[Ach] Camellia

ianG iang at iang.org
Mon Jan 6 08:33:54 CET 2014

Much as people like democracy and locally written algorithms, security 
is not a social endeavor.  It has network effects, and in this game, 
winner typically takes all.

I agree entirely that there is no positive, rational reason to include 
Camellia.  Nice as it might be...

If you're going to recommend better crypto as opposed to more crypto, 
you have to actually be cutting about the recommendation, and drop any 
local favourites.


On 6/01/14 00:40 AM, Jeff Hodges wrote:
> Camellia and AES are roughly equivalent in strength and equivalent in
> difficulty to make constant time[1]. However, AES has had significant
> investment to build constant-time implementations culminating with
> AES-NI, now a standard feature on server CPUs. Camellia has not had such
> far-reaching work done for its implementations. Finally, most major web
> services do not prefer Camellia, and the number of uses of it is growing
> smaller[2].
> Because of that, putting Camellia in the cipher string is bad for
> interop, and bad for security, especially as a first preference.
> Removing it completely, since there are other cipher suites of
> equivalent strength and better support, would be best.
> [1] The use of S-boxes is what does them in, as they make timing
> attacks against processor caches possible.
> [2] Firefox, it seems, is one of the last major users and they are
> dropping it behind the AES ciphers soon in 27. Their developers
> expect Camellia to drop off the map afterwards.