How does Linear Cryptanalysis work?
In general, linear cryptanalysis consists of two steps.
💡 Step 1: Create a linear equation.
The first step is to create linear equations with a significant bias related to plaintext, ciphertext, and secret key bits, meaning that their probability of holding is as close as possible to 0 or 1.
💡 Step 2: Drive secret key bits.
The second step is that these linear equations be used to drive secret key bits along with known plaintextciphertext combinations.
Example
Consider a knownplaintext attack in which the attacker has a large collection of plaintextciphertext pairings that are all encrypted with the same secret key K. We will start by employing all potential secret keys for the last round of the cypher to decrypt the ciphertext for each pair of plaintext and ciphertext.
We calculate the values of the relevant state bits involved in the linear equation for each secret key and then check to see if the linear relationship is still valid. We increase a counter for the specific secret key every time it does.
We predict that after this procedure, the candidate key whose frequency count is farthest from 1/2 times the number of plaintextciphertext pairs will include the correct values for these key bits.
To explain the attack's strategies, we must verify several probability theory results.
The Pilingup lemma
The pilingup lemma is a cryptanalysis principle applied to linear cryptanalysis to create linear approximations to block cipher actions.
A block cipher is a method. A block cipher encrypts data in blocks to create ciphertext using a cryptographic key and algorithm.
According to the lemma, the bias of a linear Boolean function (XORclause) of independent binary random variables is correlated to the product of the input biases.
On the other hand, the input variables are not independent if the lemma does not hold.
Derivation
Assume that X1, X2,... are independent random variables that only accept values between 0 and 1.
Consider p1, p2,... to be real values such that 0 ≤ pi ≤ 1 for all i.
Also, Pr[Xi = 0] = pi and Pr[Xi = 1] = 1 − pi.
Let's assume that i ≠ j. Since Xi and Xj are independent:

Pr[Xi = 0, Xj = 0] = pi pj.

Pr[Xi = 0, Xj = 1] = pi(1 − pj).

Pr[Xi = 1, Xj = 0] = (1 − pi)pj and

Pr[Xi = 1, Xj = 1] = (1 − pi)(1 − pj).
After that, consider the discrete random variable Xi ⊕ Xj (also known as Xi + Xj mod 2). It is clear that the probability distribution for Xi ⊕ Xj is as follows:
Pr[Xi ⊕ Xj = 0] = pi pj + (1 − pi)(1 − pj)
Pr[Xi ⊕ Xj = 1] = pi(1 − pj) + (1 − pi)pj
The bias of the distribution is frequently used to express a probability distribution of a random variable with values between 0 and 1. The quantity Єi = pi 1/2 is used to define the bias of Xi.
Consider the following details:
For 1/2 ≤ Єi ≤ 1/2,
Pr[Xi = 0] = 1/2 + Єi and Pr[Xi = 1] = 1/2  Єi, respectively, for i = 1, 2,... The pilingup lemma refers to the following conclusion, which provides a formula for the bias of the random variable Xi1⊕…..⊕Xik.
[1] Let the bias of the random variables Xi1⊕…..⊕Xik is denoted by Є_{i1, i2, i3……..ik} then,
Є_{i1, i2, i3……..ik} = 2^{k1} ∏Є_{ij} for j = 1 to k.
[2] Let the bias of the random variables Xi1⊕…..⊕Xik is denoted by Є_{i1, i2, i3……..ik} and Є_{ij} = 0 for some j. Then, Є_{i1, i2, i3……..ik }= 0.
For example:
Take independent random variables X1 and X2.
Let Pr[X1 = 0] = p1 => Pr[X1 = 1] = 1  p1
and Pr[X2 = 0] = p2 => Pr[X2 = 1] = 1  p2.
Therefore, Pr[X1 ^ X2 = 0] = p1p2 + (1p1)(1p2).
Now, let the bias values of the random variables:
Є1 = p1  1/2 and Є2 = p2  1/2
Hence, Pr[X1 ^ X2] = 0 = 2 * Є1Є2.
Frequently Asked Questions
What do you mean by Bias of a random Variable?
The bias of the distribution is frequently used to express a probability distribution of a random variable with values between 0 and 1. It has to do with the uniform probability of certain values. Bias is the idea that some values are more likely to show up than a random distribution would expect.
What is the Pilingup lemma?
The pilingup lemma is a cryptanalysis principle applied to linear cryptanalysis to create linear approximations to block cipher actions. According to the lemma, the bias of a linear Boolean function (XORclause) of independent binary random variables is correlated to the product of the input biases.
What is a Block Cipher?
A block cipher is a method. A block cipher encrypts data in blocks to create ciphertext using a cryptographic key and algorithm. We require a block cypher mode of operation to encode and decode messages of any size and content without leaving ourselves vulnerable to attack.
Conclusion
We discussed Linear Cryptanalysis and how it works with an example. Further, we discussed the Pilingup Lemma and the derivation of the formula for bias of the random variables in the Pilingup Lemma.
We hope this blog has helped you. We recommend you visit our articles on different topics of Cryptography, such as
🔥 What is Cryptography?
🔥 Cryptographic System.
🔥 Cryptosystem.
If you liked our article, do upvote our article and help other ninjas grow. You can refer to our Guided Path on Coding Ninjas Studio to upskill yourself in Data Structures and Algorithms, Competitive Programming, System Design, and many more!
Head over to our practice platform Coding Ninjas Studio to practice top problems, attempt mock tests, read interview experiences and interview bundles, follow guided paths for placement preparations, and much more!!
Happy Reading!!