DOCSLIB.ORG

Specification of Camellia | a 128-Bit Block Cipher

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Specification of Camellia | a 128-Bit Block Cipher Sp eci cation of C amel l ia | a 128-bit Blo ck Cipher y z y Kazumaro AOKI , Tetsuya ICHIKAWA , Masayuki KANDA , z y z z Mitsuru MATSUI , Shiho MORIAI , Junko NAKAJIMA , Toshio TOKITA y z Nipp on Telegraph and Telephone Corp oration, Mitsubishi Electric Corp oration Version 1.0: July 12, 2000 Version 2.0: September 26, 2001 Contents 1 Intro duction 3 2 Notations and Conventions 3 2.1 Radix . 3 2.2 Notations . 3 2.3 List of Symbols . 3 2.4 Bit/Byte Ordering . 3 3 Structure of C amel l ia 5 3.1 List of Functions and Variables . 5 3.2 Encryption Pro cedure . 5 3.2.1 128-bit key . 5 3.2.2 192-bit and 256-bit key . 6 3.3 Decryption Pro cedure . 6 3.3.1 128-bit key . 6 3.3.2 192-bit and 256-bit key . 7 3.4 Key Schedule . 8 4 Comp onents of C amel l ia 10 4.1 F -function . 10 4.2 FL-function . 10 1 4.3 FL -function . 10 4.4 S -function . 10 4.5 s-b oxes . 11 4.6 P -function . 15 A Figures of the Camellia Algorithm 16 B Test Data 22 1 Copyright NTT and Mitsubishi Electric Corp oration 2000-2001 2 C Software Implementation Techniques 22 C.1 Setup . 22 C.1.1 Store All Subkeys . 22 C.1.2 Subkey Generation Order . 23 C.1.3 XOR Cancellation Prop erty in Key Schedule . 23 C.1.4 Rotation Bits for K , K , K ,andK . 23 L R A B C.1.5 kl and kl Generation from k and k . 23 5 6 11 12 C.1.6 On-the- y Subkey Generation . 23 C.1.7 128-bit key and 192/256-bit key . 23 C.1.8 How to Rotate an ElementinQ . 23 C.1.9 F -function . 24 C.1.10 Keyed Functions . 24 C.2 Data Randomization . 24 C.2.1 Endian Conversion . 24 C.2.2 1-bit Rotation in Little Endian Interpretation . 25 C.2.3 Whitening . 25 C.2.4 Key XOR . 25 C.2.5 S -function . 26 C.2.6 P -function . 26 C.2.7 Substitution and Permutation . 27 C.2.8 Making Indices for s-b ox . 29 C.3 General Guidelines . 30 D Design Policy 30 E Design Rationale 31 E.1 F -function . 31 E.2 P -function . 31 E.3 s-b oxes . 32 F Version Information 32 G Ob ject Identi er 33 H Applications and Pro ducts 33 Copyright NTT and Mitsubishi Electric Corp oration 2000-2001 3 1 Intro duction This do cument shows a complete description of the encryption algorithm Camel lia, which is a secret key cipher with 128-bit data blo ck and 128/192/256-bit secret key. 2 Notations and Conventions 2.1 Radix We use the pre x 0x to indicate hexadecimal numb ers. 2.2 Notations Throughout this do cument, the following notations are used. 8 B denotes a vector space of 8-bit (byte) elements; that is, B := GF (2) . 4 W denotes a vector space of 32-bit (word) elements; that is, W := B . 8 L denotes a vector space of 64-bit (double word) elements; that is, L := B . 16 Q denotes a vector space of 128-bit (quad word) elements; that is, Q := B . An element with the sux (e.g. x )shows that the elementisn-bit long. (n) (n) An element with the sux (e.g. x ) denotes left-half part of x. L L An element with the sux (e.g. x ) denotes right-half part of x. R R The sux will b e omitted if no ambiguity is exp ected. See section 2.4 for numerical examples (n) of \left" and \right". 2.3 List of Symbols The bitwise exclusive-OR op eration. jj The concatenation of the two op erands. <<< The left circular rotation of the op erand by n bits. n \ The bitwise AND op eration. [ The bitwise OR op eration. x The bitwise complementof x. 2.4 Bit/Byte Ordering We adopt big endian ordering. The following example shows how to comp ose a 128-bit value Q (128) of two 64-bit values L (i = 1; 2), four 32-bit values W (i = 1; 2; 3; 4), sixteen 8-bit values i(64) i(32) B (i =1; 2;::: ;16), or 128 1-bit values E (i =1; 2;::: ;128), resp ectively. i(8) i(1) Copyright NTT and Mitsubishi Electric Corp oration 2000-2001 4 Q = L jjL (128) 1(64) 2(64) = W jjW jjW jjW 1(32) 2(32) 3(32) 4(32) = B jjB jjB jjB jj ::::::jjB jjB jjB jjB 1(8) 2(8) 3(8) 4(8) 13(8) 14(8) 15(8) 16(8) = E jjE jjE jjE jj ::::::::::::::::::jjE jjE jjE jjE 1(1) 2(1) 3(1) 4(1) 125(1) 126(1) 127(1) 128(1) Numerical examples: Q = 0x0123456789ABCDEF0011223344556677 (128) (128) L = Q = 0x0123456789ABCDEF 1(64) L(64) (64) L = Q = 0x0011223344556677 2(64) R(64) (64) W = L = 0x01234567 1(32) 1L(32) (32) W = L = 0x89ABCDEF 2(32) 1R(32) (32) W = L = 0x00112233 3(32) 2L(32) (32) W = L = 0x44556677 4(32) 2R(32) (32) B = 0x01 ; B = 0x23 ; B = 0x45 ; B = 0x67 ; 1(8) (8) 2(8) (8) 3(8) (8) 4(8) (8) B = 0x89 ; B = 0xAB ; B = 0xCD ; B = 0xEF ; 5(8) (8) 6(8) (8) 7(8) (8) 8(8) (8) B = 0x00 ; B = 0x11 ; B = 0x22 ; B = 0x33 ; 9(8) (8) 10(8) (8) 11(8) (8) 12(8) (8) B = 0x44 ; B = 0x55 ; B = 0x66 ; B = 0x77 ; 13(8) (8) 14(8) (8) 15(8) (8) 16(8) (8) E = 0 ; E = 0 ; E = 0 ; E = 0 ; 1(1) (1) 2(1) (1) 3(1) (1) 4(1) (1) E = 0 ; E = 0 ; E = 0 ; E = 1 ; 5(1) (1) 6(1) (1) 7(1) (1) 8(1) (1) . E = 0 ; E = 1 ; E = 1 ; E = 1 ; 121(1) (1) 122(1) (1) 123(1) (1) 124(1) (1) E = 0 ; E = 1 ; E = 1 ; E = 1 : 125(1) (1) 126(1) (1) 127(1) (1) 128(1) (1) Q <<< = E jjE jjE jjE jj ::::::::::::::::::jjE jjE jjE jjE jjE 1 (128) 2(1) 3(1) 4(1) 5(1) 125(1) 126(1) 127(1) 128(1) 1(1) = 0x02468ACF13579BDE0022446688AACCEE (128) Copyright NTT and Mitsubishi Electric Corp oration 2000-2001 5 3 Structure of Camellia 3.1 List of Functions and Variables M The plaintext blo ck. (128) C The ciphertext blo ck. (128) K The secret key, whose length is 128, 192, or 256 bits. kw ;k ;kl The subkeys. t(64) u(64) v (64) (t =1; 2; 3; 4) (u =1; 2;::: ;18) (v =1; 2; 3; 4) for 128-bit secret key. (t =1; 2; 3; 4) (u =1; 2;::: ;24) (v =1; 2;::: ;6) for 192-bit and 256-bit secret key. Y = F (X , k ) The F -function that transforms a 64-bit input X to a (64) (64) (64) (64) 64-bit output Y using a 64-bit subkey k . (64) (64) Y = FL(X ;k ) The FL-function that transforms a 64-bit input X to a (64) (64) (64) (64) 64-bit output Y using a 64-bit subkey k . (64) (64) 1 1 Y = FL (X ;k ) The FL -function that transforms a 64-bit input X to (64) (64) (64) (64) a 64-bit output Y using a 64-bit subkey k . (64) (64) Y = S (X ) The S -function that transforms a 64-bit input X to a (64) (64) (64) 64-bit output Y . (64) Y = P (X ) The P -function that transforms a 64-bit input X to a (64) (64) (64) 64-bit output Y . (64) y = s (x ) The s-b oxes that transform an 8-bit input to an 8-bit output i (8) (8) (i =1; 2; 3; 4). 3.2 Encryption Pro cedure 3.2.1 128-bit key Figure 1 shows the encryption pro cedure for a 128-bit key. The data randomizing part has an 1 18-round Feistel structure with two F L=F L -function layers after the 6-th and 12-th rounds, and 128-bit XOR op erations b efore the rst round and after the last round. The key schedule part generates subkeys kw (t =1; 2; 3; 4), k (u =1; 2;::: ;18) and kl (v =1; 2; 3; 4) from the t(64) u(64) v (64) secret key K ; see section 3.4 for details of the key schedule part. In the data randomizing part, rst the plaintext M is XORed with kw jjkw and (128) 1(64) 2(64) separated into L and R of equal length, i.e., M (kw jjkw ) = L jjR . 0(64) 0(64) (128) 1(64) 2(64) 0(64) 0(64) Then, the following op erations are p erfomed from r = 1 to 18, except for r = 6 and 12; L = R F (L ;k ); r r 1 r 1 r R = L : r r 1 Copyright NTT and Mitsubishi Electric Corp oration 2000-2001 6 For r = 6 and 12, the following is carried out; 0 L = R F (L ;k ); r 1 r 1 r r 0 R = L ; r 1 r 0 L = FL(L ;kl ); r 2r=61 r 1 0 R = FL (R ;kl ): r 2r=6 r Lastly, R and L are concatenated and XORed with kw jjkw .
Load more

Recommended publications
  • Camellia: a 128-Bit Block Cipher Suitable for Multiple Platforms
    gopyright x nd witsuishi iletri gorp ortion PHHHEPHHI g mel l iX e IPVEfit flo k gipher uitle for wultiple ltforms y z y uzumro eoki etsuyshikw wsyuki und z y z z witsuru wtsui hiho worii tunkoxkjim oshio okit y xipp on elegrph nd elephone gorp ortion IEI rikrino okD okosukD ungwD PQWEHVRU tpn fmroDkndDshihogdislFnttFoFjp z witsuishi iletri gorp ortion SEIEI yfunD umkurD ungwD PRUEVSHI tpn fihikwDmtsuiDjuneISDtokitgdissFislFmeloFoFjp er IFHX tuly IQD PHHH er PFHX eptemer PTD PHHI estrtF e present new IPVEit lo k ipher lled gmel liF gmelli supp orts IPVEit lo ksizend IPVED IWPED nd PSTEit keysD iFeF the sme interfe sp eitions s the edvned inryption tndrd @eiAF iieny on oth softE wre nd hrdwre pltforms is remrkle hrteristi of gmelli in ddition to its high level of seurityF st is onrmed tht gmelli provides strong seurity ginst dierentil nd liner ryptnlysisF gompred to the ei nlistsD iFeF weD gTD ijndelD erp entD nd woshD gmelli oers t lest omprle enryption sp eed in softwre nd hrdwreF en optimized implementtion of gmelE li in ssemly lnguge n enrypt on entiums s s @IFIQqrzA t the rte of RUI wits p er seondF sn dditionD distinguishing feture is its smll hrdwre designF e hrdwre implementtionD whih inludes enryptionD deryptionD nd the key shedule for IPVEit keysD o upies only VFIPu gtes using HFIV"m gwy esg lirryF his is in the smllest lss mong ll existing IPVEit lo k iphersF gopyright x nd witsuishi iletri gorp ortion PHHHEPHHI gontents I sntro dution I P hesign tionle Q PFI p Efuntion X X X X X X X X X X X X X X X X X X X X X X X X X
    [Show full text]
  • Integral Cryptanalysis on Full MISTY1⋆
    Integral Cryptanalysis on Full MISTY1? Yosuke Todo NTT Secure Platform Laboratories, Tokyo, Japan [email protected] Abstract. MISTY1 is a block cipher designed by Matsui in 1997. It was well evaluated and standardized by projects, such as CRYPTREC, ISO/IEC, and NESSIE. In this paper, we propose a key recovery attack on the full MISTY1, i.e., we show that 8-round MISTY1 with 5 FL layers does not have 128-bit security. Many attacks against MISTY1 have been proposed, but there is no attack against the full MISTY1. Therefore, our attack is the first cryptanalysis against the full MISTY1. We construct a new integral characteristic by using the propagation characteristic of the division property, which was proposed in 2015. We first improve the division property by optimizing a public S-box and then construct a 6-round integral characteristic on MISTY1. Finally, we recover the secret key of the full MISTY1 with 263:58 chosen plaintexts and 2121 time complexity. Moreover, if we can use 263:994 chosen plaintexts, the time complexity for our attack is reduced to 2107:9. Note that our cryptanalysis is a theoretical attack. Therefore, the practical use of MISTY1 will not be affected by our attack. Keywords: MISTY1, Integral attack, Division property 1 Introduction MISTY [Mat97] is a block cipher designed by Matsui in 1997 and is based on the theory of provable security [Nyb94,NK95] against differential attack [BS90] and linear attack [Mat93]. MISTY has a recursive structure, and the component function has a unique structure, the so-called MISTY structure [Mat96].
    [Show full text]
  • Zero Correlation Linear Cryptanalysis on LEA Family Ciphers
    Journal of Communications Vol. 11, No. 7, July 2016 Zero Correlation Linear Cryptanalysis on LEA Family Ciphers Kai Zhang, Jie Guan, and Bin Hu Information Science and Technology Institute, Zhengzhou 450000, China Email: [email protected]; [email protected]; [email protected] Abstract—In recent two years, zero correlation linear Zero correlation linear cryptanalysis was firstly cryptanalysis has shown its great potential in cryptanalysis and proposed by Andrey Bogdanov and Vicent Rijmen in it has proven to be effective against massive ciphers. LEA is a 2011 [2], [3]. Generally speaking, this cryptanalytic block cipher proposed by Deukjo Hong, who is the designer of method can be concluded as “use linear approximation of an ISO standard block cipher - HIGHT. This paper evaluates the probability 1/2 to eliminate the wrong key candidates”. security level on LEA family ciphers against zero correlation linear cryptanalysis. Firstly, we identify some 9-round zero However, in this basic model of zero correlation linear correlation linear hulls for LEA. Accordingly, we propose a cryptanalysis, the data complexity is about half of the full distinguishing attack on all variants of 9-round LEA family code book. The high data complexity greatly limits the ciphers. Then we propose the first zero correlation linear application of this new method. In FSE 2012, multiple cryptanalysis on 13-round LEA-192 and 14-round LEA-256. zero correlation linear cryptanalysis [4] was proposed For 13-round LEA-192, we propose a key recovery attack with which use multiple zero correlation linear approximations time complexity of 2131.30 13-round LEA encryptions, data to reduce the data complexity.
    [Show full text]
  • SAEB: a Lightweight Blockcipher-Based AEAD Mode of Operation
    SAEB: A Lightweight Blockcipher-Based AEAD Mode of Operation Yusuke Naito1, Mitsuru Matsui1, Takeshi Sugawara2 and Daisuke Suzuki1 1 Mitsubishi Electric Corporation, Japan {Naito.Yusuke@ce,Matsui.Mitsuru@ab,Suzuki.Daisuke@bx}.MitsubishiElectric.co.jp 2 The University of Electro-Communications, Japan [email protected] Abstract. Lightweight cryptography in computationally constrained devices is ac- tively studied. In contrast to advances of lightweight blockcipher in the last decade, lightweight mode of operation is seemingly not so mature, yet it has large impact in performance. Therefore, there is a great demand for lightweight mode of oper- ation, especially that for authenticated encryption with associated data (AEAD). Among many known properties of conventional modes of operation, the following four properties are essential for constrained devices: 1. Minimum State Size: the state size equals to a block size of a blockcipher. 2. Inverse Free: no need for a blockcipher decryption. 3. XOR Only: only XOR is needed in addition to a blockcipher encryption. 4. Online: a data block is processed only once. The properties 1 and 4 contribute to small memory usage, and the properties 2 and 3 contribute to small program/circuit footprint. On top of the above properties, the fifth property regarding associated data (AD) is also important for performance: 5. Efficient Handling of Static AD: static AD can be precomputed. We design a lightweight blockcipher-based AEAD mode of operation called SAEB: the first mode of operation that satisfies all the five properties to the best of our knowledge. Performance of SAEB is evaluated in various software and hardware platforms.
    [Show full text]
  • On the Decorrelated Fast Cipher (DFC) and Its Theory
    On the Decorrelated Fast Cipher (DFC) and Its Theory Lars R. Knudsen and Vincent Rijmen ? Department of Informatics, University of Bergen, N-5020 Bergen Abstract. In the first part of this paper the decorrelation theory of Vaudenay is analysed. It is shown that the theory behind the propo- sed constructions does not guarantee security against state-of-the-art differential attacks. In the second part of this paper the proposed De- correlated Fast Cipher (DFC), a candidate for the Advanced Encryption Standard, is analysed. It is argued that the cipher does not obtain prova- ble security against a differential attack. Also, an attack on DFC reduced to 6 rounds is given. 1 Introduction In [6,7] a new theory for the construction of secret-key block ciphers is given. The notion of decorrelation to the order d is defined. Let C be a block cipher with block size m and C∗ be a randomly chosen permutation in the same message space. If C has a d-wise decorrelation equal to that of C∗, then an attacker who knows at most d − 1 pairs of plaintexts and ciphertexts cannot distinguish between C and C∗. So, the cipher C is “secure if we use it only d−1 times” [7]. It is further noted that a d-wise decorrelated cipher for d = 2 is secure against both a basic linear and a basic differential attack. For the latter, this basic attack is as follows. A priori, two values a and b are fixed. Pick two plaintexts of difference a and get the corresponding ciphertexts.
    [Show full text]
  • Internet Engineering Task Force (IETF) S. Kanno Request for Comments: 6367 NTT Software Corporation Category: Informational M
    Internet Engineering Task Force (IETF) S. Kanno Request for Comments: 6367 NTT Software Corporation Category: Informational M. Kanda ISSN: 2070-1721 NTT September 2011 Addition of the Camellia Cipher Suites to Transport Layer Security (TLS) Abstract This document specifies forty-two cipher suites for the Transport Security Layer (TLS) protocol to support the Camellia encryption algorithm as a block cipher. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6367. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
    [Show full text]
  • Hemiunu Used Numerically Tagged Surface Ratios to Mark Ceilings Inside the Great Pyramid Hinting at Designed Spaces Still Hidden Within
    Archaeological Discovery, 2018, 6, 319-337 http://www.scirp.org/journal/ad ISSN Online: 2331-1967 ISSN Print: 2331-1959 Hemiunu Used Numerically Tagged Surface Ratios to Mark Ceilings inside the Great Pyramid Hinting at Designed Spaces Still Hidden Within Manu Seyfzadeh Institute for the Study of the Origins of Civilization (ISOC)1, Boston University’s College of General Studies, Boston, USA How to cite this paper: Seyfzadeh, M. Abstract (2018). Hemiunu Used Numerically Tagged Surface Ratios to Mark Ceilings inside the In 1883, W. M. Flinders Petrie noticed that the vertical thickness and height Great Pyramid Hinting at Designed Spaces of certain stone courses of the Great Pyramid2 of Khufu/Cheops at Giza, Still Hidden Within. Archaeological Dis- Egypt markedly increase compared to those immediately lower periodically covery, 6, 319-337. https://doi.org/10.4236/ad.2018.64016 and conspicuously interrupting a general trend of progressive course thinning towards the summit. Having calculated the surface area of each course, Petrie Received: September 10, 2018 further noted that the courses immediately below such discrete stone thick- Accepted: October 5, 2018 Published: October 8, 2018 ness peaks tended to mark integer multiples of 1/25th of the surface area at ground level. Here I show that the probable architect of the Great Pyramid, Copyright © 2018 by author and Khufu’s vizier Hemiunu, conceptualized its vertical construction design using Scientific Research Publishing Inc. surface areas based on the same numerical principles used to design his own This work is licensed under the Creative Commons Attribution International mastaba in Giza’s western cemetery and conspicuously used this numerical License (CC BY 4.0).
    [Show full text]
  • Report on the AES Candidates
    Rep ort on the AES Candidates 1 2 1 3 Olivier Baudron , Henri Gilb ert , Louis Granb oulan , Helena Handschuh , 4 1 5 1 Antoine Joux , Phong Nguyen ,Fabrice Noilhan ,David Pointcheval , 1 1 1 1 Thomas Pornin , Guillaume Poupard , Jacques Stern , and Serge Vaudenay 1 Ecole Normale Sup erieure { CNRS 2 France Telecom 3 Gemplus { ENST 4 SCSSI 5 Universit e d'Orsay { LRI Contact e-mail: [email protected] Abstract This do cument rep orts the activities of the AES working group organized at the Ecole Normale Sup erieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria b etween the can- didates, and make case-by-case comments. We nally recommend the selection of Mars, RC6, Serp ent, ... and DFC. As the rep ort is b eing nalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the App endix which are not considered in the main b o dy of the rep ort. Designing the encryption standard of the rst twentyyears of the twenty rst century is a challenging task: we need to predict p ossible future technologies, and wehavetotake unknown future attacks in account. Following the AES pro cess initiated by NIST, we organized an op en working group at the Ecole Normale Sup erieure. This group met two hours a week to review the AES candidates. The present do cument rep orts its results. Another task of this group was to up date the DFC candidate submitted by CNRS [16, 17] and to answer questions which had b een omitted in previous 1 rep orts on DFC.
    [Show full text]
  • Cryptanalysis of a Reduced Version of the Block Cipher E2
    Cryptanalysis of a Reduced Version of the Block Cipher E2 Mitsuru Matsui and Toshio Tokita Information Technology R&D Center Mitsubishi Electric Corporation 5-1-1, Ofuna, Kamakura, Kanagawa, 247, Japan [email protected], [email protected] Abstract. This paper deals with truncated differential cryptanalysis of the 128-bit block cipher E2, which is an AES candidate designed and submitted by NTT. Our analysis is based on byte characteristics, where a difference of two bytes is simply encoded into one bit information “0” (the same) or “1” (not the same). Since E2 is a strongly byte-oriented algorithm, this bytewise treatment of characteristics greatly simplifies a description of its probabilistic behavior and noticeably enables us an analysis independent of the structure of its (unique) lookup table. As a result, we show a non-trivial seven round byte characteristic, which leads to a possible attack of E2 reduced to eight rounds without IT and FT by a chosen plaintext scenario. We also show that by a minor modification of the byte order of output of the round function — which does not reduce the complexity of the algorithm nor violates its design criteria at all —, a non-trivial nine round byte characteristic can be established, which results in a possible attack of the modified E2 reduced to ten rounds without IT and FT, and reduced to nine rounds with IT and FT. Our analysis does not have a serious impact on the full E2, since it has twelve rounds with IT and FT; however, our results show that the security level of the modified version against differential cryptanalysis is lower than the designers’ estimation.
    [Show full text]
  • Provable Security Evaluation of Structures Against Impossible Differential and Zero Correlation Linear Cryptanalysis ⋆
    Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis ⋆ Bing Sun1,2,4, Meicheng Liu2,3, Jian Guo2, Vincent Rijmen5, Ruilin Li6 1 College of Science, National University of Defense Technology, Changsha, Hunan, P.R.China, 410073 2 Nanyang Technological University, Singapore 3 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, P.R. China, 100093 4 State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, P.R. China, 100878 5 Dept. Electrical Engineering (ESAT), KU Leuven and iMinds, Belgium 6 College of Electronic Science and Engineering, National University of Defense Technology, Changsha, Hunan, P.R.China, 410073 happy [email protected] [email protected] [email protected] [email protected] [email protected] Abstract. Impossible differential and zero correlation linear cryptanal- ysis are two of the most important cryptanalytic vectors. To character- ize the impossible differentials and zero correlation linear hulls which are independent of the choices of the non-linear components, Sun et al. proposed the structure deduced by a block cipher at CRYPTO 2015. Based on that, we concentrate in this paper on the security of the SPN structure and Feistel structure with SP-type round functions. Firstly, we prove that for an SPN structure, if α1 → β1 and α2 → β2 are possi- ble differentials, α1|α2 → β1|β2 is also a possible differential, i.e., the OR “|” operation preserves differentials. Secondly, we show that for an SPN structure, there exists an r-round impossible differential if and on- ly if there exists an r-round impossible differential α → β where the Hamming weights of both α and β are 1.
    [Show full text]
  • Recommendation for Block Cipher Modes of Operation Methods
    NIST Special Publication 800-38A Recommendation for Block 2001 Edition Cipher Modes of Operation Methods and Techniques Morris Dworkin C O M P U T E R S E C U R I T Y ii C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 December 2001 U.S. Department of Commerce Donald L. Evans, Secretary Technology Administration Phillip J. Bond, Under Secretary of Commerce for Technology National Institute of Standards and Technology Arden L. Bement, Jr., Director iii Reports on Information Security Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
    [Show full text]
  • Camellia: a 128-Bit Block Cipher Suitable for Multiple Platforms – Design Andanalysis
    Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms – Design andAnalysis Kazumaro Aoki1, Tetsuya Ichikawa2, Masayuki Kanda1, Mitsuru Matsui2, Shiho Moriai1, Junko Nakajima2, and Toshio Tokita2 1 Nippon Telegraph and Telephone Corporation, 1-1 Hikarinooka, Yokosuka, Kanagawa, 239-0847Japan {maro,kanda,shiho}@isl.ntt.co.jp 2 Mitsubishi Electric Corporation, 5-1-1 Ofuna, Kamakura, Kanagawa, 247-8501 Japan {ichikawa,matsui,june15,tokita}@iss.isl.melco.co.jp Abstract. We present a new 128-bit block cipher called Camellia. Camellia supports 128-bit block size and 128-, 192-, and 256-bit keys, i.e., the same interface specifications as the Advanced Encryption Stan- dard (AES). Efficiency on both software and hardware platforms is a remarkable characteristic of Camellia in addition to its high level of se- curity. It is confirmed that Camellia provides strong security against differential and linear cryptanalyses. Compared to the AES finalists, i.e., MARS, RC6, Rijndael, Serpent, and Twofish, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can encrypt on a Pen- tium III (800MHz) at the rate of more than 276 Mbits per second, which is much faster than the speed of an optimized DES implementation. In addition, a distinguishing feature is its small hardware design. The hard- ware design, which includes encryption and decryption and key schedule, occupies approximately 11K gates, which is the smallest among all ex- isting 128-bit block ciphers as far as we know. 1 Introduction This paper presents a 128-bit block cipher called Camellia, which was jointly developed by NTT and Mitsubishi Electric Corporation.
    [Show full text]