Jiazhe Chen,Keting Jia,Hongbo Yu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-22497-3_2

2011-01-01

Abstract:Camellia, which is a block cipher selected as a standard by ISO/IEC, is one of the most widely used block ciphers. In this paper, we propose several 6-round impossible differentials of Camellia with FL/FL-1 layers in the middle of them. With the impossible differentials and a well-organized precomputed table, impossible differential attacks on 10-round Camellia-192 and 11-round Camellia-256 are given, and the time complexities are 2(175.3) and 2(206.8) respectively. In addition, an impossible differential attack on 15-round Camellia-256 without FL/FL-1 layers and whitening is also be given, which needs about 2(236.1) encryptions. To the best of our knowledge, these are the best cryptanalytic results of Camellia-192/-256 with FL/FL-1 layers and Camellia-256 without FL/FL-1 layers to date.

Ya Liu,Dawu Gu,Zhiqiang Liu,Wei Li

DOI: https://doi.org/10.1016/j.jss.2012.05.051

2012-01-01

Abstract:As an international standard adopted by ISO/IEC, the block cipher Camellia has been used in various cryptographic applications. In this paper, we reevaluate the security of Camellia against impossible differential cryptanalysis. Specifically, we propose several 7-round impossible differentials with the FL/FL-1 layer. Based on one of them, we mount impossible differential attacks on 11-round Camellia-192 and 12-round Camellia-256. The data complexities of our attacks on 11-round Camellia-192 and 12-round Camellia-256 are about 2(120) chosen plaintexts and 2(119.8) chosen plaintexts, respectively. The corresponding time complexities are approximately 2(167.1) 11-round encryptions and 2(220.87) 12-round encryptions. As far as we know, our attacks are 2(16.9) times and 2(19.13) times faster than the previously best known ones but have slightly more data. (c) 2012 Elsevier Inc. All rights reserved.

Leibo Li,Jiazhe Chen,Keting Jia

DOI: https://doi.org/10.1007/978-3-642-25513-7_4

2011-01-01

Abstract:Camellia is one of the widely used block ciphers, which has been selected as an international standard by ISO/IEC. In this paper, by exploiting some interesting properties of the key-dependent layer, we improve previous results on impossible differential cryptanalysis of reduced-round Camellia and gain some new observations. First, we introduce some new 7-round impossible differentials of Camellia for weak keys. These weak keys that work for the impossible differential take 3/4 of the whole key space, therefore, we further get rid of the weak-key assumption and leverage the attacks on reduced-round Camellia to all keys by utilizing the multiplied method. Second, we build a set of differentials which contains at least one 8-round impossible differential of Camellia with two FL/FL−1 layers. Following this new result, we show that the key-dependent transformations inserted in Camellia cannot resist impossible differential cryptanalysis effectively. Based on this set of differentials, we present a new cryptanalytic strategy to mount impossible differential attacks on reduced-round Camellia.

Keting Jia,Ning Wang

DOI: https://doi.org/10.1007/978-3-319-40367-0_23

2016-01-01

Abstract:As an international standard by ISO/IEC, Camellia is a widely used block cipher, which has received much attention from cryptanalysts. The impossible differential attack is one of efficient methods to analyze Camellia. Liu et al. gave an 8-round impossible differential, of which the input and output differences depend on some weak keys. In this paper, we apply some key relations to build the precomputation table to reduce time complexity and give some relations between the size of weak key sets and the number of input and output differences of the impossible differentials, which are used to balance the time complexity and the fraction of key space attacked. Furthermore, we give an impossible differential attack on 14-round Camellia-192 with $$2^{126.5}$$ known plaintexts and $$2^{189.32}$$ encryptions. Our impossible differential attack works one more round than previous cryptanalysis results.

Xiaoyang Dong,Leibo Li,Keting Jia,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-319-16715-2_4

2015-01-01

Abstract:Camellia is a widely used block cipher, which has been selected as an international standard by ISO/IEC. In this paper, we consider a new family of differentials of round-reduced Camellia-128 depending on different key subsets. There are totally 224 key subsets corresponding to 224 types of 8-round differentials, which cover a fraction of \(1-1/2^{15}\) of the keyspace. And each type of 8-round differential consists of \(2^{43}\) differentials. Combining with the multiple differential attack techniques, we give the key-dependent multiple differential attack on 10-round Camellia-128 with data complexity \(2^{91}\) and time complexity \(2^{113}\). Furthermore, we propose a 7-round property for Camellia-192 and an 8-round property for Camellia-256, and then mount the meet-in-the-middle attacks on 12-round Camellia-192 and 13-round Camellia-256, with complexity of \(2^{180}\) encryptions and \(2^{232.7}\) encryptions, respectively. All these attacks start from the first round in a single key setting.

Zhiqiang Liu,Bing Sun,Qingju Wang,Kerem Varici,Dawu Gu

DOI: https://doi.org/10.1049/iet-ifs.2014.0614

2015-01-01

IET Information Security

Abstract:Camellia is one of the widely used block ciphers, which has been included in the NESSIE block cipher portfolio and selected as a standard by ISO/IEC. In this study, the authors observe that there exist some interesting properties of the FL/FL −1 functions in Camellia. With this observation they derive some weak keys for the cipher, based on which they present the first known 8-round zero-correlation linear distinguisher of Camellia with FL/FL −1 layers. This result shows that the FL/FL −1 layers inserted in Camellia cannot resist zero-correlation linear cryptanalysis effectively for some weak keys since the currently best zero-correlation linear distinguisher for Camellia without FL/FL −1 layers also covers eight rounds. Moreover, by using the novel distinguisher, they launch key recovery attacks on 13-round Camellia-192 and 14-round Camellia-256. To their knowledge, these results are the best for Camellia-192 and Camellia-256 with FL/FL −1 and whitening layers.

Duo Lei,Li Chao,Keqin Feng

DOI: https://doi.org/10.1007/11693383_4

2005-01-01

Abstract:In this paper, some observations on Camellia are presented, by which the Square attack and the Collision attack are improved. 11-round 256-bit Camellia without FL function is breakable with complexity of 2250 encryptions. 9-round 128-bit Camellia without FL function is breakable with the complexity of 290 encryptions. And 10-round 256-bit Camellia with FL function is breakable with the complexity of 2210 encryptions and 9-round 128-bit Camellia with FL function is breakable with the complexity of 2122 encryptions. These results are better than any other known results. It concludes that the most efficient attack on Camellia is Square attack.

Wei Li,Dawu Cu,Juanru Li,Zhiqiang Liu,Ya Liu

DOI: https://doi.org/10.1016/j.jss.2009.12.019

2010-01-01

Abstract:Camellia is a 128-bit block cipher published by NTT and Mitsubishi in 2000. On the basis of the byte-oriented model and the differential analysis principle, we propose a differential fault attack on the Camellia algorithm. Mathematical analysis and simulating experiments show that our attack can recover its 128-bit, 192-bit or 256-bit secret key by introducing 30 faulty ciphertexts. Thus our result in this study describes that Camellia is vulnerable to differential fault analysis. This work provides a new reference to the fault analysis of other block ciphers.

Yaoling Ding,Xiaoyun Wang,Ning Wang,Wei Wang

DOI: https://doi.org/10.1007/s11432-016-9104-3

2017-01-01

Science China Information Sciences

Abstract:Camellia is an international standard adopted by ISO/IEC and is recommended by CRYPTREC and NESSIE project.Wuet al.[1] presented an effective tool to search truncated impossible differentials for word-oriented block ciphers with bijective Sboxes.However,their method only adopted Sbox as the nonlinear part and cannot be applied to Camellia with FL/FL-1 layers.We discover the difference propagation of three basic components employed in the FL/FL-1 layers,i.e.,AND,OR,ROTATION operations,and generalize the automatic search to consider more nonlinear operations.Using this system,we search for impossible differentials of round-reduced Camellia with FL/FL-1 layers.Moreover,by some changes in the nonlinear subsystem,our algorithm can be easily adjusted to be compatible with searching for impossible differentials which are with restrictions on input/output differences or subkeys.Table 1 summaries our searching results and compares them with the previous results.

Lei Duo,Chao Li,Keqin Feng

DOI: https://doi.org/10.1007/978-3-540-77048-0_21

2007-01-01

Abstract:In this paper, a square like attack on Camellia is presented, by which 9-round 128-bit key Camellia without FL/FL-1 functions layer and whitening is breakable with complexity of 2(86.9) encryptions and 2(66) data and 12-round 256-bit key Camellia without FL/FL-1 function layer and whitening is breakable with the complexity of 2(250.8) encryptions and 2(66) data. And we can also apply such method to block cipher having XORing sBoxes in diffusion layer.

Leibo Li,Keting Jia,Xiaoyun Wang,Xiaoyang Dong

DOI: https://doi.org/10.1007/978-3-662-48116-5_3

2015-01-01

Abstract:As one of the generalizations of differential cryptanalysis, the truncated differential cryptanalysis has become a powerful toolkit to evaluate the security of block ciphers. In this article, taking advantage of the meet-in-the-middle like technique, we introduce a new method to construct truncated differential characteristics of block ciphers. Based on the method, we propose 10-round and 8-round truncated differential characteristics for CLEFIA and Camellia, respectively, which are ISO standard block ciphers. Applying the 10-round truncated differential characteristic for CLEFIA, we launch attacks on 14/14/15-round CLEFIA-128/192/256 with 2(108), 2(135) and 2(203) encryptions, respectively. For Camellia, we utilize the 8-round truncated differential to attack 11/12-round Camellia-128/192 including the FL/FL-1 and whiten layers with 2(121.3) and 2(185.3) encryptions. As far as we know, most of the cases are the best results of these attacks on both ciphers.

王薇,王小云

DOI: https://doi.org/10.3724/SP.J.1001.2009.00576

2009-01-01

Journal of Software

Abstract:An improved impossible differential attack on the block cipher CLEFIA is presented.CLEFIA was proposed by Sony Corporation at FSE 2007.Combining some observations with new tricks,the wrong keys are filtered out more efficiently,and the original impossible differential attack on 11-round CLEFIA-192/256 published by the designers,is extended to CLEFIA-128/192/256,with about 2103.1 encryptions and 2103.1 chosen plaintexts.By putting more constraint conditions on plaintext pairs,we present an attack on 12-round CLEFIA for all three key lengths with 2119.1 encryptions and 2119.1 chosen plaintexts.Moreover,a birthday sieve method is introduced to decrease the complexity of the precomputation.And an error about the time complexity evaluation in Tsunoo et al.'s attack on 12-round CLEFIA is pointed out and corrected.

Wei Wang,Xiaoyun Wang

2007-01-01

Abstract:This paper presents an improved impossible differential attack on the new block cipher CLEFIA which is proposed by Sony Corporation at FSE 2007. Combining some observations with new tricks, we can filter out the wrong keys more efficiently, and improve the impossible differential attack on 11-round CLEFIA-192/256, which also firstly works for CLEFIA-128. The complexity is about 2 encryptions and 2 chosen plaintexts. By putting more constraint conditions on plaintext pairs, we give the first attack on 12-round CLEFIA for all three key lengths with 2 encryptions and 2 chosen plaintexts. For CLEFIA-192/256, our attack is applicable to 13-round variant, of which the time complexity is about 2, and the data complexity is 2. We also extend our attack to 14-round CLEFIA-256, with about 2 encryptions and 2 chosen plaintexts. Moreover, a birthday sieve method is introduced to decrease the complexity of the core precomputation.

Keting Jia,Leibo Li

DOI: https://doi.org/10.1007/978-3-642-35416-8_2

2012-01-01

Abstract:MISTY1 is a Feistel block cipher with a 64-bit block and a 128-bit key. It is one of the final NESSIE portfolio of block ciphers, and has been recommended for Japanese e-Government ciphers by the CRYPTREC project. In this paper, we improve the impossible differential attack on 6-round MISTY1 with 4 FL layers introduced by Dunkelman et al. with a factor of 211 for the time complexity. Furthermore, combing with the FL function properties and the key schedule algorithm, we propose an impossible differential attack on 7-round MISTY1 with 3 FL layers, which needs 258 known plaintexts and 2124.4 7-round encryptions. It is the first attack on 7-round MISTY1 in the known plaintext model to the best of our knowledge. Besides, we show an improved impossible differential attack on 7-round MISTY1 without FL layers with 292.2 7-round encryptions and 255 chosen plaintexts, which has lower time complexity than previous attacks.

Xuexin Zheng,Keting Jia

DOI: https://doi.org/10.1007/978-3-319-12160-4_8

2014-01-01

Abstract:TWINE, proposed at the ECRYPT Workshop on Lightweight Cryptography in 2011, is a 64-bit lightweight block cipher consisting of 36 rounds with 80-bit or 128-bit keys. In this paper, we give impossible differential attacks on both versions of the cipher, which is an improvement over what the designers claimed to be the best possible. Although our results are not the best considering different cryptanalysis methods, our algorithm which can filter wrong subkeys that have more than 80 bits and 128 bits for TWINE-80 and TWINE-128 respectively shows some novelty. Besides, some observations which may be used to mount other types of attacks are given. Overall, making use of some complicated subkey relations and time-memory tradeoff trick, the time, data and memory complexity of attacking 23-round TWINE-80 are 2(79.09) 23-round encryptions, 2(57.85) chosen plaintexts and 2(78.04) blocks respectively. Besides, the impossible differential attack on 24-round TWINE-128 needs 2(58.1) chosen plaintexts, 2(126.78) 24-round encryptions and 2(125.61) blocks of memory.

Qingju Wang,Dawu Gu,Vincent Rijmen,Ya Liu,Jiazhe Chen,Andrey Bogdanov

DOI: https://doi.org/10.1007/978-3-642-37682-5_10

2012-01-01

Abstract:In this paper, we present more powerful 6-round impossible differentials for large-block Rijndael-224 and Rijndael-256 than the ones used by Zhang et al. in ISC 2008. Using those, we can improve the previous impossible differential cryptanalysis of both 9-round Rijndael-224 and Rijndael-256. The improvement can lead to 10-round attack on Rijndael-256 as well. With 2198.1 chosen plaintexts, an attack is demonstrated on 9-round Rijndael-224 with 2195.2 encryptions and 2140.4 bytes memory. Increasing the data complexity to 2216 plaintexts, the time complexity can be reduced to 2130 encryptions and the memory requirements to 293.6 bytes. For 9-round Rijndael-256, we provide an attack requiring 2229.3 chosen plaintexts, 2194 encryptions, and 2139.6 bytes memory. Alternatively, with 2245.3 plaintexts, an attack with a reduced time of 2127.1 encryptions and a memory complexity of 290.9 bytes can be mounted. With 2244.2 chosen plaintexts, we can attack 10-round Rijndael-256 with 2253.9 encryptions and 2186.8 bytes of memory.

Keting Jia,Leibo Li,Christian Rechberger,Jiazhe Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-642-35999-6_15

2012-01-01

Abstract:KASUMI is a block cipher which consists of eight Feistel rounds with a 128-bit key. Proposed more than 10 years ago, the confidentiality and integrity of 3G mobile communications systems depend on the security of KASUMI. In the practically interesting single key setting, only up to 6 rounds have been attacked so far. In this paper we use some observations on the FL and FO functions. Combining these observations with a key schedule weakness, we select some special input and output values to refine the general 5-round impossible differentials and propose the first 7-round attack on KASUMI with time and data complexities similar to the previously best 6-round attacks. This leaves now only a single round of security margin. The new impossible differential attack on the last 7 rounds needs 2114.3 encryptions with 252.5 chosen plaintexts. For the attack on the first 7 rounds, the data complexity is 262 known plaintexts and the time complexity is 2115.8 encryptions.

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Asli Bay,Jorge Nakahara,Serge Vaudenay

DOI: https://doi.org/10.1007/978-3-642-17619-7_1

2010-01-01

Abstract:This paper presents the first independent and systematic linear, differential and impossible-differential (ID) cryptanalyses of MIBS, a lightweight block cipher aimed at constrained devices such as RFID tags and sensor networks. Our contributions include linear attacks on up to 18-round MIBS, and the first ciphertext-only attacks on 13-round MIBS. Our differential analysis reaches 14 rounds, and our impossible-differential attack reaches 12 rounds. These attacks do not threaten the full 32-round MIBS, but significantly reduce its margin of security by more than 50%. One fact that attracted our attention is the striking similarity of the round function of MIBS with that of the Camellia block cipher. We actually used this fact in our ID attacks. We hope further similarities will help build better attacks for Camellia as well.