SAC '98 Proceedings of the Selected Areas in Cryptography
Security of E2 against Truncated Differential Cryptanalysis
SAC '99 Proceedings of the 6th Annual International Workshop on Selected Areas in Cryptography
Cryptanalysis of a Reduced Version of the Block Cipher E2
FSE '99 Proceedings of the 6th International Workshop on Fast Software Encryption
Impossible differential cryptanalysis of reduced-round ARIA and Camellia
Journal of Computer Science and Technology
New Impossible Differential Attacks on AES
INDOCRYPT '08 Proceedings of the 9th International Conference on Cryptology in India: Progress in Cryptology
An Improved Impossible Differential Attack on MISTY1
ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Impossible Differential Analysis of Reduced Round CLEFIA
Information Security and Cryptology
Improved Impossible Differential Cryptanalysis of Reduced-Round Camellia
Selected Areas in Cryptography
New Results on Impossible Differential Cryptanalysis of Reduced---Round Camellia---128
Selected Areas in Cryptography
Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials
EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
Improving the efficiency of impossible differential cryptanalysis of reduced Camellia and MISTY1
CT-RSA'08 Proceedings of the 2008 The Cryptopgraphers' Track at the RSA conference on Topics in cryptology
Impossible differential cryptanalysis on feistel ciphers with SP and SPS round functions
ACNS'10 Proceedings of the 8th international conference on Applied cryptography and network security
Hi-index | 0.00 |
E2, a 128-bit block cipher, is an AES candidate designed and submitted by NTT corporation. It employs a Feistel structure as global structure and 2-layer Substitution-Permutation Network structure in round function. The conservative structure makes E2 immune to kinds of current cryptanalysis. Previously, there is no result of impossible differential attacks on E2 since it was once supposed to have no more than 5-round impossible differential characteristic. In this paper, the immunity of tweaked E2 (E2 without initial transformation and final transformation) against impossible differential cryptanalysis is evaluated. We present many 6-round impossible differential characteristics of tweaked E2, by using one of which, we perform a 7-round attack on tweaked E2 with 128, 192 and 256 bits key and an 8-round attack on tweaked E2 with 256 bits key. The 7-round attack requires about 2120 chosen plaintexts and 2115.5 7-round encryptions; the 8-round attack needs 2121 chosen plaintexts and less than 2214 8-round encryptions.