1 / 18

128-bit Block Cipher Camellia

128-bit Block Cipher Camellia. Kazumaro Aoki * Tetsuya Ichikawa † Masayuki Kanda * Mitsuru Matsui † Shiho Moriai * Junko Nakajima † Toshio Tokita † * NTT † Mitsubishi Electric Corporation. Outline. What’s Camellia?

peri
Download Presentation

128-bit Block Cipher Camellia

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. 128-bit Block CipherCamellia Kazumaro Aoki* Tetsuya Ichikawa† Masayuki Kanda* Mitsuru Matsui† Shiho Moriai* Junko Nakajima† Toshio Tokita† * NTT † Mitsubishi Electric Corporation

  2. Outline • What’s Camellia? • Advantages over Rijndael • Performance Figures • Structure of Camellia • Security Consideration • Conclusion

  3. What’s Camellia? • Jointly developed by NTT and Mitsubishi Electric Corporation • Designed by experts of research and development in cryptography • Inherited good characteristics from E2 and MISTY • Same interface as AES • block size: 128 bits • key sizes: 128, 192, 256 bits

  4. FAQ: Why “Camellia”? • Camellia is well known as “Camellia Japonica” botanically, and Japan is its origin. • Easy to pronounce :-) • unlike …. • Flower language: Good fortune, Perfect loveliness.

  5. Users’ Demands on Block Ciphers Reliability Good Performer Interoperability AES coming soon! Royalty-Free (No IPR Problem) No More Ciphers!

  6. Advantage over Rijndael • Efficiency in H/W Implementations • Smaller Hardware 9.66Kgates (0.35mm rule) • Better Throughput/Area 21.9Mbit/(s*Kgates) • Much more efficient in implementing both encryption and decryption • Excellent Key Agility • Shorter key setup time • On-the-fly subkey computation for both encryption and decryption

  7. Advantage over Rijndael (Cont.) • Symmetric Encryption and Decryption (Feistel cipher) • Very little additional area to implement both encryption and decryption in H/W • Little additional ROM is favorable in restricted-space environments • Better performance in JAVA • Comparable speed on 8-bit CPUs • e.g. Z80

  8. 229 238 258 308 312 759 Software Performance (128-bit keys) • Pentium III (1.13GHz) • 308 cycles/block (Assembly) = 471Mbit/s • Comparable speed to the AES finalists RC6 Encryption speed on P6 [cycles/block] Rijndael Twofish Fast Camellia Mars Serpent *Programmed by Aoki, Lipmaa, Twofish team, and Osvik. Each figure is the fastest as far as we know.

  9. Rijndael 19.32 Mars 19.72 Serpent 11.46 Twofish 19.27 JAVA Performance (128-bit keys) • Pentium II (300MHz) • 36.112Mbit/s (Java 1.2) • Above average among AES finalists Speed* [Mbit/s] * AES finalists’ data by Sterbenz[AES3] (Pentium Pro 200MHz) Camellia’s datum is converted into 200 MHz Camellia 24.07 RC6 26.21

  10. Area [Kgates] MARS 2,936 226 0.08 Rijndael RC6 1,643 613 1,950 204 0.12 3.18 Serpent 504 932 1.85 Twofish 432 394 0.91 Hardware (128-bit keys) • ASIC (0.35mm CMOS) • Type II: Top priority: Size • Less than10KGates (212Mbit/s) • Among smallest 128-bit block ciphers • Type I: Top priority: Speed Throughput Thru/Area [Mbit/s] Camellia 273 1,171 4.29 The above data (except Camellia) by Ichikawa et al. are refered in NIST’s AES report.

  11. Structure of Camellia • Encryption/Decryption Procedure • Feistel structure 18 rounds (for 128-bit keys) 24 rounds (for 192/256-bit keys) • Round function: SPN • FL/FL-1-functions inserted every 6 rounds • Input/Output whitening : XOR with subkeys • Key Schedule • simple • shares the same part of its procedure with encryption

  12. Camellia for 128-bit keys subkey key plaintext F S1 Bytewise Linear Transfor- mation S4 F S3 F S2 FL FL-1 S4 F S3 key schedule FL FL-1 F S2 S1 F Si:substitution-box ciphertext

  13. Camellia for 192/256-bit keys subkey key plaintext F S1 Bytewise Linear Transfor- mation S4 F S3 F S2 FL FL-1 S4 F S3 key schedule FL FL-1 F S2 S1 F Si:substitution-box FL FL-1 ciphertext

  14. Security of Camellia • Encryption/Decryption Process • Differential and Linear Cryptanalysis • Truncated Differential Cryptanalysis • Truncated Linear Cryptanalysis • Cryptanalysis with Impossible Differential • Higher Order Differential Attack • Interpolation Attack

  15. Security of Camellia (Cont.) • Key Schedule • No Equivalent Keys • Slide Attack • Related-key Attack • Attacks on Implementations • Timing Attacks • Power Analysis

  16. Conclusion • High level of Security • No known cryptanalytic attacks • A sufficiently large security margin • Efficiency on a wide range of platforms • Small and efficient H/W • High S/W performance • Performs well on low-cost platforms • JAVA

  17. Standardization Activities • IETF • Submitted Internet-Drafts • A Description of the Camellia Encryption Algorithm • <draft-nakajima-camellia-00.txt> • Addition of the Camellia Encryption Algorithm to Transport Layer Security (TLS) • <draft-ietf-tls-camellia-00.txt>

  18. Standardization Activities (Cont.) • ISO/IEC JTC 1/SC 27 • Encryption Algorithms (N2563) • CRYPTREC • Project to investigate and evaluate the cryptographic techniques proposed for the infrastructure of an electronic government of Japan • WAP TLS • Adopted in some Governmental Systems

More Related