An improvement of linear cryptanalysis with addition operations with applications to FEAL-8X

Abstract

FEAL is a Feistel cipher that uses addition operations. Since its introduction 26 years ago it played a key role in the development of many cryptanalytic techniques, including differential and linear cryptanalysis. For its 25th anniversary Mitsuru Matsui announced a challenge for an improved known plaintext attack on FEAL-8X. In this paper we describe our attack and introduce several improvements to linear cryptanalysis that allowed us to recover the key given 214known plaintexts in about 14 h of computation, and led us to win the challenge. An especially interesting improvement considers the approximation of addition-based S-boxes by partitioning into several sets in a way that amplifies the bias, and therefore allows for a reduction in the number of required known plaintexts as well as saving computation time. We also describe attacks that require only a few (even 2 or 3) known plaintexts that recover the key much faster than exhaustive search.