DOCSLIB.ORG

Arxiv:1903.09051V3 [Quant-Ph] 19 Feb 2020 3

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Secure quantum key distribution with realistic devices Feihu Xu,1, 2 Xiongfeng Ma,3 Qiang Zhang,1, 2 Hoi-Kwong Lo,4, ∗ and Jian-Wei Pan1, 2, y 1Hefei National Laboratory for Physical Sciences at Microscale and Department of Modern Physics, University of Science and Technology of China, Hefei 230026 China 2Shanghai Branch, CAS Center for Excellence and Synergetic Innovation Center in Quantum Information and Quantum Physics, University of Science and Technology of China, Shanghai 201315 China 3Center for Quantum Information, Institute for Interdisciplinary Information Sciences, Tsinghua University, Beijing 100084 China 4Center for Quantum Information and Quantum Control, Department of Physics and Department of Electrical & Computer Engineering, University of Toronto, M5S 3G4 Toronto Canada (Dated: February 20, 2020) In principle, quantum key distribution (QKD) offers information-theoretic security based on the laws of physics. In practice, however, the imperfections of realistic devices might introduce deviations from the idealized models used in security analyses. Can quantum code-breakers successfully hack real systems by exploiting the side channels? Can quan- tum code-makers design innovative counter-measures to foil quantum code-breakers? This article reviews theoretical and experimental progress in the practical security as- pects of quantum code-making and quantum code-breaking. After numerous attempts, researchers now thoroughly understand and are able to manage the practical imper- fections. Recent advances, such as the measurement-device-independent protocol, have closed the critical side channels in the physical implementations, paving the way for secure QKD with realistic devices. CONTENTS A. Encoding and decoding 20 B. Photon sources 20 I. Introduction2 1. Prepare-and-measure 20 A. Secure communication2 2. Entanglement-based 21 B. Quantum key distribution (QKD)3 C. Channel 22 1. BB84 protocol4 D. Detection 22 2. Intuition of security4 E. Postprocessing 22 3. Overview of recent developments5 1. Error correction 23 C. Focus of this review6 2. Error verification and authentication 24 D. Outline of this review6 3. Privacy amplification 24 4. Finite-key length 25 II. Security analysis7 A. Security definition8 IV. Quantum Hacking 25 B. Security proofs 10 A. Attacks at source 26 1. Lo-Chau security proof 10 1. Photon-number-splitting attack 26 2. Shor-Preskill: reduction to prepare-and-measure 2. Phase-remapping attack 26 schemes 13 3. Nonrandom-phase attack 27 arXiv:1903.09051v3 [quant-ph] 19 Feb 2020 3. Koashi’s complementarity approach 14 B. Attacks at detection 27 4. Entropic approach 15 1. Double-click attack 28 C. Security assumptions 16 2. Fake-state attack 28 1. Source 16 3. Time-shift attack 29 2. Measurement 17 4. Detector-control attack 29 3. Channel 17 C. Other attacks 30 D. Practical security analysis 17 1. GLLP 18 V. Source Security 31 2. Random sampling and finite-data size 19 A. Decoy-state method 31 III. QKD Implementation 19 1. Theory 32 2. Experiment 33 B. Source flaws 33 1. Basis-dependent source 33 2. Nonrandom phase 35 ∗ [email protected] 3. Encoding flaws 35 y [email protected] C. Leaky source 35 2 VI. Detection Security 36 presence of Eve is called the key distribution problem. In A. Countermeasures against detection attacks 36 fact, the key distribution problem is a central challenge B. Measurement-device-independent scheme 36 in all kinds of encryption methods. 1. Time-reversed EPR QKD 36 2. MDI-QKD protocol 37 In principle, all conventional key distribution schemes 3. Theoretical developments 38 that rely on classical physics and mathmatics can only 4. Experimental developments 39 provide computational security, because in classical C. Twin-field QKD 41 physics, there is nothing to prevent an eavesdropper VII. Continuous-Variable QKD 42 from copying the key during the key distribution pro- A. Protocol and security 43 cess. Now, if Eve and Bob have the same key, whatever 1. Gaussian-modulated protocol 43 Bob can decrypt, Eve can decrypt too. 2. Discrete modulated protocol 44 3. Security analysis 44 Currently, the key distribution problem is often solved B. Experimental developments 45 by public key cryptography. In public key cryptography, C. Quantum hacking and countermeasures 46 there are a pair of keys: a public key and a private key. An intended recipient Bob will publish the public key so VIII. Other Quantum Cryptographic Protocols 47 A. Device-independent QKD 47 that anyone, such as an intended sender Alice, can en- B. Some New QKD implementations 48 crypt a message, called a plain text, with the public key 1. Round-robin DPS QKD 48 and send the encrypted message, a cipher text, to Bob. 2. High-dimensional QKD 50 On the other hand, only Bob with the private key can de- 3. QKD with wavelength-division multiplexing 51 4. Chip-based QKD 51 crypt the cipher text to recover the plain text efficiently. C. Other quantum cryptographic protocols 53 The security of public key cryptography is based on com- 1. Quantum bit commitment 53 putational assumptions. Given the public key, there is no 2. Quantum digital signature 53 efficient known algorithm for Eve to work out the private 3. Other protocols 54 key or to recover the plain text, from the cipher text. IX. Concluding Remarks 55 For instance, the security of the best-known public key crypto-system, RSA (Rivest et al., 1978), is based on the Acknowledgement 57 presumed hardness of factoring large integers. Unfortu- A. General questions to QKD 57 nately, public key cryptography is vulnerable to unan- ticipated advances in hardware and software. Moreover, References 58 in 1994, Peter Shor then at AT&T invented an efficient quantum algorithm for factorization (Shor, 1997). For this reason, if a large scale quantum computer is ever I. INTRODUCTION constructed, much of conventional cryptography will fall apart! A. Secure communication After more than two decades of intense theoretical and experimental efforts, primitive small scale quantum com- For thousands of years, code-makers and code-breakers puters have already been built. Several big companies have been fighting for supremacy. With the recent rise and a number of labs and start-ups are racing to build of Internet of Things, cyber security has become a hot the world’s first practical quantum computer. For in- topic. Cyber warfare that can undermine the security stance, Google AI Quantum Laboratory1 has realized of critical infrastructures, such as smart power grids and the quantum advantage (or supremacy) over state-of-the- financial systems, threatens the well-being of individual art classical supercomputer for a specific computational countries and the global economy. task (Arute et al., 2019), and plans to commercialize In conventional cryptography, two distant parties, tra- quantum computers within a few years (Mohseni et al., ditionally called Alice and Bob, share a communication 2017); IBM Q has already put its sixteen-qubit quantum channel and they would like to communicate privately in processor online for client use2; Rigetti has also provided the presence of an eavesdropper, Eve. The Holy Grail the quantum cloud service3; Chinese Academy of Sci- of secure communication is information-theoretical secu- ences (CAS) and Alibaba have established the Quantum rity. It is known that one could achieve information- Computing Laboratory to advance the research of quan- theoretically secure communication via the one-time-pad tum computing4; Other companies, such as Intel, Mi- (OTP) method (Vernam, 1926), if the two users, Alice crosoft, Baidu, Tencent, IonQ, Xanadu, Zapata and so and Bob, share a long random string that is kept se- cret from Eve. Note that, for the OTP scheme to be information-theoretically secure, it is important not to 1 Google Q: research.google/teams/applied-science/quantum re-use the key (Shannon, 1949). That is to say that the 2 IBM Q: www.research.ibm.com/ibm-q key has to be as long as the message itself and can only 3 Rigetti: www.rigetti.com be used once. How to distribute such a long key in the 4 CAS-Alibaba: quantumcomputer.ac.cn/index.html 3 forth, have also joined the international race to build a quantum crypto algorithm in Transport Layer Security quantum computer. Moreover, China is building the Na- (TLS)9. One drawback of post-quantum algorithms is tional Laboratory for Quantum Information Science to that those conventional algorithms are only shown to be support the revolutionary research in quantum informa- secure against known quantum attacks. There is always tion; The European Commission is planning to launch a possibility that some smart conventional or quantum the flagship initiative on quantum technologies5; USA physicist or computer scientist might one day come up has already launched the National Quantum Initiative with clever algorithms for breaking them efficiently. As Act in 20186. All in all, the risk of successful construc- said, this would lead to a retroactive security breach in tion of a quantum computer in the next decade can no future for data transmitted today with potentially disas- longer be ignored. trous consequences. Note that some data such as our DNA data and health The second approach is to use quantum cryptogra- data need to kept secret for decades. This is called long- phy (Bennett and Brassard, 1984; Ekert, 1991), particu- term security. However, cryptographic standards could larly quantum key distribution (QKD). It has the advan- take many years to change. An eavesdropper intercepting tage of promising information-theoretical security based encrypted data sent in 2019 may save them for decades on the fundamental laws of quantum physics, i.e., the se- as they wait for the future successful construction of a curity is independent of all future advances of algorithm quantum computer. The eavesdropper could then retro- or computational power. actively successfully crack an encryption scheme, there- Note however that quantum cryptography cannot fore cryptographic standards need to consider potential replicate all the functionalities of public key cryptogra- future technological advances of the next few decades.
Recommended publications
  • Security of Quantum Key Distribution with Entangled Qutrits

    Security of Quantum Key Distribution with Entangled Qutrits

    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by CERN Document Server Security of Quantum Key Distribution with Entangled Qutrits. Thomas Durt,1 Nicolas J. Cerf,2 Nicolas Gisin,3 and Marek Zukowski˙ 4 1 Toegepaste Natuurkunde en Fotonica, Theoeretische Natuurkunde, Vrije Universiteit Brussel, Pleinlaan 2, 1050 Brussels, Belgium 2 Ecole Polytechnique, CP 165, Universit´e Libre de Bruxelles, 1050 Brussels, Belgium 3 Group of Applied Physics - Optique, Universit´e de Gen`eve, 20 rue de l’Ecole de M´edecine, Gen`eve 4, Switzerland, 4Instytut Fizyki Teoretycznej i Astrofizyki Uniwersytet, Gda´nski, PL-80-952 Gda´nsk, Poland July 2002 Abstract The study of quantum cryptography and quantum non-locality have traditionnally been based on two-level quantum systems (qubits). In this paper we consider a general- isation of Ekert's cryptographic protocol[20] where qubits are replaced by qutrits. The security of this protocol is related to non-locality, in analogy with Ekert's protocol. In order to study its robustness against the optimal individual attacks, we derive the infor- mation gained by a potential eavesdropper applying a cloning-based attack. Introduction Quantum cryptography aims at transmitting a random key in such a way that the presence of an eavesdropper that monitors the communication is revealed by disturbances in the transmission of the key (for a review, see e.g. [21]). Practically, it is enough in order to realize a crypto- graphic protocol that the key signal is encoded into quantum states that belong to incompatible bases, as in the original protocol of Bennett and Brassard[4].
  • Permutation-Based Encryption, Authentication and Authenticated Encryption

    Permutation-Based Encryption, Authentication and Authenticated Encryption

    Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen1 Joint work with Guido Bertoni1, Michaël Peeters2 and Gilles Van Assche1 1STMicroelectronics 2NXP Semiconductors DIAC 2012, Stockholm, July 6 . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric Modern-day cryptography is block-cipher centric (Standard) hash functions make use of block ciphers SHA-1, SHA-256, SHA-512, Whirlpool, RIPEMD-160, … So HMAC, MGF1, etc. are in practice also block-cipher based Block encryption: ECB, CBC, … Stream encryption: synchronous: counter mode, OFB, … self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM … . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric Structure of a block cipher . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric Structure of a block cipher (inverse operation) . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric When is the inverse block cipher needed? Indicated in red: Hashing and its modes HMAC, MGF1, … Block encryption: ECB, CBC, … Stream encryption: synchronous: counter mode, OFB, … self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM … So a block cipher
  • Large Scale Quantum Key Distribution: Challenges and Solutions

    Large Scale Quantum Key Distribution: Challenges and Solutions

    Large scale quantum key distribution: challenges and solutions QIANG ZHANG,1,2 FEIHU XU,1,2 YU-AO CHEN,1,2 CHENG-ZHI PENG1,2 AND JIAN-WEI PAN1,2,* 1Shanghai Branch, Hefei National Laboratory for Physical Sciences at Microscale and Department of Modern Physics, University of Science and Technology of China, Shanghai, 201315, China 2CAS Center for Excellence and Synergetic Innovation Center in Quantum Information and Quantum Physics, University of Science and Technology of China, Shanghai 201315, P. R. China *[email protected], [email protected] Abstract: Quantum key distribution (QKD) together with one time pad encoding can provide information-theoretical security for communication. Currently, though QKD has been widely deployed in many metropolitan fiber networks, its implementation in a large scale remains experimentally challenging. This letter provides a brief review on the experimental efforts towards the goal of global QKD, including the security of practical QKD with imperfect devices, QKD metropolitan and backbone networks over optical fiber and satellite-based QKD over free space. 1. Introduction Quantum key distribution (QKD) [1,2], together with one time pad (OTP) [3] method, provides a secure means of communication with information-theoretical security based on the basic principle of quantum mechanics. Light is a natural and optimal candidate for the realization of QKD due to its flying nature and its compatibility with today’s fiber-based telecom network. The ultimate goal of the field is to realize a global QKD network for worldwide applications. Tremendous efforts have been put towards this goal [4–6]. Despite significant progresses over the past decades, there are still two major challenges for large-scale QKD network.
  • Progress in Satellite Quantum Key Distribution

    Progress in Satellite Quantum Key Distribution

    www.nature.com/npjqi REVIEW ARTICLE OPEN Progress in satellite quantum key distribution Robert Bedington 1, Juan Miguel Arrazola1 and Alexander Ling1,2 Quantum key distribution (QKD) is a family of protocols for growing a private encryption key between two parties. Despite much progress, all ground-based QKD approaches have a distance limit due to atmospheric losses or in-fibre attenuation. These limitations make purely ground-based systems impractical for a global distribution network. However, the range of communication may be extended by employing satellites equipped with high-quality optical links. This manuscript summarizes research and development which is beginning to enable QKD with satellites. It includes a discussion of protocols, infrastructure, and the technical challenges involved with implementing such systems, as well as a top level summary of on-going satellite QKD initiatives around the world. npj Quantum Information (2017) 3:30 ; doi:10.1038/s41534-017-0031-5 INTRODUCTION losses that increase exponentially with distance, greatly limiting Quantum key distribution (QKD) is a relatively new cryptographic the secure key rates that can be achieved over long ranges. primitive for establishing a private encryption key between two For any pure-loss channel with transmittance η, it has been parties. The concept has rapidly matured into a commercial shown that the secure key rate per mode of any QKD protocol 5, 6, 7 technology since the first proposal emerged in 1984,1 largely scales linearly with η for small η. This places a fundamental because of a very attractive proposition: the security of QKD is not limit to the maximum distance attainable by QKD protocols based on the computational hardness of solving mathematical relying on direct transmission.
  • Practical Quantum Key Distribution Based on the BB84 Protocol

    Practical Quantum Key Distribution Based on the BB84 Protocol

    Practical Quantum Key Distribution based on the BB84 protocol A. Ruiz-Alba, D. Calvo, V. Garcia-Muñoz, A. Martinez, W. Amaya, J.G. Rozo, J. Mora, J. Capmany Instituto de Telecomunicaciones y Aplicaciones Multimedia, Universitat Politècnica de València, 8G Building-access D-Camino de Vera s/n-46022 Valencia (Spain) Corresponding author: [email protected] Abstract relies on photon sources and the so-called pho- ton guns are far from ready. An alternative and This paper provides a review of the most impor- also a complementary approach to increase the tant and widely used Quantum Key Distribution bit rate is to make QKD systems work in paral- systems and then describes our recently pro- lel. This simple engineering approach becomes a posed scheme based on Subcarrier Multiplexing challenge when working with quantum systems: that opens the possibility of parallel Quantum The system should work in parallel but still rely Key Distribution. We report the first-ever ex- on just one source and its security should still be perimental implementation of parallel quantum guaranteed by the principles of quantum me- key distribution using this technique showing a chanics both when Alice prepares the photons maximum multiplexing gain. and when Bob “measures” the incoming states. At the same time the multiplexing technique Keywords: Optical fiber communications, quan- should be safe to Eve gaining any information. tum information, quantum key distribution, sub- carrier multiplexing. In this context, recent progress in the literature [4] remarks that photonics is a key enabling technology for implementing commercial QKD 1. Introduction systems to become a competitive technology in Information Security.
  • The Missing Difference Problem, and Its Applications to Counter Mode

    The Missing Difference Problem, and Its Applications to Counter Mode

    The Missing Difference Problem, and its Applications to Counter Mode Encryption? Ga¨etanLeurent and Ferdinand Sibleyras Inria, France fgaetan.leurent,[email protected] Abstract. The counter mode (CTR) is a simple, efficient and widely used encryption mode using a block cipher. It comes with a security proof that guarantees no attacks up to the birthday bound (i.e. as long as the number of encrypted blocks σ satisfies σ 2n=2), and a matching attack that can distinguish plaintext/ciphertext pairs from random using about 2n=2 blocks of data. The main goal of this paper is to study attacks against the counter mode beyond this simple distinguisher. We focus on message recovery attacks, with realistic assumptions about the capabilities of an adversary, and evaluate the full time complexity of the attacks rather than just the query complexity. Our main result is an attack to recover a block of message with complexity O~(2n=2). This shows that the actual security of CTR is similar to that of CBC, where collision attacks are well known to reveal information about the message. To achieve this result, we study a simple algorithmic problem related to the security of the CTR mode: the missing difference problem. We give efficient algorithms for this problem in two practically relevant cases: where the missing difference is known to be in some linear subspace, and when the amount of data is higher than strictly required. As a further application, we show that the second algorithm can also be used to break some polynomial MACs such as GMAC and Poly1305, with a universal forgery attack with complexity O~(22n=3).
  • Quantum Key Distribution Protocols and Applications

    Quantum Key Distribution Protocols and Applications

    Quantum Key Distribution Protocols and Applications Sheila Cobourne Technical Report RHUL{MA{2011{05 8th March 2011 Department of Mathematics Royal Holloway, University of London Egham, Surrey TW20 0EX, England http://www.rhul.ac.uk/mathematics/techreports Title: Quantum Key Distribution – Protocols and Applications Name: Sheila Cobourne Student Number: 100627811 Supervisor: Carlos Cid Submitted as part of the requirements for the award of the MSc in Information Security at Royal Holloway, University of London. I declare that this assignment is all my own work and that I have acknowledged all quotations from the published or unpublished works of other people. I declare that I have also read the statements on plagiarism in Section 1 of the Regulations Governing Examination and Assessment Offences and in accordance with it I submit this project report as my own work. Signature: Date: Acknowledgements I would like to thank Carlos Cid for his helpful suggestions and guidance during this project. Also, I would like to express my appreciation to the lecturers at Royal Holloway who have increased my understanding of Information Security immensely over the course of the MSc, without which this project would not have been possible. Contents Table of Figures ................................................................................................... 6 Executive Summary ............................................................................................. 7 Chapter 1 Introduction ...................................................................................
  • Machine Learning Aided Carrier Recovery in Continuous-Variable Quantum Key Distribution

    Machine Learning Aided Carrier Recovery in Continuous-Variable Quantum Key Distribution

    Machine Learning Aided Carrier Recovery in Continuous-Variable Quantum Key Distribution T Gehring1, H-M Chin1,2, N Jain1, D Zibar2, and U L Andersen1 1Department of Physics, Technical University of Denmark, Lyngby, Denmark 2Department of Photonics, Technical University of Denmark, Lyngby, Denmark Contact Email: [email protected] Continuous-variable quantum key distribution (CV-QKD) makes use of in-phase and quadrature mod- ulation and coherent detection to distribute secret keys between two parties for data encryption with future proof security. The secret key rate of such CV-QKD systems is limited by excess noise, which is attributed to an eavesdropper. A key issue typical to all modern CV-QKD systems implemented with a reference or pilot signal and an independent local oscillator is controlling the excess noise generated from the fre- quency and phase noise accrued by the transmitter and receiver. Therefore accurate phase estimation and compensation, so-called carrier recovery, is a critical subsystem of CV-QKD. Here, we present the implementation of a machine learning framework based on Bayesian inference, namely an unscented Kalman filter (UKF), for estimation of phase noise and compare it to a standard reference method. Experimental results obtained over a 20 km fiber-optic link indicate that the UKF can ensure very low excess noise even at low pilot powers. The measurements exhibited low variance and high stability in excess noise over a wide range of pilot signal to noise ratios. The machine learning framework may enable CV-QKD systems with low implementation complexity, which can seamlessly work on diverse transmission lines, and it may have applications in the implemen- tation of other cryptographic protocols, cloud-based photonic quantum computing, as well as in quantum sensing..
  • SECURING CLOUDS – the QUANTUM WAY 1 Introduction

    SECURING CLOUDS – the QUANTUM WAY 1 Introduction

    SECURING CLOUDS – THE QUANTUM WAY Marmik Pandya Department of Information Assurance Northeastern University Boston, USA 1 Introduction Quantum mechanics is the study of the small particles that make up the universe – for instance, atoms et al. At such a microscopic level, the laws of classical mechanics fail to explain most of the observed phenomenon. At such a state quantum properties exhibited by particles is quite noticeable. Before we move forward a basic question arises that, what are quantum properties? To answer this question, we'll look at the basis of quantum mechanics – The Heisenberg's Uncertainty Principle. The uncertainty principle states that the more precisely the position is determined, the less precisely the momentum is known in this instant, and vice versa. For instance, if you measure the position of an electron revolving around the nucleus an atom, you cannot accurately measure its velocity. If you measure the electron's velocity, you cannot accurately determine its position. Equation for Heisenberg's uncertainty principle: Where σx standard deviation of position, σx the standard deviation of momentum and ħ is the reduced Planck constant, h / 2π. In a practical scenario, this principle is applied to photons. Photons – the smallest measure of light, can exist in all of their possible states at once and also they don’t have any mass. This means that whatever direction a photon can spin in -- say, diagonally, vertically and horizontally -- it does all at once. This is exactly the same as if you constantly moved east, west, north, south, and up-and-down at the same time.
  • Lecture 12: Quantum Key Distribution. Secret Key. BB84, E91 and B92 Protocols. Continuous-Variable Protocols. 1. Secret Key. A

    Lecture 12: Quantum Key Distribution. Secret Key. BB84, E91 and B92 Protocols. Continuous-Variable Protocols. 1. Secret Key. A

    Lecture 12: Quantum key distribution. Secret key. BB84, E91 and B92 protocols. Continuous-variable protocols. 1. Secret key. According to the Vernam theorem, any message (for instance, consisting of binary symbols, 01010101010101), can be encoded in an absolutely secret way if the one uses a secret key of the same length. A key is also a sequence, for instance, 01110001010001. The encoding is done by adding the message and the key modulo 2: 00100100000100. The one who knows the key can decode the encoded message by adding the key to the message modulo 2. The important thing is that the key should be used only once. It is exactly this way that classical cryptography works. Therefore the only task of quantum cryptography is to distribute the secret key between just two users (conventionally called Alice and Bob). This is Quantum Key Distribution (QKD). 2. BB84 protocol, proposed in 1984 by Bennett and Brassard – that’s where the name comes from. The idea is to encode every bit of the secret key into the polarization state of a single photon. Because the polarization state of a single photon cannot be measured without destroying this photon, this information will be ‘fragile’ and not available to the eavesdropper. Any eavesdropper (called Eve) will have to detect the photon, and then she will either reveal herself or will have to re-send this photon. But then she will inevitably send a photon with a wrong polarization state. This will lead to errors, and again the eavesdropper will reveal herself. The protocol then runs as follows.
  • NISTIR 7620 Status Report on the First Round of the SHA-3

    NISTIR 7620 Status Report on the First Round of the SHA-3

    NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 September 2009 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director NISTIR 7620: Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Abstract The National Institute of Standards and Technology is in the process of selecting a new cryptographic hash algorithm through a public competition. The new hash algorithm will be referred to as “SHA-3” and will complement the SHA-2 hash algorithms currently specified in FIPS 180-3, Secure Hash Standard. In October, 2008, 64 candidate algorithms were submitted to NIST for consideration. Among these, 51 met the minimum acceptance criteria and were accepted as First-Round Candidates on Dec. 10, 2008, marking the beginning of the First Round of the SHA-3 cryptographic hash algorithm competition. This report describes the evaluation criteria and selection process, based on public feedback and internal review of the first-round candidates, and summarizes the 14 candidate algorithms announced on July 24, 2009 for moving forward to the second round of the competition. The 14 Second-Round Candidates are BLAKE, BLUE MIDNIGHT WISH, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein.
  • High-Speed Hardware Implementations of BLAKE, Blue

    High-Speed Hardware Implementations of BLAKE, Blue

    High-Speed Hardware Implementations of BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein Version 2.0, November 11, 2009 Stefan Tillich, Martin Feldhofer, Mario Kirschbaum, Thomas Plos, J¨orn-Marc Schmidt, and Alexander Szekely Graz University of Technology, Institute for Applied Information Processing and Communications, Inffeldgasse 16a, A{8010 Graz, Austria {Stefan.Tillich,Martin.Feldhofer,Mario.Kirschbaum, Thomas.Plos,Joern-Marc.Schmidt,Alexander.Szekely}@iaik.tugraz.at Abstract. In this paper we describe our high-speed hardware imple- mentations of the 14 candidates of the second evaluation round of the SHA-3 hash function competition. We synthesized all implementations using a uniform tool chain, standard-cell library, target technology, and optimization heuristic. This work provides the fairest comparison of all second-round candidates to date. Keywords: SHA-3, round 2, hardware, ASIC, standard-cell implemen- tation, high speed, high throughput, BLAKE, Blue Midnight Wish, Cube- Hash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, Skein. 1 About Paper Version 2.0 This version of the paper contains improved performance results for Blue Mid- night Wish and SHAvite-3, which have been achieved with additional imple- mentation variants. Furthermore, we include the performance results of a simple SHA-256 implementation as a point of reference. As of now, the implementations of 13 of the candidates include eventual round-two tweaks. Our implementation of SIMD realizes the specification from round one. 2 Introduction Following the weakening of the widely-used SHA-1 hash algorithm and concerns over the similarly-structured algorithms of the SHA-2 family, the US NIST has initiated the SHA-3 contest in order to select a suitable drop-in replacement [27].