Secure Quantum Key Distribution

The following information has been extracted from the Secure Quantum Key Distribution article, and provides more information on QKD.

Introduction to QKD
Quantum cryptography, specifically quantum key distribution (QKD), is being considered as an important cryptographic method as quantum computers are developed further. One difference between classical cryptography and quantum cryptography is that the eavesdropper, Eve, is able to store a transcript of any classically encrypted transmission, but cannot do so for a quantum encrypted transmission. This is because classical encryption uses a mathematically difficult algorithm with a key, which encrypts the data within the transmission so that a passive eavesdropper, like Eve, is unable to decipher the message without either the same key (symmetric keys) or the partner key (asymmetric keys). However, Eve is still able to intercept the data without either Bob or Alice being aware of her. For QKD, Alice sends Bob a sequence of polarized photons that are either rectilinear or diagonal. As Bob receives the photons, he measures each photon in a randomly chosen basis, either rectilinear or diagonal. Bob records his basis choice and the result for the respective photon, and then verifies his data with Alice to determine matching results. The non-matching photon data is ignored and the matching data is compiled to generate a sifted key. Alice and Bob can check whether their data has been intercepted by Eve by checking their quantum bit error rate. If the error rate is below a certain threshold, then they can be confident that their data is secure. ‘The quantum data can have classical post-processing protocols such as error correction and privacy amplification to generate a secure key. This key can be used to make the communication unconditionally secure using a one-time pad protocol.’

One-time pad is a protocol in which the key is the same length as the message. The message is interpreted as a binary string, as is the key. The message is encrypted using a bitwise exclusive-OR between the two corresponding bits in the binary string.

Security model of QKD
The security of the QKD method is based upon the perfect key distribution, where Alice and Bob share a truly random secret key. A QKD system is considered to be ϵ-secure ‘if and only if the probability distribution of an outcome of any measurement performed on the QKD scheme and the resulting key deviates at most ϵ from the one of the perfect key distribution protocol and the perfect key.’ The value of ϵ is approximately 10^-10, but this can be adjusted based upon agreements between Bob and Alice on their privacy level. To consider the security of the QKD protocol, the security of the generated key when it is employed in a cryptosystem needs to be taken into account. This is known as composable security. To calculate the composable security, each security protocol is considered to have a defined security parameter, ϵ_i, with the total security of the cryptographic scheme being defined as Σ_i ϵ_i.

However, the implementation of QKD relies on imperfect devices. The BB84 protocol provides the theory of Alice and Bob transmitting data through single polarized photons. Yet efficient single-photon sources and measuring devices are still a matter of the future (as of this publication). One current method for implementing the BB84 protocol is through the use of phase-randomized weak coherent state pulses (WCPs) that have a typical average photon number of 0.1 or higher. These states are created using standard semiconductor lasers and calibrated attenuators. The limitation with these systems is that some signals may contain more than one photon prepared in the same quantum state. This is a security weakness, as Eve can perform a photon-number-splitting (PNS) attack upon the multi-photon pulses and obtain the portion of the key that was generated with that information without Alice and Bob being aware.

The BB84 protocol relies upon Alice and Bob using single-photon states to create the secure key. To generate a key from this data, Bob and Alice do not necessarily need to identify which detected pulses specifically came from the single-photon emissions, but rather can ‘estimate a lower bound for the total number of such events.’ This estimation technique assumes the worst-case scenario, where Eve blocks as many single-photon pulses as she can. This assumption can be used to provide a key generation rate that scales as η^2, where η is the transmittance of the quantum channel. ‘This quantity has the form η = 10^(-αd/10), where α is the loss coefficient of the channel measured in dB/km (α ≈ 0.2 dB/km for standard commercial fibres) and d is the covered distance in km.’

Eve, however, may not be performing a PNS attack, so to improve the achievable secret key rate, there needs to be a more precise method for determining the number of single-photon pulses detected by Bob. The decoy-state method, which can ‘basically reach the performance of single-photon sources, where the key generation scales linearly with η’, can be used. Rather than sending equal intensity signals, Alice sends a signal with an intensity that has been randomly picked from a set of prescribed values. The states sent in the chosen intensity are known as signal states, and states that exist with different intensities are considered as decoy states. ‘Once Bob has detected all the signals, Alice broadcasts the intensity used for each pulse. A crucial assumption here is that all other possible degrees of freedom of the signals (apart from the intensity) are equal for all of them.’ The result of this technique is that even if Eve has knowledge of the number of photons contained within a certain pulse, ‘her decision on whether or not to send that signal to Bob cannot depend on its intensity. That is, Eve’s decision is based upon what is known a priori.’ Hence, the probability of ‘having a detection event given that Alice sent a single-photon pulse is the same for the signal and decoy pulses.’ This results in Alice and Bob being able to more precisely estimate the portion of detected events that occur from single photons.
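The worst-case estimate for WCP sources described above (before the decoy-state refinement), carried through numerically. This is an added example, not code from the article; the detection model (no dark counts, ideal detectors, detection probability 1 - e^(-ημ)) and all function names are assumptions made for illustration.

```python
import math

ALPHA_DB_PER_KM = 0.2  # loss coefficient quoted in the text for standard fibre


def transmittance(d_km, alpha=ALPHA_DB_PER_KM):
    """Channel transmittance eta = 10^(-alpha*d/10)."""
    return 10 ** (-(alpha * d_km) / 10)


def multi_photon_prob(mu):
    """P(n >= 2) for a Poissonian photon-number distribution with mean mu."""
    return 1 - math.exp(-mu) * (1 + mu)


def detection_prob(mu, eta):
    """Assumed gain model: at least one photon of the pulse survives the channel."""
    return 1 - math.exp(-eta * mu)


def single_photon_lower_bound(mu, eta):
    """Worst case: every multi-photon pulse is detected and Eve blocks
    single-photon pulses, so only the remainder of Bob's detections is
    guaranteed to come from single photons."""
    return max(0.0, detection_prob(mu, eta) - multi_photon_prob(mu))


def optimised_bound(eta, steps=2000):
    """Grid-search mu in (0, 1] for the largest lower bound; returns (mu, bound)."""
    grid = [i / steps for i in range(1, steps + 1)]
    mu = max(grid, key=lambda m: single_photon_lower_bound(m, eta))
    return mu, single_photon_lower_bound(mu, eta)


def max_distance_km(mu, alpha=ALPHA_DB_PER_KM):
    """Distance beyond which the bound is zero for a fixed mean photon number."""
    # bound > 0  <=>  eta * mu > mu - ln(1 + mu)
    eta_min = (mu - math.log(1 + mu)) / mu
    return -10 * math.log10(eta_min) / alpha


if __name__ == "__main__":
    print(f"mu = 0.1: no guaranteed single-photon events beyond "
          f"{max_distance_km(0.1):.1f} km")
    for d in (25, 50, 75, 100, 150):
        eta = transmittance(d)
        mu, bound = optimised_bound(eta)
        # The optimum sits near mu = eta, so the bound falls as eta^2 / 2,
        # while an ideal single-photon source would fall only as eta.
        print(f"d={d:3d} km  eta={eta:.2e}  best mu={mu:.4f}  "
              f"bound={bound:.2e}  eta^2/2={eta * eta / 2:.2e}")
```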

Experimental implementations
In recent years, QKD has been experimentally implemented. The signal can be transmitted through free space with approximately 800nm wavelength, or through optical fibres with wavelengths of around 1310nm and 1550nm. The use of polarized photons, called polarization coding, is used mostly for free space transmission. Fibre optic based transmission uses different coding implementations, such as time-bin coding, phase coding, and frequency coding. These different techniques are used due to optical fibres being more likely to cause disturbances to the polarization coding due to the fibre’s susceptibility to environmental effects and birefringence.

Entanglement-based QKD protocols allow Alice and Bob to transmit their information through further distances due to this protocol being more resilient to losses than WCP protocols. (It can stand up to about 70 dB). ‘For instance, they could employ a parametric down-conversion source to generate polarization entangled photons that are distributed between [Alice and Bob]’. This scheme however suffers from systems that are more involved than the ones for WCPs, and they have a lower low loss regime for their secret key. Aside from polarization coding, energy-time entangled pairs could be used.

For QKD over distances shorter than 100km, distributed-phase-reference QKD protocols could be used. This protocol involves Alice encoding the information coherently between adjacent pulses rather than in individual pulses. ‘This approach includes the differential phase shift (DPS) and the coherent-one-way (COW) protocols.’ The DPS protocol involves Alice preparing a train of WCPs of equal intensity but with modulated phases. ‘Bob uses a one-bit delay Mach-Zehnder interferometer, followed by two single-photon detectors to measure the incoming pulses.’ The COW protocol involves all the pulses having a common phase but with varied intensities. These protocols are considered to belong to discrete-variable QKD schemes.

Another set of methods belongs to the continuous-variable systems (CV-QKD), where the device ‘consists of homodyne or heterodyne measurements of the light-field quadratures.’ These protocols do not need single-photon detectors, but rather can be implemented through the use of standard telecom components.

QKD components and data-processing
‘For the optical layer of a QKD system, the following components are typically needed:’

  • Light Sources
    Attenuated laser pulses can be used for the signal source. The signal is modeled as a WCP. Application of global phase randomization results in the state becoming a classical mixture of Fock states with Poissonian distribution.
  • Single-photon detectors
    ‘Single photon detection is the ultimate limit of the detection of light.’ Traditional detectors include silicon detectors and InGaAs detectors. Si detectors are used for the 800nm wavelengths and free-space transmission. InGaAs avalanche photo-diodes (APD) are used for telecom and fibre optic based transmission. InGaAs detectors have had previous issues such as low detection efficiency (15%) compared to the Si detectors (~50%), and a ‘long dead time after a detection event.’ This dead-time reduces the repetition rate to a few MHz. This issue, however, has been resolved in recent years with the use of the following techniques: self-differentiating APDs (SD-APDs), the sine-wave grating technique, a hybrid approach of SD-APDs and sine-wave grating techniques, and superconducting nanowire single-photon detectors (SNSPDs). The detection efficiency for InGaAs has increased to 50%, with SNSPD detection efficiency of ~93%. The SNSPDs have a caveat, in that their operating temperature is around 0.1K (-273.14 ºC).
  • Standard linear optical components
    These optical components include polarizing beam-splitters, beam-splitters, amplitude modulators, and phase modulators.
  • Random number generators
    Random numbers are required in QKD for basis choice, bit-value choice, phase randomization, intensity choice in the decoy state method, and for data post-processing. Quantum mechanics offers randomness based upon physical principles rather than complex mathematical algorithms. ‘A simple way to build a quantum random number generator (QRNG) is to send a WCP through a 50:50 beam-splitter and put two single-photon detectors on the two outgoing arms. The actual bit value (0 or 1) generated depends on which detector detects a photon.’
  • Classical post-processing techniques
    This includes techniques such as error correction and privacy amplification, which are used to fix any errors in the transmission, and ‘remove any residual information that Eve might have on the raw key.’ A difficulty with classical post-processing is the computational complexity of the protocols that is required to process a very large amount of raw data in a short amount of time.
  • Authenticated Channel
    Alice and Bob need to have an authenticated classical channel through which Bob and Alice verify the results of the QKD transmissions. This channel requires a short authentication key that ‘may be provided in the initial shipment of the QKD system through a tamper-resistant device.’ After the first successful QKD session, the authentication key can be renewed by the key generated from the QKD.

 

Industrial/application perspectives
As of 2015, when this article was published, QKD networks had been deployed in the USA, Austria, Switzerland, China, and Japan. ‘The [Japanese-Tokyo] network consists of three main layers: a QKD layer, a key management layer, and an application layer.’ To the user in the application layer, the QKD layer and the key management layer can be considered as a black box, which supplies them with keys. (Tokyo has a layer structure that is based upon a trusted node architecture.) ‘Secure communication is possible between any nodes in the network by relaying on the secret key that is controlled by command of the key management server.’ This type of network can be employed for the provision of secure communications with smart phones. When a user needs a new key to protect communications, they could connect to the QKD network and store the obtained key in their phone, for use when needed. ‘Other potential of QKD include, for example, offsite backup, enterprise private networks, critical infrastructure protection, backbone protection, and high security access networks.’

Quantum hacking
‘In principle, QKD only secures the communication channel, so Eve may try to attack the sources, i.e. the preparation stage of the quantum signal, and the measurement device.’ The sources can be protected by preventative methods against Eve. For instance, ‘Alice can prepare her quantum signals (e.g. the polarization state of phase-randomized WCPs) in a fully protected environment outside the influence of an eavesdropper.’ The use of optical isolators is an example of this. The measurement device, Bob’s single-photon detector, is harder to protect due to Eve being allowed to send any signal, as it is more difficult to protect Bob’s device from any possible attack. ‘The most important hacking attack so far against the detectors of the system is the so-called detector blinding attack. Here, Eve shines bright light into the detectors to make them enter into the so-called linear mode operation, where they are no longer sensitive to single-photon pulses but only to strong light pulses.’ This provides Eve with complete control over which detector ‘clicks’ each time through the transmission of bright pulses. This method allows Eve to completely learn the secret key. Other aspects that are exploitable are: the sources detection efficiency mismatch, and the dead-time of detectors.

There are three main approaches in counter-measuring any hacking. The first approach is to use security patches. This provides security against any and all known attacks but implies vulnerability of the system against any hacking advances. This technique is akin to most classical cryptographic techniques.
The second approach is called device-independent QKD (DI-QKD). In this approach, Alice and Bob consider their devices as black boxes. In other words, ‘they do not need to fully characterize their different elements.’ ‘The security of DI-QKD relies on the violation of a Bell inequality, which certifies the presence of quantum correlations.’ This approach is impractical with current technology due to high decoupling and channel loss, and the limited detection efficiency of current single-photon detectors (this is considered as the detection efficiency loophole, which requires detection efficiency to be ~80% or more for a loophole free Bell test).
The third approach is MDI-QKD. This approach allows Alice and Bob to perform QKD with untrusted measurement devices, even ones developed by Eve. MDI-QKD security is based upon the idea of time reversal. ‘Alice and Bob prepare quantum signals and send them to an untrusted relay, Charles/Eve, who is supposed to perform a Bell-state measurement on the signals received. The honesty of Charles can be verified by comparing a subset of the transmitted data.’ MDI-QKD can be achieved through current ‘optical components with low detection efficiency and high lossy channels.’ MDI-QKD has a key rate that is far greater than that of DI-QKD, and has been demonstrated in laboratories and field tests (as of publication). ‘The key assumption of MDI-QKD is that Alice and Bob trust their sources.’ One downside of MDI-QKD is that it has a ‘relatively low secret key rate when compared to the decoy state BB84 protocol.’ This is due to MDI-QKD requiring two-fold coincidence detector events. These are currently restrained due to the low detection efficiency of InGaAs single-photon detectors; however, the downside is not an issue if SNSPDs (at ~0.1K) are utilized. ‘MDI-QKD could be used to build a QKD network with untrusted nodes, which would be desirable from a security standpoint.’

Conclusion
This article gives an idea of the advancement of QKD since the publication of BB84. This article contains techniques and terminology that I’m not familiar with, so my next step is to look up the terms that I am unfamiliar with. From this, I will build up a glossary to provide myself with greater comprehension of the prospects discussed within this article, and any further article that I examine.

Reference
Lo Hoi-Kwong et al. (21 May 2015). Secure Quantum Key Distribution. https://arxiv.org/pdf/1505.05303.pdf

Quantum Cryptography: Public Key Distribution and Coin Tossing (BB84)

The BB84 protocol is based upon the article, ‘Quantum Cryptography: Public Key Distribution and Coin Tossing’ by Charles Bennett and Gilles Brassard, which was published in 1984.

The following information has been extracted from parts I-III of the article.

Most digital communication channels can be either passively monitored or actively copied, whether or not the information is encrypted. If the information is encoded in non-orthogonal quantum states however, then the channel is in theory unable to be monitored or copied without the outside party having critical information on the formation of the transmission. If the outside party were to eavesdrop, this would cause the transmission to be altered in such a way that their presence would be discernible to the legitimate party that received the transmission.

Quantum coding then, can be used to enable secure distribution of key information between two parties that have no initial shared secret information. This however can only occur under the proviso that both parties have access to a quantum channel and an ordinary channel that may be susceptible to passive eavesdropping. This can be done with the use of polarized photons.

Polarized photons are created by polarizing a beam of light with polarizing equipment such as Polaroid filters or calcite crystals. Photons have quantum mechanical properties, which results in the uncertainty principle constraining the measurements of a single photon to reveal a single bit in regards to its polarization state. Photons, however, will behave deterministically if the orientation of the photon is either parallel or perpendicular to the orientation of the filter. Parallel orientation results in complete transmission, and perpendicular orientation results in complete absorption. If the two axes of orientations are not perpendicular, then an incident photon of orientation α passing through a polarizer of orientation β will result in a transmitted photon of orientation β. A photon also cannot be cloned, due to cloning being contradictory to the nature of quantum mechanics.

(This following paragraph contains mostly copied portions from the article as it involves their formalism in introducing quantum mechanics)
A photon is a sub-atomic particle that is subject to quantum effects. Quantum mechanics can be considered as the interpretation of a photon’s state within a defined quantum system, which is a ‘vector, ψ, with the properties of being unit length in a linear space, Η, over field of complex numbers.’ This space is known as Hilbert space. For a Hilbert space, ‘each physical measurement, defined as M, upon the system corresponds to a resolution of its H space into orthogonal subspaces, one for each possible outcome of the measurement.’ When a system in a state, which is denoted by ψ, has a physical measurement, M, acted upon it, ‘its behavior is in general probabilistic: where outcome, k, occurs with a probability equal to:
[Equation image: probabilistic outcome of M_k and ψ]
After the measurement, the system is left in a new state:
[Equation image: normalized unit vector]
Which is the normalized unit vector in the direction of the old state vector’s projection into the subspace M_k. This measurement has a deterministic outcome which leaves the state vector unmodified.’ This implies that the outcome of the physical measurement will always provide a unique outcome from the same set of input variables. In other words, this measurement can be considered as a 1-1 function.
‘The Hilbert space for a single polarized photon is two-dimensional, which implies that the state of the photon can be described as a linear combination of two unit vectors that represent horizontal and vertical polarization.’ These unit vectors are:
[Equation image: horizontal and vertical unit vectors]
‘A photon polarized at an angle, α, to the horizontal is described by the state vector (cosα, sinα).’ When the photon is subject to horizontal polarization, the photon has a probability of (cosα)^2 of becoming horizontal. This is similar for vertical polarization, where the photon has a probability of (sinα)^2 of becoming vertical. This implies that ‘the two orthogonal vectors r_V and r_H exemplify the resolution of a 2-dimensional Hilbert space into 2 orthogonal 1-dimensional subspaces.’
‘An alternative basis for the same Hilbert space can be considered with two diagonal basis vectors:
[Equation image: diagonal basis vectors]
Where d_1 represents a 45-degree photon, and d_2 represents a 135-degree photon.’

For non-quantum cryptography, a trapdoor function is used in a public key to initially encrypt a message between two parties in order to hinder any passive eavesdropping. For quantum cryptography, the public key is used to send a sequence of random bits between two parties, rather than a message. The two parties can communicate over a non-quantum channel and with high probability, determine whether the original transmission of random bits has been subject to eavesdropping. If the transmission has been subject to eavesdropping, the disrupted material can be disposed of, and the transmission attempt repeated until a sufficient number of random bits have been exchanged for them to use as a one-time pad. If the transmission has not been subject to eavesdropping, then the shared random bits can be used as a one-time pad to encrypt any further communications or other cryptographic purposes.

The transmission of the random bits through a quantum channel is as follows: Party A, or Alice, chooses a random bit string and a random sequence of polarization bases, that are either rectilinear or diagonal. Alice sends a train of photons to party B, or Bob, where each photon represents a single bit of the string in the basis chosen for that bit position. The photon is a binary zero if the polarization is horizontal or at 45-degrees, and is a binary one if the polarization is vertical or at 135 degrees. Once Bob has received the photons, he can either choose to measure the rectilinear or diagonal polarization of the photons. Bob’s measurements influence the result that he obtains from the polarized photons. As such, if he attempts to measure the rectilinear polarization of a diagonally polarized photon, or vice versa, the information is lost and he receives a non-deterministic result. This implies that Bob will only obtain meaningful results from half of the data. This percentage of meaningful results is an optimal proportion, as in reality, the use of imperfectly-efficient detectors would result in a reduction of photons received. Bob can communicate his results to Alice over a non-quantum encrypted channel that provides Bob and Alice with authentic and non-repudiable messages, but may be susceptible to passive eavesdropping.

Any eavesdropping on the quantum transmission can result in the diagonal and rectilinear photons becoming altered, which will cause disagreements between Alice and Bob on bits that would have originally matched. ‘No measurement of a polarized photon during its transit, by an eavesdropper informed of the original basis, will yield more than 1/2 the expected bits of information about the key bit encoded on that photon.’ ‘Were the eavesdropper to measure and re-transmit all of the photons in the rectilinear basis, they would be able to learn the correct polarization of half of the photons and would induce disagreements in 1/4 of the photons that were re-measured in the original basis.’ The implication of this information is that Bob and Alice can publicly compare some of the bits that are likely to agree. If the bits do agree, then Alice and Bob can be confident that no eavesdropping has occurred. Although this method does reduce the secrecy of some of the bits, only a small portion of correctly received bits need to be used, which results in the remaining received bits staying secure.
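The exchange described above (random bases, sifting, public comparison of a sample, then one-time pad use of the remaining bits) as a small simulation with and without an eavesdropper who measures and re-sends every photon in the rectilinear basis. This is an added example, not code from Bennett and Brassard; the photon model is idealised (no loss, no detector noise), error correction and privacy amplification are omitted, and the abort threshold and all names are assumptions.

```python
import random

RECT, DIAG = "+", "x"          # rectilinear and diagonal bases
QBER_ABORT_THRESHOLD = 0.11    # assumed abort threshold; the text gives no figure


def measure(bit, prepared_basis, measured_basis, rng):
    """Matching bases return the encoded bit; mismatched bases give a coin flip."""
    return bit if prepared_basis == measured_basis else rng.getrandbits(1)


def run_bb84(n_photons, eve_present, seed):
    """Return (alice_sifted, bob_sifted) for one constructed transmission."""
    rng = random.Random(seed)
    alice_bits = [rng.getrandbits(1) for _ in range(n_photons)]
    alice_bases = [rng.choice((RECT, DIAG)) for _ in range(n_photons)]
    bob_bases = [rng.choice((RECT, DIAG)) for _ in range(n_photons)]

    bob_bits = []
    for bit, basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eve_present:
            # Measure-and-re-send in the rectilinear basis, as in the quoted
            # passage: the photon reaching Bob carries Eve's result and basis.
            bit, basis = measure(bit, basis, RECT, rng), RECT
        bob_bits.append(measure(bit, basis, bob_basis, rng))

    # Sifting: keep only positions where Alice and Bob chose the same basis.
    keep = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def estimate_qber(alice_sifted, bob_sifted, sample_size, seed):
    """Publicly compare a random sample; return (qber, alice_key, bob_key).
    The compared bits are no longer secret, so they are dropped from the key."""
    rng = random.Random(seed)
    revealed = set(rng.sample(range(len(alice_sifted)), sample_size))
    errors = sum(alice_sifted[i] != bob_sifted[i] for i in revealed)
    rest = [i for i in range(len(alice_sifted)) if i not in revealed]
    return (errors / sample_size,
            [alice_sifted[i] for i in rest],
            [bob_sifted[i] for i in rest])


def otp_xor(data, key_bits):
    """One-time pad: XOR each message byte with eight fresh key bits."""
    if len(key_bits) < 8 * len(data):
        raise ValueError("one-time pad key must be at least as long as the message")
    out = bytearray()
    for n, byte in enumerate(data):
        pad = 0
        for bit in key_bits[8 * n: 8 * n + 8]:
            pad = (pad << 1) | bit
        out.append(byte ^ pad)
    return bytes(out)


def session(eve_present, seed=2015, n_photons=4000, sample_size=500):
    """Run one exchange and decide whether the key may be used."""
    a, b = run_bb84(n_photons, eve_present, seed)
    qber, key_a, key_b = estimate_qber(a, b, sample_size, seed + 1)
    return {"sifted": len(a), "qber": qber,
            "accepted": qber < QBER_ABORT_THRESHOLD,
            "key_a": key_a, "key_b": key_b}


if __name__ == "__main__":
    for eve in (False, True):
        s = session(eve)
        print(f"eve={eve}  sifted={s['sifted']}  qber={s['qber']:.3f}  "
              f"accepted={s['accepted']}")
```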

The received bits can be used as a one-time pad for further secure communication between Bob and Alice over a public channel. The concern for the public channel to not be compromised by active eavesdropping is reduced if Wegman-Carter authentication tags are implemented through a previous agreement of a small secret key. The suggestion for the WC authentication method is due to the unlikelihood of an eavesdropper, ignorant of the key, being able to reproduce a valid message-tag pair. The WC method also involves the gradual loss of bits which cannot be reused without compromising the security of the system. However, these bits can be replaced by new random bits that are transmitted through the quantum channel.

One of the important advantages of using quantum key distribution is that both Alice and Bob have a high probability of being able to discern whether their exchange is being eavesdropped, and hence, compromised.

 

 

References:
Bennett and Brassard (December 1984). Quantum Cryptography: Public Key Distribution and Coin Tossing. https://www.research.ibm.com/people/b/bennetc/bennettc198469790513.pdf

NIST SP 800-57: Recommendation for Key Management

During my post of ‘Clarifying Enterprise Implications‘, I considered how QKD would influence current key maintenance. This NIST SP article will help me understand the concepts involved in key maintenance, and whether it is a suitable project focus.

**This blog has been updated as the publication that I was using was out of date. The updated information is sourced from NIST SP 800-57 Part 1, Revision 4. **

An important item to note before I extrapolate certain information from the article, is that NIST Recommendations are designed to provide a “minimum level of security for U.S. government systems” (section 1.4, part 1), which means that this information will not provide an accurate example for key maintenance in New Zealand enterprises. It will however, provide me with more knowledge of what practices are involved in key maintenance.

This blog only contains information from section 5 of the NIST SP 800-57, and I will write further blogs based upon other relevant information contained in the NIST publication.

From section 5: General Key Management Guidance

  • A key should be used for only one purpose
    • Using the same key for multiple uses may weaken security
    • Limiting a key to one purpose reduces the potential destruction that could occur if the key were to become compromised.
    • Some uses of keys interfere with each other. E.g. A key shouldn’t be used for key transport and as a digital signature.
    • (This does not include multi-service keys such as one that provides encryption and authentication of data during the same use.)
  • There should exist well-defined lifetimes for each key, dependent upon various factors such as amount of data encrypted by a single key, the key’s algorithm, the sensitivity of the data accessible by the key.
  • The risk involved with key exposure should be determined, and various factors should be taken into account in order to minimize the risk. NIST SP 800-57 contains the following factors:
    • Strength of cryptographic mechanisms
    • The environment in which the key is utilized
    • The security life of the data
    • The transaction number or volume of information flow that is using a single key
    • The process of key updates and key derivation
    • The methods involved in re-keying
    • The mechanisms/technology involved for creating, holding, updating keys
    • The security function which includes data encryption, key production, and key protection.
    • Number of nodes in a network that share a common key
    • Number of copies of a key and their distribution
    • Personnel turnover
    • Threat from adversaries and their perceived technical capabilities and financial resources
    • Threat to information from new and disruptive technologies (e.g. quantum computers)
  • The key’s operation should be well defined in regards to whether it is used to encrypt exchangeable data or whether it is being used to encrypt stored data.
  • The cost involved with replacing or cancelling a key needs to be considered.
  • The differences of symmetric and asymmetric keys should be considered, as this will determine which key will be implemented.

 

The NIST SP 800-57 provides the following table describing their recommended cryptoperiods for a range of key types:

[Table image: Cryptoperiods for key types, Part I]
[Table image: Cryptoperiods for key types, Part II]

Most keys appear to have a lifetime of less than two years, with the longest lifetime being less than five years.

The article also provides the following procedures that may minimize the likelihood of a key from being compromised:

  • Limit time that symmetric or private key is in plaintext
  • Prevent human view of the plaintext of the private and symmetric keys
  • Restricting plaintext symmetric and private keys to physically protected containers
  • Use regular integrity checks to ensure that the key or its associated data hasn’t been compromised
  • Employ the use of key confirmation
  • Employ an accountability system that keeps track of access to plaintext form of symmetric and private keys
  • Ensure that there are regular cryptographic integrity checks on the key
  • Use trusted timestamps for signed data
  • Destroy the key as soon as it is no longer required

 

The article also entails cryptographic algorithms and key size selection. It provides the following table that provides algorithm security lifetimes and the corresponding symmetric key algorithms.
[Table image: Comparable strengths of keys]
-The security strength column denotes an estimated maximum strength, in units of bits.
-The orange-filled cells are keys that are considered no longer approved for Federal government information, which does not apply to my project. The yellow cells are certain key strengths for the FFC and IFC algorithms that NIST does not include in its standards. This also does not apply to my project.
-The FFC (finite field cryptography) column provides a minimum size for keys, where L is the public key length, and N is the private key length.
-The fourth column provides a value based upon integer-factorization cryptography (IFC), where k is considered to be the key size.
-The final column provides a range of values of key size for elliptic curve cryptography (ECC).

The following tables are NIST’s acceptable time frames for the keys based upon their security strength.
[Table image: Security strength time frames, Part I]
[Table image: Security strength time frames, Part II]

Note, these tables are based upon the latest publication, which was published in 2016.

Their nomenclature within the table has the following definitions:
Applying: Data is being encrypted
Processing: Data is being decrypted
Disallowed: The key length does not fulfill the NIST standards for suitability of application on the data
Legacy-Use: The length is suitable for processing encrypted data
Acceptable: The length is suitable for cryptographic application upon data as the key has no known insecurities.

This data, although based upon the NIST standards, does provide me with a general time frame for keys in regards to their security strength.

 

Conclusion
This section of the publication has provided me with three main focuses for key maintenance; the purpose of the key, its expected security lifetime, and minimization of risks that may lead to key compromise.

When I have completed more research upon quantum keys, I can compare this information as to how it applies to quantum keys and their distribution.

 

Reference:
Barker et al. (March 2007) Recommendation for Key Management-Part 1: General (Revised), NIST Special Publication 800-57. http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf

Barker et al. (January 2016) Recommendation for Key Management-Part 1: General (Revised), NIST Special Publication 800-57. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf