Differential and linear cryptanalysis are two major generic techniques for assessing the strength of block ciphers. These techniques have various extensions which can improve the success in various cases. Along with Davies' attack, they form all the known shortcut attacks against the Data Encryption Standard. Today, I will show an extension that reduces the complexity of the best attack on DES to less than 2^42. DES consists of 16 rounds of permutations and arithmetic operations. The block size of DES is 64 bits and the key size is 56 bits. The main part of the round function is the F function. The F function works on the right half of the data. Then the output of the F function is XORed with the left half of the data, and the two halves are swapped before the next round. Let's take a deeper look at the F function. The F function expands 32 input bits to 48 bits, XORs them with the subkey and transforms the result by eight S-boxes. Each of the eight S-boxes transforms 6 input bits to 4 output bits using a non-linear transformation. Then the order of the resulting 32 bits is permuted to become the 32 output bits of the F function. Since the S-boxes are the only non-linear component, the attack is based on statistical linear relations of the S-boxes. For example, the best linear approximation of S5 approximates the second bit of the input by the XOR of the four output bits. The probability of this linear approximation is 12 divided by 64, as in 12 cases of the 64 possible inputs the parity of these bits is 0, and in 52 the parity is 1. Linear cryptanalysis uses statistical approximations that approximate the parity of subsets of bits of the plaintext, ciphertext and the subkey. In an ideal cipher, any linear equation involving plaintext bits, ciphertext bits and key bits holds with probability close to half when we consider all the plaintexts in the plaintext space and the corresponding ciphertexts.
Linear cryptanalysis takes advantage of the fact that some linear approximations have probabilities different from half. Each approximation has a probability to hold, which is the fraction of plaintexts whose encryption satisfies the approximation. The ability to distinguish whether an approximation holds highly depends on the distance of the probability from half. We call this distance the bias of the approximation. A linear approximation is a tuple (λP, λC, λK), where λP is a subset of bits of the plaintext, λC is a subset of bits of the ciphertext and λK is a subset of bits of the key. The probability of the approximation is the probability that the parity of these subsets of bits is equal to 0. The bias of the approximation is equal to the probability minus half. We are usually interested in approximations with the highest absolute value of the bias. Algorithm 1 finds the parity bit of the key bits involved in the approximation. Given that the approximation holds with probability half plus epsilon, and N plaintexts and their corresponding ciphertexts, the algorithm counts the number M of plaintexts satisfying P·λP XOR C·λC = 0. The algorithm guesses the parity of the key bits involved in the approximation. For example, if epsilon is greater than 0 and M is greater than N/2, the algorithm guesses that the parity of the key bits is 0. This algorithm finds only one parity bit of the key. The success rate of the algorithm grows as the absolute value of the bias increases. In particular, the amount of plaintexts required for this attack is proportional to 1 over the bias squared. In order to attack the full 16-round DES, Matsui uses the best 14-round approximation, as we can see in this slide. Matsui uses Algorithm 2 to find the parity bit of the key bits involved in the approximation, same as in Algorithm 1, as well as bits of the first and last subkeys.
The attack requires about 2^43 known plaintexts and also time of analysis. We developed an extension of linear cryptanalysis that conditions linear approximations on other linear approximations. We use conditions to discard some of the data, so the bias of the remaining data increases or decreases. As the number of required known plaintexts is proportional to 1 over the bias squared, discarding some of the data may improve the number of needed known plaintexts. Conditions can be defined by any observable information: plaintext bits, ciphertext bits, and formulas on them. In the case of Feistel ciphers, we found a specific type of conditions that is highly based on their specific structure. In particular, we refer to bits that are the XOR of the outputs of the F function of the odd rounds, which are computable from the plaintext and the ciphertext. In this example, we can see that PL, the left half of the plaintext, XOR Y1, the output of the F function in the first round, is equal to CR, the left half of the ciphertext. Therefore, we can calculate the XOR of the outputs of the F function in all the odd rounds from the left half of the plaintext and the right half of the ciphertext. It is important to emphasize that this information on the XOR values is not probabilistic, unlike the situation in a general linear approximation. Such XOR bits, when viewed as linear approximations, typically have bias zero, but they are very useful as conditions on other approximations. I start with an example of such a linear dependency with a single active S-box. As mentioned earlier, this is the best non-trivial linear approximation, and the bias of this linear approximation is 12 divided by 64. In the case of a single round, we can compute the output of the F function from the plaintext and the ciphertext. The output of the F function is equal to the left half of the plaintext XOR the left half of the ciphertext.
In this table, we calculated the bias of the linear approximation, conditioning on all the four output bits of S5. It is an important and unexpected observation that only one of the 12 parity-zero cases satisfies LSB equal one. These are the red cases in this table, while the other 11 satisfy LSB equal zero. The bias of the approximation without any condition is minus 20 divided by 64: in 12 cases the parity is zero, and in 52 the parity is one. When conditioning on LSB equals zero, in 11 cases the parity is zero and in 21 the parity is one, and when conditioning on LSB equals one, the red cases, in one case the parity is zero and in 31 the parity is one. So consider only encryptions in which the LSB is one. In this half of the data, the bias grows from minus 20 divided by 64 to minus 30 divided by 64, while the bias of the rest of the data reduces to minus 10 divided by 64. We will exemplify this with a scan from Adi Shamir's Crypto paper. On the left side of the vertical line appear all the outputs where the second bit of the input is zero, and on the right side of the line all the outputs where the second bit of the input is one. Shamir circled the values with an even parity of the four output bits. Therefore, on the left side he circled the outputs which satisfy the parity approximation, and on the right side he circled the outputs which do not satisfy the parity approximation. The blue cases are the cases that satisfy the approximation, and we can see that only one of the blue cases is odd. Therefore, we see that when we condition on the odd cases, in which LSB equals one, we get one value against 31. It's not only that we can do it for a single round; we can extend conditional approximations to more than one round. In this case, we show it on four rounds. So consider four successive rounds taken from Matsui's best linear approximation. This approximation uses three active S-boxes: S5 on the first and third rounds, and S1 on the first round.
Notice that both odd rounds have the same active S-box, and that we can calculate the XOR of the outputs of S5 in all the odd rounds from the plaintext and the ciphertext. So what we are going to do is condition the bias of the linear approximation on these XOR values. In this table, we calculated the bias of the linear approximation conditioning on all the four XOR output bits of S5. We can see that in the case that the XOR of the LSBs of the outputs of S5 is equal to one, the bias of the linear approximation is zero. These are the red cases in the table. So using only the plaintexts in which the XOR of the LSBs is equal to zero increases the bias by a factor of two. So we need a quarter of the data compared to the regular linear attack with the same approximation, but this is the amount of data that remains after we discard half. So in total, we need half of the original data. We discard the plaintexts in which the XOR of the LSBs is equal to one, and then we get the required quarter. The same factor of saving holds for an 8-round reduced DES. The same factor of saving holds for a 12-round reduced DES. And the same factor of saving holds for the full 16-round DES, but this is not the best attack on the full DES. As mentioned earlier, in order to attack the full 16-round DES, Matsui uses the best 14-round approximation, denoted here by λ1. In this approximation, S5 is active in all the odd rounds, so we can do here the same. In this table, we calculated the bias of λ1, conditioning on all the four XOR output bits of S5. The bias of λ1, when conditioned on LSB equal one, the red cases in the table, is improved by a small factor. So using this conditional linear approximation, we can save 12% over Matsui's attack. But we want to save more. So our attack is based on two 14-round linear approximations.
λ1 is the best 14-round linear approximation, the same as Matsui uses, and λ2 differs from λ1 in the first round. Notice that S5 is active in all the odd rounds in both linear approximations. In these tables, we calculated the bias of λ1 and λ2, conditioning on all the four XOR output bits of S5. In the case of λ1, the average bias of the red entries with XOR LSB equal to one is greater than the average bias of the entries with XOR LSB equal to zero. In the case of λ2, the average bias of the red entries with XOR LSB equal to zero is greater than the average bias of the entries with XOR LSB equal to one. So the bias of λ1, when conditioned on LSB equal to one, is improved by a factor of 2^0.6. The bias of λ2, which was much worse than the bias of λ1, is improved by a higher factor of 2^0.8. So the biases are almost similar after the improvement. In practice, in our attack, we use these two conditional linear approximations in a complex way. So in total, we can improve the complexity of the attack by a factor of about two. We tested most techniques with our test programs, and we can see in these graphs all the attacks against the Data Encryption Standard. This is the success rate of the attack and this is the complexity of the attack, I mean the maximum between the number of needed plaintexts and the time of analysis. The brown curve is differential cryptanalysis, the orange one is linear cryptanalysis and the red one is conditional linear cryptanalysis. Between the orange and the red curve, we can see extensions of linear cryptanalysis. To summarize, in this talk, we showed that linear approximations are highly affected by conditioning them on other approximations. We showed how to use such conditional approximations for attacks, leading to the best current attack against the Data Encryption Standard.
The simplest case is conditioning linear approximations on the XOR of the outputs of the F function in all the odd rounds. We showed that even using a single conditional linear approximation, we can save 12% over Matsui's attack. Using both conditional linear approximations leads to an attack against DES with complexity less than 2^42. Thank you.

Any questions for Stav?

Thank you for the talk. I just wonder if your method can be applied to other ciphers than DES, for example SPN ciphers.

In the case of SPN ciphers, we can condition linear approximations on any other linear approximations, and we can gain improvement in the bias in some cases.

Any kind of linear approximation?

More questions? Actually, I have one. Did you try to do an experimental verification of your attack?

Of course. The graph we saw was experimentally tried.

That's real data?

Yes.

Thank you. More questions? If not, let's thank Stav again. Thank you.
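The single-S-box conditioning from the talk (the second input bit of S5 versus the XOR of its four output bits, conditioned on the LSB of the S5 output) can be recomputed from the public S5 table. The Python below is an added example and not code from the talk or the paper; it assumes the standard DES S5 table, Matsui's input/output masks for that approximation, and the talk's data-complexity model (known plaintexts proportional to 1/bias², divided by the fraction of data kept).

```python
# DES S5, copied from the standard (FIPS 46) table; the only data needed here.
S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]

IN_SECOND_BIT = 0x10   # second-from-left of the 6 input bits (Matsui's mask 16)
OUT_ALL_FOUR = 0xF     # XOR of all four output bits (Matsui's mask 15)
OUT_LSB = 0x1          # the condition used in the talk: LSB of the S5 output

def s5(x):
    """S5 lookup as in DES: outer input bits pick the row, middle four the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return S5[row][col]

def parity(v):
    return bin(v).count("1") & 1

def conditional_bias(in_mask, out_mask, cond_mask=0, cond_value=0):
    """Bias of the approximation  x.in_mask XOR S5(x).out_mask = 0  over the
    inputs whose output satisfies  S5(x).cond_mask == cond_value.
    Returns (parity-zero count, inputs kept, bias = count/kept - 1/2)."""
    zeros = kept = 0
    for x in range(64):
        y = s5(x)
        if parity(y & cond_mask) != cond_value:
            continue                      # discarded by the condition
        kept += 1
        if parity(x & in_mask) ^ parity(y & out_mask) == 0:
            zeros += 1
    return zeros, kept, zeros / kept - 0.5

def relative_data_cost(bias_all, bias_kept, kept_fraction):
    """Known plaintexts needed with the condition, relative to without it,
    using the talk's model: data ~ 1/bias^2, then divided by the fraction kept."""
    return (bias_all / bias_kept) ** 2 / kept_fraction

if __name__ == "__main__":
    z, n, b_all = conditional_bias(IN_SECOND_BIT, OUT_ALL_FOUR)
    print(f"unconditioned: {z}/{n} parity zero, bias {b_all * 64:+.0f}/64")
    for v in (0, 1):
        z, n, b = conditional_bias(IN_SECOND_BIT, OUT_ALL_FOUR, OUT_LSB, v)
        print(f"LSB={v}: {z}/{n} parity zero, bias {b * 64:+.0f}/64")
    print(f"data needed when keeping LSB=1 only: {relative_data_cost(b_all, b, 0.5):.3f}x")
```

Running it reproduces the talk's table entries (12 of 64 parity-zero cases, bias -20/64; 11 of 32 with LSB=0, bias -10/64; 1 of 32 with LSB=1, bias -30/64) and shows that keeping only the LSB=1 half costs about 8/9 of the original data under the 1/bias² model.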