Identity-based quantum signature based on Bell states


Optik - International Journal for Light and Electron Optics 200 (2020) 163388


Original research article

Xiangjun Xin a,⁎, Zhuo Wang a, Qinglan Yang b

a School of Mathematics and Information Science, Zhengzhou University of Light Industry, Zhengzhou 450002, China
b Library, Zhengzhou University of Light Industry, Zhengzhou 450002, China

ARTICLE INFO

Keywords: Quantum signature; Identity-based signature; Bell state; Quantum swap test

ABSTRACT

Based on the Bell states, an identity-based quantum signature scheme is proposed. In our scheme, the signer’s private key is generated by a trusted third party called the private key generator (PKG), while the signer’s public key is his/her identity (such as his/her name or email address). The message to be signed is encoded into a Bell state sequence. To generate a quantum signature, the signer signs the Bell state sequence with his/her private key. The quantum signature can be verified by anyone with the signer’s identity. Our quantum signature scheme has the advantages of the classical identity-based signature scheme. It need not use long-term quantum memory. On the other hand, in our scheme, during the signature verification phase, the verifier need not perform any quantum swap test. What is more, in our scheme, PKG can arbitrate the disputation of losing quantum signature, which cannot be arbitrated in most of the quantum signature schemes. Our scheme also has the security properties of non-repudiation, unforgeability, etc. Our signature is more secure, efficient and practicable than the similar schemes.

⁎ Corresponding author. E-mail address: [email protected] (X. Xin).
https://doi.org/10.1016/j.ijleo.2019.163388
Received 7 June 2019; Accepted 7 September 2019
0030-4026/ © 2019 Elsevier GmbH. All rights reserved.

1. Introduction

A digital signature is a mathematical technique that can be used to authenticate message sources and verify the integrity of transmitted messages. It functions like a traditional handwritten signature. Because digital signatures can authenticate the message sources and verify the integrity of electronic documents, they have many applications in fields such as information security and e-commerce. In the last decades, many classical public-key digital signature schemes have been proposed. In general, the security of these digital signature schemes is based on some unproven hardness assumptions such as the factoring problem and the discrete logarithm. However, with the development of quantum computation technologies, the security of the classical public-key digital signatures is greatly challenged [1].

To improve the security of digital signature schemes, the quantum signature was introduced [2]. The security of a quantum signature is different from that of a classical digital signature. That is, the security of the quantum signature depends on some physical principles of quantum mechanics instead of the hardness assumptions of the unproven mathematical problems. It is believed that the quantum signatures have better security properties than the classical digital signatures. In recent years, many quantum signature schemes have been proposed [3–12]. Most of them are arbitrated quantum signature schemes, in which some disputations between the signers and the verifiers have to be arbitrated by the arbitrators.

Recently, based on the idea of the identity-based cryptosystem [13], Chen et al. proposed an asymmetric public-key quantum signature scheme [14]. In their scheme, the signer’s public key is his/her identity, and the corresponding private key is generated by a trusted PKG. The signer generates a quantum signature with his/her private key, while the verifier verifies the quantum signature with the signer’s identity information. Then, Chen et al.’s quantum signature scheme has some merits of the classical identity-based signatures. However, in Chen et al.’s scheme, the long-term quantum memory has to be used to store many copies of quantum digests for the verifiers. At the same time, each signature verifier has to perform many rounds of quantum swap test during the signature verification phase.

In this paper, a new identity-based quantum signature scheme is proposed. Our scheme is based on Bell states. It has the advantages of classical identity-based signature schemes. It also has the security properties such as non-repudiation and unforgeability. On the other hand, in our scheme, it need not use long-term quantum memory to store the quantum digests, and the verifier need not perform any quantum swap test during the signature verification phase. What is more, in our scheme, PKG can arbitrate the disputation of losing quantum signature, which cannot be arbitrated in most of the quantum signature schemes. Therefore, our scheme is more secure, practicable and efficient than the similar public-key quantum signature schemes.

This paper is organized as follows. In Section 2, the preliminary about one-time pad (OTP) is briefly reviewed. In Section 3, our identity-based quantum signature scheme is proposed. In Section 4, we analyze the security and efficiency of the proposed scheme. At last, we conclude.

2. Preliminary: OTP

OTP is one of the symmetric encryption algorithms, which was proposed by Frank Miller and Gilbert Vernam. In OTP, the message sender and the message receiver share a secret random n-bit pad r. To encrypt an n-bit message m, the message sender XORs m with the secret pad r and gets the OTP ciphertext c. Then, the sender sends c to the receiver. To decrypt the OTP ciphertext c, the receiver XORs c with the secret pad r and gets the message m. OTP can be proved to be unconditionally secure [15].

3. Our identity-based quantum signature scheme based on Bell states

In this section, we present our identity-based public-key quantum signature scheme based on Bell states. In our scheme, Alice is the signer, and Bob is a verifier. On the other hand, in our scheme, there exists a trusted PKG, who generates a private key for the signer Alice. Our scheme includes four phases: initializing phase, key generation phase, signing phase and verification phase.

3.1. Initializing phase

For any two n-bit strings x = (x_1, x_2, …, x_n) and y = (y_1, y_2, …, y_n), we define

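$$x \oplus y = (x_1 \oplus y_1, x_2 \oplus y_2, \ldots, x_n \oplus y_n),$$

where the symbol “⊕” denotes the “XOR” operation. Let

$$H = \frac{\sqrt{2}}{2}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix} \quad \text{and} \quad Y = \begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix}$$

be the Hadamard operator and Y-operator, respectively. We use

$$|\psi^-\rangle = \frac{1}{\sqrt{2}}(|01\rangle - |10\rangle), \quad |\psi^+\rangle = \frac{1}{\sqrt{2}}(|01\rangle + |10\rangle), \quad |\phi^-\rangle = \frac{1}{\sqrt{2}}(|00\rangle - |11\rangle), \quad |\phi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$$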

to denote the four Bell states. Before the key generation phase, PKG secretly selects a one-way function with uniform distribution G: {0, 1}* → {0, 1}^{2n} as his own master key. PKG secretly keeps his master key. Let T_1: {0, 1}^{2n} → {0, 1}^n, T_2: {0, 1}^{2n} → {0, 1}^n, T_3: {0, 1}^{2n} → {0, 1}^n and T_4: {0, 1}^{2n} → {0, 1}^n be four public one-way functions with uniform distribution.

3.2. Key generation phase

Assume Alice’s public key is her identity ID = (ID_1, ID_2, …, ID_n) ∈ {0, 1}^n (such as her name or her email address). By performing the following steps, PKG generates the private key for Alice.

K-step 1: First, PKG calculates k = G(ID) with his master key G.

K-step 2: By performing the quantum key distribution protocol [16], Alice and PKG share a secret random 2n-bit string x. PKG calculates the OTP ciphertext x′ = x ⊕ k. Then, PKG publicly announces x′. According to the secret pad x and the OTP ciphertext x′, Alice calculates her own private key k = x ⊕ x′. Suppose Alice’s private key is k = (k_1, k_2, …, k_n, k_{n+1}, …, k_{2n}) ∈ {0, 1}^{2n}. Alice secretly keeps her private key.


3.3. Signing phase

Assume the message to be signed is m = (m_1, m_2, …, m_n), where m_i ∈ {00, 01, 10, 11}, i = 1, 2, …, n. Let m_i = (m_{i1}, m_{i2}), where m_{i1} and m_{i2} are the first bit and the second bit of m_i, respectively.

S-step 1: Alice encodes the message m as a Bell state sequence |a〉 = ⊗_{i=1}^{n} |a_i〉 according to the following rules: m_i = 00 ↦ |a_i〉 = |φ+〉, m_i = 01 ↦ |a_i〉 = |φ−〉, m_i = 10 ↦ |a_i〉 = |ψ−〉, m_i = 11 ↦ |a_i〉 = |ψ+〉, where |a_i〉 is the i-th Bell state of the sequence |a〉.

S-step 2: Alice selects a random 2n-bit string r = (r_1, r_2, …, r_n, r_{n+1}, …, r_{2n}) and computes

$$h = T_1(m \oplus k \oplus r), \quad e = T_2(m \oplus k \oplus r), \quad l = T_3(m \oplus k \oplus r), \quad u = T_4(m \oplus k \oplus r). \tag{1}$$

Assume h = (h_1, h_2, …, h_n), e = (e_1, e_2, …, e_n), l = (l_1, l_2, …, l_n) and u = (u_1, u_2, …, u_n). For each m_i = (m_{i1}, m_{i2}) she calculates

$$w_i = m_{i1} \oplus r_i \oplus ID_i \oplus h_i, \tag{2}$$

$$v_i = m_{i1} \oplus r_i \oplus ID_i \oplus e_i, \tag{3}$$

$$g_i = m_{i2} \oplus r_{n+i} \oplus ID_i \oplus l_i, \tag{4}$$

$$q_i = m_{i2} \oplus r_{n+i} \oplus ID_i \oplus u_i, \tag{5}$$

where i = 1, 2, …, n. Let w = (w_1, w_2, …, w_n), v = (v_1, v_2, …, v_n), g = (g_1, g_2, …, g_n) and q = (q_1, q_2, …, q_n).

S-step 3: For each Bell state |a_i〉, Alice performs the operation (H^{v_i} Y^{w_i}) ⊗ (H^{g_i} Y^{q_i}) on the message state |a_i〉 and gets

$$|s_i\rangle = (H^{v_i} Y^{w_i}) \otimes (H^{g_i} Y^{q_i}) |a_i\rangle. \tag{6}$$

The quantum signature on m is

$$|s\rangle := \bigotimes_{i=1}^{n} |s_i\rangle. \tag{7}$$

S-step 4: Alice randomly generates l (l ≫ 2n) decoy particles selected in the set {|0〉, |1〉, |+〉, |−〉} for checking eavesdropping actions. Next, she randomly inserts the decoy particles into the sequence |s〉 and gets the corresponding particle sequence |s′〉. Finally, Alice sends the sequences {|s′〉, m, ID} to Bob.

S-step 5: After confirming that Bob has received {|s′〉, m, ID}, Alice announces the positions and the initial states of the decoy particles in the quantum sequence |s′〉. Then, Bob measures each of the decoy particles with the corresponding basis and compares the measurement outcome with its initial state. If there exist no errors, Bob continues to perform the next step; otherwise, he restarts the protocol.

S-step 6: After checking eavesdropping, Bob recovers the quantum sequence |s〉 from |s′〉. Bob stores {|s〉, m, ID} as Alice’s quantum signature. On the other hand, according to the same measurement outcomes of the decoy particles, Alice and Bob share a random 2n-bit string t in the same way as that of the BB84 protocol in reference [16]. The random t will be used as the secret pad to encrypt r in V-step 1 of the verifying phase.

3.4. Verifying phase

V-step 1: According to the shared random pad t, Alice calculates the OTP ciphertext r′ = r ⊕ t and publicly announces r′.

V-step 2: According to the OTP ciphertext r′ announced by Alice, Bob calculates r = r′ ⊕ t with the shared one-time pad t. Next, according to m, ID and r, Bob calculates

$$c_i = m_{i1} \oplus r_i \oplus ID_i, \quad d_i = m_{i2} \oplus r_{n+i} \oplus ID_i, \quad i = 1, 2, \ldots, n. \tag{8}$$

For each state |s_i〉 of the quantum signature |s〉, Bob performs the operation H^{c_i} ⊗ H^{d_i} and gets

$$|b_i\rangle = H^{c_i} \otimes H^{d_i} |s_i\rangle. \tag{9}$$

Let |b〉 := ⊗_{i=1}^{n} |b_i〉.

V-step 3: Bob sends the quantum sequence |b〉 to PKG and publicly announces m, r and ID.

V-step 4: According to the m, r and ID publicly announced by Bob, PKG computes k = G(ID) with his master key G. Then, he computes h, e, l and u according to Eq. (1). Then, for each m_i, he calculates w_i and q_i according to Eqs. (2), (5). Next, for each state |b_i〉 of |b〉, PKG performs the operation ((Y^+)^{w_i} H^{e_i}) ⊗ ((Y^+)^{q_i} H^{l_i}) and gets

$$|a_i\rangle = ((Y^{+})^{w_i} H^{e_i}) \otimes ((Y^{+})^{q_i} H^{l_i}) |b_i\rangle. \tag{10}$$

V-step 5: PKG measures each |a_i〉 with the Bell base {|φ+〉, |φ−〉, |ψ−〉, |ψ+〉}. According to each measurement result, PKG decodes the quantum state |a_i〉 as the message m′_i by the following rules: |a_i〉 = |φ+〉 ↦ m′_i = 00, |a_i〉 = |φ−〉 ↦ m′_i = 01, |a_i〉 = |ψ−〉 ↦ m′_i = 10, |a_i〉 = |ψ+〉 ↦ m′_i = 11. Let m′ = (m′_1, m′_2, …, m′_n). According to the m publicly announced by Bob, PKG compares m′ with m. If m′ = m, PKG publicly announces “Yes” and Bob accepts {|s〉, m, ID} as a valid quantum signature. Otherwise, he publicly announces “No” and Bob rejects the quantum signature. On the other hand, once the quantum signature passes the verification, PKG stores (h, e, l, u, ID, r, m, Bob) as the signature proof, which can be used to arbitrate the disputation of losing quantum signature in the future. In Section 4.3, we will show how to use the signature proof to arbitrate the disputation of losing quantum signature.

The simplified process of the signing phase and verifying phase is described in Fig. 1 as follows.

Fig. 1. Process of the signing phase and verifying phase.

4. Security analysis and discussion

The correctness of our quantum signature can be proved easily. In the following, we analyze the security of our identity-based quantum signature scheme. First, we analyze the security of the signer’s private key.

4.1. Secrecy of the private key

Our quantum signature is an identity-based one. Note our scheme is based on the idea of Shamir’s identity-based signature scheme, in which PKG is a trusted third party, who will never reveal the signer’s private key. In our scheme, the trusted PKG generates the private key for the signer. As a trusted third party, PKG will never reveal Alice’s private key. In the following, we analyze that an adversary cannot break Alice’s private key from the public information. In our scheme, if Bob cannot break the private key of Alice, neither can the outside adversary.

Firstly, Bob cannot break the private key from the identity ID. In our scheme, during the key generation phase, PKG generates the signer’s private key k = G(ID) with his master key G, which is a one-way function secretly selected by PKG. If G is chosen as a random one-way permutation oracle, Bob can guess G with a negligible probability 1/2^n!.
Hence, it is impossible for Bob to break the private key from the signer’s identity.

Secondly, Bob cannot break the private key from the OTP ciphertext x′ during the key generation phase. Note that x′ = x ⊕ k, where x is a random pad, which has the same length as that of k. According to the security of OTP, it follows that Bob cannot break the private key k from the OTP ciphertext x′.

Thirdly, Bob cannot break the private key from the quantum signature. Note that the quantum signature is a quantum sequence which satisfies Eqs. (6), (7). In Table 1, according to the message state |a_i〉 and the values of v_i, w_i, g_i and q_i, all the possible states of |s_i〉 are listed. For example, according to S-step 3 and Table 1, if |a_i〉 = |φ−〉 and (v_i, w_i, g_i, q_i) = (0, 1, 1, 0), it follows |s_i〉 = (|φ+〉 − |ψ−〉)/√2. From Table 1, Bob can get Table 2. In Table 2, we show that given a signature |s_i〉 and the corresponding message state |a_i〉, Bob cannot derive Alice’s private key. In fact, according to Table 2, it follows that if Bob knows the message state |a_i〉, he knows how to correctly measure the signature |s_i〉 with the corresponding orthogonal base. For example, according to S-step 3 and Table 2, if |a_i〉 = |ψ+〉, Bob knows that the corresponding quantum signature

$$|s_i\rangle \in B = \{|\psi^+\rangle, |\phi^-\rangle, (|\phi^+\rangle + |\psi^-\rangle)/\sqrt{2}, (|\phi^+\rangle - |\psi^-\rangle)/\sqrt{2}\},$$

where B is an orthogonal base. So, Bob measures |s_i〉 with the orthogonal base B. However, Bob can get nothing about the value (v_i, w_i, g_i, q_i) from the measurement result. For example, according to Table 2, if the measurement result of |s_i〉 is (|φ+〉 + |ψ−〉)/√2, the possible values of (v_i, w_i, g_i, q_i) may be (0, 0, 1, 1), (0, 1, 1, 0), (1, 0, 0, 0), (1, 1, 0, 1). Note any of v_i, w_i, g_i and q_i has a uniform distribution. Hence, Bob cannot determine the value (v_i, w_i, g_i, q_i) from the measurement result. Without v, w, g, q, Bob cannot get h, e, l and u. Note h, e, l and u satisfy Eq. (1). Therefore, without h, e, l and u, it is impossible for Bob to derive the secret k from the quantum signature.

Table 1. The state of |s_i〉.

(v_i, w_i, g_i, q_i)   |a_i〉 = |φ+〉           |a_i〉 = |φ−〉           |a_i〉 = |ψ+〉           |a_i〉 = |ψ−〉
(0, 0, 0, 0)           |φ+〉                   |φ−〉                   |ψ+〉                   |ψ−〉
(0, 0, 0, 1)           |ψ−〉                   |ψ+〉                   −|φ−〉                  −|φ+〉
(0, 0, 1, 0)           (|φ−〉 + |ψ+〉)/√2       (|φ+〉 + |ψ−〉)/√2       (|φ+〉 − |ψ−〉)/√2       (|φ−〉 − |ψ+〉)/√2
(0, 0, 1, 1)           (|φ−〉 − |ψ+〉)/√2       (|φ+〉 − |ψ−〉)/√2       −(|φ+〉 + |ψ−〉)/√2      −(|φ−〉 + |ψ+〉)/√2
(0, 1, 0, 0)           −|ψ−〉                  |ψ+〉                   −|φ−〉                  |φ+〉
(0, 1, 0, 1)           |φ+〉                   −|φ−〉                  −|ψ+〉                  |ψ−〉
(0, 1, 1, 0)           −(|φ−〉 − |ψ+〉)/√2      (|φ+〉 − |ψ−〉)/√2       −(|φ+〉 + |ψ−〉)/√2      (|φ−〉 + |ψ+〉)/√2
(0, 1, 1, 1)           (|φ−〉 + |ψ+〉)/√2       −(|φ+〉 + |ψ−〉)/√2      −(|φ+〉 − |ψ−〉)/√2      (|φ−〉 − |ψ+〉)/√2
(1, 0, 0, 0)           (|φ−〉 + |ψ+〉)/√2       (|φ+〉 − |ψ−〉)/√2       (|φ+〉 + |ψ−〉)/√2       −(|φ−〉 − |ψ+〉)/√2
(1, 0, 0, 1)           −(|φ−〉 − |ψ+〉)/√2      (|φ+〉 + |ψ−〉)/√2       −(|φ+〉 − |ψ−〉)/√2      −(|φ−〉 + |ψ+〉)/√2
(1, 0, 1, 0)           |φ+〉                   |ψ+〉                   |φ−〉                   −|ψ−〉
(1, 0, 1, 1)           −|ψ−〉                  |φ−〉                   −|ψ+〉                  −|φ+〉
(1, 1, 0, 0)           (|φ−〉 − |ψ+〉)/√2       (|φ+〉 + |ψ−〉)/√2       −(|φ+〉 − |ψ−〉)/√2      (|φ−〉 + |ψ+〉)/√2
(1, 1, 0, 1)           (|φ−〉 + |ψ+〉)/√2       −(|φ+〉 − |ψ−〉)/√2      −(|φ+〉 + |ψ−〉)/√2      −(|φ−〉 − |ψ+〉)/√2
(1, 1, 1, 0)           |ψ−〉                   |φ−〉                   −|ψ+〉                  |φ+〉
(1, 1, 1, 1)           |φ+〉                   −|ψ+〉                  −|φ−〉                  −|ψ−〉

Table 2. Measurement base of |s_i〉 and the possible values (v_i, w_i, g_i, q_i).

|a_i〉 = |φ+〉; corresponding measurement base of |s_i〉: |φ+〉, |ψ−〉, (|φ−〉 + |ψ+〉)/√2, (|φ−〉 − |ψ+〉)/√2
  Measurement result of |s_i〉   Possible values of (v_i, w_i, g_i, q_i)
  |φ+〉                          (0, 0, 0, 0), (0, 1, 0, 1), (1, 0, 1, 0), (1, 1, 1, 1)
  |ψ−〉                          (0, 0, 0, 1), (0, 1, 0, 0), (1, 0, 1, 1), (1, 1, 1, 0)
  (|φ−〉 + |ψ+〉)/√2              (0, 0, 1, 0), (0, 1, 1, 1), (1, 0, 0, 0), (1, 1, 0, 1)
  (|φ−〉 − |ψ+〉)/√2              (0, 0, 1, 1), (0, 1, 1, 0), (1, 0, 0, 1), (1, 1, 0, 0)

|a_i〉 = |φ−〉; corresponding measurement base of |s_i〉: |ψ+〉, |φ−〉, (|φ+〉 + |ψ−〉)/√2, (|φ+〉 − |ψ−〉)/√2
  Measurement result of |s_i〉   Possible values of (v_i, w_i, g_i, q_i)
  |ψ+〉                          (0, 0, 0, 1), (0, 1, 0, 0), (1, 0, 1, 0), (1, 1, 1, 1)
  |φ−〉                          (0, 0, 0, 0), (0, 1, 0, 1), (1, 0, 1, 1), (1, 1, 1, 0)
  (|φ+〉 + |ψ−〉)/√2              (0, 0, 1, 0), (0, 1, 1, 1), (1, 0, 0, 1), (1, 1, 0, 0)
  (|φ+〉 − |ψ−〉)/√2              (0, 0, 1, 1), (0, 1, 1, 0), (1, 0, 0, 0), (1, 1, 0, 1)

|a_i〉 = |ψ+〉; corresponding measurement base of |s_i〉: |ψ+〉, |φ−〉, (|φ+〉 + |ψ−〉)/√2, (|φ+〉 − |ψ−〉)/√2
  Measurement result of |s_i〉   Possible values of (v_i, w_i, g_i, q_i)
  |ψ+〉                          (0, 0, 0, 0), (0, 1, 0, 1), (1, 0, 1, 1), (1, 1, 1, 0)
  |φ−〉                          (0, 0, 0, 1), (0, 1, 0, 0), (1, 0, 1, 0), (1, 1, 1, 1)
  (|φ+〉 + |ψ−〉)/√2              (0, 0, 1, 1), (0, 1, 1, 0), (1, 0, 0, 0), (1, 1, 0, 1)
  (|φ+〉 − |ψ−〉)/√2              (0, 0, 1, 0), (0, 1, 1, 1), (1, 0, 0, 1), (1, 1, 0, 0)

|a_i〉 = |ψ−〉; corresponding measurement base of |s_i〉: |φ+〉, |ψ−〉, (|φ−〉 + |ψ+〉)/√2, (|φ−〉 − |ψ+〉)/√2
  Measurement result of |s_i〉   Possible values of (v_i, w_i, g_i, q_i)
  |φ+〉                          (0, 0, 0, 1), (0, 1, 0, 0), (1, 0, 1, 1), (1, 1, 1, 0)
  |ψ−〉                          (0, 0, 0, 0), (0, 1, 0, 1), (1, 0, 1, 0), (1, 1, 1, 1)
  (|φ−〉 + |ψ+〉)/√2              (0, 0, 1, 1), (0, 1, 1, 0), (1, 0, 0, 1), (1, 1, 0, 0)
  (|φ−〉 − |ψ+〉)/√2              (0, 0, 1, 0), (0, 1, 1, 1), (1, 0, 0, 0), (1, 1, 0, 1)

4.2. Security against forgery

Suppose Eve is an adversary, who tries to forge a quantum signature of Alice. There are mainly two purposes for Eve’s forgery. The first purpose is that Eve tries to forge another signature {|s*〉, m, ID} after she captures a valid quantum signature {|s〉, m, ID}. That is, given a valid signature {|s〉, m, ID}, Eve tries to impersonate Alice to forge another signature {|s*〉, m, ID} on the same message m. Note a valid quantum signature should have the form of Eqs. (6), (7). Hence, to forge a signature {|s*〉, m, ID}, Eve has to choose some r* and compute the operator (H^{v_i*} Y^{w_i*}) ⊗ (H^{g_i*} Y^{q_i*}), where

$$w_i^* = m_{i1} \oplus r_i^* \oplus ID_i \oplus h_i^*, \tag{11}$$

$$v_i^* = m_{i1} \oplus r_i^* \oplus ID_i \oplus e_i^*, \tag{12}$$

$$g_i^* = m_{i2} \oplus r_{n+i}^* \oplus ID_i \oplus l_i^*, \tag{13}$$

$$q_i^* = m_{i2} \oplus r_{n+i}^* \oplus ID_i \oplus u_i^*. \tag{14}$$

However, without knowing the private key k, Eve cannot compute h*, e*, l* and u* from Eq. (1), so it is impossible for Eve to compute w*, v*, g* and q* which satisfy Eqs. (11)–(14). Without w*, v*, g* and q*, it is impossible for Eve to get the operator (H^{v_i*} Y^{w_i*}) ⊗ (H^{g_i*} Y^{q_i*}) for each |a_i〉. Therefore, this kind of forgery is infeasible for Eve.

For the second forgery, Eve tries to forge a signature on her chosen message m*. So, Eve has to choose some m* and r* adaptively so as to forge a new quantum signature {|s*〉, m*, ID}. By the analysis similar to the above, it follows that this kind of forgery is infeasible for the adversary, too. Therefore, our scheme is secure against forgery attacks.

4.3. Security against repudiation

Non-repudiation is an important security property of the public-key signature scheme. It requires that a signer cannot deny the valid signatures he/she signed previously. In an identity-based signature scheme, PKG is a trusted party, who will never reveal the private keys of all the users. In our scheme, the trusted party PKG generates the private key for the signer. PKG will never reveal the private key of the signer. Nor does PKG impersonate the signer to sign any message. Alice signs a message and generates the corresponding quantum signature with her private key. Bob verifies the quantum signature with Alice’s identity ID. From Section 4.2, it is known that the proposed quantum signature scheme is secure against forgery. So, once the quantum signature passes the verification, Alice cannot deny it, since only Alice owns the corresponding public key, her identity, and only she can generate the identity-based quantum signature.

On the other hand, our quantum signature scheme can arbitrate the disputation of losing quantum signature. In general, for a quantum signature scheme, once the quantum signature is verified, the state of the quantum signature is changed. This means both the signer and the verifier will lose the quantum signature. So, the signer may deny the fact that she has ever generated a quantum signature, while the verifier may deny the fact that he has ever verified a quantum signature. We call this kind of disputation the disputation of losing quantum signature. To our knowledge, most of the existing quantum signature schemes cannot arbitrate this kind of disputation. Our identity-based signature scheme can arbitrate this kind of disputation. In fact, in our scheme, once the quantum signature {|s〉, m, ID} passes the verification, both the signer and the verifier will lose the quantum signature. However, Alice cannot deny the fact that she has ever generated a quantum signature {|s〉, m, ID}, because PKG has the signature proof (h, e, l, u, ID, r, m, Bob), which satisfies Eqs. (1)–(7). Since only Alice masters the private key k, only she can generate (h, e, l, u) for r and m according to Eq. (1). PKG can check the signature proof to prove that Alice has generated the quantum signature for Bob. Therefore, with the help of PKG, Alice cannot deny the fact that she has ever generated the signature on m. Similarly, the verifier cannot deny that he has ever verified the quantum signature, since the signature proof (h, e, l, u, ID, r, m, Bob) records Bob’s verifying information (ID, r, m, Bob), where m, r and ID are announced by Bob.

4.4. Comparison with other public-key quantum signature schemes

In Table 3, we show the advantages of our scheme. Firstly, our scheme is an identity-based quantum signature scheme, in which the signer’s public key is her identity information, and the corresponding private key is a bit string. The signer signs a message with his private key, and anyone can verify the quantum signature with the signer’s identity. So, our quantum scheme has the same advantages of key management as the classical identity-based schemes. It can simplify the key management of quantum signature schemes.
Secondly, in Gottesman et al.’s scheme, the signer uses an unknown qubit string as the public key, which means the signer’s public key can only be used once. In our quantum signature, the signer’s public key and private key are all classical bit strings, which can be easily stored. According to Section 4.1, we know that Alice’s private key is secure. Hence, the signer’s private key can be reused to sign different messages. On the other hand, the signer’s public key is her identity, which can be reused to verify different quantum signatures, too. Thirdly, in Chen et al.’s scheme, the long-term quantum memory has to be used to store many copies of quantum digest (unknown quantum sequences), which may affect the application of their scheme. In our scheme, it need not use the long-term quantum memory. So, our scheme is more practicable than Chen et al.’s scheme. Fourthly, in both Gottesman and Chen et al.’s schemes, the verifiers have to perform many rounds of quantum swap tests to verify a quantum signature, which will greatly affect the efficiency of their quantum signatures. In our scheme, it need not perform any quantum swap test. Hence, our scheme is relatively more efficient. Finally, in our scheme, the quantum signature proof is used to arbitrate the disputation of losing quantum signature, which cannot be arbitrated in most of the existing quantum signature schemes. So, our scheme is more secure than the similar schemes.

Table 3. Comparisons of the similar public-key schemes.

Schemes                  Identity-based scheme   Reusability of keys   Requirement for long-term quantum memory   Requirement for quantum swap test   Ability of arbitrating losing quantum signature
Gottesman in Ref. [2]    No                      No                    No                                         Yes                                 No
Chen in Ref. [14]        Yes                     Yes                   Yes                                        Yes                                 No
Our scheme               Yes                     Yes                   No                                         No                                  Yes

5. Conclusions

Most of the quantum signature schemes were arbitrated quantum signature schemes, and public-key quantum signature schemes were seldom proposed. In this paper, we propose an identity-based public-key quantum signature scheme. It has the advantages of the classical identity-based systems. The signer’s public key and private key are all classical bit strings, which can be easily stored. The signer’s private key can be reused to sign different messages, and the signer’s identity can be reused to verify different quantum signatures. The system need not use the long-term quantum memory. The signer need not perform any quantum swap test during the signature verification. What is more, we use the signature proof to arbitrate the disputation of losing quantum signature, which cannot be arbitrated in most of existing quantum signature schemes. Therefore, our scheme is more secure, practicable and efficient than the similar schemes.

References

[1] P.W. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM J. Comput. 26 (5) (1997) 1484–1509.
[2] D. Gottesman, I. Chuang, Quantum Digital Signatures, arXiv: quant-ph/0105032 (2001).
[3] G.H. Zeng, C.H. Keitel, Arbitrated quantum-signature scheme, Phys. Rev. A 65 (4) (2002) 042312.
[4] K.J. Zhang, W.W. Zhang, D. Li, Improving the security of arbitrated quantum signature against the forgery attack, Quantum Inf. Process. 12 (8) (2013) 2655–2669.
[5] Q. Su, W.M. Li, Improved quantum signature scheme with weak arbitrator, Int. J. Theor. Phys. 52 (9) (2013) 3343–3352.
[6] M.S. Kang, C.H. Hong, J. Heo, J.I. Lim, H.J. Yang, Quantum signature scheme using a single qubit rotation operator, Int. J. Theor. Phys. 54 (2) (2015) 614–629.
[7] Y. Guo, Y. Feng, D. Huang, Arbitrated quantum signature scheme with continuous-variable coherent states, Int. J. Theor. Phys. 55 (4) (2016) 2290–2302.
[8] Y.G. Yang, H. Lei, Z.C. Liu, Y.H. Zhou, W.M. Shi, Arbitrated quantum signature scheme based on cluster states, Quantum Inf. Process. 15 (2016) 2487–2497.
[9] T.Y. Wang, J.F. Ma, X.Q. Cai, The postprocessing of quantum digital signatures, Quantum Inf. Process. 16 (19) (2017).
[10] H. Ma, F. Li, N. Mao, Y. Wang, Y. Guo, Network-based arbitrated quantum signature with graph state, Int. J. Theor. Phys. 56 (8) (2017) 2551–2561.
[11] N. Fatahi, M. Naseri, L.H. Gong, H.L. Qing, High-efficient arbitrated quantum signature scheme based on cluster states, Int. J. Theor. Phys. 56 (2) (2017) 609–616.
[12] X. Xin, Q. He, Z. Wang, Q. Yang, F. Li, Security analysis and improvement of an arbitrated quantum signature scheme, Optik 189 (2019) 23–31.
[13] A. Shamir, Identity-based cryptosystems and signature schemes, The Workshop on the Theory and Application of Cryptographic Techniques vol. 21, Springer, Berlin Heidelberg, 1984, pp. 47–53.
[14] F.L. Chen, W.F. Liu, S.G. Chen, Z.H. Wang, Public-key quantum digital signature scheme with one-time pad private-key, Quantum Inf. Process. 17 (10) (2018) 1–14.
[15] C.E. Shannon, Communication theory of secrecy systems, Bell Syst. Tech. J. 28 (4) (1949) 656–715.
[16] C.H. Bennett, G. Brassard, Quantum cryptography: public key distribution and coin tossing, Proceedings of the IEEE International Conference on Computers Systems and, Signal Processing (1984) 175–179.
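
Added example (not part of the original paper): a state-vector simulation of Eqs. (1)–(10) that checks the correctness claim of Section 4 and regenerates the grouping behind Table 2 in Section 4.1. It assumes SHAKE-256 as a stand-in for the public functions T_1–T_4, a concatenated bit layout for m, and a caller-supplied key k in place of PKG's G(ID); decoy particles and the OTP transport of r are left out, and all function names are hypothetical.

```python
import hashlib
import itertools
import math

S = 1 / math.sqrt(2)
I2 = [[1, 0], [0, 1]]
H = [[S, S], [S, -S]]
Y = [[0, -1], [1, 0]]    # sign convention that reproduces the paper's Table 1 entries
YT = [[0, 1], [-1, 0]]   # Y is real, so its adjoint Y^+ is its transpose
# S-step 1 encoding; amplitudes are listed over |00>, |01>, |10>, |11>
BELL = {"00": [S, 0, 0, S], "01": [S, 0, 0, -S], "10": [0, S, -S, 0], "11": [0, S, S, 0]}


def op(first, fbit, second, sbit):
    """Return first^fbit * second^sbit as a 2x2 matrix."""
    a, b = (first if fbit else I2), (second if sbit else I2)
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def apply(op1, op2, state):
    """Apply op1 (x) op2 to a two-qubit state vector."""
    out = [0.0] * 4
    for i, j, k, l in itertools.product(range(2), repeat=4):
        out[2 * i + j] += op1[i][k] * op2[j][l] * state[2 * k + l]
    return out


def sign_state(sym, v, w, g, q):
    """Eq. (6): |s_i> = (H^v Y^w) (x) (H^g Y^q) |a_i>."""
    return apply(op(H, v, Y, w), op(H, g, Y, q), BELL[sym])


def one_way(label, bits, n):
    """Stand-in for the public functions T1..T4 (assumption: labelled SHAKE-256)."""
    digest = hashlib.shake_256(label + bytes(bits)).digest((n + 7) // 8)
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(n)]


def derive(msg, ident, k, r):
    """Eqs. (1)-(5) and (8): the classical bits used at each position i."""
    n = len(ident)
    mbits = [int(b) for sym in msg for b in sym]   # assumed layout of m as 2n bits
    x = [a ^ b ^ c for a, b, c in zip(mbits, k, r)]
    h, e, l, u = (one_way(t, x, n) for t in (b"T1", b"T2", b"T3", b"T4"))
    rows = []
    for i in range(n):
        c = int(msg[i][0]) ^ r[i] ^ ident[i]
        d = int(msg[i][1]) ^ r[n + i] ^ ident[i]
        rows.append((c ^ h[i], c ^ e[i], d ^ l[i], d ^ u[i], c, d, e[i], l[i]))
    return rows  # (w, v, g, q, c, d, e, l) per position


def sign(msg, ident, k, r):
    """S-steps 1-3 without decoy particles: the signature as a list of state vectors."""
    return [sign_state(sym, v, w, g, q)
            for sym, (w, v, g, q, *_) in zip(msg, derive(msg, ident, k, r))]


def accept_probability(sig, msg, ident, k, r):
    """V-steps 2-5: probability that PKG's Bell measurement returns m at every position."""
    prob = 1.0
    for s, sym, (w, v, g, q, c, d, e, l) in zip(sig, msg, derive(msg, ident, k, r)):
        b = apply(op(H, c, I2, 0), op(H, d, I2, 0), s)   # Bob, Eq. (9): H^c (x) H^d
        a = apply(op(YT, w, H, e), op(YT, q, H, l), b)   # PKG, Eq. (10)
        prob *= sum(x * y for x, y in zip(a, BELL[sym])) ** 2
    return prob


def table2_classes(sym):
    """Group all 16 (v, w, g, q) by the state they produce, ignoring the global sign."""
    classes = {}
    for bits in itertools.product((0, 1), repeat=4):
        state = sign_state(sym, *bits)
        sgn = 1 if next(x for x in state if abs(x) > 1e-9) > 0 else -1
        key = tuple(round(sgn * x, 6) + 0.0 for x in state)
        classes.setdefault(key, []).append(bits)
    return classes
```

A signature produced and checked under the same k gives acceptance probability 1, because v_i = c_i ⊕ e_i and g_i = d_i ⊕ l_i make the Hadamard factors cancel before Y^+ undoes Y. Each Bell state yields four classes of four operator settings, which is the ambiguity Table 2 relies on.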
