p. 9: "Since we may consider random variables X1+X2 and X2+X3
to be independent..."
- In fact, they are not, in general, independent and
the statement should more correctly read "If we treat random
variables X1+X2 and X2+X3 as if they were independent...". Only under very
strict conditions are they independent: bias of X1 = 0, bias of X3 = 0,
or bias of X2 = +/- 1/2. However, in practice, when applying the
linear attack, we "cheat" and assume that the Piling-Up Lemma
may be applied, as if X1+X2 and X2+X3 are independent, in order to
get an estimate of the bias of the overall linear approximation of the
cipher.
p. 21: The column under delta_X in Table 6 has some errors. The correct
values are 1101, 1110, 1011, 1101, 0111, 0110, 1011, 1111, 1101, 1110,
1011, 1101, 0111, 0110, 1011, 1111.