Author Search Result

[Author] Shiho MORIAI(12hit)

  • FOREWORD Open Access

    Shiho MORIAI  

     
    FOREWORD

    Vol: E104-A No:1  Page(s): 1-1
  • Security of E2 against Truncated Differential Cryptanalysis

    Shiho MORIAI  Makoto SUGITA  Masayuki KANDA  

     
    PAPER

    Vol: E84-A No:1  Page(s): 319-325

    This paper evaluates the security of the block cipher E2 against truncated differential cryptanalysis. We show an algorithm to search for effective truncated differentials. The result of the search confirmed that there exist no truncated differentials that lead to possible attacks for E2 with more than 8 rounds. The best attack breaks an 8-round variant of E2 with either IT-Function (the initial transformation) or FT-Function (the final transformation) using $2^{94}$ chosen plaintexts. We also found the attack which distinguishes a 7-round variant of E2 with IT- and FT-Functions from a random permutation using $2^{91}$ chosen plaintexts.

  • Improved Higher Order Differential Attack and Its Application to Nyberg-Knudsen's Designed Block Cipher

    Takeshi SHIMOYAMA  Shiho MORIAI  Toshinobu KANEKO  Shigeo TSUJII  

     
    PAPER-Information Security

    Vol: E82-A No:9  Page(s): 1971-1980

    Since the proposal of differential cryptanalysis and linear cryptanalysis in 1991 and 1993, respectively, the resistance to these cryptanalysis has been studied. In FSE2, Knudsen proposed a method of attacking block ciphers that used the higher order differential, and in FSE4, Jakobsen and Knudsen applied it to a cipher proposed by Nyberg and Knudsen. Their approach, however, requires large complexity of running time. In this paper, we improve this attack and show that our improved algorithm requires much fewer chosen texts and much less complexity than those of previous works.

  • The 128-Bit Block Cipher Camellia

    Kazumaro AOKI  Tetsuya ICHIKAWA  Masayuki KANDA  Mitsuru MATSUI  Shiho MORIAI  Junko NAKAJIMA  Toshio TOKITA  

     
    PAPER

    Vol: E85-A No:1  Page(s): 11-24

    We present the new 128-bit block cipher called Camellia. Camellia supports 128-bit block size and 128-, 192-, and 256-bit key lengths, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Camellia was carefully designed to withstand all known cryptanalytic attacks and even to have a sufficiently large security leeway. It was also designed to suit both software and hardware implementations and to cover all possible encryption applications that range from low-cost smart cards to high-speed network systems. Compared to the AES finalists, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can encrypt on a Pentium III (1.13 GHz) at the rate of 471 Mbits per second. In addition, a distinguishing feature is its small hardware design. A hardware implementation, which includes encryption, decryption, and the key schedule for 128-bit keys, occupies only 9.66 K gates using a 0.35 µm CMOS ASIC library. This is in the smallest class among all existing 128-bit block ciphers. It perfectly meets the current market requirements in wireless cards, for instance, where low power consumption is essential.

  • Impossible Differential Cryptanalysis of Zodiac

    Deukjo HONG  Jaechul SUNG  Shiho MORIAI  Sangjin LEE  Jongin LIM  

     
    PAPER

    Vol: E85-A No:1  Page(s): 38-43

    In this paper, we discuss the impossible differential cryptanalysis for the block cipher Zodiac. The main design principles of Zodiac include simplicity and efficiency. However, the diffusion layer in its round function is too simple to offer enough security. The impossible differential cryptanalysis exploits such weakness in Zodiac. Our attack using a 14-round impossible characteristic derives the 128-bit master key of the full 16-round Zodiac faster than the exhaustive search. The efficiency of the attack compared with exhaustive search increases as the key size increases.

  • An Efficient Interpolation Attack

    Shiho MORIAI  Takeshi SHIMOYAMA  Toshinobu KANEKO  

     
    PAPER

    Vol: E83-A No:1  Page(s): 39-47

    We introduce an efficient interpolation attack which gives the tighter upper bound of the complexity and the number of pairs of plaintexts and ciphertexts required for the attack. In the previously known interpolation attack there is a problem in that the required complexity for the attack can be overestimated. We solve this problem by first, finding the actual number of coefficients in the polynomial used in the attack by using a computer algebra system, and second, by finding the polynomial with fewer coefficients by choosing the plaintexts. We apply this interpolation attack to the block cipher SNAKE and succeeded in attacking many ciphers in the SNAKE family. When we evaluate the resistance of a block cipher to interpolation attack, it is necessary to apply the interpolation attack described in this paper.

  • The Best Linear Expression Search of FEAL

    Shiho MORIAI  Kazumaro AOKI  Kazuo OHTA  

     
    PAPER

    Vol: E79-A No:1  Page(s): 2-11

    It is important to find the best linear expression to estimate the vulnerability of cryptosystems to Linear Cryptanalysis. This paper shows the results of the best linear expressions search of FEAL-N ($N \le 32$) and discusses the security of FEAL against Linear Cryptanalysis. We improve Matsui's search algorithm which determines the best linear expressions, and apply it to FEAL. The improved search algorithm finds all the best linear expressions of FEAL-N ($N \le 32$) much faster than the original; the required time is decreased from over three months to about two and a half days. We find the best linear expressions of FEAL-7, FEAL-15, and FEAL-31 with deviations of $1.15 \times 2^{-8}$, $1.48 \times 2^{-20}$, and $1.99 \times 2^{-41}$, respectively. These linear expressions have higher deviations than those derived from Biham's 4-round iterative linear approximations. Using these data we calculated the number of known plaintexts required to attack FEAL-8, FEAL-16, and FEAL-32. It is proved that FEAL-32 is secure against Linear Cryptanalysis.

  • Key-Dependency of Linear Probability of RC5

    Shiho MORIAI  Kazumaro AOKI  Kazuo OHTA  

     
    PAPER

    Vol: E80-A No:1  Page(s): 9-18

    In estimating the vulnerability of a block cipher to differential cryptanalysis and linear cryptanalysis, we must consider the fact that the differential probability and the linear probability vary with the key. In the case of cryptosystems where the round key is XORed to the input data of each round, the difference in both types of probability with different keys is regarded as negligible. However, this is not the case with RC5. This paper makes a primary analysis of the key-dependency of linear probability of RC5. Throughout this paper we study "precise" linear probability. We find some linear approximations that have higher deviation (bias) for some keys than the "best linear approximation" claimed by Kaliski and Yin in CRYPTO'95. Using one linear approximation, we find 10 weak keys of RC5-4/2/2 with linear probability $2^{-1}$, 2 weak keys of RC5-4/5/16 with linear probability $2^{-2}$, and a weak key of RC5-16/5/16 with linear probability $2^{-15.4}$, while Kaliski-Yin's "best biases" are $2^{-3}$, $2^{-9}$, and $2^{-17}$, respectively.

  • E2--A New 128-Bit Block Cipher

    Masayuki KANDA  Shiho MORIAI  Kazumaro AOKI  Hiroki UEDA  Youichi TAKASHIMA  Kazuo OHTA  Tsutomu MATSUMOTO  

     
    PAPER

    Vol: E83-A No:1  Page(s): 48-59

    This paper describes the design principles, the specification, and evaluations of a new 128-bit block cipher E2, which was proposed to the AES (Advanced Encryption Standard) candidates. This algorithm supports 128-bit, 192-bit, and 256-bit secret keys. The design philosophy of E2 is highly conservative; the structure uses 12-round Feistel as its main function whose round function is constructed with 2-round SPN structure, and initial/final transformational functions. E2 has practical security against differential attack, linear attack, cryptanalysis with impossible differential, truncated differential attack, and so on. Furthermore, E2 can be implemented efficiently and flexibly on various platforms because the primitive operations involve byte length processing.

  • Linear Cryptanalysis of FEAL

    Kazumaro AOKI  Kazuo OHTA  Shiho MORIAI  Mitsuru MATSUI  

     
    PAPER

    Vol: E81-A No:1  Page(s): 88-97

    This paper applies linear cryptanalysis to FEAL and describes the experimental results of attacking FEAL-8 by linear cryptanalysis. The following points are important in linear cryptanalysis to reduce the processing amount and memory size in the attack: 1) to find linear expressions with as high a deviation as possible, and 2) to reduce the number of effective key bits and effective text bits. We have succeeded in attacking FEAL-8 in about 1 hour on a low-end workstation (SPARCstation 10 Model 30). We have confirmed that the entire set of subkeys of FEAL-8 can be derived from $2^{25}$ known plaintexts with a success rate of over 70%, and from $2^{26}$ known plaintexts with a success rate of almost 100%.

  • The Best Differential Characteristic Search of FEAL

    Kazumaro AOKI  Kunio KOBAYASHI  Shiho MORIAI  

     
    PAPER

    Vol: E81-A No:1  Page(s): 98-104

    This paper presents the results of the best differential characteristic search of FEAL. The search algorithm for the best differential characteristic (best linear expression) was already presented by Matsui, and improvements on this algorithm were presented by Moriai et al. We further improve the speed of the search algorithm. For example, the search time for the 7-round best differential characteristic of FEAL is reduced to about 10 minutes (Pentium/166 MHz), which is about $2^{12.6}$ times faster than Matsui's algorithm. Moreover, we determine all the best differential characteristics of FEAL for up to 32 rounds assuming all S-boxes are independent. As a result, we confirm that the N-round ($7 \le N \le 32$) best differential characteristic probability of FEAL is $2^{-2N}$, which was found by Biham. For N=6, we find 6-round differential characteristics with a greater probability, $2^{-11}$, than that previously discovered, $2^{-12}$.

  • Related-Key Attacks on Reduced-Round Hierocrypt-L1

    Bungo TAGA  Shiho MORIAI  Kazumaro AOKI  

     
    PAPER

    Vol: E100-A No:1  Page(s): 126-137

    In this paper, we present several cryptanalyses of Hierocrypt-L1 block cipher, which was selected as one of the CRYPTREC recommended ciphers in Japan in 2003. We present a differential attack and an impossible differential attack on 8 S-function layers in a related-key setting. We first show that there exist the key scheduling differential characteristics which always hold, then we search for differential paths for the data randomizing part with the minimum active S-boxes using the above key differentials. We also show that our impossible differential attack is a new type.