In cryptography, **linear cryptanalysis** is a general form of cryptanalysis based on finding affine approximations to the action of a cipher. Attacks have been developed for block ciphers and stream ciphers. Linear cryptanalysis is one of the two most widely used attacks on block ciphers, the other being differential cryptanalysis.

The discovery is attributed to Mitsuru Matsui, who first applied the technique to the FEAL cipher (Matsui and Yamagishi, 1992). Subsequently, Matsui published an attack on the Data Encryption Standard (DES), eventually leading to the first experimental cryptanalysis of the cipher reported in the open community (Matsui, 1993; 1994). The attack on DES is not generally practical, requiring $2^{43}$ known plaintexts.

A variety of refinements to the attack have been suggested, including using multiple linear approximations or incorporating non-linear expressions, leading to a generalized partitioning cryptanalysis. Evidence of security against linear cryptanalysis is usually expected of new cipher designs.
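
The example below is added here and is not part of the original article. It shows the S-box-level check a designer runs when giving evidence of resistance: it builds the linear approximation table, which counts for every pair of input and output bit masks how often the two bit sums agree, and reports the approximation with the largest bias (agreement probability minus 1/2). The S-boxes, the term "bias" and all function names are assumptions made for the example.

```python
# Added example: linear approximation table (LAT) of a 4-bit S-box.
# SAMPLE_SBOX and AFFINE_SBOX are illustrative inputs, not taken from the page.

N_BITS = 4
SIZE = 1 << N_BITS

# First row of DES S-box S1, used here only as a sample nonlinear S-box.
SAMPLE_SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
               0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
# Constructed weak S-box: XOR with a constant is affine in every output bit.
AFFINE_SBOX = [x ^ 0x5 for x in range(SIZE)]


def parity(v: int) -> int:
    """XOR of all bits of v (the bit sum selected by a mask)."""
    return bin(v).count("1") & 1


def lat(sbox):
    """table[a][b] = #{x : a.x == b.S(x)} - SIZE/2 for input mask a, output mask b."""
    if sorted(sbox) != list(range(SIZE)):
        raise ValueError("expected a 4-bit permutation")
    table = [[0] * SIZE for _ in range(SIZE)]
    for a in range(SIZE):
        for b in range(SIZE):
            agree = sum(parity(a & x) == parity(b & sbox[x]) for x in range(SIZE))
            table[a][b] = agree - SIZE // 2
    return table


def worst_approximation(sbox):
    """Return (a, b, bias) with the largest |bias| over nonzero output masks b."""
    table = lat(sbox)
    a, b = max(((a, b) for a in range(SIZE) for b in range(1, SIZE)),
               key=lambda m: abs(table[m[0]][m[1]]))
    return a, b, table[a][b] / SIZE


if __name__ == "__main__":
    for name, sbox in (("sample", SAMPLE_SBOX), ("affine", AFFINE_SBOX)):
        a, b, bias = worst_approximation(sbox)
        print(f"{name}: input mask {a:#x}, output mask {b:#x}, bias {bias:+.3f}")
```

A bias of magnitude 1/2 means some combination of output bits is an exact affine function of the input, which is the degenerate case a design review rejects; the smaller the worst-case magnitude, the weaker the best affine approximation of the S-box.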


### Other articles related to "linear cryptanalysis, cryptanalysis, linear":


... In cryptography, partitioning **cryptanalysis** is a form of **cryptanalysis** for block ciphers ... Developed by Carlo Harpes in 1995, the attack is a generalization of **linear cryptanalysis** ... Harpes originally replaced the bit sums (affine transformations) of **linear cryptanalysis** with more general balanced Boolean functions ...

**Linear Cryptanalysis** - Overview - Deriving Key Bits

... Having obtained a **linear** approximation of the form This procedure can be repeated with other **linear** approximations, obtaining guesses at values of key bits, until the number of unknown ...

... complexity than a brute-force search: differential **cryptanalysis** (DC), **linear cryptanalysis** (LC), and Davies' attack ... Differential **cryptanalysis** was rediscovered in the late 1980s by Eli Biham and Adi Shamir; it was known earlier to both IBM and the NSA and kept secret ... To break the full 16 rounds, differential **cryptanalysis** requires $2^{49}$ chosen plaintexts ...