Theoretically extensible quantum digital signature with starlike cluster states

Abstract

Chen et al. (Phys Rev A 73:012303, 2006) constructed this “starlike cluster” state, which involves one qubit located at the center and n neighboring two-qubit arms. This genuine entangled state has been used for the construction of 2D and 3D cluster states, topological one-way computation, and dynamical quantum secret sharing. In this paper, we investigate the usefulness of this starlike cluster state and propose a theoretically extensible quantum digital signature scheme. The proposed scheme can be theoretically generalized to more than three participants. Moreover, it retains the merits of no requirements such as authenticated quantum channels and long-term quantum memory. We also give a security proof for the proposed scheme against repudiation and forgery.

Appendix A: The detailed process of the n-recipient QDS scheme

Exploiting the scalability of cluster states, theoretically the preparation of arbitrary \((2n+1)\)-particle starlike cluster states is possible by means of the \((2n-1)\)-particle starlike cluster states, additional 3-qubit linear cluster states and some quantum local operations including single-qubit measurement and two-qubit controlled operation [22]. The concrete process is as follows:

As illustrated in Fig. 2, the signer Alice prepares another 3-qubit linear cluster state

$$\begin{aligned}&|LC_3 \rangle _{A^{{\prime }}B_{n+1} A_{n+1} } \nonumber \\&\quad =\frac{1}{\sqrt{2}}(|+0+\rangle +|-1-\rangle )_{A^{{\prime }}B_{n+1} A_{n+1} } \nonumber \\&\quad =\frac{1}{2}(|0+0\rangle +|0-1\rangle +|1-0\rangle +|1+1\rangle )_{A^{{\prime }}B_{n+1} A_{n+1} } \nonumber \\&\quad =\frac{1}{2}(|+00\rangle +|+01\rangle +|-10\rangle -|-11\rangle )_{A^{{\prime }}B_{n+1} A_{n+1} } \nonumber \\&\quad =\frac{1}{2}(|+++\rangle +|+-+\rangle +|-+-\rangle -|---\rangle )_{A^{{\prime }}B_{n+1} A_{n+1} } \nonumber \\ \end{aligned}$$

(11)

Alice performs a CZ operation on the particle A and the particle \(A^{{\prime }}\), followed by a Y measurement on particle \(A^{{\prime }}\)(shown in Fig. 2a).

Here \(CZ=|00\rangle \langle 00|+|01\rangle \langle 01|+|10\rangle \langle 10|-|11\rangle \langle 11|\) and \(Y=\{(|0\rangle +i|1\rangle )/\sqrt{2},(|0\rangle -i|1\rangle )/\sqrt{2}\}\). By applying appropriate local operations, each pair can be transformed into a \((2n+1)\)-particle starlike cluster state theoretically.

Fig. 2

Scalability of cluster states

The process of the QDS scheme with n recipients is similar to the one with two recipients. The whole scheme also includes three phases, i.e., the distribution phase, the estimation phase, and the messaging phase. In the proposed scheme, \(|0\rangle \), \(|+\rangle \) represent classical bit 0; \(|1\rangle \) and \(|-\rangle \) encode 1, respectively.

1.1 The distribution phase

Assume the signed message is m. Alice prepares a sequence of N \((2n+1)\)-qubit cluster states in Eq. (1). For each cluster state, she sends the particle \(B_i\) to \(Bob_i\), \(i=1,2,\ldots ,n\). \(Bob_1 ,Bob_2 ,\ldots ,Bob_n\) will announce the result if their detectors have no click, and then Alice and \(Bob_i (i=1,2,\ldots ,n)\) discard all the corresponding data and keep the left 2M bits for Alice and M bits for each \(Bob_{i} \, (i=1,2,\ldots ,n)\), respectively. For each cluster state, Alice measures the particle A in the Z basis and measures the particle \(A_i \) in the Z or X basis randomly. \(Bob_i \) measures the particle \(B_i \) in the Z or X basis randomly, for \(i=1,2,\ldots ,n\). For each cluster state, Alice announces bit 0 if her measurement result of the particle \(A_i \, (i=1,2,\ldots ,n)\) belongs to the set \(\{|0\rangle ,\, |+\rangle \}\) while bit 1 if it belongs to the set \(\{|1\rangle ,\, |-\rangle \}\) through the authenticated classical channels. \(Bob_i\) interprets Alice’s measurement result of the particles \(A_i\) according to her public information. Let \(P_{B_i}^c\) be the probability that \(Bob_i\) has a conclusive result for each received quantum state; in the ideal case, \(P_{B_i }^c =P^{c}=1/4\), for \(i=1,2,\ldots ,n\). Note that \(Bob_i\) does not announce whether he has a conclusive result, for \(i=1,2,\ldots ,n\).

1.2 The estimation phase

For \(i=1,2,\ldots ,n\), Alice informs \(Bob_i\) to choose \(M_{t_i } \) bits as the test bits to estimate correlation randomly and independently. \(Bob_i \) announces the position of test bits, respectively and independently. For each position, Alice publishes the measurement outcome of the corresponding particles A, \(A_i \), respectively. \(Bob_i \) publishes the measurement outcome of the corresponding particle \(B_i\), respectively. Alice announces the measurement basis of the corresponding particle \(A_i \). Finally, \(Bob_i \) publishes the measurement basis of the corresponding particle \(B_i \), respectively. According to the correlation of Eq. (1), they calculate the mismatching rate \(e_{B_i }^c \) of conclusive results from the test bits. When \(e_{B_i }^c \) gets too high, they abort the protocol. Or when \(P_{B_i}^c \) shows a big deviation from the ideal value \(P^{c}=1/4\), they also announce to abort the protocol. Otherwise, Alice keeps \(M_u \) untested bits, denoted \(S_{A_i}\), respectively. \(Bob_i\) keeps \(M_u \) untested bits, denoted \(S_{A_i}\), respectively.

1.3 The messaging phase

The signer Alice randomly chooses the desired recipient, for example \(Bob_1\), who will be the authenticator in the messaging stage. Alice sends the message m and the corresponding bit strings \(S_{A_1} ,S_{A_2} ,\ldots ,S_{A_n}\) to the authenticator, \(Bob_1\)(if \(Bob_i \,(i\ne 1)\) is the authenticator chosen by Alice, Alice will send the message m and the corresponding bit strings \(S_{A_1 } ,S_{A_2} ,\ldots ,S_{A_n}\) to \(Bob_i\)). \(Bob_1 \) checks the mismatching rate \(P^{c}E_{B_1 }^c\) between \(S_{A_1}\) and \(S_{A_1}^{\prime } \) according to the correlation in Table 2, where \(E_{B_1 }^c \) is the mismatching rate of the conclusive results and \(S_{A_1}^{\prime } \) is inferred according to \(S_{B_1 }\) and Alice’s public information in the distribution phase. The inconclusive outcomes are considered to match Alice’s announcement bits automatically. If the mismatching rate \(E_{B_1 }^c \le T_{B_1 } (T_{B_1 } \) is the authentication security threshold), \(Bob_1 \) accepts the message. Otherwise, he rejects it and announces to abort the protocol. After \(Bob_1 \) accepts the message, he forwards it and the corresponding bit strings \(S_{A_1} ,S_{A_2} ,\ldots ,S_{A_n}\) to the recipient \(Bob_2 \).

For \(i=2,3,\ldots ,n-1\), \(Bob_i \) checks the mismatching rate \(P^{c}E_{B_i }^c \) between \(S_{A_i }\) and \(S_{A_i}^{\prime } \) according to the correlation in Table 2, where \(E_{B_i }^c \) is the mismatching rate of the conclusive results and \(S_{A_i }^{\prime } \) is inferred according to \(S_{B_i }\) and Alice’s public information in the distribution phase. The inconclusive outcomes are considered to match Alice’s announcement bits automatically. If the mismatching rate \(E_{B_i }^c \le T_{B_i} (T_{B_i } \) is the verification security threshold), \(Bob_i\) accepts the forwarded message and forwards it and the corresponding bit strings \(S_{A_1 } ,S_{A_2} ,\ldots ,S_{A_n }\) to the recipient \(Bob_{i+1} \). Otherwise, he rejects it.