Piling-up Lemma - Theory

Theory

The piling-up lemma allows the cryptanalyst to determine the probability that the equality:

holds, where the X 's are binary variables (that is, bits: either 0 or 1).

Let P(A) denote "the probability that A is true". If it equals one, A is certain to happen, and if it equals zero, A cannot happen. First of all, we consider the piling-up lemma for two binary variables, where and .

Now, we consider:

Due to the properties of the xor operation, this is equivalent to

X₁ = X₂ = 0 and X₁ = X₂ = 1 are mutually exclusive events, so we can say

Now, we must make the central assumption of the piling-up lemma: the binary variables we are dealing with are independent; that is, the state of one has no effect on the state of any of the others. Thus we can expand the probability function as follows:

Now we express the probabilities p₁ and p₂ as ½ + ε₁ and ½ + ε₂, where the ε's are the probability biases — the amount the probability deviates from ½.

Thus the probability bias ε_1,2 for the XOR sum above is 2ε₁ε₂.

This formula can be extended to more X 's as follows:

Note that if any of the ε's is zero; that is, one of the binary variables is unbiased, the entire probability function will be unbiased — equal to ½.

A related slightly different definition of the bias is in fact minus two times the previous value. The advantage is that now with

we have

adding random variables amounts to multiplying their (2nd definition) biases.