Des. Codes Cryptogr. (2009) 50:325–338 DOI 10.1007/s10623-008-9234-2 Provable security of block ciphers against linear cryptanalysis: a mission impossible? An experimental review of the practical security approach and the key equivalence hypothesis in linear cryptanalysis Gilles Piret · François-Xavier Standaert Received: 4 June 2007 / Revised: 31 July 2008 / Accepted: 4 August 2008 / Published online: 30 August 2008 © Springer Science+Business Media, LLC 2008 Abstract In this paper, we are concerned with the security of block ciphers against linear cryptanalysis and discuss the distance between the so-called practical security approach and the actual theoretical security provided by a given cipher. For this purpose, we present a number of illustrative experiments performed against small (i.e. computationally tractable) ciphers. We compare the linear probability of the best linear characteristic and the actual best linear probability (averaged over all keys). We also test the key equivalence hypothesis. Our experiments illustrate both that provable security against linear cryptanalysis is not achieved by present design strategies and the relevance of the practical security approach. Finally, we discuss the (im)possibility to derive actual design criteria from the intuitions underlined in these experiments. Keywords Symmetric cryptography · Block ciphers · Linear cryptanalysis Mathematics Subject Classification (2000) 94A60 1 Introduction The linear cryptanalysis [8, 14] is one of the most powerful attacks against block ciphers. However, although a number of commonly accepted strategies have been developed to pro- vide practical security against such adversaries (most famously, the wide-trail strategy [4] Communicated by P. Wild. F.-X. Standaert is a Postdoctoral researcher of the Belgian Fund for Scientific Research (FNRS). G. Piret (B ) Oberthur Card Systems, Nanterre, France e-mail: gilles.piret@gmail.com F.-X. Standaert Microelectronics Laboratory, UCL Crypto Group, Louvain-la-Neuve, Belgium 123