标题:Multidimensional Zero-Correlation Linear Cryptanalysis of E2
作者:Wen, Long; Wang, Meiqin; Bogdanov, Andrey
通讯作者:Wang, M
作者机构:[Wen, Long; Wang, Meiqin] Shandong Univ, Key Lab Cryptol Technol & Informat Secur, Minist Educ, Jinan 250100, Peoples R China.; [Bogdanov, Andrey] T 更多
会议名称:7th International Conference on Cryptology in Africa (AFRICACRYPT)
会议日期:MAY 28-30, 2014
来源:PROGRESS IN CRYPTOLOGY - AFRICACRYPT 2014
出版年:2014
卷:8469
页码:147-164
DOI:10.1007/978-3-319-06734-6_10
关键词:Block cipher; zero-correlation; multidimensional linear cryptanalysis;; E2
摘要:E2 is a block cipher designed by NTT and was a first-round AES candidate. E2's design principles influenced several more recent block ciphers including Camellia, an ISO/IEC standard cipher. So far the cryptanalytic results for round-reduced E2 have been concentrating around truncated and impossible differentials. At the same time, rather recently at SAC'13, it has been shown how to improve upon the impossible differential cryptanalysis of Camellia with the zero-correlation linear cryptanalysis. Due to some similarities between E2 and Camellia, E2 might also render itself more susceptible to this type of cryptanalysis.; In this paper, we investigate the security of E2 against zero-correlation linear cryptanalysis. We identify zero-correlation linear approximations over 6 rounds of E2. With these linear approximations, we can attack 8-round E2-128 and 9-round E2-256 without IT and FT. The attack on 8-round E2-128 requires 2(124.1) known plaintexts (KPs), 2(119.3) encryptions and 2(99) bytes memory. The attack on 9-round E2-256 requires 2(124.6) KPs, 2(225.5) encryptions and 2(99) bytes memory. In contrast, the previous attacks on 8-round E2-128 had an uncertain time complexity and one could only attack 8-round E2-256. Besides, for the first time, we propose a key recovery attack on reduced-round E2 with both IT and FT taken into consideration. More concretely, we can attack 6-round E2-128 with 2(123.7) KPs, 2(119.1) encryptions and 2(29) bytes and 7-round E2-256 requires 2(124.7) KPs, 2(252.8) encryptions and 2(91) bytes when both IT and FT are considered.
收录类别:CPCI-S;EI;SCOPUS
WOS核心被引频次:6
Scopus被引频次:13
资源类型:会议论文;期刊论文
原文链接:https://www.scopus.com/inward/record.uri?eid=2-s2.0-84902661641&doi=10.1007%2f978-3-319-06734-6_10&partnerID=40&md5=c4a9eb9ea144e1da1d9b486970b680c4
TOP