Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Design and Analysis

We present a new 128-bit block cipher called Camellia. Camellia supports a 128-bit block size and 128-, 192-, and 256-bit keys, i.e., the same interface specifications as the Advanced Encryption Standard (AES). In addition to its high level of security, Camellia is notable for its efficiency on both software and hardware platforms. It is confirmed that Camellia provides strong security against differential and linear cryptanalysis. Compared to the AES finalists, i.e., MARS, RC6, Rijndael, Serpent, and Twofish, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can encrypt on a Pentium III (800 MHz) at a rate of more than 276 Mbits per second, which is much faster than the speed of an optimized DES implementation. A further distinguishing feature is its small hardware design. The hardware design, which includes encryption, decryption, and the key schedule, occupies approximately 11K gates, which is the smallest among all existing 128-bit block ciphers as far as we know.
