[Ach] getting rid of CAMELLIA

Aaron Zauner azet at azet.org
Thu Feb 6 22:30:18 CET 2014

Hi List,

Since there wasn't any conclusion at the last meeting I've been to and
nobody mentioned it again:

We need to speak about CAMELLIA and the obvious issues involved. A couple
of external people already told us they do not understand this choice of
preference in the ciphersuite

1) It'll soon be unavailable in ANY client software available
2) security analysis is by far not as extensive as with AES
3) there are no plans to implement in new client or server software
4) most people I know do not understand how the cipher actually works -
simply because nobody bothers to - It's pretty similar to AES
5) there are no constant-time implementations and no attempts to implement
CAMELLIA in constant time

I still do not understand why we have this stuff in there. I've heard a
couple of reasons:

- pro: one is that we want more ciphers in case AES gets broken
-- contra: I don't think that is a realistic argument, since it is the most
well audited cipher in human history and no attacks come anywhere close to
be useful besides for academic publications on reduced rounds of the cipher
[that nobody implements!]). Besides, it not being implemented in any client
software will essentially end in clients "downgrading" to AES.

- pro: we need more ciphers in there
-- contra: why? and if so we should recommend ciphers that are bulletproof
as is AES.

- pro: It's the prefered cipher in Japan
-- contra: enigma was the prefered cipher of the germans. does anybody
remember alan turing? right. GOST was the prefered cipher of the russians
(and even russian banks up until the mid 1990ties).

I'm not saying CAMELLIA is a bad cipher, but it's almost obsolete, not as
well audited as most other algorithms we reference in the paper and I
simply to not see any reason to get the ciphersuite more complicated. One
poster to the mailinglist amptly pointed out that we currently try to
promote CAMELLIA but due to the way we have the cipherstring in our paper
currently it actually has no effect.

Did I mention already that AES is one of the few algorithms which provides
the same security even if shor's algorithm can be implemented in a quantum
computer (which is a thing that we'll probably not see in the next 15
years, but still)?

Food for thought,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20140206/72f97b62/attachment.html>

More information about the Ach mailing list