Improved zero-correlation linear cryptanalysis of reduced-round Camellia under weak keys

Improved zero-correlation linear cryptanalysis of reduced-round Camellia under weak keys

For access to this article, please select a purchase option:

Buy article PDF
(plus tax if applicable)
Buy Knowledge Pack
10 articles for $120.00
(plus taxes if applicable)

IET members benefit from discounts to all IET publications and free access to E&T Magazine. If you are an IET member, log in to your account and the discounts will automatically be applied.

Learn more about IET membership 

Recommend Title Publication to library

You must fill out fields marked with: *

Librarian details
Your details
Why are you recommending this title?
Select reason:
IET Information Security — Recommend this title to your library

Thank you

Your recommendation has been sent to your librarian.

Camellia is one of the widely used block ciphers, which has been included in the NESSIE block cipher portfolio and selected as a standard by ISO/IEC. In this study, the authors observe that there exist some interesting properties of the FL/FL −1 functions in Camellia. With this observation they derive some weak keys for the cipher, based on which they present the first known 8-round zero-correlation linear distinguisher of Camellia with FL/FL −1 layers. This result shows that the FL/FL −1 layers inserted in Camellia cannot resist zero-correlation linear cryptanalysis effectively for some weak keys since the currently best zero-correlation linear distinguisher for Camellia without FL/FL −1 layers also covers eight rounds. Moreover, by using the novel distinguisher, they launch key recovery attacks on 13-round Camellia-192 and 14-round Camellia-256. To their knowledge, these results are the best for Camellia-192 and Camellia-256 with FL/FL −1 and whitening layers.


    1. 1)
      • 1. Aoki, K., Ichikawa, T., Kanda, M., et al: ‘Camellia: a 128 bit block cipher suitable for multiple platforms – design and analysis’. SAC (LNCS, 2012), pp. 3956.
    2. 2)
      • 2. CRYPTREC. Cryptography Research and Evaluation Committees: report. Archive, 2002. Available at
    3. 3)
      • 3. CRYPTREC. Cryptography Research and Evaluation Committees: report. Archive, 2012. Available at
    4. 4)
      • 4. Preneel, B.: ‘NESSIE project’. Encyclopedia of Cryptography and Security (Springer, USA, 2011, 2nd edn.), pp. 831836.
    5. 5)
      • 5. International Organization of Standardization (ISO): ISO/IEC 18033–3:2005. Information technology – security techniques – encryption algorithms – Part 3: block ciphers (July 2005).
    6. 6)
      • 6. Shirai, T., Kanamaru, S., Abe, G.: ‘Improved upper bounds of differential and linear characteristic probability for camellia’. FSE (LNCS, 2365), pp. 128142.
    7. 7)
      • 7. Lee, S., Hong, S., Lee, S., et al: ‘Truncated differential cryptanalysis of camellia’. ICISC (LNCS, 2288), pp. 3238.
    8. 8)
      • 8. Sugita, M., Kobara, K., Imai, H.: ‘Security of reduced version of the block cipher camellia against truncated and impossible differential cryptanalysis’. ASIACRYPT (LNCS, 2248), pp. 193207.
    9. 9)
      • 9. Lei, D., Li, C., Feng, K.: ‘Square like attack on camellia’. ICICS (LNCS, 4861), pp. 269283.
    10. 10)
      • 10. Lei, D., Li, C., Feng, K.: ‘New observation on camellia’. SAC (LNCS, 3897), pp. 5164.
    11. 11)
    12. 12)
      • 12. Lu, J., Wei, Y., Kim, J., et al: ‘The higher-order meet-in-the-middle attack and its application to the camellia block cipher’. INDOCRYPT (LNCS, 7668), pp. 244264.
    13. 13)
      • 13. Wu, W., Feng, D., Chen, H.: ‘Collision attack and pseudorandomness of reduced-round camellia’. SAC (LNCS, 3357), pp. 252266.
    14. 14)
      • 14. Chen, J., Jia, K., Yu, H., et al: ‘New impossible differential attacks of reduced-round camellia-192 and camellia-256’. ACISP (LNCS, 6812), pp. 1633.
    15. 15)
      • 15. Li, L., Chen, J., Jia, K.: ‘New impossible differential cryptanalysis of reduced-round camellia’. CANS (LNCS, 7092), pp. 2639.
    16. 16)
      • 16. Lu, J., Kim, J., Keller, N., et al: ‘Improving the efficiency of impossible differential cryptanalysis of reduced camellia and MISTY1’. CT-RSA (LNCS, 4964), pp. 370386.
    17. 17)
      • 17. Mala, H., Shakiba, M., Dakhilalian, M., et al: ‘New results on impossible differential cryptanalysis of reduced-round camellia-128’. SAC (LNCS, 5867), pp. 281294.
    18. 18)
      • 18. Liu, Y., Li, L., Gu, D., et al: ‘New observations on impossible differential cryptanalysis of reduced-round camellia’. FSE (LNCS, 7549), pp. 90109.
    19. 19)
    20. 20)
      • 20. Bai, D., Li, L.: ‘New impossible differential attacks on camellia’. ISPEC (LNCS, 7232), pp. 8096.
    21. 21)
      • 21. Bogdanov, A., Geng, H., Wang, M., et al: ‘Zero-correlation linear cryptanalysis with FFT and improved attacks on ISO standards camellia and CLEFIA’. SAC (LNCS, 8282), pp. 306323.
    22. 22)
    23. 23)
      • 23. Bogdanov, A., Leander, G., Nyberg, K., et al: ‘Integral and multidimensional linear distinguishers with correlation zero’. ASIACRYPT (LNCS, 7658), pp. 244261.
    24. 24)
      • 24. Bogdanov, A., Wang, M.: ‘Zero correlation linear cryptanalysis with reduced data complexity’. FSE (LNCS, 7549), pp. 2948.
    25. 25)
    26. 26)
      • 26. Hatano, Y., Sekine, H., Kaneko, T.: ‘Higher order differential attack of camellia (II)’. SAC (LNCS, 2595), pp. 129146.
    27. 27)
      • 27. Collard, B., Standaert, F.-X., Quisquater, J.-J.: ‘Improving the time complexity of matsui's linear cryptanalysis’. ICISC (LNCS, 4817), pp. 7788.
    28. 28)
      • 28. Daemen, J., Govaerts, R., Vandewalle, J.: ‘Correlation matrices’. FSE (LNCS, 1008), pp. 275285.
    29. 29)
      • 29. Matsui, M.: ‘Linear cryptanalysis method for DES cipher’. EUROCRYPT (LNCS, 765), pp. 386397.
    30. 30)
      • 30. Harpes, C., Kramer, G.G., Massey, J.L.: ‘A generalization of linear cryptanalysis and the applicability of matsui's piling-up lemma’. EUROCRYPT (LNCS, 921), pp. 2423.

Related content

This is a required field
Please enter a valid email address