What is a cryptographic protocol
A protocol is a sequence of steps that two or more parties carry out in order to solve some problem jointly. Note that the steps are performed in strict order: no step can be started before the previous one has finished.
Moreover, every protocol involves at least two parties. One person can mix and drink a cocktail alone, but that has nothing to do with a protocol; for the mixing and tasting to become a real protocol, the cocktail has to be offered to someone else. Finally, a protocol is always intended to achieve some goal; otherwise it is not a protocol but an idle pastime.
Protocols have other distinctive features as well:
• every participant must know in advance the steps he is expected to perform;
• all participants must follow the rules of the protocol voluntarily, without coercion;
• the protocol must admit only one interpretation: its steps must be defined precisely and leave no room for misunderstanding;
• the protocol must specify how the participants react to every situation that can arise while it runs. In other words, a situation for which the protocol defines no corresponding action is unacceptable.
A cryptographic protocol is a protocol built on a cryptographic algorithm. The goal of a cryptographic protocol, however, is often more than keeping information secret from outsiders. The participants may be close friends with no secrets from each other, or sworn enemies, each refusing to tell the other even what day it is. Nevertheless they may need to sign a joint contract or prove their identity to each other. Here cryptography serves to prevent or detect eavesdropping by third parties and to rule out cheating. A cryptographic protocol is therefore needed wherever its participants must not be able to do or learn more than the protocol allows.
Why cryptographic protocols are needed
In everyday life we encounter protocols constantly: playing games, shopping, voting in elections. Many of them we were taught by parents, school teachers and friends; the rest we worked out for ourselves.
Nowadays people communicate with each other more and more by means of computers. Computers, unlike most people, never went to school, had no parents, and cannot learn without human help. They must therefore be supplied with formalized protocols so that they can do what people do without thinking. If a shop has no cash register, for instance, you will still manage to buy what you need; for a computer, such a radical change of protocol can be a complete dead end.
Most of the protocols people use when dealing with each other in person work well only because the participants can interact directly. Interaction over a computer network, on the other hand, implies anonymity. Would you play a hand of preferans with a stranger without seeing how he shuffles and deals the cards? Would you hand your money to a complete stranger so that he could buy something for you in a shop? Would you send your ballot through the post, knowing that a postal worker could read it and then tell everyone about your unconventional political views? I think not.
It would be foolish to assume that computer users behave more honestly than random strangers. The same goes for network administrators and the designers of computer networks. Most of them really are honest enough, but the rest can cause you a great deal of trouble. That is why cryptographic protocols are needed: they let you protect yourself from dishonest people.
Cast
To make the descriptions of the protocols clearer, their participants are given names that unambiguously identify the roles assigned to them (see the table). Anton and Boris take part in all two-party protocols. As a rule Anton initiates the steps prescribed by the protocol and Boris responds. If the protocol has three or four parties, the corresponding roles are taken by Vladimir and George.
The other characters are described in more detail later.
Arbitrated protocols
An arbitrator is a disinterested participant of the protocol whom all the other participants trust completely to carry out the actions needed to complete each step. This means the arbitrator has no personal stake in the goals pursued by the participants and cannot take the side of any of them. The participants also accept everything the arbitrator says and follow all of its instructions implicitly.
In the protocols we follow in everyday life, the role of arbitrator is most often played by a lawyer. Attempts to carry protocols with a lawyer as arbitrator over from everyday life into computer networks, however, run into serious obstacles:
• It is easy to trust a lawyer who is known to have a spotless reputation and whom one can meet in person. But if two participants do not trust each other, an arbitrator with no physical body, existing somewhere in the depths of a computer network, will hardly enjoy much trust from them.
• The fees for a lawyer's services are known. Who will pay for the services of a network arbitrator, and how?
• Introducing an arbitrator into any protocol increases the time needed to run it.
• Because the arbitrator supervises every step of the protocol, its participation in very complex protocols can become a bottleneck. Adding more arbitrators removes the bottleneck, but also raises the cost of running the protocol.
• Since all participants of the protocol use the same arbitrator, an attacker who wants to harm them will direct his efforts first of all against that arbitrator. The arbitrator is therefore the weak link in any arbitrated protocol.
Despite these obstacles, arbitrated protocols are widely used in practice.
Adjudicated protocols
To reduce the overhead of arbitration, a protocol involving an arbitrator is often split into two parts. The first is identical to an ordinary protocol without arbitration; the second is invoked only if a dispute arises between the participants. To resolve such disputes a special kind of arbitrator, the adjudicator, is used.
Like an arbitrator, an adjudicator is a disinterested participant whom the others trust to make decisions. Unlike an arbitrator, however, the adjudicator does not take part in every step of the protocol. The adjudicator's services are called upon only when doubts arise about the correctness of some participant's actions. If nobody has such doubts, no adjudication is needed.
Computer protocols with adjudication produce data from which a trusted third party can later decide whether any participant cheated. A good adjudicated protocol also identifies exactly who behaved dishonestly. This is an excellent deterrent against cheating by the participants of such a protocol.
Self-enforcing protocols
A self-enforcing protocol requires neither an arbitrator to complete each step nor an adjudicator to resolve disputes. It is designed so that if one participant cheats, the others detect the dishonesty immediately and stop executing the remaining steps of the protocol.
Ideally there would be a universal self-enforcing protocol for every occasion. In practice, however, a special self-enforcing protocol has to be designed for each specific case.
Types of attacks on protocols
Attacks on protocols may be directed against the cryptographic algorithms used in them, against the cryptographic techniques used to implement those algorithms, or against the protocols themselves. For now we assume that the algorithms and techniques in use are strong enough and consider attacks on the protocols proper.
Someone who is not a participant of the protocol can try to eavesdrop on the information the participants exchange. This is a passive attack, so called because the attacker (let us call him Peter) can only collect data and watch the course of events, but cannot influence it. A passive attack is analogous to a ciphertext-only cryptanalytic attack. Since the participants have no reliable means of detecting that they have become the target of a passive attack, protocols are designed to prevent its possible harmful consequences rather than to detect it.
An attacker can also try to alter the protocol for his own benefit: impersonate a participant, modify the messages the participants exchange, or change the information stored in a computer and used by the participants to make decisions. This is an active attack, because the attacker (let us call him Zinovy) interferes with the participants' execution of the protocol's steps.
So Peter tries to collect as much information as possible about the participants and their actions. Zinovy's interests are quite different: degrading the performance of a computer network, gaining unauthorized access to its resources, corrupting databases. Neither Peter nor Zinovy is necessarily an outsider. They may be legitimate users, system and network administrators, software developers, or even participants of the protocol who behave dishonestly or ignore the protocol altogether.
In the latter case the attacker is called a cheater. A passive cheater follows all the rules of the protocol but at the same time tries to learn more about the other participants than the protocol allows. An active cheater deviates from the protocol by unfair means in order to gain the greatest possible advantage for himself.
Protecting a protocol against several active cheaters is a far from trivial problem. Nevertheless, under some conditions it can be solved by giving the participants the ability to detect signs of active cheating in time. And every protocol, whatever the conditions its participants find themselves in, must protect against passive cheating.
Zero-knowledge proofs
Anton: "I know the password to the Central Bank's computer network and the recipe for Baikal."
Boris: "No, you don't!"
Anton: "Yes, I do!"
Boris: "Prove it."
Anton: "All right, I'll tell you everything."
Anton whispers in Boris's ear for a long time.
Boris: "That's really interesting! I must tell the newspapers!"
Anton: "Oh no..."
Unfortunately, under ordinary circumstances the only way Anton can prove to Boris that he knows some secret is to tell him what it is. But then Boris automatically learns the secret and can pass it on to the first person he meets. Can Anton prevent Boris from doing so?
Of course he can. First of all, Anton should not entrust the secret to Boris. But how then can Anton convince Boris that he really is one of the initiated?
Anton should use a zero-knowledge proof protocol. With it, Anton can prove to Boris that he possesses certain secret information without having to disclose that information to Boris at all.
The proof is interactive. Boris asks Anton a series of questions. If Anton knows the secret, he answers all of them correctly. If he does not, he can answer each question correctly only by guessing (in the protocols below, with probability one half). After about ten questions Boris knows for certain whether Anton is deceiving him, while Boris's chances of extracting any useful information about the secret itself are practically zero.
The zero-knowledge proof protocol
The use of a zero-knowledge proof is best explained with a concrete example.
Suppose there is a cave whose entrance is at point A and which forks at point B into two branches, C and D (see the drawing). The cave has a secret: only someone who knows the magic words can open the door located between C and D.
Anton knows the magic words; Boris does not. Anton wants to prove to Boris that he knows them, but in such a way that Boris remains ignorant of the words themselves. Anton can then use the following protocol:
1. Boris stands at point A.
2. Anton walks up to the door from side C or from side D, at his own choice.
3. Boris moves to point B.
4. Boris orders Anton to come out either (a) through the left passage from the door, or (b) through the right passage.
5. Anton obeys Boris's order, using the magic words to pass through the door if necessary.
6. Steps 1–5 are repeated n times, where n is a parameter of the protocol.
Suppose Boris has a video camera with which he records all of Anton's disappearances into the cave and all his subsequent reappearances from one side or the other. If Boris shows a recording of all n experiments he performed together with Anton, can it serve as proof of Anton's knowledge of the magic words for a third person, say Vladimir?
Hardly. Vladimir can never be completely sure that Anton did not tell Boris in advance which side he would approach the door from, so that Boris could then order him to come out on the same side he went in. Nor can he be sure that every failed experiment, in which Anton came out on the wrong side, was not simply cut out of the recording.
This means Boris cannot convince Vladimir, who was not personally present during the experiments in the cave, that Anton really did demonstrate knowledge of the secret there. The proof protocol Anton uses is therefore zero-knowledge. If Anton does not know the magic words that open the door, Boris learns nothing by watching him. And if Anton does know them, even a detailed video recording of the experiments does not help Boris: first, because on replay he sees only what he has already seen live, and second, because a recording forged by Boris is practically indistinguishable from the genuine one.
The zero-knowledge proof works because, without knowing the magic words, Anton can only come out on the side he went in. So Anton can deceive Boris in only 50% of cases, by happening to go in on the side Boris later asks for. If the number of experiments is n, Anton passes all of them only in one case out of 2^n. In practice n = 16 suffices: if Anton correctly carries out Boris's orders in all 16 cases, the chance that he merely got lucky is 1 in 65536, so he almost certainly knows the magic words.
The cave example is very illustrative, but it has a serious flaw. It would be much simpler for Boris to stand at point B, watch Anton turn into one branch, and then see him come out of the other. No zero-knowledge proof is needed here at all.
So let us assume that Anton's magic words are not something like "Open sesame". Rather, Anton holds more interesting information: he has been the first to solve some hard problem. To prove this fact to Boris, Anton need not show his solution publicly. It is enough for him to use the following zero-knowledge proof protocol:
1. Using the information he has and a freshly generated random number, Anton transforms the hard problem into another hard problem isomorphic to the original one. Anton then solves this new problem.
2. Anton uses a bit-commitment protocol to commit to the solution found in step 1, so that later, should Boris need to see this solution, Boris can be sure that it really was obtained by Anton in step 1.
3. Anton shows the new hard problem to Boris.
4. Boris asks Anton either
(a) to prove that the two hard problems (old and new) are isomorphic, or
(b) to reveal the solution he should have found in step 1 and prove that it really is a solution of the problem into which Anton transformed the original problem in that step.
5. Anton complies with Boris's request.
6. Anton and Boris repeat steps 1–5 n times, where n is a parameter of the protocol.
The hard problems, the method of transforming one problem into another, and the random numbers should be chosen, as far as possible, so that Boris obtains no information about the solution of the original problem even after many repetitions of the protocol's steps.
Not every hard problem can be used in a zero-knowledge proof, but most of them are suitable. Examples are finding a Hamiltonian cycle in a connected graph (a closed path that visits every vertex of the graph exactly once) and deciding graph isomorphism (two graphs are isomorphic if they differ only in the labelling of their vertices).
Parallel zero-knowledge proofs
The ordinary zero-knowledge proof protocol requires Anton and Boris to repeat its steps n times in sequence. One can try to carry out all the actions prescribed by the protocol simultaneously:
1. Using the information he has and n generated random numbers, Anton transforms the hard problem into n other hard problems, each isomorphic to the original. Anton then solves these n new problems.
2. Anton uses a bit-commitment protocol to commit to the n solutions found in step 1, so that later, should Boris need to see them, Boris can be sure that they really were obtained by Anton in step 1.
3. Anton shows the n new hard problems to Boris.
4. For each of the n new hard problems Boris asks Anton either
(a) to prove that it is isomorphic to the original hard problem, or
(b) to reveal the solution of this problem that Anton should have found in step 1 and prove that it really is a solution.
5. Anton carries out all of Boris's requests.
At first sight the parallel protocol has the same zero-knowledge property as the sequential one. A rigorous proof of this, however, has not yet been found. For now, all that can be said with certainty is that some interactive zero-knowledge proof protocols can, in some situations, be executed in parallel without losing the zero-knowledge property.
Non-interactive zero-knowledge proofs
An outsider who does not take part in the steps of an interactive zero-knowledge proof cannot be convinced of what Boris becomes convinced of during the protocol, namely that Anton really possesses the secret. To overcome this drawback, a non-interactive protocol is used in which a one-way function takes Boris's place:
1. Using the information he has and n generated random numbers, Anton transforms the hard problem into n other hard problems, each isomorphic to the original. Anton then solves these n new problems.
2. Anton uses a bit-commitment protocol to commit to the n solutions found in step 1.
3. Anton feeds the n commitments obtained in step 2 into a one-way function.
4. For each i-th hard problem into which Anton transformed the original in step 1, he takes the i-th bit of the value computed by the one-way function, and
(a) if this bit is 1, Anton proves that the original and the i-th problem are isomorphic, or
(b) if this bit is 0, Anton publishes in a public database the solution of the i-th problem computed in step 1.
5. Anton publishes all the commitments obtained in step 2 in the public database.
6. Boris, Vladimir or any other interested person can check that Anton performed steps 1–5 correctly.
Surprising but true: Anton publishes data that allow anyone to be convinced that he possesses some secret, yet which contain no information about the secret itself.
Boris's role in this protocol is played by the one-way function. If Anton does not know the solution of the hard problem, he can still perform the action required by either item (a) or item (b) of step 4, but not both at once. To cheat, Anton would have to predict the value of the one-way function. But if the function really is one-way, Anton can neither guess what its output will be nor influence it so as to obtain the bit sequence he needs.
Unlike the interactive protocol, this one requires more iterations. Since Anton generates the random numbers himself, he can try to select them so that the one-way function outputs a bit sequence of the form he needs. After all, even without knowing the solution of the original hard problem, Anton can always satisfy either item (a) or item (b) of step 4.
Anton can therefore guess in advance which of the two items will fall to each problem, perform steps 1–3 accordingly, and if the function's output does not match his guess, simply start over. For this reason non-interactive protocols need a larger safety margin than interactive ones: n = 64 or even n = 128 is recommended.
It has been proved that, in general, any mathematical proof (more precisely, any statement whose proof can be checked efficiently, that is, any statement in NP) can be transformed into a zero-knowledge proof. This means a mathematician is no longer obliged to publish the results of his research: he can prove to his colleagues that he has solved some mathematical problem without revealing the solution itself.
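The cave protocol, the hard-problem protocol above and its parallel and non-interactive variants all have the same shape, so here is one worked example for all of them, added for this page and not taken from the original text, using graph isomorphism as the hard problem. Anton's secret is the relabelling PI that carries the constructed graph G0 onto G1. In each round he relabels G1 with a fresh random permutation sigma to obtain a new, isomorphic instance H and commits to it with SHA-256. Challenge bit 1 corresponds to item (a), proving the old and new instances isomorphic (Anton reveals sigma); bit 0 corresponds to item (b), giving a solution of the new instance (Anton reveals sigma composed with PI, which maps G0 onto H). The non-interactive form takes the challenge bits from SHA-256 over all the commitments. The graphs, permutation, seeds and function names are this example's own choices.

```python
"""Zero-knowledge proof of graph isomorphism: sequential, parallel and non-interactive forms."""
import hashlib
import random

# A graph is a frozenset of undirected edges (i, j), i < j. Constructed sample instance:
# Anton's secret is the relabelling PI with G1 == apply_perm(G0, PI).
G0 = frozenset({(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (0, 5), (0, 3)})
PI = (3, 1, 4, 0, 5, 2)

def apply_perm(graph, perm):
    """Relabel every vertex v of the graph as perm[v]."""
    return frozenset(tuple(sorted((perm[i], perm[j]))) for i, j in graph)

def compose(outer, inner):
    """Permutation v -> outer[inner[v]]: apply inner first, then outer."""
    return tuple(outer[inner[v]] for v in range(len(inner)))

G1 = apply_perm(G0, PI)

def commit(graph, nonce):
    """Hash commitment to a graph (the text's bit-commitment step)."""
    return hashlib.sha256(nonce + repr(sorted(graph)).encode()).digest()

def verify_round(g0, g1, commitment, bit, h, nonce, perm):
    """Boris's check: the opened H matches the commitment, and the revealed permutation maps
    G1 onto H (bit 1, item (a): old and new instance are isomorphic) or G0 onto H
    (bit 0, item (b): a solution of the new instance)."""
    base = g1 if bit == 1 else g0
    return commit(h, nonce) == commitment and apply_perm(base, perm) == h

class Prover:
    """Anton: knows PI, so he can answer either challenge."""
    def __init__(self, g0, g1, pi):
        self.g0, self.g1, self.pi = g0, g1, pi
        self.size = 1 + max(v for edge in g0 for v in edge)

    def commit_round(self, rng):
        """Steps 1-3: relabel G1 by a fresh random sigma into a new instance H and commit to it."""
        sigma = list(range(self.size))
        rng.shuffle(sigma)
        sigma = tuple(sigma)
        h = apply_perm(self.g1, sigma)
        nonce = rng.getrandbits(128).to_bytes(16, "big")
        return commit(h, nonce), (sigma, h, nonce)

    def answer(self, state, bit):
        """Step 5: open H and reveal sigma (bit 1) or sigma o PI, which maps G0 onto H (bit 0)."""
        sigma, h, nonce = state
        return h, nonce, (sigma if bit == 1 else compose(sigma, self.pi))

class Cheater(Prover):
    """Does not know PI: every round is prepared for challenge bit 1 only."""
    def __init__(self, g0, g1):
        super().__init__(g0, g1, None)

    def answer(self, state, bit):
        sigma, h, nonce = state
        return h, nonce, sigma  # fails verification whenever bit == 0

def run_interactive(prover, g0, g1, rounds, rng):
    """Sequential protocol: Boris draws each challenge after seeing that round's commitment."""
    for _ in range(rounds):
        commitment, state = prover.commit_round(rng)
        bit = rng.randrange(2)
        if not verify_round(g0, g1, commitment, bit, *prover.answer(state, bit)):
            return False
    return True

def challenge_bits(commitments):
    """Non-interactive form: SHA-256 over all commitments is the one-way function replacing Boris."""
    digest = hashlib.sha256(b"".join(commitments)).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(len(commitments))]

def prove_noninteractive(prover, rounds, rng):
    """All commitments are produced first (the parallel form), then answered bit by bit."""
    states = [prover.commit_round(rng) for _ in range(rounds)]
    commitments = [c for c, _ in states]
    answers = [prover.answer(st, b) for (_, st), b in zip(states, challenge_bits(commitments))]
    return commitments, answers

def verify_noninteractive(g0, g1, proof):
    """Anyone, not only Boris, can recompute the challenge bits and check every round."""
    commitments, answers = proof
    bits = challenge_bits(commitments)
    return all(verify_round(g0, g1, c, b, *a) for c, b, a in zip(commitments, bits, answers))

def demo(seed=1):
    """Honest and cheating provers in both forms; returns (True, False, True, False)."""
    rng = random.Random(seed)
    honest, cheat = Prover(G0, G1, PI), Cheater(G0, G1)
    return (
        run_interactive(honest, G0, G1, 16, rng),
        run_interactive(cheat, G0, G1, 32, rng),  # survives only if all 32 challenge bits are 1
        verify_noninteractive(G0, G1, prove_noninteractive(honest, 64, rng)),
        verify_noninteractive(G0, G1, prove_noninteractive(cheat, 64, rng)),
    )
```

A cheater who does not know PI can prepare each round for one challenge only, so he survives 32 sequential rounds with probability 2^-32, and in the non-interactive form he would have to keep regenerating commitments until the digest happens to contain only the bits he prepared for, which is the reason the text recommends n = 64 or 128 there. A production implementation would also hash the statement (G0, G1) into the challenge so that a proof cannot be replayed for a different pair of graphs.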
Zero-knowledge identification
In everyday life people regularly have to prove their identity. Usually they do so by presenting passports, driving licences, student cards and other similar documents. Such a document normally carries some individual distinguishing feature that ties it unambiguously to a particular person: most often a photograph, sometimes a signature, more rarely fingerprints or a dental X-ray. Can the same be done by means of cryptography?
Certainly. In this case Anton's identity card is his private cryptographic key. Using a zero-knowledge proof, Anton can demonstrate to anyone that he knows the private key and thereby identify himself unambiguously. The idea of digital identification is very attractive and opens up a host of possibilities, but it has a number of serious drawbacks.
First, the attacker Zinovy can, on some pretext, ask Anton to present his digital identity card. At the same time, using modern communications, Zinovy initiates an identification of Anton somewhere else entirely, relays all the challenges from that place to Anton, and sends Anton's answers back. For example, Zinovy can contact a jeweller's shop and, passing himself off as Anton, pay for a rather expensive purchase out of Anton's pocket.
Second, Zinovy can freely obtain several private keys, and hence the corresponding number of digital identity cards. He uses one of them only once, for a financial fraud, and never again. The person to whom Zinovy presents this "disposable" identity card becomes a witness to the crime, but it will be impossible to prove that it was Zinovy: the cautious Zinovy has never proved his identity this way before and never will again. The witness can only show which identity card the criminal presented, and that card cannot be tied to Zinovy in person.
Third, Anton can ask Zinovy to lend him his digital identity card for a while. Say Anton needs to travel to the United States, but as a former Soviet intelligence officer who worked against the USA he is flatly refused an entry visa by the American government. Zinovy agrees gladly: after Anton's departure he can commit practically any crime, having acquired an ironclad alibi. On the other hand, nothing prevents Anton from committing a crime either. Who will believe Zinovy's story that he lent his digital identity card to someone else?
Additional security measures help to remove these drawbacks. In the first case fraud was possible because Zinovy, while checking Anton's digital identity card, could simultaneously communicate with the outside world by telephone or radio. If Zinovy were placed in a shielded room without any means of communication, no fraud would be possible.
To rule out the second kind of fraud, the number of keys a person is allowed to use to prove his identity must be restricted (as a rule, there should be exactly one such key).
Finally, to prevent the third kind of fraud, either all citizens must be made to prove their identity as often as possible (at every lamppost, as is done in totalitarian states), or digital identification must be supplemented with other identification methods (for example, fingerprint checks).
Oblivious transfer
Suppose Boris is trying, without success, to factor a 700-bit number. He knows that the number is the product of seven 100-bit factors. Anton, who happens to know one of the factors, comes to Boris's aid and offers to sell him that factor for 1000 roubles, 10 roubles per bit. But Boris has only 500 roubles. Anton then offers to give Boris 50 bits for half the price. Boris hesitates: even after buying these 50 bits he cannot be sure that they really belong to the required factor until he learns all of its bits.
To break the deadlock, Anton and Boris should use an oblivious transfer protocol. In it Anton sends Boris several encrypted messages. Boris chooses one of them and sends all the messages back. Anton decrypts the message Boris chose and sends it to Boris again, while remaining ignorant of which message Boris chose.
The oblivious transfer protocol does not solve all the problems facing Anton and Boris in their deal over one of the factors of the 700-bit number. For the transaction to be fair, Anton must prove to Boris that the 50 bits being sold really are part of one of the prime factors of that number. Anton will therefore most likely also have to use a zero-knowledge proof protocol.
The following protocol lets Anton send Boris two messages, one of which Boris receives, without Anton learning which one.
1. Anton generates two public/private key pairs and sends both public keys to Boris.
2. Boris generates a key for a symmetric algorithm (for example, DES), encrypts it with one of the public keys sent by Anton, and sends the result back to Anton.
3. Anton decrypts Boris's message with each of the two private keys generated in step 1 and obtains two bit sequences. One of them is the real DES key; the other is a random string of bits.
4. Anton encrypts two messages with DES, using the two bit sequences obtained in step 3 as keys, and sends both ciphertexts to Boris.
5. Boris decrypts both messages sent by Anton with the key generated in step 2 and obtains two plaintexts, one of which is pure gibberish and the other the meaningful message.
Boris now has one of Anton's two messages, but Anton cannot say with certainty which one. Unfortunately, without an additional verification step Anton could cheat (for example, by encrypting two identical messages in step 4). One more, final step is therefore needed:
6. Once the second message no longer needs to be kept secret (for example, Boris has found another 500 roubles to buy the remaining half of the factor from Anton), Anton gives Boris his private keys so that Boris can verify Anton's honesty.
The protocol is protected against cheating by Anton because in step 3 Anton cannot distinguish the random bit sequence from the real DES key generated by Boris. It is also protected against cheating by Boris because Boris does not have Anton's private keys and so cannot determine the bit sequence Anton used as the DES key for encrypting the second message.
Of course, the oblivious transfer protocol gives no guarantee at all that Anton will not send Boris some meaningless message (such as "Boris is a sucker" or "Meow-meow") instead of bits of one of the seven prime factors of the 700-bit number, or that Boris will even want to read them and take part in the protocol.
In practice oblivious transfer is rarely used on its own; usually it serves as a building block for other protocols.
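The six steps above as an added example that is not part of the original text. Textbook RSA with a 64-bit modulus stands in for the public-key algorithm and a SHA-256 keystream XOR stands in for DES; both are toys chosen only so that the exchange runs offline, and the messages, seeds and function names are constructed for this example.

```python
"""1-out-of-2 oblivious transfer following steps 1-6 (added example)."""
import hashlib
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for the 32-bit candidates used here."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(rng, bits=64):
    """Textbook RSA with a 64-bit modulus: just enough to make the protocol flow runnable,
    nowhere near a real key size. Returns ((n, e), (n, d))."""
    e = 65537

    def prime():
        while True:
            p = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if is_probable_prime(p) and (p - 1) % e:
                return p

    p = prime()
    q = prime()
    while q == p:
        q = prime()
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def stream_xor(key_int, data):
    """Stand-in for DES: XOR with a SHA-256 keystream derived from the key integer.
    Decryption is the same operation."""
    key = key_int.to_bytes(16, "big")
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def run_ot(m0, m1, choice, seed):
    """Anton holds m0 and m1; Boris ends up with m[choice] and Anton never learns choice."""
    rng = random.Random(seed)
    # Step 1: Anton generates two key pairs and sends Boris both public keys.
    (pub0, priv0), (pub1, priv1) = rsa_keygen(rng), rsa_keygen(rng)
    # Step 2: Boris picks a symmetric key k and encrypts it under the public key of his choice.
    k = rng.randrange(2, min(pub0[0], pub1[0]))
    n_c, e_c = (pub0, pub1)[choice]
    enc_k = pow(k, e_c, n_c)
    # Step 3: Anton decrypts with both private keys. One result is k, the other is
    # random-looking garbage, and nothing tells Anton which is which.
    k0 = pow(enc_k, priv0[1], priv0[0])
    k1 = pow(enc_k, priv1[1], priv1[0])
    # Step 4: Anton encrypts m0 under the first key and m1 under the second.
    c0, c1 = stream_xor(k0, m0), stream_xor(k1, m1)
    # Step 5: Boris decrypts both with k; only the message encrypted under k is readable.
    received = stream_xor(k, c0), stream_xor(k, c1)
    # Step 6 (later): Anton hands over both private keys. Boris recomputes the two keys Anton
    # must have used and checks that two distinct, honest messages were really sent.
    audited = tuple(stream_xor(pow(enc_k, d, n), c) for (n, d), c in ((priv0, c0), (priv1, c1)))
    return {"received": received[choice], "other": received[1 - choice], "audit": audited}
```

The returned dictionary shows the three properties the text claims: Boris reads exactly the message he chose, the other one comes out as noise, and after step 6 he can recover both messages and confirm that Anton did not encrypt the same text twice. Because the RSA and the stream cipher here are toys, treat the block as a trace of the message flow, not as an implementation to reuse.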
Anonymous joint computation
Sometimes a group of people needs to jointly compute some function of many variables. Each participant in the computation supplies the values of one or more of the function's variables. The result of the computation becomes known to all members of the group, but none of them can learn anything about the values the other members supplied as input.
Computing the average salary
Suppose the head of a department has instructed his subordinates to calculate the department's average salary. The head knows every employee's salary, but is too busy with more important matters to be distracted by such trifles. Each employee knows his own salary perfectly well, but categorically refuses to disclose it to colleagues. To add up their salaries while keeping each one unknown to the others, the employees can use the following protocol:
1. Anton generates a random number, adds it to his salary, encrypts the resulting sum with Boris's public key and sends the result to Boris.
2. Boris decrypts Anton's result with his secret key, adds his own salary, encrypts the resulting sum with Vladimir's public key and sends the result to Vladimir.
3. Vladimir decrypts Boris's result with his secret key, adds his own salary, encrypts the resulting sum with George's public key and sends the result to George.
4. George decrypts Vladimir's result with his secret key, adds his own salary, encrypts the resulting sum with Anton's public key and sends the result to Anton.
5. Anton decrypts George's result with his secret key, subtracts the random number he generated at step 1, divides by the number of employees in the department and obtains the required average salary.
The accuracy of the computed average depends on the honesty of every employee. If even one participant lies about his salary, the result will be wrong. Anton in particular has ample opportunity for abuse: at step 5 he can subtract any number he pleases, and nobody will notice the forgery. Anton should therefore be obliged to use one of the bit commitment schemes. However, if Anton is required to reveal to everyone the random number he generated at step 1, Boris learns Anton's salary. This means that the head of department will have to be distracted after all and perform step 2 of the protocol himself, since he already knows the size of Anton's salary.
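The round above with a hash commitment on Anton's random number, as an added example that is not part of the book. Hop-to-hop public-key encryption is textbook ElGamal over the prime 2^127-1 with generator 3, a toy choice made so the file runs offline (a real deployment would use a standard group and a real commitment scheme). The salaries, mask and nonce in the usage note are constructed inputs. Beyond the five steps, `boris_recovers_anton` shows the catch the last paragraph points out: once Anton opens the commitment, the value Boris decrypted at step 2 gives away Anton's salary.

```python
"""Round-robin average salary with a commitment on the mask (added example)."""
import hashlib
import secrets

P = 2**127 - 1   # Mersenne prime, toy group for the example
G = 3

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return pow(G, x, P), x                      # (public, secret)

def encrypt(pub, m):
    """Textbook ElGamal: (g^k, m * pub^k). m must lie in [1, P-1]."""
    assert 0 < m < P
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), m * pow(pub, k, P) % P

def decrypt(sec, ct):
    c1, c2 = ct
    return c2 * pow(c1, P - 1 - sec, P) % P     # multiply by c1^(-x) via Fermat

def commit(mask, nonce):
    """Hash commitment Anton publishes before step 1, so that at step 5 he
    cannot pretend he used a different random number."""
    return hashlib.sha256(f"{nonce}:{mask}".encode()).hexdigest()

def run_round(salaries, mask, nonce):
    """Steps 1-5. salaries are in ring order, Anton first.
    Returns (average, transcript); transcript['seen'][i] is the plaintext
    participant i decrypted, which is all that participant learns."""
    n = len(salaries)
    assert n >= 2
    pubs, secs = zip(*(keygen() for _ in range(n)))
    commitment = commit(mask, nonce)
    seen = [None] * n
    running = mask + salaries[0]                # step 1: Anton masks his salary
    ct = encrypt(pubs[1], running)
    for i in range(1, n):                       # steps 2-4: each adds his own
        seen[i] = decrypt(secs[i], ct)
        running = seen[i] + salaries[i]
        ct = encrypt(pubs[(i + 1) % n], running)
    seen[0] = decrypt(secs[0], ct)              # step 5: back at Anton
    total = seen[0] - mask
    return total / n, {"commitment": commitment, "seen": seen, "total": total}

def open_commitment(commitment, mask, nonce):
    """Everyone checks the mask Anton reveals against his commitment."""
    return commit(mask, nonce) == commitment

def boris_recovers_anton(seen_by_boris, revealed_mask):
    """Once the mask is public, Boris subtracts it from what he decrypted at
    step 2 and learns Anton's salary. This is why the text has the head of
    department, who already knows it, take Boris's place."""
    return seen_by_boris - revealed_mask
```

Usage: `avg, tr = run_round([1200, 1500, 1800, 2100], 777777, "demo-nonce")` gives `avg == 1650.0`; `open_commitment(tr["commitment"], 777777, "demo-nonce")` is true while any other mask fails, and `boris_recovers_anton(tr["seen"][1], 777777)` returns 1200, Anton's salary.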
How to find like-minded people
Anton likes to play with rubber dolls whose manufacturers have done a wonderful job of faithfully reproducing, at full scale, certain features of female anatomy. Boris, for his part, enjoys observing in full colourful detail, with the help of modern optical devices, the lives of his neighbours in the apartment block across the street. Both carefully hide their predilections from relatives, friends and colleagues, but would very much like to find people who share their interests.
The firm "Anonymous Joint Computations" is ready to help Anton, Boris and others like them find fellow eccentrics. The firm's staff have compiled a universal list of all human eccentricities, each assigned a unique seven-digit identifier. Having applied to the firm, Anton and Boris take part in a protocol, after which they learn whether they are drawn to the same eccentricity. If the answer is yes, they can contact each other and merge in mutual ecstasy. If the answer is no, nobody learns of their unusual predilections, not even the firm's employees.
The protocol looks like this:
1. Using a one-way function, Anton transforms the seven-digit identifier of his eccentricity into another seven-digit number.
2. Treating the number obtained at step 1 as a telephone number, Anton dials it and leaves his contact details with the subscriber. If nobody answers, or no such telephone number exists, Anton applies the one-way function to the number again and obtains a new seven-digit number. This continues until somebody answers Anton's call.
3. Anton tells the firm how many times Boris must apply the one-way function to obtain the required telephone number.
4. Boris applies the one-way function to the seven-digit identifier of his eccentricity the same number of times that Anton did, and obtains a seven-digit number which he treats as a telephone number. Boris calls that number and asks whether any message has been left for him.
It should be noted that Boris can mount a chosen-plaintext attack. Having learnt the identifiers of common human eccentricities, Boris can go through them one by one, apply the one-way function to each and call the resulting telephone numbers. The number of possible eccentricities must therefore be made large enough for this kind of attack to be impractical.
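The telephone-number protocol above, as an added example that is not part of the book. `one_way` is SHA-256 truncated to seven digits and stands in for the book's unnamed one-way function; the identifiers and the set of telephone numbers that "answer" are constructed for the demonstration. The last function implements the chosen-plaintext attack the closing paragraph warns about: with the relayed count and a short list of common identifiers, Boris finds Anton's identifier without Anton's cooperation.

```python
"""Finding like-minded people with an iterated one-way function (added example)."""
import hashlib

def one_way(seven_digit):
    """Map a seven-digit number to another seven-digit number (stand-in for
    the book's one-way function; SHA-256 truncated to seven decimal digits)."""
    digest = hashlib.sha256(f"{seven_digit:07d}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % 10_000_000

def anton_leaves_message(identifier, answering_numbers, max_tries=10_000):
    """Steps 1-2: keep applying the function until a number that answers.
    Returns (count, number); count is all the firm is later told."""
    number = identifier
    for count in range(1, max_tries + 1):
        number = one_way(number)
        if number in answering_numbers:
            return count, number
    raise RuntimeError("no subscriber answered within max_tries")

def boris_dials(identifier, count):
    """Step 4: Boris applies the function `count` times to his own identifier."""
    number = identifier
    for _ in range(count):
        number = one_way(number)
    return number

def run_protocol(anton_id, boris_id, answering_numbers):
    """True when both identifiers land on the same telephone number, i.e.
    Boris finds Anton's message waiting for him."""
    count, anton_number = anton_leaves_message(anton_id, answering_numbers)
    # Step 3: the firm relays only `count`, not the identifier or the number.
    return boris_dials(boris_id, count) == anton_number

def dictionary_attack(candidate_ids, count, target_number):
    """Boris's chosen-plaintext attack: try every common identifier with the
    relayed count and see which one reaches the number Anton called."""
    return [cid for cid in candidate_ids
            if boris_dials(cid, count) == target_number]
```

The attack succeeds whenever the identifier space is small enough to enumerate, which is exactly the condition the closing paragraph says the firm must avoid; a seven-digit space gives at most ten million candidates, each costing one hash per hop.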
Key escrow
Since time immemorial one of the most widespread methods of surveillance has been interception, including the interception of messages exchanged by the people under observation. Today, thanks to the wide availability of strong public-key cryptosystems, criminals and terrorists can exchange messages over popular communication channels without fear of interception by anyone. Law enforcement agencies have therefore found themselves in urgent need of a way, under certain conditions, to gain timely access to the plaintext of encrypted messages circulating in commercial communication networks.
In 1993 the US government publicly announced for the first time its plans to introduce the Escrowed Encryption Standard. Under this standard, data is encrypted by a tamper-resistant chip called Clipper, which carries a unique identification number and an escrowed key. The escrowed key consists of two parts, stored separately at two different authorised government agencies. To encrypt a plaintext message, the chip generates a session key. This session key is encrypted with the escrowed key and attached, in encrypted form, to the ciphertext of the message together with the chip's identification number. Should the need arise to read a message encrypted with a Clipper chip, law enforcement agencies need only apply, in the prescribed manner, to the authorised agencies for the escrowed key stored there, use it to decrypt the session key, and then read the required plaintext.
In the most general case, encryption with key escrow is implemented by the following cryptographic protocol:
1. Anton generates a key pair consisting of a public key and a secret key, and divides them into n parts.
2. Anton sends each part of the secret key, together with the corresponding part of the public key, to a separate trustee.
3. Each trustee checks the parts of the public and secret key received from Anton and stores them in a secure place.
4. If law enforcement agencies obtain permission to read Anton's correspondence, they apply to his trustees and reconstruct the corresponding secret key.
There are various variants of the key-escrow encryption protocol. For example, a threshold scheme can be built into it so that, to reconstruct the secret key, it is necessary to collect not all n parts distributed by Anton among the trustees, but only at least m of them (m < n). In addition, the key-escrow protocol can be supplemented with steps borrowed from the oblivious transfer protocol, so that the trustees do not know whose key in particular they are reconstructing at a given moment at the request of law enforcement.
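The four-step protocol together with the threshold variant of the last paragraph, as an added example that is not part of the book. Anton's key pair is (x, y = g^x mod p) in a prime-order subgroup. The secret x is split with Shamir's scheme, and Anton publishes Feldman commitments to the polynomial coefficients; these play the part of the "corresponding parts of the public key" in step 2 and let each trustee check its share in step 3 without learning anything about x. Any m of the n trustees can reconstruct x (step 4). The group is generated here at toy size, a safe prime of about 64 bits, so the file runs offline; a real deployment would use a standard group, and the Clipper scheme itself used a different, symmetric construction.

```python
"""Threshold key escrow with verifiable shares (added example, not from the book)."""
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; with these fixed bases it is deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def group(bits=64):
    """Safe prime p = 2q + 1 with q of `bits` bits, and a generator g of the
    order-q subgroup (any quadratic residue other than 1)."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        p = 2 * q + 1
        if is_prime(q) and is_prime(p):
            g = pow(secrets.randbelow(p - 3) + 2, 2, p)
            if g != 1:
                return p, q, g

def keygen(p, q, g):
    """Step 1: Anton's key pair (secret x, public y = g^x)."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def split_key(x, n, m, p, q, g):
    """Steps 1-2: n shares (i, f(i)) of x with threshold m, plus the Feldman
    commitments g^a_j to the polynomial coefficients. commitments[0] is y."""
    coeffs = [x] + [secrets.randbelow(q) for _ in range(m - 1)]
    commitments = [pow(g, a, p) for a in coeffs]
    shares = []
    for i in range(1, n + 1):
        s = 0
        for a in reversed(coeffs):            # Horner evaluation of f(i) mod q
            s = (s * i + a) % q
        shares.append((i, s))
    return shares, commitments

def verify_share(share, commitments, p, q, g):
    """Step 3: trustee i checks g^s_i == prod_j C_j^(i^j) mod p, which holds
    exactly when s_i is f(i) for the polynomial Anton committed to."""
    i, s = share
    rhs = 1
    for j, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(i, j, q), p) % p
    return pow(g, s, p) == rhs

def reconstruct(shares, q):
    """Step 4: Lagrange interpolation at 0 from any m verified shares."""
    x = 0
    for i, s in shares:
        lam = 1
        for j, _ in shares:
            if j != i:
                lam = lam * j * pow((j - i) % q, -1, q) % q
        x = (x + s * lam) % q
    return x

def escrow_demo(n=5, m=3):
    """End to end: 5 trustees, any 3 of them recover Anton's secret key."""
    p, q, g = group()
    x, y = keygen(p, q, g)
    shares, commitments = split_key(x, n, m, p, q, g)
    assert commitments[0] == y                       # constant term is the public key
    assert all(verify_share(s, commitments, p, q, g) for s in shares)
    return reconstruct(shares[-m:], q) == x          # the last m trustees suffice
```

A trustee that receives a tampered or mismatched share rejects it at `verify_share`, so a dishonest Anton cannot hand out pieces that later fail to reconstruct; with m-1 shares, `reconstruct` returns a value unrelated to x, which is the threshold property the text describes.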