Quantum signature-masked authentication schemes

Quantum signature-masked authentication schemes

Optik 126 (2015) 3544–3548 Contents lists available at ScienceDirect Optik journal homepage: www.elsevier.de/ijleo Quantum signature-masked authent...
Download PDF
348KB Sizes 1 Downloads 81 Views
Report

Optik 126 (2015) 3544–3548

Contents lists available at ScienceDirect

Optik journal homepage: www.elsevier.de/ijleo

Quantum signature-masked authentication schemes Wei-Min Shi ∗ , Yu-Guang Yang, Yi-Hua Zhou College of Computer Science and Technology, Beijing University of Technology, Beijing 100124, China

a r t i c l e

i n f o

Article history: Received 23 September 2014 Accepted 31 August 2015 Keywords: Quantum identity authentication Signature-masked Public key

a b s t r a c t In this paper we analyze the security of Zhang’s scheme [Chin. Sci. Bull., 2009, 54: 2018–2021], and find that there are two potential loopholes, i.e. the participants forgery attack and impersonation attack. Then, following the elementary method of Zhang’s scheme, we propose a quantum signature-masked authentication scheme, which can be widely used many systems, such as the identity authentication between Digital Set-Top-Box (DSTB) and smart card in secure Digital Video Broadcasting (DVB) service system. In our scheme, a semi-trusted center of authentication CA issues the original credential certificates for a user and the final credential certificates is generated by adding her secret information, that is, the user’s final credential certificates is generated by her own and CA together. This new scheme can solve Zhang’s scheme security problem. Moreover, analysis results show that our scheme can withstand the forgery attack, impersonation attack and inter-resend attack. © 2015 Elsevier GmbH. All rights reserved.

1. Introduction In many cryptographic applications we consider the following situation: a user wants to get some services from a service provider. There is also a trusted center of authentication, e.g. CA, who issues credential certificates to the qualified users. Only after the service provider is convinced that a user possesses the corresponding credentials issued by CA, the user can obtain its services. In this system, to prevent any adversary from intercepting the credential certificates or colluding with the service provider to frame some authorized users, based on the classical cryptography, they proposed some signature-masked authentication schemes [1–4]. Signature-masked authentication scheme means [1]: when a user obtains a certificate (signature) from CA and in order to get some services from a service provider, he shall convince the service provider that he has the signature without transmitting the original signature to the provider. That is to say, the signature of CA will not be sent to the service provider directly by the user, while the service provider can be convinced that the user really knows the signature. Signature-masked authentication widely used many systems, such as the identity authentication between Digital Set-Top-Box (DSTB) and smart card in secure Digital Video Broadcasting (DVB) service system. The quantum identity authentication (QIA) [5–19] has been proposed successively in recent years. However, those QIA schemes are

∗ Corresponding author. Tel.: +86 010 67396063. E-mail address: [email protected] (W.-M. Shi). http://dx.doi.org/10.1016/j.ijleo.2015.08.277 0030-4026/© 2015 Elsevier GmbH. All rights reserved.

limited in DSTB or DVB service system. For example, Duˇsek et al. [5] proposed a hybrid quantum authentication system by combining quantum key distribution (QKD) with classical authentication. Refs. [6,7] proposed some schemes by introducing a reliable authentication center, which can perform QKD as well as QIA. Curty and Santos [8] proposed a quantum authentication protocol for binary classical messages in a secure manner by using one qubit as the authentication key. Based on quantum entanglement, Mihara [9] presented a QIA scheme depending on a trusted authority and a quantum message authentication scheme by combining a different quantum cryptosystems with an ordinary authentication tag. A QIA scheme for distributed network [10] was proposed based on quantum teleportation and entanglement swapping. Utilizing the Greenberger–Horne–Zeilinger (GHZ) states, Lee et al. [11] proposed two protocols which combined quantum secure direct communication with user authentication. However, Zhang et al. [12] indicated these two protocols are vulnerable to some specific attacks by the authenticator Trent and put forward two modified protocols by using the Pauli Z operation ız instead of the original bit-flip operation. Based on Bell states, Yen et al. [13] proposed a quantum direct communication with mutual authentication protocol, but it is in the condition that the authenticator must do the authentication job faithfully. In 2010, Liu et al. [14] presented a quantum secure direct communication and authentication protocol, where Bell states were used as the information carriers and polarized photons were used to detect eavesdropping and authentication. And then Gao et al. [15] pointed out this protocol is not secure against the MITM attack. In 2011, Naseri [16] proposed a protocol for quantum secure dialog with authentication by using single photons. In

W.-M. Shi et al. / Optik 126 (2015) 3544–3548

Refs. [17–19], the multi-user can be authenticated by a trusted third party simultaneously. The above QIA schemes are based on symmetrical key cryptosystem but Zhang [20] proposed a QIA protocol cryptosystem with the help from a trusted center of authentication (CA). In this paper, we firstly analyze the security of Zhang’s scheme [20], and show that there are two potential loopholes, i.e. CA’s impersonation attack and Alice’s forgery attack. Then, following the elementary method of Zhang’s scheme, we propose a quantum signature-masked authentication scheme, which can resist forgery attack, impersonation attack and inter-resend attack. The rest of the paper will be constructed as follow: Section 2 gives cryptanalysis of Zhang’s protocol. Section 3 gives details of the quantum signaturemasked authentication scheme. The security is analyzed in Section 4. Finally, a short conclusion is given in Section 5.

3545

2.1.3. Authentication phase Bob authenticates Alice’s identity, then applies W  [2] to | : [2] [2] [1] [2] [2]  : |  → | , and W  [2] is defined as W  [2] = U  1 V  1 ⊗ W [2]

[2]

[2]

[2]

U  2 V  2 ⊗ · · ·· · · ⊗ U  n V  n , where [2]

Ui

= U(ai ),

[2]

V i

= V (bi ),

U(1) = iy = |0 1| − |1 0|, U(0) = |0 0| + |1 1|, 1 1 V (1) = H = √ (|0 + |1) 0| + √ (|0 − |1) 1|, 2 2 V (0) = |0 0| − |1 1| [2]

Bob measures |  on the basis (0, 0, . . .. . . , 0) and gets message (c1 , c2 , . . .. . ., cn ). If (c1 , c2 , . . .. . ., cn ) = (c1 , c2 , . . .. . ., cn ), the signature is valid. Otherwise, the signature is invalid.

2. Analysis of Zhang’s scheme [20] 2.2. Cryptanalysis of Zhang’s protocol In this section we first recall Zhang’s protocol briefly and our security analysis follows. 2.1. Zhang’s protocol Zhang’s protocol has three phases: preparation phase, signature phase and authentication phase. To save space, the follow description about checking eavesdropping is omitted. 2.1.1. Preparation phase Alice selects a public key Ka = (a1 , b1 , a2 , b2 , . . .. . . , an , bn ) and sends it to CA. CA generates a private key Kb = (e1 , f1 , e2 , f2 , . . .. . . , en , fn ) for Alice. CA calculates and secretly stores K = Ka ⊕ Kb = (k1a , k1b , k2a , k2b , . . .. . ., kna , knb ). Where ai , bi , ei , fi , kia , kib ∈ {0, 1}, and ⊕ represents bitwise exclusive-OR. At last, CA sends the private key Kb to Alice in a security way. 2.1.2. Signature phase Suppose that Alice generates an authentication message M = (c1 , c2 , . . .. . . , cn ), where ci ∈ {0, 1}. Then Alice generates a quantum state encoded with Kb expressed by |  = |ϕc1 ⊕e1 ,f1  ⊗ |ϕc2 ⊕e2 ,f2  ⊗ · · ·· · · ⊗ |ϕcn ⊕en ,fn . Where for each i = 1, 2, . . ., n, a qubit |ϕci ⊕ei ,fi  is one of the following states: |ϕ0,0  = |0 |ϕ1,0  = |1 |0 + |1 √ 2 |0 − |1 |ϕ1,1  = √ 2 |ϕ0,1  =

Alice sends the private key |  to CA, then CA applies W  [1] to [1] [1] [1] |: W  [1] : |  → | , and W  [1] is defined as W  [1] = U  1 V  1 ⊗ [1]

[1]

[1]

[1]

U  2 V  2 ⊗ · · ·· · · ⊗ U  n V  n , where [1]

Ui

= U(kia ),

[1]

V i

= V (kib ),

U(1) = iy = |0 1| − |1 0|, U(0) = |0 0| + |1 1|, 1 1 V (1) = H = √ (|0 + |1) 0| + √ (|0 − |1) 1|, 2 2 V (0) = |0 0| − |1 1| At last, CA sends signature |

[1]

 to Bob.

After analyzing the above protocol, we find that there are two potential loopholes: 2.2.1. Alice’s forgery attack CA generates signature (this is also called credential certificates [1] in the traditional cryptography) |  for Alice, similarly Alice can [1] also generate |  because Alice knows K by her public key Ka and private key Kb , namely, K = Ka ⊕ Kb . Moreover, when Bob receives [1] signature |  from CA, Bob do not identity the true source of [1] quantum state |  except for checking eavesdropping by insert[1] ing some sample particle in |  randomly. In Zhang’s protocol, Alice may be malicious, so Alice’s can forge credential certificates (valid signature) by herself to get some services from the service provider Bob. 2.2.2. CA’s impersonation attack In Zhang’s protocol, CA may be untrusted, so CA can get Alice’s private key Ka by keeping secretly or according to K ⊕ Kb in preparation phase, then CA generates a sequence of single photons | and obtains Alice’s credential certificates (signature) |[1]  without Alice’s participating. That is, Zhang’s scheme cannot prevent the malicious CA from impersonation legitimate user Alice by forging her credential certificates to get Alice’s privacy information. Because there are the above two potential loopholes, Zhang’s scheme is limited in many network application systems, For example, in many cryptographic applications we consider the following situation: when a user wants to get some services from a service provider (e.g. a user applies for a driving license from the traffic management department), he has to firstly prove to the service provider that he is qualified (e.g. he has passed the driving examination.) or he has a credential certificates issued by a trusted center of authentication (e.g. CA). Then the service provider provides the service to the user. Suppose Alice is a service requester, and Bob is a service provider, and CA issues credential certificates for the qualified users in Zhang’s scheme. On the one hand, Alice can forge the valid credential certificates by herself, so Alice can obtain directly services from the service provider Bob without a credential certificates issued by CA. On the other hand, through forging Alice’s credential certificates, CA can impersonate legitimate user Alice to get her services from the service provider Bob, hence, the assumption of a complete honest CA is unreasonable in Zhang’s protocol. To solve the above security problem, we will propose a quantum signature-masked authentication scheme by following the elementary method of Zhang’s scheme. In our scheme, CA issues the original credential certificates for Alice and the final credential certificates is generated by adding her secret information, that is,

3546

W.-M. Shi et al. / Optik 126 (2015) 3544–3548

Alice’s final credential certificates is generated by her own and CA together. Our scheme can solve Zhang’s scheme security problem.

Step 3: CA obtains | by decrypting EPA ⊕SA {|} with KA , and CA applies W[1] to | according to KA ⊕ KB , then obtains the original signature |S .

3. Quantum signature-masked authentication scheme

W [1] : | → |S  

Our quantum signature-masked authentication scheme involves three entities: a user Alice, a service provider Bob and a semi-trusted center of authentication CA. The present scheme includes the following three phases: setup, signature-masked, verify.

In this phase, the user Alice and the service provider Bob randomly selects a public key for identity, and sends it to CA for obtaining their private key, respectively. Step 1: Alice (Bob) selects a public key PA (PB ) and sends it to CA: PA = (aA1 , bA1 , aA2 , bA2 , . . .. . ., aAn , bAn )

(1)

PB = (aB1 , bB1 , aB2 , bB2 , . . .. . ., aBn , bBn )

where aAi , bAi (aBi , bBi ) ∈ {0, 1}, 0 ≤ i ≤ n. Step 2: CA examines the qualification of Alice (Bob). If TA accepts Alice (Bob) as a qualified user, it generates a private key SA (SB ) for Alice (Bob): SA = (c1A , d1A , c2A , d2A , . . .. . ., cnA , dnA )

(2)

SC = (c1B , d1B , c2B , d2B , . . .. . ., cnB , dnB ) where ciA , diA (ciB , diB ) ∈ {0, 1}, 0 ≤ i ≤ n. Step 3: CA computes and secretly stores KA (KB ): KA = PA ⊕ SA = (e1A , f1A , e2A , f2A , . . .. . ., enA , fnA )

(3)

KB = PB ⊕ SB = (e1B , f1B , e2B , f2B , . . .. . ., enB , fnB )

where eiA , fiA (eiB , fiB ) ∈ {0, 1}, 0 ≤ i ≤ n, and ⊕ represents bitwise exclusive-OR. At last, CA sends the private key SA (SB ) to Alice (Bob) by a security way. 3.2. Signature-Masked Step 1: Suppose Alice’s authentication message is M: M = (m1 , m2 , . . .. . ., mn )

(4)

where mi ∈ {0, 1} , 0 ≤ i ≤ n.   Step 2: Alice generates an initial quantum state  according to SA : A A 1 ⊕c1 ,d1

W

[1]

(7)

is defined as: [1]

[1]

[1]

[1]

[1]

[1]

= U1 V1 ⊗ U2 V2 ⊗ · · ·· · · ⊗ Un Vn

(8)

where [1]

Ui

= U(eiA ⊕ eiB ),

[1]

Vi

= V (fiA ⊕ fiB ),

U(1) = iy = |0 1| − |1 0|,

3.1. Setup

| = |ϕm

W[1]

 ⊗ |ϕm

A A 2 ⊕c2 ,d2

 ⊗ · · ·· · · ⊗ |ϕmn ⊕cA ,dA  n

n

(5)

ing states:

i

(9)

V (0) = |0 0| − |1 1| Then CA computes EKA {|S  } by encrypting |S  using KA according to one-time pad encryption algorithm [21], and sends EKA {|S  } to Alice through a quantum channel. Step 4: Alice generates n EPR pairs {| 1  , | 2  , . . .. . . , | n }, and each pair is in the Bell state | i  = √1 (|0ai 0bi  + |1ai 1bi ) = 2

√1 (|+a +b  + |−a −b ) i i i i 2

(i = 1, 2, . . ., 2n), where ai and bi denote

the ith two entangled particles. Then, Alice distributes the particle sequence | b  = {| b1 , | b2 , . . .. . ., | bn } to Bob and keeps the particle sequence | a  = {| a1 , | a2 , . . .. . ., | an }. For ensuring the security of the quantum channel, we utilize block-transmission protocol to distribution | b . You can find the block-transmission protocol in [22,23]. To save space, we omit it here. Step 5: Alice chooses randomly  Z -basis {|0  , |1 } or  X -basis {| +  , | − } to measure her particle sequence | a , and record the measurement results as {|k1  , |k2  , . . .. . . , |kn }, where |ki  ∈ {|0  , |1  , | +  , | − }. Then, Alice encodes the four states |0 , |1  , | +  , | −  into classical bits 00, 01, 10, 11, respectively. Finally, all the measurement results can be written as KAB = {p1 , q1 , p2 , q2 , . . .. . . , pn , qn }. Alice announces her measure bases ( Z -basis or  X -basis) to Bob, and Bob measures the corresponding particles | b  with the same bases published by Alice, then he encodes the four states |0 , |1  , | +  , | −  into classical bits 00, 01, 10, 11, finally bob gets KAB . Step 6: Alice chooses a 2n random sequence RA = (g1 , h1 , g2 , h2 , . . .. . . , gn , hn ) where gi , hi ∈ {0, 1} , 0 ≤ i ≤ n, and computes  = RA ⊕ KAB = (r1 , s1 , r2 , s2 , . . .. . . , rn , sn ). Step 7: Alice gets |S  by decryption EKA {|S  } with PA ⊕ SA , and applies W[2] to |S  according to RA ⊕ PB , then obtains the final signature |S. W [2] : |S   → |S

(10)

W[2] is defined as:

where for each i = 1, 2, . . ., n, a qubit |ϕm ⊕cA ,dA  is one of the followi

U(0) = |0 0| + |1 1|, 1 1 V (1) = H = √ (|0 + |1) 0| + √ (|0 − |1) 1|, 2 2

i

[2]

[2]

[2]

[2]

[2]

[2]

W [2] = U1 V1 ⊗ U2 V2 ⊗ · · ·· · · ⊗ Un Vn

(11)

where |ϕ0,0  = |0

[2]

Ui

|ϕ1,0  = |1 |0 + |1 √ 2 |0 − |1 |ϕ1,1  = √ 2 |ϕ0,1  =

= U(gi ⊕ aBi ),

[2]

Vi

= V (hi ⊕ bBi ),

U(1) = iy = |0 1| − |1 0|, (6)

Then Alice computes EPA ⊕SA {|} by encrypting | using PA ⊕ SA according to one-time pad encryption algorithm [21], and sends EPA ⊕SA {|} to CA through a quantum channel.

U(0) = |0 0| + |1 1|, 1 1 V (1) = H = √ (|0 + |1) 0| + √ (|0 − |1) 1|, 2 2

(12)

V (0) = |0 0| − |1 1| Finally, Alice’s credential certificates is {, |S } on M and Alice sends {M, , |S } to Bob for getting his service.

W.-M. Shi et al. / Optik 126 (2015) 3544–3548

3547

3.3. Verify

4.2. Forgery attack

After receiving {M, , |S } from Alice, the service provider Bob will execute the following steps: Step 1: Bob computes  ⊕ KAB = RA ⊕ KAB ⊕ KAB = RA , and applies W[3] to |S according to PA ⊕ SB ⊕ RA , then obtains |SV .

The proposed protocol can withstand the forgery attack. In our scheme, Alice’s credential certificates {, |S } is generated by her own and CA together, hence, Alice or CA cannot forger the final credential certificates {, |S }. Firstly, the user Alice may be dishonest in the scheme, so she may forge |SA∗  according to | then compute the final {A∗ , |SA∗ }. However, an effective |S  needs using the knowledges of the Bob’s private information KB , so it is impossible that {A∗ , |SA∗ } computed according to |SA∗  is valid through verification, because Alice does not know the value of KB . If Alice only guesses KB , the error rate for ever bit should be 1/2, and |SA∗  is accepted with the probability 1/16n . By the above cryptanalysis, we show that the malicious Alice cannot forge credential certificates (valid signature) by herself to get some services from the service provider Bob. Secondly, CA may be malicious in the scheme, so he may forge signature {C∗ , |SC∗ } according to |, then impersonate Alice to obtain some services from the service provider Bob. That is, CA randomly chooses RC∗ and tries to compute a new {C∗ , |SC∗ }. We know that an effective {, |S } needs using the knowledges of the shared keys KAB between Alice and Bob, so it is impossible that {C∗ , |SC∗ } is valid through verification, because CA does not know the value of KAB . If TC only guesses KAB , the error rate for ever bit should be 1/2, and C∗ is accepted with the probability 1/4n and |SC∗  is accepted with the probability 1/16n . Finally, because the service provider Bob does not know Alice’s private key SA , as the above cryptanalysis, Bob cannot also forge Alice’s credential certificates {, |S }. Alice and Bob and CA, as the participants, are still unable to forge signatures, let alone an outsider attacker Eve. Therefore, our scheme is strong unforgeability.

W [3] : |S → |SV 

(13)

W[3] is defined as: [3]

[3]

[3]

[3]

[3]

[3]

W [3] = U1 V1 ⊗ U2 V2 ⊗ · · ·· · · ⊗ Un Vn

(14)

where [3]

Ui

= U(aAi ⊕ ciB ⊕ gi ),

[3]

Vi

= V (bAi ⊕ diB ⊕ hi ),

U(1) = iy = |0 1| − |1 0|, U(0) = |0 0| + |1 1|, 1 1 V (1) = H = √ (|0 + |1) 0| + √ (|0 − |1) 1|, 2 2

(15)

V (0) = |0 0| − |1 1| Step 2: Bob measures |SV  on the basis (|0  , |0  , ......, |0 ) and gets M  = (m1 , m2 , . . .. . ., mn ). If (m1 , m2 , . . .. . ., mn ) = (m1 , m2 , . . .. . ., mn ), the signature-masked is valid, otherwise reject. In our scheme, CA issues the original credential certificates (signature) |S  for the qualified Alice, and only CA can generate |S , because anyone cannot know the two secret keys KA , KB except CA (but Alice knows KA and Bob knows KB ). After receiving |S  from CA, Alice does not send the original credential certificates (signature) |S  generated by CA to the service provider Bob, but uses {, |S } as her final credential certificates. Obviously, Bob can be convinced that the user Alice really knows the signature |S , because verifying the validity of {, |S }, Bob needs Alice’s public key PA and his own private SB . So our scheme is a signature-masked authentication scheme. 4. Security analysis In this section, we give security analysis of our proposed scheme. We will show that the proposed scheme is correctness and can withstand the forgery attack, impersonation attack, inter-resend attack. 4.1. Correctness The proposed quantum signature-masked authentication scheme can be accepted by the verify algorithm. In the signaturemasked phase, Alice generates an initial quantum state | according to SA . In the next phase, we can find: K ⊕K

R ⊕P

PA ⊕SB ⊕RA

(7)

(10)

(13)

B  A A | −→ |S  −→B |S

−→

|SV 

(16)

By Eqs. (3), (9), (12) and (15), we can get: ciA

= eiA ⊕ eiB ⊕ gi ⊕ aBi ⊕ aAi ⊕ ciB ⊕ gi = aAi ⊕ ciA ⊕ aBi ⊕ ciB ⊕ gi ⊕ aBi ⊕ aAi ⊕ ciB ⊕ gi

diA

= fiA ⊕ fiB ⊕ hi ⊕ bBi ⊕ bAi ⊕ diB ⊕ hi

4.3. Impersonation attack The proposed protocol can withstand the impersonation attack. On the one hand, an attacker impersonates the user Alice in order to get some services from the service provider Bob. Firstly, CA may forge Alice’s credential certificates {, |S }, then impersonate Alice to obtain some services from the service provider Bob. Same as the above analysis of forgery attack, CA cannot generate a valid {, |S }, so CA cannot impersonate the user Alice to get some services from the service provider Bob. Secondly, Eve may intercept EPA ⊕SA {|} (EKA {|S  }) when they are transmitted from Alice to CA (from CA to Alice) and tries to obtain | and |S , but those quantum state message transmitted though quantum channel is ciphertexts which is encrypted using one-time pad encryption algorithm. On the other hand, an attacker wants to impersonate the service provider Bob verifying Alice’s identity in order to provide some false services. In the verify phase, a verifier has to use his private key SB and the shared keys KAB between Alice and Bob to verify the validity of Alice’s credential certificates {, |S }. Only the service provider Bob has the two keys SB , KAB , so anyone cannot verify the validity of Alice’s credential certificates except Bob.

4.4. Inter-resend attack (17)

= bAi ⊕ diA ⊕ bBi ⊕ diB ⊕ hi ⊕ bBi ⊕ bAi ⊕ diB ⊕ hi Bob measures |SV  on the basis (|0  , |0  , . . .. . . , |0 ) and gets (m1 , m2 , . . .. . ., mn ), then it is easy to verify (m1 , m2 , . . .. . ., mn ) = (m1 , m2 , . . .. . ., mn ) holds.

The proposed protocol can withstand the Inter-resend attack. In our scheme, all the quantum state messages transmitted though quantum channel is ciphertexts which is encrypted using one-time pad encryption algorithm. Because the one-time pad encryption algorithm and the secret key are unconditionally secure in quantum cryptography, Eve cannot obtain any other message from these ciphertext. When the number of the qubit n is large

3548

W.-M. Shi et al. / Optik 126 (2015) 3544–3548

enough, the probability is negligible that Eve wants to resend a message and cannot be detected only by guessing. 5. Conclusions In this paper, we firstly point out that Zhang’s scheme has two potential loopholes, then we present a quantum signature-masked authentication scheme by following the elementary method of Zhang’s scheme. Different from the previous quantum identity authentication schemes, our scheme supposes the CA is a semi-trusted center of authentication, and user’s final credential certificates is generated by her own and CA together. Hence, the proposed protocol is a signature-masked authentication scheme and can resist the participant’s impersonation attack and forgery attack, which can be widely used many systems, such as the identity authentication between Digital Set-Top-Box (DSTB) and smart card in secure Digital Video Broadcasting (DVB) service system. Acknowledgments This work is supported by the National Natural Science Foundation of China (grant nos: 61003290 and 61272044); Beijing Natural Science Foundation (grant no. 4122008); Funding Project for Academic Human Resources Development in Institutions of Higher Learning Under the Jurisdiction of Beijing Municipality (no. CIT&TCD 201304039). References [1] F.G. Zhang, K. Kim, Signature-masked Authentication Using the Bilinear Pairings, Cryptology & Information Security Laboratory (CAIS), Information and Communications University, 2002, Technical report. [2] S.-p. Wang, C.-x. Yang, X.-f. Wang, Y.-l. Zhang, New signature-masked authentication schemes from the bilinear pairings, J. Electron. Inform. 30 (February (2)) (2008). [3] L. Yang, Analysis and improvement of signature-masked authentication scheme, Appl. Res. Comput. 28 (July (7)) (2011).

[4] W.-m. Shi, Efficient ID-based signature-masked authentication scheme, J. Huazhong Univ. Sci. Tech. (Nat. Sci. Ed.) 39 (October (10)) (2011). [5] M. Duˇsek, O. Haderka, M. Hendrych, et al., Quantum identification system, Phys. Rev. A 60 (1999) 149–156. [6] D. Ljunggren, M. Bourennane, A. Karlsson, Authority-based user authentication in quantum key distribution, Phys. Rev. A 62 (2000), 022305-1-7. [7] G.H. Zeng, W.P. Zhang, Identity verification in quantum key distribution, Phys. Rev. A 61 (2001), 022303-1-5. [8] M. Curty, D.J. Santos, Quantum authentication of classical messages, Phys. Rev. A 64 (2001), 062309-1-6. [9] T. Mihara, Quantum identification schemes with entanglements, Phys. Rev. A 65 (2002), 05236-1-4. [10] N.R. Zhou, G.H. Zeng, W.J. Zeng, et al., Cross-center quantum identification scheme based on teleportation and entanglement swapping, Opt. Commun. 254 (2005) 380–388. [11] H. Lee, J. Lim, H. Yang, Quantum direct communication with authentication, Phys. Rev. A 73 (2006) 042305. [12] Z.J. Zhang, J. Liu, D. Wang, S.H. Shi, Comment on quantum direct communication with authentication, Phys. Rev. A 75 (2007) 026301. [13] C.A. Yen, S.J. Horng, H.S. Goan, T.W. Kao, Y.H. Chou, Quantum direct communication with mutual authentication, Quantum. Inf. Comput. 9 (2009) 0376. [14] D. Liu, C. Pei, D. Quan, N. Zhao, A new quantum secure direct communication scheme with authentication, Chin. Phys. Lett. 27 (2010) 050306. [15] F. Gao, S.J. Qin, F.Z. Guo, Q.Y. Wen, Cryptanalysis of quantum secure direct communication and authentication scheme via Bell states, Chin. Phys. Lett. 28 (2011) 020303. [16] M. Naseri, An efficient protocol for quantum secure dialogue with authentication by using single photons, Int. J. Quantum Inf. 9 (2011) 1677. [17] J. Wang, Q. Zhang, C.J. Tang, Multiparty simultaneous quantum identity authentication based on entanglement swapping (2006) arXiv: quant-ph/0605006. [18] Y.G. Yang, Q.Y. Wen, X. Zhang, Multiparty simultaneous quantum identity authentication with secret sharing, Sci. China Ser. G: Phys. Mech. Astron. Mar. 51 (3) (2008) 321–327. [19] Y.-G. Yang, H.-Y. Wang, X. Jia, H. Zhang, A quantum protocol for (t,n)-threshold identity authentication based on Greenberger–Horne–Zeilinger states, Int. J. Theor. Phys (2012), http://dx.doi.org/10.1007/s10773-012-1356-7. [20] X.L. Zhang, One-way quantum identity authentication based on public key, Chin. Sci. Bull. 54 (2009) 2018–2021, http://dx.doi.org/10.1007/s11434-0090350-9. [21] J. Oppenheim, M. Horodecki, How to reuse a one-time pad and other notes on authentication, encryption, and protection of quantum information, Phys. Rev. A 72 (2005) 042309. [22] F.G. Deng, G.L. Long, X.S. Liu, Two-step quantum direct communication protocol using the Einstein–Podolsky–Rosen pair block, Phys. Rev. A 68 (2003) 042317. [23] A.K. Ekert, Quantum cryptography based on Bell theorem, Phys. Rev. Lett. 67 (1991) 661–664.