Camellia Encryption & Decryption
ISO/NESSIE/CRYPTREC certified cipher - equivalent security to AES
Security Notice
Camellia provides excellent security equivalent to AES. It is recommended for applications requiring ISO/IEC standards compliance or Japanese/European certifications.
Format Options
About Camellia
About Camellia
Camellia is a symmetric block cipher developed jointly by Mitsubishi Electric and NTT (Nippon Telegraph and Telephone) and published in 2000. It operates on 128-bit blocks with 128, 192, or 256-bit keys. The algorithm organizes its rounds into groups of six, each group followed by FL/FL⁻¹ functions — key-dependent bitwise operations that inject additional non-linearity between the main Feistel layers, a structural element absent from AES.
Key Features
- 128-bit block size with 128/192/256-bit key support — identical block width to AES, ensuring byte-for-byte mode compatibility in TLS and IPsec
- 18 rounds for 128-bit keys; 24 rounds for 192/256-bit keys — organized in six-round groups with FL/FL⁻¹ layers between each group
- FL/FL⁻¹ functions between round groups: unique to Camellia, they apply key-dependent AND/OR/rotate operations that greatly increase diffusion of key material
- Triple certification: ISO/IEC 18033-3 global standard, NESSIE European project, and CRYPTREC Japanese government recommendation — the only non-AES cipher with all three
- Patent-free since 2017; already integrated in OpenSSL, GnuTLS, NSS (Firefox), LibreSSL, and Bouncy Castle across major TLS and VPN deployments
- Patent-free since 2017; already integrated in OpenSSL, GnuTLS, NSS (Firefox), LibreSSL, and Bouncy Castle across major TLS and VPN deployments
Encryption Modes
Encryption Modes
ECB: Electronic Codebook — each 128-bit block is independently processed through all 18 (or 24) Camellia rounds including the FL/FL⁻¹ key-mixing layers. Because identical 128-bit plaintext blocks yield identical ciphertext, data repetition patterns are visible — acceptable only for single-block encryption of truly unique nonces or random keys.
CBC: Cipher Block Chaining — each 128-bit Camellia block is XORed with the preceding ciphertext before the 18/24 Feistel rounds and FL/FL⁻¹ transformations begin. Camellia's 128-bit block width matches AES-CBC exactly, making it a drop-in replacement in TLS cipher suites (RFC 5932) — 16-byte aligned data needs no extra padding beyond standard PKCS#7.
CFB: Cipher Feedback — Camellia's full 18/24-round function (FL layers included) processes the previous ciphertext block and XORs the output with the next plaintext segment, producing a self-synchronizing stream cipher. Suitable for streaming protocols where incomplete final blocks or byte-level granularity are required without the overhead of padding.
OFB: Output Feedback — the Camellia round function iteratively re-encrypts the IV to build a key-dependent keystream independently of the plaintext. Errors affect only the corresponding output byte, with no cascade — well-suited to protecting packetized data over lossy channels (satellite, radio) where Camellia's hardware-efficient structure gives throughput advantages.
Algorithm Comparison
| Algorithm | Block Size | Key Length | Security | Standard | Standard |
|---|---|---|---|---|---|
| Camellia | 128 bit | 128/192/256 | 18/24 | Excellent | ISO/NESSIE/CRYPTREC |
| AES | 128 bit | 128/192/256 | 10/12/14 | Good | NIST |
| Twofish | 128 bit | 128/192/256 | 16 | Excellent | AES Finalist |
| DES | 64 bit | 56 | 16 | Excellent | Weak |
Security Considerations
- Best published attack against Camellia-128 reaches 12 of 18 rounds (related-key differential cryptanalysis); the full-round variant has no known practical attack, leaving a six-round security margin above the current cryptanalytic frontier
- The FL/FL⁻¹ functions between 6-round groups inject key-dependent bit permutations that disrupt differential and linear trails across round boundaries — the structural mechanism that makes related-key attacks significantly harder than in pure SPN ciphers like AES
- NESSIE (2003) and CRYPTREC independent evaluations confirmed Camellia's resistance to all known attack families: differential, linear, impossible differential, higher-order differential, and truncated differential — the same evaluation criteria that validated AES
- Camellia's 128-bit block width eliminates the birthday-bound problem that plagues 64-bit ciphers (DES, 3DES, Blowfish): the collision threshold occurs at 2⁶⁴ blocks (~147 petabytes per key), placing Sweet32-style attacks entirely outside practical reach
- Camellia's 128-bit block width eliminates the birthday-bound problem that plagues 64-bit ciphers (DES, 3DES, Blowfish): the collision threshold occurs at 2⁶⁴ blocks (~147 petabytes per key), placing Sweet32-style attacks entirely outside practical reach
Use Cases
TLS/SSL cipher suites: Camellia is deployed in TLS 1.2 as TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (RFC 5932) and TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (RFC 6367) — actively used in Japanese financial systems and government services
IPsec VPN: RFC 4312 defines Camellia for IKEv1/v2 and ESP, providing an AES alternative for deployments requiring CRYPTREC-compliant algorithms in Japanese government networks
OpenPGP email and file encryption: RFC 5581 added Camellia-128/192/256 as optional symmetric algorithms to OpenPGP, giving an alternative to AES for users or policy domains requiring NESSIE-certified ciphers
Japanese government and financial institution systems: CRYPTREC designation makes Camellia mandatory or strongly preferred for e-Government systems and banking infrastructure in Japan
Hardware security modules and embedded cryptography: Camellia's Feistel structure maps efficiently to both FPGA gate arrays and ASIC implementations, where its compact logic allows simultaneous encryption and key-schedule computation
Hardware security modules and embedded cryptography: Camellia's Feistel structure maps efficiently to both FPGA gate arrays and ASIC implementations, where its compact logic allows simultaneous encryption and key-schedule computation
Related Tools
AES Encryption/Decryption
Securely encrypt and decrypt text using AES algorithm
Twofish Encryption/Decryption
AES finalist symmetric cipher with 128-bit blocks and 128/192/256-bit keys, designed by Bruce Schneier
Serpent Encryption/Decryption
AES finalist block cipher with 128/192/256-bit keys, 32 rounds, offering excellent security margin and proven resistance to cryptanalysis
Rijndael Encryption/Decryption
Original AES algorithm with flexible block sizes (128/192/256 bits). Supports CBC, ECB, CFB, OFB modes