On the Distribution of Linear Biases: Three Instructive Examples

Executive Summary

Although very good block ciphers are evidently available today, some fundamental questions about their security remain unsolved. One such fundamental problem is to precisely assess the security of a given block cipher with respect to linear cryptanalysis. In the vast majority of cases, the analysis has to rely on (clearly wrong) assumptions, e.g., independent round keys. Besides being unsatisfactory from a scientific perspective, this lack of fundamental understanding might have an impact on the performance of the ciphers in use. Because the security is not understood well enough, a security margin is often embedded, which from an efficiency perspective is nothing other than wasted performance.

