ITRM20110061A1 - METHOD FOR THE SECURE EXCHANGE OF DATA IN SYMMETRICAL COMMUNICATIONS. - Google Patents

Description

Method for secure data exchange in symmetrical communications

The present invention relates to a method for secure data exchange in symmetrical communications.

More precisely, the present invention relates to a method for symmetric communications, in particular for encrypting and decrypting messages with a length not established a priori. Therefore the method allows the encrypted communication of data streams (streams) generated in real time, ie of data whose final length is not predictable.

The common name QP-DYN refers to a family of stream cryptographic algorithms, based on a common mathematical structure, but which differ in specific protocols.

The clarity of their mathematical structure allows to introduce a practically infinite multiplicity of variants, while maintaining the characteristics of robustness.

The QP-DYN algorithms are symmetric, but the private key is composed of two parts, one fixed (symmetrical part), which has the role of shared secret key generator (SSK in the following) and one that can be made public (asymmetric part) ).

The two interlocutors can arbitrarily and at no cost change the potentially public part of the key, obtaining different shared secret keys (SSK) each time.

This excludes information accumulation attacks through repeated use of the same key.

Like all cryptographic flow algorithms, QP-DYN protocols also consist of three independent phases:

(I) Initialization algorithm;

(II) Algorithm for the production of the shared secret key (SSK) given the initialization;

(III) Encoding and decoding algorithm, i.e. use of the SSK to exchange messages.

The algorithms of class (III) can be any however, since in the case of QP-DYN methods the SSK is as long as the text and has excellent statistical properties, while the potentially public part of the key can be changed for each text at no cost. , as an encoding and decoding algorithm it is sufficient to use the XOR in "one time pad" mode which, according to Shannon's theorem, is the maximum security one.

The report [Gabler07], based on a part of the Ph.D. thesis by Markus Gàbler (Cottbus), discusses the results of a statistical analysis of the QP-DYN generators of pseudo-random sequences.

This analysis has now been repeated many times by the Applicant's research group, confirming the results obtained.

The report [ItaOttGrilLent09] was created by the research group headed by prof. Giuseppe Italiano of the Department of Computer Science, Systems and Production, of the University of Rome Tor Vergata and compares the performance of the execution on mobile phones of the QP-DYN methods with several variants of the currently most used cryptographic method suite both at the key cryptography level public (RSA, Diffie-Hellmann, elliptic curves) and flow (AES, RC5).

The result is that the methods developed by the Applicant are theoretically more robust and produce longer SSKs in shorter times.

Notes on the theoretical basis of QP-DYN algorithms

The theoretical basis of QP-DYN algorithms are in the theory of chaotic dynamical systems and are described in the work [AbAcAu91] that develops the previous work [AcdeTiDiLi81], in which the main idea of the method is introduced, adding a constructive demonstration of the fact that by appropriately choosing the initial data, it is possible to obtain arbitrarily long periods and provides an estimate of the length of the period as a function of the initial data. These works also contain (albeit in implicit form) the explanation of why the transition from the method of generating pseudo-random vectors to the cryptographic algorithm is anything but trivial: the fact is that, while computers can only work on numbers almost all of the results on chaotic dynamical systems (in particular the demonstration of their chaotic properties) use measurement theory techniques and therefore exclude sets of zero measure such as rational numbers.

To this we must add that a slavish software implementation of the dynamic system at the base of the algorithm would give rise to an easily breakable cryptographic protocol (for more details see section II). Therefore the simulation of the chaotic dynamic system must be integrated with measures of a specifically cryptographic nature.

After the original proposal contained in the work [AcdeTiDiLi 81], other authors (some even recently) have developed the idea of using the hyperbolic automorphisms of the torus (or their variants) for the generation of random vectors, however the Applicant does not find the presence in the literature of a cryptographic application of such methods and algorithms. The purpose of each algorithm of the QP-DYN family is the following: "given in input a text Γ of binary length lTe N, produce a key of binary length equal to lT

This method is used in two conceptually different situations:

(i) the length of the text is known a priori; or (ii) the length of the text is not known a priori.

The first case typically occurs in data storage, the second in the encryption of information flows.

3. Dynamic systems underlying the QP-DYN algorithms The QP-DYN cryptographic algorithms are implemented using variants of the class of discrete-time chaotic dynamical systems described in this section, which are determined by:

(11) a natural integer d≡ N, where N is the set of positive natural numbers, called the "size of the algorithm";

(12) a square matrix M with natural integer coefficients and of dimension dxd (we will briefly write M and M (d; N) in the following), which represents the law of motion of the dynamic system and which is chosen as invertible (reversible dynamic system);

(13) a natural integer peN, called "modulo".

So such a dynamic system is essentially determined by 3 objects:

p is typically a prime number which, to guard against exhaustive searches, should be large. If p is kept secret, attacks that try to break the cryptographic method are much more difficult. Furthermore, if p is not prime, then the field Zp of the modulo p numbers is no longer a field but only a ring and not all numbers (modulo p) other than zero are invertible, which makes the calculation and construction more difficult. of invertible matrices.

In the following, we will use the following: Definition 1. Given a vector v0a d components in N

(briefly, called "initial vector", we define the orbit of the dynamic system {d, M, p} M with initial vector v01 'together:

where the index «eTV is interpreted as a discrete time parameter: each unit of time labels a step of the cryptographic algorithm associated with the dynamic system, and where Z d is the space of the vectors of

dimension d to components in integers modulo p.

Since there are exactly pd different vectors

in Z ^, each orbit θ (Μ, ν0) is a finite set. Also, if

then for every vector v0 there exists a P≡N such that vT — vQ.

If P is the smallest of these numbers, the orbit is said to have period / 3.

Since the dynamic system is deterministic and reversible, an orbit can intersect itself only if it returns to the initial vector v0 and in this case it repeats itself.

The object of the present invention is to provide an encryption method which solves the problems and overcomes the drawbacks of the prior art.

A further specific aim of the present invention is to provide the means and apparatuses for implementing the method which is the object of the invention. The object of the present invention is an encryption method for exchanging data between two interlocutors, which uses the vectors of a discrete-time dynamic system determined by:

(11) a natural integer d ≡ N, where N is the set of positive natural numbers, called the "size of the algorithm";

(12) a square matrix M with natural integer coefficients and of dimension dxd, which represents the law of motion of the dynamic system;

(i3) a natural integer p≡N, called "modulo", preferably a prime number;

(13) a natural integer neN, which represents the counter of the «-th iteration step of the law of motion;

(i4) an initial vector v0, and a vector

relative to the iteration step «-th,

to generate a binary encryption key k, defining, for each nn, a function

called "generating function of the order key" or "KGF" which uses the binary expansion of the components of the n vectors produced in the first n interaction steps of the law of motion to construct the n-th partial key, the method comprising the execution of the following successive phases:

A. starting from v0 in the first step 0, calculate n iteration steps of the law of motion by always calculating the components of the vectors modulo p, thus having at the «- th the vectors {v0, Vp ..., vn}; B. calculate the vector at the («+ l) -th step:

C. calculate the partial key («+1) -th:

D. proceed to the calculation of the KGF function in the next step by repeating steps B and C, up to step n = // eN in which the cryptographic key kn = k has the desired length;

the method being characterized by the fact that:

I. in phase C, given a function:

with b≡N and associating a substring of its binary expansion to a natural integer of b bit, the KGF is the function

being the components of the vector v „+1;

II. we choose a number q≡N such that:

and for each vector component, in phases A and B, an operation of modulo q is carried out before the aforementioned operation modulo p, preferably q ~ 32

with = 2;

III. in phase B:

- compare the current vector vn + 1 with the initial vector v0;

if vn + 1 ≠ v0, one passes directly to phase C;

if vn + 1 = v0, we redefine:

where J: N <d> -> N <d> is an orbit jump function, and we pass to phase C, the operation being equivalent to starting a new orbit from vector J (vn), which then becomes the new starting point;

IV. are carried out:

- the phases from A to C for at least two dynamic systems defined by corresponding different sets {d, M, P, kn, J} and {d \ M \ p \ k'n, J '} which give rise to at least two respective partial keys - at the end of phase C the partial key (n + 1) -th is the combined partial key kn + 1 (v1, ..., v (! + 1; v1 ', ..., v (! + 1 ') obtained by carrying out the XOR operation between said at least two partial keys, where, if said at least two partial keys are of different length, they become the same length by adding or deleting digits, and n can be arbitrary or n-H.

Preferably according to the invention, the matrices M and M 'of said at least two dynamic systems are invertible and therefore select corresponding reversible dynamic systems.

Preferably according to the invention, the KGF is the left queuing function:

defined by:

where the rightmost member denotes the binary string obtained by combining in the indicated way the binary strings λ (3⁄4), ..., Afo), / !, ηλ, ..., ηά being the components of the vector v „+1 .

Preferably according to the invention, in operation I said substring results from a cut of a number of digits, starting from the bits of greater power, equal to an integer τj variable from 0 to q and which depends on n and on the j-th component of the vector v „, thus obtaining a key k with Y, V _ /. =, l (ΰ-τ«, v „j) 'bit.

Preferably according to the invention, in operation I said substring results from a deterministic truncation of order T, T being a positive integer, which consists in cutting the first τ = T bits of each component of the vector vn

starting from the left or right.

Preferably according to the invention, in operation I said substring results from the cutting of the first zeros from the left up to the first "1" included of each component of the vector v "+ i starting from the left or from the right, and / or, at the end of operation IV, the combined partial key results from said XOR operation and from the subsequent cutting of the first zeros from the left up to the first "1" included starting from the left or from the right.

Preferably according to the invention, the function J: lS <d> -> N <d> is defined by:

or

where equality is understood modulop.

Preferably according to the invention, in operation IV the duplicated environment field i, i.e. d = d ', M = M' and p Φ p ', and also J J and k = k

Preferably according to the invention, the private key has a potentially public and a secret part, characterized by the fact that the potentially public part is constituted by the initial vector vo, and the secret part, also called symmetric part, is constituted by the matrix M, while the SSK is the cryptographic key k, called two interlocutors arbitrarily changing the potentially public part of the private key in order to obtain, for different data communications, from time to time different SSK shared secret keys.

Preferably according to the invention, the method comprises an initialization procedure, in which the initial vector vo is arbitrarily defined, through an arbitrary function f (vo), which is kept secret, and / or the first 3⁄4eN steps of the orbit.

A further specific object of the present invention is a computer program characterized in that it comprises code means suitable for executing, when operating on a computer, the method object of the invention.

A further specific object of the present invention is a memory medium that can be read by a computer, having a program memorized on it, characterized in that the program is the program object of the invention.

The invention will now be described for illustrative but not limitative purposes, with particular reference to its preferred embodiments.

4. Use of a multiplicity of dynamic systems

The cryptographic robustness of the SSK, built in the following sections, is based on the fact that, in generic cases, the reconstruction of the dynamic law of a dynamic system (in our case the secret key M), starting from the partial information on its orbits, is a very difficult problem even if the system produces relatively simple orbits.

For example, tracing Newton's law of gravity from the elliptical orbits of the solar system (Kepler) required nearly a century of hard work by the best mathematicians, physicists and astronomers of that time. For chaotic systems the problem is notoriously even more difficult. The difficulty is enormously increased if the information is expressed as a function of the orbits of two or more dynamical systems. This intuitive observation is the basis of the construction described in section 10. The dynamic system described above has discrete chaotic properties but, as described in the first lines of section 11, where an attack is described that allows to reconstruct exactly the matrix that generates the pseudo sequence - random, it is easily attackable from the cryptographic point of view.

This shows that the pseudorandom generation mechanism cannot be used alone as a cryptographic algorithm.

In order to obtain a robust cryptographic algorithm, the following additional operations have been introduced whose role is to destroy the algebraic information present in the pseudo-random generation mechanism:

(i) bit cut (see section 9.1);

(ii) the XOR with another similarly produced sequence (see section 9);

(iii) machine truncation (see section 7); (iv) the jump of orbit (see section 6.1).

Section 10 is devoted to estimating precisely how much of the algebraic structure can be recovered after the cutting operation alone and at what computational cost. The estimate is made here for simplicity in the case of a fixed cut. In the case of a random cut, the complexity increases.

5. Production of the shared secret key (SSK)

The dynamic system is used according to the invention to produce a shared secret key (SSK) in the manner described below. Each step of the method according to the invention produces a two-dimensional vector with integer components (more precisely as a whole {0,1, ..., p-l} ì.

Each of these components is represented in base 2 with c binary digits (typically c = 32). So each step of the algorithm produces a string of de bits. Consequently, after n steps of the algorithm we will have a string of ndc bits. This string is used to build an SSK.

By identifying a natural integer to its binary expansion, this construction is accomplished by constructing, for each nN, a function kn iN '* <1> -> N, called "key generating function (KGF) of order« "which uses the vectors produced in first steps of the algorithm for constructing the partial key «-th (see section 9.1 for the choice made concretely in an embodiment of the invention).

6. Jump orbit function

We have seen that, given that we work modulo p, the space of possible vectors, and a fortiori every single orbit of every dynamic system whose state space is a finite dimensional vector space on the field Zp, contains a finite number of points. To obtain good statistical properties, a desirable condition for a good cryptographic sequence, such orbits must be very long.

To this end the original dynamic system is modified as follows. The algorithm compares, at each step, the current vector vn with the initial vector (it is useless to memorize the whole orbit since the system is reversible). If the two coincide, it replaces vncon

7 (v „_i) where J: N <d> → N <d> is a function, called" function of

jump of orbit ".

This is equivalent to starting a new orbit from the vector J {vn-ih which then becomes the new starting point. It is clear from the description above that the role of the J function, of jump of orbit, is to prevent, as long as possible, the occurrence of a periodic orbit, thus improving the chaos of the generated sequences.

6.1 Choice of the orbit jump function

A preferred embodiment of the method according to the invention is provided below, which uses the following jump orbit function.

Denoting with F the environment field (in the present implementation a Zp),

That is explicitly:

This preferred embodiment of the invention has the advantage that it is very easy to implement because "2" is a shift and adding "1" means changing the first digit. In addition to the ease of implementation, the method is also made significantly faster.

7. Machine parting

The fact that the usual calculating machines deal with natural integers with a pre-defined number of bits, say m (typically m = 32), can be exploited to introduce an additional non-linearity that increases the complexity of the system and its robustness to attacks. If m is the number of binary digits (precision) available for the calculation, then the prime number p (modulo) is chosen in such a way as to satisfy the following relationship:

and the coefficients of the matrix M (secret key), used to generate the orbit, are not immediately taken modulo p. This device means that some of the summations involved in the matrix-vector multiplications, carried out for the construction of the orbit, can lead to vectors some of whose components exceed 2m bits. When this happens the machine truncates the result to m bits, before calculating the modulo p perM according to the scheme:

where M [Z, &] (respectively v [&]) are the coefficients of the matrix M (respectively the components of the vector v).

Although this feature of calculating machines is exploited, the cut can also be implemented as a specific calculation; in this case, a ge number is chosen such that:

and for each vector component, in the operations of the method according to the present invention, the modulo operation q is carried out before the modulo p operation, preferably q = 2. The two form operations do not switch.

In this way the possible attacker cannot know if, on a given component of a given vector of the orbit, the dynamic law has acted only with the module p, that is, first with the module m = 32 and then with the module p. Taking into account the fact that it is typically better to keep p secret, this shows that an attack on the system, even if only theoretical, becomes in such conditions inconceivable. For this truncation to be effective, the coefficients of the matrices must be chosen large enough (typically numbers in m —1 or m bits) to be able to generate those remainders that the machine cuts automatically. The effectiveness of this further non-linearity was experimentally verified.

In fact, an embodiment of the method of the present invention, in which this function is removed, does not pass all the statistical tests (albeit providing appreciable results), while by introducing this operation all the tests are passed.

8. Summary of the basic algorithm steps Starting from v0 at the first step 0, after n steps either the algorithm has stopped (because the cryptographic key for the encryption of the whole text has been calculated) or has produced the vectors {v0 , vp ..., vn}. The («+ l) -th step of the algorithm is the following:

(i) compare & n (vp ..., vn) to the length of the text lr (this step is not performed in the case of data stream encryption);

(ii-a) stops if

(ii-b) otherwise calculate

(iii) check if

(3)

(iv-a) if this happens, go to step (v);

(iv-b) if (3) doesn't happen, define

(4)

(V) computes the key relative to the («+ 1) -pass

(vi) iterates the procedure starting from point (i) with the new sequence.

In the case of encryption of data streams, the encryption is obviously carried out as long as the stream continues. In the case of the method implemented on a calculating machine, the command to initiate encryption is either given by hand or activated via a data flow detection mechanism. In this condition, when the flow stops, encryption also stops. The computer goes into stand-by and then, if the data flow resumes, the encryption restarts using a device that will be described later in this description.

9. Recursive construction of the sequence (k „)

In the general scheme of QP-DYN protocols the (KGF) functions can be arbitrary. There are many computationally interesting classes of J-dimensional binary KGFs.

The choice of these functions can be used: (i) to further customize the algorithm;

(ii) to increase its robustness by keeping this choice secret.

In the following section we will describe a preferred choice, meaning that many other choices can be made as variations of this one.

This choice is based on the observation that a computationally efficient way to construct the sequence (& n) is to recursively compute each k "by fixing a function:

and defining the KGF in the first step k: N <d> -> N by prescribing:

The sequence (& n) is then defined inductively as follows:

Recalling that a natural integer is identified as a binary string, the SSK at the (n + 1) -th step (i.e. kn + i (vn + 1, vn)) is obtained by combining the SSK at the nth step (i.e. kn ( vn, vn-l)) with the new datum produced by the algorithm at the (n + l) -th step (i.e. vn + 1).

Definition 2. A function k: N <d> xN—> N satisfying the condition:

it will be called a d-dimensional binary KGF.

9. 1 KGF for queuing

As usual we will identify a natural integer to the string of 0 and 1 defined by its binary expansion. We will use integers dib bits, with

that is, b is a multiple of 32.

Definition 3. Give a function:

which associates, to a natural b bit integer, a substring of its binary expansion) the left appending function:

is defined by

where the right member denotes the binary string obtained by juxtaposing the binary strings À {nd), ..., À {nl), n as indicated.

It is observed that the left appending function kÀ, defined by the relation (6), depends on the choice of the function λ. The two preferred choices according to the present invention are:

(i) random truncation: the bit segment between the first two 1s (included) of each component of the vector is cut starting from the left;

(ii) the deterministic truncation of order c: the first c bits of each component of the vector are cut starting from the left.

The role of bit cutting is to discourage exhaustive research.

Keeping the λ function secret increases the security of the algorithm.

10. The 2 first protocol

The computational advantage of the protocol described in section 8 consists in the fact that the non-linearity is due only to the operation consisting in reducing mod (p) the result of a linear function. The operations of cutting, jumping of orbit and machine cutting introduce further non-linearities which, by themselves, make it impossible to conceive a credible attack on the method.

A further strengthening of security can be achieved by replicating the original dynamic system. To this end, there are two main possible choices:

(i) replicate the dynamic law (matrix) leaving the environment, ie the field Zp, unchanged;

(ii) replicate the environment, ie the field, leaving the dynamic law unchanged.

From the qualitative point of view, both cases lead to different dynamical systems, that is to different orbits. Since choice (ii) has the advantage, with respect to calculation and memory, of using a single matrix at each point of the iteration, this choice is preferred according to the invention. In what follows we will illustrate this embodiment of the method according to the invention.

Furthermore, since the level of security achieved by simple duplication is quite acceptable, we will limit our discussion to this case, although it is possible to replicate the dynamic system as many times as you want by following the same procedure.

Given a text T of length equal to lTbit, we consider two dynamic systems:

with

(the) the same dimension JeN

(i2) the same dynamic law MeM (d; N)

(± 3) the same initial vector v0eN <d>

(i4) the same jump orbit function J: N <d> x N <d> → N <d>

(15) the same key generating function (KGF) kn: N <d> → N IKEN)

(16) two prime numbers p ', p and N called "modules".

Then the method described in section 8 is carried out up to the point (v) excluded (calculation of the («+ l) -th key), which is modified as follows.

Having produced two keys at the («+ l) -th step:

(remember that the KGF kns are the same) the algorithm computes:

where, for any two binary strings x, y, denotes the string jcXORy and if necessary the two strings are made the same length by adding zeros to the left.

Then the method removes from the bits of (8) all the main 0s (i.e. corresponding to powers higher than 2) and the first 1.

The result is the key to the (n + 1) -th step of the modified algorithm:

The stopping rule of the method steps is the same as that of section 8.

It is observed that it can happen that the string (8) has some of the main bits (powers greater than 2) equal to zero, because the operations of modulo p and p 'come into play only after a certain number of points of the orbit, and therefore , in these steps, the two partial keys are identical.

This consideration concerns the initialization procedure, in which Vo is defined. Vo is public, while matrix M is secret and it is it that makes you lose memory of the initial state, in order to protect the encrypted text against an attacker.

One can certainly start not from Vo, but from an arbitrary function f (vo), which is kept secret.

In addition, or alternatively, the first h steps of the orbit can be discarded so that, not knowing the law of motion, memory of Vo is lost.

The initialization procedure is in any case arbitrary.

11. Attack to the case of a matrix and complexity considerations

A robustness test of the method according to the present invention is provided here. The following robustness analyzes have been developed in the worst possible cases for the defender, namely:

- the single matrix case is considered (thus excluding the most relevant safety factor);

- machine cutting is excluded;

- it is assumed that the only secret key is the matrix M while the following information is considered public:

- the primop number (form),

- the dimension d,

- the initial data v0,

- the KGF kn,

- bit cutting (see end of section 9.1) is considered fixed and public.

In addition to this, the most favorable case for the attacker is considered, i.e. the plaintext attack, in which both the original text T and the encoded text are known to the attacker, and therefore the SSK is known (which however, it is changed with each message!). The question then arises: can the attacker reconstruct the secret key or the Mi matrix.

The attacker, in the following, will be denoted with E. The degree of inviolability naturally increases enormously if, as is always possible, some of this information is kept secret (and shared). Indeed, knowing T and C = T xor S and using the idempotence of the operation ∞r, E can recover 5 = C w Γ.

This will help to understand why so far the Applicant has not been able to find, even at a theoretical level, attacks on the 2-matrix version of the algorithm.

It is supposed:

(i) that E knows d + \ consecutive vectors of the orbit; (ii) that the first d among these vectors are linearly independent and the following matrices are defined by juxtaposition of column vectors:

then MV = V and this allows us to obtain M = V’V <1>.

However E has the entire string S, but not the corresponding subdivision indicated by equation (9) (see below), necessary to retrieve the components of the vectors v ;. And he must try to guess which is the correct subdivision. For this purpose E can exploit his knowledge of the algorithm structure, which is public, namely the construction:

• iterative calculation of the vectors of the orbit:

v0, V [, v2, ... using M as described above;

• for each component j = l, ..., d of each vector v ;, consider the corresponding base 2 representation with binary digits:

in which the main 0 and 1 are highlighted, and the remaining bits

they are generally represented with the letter

X is {0,1};

generates the pseudorandom sequence by iteratively juxtaposing the main bits of dy and juxtaposing after making the cut (fixed or random):

• as soon as n bits are obtained, the process is stopped and the pseudorandom sequence is returned.

Since the cut of the bits is considered fixed, let's say equal to 7 bits, and public, E knows that, for each component of each vector, it loses dtj = 7 bits and therefore has

an ambiguity of 2 <T> possibilities for each component. Since these components are d, the ambiguity is 2 <dT> possibilities for each vector. Since E needs d + 1 vectors, he has to choose between 2 <d> ^ <+ 1> ^ possibilities. For example, if d = 10 (a dimension that a common personal can handle without any difficulty), then rf (rf + l) = 110. Assuming, to further facilitate the work of E, that 7 = 2, E has to choose between 2 <220> possibilities. For each of these choices E must perform an inversion and multiplication of matrices of order 10. Finally, it should be observed that an increase of d or of 7, for example from 10 to 15 and from 2 to 3 respectively, increases the difficulty of construction for a a factor which is at most quadratic in the increase, while the difficulty of attack increases exponentially.

11.1 Attack on the case of 2 first courses

If the cryptographic algorithm used is the first 2 one, the considerations described in the previous section are completely destroyed, even in the absence of cuts, by the fact that, with this algorithm, E can only recover the sequence:

(where Θ = xor) but it is impossible to know if, in this sequence, a 1 was obtained from the combination of a 0 in kN [vl, ..., vN) (SSK of the first dynamic system) and a 1 in kN [v \,.,., ν'N) (SSK of the second dynamic system), or vice versa. Similarly, it is impossible to know whether a 0 is derived from two 0s or from two 1s.

In other words, and this is one of the main ideas of the method according to the invention, E is not faced with a difficult problem, but rather with an indeterminate problem such as: given a sum of two numbers, reconstruct the exact value of the addendi. Since, by arbitrarily fixing one of the two numbers, the knowledge of the sum uniquely determines the other and since, with respect to the information of E all the numbers of the base field are equiprobable, it follows that, for each component of the vector, E has an ambiguity of the same order as the number of elements of the field, i.e. p. For a vector the ambiguity will therefore be of the order of p <d> and for d + 1 vectors of the order of p <d> ^ <d + ì> '<ì>. Finally, the simultaneous use of the three different fields Z,, Z „, Z2 (where the last one is

refers to the operation of xor), makes it practically impossible to extract information, even if only statistical, by means of algebraic methods.

Bibliography

[AcdeTiDiLi 81]

Accardi L., F. de Tisi, A. Di Libero:

Unstable dynamical systems and generation of pseudo-random sequences, In: Review of statistical methods and applications, W. Racugno (ed.) Pitagora Editrice, Bologna (1981) 1-32

[AbAcAu9 1]

Abundo M., Accardi L., Auricchio A .:

Hyperbolic automorphisms of tori and pseudo-random sequences, Calculus 29 (1992) 213-240

[AcRe93]

Accardi L., Regoli M .:

Some simple algorithms for forms generations, IN: L. Accardi (ed.), Fractals in nature and in mathematics, Acta Encyclopaedica, Institute of the Italian Encyclopedia (1993) 109-116

[Cugiani80]

M.Cugiani: Statistical Numerical Methods (1980)

[Gabler07]

Markus Gabler:

Statistical Analysis of Random Number Generators

Internal report of the V. Volterra Center, October (2007)

[EngOttGrilLent 09]

Giuseppe F. Italiano, Vittorio Ottaviani Antonio Grillo, Alessandro Lentini: BENCHMARKING FOR THE QP CRYPTOGRAPHIC SUITE, August (2009)

[REGIO]

Regoli, M., A redundant cryptographic symmetric algorithm that confounds statistical tests,

Proceeding International Conference QBIC10, World Scientific, Series QP - PQ (2010)

[RobshBil08]

Mattew Robshaw, Olivier Billet (Eds.): New Stream Cipher Designs, The eSTREAM Finalists, State-of-the-Art Survey, LNCS 4986 Springer (2008).

In the foregoing, the preferred embodiments have been described and variants of the present invention have been suggested, but it is to be understood that those skilled in the art will be able to make modifications and changes without thereby departing from the relative scope of protection, as defined by the claims attached.

Claims (12)

CLAIMS 1. Method of cryptography for the exchange of data between two interlocutors, which uses the vectors of a discrete-time dynamic system determined by: (11) a natural integer JeN, where N is the set of positive natural numbers, called "algorithm size"; (12) a square matrix M with natural integer coefficients and of dimension dxd, which represents the law of motion of the dynamic system; (i3) a natural integer p≡N, called "modulo", preferably a prime number; (i3) a natural integer nn, which represents the counter of the n-th iteration step of the law of motion; (i4) an initial vector v0, and a vector vn— M <n> v0 relating to the «-th iteration step, to generate a binary encryption key k, defining, for each n and N, a function kn: <'> N <dn> -> N, named "function generating the order key« "or" KGF "which uses binary expansion of the components of the "vectors produced in the first" interaction steps of the law of motion to construct the partial key "-th, the method comprising the execution of the following successive phases: A. starting from v0 in the first step 0, calculate «iteration steps of the law of motion by always calculating the components of the vectors modulo p, thus having at the nth the vectors {v0, Vp ..., vn}; B. calculate the vector at the («+ l) -th step: C. calculate the partial key («+1) -th: D. proceed to the calculation of the KGF function in the next step by repeating steps B and C, up to step n = // eN in which the cryptographic key kn = k has the desired length; the method being characterized by the fact that: I. in phase C, given a function: with b≡N and associating a substring of its binary expansion to a natural integer of b bit, the KGF is the function kÀ: N <d> xN → N and K + \ <= k> x {<n> \ «p ..., 3⁄4 <≡ N, nx, ..., neaning the components of the vector v„ +1; II. we choose a number q≡N such that: and for each vector component, in steps A and B, an operation of modulo q is carried out before the aforesaid modulo p operation, preferably with q = 2 ~ 32; III. in phase B: - compare the current vector vn + 1 with the initial vector v0; if vn + 1 ≠ v0, one passes directly to phase C; if vn + 1 = v0, we redefine: where J: N <d> -> N <d> is an orbit jump function, and we pass to phase C, the operation being equivalent to starting a new orbit from the vector J (v "), which therefore becomes the new starting point; IV. are carried out: - the phases from A to C for at least two dynamic systems defined by corresponding different sets {d, M, P, kn, J] <e> {d ', M \ p \ k'n, J'} which give rise to at least two respective partial keys and k'n + l (v \, ..., v'n + l); And - at the end of phase C the (n + 1) -th partial key is the combined partial key <k> n + 1 (vi ν „+ Ι ·) obtained by carrying out the XOR operation between said at least two partial keys, where, if said at least two partial keys are of different length, they are made of the same length by adding or eliminating digits , and n can be arbitrary or n-H. 2 Method according to claim 1, characterized by the fact that the matrices M and M 'of said at least two dynamic systems are invertible and therefore select corresponding reversible dynamic systems. 3 Method according to claim 1 or 2, characterized in that the KGF is the left queuing function: where the rightmost member denotes the binary string obtained by juxtaposing the binary strings nx, ..., ndessendendo the components of the vector v „+1 as indicated. Method according to any one of claims 1 to 3, characterized in that in operation I said substring results from a cut of a number of digits, starting from the bits of greater power, equal to an integer Tn variable from 0 a q and which depends on n and on the j-th component of the vector v „, thus obtaining a key k with V <w> (g-T) bit. 5. Method according to claim 4, characterized in that in operation I said substring results from a deterministic truncation of order T, T being a positive integer, which consists in cutting the first Tnv = T bits of each component of the vector v „starting from the left or from the right. 6. Method according to claim 4, characterized in that, in operation I said substring results from the cutting of the first zeros from the left up to the first "1" included of each component of the vector v "+ 1 starting from the left or from the right , and / or, at the end of operation IV, the combined partial key results from said XOR operation and from the subsequent cutting of the first zeros from the left up to the first "1" included starting from the left or from the right. Method according to any one of claims 1 to 6, characterized in that the function /: N <d> - »N <d> is defined by: that is, explicitly: where equality is understood modulop. Method according to any one of claims 1 to 7, characterized in that in operation IV the environment field is duplicated, that is d = d ', M = M' and p ≠ p ', and furthermore J = J and kn = k'n. Method according to any one of claims 1 to 8, in which the private key has a potentially public and a secret part, characterized in that the potentially public part is constituted by the initial vector vo, and the secret part, also called part symmetric, it consists of the matrix M, while the SSK is the cryptographic key k, called two interlocutors arbitrarily changing the potentially public part of the private key in order to obtain, for different data communications, from time to time different shared secret keys SSK . Method according to any one of claims 1 to 9, characterized in that it comprises an initialization procedure, in which the initial vector vo is arbitrarily defined, through an arbitrary function f (vo), which is kept secret, and / or the first 3⁄4eN steps of the orbit are discarded. 11. Computer program characterized in that it comprises code means suitable for executing, when operating on a computer, the method according to any one of claims 1 to 10. 12. A computer readable memory medium having a program stored thereon, characterized in that the program is the computer program according to claim 11.