Collision attack on reduced-round Camellia

Camellia is the final winner of 128-bit block cipher in NESSIE. In this paper, we construct some efficient distinguishers between 4-round Camellia and a random permutation of the blocks space. By using collision-searching techniques, the distinguishers; are used to attack on 6, 7, 8 and 9 rounds of Camellia with 128-bit key and 8, 9 and 10 rounds of Camellia with 192/256-bit key. The 128-bit key of 6 rounds Camellia can be recovered with 2(10) chosen plaintexts and 2(15) encryptions. The 128-bit key of 7 rounds Camellia can be recovered with 2(12) chosen plaintexts and 2(54.5) encryptions. The 128-bit key of 8 rounds Camellia can be recovered with 2(13) chosen plaintexts and 2(112.1) encryptions. The 128-bit key of 9 rounds Camellia can be recovered with 2(113.6) chosen plaintexts and 2(121) encryptions. The 192/256-bit key of 8 rounds Camellia can be recovered with 2(13) chosen plaintexts and 2(111.1) encryptions. The 192/256-bit key of 9 rounds Camellia can be recovered with 2 13 chosen plaintexts and 2 175,6 encryptions. The 256-bit key of 10 rounds Camellia can be recovered with 2(14) chosen plaintexts and 2(239.9) encryptions.