en>Rgdboer: lk union (set theory)

2012-09-01T21:04:00Z

lk union (set theory)

New page

{{refimprove|date=February 2009}}
In [[cryptanalysis]], the '''piling-up lemma''' is a principle used in [[linear cryptanalysis]] to construct [[linear approximation]] to the action of [[block cipher]]s. It was introduced by [[Mitsuru Matsui]] (1993) as an analytical tool for linear cryptanalysis.

==Theory==
The piling-up lemma allows the cryptanalyst to determine the [[probability]] that the equality:

:<math>X_1\oplus X_2\oplus\cdots\oplus X_n=0</math>

holds, where the ''X'' 's are [[binary variable]]s (that is, bits: either 0 or 1).

Let ''P''(A) denote "the probability that A is true". If it equals [[probability one|one]], A is certain to happen, and if it equals zero, A cannot happen. First of all, we consider the piling-up lemma for two binary variables, where <math>P(X_1 = 0)=p_1</math> and <math>P(X_2 = 0)=p_2</math>.

Now, we consider:

:<math>P(X_1 \oplus X_2 = 0)</math>

Due to the properties of the [[xor]] operation, this is equivalent to

:<math>P(X_1=X_2)</math>

''X''1 = ''X''2 = 0 and ''X''1 = ''X''2 = 1 are [[mutually exclusive events]], so we can say

:<math>P(X_1=X_2)=P(X_1=X_2=0) + P(X_1=X_2=1)=P(X_1=0, X_2=0) + P(X_1=1, X_2=1)</math>

Now, we must make the central assumption of the piling-up lemma: the binary variables we are dealing with are '''[[Dependent and independent variables|independent]]'''; that is, the state of one has no effect on the state of any of the others. Thus we can expand the probability function as follows:

{|
|-
|<math>P(X_1 \oplus X_2 = 0)</math>
|<math>=P(X_1=0)P(X_2=0)+P(X_1=1)P(X_2=1)\ </math>
|-
|
|<math>=p_1p_2 + (1-p_1)(1-p_2)\ </math>
|-
|
|<math>=p_1p_2 + (1-p_1-p_2+p_1p_2)\ </math>
|-
|
|<math>=2p_1p_2-p_1-p_2+1\ </math>
|}

Now we express the probabilities ''p''1 and ''p''2 as ½ + ε1 and ½ + ε2, where the ε's are the probability biases — the amount the probability deviates from ½.

{|
|-
|<math>P(X_1 \oplus X_2 = 0)</math>
|<math>=2(1/2+\epsilon_1)(1/2+\epsilon_2)-(1/2+\epsilon_1)-(1/2+\epsilon_2)+1\ </math>
|-
|
|<math>=1/2+\epsilon_1+\epsilon_2+2\epsilon_1\epsilon_2-1/2-\epsilon_1-1/2-\epsilon_2+1\ </math>
|-
|
|<math>=1/2+2\epsilon_1\epsilon_2\ </math>
|}

Thus the probability bias ε1,2 for the XOR sum above is 2ε1ε2.

This formula can be extended to more ''X'' 's as follows:

:<math>P(X_1\oplus X_2\oplus\cdots\oplus X_n=0)=1/2+2^{n-1}\prod_{i=1}^n \epsilon_i</math>

Note that if any of the ε's is zero; that is, one of the binary variables is unbiased, the entire probability function will be unbiased — equal to ½.

A related slightly different definition of the bias is
<math> \epsilon_i = P(X_i=1) - P(X_i=0),</math>
in fact minus two times the previous value. The advantage is that now with

<math>\varepsilon_{total}= P(X_1\oplus X_2\oplus\cdots\oplus X_n=1)- P(X_1\oplus X_2\oplus\cdots\oplus X_n=0)</math>

we have

:<math>\varepsilon_{total}=(-1)^{n+1}\prod_{i=1}^n \varepsilon_i,</math>

adding random variables amounts to multiplying their (2nd definition) biases.

==Practice==
In practice, the ''X''<nowiki></nowiki>s are approximations to the [[S-box]]es (substitution components) of block ciphers. Typically, ''X'' values are inputs to the S-box and ''Y'' values are the corresponding outputs. By simply looking at the S-boxes, the cryptanalyst can tell what the probability biases are. The trick is to find combinations of input and output values that have probabilities of zero or one. The closer the approximation is to zero or one, the more helpful the approximation is in linear cryptanalysis.

However, in practice, the binary variables are not independent, as is assumed in the derivation of the piling-up lemma. This consideration has to be kept in mind when applying the lemma; it is not an automatic cryptanalysis formula.

==References==
* Mitsuru Matsui. Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 1993: 386-397

{{Cryptography navbox | block}}

[[Category:Cryptographic attacks]]
[[Category:Lemmas]]

Hyperplane at infinity - Revision history

en>Rgdboer: lk union (set theory)