With N key bits, there are 2^N different subsets of key bits. If you fix a plaintext, then each ciphertext bit is an N-to-1 boolean function. Is there any way to show that there is no subset of key bits whose parity is a good linear approximation of the function? -- Mike Stay Cryptographer / Programmer AccessData Corp. mailto:[EMAIL PROTECTED]
