Camellia is a block cipher jointly developed by Mitsubishi and NTT of Japan. It is designed suitable for both software and hardware implementations. One of the design-for-test techniques using scan chains is called scan-path test, in which testers can observe and control the registers inside the LSI chip directly in order to check if the LSI chip correctly operates or not. Recently, a scan-based side-channel attack is reported which retrieves the secret information from the cryptosystem using scan chains. In this paper, we propose a scan-based attack method on the Camellia cipher using scan signatures. Our proposed method is based on the equivalent transformation of the Camellia algorithm and the possible key candidate reduction in order to retrieve the secret key. Experimental results show that our proposed method sucessfully retrieved its 128-bit secret key using 960 plaintexts even if the scan chain includes the Camellia cipher and other circuits and also sucessfully retrieves its secret key on the SASEBO-GII board, which is a side-channel attack standard evaluation board.

In this paper, generic attacks are presented against hash functions that are constructed by a hashing mode instantiating a Feistel or generalized Feistel networks with an SP-round function. It is observed that the omission of the network twist in the last round can be a weakness against preimage attacks. The first target is a standard Feistel network with an SP round function. Up to 11 rounds can be attacked in generic if a condition on a key schedule function is satisfied. The second target is a 4-branch type-2 generalized Feistel network with an SP round function. Up to 15 rounds can be attacked in generic. These generic attacks are then applied to hashing modes of ISO standard ciphers Camellia-128 without FL and whitening layers and CLEFIA-128.

Computer systems with GPUs are expected to become a strong methodology for high-speed encryption processing. Moreover, power consumption has remained a primary deterrent for such processing on devices of all sizes. However, GPU vendors are currently announcing their future roadmaps of GPU architecture development: Nvidia Corp. promotes the Kepler architecture and AMD Corp. emphasizes the GCN architecture. Therefore, we evaluated throughput and power efficiency of three 128-bit block ciphers on GPUs with recent Nvidia Kepler and AMD GCN architectures. From our experiments, whereas the throughput and per-watt throughput of AES-128 on Radeon HD 7970 (2048 cores) with GCN architecture are 205.0Gbps and 1.3Gbps/Watt respectively, those on Geforce GTX 680 (1536 cores) with Kepler architecture are, respectively, 63.9Gbps and 0.43Gbps/W; an approximately 3.2 times throughput difference occurs between AES-128 on the two GPUs. Next, we investigate the reasons for the throughput difference using our micro-benchmark suites. According to the results, we speculate that to ameliorate Kepler GPUs as co-processor of block ciphers, the arithmetic and logical instructions must be improved in terms of software and hardware.

We present pseudo-preimage attacks on Davis-Meyer mode of reduced rounds of the block ciphers ARIA, Camellia, and Serpent by using Sasaki's framework. They yield preimage or second-preimage attacks on PGV hashing modes. We develop proper initial structures for applying meet-in-the-middle techniques to the block ciphers, by considering their diffusion layers, and propose a method to find matching-check equations for indirect partial matching technique with a binary matrix. These works enable us to attack 5 rounds of ARIA, 7 rounds of Camellia, and 4 rounds of Serpent faster than brute force attack.

The encryption algorithm Camellia is a 128 bit block cipher proposed by NTT and Mitsubishi, Japan. Since the algebraic degree of the outputs after 3 rounds is greater than 128, designers estimate that it is impossible to attack Camellia by higher order differential. In this paper, we show a new higher order differential attack which controls the value of differential using proper fixed value of plaintext. As the result, we found that 6-round F-function can be attacked using 8th order differentials. The attack requires 217 chosen plaintexts and 222 F-function operations. Our computer simulation took about 2 seconds for the attack. If we take 2-R elimination algorithm, 7-round F-function will be attacked using 8th order differentials. This attack requires 219 chosen plaintexts and 264 F-function operations, which is less than exhaustive search for 128 bit key.

This paper describes truncated and impossible differentials of Feistel block ciphers with round functions of 2-layer SPN (Substitution and Permutation Network) transformation modules such as the 128-bit block cipher Camellia, which was proposed by NTT and Mitsubishi Electric Corporation. Our work improves on the best known truncated and impossible differentials, and has found a nontrivial 9-round truncated differential that may lead to a possible attack against a reduced-round version of Camellia without input/output whitening, FL or FL-1 (Camellia-NFL), in the chosen plain text scenario. Previously, only 6-round differentials were known that may suggest a possible attack of Camellia-NFL reduced to 8-rounds. We also show a nontrivial 7-round impossible differential, whereas only a 5-round impossible differential was previously known. We also consider the truncated differential of a reduced-round version of Camellia (Camellia-DS) whose round functions are composed of D-S (Diffusion and Substitution) transformation modules and without input/output whitening, FL or FL-1 (Camellia-DS-NFL), and show a nontrivial 9-round truncated differential, which may lead to a possible attack in the chosen plain text scenario. This truncated differential is effective for general Feistel structures with round functions composed of S-D (Substitution and Diffusion) or D-S transformation.

We present the new 128-bit block cipher called Camellia. Camellia supports 128-bit block size and 128-, 192-, and 256-bit key lengths, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Camellia was carefully designed to withstand all known cryptanalytic attacks and even to have a sufficiently large security leeway. It was also designed to suit both software and hardware implementations and to cover all possible encryption applications that range from low-cost smart cards to high-speed network systems. Compared to the AES finalists, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can encrypt on a Pentium III (1.13 GHz) at the rate of 471 Mbits per second. In addition, a distinguishing feature is its small hardware design. A hardware implementation, which includes encryption, decryption, and the key schedule for 128-bit keys, occupies only 9.66 K gates using a 0.35 µm CMOS ASIC library. This is in the smallest class among all existing 128-bit block ciphers. It perfectly meets the current market requirements in wireless cards, for instance, where low power consumption is essential.