1 Introduction

With the rapid development of computing technologies, the importance of secure communication is growing daily [21–24]. Unlike conventional cryptography, which is based on computational complexity, Quantum Key Distribution (QKD) can achieve unconditionally secure communication [1, 2, 18–20]. By transmitting secret key information in quantum states, the final key generated by a QKD system is information-theoretically secure (ITS), which is guaranteed by the no-cloning theorem and the collapse of a quantum state upon measurement [3, 4]. QKD is now one of the main research focuses around the world. Notable QKD network projects of recent years include SECOQC in Europe [5], UQCC in Tokyo [6] and NQCB in China [7].

ITS authentication is a compulsory procedure in a QKD system and the key procedure that ensures the security of the keys generated between the communicating parties [4, 8]; without it, QKD is vulnerable to man-in-the-middle attacks [9–11]. The main challenge in ITS authentication research is the construction of hash functions that are suitable for ITS authentication while consuming less secret key [9, 12–14].

Usually, ε-Almost Strongly Universal (ε-ASU) hash functions can be used to construct ITS authentication schemes in a natural way. Most construction schemes focus on ε-ASU₂ hash function families, such as the Wegman-Carter and Krawczyk constructions [13, 14]. Photon transmission rates have now reached about ten GHz [15, 16]. Because of their heavy computational cost, ITS authentication schemes based on ε-ASU₂ hash functions cannot meet the high performance requirement of QKD systems [9, 13, 17].

In this extended abstract, we propose a novel efficient ε-Almost Strongly Universal hash function based on number-theoretic transforms (NTT). Exploiting the special features of NTT, our ε-ASU hash function family is constructed in the prime ring \( \varvec{Z}_{p}^{L} \). To construct the NTT-based ε-ASU hash function efficiently, we assume that \( L = 2^{\lambda } \) and that the prime number \( p = \upsilon L + 1 \). We assume that the set of all messages is \( R \), where \( R \in \varvec{Z}_{p}^{L} \) has length \( L \), and that the length of the authentication tag is \( n \), where \( n = \beta \left\lceil {\log_{2} p} \right\rceil \). The security of our NTT-based ε-ASU hash function satisfies \( \varepsilon \le L\left( {n + 1} \right)/2^{n - 2} \), and the key length consumed by the ITS authentication scheme is less than \( 3n + 1 \).

2 NTT-Based Almost Strongly Universal Hash Function

Since its construction has to consume a very long key, Gilles's NTT-based almost universal hash function is not suitable for ITS authentication [18]. With a partially known secret key and an LFSR structure [13], a random bit stream can be generated to construct NTT-based almost strongly universal (NASU) hash functions.

Let \( \varvec{R} \) be the set of messages, where \( \varvec{R} \in \varvec{Z}_{p}^{L} \). We take only the first \( \beta \) elements of the hashing result. Let \( f\left( x \right) \) be an irreducible polynomial of degree \( \beta \left\lceil {\log_{2} p} \right\rceil \) over \( GF\left( 2 \right) \), and let \( \varvec{s}_{{\varvec{init}}} = \left( {s_{0} ,s_{1} , \cdots ,s_{{\beta \left\lceil {\log_{2} p} \right\rceil - 1}} } \right)^{T} \) be the initial state of the LFSR defined by the feedback function \( f\left( x \right) \). Both \( \varvec{s}_{{\varvec{init}}} \) and \( f\left( x \right) \) are generated from the partially known key, whose length is \( 2\beta \left\lceil {\log_{2} p} \right\rceil + 1 \). Let \( \varvec{f} = \left( {f_{0} ,f_{1} , \cdots ,f_{{\beta \left\lceil {\log_{2} p} \right\rceil - 1}} } \right)^{T} \) be the coefficient vector of \( f\left( x \right) \) and \( \varvec{s}_{{\left[ {i - \beta \left\lceil {\log_{2} p} \right\rceil ,i - 1} \right]}} = \left( {s_{{i - \beta \left\lceil {\log_{2} p} \right\rceil }} ,s_{{i - \beta \left\lceil {\log_{2} p} \right\rceil + 1}} , \cdots ,s_{i - 1} } \right)^{T} \), where \( i \ge \beta \left\lceil {\log_{2} p} \right\rceil \).

Thus, we obtain the random bit

$$ s_{i} = \varvec{s}_{\left[ {i - \beta \left\lceil {\log_{2} p} \right\rceil ,\, i - 1} \right]}^{T} \, \varvec{f} \bmod 2. \tag{1} $$

Let \( 1 \le \beta \le L \) and \( K = \left( {2^{0} ,2^{1} , \cdots ,2^{{\left\lceil {\log_{2} p} \right\rceil - 1}} } \right) \). For \( \varvec{C,R} \in \varvec{Z}_{p}^{L} \), let \( h_{\text{C}} \left( \varvec{R} \right) = \left( {F^{ - 1} \left( {C \cdot R} \right)} \right)_{0,1, \cdots ,\beta - 1} \) be the inverse NTT of their component-wise product, taking only the first \( \beta \) elements of the result. Writing \( u = \left\lceil {\log_{2} p} \right\rceil \), we define the set

$$ H_{p,L,\beta ,\varvec{s},\varvec{f}} = \left\{ h_{\text{C}} : C_{i} = K \varvec{s}_{\left[ {\left( {i + \beta } \right)u,\, \left( {i + \beta + 1} \right)u - 1} \right]} \bmod p,\ \forall i \right\} \tag{2} $$

which is an almost strongly universal family of hash functions with \( \varepsilon \le \left( {L + 2L\beta \left\lceil {\log_{2} p} \right\rceil + 2} \right)/2^{{\beta \left\lceil {\log_{2} p} \right\rceil }} \). Writing \( n = \beta u \), we have \( \varepsilon \le \left( {L + 2nL + 2} \right)/2^{n} \).
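The construction of Eqs. (1) and (2) on a toy instance, as an added Python example that is not the authors' code: parameters L, p, β, the key bits and the message are constructed, and because the abstract does not say how an irreducible f(x) is selected from the key, the feedback polynomial is kept fixed (an assumption) while only the LFSR state comes from the key.

```python
# Toy instance of the NASU hash of Section 2 (added example, not the authors' code).
# Constructed parameters: L = 8 (lambda = 3), p = 17 = 2*L + 1, beta = 2,
# so u = ceil(log2 p) = 5 and the tag is n = beta*u = 10 bits long.
L, P, BETA = 8, 17, 2
U = (P - 1).bit_length()            # ceil(log2 p) = 5
N = BETA * U                        # LFSR length = tag length in bits
OMEGA = 2                           # primitive L-th root of unity mod p: 2^8 = 1 (mod 17)
# f(x) = x^10 + x^3 + 1 (primitive over GF(2)), stored as f_0..f_{n-1}; x^n is implicit.
# The page derives f(x) from the key too but does not say how an irreducible one is
# selected, so this toy keeps f(x) fixed (assumption) and seeds only s_init from the key.
F_POLY = [1, 0, 0, 1] + [0] * (N - 4)

def ntt(x, inverse=False):
    """Naive O(L^2) number-theoretic transform over Z_p: F(x), or F^{-1}(x) if inverse."""
    w = pow(OMEGA, P - 2, P) if inverse else OMEGA   # omega^{-1} for the inverse
    out = [sum(x[k] * pow(w, j * k, P) for k in range(L)) % P for j in range(L)]
    if inverse:                                      # F^{-1} also divides by L
        out = [v * pow(L, P - 2, P) % P for v in out]
    return out

def lfsr_bits(s_init, f, count):
    """Eq. (1): s_i = <s_[i-n, i-1], f> mod 2, extended until `count` bits exist."""
    s = list(s_init)
    while len(s) < count:
        s.append(sum(a * b for a, b in zip(s[-N:], f)) % 2)
    return s

def derive_c(key_bits):
    """Eq. (2): C_i = K . s_[(i+beta)u, (i+beta+1)u - 1] mod p for i = 0..L-1, where
    K = (2^0, ..., 2^(u-1)) reads each u-bit chunk of the LFSR stream as an integer."""
    s_init = key_bits[:N]                        # first n key bits seed the LFSR
    assert len(s_init) == N and any(s_init)      # all-zero state would give a constant stream
    bits = lfsr_bits(s_init, F_POLY, (L + BETA) * U)
    c = []
    for i in range(L):
        chunk = bits[(i + BETA) * U:(i + BETA + 1) * U]
        c.append(sum(b << k for k, b in enumerate(chunk)) % P)
    return c

def nasu_hash(c, msg):
    """h_C(R) = (F^{-1}(C . R))_{0..beta-1}: inverse NTT of the component-wise product."""
    assert len(msg) == L and all(0 <= r < P for r in msg)
    return ntt([ci * ri % P for ci, ri in zip(c, msg)], inverse=True)[:BETA]

# Constructed 21-bit key (2n + 1 bits as in the paper); only the first n bits are used here.
KEY = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 0]
TAG = nasu_hash(derive_c(KEY), [3, 14, 7, 0, 9, 16, 5, 11])   # tag for a message R in Z_17^8
```

With a primitive f(x) the LFSR stream from any non-zero state has period 2^n - 1 = 1023, and an impulse message (1, 0, ..., 0) yields the constant tag L^{-1} C_0 mod p in every position, which is a quick sanity check of the inverse transform.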

3 Potential Advantages

Compared with ASU₂ hash functions, our proposed NASU hash functions have the following potential advantages:

  (a) NASU hash functions can be easily constructed with a partially known secret key and an LFSR structure.

  (b) Thanks to the special features of number-theoretic transforms (NTT), the computational cost of our NASU hashing procedure is much lower than that of Krawczyk's scheme and other ASU₂ hash functions.

  (c) Treating the elements of input messages as non-binary integers of the ring \( \varvec{Z}_{p}^{L} \), our proposed NTT-based ε-ASU hash function is very suitable for ITS authentication in QKD systems.

In the future, we will explore the detailed security proof of NASU hash functions and their deployment within a QKD system.