How far can we go beyond linear cryptanalysis?
Advances in Cryptology - Asiacrypt'04, volume 3329 of LNCS, 2004
Cited by 32 (9 self)
Abstract. Several generalizations of linear cryptanalysis have been proposed in the past, as well as very similar attacks from a statistical point of view. In this paper, we define a rigorous general statistical framework which allows one to interpret most of these attacks in a simple and unified way. Then, we explicitly construct optimal distinguishers, we evaluate their performance, and we prove that a block cipher immune to classical linear cryptanalysis possesses some resistance to a wide class of generalized versions, but not all. Finally, we derive tools which are necessary to set up more elaborate extensions of linear cryptanalysis, and to generalize the notions of bias, characteristic, and piling-up lemma.
Differential Attack on Message Authentication Codes
1994
Cited by 4 (0 self)
We discuss the security of Message Authentication Code (MAC) schemes from the viewpoint of differential attack, and propose an attack that is effective against DES-MAC and FEAL-MAC. The attack derives the secret authentication key in the chosen-plaintext scenario. For example, DES(8-round)-MAC can be broken with 2^34 pairs of plaintext, while FEAL8-MAC can be broken with 2^22 pairs. The proposed attack is applicable to any MAC scheme, even if the 32 bits are randomly selected from among the 64 bits of ciphertext generated by a cryptosystem vulnerable to differential attack in the chosen-plaintext scenario.
How Far Can We Go Beyond Linear Cryptanalysis?
Asiacrypt 2004, LNCS, 2004
Cited by 4 (0 self)
Abstract. Several generalizations of linear cryptanalysis have been proposed in the past, as well as very similar attacks from a statistical point of view. In this paper, we define a rigorous general statistical framework which allows one to interpret most of these attacks in a simple and unified way. Then, we explicitly construct optimal distinguishers, we evaluate their performance, and we prove that a block cipher immune to classical linear cryptanalysis possesses some resistance to a wide class of generalized versions, but not all. Finally, we derive tools which are necessary to set up more elaborate extensions of linear cryptanalysis, and to generalize the notions of bias, characteristic, and piling-up lemma.

Keywords: Block ciphers, linear cryptanalysis, statistical cryptanalysis.

1 A Decade of Linear Cryptanalysis

Linear cryptanalysis is a known-plaintext attack proposed in 1993 by Matsui [21, 22] to break DES [26], exploiting specific correlations between the input and the output of a block cipher. Namely, the attack traces the statistical correlation between one bit of information about the plaintext and one bit of information about the ciphertext, both obtained linearly with respect to GF(2)^L (where L is the block size of the cipher), by means of probabilistic linear expressions, a concept previously introduced by Tardy-Corfdir and Gilbert [30]. Soon after, several attempts to generalize linear cryptanalysis were published: Kaliski and Robshaw [13] demonstrate how it is possible to combine several independent linear correlations depending on the same key bits. In [31], Vaudenay defines another kind of attack on DES, called the χ²-attack, and shows that one can obtain an attack slightly less powerful than a linear cryptanalysis, but without the need to know precisely what happens in the block cipher.

Harpes, Kramer, and Massey [7] replace the linear expressions with so-called I/O sums, i.e., balanced binary-valued functions; they prove the potential effectiveness of such a generalization by exhibiting a block cipher secure against conventional linear cryptanalysis but vulnerable to their generalization. Practical examples are the attack of Knudsen and Robshaw [15] against
Linear Cryptanalysis of the Fast Data Encipherment Algorithm
Advances in Cryptology - CRYPTO'94, Springer-Verlag, LNCS 839, 1994
Cited by 3 (1 self)
Abstract. This paper discusses the security of the Fast Data Encipherment Algorithm (FEAL) against Linear Cryptanalysis. It has been confirmed that the entire set of subkeys used in FEAL-8 can be derived with 2^25 pairs of known plaintext and ciphertext with a success rate over 70%, spending about 1 hour using a workstation (SPARCstation 10 Model 30). This paper also evaluates the security of FEAL-N in comparison with that of the Data Encryption Standard (DES).
On the Data Complexity of Statistical Attacks Against Block Ciphers
Cryptology ePrint Archive, 2009
Cited by 3 (1 self)
Abstract. Many attacks on iterated block ciphers rely on statistical considerations, using plaintext/ciphertext pairs to distinguish some part of the cipher from a random permutation. We provide here a simple formula for estimating the number of plaintext/ciphertext pairs needed for such distinguishers, which applies to many different scenarios (linear cryptanalysis, differential-linear cryptanalysis, differential/truncated differential/impossible differential cryptanalysis). The asymptotic data complexities of all these attacks are then derived. Moreover, we give an efficient algorithm for computing the data complexity accurately.
Experimental Non-Linear Cryptanalysis
2003
Cited by 1 (0 self)
Former research reports suggesting the idea of non-linear cryptanalysis of block ciphers date back to the work of Harpes on generalizations of Matsui's linear cryptanalytic attacks, presented at Eurocrypt '95. Also, the non-linear approach was more explicitly stated in an attack against DES described by Knudsen and Robshaw at Eurocrypt '96 (again as an extension of the concept of linear cryptanalysis, in which binary-valued non-linear approximations are used to approximate the action of the S-boxes of DES). More recently, at Crypto '98, Shimoyama and Kaneko improved Knudsen and Robshaw's attack on DES using quadratic relations to approximate the DES S-boxes. Moreover, the research results of Van Dooren were also concerned with non-linear approximations applied to two AES finalist block ciphers, Twofish and Serpent.

