How much can complexity of linear cryptanalysis be reduced?

Abstract

The linear cryptanalysis proposed by Matsui is one of the most effective attacks on block ciphers, and he demonstrated an experimental cryptanalysis against DES at CRYPTO 1994. In this paper, we show how to optimize the linear cryptanalysis on modern microprocessors. Nowadays, there are two methods of implementing the linear cryptanalysis. Method 1 reduces the time complexity by reducing the number of computations of round functions, and Method 2 applies the fast Fourier transform (FFT).We implement both methods optimized for modern microprocessors and compare them in terms of computation time so as to discover which method is more appropriate for practical cryptanalysis. From the results of comparative experiments, we show that the fastest implementation depends on the number of given known plaintexts (KPs) and that of guessed key bits. These results clarify the criteria for selecting the method to implement the linear cryptanalysis. Taking the experimental results into account, we implement the linear cryptanalysis on FEAL-8X. In 2014, Biham and Carmeli showed an implementation of linear cryptanalysis that was able to recover the secret key with 214 KPs. Our implementation breaks FEAL-8X with 212 KPs and is the best attack on FEAL-8X in terms of data complexity.