## Linear Cryptanalysis Using Multiple Approximations (1994)

Venue: | Advances in Cryptology | CRYPTO '94 Proceedings |

Citations: | 50 - 2 self |

### BibTeX

@INPROCEEDINGS{Kaliski94linearcryptanalysis,

author = {Burton S. Kaliski and M. J. B. Robshaw},

title = {Linear Cryptanalysis Using Multiple Approximations},

booktitle = {Advances in Cryptology | CRYPTO '94 Proceedings},

year = {1994},

pages = {26--39},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. We present a technique which aids in the linear cryptanalysis of a block cipher and allows for a reduction in the amount of data required for a successful attack. We note the limits of this extension when applied to DES, but illustrate that it is generally applicable and might be exceptionally successful when applied to other block ciphers. This forces us to reconsider some of the initial attempts to quantify the resistance of block ciphers to linear cryptanalysis, and by taking account of this new technique we cover several issues which have not yet been considered. 1

### Citations

428 | Linear cryptanalysis method for DES cipher - Matsui - 1994 |

335 |
Differential Cryptanalysis of the Data Encryption Standard
- Biham, Shamir
- 1993
(Show Context)
Citation Context ...roving to be very valuable in the analysis of block ciphers. While there are fascinating comparisons [2, 7, 10] to be made between linear cryptanalysis and the technique of differential cryptanalysis =-=[3]-=-, linear cryptanalysis requires known rather than chosen plaintext and, as such, might well pose more of a practical threat to a block cipher than differential cryptanalysis. Gradually the technique o... |

123 |
The first experimental cryptanalysis of the data encryption standard
- Matsui
- 1994
(Show Context)
Citation Context ...me to the fore. Much of our work in this section is preliminary and is still the subject of ongoing research.s4.1 Key ranking At Crypto’94 Matsui presented the first experimental cryptanalysis of DES =-=[5]-=-. The innovative feature of this attack which allows an important reduction in plaintext requirements is the idea of what we shall term key ranking. When attempting to identify the correct guess for a... |

53 | Fundamentals of Applied Probability Theory - Drake - 1967 |

44 | On Matsui’s Linear Cryptanalysis
- Biham
(Show Context)
Citation Context ...n on the first phase of the attack due to Aoki et al. we note that very similar techniques can be used to devise a similar modification to the third phase. Aoki et al. use one approximation PH[7] ⊕ PL=-=[1, 2, 8, 15]-=- ⊕ CL[1, 2, 7, 8, 15]⊕ ⊕ f(PH ⊕ PL, K 1 )[1, 7, 15] = k1. We would use the following three linear approximations as well: 67% PH[0] ⊕ PL[0, 1, 2, 7, 8, 15] ⊕ CL[1, 2, 7, 8, 15] ⊕ CH[0, 7] ⊕ f(PH ⊕ PL,... |

43 |
S.: Fast data encipherment algorithm FEAL
- Shimizu, Miyaguchi
- 1987
(Show Context)
Citation Context ...een quite how powerful it might be in practice 1 . In this paper we shall describe the results of experiments on the use of multiple approximations in a linear cryptanalytic attack on the cipher FEAL =-=[14]-=-, in particular on the eight-round version denoted FEAL-8. In the following section we shall describe the essential features of the technique of linear cryptanalysis together with a description of how... |

34 |
On correlation between the order of S-boxes and the strength of DES
- Matsui
- 1995
(Show Context)
Citation Context ...attention on the first phase of the attack due to Aoki et al. we note that very similar techniques can be used to devise a similar modification to the third phase. Aoki et al. use one approximation PH=-=[7]-=- ⊕ PL[1, 2, 8, 15] ⊕ CL[1, 2, 7, 8, 15]⊕ ⊕ f(PH ⊕ PL, K 1 )[1, 7, 15] = k1. We would use the following three linear approximations as well: 67% PH[0] ⊕ PL[0, 1, 2, 7, 8, 15] ⊕ CL[1, 2, 7, 8, 15] ⊕ CH[... |

33 | On the need of Multipermutations: Cryptanalysis of MD4 and SAFER
- Vaudenay
- 1994
(Show Context)
Citation Context ...tial three. We close with our conclusions. 1 Vaudenay has mentioned that multiple approximations can provide a factor of 64 reduction in the plaintext requirements for his work with variants of SAFER =-=[15]-=-.s2 Linear cryptanalysis 2.1 Using a single approximation Linear cryptanalysis is a technique which is proving to be very valuable in the analysis of block ciphers. While there are fascinating compari... |

27 | Practically secure feistel ciphers - Knudsen - 1993 |

23 | A new method for known plaintext attack of FEAL cipher - Matsui, Yamagishi |

16 | Linear cryptanalysis for DES cipher - Matsui - 1994 |

13 | Likelihood estimation for block cipher keys
- Murphy, Piper, et al.
- 1995
(Show Context)
Citation Context ...inear cryptanalysis 2.1 Using a single approximation Linear cryptanalysis is a technique which is proving to be very valuable in the analysis of block ciphers. While there are fascinating comparisons =-=[2, 7, 10]-=- to be made between linear cryptanalysis and the technique of differential cryptanalysis [3], linear cryptanalysis requires known rather than chosen plaintext and, as such, might well pose more of a p... |

3 | Institute of Standards and Technology (NIST). FIPS-46-3: Data Encryption Standard - National - 1999 |

3 | Linear Cryptanalysis of the Fast Data Encipherment Algorithm
- Ohta, Aoki
- 1994
(Show Context)
Citation Context ... is a rewriting of FEAL to give an equivalent cipher; we shall use this technique in the attack presented here. There has been considerable recent work completed on the linear cryptanalysis of FEAL-8 =-=[2, 1, 12, 13]-=-. Matsui and Yamagishi [8] originally showed thatsK 9 PH ⊕� ⊕� CL f � PL � ⊕ � f �⊕ f � � f �⊕ ⊕ ⊕ ⊕� ⊕� ⊕� f � � f �⊕ f � � f �⊕ CH K 10 K 1 K 2 K 3 K 4 K 5 K 6 K 7 K 8 Fig. 1. Modified FEAL-8 there ... |

2 |
Linear cryptanalysis of FEAL-8 (experimentation report
- Aoki, Ohta, et al.
- 1994
(Show Context)
Citation Context ... is a rewriting of FEAL to give an equivalent cipher; we shall use this technique in the attack presented here. There has been considerable recent work completed on the linear cryptanalysis of FEAL-8 =-=[2, 1, 12, 13]-=-. Matsui and Yamagishi [8] originally showed thatsK 9 PH ⊕� ⊕� CL f � PL � ⊕ � f �⊕ f � � f �⊕ ⊕ ⊕ ⊕� ⊕� ⊕� f � � f �⊕ f � � f �⊕ CH K 10 K 1 K 2 K 3 K 4 K 5 K 6 K 7 K 8 Fig. 1. Modified FEAL-8 there ... |

1 | On the distribution of characteristics in bijective mappings - O’Conner - 1994 |