
International Workshop on Cloud Computing and Information Security (CCIS 2013)

Integral Attacks on Feistel-SP Structure Block Cipher

Yanjun Li
The Department of Information Security, Beijing Electronic Science and Technology Institute, Beijing, P.R. China

Wenling Wu, Lei Zhang, and Liting Zhang
State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing, P.R. China

© 2013. The authors - Published by Atlantis Press

Abstract-In this paper, a method is presented to extend the length of integral distinguisher of Feistel-SP structure, based on which a new 8-round distinguisher for the block cipher Camellia is proposed. Moreover, integral attacks on round-reduced Camellia without FL/FL$^{-1}$ are improved. We attack 11-round Camellia-128 with the data complexity of $2^{120}$ and the time complexity of $2^{125.5}$, and attack 12-round Camellia-256 with the data complexity of $2^{120}$ and the time complexity of $2^{214.3}$. These attacks are the best integral attacks on round-reduced Camellia so far.

Keywords-block cipher, distinguisher, integral attack, camellia, partial sum technique

I. INTRODUCTION

The block cipher Camellia was proposed by NTT and Mitsubishi in 2000 [1]. It is based on a Feistel structure with an SP-type F function and FL/FL$^{-1}$ function layers, and it supports a block length of 128 bits and a variable key length of 128/192/256 bits. Camellia was accepted by ISO/IEC as an international standard [6]. It is also a winner of NESSIE, CRYPTREC project and IETF. The security of Camellia was initially analyzed by the algorithm designers. Efficient attacks on Camellia include linear cryptanalysis [14], differential cryptanalysis [13, 14], impossible differential cryptanalysis [15, 17], truncated differential cryptanalysis [7, 9, 15], higher order differential cryptanalysis [5], collision attack [16] and Square attack [3, 19, 20]. The best attacks on Camellia without the FL/FL$^{-1}$ function layer were impossible differential cryptanalysis [18], which can attack 12-round Camellia-128 and 16-round Camellia-256 without FL/FL$^{-1}$.

Integral attack was extended from Square attack, which is one of the best attacks on AES [2]. Ferguson et al. in [4] improved this attack to an 8-round version of Rijndael-128 with the partial sum technique and the herd technique. Knudsen and Wagner first proposed the definition of integral and analyzed it as a dual to differential attacks particularly applicable to block ciphers with bijective components [8]. Several years later, Reza Z'aba et al. presented the bit pattern based integral attack [12]. The integral attack has been applied to many kinds of block ciphers so far, such as Rijndael [11], ARIA [10], and Serpent [12]. Higher order differential attack and Square attack are different from integral attack. However, the length of their distinguisher can be extended by using the integral property. In this paper a method is presented to extend the length of Camellia's distinguisher, based on which the effect of integral attack will be improved. Moreover, this method can also be used on any Feistel-SP structure. Then a new 8-round distinguisher of Camellia without FL/FL$^{-1}$ is proposed. Finally, we attack 11-round Camellia-128 with the data complexity of $2^{120}$ and the time complexity of $2^{125.5}$, and 12-round Camellia-256 with the data complexity of $2^{120}$ and the time complexity of $2^{214.3}$. The result is the best integral attack on round-reduced Camellia so far.

This paper is organized as follows: Section II provides a brief description of preliminaries. Section III describes a method to extend the length of the distinguisher. Section IV describes the attacks on 11/12-round Camellia. Finally, Section V concludes this paper.

II. PRELIMINARIES

A. Description of Camellia

Camellia is a Feistel-SP style block cipher with FL/FL$^{-1}$ layers, and the number of rounds is 18/24/24 corresponding to key lengths of 128/192/256 bits. Additionally, the FL/FL$^{-1}$ function is inserted every 6 rounds (Fig. 1). The round keys are derived from the master key by means of key scheduling. The key schedule constants are listed in Table 1. In this paper the input and output of the round function are treated as two 8-byte vectors over $\mathbb{F}_{2^8}^{8}$.

Fig. 1. The Structure of Camellia-128

The round function of Camellia includes three basic operations: Round Key Addition, Substitution Layer and Diffusion Layer (Fig. 2). These three basic operations are defined as follows:

Round Key Addition (RKA): The 64-bit round key is XORed to the state.

Substitution Layer (SL): A non-linear byte substitution operation is applied to each byte of the state independently. In Camellia this is implemented by 4 S-boxes with the relationship as follows.

$$s_2(a) = s_1(a) \lll 1; \qquad s_3(a) = s_1(a) \ggg 1; \qquad s_4(a) = s_1(a \lll 1).$$

Diffusion Layer (DL): The diffusion layer is a function $P: \mathbb{F}_{2^8}^{8} \rightarrow \mathbb{F}_{2^8}^{8}$, which is given by

$$\begin{aligned}
m_1 &= x_1 \oplus x_3 \oplus x_4 \oplus x_6 \oplus x_7 \oplus x_8 \\
m_2 &= x_1 \oplus x_2 \oplus x_4 \oplus x_5 \oplus x_7 \oplus x_8 \\
m_3 &= x_1 \oplus x_2 \oplus x_3 \oplus x_5 \oplus x_6 \oplus x_8 \\
m_4 &= x_2 \oplus x_3 \oplus x_4 \oplus x_5 \oplus x_6 \oplus x_7 \\
m_5 &= x_1 \oplus x_2 \oplus x_6 \oplus x_7 \oplus x_8 \\
m_6 &= x_2 \oplus x_3 \oplus x_5 \oplus x_7 \oplus x_8 \\
m_7 &= x_3 \oplus x_4 \oplus x_5 \oplus x_6 \oplus x_8 \\
m_8 &= x_1 \oplus x_4 \oplus x_5 \oplus x_6 \oplus x_7
\end{aligned}$$

Fig. 2. The Round Function of Camellia

B. Notations

In the following, we introduce some notations used in this paper. The plaintext is denoted as $(X_1, X_0)$, where $X_i = (x_{i,1}, x_{i,2}, \ldots, x_{i,8})$, $i = 0, \ldots, r+1$. Other notations that will be used in this paper are described as follows:

$B_r$: the output of RKA in the $r$-th round.
$O_r$: the output of SL in the $r$-th round.
$M_r$: the output of DL in the $r$-th round.
$K_r$: the subkey of the $r$-th round.
$b_{r,i}$: the i 1-th byte of $B_r$.
$o_{r,i}$: the i 1-th byte of $O_r$.
$m_{r,i}$: the i 1-th byte of $M_r$.
$k_{r,i}$: the i 1-th byte of $K_r$.
${}_i$: the active bytes.

C. Higher Order Integral Attack and the Partial Sum Technique

Higher Order Integral Attack. The integral attack has many interesting features. It can saturate the S-Box Layer, and the Round Key Addition Layer will not affect this property of saturation. However, the linear transformation influences the length of the integral distinguisher. Integral attack considers a particular collection of $m$ bytes in the plaintexts and ciphertexts. In [8], Knudsen and Wagner also generalized this approach to higher order integrals: the original set to consider becomes a set of $m^d$ vectors which differ in $d$ components, where the sum of this set is predictable after a certain number of rounds. The sum of this set is called a $d$th-order integral. In this paper we not only pay attention to the sum, but also to the appearing times of the sum value.

The Partial Sum Technique. In our attack we will use the partial sum technique. For a value $c_0, c_1, c_2, \ldots, c_l$, we define

$$x_u := \bigoplus_{j=0}^{u} S_j[c_j \oplus k_j].$$

Guessing the values of $k_0$ and $k_1$, we will complete the transformation

$$(c_0, c_1, c_2, \ldots, c_l) \rightarrow (x_1, c_2, \ldots, c_l).$$

Guessing the values of $k_i$, we will complete the transformation

$$(x_{i-1}, c_i, c_{i+1}, \ldots, c_l) \rightarrow (x_i, c_{i+1}, \ldots, c_l).$$

In order to obtain the value of $x_l$, $l-1$ steps of processing are required. If the $c_i$ are in byte pattern, the time complexity of the count of $x_l$ is $2^{8l} \times 2^{16} \times (l-1)$ times S-box lookups. For the details of the complexities of each step, the readers can refer to [4].

III. INTEGRAL DISTINGUISHERS BASED ON FEISTEL-SP STRUCTURE

In this section we first explain how to construct a 2nd-order 5-round integral distinguisher (Sec. 2.1), then introduce a method to extend the length of integral distinguishers, and the proof is also given in detail (Sec. 2.2).

A. The 2nd-Order 5-Round Integral Distinguisher

The idea of constructing a 2nd-order 5-round integral distinguisher is like that of constructing 5-round higher order differential distinguishers in [5].

Lemma 1 [5]. Let the bytes $x_{0,1}, x_{0,2}$ be active, and the other bytes of $X_0, X_1$ be constants; then each value of $t$ appears an even number of times, where

$$t = s_3(x_{6,6} \oplus k_{6,6}) \oplus [P^{-1}(X_7)]_6.$$

B. A Method to Extend the Length of Integral Distinguisher

In the structure of Feistel-SP, the XOR operation and the permutation $P$ are linear transformations (Fig. 3), which can influence the general integral property and also can be used to extend the integral distinguisher. Let some bytes of $X_0$ be active, and the bytes of $X_1$ be constant, and then the input of a known $t$-round integral distinguisher is $(X_1, X_0)$. Now we extend it backward by one round using the following formula:

$$X_{-1} = F(X_0) \oplus X_1 = P(S(K \oplus X_0)) \oplus X_1$$

denoted as $x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8, x_9$, and all constants be denoted as 0.
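The partial sum technique of Section II.C, as an added example that is not code from the paper. It assumes 4-bit words instead of bytes so that every key guess can be enumerated, and the S-boxes, the data and the names `make_instance`, `naive` and `partial_sum` are constructed here.

```python
import random
from collections import Counter

W = 4            # word size in bits: toy size chosen here; the paper works on bytes
N = 1 << W

def make_instance(seed=4, words=3, samples=800):
    """Constructed data: random bijective S-boxes S_0..S_l and random tuples (c_0..c_l)."""
    rng = random.Random(seed)
    sboxes = [rng.sample(range(N), N) for _ in range(words)]
    data = [tuple(rng.randrange(N) for _ in range(words)) for _ in range(samples)]
    return data, sboxes

def odd(counter):
    """Keep only the items seen an odd number of times (even counts cancel under XOR)."""
    return frozenset(v for v, n in counter.items() if n & 1)

def naive(data, sboxes, key):
    """Values of x_l that occur an odd number of times under one full key guess."""
    cnt = Counter()
    for c in data:
        x = 0
        for s, cj, kj in zip(sboxes, c, key):
            x ^= s[cj ^ kj]
        cnt[x] += 1
    return odd(cnt)

def partial_sum(data, sboxes):
    """Same answer for every key guess, folding one word into x per guessed k_i."""
    # state: guessed key prefix -> odd-parity tuples (x_{i-1}, c_i, ..., c_l); x_{-1} = 0
    states = {(): odd(Counter((0,) + c for c in data))}
    for s in sboxes:
        nxt = {}
        for prefix, tuples in states.items():
            for k in range(N):
                # (x_{i-1}, c_i, c_{i+1}, ...) -> (x_i, c_{i+1}, ...)
                folded = Counter((t[0] ^ s[t[1] ^ k],) + t[2:] for t in tuples)
                nxt[prefix + (k,)] = odd(folded)
        states = nxt
    return {key: frozenset(t[0] for t in tuples) for key, tuples in states.items()}
```

The first two folds together correspond to the step in which $k_0$ and $k_1$ are guessed; after them at most $2^{2W}$ tuples $(x_1, c_2)$ remain however many inputs were collected, which is where the saving over `naive` comes from.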
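How saturation passes through RKA and SL but is reshaped by the linear layer $P$ in a Feistel-SP round, as an added example that is not the authors' code. It tracks the first-order case (only $x_{0,1}$ active) rather than the 2nd-order setting of Lemma 1, and it assumes a seeded random bijection as a stand-in for $s_1$ with random round keys; all function names are introduced here.

```python
import random
from functools import reduce
from operator import xor

# Rows of the diffusion layer P from Section II.A (1-based indices of x).
P_ROWS = [(1, 3, 4, 6, 7, 8), (1, 2, 4, 5, 7, 8), (1, 2, 3, 5, 6, 8),
          (2, 3, 4, 5, 6, 7), (1, 2, 6, 7, 8), (2, 3, 5, 7, 8),
          (3, 4, 5, 6, 8), (1, 4, 5, 6, 7)]

def rol(a): return ((a << 1) | (a >> 7)) & 0xFF
def ror(a): return ((a >> 1) | (a << 7)) & 0xFF

def make_sboxes(rng):
    """Stand-in s1 (a random bijection, NOT Camellia's table); s2, s3, s4 are
    derived from it with the rotation relations given in Section II.A."""
    s1 = list(range(256))
    rng.shuffle(s1)
    s2 = [rol(v) for v in s1]
    s3 = [ror(v) for v in s1]
    s4 = [s1[rol(a)] for a in range(256)]
    return [s1, s2, s3, s4, s2, s3, s4, s1]      # S-box applied to bytes 1..8

def F(x, k, sboxes):
    o = [sboxes[i][x[i] ^ k[i]] for i in range(8)]                    # RKA, then SL
    return [reduce(xor, (o[j - 1] for j in row)) for row in P_ROWS]   # DL

def label(values):
    """C = constant, A = active (each value once), B = balanced (XOR sum is 0)."""
    if len(set(values)) == 1: return "C"
    if len(set(values)) == len(values): return "A"
    return "B" if reduce(xor, values) == 0 else "?"

def integral_patterns(rounds=4, seed=2013):
    """Per-byte property of X_0 .. X_{rounds+1} over the 256 chosen plaintexts."""
    rng = random.Random(seed)
    sboxes = make_sboxes(rng)
    keys = [[rng.randrange(256) for _ in range(8)] for _ in range(rounds)]
    c0, c1 = ([rng.randrange(256) for _ in range(8)] for _ in range(2))
    trails = []
    for a in range(256):                 # x_{0,1} active, every other byte constant
        prev, cur = [a] + c0[1:], c1     # plaintext (X_1, X_0)
        trail = [prev, cur]
        for k in keys:                   # X_{i+1} = F(X_i, K_i) xor X_{i-1}
            prev, cur = cur, [f ^ p for f, p in zip(F(cur, k, sboxes), prev)]
            trail.append(cur)
        trails.append(trail)
    return ["".join(label([t[i][j] for t in trails]) for j in range(8))
            for i in range(rounds + 2)]
```

Entry `i` of the returned list describes $X_i$: $X_3$ is active exactly in the bytes whose row of $P$ contains $x_1$, every byte of $X_4$ still XOR-sums to zero, and the next S-box layer is where that guarantee ends.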