Abstract
E2 is a block cipher designed by NTT and was a first-round AES candidate. E2’s design principles influenced several more recent block ciphers including Camellia, an ISO/IEC standard cipher. So far the cryptanalytic results for round-reduced E2 have been concentrating around truncated and impossible differentials. At the same time, rather recently at SAC’13, it has been shown how to improve upon the impossible differential cryptanalysis of Camellia with the zero-correlation linear cryptanalysis. Due to some similarities between E2 and Camellia, E2 might also render itself more susceptible to this type of cryptanalysis.
In this paper, we investigate the security of E2 against zero-correlation linear cryptanalysis. We identify zero-correlation linear approximations over 6 rounds of E2. With these linear approximations, we can attack 8-round E2-128 and 9-round E2-256 without IT and FT. The attack on 8-round E2-128 requires 2124.1 known plaintexts (KPs), 2119.3 encryptions and 299 bytes memory. The attack on 9-round E2-256 requires 2124.6 KPs, 2225.5 encryptions and 299 bytes memory. In contrast, the previous attacks on 8-round E2-128 had an uncertain time complexity and one could only attack 8-round E2-256. Besides, for the first time, we propose a key recovery attack on reduced-round E2 with both IT and FT taken into consideration. More concretely, we can attack 6-round E2-128 with 2123.7 KPs, 2119.1 encryptions and 229 bytes and 7-round E2-256 requires 2124.7 KPs, 2252.8 encryptions and 291 bytes when both IT and FT are considered.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., Tokita, T.: Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms-Design and Analysis. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 39–56. Springer, Heidelberg (2001)
Biham, E.: On Matsui’s Linear Cryptanalysis. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 341–355. Springer, Heidelberg (1995)
Bogdanov, A., Rijmen, V.: Linear Hulls with Correlation Zero and Linear Cryptanalysis of Block Ciphers. Accepted to Designs, Codes and Cryptography (2012) (in press)
Bogdanov, A., Wang, M.: Zero Correlation Linear Cryptanalysis with Reduced Data Complexity. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 29–48. Springer, Heidelberg (2012)
Bogdanov, A., Leander, G., Nyberg, K., Wang, M.: Integral and Multidimensional Linear Distinguishers with Correlation Zero. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 244–261. Springer, Heidelberg (2012)
Soleimany, H., Nyberg, K.: Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock. In: WCC 2013 (2013)
Blondeau, C., Nyberg, K.: New Links Between Differential and Linear Cryptanalysis. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 388–404. Springer, Heidelberg (2013)
Bogdanov, A., Geng, H., Wang, M., Wen, L., Collard, B.: Zero-Correlation Linear Cryptanalysis with FFT and Improved Attacks on ISO Standards Camellia and CLEFIA. In: SAC 2013. LNCS. Springer (2014)
ISO/IEC 18033-3:2005, Information technology – Security techniques – Encryption algrithm – Part 3: Block Ciphers (July 2005)
Kanda, M., Moriai, S., Aoki, K., Ueda, H., Takashima, Y., Ohta, K., Matsumoto, T.: E2-a new 128-bit block cipher. IEICE Transactions Fundamentals of Electronics, Communications and Computer Sciences E83-A(1), 48–59 (2000)
Matsui, M.: Linear Cryptanalysis Method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
Matsui, M.: On Correlation between the Order of S-boxes and the Strength of DES. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 366–375. Springer, Heidelberg (1995)
Hermelin, M., Cho, J.Y., Nyberg, K.: Multidimensional Extension of Matsui’s Algorithm 2. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 209–227. Springer, Heidelberg (2009)
Matsui, M., Tokita, T.: Cryptanalysis of a Reduced Version of the Block Cipher E2. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 71–80. Springer, Heidelberg (1999)
Moriai, S., Sugita, M., Aoki, K., Kanda, M.: Security of E2 against Truncated Differential Cryptanalysis. In: Heys, H.M., Adams, C.M. (eds.) SAC 1999. LNCS, vol. 1758, pp. 106–117. Springer, Heidelberg (2000)
Wei, Y., Li, P., Sun, B., Li, C.: Impossible Differential Cryptanalysis on Feistel Ciphers with SP and SPS Round Functions. In: Zhou, J., Yung, M. (eds.) ACNS 2010. LNCS, vol. 6123, pp. 105–122. Springer, Heidelberg (2010)
Wei, Y., Yang, X., Li, C., Du, W.: Impossible Differential Cryptanalysis on Tweaked E2. In: Xu, L., Bertino, E., Mu, Y. (eds.) NSS 2012. LNCS, vol. 7645, pp. 392–404. Springer, Heidelberg (2012)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Wen, L., Wang, M., Bogdanov, A. (2014). Multidimensional Zero-Correlation Linear Cryptanalysis of E2. In: Pointcheval, D., Vergnaud, D. (eds) Progress in Cryptology – AFRICACRYPT 2014. AFRICACRYPT 2014. Lecture Notes in Computer Science, vol 8469. Springer, Cham. https://doi.org/10.1007/978-3-319-06734-6_10
Download citation
DOI: https://doi.org/10.1007/978-3-319-06734-6_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-06733-9
Online ISBN: 978-3-319-06734-6
eBook Packages: Computer ScienceComputer Science (R0)