2000.11.13-14 1st NESSIE workshop Copyright (C) NTT & Mitsubishi Electric Corp. 20001
128-bit Block
Cipher
CamelliaKazumaro Aoki* Tetsuya Ichikawa†
Masayuki Kanda* Mitsuru Matsui† Shiho Moriai* Junko Nakajima†
Toshio Tokita†
* NTT† Mitsubishi Electric Corporation
2
Outline
What’s Camellia?Advantages over RijndaelPerformance FiguresStructure of CamelliaSecurity ConsiderationConclusion
3
What’s Camellia?
Jointly developed by NTT and Mitsubishi Electric Corporation Designed by experts of research and
development in cryptography Inherited good characteristics from E2
and MISTYSame interface as AES
block size: 128 bits key sizes: 128, 192, 256 bits
4
FAQ: Why “Camellia”?Camellia is well known as “Camellia Jap
onica” botanically, and Japan is its origin.
Easy to pronounce :-) unlike ….
Flower language: Good fortune, Perfect loveliness.
5
Users’ Demands on Block Ciphers
No More No More
Ciphers!Ciphers!
ReliabilityReliability Good PerformerGood Performer
InteroperabilityInteroperability
AES coming soon!AES coming soon!
Royalty-FreeRoyalty-Free
(No IPR Problem)(No IPR Problem)
6
Advantage over RijndaelEfficiency in H/W Implementations
Smaller Hardware 9.66Kgates (0.35m rule)
Better Throughput/Area 21.9Mbit/(s*Kgates) Much more efficient in implementing both enc
ryption and decryptionExcellent Key Agility
Shorter key setup time On-the-fly subkey computation for both encryp
tion and decryption
7
Advantage over Rijndael (Cont.)Symmetric Encryption and Decryption (Feis
tel cipher) Very little additional area to implement both e
ncryption and decryption in H/W Little additional ROM is favorable in restricted
-space environmentsBetter performance in JAVAComparable speed on 8-bit CPUs
e.g. Z80
8
Encryption speed on P6 [cycles/block]
*Programmed by Aoki, Lipmaa, Twofish team, and Osvik. Each figure is the fastest as far as we know.
Software Performance (128-bit keys)Pentium III (1.13GHz)
308 cycles/block (Assembly) = 471Mbit/s
Comparable speed to the AES finalists
RC6RijndaelTwofish
Camellia
MarsSerpent
Fast
229238
258308312 759
9
Twofish 19.27
JAVA Performance (128-bit keys)Pentium II (300MHz)
36.112Mbit/s (Java 1.2) Above average among AES
finalists
RC6Camellia 24.07
Speed*[Mbit/s]
26.21
Rijndael 19.32Mars 19.72
Serpent 11.46
* AES finalists’ data by Sterbenz[AES3](Pentium Pro 200MHz) Camellia’s datum is converted into 200 MHz
10
Throughput
Hardware (128-bit keys)ASIC (0.35m CMOS)
Type II: Top priority: Size• Less than 10KGates (212Mbit/s)• Among smallest 128-bit block ciphers
Type I: Top priority: Speed
[Mbit/s]
Area[Kgates]
The above data (except Camellia) by Ichikawa et al. are refered in NIST’s AES report.
Thru/Area
MARS 2,936 226 0.08RC6 1,643 204 0.12
Serpent 504 932 1.85Twofish 432 394 0.91
Rijndael 613 1,950 3.18Camellia 273 1,171 4.29
11
Structure of CamelliaEncryption/Decryption Procedure
Feistel structure 18 rounds (for 128-bit keys)24 rounds (for 192/256-bit keys)• Round function: SPN • FL/FL-1-functions inserted every 6 rounds• Input/Output whitening : XOR with subkeys
Key Schedule simple shares the same part of its procedure with enc
ryption
12
Camellia for 128-bit keysplaintext
FL
subkey
F
S1
Bytewise Linear
Transfor-mation
Si : substitution-box
F
F
F
F
F
S2
S3
S4
S2
S3
S4
S1
FL-1
ciphertext
key
key s
c hed
ule
key s
c hed
ule
FL FL-1
13
FL
F
S1
F
F
F
F
F
S2
S3
S4
S2
S3
S4
S1
FL-1
Camellia for 192/256-bit keys
FL FL-1
FL FL-1
plaintextsubkey
Bytewise Linear
Transfor-mation
Si : substitution-box
ciphertext
key
key s
c hed
ule
key s
c hed
ule
14
Security of Camellia
Encryption/Decryption Process Differential and Linear Cryptanalysis Truncated Differential Cryptanalysis Truncated Linear Cryptanalysis Cryptanalysis with Impossible Differential Higher Order Differential Attack Interpolation Attack
15
Security of Camellia (Cont.)
Key Schedule No Equivalent Keys Slide Attack Related-key Attack
Attacks on Implementations Timing Attacks Power Analysis
16
Conclusion
High level of Security No known cryptanalytic attacks A sufficiently large security margin
Efficiency on a wide range of platforms Small and efficient H/W High S/W performance Performs well on low-cost platforms JAVA
18
Standardization Activities
IETF Submitted Internet-Drafts
•A Description of the Camellia Encryption Algorithm– <draft-nakajima-camellia-00.txt>
•Addition of the Camellia Encryption Algorithm to Transport Layer Security (TLS)
– <draft-ietf-tls-camellia-00.txt>
19
Standardization Activities (Cont.)ISO/IEC JTC 1/SC 27
Encryption Algorithms (N2563)CRYPTREC
Project to investigate and evaluate the cryptographic techniques proposed for the infrastructure of an electronic government of Japan
WAP TLSAdopted in some Governmental Systems