INTERNET-DRAFT J. Nakajima Mitsubishi Electric Corporation Expires January 2002 S. Moriai Nippon Telegraph and Telephone Corporation July 2001 A Description of the Camellia Encryption Algorithm <draft-nakajima-camellia-02.txt> Status of this Memo This document is an Internet-Draft and is NOT offered in accordance with Section 10 of RFC2026, and the author does not provide the IETF with any rights other than to publish as an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document describes a secret-key cryptosystem, Camellia; it is a block cipher with 128-bit block size and 128-, 192-, and 256-bit keys. The algorithm description is presented together with key scheduling part and data randomizing part. 1. Introduction This document describes the secret-key cryptosystem Camellia [1][2][3], a block cipher with 128-bit block size and 128-, 192-, and 256-bit keys, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Camellia offers excellent efficiency on both software and hardware platforms in addition to a high level of security. It is confirmed that Camellia provides strong security against differential and linear cryptanalysis. Nakajima & Moriai [Page 1]

INTERNET-DRAFT Camellia Encryption Algorithm July 2001 2. Algorithm Description Camellia can be divided into "key scheduling part" and "data randomizing part". 2.1 Terminology The following operators are used in this document to describe the algorithm. & bitwise AND operation. | bitwise OR operation. ^ bitwise exclusive-OR operation. << logically left shift operation. >> logically right shift operation. <<< left rotation operation. ~y bitwise complement of y. 0x hexadecimal representation. Note that the resultant values of logically left shift operation are expanded their data width infinitely. The constant values of MASK8, MASK32, MASK64, and MASK128 are defined as follows. MASK8 = 0xff; MASK32 = 0xffffffff; MASK64 = 0xffffffffffffffff; MASK128 = 0xffffffffffffffffffffffffffffffff; 2.2 Key Scheduling Part In the key schedule part of Camellia, the 128-bit variables of KL and KR are defined as follows. For 128-bit keys, the 128-bit key K is used as KL and KR is 0. For 192-bit keys, the leftmost 128-bits of key K are used as KL and the concatenation of the rightmost 64-bits of K and the complement of the rightmost 64-bits of K are used as KR. For 256-bit keys, the leftmost 128-bits of key K are used as KL and the rightmost 128-bits of K are used as KR. 128-bit key K: KL = K; KR = 0; 192-bit key K: KL = K >> 64; KR = ((K & MASK64) << 64) | (~(K & MASK64)); 256-bit key K: KL = K >> 128; KR = K & MASK128; The 128-bit variables KA and KB are generated from KL and KR as follows. Note that KB is used only if the length of the secret key is 192 or 256 bits. D1 and D2 are 64-bit temporary variables. Nakajima & Moriai [Page 2]

INTERNET-DRAFT Camellia Encryption Algorithm July 2001 D1 = (KL ^ KR) >> 64; D2 = (KL ^ KR) & MASK64; D2 = D2 ^ F(D1, Sigma1); D1 = D1 ^ F(D2, Sigma2); D1 = D1 ^ (KL >> 64); D2 = D2 ^ (KL & MASK64); D2 = D2 ^ F(D1, Sigma3); D1 = D1 ^ F(D2, Sigma4); KA = (D1 << 64) | D2; D1 = (KA ^ KR) >> 64; D2 = (KA ^ KR) & MASK64; D2 = D2 ^ F(D1, Sigma5); D1 = D1 ^ F(D2, Sigma6); KB = (D1 << 64) | D2; The 64-bit constants Sigma1, Sigma2, ..., Sigma6 are used as "keys" in the Feistel network. These constant values are, in hexadecimal notation, as follows. Sigma1 = 0xA09E667F3BCC908B; Sigma2 = 0xB67AE8584CAA73B2; Sigma3 = 0xC6EF372FE94F82BE; Sigma4 = 0x54FF53A5F1D36F1C; Sigma5 = 0x10E527FADE682D1D; Sigma6 = 0xB05688C2B3E6C1FD; The 64-bit subkeys are generated by rotating KL, KR, KA and KB and taking the left- or right-half of them. For 128-bit keys, subkeys are generated as follows. kw1 = (KL <<< 0) >> 64; kw2 = (KL <<< 0) & MASK64; k1 = (KA <<< 0) >> 64; k2 = (KA <<< 0) & MASK64; k3 = (KL <<< 15) >> 64; k4 = (KL <<< 15) & MASK64; k5 = (KA <<< 15) >> 64; k6 = (KA <<< 15) & MASK64; ke1 = (KA <<< 30) >> 64; ke2 = (KA <<< 30) & MASK64; k7 = (KL <<< 45) >> 64; k8 = (KL <<< 45) & MASK64; k9 = (KA <<< 45) >> 64; k10 = (KL <<< 60) & MASK64; k11 = (KA <<< 60) >> 64; k12 = (KA <<< 60) & MASK64; ke3 = (KL <<< 77) >> 64; ke4 = (KL <<< 77) & MASK64; k13 = (KL <<< 94) >> 64; k14 = (KL <<< 94) & MASK64; k15 = (KA <<< 94) >> 64; k16 = (KA <<< 94) & MASK64; Nakajima & Moriai [Page 3]

INTERNET-DRAFT Camellia Encryption Algorithm July 2001 k17 = (KL <<< 111) >> 64; k18 = (KL <<< 111) & MASK64; kw3 = (KA <<< 111) >> 64; kw4 = (KA <<< 111) & MASK64; For 192- and 256-bit keys, subkeys are generated as follows. kw1 = (KL <<< 0) >> 64; kw2 = (KL <<< 0) & MASK64; k1 = (KB <<< 0) >> 64; k2 = (KB <<< 0) & MASK64; k3 = (KR <<< 15) >> 64; k4 = (KR <<< 15) & MASK64; k5 = (KA <<< 15) >> 64; k6 = (KA <<< 15) & MASK64; ke1 = (KR <<< 30) >> 64; ke2 = (KR <<< 30) & MASK64; k7 = (KB <<< 30) >> 64; k8 = (KB <<< 30) & MASK64; k9 = (KL <<< 45) >> 64; k10 = (KL <<< 45) & MASK64; k11 = (KA <<< 45) >> 64; k12 = (KA <<< 45) & MASK64; ke3 = (KL <<< 60) >> 64; ke4 = (KL <<< 60) & MASK64; k13 = (KR <<< 60) >> 64; k14 = (KR <<< 60) & MASK64; k15 = (KB <<< 60) >> 64; k16 = (KB <<< 60) & MASK64; k17 = (KL <<< 77) >> 64; k18 = (KL <<< 77) & MASK64; ke5 = (KA <<< 77) >> 64; ke6 = (KA <<< 77) & MASK64; k19 = (KR <<< 94) >> 64; k20 = (KR <<< 94) & MASK64; k21 = (KA <<< 94) >> 64; k22 = (KA <<< 94) & MASK64; k23 = (KL <<< 111) >> 64; k24 = (KL <<< 111) & MASK64; kw3 = (KB <<< 111) >> 64; kw4 = (KB <<< 111) & MASK64; 2.3 Data Randomizing Part 2.3.1 Encryption for 128-bit keys 128-bit plaintext M is divided into the left 64-bit D1 and the right 64-bit D2. D1 = M >> 64; D2 = M & MASK64; D1 = D1 ^ kw1; // Prewhitening D2 = D2 ^ kw2; D2 = D2 ^ F(D1, k1); // Round 1 Nakajima & Moriai [Page 4]

INTERNET-DRAFT Camellia Encryption Algorithm July 2001 D1 = D1 ^ F(D2, k2); // Round 2 D2 = D2 ^ F(D1, k3); // Round 3 D1 = D1 ^ F(D2, k4); // Round 4 D2 = D2 ^ F(D1, k5); // Round 5 D1 = D1 ^ F(D2, k6); // Round 6 D1 = FL (D1, ke1); // FL D2 = FLINV(D2, ke2); // FLINV D2 = D2 ^ F(D1, k7 ); // Round 7 D1 = D1 ^ F(D2, k8 ); // Round 8 D2 = D2 ^ F(D1, k9 ); // Round 9 D1 = D1 ^ F(D2, k10); // Round 10 D2 = D2 ^ F(D1, k11); // Round 11 D1 = D1 ^ F(D2, k12); // Round 12 D1 = FL (D1, ke3); // FL D2 = FLINV(D2, ke4); // FLINV D2 = D2 ^ F(D1, k13); // Round 13 D1 = D1 ^ F(D2, k14); // Round 14 D2 = D2 ^ F(D1, k15); // Round 15 D1 = D1 ^ F(D2, k16); // Round 16 D2 = D2 ^ F(D1, k17); // Round 17 D1 = D1 ^ F(D2, k18); // Round 18 D2 = D2 ^ kw3; // Postwhitening D1 = D1 ^ kw4; 128-bit ciphertext C is constructed from D1 and D2 as follows. C = (D2 << 64) | D1; 2.3.2 Encryption for 192- and 256-bit keys 128-bit plaintext M is divided into the left 64-bit D1 and the right 64-bit D2. D1 = M >> 64; D2 = M & MASK64; D1 = D1 ^ kw1; // Prewhitening D2 = D2 ^ kw2; D2 = D2 ^ F(D1, k1); // Round 1 D1 = D1 ^ F(D2, k2); // Round 2 D2 = D2 ^ F(D1, k3); // Round 3 D1 = D1 ^ F(D2, k4); // Round 4 D2 = D2 ^ F(D1, k5); // Round 5 D1 = D1 ^ F(D2, k6); // Round 6 D1 = FL (D1, ke1); // FL D2 = FLINV(D2, ke2); // FLINV D2 = D2 ^ F(D1, k7 ); // Round 7 D1 = D1 ^ F(D2, k8 ); // Round 8 D2 = D2 ^ F(D1, k9 ); // Round 9 D1 = D1 ^ F(D2, k10); // Round 10 D2 = D2 ^ F(D1, k11); // Round 11 D1 = D1 ^ F(D2, k12); // Round 12 D1 = FL (D1, ke3); // FL D2 = FLINV(D2, ke4); // FLINV Nakajima & Moriai [Page 5]

INTERNET-DRAFT Camellia Encryption Algorithm July 2001 D2 = D2 ^ F(D1, k13); // Round 13 D1 = D1 ^ F(D2, k14); // Round 14 D2 = D2 ^ F(D1, k15); // Round 15 D1 = D1 ^ F(D2, k16); // Round 16 D2 = D2 ^ F(D1, k17); // Round 17 D1 = D1 ^ F(D2, k18); // Round 18 D1 = FL (D1, ke5); // FL D2 = FLINV(D2, ke6); // FLINV D2 = D2 ^ F(D1, k19); // Round 19 D1 = D1 ^ F(D2, k20); // Round 20 D2 = D2 ^ F(D1, k21); // Round 21 D1 = D1 ^ F(D2, k22); // Round 22 D2 = D2 ^ F(D1, k23); // Round 23 D1 = D1 ^ F(D2, k24); // Round 24 D2 = D2 ^ kw3; // Postwhitening D1 = D1 ^ kw4; 128-bit ciphertext C is constructed from D1 and D2 as follows. C = (D2 << 64) | D1; 2.3.3 Decryption The decryption procedure of Camellia can be done in the same way as the encryption procedure by reversing the order of the subkeys. That is to say: 128-bit key: kw1 <-> kw3 kw2 <-> kw4 k1 <-> k18 k2 <-> k17 k3 <-> k16 k4 <-> k15 k5 <-> k14 k6 <-> k13 k7 <-> k12 k8 <-> k11 k9 <-> k10 ke1 <-> ke4 ke2 <-> ke3 192- or 256-bit key: kw1 <-> kw3 kw2 <-> kw4 k1 <-> k24 k2 <-> k23 k3 <-> k22 k4 <-> k21 k5 <-> k20 k6 <-> k19 k7 <-> k18 k8 <-> k17 Nakajima & Moriai [Page 6]

INTERNET-DRAFT Camellia Encryption Algorithm July 2001 k9 <-> k16 k10 <-> k15 k11 <-> k14 k12 <-> k13 ke1 <-> ke6 ke2 <-> ke5 ke3 <-> ke4 2.4 Components of Camellia 2.4.1 F-function Function F takes two parameters. One is 64-bit wide input data, namely F_IN. The other is 64-bit wide subkey, namely KE. F returns 64-bit wide data, namely F_OUT. F(F_IN, KE) begin var x as 64-bit unsigned integer; var t1, t2, t3, t4, t5, t6, t7, t8 as 8-bit unsigned integer; var y1, y2, y3, y4, y5, y6, y7, y8 as 8-bit unsigned integer; x = F_IN ^ KE; t1 = x >> 56; t2 = (x >> 48) & MASK8; t3 = (x >> 40) & MASK8; t4 = (x >> 32) & MASK8; t5 = (x >> 24) & MASK8; t6 = (x >> 16) & MASK8; t7 = (x >> 8) & MASK8; t8 = x & MASK8; t1 = SBOX1[t1]; t2 = SBOX2[t2]; t3 = SBOX3[t3]; t4 = SBOX4[t4]; t5 = SBOX2[t5]; t6 = SBOX3[t6]; t7 = SBOX4[t7]; t8 = SBOX1[t8]; y1 = t1 ^ t3 ^ t4 ^ t6 ^ t7 ^ t8; y2 = t1 ^ t2 ^ t4 ^ t5 ^ t7 ^ t8; y3 = t1 ^ t2 ^ t3 ^ t5 ^ t6 ^ t8; y4 = t2 ^ t3 ^ t4 ^ t5 ^ t6 ^ t7; y5 = t1 ^ t2 ^ t6 ^ t7 ^ t8; y6 = t2 ^ t3 ^ t5 ^ t7 ^ t8; y7 = t3 ^ t4 ^ t5 ^ t6 ^ t8; y8 = t1 ^ t4 ^ t5 ^ t6 ^ t7; F_OUT = (y1 << 56) | (y2 << 48) | (y3 << 40) | (y4 << 32) | (y5 << 24) | (y6 << 16) | (y7 << 8) | y8; return FO_OUT; end. SBOX2, SBOX3, and SBOX4 are defined using SBOX1 as follows: SBOX2[x] = SBOX1[x] <<< 1; Nakajima & Moriai [Page 7]

INTERNET-DRAFT Camellia Encryption Algorithm July 2001 SBOX3[x] = SBOX1[x] <<< 7; SBOX4[x] = SBOX1[x <<< 1]; SBOX1 is defined by the following table. For example, SBOX1[0x3d] equals 86. SBOX1: 0 1 2 3 4 5 6 7 8 9 a b c d e f 00: 112 130 44 236 179 39 192 229 228 133 87 53 234 12 174 65 10: 35 239 107 147 69 25 165 33 237 14 79 78 29 101 146 189 20: 134 184 175 143 124 235 31 206 62 48 220 95 94 197 11 26 30: 166 225 57 202 213 71 93 61 217 1 90 214 81 86 108 77 40: 139 13 154 102 251 204 176 45 116 18 43 32 240 177 132 153 50: 223 76 203 194 52 126 118 5 109 183 169 49 209 23 4 215 60: 20 88 58 97 222 27 17 28 50 15 156 22 83 24 242 34 70: 254 68 207 178 195 181 122 145 36 8 232 168 96 252 105 80 80: 170 208 160 125 161 137 98 151 84 91 30 149 224 255 100 210 90: 16 196 0 72 163 247 117 219 138 3 230 218 9 63 221 148 a0: 135 92 131 2 205 74 144 51 115 103 246 243 157 127 191 226 b0: 82 155 216 38 200 55 198 59 129 150 111 75 19 190 99 46 c0: 233 121 167 140 159 110 188 142 41 245 249 182 47 253 180 89 d0: 120 152 6 106 231 70 113 186 212 37 171 66 136 162 141 250 e0: 114 7 185 85 248 238 172 10 54 73 42 104 60 56 241 164 f0: 64 40 211 123 187 201 67 193 21 227 173 244 119 199 128 158 2.4.2 FL- and FLINV-functions Function FL takes two parameters. One is 64-bit wide input data, namely FL_IN. The other is 64-bit wide subkey, namely KE. FL returns 64-bit wide data, namely FL_OUT. FL(FL_IN, KE) begin var x1, x2 as 32-bit unsigned integer; var k1, k2 as 32-bit unsigned integer; x1 = FL_IN >> 32; x2 = FL_IN & MASK32; k1 = KE >> 32; k2 = KE & MASK32; x2 = x2 ^ ((x1 & k1) <<< 1); x1 = x1 ^ (x2 | k2); FL_OUT = (x1 << 32) | x2; end. Function FLINV is the inverse function of FL. FLINV(FLINV_IN, KE) begin var y1, y2 as 32-bit unsigned integer; var k1, k2 as 32-bit unsigned integer; y1 = FLINV_IN >> 32; y2 = FLINV_IN & MASK32; k1 = KE >> 32; k2 = KE & MASK32; y1 = y1 ^ (y2 | k2); Nakajima & Moriai [Page 8]

INTERNET-DRAFT Camellia Encryption Algorithm July 2001 y2 = y2 ^ ((y1 & k1) <<< 1); FLINV_OUT = (y1 << 32) | y2; end. 3. Object Identifier The Object Identifier for Camellia with 18 rounds and 128-bit key in Cipher Block Chaining (CBC) mode is as follows: id-camellia128-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) 392 200011 61 security(1) algorithm(1) symmetric-encryption-algorithm(1) camellia128-cbc(2) } The Object Identifier for Camellia with 24 rounds and 192-bit key in Cipher Block Chaining (CBC) mode is as follows: id-camellia192-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) 392 200011 61 security(1) algorithm(1) symmetric-encryption-algorithm(1) camellia192-cbc(3) } The Object Identifier for Camellia with 24 rounds and 256-bit key in Cipher Block Chaining (CBC) mode is as follows: id-camellia256-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) 392 200011 61 security(1) algorithm(1) symmetric-encryption-algorithm(1) camellia256-cbc(4) } The above alogrithms need Initialization Vector (IV) as like as other algorithms, such as DES-CBC, DES-EDE3-CBC, MISTY1-CBC and so on. To determine the value of IV, the above algorithms take parameter as: CamelliaCBCParameter ::= CamelliaIV -- Initialization Vector CamelliaIV ::= OCTET STRING (SIZE(16)) When these object identifiers are used, plaintext is padded before encrypt it. At least 1 padding octet is appended at the end of the plaintext to make the length of the plaintext to the multiple of 16 octets. The value of these octets is as same as the number of appended octets. (e.g., If 10 octets are needed to pad, the value is 0x0a.) 4. Security Considerations The recent advances in cryptanalytic techniques are remarkable. A quantitative evaluation of security against powerful cryptanalytic techniques such as differential cryptanalysis and linear cryptanalysis is considered to be essential in designing any new block cipher. We evaluated the security of Camellia by utilizing state-of-the-art cryptanalytic techniques. We confirmed that Camellia has no differential and linear characteristics that hold Nakajima & Moriai [Page 9]

INTERNET-DRAFT Camellia Encryption Algorithm July 2001 with probability more than 2^(-128), which means that it is extremely unlikely that differential and linear attacks will succeed against the full 18-round Camellia. Moreover, Camellia was designed to offer security against other advanced cryptanalytic attacks including higher order differential attacks, interpolation attacks, related-key attacks, truncated differential attacks, and so on [3]. 5. Intellectual Property Statement Mitsubishi Electric Corporation (Mitsubishi Electric) and Nippon Telegraph and Telephone Corporation (NTT) have pending applications or filed patents which are essential to Camellia. License policy for these essential patents is available on the IETF page of Intellectual Property Rights Notices. 6. References [1] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita, ``Specification of Camellia --- a 128-bit Block Cipher,'' 2000. http://info.isl.ntt.co.jp/camellia/ [2] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita, ``Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms,'' 2000. http://info.isl.ntt.co.jp/camellia/ [3] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita, ``Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms --- Design and Analysis ---,'' In Selected Areas in Cryptography, 7th Annual International Workshop, SAC 2000, Waterloo, Ontario, Canada, August 2000, Proceedings, Lecture Notes in Computer Science 2012, pp.39-56, Springer-Verlag, 2001. 7. Authors' Addresses Junko Nakajima Mitsubishi Electric Corporation, Information Technology R&D Center 5-1-1 Ofuna, Kamakura, Kanagawa 247-8501, Japan Phone: +81-467-41-2181 FAX: +81-467-41-2185 Email: june15@iss.isl.melco.co.jp Shiho Moriai NTT Laboratories 1-1 Hikarinooka, Yokosuka, 239-0847, Japan Phone: +81-468-59-2007 FAX: +81-468-59-3858 Email: shiho@isl.ntt.co.jp Nakajima & Moriai [Page 10]

INTERNET-DRAFT Camellia Encryption Algorithm July 2001 Appendix A. Example Data of Camellia Here is a test data for Camellia in hexadecimal form. 128-bit key Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 Ciphertext: 67 67 31 38 54 96 69 73 08 57 06 56 48 ea be 43 192-bit key Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 : 00 11 22 33 44 55 66 77 Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 Ciphertext: b4 99 34 01 b3 e9 96 f8 4e e5 ce e7 d7 9b 09 b9 256-bit key Key : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 : 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff Plaintext : 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10 Ciphertext: 9a cc 23 7d ff 16 d7 6c 20 ef 7c 91 9e 3a 75 09 Nakajima & Moriai [Page 11]