Quantum Chosen-Cipher Attack on Camellia

Abstract

The Feistel structure represents a fundamental architectural component within the domain of symmetric cryptographic algorithms, with a substantial body of research conducted within the context of classical computing environments. Nevertheless, research into specific symmetric cryptographic algorithms utilizing the Feistel structure is relatively scarce in quantum computing environments. This paper, for the first time, proposes a five-round distinguisher for Camellia under the quantum chosen-ciphertext attack (qCCA) setting, with its effectiveness empirically validated. Additionally, by combining Grover’s algorithm and Simon’s algorithm, we construct a nine-round key-recovery attack model against Camellia. Through an in-depth analysis of Camellia’s key expansion algorithm, we significantly reduce the complexity of the key-recovery attack. The proposed attack achieves a time complexity of 2^61.5 for recovering the correct key bits and requires 531 quantum bits.

1. Introduction

Quantum computing has the potential to address problems that are intractable for classical computing, particularly in the field of cryptanalysis. For certain complex problems, such as large-scale search or the identification of specific structures, the computational complexity on classical computers often grows exponentially. In contrast, quantum computing leverages quantum superposition and quantum parallelism to significantly improve computational efficiency. For example, Shor’s quantum algorithm [1] can break the classical RSA public-key encryption system in polynomial time, while Grover’s algorithm [2] reduces the time complexity of unstructured database search from the classical $O\left(2^n\right)$ to the quantum $O\left(2^{n/2}\right)$, posing a direct threat to the key search process of symmetric encryption algorithms. Similarly, Simon’s algorithm [3] can effectively break cryptographic schemes with specific structural properties by identifying the periodicity of certain functions. In addition, recent studies in the field of quantum computing have demonstrated that its applications have expanded to advanced domains such as secure communication and machine learning. For example, Zhou et al. [4] proposed a multi-party semi-quantum private comparison protocol based on d-dimensional GHZ states, which highlights significant advancements in leveraging quantum technology for privacy protection. Similarly, Akrom’s review [5] of quantum support-vector machines underscores the advantages of quantum computing in machine learning. These findings indicate that quantum computing is developing at a rapid pace and has emerged as a powerful tool for the field of cryptography. Thus, employing quantum algorithms to analyze the security of symmetric encryption algorithms is not only a critical approach to evaluating their resistance to quantum attacks but also provides valuable insights into the potential threats quantum computing poses to modern cryptography.

Until 2010, quantum attacks on symmetric ciphers were not considered a significant threat. However, when Kuwakado and others [6] first introduced a polynomial distinguisher for a three-round Feistel cipher under a quantum chosen-plaintext attack (qCPA) setting, this perspective changed. Since then, various quantum attacks on symmetric ciphers have been developed.

Zhandry [7], Kaplan [8], and others have proposed two different models for the quantum cryptanalysis of symmetric ciphers:

Standard Security (Q1 Model): A block cipher is standard secure against quantum adversaries if no efficient quantum algorithm can distinguish the block cipher from pseudorandom permutation (PRP or a PRF) by making only classical queries.

Quantum Security (Q2 Model): A block cipher is deemed quantum secure against quantum adversaries if no efficient quantum algorithm can distinguish the block cipher from PRP (or a PRF) even by making quantum queries.

This paper assumes that the attackers belong to the Q2 model. Recent studies have analyzed the security of symmetric ciphers under this model. In 2012, Kuwakado et al. [9] studied the quantum security of the EM cipher under the Q2 model, utilizing Simon’s algorithm to construct an efficient distinguisher under the qCPA setting, thereby proving that the quantum version of the EM cipher is not secure. Subsequently, in 2015, Dinur et al. [10] combined meet-in-the-middle and partitioning attacks to enhance attacks on Feistel structures of more than four rounds. In 2016, Kaplan [11] utilized Simon’s algorithm to break CBC-MAC, PMAC, and other symmetric cipher systems in polynomial time, demonstrating that Simon’s algorithm could be used for slide attacks, providing exponential acceleration. Leander et al. [12] in 2017 first combined Grover’s algorithm with Simon’s algorithm to construct a quantum attack framework, which was later applied to the analysis of FX structures. Since then, the Grover-meets-Simon algorithm has been extensively utilized by numerous scholars in the quantum analysis of symmetric ciphers. Following Kaplan et al.’s [11] development of quantum slide attacks, Hosoyamada and colleagues [13] in 2019 expanded upon these techniques, introducing a related-key attack on the EM cipher structure and presenting a two-round key-recovery attack on the EM cipher structure.

Dong et al. [14] combined Grover’s algorithm and Simon’s algorithm to introduce a new quantum key-recovery attack on Feistel structures with varying rounds. In 2019, Ito [15] and others proposed a novel distinguisher for Feistel structures under a quantum-chosen ciphertext attack (qCCA) setting. This distinguisher can differentiate, in polynomial time, between four-round Feistel-F and Feistel-KF constructions and six-round Feistel-FK structures from random permutations. Subsequently, quantum key-recovery attacks for r-round Feistel-KF and Feistel-FK structures were performed, achieving key-recovery in $O(2^{{\displaystyle \frac{(r-4)n}{4}}})$ and $O(2^{{\displaystyle \frac{(r-6)n}{4}}})$ time, respectively. In the same year, Dong et al. [16] conducted a study on quantum distinguisher and key recovery attacks for two generalized Feistel structure (GFS) algorithms. They constructed $2d-1$ rounds of quantum distinguisher against d-branch Type-1 GFS and $2d+1$ rounds of quantum distinguisher against 2d-branch Type-2 GFS. Using these quantum distinguishers, key-recovery attacks were conducted on the Type-1 and Type-2 GFS ciphers over $d^2-d+2$ and $4d$ rounds, respectively, with time complexities of $O(2^{({\displaystyle \frac{1}{2d^2}}-{\displaystyle \frac{3}{2d}}+2)·{\displaystyle \frac{n}{2}}})$ and $O(2^{{\displaystyle \frac{d^{2}n}{2}}})$.

Ito et al. [17] also designed a polynomial-level quantum distinguisher under the qCPA setting for $3d-3$ round configurations of Type-1 GFS, along with a $d^2-d+1$ round version under the qCCA setting. Based on these distinguishers, key-recovery attacks were performed on r-round Type-1 GFS ciphers, with complexities of $O(2^{\left({\displaystyle \frac{d^2}{2}}-{\displaystyle \frac{3d}{2}}+2\right)·{\displaystyle \frac{k}{2}}+{\displaystyle \frac{\left(r-d^2\right)k}{2}}})$ and $O(2^{{\displaystyle \frac{\left(r-\left(d^2-d+1\right)\right)k}{2}}})$.

Ni et al. [18] introduce a $3d-3$ rounds of quantum distinguisher on Type-1 GFS under the Q2 model and also investigate quantum attacks against the CAST-256 block cipher. In 2020, Cid et al. [19] demonstrated a qCPA on contracting Feistel structures and studied related-key attacks on balanced Feistel structures. That same year, Hodzic et al. [20], based on Simon’s algorithm, developed a construction for seven-round and eight-round quantum distinguishers for generalized Feistel structures under the qCPA setting. In 2021, Li et al. [21] examined the round functions and linear transformation P of Camellia, presenting a five-round quantum distinguisher and, under the qCPA setting, proposed a seven-round Camellia algorithm key-recovery attack with a complexity of $2^{24}$.

Cui et al. [22] initially defined weakly periodic functions, thereby extending the application scope of Simon’s algorithm and further constructing several variant Feistel structure distinguishers. They proposed quantum key-recovery attacks for Feistel variants. In 2022, Canale et al. [23] provided an automated periodic function search algorithm under a quantum computing model, implementing key-recovery attacks for the five-round Feistel-FK structure. In 2023, Xu et al. [24], based on the divisibility of branch output functions, proposed quantum attacks on two types of GFS under the qCPA setting. They constructed quantum distinguishers for an 8-round 4F and a 5-round 2F under the Q2 model, conducting 12-round and 7-round quantum key-recovery attacks, respectively. Additionally, they constructed a six-round 2F quantum distinguisher on a weak divisibility basis, performing an eight-round quantum key-recovery attack.

In the same year, Sun et al. [25] studied the security of Type-1 generalized Feistel structures, constructing a quantum distinguisher for a d-branch $d^2-1$ round Type-1 GFS structure under the qCCA setting. Furthermore, under the qCPA setting for the Type-1 block cipher CAST-256, they introduced a 17-round quantum distinguisher and constructed a quantum key-recovery attack with a complexity of $O(2^{{\displaystyle \frac{37(r-17)}{2}}})$.

The rapid advancement of quantum computing has necessitated the development and evaluation of post-quantum cryptographic (PQC) schemes to ensure secure communication in the quantum era. Recent studies have highlighted both the practical applications and potential vulnerabilities of PQC. For instance, Aslam et al. [26] proposed a quantum-resilient blockchain-enabled secure communication framework for connected autonomous vehicles, demonstrating the applicability of PQC in real-world IoT scenarios. Similarly, Sim et al. [27] investigated the side-channel vulnerabilities of lattice-based cryptographic schemes, particularly CRYSTALS-KYBER, and introduced a chosen-ciphertext clustering attack by leveraging the side-channel leakage of Barrett reduction. Their attack achieved a 100% success rate in recovering secret keys on ARM Cortex-M4 microcontrollers. These findings underscore the dual necessity of ensuring mathematical robustness and addressing side-channel resistance in PQC implementations, especially in resource-constrained environments such as IoT devices.

Based on the findings of prior research, it is apparent that studies conducted under the qCCA model remain inadequate, and numerous aspects remain unexplored. Studies demonstrate that numerous schemes proven secure under qCPA can be compromised by quantum algorithms like Simon’s algorithm in qCCA settings. More significantly, the NIST Post-Quantum Cryptography Standardization Project has adopted the Q2 model (i.e., qCCA security) as a core evaluation criterion. Consequently, analysis under qCCA conditions constitutes an essential benchmark for assessing the quantum security of block cipher algorithms.

The paper presents a five-round distinguisher for Camellia algorithm [28] under the qCCA setting. This is achieved by studying the round function and the characteristics of the key scheduling algorithm. Additionally, a key recovery attack model is proposed, and the complexity of nine rounds of Camellia recovery key under the quantum computing model is analyzed using the distinguisher.

2. Preliminaries

2.1. Notation and Acronyms

The notations used in this paper and their explanations are presented in

Table 1. Notations and Their Definitions.

Symbol	Description
$X_i$	Output on the left side of the i-th round in the Feistel structure
$X_{i-1}$	Output on the right side of the i-th round in the Feistel structure
$F_i$	Round function of the i-th round in the Feistel structure
$k_i$	Round key for the i-th round
$<<<$	Circular left shift operation
$>>>$	Circular right shift operation
$k_{i,j}$	The j-th byte of the round key for the i-th round
$S_i$	S-box substitution in the round function of the i-th round
∩	Logical AND operation
∪	Logical OR operation

.

List of the acronyms and their definitions used in this paper in

Table 2. Acronyms and their definitions.

Acronym	Definition
IoT	Internet of Things
qCPA	Quantum Chosen-Plaintext Attack
qCCA	Quantum Chosen-Ciphertext Attack
GFS	Generalized Feistel Structure
SP	Substitution–Permutation Network
PQC	Post-Quantum Cryptographic

.

2.2. Brief Description of Camellia Algorithm

The Camellia algorithm [28], jointly designed by NTT and Mitsubishi Electric in 2000, is known for its high security and efficient performance on both hardware and software platforms. It was selected as a winning algorithm in the European NESSIE project in 2003, recommended in Japan’s CRYPTREC initiative the same year, became an IETF standard in 2004, and adopted as an ISO/IEC standard in 2005.

Camellia is based on a Feistel structure with a block length of 128 bits and supports key lengths of 128, 192, and 256 bits, corresponding to 18, 24, and 32 rounds, respectively.

2.2.1. Camellia Encryption Transformation

The encryption transformation of Camellia involves differing initial and final whitening keys, with $FL/F{L}^{-1}$ functions inserted every six rounds. For the 128-bit key version, the process consists of three six-round Feistel structures and two rounds of $FL/F{L}^{-1}$ functions. Below, Camellia with a 128-bit key is described in Figure 1.

The plaintext $\mathrm{M}$ is 128 bits, the whitening key $k{w}_i(1\le i\le 4)$ is 64 bits, and the round key $k_i(1\le i\le$ 18) is 64 bits. The key $k{l}_i(1\le i\le 4)$ utilized in each $FL/F{L}^{-1}$ function is 32 bits, and the final output ciphertext $\mathrm{C}$ is 128 bits. The specific encryption process is as follows:

(1)

Plaintext Whitening

A 128-bit plaintext M undergoes an XOR operation with the whitening key $k{w}_1\parallel k{w}_2$, resulting in two parts: the left 64 bits $X_{-1}$ and the right 64 bits $X_0$, such that $M\oplus \left(k{w}_1\parallel k{w}_2\right)=X_{-1}\parallel X_0$.

(2)

Round Iteration

For each round of the Feistel structure, let $X_i$ denote the left output of the i-th round, and $X_{i-1}$ denote the right output of the i-th round. For $i=1,2,\dots ,18$, excluding $i=6$ and $i=12$, the i-th round transformation is performed as follows:

$$X_i=X_{i-2}\oplus F\left(X_{i-1},k_i\right)$$

(1)

For $i=6,12$, the transformation is as follows:

$$\begin{array}{cc}\hfill {X^{\prime }}_i=X_{i-2}\oplus F\left(X_{i-1},k_i\right)X_i& =FL\left({X^{\prime }}_i,k{l}_{i/3-1}\right)\hfill \\ \hfill X_{i-1}=F{L}^{-1}(X_{i-1},k{l}_{i/3})\end{array}$$

(2)

(3)

Pre-whitening of ciphertext output

The final round output $X_{18}\parallel X_{17}$ is XORed with the whitening keys $k{w}_3\parallel k{w}_4$, producing the whitened ciphertext $C=\left(X_{18}\parallel X_{17}\right)\oplus \left(k{w}_3\parallel k{w}_4\right)$.

The $FL$ and $F{L}^{-1}$ transformations are defined as follows:

$$\begin{array}{cc}\hfill & FL:F_2^{64}\to F_2^{64},\hfill \\ \hfill & \left(X_L∥X_R,k{l}_L∥k{l}_R\right)\mapsto Y_L\parallel Y_R,\hfill \\ \hfill & Y_R=\left(\left(X_L\cap k{l}_L\right)\ll 1\right)\oplus X_R,Y_L=\left(Y_R\cup k{l}_R\right)\oplus X_L\hfill \\ \hfill & F{L}^{-1}:{\mathrm{F}}_2^{64}\to {\mathrm{F}}_2^{64},\hfill \\ \hfill & \left(Y_L∥Y_R,k{l}_R∥k{l}_L\right)\mapsto X_L\parallel X_R,\hfill \\ \hfill & X_L=\left(Y_R\cup k{l}_R\right)\oplus Y_L,X_R=\left(\left(X_L\cap k{l}_L\right)\ll 1\right)\oplus Y_R.\hfill \end{array}$$

(3)

where ∩ represents bitwise logical “AND” operation; ∪ represents bitwise logical “OR” operation. In the Feistel structure, the function F during step (2) utilizes an SP structure design that incorporates round key XOR operations, S-box lookups, and the permutation $\mathbf{P}$. The final output of function $\mathrm{F}$ is formed by the outputs of eight S-boxes after undergoing the permutation $\mathbf{P}$, as depicted in Figure 2. The specific steps involved are outlined below:

(1)

Round Key XOR

A 64-bit input is divided into eight bytes. Each byte is then XORed with a corresponding round key byte before proceeding to the next step.

(2)

S-Box Lookup

The XORed bytes sequentially query eight S-boxes in the order of $s1,s2,s3,s4,s2,s3,s4,s1$.

(3)

Permutation $\mathbf{P}$

The output from the S-boxes undergoes a linear transformation, described as follows.

$$\begin{array}{cc}\hfill & y_1=x_1\oplus x_3\oplus x_4\oplus x_6\oplus x_7\oplus x_8;y_5=x_1\oplus x_2\oplus x_6\oplus x_7\oplus x_8\hfill \\ \hfill & y_2=x_1\oplus x_2\oplus x_4\oplus x_5\oplus x_7\oplus x_8;y_6=x_2\oplus x_3\oplus x_5\oplus x_7\oplus x_8\hfill \\ \hfill & y_3=x_1\oplus x_2\oplus x_3\oplus x_5\oplus x_6\oplus x_8;y_7=x_3\oplus x_4\oplus x_5\oplus x_6\oplus x_8\hfill \\ \hfill & y_4=x_2\oplus x_3\oplus x_4\oplus x_5\oplus x_6\oplus x_7;y_8=x_1\oplus x_4\oplus x_5\oplus x_6\oplus x_7\hfill \end{array}$$

(4)

The final output order is $\left(y_8,y_7,y_6,y_5,y_4,y_3,y_2,y_1\right)$. The diffusion layer $\mathbf{P}$ and its inverse ${\mathbf{P}}^{-1}$ have the following coefficient matrices:

$$\mathbf{P}=\left[\begin{array}{cccccccc}0\hfill & 1\hfill & 1\hfill & 1\hfill & 1\hfill & 0\hfill & 0\hfill & 1\hfill \\ 1\hfill & 0\hfill & 1\hfill & 1\hfill & 1\hfill & 1\hfill & 0\hfill & 0\hfill \\ 1\hfill & 1\hfill & 0\hfill & 1\hfill & 0\hfill & 1\hfill & 1\hfill & 0\hfill \\ 1\hfill & 1\hfill & 1\hfill & 0\hfill & 0\hfill & 0\hfill & 1\hfill & 1\hfill \\ 0\hfill & 1\hfill & 1\hfill & 1\hfill & 1\hfill & 1\hfill & 1\hfill & 0\hfill \\ 1\hfill & 0\hfill & 1\hfill & 1\hfill & 0\hfill & 1\hfill & 1\hfill & 1\hfill \\ 1\hfill & 1\hfill & 0\hfill & 1\hfill & 1\hfill & 0\hfill & 1\hfill & 1\hfill \\ 1\hfill & 1\hfill & 1\hfill & 0\hfill & 1\hfill & 1\hfill & 0\hfill & 1\hfill \end{array}\right], {\mathbf{P}}^{-1}=\left[\begin{array}{cccccccc}1\hfill & 1\hfill & 1\hfill & 0\hfill & 1\hfill & 0\hfill & 0\hfill & 1\hfill \\ 0\hfill & 1\hfill & 1\hfill & 1\hfill & 1\hfill & 1\hfill & 0\hfill & 0\hfill \\ 1\hfill & 0\hfill & 1\hfill & 1\hfill & 0\hfill & 1\hfill & 1\hfill & 0\hfill \\ 1\hfill & 1\hfill & 0\hfill & 1\hfill & 0\hfill & 0\hfill & 1\hfill & 1\hfill \\ 0\hfill & 1\hfill & 1\hfill & 1\hfill & 0\hfill & 1\hfill & 1\hfill & 1\hfill \\ 1\hfill & 0\hfill & 1\hfill & 1\hfill & 1\hfill & 0\hfill & 1\hfill & 1\hfill \\ 1\hfill & 1\hfill & 0\hfill & 1\hfill & 1\hfill & 1\hfill & 0\hfill & 1\hfill \\ 1\hfill & 1\hfill & 1\hfill & 0\hfill & 1\hfill & 1\hfill & 1\hfill & 0\hfill \end{array}\right]$$

(5)

Figure 2. The round function of Camellia.

Figure 2. The round function of Camellia.

2.2.2. Key Expansion Algorithm

The round keys used in the encryption process are generated from a 256-bit initial key $k_{L\left(128\right)}\parallel k_{R\left(128\right)}$. Initially, $k_{L\left(128\right)}\parallel k_{R\left(128\right)}$ is input into the Feistel structure with round constants $\mathrm{\Sigma }1,\mathrm{\Sigma }2,\mathrm{\Sigma }3,\mathrm{\Sigma }4,\mathrm{\Sigma }5,\mathrm{\Sigma }6$. After four rounds, 128-bit $k_{A\left(128\right)}$ is generated, and after six rounds, 128-bit $k_{B\left(128\right)}$ is produced. The structure of the algorithm is shown in Figure 3. The six round constants involved in generating $k_{A\left(128\right)}$ and $k_{B\left(128\right)}$ are:

$$\begin{array}{cc}\hfill & {\mathrm{\Sigma }}_1=0xA09E667F3BCC908B\hfill \\ \hfill & {\mathrm{\Sigma }}_2=0xB67AE8584CAA73B2\hfill \\ \hfill & {\mathrm{\Sigma }}_3=0xC6EF372FE94F82BE\hfill \\ \hfill & {\mathrm{\Sigma }}_4=0x54FF53A5F1D26F1C\hfill \\ \hfill & {\mathrm{\Sigma }}_5=0x10E527FADE682D1D\hfill \\ \hfill & {\mathrm{\Sigma }}_6=0xB05688C2B3E6C1FD\hfill \end{array}$$

(6)

In the 128-bit version of the master key, the 256-bit initial key is defined as: $k_{L\left(128\right)}∥k_{R\left(128\right)}=k∥0$. The round keys for each round are derived by shift transformations of the initial key $K_L$ and $K_A$, as summarized in

Table 3. Wheel keys for each wheel.

Round	Round Key	Round Key Value	Round	Round Key	Round Key Value
Pre-whitening	$k{w}_{1\left(64\right)}$	${\left(k_L<<<0\right)}_{L\left(64\right)}$	$\mathrm{F}($Round10)	$k_{10\left(64\right)}$	${\left(k_L<<<60\right)}_{R\left(64\right)}$
Pre-whitening	$k{w}_{2\left(64\right)}$	${\left(k_L<<<0\right)}_{R\left(64\right)}$	$\mathrm{F}($Round11)	$k_{11\left(64\right)}$	${\left(k_A<<<60\right)}_{L\left(64\right)}$
$\mathrm{F}($Round1)	$k_{1\left(64\right)}$	${\left(k_A<<<0\right)}_{L\left(64\right)}$	$\mathrm{F}($Round12)	$k_{12\left(64\right)}$	${\left(k_A<<<60\right)}_{R\left(64\right)}$
$\mathrm{F}($Round2)	$k_{2\left(64\right)}$	${\left(k_A<<<0\right)}_{R\left(64\right)}$	$\mathrm{FL}$	$k{l}_{3\left(64\right)}$	${\left(k_L<<<77\right)}_{L\left(64\right)}$
F (Round3)	$k_{3\left(64\right)}$	${\left(k_L<<<15\right)}_{L\left(64\right)}$	${\mathrm{FL}}^{-1}$	$k{l}_{4\left(64\right)}$	${\left(k_L<<<77\right)}_{R\left(64\right)}$
$\mathrm{F}($Round4)	$k_{4\left(64\right)}$	${\left(k_L<<<15\right)}_{R\left(64\right)}$	$\mathrm{F}($Round13)	$k_{13\left(64\right)}$	${\left(k_L<<<94\right)}_{L\left(64\right)}$
F (Round5)	$k_{5\left(64\right)}$	${\left(k_A<<<15\right)}_{L\left(64\right)}$	$\mathrm{F}($Round14)	$k_{14\left(64\right)}$	${\left(k_L<<<94\right)}_{R\left(64\right)}$
F (Round6)	$k_{6\left(64\right)}$	${\left(k_A<<<15\right)}_{R\left(64\right)}$	$\mathrm{F}($Round15)	$k_{15\left(64\right)}$	${\left(k_A<<<94\right)}_{L\left(64\right)}$
$\mathrm{FL}$	$k{l}_{1\left(64\right)}$	${\left(k_A<<<30\right)}_{L\left(64\right)}$	$\mathrm{F}($Round16)	$k_{16\left(64\right)}$	${\left(k_A<<<94\right)}_{R\left(64\right)}$
${\mathrm{FL}}^{-1}$	$k{l}_{2\left(64\right)}$	${\left(k_A<<<30\right)}_{R\left(64\right)}$	$\mathrm{F}($Round17)	$k_{17\left(64\right)}$	${\left(k_L<<<111\right)}_{L\left(64\right)}$
$\mathrm{F}($Round7)	$k_{7\left(64\right)}$	${\left(k_L<<<45\right)}_{L\left(64\right)}$	$\mathrm{F}($Round18)	$k_{18\left(64\right)}$	${\left(k_L<<<111\right)}_{R\left(64\right)}$
F Round8)	$k_{8\left(64\right)}$	${\left(k_L<<<45\right)}_{R\left(64\right)}$	Post-whitening	$k{w}_{3\left(64\right)}$	${\left(k_A<<<111\right)}_{L\left(64\right)}$
F (Round9)	$k_{9\left(64\right)}$	${\left(k_A<<<45\right)}_{L\left(64\right)}$	Post-whitening	$k{w}_{4\left(64\right)}$	${\left(k_A<<<111\right)}_{R\left(64\right)}$

.

2.3. Related Algorithms

In this section, we offer a concise overview of classical quantum algorithms, specifically Simon’s algorithm, Grover’s algorithm, and the Grover-meets-Simon algorithm.

2.3.1. Simon’s Algorithm

Given a Boolean function $f:{\{0,1\}}^n\to {\{0,1\}}^n$, which is guaranteed to satisfy $f\left(x\right)=f\left(y\right)\iff x\oplus y\in \{0,s\}$, it means the function has a period s and we need to find s. Classically, the optimal time to find period s is $O\left(2^{n/2}\right)$. Nevertheless, Simon [3] introduced an algorithm that significantly expedites this process, requiring only $O\left(n\right)$ queries to determine $\mathrm{s}$. This algorithm comprises the following five steps:

(1)

Initialize two n-bit quantum registers in state ${|0\rangle }^{\otimes n}{|0\rangle }^{\otimes n}$ and apply the Hadamard transform to the first register to obtain the corresponding superposition state.

$$H^{\otimes n}|0\rangle |0\rangle ={\displaystyle \frac{1}{\sqrt{2^n}}}\sum _{x\in {\{0,1\}}^n}|x\rangle |0\rangle$$

(7)

(2)

Conduct a quantum query on function f and map it to the current state.

$${\displaystyle \frac{1}{\sqrt{2^n}}}\sum _{x\in {\{0,1\}}^n}|x\rangle |f\left(x\right)\rangle$$

(8)

(3)

Measure the second register, reducing the first register to the following state:

$${\displaystyle \frac{1}{\sqrt{2}}}\left(\right|z\rangle +|z\oplus s\rangle )$$

(9)

(4)

Apply the Hadamard transform to the first register to obtain

$${\displaystyle \frac{1}{\sqrt{2}}}{\displaystyle \frac{1}{\sqrt{2^n}}}\sum _{y\in {\{0,1\}}^n}{(-1)}^{y·z}\left(1+{(-1)}^{y·s}\right)|y\rangle$$

(10)

(5)

In this superposition state, the amplitudes corresponding to $y·s=1$ are zero. As a result, for any measurement of y, it is always true that $y·s=0$. By iterating this process $O\left(n\right)$ times, a set of linear equations can be constructed. Solving this system of equations results in determining the value of s.

At ISIT2010, Kuwawkado et al. [6] presented a quantum distinguishing attack on a three-round Feistel cipher constructed using Simon’s algorithm. As illustrated in Figure 4, ${\alpha }_0$ and ${\alpha }_1$ are arbitrary constants.

$$\begin{array}{cc}\hfill & f:\{0,1\}\times {\{0,1\}}^n\to {\{0,1\}}^n\hfill \\ \hfill & b,x\to {\alpha }_b\oplus X_2,\left(X_3,X_2\right)=E\left({\alpha }_b,x\right)\hfill \\ \hfill & f(b,x)=F_2\left(F_1\left({\alpha }_b\right)\oplus x\right)\hfill \end{array}$$

(11)

Let f be a periodic function satisfying $f(b,x)=f\left(b\oplus 1,x\oplus F_1\left({\alpha }_0\right)\oplus F_1\left({\alpha }_1\right)\right)$. Subsequently, the period $s=$$1\parallel F_1\left({\alpha }_0\right)\oplus F_1\left({\alpha }_1\right)$ can be obtained in polynomial time by employing Simon’s algorithm.

2.3.2. Grover’s Algorithm

When dealing with an unordered set of $N=2^n$ elements, Grover’s algorithm [2] is employed to pinpoint a unique element that fulfills certain criteria. Specifically, a quantum oracle O is used, which performs the operation $O|x\rangle =$${(-1)}^{f\left(x\right)}|x\rangle$, where $f\left(x\right)=0$ for all x except $x_0$ within the range $0\le x<2^n$, and $f\left(x_0\right)=1$. The goal is to determine $x_0$. The most efficient classical algorithm for searching this unordered data has a time complexity of $O\left(N\right)$. However, Grover’s algorithm, executed on a quantum computer, dramatically reduces this to merely $O\left(\sqrt{N}\right)$ operations. The algorithm proceeds as follows:

(1)

Initialize an n-bit register ${|0\rangle }^{\otimes n}$ and apply the Hadamard transform to the first register to achieve the corresponding superposition state, as shown in Equation (12):

$$H^{\otimes n}|0\rangle ={\displaystyle \frac{1}{\sqrt{2^n}}}\sum _{x\in {\{0,1\}}^n}|x\rangle =|\phi \rangle$$

(12)

(2)

Construct a quantum oracle $O:|x\rangle \to {(-1)}^{f\left(x\right)}|x\rangle$, if x is the correct state, then $f\left(x\right)=1$; otherwise, $f\left(x\right)=0$.

(3)

Define the Grover iteration: $\left(2\right|\phi \rangle \langle \phi |-I)O$, and iterate this operation $R\approx \pi \sqrt{2^n}/4$ times:

$${\left[\left(2\right|\phi \rangle \langle \phi |-I)O\right]}^R|\phi \rangle \approx \left|x_0\right.〉$$

(13)

(4)

Return $x_0$.

2.3.3. Grover-Meets-Simon

During the 2017 ASIACRYPT conference, Leander et al. [12] presented a quantum key recovery attack approach that integrates Grover’s algorithm with Simon’s algorithm, specifically targeting the FX structure, depicted in Figure 5. The FX structure fulfills the given equation:

$$Enc\left(x\right)=E_{k_0}\left(x+k_1\right)+k_2$$

(14)

Reference [12] constructs the function $f(k,x)=Enc\left(x\right)+E_k\left(x\right)=E_{k_0}\left(x+k_1\right)+k_2+E_k\left(x\right)$. When the correct key guess $k=k_0$, it holds that $f(k,x)=f\left(k,x+k_1\right)$. However, for $k\ne k_0$, the function is not periodic. Under the qCPA setting, Reference [10] employs a combination of Simon’s algorithm and Grover’s algorithm to attack the FX structure.

Based on the work of Leander [12], Hosoyamada et al. [29] and Dong et al. [14] added a few rounds behind the three-round Feistel structured distinguisher shown in Figure 4 for recovering the keys of the Feistel encryption algorithm for the r rounds, with a time complexity of $O\left(2^{(r-3)n/2}\right)$.

3. Construction of Periodic Functions

This chapter presents a brief description of the periodic function of four-round Feistel structure proposed by ITO et al. [15]. Additionally, a periodic function for the Camellia algorithm is constructed and verified to be correct.

3.1. The Periodic Function of Four-Round Feistel Structure

At RSA 2019, Ito et al. introduced the design of periodic functions for a four-round Feistel cipher. They developed a quantum distinguisher and presented a key recovery attack against the Feistel structure. We will now describe the method for constructing a periodic function for a four-round Feistel structure, as proposed in Reference [15]. Figure 6 illustrates the structure of the periodic function.

The four-round Feistel-F encryption structure is denoted as ${\mathrm{FF}}_4$, and its corresponding decryption structure is represented by ${\mathrm{FF}}_4^{-1}$. The round functions of Feistel-F are signified by $F_1,\dots ,F_4\in$ Func ( $n/2$ ). The plaintext input $(a,b)\in {\left({\{0,1\}}^{n/2}\right)}^2$ to ${\mathrm{FF}}_4$, which outputs the ciphertext $(c,d)\in {\left({\{0,1\}}^{n/2}\right)}^2$. The encryption structure $(a,b)\mapsto$$(c,d)$ is defined as follows:

$$\begin{array}{c}c=a\oplus F_1\left(b\right)\oplus F_3\left(b\oplus F_2\left(a\oplus F_1\left(b\right)\right)\right)\\ d=b\oplus F_2\left(a\oplus F_1\left(b\right)\right)\oplus F_4\left(a\oplus F_1\left(b\right)\oplus F_3\left(b\oplus F_2\left(a\oplus F_1\left(b\right)\right)\right)\right)\end{array}$$

(15)

The decryption structure $(c,d)\mapsto (a,b)$ is defined as follow:

$$\begin{array}{c}a=c\oplus F_3\left(d\oplus F_4\left(c\right)\right)\oplus F_1\left(d\oplus F_4\left(c\right)\oplus F_2\left(c\oplus F_3\left(d\oplus F_4\left(c\right)\right)\right)\right)\\ b=d\oplus F_4\left(c\right)\oplus F_2\left(c\oplus F_3\left(d\oplus F_4\left(c\right)\right)\right)\end{array}$$

(16)

For the input plaintext $\left({\alpha }_{\beta },x\right)$, the encryption and decryption structures can be further simplified.The simplified structure is depicted in Figure 7. The function $f^o(\beta \parallel x)$ is described as:

$$\begin{array}{c}{f}^o(\beta \parallel x)={\alpha }_0\oplus {\alpha }_1\oplus F_2\left(x\oplus F_1\left({\alpha }_{\beta }\right)\right)\oplus F_2\left(x\oplus F_1\left({\alpha }_{\beta }\right)\oplus F_3\left({\alpha }_{\beta }\oplus F_2\left(x\oplus F_1\left({\alpha }_{\beta }\right)\right)\right)\right.\\ \left.\oplus F_3\left({\alpha }_{\beta }\oplus {\alpha }_0\oplus {\alpha }_1\oplus F_2\left(x\oplus F_1\left({\alpha }_{\beta }\right)\right)\right)\right)\end{array}$$

(17)

Theorem 1.

Define $Z_{(\beta \parallel x)}=F_1\left({\alpha }_{\beta }\right)\oplus x$. Then, $Z_{(\beta \parallel x)}$ is a periodic function with a period $s=1\parallel \left(F_1\left({\alpha }_0\right)\oplus F_1\left({\alpha }_1\right)\right)$.

Proof of Theorem 1.

$Z_{\left(\right(\beta \parallel x)\oplus s)}=x\oplus F_1\left({\alpha }_0\right)\oplus F_1\left({\alpha }_1\right)\oplus F_1\left({\alpha }_{(\beta \oplus 1)}\right)=x\oplus F_1\left({\alpha }_{\beta }\right)=Z_{(\beta \parallel x)}$. □

It is straightforward to demonstrate that $Z_{(\beta \parallel x)}$ is a periodic function. The output function $f^{\circ }(\beta \parallel x)$ can be described as follows:

$$f^o(\beta \parallel x)={\alpha }_0\oplus {\alpha }_1\oplus F_2\left(Z_{\beta \parallel x}\right)\oplus F_2\left(Z_{\beta \parallel x}\oplus F_3\left({\alpha }_0\oplus F_2\left(Z_{\beta \parallel x}\right)\right)\oplus F_3\left({\alpha }_1\oplus F_2\left(Z_{\beta \parallel x}\right)\right)\right)$$

(18)

It can be deduced that $f^o(\beta \parallel x)$ is a periodic function with a period of s.

Figure 7. The equivalent structure of 4-round Feistel structure periodic function.

Figure 7. The equivalent structure of 4-round Feistel structure periodic function.

3.2. Construction of Periodic Functions for Camellia

In this section, we aim to construct a periodic function for Camellia, leveraging the periodic function construction methods outlined in the preceding section. To commence, we construct the five-round periodic function structure as illustrated in Figure 8.

In the illustrated structure, $F_5$ and $F_1$ do not participate in the construction of the periodic function $f^o(\beta \parallel x)$, thus the structure can be further simplified as shown in Figure 9.

Let the inputs for the two branches be $\left(\mathbf{000000}{\alpha }_{\beta }\mathbf{0}\right)$ and $\mathbf{P}\left(\mathbf{000000}x\mathbf{0}\right)$, where $\mathbf{0}$ represents a sequence of eight zero bits. The variables ${\alpha }_{\beta }$ and x are both byte variables, both of which are located at the sixth byte. Byte indexing starts at 0 in this article. The input $\mathbf{P}\left(\mathbf{000000}x\mathbf{0}\right)$ is obtained from ($\mathbf{000000}x\mathbf{0})$ through a permutation $\mathbf{P}$.

After the first round function transformation, we obtain the output $X_1$ as

$$X_1=F_1\left(X_0\right)\oplus X_{-1}=F_1\left(\mathbf{000000}{\alpha }_{\beta }\mathbf{0}\right)\oplus \mathbf{P}\left(\mathbf{000000}x\mathbf{0}\right)=\mathbf{P}(\mathbf{000000}\ast \mathbf{0})$$

(19)

where $\ast =s_1\left({\alpha }_{\beta }\right)\oplus x,s_{\mathrm{i}}$ is the s transformation of the i-th round function. Given the characteristics of Camellia algorithm’s $\mathrm{P}$ permutation matrix, we obtain the output $X_2$ as:

$$X_2=F_2\left(X_1\right)\oplus X_0=\mathbf{P}\left(\mathbf{00}\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathbf{0}\right)\oplus \left(\mathbf{000000}{\alpha }_{\beta }\mathbf{0}\right)$$

(20)

Within this structure, each symbol $\mathrm{\Delta }$ is distinct and consists solely of bytes related to *. The output obtained above continues to participate in the round function operation, and we can obtain the subsequent output as shown in the following equations:

$$\begin{array}{cc}\hfill & X_3=X_1\oplus F_3\left(X_2\right)=\mathbf{P}(\mathbf{000000}\ast \mathbf{0})\oplus F_3\left(\mathbf{P}\left(\mathbf{00}\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathbf{0}\right)\oplus \left(\mathbf{000000}{\alpha }_{\beta }\mathbf{0}\right)\right)\hfill \\ \hfill & =\mathbf{P}(\mathbf{000000}\ast \mathbf{0})\oplus F_3\left(\left(\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\right)\oplus \left(\mathbf{000000}{\alpha }_{\beta }\mathbf{0}\right)\right)\hfill \\ \hfill & =\mathbf{P}(\mathbf{000000}\ast \mathbf{0})\oplus F_3(\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }?\mathrm{\Delta })\hfill \\ \hfill & =\mathbf{P}(\mathbf{000000}\ast \mathbf{0})\oplus \mathbf{P}(\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }?\mathrm{\Delta })\hfill \\ \hfill & =\mathbf{P}(\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }?\mathrm{\Delta })\hfill \end{array}$$

(21)

The symbol ? is used to indicate a byte where the periodicity of the function cannot be determined.

$$\begin{array}{cc}\hfill & X_4=F_4\left(X_3\right)\oplus X_2=F_4\left(\mathbf{P}(\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }?\mathrm{\Delta })\right)\oplus \mathbf{P}\left(\mathbf{00}\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathbf{0}\right)\oplus \left(\mathbf{000000}{\alpha }_{\beta }\mathbf{0}\right)\hfill \\ \hfill & =F_4(\mathrm{\Delta }\mathrm{\Delta }?????\mathrm{\Delta })\oplus \mathbf{P}\left(\mathbf{00}\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathbf{0}\right)\oplus \left(\mathbf{000000}{\alpha }_{\beta }\mathbf{0}\right)\hfill \end{array}$$

(22)

$$\begin{array}{cc}\hfill & X_2^{\prime }=F_4\left(X_3\oplus \left(\mathbf{0}\alpha \mathbf{000000}\right)\right)\oplus X_4=F_4((\mathrm{\Delta }\mathrm{\Delta }?????\mathrm{\Delta })\oplus \left(\mathbf{0}\alpha \mathbf{000000}\right))\oplus X_4\hfill \\ \hfill & =\mathbf{P}\left(\mathrm{\Delta }{\alpha }^{\prime }?????\mathrm{\Delta }\right)\oplus \mathbf{P}(\mathrm{\Delta }\mathrm{\Delta }?????\mathrm{\Delta })\oplus \mathbf{P}\left(\mathbf{00}\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathbf{0}\right)\oplus \left(\mathbf{000000}{\alpha }_{\beta }\mathbf{0}\right)\hfill \\ \hfill & =\mathbf{P}\left(\mathrm{\Delta }{\alpha }^{\prime }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\right)\oplus \left(\mathbf{000000}{\alpha }_{\beta }\mathbf{0}\right)\hfill \end{array}$$

(23)

$$X_1^{\prime }=F_3\left(X_2^{\prime }\right)\oplus X_3^{\prime }=\mathbf{P}(\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }?\mathrm{\Delta })\oplus X_3\oplus \left(\mathbf{0}\alpha \mathbf{000000}\right)=\mathbf{P}(\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }?\mathrm{\Delta })$$

(24)

$$X_0^{\prime }=X_2^{\prime }\oplus F_2\left(X_1^{\prime }\right)=\mathbf{P}\left(\mathrm{\Delta }{\alpha }^{\prime }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\right)\oplus \left(\mathbf{000000}{\alpha }_{\beta }\mathbf{0}\right)\oplus S_2\mathbf{P}\left(\mathbf{P}(\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }?\mathrm{\Delta })\right)$$

(25)

Performing the ${\mathbf{P}}^{-1}$ operation on both sides of the above equation, we obtain:

$$\begin{array}{c}{\mathbf{P}}^{-1}{X}_0^{\prime }=\left(\mathrm{\Delta }{\alpha }^{\prime }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\right)\oplus {\mathbf{P}}^{-1}\left(\mathbf{000000}{\alpha }_{\beta }\mathbf{0}\right)\oplus S_2(\mathrm{\Delta }\mathrm{\Delta }?????\mathrm{\Delta })\\ =\left(\mathrm{\Delta }{\alpha }^{\prime }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\mathrm{\Delta }\right)\oplus \left(\mathbf{00}{\alpha }_{\beta }{\alpha }_{\beta }{\alpha }_{\beta }{\alpha }_{\beta }\mathbf{0}{\alpha }_{\beta }\right)\oplus (\mathrm{\Delta }\mathrm{\Delta }?????\mathrm{\Delta })\\ =(\mathrm{\Delta }\mathrm{\Delta }??????)\end{array}$$

(26)

As derived above, the 0 th and first bytes of ${\mathbf{P}}^{-1}{X}_0^{\prime }$ relate only to the variable *; thus they can be used to construct a periodic function. Define the output byte ${\mathbf{P}}^{-1}{\left(X_0^{\prime }\right)}_1$ as the function $f^o(\beta ,x)$, i.e., $f^o(\beta ,x)=\left({\mathbf{P}}^{-1}{\left(X_0^{\prime }\right)}_1\right)$. The theorem states the following:

Theorem 2.

The period of the function $f^o(\beta ,x)$ is $s=1\parallel s_1\left({\alpha }_0\right)\oplus s_1\left({\alpha }_1\right)$.

$$f^o(\beta ,x)=f^o\left(\beta \oplus 1,x\oplus s_1\left({\alpha }_0\right)\oplus s_1\left({\alpha }_1\right)\right)$$

Proof of Theorem 2.

When $\beta =0$, for $f^o(\beta \parallel x),\ast =s\left({\alpha }_0\right)\oplus x=s\left({\alpha }_{0\oplus 1}\right)\oplus x\oplus s\left({\alpha }_0\right)\oplus s\left({\alpha }_1\right)=s\left({\alpha }_0\right)\oplus x$. Since the value of $f^o(\beta \parallel x)$ relates only to *, it follows that $f^o(0\parallel x)=f^o\left(0\oplus 1\parallel x\oplus s\left({\alpha }_0\right)\oplus s\left({\alpha }_1\right)\right)$.

When $\beta =1$, for $f^o(\beta \parallel x),\ast =s\left({\alpha }_1\right)\oplus x=s\left({\alpha }_{1\oplus 1}\right)\oplus x\oplus s\left({\alpha }_0\right)\oplus s\left({\alpha }_1\right)=s\left({\alpha }_1\right)\oplus x$. Since the value of $f^o(\beta \parallel x)$ relates only to *, it follows that $f^o(1\parallel x)=f^o\left(1\oplus 1\parallel x\oplus s\left({\alpha }_0\right)\oplus s\left({\alpha }_1\right)\right)$. □

It can be demonstrated that the function $f^o(\beta \parallel x)$ exhibits periodicity. In accordance with Theorem 2 of the study [15], a distinguisher against the five-round Camellia can be constructed using the function $f^o(\beta \parallel x)$.

During the research process, we attempted to construct distinguishers with a higher number of rounds. However, distinguishers exceeding five rounds could not be theoretically verified for their correctness. Based on the method proposed in this paper, we consider the five-round distinguisher to be an appropriate choice. On the other hand, the five-round distinguisher offers a balance between complexity and theoretical verifiability, making it the most suitable choice based on the method proposed in this paper. This selection ensures that the distinguisher is both practical to implement and theoretically sound, which is critical for the reliability of our approach.

3.3. Experimental Validation

In this subsection, we conducted targeted experiments to validate the correctness of the periodic functions developed in the preceding section. In accordance with the Camellia algorithm criteria outlined in the literature [28], we have constructed the five-round periodic function structure presented in Section 3.2 on the Python 3.7 environment. Our primary aim was to verify the equation $f^{\circ }(\beta ,x)=f^{\circ }\left(\beta \oplus 1,x\oplus s_1\left({\alpha }_0\right)\oplus s_1\left({\alpha }_1\right)\right)$. We conducted correctness verification by setting different input parameters. Based on a local computer, we selected $2^{32}$ sets of distinct parameter data for periodicity testing, all of which confirmed the correctness of the periodic. As illustrated in Figure 10, the periodic function is demonstrated to be correct with a specific set of data.

The input plaintext group data are (000000α_β0), P(000000x0), where x = (00000000), α₀ = (00000000), and α₁ = (00000001). When $\beta =0$, for $f^{\circ }(\beta ,x)$, the plaintext input comprises solely zeros. The output for the first byte, denoted as $\left({\mathbf{P}}^{-1}\right)X_0^{\prime }$, is $\left(01101100\right)$.

For $f^{\circ }\left(\beta \oplus 1,x\oplus s_1\left({\alpha }_0\right)\oplus s_1\left({\alpha }_1\right)\right)$, the plaintext group data is updated to $\left(\mathbf{0000000}{\alpha }_1\right),\mathbf{P}(\mathbf{000000}x\oplus$$s_1\left({\alpha }_0\right)\oplus s_1\left({\alpha }_1\right)0$ ), and remarkably, the output for the first byte, again denoted as $\left({\mathbf{P}}^{-1}\right)X_0^{\prime }$, remains unchanged at $\left(01101100\right)$.

Given the experimental verification outlined above, Theorem 1 is confirmed to be accurate.

4. The Attack Model for Camellia

This section presents a key-recovery attack model for the Camellia algorithm under the qCCA setting, leveraging the five-round distinguisher proposed in Section 3.2. Here is an outline of our attack methodology:

• Implement a nine-round encryption oracle, denoted as $\mathcal{E}$, and decrypt the input of the periodic function $f_{\mathrm{in}}$ over two rounds. The resulting intermediate value after the two rounds and the subkeys for the two rounds as the input to the circuit $\mathcal{E}$. Then, the output of $\mathcal{E}$ undergoes two rounds of decryption and is XORed with a constant.
• Implement a quantum circuit $\mathcal{D}$ that computes the inverse of $\mathcal{E}$. Encrypt the results from the previous step over two rounds, inputting the intermediate value along with subkeys into the circuit $\mathcal{D}$. Subsequently, encrypt $\mathcal{D}$’s output over two rounds to acquire the periodic function output $f_{\mathrm{out}}$.
• Guess the keys for the two rounds preceding and succeeding the quantum circuits $\mathcal{E}$ and $\mathcal{D}$.
• For each key guess, check its correctness with the following procedure.

  (1)

  Apply the five-round distinguisher to $\mathcal{E}$ and $\mathcal{D}$.

  (2)

  If the distinguisher returns “this is a random permutation”, then judge that the guess is wrong. Otherwise, judge that the guess is correct.

Nine-Round Key-Recovery Attack on Camellia

A nine-round key-recovery attack is performed using the established attack model, as shown in Figure 11. The periodic function input $f_{\mathrm{in}}$ is $\left[\mathbf{P}\left(\mathbf{000000}x\mathbf{0}\right),\left(\mathbf{000000}{\alpha }_{\beta }\mathbf{0}\right)\right]$, with the output $f_{\mathrm{out}}$ being ${\mathbf{P}}^{-1}\left({\left(X_7\right)}_1\right)$. To decrypt $f_{\mathrm{in}}$ through two rounds and retrieve the plaintext, the keys $K_1$ and $K_{2,\{2,3,4,5,7\}}$ need to be guessed. Subsequently, the ciphertext is obtained after nine rounds of encryption by the oracle. In addition, the keys to be guessed for the decryption of the ciphertext for two rounds are $K_{9,\{0,3,4,5,6\}}$ and $K_{8,7}$. After xOR the obtained intermediate state with the constant $\left[\right(\mathbf{00000000}),(\mathbf{0}\alpha \mathbf{000000}\left)\right]$, it needs to guess the keys $K_{8,7}$ and $K_{9,\{0,3,5,6,7\}}$ to encrypt for two rounds to obtain the ciphertext. The plaintext is then obtained by nine rounds of decryption oracle. Finally, the keys $K_1$ and $K_{2,1}$ must be guessed in order to encrypt the plaintext for two rounds, thereby obtaining the output $f_{\mathrm{out}}$.

Due to the characteristics of Camellia’s key scheduling, where round keys for F (Round 1), F (Round 2), and F (Round 9) are derived from cyclic shifts of $K_A$, many key bits are repeated. We guess all key bits for Round 1 and bytes 1–5, 7 for Round 2. Round 9 requires guesses for 0 and 3–7 bytes of the key, with 45 bits being repetitions. As shown in Figure 12, the orange portion of the figure indicates the three-bit non-repeating key positions that must be guessed in Round 9. Thus, the actual key bits to guess are $K_{A[0–63]},K_{A[72–111],[120–127]},K_{L[37–44]},K_{A[69,70,71]}$, totaling $64+$$48+8+3=123$ bits.

Define $g:F_2^{64}\times F_2^{48}\times F_2^8\times F_2^{32}\times F_2^{(8+1)}\to F_2^8$ satisfying $(K_{A[0–63]},K_{A[72–119]},$$K_{L[37–44]},K_{A[69,70,71]},y)\to$$f\left(y\right)$, where $y=f^o(\beta ,x)$. If the key guess is correct, the following holds true:

$$\begin{array}{cc}\hfill & g\left(K_{\mathrm{A}[0–63]},K_{\mathrm{A}[72–119]},K_{\mathrm{L}[37–44]},K_{\mathrm{A}[69,70,71]},y\right)=\hfill \\ \hfill & g\left(K_{\mathrm{A}[0–63]},K_{\mathrm{A}[72–119]},K_{\mathrm{L}[37–44]},K_{\mathrm{A}[69,70,71]},y\oplus s\right)\hfill \end{array}$$

(27)

If $f_{\mathrm{in}}\to f_{\mathrm{out}}$ is a periodic function, then the period of this function can be determined by inputting it into Simon’s algorithm. The guess is correct; otherwise, the guess is incorrect.

As outlined in the literature [12], the formula for the number of quantum bits required for a key recovery attack is as follows:

$$\mathrm{sum}=n_k+n_{\mathrm{in}}\times l+n_{\mathrm{out}}\times l,l=2(\tilde{n}+\sqrt{n})$$

(28)

where sum represents the total number of quantum bits required, $n_k$ the length of the key, $n_{\mathrm{in}}$ the input length of the periodic function, $n_{\mathrm{out}}$ the output length of the periodic function, and $\tilde{n}$ the length of the period. For Camellia’s guessed keys $K_A[0–63],K_A[72–119],K_L[37–44],K_A[69,70,71]$, we have that:

$$\begin{array}{cc}\hfill & n_k=64+48+8+3=123,n_{\mathrm{in}}=8+1=9,\tilde{n}=8+1=9\hfill \\ \hfill & n_{\mathrm{out}}=8,l=2(9+\sqrt{9})=24,\mathrm{sum}=123+9\times 24+8\times 24=531\hfill \end{array}$$

(29)

The whole attack needs $123+9\times 2(9+\sqrt{9})+8\times 2(9+\sqrt{9})=531$ qubits. According to the methods described in References [14,16], the proof is provided as follows: Given an accurate guess of the key:

$$(K_1,K_{2,\{1,2,3,4,5,6\}},K_{8,7}{K}_{9,[69,70,71]})$$

(30)

it holds that:

$$g(K_1,K_{2,\{1,2,3,4,5,6\}},K_{8,7}{K}_{9,[69,70,71]},y)=g(K_1,K_{2,\{1,2,3,4,5,6\}},K_{8,7}{K}_{9,[69,70,71]},y\oplus s).$$

(31)

Let the h be defined as:

$$\begin{array}{cc}\hfill h:F_2^{123}\times F_2^{(8+1)\times 24}& \to F_2^{8\times 24}\hfill \\ \hfill (K_1,K_{2,\{1,2,3,4,5,6\}},K_{8,7},K_{9,[69,70,71]},& y_1,\dots ,y_{24})\hfill \\ \hfill \to g(K_1,K_{2,\{1,2,3,4,5,6\}},K_{8,7},K_{9,[69,70,71]},& y_1\left)\right||\dots ||\hfill \\ \hfill g(K_1,K_{2,\{1,2,3,4,5,6\}},K_{8,7},K_{9,[69,70,71]},& y_{24}).\hfill \end{array}$$

(32)

where $\left|\right|$ denotes concatenation.

The constructed quantum gate $U_h$ satisfies the following mapping:

$$\begin{array}{cc}\hfill |K_1,K_{2,\{1,2,3,4,5,6\}},K_{8,7},K_{9,[69,70,71]},& y_1,\dots ,y_{24},0,\dots ,0\rangle \hfill \\ \hfill \to |K_1,K_{2,\{1,2,3,4,5,6\}},K_{8,7},K_{9,[69,70,71]},& y_1,\dots ,y_{24},\hfill \\ \hfill h(K_1,K_{2,\{1,2,3,4,5,6\}},K_{8,7},K_{9,[69,70,71]},& y_1,\dots ,y_{24}\left)\right)\rangle .\hfill \end{array}$$

(33)

By constructing a quantum algorithm A, we achieve a key recovery attack on the Camellia algorithm. The algorithm begins by initializing 531 qubits, all set to the initial state $|0\rangle$. Among these qubits, the first $123+8+1\times 24=339$ qubits undergo a Hadamard transform $H^{\otimes 339}$, resulting in the following uniform superposition:

$$\begin{array}{c}\hfill \sum _{k_1\in F_2^{64},k_2\in F_2^{48},k_8\in F_2^8,k_9\in F_2^3,y_1,\dots ,y_{24}\in F_2^{8+1}}|k_1,k_2,k_{8,7},k_9\rangle |y_1\dots y_{24}\rangle |0\rangle \end{array}$$

(34)

In the proof, $k_1$ represents the full key for the first round, $k_2$ represents $K_{2,\{1,2,3,4,5,6\}}$, $k_8$ represents $K_{8,7}$, $k_9$ represents $K_{9,[69,70,71]}$, and $y_1,\dots ,y_{24}$ are auxiliary qubits. The amplitude of this quantum state, which can be ignored, is given by:

$$2^{-(123+(8+1)\times 24)/2}=2^{-339/2}.$$

(35)

Next, the superposition state is processed through the $U_h$, resulting in the following state:

$$\sum _{k_1\in F_2^{64},k_2\in F_2^{48},k_8\in F_2^8,k_9\in F_2^3,y_1,\dots ,y_{24}\in F_2^{8+1}}|k_1,k_2,k_{8,7},k_9\rangle |y_1\dots y_{24}\rangle |h(k_1,k_2,k_{8,7},k_9,y_1,\dots ,y_{24})\rangle$$

(36)

To extract periodic information, a Hadamard transform is applied again to the $|y_1\dots y_{24}\rangle$ register, resulting in the following superposition:

$$\begin{array}{cc}\hfill |\varphi \rangle =& \sum _{k_1\in F_2^{64},k_2\in F_2^{48},k_8\in F_2^8,k_9\in F_2^3,y_1,\dots ,y_{24}\in F_2^{8+1}}|k_1,k_2,k_{8,7},k_9{\rangle (-1)}^{\langle u_1,y_1\rangle }|u_1{\rangle \dots (-1)}^{\langle u_{24},y_{24}\rangle }|u_{24}\rangle \hfill \\ \hfill & \left|h\right(k_1,k_2,k_{8,7},k_9,y_1,\dots ,y_{24})\rangle \hfill \end{array}$$

(37)

If the guessed key $(k_1,k_2,k_8,k_9)$ is correct, the period s will be orthogonal to $u_1,\dots ,u_{24}$ upon measuring $|\varphi \rangle$. According to Lemma 4 from Reference [12], choosing $l=2\times (8+1+8+1)=24$ ensures that the period s can be computed.

The classification of the quantum state is performed using a classifier B, defined as $B:F_2^{123+(8+1)\times 24}\to \{0,1\}$. The classifier operates as follows. First, it checks the dimension of

$$\overline{U}=\mathrm{Span}\left(\right|u_1,\dots ,u_{24}\rangle ).$$

(38)

If $\dim \left(\overline{U}\right)\ne 24$, the classifier outputs 0. Otherwise, the unique period s is computed using Lemma 4 from Reference [12]. For any given y, the classifier verifies the equality:

$$g(k_1,k_2,k_8,k_9,y)=g(k_1,k_2,k_8,k_9,y\oplus s).$$

(39)

If this equality holds, the classifier outputs 1; otherwise, it outputs 0. The classifier B divides the quantum state $|\varphi \rangle$ into the “good” subspace $|{\varphi }_1\rangle$ and the “bad” subspace $|{\varphi }_0\rangle$, such that:

$$|\varphi \rangle =|{\varphi }_1\rangle +|{\varphi }_0\rangle .$$

(40)

Here, $|{\varphi }_1\rangle$ represents the projection onto the “good” subspace, while $|{\varphi }_0\rangle$ represents the projection onto the “bad” subspace. The “good” subspace satisfies $B=1$. Furthermore, the classifier defines a unitary operator $S_B$, which acts as follows:

$$|k_1,k_2,k_8,k_9\rangle |y_1\dots y_{24}\rangle \to \left\{\begin{array}{cc}-|k_1,k_2,k_8,k_9\rangle |y_1\dots y_{24}\rangle ,\hfill & \mathrm{if}B=1,\hfill \\ |k_1,k_2,k_{8,7},k_9\rangle |y_1\dots y_{24}\rangle ,\hfill & \mathrm{if}B=0.\hfill \end{array}\right.$$

(41)

Grover’s algorithm is then applied to amplify the probability of the classifier outputting 1. For the initial state $|\varphi \rangle =A|0\rangle$, the angle to the “bad” subspace is $\theta$, where:

$${sin}^2\left(\theta \right)=p\approx 2^{-61.5}.$$

(42)

Using Grover’s algorithm, the following iterative operator is applied:

$$Q=-A{S}_0{A}^{-1}{S}_B.$$

(43)

The number of iterations required is:

$$t=\lceil \pi /\left(4\theta \right)\rceil =\lceil \pi /(4\times 2^{-61.5})\rceil =2^{61.5}.$$

(44)

After these iterations, the final state is almost orthogonal to the “bad” subspace, and the probability of measuring a “good” state approaches 1. The entire attack requires 531 qubits, including 123 qubits for storing the key, 9 qubits for the input to the periodic function, 8 qubits for the periodic function’s output, and additional qubits for periodic computation. The time complexity of the attack is:

$$T=O\left(2^{61.5}\right).$$

(45)

This approach successfully achieves a key recovery attack on the Camellia algorithm.

The comparison between the work presented in this paper and other methods is shown in

Table 4. Comparison with other attack methods.

Reference	Target Cipher	Attack Model	Attack Type	Rounds of Key Recovery	Time Complexity	Quantum Resources (Qubits)
[30]	Luby–Rackoff	qCPA	Distinguishing attack	4	$O\left(2^{n/12}\right)$	N/A
[15]	Feistel-F	qCCA	Distinguishing attack	4	Polynomial $O\left(\mathrm{n}\right)$	N/A
[21]	Camellia	qCPA	Key recovery attack	7	$O\left(2^{24}\right)$	456 qubits
[31]	MARS-like (4 branches)	qCCA	Key recovery attack	9	$O\left(2^{2n}\right)$	N/A
This work	Camellia	qCCA	Key recovery attack	9	$O\left(2^{61.5}\right)$	531 qubits

.

5. Conslusions and Future Work

Ref. [15] studied the quantum distinguisher for a four-round Feistel structure under the Q2 model but did not consider the internal structure of the algorithm. The contribution of this paper is the first construction of a quantum key-recovery attack against Camellia under the qCCA model. Specifically, based on the round function and key scheduling features of Camellia, we propose a five-round qCCA distinguisher. Subsequently, leveraging this distinguisher, we present a nine-round quantum key-recovery attack based on the Grover-meets-Simon algorithm, achieving a time complexity of $2^{61.5}$. Compared to previous quantum analyses of Camellia, our attack demonstrates better performance and makes a significant contribution to the study of the quantum security of block cipher algorithms. The ability of symmetric cryptographic algorithms to resist quantum attacks is garnering increasing attention. In addition to conducting quantum security analyses of existing symmetric cryptographic algorithms, researchers are also considering quantum security as a critical criterion in proposing new symmetric cryptographic designs. Future research will focus on constructing quantum distinguishers with an increased number of rounds under quantum computing models. Furthermore, by exploring quantum algorithms, the time complexity of quantum key-recovery attacks may be further reduced. Additionally, the effectiveness of symmetric cryptographic structural schemes against quantum attacks will be further investigated.