In cryptanalysis, the piling-up lemma is a principle used in linear cryptanalysis to construct linear approximations to the action of block ciphers.
It was introduced by Mitsuru Matsui (1993) as an analytical tool for linear cryptanalysis.
[1] The lemma states that the bias (deviation of the expected value from 1/2) of a linear Boolean function (XOR-clause) of independent binary random variables is related to the product of the input biases:[2] or where
the imbalance:[4][5] Conversely, if the lemma does not hold, then the input variables are not independent.
[6] The lemma implies that XOR-ing independent binary variables always reduces the bias (or at least does not increase it); moreover, the output is unbiased if and only if there is at least one unbiased input variable.
The piling-up lemma can be expressed more naturally when the random variables take values in
(mapping 0 to 1 and 1 to -1) then, by inspection, the XOR-operation transforms to a product: and since the expected values are the imbalances,
, the lemma now states: which is a known property of the expected value for independent variables.
For dependent variables the above formulation gains a (positive or negative) covariance term, thus the lemma does not hold.
In fact, since two Bernoulli variables are independent if and only if they are uncorrelated (i.e. have zero covariance; see uncorrelatedness), we have the converse of the piling up lemma: if it does not hold, the variables are not independent (uncorrelated).
The piling-up lemma allows the cryptanalyst to determine the probability that the equality: holds, where the X's are binary variables (that is, bits: either 0 or 1).
Now, we consider: Due to the properties of the xor operation, this is equivalent to X1 = X2 = 0 and X1 = X2 = 1 are mutually exclusive events, so we can say Now, we must make the central assumption of the piling-up lemma: the binary variables we are dealing with are independent; that is, the state of one has no effect on the state of any of the others.
This formula can be extended to more X's as follows: Note that if any of the ε's is zero; that is, one of the binary variables is unbiased, the entire probability function will be unbiased — equal to 1/2.
A related slightly different definition of the bias is
in fact minus two times the previous value.
The advantage is that now with we have adding random variables amounts to multiplying their (2nd definition) biases.
In practice, the Xs are approximations to the S-boxes (substitution components) of block ciphers.
By simply looking at the S-boxes, the cryptanalyst can tell what the probability biases are.
The trick is to find combinations of input and output values that have probabilities of zero or one.
However, in practice, the binary variables are not independent, as is assumed in the derivation of the piling-up lemma.
This consideration has to be kept in mind when applying the lemma; it is not an automatic cryptanalysis formula.