Presentation is loading. Please wait.

Presentation is loading. Please wait.

Update on Camellia Camellia Design Team Thank you, chairman.

Published byTorvald Håkonsen Modified over 5 years ago

Similar presentations

Presentation on theme: "Update on Camellia Camellia Design Team Thank you, chairman."— Presentation transcript:

1 Update on Camellia Camellia Design Team Thank you, chairman.
Today’s my talk is focused on “security of Camellia against truncated differential cryptanalysis”. This work is studied jointly with Tsutomu Matsumoto, Yokohama National University. (27/27) Camellia Design Team

2 New Results on Security
As far as we know, the following results are published. No attacks exist on 12 and more rounds without FL/FL-1 for 128-bit key (14 and more rounds for 256-bit key). Full Camellia [18 (for 128-bit key) or 24 (for 192/256-bit key) rounds with FL/FL-1] seems to be secure and achieve high security margin. Attackers Main Results Presentation T.Kawabata, T.Kaneko 8rounds without FL/FL-1 are breakable for 128-bit keys by H.O.D. This Workshop Y. He, S. Qing 6 rounds are breakable by Square attack ICICS 2001 M. Sugita, et. al. 9 rounds without FL/FL-1 are distinguishable (and 11 rounds are breakable for 128-bit key) by T.D.C. ASIACRYPT2001 As you know, differential and linear cryptanalysis were proposed in 1990s. They are powerful cryptanalytic methods to many block ciphers. So designers should provide some evidences that the proposed cipher is secure against them. To evaluate the security, two security measures are known. One is the upper bound of probabilities of differentials and linear hulls. That is called provably secure. And the other is the upper bound of differential and linear characteristic probability. That is called practically secure. Here, the important thing is that they are focused on the upper bound of probability. We call this security measures with designer’s viewpoint. (101/128) nd NESSIE Workshop Copyright (C) NTT&MELCO 2001

3 Updated Performance on SW #1
From CRYPTREC Report 2000 For 32-bit and 64-bit processors Assembly code Measurement function is provided by CRYPTREC Processors Encryption (Decryption) Speed One block encryption (decryption) and Key Generation Encryption [cycles] Decryption Enc + Key Dec + Key Pentium III 326 467 474 UltraSPARCIIi 355 403 Alpha 21264 282 448 435 nd NESSIE Workshop Copyright (C) NTT&MELCO 2001

4 Updated Performance on SW #2
New Implementation – Best Results Assembly code for Z80 processor ROM Usage: 1,268 bytes RAM Usage: 60 bytes (including stack, text, key area) Enc+Key: 35,951 states Dec+Key: 37,553 states (using on-the-fly key generation) Java for Pentium III Key Generation: 9,091 cycles Encryption Speed: 793 cycles nd NESSIE Workshop Copyright (C) NTT&MELCO 2001

5 Updated Performance on HW
New Implementation – Best Results (ASIC) Mitsubishi 0.18mm ASIC CMOS (FPGA) Xilinx VirtexE Target Area [Kgates] Speed [Mbps] Efficiency (=Speed/Area) Smallest 8.12 177.62 21.87 Best Efficiency 11.87 1,050.90 88.52 Fastest 44.30 1,881.25 42.47 Target Area [slices] Speed [Mbps] Efficiency (=Speed/Area) Smallest 1,780 227.42 127.76 Best Efficiency (Fastest) 9,692 6,749.99 696.45 nd NESSIE Workshop Copyright (C) NTT&MELCO 2001

6 Summary New Results on Security of Camellia
Updated Performance on SW and HW A Comment on D14 “Report on the Performance Evaluation of NESSIE Candidates I” D14 contains (I) Estimation of # of basic operations (II) Performance measurement using reference C code Our reference C code is NOT optimized. D14 describes 161 cycles/byte on P III for Camellia Our optimized C code runs in 36 cycles/byte on P II/III (See NESSIE submission) Please also look at performance of optimized codes !! Camellia is a Royalty-free algorithm  nd NESSIE Workshop Copyright (C) NTT&MELCO 2001

Download ppt "Update on Camellia Camellia Design Team Thank you, chairman."

Similar presentations

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
128-bit Block Cipher Camellia

128-bit Block Cipher Camellia
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.

Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
Proposal of MISTY1 as a Block Cipher of Cipher Suites in TLS Hirosato Tsuji Toshio Tokita Mitsubishi Electric Corporation.

Proposal of MISTY1 as a Block Cipher of Cipher Suites in TLS Hirosato Tsuji Toshio Tokita Mitsubishi Electric Corporation.
Cryptography and Network Security

Cryptography and Network Security
AES clear a replacement for DES was needed

AES clear a replacement for DES was needed
Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.

Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.
Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard It seems very simple. It is very simple. But if you don't know.

Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know.
Cryptography and Network Security Chapter 5 Fourth Edition by William Stallings.

Cryptography and Network Security Chapter 5 Fourth Edition by William Stallings.
Implementation of DSP Algorithm on SoC. Characterization presentation Student : Einat Tevel Supervisor : Isaschar Walter Accompany engineer : Emilia Burlak.

Implementation of DSP Algorithm on SoC. Characterization presentation Student : Einat Tevel Supervisor : Isaschar Walter Accompany engineer : Emilia Burlak.
SEED Updates March 2, 2004 Jongwook Park, KISA - SEED Encryption Algorithm - Use of the SEED Encryption Algorithm in CMS.

SEED Updates March 2, 2004 Jongwook Park, KISA - SEED Encryption Algorithm - Use of the SEED Encryption Algorithm in CMS.
AES Proposal: Rijndael Joan Daemen Vincent Rijmen “Rijndael is expected, for all key and block lengths defined, to behave as good as can be expected from.

AES Proposal: Rijndael Joan Daemen Vincent Rijmen “Rijndael is expected, for all key and block lengths defined, to behave as good as can be expected from.
Chapter 5 Advanced Encryption Standard. Origins clear a replacement for DES was needed –have theoretical attacks that can break it –have demonstrated.

Chapter 5 Advanced Encryption Standard. Origins clear a replacement for DES was needed –have theoretical attacks that can break it –have demonstrated.
Chapter 5 –Advanced Encryption Standard It seems very simple. It is very simple. But if you don't know what the key is it's virtually indecipherable.

Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know what the key is it's virtually indecipherable."
Linear Fault Analysis of Block Ciphers Zhiqiang Liu 1, Dawu Gu 1, Ya Liu 1, Wei Li 2 1. Shanghai Jiao Tong University 2. Donghua University ACNS 2012 June.

Linear Fault Analysis of Block Ciphers Zhiqiang Liu 1, Dawu Gu 1, Ya Liu 1, Wei Li 2 1. Shanghai Jiao Tong University 2. Donghua University ACNS 2012 June.
9/17/15UB Fall 2015 CSE565: S. Upadhyaya Lec 6.1 CSE565: Computer Security Lecture 6 Advanced Encryption Standard Shambhu Upadhyaya Computer Science &

9/17/15UB Fall 2015 CSE565: S. Upadhyaya Lec 6.1 CSE565: Computer Security Lecture 6 Advanced Encryption Standard Shambhu Upadhyaya Computer Science &
Advance Encryption Standard. Topics  Origin of AES  Basic AES  Inside Algorithm  Final Notes.

Advance Encryption Standard. Topics  Origin of AES  Basic AES  Inside Algorithm  Final Notes.
2001.9.12 2nd NESSIE Workshop Copyright (C) NTT&MELCO 2001 Update on Camellia Camellia Design Team.

nd NESSIE Workshop Copyright (C) NTT&MELCO 2001 Update on Camellia Camellia Design Team.
New Block Cipher for Ultra-Compact Hardware   BeeM みかか A. Satoh K. Aoki.

New Block Cipher for Ultra-Compact Hardware   BeeM みかか A. Satoh K. Aoki.

Similar presentations

Ads by Google