Abstract
Quantum digital signature offers an information theoretically secure way to guarantee the identity of the sender and the integrity of classical messages between one sender and many recipients. The existing unconditionally secure protocols only deal with the problem of sending single-bit messages. In this paper, we modify the model of quantum digital signature protocol and construct an unconditionally secure quantum digital signature protocol which can sign multi-bit messages at one time. Our protocol is against existing quantum attacks. Compared with the previous protocols, our protocol requires less quantum memory and becomes much more efficient. Our construction makes it possible to have a quantum signature in actual application.
Similar content being viewed by others
References
Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 120–126 (1978)
ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31, 469–472 (1985)
Gottesman, D., Chuang, I.: Quantum digital signatures. Quantum Phys., Preprint at arXiv:quant-ph/0105032 (2001)
Clarke, P.J., Collins, R.J., Dunjko, V., Andersson, E., Jeffers, J., Buller, G.S.: Experimental demonstration of quantum digital signatures using phase-encoded coherent states of light. Nat. Commun. 3(6), 1174 (2012)
Wang, T.Y., Cai, X.Q., Ren, Y.L., Zhang, R.L.: Security of quantum digital signatures for classical messages. Sci. Rep. 5, 9231 (2015)
Greenberger, D.M., Horne, M.A., Zeilinger, A.: Bells theorem, quantum theory, and conceptions of universe. Physics 58, 1131 (1990)
Boykin, P.O., Roychowdhury, V.: Optimal encryption of quantum bits. Phys. Rev. A 67, 042317 (2003)
Zeng, G., Keitel, C.H.: Arbitrated quantum-signature scheme. Phys. Rev. A 65, 042312 (2002)
Li, Q., Chan, W.H., Long, D.Y.: Arbitrated quantum signature scheme using Bell states. Phys. Rev. A 79, 054307 (2009)
Zou, X., Qiu, D.: Security analysis and improvements of arbitrated quantum signature schemes. Phys. Rev. A 82(4), 042325 (2010)
Luo, M.X., Chen, X.B., Yun, D., Yang, Y.X.: Quantum signature scheme with weak arbitrator. Int. J. Theor. Phys. 51, 2135–2142 (2012)
Zou, X., Qiu, D., Yu, F., Mateus, P.: Security problems in the quantum signature scheme with a weak arbitrator. Int. J. Theor. Phys. 53(2), 603–611 (2014)
Andersson, E., Curty, M., Jex, I.: Experimentally realiable quantum comparison of coherent states and its applications. Phys. Rev. A 74(2), 022304-1–022304-11 (2006)
Dunjko, V., Wallden, P., Andersson, E.: Quantum digital signatures without quantum memory. Phys. Rev. Lett. 112(4), 040502 (2014)
Amiri, R., Wallden, P., Kent, A., Andersson, E.: Secture quantum signatures using insecure quantum channels. Phys. Rev. A 93(3), 032325 (2016)
Hoeffding, W.: Probability inequalities for sums of bounded random variables. J. Am. Stat. Assoc. 58(301), 13–30 (1963)
Unruh, D.: Computationally binding quantum commitments. In: Advances in Cryptology-EUROCRYPT 2016, LNCS 9666, pages, pp. 497–527, Springer (2016)
Wang, M.Q., Wang, X., Zhan, T.: Unconditionally secure multi-party quantum commitment scheme. Quantum Inf. Process. 17(2), 31 (2018)
Author information
Authors and Affiliations
Corresponding author
Additional information
The author is supported by MMJJ20180210, NSFC: 61832012, NSFC Grant 61672019 and The Fundamental Research Funds of Shandong University Grant 2016JC029.
Appendices
Appendix A
Bob’s optimal strategy is to minimize the probability of causing a photodetection event, with the cost matrix \({\mathbf {C}}\) with elements \(c_{\phi ,\theta }\). In the cost matrix \({\mathbf {C}}\), the diagonal elements represent the cases when recipient uses the same phase as sender, and the off-diagonal elements represent the cases when recipient uses the phase different from sender. In the specific experimental operation, to make our protocol to be secure against forging, a practical requirement is that the probabilities of registering a photodetection event on Charlie’s signal null-port arm are greatly different between the above two cases. If so, Charlie can register distinctly more photodetection events than threshold value when Bob (or other external party) attempts to forge a message. That is to say, Charlie is capable of detecting a discrepancy between the true and forged messages. To achieve this requirement, the choice of the number of possible phase encodings p cannot be large. Clarke et al. [4] presents us a practical experimental data, they use 8 different phase states, and the average photon number per pulse is \(|\alpha ^2|=0.16\). In this experimental setup, the cost matrix is given by
Appendix B
Lemma 4
For any bit message \(m_j,\ j=1,2,\ldots ,n\), the probability of Alice repudiating successfully is
Proof
For this purpose, Alice needs to forward different quantum signatures to Bob and Charlie, or more generally, the most general state Alice prepares is \(\pi _{A,B_1,C_1,B_2,C_2,\ldots ,B_{L},C_{L}}\), which is a general \( 2L+1\)-partite state. Subsystem A Alice keeps and sends partitions \(B_1,\ldots ,B_{L}\) to Bob and \(C_1,\ldots ,C_{L}\) to Charlie. If Alice is honest, there is no subsystem A, \(B_i\) and \(C_i\) are identical coherent states with a complex phase known to Alice alone, as specified by the protocol.
There are two cases of this attack: security against individual repudiation and security against coherent repudiation.
At first, we show that our protocol is secure against individual repudiation. We assume that the system A is disentangled from the rest of Alice’s state, and the subsystems \((B_kC_k)\) and \((B_lC_l)\) are not entangled with each other for \(k\ne l\). However, we allow the partitions \(B_k\) and \(C_k\) to be mutually entangled. This type of an attack we refer to as an individual attack. According to the protocol specifications, Bob and Charlie will individually run the pairs of states in the systems through the multi-port and commit to quantum memory whatever comes out on their signal outputs of the multi-port. For the purpose of showing security against repudiation, we can assume that they ignore the measurement outcomes on the multi-port null-ports.
For the kth signature element, the joint system of Bob and Charlie which they store into memory is state \(\pi ^\mathrm{out}_{B_kC_k}\), which is symmetric under permutations of Bob’s and Charlie’s subsystems as we now show. Let
be any general two mode state given in the \(\mathrm P\) representation. Then the stored output state (when the null-port subsystems have been traced out) is
which is symmetric in the sense given above. From [4], we know that the signature states Bob and Charlie end up with are symmetric under the swap of their systems and the probability matrix describing a priori occurrence of photodection events on Bob’s and Charlie’s signal null-port arm is symmetric. So for every possible state \(\pi ^\mathrm{out}_{B_kC_k}\), the probability of getting event outcomes (0, 1) (only Charlie registers a photodection event) and (1, 0) (only Bob registers a photodection event) is the same and is no more than \(\frac{1}{2}\). Specifically, if Alice succeeds in repudiating that Bob accepted the message sent by Alice, but Charlie rejected, Charlie needs to register more photodection events than Bob, so we can bound the probability of Alice repudiating successfully as
The security against coherent repudiation of our protocol is rather obviously. In a coherent attack, the entanglement of the states Alice may use is unrestricted. From [4], we know that using globally entangled states cannot help Alice repudiate her signed message, that is to say
\(\square \)
Rights and permissions
About this article
Cite this article
Wang, MQ., Wang, X. & Zhan, T. An efficient quantum digital signature for classical messages. Quantum Inf Process 17, 275 (2018). https://doi.org/10.1007/s11128-018-2047-y
Received:
Accepted:
Published:
DOI: https://doi.org/10.1007/s11128-018-2047-y