Version: Next

Camellia-OFB

Algorithm

Output feedback (OFB) with Camellia builds a keystream from a 16-byte register. Each step replaces the register with Camellia_encrypt(register) (forward cipher only), then XORs up to 16 bytes of that output with the next input segment. The IV seeds the register before the first encryption.

Encryption and decryption use the same XOR with the same IV-derived keystream. Unlike Camellia-CTR, successive keystream blocks depend on a chain of Camellia encryptions on the register, not on incrementing a counter. There is no authentication tag.

Purpose

Use Camellia-OFB when a legacy profile requires it. For new work that needs integrity, prefer an AEAD such as AES-GCM or ChaCha20-Poly1305.

Rust API

  • Crate: noxtls-crypto
  • Module path (conceptual): noxtls_crypto::sym (re-exported at crate root)
  • Primary symbols:
    • CamelliaCipher
    • noxtls_camellia_ofb_apply
    • noxtls_camellia_ofb_encrypt
    • noxtls_camellia_ofb_decrypt

Functions and types:

  • noxtls_camellia_ofb_apply(cipher, iv, input) -> Vec<u8> - Parameters: cipher is an initialized CamelliaCipher; iv is a 16-byte initial OFB register; input is plaintext or ciphertext of any length. Behavior: XORs input with the Camellia-OFB keystream. Returns: output Vec<u8> of the same length (encrypt and decrypt are the same operation).
  • noxtls_camellia_ofb_encrypt(cipher, iv, plaintext) -> Vec<u8> - Same as noxtls_camellia_ofb_apply for encrypt naming.
  • noxtls_camellia_ofb_decrypt(cipher, iv, ciphertext) -> Vec<u8> - Same keystream XOR as encrypt; use the same iv as for encryption.

Feature flags and policy

Standard noxtls-crypto build.

Examples

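use noxtls_crypto::{CamelliaCipher, noxtls_camellia_ofb_decrypt, noxtls_camellia_ofb_encrypt};

fn main() -> Result<(), noxtls_core::Error> {
    // 128-bit key; the constant bytes are for illustration only.
    let cipher = CamelliaCipher::new(&[0x51u8; 16])?;
    // Fixed IV keeps the example reproducible; real messages need a unique, unpredictable IV.
    let iv = [0u8; 16];
    let plaintext = b"cam-ofb";
    let ciphertext = noxtls_camellia_ofb_encrypt(&cipher, &iv, plaintext);
    // Decryption regenerates the same keystream from the same IV.
    let recovered = noxtls_camellia_ofb_decrypt(&cipher, &iv, &ciphertext);
    assert_eq!(recovered.as_slice(), plaintext.as_slice());
    Ok(())
}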

Security and compatibility

Use an unpredictable unique IV per key and message (or follow the profile’s IV rules). Reusing (key, iv) for different messages exposes XOR of plaintexts. Ciphertext is malleable; add a MAC or AEAD if you need integrity.
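
The register chaining from the Algorithm section and the two properties stated above ((key, iv) reuse and malleability), as an added example that is not noxtls-crypto code. `toy_block` is a placeholder block function with no security value standing in for Camellia, and every name and sample value here is constructed for the illustration.

```rust
// Added illustration, not noxtls-crypto code. `toy_block` is a hypothetical
// stand-in with no security value; a real build would call Camellia here.
fn toy_block(key: &[u8; 16], block: &[u8; 16]) -> [u8; 16] {
    let mut out = [0u8; 16];
    for i in 0..16 {
        out[i] = (block[i] ^ key[i]).rotate_left(3).wrapping_add(block[(i + 1) % 16]) ^ key[(i + 5) % 16];
    }
    out
}

/// OFB: register = E(register), then XOR up to 16 bytes of it with the next segment.
fn ofb_apply(key: &[u8; 16], iv: &[u8; 16], input: &[u8]) -> Vec<u8> {
    let mut register = *iv; // the IV seeds the register
    let mut out = Vec::with_capacity(input.len());
    for segment in input.chunks(16) {
        register = toy_block(key, &register); // forward direction only
        out.extend(segment.iter().zip(register.iter()).map(|(b, k)| b ^ k));
    }
    out
}

fn xor(a: &[u8], b: &[u8]) -> Vec<u8> {
    a.iter().zip(b).map(|(x, y)| x ^ y).collect()
}

/// Same (key, iv) for two messages: the keystream cancels, so c1 XOR c2 == p1 XOR p2.
fn reuse_leak(key: &[u8; 16], iv: &[u8; 16], p1: &[u8], p2: &[u8]) -> bool {
    xor(&ofb_apply(key, iv, p1), &ofb_apply(key, iv, p2)) == xor(p1, p2)
}

/// A bit flipped in the ciphertext flips the same plaintext bit; decryption reports no error.
fn tampered_plaintext(key: &[u8; 16], iv: &[u8; 16], plaintext: &[u8], index: usize, mask: u8) -> Vec<u8> {
    let mut c = ofb_apply(key, iv, plaintext);
    c[index] ^= mask;
    ofb_apply(key, iv, &c)
}

fn main() {
    let (key, iv) = ([0x51u8; 16], [0x0Fu8; 16]); // constructed sample values
    let (p1, p2) = (b"pay 10 to alice", b"pay 99 to carol"); // constructed messages
    println!("reuse exposes p1 XOR p2: {}", reuse_leak(&key, &iv, p1, p2));
    let t = tampered_plaintext(&key, &iv, p1, 4, b'1' ^ b'9');
    println!("after one flipped byte: {}", String::from_utf8_lossy(&t));
}
```

Both properties come from the XOR-keystream structure, not from the block function, so they hold unchanged when Camellia replaces the placeholder.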