The higher-order meet-in-the-middle attack and its application to the Camellia block cipher (extended abstract)

Abstract

The meet-in-the-middle (MitM) attack is a technique for analysing the security of a block cipher. In this paper, we propose an extension of the MitM attack, which we call the higher-order meet-in-the-middle (HO-MitM) attack; the core idea of the HO-MitM attack is to use multiple plaintexts to cancel some key-dependent component(s) or parameter(s) when constructing a basic unit of "value-in-the-middle". We introduce a novel approach, which combines integral cryptanalysis with the MitM attack, to construct HO-MitM attacks on 10-round Camellia under 128 key bits, 11-round Camellia under 192 key bits and 12-round Camellia under 256 key bits, all of which include FL/FL-1 functions. Finally, we apply an existing approach to construct HO-MitM attacks on 14-round Camellia without FL/FL-1 functions under 192 key bits and 16-round Camellia without FL/FL-1 functions under 256 key bits. © Springer-Verlag 2012.