RU2183051C2 - Process of formation of encryption/decryption key - Google Patents

Abstract

FIELD: cryptography. SUBSTANCE: invention can be used as individual element in development of symmetrical cryptographic systems designed to transmit encoded speech, sound, television and other messages. Technical result achieved by realization of proposed technical decision lies in development of method of formation of encryption/decryption key with provision for increased stability of formed encryption/decryption key and for compromising transgressor. Process of formation of encryption/decryption key ensures formation of initial sequence at receiving side of communication route, its encryption, extraction of block of test symbols from encrypted initial sequence, its transmission over backward communication channel without any errors to transmitting side of route, formation of decrypted sequence at transmitting side of route, formation of hashing function of sequences at transmitting side of route, its transmission without any errors over forward communication channel to receiving side of route and formation of encryption/decryption keys at receiving and transmission sides of route by way of hashing initial and decrypted sequences with use of function of hashing of sequences at transmitting side of route, erasure of initial and decrypted sequences. EFFECT: increased stability of formed encryption/decryption keys. 10 l, 29 dwg

Description

 The invention relates to the field of cryptography, in particular to the formation of an encryption / decryption key (CLSD), and can be used as a separate element in the construction of symmetric cryptographic systems designed to transmit encrypted speech, sound, television and other messages.

 The proposed method for generating CDS can be used in cryptographic systems if there is no or loss of cryptocurrency (cryptocurrency - the legal parties have the same CDS) between the legitimate parties of the communication direction (NS) (legal parties of the NS are authorized participants in the exchange of information) or the establishment of cryptocurrency between new legitimate parties NS (ZSNS) when the intruder conducts the interception of information transmitted over open communication channels.

There is a known method of generating CLSD described in the book of W. Diffie "The First Ten Public Key Cryptographies", TIIER, v. 76, 5, p. 57 and 58. The known method consists in the preliminary distribution between the legal parties of the direction of communication of the numbers α and β, where α is a prime number and 1≤β≤α-1. The transmitting side of the NS (PerSNS) and the receiving side of the NS (PrSNS), independently from each other, choose random corresponding numbers X _A and X _B , which are kept secret and then form numbers based on X _A , α, β on PersNS and X _B , α, β on PrSNS. ZSNS exchange the received numbers on communication channels without errors. After receiving the numbers of correspondents, the legal parties convert the received numbers using their secret numbers into a single CLSD. The method allows you to encrypt information during each communication session on the new CLSD (i.e., it excludes the storage of key information on media) and relatively quickly form CLDS using one unprotected communication channel.

 However, the known method has low resistance to CLSD to compromise (resistance of CLSD to compromise is the ability of the cryptographic system to resist attempts by an intruder to obtain CLSD, which is generated and used by legitimate parties of the National Assembly, when the intruder uses information about CLSD obtained from interception, theft and loss of media, disclosure , analysis, etc.), the validity of the CL is limited by the duration of one communication session or part thereof, an incorrect distribution of the numbers α and β leads to impossible ti KlShD formation.

 There is also a known method for generating CLD using a quantum communication channel (US Pat. No. 5,515,438, H 04 L 9/00 of 05/07/96), which allows the automatic formation of CLD without additional measures for sending (delivering) a preliminary sequence. The known method consists in using the uncertainty principle of quantum physics and generates a CDS by transmitting photons through a quantum channel. The method provides receiving CWSD with high resistance to compromise, provides guaranteed control of the presence and degree of interception of CWSD.

 However, the implementation of the known method requires high-precision equipment, which leads to the high cost of its implementation. In addition, CWD by this method can be formed using fiber-optic communication lines of limited length, which significantly limits its scope in practice.

Closest to the technical nature of the claimed method for the formation of CLSD is the method of forming CLSD based on the information difference (patent EP 0511420 A1, IPC ⁶ H 04 L 9/08 of 11/04/92).

 The prototype method consists in forming an initial sequence (IP) on the transmitting side of the communication direction, encoding the IP, extracting a block of test symbols from the encoded IP, transferring it via the direct communication channel without errors to the receiving side of the communication direction, and forming a decoded sequence (DP) at the receiving side of the direction of communication and the formation of IP and DP CLSD.

 The formation of the IS on the transmitting side of the NS consists in extracting the first part of the IS of length L binary symbols from the pre-generated correlated sequence of PerNSs, randomly generating the second part of the IS - R of length M of binary symbols, concatenation (concatenation is the sequential connection of the sequences to each other on the right) of the first and the second part of the IP and obtaining the IP of length K of binary characters, where K = L + M.

 Encoding IP linear block systematic noise-tolerant (K, N) code, where N is the length of the encoded IP and N = 2K-1. The formation of each i-th verification symbol of the block of verification symbols of the encoded IP is performed by modulo 2 addition of the first and (i + 1) -th binary symbols of the IP, where i = 1, 2, 3, ..., (N-K).

 The allocation of the block of verification symbols of the encoded IP consists in splitting the encoded IP into IP and the block of verification symbols of the encoded IP and highlighting the latter.

 The transmission of the block of verification symbols of the encoded IP via the direct communication channel without errors to the receiving side of the NS consists in transmitting it from the transmitting side of the NS through the direct communication channel without errors to the receiving side of the NS.

 The formation of the DP on the receiving side of the NS is carried out as follows, the first part of the preliminary sequence (PDP) of length L binary symbols corresponding to the first part of the IP on the transmitting side of the communication direction is extracted from the pre-formed correlated sequence of the PRNS, then a block of check symbols of the first part of the PDP of length L -1 binary characters. Each i-th verification symbol of the block of verification symbols of the first part of the PDP is formed by modulo 2 addition of the first and (i + 1) -th binary characters of the first part of the PDP, where i = 1, 2, 3, .., (L-1) . The block of check characters of the first part of the PDP is bitwise compared with the first L-1 binary characters of the received block of check characters of the encoded UI, if at least one mismatch occurs, the confirmation bit F is set to zero (F = 0) and the first part of the PDP is erased, the block of check characters of the first part PDP, the received block of verification symbols of the encoded IP, and if they coincide completely, the confirmation bit F is assigned the value one (F = 1) and the second part of the PDP of length M is formed by modulo 2 adding the first character the first part of the PDP and the i + (L-1) -th character of the received block of verification characters of the encoded IP, where f = 1, 2, 3, ..., M. Then, a DP of length K is formed, where K = L + M, by concatenation the first part of the PDP and the second part of the PDP. A confirmation bit is transmitted via the reverse communication channel without errors to the transmitting side of the NS.

 The formation of the CSP part from the IP and the DP consists in the linear conversion of the CID and the DP into the CSP part by modulo 2 addition of the IP symbols on the transmitting side of the NS and the DP on the receiving side of the NS if the legitimate parties of the NS have a confirmation bit equal to one (F = 1), and if the legitimate parties of the National Assembly have a confirmation bit equal to zero (F = 0), the IP on the PRSNS and the first part of the PRP on the PRNS are erased.

 The specified sequence of actions is repeated a certain number of times until the CLSD of the required length is generated.

 The prototype method allows you to create CLS between the legitimate parties of the National Assembly with relatively small material costs with a large spatial diversity of the legal parties of the National Assembly.

 The disadvantage of the prototype of the claimed method is the low resistance of the generated CDS to compromise, which is caused by the formation of CDS from parts of CDS, formed on the basis of sequential processing of short sequences of binary symbols isolated from pre-formed correlated sequences of the legitimate sides of the NS (short sequence processing increases the likelihood of reliable knowledge of the formed part by the intruder CLSD, which facilitates cryptanalysis of the formed CLSD, on for example, when using the brute force method (the CLSD brute force method is based on the intruder trying all possible CLSD when trying to decrypt the intercepted cryptogram until a meaningful message is received from the cryptogram) CLSD) and the need to store the pre-formed correlated sequences of NS sides on media (as described, for example, in the book by Y. Romanets, P. Timofeev, V. Shangin, "Information Protection in Computer Systems and Networks", M.: Radio and Communications, 1999, p. 174). In addition, the error-free channels used in the prototype method are not protected by methods of authentication of received messages (message authentication - the process of verifying the authenticity (absence of falsification or distortion) of arbitrary messages received from a communication channel), which determines the high probability of an intruder imposing a false message during the formation of the CDS , which also reduces the resistance of CLShD to compromise by the offender.

 The purpose of the claimed technical solution is the development of a method for forming a classifier, which provides increased resistance of the formed classifier to compromise by the violator.

This goal is achieved by the fact that in the known method of generating an encryption / decryption key, which consists in generating the original sequence, encoding it, extracting a block of check symbols from the encoded original sequence, transmitting it via the communication channel without errors and generating the decoded sequence from the original and decoded sequences form the encryption / decryption key on the transmitting side of the communication direction to form the original sequence L times, where L> 10 ⁴ - the selected primary length of the original sequence, generate a random bit. A codeword is formed from a random bit. The codeword is transmitted over the communication channel with errors to the receiving side of the communication direction. On the receiving side of the communication direction, the received bit and the confirmation bit F are formed from the received code word. The confirmation bit is transmitted on the reverse channel without errors to the transmitting side of the communication direction. The received bit and the generated random bit are erased respectively on the receiving and transmitting sides of the communication direction if the confirmation bit F is zero. When the confirmation bit F is equal to unity, the received bit and the generated random bit are stored, respectively, on the receiving and transmitting sides of the communication direction as ix elements, where i = 1, 2, 3, ..., LU, the initial and preliminary sequences, where U - the number of erased characters in the formation of the source and preliminary sequences. The decoded sequence on the transmitting side of the communication direction is formed from a preliminary sequence. After the initial and decoded sequences are formed, the hashing function of the sequences is formed on the transmitting side of the communication direction. The sequence hashing function is transmitted over the forward communication channel without errors to the receiving side of the communication direction. The encryption / decryption keys on the receiving and transmitting sides of the communication direction are generated by hashing the original and decoded sequences using the sequence hashing function generated on the transmitting side of the communication direction. Then, the original sequence on the receiving side of the communication direction and the decoded sequence on the transmitting side of the communication direction are erased. The initial sequence on the receiving side of the communication direction is encoded by a linear block systematic binary noise-immunity (N, K) code, the generating matrix of which has the dimension KxN, with N> K. When encoding the original sequence, the initial sequence is preliminarily divided into Y subblocks of length K of binary symbols, where Y = (LU) / K. Then, sequentially, starting from the 1st to the Yth of each j-th subunit, where j = 1, 2, 3, ..., Y, form the j-th code block with a length of N binary characters by multiplying the j-th subunit on the generating matrix. From the j-th code block, the j-th sub-block of check symbols with the length of N-K binary characters is extracted. The j-th sub-block of check symbols is stored as the j-th sub-block of the block of check symbols of the encoded source sequence. The sizes K and N of the generator matrix of the linear block systematic binary noise-immunity (N, K) code are chosen K = 2 ^m -1-m and N = 2 ^m -1, where m≥3. To generate the codeword, the generated random bit is repeated M times, where M≥1. The received bit is assigned the value of the first bit of the received codeword. To form a confirmation bit, the first bit of the received codeword is compared with the subsequent M bits of the received codeword. Then, if M matches the first bit of the received codeword with the M bits of the received codeword, the confirmation bit is assigned the value one. If there is at least one mismatch of the first bit of the received codeword with M bits of the received generic word, the confirmation bit is assigned the value zero. To form a decoded sequence on the transmitting side of the communication direction, the preliminary sequence is decoded by a linear block systematic binary noise-resistant (N, K) code, the verification matrix of which has the dimension (N-K) x N, and N> K. When forming the decoded sequence, the preliminary sequence and the block of check symbols of the encoded source coded sequence are divided into Y corresponding pairs of decoded sub-blocks and sub-blocks of check symbols, where Y = (LU) / K. The lengths of the decoded subblocks and subblocks of the check symbols are selected equal to K and N-K binary symbols, respectively. Then, Y received code blocks with a length of N binary symbols are formed by concatenating to the right of the jth decoded sub-block j-ro of the sub-block of check symbols, where j = 1, 2, 3,. .., Y. Then, sequentially, from the 1st to the Yth, the jth syndrome S of length N-K of binary symbols is calculated by multiplying the jth received code block by the transposed check matrix. According to the obtained jth syndrome S, errors are corrected in the jth decoded subunit. Then, the jth decoded sub-block is stored as the j-ro sub-block of the decoded sequence. Choose the sizes K and N of the verification matrix of the linear block systematic binary noise-immunity (N, K) code K = 2 ^m -1-m and N = 2 ^m -1, where m≥3. The hashing function of the sequences on the transmitting side of the communication direction is formed in the form of a binary matrix G of dimension (LU) x T, where T≥64 is the length of the generated encryption / decryption key. Each of the elements of the binary matrix G is randomly generated. The sequence hashing function is transmitted sequentially, starting from the 1st through the (LU) th row of the binary matrix G. When generating the encryption / decryption key, the binary matrix G and the original sequence are divided into W corresponding pairs of submatrices of dimension P x T on the receiving side of the communication direction , where P = (LU) / W, and subblocks of the original sequence of length B of binary characters. When generating the encryption / decryption key previously on the transmitting side of the communication direction, the binary matrix G and the decoded sequence are divided into W of the corresponding pairs of submatrices of dimension P x T, where P = (LU) / W, and subblocks of the decoded sequence of length B of binary symbols. Then, starting from the 1st to the Wth, the zth primary key of length T of binary symbols is calculated, where z = 1, 2, 3, ..., W, by multiplying the zth subblock of the original sequence by the zth submatrix G _z on the receiving side of the communication direction and the zth subblock of the decoded sequence on the zth submatrix G _z on the transmitting side of the communication direction. An encryption / decryption key is formed by bitwise summing modulo two W primary keys on the receiving and transmitting sides of the communication direction.

 The indicated new set of essential features due to processing (hashing method) of long IP and DP sequences, formation of IP and DP using an error communication channel and the use of authenticated communication channels will increase the resistance of the generated CDS to compromise against the intruder.

 The analysis of the prior art made it possible to establish that analogues that are characterized by a combination of features that are identical to all the features of the claimed solution are absent, which indicates the compliance of the claimed method with the condition of patentability "novelty". Search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the prototype of the claimed method showed that they do not follow explicitly from the prior art. The prior art also did not reveal the popularity of the impact provided by the essential features of the claimed invention transformations to achieve the specified technical result. Therefore, the claimed invention meets the condition of patentability "inventive step".

The claimed method is illustrated by figures, which show:
in FIG. 1 is a generalized structural diagram of the NS used in the claimed method;
in FIG. 2 is a timing chart for generating a random bit;
in FIG. 3 is a timing chart for generating a codeword;
in FIG. 4 is a timing diagram of an error vector in an error communication channel;
in FIG. 5 is a timing chart of a received codeword;
in FIG. 6 is a timing diagram of the formation of a confirmation bit;
in FIG. 7 is a timing chart of the formation of a received bit;
in FIG. 8 is a timing chart of a received confirmation bit;
in FIG. 9 is a timing chart of a stored i-th element of the original sequence;
in FIG. 10 is a timing chart of a stored i-th element of a preliminary sequence;
in FIG. 11 is a timing chart of a generated preliminary sequence;
in FIG. 12 is a timing chart of the generated original sequence divided into Y sub-blocks of K characters;
in FIG. 13 is a timing chart of the selected j-th subblock IP;
in FIG. 14 is a timing diagram of the formation of the j-th code block with a length of N binary symbols;
in FIG. 15 is a timing chart of the allocation of the jth subblock of check symbols of length N-K binary characters;
in FIG. 16 is a timing chart for generating a block of check symbols of an encoded IP from Y sub-blocks of check symbols;
in FIG. 17 is a timing chart of a block of check symbols of a coded source sequence divided into Y sub-blocks of check characters of length N-K binary characters, and the allocation of the j-th block of check characters from it;
in FIG. 18 is a timing diagram of a preliminary sequence of K symbols divided into Y decoded subunits and the allocation of the jth decoded subunit from it;
in FIG. 19 is a timing diagram of concatenation on the right of the jth decoded subblock and the jth subblock of check symbols;
in FIG. 20 is a timing chart for calculating the jth syndrome S of length N - K binary characters;
in FIG. 21 is a timing chart of error correction in the jth decoded subunit according to the obtained jth syndrome S;
in FIG. 22 is a timing chart for generating a decoded sequence of Y decoded subunits;
in FIG. 23 is a view of a generated sequence hashing function;
in FIG. 24 is a timing chart of a transferred sequence hashing function;
in FIG. 25 is a time chart of the generated IP;
in FIG. 26 is a timing diagram of the generated CLSD K _in ;
in FIG. 27 is a time chart of the formed DP;
in FIG. 28 is a timing diagram of the generated CLSD K _A ;
in FIG. 29 is a timing diagram of the formation of CLShD.

 On the presented figures, the letter "A" denotes the actions that occur on the transmitting side of the NS, the letter "B" - on the receiving side of the NS. In the figures, the hatched pulse is a binary symbol "1", and unshaded pulse is a binary symbol "0". The signs “+” and “x” denote addition and multiplication in the Galois field GF (2). The upper alphabetic indices indicate the length of the sequence (block), the lower alphabetic indices indicate the number of the element in the sequence (block).

 The implementation of the claimed method is as follows. Modern cryptosystems are constructed according to the Kirkhoff principle, described, for example, in the book of D. Messi, "Introduction to Modern Cryptology", TIIER vol. 76, 5, May 1988, p. 24, according to which the full knowledge of the intruder includes, in addition to information obtained by interception, complete information about the algorithm for the interaction of the legitimate parties of the National Assembly and the process of generating the CJD. The formation of a common CLSD can be divided into three main stages. The first stage is to ensure the presence of pre-formed correlated sequences of binary symbols from the legitimate parties of the National Assembly as the source material for the formation of CLSD. It is assumed that the violator has its own pre-formed correlated sequence (PSCP), correlated with the PSCP of the legitimate parties of the National Assembly. The second stage is designed to ensure the formation of CLS with high reliability. The formation of CLSD with high reliability is achieved by eliminating (correcting) inconsistent characters (errors) in the PSKP of one legitimate NS side (PSKP on the PRSNS) relative to the PSKP of the other legitimate side of the NS (PSKP on the PRSNS), when using the ZSNS additional information about PSKP (PSKP on the PRSNS) transmitted over the communication channel without errors. It is assumed that the intruder uses additional information to eliminate inconsistencies in the PSCP-ts of the ZSNS to eliminate inconsistencies in his PSCP-ts with the sequences of the ZSNS. The third stage is designed to ensure the formation of CLS with a low level of information on the CLS by the offender by compressing the identical sequences of the legitimate sides of the NS that were received by the ZSNS after the end of the second stage. It is assumed that the attacker knows the sequence compression algorithm used by the MSS. The storage by legal parties of the NS at the first stage of the PSKP-tei leads to a decrease in the resistance of the generated CDS to compromise, because it is possible for an intruder to obtain information about the PSCP of at least one of the legitimate parties of the National Assembly as a result of theft of information carriers, unauthorized access, disclosure of information, etc. This requires measures to ensure reliable storage of complete information about the PSCP-ts of the ZSNS. On the other hand, when legitimate parties perform actions of the NS of the second and third stages to obtain a part of CLSD on the same short sequences isolated from the SSPS of the ZSNS, the probability of reliable knowledge of the formed part of CLSD by the violator increases. This also leads to a decrease in the resistance of the generated key to compromise. In addition, when the legitimate parties of the National Assembly take actions to exchange information through open communication channels, the intruder can impose his CLSD (or part of CLSD) on the CSNS, which leads to a decrease in the resistance of the generated CLSD to compromise. Therefore, for the formation of CLSD, it is necessary to exclude the storage of PSCP-tei from the MSS by simultaneously generating them when using the MSS of the communication channel with errors (the possibility of generating the CLSD is based on the independence of errors in the communication channel with errors of the legitimate sides of the NS and errors in the interceptor interception channel), to form the CLSD by hashing the obtained identical sequences of full length (the hashing function of the sequences satisfies a number of requirements and the length of the PSKP (IP) block, to which e characters, should be significantly less than the total length of the received identical ZSNS sequences (IP and DP) to be hashed) and all communication channels should be protected by authentication methods of received messages. Message authentication methods do not fall within the scope of the proposed method. Known methods for authenticating messages are described, for example, in the book by D. Simmons, “Overview of Information Authentication Methods,” TIIER, v. 76, 5, May 1988, p. 106.

 In the claimed method of generating an encryption / decryption key to ensure increased resistance of the generated CDS to compromise, the following sequence of actions is implemented.

где р_ac - вероятность, с которой принимается блок (длиной М+1 двоичных символов) с М повторениями на ПрСНС, которая определяется с помощью выражения
P_ac= P $\genfrac{}{}{0ex}{}{\text{M+1}}{\text{m}}$ +(1-p_m)^M+1. (2)
Вероятность ошибки на двоичный символ (соответствующий сохраненным ЗСНС символам) в ПРП нарушителя будет зависеть от выбранного им правила приема. Так, если р_w - вероятность ошибки на бит в канале перехвата и нарушитель декодирует по мажоритарному правилу (мажоритарное правило декодирования - правило, когда решение о информационном символе принятого блока кода с повторениями выносится согласно большего количества одинаковых символов в принятом блоке кода с повторениями), то вероятность ошибки на бит для принятых информационных символов нарушителя относительно переданной от ПерСНС по основному каналу ПРП может быть выражена как

Однако ИП формируется на ПрСНС и относительно ее будут исправляться несовпадающие символы (ошибки) в ПРП на ПерСНС. Тогда вероятность ошибки на бит для принятого информационного символа нарушителя относительно принятого информационного символа ИП на ПрСНС будет зависеть от вероятности несовпадения (ошибки) соответствующих двоичных символов в ПРП на ПерСНС и ИП на ПрСНС, равной

(см. выражение (1)), и вероятности совпадения соответствующих двоичных символов в ПРП на ПерСНС и ИП на ПрСНС, равной

Эта вероятность с учетом того, что ошибки, возникающие в основном канале и канале перехвата, являются независимыми ошибками, может быть выражена как

где

определяется согласно выражению (3), причем

Это приводит к ухудшению качества приема канала перехвата, т.к.

при сохранении качества приема основного канала (вероятность несовпадения (ошибки) соответствующих двоичных символов в ПРП на ПерСНС и ИП на ПрСНС равна

).The intruder has his own interception channel, with the help of which he receives information about the transmitted PRP through the communication channel with errors of the legitimate parties of the National Assembly (see Fig. 1). In order to form a CLD with high resistance to compromise, it is necessary to create conditions under which the reception quality in the communication channel with errors of the legitimate sides of the NS (i.e., the main channel) will exceed the reception quality in the interception channel, i.e. it is necessary to create conditions under which the main channel will have an advantage (better reception quality) with respect to the interception channel. To create the above conditions, each of the symbols of the preliminary binary sequence randomly generated on the PerSNS (each bit of the PRP is randomly generated to increase the resistance of the CDS to compromise) is repeated M times and transmitted to the PRSN through the main channel (via the communication channel with errors of the ZSNS). At the PRSNs, each of the words of the repetition code is received if all its elements are either “1” or “0” and a decision is made on the information symbol corresponding to the received code word. Otherwise, the code word is erased at the PRNS. The decision on the accepted (erased) code words is transmitted via the reverse communication channel without errors to the PersNS. ZSNS save characters in the sequences of IP on PRSNS and PRP on PersNS, which were not erased. The violator can also delete characters that have been erased by the legitimate parties of the National Assembly. However, the characters stored by the intruder (that is, those that saved the HSSS) are not reliable enough because the errors that occur in the main channel and the errors that occur in the interception channel are independent errors. Instead of the presented decoding with two codewords, SSSNs may use threshold decoding. The main difference when using the ZSSN threshold decoding is that each of the words of the repetition code is received at the PRSNS, not only when all its elements are either “1” or “0”, but when the number of identical binary characters in the codeword is at least a certain number ( threshold). This will lead, on the one hand, to a decrease in the likelihood of matching the corresponding stored characters in the PRP on the PRSNS and in the IP on the PRSNS, on the other hand, the ZSNS will erase the IP symbols (PRP) less. The creation of conditions under which the main channel takes precedence over the interception channel is realized in the claimed method by the following sequence of actions for simultaneously forming an initial sequence on the receiving side of the communication direction and a preliminary sequence on the transmitting side of the communication direction. The formation of the initial sequence on the receiving side of the communication direction is as follows. On the transmitting side of the communication direction L times, where L> 10 ⁴ is the selected primary length of the original sequence, a random bit is generated (see FIG. 2). Known methods for generating random numbers are described, for example, in the book of D. Knut, "The Art of Computer Programming," M.: Mir, 1977, vol. 2, p. 22. A code word is generated from a random bit. To generate a codeword, the generated random bit is encoded with a code with M repetitions (see Fig. 3), where M≥1, M is determined by the quality of the communication channel with errors. Known methods of coding with a repetitive code are described, for example, in the book by E. Berlekamp, “Algebraic Coding Theory”, M.: Mir, 1971, p. 11, however, when decoding the code word ZSNS, the reverse communication channel is used without errors, which significantly affects increase the reliability of the received characters. The codeword is transmitted over the communication channel with errors to the receiving side of the communication direction. The timing diagram of the error vector in the error communication channel is shown in FIG. 4. The term "error vector" means the bitwise difference between the transmitted and received code words, as described, for example, in the book by A. Zyuko, D. Klovsky, M. Nazarov, L. Fink, "Theory of signal transmission", M .: Radio and Communications, 1986, p. 93. The received codeword is shown in FIG. 5. Known methods for transmitting sequences over communication channels with errors are described, for example, in the book by A. Zyuko, D. Klovsky, M. Nazarov, L. Fink, "Theory of signal transmission", M .: Radio and communication, 1986, p. 11. On the receiving side of the communication direction, the received bit and the confirmation bit F are formed from the received codeword. The value of the first bit of the received codeword is assigned to the received bit (see Fig. 7). To form a confirmation bit, the first bit of the received codeword is compared with the subsequent M bits of the received codeword. If there are M matches of the first bit of the received codeword with M bits of the received codeword, the confirmation bit is assigned the value "1". If there is at least one discrepancy between the first bit of the received codeword and the M bits of the received codeword, the confirmation bit is assigned the value "0", as shown in FIG. 6. Known methods for comparing bits are described, for example, in the book by P. Horovets, W. Hill, "The Art of Circuit Engineering", Moscow: Mir, vol. 1, 1983, p. 212. A confirmation bit is transmitted on the reverse channel without errors to the transmitting side of the communication direction (see Fig. 8). Known methods for transmitting bits on the return channel are described, for example, in the book by A. Zyuko, D. Klovsky, M. Nazarov, L. Fink, "Theory of signal transmission", M .: Radio and communications, 1986, p. 156. With equality confirmation bit F to unity (F = 1) the received bit and the generated random bit are stored respectively on the receiving and transmitting sides of the communication direction as ix elements, where i = 1, 2, 3 ... LU, the initial and preliminary sequences, where U is the number of erased characters in the formation of the initial and preliminary sequences. In FIG. 9 shows the i-th element of the original sequence, and the i-th element of the preliminary sequence is shown in figure 10. Known methods for storing bits are described, for example, in the book of L. Maltsev, E. Flomberg, V. Yampolsky, "Fundamentals of digital technology", M .: Radio and communications, 1986, p. 79. If the confirmation bit F is equal to zero (F = 0), the generated random bit and the received bit are erased. Known methods for erasing bits are described, for example, in the book by W. Peterson, E. Weldon, “Error Correcting Codes”, M .: Mir, 1976, p. 17. The form of the generated preliminary sequence is shown in FIG. 11, and a view of the generated source sequence is shown in FIG. 12. So, for example, if p _m is the probability of an error on a bit in the main channel, then the probability of a mismatch (error) of the corresponding binary symbols in the PRP on PersNS and IP on PRSNS can be expressed as

where p _ac is the probability with which a block is accepted (length M + 1 binary symbols) with M repetitions on the PRSN, which is determined using the expression
P _ac = P $\genfrac{}{}{0ex}{}{\text{M + 1}}{\text{m}}$ + (1-p _m ) ^{M + 1} . (2)
The probability of an error per binary symbol (corresponding to the symbols stored by the ZSNS) in the PRP of the intruder will depend on the admission rule chosen by him. So, if p _w is the probability of an error per bit in the interception channel and the intruder decodes according to the majority rule (the majority decoding rule is the rule when the decision on the information symbol of the received code block with repetitions is made according to a larger number of identical symbols in the received code block with repetitions), then the probability of an error per bit for the received information symbols of the intruder relative to that transmitted from the PRNS via the main PRP channel can be expressed as

However, the IP is formed on the PRSNS and in relation to it, mismatched characters (errors) in the PDP on the PRNS will be corrected. Then the probability of an error per bit for the received information symbol of the intruder relative to the received information symbol of the IP on the PRSNS will depend on the probability of mismatch (error) of the corresponding binary symbols in the PRP on the PRNS and the IP on the PRNS equal to

(see expression (1)), and the probability of coincidence of the corresponding binary symbols in the PRP on PersNS and IP on PRSNS equal to

This probability, given that the errors that occur in the main channel and the interception channel, are independent errors, can be expressed as

Where

is determined according to expression (3), and

This leads to a deterioration in the reception quality of the interception channel, as

while maintaining the reception quality of the main channel (the probability of mismatch (error) of the corresponding binary characters in the PRP on PersNS and IP on PRSNS is

)

а вероятность ошибки на бит для принятых информационных символов нарушителя относительно переданной от ПерСНС по основному каналу ПРП будет равна

а вероятность ошибки на бит для принятого информационного символа нарушителя относительно принятого информационного символа ИП на ПрСНС

будет равна

, т.е. число несовпадающих символов (ошибок) в ПРП и ИП законных сторон НС будет меньше, чем в ИП и последовательности нарушителя, причем при формировании ИП на ПрСНС достигается лучший результат, т.к.

При этом ЗСНС будет стерто U двоичных символов, U= 25697 двоичных символов, и вторичная длина ИП (ПРП) составит величину L-U=76304 бит, в то время когда по каналу связи с ошибками необходимо будет передать 408004 двоичных символа.Example 1. ZSNS for the formation of PI (PRP) using a code with M repetitions. The intruder decodes according to the majority rule. The probability of error per bit in the interception channel is p _w = 0.06, and the probability of error per bit in the main channel is p _m = 0.07, i.e. the case when the reliability of the communication channel with errors of the legitimate parties of the National Assembly is worse than the interception channel of the intruder. When transmitting the primary length L = 102001 binary characters from the PerSNS PRP and using a code with M repetitions, where M = 3 (p _ac = 0.748), the probability of mismatch (error) of the corresponding binary characters in the PRP on the PRSNS and the IP on the PRSNS will be

and the probability of an error per bit for the received information symbols of the intruder relative to that transmitted from the PersNS on the main PRP channel will be equal to

and the probability of error per bit for the received information symbol of the intruder relative to the received information symbol of the IP on the PRSN

will be equal

, i.e. the number of mismatching characters (errors) in the PDP and IP of the legitimate parties of the National Assembly will be less than in the IP and the sequence of the violator, and the best result is achieved when forming the IP on the PRSN,

In this case, the UCNS will be erased U binary characters, U = 25697 binary characters, and the secondary IP length (PRP) will be LU = 76304 bits, while 408004 binary characters will need to be transmitted over the communication channel with errors.

Каждый подблок длиной К символов кодируется линейным систематическим блоковым помехоустойчивым (N, K) двоичным кодом, где К - длина блока информационных символов кода и N - длина кодового блока. Линейным двоичным кодом называется код, который построен на основе использования линейных операций в поле GF(2), как описано, например, в книге Р. Блейхут, "Теория и практика кодов, контролирующих ошибки", М. : Мир, 1986, стр. 61. Под термином "блоковый код" понимают код, в котором действия производятся над блоками символов, как описано, например, в книге Р. Блейхут, "Теория и практика кодов контролирующих ошибки", М.: Мир, 1986, стр. 13. Систематическим называется код, в котором кодовое слово начинается с информационных символов, оставшиеся символы кодового слова являются проверочными символами к информационным символам, как описано, например, в книге Р. Блейхут, "Теория и практика кодов, контролирующих ошибки", М.: Мир, 1986, стр. 66. Затем формируемые блоки проверочных символов длиной N-K двоичных символов объединяют в единый блок проверочных символов кодированной ИП длиной Y(N-К) двоичных символов и передают его по обратному каналу связи без ошибок на ПерСНС. На ПерСНС используют блок проверочных символов кодированной ИП для устранения несовпадений в ПРП по отношению к ИП и получают ДП. Тогда вероятность ошибочного декодирования ПРП может быть определена по формуле
P_Е≤1-(1-P_Е0)^Y, (6)
где Р_E0 - вероятность ошибочного декодирования подблока длиной К двоичных символов, определяемая как описано, например, в книге Ф. Мак-Вильямс, Н. Слоэн, "Теория кодов, исправляющих ошибки", М.: Связь, 1979, стр. 29,

где

определяется из выражения (1), а d - минимальное кодовое расстояние (N, K) кода, которое определяется как минимальное число несовпадающих разрядов в двух любых кодовых словах (N, K) кода, как описано, например, в книге Ф. Мак-Вильямс, Н. Слоэн, "Теория кодов, исправляющих ошибки", М.: Связь, 1979, стр. 20. В качестве помехоустойчивых кодов могут использоваться широкий класс кодов Боуза - Чоудхури - Хоквингема, коды Хемминга, Рида - Малера, Рида - Соломона и другие линейные блоковые коды, характеризующиеся своими параметрами N, К, d. В ходе применения ЗСНС помехоустойчивого кодирования, нарушитель получает дополнительную информацию о КлШД путем перехвата блока проверочных символов кодированной ИП, переданного по обратному каналу связи без ошибок. Используя его нарушитель также исправляет часть несовпадений в своей версии перехваченной ПРП относительно ИП. Это обстоятельство ЗСНС учитывают при формировании из исходной и декодированной последовательностей КлШД ЗСНС. Устранение несовпадений (ошибок) в ПРП на ПерСНС реализуется в заявленном способе следующей последовательностью действий. Кодирование исходной последовательности на ПрСНС заключается в следующем. Предварительно исходную последовательность разделяют на Y подблоков данной К двоичных символов, где Y=(L-U)/К, как показано на фиг. 12. Известные способы разбиения последовательности на блоки фиксированной длины описаны, например, в книге В. Васильев, В. Свириденко, "Системы связи", М.: Высшая школа, 1987, стр. 208. Последовательно, начиная с 1-го до Y-ro, каждый j-й подблок, где j= 1, 2, 3,..., Y, кодируют линейным блоковым систематическим двоичным помехоустойчивым (N, К) кодом (см. фиг. 13). Порождающая матрица кода имеет размерность К х N, причем N>К. Размеры К и N порождающей матрицы линейного блочного систематического двоичного помехоустойчивого (N, К) кода выбирают К= 2^m-1-m и N= 2^m-1, где m≥3, как описано, например, в книге Р. Блейхуг, "Теория и практика кодов, контролирующих ошибки", М.: Мир, 1986, стр. 71. Для кодирования ИП каждый j-й подблок длиной К двоичных символов перемножают на порождающую матрицу кода и получают j-й кодовый блок длиной N двоичных символов, как показано на фиг. 14. Известные способы помехоустойчивого кодирования блоков символов описаны, например, в книге Р. Блейхут, "Теория и практика кодов, контролирующих ошибки", М.: Мир, 1986, стр. 63. Из j-го кодового блока выделяют j-й подблок проверочных символов длиной N - К двоичных символов (см. фиг. 15 ). Известные способы выделения блоков фиксированной длины описаны, например, в книге В. Васильев, В. Свириденко, "Системы связи", М. : Высшая школа, 1987 стр. 208. Запоминают j-й подблок проверочных символов в качестве j-го подблока блока проверочных символов кодированной исходной последовательности. Временная диаграмма формирования блока проверочных символов кодированной ИП показана на фиг. 16. Известные способы хранения последовательности бит описаны, например, в книге Л. Мальцев, Э. Фломберг, В. Ямпольский, "Основы цифровой техники", М.: Радио и связь, 1986, стр. 38. Передают блок проверочных символов кодированной ИП по обратному каналу связи без ошибок на передающую сторону направления связи. Известные способы передачи последовательностей по каналам связи описаны, например, в книге А. Зюко, Д. Кловский, М. Назаров, Л. Финк, "Теория передачи сигналов", М. : Радио и связь, 1986, стр. 11. Формирование декодированной последовательности на передающей стороне направления связи заключается в следующем. Декодированную последовательность формируют из предварительной последовательности. Предварительную последовательность и блок проверочных символов кодированной исходной последовательности разделяют на Y соответствующих пар декодируемых подблоков (см. фиг. 18) и подблоков проверочных символов (см. фиг. 17), где Y=(L-U)/К. Длины декодируемых подблоков и подблоков проверочных символов выбирают равными соответственно К и N-К двоичных символов. Известные способы разбиения последовательности на блоки фиксированной длины описаны, например, в книге В. Васильев, В. Свириденко, "Системы связи", М.: Высшая школа, 1987, стр. 208. Формируют Y принятых кодовых блоков длиной N двоичных символов путем конкатенации справа к j-му декодируемому подблоку j-го подблока проверочных символов, где j=1, 2, 3,...,Y, как показано на фиг. 19. Каждый из Y принятых кодовых блоков декодируют линейным блоковым систематическим двоичным помехоустойчивым (N, К) кодом (см. фиг. 19). Проверочная матрица кода имеет размерность (N-K)xN, причем N>К. Выбирают размеры К и N проверочной матрицы линейного блокового систематического двоичного помехоустойчивого (N, К) кода К=2^m-1-m и N=2^m-1, где m≥3, как описано, например, в книге Р. Блейхуг, "Теория и практика кодов, контролирующих ошибки", М. : Мир, 1986, стр. 71. Последовательно, начиная с 1-го до Y-го, вычисляют j-й синдром S длины N-К двоичных символов перемножением j-го принятого кодового блока на транспонированную проверочную матрицу. Временная диаграмма вычисления j-го синдрома S длиной N-К двоичных символов показана на фиг. 20. По полученному j-му синдрому S исправляют ошибки в j-м декодируемом подблоке (см. фиг. 21). Известные способы синдромного декодирования блоков символов описаны, " например, в книге Р. Блейхут, "Теория и практика кодов, контролирующих ошибки", М. : Мир, 1986, стр. 70. Затем j-й декодируемый подблок запоминают в качестве j-го подблока декодированной последовательности, как показано на фиг. 22. Известные способы хранения последовательности бит описаны, например, в книге Л. Мальцев, Э. Фломберг, В. Ямпольский, "Основы цифровой техники", М.: Радио и связь, 1986, стр. 38. И получают, таким образом, ДП на ПерСНС.After applying the ZSNS code with repetitions in the IP and PDP, mismatched characters remain, which does not allow the ZSNS to proceed with the direct formation of CLSD. Elimination of these discrepancies can be implemented through the use of error-correcting coding. However, well-known error-correcting codes make it possible to encode sequences of significantly shorter length than the obtained secondary length of the PI (PRP), equal to the LU of binary symbols. For this, sequential coding is used, i.e., if the length of the PI (PDP) is large, for example, 10 ⁵ - 10 ⁷ binary characters, it is divided into Y subunits of K characters in length, where

Each sub-block with a length of K characters is encoded by a linear systematic block noise-resistant (N, K) binary code, where K is the length of the block of information symbols of the code and N is the length of the code block. Linear binary code is a code that is built on the basis of the use of linear operations in the GF field (2), as described, for example, in the book of R. Bleikhut, "Theory and Practice of Error Control Codes", M.: Mir, 1986, p. 61. The term "block code" refers to a code in which actions are performed on blocks of characters, as described, for example, in the book of R. Bleikhut, "Theory and Practice of Error Control Codes," Moscow: Mir, 1986, p. 13. A systematic code is a code in which the code word begins with information characters, the remaining characters of the code fishing gears are test characters to informational characters, as described, for example, in the book of R. Bleikhut, "Theory and Practice of Error Control Codes", Moscow: Mir, 1986, p. 66. Then, formed blocks of test characters with a length of NK binary characters are combined into a single block of verification symbols of a coded IP with a length of Y (N-K) binary symbols and transmit it via the reverse communication channel without errors to PersNS. At PerSNS, a block of verification symbols of the encoded IP is used to eliminate inconsistencies in the PDP with respect to the IP and receive DP. Then the probability of erroneous decoding of the PRP can be determined by the formula
P _E ≤1- (1-P _E0 ) ^Y , (6)
where P _E0 is the probability of erroneous decoding of a sub-block of length K of binary characters, determined as described, for example, in the book by F. Mc-Williams, N. Sloan, "Theory of error correction codes", Moscow: Communication, 1979, p. 29,

Where

is determined from expression (1), and d is the minimum code distance (N, K) of the code, which is defined as the minimum number of mismatched bits in any two code words (N, K) of the code, as described, for example, in the book of F. Mac- Williams, N. Sloan, “Theory of error-correcting codes,” Moscow: Svyaz, 1979, p. 20. A wide class of Bowes – Chowdhury – Hockingham codes, Hamming, Reed – Mahler, Reed – Solomon codes can be used as error-correcting codes. and other linear block codes characterized by their parameters N, K, d. In the course of the application of the ZNSN of error-correcting coding, the intruder obtains additional information about the CLD by intercepting the block of verification symbols of the encoded IP transmitted over the reverse communication channel without errors. Using it, the intruder also corrects part of the discrepancies in his version of the intercepted PRP with respect to the IP. This circumstance of ZSNS is taken into account when forming from the initial and decoded sequences of CLSD ZSNS. The elimination of discrepancies (errors) in the PDP on the PerSNS is implemented in the claimed method by the following sequence of actions. The coding of the original sequence on the PRNS is as follows. Previously, the original sequence is divided into Y subblocks of a given K binary symbol, where Y = (LU) / K, as shown in FIG. 12. Known methods of dividing a sequence into blocks of fixed length are described, for example, in the book by V. Vasiliev, V. Sviridenko, “Communication Systems”, Moscow: Vysshaya Shkola, 1987, p. 208. Consistently, starting from 1st to Y -ro, each j-th subunit, where j = 1, 2, 3, ..., Y, is encoded by a linear block systematic binary noise-resistant (N, K) code (see Fig. 13). The generating code matrix has dimension K x N, and N> K. The sizes K and N of the generating matrix of the linear block systematic binary noise-immunity (N, K) code are chosen K = 2 ^m -1-m and N = 2 ^m -1, where m≥3, as described, for example, in the book of R. Bleikhug, "Theory and Practice of Error Control Codes", Moscow: Mir, 1986, p. 71. To encode IP, each jth subblock of length K of binary symbols is multiplied by the generating matrix of the code and receive the jth code block of length N of binary characters, as shown in FIG. 14. Known methods for error-correcting coding of symbol blocks are described, for example, in the book of R. Bleikhut, “Theory and Practice of Error Control Codes,” Moscow: Mir, 1986, p. 63. The jth subblock is extracted from the jth code block test characters of length N - K binary characters (see Fig. 15). Known methods for allocating fixed-length blocks are described, for example, in the book by V. Vasiliev, V. Sviridenko, “Communication Systems”, Moscow: Vysshaya Shkola, 1987, p. 208. The j-th sub-block of check characters is stored as the j-th sub-block of the block check characters of the encoded source sequence. A timing diagram for generating a block of verification symbols for a coded IP is shown in FIG. 16. Known methods for storing a sequence of bits are described, for example, in the book of L. Maltsev, E. Flomberg, V. Yampolsky, "Fundamentals of Digital Technology", Moscow: Radio and Communications, 1986, p. 38. A block of verification symbols of the encoded IP is transmitted. on the reverse communication channel without errors to the transmitting side of the communication direction. Known methods for transmitting sequences over communication channels are described, for example, in the book by A. Zyuko, D. Klovsky, M. Nazarov, L. Fink, "Theory of signal transmission", M.: Radio and communications, 1986, p. 11. Formation of decoded The sequence on the transmitting side of the communication direction is as follows. The decoded sequence is formed from a preliminary sequence. The preliminary sequence and the block of check symbols of the encoded source sequence are divided into Y corresponding pairs of decoded sub-blocks (see Fig. 18) and sub-blocks of check symbols (see Fig. 17), where Y = (LU) / K. The lengths of the decoded subblocks and subblocks of the check symbols are selected equal to K and N-K binary symbols, respectively. Known methods for splitting a sequence into blocks of fixed length are described, for example, in the book by V. Vasiliev, V. Sviridenko, “Communication Systems”, Moscow: Vysshaya Shkola, 1987, p. 208. Form Y received code blocks of length N binary characters by concatenation to the right of the jth decoded subblock of the jth subblock of check symbols, where j = 1, 2, 3, ..., Y, as shown in FIG. 19. Each of the Y received code blocks is decoded by a linear block systematic binary noise-immunity (N, K) code (see FIG. 19). The verification matrix of the code has the dimension (NK) xN, and N> K. Choose the sizes K and N of the verification matrix of the linear block systematic binary noise-immunity (N, K) code K = 2 ^m -1-m and N = 2 ^m -1, where m≥3, as described, for example, in the book of R. Bleikhug, "Theory and practice of error control codes", Moscow: Mir, 1986, p. 71. Consistently, starting from the 1st to the Yth, the jth syndrome S of length N-K of binary symbols is calculated by multiplying the jth accepted code block to the transposed check matrix. A timing diagram for calculating the jth syndrome S of length N-K binary symbols is shown in FIG. 20. According to the obtained j-th syndrome S, errors in the j-th decoded sub-block are corrected (see Fig. 21). Known methods for syndromic decoding of symbol blocks are described, for example, in the book of R. Bleichut, “Theory and Practice of Error Control Codes,” M.: Mir, 1986, p. 70. Then, the jth decoded subblock is stored as the jth subblock of the decoded sequence, as shown in Fig. 22. Known methods for storing a sequence of bits are described, for example, in the book of L. Maltsev, E. Flomberg, V. Yampolsky, "Fundamentals of digital technology", M .: Radio and communications, 1986, p. 38. And so they get DP on PersNS.

Example 2. The source data for example 2 take the source data and the results of example 1 (see above). When using the ZSNS, to correct inconsistent characters in the PRPs on the PerNS, a Hamming code with m = 9 receive a code with the characteristics: N = 511, K = 502, d = 3. According to expression (5), Y is obtained, the number of subblocks 502 binary characters long, Y = 152. According to expression (7), P _EO is obtained — the probability of erroneous decoding of one sub-block, P _E0 = 1.28 • 10 ^-4 . Using expression (6), determine the probability P _E - the probability of erroneous decoding of the PRP length LU, P _E = 1,929 • 10 ^-2 .

After the formation of the ZSNS of identical IPs on the PrSNS and the DP on the PerSNS, the ZSNS should form a CDS with a small amount of information of the violator about CSD. To provide a small amount of information about the CSP in the proposed method for the formation of CSP, the method of "secreting" IP and DP sequences is used, based on universal hashing, as described, for example, in the book of Bennett C., Brassard G., Crepeau C Maurer U. " Generalized privacy amplification ", IEEE Trans. on IT. vol. 41. no. 6. pp. 1915 - 1923, 1995, p. 1920. The essence of the method of "enhancing secrecy" is as follows. At PersNS, the hash function is randomly selected from the universal set of hash functions. The hash function is transmitted via a direct communication channel without errors to the PRNS. Then the IP is hashed on the PRNS and the DP on the PRNS. The result of the hash will be the generated CLSD ZSNS. With a probability close to unity and equal to 1-P _ε , an event occurs in which the information (Shannon information) of the intruder about the CWD does not exceed a certain small value of Io and with a low probability of failure P _ε an event is possible in which the information of the intruder about CWC will be more Io. When hashing IP (IP length LU binary characters) is displayed in a sequence K _B length T binary characters generated CLSD on the PRSNS. Similarly, when hashing a DP (DP with a length of LU binary characters) it is mapped into a sequence K _{A of} length T of binary characters of the generated CLSD on PersNS. It is assumed that the intruder has complete information about the hashing function of the ZSNS sequences. The hashing function of sequences must satisfy a number of requirements, as described, for example, in the book by Yu. Romanets, P. Timofeev, V. Shangin, "Information Security in Computer Systems and Networks", M .: Radio and Communication, 1999, p. 156:
- the hash function must be sensitive to all kinds of changes in the sequence, such as inserts, outliers, permutations, etc .;
- the hash function must have the property of irreversibility, i.e. the task of selecting another sequence that possesses the required value of the hash function must be computationally insoluble;
is the probability of collision, i.e. the probability of an event in which the values of the hash function of two different sequences coincide should be negligible.

где I_R - информация Реньи. Информация Реньи I_R определяется через выражение для энтропии Реньи на символ (энтропия Реньи на символ зависит от вероятности ошибки на бит p_w в канале перехвата), которая характеризует неопределенность нарушителя о КлШД, при знании нарушителем информации, полученной с помощью канала перехвата, полной информации об алгоритме взаимодействия законных сторон НС и их действиям по формированию КлШД, как описано, например, в книге Bennett С. , Brassard G., Crepeau С., Maurer U. "Generalized privacy amplification", IEEE Trans. on IT. vol. 41. no. 6. pp. 1915-1923, 1995, стр. 1919. Энтропия Реньи равна
H_RДСК=-log₂{p_w ²+(1-p_w)²}. (9)
Тогда информация Реньи I_R, полученная нарушителем при перехвате последовательности ПРП длиной L-U символов, определяется выражением
I_R=(L-U)(1-log₂{p_w ²+(1-p_w)²}). (10)
При устранении ЗСНС несовпадений (ошибок) в ПРП на ПерСНС, когда от ПрСНС передают по обратному каналу связи без ошибок на ПерСНС блок проверочных символов кодированной ИП длиной Y(N-K) двоичных символов, нарушитель получает дополнительную информацию Реньи о ИП (КлШД). Дополнительная информация Реньи, полученная нарушителем за счет кодирования ИП I_Rкод равна I_Rкод= Y(N-К), как доказано, например, в лемме 5 статьи Maurer U. "Linking Information Reconciliation and Privacy Amplification", J. Cryptology, 1997, no. 10, pp. 97-110, стр. 105. Тогда общее количество информации Реньи, поступающее к нарушителю, равно
I_Rобщ=I_R+Y(N-K). (11)
В этом случае (8), принимает вид

(12)
Количество информации Шеннона, получаемое нарушителем о сформированном ЗСНС КлШД, при использовании ЗСНС метода "усиления секретности", может быть больше ограничения Iо ( определенного в (12) ) с малой вероятностью сбоя

При использовании ЗСНС кода с повторениями и формировании ИП на ПрСНС энтропия Реньи и вероятность P_ε определяются более сложными соотношениями, причем энтропия Реньи не зависит от выбранного нарушителем правила обработки перехваченных сообщений. Определение энтропии Реньи и вероятности P_ε, при использовании ЗСНС кода с повторениями и формировании ИП на ПрСНС и ДП на ПерСНС, приведено в Приложении 1 (см. в конце описания). Для обеспечения малой величины информации нарушителя о КлШД в предлагаемом способе формирования КлШД (с использованием метода "усиления секретности") реализуется следующая последовательность действий. Формирование КлШД из исходной и декодированной последовательностей заключается в следующем. Формируют на ПерСНС функцию хеширования последовательностей в виде двоичной матрицы G размерности (L-U)xT, где Т≥64 - требуемая длина формируемого КлШЦ. Каждый из элементов двоичной матрицы G генерируют случайным образом (см. фиг. 23). Известные способы генерирования случайных чисел описаны, например, в книге Д. Кнут, "Искусство программирования для ЭВМ", М.: Мир, 1977, т. 2, стр. 22. Функцию хеширования последовательностей передают по прямому каналу связи без ошибок на приемную сторону направления связи, последовательно, начиная с 1-й по (L-U)-ю строки двоичной матрицы G, как показано на фиг. 24. Известные способы передачи последовательностей по каналам связи описаны, например, в книге А. Зюко, Д. Кловский, М. Назаров, И. Финк, "Теория передачи сигналов", М.: Радио и связь, 1986, стр. 11. КлШД на приемной стороне направления связи формируют путем хеширования ИП (см. фиг. 25) по сформированной на передающей стороне направления связи функции хеширования последовательностей, как показано на фиг. 26. КлШД на передающей стороне направления связи формируют путем хеширования ДП (см. фиг. 27) по сформированной на передающей стороне направления связи функции хеширования последовательностей, как показано на фиг. 28. При формировании КлШД предварительно на приемной стороне направления связи двоичную матрицу G и исходную последовательность, а на передающей стороне направления связи двоичную матрицу G и декодированную последовательность разделяют на W соответствующих пар подматриц размерности РхТ, где P= (L-U)/W, и подблоков исходной и декодированной последовательностей длиной Р двоичных символов. Известные способы разбиения последовательности на подблоки фиксированной длины описаны, например, в книге В. Васильев, В. Свириденко, "Системы связи", М.: Высшая школа, 1987, стр. 208. Затем последовательно, начиная с 1-го до W-й, вычисляют z-й первичный ключ длиной Т двоичных символов, где z=1, 2, 3,..., W, перемножением z-го подблока исходной последовательности на z-ю подматрицу G_z на приемной стороне направления связи и z-го подблока декодированной последовательности на z-ю подматрицу G_z на передающей стороне направления связи. После чего формируют КлШД путем поразрядного суммирования по модулю два W первичных ключей соответственно на приемной и передающей сторонах направления связи, как показано на фиг. 29. У нарушителя остается возможность получения полной информации о КлШД ЗСНС в результате хищения носителей информации о ИП (ДП), несанкционированного доступа к информации о ИП (ДП), разглашения информации о ИП (ДП) и др. хотя бы одной из законных сторон НС. Для исключения этой возможности ЗСНС стирают исходную последовательность на приемной стороне направления связи и декодированную последовательность на передающей стороне направления связи. Действия по передаче и приему последовательностей по каналу связи с ошибками, прямому и обратному каналам связи без ошибок засинхронизированы. Известные способы синхронизации описаны, например, в книге Е. Мартынов, "Синхронизация в системах передачи дискретных сообщений", М.: Связь, 1972, стр. 186.In addition, the hash function must belong to a universal set of hash functions. The universal set of hash functions is defined as follows. Let n and r be two positive integers, with n> r. The set of functions G2 that map the set of binary sequences of length n to the set of binary sequences of length r is called universal if, for any different sequences x ₁ and x ₂ from the set of binary sequences of length n, the probability (collision) that the value of the hash function of x ₁ is the value of the hash function from x ₂ (g (x ₁ ) = g (x ₂ )), not more than 2 ^-r , with a random choice of the hash function g, in accordance with the equiprobable distribution, from G2, as described, for example, in Carter J., Wegman M., "Universal classe s of hash functions ". Journal of Computer and System Sciences, 1979, Vol. 18, pp. 143 - 154, p. 145. All linear functions that map the set of binary sequences of length n to the set of binary sequences of length r belong to the universal set, as described, for example, in Carter J., Wegman M., "Universal classes of hash functions " Journal of Computer and System Sciences, 1979, Vol. 18, pp. 143-154, p. 150. Linear functions can be described by binary matrices of dimension n x r. Storage of the universal set G2 of sequence hashing functions for UIs and DPs (the number of hashing functions belonging to the universal set G2 is large and amounts to 2 ^{T (LU)} ; moreover, each sequence hashing function requires T (LU) memory cells) is difficult to implement and impractical. Therefore, the random equiprobable choice of the hashing function of sequences from the universal set G2 of functions of hashing sequences on the PerSNS consists in randomly generating each of the elements of a binary matrix of dimension (LU) x Т, which describes a randomly selected hashing function of sequences from the universal set of hashing functions of sequences G2. After the formation of the CLSD by the HSS by hashing IP and DP using a randomly generated binary matrix of dimension (LU) xT, the amount of Shannon information received by the intruder about the CLSD generated by the CLSS is no more than

where I _R is Renyi information. The Renyi information I _R is determined through the expression for the Renyi entropy per symbol (the Renyi entropy per symbol depends on the probability of an error per bit p _w in the interception channel), which characterizes the intruder’s uncertainty about CWD, if the intruder knows the information obtained using the interception channel, complete information on the algorithm for the interaction of the legitimate parties of the National Assembly and their actions for the formation of CLS, as described, for example, in the book Bennett S., Brassard G., Crepeau S., Maurer U. "Generalized privacy amplification", IEEE Trans. on IT. vol. 41. no. 6. pp. 1915-1923, 1995, p. 1919. The entropy of Renyi is
H _RDSK = _{-log 2} {p _w ² + (1-p _w ) ² }. (9)
Then the information of Renyi I _R obtained by the intruder when intercepting a sequence of PRPs with a length of LU symbols is determined by the expression
I _R = (LU) (1-log ₂ {p _w ² + (1-p _w ) ² }). (10)
When eliminating the MSS of inconsistencies (errors) in the PRSN to the PerSNS, when the block of verification symbols of the encoded IP length Y (NK) of binary characters is transmitted from the PRSNS without errors to the PerSNS, the intruder receives additional Renyi information about the IP (CLSD). Additional information Renyi obtained by the intruder by encoding the IP I _{R code} is equal to I _{R code} = Y (N-K), as proved, for example, in Lemma 5 of Maurer U. "Linking Information Reconciliation and Privacy Amplification", J. Cryptology, 1997, no. 10, pp. 97-110, p. 105. Then the total amount of Renyi’s information received by the intruder is
I _Rtotal = I _R + Y (NK). (eleven)
In this case (8), takes the form

(12)
The amount of Shannon’s information received by the intruder about the CLSD generated by the CSNS when using the “secrecy enhancement” method of the CSNS may be greater than the Io limit (defined in (12)) with a low probability of failure

When using the ZSNS code with repetitions and generating an IP on the PRSNS, the Renyi entropy and probability P _{ε are} determined by more complex relationships, and the Renyi entropy does not depend on the rule chosen by the violator for processing intercepted messages. The determination of the Renyi entropy and probability P _ε , when using the ZSNS code with repetitions and the formation of SPs on PrSNS and DP on PerSNS, is given in Appendix 1 (see the end of the description). To ensure a small amount of information on the CLS offender in the proposed method of forming CLS (using the method of "secrecy enhancement"), the following sequence of actions is implemented. The formation of CLSD from the original and decoded sequences is as follows. A function of hashing sequences is formed on the PerSNS in the form of a binary matrix G of dimension (LU) xT, where T≥64 is the required length of the generated CLC. Each of the elements of the binary matrix G is randomly generated (see FIG. 23). Known methods for generating random numbers are described, for example, in the book of D. Knut, “The Art of Computer Programming,” Moscow: Mir, 1977, vol. 2, p. 22. The hash function of the sequences is transmitted through the direct communication channel to the receiving side without errors communication directions, sequentially, starting from the 1st through (LU) -th row of the binary matrix G, as shown in FIG. 24. Known methods for transmitting sequences over communication channels are described, for example, in the book by A. Zyuko, D. Klovsky, M. Nazarov, I. Fink, "Theory of signal transmission", M .: Radio and communications, 1986, p. 11. A CDS on the receiving side of the communication direction is formed by hashing IP (see FIG. 25) according to the sequence hashing function formed on the transmitting side of the communication direction, as shown in FIG. 26. A CDS on the transmitting side of the communication direction is formed by hashing the PD (see FIG. 27) according to the sequence hashing function generated on the transmitting side of the communication direction, as shown in FIG. 28. When forming a CDS, the binary matrix G and the initial sequence are preliminary on the receiving side of the communication direction, and the binary matrix G and the decoded sequence on the transmitting side of the communication direction are divided into W corresponding pairs of PxT dimension submatrices, where P = (LU) / W, and subunits source and decoded sequences of length P of binary symbols. Known methods for dividing a sequence into subblocks of a fixed length are described, for example, in the book by V. Vasiliev, V. Sviridenko, “Communication Systems”, Moscow: Vysshaya Shkola, 1987, p. 208. Then, sequentially, from the 1st to the W- th, calculate the zth primary key with a length T of binary characters, where z = 1, 2, 3, ..., W, by multiplying the zth subblock of the original sequence by the zth submatrix G _z on the receiving side of the communication direction and z- subblock of the decoded sequence to the zth submatrix G _z on the transmitting side of the communication direction. After that, a CDS is formed by bitwise summation modulo two W primary keys respectively on the receiving and transmitting sides of the communication direction, as shown in FIG. 29. The intruder still has the opportunity to obtain complete information about the CLSD of the ZSNS as a result of the theft of information carriers on IP (DP), unauthorized access to information on IP (DP), disclosure of information on IP (DP), etc., at least one of the legitimate parties to the NS . To eliminate this possibility, the MSSE erases the original sequence on the receiving side of the communication direction and the decoded sequence on the transmitting side of the communication direction. The actions for transmitting and receiving sequences over the communication channel with errors, the forward and reverse communication channels are synchronized without errors. Known methods of synchronization are described, for example, in the book of E. Martynov, "Synchronization in transmission systems of discrete messages", M .: Communication, 1972, p. 186.

Example 3. The source data for example 3 take the source data and the results of examples 1 and 2 (see above). ZSNS form CLSD with a length of 64 bits. ZSNS use the binary matrix of dimension 76304x64 formed on PerSNS. The average Renyi entropy R _{0 is} determined for the received code block with repetitions of length M + 1 = 4 binary symbols, equal to R ₀ = 2.15 • 10 ^-2 , ε is the value that determines the deviation of the Renyi entropy for the received code block with repetitions from R ₀ , ε = 2.562 • 10 ^-3 . The value of the failure probability P _ε , P _ε = 7.824 • 10 ^{-7 is} determined while providing the information of the intruder about the generated CDS of not more than Io, where Io = 8.289 • 10 ^-6 bits. With so much information about CLS, the attacker can only use the CLS enumeration, the time for which will be about 86 days (it is likely that the current CLSD will be replaced several times during this period of time by the MSS), i.e. continuous operation time of one of the most powerful computers of the INTEL ASCI RED type (which is used by the NSA of the USA), as described, for example, in the journal "Confident. Information Protection", May - June, 3, 1998, p. 69, article Yu.E. Pudovenko "When the time comes to pick up the keys."

 The method of "secrecy enhancement" used in the proposed method is stronger in terms of resistance to compromise of the generated CLSWSD as compared to the compression algorithm used by the prototype method (see page 11 for the description of the prototype method in English). The term “stronger in compromising resistance of the generated CLSD” means that when using the “secrecy enhancement” method, the maximum amount of information of the violator about CLSD (which does not depend on the information processing strategies used by the violator) is limited from above with a probability close to unity. This restriction is mathematically proven, as shown, for example, in Bennett S., Brassard G., Crepeau S., Maurer U. "Generalized privacy amplification", IEEE Trans, on IT. vol. 41. no. 6. pp. 1915 - 1923, 1995, p. 1920. Such evidence regarding the compression algorithm used by the prototype method is not known, therefore it is difficult to predict the maximum amount of information of the intruder about the generated CSN CLSD (when using the compression method of the prototype method), taking into account the real capabilities of the violator , which uses powerful computing tools and modern cryptanalysis methods.

Claims (4)

1. The method of generating the encryption / decryption key, which consists in generating the original sequence on the receiving side of the communication direction, encoding it, extracting a block of check symbols from the encoded source sequence, transmitting it via the direct communication channel without errors to the transmitting side of the communication direction, where the decoded sequence, and from the original and decoded sequences form the encryption / decryption key, characterized in that for the formation of the original sequence lnosti L times, where L> April ¹⁰ - the selected initial length of the original sequence, at the transmitting side of the communication directions generate random bits form a codeword therefrom, and for generating a codeword generated random bit is repeated M times, where M≥1 transmit code the word through the communication channel with errors to the receiving side of the communication direction, where the received bit is formed from the received code word by assigning it the value of the first bit of the received code word and the confirmation bit F is generated, and for forming confirmation bits F, the first bit of the received codeword is compared with the subsequent M bits of the received codeword, after which, if there are M matches of the first bit of the received codeword with M bits of the received codeword, the confirmation bit F is set to one, and if there is at least one mismatch of the first bit the received codeword with M bits of the received codeword, the confirmation bit F is set to zero, the confirmation bit is transmitted on the reverse channel without errors to the transmitting side of the communication direction , with the confirmation bit F equal to zero, the received bit and the generated random bit are erased, and with the confirmation bit F equal to one, the received bit and the generated random bit are simultaneously stored on the receiving and transmitting sides of the communication direction as i-elements, where i = 1, 2, 3,. . . , LU, of the initial and preliminary sequences, respectively, on the receiving and transmitting sides of the communication direction, where U is the number of erased characters during the formation of the initial and preliminary sequences, and to form a decoded sequence on the transmitting side of the communication direction, the preliminary sequence is decoded by a linear block systematic binary noise-tolerant (N, K) a code whose verification matrix has the dimension (NK) xN, moreover, N> K, for which a preliminary sequence The integrity and the block of test symbols of the encoded source sequence are divided into Y corresponding pairs of decoded subblocks and subblocks of test symbols, where Y = (LU) / K, and the lengths of the decoded subblocks and subblocks of test symbols are chosen equal to K and NK binary symbols, respectively, and then Y received code blocks with a length of N binary symbols by concatenating to the right of the jth decoded subblock of the jth subblock of check symbols, where j = 1, 2, 3,. . . , Y, then sequentially, starting from the 1st to the Yth, calculate the jth syndrome S of length NK of binary symbols multiplying the jth received code block by the transposed check matrix, and correct the errors in j from the received jth syndrome S -th decoded subblock, which is then stored as the jth subblock of the decoded sequence, after generating the original and decoded sequences on the transmitting side of the communication direction, a sequence hashing function is generated in the form of a binary matrix G of dimension ( LU) xТ, where T≥64 is the length of the generated encryption / decryption key, and each of the elements of the binary matrix G is randomly generated, then it is transmitted via the forward communication channel without errors to the receiving side of the communication direction by sequential stitch transmission starting from 1- th by the (LU) th row of the binary matrix G, after which, on the receiving side of the communication direction, the binary matrix G and the original sequence, and on the transmitting side of the communication direction, the binary matrix G and the decoded sequence are divided by W, respectively of the existing pairs of submatrices of dimension PxT, where P = (LU) / W, and subblocks of the original and decoded sequences of length B of binary symbols, then from the 1st to the Wth, the zth primary key of length T of binary symbols is calculated, where z = 1, 2, 3,. . . , W, by multiplying the zth subblock of the original sequence by the zth submatrix G _z on the receiving side of the communication direction and the zth subblock of the decoded sequence by the zth submatrix G _z on the transmitting side of the communication direction, after which an encryption / decryption key is generated by bitwise sum modulo 2 W of the primary keys on the receiving and transmitting sides of the communication direction, then erase the original sequence on the receiving side of the communication direction and the decoded sequence on the transmitting side of communication.  2. The method according to p. 1, characterized in that the source sequence is encoded on the receiving side of the communication direction by a linear block systematic binary noise-resistant (N, K) code, the generating matrix of which has dimension KxN, with N> K, for which the initial sequence is preliminarily divided on Y subblocks of length K of binary characters, where Y = (LU) / K, then sequentially starting from the 1st to the Yth of each jth subblock, where j = 1, 2, 3,. . . , Y, form the j-th code block with a length of N binary symbols by multiplying the j-th subblock by the generating matrix, then from the j-th code block, select the j-th sub-block of test characters with a length of NK binary symbols, which is stored as the j-th block sub-block check characters of the encoded source sequence. 3. The method according to p. 2, characterized in that the sizes K and N of the generating matrix of the linear block systematic binary noise-immune (N, K) code are chosen K = 2 ^m -1-m and N = 2 ^m -1, where m≥3 . 4. The method according to p. 1, characterized in that the sizes K and N are selected for the verification matrix of the linear block systematic binary noise-immune (N, K) code K = 2 ^m -1-m and N = 2 ^m -1, where m≥3 .

Images