If I remember Schneier's Applied Cryptography correctly, the NSA S-boxes were among the worst 7% possible.
I wonder what we would be saying about the NSA if we had (publicly) discovered linear cryptanalysis before differential. However, I suspect the vulnerability to linear analysis is the result of how structured they made it to resist differential.
Actually, the NSA S-boxes are weak against linear cryptanalysis. http://reference.kfupm.edu.sa/content/l/i/linear_cryptanalys...