A new quantum cryptanalysis method on block cipher Camellia

Symmetric cryptography is expected to be quantum safe when long-term security is needed. Kuwakado and Morii gave a 3-round quantum distinguisher of the Feistel cipher based on Simon's algorithm. However, the quantum distinguisher without considering the specific structure of the round function is not accurate enough. A new quantum cryptanalysis method for Feistel structure is studied here. It can make full use of the specific structure of the round function. The properties of Camellia round function and its linear transformation P are taken into account, and a 5-round quantum distinguisher is proposed. Then, the authors follow a key-recovery attack framework by Leander and May, that is, Grover-meet-Simon algorithm, and give a quantum key-recovery attack on 7-round Camellia in Q2 model with the time complexity of 2(24). It is the very first time that the specific structure of the round function is used to improve quantum attack on Camellia.