The Higher-Order Meet-in-the-Middle Attack and Its Application to the Camellia Block Cipher

(Extended Abstract)
  • Jiqiang Lu
  • Yongzhuang Wei
  • Jongsung Kim
  • Enes Pasalic
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7668)


The meet-in-the-middle (MitM) attack is a technique for analysing the security of a block cipher. In this paper, we propose an extension of the MitM attack, which we call the higher-order meet-in-the-middle (HO-MitM) attack; the core idea of the HO-MitM attack is to use multiple plaintexts to cancel some key-dependent component(s) or parameter(s) when constructing a basic unit of “value-in-the-middle”. We introduce a novel approach, which combines integral cryptanalysis with the MitM attack, to construct HO-MitM attacks on 10-round Camellia under 128 key bits, 11-round Camellia under 192 key bits and 12-round Camellia under 256 key bits, all of which include FL/FL⁻¹ functions. Finally, we apply an existing approach to construct HO-MitM attacks on 14-round Camellia without FL/FL⁻¹ functions under 192 key bits and 16-round Camellia without FL/FL⁻¹ functions under 256 key bits.


Keywords: Block cipher, Camellia, Meet-in-the-middle attack, Integral cryptanalysis





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Jiqiang Lu (1)
  • Yongzhuang Wei (2, 3)
  • Jongsung Kim (4)
  • Enes Pasalic (5)
  1. Institute for Infocomm Research, Agency for Science, Technology and Research, Singapore
  2. Guilin University of Electronic Technology, Guilin City, P.R. China
  3. State Key Lab of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing, China
  4. Department of e-Business, Kyungnam University, Kyungnam, Korea
  5. University of Primorska FAMNIT, Koper, Slovenia
