
1 128-bit Block Cipher Camellia
Kazumaro Aoki *, Tetsuya Ichikawa †, Masayuki Kanda *, Mitsuru Matsui †, Shiho Moriai *, Junko Nakajima †, Toshio Tokita †
* NTT, † Mitsubishi Electric Corporation
2001.10.09. CRYPTREC Workshop. Copyright (C) NTT & Mitsubishi Electric Corp. 2001

2 Outline
- What’s Camellia?
- Structure of Camellia
- Security Evaluation
- Performance Figures
- Intellectual Property Rights
- Standardization Activities
- Conclusion
- Comments on Security
- Design Rationale

3 What’s Camellia?
- Jointly developed by NTT and Mitsubishi, 2000
  - Combining strength on cipher design technologies
    - NTT: High-speed SW implementation
    - Mitsubishi: Compact & high-speed HW implementation
    - Both: State-of-the-art security evaluation
- Same interface as AES
  - Block size: 128 bits
  - Key size: 128, 192, 256 bits

4 What’s Camellia?
- High level of security
  - Withstanding all known cryptanalytic attacks
  - High security margin for use of the next several decades
- Efficiency on multiple platforms
  - Software:
    - High-speed on 32-/64-bit processors
    - Compact and high-performance on smart cards (8-/32-bit processors with restricted-space)
  - Hardware: compact and high-performance
    - Smallest-class of area size among existing 128-bit block ciphers
  - Excellent key agility: short key setup time

5 Structure of Camellia
- Encryption/Decryption Procedure:
  - 18-round Feistel structure (for 128-bit keys)
  - 24-round Feistel structure (for 192-/256-bit keys)
- Round function: SPN
- FL/FL⁻¹-functions inserted every 6 rounds
- Input/Output whitening: XOR with subkeys
- Key Schedule:
  - Simple
  - Shares the same 2-round Feistel structure

6 Camellia for 128-bit Keys
[Figure: En/Decryption Procedure and Key Schedule. Labels in the En/Decryption Procedure: Plaintext (128-bit), Subkey, F, FL, FL⁻¹, Ciphertext (128-bit). Labels in the F-function detail: S1, S2, S3, S4 (S_i: Substitution-box), Bytewise Linear Trans. Labels in the Key Schedule: Secret key (128-bit), Intermediate Keys Generation, Rotation & Choice.]

7 Camellia for 192-/256-bit Keys
[Figure: En/Decryption Procedure and Key Schedule. Labels in the En/Decryption Procedure: Plaintext (128-bit), Subkey, F, FL, FL⁻¹, Ciphertext (128-bit). Labels in the F-function detail: S1, S2, S3, S4 (S_i: Substitution-box), Bytewise Linear Trans. Labels in the Key Schedule: Secret key (192-/256-bit), Intermediate Keys Generation, Rotation & Choice.]

8 Design Rationale (Digest)
- Round function
  - to provide high security against differential and linear cryptanalysis
  - to achieve high performance on multiple platforms
  - to design small hardware
- FL/FL⁻¹-functions
  - to provide non-regularity across rounds
  - without significantly impacting its performance
- Key schedule
  - to provide excellent key agility
  - to design small hardware

9 Security Consideration
- Camellia was designed to provide strong security against:
  - Differential and Linear Cryptanalysis
  - Truncated Differential and Linear Cryptanalysis
  - Cryptanalysis with Impossible Differential
  - Boomerang Attack
  - Higher Order Differential Attack & Square Attack
  - Interpolation Attack & Linear Sum Attack
  - No Equivalent Keys
  - Slide Attack
  - Related-key Attack
  - Implementation Attacks, …

10 Third-Party’s Results on Security
- Published results

| Authors | Reference | Main Results (for 128-bit keys): # of breakable rounds | FL | Technique |
|---|---|---|---|---|
| Knudsen | Camellia HP | Distinguishable for 7 rounds | w/o | T.D.C. |
| E. Biham, et al. | NESSIE public report | 9 rounds | w/o | D.C. |
| | | Distinguishable for 8 rounds | w/o | T.D.C. |
| Kawabata, Kaneko | 2nd NESSIE workshop | 8 rounds | w/o | H.O.D. |
| He, Qing | ICICS2001 | 6 rounds | --- | Square |
| Sugita, et al. | ASIACRYPT2001 | Distinguishable for 9 rounds | w/o | T.D.C. |
| | | 7 rounds impossible difference | w/o | I.D.C. |

- No attacks are found on 12 and more rounds without FL/FL⁻¹ for 128-bit keys so far
- Full version of Camellia seems to be secure and achieve high security margin

11 SW Performance for 128-bit Keys
- On Pentium III (assuming CPU clock: 1GHz)
[Charts: Bulk encryption speed (cycles/byte) and One block enc. + Key schedule (μsec). Bar labels as transcribed: Assembly Self evaluation; Assembly CRYPTREC*; ANSI C Non-opt.; Assembly CRYPTREC*. Throughput labels on the chart: 415.6 Mbps, 392.6 Mbps, 229.8 Mbps, 74.9 Mbps.]
[Ref] CRYPTREC*: CRYPTREC Report 2000

12 SW Performance for 128-bit Keys
- Assembly code on Z80 processor (CPU clock: 5MHz)

| | Camellia | Rijndael* |
|---|---|---|
| ROM Usage [bytes] | 1,268 | 1,221 |
| RAM Usage [bytes] (including stack, text, key area) | 60 | 63 |
| Enc + KS [states] (using on-the-fly subkey generation) | 35,951 (7.19 msec) | 35,709 (7.15 msec) |
| Dec + KS [states] (using on-the-fly subkey generation) | 37,553 (7.51 msec) | 52,094 (10.42 msec) |

[Ref] Rijndael*: F. Sano, et al., in the proceedings of the Second NESSIE Workshop

13 SW Performance for 128-bit Keys
- Other results
  - Java on Pentium III (Self evaluation)
    - Key Schedule: 9,091 cycles
    - Encryption: 793 cycles
  - Assembly code on UltraSPARC and Alpha (Reported by CRYPTREC Report 2000)
[Table: Processors; Encryption/decryption Speed (Encryption [cycles], Decryption [cycles]); One block encryption/decryption and Key Schedule (Enc + KS [cycles], Dec + KS [cycles]). Values as they appear in the transcript: UltraSPARCIIi 355, 403; Alpha 21264 282, 448, 435.]

14 HW Performance for 128-bit Keys
- Self-evaluation – best results

(ASIC) Mitsubishi 0.18 μm ASIC CMOS

| Target | Area Size [Kgates] | Throughput [Mbps] | Efficiency (=Thru./Area) |
|---|---|---|---|
| Smallest | 8.12 | 177.62 | 21.87 |
| Best Efficiency | 11.87 | 1,050.90 | 88.52 |
| Fastest | 44.30 | 1,881.25 | 42.47 |

(FPGA) Xilinx VirtexE

| Target | Area Size [slices] | Throughput [Mbps] | Efficiency (=Thru./Area) |
|---|---|---|---|
| Smallest | 1,780 | 227.42 | 127.76 |
| Best Efficiency (Fastest) | 9,692 | 6,749.99 | 696.45 |

15 Intellectual Property Rights
- We declare that there is no responsibility for evaluation purpose of CRYPTREC on Camellia
- We are prepared to grant, on the basis of reciprocity and non-discriminatory, a royalty-free license under the essential patent of Camellia to an unrestricted number of applicants to manufacture, use and/or sell implementations of Camellia

16 Standardization Activities
- NESSIE (New European Schemes for Signature, Integrity, and Encryption) project
  - Advanced to Phase II evaluation
- IETF
  - Submitted Internet-Drafts
    - Addition of the Camellia Encryption Algorithm to Transport Layer Security (TLS)
    - A Description of the Camellia Encryption Algorithm
- ISO/IEC JTC 1/SC 27
  - Submitted to Japan NB
    - Encryption Algorithms (18033)

17 For More Information…
- Camellia Home Page: http://info.isl.ntt.co.jp/camellia/
  - Specification & Sample code
  - Technical papers on design rationale, performance, software implementation techniques, hardware evaluation, and details of cryptanalysis.
- E-mail
  - camellia@isl.ntt.co.jp
  - MISTY@isl.melco.co.jp

18 Conclusion
- Camellia is a 128-bit block cipher with 128-/192-/256-bit keys
  - Based on precise design rationales
  - High level of security
    - No known cryptanalytic attacks
    - High security margin
  - Efficiency on a wide range of platforms
    - High performance on SW
    - Small and high performance on HW
    - Performs well on smart cards (low-cost platforms with restricted space)
- Camellia is a ROYALTY-FREE algorithm

19 Question?

20 Appendix

21 Comments on Security of Camellia
- Differential and Linear Cryptanalysis
  - 12-round Camellia with FL/FL⁻¹-function layers has no differential/linear characteristic with probability higher than 2⁻¹²⁸
- Truncated Differential and Linear Cryptanalysis
  - Camellia with more than 10 rounds is indistinguishable from a random permutation
- Cryptanalysis with Impossible Differential
  - FL/FL⁻¹-function changes differential paths depending on key values
- Boomerang Attack
  - Best boomerang probability of 8-round Camellia without FL/FL⁻¹-function layers is bounded by 2⁻⁶⁶

22 Comments on Security of Camellia
- Higher Order Differential Attack & Square Attack
  - Degree of Boolean polynomial of Camellia is expected to become high enough
- Interpolation Attack & Linear Sum Attack
  - Smallest number of unknown coefficients of Camellia is expected to become maximum
- Implementation Attacks
  - One of “Favorable” algorithms
  - Easiest to defend against the attacks
    - Some defense can be provided against such attacks without significantly impacting its performance

23 Comments on Security of Camellia
- No Equivalent Keys
  - Set of subkeys generated by the key schedule contains the original secret key
- Slide Attack
  - FL/FL⁻¹-function layers are inserted between every 6 rounds of Feistel network to provide non-regularity across rounds
- Related-key Attack
  - Subkey relations are hard to control and predict

24 Design Rationale – Round Function
- P-function
  - Can be represented by only bytewise XORs
    - For efficiency in a wide range of environments
  - Branch number is optimal
    - For security against differential and linear cryptanalyses
- S-box
  - Functions affine equivalent to the inversion function in GF(2⁸)
    - For security against
      - differential and linear cryptanalysis
      - higher order differential attacks
      - interpolation attacks
    - For small hardware design

25 Details of F-function
[Figure: F-function. Labels: subkeys, s-boxes (S1, S2, S3, S4), P-function.]

26 Design Rationale – FL/FL⁻¹-functions
- Provides non-regularity across rounds
  - To be secure against slide attacks
  - To thwart future unknown attacks
- A merit of regular Feistel structure is still preserved
  - Encryption and decryption procedures are the same except the order of subkeys
- Design criteria are similar to FL-function of MISTY
  - To be linear for any fixed key, and to have variable forms depending on key values
  - Constructed by logical operations for efficiency in both software and hardware

27 Details of FL/FL⁻¹-functions
[Figure: FL-function and FL⁻¹-function. Labels: Subkey, <<< 1.]
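The figure on this slide did not survive transcription, so the sketch below is an added example, not code from the presentation. It implements FL and FL⁻¹ as defined in the published Camellia specification (RFC 3713) and checks the design criteria listed on the previous slide. "Linear for any fixed key" holds in the affine sense, because the OR with the subkey contributes a key-dependent constant; the sample keys and inputs are constructed.

```python
import random

MASK32 = 0xFFFFFFFF

def rol1(w):
    """Rotate a 32-bit word left by one bit (the '<<< 1' box in the figure)."""
    return ((w << 1) | (w >> 31)) & MASK32

def fl(x, k):
    """FL on a 64-bit block x under a 64-bit subkey k (definition per RFC 3713)."""
    xl, xr, kl, kr = x >> 32, x & MASK32, k >> 32, k & MASK32
    xr ^= rol1(xl & kl)      # AND with key half, rotate, XOR into right half
    xl ^= xr | kr            # OR with key half, XOR into left half
    return (xl << 32) | xr

def fl_inv(y, k):
    """FL^-1: the same two steps applied in the opposite order."""
    yl, yr, kl, kr = y >> 32, y & MASK32, k >> 32, k & MASK32
    yl ^= yr | kr
    yr ^= rol1(yl & kl)
    return (yl << 32) | yr

def output_difference(delta, k, a=0):
    """XOR difference after FL for input difference delta under subkey k."""
    return fl(a, k) ^ fl(a ^ delta, k)

def check_properties(trials=1000, seed=2001):
    """Return (inverse_ok, affine_ok, difference_ok) over random constructed inputs."""
    rng = random.Random(seed)
    inverse_ok = affine_ok = difference_ok = True
    for _ in range(trials):
        k, a, b = (rng.getrandbits(64) for _ in range(3))
        inverse_ok &= fl_inv(fl(a, k), k) == a
        # Fixed key: FL(a) ^ FL(b) ^ FL(0) == FL(a ^ b), i.e. FL is GF(2)-affine.
        affine_ok &= (fl(a, k) ^ fl(b, k) ^ fl(0, k)) == fl(a ^ b, k)
        # So the output difference depends on the key, never on the data.
        difference_ok &= output_difference(b, k, a) == output_difference(b, k, 0)
    return inverse_ok, affine_ok, difference_ok

if __name__ == "__main__":
    print(check_properties())
    delta = 0x8000000000000000
    for key in (0x0, 0xFFFFFFFFFFFFFFFF):  # constructed sample subkeys
        print(f"key={key:016X} -> difference {output_difference(delta, key):016X}")
```

The same input difference maps to different output differences under the two sample subkeys, which is the key-dependent change of differential paths mentioned under "Cryptanalysis with Impossible Differential".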

28 Design Rationale – Key Schedule
- From HW aspect
  - Simple and share part of its procedure with encryption/decryption
  - Key schedule for 128-bit keys can be performed by using a part of that for all keys
- For efficiency in a wide range of environments
  - Key setup time should be shorter than encryption time
  - Support on-the-fly subkey generation
  - On-the-fly subkey generation should be computable in the same way in both encryption and decryption
- From security aspect
  - No equivalent keys
  - No related-key attack

29 Details of Key Schedule
[Figure: key schedule. Labels: K_L, K_R, K_A, K_B, F, Σ1, Σ2, Σ3, Σ4, Σ5, Σ6.]
Constants Σi: from 2nd to 17th of hex. representation of square root of the i-th prime.
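The rule for the constants Σi can be checked independently, which is what makes them "nothing up my sleeve" values. The following is an added example, not code from the presentation: it derives Σ1 to Σ6 with exact integer arithmetic and compares them with the constants published in the Camellia specification (RFC 3713), which are quoted here for comparison and do not appear on the slide. It assumes "2nd to 17th" counts hexadecimal digits after the point.

```python
from math import isqrt

# Key-schedule constants as published in the Camellia specification
# (RFC 3713); quoted for comparison, not taken from the slide.
PUBLISHED_SIGMA = [
    0xA09E667F3BCC908B, 0xB67AE8584CAA73B2, 0xC6EF372FE94F82BE,
    0x54FF53A5F1D36F1C, 0x10E527FADE682D1D, 0xB05688C2B3E6C1FD,
]

def first_primes(n):
    """Return the first n primes by trial division (n is tiny here)."""
    primes, candidate = [], 2
    while len(primes) < n:
        if all(candidate % p for p in primes):
            primes.append(candidate)
        candidate += 1
    return primes

def sigma_from_prime(p, first=2, last=17):
    """Fractional hex digits first..last (1-based) of sqrt(p), as an integer."""
    # floor(sqrt(p) * 16**last), exact: isqrt(p * 16**(2*last)).
    scaled = isqrt(p << (8 * last))
    fraction = scaled % (16 ** last)               # drop the integer part
    return fraction % (16 ** (last - first + 1))   # drop digits before `first`

def derive_sigmas():
    """Sigma_1..Sigma_6 derived from the square roots of the first six primes."""
    return [sigma_from_prime(p) for p in first_primes(6)]

def mismatches():
    """1-based indices where a derived constant differs from the published one."""
    pairs = zip(derive_sigmas(), PUBLISHED_SIGMA)
    return [i for i, (derived, published) in enumerate(pairs, 1) if derived != published]

if __name__ == "__main__":
    for i, sigma in enumerate(derive_sigmas(), 1):
        print(f"Sigma{i} = 0x{sigma:016X}")
    print("mismatches:", mismatches())
```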

