A Description of the Camellia Encryption Algorithm
RFC 3713

Document Type RFC - Informational (April 2004; No errata)
Was draft-nakajima-camellia (individual in sec area)
Authors Mitsuru Matsui  , Shiho Moriai  , Junko Nakajima 
Last updated 2015-10-14
Stream IETF
Formats plain text html pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3713 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Steven Bellovin
Send notices to <shino@isl.ntt.co.jp>
Network Working Group                                          M. Matsui
Request for Comments: 3713                                   J. Nakajima
Category: Informational                  Mitsubishi Electric Corporation
                                                               S. Moriai
                                        Sony Computer Entertainment Inc.
                                                              April 2004

           A Description of the Camellia Encryption Algorithm

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.


   This document describes the Camellia encryption algorithm.  Camellia
   is a block cipher with 128-bit block size and 128-, 192-, and 256-bit
   keys.  The algorithm description is presented together with key
   scheduling part and data randomizing part.

1.  Introduction

1.1.  Camellia

   Camellia was jointly developed by Nippon Telegraph and Telephone
   Corporation and Mitsubishi Electric Corporation in 2000
   [CamelliaSpec].  Camellia specifies the 128-bit block size and 128-,
   192-, and 256-bit key sizes, the same interface as the Advanced
   Encryption Standard (AES).  Camellia is characterized by its
   suitability for both software and hardware implementations as well as
   its high level of security.  From a practical viewpoint, it is
   designed to enable flexibility in software and hardware
   implementations on 32-bit processors widely used over the Internet
   and many applications, 8-bit processors used in smart cards,
   cryptographic hardware, embedded systems, and so on [CamelliaTech].
   Moreover, its key setup time is excellent, and its key agility is
   superior to that of AES.

Matsui, et al.               Informational                      [Page 1]
RFC 3713             Camellia Encryption Algorithm            April 2004

   Camellia has been scrutinized by the wide cryptographic community
   during several projects for evaluating crypto algorithms.  In
   particular, Camellia was selected as a recommended cryptographic
   primitive by the EU NESSIE (New European Schemes for Signatures,
   Integrity and Encryption) project [NESSIE] and also included in the
   list of cryptographic techniques for Japanese e-Government systems
   which were selected by the Japan CRYPTREC (Cryptography Research and
   Evaluation Committees) [CRYPTREC].

2.  Algorithm Description

   Camellia can be divided into "key scheduling part" and "data
   randomizing part".

2.1.  Terminology

   The following operators are used in this document to describe the

      &    bitwise AND operation.
      |    bitwise OR operation.
      ^    bitwise exclusive-OR operation.
      <<   logical left shift operation.
      >>   logical right shift operation.
      <<<  left rotation operation.
      ~y   bitwise complement of y.
      0x   hexadecimal representation.

   Note that the logical left shift operation is done with the infinite
   data width.

   The constant values of MASK8, MASK32, MASK64, and MASK128 are defined
   as follows.

      MASK8   = 0xff;
      MASK32  = 0xffffffff;
      MASK64  = 0xffffffffffffffff;
      MASK128 = 0xffffffffffffffffffffffffffffffff;

2.2.  Key Scheduling Part

   In the key schedule part of Camellia, the 128-bit variables of KL and
   KR are defined as follows.  For 128-bit keys, the 128-bit key K is
   used as KL and KR is 0.  For 192-bit keys, the leftmost 128-bits of
   key K are used as KL and the concatenation of the rightmost 64-bits
   of K and the complement of the rightmost 64-bits of K are used as KR.
   For 256-bit keys, the leftmost 128-bits of key K are used as KL and
   the rightmost 128-bits of K are used as KR.

Matsui, et al.               Informational                      [Page 2]
RFC 3713             Camellia Encryption Algorithm            April 2004

   128-bit key K:
       KL = K;    KR = 0;

   192-bit key K:
       KL = K >> 64;
       KR = ((K & MASK64) << 64) | (~(K & MASK64));

   256-bit key K:
       KL = K >> 128;
       KR = K & MASK128;

   The 128-bit variables KA and KB are generated from KL and KR as
   follows.  Note that KB is used only if the length of the secret key
   is 192 or 256 bits.  D1 and D2 are 64-bit temporary variables.  F-
   function is described in Section 2.4.

   D1 = (KL ^ KR) >> 64;
   D2 = (KL ^ KR) & MASK64;
   D2 = D2 ^ F(D1, Sigma1);
   D1 = D1 ^ F(D2, Sigma2);
   D1 = D1 ^ (KL >> 64);
   D2 = D2 ^ (KL & MASK64);
   D2 = D2 ^ F(D1, Sigma3);
   D1 = D1 ^ F(D2, Sigma4);
   KA = (D1 << 64) | D2;
   D1 = (KA ^ KR) >> 64;
   D2 = (KA ^ KR) & MASK64;
   D2 = D2 ^ F(D1, Sigma5);
   D1 = D1 ^ F(D2, Sigma6);
   KB = (D1 << 64) | D2;

   The 64-bit constants Sigma1, Sigma2, ..., Sigma6 are used as "keys"
   in the F-function.  These constant values are, in hexadecimal
Show full document text