Camellia (cipher)
Encyclopedia
In cryptography
, Camellia is a 128-bit block cipher
jointly developed by Mitsubishi and NTT
. The cipher has been approved for use by the ISO/IEC, the European Union
's NESSIE
project and the Japan
ese CRYPTREC
project. The cipher
has security levels and processing abilities comparable to the Advanced Encryption Standard
.
Camellia's block size
is 16 bytes (128 bit
s), and can use 128-bit, 192-bit or 256-bit key
s. The block cipher
was designed to be suitable for both software and hardware implementations, from low-cost smart cards to high-speed network systems.
with either 18 rounds (when using 128-bit keys) or 24 rounds (when using 192 or 256-bit keys). Every six rounds, a logical transformation layer is applied: the so-called "FL-function" or its inverse. Camellia
uses four 8 x 8-bit S-boxes with input and output affine transformations and
logical operations. The cipher also uses input and output key whitening
. The diffusion layer uses a linear transformation
based on an MDS matrix
with a branch number of 5.
which can be completely defined by minimal systems of multivariate polynomials.
The Camellia (as well as AES
) S-boxes can be described by a system of 23 quadratic equations in 80 terms. The key schedule can be described by 1120 equations in 768 variables using 3328 linear and quadratic terms. The entire block cipher can be described by 5104 equations in 2816 variables using 14592 linear and quadratic terms. In total, 6224 equations in 3584 variables using 17920 linear and quadratic terms are required. The number of free terms is 11696, which is approximately the same number as for AES
. Theoretically, such properties might make it possible to break Camellia (and AES
) using an algebraic attack, such as Extended Sparse Linearisation
, in the future (provided that the attack becomes feasible). With today's technology, such an attack would take years to compute, and thus is not realistic.
Project, under an Open-source license
, since November 2006. It has also allowed it to become part of the Mozilla's NSS
(Network Security Services) module.
in 2008. Later in the same year, the FreeBSD
Release Engineering Team announced that the cipher had also been included in the FreeBSD
6.4-RELEASE. Also, support for the Camellia cipher was added to the disk encryption storage class geli
of FreeBSD by Yoshisato Yanagisawa. In September 2009, GNU Privacy Guard
added support for Camellia in version 1.4.10.
Moreover, various popular security libraries, such as Crypto++
, GnuTLS
, PolarSSL
and OpenSSL
also include support for Camellia.
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...
, Camellia is a 128-bit block cipher
Block cipher
In cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...
jointly developed by Mitsubishi and NTT
Nippon Telegraph and Telephone
, commonly known as NTT, is a Japanese telecommunications company headquartered in Tokyo, Japan. Ranked the 31st in Fortune Global 500, NTT is the largest telecommunications company in Asia, and the second-largest in the world in terms of revenue....
. The cipher has been approved for use by the ISO/IEC, the European Union
European Union
The European Union is an economic and political union of 27 independent member states which are located primarily in Europe. The EU traces its origins from the European Coal and Steel Community and the European Economic Community , formed by six countries in 1958...
's NESSIE
NESSIE
NESSIE was a European research project funded from 2000–2003 to identify secure cryptographic primitives. The project was comparable to the NIST AES process and the Japanese Government-sponsored CRYPTREC project, but with notable differences from both...
project and the Japan
Japan
Japan is an island nation in East Asia. Located in the Pacific Ocean, it lies to the east of the Sea of Japan, China, North Korea, South Korea and Russia, stretching from the Sea of Okhotsk in the north to the East China Sea and Taiwan in the south...
ese CRYPTREC
CRYPTREC
CRYPTREC is the Cryptography Research and Evaluation Committees set up by the Japanese Government to evaluate and recommend cryptographic techniques for government and industrial use...
project. The cipher
Block cipher
In cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...
has security levels and processing abilities comparable to the Advanced Encryption Standard
Advanced Encryption Standard
Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...
.
Camellia's block size
Block size (cryptography)
In modern cryptography, symmetric key ciphers are generally divided into stream ciphers and block ciphers. Block ciphers operate on a fixed length string of bits. The length of this bit string is the block size...
is 16 bytes (128 bit
Bit
A bit is the basic unit of information in computing and telecommunications; it is the amount of information stored by a digital device or other physical system that exists in one of two possible distinct states...
s), and can use 128-bit, 192-bit or 256-bit key
Key (cryptography)
In cryptography, a key is a piece of information that determines the functional output of a cryptographic algorithm or cipher. Without a key, the algorithm would produce no useful result. In encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa...
s. The block cipher
Block cipher
In cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...
was designed to be suitable for both software and hardware implementations, from low-cost smart cards to high-speed network systems.
Design
Camellia is a Feistel cipherFeistel cipher
In cryptography, a Feistel cipher is a symmetric structure used in the construction of block ciphers, named after the German-born physicist and cryptographer Horst Feistel who did pioneering research while working for IBM ; it is also commonly known as a Feistel network. A large proportion of block...
with either 18 rounds (when using 128-bit keys) or 24 rounds (when using 192 or 256-bit keys). Every six rounds, a logical transformation layer is applied: the so-called "FL-function" or its inverse. Camellia
uses four 8 x 8-bit S-boxes with input and output affine transformations and
logical operations. The cipher also uses input and output key whitening
Key whitening
In cryptography, key whitening is a technique intended to increase the security of an iterated block cipher. It consists of steps that combine the data with portions of the key before the first round and after the last round of encryption.The first block cipher to use a form of key whitening is...
. The diffusion layer uses a linear transformation
Linear transformation
In mathematics, a linear map, linear mapping, linear transformation, or linear operator is a function between two vector spaces that preserves the operations of vector addition and scalar multiplication. As a result, it always maps straight lines to straight lines or 0...
based on an MDS matrix
MDS matrix
An MDS matrix is a matrix representing a function with certain diffusion properties that have useful applications in cryptography...
with a branch number of 5.
Security analysis
Camellia is a block cipherBlock cipher
In cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...
which can be completely defined by minimal systems of multivariate polynomials.
The Camellia (as well as AES
Advanced Encryption Standard
Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...
) S-boxes can be described by a system of 23 quadratic equations in 80 terms. The key schedule can be described by 1120 equations in 768 variables using 3328 linear and quadratic terms. The entire block cipher can be described by 5104 equations in 2816 variables using 14592 linear and quadratic terms. In total, 6224 equations in 3584 variables using 17920 linear and quadratic terms are required. The number of free terms is 11696, which is approximately the same number as for AES
Advanced Encryption Standard
Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...
. Theoretically, such properties might make it possible to break Camellia (and AES
Advanced Encryption Standard
Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...
) using an algebraic attack, such as Extended Sparse Linearisation
XSL attack
In cryptography, the XSL attack is a method of cryptanalysis for block ciphers. The attack was first published in 2002 by researchers Nicolas Courtois and Josef Pieprzyk. It has caused some controversy as it was claimed to have the potential to break the Advanced Encryption Standard cipher—also...
, in the future (provided that the attack becomes feasible). With today's technology, such an attack would take years to compute, and thus is not realistic.
Patent status
Camellia is patented and available under a royalty-free license. This has allowed the Camellia cipher to become part of the OpenSSLOpenSSL
OpenSSL is an open source implementation of the SSL and TLS protocols. The core library implements the basic cryptographic functions and provides various utility functions...
Project, under an Open-source license
Open-source license
An open-source license is a copyright license for computer software that makes the source code available for everyone to use. This allows end users to review and modify the source code for their own customization and/or troubleshooting needs...
, since November 2006. It has also allowed it to become part of the Mozilla's NSS
Network Security Services
In computing, Network Security Services comprises a set of libraries designed to support cross-platform development of security-enabled client and server applications. NSS provides a complete open-source implementation of crypto libraries supporting SSL and S/MIME...
(Network Security Services) module.
Adoption
Support for Camellia was added to the final release of Mozilla Firefox 3Mozilla Firefox
Mozilla Firefox is a free and open source web browser descended from the Mozilla Application Suite and managed by Mozilla Corporation. , Firefox is the second most widely used browser, with approximately 25% of worldwide usage share of web browsers...
in 2008. Later in the same year, the FreeBSD
FreeBSD
FreeBSD is a free Unix-like operating system descended from AT&T UNIX via BSD UNIX. Although for legal reasons FreeBSD cannot be called “UNIX”, as the direct descendant of BSD UNIX , FreeBSD’s internals and system APIs are UNIX-compliant...
Release Engineering Team announced that the cipher had also been included in the FreeBSD
FreeBSD
FreeBSD is a free Unix-like operating system descended from AT&T UNIX via BSD UNIX. Although for legal reasons FreeBSD cannot be called “UNIX”, as the direct descendant of BSD UNIX , FreeBSD’s internals and system APIs are UNIX-compliant...
6.4-RELEASE. Also, support for the Camellia cipher was added to the disk encryption storage class geli
Geli (software)
geli is a block device-layer disk encryption system written for FreeBSD, introduced in version 6.0. It utilises the GEOM disk framework. It was designed and implemented by Pawel Jakub Dawidek.- Design details :...
of FreeBSD by Yoshisato Yanagisawa. In September 2009, GNU Privacy Guard
GNU Privacy Guard
GNU Privacy Guard is a GPL Licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF standards track specification of OpenPGP...
added support for Camellia in version 1.4.10.
Moreover, various popular security libraries, such as Crypto++
Crypto++
Crypto++ is a free and open source C++ class library of cryptographic algorithms and schemes written by Wei Dai. Crypto++ has been widely used in academia, student projects, open source and non-commercial projects, as well as businesses...
, GnuTLS
GnuTLS
GnuTLS , the GNU Transport Layer Security Library, is a free software implementation of the SSL and TLS protocols. Its purpose is to offer an application programming interface for applications to enable secure communication protocols over their network transport layer.-Features:GnuTLS consists of...
, PolarSSL
PolarSSL
PolarSSL is a dual licensed implementation of the SSL and TLS protocols. PolarSSL is almost entirely based on XySSL, which was written and copyrighted by French "white hat hacker" Christophe Devine. XySSL was first released on November 1, 2006 under GPL and BSD licenses...
and OpenSSL
OpenSSL
OpenSSL is an open source implementation of the SSL and TLS protocols. The core library implements the basic cryptographic functions and provides various utility functions...
also include support for Camellia.
External links
- Camellia's English home page
- Reference implementation and derived code
- RFC 3713 A Description of the Camellia Encryption Algorithm
- RFC 3657 Use of the Camellia Encryption Algorithm in Cryptographic Message Syntax (CMS)
- RFC 4312 The Camellia Cipher Algorithm and Its Use With IPsec
- RFC 4132 Addition of Camellia Cipher Suites to Transport Layer Security (TLS)
- RFC 5581 Certification of Camellia Cipher as IETF standard for OpenPGP
- Bug 382223: Add support for Camellia to PSM (Mozilla Firefox)
- FreeBSD System Manager's Manual: Add support for Camellia to geli (FreeBSD)