Editing Camellia (cipher)

{{short description|Feistel network based block cipher}}
{{Infobox block cipher
 | name          = Camellia
 | image         = 
 | caption       = 
 | designers     = [[Mitsubishi Electric Corporation|Mitsubishi Electric]], [[Nippon Telegraph and Telephone|NTT]]
 | publish date  = 2000
 | derived from  = [[E2 (cipher)|E2]], [[MISTY1]]
 | derived to    = 
 | related to    = 
 | certification = [[CRYPTREC]], [[NESSIE]]
 | key size      = 128, 192 or 256 bits
 | block size    = 128 bits
 | structure     = [[Feistel network]]
 | rounds        = 18 or 24
 | cryptanalysis = [[Truncated differential cryptanalysis]] requiring chosen plaintexts on modified Camellia reduced to 7 and 8 rounds.<ref name="Cryptanalysis-of-Camellia">{{cite conference
 | last1 = Lee | first1 = Seonhee
 | last2 = Hong | first2 = Seokhie
 | last3 = Lee | first3 = Sangjin
 | last4 = Lim | first4 = Jongin
 | last5 = Yoon | first5 = Seonhee
 | editor-last = Kim | editor-first = Kwangjo
 | contribution = Truncated differential cryptanalysis of Camellia
 | doi = 10.1007/3-540-45861-1_3
 | pages = 32–38
 | publisher = Springer
 | series = Lecture Notes in Computer Science
 | title = Information Security and Cryptology – ICISC 2001, 4th International Conference Seoul, Korea, December 6–7, 2001, Proceedings
 | volume = 2288
 | year = 2001| isbn = 978-3-540-43319-4
 }}</ref>

[[Impossible differential attack]] on 12 rounds of Camellia-192 and 14 rounds of Camellia-256.<ref name="Impossible differential attack on 13-round Camellia-192">
    {{cite journal
    |author1=Céline Blondeau|author2=Seokhie Hong|author3= Sangjin Lee|author4= Jongin Lim|author5=Seonhee Yoon| title=Impossible differential attack on 13-round Camellia-192
    |journal=Information Processing Letters | year=2015
    |volume=115 |issue=9 |pages=660–666 |doi=10.1016/j.ipl.2015.03.008 | url=https://www.sciencedirect.com/science/article/abs/pii/S0020019015000472
    | access-date=2022-10-22
    }}</ref>

}}

In [[cryptography]], '''Camellia''' is a [[Symmetric-key algorithm|symmetric key]] [[block cipher]] with a [[block size (cryptography)|block size]] of 128 [[bit]]s and [[key size]]s of 128, 192 and 256 bits. It was jointly developed by [[Mitsubishi Electric Corporation|Mitsubishi Electric]] and [[Nippon Telegraph and Telephone|NTT]] of [[Japan]]. The cipher has been approved for use by the [[International Organization for Standardization|ISO/IEC]], the [[European Union]]'s [[NESSIE]] project and the [[Japan]]ese [[CRYPTREC]] project. The [[block cipher|cipher]] has security levels and processing abilities comparable to the [[Advanced Encryption Standard]].<ref name="camellia-aes">{{cite web|title=News Release 050710: Japan's First 128-bit Block Cipher "Camellia" Approved as a New Standard Encryption Algorithm in the Internet|url=https://web.archive.org/web/20190719142326if_/ntt.co.jp/news/news05e/0507/050720.html|publisher=NTT|date=July 20, 2005}}</ref>

The [[block cipher|cipher]] was designed to be suitable for both software and hardware implementations, from low-cost smart cards to high-speed network systems. It is part of the [[Transport Layer Security]] (TLS)<ref>RFC 4132 Addition of Camellia Cipher Suites to Transport Layer Security (TLS)</ref> [[cryptographic protocol]] designed to provide [[communications security]] over a [[computer network]] such as the [[Internet]].

The cipher was named for the flower ''[[Camellia japonica]]'', which is known for being long-lived as well as because the cipher was developed in Japan.

== Design ==
Camellia is a [[Feistel cipher]] with either 18 rounds (when using 128-bit keys) or 24 rounds (when using 192- or 256-bit keys). Every six rounds, a logical transformation layer is applied: the so-called "FL-function" or its inverse. Camellia uses four 8×8-bit [[S-boxes]] with input and output [[affine transformations]] and logical operations. The cipher also uses input and output [[key whitening]]. The [[Diffusion (cryptography)|diffusion]] layer uses a [[linear transformation]] based on a [[Matrix (mathematics)|matrix]] with a [[branch number]] of 5.{{citation needed|date=June 2012}}

== Security analysis ==
Camellia is considered a modern, safe cipher. Even using the smaller key size option (128 bits), it's considered infeasible to break it by [[brute-force attack]] on the keys with current technology. There are no known successful attacks that weaken the cipher considerably. The cipher has been approved for use by the [[International Organization for Standardization|ISO/IEC]], the [[European Union]]'s [[NESSIE]] project and the [[Japan]]ese [[CRYPTREC]] project. The Japanese [[block cipher|cipher]] has security levels and processing abilities comparable to the [[Advanced Encryption Standard|AES/Rijndael]] cipher.<ref name="camellia-aes" />

Camellia is a [[block cipher]] which can be completely defined by minimal systems of [[multivariate polynomial]]s:{{Vague|What does this sentence say? If this makes perfect sense to a pro, please consider expanding for casual readers to understand. Don't just rely on internal links.|date=August 2010}}<ref name="quadratic">
{{citation
 |author1=Alex Biryukov |author2=Christophe De Canniere |chapter=Block Ciphers and Systems of Quadratic Equations |title=Fast Software Encryption | series = Lecture Notes in Computer Science |doi=10.1007/978-3-540-39887-5_21 
 | citeseerx = 10.1.1.95.349
 | publisher = [[Springer Science+Business Media|Springer-Verlag]]
 | year = 2003
 |volume=2887 | pages = 274–289
|isbn=978-3-540-20449-7 }}</ref>
* The Camellia (as well as [[Advanced Encryption Standard|AES]]) [[S-boxes]] can be described by a system of 23 quadratic equations in 80 terms.<ref>
{{citation
 |author1=Nicolas T. Courtois |author2=Josef Pieprzyk | title = Cryptanalysis of Block Ciphers with Overdefined Systems of Equations
 | publisher = Springer-Verlag
 | year = 2002
 | pages = 267–287
 | url = https://eprint.iacr.org/2002/044.pdf
 | access-date=2010-08-13
}}</ref>
* The [[key schedule]] can be described by {{formatnum:1120}} equations in 768 variables using {{formatnum:3328}} linear and quadratic terms.<ref name="quadratic"/>
* The entire block cipher can be described by {{formatnum:5104}} equations in {{formatnum:2816}} variables using {{formatnum:14592}} linear and quadratic terms.<ref name="quadratic"/>
* In total, {{formatnum:6224}} equations in {{formatnum:3584}} variables using {{formatnum:17920}} linear and quadratic terms are required.<ref name="quadratic"/>
* The number of [[Free variable|free terms]] is {{formatnum:11696}}, which is approximately the same number as for [[Advanced Encryption Standard|AES]].
Theoretically, such properties might make it possible to break Camellia (and [[Advanced Encryption Standard|AES]]) using an algebraic attack, such as [[XSL attack|extended sparse linearisation]], in the future, provided that the attack becomes feasible.

== Patent status ==
Although Camellia is patented, it is available under a royalty-free license.<ref>
{{cite press release
 | title = Announcement of Royalty-free Licenses for Essential Patents of NTT Encryption and Digital Signature Algorithms
 | publisher = NTT
 | date = 2001-04-17
 | url = https://web.archive.org/web/20211224122533if_/ntt.co.jp/news/news01e/0104/010417.html
}}</ref>  This has allowed the Camellia cipher to become part of the [[OpenSSL]] Project, under an [[open-source license]], since November 2006.<ref>
{{cite press release
 | title = The Open Source Community OpenSSL Project Adopts the Next Generation International Standard Cipher "Camellia" Developed in Japan
 | publisher = NTT
 | date = 2006-11-08
 | url = https://web.archive.org/web/20181107132324if_/ntt.co.jp/news/news06e/0611/061108a.html
}}</ref> It has also allowed it to become part of the Mozilla's [[Network Security Services|NSS]] (Network Security Services) module.<ref name="firefox"/>

== Adoption ==
Support for Camellia was added to the final release of [[Mozilla Firefox]] 3 in 2008<ref name="firefox">{{Cite web | url=https://blog.mozilla.org/gen/2007/07/30/camellia-cipher-added-to-firefox/ | title=Camellia cipher added to Firefox | first=Gen | last=Kanai | work=[[Mozilla]] | date=July 30, 2007 | url-status=dead | archive-url=https://web.archive.org/web/20121221074122if_/http://blog.mozilla.org/gen/2007/07/30/camellia-cipher-added-to-firefox/ | archive-date=December 21, 2012 }}</ref> (disabled by default as of Firefox 33 in 2014<ref>{{cite web | title=Bug 1036765 – Disable cipher suites that are not in the "Browser Cipher Suite" proposal that are still enabled | url=https://bugzilla.mozilla.org/show_bug.cgi?id=1036765 | work=Mozilla | access-date=2015-01-09}}</ref> in spirit of the "Proposal to Change the Default TLS Ciphersuites Offered by Browsers",<ref>{{cite web | last=Smith | first=Brian | title=Proposal to Change the Default TLS Ciphersuites Offered by Browsers | url=https://briansmith.org/browser-ciphersuites-01 | work=Briansmith.org | date=8 August 2013 | access-date=2015-01-09}}</ref> and has been dropped from version 37 in 2015<ref>{{cite web | title=Bug 1037098 – Remove preferences for cipher suites disabled in bug 1036765 (Camellia and some 3DES & DSS cipher suites) | url=https://bugzilla.mozilla.org/show_bug.cgi?id=1037098 | work=Mozilla | access-date=2015-02-26}}</ref>). [[Pale Moon (web browser)|Pale Moon]], a fork of Mozilla/Firefox, continues to offer Camellia and had extended its support to include [[Galois/Counter Mode|Galois/Counter mode (GCM)]] suites with the cipher,<ref>{{cite web | url=https://forum.palemoon.org/viewtopic.php?f=1&t=10827&p=75697&hilit=camellia | title=Release notes for Pale Moon 26.0 | author=Moonchild | work=PaleMoon.org | date=January 26, 2016}}</ref> but has removed the GCM modes again with release 27.2.0, citing the apparent lack of interest in them.

Later in 2008, the [[FreeBSD]] Release Engineering Team announced that the cipher had also been included in the [[FreeBSD]] 6.4-RELEASE. Also, support for the Camellia cipher was added to the disk encryption storage class [[geli (software)|geli]] of FreeBSD by Yoshisato Yanagisawa.<ref>{{cite web | url=https://www.freebsd.org/cgi/man.cgi?query=geli&manpath=FreeBSD+9.0-RELEASE#end | title=FreeBSD System Manager's Manual: GELI(8) | work=FreeBSD.org | date=March 9, 2011}}</ref>

In September 2009, [[GNU Privacy Guard]] added support for Camellia in version 1.4.10.<ref>{{cite web | url=https://lists.gnupg.org/pipermail/gnupg-announce/2009q3/000291.html | title=GnuPG 1.4.10 released | work=GnuPG.org | date=September 2, 2009}}</ref>

[[VeraCrypt]] (a fork of [[TrueCrypt]]) included Camellia as one of its supported encryption algorithms.<ref>{{cite web |url=https://www.veracrypt.fr/en/Camellia.html |title=Camellia |work=VeraCrypt Documentation |publisher=IDRIX |access-date=2018-02-03}}</ref>

Moreover, various popular [[Library (computing)|security libraries]], such as [[Crypto++]], [[GnuTLS]], [[mbed TLS]] and [[OpenSSL]] also include support for Camellia.

[[Thales_Group|Thales]] and [[Bloombase]] support Camellia encryption cipher with their data cryptography offerings.<ref>{{cite web|url=https://info.isl.ntt.co.jp/crypt/eng/camellia/product.html#product_ov|title=Product Information (Oversea)|work=NTT Cryptographic Primitive }}</ref>

On March 26, 2013, Camellia was announced as having been selected again for adoption in Japan's new e-Government Recommended Ciphers List as the only 128-bit block cipher encryption algorithm developed in Japan. This coincides with the CRYPTREC list being updated for the first time in 10 years. The selection was based on Camellia's high reputation for ease of procurement, and security and performance features comparable to those of the Advanced Encryption Standard (AES). Camellia remains unbroken in its full implementation.<ref>{{cite web | url=https://www.mitsubishielectric.com/news/2013/0326-b_print.html | title=Camellia Encryption Algorithm Selected for New e-Government Recommended Ciphers List | work=MitsubishiElectric.com | date=March 26, 2013}}</ref> An impossible differential attack on 12-round Camellia without FL/FL<sup>−1</sup> layers does exist.<ref>{{cite journal | url=https://dl.acm.org/doi/10.1007/s11390-007-9056-0 | title=Impossible differential cryptanalysis of reduced-round ARIA and Camellia | date=May 3, 2007| doi=10.1007/s11390-007-9056-0 | last1=Wu | first1=Wen-Ling | last2=Zhang | first2=Wen-Tao | last3=Feng | first3=Deng-Guo | journal=Journal of Computer Science and Technology | volume=22 | issue=3 | pages=449–456 | s2cid=855434 }}</ref>

== Performance ==
The S-boxes used by Camellia share a similar structure to AES's S-box. As a result, it is possible to accelerate Camellia software implementations using CPU instruction sets designed for AES, such as x86 [[AES instruction set|AES-NI]] or x86 [[AVX-512#GFNI|GFNI]], by [[affine space|affine isomorphism]].<ref>{{cite thesis | type = M.Sc. | last = Kivilinna | first = Jussi | date = 2013 | url = http://jultika.oulu.fi/files/nbnfioulu-201305311409.pdf | title = Block Ciphers: Fast Implementations on x86-64 Architecture | pages = 33,42 | publisher = [[University of Oulu]] | access-date = 2017-06-22}}</ref><ref>{{cite web | url = https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9ab61ba24b72bc109b7578a7868716910d2ea9d1 | last = Kivilinna | first = Jussi | date = 2022-05-01 | website = git.gnupg.org Gitweb | access-date = 2022-07-06 | title = camellia: add amd64 GFNI/AVX512 implementation }}</ref>

== Standardization ==
Camellia has been certified as a standard cipher by several standardization organizations:<ref>
{{cite web
 | url=https://info.isl.ntt.co.jp/crypt/eng/camellia/standard.html
 | title=Camellia Standardization Related Information
 | access-date=2013-11-30
}}</ref>
* [[CRYPTREC]]
* [[NESSIE]]
* [[IETF]]
** Algorithm
*** {{IETF RFC|3713|link=no}}: A Description of the Camellia Encryption Algorithm
**[[Block cipher mode]]
*** {{IETF RFC|5528|link=no}}: Camellia Counter Mode and Camellia Counter with CBC-MAC Mode Algorithms
** [[S/MIME]] 
*** {{IETF RFC|3657|link=no}}: Use of the Camellia Encryption Algorithm in Cryptographic Message Syntax (CMS)
** [[XML Encryption]]
*** {{IETF RFC|4051|link=no}}: Additional XML Security Uniform Resource Identifiers (URIs)
** [[Transport Layer Security|TLS/SSL]]
*** {{IETF RFC|4132|link=no}}: Addition of Camellia Cipher Suites to Transport Layer Security (TLS)
*** {{IETF RFC|5932|link=no}}: Camellia Cipher Suites for TLS
*** {{IETF RFC|6367|link=no}}: Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)
** [[IPsec]]
*** {{IETF RFC|4312|link=no}}: The Camellia Cipher Algorithm and Its Use With IPsec
*** {{IETF RFC|5529|link=no}}: Modes of Operation for Camellia for Use with IPsec
** [[Kerberos (protocol)|Kerberos]]
*** {{IETF RFC|6803|link=no}}: Camellia Encryption for Kerberos 5
** [[OpenPGP]]
*** {{IETF RFC|5581|link=no}}: The Camellia Cipher in OpenPGP
** [[RSA-KEM]] in [[Cryptographic Message Syntax|CMS]]
*** {{IETF RFC|5990|link=no}}: Use of the RSA-KEM Key Transport Algorithm in the Cryptographic Message Syntax (CMS)
**  [[Portable Symmetric Key Container|PSKC]]
*** {{IETF RFC|6030|link=no}}: Portable Symmetric Key Container (PSKC)
** [[Smart grid]]
*** {{IETF RFC|6272|link=no}}: Internet Protocols for the Smart Grid
* [[ISO/IEC]]
** [https://www.iso.org/standard/54531.html ISO/IEC 18033-3:2010] Information technology—Security techniques—Encryption algorithms—Part 3: Block ciphers
* [[ITU-T]]
** Security mechanisms and procedures for [[Next-generation network|NGN]] (Y.2704)
* [[RSA Laboratories]]
** Approved cipher in the [[PKCS|PKCS#11]]
* [[TV-Anytime Forum]]
** Approved cipher in TV-Anytime Rights Management and Protection Information for Broadcast Applications
** Approved cipher in Bi-directional Metadata Delivery Protection

== References ==
{{Reflist|30em}}

;General
* {{cite web
  | url = https://eprint.iacr.org/2009/354.pdf
  |author1=Xin-jie Zhao |author2=Tao Wang |author3=Yuan-yuan Zheng | title = Cache Timing Attacks on Camellia Block Cipher
  | year = 2009
  | pages = 1–18
  | publisher = [[International Association for Cryptologic Research|IACR]]
  | access-date = 2013-01-14
 }}

* {{cite web
  | url = https://eprint.iacr.org/2009/585.pdf
  | title = An Improved Differential Fault Attack on Camellia
  |author1=Xin-jie Zhao |author2=Tao Wang | year = 2009
  | pages = 1–18
  | publisher = IACR
  | access-date = 2013-01-14
 }}

* {{cite web
  | url = https://eprint.iacr.org/2010/026.pdf
  |author1=Xin-jie Zhao |author2=Tao Wang | title = Further Improved Differential Fault Attacks on Camellia by Exploring Fault Width and Depth
  | year = 2010
  | pages = 1–16
  | publisher = IACR
  | access-date = 2013-01-14
 }}

==External links==
* [https://info.isl.ntt.co.jp/crypt/eng/camellia/ Camellia's English home page] by [[Nippon Telegraph and Telephone|NTT]]
* [https://embeddedsw.net/Cipher_Reference_Home.html 256 bit ciphers – CAMELLIA reference implementation and derived code]
* {{IETF RFC|3657|link=no}} Use of the Camellia Encryption Algorithm in Cryptographic Message Syntax (CMS)
* {{IETF RFC|3713|link=no}} A Description of the Camellia Encryption Algorithm
* {{IETF RFC|4051|link=no}} Additional XML Security Uniform Resource Identifiers (URIs)
* {{IETF RFC|4132|link=no}} Addition of Camellia Cipher Suites to Transport Layer Security (TLS)
* {{IETF RFC|4312|link=no}} The Camellia Cipher Algorithm and Its Use With IPsec
* {{IETF RFC|5528|link=no}} Camellia Counter Mode and Camellia Counter with CBC-MAC Mode Algorithms
* {{IETF RFC|5529|link=no}} Modes of Operation for Camellia for Use with IPsec
* {{IETF RFC|5581|link=no}} Certification of Camellia Cipher as IETF standard for [[OpenPGP]]
* {{IETF RFC|5932|link=no}} Camellia Cipher Suites for TLS
* {{IETF RFC|5990|link=no}} Use of the RSA-KEM Key Transport Algorithm in the Cryptographic Message Syntax (CMS)
* {{IETF RFC|6030|link=no}} Portable Symmetric Key Container (PSKC)
* {{IETF RFC|6272|link=no}} Internet Protocols for the Smart Grid
* {{IETF RFC|6367|link=no}} Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)
* [https://www.iso.org/standard/54531.html ISO/IEC 18033-3:2010] Information technology—Security techniques—Encryption algorithms—Part 3: Block ciphers

{{Cryptography navbox|block}}
{{Mitsubishi Electric}}

[[Category:Feistel ciphers]]
[[Category:Mitsubishi Electric products, services and standards]]
[[Category:2000 introductions]]
[[Category:Standards of Japan]]