Presentation is loading. Please wait.

Presentation is loading. Please wait.

128-bit Block Cipher Camellia

Published byHorace Woods Modified over 6 years ago

Similar presentations

Presentation on theme: "128-bit Block Cipher Camellia"— Presentation transcript:

1 128-bit Block Cipher Camellia
Kazumaro Aoki* Tetsuya Ichikawa† Masayuki Kanda* Mitsuru Matsui† Shiho Moriai* Junko Nakajima† Toshio Tokita† * NTT † Mitsubishi Electric Corporation

2 Outline What’s Camellia? Advantages over Rijndael Performance Figures
Structure of Camellia Security Consideration Conclusion

3 What’s Camellia? Jointly developed by NTT and Mitsubishi Electric Corporation Designed by experts of research and development in cryptography Inherited good characteristics from E2 and MISTY Same interface as AES block size: 128 bits key sizes: 128, 192, 256 bits

4 FAQ: Why “Camellia”? Camellia is well known as “Camellia Japonica” botanically, and Japan is its origin. Easy to pronounce :-) unlike …. Flower language: Good fortune, Perfect loveliness.

5 Users’ Demands on Block Ciphers
Reliability Good Performer Interoperability AES coming soon! Royalty-Free (No IPR Problem) No More Ciphers!

6 Advantage over Rijndael
Efficiency in H/W Implementations Smaller Hardware 9.66Kgates (0.35mm rule) Better Throughput/Area 21.9Mbit/(s*Kgates) Much more efficient in implementing both encryption and decryption Excellent Key Agility Shorter key setup time On-the-fly subkey computation for both encryption and decryption

7 Advantage over Rijndael (Cont.)
Symmetric Encryption and Decryption (Feistel cipher) Very little additional area to implement both encryption and decryption in H/W Little additional ROM is favorable in restricted-space environments Better performance in JAVA Comparable speed on 8-bit CPUs e.g. Z80

8 Software Performance (128-bit keys)
Pentium III (1.13GHz) 308 cycles/block (Assembly) = 471Mbit/s Comparable speed to the AES finalists RC6 229 238 258 308 312 759 Encryption speed on P6 [cycles/block] Rijndael Twofish Fast For example, an optimized implementation of Camellia in assembly language can encrypt on a Pentium III of 1.13GHz at the rate of 71Mbps. Compared to the AES finalists, Camellia offers at least comparable encryption speed. These figures are encryption speed on P6, cycles per one block. Camellia Mars Serpent *Programmed by Aoki, Lipmaa, Twofish team, and Osvik. Each figure is the fastest as far as we know.

9 JAVA Performance (128-bit keys)
Pentium II (300MHz) 36.112Mbit/s (Java 1.2) Above average among AES finalists Speed* [Mbit/s] * AES finalists’ data by Sterbenz[AES3] (Pentium Pro 200MHz) Camellia’s datum is converted into 200 MHz Camellia 24.07 RC6 26.21 Mars 19.72 Rijndael 19.32 Twofish 19.27 Serpent 11.46

10 Hardware (128-bit keys) ASIC (0.35mm CMOS) Type II: Top priority: Size
Less than 10KGates (212Mbit/s) Among smallest 128-bit block ciphers Type I: Top priority: Speed Area [Kgates] Throughput Thru/Area [Mbit/s] Camellia 273 1,171 4.29 Rijndael 613 1,950 3.18 On the hardware design, I’ll show several figures of Camellia implemented on ASIC using .35micro CMOS library. One is designed aiming small-size hardware in terms of total number of logic gates. The hardware which includes both encryption and decryption, occupies approximately only 11Kgates, which is the smallest among existing 128-bit block ciphers. Another design policy is to achieve the fastest encryption and decryption speed with no consideration of logic size. This is the comparison with the AES finalists and DES evaluated with the same design policy. Camellia achieves more than 1 Gbit/s with this small hardware. Serpent 504 932 1.85 Twofish 432 394 0.91 RC6 1,643 204 0.12 MARS 2,936 226 0.08 The above data (except Camellia) by Ichikawa et al. are refered in NIST’s AES report.

11 Structure of Camellia Encryption/Decryption Procedure Key Schedule
Feistel structure 18 rounds (for 128-bit keys) 24 rounds (for 192/256-bit keys) Round function: SPN FL/FL-1-functions inserted every 6 rounds Input/Output whitening : XOR with subkeys Key Schedule simple shares the same part of its procedure with encryption

12 Camellia for 128-bit keys key plaintext ciphertext key schedule subkey
Bytewise Linear Transfor- mation S4 F S3 F S2 FL FL-1 S4 F S3 key schedule FL FL-1 F S2 S1 F Si:substitution-box ciphertext

13 Camellia for 192/256-bit keys
subkey key plaintext F S1 Bytewise Linear Transfor- mation S4 F S3 F S2 FL FL-1 S4 F S3 key schedule FL FL-1 F S2 S1 F Si:substitution-box FL FL-1 ciphertext

14 Security of Camellia Encryption/Decryption Process
Differential and Linear Cryptanalysis Truncated Differential Cryptanalysis Truncated Linear Cryptanalysis Cryptanalysis with Impossible Differential Higher Order Differential Attack Interpolation Attack

15 Security of Camellia (Cont.)
Key Schedule No Equivalent Keys Slide Attack Related-key Attack Attacks on Implementations Timing Attacks Power Analysis

16 Conclusion High level of Security
No known cryptanalytic attacks A sufficiently large security margin Efficiency on a wide range of platforms Small and efficient H/W High S/W performance Performs well on low-cost platforms JAVA

17 Standardization Activities
IETF Submitted Internet-Drafts A Description of the Camellia Encryption Algorithm <draft-nakajima-camellia-00.txt> Addition of the Camellia Encryption Algorithm to Transport Layer Security (TLS) <draft-ietf-tls-camellia-00.txt>

18 Standardization Activities (Cont.)
ISO/IEC JTC 1/SC 27 Encryption Algorithms (N2563) CRYPTREC Project to investigate and evaluate the cryptographic techniques proposed for the infrastructure of an electronic government of Japan WAP TLS Adopted in some Governmental Systems

Download ppt "128-bit Block Cipher Camellia"

Similar presentations

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.
128-bit Block Cipher Camellia

128-bit Block Cipher Camellia
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
Proposal of MISTY1 as a Block Cipher of Cipher Suites in TLS Hirosato Tsuji Toshio Tokita Mitsubishi Electric Corporation.

Proposal of MISTY1 as a Block Cipher of Cipher Suites in TLS Hirosato Tsuji Toshio Tokita Mitsubishi Electric Corporation.
History Applications Attacks Advantages & Disadvantages Conclusion.

History Applications Attacks Advantages & Disadvantages Conclusion.
Cryptography and Network Security

Cryptography and Network Security
AES clear a replacement for DES was needed

AES clear a replacement for DES was needed
Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.

Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.
Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard It seems very simple. It is very simple. But if you don't know.

Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know.
Cryptography and Network Security Chapter 5 Fourth Edition by William Stallings.

Cryptography and Network Security Chapter 5 Fourth Edition by William Stallings.
Geneva, Switzerland, 15-16 September 2014 Lightweight Cryptography for the Connected Car/ITS Security Shiho Moriai Director, Security Fundamentals Laboratory,

Geneva, Switzerland, September 2014 Lightweight Cryptography for the Connected Car/ITS Security Shiho Moriai Director, Security Fundamentals Laboratory,
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
CS470, A.SelcukAfter the DES1 Block Ciphers After the DES CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukAfter the DES1 Block Ciphers After the DES CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
AES Proposal: Rijndael Joan Daemen Vincent Rijmen “Rijndael is expected, for all key and block lengths defined, to behave as good as can be expected from.

AES Proposal: Rijndael Joan Daemen Vincent Rijmen “Rijndael is expected, for all key and block lengths defined, to behave as good as can be expected from.
Chapter 5 –Advanced Encryption Standard It seems very simple. It is very simple. But if you don't know what the key is it's virtually indecipherable.

Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know what the key is it's virtually indecipherable."
Comparison AES-Rijndael/Serpent 2G1704: Internet Security and Privacy Weltz Max 2G1704: Internet Security and Privacy Weltz Max.

Comparison AES-Rijndael/Serpent 2G1704: Internet Security and Privacy Weltz Max 2G1704: Internet Security and Privacy Weltz Max.
9/17/15UB Fall 2015 CSE565: S. Upadhyaya Lec 6.1 CSE565: Computer Security Lecture 6 Advanced Encryption Standard Shambhu Upadhyaya Computer Science &

9/17/15UB Fall 2015 CSE565: S. Upadhyaya Lec 6.1 CSE565: Computer Security Lecture 6 Advanced Encryption Standard Shambhu Upadhyaya Computer Science &
Classical &ontemporyryptology 1 AESAES Classical &ontemporyryptology 2 Advanced Encryption Standard Since DES was becoming less reliable as new cryptanalysis.

Classical &ontemporyryptology 1 AESAES Classical &ontemporyryptology 2 Advanced Encryption Standard Since DES was becoming less reliable as new cryptanalysis.
Advance Encryption Standard. Topics  Origin of AES  Basic AES  Inside Algorithm  Final Notes.

Advance Encryption Standard. Topics  Origin of AES  Basic AES  Inside Algorithm  Final Notes.

Similar presentations

Ads by Google