
So-called differential cryptanalysis belongs to the class of chosen-plaintext attacks and was invented by Biham and Shamir (1991). It is a method of cryptanalysis for block ciphers (in contrast to stream ciphers). (In order to avoid misunderstandings from the beginning, note that the term "differential" is used because differences of elements of a commutative group $G$ will be compared; it has nothing to do with calculus!) Let us describe the setting in detail. An $r$-round block cipher is an encryption algorithm that works as follows: For the first round, given an input $X(1)$ and a round key $Z(1)$, the (deterministic) "enciphering function" $f$ produces an output
$$Y(1) = f(X(1), Z(1)).$$
The output of the first round is used as input for the second round, $X(2) := Y(1)$, and as output of the second round we get
$$Y(2) = f(X(2), Z(2)),$$
etc. The final output of the algorithm is the output of the $r$-th round, $Y(r)$. Here, all occurring data are blocks of a certain length whose elements belong to some finite abelian group $G$, in practice often some residue ring; a block of length $N$ is thus an element of $G^N$. The model assumption is that all round keys $Z(1), Z(2), \ldots, Z(r)$ are chosen as independent, uniformly distributed random variables, for in general only in this case do reasonable theoretical results become available. Interestingly enough, in practice the attack seems to work as well or even better when the round keys are derived by some key schedule from a "small" overall key.

Now the idea of differential cryptanalysis is that if one takes pairs of round inputs $(X(i), X^*(i))$ and compares them with the round output pairs $(Y(i), Y^*(i))$, there are often relations between their differences
$$\Delta X(i) := X(i) - X^*(i) \quad\text{and}\quad \Delta Y(i) := Y(i) - Y^*(i)$$
that allow us to infer information on the round key $Z(i)$. Informally speaking, the enciphering function $f$ is called cryptographically weak if, given $\Delta Y(r-1)$, $Y(r)$ and $Y^*(r)$ for a relatively small number of input pairs $(X(1), X^*(1))$, one can "easily" find the round key $Z(r)$ or at least some information about it. A pair of differences $(\alpha, \beta)$, considered as the values of a first-round input difference and an $i$-th-round output difference, $(\alpha, \beta) = (\Delta X(1), \Delta Y(i))$, is termed an $i$-round differential (or characteristic). Differential cryptanalysis is successful if there are differentials that are significantly more probable than others when the round keys $Z(1), Z(2), \ldots, Z(r-1)$ are chosen uniformly at random. Now the differential attack proceeds as follows:

D. Neuenschwander: Prob. and Stat. Methods in Cryptology, LNCS 3028, pp. 115-123, 2004.

– Choose an $(r-1)$-round differential $(\alpha, \beta)$ for which the conditional probability $P(\Delta Y(r-1) = \beta \mid \Delta X(1) = \alpha)$ is relatively large.

– Take a plaintext $X(1)$ chosen uniformly at random and encrypt $X(1)$ and $X^*(1) := X(1) - \alpha$ (so that $\Delta X(1) = \alpha$; for $G = \mathbb{Z}_2$, where differences are XORs, the sign is immaterial) to get the ciphertexts $Y(r)$ and $Y^*(r)$.

– Assume that $\beta$ is the true difference $\Delta Y(r-1)$. Find all values of the round key $Z(r)$ that are consistent with the $r$-th round input difference $\Delta X(r) = \Delta Y(r-1) = \beta$ and the observed output difference $\Delta Y(r) = Y(r) - Y^*(r)$, and record one vote for each of them.

– Repeat the two preceding steps until some possible $Z(r)$ appears significantly more frequently than all the others. Then use this value as a guess for the $r$-th round key.

– Knowing $Z(r)$, strip off the last round and do all these steps again for rounds $r-1, r-2, \ldots, 1$.

The creative act needed to mount a differential attack lies in the first step, i.e., in finding a significantly more probable differential. This is why information about the distribution of differentials is important. We will treat this question in the next section.

Fortunately, by the following theorem due to Lai, Massey, and Murphy, there is a lower bound on the complexity of a differential attack. Here, "complexity" means the number of encryptions of chosen plaintexts that must be performed (two for each chosen plaintext pair).

Theorem 9.1. Let $G$ be an abelian group (in particular, a residue ring), $N$ be the block length, and put
$$p_{\max} := \max_{\alpha, \beta \in G^N,\ \alpha \neq e} P(\Delta Y(r-1) = \beta \mid \Delta X(1) = \alpha).$$
Then the average complexity $C$ of the differential cryptanalysis has the following lower bound:
$$C \ \ge\ \frac{2}{p_{\max} - \dfrac{1}{2^N - 1}},$$
where $2^N - 1$ is the number of nonzero differences of a binary block of length $N$ (for a general group $G$ read $|G|^N - 1$).

Proof: If the attack succeeds, then the anticipated value $\beta$ has to occur at least once more often than any other value $\beta'$, which under uniformly random round keys is hit as often as a uniformly chosen nonzero difference. In $K$ pairs of encryptions, on the average $\beta$ occurs $K p_{\max}$ times and $\beta'$ occurs $K/(2^N - 1)$ times. Thus
$$K p_{\max} - \frac{K}{2^N - 1} \ \ge\ 1,$$
which, solved for $K$, yields $K \ge 1/\bigl(p_{\max} - \frac{1}{2^N - 1}\bigr)$; since each pair costs two encryptions, $C = 2K$ and the assertion follows. $\Box$

So the smaller $p_{\max}$ is (i.e., the fewer significantly more probable differentials there are), the larger the complexity becomes; in the extreme case $p_{\max} = 1/(2^N - 1)$, where every differential is equally likely, the bound is infinite.
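As an added worked example (not from the book), the attack steps above and the bound of Theorem 9.1 are carried out in Python on a constructed toy cipher: a 3-round Feistel cipher on 8-bit blocks with a hypothetical 4-bit S-box, differences taken in $G = \mathbb{Z}_2$ (XOR). The S-box, the secret round keys and all function names are assumptions made for this example. Instead of sampling plaintexts at random, all 256 plaintexts of the 8-bit block are encrypted so that the vote counts are exact.

```python
"""Toy differential attack: 3-round, 8-bit Feistel cipher (constructed example)."""
from collections import Counter

# Hypothetical 4-bit S-box chosen for this example (not from the book).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
N_BITS = 8  # block length N; G = Z_2, so differences are XORs


def difference_table(sbox):
    """Difference distribution table: ddt[a][b] = #{u : S(u) ^ S(u ^ a) == b}."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for u in range(n):
        for a in range(n):
            ddt[a][sbox[u] ^ sbox[u ^ a]] += 1
    return ddt


def round_fn(block, z):
    """Enciphering function f(X, Z) on a block X = (L, R) of two 4-bit halves:
    (L, R) -> (R, L ^ S(R ^ Z)). Invertible for every fixed Z, as a round must be."""
    left, right = block >> 4, block & 0xF
    return (right << 4) | (left ^ SBOX[right ^ z])


def encrypt(block, keys):
    """Y(r) = f(... f(f(X(1), Z(1)), Z(2)) ..., Z(r))."""
    for z in keys:
        block = round_fn(block, z)
    return block


def best_two_round_differential(ddt):
    """Step 1: pick the 2-round differential alpha = (a, 0) -> beta = (a, b) with the
    largest probability. Round 1 maps (a, 0) to (0, a) with probability 1, and round 2
    maps that to (a, b) exactly when the S-box maps input difference a to b: p = ddt[a][b]/16."""
    return max(((da, db) for da in range(1, 16) for db in range(16)),
               key=lambda d: ddt[d[0]][d[1]])


def recover_last_round_key(oracle, a, b):
    """Steps 2-4: encrypt pairs X, X ^ alpha; assume beta = Delta Y(2) = Delta X(3);
    count the round-3 keys Z(3) consistent with beta and the observed Delta Y(3).
    All 256 plaintexts are used so the counts are exact rather than sampled."""
    alpha = a << 4                       # (Delta L(1), Delta R(1)) = (a, 0)
    votes = Counter()
    right_pairs = 0
    for x in range(256):
        y, y_star = oracle(x), oracle(x ^ alpha)
        l3, r3 = y >> 4, y & 0xF
        l3s, r3s = y_star >> 4, y_star & 0xF
        if l3 ^ l3s != b:                # L(3) = R(2), so Delta L(3) must equal b
            continue
        right_pairs += 1
        for z in range(16):              # undo round 3 under candidate z: L(2) = R(3) ^ S(L(3) ^ z)
            if (r3 ^ SBOX[l3 ^ z]) ^ (r3s ^ SBOX[l3s ^ z]) == a:   # Delta L(2) must equal a
                votes[z] += 1
    top = max(votes.values())
    return sorted(z for z, v in votes.items() if v == top), top, right_pairs


def lmm_lower_bound(p_max, n_bits):
    """Theorem 9.1 (Lai, Massey, Murphy): C >= 2 / (p_max - 1/(2^N - 1)) encryptions."""
    return 2 / (p_max - 1 / (2 ** n_bits - 1))


if __name__ == "__main__":
    keys = [0x9, 0x3, 0xC]               # constructed secret round keys Z(1), Z(2), Z(3)
    ddt = difference_table(SBOX)
    a, b = best_two_round_differential(ddt)
    p = ddt[a][b] / 16
    cands, top, right = recover_last_round_key(lambda x: encrypt(x, keys), a, b)
    print(f"differential ({a:x},0) -> ({a:x},{b:x}) holds with probability {p}")
    print(f"{right} right pairs; keys with {top} votes: {[hex(z) for z in cands]}; true Z(3) = {keys[2]:#x}")
    print(f"Theorem 9.1 with this p in place of p_max: at least {lmm_lower_bound(p, N_BITS):.1f} encryptions")
```

With $\alpha = (a, 0)$ the first round passes the difference through with probability 1 and only the second-round S-box is probabilistic, so the fraction of right pairs (those with $\Delta L(3) = b$) equals the differential probability exactly, and the true $Z(3)$ is voted for by every right pair. The last-round key is recovered only up to XOR with $b$: the candidates $Z(3)$ and $Z(3) \oplus b$ always receive identical votes, because swapping them just exchanges the two S-box inputs of the pair. An attacker resolves this one-bit ambiguity with a second differential or by trying both values when peeling off the next round.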

Of course, the cardinal question here is how to design a cipher that is reasonably secure against differential cryptanalysis. It turns out that for this, the notion of a Markov cipher is a natural condition. The following definition is due to Lai, Massey, and Murphy.

Definition 9.1. An $r$-round iterated block cipher is called a Markov cipher if, when the first round key $Z(1)$ is chosen uniformly at random, the probability
$$P(\Delta Y(1) = \beta \mid \Delta X(1) = \alpha,\ X(1) = \gamma)$$
is independent of $\gamma$ for all $\alpha, \beta, \gamma$.

To be exact, we need the model assumption of stochastic equivalence:

Definition 9.2. The assumption of stochastic equivalence means that $P(\Delta Y(r-1) = \beta \mid \Delta X(1) = \alpha)$ has the same value for (virtually) all fixed round keys $Z(1), Z(2), \ldots, Z(r-1)$ as if these round keys $Z(i)$ $(i = 1, 2, \ldots, r-1)$ were independent and uniformly distributed.

As Biham and Shamir have shown, DES, e.g., is a Markov cipher (with respect to the XOR difference). The relation of the above definition to Markov chains is the following theorem due to Lai, Massey, and Murphy:

Theorem 9.2. If in an $r$-round Markov cipher all round keys are chosen independently and uniformly at random, then $\{\Delta Y(i)\}_{0 \le i \le r}$ is a Markov chain, where $\Delta Y(0) := \Delta X(1)$.

(Here, the term "Markov chain" will always mean "homogeneous" Markov chain.)

Proof of Theorem 9.2: We have
$$P(\Delta Y(1) = \beta_1, \Delta Y(2) = \beta_2, \ldots, \Delta Y(r) = \beta_r \mid \Delta Y(0) = \beta_0) = \prod_{i=1}^{r} P(\Delta Y(i) = \beta_i \mid \Delta Y(0) = \beta_0, \Delta Y(1) = \beta_1, \ldots, \Delta Y(i-1) = \beta_{i-1}).$$
However,
$$P(\Delta Y(i) = \beta_i \mid \Delta Y(0) = \beta_0, \ldots, \Delta Y(i-1) = \beta_{i-1}) = \sum_{\gamma \in G^N} P(\Delta Y(i) = \beta_i,\ Y(i-1) = \gamma \mid \Delta Y(0) = \beta_0, \ldots, \Delta Y(i-1) = \beta_{i-1})$$
and
$$P(\Delta Y(i) = \beta_i,\ Y(i-1) = \gamma \mid \Delta Y(0) = \beta_0, \ldots, \Delta Y(i-1) = \beta_{i-1}) = P(Y(i-1) = \gamma \mid \Delta Y(0) = \beta_0, \ldots, \Delta Y(i-1) = \beta_{i-1}) \cdot P(\Delta Y(i) = \beta_i \mid Y(i-1) = \gamma, \Delta Y(0) = \beta_0, \ldots, \Delta Y(i-1) = \beta_{i-1}).$$
By the independence of the round keys (so that, given $X(i) = Y(i-1)$ and $\Delta X(i) = \Delta Y(i-1)$, the earlier differences carry no further information about round $i$) and by the definition of a Markov cipher applied to round $i$, we have
$$P(\Delta Y(i) = \beta_i \mid Y(i-1) = \gamma, \Delta Y(0) = \beta_0, \ldots, \Delta Y(i-1) = \beta_{i-1}) = P(\Delta Y(i) = \beta_i \mid Y(i-1) = \gamma, \Delta Y(i-1) = \beta_{i-1}) = P(\Delta Y(i) = \beta_i \mid \Delta Y(i-1) = \beta_{i-1}),$$
the last equality being the independence of $\gamma$ required in Definition 9.1. So we get
$$P(\Delta Y(i) = \beta_i \mid \Delta Y(0) = \beta_0, \ldots, \Delta Y(i-1) = \beta_{i-1}) = P(\Delta Y(i) = \beta_i \mid \Delta Y(i-1) = \beta_{i-1}) \cdot \sum_{\gamma \in G^N} P(Y(i-1) = \gamma \mid \Delta Y(0) = \beta_0, \ldots, \Delta Y(i-1) = \beta_{i-1}).$$
Since the latter sum adds up to 1, we finally obtain
$$P(\Delta Y(1) = \beta_1, \Delta Y(2) = \beta_2, \ldots, \Delta Y(r) = \beta_r \mid \Delta Y(0) = \beta_0) = \prod_{i=1}^{r} P(\Delta Y(i) = \beta_i \mid \Delta Y(i-1) = \beta_{i-1}).$$
Homogeneity follows from the fact that all round keys have the same (uniform) distribution. $\Box$

Lemma 9.1. For any Markov cipher, the uniform distribution on $G^N \setminus \{e\}$ is a stationary distribution of the Markov chain $\{\Delta Y(i)\}_{0 \le i \le r}$.

Proof: Since the cipher is Markov, the distribution of $\Delta Y(i+1)$ given $\Delta Y(i)$ does not depend on the actual value of $Y(i) = X(i+1)$, so we may put $Y(i) = X(i+1) = e$ and choose $Y^*(i) = X^*(i+1)$ uniformly at random on $G^N \setminus \{e\}$; then $\Delta Y(i) = e - Y^*(i)$ itself is uniformly distributed on $G^N \setminus \{e\}$. For any fixed $(i+1)$-th round key $z = Z(i+1)$, the random variable $Y^*(i+1) = f(X^*(i+1), z)$ is uniformly distributed on $G^N \setminus \{f(e, z)\}$, since $f(\cdot, z)$ is invertible. Thus for fixed $z$, the random variable $\Delta Y(i+1) = f(e, z) - Y^*(i+1)$ is uniformly distributed over $G^N \setminus \{e\}$. Hence the same is also true without conditioning on $Z(i+1)$. $\Box$
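As an added example (not from the book), the following Python checks Definition 9.1, Theorem 9.2 and Lemma 9.1 numerically for the simplest Markov cipher: one round of $f(X, Z) = S(X \oplus Z)$ on 4-bit blocks with a hypothetical S-box, differences taken as XORs. It verifies the Markov property by counting over all keys for every fixed input $\gamma$, builds the transition matrix $T$ of the chain $\{\Delta Y(i)\}$ on the nonzero differences, verifies that the uniform distribution is stationary, and tracks $p_{\max}$ for $i$ rounds as the largest entry of $T^i$ (the $i$-step transition matrix, which Theorem 9.2 justifies) together with the resulting Theorem 9.1 bound. The S-box, block size and all names are assumptions of this example.

```python
"""Difference chain {Delta Y(i)} of a one-round Markov cipher f(X, Z) = S(X ^ Z)
on 4-bit blocks (constructed example)."""
from fractions import Fraction

# Hypothetical 4-bit S-box chosen for this example (not from the book).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SIZE = 16                  # |G^N| for G = Z_2 and block length N = 4
NONZERO = range(1, SIZE)   # G^N \ {e}: the state space of the difference chain


def f(x, z):
    """Enciphering function: add the round key (XOR), then apply the S-box."""
    return SBOX[x ^ z]


def is_markov():
    """Definition 9.1: with Z uniform, P(dY = beta | dX = alpha, X = gamma) must not
    depend on gamma. Counting over all 16 keys gives that probability times 16."""
    for alpha in NONZERO:
        for beta in NONZERO:
            per_gamma = {sum(1 for z in range(SIZE) if f(g, z) ^ f(g ^ alpha, z) == beta)
                         for g in range(SIZE)}
            if len(per_gamma) != 1:
                return False
    return True


def transition_matrix():
    """T[alpha, beta] = P(dY(1) = beta | dX(1) = alpha) for uniform X and Z, as exact
    rationals; by Theorem 9.2 the i-round differential probabilities are the entries of T^i."""
    return {(alpha, beta): Fraction(sum(1 for x in range(SIZE) for z in range(SIZE)
                                        if f(x, z) ^ f(x ^ alpha, z) == beta), SIZE * SIZE)
            for alpha in NONZERO for beta in NONZERO}


def matmul(A, B):
    return {(a, c): sum(A[a, b] * B[b, c] for b in NONZERO) for a in NONZERO for c in NONZERO}


def is_uniform_stationary(T):
    """Lemma 9.1: pi = 1/15 on G^N \\ {e} satisfies sum_alpha pi(alpha) T[alpha, beta] = pi(beta)."""
    pi = Fraction(1, SIZE - 1)
    return all(sum(pi * T[alpha, beta] for alpha in NONZERO) == pi for beta in NONZERO)


def pmax_per_round(T, rounds):
    """p_max of Theorem 9.1 for i = 1..rounds: the largest entry of T^i."""
    out, P = [], T
    for _ in range(rounds):
        out.append(max(P.values()))
        P = matmul(P, T)
    return out


def lmm_lower_bound(p_max):
    """Theorem 9.1: C >= 2 / (p_max - 1/(2^N - 1)); infinite once p_max reaches 1/(2^N - 1)."""
    gap = p_max - Fraction(1, SIZE - 1)
    return float("inf") if gap == 0 else 2 / gap


if __name__ == "__main__":
    T = transition_matrix()
    print("Markov cipher:", is_markov())
    print("uniform distribution on G^N \\ {e} is stationary:", is_uniform_stationary(T))
    for i, p in enumerate(pmax_per_round(T, 6), 1):
        print(f"{i} rounds: p_max = {p} -> C >= {float(lmm_lower_bound(p)):.2f} encryptions")
```

Because the rows of $T$ sum to 1 and, by Lemma 9.1, so do its columns on $G^N \setminus \{e\}$, the largest entry of $T^i$ can never increase with $i$; if the chain has a steady-state distribution it decreases towards $1/15$, at which point the Theorem 9.1 bound becomes infinite. This is the mechanism behind Theorem 9.3 below, made visible for a single S-box round.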

A stronger notion than a stationary probability measure of a Markov chain is the concept of a so-called steady-state distribution. This means the following:

Definition 9.3. The Markov chain $\{\Delta Y(i)\}_{i \ge 0}$ is said to have the steady-state distribution $\pi$ if for all $\alpha, \beta \in G^N \setminus \{e\}$ it holds that
$$P(\Delta Y(i) = \beta \mid \Delta Y(0) = \alpha) \to \pi(\beta) \quad (i \to \infty).$$

If a Markov chain has a steady-state distribution, then this is its unique stationary distribution. Now by the following theorem due to Lai, Massey, and Murphy, it turns out that Markov ciphers having a steady-state distribution are "immune" to differential cryptanalysis.

Theorem 9.3. Under the assumption of stochastic equivalence, Markov ciphers having a steady-state distribution are (asymptotically, as the number of rounds tends to infinity) immune to differential cryptanalysis (in the sense that the average complexity tends to $\infty$).

Proof: From Theorem 9.1 and the fact that, by Lemma 9.1 together with the steady-state property, $p_{\max} \to \frac{1}{2^N - 1}$ as the number of rounds tends to infinity,