Camellia is considered a modern, safe cipher. Even using the smaller key size option (128 bits), it's considered infeasible to break it by brute-force attack on the keys with current technology. There are no known successful attacks that weaken the cipher considerably. The cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the JapaneseCRYPTREC project. The Japanese cipher has security levels and processing abilities comparable to the AES/Rijndael cipher.
The Camellia (as well as AES) S-boxes can be described by a system of 23 quadratic equations in 80 terms.
The key schedule can be described by 1,120 equations in 768 variables using 3,328 linear and quadratic terms.
The entire block cipher can be described by 5,104 equations in 2,816 variables using 14,592 linear and quadratic terms.
In total, 6,224 equations in 3,584 variables using 17,920 linear and quadratic terms are required.
The number of free terms is 11,696, which is approximately the same number as for AES.
Theoretically, such properties might make it possible to break Camellia (and AES) using an algebraic attack, such as extended sparse linearisation, in the future, provided that the attack becomes feasible.
Although Camellia is patented, it is available under a royalty-free license. This has allowed the Camellia cipher to become part of the OpenSSL Project, under an open-source license, since November 2006. It has also allowed it to become part of the Mozilla's NSS (Network Security Services) module.
Support for Camellia was added to the final release of Mozilla Firefox 3 in 2008 (disabled by default as of Firefox 33 in 2014 in spirit of the "Proposal to Change the Default TLS Ciphersuites Offered by Browsers", and has been dropped from version 37 in 2015). Pale Moon, a fork of Mozilla/Firefox, continues to offer Camellia and had extended its support to include Galois/Counter mode (GCM) suites with the cipher, but has removed the GCM modes again with release 27.2.0, citing the apparent lack of interest in them.
Later in 2008, the FreeBSD Release Engineering Team announced that the cipher had also been included in the FreeBSD 6.4-RELEASE. Also, support for the Camellia cipher was added to the disk encryption storage class geli of FreeBSD by Yoshisato Yanagisawa.
On March 26, 2013, Camellia was announced as having been selected again for adoption in Japan's new e-Government Recommended Ciphers List as the only 128-bit block cipher encryption algorithm developed in Japan. This coincides with the CRYPTREC list being updated for the first time in 10 years. The selection was based on Camellia's high reputation for ease of procurement, and security and performance features comparable to those of the Advanced Encryption Standard (AES). Camellia remains unbroken in its full implementation. An impossible differential attack on 12-round Camellia without FL/FL−1 layers does exist.
The S-boxes used by Camellia share a similar structure to AES's S-box. As a result, it is possible to accelerate Camellia software implementations using CPU instruction sets designed for AES, such as x86 AES-NI.
Camellia has been certified as a standard cipher by several standardization organizations:
^RFC 4132 Addition of Camellia Cipher Suites to Transport Layer Security (TLS)
Alex Biryukov; Christophe De Canniere (2003), "Block ciphers and systems of quadratic equations", Lecture Notes in Computer Science, proceedings of FSE 2003, Springer-Verlag, pp. 274–289, CiteSeerX10.1.1.95.349