Camellia — Where (Horst) Feistel Meets Rijndael (AES)
Camellia — Where (Horst) Feistel Meets Rijndael (AES)
In research, you should never dismiss something, just because it isn’t currently being used. A good researcher will always look to the other competing methods to current practice, and note their strengths and weaknesses. Something might just come along that could fit a particular problem. And, so, with the advent of AES (aka Rijndael) and ChaCha20, other block ciphers hardly get a look-in. The Camellia cipher is one of these. Overall, it is named after Camellia japonica — which is a Japanese flower that has undulating petals.
Like AES, Camellia has a block size of 128 bits (16 bytes), and can use 128-, 192-, and 256-bit encryption keys. It was created by Mitsubishi and NTT and has been approved by the ISO/IEC. Camellia is also efficient for both hardware and software implementations, and is part of the TLS stack [here]:
Camellia is a Feisitel cipher and uses 18 rounds for 128-bit keys or 24 rounds for 192/256-bit keys. It also uses four 8x8 S-boxes. These s-boxes have a similar structure to the ones used by AES. This means that its performance can be enhanced by using the x86 AES-NI instruction set.
The basic structure of a Feisitel cipher is to split the data into two (left bits and right bits) and put it through a number of rounds:
As with many other Feistel ciphers, it is seen to be secure and is almost impossible at the current time to brute force it. One of its strengths is that it can be formally defined as a number of multivariate polynomials. It is now patent-free and included in OpenSSL. Firefox used Camelia for a while but has since dropped it, but Veracrypt supports it for symmetric key encryption.
Coding
Overall, the usage of Camellia is similar to AES, and uses the same key sizes and modes [here]:
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives import padding
import sys
message="Hello"
associated_data=b"Hello"
tag=b"0123456789ABCDEF"
keysize=32
iv = os.urandom(16)
mode=0
if (len(sys.argv)>1):
message=str(sys.argv[1])
if (len(sys.argv)>2):
mode=int(sys.argv[2])
if (len(sys.argv)>3):
keysize=int(sys.argv[3])
if (mode==1): keysize=32
key = os.urandom(keysize)
padder = padding.PKCS7(128).padder()
unpadder = padding.PKCS7(128).unpadder()
cipher=None
if (mode==0):
cipher = Cipher(algorithms.Camellia(key), modes.CBC(iv))
if (mode==1):
cipher = Cipher(algorithms.Camellia(key), modes.OFB(iv))
if (mode==2):
cipher = Cipher(algorithms.Camellia(key), modes.CFB(iv))
if (mode==3):
cipher = Cipher(algorithms.Camellia(key), modes.CFB8(iv))
if (mode==4):
cipher = Cipher(algorithms.Camellia(key), modes.CTR(iv))
if (mode==5):
cipher = Cipher(algorithms.Camellia(key), modes.ECB())
encryptor = cipher.encryptor()
str=padder.update(message.encode())+padder.finalize()
ciphertext = encryptor.update(str ) + encryptor.finalize()
# Now decrypt
decryptor = cipher.decryptor()
rtn=unpadder.update(decryptor.update(ciphertext) + decryptor.finalize())+unpadder.finalize()
print("Type:\t\t\t",cipher.algorithm.name)
if (mode!=1): print("Mode:\t\t\t",cipher.mode.name)
print("Message:\t\t",message)
print("Message with padding:\t",str)
print("\nKey:\t\t\t",key.hex())
if (mode!=5): print("IV:\t\t\t",iv.hex())
print("\nCipher:\t\t\t",ciphertext.hex())
print("Decrypt:\t\t",rtn.decode())and a sample run [here]:
Type: camellia
Mode: CBC
Message: Hello
Message with padding: b'Hello\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'
Key: b7abe32930c1e93b5237bde9822bba01
IV: 26e4a4b21787fde7f835bdb3e9375941
Cipher: 2e5b35569d5014c8ac5c189bdd399671
Decrypt: HelloIn this case, as we are using a block cipher, we need to pad the last block with PKCS7. If the above we have the message of “Hello”, and which has five characters. Will will thus have 11 free spaces left in the block, so we pad with an 11 (0xb). This is stripped off after it is decrypted (unpadded).
Conclusions
What’s interesting about Camellia is that it has a similar s-box structure to AES, but is implemented in a Feistel structure, which has applications to Format Preserving Encryption (FPE), and which can be used to encrypt data into a form that looks like valid content.