ου γαρ εστιν κρυπτον ο ου φανερον γενησεται ουδε αποκρυφον ο ου γνωσθησεται και εις φανερον ελθη  # Camellia

• Description
• Algorithm
• Block diagrams
• Mathematical functions
• Implementation
The cipher was developed in Japan by Mitsubishi and NTT companies in 2000. It was later approved by the International Organization for Standardization (ISO), the European Union's NESSIE project and the Japanese CRYPTREC project.
Block cipher with symmetric secret key
Block length = 128 bits
Key length = 128, 192 or 256 bits

Camellia was designed to be efficient for both software and hardware implementations and it is used in various devices from low-cost smart cards to high-speed network protocols.

Camellia is a symmetric block cipher with secret key of size of 128, 192 or 256 bits. The length of plaintext and ciphertext blocks is always equal to 128 bits.

In the following description, the original names of variables and functions the Camellia documentation are used to describe its algorithm.

The most importnt elements of the algorithm are F-functions. They are used during encryption, decryption and creating helper variables of the key. The F-function takes 128 input bits, mixes them with bits of subkeys ki and returns 128 new bits. Modification of bits in the F-function is referred to as one round of the algorithm. F-function calls are gathered in blocks. Each block contains six rounds.

Six-round blocks (that means block of six calls of  the F-function) are separated by calls of FL-functions and FL-1-functions. They manipulate 64-bit long parts of data and mix them with subkeys kli.

Both encryption and decryption algorithms are about to perform some repetitions of the 6-round blocks described above. The number of repetitions depends on the length of the currently used secret key:

• 3 repetitions of the 6-round blocks - for the 128-bit secret key,
• 4 repetitions of the 6-round blocks - for the 192-bit or 256-bit secret keys.

Furthermore, at the beginning and at the end of both encryption and decryption algorithms, additional operations are performed: data bits are added to bits of subkeys kwi.

Subkeys, which are used to encrypt each data block (or to decrypt each ciphertext block), are created in the separate process. Tens of subkeys are calculated from the secret key for each block. They are used for various operations in the main algorithm.

## Key schedule

The secret key using in the Camellia cipher can consist of 128, 192 or 256 bits. In order to encrypt data blocks, one have to create a few helper variables and then subkeys, based on secret key bits. Each subkey is 64-bit long.

At first, one should calculate two variables of size of 128 bits (KL and KR) and four variables of size of 64 bits (KLL, KLR, KRL and KRR). The following equations describe connections between those variables:

• KLL = 64 left bits of KL
• KLR = 64 right bits of KL
• KRL = 64 left bits of KR
• KRR = 64 right bits of KR

The rest of connections should be determined based on the length of the secret key K.

• for the 128-bit long key:
• KL = K
• KR = 0
• for the 192-bit long key:
• KL = 128 left bits of K
• KRL = 64 right bits of K
• KRR = ~KRL (negation of bits)
• for the 256-bit long key:
• KL = 128 left bits of K
• KR = 128 right bits of K

Then, it is possible to calculate two new helper variables: KA and KB, based on the previous ones. They are both 128-bit long. KB is nonzero if and only if the secret key consists of 192 or 256 bits. While creating KA and KB one should use six help constant values, which are referred to as ∑i.

At the end, based on four 128-bit long just created variables KL, KR, KA and KB, one should compute all secret subkeys of size of 64 bits: ki, kwi and kli. Subkeys are used in all the steps during encryption and decryption in the Camellia algorithm.

Camellia - encryption for 192 or 256-bit key
Camellia - decryption for 192 or 256-bit key
Camellia - creating helper variables of key

Camellia uses a few basic bitwise operations: bitwise AND, bitwise OR, exclusive OR (XOR), logical negation on all bits and left circular rotation of the operand by n bits: <<< n (leftmost bits move to rightmost positions of the variable).

Beyond those operations, there are defined some more complex functions. They are used during encryption and decryption processes, and during creating subkeys.

S-function

S-function is used inside the F-function. The input data of size of 64 bits are substituted by other 8 bytes, which are returns for further processing.

The function uses four substitution tables. They are referred to as s-boxes.

The input data is divided into eight separate bytes x1,...,x8. x1 contains eight leftmost bits, x2 contains eight next bits and x8 contains eight last rightmost bits.

Every of the s-blocks changes eight received bits into eight other bits indicated by the table. The four s-blocks are referred to as s1,...,s4. If y1,...,y8 are the eight subsequent output bytes (the byte y1 contains leftmost input bits, y8 contains rightmost output bits), modifications performed by the S-function can be defined as:

y1 = s1(x1)
y2 = s2(x2)
y3 = s3(x3)
y4 = s4(x4)
y5 = s2(x5)
y6 = s3(x6)
y7 = s4(x7)
y8 = s1(x8)

s-box s1 contains 256 following numbers:

 112 130 44 236 179 39 192 229 228 133 87 53 234 12 174 65 35 239 107 147 69 25 165 33 237 14 79 78 29 101 146 189 134 184 175 143 124 235 31 206 62 48 220 95 94 197 11 26 166 225 57 202 213 71 93 61 217 1 90 214 81 86 108 77 139 13 154 102 251 204 176 45 116 18 43 32 240 177 132 153 223 76 203 194 52 126 118 5 109 183 169 49 209 23 4 215 20 88 58 97 222 27 17 28 50 15 156 22 83 24 242 34 254 68 207 178 195 181 122 145 36 8 232 168 96 252 105 80 170 208 160 125 161 137 98 151 84 91 30 149 224 255 100 210 16 196 0 72 163 247 117 219 138 3 230 218 9 63 221 148 135 92 131 2 205 74 144 51 115 103 246 243 157 127 191 226 82 155 216 38 200 55 198 59 129 150 111 75 19 190 99 46 233 121 167 140 159 110 188 142 41 245 249 182 47 253 180 89 120 152 6 106 231 70 113 186 212 37 171 66 136 162 141 250 114 7 185 85 248 238 172 10 54 73 42 104 60 56 241 164 64 40 211 123 187 201 67 193 21 227 173 244 119 199 128 158

S-blocks return values determined by the one-byte input number. All cells in the table are numbered from 0 to 255, from left to right and from top to bottom. For example s1 is equal to 112, s1 is equal to 130, and s1 is equal to 158.

The remaining three s-boxes can be also defined as tables of 256 numbers. Alternatively, their substitutions can be defined as operations on s1, with changed input data:

s2(x) := (s1(x) <<< 1)
s3(x) := (s1(x) >>> 1)
s4(x) :=   s1(x<<<1)

P-function

P-function is used inside the F-function. P-function takes input data of size of 8 bytes (which are output bytes of the S-function), modifies them and returns the vector, which is also 8-byte long. Output data of the P-function is also output data of the F-function.

The input data is divided into eight separate bytes x1,...,x8. The byte x1 contains leftmost eight bits, x2 next eight bits, and x8 contains rightmost eight bits.

If y1,...,y8 are the eight subsequent output bytes (y1 contains eight leftmost bits, y2 next eight bits, and y8 contains rightmost eight output bits), modifications performed by the P-function can be defined as:

y1 = x1 XOR x3 XOR x4 XOR x6 XOR x7 XOR x8
y2 = x1 XOR x2 XOR x4 XOR x5 XOR x7 XOR x8
y3 = x1 XOR x2 XOR x3 XOR x5 XOR x6 XOR x8
y4 = x2 XOR x3 XOR x4 XOR x5 XOR x6 XOR x7
y5 = x1 XOR x2 XOR x6 XOR x7 XOR x8
y6 = x2 XOR x3 XOR x5 XOR x7 XOR x8
y7 = x3 XOR x4 XOR x5 XOR x6 XOR x8
y8 = x1 XOR x4 XOR x5 XOR x6 XOR x7

F-function

F-function is on of the main functions. It is used during encryption and decryption processes, and during creating subkeys. The input data X of size of 64 bits are mixed with one of the subkeys k (also 64-bit long). The function returns a 64-bit long output block Y.

Data bits are added XOR to key bits and the result is modified by two functions S and P.

(X, k) -> Y  =>  P (S (X XOR k)) -> Y

FL-function

FL-function is used during both encryption and decryption processes. It takes 64-bit long input data and one of the subkeys, then it performs some modifications and finally it returns a block of data, which contains also 64 bits.

An input data block is referred to as X, while Y is a 64-bit long output block. kl is one of the subkeys created before:

(X, kl) -> Y  =>  (XL || XR, klL || klR) -> YL || YR

At the beginning X is divided into two 32-bit long parts: XL contains 32 left bits of X, and XR contains 32 right bits of X. Then, two new blocks (each 32-bit long) are calculated:

YR = ((XL AND klL) <<< 1) XOR XR
YL = (YR OR klR) XOR XL

YL contains 32 left output bits of the FL-function, and YR contains 32 right output bits.

FL-1-function

FL-1-function is used during both encryption and decryption processes. It takes 64-bit long input data and one of the subkeys, then it performs some modifications and finally it returns a block of data, which contains also 64 bits.

An input data block is referred to as X, while Y is a 64-bit long output block. kl is one of the subkeys created before:

(Y, kl) -> X  =>  (YL || YR, klL || klR) -> XL || XR

At the beginning Y is divided into two 32-bit long parts: YL contains 32 left bits of Y, and YR contains 32 right bits of Y. Then, two new blocks (each 32-bit long) are calculated:

XL = (YR OR klR) XOR YL
XR = ((XL AND klL) <<< 1) XOR YR

XL contains 32 left output bits of the FL-1-function, and XR contains 32 right output bits.

The key schedule constants
During creating subkeys in encryption and decryption processes, one should use six constant predefined values, commonly referred to as i.

The values below are 64-bit long and they are presented in hexadecimal.

 ∑1 0xA09E667F3BCC908B ∑2 0xB67AE8584CAA73B2 ∑3 0xC6EF372FE94F82BE ∑4 0x54FF53A5F1D36F1C ∑5 0x10E527FADE682D1D ∑6 0xB05688C2B3E6C1FD
Creating subkeys

Using four 128-bit long variables KL, KR, KA and KB one should calculate subkeys ki, kwi and kli (all subkeys have 64 bits).

The table for creating subkeys for the secret key of size of 128 bits:
kw1 64 left bits KLat the beginning
kw264 right bits KLat the beginning
k164 left bits KAF (round 1)
k264 right bits KAF (round 2)
k3 64 left bits (KL <<< 15)F (round 3)
k4 64 right bits (KL <<< 15)F (round 4)
k5 64 left bits (KA <<< 15)F (round 5)
k6 64 right bits (KA <<< 15)F (round 6)
kl1 64 left bits (KA <<< 30)FL
kl2 64 right bits (KA <<< 30)FL-1
k7 64 left bits (KL <<< 45) F (round 7)
k8 64 right bits (KL <<< 45) F (round 8)
k9 64 left bits (KA <<< 45) F (round 9)
k10 64 right bits (KL <<< 60) F (round 10)
k12 64 left bits (KA <<< 60) F (round 11)
k12 64 right bits (KL <<< 60) F (round 12)
kl3 64 left bits (KL <<< 77) FL
kl4 64 right bits (KL <<< 77) FL-1
k13 64 left bits (KL <<< 94) F (round 13)
k14 64 right bits (KL <<< 94) F (round 14)
k15 64 left bits (KA <<< 94) F (round 15)
k16 64 right bits (KA <<< 94) F (round 16)
k17 64 left bits (KL <<< 111) F (round 17)
k18 64 right bits (KL <<< 111) F (round 18)
kw3 64 left bits (KA <<< 111) at the end
kw4 64 right bits (KA <<< 111) at the end
The table for creating subkeys for the secret keys of size of 192 bits and 256 bits:
kw1 64 left bits KLat the beginning
kw264 right bits KLat the beginning
k1 64 left bits KBF (round 1)
k2 64 right bits KBF (round 2)
k3 64 left bits (KR <<< 15)F (round 3)
k4 64 right bits (KR <<< 15)F (round 4)
k5 64 left bits (KA <<< 15)F (round 5)
k6 64 right bits (KA <<< 15)F (round 6)
kl1 64 left bits (KR <<< 30)FL
kl2 64 right bits (KR <<< 30)FL-1
k7 64 left bits (KB <<< 30) F (round 7)
k8 64 right bits (KB <<< 30) F (round 8)
k9 64 left bits (KL <<< 45) F (round 9)
k10 64 right bits (KL <<< 45) F (round 10)
k12 64 left bits (KA <<< 45) F (round 11)
k12 64 right bits (KA <<< 45) F (round 12)
kl3 64 left bits (KL <<< 60) FL
kl4 64 right bits (KL <<< 60) FL-1
k13 64 left bits (KR <<< 60) F (round 13)
k14 64 right bits (KR <<< 60) F (round 14)
k15 64 left bits (KB <<< 60) F (round 15)
k16 64 right bits (KB <<< 60) F (round 16)
k17 64 left bits (KL <<< 77) F (round 17)
k18 64 right bits (KL <<< 77) F (round 18)
kl5 64 left bits (KA <<< 77) FL
kl6 64 right bits (KA <<< 77) FL-1
k19 64 left bits (KR <<< 94) F (round 19)
k20 64 right bits (KR <<< 94) F (round 20)
k21 64 left bits (KA <<< 94) F (round 21)
k22 64 right bits (KA <<< 94) F (round 22)
k23 64 left bits (KL <<< 111) F (round 23)
k24 64 right bits (KL <<< 111) F (round 24)
kw3 64 left bits (KB <<< 111) at the end
kw4 64 right bits (KB <<< 111) at the end

On the website of NTT Corporation you can find source codes and detailed descriptions of the Camellia cipher:
info.isl.ntt.co.jp/crypt/eng/camellia