Universite Bordeaux 1
In this paper, the authors mainly focused on the experimental review of a number of important assumptions used in linear cryptanalysis and its extensions. It highlights the difficulty of predicting the statistical behavior of a block cipher as its number of rounds increases, both for adversaries trying to exploit key-dependent biases, and for designers trying to accurately predict security bounds. As a consequence, the authors' experiments confirm a tension between the practical and provable security approaches for designing block ciphers. They recall that security against linear cryptanalysis attacks is mainly due to the difficulty to find good approximations, and to their key dependency.