Markov ciphers and differential cryptanalysis
EUROCRYPT'91 Proceedings of the 10th annual international conference on Theory and application of cryptographic techniques
Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Design and Analysis
SAC '00 Proceedings of the 7th Annual International Workshop on Selected Areas in Cryptography
ASIACRYPT '01 Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Security of Camellia against Truncated Differential Cryptanalysis
FSE '01 Revised Papers from the 8th International Workshop on Fast Software Encryption
Improved Upper Bounds of Differential and Linear Characteristic Probability for Camellia
FSE '02 Revised Papers from the 9th International Workshop on Fast Software Encryption
Impossible differential cryptanalysis on tweaked E2
NSS'12 Proceedings of the 6th international conference on Network and System Security
Hi-index | 0.00 |
. This paper studies the security offered by the block cipher E2 against truncated differential cryptanalysis. At FSE'99 Matsui and Tokita showed a possible attack on an 8-round variant of E2 without IT-Function (the initial transformation) and FT-Function (the final transformation) based on byte characteristics. To evaluate the security against attacks using truncated differentials, which mean bytewise differentials in this paper, we searched for all truncated differentials that lead to possible attacks for reduced-round variants of E2. As a result, we conformed that there exist no such truncated differentials for E2 with more than 8 rounds. However, we found another 7-round truncated differential which lead to another possible attack on an 8-round variant of E2 without IT-or FT-Function with less complexity. We also found that the 7-round truncated differential is useful to distinguish a 7-round variant of E2 with IT- and FT-Functions from a random permutation. In spite of our severe examination, this type of cryptanalysis fails to break the full E2. We believe that this means that the full E2 offers strong security against this truncated differential cryptanalysis.