2 Outline
- What’s Camellia?
- Advantages over Rijndael
- Performance Figures
- Structure of Camellia
- Security Consideration
- Conclusion

3 What’s Camellia?
- Jointly developed by NTT and Mitsubishi Electric Corporation
- Designed by experts of research and development in cryptography
- Inherited good characteristics from E2 and MISTY
- Same interface as AES
  - block size: 128 bits
  - key sizes: 128, 192, 256 bits

4 FAQ: Why “Camellia”?
- Camellia is well known as “Camellia Japonica” botanically, and Japan is its origin.
- Easy to pronounce :-)
  - unlike ….
- Flower language: Good fortune, Perfect loveliness.

6 Advantage over Rijndael
- Efficiency in H/W Implementations
  - Smaller Hardware: 9.66 Kgates (0.35 µm rule)
  - Better Throughput/Area: 21.9 Mbit/(s*Kgates)
  - Much more efficient in implementing both encryption and decryption
- Excellent Key Agility
  - Shorter key setup time
  - On-the-fly subkey computation for both encryption and decryption

7 Advantage over Rijndael (Cont.)
- Symmetric Encryption and Decryption (Feistel cipher)
  - Very little additional area to implement both encryption and decryption in H/W
  - Little additional ROM is favorable in restricted-space environments
- Better performance in JAVA
- Comparable speed on 8-bit CPUs
  - e.g. Z80

8 Software Performance (128-bit keys)
- Pentium III (1.13GHz)
  - 308 cycles/block (Assembly) = 471Mbit/s
- Comparable speed to the AES finalists

Encryption speed on P6 [cycles/block]*, fastest first:
- RC6: 229
- Rijndael: 238
- Twofish: 258
- Camellia: 308
- Mars: 312
- Serpent: 759
* Programmed by Aoki, Lipmaa, Twofish team, and Osvik. Each figure is the fastest as far as we know.

For example, an optimized implementation of Camellia in assembly language can encrypt on a Pentium III of 1.13GHz at the rate of 71Mbps. Compared to the AES finalists, Camellia offers at least comparable encryption speed. These figures are encryption speed on P6, cycles per one block.

9 JAVA Performance (128-bit keys)
- Pentium II (300MHz)
  - 36.112Mbit/s (Java 1.2)
- Above average among AES finalists

Speed* [Mbit/s]:
- Camellia: 24.07
- RC6: 26.21
- Mars: 19.72
- Rijndael: 19.32
- Twofish: 19.27
- Serpent: 11.46
* AES finalists’ data by Sterbenz [AES3] (Pentium Pro 200MHz). Camellia’s datum is converted into 200 MHz.

10 Hardware (128-bit keys)
ASIC (0.35 µm CMOS)
- Type II: Top priority: Size
  - Less than 10KGates (212Mbit/s)
  - Among smallest 128-bit block ciphers
- Type I: Top priority: Speed

| Cipher | Area [Kgates] | Throughput [Mbit/s] | Thru/Area |
| Camellia | 273 | 1,171 | 4.29 |
| Rijndael | 613 | 1,950 | 3.18 |
| Serpent | 504 | 932 | 1.85 |
| Twofish | 432 | 394 | 0.91 |
| RC6 | 1,643 | 204 | 0.12 |
| MARS | 2,936 | 226 | 0.08 |

The above data (except Camellia) by Ichikawa et al. are referred to in NIST’s AES report.

On the hardware design, I’ll show several figures of Camellia implemented on ASIC using .35micro CMOS library. One is designed aiming at small-size hardware in terms of total number of logic gates. The hardware, which includes both encryption and decryption, occupies approximately only 11Kgates, which is the smallest among existing 128-bit block ciphers. Another design policy is to achieve the fastest encryption and decryption speed with no consideration of logic size. This is the comparison with the AES finalists and DES evaluated with the same design policy. Camellia achieves more than 1 Gbit/s with this small hardware.

11 Structure of Camellia
- Encryption/Decryption Procedure
  - Feistel structure
    - 18 rounds (for 128-bit keys)
    - 24 rounds (for 192/256-bit keys)
  - Round function: SPN
  - FL/FL⁻¹-functions inserted every 6 rounds
  - Input/Output whitening: XOR with subkeys
- Key Schedule
  - simple
  - shares the same part of its procedure with encryption

13 Camellia for 192/256-bit keys
[Figure: encryption procedure for 192/256-bit keys. Labels: key, key schedule, subkey, plaintext, ciphertext, F, FL, FL⁻¹, bytewise linear transformation; Si: substitution-box.]

14 Security of Camellia
- Encryption/Decryption Process
  - Differential and Linear Cryptanalysis
  - Truncated Differential Cryptanalysis
  - Truncated Linear Cryptanalysis
  - Cryptanalysis with Impossible Differential
  - Higher Order Differential Attack
  - Interpolation Attack

15 Security of Camellia (Cont.)
- Key Schedule
  - No Equivalent Keys
  - Slide Attack
  - Related-key Attack
- Attacks on Implementations
  - Timing Attacks
  - Power Analysis

16 Conclusion
- High level of Security
  - No known cryptanalytic attacks
  - A sufficiently large security margin
- Efficiency on a wide range of platforms
  - Small and efficient H/W
  - High S/W performance
  - Performs well on low-cost platforms
  - JAVA

18 Standardization Activities
- IETF
  - Submitted Internet-Drafts
    - A Description of the Camellia Encryption Algorithm <draft-nakajima-camellia-00.txt>
    - Addition of the Camellia Encryption Algorithm to Transport Layer Security (TLS) <draft-ietf-tls-camellia-00.txt>

19 Standardization Activities (Cont.)
- ISO/IEC JTC 1/SC 27
  - Encryption Algorithms (N2563)
- CRYPTREC
  - Project to investigate and evaluate the cryptographic techniques proposed for the infrastructure of an electronic government of Japan
- WAP TLS
- Adopted in some Governmental Systems

20 Intellectual Property Rights
- Mitsubishi Electric and NTT have filed patent applications on the techniques used in the block cipher Camellia.
- Mitsubishi Electric and NTT will license any resulting patent in a reasonable and non-discriminatory fashion.
- An intellectual property statement regarding royalty-free license is now under review.

21 Suitability for Wireless Devices
- Small Hardware
  - Most suitable 128-bit block cipher that can be an alternative for Triple DES from hardware viewpoint: a small number of gate counts and low power consumption
- High Software Performance
  - 8-bit CPUs: same level as Rijndael
  - 32-bit CPUs: same level as AES finalists

22 Attacks on Implementations
- Poor implementation can leak information by timing attacks or power analysis.
- Camellia uses only operations that are the easiest to defend against the attacks: logical operations, table-lookups and fixed rotations.
- Additionally, some defense can be provided against such attacks w/o significantly impacting its performance.

23 Design Rationale ~ F-function
- Design strategy follows F-function of E2
- main change from E2 to Camellia is the adoption of 1-round SPN, not 2-round SPN
[Figure: F-functions of E2 and Camellia side by side. Labels: subkey, S (s-boxes S1 to S4), P.]

24 Design Rationale ~ P-function
- Represented by only bytewise XORs
  - efficiency in a wide range of environments
- Branch number is optimal (=5)
  - security against differential and linear cryptanalyses
- Slightly different matrix from that of E2
  - Easy to implement efficiently on 32- and 64-bit processors
  - slightly improved security against truncated differential cryptanalysis

26 Design Rationale ~ s-boxes
- Functions affine equivalent to the inversion function in $GF(2^8)$
- Security
  - Max differential (resp. linear) prob is proven to be $2^{-6}$ (optimal).
  - High degree (=7) of the Boolean polynomial makes higher order differential attacks difficult.
  - Affine functions make the expression in $GF(2^8)$ complicated to defend against interpolation attacks.
- Small hardware design
  - Represented elements in $GF(2^8)$ as polynomials with coefficients in the subfield $GF(2^4)$.

27 Design Rationale ~ FL/FL⁻¹-functions
- Provides non-regularity across rounds
  - To be secure against slide attacks
  - To thwart future unknown attacks
- Merit of regular Feistel structure is still preserved.
  - Encryption and decryption procedures are the same except the order of subkeys.

28 Design Rationale ~ FL/FL⁻¹-functions (Cont.)
- Similar design rationale to FL-function of MISTY
  - To be linear for any fixed key, and to have variable forms depending on key values
- Efficiency in both S/W and H/W
  - Constructed by logical operations (AND, OR, XOR, rotations).

29 Details of FL/FL⁻¹-functions
[Figure: FL-function and FL⁻¹-function. Labels: subkey (two per function), <<<1 (rotation by one bit, one per function).]

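
An added example, not part of the original slides: FL and FL⁻¹ written out as defined in the published Camellia specification (RFC 3713), with a check that FL⁻¹ undoes FL and that, for a fixed subkey, an output difference depends only on the input difference and the subkey (FL is affine over GF(2)). The subkeys and input differences are constructed values.

```python
import random

MASK32 = 0xFFFFFFFF

def rotl32(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32

def fl(x, ke):
    """FL on a 64-bit block x with a 64-bit subkey ke (RFC 3713 definition)."""
    x1, x2 = x >> 32, x & MASK32
    k1, k2 = ke >> 32, ke & MASK32
    x2 ^= rotl32(x1 & k1, 1)   # AND with the subkey, rotate by 1, XOR
    x1 ^= x2 | k2              # OR with the subkey, XOR
    return (x1 << 32) | x2

def fl_inv(y, ke):
    """FL^-1: the same two steps undone in reverse order."""
    y1, y2 = y >> 32, y & MASK32
    k1, k2 = ke >> 32, ke & MASK32
    y1 ^= y2 | k2
    y2 ^= rotl32(y1 & k1, 1)
    return (y1 << 32) | y2

def output_difference(dx, ke, base):
    """XOR difference after FL for the input pair (base, base ^ dx)."""
    return fl(base, ke) ^ fl(base ^ dx, ke)

def check_properties(ke, trials=1000, seed=1):
    """True if, for subkey ke, FL^-1 inverts FL and FL is affine over GF(2)."""
    rng = random.Random(seed)  # constructed test inputs
    zero = fl(0, ke)
    for _ in range(trials):
        a, b = rng.getrandbits(64), rng.getrandbits(64)
        if fl_inv(fl(a, ke), ke) != a:
            return False
        # Affine for fixed ke: FL(a ^ b) == FL(a) ^ FL(b) ^ FL(0)
        if fl(a ^ b, ke) != fl(a, ke) ^ fl(b, ke) ^ zero:
            return False
    return True

if __name__ == "__main__":
    dx = 1 << 32  # constructed difference: lowest bit of the left word
    for ke in (0x0, 0xFFFFFFFFFFFFFFFF, 0x0123456789ABCDEF):  # constructed
        print(hex(ke), check_properties(ke), hex(output_difference(dx, ke, 0)))
```

The same input difference leaves FL as a different output difference under different subkeys, which is the key-dependent behaviour the slides rely on against slide and impossible-differential attacks.
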
30 Design Rationale ~ Key Schedule
- Simple and share part of its procedure with encryption/decryption.
- Subkey generation for 128, 192, 256-bit keys can be performed by using the same key schedule (circuit).
- Key schedule for 128-bit keys can be performed by using a part of it.

31 Design Rationale ~ Key Schedule (Cont.)
- Key setup time should be shorter than encryption time.
- Support on-the-fly subkey generation.
- On-the-fly subkey generation should be computable in the same way in both encryption and decryption.
- No equivalent keys.
- No related-key attacks.

32 Details of Key Schedule
[Figure: key schedule. Labels: KL, KR, KA, KB, F, Σ1 to Σ6.]
- Constants Σi: from 2nd to 17th of hex. representation of square root of the i-th prime.

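
An added example, not part of the original slides: the rule above re-derived with exact integer arithmetic and compared against the six constants listed in the published Camellia specification (RFC 3713). It assumes the digit positions are counted after the hexadecimal point.

```python
from math import isqrt

PRIMES = (2, 3, 5, 7, 11, 13)

# Sigma1..Sigma6 as listed in the published Camellia specification (RFC 3713);
# the slides state only the rule, not the values.
PUBLISHED = (
    0xA09E667F3BCC908B, 0xB67AE8584CAA73B2, 0xC6EF372FE94F82BE,
    0x54FF53A5F1D36F1C, 0x10E527FADE682D1D, 0xB05688C2B3E6C1FD,
)

def sigma(i):
    """Derive constant i (1..6) from the square root of the i-th prime."""
    p = PRIMES[i - 1]
    # floor(sqrt(p) * 16**17), computed exactly: the integer part followed
    # by the first 17 hexadecimal digits of the fraction.
    scaled = isqrt(p << (2 * 4 * 17))
    fraction17 = scaled & ((1 << 68) - 1)  # keep the 17 fractional digits
    return fraction17 & ((1 << 64) - 1)    # drop the 1st: digits 2..17 remain

def mismatches():
    """Indices whose derived value differs from the published constant."""
    return [i for i in range(1, 7) if sigma(i) != PUBLISHED[i - 1]]

if __name__ == "__main__":
    for i in range(1, 7):
        print(f"Sigma{i} = 0x{sigma(i):016X}")
    print("mismatches:", mismatches())
```

Being able to reproduce every constant from a public rule is what lets a reviewer rule out hand-picked values in the key schedule.
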
33 Differential and Linear Cryptanalysis
- Evaluate the upper bound of differential/linear characteristic probability using the min numbers of active s-boxes.
  - Kanda, “Practical Security Evaluation against Differential and Linear Attacks for Feistel Ciphers with SPN Round Function”

34 Differential and Linear Cryptanalysis (Cont.)
- Definition 1: The branch number $B$ of linear transformation $P$ is defined by $B = \min\,(w_H(x) + w_H(P(x)))$
  - $w_H(x)$: bytewise Hamming weight of $x$
[Figure: input x passing through s-boxes S1 to S4 and P to give P(x).]

35 Feistel Network with SPN round function
[Figure: Feistel network with SPN round function. Labels: subkey, F, P, S1 to S4; Si: substitution-box.]

36 Differential and Linear Cryptanalysis (Cont.)
- Theorem 1: The minimum number of active s-boxes in any 8 consecutive rounds is equal or more than $2B+1$.
- Theorem 2: Let $p_s$ be the max differential probability of all s-boxes, and $D$ be the min numbers of total active s-boxes. Then, the max differential characteristic probability is bounded by $p_s^D$.

37 Differential and Linear Cryptanalysis (Cont.)
In Case of Camellia
- branch number of linear function P: $B = 5$
- max differential probability of s-boxes: $p_s = 2^{-6}$
- upper bound of max differential characteristic probability of 16 rounds: $p = p_s^D = (2^{-6})^{2(2B+1)} = (2^{-6})^{22} = 2^{-132}$ <

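
An added example, not part of the original slides: Definition 1 evaluated by exhaustive search over Camellia's P-function, followed by the 16-round bound from Theorems 1 and 2. The P-function rows are taken from the published Camellia specification (RFC 3713), since the slides do not reproduce the matrix; the search runs over nonzero inputs only.

```python
from functools import reduce
from itertools import product
from operator import xor

# P-function rows from the published Camellia specification (RFC 3713).
# Row i lists the input bytes z1..z8 XORed together to form output byte z'i.
P_ROWS = (
    (1, 3, 4, 6, 7, 8), (1, 2, 4, 5, 7, 8), (1, 2, 3, 5, 6, 8), (2, 3, 4, 5, 6, 7),
    (1, 2, 6, 7, 8), (2, 3, 5, 7, 8), (3, 4, 5, 6, 8), (1, 4, 5, 6, 7),
)

def p_function(z):
    """Apply P to 8 byte values using bytewise XOR only."""
    return [reduce(xor, (z[j - 1] for j in row)) for row in P_ROWS]

def w_h(v):
    """Bytewise Hamming weight: the number of nonzero bytes."""
    return sum(1 for b in v if b)

def branch_number():
    """Definition 1: min over nonzero x of w_H(x) + w_H(P(x)).

    P has only 0/1 coefficients, so the minimum over all byte vectors is
    already attained by a vector with bytes in {0, 1}: 255 candidates.
    """
    return min(w_h(x) + w_h(p_function(x))
               for x in product((0, 1), repeat=8) if any(x))

def characteristic_bound(rounds, b, log2_ps):
    """Theorems 1 and 2: (min active s-boxes D, log2 of the bound ps**D)."""
    d = (rounds // 8) * (2 * b + 1)  # at least 2B+1 active s-boxes per 8 rounds
    return d, d * log2_ps

if __name__ == "__main__":
    b = branch_number()
    print("B =", b)
    print("16 rounds (D, log2 bound):", characteristic_bound(16, b, -6))
    # Constructed witness: equal differences in bytes 1 and 6 leave P in 3 bytes
    print(p_function([0x37, 0, 0, 0, 0, 0x37, 0, 0]))
```
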
38 Differential and Linear Cryptanalysis (Result)
- 12-round Camellia with FL/FL⁻¹-function layers has no differential/linear characteristic with prob >
- cf. Camellia has 18 rounds for 128-bit keys and 24 rounds for 192- and 256-bit keys.

39 Truncated Differential Cryptanalysis
- a differential where only a part of the difference can be predicted
- With a byte-oriented cipher it is natural to consider it as a bytewise differential.
- We searched for truncated differentials by computer experiments. As a result, Camellia with > 10 rounds is indistinguishable from a random permutation.

40 Truncated Linear Cryptanalysis
- Due to the duality between differential and linear cryptanalysis, security can be evaluated by using a similar algorithm.
- Perform the search by replacing the matrix of P-function with the transposed matrix.
- More than 10-round Camellia without FL-function layers is indistinguishable from a random permutation.

41 Cryptanalysis with Impossible Differential
- We have not found impossible differential for Camellia with more than 6 rounds.
- FL-function layers make the attack difficult, because FL-function changes differential paths depending on key values.
- Impossible differential: the differential which never exists.
- Using impossible differentials, it is possible to narrow down the candidates of the (last-round) subkey.
- It is known that there is at least one 5-round impossible differential in any Feistel network with bijective round function.

42 Higher Order Differential Attack
- Generally applicable to ciphers that can be presented as Boolean polynomials of low degree.
- We confirmed that degree of Boolean polynomial of every output bit of the s-boxes is 7 by finding the Boolean polynomial expressions.
- It is expected the degree of Camellia becomes $7^3 > 128$ after passing through three s-boxes.

43 Interpolation Attack
- Typically applicable to ciphers that use simple algebraic functions.
- For example, if a cipher can be expressed as a polynomial over $GF(2^8)$ whose number of unknown coefficients (N) is less than 256, the polynomial can be constructed using N pairs of plaintext and ciphertext by Lagrange Interpolation.
- Camellia is secure against (bytewise) Interpolation Attack.
[Table: the smallest number of unknown coefficients. Rows: whitening×1 + round×r (r<4); whitening×1 + round×r, more rounds.]

44 No Equivalent Keys
- Since the set of subkeys generated by the key schedule contains the original secret key, there is no equivalent set of subkeys generated from a distinct secret key.
[Figure: the key schedule maps K to (K, KA) and K’ to (K’, KA’).]

45 Slide Attack
- Iterated ciphers with identical round functions (the same structures and same subkeys in the round function) are susceptible to slide attacks.
- In Camellia, FL-function layers are inserted between every 6 rounds of Feistel network to provide non-regularity across rounds.
- Moreover, the key schedule makes the attack hard.

46 Related-key Attack
- For some ciphers, how the related keys would encrypt plaintexts can be predetermined.
- In Camellia, the subkey relations are hard to control and predict: the subkeys depend on KA and KB, which are the result of encryption of a secret key (K). If an attacker wants to change K, it is difficult to get the desired KA and KB, and vice versa.