On Matsui's Linear Cryptanalysis

Eli Biham
Computer Science Department, Technion - Israel Institute of Technology, Haifa, Israel
Technion - Computer Science Department Technical Report CS0813, 1994

Abstract

Matsui introduced a new method of cryptanalysis, called Linear Cryptanalysis. This method was used to attack DES using 2^47 known plaintexts. In this paper we formalize this method and show that although at the level of details this method is quite different from differential cryptanalysis, at the structural level they are very similar. For example, characteristics can be defined in linear cryptanalysis, but the concatenation rule has several important differences from the concatenation rule of differential cryptanalysis. We show that the attack of Davies on DES is closely related to linear cryptanalysis. We describe constraints on the size of S boxes caused by linear cryptanalysis. New results on Feal are also described.

Introduction

At EUROCRYPT '93 Matsui introduced a new method of cryptanalysis, called Linear Cryptanalysis. This method was used to attack DES using 2^47 known plaintexts. In this paper we formalize this method and show that although at the level of details this method is quite different from differential cryptanalysis, at the structural level they are very similar. For example, characteristics can be defined in linear cryptanalysis, but the concatenation rule has several important differences from the concatenation rule of differential cryptanalysis. We show that the attack of Davies on DES is closely related to linear cryptanalysis. We describe constraints on the size of S boxes caused by linear cryptanalysis. New results on Feal are also described.

Overview of Linear Cryptanalysis

Linear cryptanalysis studies statistical linear relations between bits of the plaintexts, the ciphertexts, and the keys they are encrypted under. These relations are used to predict values of bits of the key when many plaintexts and their corresponding ciphertexts are known. Since all the operations in DES except the S boxes are linear, it suffices to derive linear relations of the S boxes. These relations are derived for each S box by choosing a subset of the input bits and of the output bits, calculating the parity (exclusive-or) of these bits for each of the 64 possible inputs of the S box, and counting the number of inputs whose subset parity is zero. If the S box is linear in the bits of the subset, all the inputs must have a zero parity of the subset. If the S box is affine in the bits of the subset, all the inputs must have parity 1. Usually a subset will have many inputs with parity 0 and many inputs with parity 1. As the number of zeroes gets closer to the number of ones, we say that the subset is more nonlinear. The least linear subset under this definition is one for which half of the inputs have parity zero and the other half have parity one.

Matsui has calculated the number of zero parities for each of the possible subsets of the input and output bits of each S box. To represent the linearity of the subsets in a simple manner, he subtracts from these numbers half of the number of inputs (32). This way zero values denote nonlinear subsets, and high absolute values denote linear/affine or close to linear/affine subsets. A table which describes all these values for all the possible subsets of an S box is called a linear approximation table of the S box. Table 1 is the linear approximation table of S5 of DES. In this linear approximation table we can see that many of the entries have value zero. The highest absolute value in the linear approximation table of S5 is -20, in entry (10_x, F_x). Therefore only in 12 out of the 64 inputs is the parity of the four output bits (F_x) the same as the value of the second input bit (10_x). This entry was actually described by Shamir, but it was later described as a necessary consequence of the design criteria of DES, and nobody knew to point out whether it weakens DES. This specific entry, which is the most linear entry of all the S boxes of DES, is actually one of the three entries used in Matsui's attack.
Matsui's solution was to find a statistical linear expression, consisting of a parity of subsets of the plaintext, the ciphertext and the key, which is derived from similar expressions of the various rounds. Thus the parity of some set of data bits in each round is known as a function of the parity of the previous set of bits in the previous round and the parity of several key bits. The round linearization is based on the linearization of the S boxes. If we XOR the same value into the two halves of the data, we remain with the same parity as before the XOR. Since the subset of the input bits is statistically linear/affine to the subset of the output bits, the parity of the data after the XOR is usually the parity before the XOR, XORed with a particular key-dependent constant.

The probability that the approximation in an S box is valid is given by its distance from half: for example, the probability of the above entry with value -20 is p = 1/2 - 20/64 = 12/64. An entry with value 0 has probability p = 1/2; such an entry is useless for attacking a cryptosystem. Any other nonzero value, either positive or negative, can be used in attacks. An approximation may involve more than one S box. We follow Coppersmith and call the S boxes involved in the linearization active S boxes. The probability of an approximation with two active S boxes is p = p_1 p_2 + (1 - p_1)(1 - p_2), since the parity is even if either both parities of the approximations of the two S boxes are zero or both are one. For simplicity we denote the probabilities with the notation p'_i, by their distance from half: p'_i = p_i - 1/2. Then the combined probability is p' = 2 p'_1 p'_2. In general, if an approximation consists of l S boxes, the combined probability is p' = 2^{l-1} \prod_{i=1}^{l} p'_i.

Table 1: The Linear Approximation Table of S5 (input subsets 0_x to 3F_x against output subsets 0_x to F_x; the individual entries did not survive extraction).

When a linear approximation with probability p' is known to the attacker, he can mount an attack which requires about p'^{-2} known plaintexts. These plaintexts can be randomly chosen, but all of them must be encrypted under the same key, and the ciphertexts should be known to the attacker as well. The basic method of linear cryptanalysis finds only one bit of the key, which is a parity of a subset of the key bits. Auxiliary techniques of reducing the number of rounds of the approximations, by eliminating the first and/or last rounds and counting on all the key bits affecting the data at the rounds not in the approximation, can reduce the number of plaintexts required and increase the number of key bits that the attack finds.

A Study of Linear Cryptanalysis

Before we formalize the linear approximations by defining characteristics, we feel it is very important to mention that the bits we set in the characteristics are not the actual values of bits or bit-differences as in differential cryptanalysis; the bits we set denote the subset of bits whose parity is approximated. The expected parity itself is not directly denoted; however, the reader can easily identify the expected parity from the probability of the characteristic: if the probability is more than half the expected parity is zero, and if the probability is less than half the expected parity is one.

Another very important topic is the key space used in the analysis of linear cryptanalysis. There is a difference between the key space of the analyzed cryptosystem and the key space that the attack can handle. In differential cryptanalysis it was mentioned that the attacks assume that independent keys are used. The independent keys were defined as follows.

Definition: An independent key is a list of subkeys which is not necessarily derivable from some key via the key scheduling algorithm. Each key in the cryptosystem's key space has an equivalent independent key derived by the key scheduling algorithm.

We observe that linear cryptanalysis also assumes the use of independent keys. The theoretical analysis of systems with dependent keys is much harder. However, in practice it can be very well estimated by the analysis of the independent key variants. Therefore Matsui's method to find bits of the subkeys still holds even if independent keys are used. Other auxiliary methods can then
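As an added example (not part of Biham's paper), the following Python code builds Matsui's linear approximation table for DES S5 exactly as the overview describes it (count of inputs with even parity of the chosen input and output bits, minus 32) and applies the combination rule p' = 2^{l-1} prod p'_i to the biases of several active S boxes. The S5 table is the standard DES one; the entry (10_x, F_x) is the one discussed in the text.

```python
# Standard DES S5: rows indexed by the outer input bits (b1, b6),
# columns by the middle bits b2..b5.
S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]


def sbox(x):
    """Apply S5 to a 6-bit input; b1 is the 0x20 bit and b6 the 0x01 bit."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return S5[row][col]


def parity(v):
    return bin(v).count("1") & 1


def lat_entry(in_mask, out_mask):
    """Matsui's table value: (#inputs whose chosen input and output bits
    have even combined parity) - 32.  0 means perfectly nonlinear,
    +32/-32 means the subset is linear/affine."""
    zeros = sum(1 for x in range(64)
                if parity((x & in_mask) ^ (sbox(x) & out_mask)) == 0)
    return zeros - 32


def linear_approximation_table():
    """Full 64 x 16 table, indexed [input subset][output subset]."""
    return [[lat_entry(a, b) for b in range(16)] for a in range(64)]


def approximation_probability(value):
    """Probability that the parity relation holds: p = 1/2 + value/64."""
    return 0.5 + value / 64


def combined_bias(biases):
    """Combination rule from the text: p' = 2^(l-1) * prod(p'_i),
    where p'_i = p_i - 1/2 is the bias of each active S box."""
    result = 2 ** (len(biases) - 1)
    for b in biases:
        result *= b
    return result


if __name__ == "__main__":
    table = linear_approximation_table()
    v = table[0x10][0xF]
    print("S5 entry (10_x, F_x):", v, "probability", approximation_probability(v))
```

The sign of the value gives the expected parity, as the text explains: the negative entry means the relation holds with probability below one half, so the expected parity of the approximated bits is one.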
