The Higher-Order Meet-in-the-Middle Attack and Its Application to the Camellia Block Cipher (⋆)

Jiqiang Lu (1, ⋆⋆), Yongzhuang Wei (2, ⋆⋆⋆), Jongsung Kim (3), and Enes Pasalic (4)

1 Institute for Infocomm Research, Agency for Science, Technology and Research, 1 Fusionopolis Way, #19-01 Connexis, Singapore 138632, [email protected]
2 Guilin University of Electronic Technology, Guilin City, Guangxi Province 541004, China, [email protected]
3 Division of e-Business, Kyungnam University, 449 Wolyoung-dong, Masan, Kyungnam, Korea, [email protected]
4 University of Primorska FAMNIT, Koper, Slovenia, [email protected]

⋆ The material in this paper was presented in part in an invited talk given by J. Lu at the First Asian Workshop on Symmetric Key Cryptography (ASK '11), in August 2011, Singapore.
⋆⋆ This work was done when this author was with École Normale Supérieure (France) under the support of the French ANR project SAPHIR II.
⋆⋆⋆ This author was partially supported by the Natural Science Foundation of China (No. 60833008), the Open Project Program of the State Key Laboratory of Integrated Services Networks (No. ISN11-11), and the National Basic Research 973 Program of China (No. 2007CB311201).

Abstract. The Camellia block cipher has a 128-bit block length, a user key of 128, 192 or 256 bits long, and a total of 18 rounds for a 128-bit key and 24 rounds for a 192 or 256-bit key. It is a Japanese CRYPTREC-recommended e-government cipher, a European NESSIE selected cipher and an ISO international standard. In this paper, we propose an extension of the meet-in-the-middle attack, which we call the higher-order meet-in-the-middle (HO-MitM) attack; the core of the HO-MitM attack is to use multiple plaintexts to cancel some key-dependent component(s) or parameter(s) when constructing a basic unit of "value-in-the-middle". Then we introduce a novel approach, which combines integral cryptanalysis with the meet-in-the-middle attack, to construct HO-MitM attacks on 10-round Camellia with the FL/FL−1 functions under 128 key bits, 11-round Camellia with the FL/FL−1 functions under 192 key bits and 12-round Camellia with the FL/FL−1 functions under 256 key bits. Finally, we apply an existing approach to construct HO-MitM attacks on 14-round Camellia without the FL/FL−1 functions under 192 key bits and 16-round Camellia without the FL/FL−1 functions under 256 key bits. In terms of the numbers of attacked rounds, these are better than any previously published cryptanalytic results for the respective versions of Camellia. The HO-MitM attack is a general cryptanalytic technique, and can potentially be used to cryptanalyse other block ciphers.

Key words: Block cipher, Camellia, Meet-in-the-middle attack, Integral cryptanalysis.

1

Introduction

The block cipher Camellia [1] was published in 2000; it has a 128-bit block length, a user key of 128, 192 or 256 bits long, and a total of 18 rounds when used with a 128-bit key and 24 rounds when used with a 192/256-bit key. For simplicity, we denote by Camellia-128/192/256 the three versions of Camellia that use 128, 192 and 256 key bits, respectively. Camellia became a CRYPTREC e-government recommended cipher [7] in 2002, a NESSIE selected block cipher [27] in 2003, and was adopted as an ISO international standard [18] in 2005. So far, in terms of the numbers of attacked rounds, the best previously published cryptanalytic results on Camellia with the FL/FL−1 functions are the square [8] attack on 9-round Camellia-128 [13], the impossible differential [2, 20] attack on 10-round Camellia-192 [6], and the higher-order differential [22] and impossible differential attacks on 11-round Camellia-256 [6, 15]; the best previously published cryptanalytic results on Camellia without the FL/FL−1 functions are the impossible differential attacks on 12-round Camellia-128/192 [23, 26] and 15-round Camellia-256 [6]. Besides, Biryukov and Nikolic [4] analysed a reduced Camellia-128 with a modified key schedule.

In this paper, we propose an extension of the meet-in-the-middle (MitM) attack [11], which we call the higher-order meet-in-the-middle (HO-MitM) attack. The core of the HO-MitM attack is to use multiple plaintexts to cancel some key-dependent component(s) or parameter(s) when constructing a basic unit of so-called value-in-the-middle. Then we introduce a novel approach, which combines integral cryptanalysis [17, 21] with the MitM attack, to construct a few HO-MitM properties for 5 and 6-round Camellia with FL/FL−1 functions, and finally apply these properties to conduct HO-MitM attacks on 10-round Camellia-128 with FL/FL−1 functions, 11-round Camellia-192 with FL/FL−1 functions and 12-round Camellia-256 with FL/FL−1 functions.
At last, we use an existing approach to construct a few HO-MitM properties for 7 and 8-round Camellia without FL/FL−1 functions, and then describe HO-MitM attacks on 14-round Camellia-192 without FL/FL−1 functions and 16-round Camellia-256 without FL/FL−1 functions. Table 1 summarises the best previously published and our main cryptanalytic results on Camellia, where CP and KP refer respectively to the numbers of chosen plaintexts and known plaintexts, Enc. refers to the required number of encryption operations of the relevant reduced version of Camellia-128/192/256, "yes" means "with FL/FL−1 functions", and "no" means "without FL/FL−1 functions" (see footnote 1).

Table 1. The best previously published and our main cryptanalytic results on Camellia

Key       FL/FL−1  Rounds  Attack Type         Data         Memory          Time            Source
128 bits  yes      9       Square              2^48 CP      2^53 Bytes      2^122 Enc.      [13]
          yes      10      HO-MitM             2^93 CP      2^109 Bytes     2^118.6 Enc.    Sect. 4.2
          no       12      Impossible diff.    2^116.3 CP   2^73 Bytes      2^116.6 Enc.    [26]
192 bits  yes      10      Impossible diff.    2^121 CP     2^155.2 Bytes   2^175 Enc.      [6]
          yes      11      HO-MitM             2^78 CP      2^174 Bytes     2^187.4 Enc.    Sect. 4.3
          no       10      Impossible diff.    2^121 CP     2^155.2 Bytes   2^144 Enc.      [6]
          no       11      HO-MitM             2^94 CP      2^174 Bytes     2^180.2 Enc.    Sect. 4.3
          no       12      Impossible diff.    2^119 CP     2^124 Bytes     2^147.3 Enc.    [23]
          no       14      HO-MitM             2^118 CP     2^166 Bytes     2^164.6 Enc.    Sect. 5.2
256 bits  yes      11      Higher-order diff.  2^93 CP      2^98 Bytes      2^255.6 Enc.    [15]
          yes      11      Impossible diff.    2^121 CP     2^155.2 Bytes   2^206.8 Enc.    [6]
          yes      12      HO-MitM             2^94 CP      2^174 Bytes     2^237.3 Enc.    Sect. 4.4
          no       15      Impossible diff.    2^122 KP     2^225 Bytes     2^248.4 Enc.    [6]
          no       16      HO-MitM             2^126 CP     2^230 Bytes     2^252 Enc.      Sect. 5.3

The remainder of the paper is organised as follows. In the next section, we describe the notation and the Camellia block cipher. We define the HO-MitM attack in Section 3 and present our HO-MitM attacks on Camellia in Sections 4 and 5. Section 6 concludes this paper.

2

Preliminaries

In this section we give the notation used throughout this paper, and briefly describe the Camellia block cipher.

2.1

Notation

The bits of a value are numbered from left to right, starting with 1. We use the following notation throughout this paper.

⊕ : bitwise logical exclusive OR (XOR) of two bit strings of the same length
∩ : bitwise logical AND of two bit strings of the same length
∪ : bitwise logical OR of two bit strings of the same length
≪ : left rotation of a bit string
|| : bit string concatenation
◦ : functional composition. When composing functions X and Y, X ◦ Y denotes the function obtained by first applying X and then applying Y
X̄ : bitwise logical complement of a bit string X
|X| : the number of bits in a bit string X
X[i1, · · · , ij] : the j-bit string of bits (i1, · · · , ij) of a bit string X

Footnote 1: Note that some of the previous results include or can include whitening subkeys by making use of an equivalent structure of Camellia, namely [6, 15, 23]. Besides, this paper was part of a manuscript in which we used three different techniques (namely impossible differential cryptanalysis, the meet-in-the-middle attack and the higher-order meet-in-the-middle attack) to cryptanalyse Camellia. Because of page constraints we split the manuscript into three parts; see [24, 25] for the other parts.

2.2

The Camellia Block Cipher

Camellia [1] employs a Feistel structure with a 128-bit block length and a variable key length of 128, 192 or 256 bits. It uses the following five functions:

– S : {0, 1}^64 → {0, 1}^64 is a non-linear substitution constructed by applying eight 8×8-bit S-boxes S1, S2, S3, S4, S5, S6, S7 and S8 in parallel to the input, where S1 and S8 are identical, S2 and S5 are identical, S3 and S6 are identical, and S4 and S7 are identical.
– P : GF(2^8)^8 → GF(2^8)^8 is a linear permutation equivalent to multiplication by an 8 × 8 byte matrix P; the matrix P and its inverse P^{-1} are as follows.

$$
P = \begin{pmatrix}
1&0&1&1&0&1&1&1\\
1&1&0&1&1&0&1&1\\
1&1&1&0&1&1&0&1\\
0&1&1&1&1&1&1&0\\
1&1&0&0&0&1&1&1\\
0&1&1&0&1&0&1&1\\
0&0&1&1&1&1&0&1\\
1&0&0&1&1&1&1&0
\end{pmatrix}, \qquad
P^{-1} = \begin{pmatrix}
0&1&1&1&0&1&1&1\\
1&0&1&1&1&0&1&1\\
1&1&0&1&1&1&0&1\\
1&1&1&0&1&1&1&0\\
1&1&0&0&1&0&1&1\\
0&1&1&0&1&1&0&1\\
0&0&1&1&1&1&1&0\\
1&0&0&1&0&1&1&1
\end{pmatrix}.
$$

– F : {0, 1}^64 × {0, 1}^64 → {0, 1}^64 is a Feistel function. If X and Y are 64-bit blocks, F(X, Y) = P(S(X ⊕ Y)).
– FL/FL−1 : {0, 1}^64 × {0, 1}^64 → {0, 1}^64 are key-dependent linear functions. If X = (X_L || X_R) and Y = (Y_L || Y_R) are 64-bit blocks, then

$$
FL(X, Y) = \Big(\big((((X_L \cap Y_L) \lll 1) \oplus X_R) \cup Y_R\big) \oplus X_L\Big) \,\|\, \Big(((X_L \cap Y_L) \lll 1) \oplus X_R\Big),
$$

$$
FL^{-1}(X, Y) = \Big(X_L \oplus (X_R \cup Y_R)\Big) \,\|\, \Big((((X_L \oplus (X_R \cup Y_R)) \cap Y_L) \lll 1) \oplus X_R\Big).
$$

Camellia uses a total of four 64-bit whitening subkeys KW_j, (N_r − 6)/3 64-bit subkeys KI_l for the FL and FL−1 functions, and N_r 64-bit round subkeys K_i, (1 ≤ j ≤ 4, 1 ≤ l ≤ (N_r − 6)/3, 1 ≤ i ≤ N_r), all derived from an N_k-bit key K, where N_r denotes the number of rounds, which is 18 for Camellia-128 and 24 for Camellia-192/256, and N_k denotes the key length, which is 128 for Camellia-128, 192 for Camellia-192 and 256 for Camellia-256. The key schedule is as follows. First, two 128-bit strings K_L and K_R are generated from K in the following way: For Camellia-128, K_L is the 128-bit key K, and K_R is zero; for Camellia-192, K_L is the left 128 bits of K, and K_R is the concatenation of the right 64 bits of K and the complement of the right 64 bits of K; and for Camellia-256, K_L is the left

128 bits of K, and K_R is the right 128 bits of K. Secondly, two 128-bit strings K_A and K_B are generated from (K_L, K_R) by a non-linear transformation; see [1] for detail. Finally, the subkeys are as follows (see footnote 2).

– For Camellia-128: K_2 = (K_A ≪ 0)[65 ∼ 128], K_3 = (K_L ≪ 15)[1 ∼ 64], K_9 = (K_A ≪ 45)[1 ∼ 64], K_10 = (K_L ≪ 60)[65 ∼ 128], K_11 = (K_A ≪ 60)[1 ∼ 64], · · ·.
– For Camellia-192/256: K_1 = (K_B ≪ 0)[1 ∼ 64], K_2 = (K_B ≪ 0)[65 ∼ 128], K_3 = (K_R ≪ 15)[1 ∼ 64], K_4 = (K_R ≪ 15)[65 ∼ 128], K_7 = (K_B ≪ 30)[1 ∼ 64], K_8 = (K_B ≪ 30)[65 ∼ 128], K_12 = (K_A ≪ 45)[65 ∼ 128], K_13 = (K_R ≪ 60)[1 ∼ 64], K_14 = (K_R ≪ 60)[65 ∼ 128], K_15 = (K_B ≪ 60)[1 ∼ 64], K_16 = (K_B ≪ 60)[65 ∼ 128], K_17 = (K_L ≪ 77)[1 ∼ 64], K_18 = (K_L ≪ 77)[65 ∼ 128], K_21 = (K_A ≪ 94)[1 ∼ 64], K_22 = (K_A ≪ 94)[65 ∼ 128], K_23 = (K_L ≪ 111)[1 ∼ 64], · · ·.

Below is the encryption procedure of Camellia, where P is a 128-bit plaintext, represented as 16 bytes, and $L_0, R_0, L_i, R_i, \widehat{L}_i$ and $\widehat{R}_i$ are 64-bit variables.

1. $L_0 \| R_0 = P \oplus (KW_1 \| KW_2)$.
2. For $i = 1$ to $N_r$: if $i = 6$ or $12$ (or $18$ for Camellia-192/256), $\widehat{L}_i = F(L_{i-1}, K_i) \oplus R_{i-1}$, $\widehat{R}_i = L_{i-1}$; $L_i = FL(\widehat{L}_i, KI_{i/3-1})$, $R_i = FL^{-1}(\widehat{R}_i, KI_{i/3})$; else $L_i = F(L_{i-1}, K_i) \oplus R_{i-1}$, $R_i = L_{i-1}$.
3. Ciphertext $C = (R_{N_r} \oplus KW_3) \| (L_{N_r} \oplus KW_4)$.

We refer to the i-th iteration of Step 2 in the above description as Round i, and write K_{i,j} for the j-th byte of K_i, (1 ≤ j ≤ 8).

3

The Higher-Order Meet-in-the-Middle Attack

In this section, we first briefly recall the meet-in-the-middle (MitM) attack, and then define the higher-order meet-in-the-middle (HO-MitM) attack.

3.1

The Meet-in-the-Middle Attack

The meet-in-the-middle (MitM) attack was introduced in 1977 by Diffie and Hellman [11]. It usually treats a block cipher $E : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^n$ as a cascade of two sub-ciphers $E = E^a \circ E^b$. The basic unit of input for the MitM attack is a known plaintext. Given a guess for the subkeys used in $E^a$ and $E^b$, if a plaintext produces just after $E^a$ the same value as the corresponding ciphertext produces just before $E^b$, then this guess for the subkeys is likely to be correct; otherwise, this guess must be incorrect. Thus, we can find the correct subkey, given a sufficient number of matching plaintext-ciphertext pairs. (The concerned value-in-the-middle can be a truncated one in some circumstances.)

Suppose $(P, C)$ is a known plaintext-ciphertext pair, and let $K_a$ denote the subkeys used in $E^a$, $K_b$ denote the subkeys used in $E^b$, and $K$ denote the subkeys used in $E^a$ and $E^b$. Obviously, $\max\{|K_a|, |K_b|\} \le |K| \le |K_a| + |K_b|$. When checking whether $P$ produces the same value just after $E^a$ as $C$ produces just before $E^b$, a straightforward approach is to guess $K_a$ to partially encrypt $P$ through $E^a$, then guess $K_b$ to partially decrypt $C$ through $E^b$, and finally check whether the two intermediate values match. This approach requires negligible memory, and has a total time complexity of $2^{|K|}$ partial encryptions/decryptions. However, if the $2^{|K|}$ partial encryptions/decryptions are greater than $2^k$ full encryptions, then this approach is slower than an exhaustive key search and thus is not effective. Instead, a precomputation table may be helpful, just as in [11], as we now describe. We precompute $E^a_{K_a}(P)$ for all possible candidates for $K_a$ and store these values in a hash table indexed by the values (and the overlapping bits between $K_a$ and $K_b$, if any). Then, guess $K_b$ to partially decrypt $C$ through $E^b$, and check whether the intermediate value matches a value in the precomputation table. If so, the guess for $K_b$ and the corresponding value for $K_a$ are likely to be correct; otherwise, the guess for $K_b$ must be incorrect and we repeat the same process with a different guess for $K_b$. The off-line precomputation requires a memory of $n \times 2^{|K_a|}$ bits and has a time complexity of $2^{|K_a|}$ partial encryptions. Thus, this approach has a total time complexity of $2^{|K_a|} + 2^{|K_b|}$ partial encryptions/decryptions (see footnote 3). Therefore, the approach using a precomputation table is efficient if the $2^{|K_a|} + 2^{|K_b|}$ partial encryptions/decryptions are smaller than $2^k$ full encryptions.

Footnote 2: Here we give only the subkeys concerned in this paper; (K_A ≪ 0)[65 ∼ 128] represents bits (65, 66, · · · , 128) of (K_A ≪ 0), and so on.
Both the approaches described above work in a known-plaintext attack scenario. Nevertheless, things may get better under a chosen-plaintext attack scenario. In such an attack scenario, as followed in [9], we are able to choose a structure of plaintexts with a particular property (e.g., a specific byte position takes all the possible values in $\{0,1\}^8$ and the other 15 bytes are fixed); a desirable consequence is that the matched (truncated) value-in-the-middle may be expressed as a function of the plaintext and a smaller number of unknown one-bit constants than the number of possible candidates for $K_a$. As a result, we may generate a precomputation table with smaller memory and time complexity, and thus give a more efficient attack.

The terminology "the meet-in-the-middle attack" has been abused somewhat to mean a broader type of similar attacks where the matched (truncated) "value-in-the-middle" need not come from the middle, or from any particular place, of the encryption/decryption but is abstracted as the output of some function of the plaintext and/or intermediate values, though something like "the meet-in-the-middle-style attack" would be a more appropriate term for this type of attack. This is the case for our attacks presented in this paper.

Footnote 3: When checked with a plaintext-ciphertext pair, a wrong guess for $K$ will survive with a probability of $2^{-n}$ in the first approach, and a wrong guess for $K_b$ will survive with a probability of about $\frac{2^{|K_a|}}{2^{|K_a| + |K_b| - |K|}} \times 2^{-n} = 2^{|K| - |K_b| - n}$ in the approach using a precomputation table. Usually, one or more additional plaintext-ciphertext pairs are required to filter out the right subkey, but generally the time complexity associated with these additional plaintext-ciphertext pairs is negligible.

3.2

The HO-MitM Attack

Typically, in the MitM attack a basic unit of value-in-the-middle is obtained from a known plaintext. We note that we can use multiple plaintexts to construct a basic unit of value-in-the-middle in a MitM attack; we call such an attack a higher-order meet-in-the-middle (HO-MitM) attack. Specifically, the basic idea of the HO-MitM attack, an extended version of the basic idea of the MitM attack, can be described as follows: It involves treating a block cipher $E : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^n$ as a cascade of two sub-ciphers $E = E^a \circ E^b$ for some $E^a$ and $E^b$. Given a guess for the subkeys used in $E^a$ and $E^b$, if the output of some function (see footnote 4) (e.g., a truncated XOR sum) of the values that a set of chosen plaintexts produces just after $E^a$ is equal to the output of the same function of the values that the corresponding ciphertexts produce just before $E^b$, then this guess for the subkeys is likely to be correct; otherwise, this guess must be incorrect. More formally, suppose $\{P_1, P_2, \cdots, P_l\}$ is a set of $l$ chosen plaintexts, $\{C_1, C_2, \cdots, C_l\}$ is the set of the corresponding ciphertexts, and $f : \{0,1\}^{n \times l} \to \{0,1\}^m$ (for a specific value of $m$) is some function of $l$ variables of $n$ bits long; then given a guess $(K_a^*, K_b^*)$ for the subkeys $(K_a, K_b)$ used respectively in $E^a$ and $E^b$, if

$$
f\big(E^a_{K_a^*}(P_1), E^a_{K_a^*}(P_2), \cdots, E^a_{K_a^*}(P_l)\big) = f\big((E^b_{K_b^*})^{-1}(C_1), (E^b_{K_b^*})^{-1}(C_2), \cdots, (E^b_{K_b^*})^{-1}(C_l)\big),
$$

then the subkey guess $(K_a^*, K_b^*)$ is likely to be correct; otherwise, this subkey guess must be incorrect. This is easy to prove: If $(K_a^*, K_b^*)$ is the correct guess for $(K_a, K_b)$, then $E^a_{K_a^*}(P_i) = E^a_{K_a}(P_i) = (E^b_{K_b})^{-1}(C_i) = (E^b_{K_b^*})^{-1}(C_i)$ must hold for all $i = 1, 2, \cdots, l$. Thus, given a sufficient number of sets of chosen plaintexts, we can find the correct subkey in a similar approach as we describe for the MitM attack in Section 3.1, particularly the approach using a precomputation table in a chosen-plaintext attack scenario.

From the above descriptions, it is easy to see that the fundamental distinction between the basic ideas of the HO-MitM attack and the MitM attack lies in the number of plaintexts used to construct a basic unit of value-in-the-middle: The basic value-in-the-middle concerned in the MitM attack is obtained from a plaintext (we note that it is obtained from two plaintexts in some MitM attacks, as discussed in Section 3.3), while the basic value-in-the-middle concerned in the HO-MitM attack is obtained from multiple plaintexts; in other words, while the basic input unit for the MitM attack is a known plaintext, the basic input unit of the HO-MitM attack is a set of chosen plaintexts.

At first glance, the HO-MitM attack might appear to be a trivial extension of the MitM attack. Generally speaking, we can easily convert a MitM attack to a HO-MitM attack if we do not consider the consequence caused by the increase of the number of plaintexts in the basic input unit; however, the MitM attack would then outperform the HO-MitM attack, for it seems unnecessary to use a basic input unit with multiple plaintexts. But we observe that this is not always the case, and the HO-MitM attack can be advantageous in some circumstances, because some key-dependent component(s) or parameter(s) can be cancelled when using more than one plaintext, depending on the cipher being attacked and how these plaintexts are chosen. Thus, we may reduce the number of subkeys required when computing the concerned value-in-the-middle, or reduce the number of unknown parameters in the approach using a precomputation table; this is the core of the HO-MitM attack. As a consequence, the HO-MitM attack may have a smaller computational workload than the MitM attack, and, even more significantly, we may break more rounds of a cipher, as shown by its application to Camellia in the following sections.

How to construct a HO-MitM attack (which is, to some degree, equivalent to constructing the function $f$) depends on the design of the cipher to be attacked. In this paper, when constructing HO-MitM attacks on Camellia, we use two approaches to cancel some key-dependent component(s)/parameter(s). The first approach, as described in Section 4.1, is to use an integral [17, 21] property, and the HO-MitM attack obtained by this approach is actually a combination of integral cryptanalysis and the MitM attack (thus it is entitled to an alias, the integral-meet-in-the-middle attack); it is particularly applicable to Camellia-like Feistel ciphers. The second approach, as described in Section 5, is to use a general differential [3] property, and it has broader applicability in block ciphers with different structures such as substitution-permutation networks and Feistel networks; notice that this approach is not novel and has been used in the cryptanalytic literature, as discussed in Section 3.3. Anyway, the basic idea of the HO-MitM attack gives us more flexibility to use a broader property, provided that it allows us to use multiple plaintexts to cancel some key-dependent parameters somehow, like those potentially useful properties from higher-order differential cryptanalysis [19, 22], structural cryptanalysis [5], etc. Though we can call a HO-MitM attack with a basic input unit of $l$ plaintexts an $l$-th order MitM attack, we will not distinguish HO-MitM attacks with different orders in this paper, and we only distinguish between the HO-MitM attack and the MitM attack. The MitM attack corresponds to the special case $l = 1$ under our definition.

Footnote 4: Of course, the function should have certain distinguishing properties.

3.3

Related Work

We noted that some previously published MitM attacks used a basic input unit of two plaintexts; for example, in [10, 12, 28] the matched "value-in-the-middle" was defined to be a difference between two (truncated) intermediate values with respect to a chosen-plaintext pair, that is, the basic input unit is a pair of chosen plaintexts. Thus, these attacks can be categorised as HO-MitM attacks (with a basic input unit of two plaintexts) by our definition. Some collision attacks, like those in [14], are based on checking whether a pair of plaintexts produces the same (truncated) intermediate value in an approach similar to the one used for the MitM attack in Section 3.1, and can be seen as a special case of HO-MitM attacks with a basic input unit of two plaintexts, where the matched value-in-the-middle is 0. Thus, the HO-MitM attack with a basic input unit of two plaintexts is not novel; however, these attacks do not take full advantage of possible approaches to cancel key-dependent parameters, and we describe HO-MitM attacks with a basic input unit of 256 plaintexts in Section 4. Broadly speaking, integral cryptanalysis [17, 21] and higher-order differential cryptanalysis [19, 22] are based on an idea which is similar to the basic idea of the HO-MitM attack, but a distinction is that in those cryptanalyses we do not need to guess any secret parameter when going through the rounds covered by an integral distinguisher or a higher-order differential.

4

HO-MitM Attacks on Camellia-128/192/256 with FL/FL−1 Functions

In this section, we describe 5 and 6-round HO-MitM properties of Camellia with FL/FL−1 functions, and then present HO-MitM attacks on 10-round Camellia-128 with FL/FL−1 functions, 11-round Camellia-192 with FL/FL−1 functions and 12-round Camellia-256 with FL/FL−1 functions.

4.1

HO-MitM Properties for 5/6-Round Camellia with FL/FL−1

We assume the 5-round Camellia is from Rounds 4 to 8 (including the FL/FL−1 functions between Rounds 6 and 7), and the 6-round Camellia is from Rounds 3 to 8; see Fig. 1-(a).

Proposition 1. Suppose a set of $2^{16}$ sixteen-byte values $X^{(i,j)} = (X_L^{(i,j)} \| X_R^{(i,j)}) = (m_1, m_2, m_3, m_4, m_5, m_6, m_7, m_8, x^{(i)}, y^{(j)}, m_9, m_{10}, m_{11}, m_{12}, m_{13}, m_{14})$ with $x^{(i)}$ and $y^{(j)}$ taking all the possible values in $\{0,1\}^8$ and the other 14 bytes $m_1, m_2, \cdots, m_{14}$ fixed to arbitrary values, $(i, j = 1, \cdots, 256)$. Then:

– If $Z^{(i,j)} = (Z_L^{(i,j)} \| Z_R^{(i,j)})$ is the result of encrypting $X^{(i,j)}$ using Rounds 4 to 8 with the FL/FL−1 functions between Rounds 6 and 7, then the 8-bit value $P^{-1}\big(\bigoplus_{j=1}^{256} Z_R^{(i,j)}\big)[49 \sim 56]$ can be expressed as a function of $x^{(i)}$ and 13 constant 8-bit parameters $c_1, c_2, \cdots, c_{13}$, written $\Phi_{c_1, c_2, \cdots, c_{13}}(x^{(i)})$.
– If $Z^{(i,j)} = (Z_L^{(i,j)} \| Z_R^{(i,j)})$ is the result of encrypting $X^{(i,j)}$ using Rounds 3 to 8 with the FL/FL−1 functions between Rounds 6 and 7, then the 8-bit value $P^{-1}\big(\bigoplus_{j=1}^{256} Z_R^{(i,j)}\big)[41 \sim 48]$ can be expressed as a function of $x^{(i)}$ and 21 constant 8-bit parameters $c'_1, c'_2, \cdots, c'_{21}$, written $\Theta_{c'_1, c'_2, \cdots, c'_{21}}(x^{(i)})$.

These HO-MitM properties are obtained by using an integral [17, 21] property for Camellia to cancel some key-dependent components FL−1, and the basic "value-in-the-middle" is obtained from 256 plaintexts. Below we briefly describe where the advantage comes from in the case of the HO-MitM attacks.

[Fig. 1. 5/6-round Camellia with FL/FL−1 (a) and 7/8-round Camellia without FL/FL−1 (b). The figure itself is not reproduced in this text.]

For expediency, when encrypting $X^{(i,j)}$, we denote by $Y_t^{(i,j)}$ the value immediately after the S operation of Round $t$, and by $W_t^{(i,j)}$ the value immediately after the P operation of Round $t$, $(3 \le t \le 8)$. From [29] we know the following integral property holds for Rounds 3 or 4 to 6 with FL/FL−1:

$$
\bigoplus_{j=1}^{256} FL^{-1}\big(\widehat{R}_6^{(i,j)}, KI_2\big) = 0. \tag{1}
$$

By the structure of the 5-round Camellia, we have

$$
Z_R^{(i,j)} = FL^{-1}\big(X_L^{(i,j)} \oplus W_5^{(i,j)}, KI_2\big) \oplus W_7^{(i,j)}. \tag{2}
$$

After applying the $P^{-1}$ operation to Eq. (2) we get the following equation:

$$
P^{-1}\big(Z_R^{(i,j)}\big) = P^{-1}\Big(FL^{-1}\big(X_L^{(i,j)} \oplus W_5^{(i,j)}, KI_2\big)\Big) \oplus Y_7^{(i,j)}. \tag{3}
$$

Observe that $X_L^{(i,j)} \oplus W_5^{(i,j)} = \widehat{R}_6^{(i,j)}$. Thus, by Eqs. (1) and (3) we have

$$
\bigoplus_{j=1}^{256} P^{-1}\big(Z_R^{(i,j)}\big) = \Big(\bigoplus_{j=1}^{256} P^{-1}\Big(FL^{-1}\big(X_L^{(i,j)} \oplus W_5^{(i,j)}, KI_2\big)\Big)\Big) \oplus \Big(\bigoplus_{j=1}^{256} Y_7^{(i,j)}\Big) = \bigoplus_{j=1}^{256} Y_7^{(i,j)}. \tag{4}
$$

For the 6-round Camellia, we have

$$
Z_R^{(i,j)} = FL^{-1}\big(X_R^{(i,j)} \oplus W_3^{(i,j)} \oplus W_5^{(i,j)}, KI_2\big) \oplus W_7^{(i,j)}. \tag{5}
$$

After applying the $P^{-1}$ operation to Eq. (5) and then by Eq. (1) we have

$$
\bigoplus_{j=1}^{256} P^{-1}\big(Z_R^{(i,j)}\big) = \Big(\bigoplus_{j=1}^{256} P^{-1}\Big(FL^{-1}\big(X_R^{(i,j)} \oplus W_3^{(i,j)} \oplus W_5^{(i,j)}, KI_2\big)\Big)\Big) \oplus \Big(\bigoplus_{j=1}^{256} Y_7^{(i,j)}\Big) = \bigoplus_{j=1}^{256} Y_7^{(i,j)}. \tag{6}
$$

Now, observe that the key-dependent components $FL^{-1}(X_L^{(i,j)} \oplus W_5^{(i,j)}, KI_2)$ in Eq. (4) and $FL^{-1}(X_R^{(i,j)} \oplus W_3^{(i,j)} \oplus W_5^{(i,j)}, KI_2)$ in Eq. (6) cancel out. Thus we can compute $\bigoplus_{j=1}^{256} P^{-1}(Z_R^{(i,j)})$ from the structure of chosen inputs, without guessing the subkeys used in the FL−1 function. This is the origin of the advantage of our HO-MitM attacks. Further, we prove that $\bigoplus_{j=1}^{256} Y_{7,7}^{(i,j)}$ can be expressed as a function of $x^{(i)}$ and 13 constant 8-bit parameters in the 5-round HO-MitM property, and $\bigoplus_{j=1}^{256} Y_{7,6}^{(i,j)}$ can be expressed as a function of $x^{(i)}$ and 21 constant 8-bit parameters in the 6-round HO-MitM property. See Appendix A for the proof. In these 5 and 6-round HO-MitM properties, we can regard $x^{(i)}$ as a principal variable and $y^{(j)}$ as a co-variable (we note that $y^{(j)}$ is not really a variable, as we use 256 specific values for it), where the co-variable $y^{(j)}$ is used mainly to cancel the key-dependent component FL−1 under the integral property of Camellia.
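The following Python code is an added illustration, not code from the paper or from any Camellia implementation. It writes out the P and P^{-1} matrices and the FL/FL−1 functions of Section 2.2 (checking that they invert each other, and that a value active in a single byte spreads through P exactly to the byte positions given by the corresponding column of the matrix), and then checks the cancellation behind Eqs. (4) and (6): for a fixed subkey, FL−1 is affine in its input, so its XOR over a set of 256 inputs whose XOR-sum is zero is zero whatever the subkey, while over a set whose XOR-sum is not zero the result does depend on the subkey. The 64-bit values are Python ints with the left half in the high bits; the constant 0x0123456789ABCDEF and the subkeys are constructed sample values, and the active byte is placed at bit positions 8 to 15 of the int, which is byte 7 counted from the left as the paper does.

```python
# Added illustration of Section 2.2 and of the cancellation used in Section 4.1.
# Not code from the paper or from any Camellia implementation; 64-bit values are
# Python ints (left half in the high 32 bits), byte vectors are 8-tuples, and
# every constant below is a constructed sample value.

P_MATRIX = (
    (1, 0, 1, 1, 0, 1, 1, 1),
    (1, 1, 0, 1, 1, 0, 1, 1),
    (1, 1, 1, 0, 1, 1, 0, 1),
    (0, 1, 1, 1, 1, 1, 1, 0),
    (1, 1, 0, 0, 0, 1, 1, 1),
    (0, 1, 1, 0, 1, 0, 1, 1),
    (0, 0, 1, 1, 1, 1, 0, 1),
    (1, 0, 0, 1, 1, 1, 1, 0),
)
P_INV_MATRIX = (
    (0, 1, 1, 1, 0, 1, 1, 1),
    (1, 0, 1, 1, 1, 0, 1, 1),
    (1, 1, 0, 1, 1, 1, 0, 1),
    (1, 1, 1, 0, 1, 1, 1, 0),
    (1, 1, 0, 0, 1, 0, 1, 1),
    (0, 1, 1, 0, 1, 1, 0, 1),
    (0, 0, 1, 1, 1, 1, 1, 0),
    (1, 0, 0, 1, 0, 1, 1, 1),
)

def apply_matrix(matrix, z):
    """Multiply the byte vector z (8 ints) by a 0/1 matrix over GF(2^8):
    output byte k is the XOR of the input bytes selected by row k."""
    out = []
    for row in matrix:
        acc = 0
        for bit, byte in zip(row, z):
            if bit:
                acc ^= byte
        out.append(acc)
    return tuple(out)

def P(z):
    return apply_matrix(P_MATRIX, z)

def P_inv(z):
    return apply_matrix(P_INV_MATRIX, z)

MASK32 = 0xFFFFFFFF

def rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32

def FL(x, k):
    """FL(X, Y) of Section 2.2 with X = x and the subkey Y = k."""
    xl, xr = x >> 32, x & MASK32
    kl, kr = k >> 32, k & MASK32
    xr ^= rotl32(xl & kl, 1)
    xl ^= xr | kr
    return (xl << 32) | xr

def FL_inv(x, k):
    """FL^{-1}(X, Y) of Section 2.2; for a fixed k this map is affine in x."""
    xl, xr = x >> 32, x & MASK32
    kl, kr = k >> 32, k & MASK32
    xl ^= xr | kr
    xr ^= rotl32(xl & kl, 1)
    return (xl << 32) | xr

def structured_set(const):
    """256 constructed inputs equal to const except in one byte (bits 8..15
    of the int, i.e. byte 7 from the left), which takes every value.  Their
    XOR-sum is zero, the situation of R-hat_6^{(i,j)} in Eq. (1)."""
    base = const & ~0xFF00
    return [base | (j << 8) for j in range(256)]

def xor_all(values):
    acc = 0
    for v in values:
        acc ^= v
    return acc

def xor_sum_fl_inv(inputs, k):
    """XOR of FL^{-1}(x, k) over the inputs.  Because FL^{-1} is affine for a
    fixed k, this equals the linear part applied to the XOR-sum of the inputs
    (the constant term cancels over an even number of inputs), so it is zero
    for every k when the inputs XOR to zero: KI_2 drops out of Eqs. (4), (6)."""
    acc = 0
    for x in inputs:
        acc ^= FL_inv(x, k)
    return acc

if __name__ == "__main__":
    inputs = structured_set(0x0123456789ABCDEF)
    for k in (0, 0xFFFFFFFFFFFFFFFF, 0xFEDCBA9876543210):
        print(hex(k), "->", hex(xor_sum_fl_inv(inputs, k)))   # all zero
```

The last check in the test, with only 255 of the 256 inputs, is the caveat a practitioner should keep in mind: the cancellation is a property of the input set (even size, XOR-sum zero), not of FL−1 alone, and a structure that does not satisfy it leaves the result dependent on the subkey.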

4.2


Attacking 10-Round Camellia-128 with FL/FL−1 Functions

The 5-round HO-MitM property in Proposition 1-1 enables us to break 10-round Camellia-128 with FL/FL−1 functions. The attacked rounds are from Rounds 2 to 11, and the procedure is as follows. Observe that $P^{-1}(R_i) = P^{-1}(L_{i+1}) \oplus S(R_{i+1} \oplus K_{i+1})$.

1. For each of $2^{104}$ possible values of the 13 constant 8-bit parameters $c_1, c_2, \cdots, c_{13}$, precompute $\Phi_{c_1, c_2, \cdots, c_{13}}(z)$ sequentially for $z = 0, 1, \cdots, 31$. Store the $2^{104}$ 32-byte sequences in a hash table $L_\Phi$.

2. Guess a value for $(K_2, K_{3,1}, K_{3,2})$, and denote the guessed value by $(K_2^*, K_{3,1}^*, K_{3,2}^*)$. Then for $x = 0, 1, \cdots, 31$ and $y = 0, 1, \cdots, 255$, choose plaintext $P^{(x,y)} = (P_L^{(x,y)}, P_R^{(x,y)})$ in the following way, where $\alpha_1, \alpha_2, \cdots, \alpha_8, \beta_1, \beta_2, \cdots, \beta_6$ are randomly chosen 8-bit constants:

$$
P_L^{(x,y)} = \big(\,S_1(x \oplus K_{3,1}^*) \oplus \alpha_1,\;
S_1(x \oplus K_{3,1}^*) \oplus S_2(y \oplus K_{3,2}^*) \oplus \alpha_2,\;
S_1(x \oplus K_{3,1}^*) \oplus S_2(y \oplus K_{3,2}^*) \oplus \alpha_3,\;
S_2(y \oplus K_{3,2}^*) \oplus \alpha_4,\;
S_1(x \oplus K_{3,1}^*) \oplus S_2(y \oplus K_{3,2}^*) \oplus \alpha_5,\;
S_2(y \oplus K_{3,2}^*) \oplus \alpha_6,\;
\alpha_7,\;
S_1(x \oplus K_{3,1}^*) \oplus \alpha_8\,\big),
$$

$$
P_R^{(x,y)} = P\big(\,S_1(S_1(x \oplus K_{3,1}^*) \oplus \alpha_1 \oplus K_{2,1}^*),\;
S_2(S_1(x \oplus K_{3,1}^*) \oplus S_2(y \oplus K_{3,2}^*) \oplus \alpha_2 \oplus K_{2,2}^*),\;
S_3(S_1(x \oplus K_{3,1}^*) \oplus S_2(y \oplus K_{3,2}^*) \oplus \alpha_3 \oplus K_{2,3}^*),\;
S_4(S_2(y \oplus K_{3,2}^*) \oplus \alpha_4 \oplus K_{2,4}^*),\;
S_5(S_1(x \oplus K_{3,1}^*) \oplus S_2(y \oplus K_{3,2}^*) \oplus \alpha_5 \oplus K_{2,5}^*),\;
S_6(S_2(y \oplus K_{3,2}^*) \oplus \alpha_6 \oplus K_{2,6}^*),\;
S_7(\alpha_7 \oplus K_{2,7}^*),\;
S_8(S_1(x \oplus K_{3,1}^*) \oplus \alpha_8 \oplus K_{2,8}^*)\,\big) \oplus (x, y, \beta_1, \beta_2, \beta_3, \beta_4, \beta_5, \beta_6).
$$

In a chosen-plaintext attack scenario, obtain the ciphertexts for the plaintexts; we denote by $C^{(x,y)}$ the ciphertext for plaintext $P^{(x,y)}$.

3. Guess a value for $(K_{9,7}, K_{10,3}, K_{10,4}, K_{10,5}, K_{10,6}, K_{10,8}, K_{11})$, and denote the guessed value by $(K_{9,7}^*, K_{10,3}^*, K_{10,4}^*, K_{10,5}^*, K_{10,6}^*, K_{10,8}^*, K_{11}^*)$. Partially decrypt every ciphertext $C^{(x,y)}$ with $(K_{10,3}^*, K_{10,4}^*, K_{10,5}^*, K_{10,6}^*, K_{10,8}^*, K_{11}^*)$ to get the corresponding value for bytes $(1, 2, \cdots, 8, 15)$ just before Round 10; we denote it by $(L_9^{(x,y)}, R_{9,7}^{(x,y)})$. Compute
$$
T^{(x)} = \bigoplus_{y=0}^{255} \Big(P^{-1}\big(L_9^{(x,y)}\big)[49 \sim 56] \oplus S_7\big(R_{9,7}^{(x,y)} \oplus K_{9,7}^*\big)\Big).
$$
Finally, check whether the sequence $(T^{(0)}, T^{(1)}, \cdots, T^{(31)})$ matches a sequence in $L_\Phi$; if so, record the guessed value $(K_2^*, K_{3,1}^*, K_{3,2}^*, K_{9,7}^*, K_{10,3}^*, K_{10,4}^*, K_{10,5}^*, K_{10,6}^*, K_{10,8}^*, K_{11}^*)$ and execute Step 4; otherwise, repeat Step 3 with another subkey guess (if all the subkey possibilities are tested in Step 3, repeat Step 2 with another subkey guess).

4. For every recorded value for $(K_{10,3}, K_{10,4}, K_{10,5}, K_{10,6}, K_{10,8})$, exhaustively search the remaining 11 key bytes.

The attack requires $32 \times 256 \times 2^{80} = 2^{93}$ chosen plaintexts. The one-off precomputation requires a memory of $2^{104} \times 32 = 2^{109}$ bytes, and has a time complexity of $2^{104} \times 32 \times 256 \times 2 \times \frac{1}{10} \approx 2^{114.7}$ 10-round Camellia-128 encryptions under the rough estimate that a computation of $\Phi_{c_1, c_2, \cdots, c_{13}}(z)$ equals $256 \times 2 = 512$ one-round Camellia encryptions in terms of time. If the guessed value $(K_2^*, K_{3,1}^*, K_{3,2}^*)$ is correct, the input to Round 4 must have the form $(m_1, m_2, m_3, m_4, m_5, m_6, m_7, m_8, x, y, \beta_1, \beta_2, \beta_3, \beta_4, \beta_5, \beta_6)$, where $m_1, m_2, \cdots, m_8$ are indeterminate constants. Step 2 has a time complexity of $2^{80} \times 32 \times 256 \times \frac{2+8}{8 \times 10} = 2^{90}$ 10-round Camellia-128 encryptions. Given $(K_2, K_{3,1}, K_{3,2})$, there are only 28 unknown bits for $(K_{9,7}, K_{10,3}, K_{10,4}, K_{10,5}, K_{10,6}, K_{10,8}, K_{11})$, thus Step 3 has a time complexity of about $2^{80+28} \times 32 \times 256 \times \frac{8+5+1}{8 \times 10} \approx 2^{118.5}$ 10-round Camellia-128 encryptions.

In Step 3, if the guessed value $(K_2^*, K_{3,1}^*, K_{3,2}^*, K_{9,7}^*, K_{10,3}^*, K_{10,4}^*, K_{10,5}^*, K_{10,6}^*, K_{10,8}^*, K_{11}^*)$ is correct, the sequence $(T^{(0)}, T^{(1)}, \cdots, T^{(31)})$ must match a sequence in $L_\Phi$; if the guessed value is wrong, the sequence $(T^{(0)}, T^{(1)}, \cdots, T^{(31)})$ matches a sequence in $L_\Phi$ with a probability of approximately
$$
1 - \binom{2^{104}}{0} \big(2^{-32 \times 8}\big)^0 \big(1 - 2^{-32 \times 8}\big)^{2^{104}} \approx 2^{-32 \times 8} \times 2^{104} = 2^{-152},
$$
(assuming the event has a binomial distribution). Consequently, it is expected that about $2^{80+28} \times 2^{-152} = 2^{-44}$ values for $(K_2, K_{3,1}, K_{3,2}, K_{9,7}, K_{10,3}, K_{10,4}, K_{10,5}, K_{10,6}, K_{10,8}, K_{11})$ are recorded in Step 3, meaning only the correct subkey guess will be recorded. Since a total of 40 bits of $K_L$ can be known from $(K_{10,3}, K_{10,4}, K_{10,5}, K_{10,6}, K_{10,8})$, Step 4 takes at most $2^{88}$ 10-round Camellia-128 encryptions to find the correct 128-bit user key. Therefore, the attack has a memory complexity of $2^{109}$ bytes and a total time complexity of approximately $2^{118.6}$ 10-round Camellia-128 encryptions.
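To make the attack pattern of Sections 3.2 and 4.2 concrete at a size that runs in seconds, here is an added toy example constructed for this page; it is not code from the paper and the cipher is not Camellia. It is an 8-bit Feistel cipher on two nibbles, with the 4-bit PRESENT S-box in place of Camellia's S-boxes and a key-dependent affine layer M in place of FL−1. The same four steps apply: a table of XOR-sum sequences indexed by a small number of constants, a structure of chosen plaintexts with a principal variable x and a co-variable y, a guess of the subkey after the property with partial decryption and XOR over y, and a sequence match. A single-plaintext value-in-the-middle here depends on the 16 key bits (ka1, ka2, km, ka3), whereas the XOR over y depends only on the 8-bit pair (ka1 ⊕ ka3, ka2), so the table has 2^8 entries instead of 2^16 and km is never guessed. All key and parameter names (ka1, ka2, km, ka3, kb1, kb2, c1, c2) are this example's own.

```python
# Added toy example, not code from the paper: a higher-order MitM attack on a
# constructed 8-bit Feistel cipher, following the steps of Section 4.2.
# Halves are nibbles, SBOX is the 4-bit PRESENT S-box (standing in for
# Camellia's S-boxes) and M is a key-dependent affine layer (standing in for
# FL^{-1}).  Key names ka1, ka2, km, ka3, kb1, kb2 and constants c1, c2 are
# this example's own.

SBOX = (0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2)

def rnd(l, r, k):
    """One Feistel round on nibbles: (l, r) -> (r, l ^ S[r ^ k])."""
    return r, l ^ SBOX[r ^ k]

def rnd_inv(l, r, k):
    """Inverse of rnd, used for the partial decryption through E_b."""
    return r ^ SBOX[l ^ k], l

def M(v, km):
    """Key-dependent layer v ^ ((v & km) << 1), truncated to a nibble.  It is
    linear in v for a fixed km, so its XOR over a set of inputs whose XOR-sum
    is zero is zero for every km: the toy analogue of FL^{-1} cancelling under
    the integral property of Eq. (1)."""
    return v ^ (((v & km) << 1) & 0xF)

def encrypt(l, r, key):
    """E = E_a o E_b.  E_a: rounds ka1, ka2, then M on the left half, then
    round ka3; the value-in-the-middle is the right half r3 after E_a.
    E_b: rounds kb1, kb2."""
    ka1, ka2, km, ka3, kb1, kb2 = key
    l, r = rnd(l, r, ka1)
    l, r = rnd(l, r, ka2)
    l = M(l, km)
    l, r = rnd(l, r, ka3)
    l, r = rnd(l, r, kb1)
    l, r = rnd(l, r, kb2)
    return l, r

def middle_sum(x, ka1, ka2, km, ka3):
    """XOR over the co-variable y of r3 for the plaintexts (x, y), obtained by
    actually running E_a.  Compare with phi() below."""
    acc = 0
    for y in range(16):
        l, r = rnd(x, y, ka1)
        l, r = rnd(l, r, ka2)
        l = M(l, km)
        l, r = rnd(l, r, ka3)
        acc ^= r
    return acc

def phi(c1, c2, x):
    """The same XOR-sum as a function of x and two constants c1 = ka1 ^ ka3,
    c2 = ka2.  Derivation: r3 = M(l2) ^ S[r2 ^ ka3] with l2 = x ^ S[y ^ ka1],
    which runs over a permutation of y, so the M(l2) terms XOR to zero (M is
    linear); substituting y -> y ^ ka1 in the rest merges ka1 into ka3."""
    acc = 0
    for y in range(16):
        acc ^= SBOX[y ^ c1 ^ SBOX[x ^ SBOX[y] ^ c2]]
    return acc

def build_table():
    """Step 1: the sequence (phi(c1, c2, 0), ..., phi(c1, c2, 15)) for every
    (c1, c2), indexed by sequence (the table L_Phi of Section 4.2)."""
    table = {}
    for c1 in range(16):
        for c2 in range(16):
            seq = tuple(phi(c1, c2, x) for x in range(16))
            table.setdefault(seq, []).append((c1, c2))
    return table

def ho_mitm_attack(oracle):
    """Steps 2-3: 256 chosen plaintexts (x, y); for each guess of kb2 (kb1
    does not enter the matched half) partially decrypt one round, XOR over y,
    and look the 16-nibble sequence up.  Returns candidate (kb2, c1, c2)."""
    table = build_table()
    cts = {(x, y): oracle(x, y) for x in range(16) for y in range(16)}
    candidates = []
    for kb2 in range(16):
        seq = []
        for x in range(16):
            t = 0
            for y in range(16):
                l5, r5 = cts[(x, y)]
                l4, _ = rnd_inv(l5, r5, kb2)
                t ^= l4                 # l4 == r3, the value-in-the-middle
            seq.append(t)
        for c1, c2 in table.get(tuple(seq), []):
            candidates.append((kb2, c1, c2))
    return candidates

def demo(key=(0x3, 0xA, 0x6, 0xC, 0x5, 0xE)):
    """Attack a constructed key.  Returns (candidates, expected) with expected
    = (kb2, ka1 ^ ka3, ka2); kb1 and the split of c1 into ka1, ka3 would be
    found by exhaustive search afterwards, as in Step 4 of Section 4.2."""
    ka1, ka2, km, ka3, kb1, kb2 = key
    cands = ho_mitm_attack(lambda x, y: encrypt(x, y, key))
    return cands, (kb2, ka1 ^ ka3, ka2)

if __name__ == "__main__":
    cands, expected = demo()
    print("candidates:", cands, "true value:", expected)
```

The equality of middle_sum (E_a run with any km) and phi (no km at all) is the toy's version of Eqs. (4) and (6). A wrong guess of kb2 survives only if it reproduces a 64-bit sequence, which plays the role of the $2^{-152}$ filtering probability computed for Camellia above.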

4.3 Attacking 11-Round Camellia-192 with FL/FL$^{-1}$ Functions

We can use the 6-round HO-MitM property given in Proposition 1-2 to attack 11-round Camellia-192 with FL/FL$^{-1}$ functions. We attack Rounds 13 to 23, and use the 6-round property from Rounds 15 to 20. The attack procedure is as follows.

1. For each of the $2^{168}$ possible values of the 21 constant 8-bit parameters $c'_1, c'_2, \cdots, c'_{21}$, precompute $\Theta_{c'_1,c'_2,\cdots,c'_{21}}(z)$ for $z = 0, 1, \cdots, 63$ sequentially. Store the $2^{168}$ 64-byte sequences in a hash table $L_\Theta$.
2. Guess a value for $(K_{13}, K_{14,1}, K_{14,2})$, and denote the guessed value by $(K_{13}^*, K_{14,1}^*, K_{14,2}^*)$. Then for $x = 0, 1, \cdots, 63$ and $y = 0, 1, \cdots, 255$, choose plaintext $P^{(x,y)} = (P_L^{(x,y)}, P_R^{(x,y)})$ in a similar way as described for the 10-round Camellia-128 attack in Section 4.2. In a chosen-plaintext attack scenario, obtain the ciphertexts for the plaintexts; we denote by $C^{(x,y)}$ the ciphertext for plaintext $P^{(x,y)}$.
3. Guess a value for $(K_{21,6}, K_{22,2}, K_{22,3}, K_{22,5}, K_{22,7}, K_{22,8}, K_{23})$, and denote the guessed value by $(K_{21,6}^*, K_{22,2}^*, K_{22,3}^*, K_{22,5}^*, K_{22,7}^*, K_{22,8}^*, K_{23}^*)$. Partially decrypt every ciphertext $C^{(x,y)}$ with $(K_{22,2}^*, K_{22,3}^*, K_{22,5}^*, K_{22,7}^*, K_{22,8}^*, K_{23}^*)$ to get the corresponding value for bytes $(1, 2, \cdots, 8, 14)$ just before Round 22; we denote it by $(L_{21}^{(x,y)}, R_{21,6}^{(x,y)})$. Then, compute $T^{(x)} = \bigoplus_{y=0}^{255} \left( P^{-1}(L_{21}^{(x,y)})[41 \sim 48] \oplus S_6(R_{21,6}^{(x,y)} \oplus K_{21,6}^*) \right)$. Finally, check whether the sequence $(T^{(0)}, T^{(1)}, \cdots, T^{(63)})$ matches a sequence in $L_\Theta$; if so, record the guessed value $(K_{13}^*, K_{14,1}^*, K_{14,2}^*, K_{21,6}^*, K_{22,2}^*, K_{22,3}^*, K_{22,5}^*, K_{22,7}^*, K_{22,8}^*, K_{23}^*)$ and execute Step 4; otherwise, repeat Step 3 with another subkey guess (if all the subkey possibilities are tested in Step 3, repeat Step 2 with another subkey guess).
4. For every recorded value for $(K_{13}, K_{23})$, exhaustively search the remaining 8 key bytes.

There are $2^{64}$ possible values for $(K_{13}, K_{14,1}, K_{14,2})$ by the key schedule of Camellia-192, thus the attack requires $64 \times 256 \times 2^{64} = 2^{78}$ chosen plaintexts.


The one-off precomputation requires a memory of $2^{168} \times 64 = 2^{174}$ bytes, and has a time complexity of $2^{168} \times 64 \times 256 \times 3 \times \frac{1}{11} \approx 2^{180.2}$ 11-round Camellia-192 encryptions under the rough estimate that a computation of $\Theta_{c'_1,c'_2,\cdots,c'_{21}}(z)$ equals $256 \times 3 = 768$ one-round Camellia encryptions in terms of time. Step 2 has a time complexity of $2^{64} \times 64 \times 256 \times \frac{2+8}{8 \times 11} \approx 2^{74.9}$ 11-round Camellia-192 encryptions. There is no overlapping bit between $(K_{13}, K_{14,1}, K_{14,2})$ and $(K_{21,6}, K_{22,2}, K_{22,3}, K_{22,5}, K_{22,7}, K_{22,8}, K_{23})$, so Step 3 has a time complexity of approximately $2^{64+112} \times 64 \times 256 \times \frac{8+5+1}{8 \times 11} \approx 2^{187.4}$ 11-round Camellia-192 encryptions.

In Step 3, if the guessed value $(K_{13}^*, K_{14,1}^*, K_{14,2}^*, K_{21,6}^*, K_{22,2}^*, K_{22,3}^*, K_{22,5}^*, K_{22,7}^*, K_{22,8}^*, K_{23}^*)$ is correct, the sequence $(T^{(0)}, T^{(1)}, \cdots, T^{(63)})$ must match a sequence in $L_\Theta$; if the guessed value $(K_{13}^*, K_{14,1}^*, K_{14,2}^*, K_{21,6}^*, K_{22,2}^*, K_{22,3}^*, K_{22,5}^*, K_{22,7}^*, K_{22,8}^*, K_{23}^*)$ is wrong, the sequence $(T^{(0)}, T^{(1)}, \cdots, T^{(63)})$ matches a sequence in $L_\Theta$ with a probability of $1 - \binom{2^{168}}{0} (2^{-64 \times 8})^{0} (1 - 2^{-64 \times 8})^{2^{168}} \approx 2^{-64 \times 8} \times 2^{168} = 2^{-344}$. So it is expected that about $2^{64+112} \times 2^{-344} = 2^{-168}$ values for $(K_{13}, K_{14,1}, K_{14,2}, K_{21,6}, K_{22,2}, K_{22,3}, K_{22,5}, K_{22,7}, K_{22,8}, K_{23})$ are recorded in Step 3. Since 64 bits of $K_L$ can be known from $K_{23}$ and $K_R$ can be known from $K_{13}$, Step 4 takes at most $2^{64}$ 11-round Camellia-192 encryptions to find the correct 192-bit user key.

Therefore, the attack has a memory complexity of $2^{174}$ bytes and a total time complexity of approximately $2^{187.4}$ 11-round Camellia-192 encryptions. We notice that one of the 21 one-byte parameters involved in the 6-round HO-MitM property is $KI_1[10 \sim 17]$ (see the proof in Appendix A), and the 8 bits of $KI_1[10 \sim 17]$ are also used in $K_{13}$. Thus, in the off-line precomputation phase we can sort the $2^{168}$ 64-byte sequences first by $KI_1[10 \sim 17]$ and then by the values of the sequences with the same $KI_1[10 \sim 17]$. On average, there are $\frac{2^{168}}{2^{8}} = 2^{160}$ sequences for each value of $KI_1[10 \sim 17]$. Then, during the key recovery phase we only need to check whether the computed sequence $(T^{(0)}, T^{(1)}, \cdots, T^{(63)})$ matches one of the $2^{160}$ sequences indexed by the value of $KI_1[10 \sim 17]$ (that is part of the guessed $K_{13}^*$). Every check requires two memory accesses now, instead of one in the above attack. This approach makes a stronger filtering condition, and it is expected that about $2^{-176}$ values for $(K_{13}, K_{14,1}, \cdots, K_{23})$ are recorded in Step 3. We can also attack Rounds 7 to 17 by applying the 6-round HO-MitM property from Rounds 9 to 14, where we guess $(K_7, K_{8,1}, K_{8,2}, K_{15,6}, K_{16,2}, K_{16,3}, K_{16,5}, K_{16,7}, K_{16,8}, K_{17})$. There are $2^{80}$ possible values for $(K_7, K_{8,1}, K_{8,2})$; and given $(K_7, K_{8,1}, K_{8,2})$, there are only 82 unknown bits for $(K_{15,6}, K_{16,2}, K_{16,3}, K_{16,5}, K_{16,7}, K_{16,8}, K_{17})$. Similarly, this attack requires $64 \times 256 \times 2^{80} = 2^{94}$ chosen plaintexts and a memory of $2^{174}$ bytes, and has a time complexity of approximately $2^{180.2} + 2^{80+82} \times 64 \times 256 \times \frac{8+5+1}{8 \times 11} \approx 2^{180.2}$ 11-round Camellia-192 encryptions.


4.4 Attacking 12-Round Camellia-256 with FL/FL$^{-1}$ Functions

Using the 6-round HO-MitM property given in Proposition 1-2, we can also attack 12-round Camellia-256 with FL/FL$^{-1}$ functions; the attacked rounds are Rounds 7 to 18, where the 6-round property is used from Rounds 9 to 14. The attack is basically the version of the above 11-round Camellia-192 attack applied to Rounds 7 to 17 and then appended with one round (i.e., Round 18) at the end; more specifically, we guess $(K_7, K_{8,1}, K_{8,2})$ in Step 2 and guess $(K_{15,6}, K_{16,2}, K_{16,3}, K_{16,5}, K_{16,7}, K_{16,8}, K_{17}, K_{18})$ in Step 3. There are $2^{80}$ possible values for $(K_7, K_{8,1}, K_{8,2})$, thus the attack requires $64 \times 256 \times 2^{80} = 2^{94}$ chosen plaintexts. Now, the time complexity of the one-off precomputation is equivalent to $2^{168} \times 64 \times 256 \times 3 \times \frac{1}{12} = 2^{180}$ 12-round Camellia-256 encryptions. Step 2 has a time complexity of $2^{80} \times 64 \times 256 \times \frac{2+8}{8 \times 12} \approx 2^{90.8}$ 12-round Camellia-256 encryptions. Given $(K_7, K_{8,1}, K_{8,2})$, there are only 146 unknown bits for $(K_{15,6}, K_{16,2}, K_{16,3}, K_{16,5}, K_{16,7}, K_{16,8}, K_{17}, K_{18})$, so Step 3 has a time complexity of approximately $2^{80+146} \times 64 \times 256 \times \frac{8+5+1}{8 \times 12} \approx 2^{237.3}$ 12-round Camellia-256 encryptions. It is expected that about $2^{80+146} \times 2^{-344} = 2^{-118}$ values for $(K_7, K_{8,1}, K_{8,2}, K_{15,6}, K_{16,2}, K_{16,3}, K_{16,5}, K_{16,7}, K_{16,8}, K_{17}, K_{18})$ are recorded in Step 3. Since $K_L$ can be known from the recorded $(K_{17}, K_{18})$, we can find the remaining 16 key bytes by exhaustive key search with at most $2^{128}$ 12-round Camellia-256 encryptions. Hence, the attack has a total time complexity of approximately $2^{237.3}$ 12-round Camellia-256 encryptions to find the 256-bit user key.

4.5 A Comparison

We have checked the corresponding MitM properties for 5- and 6-round Camellia with the FL/FL$^{-1}$ functions, and our result is as follows. For a set of 256 sixteen-byte values $X^{(i)} = (m_1, m_2, m_3, m_4, m_5, m_6, m_7, m_8, x^{(i)}, m_9, m_{10}, m_{11}, m_{12}, m_{13}, m_{14}, m_{15})$ with $x^{(i)}$ taking all the possible values in $\{0,1\}^8$ and the other 15 bytes $m_1, m_2, \cdots, m_{15}$ fixed to arbitrary values ($i = 1, \cdots, 256$): if $Z^{(i)} = (Z_L^{(i)} \| Z_R^{(i)})$ is the result of encrypting $X^{(i)}$ using Rounds 4 to 8, then $P^{-1}(Z_R^{(i)})[49 \sim 56]$ is a function of $x^{(i)}$ and 198 constant 1-bit parameters; if $Z^{(i)} = (Z_L^{(i)} \| Z_R^{(i)})$ is the result of encrypting $X^{(i)}$ using Rounds 3 to 8, then $P^{-1}(Z_R^{(i)})[41 \sim 48]$ is a function of $x^{(i)}$ and 264 constant 1-bit parameters. Obviously, the numbers of constant 1-bit parameters involved in these MitM properties are much larger than the numbers of constant 1-bit parameters involved in the corresponding HO-MitM properties. Since they are even larger than the key length of Camellia-192/256, it is not preferable to use these MitM properties directly; we would rather guess the key bits involved, which are fewer than the numbers of constant 1-bit parameters involved in the MitM properties. Nevertheless, the MitM properties may potentially become useful if we consider only a portion of the possible values for the constant 1-bit parameters under a data-memory-time tradeoff [16]; we have checked this direction, and our results are as follows.


Suppose we only consider $\frac{1}{2^{N_1}}$ of the $2^{264}$ (or $2^{198}$) possible values for the 264 (respectively, 198) constant 1-bit parameters in the 6-round (respectively, 5-round) MitM property. For each of the $2^{264-N_1}$ (respectively, $2^{198-N_1}$) possible values for the 264 (respectively, 198) constant 1-bit parameters, we precompute for $N_2$ chosen inputs $X^{(i)}$. Then, we find we can use the 6-round MitM property to break Rounds 7 to 18 of Camellia-256 with FL/FL$^{-1}$ functions, where we use the 6-round MitM property from Rounds 9 to 14 and guess $(K_{7,1}, K_{7,2}, K_{7,3}, K_{7,5}, K_{7,8}, K_{8,1}, K_{15,6}, K_{16,2}, K_{16,3}, K_{16,5}, K_{16,7}, K_{16,8}, K_{17}, K_{18})$ and a secret 8-bit parameter $\delta$ (it has a similar meaning as the $\delta$ defined in Section 5.2). The required plaintexts are chosen in a similar approach as in the 14-round Camellia-192 attack in Section 5.2, and the attack procedure is similar to the HO-MitM attack described in Section 4.4, except for a major difference: in this 12-round Camellia-256 attack, for every guess of $(K_{7,1}, K_{7,2}, K_{7,3}, K_{7,5}, K_{7,8}, K_{8,1}, \delta)$ we use $2^{N_1+2}$ structures of $N_2$ plaintexts $P^{(x)}$ to have a high success probability of 98%. After a similar analysis to that for the HO-MitM attack in Section 4.4, we know that the off-line precomputation phase requires a memory of $N_2 \times 2^{264-N_1} \times \frac{1}{8} = N_2 \times 2^{261-N_1}$ bytes and takes $N_2 \times 2^{264-N_1} \times 3 \times \frac{1}{12} = N_2 \times 2^{262-N_1}$ 12-round Camellia-256 encryptions, and the key-recovery phase requires $N_2 \times 2^{N_1+2} \times 2^{56} = N_2 \times 2^{58+N_1}$ chosen plaintexts and takes $N_2 \times 2^{N_1+2} \times 2^{56+158} \times \frac{8+5+1}{8 \times 12} \approx N_2 \times 2^{213.3+N_1}$ 12-round Camellia-256 encryptions (there are only 158 unknown bits for $(K_{15,6}, K_{16,2}, K_{16,3}, K_{16,5}, K_{16,7}, K_{16,8}, K_{17}, K_{18})$ given $(K_{7,1}, K_{7,2}, K_{7,3}, K_{7,5}, K_{7,8}, K_{8,1})$). Therefore, when $N_1 = 24.35$ and $N_2 = 64$, the attack has a data complexity of $2^{88.35}$ chosen plaintexts, a memory complexity of $2^{242.65}$ bytes and a time complexity of $2^{244.65}$ 12-round Camellia-256 encryptions.
This MitM attack is slower than the HO-MitM attack on 12-round Camellia-256 presented in Section 4.4, which is based on the corresponding 6-round HO-MitM property, and in particular its memory complexity is significantly larger than that of the 12-round HO-MitM attack ($2^{242.65}$ versus $2^{174}$). The 6-round MitM property cannot be used to break 11-round Camellia-192 effectively. The 11 rounds of Camellia-192 that the 5-round MitM property is most likely to break are Rounds 13 to 23, where we use the 5-round MitM property from Rounds 16 to 20 and guess $(K_{13}, K_{14}, K_{15,1}, K_{21,7}, K_{22,3}, K_{22,4}, K_{22,5}, K_{22,6}, K_{22,8}, K_{23})$. There are only $2^{64}$ possible values for $(K_{13}, K_{14})$. For every guess of $(K_{13}, K_{14}, K_{15,1})$ we also use $2^{N_1+2}$ structures of $N_2$ plaintexts $P^{(x)}$ to have a high success probability of 98%. Similarly, the precomputation phase requires a memory of $N_2 \times 2^{198-N_1} \times \frac{1}{8} = N_2 \times 2^{195-N_1}$ bytes and takes $N_2 \times 2^{198-N_1} \times 2 \times \frac{1}{11} = N_2 \times 2^{196.6-N_1}$ 11-round Camellia-192 encryptions, and the key-recovery phase requires $N_2 \times 2^{N_1+2} \times 2^{72} = N_2 \times 2^{74+N_1}$ chosen plaintexts and takes $N_2 \times 2^{N_1+2} \times 2^{72+112} \times \frac{8+5+1}{8 \times 11} \approx N_2 \times 2^{183.4+N_1}$ 11-round Camellia-192 encryptions. Therefore, the smallest total time complexity occurs when $N_1 = 6.6$, which is $N_2 \times 2^{191}$ 11-round Camellia-192 encryptions, and under this circumstance the data complexity is $N_2 \times 2^{80.6}$ chosen plaintexts and the memory complexity is $N_2 \times 2^{188.4}$ bytes. However, $N_2$ should be far larger than 2 to filter out a reasonable number of wrong candidates for $(K_{13}, K_{14}, K_{15,1}, K_{21,7}, K_{22,3}, K_{22,4}, K_{22,5}, K_{22,6}, K_{22,8}, K_{23})$. This means the 5-round MitM property cannot be used to break 11-round Camellia-192 with FL/FL$^{-1}$ functions faster than exhaustive key search (unless some auxiliary trick is used to improve the attack), but the corresponding 5-round HO-MitM property can easily do so as presented in Section 4.3. By any means the 5-round MitM property cannot be used to break 10-round Camellia-128 with FL/FL$^{-1}$ functions, not to mention the 6-round MitM property, but the corresponding 5-round HO-MitM property does so as described in Section 4.2. This comparison shows that the HO-MitM attack can achieve some advantages over the MitM attack in some circumstances. Nevertheless, we do obtain some MitM attacks on Camellia; because of page constraints we will describe them in detail in a separate paper [25].
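The complexity figures of Sections 4.2 to 4.5 all come from three counting rules: a partial encryption or decryption costs (number of S-boxes touched)/(8 × rounds) of a full encryption, a wrong subkey guess collides with one of the $2^T$ stored $L$-byte sequences with probability about $2^{T-8L}$, and, in the tradeoff of this section, the precomputation cost $N_2 \times 2^{a-N_1}$ is balanced against the key-recovery cost $N_2 \times 2^{b+N_1}$. The following is an added example (ours, not from the paper) that encodes those rules as functions and re-derives the paper's numbers from them, including the value of $N_1$ that minimises the total and the reason the sum of two balanced terms adds one to the exponent; the 10-round Camellia-128 figures of Section 4.2 are used as the worked case.

```python
"""Complexity bookkeeping for the HO-MitM / MitM attacks of Sections 4.2-4.5.

Added example, not part of the paper: it re-derives the paper's figures from
the counting rules the text states.  All exponents are base-2 logarithms."""
from math import log2


def precomp_time_log2(param_bytes, seq_len, one_round_units, rounds):
    """One-off precomputation: 2^(8*param_bytes) parameter values, seq_len
    entries each, one entry costing one_round_units one-round encryptions,
    expressed in full rounds-round encryptions."""
    return 8 * param_bytes + log2(seq_len) + log2(one_round_units / rounds)


def step_time_log2(guess_bits, texts_log2, sboxes, rounds):
    """Key-recovery step: 2^guess_bits guesses x 2^texts_log2 partial
    (de)cryptions, each counted as sboxes/(8*rounds) of a full encryption."""
    return guess_bits + texts_log2 + log2(sboxes / (8 * rounds))


def wrong_survivors_log2(guess_bits, table_log2, seq_bytes):
    """Expected number of wrong guesses whose L-byte sequence collides with one
    of the 2^T stored sequences: 1 - (1 - 2^-8L)^(2^T) ~ 2^(T - 8L) per guess."""
    return guess_bits + table_log2 - 8 * seq_bytes


def log2_sum(*exps):
    """log2 of a sum of powers of two, so the total is not silently the max."""
    m = max(exps)
    return m + log2(sum(2 ** (e - m) for e in exps))


def tradeoff(precomp_log2, recovery_log2, data_log2, memory_log2, n2):
    """Section 4.5: only 2^-N1 of the parameter space is tabulated, so the
    precomputation costs N2 * 2^(precomp - N1) while key recovery, which tries
    2^(N1+2) structures of N2 plaintexts, costs N2 * 2^(recovery + N1).
    Balancing the two fixes N1; returns the four complexity exponents."""
    n1 = (precomp_log2 - recovery_log2) / 2
    l2 = log2(n2)
    return {
        "N1": n1,
        "time": log2_sum(l2 + precomp_log2 - n1, l2 + recovery_log2 + n1),
        "data": l2 + data_log2 + n1,
        "memory": l2 + memory_log2 - n1,
    }


def ho_mitm_camellia128_10r():
    """Section 4.2: Phi has 13 byte parameters and 32-entry sequences; Step 2
    guesses 80 bits over 32*256 plaintexts; Step 3 adds 28 bits; Step 4 is a
    2^88 exhaustive search over the bits of K_L not yet known."""
    pre = precomp_time_log2(13, 32, 256 * 2, 10)
    step2 = step_time_log2(80, 5 + 8, 2 + 8, 10)
    step3 = step_time_log2(80 + 28, 5 + 8, 8 + 5 + 1, 10)
    step4 = 88
    return {"precomp": pre, "step2": step2, "step3": step3,
            "total": log2_sum(pre, step2, step3, step4),
            "wrong_left": wrong_survivors_log2(80 + 28, 8 * 13, 32)}


def mitm_tradeoff_camellia256_12r(n2=64):
    """Section 4.5, 6-round MitM property on Rounds 7 to 18 of Camellia-256."""
    return tradeoff(262, 213.3, 58, 261, n2)


def mitm_tradeoff_camellia192_11r(n2):
    """Section 4.5, 5-round MitM property on Rounds 13 to 23 of Camellia-192."""
    return tradeoff(196.6, 183.4, 74, 195, n2)
```

`wrong_survivors_log2` also reproduces the filtering figures of Sections 4.3 and 4.4 ($2^{-168}$, $2^{-176}$ with the $KI_1[10 \sim 17]$ indexing, $2^{-118}$), and `mitm_tradeoff_camellia192_11r` shows that the 11-round Camellia-192 tradeoff time is $N_2 \times 2^{191}$ for every $N_2$, so the choice of $N_2$ is dictated only by how many wrong candidates must be filtered out.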

5 HO-MitM Attacks on Camellia-192/256 without FL/FL$^{-1}$ Functions

In this section, we give 7- and 8-round HO-MitM properties of Camellia without FL/FL$^{-1}$ functions, and then briefly describe HO-MitM attacks on 14-round Camellia-192 without FL/FL$^{-1}$ functions and 16-round Camellia-256 without FL/FL$^{-1}$ functions.

5.1 HO-MitM Properties for 7/8-Round Camellia without FL/FL$^{-1}$

We construct these 7- and 8-round HO-MitM properties by using a general differential property to cancel some constant parameters, where the basic concerned "value-in-the-middle" is obtained from two plaintexts. See Fig. 1-(b). A proof is given in Appendix B.

Proposition 2. Suppose a set of 256 sixteen-byte values $X^{(i)} = (X_L^{(i)} \| X_R^{(i)}) = (m_1, m_2, m_3, m_4, m_5, m_6, m_7, m_8, x^{(i)}, m_9, m_{10}, m_{11}, m_{12}, m_{13}, m_{14}, m_{15})$ with $x^{(i)}$ taking all the possible values in $\{0,1\}^8$ and the other 15 bytes $m_1, m_2, \cdots, m_{15}$ fixed to arbitrary values ($i = 1, \cdots, 256$). Let $i_1, i_2 \in \{1, 2, \cdots, 256\}$ and $i_1 \neq i_2$; then:

1. If $Z^{(i)} = (Z_L^{(i)} \| Z_R^{(i)})$ is the result of encrypting $X^{(i)}$ using 7-round Camellia without FL/FL$^{-1}$ functions, then $P^{-1}(Z_R^{(i_1)} \oplus Z_R^{(i_2)})[41 \sim 48]$ can be expressed as a function of $x^{(i_1)}$, $x^{(i_2)}$ and 20 constant 8-bit parameters $c_1, c_2, \cdots, c_{20}$, written $\Gamma_{c_1,c_2,\cdots,c_{20}}(x^{(i_1)}, x^{(i_2)})$.
2. If $Z^{(i)} = (Z_L^{(i)} \| Z_R^{(i)})$ is the result of encrypting $X^{(i)}$ using 8-round Camellia without FL/FL$^{-1}$ functions, then $P^{-1}(Z_R^{(i_1)} \oplus Z_R^{(i_2)})[41 \sim 48]$ can be expressed as a function of $x^{(i_1)}$, $x^{(i_2)}$ and 28 constant 8-bit parameters $c'_1, c'_2, \cdots, c'_{28}$, written $\Psi_{c'_1,c'_2,\cdots,c'_{28}}(x^{(i_1)}, x^{(i_2)})$.


5.2 Attacking 14-Round Camellia-192 without FL/FL$^{-1}$ Functions

The 7-round HO-MitM property in Proposition 2-1 can be used to attack 14-round Camellia-192 without FL/FL$^{-1}$ functions. We attack Rounds 2 to 15 and use the 7-round HO-MitM property from Rounds 5 to 11, where we guess $(K_2, K_{3,1}, K_{3,2}, K_{3,3}, K_{3,5}, K_{3,8}, K_{4,1}, K_{12,6}, K_{13,2}, K_{13,3}, K_{13,5}, K_{13,7}, K_{13,8}, K_{14}, K_{15})$, plus an additional secret 8-bit parameter $\delta$ which is defined to be $\delta = \gamma_1 \oplus \gamma_2 \oplus \gamma_3 \oplus S_4(\gamma_4 \oplus K_{3,4}) \oplus S_6(\gamma_5 \oplus K_{3,6}) \oplus S_7(\gamma_6 \oplus K_{3,7})$, with $\gamma_1, \gamma_2, \cdots, \gamma_6$ being 6 randomly chosen 8-bit constants. Here, $\delta$ is used below to allow us to have qualified inputs to Round 5 and to know the value at byte (9) of the inputs to Round 5, so that we can sort the computed sequences in the key-recovery phase. For each possible value of the 20 one-byte parameters $c_1, c_2, \cdots, c_{20}$, precompute $\Gamma_{c_1,c_2,\cdots,c_{20}}(0, z)$ for $z = 1, 2, \cdots, 63$ sequentially. Then for every guess of $(K_2, K_{3,1}, K_{3,2}, K_{3,3}, K_{3,5}, K_{3,8}, K_{4,1}, \delta)$, denoted by $(K_2^*, K_{3,1}^*, K_{3,2}^*, K_{3,3}^*, K_{3,5}^*, K_{3,8}^*, K_{4,1}^*, \delta^*)$, choose 64 plaintexts $P^{(x)} = (P_L^{(x)}, P_R^{(x)})$ in the following way ($x = 0, 1, \cdots, 63$), where $\alpha_1, \alpha_2, \cdots, \alpha_5, \beta_1, \beta_2, \cdots, \beta_7$ are randomly chosen 8-bit constants:

$$
P_L^{(x)} = P\begin{pmatrix}
S_1(S_1(x \oplus K_{4,1}^*) \oplus \alpha_1 \oplus K_{3,1}^*) \\
S_2(S_1(x \oplus K_{4,1}^*) \oplus \alpha_2 \oplus K_{3,2}^*) \\
S_3(S_1(x \oplus K_{4,1}^*) \oplus \alpha_3 \oplus K_{3,3}^*) \\
\gamma_1 \\
S_5(S_1(x \oplus K_{4,1}^*) \oplus \alpha_4 \oplus K_{3,5}^*) \\
\gamma_2 \\
\gamma_3 \\
S_8(S_1(x \oplus K_{4,1}^*) \oplus \alpha_5 \oplus K_{3,8}^*)
\end{pmatrix}
\oplus
\begin{pmatrix}
x \oplus \delta \\ \beta_1 \\ \beta_2 \\ \beta_3 \\ \beta_4 \\ \beta_5 \\ \beta_6 \\ \beta_7
\end{pmatrix},
\qquad
P_R^{(x)} = F(P_L^{(x)}, K_2^*) \oplus
\begin{pmatrix}
S_1(x \oplus K_{4,1}^*) \oplus \alpha_1 \\
S_1(x \oplus K_{4,1}^*) \oplus \alpha_2 \\
S_1(x \oplus K_{4,1}^*) \oplus \alpha_3 \\
\gamma_4 \\
S_1(x \oplus K_{4,1}^*) \oplus \alpha_4 \\
\gamma_5 \\
\gamma_6 \\
S_1(x \oplus K_{4,1}^*) \oplus \alpha_5
\end{pmatrix}.
$$

If the guessed value for $(K_2, K_{3,1}, K_{3,2}, K_{3,3}, K_{3,5}, K_{3,8}, K_{4,1}, \delta)$ is correct, the input to Round 5 must have the form $(m_1, m_2, m_3, m_4, m_5, m_6, m_7, m_8, x, m_9, m_{10}, m_{11}, m_{12}, m_{13}, m_{14}, m_{15})$, where $m_1, m_2, \cdots, m_{15}$ are indeterminate constants. The remaining steps are similar to the attacks described in Section 4. There are $2^{64+40} = 2^{104}$ possible values for $(K_2, K_{3,1}, K_{3,2}, K_{3,3}, K_{3,5}, K_{3,8}, K_{4,1})$ by the key schedule of Camellia-192, thus the attack requires $64 \times 2^{104+8} = 2^{118}$ chosen plaintexts. Given $(K_2, K_{3,1}, K_{3,2}, K_{3,3}, K_{3,5}, K_{3,8}, K_{4,1})$, there are only 36 unknown bits for $(K_{12,6}, K_{13,2}, K_{13,3}, K_{13,5}, K_{13,7}, K_{13,8}, K_{14}, K_{15})$, so the time complexity in the key recovery phase is approximately $2^{104+8+36} \times 64 \times \frac{8+8+5+1}{8 \times 14} \approx 2^{151.7}$ 14-round Camellia-192 encryptions. As a result, the attack requires a memory of $2^{160} \times 63 \approx 2^{166}$ bytes, and its time complexity is dominated by the time complexity of a one-off precomputation of $\Gamma_{c_1,c_2,\cdots,c_{20}}(0, z)$, which is approximately $2^{160} \times 64 \times 5 \times \frac{1}{14} \approx 2^{164.6}$ 14-round Camellia-192 encryptions under the rough estimate that a computation of $\Gamma_{c_1,c_2,\cdots,c_{20}}(0, z)$ equals 5 one-round Camellia-192 encryptions in terms of time, except for a one-off computation connected with the value 0 for each $(c_1, c_2, \cdots, c_{20})$. Since the attack's time complexity is dominated by the time complexity of the one-off precomputation of $\Gamma_{c_1,c_2,\cdots,c_{20}}(0, z)$, we can use a data-time-memory tradeoff to slightly reduce the memory and time complexity by precomputing only for a proportion of the 20 constant 8-bit parameters $c_1, c_2, \cdots, c_{20}$ and then using more data to achieve a reasonable success probability: such an attack requires $2^{125}$ chosen plaintexts and a memory of $2^{161}$ bytes, and has a total time complexity of $2^{160.3}$ 14-round Camellia-192 encryptions, with a success probability of 98%.

5.3 Attacking 16-Round Camellia-256 without FL/FL$^{-1}$ Functions

Similarly, we can use the 8-round HO-MitM property given in Proposition 2-2 to break the first 16 rounds of Camellia-256 without FL/FL$^{-1}$ functions, where the 8-round HO-MitM property is used from Rounds 4 to 11, and we guess $(K_1, K_{2,1}, K_{2,2}, K_{2,3}, K_{2,5}, K_{2,8}, K_{3,1}, \delta, K_{12,6}, K_{13,2}, K_{13,3}, K_{13,5}, K_{13,7}, K_{13,8}, K_{14}, K_{15}, K_{16})$; here $\delta$ is similar to the $\delta$ defined in Section 5.2. For each possible value of the 28 one-byte parameters $c'_1, c'_2, \cdots, c'_{28}$, precompute $\Psi_{c'_1,c'_2,\cdots,c'_{28}}(0, z)$ for $z = 1, 2, \cdots, 63$ sequentially. The one-off precomputation requires a memory of $2^{224} \times 63 \approx 2^{230}$ bytes, and has a time complexity of $2^{224} \times 64 \times 5 \times \frac{1}{16} \approx 2^{228.4}$ 16-round Camellia-256 encryptions under the rough estimate that a computation of $\Psi_{c'_1,c'_2,\cdots,c'_{28}}$ equals 5 one-round Camellia-256 encryptions in terms of time plus a one-off computation connected with the value 0 for each $(c'_1, c'_2, \cdots, c'_{28})$. Given $(K_1, K_{2,1}, K_{2,2}, K_{2,3}, K_{2,5}, K_{2,8}, K_{3,1})$, there are only 128 unknown bits for $(K_{12,6}, K_{13,2}, K_{13,3}, K_{13,5}, K_{13,7}, K_{13,8}, K_{14}, K_{15}, K_{16})$. After a similar analysis, we learn that the attack requires $2^{64+48+8} \times 64 = 2^{126}$ chosen plaintexts and has a total time complexity of approximately $2^{120+128} \times 64 \times \frac{8+8+8+5+1}{8 \times 16} \approx 2^{252}$ 16-round Camellia-256 encryptions.

5.4 A Comparison

When constructing the 7- and 8-round HO-MitM properties, we first obtain the corresponding 7- and 8-round MitM properties: the value-in-the-middle $P^{-1}(X_L^{(i)} \oplus Z_R^{(i)})[41 \sim 48] = Y_{2,6}^{(i)} \oplus Y_{4,6}^{(i)} \oplus Y_{6,6}^{(i)}$ in the 7-round MitM property can be expressed as a function of $x^{(i)}$ and 21 constant 8-bit parameters; and the value-in-the-middle $P^{-1}(X_R^{(i)} \oplus Z_R^{(i)})[41 \sim 48] = Y_{1,6}^{(i)} \oplus Y_{3,6}^{(i)} \oplus Y_{5,6}^{(i)} \oplus Y_{7,6}^{(i)}$ in the 8-round MitM property can be expressed as a function of $x^{(i)}$ and 30 constant 8-bit parameters. Then, by taking the XOR under two plaintexts $X^{(i_1)}$ and $X^{(i_2)}$, we cancel the two constant terms $P^{-1}(X_L^{(i)})[41 \sim 48]$ and $Y_{2,6}^{(i)}$ in the 7-round MitM property, or cancel the three constant terms $P^{-1}(X_R^{(i)})[41 \sim 48]$, $Y_{1,6}^{(i)}$ and $Y_{3,6}^{(i)}$ in the 8-round MitM property.

The 7- and 8-round MitM properties can be respectively used to break 14-round Camellia-192 without FL/FL$^{-1}$ functions and 16-round Camellia-256 without FL/FL$^{-1}$ functions; the attacked rounds are the same as in the HO-MitM attacks given in Sections 5.2 and 5.3, and the attack procedures are rather similar as well, except that we use the following way to deal with the unknown 8-bit parameter $P^{-1}(X_R^{(i)})[41 \sim 48]$ or $P^{-1}(X_L^{(i)})[41 \sim 48]$: for a 64-byte sequence obtained in the key-recovery phase, we XOR a possible value of $P^{-1}(X_R^{(i)})[41 \sim 48]$ or $P^{-1}(X_L^{(i)})[41 \sim 48]$ to all 64 basic units of value-in-the-middle in the sequence and then check the resulting sequence, and repeat this process for all the 256 possible values of $P^{-1}(X_R^{(i)})[41 \sim 48]$ or $P^{-1}(X_L^{(i)})[41 \sim 48]$. Similarly, the MitM attack on 14-round Camellia-192 without FL/FL$^{-1}$ functions has a data complexity of $64 \times 2^{104+8} = 2^{118}$ chosen plaintexts, a memory complexity of $64 \times 2^{21 \times 8} = 2^{174}$ bytes and a time complexity of $64 \times 2^{21 \times 8} \times 5 \times \frac{1}{14} + 64 \times 2^{112+36} \times \frac{8+8+5+1}{8 \times 14} \approx 2^{172.6} + 2^{151.7} \approx 2^{172.6}$ 14-round Camellia-192 encryptions. The time complexity is dominated by the one-off precomputation, and we can use a data-memory-time tradeoff to obtain a 14-round Camellia-192 attack with a data complexity of $2^{118+7} = 2^{125}$ chosen plaintexts, a memory complexity of $2^{174-5} = 2^{169}$ bytes, a time complexity of $2^{172.6-5} + 2^{151.7+7} \approx 2^{167.6}$ 14-round Camellia-192 encryptions and a success probability of 98%. The MitM attack on 16-round Camellia-256 without FL/FL$^{-1}$ functions has a data complexity of $64 \times 2^{112+8} = 2^{126}$ chosen plaintexts, a memory complexity of $64 \times 2^{30 \times 8} = 2^{246}$ bytes and a time complexity of $64 \times 2^{30 \times 8} \times 5 \times \frac{1}{16} + 64 \times 2^{120+128} \times \frac{8+8+8+5+1}{8 \times 16} \approx 2^{252}$ 16-round Camellia-256 encryptions. These MitM attacks are effective but less efficient than the HO-MitM attacks described earlier.

6 Conclusions

In this paper, we have proposed an extension of the meet-in-the-middle attack, called the higher-order meet-in-the-middle attack; it is based on using multiple plaintexts to cancel some key-dependent component(s) or parameter(s) when constructing a basic unit of value-in-the-middle. We have described a novel approach to construct higher-order meet-in-the-middle attacks and achieved the first cryptanalytic results on 10-round Camellia-128 with FL/FL$^{-1}$ functions, 11-round Camellia-192 with FL/FL$^{-1}$ functions and 12-round Camellia-256 with FL/FL$^{-1}$ functions. The higher-order meet-in-the-middle attack obtained by this approach can also be called the integral-meet-in-the-middle attack. Besides, we have briefly described higher-order meet-in-the-middle attacks on 14-round Camellia-192 without FL/FL$^{-1}$ functions and 16-round Camellia-256 without FL/FL$^{-1}$ functions. The higher-order meet-in-the-middle attack is a general cryptanalytic technique, and it would be interesting to investigate the security of other block ciphers against the higher-order meet-in-the-middle attack and to explore new approaches to construct such attacks.


Acknowledgments The authors are very grateful to the anonymous referees for their comments.

References

1. Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., Tokita, T.: Camellia: a 128-bit block cipher suitable for multiple platforms — design and analysis. In: Stinson, D.R., Tavares, S.E. (eds.) SAC 2000. LNCS, vol. 2012, pp. 39–56. Springer, Heidelberg (2001)
2. Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999)
3. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology 4(1), 3–72. Springer (1991)
4. Biryukov, A., Nikolić, I.: Automatic search for related-key differential characteristics in byte-oriented block ciphers: application to AES, Camellia, Khazad and others. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 322–344. Springer, Heidelberg (2010)
5. Biryukov, A., Shamir, A.: Structural cryptanalysis of SASAS. Journal of Cryptology 23(4), 505–518. Springer (2010)
6. Chen, J., Jia, K., Yu, H., Wang, X.: New impossible differential attacks of reduced-round Camellia-192 and Camellia-256. In: Hawkes, P., Parampalli, U. (eds.) ACISP 2011. LNCS. Springer, Heidelberg (2011)
7. CRYPTREC — Cryptography Research and Evaluation Committees, report 2002.
8. Daemen, J., Knudsen, L.R., Rijmen, V.: The block cipher Square. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997)
9. Demirci, H., Selçuk, A.A.: A meet-in-the-middle attack on 8-round AES. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 116–126. Springer, Heidelberg (2008)
10. Demirci, H., Taşkın, İ., Çoban, M., Baysal, A.: Improved meet-in-the-middle attacks on AES. In: Roy, B., Sendrier, N. (eds.) INDOCRYPT 2009. LNCS, vol. 5922, pp. 144–156. Springer, Heidelberg (2009)
11. Diffie, W., Hellman, M.: Exhaustive cryptanalysis of the NBS data encryption standard. Computer 10(6), pp. 74–84. IEEE (1977)
12. Dunkelman, O., Keller, N., Shamir, A.: Improved single-key attacks on 8-round AES-192 and AES-256. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 158–176. Springer, Heidelberg (2010)
13. Duo, L., Li, C., Feng, K.: New observation on Camellia. In: Preneel, B., Tavares, S.E. (eds.) SAC 2005. LNCS, vol. 3897, pp. 51–64. Springer, Heidelberg (2006)
14. Gilbert, H., Minier, M.: A collision attack on 7 rounds of Rijndael. In: The Third Advanced Encryption Standard Candidate Conference, pp. 230–241. NIST (2000)
15. Hatano, Y., Sekine, H., Kaneko, T.: Higher order differential attack of Camellia (II). In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 39–56. Springer, Heidelberg (2003)
16. Hellman, M.E.: A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory 26(4), 401–406 (1980)
17. Hu, Y., Zhang, Y., Xiao, G.: Integral cryptanalysis of SAFER+. Electronics Letters 35(17), 1458–1459. IEE (1999)
18. International Organization for Standardization (ISO), International Standard – ISO/IEC 18033-3, Information technology – Security techniques – Encryption algorithms – Part 3: Block ciphers, July 2005.
19. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995)
20. Knudsen, L.R.: DEAL — a 128-bit block cipher. Technical report, Department of Informatics, University of Bergen, Norway (1998)
21. Knudsen, L.R., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002)
22. Lai, X.: Higher order derivatives and differential cryptanalysis. In: Communications and Cryptography, pp. 227–233. Kluwer Academic Publishers (1994)
23. Lu, J.: Cryptanalysis of block ciphers. PhD thesis, University of London, UK (2008)
24. Lu, J., Wei, Y., Kim, J., Fouque, P.-A.: Cryptanalysis of reduced versions of the Camellia block cipher. (Manuscript, 2011)
25. Lu, J., Wei, Y., Pasalic, E., Fouque, P.-A.: Meet-in-the-middle attack on reduced versions of the Camellia block cipher. (Manuscript, 2011)
26. Mala, H., Shakiba, M., Dakhilalian, M., Bagherikaram, G.: New results on impossible differential cryptanalysis of reduced-round Camellia-128. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 281–294. Springer, Heidelberg (2009)
27. NESSIE — New European Schemes for Signatures, Integrity, and Encryption, final report of European project IST-1999-12324.
28. Wei, Y., Lu, J., Hu, Y.: Meet-in-the-middle attack on 8 rounds of the AES block cipher under 192 key bits. In: Bao, F., Weng, J. (eds.) ISPEC 2011. LNCS, vol. 6672, pp. 222–232. Springer, Heidelberg (2011)
29. Yeom, Y., Park, S., Kim, I.: A study of integral type cryptanalysis on Camellia. In: Proceedings of the 2003 Symposium on Cryptography and Information Security, pp. 453–456 (2003)

A Proof of Proposition 1

By definition of the FL and FL$^{-1}$ functions, we easily obtain the following property.

Property 1. Let $x_1, x_2, \cdots, x_8, y_1, y_2, \cdots, y_8$ be 8-bit blocks and $KI$ be a 64-bit subkey.

1. If $(y_1 \| y_2 \| \cdots \| y_8) = \mathrm{FL}(x_1 \| x_2 \| \cdots \| x_8, KI)$, then

$$
\begin{aligned}
y_1 &= ((((x_1[2 \sim 8] \| x_2[1]) \cap KI[2 \sim 9]) \oplus x_5) \cup KI[33 \sim 40]) \oplus x_1, \\
y_2 &= ((((x_2[2 \sim 8] \| x_3[1]) \cap KI[10 \sim 17]) \oplus x_6) \cup KI[41 \sim 48]) \oplus x_2, \\
y_3 &= ((((x_3[2 \sim 8] \| x_4[1]) \cap KI[18 \sim 25]) \oplus x_7) \cup KI[49 \sim 56]) \oplus x_3, \\
y_4 &= ((((x_4[2 \sim 8] \| x_1[1]) \cap KI[26 \sim 32, 1]) \oplus x_8) \cup KI[57 \sim 64]) \oplus x_4, \\
y_5 &= ((x_1[2 \sim 8] \| x_2[1]) \cap KI[2 \sim 9]) \oplus x_5, \\
y_6 &= ((x_2[2 \sim 8] \| x_3[1]) \cap KI[10 \sim 17]) \oplus x_6, \\
y_7 &= ((x_3[2 \sim 8] \| x_4[1]) \cap KI[18 \sim 25]) \oplus x_7, \\
y_8 &= ((x_4[2 \sim 8] \| x_1[1]) \cap KI[26 \sim 32, 1]) \oplus x_8.
\end{aligned}
\qquad (7)
$$

2. If $(y_1 \| y_2 \| \cdots \| y_8) = \mathrm{FL}^{-1}(x_1 \| x_2 \| \cdots \| x_8, KI)$, then

$$
\begin{aligned}
y_1 &= (x_5 \cup KI[33 \sim 40]) \oplus x_1, \\
y_2 &= (x_6 \cup KI[41 \sim 48]) \oplus x_2, \\
y_3 &= (x_7 \cup KI[49 \sim 56]) \oplus x_3, \\
y_4 &= (x_8 \cup KI[57 \sim 64]) \oplus x_4, \\
y_5 &= ((((x_5[2 \sim 8] \| x_6[1]) \cup KI[34 \sim 41]) \oplus (x_1[2 \sim 8] \| x_2[1])) \cap KI[2 \sim 9]) \oplus x_5, \\
y_6 &= ((((x_6[2 \sim 8] \| x_7[1]) \cup KI[42 \sim 49]) \oplus (x_2[2 \sim 8] \| x_3[1])) \cap KI[10 \sim 17]) \oplus x_6, \\
y_7 &= ((((x_7[2 \sim 8] \| x_8[1]) \cup KI[50 \sim 57]) \oplus (x_3[2 \sim 8] \| x_4[1])) \cap KI[18 \sim 25]) \oplus x_7, \\
y_8 &= ((((x_8[2 \sim 8] \| x_5[1]) \cup KI[58 \sim 64, 33]) \oplus (x_4[2 \sim 8] \| x_1[1])) \cap KI[26 \sim 32, 1]) \oplus x_8.
\end{aligned}
$$

We first prove Proposition 1-1. Below we focus on encrypting $X^{(i,j)}$ through Rounds 4 to 8. The output $(L_4^{(i,j)}, R_4^{(i,j)})$ of Round 4 is as follows, where $a_1, a_2, \cdots, a_8$ are 8-bit constants completely determined by $m_1, m_2, \cdots, m_{14}$ and $K_4$:

$$
\begin{aligned}
R_4^{(i,j)} &= (m_1, m_2, m_3, m_4, m_5, m_6, m_7, m_8), \\
L_4^{(i,j)} &= (x^{(i)} \oplus a_1, y^{(j)} \oplus a_2, a_3, a_4, a_5, a_6, a_7, a_8).
\end{aligned}
$$

The output $(L_5^{(i,j)}, R_5^{(i,j)})$ of Round 5 is as follows, where $b, b^*, b_1, \cdots, b_8$ are 8-bit constants completely determined by $m_1, m_2, \cdots, m_8$, $a_1, a_2, \cdots, a_8$ and $K_5$:

$$
\begin{aligned}
R_5^{(i,j)} &= (x^{(i)} \oplus a_1, y^{(j)} \oplus a_2, a_3, a_4, a_5, a_6, a_7, a_8), \\
L_5^{(i,j)} &= (L_{5,1}^{(i,j)}, L_{5,2}^{(i,j)}, L_{5,3}^{(i,j)}, L_{5,4}^{(i,j)}, L_{5,5}^{(i,j)}, L_{5,6}^{(i,j)}, L_{5,7}^{(i,j)}, L_{5,8}^{(i,j)}),
\end{aligned}
$$

with

$$
\begin{aligned}
L_{5,1}^{(i,j)} &= S_1(x^{(i)} \oplus b) \oplus b_1, \\
L_{5,2}^{(i,j)} &= S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus b_2, \\
L_{5,3}^{(i,j)} &= S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus b_3, \\
L_{5,4}^{(i,j)} &= S_2(y^{(j)} \oplus b^*) \oplus b_4, \\
L_{5,5}^{(i,j)} &= S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus b_5, \\
L_{5,6}^{(i,j)} &= S_2(y^{(j)} \oplus b^*) \oplus b_6, \\
L_{5,7}^{(i,j)} &= b_7, \\
L_{5,8}^{(i,j)} &= S_1(x^{(i)} \oplus b) \oplus b_8.
\end{aligned}
$$

The output $(\widehat{L}_6^{(i,j)}, \widehat{R}_6^{(i,j)})$ immediately before the FL/FL$^{-1}$ functions is as follows, where $d_1, d_2, \cdots, d_7$ are 8-bit constants completely determined by $b_1, b_2, \cdots, b_8$ and $K_6$; and $e_1, e_2, \cdots, e_8$ are 8-bit constants completely determined by $a_1, a_2, \cdots, a_8$, $b_1, b_2, \cdots, b_8$ and $K_6$:

$$
\begin{aligned}
\widehat{R}_6^{(i,j)} &= (L_{5,1}^{(i,j)}, L_{5,2}^{(i,j)}, L_{5,3}^{(i,j)}, L_{5,4}^{(i,j)}, L_{5,5}^{(i,j)}, L_{5,6}^{(i,j)}, L_{5,7}^{(i,j)}, L_{5,8}^{(i,j)}), \\
\widehat{L}_6^{(i,j)} &= (\widehat{L}_{6,1}^{(i,j)}, \widehat{L}_{6,2}^{(i,j)}, \widehat{L}_{6,3}^{(i,j)}, \widehat{L}_{6,4}^{(i,j)}, \widehat{L}_{6,5}^{(i,j)}, \widehat{L}_{6,6}^{(i,j)}, \widehat{L}_{6,7}^{(i,j)}, \widehat{L}_{6,8}^{(i,j)}),
\end{aligned}
$$


with

$$
\begin{aligned}
\widehat{L}_{6,1}^{(i,j)} &= S_1(S_1(x^{(i)} \oplus b) \oplus d_1) \oplus S_3(S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus d_3) \oplus S_4(S_2(y^{(j)} \oplus b^*) \oplus d_4) \oplus {} \\
&\quad S_6(S_2(y^{(j)} \oplus b^*) \oplus d_6) \oplus S_8(S_1(x^{(i)} \oplus b) \oplus d_7) \oplus x^{(i)} \oplus e_1, \\
\widehat{L}_{6,2}^{(i,j)} &= S_1(S_1(x^{(i)} \oplus b) \oplus d_1) \oplus S_2(S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus d_2) \oplus S_4(S_2(y^{(j)} \oplus b^*) \oplus d_4) \oplus {} \\
&\quad S_5(S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus d_5) \oplus S_8(S_1(x^{(i)} \oplus b) \oplus d_7) \oplus y^{(j)} \oplus e_2, \\
\widehat{L}_{6,3}^{(i,j)} &= S_1(S_1(x^{(i)} \oplus b) \oplus d_1) \oplus S_2(S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus d_2) \oplus {} \\
&\quad S_3(S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus d_3) \oplus S_5(S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus d_5) \oplus {} \\
&\quad S_6(S_2(y^{(j)} \oplus b^*) \oplus d_6) \oplus S_8(S_1(x^{(i)} \oplus b) \oplus d_7) \oplus e_3, \qquad (8) \\
\widehat{L}_{6,4}^{(i,j)} &= S_2(S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus d_2) \oplus S_3(S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus d_3) \oplus {} \\
&\quad S_4(S_2(y^{(j)} \oplus b^*) \oplus d_4) \oplus S_5(S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus d_5) \oplus S_6(S_2(y^{(j)} \oplus b^*) \oplus d_6) \oplus e_4, \qquad (9) \\
\widehat{L}_{6,5}^{(i,j)} &= S_1(S_1(x^{(i)} \oplus b) \oplus d_1) \oplus S_2(S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus d_2) \oplus S_6(S_2(y^{(j)} \oplus b^*) \oplus d_6) \oplus {} \\
&\quad S_8(S_1(x^{(i)} \oplus b) \oplus d_7) \oplus e_5, \\
\widehat{L}_{6,6}^{(i,j)} &= S_2(S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus d_2) \oplus S_3(S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus d_3) \oplus {} \\
&\quad S_5(S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus d_5) \oplus S_8(S_1(x^{(i)} \oplus b) \oplus d_7) \oplus e_6, \\
\widehat{L}_{6,7}^{(i,j)} &= S_3(S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus d_3) \oplus S_4(S_2(y^{(j)} \oplus b^*) \oplus d_4) \oplus {} \\
&\quad S_5(S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus d_5) \oplus S_6(S_2(y^{(j)} \oplus b^*) \oplus d_6) \oplus S_8(S_1(x^{(i)} \oplus b) \oplus d_7) \oplus e_7, \qquad (10) \\
\widehat{L}_{6,8}^{(i,j)} &= S_1(S_1(x^{(i)} \oplus b) \oplus d_1) \oplus S_4(S_2(y^{(j)} \oplus b^*) \oplus d_4) \oplus S_5(S_1(x^{(i)} \oplus b) \oplus S_2(y^{(j)} \oplus b^*) \oplus d_5) \oplus {} \\
&\quad S_6(S_2(y^{(j)} \oplus b^*) \oplus d_6) \oplus e_8.
\end{aligned}
$$

By Eq. (7) in Property 1 we know that $\mathrm{FL}(\hat{L}_6^{(i,j)}, KI_1)[49 \sim 56]$ depends only on $\hat{L}_{6,3}^{(i,j)}, \hat{L}_{6,4}^{(i,j)}, \hat{L}_{6,7}^{(i,j)}$ and $KI_1[18 \sim 25]$. By Eqs. (8)–(10), we know that $\hat{L}_{6,3}^{(i,j)}, \hat{L}_{6,4}^{(i,j)}, \hat{L}_{6,7}^{(i,j)}$ depend only on $b, b^*, d_1, d_2, \cdots, d_7, e_3, e_4, e_7, x^{(i)}, y^{(j)}$. Subsequently, if we let $r_1 = e_7 \oplus K_{7,7}$, then $Y_{7,7}^{(i,j)}$ is determined only by $b, b^*, d_1, d_2, \cdots, d_7, e_3, e_4, r_1, KI_1[18 \sim 25], x^{(i)}, y^{(j)}$. Hence, $\bigoplus_{j=1}^{256} Y_{7,7}^{(i,j)}$ is determined only by $x^{(i)}$ and 13 constant 8-bit parameters $b, b^*, d_1, d_2, \cdots, d_7, e_3, e_4, r_1, KI_1[18 \sim 25]$. By Eq. (4) we have $\bigoplus_{j=1}^{256} P^{-1}(Z_R^{(i,j)})[49 \sim 56] = \bigoplus_{j=1}^{256} Y_{7,7}^{(i,j)}$. Therefore, Proposition 1-1 holds.

Next we prove Proposition 1-2. The output $(L_3^{(i,j)}, R_3^{(i,j)})$ of Round 3 is as follows, where $\hat{a}_1, \hat{a}_2, \cdots, \hat{a}_8$ are 8-bit constants completely determined by $m_1, m_2, \cdots, m_{14}$ and $K_3$.

\[
\begin{aligned}
R_3^{(i,j)} &= (m_1, m_2, m_3, m_4, m_5, m_6, m_7, m_8),\\
L_3^{(i,j)} &= (x^{(i)} \oplus \hat{a}_1,\ y^{(j)} \oplus \hat{a}_2,\ \hat{a}_3, \hat{a}_4, \hat{a}_5, \hat{a}_6, \hat{a}_7, \hat{a}_8).
\end{aligned}
\]

The output $(L_4^{(i,j)}, R_4^{(i,j)})$ of Round 4 is as follows, where $\hat{b}, \hat{b}^*, \hat{b}_1, \cdots, \hat{b}_8$ are 8-bit constants completely determined by $m_1, m_2, \cdots, m_8$, $\hat{a}_1, \hat{a}_2, \cdots, \hat{a}_8$ and $K_4$:

\[
\begin{aligned}
R_4^{(i,j)} &= (x^{(i)} \oplus \hat{a}_1,\ y^{(j)} \oplus \hat{a}_2,\ \hat{a}_3, \hat{a}_4, \hat{a}_5, \hat{a}_6, \hat{a}_7, \hat{a}_8),\\
L_4^{(i,j)} &= (L_{4,1}^{(i,j)}, L_{4,2}^{(i,j)}, L_{4,3}^{(i,j)}, L_{4,4}^{(i,j)}, L_{4,5}^{(i,j)}, L_{4,6}^{(i,j)}, L_{4,7}^{(i,j)}, L_{4,8}^{(i,j)}),
\end{aligned}
\]

with

\[
\begin{aligned}
L_{4,1}^{(i,j)} &= S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{b}_1,\\
L_{4,2}^{(i,j)} &= S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{b}_2,\\
L_{4,3}^{(i,j)} &= S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{b}_3,\\
L_{4,4}^{(i,j)} &= S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{b}_4,\\
L_{4,5}^{(i,j)} &= S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{b}_5,\\
L_{4,6}^{(i,j)} &= S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{b}_6,\\
L_{4,7}^{(i,j)} &= \hat{b}_7,\\
L_{4,8}^{(i,j)} &= S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{b}_8.
\end{aligned}
\]

The output $(L_5^{(i,j)}, R_5^{(i,j)})$ of Round 5 is as follows, where $\hat{d}_1, \hat{d}_2, \cdots, \hat{d}_7$ are 8-bit constants completely determined by $\hat{b}_1, \hat{b}_2, \cdots, \hat{b}_8$ and $K_5$; and $\hat{e}_1, \hat{e}_2, \cdots, \hat{e}_8$ are 8-bit constants completely determined by $\hat{a}_1, \hat{a}_2, \cdots, \hat{a}_8$, $\hat{b}_1, \hat{b}_2, \cdots, \hat{b}_8$ and $K_5$:

\[
\begin{aligned}
R_5^{(i,j)} &= (L_{4,1}^{(i,j)}, L_{4,2}^{(i,j)}, L_{4,3}^{(i,j)}, L_{4,4}^{(i,j)}, L_{4,5}^{(i,j)}, L_{4,6}^{(i,j)}, L_{4,7}^{(i,j)}, L_{4,8}^{(i,j)}),\\
L_5^{(i,j)} &= (L_{5,1}^{(i,j)}, L_{5,2}^{(i,j)}, L_{5,3}^{(i,j)}, L_{5,4}^{(i,j)}, L_{5,5}^{(i,j)}, L_{5,6}^{(i,j)}, L_{5,7}^{(i,j)}, L_{5,8}^{(i,j)}),
\end{aligned}
\]

with

\[
\begin{aligned}
L_{5,1}^{(i,j)} &= S_1(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_1) \oplus S_3(S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_3) \oplus S_4(S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_4) \oplus{}\\
&\quad S_6(S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_6) \oplus S_8(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_7) \oplus x^{(i)} \oplus \hat{e}_1,\\
L_{5,2}^{(i,j)} &= S_1(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_1) \oplus S_2(S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_2) \oplus S_4(S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_4) \oplus{}\\
&\quad S_5(S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_5) \oplus S_8(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_7) \oplus y^{(j)} \oplus \hat{e}_2,\\
L_{5,3}^{(i,j)} &= S_1(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_1) \oplus S_2(S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_2) \oplus S_3(S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_3) \oplus{}\\
&\quad S_5(S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_5) \oplus S_6(S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_6) \oplus S_8(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_7) \oplus \hat{e}_3,\\
L_{5,4}^{(i,j)} &= S_2(S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_2) \oplus S_3(S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_3) \oplus S_4(S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_4) \oplus{}\\
&\quad S_5(S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_5) \oplus S_6(S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_6) \oplus \hat{e}_4,\\
L_{5,5}^{(i,j)} &= S_1(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_1) \oplus S_2(S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_2) \oplus S_6(S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_6) \oplus{}\\
&\quad S_8(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_7) \oplus \hat{e}_5,\\
L_{5,6}^{(i,j)} &= S_2(S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_2) \oplus S_3(S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_3) \oplus{}\\
&\quad S_5(S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_5) \oplus S_8(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_7) \oplus \hat{e}_6,\\
L_{5,7}^{(i,j)} &= S_3(S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_3) \oplus S_4(S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_4) \oplus S_5(S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_5) \oplus{}\\
&\quad S_6(S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_6) \oplus S_8(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_7) \oplus \hat{e}_7,\\
L_{5,8}^{(i,j)} &= S_1(S_1(x^{(i)} \oplus \hat{b}) \oplus \hat{d}_1) \oplus S_4(S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_4) \oplus S_5(S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_5) \oplus{}\\
&\quad S_6(S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{d}_6) \oplus \hat{e}_8.
\end{aligned}
\]

By Property 1-1, we know that $\mathrm{FL}(\hat{L}_6^{(i,j)}, KI_1)[41 \sim 48]$ is determined only by $\hat{L}_{6,2}^{(i,j)}, \hat{L}_{6,3}^{(i,j)}, \hat{L}_{6,6}^{(i,j)}, KI_1[10 \sim 17]$, where

\[
\begin{aligned}
\hat{L}_{6,2}^{(i,j)} &= S_1(L_{5,1}^{(i,j)} \oplus K_{6,1}) \oplus S_2(L_{5,2}^{(i,j)} \oplus K_{6,2}) \oplus S_4(L_{5,4}^{(i,j)} \oplus K_{6,4}) \oplus S_5(L_{5,5}^{(i,j)} \oplus K_{6,5}) \oplus{}\\
&\quad S_7(L_{5,7}^{(i,j)} \oplus K_{6,7}) \oplus S_8(L_{5,8}^{(i,j)} \oplus K_{6,8}) \oplus S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{b}_2,\\
\hat{L}_{6,3}^{(i,j)} &= S_1(L_{5,1}^{(i,j)} \oplus K_{6,1}) \oplus S_2(L_{5,2}^{(i,j)} \oplus K_{6,2}) \oplus S_3(L_{5,3}^{(i,j)} \oplus K_{6,3}) \oplus S_5(L_{5,5}^{(i,j)} \oplus K_{6,5}) \oplus{}\\
&\quad S_6(L_{5,6}^{(i,j)} \oplus K_{6,6}) \oplus S_8(L_{5,8}^{(i,j)} \oplus K_{6,8}) \oplus S_1(x^{(i)} \oplus \hat{b}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{b}_3,\\
\hat{L}_{6,6}^{(i,j)} &= S_2(L_{5,2}^{(i,j)} \oplus K_{6,2}) \oplus S_3(L_{5,3}^{(i,j)} \oplus K_{6,3}) \oplus S_5(L_{5,5}^{(i,j)} \oplus K_{6,5}) \oplus S_7(L_{5,7}^{(i,j)} \oplus K_{6,7}) \oplus{}\\
&\quad S_8(L_{5,8}^{(i,j)} \oplus K_{6,8}) \oplus S_2(y^{(j)} \oplus \hat{b}^*) \oplus \hat{b}_6.
\end{aligned}
\]

Letting $\hat{n}_l = \hat{e}_l \oplus K_{6,l}$ for $l = 1, 2, \cdots, 8$ and $\hat{o}_1 = \hat{b}_6 \oplus K_{7,6}$, then we can learn that $\bigoplus_{j=1}^{256} Y_{7,6}^{(i,j)}$ is determined only by $(x^{(i)}, \hat{b}, \hat{b}^*, \hat{b}_2, \hat{b}_3, \hat{o}_1, \hat{d}_1, \hat{d}_2, \cdots, \hat{d}_7, \hat{n}_1, \hat{n}_2, \cdots, \hat{n}_8, KI_1[10 \sim 17])$. Therefore, following Eq. (6), we know that Proposition 1-2 holds. $\square$

B Proof of Proposition 2

We assume the 7-round Camellia is from Rounds 1 to 7, and the 8-round Camellia is from Rounds 1 to 8. When encrypting $X^{(i)}$, we denote by $Y_t^{(i)}$ the value immediately after the S operation of Round $t$, and by $W_t^{(i)}$ the value immediately after the P operation of Round $t$ ($1 \le t \le 8$). For the 7-round Camellia, we have

\[
X_L^{(i)} \oplus W_2^{(i)} \oplus W_4^{(i)} \oplus W_6^{(i)} = Z_R^{(i)}. \qquad (11)
\]

After applying the $P^{-1}$ operation to Eq. (11), we get the following equation for the 7-round Camellia:

\[
P^{-1}(X_L^{(i)} \oplus Z_R^{(i)}) = Y_2^{(i)} \oplus Y_4^{(i)} \oplus Y_6^{(i)}. \qquad (12)
\]

For the 8-round Camellia, we have

\[
X_R^{(i)} \oplus W_1^{(i)} \oplus W_3^{(i)} \oplus W_5^{(i)} \oplus W_7^{(i)} = Z_R^{(i)}. \qquad (13)
\]

After applying the $P^{-1}$ operation to Eq. (13), we have the following equation for the 8-round Camellia:

\[
P^{-1}(X_R^{(i)} \oplus Z_R^{(i)}) = Y_1^{(i)} \oplus Y_3^{(i)} \oplus Y_5^{(i)} \oplus Y_7^{(i)}. \qquad (14)
\]

Next, we focus on encrypting $X^{(i)}$ through the first 7 rounds. The output of Round 1 is as follows, where $a_1, a_2, \cdots, a_8$ are 8-bit constants completely determined by $m_1, m_2, \cdots, m_{15}$ and $K_1$.

\[
\begin{aligned}
R_1^{(i)} &= (m_1, m_2, m_3, m_4, m_5, m_6, m_7, m_8),\\
L_1^{(i)} &= (x^{(i)} \oplus a_1,\ a_2, a_3, a_4, a_5, a_6, a_7, a_8).
\end{aligned}
\]

The output of Round 2 is as follows, where $b, b_1, \cdots, b_8$ are 8-bit constants completely determined by $m_1, m_2, \cdots, m_8$, $a_1, a_2, \cdots, a_8$ and $K_2$:

\[
\begin{aligned}
R_2^{(i)} &= (x^{(i)} \oplus a_1,\ a_2, a_3, a_4, a_5, a_6, a_7, a_8),\\
L_2^{(i)} &= (L_{2,1}^{(i)}, L_{2,2}^{(i)}, L_{2,3}^{(i)}, L_{2,4}^{(i)}, L_{2,5}^{(i)}, L_{2,6}^{(i)}, L_{2,7}^{(i)}, L_{2,8}^{(i)}),
\end{aligned}
\]

with

\[
\begin{aligned}
L_{2,1}^{(i)} &= S_1(x^{(i)} \oplus b) \oplus b_1,\\
L_{2,2}^{(i)} &= S_1(x^{(i)} \oplus b) \oplus b_2,\\
L_{2,3}^{(i)} &= S_1(x^{(i)} \oplus b) \oplus b_3,\\
L_{2,4}^{(i)} &= b_4,\\
L_{2,5}^{(i)} &= S_1(x^{(i)} \oplus b) \oplus b_5,\\
L_{2,6}^{(i)} &= b_6,\\
L_{2,7}^{(i)} &= b_7,\\
L_{2,8}^{(i)} &= S_1(x^{(i)} \oplus b) \oplus b_8.
\end{aligned}
\]

The output of Round 3 is as follows, where $d_1 = b_1 \oplus K_{3,1}$, $d_2 = b_2 \oplus K_{3,2}$, $d_3 = b_3 \oplus K_{3,3}$, $d_4 = b_5 \oplus K_{3,5}$, $d_5 = b_8 \oplus K_{3,8}$; and $e_1, e_2, \cdots, e_8$ are 8-bit constants completely determined by $a_1, a_2, \cdots, a_8$ and $b_1, b_2, \cdots, b_8$:

\[
\begin{aligned}
R_3^{(i)} &= (L_{2,1}^{(i)}, L_{2,2}^{(i)}, L_{2,3}^{(i)}, L_{2,4}^{(i)}, L_{2,5}^{(i)}, L_{2,6}^{(i)}, L_{2,7}^{(i)}, L_{2,8}^{(i)}),\\
L_3^{(i)} &= (L_{3,1}^{(i)}, L_{3,2}^{(i)}, L_{3,3}^{(i)}, L_{3,4}^{(i)}, L_{3,5}^{(i)}, L_{3,6}^{(i)}, L_{3,7}^{(i)}, L_{3,8}^{(i)}),
\end{aligned}
\]

with

\[
\begin{aligned}
L_{3,1}^{(i)} &= S_1(S_1(x^{(i)} \oplus b) \oplus d_1) \oplus S_3(S_1(x^{(i)} \oplus b) \oplus d_3) \oplus S_8(S_1(x^{(i)} \oplus b) \oplus d_5) \oplus x^{(i)} \oplus e_1,\\
L_{3,2}^{(i)} &= S_1(S_1(x^{(i)} \oplus b) \oplus d_1) \oplus S_2(S_1(x^{(i)} \oplus b) \oplus d_2) \oplus S_5(S_1(x^{(i)} \oplus b) \oplus d_4) \oplus S_8(S_1(x^{(i)} \oplus b) \oplus d_5) \oplus e_2,\\
L_{3,3}^{(i)} &= S_1(S_1(x^{(i)} \oplus b) \oplus d_1) \oplus S_2(S_1(x^{(i)} \oplus b) \oplus d_2) \oplus S_3(S_1(x^{(i)} \oplus b) \oplus d_3) \oplus{}\\
&\quad S_5(S_1(x^{(i)} \oplus b) \oplus d_4) \oplus S_8(S_1(x^{(i)} \oplus b) \oplus d_5) \oplus e_3,\\
L_{3,4}^{(i)} &= S_2(S_1(x^{(i)} \oplus b) \oplus d_2) \oplus S_3(S_1(x^{(i)} \oplus b) \oplus d_3) \oplus S_5(S_1(x^{(i)} \oplus b) \oplus d_4) \oplus e_4,\\
L_{3,5}^{(i)} &= S_1(S_1(x^{(i)} \oplus b) \oplus d_1) \oplus S_2(S_1(x^{(i)} \oplus b) \oplus d_2) \oplus S_8(S_1(x^{(i)} \oplus b) \oplus d_5) \oplus e_5,\\
L_{3,6}^{(i)} &= S_2(S_1(x^{(i)} \oplus b) \oplus d_2) \oplus S_3(S_1(x^{(i)} \oplus b) \oplus d_3) \oplus S_5(S_1(x^{(i)} \oplus b) \oplus d_4) \oplus S_8(S_1(x^{(i)} \oplus b) \oplus d_5) \oplus e_6,\\
L_{3,7}^{(i)} &= S_3(S_1(x^{(i)} \oplus b) \oplus d_3) \oplus S_5(S_1(x^{(i)} \oplus b) \oplus d_4) \oplus S_8(S_1(x^{(i)} \oplus b) \oplus d_5) \oplus e_7,\\
L_{3,8}^{(i)} &= S_1(S_1(x^{(i)} \oplus b) \oplus d_1) \oplus S_5(S_1(x^{(i)} \oplus b) \oplus d_4) \oplus e_8.
\end{aligned}
\]

Similarly, we can learn

– Each byte of the output $L_4^{(i)}$ of Round 4 is determined by the following parameters, where $l_j = e_j \oplus K_{4,j}$ ($j = 1, 2, \cdots, 8$):

\[
\begin{aligned}
L_{4,1}^{(i)} &: \{x^{(i)}, b, b_1, d_1, d_2, \cdots, d_5, l_1, l_3, l_4, l_6, l_7, l_8\},\\
L_{4,2}^{(i)} &: \{x^{(i)}, b, b_2, d_1, d_2, \cdots, d_5, l_1, l_2, l_4, l_5, l_7, l_8\},\\
L_{4,3}^{(i)} &: \{x^{(i)}, b, b_3, d_1, d_2, \cdots, d_5, l_1, l_2, l_3, l_5, l_6, l_8\},\\
L_{4,4}^{(i)} &: \{x^{(i)}, b, b_4, d_1, d_2, \cdots, d_5, l_2, l_3, l_4, l_5, l_6, l_7\},\\
L_{4,5}^{(i)} &: \{x^{(i)}, b, b_5, d_1, d_2, \cdots, d_5, l_1, l_2, l_6, l_7, l_8\},\\
L_{4,6}^{(i)} &: \{x^{(i)}, b, b_6, d_1, d_2, \cdots, d_5, l_2, l_3, l_5, l_7, l_8\},\\
L_{4,7}^{(i)} &: \{x^{(i)}, b, b_7, d_1, d_2, \cdots, d_5, l_3, l_4, l_5, l_6, l_8\},\\
L_{4,8}^{(i)} &: \{x^{(i)}, b, b_8, d_1, d_2, \cdots, d_5, l_1, l_4, l_5, l_6, l_7\}.
\end{aligned}
\]

– Each byte of the output $L_5^{(i)}$ of Round 5 is determined by the following parameters, where $n_j = b_j \oplus K_{5,j}$ ($j = 1, 2, \cdots, 8$):

\[
\begin{aligned}
L_{5,1}^{(i)} &: \{x^{(i)}, b, e_1, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_1, n_3, n_4, n_6, n_7, n_8\},\\
L_{5,2}^{(i)} &: \{x^{(i)}, b, e_2, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_1, n_2, n_4, n_5, n_7, n_8\},\\
L_{5,3}^{(i)} &: \{x^{(i)}, b, e_3, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_1, n_2, n_3, n_5, n_6, n_8\},\\
L_{5,4}^{(i)} &: \{x^{(i)}, b, e_4, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_2, n_3, n_4, n_5, n_6, n_7\},\\
L_{5,5}^{(i)} &: \{x^{(i)}, b, e_5, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_1, n_2, n_6, n_7, n_8\},\\
L_{5,6}^{(i)} &: \{x^{(i)}, b, e_6, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_2, n_3, n_5, n_7, n_8\},\\
L_{5,7}^{(i)} &: \{x^{(i)}, b, e_7, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_3, n_4, n_5, n_6, n_8\},\\
L_{5,8}^{(i)} &: \{x^{(i)}, b, e_8, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_1, n_4, n_5, n_6, n_7\}.
\end{aligned}
\]

– Each byte of the output $L_6^{(i)}$ of Round 6 is determined by the following parameters, where $o_j = e_j \oplus K_{6,j}$ ($j = 1, 2, \cdots, 8$):

\[
\begin{aligned}
L_{6,1}^{(i)} &: \{x^{(i)}, b, b_1, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_1, n_2, \cdots, n_8, o_1, o_3, o_4, o_6, o_7, o_8\},\\
L_{6,2}^{(i)} &: \{x^{(i)}, b, b_2, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_1, n_2, \cdots, n_8, o_1, o_2, o_4, o_5, o_7, o_8\},\\
L_{6,3}^{(i)} &: \{x^{(i)}, b, b_3, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_1, n_2, \cdots, n_8, o_1, o_2, o_3, o_5, o_6, o_8\},\\
L_{6,4}^{(i)} &: \{x^{(i)}, b, b_4, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_1, n_2, \cdots, n_8, o_2, o_3, o_4, o_5, o_6, o_7\},\\
L_{6,5}^{(i)} &: \{x^{(i)}, b, b_5, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_1, n_2, \cdots, n_8, o_1, o_2, o_6, o_7, o_8\},\\
L_{6,6}^{(i)} &: \{x^{(i)}, b, b_6,  d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_1, n_2, \cdots, n_8, o_2, o_3, o_5, o_7, o_8\},\\
L_{6,7}^{(i)} &: \{x^{(i)}, b, b_7, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_1, n_2, \cdots, n_8, o_3, o_4, o_5, o_6, o_8\},\\
L_{6,8}^{(i)} &: \{x^{(i)}, b, b_8, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_1, n_2, \cdots, n_8, o_1, o_4, o_5, o_6, o_7\}.
\end{aligned}
\]

From the above discussions, we particularly have

\[
\begin{aligned}
Y_{1,6}^{(i)} &= S_6(m_6 \oplus K_{1,6}), \qquad (15)\\
Y_{2,6}^{(i)} &= S_6(a_6 \oplus K_{2,6}), \qquad (16)\\
Y_{3,6}^{(i)} &= S_6(b_6 \oplus K_{3,6}), \qquad (17)\\
Y_{4,6}^{(i)} &= S_6(S_2(S_1(x^{(i)} \oplus b) \oplus d_2) \oplus S_3(S_1(x^{(i)} \oplus b) \oplus d_3) \oplus S_5(S_1(x^{(i)} \oplus b) \oplus d_4) \oplus S_8(S_1(x^{(i)} \oplus b) \oplus d_5) \oplus l_6), \qquad (18)\\
Y_{5,6}^{(i)} &: \{x^{(i)}, b, n_6, d_1, d_2, \cdots, d_5, l_2, l_3, l_5, l_7, l_8\}, \qquad (19)\\
Y_{6,6}^{(i)} &: \{x^{(i)}, b, o_6, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_2, n_3, n_5, n_7, n_8\}, \qquad (20)\\
Y_{7,6}^{(i)} &: \{x^{(i)}, b, b_6 \oplus K_{7,6}, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_1, n_2, \cdots, n_8, o_2, o_3, o_5, o_7, o_8\}. \qquad (21)
\end{aligned}
\]

Letting $q_1 = S_6(m_6 \oplus K_{1,6})$, $q_2 = S_6(a_6 \oplus K_{2,6})$, $q_3 = S_6(b_6 \oplus K_{3,6})$, $q_4 = b_6 \oplus K_{7,6}$, then by Eqs. (15)–(21) we know:

• $Y_{2,6}^{(i)} \oplus Y_{4,6}^{(i)} \oplus Y_{6,6}^{(i)}$ can be expressed as a function of $x^{(i)}$ and 21 constants $b, q_2, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_2, n_3, n_5, n_7, n_8, o_6$. When we XOR $Y_{2,6}^{(i_1)} \oplus Y_{4,6}^{(i_1)} \oplus Y_{6,6}^{(i_1)}$ with $Y_{2,6}^{(i_2)} \oplus Y_{4,6}^{(i_2)} \oplus Y_{6,6}^{(i_2)}$, then $q_2$ will cancel out, and thus $Y_{2,6}^{(i_1)} \oplus Y_{4,6}^{(i_1)} \oplus Y_{6,6}^{(i_1)} \oplus Y_{2,6}^{(i_2)} \oplus Y_{4,6}^{(i_2)} \oplus Y_{6,6}^{(i_2)}$ can be expressed as a function of $x^{(i_1)}, x^{(i_2)}$ and 20 constants $b, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_2, n_3, n_5, n_7, n_8, o_6$.

• $Y_{1,6}^{(i)} \oplus Y_{3,6}^{(i)} \oplus Y_{5,6}^{(i)} \oplus Y_{7,6}^{(i)}$ can be expressed as a function of $x^{(i)}$ and 30 constants $b, q_1, q_3, q_4, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_1, n_2, \cdots, n_8, o_2, o_3, o_5, o_7, o_8$. When we XOR $Y_{1,6}^{(i_1)} \oplus Y_{3,6}^{(i_1)} \oplus Y_{5,6}^{(i_1)} \oplus Y_{7,6}^{(i_1)}$ with $Y_{1,6}^{(i_2)} \oplus Y_{3,6}^{(i_2)} \oplus Y_{5,6}^{(i_2)} \oplus Y_{7,6}^{(i_2)}$, then $q_1$ and $q_3$ will cancel out, and thus $Y_{1,6}^{(i_1)} \oplus Y_{3,6}^{(i_1)} \oplus Y_{5,6}^{(i_1)} \oplus Y_{7,6}^{(i_1)} \oplus Y_{1,6}^{(i_2)} \oplus Y_{3,6}^{(i_2)} \oplus Y_{5,6}^{(i_2)} \oplus Y_{7,6}^{(i_2)}$ can be expressed as a function of $x^{(i_1)}, x^{(i_2)}$ and 28 constants $b, q_4, d_1, d_2, \cdots, d_5, l_1, l_2, \cdots, l_8, n_1, n_2, \cdots, n_8, o_2, o_3, o_5, o_7, o_8$.

Observe that $P^{-1}(X_L^{(i_1)} \oplus X_L^{(i_2)}) = 0$ and $P^{-1}(X_R^{(i_1)} \oplus X_R^{(i_2)}) = (0,\ x^{(i_1)} \oplus x^{(i_2)},\ x^{(i_1)} \oplus x^{(i_2)},\ x^{(i_1)} \oplus x^{(i_2)},\ x^{(i_1)} \oplus x^{(i_2)},\ 0,\ 0,\ x^{(i_1)} \oplus x^{(i_2)})$. Therefore, the results follow from Eqs. (12) and (14). $\square$
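The byte-tracking used in both proofs (which P-output bytes a varying S-output byte reaches, giving $L_{5,7} = b_7$ in Appendix A and $L_{2,4} = b_4$, $L_{2,6} = b_6$, $L_{2,7} = b_7$ here) and the Feistel identities (11)–(14) can be checked mechanically. The Python below is an added example and not code from the paper: it implements Camellia's P layer and its inverse exactly, but uses a constructed placeholder S-box and constructed round keys in place of Camellia's s1–s4 and key schedule, which is enough because these claims depend only on P.

```python
from functools import reduce
from operator import xor as bxor
from typing import List, Sequence, Set, Tuple

Bytes = List[int]

# Camellia's P layer (RFC 3713): z_i = XOR of y_j for j in P_ROWS[i-1] (1-based).
P_ROWS = [(1, 3, 4, 6, 7, 8), (1, 2, 4, 5, 7, 8), (1, 2, 3, 5, 6, 8),
          (2, 3, 4, 5, 6, 7), (1, 2, 6, 7, 8), (2, 3, 5, 7, 8),
          (3, 4, 5, 6, 8), (1, 4, 5, 6, 7)]
# P^{-1}, obtained by Gauss-Jordan elimination of P's 8x8 matrix over GF(2).
PINV_ROWS = [(2, 3, 4, 6, 7, 8), (1, 3, 4, 5, 7, 8), (1, 2, 4, 5, 6, 8),
             (1, 2, 3, 5, 6, 7), (1, 2, 5, 7, 8), (2, 3, 5, 6, 8),
             (3, 4, 5, 6, 7), (1, 4, 6, 7, 8)]

def _byte_linear(rows: Sequence[Sequence[int]], v: Bytes) -> Bytes:
    """Apply a byte-wise GF(2)-linear map given as per-output index sets."""
    return [reduce(bxor, (v[j - 1] for j in r), 0) for r in rows]

def p_layer(y: Bytes) -> Bytes:
    return _byte_linear(P_ROWS, y)

def p_inv(z: Bytes) -> Bytes:
    return _byte_linear(PINV_ROWS, z)

def xor_bytes(a: Bytes, b: Bytes) -> Bytes:
    return [u ^ v for u, v in zip(a, b)]

# Constructed bijective S-box (x -> 7x + 0x63 mod 256) standing in for Camellia's
# s1..s4; the byte-dependency and cancellation claims rest on P, not on the S-boxes.
SBOX = [(7 * i + 0x63) & 0xFF for i in range(256)]

def feistel(x: Bytes, keys: Sequence[Bytes], rounds: int) -> Tuple[Bytes, Bytes, List[Bytes]]:
    """Camellia-shaped Feistel network (no FL/FL^{-1}, no whitening, no final swap).
    Returns (Z_L, Z_R, [Y_1, ..., Y_rounds]), Y_t being the post-S value of round t."""
    L, R, ys = list(x[:8]), list(x[8:]), []
    for t in range(rounds):
        y = [SBOX[a ^ k] for a, k in zip(L, keys[t])]  # Y_t = S(L_{t-1} xor K_t)
        L, R = xor_bytes(R, p_layer(y)), L             # L_t = R_{t-1} xor W_t, R_t = L_{t-1}
        ys.append(y)
    return L, R, ys

def check_eq12(x: Bytes, keys: Sequence[Bytes]) -> bool:
    """Eq. (12): P^{-1}(X_L xor Z_R) = Y_2 xor Y_4 xor Y_6 after 7 rounds."""
    _, zr, ys = feistel(x, keys, 7)
    return p_inv(xor_bytes(x[:8], zr)) == reduce(xor_bytes, (ys[1], ys[3], ys[5]))

def check_eq14(x: Bytes, keys: Sequence[Bytes]) -> bool:
    """Eq. (14): P^{-1}(X_R xor Z_R) = Y_1 xor Y_3 xor Y_5 xor Y_7 after 8 rounds."""
    _, zr, ys = feistel(x, keys, 8)
    return p_inv(xor_bytes(x[8:], zr)) == reduce(xor_bytes, (ys[0], ys[2], ys[4], ys[6]))

def constant_output_bytes(varying: Set[int]) -> Set[int]:
    """P-output positions (1-based) unaffected when only the given S-output
    positions vary: {4, 6, 7} for {1} (L_{2,4}, L_{2,6}, L_{2,7} in Appendix B)
    and {7} for {1, 2} (L_{5,7} = b_7 in Appendix A)."""
    return {i + 1 for i, r in enumerate(P_ROWS) if not varying & set(r)}

def first_byte_difference(delta: int) -> Bytes:
    """P^{-1} of a difference confined to byte 1, as at the end of Appendix B."""
    return p_inv([delta, 0, 0, 0, 0, 0, 0, 0])

# Constructed sample plaintext and round keys (not Camellia's key schedule).
SAMPLE_X = [(0x1F * i + 3) & 0xFF for i in range(16)]
SAMPLE_KEYS = [[(17 * t + 29 * j + 5) & 0xFF for j in range(8)] for t in range(8)]
```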
