Cryptanalysis of reduced versions of the Camellia block cipher

The Camellia block cipher has a 128-bit block length, a user key of 128, 192 or 256 bits long, and a total of 18 rounds for a 128-bit key and 24 rounds for a 192 or 256-bit key. It is a Japanese CRYPTRECrecommended e-government cipher, an European NESSIE selected cipher and an ISO international standard. In this paper, we describe a flaw in the approach used to choose plaintexts or ciphertexts in certain previously published square-like cryptanalytic results for Camellia and give possible approaches to correct them. Finally, by taking advantage of the early abort technique and a few observations on the key schedule, we present impossible differential attacks on 10-round Camellia with the FL/FL−1 functions under 128 key bits, 11-round Camellia with the FL/FL−1 functions under 192 key bits, 14-round Camellia without the FL/FL−1 functions under 192 key bits and 16-round Camellia without the FL/FL−1 functions under 256 key bits. These are better than any previously published cryptanalytic results for the respective versions of Camellia in terms of the numbers of attacked rounds.