128-bit Block Cipher Camellia Kazumaro Aoki* Tetsuya Ichikawa† Masayuki Kanda* Mitsuru Matsui† Shiho Moriai* Junko Nakajima† Toshio Tokita† * NTT † Mitsubishi Electric Corporation

Outline What’s Camellia? Advantages over Rijndael Performance Figures Structure of Camellia Security Consideration Conclusion

What’s Camellia? Jointly developed by NTT and Mitsubishi Electric Corporation Designed by experts of research and development in cryptography Inherited good characteristics from E2 and MISTY Same interface as AES block size: 128 bits key sizes: 128, 192, 256 bits

FAQ: Why “Camellia”? Camellia is well known as “Camellia Japonica” botanically, and Japan is its origin. Easy to pronounce :-) unlike …. Flower language: Good fortune, Perfect loveliness.

Users’ Demands on Block Ciphers Reliability Good Performer Interoperability AES coming soon! Royalty-Free (No IPR Problem) No More Ciphers!

Advantage over Rijndael Efficiency in H/W Implementations Smaller Hardware 9.66Kgates (0.35mm rule) Better Throughput/Area 21.9Mbit/(s*Kgates) Much more efficient in implementing both encryption and decryption Excellent Key Agility Shorter key setup time On-the-fly subkey computation for both encryption and decryption

Advantage over Rijndael (Cont.) Symmetric Encryption and Decryption (Feistel cipher) Very little additional area to implement both encryption and decryption in H/W Little additional ROM is favorable in restricted-space environments Better performance in JAVA Comparable speed on 8-bit CPUs e.g. Z80

Software Performance (128-bit keys) Pentium III (1.13GHz) 308 cycles/block (Assembly) = 471Mbit/s Comparable speed to the AES finalists RC6 229 238 258 308 312 759 Encryption speed on P6 [cycles/block] Rijndael Twofish Fast For example, an optimized implementation of Camellia in assembly language can encrypt on a Pentium III of 1.13GHz at the rate of 71Mbps. Compared to the AES finalists, Camellia offers at least comparable encryption speed. These figures are encryption speed on P6, cycles per one block. Camellia Mars Serpent *Programmed by Aoki, Lipmaa, Twofish team, and Osvik. Each figure is the fastest as far as we know.

JAVA Performance (128-bit keys) Pentium II (300MHz) 36.112Mbit/s (Java 1.2) Above average among AES finalists Speed* [Mbit/s] * AES finalists’ data by Sterbenz[AES3] (Pentium Pro 200MHz) Camellia’s datum is converted into 200 MHz Camellia 24.07 RC6 26.21 Mars 19.72 Rijndael 19.32 Twofish 19.27 Serpent 11.46

Hardware (128-bit keys) ASIC (0.35mm CMOS) Type II: Top priority: Size Less than 10KGates (212Mbit/s) Among smallest 128-bit block ciphers Type I: Top priority: Speed Area [Kgates] Throughput Thru/Area [Mbit/s] Camellia 273 1,171 4.29 Rijndael 613 1,950 3.18 On the hardware design, I’ll show several figures of Camellia implemented on ASIC using .35micro CMOS library. One is designed aiming small-size hardware in terms of total number of logic gates. The hardware which includes both encryption and decryption, occupies approximately only 11Kgates, which is the smallest among existing 128-bit block ciphers. Another design policy is to achieve the fastest encryption and decryption speed with no consideration of logic size. This is the comparison with the AES finalists and DES evaluated with the same design policy. Camellia achieves more than 1 Gbit/s with this small hardware. Serpent 504 932 1.85 Twofish 432 394 0.91 RC6 1,643 204 0.12 MARS 2,936 226 0.08 The above data (except Camellia) by Ichikawa et al. are refered in NIST’s AES report.

Structure of Camellia Encryption/Decryption Procedure Key Schedule Feistel structure 18 rounds (for 128-bit keys) 24 rounds (for 192/256-bit keys) Round function: SPN FL/FL-1-functions inserted every 6 rounds Input/Output whitening : XOR with subkeys Key Schedule simple shares the same part of its procedure with encryption

Camellia for 128-bit keys key plaintext ciphertext key schedule subkey Bytewise Linear Transfor- mation S4 F S3 F S2 FL FL-1 S4 F S3 key schedule FL FL-1 F S2 S1 F Si：substitution-box ciphertext

Camellia for 192/256-bit keys subkey key plaintext F S1 Bytewise Linear Transfor- mation S4 F S3 F S2 FL FL-1 S4 F S3 key schedule FL FL-1 F S2 S1 F Si：substitution-box FL FL-1 ciphertext

Security of Camellia Encryption/Decryption Process Differential and Linear Cryptanalysis Truncated Differential Cryptanalysis Truncated Linear Cryptanalysis Cryptanalysis with Impossible Differential Higher Order Differential Attack Interpolation Attack

Security of Camellia (Cont.) Key Schedule No Equivalent Keys Slide Attack Related-key Attack Attacks on Implementations Timing Attacks Power Analysis

Conclusion High level of Security No known cryptanalytic attacks A sufficiently large security margin Efficiency on a wide range of platforms Small and efficient H/W High S/W performance Performs well on low-cost platforms JAVA

Standardization Activities IETF Submitted Internet-Drafts A Description of the Camellia Encryption Algorithm <draft-nakajima-camellia-00.txt> Addition of the Camellia Encryption Algorithm to Transport Layer Security (TLS) <draft-ietf-tls-camellia-00.txt>

Standardization Activities (Cont.) ISO/IEC JTC 1/SC 27 Encryption Algorithms (N2563) CRYPTREC Project to investigate and evaluate the cryptographic techniques proposed for the infrastructure of an electronic government of Japan WAP TLS Adopted in some Governmental Systems