Special Feature Promoting the Use of Camellia Masayuki Kanda† Abstract Camellia, a 128-bit block cipher developed jointly by NTT and Mitsubishi Electric Corporation, is an encryption algorithm with the world’s highest level of security and performance. It has been selected as an ISO/IEC international standard cipher and an Internet standard cipher. This report provides an overview of Camellia and describes NTT’s efforts to promote its use. 1. Camellia: Japan’s representative cipher speed software implementations (shown in blue), Mitsubishi Electric’s world-renowned know-how on Recognizing that cryptographic technology has designing ciphers for compact and high-speed hard- become an important foundation of the information ware implementations (red), and world-class cipher- society, a worldwide movement is taking place to security evaluation techniques*2 developed by both select secure encryption algorithms as standard and companies (yellow). Camellia uses a message-block recommended ciphers based on strict evaluations per- length of 128 bits and supports secret keys of three formed by cryptographic researchers. Camellia has different lengths: 128, 192, and 256 bits. been recognized as the only cipher in the world hav- It has been proven mathematically that Camellia is ing security and processing performance levels secure against differential and linear cryptanalysis, equivalent to AES (Advanced Encryption Standard), which are known to be strong attacks against block the standard cipher of the United States government. ciphers. It has also been shown that Camellia is Like AES, Camellia has been selected as a next-gen- secure against other attacks. In addition, no obvious eration international standard cipher by various stan- vulnerabilities have been found to date in numerous dardization organizations and projects. Camellia is third-party evaluations conducted by cryptographic expected to be used on the international level as researchers throughout the world. Therefore, Camel- Japan’s representative cipher. lia’s expected security level in future (security mar- This article provides an overview of Camellia, dis- gin) is in the world’s top class. Camellia is expected cusses the significance of its selection by standard- to be more resistant to future unknown attacks than ization organizations and projects, and describes how AES. NTT is working to promote the use of Camellia now Another feature of Camellia is its excellent utility and in the future. in diverse applications. Unlike AES, Camellia uses the same structure for encryption and decryption, 2. Overview of Camellia which enables it to exhibit superior performance in Camellia is a 128-bit block cipher*1 developed *1 Block cipher: A block cipher, which encrypts data in fixed-length jointly by NTT and Mitsubishi Electric Corporation blocks, is a symmetric key encryption algorithm that uses the same [1], [2]. As shown in Fig. 1, its design combines secret key to encrypt and decrypt data. Since it achieves high- NTT’s know-how on designing ciphers for high- speed encryption processing, it is used widely in various applica- tions such as communication sessions that deal with large-volume data, file encryption, and mobile terminal authentication. † NTT Information Sharing Platform Laboratories *2 Cipher-security evaluation techniques: Methods of expressing an Yokosuka-shi, 239-0847 Japan index of immunity against cryptanalytic attacks, e.g., differential E-mail: [email protected] cryptanalysis and linear cryptanalysis. Vol. 4 No. 2 Feb. 2006 49 Special Feature Subkey Secret key S : substitution table (128, 192, or 256 bits) Plaintext (128 bits) Round function i S1 Round function S4 Primary converter Round function S3 Linear S2 transformation Secondary converter Round function S by exclusive 4 OR Primary S3 converter Round function Intermediate key S2 Secondary converter Round function S1 Rotation & choice section Primary Intermediate-key generator converter Subkey –1 Security evaluation FL FL Subkey technique Ciphertext (128 bits) Subkey Fig. 1. Design of Camellia. Entering/leaving control Gbit/s-class hardware implementations system; traffic-control system About 45 kilo-gates (KGs) at 2 Gbit/s (0.18-µm application-specific integrated circuit (ASIC)) About 9.5K slices at 400 Mbit/s (field programmable Enables high-speed and compact implementations Encrypted router; gate array (FPGA)) (key length: 128 bits) for both smartcards having little onboard memory High-speed software implementations Smartcard and small-scale central processing units (CPUs) authentication High-speed processing of requests from many clients having low processing power RAM: about 60 B; server ROM: 1.5 KB or less Processing time: about 2 ms (at 15 MHz) (key length: 128 bits; data size: 128 bits) Encrypted file management system Authentication Encrypted communication path system Internet services Hard-disk drive Protection of portable media High-speed software implementations capable of encrypting High-efficiency/compact hardware implementations high-definition television (HDTV)-grade video streaming capable of low power consumption and low-cost About 500 Mbit/s (on Pentium III, 1.3 GHz) production Cellular µ (key length: 128 bits; assembler language) About 8 KGs at 200 Mbps (0.18- m ASIC) phones About 2K slices at 250 Mbps (FPGA) Web services Cryptographic library (key length: 128 bits) Videoconferencing systems; Hardware digital rights management (DRM) systems * Performance values are best values. Fig. 2. Camellia’s high-efficiency processing. smartcards that have a little onboard memory and in achieve high-speed processing in hardware imple- other compact hardware devices. Specifically, mentations. Camellia can be used to achieve high-speed encryp- Moreover, it can be used to construct the world’s tion processing on a variety of platforms from low- smallest implementation of a 128-bit block cipher cost smartcards to personal computers and server sys- (with a circuit scale under 8000 gates) with a pro- tems by using software implementations that use cessing efficiency at the highest level in this class. As instruction sets and ROM/RAM (read-only memory, shown in Fig. 2, Camellia achieves high-efficiency random access memory) sizes applicable to the appli- processing by flexibly adapting the implementation cation environments in question. In this way, Camel- to the application and circumstances. Camellia is the lia has been shown to achieve processing speeds from best choice in these typical software implementations four to five times faster than Triple DES and at least and two hardware implementations, which have dif- twice as fast as FEAL-32X. It can also be used to ferent priorities for performance, memory, and cost. 50 NTT Technical Review Special Feature 3. Camellia’s inclusion among standard and ing performance as AES, Camellia has joined AES recommended ciphers on the lists of various standard and recommended ciphers, as shown in Fig. 3. Its selection as an Besides international cryptography societies, NTT ISO/IEC international standard cipher and Internet has submitted proposals for using Camellia to the standard cipher is especially significant [5]. European Union’s project for selecting recommended ciphers (NESSIE: New European Schemes for Signa- 3.1 ISO/IEC international standard cipher tures, Integrity, and Encryption) and Japan’s project Based on the results of evaluations conducted in a for selecting recommended ciphers for e-government similar manner to those of NESSIE and CRYPTREC, (CRYPTREC: Cryptography Research and Evalua- ISO/IEC standardized a set of ciphers recognized tion Committees) [3]. In this way, NTT received thor- internationally as secure and efficient in the first for- ough and objective evaluations of Camellia from mal ISO/IEC international standard cipher (ISO/ researchers throughout the world over a period of IEC18033 series). Camellia, AES, and SEED (devel- several years. For example, the evaluation performed oped by Korea Information Security Agency (KISA)) at NESSIE determined that “Camellia has many sim- are the only 128-bit block ciphers included in ilarities to AES, so much of the analysis for AES is ISO/IEC18033-3 and are thus destined to become also applicable to Camellia. It is also the case that the next-generation standards. NESSIE project did not find an attack on either AES or Camellia.” For this reason, Camellia was the only 3.2 Internet standard ciphers 128-bit block cipher selected as an EU recommended The only ciphers that can be formally used on the cipher out of ten submitted ciphers [4]. Internet are those that have been selected by IETF Furthermore, as the only 128-bit block cipher in the (Internet Engineering Task Force) as Internet stan- world having the same level of security and process- dard ciphers. As a result, protocols for secure com- Standardization organization Type of standardized ciphers Japanese block ciphers Overseas block ciphers Camellia AES NESSIE EU recommended ciphers MISTY 1 — — SHACAL-2 Camellia, Cipherunicorn-A, AES Recommended ciphers for Hierocrypt-3, SC2000 CRYPTREC e-government in Japan Cipherunicorn-E, Hierocrypt-L1, MISTY 1 3-key Triple DES ISO/IEC international Camellia AES, SEED ISO/IEC standard ciphers MISTY 1 Triple DES, CAST-128 (ISO/IEC18033-3) Camellia (RFC4132) AES, SEED SSL/TLS standard ciphers Japanese first — Triple DES, IDEA, RC2 Camellia (RFC4051) AES XML standard ciphers — Triple DES Camellia (RFC3657) AES, SEED IETF S/MIME standard ciphers Triple DES, CAST-128, IDEA, — RC2, RC5 Camellia (RFC4312)