Camellia (cipher)

From Wikipedia, the free encyclopedia

Camellia
General
Designers	Mitsubishi, NTT
First published	2000
Derived from	E2, MISTY1
Certification	CRYPTREC, NESSIE
Cipher detail
Key sizes	128, 192 or 256 bits
Block sizes	128 bits
Structure	Feistel network
Rounds	18 or 24

In cryptography, Camellia is a block cipher that has been evaluated favorably by several organisations, including the European Union's NESSIE project (a selected algorithm), and the Japanese CRYPTREC project (a recommended algorithm). The cipher was developed jointly by Mitsubishi and NTT in 2000, and has similar design elements to earlier block ciphers (MISTY1 and E2) from these companies.

Camellia has a block size of 128 bits, and can use 128-bit, 192-bit or 256-bit keys — the same interface as the Advanced Encryption Standard. It is a Feistel cipher with either 18 rounds (if the key is 128 bits) or 24 rounds (if the key is 192 or 256 bits). Every six rounds, a logical transformation layer is applied: the so-called "FL-function" or its inverse. Camellia uses four 8 x 8-bit S-boxes with input and output affine transformations and logical operations. The cipher also uses input and output key whitening. The diffusion layer uses a linear transformation based on an MDS matrix with a branch number of 5.

In July 2007, support for the Camellia cipher was added to alpha builds of Mozilla Firefox 3.

Yoshisato Yanagisawa had added support for the Camellia cipher to the geli (software) utility in FreeBSD 7.0.

Contents 1 Security analysis 2 Patent status 3 Notes and references 4 External links

[edit] Security analysis

Camellia is one of the ciphers that can be completely defined by minimal systems of multivariate polynomials ^[1]. The Camellia (as well as AES) S-boxes can be described by a system of 23 quadratic equations in 80 terms ^[2]. The key schedule can be described by 1120 equations in 768 variables using 3328 linear and quadratic terms ^[1]. The entire block cipher can be described by 5104 equations in 2816 variables using 14592 linear and quadratic terms ^[1]. In total, 6224 equations in 3584 variables using 17920 linear and quadratic terms are required ^[1]. The number of free terms is 11696, which is approximately the same number as for AES. Theoretically, such properties might make it possible to break Camellia (and AES) using an algebraic attack, such as Extended Sparse Linearisation, in the future (provided that the attack becomes feasible).

[edit] Patent status

Although patented, Camellia is available under a royalty-free license.^[3] This has allowed the Camellia cipher to become part of the OpenSSL Project, under an Open Source license, as of November 8, 2006.^[4]

[edit] Notes and references

• Kazumaro Aoki, Tetsuya Ichikawa, Masayuki Kanda, Mitsuru Matsui, Shiho Moriai, Junko Nakajima, Toshio Tokita (2000). "Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms — Design and Analysis". Selected Areas in Cryptography: pp. 39–56, Mitsubishi, NTT. Retrieved on 2006-11-08. 

1. ^ ^{a b c d} Biryukov, De Cannière, Block ciphers and systems of quadratic equations, Springer-Verlag, 2003.
2. ^ N. T. Courtois, J. Pieprzyk, Cryptanalysis of block ciphers with overdefined systems of equations, Springer-Verlag, 2002.
3. ^ NTT (2001-04-17). "Announcement of Royalty-free Licenses for Essential Patents of NTT Encryption and Digital Signature Algorithms". Press release. Retrieved on 2006-11-08.
4. ^ NTT (2006-11-08). "The Open Source Community OpenSSL Project Adopts the Next Generation International Standard Cipher "Camellia" Developed in Japan". Press release. Retrieved on 2008-02-29.

[edit] External links

• Camellia's English home page
• RFC 3657 — Use of the Camellia Encryption Algorithm in Cryptographic Message Syntax (CMS)
• RFC 4312 — The Camellia Cipher Algorithm and Its Use With IPsec
• RFC 4132 — Addition of Camellia Cipher Suites to Transport Layer Security (TLS)
• Bug 382223 — Add support for Camellia to PSM (Mozilla Firefox)
• FreeBSD System Manager's Manual — Add support for Camellia to geli (FreeBSD)

v • d • e   Block ciphers Common algorithms: AES | Blowfish | DES | Triple DES | Serpent | Twofish Other algorithms: 3-Way | ABC | Akelarre | Anubis | ARIA | BaseKing | BassOmatic | BATON | BEAR and LION | C2 | Camellia | CAST-128 | CAST-256 | CIKS-1 | CIPHERUNICORN-A | CIPHERUNICORN-E | CLEFIA | CMEA | Cobra | COCONUT98 | Crab | CRYPTON | CS-Cipher | DEAL | DES-X | DFC | E2 | FEAL | FEA-M | FROG | G-DES | GOST | Grand Cru | Hasty Pudding Cipher | Hierocrypt | ICE | IDEA | IDEA NXT | Intel Cascade Cipher | Iraqi | KASUMI | KeeLoq | KHAZAD | Khufu and Khafre | KN-Cipher | Ladder-DES | Libelle | LOKI97 | LOKI89/91 | Lucifer | M6 | M8 | MacGuffin | Madryga | MAGENTA | MARS | Mercy | MESH | MISTY1 | MMB | MULTI2 | MultiSwap | New Data Seal | NewDES | Nimbus | NOEKEON | NUSH | Q | RC2 | RC5 | RC6 | REDOC | Red Pike | S-1 | SAFER | SAVILLE | SC2000 | SEED | SHACAL | SHARK | Skipjack | SMS4 | Spectr-H64 | Square | SXAL/MBAL | TEA | Treyfer | UES | Xenon | xmx | XTEA | XXTEA | Zodiac Design: Feistel network | Key schedule | Product cipher | S-box | SPN Attacks: Brute force | Linear / Differential / Integral cryptanalysis | Mod n | Related-key | Slide | XSL Standardization: AES process | CRYPTREC | NESSIE Misc: Avalanche effect | Block size | IV | Key size | Modes of operation | Piling-up lemma | Weak key v • d • e   Cryptography History of cryptography | Cryptanalysis | Cryptography portal | Topics in cryptography Symmetric-key algorithm | Block cipher | Stream cipher | Public-key cryptography | Cryptographic hash function | Message authentication code | Random numbers | Steganography