A Generalization of Linear Cryptanalysis and the Applicability of Matsui's Piling-up Lemma, 1995
Abstract
Cited by 41 (5 self)
Matsui's linear cryptanalysis for iterated block ciphers is generalized by replacing his linear expressions with I/O sums. For a single round, an I/O sum is the XOR of a balanced binary-valued function of the round input and a balanced binary-valued function of the round output. The basic attack is described and conditions for it to be successful are given. A procedure for finding effective I/O sums, i.e., I/O sums yielding successful attacks, is given. A cipher contrived to be secure against linear cryptanalysis but vulnerable to this generalization of linear cryptanalysis is given. Finally, it is argued that the ciphers IDEA and SAFER K-64 are secure against this generalization.

Keywords. Linear cryptanalysis, differential cryptanalysis, piling-up lemma, IDEA, SAFER.

1 Introduction

Linear cryptanalysis, which was introduced by Matsui in [Mat93] to attack DES, is an attack that applies to any iterated block cipher. In this paper, we develop a generalized version of linear cryptanalysis...

