RU2480923C1 - Method to generate coding/decoding key - Google Patents

Abstract

FIELD: radio engineering, communication.

SUBSTANCE: method of K generation provides for simultaneous generation of a source sequence at the side of the 1st correspondent of the communication network and preliminary sequences at the sides of the 2nd and 3rd correspondents, at the same time a code word generated by the 1st correspondent of the communication network is simultaneously sent along communication channels with independent errors to the 2nd and 3rd correspondents of the communication network, accordingly, a binary symbol of acknowledgment generated by the 2nd correspondent of the communication network is sent along the communication channels without errors accordingly to the 1st and 3rd correspondents of the communication network, similarly a binary acknowledgement symbol generated by the 3rd correspondent of the communication network is sent. Then the source sequence is coded, a unit of testing symbols is identified from it and simultaneously transferred along direct communication channels without errors to the 2nd and 3rd correspondents, simultaneously decoded sequences are generated by the 2nd and 3rd correspondents, and the K is simultaneously generated by all correspondents of the communication network.

EFFECT: reduced time for K generation for a communication network comprising three correspondents.

11 cl, 43 dwg, 4 app

Description

The invention relates to the field of cryptography, in particular to the formation of an encryption / decryption key (CLC), and can be used as a separate element in the construction of symmetric cryptographic systems designed to transmit encrypted speech, sound, television and other messages.

The proposed method for generating CDS can be used in cryptographic systems if there is no or loss of cryptocurrency (cryptocurrency - if the communication network correspondents have the same CFD) between the correspondents of the communication network (CC), which includes three correspondents, or establishing cryptoconductivity between new CC correspondents in the conditions of interception by the intruder information transmitted over open communication channels. The term “communication network” means many nodes and lines connecting them, and for any two different nodes there is at least one connecting path, as described, for example, in the book by D. Phillips, A. Garcia-Diaz, “Analysis Methods Networks, Moscow: Mir, 1984, p. 16.

There is a known method for the formation of CLSD described in the book by W. Diffie “The First Ten Years of Public Key Cryptography”, TIIER, v. 76, No. 5, p. 57-58. The known method consists in the preliminary distribution between the parties of the direction of communication (SNA) of the numbers α and β, where α is a prime number and 1≤β≤α-1. The term “communication direction” is understood to mean a combination of transmission lines and communication nodes providing communication between two network points, as described, for example, in the National Standard of the Russian Federation, GOST R 53111-2008, “Sustainability of the operation of a public communication network,” Moscow: Standartinform, 2009, p. 7. The transmitting side of the communication direction (PerSNS) and the receiving side of the NS (PrNS), independently from each other, choose random corresponding numbers X _A and X _B , which are kept secret and then form numbers based on X _A , α, β on PersNS and X _B , α, β on PrSNS. SNA exchange the received numbers via communication channels without errors. After receiving the numbers of correspondents, the parties convert the received numbers using their secret numbers into a single CLSD. The method allows you to encrypt information during each communication session on new CLSD (that is, excludes the storage of key information on media) and relatively quickly form CLDS using one unprotected communication channel.

However, the known method has a relatively low resistance to CLSD (compromise of CLSD to compromise - the ability of the cryptographic system to withstand attempts by an intruder to obtain CLSD, which is generated and used by legitimate participants in the exchange of information when using the information about CLSD obtained by intercepting, theft, loss, disclosure, analysis, etc.), the validity of the CLSD is limited by the duration of one communication session or part thereof, incorrect distribution of the numbers α and β p leads to the impossibility of forming CLSD.

There is also a known method for generating CWD using a quantum communication channel [US Patent No. 5515438, H04L 9/00 of 05/07/96], which allows the CWD to be automatically generated without additional measures for distribution (delivery) of the preliminary sequence. The known method consists in using the uncertainty principle of quantum physics and generates CLSD by transmitting photons through a quantum channel. The method provides receiving CWSD with high resistance to compromise, provides guaranteed control of the presence and degree of interception of CWSD.

However, the implementation of the known method requires high-precision equipment, which leads to the high cost of its implementation. In addition, CWD by this method can be formed using fiber-optic communication lines of limited length, which significantly limits its scope in practice.

Closest to the technical nature of the claimed method of forming KShShD is the method of forming KShShD [RF Patent No. 2170112 from 07.20.2001].

The prototype method includes forming the initial sequence (IP) by the first correspondent of the direction of communication (NS), encoding the IP, extracting a block of check symbols from the encoded IP, transmitting it via the direct communication channel without errors to the second NS correspondent, forming a decoded sequence (DP) by the second NS correspondent , the formation of the hashing function of sequences by the first correspondent of the National Assembly, its transmission via a direct communication channel without errors to the second correspondent of the National Assembly, and the formation of encryption / decryption keys Hovhan first and second correspondents by hashing NA SP and DP according to the generated first hash function HC reporter sequences.

The IP formation by the first correspondent of the National Assembly consists in generating L times, where L> 10 ⁴ is the selected primary length of the IP, a random binary symbol, forming a code word from it by repeating the generated random binary symbol M times, where M≥1, and transmitting the code word by the error communication channel to the second NS correspondent, the formation of the received binary symbol and the binary confirmation symbol F from the received code word, the transmission of the binary confirmation symbol on the reverse error-free channel to the first correspondent that NS, and with a binary confirmation symbol F equal to zero, NS correspondents erase the generated random binary symbol and the received binary symbol, and with a binary confirmation symbol F equal to one, the generated random binary symbol and the received binary symbol are stored, respectively, the first and second correspondents of the National Assembly as ix elements, where i = 1, 2, 3, ..., LU, of the initial and preliminary sequences of the first and second correspondents of the National Assembly, r e U - the number of erased symbols in the formation of the source and pre sequences.

Coding of IP is carried out by a linear block systematic binary noise-resistant (N, K) code, the generating matrix of which has dimension K × N, and N> K. The sizes K and N of the generator matrix of the linear block systematic binary noise-immunity (N, K) code are chosen K = 2 ^m -1-m and N = 2 ^m -1, where m≥3. For encoding, IPs are preliminarily divided into Y subblocks of length K of binary symbols, where Y = (LU) / K, then sequentially starting from the jth to the Yth of each jth subblock, where j = 1, 2, 3, ... , Y, form the j-th code block with a length of N binary symbols by multiplying the j-th subblock by the generating matrix, then from the j-th code block, the j-th sub-block of test symbols with a length of NK binary symbols is extracted, which is stored as the j-th block sub-block verification characters encoded IP.

The allocation of the block of verification symbols IP consists in breaking the encoded IP into IP and the block of verification symbols of the encoded IP and highlighting the latter.

The transmission of the block of verification symbols of the encoded IP consists in transmitting it from the first correspondent of the National Assembly via a direct communication channel without errors to the second correspondent of the National Assembly.

The DP formation by the second NS correspondent is carried out as follows, the preliminary sequence is decoded by a linear block systematic binary noise-resistant (N, K) code, the transposed verification matrix of which has the dimension N × (NK), and N> K. The sizes K and N of the verification matrix of the linear block systematic binary error-correcting (N, K) code are chosen K = 2 ^m -1-m and N = 2 ^m -1, where m≥3. For decoding, the preliminary sequence and the block of check symbols of the encoded source coded sequence are divided into Y corresponding pairs of decoded subblocks and subblocks of check symbols, where Y = (LU) / K, and the lengths of the decoded subblocks and subblocks of check symbols are chosen equal to K and NK binary symbols, respectively then, Y received code blocks with a length of N binary symbols are formed by concatenating to the right of the jth decoded subblock of the jth subblock of check symbols, where j = 1, 2, 3, ..., Y, then sequentially, starting from the 1st to the Yth, calculate the jth syndrome S of NK binary characters length by multiplying the jth received code block by the transposed check matrix, and correct the errors in the jth by the received jth syndrome S a decoded subunit, which is then stored as the jth subunit of the decoded sequence.

The formation of the hashing function of sequences by the first correspondent of the National Assembly consists in generating a binary matrix G of dimension (L-U) × T, where T≥64 is the length of the generated encryption / decryption key, and each of the elements of the binary matrix G is randomly generated.

The transmission of the hashing function of the sequences consists in sequential transmission, starting from the 1st through (L-U) -th row of the binary matrix G, from the first correspondent of the NS through the direct communication channel without error to the second correspondent of the NS.

The formation of CLSD by the first and second correspondents of the communication direction consists in hashing the original and decoded sequences using the sequence hashing function generated by the first NS correspondent. For hashing sequences, the binary matrix G and IP are preliminarily on the side of the first correspondent, and the binary matrix G and DP on the side of the second correspondent are divided into W corresponding pairs of submatrices of dimension P × T, where P = (LU) / W, and subblocks of the original and decoded sequences with a length of B binary symbols, then starting from the 1st to the Wth, the zth primary key of length T of binary symbols is calculated, where z = 1, 2, 3, ..., W, by multiplying the zth subblock of the IP by the zth the submatrix G _z on the side of the first correspondent and the zth subblock of the DP on the zth submatrix G _z on the side of the second correspondent, after which they form the CLD by bitwise summation modulo 2 of all W primary keys on the sides of the first and second correspondents of the communication direction.

The prototype method allows you to create CLS between the correspondents of the National Assembly with relatively low material costs with a large spatial diversity of the correspondents of the National Assembly.

The disadvantage of the prototype is the relatively large time spent on generating the CLSD for the SS from three correspondents, since it is necessary to consistently generate the CLSD using the prototype method for each pair of SS correspondents, including the first correspondent, then choose one of the generated CLSD as the CLSD for the SS and provide it receipt by all SS correspondents.

The purpose of the claimed technical solution is to develop a method for generating CLSD, which reduces the time for forming CLSD for a communication network, including three correspondents.

This goal is achieved by the fact that in the known method of generating an encryption / decryption key, which consists in generating a random binary symbol on the side of the first correspondent, forming a code word from a random binary symbol, transmitting a code word from the first correspondent to the second correspondent, forming the received binary symbol form a binary confirmation symbol, transmit a binary confirmation symbol from the second correspondent to the first, form the initial and preliminary sequence those on the sides of the first and second correspondents, respectively, encode the original sequence, extract a block of check symbols from the encoded original sequence, transmit it from the first correspondent to the second, form and store the decoded sequence on the side of the second correspondent, form a hash function on the side of the first correspondent, transfer the hash function from the first correspondent to the second, after which an encryption / decryption key is formed from the original and decoded sequences on the sides of the first and second reporters, respectively, an encryption key / decryption formed simultaneously for a communication network comprising three correspondents. The code word generated by the first correspondent of the communication network is simultaneously transmitted via the first and second communication channels with independent errors to the second and third correspondents of the communication network, respectively. The binary confirmation symbol F1, formed by the second correspondent of the communication network, is transmitted over the first reverse and third forward communication channels without errors, respectively, to the first and third correspondents of the communication network. The binary confirmation symbol F2 formed by the third correspondent of the communication network is transmitted via the second reverse and third reverse communication channels without errors, respectively, to the first and second correspondents of the communication network. The generated random binary symbol of the first correspondent of the communication network and the received binary symbols of the second and third correspondents of the communication network are erased if at least one of the received binary acknowledgment symbols is equal to zero; otherwise, the generated random binary symbol of the first correspondent of the communication network and the received binary symbol of the second correspondent are remembered communication network, the received binary symbol of the third correspondent of the communication network, respectively, as ix elements, where i = 1, 2, 3, ..., LU, the original th sequence, first pre-sequence and the second pre-sequence where L> March ¹⁰ - the number of generations of random binary symbol, U - the number of erased symbols in the formation of the source sequence and preliminary sequences. After that, at the same time, the block of check symbols of the encoded source sequence is transmitted over the first direct and second direct communication channels without errors, respectively, to the second and third correspondents of the communication network. After the initial and decoded sequences are formed, the function of hashing the sequences generated by the first correspondent of the communication network is transmitted over the first direct and second direct communication channels without errors, respectively, to the second and third correspondents of the communication network. To generate the codeword, the generated random binary symbol is repeated M times, where M≥1. The received binary symbol of any communication network correspondent is assigned the value of the first binary symbol of the received codeword. For independent from each other and simultaneously generating a binary confirmation symbol F1 of the second correspondent or a binary confirmation symbol F2 of the third correspondent of the communication network, the first binary symbol of the received codeword is compared with the subsequent M binary symbols of the received codeword, where M≥1 is the number of repetitions of the generated random binary symbol when forming a codeword, after which, if there are M matches of the first binary character of the received codeword with M binary characters accepted of the second code word, the binary confirmation symbol F1 of the second correspondent or the binary confirmation symbol F2 of the third correspondent is assigned the value one, and if there is at least one mismatch of the first binary symbol of the received code word with M binary symbols of the received code word, the binary confirmation symbol F1 of the second correspondent or the binary confirmation symbol F2 of the third correspondent is assigned a value of zero. The original sequence is encoded by a linear block systematic binary error-correcting (N, K) code, where K is the length of the block of information symbols and N is the length of the code block, the generating matrix of which has dimension K × N, and N> K. When encoding, the original sequence is preliminarily divided into Y subblocks of length K of binary symbols, where Y = (LU) / K. Then, sequentially starting from the first to the Yth of each j-th subunit, where j = 1, 2, 3, ..., Y, form the j-th code block with a length of N binary symbols by multiplying the j-th subunit by the generating matrix. From the j-th code block, the j-th sub-block of check characters with the length of NK binary characters is extracted. Remember as the jth subblock of the block of check symbols of the encoded source sequence. The sizes K and N of the generator matrix of the linear block systematic binary noise-immunity (N, K) code are chosen K = 2 ^m -1-m and N = 2 ^m -1, where m≥3. To form the first and second decoded sequences, the first and second preliminary sequences of the second and third correspondents of the communication network are independently and simultaneously decoded by a linear block systematic binary noise-resistant (N, K) code, where K is the length of the block of information symbols and N is the length of the code block transposed whose verification matrix has dimension N × (NK), moreover, N> K. For the simultaneous and independent generation of decoded sequences of the second and third correspondents of the communication network, the preliminary sequences of the second and third correspondents of the communication network and blocks of verification symbols of the encoded source sequence are divided into Y corresponding pairs of decoded subblocks and subblocks of verification symbols, where Y = (LU) / K. The lengths of the decoded subblocks and subblocks of the check symbols are chosen equal to K and NK binary symbols, respectively. Then, Y received code blocks with a length of N binary symbols are formed by concatenating to the right of the jth decoded subblock of the jth subblock of check symbols, where j = 1, 2, 3, ..., Y. Consistently, starting from the 1st to the Yth , the jth syndrome S of length NK of binary symbols is calculated by multiplying the jth received code block by the transposed check matrix. According to the obtained jth syndrome S, errors in the jth decoded subunit are corrected. Then stored as the j-th subblock of decoded sequences. Select the sizes K and N of the verification matrix of the linear block systematic binary noise-immunity (N, K) code K = 2 ^m -1-m and N = 2 ^m -1, where m≥3. The sequence hashing function on the side of the first correspondent of the communication network is formed in the form of a binary matrix G of dimension (LU) × T, where T≥64 is the length of the generated encryption / decryption key, and each of the elements of the binary matrix G is randomly generated. The sequence hashing function generated by the first correspondent of the communication network is simultaneously transmitted sequentially, starting from the first (LU) -th row of the binary matrix G to the second and third correspondents of the communication network via the first direct and second direct communication channels without errors, respectively. While generating the encryption / decryption key, the binary matrix G and the initial sequence of the first correspondent of the communication network, the binary matrix G and the first decoded sequence of the second correspondent of the communication network, the binary matrix G and the second decoded sequence of the third correspondent of the communication network are divided into W corresponding pairs of dimension P submatrices × T, where P = (LU) / W, T≥64 is the length of the generated encryption / decryption key, and, accordingly, the subunits of the original sequence and first and second decoded sequence decoded sequence of binary symbols of length P, respectively. Then simultaneously starting from the first to the Wth, the correspondents of the communication network calculate the zth primary key of length T of binary symbols, where z = 1, 2, 3, ..., W, by multiplying the zth subblock of the original sequence of the first correspondent of the communication network by z the 3rd submatrix of G _z , the zth subblock of the first decoded sequence of the second correspondent of the communication network to the zth submatrix G _z , the zth subblock of the second decoded sequence of the third correspondent of the communication network to the zth submatrix of G _z . Then, at the same time, an encryption / decryption key is generated by bitwise summing modulo 2 of all W primary keys on the sides of all correspondents of the communication network.

Thanks to the new set of essential features, due to the simultaneous generation of the CLSD, the correspondents of the communication network provide the possibility of generating an encryption / decryption key for the communication network, which includes three correspondents, and the reduction of the time required to form the CLSD for the three correspondents of the communication network.

The claimed method is illustrated by figures, which show:

- figure 1 is a generalized block diagram of a communication network used in the claimed method;

- figure 2 is a timing chart for generating a random binary symbol on the side of the first correspondent of the communication network;

- figure 3 is a timing diagram of the formation of a code word on the side of the first correspondent of the communication network;

- figure 4 is a timing chart of the error vector in the first communication channel with errors between the first and second correspondents of the communication network;

- figure 5 is a timing chart adopted by the second correspondent of the communication network code word;

- figure 6 is a timing chart of the formation of the second correspondence network of the binary confirmation symbol F1;

- in figure 7 is a timing diagram of the formation of the received binary symbol by the second correspondent of the communication network;

- figure 8 is a timing chart received by the first correspondent of the communication network from the second binary confirmation symbol F1;

- figure 9 is a timing chart received by the third correspondent of the communication network from the second binary confirmation symbol F1;

- figure 10 is a timing diagram of the formation of the code word on the side of the first correspondent of the communication network (repeat of figure 3 to show the effect of independent errors in the second communication channel with errors between the first and third correspondents of the communication network);

- figure 11 is a timing chart of the error vector in the second communication channel with errors between the first and third correspondents of the communication network;

- figure 12 is a timing chart adopted by the third correspondent of the communication network code word;

- figure 13 is a timing chart of the formation of a third correspondence communication network binary confirmation symbol F2;

- figure 14 is a timing chart of the formation of the third binary correspondent communication network received binary character;

- figure 15 is a timing chart received by the first correspondent of the communication network from the third binary confirmation symbol F2;

- in figure 16 is a timing chart received by the second correspondent of the communication network from the third binary confirmation symbol F2;

- figure 17 is a timing chart of the stored i-th element of the original sequence of the first correspondent of the communication network;

- figure 18 is a timing chart of the stored i-th element of the first preliminary sequence of the second correspondent of the communication network;

- figure 19 is a timing chart of the stored i-th element of the second preliminary sequence of the third correspondent of the communication network;

- figure 20 is a timing diagram of the generated first preliminary sequence of the second correspondent of the communication network;

- figure 21 is a timing chart of the generated second preliminary sequence of the third correspondent of the communication network;

- figure 22 is a timing chart of the generated original sequence of the first correspondent SS, divided into Y sub-blocks of K characters;

- figure 23 is a timing chart of the selected j-th subunit of the original sequence of length K of binary symbols;

- figure 24 is a timing diagram of the formation of the j-th code block of length N binary characters;

- figure 25 is a timing diagram of the allocation of the j-th subunit of test characters with a length of N-K binary characters;

- figure 26 is a timing diagram of the formation of a block of verification symbols of the encoded IP from Y subunits of verification symbols;

- in Fig. 27 is a timing chart of a block of check symbols of the encoded source sequence transmitted to the second and third correspondents of the communication network and divided into Y sub-blocks of check symbols of length N-K binary characters, and the allocation of the jth sub-block of check symbols from it;

- figure 28 is a timing chart of a second preliminary sequence of a third correspondent of a communication network, divided into Y decoded subunits of K characters, and the allocation of the jth decoded subunit from it;

- figure 29 is a timing diagram of the formation of the j-th code block by concatenating on the right the j-th sub-block of check symbols to the j-th decoded sub-block;

- figure 30 is a timing chart for calculating the j-th syndrome S of length N-K binary characters and determining the location of the error;

- figure 31 is a timing chart of the error correction in the j-th decoded subunit according to the received j-th syndrome S;

- figure 32 is a timing chart of the formation of the second decoded sequence of the third correspondent SS from Y decoded subunits;

- figure 33 is a timing diagram of a block of check symbols of the encoded source sequence transmitted to the second and third correspondents of the communication network and divided into Y sub-blocks of check symbols of length N-K binary characters, and the allocation of the j-th sub-block of check symbols from it;

- figure 34 is a timing chart of the first preliminary sequence of the second correspondent of the communication network, divided into Y decoded subunits of K characters, and the allocation of the jth decoded subunit from it;

- figure 35 is a timing diagram of the formation of the j-th code block by concatenating on the right the j-th sub-block of check symbols to the j-th decoded sub-block;

- in figure 36 is a timing chart for calculating the j-th syndrome S of length N-K binary characters;

- figure 37 is a timing chart for checking for errors in the j-th decoded subunit according to the received j-th syndrome S;

- figure 38 is a timing diagram of the formation of the first decoded sequence of the second correspondent of the communication network from Y decoded subunits;

- figure 39 is a view of the generated hash function of the sequences;

- in figure 40 is a timing diagram of a hash function in the form of a sequence of binary characters, including from the first to (L-U) -th line with a length of T binary characters;

- figure 41 is a timing chart of the generated original sequence of the first correspondent, the first decoded sequence of the second correspondent, the second decoded sequence of the third correspondent of the communication network;

- figure 42 is a timing chart of the generated encryption / decryption key of the first, second and third correspondents of the communication network;

- figure 43 is a timing diagram of the formation of CLSD.

In the presented figures, the symbol “A” indicates actions that occur on the side of the first correspondent of the communication network, the symbols “B1” on the side of the second correspondent of the communication network, and the symbols “B2” on the side of the third correspondent of the communication network. The symbol “→” denotes the process of transmitting sequences of binary symbols over communication channels between correspondents of a communication network. In the figures, the hatched pulse represents the symbol “1”, and not the hatched pulse represents the symbol “0”. The signs “+” and “×” denote addition and multiplication in the Galois field GF (2). Upper letter indices indicate the length of the sequence (block), lower letter indices indicate the number of the element in the sequence (block).

The implementation of the claimed method is as follows. Modern cryptosystems are built on the Kirkhoff principle, described, for example, in the book of D. Messi, “Introduction to Modern Cryptology”, TIIER vol. 76, No. 5, May 1988, p.24, according to which the complete knowledge of the violator includes, in addition to the information received using interception, complete information about the order of interaction of the correspondents of the SS and the process of forming CLSD. The formation of a common CLSD can be divided into three main stages.

The first stage is the simultaneous formation of the initial (PI) and preliminary (PRP) sequences. Ensuring the formation of IP and PDP is carried out by simultaneously transmitting information about IP through the first and second communication channels with independent errors, respectively, to the second and third correspondents of the SS and its simultaneous processing by all correspondents of the SS. It is assumed that the violator knows the procedure for processing information about IP and intercepts its version of information about IP transmitted by the first correspondent of the SS at the output of an independent interception channel and uses it to form its version of the PRP. The ability to simultaneously generate an encryption / decryption key for a CC including three correspondents is determined by the construction of the channel connectivity model of the correspondents shown in Fig. 1. Reducing the time required to generate an encryption / decryption key is achieved by simultaneously generating the initial and preliminary sequences of all CC correspondents.

The second stage is designed to ensure the formation of CLS with high reliability. The formation of CLD with high reliability is achieved by eliminating (correcting) inconsistent characters (errors) in the preliminary sequences of the second and third correspondents relative to the initial sequence of the first correspondent SS when the correspondents use additional information about the IP transmitted via the first and second direct communication channels without errors from the first correspondent to the second and the third correspondents of the SS, respectively. It is assumed that the intruder intercepts additional information through the interception channels without errors and uses it to eliminate inconsistencies in his version of the PDP regarding the IP of the first correspondent. The possibility of generating a CLSD for an SS from three correspondents and reducing the time of generating a CLSD in an SS is achieved by the simultaneous transmission and processing of additional information about IP by three correspondents of the SS.

The third stage is designed to generate a key of a given length with a small amount of key information received by the intruder. Ensuring the formation of a key for CC correspondents with a small amount of information about it from the violator is ensured by compressing the sequences of communication network correspondents that they received after the second stage. It is assumed that the attacker knows the sequence compression algorithm. The possibility of generating a CLSD for an SS from three correspondents and reducing the time spent on generating a CLSD in an SS is achieved by simultaneously transferring the hashing function from the first correspondent of the SS via the first direct and second direct communication channels without errors, respectively, to the second and third correspondents of the SS and simultaneously processing information in order to form a CLSD all correspondents SS.

In the claimed method of generating an encryption / decryption key to provide the possibility of generating a CDS for SS from three correspondents and reducing the time required to generate a CDS, the following sequence of actions is implemented.

It is assumed that the intruder has an interception channel, with the help of which he receives information about the transmitted code words through communication channels with errors for the formation of IP and PRP of SS correspondents. The violator can only receive information and cannot participate in the information exchange. In order to provide the possibility of generating a CLSD for a CC from three correspondents and reducing the time spent on generating a CLSD for a CC from three correspondents, it is necessary to create conditions under which the simultaneous formation of a CLSD for a CC from three correspondents is required.

To create the above conditions, each of the symbols of the initial binary sequence randomly generated on the side of the first SS correspondent (each binary IP symbol is randomly generated to provide the possibility of generating CLSD for three SS correspondents and reducing the time required to generate it), repeat M times and simultaneously transmit to the second and third correspondents of the communication network via the first and second communication channels with independent errors, respectively. The second and third correspondents simultaneously take each of the words of the repetition code if all its elements are either “1” or “0” and decide on an information symbol corresponding to the accepted code word. Otherwise, erase this codeword. The decision on the accepted (erased) code words is simultaneously transmitted via communication channels without error to all other network correspondents. SS correspondents simultaneously store characters that have not been erased in the original and preliminary sequences. An intruder can also delete characters that were erased by SS correspondents. However, the characters stored by the intruder (i.e., which correspond to the simultaneously stored characters of the CC correspondents) are not reliable enough, because errors that occur in independent channels with errors of CC correspondents and errors that occur in the interception channel are independent errors. Instead of the presented codeword decoding, CC correspondents can simultaneously use threshold decoding. The main difference when using threshold decoding is that the CC correspondents simultaneously accept each of the words of the repetition code, not only when all its elements are either “1” or “0”, but also when the number of identical binary characters in the code word is at least a certain number (threshold). This will lead, on the one hand, to a decrease in the reliability of each of the simultaneously stored characters in preliminary sequences (PRPs) on the sides of the second and third correspondents, on the other hand, CC correspondents will erase IP symbols (PRPs) less.

The creation of conditions under which the CLSD is formed simultaneously for three SS correspondents and the time spent on its formation is reduced is realized in the claimed method by the following sequence of actions for the simultaneous formation of the IP of the first SS correspondent and preliminary sequences of the second and third SS correspondents. The formation of the initial sequence of the first correspondent of the SS is as follows. L times, where L> 10 ³ , a random binary symbol is generated (see FIG. 2). Known methods for generating random numbers are described, for example, in the book of D. Knut "The Art of Computer Programming", M .: Mir, 1977, v.2, p.22. A codeword is formed from a random binary symbol. To generate a codeword, the generated random binary symbol is encoded with M-repetition code (see FIGS. 3 and 10), where M≥1. M is determined by the quality of communication channels with errors. Known methods of coding with a repetitive code are described, for example, in the book by E. Berlekamp, “Algebraic Coding Theory”, M .: Mir, 1971, p. 11, however, when the code word is decoded by CC correspondents, error-free communication channels are used, which significantly affects to increase the reliability of the received characters. At the same time, the code word is transmitted via the first and second communication channels with independent errors to the second and third correspondents of the SS, respectively. Timing diagrams of error vectors in communication channels with independent errors are shown in figures 4 and 11. The term "error vector" refers to the bitwise difference between the transmitted and received code words, as described, for example, in the book by A. Zyuko, D. Klovsky, M. Nazarov, L. Fink, “Theory of Signal Transmission,” Moscow: Radio and Communications, 1986, p. 93. Accepted codewords are shown in figures 5 and 12. Known methods for transmitting sequences over communication channels with errors are described, for example, in the book by A. Zyuko, D. Klovsky, M. Nazarov, L. Fink, “Theory of signal transmission”, M .: Radio and Communications, 1986, p. 11. The second and third correspondents SS from the received codeword simultaneously form the received binary symbols and binary confirmation symbols F1, F2. The received binary symbol on the side of the first and second correspondents CC is simultaneously assigned the value of the first binary symbol of the received code words (see Figs. 7 and 14). To form a binary confirmation symbol, the first binary symbol of the received codeword is simultaneously compared with the subsequent M binary symbols of the received codeword. If there is at least one mismatch of the first binary symbol of the received codeword with M binary symbols of the received codeword, the binary confirmation symbol is assigned the value “0”. If there are M matches of the first binary character of the received codeword with M binary characters of the received codeword, the binary confirmation character is assigned the value “1”, as shown in figures 6 and 13. Known methods for comparing binary characters are described, for example, in the book by P. Horovets, U Khil, “The Art of Circuit Engineering”, Moscow: Mir, vol. 1, 1983, p. 212. The binary confirmation symbol F1 formed by the second correspondent of the communication network is transmitted via the first reverse and third direct communication channels without errors, respectively, to the first and third correspondents of the communication network, the binary confirmation symbol F2 generated by the third correspondent of the communication network is transmitted via the second reverse and third reverse communication channels without errors, respectively, to the first and second correspondents of the communication network (see Fig. 8, 9, 15 and 16). Known methods for transmitting a binary symbol on the reverse channel are described, for example, in the book by A. Zyuko, D. Klovsky, M. Nazarov, L. Fink, “Theory of signal transmission”, M .: Radio and communications, 1986, p. 156. If at least one of the received binary acknowledgment symbols is equal to zero (F1, F2), the generated random binary symbol of the first correspondent of the communication network and the received binary symbols of the second and third correspondents of the communication network are simultaneously erased, otherwise, the generated random binary symbol of the first correspondent of the network is simultaneously stored communication, the received binary symbol of the second correspondent of the communication network, the received binary symbol of the third correspondent of the communication network, respectively, as ix lementov where i = 1, 2, 3, ..., LU, the original sequence, first pre-sequence and the second pre-sequence where L> March ¹⁰ - the number of generations of random binary symbol, U - the number of simultaneously erased symbols in the formation of the initial sequence of the first correspondent a communication network, a first preliminary sequence of a second correspondent of a communication network and a second preliminary sequence of a third correspondent of a communication network. Figure 17 shows the i-th element of the initial sequence of the first correspondent SS, figure 18 - the i-th element of the first preliminary sequence of the second CC correspondent, and the i-th element of the second preliminary sequence of the third CC correspondent is shown in figure 19. Known methods for erasing binary characters are described, for example, in the book of W. Peterson, E. Weldon “Codes of Correcting Errors”, M .: Mir, 1976, p. 17. Known methods for storing binary characters are described, for example, in the book of L. Maltsev, E. Flomberg, V. Yampolsky "Fundamentals of Digital Technology", M .: Radio and communications, 1986, p. 79. A view of the generated first preliminary sequence is shown in FIG. 20, a view of the generated second preliminary sequence is shown in FIG. 21, and a view of the generated initial sequence is shown in FIG. 22.

An estimate of the probability of errors in the PDP of SS correspondents is given in Appendix 1.

After the SS correspondents use the code with repetitions in the IP of the first SS correspondent and preliminary sequences of the second and third SS correspondents, mismatched characters remain, which does not allow the SS correspondents to proceed with the direct formation of CLSD. Elimination of these discrepancies can be implemented through the use of error-correcting coding. However, well-known error-correcting codes make it possible to encode sequences of significantly shorter length than the obtained IP length (PDP), equal to the LU of binary symbols. For this, sequential coding is used, i.e. if the length of the PI (PRP) is large, for example, 10 ³ ÷ 10 ⁵ binary characters, it is divided into Y subunits of K characters in length, where Y = (LU) / K.

Each sub-block with a length of K characters is encoded on the side of the first correspondent CC by a linear systematic block noise-resistant (N, K) binary code, where K is the length of the block of information symbols and N is the length of the code block. A linear binary code is a code that is built on the basis of using linear operations in the GF field (2), as described, for example, in the book by R. Bleikhut, “Theory and Practice of Error Control Codes,” Moscow: Mir, 1986, p. 61. The term "block code" means a code in which actions are performed on blocks of characters, as described, for example, in the book by R. Bleikhut, "Theory and Practice of Error Control Codes," Moscow: Mir, 1986, p. 13. A systematic code is one in which the code word begins with information symbols, the remaining symbols of the code word are verification symbols for information symbols, as described, for example, in the book by R. Bleikhut “Theory and Practice of Error Control Codes”, M .: Mir, 1986, p.66. Then, the generated blocks of test symbols with a length of N-K binary symbols are combined into a single block of test symbols of an encoded IP with a length of Y · (N-K) binary symbols and simultaneously transmit it via the first direct and second direct communication channels without errors, respectively, to the second and third correspondents CC. The second and third correspondents of the SS use the block of verification symbols of the encoded IP to eliminate inconsistencies in their preliminary sequences with respect to the IP and as a result, decoded sequences are obtained.

An estimate of the probabilities of erroneous decoding of preliminary sequences of communication network correspondents is given in Appendix 2.

As error-correcting codes, a wide class of Bowse-Chowdhury-Hockingham codes, Hamming, Reed-Mahler, Reed-Solomon codes and other linear block codes characterized by their parameters N, K, d can be used. During the application by correspondents of SS of error-correcting coding, the intruder obtains additional information about CLSD by intercepting the block of test symbols of the encoded IP of the first SS correspondent transmitted via the first direct and second direct communication channels without errors, respectively, to the second and third SS correspondents. Using it, the violator also corrects part of the discrepancies in his version of the intercepted PRP with respect to the IP of the first SS correspondent. Correspondents consider this circumstance when forming from the original and decoded CLSD sequences for a communication network. The elimination of discrepancies (errors) in the preliminary sequences of the second and third correspondents of the SS is implemented in the claimed method by the following sequence of actions. The coding of the original sequence is as follows. Previously, the original sequence is divided into Y subblocks with a length of K binary symbols, where Y = (LU) / K, as shown in FIG. Known methods of dividing a sequence into blocks of fixed length are described, for example, in the book by V. Vasiliev, V. Sviridenko “Communication Systems”, Moscow: Vysshaya Shkola, 1987, p. 208. Consistently, starting from the 1st to the Yth, each j-th subunit, where j = 1, 2, 3, ..., Y, is encoded by a linear block systematic binary noise-immunity (N, K) code (see Fig. 23) . The generating code matrix has dimension K × N, moreover, N> K. The sizes K and N of the generator matrix of the linear block systematic binary noise-immunity (N, K) code are chosen K = 2 ^m -1-m and N = 2 ^m -1, where m≥3, as described, for example, in the book by R. Bleikhut “ Theory and practice of error control codes ”, Moscow: Mir, 1986, p. 71. For IP coding, each jth subblock of length K of binary symbols is multiplied by a generating matrix of a code and a jth code block of length N of binary symbols is obtained, as shown in FIG. Known methods for error-correcting coding of symbol blocks are described, for example, in the book by R. Bleikhut, “Theory and Practice of Error Control Codes,” Moscow: Mir, 1986, p. 63. From the j-th code block, the j-th sub-block of check symbols with a length of NK binary symbols is extracted (see FIG. 25). Known methods for allocating fixed-length blocks are described, for example, in the book by V. Vasiliev, V. Sviridenko “Communication Systems”, Moscow: Higher School, 1987, p. 208. The j-th sub-block of check symbols is stored as the j-th sub-block of the block of check symbols of the encoded source sequence. A timing diagram of the formation of a block of verification symbols of a coded IP is shown in Figure 26. Known methods for storing a sequence of binary symbols are described, for example, in the book “Fundamentals of Digital Technology” by L. Maltsev, E. Flomberg, V. Yampolsky, Moscow: Radio and Communications , p. 38. At the same time, a block of verification symbols of the encoded IP is transmitted via the first direct and second direct communication channels without errors, respectively, to the second and third correspondents of the SS. Known methods for transmitting sequences over communication channels are described, for example, in the book by A. Zyuko, D. Klovsky, M. Nazarov, L. Fink, “Theory of Signal Transmission,” Moscow: Radio and Communications, 1986, p. 11. The simultaneous formation of decoded sequences by the second and third correspondents of the SS is as follows. The first DP of the second SS correspondent and the second DP of the third SS correspondent are simultaneously formed from the first and second PDP, respectively. The actions of the second and third SS correspondents in the formation of the first and second DPs are respectively similar and are performed in parallel, therefore, actions and their order for one SS correspondent (for the second SS correspondent) will be shown below. The PRP and the block of check symbols of the encoded source sequence are simultaneously divided into Y of the corresponding pairs of decoded subblocks (see Figs. 28 and 34) and subblocks of check symbols (see Figs. 27 and 33), where Y = (LU) / K. The lengths of the decoded subblocks and subblocks of the check symbols are chosen equal to K and NK binary symbols, respectively. Known methods of dividing a sequence into blocks of fixed length are described, for example, in the book by V. Vasiliev, V. Sviridenko “Communication Systems”, Moscow: Vysshaya Shkola, 1987, p. 208. At the same time, Y received code blocks with a length of N binary symbols are formed by concatenating to the jth decoded subunit of the jth subunit of test symbols to the right, where j = 1, 2, 3, ..., Y, as shown in Figs. 29 and 35. Y received code blocks are simultaneously decoded by a linear block systematic binary error-correcting (N, K) code (see FIGS. 29 and 35). The code verification matrix has the dimension (NK) × N, with N> K. Choose the sizes K and N of the verification matrix of the linear block systematic binary noise-immunity (N, K) code K = 2 ^m -1-m and N = 2 ^m -1, where m≥3, as described, for example, in the book by R. Bleikhug “ Theory and practice of error control codes ”, Moscow: Mir, 1986, p. 71. Successively, starting from the 1st to the Yth, the jth syndrome S of length NK of binary symbols is calculated by multiplying the jth received code block by the transposed check matrix. The timing diagram for calculating the j-th syndrome S with the length of NK binary symbols is shown in figures 30 and 36. According to the obtained j-th syndrome S, errors are corrected in the j-th decoded sub-block (see Figs. 31 and 37). Known methods for syndromic decoding of symbol blocks are described, for example, in the book by R. Bleikhut, “Theory and Practice of Error Control Codes,” Moscow: Mir, 1986, p. 70. Then, the jth decoded subblock is stored as the jth subblock of the decoded sequence, as shown in FIGS. 32 and 38. Known methods for storing a sequence of binary characters are described, for example, in the book L. Fundamentals, E. Flomberg, V. Yampolsky digital technology ", M .: Radio and communication, 1986, p. 38. And thus, a decoded sequence is obtained.

After the SS correspondents form identical SPs on the side of the first SS correspondent and the DP on the sides of the second and third SS correspondents, the SS correspondents must form a CLSD with a small amount of information about the CLR offender. To ensure a small amount of information about the CLS offender SS correspondents use the method of "secrecy" sequences.

An estimate of the amount of Shannon’s information received by the intruder about the CLSD generated by correspondents of the SS using the “secrecy enhancement” method is given in Appendix 3.

To ensure a small amount of information of the offender about CLS in the proposed method of forming CLS, the following sequence of actions is implemented. The simultaneous formation of IP and DP her CLSD is as follows. On the side of the first correspondent CC, a sequence hashing function is formed in the form of a binary matrix G of dimension (LU) × T, where T≥64 is the required length of the generated CD. Each of the elements of the binary matrix G is randomly generated (see Fig. 39). Known methods for generating random numbers are described, for example, in the book of D. Knut "The Art of Computer Programming", M .: Mir, 1977, v.2, p.22. The sequence hashing function is simultaneously transmitted via the first direct and second direct communication channels without errors, respectively, to the second and third correspondents CC, sequentially starting from the 1st through (LU) -th row of the binary matrix G, as shown in Fig. 40. Known methods for transmitting sequences over communication channels are described, for example, in the book by A. Zyuko, D. Klovsky, M. Nazarov, L. Fink, “Theory of Signal Transmission,” Moscow: Radio and Communications, 1986, p. 11. CLs on the sides of the first, second, and third correspondents of the SS are simultaneously formed by hashing the IP, the first DP, and the second DP, respectively (see Fig. 41) using the sequence hashing function generated on the side of the first correspondent of the communication network, as shown in Fig. 42. In the formation of the CDS, the binary matrix G and the IP of the first correspondent SS, the binary matrix G and the first DP of the second correspondent SS, the binary matrix G and the second DP of the third correspondent SS are divided into W corresponding pairs of submatrices of dimension P × T, where P = (LU) / W, and subblocks of the original and decoded sequences of length P of binary symbols, respectively. Known methods of dividing a sequence into blocks of fixed length are described, for example, in the book by V. Vasiliev, V. Sviridenko “Communication Systems”, Moscow: Vysshaya Shkola, 1987, p. 208. Then, starting from the first to the Wth, the zth primary key of length T of binary symbols is calculated, where z = 1, 2, 3, ..., W, by multiplying the zth subblock of the IP of the first correspondent SS by the zth submatrix G _z , z-th subunit of the first DP of the second SS correspondent to the zth submatrix of G _z , z-th subunit of the second DP of the third SS correspondent to the zth submatrix of G _z . After that, the CLC is formed by bitwise summation modulo 2 of all W primary keys on the sides of all correspondents CC, as shown in Fig. 43. The actions for transmitting and receiving sequences over communication channels with errors, forward and reverse communication channels without errors are synchronized. Known methods of synchronization are described, for example, in the book of E. Martynov "Synchronization in transmission systems of discrete messages", M .: Communication, 1972, p.186.

To confirm the feasibility of achieving the formulated technical result, analytical modeling was carried out, according to the results of which it can be concluded that the time of formation of CLSD for SS by means of the proposed method can be 2.29165 times shorter than the time of formation of CLSD for SS by means of the prototype method . The results of the estimation of the CLSD formation time for the SS, including three correspondents, are given in Appendix 4.

Annex 1.

Estimation of the probability of errors in preliminary sequences of communication network correspondents

(In Appendices 1-4, all catch abbreviations used in the description of the invention are used.)

- вероятность ошибки в первой ПРП второго корреспондента СС может быть найдена из выражения:Let p _m1 be the probability of error per binary symbol in the first communication channel with errors between the first and second correspondents of the SS and p _{m2 the} probability of error per binary symbol in the second communication channel with errors between the first and second correspondents of the SS, then

- the probability of error in the first PDP of the second correspondent of the SS can be found from the expression:

- вероятность ошибки во второй ПРП третьего корреспондента СС, определяется выражением:Similarly

- the probability of error in the second PDP of the third correspondent of the SS, is determined by the expression:

where p _ac is the probability with which a block is accepted at the same time (length M + 1 binary characters) with M repetitions by the second and third correspondents, which is determined using the expression:

where α _ij is the joint probability of events, the occurrence of error i in the first communication channel with errors between the first and second correspondents of the SS (the presence of an error (i = 1) or the absence of an error (i = 0), and i∈ {0,1}), and the occurrence of error j in the second communication channel with errors between the first and third correspondents of the SS (the presence of error j = 1) or the absence of an error (j = 0), moreover, j∈ {0, 1}) when transmitting any character from the first correspondent of the SS on the first and second communication channels with independent errors, where:

The likelihood of an error in the PRP of the offender will depend on the admission rule chosen by him. So, if p _w is the probability of an error per binary symbol in the interception channel and the intruder decodes according to the majority rule (the majority decoding rule is the rule when the decision on the information symbol of the received code block with repetitions is made according to the greater number of identical symbols in the received code block with repetitions) , then the probability of error per binary symbol for the received information symbols of the intruder can be determined from the expression:

Appendix 2

Estimation of the probability of erroneous decoding of preliminary sequences of communication network correspondents

The probability of erroneous decoding of the first PDP of the second CC correspondent can be determined by the formula

where P _E01 is the probability of erroneous decoding of a subblock of length K of binary symbols from the first PDP of the second SS correspondent, determined, as described, for example, in the book by F. Mc-Williams, N. Sloan, “Theory of Error Correcting Codes,” Moscow: Communication, 1979 , p. 29,

- вероятность ошибки в первой ПРП второго корреспондента СС, полученная из выражения (1.1) Приложения 1, a d - минимальное кодовое расстояние (N, K) кода, которое определяется как минимальное число несовпадающих разрядов в двух любых кодовых словах (N, K) кода, как описано, например, в книге Ф. Мак-Вильямс, Н. Слоэн «Теория кодов исправляющих ошибки», М.: Связь, 1979, стр.20.Where

- the probability of error in the first PDP of the second SS correspondent obtained from the expression (1.1) of Appendix 1, ad is the minimum code distance (N, K) of the code, which is defined as the minimum number of mismatched bits in any two code words (N, K) of the code, as described, for example, in the book by F. Mac-Williams, N. Sloan, “Theory of error-correcting codes,” Moscow: Svyaz, 1979, p. 20.

The probability of erroneous decoding of the second PDP of the third CC correspondent can be determined by the formula

P _E02 - the probability of erroneous decoding of a subblock of length K of binary symbols from the second PDP of the third correspondent SS, is determined according to the expression:

- вероятность ошибки во второй ПРП третьего корреспондента СС, полученная из выражения (1.2) Приложения 1.Where

- the probability of error in the second PDP of the third correspondent of the SS obtained from the expression (1.2) of Appendix 1.

Appendix 3

Estimation of the amount of Shannon’s information received by the intruder about the encryption / decryption key generated by the correspondents of the communication network when using the “secrecy enhancement” method

In order to provide a small amount of information about the CLS in the proposed method for generating CLS, the method of “secreting” sequences is used, based on universal hashing, as described, for example, in Bennett S., Brassard G., Crepeau S., Maurer U. “Generalized privacy amplification ", IEEE Trans. on IT. vol. 41, no.6, pp. 1915-1923, 1995, p. 1920. The essence of the method of "enhancing secrecy" is as follows. On the side of the first correspondent, the hash function is randomly selected from the universal set of hash functions. The hash function is transmitted via the first direct and second direct communication channels without errors, respectively, to the second and third correspondents of the SS. Then, the IP of the first SS correspondent, the first DP of the second SS correspondent and the second DP of the third SS correspondent are hashed. The result of the hashing will be the generated CLSD for the communication network of three correspondents. With a probability close to unity and equal to 1-Pε, an event occurs when the intruder information about the CJD does not exceed a certain small value of Io and with a low probability of failure Pε an event is possible in which the information of the intruder about the CJD is more than Io. An IP of length LU of binary symbols is displayed when hashed into a sequence K _{A of} length T of binary symbols of the generated CLSD of the first correspondent SS, the first DP of length LU of binary symbols is mapped to a sequence K1 _{B of} length T of binary symbols of generated CLSD of the second correspondent SS, the second DP of length LU of binary characters is displayed in a sequence K2 _{B of} length T of binary symbols of the generated CLSD of the third correspondent SS. It is assumed that the intruder has complete information about the hash function of the sequences of CC correspondents. The function of hashing sequences must satisfy a number of requirements, as described, for example, in the book by Yu. Romanets, P. Timofeev, V. Shangin “Information Security in Computer Systems and Networks”, M .: Radio and Communication, 1999, p.156:

- the hash function must be sensitive to all kinds of changes in the sequence, such as inserts, outliers, permutations, etc .;

- the hash function must have the property of irreversibility, i.e. the task of selecting another sequence that possesses the required value of the hash function should be computationally insoluble;

is the probability of collision, i.e. the probability of an event in which the values of the hash function of two different sequences coincide should be negligible.

In addition, the hash function must belong to a universal set of hash functions. A universal set of hash functions is defined as follows. Let n and r be two positive integers, with n> r. The set of functions G2 that map the set of binary sequences of length n to the set of binary sequences of length r is called universal if, for any different sequences x ₁ and x ₂ from the set of binary sequences of length n, the probability (collision) that the value of the hash function of x ₁ is value of the hash function from x ₂ (g (x ₁ ) = g (x ₂ )), does not exceed 2 ^-r if the hash function g is selected randomly, in accordance with an equally probable distribution, from G2, as described, for example, in Carter J., Wegman M. "Universal classes of hash functions", Journal of Computer and System Sciences, 1979, Vol. 18, pp. 143-154, p. 145. All linear functions that map the set of binary sequences of length n to the set of binary sequences of length r belong to the universal set, as described, for example, in the book Carter J., Wegman M. "Universal classes of hash functions". Journal of Computer and System Sciences, 1979, Vol. 18, pp. 143-154, p. 150. Linear functions can be described by binary matrices of dimension n × r. The storage of the universal set G2 of hashing functions for sequences of IPs, the first and second DPs (the number of hashing functions of the sequences belonging to the universal set G2 is large and amounts to 2 ^{T · (LU)} , and each storage hashing function requires T · (LU for storage ) memory cells) is difficult to implement and impractical. Therefore, the random equiprobable choice of the hashing function of sequences from the universal set G2 of the hashing functions on the side of the first correspondent CC consists in randomly generating elements of a binary matrix of dimension (LU) × T, which describes a randomly selected hashing function of sequences from G2. After the CC correspondents form the CLSD by hashing the IP, the first and second DP according to the sequence hashing function randomly selected from G2, the amount of Shannon information received by the offender about the CLSD generated by the CC correspondents is no more than

where I _R is Renyi information.

Renyi information is determined through the Renyi entropy per symbol in the interception channel with a probability of error per binary symbol p _w , which characterizes the intruder’s uncertainty about CLW, when the intruder knows the information obtained by interception, complete information about the interaction algorithm of legitimate correspondents of the SS and the key generation process, as described, for example, in Bennett C., Brassard G., Crepeau C., Maurer U. "Generalized privacy amplification", IEEE Trans. on IT. vol. 41, no. 6, pp. 1915-1923, 1995, p. 1919. Renyi entropy is equal to

Then the information of Renyi I _R obtained by the intruder when observing the sequences of the PRP with the length of LU symbols is determined by the expression

When eliminating discrepancies (errors) in the first and second PRPs of the second and third correspondents of the SS, when the block of check symbols of encoded IP length Y (NK) of binary characters is transmitted from the first correspondent to the second and third correspondents without errors, the intruder receives additional information Renyi about CLSD. Additional information Renyi obtained by the intruder by encoding the IP I _{R code} is I _{R code} = Y (NK), as proved, for example, in Maurer U, Lemma 5. "Linking Information Reconciliation and Privacy Amplification", J. Cryptology, 1997, no .10, pp. 97-110, p. 105. Then the total amount of Renyi’s information received by the intruder is

In this case (3.1) takes the form:

The amount of Shannon’s information received by the intruder about the CLSD generated by correspondents when using the “secrecy enhancement” method is greater than the Io limit (defined in (3.5)) with a low probability of Pε failure. When correspondents use a code with repetitions, the Renyi entropy and probability Рε are determined by more complex relationships described, for example, in the journal Information Security Problems. Computer systems ”, St. Petersburg, Petrovsky Fund, No. 1, 2000, p. 18 in the article by V. Korzhik, V. Yakovlev, A. Sinyuk“ Protocol for generating a key in a channel with interference ”, and Renyi's entropy does not depend on the intruder’s choice rules for handling intercepted messages.

The determination of Renyi information and the probability Pε while generating the CLD for the SS requires consideration of all procedures associated with the simultaneous transmission of information via communication channels with errors, which include: generating and transmitting the IP of the first correspondent of the SS to the second and third correspondents of the SS. To do this, each of the characters of the original binary sequence randomly generated on the side of the first correspondent of the SS (each binary symbol of the IP is generated randomly to provide the possibility of generating CLSD for the three correspondents of the SS and reducing the time of its formation), repeated M times and simultaneously transmitted to the second and third correspondents of the communication network on the first and second communication channels with independent errors. The second and third correspondents simultaneously take each of the words of the repetition code if all its elements are either “1” or “0” and decide on an information symbol corresponding to the accepted code word. Otherwise, erase this codeword. Then the second and third correspondents simultaneously transmit the decision on the accepted (erased) code words through the communication channels without error to other network correspondents. SS correspondents simultaneously store characters that have not been erased in the original and preliminary sequences. An intruder can also delete characters that were erased by SS correspondents. However, the symbols stored by the intruder (that is, which the CC correspondents saved at the same time) are not reliable enough, because errors that occur in communication channels with errors of CC correspondents and errors that occur in the interception channel are independent errors.

Evaluation of Renyi information is carried out taking into account the results of error probability assessments in the PDP of SS correspondents given in Appendix 1.

We rewrite expression (1.3) taking into account (1.4), taking the common factors out of brackets, and we obtain:

We rewrite (1.1), taking into account (1.4) and (3.6), taking the common factors out of brackets and performing a reduction, we obtain

We similarly rewrite (1.2) taking into account (1.4), (3.6) and get:

Consider the situation of the intruder when he observes a noisy sequence of blocks of length M + 1 binary symbols. Denote by | z | Hamming weight (Hamming weight of a block of binary symbols — the number of non-zero bits in a block of binary symbols) of a block z of length M + 1 binary symbols obtained by the intruder. It is easy to show that the joint probability of events | z | = d and events that this block is accepted by the second and third correspondents, provided that the first correspondent SS transmits an information symbol equal to 0, equal

where γ _ijk is the joint probability of events in which the information symbol x = 0 sent by the first correspondent of the CC is received by the second correspondent of the CC as i, moreover, i∈ {0, 1}, the third correspondent of the CC as j, and j∈ {0, 1 }, and the intruder as k, and k∈ {0, 1}, where:

Similarly, for the case when x = 1, we determine:

Where

Replacing (3.10) in (3.9), taking into account (3.6), after taking the common factors out of brackets and performing reductions, we obtain the probability that the intruder takes the word z with the Hamming weight | z | = d, provided that the symbol x = 0 has arrived at the input of the interception channel and the second and third SS correspondents adopted the code word:

Similarly, as for (3.13), we obtain the probability that the intruder receives the word z with a Hamming weight | z | = d, provided that the symbol x = 1 arrived at the input of the interception channel and the second and third correspondents of the SS accepted the code word:

Using the Bayesian theorem [as described, for example, in the book of V. Feller, “Introduction to Probability Theory and its Applications,” Moscow: Mir, 1967, 498 pp.] And taking into account the uniform distribution law of the probabilities of binary symbols of IP, we obtain the probabilities of symbol transmission x = 0, provided that the offender accepted the block | z | = d,

or x = 1, provided that the intruder accepted the block | z | = d,

The probability that the intruder takes any block z of Hamming weight | z | = d

The relative knowledge by the intruder of the IP of length LU is represented by his knowledge of the Hamming weights d ₁ , d ₂ , ..., d _{LU of the} corresponding code blocks with repetitions of length M + 1 characters. For the intruder's PDP, the Renyi entropy R is

, где

). Используя границу Чернова [как описано, например, в книге Коржик В.И., Финк Л.М., Щелкунов К.Н. "Расчет помехоустойчивости систем передачи дискретных сообщений". - М.: Радио и связь, 1981. - 231 с.], Рε определяетсяThe weights d ₁ , d ₂ , ..., d _LU are random variables and the Renyi entropy obtained by the intruder is also a random variable. The probability Pε is the probability that the sum of random values of the Renyi entropy of the symbols of the PI will be less than the value (R ₀ -ε) (LU), where R ₀ is the average Renyi entropy of the received repetition unit of length M + 1, ε is a small value that determines Pε (

where

) Using the Chernov border [as described, for example, in the book Korzhik V.I., Fink L.M., Schelkunov K.N. "Calculation of noise immunity of discrete message transmission systems." - M .: Radio and communications, 1981. - 231 p.], Pε is determined

Where

- Renyi entropy (see expression (3.2)) to the block of code with repetitions of length M + 1 with a Hamming weight d and P (d) accepted by the intruder, and the probability of reception by the intruder through the interception channel of the code block with repetitions of length M determined according to expression (3.17) +1 and Hamming weight d,

R ₀ is determined

the optimal parameter σ can be found from the solution of the equation

Then the information of Renyi I _R in expression (3.3) when used by CC correspondents to transmit code information with repetitions can be determined from the expression:

Appendix 4

Estimation of the encryption / decryption key generation time for a communication network

The possibility of simultaneously generating an encryption / decryption key for a communication network of three correspondents is determined by constructing a channel connectivity model of correspondents, as shown in Fig. 1, the feature of which is to use two open communication channels with independent errors to form a CDS for SS. Random events of occurrence of errors in communication channels are independent, as described in the book by I.N. Bronstein, K.A. Semendyaeva "A reference to mathematics for engineers and students of technical colleges", M.: Science. The main edition of the physical and mathematical literature, 1981, p. 580.

It is advisable to present a series of requirements for CL for SS in the conditions of minimizing the time of its formation, taking into account the peculiarities of its formation through open communication channels with errors.

.Requirements for the reliability of the formation of CLSD are determined by the probability of mismatch formed by the correspondents of CC CLSD -

.

The safety requirements for the formation of CLShD are determined by:

a) the required (minimum permissible) length of the generated CLSD - T ^Tp [binary characters];

[бит];b) the required (maximum permissible) amount of Shannon information received by the offender about the formed Class Code of Defense -

[bit];

- вероятностью риска, что информация Шеннона о сформированном КлШД превысит

.at)

- the likelihood of the risk that Shannon’s information about the generated CLSD will exceed

.

The time of formation of CLSD for SS (T _total ) is determined by the time of transmission of all necessary information about CLSD of SS. An assumption was made that all time delays associated with information processing (generation, encoding, decoding, compression, etc.) are equal to zero, i.e. run instantly. Then

We rewrite (4.1), taking into account the given technical speed of information transfer V _{[dvc / s]} via communication channels, and we consider it the same in any communication channel shown in figure 1 (taking into account the notation adopted in the description of the invention):

Due to the fact that each information transmission system is characterized by a different V _{[dv / s]} , it is proposed to use a generalized indicator instead of the elapsed time T _{total [c]} - the total length of transmitted DLINA sequences, which is determined from (4.2) according to the expression

The task of minimizing the time of generating CLSD for SS is reduced to selecting the parameters of the process of forming CLSD for SS in such a way that, in the conditions of fulfilling the requirements, to form a CLSD with the minimum DLINA parameter.

CLS requirements for SS can be written as

where P _carried - the probability of mismatch formed by the correspondents SS CLSD, which is equal to

where P _{E1 is} determined from expression (2.1), P _E2 is determined from expression (2.3) of Appendix 2, I _{o is} defined in (3.5), and P _{ε is} defined in (3.19) of Appendix 3.

We set the requirements for CLShD for SS:

Define a common source data for figure 1:

1) the quality of the first communication channel with errors - p _m1 = 10 ^-2 ;

2) the quality of the second communication channel with errors - p _m2 = 2 · 10 ^-2 ;

3) the quality of the interception channel of the intruder - p _w = 8 · 10 ^-2 .

We present the results of calculating the parameters and evaluating the fulfillment of the requirements for the conditions for the formation of CLSD for SS using the proposed method of forming CLSD for SS.

Options:

L = 4400 [d.s.];

M + 1 = 3 [d.s.];

U = 384 [d.s.];

N = 511 [d.s.];

K = 502 [d.s.];

Y = 8;

ε = 7.03 · 10 ^-3 [bit].

Assessment of requirements:

T = 64 [dv];

P _carried = 7.35406 · 10 ^-5 ;

I _o = 3.10477 · 10 ^-11 [bit];

P _ε = 9.97693 · 10 ^-6 .

The resulting total length of the sequences transmitted over the communication channels is

DLINA3 = 2.70296 · 10 ⁵ [d.s.].

Consider the features of the formation of CLSD for SS through the prototype method. This becomes possible when implementing the following sequence of actions, which we will call the prototype method:

1. By means of the prototype method is formed KlShD K1 between the first and second correspondents SS through communication channels, as shown in figure 1.

2. By means of the prototype method, the KShSD K2 is formed between the first and third correspondents of the SS via communication channels, as shown in FIG.

3. The first CC correspondent selects CLSD K1, formed with the second correspondent of SS, as CLSD for SS and then, since the communication channels in the channel connectivity model shown in Fig. 1 are open channels, the first correspondent SS encrypts CLSD K1 on CLSD K2 receives a cryptogram C, after which the first correspondent of the SS transmits C via the communication channel without error to the third correspondent of the SS.

4. The third correspondent SS decrypts the cryptogram C on KShSD K2 and receives KShShD K1. KShShD K1 is accepted as KShShD for SS.

The assumption is made that the first and third correspondents of the SS use an unconditionally strong encryption system, which is described, for example, in the book of I.N. Okov “Cryptographic information protection systems”, St. Petersburg, VUS, 2001, p. 78. Using an unconditionally stable encryption system for encrypting CWSD and receiving cryptogram C with its subsequent transmission through communication channels without errors (including to the intruder) does not increase the information of the intruder about CWSD for SS. The above described procedure and content of actions for the formation of CLSD SS through the prototype method requires redefinition of requirements, i.e. the transition from the general requirements to KShShD for SS to the requirements for paired KShSh formed by the prototype method.

The CLSD for the SS will not be authenticated if at least one of the paired CLSD is not authenticated. Then

- требуемая величина вероятности несовпадения при формировании парного КлШД методом-прототипом на первом шаге,

- требуемая величина вероятности несовпадения при формировании парного КлШД на втором шаге метода-прототипа.Where

- the required magnitude of the probability of mismatch during the formation of a pair of CLSD by the prototype method in the first step,

- the required magnitude of the probability of mismatch during the formation of the paired CLS at the second step of the prototype method.

. Тогда перепишем (4.7):Let be

. Then we rewrite (4.7):

From here

к КлШД для СС не будет выполнено, если будет превышена вероятность риска при формировании хотя бы одного парного ключа по методу-прототипу.Risk requirement

to CLSD for SS will not be performed if the risk probability is exceeded when generating at least one pair key according to the prototype method.

- требуемая величина вероятности риска при формировании парного КлШД на 1 шаге,

- требуемая величина вероятности риска при формировании парного КлШД на 2 шаге.Where

- the required value of the probability of risk in the formation of paired CLSD in 1 step,

- the required value of the probability of risk in the formation of paired CLSD in step 2.

. Тогда перепишем (4.10):Let be

. Then we rewrite (4.10):

From here

After using the prototype method, the general information I _{about the} intruder about the generated CLSD for the SS can be written in the form:

where K1 is the pair key generated in the first step of the prototype method; K2 is the pair key generated in the second step of the prototype method; f1 - all information of the intruder about K1, including information obtained through communication channels, and information based on his knowledge of the entire order and content of processing information to obtain K1; f2 - all information of the intruder about K2, including information obtained through communication channels, and information based on his knowledge of the entire order and content of processing information to obtain K2.

Given the features of the prototype method, we rewrite (4.13).

- условная энтропия Шеннона ключей K1 и K2 при условии знания нарушителем информации f1 и f2.where H (K1, K2) is the Shannon entropy of the keys K1 and K2,

- Shannon conditional entropy of keys K1 and K2 provided that the intruder knows the information f1 and f2.

We define ourselves with respect to H (K1, K2). Based on the property of additivity of entropy, as shown in the book of V.D. Kolesnik, G.Sh. Poltyrev “Information Theory Course”, M.: Science. The main edition of the physics and mathematics literature, 1982, p. 29, we write

запишемThe last equality in (4.15) is determined by the independence of the events of formation of K1 and K2. Similarly for

we write

The last equality in (4.16) is also determined by the independence of the events of formation of K1 and K2.

We rewrite (4.14) with (4.15) and (4.16) taken into account and obtain

можно записатьThen, taking into account (4.17) for

can write

- требуемая величина информации утечки к нарушителю для формируемого парного КлШД K1 на первом шаге;

- требуемая величина информации утечки к нарушителю для формируемого парного КлШД K2 на втором шаге.Where

- the required amount of information leakage to the intruder for the formed pair KlShD K1 in the first step;

- the required amount of information leakage to the intruder for the formed pair KlShD K2 in the second step.

. ТогдаLet be

. Then

From here

Taking into account the solutions (4.9), (4.12), (4.20) and the requirements for the CLSD for the SS (4.6), we pass from the requirements for the CLSD for the SS to the requirements for the paired CLSD formed using the prototype method used as part of the prototype method:

;

;

The requirement T ^Tp remains unchanged T ^Tp = 64 [dv].

Correction is subject to the expression for determining DLINAp - the total length of the sequences transmitted over the communication channels during the formation of the CLSD for the SS using the prototype method.

where DLINA1 - the total length of the transmitted sequences over the communication channels during the formation of paired CLSD using the prototype method in the first step of the prototype method, which is determined from expression (4.3); DLINA2 - the total length of the transmitted sequences over the communication channels during the formation of paired CLS using the prototype method in the second step of the prototype method, which is determined from expression (4.3); T is the minimum possible length of the transmitted cryptogram C.

The condition for the transition from the proposed method to the prototype method is to introduce the assumption that the probability of an error in one of the communication channels with errors in FIG. 1 is 0.

We present the results of calculating the parameters and evaluating the fulfillment of the amended requirements for the formation of a paired CLS using the prototype method at each step.

Step 1. The formation of KShShD K1.

Parameters of communication channels (p _m1 = 10 ^-2 , p _w = 8 · 10 ^-2 ).

L = 3135 [d.s.];

M + 1 = 3 [d.s.];

U = 96 [d.s.];

N = 1023 [d.s.];

K = 1013 [d.s.];

Y = 3;

ε = 8.3 · 10 ⁻³ [bit].

Assessment of the requirements of the prototype method (for the first step):

T1 = 64 [d.s.];

P _carried 1 = 1.63218 · 10 ^-6 ;

I _o 1 = 1.97369 · 10 ^-12 [bit];

P _ε 1 = 4.8762 · 10 ^-6 .

The length of the sequences transmitted over the communication channels is

DLINA1 = 2.70296 · 10 ⁵ [d.s.].

Step 2. The formation of KShShD K2.

Parameters of communication channels (p _m2 = 2 · 10 ^-2 , p _w = 8 · 10 ^-2 ).

L = 6594 [d.s.];

M + 1 = 4 [d.s.];

U = 516 [d.s.];

N = 1023 [d.s.];

K = 1013 [d.s.];

Y = 6;

ε = 1.06 · 10 ^-2 [bit].

Assessment of the requirements of the prototype method (for the second step):

T2 = 64 [d.s.];

P _carried 2 = 9.25321 · 10 ^-8 ;

I _o 2 = 1.78335 · 10 ^-13 [bit];

P _ε 2 = 4.37348 · 10 ^-6 .

The length of the sequences transmitted over the communication channels is

DLINA2 = 4.15428 · 10 ⁵ [d.s.].

Step 3. Estimation of the length of the transmitted cryptogram C equal to T [d.s.].

The total length of the sequences transmitted over communication channels during the formation of CLSD for SS is determined according to (4.21):

DLINAp = 6.19423 · 10 ⁵ [d.s.].

A comparison of the lengths of the DLINA and DLINAp sequences transmitted over the communication channels shows that DLINAp is 2.29165 times longer than DLINA. Then we can conclude that the time of formation of CLSD for SS by means of the proposed method can be 2.29165 times shorter than the time of formation of CLSD for SS by means of the prototype method using the prototype method (under the same speed V _{[dv. s / s]} in any communication channel shown in FIG. 1).

Claims (11)

1. The method of generating the encryption / decryption key, which consists in generating a random binary symbol on the side of the first correspondent, generating a code word from a random binary symbol, transmitting a code word from the first correspondent to the second correspondent, generating a received binary symbol, generating a confirmation binary symbol, transmit a binary confirmation symbol from the second correspondent to the first, form the initial and preliminary sequences on the sides of the first and second correspondents with accordingly, the source sequence is encoded, a block of check symbols is extracted from the encoded source sequence, it is transmitted from the first correspondent to the second, the decoded sequence is generated and stored on the second correspondent side, the hash function is generated on the first correspondent side, the hash function is transmitted from the first correspondent to the second, after which form the encryption / decryption key from the original and decoded sequences on the sides of the first and second to correspondents, respectively, characterized in that the encryption / decryption key is generated simultaneously for the communication network including three correspondents, the code word generated by the first correspondent of the communication network is simultaneously transmitted via the first and second communication channels with independent errors to the second and third correspondents of the communication network, respectively, the generated second the correspondent of the communication network, the binary confirmation symbol F1 on the first reverse and third forward communication channels without errors, respectively to the second and third correspondents of the communication network, transmit the binary confirmation symbol F2 generated by the third correspondent of the communication network through the second reverse and third reverse channels without errors to the first and second correspondents of the communication network, if at least one of the received binary acknowledgment symbols is equal to zero, the generated random binary the symbol of the first correspondent of the communication network and the received binary symbols of the second and third correspondents of the communication network are erased, otherwise, the generated random binary symbol of the first correspondent of the communication network, received binary symbol of the second correspondent of the communication network, received binary symbol of the third correspondent of the communication network, respectively, as ix elements, where i = 1, 2, 3, ..., LU, the initial sequence, the first preliminary sequence and the second preliminary sequence, where L> 10 ³ is the number of generations of a random binary symbol; U is the number of erased characters in the formation of the original sequence and preliminary sequences, and at the same time, a block of test symbols of the encoded source sequence is transmitted along the first direct and second direct communication channels without errors, respectively, to the second and third correspondents of the communication network, after generating the original and decoded sequences, the generated first correspondent network communication function hashing sequences on the first direct and the second direct communication channels without errors, respectively, the second and third correspondents of the communication network. 2. The method according to claim 1, characterized in that to generate the code word, the generated random binary symbol is repeated M times, where M≥1. 3. The method according to claim 1, characterized in that the received binary symbol of any correspondent of the communication network is assigned the value of the first binary symbol of the received codeword. 4. The method according to claim 1, characterized in that for independent from each other and simultaneously generating a binary confirmation symbol F1 of the second communication network correspondent or binary confirmation symbol F2 of the third communication network correspondent, respectively, the first binary symbol of the received codeword is compared with the subsequent M binary symbols the received codeword, where M≥1 is the number of repetitions of the generated random binary symbol in the formation of the codeword, after which if there are M matches of the first binary the symbol of the received codeword with M binary symbols of the received codeword, the binary confirmation symbol F1 of the second correspondent or the binary confirmation symbol F2 of the third correspondent is assigned a value of one, and if there is at least one mismatch of the first binary symbol of the received codeword with M binary symbols of the received codeword, the binary symbol confirmations F1 of the second correspondent or the binary confirmation symbol F2 of the third correspondent are set to zero. 5. The method according to claim 1, characterized in that the original sequence is encoded by a linear block systematic binary noise-resistant (N, K) code, where K is the length of the block of information symbols, and N is the length of the code block, the generating matrix of which has dimension K × N moreover, N> K, for which the initial sequence is first divided into Y subblocks of length K of binary symbols, where Y = (LU) / K, then sequentially, starting from the first to the Yth of each jth subblock, where j = 1 , 2, 3, ..., Y, form the j-th code block of length N binary characters multiplied by using the jth subblock on the generating matrix, then the jth subblock of check symbols of length N-K binary characters is extracted from the jth code block, which is stored as the jth subblock of the block of test symbols of the encoded source sequence. 6. The method according to claim 5, characterized in that the sizes K and N of the generating matrix of the linear block systematic binary noise-immunity (N, K) code are chosen K = 2 ^m -1-m and N = 2 ^m -1, where m≥3 . 7. The method according to claim 1, characterized in that for the formation of the first and second decoded sequences, the first and second preliminary sequences of the second and third correspondents of the communication network are independently and simultaneously decoded by a linear block systematic binary noise-resistant (N, K) code, where K is the length of the block of information symbols, and N is the length of the code block, the transposed verification matrix of which has the dimension N × (NK), and N> K, for which preliminary sequences and blocks are checked full-time characters of the encoded source sequence are divided into Y corresponding pairs of decoded subblocks and sub-blocks of check characters, where Y = (LU) / K, and the lengths of decoded sub-blocks and sub-blocks of check characters are selected equal to K and NK binary characters, respectively, then form Y received code blocks of length N binary characters by concatenating to the right of the j-th decoded sub-block of the j-th sub-block of check characters, where j = l, 2, 3, ..., Y, then the j-th syndrome is calculated sequentially from the 1st to the Y-th S long NK two GOVERNMENTAL symbols by multiplying the received j-th code block check matrix transpose, and on the resulting j-th syndrome S correct errors in the decoded j-th subblock which is then stored as the j-th subblock decoded sequences. 8. The method according to claim 7, characterized in that they select the sizes K and N of the verification matrix of the linear block systematic binary noise-immunity (N, K) code K = 2 ^m -1-m and N = 2 ^m -1, where m≥3 . 9. The method according to claim 1, characterized in that the hashing function of the sequences on the side of the first correspondent of the communication network is formed in the form of a binary matrix G of dimension (LU) × T, where T≥64 is the length of the generated encryption / decryption key, each of which the binary matrix G is randomly generated. 10. The method according to claim 1, characterized in that the hash function of the sequences is transmitted sequentially, starting from the first through the (L-U) th row of the binary matrix G. 11. The method according to claim 1, characterized in that while generating the encryption / decryption key, the binary matrix G and the initial sequence of the first correspondent of the communication network, the binary matrix G and the first decoded sequence of the second correspondent of the communication network, the binary matrix G and the second decoded sequence the third correspondent of the communication network is divided into W corresponding pairs of submatrices of dimension P × T, where P = (LU) / W, T≥64 is the length of the generated encryption / decryption key, and accordingly single blocks of the original sequence, the first decoded sequence and the second decoded sequence of length B of binary symbols, respectively, then simultaneously, starting from the first to the Wth, the zth primary key of length T of binary symbols is calculated, where z = 1, 2, 3, ..., W by multiplying the zth subblock of the original sequence of the first correspondent of the communication network by the zth submatrix of G _z , the zth subblock of the first decoded sequence of the second correspondent of the communication network by the zth submatrix of G _z , the zth subblock of the second decoded the sequence of the third correspondent of the communication network to the z-th submatrix G _z , and then simultaneously form the encryption / decryption key by bitwise summation modulo 2 of all W primary keys on the sides of all correspondents of the communication network.

Images