128-bit Block Cipher Camellia


128-bit Block Cipher Camellia
Kazumaro Aoki*, Tetsuya Ichikawa†, Masayuki Kanda*, Mitsuru Matsui†, Shiho Moriai*, Junko Nakajima†, Toshio Tokita†
* NTT
† Mitsubishi Electric Corporation

Outline
- What’s Camellia?
- Advantages over Rijndael
- Performance Figures
- Structure of Camellia
- Security Consideration
- Conclusion

What’s Camellia?
- Jointly developed by NTT and Mitsubishi Electric Corporation
- Designed by experts of research and development in cryptography
- Inherited good characteristics from E2 and MISTY
- Same interface as AES
  - block size: 128 bits
  - key sizes: 128, 192, 256 bits

FAQ: Why “Camellia”?
- Camellia is well known as “Camellia Japonica” botanically, and Japan is its origin.
- Easy to pronounce :-) unlike ….
- Flower language: Good fortune, Perfect loveliness.

Users’ Demands on Block Ciphers
- Reliability
- Good Performer
- Interoperability
- AES coming soon!
- Royalty-Free (No IPR Problem)
- No More Ciphers!

Advantage over Rijndael
- Efficiency in H/W Implementations
  - Smaller Hardware: 9.66 Kgates (0.35 µm rule)
  - Better Throughput/Area: 21.9 Mbit/(s*Kgates)
  - Much more efficient in implementing both encryption and decryption
- Excellent Key Agility
  - Shorter key setup time
  - On-the-fly subkey computation for both encryption and decryption

Advantage over Rijndael (Cont.)
- Symmetric Encryption and Decryption (Feistel cipher)
  - Very little additional area to implement both encryption and decryption in H/W
  - Little additional ROM is favorable in restricted-space environments
- Better performance in JAVA
- Comparable speed on 8-bit CPUs, e.g. Z80

Software Performance (128-bit keys)
- Pentium III (1.13GHz): 308 cycles/block (Assembly) = 471Mbit/s
- Comparable speed to the AES finalists
Encryption speed on P6 [cycles/block], fastest first:
- RC6 229
- Rijndael 238
- Twofish 258
- Camellia 308
- Mars 312
- Serpent 759
*Programmed by Aoki, Lipmaa, Twofish team, and Osvik. Each figure is the fastest as far as we know.
For example, an optimized implementation of Camellia in assembly language can encrypt on a Pentium III of 1.13GHz at the rate of 71Mbps. Compared to the AES finalists, Camellia offers at least comparable encryption speed. These figures are encryption speed on P6, cycles per one block.

JAVA Performance (128-bit keys)
- Pentium II (300MHz): 36.112Mbit/s (Java 1.2)
- Above average among AES finalists
Speed* [Mbit/s]:
- Camellia 24.07
- RC6 26.21
- Mars 19.72
- Rijndael 19.32
- Twofish 19.27
- Serpent 11.46
* AES finalists’ data by Sterbenz [AES3] (Pentium Pro 200MHz). Camellia’s datum is converted into 200 MHz.

Hardware (128-bit keys)
ASIC (0.35 µm CMOS)
- Type II: Top priority: Size
  - Less than 10KGates (212Mbit/s)
  - Among smallest 128-bit block ciphers
- Type I: Top priority: Speed
Cipher     Area [Kgates]   Throughput [Mbit/s]   Thru/Area
Camellia   273             1,171                 4.29
Rijndael   613             1,950                 3.18
Serpent    504             932                   1.85
Twofish    432             394                   0.91
RC6        1,643           204                   0.12
MARS       2,936           226                   0.08
The above data (except Camellia) by Ichikawa et al. are referred to in NIST’s AES report.
On the hardware design, I’ll show several figures of Camellia implemented on ASIC using a .35micro CMOS library. One is designed aiming at small-size hardware in terms of total number of logic gates. The hardware, which includes both encryption and decryption, occupies approximately only 11Kgates, which is the smallest among existing 128-bit block ciphers. Another design policy is to achieve the fastest encryption and decryption speed with no consideration of logic size. This is the comparison with the AES finalists and DES evaluated with the same design policy. Camellia achieves more than 1 Gbit/s with this small hardware.

Structure of Camellia
- Encryption/Decryption Procedure
  - Feistel structure
    - 18 rounds (for 128-bit keys)
    - 24 rounds (for 192/256-bit keys)
  - Round function: SPN
  - $FL/FL^{-1}$-functions inserted every 6 rounds
  - Input/Output whitening: XOR with subkeys
- Key Schedule
  - simple
  - shares the same part of its procedure with encryption

Camellia for 128-bit keys
[Figure: encryption data path from plaintext to ciphertext. Labels: key, key schedule, subkey, F, FL, $FL^{-1}$; detail of F: s-boxes S1 to S4 (Si: substitution-box) followed by the Bytewise Linear Transformation]

Camellia for 192/256-bit keys
[Figure: encryption data path from plaintext to ciphertext. Labels: key, key schedule, subkey, F, FL, $FL^{-1}$; detail of F: s-boxes S1 to S4 (Si: substitution-box) followed by the Bytewise Linear Transformation]

Security of Camellia
- Encryption/Decryption Process
  - Differential and Linear Cryptanalysis
  - Truncated Differential Cryptanalysis
  - Truncated Linear Cryptanalysis
  - Cryptanalysis with Impossible Differential
  - Higher Order Differential Attack
  - Interpolation Attack

Security of Camellia (Cont.)
- Key Schedule
  - No Equivalent Keys
  - Slide Attack
  - Related-key Attack
- Attacks on Implementations
  - Timing Attacks
  - Power Analysis

Conclusion
- High level of Security
  - No known cryptanalytic attacks
  - A sufficiently large security margin
- Efficiency on a wide range of platforms
  - Small and efficient H/W
  - High S/W performance
  - Performs well on low-cost platforms
  - JAVA

For Q&A

Standardization Activities
- IETF: Submitted Internet-Drafts
  - A Description of the Camellia Encryption Algorithm <draft-nakajima-camellia-00.txt>
  - Addition of the Camellia Encryption Algorithm to Transport Layer Security (TLS) <draft-ietf-tls-camellia-00.txt>

Standardization Activities (Cont.)
- ISO/IEC JTC 1/SC 27: Encryption Algorithms (N2563)
- CRYPTREC: Project to investigate and evaluate the cryptographic techniques proposed for the infrastructure of an electronic government of Japan
- WAP TLS
- Adopted in some Governmental Systems

Intellectual Property Rights
- Mitsubishi Electric and NTT have filed patent applications on the techniques used in the block cipher Camellia.
- Mitsubishi Electric and NTT will license any resulting patent in a reasonable and non-discriminatory fashion.
- An intellectual property statement regarding royalty-free license is now under review.

Suitability for Wireless Devices
- Small Hardware
  - Most suitable 128-bit block cipher that can be an alternative for Triple DES from hardware viewpoint: a small number of gate counts and low power consumption
- High Software Performance
  - 8-bit CPUs: same level as Rijndael
  - 32-bit CPUs: same level as AES finalists

Attacks on Implementations
- Poor implementation can leak information by timing attacks or power analysis.
- Camellia uses only operations that are the easiest to defend against the attacks: logical operations, table-lookups and fixed rotations.
- Additionally, some defense can be provided against such attacks w/o significantly impacting its performance.

Design Rationale ~ F-function
- Design strategy follows F-function of E2
- Main change from E2 to Camellia is the adoption of 1-round SPN, not 2-round SPN
[Figure: F-functions of E2 and Camellia; labels: subkey, S, P, S1, S2, S3, S4]

Design Rationale ~ P-function
- Represented by only bytewise XORs
  - efficiency in a wide range of environments
- Branch number is optimal (=5)
  - security against differential and linear cryptanalyses
- Slightly different matrix from that of E2
  - Easy to implement efficiently on 32- and 64-bit processors
  - slightly improved security against truncated differential cryptanalysis

Details of F-function
[Figure: F-function detail; labels: subkeys, s-boxes (S1, S2, S3, S4), P-function]

Design Rationale ~ s-boxes
- Functions affine equivalent to the inversion function in $GF(2^8)$
- Security
  - Max differential (resp. linear) prob is proven to be $2^{-6}$ (optimal).
  - High degree (=7) of the Boolean polynomial makes higher order differential attacks difficult.
  - Affine functions make the expression in $GF(2^8)$ complicated to defend against interpolation attacks.
- Small hardware design
  - Represented elements in $GF(2^8)$ as polynomials with coefficients in the subfield $GF(2^4)$.

Design Rationale ~ $FL/FL^{-1}$-functions
- Provides non-regularity across rounds
  - To be secure against slide attacks
  - To thwart future unknown attacks
- Merit of regular Feistel structure is still preserved.
  - Encryption and decryption procedures are the same except the order of subkeys.

Design Rationale ~ $FL/FL^{-1}$-functions (Cont.)
- Similar design rationale to FL-function of MISTY
  - To be linear for any fixed key, and to have variable forms depending on key values
- Efficiency in both S/W and H/W
  - Constructed by logical operations (AND, OR, XOR, rotations).

Details of $FL/FL^{-1}$-functions
[Figure: FL-function and $FL^{-1}$-function; labels: subkey (two per function), <<<1 (rotation by one bit)]
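The two functions in the figure, as an added example that is not part of the original slides. It follows the formulation in RFC 3713 (an assumption, since the slides give no equations) and checks the two properties claimed above: the pair is invertible, and for a fixed key FL is linear up to a key-dependent constant, so an input difference maps to one output difference whose form depends on the key.

```python
import random

MASK32 = 0xFFFFFFFF

def rol1(x):
    """Rotate a 32-bit word left by one bit (the <<<1 box)."""
    return ((x << 1) | (x >> 31)) & MASK32

def fl(x, ke):
    """FL on a 64-bit value x with a 64-bit subkey ke."""
    xl, xr = x >> 32, x & MASK32
    kl, kr = ke >> 32, ke & MASK32
    xr ^= rol1(xl & kl)          # AND with left key half, rotate, XOR
    xl ^= xr | kr                # OR with right key half, XOR
    return (xl << 32) | xr

def fl_inv(y, ke):
    """Inverse of FL: the same two steps in the opposite order."""
    yl, yr = y >> 32, y & MASK32
    kl, kr = ke >> 32, ke & MASK32
    yl ^= yr | kr
    yr ^= rol1(yl & kl)
    return (yl << 32) | yr

def out_diff(d, ke, a=0):
    """Output difference of FL for input pair (a, a ^ d) under key ke."""
    return fl(a ^ d, ke) ^ fl(a, ke)

def roundtrip_ok(trials=1000, seed=1):
    """fl_inv(fl(x, k), k) == x for random x and k."""
    rng = random.Random(seed)
    pairs = [(rng.getrandbits(64), rng.getrandbits(64)) for _ in range(trials)]
    return all(fl_inv(fl(x, k), k) == x for x, k in pairs)

def diff_independent_of_input(d, ke, trials=1000, seed=2):
    """For a fixed key the output difference does not depend on the input a."""
    rng = random.Random(seed)
    ref = out_diff(d, ke)
    return all(out_diff(d, ke, rng.getrandbits(64)) == ref for _ in range(trials))

if __name__ == "__main__":
    d = 1 << 32                  # constructed sample: one-bit input difference
    print("round trip:", roundtrip_ok())
    for ke in (0x0, 0xFFFFFFFFFFFFFFFF):   # constructed sample keys
        print("key %016X: diff %016X -> %016X, input-independent: %s"
              % (ke, d, out_diff(d, ke), diff_independent_of_input(d, ke)))
```

The same one-bit difference leaves FL unchanged under the all-zero key and picks up an extra bit under the all-ones key, which is the key-dependent path change the slides rely on against impossible differentials.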

Design Rationale ~ Key Schedule
- Simple and share part of its procedure with encryption/decryption.
- Subkey generation for 128, 192, 256-bit keys can be performed by using the same key schedule (circuit).
- Key schedule for 128-bit keys can be performed by using a part of it.

Design Rationale ~ Key Schedule (Cont.)
- Key setup time should be shorter than encryption time.
- Support on-the-fly subkey generation.
- On-the-fly subkey generation should be computable in the same way in both encryption and decryption.
- No equivalent keys.
- No related-key attacks.

Details of Key Schedule
[Figure: key schedule deriving KA and KB from KL and KR through the F-function; labels: KL, KR, KA, KB, F, Σ1 to Σ6]
Constants Σi: from 2nd to 17th of hex. representation of square root of the i-th prime.
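The constant rule above can be checked independently. This added example (not from the slides) derives Σ1 to Σ6 with exact integer arithmetic and compares them with the values printed in RFC 3713; it assumes "2nd to 17th" counts hexadecimal places after the point.

```python
from math import isqrt

# Sigma1..Sigma6 as listed in RFC 3713; the slides describe the rule
# but do not print the values.
RFC3713_SIGMA = [
    0xA09E667F3BCC908B, 0xB67AE8584CAA73B2, 0xC6EF372FE94F82BE,
    0x54FF53A5F1D36F1C, 0x10E527FADE682D1D, 0xB05688C2B3E6C1FD,
]

def first_primes(n):
    """Return the first n primes by trial division (n is tiny here)."""
    primes, c = [], 2
    while len(primes) < n:
        if all(c % p for p in primes):
            primes.append(c)
        c += 1
    return primes

def sigma(i):
    """Fractional hex digits 2..17 of sqrt(i-th prime), as a 64-bit integer."""
    p = first_primes(i)[-1]
    # floor(sqrt(p) * 16**17) without floating point:
    # sqrt(p * 2**136) = sqrt(p) * 2**68, and 68 bits are 17 hex digits.
    scaled = isqrt(p << 136)
    frac17 = scaled & ((1 << 68) - 1)    # drop the integer part of sqrt(p)
    return frac17 & ((1 << 64) - 1)      # drop fractional digit 1, keep 2..17

def mismatches():
    """Indices i whose derived constant differs from the published one."""
    return [i for i in range(1, 7) if sigma(i) != RFC3713_SIGMA[i - 1]]

if __name__ == "__main__":
    for i in range(1, 7):
        print("Sigma%d = 0x%016X" % (i, sigma(i)))
    print("mismatches:", mismatches())
```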

Differential and Linear Cryptanalysis
- Evaluate the upper bound of differential/linear characteristic probability using the min numbers of active s-boxes.
- Kanda, “Practical Security Evaluation against Differential and Linear Attacks for Feistel Ciphers with SPN Round Function”

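Differential and Linear Cryptanalysis (Cont.)
Definition 1: The branch number $B$ of linear transformation $P$ is defined by
$B = \min_{x \neq 0} \left( w_H(x) + w_H(P(x)) \right)$
$w_H(x)$: bytewise Hamming weight of $x$
[Figure: round function with input $x$ entering $P$ and output $P(x)$; labels: S1, S2, S3, S4, P]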

Feistel Network with SPN round function
[Figure: Feistel network whose F-function is an SPN; labels: subkey, F, S1 to S4 (Si: substitution-box), P]

Differential and Linear Cryptanalysis (Cont.)
- Theorem 1: The minimum number of active s-boxes in any 8 consecutive rounds is equal or more than $2B+1$.
- Theorem 2: Let $p_s$ be the max differential probability of all s-boxes, and $D$ be the min numbers of total active s-boxes. Then, the max differential characteristic probability is bounded by $p_s^D$.

Differential and Linear Cryptanalysis (Cont.)
In Case of Camellia
- branch number of linear function P: $B = 5$
- max differential probability of s-boxes: $p_s = 2^{-6}$
- upper bound of max differential characteristic probability of 16 rounds $p$:
  $p = p_s^D = (2^{-6})^{2(2B+1)} = (2^{-6})^{22} = 2^{-132} < 2^{-128}$.
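The figures B = 5 and 2^-132 can be reproduced from the P-function itself. This added example (not from the slides) takes the eight XOR equations of P from RFC 3713, which is an assumption because the slides do not print the matrix, computes the branch number of Definition 1 for P and for its transpose (the matrix used for linear cryptanalysis), and then applies Theorems 1 and 2.

```python
# Output byte i of P is the XOR of the listed input bytes (1-based),
# transcribed from the F-function description in RFC 3713.
P_ROWS = [
    (1, 3, 4, 6, 7, 8),
    (1, 2, 4, 5, 7, 8),
    (1, 2, 3, 5, 6, 8),
    (2, 3, 4, 5, 6, 7),
    (1, 2, 6, 7, 8),
    (2, 3, 5, 7, 8),
    (3, 4, 5, 6, 8),
    (1, 4, 5, 6, 7),
]

def to_masks(rows):
    """Encode each row as an 8-bit mask; bit j-1 set means input byte j is used."""
    return [sum(1 << (j - 1) for j in row) for row in rows]

def transpose(masks):
    """Transpose an 8x8 GF(2) matrix stored as row masks."""
    return [sum(((masks[r] >> c) & 1) << r for r in range(8)) for c in range(8)]

def weight(v):
    """Number of set bits, i.e. number of active bytes in a pattern."""
    return bin(v).count("1")

def mul(masks, x):
    """Matrix times 0/1 vector x over GF(2); bit i of the result is output byte i+1."""
    return sum((weight(m & x) & 1) << i for i, m in enumerate(masks))

def branch_number(masks):
    """min over non-zero x of w_H(x) + w_H(P(x)).

    P has only 0/1 entries, so a byte vector x that zeroes some set of
    output bytes implies a 0/1 vector with support inside that of x zeroing
    the same outputs. Searching the 255 non-zero 0/1 patterns therefore
    gives the bytewise minimum.
    """
    return min(weight(x) + weight(mul(masks, x)) for x in range(1, 256))

def characteristic_bound_log2(B, log2_ps, rounds):
    """log2 of p_s^D with D = (2B+1) per full block of 8 rounds (Theorem 1)."""
    D = (rounds // 8) * (2 * B + 1)
    return log2_ps * D

P = to_masks(P_ROWS)
B_DIFF = branch_number(P)               # differential case
B_LIN = branch_number(transpose(P))     # linear case uses the transposed matrix
BOUND_16 = characteristic_bound_log2(B_DIFF, -6, 16)

if __name__ == "__main__":
    print("branch number of P:           ", B_DIFF)
    print("branch number of P transposed:", B_LIN)
    print("16-round bound: 2^%d" % BOUND_16)
```

The minimum is reached, for instance, when input bytes 1 and 6 are active: exactly three output bytes (2, 4 and 7) are then active.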

Differential and Linear Cryptanalysis (Result)
- 12-round Camellia with $FL/FL^{-1}$-function layers has no differential/linear characteristic with prob > $2^{-128}$.
- cf. Camellia has 18 rounds for 128-bit keys and 24 rounds for 192- and 256-bit keys.

Truncated Differential Cryptanalysis
- a differential where only a part of the difference can be predicted
- With a byte-oriented cipher it is natural to consider it as a bytewise differential.
- We searched for truncated differentials by computer experiments.
- As a result, Camellia with > 10 rounds is indistinguishable from a random permutation.

Truncated Linear Cryptanalysis
- Due to the duality between differential and linear cryptanalysis, security can be evaluated by using a similar algorithm.
- Perform the search by replacing the matrix of P-function with the transposed matrix.
- More than 10-round Camellia without FL-function layers is indistinguishable from a random permutation.

Cryptanalysis with Impossible Differential
- We have not found an impossible differential for Camellia with more than 6 rounds.
- FL-function layers make the attack difficult, because FL-function changes differential paths depending on key values.
Impossible differential: the differential which never exists. Using impossible differentials, it is possible to narrow down the candidates of the (last-round) subkey. It is known that there is at least one 5-round impossible differential in any Feistel network with bijective round function.

Higher Order Differential Attack
- Generally applicable to ciphers that can be presented as Boolean polynomials of low degree.
- We confirmed that the degree of the Boolean polynomial of every output bit of the s-boxes is 7 by finding the Boolean polynomial expressions.
- It is expected the degree of Camellia becomes $7^3 > 128$ after passing through three s-boxes.

Interpolation Attack
The smallest number of unknown coefficients:
- whitening×1 + round×r (r<4): 1
- whitening×1 + round×4: 255
- More rounds: 256
Typically applicable to ciphers that use simple algebraic functions. For example, if a cipher can be expressed as a polynomial over $GF(2^8)$ whose number of unknown coefficients (N) is less than 256, the polynomial can be constructed using N pairs of plaintext and ciphertext by Lagrange Interpolation. Camellia is secure against (bytewise) Interpolation Attack.

No Equivalent Keys
- Since the set of subkeys generated by the key schedule contains the original secret key, there is no equivalent set of subkeys generated from a distinct secret key.
[Figure: the key schedule maps K to (K, KA) and K’ to (K’, KA’)]

Slide Attack
- Iterated ciphers with identical round functions (the same structures and same subkeys in the round function) are susceptible to slide attacks.
- In Camellia, FL-function layers are inserted between every 6 rounds of Feistel network to provide non-regularity across rounds.
- Moreover, the key schedule makes the attack hard.

Related-key Attack
- For some ciphers, how the related keys would encrypt plaintexts can be predetermined.
- In Camellia, the subkey relations are hard to control and predict: the subkeys depend on KA and KB, which are the result of encryption of a secret key (K).
- If an attacker wants to change K, it is difficult to get the desired KA and KB, and vice versa.