The press release says
>> > Camellia was designed to ensure security in usage for more than 20 years
>> > and to provide high speed in software and hardware implementation as well as
>> > compactness of hardware chips. Camellia therefore provides world's highest
>> > level performance in terms of efficiency and practicality on various platforms.
But it doesn't say several important things:
- Is the algorithm free, or does it require a commercial license to use?
If it's not free, it's not practical on many platforms.
- If it's not free, where can we buy it? What does it cost?
I don't expect corporate press releases to be technically deep.
I do expect them to say what the product costs and where to buy it. :-)
- Where is a detailed implementation description of the algorithm?
- Where is a detailed explanation of why the algorithm is strong,
what are the known or expected weaknesses, what attacks fail and why,
what do you have to do to use it safely?
- Which academic journal has it been published in, and who's done
serious cryptanalysis on it besides the authors?
Unlike some previous Japanese algorithms, the authors appear to
have done some good initial work, but very few people have the
skills to evaluate the weaknesses in their own algorithms,
and cryptanalysis is about finding the weaknesses,
not so much about finding the strengths.
- The cryptographic world let Ron Rivest get away with saying RC2 and RC4
were secure "trust me" even though they were patented,
but that was partly because of his reputation and partly because
those algorithms were very small and very fast but still
appeared to be reasonably strong - and there are serious limitations
in the way you can use those algorithms.
The press release doesn't give a reason to believe that
these algorithms are either faster or stronger than the
AES candidate algorithms, which have similar key lengths
and have been heavily analyzed by everyone in the field.
That means there's even less incentive to use these,
because there's less reason to trust them, and because
not enough people have looked for flaws in their design,
and even if there are not any major flaws, there are no
major advantages that have been documented.
Also, the claim that they're very small in hardware
has been disputed by someone who says they're several times
larger than DES in hardware.
Tom and Jarrod commented:
>> Based on Moore's Law, this means it will be secure on computers roughly
>> 10,000 times more powerful than today's systems. How likely is that?
>
>depends. if the algorithm is safe and it's only a matter of pure
>processing power, then 10k is nothing. a brute-force attack might only
>take 10 million years instead of 100 billion, but that's not exactly a
>difference.
>
>the real danger is new forms of attack, and you can't possibly foresee
>those, so 20 years is a very "optimistic" goal. but sheer computing
>power isn't the deciding factor there.
The most serious danger is *existing* forms of attack -
people deploy it and it gets broken right away.
There are buzzwords in the announcement that suggest that
many of these risks have been addressed, so it may not be
doomed from the start. But I still don't trust it.
Sheer computing power, if you believe Moore's law,
requires that key lengths have an extra bit for every
1.5 years of safety, and be designed for attacks
that use much larger storage than current computers.
128 bits of key and 128-bit blocksize is enough for now,
and the algorithm expands to 192 and 256 bits,
so that's fine - if it's strong enough now.
But yes, future forms of attack are a serious risk,
and having extra bits of key length helps reduce that risk.
Thanks!
Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639