The piling-up approximation in linear cryptanalysis

Author: Kukorelly, Z.; Signal & Inf. Process. Lab., Eidgenossische Tech. Hochschule, Zurich, Switzerland

One of the key identities in linear cryptanalysis is the piling-up lemma, which allows one to compute the probability distribution of a sum modulo 2 of binary random variables, when the probability that these are zero is known. However, the lemma holds only for independent random variables. In linear cryptanalysis, one often (mis)uses this identity without knowing whether the random variables are independent or not. This paper investigates the problems that may arise when using this identity for dependent random variables. In particular, it is shown that the identity holds in almost all cases if one replaces equality by an approximation sign. The amplitude of departure from equality is also given.

Published in: Information Theory, IEEE Transactions on (Volume: 47, Issue: 7)
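
The independence requirement stated in the abstract, as an added example that is not taken from the paper: it evaluates the standard piling-up formula against the exact probability computed from a joint distribution, once for independent bits and once for a dependent pair. The function names and both sample distributions are constructed for illustration.

```python
from itertools import product
from math import prod


def piling_up(p_zero):
    """Piling-up lemma: P(X1 ^ ... ^ Xn = 0) for independent bits,
    given the list of P(Xi = 0)."""
    n = len(p_zero)
    return 0.5 + 2 ** (n - 1) * prod(p - 0.5 for p in p_zero)


def marginals(joint, n):
    """P(Xi = 0) for each i, from a joint pmf {bit-tuple: probability}."""
    return [sum(pr for bits, pr in joint.items() if bits[i] == 0)
            for i in range(n)]


def exact_xor_zero(joint):
    """Exact P(X1 ^ ... ^ Xn = 0), summed directly over the joint pmf."""
    return sum(pr for bits, pr in joint.items() if sum(bits) % 2 == 0)


def independent_joint(p_zero):
    """Joint pmf of independent bits with the given P(Xi = 0)."""
    return {
        bits: prod(p if b == 0 else 1 - p for b, p in zip(bits, p_zero))
        for bits in product((0, 1), repeat=len(p_zero))
    }


def compare(joint, n):
    """Return (exact probability, lemma prediction from the marginals)."""
    return exact_xor_zero(joint), piling_up(marginals(joint, n))


# Constructed sample 1: three independent bits.
INDEP = independent_joint([0.75, 0.6, 0.9])

# Constructed sample 2: X2 is a copy of X1, so the bits are fully dependent.
# Each marginal is still P(Xi = 0) = 0.75, but X1 ^ X2 is always 0.
DEP = {(0, 0): 0.75, (1, 1): 0.25}

if __name__ == "__main__":
    for name, joint, n in (("independent", INDEP, 3), ("dependent", DEP, 2)):
        exact, lemma = compare(joint, n)
        print(f"{name:12s} exact={exact:.4f} lemma={lemma:.4f} "
              f"gap={exact - lemma:+.4f}")
```

For the independent sample the two values agree; for the dependent pair the formula is fed the same kind of marginals but misses the true probability, which is the misuse the abstract warns about.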