TL;DR I implemented some linear cryptanalysis in Ruby here.

The most referenced paper on linear cryptanalysis is Heys’s A Tutorial on Linear and Differential Cryptanalysis. The paper is fantastic, though as with most papers, there is no code or even pseudocode to solidify the algorithm concepts. After looking around, I did find another interesting source by King, with a bit of C code to boot, though the Toy Cipher example felt too simple. So I went ahead and implemented the more complex SPN Cipher described in Heys’s paper, as well as the linear cryptanalysis.

Conclusion: Yeah, Linear Cryptanalysis works on simple SPN Ciphers :)

The paper does lack a bit in one area: In section 3.4 “Constructing Linear Approximations for the Complete Cipher”, Heys chooses a path and does not really state why. He does start with a linear equation with high bias, but why choose Sbox(1,2)? Furthermore why the rest of the path?
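To make the numbers behind that path concrete, the following added example (not the code linked above and not from Heys's paper) builds the linear approximation table for the tutorial's S-box, lists the strongest single S-box approximations, and combines the four used in section 3.4 with the piling-up lemma. It assumes X1/Y1 is the most significant bit of each nibble; all function names are made up for this sketch.

```ruby
# Added example, not the post author's code. S-box values are those of the
# SPN in Heys's tutorial; bit 1 (X1/Y1) is assumed to be the most significant bit.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7].freeze

# Parity (XOR of all bits) of a small integer.
def parity(v)
  v.to_s(2).count('1') & 1
end

# Linear approximation table: lat[a][b] = #{x : a.x == b.S(x)} - 8.
def linear_approximation_table(sbox = SBOX)
  Array.new(16) do |a|
    Array.new(16) do |b|
      sbox.each_with_index.count { |y, x| parity(a & x) == parity(b & y) } - 8
    end
  end
end

# Bias of one S-box approximation as an exact fraction: lat / 16.
def bias(lat, a, b)
  Rational(lat[a][b], 16)
end

# Piling-up lemma: the bias of the XOR of n independent approximations
# is 2^(n-1) times the product of the individual biases.
def piling_up(biases)
  biases.reduce(Rational(1, 2)) { |acc, e| acc * 2 * e }
end

# All non-trivial (a, b) mask pairs with |lat| >= min_abs, strongest first.
def strong_approximations(lat, min_abs)
  (1..15).to_a.product((1..15).to_a)
         .map { |a, b| [a, b, lat[a][b]] }
         .select { |_, _, v| v.abs >= min_abs }
         .sort_by { |_, _, v| -v.abs }
end

LAT = linear_approximation_table
# Path from section 3.4: S12 uses X1^X3^X4 = Y2 (masks 0xB -> 0x4);
# S22, S32 and S34 each use X2 = Y2^Y4 (masks 0x4 -> 0x5).
PATH = [[0xB, 0x4], [0x4, 0x5], [0x4, 0x5], [0x4, 0x5]].freeze
PATH_BIAS = piling_up(PATH.map { |a, b| bias(LAT, a, b) })

if __FILE__ == $PROGRAM_NAME
  puts "path bias = #{PATH_BIAS}"
  strong_approximations(LAT, 4).each { |a, b, v| puts format('%X -> %X  %+d/16', a, b, v) }
end
```

Running it prints every mask pair at least as strong as the ones on the path, which is the candidate set a path search has to choose from.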

Also, I suppose it is implicit, but the paper does not state the final (and perhaps obvious) step, which is to repeat the process enough times with enough different paths to attain the final subkey, at which point the previous round’s subkey would be attained using the same methods, all the way down to the first round’s subkey.