Impossible differential cryptanalysis on cipher E2

Abstract

SUMMARYE2, a block cipher, is an Advanced Encryption Standard candidate designed and submitted by Nippon Telegraph and Telephone Corporation. It employs a Feistel structure as global structure and two‐layer substitution–permutation network structure in round function. The conservative structure makes E2 immune to kinds of current cryptanalysis. Previously, there is no result of impossible differential attacks on E2 because it was once supposed to have no more than five‐round impossible differential characteristic. In this paper, we present a series of six‐round impossible differential characteristics of E2 with/without initial transformation (IT)/ final transformation (FT) functions. Based on these impossible differentials, the immunity of E2 against impossible differential cryptanalysis is evaluated. We perform a seven‐round attack on tweaked E2 (E2 without IT and FT ) with 128, 192, and 256 bits key and an eight‐round attack on tweaked E2 with 256 bits key. The seven‐round attack requires about 2120 chosen plaintexts and 2115.5 seven‐round encryptions; the eight‐round attack needs 2121 chosen plaintexts and less than 2214 eight‐round encryptions. We also discuss the seven‐round attack on E2 with IT or FT, and the result shows that the attack has the same complexities with the seven‐round attack on tweaked E2. Copyright © 2013 John Wiley & Sons, Ltd.