Abstract
We discuss the security of the block cipher Camellia against differential and linear attacks. The security of Camellia against these attacks has been evaluated by upper bounds on the maximum differential characteristic probability (MDCP) and maximum linear characteristic probability (MLCP), calculated from the least numbers of active S-boxes found by a search method [2]. However, we found that some truncated differential paths generated by the method have wrong properties. We show a new evaluation method for truncated differential and linear paths that discards such wrong paths by using systems of linear equations and sets of nonzero conditions. By applying this technique to Camellia, we found tighter upper bounds of MDCP and MLCP for reduced-round Camellia. As a result, 10-round Camellia without $FL/FL^{-1}$ has no differential or linear characteristic with probability higher than $2^{-128}$.
References
K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima and T. Tokita, “Specification of Camellia - a 128-bit Block Cipher,” submitted to the First Open NESSIE Workshop, 13–14 November 2000, Leuven, Belgium. Available at http://cryptonessie.org.
K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima and T. Tokita, “Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Design and Analysis,” Selected Areas in Cryptography, SAC 2000, LNCS 2012, pp. 39–56, 2000.
E. Biham and A. Shamir, “Differential Cryptanalysis of DES-like Cryptosystems,” CRYPTO '90, LNCS 537, pp. 2–21, 1991.
Y. He and S. Qing, “Square Attack on Reduced Camellia Cipher,” Information and Communications Security, ICICS 2001, LNCS 2229, pp. 238–245, 2001.
M. Kanda and T. Matsumoto, “Security of Camellia against Truncated Differential Cryptanalysis,” Fast Software Encryption, FSE 2001, to appear.
M. Kanda, S. Moriai, K. Aoki, H. Ueda, Y. Takashima, K. Ohta and T. Matsumoto, “E2 - A New 128-Bit Block Cipher,” IEICE Transactions Fundamentals of Electronics, Communications and Computer Sciences, Vol. E83-A, No. 1, pp. 48–59, 2000.
T. Kawabata and T. Kaneko, “A study on higher order differential attack of Camellia,” In Proceedings of the 2nd NESSIE workshop, 2001.
L.R. Knudsen, “Truncated and Higher Order Differentials,” Fast Software Encryption - Second International Workshop, LNCS 1008, pp. 196–211, 1995.
M. Matsui, “Differential Path Search of the Block Cipher E2,” Technical Report ISEC99-19, IEICE, 1999. (Written in Japanese.)
M. Matsui and T. Tokita, “Cryptanalysis of Reduced Version of the Block Cipher E2,” Fast Software Encryption, FSE '99, LNCS 1636, 1999.
M. Matsui, “Linear Cryptanalysis of the Data Encryption Standard,” EUROCRYPT '93, LNCS 765, pp. 386–397, 1994.
S. Moriai, M. Sugita, K. Aoki and M. Kanda, “Security of E2 against Truncated Differential Cryptanalysis,” Selected Areas in Cryptography, SAC '99, LNCS 1758, pp. 106–117, 2000.
M. Sugita, K. Kobara and H. Imai, “Security of Reduced Version of the Block Cipher Camellia against Truncated and Impossible Differential Cryptanalysis,” ASIACRYPT 2001, LNCS 2248, pp. 193–207.
New European Schemes for Signatures, Integrity, and Encryption, http://www.cryptonessie.org
CRYPTREC project, http://www.ipa.go.jp/security/enc/CRYPTREC/.
Copyright information
© 2002 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Shirai, T., Kanamaru, S., Abe, G. (2002). Improved Upper Bounds of Differential and Linear Characteristic Probability for Camellia. In: Daemen, J., Rijmen, V. (eds) Fast Software Encryption. FSE 2002. Lecture Notes in Computer Science, vol 2365. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45661-9_10
DOI: https://doi.org/10.1007/3-540-45661-9_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44009-3
Online ISBN: 978-3-540-45661-2
eBook Packages: Springer Book Archive