Improved zero-correlation linear cryptanalysis
of reduced-round Camellia under weak keys
ISSN 1751-8709
Received on 12th August 2014
Revised on 30th May 2015
Accepted on 19th June 2015
doi: 10.1049/iet-ifs.2014.0614
www.ietdl.org
Zhiqiang Liu 1,4 ✉, Bing Sun 2,4, Qingju Wang 1,4, Kerem Varici 3,4, Dawu Gu 1
1 Department of Computer Science and Engineering, Shanghai Jiao Tong University, 800 Dong Chuan Road, Shanghai 200240, People’s Republic of China
2 Department of Mathematics and System Science, Science College, National University of Defense Technology, Changsha, People’s Republic of China
3 ICTEAM-Crypto Group, Universite Catholique de Louvain, 1348 Louvain-la-Neuve, Belgium
4 ESAT/COSIC, KU Leuven and iMinds, Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium
✉ E-mail: happy_come@163.com
Abstract: Camellia is one of the widely used block ciphers, which has been included in the NESSIE block cipher portfolio
and selected as a standard by ISO/IEC. In this study, the authors observe that there exist some interesting properties of the
FL/FL⁻¹ functions in Camellia. With this observation they derive some weak keys for the cipher, based on which they
present the first known 8-round zero-correlation linear distinguisher of Camellia with FL/FL⁻¹ layers. This result shows
that the FL/FL⁻¹ layers inserted in Camellia cannot resist zero-correlation linear cryptanalysis effectively for some weak
keys since the currently best zero-correlation linear distinguisher for Camellia without FL/FL⁻¹ layers also covers eight
rounds. Moreover, by using the novel distinguisher, they launch key recovery attacks on 13-round Camellia-192 and
14-round Camellia-256. To their knowledge, these results are the best for Camellia-192 and Camellia-256 with FL/FL⁻¹ and
whitening layers.
1 Introduction
The block cipher Camellia was jointly proposed by NTT and
Mitsubishi in 2000 [1]. It was selected as one of the CRYPTREC
e-government recommended ciphers in 2002 [2] and was
re-evaluated by CRYPTREC in 2012 [3]. Moreover, it was
included in the NESSIE block cipher portfolio in 2003 [4], and in
2005 it was adopted as the international standard by ISO/IEC [5].
Camellia is a 128 bit block cipher which uses the Feistel structure
with key-dependent functions FL/FL⁻¹ inserted every six rounds.
It supports three different key sizes: 128, 192 and 256, and the
number of rounds changes according to the key size, that is, 18
rounds for 128 bit key size (denoted as Camellia-128) and 24
rounds for 192/256 bit key sizes (denoted as Camellia-192/
Camellia-256, respectively).
So far there have been many cryptanalytic results for
reduced-round Camellia by using different approaches such as
differential and linear cryptanalysis [6], truncated differential
cryptanalysis [7, 8], integral attack [9–11], meet-in-the-middle
attack [12], collision attack [10, 13], impossible differential
cryptanalysis [8, 14–20] and zero-correlation linear cryptanalysis
[21]. As a matter of fact, most attacks presented before 2011
excluded the FL/FL⁻¹ and whitening layers to ease the
cryptanalysis, whereas recent attacks aimed at reduced-round
Camellia with FL/FL⁻¹ and/or whitening layers. For example,
in [14], several 6-round impossible differentials of Camellia with
FL/FL⁻¹ layers were proposed, based on which some attacks were
mounted on 10-round Camellia-192 and 11-round Camellia-256.
Li et al. [15] introduced a 7-round impossible differential of
Camellia including FL/FL⁻¹ layers, with which they presented
improved attacks on 10-round Camellia-128, 10-round
Camellia-192 and 11-round Camellia-256. Liu et al. [18]
constructed some 7- and 8-round impossible differentials of
Camellia with FL/FL⁻¹ layers and then attacked 11-round
Camellia-128, 12-round Camellia-192 and 13-round Camellia-256.
In 2013, Bogdanov et al. [21] proposed attacks on 11-round
Camellia-128 and 12-round Camellia-192 by using 7-round
zero-correlation linear distinguishers of Camellia with FL/FL⁻¹
layers and the fast Fourier transform (FFT) technique.
Zero-correlation linear attack is one of the recent cryptanalytic
methods introduced by Bogdanov and Rijmen [22]. The attack is
based on linear approximations with zero correlation, which is
different from the traditional linear cryptanalysis where linear
characteristics (hulls) with high correlations are used. The idea of
zero-correlation linear attack can be considered as the projection of
impossible differential cryptanalysis to linear cryptanalysis. To
construct a zero-correlation linear distinguisher, one always adopts
the miss-in-the-middle technique, as is done in impossible
differential cryptanalysis. In [23, 24], Bogdanov et al. and
Bogdanov and Wang proposed new models that can decrease the
data complexity of zero-correlation linear cryptanalysis. See
[21, 23–25] for details of zero-correlation linear cryptanalysis on
various block ciphers such as CAST, CLEFIA, HIGHT, Skipjack,
TEA and XTEA.
In this paper, we first rewrite the FL/FL⁻¹ functions within
Camellia in matrix forms, which show that for given keys, FL/FL⁻¹
functions are indeed linear (affine) transformations. Thus the
correlations of FL/FL⁻¹ functions can only be 0 or ±1. From this
we derive some interesting properties of the FL/FL⁻¹ functions.
Then following these properties we find some weak keys for the
cipher, with which the first known 8-round zero-correlation linear
distinguisher of Camellia with FL/FL⁻¹ layers is presented. Note
that this distinguisher covers the same number of rounds as the
best known zero-correlation linear distinguisher for Camellia
without FL/FL⁻¹ layers. Consequently, our result demonstrates
that FL/FL⁻¹ layers cannot thwart zero-correlation linear
cryptanalysis effectively in the case of some specific weak keys.
Furthermore, we apply this new distinguisher to attack 13-round
Camellia-192 and 14-round Camellia-256. Although our attacks
require certain conditions for 15 subkey bits, they improve the
existing cryptanalytic results on Camellia-192/256 with FL/FL⁻¹
and whitening layers which can be seen in Table 1.
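The claim that FL is affine for a fixed key, so that every linear approximation of it has correlation 0 or ±1, can be checked numerically. The Python sketch below is an added example, not code from the paper: it implements FL as specified in RFC 3713 and works by direct evaluation rather than the paper's matrix form; the subkey `KE` is a constructed sample value and all helper names are hypothetical.

```python
import random

MASK32 = 0xFFFFFFFF
KE = 0x0123456789ABCDEF  # constructed sample 64-bit FL subkey, not from the paper

def rol32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def fl(x, ke):
    """Camellia FL function on a 64-bit word, as specified in RFC 3713."""
    x1, x2 = x >> 32, x & MASK32
    k1, k2 = ke >> 32, ke & MASK32
    x2 ^= rol32(x1 & k1, 1)   # AND with a fixed key is linear in x
    x1 ^= x2 | k2             # x | k == (x & ~k) ^ k is affine in x
    return (x1 << 32) | x2

def parity(v):
    return bin(v).count("1") & 1

def is_affine(ke, trials=1000, seed=1):
    """Check FL(a ^ b) == FL(a) ^ FL(b) ^ FL(0) on random pairs."""
    rng, c = random.Random(seed), fl(0, ke)
    pairs = ((rng.getrandbits(64), rng.getrandbits(64)) for _ in range(trials))
    return all(fl(a ^ b, ke) == fl(a, ke) ^ fl(b, ke) ^ c for a, b in pairs)

def matching_input_mask(beta, ke):
    """Input mask alpha = L^T(beta), where FL(x) = L(x) ^ FL(0)."""
    c = fl(0, ke)
    alpha = 0
    for i in range(64):
        # bit i of L^T(beta) is the inner product of beta with L(e_i)
        if parity(beta & (fl(1 << i, ke) ^ c)):
            alpha |= 1 << i
    return alpha

def correlation(alpha, beta, ke):
    """Exact correlation of alpha.x ^ beta.FL(x); always 0, +1 or -1."""
    if alpha != matching_input_mask(beta, ke):
        return 0
    return -1 if parity(beta & fl(0, ke)) else 1

def sampled_correlation(alpha, beta, ke, n=20000, seed=2):
    """Monte Carlo estimate that cross-checks correlation()."""
    rng = random.Random(seed)
    xs = (rng.getrandbits(64) for _ in range(n))
    return sum(1 - 2 * (parity(alpha & x) ^ parity(beta & fl(x, ke))) for x in xs) / n
```

For any output mask, exactly one input mask gives correlation ±1 (the sign is fixed by the key through FL(0)); every other input mask gives correlation exactly 0.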
The remainder of this paper is organised as follows: In Section 2,
we give necessary notations, a brief description of Camellia and
IET Information Security
Research Article
IET Inf. Secur., pp. 1–9
© The Institution of Engineering and Technology 2015