An Arbitrated Quantum Signature Scheme Based on W States

Abstract

Arbitrated quantum signature(AQS) is a cryptographic scenario. There are three participants in this scheme. Sender(signer) Alice generates the signature of a message. Receiver(verifier) Bob verifies the signature. A trusted arbitrator helps Bob verify the signature. In this paper, we propose an arbitrated quantum signature scheme with W states. The W states are used for quantum signature and verification. The W states have stronger robustness than the GHZ states in the loss of the quantum bits. Finally, we also discuss its security against forgery and disavowal.

1 Introduction

Quantum cryptography is new cross subject with the combination of classic cryptography and quantum information. It is a new type of cryptographic system that uses quantum effects to realize the information exchange of unconditional security. The ideology of quantum cryptography can be traced back to the earliest Wiesner Stephen article in 1983 [1]. Bennet et al. designed the first quantum cryptography scheme named BB84 [2]. Since then, quantum cryptography has developed rapidly. Quite a few branches of quantum cryptography have been pointed out, including quantum key distribution(QKD) [3,4,5,6,7], quantum secure direct communication(QSDC) [8,9,10,11], quantum secret sharing(QSS) [12,13,14,15] and so on.

The principle of quantum signature is a combination of quantum theory and the principle of digital signature. Gotteman et al. [16] and Buhrman et al. [17] proposed quantum digital signatures in 2001. Zeng and Keitel proposed and designed the first arbitration quantum signature scheme by using the classical signature and the entanglement of the Greenberger-Horne-Zeilinger(GHZ) triplet states [18]. Li et al. modified the signature of Zeng and Keitel by using Bell states instead of GHZ states, which is more efficient and more convenient [19]. Zou and Qiu proposed an AQS scheme with a public board which can avoid being disavowed for the integrality of the signature by Bob [20]. With the continuous development and application of the arbitration quantum signature, many practical quantum signature protocols have been put forward, such as quantum proxy signature [21, 22] ,quantum group signature [23, 24], quantum blind signature [25, 26], quantum multi signature [27, 28], etc.

In 2000, D\(\ddot{u}\)r et al. proposed a new entangled state, and found that the W states have stronger robustness than the GHZ states in the loss of the quantum bits [29]. In the case of the loss of particles, the W states can maintain the quantum entanglement properties well. In this paper, we propose an arbitrated quantum signature scheme based on W states with public board. And we also discuss its security against forgery and disavowal.

This paper is arranged as follows. In Sect. 2, we introduce the general principle we demand for this AQS scheme. In Sect. 3, we describe the basic scheme including an initial phase, a signing phase and a verifying phase. In Sect. 4, we make security analyses on the proposed scheme to show neither to be disavowed by the signatory nor to be deniable for the receiver. In Sect. 5, we give a brief conclusion.

2 Preliminaries

There are four Bell basis shown as below

$$\begin{aligned} {\begin{matrix} |\phi ^+\rangle =\frac{1}{\sqrt{2}}(|00\rangle +|11\rangle )\\ |\phi ^-\rangle =\frac{1}{\sqrt{2}}(|00\rangle -|11\rangle )\\ |\psi ^+\rangle =\frac{1}{\sqrt{2}}(|01\rangle +|10\rangle )\\ |\psi ^-\rangle =\frac{1}{\sqrt{2}}(|01\rangle -|10\rangle ) \end{matrix}} \end{aligned}$$

(1)

There are three participants in the protocol, the signer Alice, the receiver Bob and the arbitrator Trent. Alice need to sign the message \(|P\rangle \) with a appropriate signature \(|S\rangle \). We assume n qubits in the string, such that \(|P\rangle =(|p_1\rangle \),\(|p_2\rangle ,\cdot \cdot \cdot ,|p_n\rangle )\). Any qubit \(|p_i\rangle \) can be expressed as below

$$\begin{aligned} |p_i\rangle =\alpha _i|0\rangle +\beta _i|1\rangle \end{aligned}$$

(2)

where \(\alpha _i, \beta _i\) are complex numbers with \(|\alpha _i|^2+|\beta _i|^2=1\). And \(|P\rangle \) can be known or unknown. In advance, three participants share a three-particle W state

$$\begin{aligned} |\varphi \rangle _{ATB}=\frac{1}{2}(|000\rangle +|110\rangle +|101\rangle +|011\rangle )_{ATB} \end{aligned}$$

(3)

where the subscripts A correspond to Alice, T correspond to Trent and B correspond to Bob. Alice implements a Bell measurement on \(|p_i\rangle \) and the particle she owns in W state, the system is expressed as follows

$$\begin{aligned} \begin{aligned} |\Psi \rangle _{iATB}&=|p_i\rangle \otimes |\varphi \rangle _{ATB}\\ =&\frac{1}{2\sqrt{2}}\{|\phi ^+\rangle _A[\alpha _i(|00\rangle +|11\rangle )_{TB}+\beta _i(|10\rangle +|01\rangle )_{TB}]\\&+|\phi ^-\rangle _A[\alpha _i(|00\rangle +|11\rangle )_{TB}-\beta _i(|10\rangle +|01\rangle )_{TB}]\\&+|\psi ^+\rangle _A[\alpha _i(|10\rangle +|01\rangle )_{TB}+\beta _i(|00\rangle +|11\rangle )_{TB}]\\&+|\psi ^-\rangle _A[\alpha _i(|10\rangle +|01\rangle )_{TB}-\beta _i(|00\rangle +|11\rangle )_{TB}]\} \end{aligned} \end{aligned}$$

(4)

where \(|\phi ^+\rangle _A, |\phi ^-\rangle _A, |\psi ^+\rangle _A, |\psi ^-\rangle _A\) represent the Bell states in Eq. (1). At present, Trent uses \(\{|0\rangle ,|1\rangle \}\) in the basis to implement a single-measurement, and sends the outcomes to Bob. Then, Bob can apply a proper unitary operation to recover the message.

Suppose Alice’s measurement result is \(|\phi ^+\rangle _A\). After the Trent’s measurement, the particles of Trent and Bob collapse into the state as follows

$$\begin{aligned} |0\rangle _T(\alpha _i|0\rangle +\beta _i|1\rangle )_B+|1\rangle _T(\alpha _i|1\rangle +\beta _i|0\rangle )_B \end{aligned}$$

(5)

If Trent’s measurement result is \(|0\rangle \), Bob’s particle will be \(\alpha _i|0\rangle +\beta _i|1\rangle \). Bob can use local unitary operation I to recover the message \(|p_i\rangle \). If Trent’s measurement result is \(|1\rangle \), Bob’s particle will be \(\alpha _i|1\rangle +\beta _i|0\rangle \). Bob can use unitary operation \(\sigma _x\) to recover the message \(|p_i\rangle \), where

$$\begin{aligned} {\begin{matrix} I=|0\rangle \langle 0|+|1\rangle \langle 1|\\ \sigma _x=|0\rangle \langle 1|+|1\rangle \langle 0|\\ i\sigma _y=|0\rangle \langle 1|-|1\rangle \langle 0|\\ \sigma _z=|0\rangle \langle 0|-|1\rangle \langle 1| \end{matrix}} \end{aligned}$$

(6)

All possibilities of the scheme are shown in Table 1. \(|M_A\rangle \) means Alice’s measurement results in Table 1. \(|M_T\rangle \) means Trent’s measurement result. \(|\phi _B\rangle \) means Bob’s collapse state and \(U_B\) means the unitary operation which Bob needs to recover the Alice’s message.

Table 1. Relation between the local unitary operations and measurement results

3 Arbitrated Quantum Signature Based on W States

There are three participants in the protocol, the signer Alice, the receiver Bob and the arbitrator Trent. Trent is absolutely trusted by Alice and Bob. The two sides share classical keys with arbitrator respectively. The key is stored by the communication terminal, which can be used for a long time. We also use public board to avoid being disavowed by Bob. The presented scheme includes three phases, initializing phase, signing phase, and verifying phase.

3.1 Initializing Phase

 

Step I1.:

Alice shares the secret keys \(K_A\) with arbitrator Trent through the quantum key distribution [3,4,5,6,7], which were proved to be unconditionally secure [7, 30]. Similarly, Bob shares the secret keys \(K_B\) with Trent.

Step I2.:

Trent generates n W triplet states \(|\varphi \rangle _{ATB}=(|\varphi _1\rangle ,|\varphi _2\rangle ,\cdot \cdot \cdot ,|\varphi _n\rangle )\).\(|\varphi _i\rangle \) is the same as Eq.(3).

$$\begin{aligned} |\varphi _i\rangle _{ATB}=\frac{1}{2}(|000\rangle +|110\rangle +|101\rangle +|011\rangle )_{ATB} \end{aligned}$$

(7)

where the subscripts A, T and B correspond to Alice, Trent and Bob. Trent distributes corresponding particles to Alice and Bob.

Step S1.:

Alice need to sign a qubit string \(|P\rangle =(|p_1\rangle ,|p_2\rangle ,\cdot \cdot \cdot ,|p_n\rangle )\) related to the message with \(|p_i\rangle =\alpha _i|0\rangle +\beta _i|1\rangle \). Alice prepares three copies of \(|P\rangle \) necessarily. Then, Alice uses four unitary operators on the \(|P\rangle \) for local operation.

$$\begin{aligned} |P^\prime \rangle =\sigma |P\rangle =(\sigma _1|p_1\rangle ,\sigma _2|p_2\rangle ,\cdot \cdot \cdot ,\sigma _n|p_n\rangle ) \end{aligned}$$

(8)

where \(\sigma _i\in \{I,\sigma _x,i\sigma _y,\sigma _z\},i=1,2,\cdot \cdot \cdot ,n\). Here notice that \(|P^\prime \rangle \) return to the original states perfectly because of Hermitian conjugate operators of unitary operators, while measurement operations are not usually reversible.

Step S2.:

Alice transforms the qubit string \(|P^\prime \rangle \) into a secret qubit string \(|R_A\rangle \) in terms of the key \(K_A\).

$$\begin{aligned} |R_A\rangle =E_{K_A}|P^\prime \rangle \end{aligned}$$

(9)

For example, assume that the key \(K_A\) is related to a collection of unitary operators \(R_{K_A}=(R^1_{K^1_A},R^2_{K^2_A},\cdot \cdot \cdot ,R^n_{K^n_A})\). If \(R^i_{K^i_A}=0\), Alice applies the unitary operation \(\sigma _x\), namely, \(R^i_{K^i_A}=\sigma _x\). If \(R^i_{K^i_A}=1\), Alice applies the unitary operation \(\sigma _z\), namely, \(R^i_{K^i_A}=\sigma _z\). So \(|R_A\rangle =R_{K_A}(P)=(|r_1\rangle ,|r_2\rangle ,\cdot \cdot \cdot ,|r_n\rangle )\) with \(|r_i\rangle =M^i_{K^i_A}(p_i)\).

Step S3.:

Alice combines each secret message state \(|P^\prime \rangle \) and the W states. Then, she implements a Bell measurement on her particles. It shows in Eq.(4). And she can obtain \(|M_A\rangle =(|M^1_A\rangle ,|M^2_A\rangle ,\cdot \cdot \cdot ,|M^n_A\rangle )\), where \(|M^i_A\rangle \) represents one of the four Bell states in Eq.(1).

Step S4.:

Alice generates the signature \(|S^\prime \rangle =E_{K_A}(|M_A\rangle ,|R_A\rangle )\) of the message \(|P^\prime \rangle \) with the secret key \(K_A\) by using the quantum one-time pad algorithm.

Step S5.:

Alice transmits the signature \(|S^\prime \rangle \) and \(|P^\prime \rangle \) to Bob.

 

3.2 Verifying Phase

 

Step V1.:

Bob encrypts \(|S^\prime \rangle \) and \(|P^\prime \rangle \) with the secret key \(K_B\) and sends the resultant outcomes \(|Y_B\rangle =E_{K_B}(|S^\prime \rangle ,|P^\prime \rangle )\) to the arbitrator Trent.

Step V2.:

Trent decrypts with \(K_B\) and gets \(|S\prime \rangle \) and \(|P^\prime \rangle \). Then he decrypts \(|S^\prime \rangle \) with \(K_A\) and gets \(|M_A\rangle \) and \(|R_A\rangle \). Trent encrypts \(|P^\prime \rangle \) by using \(K_A\) and gets \(|R^\prime _A\rangle \). The operation is same as Alice in Step S2. Then Trent compares \(|R_A\rangle \) with \(|R^\prime _A\rangle \) through swap [17]. If \(R_A\rangle =|R^\prime _A\rangle \), Trent sets the verification parameter \(r=1\); otherwise, he sets \(r=0\).

Step V3.:

Trent implements a measurement in the basis \(\{|0\rangle ,|1\rangle \}\) and obtains \(|M_T\rangle =(|M^1_T\rangle ,|M^2_T\rangle ,\cdot \cdot \cdot ,|M^n_T\rangle )\). All possibilities of the measurement results are shown in Table 1.

Step V4.:

Trent sends the encrypted results \(|Y_T\rangle =E_{K_B}(|S^\prime \rangle ,|P^\prime \rangle ,|R^\prime _A\rangle ,|M_T\rangle ,r)\) to Bob.

Step V5.:

Bob decrypts \(|Y_T\rangle \) and gets \(|S^\prime \rangle ,|P^\prime \rangle ,|R^\prime _A\rangle ,|M_T\rangle \) and r. If \(r=0\), obviously the signature has been forged and Bob rejects it directly. If \(r=1\), Bob goes on the next step.

Step V6.:

Bob combines the \(|R^\prime _A\rangle \) and \(|M_T\rangle \) and implements the corresponding unitary operation according to Table 1. Bob obtains \(|P^\prime _B\). He makes comparisons between \(|P^\prime _B\rangle \) and \(|P^\prime \rangle \). This method is still swap [17]. If \(|P^\prime _B\rangle \ne |P^\prime \rangle \), Bob rejects the signature; otherwise he informs Alice by the public board to publish \(\sigma \), which Alice used in Eq.(8).

Step V7.:

Alice publishes \(\sigma \) by the public board.

Step V8.:

Bob gets back \(|P\rangle \) from \(|P^\prime \rangle \) and holds \(|S\rangle =(|S^\prime \rangle ,\sigma )\) as Alice’s signature for quantum message \(|P\rangle \).

 

The communications in this AQS scheme are described in Fig. 1.

Fig. 1.

The communications of the AQS scheme

4 Security Analysis and Discussion

A secure quantum signature scheme should satisfy two requirements: the signature should not be forged by the attacker(including the malicious receiver) and the signature should not be disavowed by the signatory and the receiver. We discuss security of the proposed AQS scheme to against the two attacks.

4.1 Impossibility of Forgery

If the attacker Eve tries to forge Alice’s signature \(|S^\prime \rangle =E_{K_A}(|M_A\rangle ,|R_A\rangle )\) for his own benefit, she has to know Alice’s secret keys \(K_A\). However, this is impossible due to the unconditionally security of quantum key distribution [7, 30]. Besides, the use of quantum one-time pad algorithm enhances the security. Subsequently the parameter r used in verifying phase will not pass the test.

In the worse situation, for instance, the secret key is exposed to attacker, attacker still cannot forge the signature, since she cannot create appropriate \(|M_A\rangle \) and \(|M_T\rangle \). Bob would find such forgery, because the further verification about \(|P^\prime _B\rangle =|P^\prime \rangle \) could not hold without the correct \(|M_A\rangle \) and \(|M_T\rangle \).

If the malicious receiver Bob wants to forge Alice’s signature \(|S^\prime \rangle =E_{K_A}(|M_A\rangle ,|R_A\rangle )\) for his own sake, he also should know Alice’s secret \(K_A\). It’s also impossible because of the unconditionally security of quantum key distribution.

4.2 Impossibility of Disavowal by Signatory and Receiver

Suppose that Alice disavows her signature for her own benefits. In this case, the arbitrator Trent can confirm that Alice has signed the message since Alice’s initial secret key \(k_A\) in the signature \(|S^\prime \rangle =E_{K_A}(|M_A\rangle ,|R_A\rangle )\). Thus Alice cannot deny signing the message\(|P\rangle \).

Similarly, suppose Bob repudiates the receipt of the signature. Then Trent also can confirm that Bob has received the signature since he needs the assistance of Trent to verify the signature. And if Bob wants to deny the signature by saying \(|P^\prime _B\rangle \ne |P^\prime \rangle \), he cannot get \(\sigma \) to recover the message \(|P\rangle \). This means that Bob cannot disavow the signature.

5 Conclusion

We have investigated an AQS based on W states in three phases, including initialing phased, signing phase and verifying phase. In the case of the loss of particles, the W states can maintain the quantum entanglement properties well. To avoid being disavowed by Bob, Bob has to ask Alice to publish the encryption key \(\sigma \) which means Bob has no chance to repudiate the signature.