General  

Designers  Mitsubishi, NTT 
First published  2000 
Derived from  E2, MISTY1 
Certification  CRYPTREC, NESSIE 
Cipher detail  
Key sizes  128, 192 or 256 bits 
Block sizes  128 bits 
Structure  Feistel network 
Rounds  18 or 24 
In cryptography, Camellia is a block cipher that has been evaluated favorably by several organisations, including the European Union's NESSIE project (a selected algorithm), and the Japanese CRYPTREC project (a recommended algorithm). The cipher was developed jointly by Mitsubishi and NTT in 2000, and has similar design elements to earlier block ciphers (MISTY1 and E2) from these companies.
Camellia has a block size of 128 bits, and can use 128bit, 192bit or 256bit keys — the same interface as the Advanced Encryption Standard. It is a Feistel cipher with either 18 rounds (if the key is 128 bits) or 24 rounds (if the key is 192 or 256 bits). Every six rounds, a logical transformation layer is applied: the socalled "FLfunction" or its inverse. Camellia uses four 8 x 8bit Sboxes with input and output affine transformations and logical operations. The cipher also uses input and output key whitening. The diffusion layer uses a linear transformation based on an MDS matrix with a branch number of 5.
Contents 
Camellia is one of the ciphers that can be completely defined by minimal systems of multivariate polynomials ^{ [1]}. The Camellia (as well as AES) Sboxes can be described by a system of 23 quadratic equations in 80 terms ^{ [2]}. The key schedule can be described by 1120 equations in 768 variables using 3328 linear and quadratic terms ^{ [1]}. The entire block cipher can be described by 5104 equations in 2816 variables using 14592 linear and quadratic terms ^{ [1]}. In total, 6224 equations in 3584 variables using 17920 linear and quadratic terms are required ^{ [1]}. The number of free terms is 11696, which is approximately the same number as for AES. Theoretically, such properties might make it possible to break Camellia (and AES) using an algebraic attack, such as Extended Sparse Linearisation, in the future (provided that the attack becomes feasible).
Although patented, Camellia is available under a royaltyfree license.^{[3]} This has allowed the Camellia cipher to become part of the OpenSSL Project, under an Open Source license, as of November 8, 2006,^{[4]} as well as Mozilla's NSS (Network Security Services) module.^{[5]}
On June, 18 2008, support for the adopted Camellia cipher was added to the final release of Mozilla Firefox 3.^{[5]}
Yoshisato Yanagisawa had added support for the Camellia cipher to the disk encryption storage class geli (software) in FreeBSD 7.0. On November 11, 2008, The FreeBSD Release Engineering Team announced that the cipher had also been included in the FreeBSD 6.4RELEASE.
GNU Privacy Guard added support for Camellia in version 1.4.10 released on September 2, 2009.^{[6]}
7 ZHAO Xinjie and WANG Tao and ZHENG Yuanyuan (PDF). Cache Timing Attacks on Camellia Block Cipher. http://eprint.iacr.org/2009/354.pdf. Retrieved 2009914. 8 ZHAO Xinjie and WANG Tao(PDF). An Improved Differential Fault Attack on Camellia. http://eprint.iacr.org/2009/585.pdf. Retrieved 20091202.
