Authentication of variable length messages in quantum key distribution

Authentication plays a critical role in the security of quantum key distribution (QKD) protocols. We propose using Polynomial Hash and its variants for authentication of variable length messages in QKD protocols. Since universal hashing is used not only for authentication in QKD but also in other steps in QKD like error correction and privacy amplification, and also in several other areas of quantum cryptography, Polynomial Hash and its variants as the most efficient universal hash function families can be used in these important steps and areas, as well. We introduce and analyze several efficient variants of Polynomial Hash and, using deep results from number theory, prove that each variant gives an ε-almost-Δ-universal family of hash functions. We also give a general method for transforming any such family to an ε-almost-strongly universal family of hash functions. The latter families can then, among other applications, be used in the Wegman–Carter MAC construction which has been shown to provide a universally composable authentication method in QKD protocols. As Polynomial Hash has found many applications, our constructions and results are potentially of interest in various areas.


Introduction
Key establishment protocols, in which cryptographic keys are securely exchanged between parties over a public channel, usually use methods from public-key cryptography, like Diffie-Hellman key exchange (DH) and elliptic-curve Diffie-Hellman (ECDH); see [1] for a comprehensive treatment of the key establishment protocols in cryptography. However, the security of such schemes relies on the computational hardness of certain mathematical problems (namely, the discrete logarithm problem, the elliptic-curve discrete logarithm problem, and the integer factorization problem) which can be solved on a sufficiently powerful quantum computer running Shor's algorithm. Quantum key distribution (QKD), which relies on the foundations of quantum mechanics, provides a higher level of security than such schemes. QKD is provably secure even against an adversary with unbounded computational power and is also becoming increasingly feasible to implement. QKD has found many surprising applications, its commercialization has been successful, and QKD networks are now deployed in some metropolitan areas [2]. There are many excellent surveys on QKD (see, e.g., [3][4][5]).
Studying the security of QKD has become a topic of great importance (see [6,7] for two excellent surveys). QKD requires a quantum channel and a classical channel. The classical channel needs to be authenticated to avoid man-in-the-middle (MITM) attacks. For the authentication of the communications on the classical channel, the original message authentication codes (MACs) proposed by Wegman and Carter [8], their variants [9], or other efficient constructions [10] are used. All these MACs use universal hash functions in their constructions. In the Wegman-Carter paradigm [8] the message is first hashed with an ε-almost-strongly universal hash function and then encrypted with a one-time pad. The application of the Wegman-Carter paradigm in QKD was originally proposed by Bennett and Brassard [11,12] in the BB84 protocol (their well-known QKD scheme developed in 1984) and by Bennett et al. [13], and since then has been studied extensively (see, e.g., [9,10,[14][15][16][17][18]). The Wegman-Carter MAC construction is described as follows. The legitimate parties share a secret hash function chosen uniformly at random from an ε-almost-strongly universal (ε-ASU) family of hash functions, and a secret encryption key (a sequence of random one-time pads). A message is authenticated by first hashing it with the shared hash function and then encrypting the resulting hash value with the shared encryption key (shared one-time pad). The resulting encrypted hash value, called an authentication tag, is transmitted together with the message (as a pair). Upon receiving this pair, the legitimate party recomputes the tag from the received message and the shared secrets and accepts the message only if it matches the received tag. Such a MAC algorithm is information-theoretically (unconditionally) secure, that is, even an adversary who has unbounded computational power cannot forge the MAC with probability greater than the collision probability of the hash function family [8].
Because, in the authentication of the classical channel, the legitimate parties need to share some initial small secret information in advance as described above, QKD is sometimes called a quantum key growing (rather than quantum key distribution) protocol. The Wegman-Carter MAC construction has been shown in [18] to be universally composable (UC) [19][20][21], and therefore it is sufficient for authentication in QKD systems. One way to make QKD protocols more efficient and applicable is to construct efficient ε-ASU hash function families because these families are the main ingredient in the Wegman-Carter construction (and in many other universal hashing based MACs).
In this paper, following [22][23][24] we propose using Polynomial Hash (PH) and its variants for authentication of variable length messages in QKD systems. Since universal hashing is used not only for authentication in QKD but also in other steps in QKD like error correction and privacy amplification [7,13,[25][26][27][28][29][30], and also in several other areas of quantum cryptography (that we will briefly mention in the last section), Polynomial Hash and its variants, as the most efficient universal hash function families, can be used in these important steps and areas as well. Polynomial Hash is a well-known ε-almost-Δ-universal (ε-AΔU) family of hash functions which has found various important applications; for example, Galois/Counter Mode (GCM) [31] (which is used in IPsec, SSH, and TLS) and Poly1305 [32] (which is used in Google Chrome's TLS, and later was added to OpenSSH) use this scheme. See also [33][34][35][36][37][38][39][40][41][42][43] for various other applications of Polynomial Hash. We introduce and analyze several efficient variants of Polynomial Hash and, using deep results from number theory, prove that such variants are also ε-AΔU and so can be used in various applications. Furthermore, we propose a general method by which any ε-AΔU hash function family can be transformed to an ε-ASU family. Therefore, the Polynomial Hash variants constructed in this paper can all be transformed to ε-ASU families, which makes them useful for various applications including authentication of variable length messages in QKD.
The rest of this paper is organized as follows. In Sect. 2, we review some results on equations over fields and rings, in particular some rather underappreciated results of Konyagin [44,45], using which we obtain upper bounds for the number of solutions of polynomial congruences over the ring of integers modulo n, Z n . In Sect. 3, we formally define universal hashing and its variants and prove a general result for transforming ε-AΔU families to ε-ASU families. In Sect. 4, we construct and analyze several efficient variants of Polynomial Hash and compare our results with available results.

Equations over fields and rings
Throughout the paper, n is a positive integer, p is a prime, Z n is the ring of integers modulo n defined as Z n = {0, . . . , n -1}, F is a field, and F q is the finite field with q elements, where q is a prime power. Also, F p is the prime field. Finding (the number of) solutions of univariate and multivariate polynomial equations over fields and rings is a fundamental problem in mathematics, computer science, and related areas with many applications in various domains. In this paper, by a polynomial we mean a univariate polynomial. As a classical example, one can mention the Fundamental Theorem of Algebra, which gives the exact number of solutions of polynomial equations over the field of complex numbers. There are about a hundred proofs(!) of the Fundamental Theorem of Algebra [46]. See [46] for "one of the most elegant and certainly the shortest" proof.
By a solution of the polynomial congruence we mean an integer in Z n that satisfies the congruence. So, every polynomial congruence modulo n has at most n solutions. Similarly, every multivariate polynomial congruence in k variables modulo n has at most n k solutions. A natural question is whether the Fundamental Theorem of Algebra can be applied to the ring Z n (that is, to polynomial congruences modulo n). The answer is no; there is no direct analog of the Fundamental Theorem of Algebra for polynomial congruences. Let us see some examples. The following result, proved by D. N. Lehmer [47], gives an explicit formula for the number of solutions of linear congruences:
Theorem 2.2 (Lehmer's Theorem) Let a 1 , . . . , a k , b ∈ Z. The linear congruence has a solution x 1 , . . . , x k ∈ Z k n if and only if | b, where = gcd(a 1 , . . . , a k , n). Furthermore, if this condition is satisfied, then there are n k-1 solutions.
Note that the generalization of Lehmer's Theorem to higher degree multivariate polynomial congruences is a challenging problem. In fact, even the quadratic version addressed by Cohen [48] has much more complicated formulas. By Lehmer's Theorem, the linear congruence ax ≡ b (mod n), where a and b are integers, has zero, one, or more solutions (in fact, zero or gcd(a, n) solutions). As another example, the quadratic congruence x 2 ≡ 1 (mod 8) has four solutions 1, 3, 5, and 7. These examples show that the Fundamental Theorem of Algebra is not applicable to polynomial congruences. But when the modulus is prime, we have the following result due to Lagrange which gives an upper bound for the number of solutions (see, e.g., [49]).

Theorem 2.3 (Lagrange's Theorem) Given a prime p, let
f (x) = a d x d + · · · + a 1 x + a 0 be a polynomial with integer coefficients such that a d ≢ 0 (mod p) (said to be of degree d).
Then the polynomial congruence f (x) ≡ 0 (mod p) has at most d solutions.
Lagrange's Theorem can be extended from the prime field Z p to arbitrary fields (not necessarily finite) as follows (see, e.g., [50]):
It would be useful to compare the above results:
Remark 2.5 The following observations are useful, especially when discussing Polynomial Hash and its variants:
• Setting F = Z p in Theorem 2.4 we obtain Lagrange's Theorem, but not in full generality. In fact, in Theorem 2.4 when F = Z p the coefficients of the polynomial must be in Z p , but in Lagrange's Theorem the coefficients are arbitrary integers.
• While Theorem 2.4 works on arbitrary fields (including the field of complex numbers), it does not imply the Fundamental Theorem of Algebra. In fact, the Fundamental Theorem of Algebra gives the exact number of complex solutions of polynomial equations over the field of complex numbers, but Lagrange's Theorem and Theorem 2.4 just give upper bounds for the number of solutions over the prime field and arbitrary fields, respectively.
• The proof of the Fundamental Theorem of Algebra is totally different from the proofs of Lagrange's Theorem and Theorem 2.4. In fact, the proof of the Fundamental Theorem of Algebra is usually given as a result in complex analysis and "the shortest" proof [46] still requires two pages, but the proofs of Lagrange's Theorem and Theorem 2.4 are usually given as results in number theory and field theory and can be written in just a few lines (see, e.g., [49,50]).
Note that Lagrange's Theorem does not hold for composite moduli. For example, the quadratic congruence x 2 ≡ 1 (mod 8) has four solutions 1, 3, 5, and 7. Surprisingly, Vandiver [51] obtained, for 'restricted' solutions, exactly the same upper bound as in Lagrange's Theorem and Theorem 2.4 in the much more general setting of commutative rings with identity (that we call Vandiver's Theorem), but, unfortunately, his result, while quite interesting, seems to have been forgotten. Let R be a commutative ring with identity. Two elements u, v ∈ R are said to be absolutely distinct if u − v is not zero and not a zero divisor. Taking R = Z n , Vandiver [51] derived the following version for Z n . Two integers a and b are said to be absolutely incongruent modulo n if a − b is coprime to n.
Theorem 2.7 (Vandiver's Theorem for Z n ) Given a positive integer n, let be a polynomial with integer coefficients such that a d ≢ 0 (mod n). Then the polynomial congruence has at most d absolutely incongruent solutions.
Note that setting n = p, a prime, in Vandiver's Theorem for Z n , we re-obtain Lagrange's Theorem since any two distinct elements of Z p are absolutely incongruent modulo p.
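The examples above (Lehmer's count for a linear congruence, the four roots of x 2 ≡ 1 (mod 8), Lagrange's bound for prime moduli, and Vandiver's absolutely incongruent solutions) can all be checked by exhaustive search for small moduli. The following Python script is an added illustration and is not part of the paper; it represents a polynomial by its coefficient list [a 0 , a 1 , . . . , a d ], counts the solutions of a polynomial congruence by trying every residue, and searches all polynomials of a given degree for a violation of Lagrange's bound (which exists exactly when the modulus is composite). The moduli and polynomials used in the demonstration are chosen for the example.

```python
from itertools import combinations, product
from math import gcd


def poly_mod(coeffs, x, n):
    """Evaluate f(x) = a_0 + a_1 x + ... + a_d x^d modulo n, with
    coeffs = [a_0, a_1, ..., a_d].  Horner's rule keeps every
    intermediate value inside Z_n."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % n
    return acc


def solutions(coeffs, n):
    """All x in Z_n = {0, ..., n-1} with f(x) ≡ 0 (mod n), by exhaustive
    search.  Fine for the toy moduli used here; the point is to count."""
    return [x for x in range(n) if poly_mod(coeffs, x, n) == 0]


def lehmer_count(a, b, n):
    """Lehmer's Theorem in one variable: a x ≡ b (mod n) has no solution
    unless g = gcd(a, n) divides b, and exactly g solutions otherwise."""
    g = gcd(a, n)
    return g if b % g == 0 else 0


def lagrange_bound_holds(d, n):
    """Test 'a polynomial of degree d has at most d roots modulo n' over
    every polynomial with coefficients in Z_n and a_d not ≡ 0 (mod n).
    True for every prime n (Lagrange); the search finds a counterexample
    for composite n, e.g. x^2 - 1 modulo 8."""
    for low in product(range(n), repeat=d):
        for lead in range(1, n):
            if len(solutions(list(low) + [lead], n)) > d:
                return False
    return True


def max_absolutely_incongruent(sols, n):
    """Size of the largest subset of sols that is pairwise absolutely
    incongruent modulo n (every pairwise difference coprime to n).  By
    Vandiver's Theorem this never exceeds the degree, even for composite n."""
    for k in range(len(sols), 0, -1):
        for subset in combinations(sols, k):
            if all(gcd(u - v, n) == 1 for u, v in combinations(subset, 2)):
                return k
    return 0


if __name__ == "__main__":
    # x^2 - 1 has coefficient list [-1, 0, 1]: degree 2, yet four roots modulo 8.
    print(solutions([-1, 0, 1], 8))                                # [1, 3, 5, 7]
    print(solutions([-1, 0, 1], 7))                                # [1, 6]
    print(lagrange_bound_holds(3, 7), lagrange_bound_holds(2, 8))  # True False
    # The four roots modulo 8 are all odd, so no two of them are absolutely
    # incongruent: at most one 'restricted' solution, within Vandiver's bound 2.
    print(max_absolutely_incongruent([1, 3, 5, 7], 8))             # 1
    # 6x ≡ 4 (mod 10): gcd(6, 10) = 2 divides 4, so exactly 2 solutions.
    print(lehmer_count(6, 4, 10), solutions([-4, 6], 10))          # 2 [4, 9]
```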
The rest of this section is devoted to generalizing Lagrange's Theorem to composite moduli (or, equivalently, generalizing Vandiver's Theorem for Z n to cover all solutions). For generalization to prime power moduli, an upper bound for the number of solutions can be obtained using the following result (see, e.g., [49]).

Theorem 2.8 Suppose α > 1 is an integer and s is a solution of the polynomial congruence
Then we have the following cases:
• If f ′(s) ≢ 0 (mod p) then s can be lifted in a unique way from p α-1 to p α . That is, there is a unique t ∈ Z p α which reduces to s modulo p α-1 and which satisfies the polynomial congruence

Lemma 2.9 Given a positive integer n, let be a polynomial with integer coefficients such that a d ≢ 0 (mod n) (said to be of degree d).
Denote by N d (a 0 , a 1 , . . . , a d , n) the number of solutions of the polynomial congruence
Proof The proof easily follows from the basic properties of congruences.
Therefore, by Lemma 2.9, it suffices to consider the number of solutions of the above polynomial congruence with gcd(a 0 , a 1 , . . . , a d , n) = 1. For simplicity, we denote the number of such solutions by N(d, n).
Using Lagrange's Theorem and Theorem 2.8, we can obtain the following upper bound for N(d, p α ).

Theorem 2.10
Let α ≥ 1 be an integer. Then
Proof By Lagrange's Theorem, N(d, p) ≤ d. Then, using Theorem 2.8, corresponding to each solution of the polynomial congruence modulo p there will be 0, 1, or p solutions modulo p 2 . So, using Lagrange's Theorem and Theorem 2.8, N(d, p 2 ) ≤ dp. Similarly, corresponding to each solution of the polynomial congruence modulo p 2 there will be 0, 1, or p solutions modulo p 3 . Therefore, N(d, p 3 ) ≤ dp 2 . Repeating this process, the result follows.
Is there a better upper bound for N(d, p α )? Yes(!), and the best upper bound for N(d, p α ) is widely attributed to Stewart [52], and to Schmidt and Stewart [53]. But we have discovered that Konyagin [44,45] (in Russian, back in 1979) had already obtained a stronger and more general upper bound for N(d, p α ) (that we call Konyagin's Theorem). We remark that all these bounds were obtained using advanced tools in number theory and their proofs are rather long and complicated.
So far, we have very good upper bounds for the number of solutions of polynomial congruences modulo prime powers. Now, we generalize these upper bounds to arbitrary moduli. For this we need the following tool (see, e.g., [49]).

Theorem 2.12
Let f (x) be a polynomial with integer coefficients. Also, let n 1 , . . . , n r be positive integers, pairwise coprime, and let n = n 1 · · · n r . Then the polynomial congruence has a solution if and only if each of the polynomial congruences has a solution. Moreover, if v(n) and v(n i ) denote the number of solutions of (1) and (2),
When the modulus n is square-free, we obtain the best upper bound for N(d, n) using Lagrange's Theorem and Theorem 2.12 as follows.
Proof Let n have the prime factorization n = p 1 · · · p r , where the p i 's are distinct primes. By Lagrange's Theorem, N(d, p i ) ≤ d for all i. Since the p i 's are pairwise coprime, using Theorem 2.12 we have
Similarly, when the modulus n is an arbitrary positive integer, we obtain the best upper bound for N(d, n) using Konyagin's Theorem and Theorem 2.12 as follows.
for all i. Since p α i i 's are pairwise coprime, using Theorem 2.12 we have .
Similarly, if d ≥ 2 and p i ≥ d 1+1/(d-1) for all i, then by Konyagin's Theorem and Theorem 2.12, we have

Universal hashing and its variants
Universal hash function families, introduced by Carter and Wegman [54], guarantee a low number of collisions in expectation when a hash function is chosen uniformly at random from the universal hash function family. These hash function families have many important applications in computer science and cryptography (see [55] for a comprehensive list of references). We begin by describing universal hashing and its variants in detail [54,[56][57][58][59][60]. For a set X , we write x ← X to denote that x is chosen uniformly at random from X . Because many universal hash functions only work on fixed length messages, it is often necessary to extend the domain of the hash function to work on longer messages. Wegman and Carter [8] introduced a construction which recursively hashes messages to a desired length. Let H be an ε-AU family of hash functions, which maps blocks of length 2l to blocks of length l. At each round of tree hash, the message is split into blocks of length 2l and each block is hashed with some h ∈ H. The length of the message is halved each round, so the runtime is logarithmic in the size of the message, and after n rounds of tree hash, the collision probability is 1 − (1 − ε)^n [61]. However, due to the recursive nature of tree hash, it is not suitable for devices with limited memory. Instead, an iterative method can be constructed by composing hash functions.
The last two parts of this result can be used to pair an efficient ε-AU hash family with an ε-AΔU or ε-ASU hash family to create an efficient ε-AΔU or ε-ASU family. We can also use this result to create a Merkle-Damgård like paradigm for universal hash functions. Let H : A × B → B be ε-AU and let b ∈ B. Then the family H l = {h l (m l , h l-1 (. . . h 2 (m 2 , h 1 (m 1 , b)) . . . )) | h 1 , . . . , h l ∈ H} can hash messages of length l for any positive l, and is l(2ε − ε 2 )-AU. This construction was used by Minematsu and Tsunoo [62], and a more general proof of its collision bound was given by Duval and Leurent [63].
Often the collision probability of a hash function may be larger than desired. For this reason, there are several techniques for reducing the collision probability of a hash function family. If H is an ε-AU family of hash functions, then by hashing a message with two independent keys and concatenating the results, the probability of collision is lowered to ε 2 , at the expense of doubling the computational work, the length of the hash value, and the size of the key. The well-known Toeplitz extension, which has been used in several MAC algorithms (cf. [56,64]), reduces the key size needed for this technique. Rather than generating two independent keys x = x 1 , x 2 , . . . , x k and x′ = x′ 1 , x′ 2 , . . . , x′ k , we generate the values x 1 , . . . , x k+1 and use the keys x 1 , x 2 , . . . , x k and x 2 , x 3 , . . . , x k+1 . We can easily extend this procedure to concatenate n hash values to get a collision probability of ε n . While the computation and hash length still increase by a factor of n, the size of the key only increases by n values. Not only does this save key material, it reduces memory accesses, thus potentially improving performance. Now, we prove a general result for transforming ε-AΔU families to ε-ASU families. Because for authentication in QKD systems we need efficient ε-ASU families, our result implies that constructing such families boils down to constructing efficient ε-AΔU families. Our result is a generalization of the following result by Etzel et al. [65] which seems to have remained underappreciated.
and '+' denotes the group addition operation, is strongly universal.
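The Toeplitz extension described above can be checked exactly on a toy instance. The following Python script is an added example and not the paper's code: it uses the inner-product hash h x (m) = Σ m i x i mod p, which is (1/p)-AU, as the base family, builds the two-output Toeplitz family from k + 1 key values and the two-independent-keys family from 2k key values, and computes each family's worst-case collision probability over all keys and all pairs of distinct messages. The parameters p = 5 and k = 2 are chosen for the example; the result shows the Toeplitz family reaching the same ε 2 as independent keys with fewer key values.

```python
from fractions import Fraction
from itertools import product


def linear_hash(blocks, key, p):
    """Inner-product hash over Z_p: sum m_i * x_i mod p, one key value per block."""
    return sum(m * x for m, x in zip(blocks, key)) % p


def toeplitz_hash(blocks, key, p, t):
    """Toeplitz extension: from k + t - 1 key values derive the t overlapping
    keys (x_1..x_k), (x_2..x_{k+1}), ... and concatenate the t hash values."""
    k = len(blocks)
    assert len(key) == k + t - 1, "Toeplitz key has k + t - 1 values"
    return tuple(linear_hash(blocks, key[j:j + k], p) for j in range(t))


def independent_hash(blocks, key, p, t):
    """Baseline: t independent keys of k values each, hash values concatenated."""
    k = len(blocks)
    assert len(key) == k * t, "independent keys need k * t values"
    return tuple(linear_hash(blocks, key[j * k:(j + 1) * k], p) for j in range(t))


def max_collision_prob(hash_fn, key_len, p, k):
    """Exact collision probability of the family {hash_fn(., key) : key in Z_p^key_len},
    maximised over all pairs of distinct k-block messages in Z_p^k.  Brute force,
    so only for toy parameters."""
    keys = list(product(range(p), repeat=key_len))
    msgs = list(product(range(p), repeat=k))
    worst = Fraction(0)
    for i, m in enumerate(msgs):
        for m2 in msgs[i + 1:]:
            hits = sum(1 for key in keys if hash_fn(m, key) == hash_fn(m2, key))
            worst = max(worst, Fraction(hits, len(keys)))
    return worst


def collision_table(p, k, t):
    """Worst-case collision probability of the single hash (k key values), its
    t-fold Toeplitz extension (k + t - 1 key values) and t independent keys
    (k * t key values), as exact fractions."""
    single = max_collision_prob(lambda m, key: linear_hash(m, key, p), k, p, k)
    toeplitz = max_collision_prob(lambda m, key: toeplitz_hash(m, key, p, t), k + t - 1, p, k)
    indep = max_collision_prob(lambda m, key: independent_hash(m, key, p, t), k * t, p, k)
    return single, toeplitz, indep


if __name__ == "__main__":
    # constructed toy parameters: p = 5, two-block messages, two concatenated hashes
    s, tp, ind = collision_table(5, 2, 2)
    print(f"single: {s}  toeplitz(2): {tp}  independent(2): {ind}")  # 1/5 1/25 1/25
```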
In order to generalize the above result, we also need the following result (see [66]): Theorem 3.4 Let G be an Abelian group, and let ξ 1 , ξ 2 , . . . , ξ t be independent random variables which take on values in G. If one of ξ i is uniformly distributed in G, then the sum ξ 1 + ξ 2 + · · · + ξ t is also uniformly distributed in G.
More generally, Sherstnev [66] gave necessary and sufficient conditions on the distributions of independent random variables ξ 1 , ξ 2 , . . . , ξ t , taking on values in an Abelian group G, under which the sum ξ 1 + ξ 2 + · · · + ξ t is uniformly distributed in G. Now, we are ready to prove our result.
and '+' denotes the group addition operation, is ε-almost-strongly universal.
Proof For any two distinct x, y ∈ D, and all a, b ∈ R, we have Since H is ε-almost-Δ-universal, we have

Also, by Theorem 3.4 we have
Consequently, Hence, the result follows.
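As an added worked example (not from the paper), the following Python script instantiates the construction just proved with Polynomial Hash over Z p as the ε-AΔU family H (the family is defined in Sect. 4; here the constant-term-free form h x (m) = m 1 x + · · · + m d x d mod p is assumed, since a constant term would break Δ-universality), adds a uniformly random r ∈ Z p to obtain the ε-ASU family of the theorem, and uses the result as the Wegman–Carter MAC of the Introduction, where r plays the role of the one-time pad. For tiny parameters it also verifies both bounds exhaustively over all keys: the Δ-collision probability is at most d/p, and the ASU pair probability is at most (d/p)/p. The function names and the sample values are chosen for this example and are not the paper's.

```python
from fractions import Fraction
from itertools import product


def poly_hash(blocks, x, p):
    """Polynomial Hash over Z_p in the constant-term-free form assumed here:
    h_x(m_1..m_d) = m_1 x + m_2 x^2 + ... + m_d x^d mod p, by Horner's rule."""
    acc = 0
    for m_i in reversed(blocks):
        acc = (acc * x + m_i) % p
    return (acc * x) % p


def asu_hash(blocks, key, p):
    """The transform of Sect. 3: add a uniformly random r in Z_p (the group R)
    to the ε-AΔU hash.  key = (x, r); the resulting family is ε-ASU."""
    x, r = key
    return (poly_hash(blocks, x, p) + r) % p


def wc_tag(blocks, x, pad, p):
    """Wegman–Carter tag: hash with the shared x, then one-time-pad the hash
    value with a fresh pad in Z_p (the pad is exactly the r of asu_hash)."""
    return asu_hash(blocks, (x, pad), p)


def wc_verify(blocks, tag, x, pad, p):
    """Receiver recomputes the tag and accepts only on an exact match.
    (A production implementation would compare in constant time.)"""
    return wc_tag(blocks, x, pad, p) == tag


def max_delta_collision_prob(p, d):
    """Exhaustive ε-AΔU check: over all distinct m, m' in Z_p^d and all δ in Z_p,
    the largest Pr_x[h_x(m) - h_x(m') ≡ δ (mod p)].  Must be ≤ d/p."""
    msgs = list(product(range(p), repeat=d))
    worst = Fraction(0)
    for m in msgs:
        for m2 in msgs:
            if m == m2:
                continue
            diffs = [(poly_hash(m, x, p) - poly_hash(m2, x, p)) % p for x in range(p)]
            worst = max(worst, Fraction(max(diffs.count(delta) for delta in range(p)), p))
    return worst


def asu_check(p, d):
    """Exhaustive ε-ASU check of {asu_hash(., (x, r), p)} with keys in Z_p^2:
    (1) Pr[h(m) = a] = 1/p for every m and a;
    (2) Pr[h(m) = a and h(m') = b] ≤ (d/p)/p for all m ≠ m' and all a, b.
    Returns (uniform_ok, worst_pair_probability)."""
    msgs = list(product(range(p), repeat=d))
    keys = list(product(range(p), repeat=2))
    for m in msgs:
        hist = [0] * p
        for key in keys:
            hist[asu_hash(m, key, p)] += 1
        if any(c * p != len(keys) for c in hist):
            return False, None
    worst = Fraction(0)
    for m in msgs:
        for m2 in msgs:
            if m == m2:
                continue
            pair = {}
            for key in keys:
                ab = (asu_hash(m, key, p), asu_hash(m2, key, p))
                pair[ab] = pair.get(ab, 0) + 1
            worst = max(worst, Fraction(max(pair.values()), len(keys)))
    return True, worst


if __name__ == "__main__":
    P = 2**127 - 1   # a Mersenne prime; the message, key and pad below are constructed
    tag = wc_tag([1, 2, 3], 3, 7, P)
    print(tag, wc_verify([1, 2, 3], tag, 3, 7, P), wc_verify([1, 2, 4], tag, 3, 7, P))
    print(max_delta_collision_prob(5, 1), max_delta_collision_prob(3, 2))   # 1/5 2/3
    print(asu_check(5, 1))                                                   # (True, Fraction(1, 25))
```

For p = 5 and d = 1 every pair (a, b) is hit by exactly one of the 25 keys, so the ASU pair probability equals (d/p)/p = 1/25 exactly, matching the bound in the proof above.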

Polynomial Hash and its variants
An ε-AΔU family of hash functions which has received much attention is Polynomial Hash (PH), which is used for hashing variable length messages. The idea is that we put the message blocks as the coefficients of a polynomial and then evaluate the polynomial at the secret key, where all operations are done in a specific field or ring. In this section, we introduce and analyze several efficient variants of Polynomial Hash and then compare our results with available results. As Polynomial Hash has found many applications, our constructions and results might be of interest in various areas.

Five variants
Here we introduce five variants of Polynomial Hash (other variants are also possible depending on applications) and analyze their universality using results from Sect.
Since m ≠ m′, there exists some i 0 such that a i 0 ≠ 0. Now, we need to find the maximum number of solutions of the above polynomial congruence over all choices of a = a 0 , a 1 , . . . , a d ∈ Z d+1 p 1 \ {0} and b ∈ Z n . Note that since the a i 's are in Z p 1 and at least one of them is not zero, we have gcd (a 0 , a 1 , . . . , a d , n)

Polynomial Hash With Probability
Since m ≠ m′, there exists some i 0 such that a i 0 ≠ 0. Now, we need to find the maximum number of solutions of the above polynomial congruence over all choices of a = a 0 , a 1 , . . . , a d ∈ E d+1 \ {0} and b ∈ Z kp . Since the m i 's are all even, the a i 's are also all even. For every b ∈ Z kp , if b is odd then the polynomial congruence Consequently, we have Note that although d p is an upper bound for the collision probability, when b is odd, and possibly in other cases (so with probability at least 1/2), the collision probability is exactly zero. Hence, the result follows.
Remark 4.7 It is important to note that we do not have to restrict the message blocks to be in Z p or Z n . In fact, the message blocks can be arbitrary non-negative integers as long as no two messages have all their corresponding blocks congruent modulo p or modulo n. See Theorem 4.9 for an example of such constructions in the case of Z p ; the same technique is also applicable to Z n .

Polynomial Hash Over Prime Fields With Arbitrary Message Blocks (PH-PA): Let A be a subset of Z d+1
≥0 such that no two elements of A have all their corresponding coordinates congruent modulo p. In this family, each message m is in A, the key x is in Z p , and all operations are performed in Z p . Formally, Proof Same as above, just use Lagrange's Theorem. Note that when we find the difference of the two polynomials, at least one of the coefficients is non-zero modulo p (by the definition of the set A) so the assumption of Lagrange's Theorem is satisfied. Also, note that Theorem 2.4 is not applicable here because message blocks are not necessarily in Z p .
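To see the role of the restrictions on the message blocks in the Z n variants (blocks in Z p 1 , so that the difference of two messages has a coefficient coprime to n) and in PH-PA (no two messages with all blocks congruent modulo p), the following Python script, an added example not taken from the paper, computes the exact worst-case collision probability of Polynomial Hash over Z n for small n by counting the roots of every possible difference polynomial, as in the proofs of this section. It assumes the constant-term-free form h x (m) = m 1 x + · · · + m d x d (mod n); the parameters n = 15, p 1 = 3, d = 2 and the sample messages are chosen for the example.

```python
from fractions import Fraction
from itertools import product


def eval_mod(coeffs, x, n):
    """sum_i coeffs[i] * x^i mod n, with coeffs = [a_0, a_1, ..., a_d]."""
    return sum(c * pow(x, i, n) for i, c in enumerate(coeffs)) % n


def count_roots(coeffs, n):
    """N = #{x in Z_n : f(x) ≡ 0 (mod n)}, by exhaustive search (toy moduli only)."""
    return sum(1 for x in range(n) if eval_mod(coeffs, x, n) == 0)


def poly_hash(blocks, x, n):
    """Polynomial Hash over Z_n in the constant-term-free form assumed here:
    m_1 x + m_2 x^2 + ... + m_d x^d mod n."""
    return eval_mod([0] + list(blocks), x, n)


def worst_collision_prob(n, d, block_bound):
    """Exact worst-case collision probability of poly_hash over Z_n for
    d-block messages whose blocks lie in Z_block_bound.  Two messages
    m ≠ m' collide on key x exactly when x is a root of the difference
    polynomial with coefficients a_i = m_i - m'_i, so it suffices to range
    over all nonzero difference vectors a in (-block_bound, block_bound)^d."""
    worst = 0
    for a in product(range(1 - block_bound, block_bound), repeat=d):
        if any(a):
            worst = max(worst, count_roots([0] + list(a), n))
    return Fraction(worst, n)


def collide_for_every_key(m1, m2, p):
    """PH-PA sanity check: True iff m1 and m2 hash equal under every key in Z_p.
    Blocks may be arbitrary non-negative integers; blockwise congruence mod p
    forces a collision for every key, which is why PH-PA excludes such pairs
    from the message set A."""
    return all(poly_hash(m1, x, p) == poly_hash(m2, x, p) for x in range(p))


if __name__ == "__main__":
    # constructed toy parameters: n = 15 = 3 * 5, d = 2
    print(worst_collision_prob(13, 2, 13))  # 2/13: prime modulus, Lagrange's bound d/p
    print(worst_collision_prob(15, 2, 3))   # 4/15: blocks in Z_3, matches d^r/n with r = 2
    print(worst_collision_prob(15, 2, 15))  # 2/3: unrestricted blocks; a = (5, 5) gives 10 roots
    print(collide_for_every_key([1, 2], [1 + 13, 2 + 26], 13))   # True
    print(collide_for_every_key([1, 2], [1 + 13, 3], 13))        # False
```

The middle case is the one the paper's Z n variant relies on: with blocks in Z p 1 every nonzero difference coefficient is coprime to n, and the root count is bounded by the product of the per-prime Lagrange bounds from Theorem 2.12; with unrestricted blocks the difference (5, 5) is zero modulo 5 and the collision probability jumps to 2/3.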

Polynomial Hash Over Finite Fields (PH-FF):
In this family, each message block m i and the key x are in F q , and all operations are performed in F q . Formally, Definition 4.10 (PH-FF) Given the finite field F q with q elements, where q is a prime power,

Comparison and remarks
The above techniques and results on Polynomial Hash and its variants, and their comparison with what was known before, lead to the following remarks:
• Polynomial Hash is widely attributed to Wegman and Carter [8], Dietzfelbinger et al. [67], den Boer [68], Bierbrauer et al. [69], and Taylor [70]. But we have discovered that it had already been introduced by Mehlhorn and Vishkin [71] back in 1984 (of course, Wegman and Carter [8] already studied the degree one case).
• So far, only the families PH-PF and PH-FF have been introduced in the literature but, unfortunately, there is a growing number of papers that explicitly or implicitly have used the Fundamental Theorem of Algebra to prove the ε-almost-Δ-universality of these families. As discussed in detail in Remark 2.5, the Fundamental Theorem of Algebra works only over the field of complex numbers, not over the prime field or finite fields, so it is not applicable to the families PH-PF and PH-FF. Instead, those papers should have used Lagrange's Theorem or Theorem 2.4 as we did.
• Polynomial Hash has already been used to provide a very efficient universal hash function family for authentication in QKD [22][23][24], but it has not been explained why that is the case. In fact, the efficiency of Polynomial Hash comes from at least the following observations:
- The evaluation of a polynomial f (x) of degree d needs only d multiplications and d additions since, by Horner's rule, f (x) can be written as
Therefore, hashing a message of length d + 1 using Polynomial Hash needs only d multiplications and d additions, while hashing the same message using most other universal hash function families needs more computations; for example, hashing it using MMH * [56,72,73] (which is one of the most well-known universal hash function families) needs d + 1 multiplications and d + 1 additions.
- Unlike most other universal hash function families (e.g., MMH * and its variants), which hash fixed length messages (that is, once the key is chosen we can only hash messages of the same length as the key), Polynomial Hash can be used for hashing variable length messages because each message block becomes a coefficient of the polynomial and so is independent of the key.
• Even though the collision bounds of the hash families introduced in this paper are quite strong, for some applications one may even pick a family with a slightly weaker collision bound, thanks to the everlasting security of QKD [5,6,74]: if authentication remains unbroken during the execution of the QKD protocol, then the resulting key is information-theoretically secure; breaking authentication after the protocol has output the key will not change the security of the generated key.
• As universal hashing is used not only for authentication in QKD but also in other steps in QKD like error correction and privacy amplification [7,13,[25][26][27][28][29][30], our constructions and results might lead to improvements in QKD protocols, among other areas.
• Universal hash functions have recently been used in studying quantum secure direct communication (QSDC) [75] (see also [76][77][78][79][80]), quantum secret sharing (QSS) (either directly [81,82] or via a security proof based on QKD [83]), quantum conference key agreement (QCKA) [84][85][86], and quantum authentication [87][88][89]. Therefore, our efficient and secure constructions and results might lead to improvements in these directions as well.
• Our study of Polynomial Hash over Z n and its variants also demonstrates various benefits which do not hold in the case of the two well-known variants of Polynomial Hash. In particular,
- We do not have to restrict the message blocks to be in Z p or Z n . In fact, the message blocks can be arbitrary non-negative integers (unlike the two well-known versions). See Remark 4.7 and Theorem 4.9 for the details.
- In some of these variants, with probability at least 1/2 the collision probability is exactly zero (see Theorem 4.4).
- We do not need large prime numbers or finite field arithmetic anymore (that is, all arithmetic is done in Z n ).
- It is also possible to introduce, generalize, and analyze other variants of Polynomial Hash (for specific applications) using results from Sect. 2.
- Although in QKD the legitimate parties need to share some initial small secret information in advance for the authentication of the classical channel, each round of QKD provides substantially larger fresh key material, part of which can be used for authentication in the next round of QKD. Furthermore, keys generated in each round of QKD are completely independent of all prior keys and messages [5,6,74]. Therefore, even if any of our schemes uses more key material at the expense of other benefits, the protocol compensates for it in the next round.
- We connected Polynomial Hash and QKD with deep results in number theory. This may motivate more work in these areas.