Abstract. Linear cryptanalysis remains the most powerful attack against DES at this time. Given 2 43 known plaintext-ciphertext pairs, Matsui expected a complexity of less than 2 43 DES evaluations in 85 % of the cases for recovering the key. In this paper, we present a theoretical and experimental complexity analysis of this attack, which has been simulated 21 times using the idle time of several computers. The experimental results suggest a complexity upper-bounded by 2 41 DES evaluations in 85 % of the case, while more than the half of the experiments needed less than 2 39 DES evaluations. In addition, we give a detailed theoretical analysis of the attack complexity.

In this paper, we consider the statistical decision processes behind a linear and a differential cryptanalysis. By applying techniques and concepts of statistical hypothesis testing, we describe precisely the shape of optimal linear and dierential distinguishers and we improve known results of Vaudenay concerning their asymptotic behaviour. Furthermore, we formalize the concept of "sequential distinguisher" and we illustrate potential applications of such tools in various statistical attacks.