190 likes | 462 Views
128-bit Block Cipher Camellia. Kazumaro Aoki * Tetsuya Ichikawa † Masayuki Kanda * Mitsuru Matsui † Shiho Moriai * Junko Nakajima † Toshio Tokita † * NTT † Mitsubishi Electric Corporation. Outline. What’s Camellia?
E N D
128-bit Block CipherCamellia Kazumaro Aoki* Tetsuya Ichikawa† Masayuki Kanda* Mitsuru Matsui† Shiho Moriai* Junko Nakajima† Toshio Tokita† * NTT † Mitsubishi Electric Corporation
Outline • What’s Camellia? • Advantages over Rijndael • Performance Figures • Structure of Camellia • Security Consideration • Conclusion
What’s Camellia? • Jointly developed by NTT and Mitsubishi Electric Corporation • Designed by experts of research and development in cryptography • Inherited good characteristics from E2 and MISTY • Same interface as AES • block size: 128 bits • key sizes: 128, 192, 256 bits
FAQ: Why “Camellia”? • Camellia is well known as “Camellia Japonica” botanically, and Japan is its origin. • Easy to pronounce :-) • unlike …. • Flower language: Good fortune, Perfect loveliness.
Users’ Demands on Block Ciphers Reliability Good Performer Interoperability AES coming soon! Royalty-Free (No IPR Problem) No More Ciphers!
Advantage over Rijndael • Efficiency in H/W Implementations • Smaller Hardware 9.66Kgates (0.35mm rule) • Better Throughput/Area 21.9Mbit/(s*Kgates) • Much more efficient in implementing both encryption and decryption • Excellent Key Agility • Shorter key setup time • On-the-fly subkey computation for both encryption and decryption
Advantage over Rijndael (Cont.) • Symmetric Encryption and Decryption (Feistel cipher) • Very little additional area to implement both encryption and decryption in H/W • Little additional ROM is favorable in restricted-space environments • Better performance in JAVA • Comparable speed on 8-bit CPUs • e.g. Z80
229 238 258 308 312 759 Software Performance (128-bit keys) • Pentium III (1.13GHz) • 308 cycles/block (Assembly) = 471Mbit/s • Comparable speed to the AES finalists RC6 Encryption speed on P6 [cycles/block] Rijndael Twofish Fast Camellia Mars Serpent *Programmed by Aoki, Lipmaa, Twofish team, and Osvik. Each figure is the fastest as far as we know.
Rijndael 19.32 Mars 19.72 Serpent 11.46 Twofish 19.27 JAVA Performance (128-bit keys) • Pentium II (300MHz) • 36.112Mbit/s (Java 1.2) • Above average among AES finalists Speed* [Mbit/s] * AES finalists’ data by Sterbenz[AES3] (Pentium Pro 200MHz) Camellia’s datum is converted into 200 MHz Camellia 24.07 RC6 26.21
Area [Kgates] MARS 2,936 226 0.08 Rijndael RC6 1,643 613 1,950 204 0.12 3.18 Serpent 504 932 1.85 Twofish 432 394 0.91 Hardware (128-bit keys) • ASIC (0.35mm CMOS) • Type II: Top priority: Size • Less than10KGates (212Mbit/s) • Among smallest 128-bit block ciphers • Type I: Top priority: Speed Throughput Thru/Area [Mbit/s] Camellia 273 1,171 4.29 The above data (except Camellia) by Ichikawa et al. are refered in NIST’s AES report.
Structure of Camellia • Encryption/Decryption Procedure • Feistel structure 18 rounds (for 128-bit keys) 24 rounds (for 192/256-bit keys) • Round function: SPN • FL/FL-1-functions inserted every 6 rounds • Input/Output whitening : XOR with subkeys • Key Schedule • simple • shares the same part of its procedure with encryption
Camellia for 128-bit keys subkey key plaintext F S1 Bytewise Linear Transfor- mation S4 F S3 F S2 FL FL-1 S4 F S3 key schedule FL FL-1 F S2 S1 F Si:substitution-box ciphertext
Camellia for 192/256-bit keys subkey key plaintext F S1 Bytewise Linear Transfor- mation S4 F S3 F S2 FL FL-1 S4 F S3 key schedule FL FL-1 F S2 S1 F Si:substitution-box FL FL-1 ciphertext
Security of Camellia • Encryption/Decryption Process • Differential and Linear Cryptanalysis • Truncated Differential Cryptanalysis • Truncated Linear Cryptanalysis • Cryptanalysis with Impossible Differential • Higher Order Differential Attack • Interpolation Attack
Security of Camellia (Cont.) • Key Schedule • No Equivalent Keys • Slide Attack • Related-key Attack • Attacks on Implementations • Timing Attacks • Power Analysis
Conclusion • High level of Security • No known cryptanalytic attacks • A sufficiently large security margin • Efficiency on a wide range of platforms • Small and efficient H/W • High S/W performance • Performs well on low-cost platforms • JAVA
Standardization Activities • IETF • Submitted Internet-Drafts • A Description of the Camellia Encryption Algorithm • <draft-nakajima-camellia-00.txt> • Addition of the Camellia Encryption Algorithm to Transport Layer Security (TLS) • <draft-ietf-tls-camellia-00.txt>
Standardization Activities (Cont.) • ISO/IEC JTC 1/SC 27 • Encryption Algorithms (N2563) • CRYPTREC • Project to investigate and evaluate the cryptographic techniques proposed for the infrastructure of an electronic government of Japan • WAP TLS • Adopted in some Governmental Systems