New Observation on Camellia

Similar documents
Improved Impossible Differential Attack on Reduced Version of Camellia-192/256

Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA

Complementing Feistel Ciphers

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia

Security of the SMS4 Block Cipher Against Differential Cryptanalysis

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

FFT-Based Key Recovery for the Integral Attack

Differential Attack on Five Rounds of the SC2000 Block Cipher

Structural Cryptanalysis of SASAS

Practically Secure against Differential Cryptanalysis for Block Cipher SMS4

GENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay

Research Article New Linear Cryptanalysis of Chinese Commercial Block Cipher Standard SM4

How Fast can be Algebraic Attacks on Block Ciphers?

Impossible Differential Attacks on 13-Round CLEFIA-128

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones

Block Ciphers and Systems of Quadratic Equations

Block Cipher Cryptanalysis: An Overview

Impossible Boomerang Attack for Block Cipher Structures

Using MILP in Analysis of Feistel Structures and Improving Type II GFS by Switching Mechanism

Security of SM4 Against (Related-Key) Differential Cryptanalysis

Differential-Linear Cryptanalysis of Serpent

Human-readable Proof of the Related-Key Security of AES-128

A Unified Method for Finding Impossible Differentials of Block Cipher Structures

A Five-Round Algebraic Property of the Advanced Encryption Standard

Type 1.x Generalized Feistel Structures

jorge 2 LSI-TEC, PKI Certification department

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

Algebraic Techniques in Differential Cryptanalysis

Security of the AES with a Secret S-box

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Module 2 Advanced Symmetric Ciphers

Cryptanalysis of Hummingbird-2

Linear Cryptanalysis of Reduced-Round PRESENT

Differential Cache Trace Attack Against CLEFIA

Improved S-Box Construction from Binomial Power Functions

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)

Towards Provable Security of Substitution-Permutation Encryption Networks

Improved Upper Bounds of Differential and Linear Characteristic Probability for Camellia

Linear Cryptanalysis Using Multiple Approximations

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

MATH 509 Differential Cryptanalysis on DES

Cryptography Lecture 4 Block ciphers, DES, breaking DES

DD2448 Foundations of Cryptography Lecture 3

Impossible differential and square attacks: Cryptanalytic link and application to Skipjack

Siwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song

Linear Cryptanalysis of RC5 and RC6

Revisit and Cryptanalysis of a CAST Cipher

Bernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p

Improved Slide Attacks

Ciphertext-only Cryptanalysis of a Substitution Permutation Network

Linear Cryptanalysis

Key classification attack on block ciphers

A Byte-Based Guess and Determine Attack on SOSEMANUK

Lecture 4: DES and block ciphers

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Cryptanalysis of a Multistage Encryption System

Cryptanalysis of PRESENT-like ciphers with secret S-boxes

BISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018

On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Enhancing the Signal to Noise Ratio

Menu. Lecture 5: DES Use and Analysis. DES Structure Plaintext Initial Permutation. DES s F. S-Boxes 48 bits Expansion/Permutation

Lecture 12: Block ciphers

MASKED INVERSION IN GF(2 N ) USING MIXED FIELD REPRESENTATIONS AND ITS EFFICIENT IMPLEMENTATION FOR AES

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

New Block Cipher: ARIA

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers

Distinguishing Attack on Common Scrambling Algorithm

Chapter 1 - Linear cryptanalysis.

Akelarre. Akelarre 1

Hardware Design and Analysis of Block Cipher Components

Subspace Trail Cryptanalysis and its Applications to AES

Structural Cryptanalysis of SASAS

Provable Security Against Differential and Linear Cryptanalysis

Advanced differential-style cryptanalysis of the NSA's skipjack block cipher

Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015

Bit-Pattern Based Integral Attack

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

A new version of the RC6 algorithm, stronger against χ 2 cryptanalysis

A New Algorithm to Construct. Secure Keys for AES

Improved Cascaded Stream Ciphers Using Feedback

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Truncated differential cryptanalysis of five rounds of Salsa20

Specification on a Block Cipher : Hierocrypt L1

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

New Combined Attacks on Block Ciphers

Impossible Differential Cryptanalysis of Mini-AES

Transcription:

New Observation on Camellia Duo ei 1,iChao 2,andeqinFeng 3 1 Department of cience, National University of Defense Technology, Changsha, China Duoduolei@163.com 2 Department of cience, National University of Defense Technology, Changsha, China 3 Department of Math, Tsinghua University, Beijing, China Abstract. In this paper, some observations on Camellia are presented, by which the quare attack and the Collision attack are improved. 11- round 256-bit Camellia without F function is breakable with complexity of 2 250 encryptions. 9-round 128-bit Camellia without F function is breakable with the complexity of 2 90 encryptions. And 10-round 256- bit Camellia with F function is breakable with the complexity of 2 210 encryptions and 9-round 128-bit Camellia with F function is breakable with the complexity of 2 122 encryptions. These results are better than any other known results. It concludes that the most efficient attack on Camellia is quare attack. 1 Introduction Camellia [1] is a 128-bit block cipher proposed by NTT and Mitsubishi in 2000. It has the modified Feistel structure with irregular rounds, which is called the F/F 1 function layers. Camellia had been submitted to the standardization and the evaluation projects such as IO/IEC JTC 1/C 27, CYTEC, and NEIE. The most efficient methods analyzing Camellia are truncated differential cryptanalysis[4][5][6] and higher order differential attack[7][9]. Camellia with more than 11 rounds is secure against truncated differential cryptanalysis. quare attack[11] is a most efficient attack on AE[11][12]. Y. He and. Qing [2] showed that 6-round Camellia is breakable by it. Y.Yeom,. ark, and I. im [3] improved the result to 8 rounds. Collision attack on Camellia was presented by W Wu[10]. In this paper, some observations on Camellia are presented, by which the quare attack and the Collision attack are improved. Variant quare Attack can break 11-round 256-bit Camellia without F function with complexity of 2 250 encryptions. 9-round 128-bit Camellia without F function is breakable with the complexity of 2 90 encryptions. And 10-round 256-bit Camellia with F function is breakable with the complexity of 2 210 encryptions and 9-round 128-bit Camellia with F function is breakable with the complexity of 2 122 encryptions. These results are better than any other known results. B. reneel and. Tavares (Eds.): AC 2005, NC 3897, pp. 51 64, 2006. c pringer-verlag Berlin Heidelberg 2006

52 D. ei,. Chao, and. Feng Brief description of Camellia and some new structures equivalent to Camellia are presented in section2. In section 3, active bytes transformations on Camellias are illustrated and some new properties are demonstrated. Our attacking methods are described in section 4. ection 5 is some extension. The paper concludes with our most important results. 2 Equivalent tructures of Camellia 2.1 Description of the Camellia Camellia has a 128-bit block size and supports 128-, 192- and 256-bit keys. Camellia with a 128-bit key and 256-bit key is written as 128-Camellia, 256-Camellia. The design of Camellia is based on the Feistel structure and its number of rounds is 18(128-bit key) or 24(192-, 256-bit key). The F/F 1 function layer is inserted in it every 6 rounds in order to thwart future unknown attacks. Before the first round and after the last round, there are pre- and post-whitening layers. F function contains key-addition, -function and -function. -function contains 4 types of - boxes s 1, s 2, s 3,ands 4. s 2,s 3,s 4 are variations of s 1. The -function:{0, 1} 64 {0, 1} 64 maps (z 1,..., z 8 )to(z 1,..., z 8 ), defined as: z 1 = z 1 z 3 z 4 z 6 z 7 z 8 z 2 = z 1 z 2 z 4 z 5 z 7 z 8 z 3 = z 1 z 2 z 3 z 5 z 6 z 8 z 4 = z 2 z 3 z 4 z 5 z 6 z 7 z 5 = z 1 z 2 z 6 z 7 z 8 z 6 = z 2 z 3 z 5 z 7 z 8 z 7 = z 3 z 4 z 5 z 6 z 8 z 8 = z 1 z 4 z 5 z 6 z 7 We refer X (r), (r) to the rth round input and subkey, refer X(r) and X (r) to the left, right half bytes of X (r), which implies X (r) =(X(r),X (r) ). et X (ri) is the ith byte of X (r), and C be the laintext and Ciphertext, and X () be the last round output. The round function of Camellia is written as follows (named as Camellia-1), which is shown in Fig. 1: X (1) =,X (1) =, X (r+1) = X (r) (s(x (r) (r))), X (r+1) = X (r), C = X (),C = X () ound r Fig. 1. ound function of Camellia-1

New Observation on Camellia 53 2.2 Three Equivalent tructures of Camellia We can write Camellia in following form called Camellia-2, where 1 is the inverse transformation of -function and X (r) is the rth round input of Camellia-2. Figure illustration of Camellia-2 is given in Fig. 2: X (1) = 1 ( ), X (1) = 1 ( ), X (r+1) = X (r) s( ( X (r) ) (r)), X (r+1) = X (r), C = ( X () ),C = ( X () ) ound r Fig. 2. ound function of Camellia-2 We can also write Camellia in the form of Camellia-3 where ˆX (r) is the rth round input. Figure illustration is given in Fig. 3: ˆX (1) =, ˆX (1) = 1 ( ), ˆX (r+1) = ˆX (r) s( ˆX (r) (r)), where r is odd ˆX (r+1) = ( ˆX (r) s( ( ˆX (r) ) (r))), where r is even ˆX (r+1) = ˆX (r), C = ˆX (),C = ( ˆX () ) ound 2r 1 ound 2r 2 Fig. 3. ound function of Camellia-3 The structure of Camellia-4 is given as follows where X (r) is the rth round input of that. Figure illustration is given in Fig. 4: X (1) = 1 ( ), X (1) =, X (r+1) = ( X (r) s( ( X (r) ) (r))), where r is odd X (r+1) = X (r) s( X (r) (r)), where r is even X (r+1) = X (r), C = ( X () ),C = X ()

54 D. ei,. Chao, and. Feng ound 2r 1 ound 2r 2 Fig. 4. ound function of Camellia-4 3 New Observations on Camellia 3.1 reliminaries et a Λ-set be a set of 256 states that are all different in some of the state bytes (the active) and all equal in the other state bytes (the passive). We have: x, y Λ : { x i y i x i = y i if x i is active else et Γ -set be a set of 256 states that are all equal to zero in summation (the balanced). x Γ : x i =0 Applying the -function or ey-addition on a Λ-set results in a Λ-set with the positions of the active bytes unchanged. The result set of applying -function to a Λ-set is not always a Λ-set but always a Γ -set. Applying ey-addition or -function on a Γ -set results in a Γ -set. Applying - function on a Γ -set results in the active bytes and passive bytes are still balanced. Applying AND operation, O operation or right shift operation on a Γ -set results in a Γ -set. Here, we give some definitions that are used in following sections. F: AΛ set has the form of {α 1, α 2, α 3, α 4, α 5, α 6, α 7, α 8, i, β 2, β 3, β 4, β 5, β 6, β 7, β 8 },inwhichα i, β j are constant, i {0,.., 255}. F t :AΛ set has the form of {α 1, α 2, α 3, α 4, α 5, α 6, α 7, α 8, i, β 2, β 3, β 4, β 5, β 6, β 7, γ t } t,inwhichα i, β j, γ k are constant, i {0,.., 255}. F t :AΛ set has the form of {i, β 2, β 3, β 4, β 5, β 6, β 7, γ t, s 1 (i k 1 ), α 2, α 3, α 4, α 5, α 6, α 7, s 1 (γ t k 2 )} t,inwhichα i, β j, γ k, k 1, k 2 are constant, i {0,.., 255}. F t :AΛ set has the form of {β 1, i β 2, i β 3, i β 4, i β 5, β 6, β 7, i γ t, s 1 (i k 1 ), s 1 (i k 1 ) α 2, s 1 (i k 1 ) α 3, α 4, s 1 (i k 1 ) α 5, α 6, α 7, s 1 (i k 1 ) α 8 } t,inwhichα i, β j, γ k, k 1 are constant, i {0,.., 255}. F t :AΛ set has the form of {s 1 (i k 1 ), α 2, α 3, α 4, α 5, α 6, α 7, s 1 (γ t k 2 ), 1 i, 2, 3, 4, 5, 6, 7, 8 γ t },inwhich{ 1, 2, 3, 4, 5, 6, 7, 8 } satisfy Eq.(1), α i, β j, γ k, η 1, η 2, η 3, η 4, η 5, η 6, η 7, η 8 k 1, k 2, k 3, k 4, k 5, k 6, k 7, k 8, k 9 are constant, i {0,.., 255}.

New Observation on Camellia 55 1 10110111 s 1 (s 1 (i k 1 ) η 1 s 1 (γ t k 2 )) 2 11011011 s 2 (s 1 (i k 1 ) η 2 s 1 (γ t k 2 )) 3 11101101 s 3 (s 1 (i k 1 ) η 3 s 1 (γ t k 2 )) 4 5 = 01111110 s 4 (η 4 ) 11000111 s 2 (s 1 (i k 1 ) η 5 s 1 (γ t k 2 )) 6 01101011 s 3 (η 6 s 1 (γ t k 2 )) 7 00111101 s 4 (η 7 s 1 (γ t k 2 )) 8 10011110 s 1 (s 1 (i k 1 ) η 8 ) F t :AΛ set has the form of {s 1 (i k 1 ), s 1 (i k 1 ) α 2, s 1 (i k 1 ) α 3, α 4, s 1 (i k 1 ) α 5, α 6, α 7, s 1 (i k 1 ), s 1 (s 1 (i k 1 ) k 2 ), s 2 (s 1 (i k 1 ) k 3 ) i, s 3 (s 1 (i k 1 ) k 4 ) i, α 4 i, s 2 (s 1 (i k 1 ) k 5 ) i, α 6, α 7, s 1 (s 1 (i k 1 ) k 6 ) i γ t )} t,inwhichα i, β j, γ k, k 1, k 2, k 3, k 4, k 5, k 6 are constant, i {0,.., 255}. In next section, we trace the position changes of the active bytes through 5 rounds transformations of Camellia-1 4 and the plaintext set {} is a Λ set F. We just describe the evolution of left half bytes of round outputs, for the left half bytes of previous round pass to right half bytes of next round unchanged. 3.2 Active Bytes Changing roperties In Camellia-1, X(1,1) is active byte, 1st round transformations convert the active byte to X(2,1), other bytes are passive. In 2nd round transformations, -function converts the active byte to 5 active bytes which are X(31), X (32), X (33),X (35), X(38) and three passive bytes. In 3rd round transformation, -function converts the active bytes to 8 balanced bytes. In 4th round transformation, -function converts balanced bytes to unbalanced bytes. After 5th round transformation all bytes are unbalanced. Evolutions of active bytes are illustrated in Fig. 5. (1) ( 1, 2,..., 8) (A, 2,..., 8) ound1 ound2 ound3 ound4 C assive Byte Balanced Byte ound5 C Unbalanced Byte Fig. 5. ound function of Camellia-1 In Camellia-2, 1st byte of {} is active, the pre- 1 -function converts the active byte to 5 active bytes. 1st round transformations convert the 5 active bytes and 3 passive bytes to 5 active bytes and 3 passive bytes. 2nd round

56 D. ei,. Chao, and. Feng transformations convert the 5 active bytes and 3 passive bytes to 1 active byte and 7 passive bytes. 3rd round transformation convert the 5 active bytes and 3passivebytesto2activebytes,4balanced bytes and 2 passive bytes, where X (41), X (42) are active, X (42), X (43), X (45), X (48) are balanced and X (46), X (47) are passive. 4th round transformations convert those bytes to unbalanced bytes. Evolutions of active bytes are illustrated in Fig. 6. Details of 2nd and 3rd transformation are given in Eq.(2)and Eq.(3). X (3) = X (2) s( ( X (2) (2)) = X (1) s( ( X (1) s( ( X (1) ) (1))) (2) ) = X (1) s( ( 1 ( ) s( ( X (1) ) (1))) (2) ) = X (1) s(( s( ( X (1) ) (1))) (2) ) (2) ( 1, 2,..., 8) (A, 2,..., 8) -1-1 ound1 ound2 ound3 ound4 C Fixed Byte Balanced byte ound5 C Unbalanced byte Fig. 6. ound function of Camellia-2 X (11) is the only active byte in { X (1) }, since applying addition and -function on it results in { X (3) } with position of active byte unchanged, demonstrated in Eq.(2). Each byte of X (4) canbewrittenintheformofeq.(3),inwhich X (41), X (44) are influenced by an active byte X (31) so active, X (42), X (43), X (45), X (48) are influenced by 2 active bytes thus balanced and X (46), X (47) are derived from passive bytes, still passive. X (41) = s( X (31) X (33) X (34) X (36) X (37) X (38) (31)) X (31) X (42) = s( X (31) X (32) X (34) X (35) X (37) X (38) (32)) X (32) X (43) = s( X (31) X (32) X (33) X (35) X (36) X (38) (33)) X (33) X (44) = s( X (32) X (33) X (34) X (35) X (36) X (37) (34)) X (34) X (45) = s( X (31) X (32) X (36) X (37) X (38) (35)) X (35) X (46) = s( X (32) X (33) X (35) X (37) X (38) (36)) X (36) X (47) = s( X (33) X (34) X (35) X (36) X (38) (37)) X (37) X (48) = s( X (31) X (34) X (35) X (36) X (37) (38)) X (38) (3) In Camellia-3, 1st byte of {} is active, the pre--function converts the active byte to 5 active bytes. 1st round transformations convert the 5 active

New Observation on Camellia 57 bytes, 3 passive bytes to 5 active bytes,3 passive bytes. 2nd round transformations convert the 5 active bytes, 3 passive bytes to 5 active bytes, 3 active bytes. 3rd round transformation convert 5 active bytes, 3 passive bytes to 2 active bytes, 4 balanced bytes and 2 passive bytes, where ˆX (41), ˆX (42) are active, ˆX (42), ˆX (43), ˆX (45), ˆX (48) are balanced and ˆX (46), ˆX (47) are passive.and 4th round transformations convert those bytes to unbalanced bytes. The deducing procedure is similar to that of Camellia-2. Figure illustration is given in Fig.7. ( 1, 2,..., 8) (A, 2,..., 8) -1 ound1 ound2 ound3 ound4 C Fixed Byte Balanced byte ound5 C Unbalanced byte Fig. 7. ound function of Camellia-3 The outstanding properties of Camellia-3 are Eq.(4) and Eq.(5), that are used in Improved quare attack and Improved Collision attack in section 4.2 andsection4.3. ˆX (5i) =0 (s( ˆX (6i) (5i)) ˆX (6i) =0, 6 i 7. (4) F F ˆX (5i) C s( ˆX (6i) (5i)) ˆX (6i) C, F, 1 i 8. (5) Camellia-3 also have the property of Eq.(6) that is used in section 4.4. ˆX (5i) = B s( ˆX (6i) (5i)) ˆX (6i) = B, F,Bisactive,i {1, 4}. (6) In Camellia-4, X(11) is active, 1st round transformations convert the active byte to an active byte, 2nd round transformations convert the active byte to an active byte and 3rd round transformations convert the active byte to 8 active bytes. Figure illustration is shown in Fig.8. The outstanding property of Camellia-4 is that seven 3rd round output bytes are passive, which will be used in variant quare attack in section 4.1. F X (4i) (4i) =0,i 1, C i is a constant. (s 1 ( X (5i) ) C i )=0,i 1, C i is a constant. (7) F

58 D. ei,. Chao, and. Feng ( 1, 2,..., 8) (A, 2,..., 8) -1 ound1 ound2 ound3 ound4 C Fixed Byte Balanced Byte ound5 C Unbalanced Byte Fig. 8. ound function of Camellia-4 4 ome Attacks In this section, we construct the attacks on Camellia without pre-, post- whitening and F/F 1 function. The influences of F/F 1 function are discussed in section 5. 4.1 Variant quare Attack The 6-round variant quare attack use the property of Eq.(8), which is derives from Eq.(7), and use the structure of Camellia-4. This attack can be described by the following steps. (s 1 () (s( X (7i) (6i)) X (7i) C i )=0, C i is a constant, i 1. (8) F t tep 1: elect the laintext sets {} t as {} t = F t, 1 t 3, calculate the values of (X(7),X (7)) and record them, which will be used in following steps. tep 2: Guess k (65) and C 5, then check whether Eq.(8) is satisfied or not, where the laintext set is F 1. If Eq.(8) is satisfied, record the values of k (65) and C 5 that may be the correct pair. tep 2 is ended until all possible values are checked. tep 3: For all correct pairs from step 2, checks whether Eq.(8) is satisfied or not, where the laintext set are F t, 2 t 3. (γ t does not influence the value of C 5 ). In this 6-round attack, the time that step 1 takes is 3 2 8 6-round encryptions takes. ince Eq.(8) has 256 + 256 3 additions, 256 2 substitutions, and 6- round Camellia has 44 6 additions, 8 6 substitutions, the time Eq.(8) takes is nearly 6 times of that 6-round encryptions of Camellia take. In step 2, Eq.(8) repeats 2 8 2 8 times. The probability of wrong key passing the checking is 2 8, so there is 2 8 pairs passing the checking in step 2, that implies the time of step

New Observation on Camellia 59 3and4take2 8 3 and 3 times of that 6-round encryptions take, respectively. In this 6-round attack, we only do the step 1, step 2 and step 3 one time. o the 6-round attack s complexity is 2 8 3+2 16 6+2 8 6 2 2 18.6. The counts of selected laintexts are 2 8 3. In 7-round attack, we add one round at the beginning, use the structure of Camellia-3 and select the input sets { X (1) } t as F t,wherek 1 and k 2 are guessing key, for that: if k 1 = k (11),k 2 = k (18) then X (1) F t X (2) F t. This 7-round attack use Eq.(9) for checking and select the T as 7, for the probability of all key bytes pass the checking is 2 8 T. The guessing step is as follows: (s 1 () (s( X (8i) (7i)) X 8i C i )=0,i 1, 1 t T }. (9) X (1) F t tep 1: Guess the values of k (11) and k (18). tep 2: For each X (1) F t calculate the result of {X (8) } t. tep 3: Guess k (75) and C 5, and record the values that pass the checking Eq.(9),where the laintext set is F 1. tep 4: For all correct pairs from step 3, checks whether Eq.(9) is satisfied or not, where 2 t 7, if all the pairs can t pass the check, go to step 1. The attacking complexity is 2 16 (2 8 7+2 16 6+2 8 6 6) 2 33.6.The complexity of 256-Camellia is 2 25.6, since its 1st round key bits are the same as 7th round key bits. The 8-round attack is similar to 7-round attack, the only difference is that X () (8i) is unknown. Getting X () (8i) from X (9) needs five 8th round key bytes, then complexity of this attack is 2 16 (2 8 12 + 2 56 6+2 48 6 11) 2 74.6,the complexity of 256-Camellia becomes 2 66.6. In 9-round attack, we add one round at the beginning and use the structure of Camellia-4, where the selected special plaintexts should satisfy the properties of that { X (2) } t is a Γ set with the from of F t. o we select { X (1) } t as F t,where k 1,...,k 9 are guessing key.. The complexity of this attack is 2 72 (2 8 19 + 2 56 4+2 48 4 18) 2 130. In 256-Camellia, the 2nd round key bytes are the same as 8th round key bytes, so the complexity of the attack is 2 122. In 128-Camellia 1st round key bytes are the same as 9th round key, so the complexity is 2 90.In 10-round attack, we add 1 round at the end and use the structure of Camellia-4, it will need to guess another 8 bytes key. The complexity is 2 186. And attacking on 11-round Camellia, the complexity is 2 250. 4.2 Improved quare Attack The best result of quare attack against Camellia was given by Y.Yeom,. ark, and I. im [3]. In this paper we improved the attacking result, since Camellia-3 satisfying Eq.(4), so called Improved quare attack. The basic attack on 5-round camellia use the property of s( ˆX (65) (55)) ˆX (65) is balanced byte if the plaintext set is F t, which is illustrated in Eq.(4),

60 D. ei,. Chao, and. Feng and the probability of wrong key pass the checking is 2 8. The attacking details are as follows. tep 1: Choose F t, 1 t 2 as plaintext sets, calculate the values of ˆX (65) and record them. tep 2: For each possible values of (55), check whether Eq.(4) is satisfied or not, where the laintext set is F 1, and record the passed key bytes, which may be the correct key byte. Go to next step until all possible values are checked. tep 3: For all correct key bytes in step 2, checks whether Eq.(4) is satisfied or not, where the laintext set is F 2. For this 5-round attack, the time that step 1 takes equals the time that 2 2 8 5-round encryptions takes. ince Eq.(4) has 256 2 + 256 additions and 256 substitutions, and 5-round Camellia has 44 5 additions and 8 5 substitutions, so the time Eq.(4) takes is nearly 5 times of that 5-round Camellia encryptions take. In step 2, Eq.(4) repeats 2 8 times. The probability of wrong key passing the checking is 2 8, so there will be few passing the checking, that means the time of step 3 takes 5 times of that 5-round encryptions take. o the complexity of 5-round attack is 2 8 2+2 8 5+5 2 10.6. 6-round attack add one round at the begin and select the F t, 1 t 5 as plaintext sets and use the structure of Camellia-4. If k 1 in F t, 1 t 5 equals k (11),thens( ˆX (75) (65)) ˆX (75) is balanced byte. o in this attack for each guessing k 1 we check wether the byte s( ˆX (75) (65)) ˆX (75) is balanced or not, similar as 5-round attack. The complexity of the attack is 2 8 (2 8 5+2 8 4+4 4) 2 18. We extend 6 round attacks to 7-round by adding one round at the end and select the plaintexs as 6-round attack. Then to get to know ˆX (75) we have to guess 5 7th round key bytes, so the complexity is 2 8 (2 8 10 + 2 48 4+2 40 4) 2 58. In 8-round attack, adding one round at the beginning, use the structure of Camellia-4. The input sets { ˆX (1 } t is selected as F t, 1 t 15. The key bytes are used in attack. The complexity of the attack is 2 48 (2 8 15+2 48 4+2 40 14) 2 98. The complexity of the attack on 256-Camellia is 2 82,sincethe1stand2nd round key bytes are the same as 7th and 8th round key bytes, respectively. The complexity of the attacks on 9 and 10 rounds are 2 146 and 2 212, respectively. 4.3 Improved Collision Attack Collision attack on Camellia is given by W wu[10]. We improve the attacking results, called Improved Collision attack. In 5-round attack, Eq.(10) is used for checking, which is derived from Eq.(5). s( ˆX (6i) (5i)) ˆX (6i) s( ˆX (6i) (5i)) ˆX (6i), ˆX (1), ˆX (1) F,i {6, 7}. (10) The procedure of this attack is similar to that of 5 round Improved quare attack. The time Eq.(10) takes is nearly 1/4 times that of 1-round Camellia

New Observation on Camellia 61 encryptions take, then the complexity of 5 round attack is 4 + 4 2 8 /(4 5) 2 5.8. imilarly as section 4.2, The complexities of the attack on 6,7,8,9 rounds are 2 8 (5 + 5 2 8 /(6 4)) 2 13.7,2 8 (10 + 10 2 48 /(7 4)) 2 54.5, 2 48 (15 + 15 2 48 /(8 4)) 2 94.9 and 2 48 (23 + 23 2 112 /(9 4)) 2 159.4. The complexity of 9-round attack on 128-Camellia is 2 119.4. The complexities of the attack on 256-Camellia with 7,8,9 and 10 are 2 46.5,2 78.9,2 143.4 and 2 205.6. 4.4 Other Observations We can build a new attack on Camellia based on Eq.(6), which implies the result of s( ˆX (6i) (5i)) ˆ(X) (6i) is a active byte. We select the Λ set F as plaintext sets,then check whether s( ˆX (6i) (5i)) ˆ(X) (6i) is active byte or not for guessing key byte (5i). There is also an interesting property in Camellia-4. If we select the laintext ( X 1, X 1 ) F,then X (58) with the form of Eq.(11). X (58) = s 1(s 1 (B γ) s 2 (B γ) δ) ɛ, γ, δ, ɛ are passive, B is active (11) 5 The Influence of F/F 1 In this section, we construct the attacks on Camellia with F/F 1 function and without pre- and post-whitening. 5.1 Variant quare Attack In 7-round variant quare attack, we use the structure of Camellia-4 and select the plaintexts { X (1), X (1) } t as a series of Λ sets F t. The equation used in this attack is Eq.(12). (s 1 ( X (7i) C i )=0,i {1, 2,..., 8},t {1, 2,..., T }. (12) X (1), X (1) F t If there is a F/F 1 function in Camellia-4, we have X (7i) X (8i). Getting X (7i) from X (8i) needs to guess eight key bytes, which are used in F 1 function. Hence the attacking complexity is 2 72 (2 8 21+2 72 6+2 64 6 20) 2 146.6, where the value of T is 21. In 128-Camellia,the complexity becomes 2 90.6,since the key bytes used in F 1 function are the same as 1st round key bytes. In this 8-round attack, we add one round at the end. Then the attacking complexity is 2 146.6+64. It becomes 2 194.6 in 256-Camellia, since in 256-Camellia 2nd round key bytes are the same as 8th round key. 5.2 Improved quare Attack In 7-round Improved quare attack, we use the structure of Camellia-3 and select the { ˆX (1), ˆX (1) } as F t, and use Eq.(13) for checking. s( ˆX (8i) (7i)) ˆX (8i) =0,i {1, 2,..., 8}. (13) X (1) F

62 D. ei,. Chao, and. Feng If there is a F/F 1 function in Camellia-3, we have to consider the property of F( ˆX (7) ). ince the F function results a Γ set in a Γ set, wehavea conclusion that whether there is a F/F 1 or not Eq.(13) always holds. Hence the complexity of that attack is 2 48 (2 8 10 + 2 8 6+3 9) 2 58.6,thekey bytes required in this attack are {k (11), k (12), k (13), k (15), k (18), k (21), k (75) }. Table 1. The ummary of known attacks on Camellia ounds F/F 1 Methods Time 128 bit Time 256 bit Notes 5 No A 2 48 [2] 5 No A 2 16 [3] 5 No Improved A 2 10.6 This aper 5 No Improved CA 2 5.8 This aper 6 No A 2 56 [3] 6 No Higher Order DC 2 18 [9] 6 No Improved A 2 18 This aper 6 No Improved CA 2 13.7 This aper 6 No Variant A 2 18.6 This aper 7 No Truncated DC 192 [5] 7 No Higher Order DC 2 57 [9] 7 Yes A 2 57.2 [3] 7 No Improved A 2 58 2 50 This aper 7 No Improved CA 2 54.7 2 46.7 This aper 7 No Variant A 2 33.5 2 25.6 This aper 7 Yes Improved A 2 58.6 This aper 7 Yes Variant A 2 90.6 2 146.6 This aper 8 No Truncated DC 2 55.6 [5] 8 No Higher Order DC 2 120 [9] 8 Yes A 2 116 [3] 8 Yes Improved A 2 98 2 82 This aper 8 No Improved CA 2 94.9 2 78.9 This aper 8 No Variant A 2 74.6 2 66.6 This aper 8 Yes Improved CA 2 74.6 2 66,6 This aper 8 Yes Variant A 2 194.6 This aper 9 No Higher Order DC 2 188 [9] 9 Yes A 2 181.4 [3] 9 Yes Improved A 2 122 2 146 This aper 9 No Improved CA 2 119.4 2 143.4 This aper 9 No Variant A 2 90 2 122 This aper 10 No Higher Order DC 2 252 [9] 10 Yes Improved A 2 210 This aper 10 No Improved CA 2 207.4 This aper 10 No Variant A 2 186 This aper 11 No Higher Order DC 2 259.6 [9] 11 No Variant A 2 250 This aper

New Observation on Camellia 63 In 8-round attack, we add one round at the end and still use Eq.(13) for checking, than the attacking procedure becomes the same as that of section 4.2. The attacks on 9-and 10-round Camellia with F function are also no difference from that of without F function, which have been described in section 4.2. 6 Conclusions Variant quare attack can break 9-round 128bit Camellia, 11-round 256 bit Camellia without F function, further more, it is faster than exhaustive key search. The conclusions can be made that key schedule and -function influence the security of Camellia and quare attack is still the best attack on Camellia. Table(1) give a summary of known attacks on Camellia. Acknowledgement. We would like to thank Vincent ijmen for his help for important comments and correctness of mistakes that improved the technical quality of the paper. The reviewer has kindly pointed out many technical problems and give suggestions in the submitted version of this draft. We would also like to thank the referees of the paper, for their constructive comments and suggestions. eferences 1.. Aoki, T. Ichikawa, M. anda, M. Matsui,. Moriai, J. Nakajima and T. Tokita.: Camellia: A 128-Bit Block Cipher uitable for Multiple latforms - Design and Analysis. In: roceedings of elected Areas in Cryptography. ecture Notes in Computer cience, Vol. 1281. pringer-verlag, Berlin Heidelberg New York (2000) 39-56. 2. Y. He and. Qing: quare Attack on educed Camellia Cipher. In: ICIC 2001, ecture Notes in Computer cience, Vol. 2229. pringer-verlag, Berlin Heidelberg New York (2001) 238-245. 3. Y.Yeom,. ark, and I. im.: On the security of Camellia against the quare attack.: In: roceed-ings of Fast oftware Encryption. ecture Notes in Computer cience, Vol. 2365. pringer-verlag, Berlin Heidelberg New York (2002) 89-99. 4. M. anda and T. Matsumoto.: ecurity of Camellia against Truncated Differential Cryptanalysis. In: roceedings of Fast oftware Encryption ecture Notes in Computer cience, Vol. 2355. pringer-verlag, Berlin Heidelberg New York (2001) 286-299. 5.. ee,. Hong,. ee, J. im and. Yoon.: Truncated Differential Cryptanalysis of Camellia. In: ICIC 2001, ecture Notes in Computer cience, Vol. 2288. pringer- Verlag, Berlin Heidel-berg New York (2001).32-38. 6. M. ugita,. obara and H. Imai.: ecurity of educed Version of the Block Cipher Camellia against Truncated and Impossible Differential Cryptanalysis. In: AIACYT 2001, ecture Notes in Computer cience, Vol. 2248. pringer-verlag, Berlin Heidelberg New York (2001) 193-207. 7. T. awabata and T. aneko.: A tudy on Higher Order Differential Attack of Camellia.: The 2nd open NEIE workshop (2001).

64 D. ei,. Chao, and. Feng 8. J. Daemen,.. nudsen and V. ijmen.: The Block Cipher QUAE. In Fast oftware En-cryption, ecture Notes in Computer cience, Vol. 1267. pringer- Verlag, Berlin Heidelberg New York (1997) 149-165. 9. Y.Hatano,H.ekine, and T.aneko.: Higher order differential attack of Camellia(II). In: roceed-ings of elected Areas in Cryptography-AC 02, ecture Notes in Computer cience, Vol. 2595. pringer-verlag, Berlin Heidelberg New York (2002) 39-56. 10. W..Wu,F. D.G. Feng: Collision attack on reduced-round Camellia, cience in China eries F-Information ciences, 2005, Vol.48, No.1pp.78-90. 11. Joan Daemen and Vincent ijmen, The Design of ijndael, AE - The Advanced Encryption tandard, pringer-verlag 2002, (238 pp.). 12. Niels Ferguson,John elsey,tefan ucks,bruce chneier,mike tay,david Wagner and Doug : Improved Cryptanalysis of ijndael Whiting. In roceedings of Fast oftware Encryption-FE 00, Vol 1978, pringer-verlag, Berlin Heidelberg New York (2000) 213-230.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback