Improved MeetintheMiddle Distinguisher on Feistel Schemes
Abstract
Improved meetinthemiddle cryptanalysis with efficient tabulation technique has been shown to be a very powerful form of cryptanalysis against SPN block ciphers, especially AES. However, few results have been proposed on BalancedFeistelNetworks (BFN) and GeneralizedFeistelNetworks (GFN). This is due to the stagger of affected trail and special truncated differential trail in the precomputation phase, i.e. these two trails differ a lot from each other for BFN and GFN ciphers. In this paper, we describe an efficient and generic algorithm to search for an optimal improved meetinthemiddle distinguisher with efficient tabulation technique on wordoriented BFN and GFN block ciphers. It is based on recursive algorithm and greedy algorithm. To demonstrate the usefulness of our approach, we show key recovery attacks on 14/16round CLEFIA192/256 which are the best attacks. We also give key recovery attacks on 13/15round Camellia192/256 (without \(FL/FL^{1}\)).
Keywords
Block ciphers Improved meetinthemiddle attack Efficient tabulation technique Automatic search algorithm CLEFIA Camellia1 Introduction
Meetinthemiddle attack is first proposed by Diffie and Hellman to attack DES [8]. In recent years, it is widely researched due to its effectiveness against block cipher AES [4]. For AES, Gilbert and Minier show in [12] some collision attacks on 7round AES. At FSE 2008, Demirci and Selçuk improve the Gilbert and Minier attacks using meetinthemiddle technique instead of collision idea. More specifically, they show that the value of each byte of 4round AES ciphertext can be described by a function of the \(\delta \)set, i.e. a set of 256 plaintexts where a byte (called active byte) can take all values and the other 15 bytes are constant, parameterized by 25 [5] and 24 [6] 8bit parameters. The last improvement is due to storing differences instead of values. This function is used to build a distinguisher in the offline phase, i.e. they build a lookup table containing all the possible sequences constructed from a \(\delta \)set. In the online phase, they identify a \(\delta \)set, and then partially decrypt the \(\delta \)set through some rounds and check whether it belongs to the table. At ASIACRYPT 2010, Dunkelman, Keller and Shamir develop many new ideas to solve the memory problems of the Demirci and Selçuk attacks [10]. First of all, they only store multiset, i.e. an unordered sequence with multiplicity, rather than the ordered sequence. The second and main idea is the differential enumeration technique which uses a special property on a truncated differential characteristic to reduce the number of parameters that describes the set of functions from 24 to 16. Furthermore, Derbez, Fouque and Jean present a significant improvement to the Dunkelman et al. attacks at EUROCRYPT 2013 [7], called efficient tabulation technique. Using this reboundlike idea, they show that many values in the precomputation table are not reached at all under the constraint of a special truncated differential trail. Actually, the size of the precomputation table is determined by 10 byteparameters only. At FSE 2014, Li et al. give an attack on 9round AES192 using some relations among subkeys [17].
In [18], Lin et al. summarize former works of improved MITM distinguisher, and then define T\(\delta \)set which is a special \(\delta \)set of T active cells and Smultiset which is a multiset of S cells. With these definitions, they get affected trail which is a function connecting a T\(\delta \)set to an Smultiset with the minimal number of active cells after Rround encryption. After that, they introduce a general algorithm to search for the affected trail from a T\(\delta \)set to an Smultiset, and find that building a better distinguisher is equivalent to a positive integer optimization problem.
Although new results on SubstitutionPermutation Networks(SPN) block ciphers using improved meetinthemiddle attack with efficient tabulation technique are given in many literatures [7, 16, 17, 18], few results have been proposed on BalancedFeistelNetworks (BFN) [14] and GeneralizedFeistelNetworks (GFN) [23]^{1}. This is due to the stagger of affected trail and special truncated differential trail in the precomputation phase, i.e. these two trails differ a lot from each other for BFN and GFN ciphers. However, they are almost the same for SPN block ciphers.
Our Contribution. In this paper, we describe an efficient and generic algorithm to search for an optimal improved meetinthemiddle distinguisher with efficient tabulation technique on wordoriented BFN and GFN block ciphers. It is based on recursive algorithm and greedy algorithm. Given an affected trail \(\mathcal {D}\) connecting a T\(\delta \)set to an Smultiset by the algorithm of [18], our algorithm can get an optimal truncated differential trail. The algorithm is made up of two phases: table construction phase and searching phase.
The table construction phase is based on the precomputation phase proposed by Fouque et al. in [11]. In this phase, we build a 2equipartite directed acyclic graph G containing all the possible oneround transitions.
The searching phase is based on the algorithm proposed by Matsui to find the best differential characteristics for DES [22]. Our algorithm works by recursion and can be seen as a tree traversal in a depthfirst manner. One truncated differential trail is a path in this tree, and its weight equals the product of all traversed edges. We are looking for the path with the minimum number of guessedcells in this tree under certain transition probability. The knowledge of the previous best truncated differential trail allows pruning during the procedure. To speed up this algorithm, We also use greedy algorithm to divide the search process into 2 parts: one starts from the beginning, the other one starts from the end.
To demonstrate the usefulness of our approach, we apply our algorithm to CLEFIA192/256 [24] and Camellia192/256 (without \(FL/FL^{1}\))^{2} [1]. For CLEFIA256, we give a 10round distinguisher, and then give a 16round key recovery attack with data complexity of \(2^{113}\) chosenplaintexts, time complexity of \(2^{219}\) encryptions and memory complexity of \(2^{210}\) 128bit blocks. To the best of our knowledge, this is currently the best attack with respect to the number of attacked rounds. For CLEFIA192, we give a 9round distinguisher, and then give a 14round key recovery attack with data complexity of \(2^{113}\) chosenplaintexts, time complexity of \(2^{155}\) encryptions and memory complexity of \(2^{146}\) 128bit blocks. To the best of our knowledge, this is currently the best attack with respect to the complexity.
We also give an 8round distinguisher on Camellia*192, and then give a 13round key recovery attack with data complexity of \(2^{113}\) chosenplaintexts, time complexity of \(2^{180}\) encryptions and memory complexity of \(2^{130}\) 128bit blocks. For Camellia*256, we give a 9round distinguisher, and then give a 15round key recovery attack with data complexity of \(2^{113}\) chosenplaintexts, time complexity of \(2^{244}\) encryptions and memory complexity of \(2^{194}\) 128bit blocks. Although Lu et al. proposed a 14round attack on Camellia*192 and a 16round attack on Camellia*256 [21], they didn’t consider the whitening operations. So we think our works on Camellia* have certain significance.
We present here a summary of our attack results on CLEFIA and Camellia*, and compare them to the best attacks known for them. This summary is given in Table 1.
Summary of the best attacks on CLEFIA192/256, Camellia*192/256.
Cipher  Attack type  Rounds  Data  Memory (Bytes)  Time (Euc)  Source 

CLEFIA192  Improbable  14  \(2^{127.0}\) CPs  \(2^{127.0}\)  \(2^{183.2}\)  [25] 
Multidim. ZC  14  \(2^{127.5}\) KPs  \(2^{115}\)  \(2^{180.2}\)  [2]  
Improved MITM  14  \(2^{113}\) CPs  \(2^{150}\)  \(2^{155}\)  Sect. 4.1  
CLEFIA256  Improbable  15  \(2^{127.4}\) CPs  \(2^{127.4}\)  \(2^{247.5}\)  [25] 
Multidim. ZC  15  \(2^{127.5}\) KPs  \(2^{115}\)  \(2^{244.2}\)  [2]  
Improved MITM  16  \(2^{113}\) CPs  \(2^{214}\)  \(2^{219}\)  Sect. 4.1  
Camellia*192  Impossible Diff  12  \(2^{119}\) CPs  \(2^{124}\)  \(2^{147.3}\)  [19] 
Impossible Diff  \(14^{ww}\)  \(2^{117}\) CPs  \(2^{122.1}\)  \(2^{182.2}\)  [20]  
HO MITM  \(14^{ww}\)  \(2^{118}\) CPs  \(2^{166}\)  \(2^{164.6}\)  [21]  
Improved MITM  13  \(2^{113}\) CPs  \(2^{134}\)  \(2^{180}\)  Sect. 4.2.1  
Camellia*256  Impossible Diff  \(15^{ww}\)  \(2^{122.5}\) KPs  \(2^{233}\)  \(2^{236.1}\)  [3] 
Impossible Diff  \(16^{ww}\)  \(2^{123}\) KPs  \(2^{129}\)  \(2^{249}\)  [20]  
HO MITM  \(16^{ww}\)  \(2^{120}\) CPs  \(2^{230}\)  \(2^{252}\)  [21]  
Improved MITM  15  \(2^{113}\) CPs  \(2^{198}\)  \(2^{244}\)  Sect. 4.2.2 
2 Preliminaries
In this section, we give notations used throughout this paper, and then briefly recall the previous improved MITM distinguishers, and after that the attack scheme is given. Finally, we discuss the improved meetinthemiddle distinguisher on Feistel schemes with efficient tabulation technique.
2.1 Notation

b: number of cells in a state.

k: the size of the master key.

o: the size of one branch.

r: number of rounds.

c: number of bits in a cell.

n: number of branches that will get through Ffunction in a state.

X: number of active cells in a state X.

\(x_i\): the input state of roundi.

\(y_i\): the state after the key addition layer of roundi.

\(z_i\): the state after the Sbox layer of roundi.

\(w_i\): the state after the linear transformation layer of roundi.

s[i]: the \(i^{th}\) branch of a state.

s[i][j]: the \(j^{th}\) cell in the \(i^{th}\) branch of a state.

\(K_{i}[j]\): the \(j^{th}\) cell of the \(i^{th}\) round key.
2.2 Reviews of Former Works
In this section, we present a unified view of the previously known MITM distinguishers on AES in [5, 7, 10] and the algorithm to search for the affected trail given by Lin et al. in [18]. Let’s start with particular structures of messages captured by Definitions 1 and 2.
Definition 1
(\(\delta \)set, [4]). Let a \(\delta \)set be a set of 256 AESstates that are all different in one state byte (active byte) and all equal in the other state bytes (inactive bytes).
Definition 2
(Multisets of bytes, [7]). A multiset generalizes the set concept by allowing elements to appear more than once. Here, a multiset of 256 bytes can take as many as \({2^8 +2^8 1 \atopwithdelims ()2^8} \approx 2^{506.17}\) different values.
Proposition 1
Dunkelman et al. Distinguisher and Derbez et al. Distinguisher. In [10], Dunkelman et al. introduced two new improvements to further reduce the memory complexity of [6]. The first uses multiset which is an unordered sequence with multiplicity to replace ordered sequence in the offline phase, since there is enough information so that the attack succeeds. The second improvement uses a novel idea named differential enumeration technique. The main idea of this technique is to use a special 4round property on a truncated differential characteristic to reduce the number of parameters which describes the set of functions from 24 to 16.
In [7], Derbez et al. presented an improvement to Dunkelman et al.’s differential enumeration technique, called efficient tabulation technique (Proposition 2). Combining with the reboundlike idea, many values in the precomputation table are not reached at all under the constraint of a special truncated differential trail.
Proposition 2
(Efficient Tabulation Technique, [7]). If a message of \(\delta \)set belongs to a pair conforming to the 4round truncated differential trail outlined in Fig. 2, the values of multiset are only determined by 10 byteparameters of intermediate state \(\varDelta z_1[0]x_2[0,1,2,3]\varDelta x_5[0]z_4[0,1,2,3]\) presented as gray cells in this figure.
The main idea of their works is that suppose one get a pair of messages conforming to this truncated differential trail, the differences \(\varDelta x_3\) and \(\varDelta y_3\) can be determined by these 10 byteparameters. By Proposition 1, part of the 24 byteparameters in the Demirci and Selçuk distinguisher, i.e. \(x_3\), can be determined.
Lin et al. Algorithm. In [18], Lin et al. summarized former works of improved MITM distinguisher and gave a general model for this kind of distinguisher on SPN block ciphers. In their works, they define T\(\delta \)set which is a special \(\delta \)set of T active cells and Smultiset which is a multiset of S cells to extend the definitions of \(\delta \)set and multiset. With these definitions, they get affected trail which is a function connecting a T\(\delta \)set to an Smultiset with the minimal number of active cells^{3} after rround encryption. We call these active cells guessedcells in this paper. As shown in Fig. 1, \(x_1[0]\) is an 1\(\delta \)set and \(\varDelta x_5[0]\) is an 1multiset. \((x_4[0,5,10,15]x_3x_2[0,1,2,3])\) is the affected trail connecting \(x_1[0]\) to \(x_5[0]\), i.e. the value of \(\varDelta x_5\) can be determined by \(x_1[0]\) and these bytes. After that, they introduce a general algorithm to search for the best affected trail from a T\(\delta \)set to an Smultiset, and find that building a better affected trail is equivalent to a positive integer optimization problem. In this paper, T represents a T\(\delta \)set and S represents an Smultiset. With these two definitions in mind, we can choose appropriate values of T and S according to the success probability [18].
 1.
Propagation. In the forward direction, differences of T can propagate from one round to the next. Active cells before the Sbox layer need to be guessed, and then S can be got from this trail.
 2.
Pruning. In this trail, some guessedcells have nothing to do with the building of S. These cells are pruned.
Using this algorithm, we can get an affected trail \(\mathcal {D}\) for (T, S).
2.3 Attack Scheme
In this subsection, we present our new unified view of the improved meetinthemiddle attack, where R rounds of block cipher can be split into three consecutive parts: \(r_1,\ r,\) and \(r_2\).
The general attack scheme is shown in Fig. 3(B), here T represents a T\(\delta \)set and S represents an Smultiset, \(T^*\) represents input difference of the truncated differential trail and \(S^*\) represents the output difference. For SPN block ciphers, (T, S) and \((T^*,S^*)\) are almost the same. But for Feistel block ciphers, they are always different. The reason will be explained in Subsect. 2.4.
 Precomputation phase
 1.
In the precomputation phase, we build an affected trail from T to S by guessing some cells.
 2.
Use efficient tabulation technique to build a special truncated differential trail from \(T^*\) to one middle round, and then build a truncated differential trail from \(S^*\) to another middle round in the reverse direction. This step needs to guess some more cells. Using Proposition 1, we can prune some guessedcells made in step 1.
 3.
Build a lookup table L containing all the possible sequences constructed from T such that one message verifies the truncated differential trail.
 1.
 Online phase
 1.
In the online phase, we need to identify a T\(\delta \)set containing a message m verifying the desired property. This is done by using a large number of plaintexts and ciphertexts, and expecting that for each key candidate, there is one pair of plaintexts satisfying the truncated differential trail from \(P\rightarrow T^*\) and \(C \rightarrow S^*\). m is one member of this plaintext pair. Then use m to build a T\(\delta \)set.
 2.
Finally, we partially decrypt the associated T\(\delta \)set through the last \(r_2\) rounds and check whether it belongs to L.
 1.
2.4 Feistel Ciphers with Efficient Tabulation Technique
In this paper, we focus on the application of efficient tabulation technique on wordoriented BFN and GFN. The round function F is made up of 3 layers: key addition layer, Sbox layer and linear transformation layer. This is true for most BFN and GFN ciphers.
The advantage of improved meetinthemiddle attack with efficient tabulation technique on Feistel ciphers is that it can use Proposition 1 in \(\lfloor \frac{b}{n\times o}\rfloor \) rounds, i.e. less cells are guessed in these rounds. We take CLEFIA [24] as an example. CLEFIA is a 4branch type2 GFN cipher with \(b=16\), \(n=2\) and \(o=4\).
Although affected trail and truncated differential trail are almost the same for SPN ciphers, they differ a lot from each other for BFN and GFN ciphers. We also take CLEFIA as an example. As shown in Fig. 4(B), the guessedcells of affected trail and truncated differential trail are totally different in the backward direction. For affected trail, if we want to get \(\varDelta x_{i+2}[1][0]\) from \(\varDelta x_i\), \(\varDelta x_{i+2}[1][0] = \varDelta x_{i+1}[1][0] = \varDelta w_i[2][0] \oplus \varDelta x_i[3][0]\), only \(y_i[2]\) need to be guessed. For truncated differential trail, if \(\varDelta x_{i+2}[1][0]\) is active and we know its value, by guessing \(y_{i+1}[2][0]\), \(\varDelta x_{i+1}[2][0]\) and \(\varDelta x_{i+1}[3]\) can be got. By guessing \(y_i[0]\), \(\varDelta x_i\) can be got. So \(y_{i+1}[2][0]\) and \(y_{i}[0]\) need to be guessed in addition. But for another truncated differential trail, if \(\varDelta x_{i+2}[2][0]\) is active, by guessing \(y_i[0][0]\), \(\varDelta x_i\) can be got. So only one additional cell need to be guessed.
In order to apply this technique to Feistel schemes, first of all, we should get an affected trail; and then we can use a truncated differential trail to restrain values of guessedcells in the middle \(\lfloor \frac{b}{n\times o}\rfloor \) rounds by guessing some extra cells. These two trails may differ a lot from each other, so we need to find a method to minimize the total number of guessedcells.
To solve this problem, we present an automatic search algorithm in Sect. 3 to search for an optimal improved meetinthemiddle distinguisher with efficient tabulation technique on BFN and GFN ciphers.
3 Automatic Search Algorithm Using Efficient Tabulation Technique
In this section, we present a practical algorithm to derive an optimal improved meetinthemiddle distinguisher on Feistel schemes with efficient tabulation technique, which combines the precomputation phase of [11] and the search procedure of [22].
Suppose we get the affected trail [18] gives, our algorithm works by recursion and consists of 2 phases: table construction phase and searching phase.
3.1 Table Construction Phase
As shown in [11], the table construction phase builds a 2equipartite directed acyclic graph G which contains all the possible oneround transitions. This graph can be built and stored efficiently by observing its inner structure: the block cipher internal state output depends only on the block cipher internal state input. Unlike [11], since we don’t consider the key schedule, the graph is small and can be stored in truncated differential characteristic^{4}. A toy example of G is shown in Fig. 5.
3.2 Searching Phase
As the algorithm in [22], our searching phase finds an optimal nround improved meetinthemiddle distinguisher. The algorithm works by recursion and can be seen as a tree traversal in a depthfirst manner, where the tree represents all the possible truncated differential trail in the cipher layered by round. The nodes represent the truncated differential characteristics and the edges the possible transitions between them, and are labeled by their numbers of guessedcells and transition probabilities. One truncated differential trail is a path in this tree, and its weight equals the product of all traversed edges. We are looking for the path with the minimum number of guessedcells in this tree under certain transition probability. The knowledge of the previous best truncated differential trail allows pruning during the procedure. Since we only consider truncated differential characteristic and the pruning is very efficient, the running time will not be too long.
3.2.1 Trail Probability
Almost all the truncated differential trails used in the distinguishers on SPN ciphers are with probability 1. In our algorithm, we consider the truncated differential trail with probability less than 1, i.e. operations such as XOR can output inactive cells with certain probability. Suppose there is one less active cell in the backward direction (with probability \(2^{c}\)), it may cause less extra cells to be guessed. Getting a trail with probability \(2^{c}\) means that the online phase should be repeated \(2^{c}\) times. So our algorithm require an “initial value” for the minimum trail probability, which is presented as \(\overline{P}\). This value can be determined by analyzing the online phase.
3.2.2 Comparing Trails
Next we introduce a (quasi)order relation for two truncated differential trail \(\mathcal {T}_1\) and \(\mathcal {T}_2\) as follows:
Definition 3
Also \(\mathcal {T}_1 \equiv \mathcal {T}_2 \Leftrightarrow \mathcal {G}(\mathcal {T}_1)=\mathcal {G}(\mathcal {T}_2) \text { and } \mathcal {P}(\mathcal {T}_1)=\mathcal {P}(\mathcal {T}_2)\)^{5}.
3.2.3 Ending Condition
3.2.4 Finding an Optimal Trail
Although we could test all the truncated differential trail under the probability lower bound \(\overline{P}\) to find the best one, we have a more efficient way using the greedy algorithm. Since the affected trail is unique for each (S, T) pair, we can find out \(\lfloor \frac{b}{n\times o}\rfloor \) successive rounds which need to guess more cells than others, i.e. there are more active cells in these rounds. This means that more cells need not to be guessed using Proposition 1. If the number of these successive rounds is more than one, the beginning of these rounds can be represented as a set, called SRset.
With SRset in mind, the search procedure can be divided into 2 parts: one starts at the first round in the forward direction, the other starts at the last round in the backward direction. This algorithm will divide an rround truncated differential trail search process into 2 parts: \(r_1\) and \(r_2\), where \(r=r_1+\lfloor \frac{b}{n\times o}\rfloor +r_2\).
At the beginning of this algorithm, we should decrease \(\mathcal {G}(\mathcal {D})\) by the number of guessedcells in the middle \(\lfloor \frac{b}{n\times o}\rfloor \) rounds. We may meet the situation that not all the guessedcells can be pruned in the middle \(\lfloor \frac{b}{n\times o}\rfloor \) rounds, i.e. there are inactive cells in the truncated differential trail. However, since this also restrains the values of guessedcells in the truncated differential trail, the total number of guessedcells remains unchanged.
Although the first and last truncated differential characteristics in the trail can take any values, we put some limitations on them by some observations. Since there is little difference between an affected trail and a truncated differential trail in the first \(r_1\)round, we fix the first truncated differential characteristic \(T^*\) to T. And by the propagation of differences, we constrain values of the last truncated differential characteristics \(S^*\) with \(S^*\le S\).
The framework of our algorithm for the first \(r_1\) and the last \(r_2\) rounds is now established by Algorithms 1 and 2 including essentially recursive calls.
Line 10 of Algorithm 2 means \(s_{r_1}\xrightarrow {\lfloor \frac{b}{n\times o}\rfloor rounds}{} s_{r_2}\), where \(s_{r_1}\) and \(s_{r_2}\) are truncated differential characteristics of round\(r_1\) and round(\(r_1+\lfloor \frac{b}{n\times o}\rfloor \)) in the trail, respectively. Take CLEFIA as an example, since the branch number of \(M_0\) and \(M_1\) is 5, if the total number of active cells before and after \(M_0\) or \(M_1\) is less than 5, we should stop the search procedure and try another trail.
Algorithm 3 presents the search algorithm for a (T, S) pair.
4 Applications
In this section, we give our attacks on CLEFIA192/256 and Camellia*192/256.
4.1 Applications to CLEFIA192/256
CLEFIA is a lightweight 128bit block cipher designed by Shirai et al. in 2007 [24] and based on a 4branch type2 GFN. It is adopted as an international ISO/IEC 29192 standard in lightweight cryptography. We refer to [24] for a detailed description.
4.1.1 9/10Round Distinguisher on CLEFIA
First, we use our search algorithm to find an optimal 10round distinguisher on CLEFIA256 and 9round distinguisher on CLEFIA192. They are shown in Figs. 6 and 7.
In the attack of CLEFIA, we apply an equivalent transformation to the 10round and 9round distinguishers, as shown in Figs. 6 and 7. Namely, the right linear transformations of round \(i+8\) and \(i+7\) are removed from these rounds, and these linear transformations are added to three different positions in order to obtain distinguishers that are computationally equivalent to the original one.
The 10round distinguisher on CLEFIA256 is based on the proposition below.
Proposition 3
Considering to encrypt \(2^8\) values of the (1)\(\delta \)set after 10round CLEFIA256 starting from roundi, where \(x_i[1][0]\) is the active byte, in the case of that a message of the \(\delta \)set belongs to a pair which conforms to the truncated differential trail outlined in Fig. 6, then the corresponding (1)multiset of \(\varDelta x_{i+10}[1][0]\) only contains about \(2^{208}\) values.
Proof
As shown in Fig. 6, we first consider the affected trail from \(x_i[1][0]\) to \(x_{i+10}[1][0]\). This affected trail is determined by 39 byteparameters: \(y_{i+1}[0][0]y_{i+2}[0]y_{i+3}[0]y_{i+3}[2][0]y_{i+4}[0]y_{i+4}[2]y_{i+5}[0] y_{i+5}[2]y_{i+6}[0]y_{i+6}[2]y_{i+7}[2]y_{i+8}[2][0]\).
This can be easily seen from the figure.
Furthermore, if there exists a message of the (1)\(\delta \)set belongs to a pair which conforms the truncated differential trail as in Fig. 6, the 35 byteparameters \(y_{i+1}[0][0]y_{i+2}[0]y_{i+3}[0]y_{i+3}[2][0]y_{i+4}[0]y_{i+4}[2]y_{i+5}[0] y_{i+5}[2]y_{i+6}[0] y_{i+6}[2][0]y_{i+7}[2]\) is determined by 22 byteparameters: \(\varDelta x_i[1][0]y_{i+1}[0][0]y_{i+2}[0] y_{i+3}[0] y_{i+3}[2][0]y_{i+6}[0]y_{i+6}[2][0]y_{i+7}[2]y_{i+8}[0][0]\varDelta x_{i+10}[2][0]\).
Using 11 byteparameters \(\varDelta x_i[1][0]y_{i+1}[0][0]y_{i+2}[0]y_{i+3}[0]y_{i+3}[2][0]\), we can deduce \(\varDelta x_{i+4}\). In the backward direction, using \(\varDelta x_{i+10}[2][0]y_{i+8}[0][0]y_{i+7}[2]y_{i+6}[0]y_{i+6}[2][0]\),we can deduce \(\varDelta x_{i+6}\). By Proposition 1, this can deduce \(y_{i+4}[0]\), \(y_{i+4}[2]\), \(y_{i+5}[0]\) and \(y_{i+5}[2]\).
In conclusion, the corresponding multiset of byte \(\varDelta x_{i+10}[1][0]\) only contains about \(2^{208}\) values with the truncated differential trail. \(\square \)
The 9round distinguisher on CLEFIA192 is based on the proposition below, and we will meet the situation Sect. 3.2.4 gives.
Proposition 4
Considering to encrypt \(2^8\) values of the (1)\(\delta \)set after 9round CLEFIA192 starting from roundi, where \(x_i[1][0]\) is the active byte, in the case of that a message of the \(\delta \)set belongs to a pair which conforms to the truncated differential trail outlined in Fig. 7, and then the corresponding multiset of \(\varDelta x_{i+9}[1][0]\) only contains about \(2^{144}\) values.
The proof of this proposition is the same as before and is shown in Fig. 7.
The online phase of 16/14round attack on CLEFIA256/192 is shown in Appendix A. For CLEFIA256, we give a 16round key recovery attack with data complexity of \(2^{113}\) chosenplaintexts, time complexity of \(2^{219}\) encryptions and memory complexity of \(2^{210}\) 128bit blocks. For CLEFIA192, we give a 14round key recovery attack with data complexity of \(2^{113}\) chosenplaintexts, time complexity of \(2^{155}\) encryptions and memory complexity of \(2^{146}\) 128bit blocks.
4.2 Applications to Camellia*192/256
Camellia is a 128bit block cipher designed by Aoki et al. in 2000 [1]. It is a Feistellike construction where two keydependent layer FL and \(FL^{1}\) are applied every 6 rounds to each branch. In this paper, we analyze Camellia without FL and \(FL^{1}\), and call it Camellia* here. We refer to [1] for the detailed description of Camellia.
4.2.1 Attack on Camellia*192
By guessing \(y_{i+1}[0][0]\), \(y_{i+2}[0][0, 1, 2, 4, 7]\), \(y_{i+3}[0]\), \(y_{i+4}[0]\), \(y_{i+5}[0][1, 2, 4, 6, 7]\) and \(y_{i+6}[0][5]\), we can get multiset of \(\varDelta x_{i+8}[1][5]\). If there is a truncated differential trail from \(x_i[1][0]\) to \(x_{i+8}[0][0]\) as the figure shows, then \(y_{i+1}[0][0]\), \(y_{i+2}[0][0, 1, 2, 4, 7]\), \(y_{i+3}[0]\), \(y_{i+4}[0]\) and \(y_{i+5}[0][1, 2, 4, 7]\) can be determined by \(\varDelta x_{i}[1][0]\), \(y_{i+1}[0][0]\), \(y_{i+2}[0][0, 1, 2, 4, 7]\), \(\varDelta x_{i+8}[0][0]\), \(y_{i+6}[0][0]\), \(y_{i+5}[0][0, 1, 2, 4, 7]\).
In a word, the multiset of byte \(\varDelta x_{i+8}[1][5]\) can be determined by 16 byteparameters.
The online phase of this attack is the same as the 12round attack on Camellia192 in [15]. So we can extend 2 rounds on the top and 3 rounds on the bottom to build a 13round attack on Camellia*192 with time complexity of \(2^{180}\) encryptions, data complexity of \(2^{113}\) chosen plaintexts and memory complexity of \(2^{130}\) 128bit blocks.
4.2.2 Attack on Camellia*256
For the distinguisher of Camellia*256, we simply extend one round after round\((i+3)\) by guessing the whole 8 byteparameters after the key addition layer. Then we can get a 10round distinguisher on Camellia*256.
In the online phase, we simply extend one round after the distinguisher by guessing all the 8 byteparameters after the key addition layer. Then we can build a 15round attack on Camellia*256 with time complexity of \(2^{244}\) encryptions, data complexity of \(2^{113}\) chosen plaintexts and memory complexity of \(2^{194}\) 128bit blocks.
5 Conclusion and Future Work
This paper has shown the improved meetinthemiddle distinguisher with efficient tabulation technique on BFN and GFN block ciphers. We discuss the problem why this technique is rarely used on the attacks of BFN and GFN ciphers, and then describe an efficient and generic algorithm to search for an optimal improved meetinthemiddle distinguisher with efficient tabulation technique on them. It is based on recursive algorithm and greedy algorithm.
To demonstrate the usefulness and versatility of our approaches, we show attacks on CLEFIA and Camellia*. Among them, we would like to stress that the presented attacks on 14/16round CLEFIA192/256 are the best attacks. Since our approach is generic, it is expected to be applied to other BFN and GFN ciphers. We believe that our results are useful not only for a deeper understanding of the security of Feistel schemes, but also for designing a secure block cipher.
The research community still has a lot to learn on the way to build better attacks and there are many future works possible: the algorithm combining the precomputation phase and online phase together, and the link between this kind of attack with other kinds of attacks, such as truncated differential attack and impossible differential attack.
Appendix A: 16/14Round Attack on CLEIFA256/192
Based on the 10round distinguisher, we extend 3 rounds on the top and 3 rounds on the bottom to present a 16round improved meetinthemiddle attack on CLEFIA256, and based on the 9round distinguisher, we extend 3 rounds on the top and 2 rounds on the bottom to present a 14round improved meetinthemiddle attack on CLEFIA192. The procedure of the attack on CLEFIA256 is shown in Fig. 9.
The following proposition is important in finding the special truncated differential trail.
Proposition 5.If\(M_i(\varDelta s_0) = (a_0, 0, 0, 0)\)and\(M_i(\varDelta s_1)=(a_1, 0, 0, 0)\), then \(M_i(\varDelta s_0 \oplus \varDelta s_1) = (a_2, 0, 0, 0)\), where \(a_0\), \(a_1\), \(a_2\)are any bytes^{6}.
This is because of the linearity of \(M_i\). The set of \(2^8\) differences that results in (a, 0, 0, 0) after the linear transformation layer is called \(\alpha \)set, and it is marked by red triangle in Fig. 9.
 1.
Precomputation phase. In the precomputation phase of the attack, we build the lookup table L that contains the multiset of size \(2^{208}\) for difference \(\varDelta x_{13}[1][0]\) by following the method of Proposition 4.
 2.
Online Phase.
 (a)
Detecting the Right Pair:
 i.
We prepare a structure of \(2^{80}\) plaintexts where \(\varDelta P[0][0]\), \(\varDelta P[2]\) and \(\varDelta P[3]\) take all the \(2^{72}\) values and \(\varDelta P[1]\) takes all the values of the \(\alpha \)set. Hence, we can generate \(2^{80} \times (2^{80}1)/2 \approx 2^{159}\) pairs satisfying the plaintext differences. Choose \(2^{33}\) structures and get the corresponding ciphertexts. Among the \(2^{159+33}=2^{192}\) corresponding ciphertext pairs, we expect \(2^{192}\times 2^{48} = 2^{144}\) pairs to verify the truncated difference pattern where \(\varDelta C[0][0]\), \(\varDelta C[2]\), \(\varDelta C[3]\) have differences, and \(\varDelta C[1]\) has difference in \(\alpha \)set. Store the \(2^{144}\) remaining pairs in a hash table. This step require \(2^{113}\) plaintext and ciphertext pairs.
 ii.
Guess the values of \(K_0[0]\), \(K_1\), \(y_1[0]\) and \(y_2[2][0]\), using the guessed values to encrypt the remaining pairs to \(x_3\). We choose the pairs that have difference only in byte \(x_3[1][0]\), there are \(2^{14472}= 2^{72}\) pairs left.
 iii.
Guess the values of \(K_{30}[0]\), \(K_{31}\), \(y_{14}[2]\) and \(y_{13}[2][0]\), using the guessed values to decrypt the remaining pairs to \(x_{13}\). We choose the pairs that have differences only in byte \(x_{13}[2][0]\), there are \(2^{7272}= 1\) pair left.
 i.
 (b)
Creating and Checking the Multiset:
 i.
For each guess of the 20 bytes made in Phase (a), decrypt the \(2^{8}\) possible differences in \(\varDelta x_3\) to \(\varDelta x_0\) using the knowledge of \(K_0[0]\), \(K_1\), \(y_1[0]\) and \(y_2[2][0]\). Then XOR it with one plaintext \(P_0\) of the pair.
 ii.
Using \(P_0\) as the standard plaintext, denote the other 255 plaintexts as \(P_1\) to \(P_{255}\), and the corresponding ciphertexts as \(C_0\) to \(C_{255}\). Partially decrypt the ciphertexts to \(x_{13}\) (here \(x'_{13}[1]=M_1(x_{13}[1])\)), and then get the multiset of \(\varDelta x_{13}[1][0]\) by guessing \(K_{30}[1,2,3]\), \(y_{13}[0]\), and using the knowledge of \(K_{30}[0]\), \(K_{31}\), \(y_{14}[2]\).
 iii.
Checking whether the multiset exists in L. If not, discard the key guess. The probability for a wrong guess to pass this test is smaller than \(2^{208} 2^{506.17}= 2^{306.17}\).
 i.
 (c)
Searching the Rest of Key: For each remaining key guess, find the remaining key bytes by exhaustive search.
 (a)
We take another look at online phase to evaluate the complexity. For each of the \(2^{144}\) remaining pairs after the first part of Phase (a), since \(\varDelta y_0[2]=\varDelta P[2]\) and \(\varDelta z_0[2]=M_{1}^{1}(\varDelta P[3] \oplus \varDelta x_1[2])=M_{1}^{1}(\varDelta P[3])\), by Proposition 1, we can get \(K_1\). By guessing \(y_2[2][0]\), we can deduce \(\varDelta x_2[3]\), and then get \(y_1[0]\) and \(K_0[0]\) for the same reason as before. Since \(\varDelta y_{15}[2] = \varDelta C[2]\) and \(\varDelta z_{15}[2] = M_1^{1}(\varDelta C[3])\), by Proposition 1, we can get \(K_{31}\). By guessing \(y_{14}[2][0]\), we can deduce \(\varDelta x_{14}[2]\), and then get \(y_{14}[2]\) and \(K_{30}[0]\) for the same reason as before. Therefore, there are \(2^{16}\) of 20 byteparameters for one pair. After that, we should guess \(K_{30}[1,2,3]\) and \(y_{13}[0]\) in addition. In conclusion, for each of the \(2^{144}\) found pairs, we perform \(2^{72}\) partial encryptions/decryptions of a \(\delta \)set. We evaluate the time complexity of this part to \(2^{144+72+85}\)= \(2^{219}\) encryptions.
Hence, the data complexity is \(2^{113}\) chosenplaintexts, the time complexity is \(2^{219}\) encryptions and the memory complexity is \(2^{210}\) 128bit blocks.
The 14round attack on CLEFIA192 is almost the same as the former attack. The data complexity is \(2^{113}\) chosenplaintexts, the time complexity is \(2^{155}\) encryptions and the memory complexity is \(2^{146}\) 128bit blocks.
Footnotes
 1.
[13] was published after the accomplishment of this paper.
 2.
We call it Camellia* in this paper.
 3.
These active cells are before the Sbox layer, so we need to guess their values to get the Smultiset.
 4.
The memory cost of CLEFIA is less than 20 MB.
 5.
\(\mathcal {G}\): total number of guessedcells including the affected trail. \(\mathcal {P}\): trail probability.
 6.
\(M_i\) denotes the linear transformation layer.
Notes
Acknowledgements
We would like to thank the anonymous reviewers for providing valuable comments. The research presented in this paper is supported by the National Basic Research Program of China (No. 2013CB338002) and National Natural Science Foundation of China (No. 61272476, No.61232009 and No. 61202420).
References
 1.Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., Tokita, T.: \(Camellia\): a 128bit block cipher suitable for multiple platforms  design and analysis. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 39–56. Springer, Heidelberg (2001)CrossRefGoogle Scholar
 2.Bogdanov, A., Geng, H., Wang, M., Wen, L., Collard, B.: Zerocorrelation linear cryptanalysis with FFT and improved attacks on ISO standards Camellia and CLEFIA. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 306–323. Springer, Heidelberg (2014)CrossRefGoogle Scholar
 3.Chen, J., Jia, K., Yu, H., Wang, X.: New impossible differential attacks of reducedround Camellia192 and Camellia256. In: Parampalli, U., Hawkes, P. (eds.) ACISP 2011. LNCS, vol. 6812, pp. 16–33. Springer, Heidelberg (2011)CrossRefGoogle Scholar
 4.Daemen, J., Rijmen, V.: The Design of Rijndael: AESthe Advanced Encryption Standard. Springer, Heidelberg (2002)CrossRefzbMATHGoogle Scholar
 5.Demirci, H., Selçuk, A.A.: A meetinthemiddle attack on 8round AES. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 116–126. Springer, Heidelberg (2008)CrossRefGoogle Scholar
 6.Demirci, H., Taşkın, I., Çoban, M., Baysal, A.: Improved meetinthemiddle attacks on AES. In: Roy, B., Sendrier, N. (eds.) INDOCRYPT 2009. LNCS, vol. 5922, pp. 144–156. Springer, Heidelberg (2009)CrossRefGoogle Scholar
 7.Derbez, P., Fouque, P.A., Jean, J.: Improved key recovery attacks on reducedround AES in the singlekey setting. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 371–387. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 8.Diffie, W., Hellman, M.E.: Special feature exhaustive cryptanalysis of the NBS data encryption standard. Computer 10(6), 74–84 (1977)CrossRefGoogle Scholar
 9.Dong, X., Li, L., Jia, K., Wang, X.: Improved attacks on reducedround Camellia128/192/256. In: Nyberg, K. (ed.) CTRSA 2015. LNCS, vol. 9048, pp. 59–83. Springer, Heidelberg (2015)Google Scholar
 10.Dunkelman, O., Keller, N., Shamir, A.: Improved singlekey attacks on 8round AES192 and AES256. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 158–176. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 11.Fouque, P.A., Jean, J., Peyrin, T.: Structural evaluation of AES and ChosenKey Distinguisher of 9Round AES128. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 183–203. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 12.Gilbert, H., Minier, M.: A collisions attack on the 7rounds Rijndael. In: AES Candidate Conference, Citeseer (2000)Google Scholar
 13.Guo, J., Jean, J., Nikolić, I., Sasaki, Y.: Meetinthemiddle attacks on generic Feistel constructions. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 458–477. Springer, Heidelberg (2014)Google Scholar
 14.Isobe, T., Shibutani, K.: All subkeys recovery attack on block ciphers: extending meetinthemiddle approach. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 202–221. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 15.Li, L., Jia, K.: Improved meetinthemiddle attacks on reducedround Camellia192/256. IACR Cryptology ePrint Archive 2014, 292 (2014)Google Scholar
 16.Li, L., Jia, K., Wang, X.: Improved meetinthemiddle attacks on AES192 and PRINCE. IACR Cryptology ePrint Archive 2013, 573 (2013)Google Scholar
 17.Li, L., Jia, K., Wang, X.: Improved singlekey attacks on 9round AES192/256. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 127–146. Springer, Heidelberg (2015)Google Scholar
 18.Lin, L., Wu, W., Wang, Y., Zhang, L.: General model of the singlekey meetinthemiddle distinguisher on the wordoriented block cipher. In: Lee, H.S., Han, D.G. (eds.) ICISC 2013. LNCS, vol. 8565, pp. 203–223. Springer, Heidelberg (2014)Google Scholar
 19.Jiqiang, L.: Cryptanalysis of block ciphers. Ph.D. thesis. University of London, UK (2008)Google Scholar
 20.Jiqiang, L., Wei, Y., Fouque, P.A., Kim, J.: Cryptanalysis of reduced versions of the Camellia block cipher. IET Inf. Secur. 6(3), 228–238 (2012)CrossRefGoogle Scholar
 21.Jiqiang, L., Wei, Y., Kim, J., Pasalic, E.: The higherorder meetinthemiddle attack and its application to the Camellia block cipher. Theoret. Comput. Sci. 527, 102–122 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
 22.Matsui, M.: On correlation between the order of SBoxes and the strength of DES. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 366–375. Springer, Heidelberg (1995)CrossRefGoogle Scholar
 23.Nyberg, K.: Generalized Feistel networks. In: Kim, K., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 91–104. Springer, Heidelberg (1996)CrossRefGoogle Scholar
 24.Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128bit blockcipher CLEFIA (extended abstract). In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 181–195. Springer, Heidelberg (2007)CrossRefGoogle Scholar
 25.Tezcan, C.: The improbable differential attack: cryptanalysis of reduced round CLEFIA. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 197–209. Springer, Heidelberg (2010)CrossRefGoogle Scholar