Linear cryptanalysis is a method used to break encryption standards like DES. It involves finding linear approximations between plaintext, ciphertext, and key bits that hold with probability greater than 50%. These approximations are used to determine partial key bits using maximum likelihood algorithms on known or ciphertext-only data. For S-DES, the method finds a linear expression involving S-box inputs/outputs that predicts a key bit with 78% accuracy, allowing recovery of multiple key bits.

1. Linear Cryptanalysis
Lecture in AQUA Camp 2019
raven
September 6, 2019
1 / 27

2. 3 Sentences Summary
Mainly Results
Preliminaries
Notations
Principles of Linear Cryptoanalysis
Linear Cryptanalysis for S-DES
2 / 27

3. 3 Sentences Summary

4. 3 Sentences Summary
Linear cryptanalysis is a method first actually broke Data Encryption Standard
(DES).
The method can apply to known-plaintext attack (KPA) and only-ciphertext
attack (OCA).
It is built from two steps: to design linear equations and to solve these equations.
This slide based on [2,3,1].
3 / 27

5. Mainly Results

6. Mainly Results
8-round DES is breakable with 221
known-plaintexts in 40 second.
12-round DES is breakable with 233
known-plaintexts in 50 hours.
16-round DES is breakable with 247
known-plaintexts faster than an brute force
search for 56 key bits.
8-round DES is breakable with at most 237
ciphertexts only.
4 / 27

7. Preliminaries

8. Preliminaries
DES is constructed from the initial permutation IP, the final permutation IP−1
and F-function.
5 / 27

9. Notations

10. Notations
Table 1: Notation Table
C Ciphertext
P Plaintext
K Key
R Low part of plaintext/ciphertext block.
L High part of plaintext/ciphertext block.
• Bitwise AND operation
Ar r-round boldsymbolA
A[i] The i-th bit of A
A[i, j, . . . , k] A[i] ⊕ A[j] ⊕ · · · ⊕ A[k]
E Encryption
6 / 27

11. Principles of Linear
Cryptoanalysis

12. Principles of Linear Cryptanalysis
The purpose of Linear Cryptanalysis is to find the following “effective” linear
expression for a given chipher algorithm:
P [i1, i2, . . . , ia] ⊕ C[j1, j2, . . . , jb] = K[k1, k2, . . . , kc] (1)
where i1, i2, . . . , ia, j1, j2, . . . , jb and k1, k2, . . . , kc denote fixed bit locations.
Equation 1 holds with probability p ̸= 1
2
for randomly given P and the
corresponding C .The magnitude of |p − 1
2
| represents the effectiveness of
equation.
7 / 27

13. If we succeed in reaching an effective linear expression, we can apply Matsui’s
algorithm 1, which based on the maximum likelihood method, to determine key
bits Kkγ .
Data: P ←− plaintexts
begin
T ←− #{p ∈ P|p[i1, i2, . . . , ia] ⊕ E(p)[j1, j2, . . . , jb] = 0}
if T > |P|
2
then
guess K[k1, k2, . . . , kc] = p > 1
2
? 0 : 1
else
guess K[k1, k2, . . . , kc] = p > 1
2
? 1 : 0
end
end
Algorithm 1: Matsui’s Algorithm 1
8 / 27

14. In the practical situation, we make use of the best expression of (n-1)-round DES
cipher to attack of n-round DES cipher.
P [i1, i2, . . . , ia] ⊕ C[j1, j2, . . . , jb] ⊕ Fn(R, Kn)[l1, l2, . . . , ld] = K[k1, k2, . . . , kc]
(2)
where l1, l2, .., ld denotes fixed bit locations. The follow maximum likelihood
method can be applied to deduce Kn and K[k1, k2, . . . , kc].
9 / 27

15. begin
f ← λk.#{p∈P|p[i1,i2,...,ia]⊕E(p)[j1,j2,...,jb]⊕Fn(Rp,k)[l1,l2,...,ld]=0}
foreach candidate K(i)
n (i = 1, 2, . . .) of Kn do
Ti ← f(K(i)
n )
end
Tmax, Tmin ←− max T, min T
if |Tmax − |P|
2
| > |Tmin − |P|
2
| then
guess Kn = f−1
(Tmax) and K[k1, k2, . . . , kc] = p > 1
2
? 0 : 1
else
guess Kn = f−1
(Tmin) and K[k1, k2, . . . , kc] = p > 1
2
? 1 : 0
end
end
Algorithm 2: Matsui’s Algorithm 2
10 / 27

16. Linear Approximation of S-boxes
Definition 1
For a given S-box Sa(a = 1, 2, . . .), 1 ≤ α ≤ 2y
and 1 ≤ β ≤ 2z
, we define
NSa(α, β) as the number of times out of 2y
input patterns of Sa, such that a
XORed value of the input bits masked by α matches with an XORed value of the
output bits masked by β.
NSa(α, β) = #
{
x|0 ≤ x < 2y
,
(
y−1
⊕
s=0
(x[s] • α[s])
)
=
(
z−1
⊕
t=0
(Sa (x[t]) • α[t])
)}
(3)
where y is the number of input bits and z is the number of output bits.
11 / 27

17. 3 Steps of Linear Cryptoanalysis
1. Find the linear expression with the highest bias magnitude.
2. Extracting the partial subkey bits using Algorithm 1 or 2.
3. Brute force attack using partial subkey bits.
12 / 27

18. Linear Cryptanalysis for S-DES

19. Linear Cryptanalysis for S-DES
Let’s take Linear Cryptanalysis for S-DES.
13 / 27

20. S-DES
S-DES is a reduced version of the DES algorithm. It has smaller block and key
size (operates on 8-bit message blocks with a 10-bit key). The encryption
procedure be summarized as:
C = E(P , K) = IP −1
(ρ2(ρ1(IP (P ))) (4)
where ρ denotes a round.
14 / 27

21. f
f
INITIAL PERMUTATION
⊕
R1 = L0 ⊕ f(R0, K1)
R2 = L1 ⊕ f(R1, K2)
⊕
K2
K1
INPUT
L2 = R1
L0
L1 = R0
R0
OUTPUT
INVERSE INITIAL PREMUTATION
Figure 1: The encryption procedure
15 / 27

22. We can deduce
L1 = R0 (5)
R1 = L0 ⊕ f(R0, K1) (6)
L2 = R1 (7)
R2 = L1 ⊕ f(R1, K2) (8)
16 / 27

23. We consider f-function
Figure 2: A sketch of the f(R, K) [3].
17 / 27

24. E denotes a expansion function which takes in a 4 bit block input and yields a 8
bit block as output. The 8-bit output block of E is obtained according to the
following table:
Table 2: E
3 0 1 2 1 2 3 0
P denotes a permutation function. This function is defined by the following take:
Table 3: P
1 0 3 2
18 / 27

25. Table 4: S0
Column Number
Row
No.
0 1 2 3
0 1 0 2 3
1 3 1 0 2
2 2 0 3 1
3 1 3 2 0
Table 5: S1
Column Number
Row
No.
0 1 2 3
0 0 3 1 2
1 3 2 0 1
2 1 0 3 2
3 2 1 3 0
19 / 27

26. Using equation 3 and table 4, We can calculate best linear expression for S0. We
choose NS0(5, 1) since |NS0(5, 1) − 2(y−1)
| is one of the highest in the
NS0(α, β). Thus, the linear approximation for S0 is X[2] ⊕ X[0] = Y [0] which
holds with probability 14
16
.
20 / 27

27. Linear Approximation of the f-function
Figure 3: Considering linear expression of the S-DES’s function 21 / 27

28. Linear Approximation of the f-function
Taking into account the expansion E and the permutation P. We obtain from
the linear approximation ofr S0.
R[0] ⊕ R[2] ⊕ f(R, K) = K[1] ⊕ K[3] (9)
22 / 27

29. We apply equation 9 to the first round to get the equation:
R1[0] ⊕ L0[0] ⊕ R0[0] ⊕ R0[2] = K1[1] ⊕ K1[3] (10)
The equation for the second round is:
L1[0] ⊕ L2[0] ⊕ R1[0] ⊕ R1[2] = K2[1] ⊕ K2[3] (11)
We also derive a linear approximation of the entire algorithm, which is:
L0[0]⊕L1[0]⊕L2[0]⊕R0[0]⊕R0[2]⊕R1[2] = K1[1]⊕K1[3]⊕K2[1]⊕K2[3]
(12)
23 / 27

30. We use Piling-up lemma to obtain the probability that this equation hold:
Pr =
1
2
+ 21
ϵ1ϵ2
=
1
2
+ 2 ×
6
16
×
6
16
= 0.78125
where ϵ defined by |p − 1/2|. We finally apply Algorithm 1 to deduce
K1[1] ⊕ K1[3] ⊕ K2[1] ⊕ K2[3].
24 / 27

31. Thank you for listening!
25 / 27

32. References i
[1] Howard M. Heys.
A tutorial on linear and differential cryptanalysis.
Cryptologia, 26(3):189–221, 2002.
[2] Mitsuru Matsui.
Linear cryptanalysis method for DES cipher.
In Advances in Cryptology - EUROCRYPT ’93, Workshop on the Theory and
Application of of Cryptographic Techniques, Lofthus, Norway, May 23-27,
1993, Proceedings, pages 386–397, 1993.
26 / 27

33. References ii
[3] KS Ooi and Brain Chin Vito.
Cryptanalysis of s-des.
2002.
27 / 27