A Description of the Camellia Encryption Algorithm
RFC 3713
Document  Type 
RFC  Informational
(April 2004; No errata)
Was draftnakajimacamellia (individual in sec area)



Last updated  20151014  
Stream  IETF  
Formats  plain text html pdf htmlized bibtex  
Stream  WG state  (None)  
Document shepherd  No shepherd assigned  
IESG  IESG state  RFC 3713 (Informational)  
Consensus Boilerplate  Unknown  
Telechat date  
Responsible AD  Steven Bellovin  
Send notices to  <shino@isl.ntt.co.jp> 
Network Working Group M. Matsui Request for Comments: 3713 J. Nakajima Category: Informational Mitsubishi Electric Corporation S. Moriai Sony Computer Entertainment Inc. April 2004 A Description of the Camellia Encryption Algorithm Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2004). All Rights Reserved. Abstract This document describes the Camellia encryption algorithm. Camellia is a block cipher with 128bit block size and 128, 192, and 256bit keys. The algorithm description is presented together with key scheduling part and data randomizing part. 1. Introduction 1.1. Camellia Camellia was jointly developed by Nippon Telegraph and Telephone Corporation and Mitsubishi Electric Corporation in 2000 [CamelliaSpec]. Camellia specifies the 128bit block size and 128, 192, and 256bit key sizes, the same interface as the Advanced Encryption Standard (AES). Camellia is characterized by its suitability for both software and hardware implementations as well as its high level of security. From a practical viewpoint, it is designed to enable flexibility in software and hardware implementations on 32bit processors widely used over the Internet and many applications, 8bit processors used in smart cards, cryptographic hardware, embedded systems, and so on [CamelliaTech]. Moreover, its key setup time is excellent, and its key agility is superior to that of AES. Matsui, et al. Informational [Page 1] RFC 3713 Camellia Encryption Algorithm April 2004 Camellia has been scrutinized by the wide cryptographic community during several projects for evaluating crypto algorithms. In particular, Camellia was selected as a recommended cryptographic primitive by the EU NESSIE (New European Schemes for Signatures, Integrity and Encryption) project [NESSIE] and also included in the list of cryptographic techniques for Japanese eGovernment systems which were selected by the Japan CRYPTREC (Cryptography Research and Evaluation Committees) [CRYPTREC]. 2. Algorithm Description Camellia can be divided into "key scheduling part" and "data randomizing part". 2.1. Terminology The following operators are used in this document to describe the algorithm. & bitwise AND operation.  bitwise OR operation. ^ bitwise exclusiveOR operation. << logical left shift operation. >> logical right shift operation. <<< left rotation operation. ~y bitwise complement of y. 0x hexadecimal representation. Note that the logical left shift operation is done with the infinite data width. The constant values of MASK8, MASK32, MASK64, and MASK128 are defined as follows. MASK8 = 0xff; MASK32 = 0xffffffff; MASK64 = 0xffffffffffffffff; MASK128 = 0xffffffffffffffffffffffffffffffff; 2.2. Key Scheduling Part In the key schedule part of Camellia, the 128bit variables of KL and KR are defined as follows. For 128bit keys, the 128bit key K is used as KL and KR is 0. For 192bit keys, the leftmost 128bits of key K are used as KL and the concatenation of the rightmost 64bits of K and the complement of the rightmost 64bits of K are used as KR. For 256bit keys, the leftmost 128bits of key K are used as KL and the rightmost 128bits of K are used as KR. Matsui, et al. Informational [Page 2] RFC 3713 Camellia Encryption Algorithm April 2004 128bit key K: KL = K; KR = 0; 192bit key K: KL = K >> 64; KR = ((K & MASK64) << 64)  (~(K & MASK64)); 256bit key K: KL = K >> 128; KR = K & MASK128; The 128bit variables KA and KB are generated from KL and KR as follows. Note that KB is used only if the length of the secret key is 192 or 256 bits. D1 and D2 are 64bit temporary variables. F function is described in Section 2.4. D1 = (KL ^ KR) >> 64; D2 = (KL ^ KR) & MASK64; D2 = D2 ^ F(D1, Sigma1); D1 = D1 ^ F(D2, Sigma2); D1 = D1 ^ (KL >> 64); D2 = D2 ^ (KL & MASK64); D2 = D2 ^ F(D1, Sigma3); D1 = D1 ^ F(D2, Sigma4); KA = (D1 << 64)  D2; D1 = (KA ^ KR) >> 64; D2 = (KA ^ KR) & MASK64; D2 = D2 ^ F(D1, Sigma5); D1 = D1 ^ F(D2, Sigma6); KB = (D1 << 64)  D2; The 64bit constants Sigma1, Sigma2, ..., Sigma6 are used as "keys" in the Ffunction. These constant values are, in hexadecimalShow full document text