On the complexity of Matsui’s attack

Abstract. Linear cryptanalysis remains the most powerful attack against DES at this time. Given 2 43 known plaintext-ciphertext pairs, Matsui expected a complexity of less than 2 43 DES evaluations in 85 % of the cases for recovering the key. In this paper, we present a theoretical and experimental complexity analysis of this attack, which has been simulated 21 times using the idle time of several computers. The experimental results suggest a complexity upper-bounded by 2 41 DES evaluations in 85 % of the case, while more than the half of the experiments needed less than 2 39 DES evaluations. In addition, we give a detailed theoretical analysis of the attack complexity

Cryptanalysis of block ciphers and weight divisibility of some binary codes

International audienceThe resistance of an iterated block cipher to most classical attacks can be quantified by some properties of its round function. The involved parameters (nonlinearity, degrees of the derivatives...) for a function F from GF(2^m) into GF(2^m) are related to the weight distribution of a binary linear code C_F of length (2^m − 1) and dimension 2m. In particular, the weight divisibility of C_F appears as an important criterion in the context of linear cryptanalysis and of higher-order differential attacks. When the round function F is a power permutation over GF(2^m), the associated code C_F is the dual of a primitive cyclic code with two zeroes. Therefore, McEliece's theorem provides a powerful tool for evaluating the resistance of some block ciphers to linear and higherorder differential attacks