Best Truncated and Impossible Differentials of Feistel Block Ciphers with S-D (Substitution and Diffusion) or D-S Round Functions

摘要

This paper describes truncated and impossible differentials of Feistel block ciphers with round functions of 2-layer SPN (Substitution and Permutation Network) transformation modules such as the 128-bit block cipher Camellia, which was proposed by NTT and Mitsubishi Electric Corporation. Our work improves on the best known truncated and impossible differentials, and has found a nontrivial 9-round truncated differential that: may lead to a possible attack against, a reduced-round version of Camellia without input/output whitening, FL or FL~(-1) (Camellia-NFL), in the chosen plain text scenario. Previously, only 6-round differentials were known that may suggest a possible attack of Camellia-NFL reduced to 8-rounds. We also show a nontrivial 7-round impossible differential, whereas only a 5-round impossible differential was previously known. We also consider the truncated differential of a reduced-round version of Camellia (Camellia-DS) whose round functions are composed of D-S (Diffusion and Substitution) transformation modules and without input/output whitening, FL or FL~(-1) (Camellia-DS-NFL), and show a nontrivial 9-round truncated differential, which may lead to a possible attack in the chosen plain text scenario. This truncated differential is effective for general Feistel structures with round functions composed of S-D (Substitution and Diffusion) or D-S transformation.