| < draft-nakajima-camellia-02.txt | draft-nakajima-camellia-03.txt > | |||
|---|---|---|---|---|
| INTERNET-DRAFT J. Nakajima | INTERNET-DRAFT M. Matsui | |||
| J. Nakajima | ||||
| Mitsubishi Electric Corporation | Mitsubishi Electric Corporation | |||
| Expires January 2002 S. Moriai | Expires June 2004 S. Moriai | |||
| Nippon Telegraph and Telephone Corporation | Sony Computer Entertainmemt Inc. | |||
| July 2001 | December 2003 | |||
| A Description of the Camellia Encryption Algorithm | A Description of the Camellia Encryption Algorithm | |||
| <draft-nakajima-camellia-02.txt> | <draft-nakajima-camellia-03.txt> | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft and is NOT offered in accordance | This document is an Internet-Draft and is in full conformance with | |||
| with Section 10 of RFC2026, and the author does not provide the IETF | all provisions of Section 10 of RFC2026. | |||
| with any rights other than to publish as an Internet-Draft. | ||||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
| Drafts. | Drafts. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six | |||
| and may be updated, replaced, or obsoleted by other documents at any | months and may be updated, replaced, or obsoleted by other documents | |||
| time. It is inappropriate to use Internet-Drafts as reference | at any time. It is inappropriate to use Internet-Drafts as | |||
| material or to cite them other than as "work in progress." | reference material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt | http://www.ietf.org/ietf/1id-abstracts.txt | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| Abstract | Abstract | |||
| This document describes a secret-key cryptosystem, Camellia; it is a | This document describes the Camellia encryption algorithm. Camellia | |||
| block cipher with 128-bit block size and 128-, 192-, and 256-bit | is a block cipher with 128-bit block size and 128-, 192-, and | |||
| keys. The algorithm description is presented together with key | 256-bit keys. The algorithm description is presented together with | |||
| scheduling part and data randomizing part. | key scheduling part and data randomizing part. | |||
| Note: | ||||
| This work was done when the second author worked for NTT. | ||||
| 1. Introduction | 1. Introduction | |||
| This document describes the secret-key cryptosystem Camellia | 1.1 Camellia | |||
| [1][2][3], a block cipher with 128-bit block size and 128-, 192-, and | ||||
| 256-bit keys, i.e. the same interface specifications as the Advanced | Camellia was jointly developed by Nippon Telegraph and Telephone | |||
| Encryption Standard (AES). Camellia offers excellent efficiency on | Corporation and Mitsubishi Electric Corporation in 2000 | |||
| both software and hardware platforms in addition to a high level of | ||||
| security. It is confirmed that Camellia provides strong security | [CamelliaSpec]. Camellia specifies the 128-bit block size and 128-, | |||
| against differential and linear cryptanalysis. | 192-, and 256-bit key sizes, the same interface as the Advanced | |||
| Encryption Standard (AES). Camellia is characterized by its | ||||
| suitability for both software and hardware implementations as well | ||||
| as its high level of security. From a practical viewpoint, it is | ||||
| designed to enable flexibility in software and hardware | ||||
| implementations on 32-bit processors widely used over the Internet | ||||
| and many applications, 8-bit processors used in smart cards, | ||||
| cryptographic hardware, embedded systems, and so on [CamelliaTech]. | ||||
| Moreover, its key setup time is excellent, and its key agility is | ||||
| superior to that of AES. | ||||
| Camellia has been scrutinized by the wide cryptographic community | ||||
| during several projects for evaluating crypto algorithms. In | ||||
| particular, Camellia was selected as a recommended cryptographic | ||||
| primitive by the EU NESSIE (New European Schemes for Signatures, | ||||
| Integrity and Encryption) project [NESSIE] and also included in | ||||
| the list of cryptographic techniques for Japanese e-Government | ||||
| systems which were selected by the Japan CRYPTREC (Cryptography | ||||
| Research and Evaluation Committees) [CRYPTREC]. | ||||
| 1.2 Terminology | ||||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD | ||||
| NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in | ||||
| uppercase, as shown) are to be interpreted as described in | ||||
| [RFC2119]. | ||||
| 2. Algorithm Description | 2. Algorithm Description | |||
| Camellia can be divided into "key scheduling part" and "data | Camellia can be divided into "key scheduling part" and "data | |||
| randomizing part". | randomizing part". | |||
| 2.1 Terminology | 2.1 Terminology | |||
| The following operators are used in this document to describe the | The following operators are used in this document to describe the | |||
| algorithm. | algorithm. | |||
| & bitwise AND operation. | & bitwise AND operation. | |||
| | bitwise OR operation. | | bitwise OR operation. | |||
| ^ bitwise exclusive-OR operation. | ^ bitwise exclusive-OR operation. | |||
| << logically left shift operation. | << logical left shift operation. | |||
| >> logically right shift operation. | >> logical right shift operation. | |||
| <<< left rotation operation. | <<< left rotation operation. | |||
| ~y bitwise complement of y. | ~y bitwise complement of y. | |||
| 0x hexadecimal representation. | 0x hexadecimal representation. | |||
| Note that the resultant values of logically left shift operation are | Note that the logical left shift operation is done with the infinite | |||
| expanded their data width infinitely. | data width. | |||
| The constant values of MASK8, MASK32, MASK64, and MASK128 are defined | The constant values of MASK8, MASK32, MASK64, and MASK128 are defined | |||
| as follows. | as follows. | |||
| MASK8 = 0xff; | MASK8 = 0xff; | |||
| MASK32 = 0xffffffff; | MASK32 = 0xffffffff; | |||
| MASK64 = 0xffffffffffffffff; | MASK64 = 0xffffffffffffffff; | |||
| MASK128 = 0xffffffffffffffffffffffffffffffff; | MASK128 = 0xffffffffffffffffffffffffffffffff; | |||
| 2.2 Key Scheduling Part | 2.2 Key Scheduling Part | |||
| skipping to change at page 9, line 8 ¶ | skipping to change at page 9, line 36 ¶ | |||
| var k1, k2 as 32-bit unsigned integer; | var k1, k2 as 32-bit unsigned integer; | |||
| y1 = FLINV_IN >> 32; | y1 = FLINV_IN >> 32; | |||
| y2 = FLINV_IN & MASK32; | y2 = FLINV_IN & MASK32; | |||
| k1 = KE >> 32; | k1 = KE >> 32; | |||
| k2 = KE & MASK32; | k2 = KE & MASK32; | |||
| y1 = y1 ^ (y2 | k2); | y1 = y1 ^ (y2 | k2); | |||
| y2 = y2 ^ ((y1 & k1) <<< 1); | y2 = y2 ^ ((y1 & k1) <<< 1); | |||
| FLINV_OUT = (y1 << 32) | y2; | FLINV_OUT = (y1 << 32) | y2; | |||
| end. | end. | |||
| 3. Object Identifier | 3. Object Identifiers | |||
| The Object Identifier for Camellia with 18 rounds and 128-bit key in | The Object Identifier for Camellia with 18 rounds and 128-bit key in | |||
| Cipher Block Chaining (CBC) mode is as follows: | Cipher Block Chaining (CBC) mode is as follows: | |||
| id-camellia128-cbc OBJECT IDENTIFIER ::= | id-camellia128-cbc OBJECT IDENTIFIER ::= | |||
| { iso(1) member-body(2) 392 200011 61 security(1) | { iso(1) member-body(2) 392 200011 61 security(1) | |||
| algorithm(1) symmetric-encryption-algorithm(1) | algorithm(1) symmetric-encryption-algorithm(1) | |||
| camellia128-cbc(2) } | camellia128-cbc(2) } | |||
| The Object Identifier for Camellia with 24 rounds and 192-bit key in | The Object Identifier for Camellia with 24 rounds and 192-bit key in | |||
| skipping to change at page 10, line 9 ¶ | skipping to change at page 10, line 37 ¶ | |||
| techniques such as differential cryptanalysis and linear | techniques such as differential cryptanalysis and linear | |||
| cryptanalysis is considered to be essential in designing any new | cryptanalysis is considered to be essential in designing any new | |||
| block cipher. We evaluated the security of Camellia by utilizing | block cipher. We evaluated the security of Camellia by utilizing | |||
| state-of-the-art cryptanalytic techniques. We confirmed that | state-of-the-art cryptanalytic techniques. We confirmed that | |||
| Camellia has no differential and linear characteristics that hold | Camellia has no differential and linear characteristics that hold | |||
| with probability more than 2^(-128), which means that it is extremely | with probability more than 2^(-128), which means that it is extremely | |||
| unlikely that differential and linear attacks will succeed against | unlikely that differential and linear attacks will succeed against | |||
| the full 18-round Camellia. Moreover, Camellia was designed to offer | the full 18-round Camellia. Moreover, Camellia was designed to offer | |||
| security against other advanced cryptanalytic attacks including | security against other advanced cryptanalytic attacks including | |||
| higher order differential attacks, interpolation attacks, related-key | higher order differential attacks, interpolation attacks, related-key | |||
| attacks, truncated differential attacks, and so on [3]. | attacks, truncated differential attacks, and so on [Camellia]. | |||
| 5. Intellectual Property Statement | 5. Intellectual Property Statement | |||
| Mitsubishi Electric Corporation (Mitsubishi Electric) and Nippon | The IETF takes no position regarding the validity or scope of any | |||
| Telegraph and Telephone Corporation (NTT) have pending applications | intellectual property or other rights that might be claimed to | |||
| or filed patents which are essential to Camellia. License policy for | pertain to the implementation or use of the technology described in | |||
| these essential patents is available on the IETF page of Intellectual | this document or the extent to which any license under such rights | |||
| Property Rights Notices. | might or might not be available; neither does it represent that it | |||
| has made any effort to identify any such rights. Information on the | ||||
| IETF's procedures with respect to rights in standards-track and | ||||
| standards-related documentation can be found in BCP-11. Copies of | ||||
| claims of rights made available for publication and any assurances of | ||||
| licenses to be made available, or the result of an attempt made to | ||||
| obtain a general license or permission for the use of such | ||||
| proprietary rights by implementors or users of this specification can | ||||
| be obtained from the IETF Secretariat. | ||||
| 6. References | The IETF invites any interested party to bring to its attention any | |||
| copyrights, patents or patent applications, or other proprietary | ||||
| rights which may cover technology that may be required to practice | ||||
| this standard. Please address the information to the IETF Executive | ||||
| Director. | ||||
| [1] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. | The IETF has been notified of intellectual property rights claimed in | |||
| Nakajima, and T. Tokita, ``Specification of Camellia --- a | regard to some or all of the specification contained in this | |||
| 128-bit Block Cipher,'' 2000. | document. For more information consult the online list of claimed | |||
| http://info.isl.ntt.co.jp/camellia/ | rights. | |||
| [2] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. | 6. Informative References | |||
| Nakajima, and T. Tokita, ``Camellia: A 128-Bit Block Cipher | ||||
| Suitable for Multiple Platforms,'' 2000. | ||||
| http://info.isl.ntt.co.jp/camellia/ | ||||
| [3] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. | [CamelliaSpec] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, | |||
| Nakajima, and T. Tokita, ``Camellia: A 128-Bit Block Cipher | J. Nakajima, and T. Tokita, "Specification of Camellia --- a | |||
| Suitable for Multiple Platforms --- Design and Analysis ---,'' | 128-bit Block Cipher". http://info.isl.ntt.co.jp/camellia/ | |||
| In Selected Areas in Cryptography, 7th Annual International | ||||
| Workshop, SAC 2000, Waterloo, Ontario, Canada, August 2000, | ||||
| Proceedings, Lecture Notes in Computer Science 2012, pp.39-56, | ||||
| Springer-Verlag, 2001. | ||||
| 7. Authors' Addresses | [CamelliaTech] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, | |||
| J. Nakajima, and T. Tokita, "Camellia: A 128-Bit Block Cipher | ||||
| Suitable for Multiple Platforms". | ||||
| http://info.isl.ntt.co.jp/camellia/ | ||||
| Junko Nakajima | [Camellia] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. | |||
| Mitsubishi Electric Corporation, Information Technology R&D Center | Nakajima, and T. Tokita, "Camellia: A 128-Bit Block Cipher | |||
| 5-1-1 Ofuna, Kamakura, Kanagawa 247-8501, Japan | Suitable for Multiple Platforms - Design and Analysis -", In | |||
| Phone: +81-467-41-2181 | Selected Areas in Cryptography, 7th Annual International | |||
| FAX: +81-467-41-2185 | Workshop, SAC 2000, Waterloo, Ontario, Canada, August 2000, | |||
| Email: june15@iss.isl.melco.co.jp | Proceedings, Lecture Notes in Computer Science 2012, pp.39-56, | |||
| Springer-Verlag, 2001. | ||||
| Shiho Moriai | [CRYPTREC] "CRYPTREC Advisory Committee Report FY2002", Ministry | |||
| NTT Laboratories | of Public Management, Home Affairs, Posts and | |||
| 1-1 Hikarinooka, Yokosuka, 239-0847, Japan | Telecommunications, and Ministry of Economy, Trade and | |||
| Phone: +81-468-59-2007 | Industry, March 2003. | |||
| FAX: +81-468-59-3858 | http://www.soumu.go.jp/joho_tsusin/security/cryptrec.html | |||
| Email: shiho@isl.ntt.co.jp | CRYPTREC home page by Information-technology Promotion Agency, | |||
| Japan (IPA). | ||||
| http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html | ||||
| [NESSIE] New European Schemes for Signatures, Integrity and | ||||
| Encryption (NESSIE) project. http://www.cryptonessie.org | ||||
| [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate | ||||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | ||||
| Appendix A. Example Data of Camellia | Appendix A. Example Data of Camellia | |||
| Here is a test data for Camellia in hexadecimal form. | Here is a test data for Camellia in hexadecimal form. | |||
| 128-bit key | 128-bit key | |||
| Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | |||
| Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | |||
| Ciphertext: 67 67 31 38 54 96 69 73 08 57 06 56 48 ea be 43 | Ciphertext: 67 67 31 38 54 96 69 73 08 57 06 56 48 ea be 43 | |||
| skipping to change at page 11, line 17 ¶ | skipping to change at page 12, line 4 ¶ | |||
| Here is a test data for Camellia in hexadecimal form. | Here is a test data for Camellia in hexadecimal form. | |||
| 128-bit key | 128-bit key | |||
| Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | |||
| Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | |||
| Ciphertext: 67 67 31 38 54 96 69 73 08 57 06 56 48 ea be 43 | Ciphertext: 67 67 31 38 54 96 69 73 08 57 06 56 48 ea be 43 | |||
| 192-bit key | 192-bit key | |||
| Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | |||
| : 00 11 22 33 44 55 66 77 | : 00 11 22 33 44 55 66 77 | |||
| Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | |||
| Ciphertext: b4 99 34 01 b3 e9 96 f8 4e e5 ce e7 d7 9b 09 b9 | Ciphertext: b4 99 34 01 b3 e9 96 f8 4e e5 ce e7 d7 9b 09 b9 | |||
| 256-bit key | 256-bit key | |||
| Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | |||
| : 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff | : 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff | |||
| Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 | |||
| Ciphertext: 9a cc 23 7d ff 16 d7 6c 20 ef 7c 91 9e 3a 75 09 | Ciphertext: 9a cc 23 7d ff 16 d7 6c 20 ef 7c 91 9e 3a 75 09 | |||
| Authors' Addresses | ||||
| Mitsuru Matsui & Junko Nakajima | ||||
| Mitsubishi Electric Corporation, Information Technology R&D Center | ||||
| 5-1-1 Ofuna, Kamakura, Kanagawa 247-8501, Japan | ||||
| Phone: +81-467-41-2190 | ||||
| FAX: +81-467-41-2185 | ||||
| Email: matsui@iss.isl.melco.co.jp | ||||
| Shiho Moriai | ||||
| Sony Computer Entertainment Inc. | ||||
| Phone: +81-3-6438-7523 | ||||
| FAX: +81-3-6438-8629 | ||||
| Email: camellia@isl.ntt.co.jp (Camellia team) | ||||
| shiho@rc.scei.sony.co.jp (Shiho Moriai) | ||||
| End of changes. 24 change blocks. | ||||
| 71 lines changed or deleted | 117 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
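
Review bot: In the new section 1.1, the sentence "its key setup time is excellent, and its key agility is superior to that of AES" makes a comparative performance claim with no figures and no citation, unlike the sentence before it, which cites [CamelliaTech]. Cite the measurement that supports the claim or drop the comparison with AES. Separately, the -03 header spells the affiliation "Sony Computer Entertainmemt Inc."; it should read "Entertainment".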
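
Review bot: In the FLINV fragment shown after the change at page 9, "(y1 & k1) <<< 1" depends on a rotation width that section 2.1 never states: "<<<" is defined only as "left rotation operation", while the -03 wording for "<<" now says it "is done with the infinite data width". State in 2.1 that "<<<" rotates within the declared width of its operand (32 bits here, given "var k1, k2 as 32-bit unsigned integer"), so that an implementation holding these values in wider registers wraps the top bit to bit 0 instead of carrying it out.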
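
Review bot: [RFC2119] is listed under "6. Informative References", but the new section 1.2 relies on it to define "MUST", "SHOULD" and the other requirement key words, which makes it a normative reference. Move it to a Normative References section, or remove 1.2 if the document uses none of those key words. The -03 entries for [CamelliaSpec] and [CamelliaTech] also drop the year 2000 that the -02 entries [1] and [2] carried, leaving two undated references that point at the same URL.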