3 What’s Camellia? Jointly developed by NTT and Mitsubishi Electric Corporation Designed by experts of research and development in cryptography Inherited good characteristics from E2 and MISTY Same interface as AES block size: 128 bits key sizes: 128, 192, 256 bits
4 FAQ: Why “Camellia”? Camellia is well known as “Camellia Japonica” botanically, and Japan is its origin. Easy to pronounce :-) unlike …. Flower language: Good fortune, Perfect loveliness.
5 Users’ Demands on Block Ciphers No More Ciphers! Reliability Good Performer Interoperability AES coming soon! Royalty-Free (No IPR Problem)
6 Advantage over Rijndael Efficiency in H/W Implementations Smaller Hardware 9.66 Kgates (0.35 m rule) Better Throughput / Area 21.9Mbit/( s*Kgates) Much more efficient in implementing both encryption and decryption Excellent Key Agility Shorter key setup time On-the-fly subkey computation for both encryption and decryption
7 Advantage over Rijndael (Cont.) Symmetric Encryption and Decryption (Feistel cipher) Very little additional area to implement both encryption and decryption in H/W Little additional ROM is favorable in restricted-space environments Better performance in JAVA Comparable speed on 8-bit CPUs e.g. Z80
8 Encryption speed on P6 [cycles/block] *Programmed by Aoki, Lipmaa, Twofish team, and Osvik. Each figure is the fastest as far as we know. Software Performance (128-bit keys) Pentium III (1.13GHz) 308 cycles/block (Assembly) = 471Mbit/s Comparable speed to the AES finalists RC6 Rijndael Twofish Camellia Mars Serpent Fast 229 238 258 308 312 759
9 Twofish19.27 JAVA Performance (128-bit keys) Pentium II (300MHz) 36.112Mbit/s (Java 1.2) Above average among AES finalists RC6 Camellia24.07 Speed* [Mbit/s] 26.21 Rijndael19.32 Mars19.72 Serpent11.46 * AES finalists’ data by Sterbenz[AES3] (Pentium Pro 200MHz) Camellia’s datum is converted into 200 MHz
10 Throughput Hardware (128-bit keys) ASIC (0.35 m CMOS) Type II: Top priority: Size Less than 10KGates (212Mbit/s) Among smallest 128-bit block ciphers Type I: Top priority: Speed [Mbit/s] Area [Kgates] The above data (except Camellia) by Ichikawa et al. are refered in NIST’s AES report. Thru/Area MARS2,9362260.08 RC61,6432040.12 Serpent5049321.85 Twofish4323940.91 Rijndael6131,9503.18 Camellia2731,1714.29
11 Structure of Camellia Encryption/Decryption Procedure Feistel structure 18 rounds (for 128-bit keys) 24 rounds (for 192/256-bit keys) Round function: SPN FL/FL -1 -functions inserted every 6 rounds Input/Output whitening: XOR with subkeys Key Schedule simple shares the same part of its procedure with encryption
12 Camellia for 128-bit keys plaintext FL subkey F S1S1 Bytewise Linear Transfor- mation S i ： substitution-box F F F F F S2S2 S3S3 S4S4 S2S2 S3S3 S4S4 S1S1 FL -1 ciphertext key key schedule FLFL -1
13 FL F S1S1 F F F F F S2S2 S3S3 S4S4 S2S2 S3S3 S4S4 S1S1 FL -1 Camellia for 192/256-bit keys FLFL -1 FLFL -1 plaintext subkey Bytewise Linear Transfor- mation S i ： substitution-box ciphertext key key schedule
14 Security of Camellia Encryption/Decryption Process Differential and Linear Cryptanalysis Truncated Differential Cryptanalysis Truncated Linear Cryptanalysis Cryptanalysis with Impossible Differential Higher Order Differential Attack Interpolation Attack
15 Security of Camellia (Cont.) Key Schedule No Equivalent Keys Slide Attack Related-key Attack Attacks on Implementations Timing Attacks Power Analysis
16 Conclusion High level of Security No known cryptanalytic attacks A sufficiently large security margin Efficiency on a wide range of platforms Small and efficient H/W High S/W performance Performs well on low-cost platforms JAVA
2000.11.13-14 1st NESSIE workshop Copyright (C) NTT & Mitsubishi Electric Corp. 2000 17 For Q&A
18 Standardization Activities IETF Submitted Internet-Drafts A Description of the Camellia Encryption Algorithm – Addition of the Camellia Encryption Algorithm to Transport Layer Security (TLS) –
19 Standardization Activities (Cont.) ISO/IEC JTC 1/SC 27 Encryption Algorithms (N2563) CRYPTREC Project to investigate and evaluate the cryptographic techniques proposed for the infrastructure of an electronic government of Japan WAP TLS Adopted in some Governmental Systems
20 Intellectual Property Rights Mitsubishi Electric and NTT have filed patent applications on the techniques used in the block cipher Camellia. Mitsubishi Electric and NTT will license any resulting patent in a reasonable and non-discriminatory fashion. An intellectual property statement regarding royalty-free license is now under review.
21 Suitability for Wireless Devices Small Hardware Most suitable 128-bit block cipher that can be an alternative for Triple DES from hardware viewpoint: a small number of gate counts and low power consumption High Software Performance 8-bit CPUs: same level as Rijndael 32-bit CPUs: same level as AES finalists
22 Attacks on Implementations Poor implementation can leak information by timing attacks or power analysis. Camellia uses only operations that are the easiest to defend against the attacks: logical operations, table- lookups and fixed rotations. Additionally, some defense can be provided against such attacks w/o significantly impacting its performance.
23 Design Rationale ~ F-function Design strategy follows F-function of E2 main change from E2 to Camellia is the adoption of 1-round SPN, not 2-round SPN subkey S1S1 P S2S2 S3S3 S4S4 S2S2 S3S3 S4S4 S1S1 S P S S S S S S S S S S S S S S S E2Camellia
24 Design Rationale ~ P-function Represented by only bytewise XORs efficiency in a wide range of environments Branch number is optimal (=5) security against differential and linear cryptanalyses Slightly different matrix from that of E2 Easy to implement efficiently on 32- and 64-bit processors slightly improved security against truncated differential cryptanalysis
26 Design Rationale ~ s-boxes Functions affine equivalent to the inversion function in GF(2 8 ) Security Max differential (resp. linear) prob is proven to be 2 -6 (optimal). High degree (=7) of the Boolean polynomial makes higher order differential attacks difficult. Affine functions make the expression in GF(2 8 ) complicated to defend against interpolation attacks. Small hardware design Represented elements in GF(2 8 ) as polynomials with coefficients in the subfield GF(2 4 ).
27 Design Rationale ~ FL/FL -1 - functions Provides non-regularity across rounds To be secure against slide attacks To thwart future unknown attacks Merit of regular Feistel structure is still preserved. Encryption and decryption procedures are the same except the order of subkeys.
28 Design Rationale ~ FL/FL -1 - functions (Cont.) Similar design rationale to FL-function of MISTY To be linear for any fixed key, and to have variable forms depending on key values Efficiency in both S/W and H/W Constructed by logical operations (AND, OR, XOR, rotations).
30 Design Rationale ~ Key Schedule Simple and share part of its procedure with encryption/decryption. Subkey generation for 128, 192, 256-bit keys can be performed by using the same key schedule (circuit). Key schedule for 128-bit keys can be performed by using a part of it.
31 Design Rationale ~ Key Schedule (Cont.) Key setup time should be shorter than encryption time. Support on-the-fly subkey generation. On-the-fly subkey generation should be computable in the same way in both encryption and decryption. No equivalent keys. No related-key attacks.
32 Details of Key Schedule F KLKL F F F KAKA KLKL 11 22 33 44 KRKR F F KBKB KRKR 55 66 Constants i ： from 2nd to 17th of hex. representation of square root of the i-th prime.
33 Differential and Linear Cryptanalysis Evaluate the upper bound of differentia/linear characteristic probability using the min numbers of active s-boxes. Kanda, “Practical Security Evaluation against Differential and Linear Attacks for Feistel Ciphers with SPN Round Function”
34 Differential and Linear Cryptanalysis (Cont.) Definition 1: The branch number B of linear transformation P is defined by B=min(w H (x)+w H (P(x))) w H (x): bytewise Hamming weight of x S1S1 P S2S2 S3S3 S4S4 S2S2 S3S3 S4S4 S1S1 xP(x)
35 subkey F S1S1 P S i ： substitution-box F F F F F S2S2 S3S3 S4S4 S2S2 S3S3 S4S4 S1S1 Feistel Network with SPN round function
36 Differential and Linear Cryptanalysis (Cont.) Theorem 1: The minimum number of active s-boxes in any 8 consecutive rounds is equal or more than 2B+1. Theorem 2: Let p s be the max differential probability of all s-boxes, and D be the min numbers of total active s-boxes. Then, the max differential characteristic probability is bounded by p s D.
37 Differential and Linear Cryptanalysis (Cont.) In Case of Camellia branch number of linear function P B = 5 max differential probability of s-boxes p s = 2 -6 upper bound of max differential characteristic probability of 16 rounds p p = p s D = (2 -6 ) 2(2B+1) = (2 -6 ) 22 =2 -132 < 2 -128.
38 Differential and Linear Cryptanalysis (Result) 12-round Camellia with FL/FL -1 - function layers has no differential/linear characteristic with prob > 2 -128. cf. Camellia has 18 rounds for 128-bit keys and 24 rounds for 192- and 256-bit keys.
39 Truncated Differential Cryptanalysis “truncated differential” a differential where only a part of the difference can be predicted With a byte-oriented cipher it is natural to consider it as a bytewise differential. We searched for truncated differentials by computer experiments. As a result, Camellia with > 10 rounds is indistinguishable from a random permutation.
40 Truncated Linear Cryptanalysis Due to the duality between differential and linear cryptanalysis, security can be evaluated by using a similar algorithm. Perform the search by replacing the matrix of P-function with the transposed matrix. More than 10-round Camellia without FL-function layers is indistinguishable from a random permutation.
41 Cryptanalysis with Impossible Differential We have not found impossible differential for Camellia with more than 6 rounds. FL-function layers make the attack difficult, because FL-function changes differential paths depending on key values.
42 Higher Order Differential Attack Generally applicable to ciphers presented as Boolean polynomials of low degree. We confirmed that degree of Boolean polynomial of every output bit of the s- boxes is 7 by finding the Boolean polynomial expressions. It is expected the degree of Camellia becomes 7 3 > 128 after passing through three s-boxes.
43 Interpolation Attack The smallest number of unknown coefficients whitening×1 + round ×r (r<4) 1 whitening×1 + round ×4 255 More rounds 256 Camellia is secure against (bytewise) Interpolation Attack.
44 No Equivalent Keys Since the set of subkeys generated by the key schedule contain the original secret key, there is no equivalent set of subkeys generated from distinct secret key. K K’ Keyschedule Keyschedule (K, K A ) (K’, K A ’)
45 Slide Attack Iterated ciphers with identical round functions (the same structures and same subkeys in the round funtion) are susceptible to slide attacks. In Camellia, FL-function layers are inserted between every 6 rounds of Feistel network to provide non- regularity across rounds. Moreover, the key schedule makes the attack hard.
46 Related-key Attack For some ciphers, how the related keys would encrypt plaintexts can be predetermined. In Camellia, the subkey relations is hard to control and predict: the subkeys depend on K A and K B, which are the result of encryption of a secret key (K). If an attacker wants to change K, it is difficult to get the desired K A and K B, and vice versa.