What Is Linear Cryptanalysis in Information Security?

Linear cryptanalysis is a known-plaintext attack in which the attacker studies probabilistic linear relations, referred to as linear approximations, among parity bits of the plaintext, the ciphertext and the secret key.

In this approach, the attacker obtains high-probability approximations for a parity bit of the secret key by computing the parity bits of the known plaintexts and ciphertexts. By using several approaches, including the auxiliary technique, the attacker can extend the attack to discover additional bits of the secret key.

Linear cryptanalysis and differential cryptanalysis are the most widely used attacks on block ciphers. The linear cryptanalysis technique was invented by Mitsuru Matsui, who first applied it to the FEAL cipher.

There are generally two parts to linear cryptanalysis. The first is to construct linear equations relating plaintext, ciphertext and key bits that have a large bias; that is, whose probability of holding is as close as possible to 0 or 1.

The second part is to use these linear equations in conjunction with known plaintext-ciphertext pairs to derive key bits.

Linear cryptanalysis uses linear approximations to model the non-linear steps of the encryption procedure. Applying such an approximation to a large amount of known plaintext will eventually yield one key bit that is correct with a specific probability. Cipher-specific refinements of this approach can recover multiple key bits.

The linear cryptanalysis attack is based on discovering linear approximations that describe the transformations performed in the Data Encryption Standard. This approach can recover a Data Encryption Standard key given 2^43 known plaintexts, as compared to 2^47 chosen plaintexts for differential cryptanalysis.

Although this is a minor improvement, because it may be easier to acquire known plaintext than chosen plaintext, it still leaves linear cryptanalysis infeasible as an attack on the Data Encryption Standard.

The objective of linear cryptanalysis is to discover an effective linear equation of the form −

$$P[\alpha_1, \alpha_2, \ldots, \alpha_a] \oplus C[\beta_1, \beta_2, \ldots, \beta_b] = K[\gamma_1, \gamma_2, \ldots, \gamma_c]$$

(where x = 0 or 1; 1 ≤ a, b ≤ n, 1 ≤ c ≤ m, and where the α, β and γ terms represent fixed, specific bit locations) that holds with probability p ≠ 0.5. Here P[α1, α2, ..., αa] denotes the parity (XOR) of the selected plaintext bits, P[α1] ⊕ P[α2] ⊕ ... ⊕ P[αa], and likewise for the ciphertext bits C[...] and the key bits K[...]; n is the block size and m the key length in bits.

The further p is from 0.5, the more effective the equation. Once a candidate relation has been identified, the procedure is to evaluate the left-hand side of the preceding equation for a large number of plaintext-ciphertext pairs. If the result is 0 more than half the time, assume K[γ1, γ2, ..., γc] = 0.

If it is 1 most of the time, assume K[γ1, γ2, ..., γc] = 1. This gives us one linear equation on the key bits. The attacker then tries to obtain more such relations so that the key bits can be solved for. Because we are dealing with linear equations, the problem can be approached one round of the cipher at a time, with the results combined.
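The procedure above, worked through on a toy cipher as an added example (this is not code from the article): the cipher, key and plaintext set are constructed here, the 4-bit S-box is the one from Heys' linear cryptanalysis tutorial (row 0 of DES S1), and the key is XORed directly into two side-by-side S-boxes, so the equation takes the form P[α] ⊕ C[β] = K[α]. The block finds S-box approximations with large bias, combines two of them with the piling-up lemma, and then counts the left-hand side over known pairs to read off one key parity bit, including the sign caveat that a negative bias reverses the reading.

```python
import random

# 4-bit S-box from Heys' linear cryptanalysis tutorial (row 0 of DES S1).
SBOX = [0xE, 4, 0xD, 1, 2, 0xF, 0xB, 8, 3, 0xA, 6, 0xC, 5, 9, 0, 7]

def parity(x):
    """XOR of the bits of x, i.e. the parity of the bit positions a mask selects."""
    return bin(x).count("1") & 1

def sbox_bias(a, b):
    """Bias of the S-box approximation x[a] ^ S(x)[b] = 0 (one entry of the LAT)."""
    hits = sum(parity(x & a) == parity(SBOX[x] & b) for x in range(16))
    return hits / 16 - 0.5

def encrypt(p, k):
    """Constructed toy 8-bit cipher: XOR an 8-bit key, then two S-boxes side by side."""
    u = p ^ k
    return (SBOX[u >> 4] << 4) | SBOX[u & 0xF]

def piling_up(*biases):
    """Piling-up lemma: bias of the XOR of independent approximations."""
    e = 2 ** (len(biases) - 1)
    for b in biases:
        e *= b
    return e

def exact_bias(k, alpha, beta):
    """Exact bias of P[alpha] ^ C[beta] = K[alpha] over the whole codebook
    (gamma = alpha because the key is XORed straight into the S-box inputs)."""
    hits = sum(parity(p & alpha) ^ parity(encrypt(p, k) & beta) == parity(k & alpha)
               for p in range(256))
    return hits / 256 - 0.5

def recover_key_parity(pairs, alpha, beta, bias):
    """The counting step from the text: if P[alpha] ^ C[beta] is 0 more than half
    the time, read K[alpha] = 0, else 1. A negative bias reverses the reading."""
    zeros = sum(parity(p & alpha) ^ parity(c & beta) == 0 for p, c in pairs)
    lhs_mostly_zero = zeros > len(pairs) / 2
    return 0 if lhs_mostly_zero == (bias > 0) else 1

def demo(seed=7, n=400):
    """Recover one key parity bit from n constructed known plaintext/ciphertext pairs."""
    rng = random.Random(seed)
    k = rng.randrange(256)                      # secret key (random, for the demo)
    # Left S-box: X2^X3 = Y1^Y3^Y4 (bias +1/4); right S-box: X3^X4 = Y1^Y4 (bias -3/8).
    alpha, beta = (6 << 4) | 3, (0xB << 4) | 9
    bias = piling_up(sbox_bias(6, 0xB), sbox_bias(3, 9))     # -3/16
    pairs = [(p, encrypt(p, k)) for p in (rng.randrange(256) for _ in range(n))]
    return recover_key_parity(pairs, alpha, beta, bias), parity(k & alpha), bias
```

Because the two S-box inputs are independent, the piling-up estimate is exact here; `exact_bias` confirms it against the full codebook, and `demo` returns the guessed and true parity of K[α] together with the bias used.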