Linear cryptanalysis proposed by Matsui is one of the most effective attacks on block ciphers. Some attempts to improve linear cryptanalysis have been made since Matsui introduced. We focus on how to optimize linear cryptanalysis with such techniques, and we apply the optimized linear cryptanalysis on FEAL-8X. First, we evaluate two existing implementation methods so as to optimize the computation time of linear cryptanalysis. Method 1 removes redundant round function computations and optimizes the other computation of linear cryptanalysis by transforming it into bitwise operations. Method 2 transforms the computation of linear cryptanalysis into a matrix multiplication and reduces the time complexity of the multiplication using the fast Fourier transform (FFT). We implement both methods optimized for modern microprocessors and compare their computation time to clarify the appropriate method for practical cryptanalysis. From the result, we show that the superior implementation depends on the number of given known plaintexts (KPs) and that of guessed key bits. Furthermore, we show that these results enable us to select the superior method to implement linear cryptanalysis without another comparative experiment. By using the superior method, we implement the multiple linear cryptanalysis (MLC) on FEAL-8X. Our implementation can recover the secret key of FEAL-8X with 210KPs in practical computation time with non-negligible probability, and it is the best attack on FEAL-8X in data complexity.

Linear cryptanalysis using sieve methods is a technique proposed by Takeda et al. in 1998 as an attack capable of breaking ciphers with smaller amounts of data than linear cryptanalysis (LC) by using data that satisfies linear sieve conditions. This paper shows that when considering the amount of data required for cryptanalysis in Takeda et al.'s proposed sieved linear cryptanalysis (S-LC), it is necessary to take into account the independence of keys relating to the linear mask (Linear key) and keys relating to the linear sieve mask (Sieve key) in rounds that are affected by these keys. If p is the probability that the linear approximate expression holds and p* is the probability after applying the linear sieve, then it has been shown that when the Linear keys are independent of the Sieve keys, then it is necessary to select the linear mask and linear sieve mask so that a larger value of p*-p is obtained. It is also shown that the amount of data needed for S-LC cannot be reduced below the amount of data needed for LC when the Linear key and Sieve key are not independent. In fixed sieve linear cryptanalysis, it is shown that the amount of data needed for cryptanalysis cannot be reduced regardless of the independence of the Linear key and Sieve key.

The design and analysis of block ciphers is an established field of study which has seen significant progress since the early 1990s. Nevertheless, what remains on an interesting direction to explore in this area is to design block ciphers with provable security against powerful known attacks such as differential and linear cryptanalysis. In this paper we introduce seven new block cipher structures, named Feistel-variant A, B, CLEFIA and MISTY-FO-variant A, B, C, D structures, and show that these structures are provably resistant against differential cryptanalysis. The main results of this paper are that the average differential probabilities over at least 2 rounds of Feistel-variant A structure and 1 round of Feistel-variant B structure are both upperbounded by p2, while the average differential probabilities over at least 5 rounds of CLEFIA, MISTY-FO-variant A, B, C and D structures are upperbounded by p4+2p5, p4, p4, 2p4 and 2p4, respectively, if the maximum differential probability of a round F function is p. We also give provable security for the Feistel-variant A, B and CLEFIA structures against linear cryptanalysis. Our results are attained under the assumption that all of components in our proposed structures are bijective. We expect that our results are useful to design block ciphers with provable security against differential and linear cryptanalysis.

This paper reports the strength of a pseudorandom number generator MUGI, which was published as a stream cipher by Hitachi, Ltd. in 2001, against linear cryptanalysis. MUGI is one of the recommended ciphers of CRYPTREC, which is a project for the e-Government in Japan. It has two internal states called state and buffer, which are updated by a linear function λ and a non-linear function ρ. The non-linear function ρ and the linear function λ have already been analyzed, independently. In this paper, whole MUGI is analyzed by truncated linear cryptanalysis. The analysis of λ function is based on the state variables method. The result is combined to the result of the analysis of ρ function to make a trellis diagram. Viterbi search is conducted on the diagram to find the best possible linear path under 64-bit truncated linear cryptanalysis. As the result, the upper bound of the maximum linear characteristic probability is estimated as less than 2-138. Therefore, MUGI is secure against linear cryptanalysis.

One of Kaliski and Robshaw's algorithms, which is used for the linear attack on block ciphers with multiple linear approximations and introduced as Algorithm 2M in this paper, looks efficient but lacks any theoretical and mathematical description. It means there exists no way to estimate the data complexity required for the attack by the algorithm except experiments of the reduced variants. In this paper we propose a new algorithm using multiple linear approximation. We achieve the theoretical and mathematical analysis of its success probability. The new algorithm needs about 240.6 plaintexts to find 12 bits of secret key of 16-round DES with a success probability of about 86%.

This paper cryptanalyzes 128-bit block cipher Xenon, which was designed by Chang-Hyi Lee and has been recently proposed by Korea to ISO 18033-3, an ongoing activity in ISO/IEC JTC1/SC27/WG2 for standardizing block cipher algorithms. We study security of Xenon against linear cryptanalysis and show highly biased linear approximate paths that hold with probability 1/2 2-11 in the full 16-round Xenon. As a result, we can easily derive four-bit subkey information of Xenon using 223 known plaintexts with approximate success rate 84%. We also demonstrate a distinguishing attack of Xenon in a chosen plaintext scenario, which successfully reduces the number of required plaintext/ciphertext pairs of the attack. All these results were confirmed by computer experiments.

This paper studies security of Feistel ciphers with SPN round function against differential cryptanalysis, linear cryptanalysis, and truncated differential cryptanalysis from the "designer's standpoint." In estimating the security, we use the upper bounds of differential characteristic probability, linear characteristic probability and truncated differential probability, respectively. They are useful to design practically secure ciphers against these cryptanalyses. Firstly, we consider the minimum numbers of differential and linear active s-boxes. They provide the upper bounds of differential and linear characteristic probability, which show the security of ciphers constructed by s-boxes against differential and linear cryptanalysis. We clarify the (lower bounds of) minimum numbers of differential and linear active s-boxes in some consecutive rounds of the Feistel ciphers by using differential and linear branch numbers, Pd, Pl, respectively. Secondly, we discuss the following items on truncated differential probability from the designer's standpoint, and show how the following items affect the upper bound of truncated differential probability; (a) truncated differential probability of effective active-s-box, (b) XOR cancellation probability, and (c) effect of auxiliary functions. Finally, we revise Matsui's algorithm using the above discussion in order to evaluate the upper bound of truncated differential probability, since we consider the upper bound of truncated differential probability as well as that of differential and linear probability.

In this letter we propose a new mode for block ciphers which uses an unknown random block as feedback. We show that the successful differential/linear cryptanalyses of DES under the mode require at least the complexity of the exhaustive key search. We also present the processing overhead of our scheme compared to that of ECB mode.

This letter examines outline measures of strength against the differential and linear cryptanalysis. These measures are useful to estimate the number of rounds giving an immune iterated cipher. This letter reports that the outline measures of strength are useful to relatively estimate the strength of generalized feistel ciphers.

We introduce a new methodology for designing block ciphers with provable security against differential and linear cryptanalysis. It is based on three new principles: change of the location of round functions, round functions with recursive structure, and substitution boxes of different sizes. The first realizes parallel computation of the round functions without losing provable security, and the second reduces the size of substitution boxes; moreover, the last is expected to make algebraic attacks difficult. This structure gives us a simple and effective method for designing secure and fast block ciphers in hardware as well as in software implementation. Block encryption algorithm MISTY was designed on the basis of this methodology.

This letter gives a study of additionY=X+K mod 2w which is used in some cryptosystems as RC5. Our results enables us to express the differential and linear probability of addition as a function of addendK. To detect a good differential characteristics or linear approximation of a cryptosystem in which extended key is used as addend, we need to consider how the characteristics or approximations behave depending upon the value of the addend, which are clarified by our results.

In the linear cryptanalysis (LC), to decrease the number of plain/cipher text pairs required for successful attack against DES, it is necessary to improve the effectiveness of the linear approximate expression and to decrease the number of key bits in the expression to be exhaustively searched for. In the previous work, we proposed a linear sieve method to improve the effectiveness of the linear approximate expression. On the other hand, the number of key bits increased. To suppress the number of key bits, we propose Fixed Sieve Linear Cryptanalysis (FS-LC) with fixed sieve key of the linear sieve method. With FS-LC against 8-round DES, we showed the number of plain/cipher text pairs required for sucessful attack is less than that of LC. Furthmore, we extended FS-LC with Kaliski's techniques using the multiple linear approximate expressions to intoroduce Fixed Sieve multiple Linear Cryptanalysis (FS-mLC). With FS-mLC against 8-round DES, computer simulation revealed that it is possible to solve its encryption-key with 220 plain/cipher text pairs. The number of pairs is about a half of the Matsui's 1-round linear cryptanalysis cases.

This paper applies linear cryptanalysis to FEAL and describes the experimental results of attacking FEAL-8 by linear cryptanalysis. The following points are important in linear cryptanalysis to reduce the processing amount and memory size in the attack: 1) to find linear expressions with as high a deviation as possible, and 2) to reduce the number of effective key bits and effective text bits. We have succeeded in attacking FEAL-8 in about 1 hour on a low-end workstation (SPARCstation 10 Model 30). We have confirmed that the entire set of subkeys of FEAL-8 can be derived from 225 known plaintexts with a success rate of over 70%, and from 226 known plaintexts with a success rate of almost 100%.

Nyberg and Knudsen proved that the maximum average of differential probability (ADPmax) and the maximum average of linear probability (ALPmax) of Feistel cipher with over 4 rounds can be evaluated as ADPmax 2DCP2max and ALPmax 2LCP2max using the maximum of defferential characteristic probability (DCPmax) and the maximum of linear characteristic probability (LCPmax) per round. This paper shows ADPmax DCP2max and ALPmax LCP2max if the F function is a bijection and the Feistel cipher has more than 3 rounds. The results prove that Feistel ciphers are stronger against differential and linear cryptanalyses than previously thought. Combining this result with that of Luby and Rackoff, the implication is that the 3-round Feistel cipher could be used as a building block cipher for the construction of provable secure block cipher algorithm.

In estimating the vulnerability of a block cipher to differential cryptanalysis and linear cryptanalysis, we must consider the fact that the differential probability and the linear probability vary with the key. In the case of cryptosystems where the round key is XORed to the input data of each round, the difference in both types of probability with different keys is regarded as negligible. However, this is not the case with RC5. This paper makes a primary analysis of the key-dependency of linear probability of RC5. Throughout this paper we study "precise" linear probability. We find some linear approximations that have higher deviation (bias) for some keys than the "best linear approximation" claimed by Kaliski and Yin in CRYPTO'95. Using one linear approximation, we find 10 weak keys of RC5-4/2/2 with linear probability 2-1, 2 weak keys of RC5-4/5/16 with linear probability 2-2, and a weak key of RC5-16/5/16 with linear probability 2-15.4, while Kaliski-Yin's "best biases" are 2-3, 2-9, and 2-17, respectively.

Weakness of a block cipher, which has provable immunity against linear cryptanalysis, is investigated. To this end, the round transformation used in MISTY, which is a data encryption algorithm recently proposed by M. Matsui from Mitsubishi Electric Corporation, is compared to the round transformation of DES from the point of view of pseudrandom generation. An important property of the MISTY cipher is that, in terms of theoretically provable resistance against linear and differential cryptanalysis, which are the most powerful cryptanalytic attacks known to date, it is more robust than the Data Encryption Standard or DES. This property can be attributed to the application of a new round transform in the MISTY cipher, which is obtained by changing the location of the basic round-function in a transform used in DES. Cryptograohic roles of the transform used in the MISTY cipher are the main focus of this paper. Our research reveals that when used for constructiong pseudorandom permutations, the transform employed by the MISTY cipher is inferior to the transform in DES, though the former is superior to the latter in terms of strength against linear and differential attacks. More specifically, we show that a 3-round (4-round, respectively) concatenation of transforms used in the MISTY cipher is not a pseudorandom (super pseudorandom, respectively) permutation.

It is important to find the best linear expression to estimate the vulnerability of cryptosystems to Linear Cryptanalysis. This paper shows the results of the best linear expressions search of FEAL-N (N32) and discusses the security of FEAL against Linear Cryptanalysis. We improve Matsui's search algorithm which determines the best linear expressions, and apply it to FEAL. The improved search algorithm finds all the best linear expression of FEAL-N (N32) much faster than the original; the required time is decreased from over three months to about two and a half days. We find the best linear expressions of FEAL-7, FEAL-15, and FEAL-31 with deviations of 1.152-8, 1.482-20, and 1.992-41, respectively. These linear expressions have higher deviations than those derived from Bi-ham's 4-round iterative linear approximations. Using these data we calculated the number of known plaintexts required to attack FEAL-8, FEAL-16, and FEAL-32. It is proved that FEAL-32 is secure against Linear Cryptanalysis.

RDES cryptosystem is an n-round DES in which an probabilistic swapping is added onto the right half of the input in each round. It is more effective than a simple increase of DES rounds for a countermeasure against differential attack. In this paper, we show that the RDES is also effective against linear cryptanalysis. We applied Matsui's search algorithm to find the best expression for RDES-1 and RDES-2. The results are as follows: (a) The 16-round RDES-1 is approximately as strong as a 22-round DES, and the 16-round RDES-2 is approximately as strong as a 29-round DES. (b) Linear cryptanalysis for a 16-round RDES-1 and a 16-round RDES-2 requires more than 264 known-plaintexts.

In CRYPTO '94, Langford and Hellman attacked DES reduced to 8-round in the chosen plaintext scenario by their "differential-1inear cryptanalysis," which is a combination of differential cryptanalysis and linear cryptanalysis. In this paper, a historical review of differential-linear cryptanalysis, our formalization of differential-linear cryptanalysis, and the application of differential-linear cryptanalysis to FEAL-8 are presented. As a result, though the previous best method (differential cryptanalysis) required 128 chosen plaintexts, only 12 chosen plaintexts are sufficient, in computer experimentations, to attack FEAL-8.

This paper discusses linear cryptanalysis of LOKI89, LOKI91 and s2DES. Our computer program based on Matsui's search algorithm has completely determined their best linear approximate equations, which tell us applicability of linear cryptanalysis to each cryptosystem. As a result, LOKI89 and LOKI91 are resistant to linear cryptanalysis from the viewpoint of the best linear approximate probability, whereas s2DES is breakable by a known-plaintext attack faster than an exhaustive key search. Moreover, our search program, which is also applicable to differential cryptanalysis, has derived their best differential characteristics as well. These values give a complete proof that characteristics found by Knudsen are actully best.