New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia

Liu, Ya; Li, Leibo; Gu, Dawu; Wang, Xiaoyun; Liu, Zhiqiang; Chen, Jiazhe; Li, Wei

doi:10.1007/978-3-642-34047-5_6

Cited by 20 publications

(38 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our results show that as far as Camellia is concerned, the semi-advanced MitM attack technique is more efficient than or at least as efficient as the advanced cryptanalytic techniques studied, except impossible differential cryptanalysis; in this latter case the MitM attacks are now one or two rounds inferior to the best newly emerging impossible differential cryptanalysis results in [2,22].…”

Section: Discussionmentioning

confidence: 75%

“…If the FL −1 function were modified to have a good avalanche effect, then those MitM properties would involve a large number of unknown 1-bit constant parameters, and the resulting MitM attacks would be ineffective for the resulting cipher, but nevertheless it does not necessarily resist the HO-MitM attack technique, for those HO-MitM attacks described in [24] work as long as that integral property of Camellia holds (canceling the FL −1 function). Actually, if the FL/FL −1 functions had had a good avalanche effect, the Camellia cipher could have withstood the best currently known cryptanalytic results that are the newly emerging impossible differential cryptanalysis results [2,22]. In this sense, the FL/FL −1 functions do play an important role in the security of Camellia.…”

Section: Discussionmentioning

confidence: 99%

“…The security of Camellia has been analysed against a variety of cryptanalytic techniques, including differential cryptanalysis [5], truncated differential cryptanalysis [17], higher-order differential cryptanalysis [17,20], linear cryptanalysis [25], integral cryptanalysis [8,15,19], boomerang attack [30], rectangle attack [4], collision attack and impossible differential cryptanalysis [3,18]; and many cryptanalytic results on Camellia have been published [2, 6, 11-13, 21-24, 27-29, 31, 32], of which impossible differential cryptanalysis is the most efficient technique in terms of the numbers of attacked rounds, that broke 11-round Camellia-128, 12-round Camellia-192 and 14-round Camellia-256 [2,22], presented most recently at FSE 2012 and ISPEC 2012.…”

mentioning

confidence: 99%

See 2 more Smart Citations

Meet-in-the-Middle Attack on Reduced Versions of the Camellia Block Cipher

Wei

Pašalić

et al. 2012

Advances in Information and Computer Security

View full text Add to dashboard Cite

Abstract. The Camellia block cipher has a 128-bit block length and a user key of 128, 192 or 256 bits long, which employs a total of 18 rounds for a 128-bit key and 24 rounds for a 192 or 256-bit key. It is a Japanese CRYPTREC-recommended e-government cipher, a European NESSIE selected cipher, and an ISO international standard. In this paper, we describe a few 5 and 6-round properties of Camellia and finally use them to give meet-in-the-middle attacks on 10-round Camellia under 128 key bits, 11-round Camellia under 192 key bits and 12-round Camellia under 256 key bits, all of which include the FL/FL −1 functions but do not include whitening operations.

show abstract

Section: Discussionmentioning

confidence: 75%

Section: Discussionmentioning

confidence: 99%

mentioning

confidence: 99%

See 1 more Smart Citation

Meet-in-the-Middle Attack on Reduced Versions of the Camellia Block Cipher

Wei

Pašalić

et al. 2012

Advances in Information and Computer Security

View full text Add to dashboard Cite

show abstract

“…As opposed to that, in this paper, we only discuss attacks on Camellia with F L/F L −1 and whitening key starting from the first round. Rather recently, some attacks on reduced-round Camellia with F L/F L −1 and whitening key have been introduced [6,11,12]. In this setting, the best attack on Camellia-128 is the impossible differential attack on 10 rounds [11].…”

Section: Introductionmentioning

confidence: 99%

“…Rather recently, some attacks on reduced-round Camellia with F L/F L −1 and whitening key have been introduced [6,11,12]. In this setting, the best attack on Camellia-128 is the impossible differential attack on 10 rounds [11]. A similar attack can break 11 rounds of Camellia-192 [11].…”

Section: Introductionmentioning

confidence: 99%

Zero-Correlation Linear Cryptanalysis with FFT and Improved Attacks on ISO Standards Camellia and CLEFIA

Bogdanov

Geng

Wang

et al. 2014

Selected Areas in Cryptography -- SAC 2013

View full text Add to dashboard Cite

Abstract. Zero-correlation linear cryptanalysis is based on the linear approximations with correlation exactly zero, which essentially generalizes the integral property, and has already been applied to several block ciphers -among others, yielding best known attacks to date on round-reduced TEA and CAST-256 as published in FSE'12 and ASI-ACRYPT'12, respectively.In this paper, we use the FFT (Fast Fourier Transform) technique to speed up the zero-correlation cryptanalysis. First, this allows us to improve upon the state-of-the-art cryptanalysis for the ISO/IEC standard and CRYPTREC-portfolio cipher Camellia. Namely, we present zero-correlation attacks on 11-round Camellia-128 and 12-round Camellia-192 with F L/F L −1 and whitening key starting from the first round, which is an improvement in the number of attacked rounds in both cases. Moreover, we provide multidimensional zero-correlation cryptanalysis of 14-round CLEFIA-192 and 15-round CLEFIA-256 that are attacks on the highest numbers of rounds in the classical single-key setting, respectively, with improvements in memory complexity.

show abstract

Impossible differential cryptanalysis on cipher E2

Wei

Yang

2013

Concurrency and Computation

View full text Add to dashboard Cite

E2, a block cipher, is an Advanced Encryption Standard candidate designed and submitted by Nippon Telegraph and Telephone Corporation. It employs a Feistel structure as global structure and two-layer substitution-permutation network structure in round function. The conservative structure makes E2 immune to kinds of current cryptanalysis. Previously, there is no result of impossible differential attacks on E2 because it was once supposed to have no more than five-round impossible differential characteristic. In this paper, we present a series of six-round impossible differential characteristics of E2 with/without initial transformation (IT)/ final transformation (FT) functions. Based on these impossible differentials, the immunity of E2 against impossible differential cryptanalysis is evaluated. We perform a seven-round attack on tweaked E2 (E2 without IT and FT ) with 128, 192, and 256 bits key and an eight-round attack on tweaked E2 with 256 bits key. The seven-round attack requires about 2 120 chosen plaintexts and 2 115.5 seven-round encryptions; the eight-round attack needs 2 121 chosen plaintexts and less than 2 214 eight-round encryptions. We also discuss the seven-round attack on E2 with IT or FT, and the result shows that the attack has the same complexities with the seven-round attack on tweaked E2.

show abstract

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia

Cited by 20 publications

References 19 publications

Meet-in-the-Middle Attack on Reduced Versions of the Camellia Block Cipher

Meet-in-the-Middle Attack on Reduced Versions of the Camellia Block Cipher

Zero-Correlation Linear Cryptanalysis with FFT and Improved Attacks on ISO Standards Camellia and CLEFIA

Impossible differential cryptanalysis on cipher E2

Contact Info

Product

Resources

About