Parts VI–VII:
Linear & Differential Cryptanalysis

Bartosz Naskręcki

Elements of Cryptanalysis • Adam Mickiewicz University

Chapters 16–21

Part VI

Linear Cryptanalysis — Chapters 16–18

Chapter 16

Linear Cryptanalysis Foundations

Linear Approximations & Bias

Definition — Linear Approximation
For S-box \(S: \{0,1\}^n \to \{0,1\}^m\), masks \(\alpha, \beta\): \[ \text{bias } \varepsilon = \Pr[\alpha \cdot x = \beta \cdot S(x)] - \tfrac{1}{2} \]
Piling-Up Lemma
For \(n\) independent binary variables with biases \(\varepsilon_1, \ldots, \varepsilon_n\), their XOR has bias: \[ \varepsilon_{\text{total}} = 2^{n-1} \prod_{i=1}^n \varepsilon_i \]

Linear Approximation Table (LAT)

Definition — LAT
\(\mathrm{LAT}[\alpha, \beta] = \#\{x : \alpha \cdot x = \beta \cdot S(x)\} - 2^{n-1}\)
Parseval’s Relation
\(\sum_{\beta} \mathrm{LAT}[\alpha, \beta]^2 = 2^{2n}\) ⇒ \(\max|\mathrm{LAT}| \geq 2^{n/2}\)

No S-box can be perfectly linear-resistant.

Nonlinearity
\(\mathcal{NL}(S) = 2^{n-1} - \max_{\alpha \neq 0, \beta} |\mathrm{LAT}[\alpha, \beta]|\)

Chapter 17

Linear Attack on SPN Ciphers

Linear Trails & Key Recovery

Linear Trail
A chain of masks \((\alpha_0, \beta_1, \alpha_1, \ldots)\) through \(r\) rounds. Overall bias: \(\varepsilon_{\text{trail}} = 2^{r-1} \prod \varepsilon_i\)
Algorithm — Linear Key Recovery
  1. Find high-bias trail through rounds 1 to \(r{-}1\)
  2. For each candidate last-round subkey: partially decrypt, count bias
  3. Correct key maximizes deviation from \(1/2\)
Data: \(N \approx 1/\varepsilon^2\) known plaintexts.

Chapter 18

Matsui's Algorithm

Scaling to Real Ciphers

Matsui’s Algorithm 2
Uses \((r{-}1)\)-round approximation; guesses last-round subkey bits. For DES (1994): bias \(\approx 1.19 \times 2^{-21}\), needs \(2^{43}\) known plaintexts.

| Cipher | Rounds | Bias | Data | Status |
|---|---|---|---|---|
| Heys SPN | 4 | \(2^{-4}\) | \(2^{8}\) | Broken |
| DES | 16 | \(2^{-21}\) | \(2^{43}\) | Broken (1994) |
| AES-128 | 10 | \(\leq 2^{-75}\) | \(\geq 2^{150}\) | Secure |

Part VII

Differential Cryptanalysis — Chapters 19–21

Chapter 19

Differential Cryptanalysis Foundations

Input Differences & the DDT

Definition — Differential
\(\Delta y = S(x \oplus \Delta x) \oplus S(x)\)
Probability: \(\Pr[\Delta x \to \Delta y] = \frac{\#\{x : S(x \oplus \Delta x) \oplus S(x) = \Delta y\}}{2^n}\)
Difference Distribution Table
\(\mathrm{DDT}[\Delta x, \Delta y] = \#\{x : S(x \oplus \Delta x) \oplus S(x) = \Delta y\}\)
Key Cancellation
\((x \oplus k) \oplus (x' \oplus k) = x \oplus x'\) — XOR with the key does not affect differences.

S-Box Security Metrics

Differential Uniformity
\(\delta(S) = \max_{\Delta x \neq 0, \Delta y} \mathrm{DDT}[\Delta x, \Delta y]\)

| S-box | Size | \(\delta\) | \(\mathcal{NL}\) |
|---|---|---|---|
| DES S1 | 6→4 | 16 | 16 |
| AES | 8→8 | 4 | 112 |
| APN (ideal) | n→n | 2 | max |
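
Added example (not from the original slides): the LAT and DDT computed directly from the definitions in Chapters 16 and 19, with nonlinearity and differential uniformity derived from them, as a designer would when vetting a candidate S-box. The 4-bit S-box is the one from Heys's tutorial SPN, which is an assumption because the slides do not list it; all function names are illustrative.

```python
# Added example: S-box metrics straight from the LAT/DDT definitions.
# Assumption: SBOX is the 4-bit S-box of Heys's tutorial SPN (not listed on the slides).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
N = 4  # bit width; this sketch assumes an n -> n S-box


def dot(mask, value):
    """Inner product over GF(2): parity of the bits of value selected by mask."""
    return bin(mask & value).count("1") & 1


def lat(sbox, n=N):
    """LAT[a][b] = #{x : a.x == b.S(x)} - 2^(n-1)."""
    size = 1 << n
    return [[sum(dot(a, x) == dot(b, sbox[x]) for x in range(size)) - size // 2
             for b in range(size)] for a in range(size)]


def ddt(sbox, n=N):
    """DDT[dx][dy] = #{x : S(x ^ dx) ^ S(x) == dy}."""
    size = 1 << n
    table = [[0] * size for _ in range(size)]
    for dx in range(size):
        for x in range(size):
            table[dx][sbox[x ^ dx] ^ sbox[x]] += 1
    return table


def nonlinearity(sbox, n=N):
    """NL(S) = 2^(n-1) - max |LAT[a][b]| over a != 0 and all b."""
    return (1 << (n - 1)) - max(abs(v) for row in lat(sbox, n)[1:] for v in row)


def differential_uniformity(sbox, n=N):
    """delta(S) = max DDT[dx][dy] over dx != 0 and all dy."""
    return max(v for row in ddt(sbox, n)[1:] for v in row)


def pile_up(biases):
    """Piling-up lemma: bias of the XOR of independent approximations."""
    total = 2.0 ** (len(biases) - 1)
    for eps in biases:
        total *= eps
    return total


if __name__ == "__main__":
    print("NL =", nonlinearity(SBOX), " delta =", differential_uniformity(SBOX))
    print("DDT row 0xB:", ddt(SBOX)[0xB])
```

The large DDT entry at \(\Delta x = \mathtt{B} \to \Delta y = 2\) and the LAT entries of magnitude 6 are the kind of weaknesses these two metrics are meant to expose before an S-box is adopted.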

Chapter 20

Differential Attack on SPN

Differential Key Recovery

Differential Trail
Sequence of differences through \(r\) rounds. Trail probability: \(p = \prod p_i\)
Attack Procedure
  1. Find high-probability \((r{-}1)\)-round trail
  2. Encrypt \(N \approx 1/p\) chosen plaintext pairs with difference \(\Delta x_0\)
  3. For each candidate last-round subkey: partially decrypt, check output difference
  4. Correct key creates a peak in the count

Chapter 21

Advanced Differential Techniques

Extensions & Comparison

Truncated Differentials
Specify only some of the difference bits; the probabilities of all full differentials matching the pattern accumulate, giving a higher overall probability.
Impossible Differentials
Probability = 0 ⇒ filter wrong keys by contradiction.
Linear vs. Differential

| | Linear | Differential |
|---|---|---|
| Data | Known-PT | Chosen-PT pairs |
| Measures | Bias \(\varepsilon\) | Probability \(p\) |
| Cost | \(O(1/\varepsilon^2)\) | \(O(1/p)\) |
| Table | LAT | DDT |

Parts VI–VII: Summary

| Ch | Topic | Key Result |
|---|---|---|
| 16 | Linear foundations | LAT, bias, piling-up lemma, Parseval bound |
| 17 | Linear attack on SPN | Trail construction, active S-boxes, key recovery |
| 18 | Matsui’s algorithm | DES broken with \(2^{43}\) KP; AES safe |
| 19 | Differential foundations | DDT, key cancellation, differential uniformity |
| 20 | Differential attack | Chosen-PT pairs, trail probability, key recovery |
| 21 | Advanced differential | Truncated, impossible differentials |

End of Parts VI–VII