Impossible Differential Cryptanalysis of Reduced-Round ARIA and Camellia

This paper studies thesecurity of the block ciphers ARIA and Camellia against impossibledifferential cryptanalysis. Our work improves the best impossibledifferential cryptanalysis of ARIA and Camellia known so far. Thedesigners of ARIA expected no impossible differentials exist for4-round ARIA. However, we found some nontrivial 4-round impossibledifferentials, which may lead to a possible attack on 6-round ARIA.Moreover, we found some nontrivial 8-round impossible differentialsfor Camellia, whereas only 7-round impossible differentials werepreviously known. By using the 8-round impossible differentials, wepresented an attack on 12-round Camellia without FL/FL^-1 layers.