< draft-nakajima-camellia-02.txt   draft-nakajima-camellia-03.txt >
INTERNET-DRAFT J. Nakajima INTERNET-DRAFT M. Matsui
J. Nakajima
Mitsubishi Electric Corporation Mitsubishi Electric Corporation
Expires January 2002 S. Moriai Expires June 2004 S. Moriai
Nippon Telegraph and Telephone Corporation Sony Computer Entertainmemt Inc.
July 2001 December 2003
A Description of the Camellia Encryption Algorithm A Description of the Camellia Encryption Algorithm
<draft-nakajima-camellia-02.txt> <draft-nakajima-camellia-03.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft and is NOT offered in accordance This document is an Internet-Draft and is in full conformance with
with Section 10 of RFC2026, and the author does not provide the IETF all provisions of Section 10 of RFC2026.
with any rights other than to publish as an Internet-Draft.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six
and may be updated, replaced, or obsoleted by other documents at any months and may be updated, replaced, or obsoleted by other documents
time. It is inappropriate to use Internet-Drafts as reference at any time. It is inappropriate to use Internet-Drafts as
material or to cite them other than as "work in progress." reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
Abstract Abstract
This document describes a secret-key cryptosystem, Camellia; it is a This document describes the Camellia encryption algorithm. Camellia
block cipher with 128-bit block size and 128-, 192-, and 256-bit is a block cipher with 128-bit block size and 128-, 192-, and
keys. The algorithm description is presented together with key 256-bit keys. The algorithm description is presented together with
scheduling part and data randomizing part. key scheduling part and data randomizing part.
Note:
This work was done when the second author worked for NTT.
1. Introduction 1. Introduction
This document describes the secret-key cryptosystem Camellia 1.1 Camellia
[1][2][3], a block cipher with 128-bit block size and 128-, 192-, and
256-bit keys, i.e. the same interface specifications as the Advanced Camellia was jointly developed by Nippon Telegraph and Telephone
Encryption Standard (AES). Camellia offers excellent efficiency on Corporation and Mitsubishi Electric Corporation in 2000
both software and hardware platforms in addition to a high level of
security. It is confirmed that Camellia provides strong security [CamelliaSpec]. Camellia specifies the 128-bit block size and 128-,
against differential and linear cryptanalysis. 192-, and 256-bit key sizes, the same interface as the Advanced
Encryption Standard (AES). Camellia is characterized by its
suitability for both software and hardware implementations as well
as its high level of security. From a practical viewpoint, it is
designed to enable flexibility in software and hardware
implementations on 32-bit processors widely used over the Internet
and many applications, 8-bit processors used in smart cards,
cryptographic hardware, embedded systems, and so on [CamelliaTech].
Moreover, its key setup time is excellent, and its key agility is
superior to that of AES.
Camellia has been scrutinized by the wide cryptographic community
during several projects for evaluating crypto algorithms. In
particular, Camellia was selected as a recommended cryptographic
primitive by the EU NESSIE (New European Schemes for Signatures,
Integrity and Encryption) project [NESSIE] and also included in
the list of cryptographic techniques for Japanese e-Government
systems which were selected by the Japan CRYPTREC (Cryptography
Research and Evaluation Committees) [CRYPTREC].
1.2 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD
NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in
uppercase, as shown) are to be interpreted as described in
[RFC2119].
2. Algorithm Description 2. Algorithm Description
Camellia can be divided into "key scheduling part" and "data Camellia can be divided into "key scheduling part" and "data
randomizing part". randomizing part".
2.1 Terminology 2.1 Terminology
The following operators are used in this document to describe the The following operators are used in this document to describe the
algorithm. algorithm.
& bitwise AND operation. & bitwise AND operation.
| bitwise OR operation. | bitwise OR operation.
^ bitwise exclusive-OR operation. ^ bitwise exclusive-OR operation.
<< logically left shift operation. << logical left shift operation.
>> logically right shift operation. >> logical right shift operation.
<<< left rotation operation. <<< left rotation operation.
~y bitwise complement of y. ~y bitwise complement of y.
0x hexadecimal representation. 0x hexadecimal representation.
Note that the resultant values of logically left shift operation are Note that the logical left shift operation is done with the infinite
expanded their data width infinitely. data width.
The constant values of MASK8, MASK32, MASK64, and MASK128 are defined The constant values of MASK8, MASK32, MASK64, and MASK128 are defined
as follows. as follows.
MASK8 = 0xff; MASK8 = 0xff;
MASK32 = 0xffffffff; MASK32 = 0xffffffff;
MASK64 = 0xffffffffffffffff; MASK64 = 0xffffffffffffffff;
MASK128 = 0xffffffffffffffffffffffffffffffff; MASK128 = 0xffffffffffffffffffffffffffffffff;
2.2 Key Scheduling Part 2.2 Key Scheduling Part
skipping to change at page 9, line 8 skipping to change at page 9, line 36
var k1, k2 as 32-bit unsigned integer; var k1, k2 as 32-bit unsigned integer;
y1 = FLINV_IN >> 32; y1 = FLINV_IN >> 32;
y2 = FLINV_IN & MASK32; y2 = FLINV_IN & MASK32;
k1 = KE >> 32; k1 = KE >> 32;
k2 = KE & MASK32; k2 = KE & MASK32;
y1 = y1 ^ (y2 | k2); y1 = y1 ^ (y2 | k2);
y2 = y2 ^ ((y1 & k1) <<< 1); y2 = y2 ^ ((y1 & k1) <<< 1);
FLINV_OUT = (y1 << 32) | y2; FLINV_OUT = (y1 << 32) | y2;
end. end.
3. Object Identifier 3. Object Identifiers
The Object Identifier for Camellia with 18 rounds and 128-bit key in The Object Identifier for Camellia with 18 rounds and 128-bit key in
Cipher Block Chaining (CBC) mode is as follows: Cipher Block Chaining (CBC) mode is as follows:
id-camellia128-cbc OBJECT IDENTIFIER ::= id-camellia128-cbc OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) 392 200011 61 security(1) { iso(1) member-body(2) 392 200011 61 security(1)
algorithm(1) symmetric-encryption-algorithm(1) algorithm(1) symmetric-encryption-algorithm(1)
camellia128-cbc(2) } camellia128-cbc(2) }
The Object Identifier for Camellia with 24 rounds and 192-bit key in The Object Identifier for Camellia with 24 rounds and 192-bit key in
skipping to change at page 10, line 9 skipping to change at page 10, line 37
techniques such as differential cryptanalysis and linear techniques such as differential cryptanalysis and linear
cryptanalysis is considered to be essential in designing any new cryptanalysis is considered to be essential in designing any new
block cipher. We evaluated the security of Camellia by utilizing block cipher. We evaluated the security of Camellia by utilizing
state-of-the-art cryptanalytic techniques. We confirmed that state-of-the-art cryptanalytic techniques. We confirmed that
Camellia has no differential and linear characteristics that hold Camellia has no differential and linear characteristics that hold
with probability more than 2^(-128), which means that it is extremely with probability more than 2^(-128), which means that it is extremely
unlikely that differential and linear attacks will succeed against unlikely that differential and linear attacks will succeed against
the full 18-round Camellia. Moreover, Camellia was designed to offer the full 18-round Camellia. Moreover, Camellia was designed to offer
security against other advanced cryptanalytic attacks including security against other advanced cryptanalytic attacks including
higher order differential attacks, interpolation attacks, related-key higher order differential attacks, interpolation attacks, related-key
attacks, truncated differential attacks, and so on [3]. attacks, truncated differential attacks, and so on [Camellia].
5. Intellectual Property Statement 5. Intellectual Property Statement
Mitsubishi Electric Corporation (Mitsubishi Electric) and Nippon The IETF takes no position regarding the validity or scope of any
Telegraph and Telephone Corporation (NTT) have pending applications intellectual property or other rights that might be claimed to
or filed patents which are essential to Camellia. License policy for pertain to the implementation or use of the technology described in
these essential patents is available on the IETF page of Intellectual this document or the extent to which any license under such rights
Property Rights Notices. might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
6. References The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
[1] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. The IETF has been notified of intellectual property rights claimed in
Nakajima, and T. Tokita, ``Specification of Camellia --- a regard to some or all of the specification contained in this
128-bit Block Cipher,'' 2000. document. For more information consult the online list of claimed
http://info.isl.ntt.co.jp/camellia/ rights.
[2] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. 6. Informative References
Nakajima, and T. Tokita, ``Camellia: A 128-Bit Block Cipher
Suitable for Multiple Platforms,'' 2000.
http://info.isl.ntt.co.jp/camellia/
[3] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. [CamelliaSpec] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai,
Nakajima, and T. Tokita, ``Camellia: A 128-Bit Block Cipher J. Nakajima, and T. Tokita, "Specification of Camellia --- a
Suitable for Multiple Platforms --- Design and Analysis ---,'' 128-bit Block Cipher". http://info.isl.ntt.co.jp/camellia/
In Selected Areas in Cryptography, 7th Annual International
Workshop, SAC 2000, Waterloo, Ontario, Canada, August 2000,
Proceedings, Lecture Notes in Computer Science 2012, pp.39-56,
Springer-Verlag, 2001.
7. Authors' Addresses [CamelliaTech] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai,
J. Nakajima, and T. Tokita, "Camellia: A 128-Bit Block Cipher
Suitable for Multiple Platforms".
http://info.isl.ntt.co.jp/camellia/
Junko Nakajima [Camellia] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J.
Mitsubishi Electric Corporation, Information Technology R&D Center Nakajima, and T. Tokita, "Camellia: A 128-Bit Block Cipher
5-1-1 Ofuna, Kamakura, Kanagawa 247-8501, Japan Suitable for Multiple Platforms - Design and Analysis -", In
Phone: +81-467-41-2181 Selected Areas in Cryptography, 7th Annual International
FAX: +81-467-41-2185 Workshop, SAC 2000, Waterloo, Ontario, Canada, August 2000,
Email: june15@iss.isl.melco.co.jp Proceedings, Lecture Notes in Computer Science 2012, pp.39-56,
Springer-Verlag, 2001.
Shiho Moriai [CRYPTREC] "CRYPTREC Advisory Committee Report FY2002", Ministry
NTT Laboratories of Public Management, Home Affairs, Posts and
1-1 Hikarinooka, Yokosuka, 239-0847, Japan Telecommunications, and Ministry of Economy, Trade and
Phone: +81-468-59-2007 Industry, March 2003.
FAX: +81-468-59-3858 http://www.soumu.go.jp/joho_tsusin/security/cryptrec.html
Email: shiho@isl.ntt.co.jp CRYPTREC home page by Information-technology Promotion Agency,
Japan (IPA).
http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html
[NESSIE] New European Schemes for Signatures, Integrity and
Encryption (NESSIE) project. http://www.cryptonessie.org
[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
Appendix A. Example Data of Camellia Appendix A. Example Data of Camellia
Here is a test data for Camellia in hexadecimal form. Here is a test data for Camellia in hexadecimal form.
128-bit key 128-bit key
Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10
Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10
Ciphertext: 67 67 31 38 54 96 69 73 08 57 06 56 48 ea be 43 Ciphertext: 67 67 31 38 54 96 69 73 08 57 06 56 48 ea be 43
skipping to change at page 11, line 17 skipping to change at page 12, line 4
Here is a test data for Camellia in hexadecimal form. Here is a test data for Camellia in hexadecimal form.
128-bit key 128-bit key
Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10
Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10
Ciphertext: 67 67 31 38 54 96 69 73 08 57 06 56 48 ea be 43 Ciphertext: 67 67 31 38 54 96 69 73 08 57 06 56 48 ea be 43
192-bit key 192-bit key
Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10
: 00 11 22 33 44 55 66 77 : 00 11 22 33 44 55 66 77
Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10
Ciphertext: b4 99 34 01 b3 e9 96 f8 4e e5 ce e7 d7 9b 09 b9 Ciphertext: b4 99 34 01 b3 e9 96 f8 4e e5 ce e7 d7 9b 09 b9
256-bit key 256-bit key
Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10
: 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff : 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10
Ciphertext: 9a cc 23 7d ff 16 d7 6c 20 ef 7c 91 9e 3a 75 09 Ciphertext: 9a cc 23 7d ff 16 d7 6c 20 ef 7c 91 9e 3a 75 09
Authors' Addresses
Mitsuru Matsui & Junko Nakajima
Mitsubishi Electric Corporation, Information Technology R&D Center
5-1-1 Ofuna, Kamakura, Kanagawa 247-8501, Japan
Phone: +81-467-41-2190
FAX: +81-467-41-2185
Email: matsui@iss.isl.melco.co.jp
Shiho Moriai
Sony Computer Entertainment Inc.
Phone: +81-3-6438-7523
FAX: +81-3-6438-8629
Email: camellia@isl.ntt.co.jp (Camellia team)
shiho@rc.scei.sony.co.jp (Shiho Moriai)
 End of changes. 24 change blocks. 
71 lines changed or deleted 117 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/