On Matsui's Linear Cryptanalysis

to linear cryptanalysis. We also described how to sum up characteristics (which also hold in diierential cryptanalysis). The iteration of this characteristic to seven rounds have probability 1=2 ? 2 ?11. A similar characteristic exist with a reverse order of the bytes in each word. From the tables in 9] we can see that about 4 2 112 = 2 24 known plaintexts are required to attack Feal-8, with success rate about 78% and that 2 25 known plaintexts are required for success rate about 97%. This characteristic can be used to attack Feal-N with up to 20 rounds, with a complexity (and known plaintexts) smaller than of exhaustive search. The attack on Feal-8 was applied successfully on a personal computer. It takes about 10 minutes to encrypt the 2 24 required known plaintexts and to nd the key. 7 Summary In this paper we studied Matsui's linear cryptanalysis. We showed that the formalism of diierential cryptanalysis can be adopted to linear cryptanalysis. In particular, we showed that characteristics can be deened, concatenated, and used in a very similar manner as in diierential cryptanalysis. Constraints on the size of S boxes were described. Matsui's characteristic used to attack DES in his paper is shown to be the best characteristic which has only up to one active S box at each round; on the other hand, we improved his results on Feal. We attack Feal-8 using 2 24 known plaintexts with linear cryptanalysis. Davies' attack on DESS5] was shown to be closely related 15 found two ve-round characteristic with probability 1=2 + 1=32. One of them is: