
	Where results make sense

Topic: Linear cryptanalysis

Related Topics

Differential cryptanalysis

Mod n cryptanalysis

Cryptanalysis

Mitsuru Matsui

FEAL

Data Encryption Standard

XSL attack

Block cipher

Substitution boxes

Madryga

DESX

Triple DES

SHACAL

SAFER

Brute force attack

In the News (Thu 26 Nov 09)

Northern Trust

Marvin Harrison

Peter Chernin

Gary Locke

Match Play

Penelope Cruz

Mickey Rourke

AR Rahman

Danny Boyle

Hugh Jackman

	NationMaster - Encyclopedia: Linear cryptanalysis
		In cryptography, linear cryptanalysis is a general form of cryptanalysis based on finding affine approximations to the action of a cipher.
		Linear cryptanalysis is one of two widely applicable attacks on block ciphers; the other being differential cryptanalysis.
		The discovery of linear cryptanalysis is attributed to Mitsuru Matsui, who first applied the technique to the FEAL cipher (Matsui and Yamagishi, 1992).
	www.nationmaster.com /encyclopedia/Linear-cryptanalysis (325 words)

	Linear Cryptanalysis: A Literature Survey
		The purpose of this method is to obtain a linear approximate expression of a given cipher algorithm.
		The complexity of differential cryptanalysis depends on the size of the largest entry in the XOR table, the total number of zeros in the XOR table, and the number of nonzero entries in the first column of that table [1], [3].
		The complexity of differential cryptanalysis depends on the size of the largest entry in the XOR table, the total number of zeros in the XOR table, and the number of nonzero entries in the first column in that table [1], [8].
	www.ciphersbyritter.com /RES/LINANA.HTM (2070 words)

	Differential and Linear Cryptanalysis
		However, if one is fortunate enough to have a large quantity of corresponding plaintext and ciphertext blocks for a particular unknown key, a technique called differential cryptanalysis, developed by Eli Biham and Adi Shamir, is available to obtain clues about some bits of the key, thereby shortening an exhaustive search.
		In fact, however, a complete pattern of which bits change and do not change in the input and in the output is the subject of differential cryptanalysis.
		Linear cryptanalysis, invented by Mitsuru Matsui, is a different, but related technique.
	www.quadibloc.com /crypto/co040501.htm (489 words)

	Linear cryptanalysis (Site not responding. Last check: )
		In cryptography, linear cryptanalysis is a general form of cryptanalysis based on finding affine approximations to the action of a cipher.
		Linear cryptanalysis is one of two widely applicable attacks on block ciphers; the other being differential cryptanalysis.
		The discovery of linear cryptanalysis is attributed to Mitsuru Matsui, who first applied the technique to the FEAL cipher (Matsui and Yamagishi, 1992).
	linear-cryptanalysis.kiwiki.homeip.net (298 words)

	RSA Security - 2.4.5 What are the most important attacks on symmetric block ciphers?
		Four such attacks are differential cryptanalysis, linear cryptanalysis, the exploitation of weak keys, and algebraic attacks.
		Differential cryptanalysis is basically a chosen plaintext attack (see Question 2.4.2); it relies on an analysis of the evolution of the differences between two related plaintexts as they are encrypted under the same key.
		Linear cryptanalysis is a known plaintext attack (see Question 2.4.2) which uses a linear approximation to describe the behavior of the block cipher.
	rsasecurity.com /rsalabs/node.asp?id=2204 (762 words)

	News Release 980727
		Research is rapidly moving forward on potent cryptanalytic techniques such as differential and linear cryptanalysis, and security against these techniques is a criterion for evaluating the strength of block ciphers.
		used to determine a cipher's strength against differential and linear cryptanalysis, NTT evaluated the strength of E2 using the strength of one round function of E2.
		This is a quantitative scale to determine a cipher's strength against differential and linear cryptanalysis, etc. It determines the security of the whole cipher by evaluating the security of round function of the cipher.
	www.ntt.co.jp /news/news98e/980727.html (1123 words)

	Dr. Dobb's \| Differential and Linear Cryptanalysis \| January 1, 1996
		Linear cryptanalysis, invented by Mitsuru Matsui in 1993, is a type of cryptanalytic attack that uses linear approximations to describe the action of DES.
		Linear cryptanalysis depends heavily on the structure of the S-boxes, and the S-boxes in DES are not optimized against this attack.
		Linear cryptanalysis is newer than differential cryptanalysis, and there may be more improvements in the years to come.
	www.ddj.com /184409803?pgno=10 (2658 words)

	Linear Cryptanalysis Demo
		Furthermore, we can get a linear equation like this for any number of rounds, for example let’s try four rounds where K1, K2, K3, and K4 are all independently chosen subkeys and not generated off of the same encryption key:
		The level of effort to do linear cryptanalysis on DES is still dependent on the size of the subkey, but you need a lot of plaintext/ciphertext pairs which makes it pretty much infeasible.
		This was created as part of the Cryptography Module of NSF Award No. 0113627: "Increasing Security Expertise in Aviation-oriented Computing Education: A Modular Approach", at Embry-Riddle Aeronautical University in Prescott, Arizona.
	nsfsecurity.pr.erau.edu /crypto/lincrypt.html (1588 words)

	RSA Laboratories - 2.4.5 What are the most important attacks on symmetric block ciphers?
		Four such attacks are differential cryptanalysis, linear cryptanalysis, the exploitation of weak keys, and algebraic attacks.
		Differential cryptanalysis is basically a chosen plaintext attack (see Question 2.4.2); it relies on an analysis of the evolution of the differences between two related plaintexts as they are encrypted under the same key.
		Linear cryptanalysis is a known plaintext attack (see Question 2.4.2) which uses a linear approximation to describe the behavior of the block cipher.
	www.rsa.com /rsalabs/node.asp?id=2204 (762 words)

	Potential Flaws in the Conjectured Resistance of MARS to Linear Cryptanalysis (ResearchIndex)
		In this note we consider the conjectured resistance of MARS to linear cryptanalysis and discover that some of the existing analysis may well be flawed.
		In this note we describe the preliminary findings of an investigation of the resistance of MARS to linear cryptanalysis.
		2 Linear approximations to the MARS S-box - Knudsen, Raddum - 2000
	citeseer.ist.psu.edu /319145.html (394 words)

	SecurityFocus
		of cryptanalysis from renowed and widely known cryptographers
		to publish : differential cryptanalysis, linear cryptanalysis and
		cryptanalysis of a reduce-round variant of your cipher.
	www.securityfocus.com /archive/91/417765/30/210/threaded (913 words)

	Cryptography - Computer Forensic
		The complexity of cryptanalysis of the data is dependent upon several factors.
		The other factor over which cryptanalysis is dependent relates to data that will be required for performing the operations.
		The success of cryptanalysis can be classified into several parts dependent upon the decryption carried out on the cipher text.
	www.computerforensics1.com /cryptography.html (490 words)

	Blowfish encryption algorithm
		Its 56-bit key size is vulnerable to a brute-force attack [22], and recent advances in differential cryptanalysis [1] and linear cryptanalysis [10] indicate that DES is vulnerable to other attacks as well.
		Cryptanalysis of the mini-Blowfish variants may be significantly easier than cryptanalysis of the full version.
		The small-number of bits to large-number of bits may have weaknesses with respect to linear cryptanalysis, but these weaknesses are hidden both by combining the output of four S-boxes and making them dependent on the key.
	www.crypto-systems.com /blowfish.html (4045 words)

	How far can we go beyond linear cryptanalysis ? (Site not responding. Last check: )
		This paper consider statistical attacks against block cipher in an unified framework, it generalizes the concept of linear approximations using statistical techniques and shows that resistance to linear cryptanalysis implies some resistance to a wide class of generalizations, but not all.
		Several generalizations of linear cryptanalysis have been proposed in the past, as well as very similar attacks in a statistical point of view.
		Then, we explicitely construct optimal distinguishers, we evaluate their performance, and we prove that a block cipher immune to classical linear cryptanalysis possesses some resistance to a wide class of generalized versions, but not all.
	crypto.junod.info /a04.html (220 words)

	Differential cryptanalysis - Wikipedia, the free encyclopedia
		Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions.
		The discovery of differential cryptanalysis is generally attributed to Eli Biham and Adi Shamir in the late 1980s, who published a number of attacks against various block ciphers and hash functions, including a theoretical weakness in the Data Encryption Standard (DES).
		Differential cryptanalysis is usually a chosen plaintext attack, meaning that the attacker must be able to obtain encrypted ciphertexts for some set of plaintexts of his choosing.
	en.wikipedia.org /wiki/Differential_cryptanalysis (730 words)

	Constructing Symmetric Ciphers Using the CAST Design Procedure
		With subsequent improvements to the differential attack [8] and with the introduction of linear cryptanalysis, it now appears that 18-20 rounds would be necessary for DES to be theoretically as strong as its keysize.
		Finally, the goal of linear cryptanalysis is to derive, with reasonable probability, the XOR sum of a subset of subkey bits.
		Differential and linear cryptanalysis (chosen- and known-plaintext attacks, respectively) are similar in flavour in that both rely on s-box properties to formulate an attack on a single s-box.
	cryptome.sabotage.org /cast.html (12489 words)

	Azio’s Computer Log » About: Linear CryptAnalysis
		In cryptography, linear cryptanalysis is a form of cryptanalysis like we have spoken about before, apart from the hacker will be searching for a special case, an Affine Cipher, which is a more general substitution of the original cipher “key” but unlocks the data none the less.
		Linear cryptanalysis is one of two widely applicable attacks on block ciphers and for differential cryptanalysis using multiple key diff’s of differentiation tables much like rainbow tables or, a dns database, actually - just a TINY bit more sophisticated!
		As of 2004, the best analytical attack is linear cryptanalysis, which requires 243 known plaintexts and has a time complexity of 239-43 (Junod, 2001); under a chosen-plaintext assumption, the data complexity can be reduced by a factor of four (Knudsen and Mathiassen, 2000).
	azio.org /2006/10/19/about-linear-cryptanalysis (360 words)

	Security Forums :: View topic - Questions regarding cryptanalytical techniques.
		Linear cryptanalysis, in the most general conceptualization, is a known-plaintext attack, involving linear approximations that follow the behavior of a block cipher.
		Lars Knudsen has, most notably, pioneered a large portion of this stem of cryptanalytical research, including the cryptanalysis specifically for the Square block algorithm, and it is no surprise that he is one of the most clever cryptographers to date.
		Much of these mathematical branches is echoed in Bruce Schneier's Self-Study Course in Block Cipher Cryptanalysis, which is a superb reference to the bulk of the greatest analyses we have to date.
	www.security-forums.com /viewtopic.php?t=13534 (2714 words)

	Valery's blog - Sunday, 04 September 2005 (Site not responding. Last check: )
		Another thing to note about linear cryptanalysis is that since here we are collecting plaintext/ciphertext pairs, it belongs to a class of passive wiretapping attacks.
		Linear cryptanalysis was discovered by Matsui in 1992, and it appears to be unknown to NSA during DES standardization period.
		There are other variations of differential and linear cryptanalysis like “impossible cryptanalysis” (relying on odds of impossible combinations) and differential-linear cryptanalysis (that tries to combine strongest features of both cryptanalysis types).
	www.harper.no /valery/default,date,2005-09-04.aspx (5785 words)

	Linear cryptanalysis - Wikipedia, the free encyclopedia
		Subsequently, Matsui published an attack on the Data Encryption Standard (DES), eventually leading to the first experimental cryptanalysis of the cipher reported in the open community (Matsui, 1993; 1994).
		A variety of refinements to the attack have been suggested, including using multiple linear approximations or incorporating non-linear expressions.
		A tutorial on linear (and differential) cryptanalysis of block ciphers
	en.wikipedia.org /wiki/Linear_cryptanalysis (213 words)

	Cryptanalysis of ICE
		These keys can be found by setting up a series of linear (under XOR) equations expressing the fact that the schedule of key 1 is the reverse of the schedule of key 2, then solving the equations.
		None of the ICE variants appear to be breakable by linear cryptanalysis.
		The resistance of ICE to linear cryptanalysis is due to the larger S-boxes, and to the keyed permutation, which roughly squares the effort otherwise required.
	www.ussrback.com /crypto/ice/cryptanalysis.html (769 words)

	[No title] (Site not responding. Last check: )
		Here's a clarification on applying linear cryptanalysis to find a good approximation for a linear function.
		Then we can view it as a linear function that takes n-bit strings to n-bit strings, and every linear function can be viewed this way.
		Therefore, every linear operation in a cipher has a bias 1 approximation.
	www.cs.berkeley.edu /~daw/teaching/cs294-s02/linear-crypt (243 words)

	Katholieke Universiteit Leuven, Departement ESAT/Electrotechniek
		Differential cryptanalysis is a recent technique based on the study of the relation between input and output differences.
		Linear cryptanalysis, also a very recent method, is based on judiciously chosen linear approximations of the non-linear parts of an algorithm.
		In the research for the nature of the basic mechanisms of differential and linear cryptanalysis, we have introduced a number of tools that significantly increase the understanding of these phenomena.
	www.win.tue.nl /wsk/eidma/jaarverslagen/verslag94/node20.html (2464 words)

	Kryptographie FAQ: Frage 59: What is Linear Cryptoanalysis? (Site not responding. Last check: )
		Linear cryptanalysis was first devised by Matsui and Yamagishi [MY92] in an attack on FEAL (see Question 79).
		Linear cryptanalysis is a known plaintext attack (see Question 63) and uses a linear approximation to describe the behavior of the block cipher.
		Langford and Hellman [LH94] introduced an attack called differential-linear cryptanalysis which combines elements of differential cryptanalysis (see Question 58) with those of linear cryptanalysis.
	www.iks-jena.de /mitarb/lutz/security/cryptfaq/q59.html (177 words)

	A tutorial on linear and differential cryptanalysis Cryptologia - Find Articles
		The intent of the paper is to present a lucid explanation of the attacks, detailing the practical application of the attacks to a cipher in a simple, conceptually revealing manner for the novice cryptanalyst.
		In this paper, we present a tutorial on two powerful cryptanalysis techniques applied to symmetric-key block ciphers: linear cryptanalysis [16] and differential cryptanalysis [1].
		It introduces the basic concepts of linear and differential cryptanalysis but is by no means a definitive source for understanding all the many refinements and improvements of the attacks over the years.
	www.findarticles.com /p/articles/mi_qa3926/is_200207/ai_n9095223 (787 words)

	SoftDesignz :: Encryption \| Block Ciphers
		Differential cryptanalysis is basically a chosen plaintext attack and relies on an analysis of the evolution of the differences between two related plaintexts as they are encrypted under the same key.
		Linear cryptanalysis is a known plaintext attack and uses a linear approximation to describe the behavior of the block cipher.
		Also, Kaliski and Robshaw showed that a linear cryptanalytic attack using multiple approximations might allow for a reduction in the amount of data required for a successful attack.
	www.softdesignz.com /blockciphers.asp (1641 words)

Try your search on: Qwika (all wikis)