# Piling-up lemma

In cryptanalysis, the piling-up lemma is a principle used in linear cryptanalysis to construct linear approximations to the action of block ciphers. It was introduced by Mitsuru Matsui (1993) as an analytical tool for linear cryptanalysis.

Table of contents |

2 Practice 3 References |

## Theory

The piling-up lemma allows the cryptanalyst to determine the probability that the equality:

*X*'s are binary variables (that is, bits: either 0 or 1).

Let *P*(A) denote "the probability of event A happening". If it equals one, A is certain to happen, and if it equals zero, A cannot happen. First of all, we consider the piling-up lemma for two binary variables.

*X*

_{1}=

*X*

_{2}= 0 and

*X*

_{1}=

*X*

_{2}= 1 are mutually exclusive events, so we can say

**independent**; that is, the state of one has no effect on the state of any of the others. Thus we can expand the probability function as follows:

Now we express the probabilities *p*_{1} and *p*_{2} as 1/2 + ε_{1} and 1/2 + ε_{2}, where the ε's are the probability biases - the amount the probability deviates from 1/2.

Thus the probability bias ε_{1,2} for the XOR sum above is 2ε_{1}ε_{2}.

This formula can be extended to more *X* 's as follows:

## Practice

In practice, the*X*'s are approximations to the S-boxes (substitution components) of block ciphers. Typically,

*X*values are inputs to the S-box and

*Y*values are the corresponding outputs. By simply looking at the S-boxes, the cryptanalyst can tell what the probability biases are. The trick is to find combinations of input and output values that have probabilities of zero or one. The closer the approximation is to zero or one, the more helpful the approximation is in linear cryptanalysis.

However, in practice, the binary variables are not independent, as is assumed in the derivation of the piling-up lemma. This consideration has to be kept in mind when applying the lemma; it is not an automatic cryptanalysis formula.

## References

- Mitsuru Matsui. Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 1993: 386-397