The Higher-Order Meet-in-the-Middle Attack and Its Application to the Camellia Block Cipher (Extended Abstract)

The meet-in-the-middle (MitM) attack is a technique for analysing the security of a block cipher. In this paper, we propose an extension of the MitM attack, which we call the higher-order meet-in-the-middle (HO-MitM) attack; the core idea of the HO-MitM attack is to use multiple plaintexts to cancel some key-dependent component(s) or parameter(s) when constructing a basic unit of "value-in-the-middle". We introduce a novel approach, which combines integral cryptanalysis with the MitM attack, to construct HO-MitM attacks on 10-round Camellia under 128 key bits, 11-round Camellia under 192 key bits and 12-round Camellia under 256 key bits, all of which include FL/FL⁻¹ functions. Finally, we apply an existing approach to construct HO-MitM attacks on 14-round Camellia without FL/FL⁻¹ functions under 192 key bits and 16-round Camellia without FL/FL⁻¹ functions under 256 key bits.
