Differential and linear cryptanalysis

The paper http://members.aol.com/jpeschel3/report.pdf is a nice introduction to the ideas behind linear and differential cryptanalysis. Here we just sketch the basic idea behind these approaches.

Differential cryptanalysis is credited to Biham and Shamir, who published it in 1990, though it is now clear that the IBM team that designed DES (and, it is generally assumed, the NSA) knew of the technique in the 1970s and chose the S-boxes to resist it. The basic idea is to look for a fixed difference between two plaintexts (for DES, an XOR difference) that propagates through most of the cipher to a particular intermediate difference with a probability noticeably higher than it would for a random permutation. Such a "differential" is largely independent of the key, because XORing in a round key leaves an XOR difference unchanged; the key enters through the last round. The attacker guesses the bits of the final round key, partially decrypts each ciphertext pair, and counts how often the predicted intermediate difference appears. The correct guess sees the differential's probability, while wrong guesses see roughly random behaviour, so with enough pairs the counter singles out the right subkey bits and the remaining key bits can be found by search.
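As an added illustration (not code from the page or from the paper it links to), the following Python builds the difference distribution table of a 4-bit S-box and runs the last-round key-guessing step described above against a hypothetical two-round toy cipher, C = S(S(P ^ k0) ^ k1) ^ k2. The S-box is the PRESENT S-box, chosen only as a realistic 4-bit example; the cipher, the key values and the input difference are assumptions for the demo. With all 8 chosen pairs of difference 1, the true k2 scores exactly DDT[1][3]/2 = 2 hits, i.e. the differential's 1/4 probability; on a 4-bit block there is so little data that a wrong guess can tie it, which is exactly why real attacks need many pairs.

```python
# Added example, not code from the page: differential cryptanalysis of a
# hypothetical two-round toy cipher on a 4-bit block,
#     C = S(S(P ^ k0) ^ k1) ^ k2,
# using the PRESENT S-box as a realistic 4-bit S-box.  Key values are demo choices.
from collections import Counter

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(y) for y in range(16)]


def ddt(sbox):
    """Difference distribution table: ddt[din][dout] counts inputs x with
    sbox[x] ^ sbox[x ^ din] == dout.  Entry / 16 is the differential probability."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for din in range(n):
        for x in range(n):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table


def best_differential(table, din):
    """Highest-probability nontrivial output difference for input difference din."""
    row = table[din]
    dout = max(range(1, len(row)), key=lambda d: row[d])
    return dout, row[dout]


def encrypt(p, k0, k1, k2):
    """Two S-box layers with XOR key addition.  XOR differences pass through
    the key additions unchanged, so only the S-boxes change a difference."""
    return SBOX[SBOX[p ^ k0] ^ k1] ^ k2


def chosen_plaintext_pairs(d_in, k0, k1, k2):
    """Chosen-plaintext phase: encrypt every unordered pair (P, P ^ d_in)."""
    return [(encrypt(p, k0, k1, k2), encrypt(p ^ d_in, k0, k1, k2))
            for p in range(16) if p < (p ^ d_in)]


def attack_last_key(pairs, d_mid):
    """Guess the last subkey k2, peel off the final S-box layer of both
    ciphertexts, and count how often the round-1 output difference equals
    d_mid.  The correct guess scores the differential's probability
    (DDT entry / 16 of the pairs); wrong guesses behave roughly randomly."""
    hits = Counter({guess: 0 for guess in range(16)})
    for guess in range(16):
        for c1, c2 in pairs:
            if SBOX_INV[c1 ^ guess] ^ SBOX_INV[c2 ^ guess] == d_mid:
                hits[guess] += 1
    return hits


if __name__ == "__main__":
    k0, k1, k2 = 0x7, 0xA, 0x3          # secret key (demo values)
    table = ddt(SBOX)
    d_in = 0x1
    d_mid, count = best_differential(table, d_in)
    print(f"differential {d_in:x} -> {d_mid:x} holds for {count}/16 inputs")
    pairs = chosen_plaintext_pairs(d_in, k0, k1, k2)
    hits = attack_last_key(pairs, d_mid)
    for guess, n in hits.most_common():
        flag = " <- true k2" if guess == k2 else ""
        print(f"k2 guess {guess:x}: {n}/{len(pairs)} pairs{flag}")
```

The attack never needs k0 or k1: the differential 1 -> 3 holds for 4 of the 16 S-box inputs whatever those keys are, and the partial decryption only involves the guessed k2. Replacing the S-box with one whose DDT has a larger maximum entry makes the counter separate the right key faster, which is the property S-box designers minimise.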

Linear cryptanalysis is, in the open literature, due to Matsui (1993). The idea is to approximate some nonlinear part of a cipher by a linear function over GF(2), that is, by an XOR of some of its input and output bits. For example, the nonlinear function

      f(x, y) = x + xy    (addition modulo 2, i.e. XOR),

agrees with the linear function g(x, y) = x on three of its four inputs (the two differ only when x = y = 1), so the approximation holds with probability 3/4. What matters is the bias, the distance of that probability from 1/2 (here 1/4): an approximation that holds exactly half the time carries no information, while a biased one relates bits the attacker can observe to bits he cannot. In an iterated block cipher it is sensible to look for linear approximations of the round function and chain them through the rounds; treating the rounds as independent, the piling-up lemma gives the combined bias as 2^(n-1) times the product of the n per-round biases, so a usable approximation needs a large bias in every round. The resulting relation is an XOR of plaintext bits, ciphertext bits and key bits. If the round keys are XORed in, the key bits contribute only a constant, so counting how often the plaintext/ciphertext part of the relation holds over many known plaintexts reveals the parity of the key bits involved (Matsui's Algorithm 1); guessing the bits of the last round key, partially decrypting and recounting recovers those bits outright (Algorithm 2).
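As an added illustration (not code from the page), the following Python checks the 3/4 figure for the f(x, y) = x + xy example by brute force, builds the linear approximation table of a 4-bit S-box, and runs Matsui's Algorithm 1 against a hypothetical one-round toy cipher C = S(P ^ k0) ^ k1 to recover one parity bit of the key. The PRESENT S-box is used as a realistic nonlinear component; the cipher, the masks and the key values are assumptions for the demo. For this S-box the approximation x3 ^ x0 = S(x)_0 (input mask 9, output mask 1) happens to hold for 12 of 16 inputs, the same 3/4 as the page's example.

```python
# Added example, not code from the page: linear approximations and Matsui's
# Algorithm 1 on a hypothetical one-round toy cipher C = S(P ^ k0) ^ k1,
# with the PRESENT S-box as the nonlinear part.  Key values are demo choices.
from fractions import Fraction

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v):
    """XOR of the bits of v; parity(mask & value) is the 'mask . value' dot product."""
    return bin(v).count("1") & 1


def page_example():
    """The page's example: f(x, y) = x + xy over GF(2) versus g(x, y) = x.
    Returns the fraction of the four inputs on which f and g agree."""
    def f(x, y):
        return x ^ (x & y)

    def g(x, y):
        return x
    agree = sum(f(x, y) == g(x, y) for x in (0, 1) for y in (0, 1))
    return Fraction(agree, 4)


def lat(sbox):
    """Linear approximation table: lat[a][b] = #{x : a.x == b.S(x)}.  The
    approximation a.x = b.S(x) holds with probability lat[a][b]/16 and has
    bias (lat[a][b] - 8)/16."""
    n = len(sbox)
    return [[sum(parity(a & x) == parity(b & sbox[x]) for x in range(n))
             for b in range(n)] for a in range(n)]


def bias(table, a, b):
    """Signed bias of the approximation with input mask a and output mask b."""
    return Fraction(table[a][b] - len(table) // 2, len(table))


def best_approximation(table):
    """Masks (a, b), both nonzero, with the largest absolute bias."""
    n = len(table)
    return max(((a, b) for a in range(1, n) for b in range(1, n)),
               key=lambda ab: abs(table[ab[0]][ab[1]] - n // 2))


def encrypt(p, k0, k1):
    """One S-box layer between two XORed keys."""
    return SBOX[p ^ k0] ^ k1


def algorithm1(samples, a, b, approx_prob):
    """Matsui's Algorithm 1.  With x = P ^ k0 we have
        a.P ^ b.C = (a.x ^ b.S(x)) ^ (a.k0 ^ b.k1),
    so the S-box approximation a.x = b.S(x), holding with probability
    approx_prob, becomes a biased relation between plaintext, ciphertext and
    the key parity bit a.k0 ^ b.k1.  Count the known-plaintext samples on which
    a.P == b.C and read that bit off.  Returns (key_bit, T, N)."""
    N = len(samples)
    T = sum(parity(a & p) == parity(b & c) for p, c in samples)
    key_bit = 0 if (T > N / 2) == (approx_prob > Fraction(1, 2)) else 1
    return key_bit, T, N


def true_key_parity(a, b, k0, k1):
    """The bit Algorithm 1 is trying to recover (known here only because we hold the key)."""
    return parity(a & k0) ^ parity(b & k1)


if __name__ == "__main__":
    k0, k1 = 0x6, 0xD                      # secret key (demo values)
    table = lat(SBOX)
    a, b = 0x9, 0x1                        # x3 ^ x0 = S(x)_0 holds for 12 of 16 inputs
    print("page example: f agrees with g with probability", page_example())
    print(f"LAT[{a:x}][{b:x}] = {table[a][b]}, bias {bias(table, a, b)}")
    samples = [(p, encrypt(p, k0, k1)) for p in range(16)]   # known plaintext
    bit, T, N = algorithm1(samples, a, b, Fraction(table[a][b], 16))
    print(f"T = {T}/{N}: recovered a.k0 ^ b.k1 = {bit}, "
          f"true value {true_key_parity(a, b, k0, k1)}")
```

Because the key bits enter only as a constant, the count T is either 12 or 4 over the full codebook, depending on that constant, and Algorithm 1 decodes it without any key guessing. With a random subset of known plaintexts T is only close to 12/16 or 4/16 of N, and the number of samples needed grows as roughly 1/bias^2.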

Differential cryptanalysis requires chosen plaintext, since the attacker needs pairs with a specific difference, while linear cryptanalysis "only" requires known plaintext. The gap is smaller than it looks: among a large enough collection of known plaintexts, pairs with any particular difference occur by chance (about N(N-1)/2^(n+1) of them among N random n-bit blocks), so a sufficient quantity of known plaintext yields a smaller quantity of effectively chosen plaintext.
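As an added illustration (not code from the page), the following Python harvests the pairs with a wanted XOR difference from a known-plaintext sample, using a set lookup rather than an all-pairs scan, and computes how many such pairs to expect from random data. The sample values are constructed for the demo.

```python
# Added example, not code from the page: turning known plaintext into the
# chosen-difference pairs a differential attack needs.  SAMPLE is constructed.
from fractions import Fraction
import random


def pairs_with_difference(plaintexts, delta):
    """Unordered pairs (p, p ^ delta) with both members in the sample.
    The set lookup makes this O(N) instead of testing all N(N-1)/2 pairs."""
    seen = set(plaintexts)
    return sorted((p, p ^ delta) for p in seen
                  if (p ^ delta) in seen and p < (p ^ delta))


def expected_pairs(n_samples, block_bits):
    """For N independent uniformly random n-bit blocks, each of the N(N-1)/2
    unordered pairs has a given nonzero XOR difference with probability 2^-n."""
    return Fraction(n_samples * (n_samples - 1), 2) / (1 << block_bits)


# Constructed 8-bit "known plaintexts"; three pairs differ by exactly 0x10.
SAMPLE = [0x12, 0x02, 0x3A, 0x2A, 0x51, 0x77, 0x9C, 0x8C, 0xE1, 0xF0]


if __name__ == "__main__":
    delta = 0x10
    found = pairs_with_difference(SAMPLE, delta)
    print(f"constructed sample: {len(found)} pairs with difference {delta:#04x}:",
          [(f"{p:#04x}", f"{q:#04x}") for p, q in found])
    rng = random.Random(1)
    n, bits = 4000, 16
    known = [rng.getrandbits(bits) for _ in range(n)]
    found = pairs_with_difference(known, 0x8000)
    print(f"{n} random {bits}-bit plaintexts: {len(found)} pairs with "
          f"difference 0x8000, about {float(expected_pairs(n, bits)):.1f} expected")
```

The quadratic growth in N is the point: for a 64-bit block like DES the yield per known plaintext is tiny, but the attacker harvests pairs for every useful input difference from the same data at once, and a known-plaintext collection large enough for linear cryptanalysis also delivers differential pairs.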