1. 128-bit Block Cipher Camellia
Kazumaro Aoki* Tetsuya Ichikawa†
Masayuki Kanda* Mitsuru Matsui†
Shiho Moriai* Junko Nakajima†
Toshio Tokita†
* NTT
† Mitsubishi Electric Corporation

2. Outline What’s Camellia? Advantages over Rijndael Performance Figures
Structure of Camellia
Security Consideration
Conclusion

3. What’s Camellia?
Jointly developed by NTT and Mitsubishi Electric Corporation
Designed by experts of research and development in cryptography
Inherited good characteristics from E2 and MISTY
Same interface as AES
block size: 128 bits
key sizes: 128, 192, 256 bits

4. FAQ: Why “Camellia”?
Camellia is well known as “Camellia Japonica” botanically, and Japan is its origin.
Easy to pronounce :-)
unlike ….
Flower language: Good fortune, Perfect loveliness.

5. Users’ Demands on Block Ciphers
Reliability
Good Performer
Interoperability
AES coming soon!
Royalty-Free
(No IPR Problem)
No More
Ciphers!

6. Advantage over Rijndael
Efficiency in H/W Implementations
Smaller Hardware 9.66Kgates (0.35mm rule)
Better Throughput/Area 21.9Mbit/(s*Kgates)
Much more efficient in implementing both encryption and decryption
Excellent Key Agility
Shorter key setup time
On-the-fly subkey computation for both encryption and decryption

7. Advantage over Rijndael (Cont.)
Symmetric Encryption and Decryption (Feistel cipher)
Very little additional area to implement both encryption and decryption in H/W
Little additional ROM is favorable in restricted-space environments
Better performance in JAVA
Comparable speed on 8-bit CPUs
e.g. Z80

8. Software Performance (128-bit keys)
Pentium III (1.13GHz)
308 cycles/block (Assembly)
= 471Mbit/s
Comparable speed to the AES finalists
RC6
229
238
258
308
312
759
Encryption speed on P6 [cycles/block]
Rijndael
Twofish
Fast
For example, an optimized implementation of Camellia in assembly language can encrypt on a Pentium III of 1.13GHz at the rate of 71Mbps.
Compared to the AES finalists, Camellia offers at least comparable encryption speed. These figures are encryption speed on P6, cycles per one block.
Camellia
Mars
Serpent
*Programmed by Aoki, Lipmaa, Twofish team, and Osvik.
Each figure is the fastest as far as we know.

9. JAVA Performance (128-bit keys)
Pentium II (300MHz)
36.112Mbit/s (Java 1.2)
Above average among AES finalists
Speed*
[Mbit/s]
* AES finalists’ data by Sterbenz[AES3]
(Pentium Pro 200MHz)
Camellia’s datum is converted into 200 MHz
Camellia
24.07
RC6
26.21
Mars
19.72
Rijndael
19.32
Twofish
19.27
Serpent
11.46

10. Hardware (128-bit keys) ASIC (0.35mm CMOS) Type II: Top priority: Size
Less than 10KGates (212Mbit/s)
Among smallest 128-bit block ciphers
Type I: Top priority: Speed
Area
[Kgates]
Throughput
Thru/Area
[Mbit/s]
Camellia
273
1,171
4.29
Rijndael
613
1,950
3.18
On the hardware design, I’ll show several figures of Camellia implemented on ASIC using .35micro CMOS library.
One is designed aiming small-size hardware in terms of total number of logic gates. The hardware which includes both encryption and decryption, occupies approximately only 11Kgates, which is the smallest among existing 128-bit block ciphers.
Another design policy is to achieve the fastest encryption and decryption speed with no consideration of logic size.
This is the comparison with the AES finalists and DES evaluated with the same design policy. Camellia achieves more than 1 Gbit/s with this small hardware.
Serpent
504
932
1.85
Twofish
432
394
0.91
RC6
1,643
204
0.12
MARS
2,936
226
0.08
The above data (except Camellia) by Ichikawa et al. are refered in NIST’s AES report.

11. Structure of Camellia Encryption/Decryption Procedure Key Schedule
Feistel structure
18 rounds (for 128-bit keys)
24 rounds (for 192/256-bit keys)
Round function: SPN
FL/FL-1-functions inserted every 6 rounds
Input/Output whitening : XOR with subkeys
Key Schedule
simple
shares the same part of its procedure with encryption

12. Camellia for 128-bit keys key plaintext ciphertext key schedule subkey
Bytewise
Linear
Transfor-
mation S4 F S3 F S2 FL
FL-1 S4 F S3
key schedule FL
FL-1 F S2 S1 F
Si：substitution-box
ciphertext

13. Camellia for 192/256-bit keys
subkey
key
plaintext F S1
Bytewise
Linear
Transfor-
mation S4 F S3 F S2 FL
FL-1 S4 F S3
key schedule FL
FL-1 F S2 S1 F
Si：substitution-box FL
FL-1
ciphertext

14. Security of Camellia Encryption/Decryption Process
Differential and Linear Cryptanalysis
Truncated Differential Cryptanalysis
Truncated Linear Cryptanalysis
Cryptanalysis with Impossible Differential
Higher Order Differential Attack
Interpolation Attack

15. Security of Camellia (Cont.)
Key Schedule
No Equivalent Keys
Slide Attack
Related-key Attack
Attacks on Implementations
Timing Attacks
Power Analysis

16. Conclusion High level of Security
No known cryptanalytic attacks
A sufficiently large security margin
Efficiency on a wide range of platforms
Small and efficient H/W
High S/W performance
Performs well on low-cost platforms
JAVA

17. For Q&A

18. Standardization Activities
IETF
Submitted Internet-Drafts
A Description of the Camellia Encryption Algorithm
<draft-nakajima-camellia-00.txt>
Addition of the Camellia Encryption Algorithm to Transport Layer Security (TLS)
<draft-ietf-tls-camellia-00.txt>

19. Standardization Activities (Cont.)
ISO/IEC JTC 1/SC 27
Encryption Algorithms (N2563)
CRYPTREC
Project to investigate and evaluate the cryptographic techniques proposed for the infrastructure of an electronic government of Japan
WAP TLS
Adopted in some Governmental Systems

20. Intellectual Property Rights
Mitsubishi Electric and NTT have filed patent applications on the techniques used in the block cipher Camellia. Mitsubishi Electric and NTT will license any resulting patent in a reasonable and non-discriminatory fashion.
An intellectual property statement regarding royalty-free license is now under review.

21. Suitability for Wireless Devices
Small Hardware
Most suitable 128-bit block cipher that can be an alternative for Triple DES from hardware viewpoint: a small number of gate counts and low power consumption
High Software Performance
8-bit CPUs: same level as Rijndael
32-bit CPUs: same level as AES finalists

22. Attacks on Implementations
Poor implementation can leak information by timing attacks or power analysis.
Camellia uses only operations that are the easiest to defend against the attacks: logical operations, table-lookups and fixed rotations.
Additionally, some defense can be provided against such attacks w/o significantly impacting its performance.

23. Design Rationale ~ F-function
Design strategy follows F-function of E2
main change from E2 to Camellia is the adoption of 1-round SPN, not 2-round SPN
subkey E2
subkey
subkey
Camellia S P S S1 P S S S4 S S S3 S S S2 S S S4 S S S3 S S S2 S S S1

24. Design Rationale ~ P-function
Represented by only bytewise XORs
efficiency in a wide range of environments
Branch number is optimal (=5)
security against differential and linear cryptanalyses
Slightly different matrix from that of E2
Easy to implement efficiently on 32- and 64-bit processors
slightly improved security against truncated differential cryptanalysis

25. Details of F-function s-boxes P-function S1 S4 S3 S2 S4 S3 S2 S1
subkeys
s-boxes
P-function S1 S4 S3 S2 S4 S3 S2 S1

26. Design Rationale ~ s-boxes
Functions affine equivalent to the inversion function in GF(28)
Security
Max differential (resp. linear) prob is proven to be 2-6 (optimal).
High degree (=7) of the Boolean polynomial makes higher order differential attacks difficult.
Affine functions make the expression in GF(28) complicated to defend against interpolation attacks.
Small hardware design
Represented elements in GF(28) as polynomials with coefficients in the subfield GF(24).

27. Design Rationale ~ FL/FL-1-functions
Provides non-regularity across rounds
To be secure against slide attacks
To thwart future unknown attacks
Merit of regular Feistel structure is still preserved.
Encryption and decryption procedures are the same except the order of subkeys.

28. Design Rationale ~ FL/FL-1-functions (Cont.)
Similar design rationale to FL-function of MISTY
To be linear for any fixed key, and to have variable forms depending on key values
Efficiency in both S/W and H/W
Constructed by logical operations (AND, OR, XOR, rotations).

29. Details of FL/FL-1-functions
subkey
subkey
<<<1
<<<1
subkey
subkey
FL-function
FL-1-function

30. Design Rationale ~ Key Schedule
Simple and share part of its procedure with encryption/decryption.
Subkey generation for 128, 192, 256-bit keys can be performed by using the same key schedule (circuit).
Key schedule for 128-bit keys can be performed by using a part of it.

31. Design Rationale ~ Key Schedule (Cont.)
Key setup time should be shorter than encryption time.
Support on-the-fly subkey generation.
On-the-fly subkey generation should be computable in the same way in both encryption and decryption.
No equivalent keys.
No related-key attacks.

32. Details of Key ScheduleKL KR F KB S5 S6
Constants Si：
from 2nd to 17th of hex.
representation of square root
of the i-th prime. S1 F S2 F KL S3 F S4 F KA

33. Differential and Linear Cryptanalysis
Evaluate the upper bound of differentia/linear characteristic probability using the min numbers of active s-boxes.
Kanda, “Practical Security Evaluation against Differential and Linear Attacks for Feistel Ciphers with SPN Round Function”

34. Differential and Linear Cryptanalysis (Cont.)
Definition 1: The branch number B of linear transformation P is defined by
B=min(wH(x)+wH(P(x)))
wH(x): bytewise Hamming weight of x S1 P S4 S3 S2 x
P(x) S4 S3 S2 S1

35. Feistel Network with SPN round function
subkey F S1 P S4 F S3 F S2 S4 F S3 F S2 S1 F
Si ： substitution-box

36. Differential and Linear Cryptanalysis (Cont.)
Theorem 1: The minimum number of active s-boxes in any 8 consecutive rounds is equal or more than 2B+1.
Theorem 2: Let ps be the max differential probability of all s-boxes, and D be the min numbers of total active s-boxes.
Then, the max differential characteristic probability is bounded by psD.

37. Differential and Linear Cryptanalysis (Cont.)
In Case of Camellia
branch number of linear function P
B = 5
max differential probability of s-boxes
ps = 2-6
upper bound of max differential characteristic probability of 16 rounds p
p = psD = (2-6)2(2B+1) = (2-6)22 =2-132
<

38. Differential and Linear Cryptanalysis (Result)
12-round Camellia with FL/FL-1-function layers has no differential/linear characteristic with prob >
cf. Camellia has 18 rounds for 128-bit keys and 24 rounds for 192- and 256-bit keys.

39. Truncated Differential Cryptanalysis
a differential where only a part of the difference can be predicted
With a byte-oriented cipher it is natural to consider it as a bytewise differential.
We searched for truncated differentials by computer experiments. As a result, Camellia with > 10 rounds is indistinguishable from a random permutation.

40. Truncated Linear Cryptanalysis
Due to the duality between differential and linear cryptanalysis, security can be evaluated by using a similar algorithm.
Perform the search by replacing the matrix of P-function with the transposed matrix.
More than 10-round Camellia without FL-function layers is indistinguishable from a random permutation.

41. Cryptanalysis with Impossible Differential
We have not found impossible differential for Camellia with more than 6 rounds.
FL-function layers make the attack difficult, because FL-function changes differential paths depending on key values.
Impossible differential: the differential which never exists.
Using impossible differentials, it is possible to narrow down the candidates of the (last-round) subkey.
It is known that there is at least one 5-round impossible differential in any Feistel network with bijective round function.

42. Higher Order Differential Attack
Generally applicable to ciphers presented as Boolean polynomials of low degree.
We confirmed that degree of Boolean polynomial of every output bit of the s-boxes is 7 by finding the Boolean polynomial expressions.
It is expected the degree of Camellia becomes 73 > 128 after passing through three s-boxes.
Generally applicable to ciphers that can be presented as Boolean polynomials of low degree.
We confirmed that degree of Boolean polynomial of every output bit of the s-boxes is 7 by finding the Boolean polynomial expressions.
It is expected the degree of Camellia becomes 73 > 128 after passing through three s-boxes.

43. Interpolation Attack The smallest number of unknown coefficients
whitening×1 + round ×r (r<4)
whitening×1 + round ×
More rounds
Typically applicable to ciphers that use simple algebaic functions.
For example, if a cipher can be expressed as a polynomial over GF(28) whose number of unknown coefficients (N) is less than 256, the polynomial can be constructed using N pairs of plaintext and ciphertext by Lagrange Interpolation.
Camellia is secure against (bytewise) Interpolation Attack.

44. No Equivalent Keys
Since the set of subkeys generated by the key schedule contain the original secret key, there is no equivalent set of subkeys generated from distinct secret key.
Key
schedule K
(K, KA)
Key
schedule K’
(K’, KA’)

45. Slide Attack
Iterated ciphers with identical round functions (the same structures and same subkeys in the round funtion) are susceptible to slide attacks.
In Camellia, FL-function layers are inserted between every 6 rounds of Feistel network to provide non-regularity across rounds.
Moreover, the key schedule makes the attack hard.

46. Related-key Attack
For some ciphers, how the related keys would encrypt plaintexts can be predetermined.
In Camellia, the subkey relations is hard to control and predict: the subkeys depend on KA and KB, which are the result of encryption of a secret key (K). If an attacker wants to change K, it is difficult to get the desired KA and KB, and vice versa.