[Ach] getting rid of CAMELLIA

Aaron Zauner azet at azet.org
Thu Feb 6 22:42:38 CET 2014

Aeh. forget the part about shor's. Thats factoring specific. Not sure why I
associated AES with that. O_o.

So the idea is that quantum computers can brute force some algorithms in
polynomial time. AES is one of the algorithms that still provides good
security, I've been googling for a non-scientific article on the topic:

By the way, good symmetric algorithms, e.g. AES, don’t have flaws allowing
that kind of dramatic bruteforcing speedup. By existing estimates,
bruteforcing 256-bit AES key on quantum computer is equal to bruteforcing
128-bit AES on a classic computer, so security levels remain very high.


On Thu, Feb 6, 2014 at 10:30 PM, Aaron Zauner <azet at azet.org> wrote:

> Hi List,
> Since there wasn't any conclusion at the last meeting I've been to and
> nobody mentioned it again:
> We need to speak about CAMELLIA and the obvious issues involved. A couple
> of external people already told us they do not understand this choice of
> preference in the ciphersuite
> 1) It'll soon be unavailable in ANY client software available
> 2) security analysis is by far not as extensive as with AES
> 3) there are no plans to implement in new client or server software
> 4) most people I know do not understand how the cipher actually works -
> simply because nobody bothers to - It's pretty similar to AES
> 5) there are no constant-time implementations and no attempts to implement
> CAMELLIA in constant time
> I still do not understand why we have this stuff in there. I've heard a
> couple of reasons:
> - pro: one is that we want more ciphers in case AES gets broken
> -- contra: I don't think that is a realistic argument, since it is the
> most well audited cipher in human history and no attacks come anywhere
> close to be useful besides for academic publications on reduced rounds of
> the cipher [that nobody implements!]). Besides, it not being implemented in
> any client software will essentially end in clients "downgrading" to AES.
> - pro: we need more ciphers in there
> -- contra: why? and if so we should recommend ciphers that are bulletproof
> as is AES.
> - pro: It's the prefered cipher in Japan
> -- contra: enigma was the prefered cipher of the germans. does anybody
> remember alan turing? right. GOST was the prefered cipher of the russians
> (and even russian banks up until the mid 1990ties).
> I'm not saying CAMELLIA is a bad cipher, but it's almost obsolete, not as
> well audited as most other algorithms we reference in the paper and I
> simply to not see any reason to get the ciphersuite more complicated. One
> poster to the mailinglist amptly pointed out that we currently try to
> promote CAMELLIA but due to the way we have the cipherstring in our paper
> currently it actually has no effect.
> Did I mention already that AES is one of the few algorithms which provides
> the same security even if shor's algorithm can be implemented in a quantum
> computer (which is a thing that we'll probably not see in the next 15
> years, but still)?
> Food for thought,
> Aaron
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20140206/3d52f2dd/attachment.html>

More information about the Ach mailing list