Cryptanalysis of a Reduced Version of the Block Cipher E2
Mitsuri Matsui,Toshio Tokita +1 more
- pp 71-80
TLDR
This paper deals with truncated differential cryptanalysis of the 128-bit block cipher E2, which is an AES candidate designed and submitted by NTT and shows a non-trivial seven round byte characteristic, which leads to a possible attack of E2 reduced to eight rounds without IT and FT by a chosen plaintext scenario.Abstract:
This paper deals with truncated differential cryptanalysis of the 128-bit block cipher E2, which is an AES candidate designed and submitted by NTT. Our analysis is based on byte characteristics, where a difference of two bytes is simply encoded into one bit information "0" (the same) or "1" (not the same). Since E2 is a strongly byte-oriented algorithm, this bytewise treatment of characteristics greatly simplifies a description of its probabilistic behavior and noticeably enables us an analysis independent of the structure of its (unique) lookup table. As a result, we show a non-trivial seven round byte characteristic, which leads to a possible attack of E2 reduced to eight rounds without IT and FT by a chosen plaintext scenario. We also show that by a minor modification of the byte order of output of the round function -- which does not reduce the complexity of the algorithm nor violates its design criteria at all --, a non-trivial nine round byte characteristic can be established, which results in a possible attack of the modified E2 reduced to ten rounds without IT and FT, and reduced to nine rounds with IT and FT. Our analysis does not have a serious impact on the full E2, since it has twelve rounds with IT and FT; however, our results show that the security level of the modified version against differential cryptanalysis is lower than the designers' estimation.read more
Citations
More filters
Book ChapterDOI
Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Design and Analysis
Kazumaro Aoki,Tetsuya Ichikawa,Masayuki Kanda,Mitsuru Matsui,Shiho Moriai,Nakajima Junko,Toshio Tokita +6 more
TL;DR: It is confirmed that Camellia provides strong security against differential and linear cryptanalyses and at least comparable encryption speed in software and hardware.
Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms
Kazumaro Aoki,Tetsuya Ichikawa,Masayuki Kanda,Mitsuru Matsui,Shiho Moriai,Nakajima Junko,Toshio Tokita,Nippon Telegraph +7 more
TL;DR: Camellia as discussed by the authors is a new 128-bit block cipher with 128-, 192-, and 256-bit key lengths, which was designed to withstand all known cryptanalytic attacks and even to have a sufficiently large security leeway for use of the next 10-20 years.
Book
The Block Cipher Companion
Lars R. Knudsen,Matthew Robshaw +1 more
TL;DR: This book provides a technically detailed, yet readable, account of the state of the art of block cipher analysis, design, and deployment and provides an overview of some of the most important cryptanalytic methods.
Book ChapterDOI
Security of Reduced Version of the Block Cipher Camellia against Truncated and Impossible Differential Cryptanalysis
TL;DR: A nontrivial 9-round byte characteristic is shown, which may lead to a possible attack of reduced-round version of Camellia without input/output whitening, FL or FL-1 in a chosen plain text scenario.
Speci cation of Camellia | a 128-bit Block Cipher
Kazumaro Aoki,Tetsuya Ichikawa,Masayuki Kanda,Mitsuru Matsui,Shiho Moriai,Nakajima Junko,Toshio Tokita +6 more
TL;DR: Notations and Conventions 2.2.1 Radix 2.3 List of Symbols 2.4 Bit/Byte Ordering 2.5 Bit/ Byte Ordering.
References
More filters
Book
Differential Cryptanalysis of the Data Encryption Standard
Eli Biham,Adi Shamir +1 more
TL;DR: This book introduces a new cryptographic method, called differential cryptanalysis, which can be applied to analyze cryptosystems, and describes the cryptanalysis of DES, deals with the influence of its building blocks on security, and analyzes modified variants.
Book ChapterDOI
Markov ciphers and differential cryptanalysis
TL;DR: It is shown that PES (8) and PES(16) are immune to differential cryptanalysis after sufficiently many rounds, and a new design principle for Markov ciphers, viz., that their transition probability matrices should not be symmetric is suggested.
BookDOI
Advances in Cryptology — EUROCRYPT ’91
TL;DR: The applicability of differential cryptanalysis to the Feal family of encryption algorithms and to the N-Hash hash function is shown.
Book ChapterDOI
Truncated Differentials of SAFER
Lars R. Knudsen,Thomas A. Berson +1 more
TL;DR: This paper considers “truncated differentials” and applies them in an attack on 5-round SAFER, which finds the secret key in time much faster than by exhaustive search.