๐ฏ๐ต Exhibit 1 โ Camellia-256
ISO/IEC 18033-3 ยท IETF RFC 3713 ยท CRYPTREC approved
Structure: Feistel network with SPN-like keying layers (FL/FLโปยน)
Block size: 128-bit ยท Key sizes: 128, 192, 256-bit
Interactive Encrypt / Decrypt
Side-by-Side: Camellia-256-CBC vs AES-256-CBC
Same plaintext, same key, same IV โ different ciphertext. Both decrypt correctly.
Camellia-256-CBC
AES-256-CBC
Round Structure
Camellia uses 18 rounds for 128-bit keys or 24 rounds for 192/256-bit keys. AES uses 10/12/14 rounds for the same key sizes. Camellia's extra rounds were a deliberate conservative design decision โ more rounds mean a larger security margin against future cryptanalysis.
Camellia is the only national cipher in this demo included in TLS cipher suites for international use (RFC 4132). It has equivalent security to AES, a published design rationale, and is actively maintained by CRYPTREC. For systems requiring AES alternatives with strong international vetting, Camellia is the most defensible choice.
๐ฐ๐ท Exhibit 2 โ ARIA-256
Korean Standard KS X 1213 ยท ISO/IEC 18033-3
Structure: SPN (like AES) with involutory S-boxes
Block size: 128-bit ยท Key sizes: 128, 192, 256-bit
Interactive Encrypt / Decrypt
Involutory S-box Visualizer
ARIA's S-boxes are involutory: applying the same S-box twice returns the original value. Encryption and decryption share the same circuit โ a significant hardware advantage.
Contrast with AES: AES uses separate SubBytes and InvSubBytes operations. ARIA's involutory design means the same S-box serves both, reducing hardware gate count.
ARIA is legally required for products sold into Korean government and financial markets. Its involutory design is not a weakness โ it is a deliberate engineering choice that reduces hardware gate count. If you are building systems for Korean regulatory compliance, ARIA is not optional.
๐จ๐ณ Exhibit 3 โ SM4
GB/T 32907-2016 ยท ISO/IEC 18033-3
Structure: 32-round non-balanced Feistel network with nonlinear T-transform
Block size: 128-bit ยท Key size: 128-bit only (no 192 or 256-bit variant)
Interactive Encrypt / Decrypt
SM4 has a fixed 128-bit key with no larger variant. At 128-bit classical security, SM4 provides approximately 64-bit post-quantum security (Grover's algorithm halves symmetric key strength). This is below the NIST post-quantum recommendation of 128-bit PQ security.
SM4 + classical security only โ plan accordingly. For long-term data protection in a post-quantum world, SM4 alone is insufficient.
SM4 is required for products operating in Chinese markets, including WAPI (Chinese Wi-Fi standard, required for devices sold in China), Chinese banking systems, and government procurement. China's Cryptography Law (2020) mandates OSCCA-approved algorithms for certain categories of data.
The design rationale for SM4's S-box has been partially published but not with the same transparency as AES's design criteria.
If your product is sold or operated in China, SM4 is not a choice โ it is a legal requirement. Understanding its structure and limitations (fixed 128-bit key, partial design transparency) is essential for any engineer working in Chinese-regulated markets.
๐ท๐บ Exhibit 4 โ Kuznyechik
GOST R 34.12-2015 ยท ISO/IEC 18033-3
Replaces the older GOST 28147-89 block cipher
Structure: SPN with a 10-round substitution-permutation network
Block size: 128-bit ยท Key size: 256-bit only
Interactive Encrypt / Decrypt
Kuznyechik's S-box was published without any design rationale. In 2019, independent researchers (Lรฉo Perrin et al.) discovered that the S-box has an unusual hidden structure โ it can be decomposed in ways that suggest it was not generated randomly, but was constructed using an undisclosed process. The FSB has not responded to these findings.
This is categorically different from:
- AES: S-box derived from multiplicative inverse in GF(2โธ), fully documented
- Camellia: design criteria published, S-box generation explained
- ARIA: involutory S-boxes, construction documented
Use Kuznyechik ONLY when Russian regulatory compliance requires it. The S-box transparency concern is unresolved. For any other use case, AES-256-GCM, Camellia-256, or ARIA-256 are preferable.
Kuznyechik is required by Russian law for government and certain commercial applications. The S-box controversy does not mean it is definitely backdoored โ but the lack of design transparency is a meaningful distinction from every other cipher in this demo. Engineers should understand this tradeoff before deployment.
๐ Exhibit 5 โ Four-Way Comparison
Comparison Table
| Property | Camellia-256 | ARIA-256 | SM4 | Kuznyechik |
|---|---|---|---|---|
| Country | Japan | South Korea | China | Russia |
| Designer | NTT / Mitsubishi | NSRI Korea | OSCCA | FSB Russia |
| Year | 2000 | 2003 | 2006 | 2015 |
| Block size | 128-bit | 128-bit | 128-bit | 128-bit |
| Key sizes | 128 / 192 / 256 | 128 / 192 / 256 | 128 only | 256 only |
| Structure | Feistel + SPN | SPN | Feistel | SPN |
| ISO/IEC 18033-3 | โ | โ | โ | โ |
| TLS cipher suite | โ (RFC 4132) | โ | โ (China TLS) | โ |
| Design transparency | โ Full | โ Full | Partial | โ S-box opaque |
| PQ security (128-bit key) | โ | โ | โ (64-bit PQ) | โ |
| Use when | AES alternative | Korean compliance | China compliance | Russian compliance |
| Trust level | High | High | Medium | Use with caution |
Decision Tree
All four of these ciphers appear in crypto-compare. This demo covers the practical encrypt/decrypt behavior. For deeper algorithm reference including security estimates, see: systemslibrarian.github.io/crypto-compare/