How Much Can Complexity of Linear Cryptanalysis Be Reduced?

  • Sho Sakikoyama
  • Yosuke Todo
  • Kazumaro Aoki
  • Masakatu Morii
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8949)


The linear cryptanalysis proposed by Matsui is one of the most effective attacks on block ciphers, and he demonstrated an experimental cryptanalysis against DES at CRYPTO 1994. In this paper, we show how to optimize the linear cryptanalysis on modern microprocessors. Nowadays, there are two methods of implementing the linear cryptanalysis. Method 1 reduces the time complexity by reducing the number of computations of round functions, and Method 2 applies the fast Fourier transform (FFT). We implement both methods optimized for modern microprocessors and compare them in terms of computation time so as to discover which method is more appropriate for practical cryptanalysis. From the results of comparative experiments, we show that the fastest implementation depends on the number of given known plaintexts (KPs) and that of guessed key bits. These results clarify the criteria for selecting the method to implement the linear cryptanalysis. Taking the experimental results into account, we implement the linear cryptanalysis on FEAL-8X. In 2014, Biham and Carmeli showed an implementation of linear cryptanalysis that was able to recover the secret key with \(2^{14}\) KPs. Our implementation breaks FEAL-8X with \(2^{12}\) KPs and is the best attack on FEAL-8X in terms of data complexity.


Linear cryptanalysis FFT Multiple linear cryptanalysis FEAL-8X 


  1. 1.
    Aoki, K., Ohta, K., Araki, S., Mitsuru, M.: Linear Cryptanalysis of FEAL-8 (Experimentation Report). Technical Report, ISEC 94–6 (1994–05), IEICE (1994)Google Scholar
  2. 2.
    Biham, E., Carmeli, Y.: An improvement of linear cryptanalysis with addition operations with applications to FEAL-8X. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, pp. 59–76. Springer, Heidelberg (2014)Google Scholar
  3. 3.
    Bogdanov, A., Geng, H., Wang, M., Wen, L., Collard, B.: Zero-correlation linear cryptanalysis with FFT and improved attacks on ISO standards Camellia and CLEFIA. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 306–323. Springer, Heidelberg (2014) Google Scholar
  4. 4.
    Collard, B., Standaert, F.-X., Quisquater, J.-J.: Improving the time complexity of matsui’s linear cryptanalysis. In: Nam, K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 77–88. Springer, Heidelberg (2007) Google Scholar
  5. 5.
    Hermelin, M., Nyberg, K.: Dependent linear approximations: the algorithm of Biryukov and others revisited. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 318–333. Springer, Heidelberg (2010) Google Scholar
  6. 6.
    Kaliski Jr., B.S., Robshaw, M.: Linear cryptanalysis using multiple approximations. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 26–39. Springer, Heidelberg (1994) Google Scholar
  7. 7.
    Kaliski Jr., B.S., Robshaw, M.J.B.: Linear cryptanalysis using multiple approximations and FEAL. In: Preneel, B. (ed.) Fast Software Encryption. LNCS, vol. 1008, pp. 249–264. Springer, Heidelberg (1995) Google Scholar
  8. 8.
    Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994) Google Scholar
  9. 9.
    Matsui, M.: The first experimental cryptanalysis of the data encryption standard. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 1–11. Springer, Heidelberg (1994) Google Scholar
  10. 10.
    Matsui, M.: Celebrating the 25th year of FEAL - A New Prize Problem - (2012), CRYPTO 2012 Rump Session (2012).
  11. 11.
    Matsui, M., Yamagishi, A.: A new method for known plaintext attack of FEAL cipher. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 81–91. Springer, Heidelberg (1993) Google Scholar
  12. 12.
    Miyaguchi, S.: The FEAL cipher family. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 627–637. Springer, Heidelberg (1991) Google Scholar
  13. 13.
    Nguyen, P.H., Wei, L., Wang, H., Ling, S.: On multidimensional linear cryptanalysis. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 37–52. Springer, Heidelberg (2010) Google Scholar
  14. 14.
    Nguyen, P.H., Wu, H., Wang, H.: Improving the algorithm 2 in multidimensional linear cryptanalysis. In: Parampalli, U., Hawkes, P. (eds.) ACISP 2011. LNCS, vol. 6812, pp. 61–74. Springer, Heidelberg (2011) Google Scholar
  15. 15.
    Todo, Y., Aoki, K.: FFT key recovery for integral attack. In: Gritzalis, D., Kiayias, A., Askoxylakis, I. (eds.) Cryptology and Network Security. LNCS, vol. 8813, pp. 64–81. Springer, Heidelberg (2014) Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Sho Sakikoyama
    • 1
  • Yosuke Todo
    • 2
  • Kazumaro Aoki
    • 2
  • Masakatu Morii
    • 1
  1. 1.Kobe UniversityKobeJapan
  2. 2.NTT Secure Platform LaboratoriesTokyoJapan

Personalised recommendations