On bias estimation in linear cryptanalysis

Abstract

Security analysis of block ciphers against linear cryptanalysis has virtually always been based on the bias estimates obtained by the Piling-Up Lemma (PUL) method. Despite its common use, and despite the fact that the independence assumption of the PUL is known not to hold in practice, accuracy of the PUL method has not been analyzed to date. In this study, we start with an experimental analysis of the PUL method. The results on RC5 show that the estimates by the PUL method can be quite inaccurate for some non-Feistel ciphers. On the other hand, the tests with SP-structured Feistel ciphers consistently show a much higher degree of accuracy. In the second part, we analyze several theories for an alternative method for bias estimation, including correlation matrices, linear hulls, and statistical sampling. We show a practical application of the theory of correlation matrices, where better estimates than the PUL method are obtained. We point out certain problems in some current applications of linear hulls. We show that the sample size required for a reliable statistical estimator is an impractically large amount for most practical cases.