Differential-linear attack

Introduced by Martin Hellman and Susan K. Langford in 1994, the differential-linear attack is a mix of both linear cryptanalysis and differential cryptanalysis.

The attack utilises a differential characteristic over part of the cipher with a probability of 1 (for a few rounds—this probability would be much lower for the whole cipher). The rounds immediately following the differential characteristic have a linear approximation defined, and we expect that for each chosen plaintext pair, the probability of the linear approximation holding for one chosen plaintext but not the other will be lower for the correct key. Hellman and Langford have shown that this attack can recover 10 key bits of an 8-round DES with only 512 chosen plaintexts and an 80% chance of success.

The attack was generalised by Eli Biham et al. to use differential characteristics with probability less than 1. Besides DES, it has been applied to FEAL, IDEA, Serpent, Camellia, and even the stream cipher Phelix.

References

• {{ cite journal | author-link = Johan Borst
• {{ cite conference | access-date = 2007-03-08 }}
• {{ cite conference | access-date = 2006-12-07 }}
• {{ cite conference | access-date = 2007-03-08 }}
• {{cite conference | access-date = 2007-03-08 | archive-date = 2008-08-20 | archive-url = https://web.archive.org/web/20080820065036/http://www.ecrypt.eu.org/stream/papersdir/2006/056.pdf | url-status = dead
• {{ cite conference