FACTOID # 29: Qataris have lots and lots of gas.
 
 Home   Encyclopedia   Statistics   Countries A-Z   Flags   Maps   Education   Forum   FAQ   About 
 
WHAT'S NEW
RECENT ARTICLES
More Recent Articles »
 

FACTS & STATISTICS    Simple view

  1. Select countries to view: (hold down Control key and click to select several)

     

     

    Compare:

     

     
  1. Select fact or statistic: (* = graphable)

     

     

     

  2. (OPTIONAL) Compare to statistic: (both need to be graphable)

     

     

     

  3. View result as:

     

       
(OR) SEARCH ALL encyclopedia, stats & forums:   

Encyclopedia > Piling up lemma

In cryptanalysis, the piling-up lemma is a principle used in linear cryptanalysis to construct linear approximations to the action of block ciphers. It was introduced by Mitsuru Matsui (1993) as an analytical tool for linear cryptanalysis.


Theory

The piling-up lemma allows the cryptanalyst to determine the probability that the equality:

holds, where the X 's are binary variables (that is, bits: either 0 or 1).


Let P(A) denote "the probability of event A happening". If it equals one, A is certain to happen, and if it equals zero, A cannot happen. First of all, we consider the piling-up lemma for two binary variables.

Now, we consider:

Due to the properties of the xor operation, this is equivalent to

P(X1 = X2)

X1 = X2 = 0 and X1 = X2 = 1 are mutually exclusive events, so we can say

P(X1 = X2) = P(X1 = X2 = 0) + P(X1 = X2 = 1) = P(X1 = 0,X2 = 0) + P(X1 = 1,X2 = 1)

Now, we must make the central assumption of the piling-up lemma: the binary variables we are dealing with are independent; that is, the state of one has no effect on the state of any of the others. Thus we can expand the probability function as follows:


Now we express the probabilities p1 and p2 as ½ + ε1 and ½ + ε2, where the ε's are the probability biases — the amount the probability deviates from ½.


Thus the probability bias ε1,2 for the XOR sum above is 2ε1ε2.


This formula can be extended to more X 's as follows:

Note that if any of the ε's is zero; that is, one of the binary variables is unbiased, the entire probability function will be unbiased — equal to ½.


Practice

In practice, the X's are approximations to the S-boxes (substitution components) of block ciphers. Typically, X values are inputs to the S-box and Y values are the corresponding outputs. By simply looking at the S-boxes, the cryptanalyst can tell what the probability biases are. The trick is to find combinations of input and output values that have probabilities of zero or one. The closer the approximation is to zero or one, the more helpful the approximation is in linear cryptanalysis.


However, in practice, the binary variables are not independent, as is assumed in the derivation of the piling-up lemma. This consideration has to be kept in mind when applying the lemma; it is not an automatic cryptanalysis formula.


References

  • Mitsuru Matsui. Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 1993: 386-397


Block ciphers edit  (http://en.wikipedia.org/w/index.php?title=Template:Block_ciphers&action=edit)
Algorithms: 3-Way | AES | Akelarre | Blowfish | Camellia | CAST-128 | CAST-256 | CMEA | DEAL | DES | DES-X | FEAL | FROG | G-DES | GOST | ICE | IDEA | Iraqi | KASUMI | KHAZAD | Khufu and Khafre | LOKI89/91 | LOKI97 | Lucifer | MacGuffin | Madryga | MAGENTA | MARS | MISTY1 | MMB | NewDES | RC2 | RC5 | RC6 | REDOC | Red Pike | S-1 | SAFER | SEED | Serpent | SHACAL | SHARK | Skipjack | Square | TEA | Triple DES | Twofish | XTEA
Design: Feistel network | Key schedule | Product cipher | S-box | SPN   Attacks: Brute force | Linear / Differential cryptanalysis | Mod n | XSL   Standardisation: AES process | CRYPTREC | NESSIE   Misc: Avalanche effect | Block size | IV | Key size | Modes of operation | Piling-up lemma | Weak key

  Results from FactBites:
 
Piling-up lemma - Wikipedia, the free encyclopedia (376 words)
In cryptanalysis, the piling-up lemma is a principle used in linear cryptanalysis to construct linear approximations to the action of block ciphers.
Now, we must make the central assumption of the piling-up lemma: the binary variables we are dealing with are independent; that is, the state of one has no effect on the state of any of the others.
However, in practice, the binary variables are not independent, as is assumed in the derivation of the piling-up lemma.
List of lemmas - Wikipedia, the free encyclopedia (80 words)
This following is a list of lemmas (or, "lemmata", i.e.
See also list of theorems and list of conjectures.
Poincaré lemma of closed and exact differential forms (differential forms)
  More results at FactBites »


 

COMMENTARY     


Share your thoughts, questions and commentary here
Your name
Your comments
Please enter the 5-letter protection code

Want to know more?
Search encyclopedia, statistics and forums:
 


Lesson Plans | Student Area | Student FAQ | Reviews | Press Releases |  Feeds | Contact
The Wikipedia article included on this page is licensed under the GFDL.
Images may be subject to relevant owners' copyright.
All other elements are (c) copyright NationMaster.com 2003-5. All Rights Reserved.
Usage implies agreement with terms.