In this paper we analyze the security of
using a technique that combines differential and linear cryptanalysis. This technique is different from differential-linear cryptanalysis. We use linear approximations to increase the probability of differential characteristics. We show that specific choices of some of the key bits give rise to a certain differential characteristic probability, which is far higher than the best characteristic probability claimed by the designers. We give the underlying mechanism of this probability increase. We have developed attacks on 29 and 31 rounds of
for 4.54% and 0.036% of the keys, respectively. Moreover, we have implemented the proposed attack algorithm on 20 rounds of the cipher.