Strength of the encryption system, classification of encryption systems by strength. Types of attacks on the encryption system.
Persistence- the ability to withstand all kinds of intruder attacks aimed at finding (calculating) the key, or open message under the assumption that a number of conditions are met.
Intruder attacks
1. Cryptanalysis is carried out only on the basis of intercepted cryptograms;
2. Cryptanalysis is carried out on the basis of intercepted cryptograms and their corresponding open messages.
3. Cryptanalysis is carried out on the basis of an open message chosen by the enemy;
Classes of encryption systems
· Certainly persistent or perfect, perfect
· Computationally robust
Unconditionally strong (ideal) encryption systems
An unconditionally strong encryption system (BSSS) is an encryption system in which any cryptogram (if the attacker does not have a key) does not contain additional information to a priori known about the message encrypted in this cryptogram.
In the best way decryption of the BSSSH cryptogram is guessing
one of possible messages source Mathematically, the ACSS condition can be written in the form:
The conditional probability that the message M i was encrypted with a cryptogram E j;
- a priori (with an unknown cryptogram) probability of the presence of a message M i.
Computationally resistant systems encryption
The encryption system is called computationally resistant(VSSH), if opening such a system is possible, but even best algorithm opening takes an immensely long time or immeasurably great memory devices with which cryptanalysis is carried out.
The cryptanalysis time is determined by:
1. The complexity of the decryption algorithm;
2. The speed of computing devices,
decrypting
The complexity of cryptanalysis algorithms must match the complexity of solving a complex problem.
Basic approaches to cryptanalysis:
1. Busting of keys
2. Analysis of the statistical features of cryptograms
3. Linear cryptanalysis
4. Differential cryptanalysis
Speed of computing devices 10 10 - 10 12 operations / s
Computer speed increases 4 times every 3 years
Replacement code, its properties.
Simple replacement cipher, simple substitution cipher, mono-alphabetic cipher - a class of encryption methods that boil down to the creation of an encryption table according to a specific algorithm, in which for each letter plain text there is only one letter of the cipher-text associated with it. The encryption itself consists in replacing letters according to the table. For decryption, it is enough to have the same table, or to know the algorithm by which it is generated.
Column replacement ciphercalled a cipher with the alphabet of open messages Z m coinciding with the alphabet of encrypted messages and the key set K.
Thus, the column replacement cipher consists in applying substitutions from the symmetric group to the characters of the plaintext of the order of the cardinality of the alphabet of open messages. In this case, each substitution is selected depending on the key and the previous characters of the plain text.
Replacement cipher properties.
1. If all substitutions in the substitution table are equally probable and mutually independent, then the encryption system using this method will certainly be strong.
2. Unlike the gamma method, the implementation this method encryption is more complex, which is determined by the need to build managed node permutations with m outputs.
3. When encrypting by the replacement method, there is no multiplication of errors arising in the communication channel due to interference.
4. Overlapping cipher, ie encryption with the same table different messages does not lead to a simple and unambiguous decryption, as in the gamma method. However, the robustness of the method decreases, since repeated substitutions make it possible to carry out cryptanalysis based on the repetition rates of the letters of the cryptogram.
ten). Block cipher, Feistel scheme, block cipher properties
Block cipher called a cryptosystem in which each new block an open message is converted into a block of a cryptogram according to the same rule determined by the encryption algorithm and the key. The decryption procedure is performed according to the same principle.
According to the Kerchhoff principle, the encryption and decryption algorithms are fully known to the cryptanalyst. Only the key is unknown, which is used for both encryption and decryption. The same message blocks Mi and Mj are always converted into the same blocks of cryptograms Ei and Ej. If this property is undesirable, then another modification of the same block encryption algorithm is used.
The principles of building block ciphers are that the block cipher algorithm must use:
a) substitutions (nonlinear transformations of short parts (for blocks of a block cipher);
b) permutations of symbols in blocks;
c) iterating operations (a) and (b) (i.e., repeating them multiple times with different keys).
Feistel's scheme.
To simplify the encryption and decryption procedures, the Feistel scheme is used, based on the following principles:
a) each current block is divided into two equal parts - the left Li and the right Ri, where i is the iteration (round) parameter;
b) the method of forming the next "halves" of blocks from the previous ones is determined as shown in Fig. 3.3, where ki is the key of the i-th round.
Let's represent this transformation in analytical form:
L i = R i-1, R i = L i-l + f (R i-1, k i),
where f () is a nonlinear function of two arguments, in which nonlinearity is determined, for example, by a table.
Features of the Feistel scheme:
1) The reversibility of the encryption procedure turns out to be possible when the function / () in the scheme is not necessarily reversible.
2) Both halves of the block are constantly changing places and therefore, despite the apparent asymmetry, they are encrypted with the same strength.
Characteristics of the AES cipher
1.Can be faster than normal block cipher;
2.Can be implemented on a smart card using a small PAM and having small number cycles;
3. Round transformation allows parallel execution;
4. Does not use arithmetic operations, so the type of processor architecture does not matter;
5. Can be used to calculate MAC-code and hash-function.
This cipher is based on the principle of iteration (iteration is the repetition of some mathematical operation, using the result of the previous analogous operation) SD-transformations and uses the so-called architecture "square", that is, all transformations are performed within one square.
The current data (including the original message and the received cryptogram) is written one byte (8 bits) into each of the 16 cells, which gives a total encryption block length of 8x16 -128 bits.
The first transformation of this algorithm is performed as the computation of the inverse element in the field GF () modulo the irreducible polynomial + + + x +1, which ensures the provable stability of the cipher with respect to linear and differential cryptanalysis, while the zero element of the field is preserved without transformation (Fig. 3.16 ).
The next transformation consists in multiplying each cell of the square, represented as a binary column vector (,), by a fixed matrix and adding also a fixed column vector, and all operations here are performed in the GF (2) field:
The matrix and column vector used in this transformation are kept the same across all rounds and are independent of the key.
Note that matrix multiplication and vector addition improve cryptographic properties cipher for the case when zero elements appear in the cells of the square.
As the next transformation, a byte cyclic shift of the message array by a different number of bytes (cells) is used, shown in Fig. 3.17.
The next transformation is called column shuffling. At this step, everyone C-th column square matrix is represented as a 4-dimensional vector over the field GF (), and then multiplication is performed in this field, given by the irreducible polynomial + + + x +1, by a certain matrix with elements from the same field:
where the elements shown in this matrix are specified as elements of the GF () field (i.e., as binary sequences of length 8), as illustrated following example:
Finally, the round key addition is performed, which is performed simply as a bitwise addition of all elements of the last square with 128 elements of the round key mod 2. After one round is completed, all the operations described above are repeated using other round keys. Round keys are generated from a single secret key with a length of 128, 192 or 256 bits (depending on the selected encryption mode) using special transformations, including cyclic shifts and expansions. The number of rounds of the cipher depends on the selected mode of its operation and varies from 10 to 14.
For decryption, the sequence is used inverse transformations with reverse order following round keys, which turns out to be quite possible, since all operations performed in each round, as it is easy to see, are reversible. However, it should be noted that unlike ciphers based on the Feistel structure (for example, DES cipher), this cipher must use different electronic circuits or programs for encryption and decryption, respectively.
Features of the AES cipher
1) AES is focused mainly on implementation with 8-bit processors;
2) all round transformations are performed in finite fields, which allows simple implementation on various platforms.
AES cipher strength
It is obvious that enumeration of all keys (even with their minimum number - 2) turns out to be impossible. Linear and differential cryptanalysis are also practically impossible due to the choice of optimal transformation procedures and, in particular, due to the use of computation return elements in the final field.
Cryptanalysis based on the solution of a nonlinear system of equations over the field GF (2) describing the cipher is theoretically possible, including due to the appearance of additional equations. However, this procedure requires an immensely large computational resource. Thus, at present, the AES cipher can be considered strong against any known attacks.
Speed AES encryption
At software implementation this algorithm is most efficiently implemented on 8- and 32-bit platforms. For typical PCs, the encryption speed can be in the order of 1 MB / s - 500 KB / s. With hardware implementation high speeds encryption (about 100 MB / s and higher) will require an increase in hardware resources and, consequently, an increase in the size of the device.
Cipher strength A5 / 1
When developing this cipher, it was assumed that it would have a high
durability, since the number of its keys is large enough, however
further research by independent cryptographers
They showed that this cipher has weak sides... One of them consists
the fact that the LRRs included in the encoder have small lengths, and therefore
they are susceptible to some modification of statistical attacks, and
attacks based on exchange ratios between the required memory size
and analysis time.
Ultimately, the studies that have been conducted since
2000 (i.e., almost immediately after the introduction of this standard), showed that this
the cipher can be "cracked" using an ordinary PC in real
22. Raising to a power, finding the discrete logarithm
Exponentiation modulo is the calculation of the remainder of the division of a natural number b(base) raised to the power e(exponent), on natural number m(module).
. Quick way construction by D. Knut.
Let's represent the exponent in binary form;
We replace each unit with a pair of letters KU (square + multiplication);
We replace each zero with the letter K (square);
In the resulting sequence, cross out the first pair of KUs;
We carry out calculations over the base a, according to the obtained sequence.
Example: 3 37 (mod7)
37 = 100101 = KUKKKUKKU = KKKKUKKU
3®3 2 (mod7) = 2®2 2 (mod7) = 4®4 2 (mod7) = 2®2 × 3 (mod7) = 6®6 2 (mod7) = 1®1 2 (mod7) = 1 ®1 × 3 (mod7) = 3
Computational complexity for the exponentiation operation: [email protected](2logx).
Computational complexity for the discrete logarithm operation: [email protected]((n) 1/2).
Finding the discrete logarithm by the "meeting in the middle" method
Build a database of size O ((n) 1/2) of the form a z (modn) for random numbers zÎ and sort it.
For random numbers b such that gcd (b, n-1) = 1, calculate y b (modn) and compare with the numbers in the database.
With a high probability, after several attempts, we get
a z (modn) = y b (modn)
4. Raise both sides to the power b -1, we get a z · b-1 (modn) = y (modn). Where does it follow
This method has complexity N t @O ((n) 1/2 logn), N v @O ((n) 1/2)
Exponentiation is fairly easy, even with large input values. But the calculation of the discrete logarithm, that is, finding the exponent e given b, c and m is much more complicated. This one-way behavior of the function makes it a candidate for use in cryptographic algorithms.
El Gamal COP.
This is some modification of the RSA CS, the stability of which is not directly related to the factorization problem. It is widely used in standards digital signature and admits a natural generalization to the case of CSs constructed based on the use of elliptic curves, which will be considered below.
Generating keys.
User A performs the following operations to generate keys:
1) generates a prime number p and a primitive element ɑ∈GF (p);
2) selects random number but such that 1<= a<= p-2, и вычисляет число ɑ^a;
3) chooses the set: (p, ɑ, ɑ ^ amodp) as the public key, and the number a as the private key.
Encryption.
User B takes the following steps to encrypt a message M intended for user A:
1) Receives public key A;
2) Represents the message M in the form of a chain of numbers Mi, each of which does not exceed p-1;
3) Chooses a random number k such that 1<=k<=p-2;
4) Calculates ɣ = (ɑ ^ k) mod p, b = Mi ((ɑ ^ a) ^ k) mod p;
5) Sends cryptogram C = (ɣ, b) to user A.
Decryption
User A takes the following steps to decrypt the message received from User B:
1) using its private key, calculates (ɣ ^ (- a)) mod p
2) restores the message Mi = (ɣ ^ (- a)) * b mod p
Indeed, ɣ ^ (- a)*b=(ɑ^(- a k)) * Mi * (ɑ ^ ( a k)) = Mi mod p
A feature of the El-Gamal scheme is that it belongs to the so-called randomization encryption schemes, since it uses an additional randomness in the form of the number k when encrypting it.
The advantage of the El Gamal QS is also in the fact that then all users on the network can choose the same ɑ and R, which is impossible for the CS of the RSA. Moreover, as will be shown below, this scheme can be naturally extended to the case of elliptic curves.
A significant drawback of the scheme is that the length of the cryptogram in it is 2 times the length of the message.
Resilience of El Gamal QS
The problem of restoring the message M on the given p, ɑ, ɑ ^ a, b, ɣ for unknown a is equivalent to solving the Diffie-Hellman problem.
It is also clear that if the problem of finding the discrete logarithm is solved, then El-Gamal's cryptosystem will be opened. When choosing R with a capacity of 768 bits (for increased security - up to 1024 bits), the security of El-Gamal's CS will be the same as that of RSA's CS when choosing the same parameters for the module in the latter.
It is important to note that to encrypt different messages Mi, Mj, it is necessary to use different values of the numbers k, since in the opposite case b1 / b2 = Mi / Mj, and then the message Mj can be easily found if the message Mi is known.
Generating keys.
Two primes p and q are chosen at random. Located
module N = pq. Find the Euler function φ (N) = (p-1) (q-1).
Choose a number e such that GCD (e, φ (N)) = 1.
Find d as the inverse of e, de = 1 (mod φ (N)).
We declare d = SK, (e, N) = PK. PK is communicated to everyone
correspondents.
Encryption.
Corr. A transmits an encrypted message to correspondent B
(uses public key corr. B)
Decryption.
Corr. B decrypts the received cryptogram from
Correspondent A using your private key.
Attacks.
1. The RSA system can be opened if it is possible to find p and q, that is, to factor N.
Proceeding from this fact, p and q should be chosen with such a large bit depth that factorization of the number n would require an immeasurably long time, even with the use of all available and modern means of computing.
Currently, the problem of factorizing numbers has no polynomial solution. Only a few algorithms have been developed that simplify factorization, but their implementation for factorizable numbers of large digits still requires an immeasurably long time. Indeed, the complexity of solving the factorization problem for the best currently known factorization algorithm is
So, for example ln n = 200, if, then the number of operations will be approximately equal to 1.37 ∙ 10 14.
With an increase in the number of bits n to 1000 or more, the factorization time becomes completely immeasurable.
2. Another natural attack on the RSA CS is discrete logarithm. This attack (with a known message) is performed as follows: d = log E M mod N. However, the problem of discrete logarithm modulo multidigit numbers is also difficult in mathematics, and it turns out that it has almost the same complexity as the problem of factorization.
3. Cyclic attack. We will sequentially raise the resulting cryptogram to a power equal to the value of the public key, i.e. (((((E e) e)… ..) e.
If at some step it turns out that E i = E, then this means
that E i-1 = m. It is proved that this attack is no better than the attack of factorization N.
4. Lack of encryption. This case is possible if, as a result of encryption, we obtain an open message, i.e., M e mod n = M. Such a condition must be fulfilled for at least one of the messages, for example, for messages M = 0, 1, n - 1. In fact, such messages are generally! not encrypted, exists exactly. Their number is always at least 9. However, with a random choice of q and p, the proportion of such messages will be negligible and they will almost never be encountered in practice.
5. Attack with a small amount of possible messages
Suppose that the number of messages is limited by the values M1, M2,…, Mr, where r is observable. (These can be, for example, different commands - forward, backward, left, right, etc.). Then the message can be easily decrypted.
Indeed, let the cryptogram C be intercepted. Then you need to try to encrypt all commands with a known public key and determine the cryptogram that matches the received C:
The way to combat such an attack is to add some salt to messages (that is, attach small bit strings to them, obtained using a purely random sensor).
VIEWS
Simple ES is a signature that, by using codes, passwords or other means, confirms the fact of the formation of an ES by a certain person.
Unqualified:
Received as a result of cryptographic transformation of information using the ES key;
Allows you to identify the person who signed the document;
Allows you to detect the fact of changes in the ED;
Created using ES tools;
Qualified:
Complies with all the signs of an unqualified electronic signature;
The ES verification key is specified in the qualified certificate.
To create and verify the ES, ES means are used, which have received confirmation of conformity in accordance with the law on ES.
RSA EP scheme.
Let there be some message M and some user A generated a public / private key pair for the RSA system, that is, numbers e A, n A; d A. Then the message M is divided into blocks, each of which can be represented by an integer not exceeding n A. For each of such message-digits M, the CPU S is formed according to the following rule: S = M dA mod (n A). Then the CPU joins the message, forming the so-called signed message, that is, a pair of M, S. To verify the CPU, the user must obtain the public key A, as well as the “signed” (but possibly falsified) message M, S and calculate Ṁ = S eA mod (e A). Further, he compares Ṁ with M and, if they coincide, assumes that the message M is indeed signed by A, otherwise he rejects it as a forgery or distortion.
Scheme of EP El-Gamal.
ES - Electronic signature (CPU - Digital Signature)
ES (CPU) is some additional data attached to the main message, which are formed depending both on the message and on the secret key of the author of the message. To verify the authenticity of the message (otherwise called the verification procedure), the public key of the author of the message is used, which can be accessed by any user.
Generating keys:
1) a large prime is generated R and primitive element a over a finite field GF (p);
2) a number is generated x: 1
3) y = a x mod (p) is calculated;
4) the public key of the CPU verification is selected: ( p, a, y) and the secret key to create the CPU: x.
CPU shaping
If user A wants to sign a message m, represented as a number belonging to Zp, then he performs the following operations:
1) generates a secret number k: 1 ≤ k≤ p - 2; gcd ( k, p - l) = 1, where gcd is the gcd
2) calculates r = a k mod (p);
3) calculates k -1 mod (p - 1);
4) calculates s = k -l (m - xr) mod (p - l);
5) Forms the CPU S to the message m as a pair of numbers S = (r, t).
CPU verification (verification)
In order to verify the signature S created by A under the message M, any user takes the following steps:
1) obtains the public key A: (p, a, y);
2) verifies that 1 ≤ r ≤ p - 1, and if it fails, then rejects the CPU;
3) calculates V 1 = y r r s mod (p);
4) calculates V 2 = a m mod (p);
5) accepts the CPU as correct provided that V 1 = V 2
CPU Resilience Based on ElGamal's COP
1) An attacker can try to forge a signature to his message M as follows: generate a random number k, calculate r = a k mod (p), and then try to find s = k - l (m - xr) mod (p - l).
However, in order to perform the last operation, he needs to know a, which cannot be calculated with the appropriate choice of CPU parameters.
3) It should be noted that if not fulfilled step 2 of the CPU verification algorithm then an attacker can correctly sign any message of his choice, provided he has some other message with the correct CPU at his disposal. Thus, when choosing a module R, which in binary representation has a length of about 768 bits, provides good CPU stability, and to ensure long-term stability it is advisable to increase it to 1024 bits.
Requirements for cryptographic HF
1. Unidirectionality, when for a known hash h it is computationally unfeasible (that is, it requires an unrealizable large number of operations) to find at least one value of x for which, that is, h (x) turns out to be a unidirectional function (ONF).
2. Weak collision resistance, when for given x, h (x) = h it is computationally unfeasible to find another x 'value that satisfies the equation h (x') = h.
3. Strong collision resistance, when it is computationally impracticable to find a pair of arguments x, x ’for which the relation h (x) = h (x’) holds.
Vulnerability fix
Denning and Sacco suggested using timestamps in messages to prevent attacks like the one discussed above. Let us denote such a label by the letter t. Consider the option to fix the vulnerability:
PKI components
· Certificate Authority (CA)- the part of the public key system that issues a certificate to validate the rights of users or systems making a request. She creates a certificate and signs it using a private key. Due to its function of creating certificates, the CA is the central part of the PKI.
· Certificate Repository... Repository for valid certificates and Certificate Revocation Lists (CRLs). Applications verify the validity of the certificate and the level of access it grants by checking against the sample contained in the repository.
· Key Recovery Server- a server that performs automatic key recovery, if this service is installed.
· PKI-Enabled Application- applications that can use PKI tools for security. PKI manages digital certificates and keys used to encrypt information held on web servers when using e-mail, exchanging messages, browsing the Internet, and transferring data. Some applications may use PKI natively, while others require programmers to modify.
· Registration Authority- a module responsible for registering users and accepting requests for a certificate.
· Security Server- A server that manages user access, digital certificates, and strong relationships in a PKI environment. The Security Server centrally manages all users, certificates, CA connections, reports, and verifies the certificate revocation list.
PKI functions
· Registration- the process of collecting information about a user and verifying its authenticity, which is then used during user registration, in accordance with security rules.
· Certificate Issuance... Once the CA has signed the certificate, it is issued to the applicant and / or sent to the certificate store. CA affixes a validity period to the certificates, thus requiring periodic renewal of the certificate.
· Certificate Revocation... A certificate can become invalid before expiration for various reasons: the user has left the company, changed his name, or if his private key has been compromised. Under these circumstances, the CA will revoke the certificate by entering its serial number on the CRL.
· Key Recovery... An additional PKI function allows you to recover data or messages in the event of a lost key.
· Lifecycle Management- Continuous support of certificates in PKI, including renewal, restoration and archiving of keys. These functions are performed periodically and not in response to ad hoc requests. Automated key management is the most important feature for large PKIs. Manual key management can limit PKI scalability.
Basic definitions
· Certificate Revocation Lists (CRLs)- list of canceled certificates. Cancellations may be due to a change of job, private key theft, or other reasons. PKI applications can check user certificates against a CRL before granting access against that certificate.
· Digital Certificate / X.509 Certificate... A data structure used to associate a specific module with a specific public key. Digital certificates are used to authenticate users, applications and services, and to control access (authorization). Digital certificates are issued and distributed by CAs.
· Digital Envelope... A method of using public key encryption to securely distribute secret keys used in symmetric encryption and to send encrypted messages. The key distribution problem associated with symmetric encryption is greatly reduced.
· Digital Signature... A method of using public key encryption to ensure data integrity and inability to refuse a parcel. The encrypted block of information, after decryption by the recipient, identifies the sender and confirms the safety of the data. For example: the document is "compressed", HASH is encrypted using the sender's private key and attached to the document (in fact, this means attaching the "fingerprint" of this document). The recipient uses the public key to decrypt the received message to the "squeeze" state, which is then compared to the "squeeze" obtained after the sent document is "compressed". If both "squeezes" did not match, then this means that the document was changed or damaged during the transfer.
· Public Key Cryptography... There are two main types of encryption: public key and secret (symmetric) key. Public key encryption uses a key pair: open, i.e. freely available, and its corresponding private key, known only to the specific user, application or service that owns this key. This key pair is linked in such a way that what is encrypted with the private key can only be decrypted with the public key and vice versa.
· Symmetric encryption (Shared Secret Cryptography)... There are two main types of encryption: public key and secret (symmetric) key. With symmetric encryption, the recipient and sender use the same key for encryption and decryption. This means that many users must have the same keys. Obviously, until the user receives the key, encryption is not possible, and the distribution of the key over the network is not secure. Other distribution methods, such as a special courier, are expensive and slow.
· RSA Algorithm is the first public key encryption system named after its inventors: Ronald Rivest, Adi Shamir and Leonard Adleman.
· Smart card. A credit card-like device with built-in memory and a processor used to securely store user keys and certificates and other information (usually social and medical).
· Digital Credentials. Within the framework of PKI technology, the ISO / TS 17090-1 standard defines this term as a cryptographically protected object that can contain individual user keys, certificates of individual keys, certificates of CAs of the user's PKI structure, a list of trusted CAs, and other parameters related to user domain - user identifier, names of applied cryptographic algorithms, values of starting values, etc. Credentials can be placed on hardware or software media.
Principle of operation
Certificates are typically used to exchange encrypted data over large networks. A public key cryptosystem solves the problem of exchanging secret keys between participants in a secure exchange, but does not solve the problem of trusting public keys. Suppose that Alice, wanting to receive encrypted messages, generates a pair of keys, one of which (public) she publishes in some way. Anyone who wants to send her a confidential message has the ability to encrypt it with this key, and be sure that only she (since only she has the corresponding secret key) will be able to read this message. However, the described scheme can in no way prevent the attacker David from creating a key pair and publishing his public key, passing it off as Alice's key. In this case, David will be able to decrypt and read at least that part of the messages intended for Alice, which were mistakenly encrypted with his public key.
The idea behind a certificate is that there is a third party that is trusted by the other two parties to the information exchange. It is assumed that there are few such third parties, and their public keys are known to everyone in some way, for example, stored in the operating system or published in logs. Thus, a forgery of the public key of a third party is easily detected.
Cryptographic systems with public encryption keys allow users to transfer data securely over an unsecured channel without any prior preparation. Such cryptosystems must be asymmetric in the sense that the sender and the receiver have different keys, and neither of them can be deduced from the other by computation. In these systems, the encryption and decryption phases are separated and the message is protected without the encryption key being made secret, since it is not used in decryption.
Using the public encryption key, user i encrypts message M and sends it to user j via an unprotected data transmission channel. Only user j can decrypt to recover M, since only he knows the secret decryption key.
Among asymmetric (open) cryptosystems, the most widespread is the RSA cryptographic system. In this system, the recipient of the message chooses two large primes p and q so that the product n = pq is beyond computational capabilities. The original message M can be of arbitrary length in the range 1 The original text M is restored from the encrypted C by the reverse transformation The recipient chooses e and d so that the following conditions are met: where is the Euler function equal to (p - 1) (q - 1); (a, b) is the greatest common divisor of two numbers. That is, e and d in the multiplicative group are reciprocals in residue arithmetic mod. Obviously, the main purpose of cryptographic disclosure is to determine the secret key (exponent at C - the value of d). There are three known ways that a cryptanalyst could use to disclose the value of d from open information about the pair (e, n). Factorization n Prime factorization of n allows us to compute the function, and hence the hidden value of d, using the equation Various algorithms for such decomposition are presented in. The fastest algorithm currently known can factorize n in steps of order Analysis of this expression shows that the number n with 200 decimal digits will be well protected from known expansion methods. Direct computation Another possible way of cryptanalysis is associated with the direct calculation of the Euler function without factoring n. Direct computation is not at all simpler than factorizing n, since it then makes it easy to factorize n. This can be seen from the following example. Let be x = p + q = n + 1 -, y = (p - q) 2 = x 2 - 4n. Knowing, you can determine x and, therefore, y, knowing x and y, prime p and q can be determined from the following relations: Direct estimate d The third method of cryptanalysis is to directly calculate the value of d. The reasoning behind this method is based on the fact that if d is chosen large enough for simple enumeration to be unacceptable, computation of d is no simpler than factoring n, since if d is known, then n is easily factorized. This can be shown as follows. If d is known, then we can calculate a multiple of the Euler function using the condition where k is an arbitrary integer. You can factorize n using any multiple of. The decryptor, on the other hand, might try to find some value d "that is equivalent to the hidden value d used in the design of the cipher. If there are many such d", then brute force can be attempted to break the cipher. But all d "differ by a factor equal to and if this factor is calculated, then n can be factorized. Thus, finding d is as difficult as factoring n. Thus, the main task of cryptanalysis of asymmetric encryption systems is reduced mainly to the problem of factorization (factorization). This problem is one of the main ones in number theory and is formulated as follows: Let us be given an integer n> 0, and it is required, if possible, to find two numbers a and b such that ab = n. There are actually two different tasks: the first, called the simplicity test, is to check if such a and b exist; the second, called decomposition, is the problem of finding them. Let's consider both of these tasks. First deterministic test.