Matsui's paper on Linear Cryptanalysis of DES

Question

I am trying to derive the best linear approximation for one round DES.

I read the question and answer

Regarding matsui's Paper on Linear Cryptanalysis of DES

several times but still could not figure out the part

" y_3y_2y_1y_0 can be propagated to bits 7, 18, 24 and 29 of the output of the round function, this time taking into account the effect of the bit permutation P(.) "

The output of S box #5 is Y[13], Y[14], Y[15] and Y[16] (when counting from right). And after permutation these bits would be Y[26], Y[20], Y[10] and Y[1] respectively. I could not find the desired bit number i.e. F(X,K)_7, F(X,K)_18, ...

score 2 · Answer 1 · answered Sep 02 '18 at 08:01

2

Confusion is from notation differences between standard DES notation and Matsui's notation. After reading this: Matsui's Linear attack on DES P box and make some rearrangements I can find the solution.

answered Sep 02 '18 at 08:01

Fidan

31
2

Matsui's paper on Linear Cryptanalysis of DES

1 Answers1