Relationships among Differential, Truncated Differential, Impossible Differential Cryptanalyses against Word-Oriented Block Ciphers like RIJNDAEL, E2

We propose a new method for evaluating the security of block ciphers against di erential cryptanalysis and propose new structures for block ciphers. To this end, we de ne the word-wise Markov (Feistel) cipher and random output-di erential (Feistel) cipher and clarify the relations among the di erential, the truncated di erential and the impossible di erential cryptanalyses of the random output-di erential (Feistel) cipher. This random output-di erential (Feistel) cipher model uses a not too strong assumption because denying this approximation model is equivalent to denying truncated di erential cryptanalysis. Utilizing these relations, we evaluate the truncated di erential probability and the maximum average of di erential probability of the word-wise Markov (Feistel) ciphers like Rijndael, E2 and the modi ed version of block cipher E2. This evaluation indicates that all three are provably secure against di erential cryptanalysis, and that Rijndael and a modi ed version of block cipher E2 have stronger security than E2. keywords. truncated di erential cryptanalysis, truncated di erential probability, maximum average of di erential probability, generalized E2-like transformation, SPN-structure, word-wise Markov cipher, random output-di erential cipher