On the Complexity of Matsui’s Attack

  • Pascal Junod
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2259)


Linear cryptanalysis remains the most powerful attack against DES at this time. Given 2^43 known plaintext-ciphertext pairs, Matsui expected a complexity of less than 2^43 DES evaluations in 85 % of the cases for recovering the key. In this paper, we present a theoretical and experimental complexity analysis of this attack, which has been simulated 21 times using the idle time of several computers. The experimental results suggest a complexity upper-bounded by 2^41 DES evaluations in 85 % of the cases, while more than half of the experiments needed less than 2^39 DES evaluations. In addition, we give a detailed theoretical analysis of the attack complexity.


Keywords: linear cryptanalysis, DES



Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Pascal Junod (1)
  1. Security and Cryptography Laboratory, Swiss Federal Institute of Technology, Lausanne, Switzerland
