Impossible differential cryptanalysis of reduced-round Camellia-256

Abstract

Camellia, a 128-bit block cipher that has been accepted by ISO/IEC as an international standard, is increasingly being used in many cryptographic applications. In this study, the authors present a new impossible differential attack on a reduced version of Camellia-256 without FL/FL-1 functions and whitening. First, the authors introduce a new extension of the hash table technique and then exploit it to attack 16 rounds of Camellia-256. When, in an impossible differential attack, the size of the target subkey space is large and the filtration, in the initial steps of the attack, is performed slowly, the extended hash table technique will be very useful. The proposed attack on Camellia-256 requires 2124.1 known plaintexts and has a running time equivalent to about 2249.3 encryptions. In terms of the number of attacked rounds, our result is the best published attack on Camellia-256. © 2011 The Institution of Engineering and Technology.