Linear Approximations of Addition Modulo 2^n

  • Johan Wallén
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2887)


We present an in-depth algorithmic study of the linear approximations of addition modulo 2^n. Our results are based on a fairly simple classification of the linear approximations of the carry function. Using this classification, we derive a Θ(log n)-time algorithm for computing the correlation of linear approximations of addition modulo 2^n and an optimal algorithm for generating all linear approximations with a given non-zero correlation coefficient, and we determine the distribution of the correlation coefficients. In the generation algorithms, one or two of the selection vectors can optionally be fixed. The algorithms are practical and easy to implement.


Keywords: Linear approximations, correlation, modular addition, linear cryptanalysis


Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Johan Wallén (1)
  1. Laboratory for Theoretical Computer Science, Helsinki University of Technology, Espoo, Finland
