An efficient quantum digital signature for classical messages

Abstract

Quantum digital signature offers an information theoretically secure way to guarantee the identity of the sender and the integrity of classical messages between one sender and many recipients. The existing unconditionally secure protocols only deal with the problem of sending single-bit messages. In this paper, we modify the model of quantum digital signature protocol and construct an unconditionally secure quantum digital signature protocol which can sign multi-bit messages at one time. Our protocol is against existing quantum attacks. Compared with the previous protocols, our protocol requires less quantum memory and becomes much more efficient. Our construction makes it possible to have a quantum signature in actual application.

Appendices

Appendix A

Bob’s optimal strategy is to minimize the probability of causing a photodetection event, with the cost matrix \({\mathbf {C}}\) with elements \(c_{\phi ,\theta }\). In the cost matrix \({\mathbf {C}}\), the diagonal elements represent the cases when recipient uses the same phase as sender, and the off-diagonal elements represent the cases when recipient uses the phase different from sender. In the specific experimental operation, to make our protocol to be secure against forging, a practical requirement is that the probabilities of registering a photodetection event on Charlie’s signal null-port arm are greatly different between the above two cases. If so, Charlie can register distinctly more photodetection events than threshold value when Bob (or other external party) attempts to forge a message. That is to say, Charlie is capable of detecting a discrepancy between the true and forged messages. To achieve this requirement, the choice of the number of possible phase encodings p cannot be large. Clarke et al. [4] presents us a practical experimental data, they use 8 different phase states, and the average photon number per pulse is \(|\alpha ^2|=0.16\). In this experimental setup, the cost matrix is given by

$$\begin{aligned} {\mathbf {C}}=\begin{pmatrix}3.89&{}\quad 4.40&{}\quad 5.24&{}\quad 5.95&{}\quad 6.35&{}\quad 6.00&{}\quad 5.29&{}\quad 4.39\\ 4.56&{}\quad 3.88&{}\quad 4.43&{}\quad 5.29&{}\quad 6.04&{}\quad 6.39&{}\quad 6.02&{}\quad 5.20\\ 5.28&{}\quad 4.60&{}\quad 3.89&{}\quad 4.42&{}\quad 5.29&{}\quad 6.02&{}\quad 6.37&{}\quad 5.95\\ 5.68&{}\quad 5.22&{}\quad 4.58&{}\quad 3.90&{}\quad 4.40&{}\quad 5.24&{}\quad 5.91&{}\quad 6.30\\ 6.36&{}\quad 5.68&{}\quad 5.27&{}\quad 4.59&{}\quad 3.89&{}\quad 4.43&{}\quad 5.24&{}\quad 6.01\\ 5.62&{}\quad 6.36&{}\quad 5.66&{}\quad 5.23&{}\quad 4.57&{}\quad 3.89&{}\quad 4.41&{}\quad 5.30\\ 5.26&{}\quad 5.68&{}\quad 6.40&{}\quad 5.70&{}\quad 5.22&{}\quad 4.60&{}\quad 3.88&{}\quad 4.40\\ 4.61&{}\quad 5.24&{}\quad 5.65&{}\quad 6.36&{}\quad 5.68&{}\quad 5.22&{}\quad 4.56&{}\quad 3.88\end{pmatrix}\times 10^{-3}. \end{aligned}$$

(26)

Appendix B

Lemma 4

For any bit message \(m_j,\ j=1,2,\ldots ,n\), the probability of Alice repudiating successfully is

$$\begin{aligned} \text {Pr}(\mathrm{repudiation}\, m_j)\le 2^{-(s_v-s_a)L}. \end{aligned}$$

(1)

Proof

For this purpose, Alice needs to forward different quantum signatures to Bob and Charlie, or more generally, the most general state Alice prepares is \(\pi _{A,B_1,C_1,B_2,C_2,\ldots ,B_{L},C_{L}}\), which is a general \( 2L+1\)-partite state. Subsystem A Alice keeps and sends partitions \(B_1,\ldots ,B_{L}\) to Bob and \(C_1,\ldots ,C_{L}\) to Charlie. If Alice is honest, there is no subsystem A, \(B_i\) and \(C_i\) are identical coherent states with a complex phase known to Alice alone, as specified by the protocol.

There are two cases of this attack: security against individual repudiation and security against coherent repudiation.

At first, we show that our protocol is secure against individual repudiation. We assume that the system A is disentangled from the rest of Alice’s state, and the subsystems \((B_kC_k)\) and \((B_lC_l)\) are not entangled with each other for \(k\ne l\). However, we allow the partitions \(B_k\) and \(C_k\) to be mutually entangled. This type of an attack we refer to as an individual attack. According to the protocol specifications, Bob and Charlie will individually run the pairs of states in the systems through the multi-port and commit to quantum memory whatever comes out on their signal outputs of the multi-port. For the purpose of showing security against repudiation, we can assume that they ignore the measurement outcomes on the multi-port null-ports.

For the kth signature element, the joint system of Bob and Charlie which they store into memory is state \(\pi ^\mathrm{out}_{B_kC_k}\), which is symmetric under permutations of Bob’s and Charlie’s subsystems as we now show. Let

$$\begin{aligned} \pi ^\mathrm{in}_{B_kC_k}=\int _{C^2} P(\alpha , \beta )|\alpha> <\alpha |\otimes |\beta > <\beta | d^2\alpha d^2\beta \end{aligned}$$

(28)

be any general two mode state given in the \(\mathrm P\) representation. Then the stored output state (when the null-port subsystems have been traced out) is

$$\begin{aligned} \pi ^\mathrm{out}_{B_kC_k}= & {} \int _{C^2} P(\alpha , \beta )|(\alpha +\beta )/\sqrt{2}> <(\alpha +\beta )/\sqrt{2}|\nonumber \\&\otimes |(\alpha +\beta )/\sqrt{2}> <(\alpha +\beta )/\sqrt{2}| d^2\alpha d^2\beta , \end{aligned}$$

(29)

which is symmetric in the sense given above. From [4], we know that the signature states Bob and Charlie end up with are symmetric under the swap of their systems and the probability matrix describing a priori occurrence of photodection events on Bob’s and Charlie’s signal null-port arm is symmetric. So for every possible state \(\pi ^\mathrm{out}_{B_kC_k}\), the probability of getting event outcomes (0, 1) (only Charlie registers a photodection event) and (1, 0) (only Bob registers a photodection event) is the same and is no more than \(\frac{1}{2}\). Specifically, if Alice succeeds in repudiating that Bob accepted the message sent by Alice, but Charlie rejected, Charlie needs to register more photodection events than Bob, so we can bound the probability of Alice repudiating successfully as

$$\begin{aligned} \text {Pr}(\text {repudiation})\le 2^{-(s_v-s_a)L}. \end{aligned}$$

(30)

The security against coherent repudiation of our protocol is rather obviously. In a coherent attack, the entanglement of the states Alice may use is unrestricted. From [4], we know that using globally entangled states cannot help Alice repudiate her signed message, that is to say

$$\begin{aligned} \text {Pr}(\text {Alice cheats| individual\,attack})\ge \text {Pr(Alice\,cheats| coherent\,attack}). \end{aligned}$$

(31)

\(\square \)