Partitioning Cryptanalysis
- Fast Software Encryption, 4th International Workshop Proceedings, 1997
Abstract
Cited by 18 (0 self)
Matsui's linear cryptanalysis for iterated block ciphers is generalized to an attack called partitioning cryptanalysis. This attack exploits a weakness that can be described by an effective partition-pair, i.e., a partition of the plaintext set and a partition of the next-to-last-round output set such that, for every key, the next-to-last-round outputs are non-uniformly distributed over the blocks of the second partition when the plaintexts are chosen uniformly at random from a particular block of the first partition. The last-round attack by partitioning cryptanalysis is formalized and requirements for it to be successful are stated. The success probability is approximated and a procedure for finding effective partition-pairs is formulated. The usefulness of partitioning cryptanalysis is demonstrated by applying it successfully to six rounds of the DES.

Keywords. Iterated block ciphers, linear cryptanalysis, partitioning cryptanalysis, DES.

1 Introduction

In cryptography, frequent use is made of iterated block ciphers in which a keyed function, called the round function, is iterated r ...

