Ownership by Science China Press; Copyright©2014 by Science China Press, Beijing, China and Springer-Verlag Heidelberg, Germany Submission of a manuscript implies: that the work described has not been published before (except in the form of an abstract or as part of a published lecture, review, or thesis); that it is not under consideration for publication elsewhere; that its publication has been approved by all co-authors, if any, as well as–tacitly or explicitly–by the responsible authorities at the institution where the work was carried out. The author warrants that his/her contribution is original and that he/she has full power to make this grant. The author signs for and accepts responsibility for releasing this material on behalf of any and all co-authors. Transfer of copyright to Science China Press and Springer becomes effective if and when the article is accepted for publication. After submission of the Copyright Transfer Statement signed by the corresponding author, changes of authorship or in the order of the authors listed will not be accepted by Science China Press and Springer. The copyright covers the exclusive right (for U.S. government employees: to the extent transferable) to reproduce and distribute the article, including reprints, translations, photographic reproductions, microform, electronic form (offline, online) or other reproductions of similar nature. An author may self-archive an author-created version of his/her article on his/her own website. He/she may also deposit this version on his/her institution’s and funder’s (funder designated) repository at the funder’s request or as a result of a legal obligation, including his/her final version, provided it is not made publicly available until after 12 months of official publication. He/she may not use the publisher’s PDF version which is posted on link.springer.com for the purpose of self-archiving or deposit. 
Furthermore, the author may only post his/her version provided acknowledgement is given to the original source of publication and a link is inserted to the published article on Springer’s website. The link must be accompanied by the following text: “The original publication is available at link.springer.com”. All articles published in this journal are protected by copyright, which covers the exclusive rights to reproduce and distribute the article (e.g., as offprints), as well as all translation rights. No material published in this journal may be reproduced photographically or stored on microfilm, in electronic data bases, video disks, etc., without first obtaining written permission from the publishers. The use of general descriptive names, trade names, trademarks, etc., in this publication, even if not specifically identified, does not imply that these names are not protected by the relevant laws and regulations. While the advice and information in this journal is believed to be true and accurate at the date of its going to press, neither the authors, the editors, nor the publishers can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein. Special regulations for photocopies in the USA: Photocopies may be made for personal or in-house use beyond the limitations stipulated under Section 107 or 108 of U.S. Copyright Law, provided a fee is paid. All fees should be paid to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA, Tel.: +1-978-7508400, Fax: +1-978-6468600, http://www.copyright.com, stating the ISSN of the journal, the volume, and the first and last page numbers of each article copied. The copyright owner’s consent does not include copying for general distribution, promotion, new works, or resale. In these cases, specific written permission must first be obtained from the publishers.

Abstracted/indexed in: SCI, EI, Aerospace & High Technology Database, Astrophysics Data System, Current Contents, Computer and Information Systems Abstracts, CSA Materials Research Database with METADEX, Google Scholar, Index to Scientific Reviews, INSPEC, Mathematical Reviews, Mechanical and Transportation Engineering Abstracts, Solid State and Superconductivity Abstracts, World Ceramics Abstracts, etc.

SCIENCE CHINA Physics, Mechanics & Astronomy

Vol. 57

No. 11

November 2014 (Monthly)

Supervised by Chinese Academy of Sciences
Sponsored by Chinese Academy of Sciences and National Natural Science Foundation of China
Published jointly by Science China Press and Springer

Subscriptions
China: Science China Press, 16 Donghuangchenggen North Street, Beijing 100717, China. Email: [email protected] Fax: 86-10-64016350
North and South America: Springer New York, Inc., Journal Fulfillment, P.O. Box 2485, Secaucus, NJ 07096 USA. Email: [email protected] Fax: 1-201-348-4505
Outside North and South America: Springer Distribution Center, Customer Service Journals, Haberstr. 7, 69126 Heidelberg, Germany. Email: [email protected] Fax: 49-6221-345-4229

Printed by Beijing Zhongke Printing Co., Ltd., Building 101, Songzhuang Industry Zone, Tongzhou District, Beijing 101118, China
Edited by Editorial Board of SCIENCE CHINA Physics, Mechanics & Astronomy, 16 Donghuangchenggen North Street, Beijing 100717, China
Editors-in-Chief: WANG DingSheng, ZHANG Jie

CN 11-5849/N Advertising business licence: Jingdong Gongshang Guangzi No. 0429

Postal distribution code: 80-212 Domestic price per issue: 138 yuan


SCIENCE CHINA Physics, Mechanics & Astronomy

Contents

Vol.57 No.11 November 2014

Progress of Projects Supported by NSFC

Letters

Condensed Matter Physics
Enhanced Raman scattering of graphene on Ag nanoislands ... HU Wei, HUANG ZhiYi, ZHOU YingHui, CAI WeiWei & KANG JunYong ... 2021

High-energy Physics
First dark matter search results from the PandaX-I experiment ... XIAO MengJiao, XIAO Xiang, ZHAO Li, CAO XiGuang, CHEN Xun, CHEN YunHua, CUI XiangYi, FANG DeQing, FU ChangBo, GIBONI Karl L., GONG HaoWei, GUO GuoDong, HU Jie, HUANG XingTao, JI XiangDong, JU YongLin, LEI SiAo, LI ShaoLi, LIN Qing, LIU HuaXuan, LIU JiangLai, LIU Xiang, LORENZON Wolfgang, MA YuGang, MAO YaJun, NI KaiXuan, PUSHKIN Kirill, REN XiangXiang, SCHUBNELL Michael, SHEN ManBing, STEPHENSON Scott, TAN AnDi, TARLÉ Greg, WANG HongWei, WANG JiMin, WANG Meng, WANG XuMing, WANG Zhou, WEI YueHuan, WU ShiYong, XIE PengWei, YOU YingHui, ZENG XiongHui, ZHANG Hua, ZHANG Tao, ZHU ZhongHua ... 2024

Articles

Theoretical Physics
Computable upper bounds for the adiabatic approximation errors ... YU BaoMin, CAO HuaiXin, GUO ZhiHua & WANG WenHua ... 2031

Optics
Parallel detection and quantitative analysis of specific binding of proteins by oblique-incidence reflectivity difference technique in label-free format ... DAI Jun, LI Lin, HE LiPing, RUAN KangCheng, LU HuiBin, JIN KuiJuan & YANG GuoZhen ... 2039
Spin-orbit hybrid entanglement quantum key distribution scheme ... ZHANG ChengXian, GUO BangHong, CHENG GuangMing, GUO JianJun & FAN RongHua ... 2043

Nuclear Physics
Prototype of a large neutron detector based on MWPC ... TIAN LiChao, QI HuiRong, SUN ZhiJia, WANG YanFeng, ZHANG Jian, LIU RongGuang, ZHAO YuBin, ZHANG HongYu, ZHAO DongXu, DONG Jing, XIE Wan, YANG GuiAn, OUYANG Qun & CHEN YuanBo ... 2049
Projected total energy surface description for axial shape asymmetry in 172W ... TU Ya, CHEN YongShou, GAO ZaoChun, YU ShaoYing & LIU Ling ... 2054
Influence of thermalization on the initial condition for heavy ion collisions ... ZHAO AMeng, SUN WeiMin & ZONG HongShi ... 2060

Cover

The PandaX collaboration reported the first physics results from their stage-I dark matter detector containing a large 120-kg xenon target. In recent years, several dark matter search experiments, such as the DAMA/LIBRA experiment in Italy, the CoGeNT and CDMS experiments in the US, and the German-led CRESST experiment, reported positive signals which could be interpreted as dark matter. The PandaX collaboration observed no dark matter signals in the first PandaX-I run. This places strong constraints on all previously reported dark matter-like signals from other similar types of experiments, and casts doubt on the interpretation of the positive signals in those experiments as dark matter. The paper published in this issue gives a detailed description of the first results of PandaX-I. Shown on the cover are the cables inside the PandaX-I detector that connect the photomultiplier tubes (PMTs), which catch the signals, to the data acquisition electronics (see the article by XIAO MengJiao et al. on page 2024).


Flow effects on jet energy loss with detailed balance ... CHENG Luan, LIU Jia & WANG EnKe ... 2070

Quantum Physics
Arbitrated quantum signature scheme based on reusable key ... YU ChaoHua, GUO GongDe & LIN Song ... 2079
SU(2) symmetry in a Hubbard model with spin-orbit coupling ... ZHANG XiZheng, JIN Liang & SONG Zhi ... 2086
Photonic phase transition in circuit quantum electrodynamics lattices coupled to superconducting phase qubits ... LIU YiMin, JIN WuYin & YOU JiaBin ... 2092
Entangler and analyzer for multiphoton Greenberger-Horne-Zeilinger states using weak nonlinearities ... DING Dong, YAN FengLi & GAO Ting ... 2098

Biophysics
Poisson-Fokker-Planck model for biomolecules translocation through nanopore driven by electroosmotic flow ... LIN XiaoHui, ZHANG ChiBin, GU Jun, JIANG ShuYun & YANG JueKuan ... 2104
Effects of oxaliplatin on DNA condensation ... JU HaiPeng, ZHANG HongYan, LI Wei & WANG PengYe ... 2114

Basic Mechanics
On the stability of the three classes of Newtonian three-body planar periodic orbits ... LI XiaoMing & LIAO ShiJun ... 2121
Wetting property of smooth and textured hydrophobic surfaces under condensation condition ... HAO PengFei, LV CunJing, YAO ZhaoHui & NIU FengLei ... 2127

Fluid Dynamics
Drag reduction in turbulent channel flow using bidirectional wavy Lorentz force ... HUANG LePing, CHOI KwingSo, FAN BaoChun & CHEN YaoHui ... 2133
Nonlinear interaction mechanisms of disturbances in supersonic flat-plate boundary layers ... YU Min & LUO JiSheng ... 2141

Physical Mechanics
Molecular kinetic theory of boundary slip on textured surfaces by molecular dynamics simulations ... WANG LiYa, WANG FengChao, YANG FuQian & WU HengAn ... 2152

Biomechanics
Effects of microcracks on the poroelastic behaviors of a single osteon ... WU XiaoGang, WANG YanQin, WU XiaoHong, CEN HaiPeng, GUO Yuan & CHEN WeiYi ... 2161

Galaxy and Cosmology
An efficient method to identify galaxy clusters by using SuperCOSMOS, 2MASS and WISE data ... XU WeiWei, WEN ZhongLue & HAN JinLin ... 2168

Letter

Fluid Dynamics
The effects of vortex breakdown on the static rolling aerodynamics of finned slender body ... XU KeZhe, ZHANG YuFei, CHEN HaiXin & FU Song ... 2174

SCIENCE CHINA Physics, Mechanics & Astronomy

Article

November 2014 Vol. 57 No. 11: 2079–2085 doi: 10.1007/s11433-014-5491-4

Arbitrated quantum signature scheme based on reusable key

YU ChaoHua^{1,2}, GUO GongDe^{1,2} & LIN Song^{1,2*}

1 School of Mathematics and Computer Science, Fujian Normal University, Fuzhou 350007, China;
2 Key Lab of Network Security and Cryptography, Fujian Normal University, Fuzhou 350007, China

Received February 20, 2014; accepted March 13, 2014; published online August 22, 2014

An arbitrated quantum signature scheme without using entangled states is proposed. In the scheme, by employing a classical hash function and random numbers, the secret keys of the signer and the receiver can be reused. It is shown that the proposed scheme is secure against several well-known attacks. Specifically, it can stand against the receiver’s disavowal attack. Moreover, compared with previous relevant arbitrated quantum signature schemes, the proposed scheme has the advantage of lower transmission complexity.

Keywords: arbitrated quantum signature, disavowal, reusable key

PACS number(s): 03.67.Dd, 03.65.Ta, 03.67.Hk

Citation: Yu C H, Guo G D, Lin S. Arbitrated quantum signature scheme based on reusable key. Sci China-Phys Mech Astron, 2014, 57: 2079–2085, doi: 10.1007/s11433-014-5491-4

As an analogue of the handwritten signature, the digital signature provides a means of verifying the sender of an electronic message. It has been widely employed in secure electronic commerce and has become a primitive of classical cryptography. However, most classical digital signature schemes are based on public-key cryptography, where the security relies on the complexity of computation and might be significantly weakened by some quantum algorithms [1,2]. Fortunately, this problem can be solved by quantum cryptography, which can provide theoretically unconditional security based on the fundamental principles of quantum mechanics. In quantum cryptography, some security tasks which are difficult or impossible in classical cryptography have been solved, such as quantum key distribution [3–9], quantum secret sharing [10–13] and quantum direct communication [14–30]. Stimulated by these, researchers have studied signature schemes based on quantum mechanics for unconditional security. In recent years, various quantum protocols for signing classical messages have been proposed and analyzed [31–36]. These achievements have allowed researchers to design

*Corresponding author (email: [email protected])

© Science China Press and Springer-Verlag Berlin Heidelberg 2014

signature schemes for signing quantum messages. However, Barnum et al. [37] have suggested that it is not possible to sign quantum messages with only two parties. To overcome this obstacle, the concept of arbitrated quantum signature (AQS), where the receiver can verify the validity of the signature with the help of an arbitrator, has been put forward and has received considerable attention in recent years [38–49]. Zeng and Keitel [38] proposed the first AQS scheme, the security of which is ensured by the correlation of Greenberger-Horne-Zeilinger (GHZ) states and the quantum one-time pad (QOTP) encryption [50]. Later, Li et al. [41] presented a more efficient AQS scheme by replacing the GHZ states with Bell states. In general, a secure AQS scheme should satisfy two conditions: first, the signature should not be forgeable by an attacker (including the receiver), and second, neither the signer nor the receiver can disavow the signature [38,41,42]. However, Zou and Qiu [42] showed that both of the schemes above were insecure because they could be repudiated by the receiver, and further proposed two AQS schemes to solve the problem. But Hwang et al. [47] showed that the same security problem might exist in the schemes of Zou and Qiu. Some other security problems and improvements on AQS were also presented in refs. [45,46,48,49].

Yu C H, et al.   Sci China-Phys Mech Astron

In this paper, we further discuss the security problem of the receiver’s disavowal attack [42,47] and show that it can be solved if the receiver does not perform a further verification after the arbitrator verifies the validity of a signature. Moreover, we find that a classical one-way hash function and a random number can make the signer’s secret key reusable for signing multiple quantum messages. Based on these two ideas, we design a secure AQS scheme with a reusable key, in which no entangled states are utilized. The security analysis shows that our scheme is secure in theory because it satisfies the two basic security requirements mentioned above. Furthermore, it is also shown that the proposed scheme can overcome the other security problems [43,45,46]. Compared with the previous AQS schemes [38,41,42], our scheme achieves a higher transmission efficiency since fewer qubits are transmitted.

1 Security problems on the previous AQS schemes

In this section, we primarily discuss two security problems in the previous AQS schemes: (1) all the previous AQS schemes are susceptible to the receiver’s disavowal attack; (2) the keys shared between the signer (the receiver) and the arbitrator cannot be reused. Furthermore, some potential solutions are also provided.

Although the typical AQS schemes [38,41,42] utilized different types of states, they can be reduced to a basic model with three transmissions (or procedures):

(T1). The signer Alice transfers two copies of the message $|P\rangle$ (to distinguish between them, we denote them by $|P_1\rangle$ and $|P_2\rangle$) and the corresponding signature $|S\rangle = E_{K_{AT}}(|P\rangle)$ to the receiver Bob, where $K_{AT}$ is the key shared between Alice and the arbitrator Trent and $E_{K_{AT}}$ is the quantum one-time pad (QOTP) algorithm [50].

(T2). Bob transmits the message-signature pair $(|P_1\rangle, |S\rangle)$ to Trent and retains the other copy of the message, $|P_2\rangle$, in his hand.

(T3). Trent verifies the validity of the signature $|S\rangle$ by unknown state comparison [42], and after that he returns the message-signature pair $(|P_1\rangle, |S\rangle)$ and the corresponding verification result to Bob. If the result is negative, Bob denies the signature $|S\rangle$. Otherwise, he further verifies whether $|P_1\rangle = |P_2\rangle$. If it is not, he denies the signature; otherwise he accepts it.

• All the previous AQS schemes are susceptible to the receiver’s disavowal attack

Zou and Qiu [42] showed that two typical AQS schemes are not secure because Trent cannot arbitrate the dispute between Alice and Bob when Bob repudiates the integrity of a signature in transmission (T3). That is, when Bob claims $|P_1\rangle \neq |P_2\rangle$ in transmission (T3), Trent faces a dilemma: he cannot judge which one of the following cases has happened: (1) Bob told a falsehood; (2) Alice sent two different messages in transmission (T1); (3) an eavesdropper, Eve, disturbed the communication. Thus, Bob can actively repudiate the received signature without being detected. By using a public board, they constructed two AQS schemes to solve the problem. However, Hwang et al. [47] pointed out that the same security problem still exists in their AQS schemes.

We observe that the reason why this repudiation by Bob works in the previous AQS schemes is that, after Trent verifies the validity of the signature $|S\rangle$, he needs to return the message-signature pair and the verification result to Bob so that Bob can do a further verification (that is transmission (T3)). Then, if Bob claims an unfair verification, Trent is always faced with the same dilemma as above. To avoid it, Bob should not do a further verification after Trent verifies the validity of the signature. In fact, what Bob needs Trent to do is only to help him verify the validity of the signature and tell him the result. From this viewpoint, if Bob has two identical message-signature pairs and sends one of them to Trent for verification, Trent only needs to announce the verification result publicly, without returning the message-signature pair to Bob for a further verification. This implies that the problem of repudiation by the receiver is solved naturally.

• Keys shared between the signer (the receiver) and the arbitrator cannot be reused

Since all the previous AQS schemes employ a QOTP algorithm [50] to generate the signature, Alice’s secret key should not be reused to sign multiple messages, for security reasons. If Bob owns a number of message-signature pairs previously signed by Alice with the same secret key $K_{AT}$, Bob can probably deduce the exact encryption operation on every qubit of the signature through multiple unknown state comparisons, which indicates that a certain amount of information about Alice’s secret key can leak to Bob. The more pairs he owns, the more information he can reveal.

A direct solution is that Alice shares a fresh key via QKD with Trent each time she wants to sign a quantum message. However, this is not practical and would greatly reduce the efficiency of the AQS scheme. In order to overcome this problem, we employ a classical one-way hash function $H(x)$ to produce different session keys that are used for signing different quantum messages. That is, every time Alice starts to sign a quantum message, she chooses a random number $r_A$ and computes the session key $K'_{AT} = H(K_{AT} \| r_A)$, where $K_{AT}$ is her secret key shared with Trent via a secure QKD protocol and $\|$ denotes the concatenation operation. In this way, each signature Bob receives from Alice is encrypted with a different session key $K'_{AT}$, and $K_{AT}$ can be reused. Similarly, Bob can also produce his session key $K'_{BT} = H(K_{BT} \| r_B)$ so that his secret key $K_{BT}$ is reusable. We will further discuss the security of $K'_{AT}$ and $K'_{BT}$ in sect. 3.2.

2 Our AQS scheme based on reusable key

Based on the conclusions of the last section and the other security analyses on AQS [43–46], we intend to design a secure AQS scheme with a reusable key. Like the second AQS scheme of ref. [42], the scheme suggested herein does not use entangled states. Before giving the details of our scheme, it is necessary to introduce the QOTP algorithm [50] and the rotation encryption algorithm [42], both of which use classical key bits to encrypt a quantum message and play important roles in AQS.

Suppose a quantum message $|P\rangle = \bigotimes_{i=1}^{n} |P_i\rangle$ is composed of $n$ qubits $|P_i\rangle = \alpha_i|0\rangle + \beta_i|1\rangle$, and the key is $K \in \{0,1\}^{2n}$. The QOTP encryption $E_K$ on the quantum message can be described as

$$E_K(|P\rangle) = \bigotimes_{i=1}^{n} U_{K_{2i-1}K_{2i}} |P_i\rangle, \qquad (1)$$

where $K_j$ is the $j$th bit of $K$, and the unitary operations $\{U_{K_{2i-1}K_{2i}}\}$ comprise an orthonormal basis in a canonical inner product space, namely $\mathrm{Tr}(U_{jk}^{\dagger} U_{lm}) = \delta_{jk,lm}$ ($jk, lm \in \{00, 01, 10, 11\}$). Similarly, the rotation encryption $M_K$ can be written as

$$M_K(|P\rangle) = \bigotimes_{i=1}^{n} U_{K_i (K_i \oplus 1)} |P_i\rangle. \qquad (2)$$

In the previous AQS schemes, the encryption operations are Pauli matrices, namely $U_{00} = I$, $U_{01} = \sigma_x$, $U_{10} = \sigma_z$, $U_{11} = -i\sigma_y$. However, this one-time pad cannot resist existential forgery [43,44]. Although an improved QOTP is given in ref. [44], it still cannot prevent the forgery [48,49]. Fortunately, Zhang et al. [49] have suggested two effective encryption algorithms to resist it. In this paper, we employ the first one (called “Key-Controlled-’I’ QOTP” [49]), which is of the form

$$E_K(|P\rangle) = \bigotimes_{i=1}^{n} \sigma_x^{K_{2i}} \sigma_z^{K_{2i-1}} W_{K_i K_{2n-i+1}} |P_i\rangle, \qquad (3)$$

where $W_{00}, W_{01}, W_{10}, W_{11}$ are four Clifford operators generally described as

$$W_{00} = \frac{1}{\sqrt{2}}(\sigma_x + \sigma_z), \quad W_{01} = \frac{1}{\sqrt{2}}(\sigma_y + \sigma_z), \quad W_{10} = \frac{1}{2}(I + i\sigma_x - i\sigma_y + i\sigma_z), \quad W_{11} = \frac{1}{2}(I + i\sigma_x + i\sigma_y + i\sigma_z). \qquad (4)$$

Just as in the previous AQS schemes, our scheme also involves three participants: the signer Alice, the receiver Bob and the arbitrator Trent, and includes three phases: the initializing phase, the signing phase and the verifying phase.

2.1 Initializing phase

(I1). Trent shares the secret keys $K_{AT}$ and $K_{BT}$ with Alice and Bob respectively via a secure QKD protocol [3]. In the same way, Alice and Bob share the secret key $K_{AB}$.

(I2). Alice, Bob and Trent agree on a one-way hash function $H(x): \{0,1\}^* \to \{0,1\}^m$, such as the MD5 algorithm. The identities of Alice and Bob are denoted by $ID_A$ and $ID_B$ respectively.

2.2 Signing phase

(S1). Alice prepares four copies of an unknown quantum message with $n$ qubits, $|P\rangle = \bigotimes_{i=1}^{n} |P_i\rangle$, where $|P_i\rangle = \alpha_i|0\rangle + \beta_i|1\rangle$.

(S2). Alice chooses a random number $r_A \in \{0,1\}^*$, and then obtains the session key $K'_{AT} = H(K_{AT} \| r_A)$. The length of $K'_{AT}$ can be adjusted to satisfy the actual needs by setting $r_A = r_A + 1$.

(S3). Alice transforms the classical messages $ID_A$, $ID_B$, the timestamp $T$, and $r_A$ into the quantum messages $|ID_A\rangle$, $|ID_B\rangle$, $|T\rangle$, $|r_A\rangle$ in the basis $B_Z = \{|0\rangle, |1\rangle\}$; their combination is denoted as $|m_A\rangle = |ID_A\rangle \otimes |ID_B\rangle \otimes |T\rangle \otimes |r_A\rangle$. That is, the classical bit 0 (or 1) is transformed into a qubit in the state $|0\rangle$ (or $|1\rangle$). Several copies of these quantum messages can be prepared to satisfy the actual needs.

(S4). Alice generates two copies of the signature $|S\rangle = E_{K'_{AT}}(|P\rangle \otimes |ID_A\rangle \otimes |ID_B\rangle \otimes |T\rangle)$ by encrypting two copies of $|P\rangle$. Now she has two identical message-signature pairs $(|P\rangle, |S\rangle)$.

(S5). She rotates one message-signature pair into a secret message $|R_{AB}\rangle = M_{K_{AB}}(|P\rangle \otimes |S\rangle)$.

(S6). Alice encrypts $|P\rangle$, $|S\rangle$ and $|R_{AB}\rangle$ with $K_{AB}$ and obtains $|Y_A\rangle = E_{K_{AB}}(|P\rangle \otimes |S\rangle \otimes |R_{AB}\rangle) \otimes |m_A\rangle$. Then she transmits $|Y_A\rangle$ to Bob.

2.3 Verifying phase

(V1). After receiving $|Y_A\rangle$ from Alice, Bob first decrypts $E_{K_{AB}}(|P\rangle \otimes |S\rangle \otimes |R_{AB}\rangle)$ with $K_{AB}$ and obtains $|P\rangle$, $|S\rangle$ and $|R_{AB}\rangle$. Then he further decrypts $|R_{AB}\rangle$ with $K_{AB}$ and finally gets two message-signature pairs and $|m_A\rangle$.

(V2). Bob verifies whether the two message-signature pairs are the same by the unknown state probabilistic comparison [42]. If they are not, he denies the signature. Otherwise, he continues to the next step.

(V3). Bob chooses a random number $r_B \in \{0,1\}^*$, and then obtains the session key $K'_{BT} = H(K_{BT} \| r_B)$. The length of $K'_{BT}$ can be adjusted to satisfy the actual needs by setting $r_B = r_B + 1$.

(V4). Bob prepares two copies of $|m_A\rangle$ (note that $|m_A\rangle$ is a classical message in essence and any number of copies can be prepared). Then he generates $|r_B\rangle$ and appends it to one copy of $|m_A\rangle$ (saving the other copy), and gets $|m_B\rangle = |m_A\rangle \otimes |r_B\rangle$.

(V5). Bob computes $|Y_B\rangle = E_{K'_{BT}}(|P\rangle \otimes |S\rangle) \otimes |m_B\rangle$ and transmits it to Trent, but saves the other copy of $(|P\rangle, |S\rangle, |m_A\rangle)$.

(V6). After receiving $|Y_B\rangle$ from Bob, Trent extracts the classical information ($ID_A$, $ID_B$, $T$, $r_A$ and $r_B$) by performing projective measurements on $|m_B\rangle$ in the basis $B_Z$. Then he can obtain $K'_{BT}$ and $K'_{AT}$ by simple calculation.

(V7). Trent obtains $|P\rangle$ and $|S\rangle$ by decrypting $|Y_B\rangle$ with the key $K'_{BT}$, and further obtains $|P'\rangle$, $|ID'_A\rangle$, $|ID'_B\rangle$ and $|T'\rangle$ by decrypting $|S\rangle$ with the key $K'_{AT}$. Then he verifies whether $|P'\rangle = |P\rangle$ (by unknown state comparison [42]), $ID'_A = ID_A$, $ID'_B = ID_B$ and $T' = T$. If the answer is positive, he believes the signature is valid and sets the verification parameter $V = 1$; otherwise, he sets $V = 0$. If $V = 1$, he saves $ID_A$, $ID_B$, $r_A$, $r_B$ and $T$ to his database to record this successful signature.

(V8). Trent destroys the particles of the message and signature, and announces $V$ publicly.

(V9). If $V = 1$, Bob retains $(|P\rangle, |S\rangle, |m_A\rangle)$ as the valid signature.

The whole procedure of the AQS scheme is illustrated in Figure 1.
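As an added example (not code from the paper), the following Python simulates the qubit-level core of the scheme described in sects. 1 and 2: the session-key derivation $K' = H(K \| r)$ with MD5 as named in (I2), the Key-Controlled-’I’ QOTP of eqs. (3) and (4) acting qubit by qubit on a product state, and Trent’s re-derivation of both session keys and his comparison in (V6)–(V7), including the failure case of a signer who does not hold $K_{AT}$. Assumptions: the phrase “setting $r_A = r_A + 1$” in (S2) is read as incrementing a counter to stretch the hash output, $r$ is encoded as 8 big-endian bytes, the sample secrets, identities and message qubits are constructed, and the $K_{AB}$ layer, the rotation $M_K$ and the probabilistic state comparison are left out.

```python
"""Qubit-level simulation of the scheme's core: the Key-Controlled-'I' QOTP of
eq. (3)/(4), session keys K' = H(K || r) and Trent's check in (V6)-(V7)."""
import hashlib
import math

# 2x2 complex matrices as nested tuples; single-qubit states as 2-tuples.
I2, SX, SY, SZ = ((1, 0), (0, 1)), ((0, 1), (1, 0)), ((0, -1j), (1j, 0)), ((1, 0), (0, -1))

def mat_mul(a, b):
    return tuple(tuple(sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)) for i in range(2))

def mat_vec(a, v):
    return tuple(sum(a[i][k] * v[k] for k in range(2)) for i in range(2))

def dagger(a):
    """Conjugate transpose, i.e. the inverse of a unitary operator."""
    return tuple(tuple(a[j][i].conjugate() for j in range(2)) for i in range(2))

def lin(*terms):
    return tuple(tuple(sum(c * m[i][j] for c, m in terms) for j in range(2)) for i in range(2))

# The four Clifford operators of eq. (4), built as linear combinations of Paulis.
S2 = 1 / math.sqrt(2)
W = {(0, 0): lin((S2, SX), (S2, SZ)),
     (0, 1): lin((S2, SY), (S2, SZ)),
     (1, 0): lin((0.5, I2), (0.5j, SX), (-0.5j, SY), (0.5j, SZ)),
     (1, 1): lin((0.5, I2), (0.5j, SX), (0.5j, SY), (0.5j, SZ))}

def qubit_op(key, i, n):
    """sigma_x^{K_2i} sigma_z^{K_2i-1} W_{K_i K_2n-i+1} of eq. (3) for qubit i (1-indexed)."""
    k = lambda j: key[j - 1]  # 1-indexed bit access as in the paper; key has 2n bits
    u = W[(k(i), k(2 * n - i + 1))]
    u = mat_mul(SZ, u) if k(2 * i - 1) else u
    return mat_mul(SX, u) if k(2 * i) else u

def encrypt(key, qubits):
    """E_K over a product state (one 2-tuple per qubit); needs exactly 2n key bits."""
    n = len(qubits)
    if len(key) != 2 * n:
        raise ValueError("QOTP needs exactly 2n key bits for n qubits")
    return [mat_vec(qubit_op(key, i + 1, n), q) for i, q in enumerate(qubits)]

def decrypt(key, qubits):
    return [mat_vec(dagger(qubit_op(key, i + 1, len(qubits))), q) for i, q in enumerate(qubits)]

def fidelity(a, b):
    """|<a|b>|^2 for normalized states: 1 exactly when a and b agree up to a phase."""
    return abs(sum(x.conjugate() * y for x, y in zip(a, b))) ** 2

def session_key(secret, r, nbits):
    """K' = H(K || r) with H = MD5 as named in (I2). When more than m bits are needed, r is
    incremented and H applied again (our reading of (S2)); r as 8 big-endian bytes is assumed."""
    bits, counter = "", r
    while len(bits) < nbits:
        digest = hashlib.md5(secret + counter.to_bytes(8, "big")).digest()
        bits += "".join(f"{b:08b}" for b in digest)
        counter += 1
    return [int(c) for c in bits[:nbits]]

def bits_to_qubits(bits):
    """(S3): classical bit 0 -> |0>, 1 -> |1>."""
    return [(1, 0) if b == 0 else (0, 1) for b in bits]

def measure_z(q):
    """Z-basis readout of a qubit expected to be |0> or |1>; None if it is a superposition."""
    return 0 if abs(q[0]) > 1 - 1e-9 else 1 if abs(q[1]) > 1 - 1e-9 else None

def sign(k_at, r_a, message, id_a, id_b, t):
    """(S2)+(S4): |S> = E_{K'_AT}(|P> x |ID_A> x |ID_B> x |T>)."""
    plain = message + bits_to_qubits(id_a + id_b + t)
    return encrypt(session_key(k_at, r_a, 2 * len(plain)), plain)

def bob_forward(k_bt, r_b, message, signature):
    """(V3)+(V5): Bob wraps (|P>, |S>) under his own session key K'_BT for Trent."""
    payload = message + signature
    return encrypt(session_key(k_bt, r_b, 2 * len(payload)), payload)

def trent_verify(k_at, r_a, k_bt, r_b, y_b, n, id_a, id_b, t):
    """(V6)+(V7): Trent re-derives K'_BT and K'_AT from the classical r_B, r_A and his shared
    secrets, peels off Bob's layer, opens |S> and compares |P'> with |P> and ID_A, ID_B, T."""
    inner = decrypt(session_key(k_bt, r_b, 2 * len(y_b)), y_b)
    p_recv, s_recv = inner[:n], inner[n:]
    opened = decrypt(session_key(k_at, r_a, 2 * len(s_recv)), s_recv)
    p_prime, classical = opened[:n], opened[n:]
    same_state = all(fidelity(a, b) > 1 - 1e-9 for a, b in zip(p_prime, p_recv))
    same_ids = [measure_z(q) for q in classical] == id_a + id_b + t
    return 1 if same_state and same_ids else 0

# Constructed sample run: a six-qubit message |P>, 4-bit identities and timestamp.
K_AT, K_BT = b"alice-trent-secret-constructed", b"bob-trent-secret-constructed"
ID_A, ID_B, T = [0, 1, 1, 0], [1, 0, 0, 1], [1, 1, 0, 1]
MESSAGE = [(math.cos(0.1 * j), math.sin(0.1 * j) * complex(math.cos(0.7 * j), math.sin(0.7 * j)))
           for j in range(1, 7)]

def run(signing_secret):
    """One (S4)->(V5)->(V7) round; honest Alice signs with K_AT, a forger does not have it."""
    s = sign(signing_secret, 5, MESSAGE, ID_A, ID_B, T)
    y_b = bob_forward(K_BT, 9, MESSAGE, s)
    return trent_verify(K_AT, 5, K_BT, 9, y_b, len(MESSAGE), ID_A, ID_B, T)
```

`run(K_AT)` yields $V = 1$, while `run(b"eve-guess")` yields $V = 0$: the message qubits decrypted under Alice’s session key no longer match $|P\rangle$ and the identity qubits are left in superpositions, which is the check of (V7) failing.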

3 Security analysis on our AQS scheme

A secure AQS scheme should satisfy two requirements: one is that the signature should not be forgeable by an attacker (including the receiver), and the other is that neither the signer nor the receiver can disavow the signature [38,41,42]. In this section, we show that the scheme is secure by demonstrating that it satisfies these two requirements. Some other specific attacks [42–47] are also analyzed.

3.1 Forgery by an outside attacker

If an outside attacker, Eve, wants to forge the signature $|S\rangle = E_{K'_{AT}}(|P\rangle \otimes |ID_A\rangle \otimes |ID_B\rangle \otimes |T\rangle)$, she has to know Alice’s session key $K'_{AT} = H(K_{AT} \| r_A)$, which is determined by the value of $K_{AT}$ and the random number $r_A$. However, although the hash function $H(x)$ and $r_A$ are known, she cannot generate $K'_{AT}$, because she does not know the value of $K_{AT}$, which is shared between Alice and Trent by the unconditionally secure QKD scheme [3]. Moreover, because of the employment of the improved quantum encryption algorithm “Key-Controlled-’I’ QOTP” [49], Eve cannot carry out an existential forgery [43]. Hence, it is impossible for Eve to forge Alice’s signature.

3.2 Forgery by the receiver

As a participant in the scheme, the receiver, Bob, might be more powerful than Eve in forging Alice’s signature. If he tries to forge the signature $|S\rangle$, just as Eve, he still has to determine the session key $K'_{AT}$. However, he cannot generate $K'_{AT}$ either, because $K_{AT}$ is still unknown to him. Meanwhile, the improved encryption also prevents Bob from existential forgery [49].


Figure 1 Communications of the AQS scheme.

We should note that, evenN if Bob owns N a message-signature N ′ (|Pi pair (|Pi,|S i = E KAT |IDA i |IDB i |T i)) after singing a message successfully, he cannot obtain the value of ′ KAT because: (1) the fundamental principles of quantum mechanics, such as no-cloning and measurement uncertainty, do not permit Bob to deduce the exact encryption operations in signature |S i; (2) the employed sixteen encryption operations mentioned in sect. 2 cannot be discriminated conclusively according to the analysis of sect. 3.5. Moreover, unknown hash ′ value KAT also implies we do not require the used hash function H(x) to be collision-free. Therefore, the security of our scheme depends on the fundamental principles of quantum mechanics, instead of the security of hash function. In realistic conditions, with respective to the security of ′ ′ KAT (or KBT ), there are two other points should be noted. First, the length of KAT (or KBT ) should be set greater than m, given the employed hash function H(x) : {0, 1}∗ → {0, 1}m . That is because, if the length of KAT (or KBT ) is less than m, ′ the number of distinct values of KAT = H(KAT k rA ) is at |KAT | m most 2 < 2 so that the secret key rate is roughly |KmAT | less than 1, where |KAT | is the length of KAT . Second, KAT (or KBT ) should be shared again once the number of failures in verification phase is greater than a predetermined number Cmax . The concrete value of Cmax depends on various factors, such as the amount of signed messages and the expected security level. 3.3 Repudiation by the signer If Alice Bob disagree with each other, the arbitrator Trent trusted by both of them should be required to make a judgment. Suppose Alice repudiates her signature, Bob will hand over the quantum N message N|Pi, theNcorresponding signature ′ (|Pi |S i = E KAT |IDA i |IDB i |T i) and |mA i to Trent. Then Trent can easily detect Alice’s cheat by executing step ′ (V7), because KAT contains Alice’s information KAT . 
It is shown that our scheme can also resist some specific disavowal attacks by Alice proposed in refs. [43,45]:

• Alice's disavowal attack. Gao et al. [43] noted that, in the typical AQS schemes [38,41,42], Alice can repudiate her signature by modifying the signature when Trent returns the message-signature pair to Bob (that is, in the transmission (T3) of sect. 1), because the signature is then useless for Bob's further verification. However, this attack is clearly avoided in our scheme, because Trent does not need to return any message-signature pair to Bob, and Alice has no chance to do that.

• Fake-photon attack. Sun et al. [45] noted that, in the previous AQS schemes [38,41,42], because of the use of the QOTP, the signer Alice can always acquire the receiver Bob's secret key (that is, $K_{BT}$) by sending fake photons to Bob, and thus can successfully disavow any of her signatures signed before. In our scheme, Alice may also attempt this attack in order to obtain Bob's session key $K'_{BT}$. Alice could beforehand prepare $2n$ Bell states $|\phi\rangle_{ht} = (|00\rangle + |11\rangle)/\sqrt{2}$, and in step (S6), she transmits the quantum message $|Y'_A\rangle = E_{K_{AB}}(|t\rangle \otimes |R_{AB}\rangle) \otimes |m_A\rangle$ instead of $|Y_A\rangle = E_{K_{AB}}(|P\rangle \otimes |S\rangle \otimes |R_{AB}\rangle) \otimes |m_A\rangle$ to Bob, where $|t\rangle$ represents the state of the $2n$ particles labeled $t$ in the states $|\phi\rangle$. Then she intercepts $|Y'_B\rangle = E_{K'_{BT}}(|t\rangle)$ in step (V5) and performs collective measurements on the particles $t$ and the particles $h$ to infer the encryption operators. However, she cannot achieve this because: (1) in step (V2), Bob will compare the state $|t\rangle$ with $|P\rangle \otimes |S\rangle$ and find that they are unequal; (2) according to the analysis of sect. 3.5, the sixteen encryption operations cannot be discriminated conclusively, so that Alice cannot acquire the session key $K'_{BT}$ even if she could pass Bob's verification in step (V2). Hence, our scheme is secure against this attack.

3.4 Repudiation by the receiver

In our scheme, after Trent verifies the validity of the signature, he does not return the message or the signature to Bob. Consequently, just as analyzed in sect. 1, once the signature passes the verification at Trent's site, Bob cannot repudiate his receipt of the signature, because his secret key $K_{BT}$ is contained in $|Y_B\rangle$.
Therefore, the problem that Bob can repudiate his receipt of the signature sent from Trent [42,47] is solved in our scheme. In fact, our scheme can also resist another kind of receiver's disavowal attack, proposed in ref. [46]. Let us discuss this case below.

• Signature-exchange attack. Li et al. [46] noted that, in the previous AQS schemes [38,41,42], different receivers could exchange their messages and the corresponding signatures arbitrarily, and thus could repudiate accepting signatures for the appointed messages. Suppose both Bob and Charlie ask Alice to sign the quantum messages $|P_B\rangle$ and $|P_C\rangle$, respectively. In step (V4), Bob and Charlie hold the two copies $(|P_B\rangle, |S_B\rangle = E_{K^B_{AT}}(|P_B\rangle \otimes |ID_A\rangle \otimes |ID_B\rangle \otimes |T\rangle))$ and $(|P_C\rangle, |S_C\rangle = E_{K^C_{AT}}(|P_C\rangle \otimes |ID_A\rangle \otimes |ID_C\rangle \otimes |T_C\rangle))$, respectively, where $K^B_{AT} = H(K_{AT} \| r^B_A)$ and $K^C_{AT} = H(K_{AT} \| r^C_A)$. Then they trade their quantum messages. Bob will transmit $E_{K'_{BT}}(|P_C\rangle \otimes |S_C\rangle) \otimes |ID_A\rangle \otimes |ID_B\rangle \otimes |T_C\rangle \otimes |r^C_A\rangle \otimes |r_B\rangle$ to Trent for verification. However, in step (V7), after Trent decrypts the signature $|S_C\rangle$, he will find that the obtained $ID_C \neq ID_B$ and announce a failed signature. Therefore, our scheme is secure against this attack.

3.5 Trojan-horse attacks

Trojan-horse attacks, which take advantage of the imperfections of practical quantum apparatus, are among the common attacks in quantum communications. They are believed to be a serious security threat to previous AQS schemes [47]. Generally, there are two types of Trojan-horse attacks: invisible photon eavesdropping (IPE) [51] and delay photon eavesdropping [52]. In a quantum protocol, if the same quantum signals are transmitted twice, it could suffer from Trojan-horse attacks. To prevent them, it is necessary to introduce two additional devices, a wavelength filter and a photon number splitter (PNS), into the protocol [47]. By letting the received photons pass through both devices, photons with different wavelengths or delayed photons will be removed or detected.

In our protocol, the quantum states $|P\rangle \otimes |S\rangle$ in $|Y_A\rangle$ are transmitted twice (in step (S6) and step (V5)), thus it is probable that a malicious Alice applies Trojan-horse attacks to eavesdrop on Bob's session key $K'_{BT}$. Let us take the IPE attack for example. In step (S6), Alice prepares two entangled systems $|\varphi\rangle_{ht}$ made of invisible photons, and only inserts the photons of system $t$ into the states $|P\rangle \otimes |S\rangle$; she then intercepts $|Y_B\rangle$ in step (V5) and performs collective measurements on system $t$ together with system $h$ to reveal Bob's encryption operations. However, in the following it will be shown that she cannot achieve this, because she cannot discriminate the encryption operations unambiguously.

From Theorem 1 in ref. [53], we know that the quantum operations $\xi_1, \cdots, \xi_n$ can be unambiguously discriminated by a single use if and only if, for any $i = 1, \cdots, n$, $\mathrm{supp}(\xi_i) \not\subseteq \mathrm{supp}(S_i)$, where $\mathrm{supp}(A)$ represents the support of the operator $A$ and $S_i = \{\xi_j : j \neq i\}$. In our scheme, according to sect. 2, there are sixteen encryption operations $\{\xi_{t_1 t_2 t_3 t_4} = \sigma_x^{t_1} \sigma_z^{t_2} W_{t_3 t_4},\ t_1, t_2, t_3, t_4 \in \{0, 1\}\}$. By simple calculation, we get
$$\xi_{1000} = \frac{I - i\sigma_z}{\sqrt{2}}, \quad \xi_{0000} = W_{00} = \frac{\sigma_x + \sigma_y}{\sqrt{2}}, \quad \xi_{0010} = W_{10} = \frac{I + i\sigma_x - i\sigma_y + i\sigma_z}{2},$$
and find $\xi_{0010} = \dfrac{\xi_{1000} + i\xi_{0000}}{\sqrt{2}}$, which means
$$\mathrm{supp}(\xi_{0010}) \subseteq \mathrm{supp}\{\xi_{1000}, \xi_{0000}\} \subseteq \mathrm{supp}\{\xi_{t_1 t_2 t_3 t_4} : t_1 t_2 t_3 t_4 \neq 0010\}. \qquad (5)$$
That is to say, the sixteen encryption operations cannot be discriminated unambiguously, so that Alice cannot determine the values of $K'_{BT}$ conclusively by Trojan-horse attacks. Therefore, different from the previous AQS schemes, our AQS scheme is free from the Trojan-horse attack without additional hardware devices.
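The discrimination criterion of sect. 3.5, checked numerically as an added illustration (this is not the paper's own code): for a unitary channel the support is the span of the operator itself, so the condition of Theorem 1 of Wang and Ying reduces to a linear-independence test on the operators viewed as vectors in C^4. W_01 and W_11 are not stated on this page, so the block assumes only the eight operations built from the page's W_00 and W_10, and includes the four Pauli operations of the quantum one-time pad used by the earlier schemes for contrast.

```python
"""Single-use unambiguous discrimination check for qubit unitaries.

Added illustration of the criterion quoted in sect. 3.5 (Theorem 1 of
Wang and Ying [53]); this is not code from the paper.  For a unitary
channel the support is the span of the operator itself, so the test
reduces to linear (in)dependence of the operators as vectors in C^4.
"""
import itertools
import math

TOL = 1e-9  # tolerance for treating a pivot as zero

# 2x2 complex matrices as row-major tuples: identity and the Pauli operators.
I2 = ((1, 0), (0, 1))
SX = ((0, 1), (1, 0))
SY = ((0, -1j), (1j, 0))
SZ = ((1, 0), (0, -1))


def matmul(a, b):
    """Product of two 2x2 matrices."""
    return tuple(tuple(sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2))
                 for i in range(2))


def lincomb(*terms):
    """Linear combination of 2x2 matrices: lincomb((c1, M1), (c2, M2), ...)."""
    return tuple(tuple(sum(c * m[i][j] for c, m in terms) for j in range(2))
                 for i in range(2))


def vec(m):
    """Flatten a 2x2 operator into a vector of C^4."""
    return (m[0][0], m[0][1], m[1][0], m[1][1])


def rank(vectors):
    """Rank of a list of complex vectors by Gaussian elimination with a tolerance."""
    rows = [list(v) for v in vectors]
    ncols = len(rows[0]) if rows else 0
    r = 0
    for col in range(ncols):
        pivot = next((i for i in range(r, len(rows)) if abs(rows[i][col]) > TOL), None)
        if pivot is None:
            continue
        rows[r], rows[pivot] = rows[pivot], rows[r]
        p = rows[r][col]
        rows[r] = [x / p for x in rows[r]]
        for i in range(len(rows)):
            if i != r and abs(rows[i][col]) > TOL:
                f = rows[i][col]
                rows[i] = [x - f * y for x, y in zip(rows[i], rows[r])]
        r += 1
    return r


def unambiguously_discriminable(unitaries):
    """True iff every U_i lies outside span{U_j : j != i}, i.e. supp(xi_i) is not
    contained in supp(S_i) for all i (the Wang-Ying condition for unitaries)."""
    vs = [vec(u) for u in unitaries]
    for i in range(len(vs)):
        others = vs[:i] + vs[i + 1:]
        if rank(others + [vs[i]]) == rank(others):
            return False  # U_i is a linear combination of the others
    return True


# Quantum one-time pad of the earlier AQS schemes: one of four Pauli operators per qubit.
QOTP_PAULIS = [I2, SX, SY, SZ]

# Operators stated on this page: W_00 = (sigma_x + sigma_y)/sqrt(2) and
# W_10 = (I + i sigma_x - i sigma_y + i sigma_z)/2.  W_01 and W_11 are not given
# here (assumption: only these two are used), so the eight operations
# sigma_x^t1 sigma_z^t2 W_{t3 t4} built from them are tested; a larger set
# can only make single-use discrimination harder, never easier.
W00 = lincomb((1 / math.sqrt(2), SX), (1 / math.sqrt(2), SY))
W10 = lincomb((0.5, I2), (0.5j, SX), (-0.5j, SY), (0.5j, SZ))


def scheme_operations():
    """The operations xi_{t1 t2 t3 t4} = sigma_x^t1 sigma_z^t2 W_{t3 t4} for W_00 and W_10."""
    ops = []
    for w in (W00, W10):
        for t1, t2 in itertools.product((0, 1), repeat=2):
            p = I2
            if t1:
                p = matmul(p, SX)
            if t2:
                p = matmul(p, SZ)
            ops.append(matmul(p, w))
    return ops


if __name__ == "__main__":
    # Four Paulis are linearly independent, so one use (with an entangled probe)
    # can tell them apart: the weakness the fake-photon attacks on QOTP schemes exploit.
    print("QOTP Paulis discriminable:", unambiguously_discriminable(QOTP_PAULIS))
    # Eight (or sixteen) qubit operators live in the 4-dimensional operator space,
    # so each is a combination of the others and no single use can discriminate them.
    ops = scheme_operations()
    print("span dimension of scheme operations:", rank([vec(u) for u in ops]))
    print("scheme operations discriminable:", unambiguously_discriminable(ops))
```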


Table 1 Comparison between the proposed AQS scheme and the previous AQS schemes [38,41,42]. Here m represents the number of transmitted qubits of |ID_A⟩, |ID_B⟩, |T⟩, |r_A⟩ and |r_B⟩ in our scheme.

| AQS scheme | Quantum resource | Transmitted qubits' quantity | Immune to the attacks of refs. [42–47] | Key is reusable |
|---|---|---|---|---|
| ref. [38] | GHZ states | 17n + 1 | No | No |
| ref. [41] | Bell states | 14n + 1 [42] | No | No |
| ref. [42]'s second scheme | single-particle states | 9n + 2 [42] | No | No |
| the proposed scheme | single-particle states | 6n + m | Yes | Yes |

4 Discussion

Compared with the previous AQS schemes [38,41,42], the proposed scheme exhibits several distinctive features and advantages (see Table 1). First, our scheme only needs to transmit 6n + m qubits, which reduces the transmission complexity to some degree. Second, according to the security analysis in sect. 3, our scheme can resist the well-known attacks [42–47] which have rendered the previous AQS schemes insecure. Finally, the keys of the signer and the receiver in our scheme are reusable, by utilizing a general classical hash function together with random numbers.

We also observe that two AQS schemes [35,36], which also combine classical hash functions with random numbers to make the users' keys reusable, were proposed recently. However, the proposed scheme is still quite different from them in three main aspects. First of all, just as the previous AQS schemes [38,41,42], our AQS scheme is constructed for signing both classical messages and (unknown) quantum messages, while their schemes are designed for signing only classical messages. Second, the methods for generating each signature are different: the proposed scheme uses a different session key for each signature, while their schemes use a constant key. Lastly, our scheme applies the technique of quantum unknown state comparison, which has one-sided errors [42], whereas their schemes do not need this.

However, all the AQS schemes, including ours, only provide theoretically feasible models for signing classical or quantum messages. Their practical realization could be difficult because of the imperfections of real apparatus and channels, such as noise and signal loss. In order to overcome these flaws, some important techniques, such as quantum error correction [54] and quantum repeaters [55], might be applicable. Therefore, designing a secure and practical AQS scheme for real-world applications deserves further study.

5 Conclusions

Herein, we first give a solution to the receiver's disavowal attack [42,47] that exists in all the previous AQS schemes. Based on that, we then present an AQS scheme without using entangled states, in which the signer's and the receiver's secret keys can be reused by employing a cryptographic hash function together with random numbers. It is shown that the presented scheme is secure against various common attacks [42–47]. Compared with previous AQS schemes, the proposed scheme transmits fewer qubits.

This work was supported by the National Natural Science Foundation of China (Grants Nos. 61202451 and 61103210), Fujian Province Science and Technology Cooperation Projects (Grant No. 2010H6007), Foundation of Fujian Education Bureau (Grant No. JA12062), Program for Innovative Research Team in Science and Technology in Fujian Province University, and a Key Project of Fujian Provincial Universities-Information Technology Research Based on Mathematics.

1 Shor P W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J Comput, 1997, 26: 1484–1509
2 Grover L K. A fast quantum mechanical algorithm for database search. In: Proceedings of the 28th Annual ACM Symposium on Theory of Computation. New York: ACM Press, 1996. 212–219
3 Gisin N, Ribordy G, Tittel W, et al. Quantum cryptography. Rev Mod Phys, 2002, 74: 145–195
4 Deng F G, Long G L. Controlled order rearrangement encryption for quantum key distribution. Phys Rev A, 2003, 68: 042315
5 Deng F G, Long G L. Bidirectional quantum key distribution protocol with practical faint laser pulses. Phys Rev A, 2004, 70: 012311
6 Hwang W Y. Quantum key distribution with high loss: Toward global secure communication. Phys Rev Lett, 2003, 91: 057901
7 Wang X B. Beating the photon-number-splitting attack in practical quantum cryptography. Phys Rev Lett, 2005, 94: 230503
8 Lo H K, Ma X F, Chen K. Decoy state quantum key distribution. Phys Rev Lett, 2005, 94: 230504
9 Li X H, Deng F G, Zhou H Y. Efficient quantum key distribution over a collective noise channel. Phys Rev A, 2008, 78: 022321
10 Hillery M, Bužek V, Berthiaume A. Quantum secret sharing. Phys Rev A, 1999, 59: 1829–1834
11 Karlsson A, Koashi M, Imoto N. Quantum entanglement for secret sharing and secret splitting. Phys Rev A, 1999, 59: 162–168
12 Hao L, Li J L, Long G L. Eavesdropping in a quantum secret sharing protocol based on Grover algorithm and its solution. Sci China-Phys Mech Astron, 2010, 53: 491–495
13 Xiao L, Long G L, Deng F G, et al. Efficient multiparty quantum-secret-sharing schemes. Phys Rev A, 2004, 69: 052307
14 Long G L, Liu X S. Theoretically efficient high-capacity quantum-key-distribution scheme. Phys Rev A, 2002, 65: 032302
15 Bostrom K, Felbinger T. Deterministic secure direct communication using entanglement. Phys Rev Lett, 2002, 89: 187902
16 Deng F G, Long G L, Liu X S. Two-step quantum direct communication protocol using the Einstein-Podolsky-Rosen pair block. Phys Rev A, 2003, 68: 042317
17 Deng F G, Long G L. Secure direct communication with a quantum one-time pad. Phys Rev A, 2004, 69: 052319
18 Cai Q Y, Li B W. Deterministic secure communication without using entanglement. Chin Phys Lett, 2004, 21: 601–603
19 Wang C, Deng F G, Li Y S. Quantum secure direct communication with high-dimension quantum superdense coding. Phys Rev A, 2005, 71: 044305
20 Li X H, Li C Y, Deng F G, et al. Quantum secure direct communication with quantum encryption based on pure entangled states. Chin Phys B, 2007, 16: 2149–2153
21 Lin S, Wen Q Y, Gao F. Quantum secure direct communication with χ-type entangled states. Phys Rev A, 2008, 78: 064304
22 Wang T J, Li T, Du F F, et al. High-capacity quantum secure direct communication based on quantum hyperdense coding with hyperentanglement. Chin Phys Lett, 2011, 28: 040305
23 Gu B, Zhang C Y, Huang Y G, et al. A two-step quantum secure direct communication protocol with hyperentanglement. Chin Phys B, 2011, 20: 100309
24 Gu B, Zhang C Y, Cheng G S. Robust quantum secure direct communication with a quantum one-time pad over a collective-noise channel. Sci China-Phys Mech Astron, 2011, 54: 942–947
25 Liu D, Chen J L, Jiang W. High-capacity quantum secure direct communication with single photons in both polarization and spatial-mode degrees of freedom. Int J Theor Phys, 2012, 51: 2923–2929
26 Sun Z W, Du R G, Long D Y. Quantum secure direct communication with two-photon four-qubit cluster states. Int J Theor Phys, 2012, 51: 1946–1952
27 Ren B C, Wei H R, Hua M, et al. Photonic spatial Bell-state analysis for robust quantum secure direct communication using quantum dot-cavity systems. Eur Phys J D, 2013, 67: 30
28 Gu B, Huang Y G, Fang X, et al. Robust quantum secure communication with spatial quantum states of single photons. Int J Theor Phys, 2013, 52: 4461–4469
29 Chang Y, Xu C X, Zhang S B, et al. Quantum secure direct communication and authentication protocol with single photons. Chin Sci Bull, 2013, 58: 4571–4576
30 Tsai C W, Hwang T. Deterministic quantum communication using the symmetric W state. Sci China-Phys Mech Astron, 2013, 56: 1903–1908
31 Zhou J X, Zhou Y J, Niu X X. Quantum proxy signature scheme with public verifiability. Sci China-Phys Mech Astron, 2011, 54: 1828–1832
32 Liang M, Yang L. Public-key encryption and authentication of quantum information. Sci China-Phys Mech Astron, 2012, 55: 1618–1629
33 Wang M M, Chen X B, Yang Y X. A blind quantum signature protocol using the GHZ states. Sci China-Phys Mech Astron, 2013, 56: 1636–1641
34 Shi J H, Zhang S L, Chang Z G. The security analysis of a threshold proxy quantum signature scheme. Sci China-Phys Mech Astron, 2013, 56: 519–523
35 Luo Y P, Hwang T. Arbitrated quantum signature of classical messages without using authenticated classical channels. Quantum Inf Process, 2014, 13: 113–120
36 Li Q, Li C Q, Long D Y, et al. Efficient arbitrated quantum signature and its proof of security. Quantum Inf Process, 2013, 12: 2427–2439
37 Barnum H, Crepeau C, Gottesman D, et al. Authentication of Quantum Messages. Washington DC: IEEE Computer Society Press, 2002. 449–458
38 Zeng G H, Keitel C H. Arbitrated quantum-signature scheme. Phys Rev A, 2002, 65: 042312
39 Curty M, Lütkenhaus N. Comment on "Arbitrated quantum-signature scheme". Phys Rev A, 2008, 77: 064301
40 Zeng G H. Reply to "Comment on 'Arbitrated quantum-signature scheme'". Phys Rev A, 2008, 78: 016301
41 Li Q, Chan W H, Long D Y. Arbitrated quantum signature scheme using Bell states. Phys Rev A, 2009, 79: 054307
42 Zou X F, Qiu D W. Security analysis and improvements of arbitrated quantum signature schemes. Phys Rev A, 2010, 82: 042325
43 Gao F, Qin S J, Guo F Z, et al. Cryptanalysis of the arbitrated quantum signature protocols. Phys Rev A, 2011, 84: 022344
44 Choi J W, Chang K Y, Hong D. Security problem on arbitrated quantum signature schemes. Phys Rev A, 2011, 84: 062330
45 Sun Z W, Du R G, Wang B H, et al. Improvements on the security of arbitrated quantum signature protocols. arXiv:quant-ph/1107.2459
46 Li Q, Li C Q, Wen Z H, et al. On the security of arbitrated quantum signature schemes. arXiv:quant-ph/1205.3265
47 Hwang T, Luo Y P, Chong S K. Comment on "Security analysis and improvements of arbitrated quantum signature schemes". Phys Rev A, 2012, 85: 056301
48 Zhang K J, Qin S J, Sun Y, et al. Reexamination of arbitrated quantum signature: The impossible and the possible. Quantum Inf Process, 2013, 12: 3127–3141
49 Zhang K J, Zhang W W, Li D. Improving the security of arbitrated quantum signature against the forgery attack. Quantum Inf Process, 2013, 12: 2655–2669
50 Boykin P O, Roychowdhury V. Optimal encryption of quantum bits. Phys Rev A, 2003, 67: 042317
51 Cai Q Y. Eavesdropping on the two-way quantum communication protocols with invisible photons. Phys Lett A, 2006, 351: 23–25
52 Deng F G, Zhou P, Li X H, et al. Robustness of two-way quantum communication protocols against Trojan horse attack. arXiv:quant-ph/0508168
53 Wang G M, Ying M S. Unambiguous discrimination among quantum operations. Phys Rev A, 2006, 73: 042301
54 Nielsen M A, Chuang I L. Quantum Computation and Quantum Information. Cambridge: Cambridge University Press, 2000. 425–493
55 van Enk S J, Cirac J I, Zoller P. Ideal quantum communication over noisy channels: A quantum optical implementation. Phys Rev Lett, 1997, 78: 4293–4296

Information for authors

SCIENCE CHINA Physics, Mechanics & Astronomy, a monthly peer-reviewed academic journal cosponsored by the Chinese Academy of Sciences and the National Natural Science Foundation of China, and published by Science China Press and Springer, is committed to publishing high-quality, original results in both basic and applied research.

Categories of articles: Reviews summarize representative results and achievements in a particular topic or area, comment on the current state of research, and advise on research directions. The author's own opinion and related discussion are requested. Articles report on important original results in all areas of physics, mechanics and astronomy. Letters present short reports in a timely manner of the latest important results. Comments are welcome on a paper or other report or event within the past month or so, or in the near future.

Authors are recommended to use the online submission services. To submit a manuscript, please visit phys.scichina.com, click the button "submission", and use the ScholarOne System. A new user should register an "Author Account" and then submit a manuscript following the guidance. Authors should also submit accompanying materials such as a short statement on the research background and significance of the work, and a brief introduction to the first and corresponding authors including their mailing address, post code, telephone number, fax number, and email address. Authors may suggest several referees (please supply full names, addresses, phone, fax and email), and/or request the exclusion of specific reviewers. All submissions will be reviewed by referees selected by the editorial board. The decision of acceptance or rejection of a manuscript is made by the editorial board based on the referees' reports. The entire review process may take 30 to 90 days, and the editorial office will inform the author of the decision as soon as the process is completed. If the editorial board fails to make a decision within 90 days, please contact the editorial office.

Authors should guarantee that their submitted manuscript has not been published before, and has not been submitted elsewhere for print or electronic publication consideration. Submission of a manuscript is taken to imply that all the named authors are aware that they are listed as co-authors, and that they have seen and agreed to the submitted version of the paper. No change in the order of listed authors can be made without an agreement signed by all the authors. A manuscript recommended and peer-reviewed by an associate editor of this journal (please indicate "Recommended by XXX" on the title page) will be sent directly to the editor-in-chief for the acceptance/refusal decision. A paper authored by an associate editor of this journal, who takes responsibility for it (please indicate "Contributed by XXX" on the title page), will be dealt with in the same way. Once a manuscript is accepted, the authors should send a copyright transfer form signed by all authors to Science China Press. Authors of each published paper will be presented one sample copy. If more sample copies and offprints are required, please contact the managing editor and pay the extra fee. The full text in Chinese and in English is freely available to readers in China at phys.scichina.com, and the full text in English is available to overseas readers at link.springer.com.

Ethical responsibilities of authors: Authors should refrain from misrepresenting research results, which could damage the trust in the journal and ultimately the entire scientific endeavour, and follow the COPE guidelines on how to deal with potential acts of misconduct. Disclosure of potential conflicts of interest: Authors must disclose all relationships or interests that could influence or bias the work. The corresponding author will include a summary statement in the text of the manuscript in a separate section before the reference list.


SCIENCE CHINA Physics, Mechanics & Astronomy

Contents, Vol. 57 No. 11, November 2014

Progress of Projects Supported by NSFC

Letters

Condensed Matter Physics
Enhanced Raman scattering of graphene on Ag nanoislands. HU Wei, HUANG ZhiYi, ZHOU YingHui, CAI WeiWei & KANG JunYong (p. 2021)

High-energy Physics
First dark matter search results from the PandaX-I experiment. XIAO MengJiao, XIAO Xiang, ZHAO Li, CAO XiGuang, CHEN Xun, CHEN YunHua, CUI XiangYi, FANG DeQing, FU ChangBo, GIBONI Karl L., GONG HaoWei, GUO GuoDong, HU Jie, HUANG XingTao, JI XiangDong, JU YongLin, LEI SiAo, LI ShaoLi, LIN Qing, LIU HuaXuan, LIU JiangLai, LIU Xiang, LORENZON Wolfgang, MA YuGang, MAO YaJun, NI KaiXuan, PUSHKIN Kirill, REN XiangXiang, SCHUBNELL Michael, SHEN ManBing, STEPHENSON Scott, TAN AnDi, TARLÉ Greg, WANG HongWei, WANG JiMin, WANG Meng, WANG XuMing, WANG Zhou, WEI YueHuan, WU ShiYong, XIE PengWei, YOU YingHui, ZENG XiongHui, ZHANG Hua, ZHANG Tao & ZHU ZhongHua (p. 2024)

Articles

Theoretical Physics
Computable upper bounds for the adiabatic approximation errors. YU BaoMin, CAO HuaiXin, GUO ZhiHua & WANG WenHua (p. 2031)

Optics
Parallel detection and quantitative analysis of specific binding of proteins by oblique-incidence reflectivity difference technique in label-free format. DAI Jun, LI Lin, HE LiPing, RUAN KangCheng, LU HuiBin, JIN KuiJuan & YANG GuoZhen (p. 2039)
Spin-orbit hybrid entanglement quantum key distribution scheme. ZHANG ChengXian, GUO BangHong, CHENG GuangMing, GUO JianJun & FAN RongHua (p. 2043)

Nuclear Physics
Prototype of a large neutron detector based on MWPC. TIAN LiChao, QI HuiRong, SUN ZhiJia, WANG YanFeng, ZHANG Jian, LIU RongGuang, ZHAO YuBin, ZHANG HongYu, ZHAO DongXu, DONG Jing, XIE Wan, YANG GuiAn, OUYANG Qun & CHEN YuanBo (p. 2049)
Projected total energy surface description for axial shape asymmetry in 172W. TU Ya, CHEN YongShou, GAO ZaoChun, YU ShaoYing & LIU Ling (p. 2054)
Influence of thermalization on the initial condition for heavy ion collisions. ZHAO AMeng, SUN WeiMin & ZONG HongShi (p. 2060)
Flow effects on jet energy loss with detailed balance. CHENG Luan, LIU Jia & WANG EnKe (p. 2070)

Quantum Physics
Arbitrated quantum signature scheme based on reusable key. YU ChaoHua, GUO GongDe & LIN Song (p. 2079)
SU(2) symmetry in a Hubbard model with spin-orbit coupling. ZHANG XiZheng, JIN Liang & SONG Zhi (p. 2086)
Photonic phase transition in circuit quantum electrodynamics lattices coupled to superconducting phase qubits. LIU YiMin, JIN WuYin & YOU JiaBin (p. 2092)
Entangler and analyzer for multiphoton Greenberger-Horne-Zeilinger states using weak nonlinearities. DING Dong, YAN FengLi & GAO Ting (p. 2098)

Biophysics
Poisson-Fokker-Planck model for biomolecules translocation through nanopore driven by electroosmotic flow. LIN XiaoHui, ZHANG ChiBin, GU Jun, JIANG ShuYun & YANG JueKuan (p. 2104)
Effects of oxaliplatin on DNA condensation. JU HaiPeng, ZHANG HongYan, LI Wei & WANG PengYe (p. 2114)

Basic Mechanics
On the stability of the three classes of Newtonian three-body planar periodic orbits. LI XiaoMing & LIAO ShiJun (p. 2121)
Wetting property of smooth and textured hydrophobic surfaces under condensation condition. HAO PengFei, LV CunJing, YAO ZhaoHui & NIU FengLei (p. 2127)

Fluid Dynamics
Drag reduction in turbulent channel flow using bidirectional wavy Lorentz force. HUANG LePing, CHOI KwingSo, FAN BaoChun & CHEN YaoHui (p. 2133)
Nonlinear interaction mechanisms of disturbances in supersonic flat-plate boundary layers. YU Min & LUO JiSheng (p. 2141)

Physical Mechanics
Molecular kinetic theory of boundary slip on textured surfaces by molecular dynamics simulations. WANG LiYa, WANG FengChao, YANG FuQian & WU HengAn (p. 2152)

Biomechanics
Effects of microcracks on the poroelastic behaviors of a single osteon. WU XiaoGang, WANG YanQin, WU XiaoHong, CEN HaiPeng, GUO Yuan & CHEN WeiYi (p. 2161)

Galaxy and Cosmology
An efficient method to identify galaxy clusters by using SuperCOSMOS, 2MASS and WISE data. XU WeiWei, WEN ZhongLue & HAN JinLin (p. 2168)

Letter

Fluid Dynamics
The effects of vortex breakdown on the static rolling aerodynamics of finned slender body. XU KeZhe, ZHANG YuFei, CHEN HaiXin & FU Song (p. 2174)

Cover

The PandaX collaboration reported the first physics results from their stage-I dark matter detector containing a large 120-kg xenon target. In recent years, many dark matter search experiments, such as the DAMA/LIBRA experiment in Italy, the CoGeNT and CDMS experiments in the US, and the German-led CRESST experiment, reported positive signals which could be interpreted as dark matter. The PandaX collaboration observed no dark matter signals in the first PandaX-I run. This places strong constraints on all previously reported dark matter-like signals from other similar types of experiments. The result casts doubt on the interpretation of the positive signals in other experiments as dark matter. The paper published in this issue gives a detailed description of the first results of PandaX-I. Shown on the cover are the cables inside the PandaX-I detector that connect the photomultiplier tubes (PMTs), which catch the signals, to the data-acquisition electronics (see the article by XIAO MengJiao et al. on page 2024).

SCIENCE CHINA Physics, Mechanics & Astronomy

Article

November 2014 Vol. 57 No. 11: 2079–2085 doi: 10.1007/s11433-014-5491-4

Arbitrated quantum signature scheme based on reusable key

YU ChaoHua1,2, GUO GongDe1,2 & LIN Song1,2*

1 School of Mathematics and Computer Science, Fujian Normal University, Fuzhou 350007, China;
2 Key Lab of Network Security and Cryptography, Fujian Normal University, Fuzhou 350007, China

Received February 20, 2014; accepted March 13, 2014; published online August 22, 2014

An arbitrated quantum signature scheme without using entangled states is proposed. In the scheme, by employing a classical hash function and random numbers, the secret keys of signer and receiver can be reused. It is shown that the proposed scheme is secure against several well-known attacks. Specifically, it can stand against the receiver's disavowal attack. Moreover, compared with previous relevant arbitrated quantum signature schemes, the proposed scheme has the advantage of lower transmission complexity.

Keywords: arbitrated quantum signature, disavowal, reusable key

PACS number(s): 03.67.Dd, 03.65.Ta, 03.67.Hk

Citation: Yu C H, Guo G D, Lin S. Arbitrated quantum signature scheme based on reusable key. Sci China-Phys Mech Astron, 2014, 57: 2079–2085, doi: 10.1007/s11433-014-5491-4

As an analogue of the handwritten signature, a digital signature lets the receiver of an electronic message verify who sent it and that it has not been altered. It has been widely employed in secure electronic commerce and has become a primitive of classical cryptography. However, most classical digital signature schemes are based on public key cryptography, where security relies on computational complexity assumptions that can be significantly weakened by quantum algorithms [1,2]. Fortunately, this problem can be addressed by quantum cryptography, which can provide unconditional security in theory based on the fundamental principles of quantum mechanics. In quantum cryptography, some security tasks which are difficult or impossible in classical cryptography have been solved, such as quantum key distribution [3–9], quantum secret sharing [10–13] and quantum direct communication [14–30]. Stimulated by these, researchers have studied signature schemes based on quantum mechanics for unconditional security. In recent years, various quantum protocols for signing classical messages have been proposed and analyzed [31–36]. These achievements have allowed researchers to design signature schemes for signing quantum messages. However, Barnum et al. [37] suggested that signing quantum messages is not possible in a two-party setting. To overcome this obstacle, the concept of arbitrated quantum signature (AQS), where the receiver can verify the validity of the signature with the help of an arbitrator, has been put forward and has received considerable attention in recent years [38–49]. Zeng and Keitel [38] proposed the first AQS scheme, the security of which is ensured by the correlation of Greenberger-Horne-Zeilinger (GHZ) states and quantum one-time pad (QOTP) encryption [50]. Later, Li et al. [41] presented a more efficient AQS scheme by replacing GHZ states with Bell states. In general, a secure AQS scheme should satisfy two conditions: the signature must not be forgeable by an attacker (including the receiver), and neither the signer nor the receiver can disavow the signature [38,41,42]. However, Zou and Qiu [42] showed that both schemes above were insecure because they could be repudiated by the receiver, and further proposed two AQS schemes to solve the problem. But Hwang et al. [47] showed that the same security problem might exist in the schemes of Zou and Qiu. Some other security problems and improvements on AQS were also presented in refs. [45,46,48,49].

In this paper, we further discuss the receiver's disavowal attack [42,47] and show that it can be avoided if the receiver does not perform a further verification after the arbitrator has verified the validity of a signature. Moreover, we find that a classical one-way hash function and a random number allow the signer's secret key to be reused to sign multiple quantum messages. Based on these two ideas, we design a secure AQS scheme with reusable key, in which no entangled states are used. The security analysis shows that our scheme is secure in theory because it satisfies the two basic security requirements mentioned above. Furthermore, it is also shown that the proposed scheme overcomes the other known security problems [43,45,46]. Compared with the previous AQS schemes [38,41,42], our scheme achieves higher transmission efficiency since fewer qubits are transmitted.

*Corresponding author (email: [email protected])

© Science China Press and Springer-Verlag Berlin Heidelberg 2014

1 Security problems on the previous AQS schemes

In this section, we primarily discuss two security problems in the previous AQS schemes: (1) all the previous AQS schemes are susceptible to the receiver's disavowal attack; (2) the keys shared between the signer (the receiver) and the arbitrator cannot be reused. Furthermore, some potential solutions are provided. Although the typical AQS schemes [38,41,42] utilize different types of states, they can be reduced to a basic model with three transmissions (or procedures):

(T1). The signer Alice transfers two copies of the message $|P\rangle$ (to distinguish between them, we denote them by $|P_1\rangle$ and $|P_2\rangle$) and the corresponding signature $|S\rangle = E_{K_{AT}}(|P\rangle)$ to the receiver Bob, where $K_{AT}$ is the key shared between Alice and the arbitrator Trent and $E_{K_{AT}}$ is the quantum one-time pad (QOTP) algorithm [50].

(T2). Bob transmits the message-signature pair $(|P_1\rangle, |S\rangle)$ to Trent and retains the other copy of the message $|P_2\rangle$.

(T3). Trent verifies the validity of the signature $|S\rangle$ by unknown state comparison [42], and then returns the message-signature pair $(|P_1\rangle, |S\rangle)$ and the corresponding verification result to Bob. If the result is negative, Bob rejects the signature $|S\rangle$. Otherwise, he further verifies whether $|P_1\rangle = |P_2\rangle$. If not, he rejects the signature; otherwise he accepts it.

• All the previous AQS schemes are susceptible to the receiver's disavowal attack

Zou and Qiu [42] showed that two typical AQS schemes are not secure because Trent cannot arbitrate a dispute between Alice and Bob when Bob repudiates the integrity of a signature in transmission (T3). That is, when Bob claims $|P_1\rangle \neq |P_2\rangle$ in transmission (T3), Trent faces a dilemma: he cannot judge which of the following has happened: (1) Bob lied; (2) Alice sent two different messages in transmission (T1); (3) an eavesdropper, Eve, disturbed the communication. Thus, Bob can actively repudiate the received signature without being detected. By using a public board, Zou and Qiu constructed two AQS schemes to solve the problem. However, Hwang et al. [47] pointed out that the same security problem still exists in those schemes.

We observe that the reason this repudiation by Bob works in the previous AQS schemes is that, after Trent verifies the validity of the signature $|S\rangle$, he returns the message-signature pair and the verification result to Bob so that Bob can perform a further verification (transmission (T3)). If Bob then claims an unfair verification, Trent is faced with the same dilemma as above. To avoid it, Bob should not perform a further verification after Trent has verified the validity of the signature. In fact, all Bob needs from Trent is help in verifying the validity of the signature and the result of that verification. From this viewpoint, if Bob holds two identical message-signature pairs and sends one of them to Trent for verification, Trent only needs to announce the verification result publicly, without returning the message-signature pair to Bob for a further verification. In this way the problem of repudiation by the receiver is solved naturally.

• Keys shared between the signer (the receiver) and the arbitrator cannot be reused

Since all the previous AQS schemes employ a QOTP algorithm [50] to generate the signature, Alice's secret key should not be reused to produce multiple signatures. If Bob holds a number of message-signature pairs signed by Alice with the same secret key $K_{AT}$, he can probably deduce the exact encryption operation on every qubit of the signature through multiple unknown state comparisons, which means that a certain amount of information about Alice's secret key leaks to Bob. The more pairs he holds, the more information he can recover.

A direct solution is for Alice to share a fresh key with Trent via QKD each time she wants to sign a quantum message. However, this is not practical and would greatly reduce the efficiency of the AQS scheme. To overcome this problem, we employ a classical one-way hash function $H(x)$ to produce different session keys that are used for signing different quantum messages. That is, every time Alice starts to sign a quantum message, she chooses a random number $r_A$ and computes the session key $K'_{AT} = H(K_{AT} \| r_A)$, where $K_{AT}$ is her secret key shared with Trent via a secure QKD protocol and $\|$ denotes concatenation. In this way, each signature Bob receives from Alice is encrypted with a different session key $K'_{AT}$, and $K_{AT}$ can be reused. Similarly, Bob can produce his session key $K'_{BT} = H(K_{BT} \| r_B)$ so that his secret key $K_{BT}$ is reusable. We further discuss the security of $K'_{AT}$ and $K'_{BT}$ in sect. 3.2.
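The session-key derivation just described, together with the length extension of steps (S2)/(V3) (hash again with $r+1$ and concatenate) and the two rules of sect. 3.2 (the shared key must be at least $m$ bits long; re-share it after more than $C_{max}$ failed verifications), as an added Python example. This is editor's code, not from the paper. It assumes a fixed-width encoding of the random number $r$ (the paper leaves $r \in \{0,1\}^*$ unencoded), substitutes SHA-256 for the MD5 named in step (I2), and uses constructed key bytes in place of a QKD-shared key.

```python
import hashlib

# H(x): {0,1}* -> {0,1}^m.  Step (I2) names MD5 as an example; SHA-256 here is an
# editor's substitution (m = 256).  Sect. 3.2 argues collision resistance is not
# needed, only that H(K || r) stays unpredictable without K.
HASH = hashlib.sha256
M_BITS = HASH().digest_size * 8


def encode_counter(r: int) -> bytes:
    # Assumption: the paper leaves r in {0,1}* unencoded.  A fixed width keeps
    # K || r unambiguous (no realignment between the key and counter parts).
    return r.to_bytes(8, "big")


def raw_hash(shared_key: bytes, r: int) -> bytes:
    """One hash block H(K || r)."""
    return HASH(shared_key + encode_counter(r)).digest()


def session_key(shared_key: bytes, r: int, nbits: int) -> bytes:
    """K' = H(K || r) || H(K || r+1) || ... truncated to nbits (steps (S2)/(V3)).

    When one hash output is too short for a 2n-bit QOTP key, r is incremented
    and the outputs concatenated.  The |K| >= m rule of sect. 3.2 is enforced:
    a shorter K gives at most 2^|K| < 2^m distinct session keys.
    """
    if len(shared_key) * 8 < M_BITS:
        raise ValueError("shared key shorter than the hash output m (sect. 3.2)")
    if nbits <= 0:
        raise ValueError("nbits must be positive")
    out = bytearray()
    counter = r
    while len(out) * 8 < nbits:
        out += raw_hash(shared_key, counter)
        counter += 1
    key = out[:(nbits + 7) // 8]
    if nbits % 8:                      # clear the unused high bits of the last byte
        key[-1] &= (1 << (nbits % 8)) - 1
    return bytes(key)


def key_bits(key: bytes, nbits: int) -> list:
    """Expand a session key into the bit list K_1..K_nbits consumed per qubit."""
    return [(key[i // 8] >> (i % 8)) & 1 for i in range(nbits)]


def rejects_short_key(shared_key: bytes) -> bool:
    try:
        session_key(shared_key, 0, 8)
    except ValueError:
        return True
    return False


class SharedKey:
    """Long-term key from step (I1), reused across signatures via session keys.

    Also tracks the failure counter of sect. 3.2: once more than c_max
    verifications fail, the key is retired and must be re-shared via QKD.
    """

    def __init__(self, secret: bytes, c_max: int):
        self.secret, self.c_max = secret, c_max
        self.failures, self.retired = 0, False

    def session(self, r: int, nbits: int) -> bytes:
        if self.retired:
            raise RuntimeError("key exceeded C_max failures; re-share via QKD")
        return session_key(self.secret, r, nbits)

    def record_verification(self, verdict_v: int) -> bool:
        """Feed Trent's public verdict V from step (V8); False once retired."""
        if verdict_v != 1:
            self.failures += 1
            self.retired = self.failures > self.c_max
        return not self.retired


def trent_matches_sender(shared_key: bytes, announced_r: int, nbits: int) -> bool:
    """Step (V6): Trent, holding K and the r read out of |m_B>, rederives K'."""
    sender = SharedKey(shared_key, c_max=3).session(announced_r, nbits)
    return session_key(shared_key, announced_r, nbits) == sender
```

Two points the code makes explicit that the prose leaves implicit: the counter must be encoded with a fixed width, otherwise $K \| r$ is not an injective encoding of the pair, and the failure counter has to be checked before every new session key, not only when a dispute arises.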

2 Our AQS scheme based on reusable key

Based on the conclusions of the last section and the other security analyses of AQS [43–46], we intend to design a secure AQS scheme with reusable key. Like the second AQS scheme of ref. [42], the scheme suggested here does not use entangled states. Before giving the details of our scheme, it is necessary to introduce the QOTP algorithm [50] and the rotation encryption algorithm [42], both of which use classical key bits to encrypt a quantum message and play important roles in AQS.

Suppose a quantum message $|P\rangle = \bigotimes_{i=1}^{n} |P_i\rangle$ is composed of $n$ qubits $|P_i\rangle = \alpha_i|0\rangle + \beta_i|1\rangle$, and the key is $K \in \{0,1\}^{2n}$. The QOTP encryption $E_K$ on the quantum message can be described as

$$E_K(|P\rangle) = \bigotimes_{i=1}^{n} U_{K_{2i-1}K_{2i}} |P_i\rangle, \qquad (1)$$

where $K_j$ is the $j$th bit of $K$, and the unitary operations $\{U_{K_{2i-1}K_{2i}}\}$ form an orthogonal basis of the single-qubit operator space under the trace inner product, namely $\mathrm{Tr}(U_{jk}^{\dagger} U_{lm}) = 2\,\delta_{jk,lm}$ ($jk, lm \in \{00, 01, 10, 11\}$). Similarly, the rotation encryption $M_K$, which consumes one key bit per qubit, can be written as

$$M_K(|P\rangle) = \bigotimes_{i=1}^{n} U_{K_i (K_i \oplus 1)} |P_i\rangle. \qquad (2)$$

In the previous AQS schemes, the encryption operations are the Pauli matrices, namely $U_{00} = I$, $U_{01} = \sigma_x$, $U_{10} = \sigma_z$, $U_{11} = -i\sigma_y$. However, this one-time pad cannot resist existential forgery [43,44]. Although an improved QOTP is given in ref. [44], it still cannot prevent the forgery [48,49]. Fortunately, Zhang et al. [49] have suggested two effective encryption algorithms to resist it. In this paper, we employ the first one (called "Key-Controlled-'I' QOTP" [49]), which has the form

$$E_K(|P\rangle) = \bigotimes_{i=1}^{n} \sigma_x^{K_{2i}} \sigma_z^{K_{2i-1}} W_{K_i K_{2n-i+1}} |P_i\rangle, \qquad (3)$$

where $W_{00}$, $W_{01}$, $W_{10}$, $W_{11}$ are four Clifford operators given by

$$W_{00} = \frac{1}{\sqrt{2}}(\sigma_x + \sigma_z), \quad W_{01} = \frac{1}{\sqrt{2}}(\sigma_y + \sigma_z), \quad W_{10} = \frac{1}{2}(I + i\sigma_x - i\sigma_y + i\sigma_z), \quad W_{11} = \frac{1}{2}(I + i\sigma_x + i\sigma_y + i\sigma_z). \qquad (4)$$

Just as the previous AQS schemes, our scheme involves three participants: the signer Alice, the receiver Bob and the arbitrator Trent, and includes three phases: the initializing phase, the signing phase and the verifying phase.

2.1 Initializing phase

(I1). Trent shares the secret keys $K_{AT}$ and $K_{BT}$ with Alice and Bob respectively via a secure QKD protocol [3]. In the same way, Alice and Bob share the secret key $K_{AB}$.

(I2). Alice, Bob and Trent agree on a one-way hash function $H(x): \{0,1\}^* \to \{0,1\}^m$, such as the MD5 algorithm (sect. 3.2 explains why collision resistance of $H$ is not required in this scheme; in practice a current hash such as SHA-256 should nevertheless be preferred). The identities of Alice and Bob are denoted by $ID_A$ and $ID_B$ respectively.

2.2 Signing phase

(S1). Alice prepares four copies of an unknown quantum message with $n$ qubits $|P\rangle = \bigotimes_{i=1}^{n} |P_i\rangle$, where $|P_i\rangle = \alpha_i|0\rangle + \beta_i|1\rangle$.

(S2). Alice chooses a random number $r_A \in \{0,1\}^*$ and then obtains the session key $K'_{AT} = H(K_{AT} \| r_A)$. The length of $K'_{AT}$ can be adjusted to the actual needs by setting $r_A = r_A + 1$, i.e., hashing again with the incremented $r_A$ and concatenating the outputs.

(S3). Alice transforms the classical messages $ID_A$, $ID_B$, the timestamp $T$, and $r_A$ into the quantum messages $|ID_A\rangle$, $|ID_B\rangle$, $|T\rangle$, $|r_A\rangle$ in the basis $B_Z = \{|0\rangle, |1\rangle\}$; their combination is denoted $|m_A\rangle = |ID_A\rangle \otimes |ID_B\rangle \otimes |T\rangle \otimes |r_A\rangle$. That is, the classical bit 0 (or 1) is transformed into a qubit in the state $|0\rangle$ (or $|1\rangle$). Several copies of these quantum messages can be prepared as needed.

(S4). Alice generates two copies of the signature $|S\rangle = E_{K'_{AT}}(|P\rangle \otimes |ID_A\rangle \otimes |ID_B\rangle \otimes |T\rangle)$ by encrypting two copies of $|P\rangle$. Now she has two identical message-signature pairs $(|P\rangle, |S\rangle)$.

(S5). She rotates one message-signature pair into a secret message $|R_{AB}\rangle = M_{K_{AB}}(|P\rangle \otimes |S\rangle)$.

(S6). Alice encrypts $|P\rangle$, $|S\rangle$ and $|R_{AB}\rangle$ with $K_{AB}$ and obtains $|Y_A\rangle = E_{K_{AB}}(|P\rangle \otimes |S\rangle \otimes |R_{AB}\rangle) \otimes |m_A\rangle$. Then she transmits $|Y_A\rangle$ to Bob.

2.3 Verifying phase

(V1). After receiving $|Y_A\rangle$ from Alice, Bob decrypts $E_{K_{AB}}(|P\rangle \otimes |S\rangle \otimes |R_{AB}\rangle)$ with $K_{AB}$ and obtains $|P\rangle$, $|S\rangle$ and $|R_{AB}\rangle$. Then he further decrypts $|R_{AB}\rangle$ with $K_{AB}$, and finally holds two message-signature pairs and $|m_A\rangle$.

(V2). Bob verifies whether the two message-signature pairs are the same by the unknown state probabilistic comparison [42]. If not, he rejects the signature. Otherwise, he continues to the next step.

(V3). Bob chooses a random number $r_B \in \{0,1\}^*$ and then obtains the session key $K'_{BT} = H(K_{BT} \| r_B)$. The length of $K'_{BT}$ can be adjusted to the actual needs by setting $r_B = r_B + 1$, as in step (S2).

(V4). Bob prepares two copies of $|m_A\rangle$ (note that $|m_A\rangle$ is a classical message in essence and can be prepared in any number of copies). Then he generates $|r_B\rangle$ and appends it to one copy of $|m_A\rangle$ (keeping the other copy), obtaining $|m_B\rangle = |m_A\rangle \otimes |r_B\rangle$.

(V5). Bob computes $|Y_B\rangle = E_{K'_{BT}}(|P\rangle \otimes |S\rangle) \otimes |m_B\rangle$ and transmits it to Trent, keeping the other copy of $(|P\rangle, |S\rangle, |m_A\rangle)$.

(V6). After receiving $|Y_B\rangle$ from Bob, Trent extracts the classical information ($ID_A$, $ID_B$, $T$, $r_A$ and $r_B$) by performing projective measurements on $|m_B\rangle$ in the basis $B_Z$. Then he obtains $K'_{BT}$ and $K'_{AT}$ by a simple calculation.

(V7). Trent obtains $|P\rangle$ and $|S\rangle$ by decrypting $|Y_B\rangle$ with the key $K'_{BT}$, and further obtains $|P'\rangle$, $|ID'_A\rangle$, $|ID'_B\rangle$ and $|T'\rangle$ by decrypting $|S\rangle$ with the key $K'_{AT}$. Then he verifies whether $|P'\rangle = |P\rangle$ (by unknown state comparison [42]), $ID'_A = ID_A$, $ID'_B = ID_B$ and $T' = T$. If the answer is positive, he believes the signature is valid and sets the verification parameter $V = 1$; otherwise, he sets $V = 0$. If $V = 1$, he saves $ID_A$, $ID_B$, $r_A$, $r_B$ and $T$ in his database as the record of this successful signature.

(V8). Trent destroys the particles of the message and signature, and announces $V$ publicly.

(V9). If $V = 1$, Bob retains $(|P\rangle, |S\rangle, |m_A\rangle)$ as the valid signature.

The whole procedure of the AQS scheme is illustrated in Figure 1.

3 Security analysis on our AQS scheme

A secure AQS scheme should satisfy two requirements: the signature should not be forgeable by an attacker (including the receiver), and neither the signer nor the receiver can disavow the signature [38,41,42]. In this section, we show that the scheme is secure by demonstrating that it satisfies these two requirements. Some other specific attacks [42–47] are also analyzed.

3.1 Forgery by an outside attacker

If an outside attacker, Eve, wants to forge the signature $|S\rangle = E_{K'_{AT}}(|P\rangle \otimes |ID_A\rangle \otimes |ID_B\rangle \otimes |T\rangle)$, she has to know Alice's session key $K'_{AT} = H(K_{AT} \| r_A)$, which is determined by the value of $K_{AT}$ and the random number $r_A$. However, although the hash function $H(x)$ and $r_A$ are public, she cannot generate $K'_{AT}$, because she does not know the value of $K_{AT}$, which is shared between Alice and Trent by an unconditionally secure QKD scheme [3]. Moreover, because of the use of the improved quantum encryption algorithm "Key-Controlled-'I' QOTP" [49], Eve cannot mount the existential forgery of ref. [43]. Hence, Eve cannot forge Alice's signature.

3.2 Forgery by the receiver

As a participant in the scheme, the receiver, Bob, may be more powerful than Eve when trying to forge Alice's signature. If he tries to forge the signature $|S\rangle$, he, just like Eve, still has to determine the session key $K'_{AT}$. However, he cannot generate $K'_{AT}$ either, because $K_{AT}$ is unknown to him. Meanwhile, the improved encryption also prevents Bob from mounting an existential forgery [49].


Figure 1 Communications of the AQS scheme.

We should note that, even if Bob holds a message-signature pair $(|P\rangle, |S\rangle = E_{K'_{AT}}(|P\rangle \otimes |ID_A\rangle \otimes |ID_B\rangle \otimes |T\rangle))$ after a message has been signed successfully, he cannot obtain the value of $K'_{AT}$, because: (1) the fundamental principles of quantum mechanics, such as no-cloning and measurement uncertainty, do not permit Bob to deduce the exact encryption operations in the signature $|S\rangle$; (2) the sixteen encryption operations introduced in sect. 2 cannot be discriminated conclusively, according to the analysis in sect. 3.5. Moreover, since the hash value $K'_{AT}$ stays unknown, we do not require the hash function $H(x)$ to be collision-free. Therefore, the security of our scheme depends on the fundamental principles of quantum mechanics rather than on the security of the hash function.

In realistic conditions, two further points about the security of $K'_{AT}$ (or $K'_{BT}$) should be noted. First, the length of $K_{AT}$ (or $K_{BT}$) should be greater than $m$, given the employed hash function $H(x): \{0,1\}^* \to \{0,1\}^m$. This is because, if the length of $K_{AT}$ (or $K_{BT}$) is less than $m$, the number of distinct values of $K'_{AT} = H(K_{AT} \| r_A)$ is at most $2^{|K_{AT}|} < 2^m$, so that the secret key rate is roughly $|K_{AT}|/m < 1$, where $|K_{AT}|$ is the length of $K_{AT}$. Second, $K_{AT}$ (or $K_{BT}$) should be shared afresh once the number of failures in the verifying phase exceeds a predetermined number $C_{max}$. The concrete value of $C_{max}$ depends on various factors, such as the number of signed messages and the expected security level.

3.3 Repudiation by the signer

If Alice and Bob disagree with each other, the arbitrator Trent, trusted by both of them, is required to make a judgment. Suppose Alice repudiates her signature. Bob will hand over the quantum message $|P\rangle$, the corresponding signature $|S\rangle = E_{K'_{AT}}(|P\rangle \otimes |ID_A\rangle \otimes |ID_B\rangle \otimes |T\rangle)$ and $|m_A\rangle$ to Trent. Then Trent can easily detect Alice's cheating by executing step (V7), because $K'_{AT}$ contains Alice's secret information $K_{AT}$.

It is shown below that our scheme can also resist some specific disavowal attacks by Alice proposed in refs. [43,45]:

• Alice's disavowal attack

Gao et al. [43] noted that, in the typical AQS schemes [38,41,42], Alice can repudiate her signature by modifying the signature when Trent returns the message-signature pair to Bob (that is, in transmission (T3) of sect. 1), because the signature is useless for Bob's further verification. However, this attack is clearly avoided in our scheme, because Trent does not return any message-signature pair to Bob and Alice has no chance to do so.

• Fake-photon attack

Sun et al. [45] noted that, in the previous AQS schemes [38,41,42], because of the use of QOTP, the signer Alice can always acquire the receiver Bob's secret key $K_{BT}$ by sending fake photons to Bob, and thus can disavow any of her previously signed signatures. In our scheme, Alice may also attempt this attack in order to obtain Bob's session key $K'_{BT}$. Alice could prepare $2n$ Bell states $|\phi\rangle_{ht} = (|00\rangle + |11\rangle)_{ht}/\sqrt{2}$ in advance, and in step (S6) transmit the quantum message $|Y'_A\rangle = E_{K_{AB}}(|t\rangle \otimes |R_{AB}\rangle) \otimes |m_A\rangle$ instead of $|Y_A\rangle = E_{K_{AB}}(|P\rangle \otimes |S\rangle \otimes |R_{AB}\rangle) \otimes |m_A\rangle$ to Bob, where $|t\rangle$ represents the state of the $2n$ particles labelled $t$ in the states $|\phi\rangle$. Then she intercepts $|Y'_B\rangle = E_{K'_{BT}}(|t\rangle)$ in step (V5) and performs collective measurements on the particles $t$ together with the particles $h$ to infer the encryption operators. However, she cannot achieve this because: (1) in step (V2), Bob compares the state $|t\rangle$ with $|P\rangle \otimes |S\rangle$ and finds that they differ; (2) according to the analysis in sect. 3.5, the sixteen encryption operations cannot be discriminated conclusively, so Alice cannot acquire the session key $K'_{BT}$ even if she passes Bob's verification in step (V2). Hence, our scheme is secure against this attack.

3.4 Repudiation by the receiver

In our scheme, after Trent verifies the validity of the signature, he does not return the message or signature to Bob. Consequently, as analyzed in sect. 1, once the signature passes verification at Trent's site, Bob cannot repudiate his receipt of the signature, because his secret key $K_{BT}$ is contained in $|Y_B\rangle$.
Therefore, the problem that Bob can repudiate his receipt of the signature returned from Trent [42,47] is solved in our scheme. In fact, our scheme can also resist another kind of receiver's disavowal attack, proposed in ref. [46]. Let us discuss this case below.

• Signature-exchange attack

Li et al. [46] noted that, in the previous AQS schemes [38,41,42], different receivers could exchange their messages and the corresponding signatures arbitrarily and thus repudiate accepting signatures on the appointed messages. Suppose both Bob and Charlie ask Alice to sign the quantum messages $|P_B\rangle$ and $|P_C\rangle$ respectively. In step (V4), Bob and Charlie hold two copies of $(|P_B\rangle, |S_B\rangle = E_{K^B_{AT}}(|P_B\rangle \otimes |ID_A\rangle \otimes |ID_B\rangle \otimes |T_B\rangle))$ and $(|P_C\rangle, |S_C\rangle = E_{K^C_{AT}}(|P_C\rangle \otimes |ID_A\rangle \otimes |ID_C\rangle \otimes |T_C\rangle))$ respectively, where $K^B_{AT} = H(K_{AT} \| r^B_A)$ and $K^C_{AT} = H(K_{AT} \| r^C_A)$. Then they trade their quantum messages. Bob will transmit $E_{K'_{BT}}(|P_C\rangle \otimes |S_C\rangle) \otimes |ID_A\rangle \otimes |ID_B\rangle \otimes |T_C\rangle \otimes |r^C_A\rangle \otimes |r_B\rangle$ to Trent for verification. However, in step (V7), after Trent decrypts the signature $|S_C\rangle$, he will find that the recovered $ID_C \neq ID_B$ and announce a failed signature. Therefore, our scheme is secure against this attack.

3.5 Trojan-horse attacks

The Trojan-horse attack, which takes advantage of imperfections of practical quantum apparatus, is one of the common attacks in quantum communication. It is believed to be a serious security threat to previous AQS schemes [47]. Generally, there are two types of Trojan-horse attacks: invisible photon eavesdropping (IPE) [51] and delay-photon eavesdropping [52]. In a quantum protocol, if the same quantum signals are transmitted twice, it could suffer from Trojan-horse attacks. To prevent them, it is necessary to introduce two additional devices, a wavelength filter and a photon number splitter (PNS), into the protocol [47]. By letting the received photons pass through both devices, photons with different wavelengths or delayed photons are removed or detected.

In our protocol, the quantum states $|P\rangle \otimes |S\rangle$ in $|Y_A\rangle$ are transmitted twice (in step (S6) and step (V5)), so it is possible that a malicious Alice applies a Trojan-horse attack to eavesdrop on Bob's session key $K'_{BT}$. Let us take the IPE attack as an example. In step (S6), Alice prepares two entangled systems $|\varphi\rangle_{ht}$ made of invisible photons, and inserts only the photons of system $t$ into the states $|P\rangle \otimes |S\rangle$; then she intercepts $|Y_B\rangle$ in step (V5) and performs collective measurements on system $t$ together with system $h$ to reveal Bob's encryption operations. However, as shown in the following, she cannot achieve this because she cannot discriminate the encryption operations unambiguously. From Theorem 1 in ref. [53], we know that the quantum operations $\xi_1, \cdots, \xi_n$ can be unambiguously discriminated by a single use if and only if for every $i = 1, \cdots, n$, $\mathrm{supp}(\xi_i) \not\subseteq \mathrm{supp}(S_i)$, where $\mathrm{supp}(A)$ represents the support of the operator $A$ and $S_i = \{\xi_j : j \neq i\}$. In our scheme, according to sect. 2, there are sixteen encryption operations $\{\xi_{t_1 t_2 t_3 t_4} = \sigma_x^{t_1}\sigma_z^{t_2}W_{t_3 t_4},\ t_1, t_2, t_3, t_4 \in \{0,1\}\}$. By a simple calculation we get $\xi_{1000} = \frac{I - i\sigma_y}{\sqrt{2}}$, $\xi_{0000} = W_{00} = \frac{\sigma_x + \sigma_z}{\sqrt{2}}$, $\xi_{0010} = W_{10} = \frac{I + i\sigma_x - i\sigma_y + i\sigma_z}{2}$, and find $\xi_{0010} = \frac{\xi_{1000} + i\xi_{0000}}{\sqrt{2}}$, which means

$$\mathrm{supp}(\xi_{0010}) \subseteq \mathrm{supp}\{\xi_{1000}, \xi_{0000}\} \subseteq \mathrm{supp}\{\xi_{t_1 t_2 t_3 t_4} : t_1 t_2 t_3 t_4 \neq 0010\}. \qquad (5)$$

That is to say, the sixteen encryption operations cannot be discriminated unambiguously, so Alice cannot determine the value of $K'_{BT}$ conclusively by Trojan-horse attacks. Therefore, unlike the previous AQS schemes, our AQS scheme is free from the Trojan-horse attack without additional hardware devices.
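The two encryption algorithms of sect. 2 and the linear dependence behind eq. (5), as an added Python example. This is editor's code, not from the paper or from ref. [49]; it represents single-qubit operators as 2×2 complex matrices with no external libraries. It checks that the Pauli set of eq. (1) is orthogonal under the trace inner product, that the Key-Controlled-'I' QOTP of eq. (3) with the Clifford operators of eq. (4) round-trips a constructed 3-qubit product state under a constructed 6-bit key, and that $\xi_{0010} = (\xi_{1000} + i\xi_{0000})/\sqrt{2}$ as stated above. It then goes one step beyond the single identity the paper exhibits: the criterion of ref. [53] as used in sect. 3.5 is applied to the whole 16-operator set by a rank computation, which fails because any more than four 2×2 operators are linearly dependent (so the conclusion does not hinge on that particular triple), while the four Pauli operators alone pass it. The check rules out unambiguous identification of the per-qubit operation from a single use; it says nothing about partial, minimum-error information, which the paper does not claim either.

```python
import itertools
import math

# Single-qubit operators as row-major 4-tuples (a, b, c, d) = [[a, b], [c, d]].
I, X, Y, Z = (1, 0, 0, 1), (0, 1, 1, 0), (0, -1j, 1j, 0), (1, 0, 0, -1)
_S = 1 / math.sqrt(2)

def mul(A, B):
    a, b, c, d = A
    e, f, g, h = B
    return (a * e + b * g, a * f + b * h, c * e + d * g, c * f + d * h)

def add(*ops):
    return tuple(sum(col) for col in zip(*ops))

def scale(s, A):
    return tuple(s * x for x in A)

def dagger(A):
    a, b, c, d = A
    return tuple(complex(x).conjugate() for x in (a, c, b, d))

def apply(A, v):
    """A|v> for a qubit written as its amplitude pair v = (alpha, beta)."""
    return (A[0] * v[0] + A[1] * v[1], A[2] * v[0] + A[3] * v[1])

def dist(A, B):
    return max(abs(x - y) for x, y in zip(A, B))

# Eq. (1): the Pauli QOTP operators U_00, U_01, U_10, U_11.
PAULI_QOTP = {(0, 0): I, (0, 1): X, (1, 0): Z, (1, 1): scale(-1j, Y)}

# Eq. (4): the four Clifford operators of the Key-Controlled-'I' QOTP.
W = {
    (0, 0): scale(_S, add(X, Z)),
    (0, 1): scale(_S, add(Y, Z)),
    (1, 0): scale(0.5, add(I, scale(1j, X), scale(-1j, Y), scale(1j, Z))),
    (1, 1): scale(0.5, add(I, scale(1j, X), scale(1j, Y), scale(1j, Z))),
}

def xi(t1, t2, t3, t4):
    """Per-qubit operator of eq. (3): sigma_x^t1 sigma_z^t2 W_{t3 t4} (W acts first)."""
    op = W[(t3, t4)]
    op = mul(Z, op) if t2 else op
    return mul(X, op) if t1 else op

def all_xi():
    return {t: xi(*t) for t in itertools.product((0, 1), repeat=4)}

def kc_qotp(qubits, key, decrypt=False):
    """Eq. (3) on an n-qubit product state with the 2n-bit key K_1..K_2n
    (key[j-1] holds K_j); decrypt applies the adjoint of each operator."""
    n = len(qubits)
    if len(key) != 2 * n:
        raise ValueError("Key-Controlled-'I' QOTP needs 2n key bits")
    out = []
    for i in range(1, n + 1):
        U = xi(key[2 * i - 1], key[2 * i - 2], key[i - 1], key[2 * n - i])
        out.append(apply(dagger(U) if decrypt else U, qubits[i - 1]))
    return out

def pauli_qotp_is_orthogonal_basis():
    """Tr(U_jk^dagger U_lm) = 2 delta_{jk,lm} for the operators of eq. (1)."""
    ops = list(PAULI_QOTP.values())
    tr = lambda A: A[0] + A[3]
    return all(abs(tr(mul(dagger(U), V)) - (2 if i == j else 0)) < 1e-12
               for i, U in enumerate(ops) for j, V in enumerate(ops))

def all_xi_unitary():
    return all(dist(mul(dagger(U), U), I) < 1e-12 for U in all_xi().values())

def eq5_residual():
    """max |xi_0010 - (xi_1000 + i xi_0000)/sqrt(2)|, the identity behind eq. (5)."""
    return dist(xi(0, 0, 1, 0), scale(_S, add(xi(1, 0, 0, 0), scale(1j, xi(0, 0, 0, 0)))))

def rank(vectors, tol=1e-9):
    """Rank of a list of complex vectors (Gaussian elimination)."""
    rows, r = [list(v) for v in vectors], 0
    for c in range(len(rows[0])):
        piv = next((i for i in range(r, len(rows)) if abs(rows[i][c]) > tol), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        p = rows[r][c]
        rows[r] = [x / p for x in rows[r]]
        for i in range(len(rows)):
            if i != r and abs(rows[i][c]) > tol:
                f = rows[i][c]
                rows[i] = [x - f * y for x, y in zip(rows[i], rows[r])]
        r += 1
    return r

def unambiguously_discriminable(ops):
    """Criterion of Theorem 1 in ref. [53] as used in sect. 3.5: each operator
    must lie outside the linear span of the others (single use)."""
    ops = list(ops)
    return all(rank(ops[:i] + ops[i + 1:] + [U]) > rank(ops[:i] + ops[i + 1:])
               for i, U in enumerate(ops))

def roundtrip_ok():
    """Encrypt a constructed 3-qubit |P> with a constructed 6-bit key, decrypt it,
    and confirm the ciphertext differed and the plaintext came back."""
    qubits = [(1, 0), (_S, _S), (0.6, 0.8j)]
    key = [1, 0, 1, 1, 0, 1]
    ct = kc_qotp(qubits, key)
    pt = kc_qotp(ct, key, decrypt=True)
    return (any(dist(v, w) > 1e-6 for v, w in zip(qubits, ct))
            and all(dist(v, w) < 1e-12 for v, w in zip(qubits, pt)))
```

The rank test is the general form of eq. (5): the sixteen $\xi_{t_1 t_2 t_3 t_4}$ live in the four-dimensional space of 2×2 operators, so the span of any fifteen of them is already the whole space and no single-use unambiguous discrimination exists; the four Pauli operators of eq. (1) are linearly independent and do pass the same test.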


Table 1 Comparison between the proposed AQS scheme and the previous AQS schemes [38,41,42]. Here m represents the number of transmitted qubits of $|ID_A\rangle$, $|ID_B\rangle$, $|T\rangle$, $|r_A\rangle$ and $|r_B\rangle$ in our scheme.

AQS scheme | Quantum resource | Transmitted qubits' quantity | Immune to the attacks of refs. [42–47] | Key is reusable
ref. [38] | GHZ states | 17n + 1 | No | No
ref. [41] | Bell states | 14n + 1 [42] | No | No
ref. [42]'s second scheme | single-particle states | 9n + 2 [42] | No | No
the proposed scheme | single-particle states | 6n + m | Yes | Yes

4 Discussion

Compared with the previous AQS schemes [38,41,42], the proposed scheme has several distinctive features and advantages (see Table 1). First, our scheme only needs to transmit 6n + m qubits, which reduces the transmission complexity to some degree. Second, according to the security analysis in sect. 3, our scheme resists the well-known attacks [42–47] that have rendered the previous AQS schemes insecure. Finally, the keys of the signer and the receiver in our scheme are reusable, by utilizing a general classical hash function together with random numbers.

We also observe that two AQS schemes [35,36], which likewise combine classical hash functions with random numbers to make the users' keys reusable, were proposed recently. However, the proposed scheme differs from them in three main aspects. First of all, just as the previous AQS schemes [38,41,42], our AQS scheme is constructed for signing both classical messages and (unknown) quantum messages, while their schemes are designed for signing only classical messages. Second, the methods for generating each signature are different: the proposed scheme uses a different session key for each signature while their schemes use a constant key. Lastly, our scheme applies the technique of quantum unknown state comparison, which has one-sided errors [42], whereas their schemes do not need it.

However, all the AQS schemes so far, including ours, only provide theoretically feasible models for signing classical or quantum messages. Their practical feasibility could be difficult to achieve because of the imperfections of real apparatus and channels, such as noise and signal loss. In order to overcome these flaws, some important techniques, such as quantum error correction [54] and quantum repeaters [55], might be applicable. Therefore, designing a secure and practical AQS scheme for real-world applications deserves further study in the future.

5 Conclusions

Herein, we first give a solution to the receiver's disavowal attack [42,47] that exists in all the previous AQS schemes. Based on that, we present an AQS scheme without using entangled states, in which the signer's and receiver's secret keys can be reused by employing a cryptographic hash function together with random numbers. It is shown that the presented scheme is secure against various common attacks [42–47]. Compared with previous AQS schemes, the proposed scheme transmits fewer quantum bits.

This work was supported by the National Natural Science Foundation of China (Grant Nos. 61202451 and 61103210), Fujian Province Science and Technology Cooperation Projects (Grant No. 2010H6007), Foundation of Fujian Education Bureau (Grant No. JA12062), Program for Innovative Research Team in Science and Technology in Fujian Province University, and a Key Project of Fujian Provincial Universities-Information Technology Research Based on Mathematics.

1 Shor P W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J Comput, 1997, 26: 1484–1509 2 Grover L K. A fast quantum mechanical algorithm for database search. In: Proceedings of the 28th Annual ACM Symposium on Theory of Computation. New York: ACM Press, 1996. 212–219 3 Gisin N, Ribordy G, Tittel W, et al. Quantum cryptography. Rev Mod Phys, 2002, 74: 145–195 4 Deng F G, Long G L. Controlled order rearrangement encryption for quantum key distribution. Phys Rev A, 2003, 68: 042315 5 Deng F G, Long G L. Bidirectional quantum key distribution protocol with practical faint laser pulses. Phys Rev A, 2004, 70: 012311 6 Hwang W Y. Quantum key distribution with high loss: Toward global secure communication. Phys Rev Lett, 2003, 91: 057901 7 Wang X B. Beating the photon-number-splitting attack in practical quantum cryptography. Phys Rev Lett, 2005, 94: 230503 8 Lo H K, Ma X F, Chen K. Decoy state quantum key distribution. Phys Rev Lett, 2005, 94: 230504 9 Li X H, Deng F G, Zhou H Y. Efficient quantum key distribution over a collective noise channel. Phys Rev A, 2008, 78: 022321 10 Hillery M, Bu˘zek V, Berthiaume A. Quantum secret sharing. Phys Rev A, 1999, 59: 1829–1834 11 Karlsson A, Koashi M, Imoto N. Quantum entanglement for secret sharing and secret splitting. Phys Rev A, 1999, 59: 162–168 12 Hao L, Li J L, Long G L. Eavesdropping in a quantum secret sharing protocol based on Grover algorithm and its solution. Sci China-Phys Mech Astron, 2010, 53: 491–495 13 Xiao L, Long G L, Deng F G, et al. Efficient multiparty quantumsecret-sharing schemes. Phys Rev A, 2004, 69: 052307 14 Long G L, Liu X S. Theoretically efficient high-capacity quantum-keydistribution scheme. Phys Rev A, 2002, 65: 032302 15 Bostrom K, Felbinger T. Deterministic secure direct communication using entanglement. Phys Rev Lett, 2002, 89: 187902 16 Deng F G, Long G L, Liu X S. 
Two-step quantum direct communication protocol using the Einstein-Podolsky-Rosen pair block. Phys Rev A, 2003, 68: 042317 17 Deng F G, Long G L. Secure direct communication with a quantum one-time pad. Phys Rev A, 2004, 69: 052319

Yu C H, et al.

Sci China-Phys Mech Astron


November (2014)


Vol. 57 No. 11

2085


Information for authors

SCIENCE CHINA Physics, Mechanics & Astronomy, a monthly peer-reviewed academic journal cosponsored by the Chinese Academy of Sciences and the National Natural Science Foundation of China, and published by Science China Press and Springer, is committed to publishing high-quality, original results in both basic and applied research.

Categories of articles: Reviews summarize representative results and achievements in a particular topic or area, comment on the current state of research, and advise on research directions. The author’s own opinion and related discussion are requested. Articles report on important original results in all areas of physics, mechanics and astronomy. Letters present short reports in a timely manner of the latest important results. Comments are welcome on a paper or other report or event within the past month or so, or in the near future.

Authors are recommended to use the online submission services. To submit a manuscript, please visit phys.scichina.com, click the button “submission”, and use the ScholarOne System. New users should register an “Author Account” and then submit a manuscript following the guidance. Authors should also submit such accompanying materials as a short statement on the research background and significance of the work, and a brief introduction to the first and corresponding authors including their mailing address, post code, telephone number, fax number, and email address. Authors may suggest several referees (please supply full names, addresses, phone, fax and email), and/or request the exclusion of specific reviewers.

All submissions will be reviewed by referees selected by the editorial board. The decision to accept or reject a manuscript is made by the editorial board based on the referees’ reports. The entire review process may take 30 to 90 days, and the editorial office will inform the author of the decision as soon as the process is completed. If the editorial board fails to make a decision within 90 days, please contact the editorial office.

Authors should guarantee that their submitted manuscript has not been published before, and has not been submitted elsewhere for print or electronic publication consideration. Submission of a manuscript is taken to imply that all the named authors are aware that they are listed as co-authors, and that they have seen and agreed to the submitted version of the paper. No change in the order of listed authors can be made without an agreement signed by all the authors.

A manuscript recommended and peer-reviewed by an associate editor of this journal (please indicate “Recommended by XXX” on the title page) will be sent directly to the editor-in-chief for the acceptance/rejection decision. A paper authored by an associate editor of this journal, who takes responsibility for it (please indicate “Contributed by XXX” on the title page), will be handled in the same way.

Once a manuscript is accepted, the authors should send a copyright transfer form signed by all authors to Science China Press. Authors of each published paper will be presented with one sample copy. If more sample copies and offprints are required, please contact the managing editor and pay the extra fee. The full text in Chinese and in English is freely available to readers in China at phys.scichina.com, and the full text in English is available to overseas readers at link.springer.com.

Ethical responsibilities of authors: Authors should refrain from misrepresenting research results, which could damage trust in the journal and ultimately the entire scientific endeavour, and should follow the COPE guidelines on how to deal with potential acts of misconduct.

Disclosure of potential conflicts of interest: Authors must disclose all relationships or interests that could influence or bias the work. The corresponding author will include a summary statement in the text of the manuscript in a separate section before the reference list.

Subscription information

ISSN print edition: 1674-7348
ISSN electronic edition: 1869-1927
Volume 57 (12 issues) will appear in 2014

Subscription rates
For information on subscription rates please contact:
Customer Service
China: [email protected]
North and South America: [email protected]
Outside North and South America: [email protected]

Orders and inquiries:

China
Science China Press
16 Donghuangchenggen North Street, Beijing 100717, China
Tel: +86 10 64019709 or +86 10 64015835
Fax: +86 10 64016350

North and South America
Springer New York, Inc.
Journal Fulfillment, P.O. Box 2485
Secaucus, NJ 07096 USA
Tel: 1-800-SPRINGER or 1-201-348-4033
Fax: 1-201-348-4505
Email: [email protected]

Outside North and South America
Springer Distribution Center
Customer Service Journals
Haberstr. 7, 69126 Heidelberg, Germany
Tel: +49-6221-345-0, Fax: +49-6221-345-4229
Email: [email protected]

Cancellations must be received by September 30 to take effect at the end of the same year.

Changes of address: Allow for six weeks for all changes to become effective. All communications should include both old and new addresses (with postal codes) and should be accompanied by a mailing label from a recent issue. According to § 4 Sect. 3 of the German Postal Services Data Protection Regulations, if a subscriber’s address changes, the German Federal Post Office can inform the publisher of the new address even if the subscriber has not submitted a formal application for mail to be forwarded. Subscribers not in agreement with this procedure may send a written complaint to Customer Service Journals, Karin Tiks, within 14 days of publication of this issue.

Microform editions are available from: ProQuest. Further information available at http://www.il.proquest.com/uni

Electronic edition
An electronic version is available at link.springer.com

Production
Science China Press
16 Donghuangchenggen North Street, Beijing 100717, China
Tel: +86 10 64019709 or +86 10 64015835
Fax: +86 10 64016350
Printed in the People’s Republic of China
Jointly published by Science China Press and Springer