2000.11.13-14 1st NESSIE workshop Copyright (C) NTT & Mitsubishi Electric Corp. 20001

128-bit Block

Cipher

　CamelliaKazumaro Aoki* Tetsuya Ichikawa†

Masayuki Kanda* Mitsuru Matsui† Shiho Moriai* Junko Nakajima†

Toshio Tokita†

* NTT† Mitsubishi Electric Corporation

2

Outline

What’s Camellia?Advantages over RijndaelPerformance FiguresStructure of CamelliaSecurity ConsiderationConclusion

3

What’s Camellia?

Jointly developed by NTT and Mitsubishi Electric Corporation Designed by experts of research and

development in cryptography Inherited good characteristics from E2

and MISTYSame interface as AES

block size: 128 bits key sizes: 128, 192, 256 bits

4

FAQ: Why “Camellia”?Camellia is well known as “Camellia Jap

onica” botanically, and Japan is its origin.

Easy to pronounce :-) unlike ….

Flower language: Good fortune, Perfect loveliness.

5

Users’ Demands on Block Ciphers

No More No More

Ciphers!Ciphers!

ReliabilityReliability Good PerformerGood Performer

InteroperabilityInteroperability

AES coming soon!AES coming soon!

Royalty-FreeRoyalty-Free

(No IPR Problem)(No IPR Problem)

6

Advantage over RijndaelEfficiency in H/W Implementations

Smaller Hardware 9.66Kgates (0.35m rule)

Better Throughput/Area 21.9Mbit/(s*Kgates) Much more efficient in implementing both enc

ryption and decryptionExcellent Key Agility

Shorter key setup time On-the-fly subkey computation for both encryp

tion and decryption

7

Advantage over Rijndael (Cont.)Symmetric Encryption and Decryption (Feis

tel cipher) Very little additional area to implement both e

ncryption and decryption in H/W Little additional ROM is favorable in restricted

-space environmentsBetter performance in JAVAComparable speed on 8-bit CPUs

e.g. Z80

8

Encryption speed on P6 [cycles/block]

*Programmed by Aoki, Lipmaa, Twofish team, and Osvik. Each figure is the fastest as far as we know.

Software Performance (128-bit keys)Pentium III (1.13GHz)

308 cycles/block (Assembly) = 471Mbit/s

Comparable speed to the AES finalists

RC6RijndaelTwofish

Camellia

MarsSerpent

Fast

229238

258308312 759

9

Twofish 19.27

JAVA Performance (128-bit keys)Pentium II (300MHz)

36.112Mbit/s (Java 1.2) Above average among AES

finalists

RC6Camellia 24.07

Speed*[Mbit/s]

26.21

Rijndael 19.32Mars 19.72

Serpent 11.46

* AES finalists’ data by Sterbenz[AES3](Pentium Pro 200MHz) Camellia’s datum is converted into 200 MHz

10

Throughput

Hardware (128-bit keys)ASIC (0.35m CMOS)

Type II: Top priority: Size• Less than 10KGates (212Mbit/s)• Among smallest 128-bit block ciphers

Type I: Top priority: Speed

[Mbit/s]

Area[Kgates]

The above data (except Camellia) by Ichikawa et al. are refered in NIST’s AES report.

Thru/Area

MARS 2,936 226 0.08RC6 1,643 204 0.12

Serpent 504 932 1.85Twofish 432 394 0.91

Rijndael 613 1,950 3.18Camellia 273 1,171 4.29

11

Structure of CamelliaEncryption/Decryption Procedure

Feistel structure 18 rounds (for 128-bit keys)24 rounds (for 192/256-bit keys)• Round function: SPN • FL/FL-1-functions inserted every 6 rounds• Input/Output whitening : XOR with subkeys

Key Schedule simple shares the same part of its procedure with enc

ryption

12

Camellia for 128-bit keysplaintext

FL

subkey

F

S1

Bytewise Linear

Transfor-mation

Si ： substitution-box

F

F

F

F

F

S2

S3

S4

S2

S3

S4

S1

FL-1

ciphertext

key

key s

c hed

ule

key s

c hed

ule

FL FL-1

13

FL

F

S1

F

F

F

F

F

S2

S3

S4

S2

S3

S4

S1

FL-1

Camellia for 192/256-bit keys

FL FL-1

FL FL-1

plaintextsubkey

Bytewise Linear

Transfor-mation

Si ： substitution-box

ciphertext

key

key s

c hed

ule

key s

c hed

ule

14

Security of Camellia

Encryption/Decryption Process Differential and Linear Cryptanalysis Truncated Differential Cryptanalysis Truncated Linear Cryptanalysis Cryptanalysis with Impossible Differential Higher Order Differential Attack Interpolation Attack

15

Security of Camellia (Cont.)

Key Schedule No Equivalent Keys Slide Attack Related-key Attack

Attacks on Implementations Timing Attacks Power Analysis

16

Conclusion

High level of Security No known cryptanalytic attacks A sufficiently large security margin

Efficiency on a wide range of platforms Small and efficient H/W High S/W performance Performs well on low-cost platforms JAVA

18

Standardization Activities

IETF Submitted Internet-Drafts

•A Description of the Camellia Encryption Algorithm– <draft-nakajima-camellia-00.txt>

•Addition of the Camellia Encryption Algorithm to Transport Layer Security (TLS)

– <draft-ietf-tls-camellia-00.txt>

19

Standardization Activities (Cont.)ISO/IEC JTC 1/SC 27

Encryption Algorithms (N2563)CRYPTREC

Project to investigate and evaluate the cryptographic techniques proposed for the infrastructure of an electronic government of Japan

WAP TLSAdopted in some Governmental Systems