### What Is Linear Cryptanalysis?

Linear cryptanalysis is a known plaintext attack, in which the attacker studies probabilistic linear relations known as linear approximations between parity bits of the plaintext, the Ciphertext and the secrete key.

In this technique, the attacker obtains high probability approximations for the parity bit of the secrete key by analyzing the parity bits of the known plaintexts and ciphertexts. By use of several techniques such as the auxiliary technique, the attacker can extend the attack to find more bits of the secret key.

Linear cryptanalysis together with differential cryptanalysis are the most widely used attacks on block ciphers. The linear cryptanalysis technique was first discovered by Mitsuru Matsui who first applied it to the FEAL cipher.

There are usually two parts to linear cryptanalysis; the first is to construct linear equations relating to plaintext, Ciphertext and key bits that have a high bias; that is whose probabilities of holding are as close as possible to 0 0r 1. The second part is to use these linear equations in conjunction with known plaintext-ciphertext pairs to drive key bits.

### What is Differential Cryptanalysis?

Differential cryptanalysis can be described as a general form of cryptanalysis that is primarily applicable to block ciphers, cryptographic hash functions. In other words, it entails a careful analysis of how differences in information input can affect the resulting difference at the output.

In block cipher, differential analysis can be described as a set of techniques for tracing differences through the network of transformation, discovering where the cipher exhibits what is known as non-random behavior and exploiting such details to recover the secrete key (cryptography key).

For any particular cipher, the input difference must be
keenly selected for the attack to be successful. An analysis of the algorithm’s
internals is undertaken; the standard method is to trace a path of highly probable
differences through the various stages of encryption, referred to as *differential characteristic. *In the
process, observing the desired output difference between the two chosen or unknown
plaintext inputs suggests possible key values.

## Difference Between Linear and Differential Cryptanalysis In Tabular Form

Basis of comparison | Linear Cryptanalysis | Differential Cryptanalysis |

Description | Linear cryptanalysis is a known plaintext attack, in which the attacker studies probabilistic linear relations known as linear approximations between parity bits of the plaintext, the Ciphertext and the secrete key. | Differential cryptanalysis can be described as a general form of cryptanalysis that is primarily applicable to block ciphers, cryptographic hash functions. It entails a careful analysis of how differences in information input can affect the resulting difference at the output. |

Discovery | Linear cryptanalysis was first discovered by Matsui and Yamagishi in 1992. | Differential analysis was discovered by Israeli researchers Eli Biham and Adi Shamir. |

Focus | Linear cryptanalysis focuses on statistical analysis against one round of decrypted cipher text. | Differential analysis focuses on statistical analysis of two inputs and two outputs of a cryptographic algorithm. |

Role of The Attacker | In linear cryptanalysis, the role of the attacker is to identify the linear relation between some bits of the plaintext, some bits of the ciphertext and some bits of the unknown key. | In differential cryptanalysis, the role of the attacker is to analyze the changes in some chosen plaintexts and the difference in the outputs resulting from encrypting each one, it is possible to recover some of the key. |

Decryption | In linear cryptanalysis, the cryptanalyst decrypts each cipher using all possible sub keys for one round of encryption and studies the resulting intermediate cipher text to analyze the random results. | In differential cryptanalysis, the changes to the intermediate cipher text are obtained between multiple rounds of encryption. The attacks can be combined, and this can be referred to as differential-linear cryptanalysis. |