Differential & Linear Cryptanalysis
- Differential and linear cryptanalysis are key techniques that exploit biases in difference propagation and linear approximations to evaluate symmetric-key ciphers.
- Automated search methods using MILP and SAT solvers enable precise modeling of S-box behaviors and efficient identification of high-probability trails.
- Quantum enhancements, including amplitude amplification and CHSH-game strategies, reduce data complexity and broaden the scope of cryptanalytic attacks.
Differential and linear cryptanalysis are foundational methodologies for evaluating the security of symmetric-key ciphers, particularly block ciphers. Differential cryptanalysis exploits statistical biases in the propagation of input differences through cryptographic functions, while linear cryptanalysis uses linear approximations to predict output bits from input bits with biases above random chance. The evolution of these attacks has led to sophisticated variants, cross-analysis techniques—such as differential-linear cryptanalysis—and quantum generalizations. Recent mathematical and algorithmic advancements have sharpened these tools, broadened their scope, and elucidated the structural properties of functions resisting such attacks.
1. Differential Cryptanalysis: Theory and Methodology
Differential cryptanalysis examines how differences in plaintext pairs are transformed through the cipher to differences in ciphertext. Let be a (vectorial) Boolean function or S-box. The classical differential distribution table (DDT) records, for each input difference and output difference , the count
and the differential uniformity governs the maximum possible statistical bias for any input-output difference pair (Bartoli et al., 2022). Attackers construct differentials—input differences likely to result in output differences —and use resulting biases to mount distinguishers or recover key bits.
In modern block ciphers, propagation characteristics of nonlinear layers (e.g., S-boxes) are typically modeled with Boolean functions, and the path-finding for high-probability differential trails is often handled using Mixed-Integer Linear Programming (MILP). MILP constraints capture the feasible propagations based on S-box DDTs and model full cipher layers via wiring or permutation constraints. Optimizations include selecting minimal cutsets of inequalities modeling the S-box hull, reducing computational effort while maintaining analytical sharpness. Moreover, techniques exist to automatically enumerate impossible differentials—input/output difference pairs that can never be realized—facilitating powerful key-recovery methods (Pal et al., 2024).
Generalizations such as -differential cryptanalysis capture a broad class of potential biases by considering derivatives of the form . For most low-degree , the 0-differential uniformity reaches its maximal value for all but 1 exceptions in 2 (Bartoli et al., 2022). As such, most low-degree S-boxes inherently exhibit some large differential biases under this generalization, which can make them vulnerable in broader attack models.
2. Linear Cryptanalysis: Foundations and Enhancements
Linear cryptanalysis seeks linear masks 3 such that the correlation
4
is significantly biased from 5 for a block cipher 6. The bias 7 is detected via known-plaintext analysis. Classical linear attacks, such as Matsui's Algorithms 1 and 2, recover key bits by accumulating statistics over the biased linear approximations and partial decryptions (Kaplan et al., 2015). The data complexity for distinguishers is typically 8.
Linear biases are measured and bounded using the linear approximation table (LAT) and, in more advanced frameworks, by autocorrelation spectra. In practice, tools such as MILP have also been adapted to search for linear trails by encoding feasible mask-propagations and maximizing signed correlations (Pal et al., 2024, Chen et al., 4 Dec 2025). Gaps or errors in cipher specification—for example, incorrect modeling of mask propagation through linear layers—can significantly overstate resistance, as highlighted by recent corrections in Gleeok-128’s security analysis (Chen et al., 4 Dec 2025).
Quantum and post-quantum variants improve on data or time complexities by employing amplitude amplification or Grover’s search for faster counting and filtering over candidate keys or data samples (Kaplan et al., 2015). Moreover, quantum strategies can, in special cases, enable entanglement-based "bias amplification" for linear approximations, as realized through embedding the Clauser-Horne-Shimony-Holt (CHSH) game within the logic of classical ciphers. This embedding allows the bias in linear approximations to increase from 9 classically to approximately 0 quantumly, effectively halving the required data complexity for attacks on certain structures such as the SIMON cipher (Maitra et al., 2021).
3. Differential-Linear Cryptanalysis and the DLCT Framework
Differential-linear (DL) cryptanalysis is a hybrid attack that combines an initial differential trail with a linear approximation over the remaining rounds. Its effectiveness is governed by a new metric: the Differential-Linear Connectivity Table (DLCT) introduced by Bar-On et al. The DLCT 1, for a function 2, measures the correlation between a one-round input difference 3 and a subsequent application of a linear mask 4, with entries
5
or equivalently (via autocorrelation)
6
(Canteaut et al., 2019, Li et al., 2019, Xie et al., 2 Aug 2025). The differential-linear uniformity (DLU) is the maximum absolute value of any off-zero entry, governing the worst-case joint differential-linear bias.
DLCTs bridge difference propagation and linear correlation, providing a nuanced measure of combined attack resistance. A small DLU indicates that there are no strong pairs 7 capable of yielding both high-probability differentials and high-bias linear approximations, thus blocking the classical differential-linear attack strategy.
Structural properties link DLCTs to the Walsh spectrum, DDT, and autocorrelation. For specific function classes:
- Quadratic permutations have DLUs divisible by 8
- APN functions have minimal DLUs
- S-boxes with optimal DDT and linearity also exhibit low DLU, as exhaustively cataloged for 4–bit S-boxes (Canteaut et al., 2019)
Algebraic constructions now exist for functions achieving low DLU, including cubic monomials, Dillon-type exponents, and cyclotomic modifications of known optimal S-boxes; these match or nearly match the theoretical optima for DLU (Xie et al., 2 Aug 2025).
4. Automated Search Methods and MILP/SAT Approaches
Automated search frameworks leveraging MILP and, in advanced settings, SAT solvers are now the standard for constructing and analyzing differential and linear attacks:
- MILP models encode S-box constraints (using reduced sets of inequalities to minimize solver workload), exact XOR parity constraints for the linear layer, and wiring/permutation for full cipher rounds (Pal et al., 2024).
- Objective functions are set as minimization of the number of active S-boxes (for differential bounds) or maximization/minimization of correlation for linear or DL trails.
- For differential-linear attacks, two-stage MILP frameworks separate the search into a high-probability differential prefix, a single DLCT stage, and a high-correlation linear suffix, thereby optimizing the overall bias in the combined attack (Chen et al., 4 Dec 2025).
Key optimizations include the Greedy Random-Tiebreaker and Subset-Addition algorithms for minimizing S-box hull inequalities (Pal et al., 2024), reducing computational burden orders of magnitude relative to naive enumeration.
Case studies on lightweight ciphers (e.g., Lilliput, GIFT64, SKINNY64, Klein, MIBS) demonstrate that these tools can efficiently enumerate all impossible differentials up to boundaries set only by the exponential search space (Pal et al., 2024). For multi-branch ciphers such as Gleeok-128, branch-wise MILP models can be glued together, with correct mask-sharing constraints, to analyze full-cipher DL distinguishers (Chen et al., 4 Dec 2025).
5. Quantum and Post-Quantum Perspectives
Quantum algorithms provide polynomial speed-ups for many differential and linear attacks but do not achieve the exponential speed-ups seen against public-key cryptosystems (such as those obtained by Shor’s algorithm). Specifically, for simple differential or linear distinguishers, data complexities drop from 9 classically to 0 quantumly via quantum amplitude amplification (Grover-type search). For truncated differential attacks, only cubic-root speed-ups can be achieved due to the use of collision-finding algorithms (Kaplan et al., 2015).
The CHSH-game embedding in linear cryptanalysis offers an alternative quantum-inspired approach: replacing classical AND gates with subcircuits mimicking quantum strategies, resulting in increased linear or differential bias for certain Feistel rounds (Maitra et al., 2021). This bias amplification is distinct from the standard quadratic speed-ups and is achieved via nonlocal correlations.
Quantum cryptanalysis also prompts the reevaluation of security margins: the best classical attack may not yield the best quantum attack, and vice versa (e.g., case studies on LAC and KLEIN ciphers) (Kaplan et al., 2015). The Q1 model (quantum computation, classical queries) and Q2 model (quantum computation and quantum superposition queries) offer distinct attack surfaces, and quantum-resilience is stricter for Q2.
The Bernstein-Vazirani algorithm provides further avenues for quantum search of linear structures, high-probability differentials, small-probability differentials, and impossible differentials, all in polynomial time in the domain size (Xie et al., 2017). This unification contrasts with the combinatorial or exponential complexity in classical settings.
6. Advanced Structural Results and S-Box Design
The DLCT framework and associated lower bounds on DLU have spurred new lines of research into S-box and 1-function design:
- New infinite classes of cubic and Dillon-type monomials with provably small DLU have been constructed by detailed analysis of exponential sums, kernel bounds, and cyclotomic mappings (Xie et al., 2 Aug 2025).
- Pointwise and cyclotomic modifications of known optimal S-boxes (e.g., the inverse on 2, Kasami exponents) typically preserve low DLU, expanding the design space for differentially-linear-robust components.
- Explicit DLCT and DLU spectra have been computed for all optimal 4–bit S-boxes under affine equivalence, highlighting the tight range of possible maximal biases (Canteaut et al., 2019, Li et al., 2019).
The DLCT is not invariant under CCZ equivalence but is under affine equivalence. This is crucial for constructing or validating new S-boxes or permutations: functions may have optimal differential uniformity and nonlinearity but still be suboptimal against differential-linear attacks if DLU is not minimal.
7. Practical Impact, Limitations, and Future Directions
Differential and linear cryptanalysis, together with their modern enhancements—differential-linear methods, MILP/SAT-based trail construction, and quantum/post-quantum variants—remain the central tools for evaluating block cipher security. Recent trends include:
- Integration of DLCT-based analysis into cipher evaluation workflows, especially for ciphers or modes susceptible to combined attacks (Xie et al., 2 Aug 2025, Chen et al., 4 Dec 2025).
- Automated toolchains for MILP-based enumeration of (im)possible differentials, integrals, and high-bias linear or DL trails, with case-study validations on multiple modern ciphers (Pal et al., 2024, Chen et al., 4 Dec 2025).
- Security proofs and benchmarks adjusted for quantum models, including entanglement-enabled bias amplification (Maitra et al., 2021, Kaplan et al., 2015).
- Open problems concerning the simultaneous optimization of DLU and other cryptographic metrics (nonlinearity, boomerang uniformity), construction of APN-like permutations with minimal DLU, and extension of cyclotomic mapping strategies for tailored S-box construction (Xie et al., 2 Aug 2025, Canteaut et al., 2019).
- Quantum techniques for systematically uncovering all differentiable or linearly biased structures (not just the highest-probability ones) in cryptographic mappings (Xie et al., 2017).
A plausible implication is that, as analytical and search methodologies advance, cryptographic designs must increasingly balance a growing list of statistical and structural criteria, including resistance to differential, linear, and differential-linear attacks, both in classical and quantum-adversarial models. MILP, SAT, and quantum-accelerated frameworks are now requisite for comprehensive evaluation and validation in modern symmetric cipher design.