Linear Cryptanalysis

Linear cryptanalysis is a known-plaintext attack aimed at breaking symmetric-key ciphers, particularly block ciphers like DES, by finding linear relationships among plaintext, ciphertext, and key bits. It exploits biases in linear approximations to recover key bits, requiring a large number of plaintext-ciphertext pairs for effective attacks. Modern ciphers implement countermeasures such as complex S-boxes and increased diffusion to mitigate the effectiveness of linear cryptanalysis.

Uploaded by Vishal Kumar

Linear Cryptanalysis

Linear cryptanalysis is a known-plaintext attack used to break symmetric-key ciphers, particularly block ciphers. It was first introduced by Mitsuru Matsui in the early 1990s to attack DES (Data Encryption Standard).

Basic Idea
The main goal of linear cryptanalysis is to find linear approximations that relate plaintext bits,
ciphertext bits, and key bits. If a cipher has a structure where certain bits follow a linear
relationship with a probability significantly different from 0.5, an attacker can use this information to
deduce the secret key.

How Linear Cryptanalysis Works


1. Linear Approximation
A cipher consists of multiple rounds, where confusion and diffusion techniques (such as S-boxes and
permutation layers) are applied. The attacker tries to find a linear equation of the form:

$$P_i \oplus P_j \oplus \cdots \oplus C_m \oplus C_n \oplus \cdots = K_k \oplus K_l \oplus \cdots$$

where:
$P_i, P_j, \ldots$ are bits of the plaintext,
$C_m, C_n, \ldots$ are bits of the ciphertext,
$K_k, K_l, \ldots$ are bits of the key,
$\oplus$ denotes the XOR operation.

2. Probability Bias
In an ideal cipher, bits should behave randomly, meaning each linear equation should hold with a
probability close to 0.5.
If a certain equation holds with a probability noticeably different from 0.5 (e.g., 0.75 or 0.25), it
means there is a bias in the cipher.
This bias can be exploited to recover key bits.

3. Finding the Best Approximation


To mount an attack, the attacker needs to:
1. Find the most biased linear approximation of the cipher (this is usually done using linear hull
analysis and Walsh transforms).
2. Collect a large number of plaintext-ciphertext pairs (since small biases require many samples to
exploit).
3. Use statistical techniques to guess key bits by comparing observed biases with theoretical
predictions.
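The three steps above, worked through on a toy one-round cipher C = S(P ⊕ K). This is an added example, not part of the original document; the cipher, the sample 4-bit S-box, the key value, and all function names are assumptions chosen for illustration.

```python
import random

# Sample 4-bit S-box (first row of DES S1); an assumption for this example.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def parity(x):
    """XOR of all bits of x."""
    return bin(x).count("1") & 1

def bias_table(sbox):
    """bias[a][b] = Pr[a.X xor b.S(X) = 0] - 1/2 over all inputs X."""
    n = len(sbox)
    return [[sum(parity(a & x) == parity(b & sbox[x]) for x in range(n)) / n - 0.5
             for b in range(n)] for a in range(n)]

def best_approximation(sbox):
    """Step 1: non-trivial mask pair (a, b) with the largest |bias|."""
    table = bias_table(sbox)
    n = len(sbox)
    a, b = max(((a, b) for a in range(1, n) for b in range(1, n)),
               key=lambda m: abs(table[m[0]][m[1]]))
    return a, b, table[a][b]

def recover_key_parity(pairs, a, b, bias):
    """Step 3: majority vote on a.P xor b.C, which equals a.K whenever the
    approximation holds for the toy cipher C = S(P xor K)."""
    zeros = sum(parity(a & p) == parity(b & c) for p, c in pairs)
    majority_zero = zeros > len(pairs) / 2
    # Positive bias: the majority value is a.K; negative bias: its complement.
    return 0 if majority_zero == (bias > 0) else 1

def demo(key=0b1011, samples=200, seed=1):
    """Returns (recovered key parity, true key parity) for the toy cipher."""
    rng = random.Random(seed)
    a, b, bias = best_approximation(SBOX)
    # Step 2: constructed known plaintext/ciphertext pairs.
    pairs = [(p, SBOX[p ^ key])
             for p in (rng.randrange(16) for _ in range(samples))]
    return recover_key_parity(pairs, a, b, bias), parity(a & key)
```

A designer can run `best_approximation` on a candidate S-box as a quick linearity check: an affine mapping such as the identity yields the maximum bias of 0.5, while the sample S-box peaks at 0.375.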

Attack on DES Using Linear Cryptanalysis


Matsui successfully used linear cryptanalysis to attack DES using two approaches:
1. Algorithm 1 (Key Ranking)
   - Uses a linear approximation for the entire cipher.
   - Tests different key candidates and ranks them based on how well they match the observed probabilities.
2. Algorithm 2 (Stepwise Key Recovery)
   - Recovers parts of the key round-by-round, making it more efficient.
   - Requires 2⁴³ known plaintext-ciphertext pairs to successfully recover the DES key.

Limitations of Linear Cryptanalysis


1. High Data Complexity – Requires a large number of known plaintexts (e.g., 2⁴³ for DES).
2. Countermeasures Exist – Modern ciphers like AES include design features (e.g., complex S-boxes)
to reduce linear biases.
3. Not Always Practical – Many real-world systems limit the number of plaintexts an attacker can
obtain.

Countermeasures Against Linear Cryptanalysis


- Use non-linear S-boxes to reduce bias in linear approximations.
- Increase diffusion so that small biases don’t persist across rounds.
- Use larger block and key sizes to make attacks computationally infeasible.
- Introduce key-dependent transformations to disrupt statistical patterns.

Summary
| Feature | Description |
|---|---|
| Attack Type | Known-plaintext |
| Exploits | Linear approximations with non-random probability |
| Goal | Find biased equations to recover key bits |
| Best Known Attack | Matsui's attack on DES (1993) |
| Countermeasures | Stronger S-boxes, better diffusion, key-dependent operations |

Linear cryptanalysis remains an important tool in cryptanalysis, but modern cryptographic designs take
it into account to ensure resistance.
