RU2695050C1 - Method of generating an encryption/decryption key - Google Patents

Abstract

FIELD: electrical communication engineering.

SUBSTANCE: invention relates to generation of an encryption/decryption key. Method comprises generating random sequence on transmitting side of communication direction, transmitting it along communication channel with errors to receiving side of direction of communication, generating a block of parity symbols for the formed random sequence, transmitting it along a communication channel without errors to a receiving side of the direction of communication, where a decoded sequence is formed, and an encryption/decryption key is formed from random sequences. At that, random sequence on transmitting side of communication direction is formed by radiation of harmonic signal by means of phased antenna array, which directional pattern is formed randomly, and a communication channel with errors on the receiving side of the direction of communication is formed by taking into account multi-beam propagation of radio waves.

EFFECT: method of generating an encryption/decryption key, which provides higher resistance of the formed encryption/decryption key to compromise from the intruder.

3 cl, 31 dwg

Description

The invention relates to the field of cryptography, namely the formation of the encryption key / decryption key (CLSD) and can be used as a separate element in the construction of symmetric cryptographic systems designed to transmit encrypted voice, sound, television and other messages.

The inventive method of forming KlShD may be used in cryptographic systems in the absence or loss kriptosvyaznosti ^{1 (1} Kriptosvyaznost - the presence of the legitimate parties KlShD identical.) Between the legitimate parties communication direction ^{2 (2} Legitimate side NA - i.e. authorized parties exchanging information.) (NS) or establishing cryptographic connectivity between new legal parties NA (ZSNS) when the violator conducts interception, modification and substitution of information transmitted via open communication channels.

The known method of CLDS formation is described in the book of U. Diffie “The first ten years of public key cryptography”, TIIER, 1988, vol. 76, No. 5, p. 57-58. The known method consists in the preliminary distribution between the legitimate parties of the direction of the relationship of the numbers α and β, where α is a prime number and 1≤β≤α-1. The transmitting side NS (PersSNS) and the receiving side NS (PrsNS), independently of each other, choose random numbers X _A and X _B, respectively, which are kept secret and then form numbers based on X _A , α, β on PerSNS and X _B , α, β on PRSNS. ZSNS exchange the received numbers via communication channels without errors. After receiving the numbers of correspondents, the legal parties convert the obtained numbers using their secret numbers into a single CLDS. The method allows you to encrypt information during each communication session on new CLSDs (i.e., excludes storage of key information on media) and form CLDS relatively quickly when using one unprotected communication channel.

However, the known method has a low resistance of CLSD to compromise ³ ( ^{3 The} resistance of CLSD to compromise is the ability of the cryptographic system to resist the intruder’s attempts to obtain the CLSD generated and used by the legitimate parties of the National Assembly, when the violator uses the information on the CLDS obtained as a result of interception, theft and loss of carriers , disclosure, analysis, etc.), the duration of CLDS is limited to the duration of one communication session or its part, incorrect distribution of α and β numbers leads to CLSD formation.

There is also known a method of forming CLDS when using a quantum communication channel [Patent RU No. 2507690 H04L 9/08 dated 11/13/12], which allows you to automatically generate CLDS without additional measures for sending (delivering) the preliminary sequence. The known method consists in using the principle of uncertainty of quantum physics and forms CLSD, by transferring photons through the quantum channel. The method provides CLDS with high resistance to compromise, provides guaranteed control of the presence and degree of interception CLDS.

However, the implementation of this method requires high-precision equipment, which leads to the high cost of its implementation. In addition, CLSD in this way can be formed using fiber-optic communication lines of limited length, which significantly limits the scope of its application in practice.

There is also known a method of forming CLDS based on the informational difference [RF Patent №2183051 H04L 9/00 dated 05.27.02], which consists in forming the initial sequence (PI), encoding it, extracting from the coded initial sequence of the block of test symbols, transmitting it through the channel communication without errors and the formation of the decoded sequence, and from the source and decoded sequences form the encryption / decryption key.

The disadvantage of this method is the large time of CLSD formation and the complexity of implementation, which leads to a high probability of imposing false messages by the violator and the likelihood of information leakage.

The closest in technical essence to the claimed method of forming CLSD is the method of forming CLSD based on random and decoded sequences [RF Patent №2295199 H04L 9/14 dated 23.08.05].

где l - длина формируемого ключа шифрования / дешифрования, (N, K) и (N _a , K _a ) - предварительно заданные на передающей и приемной сторонах направления связи линейные блоковые систематические двоичные помехоустойчивые коды, порождающие матрицы которых имеют соответственно размерности K×N и K _a ×N _a , причем N>K и N _a >K _a . Передают по каналу связи с ошибками три блока X₁, Х₂, Х₃, которые принимают на приемной стороне направления связи в виде блоков Y₁, Y₂, Y₃. Формируют на передающей стороне направления связи для первого Х₁ и второго Х₂ блоков блоки проверочных символов С₁ и С₂ с длинами r₁ и r₂ соответственно, где

и

Затем формируют сообщение

длиной (r₁+r₂) путем конкатенации блоков проверочных символов С₁ и С₂. После чего формируют аутентификатор w для сообщения

. Передают сообщение

и его аутентификатор w по каналу связи без ошибок на приемную сторону направления связи. На приемной стороне направления связи формируют аутентификатор w' для принятого сообщения. А также формируют вектор V путем суммирования по модулю два принятого w и сформированного w' аутентификаторов. Вычисляют вес w(V) вектора V путем подсчета его не нулевых элементов и сравнивают полученный вес w(V) с предварительно заданным пороговым значением веса w(V)_пор. При w(V)>w(V)_пор процесс формирования ключа шифрования / дешифрования прерывают, а при w(V)<w(V)_пор на приемной стороне направления связи из принятого сообщения

выделяют блоки проверочных символов С₁ и С₂, путем разбиения принятого сообщения

на две равные части. На приемной стороне направления связи из ранее принятых по каналу связи с ошибками блоков Y₁, Y₂ и блоков проверочных символов С₁ и С₂ формируют декодированные блоки

После чего формируют ключи шифрования / дешифрования на приемной и передающей сторонах направления связи путем хэширования блока Х₁ на передающей стороне направления связи и декодированного блока

на приемной стороне направления связи.The prototype method consists in forming a random sequence on the transmitting side of the communication direction, transmitting it through the communication channel with errors to the receiving side of the communication direction, forming a block of check symbols for the random sequence formed, transmitting it through the communication channel without errors to the receiving side of the direction links, where they form a decoded sequence, and an encryption / decryption key is formed from the random and decoded sequences. A random sequence on the transmitting side of the direction of communication form in the form of three blocks X ₁ , X ₂ , X ₃ with lengths k ₁ , k ₂ , k ₃ respectively. Moreover, k ₁ > l, k ₁ = k ₂ ,

where l is the length of the generated encryption / decryption key, (N, K) and (N _a , K _a ) are pre-defined on the transmitting and receiving sides of the communication direction linear block systematic binary error-correcting codes, generating matrices of which have the dimensions K × N and K _a × N _a , and N> K and N _a > K _a . Three units X ₁ , X ₂ , X ₃ are transmitted through the communication channel with errors, which receive on the receiving side the directions of communication as Y ₁ , Y ₂ , Y ₃ . On the transmitting side, the communication directions are formed for the first X ₁ and second X ₂ blocks of test symbols С ₁ and С ₂ with lengths r ₁ and r _2, respectively, where

and

Then form the message

length (r ₁ + r ₂ ) by concatenating blocks of test symbols С ₁ and С ₂ . Then form the authenticator w for the message

. Send a message

and its authenticator w on the communication channel without errors on the receiving side of the direction of communication. At the receiving side, the communication directions form the authenticator w 'for the received message. And also form a vector V by summing modulo two received w and generated authenticators. Calculate the weight w (V) of the vector V by counting its non-zero elements and compare the resulting weight w (V) with a predefined threshold value of the weight w (V) of the _pores . When w (V)> w (V) _then the encryption / decryption key generation process is interrupted, and with w (V) <w (V) _then the receiving side of the communication direction from the received message

allocate blocks of check symbols С ₁ and С ₂ , by splitting a received message

into two equal parts. At the receiving side, the directions of communication from the previously received over the communication channel with errors of blocks Y ₁ , Y ₂ and blocks of check symbols С ₁ and С ₂ form decoded blocks

After that, encryption / decryption keys are formed at the receiving and transmitting sides of the communication direction by hashing the block X ₁ on the transmitting side of the communication direction and the decoded block

on the receiving side of the direction of communication.

To form a block of checking symbols С ₁ with length r ₁ for block X ₁ , code block X _{1 with a} linear block systematic binary error-correcting (N, K) code. What is block X ₁ divided into T ₁ = k ₁ / K subblocks with K symbols in each. Each i-th subblock is formed, where i = 1,2, ..., T ₁ , i-th code sub-block of N symbols length by multiplying the i-th subblock by generating a K × N matrix of a linear systematic binary error-correcting block (N, K ) code. Then, from the i-th code sub-block, the i-th sub-block of test symbols of length (NK) symbols is extracted. The set of T ₁ subblocks of check symbols forms a block of check symbols С ₁ for block X ₁ .

To form the parity block length C ₂ r ₂ x ₂ blocks, encode the block X ₂ systematic linear block error-correcting binary (N, K) code. For this, block X _{2 is} divided into T ₂ = k ₂ / K sub-blocks with K symbols in each. Each i-th subblock is formed, where i = 1,2, ..., T ₂ , i-th code sub-block of N characters length by multiplying the i-th subblock by generating a K × N matrix of a linear systematic binary error-correcting block (N, K ) code. Then, from the i-th code sub-block, the i-th sub-block of test symbols of length (NK) symbols is extracted. The combination of T ₂ subblocks of check symbols forms a block of check symbols С ₂ for block X ₂ .

, кодируют сообщение

линейным блоковым систематическим двоичным помехоустойчивым (N _a , K _a ) кодом. Для чего разделяют сообщение

на T_a=(r₁+r₂)/K _a блоков по K _a символов в каждом. Формируют из каждого j-го блока, где j=1,2,…, T_a, j-ый кодовый блок длиной N _a символов, перемножением j-го блока на порождающую матрицу размерности K _a ×N _a линейного блокового систематического двоичного помехоустойчивого (N _a , K _a ) кода. Формируют кодовое слово для сообщения

, в виде последовательности состоящей из T_a кодовых блоков. Затем преобразуют кодовое слово для сообщения

путем замены в нем символов «0» на «01», а символов «1» на «10». Присваивают каждому символу преобразованного кодового слова и соответствующему символу блока Х₃ порядковые номера s, где s=1,2…, 2N _a T _a . Запоминают s-ый символ блока Х₃, если в преобразованном кодовом слове s-ый символ равен 1. Последовательность запомненных символов блока Х₃ образует аутентификатор w.To form message w on the transmitter side of the authenticator

code message

linear block systematic binary noise-resistant (N _a , K _a ) code. Why share a message

on T _a = (r ₁ + r ₂ ) / K _a blocks of K _a characters each. Each j-th block is formed from where j = 1,2, ..., T _a , j-th code block of length N _a symbols by multiplying the j-th block by the generating matrix of dimension K _a × N _{a of a} linear block systematic binary error-correcting ( N _a , K _a ) code. Form a code word for the message

, in the form of a sequence consisting of T _a code blocks. Then convert the code word for the message

by replacing the characters "0" with "01", and the characters "1" with "10". Assign each character of the transformed code word and the corresponding block symbol X ₃ sequence numbers s, where s = 1,2 ..., 2N _a T _a . Remember the s-th symbol of the block X ₃ , if the s-th symbol in the transformed code word is 1. The sequence of the memorized symbols of the block X ₃ forms the authenticator w.

из принятого блока Y₁ и блока проверочных символов С₁ декодируют принятый блок Y₁ линейным блоковым систематическим двоичным помехоустойчивым (N, K) кодом. Для чего разделяют принятый блок Y₁ и блок проверочных символов С₁ на Т₁ соответствующих пар декодируемых и проверочных подблоков, где Т₁=k₁/K. Длины декодируемых подблоков и проверочных подблоков выбирают равными соответственно K и (N-K) двоичных символов. Формируют Т₁ принятых кодовых подблоков длиной N двоичных символов путем конкатенации справа к t-му декодируемому подблоку t-го проверочного подблока, где t=1, 2, 3,…, Т₁. Вычисляют последовательно, начиная с 1-го до Т₁-го, t-й синдром S длины (N-K) двоичных символов перемножением t-го принятого кодового подблока на транспонированную проверочную матрицу. Исправляют по полученному t-му синдрому S ошибки в t-ом декодируемом подблоке. Запоминают t-й декодируемый подблок в качестве t-го подблока декодированного блока

To form a decoded block at the receiving side

Y from the received block ₁ and the block C ₁ parity decoding a received block Y ₁ systematic linear block error-correcting binary (N, K) code. For this purpose, the received block Y ₁ and the block of check symbols С ₁ are divided into T _{1 of the} corresponding pairs of decoded and check sub-blocks, where T ₁ = k ₁ / K. The lengths of the subblocks to be decoded and the verification subblocks are chosen to be equal, respectively, to K and (NK) binary symbols. Form T ₁ received code subblocks of length N binary symbols by concatenating to the t-th decoded sub-block of the t-th test sub-block, where t = 1, 2, 3, ..., T ₁ . Calculate sequentially, starting from the 1st to the T of the _1st, tth syndrome S of the length (NK) of binary symbols by multiplying the tth received code subblock by the transposed check matrix. Correct according to the received t-th syndrome S errors in the t-th decoded sub-block. Remember the t-th decoded sub-block as the t-th sub-block of the decoded block

и

После чего из полученных после перемножения последовательностей выделяют l младших разрядов.To generate the encryption / decryption key by hashing on the transmitting side, the communication directions multiply the blocks X ₁ and X ₂ . On the receiving side multiply decoded blocks

and

Then from the received after multiplication of sequences allocate l younger categories.

The disadvantage of the prototype is the relatively high probability of compromise formed CLSD, which is explained by the transfer in open form of the message containing blocks of a random sequence to form CLDS. This allows the offender to form the same encryption / decryption key.

The purpose of the inventive method is to develop a method of forming CLSD, which provides increased resistance of the formed CLSD to compromise on the part of the offender due to the substantial difficulty in intercepting a random sequence. Increased resistance to compromise formed CLSD is due to the fact that the signal itself does not contain information about a random sequence in contrast to the method of the prototype. This is achieved by forming a random sequence using the parameter of the phase pattern of the phased antenna array, which varies according to a random law.

This goal is achieved by the fact that in the known method of forming CLSD, the communication direction forms the signal s (t) = sin (ωt + ϑ) on the transmitting side, where where ω is the transmission frequency, ϑ is the initial phase, 0≤t ≤T / 2, j = l, 2, ..., N, in the form of harmonic oscillation. The signal from the transmitter output is transmitted to a phased antenna array with a random phase radiation pattern, and it is transmitted via the communication channel with errors to the receiving side of the communication direction. On the receiving side of the direction of communication, using an omnidirectional antenna, receive the signal y _j (t) = μ _cj cos (ωt + ϕ _j ), where 0≤t≤T / 2, j = l, 2, ..., N, μ _j - the signal envelope, ϕ _j is the phase, and calculate the value of ϕ _j in the phase detector (PD) using the signal of the reference generator, the phase of which is in phase with the generator in transmission. A phase difference value ϑ _δ = ϑ _j –ϑ _j-1 is applied to the solver, where j is the number of the package, is a numerical parameter — a report that is sent to the solver. Due to the fact that when the phase difference is close to zero, the probability of an error in choosing the right symbol on both the transmitting and receiving sides is high, the threshold values of the phase Δ, -Δ are preset. Then, the signal y 'in the resolver is compared with these values (Δ, -Δ) and decide on the reception of the symbol b according to the rule: “1” is remembered if the value of the phase difference 0≤f <Δ, Δ <ƒ≤360 °; remember "0", if the magnitude of the phase difference -Δ <ƒ≤180 °, 180 ° ≤ƒ <-Δ; a message is sent over the service channel to the correspondent A that this number in the sequence is erased if the value of the phase difference is Δ≤ƒ≤Δ. Then, on the receiving side, the directions of coupling form the same signal in the form of harmonic oscillations s (t) = sin (ωt + ϑ) where ω is the transmission frequency, ϑ is the initial phase, 0≤t≤T / 2, j = 1.2, ..., N, and transmit it over the communication channel using an omnidirectional antenna to the transmitting side of the direction of communication. On the transmitting side, the directions of communication take the signal y '(t) and decide on the value of the symbol b' according to the same rule as on the receiving side of the communication. Then remember the binary symbol x _j ∈ 0,1.

After the formation of the first symbol, at each subsequent interval on the transmitting side, the directions of communication rearrange the PAR in the PDN randomly and transmit the same signal s (t) = sin (ωt + ϑ) to the receiving side of the direction of coupling. As a result, on the receiving and transmitting sides of the direction of communication form random sequences X = x ₁ , x ₂ , ..., x _N and Y = y ₁ , y ₂ , ..., y _N, respectively.

и

Затем формируют сообщение

длиной (r₁+r₂) путем конкатенации блоков проверочных символов С₁ и С₂. После чего формируют аутентификатор w для сообщения

. Передают сообщение

и его аутентификатор w по каналу связи без ошибок на приемную сторону направления связи. На приемной стороне направления связи формируют аутентификатор w' для принятого сообщения. А также формируют вектор V путем суммирования по модулю два принятого w и сформированного w' аутентификаторов. Вычисляют вес w(V) вектора V путем подсчета его не нулевых элементов и сравнивают полученный вес w(V) с предварительно заданным пороговым значением веса w(V)_пор. При w(V)>w(V)_пор процесс формирования ключа шифрования / дешифрования прерывают, а при w(V)<w(V)_пор сообщение считается подлинным. После чего из случайных последовательностей X и Y на приемной и передающей сторонах направления связи формируют ключи шифрования / дешифрования.At the receiving and transmitting sides, the random sequences X and Y are divided into three blocks X ₁ , X ₂ , X ₃ and Y ₁ , Y ₂ , Y _3, respectively, with lengths k ₁ , k ₂ , k ₃ . On the transmitting side, the communication directions are formed for the first X1 and second X2 blocks of test symbols C ₁ and C ₂ with lengths r ₁ and r _2, respectively, where

and

Then form the message

length (r ₁ + r ₂ ) by concatenating blocks of test symbols С ₁ and С ₂ . Then form the authenticator w for the message

. Send a message

and its authenticator w on the communication channel without errors on the receiving side of the direction of communication. At the receiving side, the communication directions form the authenticator w 'for the received message. And also form a vector V by summing modulo two received w and generated authenticators. Calculate the weight w (V) of the vector V by counting its non-zero elements and compare the resulting weight w (V) with a predefined threshold value of the weight w (V) of the _pores . When w (V)> w (V) _{then the} process of generating the encryption / decryption key is interrupted, and when w (V) <w (V) _{then the} message is considered authentic. Then from random sequences X and Y at the receiving and transmitting sides of the direction of communication form the encryption / decryption keys.

To form a block of checking symbols С ₁ with length r ₁ for block X ₁ , code block X _{1 with a} linear block systematic binary error-correcting (N, K) code. What is block X ₁ divided into T ₁ = k ₁ / K subblocks with K symbols in each. Each i-th subblock is formed, where i = 1,2, ..., T ₁ , i-th code sub-block of N symbols length by multiplying the i-th subblock by generating a K × N matrix of a linear systematic binary error-correcting block (N, K ) code. Then, from the i-th code sub-block, the i-th sub-block of test symbols of length (NK) symbols is extracted. The set of T ₁ subblocks of check symbols forms a block of check symbols С ₁ for block X ₁ .

To form the parity block length C ₂ r ₂ x ₂ blocks, encode the block X ₂ systematic linear block error-correcting binary (N, K) code. For this, block X _{2 is} divided into T ₂ = k ₂ / K sub-blocks with K symbols in each. Each i-th subblock is formed, where i = 1,2, ..., T ₂ , i-th code sub-block of N characters length by multiplying the i-th subblock by generating a K × N matrix of a linear systematic binary error-correcting block (N, K ) code. Then, from the i-th code sub-block, the i-th sub-block of test symbols of length (NK) symbols is extracted. The set of T ₂ subblocks of check symbols forms a block of check symbols С ₂ for block X ₂ .

, кодируют сообщение

линейным блоковым систематическим двоичным помехоустойчивым (N _a , K _a ) кодом. Для чего разделяют сообщение

на T_a=(r₁+r₂)/K _a блоков по K _a символов в каждом. Формируют из каждого j-го блока, где j=1,2,…, T_a, j-ый кодовый блок длиной N _a символов, перемножением j-го блока на порождающую матрицу размерности K _a ×N _a линейного блокового систематического двоичного помехоустойчивого (N _a , K _a ) кода. Формируют кодовое слово для сообщения

, в виде последовательности состоящей из T_a кодовых блоков. Затем преобразуют кодовое слово для сообщения

путем замены в нем символов «0» на «01», а символов «1» на «10». Присваивают каждому символу преобразованного кодового слова и соответствующему символу блока Х₃, порядковые номера s, где s=1,2…, 2N _a T _a . Запоминают s-ый символ блока Х₃, если в преобразованном кодовом слове s-ый символ равен 1. Последовательность запомненных символов блока X₃ образует аутентификатор w.To form message w on the transmitter side of the authenticator

code message

linear block systematic binary noise-resistant (N _a , K _a ) code. Why share a message

on T _a = (r ₁ + r ₂ ) / K _a blocks of K _a characters each. Each j-th block is formed from where j = 1,2, ..., T _a , j-th code block of length N _a symbols by multiplying the j-th block by the generating matrix of dimension K _a × N _{a of a} linear block systematic binary error-correcting ( N _a , K _a ) code. Form a code word for the message

, in the form of a sequence consisting of T _a code blocks. Then convert the code word for the message

by replacing the characters "0" with "01", and the characters "1" with "10". Each symbol of the converted code word and the corresponding block symbol X _{3 are} assigned sequence numbers s, where s = 1.2 ..., 2N _a T _a . Remember the s-th symbol of the block X ₃ if the s-th symbol in the transformed code word is 1. The sequence of the memorized symbols of the block X ₃ forms the authenticator w.

The analysis of the level of technology has allowed to establish that the analogues, characterized by a set of features, identical to all features of the stated solution, are absent, which indicates the compliance of the claimed method to the condition of patentability "novelty."

Search results known solutions in this and related areas of technology in order to identify signs that match the distinctive features of the prototype features of the claimed method, showed that they do not follow explicitly from the prior art. The prior art also revealed no prominence of the effect of the transformations envisaged by the essential features of the claimed invention on the achievement of the said technical result. Therefore, the claimed invention meets the condition of patentability "inventive step".

The claimed method is illustrated by the figures, which show:

• in figure 1 - the formation of chains of bits using an antenna with random excitation;

• in figure 2 - the scheme of parameter estimation of the received signal by the correspondent;

• in figure 3 - the principle of formation of the logical values of "ones" and "zeros";

• in figure 4 - the timing diagram of the formed random sequence after splitting into PersSN in the form of blocks X ₁ , X ₂ , X ₃ ;

• in figure 5 - the timing diagram of the formed random sequence after splitting into PrmsNS in the form of blocks Y ₁ , Y ₂ , Y ₃ ;

• in figure 6 - the form of the generating matrix of a linear block systematic binary error-correcting (N, K) code;

• in figure 7 - the timing diagram of the formed block X ₁ divided into T ₁ subblocks by K symbols;

• in figure 8 - the timing diagram of the selected i-th subblock of the block X ₁ ;

• in figure 9 - the timing diagram of the formation of the i-th code subblock with a length of N binary symbols;

• Figure 10 is a timing diagram for the selection of the i-th sub-block of check symbols with a length of N-K binary symbols;

• in figure 11 - the timing diagram of the formation of the block of check characters With ₁ ;

• in figure 12 - the timing diagram of the formed block of check symbols С ₂ ;

;• in figure 13 - time diagram of the formation of the message

;

• in figure 14 - view of the generating matrix of a linear block systematic binary error-correcting (N _a , K _a ) code;

, разделенного на Т _а блоков по K _a символов;• in figure 15 - time diagram of the generated message

divided into T _a blocks of K _a characters;

;• in figure 16 - time diagram of the selected j-th message block

;

• Figure 17 is a timing diagram of the formation of the jth code block with a length of N _a binary symbols;

, разделенного на Т _а блоков по N _a символов;• Figure 18 is a timing diagram of a generated codeword for a message.

divided into T _a blocks of N _a characters;

• Figure 19 is a timing diagram of a generated codeword for a message;

• Figure 20 is a timing diagram of the formation of the transformed codeword;

• figure 21 - timing diagram of the formed block X ₃ ,

• Figure 22 is a time diagram of the formation of the authenticator w;

;• in figure 23 - time diagram of concatenation on the right of the authenticator w to the message

;

и его аутентификатора w;• in figure 24 - time diagram of the message received on the PRSNS

and its authenticator w;

• Figure 25 is a timing diagram of a generated codeword for a message;

• in figure 26 - time diagram of the received block Y ₃ ,

• in figure 27 - the timing diagram of the formation of the authenticator w ';

• in figure 28 - the timing diagram of the formation of the vector V;

• in figure 29 - the dependence of the probability of mismatch chains of bits in legal correspondents from the ratio S / N;

• Figure 30 shows the dependence of the probability of erasing in chains of bits from legal correspondents on the S / N ratio;

• in figure 31 - the probability of mismatch of bit chains in the legal correspondent and the offender, depending on the correlation coefficient of the signal samples.

In the presented figures, the letter "A" denotes the actions that occur on the transmitting side of the NA, the letter "B" - on the receiving side of the NA. In the figures, the shaded pulse is a binary symbol “1”, and the non-shaded pulse is a binary symbol “0”. The signs “+” and “×” denote addition and multiplication in the Galois field GF (2), respectively. The upper letter indices denote the length of the sequence (block), the lower letter indices denote the number of the element in the sequence (block).

The implementation of the claimed method is as follows. Modern cryptosystems are built on the principle of Kerkhoff, described, for example, in the book by D. Messi, "Introduction to modern cryptology", TIER v. 76, No.5, May 1988, p. 24, according to which the full knowledge of the offender includes, in addition to the information obtained through interception, full information about the algorithm of interaction between the legitimate parties of the National Assembly and the CLDS formation process. The formation of a common CLSD can be divided into three main stages. At the first stage, legal correspondents A and B form chains of random bits X ₁ , X ₂ , ..., X _N and Y ₁ , Y ₂ , ..., Y _N, respectively. For this purpose, an exchange of signals over a channel with artificially variable parameters is used when a phased antenna array (PAR) with random excitation is used on one of the correspondents. Since the chains of legal users may differ from each other due to a number of reasons, in the second stage they are coordinated by correcting mismatched bits. For this purpose, various methods can be used: erasing the least reliable, or vice versa, selecting the most reliable symbols of samples of a received parameter, and applying error-correcting codes with transmitting verification symbols over the supplementary (auxiliary) channel. Finally, in the third stage, keys are generated from “bit-cleared” chains of bits based on secrecy-enhancing methods. The intruder E intercepts the signals exchanged between legal correspondents and forms a chain of bits Z ₁ , Z ₂ , ..., Z _N , which, due to the randomness of the channel parameters, will differ from the chains of bits from legal reporters. We also assume that violator E can fully control the additional channel, intercept data in it or effect it. However, the intruder E, taking the signal and performing the evaluation of the parameter c, forms the symbol z _j ∈ 0,1. And, since the parameters, due to differences in the locations of correspondents B and E and the multipath of signal propagation, are different, the generated bits x _i and z _j will also differ. The degree of this difference is determined by the correlation of the transmission coefficients and the correlation of the phase shifts of the signals in different directions of antenna radiation. Obviously, the amount of mismatch bits generated by the violator and the legal correspondent, determines the degree of security key formation.

In the inventive method of generating the encryption / decryption key to ensure increased resistance of the generated CLSD to compromise, the following sequence of actions is implemented.

Correspondent A generates a sequence of signals (radio pulses) of the form (see Fig. 1):

The signal from the transmitter output enters the ring-shaped HEADLIGHT, the control of the radiation pattern, which is carried out by a discrete-time random process. At each signal transmission interval, the antenna parameters do not change, however, when transmitting a signal at the next interval, they change randomly.

Correspondent B, using an omnidirectional antenna, receives the signal:

where υ _ij is the antenna transmission coefficient in the i-th beam in the j-th transmission interval; μ _i - channel transfer coefficient in the i-th beam; ϑ _ij is the phase shift in the ith beam on the j-th interval; k is the number of rays. Further, the correspondent B calculates the value of ϑ _ij in the phase detector (PD) (see Fig. 2). To calculate the value of the phases of the received oscillations use the signal of the reference generator, the phase of which is in phase with the generator on the transmission. Due to the fact that when the phase difference is close to zero, the probability of an error in choosing the right symbol on both the transmitting and receiving sides is high, the threshold values of the phase Δ, -Δ are preset. The signal y 'in the resolver is compared with the predetermined values (Δ, -Δ) and a decision is made to receive the symbol b according to the rule (see FIG. 3):

After receiving the signal at each interval, the correspondent B immediately sends to the correspondent A exactly the same signal s (t) = sin (ωt + ϑ), T / 2 <t≤T, j = l, 2, ..., N. By virtue of the principle of reciprocity (since the DN PAR has not changed yet), correspondent A accepts the signal x _j (t) ≈ y _i (t), finds the parameter estimate c by the same rule as correspondent B. As a result, it forms the binary symbol x _j Ε0.1. After the formation of the first symbol, the HEADLIGHT is rearranged randomly and in the next interval the same signal with a new value of the initial phase is transmitted to the B correspondent, etc.

As a result, correspondents A and B form random sequences X = x ₁ , x ₂ , ..., x _N and Y = y ₁ , y ₂ , ..., y _N, respectively.

путем конкатенации блоков проверочных символов С₁ и С₂ (см. фиг. 13). Затем разделяют сформированное сообщение

на Т _а блоков длиной по K _a символов (см. фиг. 15), гдеThe offender can substitute or imitate the messages transmitted in the communication channel, in order to form CLDS in common with one or both of the correspondents. Therefore, information transmitted by correspondents over a communication channel must be authenticated. To achieve this goal, correspondents A and B split random sequences X and Y into three blocks X ₁ , X ₂ , X ₃ (see Fig. 4) and Y ₁ , Y ₂ , Y ₃ (see Fig. 5), respectively with lengths k ₁ , k ₂ , k ₃ . The block X ₁ is encoded on PERSON, for which the block X _{1 is} previously divided into T ₁ subblocks of length K binary symbols, where T ₁ = k1 / K, as shown in FIG. 7. Known methods of breaking a sequence into blocks of fixed length are described, for example, in the book V. Vasiliev, V. Sviridenko, “Communication Systems”, Moscow, Higher School, 1987, p. 208. Consistently, starting from the 1st to T _{The 1st} , each i-th subunit of the block X ₁ , where i = l, 2,3, ..., T ₁ , is encoded with a linear block systematic binary error-correcting (N, K) code (see Fig. 8). The generating matrix of the code (see Fig. 6) has the dimension K × N, and N> K. The dimensions K and N of the generating matrix of a linear block systematic binary error-correcting (N, K) code are chosen K = 2 ^m -1-m and N = 2 ^m -1, where m≥3, as described, for example, in the book R. Blahut, “Theory and practice of codes that control errors”, M., Mir, 1986, p. 71. To encode a block X _1, each i-th subblock with length K of binary symbols is multiplied by the generating code matrix and the i-th code block with length N binary symbols is obtained as shown in FIG. 9. Known methods of noise-resistant coding of blocks of characters are described, for example, in the book by R. Bleichut, “Theory and Practice of Error Control Codes,” M., Mir, 1986, p. 63. The i-th sub-block of verification is distinguished from the i-th code block characters with a length of NK binary symbols (see Fig. 10). Known methods of allocating blocks of fixed length are described, for example, in the book V. Vasiliev, V. Sviridenko, “Communication Systems”, M., Higher School, 1987, p. 208. Memorize the i-th sub-block of check characters as the i-th sub-block block of verification symbols of a coded block X ₁ . A timing diagram of the formation of a block of check symbols С _{1 of a} coded block X _{1 is} shown in FIG. 11. Known methods of storing bit sequences are described, for example, in the book by L. Maltsev, E. Flomberg, V. Yampolsky, “Fundamentals of Digital Technology”, M., Radio and Telecommunications, 1986, p. 38. In a similar way, they are coded with linear block systematic binary error-correcting (N, K) code block X ₂ on PerSNS, dividing it into T ₂ subblocks of length K binary symbols, where T ₂ = k ₂ / K. Known methods of splitting a sequence into blocks of fixed length are described, for example, in the book V. Vasiliev, V. Sviridenko, “Communication Systems”, Moscow, Higher School, 1987, p. 208. Timing diagram of a formed block of check symbols С _{2 of a} coded block X _{2 is} shown in FIG. 12. On the PerSNS form a message.

by concatenating blocks of check symbols С ₁ and С ₂ (see Fig. 13). Then share the generated message.

on T _and blocks of length K _a characters (see Fig. 15), where

(см. фиг. 18).Each block of length K _a characters is encoded with a linear block systematic binary error-correcting (N _a , K _a ) code, where K _a is the length of the block of information symbols of the code and N _a is the length of the code block (see Fig. 16). The generated code blocks (see Fig. 17) form the code word for the message

(see Fig. 18).

на ПерСНС заключается в следующем. Предварительно сообщение

разделяют на Т _а блоков длиной K _a двоичных символов, где Т _а =(N-K)(T₁+Т₂)/K _a , как показано на фиг. 15. Известные способы разбиения последовательности на блоки фиксированной длины описаны, например, в книге В. Васильев, В. Свириденко, «Системы связи», М., Высшая школа, 1987, стр. 208. Последовательно, начиная с 1-го до T_a-го, каждый j-й блок сообщения

, где j=1, 2, 3, …, Т _а , кодируют линейным блоковым систематическим двоичным помехоустойчивым (N _a , K _a ) кодом (см. фиг. 16). Порождающая матрица кода имеет размерность K _a ×N _a , причем N _a >K _a . Размеры K _a и N _a порождающей матрицы линейного блочного систематического двоичного помехоустойчивого (N _a , K _a ) кода выбирают K _a =2^m-1-m и N _a =2^m-1, где m≥3, как описано, например, в книге Р. Блейхут, «Теория и практика кодов контролирующих ошибки», М., Мир, 1986, стр. 71. Для кодирования сообщения

, каждый j-й блок длиной K _a двоичных символов перемножают на порождающую матрицу кода и получают j-й кодовый блок длиной N _a двоичных символов, как показано на фиг. 17. Известные способы помехоустойчивого кодирования блоков символов описаны, например, в книге Р. Блейхут, «Теория и практика кодов контролирующих ошибки», М., Мир, 1986, стр. 63. Запоминают j-й кодовый блок в качестве j-го блока кодового слова для сообщения

. Временная диаграмма формирования кодового слова для сообщения

показана на фиг. 18. Известные способы хранения последовательности бит описаны, например, в книге Л. Мальцев, Э. Фломберг, В. Ямпольский, «Основы цифровой техники», М., Радио и связь, 1986, стр. 38. Затем преобразуют сформированное кодовое слово для сообщения

путем замены в нем символов «0» на «01», а символов «1» на «10» (см. фиг. 20). Каждому символу преобразованного кодового слова присваивают порядковый номер s, где s=1,2…, 2N _a T _a . Аналогичным образом каждому символу блока Х₃ присваивают порядковый номер s, где s=1,2…, 2N _a T _a . Запоминают s-ый символ блока X₃, если в преобразованном кодовом слове на s-ом месте стоит символ «1». Аутентификатор w образуют как последовательность сохраненных символов блока Х₃ (см. фиг. 22). Далее сообщение

и его аутентификатор w передают по открытому каналу связи без ошибок на ПрСНС (см. фиг. 23).Message coding

on persns is as follows. Pre message

divided into T _a blocks of length K _{a of} binary symbols, where T _a = (NK) (T ₁ + T ₂ ) / K _a , as shown in FIG. 15. Known methods of breaking a sequence into blocks of fixed length are described, for example, in the book V. Vasiliev, V. Sviridenko, “Communication Systems”, Moscow, Higher School, 1987, p. 208. Sequentially, starting from the 1st to T _a- th, every j-th message block

, where j = 1, 2, 3, ..., T _a , is encoded with a linear block systematic binary error-correcting (N _a , K _a ) code (see Fig. 16). The generating matrix of the code has the dimension K _a × N _a , and N _a > K _a . The dimensions K _a and N _{a of the} generating matrix of a linear block systematic binary error-correcting (N _a , K _a ) code choose K _a = 2 ^m -1-m and N _a = 2 ^m -1, where m≥3, as described, for example, in the book by R. Bleichut, “Theory and Practice of Codes for Controlling Errors”, M., Mir, 1986, p. 71. For encoding a message

, each j-th block of length K _a binary symbols is multiplied by the generator matrix of the code and the j-th code block of length N _a binary symbols is obtained, as shown in FIG. 17. Known methods of noise-resistant coding of blocks of characters are described, for example, in the book by R. Bleichut, “Theory and Practice of Error Control Codes”, M., Mir, 1986, p. 63. Remember j-th code block as j-th block code word for message

. Timing diagram of the formation of a code word for the message

shown in FIG. 18. Known methods of storing bit sequences are described, for example, in the book by L. Maltsev, E. Flomberg, V. Yampolsky, “Fundamentals of Digital Technology”, M., Radio and Telecommunications, 1986, p. 38. Then, the generated code word is converted for messages

by replacing the characters "0" with "01" and the characters "1" with "10" (see Fig. 20). Each symbol of the converted code word is assigned a sequence number s, where s = 1.2 ..., 2N _a T _a . Similarly, each symbol of the block X _{3 is} assigned a sequence number s, where s = 1,2 ..., 2N _a T _a . Memorize the st symbol of the block X ₃ , if in the transformed code word the symbol “1” is in the s-th place. The authenticator w is formed as a sequence of stored symbols of the block X ₃ (see FIG. 22). Next message

and its authenticator w is transmitted over an open communication channel without errors on the PNSN (see FIG. 23).

где υ_i∈(0,1), а блок Х₃ в виде вектора

где x_i∈(0,1). Тогда аутентификатор

в котором для всех j<n _a , w_ij=x_j, если υ_ij=1, в противном случае w_ij не формируется.For example, the converted code word for the message is represented as a vector

where υ _i ∈ (0,1), and the block X ₃ in the form of a vector

where x _i ∈ (0,1). Then authenticator

in which for all j <n _a , w _ij = x _j , if υ _ij = 1, otherwise w _{ij is} not formed.

и его аутентификатор w (см. фиг. 24), формируют аутентификатор w'. Для чего формируют кодовое слово для принятого сообщения

, используя линейный блоковый систематический двоичный помехоустойчивый (N _a , K _a ) код. Преобразуют сформированное кодовое слово для сообщения

путем замены в нем символов «0» на «01», а символов «1» на «10».On PRSNS, having received the message

and its authenticator w (see FIG. 24), form authenticator w '. Why form a code word for a received message?

using a linear block systematic binary error-correcting (N _a , K _a ) code. Transform the generated codeword for the message

by replacing the characters "0" with "01", and the characters "1" with "10".

Each symbol of the converted code word is assigned a sequence number s, where s = 1.2 ..., 2N _a T _a . Similarly, each block symbol Y _{3 is} assigned a sequence number s, where s = 1.2 ..., 2N _a T _a . Remember the s-th character of the block Y ₃ , if in the transformed code word in the s-th place is the symbol "1". The authenticator w 'is formed as a sequence of stored symbols of the block Y ₃ (see FIG. 27).

считается подлинным, если больше, сообщение

отвергается как ложное. При подлинности сообщения

на ПрдСНС и ПрмСНС формируют КлШД.To verify the authenticity of the received message, the VNS vector forms a vector V by summing modulo two (as described, for example, in the book of W. Peterson, E. Weldon, Error Correction Codes, Moscow: Mir, 1976. 34 p.) Received w and generated w 'authenticators (see FIG. 28). Calculate the weight w (V) of the formed vector V as, for example, described in the book by McWilliams, F., Sloan N., “Theory of Error Correction Codes”, M., Svyaz, 1979, 19 p. Then, the obtained value of the weight w (V) is compared with the predetermined threshold value w (V) of the _pores . If the weights w (V) are equal to or less than the threshold value w (V) _then , then the message

considered authentic if more message

rejected as false. When the authenticity of the message

on PrdsNS and PrmsNS form CLSHD.

The described authentication procedure was first proposed in Maurer U., “Authenticated public discussion of information-theoretically secure agreement-key agreement”, Advances in Cryptology - EUROCRYPT 97, Berlin, Germany: Springer-Verlag, 1997, vol. 1233, pp. 209-225, and received the name of authenticating error-correcting codes (AP-code).

The main characteristics of the AP code are:

R _lo - the probability of a false rejection of a transmitted message, when the intruder did not interfere in the transfer process.

P _n - the probability of successful imposition of a false message.

и ложному

сообщениям.Resistance to the imposition of spurious messages depends on the so-called asymmetric code distance d ₀₁ , which is determined by the number of transitions from 0 to 1 between code words corresponding to the true

and false

reportedly

If (n _a , k _a ) - the code has a constant weight τ and an asymmetric code distance d ₀₁ , then the characteristics of the AP code are determined by the relations (see Korjik V., Bakin M. “Information theoretically optimized keyless authentication”, IEEE on Information Theory Symposium 2000, Sorrento, Italy, July.):

In the above described method of constructing an AP code (coding a message with a linear block systematic binary error-correcting (N _a , K _a ) code and replacing the characters “0” with “01” and the characters “1” with “10”), the asymmetric code distance d ₀₁ coincides with the minimum distance of the code d. Which can be found, for example, with the help of the Varshamov-Gilbert border as described in the book by F. Williams F., Sloan N. “The Theory of Error Correction Codes”, M .: Communication, 1979, 539 p.

where g (p) = - p * log (p) - (1-p) * log (1-p) is the entropy function.

.The weight τ of all converted code words is constant and equal to the length of the code word for the message

.

где

- параметры аналогичные параметрам сигнала y_j(t), выполняет оценку параметра с и формирует символ z_j∈0,1. Поскольку параметры υ_ij и

μ_i и

ϑ_ij и

в силу различия местоположения корреспондентов В и Е и многолучевости распространения сигнала будут отличаются, то и формируемые биты x_i и z_i также будут отличаться. Степень этого отличия определяется коррелированностью коэффициентов передачи υ_ij и

и коррелированностью фазовых сдвигов ϑ^ij и

сигналов по разным направлениям излучения антенны. Очевидно, что величина рассогласования бит, формируемых нарушителем и законным корреспондентом, обуславливает степень безопасности формирования ключа.The intruder also receives a signal

Where

- Parameters similar to those of the signal y _j (t), evaluates the parameter с and forms the symbol z _j ∈ 0,1. Since the parameters υ _ij and

μ _i and

ϑ _ij and

due to differences in the location of correspondents B and E and the multipath propagation of the signal will be different, then the generated bits x _i and z _i will also differ. The degree of this difference is determined by the correlation of the transfer coefficients υ _ij and

and correlated phase shifts ϑ ^ij and

signals in different directions of radiation of the antenna. Obviously, the amount of mismatch bits generated by the violator and the legal correspondent, determines the degree of security key formation.

We give a full description of the key generation system, we give estimates of the security and reliability of key distribution.

We introduce the following indicators of the quality of the generated key:

1. The probability of mismatch of keys K _A and K _B among correspondents Р (K _A ≠ K _B ) = р _е .

2. The amount of information on Shannon about the key I (K _A ; U), which the intruder receives as a result of analyzing all the information U has at his disposal, including the sequence Z _k and messages transmitted over the service channel.

3. The randomness generated by the key, estimated by its entropy - N (K ^l ).

4. Key length (l) - the number of binary characters in the key K _A (K _B ).

5. Key generation rate (R _k ) - the ratio of the key length l to the length of the sequence X _N , Y _N required to form it

It is reasonable to present such requirements to the key being formed.

δ - допустимые значения параметров, l_треб - требуемая длина ключа.Where

δ - allowable parameter values, l _treb - required key length.

The efficiency of key formation will be evaluated by the rate of its formation (8) while all other requirements (9-12) are met.

By the reliability of chains of bits formed by correspondents A and B, we mean their coincidence. The probability of coincidence will be estimated by the probability P (X _j = Y _j ), j = 1,2, ..., N. This value directly determines the probability of coincidence of keys among correspondents. Let us consider in more detail the scheme for estimating the signal parameter by the correspondent B (see Fig. 2). As a parameter, we will consider the phase difference of adjacent signals.

The signal y (t) arriving at the input of the receiver of the correspondent B at the j-th clock interval can be represented through its quadrature and in-phase components

where the signal envelope μ _j and phase ϑ _j are from the relations:

where A _ij and ϑ _{i, j} are the amplitude and phase of the signal in the i-th beam.

The calculation of ϑ _{j is} carried out in a phase detector (PD). To calculate the value of the phases of the received oscillation, the reference generator signal is used, the phase of which is in phase with the generator in transmission. (Ensuring the synchronization of the reference frequencies is usually carried out by transmitting pilot signals).

(Такой способ введения шума, конечно не совсем точно описывает реальную ситуацию, однако он позволяет существенно облегчить дальнейшие исследования).The magnitude of the phase difference ϑ _δ = ϑ _j –ϑ _j-1 , where j is the number of the premise, is a numerical parameter — a report that is sent to the resolver. To take into account the noise acting in the transmission channel, we will assume that the input of the decision circuit is the signal y = ϑ _δ + ξ, where ξ the noise signal is a Gaussian process with zero expectation and dispersion

(This method of introducing noise, of course, does not quite accurately describe the real situation, however, it makes it possible to substantially facilitate further research).

In the decision device, the signal y is compared with the threshold Δ and the decision is made to receive the symbol b according to the rule

where Δ is the decision threshold.

When erasing a character, the correspondent B sends a message through the service channel to the correspondent A that this number in the sequence is erased.

User A receives the signal y '(t) of the form (13) and decides on the value of the symbol b' on the basis of the value of the phase difference of neighboring parcels, similarly to the correspondent B.

Find an estimate of the probability of coincidence of the generated binary symbols of the chains of bits by correspondents A and B.

Let p _e = p (b '≠ b) be the probability of binary symbols mismatch in the generated bit chains; p _st - the probability of erasing bits by one user; p _pr = 1-p _st - the probability of receiving a bit by the user.

For the probability of erasing, the ratio

Since y-ξ = ϑ _δ , then, making the substitution of a variable in the integral, we write

With the same thresholds and noise variances ξ, ξ ', the probability of erasures for each correspondent will be equal, then the total probability of erasure (at least by one correspondent) is estimated by the ratio

p _{st common} ≤ 2 p _st ,

Ошибка (несовпадение символов b и b') имеет место, либо когда b=1, b'=0 либо, когда b=0, b'=1.To estimate p _e, we will assume that, by virtue of the reciprocating-path reciprocity theorem, the condition

An error (mismatch of the symbols b and b ') occurs, either when b = 1, b' = 0, or when b = 0, b '= 1.

Consider the first case.

b = 1, if y> Δ, that is, ϑ _δ + ξ> Δ,

b '= 0, if у'<- Δ, that is, ϑ _δ + ξ '<- Δ.

These relationships can be rewritten as follows.

b = 1 if ϑ _δ > Δ-ξ ', b' = 0 if _δ <-Δ-ξ '.

Then the probability of error will be determined by the ratio

The factor 2 in (16) is due to the second error occurrence. With a known distribution density, CB ϑ _δ -w (ϑ) (and taking into account the fact that CB ξ and ξ 'have a Gaussian distribution), it is possible from (15) and (16) to find the probabilities p _e and p _st . Moreover, as can be seen from these relations, it is possible to exchange P _e into p _st and vice versa.

Calculations using formulas (15) and (16) require knowledge of the distribution density of the CB ϑ _δ , which is not always known, so we will find estimates for p _e and p _st on the basis of modeling.

Let N be the total number of signals transmitted from A to B and back and let

- общее количество символов стертых либо корреспондентом А, либо корреспондентом В, либо обоими вместе;

- the total number of characters erased either by correspondent A, or correspondent B, or both together;

- количество несовпадающих символов у корреспондентов А и В среди принятых символов.

- the number of mismatched symbols for correspondents A and B among the accepted symbols.

Then the estimates of the probabilities of erasing and mismatching characters are

For a quantitative assessment of p _st and p _{e, we} use a three-beam model of the signal transmission channel s (t) using PAR, formed by a direct beam between correspondents located at a distance of 25 m and two beams from reflecting surfaces located at a distance of 3 m from the line of propagation of a direct beam .

Obtaining statistical material for this model is performed according to the following algorithm:

i=1,…,N соседних сигналов. Находим дисперсию

СВ ϑ_δ;1. We simulate the transmission of 2N s (t) signals over a three-beam channel and find the N values of the phase difference

i = 1, ..., N adjacent signals. Find the variance

SW ϑ _δ ;

с дисперсиями

и нулевым математическим ожиданием (Эти отчеты соответствуют шумовым сигналам на входе решающих устройств пользователей А и В соответственно). Значения

устанавливаем таким образом, чтобы выполнялось требуемое отношение Сигнал/Шум

2. We generate reports corresponding to two independent normal noise processes ξ _i and

with dispersions

and zero expectation (These reports correspond to the noise signals at the input of the resolvers of users A and B, respectively). Meanings

set in such a way that the required Signal / Noise ratio is fulfilled

и

3. Find the sequences of SV of the form:

and

α - коэффициент пропорциональности;4. Set the threshold value of the resolver Δ proportional to the signal power at the input of the resolver

α is the proportionality coefficient;

5. Comparing y and y 'with the threshold Δ, we obtain, according to (14), the sequences CB b and b';

6. In the obtained sequences and count the number of erased correctly received symbols and in accordance with (17) we obtain estimates p p _v and _e.

Figures 29 and 30 show the dependences of the p _e and p _st on the signal-to-noise ratio at the input of the resolver at various values of the decision threshold A.

It can be seen that, as was to be expected, with the increase in the S / N ratio, the probability of error decreases, and the larger the threshold value Δ, the smaller the probability of error The probability of erasing decreases with increasing S / N ratio and increases with increasing threshold value.

The dependences obtained show that for a given S / N ratio, choosing a certain threshold value Δ can reduce the error value in the generated sequences of bit chains.

However, this increases the probability of erasure, which leads to a decrease in the length of the chain of bits and, consequently, to a decrease in the speed of key formation. If necessary, the magnitude of the error can be reduced to a sufficiently small level by applying error-correcting coding. The choice of the error-correcting code, as well as the values of the resolver threshold, is an independent task of optimizing the parameters of the key distribution system.

The most important parameter characterizing the procedure of enhancing secrecy is the amount of information about the key that an intruder can receive. To estimate the amount of this information we will use the following theorem.

Theorem. Let X ^{k be a} sequence of k bits in length, distributed between A and B, let Z ^k be the same sequence obtained by violator E by DSC with error probability p _w . Let t be the Renyi information contained in Z ^k about X ^k . Let H be the U ₂ -class of hash functions known to users, displaying {0,1} ^k → {0,1} ^l , h is a hash function chosen by the correspondent A from H randomly and transmitted to B via the discussion channel. Using h, correspondents A and B calculate the keys K _A = h (X ^k ),

Then the amount of information about the key that E receives has a top estimate.

For DSC with the error probability p _w , the Renyi information is found from the relation:

If the violator E, in addition to the information contained in Z ^k , receives additional information about the sequence X ^k , for example, in the form of a block C ^{r of} check symbols of a code of length r transmitted from A to B over the service channel, then:

which is performed with probability:

Thus, to estimate the amount of information about a key of length l bits received by a legal correspondent from a chain of bits of length k using the secrecy enhancement procedure, it is necessary to find an estimate of the Renyi information, for which it is necessary to have an estimate of the probability p _w sequence difference X ^k = X ₁ , X ₂ , ..., X ^k and Z ^k = Z ₁ , Z ₂ , ..., Z _k .

We will assume that the violator decides on the transferred symbol according to the rule:

Then the probability of an error p _w is the probability of an event in which the characters in the chains y _i and z _i will differ. In this case, we assume that the symbols y _i satisfy the conditions of their reception, i.e. do not contain erase characters.

For the first addend, you can write

- плотность распределения СВ

(шумового сигнала в РУ нарушителя);

- двумерная плотность распределения параметров ϑ и

сигналов, принимаемых законным пользователем В и нарушителем Е.where w (ξ) is the distribution density of the waveform ξ ξ (noise signal in the switchgear of a legal user);

- distribution density CB

(noise signal in the intruder’s control room);

- two-dimensional distribution density of the parameters ϑ and

signals received by legitimate user B and intruder E.

можно полагать независимыми, гауссовскими процессами с нулевым математическим ожиданием и дисперсиями

тогда (23) можно записать в виде.Noises ξ and

can be considered independent, Gaussian processes with zero expectation and variances

then (23) can be written as.

Если оцениваемым параметром, на основе которого принимается решение о принятом бите, является разность фаз, т.е. ϑ=ϑ_i-ϑ_i+1, то плотность w(ϑ) имеет треугольное распределение. Это распределение весьма близко к нормальному.To estimate the probability of an error in (24), it is necessary to know the distribution

If the estimated parameter, on the basis of which the decision on the accepted bit is made, is the phase difference, i.e. ϑ = ϑ _i - ϑ _{i + 1} , then the density w () has a triangular distribution. This distribution is very close to normal.

- плотность двумерного гауссовского распределения:Therefore, we make the first assumption that

- density of a two-dimensional Gaussian distribution:

where r is the correlation coefficient of CB ϑ,

(у легального пользователя и нарушителя) друг от друга определяется только случайным возбуждением ФАР и многолучевым распространением радиоволн. При таком допущении мы решаем задачу распределения ключей в заведомо лучших условиях для легального пользователя.The second assumption will be made regarding the noise in the receiver of the legal user and the offender. First, suppose that the selection of the signal parameter takes place in the absence of noise and the difference between the parameters ϑ and

(at the legal user and the offender) from each other is determined only by the random excitation of the HEADLIGHTS and multipath propagation of radio waves. With this assumption, we solve the problem of key distribution in obviously better conditions for a legal user.

In this case, the ratio for the probability p _w (1) can be written in the following form

Consider the 2nd integral.

Using the formula to the integral from the book of IS Gradshtein. and Ryzhik I.M. "Tables of integrals, sums, series and products", we write

получаемSubstituting (26) into (25) and replacing the variable

we get

Finally, applying the formula to the integral from the book of IS Gradshtein. and Ryzhik I.M. "Tables of integrals, sums, series and products", we get

равна:The total probability of error according to (22) due to the symmetry of the relation

equals:

From this relationship it follows that the probability of error does not depend on the signal dispersions, but is determined only by the correlation coefficient.

представляющих собой значения оцениваемого параметра, у легального пользователя и нарушителя согласно (27).FIG. 31 shows the dependence of the probability of error p _w on the correlation coefficient CB ϑ and

representing the values of the parameter being evaluated, for a legal user and an offender according to (27).

The same graph (Fig. 31) shows the dependence of the probability of error on r, obtained on the basis of a simulation of signal samples representing the phase differences of neighboring parcels that have a triangular probability density distribution. We see that the dependencies obtained have a fairly good match. Moreover, with the same correlation coefficient, the probability of error for the triangular distribution is even greater. That is, the Gaussian approximation from the point of view of ensuring the security of the generated key seems to be the least favorable.

Thus, we showed that the key distribution problem over radio channels can be solved not by the fact that the channel of an illegal user is worse than the channel of a legal user (p <p _w ), as was assumed in the prototype, but due to the fact that intercepted by an illegal correspondent the signals are partially uncorrelated with the signals of the legal correspondent and, moreover, the level of correlation can be quite large (r≤0.9).

Claims (3)

1. The method of generating the encryption / decryption key, which consists in forming a random sequence on the transmitting side of the communication direction, transmitting it via the communication channel with errors to the receiving side of the communication direction, forming a block of verification symbols for the random sequence formed, transmitting it via the communication channel without errors on the receiving side of the direction of communication, where they form a decoded sequence, and from random sequences form an encryption / decryption key, different The fact that a random sequence on the transmitting side forms communication directions due to the emission of a harmonic signal by means of a phased antenna array, the radiation pattern of which is randomly generated, and a communication channel with errors on the receiving side generates communication directions by taking into account the multipath of radio waves. 2. The method according to p. 1, characterized in that a random sequence of length N on the transmitting side of the direction of communication form on the clock intervals of length T, and in the first half of the clock interval on the transmitting side of the direction of communication form the test signal s (t) in the form of a harmonic Oscillations, which from the transmitter output enters the phased antenna array with a random radiation pattern (Fig. 1), and at the receiving side of the communication direction, using an omnidirectional antenna, receive the signal y (t), estimate some the parameter b, it is compared with preset values (Δ, -Δ) by the rule (3) and decide on the allocation of 1 or 0. 3. The method according to claim 1, characterized in that after receiving the signal at the second half of the clock interval on the receiving side, the communication directions are immediately sent to the transmitting side exactly the same signal s (t); by virtue of the principle of reciprocity (since the antenna's DN has not changed yet), the transmitting side receives the signal x (t) ≈y (t), finds the estimate of the parameter b by the same rule (3) as on the receiving side, and forms the binary symbol x _j ∈ 0.1; after the formation of the first symbol on each subsequent interval, the antenna is rearranged randomly and the same signal is transmitted; as a result, random sequences X = x ₁ , x ₂ , ..., x _N and Y = y ₁ , y ₂ , ..., y _N, respectively, form on the receiving and transmitting sides.

Images