

Serpent 11.46

* AES finalists’ data by Sterbenz[AES3](Pentium Pro 200MHz) Camellia’s datum is converted into 200 MHz

Page 10: 128-bit Block Cipher Camellia

10

Throughput

Hardware (128-bit keys)ASIC (0.35m CMOS)

Type II: Top priority: Size• Less than 10KGates (212Mbit/s)• Among smallest 128-bit block ciphers

Type I: Top priority: Speed

[Mbit/s]

Area[Kgates]

The above data (except Camellia) by Ichikawa et al. are refered in NIST’s AES report.

Thru/Area

MARS 2,936 226 0.08RC6 1,643 204 0.12

Serpent 504 932 1.85Twofish 432 394 0.91

Rijndael 613 1,950 3.18Camellia 273 1,171 4.29

Page 11: 128-bit Block Cipher Camellia

11

Structure of CamelliaEncryption/Decryption Procedure

Feistel structure 18 rounds (for 128-bit keys)24 rounds (for 192/256-bit keys)• Round function: SPN • FL/FL-1-functions inserted every 6 rounds• Input/Output whitening : XOR with subkeys

Key Schedule simple shares the same part of its procedure with enc

ryption

Page 12: 128-bit Block Cipher Camellia

12

Camellia for 128-bit keysplaintext

FL

subkey

F

S1

Bytewise Linear

Transfor-mation

Si : substitution-box

F

F

F

F

F

S2

S3

S4

S2

S3

S4

S1

FL-1

ciphertext

key

key s

c hed

ule

key s

c hed

ule

FL FL-1

Page 13: 128-bit Block Cipher Camellia

13

FL

F

S1

F

F

F

F

F

S2

S3

S4

S2

S3

S4

S1

FL-1

Camellia for 192/256-bit keys

FL FL-1

FL FL-1

plaintextsubkey

Bytewise Linear

Transfor-mation

Si : substitution-box

ciphertext

key

key s

c hed

ule

key s

c hed

ule

Page 14: 128-bit Block Cipher Camellia

14

Security of Camellia

Encryption/Decryption Process Differential and Linear Cryptanalysis Truncated Differential Cryptanalysis Truncated Linear Cryptanalysis Cryptanalysis with Impossible Differential Higher Order Differential Attack Interpolation Attack

Page 15: 128-bit Block Cipher Camellia

15

Security of Camellia (Cont.)

Key Schedule No Equivalent Keys Slide Attack Related-key Attack

Attacks on Implementations Timing Attacks Power Analysis

Page 16: 128-bit Block Cipher Camellia

16

Conclusion

High level of Security No known cryptanalytic attacks A sufficiently large security margin

Efficiency on a wide range of platforms Small and efficient H/W High S/W performance Performs well on low-cost platforms JAVA

Page 17: 128-bit Block Cipher Camellia

18

Standardization Activities

IETF Submitted Internet-Drafts

•A Description of the Camellia Encryption Algorithm– <draft-nakajima-camellia-00.txt>

•Addition of the Camellia Encryption Algorithm to Transport Layer Security (TLS)

– <draft-ietf-tls-camellia-00.txt>

Page 18: 128-bit Block Cipher Camellia

19

Standardization Activities (Cont.)ISO/IEC JTC 1/SC 27

Encryption Algorithms (N2563)CRYPTREC

Project to investigate and evaluate the cryptographic techniques proposed for the infrastructure of an electronic government of Japan

WAP TLSAdopted in some Governmental Systems


Recommended