Keting Jia

New impossible differential attacks of reduced-round Camellia-192 and Camellia-256

Camellia, which is a block cipher selected as a standard by ISO/IEC, is one of the most widely used block ciphers. In this paper, we propose several 6-round impossible differentials of Camellia with FL/FL-1 layers in the middle of them. With the impossible differentials and a well-organized precomputed table, impossible differential attacks on 10-round Camellia-192 and 11-round Camellia-256 are given, and the time complexities are 2175.3 and 2206.8 respectively. In addition, an impossible differential attack on 15-round Camellia-256 without FL/FL-1 layers and whitening is also be given, which needs about 2236.1 encryptions. To the best of our knowledge, these are the best cryptanalytic results of Camellia-192/-256 with FL/FL-1 layers and Camellia-256 without FL/FL-1 layers to date.

Improved Single-Key Attacks on 9-Round AES-192/256

This paper focuses on key-recovery attacks on 9-round AES-192 and AES-256 under single-key model with the framework of the meet-in-the-middle attack. A new technique named key-dependent sieve is introduced to further reduce the size of lookup table of the attack, and the 9-round AES-192 is broken with (2^{121}) chosen plaintexts, (2^{187.5}) 9-round encryptions and (2^{185}) 128-bit words of memory. If the attack starts from the third round, the complexities would be further reduced by a factor of 16. Moreover, the whole attack is split up into a series of weak-key attacks. Then the memory complexity of the attack is saved significantly when we execute these weak attacks in streaming mode. This method is also applied to reduce the memory complexity of the attack on 9-round AES-256.

New impossible differential cryptanalysis of reduced-round camellia

Camellia is one of the widely used block ciphers, which has been selected as an international standard by ISO/IEC. This paper introduces a 7-round impossible differential of Camellia including FL /FL −1 layer. Utilizing impossible differential attack, 10-round Camellia-128 is breakable with 2118.5 chosen plaintexts and 2123.5 10 round encryptions. Moreover, 10-round Camellia-192 and 11-round Camellia-256 can also be analyzed, the time complexity are about 2130.4 and 2194.5, respectively. Comparing with known attacks on reduced round Camellia including FL /FL −1 layer, our results are better than all of them.

Meet-in-the-Middle Technique for Truncated Differential and Its Applications to CLEFIA and Camellia

As one of the generalizations of differential cryptanalysis, the truncated differential cryptanalysis has become a powerful toolkit to evaluate the security of block ciphers. In this article, taking advantage of the meet-in-the-middle like technique, we introduce a new method to construct truncated differential characteristics of block ciphers. Based on the method, we propose 10-round and 8-round truncated differential characteristics for CLEFIA and Camellia, respectively, which are ISO standard block ciphers. Applying the 10-round truncated differential characteristic for CLEFIA, we launch attacks on 14/14/15-round CLEFIA-128/192/256 with (2^{108}), (2^{135}) and (2^{203}) encryptions, respectively. For Camellia, we utilize the 8-round truncated differential to attack 11/12-round Camellia-128/192 including the (FL/FL^{-1}) and whiten layers with (2^{121.3}) and (2^{185.3}) encryptions. As far as we know, most of the cases are the best results of these attacks on both ciphers.

Improved Attacks on Reduced-Round Camellia-128/192/256

Camellia is a widely used block cipher, which has been selected as an international standard by ISO/IEC. In this paper, we consider a new family of differentials of round-reduced Camellia-128 depending on different key subsets. There are totally 224 key subsets corresponding to 224 types of 8-round differentials, which cover a fraction of (1-1/2^{15}) of the keyspace. And each type of 8-round differential consists of (2^{43}) differentials. Combining with the multiple differential attack techniques, we give the key-dependent multiple differential attack on 10-round Camellia-128 with data complexity (2^{91}) and time complexity (2^{113}). Furthermore, we propose a 7-round property for Camellia-192 and an 8-round property for Camellia-256, and then mount the meet-in-the-middle attacks on 12-round Camellia-192 and 13-round Camellia-256, with complexity of (2^{180}) encryptions and (2^{232.7}) encryptions, respectively. All these attacks start from the first round in a single key setting.

Improved Cryptanalysis of the Block Cipher KASUMI

KASUMI is a block cipher which consists of eight Feistel rounds with a 128-bit key. Proposed more than 10 years ago, the confidentiality and integrity of 3G mobile communications systems depend on the security of KASUMI. In the practically interesting single key setting, only up to 6 rounds have been attacked so far. In this paper we use some observations on the FL and FO functions. Combining these observations with a key schedule weakness, we select some special input and output values to refine the general 5-round impossible differentials and propose the first 7-round attack on KASUMI with time and data complexities similar to the previously best 6-round attacks. This leaves now only a single round of security margin.

Differential Fault Attack on KASUMI Cipher Used in GSM Telephony

The confidentiality of GSM cellular telephony depends on the security of A5 family of cryptosystems. As an algorithm in this family survived from cryptanalysis, A5/3 is based on the block cipher KASUMI. This paper describes a novel differential fault attack on KAUSMI with a 64-bit key. Taking advantage of some mathematical observations on the FL, FO functions, and key schedule, only one 16-bit word fault is required to recover all information of the 64-bit key. The time complexity is only 232 encryptions. We have practically simulated the attack on a PC which takes only a few minutes to recover all the key bits. The simulation also experimentally verifies the correctness and complexity.

Practical attack on the full MMB block cipher

Modular Multiplication based Block Cipher (MMB) is a block cipher designed by Daemen et al. as an alternative to the IDEA block cipher. In this paper, we give a practical sandwich attack on MMB with adaptively chosen plaintexts and ciphertexts. By constructing a 5-round sandwich distinguisher of the full 6-round MMB with probability 1, we recover the main key of MMB with text complexity 240 and time complexity 240 MMB encryptions. We also present a chosen plaintexts attack on the full MMB by employing the rectangle-like sandwich attack, which the complexity is 266.5 texts, 266.5 MMB encryptions and 270.5 bytes of memory. In addition, we introduce an improved differential attack on MMB with 296 chosen plaintexts, 296 encryptions and 266 bytes of memory. Especially, even if MMB is extended to 7 rounds, the improved differential attack is applicable with the same complexity as that of the full MMB.

Impossible Differential Cryptanalysis of 14-Round Camellia-192

As an international standard by ISO/IEC, Camellia is a widely used block cipher, which has received much attention from cryptanalysts. The impossible differential attack is one of efficient methods to analyze Camellia. Liu et al. gave an 8-round impossible differential, of which the input and output differences depend on some weak keys. In this paper, we apply some key relations to build the precomputation table to reduce time complexity and give some relations between the size of weak key sets and the number of input and output differences of the impossible differentials, which are used to balance the time complexity and the fraction of key space attacked. Furthermore, we give an impossible differential attack on 14-round Camellia-192 with