Camellia (algorithm)

Camellia
developer	Mitsubishi , NTT
Released	2000
Derived from	MISTY1 , E2
Certification	NESSIE , CRYPTREC
Key length	128, 192 or 256 bits
Block size	128 bit
structure	Feistel cipher
Round	18, 24

Camellia is a symmetric block cipher that was developed in 2000 in cooperation with Mitsubishi and NTT . Camellia was selected as one of their recommended algorithms by the European NESSIE project and the Japanese CRYPTREC project. Camellia shares similarities with the MISTY1 and E2 algorithms previously developed by these companies.

Camellia is patented, but was placed under a royalty-free license by NTT in 2001 , which allows use in open source libraries.

Camellia uses the same parameters as the Advanced Encryption Standard : a block size of 128 bits and key lengths of 128, 192 or 256 bits. It is a Feistel cipher with an SPN round function. The number of rounds depends on the key length - 18 rounds with 128 bit or 24 rounds with longer keys. Four 8 × 8-bit S-boxes with affine transformations and logical XOR are used as the non-linear substitution layer, whereby rotations by one bit result from . The permutation layer only uses linear transformations and is similar to the P-function of E2. In order to make bit-by-bit cryptanalysis more difficult, a linear FL function based on MISTY is also applied to the left half block and its inverse FL ⁻¹ to the right half block every six rounds . ${\ displaystyle s_ {1}, \ ldots, s_ {4}}$ ${\ displaystyle s_ {2}, \ ldots, s_ {4}}$ ${\ displaystyle s_ {1}}$

design

Camellia is a Feistel cipher with either 18 rounds (if a 128-bit key is used) or 24 rounds (if a 192- or 256-bit key is used). A logical transformation layer is applied every six rounds: the so-called "FL function" or its inverse function. Camellia uses four 8x8-bit S-boxes with affine input and task transformations and logical operations. The cipher also uses the so-called " key whitening " technology for input and output , which increases the security of iterated block ciphers. The diffusion layer uses a linear mapping based on the branch number 5 matrix.

safety

Camellia is considered a modern, secure cipher. Even the smaller key sizes (128-bit) are considered secure against brute force attacks with today's technology. There are no reports of successful attacks on the cipher. Camellia has been certified for use by I SO / IEC , the EU's NESSIE project and the Japanese CRYPTREC project. The Japanese cipher has security levels and processing methods which can be compared with that of AES .

Camellia is a block cipher which can be completely defined by minimal systems of multivariate polynomials:

The Camellia (same as AES) S-boxes can be defined by a system of 23 quadratic equations with 80 terms.
The key schedule can be described by 1120 equations with 768 variables using 3329 linear and quadratic terms.
The whole block cipher can be described by 5104 equations with 2816 variables using 14592 linear and quadratic terms.
A total of 6224 equations with 3584 variables are required which use 17920 linear and quadratic terms.
The number of free terms is 11696, which is roughly the same number as AES .

Theoretically it would be possible to crack Camellia (as well as AES) through an algebraic attack. An XSL attack (eXtended Spare Linearization) would also be conceivable.

use

Mozilla Firefox 3 implemented Camellia in 2008. However, the function was deactivated in Firefox 33 2014 and then finally removed in version 23 2015.

In 2008 the FreeBSD team announced that the cipher would be included in FreeBSD 6.4. Camellia was also available for hard disk encryption.

In September 2009, version 1.4.10 of GNU Privacy Guard added support for Camellia.

VeraCrypt (a descendant of TrueCrypt ) added Camellia as one of their encryption algorithms.

Many larger libraries with a focus on security such as Crypto ++, GNUTLS , mbedTLS and OpenSSL also support Camellia.

power

The S-boxes used by Camellia show great similarities to those from AES . As a result, AES CPU instructions can also be used for Camellia, including AES-NI .

patent

Although Camellia is patented, the algorithm is available royalty-free. This enabled the Camellia cipher to become part of the OpenSSL project under an open source license since November 2006 . The Mozilla NSS (Network Security Services) module also recorded the cipher.

Web links

Camellia homepage
RFC 3713 - A Description of the Camellia Encryption Algorithm
RFC 3657 - Use of the Camellia Encryption Algorithm in Cryptographic Message Syntax (CMS)
RFC 4312 - The Camellia Cipher Algorithm and Its Use With IPsec

Individual evidence

↑ NTT News of April 17, 2001: Announcement of Royalty-free Licenses for Essential Patents of NTT Encryption and Digital Signature Algorithms
↑ M. Matsui, S. Moriai, J. Nakajima: A Description of the Camellia Encryption Algorithm. Retrieved May 25, 2020 (English).
↑ M. Matsui, S. Moriai, J. Nakajima: A Description of the Camellia Encryption Algorithm. Retrieved May 25, 2020 (English).
↑ M. Matsui, S. Moriai, J. Nakajima: A Description of the Camellia Encryption Algorithm. Retrieved May 25, 2020 (English).
↑ News Release 050710. Retrieved May 25, 2020 .
↑ ^a ^b Alex Biryukov: Block ciphers and systems of quadratic equations . Ed .: FSE 2003. Springer-Verlag, p. 274-289 .
^ Nicolas T. Courtois: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. 2002, accessed August 13, 2010 .
↑ Camellia cipher added to Firefox | Mozilla in Asia. December 21, 2012, accessed May 25, 2020 .
↑ Camellia cipher added to Firefox | Mozilla in Asia. December 21, 2012, accessed May 25, 2020 .
↑ 1037098 - Remove preferences for cipher suites disabled in bug 1036765 (Camellia and some 3DES & DSS cipher suites). Retrieved May 25, 2020 (English).
↑ [Announce] GnuPG 1.4.10 released. Retrieved May 25, 2020 .
↑ VeraCrypt - Free Open Source Disk Encryption with Strong Security for the Paranoid. Retrieved May 25, 2020 .
↑ News Release 010417.html. Retrieved May 25, 2020 .
↑ News Release 061108a. Retrieved May 25, 2020 .
↑ Camellia cipher added to Firefox | Mozilla in Asia. December 21, 2012, accessed May 25, 2020 .

[1] NTT News of April 17, 2001: Announcement of Royalty-free Licenses for Essential Patents of NTT Encryption and Digital Signature Algorithms

[2] M. Matsui, S. Moriai, J. Nakajima: A Description of the Camellia Encryption Algorithm. Retrieved May 25, 2020 (English).

[3] M. Matsui, S. Moriai, J. Nakajima: A Description of the Camellia Encryption Algorithm. Retrieved May 25, 2020 (English).

[4] M. Matsui, S. Moriai, J. Nakajima: A Description of the Camellia Encryption Algorithm. Retrieved May 25, 2020 (English).

[5] News Release 050710. Retrieved May 25, 2020 .

[:0-6] Alex Biryukov: Block ciphers and systems of quadratic equations . Ed .: FSE 2003. Springer-Verlag, p. 274-289 .

[7] Nicolas T. Courtois: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. 2002, accessed August 13, 2010 .

[8] Camellia cipher added to Firefox | Mozilla in Asia. December 21, 2012, accessed May 25, 2020 .

[9] Camellia cipher added to Firefox | Mozilla in Asia. December 21, 2012, accessed May 25, 2020 .

[10] 1037098 - Remove preferences for cipher suites disabled in bug 1036765 (Camellia and some 3DES & DSS cipher suites). Retrieved May 25, 2020 (English).

[11] [Announce] GnuPG 1.4.10 released. Retrieved May 25, 2020 .

[12] VeraCrypt - Free Open Source Disk Encryption with Strong Security for the Paranoid. Retrieved May 25, 2020 .

[13] News Release 010417.html. Retrieved May 25, 2020 .

[14] News Release 061108a. Retrieved May 25, 2020 .

[15] Camellia cipher added to Firefox | Mozilla in Asia. December 21, 2012, accessed May 25, 2020 .