Zero-Correlation Linear Cryptanalysis with FFT and Improved Attacks on ISO Standards Camellia and CLEFIA [chapter]

Andrey Bogdanov, Huizheng Geng, Meiqin Wang, Long Wen, Baudoin Collard
2014 Lecture Notes in Computer Science  
Zero-correlation linear cryptanalysis is based on linear approximations with correlation exactly zero, which essentially generalizes the integral property, and has already been applied to several block ciphers, among others yielding best known attacks to date on round-reduced TEA and CAST-256 as published in FSE'12 and ASIACRYPT'12, respectively. In this paper, we use the FFT (Fast Fourier Transform) technique to speed up the zero-correlation cryptanalysis. First, this allows us to ... upon the state-of-the-art cryptanalysis for the ISO/IEC standard and CRYPTREC-portfolio cipher Camellia. Namely, we present zero-correlation attacks on 11-round Camellia-128 and 12-round Camellia-192 with $FL/FL^{-1}$ and whitening key starting from the first round, which is an improvement in the number of attacked rounds in both cases. Moreover, we provide multidimensional zero-correlation cryptanalysis of 14-round CLEFIA-192 and 15-round CLEFIA-256 that are attacks on the highest numbers of rounds in the classical single-key setting, respectively, with improvements in memory complexity.

© Springer-Verlag Berlin Heidelberg 2014

rounds as possible, which gives a high number of (sub)key bits that need to be guessed. Now, in a cryptanalytic effort based on correlation zero, one has to evaluate the sample correlation of all linear approximations (usually, a rather low number) for all plaintext-ciphertext pairs (usually, a significantly higher number) and all key guesses (which can be very high). In terms of computational complexity, this is the bottleneck of zero-correlation attacks so far. And this is exactly the point where the Discrete Fast Fourier Transform comes in handy.

Contributions. The contributions of this paper are three-fold:

Zero-correlation cryptanalysis with FFT: We use the Discrete Fast Fourier Transform, which has been previously used in linear cryptanalysis in [7], to improve the time complexity of zero-correlation attacks. It relies on eliminating the redundant computations from the partial encryption/decryption in the course of zero-correlation key recovery. For that, an auxiliary {−1, 1}-matrix with a level-circulant structure is defined such that the evaluation of the sample correlation can be done by matrix-vector multiplication for different keys. By making use of this special structure, the matrix-vector multiplication can be computed efficiently with FFT. This technique is described in Sect. 3.
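The matrix-vector step described above, as an added example that is not code from the paper: it assumes a single subkey byte XORed in front of a toy 8-bit S-box, so the {−1, 1}-matrix has entries M[k][x] = m[x ⊕ k] and the FFT over (Z_2)^n is the Walsh-Hadamard transform. The S-box, the mask `0x2D`, the counter vector and all function names are constructed for illustration.

```python
import random

N_BITS = 8
SIZE = 1 << N_BITS

def fwht(vec):
    """Walsh-Hadamard transform (the FFT over (Z_2)^n), O(n * 2^n)."""
    a = list(vec)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j], a[j + h] = a[j] + a[j + h], a[j] - a[j + h]
        h *= 2
    return a

def parity(x):
    return bin(x).count("1") & 1

def first_row(inv_sbox, mask):
    """m[z] = (-1)^<mask, S^-1(z)>; matrix entry M[k][x] is m[x ^ k]."""
    return [1 - 2 * parity(mask & inv_sbox[z]) for z in range(SIZE)]

def scores_naive(m, v):
    """Row-by-row product M.v: one partial decryption per (key, value), O(4^n)."""
    return [sum(m[x ^ k] * v[x] for x in range(SIZE)) for k in range(SIZE)]

def scores_fft(m, v):
    """Same product as an XOR-convolution: WHT, pointwise multiply, inverse WHT."""
    prod = [a * b for a, b in zip(fwht(m), fwht(v))]
    return [s // SIZE for s in fwht(prod)]   # inverse WHT = WHT / 2^n, exact

def demo(seed=1, samples=4096):
    rng = random.Random(seed)
    inv_sbox = list(range(SIZE))
    rng.shuffle(inv_sbox)                    # constructed toy S-box inverse
    # Constructed data: v[x] = signed counter of texts whose ciphertext byte is x,
    # sign given by the plaintext-side parity bit of the approximation.
    v = [0] * SIZE
    for _ in range(samples):
        v[rng.randrange(SIZE)] += 1 - 2 * rng.randrange(2)
    m = first_row(inv_sbox, mask=0x2D)       # hypothetical output mask
    fast = scores_fft(m, v)
    assert fast == scores_naive(m, v)        # both methods give the same scores
    return [s / samples for s in fast]       # sample correlation per key guess

if __name__ == "__main__":
    corr = demo()
    print("key guesses scored:", len(corr), "max |corr|:", max(map(abs, corr)))
```

The naive product costs 2^(2n) partial decryptions, while the transform route costs three transforms of n·2^n additions each, which is where the time saving for large guessed subkeys comes from.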
Improved cryptanalysis of Camellia: We apply this FFT technique to the block cipher Camellia and obtain an improvement in the number of attacked rounds for

Camellia is a block cipher jointly proposed by Mitsubishi and NTT in 2000 [1]. It was adopted as international standard by ISO/IEC [8]. Camellia is a CRYPTREC-recommended cipher for Japanese e-Government applications and is a part of the NESSIE project portfolio. It has a 128-bit block and supports a variable key size. The number of rounds depends on the key size: 18 rounds
doi:10.1007/978-3-662-43414-7_16 fatcat:j2vqjpiv3vf77luliftecjyywq