RU2180469C2 - Encryption/decryption key generation process - Google Patents

Abstract

FIELD: cryptography; building cryptographic systems. SUBSTANCE: key generation process includes simultaneous generation of each bits of original sequence and respective bit of provisional sequence on receiving and sending ends of communication link, respectively, when using binary-character noise-inducing block conveyed over communication channel with errors, encoding of original sequence on receiving end of communication link, separation of check character block from encoded original sequence, its transmission over return communication channel without errors, generation of decoded sequences from provisional sequence, and generation of hashing function of sequence on transmitting end of communication link, transmission of hashing function over direct communication channel without errors to receiving end of communication link, and generation of encryption/decryption key on receiving and sending ends of communication link by hashing original and decoded sequences using generated sequence-hashing function, and erasing of original, provisional, and decoded sequences. EFFECT: enhanced compromising stability of generated encryption/decryption key. 5 cl, 35 dwg

Description

 The invention relates to the field of cryptography, in particular to the formation of an encryption / decryption key (CWD), and can be used as a separate element in the construction of symmetric cryptographic systems designed to transmit encrypted speech, sound, television and other messages.

 The proposed method for generating CDS can be used in cryptographic systems if there is no or loss of cryptocurrency (cryptocurrency is the presence of the same CSD between the legal parties) between the legal parties of the communication direction (NS) (legal parties of the NS - that is, authorized participants in the exchange of information) or the establishment of cryptocurrency between new legitimate parties of the National Assembly (ZSNS) when the violator conducts interception of information transmitted through open communication channels.

There is a known method of generating CLSD described in the book of W. Diffie "The First Ten Public Key Cryptographies", TIIER, v. 76, 5, p. 57-58. The known method consists in the preliminary distribution between the legal parties of the direction of communication of the numbers α and β, where α is a prime number and 1 ≤ β ≤ α-1. The transmitting side NA (PerSNS) and a receiving side NA (PrSNS) independently selected random appropriate number of X _a and _X, which is stored in a secret and then form the number based on X _a, α, β to PerSNS and _X , α, β on PrSNS. ZSNS exchange the received numbers on communication channels without errors. After receiving the numbers of correspondents, the legal parties convert the received numbers using their secret numbers into a single CLSD. The method allows you to encrypt information during each communication session on the new CLSD (i.e., it excludes the storage of key information on media) and relatively quickly form CLDS using one unprotected communication channel.

 However, the known method has low resistance to CLSD to compromise (resistance of CLSD to compromise is the ability of the cryptographic system to resist attempts by an intruder to obtain CLSD, which is generated and used by legitimate parties of the National Assembly, when the intruder uses information about CLSD obtained from interception, theft and loss of media, disclosure , analysis, etc.), the validity of the CL is limited by the duration of one communication session or part thereof, an incorrect distribution of the numbers α and β leads to impossible ti KlShD formation.

 There is also a known method for generating CWD using a quantum communication channel [Patent US 5515438, H 04 L 9/00 of 05/07/96], which allows you to automatically generate CWD without additional measures for distribution (delivery) of the preliminary sequence. The known method consists in using the uncertainty principle of quantum physics and generates a CDS by transmitting photons through a quantum channel. The method provides receiving CWSD with high resistance to compromise, provides guaranteed control of the presence and degree of interception of CWSD.

 However, the implementation of the known method requires high-precision equipment, which leads to the high cost of its implementation. In addition, CLSh by this method can be formed using fiber-optic communication lines of limited length, which significantly limits the scope of its application in practice.

Closest to the technical nature of the claimed method for the formation of CLSD is the method of forming CLSD based on the information difference [Patent EP 0511420 A1, IPC ⁶ H 04 L 9/08 from 04.11.92].

 Method - the prototype consists in forming the initial sequence (IP) on the transmitting side of the communication direction, encoding the IP, extracting the block of test symbols from the encoded IP, transferring it via the direct communication channel without errors to the receiving side of the communication direction, and forming a decoded sequence (DP) at the receiving side of the direction of communication and the formation of IP and DP CLSD.

 The formation of the IS on the transmitting side of the NS consists in extracting the first part of the IS of length L binary symbols from a pre-generated correlated sequence on the PerSNS, randomly generating the second part of the IS - R of length M of binary symbols, concatenation (concatenation is the sequential connection of sequences to each other on the right) first and the second part of the IP and receiving IP length K of binary characters, where K = L + M.

 Encoding IP linear block systematic noise-tolerant (N, K) code, where N is the length of the encoded IP and N = 2K-1. The formation of each i-th verification symbol of the block of verification symbols of the encoded IP is performed by adding modulo 2 of the first and (i + 1) -th binary symbols of the IP, where i = 1,2,3 ,. .., (NK).

 The allocation of the block of verification symbols of the encoded IP consists in splitting the encoded IP into IP and the block of verification symbols of the encoded IP and highlighting the latter.

 The transmission of the block of verification symbols of the encoded IP via the direct communication channel without errors to the receiving side of the NS consists in transmitting it from the transmitting side of the NS through the direct communication channel without errors to the receiving side of the NS.

 The formation of the DP on the receiving side of the NS is carried out as follows, the first part of the preliminary sequence (PRP) of length L binary symbols corresponding to the first part of the IP on the transmitting side of the communication direction is extracted from the pre-formed correlated sequence on the PRNS, then a block of check symbols of the first part of the PRP of length L-1 binary characters. Each i-th verification symbol of the block of verification symbols of the first part of the PDP is formed by modulo 2 addition of the first and (i + 1) -th binary characters of the first part of the PDP, where i = 1,2,3,. .., (L-1). The block of check characters of the first part of the PDP is bitwise compared with the first L-1 binary characters of the received block of check characters of the encoded IP, if at least one mismatch occurs, the confirmation bit F is set to zero (F = 0) and the first part of the PDP is erased, the block of check characters of the first part PDP, the received block of verification symbols of the encoded IP, and if they coincide completely, the confirmation bit F is assigned the value one (F = 1) and the second part of the PDP of length M is formed by modulo 2 adding the first character the first part of the PDP and the i + (L-1) -th symbol of the received block of verification symbols of the encoded IP, where i = 1,2,3, ..., M. Then a DP is formed of length K, where K = L + M, by concatenating the first part of the PRP and the second part of the PRP. A confirmation bit is transmitted via the reverse communication channel without errors to the transmitting side of the NS.

 The formation of the CSP part from the IP and the DP consists in the linear conversion of the CID and the DP into the CSP part by modulo 2 addition of the IP symbols on the transmitting side of the NS and the DP on the receiving side of the NS if the legitimate parties of the NS have a confirmation bit equal to one (F = 1), and if the legitimate parties of the National Assembly have a confirmation bit equal to zero (F = 0), the first part of the PDP and the block of check characters of the encoded IP and the block of check characters of the first part are erased on the PRSNS IP; PRP

 The specified sequence of actions is repeated a certain number of times until the CLSD of the required length is generated.

 Method - prototype allows you to create CLS between the legitimate parties of the National Assembly with relatively small material costs with a large spatial diversity of the legal parties of the National Assembly.

 The disadvantage of the prototype of the claimed method is the low resistance of the generated CDS to compromise, which is caused by the formation of CDS from parts of CDS, formed on the basis of sequential processing of short sequences of binary symbols isolated from previously generated correlated sequences of the legitimate sides of the NS (processing of a short sequence increases the likelihood of reliable knowledge of the formed part by the intruder CLSD, which makes it easier for him to perform cryptanalysis formed for example, when using the brute force method (the brute force brute force method is based on brute force attackers trying to decrypt the intercepted cryptogram until a meaningful message is received from the cryptogram) CLSh) and the need to store pre-generated correlated sequences of legitimate NS sides on media ( as described, for example, in the book by Y. Romanets, P. Timofeev, V. Shangin, "Information Protection in Computer Systems and Networks", M., Radio and Communications, 1999, p. 174). In addition, the error-free channels used in the prototype method are not protected by authentication methods of received messages (message authentication - the process of authenticating (absence of falsification or distortion) of arbitrary messages received from the communication channel), which determines the high probability of false messages being imposed by the intruder during the formation of CLSD, which also reduces the resistance of CLW to compromise by the offender.

 The purpose of the claimed technical solution is the development of a method for forming a classifier, which provides increased resistance of the formed classifier to compromise by the violator.

This goal is achieved by the fact that in the known method of generating an encryption / decryption key, which consists in generating the original sequence, encoding it, extracting a block of check symbols from the encoded initial sequence, transmitting it via the communication channel without errors and generating a decoded sequence, and from source and decoded sequences form the encryption key / decryption, L times, where L> April ¹⁰ - the selected initial length of the original sequence, at the transmitting side voltage Lenia bonds form zashumlyayuschy block of binary symbols. A noisy block of binary symbols is transmitted over the communication channel with errors to the receiving side of the communication direction. A random bit is generated at the receiving side of the communication direction. A codeword is formed from a random bit. A noisy codeword (CKS) is formed by bitwise summation modulo 2 of the received noisy binary symbol block and the generated codeword. A noisy codeword is transmitted over the reverse communication channel without error to the transmitting side of the communication direction. On the transmitting side of the communication direction, a received codeword is formed from a noisy codeword by bitwise summing modulo 2 of a noisy binary symbol block and a noisy codeword.

 The received bit and the confirmation bit F are formed from the received codeword. The confirmation bit is transmitted on the forward channel without errors to the receiving side of the communication direction. When the confirmation bit F is equal to zero, the generated random bit and the received bit are erased respectively on the receiving and transmitting sides of the communication direction. When the confirmation bit F is equal to unity, the generated random bit and the received bit are stored respectively on the receiving and transmitting sides of the communication direction as ix elements, where i = 1,2,3, ..., LU, the initial and preliminary sequences, where U - the number of erased characters in the formation of the source and preliminary sequences. The decoded sequence on the transmitting side of the communication direction is formed from a preliminary sequence. After the initial and decoded sequences are formed, the hashing function of the sequences is formed on the transmitting side of the communication direction. The sequence hashing function is transmitted over the forward communication channel without errors to the receiving side of the communication direction. The encryption / decryption keys on the receiving and transmitting sides of the communication direction are generated by hashing the original and decoded sequences using the sequence hashing function generated on the transmitting side of the communication direction.

Then, on the receiving side of the communication direction, the original sequence is erased. On the transmitting side of the communication direction, the decoded and preliminary sequences are erased. The initial sequence on the receiving side of the communication direction is encoded by a linear block systematic binary noise-immunity (N, K) code, the generating matrix of which has dimension K • N, with N> K. When encoding the original sequence, the initial sequence is preliminarily divided into G subblocks of length K of binary symbols, where Y = (LU) / K. Then, sequentially, starting from the 1st to the Yth of each j-th subunit, where j = 1,2,3, ..., Y, form the j-th code block with a length of N binary symbols by multiplying the j-th subunit on the generating matrix. From the j-th code block, the j-th sub-block of check characters of length N - K binary characters is extracted. The j-th sub-block of check symbols is stored as the j-th sub-block of the block of check symbols of the encoded source sequence. The sizes K and N of the generator matrix of the linear block systematic binary noise-immunity (N, K) code are chosen K = 2 ^m -1-m and N = 2 ^m -1, where m≥3.

 When generating a noisy binary symbol block (BACS) on the transmitting side of the communication direction, every ith bit of the noisy binary symbol block, where i = 1,2,3, ..., M + 1, is randomly generated, where M≥1. To generate the codeword, the generated random bit is repeated M times, where M≥1. The received bit is assigned the value of the first bit of the received codeword. To generate a confirmation bit F, the first bit of the received codeword is compared with the subsequent M bits of the received codeword. Then, if there are M matches of the first bit of the received codeword with M bits of the received codeword, the confirmation bit F is assigned a value of one. If there is at least one mismatch of the first bit of the received codeword with M bits of the received codeword, the confirmation bit F is assigned the value zero. To form a decoded sequence on the transmitting side of the communication direction, the preliminary sequence is decoded by a linear block systematic binary noise-resistant (N, K) code, the verification matrix of which has the dimension (N-K) • N, with N> K.

When forming the decoded sequence, the preliminary sequence and the block of check symbols of the encoded source coded sequence are divided into Y corresponding pairs of decoded sub-blocks and sub-blocks of check symbols, where Y = (LU) / K. The lengths of the decoded subblocks and subblocks of the check symbols are chosen equal to K and N - K binary symbols, respectively. Then, Y received code blocks with a length of N binary symbols are formed by concatenating to the jth decoded subblock of the jth subblock of verification symbols to the right, where j = 1,2,3, ..., Y. Then, sequentially, starting from the 1st to Yth, calculate the jth syndrome S of length N-K binary characters by multiplying the jth received code block by the transposed check matrix. According to the obtained jth syndrome S, errors are corrected in the jth decoded subunit. Then, the jth decoded subblock is stored as the jth subblock of the decoded sequence. Choose the sizes K and N of the verification matrix of the linear block systematic binary noise-immunity (N, K) code K = 2 ^m -1-m and N = 2 ^m -1, where m≥3.

 The hashing function of the sequences on the transmitting side of the communication direction is formed in the form of a binary matrix G of dimension (L-U) • T, where T≥64 is the length of the generated encryption / decryption key. Each of the elements of the binary matrix G is randomly generated. The hash function of the sequences is transmitted sequentially, starting from the 1st to the (LU) th row of the binary matrix G. When generating the encryption / decryption key, the binary matrix G and the original sequence are divided into W of the corresponding pairs of submatrices of dimension P • T on the receiving side of the communication direction , where P = (LU) / W, and subblocks of the original sequence of length B of binary characters.

When generating the encryption / decryption key previously on the transmitting side of the communication direction, the binary matrix G and the decoded sequence are divided into W of the corresponding pairs of submatrices of dimension P • T, where P = (LU) / W, and subblocks of the decoded sequence of length B of binary symbols. Then, starting from the 1st to the Wth, the zth primary key of length T of binary symbols is calculated, where z = 1,2,3, ..., W, by multiplying the zth subblock of the original sequence by the zth submatrix G _z on the receiving side of the communication direction and the zth subblock of the decoded sequence on the zth submatrix G _z on the transmitting side of the communication direction. An encryption / decryption key is formed by bitwise summing modulo two W primary keys on the receiving and transmitting sides of the communication direction.

 The specified new set of essential features due to processing (by hashing method) sequences of IP and DP of large length, the formation of IP and DP using code words of repetition and noisy blocks of binary characters (which are formed using a communication channel with errors) and the use of authenticated communication channels will increase the resistance of the formed CLS to compromise in relation to the intruder.

 The analysis of the prior art made it possible to establish that analogues that are characterized by a combination of features that are identical to all the features of the claimed solution are absent, which indicates the compliance of the claimed method with the condition of patentability "novelty". Search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the prototype of the claimed method showed that they do not follow explicitly from the prior art. The prior art also did not reveal the popularity of the impact provided by the essential features of the claimed invention transformations to achieve the specified technical result. Therefore, the claimed invention meets the condition of patentability "inventive step".

The claimed method is illustrated by drawings, which show:
in FIG. 1 is a generalized structural diagram of the NS used in the claimed method;
in FIG. 2 is a timing diagram of the formation of the WBDS;
in FIG. 3 is a timing diagram of an error vector in an error communication channel;
in FIG. 4 is a timing chart of an adopted ZBDS;
in FIG. 5 is a timing chart for generating a random bit;
in FIG. 6 is a timing chart for generating a codeword;
in FIG. 7 is a timing chart of an adopted ZBDS;
in FIG. 8 is a timing chart for generating a noisy codeword;
in FIG. 9 is a timing diagram of the WBDS;
in FIG. 10 is a timing diagram of a noisy codeword;
in FIG. 11 is a timing chart for generating a received codeword;
in FIG. 12 is a timing chart of the formation of a confirmation bit F;
in FIG. 13 is a timing chart of the formation of a received bit;
in FIG. 14 is a timing chart of a received confirmation bit F;
in FIG. 15 is a timing chart of a stored i-th element of the original sequence;
in FIG. 16 is a timing chart of a stored i-th element of a preliminary sequence;
in FIG. 17 is a timing chart of a generated preliminary sequence;
in FIG. 18 is a timing chart of a generated source sequence divided into Y sub-blocks of K characters;
in FIG. 19 is a timing chart of the selected j-th subblock IP;
in FIG. 20 is a timing diagram of the formation of the j-th code block with a length of N binary symbols;
in FIG. 21 is a timing chart of the allocation of the jth subblock of check symbols of length N - K binary characters;
in FIG. 22 is a timing chart for generating a block of check symbols of an encoded IP from Y sub-blocks of check symbols;
in FIG. 23 is a timing chart of a block of check symbols of a coded source sequence divided into Y sub-blocks of check characters of length N - K binary characters and the allocation of the j-th block of check characters from it;
in FIG. 24 is a timing chart of a preliminary sequence of K symbols divided into Y decoded subblocks and the allocation of the jth decoded subblock from it;
in FIG. 25 is a timing diagram of the concatenation on the right of the jth decoded subblock and the jth subblock of check symbols;
in FIG. 26 is a timing chart for calculating the j-th syndrome S of length N - K binary characters;
in FIG. 27 is a timing chart of error correction in the j-th decoded subunit according to the obtained j-th syndrome S;
in FIG. 28 is a timing chart for generating a decoded sequence of Y decoded subunits;
in FIG. 29 is a view of a generated sequence hashing function;
in FIG. 30 is a timing chart of a transferred sequence hashing function;
in FIG. 31 is a timing chart of the generated IP;
in FIG. 32 is a timing chart of the generated CLSD K _b ;
in FIG. 33 is a timing chart of the formed DP;
in FIG. 34 is a timing chart of the generated CLSD K _a ;
in FIG. 35 is a timing diagram of the formation of CLShD,
In the presented drawings, the letter "A" denotes the actions that occur on the transmitting side of the HC, the letter "B" - on the receiving side of the HC. In the drawings, the hatched pulse represents the binary symbol "1", and not the hatched pulse represents the binary symbol "0". The signs “+” and “•” denote addition and multiplication in the Galois field GF (2). The upper alphabetic indices indicate the length of the sequence (block), the lower alphabetic indices indicate the number of the element in the sequence (block).

 The implementation of the claimed method is as follows. Modern cryptosystems are constructed according to the Kirkhoff principle, described, for example, in the book of D. Messi, "Introduction to Modern Cryptology", TIIER vol. 76, 5, May 1988, p. 24, according to which the full knowledge of the intruder includes, in addition to information obtained by interception, complete information about the algorithm for the interaction of the legitimate parties of the National Assembly and the process of generating the CJD. The formation of a common CLSD can be divided into three main stages. The first stage is to ensure the presence of pre-formed correlated sequences of binary symbols for the legitimate parties of the National Assembly, as the source material for the formation of CLSD. It is assumed that the violator has its own pre-formed correlated sequence (PSCP) correlated with the PSCP of the legitimate parties of the National Assembly.

 The second stage is designed to ensure the formation of CLS with high reliability. The formation of CLSD with high reliability is achieved by eliminating (correcting) inconsistent characters (errors) in the PSKP of one legitimate NS side (PSKP on the PRSNS) relative to the PSKP of the other legitimate side of the NS (PSKP on the PRSNS), when using the ZSNS additional information about PSKP (PSKP on the PRSNS) transmitted over the communication channel without errors. It is assumed that the intruder uses additional information to eliminate inconsistencies in the PSCP-ts of the ZSNS to eliminate inconsistencies in his PSCP-ts with the sequences of the ZSNS.

 The third stage is designed to ensure the formation of CLS with a low level of information on the CLS by the offender by compressing the identical sequences of the legitimate sides of the NS that were received by the ZSNS after the end of the second stage. It is assumed that the attacker knows the sequence compression algorithm used by the MSS. The storage by legal parties of the NS at the first stage of the PSKP-tei leads to a decrease in the resistance of the generated CDS to compromise, because it is possible for an intruder to obtain information about the PSCP of at least one of the legitimate parties of the National Assembly as a result of theft of information carriers, unauthorized access, disclosure of information, etc.

 This requires the implementation of measures to ensure reliable storage of complete information about the SSPS of the ZSNS. On the other hand, when legitimate parties perform actions of the NS of the second and third stages to obtain a part of CLSD on the same short sequences isolated from the SSPS of the ZSNS, the probability of reliable knowledge of the formed part of CLSD by the violator increases. This also leads to a decrease in the resistance of the formed CDS to compromise. In addition, when the legitimate parties of the National Assembly take actions to exchange information through open communication channels, the intruder can impose his CLSD (or part of CLSD) on the CSNS, which leads to a decrease in the resistance of the generated CLSD to compromise. Therefore, for the formation of CLSD, it is necessary to exclude the storage of PSCP-tei from the MSS by simultaneously generating them using the MSS of the communication channel with errors (the possibility of generating the MSS is based on the independence of errors arising in the communication channel with errors of the legitimate sides of the NS and errors arising in the interception channel violator), to form a CWD by hashing the obtained identical sequences of the full length (the hashing function of the sequences satisfies a number of requirements and the length of one PSKP block (one of the IP subunit), to which the verification symbols are generated, should be significantly less than the total length of the received identical ZSNS sequences (IP and DP) to be hashed) and all communication channels should be protected by authentication methods of received messages. Message authentication methods do not fall within the scope of the proposed method. Known methods for authenticating messages are described, for example, in the book by D., Simmons, "Overview of Information Authentication Methods," TIIER, v. 76, 5, May 1988, p. 106.

 In the claimed method of generating an encryption / decryption key to ensure increased resistance of the generated CDS to compromise, the following sequence of actions is implemented.

 The intruder has his own interception channel, with the help of which he receives information about the transmitted PSP through the communication channel with errors of the legitimate parties of the National Assembly (see figure 1). In order to form a CLD with high resistance to compromise, it is necessary to create conditions under which the reception quality in the communication channel with errors of the legitimate sides of the NS (i.e., the main channel) will exceed the reception quality in the interception channel, i.e. it is necessary to create conditions under which the main channel will have an advantage (better reception quality) with respect to the interception channel. To create conditions under which the reception quality in the communication channel with errors of the legitimate sides of the NS (i.e., the main channel) will exceed the reception quality in the interception channel, each of the IP symbols randomly generated on the PRSN (each bit of the IP is randomly generated so that increase the resistance of CLSD to compromise), repeat M times and form a codeword with a length of M + 1 binary characters, sum it modulo 2 with a received noisy block of binary characters with a length of M + 1 binary characters (ZBDS is pre-formed on the PermSN, ZBDS it every bit is randomly generated and then transmitted to ZBDS PrSNS through the main channel) and the obtained noisy codeword. ZKS transmit to PersNS on the reverse communication channel without errors. A received codeword with the length M + 1 of binary symbols is formed at the PerSNS by summing modulo 2 ZBDS and ZKS, and the received codeword of the code with repetitions is received if all its elements are either "1" or "0" and a decision is made on the information symbol corresponding to accepted codeword. Otherwise, the accepted codeword is deleted at PersNS. The decision on the accepted (erased) accepted codewords at PersNS is transmitted via the direct communication channel without errors to the PRNS. ZSNS save in sequences of IP on PrSNS and PRP on PerSNS characters which were not erased.

 The violator may also delete characters that have been erased by the legitimate parties of the National Assembly. However, the characters stored by the intruder (that is, those that saved the HSS) are not reliable enough, because the errors that occur in the main channel and the errors that occur in the interception channel are independent errors. Instead of the presented decoding with two codewords, SSSNs may use threshold decoding. The main difference when using the threshold detection decoding system is that each of the words of the repetition code is received at PerNSS, not only when all its elements are either “1” or “0”, but also when the number of identical binary characters in the code word is at least a certain number (threshold). This will lead, on the one hand, to a decrease in the likelihood of matching the corresponding stored characters in the PRP on the PRSNS and in the IP on the PRSNS, on the other hand, the ZSNS will erase the characters of the IP (PRP) less.

The creation of conditions under which the main channel has an advantage over the interception channel is implemented in the claimed method by the following sequence of actions for the simultaneous formation of the UE on the receiving side of the communication direction and the PRP on the transmitting side of the communication direction. The simultaneous formation of IP on the receiving side of the communication direction and the PDP on the PerSNS is as follows. On the transmitting side of the communication direction L times, where L> 10 ⁴ is the selected primary IP length, form an STD, each i-th bit, where i = 1,2,3, ..., M + 1, is randomly generated, where M≥1, M is determined by the quality of the communication channel with errors (see Fig. 2). Known methods for generating random numbers are described, for example, in the book of D. Knut, "The Art of Computer Programming", M., Mir, 1977, v. 2, p. 22.

 The ZBDS is transmitted over the communication channel with errors to the receiving side of the communication direction. The timing diagram of the error vector in the error communication channel is shown in FIG. 3. The term "error vector" refers to the bitwise difference between the transmitted and received blocks of binary symbols, as described, for example, in the book by A. Zyuko, D. Klovsky, M. Nazarov, L. Fink, "Theory of signal transmission", M. , Radio and Communications, 1986, p. 93. The received BAC is shown in FIG. 4. Known methods for transmitting sequences over communication channels with errors are described, for example, in the book by A. Zyuko, D. Klovsky, M. Nazarov, L. Fink, "Theory of signal transmission", M., Radio and communication, 1986, p. 11. On the receiving side of the communication direction, a random bit is generated (see FIG. 5). Known methods for generating random numbers are described, for example, in the book of D. Knut, "The Art of Computer Programming", M., Mir, 1977, v.2, p. 22.

 A codeword is formed from a random bit. To generate a codeword, the generated random bit is encoded with an M-repetition code (see FIG. 6). Known methods of coding with a repetitive code are described, for example, in the book of E. Berlekamp, “Algebraic Coding Theory”, M., Mir, 1971, p. 11, however, when decoding the code word ZSNS, a direct communication channel is used without errors, which significantly affects an increase in the reliability of the received symbols (and the intruder does not have such a channel with any of the MSS) A noisy codeword is generated (see FIG. 8) by bitwise summation modulo 2 of the received noisy binary symbol block (see FIG. 7) and the generated codeword. The ZKS is transmitted over the reverse communication channel without errors to the transmitting side of the communication direction. Known methods for transmitting blocks of binary symbols on the reverse channel are described, for example, in the book by A. Zyuko, D. Klovsky, M. Nazarov, L. Fink, "Theory of signal transmission", M., Radio and communications, 1986, p. 156.

 On the transmitting side of the communication direction, a received codeword is formed from a noisy codeword (see FIG. 11) by bitwise summing modulo 2 of a noisy binary symbol block (see FIG. 9) and a noisy codeword (see FIG. 10). From the received codeword, the received bit and the confirmation bit F are formed. The received bit is assigned the value of the first bit of the received codeword (see FIG. 13). To form a confirmation bit, the first bit of the received codeword is compared with the subsequent M bits of the received codeword. If there are M matches of the first bit of the received codeword with M bits of the received codeword, the confirmation bit is assigned the value "1", as shown in FIG. 12. If there is at least one mismatch of the first bit of the received codeword with M bits of the received codeword, the confirmation bit is assigned the value "0". Known methods for comparing bits are described, for example, in the book by P. Horovets, W. Hill, "The Art of Circuit Engineering", M., Mir, vol. 1, 1983, p. 212. A confirmation bit is transmitted on the forward channel without errors to the receiving side of the direction communication (see Fig. 14). Known methods for transmitting bits over a communication channel are described, for example, in the book by A. Zyuko, D. Klovsky, M. Nazarov, L. Fink, "Theory of signal transmission", M., Radio and communications, 1986, p. 156.

 If the confirmation bit F is equal to unity (F = 1), the generated random bit and the received bit are stored, respectively, on the receiving and transmitting sides of the communication direction as ix elements, where i = 1, 2, 3 ... LU, UI and PRP, where U - the number of erased characters in the formation of IP and PRP. In FIG. 15 shows the i-th element of the PI, and the i-th element of the PDP is shown in FIG. 16. Known methods for storing bits are described, for example, in the book of L. Maltsev, E. Flomberg, V. Yampolsky, "Fundamentals of Digital Technology", M., Radio and Communications, 1986, p. 79.

где р_ас - вероятность с которой принимается блок ( длиной М+1 двоичных символов ) с М повторениями на ПерСНС, которая определяется с помощью выражения
p_ac= p $\genfrac{}{}{0ex}{}{\text{M+1}}{\text{m}}$ +(1-p_m)^M+1. (2)
Рассмотрим ситуацию у нарушителя, при перехвате им первоначально ЗБДС по каналу перехвата с вероятностью ошибки р_w (т.е. нарушитель принимает свою версию ЗБДС ), затем он перехватывает ЗКС, переданное от ПрСНС на ПерСНС по обратному каналу без ошибок. Из перехваченного ЗКС нарушитель не может извлечь никакой полезной информации о сформированном на ПрСНС кодовом слове т.к. ЗКС для него представляет собой случайную последовательность. В этом случае для нарушителя оптимальной обработкой имеющейся у него информации будет сложение по модулю 2 ЗКС и его версии ЗБДС (т.е. удаление случайного зашумления с ЗКС ), как доказано, например, в работе Maurer U. "Secret Key Agreement by Public Discussion Based on Common Information" // IEEE Trans. on IT., Vol. 39, May 1993, p. 733 - 742, стр. 733-734, и в результате он получает свою версию принятого кодового слова. Тогда после такой обработки нарушителя, учитывая, что ЗКС - это просуммированные по модулю 2 сформированное кодовое слово и принятый ЗБДС на ПрСНС, вероятность ошибки на бит

в каждом двоичном символе версии принятого кодового слова нарушителя определяется с учетом вероятности ошибки на двоичный символ в принятом ЗБДС на ПрСНС относительно соответствующего двоичного символа сформированного ЗБДС на ПерСНС и равна

Это приводит к ухудшению качества приема канала перехвата т.к.

при сохранении прежнего качества приема основного канала (вероятность несовпадения (ошибки) соответствующих двоичных символов в принятом кодовом слове на ПерСНС и в кодовом слове на ПрСНС равна p_m). Вероятность ошибки на двоичный символ (соответствующий охраненным ЗСНС символам) в версии ПРП нарушителя будет зависеть от выбранного им правила приема. Так, если нарушитель декодирует по мажоритарному правилу (мажоритарное правило декодирования - правило, когда решение об информационном символе принятого блока кода с повторениями выносится согласно большего количества одинаковых символов в принятом блоке кода), то вероятность ошибки на бит для принятого символа нарушителя относительно переданного от ПрСНС по обратному каналу символа ИП может быть выражена как

где

определяется согласно выражения (3).If the confirmation bit F is equal to zero (F = 0), the generated random bit and the received bit are erased. Known methods for erasing bits are described, for example, in the book by W. Peterson, E. Weldon, “Codes for Correcting Errors,” M., Mir, 1976, p. 17. The form of the generated PDP is shown in FIG. 17, and a view of the generated IP is shown in FIG. 18. So, for example, if p _m is the probability of an error on a bit in the main channel, then the probability of a mismatch (error) of the corresponding binary symbols in the PRP on PersNS and IP on PRSNS can be expressed as

where p _as - the probability with which a block is accepted (length M + 1 binary characters) with M repetitions on PerSNS, which is determined using the expression
p _ac = p $\genfrac{}{}{0ex}{}{\text{M + 1}}{\text{m}}$ + (1-p _m ) ^{M + 1} . (2)
Consider the situation with the intruder, when he initially intercepts the ZBDS through the interception channel with the probability of error p _w (i.e., the intruder accepts his version of the ZBDS), then he intercepts the ZKS transmitted from the PRNS to the PRNS via the return channel without errors. The intruder cannot extract any useful information from the intercepted CCS on the code word generated at the PRSN. ZKS for him is a random sequence. In this case, for the intruder, the optimal processing of the information available to him would be the addition of modulo 2 ZKS and its version of the ZBDS (that is, the removal of random noise from the ZKS), as proved, for example, by Maurer U. "Secret Key Agreement by Public Discussion Based on Common Information "// IEEE Trans. on IT., Vol. 39, May 1993, p. 733-742, pp. 733-734, and as a result, he gets his version of the accepted codeword. Then, after such processing of the intruder, given that the ZKS is the generated codeword summed modulo 2 and the received ZBDS at the PRNS, the probability of error per bit

in each binary symbol, the version of the received codeword of the intruder is determined taking into account the probability of an error per binary symbol in the received STDB at PRSN relative to the corresponding binary character of the formed STBD at PRNS and is equal to

This leads to a deterioration in the reception quality of the interception channel, as

while maintaining the same reception quality of the main channel (the probability of mismatch (error) of the corresponding binary symbols in the received codeword on the PRSNS and in the code word on the PRNS is p _m ). The probability of an error per binary symbol (corresponding to protected by the ZSNS characters) in the PRP version of the intruder will depend on the admission rule chosen by him. So, if the intruder decodes according to the majority rule (the majority decoding rule is the rule when the decision on the information symbol of the received code block with repetitions is made according to a larger number of identical symbols in the received code block), then the probability of an error per bit for the received symbol of the violator relative to the one transmitted from PRNS on the reverse channel of the symbol IP can be expressed as

Where

determined according to expression (3).

вероятность ошибки на бит

(после обработки) в каждом двоичном символе версии принятого кодового слова нарушителя равна

а вероятность ошибки на бит

для принятых символов в версии ПРП нарушителя относительно переданной от ПрСНС ИП будет равна

Тогда число несовпадающих символов (ошибок) в ПРП и ИП законных сторон НС будет меньше, чем в ИП и версии ПРП нарушителя. При этом ЗСНС будет стерто U двоичных символов из ИП (ПРП), U=29078 двоичных символов, и вторичная длина ИП (ПРП) составит величину L-U=86344 бит, в то время, когда по каналу связи с ошибками необходимо будет передать 461688 двоичных символов.Example 1. ZSNS for the formation of PI (PRP) using a code with M repetitions. The intruder decodes according to the majority rule. The probability of error per bit in the interception channel is p _w = 0.06, and the probability of error per bit in the main channel is p _m = 0.07, i.e. in the case when the reliability of the communication channel with errors of the legitimate parties of the National Assembly is worse than the interception channel of the intruder. When transmitting from the PRSNS IP primary length L = 115422 binary characters and using a code with M repetitions, where M = 3 (p _ac = 0.748), the probability of mismatch (error) of the corresponding binary symbols in the PDP on the PRNS and IP on the PRNS will be equal to

probability of error per bit

(after processing) in each binary symbol of the version of the received code word of the intruder is

and the probability of error per bit

for received characters in the PRP version of the intruder relative to the transmitted from the PRSNS IP will be equal to

Then the number of mismatched characters (errors) in the PDP and IP of the legal parties of the National Assembly will be less than in the IP and the version of the PRP of the violator. In this case, the UCNS will be erased U binary characters from the IP (PRP), U = 29078 binary characters, and the secondary length of the IP (PRP) will be LU = 86344 bits, while 461688 binary characters will need to be transmitted over the communication channel with errors .

Каждый подблок длиной К символов кодируется линейным систематическим блоковым помехоустойчивым (N,K) двоичным кодом, где К - длина блока информационных символов кода и N - длина кодового блока. Линейным двоичным кодом называется код, который построен на основе использования линейных операций в поле GF(2), как описано, например, в книге Р. Блейхут, "Теория и практика кодов, контролирующих ошибки", М. , Мир, 1986, стр. 61. Под термином "блоковый код" понимают код, в котором действия производятся над блоками символов, как описано, например, в книге Р. Блейхут, "Теория и практика кодов, контролирующих ошибки", М., Мир, 1986, стр. 13. Систематическим называется код, в котором кодовое слово начинается с информационных символов, оставшиеся символы кодового слова являются проверочными символами к информационным символам, как описано, например, в книге Р. Блейхут, "Теория и практика кодов, контролирующих ошибки", М., Мир, 1986, стр. 66.After the formation of the ZSNS, the IP on the PRSNS and the PRP on the PerSNS in the IP and the PRP, the mismatching characters remain, which does not allow the ZSNS to proceed with the direct formation of CLSD. Elimination of these discrepancies can be implemented through the use of error-correcting coding. However, well-known error-correcting codes make it possible to encode sequences of significantly shorter length than the obtained secondary length of the PI (PRP), equal to the LU of binary symbols. For this, sequential coding is used, i.e. if the length of the PI (PRP) is large, for example, 10 ⁵ ÷ 10 ⁷ binary characters, it is divided into Y sub-blocks of length K characters, where

Each sub-block with a length of K characters is encoded by a linear systematic block noise-resistant (N, K) binary code, where K is the length of the block of information symbols of the code and N is the length of the code block. Linear binary code is a code that is built on the basis of the use of linear operations in the GF field (2), as described, for example, in the book of R. Bleikhut, "Theory and Practice of Error Control Codes", M., Mir, 1986, p. 61. The term "block code" means a code in which actions are performed on blocks of characters, as described, for example, in the book of R. Bleichut, "Theory and Practice of Error Control Codes", M., Mir, 1986, p. 13 A systematic code is a code in which the code word begins with information characters, the remaining characters of the code words are test symbols for information symbols, as described, for example, in the book of R. Bleikhut, "Theory and Practice of Error Control Codes", M., Mir, 1986, p. 66.

где

- определяется из выражения (1), a d - минимальное кодовое расстояние (N, K) кода, которое определяется, как минимальное число несовпадающих разрядов в двух любых кодовых словах (N,K) кода, как описано, например, в книге Ф. Мак-Вильямс, П. Слоэн, "Теория кодов, исправляющих ошибки", М., Связь, 1979, стр. 20.Then, the generated blocks of check symbols with a length of N - K binary characters are combined into a single block of test characters of a coded IP with a length of Y (N-K) binary characters and transmit it via the reverse communication channel without errors to the PermSN. At PerSNS, a block of verification symbols of the encoded IP is used to eliminate inconsistencies in the PDP with respect to the IP and receive DP. Then the probability of erroneous decoding of the PRP can be determined by the formula
P _e ≤1- (1-P _eo ) ^Y , (6)
where P ^eo is the probability of erroneous decoding of a sub-block of length K of binary characters, determined, as described, for example, in the book by F. Mc-Williams, P. Sloane, "Theory of error correction codes," M., Communication, 1979, p. 29 ,

Where

- is determined from expression (1), ad is the minimum code distance (N, K) of the code, which is defined as the minimum number of mismatched bits in any two code words (N, K) of the code, as described, for example, in the book by F. Mac -Williams, P. Sloan, "Theory of error-correcting codes," M., Communications, 1979, p. 20.

 A wide class of Bowes - Chowdhury - Hockingham codes, Hamming, Reed - Mahler, Reed - Solomon codes and other linear block codes characterized by their parameters N, K, d can be used as error-correcting codes. In the course of the application of the ZNSN of error-correcting coding, the intruder obtains additional information about the CLD by intercepting the block of verification symbols of the encoded IP transmitted over the reverse communication channel without errors. Using it, the violator also corrects part of the discrepancies in his version of the intercepted PRP with respect to the IP. This circumstance of ZSNS is taken into account when forming from the initial and decoded sequences of CLSD ZSNS.

 The elimination of discrepancies (errors) in the PDP on the PerSNS is implemented in the claimed method by the following sequence of actions. The coding of the original sequence on the PRNS is as follows. Previously, the original sequence is divided into K subblocks of length K of binary symbols, where Y = (L-U) / K, as shown in Fig. 18. Known methods of dividing a sequence into blocks of fixed length are described, for example, in the book of V. Vasiliev, V. Sviridenko, "Communication Systems", M., Higher School, 1987, p. 208.

Sequentially, starting from the 1st to the Yth, each j-th subunit, where j = 1, 2, 3,. . ..U, encode a linear block systematic binary noise-immunity (N, K) code (see Fig. 19). The generating code matrix has dimension K • N, and N> K. The sizes K and N of the generating matrix of the linear block systematic binary noise-immunity (N, K) code are chosen K = 1 ^t -1-m and N = 2 ^m -1, where m≥3, as described, for example, in the book of R. Bleikhut, "Theory and Practice of Error Control Codes," M., Mir, 1986, p. 71.

 For IP coding, each jth subblock of length K of binary symbols is multiplied by a generating matrix of a code and a jth code block of length N of binary symbols is obtained, as shown in FIG. Known methods for error-correcting coding of symbol blocks are described, for example, in the book of R. Bleichut, "Theory and Practice of Error Control Codes", M., Mir, 1986, p. 63.

 From the j-th code block, the j-th sub-block of check symbols of length N - K binary characters is isolated (see Fig. 21). Known methods for allocating fixed-length blocks are described, for example, in the book by V. Vasiliev, V. Sviridenko, “Communication Systems”, M., Higher School, 1987, p. 208.

 The j-th sub-block of check symbols is stored as the j-th sub-block of the block of check symbols of the encoded source sequence. A timing diagram for generating a block of verification symbols for a coded IP is shown in FIG. 22. Known methods for storing a sequence of bits are described, for example, in the book of L. Maltsev, E. Flomberg, V. Yampolsky, "Fundamentals of Digital Technology", M., Radio and Communications, 1986, p. 38.

 A block of verification symbols of the encoded IP is transmitted over the reverse communication channel without errors to the transmitting side of the communication direction. Known methods for transmitting sequences over communication channels are described, for example, in the book by A. Zyuko, D. Klovsky, M. Nazarov, L. Fink, "Theory of signal transmission", M., Radio and communications, 1986, p. 11.

 The formation of the decoded sequence on the transmitting side of the communication direction is as follows. The decoded sequence is formed from a preliminary sequence. The preliminary sequence and the block of check symbols of the encoded source sequence are divided into Y corresponding pairs of decoded sub-blocks (see Fig. 24) and sub-blocks of check symbols (see Fig. 23), where Y = (L-U) / K. The lengths of the decoded subblocks and subblocks of the check symbols are selected equal to K and N-K binary symbols, respectively. Known methods of dividing a sequence into blocks of fixed length are described, for example, in the book by V. Vasiliev, V. Sviridenko, “Communication Systems”, M., Higher School, 1987, p. 208.

Y received code blocks are formed with a length of N binary symbols by concatenating to the jth decoded subunit of the jth subunit of check symbols on the right, where j = 1, 2, 3, ..., Y, as shown in Fig. 25. Each of the Y received code blocks is decoded by a linear block systematic binary noise-immunity (N, K) code (see FIG. 25). The verification matrix of the code has the dimension (N-K) • N, and N> K. Select the sizes K and N of the verification matrix of the linear block systematic binary noise-immunity (N, K) code K = 2 ^t -1-m and N = 2 ^m -1, where m≥3, as described, for example, in the book of R. Bleikhut, "Theory and practice of error control codes," M., Mir, 1986, p. 71.

 Consistently, starting from the 1st to the Yth, the jth syndrome S of length N-K of binary symbols is calculated by multiplying the jth received code block by the transposed check matrix. A timing diagram for calculating the jth syndrome S of length N-K binary symbols is shown in FIG. 26. According to the obtained j-th syndrome S, errors are corrected in the j-th decoded sub-block (see Fig. 27). Known methods for syndromic decoding of symbol blocks are described, for example, in the book of R. Bleikhut, "Theory and Practice of Error Control Codes", M., Mir, 1986, p. 70.

 Then, the jth decoded subblock is stored as the jth subblock of the decoded sequence, as shown in FIG. Known methods for storing a sequence of bits are described, for example, in the book of L. Maltsev, E. Flomberg, V. Yampolsky, "Fundamentals of Digital Technology", M., Radio and Communications, 1986, p. 38. And thus, they receive DP on PersNS.

Example 2. The source data for example 2 take the source data and the results of example 1 (see above). When using the ZSNS, to correct inconsistent characters in the PRPs on the PerNS, a Hamming code with m = 9 receive a code with the characteristics: N = 511, K = 502, d = 3. According to expression (5), Y is obtained - the number of subblocks 502 binary characters long, Y = 172. According to expression (7), P _Ео is obtained - the probability of erroneous decoding of one sub-block, P _Ео = 1.28 • 10 ^-4 . Using expression (6) determine the probability R _E - the probability of erroneous decoding of the PRP length LU, R _E = 2,18 • 10 ^-2 .

 After the formation of the ZSNS of identical IPs on the PrSNS and the DP on the PerSNS, the ZSNS should form a CDS with a small amount of information of the violator about CSD. To provide a small amount of information about the CSP in the proposed method for the formation of CSP, the method of "secreting" the sequences of IP and DP based on universal hashing is used, as described, for example, in the book Bennett C., Brassard G., Crepeau S., Maurer U . "Generalized privacy amplification", IEEE Trans. on IT, vol. 41, N 6, p. 1915 - 1923, 1995, p. 1920.

The essence of the method of "enhancing secrecy" is as follows. At PersNS, the hash function is randomly selected from the universal set of hash functions. The hash function is transmitted via a direct communication channel without errors to the PRNS. Then the IP is hashed on the PRNS and the DP on the PRNS. The result of the hash will be the generated CLSD ZSNS. With a probability close to unity and equal to 1-Pε, an event occurs in which the information (Shannon information) of the intruder about the CJD does not exceed a certain small value I _о and with a low probability of failure Pε an event is possible in which the information of the intruder about CJD is more than I _about . Hashing SP (SP LU length binary symbols) are displayed in sequence K of length T _b binary symbols formed on KlShD PrSNS, Similarly, K is displayed in the sequence _and length T generated binary symbols hashing DP (DP LU binary characters). CLSD on PersNS. It is assumed that the intruder has complete information about the hashing function of the ZSNS sequences. The function of hashing sequences must satisfy a number of requirements, as described, for example, in the book by Yu. Romanets, P. Timofeev, V. Shangin, "Information Security in Computer Systems and Networks", M., Radio and Communications, 1999, p. 156:
the hash function must be sensitive to all kinds of changes in the sequence, such as inserts, outliers, permutations, etc .;
the hash function must have the property of irreversibility, i.e. the task of selecting another sequence that possesses the required value of the hash function should be computationally insoluble;
collision probability, i.e. the probability of an event in which the values of the hash function of two different sequences coincide should be negligible.

In addition, the hash function must belong to a universal set of hash functions. The universal set of hash functions is defined as follows. Let n and r be two positive integers, with n> r. The set of functions G2 that map the set of binary sequences of length n to the set of binary sequences of length r is called universal if, for any different sequences x ₁ and x ₂ from the set of binary sequences of length n, the probability (collision) that the value of the hash function of x ₁ is the value of the hash function from x ₂ (g (x ₁ ) = g (x ₂ )), not more than 2 ^-r , with a random choice of the hash function g, in accordance with the equiprobable distribution, from G2, as described, for example, in Carter J., Wegman M., "Universal cla sses of hash functions ", Journal of Computer and System Sciences, 1979, vol. 18, p. 143-154, p. 145.

 All linear functions that map the set of binary sequences of length n to the set of binary sequences of length r belong to the universal set, as described, for example, in Carter J., Wegman M., "Universal classes of hash functions", Journal of Computer and System Sciences 1979, vol. 18, p. 143-154, p. 150.

Linear functions can be described by binary matrices of dimension n • r. Storage of the universal set G2 of sequence hashing functions for UIs and DPs (the number of hashing functions of the sequences belonging to the universal set G2 is large and amounts to 2 ^{T (LU)} , and each storage hashing function requires T (LU) memory cells for storage) is difficult and impractical . Therefore, the random equiprobable choice of the hashing function of sequences from the universal set G2 of the functions of hashing sequences on the PerSNS consists in randomly generating each of the elements of a binary matrix of dimension (LU) • T, which describes a randomly selected hashing function of sequences from the universal set of hashing functions of sequences G2.

где I_R - информации Реньи. Информация Реньи I_R определяется через выражение для энтропии Реньи на символ (энтропия Реньи на символ зависит от вероятности ошибки на бит р_w в канале перехвата), которая характеризует неопределенность нарушителя о КлШД, при знании нарушителем информации полученной с помощью канала перехвата, полной информации о алгоритме взаимодействия законных сторон НС и их действиям по формированию КлШД, как описано, например, в книге Bennett С., Brassard G., Crepeau С., Maurer U. "Generalized privacy amplification", IEEE Trans. on IT, vol. 41, N 6, p. 1915 -1923, 1995, стр. 1919.After the formation of the CLSD WSS by hashing the AI and DP using a randomly generated binary matrix of dimension (LU) • T, the amount of Shannon information received by the intruder about the CLSD generated by the WSS is no more than

where I _R is Renyi's information. Renyi information I _R is determined through the expression for the Renyi entropy per symbol (the Renyi entropy per symbol depends on the probability of an error per bit p _w in the interception channel), which characterizes the intruder’s uncertainty about CWD, when the intruder knows the information received using the interception channel, full information about the algorithm for the interaction of the legitimate parties of the National Assembly and their actions for the formation of CLS, as described, for example, in the book Bennett S., Brassard G., Crepeau S., Maurer U. "Generalized privacy amplification", IEEE Trans. on IT, vol. 41, N 6, p. 1915-1923, 1995, p. 1919.

Renyi entropy is equal to
H _RDSK = _{-log 2} {p ^w2 + (1-p _w ) ² }. (9)
Then the Renyi information I _R obtained by the intruder when intercepting the sequence of IP length LU characters is determined by the expression
I _R = (LU) (1-log2 {p _w ² + (1-p _w ) ² )}). (10)
When eliminating the MSS of inconsistencies (errors) in the PRSN to the PerSNS, when the block of verification symbols of encoded IP length Y (N - K) binary characters is transmitted from the PRSNS without errors to the PerSNS, the intruder receives additional Renyi information about the IP (CLC). Additional information Renyi obtained by the intruder by encoding the IP I _{R code} is equal to I _{R code} = Y (N - К), as proved, for example, in Lemma 5 of Maurer U. "Linking Information Reconciliation and Privacy Amplification", J. Cryptology, 1997, N 10, p. 97-110, p. 105.

Количество информации Шеннона, получаемое нарушителем о сформированном ЗСНС КлШД, при использовании ЗСНС метода "усиления секретности", может быть больше ограничения I_о (определенного в (12)) с малой вероятностью сбоя Pε.
Энтропия Реньи и вероятность Pε, при использовании ЗСНС зашумляющего блока двоичных символов для кода с повторениями и формировании ИП на ПрСНС и ДП на ПерСНС, определяются более сложными соотношениями. Определение энтропии Реньи и вероятности Pε, при использовании ЗСНС зашумляющего блока двоичных символов для кода с повторениями и формировании ИП на ПрСНС и ДП на ПерСНС, приведено в Приложении 1.Then the total amount of Renyi’s information received by the intruder is
I _Rtotal = I _R + Y (NK). (eleven)
In this case (8), takes the form

The amount of Shannon’s information received by the intruder about the CLSD generated by the CCSS using the SCCS method of “secrecy enhancement” may be greater than the restriction I _о (defined in (12)) with a low probability of Pε failure.
The Renyi entropy and probability Pε, when using the ZSSN of a noisy block of binary symbols for a code with repetitions and the formation of SP on PRSNS and DP on PersNS, are determined by more complex relationships. The determination of the Renyi entropy and probability Pε, when using the ZSNS of a noisy block of binary symbols for a code with repetitions and the formation of SPs on PrSNS and DP on PersNSs, is given in Appendix 1.

 To ensure a small amount of information on the CLS offender in the proposed method of forming CLS (using the method of "secrecy enhancement"), the following sequence of actions is implemented. The formation of CLSD from the original and decoded sequences is as follows. A function of hashing sequences is formed on the PerSNS in the form of a binary matrix G of dimension (L-U) • T, where T≥64 is the required length of the generated CD. Each of the elements of the binary matrix G is randomly generated (see FIG. 29). Known methods for generating random numbers are described, for example, in the book of D. Knut, "The Art of Computer Programming", M., Mir, 1977, v.2, p. 22.

 The sequence hashing function is transmitted over the forward communication channel without errors to the receiving side of the communication direction, sequentially, starting from the 1st through the (L-U) th row of the binary matrix G, as shown in FIG. 30. Known methods for transmitting sequences over communication channels are described, for example, in the book by A. Zyuko, D. Klovsky, M. Nazarov, L. Fink, "Theory of signal transmission", M., Radio and communications, 1986, p. 11.

 The CLD on the receiving side of the communication direction is formed by hashing the IP (see Fig. 31) according to the sequence hashing function formed on the transmitting side of the communication direction, as shown in Fig. 32. The CLD on the transmitting side of the communication direction is formed by hashing DP (see FIG. 33) according to the hashing function of the sequences generated on the transmitting side of the communication direction, as shown in FIG. 34. When forming a CDS, the binary matrix G and the initial sequence are preliminary on the receiving side of the communication direction, and the binary matrix G and the decoded sequence on the transmitting side of the communication direction are divided into W of the corresponding pairs of submatrices of dimension P • T, where P = (LU) / W, and subblocks of the original and decoded sequences of length P of binary symbols. Known methods of dividing a sequence into subblocks of fixed length are described, for example, in the book by V. Vasiliev, V. Sviridenko, “Communication Systems”, M., Higher School, 1987, p. 208.

Then, sequentially, starting from the 1st to the Wth, the zth primary key of length T of binary symbols is calculated, where z = 1, 2, 3, ..., W, by multiplying the zth subblock of the original sequence by z- nth submatrix G _z on the receiving side of the communication direction and the zth subblock of the decoded sequence on the zth submatrix G _z on the transmitting side of the communication direction. Then, a CWD is formed by bitwise summing modulo two W primary keys, respectively, on the receiving and transmitting sides of the communication direction, as shown in Fig. 35.

 The intruder still has the opportunity to obtain complete information about the CLSD of the ZSNS as a result of the theft of information carriers about IP and (DP, PRP), unauthorized access to information about IP (DP, PRP), disclosure of information about IP (DP, PRP), etc. at least one of the legal parties of the National Assembly. To exclude this possibility, the intruder ZSNS after the formation of CLSD erase the IP on the receiving side of the communication direction and DP, PRP on the transmitting side of the communication direction. The actions for transmitting and receiving sequences over the communication channel with errors, the forward and reverse communication channels are synchronized without errors. Known methods of synchronization are described, for example, in the book of E. Martynov, "Synchronization in transmission systems of discrete messages", M., Communication, 1972, p.186.

Example 3. The source data for example 3 take the source data and the results of examples 1 and 2 (see above). ZSNS form CLSD with length T = 64 bits. ZSNS use the binary matrix G of dimension 86344 • 64 formed on PerSNS. The average entropy of Repyi R _{o is} determined for the received code block with repetitions of length M + 1 = 4 binary symbols, equal to R ₀ = 2,155-10 ^-2 , ε is the value that determines the deviation of the Renyi entropy to the received code block with repetitions from R ₀ , ε = 2.685 • 10 ^-3 . The value of the probability of failure Pε, Pε = 2.458 • 10 ^{-8 is} determined while providing information of the intruder about the generated CDS of not more than I _о , where I _о = 7.96 • 10 ^-6 bits. With so much information about CLS, the attacker can only use the CLS enumeration, the time for which will be about 86 days (it is likely that the current CLSD will be replaced several times during this period of time by the MSS), i.e. continuous operation time of one of the most powerful computers of the INTEL ASCI RED type (which is used by the NSA of the USA), as described, for example, in the journal "Confident. Information Protection", May - June, 3, 1998, p. 69, article Yu. E. Pudovenko "When the time comes to pick up the keys."

 The method of "secrecy enhancement" used in the proposed method is more powerful in terms of resistance to compromise of the generated CFSN WSD as compared to the compression algorithm used by the prototype method (see page 11 for the description of the prototype method in English). The term “stronger in compromising resistance of the generated CLSD” means that when using the “secrecy enhancement” method, the maximum amount of information of the violator about CLSD (which does not depend on the information processing strategies used by the violator) is limited from above with a probability close to unity. This restriction is mathematically proven, as shown, for example, in Bennett S., Brassard G., Crepeau S., Maurer U. "Generalized privacy amplification", IEEE Trans. on IT, vol. 41, N 6, p. 1915 - 1923, 1995, p. 1920. This evidence regarding the compression algorithm used by the prototype method is not known, therefore it is difficult to predict the maximum amount of information of the intruder about the generated CSN CLS (when using the compression method of the method - prototype), taking into account the real capabilities of the violator , which uses powerful computing tools and modern methods of cryptanalysis.

Claims (5)

1. The method of generating the encryption / decryption key, which consists in the fact that they form the original sequence on the receiving side of the communication direction, encode it, extract the block of check symbols from the encoded original sequence, transmit it via the reverse communication channel without errors to the transmitting side of the communication direction, where form a decoded sequence, and from the original and decoded sequences form the encryption / decryption key, characterized in that for the formation of the original sequence L times, where L> 10 ⁴ is the selected primary length of the original sequence, a noisy binary symbol block is formed on the transmitting side of the communication direction, with each i-th bit of the noisy binary symbol block, where i = 1, 2, 3,. . . , M + 1, randomly generated, where M≥1, transmit it via the error channel to the receiving side of the communication direction, generate a random bit on the receiving side of the communication direction, generate a code word from it, and to generate a code word, a generated random bit repeat M times, generate a noisy codeword by bitwise summing modulo 2 of the received noisy binary symbol block and the generated codeword, transmit the noisy codeword over the reverse link without error and the transmitting side of the communication direction, where the received codeword is formed from the noisy code word by bitwise modulo 2 summation of the noisy binary symbol block and the noisy code word, then the received bit is formed from the received code word by assigning it the value of the first bit of the received code word, the bit is formed confirmation F, and to form a confirmation bit, the first bit of the received codeword is compared with the subsequent M bits of the received codeword, after which, if any M matches the first bit of the received codeword with M bits of the received codeword, the confirmation bit F is set to one, and if there is at least one mismatch of the first bit of the received codeword with M bits of the received code word, the confirmation bit F is set to zero, the confirmation bit F is transmitted to the direct communication channel without errors to the receiving side of the communication direction, when the confirmation bit F is zero, the generated random bit and the received bit are erased, and when the confirmation bit F is equal to unity ingly random bit and the received bit is simultaneously stored respectively at the receiving and transmitting sides of the connection destinations as i-th elements, where i = 1, 2, 3,. . . , LU, of the initial and preliminary sequences, respectively, on the receiving and transmitting sides of the communication direction, where U is the number of erased characters during the formation of the initial and preliminary sequences, and the decoded sequence on the transmitting side of the communication direction is formed and stored from the preliminary sequence, after the initial and decoded sequences are generated on the transmitting side of the communication direction form a function of hashing sequences in the form of binary ith matrix G of dimension (LU) хТ, where Т≥64 is the length of the generated encryption / decryption key, and each of the elements of the binary matrix G is randomly generated, then it is transmitted via the forward communication channel without errors to the receiving side of the communication direction by sequential line-wise transmission starting from the 1st through the (LU) th row of the binary matrix G, after which the binary matrix G and the original sequence are on the receiving side of the communication direction, and the binary matrix G and the decoded sequence are on the transmitting side of the communication direction be divided into W corresponding pairs of submatrices of dimension PxT, where P = (LU) / W, and subblocks of the original and decoded sequences of length B of binary symbols, then starting from the 1st to the Wth, the zth primary key of length T binary is calculated characters, where z = 1, 2, 3,. . . , W, by multiplying the zth subblock of the original sequence by the zth submatrix G _z on the receiving side of the communication direction and the zth subblock of the decoded sequence by the zth submatrix G _z on the transmitting side of the communication direction, after which an encryption / decryption key is generated by bitwise sum modulo 2 W of the primary keys on the receiving and transmitting sides of the communication direction, then on the receiving side of the communication direction erase the original sequence, and on the transmitting side of the communication direction erase th and decoded sequence.  2. The method according to p. 1, characterized in that the source sequence is encoded on the receiving side of the communication direction by a linear block systematic binary noise-tolerant (N, K) code, the generating matrix of which has the dimension KxN, with N> K, for which the initial sequence is preliminarily divided on Y subblocks of length K of binary characters, where Y = (LU) / K, then sequentially starting from the 1st to the Yth of each j-th subunit, where j = 1, 2, 3,. . . , Y, form the j-th code block with a length of N binary symbols by multiplying the j-th subblock by the generating matrix, then from the j-th code block, the j-th sub-block of test symbols with a length of N-K binary symbols is extracted, which is stored as the j-th a subblock of the block of check symbols of the encoded source sequence. 3. The method according to p. 2, characterized in that the sizes K and N of the generating matrix of the linear block systematic binary noise-immune (N, K) code are chosen K = 2 ^m -1-m and N = 2 ^m -1, where m≥3 .  4. The method according to any one of paragraphs. 1 and 2, characterized in that to form a decoded sequence, the preliminary sequence is decoded on the transmitting side of the communication direction by a linear block systematic binary noise-resistant (N, K) code, the verification matrix of which has the dimension (N-K) xN, and N> K, for whereupon the preliminary sequence and the block of check symbols of the encoded source coded sequence are divided into Y corresponding pairs of decoded subblocks and subblocks of check symbols, where Y = (LU) / K, pr than the lengths of decoded subblocks and subblocks of check symbols are chosen equal to K and N-K binary characters, respectively, then Y received code blocks of length N binary characters are formed by concatenating to the jth decoded subblock of the jth subblock of check symbols to the right, where j = 1, 2, 3,. . . , Y, then sequentially, starting from the 1st to the Yth, calculate the j-th syndrome S of length N-K binary characters by multiplying the j-th received code block by the transposed check matrix, and correct errors by the obtained j-th syndrome S in the jth decoded subblock, which is then stored as the jth subblock of the decoded sequence. 5. The method according to p. 4, characterized in that the sizes K and N are selected for the verification matrix of the linear block systematic binary noise-immunity (N, K) code K = 2 ^m -1-m and N = 2 ^m -1, where m≥3 .

Images