NESSIE

advertisement
128-bit Block Cipher
Camellia
Kazumaro Aoki* Tetsuya Ichikawa†
Masayuki Kanda* Mitsuru Matsui†
Shiho Moriai*
Junko Nakajima†
Toshio Tokita†
* NTT
† Mitsubishi Electric Corporation
2000.11.13-14 1st NESSIE workshop
1
Copyright (C) NTT & Mitsubishi Electric Corp. 2000
Outline
What’s Camellia?
Advantages over Rijndael
Performance Figures
Structure of Camellia
Security Consideration
Conclusion
2
What’s Camellia?
Jointly developed by NTT and
Mitsubishi Electric Corporation
 Designed by experts of research and
development in cryptography
 Inherited good characteristics from E2
and MISTY
Same interface as AES
 block size: 128 bits
 key sizes: 128, 192, 256 bits
3
FAQ: Why “Camellia”?
Camellia is well known as “Camellia
Japonica” botanically, and Japan is
its origin.
Easy to pronounce :-)
 unlike ….
Flower language: Good fortune,
Perfect loveliness.
4
Users’ Demands on Block Ciphers
Reliability
Good Performer
Interoperability
AES coming soon!
Royalty-Free
(No IPR Problem)
No More
Ciphers!
5
Advantage over Rijndael
Efficiency in H/W Implementations
 Smaller Hardware 9.66Kgates (0.35mm rule)
 Better Throughput/Area
21.9Mbit/(s*Kgates)
 Much more efficient in implementing both
encryption and decryption
Excellent Key Agility
 Shorter key setup time
 On-the-fly subkey computation for both
encryption and decryption
6
Advantage over Rijndael (Cont.)
Symmetric Encryption and Decryption
(Feistel cipher)
 Very little additional area to implement
both encryption and decryption in H/W
 Little additional ROM is favorable in
restricted-space environments
Better performance in JAVA
Comparable speed on 8-bit CPUs
 e.g. Z80
7
Software Performance (128-bit keys)
Pentium III (1.13GHz)
 308 cycles/block (Assembly)
= 471Mbit/s
Comparable speed to the AES finalists
RC6
Rijndael
Twofish
Camellia
Mars
Serpent
229
238
258
308
312
Encryption speed on
P6 [cycles/block]
759
*Programmed by Aoki, Lipmaa, Twofish team, and Osvik.
Each figure is the fastest as far as we know.
8
JAVA Performance (128-bit keys)
Pentium II (300MHz)
 36.112Mbit/s (Java 1.2)
Above average among AES finalists
Camellia
RC6
Mars
Rijndael
Twofish
Serpent
Speed*
[Mbit/s]
24.07
26.21
19.72
19.32
19.27
11.46
9
* AES finalists’ data by
Sterbenz[AES3]
(Pentium Pro 200MHz)
Camellia’s datum is
converted into 200 MHz
Hardware (128-bit keys)
ASIC (0.35mm CMOS)
 Type II: Top priority: Size
• Less than 10KGates (212Mbit/s)
• Among smallest 128-bit block ciphers
 Type I: Top priority: Speed
Area
[Kgates]
Camellia
273
Rijndael
613
Serpent
504
Twofish
432
RC6
1,643
MARS 2,936
Throughput
[Mbit/s]
1,171
1,950
932
394
204
226
Thru/Area
4.29
3.18
1.85
0.91
0.12
0.08
The above data (except Camellia) by Ichikawa et al. are refered in NIST’s AES report.
10
Structure of Camellia
Encryption/Decryption Procedure
 Feistel structure
18 rounds (for 128-bit keys)
24 rounds (for 192/256-bit keys)
• Round function: SPN
• FL/FL-1-functions inserted every 6 rounds
• Input/Output whitening: XOR with subkeys
Key Schedule
 simple
 shares the same part of its procedure with
encryption
11
Camellia for 128-bit keys
key
subkey
plaintext
F
F
S1
S4
S3
FL
FL
F
-1
F
S2
S4
S3
FL
FL-1
F
Bytewise
Linear
Transformation
S2
S1
F
Si:substitution-box
ciphertext
12
Camellia for 192/256-bitsubkey
keys
key
plaintext
F
F
S1
S4
S3
FL
FL
F
-1
F
S2
S4
S3
FL
FL-1
F
Bytewise
Linear
Transformation
S2
S1
F
FL
Si:substitution-box
FL-1
ciphertext
13
Security of Camellia
Encryption/Decryption Process
 Differential and Linear Cryptanalysis
 Truncated Differential Cryptanalysis
 Truncated Linear Cryptanalysis
 Cryptanalysis with Impossible Differential
 Higher Order Differential Attack
 Interpolation Attack
14
Security of Camellia (Cont.)
Key Schedule
 No Equivalent Keys
 Slide Attack
 Related-key Attack
Attacks on Implementations
 Timing Attacks
 Power Analysis
15
Conclusion
High level of Security
 No known cryptanalytic attacks
 A sufficiently large security margin
Efficiency on a wide range of
platforms
 Small and efficient H/W
 High S/W performance
 Performs well on low-cost platforms
 JAVA
16
Standardization Activities
IETF
 Submitted Internet-Drafts
•A Description of the Camellia Encryption
Algorithm
– <draft-nakajima-camellia-00.txt>
•Addition of the Camellia Encryption
Algorithm to Transport Layer Security
(TLS)
– <draft-ietf-tls-camellia-00.txt>
18
Standardization Activities (Cont.)
ISO/IEC JTC 1/SC 27
 Encryption Algorithms (N2563)
CRYPTREC
 Project to investigate and evaluate the
cryptographic techniques proposed for the
infrastructure of an electronic government
of Japan
 WAP TLS
 Adopted in some Governmental Systems
19
Download