2001.9.12 2nd nessie workshop copyright (c) ntt&melco 2001 update on camellia camellia design...
TRANSCRIPT
2001.9.12 2nd NESSIE Workshop Copyright (C) NTT&MELCO 2001
Update on Camellia
Camellia Design Team
2001.9.12 2nd NESSIE Workshop Copyright (C) NTT&MELCO 2001
New Results on Security As far as we know, the following results are published.
No attacks exist on 12 and more rounds without FL/FL-1
for 128-bit key (14 and more rounds for 256-bit key). Full Camellia [18 (for 128-bit key) or 24 (for 192/256-bit
key) rounds with FL/FL-1] seems to be secure and achieve high security margin.
Attackers Main Results Presentation
T.Kawabata,
T.Kaneko
8rounds without FL/FL-1 are breakable for 128-bit keys by H.O.D.
This Workshop
Y. He,
S. Qing
6 rounds are breakable by Square attack
ICICS 2001
M. Sugita,
et. al.
9 rounds without FL/FL-1 are distinguishable (and 11 rounds are breakable for 128-bit key) by T.D.C.
ASIACRYPT2001
2001.9.12 2nd NESSIE Workshop Copyright (C) NTT&MELCO 2001
Updated Performance on SW #1 From CRYPTREC Report 2000
For 32-bit and 64-bit processorsAssembly codeMeasurement function is provided by CRYPTREC
Processors
Encryption (Decryption) Speed
One block encryption (decryption) and Key Generation
Encryption
[cycles]
Decryption
[cycles]
Enc + Key
[cycles]
Dec + Key
[cycles]
Pentium III 326 326 467 474
UltraSPARCIIi 355 355 403 403
Alpha 21264 282 282 448 435
2001.9.12 2nd NESSIE Workshop Copyright (C) NTT&MELCO 2001
Updated Performance on SW #2 New Implementation – Best Results
Assembly code for Z80 processor ROM Usage: 1,268 bytes RAM Usage: 60 bytes
(including stack, text, key area)
Enc+Key: 35,951 states Dec+Key: 37,553 states
(using on-the-fly key generation)
Java for Pentium III Key Generation: 9,091 cycles Encryption Speed: 793 cycles
2001.9.12 2nd NESSIE Workshop Copyright (C) NTT&MELCO 2001
Updated Performance on HW New Implementation – Best Results
(ASIC) Mitsubishi 0.18m ASIC CMOS
(FPGA) Xilinx VirtexE
Target Area [Kgates] Speed [Mbps] Efficiency (=Speed/Area)
Smallest 8.12 177.62 21.87
Best Efficiency 11.87 1,050.90 88.52
Fastest 44.30 1,881.25 42.47
Target Area [slices] Speed [Mbps]Efficiency
(=Speed/Area)
Smallest 1,780 227.42 127.76
Best Efficiency
(Fastest)9,692 6,749.99 696.45
2001.9.12 2nd NESSIE Workshop Copyright (C) NTT&MELCO 2001
Summary New Results on Security of Camellia Updated Performance on SW and HW A Comment on D14 “Report on the Performance
Evaluation of NESSIE Candidates I”D14 contains (I) Estimation of # of basic operations (II) Performance measurement using reference C code Our reference C code is NOT optimized.
D14 describes 161 cycles/byte on P III for Camellia Our optimized C code runs in 36 cycles/byte on P II/III
(See NESSIE submission) Please also look at performance of optimized codes !!
Camellia is a Royalty-free algorithm