Questions tagged [linear-cryptanalysis]

Linear cryptanalysis is a known-plaintext attack that uses a linear approximation (an XOR of selected plaintext, ciphertext and key bits that holds with probability noticeably different from 1/2) to describe the behaviour of a block cipher. Given sufficiently many pairs of plaintext and corresponding ciphertext, bits of information about the key can be obtained, and more data will usually give a higher probability of success.

Linear cryptanalysis was first devised by Matsui and Yamagishi (MY92) in an attack on FEAL. It was extended by Matsui to attack DES. There have been a variety of enhancements and improvements to the basic attack. Langford and Hellman (LH94) introduced an attack called differential-linear cryptanalysis, which combines elements of differential cryptanalysis with those of linear cryptanalysis. Kaliski and Robshaw (KR94) showed that a linear cryptanalytic attack using multiple approximations might allow a reduction in the amount of data required for a successful attack.
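
The attack described above, as an added worked example that is not part of the original tag wiki: build the linear approximation table (LAT) of a 4-bit S-box, pick the approximation with the largest bias from it, and run Matsui's Algorithm 1 against a constructed one-round 8-bit toy cipher (key XOR, two parallel S-boxes, bit permutation, key XOR) to recover one parity bit of the key from known plaintext/ciphertext pairs. The S-box is the 4-bit one from Heys' tutorial on linear and differential cryptanalysis; the bit permutation `PERM`, the keys `K0` and `K1`, the toy cipher and the random known-plaintext sampling are constructed for this example and are not from the page or from any of the cited papers. The success-rate loop shows the point made in the description: more known plaintexts raise the probability of a correct decision.

```python
"""Linear cryptanalysis (Matsui's Algorithm 1) against a constructed one-round toy cipher.

Added example, not code from the page. S-box from Heys' tutorial; PERM, K0, K1 and
the cipher are constructed here.
"""
import random

# Heys' 4-bit S-box, indexed by input nibble.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
# Constructed bit permutation: bit i of the S-box layer output moves to bit PERM[i].
PERM = [0, 4, 1, 5, 2, 6, 3, 7]
# Constructed secret round keys (8 bits each); the attacker does not know them.
K0, K1 = 0x5A, 0xC2


def parity(v):
    """GF(2) dot product helper: parity of the set bits of v (so parity(a & x) == a.x)."""
    return bin(v).count("1") & 1


def sbox_layer(v):
    """Two parallel copies of SBOX on the low and high nibble of an 8-bit value."""
    return SBOX[v & 0xF] | (SBOX[v >> 4] << 4)


def perm(v):
    """Bit permutation (linear layer) on an 8-bit value."""
    out = 0
    for i in range(8):
        if (v >> i) & 1:
            out |= 1 << PERM[i]
    return out


def encrypt(x, k0=K0, k1=K1):
    """Toy cipher: key mix, S-box layer, bit permutation, key mix."""
    return perm(sbox_layer(x ^ k0)) ^ k1


def lat(sbox):
    """LAT: lat[a][b] = #{x : a.x == b.S(x)} - 8, so the bias of a.x ^ b.S(x) = 0 is lat[a][b]/16."""
    n = len(sbox)
    return [[sum(1 for x in range(n) if parity(a & x) == parity(b & sbox[x])) - n // 2
             for b in range(n)] for a in range(n)]


def nonlinearity(table, b):
    """Nonlinearity of the component function b.S(x): Hamming distance to the nearest affine function."""
    return len(table) // 2 - max(abs(table[a][b]) for a in range(len(table)))


def best_approximation(table):
    """Non-trivial (a, b, entry) with the largest |entry|, i.e. the most biased approximation."""
    best = (0, 0, 0)
    for a in range(1, 16):
        for b in range(1, 16):
            if abs(table[a][b]) > abs(best[2]):
                best = (a, b, table[a][b])
    return best


def algorithm1(pairs, a, c, entry):
    """Matsui's Algorithm 1: majority vote on a.x ^ c.y over known pairs decides a.K0 ^ c.K1."""
    hits = sum(1 for x, y in pairs if parity(a & x) == parity(c & y))
    deviation = hits - len(pairs) / 2
    if deviation == 0:
        return None  # tie: no decision possible with this data
    # If the observed sign matches the sign of the LAT entry the key parity bit is 0, else 1.
    return 0 if (deviation > 0) == (entry > 0) else 1


def attack_full_codebook():
    """Attack with all 256 plaintexts; returns (recovered_bit, true_bit, a, c)."""
    a, b, entry = best_approximation(lat(SBOX))
    c = perm(b)  # push the S-box output mask through the linear layer: c.perm(s) == b.s
    pairs = [(x, encrypt(x)) for x in range(256)]
    recovered = algorithm1(pairs, a, c, entry)
    true_bit = parity(a & K0) ^ parity(c & K1)  # only used to check the result
    return recovered, true_bit, a, c


def success_rate(n_pairs, trials=200, seed=1):
    """Fraction of trials in which n_pairs random known plaintexts (constructed, with replacement) give the right bit."""
    rng = random.Random(seed)
    a, b, entry = best_approximation(lat(SBOX))
    c = perm(b)
    true_bit = parity(a & K0) ^ parity(c & K1)
    ok = 0
    for _ in range(trials):
        xs = [rng.randrange(256) for _ in range(n_pairs)]
        if algorithm1([(x, encrypt(x)) for x in xs], a, c, entry) == true_bit:
            ok += 1
    return ok / trials


if __name__ == "__main__":
    a, b, entry = best_approximation(lat(SBOX))
    print(f"best S-box approximation: a=0x{a:X} b=0x{b:X}, bias {entry}/16")
    rec, true_bit, a, c = attack_full_codebook()
    print(f"key parity bit a.K0 ^ c.K1 with a=0x{a:02X} c=0x{c:02X}: true={true_bit} recovered={rec}")
    for n in (1, 2, 4, 8, 16, 32):
        print(f"{n:3d} known plaintexts -> success rate {success_rate(n):.2f}")
```

With a single S-box layer the bias of the chosen approximation is exact, so the counter over the full codebook lands on exactly 256·(8 ± entry)/16 and the decision is always right; for a multi-round cipher the approximation has to be chained through the rounds, its bias is only estimated (for example with the piling-up lemma, assuming the rounds are independent) and the number of known plaintexts needed grows roughly as 1/bias². The masks a and b are 4-bit masks on the low S-box; pushing the output mask through the permutation as c = perm(b) is what makes the linear layer transparent to the attack, which is the reason the non-linear S-box is the only component that limits the bias.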

123 questions
33 votes, 2 answers

Reason why “XOR” is a linear operation, but ordinary “addition” isn’t?

I'm new to cryptography and am trying to read some articles in this field. Many of these articles talk about non-linear S-boxes, and nothing more on what they mean by their non-linearity. I have a simple question which I think will guide me through my…
Shnd (495 rep; badges: 1 gold, 4 silver, 7 bronze)
26 votes, 3 answers

Why do block ciphers need a non-linear component (like an S-box)?

Why is there a requirement of "Non-Linear functions" as a component of many popular block ciphers (e.g. the S-box in DES or 3DES)? How does it make the cipher more secure? The only intuition I have is that a non-linear function can have many roots…
19 votes, 1 answer

Understanding the wide trail design strategy

I am trying to understand the wide trail design strategy. I have read the paper (paywall-free preprint) which describes it from the point of view of AES. From what I understand, it is a technique to increase diffusion in a particular way to resist…
17 votes, 1 answer

Selection of rotation constants in ARX design

My question is about choosing the rotation values in ARX design such as SIMON-like or SPECK-like ciphers to provide optimal differential and linear immunity. According to this, the selection of $a$ and $b$ values (shown in SIMON-like figure below)…
hardyrama (2,288 rep; badges: 1 gold, 17 silver, 41 bronze)
11 votes, 2 answers

Combining LFSRs for Stream Ciphers: Why do we need high non-linearity?

Linear Feedback Shift Registers (LFSRs) can be excellent (efficient, fast, and with good statistical properties) pseudo-random generators. Many stream ciphers are based on LFSRs and one of the possible designs of such stream ciphers is combining…
geo909 (387 rep; badges: 3 silver, 11 bronze)
7 votes, 2 answers

Why is the DES s-box non-linear? Why does it make the cracking of the cipher more difficult?

I know that if we have a cipher that makes only linear transformations (let's say a bunch of $XOR$s), we break it simply by writing a system of equations with $\oplus$ operation starting from the cipher's scheme. In the end, we'll have a system of…
ela (357 rep; badges: 2 silver, 12 bronze)
7 votes, 1 answer

Help with linear cryptanalysis

I am new to linear cryptanalysis, so I decided to try to break a toy cipher that was designed to be vulnerable to linear cryptanalysis. Unfortunately, I can't get it to work no matter how hard I try. I've read the Wikipedia article and several…
Antimony (341 rep; badges: 3 silver, 9 bronze)
7 votes, 2 answers

Non-linearity of a boolean function

What's the definition of non-linearity of a boolean function? Roughly speaking, it is the minimum number of times it equals any affine function. But I don't get it mathematically. For example, if $f = x_1x_2$, then all the affine functions are $g_1 = 0$,…
6 votes, 1 answer

Differential and Linear trail propagation in Noekeon

In the Noekeon Cipher Specification they write the following : The propagation through Lambda is denoted by $(a \rightarrow A)$, also called a step. Because of the linearity of Lambda it is fully deterministic: both for LC and DC patterns, we…
6 votes, 1 answer

Linear Cryptanalysis of hash function

I've studied linear cryptanalysis, but I don't think I have it very clear. I have the following doubt: I've constructed a "cryptographic" hash function for an exercise, and now I want to show summarily that it is secure from "linear cryptanalysis". My…
user45166 (61 rep; badges: 1 bronze)
6 votes, 1 answer

Matsui's Linear attack on DES P box

I'm trying to understand Matsui's linear attack on DES and I have something I don't understand in his paper. In his paper he says that: $NS_{5}(16,15)=12$ (which is OK) and from that he says that: $X[15]\oplus F_5(X,K)[7,18,24,29]=K[22]$ My problem…
RyArazi (163 rep; badges: 5 bronze)
5 votes, 1 answer

Matsui's linear attack on 5-round DES

I'm trying to understand Mitsuru Matsui's "Linear Cryptanalysis Method for DES Cipher", specifically the attack he describes at the end of section 5, on 5-round DES. I followed the attack on 3 rounds, and here's the math for it: For 5 rounds of…
5 votes, 2 answers

What is the meaning of Maximum Expected Differential/Linear Probability (MEDP/MELP)?

I was reading this paper which has a lot of references to the terms MEDP and MELP. Even though I think I got the general meaning, I could not verify that it is indeed correct. For the MEDP, I would say that it is the maximum bias that can be…
5 votes, 1 answer

Does hashing require non-linearity?

I know that for encryption we require non-linearity because it impedes the ability to attack the cipher by solving for the key with linear equations. Does hashing require non-linear components as well? I presume it does, but I do not know why. How…
Ella Rose (19,971 rep; badges: 6 gold, 56 silver, 103 bronze)
5 votes, 1 answer

FEAL-4 Linear Cryptanalysis - Prevention

Currently, I am preparing for an exam about cryptanalysis. In class, we talked about linear cryptanalysis for FEAL-4. We constructed four linear equations, extended them to equations for three rounds and then applied a brute-force search in order to find…
Christine (363 rep; badges: 2 silver, 5 bronze)