[11] Sho ji Miyaguchi, Akira Shiraishi, Akihiro Shimizu, Fast Data Encryption
Algorithm FEAL-8, Review of electrical communications lab oratories, Vol. 36,
No. 4, pp. 433{437, 1988.
[12] Luke O'Connor, On the Distribution of Characteristics in Bijective Mappings,
Lecture Notes in Computer Science, Advances in Cryptology, pro ceedings of
EUROCRYPT'93, to app ear.
[13] Luke O'Connor, On the Distribution of Characteristics in Composite Permuta-
tions, Lecture Notes in Computer Science, Advances in Cryptology, pro ceedings
of CRYPTO'93, to app ear.
[14] Adi Shamir, On the Security of DES, Lecture Notes in Computer Science,
Advances in Cryptology, pro ceedings of CRYPTO'85, pp. 280{281, 1985.
[15] Akihiro Shimizu, Sho ji Miyaguchi, Fast Data Encryption Algorithm FEAL,
Lecture Notes in Computer Science, Advances in Cryptology, pro ceedings of
EUROCRYPT'87, pp. 267{278, 1987.
Technion - Computer Science Department Technical Report CS0813 1994 17
to linear cryptanalysis. We also describ ed how to sum up characteristics (which also
hold in di erential cryptanalysis).
8 Acknowledgments
Acknowledgment: This research was supp orted by the fund for the promotion of
research at the Technion. Some of the results in this pap er were found using variants
of programs, whose originals were written by Ishai Ben-Aroya.
References
[1] Eli Biham, Adi Shamir, Di erential Cryptanalysis of the Data Encryption
Standard, Springer-Verlag, 1993.
[2] Eli Biham, Adi Shamir, Di erential Cryptanalysis of DES-like Cryptosystems,
Journal of Cryptology,Vol. 4, No. 1, pp. 3{72, 1991.
[3] Eli Biham, Adi Shamir, Di erential Cryptanalysis of Snefru, Khafre, REDOC-
II, LOKI and Lucifer, technical rep ort CS91-18, Department of Applied
Mathematics and Computer Science, The Weizmann Institute of Science, 1991.
The extended abstract app ears in Lecture Notes in Computer Science, Advances
in Cryptology, pro ceedings of CRYPTO'91, pp. 156{171, 1991.
[4] Don Copp ersmith, The Data Encryption Standard (DES) and its Strength
Against Attacks, technical rep ort, IBM Thomas J. Watson Research Center, RC
18613 (81421), Decemb er 1992.
[5] D. W. Davies, Investigation of a Potential Weakness in the DES Algorithm,
1987, private communication.
[6] Xuejia Lai, James L. Massey, Sean Murphy, Markov Ciphers and Di erential
Cryptanalysis, Lecture Notes in Computer Science, Advances in Cryptology,
pro ceedings of EUROCRYPT'91, pp. 17{38, 1991.
[7] Xuejia Lai, On the Design and Security of Block Ciphers, Ph.D. thesis, Swiss
Federal Institue of Technology, Zurich, 1992.
[8] Mitsuru Matsui, Atsuhiro Yamagishi, A New Method for Known Plaintext Attack
of FEAL Cipher, Lecture Notes in Computer Science, Advances in Cryptology,
pro ceedings of EUROCRYPT'92, pp. 81{91, 1992.
[9] M. Matsui, Linear Cryptanalysis Method for DES Cipher, Abstracts of
EUROCRYPT'93, pp. W112{W123, May 1993.
Technion - Computer Science Department Technical Report CS0813 1994
[10] Ralph C. Merkle, Fast Software Encryption Functions, Lecture Notes in Computer
Science, Advances in Cryptology, pro ceedings of CRYPTO'90, pp. 476{501,
1990. 16
characteristics is:
= 86 81 00 00 86 81 00 00
P x
0 0
A = 86 81 00 00 a = 81 00 00 00 with probability 1=2 1=8 x
x F
0 0
B = 07 81 00 00 b = 81 00 00 00 with probability 1=2 1=4 x
x F
0 0
C = 07 81 00 00 c = 81 00 00 00 with probability 1=2 1=4 x
x F
0 0
D = 86 81 00 00 d = 81 00 00 00 with probability 1=2 1=8 x
x F
= 86 81 00 00 86 81 00 00 :
T x