3.3.6.4 Result of security evaluation
Neither the screening evaluation nor the detailed evaluation has identified any serious security problem with this cryptographic technique. In particular, against differential and linear cryptanalysis, the actual number of rounds that can be attacked is expected to be about seven or eight. Therefore, Camellia can satisfy security requirements in a practical sense. Note that a truncated differential path search has shown some effective characteristics that can be applied to attack a 7-round variant of Camellia without the auxiliary functions FL/FL⁻¹ [4].
In addition, the security of Camellia has been studied continuously, and more precise evaluations have been made as attack methods have advanced. As a result, attacks on about 10 rounds of Camellia are achievable (for example, 11-round Camellia can be broken by a combination of a higher order differential attack and a chosen-ciphertext attack [10]), but no particular security problems have been found [9, 6, 7, 8, 13, 11, 10]. A summary of the detailed evaluation results is as follows:
188 Chapter 3 Evaluation of symmetric-key cryptographic techniques
• In a 5-round variant of Camellia without the auxiliary functions FL/FL⁻¹, it is sometimes possible to narrow down 1 byte of an expanded key in the fifth round to a single value, using two chosen plaintexts and an analysis based on a byte polynomial.
• Because Camellia uses a bijective round function, it should be possible to estimate a key for a 6-round variant of Camellia without the auxiliary functions FL/FL⁻¹, using a smaller number of computations than an exhaustive key search.
• With a boomerang attack, which uses two differentials, it should be possible to use a smaller number of computations than an exhaustive key search in order to find the key for an eight-round variant of Camellia without the auxiliary functions FL/FL⁻¹. The boomerang attack is considered to be the most effective analysis method for Camellia.
• In the key schedule part, there are cases in which 1 byte of an unknown secret key can be computed from 5 bytes of a secret key and 6 bytes of an intermediate key.
• No security problem has been discovered by truncated differential and linear cryptanalysis, higher order differential attack, impossible differential cryptanalysis, interpolation attack, linear sum attacks, or slide attack, nor by differential cryptanalysis and linear cryptanalysis.
Security against side-channel attack
As a kind of side-channel attack against Camellia, a timing attack that exploits the time difference between cache hits and cache misses was carried out under certain special conditions, and entire secret keys were derived [12].
This attack depends on the working environment and the implementation scheme, and countermeasures are possible. Therefore, it does not constitute a fatal defect in the security of the MISTY1 algorithm itself, and if suitable measures against side-channel attacks are taken in the working environment, practically sufficient security is considered to be guaranteed. Accordingly, when MISTY1 is used in an environment where this kind of timing attack is a threat, it is desirable to adopt countermeasures against such side-channel attacks with care. The countermeasures include preventing significant differences in power consumption and processing time from being measured. For a general outline of side-channel attacks and details of the countermeasures, see Chapter 6.
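One implementation-level countermeasure of the kind referred to above, shown as an added example that is not part of the original report: a table lookup whose memory accesses do not depend on the secret index, next to the ordinary indexed lookup that a cache-timing attack exploits. The table contents and all function names are constructed for illustration; the table is not one of Camellia's s-boxes.

```c
#include <stdint.h>

/* Constructed 8-bit substitution table (NOT a Camellia s-box):
   x -> 167*x + 99 mod 256. 167 is odd, so the map is a bijection. */
static uint8_t sbox[256];

static void sbox_init(void) {
    for (unsigned x = 0; x < 256; x++)
        sbox[x] = (uint8_t)(167u * x + 99u);
}

/* Ordinary lookup: the address read depends on the secret index, so
   which cache line is hit or missed depends on key material. */
static uint8_t lookup_leaky(uint8_t secret_idx) {
    return sbox[secret_idx];
}

/* 0xFF if a == b, 0x00 otherwise, with no branch on the operands. */
static uint8_t ct_eq_mask(uint8_t a, uint8_t b) {
    uint32_t d = (uint32_t)(a ^ b);             /* 0 only when equal */
    return (uint8_t)(((d - 1u) >> 8) & 0xFFu);  /* borrow sets the mask */
}

/* Hardened lookup: every entry is read in a fixed order and the wanted
   one is selected by masking, so the access pattern is index-independent. */
static uint8_t lookup_ct(uint8_t secret_idx) {
    uint8_t out = 0;
    for (unsigned i = 0; i < 256; i++)
        out |= (uint8_t)(sbox[i] & ct_eq_mask((uint8_t)i, secret_idx));
    return out;
}

/* Self-check: number of indices on which the two forms disagree. */
static int lookup_mismatches(void) {
    int bad = 0;
    sbox_init();
    for (unsigned i = 0; i < 256; i++)
        bad += (lookup_leaky((uint8_t)i) != lookup_ct((uint8_t)i));
    return bad;
}

int main(void) { return lookup_mismatches(); }
```

The hardened form costs 256 reads per lookup, and the compiled output should still be inspected, since an optimizer is free to reintroduce data-dependent code.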
3.3.6.5 Software implementation evaluation results
Software implementation was evaluated under the following environments. The evaluation results are shown in Table 3.48 and Table 3.49.
In addition, the following self-evaluation was reported by the applicant.
Platform : Pentium III (1GHz), 512MB
OS and compiler : Windows 2000, IBM Java Compiler 1.2.2, Java VM 1.2.2
Language : Java
Key schedule : 9,091 cycles/key
3.3 Evaluation of individual ciphers 189
Table 3.48 Data randomization part processing speed measurement results of Camellia

Pentium III (650 MHz)
Language: Assembler
Program size: 29,285 bytes (including encryption/decryption/key scheduling)
Compiler option: /G6/ML/O2/Ob2/Og/Oi/Ot/Ox/Oy/Gr/I
Number of processing clocks [clocks/block]
                Encryption             Decryption
                (Maximum / average)    (Maximum / average)
First round     326 / 327              326 / 328
Second round    326 / 327              326 / 327
Third round     326 / 327              326 / 327

UltraSPARC IIi (400 MHz)
Language: Assembler
Program size: 15,240 bytes (including encryption/decryption/key scheduling)
Compiler option: -fast -xtarget=ultra -xarch=v9a
Number of processing clocks [clocks/block]
                Encryption             Decryption
                (Maximum / average)    (Maximum / average)
First round     355 / 360              355 / 357
Second round    355 / 358              355 / 358
Third round     355 / 357              355 / 357

Alpha 21264 (463 MHz)
Language: Assembler
Program size: 31,552 bytes (including encryption/decryption/key scheduling)
Compiler option: -O -arch ev6
Number of processing clocks [clocks/block]
                Encryption             Decryption
                (Maximum / average)    (Maximum / average)
First round     282 / 288              282 / 288
Second round    282 / 289              282 / 288
Table 3.49 Key schedule part of Camellia + data randomization part processing speed measurement results

Pentium III (650 MHz)
Language: Assembler
Program size: 20,110 bytes (including encryption/key scheduling)
              20,236 bytes (including decryption/key scheduling)
Compiler option: /G6/ML/O2/Ob2/Og/Oi/Ot/Ox/Oy/Gr/I
Number of processing clocks [clocks]
                Encryption             Decryption
                (Maximum / average)    (Maximum / average)
First round     467 / 487              474 / 493
Second round    467 / 487              474 / 494
Third round     467 / 487              474 / 493

UltraSPARC IIi (400 MHz)
Language: Assembler
Program size: 23,992 bytes (including encryption/decryption/key scheduling)
Compiler option: -fast -xcrossfile -xtarget=ultra -xarch=v9a
Number of processing clocks [clocks]
                Encryption             Decryption
                (Maximum / average)    (Maximum / average)
First round     403 / 408              403 / 407
Second round    403 / 407              403 / 407
Third round     403 / 408              403 / 408

Alpha 21264 (463 MHz)
Language: Assembler
Program size: 25,792 bytes (including encryption/decryption/key scheduling)
Compiler option: -O -arch ev6
Number of processing clocks [clocks]
                Encryption             Decryption
                (Maximum / average)    (Maximum / average)
First round     448 / 454              435 / 439
Second round    448 / 454              435 / 439
Third round     448 / 455              435 / 439
Smart card implementation
Smart card implementations based on the Z80 were evaluated. Table 3.50 indicates the processing speed measurement results of the key schedule part + data randomization part when 128-bit keys are used.
Table 3.50 Processing speed measurement results of Camellia's key schedule part + data randomization part on Z80
                                 ROM [bytes]   RAM [bytes]   Stack [bytes]   Processing time [states]
Encryption                       1,023         48            12              35,951
Decryption                       1,042         48            12              37,553
For encryption and decryption    1,268         −             −               −
The following table indicates results provided by an applicant for a measurement that used 128-bit keys.
Processor        Encryption        Key schedule               ROM       RAM
                 [cycles/block]    [cycles/key]               [bytes]   [bytes]
8051             10,217            (Including key schedule)   990       32
Z80              28,382            5,146                      1,698     62
H8/3113          4,100             2,380                      −         208
MC68HC705B16     9,900             7,500                      −         208
MC68HC908AB32    8,430             5,679                      −         208
M32Rx/D          1,236             642                        8,684     44
3.3.6.6 Hardware implementation evaluation results
Table 3.51 shows the FPGA implementation results for the architecture shown in the following block diagrams (Figs. 3.12, 3.14, 3.15, 3.13).
Table 3.51 Camellia Hardware Implementation Evaluation Results
Number of clocks 1
Number of Data Randomize Clocks 20
Figure 3.12 Camellia encryption circuit block diagram
[Diagram labels: Input, F function, FL function, FL⁻¹ function, Register, Output]
[Block diagram of the expanded key generation part. Diagram labels: Key K_L input, F function (four instances), Σ1, Σ2, Σ3, Σ4, K_A, kw1, kw2, kw3, kw4, Expanded key output]
Figure 3.14 F-function internal block diagram
[Diagram labels: Input, ki, s1, s2, s3, s4, s2, s3, s4, s1, Output]
[Block diagram of the FL function and the FL⁻¹ function. Diagram labels: Input, KliL, KliR, AND, <<< 1, OR, Output]
In addition, the following self-evaluation of ASIC and FPGA implementations was reported by the applicant. The processing circuit includes all of the encryption/decryption processing part and the key schedule part (128-bit key).
ASIC process : Mitsubishi Electric 0.18 µm CMOS ASIC Design Library
Speed priority implementation : 3,200 Mbps, 355.1 Kgates
Scale priority implementation : 177.7 Mbps, 8.1 Kgates
FPGA device : Xilinx XC4000XL
Scale priority implementation : 77.3 Mbps, 1,296 CLBs
FPGA device : Xilinx Virtex-E
Speed priority implementation : 401.9 Mbps, 9,426 slices
Scale priority implementation : 227.4 Mbps, 1,780 slices
Pipeline implementation : 6,750.0 Mbps, 9,692 slices
Recently, implementation techniques for Camellia have been examined further, and improvements in circuit scale and processing performance have been found [5, 14, 16].
ASIC process : 0.18 µm CMOS ASIC Design Library
Speed priority implementation : 1,422.2 Mbps, 31.1 Kgates
Scale priority implementation : 204.6 Mbps, 6.3 Kgates
ASIC process : 0.13 µm CMOS ASIC Design Library
Speed priority implementation : 2,154.9 Mbps, 29.8 Kgates
Scale priority implementation : 325.8 Mbps, 6.5 Kgates
FPGA process : Xilinx Virtex 3200E
Speed priority implementation : 369.0 Mbps, 8,957 slices
Scale priority implementation : 223.7 Mbps, 1,678 slices
In addition, as an interesting implementation example, a hardware architecture shared between AES and Camellia, a cipher built from almost the same components as AES, has been disclosed [15]. The processing performance of this implementation example is as follows:
ASIC process : 0.13 µm CMOS ASIC Design Library
Speed priority implementation : (AES+Camellia) 24.7 Kgates
(Camellia) 1,118.9 Mbps, (AES) 794.1 Mbps
Scale priority implementation : (AES+Camellia) 16.3 Kgates