Improved known-key distinguishers on Feistel-SP ciphers and application to camellia

This paper revisits previous known-key distinguishers on generic Feistel-SP ciphers based on rebound attacks. In this paper first we propose a new 5-round inbound phase that requires 2c computations, while the previous work requires 22c computations (c is a size of the S-box). The new method also improves the number of rounds which can be attacked. Then, we apply the new procedure to Camellia. After several optimizations for Camellia, it is shown that collisions are efficiently generated against 9 rounds out of 18 rounds of Camellia-128 including FL and whitening layers in the compression function modes such as MMO and Miyaguchi-Preneel modes. The attack on Camellia is verified by a machine experiment and the generated results are presented in the paper.