There is science actual problem solved in the dissertation, namely the problem of creation approaches and methods for proven kleptographic modification free cryptosystem. General classification of kleptographic systems has been suggested, firstly formal model over “challenge-response” protocols in kleptographic sense has been suggested, firstly sufficient conditions of impossibility of kleptographic modifications have been obtained, the new method of implementation hash function with kleptographic mechanism has been demonstrated. These science results allow to improve analysis process of both released and being developed cryptographic systems to increase level of resistance against malicious modification. The main practical result is a capability of development of new cryptographic protocols with proved resistance against cleptographic attacks and improving security level of cryptographic systems. The dissertation consists of introduction, four sections, conclusion and list of used sources. The introduction substantiates topic’s actuality, formulates goals and tasks of research, the scientific novelty and the practical significance of the results. In the first section is overview of current state of kleptographic research, known methods and use cases of kleptographic schemes. Firstly, it’s demonstrated one of the most famous usage – symmetric encryption algorithm DES, which is designed
with weakened structure to allow National Security Agency to perform practical cryptoanalysis using its huge computational resources and unknown cryptoanalysis method (namely, linear cryptoanalysis). Further, it’s described modern example – random number generator DualEC DRGB, which was standardized in 2006 and it’s a cryptographicaly secure RNG only if the development follows standard. However, if
algorithm’s parameters have relation, that is known by somebody, relation’s owner is able to forecast output in practice. Next examples are russian hash function GOST Ð34-11-2012 and block ciphers GOST Ð34-12-2015 that are suspected to be designed with kleptographic trapdoor. Finally, it’s demonstrated kleptographic trapdoors based on asymmetric primitives: elliptic curves, RSA and Discrete Logarithm Problem. The second section devoted to the theory of kleptographic trapdoors. It started from classification of kleptographic mechanisms. Further, it’s introduced formal model of practical distinguisher to precise security metrics. After, formal model of “challengeresponse” protocol type is introduced with kleptographic extension of this model. The main scientific result of this section are sufficient conditions of SETUP free protocol.
It allows to develop protocols without kleptographic trapdoors. The last result of the section is new kleptographic metric called “kleptographic potential”. This metric may be used for evaluation of risks of kleptographic trapdoor existence in cryptographic primitive and it may be used in crypto primitive’s design stage and for filtering of suspicious candidates on crypto competitions. The 3-rd section demonstrates sufficient conditions applying: two basic SETUP free protocols are designed – enhanced nonce generation protocol and enhanced 1-round Diffie-Hellman key agreement protocol. The main idea is usage of non randomized digital signature that is used to generate public random values that can’t be disclosed before publication but can be verified for non randomness. Theorems about absence of SETUP are formulated and proved. Also, there are two methods for hash function trapdoor development. One of them uses special transformation based on Discrete Logarithm Problem and allows Developer to recover part of message from known hash digest. Another method is Preneell’s method for generation trapdoored Feistel’s cipher which is applied to hash function basic cipher and gives Developer advantage in special use cases, here it’s blockchain Proof-of-Work consensus protocol. Thus, Developer, who knows secret in the hash function design, is able to guess message with special formatted hash digest (e.g., digest has some amount of “zero” most significant bits) with greater probability that for ideal hash function.