Problems with the linear cryptanalysis of DES using more than one active S-box per round
Matsui introduced the concept of linear cryptanalysis. Originally only one active S-box per round was used. Later he and Biham proposed linear cryptanalysis with more than one active S-box per round. They combine equations with the Piling-up Lemma, which requires independent random input variables. This requirement is not met for neighbouring S-boxes, because they share input bits. In this paper we study the error resulting from this application of the Piling-up Lemma. We give statistical evidence that the errors are severe. On the other hand we show that the Piling-up Lemma gives the correct probabilities for Matsui's Type II approximation.
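An added illustration, not code from the paper: for linear approximations on the neighbouring S-boxes S1 and S2, it compares the Piling-up Lemma product with the exact correlation when the two inputs overlap in two bits, as the DES expansion makes them do. Correlation here is twice the bias; the function names, the single-round model and the `kdiff` parameter (XOR of the subkey bits on the shared positions) are assumptions of this example.

```python
from functools import lru_cache

# DES S-boxes S1 and S2 (FIPS 46): row = outer bits b1,b6; column = inner bits b2..b5.
S1 = ((14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7),
      (0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8),
      (4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0),
      (15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13))
S2 = ((15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10),
      (3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5),
      (0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15),
      (13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9))

def sbox(table, x):
    """Apply a DES S-box to a 6-bit input x (bit 5 = b1, bit 0 = b6)."""
    return table[((x >> 4) & 2) | (x & 1)][(x >> 1) & 0xF]

def sign(table, a, b, x):
    """+1 if a.x XOR b.S(x) == 0, else -1 (a: input mask, b: output mask)."""
    return 1 - 2 * (bin((a & x) | ((b & sbox(table, x)) << 6)).count("1") & 1)

@lru_cache(maxsize=None)
def cond_sums(table, a, b, shift):
    """Signed counts of the approximation, grouped by the two bits at `shift`."""
    c = [0, 0, 0, 0]
    for x in range(64):
        c[(x >> shift) & 3] += sign(table, a, b, x)
    return tuple(c)

def piling_up(a1, b1, a2, b2):
    """Piling-up Lemma: treat both inputs as independent, multiply correlations."""
    return sum(cond_sums(S1, a1, b1, 0)) * sum(cond_sums(S2, a2, b2, 4)) / 4096

def exact(a1, b1, a2, b2, kdiff=0):
    """Exact correlation when S2's top two input bits equal S1's bottom two
    (E expansion), XORed with kdiff, the 2-bit difference of the subkey bits."""
    c1, c2 = cond_sums(S1, a1, b1, 0), cond_sums(S2, a2, b2, 4)
    return sum(c1[s] * c2[s ^ kdiff] for s in range(4)) / 1024

def independent(a1, b1, a2, b2):
    """Control: brute force over 64 x 64 unrelated inputs; equals piling_up."""
    return sum(sign(S1, a1, b1, x) * sign(S2, a2, b2, y)
               for x in range(64) for y in range(64)) / 4096

if __name__ == "__main__":
    masks = [(a, b) for a in range(1, 64) for b in range(1, 16)]
    gap, m1, m2 = max((abs(exact(*m1, *m2) - piling_up(*m1, *m2)), m1, m2)
                      for m1 in masks for m2 in masks)
    print("largest |exact - predicted| correlation for kdiff=0:", gap, m1, m2)
```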