piling-up lemma

In cryptanalysis, the piling-up lemma is a principle used in linear cryptanalysis to construct linear approximations to the action of block ciphers. It was introduced by Mitsuru Matsui (1993) as an analytical tool for linear cryptanalysis.

Theory

The piling-up lemma allows the cryptanalyst to determine the probability that the equality:

X_1\oplus X_2\oplus\cdots\oplus X_n=0

holds, where the X 's are binary variables (that is, bits: either 0 or 1). Let P(A) denote "the probability of event A happening". If it equals one, A is certain to happen, and if it equals zero, A cannot happen. First of all, we consider the piling-up lemma for two binary variables.

P(X_1 = i)=\left\lbrace\begin{matrix}p_1 & \hbox{for }i=0 \\ 1-p_1 & \hbox{for }i=1\end{matrix}\right.

P(X_2 = j)=\left\lbrace\begin{matrix}p_2 & \hbox{for }j=0 \\ 1-p_2 & \hbox{for }j=1\end{matrix}\right.

Now, we consider:

P(X_1 \oplus X_2 = 0)

Due to the properties of the xor operation, this is equivalent to

P(X_1=X_2)

X₁ = X₂ = 0 and X₁ = X₂ = 1 are mutually exclusive events, so we can say

P(X_1=X_2)=P(X_1=X_2=0) + P(X_1=X_2=1)=P(X_1=0, X_2=0) + P(X_1=1, X_2=1)

Now, we must make the central assumption of the piling-up lemma: the binary variables we are dealing with are independent; that is, the state of one has no effect on the state of any of the others. Thus we can expand the probability function as follows:

math>P(X_1 \oplus X_2 = 0)	$=P(X_1=0)P(X_2=0)+P(X_1=1)P(X_2=1)\$
\| $=p_1p_2 + (1-p_1)(1-p_2)\$
\| $=p_1p_2 + (1-p_1-p_2+p_1p_2)\$
\| $=2p_1p_2-p_1-p_2+1\$

Now we express the probabilities p₁ and p₂ as + ε₁ and + ε₂, where the ε's are the probability biases — the amount the probability deviates from .

math>P(X_1 \oplus X_2 = 0)	$=2(1/2+\epsilon_1)(1/2+\epsilon_2)-(1/2+\epsilon_1)-(1/2+\epsilon_2)+1\$
\| $=1/2+\epsilon_1+\epsilon_2+2\epsilon_1\epsilon_2-1/2-\epsilon_1-1/2-\epsilon_2+1\$
\| $=1/2+2\epsilon_1\epsilon_2\$

Thus the probability bias ε_1,2 for the XOR sum above is 2ε₁ε₂. This formula can be extended to more X 's as follows:

P(X_1\oplus X_2\oplus\cdots\oplus X_n=0)=1/2+2^{n-1}\prod_{i=1}^n \epsilon_i

Note that if any of the ε's is zero; that is, one of the binary variables is unbiased, the entire probability function will be unbiased — equal to .

Practice

In practice, the X's are approximations to the S-boxes (substitution components) of block ciphers. Typically, X values are inputs to the S-box and Y values are the corresponding outputs. By simply looking at the S-boxes, the cryptanalyst can tell what the probability biases are. The trick is to find combinations of input and output values that have probabilities of zero or one. The closer the approximation is to zero or one, the more helpful the approximation is in linear cryptanalysis. However, in practice, the binary variables are not independent, as is assumed in the derivation of the piling-up lemma. This consideration has to be kept in mind when applying the lemma; it is not an automatic cryptanalysis formula.

References

Mitsuru Matsui. Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 1993: 386-397

<< Previous

Word Browser

Next >>

benjamin ruggles
pavlovsky district
pechorsky district
pervomaysky district
general epistles
joseph kerr
petropavlovsky district
lupawa
carlos di sarli
petrovsky district
university of wrzburg

osvaldo pugliese
pochinkovsky district
aristotle university of thessaloniki
university of turku
juan d'arienzo
university of coimbra
university of lyon
francisco canaro
secretary jenny
prigorodny district
wolw

anbal troilo
new flyer
perpetual virginity of mary
roshnai gate
henry saari
university of granada
henry ian cusick
democratic globalization
bongwater
culmer white
sleepaway camp

michael buffer
release to manufacturing
john beradino
julian glover
ventral stream
brooke english
robin strasser
richard courant
croatia national football team
grandson
let's get ready to rumble!