128-bit Block Cipher Camellia Kazumaro Aoki* Tetsuya Ichikawa† Masayuki Kanda* Mitsuru Matsui† Shiho Moriai* Junko Nakajima† Toshio Tokita† * NTT † Mitsubishi Electric Corporation First , I‘ll introduce a 128-bit block cipher Camellia. Camellia was jointly developed by Mitsubishi Electric Corporation and NTT this March. It was designed by experienced crypto-analysts and programmers. 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Copyright (C) NTT & Mitsubishi Electric Corp. 2001 Outline What’s Camellia? Structure of Camellia Security Evaluation Performance Figures Intellectual Property Rights Standardization Activities Conclusion <Appendix> Comments on Security Design Rationale 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Copyright (C) NTT & Mitsubishi Electric Corp. 2001 What’s Camellia? Jointly developed by NTT and Mitsubishi, 2000 Combining strength on cipher design technologies NTT: High-speed SW implementation Mitsubishi: Compact & high-speed HW implementation Both: State-of-the-art security evaluation Same interface as AES Block size: 128 bits Key size: 128, 192, 256 bits Camellia is a block cipher with 128-bit block size and supports 128-, 192-, and 256-bit keys. This is the same interface as the Advanced Encryption Standard, AES. These longer key lengths offer more security against exhaustive key search attack in the future. 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Copyright (C) NTT & Mitsubishi Electric Corp. 2001 What’s Camellia? High level of security Withstanding all known cryptanalytic attacks High security margin for use of the next several decades Efficiency on multiple platforms Software: High-speed on 32-/64-bit processors Compact and high-performance on smart cards (8-/32-bit processors with restricted-space) Hardware: compact and high-performance Smallest-class of area size among existing 128-bit block ciphers Excellent key agility: short key setup time Camellia is a block cipher with 128-bit block size and supports 128-, 192-, and 256-bit keys. This is the same interface as the Advanced Encryption Standard, AES. These longer key lengths offer more security against exhaustive key search attack in the future. 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Copyright (C) NTT & Mitsubishi Electric Corp. 2001 Structure of Camellia Encryption/Decryption Procedure: 18-round Feistel structure (for 128-bit keys) 24-round Feistel structure (for 192-/256-bit keys) Round function: SPN FL/FL-1-functions inserted every 6 rounds Input/Output whitening : XOR with subkeys Key Schedule: Simple Shares the same 2-round Feistel structure 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Camellia for 128-bit Keys Secret key (128-bit) Plaintext (128-bit) Subkey F S1 Bytewise Linear Trans. F S4 S3 F S2 F S4 S3 F Intermediate Keys Generation Rotation & Choice S2 F S1 Si ： Substitution-box En/Decryption Procedure Key Schedule Subkey FL FL-1 Subkey Ciphertext (128-bit) 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Camellia for 192-/256-bit Keys Secret key (192-/256-bit) Plaintext (128-bit) Subkey F S1 Bytewise Linear Trans. F S4 S3 F S2 F S4 S3 F Intermediate Keys Generation Rotation & Choice S2 F S1 Si ： Substitution-box Key Schedule Subkey FL FL-1 Subkey Ciphertext (128-bit) 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Design Rationale (Digest) Round function to provide high security against differential and linear cryptanalysis to achieve high performance on multiple platform to design small hardware FL/FL-1-functions to provide non-regularity across rounds without significantly impacting its performance Key schedule to provide excellent key agility 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Security Consideration Camellia was designed to provide strong security against: Differential and Linear Cryptanalysis Truncated Differential and Linear Cryptanalysis Cryptanalysis with Impossible Differential Boomerang Attack Higher Order Differential Attack & Square Attack Interpolation Attack & Linear Sum Attack No Equivalent Keys Slide Attack Related-key Attack Implementation Attacks, … 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Third-Party’s Results on Security Published results No attacks are found on 12 and more rounds without FL/FL-1 for 128-bit keys so far Full version of Camellia seems to be secure and achieve high security margin Authors Reference Main Results (for 128-bit keys) # of breakable rounds FL Technique Knudsen Camellia HP Distinguishable for 7 rounds w/o T.D.C. E. Biham, et. al. NESSIE public report 9 rounds D.C. Distinguishable for 8 rounds Kawabata, Kaneko 2nd NESSIE workshop 8 rounds H.O.D. He, Qing ICICS2001 6 rounds --- Square Sugita, et. al. ASIACRYPT2001 Distinguishable for 9 rounds 7 rounds impossible difference I.D.C As you know, differential and linear cryptanalysis were proposed in 1990s. They are powerful cryptanalytic methods to many block ciphers. So designers should provide some evidences that the proposed cipher is secure against them. To evaluate the security, two security measures are known. One is the upper bound of probabilities of differentials and linear hulls. That is called provably secure. And the other is the upper bound of differential and linear characteristic probability. That is called practically secure. Here, the important thing is that they are focused on the upper bound of probability. We call this security measures with designer’s viewpoint. (101/128) 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

SW Performance for 128-bit Keys On Pentium III (assuming CPU clock: 1GHz) (cycles/byte) Bulk encryption speed (msec) One block enc. + Key schedule 74.9 Mbps Fast Fast 229.8 Mbps 415.6 Mbps 392.6 Mbps Assembly Self evaluation Assembly CRYPTREC* ANSI C Non-opt. Assembly CRYPTREC* Assembly Self evaluation Assembly CRYPTREC* Assembly CRYPTREC* [Ref] CRYPTREC*: CRYPTREC Report 2000 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

SW Performance for 128-bit Keys Assembly code on Z80 processor (CPU clock: 5MHz) [Ref] Rijndael*: F. Sano, et.al., in the proceeding of the Second NESSIE Workshop Camellia Rijndael* ROM Usage [bytes] 1,268 1,221 RAM Usage [bytes] (including stack, text, key area) 60 63 Enc + KS [states] (using on-the-fly subkey generation) 35,951 (7.19 msec) 35,709 (7.15 msec) Dec + KS [states] 37,553 (7.51 msec) 52,094 (10.42 msec) 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

SW Performance for 128-bit Keys Other results Java on Pentium III (Self evaluation) Key Schedule: 9,091 cycles Encryption: 793 cycles Assembly code on UltraSPARC and Alpha (Reported by CRYPTREC Report 2000) Processors Encryption/decryption Speed One block encryption/decryption and Key Schedule Encryption [cycles] Decryption Enc + KS Dec + KS UltraSPARCIIi 355 403 Alpha 21264 282 448 435 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

HW Performance for 128-bit Keys Self-evaluation – best results (ASIC) Mitsubishi 0.18mm ASIC CMOS (FPGA) Xilinx VirtexE Target Area Size [Kgates] Throughput [Mbps] Efficiency (=Thru./Area) Smallest 8.12 177.62 21.87 Best Efficiency 11.87 1,050.90 88.52 Fastest 44.30 1,881.25 42.47 Target Area Size [slices] Throughput [Mbps] Efficiency (=Thru./Area) Smallest 1,780 227.42 127.76 Best Efficiency (Fastest) 9,692 6,749.99 696.45 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Intellectual Property Rights We declare that there is no responsibility for evaluation purpose of CRYPTREC on Camellia We are prepared to grant, on the basis of reciprocity and non-discriminatory, a royalty-free license under the essential patent of Camellia to an unrestricted number of applicants to manufacture, use and/or sell implementations of Camellia 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Standardization Activities NESSIE (New European Schemes for Signature, Integrity, and Encryption) project Advanced to Phase II evaluation IETF Submitted Internet-Drafts Addition of the Camellia Encryption Algorithm to Transport Layer Security (TLS) A Description of the Camellia Encryption Algorithm ISO/IEC JTC 1/SC 27 Submitted to Japan NB Encryption Algorithms (18033) 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Copyright (C) NTT & Mitsubishi Electric Corp. 2001 For More Information… Camellia Home Page http://info.isl.ntt.co.jp/camellia/ Specification & Sample code Technical papers on design rationale, performance, software implementation techniques, hardware evaluation, and details of cryptanalysis. E-mail camellia@isl.ntt.co.jp MISTY@isl.melco.co.jp For more information, see the Camellia home page. Specification of Camellia and a reference code are available. You will also find technical papers on design rationale, performance, software implementation techniques, and security evaluation. Internet-Draft on a description of Camellia will be coming soon! 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Copyright (C) NTT & Mitsubishi Electric Corp. 2001 Conclusion Camellia is a 128-bit block cipher with 128-/192-/256-bit keys Based on precise design rationales High level of security No known cryptanalytic attacks High security margin Efficiency on a wide range of platforms High performance on SW Small and high performance on HW Performs well on smart cards (low-cost platforms with restricted space) Camellia is a ROYALTY-FREE algorithm  2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Copyright (C) NTT & Mitsubishi Electric Corp. 2001 Question? 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Copyright (C) NTT & Mitsubishi Electric Corp. 2001 Appendix 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Comments on Security of Camellia Differential and Linear Cryptanalysis 12-round Camellia with FL/FL-1-function layers has no differential/linear characteristic with probability higher than 2-128 Truncated Differential and Linear Cryptanalysis Camellia with more than 10 rounds is indistinguishable from a random permutation Cryptanalysis with Impossible Differential FL/FL-1-function changes differential paths depending on key values Boomerang Attack Best boomerang probability of 8-round Camellia without FL/FL-1-function layers is bounded by 2-66 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Comments on Security of Camellia Higher Order Differential Attack & Square Attack Degree of Boolean polynomial of Camellia is expected to become high enough Interpolation Attack & Linear Sum Attack Smallest number of unknown coefficients of Camellia is expected to become maximum Implementation Attacks One of “Favorable” algorithms Easiest to defend against the attacks Some defense can be provided against such attacks without significantly impacting its performance 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Comments on Security of Camellia No Equivalent Keys Set of subkeys generated by the key schedule contains the original secret key Slide Attack FL/FL-1-function layers are inserted between every 6 rounds of Feistel network to provide non-regularity across rounds Related-key Attack Subkey relations is hard to control and predict 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Design Rationale – Round Function P-function Can be represented by only bytewise XORs For efficiency in a wide range of environments Branch number is optimal For security against differential and linear cryptanalyses S-box Functions affine equivalent to the inversion function in GF(28) For security against differential and linear cryptanalysis higher order differential attacks interpolation attacks For small hardware design 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Copyright (C) NTT & Mitsubishi Electric Corp. 2001 Details of F-function subkeys s-boxes P-function S1 S4 S3 S2 S4 S3 S2 S1 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Design Rationale – FL/FL-1-functions Provides non-regularity across rounds To be secure against slide attacks To thwart future unknown attacks A merit of regular Feistel structure is still preserved Encryption and decryption procedures are the same except the order of subkeys Design criteria are similar to FL-function of MISTY To be linear for any fixed key, and to have variable forms depending on key values Constructed by logical operations for efficiency in both software and hardware 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Details of FL/FL-1-functions <<<1 Subkey FL-function FL-1-function 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Design Rationale – Key Schedule From HW aspect Simple and share part of its procedure with encryption/decryption Key schedule for 128-bit keys can be performed by using a part of that for all keys For efficiency in a wide range of environments Key setup time should be shorter than encryption time Support on-the-fly subkey generation On-the-fly subkey generation should be computable in the same way in both encryption and decryption From security aspect No equivalent keys No related-key attack 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Details of Key Schedule KL KR F KB Σ5 Σ6 constantsΣi： from 2nd to 17th of hex. representation of square root of the i-th prime. Σ1 F Σ2 F KL Σ3 F Σ4 F KA 2001.10.09. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001