Presentation is loading. Please wait.

Presentation is loading. Please wait.

128-bit Block Cipher Camellia

Published byAngelica Day Modified over 5 years ago

Similar presentations

Presentation on theme: "128-bit Block Cipher Camellia"— Presentation transcript:

1 128-bit Block Cipher Camellia
Kazumaro Aoki* Tetsuya Ichikawa† Masayuki Kanda* Mitsuru Matsui† Shiho Moriai* Junko Nakajima† Toshio Tokita† * NTT † Mitsubishi Electric Corporation First , I‘ll introduce a 128-bit block cipher Camellia. Camellia was jointly developed by Mitsubishi Electric Corporation and NTT this March. It was designed by experienced crypto-analysts and programmers. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

2 Copyright (C) NTT & Mitsubishi Electric Corp. 2001
Outline What’s Camellia? Structure of Camellia Security Evaluation Performance Figures Intellectual Property Rights Standardization Activities Conclusion <Appendix> Comments on Security Design Rationale CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

3 Copyright (C) NTT & Mitsubishi Electric Corp. 2001
What’s Camellia? Jointly developed by NTT and Mitsubishi, 2000 Combining strength on cipher design technologies NTT: High-speed SW implementation Mitsubishi: Compact & high-speed HW implementation Both: State-of-the-art security evaluation Same interface as AES Block size: 128 bits Key size: 128, 192, 256 bits Camellia is a block cipher with 128-bit block size and supports 128-, 192-, and 256-bit keys. This is the same interface as the Advanced Encryption Standard, AES. These longer key lengths offer more security against exhaustive key search attack in the future. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

4 Copyright (C) NTT & Mitsubishi Electric Corp. 2001
What’s Camellia? High level of security Withstanding all known cryptanalytic attacks High security margin for use of the next several decades Efficiency on multiple platforms Software: High-speed on 32-/64-bit processors Compact and high-performance on smart cards (8-/32-bit processors with restricted-space) Hardware: compact and high-performance Smallest-class of area size among existing bit block ciphers Excellent key agility: short key setup time Camellia is a block cipher with 128-bit block size and supports 128-, 192-, and 256-bit keys. This is the same interface as the Advanced Encryption Standard, AES. These longer key lengths offer more security against exhaustive key search attack in the future. CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

5 Copyright (C) NTT & Mitsubishi Electric Corp. 2001
Structure of Camellia Encryption/Decryption Procedure: 18-round Feistel structure (for 128-bit keys) 24-round Feistel structure (for 192-/256-bit keys) Round function: SPN FL/FL-1-functions inserted every 6 rounds Input/Output whitening : XOR with subkeys Key Schedule: Simple Shares the same 2-round Feistel structure CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

6 Camellia for 128-bit Keys Secret key (128-bit) Plaintext (128-bit)
Subkey F S1 Bytewise Linear Trans. F S4 S3 F S2 F S4 S3 F Intermediate Keys Generation Rotation & Choice S2 F S1 Si : Substitution-box En/Decryption Procedure Key Schedule Subkey FL FL-1 Subkey Ciphertext (128-bit) CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

7 Camellia for 192-/256-bit Keys
Secret key (192-/256-bit) Plaintext (128-bit) Subkey F S1 Bytewise Linear Trans. F S4 S3 F S2 F S4 S3 F Intermediate Keys Generation Rotation & Choice S2 F S1 Si : Substitution-box Key Schedule Subkey FL FL-1 Subkey Ciphertext (128-bit) CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

8 Design Rationale (Digest)
Round function to provide high security against differential and linear cryptanalysis to achieve high performance on multiple platform to design small hardware FL/FL-1-functions to provide non-regularity across rounds without significantly impacting its performance Key schedule to provide excellent key agility CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

9 Security Consideration
Camellia was designed to provide strong security against: Differential and Linear Cryptanalysis Truncated Differential and Linear Cryptanalysis Cryptanalysis with Impossible Differential Boomerang Attack Higher Order Differential Attack & Square Attack Interpolation Attack & Linear Sum Attack No Equivalent Keys Slide Attack Related-key Attack Implementation Attacks, … CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

10 Third-Party’s Results on Security
Published results No attacks are found on 12 and more rounds without FL/FL-1 for 128-bit keys so far Full version of Camellia seems to be secure and achieve high security margin Authors Reference Main Results (for 128-bit keys) # of breakable rounds FL Technique Knudsen Camellia HP Distinguishable for 7 rounds w/o T.D.C. E. Biham, et. al. NESSIE public report 9 rounds D.C. Distinguishable for 8 rounds Kawabata, Kaneko 2nd NESSIE workshop 8 rounds H.O.D. He, Qing ICICS2001 6 rounds --- Square Sugita, et. al. ASIACRYPT2001 Distinguishable for 9 rounds 7 rounds impossible difference I.D.C As you know, differential and linear cryptanalysis were proposed in 1990s. They are powerful cryptanalytic methods to many block ciphers. So designers should provide some evidences that the proposed cipher is secure against them. To evaluate the security, two security measures are known. One is the upper bound of probabilities of differentials and linear hulls. That is called provably secure. And the other is the upper bound of differential and linear characteristic probability. That is called practically secure. Here, the important thing is that they are focused on the upper bound of probability. We call this security measures with designer’s viewpoint. (101/128) CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

11 SW Performance for 128-bit Keys
On Pentium III (assuming CPU clock: 1GHz) (cycles/byte) Bulk encryption speed (msec) One block enc. + Key schedule 74.9 Mbps Fast Fast 229.8 Mbps 415.6 Mbps 392.6 Mbps Assembly Self evaluation Assembly CRYPTREC* ANSI C Non-opt. Assembly CRYPTREC* Assembly Self evaluation Assembly CRYPTREC* Assembly CRYPTREC* [Ref] CRYPTREC*: CRYPTREC Report 2000 CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

12 SW Performance for 128-bit Keys
Assembly code on Z80 processor (CPU clock: 5MHz) [Ref] Rijndael*: F. Sano, et.al., in the proceeding of the Second NESSIE Workshop Camellia Rijndael* ROM Usage [bytes] 1,268 1,221 RAM Usage [bytes] (including stack, text, key area) 60 63 Enc + KS [states] (using on-the-fly subkey generation) 35,951 (7.19 msec) 35,709 (7.15 msec) Dec + KS [states] 37,553 (7.51 msec) 52,094 (10.42 msec) CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

13 SW Performance for 128-bit Keys
Other results Java on Pentium III (Self evaluation) Key Schedule: 9,091 cycles Encryption: 793 cycles Assembly code on UltraSPARC and Alpha (Reported by CRYPTREC Report 2000) Processors Encryption/decryption Speed One block encryption/decryption and Key Schedule Encryption [cycles] Decryption Enc + KS Dec + KS UltraSPARCIIi 355 403 Alpha 21264 282 448 435 CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

14 HW Performance for 128-bit Keys
Self-evaluation – best results (ASIC) Mitsubishi 0.18mm ASIC CMOS (FPGA) Xilinx VirtexE Target Area Size [Kgates] Throughput [Mbps] Efficiency (=Thru./Area) Smallest 8.12 177.62 21.87 Best Efficiency 11.87 1,050.90 88.52 Fastest 44.30 1,881.25 42.47 Target Area Size [slices] Throughput [Mbps] Efficiency (=Thru./Area) Smallest 1,780 227.42 127.76 Best Efficiency (Fastest) 9,692 6,749.99 696.45 CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

15 Intellectual Property Rights
We declare that there is no responsibility for evaluation purpose of CRYPTREC on Camellia We are prepared to grant, on the basis of reciprocity and non-discriminatory, a royalty-free license under the essential patent of Camellia to an unrestricted number of applicants to manufacture, use and/or sell implementations of Camellia CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

16 Standardization Activities
NESSIE (New European Schemes for Signature, Integrity, and Encryption) project Advanced to Phase II evaluation IETF Submitted Internet-Drafts Addition of the Camellia Encryption Algorithm to Transport Layer Security (TLS) A Description of the Camellia Encryption Algorithm ISO/IEC JTC 1/SC 27 Submitted to Japan NB Encryption Algorithms (18033) CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

17 Copyright (C) NTT & Mitsubishi Electric Corp. 2001
For More Information… Camellia Home Page Specification & Sample code Technical papers on design rationale, performance, software implementation techniques, hardware evaluation, and details of cryptanalysis. For more information, see the Camellia home page. Specification of Camellia and a reference code are available. You will also find technical papers on design rationale, performance, software implementation techniques, and security evaluation. Internet-Draft on a description of Camellia will be coming soon! CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

18 Copyright (C) NTT & Mitsubishi Electric Corp. 2001
Conclusion Camellia is a 128-bit block cipher with 128-/192-/256-bit keys Based on precise design rationales High level of security No known cryptanalytic attacks High security margin Efficiency on a wide range of platforms High performance on SW Small and high performance on HW Performs well on smart cards (low-cost platforms with restricted space) Camellia is a ROYALTY-FREE algorithm  CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

19 Copyright (C) NTT & Mitsubishi Electric Corp. 2001
Question? CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

20 Copyright (C) NTT & Mitsubishi Electric Corp. 2001
Appendix CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

21 Comments on Security of Camellia
Differential and Linear Cryptanalysis 12-round Camellia with FL/FL-1-function layers has no differential/linear characteristic with probability higher than 2-128 Truncated Differential and Linear Cryptanalysis Camellia with more than 10 rounds is indistinguishable from a random permutation Cryptanalysis with Impossible Differential FL/FL-1-function changes differential paths depending on key values Boomerang Attack Best boomerang probability of 8-round Camellia without FL/FL-1-function layers is bounded by 2-66 CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

22 Comments on Security of Camellia
Higher Order Differential Attack & Square Attack Degree of Boolean polynomial of Camellia is expected to become high enough Interpolation Attack & Linear Sum Attack Smallest number of unknown coefficients of Camellia is expected to become maximum Implementation Attacks One of “Favorable” algorithms Easiest to defend against the attacks Some defense can be provided against such attacks without significantly impacting its performance CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

23 Comments on Security of Camellia
No Equivalent Keys Set of subkeys generated by the key schedule contains the original secret key Slide Attack FL/FL-1-function layers are inserted between every 6 rounds of Feistel network to provide non-regularity across rounds Related-key Attack Subkey relations is hard to control and predict CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

24 Design Rationale – Round Function
P-function Can be represented by only bytewise XORs For efficiency in a wide range of environments Branch number is optimal For security against differential and linear cryptanalyses S-box Functions affine equivalent to the inversion function in GF(28) For security against differential and linear cryptanalysis higher order differential attacks interpolation attacks For small hardware design CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

25 Copyright (C) NTT & Mitsubishi Electric Corp. 2001
Details of F-function subkeys s-boxes P-function S1 S4 S3 S2 S4 S3 S2 S1 CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

26 Design Rationale – FL/FL-1-functions
Provides non-regularity across rounds To be secure against slide attacks To thwart future unknown attacks A merit of regular Feistel structure is still preserved Encryption and decryption procedures are the same except the order of subkeys Design criteria are similar to FL-function of MISTY To be linear for any fixed key, and to have variable forms depending on key values Constructed by logical operations for efficiency in both software and hardware CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

27 Details of FL/FL-1-functions
<<<1 Subkey FL-function FL-1-function CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

28 Design Rationale – Key Schedule
From HW aspect Simple and share part of its procedure with encryption/decryption Key schedule for 128-bit keys can be performed by using a part of that for all keys For efficiency in a wide range of environments Key setup time should be shorter than encryption time Support on-the-fly subkey generation On-the-fly subkey generation should be computable in the same way in both encryption and decryption From security aspect No equivalent keys No related-key attack CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

29 Details of Key Schedule
KL KR F KB Σ5 Σ6 constantsΣi: from 2nd to 17th of hex. representation of square root of the i-th prime. Σ1 F Σ2 F KL Σ3 F Σ4 F KA CRYPTREC Workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2001

Download ppt "128-bit Block Cipher Camellia"

Similar presentations

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.
Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.

Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.
128-bit Block Cipher Camellia

128-bit Block Cipher Camellia
Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 5

Cryptography and Network Security Chapter 5
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
Proposal of MISTY1 as a Block Cipher of Cipher Suites in TLS Hirosato Tsuji Toshio Tokita Mitsubishi Electric Corporation.

Proposal of MISTY1 as a Block Cipher of Cipher Suites in TLS Hirosato Tsuji Toshio Tokita Mitsubishi Electric Corporation.
Cryptography and Network Security

Cryptography and Network Security
This Lecture: AES Key Expansion Equivalent Inverse Cipher Rijndael performance summary.

This Lecture: AES Key Expansion Equivalent Inverse Cipher Rijndael performance summary.
FEAL FEAL 1.

FEAL FEAL 1.
AES clear a replacement for DES was needed

AES clear a replacement for DES was needed
Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.

Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.
Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard It seems very simple. It is very simple. But if you don't know.

Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know.
Cryptography and Network Security Chapter 5 Fourth Edition by William Stallings.

Cryptography and Network Security Chapter 5 Fourth Edition by William Stallings.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
AES Proposal: Rijndael Joan Daemen Vincent Rijmen “Rijndael is expected, for all key and block lengths defined, to behave as good as can be expected from.

AES Proposal: Rijndael Joan Daemen Vincent Rijmen “Rijndael is expected, for all key and block lengths defined, to behave as good as can be expected from.
Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on “A Tutorial on Linear and Differential Cryptanalysis” by Howard Heys.] Modern block ciphers.

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on “A Tutorial on Linear and Differential Cryptanalysis” by Howard Heys.] Modern block ciphers.
Chapter 5 Advanced Encryption Standard. Origins clear a replacement for DES was needed –have theoretical attacks that can break it –have demonstrated.

Chapter 5 Advanced Encryption Standard. Origins clear a replacement for DES was needed –have theoretical attacks that can break it –have demonstrated.
1 University of Palestine Information Security Principles ITGD 2202 Ms. Eman Alajrami 2 nd Semester 2008-2009.

1 University of Palestine Information Security Principles ITGD 2202 Ms. Eman Alajrami 2 nd Semester
Cryptography and Network Security

Cryptography and Network Security

Similar presentations

Ads by Google