New Impossible Differential Attacks of Reduced-Round Camellia-192 and Camellia-256

Camellia, which is a block cipher selected as a standard by ISO/IEC, is one of the most widely used block ciphers. In this paper, we propose several 6-round impossible differentials of Camellia with FL/FL-1 layers in the middle of them. With the impossible differentials and a well-organized precomputed table, impossible differential attacks on 10-round Camellia-192 and 11-round Camellia-256 are given, and the time complexities are 2(175.3) and 2(206.8) respectively. In addition, an impossible differential attack on 15-round Camellia-256 without FL/FL-1 layers and whitening is also be given, which needs about 2(236.1) encryptions. To the best of our knowledge, these are the best cryptanalytic results of Camellia-192/-256 with FL/FL-1 layers and Camellia-256 without FL/FL-1 layers to date.