Camellia (cipher)

Camellia

General
Designers: Mitsubishi Electric, NTT
First published: 2000
Derived from: E2, MISTY1
Certification: CRYPTREC, NESSIE

Cipher detail
Key sizes: 128, 192 or 256 bits
Block sizes: 128 bits
Structure: Feistel network
Rounds: 18 or 24

Best public cryptanalysis
Truncated differential cryptanalysis requiring chosen plaintexts on modified Camellia reduced to 7 and 8 rounds. [1] Impossible differential attack on 12 rounds of Camellia-192 and 14 rounds of Camellia-256. [2]

In cryptography, Camellia is a symmetric key block cipher with a block size of 128 bits and key sizes of 128, 192 and 256 bits. It was jointly developed by Mitsubishi Electric and NTT of Japan. The cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. The cipher has security levels and processing abilities comparable to the Advanced Encryption Standard. [3]

The cipher was designed to be suitable for both software and hardware implementations, from low-cost smart cards to high-speed network systems. It is part of the Transport Layer Security (TLS) [4] cryptographic protocol designed to provide communications security over a computer network such as the Internet.

The cipher was named for the flower Camellia japonica, which is known for being long-lived, and because the cipher was developed in Japan.

Design

Camellia is a Feistel cipher with either 18 rounds (when using 128-bit keys) or 24 rounds (when using 192- or 256-bit keys). Every six rounds, a logical transformation layer is applied: the so-called "FL-function" or its inverse. Camellia uses four 8×8-bit S-boxes with input and output affine transformations and logical operations. The cipher also uses input and output key whitening. The diffusion layer uses a linear transformation based on a matrix with a branch number of 5.
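The outer structure described above (key whitening, Feistel rounds, an FL/FL⁻¹ layer every six rounds), as an added example that is not part of the original article. `fl` and `fl_inv` follow the definitions in RFC 3713; `stand_in_f` and `demo_keys` are hypothetical placeholders for Camellia's real F-function and key schedule, so the output is not Camellia ciphertext.

```python
import hashlib

M32, M64 = 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF

def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & M32

def fl(x, ke):
    """FL layer function on a 64-bit half (definition from RFC 3713)."""
    x1, x2, k1, k2 = x >> 32, x & M32, ke >> 32, ke & M32
    x2 ^= rotl32(x1 & k1, 1)
    x1 ^= x2 | k2
    return (x1 << 32) | x2

def fl_inv(y, ke):
    """Inverse of fl() under the same subkey: same steps in reverse order."""
    y1, y2, k1, k2 = y >> 32, y & M32, ke >> 32, ke & M32
    y1 ^= y2 | k2
    y2 ^= rotl32(y1 & k1, 1)
    return (y1 << 32) | y2

def stand_in_f(x, k):
    """Assumption: NOT Camellia's F (S-boxes plus diffusion matrix). A Feistel
    network inverts with any round function, so a truncated hash stands in."""
    return int.from_bytes(hashlib.sha256((x ^ k).to_bytes(8, "big")).digest()[:8], "big")

def crypt(block, kw, k, ke, f=stand_in_f):
    """Whitening, len(k) Feistel rounds (18 or 24), FL/FL^-1 after every six."""
    d1, d2 = (block >> 64) ^ kw[0], (block & M64) ^ kw[1]
    for r in range(0, len(k), 2):
        if r and r % 6 == 0:          # between round groups, never after the last
            i = r // 3 - 2            # two FL subkeys per layer
            d1, d2 = fl(d1, ke[i]), fl_inv(d2, ke[i + 1])
        d2 ^= f(d1, k[r])
        d1 ^= f(d2, k[r + 1])
    return ((d2 ^ kw[2]) << 64) | (d1 ^ kw[3])

def decrypt_keys(kw, k, ke):
    """Decryption reuses crypt() with whitening keys swapped and subkeys reversed."""
    return kw[2:] + kw[:2], k[::-1], ke[::-1]

def demo_keys(rounds):
    """Constructed sample subkeys (not produced by Camellia's key schedule)."""
    def gen(tag, n):
        return [int.from_bytes(hashlib.sha256(f"{tag}{i}".encode()).digest()[:8], "big") for i in range(n)]
    return gen("kw", 4), gen("k", rounds), gen("ke", rounds // 3 - 2)
```

For a fixed subkey, `fl` is an affine map over GF(2) (the AND and OR are taken against key bits only), so the FL layers add key-dependent irregularity between round groups rather than nonlinearity in the data.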

Security analysis

Camellia is considered a modern, safe cipher. Even using the smaller key size option (128 bits), it's considered infeasible to break it by brute-force attack on the keys with current technology. There are no known successful attacks that weaken the cipher considerably. The cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. The Japanese cipher has security levels and processing abilities comparable to the AES/Rijndael cipher. [3]

Camellia is a block cipher which can be completely defined by minimal systems of multivariate polynomials: [5]

Theoretically, such properties might make it possible to break Camellia (and AES) using an algebraic attack, such as extended sparse linearisation, in the future, provided that the attack becomes feasible.

Patent status

Although Camellia is patented, it is available under a royalty-free license. [7] This has allowed the Camellia cipher to become part of the OpenSSL Project, under an open-source license, since November 2006. [8] It has also allowed it to become part of Mozilla's NSS (Network Security Services) module. [9]

Adoption

Support for Camellia was added to the final release of Mozilla Firefox 3 in 2008 [9] (it was disabled by default as of Firefox 33 in 2014 [10] in the spirit of the "Proposal to Change the Default TLS Ciphersuites Offered by Browsers" [11] and was dropped from version 37 in 2015 [12]). Pale Moon, a fork of Mozilla/Firefox, continues to offer Camellia and had extended its support to include Galois/Counter mode (GCM) suites with the cipher, [13] but removed the GCM modes again with release 27.2.0, citing the apparent lack of interest in them.

Later in 2008, the FreeBSD Release Engineering Team announced that the cipher had also been included in FreeBSD 6.4-RELEASE. Support for the Camellia cipher was also added to geli, the disk encryption storage class of FreeBSD, by Yoshisato Yanagisawa. [14]

In September 2009, GNU Privacy Guard added support for Camellia in version 1.4.10. [15]

VeraCrypt (a fork of TrueCrypt) included Camellia as one of its supported encryption algorithms. [16]

Moreover, various popular security libraries, such as Crypto++, GnuTLS, mbed TLS and OpenSSL, also include support for Camellia.

Thales and Bloombase support the Camellia cipher in their data cryptography offerings. [17]

On March 26, 2013, Camellia was announced as having been selected again for adoption in Japan's new e-Government Recommended Ciphers List as the only 128-bit block cipher encryption algorithm developed in Japan. This coincides with the CRYPTREC list being updated for the first time in 10 years. The selection was based on Camellia's high reputation for ease of procurement, and security and performance features comparable to those of the Advanced Encryption Standard (AES). Camellia remains unbroken in its full implementation. [18] An impossible differential attack on 12-round Camellia without FL/FL⁻¹ layers does exist. [19]

Performance

The S-boxes used by Camellia share a similar structure to AES's S-box. As a result, it is possible to accelerate Camellia software implementations using CPU instruction sets designed for AES, such as x86 AES-NI or x86 GFNI, by affine isomorphism. [20] [21]

Standardization

Camellia has been certified as a standard cipher by several standardization organizations: [22]

References

  1. Seonhee Lee; Seokhie Hong; Sangjin Lee; Jongin Lim; Seonhee Yoon (2001). "Truncated Differential Cryptanalysis of Camellia". Retrieved 2022-10-14.
  2. Céline Blondeau; Seokhie Hong; Sangjin Lee; Jongin Lim; Seonhee Yoon (2015). "Impossible differential attack on 13-round Camellia-192". Information Processing Letters. 115 (9): 660–666. doi:10.1016/j.ipl.2015.03.008. Retrieved 2022-10-22.
  3. "News Release 050710: Japan's First 128-bit Block Cipher "Camellia" Approved as a New Standard Encryption Algorithm in the Internet". NTT. July 20, 2005.
  4. RFC 4132 Addition of Camellia Cipher Suites to Transport Layer Security (TLS)
  5. Alex Biryukov; Christophe De Canniere (2003), "Block Ciphers and Systems of Quadratic Equations", Fast Software Encryption, Lecture Notes in Computer Science, vol. 2887, Springer-Verlag, pp. 274–289, CiteSeerX 10.1.1.95.349, doi:10.1007/978-3-540-39887-5_21, ISBN 978-3-540-20449-7
  6. Nicolas T. Courtois; Josef Pieprzyk (2002), Cryptanalysis of Block Ciphers with Overdefined Systems of Equations (PDF), Springer-Verlag, pp. 267–287, retrieved 2010-08-13
  7. "Announcement of Royalty-free Licenses for Essential Patents of NTT Encryption and Digital Signature Algorithms" (Press release). NTT. 2001-04-17.
  8. "The Open Source Community OpenSSL Project Adopts the Next Generation International Standard Cipher "Camellia" Developed in Japan" (Press release). NTT. 2006-11-08.
  9. Kanai, Gen (July 30, 2007). "Camellia cipher added to Firefox". Mozilla. Archived from the original on December 21, 2012.
  10. "Bug 1036765 – Disable cipher suites that are not in the "Browser Cipher Suite" proposal that are still enabled". Mozilla. Retrieved 2015-01-09.
  11. Smith, Brian (8 August 2013). "Proposal to Change the Default TLS Ciphersuites Offered by Browsers". Briansmith.org. Retrieved 2015-01-09.
  12. "Bug 1037098 – Remove preferences for cipher suites disabled in bug 1036765 (Camellia and some 3DES & DSS cipher suites)". Mozilla. Retrieved 2015-02-26.
  13. Moonchild (January 26, 2016). "Release notes for Pale Moon 26.0". PaleMoon.org.
  14. "FreeBSD System Manager's Manual: GELI(8)". FreeBSD.org. March 9, 2011.
  15. "GnuPG 1.4.10 released". GnuPG.org. September 2, 2009.
  16. "Camellia". VeraCrypt Documentation. IDRIX. Retrieved 2018-02-03.
  17. "Product Information (Oversea)".
  18. "Camellia Encryption Algorithm Selected for New e-Government Recommended Ciphers List". MitsubishiElectric.com. March 26, 2013.
  19. Wu, Wen-Ling; Zhang, Wen-Tao; Feng, Deng-Guo (May 3, 2007). "Impossible differential cryptanalysis of reduced-round ARIA and Camellia". Journal of Computer Science and Technology. 22 (3): 449–456. doi:10.1007/s11390-007-9056-0. S2CID 855434.
  20. Kivilinna, Jussi (2013). Block Ciphers: Fast Implementations on x86-64 Architecture (PDF) (M.Sc.). University of Oulu. pp. 33, 42. Retrieved 2017-06-22.
  21. Kivilinna, Jussi (2022-05-01). "camellia: add amd64 GFNI/AVX512 implementation". git.gnupg.org Gitweb. Retrieved 2022-07-06.
  22. "Camellia Standardization Related Information". Retrieved 2013-11-30.