In cryptography, linear cryptanalysis is a general form of cryptanalysis based on finding affine approximations to the action of a cipher. Attacks have been developed for block ciphers and stream ciphers. Linear cryptanalysis is one of the two most widely used attacks on block ciphers; the other being differential cryptanalysis.
The discovery is attributed to Mitsuru Matsui, who first applied the technique to the FEAL cipher (Matsui and Yamagishi, 1992). Subsequently, Matsui published an attack on the Data Encryption Standard (DES), eventually leading to the first experimental cryptanalysis of the cipher reported in the open community (Matsui, 1993; 1994). The attack on DES is not generally practical, requiring 2^{43} known plaintexts.
A variety of refinements to the attack have been suggested, including using multiple linear approximations or incorporating nonlinear expressions, leading to a generalized partitioning cryptanalysis. Evidence of security against linear cryptanalysis is usually expected of new cipher designs.
Contents 
There are two parts to linear cryptanalysis. The first is to construct linear equations relating plaintext, ciphertext and key bits that have a high bias; that is, whose probabilities of holding (over the space of all possible values of their variables) are as close as possible to 0 or 1. The second is to use these linear equations in conjunction with known plaintextciphertext pairs to derive key bits.
For the purposes of linear cryptanalysis, a linear equation expresses the equality of two expressions which consist of binary variables combined with the exclusiveor (XOR) operation. For example, the following equation, from a hypothetical cipher, states the XOR sum of the first and third plaintext bits (as in a block cipher's block) and the first ciphertext bit is equal to the second bit of the key:
In an ideal cipher, any linear equation relating plaintext, ciphertext and key bits would hold with probability 1/2. Since the equations dealt with in linear cryptanalysis will vary in probability, they are more accurately referred to as linear approximations.
The procedure for constructing approximations is different for each cipher. In the most basic type of block cipher, a substitutionpermutation network, analysis is concentrated primarily on the Sboxes, the only nonlinear part of the cipher (i.e. the operation of an Sbox cannot be encoded in a linear equation). For small enough Sboxes, it is possible to enumerate every possible linear equation relating the Sbox's input and output bits, calculate their biases and choose the best ones. Linear approximations for Sboxes then must be combined with the cipher's other actions, such as permutation and key mixing, to arrive at linear approximations for the entire cipher. The pilingup lemma is a useful tool for this combination step. There are also techniques for iteratively improving linear approximations (Matsui 1994).
Having obtained a linear approximation of the form:
we can then apply a straightforward algorithm (Matsui's Algorithm 2), using known plaintextciphertext pairs, to guess at the values of the key bits involved in the approximation.
For each set of values of the key bits on the righthand side (referred to as a partial key), count how many times the approximation holds true over all the known plaintextciphertext pairs; call this count T. The partial key whose T has the greatest absolute difference from half the number of plaintextciphertext pairs is designated as the most likely set of values for those key bits. This is because it is assumed that the correct partial key will cause the approximation to hold with a high bias. The magnitude of the bias is significant here, as opposed to the magnitude of the probability itself.
This procedure can be repeated with other linear approximations, obtaining guesses at values of key bits, until the number of unknown key bits is low enough that they can be attacked with brute force.
In cryptography, linear cryptanalysis is a general form of cryptanalysis based on finding affine approximations to the action of a cipher. Attacks have been developed for block ciphers and stream ciphers. Linear cryptanalysis is one of the two most widely used attacks on block ciphers; the other being differential cryptanalysis.
A variety of refinements to the attack have been suggested, including using multiple linear approximations or including nonlinear expressions.
Evidence of security against linear cryptanalysis is usually expected of new cipher designs.
