Impossible differential attack on 13-round Camellia-192


Information Processing Letters 115 (2015) 660–666


Céline Blondeau, Aalto University, School of Science, Department of Information and Computer Science, Finland

Article history: Received 5 August 2014; received in revised form 5 January 2015; accepted 18 March 2015; available online 1 April 2015. Communicated by M. Fischlin.

Abstract. In this paper, we study the security of the block ciphers Camellia-192 and Camellia-256 in the impossible differential context. In particular, we present the first attack on 13 rounds of Camellia-192 with FL/FL^{-1} layers. An attack on 14 rounds of Camellia-256 requiring less complexity than the previous impossible differential attacks is also described.

Keywords: Cryptography; Impossible differential; Camellia

1. Introduction

The Camellia block cipher [1], largely inspired by the AES candidate E2 [7], was developed by Mitsubishi and NTT of Japan in 2000. The cipher, which has been recommended by CRYPTREC for e-government use and by NESSIE, was later selected as an ISO standard. Like the AES candidates, it is a 128-bit block cipher supporting keys of length 128, 192 and 256 bits. In this paper, only Camellia-192 and Camellia-256 are analyzed. A description of the cipher is provided in Section 2.1. Among the different attacks on this cipher (considering the cipher with FL/FL^{-1} layers), the best are impossible differential [10,2] and multidimensional zero-correlation linear [5] attacks. While the power of these attacks seems to be relatively similar, the analyses start from different rounds of the cipher. The best known attacks on this cipher are summarized in Table 1. In this paper, we analyze the impossible differential attacks of [2] and present attacks on 12 rounds of Camellia-192 and 14 rounds of Camellia-256 with reduced time complexity. As a new result, we present the first attack on Camellia-192 reduced to 13 rounds.

The remainder of this paper is organized as follows. In Section 2 we describe the block cipher Camellia and define some general notation. In Section 3 we explain how the time complexity of the most recent impossible differential attacks on 12 rounds of Camellia-192 and 14 rounds of Camellia-256 can be reduced. In Section 4, we present the first attack on 13 rounds of Camellia-192. Section 5 provides the conclusions.

E-mail address: celine.blondeau@aalto.fi. http://dx.doi.org/10.1016/j.ipl.2015.03.008

2. The Camellia block cipher

2.1. The cipher

Camellia [1] is a 128-bit Feistel-type cipher parameterized by a 128-, 192- or 256-bit key. In this paper, only the versions parameterized by 192-bit and 256-bit keys are considered. For these versions, the round function is iterated 24 times. Every 6 rounds, the FL and FL^{-1} functions add some confusion to the 64-bit partial states. Pre- and post-whitening keys are added to the partial state before the first round and after the last round. An illustration of the different steps is given in Fig. 1(a). The last-round swap is included in the reduced versions of Camellia considered in this paper. The round function of Camellia is depicted in Fig. 1(b). The internal function F, transforming 64 bits of the state, consists of a key addition, a non-linear layer S (application of eight 8-bit S-boxes in parallel) and a linear layer P.


Table 1. Best attacks on Camellia-192 and Camellia-256 with FL/FL^{-1} layers.

Key size   Rounds         Type   Data            Time        Memory      Source
192        11 (1–11)      ID     2^114.64 CP     2^184       2^141.64    [10]
192        12 (1–12)      ZC     2^125.3 DKP     2^188.8     2^112.0     [5]
192        12† (3–14)     ID     2^120.1 CP      2^184       2^124.1     [10]
192        12 (4–15)      ID     2^123 CP        2^187.2     2^160       [10]
192        12 (1–12)      ID     2^119.7 CP      2^161.06    2^154.7     [6]
192        12† (11–22)    ID     2^120.6 CP      2^171.4     −           [2]
192        12† (11–22)    ID     2^118.8 CP      2^153.45    2^124.05    Section 3.1
192        13† (3–15)     ID     2^118.59 CP     2^182.10    2^124       Section 4
256        13 (4–16)      ID     2^123 CP        2^251.1     2^208       [10]
256        14† (10–23)    ID     2^120 CC        2^250.5     2^125       [10]
256        14† (1–14)     ID     2^118 CC        2^220       2^177       [6]
256        14† (10–23)    ID     2^121.2 CP      2^238.3     −           [2]
256        14† (10–23)    ID     2^118.72 CP     2^222.4     2^123.94    Section 3.2

ID stands for impossible differential attack, ZC for multidimensional zero-correlation attack, CP for chosen plaintext, CC for chosen ciphertext and DKP for distinct known-plaintext attacks. The memory complexity is expressed in number of bytes, the time complexity in number of encryptions. † Attacks without whitening keys.

Table 2. Subkeys of Camellia-192 and Camellia-256. KW_1,2 are the whitening keys added before the first round, KW_3,4 are added after the last round. KL_i, 1 ≤ i ≤ 6, are the keys used to parameterize the FL/FL^{-1} layers. The keys K_i, 1 ≤ i ≤ 24, correspond to the round keys added at round i.

KW_1 = K_L[1–64]        KL_3 = K_L[61–124]
KW_2 = K_L[65–128]      KL_4 = K_L[125–60]
K_1  = K_B[1–64]        K_13 = K_R[61–124]
K_2  = K_B[65–128]      K_14 = K_R[125–60]
K_3  = K_R[16–79]       K_15 = K_B[61–124]
K_4  = K_R[80–15]       K_16 = K_B[125–60]
K_5  = K_A[16–79]       K_17 = K_L[78–13]
K_6  = K_A[80–15]       K_18 = K_L[14–77]
KL_1 = K_R[31–94]       KL_5 = K_A[78–13]
KL_2 = K_R[95–30]       KL_6 = K_A[14–77]
K_7  = K_B[31–94]       K_19 = K_R[95–30]
K_8  = K_B[95–30]       K_20 = K_R[31–94]
K_9  = K_L[46–109]      K_21 = K_A[95–30]
K_10 = K_L[110–45]      K_22 = K_A[31–94]
K_11 = K_A[46–109]      K_23 = K_L[112–47]
K_12 = K_A[110–45]      K_24 = K_L[48–111]
                        KW_3 = K_B[112–47]
                        KW_4 = K_B[48–111]

Fig. 1. The Camellia block cipher. (a): The 24-round cipher. (b): The round function. (c): The key derivation.

The linear layer P transforms the 8 bytes (y_1, y_2, y_3, y_4, y_5, y_6, y_7, y_8) into the bytes (z_1, z_2, z_3, z_4, z_5, z_6, z_7, z_8) as follows:

z_1 = y_1 ⊕ y_3 ⊕ y_4 ⊕ y_6 ⊕ y_7 ⊕ y_8,
z_2 = y_1 ⊕ y_2 ⊕ y_4 ⊕ y_5 ⊕ y_7 ⊕ y_8,
z_3 = y_1 ⊕ y_2 ⊕ y_3 ⊕ y_5 ⊕ y_6 ⊕ y_8,
z_4 = y_2 ⊕ y_3 ⊕ y_4 ⊕ y_5 ⊕ y_6 ⊕ y_7,
z_5 = y_1 ⊕ y_2 ⊕ y_6 ⊕ y_7 ⊕ y_8,
z_6 = y_2 ⊕ y_3 ⊕ y_5 ⊕ y_7 ⊕ y_8,
z_7 = y_3 ⊕ y_4 ⊕ y_5 ⊕ y_6 ⊕ y_8,
z_8 = y_1 ⊕ y_4 ⊕ y_5 ⊕ y_6 ⊕ y_7.

A complete description of the cipher can be found in [1]. In the remainder of this paper, to describe the attacks on Camellia, we denote by X_{i−1} = (L_{i−1}, R_{i−1}), 1 ≤ i ≤ 24, the input of the i-th round of Camellia. Each byte of the round key is denoted by K^i_j, 1 ≤ j ≤ 8, and the bytes of the state by L^{i−1}_j or R^{i−1}_j. The round keys of Camellia are derived from four different keys. From the 128-bit keys K_L and K_R, two keys K_A and K_B are non-linearly derived as described in Fig. 1(c). Each round of Camellia is parameterized by 64 bits of one of these four keys. For Camellia-192, the key K_R is the concatenation of 64 bits of the master key and its complement. The result of the key derivation is given in Table 2. The notation K_1 = K_B[1–64] means that the bits of the first round key correspond to bits 1 to 64 of the key K_B.
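As an added worked example (not code from the paper), the following Python models P as an 8×8 matrix over GF(2) acting byte-wise, computes P^{-1} by Gauss–Jordan elimination, and checks the two propagation facts that the distinguishers of this paper rely on: an input difference (c,0,0,0,C,0,0,0) always gives output bytes z_1 = z_5 = c, and an output of the form (?,0,0,0,?,0,0,0) forces the first input byte to 0 because row 1 of P^{-1} does not involve z_1 or z_5 (this is the contradiction used in Fig. 3 of Section 4). Function names and the random test vector are this example's own.

```python
"""Camellia's linear layer P as a GF(2) matrix acting byte-wise.

Added worked example (not code from the paper): P and P^-1, plus the two
difference-propagation facts used by the Fig. 3 distinguisher in Section 4.
"""
from functools import reduce
from operator import xor
import random

# Row i lists the input bytes y_j (1-based) XORed into z_i, copied from the paper's P.
P_ROWS = [
    (1, 3, 4, 6, 7, 8),  # z1
    (1, 2, 4, 5, 7, 8),  # z2
    (1, 2, 3, 5, 6, 8),  # z3
    (2, 3, 4, 5, 6, 7),  # z4
    (1, 2, 6, 7, 8),     # z5
    (2, 3, 5, 7, 8),     # z6
    (3, 4, 5, 6, 8),     # z7
    (1, 4, 5, 6, 7),     # z8
]


def rows_to_masks(rows):
    """Encode each row as an 8-bit mask: bit j-1 is set iff y_j enters the XOR."""
    return [sum(1 << (j - 1) for j in row) for row in rows]


def apply_layer(masks, vec):
    """Multiply an 8-byte vector by the binary matrix given as row masks (XOR of selected bytes)."""
    if len(vec) != 8 or any(not 0 <= b < 256 for b in vec):
        raise ValueError("expected a vector of 8 bytes")
    return tuple(reduce(xor, (vec[j] for j in range(8) if mask >> j & 1), 0) for mask in masks)


def gf2_inverse(masks, n=8):
    """Invert an n x n binary matrix (row masks) by Gauss-Jordan elimination on [M | I].

    Raises StopIteration if some column has no pivot, i.e. M is singular.
    """
    aug = [masks[i] | (1 << (n + i)) for i in range(n)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if aug[r] >> col & 1)
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r] >> col & 1:
                aug[r] ^= aug[col]
    return [row >> n for row in aug]  # left half is now I, right half is M^-1


P_MASKS = rows_to_masks(P_ROWS)
P_INV_MASKS = gf2_inverse(P_MASKS)


def P(ys):
    return apply_layer(P_MASKS, ys)


def P_inv(zs):
    return apply_layer(P_INV_MASKS, zs)


def inverse_rows():
    """P^-1 written in the paper's style: for each y_i, the z_j that are XORed together."""
    return [tuple(j + 1 for j in range(8) if mask >> j & 1) for mask in P_INV_MASKS]


def fig3_forward_property():
    """P is linear, so an input XOR difference maps to P(difference) exactly:
    for every c, C the difference P(c,0,0,0,C,0,0,0) has bytes 1 and 5 equal to c."""
    for c in range(256):
        for C in range(256):
            z = P((c, 0, 0, 0, C, 0, 0, 0))
            if z[0] != c or z[4] != c:
                return False
    return True


def fig3_backward_property():
    """If P(c_1..c_8) = (?,0,0,0,?,0,0,0) then c_1 = 0: row 1 of P^-1 must ignore z_1 and z_5."""
    return P_INV_MASKS[0] & ((1 << 0) | (1 << 4)) == 0


if __name__ == "__main__":
    rng = random.Random(2015)
    y = tuple(rng.randrange(256) for _ in range(8))
    assert P_inv(P(y)) == y
    print("rows of P^-1:", inverse_rows())
    print("z1 = z5 = c for every (c, C):", fig3_forward_property())
    print("c1 forced to 0 by the zero pattern:", fig3_backward_property())
```

The forward check is exhaustive over all 2^16 values of (c, C) rather than argued from linearity, so it doubles as a test that P_ROWS was transcribed correctly; the backward check reads the property straight off the first row of the computed inverse.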

Impossible differential cryptanalysis is a technique developed by Knudsen in [8] to recover the encryption key of a given block cipher. This technique is particularly efficient for word-oriented ciphers. Impossible differential distinguishers are derived from an inconsistency between two partial differentials. In [6], new methods to compute the complexity of impossible differential attacks are proposed. The attacks presented there take advantage of a thorough analysis of the key schedule as well as methods such as state-test techniques. Their time complexity is computed assuming that the partial inversion is done for each individual pair. In the attacks presented in this paper, the time complexity of the first steps can be reduced by first analyzing the plaintexts individually. As the analysis is therefore slightly different from that of [6], we use in this paper the older notation (see for instance [3]), which is well accepted in the community. The analysis of the data complexity is similar to that of [6].

To fix the notation, in this paper¹ we denote by 2^{−p_i} the sieving probability of step i, the probability 2^{−p_0} being the sieving probability usually applied on the ciphertext directly. More importantly, we denote by 2^{−p} = ∏_i 2^{−p_i} the overall sieving probability and by 2^{−q} the probability to discard a key in the last step of the attack. When no sieve is applied at a given step j, we have 2^{−p_j} = 1. To maximize the number of pairs used in an impossible differential attack, the messages are organized into structures. We denote by 2^t the number of elements inside a structure and by 2^m the number of structures used in the attack. The data complexity N of an impossible differential attack corresponds to the 2^{m+t} plaintexts needed to recover the key. The false alarm probability (see [3]) of an impossible differential attack, denoted β in this paper, is given by

$$\beta = \left(1 - 2^{-q}\right)^{2^{m+2t-1-p}} \approx e^{-2^{m+2t-p-q-1}}.$$

From this equation, we derive that for a given β the data complexity is

$$N \approx 2^{p+q-t} \cdot 2 \cdot \log(1/\beta). \qquad (1)$$
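As an added worked example (not the author's code), the following Python evaluates equation (1) and the step-cost convention used throughout this paper (2^{key bits} × 2^{texts or pairs} × S-boxes/8 × 1/rounds, with an extra factor 2 when the work is done per pair), and reproduces the figures reported in Sections 3.1, 3.2 and 4 from the parameters (p, q, t, β) stated there. The log is natural, as the derivation of (1) from the exponential form of β requires. Function names are this example's own; the step costs in camellia192_12r_time_log2 are the two dominant terms given in Section 3.1.

```python
"""Complexity bookkeeping for the impossible differential attacks in this paper.

Added worked example, not the author's code. It evaluates equation (1) and the
paper's step-cost convention (key guesses x items x S-boxes/8 x 1/rounds).
"""
import math


def ln_inv_beta(beta_bits):
    """ln(1/beta) for a false-alarm probability beta = 2^-beta_bits."""
    return beta_bits * math.log(2)


def data_complexity_log2(p, q, t, beta_bits):
    """log2 N from equation (1): N ~ 2^(p+q-t) * 2 * ln(1/beta).

    p: overall sieving exponent (2^-p = prod_i 2^-p_i), q: exponent of the
    key-discard probability in the last step, t: log2 of the structure size.
    """
    return p + q - t + 1 + math.log2(ln_inv_beta(beta_bits))


def structures_log2(p, q, t, beta_bits):
    """m, with N = 2^(m+t) plaintexts organized in 2^m structures of 2^t."""
    return data_complexity_log2(p, q, t, beta_bits) - t


def single_structure_log2(p, q, beta_bits):
    """Section 4 variant with one structure: 2^(2t) = 2^(p+q+1) ln(1/beta), solved for t."""
    return (p + q + 1 + math.log2(ln_inv_beta(beta_bits))) / 2


def log2_sum(exponents):
    """log2(sum_i 2^e_i) without overflow; adds attack phases given as exponents."""
    top = max(exponents)
    return top + math.log2(sum(2.0 ** (e - top) for e in exponents))


def step_cost_log2(key_bits, items_log2, sboxes, rounds, per_pair=False):
    """Paper's unit: [2 x] 2^key_bits x 2^items x (sboxes/8) x (1/rounds) encryptions.
    The leading factor 2 applies when the work is done for both texts of a pair."""
    return ((1 if per_pair else 0) + key_bits + items_log2
            + math.log2(sboxes / 8) - math.log2(rounds))


def camellia192_12r_time_log2(beta_bits, p=160, q=8, t=55, key_bits=192):
    """Section 3.1 total: Step 5 (5 key bytes guessed, 6 S-boxes per text), Step 6
    (1 S-box per pair on 2^(m+53) pairs) and the exhaustive search over the
    2^key_bits * beta keys that survive."""
    m = structures_log2(p, q, t, beta_bits)
    step5 = step_cost_log2(5 * 8, m + 55, sboxes=6, rounds=12)
    step6 = step_cost_log2(5 * 8, m + 53, sboxes=1, rounds=12, per_pair=True)
    return log2_sum([step5, step6, key_bits - beta_bits])


if __name__ == "__main__":
    print("12-round Camellia-192, beta = 2^-128: data 2^%.2f, time 2^%.2f"
          % (data_complexity_log2(160, 8, 55, 128), camellia192_12r_time_log2(128)))
    print("13-round Camellia-192, one structure, beta = 2^-13: data 2^%.2f"
          % single_structure_log2(225, 8, 13))
```

Lowering β (fewer surviving keys) raises the data complexity only logarithmically, which is why the paper can trade, for instance, β = 2^{−128} against β = 2^{−42} in Section 3.1 and pay for the difference with a final exhaustive search of 2^{192} β keys.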

2.3. Recent attacks

In [4], it is shown that for some Feistel-type ciphers, impossible differential and multidimensional zero-correlation linear distinguishers can be derived from each other. Nevertheless, as illustrated in [5], the internal permutation of Camellia as well as the FL/FL^{-1} layers do not behave "orthogonally" in the differential and linear contexts, and the recent relation between impossible differential and zero-correlation linear distinguishers does not apply to this cipher. While carried out over the same number of rounds, the derived impossible differential and zero-correlation linear distinguishers are therefore not directly related to each other. For instance, the impossible differential attacks of [10] starting from the first round are derived from a distinguisher starting from the second round. By contrast, the multidimensional zero-correlation linear attacks of [5] starting from the first round are derived from distinguishers starting from the third round. In this particular case, the asymmetry in the number of inverted rounds at the beginning² and at the end can be seen as a limiting factor for impossible differential attacks starting from the first round.

¹ Note that sieving over the pairs or over the keys does usually not affect the data complexity of the attack.

3. Attacks on Camellia-192 and Camellia-256 with FL/FL^{-1} layers

Among the attacks cited in Table 1, the impossible differential ones not starting from the first round are derived from two different distinguishers. Due to the number of differentials involved, the overall time complexity of the attacks proposed in [10] is larger than that of the attacks of [2] (see Table 1 for the complexity values). The distinguisher on 7 rounds of [2] starting from an FL/FL^{-1} layer is:

$$[(0,0,0,0,0,0,0,0),\,(a,0,0,0,0,0,0,0)] \nrightarrow [(0,0,0,0,b,0,0,0),\,(0,0,0,0,0,0,0,0)], \qquad (2)$$

where 1 ≤ a < 2^7 and 1 ≤ b < 2^8. In this section, we explain how the time complexity of the attacks developed by Bai and Li [2] can be reduced by storing only the pairs when their number is smaller than the total number of plaintexts necessary for the attack. This technique, which has already been used in some impossible differential attacks (see for instance [11]), consists of storing all plaintexts and corresponding ciphertexts in the key-recovery phase as long as the number of plaintext pairs is greater than the number of plaintexts. It reduces the time complexity of the impossible differential attack whenever that complexity is dominated by the first phases of the attack.

3.1. An attack on 12 rounds of Camellia-192 with reduced time complexity

In this section, we explain how the time complexity of the attack on 12 rounds of Camellia-192 with FL/FL^{-1} layers proposed in [2] can be reduced. The intermediate differences involved in the attack are depicted in Fig. 2 and are denoted by ΔX_{i−1} for the difference in the state at the beginning of round i. The difference in the state after the substitution layer is denoted by ΔS_i.

² From the impossible differential distinguisher of [10] starting from the second round, on the encryption side, only the first round can be partially inverted.

Fig. 2. Key-recovery on Camellia based on the impossible differential [(0,0,0,0,0,0,0,0), (a,0,0,0,0,0,0,0)] ↛ [(0,0,0,0,b,0,0,0), (0,0,0,0,0,0,0,0)] on 7 rounds starting from an FL/FL^{-1} layer. The attack on 12 rounds corresponds to the attack on Camellia-192 given in Section 3.1. For Camellia-256 an attack on 14 rounds is given in Section 3.2.

Attack on 12 rounds of Camellia-192

1. Take 2^m structures of plaintexts with the following form:
   X_10 = [P(x_1, α_2, α_3, α_4, α_5, α_6, α_7, α_8), P(y_1, y_2, y_3, y_4, y_5, β_6, β_7, y_8)],
   where α_i (i = 2, …, 8) and β_j (j = 6, 7) are fixed constants, x_1 and y_i (i = 1, 2, 3, 5, 8) take all 2^8 values, and y_4 takes all 2^7 values with fixed most significant bit. Each structure contains 2^55 plaintexts. Instead of keeping the pairs with ciphertext difference
   ΔX_22 = [P(g_1, g_2, g_3, g_4, g_5, g_6, g_7, g_8), P(0, b_2, b_3, b_4, b, b_6, b_7, b_8)],   (3)
   where b and b_8 are non-zero bytes, and g_i (i = 1, …, 8) and b_j ≠ b (j = 2, 3, 4, 6, 7) are unknown bytes, rearrange the pairs (X_10, X_22) into 2^8 structures with the same [P(R_23)]_0. We now have 2^{m+8} structures with 2^{55−8} = 2^47 plaintexts.
2. Guess K^11_1 = K_A[46–53], compute S_1(L^10_1 ⊕ K^11_1) ⊕ R^10_1 for each plaintext and rearrange the list to obtain 2^{m+8+8} structures of 2^{47−8} = 2^39 plaintexts. In each structure we have ΔS^11_1 = a_1 and (3) is satisfied (see Fig. 2).
3. Guess K^11_2 = K_A[54–61], compute S_2(L^10_2 ⊕ K^11_2) ⊕ R^10_2 ⊕ R^10_4 for each plaintext and rearrange to obtain 2^{m+24} structures of 2^{39−8} = 2^31 plaintexts. In each structure we have ΔS^11_2 = a_2 ⊕ a.
4. Do the same operation for the keys K^11_{3,5,8} = K_A[62–69, 78–85, 102–109]. At the end of this step we have 2^{m+48} structures with 2^7 plaintexts.
5. The value of K^22_3 = K_A[47–54] is already known. For each ciphertext compute S_3(R^22_3 ⊕ K^22_3) and the difference S_3(R^22_3 ⊕ K^22_3) ⊕ L^22_3. Sort the list accordingly to obtain 2^{m+56} structures with on average 2^{−1} plaintext.
6. From now on, we consider the pairs individually. The number of remaining pairs is 2^{m+56−1−2} = 2^{m+53}. The value of K^22_4 = K_A[55–62] is already known. Among the remaining pairs, we keep the ones such that ΔS^22_4 = g_4 (2^{m+45} pairs remain).
7. The remaining steps of the attack are the same as in [2] (starting from Step 3.2) and are summarized in Table 3. After guessing 128 key bits, the number of remaining pairs is 2^{m−51}.
8. For the last step of the attack, K^12_1 = K_A[110–117] is known. If ΔS^12_1 = e (see Fig. 2), the impossible differential (2) is fulfilled and the guessed key is discarded.
9. Perform an exhaustive search on the remaining keys.
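The mechanism behind Steps 2 to 5 (compute one key-dependent byte per text, re-bucket the texts, and read the surviving pairs off the buckets instead of testing every pair) as an added worked example, not the paper's code. The S-box is a constructed random permutation standing in for a Camellia S-box, the texts are constructed at random, and the function names are this example's own; the naive pair enumeration is kept only as an oracle to confirm that bucketing keeps exactly the pairs that satisfy ΔS = ΔR on the sieved lane.

```python
"""Pair sieving by sorting texts into structures instead of enumerating pairs.

Added worked example, not the paper's code. It mirrors Steps 2-5 of the 12-round
attack: for each key-byte guess, a key-dependent byte is computed once per text and
the texts are re-bucketed, so every pair inside a bucket satisfies the sieve by
construction. The S-box is a constructed random permutation, NOT Camellia's S-box.
"""
from collections import defaultdict
from itertools import combinations
import random

_sbox_rng = random.Random(2015)
SBOX = list(range(256))  # constructed stand-in for one 8-bit S-box
_sbox_rng.shuffle(SBOX)


def make_texts(count, seed=1):
    """Constructed (L, R) halves of 8 bytes each, standing in for the texts of a structure."""
    rng = random.Random(seed)
    return [(tuple(rng.randrange(256) for _ in range(8)),
             tuple(rng.randrange(256) for _ in range(8))) for _ in range(count)]


def sieve_value(text, key_byte, lane):
    """The per-text value the paper sorts on: S(L_lane xor K) xor R_lane."""
    L, R = text
    return SBOX[L[lane] ^ key_byte] ^ R[lane]


def refine_structures(texts, structures, key_byte, lane):
    """Split each structure (a list of text indices) by its sieve value.

    Two texts in the same bucket satisfy S(L xor K) xor S(L' xor K) = R xor R' on
    that lane, i.e. Delta S = Delta R, and no pair had to be formed to check it.
    Cost per key guess: one S-box lookup per text, not per pair.
    """
    refined = []
    for struct in structures:
        buckets = defaultdict(list)
        for idx in struct:
            buckets[sieve_value(texts[idx], key_byte, lane)].append(idx)
        refined.extend(buckets.values())
    return refined


def count_pairs(structures):
    """Surviving pairs, read off the bucket sizes as sum of C(n_i, 2)."""
    return sum(len(s) * (len(s) - 1) // 2 for s in structures)


def pairs_from_structures(structures):
    return {pair for s in structures for pair in combinations(sorted(s), 2)}


def pairs_by_enumeration(texts, conditions):
    """Oracle: test every pair against every (key_byte, lane) condition, ~N^2/2 work."""
    kept = set()
    for i, j in combinations(range(len(texts)), 2):
        (Li, Ri), (Lj, Rj) = texts[i], texts[j]
        if all(SBOX[Li[lane] ^ k] ^ SBOX[Lj[lane] ^ k] == Ri[lane] ^ Rj[lane]
               for k, lane in conditions):
            kept.add((i, j))
    return kept


def demo(n_texts=4096, guesses=((0x3C, 0), (0xA7, 1))):
    """Apply two successive key-byte guesses as Steps 2 and 3 do.
    Returns (pairs left after both sieves, pairs in the structure before sieving)."""
    texts = make_texts(n_texts)
    structures = [list(range(n_texts))]
    for key_byte, lane in guesses:
        structures = refine_structures(texts, structures, key_byte, lane)
    return count_pairs(structures), n_texts * (n_texts - 1) // 2


if __name__ == "__main__":
    left, total = demo()
    print("pairs before sieving: %d, after two 8-bit sieves: %d" % (total, left))
```

Each refinement costs one S-box evaluation per text for each key guess, which is the 2^{m+t} factor in the cost of Steps 1 to 5 above, whereas testing the sieve on pairs would cost 2^{m+2t−1} per key guess; the second call refines inside the existing buckets, so the surviving pairs satisfy both conditions at once.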

Complexity. For this attack, 128 key bits are guessed. According to the notation given in Section 2, we have t = 55, p = 160 and q = 8. Unlike in the attack of [2], no sieve is performed during the first steps of this attack. In particular, Steps 2, 3, 4 and 5 can be done at the same time. The time complexity of Steps 1 to 5 is dominated by that of Step 5. As up to this step 5 key bytes are guessed, the time complexity corresponds to 2^{m+55+5·8} · 6/8 · 1/12 = 2^{m+91} encryptions. In Step 6, we have one S-box computation for all 2^{m+45} pairs and for all keys. The cost of this step corresponds to 2 · 2^{m+53+5·8} · 1/8 · 1/12 = 2^{m+87.41} encryptions, which is the most costly step among the remaining ones (the most costly step in Table 3 corresponds to 2 · 2^{1+41+m+45} · 1/8 · 1/12 = 2^{m+80.42} encryptions).


Table 3. The intermediate steps of the key-recovery attack on 12 rounds of Camellia-192 given in Section 3.1.

Key                         Guessed bits    Sieve                  # Pairs     Time compl.
K^22_7 = K_A[79–86]         K_A[86]         ΔS^22_7 = g_7          2^{m+37}    2^{1+41+m+45}
K^22_2 = K_A[39–46]         K_A[39–45]      ΔS^22_2 = g_2          2^{m+29}    2^{7+42+m+37}
K^22_6 = K_A[71–78]         K_A[71–77]      ΔS^22_6 = g_6          2^{m+21}    2^{7+49+m+29}
K^22_1 = K_A[31–38]         K_A[31–38]      ΔS^22_1 = g_1          2^{m+13}    2^{8+56+m+21}
K^22_8 = K_A[87–94]         K_A[87–94]      ΔS^22_8 = g_8          2^{m+5}     2^{8+64+m+13}
K^22_5 = K_A[63–70]         K_A[70]         ΔS^22_5 = g_5          2^{m+5}     2^{1+72+m+5}
K^21_2 = K_A[103–110]       K_A[110]        ΔS^21_2 = b_2 ⊕ b      2^{m−3}     2^{1+73+m+5}
K^21_3 = K_A[111–118]       K_A[111–118]    ΔS^21_3 = b_3 ⊕ b      2^{m−11}    2^{8+74+m−3}
K^21_4 = K_A[119–126]       K_A[119–126]    ΔS^21_4 = b_4 ⊕ b      2^{m−19}    2^{8+82+m−11}
K^21_6 = K_A[7–14]          K_A[7–14]       ΔS^21_6 = b_6 ⊕ b      2^{m−27}    2^{8+90+m−19}
K^21_7 = K_A[15–22]         K_A[15–22]      ΔS^21_7 = b_7 ⊕ b      2^{m−35}    2^{8+98+m−27}
K^21_8 = K_A[23–30]         K_A[23–30]      ΔS^21_8 = b_8          2^{m−43}    2^{8+106+m−35}
K^21_1 = K_A[95–102]        K_A[95–101]     −                      2^{m−43}    2^{7+114+m−43}
K^20_5 = K_R[63–70]         K_R[63–70]      ΔS^20_5 = f            2^{m−51}    2^{8+121+m−43}
K^11_4 = K_A[70–77]         −               −                      2^{m−51}    2^{129+m−51}
K^11_{6,7} = K_A[86–101]    −               −                      2^{m−51}    2^{129+m−51}

Taking β = 2^{−128}, according to (1) the data complexity of the attack is therefore 2^{m+55} = 2^{120.47} (m = 65.47) chosen plaintexts. The time complexity of the attack on 12 rounds of Camellia-192 is then 2^{m+91} + 2^{m+87.41} = 2^{156.59} encryptions (to compare with the 2^{171.4} encryptions of [2]). The memory complexity is dominated by the storage of the list of plaintexts and related ciphertexts and is equal to 2^{m+55} · (16 + 16 + 6) = 2^{125.85} bytes. If we select β = 2^{−42}, the data complexity is reduced to 2^{118.9}. In that case, the time complexity of the attack corresponds to 2^{154.86} + 2^{151.28} + 2^{192−42} = 2^{155.02} encryptions.

3.2. An attack on 14 rounds of Camellia-256 with reduced time complexity

The attack on 14 rounds of Camellia-256 without whitening keys developed in [2] is similar to the attack on 12 rounds of Camellia-192. In particular, using the same technique as described previously, the time complexity of the attack can be reduced. The first steps of this attack are as follows.

Attack on 14 rounds of Camellia-256

1. Take 2^m structures of plaintexts with the following form:
   X_9 = [P(x_1, x_2, x_3, x_4, x_5, α_6, α_7, x_8), P(y_1, y_2, y_3, y_4, y_5, y_6, y_7, y_8)],
   where α_6 and α_7 are fixed constants, x_i (i = 1, 2, 3, 5, 8) and y_j (1 ≤ j ≤ 8) take all 2^8 values, and x_4 takes all 2^7 values with fixed most significant bit. Each structure contains 2^111 plaintexts.
2. Guess K_10 = K_L[110–45] and partially encrypt the plaintexts by one round. In accordance with the intermediate differences given in Fig. 2, rearrange the list of plaintexts/ciphertexts to obtain 2^{m+56} structures of 2^55 elements.
3. As K_23 = K_L[112–47], guess K_L[46–47] (2 bits) and partially decrypt the ciphertexts. Rearrange the list of plaintexts/ciphertexts to obtain 2^{m+64} structures of 2^47 elements.
4. Perform the same steps as given in Section 3.1 starting from Step 2.

Complexity. For this attack we have t = 111, p = 160 + 56 = 216 and q = 8. As K_L is not guessed in the attack described in Section 3.1, the total number of guessed keys in this attack is 2^{64+2+128} = 2^{194}. Taking β = 2^{−194}, we obtain an attack on 14 rounds of Camellia-256 with a data complexity of 2^{121.1} chosen plaintexts and a time complexity equivalent to 2^{66+5·8+111+m} · (8 + 8 + 6)/8 · 1/14 + 2^{66+40+1+109+m} · 1/8 · 1/14 = 2^{224.78} encryptions. This computation is similar to that of the previous section. A factor of 2^{13.51} is gained in comparison with the attack of [2]. This attack requires the storage of 2^{m+111} · (16 + 16 + 6) = 2^{126.35} bytes. Taking β = 2^{−38}, a different data/time trade-off is obtained: an attack with data complexity 2^{118.72} and time complexity 2^{222.37} + 2^{216.91} + 2^{256−38} = 2^{222.47} can be performed.

4. Attack on 13 rounds of Camellia-192

Taking advantage of the fact that, for Camellia-192, K_4 is completely determined by K_3 would require placing the distinguisher of the previous section from round 7 (including the preceding FL/FL^{-1} layer) to round 13. Due to the position of the FL/FL^{-1} layers, this is only possible with a partial encryption of the first four rounds and a partial decryption of the last two rounds (see Fig. 2). Such a key-recovery attack is highly unbalanced and can only be performed with high time complexity. For the attack described in this section, we use an impossible differential distinguisher from round 6 to round 12 (including the FL/FL^{-1} layers). This distinguisher is similar to the one of [2] taken the other way around. As depicted in Fig. 3,


we have the following impossible differential distinguisher on 7 rounds of Camellia starting from round 6:

$$[(0,0,0,0,0,0,0,0),\,(0,0,0,0,b,0,0,0)] \nrightarrow [(a,0,0,0,0,0,0,0),\,(0,0,0,0,0,0,0,0)], \qquad (4)$$

where the most significant bit of a is fixed to 0. To build this distinguisher, we use the following observations on the FL function.³

Proposition 1. For the FL function,
• [2] if the input difference is (0,0,0,0,b,0,0,0), where b is a non-zero byte, then the output difference is (B,0,0,0,b,0,0,0), where B is an unknown byte;
• [9] if the output difference is (a,0,0,0,0,0,0,0), where a is a non-zero byte with most significant bit equal to 0, then the input difference is (a,0,0,0,A,0,0,0), where A is an unknown byte.

³ The results of [2] and [9] are stated for FL^{-1} and can easily be rewritten for the FL function.

Fig. 3. Impossible differential distinguisher on 7 rounds of Camellia between rounds 6 and 12. The most significant bit of a is zero. We have P(c_1, c_2, c_3, c_4, c_5, c_6, c_7, c_8) ⊕ (a,0,0,0,A,0,0,0) = (?,0,0,0,?,0,0,0) ⇒ P(c_1, c_2, c_3, c_4, c_5, c_6, c_7, c_8) = (?,0,0,0,?,0,0,0) ⇒ c_1 = 0. The contradiction is obtained by observing that P(c,0,0,0,C,0,0,0) = (c,?,?,?,c,?,?,?) with c ≠ 0, implying that c_1 ≠ 0.

Fig. 4. Key-recovery on Camellia based on the impossible differential [(0,0,0,0,0,0,0,0), (0,0,0,0,b,0,0,0)] ↛ [(a,0,0,0,0,0,0,0), (0,0,0,0,0,0,0,0)] on 7 rounds starting from round 6 or round 12.

The attack on 13 rounds of Camellia-192 without whitening keys is done by adding three rounds at the beginning and three rounds at the end of the distinguisher given in Fig. 3, that is, by partially guessing the keys K_3, K_4, K_5, K_13, K_14 and K_15 (Fig. 4).

Attack on 13 rounds of Camellia-192

1. From 2^{m+120} plaintexts organized into 2^m structures of 2^120 plaintexts, such that inside a structure the plaintext pairs satisfy
   ΔX_2 = [P(0, b_2, b_3, b_4, b, b_6, b_7, b_8), P(g_1, g_2, g_3, g_4, g_5, g_6, g_7, g_8)],
   where b and b_8 are non-zero bytes.
2. Inside a structure, the difference between the ciphertexts should satisfy
   ΔX_15 = [(z_1, z_2, z_3, z_4, z_5, z_6, z_7, z_8), P(a_1, a_2, a_3, a, a_5, 0, 0, a_8)],
   with the most significant bit of a equal to 0 and a ≠ 0. Rearrange the plaintexts and ciphertexts into 2^{m+17} structures of 2^103 plaintexts.
3. Guess the 64 bits of the key K_R. Partially encrypt according to the keys K_3 and K_4. Inside a structure the differences satisfy the conditions given in Fig. 4. We now have 2^{m+17+56+48} = 2^{m+121} structures with on average 2^{−1} plaintexts. Starting from this step, the pairs are analyzed individually. The number of remaining pairs is 2^{m+121−1−2} = 2^{m+118}.
4. Byte by byte, guess K^15_{2,3,4,5,6,7,8} = K_B[69–124]. A sieve with probability 2^{−8} is applied for each of the guessed bytes.


   After this step the number of remaining pairs is 2^{m+118−56} = 2^{m+62}.
5. Guess K^15_1 = K_B[61–68]. No sieve is performed at this step. For each pair the partial state X_14 is known.
6. As K_R is already known, we can partially invert rounds 14 and 13 (see Table 2). After inversion of round 14, a sieve with probability 2^{−40} is applied. At round 13, we discard the pairs which do not fulfill ΔS^13_1 = e. The number of remaining pairs is 2^{m+62−40−8} = 2^{m+14}.
7. Guess K^5_5. If a pair fulfills the impossible differential given in (4), discard the guessed key.

At the end we have guessed 64 + 64 + 8 = 136 key bits. The number of remaining keys depends on the data complexity and is determined by β.

Complexity. The time complexity of Step 3 corresponds to 2^{64+m+120} · 2/13 = 2^{181.3+m} encryptions. The time complexity of Step 4 is 7 · 2^{64+8+m+118+1} · 1/8 · 1/13 = 2^{187.11+m}. The time complexity of Step 5 is 2^{128+m+62+1} · 1/8 · 1/13 = 2^{184.81+m}. The time complexity of the following steps is negligible. In this attack, 136 out of the 192 key bits are guessed. We have p = 17 + 56 + 48 + 56 + 40 + 8 = 225 and q = 8. Taking β = 2^{−136}, the data complexity of the attack is 2^{120.56}, meaning m = 0.56. The time complexity is equivalent to 2^{187.96} 13-round encryptions.

This attack can also be performed using a unique structure of size smaller than 2^120, in which case the data complexity 2^t fulfills 2^{2t} = 2^{p+q+1} log(1/β). Taking β = 2^{−13}, the data complexity of the attack is 2^{118.59}. The time complexity corresponds to 2^{64+t} · 2/13 + (7 · 2^{64+2t−121} + 2^{128+2t−177}) · 1/8 · 1/13 + 2^{192} β = 2^{182.10} encryptions.

5. Conclusion

Using a new impossible differential distinguisher on 7 rounds of Camellia, we developed the first attack on 13 rounds of Camellia-192 with FL/FL^{-1} layers. This attack on the cipher without whitening keys takes advantage of the redundancy in the key K_R and cannot be used to attack 15 rounds of Camellia-256. While the security of Camellia is not threatened by this attack, it raises the question whether more rounds of Camellia can be threatened by an attack in the impossible differential context.

References

[1] Kazumaro Aoki, Tetsuya Ichikawa, Masayuki Kanda, Mitsuru Matsui, Shiho Moriai, Junko Nakajima, Toshio Tokita, Camellia: a 128-bit block cipher suitable for multiple platforms – design and analysis, in: Douglas R. Stinson, Stafford E. Tavares (Eds.), SAC 2000, LNCS, vol. 2012, Springer, 2001.
[2] Dongxia Bai, Leibo Li, New impossible differential attacks on Camellia, in: Mark Dermot Ryan, Ben Smyth, Guilin Wang (Eds.), ISPEC 2012, LNCS, vol. 7232, Springer, 2012, pp. 80–96.
[3] Eli Biham, Alex Biryukov, Adi Shamir, Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials, in: Jacques Stern (Ed.), EUROCRYPT 1999, LNCS, vol. 1592, Springer, 1999, pp. 12–23.
[4] Céline Blondeau, Andrey Bogdanov, Meiqin Wang, On the (in)equivalence of impossible differential and zero correlation distinguishers for Feistel- and Skipjack-type ciphers, in: Ioana Boureanu, Philippe Owezarski, Serge Vaudenay (Eds.), ACNS 2014, Lausanne, Switzerland, June 10–13, 2014, LNCS, vol. 8479, Springer, 2014, pp. 271–288.
[5] Andrey Bogdanov, Huizheng Geng, Meiqin Wang, Long Wen, Baudoin Collard, Zero-correlation linear cryptanalysis with FFT and improved attacks on ISO standards Camellia and CLEFIA, in: SAC 2013, LNCS, Springer, 2014.
[6] Christina Boura, María Naya-Plasencia, Valentin Suder, Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon, in: Palash Sarkar, Tetsu Iwata (Eds.), ASIACRYPT 2014, LNCS, vol. 8873, Springer, 2014, pp. 179–199.
[7] Masayuki Kanda, Shiho Moriai, Kazumaro Aoki, Hiroki Ueda, Youichi Takashima, Kazuo Ohta, Tsutomu Matsumoto, E2 – a new 128-bit block cipher, IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E83-A (1) (2000) 48–59.
[8] Lars R. Knudsen, DEAL – a 128-bit block cipher, NIST AES proposal, 1998.
[9] Leibo Li, Jiazhe Chen, Keting Jia, New impossible differential cryptanalysis of reduced-round Camellia, in: Dongdai Lin, Gene Tsudik, Xiaoyun Wang (Eds.), CANS 2011, LNCS, vol. 7092, Springer, 2011, pp. 26–39.
[10] Ya Liu, Leibo Li, Dawu Gu, Xiaoyun Wang, Zhiqiang Liu, Jiazhe Chen, Wei Li, New observations on impossible differential cryptanalysis of reduced-round Camellia, in: Anne Canteaut (Ed.), FSE 2012, LNCS, vol. 7549, Springer, 2012, pp. 90–109.
[11] Hamid Mala, Mohammad Dakhilalian, Mohsen Shakiba, Impossible differential cryptanalysis of reduced-round Camellia-256, IET Inf. Secur. 5 (3) (2011) 129–134.