1. TLS (Transport Layer Security) への new cipher suites 提案について
盛合 志帆
NTT 情報流通プラットフォーム研究所

2. Outline TLS WGでの活動紹介 48回 IETF会議でのTLS WGの概要
TLS ver.1.0で規定されている暗号アルゴリズムと新規提案
私が行った提案内容の紹介
第48回IETF報告会
Copyright (C) NTT 2000

3. TLS (Transport Layer Security) WG
’96 Established
began with SSL ver.3.0
’99 RFC2246 (TLS Protocol ver.1.0) published as a Proposed Standard
RFC2712 (Addition of Kerberos Cipher Suites to TLS) also published as a Proposed Standard
第48回IETF報告会
Copyright (C) NTT 2000

4. Purpose of TLS WG To advance the TLS Protocol to Internet Standard
To publish documents defining new cipher suites for use with TLS as needed
第48回IETF報告会
Copyright (C) NTT 2000

5. TLS: Goals and Milestones
Nov 2000
First revised draft of TLS specification
Apr 2001
Submit specification to IESG for consideration as Draft Standard
第48回IETF報告会
Copyright (C) NTT 2000

6. Agenda of TLS WG at the 48th IETF Meeting in Pittsburgh
Update TLS charter
Getting to Draft Standard
Presentation and discussion on WTLS (Wireless Transport Layer Security)
Proposed cipher suites specifications
Presentation: TLS on mobile devices (by Vipul Gupta)
第48回IETF報告会
Copyright (C) NTT 2000

7. Cipher Suites in TLS ver.1.0
Key Exchange Algorithms
Diffie-Hellman, RSA, DSS
Bulk Cipher Algorithms
RC2, RC4, DES, 3DES, DES40, IDEA
MAC Algorithms
MD5, SHA-1
上記の組み合わせでcipher suiteを指定
TLS_RSA_WITH_3DES_EDE_CBC_SHA
RSAで
鍵交換
Triple DES
(CBCモード)で暗号化
SHA-1
で認証
第48回IETF報告会
Copyright (C) NTT 2000

8. Proposed New Cipher Suites
MISTY-1
Camellia, EPOC, PSEC
SEED/HAS-160
第48回IETF報告会
Copyright (C) NTT 2000

9. Shiho Moriai shiho@isl.ntt.co.jp NTT Laboratories
48th IETF Meeting in Pittsburgh 発表資料より
Proposal of addition of new cipher suites to TLS to support Camellia, EPOC, and PSEC
Shiho Moriai
NTT Laboratories

10. 128-bit Block Cipher Camellia
Kazumaro Aoki* Tetsuya Ichikawa†
Masayuki Kanda* Mitsuru Matsui†
Shiho Moriai* Junko Nakajima†
Toshio Tokita†
* NTT
† Mitsubishi Electric Corporation

11. What’s Camellia? 128-bit Block Cipher
Jointly developed by NTT and Mitsubishi
Designed by experienced cryptanalysists and programmers
Supports 128-, 192-, 256-bit keys
Same interface as Advanced Encryption Standard (AES)
Offer more security against exhaustive key search
第48回IETF報告会
Copyright (C) NTT 2000

12. Design Goals High level of security Efficiency on multiple platforms
State-of-the-art cipher analysis technology
Efficiency on multiple platforms
Software : 8-bit, 32-bit, 64-bit processors
Hardware : compact and high-performance
第48回IETF報告会
Copyright (C) NTT 2000

13. Software Performance (128-bit keys)
On a Pentium III
309 cycles/block (Assembly)
= 469Mbps (1.13GHz)
Much faster than DES
Comparable speed to the AES finalists
RC6
229
238
288
309
312
759
Encryption speed on P6 [cycles/block]
*The programs are written in assembly language by Aoki,
Lipmaa, and Osvik. Each figure is the fastest as far as we know.
Rijndael
Twofish
Camellia
Mars
Serpent
第48回IETF報告会
Copyright (C) NTT 2000

14. Hardware (128-bit keys) ASIC (0.35mm CMOS)
Small Size Hardware 11KGates
Smallest among existing 128-bit block ciphers
High Performance Hardware
Throughput
Area
[Kgates]
[Mbit/s]
MARS
2,936
226
RC6
1,643
204
Rijndael
613
1,950
Serpent
504
932
Twofish
432
394
Camellia
273
1,171
*DES is a 64-bit
block cipher.
DES* 54
1,161
The above data (except Camellia) are presented by Ichikawa et al. at the 3rd AES conference.
第48回IETF報告会
Copyright (C) NTT 2000

15. Security Consideration
Camellia provides strong security against differential and linear cryptanalysis.
Moreover, Camellia was designed to offer security against other advanced cryptanalytic attacks:
truncated differential attacks,
higher order differential attacks,
interpolation attacks,
related-key attacks, ...
第48回IETF報告会
Copyright (C) NTT 2000

16. For more information… Camellia Home Page
Specification & Sample code
Technical papers on design rationale, performance, software implementation techniques, and security evaluation
Internet-Draft on description of Camellia is available now.
<draft-nakajima-camellia-00.txt>
第48回IETF報告会
Copyright (C) NTT 2000

17. Public Key Algorithms EPOC and PSEC
Tatsuaki Okamoto
Shigenori Uchiyama
Eiichiro Fujisaki
NTT

18. Provable Security of Public Key Algorithms
Flaw in RSA with PKCS #1 Ver.1
Importance of security against adaptively chosen ciphertext attacks
EPOC & PSEC
Developed by Okamoto et al. (NTT)
Provably secure under the random oracle model in the strongest sense (i.e., non-malleable against adaptively chosen ciphertext attacks)
第48回IETF報告会
Copyright (C) NTT 2000

19. EPOC (Efficient Probabilistic Public-Key Encryption Scheme)
Novelty
Essentially different from any other previous schemes including RSA-Rabin and Diffie-Hellman
Security
Provably as secure as factoring in the strongest sense
Efficiency
Compared with RSA(PKCS#1 Ver.2) with small e (216+1), encryption speed is slower, but decryption speed is faster.
第48回IETF報告会
Copyright (C) NTT 2000

20. PSEC (Provably Secure Elliptic Curve Encryption Scheme)
Security
Provably as secure as elliptic-curve Diffie-Hellman problem in the strongest sense
Efficiency
Almost as efficient as most common ECC, elliptic-curve ElGamal (Diffie-Hellman) scheme
第48回IETF報告会
Copyright (C) NTT 2000

21. Toward International Standards
EPOC
IEEE P1363a (royalty free if selected)
Camellia
ISO/IEC JTC 1/SC27
NESSIE (New European Schemes for Signature, Integrity, and Encryption)
第48回IETF報告会
Copyright (C) NTT 2000

22. Sample Code Camellia EPOC & PSEC http://info.isl.ntt.co.jp/camellia/
第48回IETF報告会
Copyright (C) NTT 2000

23. Conclusion
Camellia is a 128-bit block cipher with high security and performance
suitable for bulk encryption
PSEC and EPOC are public-key algorithms with provable security and efficiency
suitable for key exchange and authentication
第48回IETF報告会
Copyright (C) NTT 2000

24. Conclusion (Cont.) Add them to Transport Layer Security!!
enum { null, rc4, rc2, des, 3des, des0, idea, …,
camellia } BulkCipherAlgorithm
enum { rsa, diffie-hellman, epoc, psec }
KeyExchangeAlgorithm
enum { anonymous, rsa, dsa, epoc, psec }
SignatureAlgorithm
第48回IETF報告会
Copyright (C) NTT 2000