Advance in Keyless Cryptography

1. Introduction

The term keyless cryptography dates back many years ago. See for example the paper [1]. One author of this chapter used also before this term many times, for example in the papers [2, 3, 4]. This term is commonly used in two senses: either in the scenarios where information transmission security is provided by special channel properties without execution of key sharing protocol in advance, or in the second scenarios where specific channel properties are used on the stage of secret key sharing between users, whereas later are executed ordinary key-based cryptography. An approach to a providing of security at the cost of channel properties was termed as physical layer security [5]. As a rule, it means that communication channel plays the role of some randomizer due to their specific stochastic properties. However, sometimes such randomization is provided by the use of artificial noises by the communicating users.

A natural question arises—why it is not sufficiently to execute algorithms of the so-called public key cryptosystems (PKC), invented by W. Diffie and M. Hellman and developed later by many cryptographers: A. Shamir, Rabin, El Gamal, McEliece, J. Massey, and others (see [6, 7])? The point is that PKC have some drawbacks that limit their practical use. The main of these are:

1. PKC are based on some cryptographic assumptions (integer factoring, discrete log computation, error correction by random liner codes [6]). Unfortunately, the most of such hard computational problems can be solved in polynomial time by quantum computers (QC) [8]. Although a practical implementation of such QC’s is still highly conjectural [9], it would be a hazardous to ignore such attacks in the future.

2. The use of PKC is needed in an assistance of certificated center that would be guaranty an authenticity of public keys in order to prevent impersonation attack where an attacker camouflages itself by authorized user and could share with legitimate user falsified keys.

3. The third shortcoming is in a complexity of encryption/decryption algorithms because it requires performing operations with large integer values. It is especially important for mobile hardware devices.

One more way out to provide secure key sharing is an implementation of quantum cryptography [10]. But unfortunately such approach requires the use of very specific quantum devices.

The objections mentioned above give the reason to turn to keyless cryptography which is what we do in this chapter. In Section 2 we investigate Shamir’s protocol for secure communication over public channels but without any key sharing in advance. This protocol corresponds to the first scenario. Section 3 presents Dean and Goldsmith cryptosystem that performs channel transmission like a randomizer in the first scenario. We turn out under which restrictions on the channel such protocol is in fact secure. In Section 4 the second scenario (with key sharing) is considered and it is shown that on the contrary to author’s claims [11], such key sharing protocol (KSP) is in fact insecure. Section 5 corresponds also to the second scenarios. We present a new KSP and prove that such protocol for appropriated chosen parameters provides reliable shared keys which are secure in terms of Shannon information without any cryptographic assumptions. Section 6 summarized all previous results and presents our opinion regarding to possible future investigations.

2. Investigation of Shamir’s protocol based on commutative cryptography

Shamir’s protocol was described in the book [6]. This protocol can be executed for any cryptosystem (both symmetric and asymmetric) if they satisfy the following condition:

where fKAKBM is encryption algorithm using the keys KA and KB, respectively and M is any message. If relation (1) is true for some encryption algorithm fKAKBM then can be performed protocol presented in Figure 1.

If the relation (1) is valid, then we get:

On the next step user B decrypts fKBM by the algorithm fKB−1· and gets the message M. But the following question arises—for which cryptosystems the relation (1) is valid? Let us call such encryption algorithms, for which (1) is true, commutative encryption (CE). It is easy to verify that for such cryptographic standard as AES, 3DES, GOST [7] the relation (1) is not fulfilled for all messages. Let us consider public key cryptosystems and, first of all, Rivest-Shamir-Adleman system (RSA). It is well known that such cryptosystem is determined by the following parameters: p,q—different primes, n=pqmodulo, φ=p−1q−1, e—encryption key, 1≤e≤φ, d—decryption key, d=e−1modφ, gcdeφ=1, 1≤M≤n−1—integers. Encryption algorithm for RSA is E=Memodn; decryption algorithm is M=Edmodn. Then for RSA condition (1) takes the form:

Since exponentiation by modulo n is a commutative operation, the relation (3) becomes trivially true. In fact

On the one hand RSA system is self-sufficient one but on the other hand there may be situations where its public key eB is unknown for the user A or should be secure. Then protocol shown in Figure 1 could have a reason.

Example. Let p=3, q=5, M=2, eA=3, eB=5. Then it is easy to verify that both parts of (3) are equal to 8.

Let us consider as next public key cryptosystem, Rabin’s one, that is determined by the following parameters [7]: p,q are distinct primes (secret key), nAB=pqmodulo is public key. 0≤M≤n−1, E=M2modn. Then relation (1) takes the form:

It is easy to make sure that (4) is not satisfied, generally speaking. In fact, let us consider an example: pA=3, qA=5, nA=15, pB=11, qB=7, nB=77, M=5. Then it is easy to check that the left side of (4) is equal to 23, while the right side is equal to 10.

In order to find out the reason of that fact, let us present both sides of (4) as the following values, respectively:

where l is some integer.

where m is some integer too. We can see that in general case nA≠nB the right sides of (5) and (6) are different values. It was mentioned in Section 1 that some PKC is vulnerable against QC’s. Such of them that are resistant against QC’s attacks were called post quantum cryptosystems. The most known among them is McEliece PKC [7]. The matrices that determine it are: k×n matrix G∼AB=SABGABPAB—public key where SAB is nonsingular random k×k matrix, PAB is permutation random n×n matrix, GAB is random Goppa code generating matrix. Matrices SAB, GAB, PAB are believed as secret key jointly with a binary random vector ZAB of the known length n, and with given weight tAB. Encryption procedure is performed as follows:

where “⊕” is bitwise modulo two addition. It follows from (7) that commutative property (1) for McEliece CS was looking as:

It is easy to see that the values in the right sides of (8) and (9) are, generally speaking, unequal one to another owing at least different vectors ZA and ZB. Hence McEliece CS does not correspond to CE algorithm. At a single glance stream cipher is looking as CE algorithm. In fact, the encryption procedure for this cipher is:

where EMK is a cipher text given secret key K, γK is an encrypting binary sequence (gamma) given the key K, “⊕” is bitwise modulo 2 addition, M is the binary message to be encrypted. It follows from (10) that the condition (1) takes the following form for γ-based stream ciphers:

that is valid trivially. The use of stream ciphers as CE in protocol shown in Figure 1 was looking as it is presented in Figure 2.

However we can see from Figure 2 that eavesdropper receiving CB and CA′ be able to bitwise add them by modulo 2 that gives the following binary sequence: M⊕γKB⊕γKB⊕M⊕γKA=γKA. Next, attacker add bitwise modulo 2 the last sequence γKA with the sequence CA intercepted during the first transmission session that gives M⊕γKA⊕γKA=M that is exactly the desired open sequence M. (It is worth to note that similar conclusion was mentioned in [6].)

3. Protocol of keyless Dean and Goldsmith system elaborated for secure message transmission through fading channels with executing MIMO technology

Cryptosystem proposed by Dean and Goldsmith in [12] belongs also to the class of keyless cryptography because it may provide a security of message transmission without a secret key sharing in advance. The main difference in the knowledge of legitimate users and eavesdroppers is only their different locations in space. But such cryptosystems can be used not in all possible scenarios but only in those ones where messages are transmitted over fading channels and with the use of a massive multiple-input, multiple-output (MIMO) technology.

For brevity, we denote such cryptosystem by abbreviation DGC. First, we consider the model with the main steps of its implementation for the particular case where the number of legal user receiving antennas nr and eavesdropper antennas nr′ are equal to each other. (Later we consider more general case nr≠nr′).

Legitimate channel between Alice (A) and Bob (B) is described by equation:

where z∈Rn is vector received by B, y∈Rn is vector transmitted by A, e∈Rn is additive noise vector at the receiver B, A∈Rn×n is legitimate channel matrix. It is assumed that e are i.i.d. Gaussian vectors: N0σe2. A=aij,i=1…nj=1…n are also matrices with i.i.d. Gaussian matrix elements: N0σ2. For Eavesdropper channel from A to E (Eve) holds the equation:

where z′∈Rn is vector received by E, e′∈Rn is additive noise vector at the receiver E, B∈Rn×n eavesdropper channel matrix. It is assumed that e′ are also i.i.d. vectors based on Gaussian distribution N0σ∼e2, B=bij, i=1,…,n,j=1,…,n with bij which are i.i.d. Gaussian values N0σw2. All entries of matrices A and B are assumed to be mutually independent. Next three conditions are very important for further discussion:

• channel matrices A and B are constant for some time until user A applies encoder,

• matrix A is known exactly by legitimate users,

• matrices A and B are known exactly by eavesdropper E.

It is worth to note that the model described above is more or less valid in practice for fading channels based on MIMO technology if space distance between legitimate users and eavesdropper is at least several wavelengths of communication. Encoding procedure in line with [12] is the following:

where V∈Rn×n is orthogonal matrix taken from singular value decomposition (SVD) of matrix A=USVT, x∈Rn with binary entries xi, i=1,…,n. Predecoding procedure in line with [12] is the following:

where U∈Rn×n is orthogonal matrix taken from SVD of matrix A, e′=UTe. Since S is diagonal matrix, we get from (15) the following optimal decoding rule:

where si is i-th element of diagonal matrix S, xi are binary entries of vector x. We can see from (16) that decoding procedure has linear complexity on the number of antennas n. Eavesdropper E following to strategy of legitimate users performs the optimal decoding procedure:

where

where U′, V′, S′ are SVD of matrix B. Substituting (18) into (17), we get:

where C=S′V′TV, e∼=U′Te′. Since matrix C is not a diagonal one in this case, their optimal decoding be the following:

where· is Euclidian norm in Rn. Solution of problem (20) is known as hard CVP problem and it was proved in [12] that it has exponential complexity with respect to the number of antennas n if the following condition holds:

But let us consider suboptimal decoding method after some transform, assuming that matrix C is non-singular:

Thus suboptimal decoding method can be implemented as follows:

where z∼i is the i-th entry of vector C−1z′′.

We can see from (21) that complexity of suboptimal decoding procedure is linear on the number n of antennas. The efficiency of DGC can be estimated by comparing the bit error rate (BER) for optimal decoding (16) and suboptimal decoding (21). In fact if for some chosen DGC parameters the first BER is satisfactory while the second one is close to ½, then DGC can be termed as secure. In Table 1 are presented the results of simulation for BER’s by (16) and (21) denoted as p and p′, respectively.

We can see from Table 1 that for all five set of system parameters, DGC is looking as acceptable one because the case p′≥0.3 does not allow to recover a meaningful text. In fact, let us consider 32-ary symmetric noisy channel (in line with 32-ary alphabet of Russian language). Then it is easy to see that Shannon capacity of such channel, if every letter is encoded by five bits with BER equal to p′, is:

In Table 2 are presented the values of channel capacity calculated by (22) for different values p′.

It is well known that entropy H of Russian language lies within interval 1.5÷2.5 bit/letter. This means that according to Shannon’s theorem, if H>C, then a reading of meaningful text be impossible. In our case we get that if p′>0.19 such text decoding cannot be done, that is exactly the thing for every set of parameters in Table 1. Moreover, we simulated transmission of Russian meaningful text over the channel with BER equal to 0.19 and have got that only very short words could be readable. Thus we may conclude so far, that DGC is secure against eavesdropping at least for the condition nr′=nr and the more nr′<nr. But the following question arises—if such conclusion is true for the case nr′>nr? In Table 3 are presented the results of simulation BER’s p′ for eavesdropper by suboptimal decoding rule (21) in the case of typical parameters σ2=σw2=4, σe2=σ∼e2=7, nr=100 and different nr′, where inverse matrix C−1 for rectangular nr×nr′ matrix C was calculated as Moore-Penrose pseudo-inverse matrix to C14.

We can see from Table 3 that even small increasing of nr′ (on 9 antennas) compared to nr, results in a drastic degradation of DGC because the symbol error probability p′ becomes for eavesdropper very close to the probability p for legitimate users. In order to find out that such “paradox” that contradicts to our intuition appears not due to “ill-posed” inverse matrices [13], let us consider a theoretical proof of the bounds for the symbol correct probabilities both for legitimate users and eavesdropper. It is easy to see that decision rule (16) for legitimate users when xi∈01 is equivalent to the following relation:

Thus for the symbol correct probability we get the following lower bound:

where ei is the i-th entry of additive noise vector e in (12). Because we assumed before that ei∼N0σe2 we get from (23):

where Φa=12π∫0aexp−t22dt. The decision rule (21) for eavesdropper will be equivalent to the following one:

From relation (25) we get the lower bound for correct symbol probability:

where ei′′ is the i-th entry of additive noise vector e′′=C−1e∼. In order to find Varei′′ let us accomplish some matrix transforms:

Taking into account that U′ is orthogonal matrix and S′ is diagonal one, we get from (27):

where Vik are elements of matrix VTV′ and Sk′ elements of matrix S′. Substituting (28) into (27) we obtain

In order to compute theoretically the average value of symbol correct probabilities, it would be necessary to average relations (24) and (29) on the probability distribution of singular values Sk, and also on elements of channel matrices VTV′. Solution to this problem requires a very crude approximations. Therefore we used simulations by (24) and (29). In Table 4 are presented such results for both legitimate users (q) and for eavesdropper (q′) with channel parameters: σ2=σw2=7, σe2=σ∼e2=4, nt=nr=100 against different numbers nr′ for eavesdropper antennas.

We can see from this Table that an increasing of the eavesdropper’s antennas even till nr′=105 results in equality of values q and q′ that is in line with our previous claiming. Thus we can conclude that a compromising of DGC after a small increment of the eavesdropper antenna numbers against legitimate user antenna numbers is the proved fact but not a consequence of an ill-conditioned matrix property. On the other hand, legitimate users executing DGC do not take for granted that the condition nr′≤nr holds. In the paper [14] it was proposed to change matrix V in “precoding” procedure to another matrix. In particular, authors of the current paper have proved that a choice of matrix A−1 as precoding one has some advantages, namely a growth of some parameter “advantage” (introduced in [14]) for legitimate users proportional to n2 if n=nt=nr=nr′. Such approach means that a precoding procedure is simply “canceling of channel fading”.

However in the case of such precoding we face with a growing of the transmitter power. In Table 5 are presented the results of the average transmitter power calculated for the case of precoding with matrix A−1, and obtained by simulation for n=nt=nr=nr′=100 on different sessions with 10,000 realizations for each session.

We can see from Table 5 that the use of inverse precoding results in a drastic growing of the required transmission power and to a large fluctuations on each of sessions that makes such approach impracticable (we note that such power was equal to be n2=104 only for ordinary encoding by matrix V). It seems to be acceptable to use for a precoding V=A−1 only in the case with the required transmitter power P0≤Ptr where Ptr is some reasonable threshold and ordinary matrix V otherwise. But such approach requires further investigations.

There is one more problem with practical implementation of DGC. It is a correct estimation of the channel matrix A by legitimate users. Of course, they may do it by a sending of special test signal from user A to user B and back from B to A during a coherent time of legitimate channel, when matrix A holds practically constant. But any way it will result in some matrix A corruption. In Table 6 are given our simulation results for symbol error probabilities that obtain legitimate users if they estimate elements of the channel matrix A with Gaussian noise error having variance σε2. We can see from Table 6 that a correctness of matrix element estimation affects very strong on the symbol error probabilities. It is possible to neglect such incorrectness only if signal-to-noise ratio for legitimate users is about 30-40 dB that is sufficiently high requirement.

Concluding the Section 3 we may say that theoretically would be interesting to develop further DGC in the direction of improving precoding algorithm. But according to our opinion, practical implementation of such approach is very sensitive to channel and system parameters (SNR for eavesdropper and their antenna numbers). It is worth to note also that it is not so dangerous to face with unfavorable parameters for DGC implementation as the fact that these parameters cannot be controlled by legitimate users and hence they are unable to match with parameters of DGC. In the Section 5 we consider protocol that is completely invariant to channel parameters.

4. EVSkey scheme proposed by Qin and Ding

In this Section we consider the second scenarios of keyless cryptography the purpose of which is to share secret keys between legitimate users communicating with each other over channels and next to execute the shared key for ordinary key-based cryptography. In the current section we consider key sharing protocol proposed by G. Qin and Z. Ding in the paper [11], called EVSkey Scheme and declared secure by their authors. This KSP is presented in Figure 3. Before a performance of KSP A and B generate their own random unitary matrices XA,XB∈ℂn×n as well as random Ginibre matrices GA,GB∈ℂn×n, where n is the number of antennas employed by each of the users, and length of pilot signals too. Matrices HAB,HBA are n×n channel matrices with independent Gaussian matrix elements distributed according to hAB,hBA∼CN01. NA1,NB1 are additive white Gaussian noise (AWGN) matrices nA1ij,nB1ij∈CN0σ2 of proper noises for legitimate users A and B, respectively.

Let us introduce the following matrices: P=HBAGB,Q=HABGA. Then PQ and QP can be estimated by users via least square method as

It is well known [13] that square matrices of the same size PQ and QP have the same characteristic polynomials (CP):

Thus from (30) we conclude that the legitimate users A and B are able to extract the same CP after a completion of four-steps KSP through noiseless channels although matrices PQ and QP can be different.

It was claimed in [11] that EVSkey Scheme is secure against interception of key bits by eavesdropper E. Let us show that, in fact, such KSP is insecure because eavesdropper E is able to intercept the key bits if she intercepts simultaneously the following signals:

where HAE,HBE denote E’s channel matrices and under the condition that all E’s noises are equal to zero.

Statement 1. For random matrices described above, say Y, the inverse matrix Y−1 and, in the general case of rectangular matrices, the Moore-Penrose pseudoinverse YP−1 matrix [13] does exist with probability one.

Proof. Indeed let H be n×n complex random matrix with i.i.d. elements which are CN01. Then its joint element density is [15]:

where Tr· is matrix trace. Degenerate matrices (detH=0) form 2n2−2 dimension manifold. fH, being non-singular, entails zero probability for H to hit any manifold of lower than 2n2 dimension. Thus, probability of detH≠0 equals one. Such matrices stay invertible being multiplied by unitary matrices G,X. □

Statement 2. Let EVY denote the set of matrix Y eigenvalues. Then

where

Proof. Substituting (31) into (32), we get:

The last relation means that matrix Y is similar to matrix QP and thus EVY=EVQP for any matrices HAE,HBE.□

The statement 2 has been proved for the case of noiseless E’s channels. But our simulation shows that even for noisy channels, if Eva be following to algorithm (32), she extracts the key bits with BER very close to those that have legitimate users. This fact proves finally that EVSkey Scheme is in fact insecure and hence cannot be recommended for practical application. However the general idea to use KSP with matrix exchange over the channels and extraction of key bits after a quantization of eigenvalues is possible if protocol be elaborated in the desired directions. Such KSP is presented in the next Section.

5. Novel key sharing protocol for public constant noiseless channels and without any cryptographic assumptions

Let us introduce novel KSP designed for its use in constant, public and noiseless communication channels. This protocol has the following distinctions in comparison with other KSP’s:

• it executes over public, constant parameter, noiseless channels (like internet),

• no cryptographic assumptions are needed in order to provide its security and quantum computers cannot break it,

• this KSP provides tradeoff between key reliability and security for given size of key strings,

• security of protocol is estimated in terms of Shannon information leaking to eavesdropper,

• a good key bits statistics can be provided due to their generation by hardware devices,

• the size of traffic for execution of protocol is acceptable for ordinary users,

• the number of protocol steps is minimized and equal to 2.

In Figure 4 it is presented KSP protocol for execution in public constant noiseless channels that we call KSP-PCN. Here G and P are n×n random matrices generating A and B in advance as well as n×n matrices of artificial noises NA1,NB1. We believe that all matrix elements are independent of each and Gaussian distributed.

At first step, these matrices are transmitted over constant public noiseless channel to opposite party. Next, each of users A and B calculates K∼A and K∼B that are noisy version of matrices GP, PG, respectively, and extract eigenvalues from these matrices. After a quantization procedure of eigenvalues A and B obtain “raw bits” of the shared key K∼∼A and K∼∼B, respectively. Eavesdropper E intercepts signals G+NA, G+NB. It extracts eigenvalues from the matrix product G+NAG+NB and subsequently quantizes them to get eavesdropper’s “raw key” KE. Simulation of KSP shows that the of key bit error probabilities for legitimate users Pl occur very close to that ones Pe of eavesdropper. Hence we need such additional protocol that be able to “diverse” these probabilities. Such protocol that was called Preference Improvement of the Main Channel (PIMC) works as follows: user A (or B) repeats S times each “raw bit”, while opposite user accepts such S-blocks if, and only if, they consist of the same S bits (zeros or ones),otherwise opposite user inform initiator of protocol about inadequate receiving blocks. Supposing that bit errors are independent, one from another, PIMC protocol provides the following BER between A and B:

At the same time eavesdropper E also intercepts S-blocks with BER Pe and controls public channel over that was transmitting information regarding acceptance or rejection of S-blocks between legitimate users. E takes decisions about each S-block using majority rule. If E’s channel is believed statistically independent on the legitimate channel, then the BER after such decision will be (for odd number S):

In order to provide a repetition of bit’s blocks and to improve key bit statistics, it was proposed to use the scheme of key bit generation shown in Figure 5.

We can see from Figure 5 that user B generates truly random binary stringγ that is XOR-ed with B’s raw bit string K∼∼B and the sum is transmitted over public noiseless channel to user A who adds this string with raw bits string K∼∼A in order to get:

where εAB is noise string between raw strings K∼∼A and K∼∼B, “⊕” is operation of bitwise modulo two addition. In such version only one user has to repeat S times each bit of γ in order to perform PIMC protocol. From now on a string γ will be considered as a final key bit string between A and B. At the same time E receives K∼∼B⊕γ over public noiseless channel and possessing her string K∼∼E be able to add her intercepted bit string KE as follows:

where εBE is noise string between raw string K∼∼E and K∼∼B. In order to optimize KSP with point of reliability, security and key string size, it is necessary to select the following parameters:

• sizes of matrices n,

• number of bit repetitions S,

• variances of additive artificial noises σ2.

It is worth to note that in the proposed KSP (see Figure 4), unlike the earlier presented protocols (see [5]), all parameters are under the control of legitimate users. This means that we can take for granted reliability and security of the shared key string as well as its size regardless of properties of eavesdropper’s channel.

Although the formulas (33) and (34) of BER for both legitimate users and eavesdropper have been already proved they have to be specified by simulation because our assumption regarding statistical independence of errors is valid only partly. In Tables 7–9 are presented the results of simulation for BER’s P∼l and P∼e for given parameters σ2, the matrix sizes n and parameter S. (They were chosen, of course, from a huge simulation results which have been removed simply as unsuitable.)

We can see from these Tables that a choice of matrix size n=1 (i.e. replacing matrices with integer numbers) is inadmissible because the probabilities P∼l and P∼e occur close to one another for all parameters S and σ2. The choice of matrix size n=4 also cannot be recommended because it is inferior to the case with n=64. In the last case we can see the most large difference of the BER’s P∼l and P∼e for some parameters S and σ2. But unfortunately the BER P∼l and P∼e cannot be chosen as final results.

In fact, the probability P∼l has to be decreased in order to provide an acceptable reliability of the shared key with the key length at least 256 bits. The probability P∼e is quite unacceptable because it results in a large leakage of the key information to the eavesdropper E.

Therefore, it is necessary first of all to correct errors in legitimate channel, suppose, using error correcting codes and next to amplify security of the shared bit string against eavesdropping. Let us apply so called enhance of privacy amplification procedure described in [16]. We recall that privacy amplification procedure can be performed in two stages: firstly with the use of hashing by hash function taken randomly from universal₂ class, and secondly, by special “puncturing” of the hashed string [16]. Then the upper bound for Shannon’s information I leaking to eavesdropper be given by the following [16]:

where k is the string, generated by A and B after a completion of PIMC protocol, tc is the Renyi (or collision) information obtained by E via eavesdropper BSC channel with BER P∼e, r is the number of check bits sent by one of legitimate users to another one in order to reconcile their key strings finally, l0 is the length of the final key string, α is a coefficient that approaches to 0.42 for any fixed r as k and k−r are increasing. It has been proved in [17] that in order to satisfy Shannon’s theorem about reliable communication over noisy channel and provide an exponential decreasing of information leaking to eavesdropper E, minimum sum k0+r0 is provided with:

where

Let us adopt the following parameters from Table 9: n=64,S=5,σ2=0.4,P∼l=0.00022,P∼e=0.0699. After a simulation of LDPC decoding procedure in line with [18] we select LDPC code with parameters k=24039,r=961, that provides for the final key length l0=3659 the block error probability after decoding Ped≈2.5·10−3 and information leakage I0≈9·10−4 bits. If we select LDPC code with parameters k=50001,r=1999, we get for final key length l0=7624 the error probability after error correction Ped=8·10−4 and information leakage I=1.4·10−3 bits. In the paper [17] has been proved the formula for amount of the traffic bytes that is needed in order to perform KSP described above:

Substituting the corresponding parameters chosen for KSP, we get that Tr≈32 MB that is acceptable for practical implementation.

As it can be seen from a description of proposed KSP, the generators of random numbers are needed for its implementation. Moreover it is impossible to use standard program-oriented generator (like MT19937) because it can be vulnerable to sequence prediction attack. Thus it is necessary to use hardware generator of random numbers. We propose to take such generator as Crypton USB-DRN that is manufactured by company “Ankad” [19]. Photo of this device is shown in Figure 6. We tested this device on standard NIST tests and concluded that it passes all of them except two last ones from the list of 15-ary NIST tests. Experiment showed that it is required at most about 20 minutes in order to generate key string according to this KSP.

For our KSP is required (as for any such protocol) to perform authentication procedure—otherwise the adversary could impersonate legitimate users and eventually share with them a common key. It is possible to use different authentication methods: short key, the Needham-Schroder protocol [20] or pairing procedure during the face to face device meeting [21].

6. Conclusion

In the current chapter we have presented four different systems related with keyless cryptography. The first two of them consider such systems that do not require any key distribution in advance. The first one is based on protocol with feedback that uses public key cryptosystems but it does not require any key distribution in advance, even public one. It executes commutative cryptography but, unfortunately, it is a poor choice. It would be very interesting to find at least one of symmetric strong block cipher or post-quantum public cryptosystems that belong to commutative ones (or may be to prove that such cryptosystem does not exist at all). The second example in our “gallery” of keyless cryptography was Dean-Goldsmith one. It is based on physical layer properties and has unquestionable theoretical interest. But unfortunately it is impractical because requires from eavesdroppers unrealistic conditions. The third example is related with key sharing without some short subkeys sharing in advance. Unfortunately authors’ claiming that such system is secure, occurs wrong. But their scheme can be significantly modified (see version four) to be in fact secure. According to our opinion, the fourth key sharing protocol is the first attempt to distribute keys by secret manner executing over such very popular channel as internet (or over any other public and noiseless channel). It provides easy way for a confidential communication between ordinary internet users. In the future it will be interesting to investigate exchange by integers (but not matrices) that results in, for sure, to a decreasing of channel traffic. Elaboration of reliable authentication system is also interesting both for theory and practice.