INTERNET-DRAFT                                                 S. Moriai
TLS Working Group             Nippon Telegraph and Telephone Corporation
Expires April November 2001                                           May 2001                                          October 2000

          Addition of the Camellia Encryption Algorithm to TLS

                    <draft-ietf-tls-camellia-00.txt>

                    <draft-ietf-tls-camellia-01.txt>

Status of this Memo

    This document is an Internet-Draft and is NOT offered in accordance full conformance with
    all provisions of Section 10 of RFC2026, and the author does not provide the IETF
    with any rights other than to publish as an Internet-Draft. RFC2026.

    Internet-Drafts are working documents of the Internet Engineering
    Task Force (IETF), its areas, and its working groups.  Note that
    other groups may also distribute working documents as Internet-
    Drafts.

    Internet-Drafts are draft documents valid for a maximum of six
    months and may be updated, replaced, or obsoleted by other documents
    at any time.  It is inappropriate to use Internet-Drafts as
    reference material or to cite them other than as "work in progress."

    The list of current Internet-Drafts can be accessed at
    http://www.ietf.org/ietf/1id-abstracts.txt

    The list of Internet-Draft Shadow Directories can be accessed at
    http://www.ietf.org/shadow.html.

Abstract

    This document proposes the addition of new cipher suites to the TLS
    protocol 1.0 to support the Camellia encryption algorithm as a bulk
    cipher algorithm.  Please send comments on this document to the TLS
    mailing list.

1. Introduction

    The demands placed on cryptographic primitives are changing:

    This document proposes the
    required level addition of security is increasing new cipher suites to match the progress made
    in computational power and cryptanalytic techniques, and more
    efficiency on a wide variety of platforms is required as they are
    being implemented in a wide variety of applications.  However, the TLS Protocol Version
    protocol 1.0 [4] currently does not to support the Camellia encryption algorithm as a
    bulk cipher
    suites including 128-bit block ciphers that offer algorithm.  This proposal provides a high level of
    security and performance. new option for bulk
    cipher algorithms.

    Camellia is a block cipher with 128-bit block size and 128-, 192-,
    and 256-bit key sizes, i.e. the same interface specifications as the
    Advanced Encryption Standard (AES).  The algorithm description is in
    [1] or [3].
    [1][3].  Efficiency on both software and hardware platforms is a
    remarkable characteristic of Camellia in addition to its high level
    of security.  It is confirmed that Camellia provides strong security
    against differential and linear cryptanalysis.  An optimized
    implementation of Camellia in assembly language can encrypt on a
    Pentium III (800MHz) (1.13GHz) at the rate of more than 276 471 Mbits per second,
    which is much faster than the speed of an optimized DES
    implementation. second.  In
    addition, a distinguishing feature is its small hardware design.
    The hardware design, which includes the parts for key scheduling, schedule,
    encryption and decryption, occupies approximately
    11K gates, only 9.66K gates using a 0.35um
    CMOS ASIC library, which is in the smallest class among all existing
    128-bit block ciphers as far as we know [2].

    This document proposes the addition of new cipher suites to the TLS
    protocol 1.0 [4] to support Camellia as a bulk cipher algorithm.
    The proposed change is minimal, just the addition of a new option
    for bulk cipher algorithms.

2. The CipherSuites Cipher Suites

    We propose the following new cipher suites.

    CipherSuite TLS_RSA_WITH_CAMELLIA_CBC_128_SHA      = { 0x00,0x2F };
    CipherSuite TLS_DH_DSS_WITH_CAMELLIA_CBC_128_SHA   = { 0x00,0x30 };
    CipherSuite TLS_DH_RSA_WITH_CAMELLIA_CBC_128_SHA   = { 0x00,0x31 };
    CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_CBC_128_SHA  = { 0x00,0x32 };
    CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_CBC_128_SHA  = { 0x00,0x33 };
    CipherSuite TLS_DH_anon_WITH_CAMELLIA_CBC_128_SHA  = { 0x00,0x34 }; suites below following the AES
    ciphersuites.

    CipherSuite TLS_RSA_WITH_CAMELLIA_CBC_192_SHA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA      = { 0x00,0x35 0x00,0x41 };
    CipherSuite TLS_DH_DSS_WITH_CAMELLIA_CBC_192_SHA TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA   = { 0x00,0x36 0x00,0x42 };
    CipherSuite TLS_DH_RSA_WITH_CAMELLIA_CBC_192_SHA TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA   = { 0x00,0x37 0x00,0x43 };
    CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_CBC_192_SHA TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA  = { 0x00,0x38 0x00,0x44 };
    CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_CBC_192_SHA TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA  = { 0x00,0x39 0x00,0x45 };
    CipherSuite TLS_DH_anon_WITH_CAMELLIA_CBC_192_SHA TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA  = { 0x00,0x3A 0x00,0x46 };

    CipherSuite TLS_RSA_WITH_CAMELLIA_CBC_256_SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA      = { 0x00,0x3B 0x00,0x47 };
    CipherSuite TLS_DH_DSS_WITH_CAMELLIA_CBC_256_SHA TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA   = { 0x00,0x3C 0x00,0x48 };
    CipherSuite TLS_DH_RSA_WITH_CAMELLIA_CBC_256_SHA TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA   = { 0x00,0x3D 0x00,0x49 };
    CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_CBC_256_SHA TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA  = { 0x00,0x3E 0x00,0x4A };
    CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_CBC_256_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA  = { 0x00,0x3F 0x00,0x4B };
    CipherSuite TLS_DH_anon_WITH_CAMELLIA_CBC_256_SHA TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA  = { 0x00,0x40 0x00,0x4C };

    Note: The above numeric definitions for CipherSuites Cipher Suites have not yet
    been registered.  The numeric definitions follow the numbers given
    in the CipherSuite of the TLS standard [4]. standard.

3. CipherSuite Definitions

CipherSuite                        Is       Key    Cipher           Hash
                               Exportable Exchange

TLS_RSA_WITH_CAMELLIA_CBC_128_SHA         RSA      CAMELLIA_CBC_128 SHA
TLS_DH_DSS_WITH_CAMELLIA_CBC_128_SHA      DH_DSS   CAMELLIA_CBC_128 SHA
TLS_DH_RSA_WITH_CAMELLIA_CBC_128_SHA      DH_RSA   CAMELLIA_CBC_128 SHA
TLS_DHE_DSS_WITH_CAMELLIA_CBC_128_SHA     DHE_DSS  CAMELLIA_CBC_128 SHA
TLS_DHE_RSA_WITH_CAMELLIA_CBC_128_SHA     DHE_RSA  CAMELLIA_CBC_128 SHA
TLS_DH_anon_WITH_CAMELLIA_CBC_128_SHA     DH_anon  CAMELLIA_CBC_128 SHA

TLS_RSA_WITH_CAMELLIA_CBC_192_SHA

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA         RSA      CAMELLIA_CBC_192      CAMELLIA_128_CBC SHA
TLS_DH_DSS_WITH_CAMELLIA_CBC_192_SHA
TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA      DH_DSS   CAMELLIA_CBC_192   CAMELLIA_128_CBC SHA
TLS_DH_RSA_WITH_CAMELLIA_CBC_192_SHA
TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA      DH_RSA   CAMELLIA_CBC_192   CAMELLIA_128_CBC SHA
TLS_DHE_DSS_WITH_CAMELLIA_CBC_192_SHA
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA     DHE_DSS  CAMELLIA_CBC_192  CAMELLIA_128_CBC SHA
TLS_DHE_RSA_WITH_CAMELLIA_CBC_192_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA     DHE_RSA  CAMELLIA_CBC_192  CAMELLIA_128_CBC SHA
TLS_DH_anon_WITH_CAMELLIA_CBC_192_SHA
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA     DH_anon  CAMELLIA_CBC_192  CAMELLIA_128_CBC SHA

TLS_RSA_WITH_CAMELLIA_CBC_256_SHA

TLS_RSA_WITH_CAMELLIA_256_CBC_SHA         RSA      CAMELLIA_CBC_256      CAMELLIA_256_CBC SHA
TLS_DH_DSS_WITH_CAMELLIA_CBC_256_SHA
TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA      DH_DSS   CAMELLIA_CBC_256   CAMELLIA_256_CBC SHA
TLS_DH_RSA_WITH_CAMELLIA_CBC_256_SHA
TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA      DH_RSA   CAMELLIA_CBC_256   CAMELLIA_256_CBC SHA
TLS_DHE_DSS_WITH_CAMELLIA_CBC_256_SHA
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA     DHE_DSS  CAMELLIA_CBC_256  CAMELLIA_256_CBC SHA
TLS_DHE_RSA_WITH_CAMELLIA_CBC_256_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA     DHE_RSA  CAMELLIA_CBC_256  CAMELLIA_256_CBC SHA
TLS_DH_anon_WITH_CAMELLIA_CBC_256_SHA
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA     DH_anon  CAMELLIA_CBC_256  CAMELLIA_256_CBC SHA
                             Key      Expanded   Effective   IV   Block
    Cipher           Type  Material Key Material  Key Bits  Size  Size

    CAMELLIA_CBC_128

    CAMELLIA_128_CBC Block   16         16         128       16    16
    CAMELLIA_CBC_192 Block   24         24         192       16    16
    CAMELLIA_CBC_256
    CAMELLIA_256_CBC Block   32         32         256       16    16

   Note: Key Exchange Algorithms and Hash Functions are defined in TLS.

4. Security Considerations

    Security considerations except Camellia are discussed in [4]. The
    security of Camellia was is evaluated by utilizing state-of-the-art
    cryptanalytic techniques.  We confirmed that Camellia has no
    differential and linear characteristics that hold with probability
    more than 2^(-128), which means that it is extremely unlikely that
    differential and linear attacks will succeed against Camellia.
    Moreover, Camellia was designed to offer security against other
    advanced cryptanalytic attacks including higher order differential
    attacks, interpolation attacks, related-key attacks, truncated
    differential attacks, and so on [3].

5. Intellectual Property Statement

    Mitsubishi Electric Corporation (Mitsubishi Electric) and Nippon
    Telegraph and Telephone Corporation (NTT) have filed patent pending applications
    or filed patents which are essential to Camellia.  License policy
    for these essential patents declared formally by NTT and Mitsubishi
    Electric will be available on the techniques used in the block cipher Camellia.
    For more information, please contact MISTY@isl.melco.co.jp and/or
    camellia@isl.ntt.co.jp. IETF page of Intellectual Property
    Rights Notices.

References

    [1] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai,
        J. Nakajima, and T. Tokita
        ``Specification of Camellia --- a 128-bit Block Cipher'',
        2000.  http://info.isl.ntt.co.jp/camellia/

    [2] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai,
        J. Nakajima, and T. Tokita
        ``Camellia: A 128-Bit Block Cipher Suitable for Multiple
        Platforms'', 2000.  http://info.isl.ntt.co.jp/camellia/

    [3] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai,
        J. Nakajima, and T. Tokita
        ``Camellia: A 128-Bit Block Cipher Suitable for Multiple
        Platforms --- Design and Analysis ---'', in Workshop Record
        of SAC 2000, Seventh Annual Workshop on In Selected Areas in
        Cryptography, pp.41--54, 14-15 7th Annual International Workshop, SAC 2000,
        Waterloo, Ontario, Canada, August 2000.  (to appear in 2000, Proceedings,
        Lecture Notes in Computer Science of Spring-Verlag) 2012, pp.39--56,
        Springer-Verlag, 2001.

    [4] T. Dierks, and C. Allen, "The ``The TLS Protocol Version 1.0", 1.0'', RFC
        2246, January 1999.

Author's Addresses

    Shiho Moriai
    Nippon Telegraph and Telephone Corporation
    1-1 Hikarinooka, Yokosuka, 239-0847, Japan
    Phone: +81-468-59-2007
    FAX:   +81-468-59-3858
    Email: shiho@isl.ntt.co.jp