At first glance the title of this article seems absurd; the only thing that comes to a reader's mind is probably the use of calculation methods in ballistics. But there is far more military physics than military mathematics. The field where “pure” mathematics is applied in the military sphere is cryptography. I will not dwell on the importance of the subject; it has been obvious since the days of Enigma. At present very disturbing things are happening in cryptography, to which Russian specialists, unfortunately, do not react. And if they do react, it is in a very peculiar way. This has already been written about, but evidently not enough, so the topic has to be continued.
"Features of national cryptography"
In the middle of 2015 several new GOST standards for cryptographic operations were adopted. Even the title pages of these important state documents are, to put it mildly, puzzling. Look, here is one of them:
I too am seeing “for the first time” official documents of special state importance whose development involved a certain commercial firm of the “Horns and Hooves” variety.
The InfoTeCS company does not even have premises of its own and is located in an “Office Shopping Center” (quoting the company's website). Whoever does not believe it can check for themselves; here is a link to the company's public website.
Note that these are standards for cryptographic algorithms, not a GOST for the production of Doktorskaya sausage...
In terms of encryption strength the new GOSTs are a step backwards. I will not be unfounded; here is just one example. The new algorithms drop the requirement that a specific set of tables, the substitution boxes (“replacement blocks”, S-boxes), be kept secret.
Previously the S-boxes were secret and were issued by the regulator in a “special” order; now they are public and fixed. Accordingly, life has become much easier for cryptanalysts (as cipher breakers are politely called): their task now comes down to recovering the encryption key, whereas before they also had to recover the contents of the S-boxes.
The weakening of the cryptographic strength of Russian encryption tools is happening against the background of our potential “friends” introducing quantum cryptanalysis (the breaking of encrypted information) and of the computing-technology race.
It is no secret that the emergence of actually working quantum computers was driven first of all by the needs of cryptanalysis; there is even the public term “quantum cryptanalysis”.
Public information on quantum cryptanalysis
It has long been no secret that cryptanalysis algorithms for symmetric and asymmetric encryption were developed specifically for quantum computers. The algorithms existed, the computers did not; now they have appeared:
Quote
Until recently it was believed that symmetric encryption did not lend itself well to quantum cryptanalysis, but here is information about the breaking of block ciphers by a new (or rather a well-forgotten old) method.
Article
Note that this news “slipped out” in 2007; after that there was no mention of the method in open Internet sources.
At first glance it is not clear what I am talking about, so I will try to explain it on my fingers; radio-electronics and communications specialists will understand me easily...
First, it is a return to the old analog computer. Such computing devices existed before; then they became electrical, now they have become quantum. The essence does not change.
Second, the installation described uses a new technique of quantum cryptanalysis, and that needs explaining.
Take the simplest case: generating a gamma (a keystream), for example with the old GOST 28147-89 algorithm. In this case the gamma is a sequence of 32-bit numbers, and the more of them the better. We treat each such number as the instantaneous value of a wave function that is being digitized.
We treat the resulting gamma sequence as a sampled wave and, using the Fourier transform, decompose it into harmonic components.
As a result we get the classic and very stable picture of pseudo-random “pink” noise: a stable and limited set of frequencies, modulated in amplitude and phase.
Now we overlay the plaintext on the gamma and obtain the ciphertext. It too can be represented as a digitized wave function, but one that is now modulated by the plaintext.
In effect any encryption is a process identical to radio transmission: a high-frequency carrier, produced by the operation of the cryptoalgorithm, is modulated by a low-frequency payload signal (the plaintext).
In our example the gamma is the high-frequency signal and the text being encrypted is the low-frequency modulating signal. Breaking it by quantum cryptanalysis is essentially the same as the operation of a detector (crystal) receiver: the original high-frequency wave function is filtered off and the low-frequency modulating component is extracted. Such a “detector” method works better the fewer harmonic components the ciphertext has and the longer the encrypted message is.
Ideally, a ciphertext with the properties of true “white” noise, with an infinite number of harmonic components, cannot be broken by this method.
It follows that cryptographic algorithms, besides algorithmic complexity (the number of equations for calculating the key values) and algebraic complexity (the difficulty of solving those equations), should also have the maximum attainable statistical complexity, that is, be as close as possible to the parameters of “white noise”.
So far nobody pays attention to the statistical complexity of ciphertexts. The ciphertexts produced by the cryptoalgorithms standardized in Russia are very far from the statistical parameters of truly random sequences.
The reason for this is quite specific, and it is discussed below.
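The claim above is one a practitioner can test on a laptop, because the Fourier part of the procedure is entirely classical. The following is an added example and is not code from the original article: it implements Magma (the GOST R 34.12-2015 block cipher, with the fixed S-box published in RFC 8891), generates a gamma by encrypting a counter (plain counter mode is an assumption of this example, not the exact GOST 28147-89 gamma mode; the spectral measurement does not depend on that detail), treats each 32-bit word as a signal sample exactly as the article proposes, and computes the flatness of the segment-averaged power spectrum: a ratio near 1 means white noise, a ratio near 0 means a few dominant harmonics of the kind a “detector” could lock on to. A constructed gamma with one dominant tone is included for comparison. The cipher is checked against the official test vector; with that key the Magma gamma scores near 1 and the tone near 0.

```python
import cmath
import math

# S-box of GOST R 34.12-2015 "Magma" (id-tc26-gost-28147-param-Z, RFC 8891).
PI = [
    [12, 4, 6, 2, 10, 5, 11, 9, 14, 8, 13, 7, 0, 3, 15, 1],
    [6, 8, 2, 3, 9, 10, 5, 12, 1, 14, 4, 7, 11, 13, 0, 15],
    [11, 3, 5, 8, 2, 15, 10, 13, 14, 1, 7, 4, 12, 9, 6, 0],
    [12, 8, 2, 1, 13, 4, 15, 6, 7, 0, 10, 5, 3, 14, 9, 11],
    [7, 15, 5, 10, 8, 1, 6, 13, 0, 9, 3, 14, 11, 4, 2, 12],
    [5, 13, 15, 6, 9, 2, 12, 10, 11, 7, 8, 1, 4, 3, 14, 0],
    [8, 14, 2, 5, 6, 9, 1, 12, 15, 4, 11, 0, 13, 10, 3, 7],
    [1, 7, 14, 13, 0, 5, 8, 3, 4, 15, 10, 6, 9, 12, 11, 2],
]
MASK32 = 0xFFFFFFFF


def g(k, a):
    """Magma round function: add key mod 2^32, nibble-wise S-box, rotate left by 11."""
    x = (a + k) & MASK32
    y = 0
    for i in range(8):  # nibble 0 is the least significant one (RFC 8891 convention)
        y |= PI[i][(x >> (4 * i)) & 0xF] << (4 * i)
    return ((y << 11) | (y >> 21)) & MASK32


def magma_encrypt_block(key, block):
    """Encrypt one 8-byte block under a 32-byte key: 32 Feistel rounds, K1..K8 x3 then K8..K1."""
    K = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(8)]
    round_keys = K * 3 + K[::-1]
    a1 = int.from_bytes(block[:4], "big")
    a0 = int.from_bytes(block[4:], "big")
    for rk in round_keys[:31]:
        a1, a0 = a0, g(rk, a0) ^ a1
    a1 = g(round_keys[31], a0) ^ a1  # final round has no swap
    return a1.to_bytes(4, "big") + a0.to_bytes(4, "big")


def keystream_words(key, n_blocks, iv=0x12345678):
    """Gamma as 32-bit words: encrypt a 64-bit counter (IV || ctr). This is plain counter
    mode, assumed for the example, not the exact GOST 28147-89 gamma mode."""
    words = []
    for ctr in range(n_blocks):
        blk = magma_encrypt_block(key, ((iv << 32) | ctr).to_bytes(8, "big"))
        words.append(int.from_bytes(blk[:4], "big"))
        words.append(int.from_bytes(blk[4:], "big"))
    return words


def fft(x):
    """Radix-2 decimation-in-time FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def spectral_flatness(samples, seg=64):
    """Bartlett-averaged power spectrum over fixed-size segments, DC and Nyquist bins
    dropped; returns geometric mean / arithmetic mean of the bin powers."""
    n_seg = len(samples) // seg
    power = [0.0] * (seg // 2 - 1)
    for s in range(n_seg):
        spec = fft(samples[s * seg:(s + 1) * seg])
        for k in range(1, seg // 2):
            power[k - 1] += abs(spec[k]) ** 2 / n_seg
    arith = sum(power) / len(power)
    geo = math.exp(sum(math.log(p + 1e-300) for p in power) / len(power))
    return geo / arith


def words_to_signal(words):
    """Map each 32-bit word to a sample in [-1, 1), as the article proposes."""
    return [(w - 2 ** 31) / 2 ** 31 for w in words]


def periodic_gamma(n):
    """Constructed 'bad' gamma for comparison: one tone at bin 5 plus a weak ripple."""
    return [math.sin(2 * math.pi * 5 * i / 64) + 0.01 * math.sin(0.37 * i) for i in range(n)]


# Official Magma test-vector key from GOST R 34.12-2015 / RFC 8891.
TEST_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")


def run_check(n_blocks=2048):
    """Returns (flatness of the Magma counter-mode gamma, flatness of the periodic gamma)."""
    gamma = words_to_signal(keystream_words(TEST_KEY, n_blocks))
    return spectral_flatness(gamma), spectral_flatness(periodic_gamma(len(gamma)))


if __name__ == "__main__":
    assert magma_encrypt_block(TEST_KEY, bytes.fromhex("fedcba9876543210")).hex() == "4ee901e5c2d8ca3d"
    flat_cipher, flat_tone = run_check()
    print(f"Magma gamma flatness: {flat_cipher:.3f}   periodic gamma flatness: {flat_tone:.3f}")
```

The flatness statistic is the same one used in audio and speech processing; averaging the periodogram over many segments is what makes it stable enough to distinguish a white keystream from a structured one, since a single raw periodogram of white noise is itself very bumpy. Anyone wishing to test the article's claim about a particular gamma mode or S-box set only needs to swap the keystream generator.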
"Filed" GOST encryption
Again we will have to return to the “features of national cryptography”, but I will start from afar. Long ago, when nobody yet thought of computers, mechanical typewriters were used instead. In the USSR, a power obsessed with the idea of total control over its citizens, typewriters were “marked”: the type was filed inconspicuously so that a printed text could be traced to a specific machine.
Something similar has happened in cryptography: “Big Brother”, with some effort, can read the ciphertexts without even knowing the key material. For this purpose specially selected S-boxes are used, and their use is mandatory.
In theory S-boxes should consist of random numbers, but in practice they contain numbers that are “not random but pseudo-random”. In other words, hidden in the S-boxes there is an algorithm that makes it possible to read the ciphertexts without knowing the keys.
This applies to both block ciphers standardized in Russia: the first is now called Magma (the old GOST 28147-89 with fixed S-boxes), the second is called Kuznyechik (“Grasshopper”), and it was discredited even before its official adoption as a standard.
Information about the “filed” S-boxes circulates at the level of rumour, and of course it has no official confirmation, but facts are stubborn things. Here they are:
- Regarding Magma: the “pseudo-randomness” of its S-boxes was asserted during consideration of the application to include it in the international block cipher standard ISO/IEC 18033-3. In 2010 the International Organization for Standardization (ISO/IEC JTC 1/SC 27) began studying GOST 28147-89, but after analysis of the submitted S-boxes, inclusion was refused.
- Regarding the “pseudo-randomness” of the Kuznyechik S-box, there are hard mathematical results. They were presented by Alex Biryukov, Leo Perrin and Alexey Udovenko at EUROCRYPT 2016 (“Reverse-Engineering the S-Box of Streebog, Kuznyechik and STRIBOBr1”; a preprint circulated earlier), and the paper states that:
"Despite the claims of the developers, the values of the S-box of the Kuznyechik block cipher and the Streebog hash function are not random numbers but are generated by a hidden algorithm, which was recovered by reverse-engineering methods."
The “filed-ness” of the S-boxes as such would be of little interest to us if not for one “but”: the algorithm hidden in the S-boxes significantly weakens the statistical parameters of the ciphertext. One caveat is due here: the authors of that paper themselves reported that they had found no attack exploiting the recovered structure, so the weakening described in this section is an inference from their result rather than something the paper demonstrates.
From the point of view of statistical parameters, ciphertext produced by the Russian symmetric encryption algorithms is seriously weakened and can be easily broken on quantum cryptanalytic machines.
And apart from that, who can guarantee that the algorithms for reading ciphertext without the key material have not “leaked”? As happened, for instance, with the listening devices planted in the new building of the American embassy. Or as in the early 2000s, when English-speaking “businessmen” took now-retired Russian cryptography generals on superyacht cruises in warm seas. What happened there is unknown, but in such situations prudence always assumes the worst...
The eternal Russian question: "What is to be done?"
A thoughtful reader, having read the above, will surely object that this trouble is easy to defeat by starting to use honest S-boxes made up of genuinely random numbers. That is right: the statistical parameters of ciphertexts produced by the Russian symmetric algorithms can be significantly improved by means of the S-boxes, only that is not enough. The encryption algorithms themselves need to be made more complex; the NSA says as much:
Article
At a minimum this means increasing the key size, but even that was not done in our new GOSTs, not to mention the introduction of more robust algorithms.
A new cipher, Kuznyechik, has supposedly appeared, but in its structure it fully follows the AES algorithm of twenty years ago and has similar cryptographic strength. And twenty years ago this “trouble”, now called quantum cryptanalysis, was not even suspected.
So for now we are defenceless, and moreover it is not known what our potential adversaries actually manage to read in our encrypted messages, because they already have quantum computers, according to the Snowden documents...
Moreover, such machines are now even publicly available:
Article
So in our cryptography the next classic “naked king” situation is very likely. Soon the head of the 8th Center of the FSB will have a new first deputy; by tradition the first deputies there have always been cryptographers. The previous one has “gone”. To understand who left, and who he was in that position, here is one very telling link:
Article
The new cryptographic GOSTs adopted in 2015 and the Kuznyechik encryption algorithm discussed above are the brainchild of A.S. Kuzmin. Even the name of the cipher comes from his surname (Kuznyechik = Kuzmin + Nechaev). Let us hope that the new head of Russian cryptography will restore order in his troops.
P.S. In conclusion, about one feature of the troops of “combat algebra”: their losses are kept silent. Where else have you seen the “tragic death” of the country's chief cryptographer, a lieutenant general of the FSB, go unannounced in the news feeds?