Camellia (cipher)

Camellia
General
Designers Mitsubishi Electric, NTT
First published 2000
Derived from E2, MISTY1
Certification CRYPTREC, NESSIE
Cipher detail
Key sizes 128, 192 or 256 bits
Block sizes 128 bits
Structure Feistel network
Rounds 18 or 24

In cryptography, Camellia is a symmetric key block cipher with a block size of 128 bits and key sizes of 128, 192 and 256 bits. It was jointly developed by Mitsubishi Electric and NTT of Japan. The cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. The cipher has security levels and processing abilities comparable to the Advanced Encryption Standard.[1]

The cipher was designed to be suitable for both software and hardware implementations, from low-cost smart cards to high-speed network systems. It is part of the Transport Layer Security (TLS),[2] cryptographic protocol designed to provide communications security over a computer network such as the internet.

Design

Camellia is a Feistel cipher with either 18 rounds (when using 128-bit keys) or 24 rounds (when using 192 or 256-bit keys). Every six rounds, a logical transformation layer is applied: the so-called "FL-function" or its inverse. Camellia uses four 8 × 8-bit S-boxes with input and output affine transformations and logical operations. The cipher also uses input and output key whitening. The diffusion layer uses a linear transformation based on a matrix with a branch number of 5.

Security analysis

Camellia is considered a modern safe cipher. Even using the smaller key size option (128 bits), it's considered infeasible to break it by brute-force attack on the keys with current technology. There are no known successful attacks that weaken the cipher considerably. The cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. The Japanese cipher has security levels and processing abilities comparable to the AES/Rijndael cipher.[1]

Camellia is a block cipher which can be completely defined by minimal systems of multivariate polynomials.[3]

Theoretically, such properties might make it possible to break Camellia (and AES) using an algebraic attack, such as Extended Sparse Linearisation, in the future, provided that the attack becomes feasible.

Patent status

Although Camellia is patented, it is available under a royalty-free license.[5] This has allowed the Camellia cipher to become part of the OpenSSL Project, under an open-source license, since November 2006.[6] It has also allowed it to become part of the Mozilla's NSS (Network Security Services) module.[7]

Adoption

Support for Camellia was added to the final release of Mozilla Firefox 3 in 2008[7] (disabled by default as of Firefox 33 in 2014[8] in spirit of the "Proposal to Change the Default TLS Ciphersuites Offered by Browsers",[9] and has been dropped from version 37 in 2015[10]). Pale Moon, a fork of Mozilla/Firefox, continues to offer Camellia and has extended its support to include Galois/Counter mode (GCM) suites with the cipher.[11]

Later in 2008, the FreeBSD Release Engineering Team announced that the cipher had also been included in the FreeBSD 6.4-RELEASE. Also, support for the Camellia cipher was added to the disk encryption storage class geli of FreeBSD by Yoshisato Yanagisawa.[12]

In September 2009, GNU Privacy Guard added support for Camellia in version 1.4.10.[13]

Moreover, various popular security libraries, such as Crypto++, GnuTLS, PolarSSL and OpenSSL also include support for Camellia.

On March 26, 2013, Camellia was announced as having been selected again for adoption in Japan's new e-Government Recommended Ciphers List as the only 128-bit block cipher encryption algorithm developed in Japan. This coincides with the CRYPTREC list being updated for the first time in 10 years. The selection was based on Camellia's high reputation for ease of procurement, and security and performance features comparable to those of the Advanced Encryption Standard (AES). Camellia remains unbroken in its full implementation.[14] An impossible differentials attack on 12-round Camellia without FL/FL−1 layers does exist.[15]

Standardization

Camellia has been certified as a standard cipher by several standardization organizations.[16]

See also

References

  1. 1 2 "Japan's First 128-bit Block Cipher 'Camellia' Approved as a New Standard Encryption Algorithm in the Internet". Phys.Org. 2005-07-20. Retrieved 2013-01-14.
  2. RFC 4132 Addition of Camellia Cipher Suites to Transport Layer Security (TLS)
  3. 1 2 3 4 Alex Biryukov; Christophe De Canniere (2003), "Block ciphers and systems of quadratic equations", Lecture Notes in Computer Science, proceedings of FSE 2003, Springer-Verlag, pp. 274–289, CiteSeerX 10.1.1.95.349Freely accessible
  4. Nicolas T. Courtois; Josef Pieprzyk (2002), Cryptanalysis of Block Ciphers with Overdefined Systems of Equations (PDF), Springer-Verlag, pp. 267–287, retrieved 2010-08-13
  5. "Announcement of Royalty-free Licenses for Essential Patents of NTT Encryption and Digital Signature Algorithms" (Press release). NTT. 2001-04-17. Retrieved 2013-01-14.
  6. "The Open Source Community OpenSSL Project Adopts the Next Generation International Standard Cipher "Camellia" Developed in Japan" (Press release). NTT. 2006-11-08. Retrieved 2013-01-14.
  7. 1 2 Gen Kanai (2007-07-30). "Camellia cipher added to Firefox". Mozilla in Asia. Mozilla.
  8. "Bug 1036765 - Disable cipher suites that are not in the "Browser Cipher Suite" proposal that are still enabled". Retrieved 9 January 2015.
  9. Smith, Brian. "Proposal to Change the Default TLS Ciphersuites Offered by Browsers". https://briansmith.org. Retrieved 9 January 2015. External link in |website= (help)
  10. "Bug 1037098 - Remove preferences for cipher suites disabled in bug 1036765 (Camellia and some 3DES & DSS cipher suites)". Retrieved 26 February 2015.
  11. Moonchild (2016-01-26). "Release notes for Pale Moon 26.0".
  12. "FreeBSD System Manager's Manual: GELI(8)". 2011-03-09.
  13. "GnuPG 1.4.10 released". 2009-09-02.
  14. "Camellia Encryption Algorithm Selected for New e-Government Recommended Ciphers List". 2013-03-26.
  15. "Impossible differential cryptanalysis of reduced-round ARIA and Camellia". 2007-05-03.
  16. "Camellia Standardization Related Information". Retrieved 2013-11-30.
General
This article is issued from Wikipedia - version of the 11/1/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.