Crypto Wiki

Template:Infobox block cipher

In cryptography, Camellia is a 128 bit block cipher jointly developed by Mitsubishi and NTT. The cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project, the Japanese CRYPTREC project, and the Internet Engineering Task Force. The cipher has security levels and processing abilities comparable to the Advanced Encryption Standard.[1]

Camellia's block size is 16 bytes (128 bits), and can use 128-bit, 192-bit or 256-bit keys. The block cipher was designed to be suitable for both software and hardware implementations, from low-cost smart cards to high-speed network systems.[2]


Camellia is a Feistel cipher with either 18 rounds (when using 128 bit keys) or 24 rounds (when using 192 or 256 bit keys). Every six rounds, a logical transformation layer is applied: the so-called "FL-function" or its inverse. Camellia uses four 8 x 8-bit S-boxes with input and output affine transformations and logical operations. The cipher also uses input and output key whitening. The diffusion layer uses a linear transformation based on an MDS matrix with a branch number of 5.

Security analysis[]


Camellia is a block cipher which can be completely defined by minimal systems of multivariate polynomials.Template:Vague[3] The Camellia (as well as AES) S-boxes can be described by a system of 23 quadratic equations in 80 terms.[4] The key schedule can be described by 1120 equations in 768 variables using 3328 linear and quadratic terms.[3] The entire block cipher can be described by 5104 equations in 2816 variables using 14592 linear and quadratic terms.[3] In total, 6224 equations in 3584 variables using 17920 linear and quadratic terms are required.[3] The number of free terms is 11696, which is approximately the same number as for AES. Theoretically, such properties might make it possible to break Camellia (and AES) using an algebraic attack, such as Extended Sparse Linearisation, in the future (provided that the attack becomes feasible).

Patent status[]

Camellia is patented and available under a royalty-free license.[5] This has allowed the Camellia cipher to become part of the OpenSSL Project, under an Open Source, license since November 2006.[6] It has also allowed it to become part of the Mozilla's NSS (Network Security Services) module.[7]


Support for Camellia was added to the final release of Mozilla Firefox 3 in 2008.[7] Later in the same year, the FreeBSD Release Engineering Team announced that the cipher had also been included in the FreeBSD 6.4-RELEASE. Also, support for the Camellia cipher was added to the disk encryption storage class geli of FreeBSD by Yoshisato Yanagisawa. In September 2009, GNU Privacy Guard added support for Camellia in version 1.4.10.[8]

More over, various popular security libraries, such as Crypto++ and OpenSSL also include support for Camellia.

See also[]

Template:Portal box

  • Computer science
  • Symmetric cipher


  1. Template:Cite web
  2. Template:Cite web
  3. 3.0 3.1 3.2 3.3 [citation needed]
  4. [citation needed]
  5. Template:Cite press release
  6. Template:Cite press release
  7. 7.0 7.1 Template:Cite web
  8. Template:Cite web
  • Template:Cite conference
  • Template:Cite conference
  • Template:Cite conference

External links[]

  • Camellia's English home page
  • RFC 3713 — A Description of the Camellia Encryption Algorithm
  • RFC 3657 — Use of the Camellia Encryption Algorithm in Cryptographic Message Syntax (CMS)
  • RFC 4312 — The Camellia Cipher Algorithm and Its Use With IPsec
  • RFC 4132 — Addition of Camellia Cipher Suites to Transport Layer Security (TLS)
  • RFC 5581 — Certification of Camellia Cipher as IETF standard for OpenPGP
  • Bug 382223 — Add support for Camellia to PSM (Mozilla Firefox)
  • FreeBSD System Manager's Manual — Add support for Camellia to geli (FreeBSD)

de:Camellia (Algorithmus) fr:Camellia (algorithme) it:Camellia (cifrario) ja:Camellia ru:Camellia zh:Camellia