[Ach] Proposal to change B cipher spec

ianG iang at iang.org
Sun Apr 6 16:36:47 CEST 2014


On 6/04/2014 07:33 am, David Durvaux wrote:
> Hello,
> 
> 2014-04-04 22:31 GMT+02:00 ianG <iang at iang.org>:
> 
>     On 2/04/2014 21:29 pm, Aaron Zauner wrote:
>     > While we're at it, could we get rid of camellia as well?
>     >
>     >       * no constant time implementation
>     >       * no extensive cryptanalysis - at least not as extensive as AES
>     >       * not actively used anywhere as far as I'm aware of
> 
> 
>     I believe it should be got rid of.  It is not used enough, and it
>     represents a drag on other implementations.  Its purpose is to allow a
>     switch-over algorithm in case AES goes bad, but I see no history that
>     this has worked well for us.
> 
> 
> I think it would be a mistake.  Not so much from a technical point of
> view (I do trust and use AES) but from a "political" point of view.
> When I was in Zurich with Aaron Kaplan, I had a long discussion with some
> techies asking why AES?
> 
> Their point is that AES is a NIST-approved algorithm.  The related
> question is then: should we trust it?  (Which is quite funny, as NIST is
> supposed to be there to give trust in algorithms.)  The idea was that we
> had to propose an alternative to the officially approved algorithm and let the
> user choose.


Well, AES wasn't an NSA-influenced algorithm.  It was chosen (by NIST)
out of 5 contenders whittled down from 30.  NSA's comments were
apparently limited to "no disagreement with any of the 5" which was
remarkable at the time.

I was part of that project, and when we were on it, we could see how it
was all panning out.  The competition at the 30 level was light and
amusing, one of them even got knocked out in his original presentation
by a breach.  But by the time it got to the final 5, the competition was
fierce.  Attention was very strong.  And there wasn't much between the 5.

At the time, we on the Cryptix team (one of us provided their Java
analysis framework, and another wrote the Rijndael) predicted it would
be Rijndael that would win.  Most of us were not real cryptographers, we
were all software guys except Paulo who was a cryptographer, but we
could feel the various weights of criticism and so forth.

(Having said that, I suppose we could re-analyse the question of AES
influence in the AES choice, as we now know their influence was far more
serious during the years that followed.)


> As far as I know, we cannot reject Camellia.  So, why throw it away?
>  On the contrary, we have to clearly state that while nothing proves that
> Camellia isn't secure, there is less research against Camellia than
> against other algorithms like AES.


The problem we face is not a question of whether Camellia is secure or
not; we're pretty sure it is secure (IMHO).  The problem is how we get
better crypto into the hands of the users.

One huge mammoth planetary mistake that the TLS WG has fallen into is the
smorgasbord of cipher suites and algorithms.  There is some sort of
self-centered logic driving this.  But the result is a nightmare out in
user-land, which results in a lower likelihood that whatever happens is
secure.

In contrast, I suggest there be only one cipher suite, and we get it
right [0].  This is backed up by the rather terrible history of anyone
who has tried to switch to a spare algorithm mid-stream.  Yes, people
have done things, and tried things, but it hasn't really worked so well.
The only known partial success was that BEAST thing switching back to
RC4.  Hardly an endorsement.




>     Also, in the future, there are going to be new suites.  I suspect for
>     their sins the TLS community is trying to get a new suite in place using
>     ChaCha/poly.
> 
> 
> I did indeed hear Vincent Rijmen say in a presentation that they have started working
> on a new generation of algorithms ;).  Let's wait and see :-D.


Right.  AES is now late 1990s.  It's another 5 years away from being 20
years old.  We do know quite a bit more.  Especially, the whole software
engineering side has shifted away from block ciphers, and now the AE is
the way to go.

AES will play little part in that.  Even in the world of DJB algorithms,
it's a mess.  We've got Salsa, ChaCha, both also in X mode, both with 2
key sizes and 3 round lengths, coupled with Poly1305 in two different
styles between the various popular uses, and Poly1305 drags in another
block algorithm to boot, e.g., AES.  And, not to mention a mishmash of
test vectors scattered over the map.

In sum, the ChaCha/Poly combination is also a stopgap measure.


> So to conclude, I would keep CAMELIA except if we have a good reason to
> reject it.


It's definitely a strategy question.



iang


http://iang.org/ssl/h1_the_one_true_cipher_suite.html



