Integral Cryptanalysis of the Block Cipher E2

TL;DR

This paper presents integral cryptanalysis attacks on reduced-round E2 block cipher, improving relations between linear and integral distinguishers, and successfully breaks 6-round E2-128 and 7-round E2-192 with specific resource estimates.

Contribution

It introduces new integral distinguishers based on zero-correlation linear approximations and applies them to break reduced-round E2 cipher variants.

Findings

Broken 6-round E2-128 with feasible resources.

Broken 7-round E2-192 with high computational effort.

Enhanced understanding of linear and integral relation in cryptanalysis.

Abstract

Block cipher E2, designed and submitted by Nippon Telegraph and Telephone Corporation, is a first-round Advanced Encryption Standard candidate. It employs a Feistel structure as global structure and two-layer substitution-permutation network structure in round function with initial transformation IT function before the first round and final transformation FT function after the last round. The design principles influences several more recent block ciphers including Camellia, an ISO/IEC standard cipher. In this paper, we focus on the key-recovery attacks on reduced-round E2-128/192 taking both IT and FT functions in consideration with integral cryptanalysis. We first improve the relations between zero-correlation linear approximations and integral distinguishers, and then deduce some integral distinguishers from zero-correlation linear approximations over 6 rounds of E2. Furthermore, we apply these integral distinguishers to break 6-round E2-128 with 2^{120} known plaintexts (KPs), 2^{115.4} encryptions and 2^{28} bytes memory. In addition, the attack on 7-round E2-192 requires 2^{120} KPs, 2^{167.2} encryptions and 2^{60} bytes memory.