Problems with the linear cryptanalysis of DES using more than one active S-box per round

  • Uwe Blöcher
  • Markus Dichtl
Session 5: Block Ciphers-Linear Cryptanalysis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1008)


Matsui introduced the concept of linear cryptanalysis. Originally only one active S-box per round was used. Later he and Biham proposed linear cryptanalysis with more than one active S-box per round. They combine equations with the Piling-up Lemma, which requires independent random input variables. This requirement is not met for neighbouring S-boxes, because they share input bits. In this paper we study the error resulting from this application of the Piling-up Lemma. We give statistical evidence that the errors are severe. On the other hand, we show that the Piling-up Lemma gives the correct probabilities for Matsui's Type II approximation.
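The independence problem described in the abstract can be checked by exhaustive counting. The following is an added example, not code from the paper: it compares the Piling-up Lemma prediction for DES S-boxes S1 and S2 with the exact bias when both boxes are fed through the expansion E, where R bits 4 and 5 enter both. The masks, the function names and the 10-bit model of R are assumptions chosen for illustration.

```python
from fractions import Fraction

# DES S-boxes S1 and S2 (FIPS 46); they are neighbours in the round function.
S1 = [[14,4,13,1,2,15,11,8,3,10,6,12,5,9,0,7],
      [0,15,7,4,14,2,13,1,10,6,12,11,9,5,3,8],
      [4,1,14,8,13,6,2,11,15,12,9,7,3,10,5,0],
      [15,12,8,2,4,9,1,7,5,11,3,14,10,0,6,13]]
S2 = [[15,1,8,14,6,11,3,4,9,7,2,13,12,0,5,10],
      [3,13,4,7,15,2,8,14,12,0,1,10,6,9,11,5],
      [0,14,7,11,10,4,13,1,5,8,12,6,9,3,2,15],
      [13,8,10,1,3,15,4,2,11,6,7,12,0,5,14,9]]

def sbox(table, x):
    """6-bit input: the outer bits select the row, the middle four the column."""
    return table[((x >> 4) & 2) | (x & 1)][(x >> 1) & 0xF]

def parity(v):
    return bin(v).count("1") & 1

def holds(table, a, b, x):
    """1 if the approximation <a,x> xor <b,S(x)> = 0 holds for input x, else 0."""
    return 1 - (parity(a & x) ^ parity(b & sbox(table, x)))

def bias(table, a, b):
    """Bias of one S-box approximation over a uniform 6-bit input."""
    return Fraction(sum(holds(table, a, b, x) for x in range(64)), 64) - Fraction(1, 2)

def piling_up(a1, b1, a2, b2):
    """Piling-up Lemma prediction for the XOR of both approximations."""
    return 2 * bias(S1, a1, b1) * bias(S2, a2, b2)

def exact_independent(a1, b1, a2, b2):
    """Exact bias when S1 and S2 really do get independent inputs."""
    hits = sum(1 - (holds(S1, a1, b1, x1) ^ holds(S2, a2, b2, x2))
               for x1 in range(64) for x2 in range(64))
    return Fraction(hits, 4096) - Fraction(1, 2)

def exact_des(a1, b1, a2, b2, k1=0, k2=0):
    """Exact bias behind E: r holds R bits 32,1,...,9; S1 sees its top six bits,
    S2 its low six, so R bits 4 and 5 feed both. k1, k2 are 6-bit subkey parts."""
    hits = sum(1 - (holds(S1, a1, b1, (r >> 4) ^ k1) ^ holds(S2, a2, b2, (r & 63) ^ k2))
               for r in range(1024))
    return Fraction(hits, 1024) - Fraction(1, 2)

if __name__ == "__main__":
    masks = (0b000011, 0b0101, 0b110000, 0b1010)  # constructed masks on the shared bits
    print("piling-up prediction:", piling_up(*masks))
    for k in (0, 0b000001, 0b000010):
        print("exact bias, k1 =", k, ":", exact_des(*masks, k1=k))
```

With input masks that select only the shared bit R4 and zero output masks, each single approximation has bias 0, so the lemma predicts 0, while the combined relation is constant and its exact bias is ±1/2 depending on the key bits.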



Copyright information

© Springer-Verlag Berlin Heidelberg 1995

Authors and Affiliations

  • Uwe Blöcher (Siemens AG, München, Germany)
  • Markus Dichtl (Siemens AG, München, Germany)
