**5. Novel key sharing protocol for public constant noiseless channels and without any cryptographic assumptions**

Let us introduce a novel KSP designed for use over constant, public and noiseless communication channels. This protocol has the following distinctions in comparison with other KSPs:


**Figure 4** presents the KSP for execution over public constant noiseless channels, which we call *KSP-PCN*. Here $G$ and $P$ are $n \times n$ random matrices generated by A and B in advance, as are the $n \times n$ matrices of artificial noise $N_A^{1}$, $N_B^{1}$. We assume that all matrix elements are mutually independent and Gaussian distributed.

In the first step, these matrices are transmitted over the constant public noiseless channel to the opposite party. Next, users A and B calculate $\tilde{K}_A$ and $\tilde{K}_B$, which are noisy versions of the matrices $GP$ and $PG$, respectively, and extract the eigenvalues of these matrices. After a quantization procedure applied to the eigenvalues, A and B obtain the "raw bits" of the shared key, $\tilde{\tilde{K}}_A$ and $\tilde{\tilde{K}}_B$, respectively. Eavesdropper E intercepts the signals $G + N_A$, $G + N_B$. E extracts the eigenvalues of the matrix product $(G + N_A)(G + N_B)$ and subsequently quantizes them to get the eavesdropper's "raw key" $K_E$. Simulation of the KSP shows that the key bit error probabilities $P_l$ for legitimate users are very close to those of the eavesdropper, $P_e$. Hence we need an additional protocol that is able to separate these probabilities. This protocol, called *Preference Improvement of the Main Channel* (PIMC), works as follows: user A (or B) repeats each "raw bit" $S$ times, while the opposite user accepts such $S$-blocks if, and only if, they consist of $S$ identical bits (all zeros or all ones); otherwise the opposite user informs the initiator of the protocol about the incorrectly received blocks. Supposing that bit errors are independent of one another, the PIMC protocol provides the following BER between A and B:

$$
\tilde{P}_l = \frac{P_l^S}{\left(1 - P_l\right)^S + P_l^S} \tag{33}
$$

At the same time eavesdropper E also intercepts the $S$-blocks with BER $P_e$ and monitors the public channel over which the information regarding acceptance or rejection of $S$-blocks is transmitted between the legitimate users. E decides each $S$-block using the *majority rule*. If E's channel is assumed to be statistically independent of the legitimate channel, then the BER after such a decision will be (for odd $S$):

$$\tilde{P}_{e} = \sum_{i = \frac{S+1}{2}}^{S} \binom{S}{i} P_{e}^{i} (1 - P_{e})^{S-i} \tag{34}$$

In order to provide repetition of bit blocks and to improve the key bit statistics, it was proposed to use the key bit generation scheme shown in **Figure 5**.

We can see from **Figure 5** that user B generates a *truly random binary string $\gamma$* that is XOR-ed with B's raw bit string $\tilde{\tilde{K}}_B$, and the sum is transmitted over the public noiseless channel to user A, who adds this string to the raw bit string $\tilde{\tilde{K}}_A$ in order to get:

$$K_A = \tilde{\tilde{K}}_B \oplus \gamma \oplus \tilde{\tilde{K}}_A = \tilde{\tilde{K}}_A \oplus \varepsilon_{AB} \oplus \tilde{\tilde{K}}_A \oplus \gamma = \gamma \oplus \varepsilon_{AB},\tag{35}$$

where $\varepsilon_{AB}$ is the noise string between the raw strings $\tilde{\tilde{K}}_A$ and $\tilde{\tilde{K}}_B$, and "$\oplus$" is the operation of bitwise modulo-two addition. In this version only one user has to repeat each bit of $\gamma$ $S$ times in order to perform the PIMC protocol.

**Figure 5.** *Additional key-transformed protocol.*

From now on the string $\gamma$ will be considered the final key bit string between A and B. At the same time E receives $\tilde{\tilde{K}}_B \oplus \gamma$ over the public noiseless channel and, possessing her string $\tilde{\tilde{K}}_E$, is able to form her bit string $K_E$ as follows:

$$K_E = \tilde{\tilde{K}}_E \oplus \gamma \oplus \tilde{\tilde{K}}_B = \tilde{\tilde{K}}_B \oplus \varepsilon_{BE} \oplus \gamma \oplus \tilde{\tilde{K}}_B = \gamma \oplus \varepsilon_{BE},\tag{36}$$

where $\varepsilon_{BE}$ is the noise string between the raw strings $\tilde{\tilde{K}}_E$ and $\tilde{\tilde{K}}_B$. In order to optimize the KSP with respect to reliability, security and key string size, it is necessary to select the following parameters:


It is worth noting that in the proposed KSP (see **Figure 4**), unlike the earlier presented protocols (see [5]), all parameters are *under the control of legitimate users*. This means that we can take for granted the reliability and security of the shared key string, as well as its size, regardless of the properties of the eavesdropper's channel.
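The masking scheme of Figure 5 followed by the PIMC step can be checked numerically against formulas (33) and (34). The Python sketch below is an added example, not code from the chapter; the function names, the raw BER values and the modelling of the raw strings as independent binary symmetric channels are assumptions made for illustration.

```python
import random
from math import comb

def pimc_legit_ber(p_l, s):
    """Formula (33): BER between A and B on accepted S-blocks."""
    return p_l**s / ((1 - p_l)**s + p_l**s)

def majority_ber(p_e, s):
    """Formula (34): E's BER after a majority decision (odd S)."""
    return sum(comb(s, i) * p_e**i * (1 - p_e)**(s - i)
               for i in range((s + 1) // 2, s + 1))

def simulate(p_l, p_e, s, n_bits, seed=1):
    """Figure 5 masking plus PIMC over constructed, independent BSCs.

    Returns (accept_rate, legit_ber, eve_ber) measured on accepted blocks.
    A seeded software PRNG is used for the simulation only; the chapter
    requires a hardware generator for real key material.
    """
    rng = random.Random(seed)
    accepted = legit_err = eve_err = 0
    for _ in range(n_bits):
        gamma = rng.getrandbits(1)              # B's random key bit
        a_block, e_block = [], []
        for _ in range(s):                      # B repeats gamma S times
            k_b = rng.getrandbits(1)            # B's raw bit
            k_a = k_b ^ (rng.random() < p_l)    # A's raw bit, error eps_AB
            k_e = k_b ^ (rng.random() < p_e)    # E's raw bit, error eps_BE
            sent = k_b ^ gamma                  # public: seen by A and E
            a_block.append(sent ^ k_a)          # (35): gamma xor eps_AB
            e_block.append(sent ^ k_e)          # (36): gamma xor eps_BE
        if len(set(a_block)) != 1:              # A rejects mixed S-blocks
            continue
        accepted += 1
        legit_err += a_block[0] != gamma
        eve_err += (2 * sum(e_block) > s) != gamma   # E: majority rule
    return accepted / n_bits, legit_err / accepted, eve_err / accepted

if __name__ == "__main__":
    # Constructed raw BERs; the chapter's own values come from its tables.
    print(simulate(p_l=0.2, p_e=0.25, s=3, n_bits=20000))
    print(pimc_legit_ber(0.2, 3), majority_ber(0.25, 3))
```

With independent errors the measured values track the formulas; the chapter's point is that real eigenvalue-derived bits only partly satisfy this assumption, which is why its tables are obtained by simulation of the full protocol.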

Although formulas (33) and (34) for the BER of both the legitimate users and the eavesdropper have already been proved, they have to be refined by simulation because our assumption regarding the statistical independence of errors is only partly valid. **Tables 7**–**9** present the simulation results for the BERs $\tilde{P}_l$ and $\tilde{P}_e$ for given parameters $\sigma^2$, matrix sizes $n$ and parameter $S$. (They were chosen, of course, from a huge number of simulation results, the others having been removed simply as unsuitable.)

We can see from these tables that the choice of matrix size $n = 1$ (i.e. replacing matrices with integer numbers) is inadmissible because the probabilities $\tilde{P}_l$ and $\tilde{P}_e$ are close to one another for all parameters $S$ and $\sigma^2$. The choice of matrix size $n = 4$ also cannot be recommended because it is inferior to the case $n = 64$. In the latter case we see the largest difference between the BERs $\tilde{P}_l$ and $\tilde{P}_e$ for some parameters $S$ and $\sigma^2$. Unfortunately, the BERs $\tilde{P}_l$ and $\tilde{P}_e$ cannot be taken as final results.

In fact, the probability $\tilde{P}_l$ has to be decreased in order to provide acceptable reliability of the shared key with a key length of at least 256 bits. The probability $\tilde{P}_e$ is quite unacceptable because it results in a large leakage of key information to the eavesdropper E.

#### **Table 7.**

*The results of simulation for BER $\tilde{P}_l$ and $\tilde{P}_e$ for matrix size $n = 1$ (integers instead of matrices), given different noise variances $\sigma^2$ and the number of repetitions $S$.*

Therefore, it is necessary first of all to correct errors in the legitimate channel, say, using error-correcting codes, and next to amplify the security of the shared bit string against eavesdropping. Let us apply the so-called enhanced privacy amplification procedure described in [16]. We recall that the *privacy amplification* procedure can be performed in two stages: first, hashing with a hash function taken randomly from a universal$_2$ class, and second, a special "puncturing" of the hashed string [16]. Then the upper bound for Shannon's information $I$ leaking to the eavesdropper is given by the following [16]:

$$I \le \frac{2^{-(k-t_c-l_0-r)}}{\alpha\ln 2},\tag{37}$$

where $k$ is the length of the string generated by A and B after completion of the PIMC protocol, $t_c$ is the Renyi (or collision) information obtained by E via the eavesdropper's BSC channel with BER $\tilde{P}_e$, $r$ is the number of check bits sent by one of the legitimate users to the other in order to finally reconcile their key strings, $l_0$ is the length of the final key string, and $\alpha$ is a coefficient that approaches 0.42 for any fixed $r$ as $k$ and $k - r$ increase. It has been proved in [17] that, in order to satisfy Shannon's theorem on reliable communication over a noisy channel and to provide an exponential decrease of the information leaking to eavesdropper E, the minimum sum $k_0 + r_0$ is provided with:

$$r_0 = H_L \frac{\lambda + l_0}{C H_C - H_L}, \ \ k_0 = C \frac{\lambda + l_0}{C H_C - H_L}, \tag{38}$$

where

$$H_L = 1 - C = -\tilde{P}_l \log_2 \tilde{P}_l - \left(1 - \tilde{P}_l\right) \log_2 \left(1 - \tilde{P}_l\right),$$

$$H_C = -\log_2 \left(\tilde{P}_e^2 + \left(1 - \tilde{P}_e\right)^2\right),$$

$$C = 1 + \tilde{P}_l \log_2 \tilde{P}_l + \left(1 - \tilde{P}_l\right) \log_2 \left(1 - \tilde{P}_l\right),$$

$$\lambda = k - t_c - l_0 - r,$$

$$t_c = k - kH_C.$$

*Advance in Keyless Cryptography DOI: http://dx.doi.org/10.5772/intechopen.104429*


#### **Table 8.**

*The results of simulation for BER $\tilde{P}_l$ and $\tilde{P}_e$ for matrix size $n = 4$, given different noise variances $\sigma^2$ and the number of repetitions $S$.*


#### **Table 9.**

*The results of simulation for BER $\tilde{P}_l$ and $\tilde{P}_e$ for matrix size $n = 64$, given different noise variances $\sigma^2$ and the number of repetitions $S$.*

Let us adopt the following parameters from **Table 9**: $n = 64$, $S = 5$, $\sigma^2 = 0.4$, $\tilde{P}_l = 0.00022$, $\tilde{P}_e = 0.0699$. After a simulation of the LDPC decoding procedure in line with [18], we select an LDPC code with parameters $k = 24039$, $r = 961$, which provides, for the final key length $l_0 = 3659$, the block error probability after decoding $P_{ed} \approx 2.5 \times 10^{-3}$ and information leakage $I_0 \approx 9 \times 10^{-4}$ bits. If we select an LDPC code with parameters $k = 50001$, $r = 1999$, we get, for the final key length $l_0 = 7624$, the error probability after error correction $P_{ed} = 8 \times 10^{-4}$ and information leakage $I = 1.4 \times 10^{-3}$ bits. The paper [17] proves a formula for the number of traffic bytes needed to perform the KSP described above:

$$\text{Traffic} = Tr = 2.66 \cdot 10^{-6} \frac{\text{S} \text{l} \text{s}}{\left( (1 - P_l)^{S} + P_l^{S} \right)^2} \text{MB} \tag{39}$$

**Figure 6.** *View of random number generator Crypton USB-DRN.*

Substituting the corresponding parameters chosen for the KSP, we get $Tr \approx 32$ MB, which is acceptable for practical implementation.

As can be seen from the description of the proposed KSP, random number generators are needed for its implementation. Moreover, it is impossible to use a standard software generator (like MT19937) because it can be vulnerable to a sequence prediction attack. Thus it is necessary to use a *hardware random number generator*. We propose to use a generator such as the Crypton USB-DRN, manufactured by the company "Ankad" [19]. A photo of this device is shown in **Figure 6**. We tested this device with the standard NIST tests and concluded that it passes all of them except the last two in the list of 15 NIST tests. Experiment showed that at most about 20 minutes are required to generate a key string according to this KSP.

Our KSP requires (as does any such protocol) an authentication procedure; otherwise the adversary could impersonate legitimate users and eventually share a common key with them. Different authentication methods can be used: a short key, the Needham-Schroeder protocol [20], or a pairing procedure during a face-to-face meeting of the devices [21].

## **6. Conclusion**

In the current chapter we have presented four different systems related to keyless cryptography. The first two are systems that do not require any key distribution in advance. The first is based on a protocol with feedback that uses public key cryptosystems but does not require any key distribution in advance, even of public keys. It relies on commutative cryptography but, unfortunately, it is a poor choice. It would be very interesting to find at least one strong symmetric block cipher or post-quantum public key cryptosystem that is commutative (or perhaps to prove that no such cryptosystem exists at all). The second example in our "gallery" of keyless cryptography was the Dean-Goldsmith one. It is based on physical layer properties and is of unquestionable theoretical interest. Unfortunately, it is impractical because it requires unrealistic conditions of eavesdroppers. The third example relates to key sharing without sharing any short subkeys in advance. Unfortunately, the authors' claim that such a system is secure turns out to be wrong. But their scheme can be significantly modified (see version four) to be in fact secure. In our opinion, the fourth key sharing protocol is the first attempt to distribute keys secretly over such a popular channel as the internet (or over any other public and noiseless channel). It provides an easy way for confidential communication between ordinary internet users. In the future it will be interesting to investigate the exchange of integers (rather than matrices), which would certainly decrease channel traffic. Elaboration of a reliable authentication system is also of interest for both theory and practice.
