Zero-Correlation Linear Cryptanalysis with FFT and Improved Attacks on ISO Standards Camellia and CLEFIA

Zero-correlation linear cryptanalysis is based on the linear approximations with correlation exactly zero, which essentially generalizes the integral property, and has already been applied to several block ciphers -- among others, yielding best known attacks to date on round-reduced TEA and CAST-256 as published in FSE'12 and ASIACRYPT'12, respectively. In this paper, we use the FFT Fast Fourier Transform technique to speed up the zero-correlation cryptanalysis. First, this allows us to improve upon the state-of-the-art cryptanalysis for the ISO/IEC standard and CRYPTREC-portfolio cipher Camellia. Namely, we present zero-correlation attacks on 11-round Camellia-128 and 12-round Camellia-192 with $$FL/FL^{-1}$$ and whitening key starting from the first round, which is an improvement in the number of attacked rounds in both cases. Moreover, we provide multidimensional zero-correlation cryptanalysis of 14-round CLEFIA-192 and 15-round CLEFIA-256 that are attacks on the highest numbers of rounds in the classical single-key setting, respectively, with improvements in memory complexity.

[1]  Yukiyasu Tsunoo,et al.  Impossible Differential Cryptanalysis of CLEFIA , 2008, FSE.

[2]  Wenling Wu,et al.  Improved Impossible Differential Cryptanalysis of Reduced-Round Camellia , 2009, Selected Areas in Cryptography.

[3]  Wang Xiao-yun Saturation cryptanalysis of CLEFIA , 2008 .

[4]  Masanobu Katagi,et al.  The 128-Bit Blockcipher CLEFIA , 2007, RFC.

[5]  Jing Han,et al.  Impossible Differential Analysis of Reduced Round CLEFIA , 2008, Inscrypt.

[6]  Yanjun Li,et al.  Improved Integral Attacks on Reduced-Round CLEFIA Block Cipher , 2011, WISA.

[7]  Kyoji Shibutani,et al.  The 128-Bit Blockcipher CLEFIA (Extended Abstract) , 2007, FSE.

[8]  T. Suzaki,et al.  Cryptanalysis of CLEFIA using multiple impossible differentials , 2008, 2008 International Symposium on Information Theory and Its Applications.

[9]  Keting Jia,et al.  New Impossible Differential Attacks of Reduced-Round Camellia-192 and Camellia-256 , 2011, ACISP.

[10]  Dawu Gu,et al.  New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia , 2012, FSE.

[11]  Mitsuru Matsui,et al.  Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Design and Analysis , 2000, Selected Areas in Cryptography.

[12]  Andrey Bogdanov,et al.  Zero Correlation Linear Cryptanalysis with Reduced Data Complexity , 2012, FSE.

[13]  Mohammad Dakhilalian,et al.  New Results on Impossible Differential Cryptanalysis of Reduced-Round Camellia-128 , 2009, Selected Areas in Cryptography.

[14]  Mitsuru Matsui,et al.  Linear Cryptanalysis Method for DES Cipher , 1994, EUROCRYPT.

[15]  Keting Jia,et al.  New Impossible Differential Cryptanalysis of Reduced-Round Camellia , 2011, CANS.

[16]  Cihangir Tezcan The Improbable Differential Attack: Cryptanalysis of Reduced Round CLEFIA , 2010, INDOCRYPT.

[17]  Zhiqiang Liu,et al.  Improved results on impossible differential cryptanalysis of reduced-round Camellia-192/256 , 2011, J. Syst. Softw..

[18]  Jean-Jacques Quisquater,et al.  Improving the Time Complexity of Matsui's Linear Cryptanalysis , 2007, ICISC.

[19]  Vincent Rijmen,et al.  Linear hulls with correlation zero and linear cryptanalysis of block ciphers , 2014, Des. Codes Cryptogr..

[20]  Andrey Bogdanov,et al.  Integral and Multidimensional Linear Distinguishers with Correlation Zero , 2012, ASIACRYPT.