Presentation is loading. Please wait.

Presentation is loading. Please wait.

2000.11.13-14 1st NESSIE workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2000 1 128-bit Block Cipher Camellia Kazumaro Aoki * Tetsuya Ichikawa †

Similar presentations

Presentation on theme: "2000.11.13-14 1st NESSIE workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2000 1 128-bit Block Cipher Camellia Kazumaro Aoki * Tetsuya Ichikawa †"— Presentation transcript:

1 2000.11.13-14 1st NESSIE workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2000 1 128-bit Block Cipher Camellia Kazumaro Aoki * Tetsuya Ichikawa † Masayuki Kanda * Mitsuru Matsui † Shiho Moriai * Junko Nakajima † Toshio Tokita † * NTT † Mitsubishi Electric Corporation

2 2 Outline  What’s Camellia?  Advantages over Rijndael  Performance Figures  Structure of Camellia  Security Consideration  Conclusion

3 3 What’s Camellia?  Jointly developed by NTT and Mitsubishi Electric Corporation  Designed by experts of research and development in cryptography  Inherited good characteristics from E2 and MISTY  Same interface as AES  block size: 128 bits  key sizes: 128, 192, 256 bits

4 4 FAQ: Why “Camellia”?  Camellia is well known as “Camellia Japonica” botanically, and Japan is its origin.  Easy to pronounce :-)  unlike ….  Flower language: Good fortune, Perfect loveliness.

5 5 Users’ Demands on Block Ciphers No More Ciphers! Reliability Good Performer Interoperability AES coming soon! Royalty-Free (No IPR Problem)

6 6 Advantage over Rijndael  Efficiency in H/W Implementations  Smaller Hardware 9.66 Kgates (0.35  m rule)  Better Throughput / Area 21.9Mbit/( s*Kgates)  Much more efficient in implementing both encryption and decryption  Excellent Key Agility  Shorter key setup time  On-the-fly subkey computation for both encryption and decryption

7 7 Advantage over Rijndael (Cont.)  Symmetric Encryption and Decryption (Feistel cipher)  Very little additional area to implement both encryption and decryption in H/W  Little additional ROM is favorable in restricted-space environments  Better performance in JAVA  Comparable speed on 8-bit CPUs  e.g. Z80

8 8 Encryption speed on P6 [cycles/block] *Programmed by Aoki, Lipmaa, Twofish team, and Osvik. Each figure is the fastest as far as we know. Software Performance (128-bit keys)  Pentium III (1.13GHz)  308 cycles/block (Assembly) = 471Mbit/s  Comparable speed to the AES finalists RC6 Rijndael Twofish Camellia Mars Serpent Fast 229 238 258 308 312 759

9 9 Twofish19.27 JAVA Performance (128-bit keys)  Pentium II (300MHz)  36.112Mbit/s (Java 1.2)  Above average among AES finalists RC6 Camellia24.07 Speed* [Mbit/s] 26.21 Rijndael19.32 Mars19.72 Serpent11.46 * AES finalists’ data by Sterbenz[AES3] (Pentium Pro 200MHz) Camellia’s datum is converted into 200 MHz

10 10 Throughput Hardware (128-bit keys)  ASIC (0.35  m CMOS)  Type II: Top priority: Size Less than 10KGates (212Mbit/s) Among smallest 128-bit block ciphers  Type I: Top priority: Speed [Mbit/s] Area [Kgates] The above data (except Camellia) by Ichikawa et al. are refered in NIST’s AES report. Thru/Area MARS2,9362260.08 RC61,6432040.12 Serpent5049321.85 Twofish4323940.91 Rijndael6131,9503.18 Camellia2731,1714.29

11 11 Structure of Camellia  Encryption/Decryption Procedure  Feistel structure 18 rounds (for 128-bit keys) 24 rounds (for 192/256-bit keys) Round function: SPN FL/FL -1 -functions inserted every 6 rounds Input/Output whitening: XOR with subkeys  Key Schedule  simple  shares the same part of its procedure with encryption

12 12 Camellia for 128-bit keys plaintext FL subkey F S1S1 Bytewise Linear Transfor- mation S i : substitution-box F F F F F S2S2 S3S3 S4S4 S2S2 S3S3 S4S4 S1S1 FL -1 ciphertext key key schedule FLFL -1

13 13 FL F S1S1 F F F F F S2S2 S3S3 S4S4 S2S2 S3S3 S4S4 S1S1 FL -1 Camellia for 192/256-bit keys FLFL -1 FLFL -1 plaintext subkey Bytewise Linear Transfor- mation S i : substitution-box ciphertext key key schedule

14 14 Security of Camellia  Encryption/Decryption Process  Differential and Linear Cryptanalysis  Truncated Differential Cryptanalysis  Truncated Linear Cryptanalysis  Cryptanalysis with Impossible Differential  Higher Order Differential Attack  Interpolation Attack

15 15 Security of Camellia (Cont.)  Key Schedule  No Equivalent Keys  Slide Attack  Related-key Attack  Attacks on Implementations  Timing Attacks  Power Analysis

16 16 Conclusion  High level of Security  No known cryptanalytic attacks  A sufficiently large security margin  Efficiency on a wide range of platforms  Small and efficient H/W  High S/W performance  Performs well on low-cost platforms  JAVA

17 2000.11.13-14 1st NESSIE workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2000 17 For Q&A

18 18 Standardization Activities  IETF  Submitted Internet-Drafts A Description of the Camellia Encryption Algorithm – Addition of the Camellia Encryption Algorithm to Transport Layer Security (TLS) –

19 19 Standardization Activities (Cont.)  ISO/IEC JTC 1/SC 27  Encryption Algorithms (N2563)  CRYPTREC  Project to investigate and evaluate the cryptographic techniques proposed for the infrastructure of an electronic government of Japan  WAP TLS  Adopted in some Governmental Systems

20 20 Intellectual Property Rights Mitsubishi Electric and NTT have filed patent applications on the techniques used in the block cipher Camellia. Mitsubishi Electric and NTT will license any resulting patent in a reasonable and non-discriminatory fashion.  An intellectual property statement regarding royalty-free license is now under review.

21 21 Suitability for Wireless Devices  Small Hardware  Most suitable 128-bit block cipher that can be an alternative for Triple DES from hardware viewpoint: a small number of gate counts and low power consumption  High Software Performance  8-bit CPUs: same level as Rijndael  32-bit CPUs: same level as AES finalists

22 22 Attacks on Implementations  Poor implementation can leak information by timing attacks or power analysis.  Camellia uses only operations that are the easiest to defend against the attacks: logical operations, table- lookups and fixed rotations.  Additionally, some defense can be provided against such attacks w/o significantly impacting its performance.

23 23 Design Rationale ~ F-function  Design strategy follows F-function of E2  main change from E2 to Camellia is the adoption of 1-round SPN, not 2-round SPN subkey S1S1 P S2S2 S3S3 S4S4 S2S2 S3S3 S4S4 S1S1 S P S S S S S S S S S S S S S S S E2Camellia

24 24 Design Rationale ~ P-function  Represented by only bytewise XORs  efficiency in a wide range of environments  Branch number is optimal (=5)  security against differential and linear cryptanalyses  Slightly different matrix from that of E2  Easy to implement efficiently on 32- and 64-bit processors  slightly improved security against truncated differential cryptanalysis

25 25 Details of F-function subkeys P-function S1S1 S4S4 S3S3 S2S2 S4S4 S3S3 S2S2 S1S1 s-boxes

26 26 Design Rationale ~ s-boxes  Functions affine equivalent to the inversion function in GF(2 8 )  Security Max differential (resp. linear) prob is proven to be 2 -6 (optimal). High degree (=7) of the Boolean polynomial makes higher order differential attacks difficult. Affine functions make the expression in GF(2 8 ) complicated to defend against interpolation attacks.  Small hardware design Represented elements in GF(2 8 ) as polynomials with coefficients in the subfield GF(2 4 ).

27 27 Design Rationale ~ FL/FL -1 - functions  Provides non-regularity across rounds  To be secure against slide attacks  To thwart future unknown attacks  Merit of regular Feistel structure is still preserved.  Encryption and decryption procedures are the same except the order of subkeys.

28 28 Design Rationale ~ FL/FL -1 - functions (Cont.)  Similar design rationale to FL-function of MISTY  To be linear for any fixed key, and to have variable forms depending on key values  Efficiency in both S/W and H/W  Constructed by logical operations (AND, OR, XOR, rotations).

29 29 Details of FL/FL -1 -functions <<< 1 subkey <<< 1 subkey FL-functionFL -1 -function

30 30 Design Rationale ~ Key Schedule  Simple and share part of its procedure with encryption/decryption.  Subkey generation for 128, 192, 256-bit keys can be performed by using the same key schedule (circuit).  Key schedule for 128-bit keys can be performed by using a part of it.

31 31 Design Rationale ~ Key Schedule (Cont.)  Key setup time should be shorter than encryption time.  Support on-the-fly subkey generation.  On-the-fly subkey generation should be computable in the same way in both encryption and decryption.  No equivalent keys.  No related-key attacks.

32 32 Details of Key Schedule F KLKL F F F KAKA KLKL 11 22 33 44 KRKR F F KBKB KRKR 55 66 Constants  i : from 2nd to 17th of hex. representation of square root of the i-th prime.

33 33 Differential and Linear Cryptanalysis  Evaluate the upper bound of differentia/linear characteristic probability using the min numbers of active s-boxes.  Kanda, “Practical Security Evaluation against Differential and Linear Attacks for Feistel Ciphers with SPN Round Function”

34 34 Differential and Linear Cryptanalysis (Cont.)  Definition 1: The branch number B of linear transformation P is defined by B=min(w H (x)+w H (P(x))) w H (x): bytewise Hamming weight of x S1S1 P S2S2 S3S3 S4S4 S2S2 S3S3 S4S4 S1S1 xP(x)

35 35 subkey F S1S1 P S i : substitution-box F F F F F S2S2 S3S3 S4S4 S2S2 S3S3 S4S4 S1S1 Feistel Network with SPN round function

36 36 Differential and Linear Cryptanalysis (Cont.)  Theorem 1: The minimum number of active s-boxes in any 8 consecutive rounds is equal or more than 2B+1.  Theorem 2: Let p s be the max differential probability of all s-boxes, and D be the min numbers of total active s-boxes. Then, the max differential characteristic probability is bounded by p s D.

37 37 Differential and Linear Cryptanalysis (Cont.)  In Case of Camellia  branch number of linear function P B = 5  max differential probability of s-boxes p s = 2 -6 upper bound of max differential characteristic probability of 16 rounds p p = p s D = (2 -6 ) 2(2B+1) = (2 -6 ) 22 =2 -132 < 2 -128.

38 38 Differential and Linear Cryptanalysis (Result)  12-round Camellia with FL/FL -1 - function layers has no differential/linear characteristic with prob > 2 -128.  cf. Camellia has 18 rounds for 128-bit keys and 24 rounds for 192- and 256-bit keys.

39 39 Truncated Differential Cryptanalysis  “truncated differential”  a differential where only a part of the difference can be predicted  With a byte-oriented cipher it is natural to consider it as a bytewise differential.  We searched for truncated differentials by computer experiments. As a result, Camellia with > 10 rounds is indistinguishable from a random permutation.

40 40 Truncated Linear Cryptanalysis  Due to the duality between differential and linear cryptanalysis, security can be evaluated by using a similar algorithm.  Perform the search by replacing the matrix of P-function with the transposed matrix.  More than 10-round Camellia without FL-function layers is indistinguishable from a random permutation.

41 41 Cryptanalysis with Impossible Differential  We have not found impossible differential for Camellia with more than 6 rounds.  FL-function layers make the attack difficult, because FL-function changes differential paths depending on key values.

42 42 Higher Order Differential Attack  Generally applicable to ciphers presented as Boolean polynomials of low degree.  We confirmed that degree of Boolean polynomial of every output bit of the s- boxes is 7 by finding the Boolean polynomial expressions.  It is expected the degree of Camellia becomes 7 3 > 128 after passing through three s-boxes.

43 43 Interpolation Attack  The smallest number of unknown coefficients  whitening×1 + round ×r (r<4) 1  whitening×1 + round ×4 255  More rounds 256  Camellia is secure against (bytewise) Interpolation Attack.

44 44 No Equivalent Keys  Since the set of subkeys generated by the key schedule contain the original secret key, there is no equivalent set of subkeys generated from distinct secret key. K K’ Keyschedule Keyschedule (K, K A ) (K’, K A ’)

45 45 Slide Attack  Iterated ciphers with identical round functions (the same structures and same subkeys in the round funtion) are susceptible to slide attacks.  In Camellia, FL-function layers are inserted between every 6 rounds of Feistel network to provide non- regularity across rounds.  Moreover, the key schedule makes the attack hard.

46 46 Related-key Attack  For some ciphers, how the related keys would encrypt plaintexts can be predetermined.  In Camellia, the subkey relations is hard to control and predict: the subkeys depend on K A and K B, which are the result of encryption of a secret key (K). If an attacker wants to change K, it is difficult to get the desired K A and K B, and vice versa.

Download ppt "2000.11.13-14 1st NESSIE workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2000 1 128-bit Block Cipher Camellia Kazumaro Aoki * Tetsuya Ichikawa †"

Similar presentations

Ads by Google