Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms — Design and Analysis —

Kazumaro Aoki† Tetsuya Ichikawa‡ Masayuki Kanda† Mitsuru Matsui‡ Shiho Moriai† Junko Nakajima‡ Toshio Tokita‡

†Nippon Telegraph and Telephone Corporation, 1-1 Hikarinooka, Yokosuka, Kanagawa, 239-0847 Japan, {maro,kanda,shiho}@isl.ntt.co.jp
‡Mitsubishi Electric Corporation, 5-1-1 Ofuna, Kamakura, Kanagawa, 247-8501 Japan, {ichikawa,matsui,june15,tokita}@iss.isl.melco.co.jp

Abstract. We present a new 128-bit block cipher called Camellia. Camellia supports 128-bit block size and 128-, 192-, and 256-bit keys, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Efficiency on both software and hardware platforms is a remarkable characteristic of Camellia in addition to its high level of security. It is confirmed that Camellia provides strong security against differential and linear cryptanalysis. Compared to the AES finalists, i.e. MARS, RC6, Rijndael, Serpent, and Twofish, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can encrypt on a Pentium III (800MHz) at the rate of more than 276 Mbits per second, which is much faster than the speed of an optimized DES implementation. In addition, a distinguishing feature is its small hardware design. The hardware design, which includes both encryption and decryption, occupies approximately 11K gates, which is the smallest among all existing 128-bit block ciphers as far as we know.

1 Introduction

This paper presents a 128-bit block cipher called Camellia, which was jointly developed by NTT and Mitsubishi Electric Corporation. Camellia supports 128-bit block size and 128-, 192-, and 256-bit key lengths, and so offers the same interface specifications as the Advanced Encryption Standard (AES). The design goals of Camellia are as follows.

High level of security. The recent advances in cryptanalytic techniques are remarkable. A quantitative evaluation of security against powerful cryptanalytic techniques such as differential cryptanalysis [4] and linear cryptanalysis [21] is considered to be essential in designing any new block cipher. We evaluated the security of Camellia by utilizing state-of-the-art cryptanalytic techniques. We have confirmed that Camellia has no differential and linear characteristics that hold with probability more than $2^{-128}$. Moreover, Camellia was designed to offer security against other advanced cryptanalytic attacks including higher order differential attacks [15, 12], interpolation attacks [12, 2], related-key attacks [5, 18], truncated differential attacks [15, 26], boomerang attacks [29], and slide attacks [6, 7].

Efficiency on multiple platforms. As cryptographic systems are needed in various applications, encryption algorithms that can be implemented efficiently on a wide range of platforms are desirable; however, few 128-bit block ciphers are suitable for both software and hardware implementation. Camellia was designed to offer excellent efficiency in hardware and software implementations, including gate count for hardware design, memory requirements in smart card implementations, as well as performance on multiple platforms.

Camellia consists of only 8-by-8-bit substitution tables (s-boxes) and logical operations that can be efficiently implemented on a wide variety of platforms. Therefore, it can be implemented efficiently in software, including the 8-bit processors used in low-end smart cards, 32-bit processors widely used in PCs, and 64-bit processors. Camellia doesn't use 32-bit integer additions and multiplications, which are extensively used in some software-oriented 128-bit block ciphers. Such operations perform well on platforms providing a high degree of support, e.g., Pentium II/III or Athlon, but not as well on others. These operations can cause a longer critical path and larger hardware implementation requirements.

The s-boxes of Camellia are designed to minimize hardware size. The four s-boxes are affine equivalent to the inversion function in the finite field $GF(2^8)$. Moreover, we reduced the inversion function in $GF(2^8)$ to a few $GF(2^4)$ arithmetic operations. It enabled us to implement the s-boxes with a lower gate count.

The key schedule is simple and shares part of its procedure with encryption. It supports on-the-fly subkey generation and subkeys are computable in any order. The memory requirement for generating subkeys is quite small; an efficient implementation requires about 32-byte RAM for 128-bit keys and about 64-byte RAM for 192- and 256-bit keys.

Future developments. NTT and Mitsubishi Electric Corporation will propose Camellia in response to the call for contributions from ISO/IEC JTC 1/SC 27, aiming at its being adopted as an international standard. We will submit Camellia to NESSIE (New European Schemes for Signature, Integrity, and Encryption) project as a strong cryptographic primitive.

Outline of the paper. This paper is organized as follows: Section 2 describes the notations and high-level structure of Camellia. Section 3 defines each component of the cipher. Section 4 describes the rationale behind Camellia's design. In Section 5 we evaluate Camellia's strength against known attacks. Section 6 contains the performance of Camellia. We conclude in Section 7.

2 Structure of Camellia

Camellia uses an 18-round Feistel structure for 128-bit keys, and a 24-round Feistel structure for 192- and 256-bit keys, with additional input/output whitenings and logical functions called the $FL$-function and $FL^{-1}$-function inserted every 6 rounds. Figure 1 shows an overview of encryption using 128-bit keys. The key schedule generates 64-bit subkeys $kw_t$ $(t = 1, 2, 3, 4)$ for input/output whitenings, $k_u$ $(u = 1, 2, \ldots, r)$ for round functions and $kl_v$ $(v = 1, 2, \ldots, r/3 - 2)$ for $FL$- and $FL^{-1}$-functions from the secret key $K$.

[Figure 1: Encryption procedure of Camellia for 128-bit keys]

2.1 Notations

$X_L$    the left-half data of $X$.
$X_R$    the right-half data of $X$.
⊕        bitwise exclusive-OR operation.
||       concatenation of two operands.
>>>n     rotation to the right by n bits.
<<<n     rotation to the left by n bits.
∩        bitwise AND operation.
∪        bitwise OR operation.
0x       hexadecimal representation.

2.2 Encryption for 128-bit keys

First a 128-bit plaintext $M$ is XORed with $kw_1 \| kw_2$ and separated into two 64-bit data $L_0$ and $R_0$, i.e., $M \oplus (kw_1 \| kw_2) = L_0 \| R_0$. Then, the following operations are performed from $r = 1$ to 18, except for $r = 6$ and 12;

$$L_r = R_{r-1} \oplus F(L_{r-1}, k_r),$$
$$R_r = L_{r-1}.$$

For $r = 6$ and 12, the following is carried out;

$$L'_r = R_{r-1} \oplus F(L_{r-1}, k_r),$$
$$R'_r = L_{r-1},$$
$$L_r = FL(L'_r, kl_{r/3-1}),$$
$$R_r = FL^{-1}(R'_r, kl_{r/3}).$$

Lastly, $R_{18}$ and $L_{18}$ are concatenated and XORed with $kw_3 \| kw_4$. The resultant value is the 128-bit ciphertext, i.e., $C = (R_{18} \| L_{18}) \oplus (kw_3 \| kw_4)$.

2.3 Encryption for 192- and 256-bit keys

Similarly to the encryption for 128-bit keys, first a 128-bit plaintext $M$ is XORed with $kw_1 \| kw_2$ and separated into two 64-bit data $L_0$ and $R_0$, i.e., $M \oplus (kw_1 \| kw_2) = L_0 \| R_0$. Then, the following operations are performed from $r = 1$ to 24, except for $r = 6$, 12, and 18;

$$L_r = R_{r-1} \oplus F(L_{r-1}, k_r),$$
$$R_r = L_{r-1}.$$

For $r = 6$, 12, and 18, the following are performed;

$$L'_r = R_{r-1} \oplus F(L_{r-1}, k_r),$$
$$R'_r = L_{r-1},$$
$$L_r = FL(L'_r, kl_{2r/6-1}),$$
$$R_r = FL^{-1}(R'_r, kl_{2r/6}).$$

Lastly, $R_{24}$ and $L_{24}$ are concatenated and XORed with $kw_3 \| kw_4$. The resultant value is the 128-bit ciphertext, i.e., $C = (R_{24} \| L_{24}) \oplus (kw_3 \| kw_4)$.

2.4 Decryption

The decryption procedure of Camellia can be done in the same way as the encryption procedure by reversing the order of the subkeys, which is one of the merits of Feistel networks.

“keys” in the Feistel network. They are defined as continuous values from the second hexadecimal place to the seventeenth hexadecimal place of the hexadecimal representation of the square root of the $i$-th prime. These constant values are shown in Table 1.

Table 1: The key schedule constants

Σ1    0xA09E667F3BCC908B
Σ2    0xB67AE8584CAA73B2
Σ3    0xC6EF372FE94F82BE
Σ4    0x54FF53A5F1D36F1C
Σ5    0x10E527FADE682D1D
Σ6    0xB05688C2B3E6C1FD

The 64-bit subkeys $kw_t$, $k_u$, and $kl_v$ are generated from $K_L$, $K_R$, $K_A$, and $K_B$. The subkeys are generated by rotating $K_L$, $K_R$, $K_A$, and $K_B$ and taking the left- or right-half of them. Details are shown in Tables 2 and 3.
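The data path of Section 2.2 and the decryption rule of Section 2.4, as an added example that is not code from the paper. Assumptions: `f_standin` is a placeholder for the round function F (which is defined outside this section), FL and FL^-1 follow the Camellia specification in RFC 3713, the subkeys are constructed test values rather than key-schedule output, and "reversing the order of the subkeys" is read as swapping the whitening pairs and reversing the k and kl lists.

```python
import hashlib

MASK32, MASK64 = 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF

def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def fl(x, kl):
    # FL as defined in the Camellia specification (RFC 3713); not given in this section.
    xl, xr = x >> 32, x & MASK32
    xr ^= rotl32(xl & (kl >> 32), 1)
    xl ^= xr | (kl & MASK32)
    return (xl << 32) | xr

def fl_inv(y, kl):
    # Inverse of fl: the same two steps, undone in the opposite order.
    yl, yr = y >> 32, y & MASK32
    yl ^= yr | (kl & MASK32)
    yr ^= rotl32(yl & (kl >> 32), 1)
    return (yl << 32) | yr

def f_standin(x, k):
    # ASSUMPTION: placeholder round function, NOT Camellia's F.
    digest = hashlib.sha256((x ^ k).to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big")

def crypt128(block, kw, k, kl):
    """18-round path: kw = 4 whitening keys, k = 18 round keys, kl = 4 FL keys."""
    block ^= (kw[0] << 64) | kw[1]                # M xor (kw1 || kw2) = L0 || R0
    l, r = block >> 64, block & MASK64
    for rnd in range(1, 19):
        l, r = r ^ f_standin(l, k[rnd - 1]), l    # L_r, R_r (primed values at 6, 12)
        if rnd in (6, 12):
            l = fl(l, kl[rnd // 3 - 2])           # kl_{r/3-1}
            r = fl_inv(r, kl[rnd // 3 - 1])       # kl_{r/3}
    return ((r << 64) | l) ^ ((kw[2] << 64) | kw[3])   # (R18 || L18) xor (kw3 || kw4)

def reversed_subkeys(kw, k, kl):
    # Section 2.4: decryption is crypt128 run with the subkeys in reverse order.
    return [kw[2], kw[3], kw[0], kw[1]], k[::-1], kl[::-1]

def sample_subkeys():
    # Constructed test values, not the output of Camellia's key schedule.
    def gen(tag, n):
        return [int.from_bytes(hashlib.sha256(f"{tag}{i}".encode()).digest()[:8], "big")
                for i in range(n)]
    return gen("kw", 4), gen("k", 18), gen("kl", 4)

if __name__ == "__main__":
    kw, k, kl = sample_subkeys()
    c = crypt128(0x0123456789ABCDEFFEDCBA9876543210, kw, k, kl)
    print(hex(crypt128(c, *reversed_subkeys(kw, k, kl))))
```

The round trip holds for any choice of F, because the Feistel rounds never invert F; only FL needs an explicit inverse, which is why FL and FL^-1 appear as a pair in each inserted layer.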
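The rule stated for the key schedule constants (hexadecimal places 2 through 17 of the square root of the i-th prime) can be checked against Table 1 with exact integer arithmetic. This is an added example, not code from the paper; the function names are illustrative.

```python
from math import isqrt

# Table 1 of the paper, transcribed for comparison.
TABLE_1 = [
    0xA09E667F3BCC908B, 0xB67AE8584CAA73B2, 0xC6EF372FE94F82BE,
    0x54FF53A5F1D36F1C, 0x10E527FADE682D1D, 0xB05688C2B3E6C1FD,
]

def first_primes(n):
    """Return the first n primes by trial division (n is tiny here)."""
    primes, cand = [], 2
    while len(primes) < n:
        if all(cand % p for p in primes):
            primes.append(cand)
        cand += 1
    return primes

def sqrt_hex_places(p, first, last):
    """Hex digits first..last after the point of sqrt(p), as an integer.

    isqrt(p * 2**(8*last)) equals floor(sqrt(p) * 16**last) exactly, so no
    floating-point rounding can disturb the low digits.
    """
    scaled = isqrt(p << (8 * last))
    return scaled % 16 ** (last - first + 1)

def sigma(i):
    """Constant number i (1-based): places 2..17 of sqrt(i-th prime)."""
    return sqrt_hex_places(first_primes(i)[-1], 2, 17)

def check_table():
    """Return the list of (index, derived, published) mismatches."""
    return [(i + 1, sigma(i + 1), want)
            for i, want in enumerate(TABLE_1) if sigma(i + 1) != want]

if __name__ == "__main__":
    for i in range(1, 7):
        print(f"Sigma{i} = 0x{sigma(i):016X}")
    print("mismatches:", check_table())
```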