Academy of the Federal Security Service of the Russian Federation. Cryptography books for students and schoolchildren

Cryptoy - Cryptography for beginners

The British intelligence service GCHQ (if you don’t know, it’s an analogue of the American intelligence agency CIA) has developed the Cryptoy mobile application for Android to train teenagers, university students and all those who are interested in the topic of cryptography, intelligence and espionage.


If you are interested in cryptography, I advise you to read the book by Sergei Barychev.

Cryptoy – School of Scouts and Spies

With this application, the British Intelligence Service hopes to increase the level of cryptographic literacy among the younger generation, and in the future attract new, talented special agents to the staff.

The application has a simple and colorful interface. It teaches basic cryptography techniques such as the world's first Caesar cipher (shift cipher), substitution cipher, Vigenère cipher, and the famous Enigma military cipher. Users can use these ciphers to encrypt their messages - and send them to friends for decryption.


Cryptoy app

Privacy in the Cryptoy application

Now about privacy. When some kind of intelligence agency is involved in the development of an application, one can assume that the application will be stuffed with all kinds of backdoors and spy modules. But I want to reassure you, there is no spyware in the application. During the installation process, the application does not require access to contacts, camera and other important personal data. And in general, if they wanted to develop something for themselves with malware, they would not do it in their own name.

Leono April 23, 2017 at 03:17 pm

Introduction to cryptography and encryption, part one. Lecture in Yandex

  • Yandex company blog,
  • Algorithms,
  • Information security,
  • Cryptography

To immediately understand materials about public key infrastructure, network security, and HTTPS, you need to know the basics of cryptographic theory. One of the fastest ways to learn them is to watch or read a lecture by Vladimir Ivanov. Vladimir is a well-known specialist in networks and their protection systems. He worked at Yandex for a long time and was one of the heads of our operations department.


This is the first time we are publishing this lecture along with a transcript. Let's start with the first part. Under the cut you will find text and part of the slides.


I once gave lectures on cryptography at Moscow State University, and they took me six months. I will try to tell you everything in two and a half hours. I've never done this. So let's try it.

Who understands what DES is? AES? TLS? Binomial mapping?

We will try to speak in general terms, because a deep analysis is difficult: there is little time, and the required background is quite extensive. We will operate with general concepts, rather superficially.

We will talk about what cryptographic primitives are, simple things from which more complex things, protocols, can later be built.

We will talk about three primitives: symmetric encryption, message authentication, and asymmetric encryption. A lot of protocols grow from them.

Today we will try to talk a little about how keys are generated. In general, let's talk about how to send a secure message using the crypto primitives that we have from one user to another.

When people talk about crypto in general, there are several fundamental principles. One of them is Kerckhoffs's principle, which says that open source in cryptography is very important. More precisely, it provides general knowledge about the design of protocols. The meaning is very simple: the cryptographic algorithms used in a particular system should not be a secret on which its security depends. Ideally, it is necessary to build systems so that their cryptographic side is completely known to the attacker and the only secret is the cryptographic key that is used in this system.

Modern and commercially available encryption systems - all or most or the best of them - are built from components whose design and operating principles are well known. The only secret thing about them is the encryption key. There is only one significant exception that I know of - a set of secret cryptographic protocols for various government organizations. In the US it's called NSA suite B, but in Russia it's all sorts of weird secret encryption algorithms that are used to a certain extent by military and government agencies.

I wouldn't say that such algorithms bring them much benefit, except that it's kind of like atomic physics. You can try to understand the design of the protocol to understand the direction of thought of the people who developed it, and in some way overtake the other side. I don’t know how relevant this principle is by today’s standards, but people who know more about this than I do do just that.

In every commercial protocol you encounter, the situation is different. An open system is used everywhere there, everyone adheres to this principle.

The first cryptographic primitive is symmetric ciphers.


They are very simple. We have some kind of algorithm, the input of which is plaintext and something called a key, some kind of value. The output is an encrypted message. When we want to decrypt it, it is important that we take the same encryption key. And, applying it to another algorithm, the decryption algorithm, we get our plaintext back from the ciphertext.


What are the important nuances here? In most common symmetric encryption algorithms you encounter, the size of the ciphertext is always equal to the size of the plaintext. Modern encryption algorithms are characterized by their key size, which is measured in bits. The modern size is from 128 to 256 bits for symmetric encryption algorithms. We'll talk about the rest, including block size, later.


Historically, in the supposed 4th century BC, there were two methods of cipher design: substitution and permutation ciphers. Substitution ciphers are an algorithm where in those days they replaced one letter of a message with another according to some principle. A simple substitution cipher is based on a table: we take a table where it says that we change A to Z, B to S, etc. Then we encrypt using this table, and decrypt using it.

In terms of key size, how complex do you think this algorithm is? How many key options are there? Factorial order of the length of the alphabet. We take the table. How do we build it? Let's say there is a table of 26 characters. We can replace the letter A with any of them, the letter B with any of the remaining 25, C with any of the remaining 24... We get 26*25*24*... - that is, the factorial of 26. Factorial of the dimension of the alphabet.

If we take log₂(26!), this will be a lot. I think you will definitely get around 100 bits of key length, or even more. It turned out that from the point of view of a formal representation of strength, the specified encryption algorithm is quite good. 100 bits is acceptable. At the same time, everyone, probably in childhood or youth, when faced with encodings, saw that such algorithms were trivial to decipher. There are no problems with decryption.

For a long time there were all sorts of substitution algorithms in different constructions. One of them, even more primitive, is the Caesar cipher, where the table is formed not by a random permutation of symbols, but by a shift by three symbols: A changes to D, B to E, etc. It is clear that the Caesar cipher, along with all its variants, can be enumerated very easily: unlike table substitution, the Caesar key has only 25 options with 26 letters in the alphabet - not counting the trivial encryption into itself. And it can simply be broken by brute force. There is some complexity here.

Why is the table substitution cipher so simple? Where does the problem arise in which we can easily, even without knowing anything about cryptography, decrypt a table substitution? It's a matter of frequency analysis. There are the most common letters - some I or E. Their prevalence is great, vowels are much more common than consonants, and there are negative pairs that are never found in natural languages - something like bb. I even gave students the task of making an automatic substitution cipher decipherer, and, in principle, many succeeded.

What's the problem? It is necessary to distort the statistics of the distribution of letters so that common letters do not stand out so clearly in the encrypted text. An obvious way: let's encrypt the most frequently occurring letters not into one character, but into five different ones, for example. If a letter occurs on average five times more often, then let's take turns - first we will encrypt it into the first character, then the second, the third, etc. As a result, we will get a mapping of letters that is not 1 to 1, but, roughly, 26 to 50. The statistics will thus be distorted. Here is the first example of a polyalphabetic cipher that somehow worked. However, there are quite a few problems with it, and most importantly, it is very inconvenient to work with the table.

We take the word VASYA as the key. We take the message MASHA. Let's use the Caesar cipher, but counting from these letters. For example, V (В) is the third letter in the Russian alphabet. We must shift the corresponding letter in the plaintext by three letters. M shifts to P. A to A. SH (Ш) - by 16, let's jump over the letter A, we get, roughly, D. YA (Я) will shift A to YA. PADDYA.

What is convenient about the resulting cipher? There were two identical letters, but as a result they were encrypted into different ones. This is cool because it blurs the statistics. The method worked well until, somewhere in the 19th century (just recently against the backdrop of the history of cryptography), people figured out how to break it. If you look at a message of several dozen words, and the key is quite short, then the whole structure looks like several Caesar ciphers. We say: okay, let's consider every fourth letter - the first, fifth, ninth - as a Caesar cipher. And let's look for statistical patterns among them. We will definitely find them. Then we take the second, sixth, tenth and so on. We'll find them again. This will restore the key. The only problem is figuring out how long it is. It's not very difficult, but how long can it be? Well, 4, well, 10 characters. Going through 6 options from 4 to 10 is not very difficult. A simple attack - it was available without computers, just with a pen and a piece of paper.

How to make an unbreakable cipher from this thing? Take a key the size of the text. A character named Claude Shannon in the twentieth century, in 1946, wrote the classic first work on cryptography as a branch of mathematics, where he formulated a theorem. The length of the key is equal to the length of the message - he used XOR instead of addition modulo the length of the alphabet, but in this situation this is not very important. The key is generated randomly, it is a sequence of random bits, and the output will also be a random sequence of bits. Theorem: if we have such a key, then such a design is absolutely secure. The proof is not very complicated, but I won’t talk about it now.

The important thing is that it is possible to create an unbreakable cipher, but it has disadvantages. First, the key must be completely random. Secondly, it should never be reused. Third, the length of the key must be equal to the length of the message. Why can't you use the same key to encrypt different messages? Because by intercepting this key next time, it will be possible to decrypt all messages? No. Will the Caesar cipher be visible in the first characters? I don't really understand. It seems not.

Let's take two messages: MASHA, encrypted with the key VASYA, and another word, which also had the key VASYA - VERA. We get something like this: ZESHA. Let's add the two received messages in such a way that the two keys cancel each other out. As a result, we get only the difference between a meaningful ciphertext and a meaningful ciphertext. This is done more conveniently with XOR than with addition modulo the length of the alphabet, but there is practically no difference.

If we get the difference between two meaningful ciphertexts, then it usually becomes much easier, since natural language texts have high redundancy. Often we can guess what is happening by making various assumptions and hypotheses. And the main thing is that each correct hypothesis will reveal to us a piece of the key, and therefore pieces of two ciphertexts. Something like that. That's why it's bad.
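The key-reuse failure described above, as an added example that is not part of the lecture: two constructed messages are encrypted with the same random pad using XOR, the pad cancels out of the XOR of the two ciphertexts, and one guessed fragment exposes text of the other message and the pad bytes under it. The messages, the guessed word and all function names are assumptions made for the illustration.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample messages of equal length (not from the lecture).
P1 = b"MEET MASHA AT THE STATION AT NOON"
P2 = b"VERA WILL BRING THE DOCUMENTS NOW"

PAD = secrets.token_bytes(len(P1))   # random pad, as long as the message
C1 = xor(P1, PAD)                    # correct use of the pad
C2 = xor(P2, PAD)                    # the mistake: the same pad used a second time

ALLOWED = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ ")

def crib_drag(c1: bytes, c2: bytes, crib: bytes):
    """Try a guessed fragment at every offset of c1 XOR c2.

    Where the guess is correct for one message, XORing it in leaves
    readable text of the other message; such offsets are returned.
    """
    diff = xor(c1, c2)               # the pad cancels: this equals P1 XOR P2
    hits = []
    for off in range(len(diff) - len(crib) + 1):
        other = xor(diff[off:off + len(crib)], crib)
        if all(b in ALLOWED for b in other):
            hits.append((off, other))
    return hits

def pad_fragment(ciphertext: bytes, known_plaintext: bytes, off: int) -> bytes:
    """A confirmed plaintext fragment reveals the pad bytes underneath it."""
    return xor(ciphertext[off:off + len(known_plaintext)], known_plaintext)

if __name__ == "__main__":
    print("pad cancelled:", xor(C1, C2) == xor(P1, P2))
    for off, text in crib_drag(C1, C2, b" THE "):
        print(f"offset {off:2d}: other message may contain {text!r}")
```

The result does not depend on the pad's value, which is why perfect randomness does not help once the pad is used twice.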

In addition to substitution ciphers, there were also permutation ciphers. Everything is quite simple with them too. We take the VASYAI message, write it in a block of some length, for example in DIDOM, and read the result in the same way.

It is nothing special. How to break it is also clear - we will go through all possible permutations. There aren't very many of them here. We take the length of the block, select it and restore it.

For the next iteration, the following method was chosen: let's take everything the same, and write some key on top - SIMON. Let's rearrange the columns so that the letters are in alphabetical order. As a result, we get a new permutation by key. It is already much better than the old one, since the number of permutations is much greater and choosing it is not always easy.

Every modern cipher is based in one way or another on these two principles - substitution and permutation. Nowadays their use is much more complex, but the basic principles themselves remain the same.


If we talk about modern ciphers, they are divided into two categories: stream and block. A stream cipher is designed in such a way that it is actually a random number generator, the output of which we add modulo 2, that is, XOR, with our ciphertext, as you can see on my slide. Earlier I said: if the resulting key stream - also known as the key - is absolutely random, never reused, and its length is equal to the length of the message, then we have an absolutely strong cipher, unbreakable.

The question arises: how to generate a random, long and eternal key for such a cipher? How do stream ciphers actually work? They are essentially a random number generator based on some seed value. The initial value is the cipher key, the answer.

There is one interesting exception to this story - cipher pads. This is a real spy story about real espionage. Some people who need absolutely secure communication generate random numbers - for example, by literally throwing a die or literally drawing balls from a drum, as in lotto. They create two sheets on which these random numbers are printed. One sheet is given to the recipient, and the second is left with the sender. When they want to communicate, they use this stream of random numbers as a key stream. No, the story is not taken from the very distant past. I have a real radio intercept from October 15, 2014: 7 2 6, 7 2 6, 7 2 6. This is the call sign. 4 8 3, 4 8 3, 4 8 3. This is the codepad number. 5 0, 5 0, 5 0. This is the number of words. 8 4 4 7 9 8 4 4 7 9 2 0 5 1 4 2 0 5 1 4 etc. 50 such number groups. I don’t know where, somewhere not in Russia, some person sat with a pen and pencil at an ordinary radio and wrote down these numbers. Having written them down, he took out a similar thing, added them modulo 10 and received his message. In other words, it actually works, and such a message cannot be broken. If good random numbers were indeed generated and he subsequently burned the piece of paper with the key, then there is no way to break it at all.

But there are quite a few problems here. The first is how to generate really good random numbers. The world around us is deterministic, and if we are talking about computers, they are completely deterministic.

Secondly, delivering keys of this size... if we are talking about transmitting messages of 55 digit groups, then doing this is not very difficult, but transmitting several gigabytes of text is already a serious problem. Therefore, we need some algorithms that essentially generate pseudo-random numbers based on some small seed and that can be used as such stream algorithms.


Historically, the most common algorithm of this kind is called RC4. It was developed by Ron Rivest about 25 years ago and was actively used for a very long time; it was the most common algorithm for TLS in all its different variants, including HTTPS. But lately RC4 has started to show its age. There are a number of attacks against it. It is actively used in WEP. There was one good lecture by Anton, a story that shows: poor use of an encryption algorithm that is decent even by today’s standards leads to the entire system being compromised.

RC4 is not complicated. The slide describes its operation in full. There is an internal state of 256 bytes. At each step there are two numbers, two pointers to different bytes in the state. And at each step, an addition occurs between these numbers - they are placed at some position in the state. The byte taken from there is the next byte in the numerical sequence. By turning this crank in this way, performing the same action at each step, we obtain each next byte. We can receive the next byte of the numerical sequence forever, as a stream.

The great advantage of RC4 is that it is entirely byte-oriented, which means that its software implementation works quite quickly - much faster, several times, if not tens of times faster than the comparable DES cipher that existed at approximately the same time. That's why RC4 has become so widespread. It was a trade secret of RSA for a long time, but then, somewhere around the 90s, some people anonymously published the source code of its design on the cypherpunks mailing list. As a result, there was a lot of drama, there were cries, like, how come some indecent people stole RSA's intellectual property and published it. RSA began to threaten everyone with patents and all kinds of legal prosecution. To avoid them, all implementations of the algorithm that are open source are called not RC4, but ARC4 or ARCFOUR. A - alleged. We are talking about a cipher that matches RC4 in all test cases, but technically it doesn’t seem to be it.

If you configure any SSH or OpenSSL, you will not find any mention of RC4 in it, but you will find ARC4 or something similar. It's a simple design, it's already old, there are attacks on it now, and it's not really recommended for use.
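An added sketch of the construction described above (not the slide's code and not taken from any library): the 256-byte state, the two indices, and the swap-and-add step that yields each keystream byte, plus a helper showing that reading the end of a message still means stepping through every earlier keystream byte. Function names and the 1000-byte sample message are assumptions; the key/plaintext pair printed in the demo is one of the widely published RC4 test vectors.

```python
from itertools import islice

def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for the given key, one at a time, forever."""
    # Key scheduling: start from the identity permutation and stir in the key.
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    # Generation: two indices walk the state; each step swaps two bytes and
    # outputs the byte found at the position given by their sum.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        yield state[(state[i] + state[j]) & 0xFF]

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR the data with the keystream (same operation)."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))

def decrypt_tail(key: bytes, ciphertext: bytes, n: int):
    """Decrypt only the last n bytes of a ciphertext.

    The generator has no seek operation, so every earlier keystream byte
    must be produced and thrown away first. Returns (tail, bytes_discarded).
    """
    skip = len(ciphertext) - n
    stream = rc4_keystream(key)
    discarded = sum(1 for _ in islice(stream, skip))
    tail = bytes(c ^ k for c, k in zip(ciphertext[skip:], stream))
    return tail, discarded

if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())            # published vector
    message = bytes(range(256)) * 3 + bytes(232)      # constructed 1000-byte message
    ciphertext = rc4(b"Secret", message)
    tail, discarded = decrypt_tail(b"Secret", ciphertext, 10)
    print(tail == message[-10:], "after discarding", discarded, "keystream bytes")
```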


There have been several attempts to replace it. Probably, in my biased opinion, the most successful cipher was Salsa20 and several of its successors by Dan Bernstein, a character widely known in narrow circles. He is usually known to Linux users as the author of qmail.

Salsa20 is more complex than DES. Its block diagram is complex, but it has several interesting and cool properties. To begin with, it is always executed in a finite time, every round, which is important for protection against timing attacks. These are attacks where the attacker observes the behavior of the encryption system by feeding it different ciphertexts or different keys behind this black box. And by understanding changes in response times or system power consumption, he can draw conclusions about what exactly happened internally. If you think the attack is very far-fetched, it is not. Attacks of this kind on smart cards are very widespread - very convenient, since the attacker has full access to the box. The only thing he, as a rule, cannot do in it is read the key itself. This is difficult, but he can do everything else - put different messages there and try to decipher them.

Salsa20 is designed so that it always runs in the same constant amount of time. Internally, it consists of only three primitives: a constant-time shift, as well as addition modulo 2 and modulo 32, 32-bit words. The speed of Salsa20 is even higher than that of RC4. It has not yet gained such widespread adoption in mainstream cryptography - we do not have a cipher suite for TLS using Salsa20 - but it is still slowly becoming mainstream. The specified cipher became one of the winners of the eSTREAM competition to select the best stream cipher. There were four of them, and Salsa was one of them. It is slowly starting to appear in all sorts of open source products. Perhaps soon - maybe in a couple of years - there will even be a cipher suite in TLS with Salsa20. I really like it.

There is a certain amount of cryptanalysis on it, there are even attacks. From the outside it looks like a stream cipher, generating a sequence of almost arbitrary length based on the key, 2^64. But inside it works like a block cipher. There is a place in the algorithm where you can substitute the block number, and it will produce the specified block.

What's the problem with stream ciphers? If you have a stream of data being sent over a network, a stream cipher is useful for it. A packet arrived at your door, you encrypted it and transmitted it. The next one flew in - you applied the keystream to it and transmitted it. The first byte, the second, the third go over the network. Convenient.

If the data, for example an entire gigabyte file, is encrypted on disk with a stream cipher, then in order to read the last 10 bytes, you will first need to generate 1 gigabyte of the cipher's keystream, and then take the last 10 bytes from it. Very inconvenient.

In Salsa, this problem is solved, since it also receives the input number of the block that needs to be generated. Then the algorithm is applied to the block number 20 times. 20 rounds - and we get 512 bits of output stream.

The most successful attack is 8 rounds. It itself is 256-bit, and the complexity of the attack in 8 rounds is 250 or 251 bits. It is considered to be very strong and good. There is public cryptanalysis for it. Despite all the odiousness of Bernstein’s personality in this aspect, it seems to me that the thing is good and has a great future.

Historically, there have been many stream ciphers. They came first not only in commercial encryption, but also in military encryption. It used what were called linear shift registers.

What are the problems here? First: in classic stream ciphers, not in Salsa, to decrypt the last value of a gigabyte file, the last byte, you need to first generate a gigabyte-long sequence. From it you use only the last byte. Very inconvenient.

Stream ciphers are poorly suited for non-sequential access systems, the most common example of which is the hard drive.

There is one more problem, we will talk about it further. It manifests itself very clearly in stream ciphers. Two problems combined led to the fact that it would be great to use some other mechanism.

Another mechanism for symmetric encryption is called a block cipher. It's structured a little differently. It does not generate this key stream, which must be mixed with our ciphertext, but works similarly - like a substitution table. It takes a block of text of a fixed length, outputs a block of text of the same length, and that’s it.

The block size in modern ciphers is usually 128 bits. There are different variations, but as a rule, we are talking about 128 or 256 bits, no more and no less. The key size is exactly the same as for stream algorithms: 128 or 256 bits in modern implementations, inside and out.

Of all the widely used block ciphers, two can now be named - DES and AES. DES is a very old cipher, the same age as RC4. DES currently has a block size of 64 bits and a key size of 56 bits. It was created by IBM under the name Lucifer. When Horst Feistel was designing it at IBM, they suggested choosing 128 bits as the block size. And the key size was changeable, from 124 to 192 bits.

When DES began to undergo standardization, it was submitted for verification, including to the NSA. From there it came back with the block size reduced to 64 bits and the key size reduced to 56 bits.


20 years ago this whole story caused a lot of noise. Everyone said - they probably built a backdoor in there, it’s terrible, they selected the size of the block so as to be able to attack. However, the great advantage of DES is that it was the first cipher that was standardized and then became the basis of commercial cryptography.

It was attacked a lot and explored a lot. There are a large number of different attacks. But there is still not a single practically feasible attack, despite its rather respectable age. The only thing is that the key size of 56 bits is now simply unacceptable and can be attacked with brute force.

How does DES work? Feistel made a cool thing called the Feistel network. It operates on blocks. Each block entering the input is divided into two parts: left and right. The left side becomes the right side without changes. The right side interacts with the result of calculating a certain function, the input of which is the left side and the key. After this transformation, the right side becomes the left.


It has several interesting advantages. The first important advantage: the function F can be anything. It does not have to be invertible; it can be linear or nonlinear. All the same, the cipher remains symmetric.

The second very convenient property: decryption works in the same way as encryption. If you need to decrypt a given network, you put ciphertext into the previous mechanism instead of plaintext and get the plaintext out again.

Why is this convenient? 30 years ago, convenience was a consequence of the fact that encryptors were hardware and it was labor-intensive to design a separate set of chips for encryption and decryption. And in this design everything is very cool; in fact, we can use one block for different tasks.

In a real situation, this construction is one round of a block cipher, that is, in a real cipher it is executed 16 times with different keys. For the 16 rounds, 16 round subkeys are generated from the key, and each of them is used in its own round for function F.

The round also looks quite simple - it consists of only two or three operations. First operation: the incoming half-block is 32 bits in size; it goes through the expansion function, which receives these 32 bits as input. Next, using a special unclassified table, we add a little to the 32 bits, turning them into 48: some bits are duplicated and rearranged, like a comb.

Then we combine it with a round key, the size of which is also 48 bits, and we get a 48-bit value. It then goes into a set of functions called S-boxes that convert each six bits of input into four bits of output. Therefore, at the output we again get 32 bits from 48 bits.

And finally, the final permutation P. It again shuffles the 32 bits together. Everything is very simple, the round function is as simple as possible.

Its most interesting property lies in the indicated S-boxes: a very complex transformation of 6 bits into 4 is conceived. If you look at the entire design, you can see that it consists of XOR and a couple of permutations. If S-boxes were simple, the entire DES would actually be some set of linear transformations. It could be thought of as a matrix by which we multiply our plaintext to obtain the ciphertext. And then the attack on DES would be trivial: it would just require finding a matrix.

All nonlinearity is concentrated in S-boxes, selected in a special way. There are various anecdotes about how exactly they were selected. In particular, about 10 years after DES was published and standardized, cryptographers discovered a new type of attack - differential cryptanalysis. The essence of the attack is very simple: we make small changes in the plaintext - changing, for example, the value of one bit from 0 to 1 - and see what happens to the ciphertext. It turned out that in an ideal cipher, changing one bit from 0 to 1 should lead to a change in exactly half the bits of the ciphertext. It turned out that DES, although it was made before differential cryptanalysis was discovered, was resistant to this type of attack. As a result, at one time another wave of paranoia arose: they say that the NSA knew about the existence of differential cryptanalysis 10 years before open cryptographers, and you can imagine what it might know now.

Hundreds of articles have been devoted to analyzing the design of S-boxes. There are cool articles called something like this: features of the statistical distribution of output bits in the fourth S-box. Because the cipher is many years old, it has been thoroughly researched in different places and remains quite strong even by today's standards.

56 bits can now simply be brute-forced on a cluster of general-purpose machines - maybe even on one. And that's bad. What can you do?

You cannot simply change the size of the key: the entire structure is tied to its length. Triple DES. The obvious answer was this: let's encrypt our block several times, arrange several sequential encryptions. And here everything is not too trivial.

Let's say we take it and encrypt it twice. First, you need to prove that for encryptions with two different keys k1 and k2 there is no key k3 such that a single encryption with k3 gives the same result as the two encryptions applied in sequence. This is where the property that DES is not a group comes into play. There is a proof of this, albeit not a very trivial one.

Okay, 56 bit. Let's take two - k1 and k2. 56 + 56 = 112 bits. 112 bits, even by today's standards, is a completely acceptable key length. Anything over 100 bits can be considered normal. So why can't you use two encryptions, 112 bits?

One DES encryption consists of 16 rounds. The network is applied 16 times. Changes from left to right occur 16 times. And it is not a group. There is a proof that there is no such key k3 with which we could decrypt the text sequentially encrypted with the keys k1 and k2 we have chosen.

There is an attack. Let's encrypt all possible texts using some key, take the ciphertext and try to decrypt it using all arbitrary keys. Both here and here we get 2^56 options. And somewhere they will meet. That is, in two times 2^56 options - plus memory for storing all decryptions - we will find such a combination of k1 and k2 that the attack will be feasible.

The effective strength of the algorithm is not 112 bits, but 57, if we have enough memory. You need quite a lot of memory, but still. Therefore, we decided that we can’t work like that, let’s encrypt three times: k1, k2, k3. The design is called Triple DES. Technically, it can be arranged in different ways. Since encryption and decryption are the same thing in DES, actual algorithms sometimes look like this: encrypt, decrypt, and decrypt again - to make the operations easier in hardware implementations.
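An added example (not from the lecture) covering both the Feistel construction described earlier and the meet-in-the-middle argument above: a toy 16-round Feistel cipher with a non-invertible round function, decrypted by the same circuit with the subkeys in reverse order, and then double encryption under two keys recovered with about 2 * 2^12 cipher calls instead of 2^24. The 32-bit block, the 12-bit keys, the SHA-256 key schedule and all names are assumptions chosen so the search finishes quickly; none of this is DES itself.

```python
import hashlib

ROUNDS = 16        # DES also runs 16 Feistel rounds
MASK = 0xFFFF      # toy block: 32 bits = two 16-bit halves (DES: two 32-bit halves)
KEY_BITS = 12      # toy key size, small enough to enumerate (DES: 56 bits)

def round_keys(key):
    """Constructed key schedule (not DES's): one 16-bit subkey per round."""
    return [int.from_bytes(hashlib.sha256(b"%d/%d" % (key, r)).digest()[:2], "big")
            for r in range(ROUNDS)]

def f(half, subkey):
    """Round function F. Squaring mod 2**16 is many-to-one, so F has no inverse."""
    x = half ^ subkey
    return (x * x + subkey) & MASK

def feistel(block, subkeys):
    """One pass through the network, with the rounds as the lecture describes them:
    the left half moves to the right unchanged, the right half is XORed with
    F(left, subkey) and moves to the left."""
    left, right = block >> 16, block & MASK
    for k in subkeys:
        left, right = right ^ f(left, k), left
    return (right << 16) | left        # final swap makes the circuit self-inverse

def encrypt(block, key):
    return feistel(block, round_keys(key))

def decrypt(block, key):
    # Same circuit; only the order of the subkeys is reversed.
    return feistel(block, round_keys(key)[::-1])

def double_encrypt(block, k1, k2):
    return encrypt(encrypt(block, k1), k2)

def meet_in_the_middle(pairs):
    """Recover (k1, k2) of double encryption from known (plaintext, ciphertext) pairs.

    Encrypt the first plaintext under every k1 and store the results, then
    decrypt its ciphertext under every k2 and look for a stored match.
    Returns (candidate key pairs, cipher calls spent on the two sweeps).
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    calls = 0
    middle = {}                         # E_k1(p0) -> list of k1 producing it
    for k1 in range(1 << KEY_BITS):
        middle.setdefault(encrypt(p0, k1), []).append(k1)
        calls += 1
    found = []
    for k2 in range(1 << KEY_BITS):
        calls += 1
        for k1 in middle.get(decrypt(c0, k2), []):
            # Check the remaining pairs to discard chance collisions.
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                found.append((k1, k2))
    return found, calls

def demo():
    k1, k2 = 0x5A3, 0xC17                      # constructed secret keys
    plaintexts = [0x4D415348, 0x56455241]      # constructed sample blocks
    pairs = [(p, double_encrypt(p, k1, k2)) for p in plaintexts]
    found, calls = meet_in_the_middle(pairs)
    return (k1, k2), found, calls

if __name__ == "__main__":
    secret, found, calls = demo()
    print("secret:", secret, "recovered:", found)
    print("cipher calls:", calls, "vs key pairs to enumerate:", 1 << (2 * KEY_BITS))
```

Scaled to DES, the same two sweeps are the 2 * 2^56 = 2^57 operations the lecture gives as the effective strength of double encryption.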

Our reverse implementation of Triple DES will turn into a hardware DES implementation. This can be very convenient in various situations for backward compatibility purposes.

Where was DES used? Actually everywhere. It can still sometimes be observed for TLS, there are cipher suites for TLS that use Triple DES and DES. But there it is actively dying out, since we are talking about software. The software is easy to update.

But in ATMs it died out for a very long time, and I’m not sure that it completely died. I don’t know if a separate lecture is needed on how this design works in ATMs. In short, the keyboard where you enter your PIN is a self-contained thing in itself. Keys are loaded into it, and it does not output a PIN, but a PIN block design. The design is encrypted - for example, via DES. Since there are a huge number of ATMs, many of them are old and you can still find an ATM where inside the box it is not even Triple DES, but regular DES.

One day DES began to show its age, it became difficult to use, and people decided to come up with something new. The American standardization office, called NIST, said: let's hold a competition and choose a new cool cipher. It became AES.

DES stands for digital encrypted standard. AES - advanced encrypted standard. The block size in AES is 128 bits, not 64. This is important from a cryptographic point of view. AES key size is 128, 192 or 256 bits. AES does not use a Feistel network, but it is also multi-round, and relatively primitive operations are repeated several times. For 128 bits, 10 rounds are used, for 256 - 14.

Now I’ll show you how each round works. The first and last rounds are slightly different from the standard scheme - there are reasons for this.

Like DES, each AES round has its own round keys. They are all generated from the encryption key for the algorithm. At this point AES works the same as DES. A 128-bit key is taken and 10 subkeys are generated from it for 10 rounds. Each subkey, as in DES, is used in each specific round.

Each round consists of four fairly simple operations. The first operation is substitution using a special table.

In AES, we build a 4 by 4 byte matrix. Each element of the matrix is a byte. The total is 16 bytes or 128 bits. They make up the entire AES block.

The second operation is a byte shift.

Its structure is simple and primitive. We take a 4 by 4 matrix. The first row remains unchanged, the second row is shifted 1 byte to the left, the third - by 2 bytes, the fourth - by 3, cyclically.

Next, we perform mixing inside the columns. This is also a very simple operation. It actually rearranges the bits within each column, nothing else happens. You can think of it as multiplying by a special function.

The fourth, again very simple operation is to XOR each byte in each column with the corresponding key byte. This is the result.

In the first round, the keys are only added, and the other three operations are not used. In the last round, no such shuffling of columns occurs.

We repeat the 4 steps described 10 times, and the output from the 128-bit block is again a 128-bit block.

What are the advantages of AES? It operates on bytes, not bits like DES. AES is much faster in software implementations. If we compare the execution speed of AES and DES on a modern machine, AES will be many times faster, even if we talk about implementation exclusively in program code.

Manufacturers of modern processors, Intel and AMD, have already developed assembly instructions for implementing AES on the chip, because the standard is quite simple. As a result, AES is even faster. If we can encrypt, for example, 1-2 gigabits using DES on a modern machine, then a 10-gigabit AES encryptor is nearby and commercially available to ordinary companies.

The block algorithm encrypts block into block. It takes a 128 or 64 bit block and turns it into a 128 or 64 bit block.

What will we do if we need more than 16 bytes?

The first thing that comes to mind is to try to break the original message into blocks, and supplement the block that remains incomplete with a standard, known and fixed sequence of data.

Yes, obviously, we’ll break everything into blocks of 16 bytes and encrypt it. This encryption is called ECB - electronic code book, when each of the blocks of 16 bytes in the case of AES or 8 bytes in the case of DES is encrypted independently.


We encrypt each block, get the ciphertext, add the ciphertexts and get the full result.


This is what an image encrypted in ECB mode looks like. Even if we imagine that the cipher is completely secure, the result seems to be less than satisfactory. What's the problem? The fact is that it is a bijective mapping. For the same input, the same output will always be obtained, and vice versa - for the same ciphertext, the same plaintext will always be obtained.

It would be necessary to somehow contrive and make sure that the output result is different all the time, depending on the location of the block - despite the fact that the same ciphertext blocks are supplied to the input. The first solution was the CBC mode.


Not only do we take the key and the plaintext, but we also generate a random number that is not secret. It's the size of a block. It is called an initialization vector.

When encrypting the first block, we take the initialization vector, add it modulo 2 with the plaintext and encrypt it. The output is ciphertext. Next, we add the resulting ciphertext modulo 2 with the second block and encrypt it. The output is the second block of ciphertext. We add it modulo 2 with the third block of plaintext and encrypt it. The output is the third block of ciphertext. Here you can see the linkage: we link each next block with the previous one.

The result is a picture where everything, starting from the second block, is evenly smeared, and the first block depends on the initialization vector each time. And it will be absolutely mixed up. Everything is fine here.
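The four AES round operations and the ECB and CBC modes described above, as an added example that is not code from the lecture. It implements AES-128 in the encryption direction with the Python standard library only, then builds both modes on it. The function names, the PKCS#7-style padding and the black-and-white sample "image" are assumptions of this example.

```python
import os

def xtime(a):
    """Multiply a byte by x in GF(2^8), modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gmul(a, b):
    """Multiply two bytes in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _sbox_entry(a):
    """Substitution table: field inverse (a^254, 0 maps to 0), then an affine map."""
    inv = 1
    for _ in range(254):
        inv = gmul(inv, a)
    rot = lambda n: ((inv << n) | (inv >> (8 - n))) & 0xFF
    return inv ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63

SBOX = [_sbox_entry(a) for a in range(256)]

def expand_key(key):
    """Round keys for AES-128: one for the initial key addition plus one per round."""
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # rotate the word, then substitute
            t[0] ^= rcon
            rcon = xtime(rcon)
        words.append([x ^ y for x, y in zip(words[i - 4], t)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(11)]

def shift_rows(s):
    """State is column-major (byte i is row i % 4, column i // 4); row r rotates left by r."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    """Multiply each column by the fixed matrix with rows (2 3 1 1), (1 2 3 1), ..."""
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [gmul(a[i], 2) ^ gmul(a[(i + 1) % 4], 3) ^ a[(i + 2) % 4] ^ a[(i + 3) % 4]
                for i in range(4)]
    return out

def encrypt_block(rk, block):
    """Encrypt one 16-byte block with round keys from expand_key()."""
    s = [b ^ k for b, k in zip(block, rk[0])]      # initial step: key addition only
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                    # 1. substitution by table
        s = shift_rows(s)                           # 2. cyclic row shift
        if rnd < 10:
            s = mix_columns(s)                      # 3. column mixing, skipped in the last round
        s = [b ^ k for b, k in zip(s, rk[rnd])]     # 4. XOR with the round key
    return bytes(s)

def pad(msg):
    """Fill the last block with a fixed, known pattern (PKCS#7 style, an assumption here)."""
    n = 16 - len(msg) % 16
    return msg + bytes([n]) * n

def ecb_encrypt(key, msg):
    """Every 16-byte block is encrypted independently."""
    rk, data = expand_key(key), pad(msg)
    return b"".join(encrypt_block(rk, data[i:i + 16]) for i in range(0, len(data), 16))

def cbc_encrypt(key, msg, iv=None):
    """Returns IV || ciphertext; the IV is random and public, one fresh value per message."""
    rk, data = expand_key(key), pad(msg)
    prev = os.urandom(16) if iv is None else iv
    out = [prev]
    for i in range(0, len(data), 16):
        # XOR the plaintext block with the previous ciphertext block, then encrypt.
        prev = encrypt_block(rk, bytes(p ^ c for p, c in zip(data[i:i + 16], prev)))
        out.append(prev)
    return b"".join(out)

def distinct_blocks(data):
    """Number of different 16-byte blocks in data."""
    return len({data[i:i + 16] for i in range(0, len(data), 16)})

if __name__ == "__main__":
    key = bytes(range(16))                          # constructed sample key
    # Constructed "image": 64 tiles, each either all-black or all-white.
    image = b"".join((b"\xff" if (i // 8) % 2 else b"\x00") * 16 for i in range(64))
    print("plaintext: 64 blocks, distinct:", distinct_blocks(image))
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(key, image)))
    print("CBC distinct blocks:", distinct_blocks(cbc_encrypt(key, image)))
```

In ECB the two tile values and the padding block map to exactly three ciphertext values, so the outline of the picture survives; in CBC every block, including the IV, comes out different.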

However, the CBC has several problems.

About block size. Imagine: we started encrypting and, let’s say, we have DES. If DES were a perfect encryption algorithm, the output of DES would look like uniformly distributed random numbers 64 bits long. What is the probability that in a sample of uniformly distributed random numbers of length 64 bits, two numbers will match for one operation? 1/(2^64). What if we compare three numbers? Let's take a break for now.


You can download all books and manuals absolutely free of charge and without registration.

NEW Alferov, Zubov, Kuzmin, Cheremushkin. Basics of cryptography. 2005 480 pp. djvu. 19.2 MB.
Written by leading experts in the field of cryptography who have many years of experience in developing cryptographic security tools and teaching cryptographic disciplines at leading universities in the country. The basic concepts and sections are outlined that allow you to get an idea of ​​the tasks and problems of modern cryptography. The manual includes both traditional issues of classification and assessment of the reliability of ciphers, and systemic issues of using cryptographic methods of information protection.
For students, graduate students studying disciplines in cryptography and computer security, teachers, as well as a wide range of specialists whose tasks are the qualified selection and organization of the use of cryptographic information security tools.

NEW N. Ferguson, B. Schneier. Practical cryptography. 2005 416 pp. pdf. 16.9 MB.
In the modern business world, the issue of computer system security is of critical importance. By ignoring it, you deprive yourself of the opportunity to earn money, expand your business, and, therefore, jeopardize the very existence of your company. One of the most promising technologies for ensuring security in cyberspace is cryptography.
Written by world-renowned cryptographic experts, this book provides a one-of-a-kind guide to practical cryptographic system design, thereby bridging the frustrating gap between the theoretical foundations of cryptography and real-world cryptographic applications.

A.A. Bolotov et al. Elementary introduction to elliptic cryptography. Elliptic curve cryptography protocols.. 2006. 274 pp. djvu. 12.7 MB.
This book contains a description and comparative analysis of elliptic curve algorithms. We study elliptic cryptography protocols that have analogues - protocols based on the algebraic properties of the multiplicative group of a finite field and protocols for which there are no such analogues - protocols based on Weyl and Tate pairing. In this regard, the Weil and Tate pairing algorithms and their modifications are described. The presentation of the theory is accompanied by a large number of examples and exercises.

This book is a continuation of previously published editions of the book by the same authors "Elementary Introduction to Elliptic Cryptography. Algebraic and Algorithmic Fundamentals"

A.A. Bolotov et al. Elementary introduction to elliptic cryptography. Algebraic and algorithmic foundations. 2006 324 pp. djvu. 15.0 MB.
This book is devoted to a promising direction in the field of information security, the mathematical basis of which is the theory of elliptic curves. The book contains information on finite field theory and basic concepts of the theory of elliptic curves necessary for studying elliptic cryptography. It outlines the algebraic concepts used and methods for the effective implementation of basic algebraic operations, with the help of which both known and promising cryptographic systems based on the use of a group of points of an elliptic curve can be built. The presentation is accompanied by a large number of examples and exercises.
Intended for students, university teachers and specialists in the field of information security, applied mathematics, computer technology and information science. The publication is of interest to people involved in the coding and transmission of information and digital technology, as well as specialists in applied mathematics interested in computer algebra.

A.V. Babash. Cryptography. 2007 511 pp. djvu. 9.7 MB.
The book is written in the form of a manual aimed at studying “classical” ciphers, that is, ciphers with a symmetric key. After a brief historical outline, it examines the issues of decrypting the simplest ciphers, methods of cryptanalysis and synthesis of cryptographic schemes, issues of cryptographic strength, noise immunity and imitation resistance of cipher systems. The architecture of the manual is two-level. The first level is intended for students studying the disciplines of cryptography and computer security, readers who are getting acquainted with educational materials on cryptography for the first time. The second level is for graduate students, university teachers of the relevant profile, for a circle of specialists whose task is to use cryptographic means of information security, for readers who want to get acquainted with theoretical cryptography. The manual has received positive reviews from specialists and organizations.

Barichev S.G., Serov R.E. Fundamentals of modern cryptography. 60 pages djvu 740 Kb.
This book will cover only the basics of cryptography. Modern cryptography includes four major sections:
Symmetric cryptosystems.
Public key cryptosystems.
Electronic signature systems.
Key management.
The main areas of use of cryptographic methods are the transfer of confidential information through communication channels (for example, e-mail), establishing the authenticity of transmitted messages, storing information (documents, databases) on media in encrypted form.

Vasilenko O.N. Number-theoretic algorithms in cryptography. 2003, 328 pp. PDF. 1.8 MB.
The monograph presents the current state of algorithmic number theory, which has important applications in cryptography.
Intended for senior students and graduate students of mathematics departments of universities, as well as for specialists who want to get acquainted with the latest achievements in this field.

Grusho A.A., Primenko E.A., Timonina E.E. Analysis and synthesis of cryptographic algorithms. LECTURE COURSE. 2000 110 pp. PDF. 1.4 MB.
Cryptoalgorithms are data transformation algorithms that use a “secret”. The main quality parameter of a crypto-algorithm is its resistance to enemy attempts to reveal the “secret”. Such stability in cryptography is called strength. Cryptographic strength must be justified, since in protecting critical information the logic: “I cannot reveal the “secret”, therefore no one can” is not applicable. Methods for justifying cryptographic strength are based on accumulated experience in revealing the “secrets” of cryptoalgorithms.
In accordance with the tradition of modern cryptography, the course of lectures contains a description of the most well-known universal methods of cryptanalysis, methods for analyzing block and stream ciphers, methods for analyzing hash functions and algorithms with asymmetric keys. As the reader becomes familiar with the methods of analysis, sections containing methods for synthesizing cryptoalgorithms are offered.

N. Koblitz. COURSE IN NUMBER THEORY AND CRYPTOGRAPHY. 2001, 254 pp. djvu. 3.0 MB.
The purpose of this book is to introduce the reader to those areas of arithmetic, both classical and modern, that are the focus of applications of number theory, especially cryptography. It is assumed that knowledge of higher algebra and number theory is limited to the most modest acquaintance with their fundamentals; For this reason, the necessary information from these areas of mathematics is also presented. The authors chose an algorithmic approach, with special attention paid to assessing the effectiveness of the methods proposed by the theory.
A special feature of the book is the presentation of very recently developed applications of the theory of elliptic curves. The translation into Russian was carried out from the original of the second edition, significantly revised in comparison with the first edition and provided with an updated list of references. Each chapter includes a carefully composed selection of problems, usually accompanied by detailed instructions and solutions.
All this allows us to recommend the book not only as a valuable guide for the general theoretical training of information security specialists, but also as a useful source of examples of the practical applicability of a number of abstract branches of mathematics and cybernetics. The book is also perfect for self-education.

S. Coutinho. Introduction to number theory. RSA algorithm. 2001 328 pp. djvu. 2.8 MB.
Cryptography! Many people have been intrigued by this process since childhood. Who wouldn't love Conan Doyle's "dancing men"? But the real encryption scheme is both simpler and more complex than described in the famous classic story.
Having missed the mathematical theory in the title, some of you will find the book boring and uninteresting. You are wrong! The manual is written in a lively, interesting and very accessible manner. To understand the essence, high school knowledge is enough. But despite the simple style of presentation, all statements are supported by strict evidence or references to the literature.
The range of readers is very wide: from schoolchildren interested in number theory or encryption, to banking and corporate programmers who want to delve deeper into the fundamentals of their activities.

Osipyan V.O., Osipyan K.V. Cryptography in tasks and exercises. 2004 146 pp. djvu. 1.7 MB.
More than 450 different tasks and exercises are presented, grouped in accordance with the main directions of development of cryptographic methods for increasing the information security of automated data processing systems. Each section is preceded by a brief introduction consisting of definitions and basic concepts of the relevant field of science. The presented tasks and exercises cover both classical methods of cryptographic information protection and modern methods of ensuring confidentiality and data integrity, focused on the use of computer technology.
Intended for students in the Information Security group; it can also be useful to anyone who wants to increase their own level of knowledge in the field of secure transmission and processing of information.

N. Ptitsyn. APPLICATION OF THE THEORY OF DETERMINISTIC CHAOS IN CRYPTOGRAPHY. 2002, 80 pp. PDF. 1.6 MB.
This work is devoted to the application of the theory of deterministic chaos (nonlinear dynamics) to computer cryptography. The relationship between chaotic and cryptographic systems is considered at the conceptual and practical levels. The theoretical basis for this connection includes a discussion of such concepts as exponential sensitivity to initial conditions, ergodicity, mixing, complexity, randomness, and unpredictability. Two approaches to the practical application of nonlinear systems in cryptography are considered: (1) approximation of continuous systems using floating point mathematics and (2) binary chaos with a limited number of states. A review of publications describing chaotic ciphers and chaotic pseudo-random generators is presented. The application of nonlinear systems with an exact solution and ambiguous transformation for the construction of pseudo-random generators is considered.

A.G. Rostovtsev, E.B. Makhovenko. Theoretical cryptography. 2005 479 pp. djvu. 9.3 MB.
This publication includes materials from the books “Algebraic Foundations of Cryptography”, “Introduction to Public Key Cryptography”, “Introduction to the Theory of Iterated Ciphers”, published by the publishing house “Peace and Family” in 2000-2003. The book consists of three parts. The first part contains information from algebra, number theory, and algebraic geometry. The second part is devoted to public key cryptography algorithms, with special attention to elliptic curves. The third part contains basic information about iterated ciphers and hash functions. The appendix shows elliptic curves for the digital signature standard GOST R 34.10-2001.
The book can be used as a textbook for in-depth study of cryptography. Unlike most publications on cryptography, the main focus is on cryptanalysis methods.
Intended for students, teachers, mathematicians and engineers specializing in the development and research of cryptographic methods and information security tools.

B.Ya. Ryabko, A.N. Fionov. Cryptographic methods of information protection. 2005 229 pp. djvu. 9.3 MB.
Textbook for universities; Classification of the UMO Ministry of Defense of the Russian Federation; Study guide; University; The main approaches and methods of modern cryptography for solving problems arising during the processing, storage and transmission of information are outlined. The main attention is paid to new areas of cryptography related to ensuring the confidentiality of interactions between computer users and computer networks. Basic public key ciphers, digital signature methods, basic cryptographic protocols, block and stream ciphers, cryptographic hash functions are considered, as well as questions rarely encountered in the literature about the design of provably unbreakable cryptosystems and elliptic curve cryptography. The theoretical material is presented quite strictly, but using elementary mathematical apparatus. The algorithms underlying cryptographic domestic and international standards are described in detail. The tasks and exercises necessary for conducting practical classes and laboratory work are given.
Intended for students in the field of Telecommunications; it may also be useful for specialists.

N. Smart. Cryptography. 2005 526 pp. pdf. 8.3 MB.
One of the best courses in the world. Intended for specialists working in the field of information security and software developers. Symmetric ciphers, public key cryptosystems, digital signature standards, and repelling attacks on cryptosystems are described in extreme detail. Examples are given in Java, numerous original problems reflecting the latest developments in the theory and practice of cryptography.

H.K.A.van Tilborg. Professional guidance and interactive tutorial. 2006 471 pp. djvu. 22.1 MB.
The book by the Dutch cryptologist is devoted to modern aspects of cryptography and cryptanalysis. Among them, three main areas can be distinguished: traditional (symmetric) cryptosystems, systems with public keys and cryptographic protocols. The main results are supported by evidence. The main feature is the numerous examples created on the basis of the well-known “Mathematica” computer algebra package. The book comes with a CD ROM that allows you (if you have the Mathematica package) to modify the examples, in particular, by increasing the parameter values. This is the first such multifaceted educational book on cryptography in Russian. An English version of this book is attached with examples.
The book is primarily addressed to mathematicians, engineers and students specializing in the field of information security. But it will also be interesting for a wider circle of readers, which, in particular, can be facilitated by detailed applications devoted to number theory and finite fields, making the book quite self-contained.

Fomichev V.M. Discrete mathematics and cryptology. Course of lectures. 2003 397 pp. djvu. 12.9 MB.
The book was written by a leading expert in the field of cryptology, who has many years of teaching experience at MEPhI. The basic questions of cryptology and the fundamentals of the mathematical apparatus necessary for their study are outlined. In order to consolidate the material, tasks and exercises are given.
Recommended for undergraduate and graduate students studying cryptology and computer security, teachers, and practitioners dealing with cryptographic methods of information security.

Cheremushkin A.V. Lectures on arithmetic cryptography algorithms. 2002, 100 pp. PDF. 585 KB.
The lectures were given at the Institute of Cryptography, Communications and Informatics. The course is compact and simple in presentation, although it is written in strict mathematical language. Recommended for anyone interested in cryptography.

Yashchenko, editor. 270 pp. PDF.
Table of contents:
1. Basic concepts of cryptography. 2. Cryptography and complexity theory. 3. Cryptographic protocols. 4. Algorithmic problems of number theory. 5. Mathematics of secret sharing. 6. Computer and cryptography. Appendix: excerpt from Shannon’s article “The Theory of Communication in Secret Systems” (about 40 pages).

Victor Shoup. A Computational Introduction to Number Theory and Algebra. 2005 512 pp. PDF. 4.6 MB.
Table of contents (by chapter):
1. Basic properties of the integers. 2. Congruences. 3. Computing with large integers. 4. Euclid's algorithm. 5. The distribution of primes. 6. Finite and discrete probability distributions. 7. Probabilistic algorithms. 8. Abelian groups. 9. Rings. 10. Probabilistic primality testing. 11. Finding generators and discrete logarithms in Z. 12. Quadratic residues and quadratic reciprocity. 13. Computational problems related to quadratic residues. 14. Modules and vector spaces. 15. Matrices. 16. Subexponential-time discrete logarithms and factoring. 17. More rings. 18. Polynomial arithmetic and applications. 19. Linearly generated sequences and applications. 20. Finite fields. 21. Algorithms for finite fields. 22. Deterministic primality testing.

R. F. Churchhouse. Codes and ciphers. Julius Caesar, the Enigma and the internet. 2004, 240 pp. PDF. 1.1 MB.
Table of contents (by chapter):
1. Introduction. 2. From Julius Caesar to simple substitution. 3. Polyalphabetic systems. 4. Jigsaw ciphers. 5. Two-letter ciphers. 6. Codes. 7. Ciphers for spies. 8. Producing random numbers and letters. 9. The Enigma cipher machine. 10. The Hagelin cipher machine. 11. Beyond the Enigma. 12. Public key cryptography. 13. Encipherment and the internet.

J. TALBOT, D. WELSH. Complexity and Cryptography. 2006, 290 pp. PDF. 1.1 MB.
Table of contents (by chapter):
1. Basics of cryptography. 2. Complexity theory. 3. Non-deterministic computation. 5. Symmetric cryptosystems. 6. One way functions. 7. Public key cryptography. 8. Digital signatures. 9. Key establishment protocols. 10. Secure encryption. 11. Identification schemes. Many applications.

I. F. Blake, G. Seroussi, N. P. Smart editors. Advances in Elliptic Curve Cryptography. 2005, 280 pp. PDF. 1.9 MB.
Table of contents (by chapter):
I. Elliptic Curve Based Protocols. II. On the Provable Security of ECDSA. III. Proofs of Security for ECIES. IV. Side-Channel Analysis. V. Defenses Against Side-Channel Analysis. VI. Advances in Point Counting. VII. Hyperelliptic Curves and the HCDLP. VIII. Weil Descent Attacks. IX. Pairings. X. Cryptography from Pairings.

Jeroen Mathias Doumen. Some Applications of Coding Theory in Cryptography. 2003, 80 pp. PDF. 415 KB.
Table of contents (by chapter):
1. Preliminaries and notation. 2. Adaptive chosen ciphertext attacks on the McEliece cryptosystem. 3. Digital signature schemes based on error–correcting codes. 4. Two families of Mersenne–like primes. 5. Pseudorandom sequences from elliptic curves.

Nicolas Gisin, Grégoire Ribordy, Wolfgang Tittel and Hugo Zbinden. Quantum cryptography. 2004, 110 pp. PDF. 1.3 MB.
Table of contents (by chapter):
1. Introduction. 2. A beautiful idea. 3. Technological challenges. 4. Experimental quantum cryptography with Faint laser pulses. 5. Experimental quantum cryptography with photon pairs. 6. Eavesdropping.

Institute of Cryptography, Communications and Informatics

The Institute of Cryptography, Communications and Informatics (ICSI) traces its history back to the Higher School of Cryptographers, created on October 19, 1949 by the decision of the Politburo of the Central Committee of the All-Union Communist Party of Bolsheviks, as well as the closed department of the Faculty of Mechanics and Mathematics of the M.V. Lomonosov Moscow State University, formed in the same year. Subsequently, these educational institutions were reorganized into the technical faculty of the F.E. Dzerzhinsky Higher School of the KGB of the USSR. In 1992, the technical faculty was transformed into the Institute of Cryptography, Communications and Informatics of the Academy of the FSB of Russia.

Today the Institute is a multidisciplinary educational institution that has high authority both among universities of law enforcement agencies and in the higher education system of Russia. It is the leading educational institution of the Russian Federation for education in the field of information security. On the basis of ICSI, the Federal Educational and Methodological Association in the field of higher education for UGSN “Information Security” (hereinafter referred to as UMO IB) was created, which includes more than two hundred leading secondary and higher educational institutions in Russia.

At 4 faculties and 11 departments of the institute, university training of specialists in 6 specialties of higher education is conducted.

Training of specialists is carried out in the following specialties:

Faculty

Speciality

Unified State Exam

Additional tests

Cryptography

Mathematics (profile level); physics; Russian language

Information and analytical security systems

Information security of telecommunication systems

Computer security

Information security of automated systems

Countering technical intelligence

All educational programs are designed for 5 years of study.

In all specialties, graduates are awarded the qualification “information security specialist.”

ICSI students, in addition to special technical disciplines, receive good humanitarian and military training. Within the walls of the institute there are excellent opportunities for in-depth study of foreign languages. In specially equipped classrooms under the guidance of experienced teachers, they master the intricacies of modern military science, fire training and combat skills.

Teaching staff

ICSI employs more than two hundred teaching staff. Among them are more than 150 doctors and candidates of science, academicians and corresponding members of various academies. These are qualified teachers and famous scientists. Laureates of state prizes and recipients of high government awards teach at the institute. The best specialists from research institutes and operational and technical units of the FSB of Russia, other ministries and departments are actively involved in conducting classes. Among the teachers are not only ICSI students, but also teachers from other leading Russian universities: Moscow State University, MEPhI, MIPT, MSTU.

The teaching staff of ICSI carries out extensive educational, methodological and research work. Curricula, textbooks and teaching aids developed for each of the specialties being implemented meet the most modern requirements of the 3rd generation Federal State Educational Standards.

The Institute preserves and develops the best traditions of the Higher School of Cryptographers and a special department of the Faculty of Mechanics and Mathematics of the M.V. Lomonosov Moscow State University, whose worthy successor it is. This continuity lies in deep special training, focused on solving the most complex problems facing practical units, in whose interests specialists are trained.

The education received by ICSI students is based on the highest achievements in fundamental fields of science. Among them are mathematics, physics, programming, cybernetics, radio and microelectronics, communication and information theory, and nanotechnology. The quality of education at the institute corresponds to the level of the most reputable universities in the country.

Material and technical equipment

In connection with the global development of information technology, the institute pays great attention to the formation of skills and abilities to work with various types of modern computer technology. The Institute's diverse computer park includes a large number of personal computers, workstations and servers from well-known manufacturers. The modern material and technical base of computer classes, the latest software make it possible to study the most complex aspects of the use of computing tools, the problems of building and protecting computer networks and computer security, protection against computer viruses.

The developed laboratory facilities of the institute contribute to the development of practical skills in natural sciences and special disciplines. Classes in physics, radio engineering and special disciplines are held in classrooms equipped with modern, unique instruments and special equipment.

Research activities

The teaching staff instills in students the ability for independent scientific research. This is a priority and an integral part of the institute’s work.

Students acquire scientific thinking skills during the preparation of coursework and dissertations, and conduct unscheduled scientific developments. The most interesting results are published in authoritative national and departmental scientific publications. Students who have demonstrated ability for research work have the opportunity to continue their education in the Academy’s postgraduate program. Most of the institute's graduates continue the scientific research begun at the university. Every year, representatives of ICSI are among the laureates and diploma recipients of the All-Russian student competition for the best research work.

In addition, the institute has created 2 scientific schools (in the algebraic and radio engineering fields), which are supported by grants from the President of the Russian Federation. The scientific research of a number of young scientists at the institute is supported by presidential personal grants.

The activities of ICSI graduates are extremely important for ensuring the security of the state. Upon graduation from the institute, graduates are guaranteed employment in the technical and scientific divisions of the FSB of Russia, and other ministries and departments that ensure the country's security. The high level and relevance of knowledge, skills and abilities acquired during training allow them to be included in the work process, bypassing the period of initial adaptation. It is ICSI graduates who make up the main backbone of the personnel of most practical units of the relevant profile. Many of them were awarded high government awards and became leading specialists and major managers.

Pre-university preparation

For a number of years, the institute has been implementing the Entrant program.

As part of this program, the following are held every year at the institute:

  • written tests in mathematics and physics,
  • Interregional Olympiad for schoolchildren in mathematics and cryptography,
  • Interregional Olympiads for schoolchildren in physics and mathematics on the basis of departmental educational institutions,
  • Olympiad "Informatics and Computer Security".

The Institute invites all interested young people to test their knowledge, evaluate the level of training and, having passed the entrance tests, receive a specialized education at a university that has many years of tradition in the field of training specialists for the Russian security agencies.

Distance learning system

A publicly accessible distance learning system (DLS) has been deployed on the Olympiad website www.v-olymp.ru. The DLS hosts courses for applicants to technical universities to help them prepare independently for entrance examinations.

The purpose of the courses presented in the DLS is to help applicants organize a systematic review of the school curriculum in mathematics and physics, provide the necessary consultations, and introduce them to the main types of problems encountered in the entrance exams at the ICSI Academy of the FSB of Russia and the Academy of the FSB of Russia (Orel). Mastering the materials of these courses also contributes to preparation for the Unified State Exam.

In addition, the DLS offers preparation courses for the Olympiads conducted by departmental universities. Schoolchildren are given the opportunity to become familiar with the basic ideas for solving problems from past Olympiads, which allows them to get a feel for the specifics of the tasks and increase their level of knowledge in basic subjects.

Online, schoolchildren from all over Russia can receive qualified advice on solving problems and on the topics of the Olympiad. The DLS is user-friendly; to complete the training, it is enough to log into the system once or twice a week. Studying the theoretical part and solving tests in each selected course takes about 40-50 minutes.


