Results 1 - 3 of 3
On the complexity of Matsui's attack
- in Selected Areas in Cryptography, SAC 2001, 2001
Cited by 12 (2 self)
Abstract. Linear cryptanalysis remains the most powerful attack against DES at this time. Given $2^{43}$ known plaintext-ciphertext pairs, Matsui expected a complexity of less than $2^{43}$ DES evaluations in 85 % of the cases for recovering the key. In this paper, we present a theoretical and experimental complexity analysis of this attack, which has been simulated 21 times using the idle time of several computers. The experimental results suggest a complexity upper-bounded by $2^{41}$ DES evaluations in 85 % of the cases, while more than half of the experiments needed less than $2^{39}$ DES evaluations. In addition, we give a detailed theoretical analysis of the attack complexity.
Linear Cryptanalysis of DES
Cited by 1 (0 self)
The main goal of this diploma work is the implementation of Matsui's linear cryptanalysis of DES and a statistical and theoretical analysis of its complexity and success probability. In order to achieve this goal, we first implement a very fast DES routine on the Intel Pentium III MMX architecture which is fully optimised for linear cryptanalysis. New implementation concepts are applied, resulting in a speed increase of almost 50 % over the best known classical implementation. The experimental results strongly suggest that the attack is on average about 10 times faster ($O(2^{39})$ computations) than expected with 2 known plaintext-ciphertext at disposal; furthermore, we have achieved a complexity of O 2 by using only 2 known pairs. Last, we propose a new analytical expression which approximates success probabilities; it gives slightly better results than Matsui's experimental ones.

