Partitioning Cryptanalysis
- Fast Software Encryption, 4th International Workshop Proceedings, 1997
Cited by 18 (0 self)
Matsui's linear cryptanalysis for iterated block ciphers is generalized to an attack called partitioning cryptanalysis. This attack exploits a weakness that can be described by an effective partition-pair, i.e., a partition of the plaintext set and a partition of the next-to-last-round output set such that, for every key, the next-to-last-round outputs are non-uniformly distributed over the blocks of the second partition when the plaintexts are chosen uniformly at random from a particular block of the first partition. The last-round attack by partitioning cryptanalysis is formalized and requirements for it to be successful are stated. The success probability is approximated and a procedure for finding effective partition-pairs is formulated. The usefulness of partitioning cryptanalysis is demonstrated by applying it successfully to six rounds of the DES. Keywords: iterated block ciphers, linear cryptanalysis, partitioning cryptanalysis, DES. 1 Introduction. In cryptography, frequent use is made of iterated block ciphers in which a keyed function, called the round function, is iterated r ...
Cryptanalysis of block ciphers and weight divisibility of some binary codes
The resistance of an iterated block cipher to most classical attacks can be quantified by some properties of its round function. The involved parameters (nonlinearity, degrees of the derivatives...) for a function $F$ from $\mathbb{F}_2^m$ into $\mathbb{F}_2^m$ are related to the weight distribution of a binary linear code $C_F$ of length $2^m - 1$ and dimension $2m$. In particular, the weight divisibility of $C_F$ appears as an important criterion in the context of linear cryptanalysis and of higher-order differential attacks. When the round function $F$ is a power permutation over $\mathbb{F}_{2^m}$, the associated code $C_F$ is the dual of a primitive cyclic code with two zeroes. Therefore, McEliece's theorem provides a powerful tool for evaluating the resistance of some block ciphers to linear and higher-order differential attacks.

