Improved Meet-in-the-middle Attacks on Reduced-round E2
E2 is one of the 15 candidate algorithms in the first round of AES,which has the characteristics of excellent software and hardware implementation efficiency and strong security.The meet-in-the-middle attacks on E2 are carried out in this paper by using multiset tabulation technique and differential enumeration technique.First,E2-128 is taken as an example to improve the existing 4-round meet-in-the-middle distinguisher,and the pre-computation complexity of 5-round key recovery attack is reduced to231 5-round encryptions.Second,for E2-256,a 6-round distinguisher is constructed from the new 4-round distinguisher by extending two rounds backward,and then a 9-round meet-in-the-middle attack is presented,whose data complexity is 2105 chosen plaintexts,memory complexity is 2200 Byte,and time complexity is 2205 9-round encryptions.Compared with the existing security analysis results of E2,the scheme achieves the longest number of attack rounds for E2-256.
NETL
NSTL
万方数据
