256-bit Camellia vs 256-bit AES - Which is better?

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

256-bit Camellia vs 256-bit AES - Which is better?

Panarchy
Hi

Recently found a website, (using Firefox 3, love there blue favicon
idea, always click it), that was using Camelia 256-bit, instead of
what I usually see (RC4 128 bit or AES 256-bit).

Hadn't seen that cipher before...

Which 256-bit encryption is the best? Camellia or AES?

Also, what attacks can be run against each of them? (or are they
'uncrackable', eg would take 2yrs to crack one password)

Can rainbow tables be generated for both ciphers? If so, how much
hard-drive space would I need to store them? And what program should I
use to generate these rainbow tables? (eg Winrtgen, etc.)

Are there open-source implementations of both ciphers?

Please reply, as I know very little about the 'security' of these two ciphers.

Thanks in advance,

Panarchy

PS: If I'm using the word cipher incorrectly, please tell me what word
I should rather be using. Thanks!


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: 256-bit Camellia vs 256-bit AES - Which is better?

Izak Burger
On Sat, Feb 14, 2009 at 6:19 AM, Chip Panarchy <[hidden email]> wrote:
> Which 256-bit encryption is the best? Camellia or AES?

>From the wikipedia article it seems they are the same as far as
strength goes, but Camellia is supposedly a little more efficient (ie
less/smaller cpu and that sort of thing).

http://en.wikipedia.org/wiki/Camellia_(cipher)
http://info.isl.ntt.co.jp/crypt/eng/camellia/intro.html

Disclaimer: I am not a crypto person (I had a 6 month course in basic
crypto analysis about 10 years ago, I forgot most of it).

My understanding of a rainbow table is basically that you work out a
table of crypto-text words from a clear-text dictionary of some sort,
and then work backwards to decrypt portions of the original crypto
text. This usually works best for unsalted hashes because there is a
one to one relation, but even with salt added it is possible to work
out a table for every possible salt value (given a limited amount of
salts of course, or if you know the salt).

I was reading about A5 over the weekend (the encryption used in GSM)
and apparently that can also be cracked using rainbow tables because
the shift registers are too short. But looking at Camellia's "6224
equations in 3584 variables using 17920 linear and quadratic terms" I
think a rainbow table is pretty much out of the question.

According to the wikipedia article, the same theoretical method can be
used to crack both AES and Camellia "provided the attack becomes
feasible".

regards,
Izak


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: 256-bit Camellia vs 256-bit AES - Which is better?

shailesh.sf
In reply to this post by Panarchy
The Camellia Cipher has been around the block for sometime now.
I won't delve in its genealogy as you can Google it yourself.

Camellia is similar to AES in a number of cases as either of them have  
multiple similarities between them.
- both are Block Cipher
- both use the 'Fiestel Network' (first used in Lucifer & DES). Its  
essence is Decryption is done by Reversing the order of Encryption.
- both have similar block size for operations 128, 192 & 256 bits
- usage of S-Boxes

Its hard to comment which of them is a better one. I would say  
Efficiency & Security wise their isn't much to choose from. Either one  
is Highly Efficient and Secure as well.

Most of the attacks against AES are 'Theoretical' and almost all of  
them are 'Unrealistic'. In theory a 2^128 (3.40282367 × 10^38)  
exhaustive key search is almost equally infeasible as is an 2^120  
(1.329228 × 10^36) key search. But in cryptographic literature you  
might come across 'Theoretical Breaks' that can ensure that you will  
recover the 'Key' from an 2^120 key search rather than a 2^128 search.

Rainbow Tables, FPGA, FPAA can help you only to a certain extent.  
Maybe up to 2^60. Keep in mind the fact that every bit added to the  
key will double the time you need for a key search.
As of now AES can most certainly termed to be Secure and Unbreakable,  
in terms of Cryptanalytic attacks.

That leaves us with Side Channel Cryptanalytic Attacks on AES or for  
that matter any other crypto system. These attacks are against the  
Implementation of the Crypto and not on the Cipher itself.
You would do well to understand Camellia's Implementation for it is an  
open source implementation. I believe that you can also implement AES  
in open source.

A literature review of Camellia would certainly help you in  
understanding the security of the underlying cipher as well as any  
know attacks against it.

Hope this helps.

Thanks,
Shailesh

On Feb 13, 2009, at 11:19 PM, Chip Panarchy wrote:

> Hi
>
> Recently found a website, (using Firefox 3, love there blue favicon
> idea, always click it), that was using Camelia 256-bit, instead of
> what I usually see (RC4 128 bit or AES 256-bit).
>
> Hadn't seen that cipher before...
>
> Which 256-bit encryption is the best? Camellia or AES?
>
> Also, what attacks can be run against each of them? (or are they
> 'uncrackable', eg would take 2yrs to crack one password)
>
> Can rainbow tables be generated for both ciphers? If so, how much
> hard-drive space would I need to store them? And what program should I
> use to generate these rainbow tables? (eg Winrtgen, etc.)
>
> Are there open-source implementations of both ciphers?
>
> Please reply, as I know very little about the 'security' of these  
> two ciphers.
>
> Thanks in advance,
>
> Panarchy
>
> PS: If I'm using the word cipher incorrectly, please tell me what word
> I should rather be using. Thanks!


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: 256-bit Camellia vs 256-bit AES - Which is better?

Bastian Blank
On Tue, Feb 17, 2009 at 07:08:31PM -0500, Shailesh Rangari wrote:
> - both use the 'Fiestel Network' (first used in Lucifer & DES). Its  
> essence is Decryption is done by Reversing the order of Encryption.

No, AES uses a SP network. DES uses a Feistel Network.

> That leaves us with Side Channel Cryptanalytic Attacks on AES or for  
> that matter any other crypto system. These attacks are against the  
> Implementation of the Crypto and not on the Cipher itself.

There already was successful side channel attacks agaist AES. The Skein
team decided to don't do any table lookups in there new block cipher to
defeat this attacks.

Bastian

--
We have phasers, I vote we blast 'em!
                -- Bailey, "The Corbomite Maneuver", stardate 1514.2


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: 256-bit Camellia vs 256-bit AES - Which is better?

yawnmoth
In reply to this post by shailesh.sf
On Tue, Feb 17, 2009 at 6:08 PM, Shailesh Rangari <[hidden email]> wrote:

> - both use the 'Fiestel Network' (first used in Lucifer & DES). Its essence
> is Decryption is done by Reversing the order of Encryption.

That's incorrect.  In DES, the only difference between the encryption
and decryption is the order in which the round keys are used.  That's
pretty much the definition of a Fiestel Network.

In AES, in contrast, the differences between encryption and decryption
are a bit more pronounced.  Take a look at fips-197.pdf#page=25 and
fips-197.pdf#page=19.  The only function shared by both is
AddRoundKey.  SubBytes and InvSubBytes differ in that they use
different S-Boxes, InvShiftRows and ShiftRows shift the rows in
opposite directions, and MixColumns and InvMixColumns with a different
fixed polynomial.

fips-197.pdf can be found here:

http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: 256-bit Camellia vs 256-bit AES - Which is better?

yawnmoth
In reply to this post by Panarchy
On Fri, Feb 13, 2009 at 10:19 PM, Chip Panarchy <[hidden email]> wrote:
> Hi
>
> Recently found a website, (using Firefox 3, love there blue favicon
> idea, always click it), that was using Camelia 256-bit, instead of
> what I usually see (RC4 128 bit or AES 256-bit).

Which website, out of curiosity?

> Can rainbow tables be generated for both ciphers? If so, how much
> hard-drive space would I need to store them? And what program should I
> use to generate these rainbow tables? (eg Winrtgen, etc.)

Rainbow tables are intended for hash functions - not for encryption
algorithms.  With a hash function the only things you need to keep
track of are the plaintext and the hash.  The plaintext will always
produce the same hash, no matter what.  The plaintext might be salted,
but all salting really does is turn one plaintext into another longer
plaintext.  So instead of 'test' you have 'abtest' because you
prepended 'ab' to 'test'.

For encryption algorithms, it's different.  You don't just keep track
of the plaintext - you keep track of the key.  I guess you could have
a table with every possible plaintext block, every possible key, and
the plaintext that it corresponds to, but that'd be huge.  For a 128
bit key, that'd take 16 ** 16 bytes or 16.7 million terabytes.  And
whereas rainbow tables often include only the most common characters
(a-zA-Z0-9, whatever), a table like this for AES couldn't make any
omissions.  Thanks to the CBC mode of encryption, even if you were
just encrypting the letter a repeated 160 times (10 blocks), only the
first block would be encrypting the letter a.  All subsequent blocks
would be encrypting the letter a XOR'd against the previous block's
ciphertext.

Now, I suppose you could just attack the first block and ignore all
other blocks until you've found a key that produces a realistic
looking plaintext block, but even then, you're still likely to have a
huge table.

Long story short, rainbow tables are really best suited for hashes -
not encryption algorithms.


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: 256-bit Camellia vs 256-bit AES - Which is better?

The MadDaemon
In reply to this post by Panarchy
On Fri, Feb 13, 2009 at 11:19 PM, Chip Panarchy <[hidden email]> wrote:
> Hi
>
> Recently found a website, (using Firefox 3, love there blue favicon
> idea, always click it), that was using Camelia 256-bit, instead of
> what I usually see (RC4 128 bit or AES 256-bit).
>
> Hadn't seen that cipher before...

http://www.ietf.org/rfc/rfc3713.txt

> Which 256-bit encryption is the best? Camellia or AES?
>
> Also, what attacks can be run against each of them? (or are they
> 'uncrackable', eg would take 2yrs to crack one password)
>
> Can rainbow tables be generated for both ciphers? If so, how much
> hard-drive space would I need to store them? And what program should I
> use to generate these rainbow tables? (eg Winrtgen, etc.)
>
> Are there open-source implementations of both ciphers?
>
> Please reply, as I know very little about the 'security' of these two ciphers.
>
> Thanks in advance,
>
> Panarchy
>
> PS: If I'm using the word cipher incorrectly, please tell me what word
> I should rather be using. Thanks!
>
>
>



--

<insert witty random quote here>


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: 256-bit Camellia vs 256-bit AES - Which is better?

shailesh.sf
In reply to this post by yawnmoth
I was mentioning Fiestel Network in general. The comment wasn't  
implied directly on AES and/or DES specifically.
As such I would still maintain that the essence of Fiestel remains in  
its simplicity of Encryption and Decryption process which are reversal  
of the process itself.

"The Feistel structure has the advantage that encryption and  
decryption operations are very similar, even identical in some cases,  
requiring only a reversal of the key schedule" -Wikipedia

Precisely the similarities between AES and DES are -

AES Round Key addition corresponds to DES XOR of subkey material with  
the input to function f.
AES Mixcolumn corresponds to DES XOR of function f output with the  
left half block.
AES ByteSub corresponds to function f in DES.
AES ShiftRow corresponds to DES permutation P.

Regards,
Shailesh

On Feb 18, 2009, at 12:01 PM, Terra Frost wrote:

> On Tue, Feb 17, 2009 at 6:08 PM, Shailesh Rangari <[hidden email]
> > wrote:
>
>> - both use the 'Fiestel Network' (first used in Lucifer & DES). Its  
>> essence
>> is Decryption is done by Reversing the order of Encryption.
>
> That's incorrect.  In DES, the only difference between the encryption
> and decryption is the order in which the round keys are used.  That's
> pretty much the definition of a Fiestel Network.
>
> In AES, in contrast, the differences between encryption and decryption
> are a bit more pronounced.  Take a look at fips-197.pdf#page=25 and
> fips-197.pdf#page=19.  The only function shared by both is
> AddRoundKey.  SubBytes and InvSubBytes differ in that they use
> different S-Boxes, InvShiftRows and ShiftRows shift the rows in
> opposite directions, and MixColumns and InvMixColumns with a different
> fixed polynomial.
>
> fips-197.pdf can be found here:
>
> http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]