Batch proxy quantum blind signature scheme - Semantic Scholar

Download PDF
5 downloads 93119 Views 287KB Size Report
Comment
Sep 15, 2011 - quantum cryptography, quantum signature, blind signature, proxy ... Digital signature [1, 2] is an electronic signature that can be used to ..... Laboratory of Advanced Optical Communication Systems and Networks (Grant No.
SCIENCE CHINA Information Sciences

. RESEARCH PAPER .

May 2013, Vol. 56 052115:1–052115:9 doi: 10.1007/s11432-011-4422-5

Batch proxy quantum blind signature scheme SHI JinJing1 ∗ , SHI RongHua1 , GUO Ying1 , PENG XiaoQi2 & TANG Ying3 1School

of Information Science and Engineering, Central South University, Changsha 410083, China; 2Department of Information Science & Engineering, Hunan First Normal University, Changsha 410205, China; 3School of Physics Science and Technology, Central South University, Changsha 410083, China Received June 20, 2011; accepted August 1, 2011; published online September 15, 2011

Abstract Motivated by proxy signature and blind signature for the secure communications, the batch signature is proposed to create a novel quantum cryptosystem. It is based on three-dimensional two-particle-entangled quantum system which is used to distribute the quantum keys and create strings of quantum-trits (qutrits) for messages. All of the messages, which are expected to be signed, are encrypted by the private key of the message owner during communications. Different from the classical blind signature, an authenticity verification of signatures and an arbitrator’s efficient batch proxy signature are simultaneously applied in the present scheme. Analysis of security and efficiency shows that it enables us to achieve a large number of quantum blind signatures for quantities of messages with a high efficiency with the arbitrator’s secure batch proxy blind signature. Keywords

quantum cryptography, quantum signature, blind signature, proxy signature, batch signature

Citation Shi J J, Shi R H, Guo Y, et al. Batch proxy quantum blind signature scheme. Sci China Inf Sci, 2013, 56: 052115(9), doi: 10.1007/s11432-011-4422-5

1

Introduction

Digital signature [1, 2] is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document. It ensures that the original content of the message or document is unchanged. In the classical cryptography, the proxy signature [3], which has characteristics of distinguishability, unforgeability, verifiability, identifiability and undeniableness, allows the signer to specify another one to verify his signature [4]. A blind signature introduced by David Chaum [5], is a form of digital signature in which the content of a message is disguised (blinded) before it is signed. Blind signatures are typically employed in privacy-related protocols where the signer and message author are different participants. Blind signature schemes can be realized by using a number of common public key signing schemes, for instance RSA and DSA, in the classical theory [4–6]. However, those schemes could be easily broken with the emergence of quantum computers. That is why more and more quantum signature schemes are proposed. Currently, Zeng et al. [7–10] introduced a quantum signature scheme based on the classical signature theory and quantum cryptography, whose algorithm is a symmetrical quantum key cryptosystem with ∗ Corresponding

author (email: [email protected])

c Science China Press and Springer-Verlag Berlin Heidelberg 2011 

info.scichina.com

www.springerlink.com

Shi J J, et al.

Sci China Inf Sci

May 2013 Vol. 56 052115:2

Greenberger-Horne-Zeilinger (GHZ) triplet states. Li et al. [11] proposed an arbitrated quantum signature scheme using Bell states. Gottesman and Chuang [12] proposed a quantum digital signature scheme based on quantum one-way function [12], Lee [13] also presented two quantum signature schemes with message recovery, and Shi et al. [14] introduced a multiparty quantum proxy group signature scheme for the entangled-state message with QFT. In 2008, Wen [15] suggested a weak blind signature scheme based on the correlation of EPR (Einstein-Padolsky-Rosen) pairs. Different from classical blind signature schemes and previous quantum signature schemes, the suggested quantum signature scheme could guarantee not only the unconditional security but also the anonymity of the message owner. However, there is a disadvantage of those quantum signature schemes in the actual application for a great number of messages expected to be signed, since they just consider the situation for only one message and always keep the signing-verifying modality. Therefore, the factor of efficiency should be taken into account in this paper. A batch signature, which means a large number of signatures on quantities of messages, is presented in our scheme. It can be carried out efficiently by a fully trusted arbitrator and proxy. In this paper, a batch signature scheme is smartly proposed by combining proxy signature and blind signature to create a novel systemetrical quantum key cryptosystem with two-particle-entangled quantumtrits. A third fully trusted participant Trent (the arbitrator [16] and proxy) is involved. The responsibility of Trent is to verify the legality and authenticity of the trying blind signature, and provide efficient batch proxy blind signatures to Alice as an agent of Bob. The rest of this paper is organized as follows. Section 2 proposes the constructions of the batch proxy quantum blind signature scheme. Security analysis and discussion are made in section 3. Finally, the conclusions are drawn in section 4.

2

Batch proxy quantum blind signature scheme

Assume Bob is a notary, and Alice expects Bob who does not obtain any information about her message to sign on it. Bob does not care what the message is, and he just testifies that he has notated them at some time [4]. The proposed batch proxy blind signature scheme is different from previous quantum signature schemes [8–10]. It is based on three-dimensional two-particle-entangled quantum system [17] expressed as |ϕ = a00 |00 + a01 |01 + a02 |02 + a10 |10 + a11 |11 + a12 |12 + a20 |20 + a21 |21 + a22 |22, (1) 2 where i=0,j=0 |aij |2 = 1. Suppose that Alice and Bob share an entangled pair which corresponds to their shared key Kab , i.e., 1 (|00ab + |01ab + |02ab + |10ab + |11ab + |12ab + |20ab + |21ab + |22ab ). (2) 3 Trent shares an entangled pair each with Alice and Bob respectively which correspond to their shared keys Kac and Kbc and the form is similar to eq. (2). The process of the batch proxy quantum blind signature scheme which is shown in Figure 1 can be briefly described as follows. 1) Alice firstly sends a trying message which is encrypted by her private key to Bob. 2) Bob adds his encrypted personal information to the blinded message and encrypts them by using the shared key [18] with Alice. 3) Bob sends the blinded message obtained in (2) to Alice, and then implements the trying blind signature. 4) Alice receives the trying blind signature and decrypts it by using the shared key with Bob, and then she judges whether the blinded trying message is falsify. 5) Alice and Bob inform the results of signature to the third fully trusted participant Trent who verifies the legality and authenticity of the trying signature. 6) After the verification, Alice sends quantities of messages to Trent. 7) Trent as the agent of Bob signs on quantities of messages with Bob’s personal information and his random checking photons. |ϕab  =

Shi J J, et al.

Figure 1

Sci China Inf Sci

May 2013 Vol. 56 052115:3

The flow chart of batch proxy quantum blind signature scheme.

The proposed algorithm includes four phases, i.e., initial phase, first quantum blind signing (trying quantum blind signature) phase, verification phase, and batch proxy quantum blind signing phase. 2.1

Initial phase

This phase involves generation and distribution of keys [19–21] and the message preparation. Step 1. Generation and distribution of keys. Alice and Bob share key Kab which is employed in the communication between Alice and Bob for encrypting and decrypting. Similarly, the shared key Kac (or Kbc ) is employed in the communication between Alice (or Bob) and the arbitrator Trent. Besides the three shared keys Kab , Kac , Kbc , Alice owns a private key Ka which is used for encrypting the messages to be signed by Bob. Step 2. Message preparation. Alice has quantities of messages (maybe text or image stored in pixels) which are expected to be signed by Bob. Assume that there are m messages {M1 ,M2 ,. . .,Mm }, each of which contains n bits, and they can be described with a matrix, i.e., ⎞ ⎛ ⎞ ⎛ M1 m11 m12 · · · m1j · · · m1n ⎟ ⎜ ⎟ ⎜ ⎜ M2 ⎟ ⎜ m21 m22 · · · m2j · · · m2n ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ . ⎟ ⎜ . .. .. .. ⎟ ⎜ .. ⎟ ⎜ .. . . . ⎟ ⎟ ⎜ ⎟ ⎜ M ⎜ (3) ⎟=⎜ ⎟. ⎜ Mi ⎟ ⎜ mi1 mi2 · · · mij · · · min ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ . ⎟ ⎜ . .. .. .. ⎟ ⎜ .. ⎟ ⎜ .. . . . ⎟ ⎠ ⎝ ⎠ ⎝ Mm mm1 mm2 · · · mmj · · · mmn Each message Mi = (mi1 , mi2 , . . . , mij , . . . , min ) may be randomly chosen as the trying message for the first trying quantum blind signature. 2.2

First quantum blind signing phase

In this phase, Bob adds his encrypted personal information |Pi  to sign on the secret trying message Mi blindly. Step 1. Alice transforms the trying message Mi into a qutrit string |ψMi , and there are n qutrits in this string such as (4) |ψMi  = {|ψi1 , |ψi2 , . . . , |ψij , . . . , |ψin },

Shi J J, et al.

Sci China Inf Sci

May 2013 Vol. 56 052115:4

where |ψij  is a single qutrit in the string |ψMi  which can be expressed as a superposition of the three eigenstates |0, |1, |2, i.e., |ψij  = αi0 |0 + αi1 |1 + αi2 |2, (5) where αi0 , αi1 , αi2 are complex numbers satisfying |αi0 |2 + |αi1 |2 + |αi2 |2 = 1. Step 2. Alice relates her private key Ka = {|Ka1 , |Ka2 , . . . , |Kaj , . . . , |Kan } to a sequence of measurement operators Mka , often referred to as a measurement basis according to [8], which is denoted by (6) Mka = {Mk1a1 , Mk2a2 , . . . , Mkjj , . . . , Mknan }, a

Mkjj a

where the operator is suitably defined to arise from the key |Kaj  for j ∈ {1, 2, . . . , n}. Alice is required to measure the information string of qutrits |ψMi  with Mka , and she gains |Ti  = Mka |ψMi  = {|t1 , |t2 , . . . , |tj , . . . , |tn },

(7)

where |tj  = Mkjj |ψij  denotes the jth qutrit in the string of |Ti . Note the string |Ti  is the blinded state a of the trying message, which can be called the secret (blinded) trying message. Alice sends the yielded state |Ti  to Bob. Step 3. Bob adds his personal information into |Ti  in order to sign on it. Bob creates an n-qutrit string of his own personal information |ψpi  by the same way of step 1, i.e., |ψpi  = {|ψpi1 , |ψpi2 , . . . , |ψpij , . . . , |ψpin }.

(8)

Bob does not expect Alice to understand the content of his personal information (if the dishonest Alice 1 2 , |Kbc , . . . , achieves it, she may forge Bob’s signature); therefore, Bob encrypts |ψpi  with Kbc = {|Kbc j n |Kbc , . . . , |Kbc }. Similarly, |Kbc  corresponds to a sequence of measurement operators Mkbc = {Mk11 , Mk22 , . . . , Mkjj , . . . , Mknn } like eq. (6). Bob entangles Mkbc and |ψpi , then he obtains bc

bc

bc

bc

|Pi  = Mkbc |ψpi  = {|p1 , |p2 , . . . , |pj , . . . , |pn },

(9)

where |pj  = Mkjj |ψpij . Bob provides a quantum blind signature to Mi with Kab , |Ti , and |Pi . Namely, bc

Bob encrypts |Ti  and |Pi  with Kab to obtain

Sb = Kab (|Ti , |Pi ),

(10)

where Sb is a trying blind signature on Mi . Bob sends Sb back to Alice and waits for the verification of the signature. 2.3

Verification phase

In this phase, the arbitrator Trent verifies the legality and authenticity of the trying blind signature Sb with Alice together. Step 1. Alice decrypts Sb with the shared key Kab to obtain |Ti  and |Pi . Then she achieves a string  of qutrits |ψM  after decrypting |Ti  with her private key Ka . i  Step 2. Alice compares |ψM  to |ψMi . A comparing quantum circuit presented in Figure 2 is derived i by generalizing the qubit string comparator introduced in [22] for n quantum states. The comparison    = |ψMi . If |ψM  = |ψMi , it means result is outputted from |O1 , |O2 . Only if |O1 O2  = |00, |ψM i i there is something wrong with the transmitted secret message, or there is some eavesdropper who has intercepted the whole or a part of the trying message, because any measurement may change the quantum   = |ψMi , the trying blind signature is established. So they can go on to states [17]. Otherwise, if |ψM i the next step.

Step 3.

Alice and Bob send |Pi  and |Pi  to the arbitrator Trent respectively.

Shi J J, et al.

Figure 2

Sci China Inf Sci

May 2013 Vol. 56 052115:5

The comparison circuit for quantum states. (a) is the overall structure of quantum comparison circuit. The

quantum states are inputted from left, and the comparison result is outputted from |01, |02. (b) is a processing unit of (a).

Step 4. Trent certifies whether the signature is authentic by comparing |Pi  to |Pi , and the method is the same as that in step 2. If |Pi  = |Pi , Trent obtains |ψp i  and |ψpi  by decrypting |Pi  and |Pi  with Kbc separately. After that, he compares |ψp i  to |ψpi . Besides the conditions described above, if |ψp i  = |ψpi , the trying blind signature is considered to be successful. Otherwise, this communication is void. 2.4

Batch proxy quantum blind signing phase

In this phase, Trent as an agent of Bob signs on m − 1 messages {M1 , M2 , . . . , Mτ , . . . , Mm : τ = i} from Alice. Step 1. As the same as the first quantum blind signature, Alice transforms the remaining {Mτ : 1  τ  m, τ = i} into several quantum strings {|ψMτ  : 1  τ  m, τ = i}. Then she measures them with the measurement operator sequence Mka (described in eq. (6)) to derive |Tτ  = Mka |ψMτ  = {|tτ 1 , |tτ 2 , . . . , |tτ j , . . . , |tτ n },

(11)

where |tτ j  = Mkjj |ψτ j  denotes the jth qutrit in the quantum string of |Tτ . a

Step 2. Alice sends the remaining m − 1 strings of qutrits {|Tτ  : τ = i} for the m − 1 secret messages to Trent successively and waits for the signatures from Bob’s agent Trent. Step 3. Trent randomly adds one single-qutrit |pτc  which stands for the checking photon to the state |Pi  in order to enhance the security, where τ |pτc  = Mkrbc r |ψc .

(12)

|ψcτ  is formed as eq. (5), and r is a random number chosen from (1, 2, . . . , n). The combined string of |Pi  and |pτc  is presented as follows: τ |PBT  = {|Pi , |pτc } = {|p1 , |p2 , . . . , |pj , . . . , |pn , |pτc }.

(13)

Shi J J, et al.

Sci China Inf Sci

May 2013 Vol. 56 052115:6

τ Then Trent uses different |PBT  randomly to sign on Alice’s messages {Mτ : τ = i}.

Step 4.

τ  : τ = i}, i.e., Trent provides batch proxy quantum blind signatures with Kac , |Tτ  and {|PBT τ STτ = Kac (|Tτ , |PBT ).

(14)

Trent sends {STτ : τ = i} back to Alice. τ

Step 5. After Alice receives STτ , she decrypts them with Kac and obtains (|Tτ , |P  BT ). Then she   decrypts |Tτ  with Ka to get |ψM . Because Trent is the third fully trusted arbitrator, and the proxy τ signatures have contained his checking photons and Bob’s correct personal information, the validity of the proxy signatures can be guaranteed. Moreover, Alice may randomly authenticate the signature by τ  . checking whether |P  BT  = |Pi  (obtained in step 1 of the verification phase) and |ψMτ  = |ψM τ

3 3.1

Security analysis and discussion Impossibility of forgery

If the malicious receiver Ealice wants to forge the signature of Bob, she may not succeed because of lacking Bob’s personal information |Pi  encrypted by Kbc and the shared key Kbc . Moreover, the m − 1 proxy signatures can be generated only if the first trying signature has been considered legitimate by Trent. When Ealice wants to forge the proxy signature of the agent Trent, she may not succeed without Bob’s personal information |Pi , Trent’s checking photon |pτc  or Trent’s and Alice’s shared key Kac either. Suppose Ealice is clever enough and she can forge a quantum string |Ps  of Bob’s personal information, and the following steps are all imitated by her successfully. However, any error on the quantum state can be detected when the arbitrator Trent compares |Ps  to |Pi  in the verification phase, and then this communication is void. Suppose the attacker Eve wants to entangle her quantum states with the quantum string of a message by some quantum operations [23] in order to obtain some information about the signature. The quantum string of the message transmitted in the channel has been encrypted by Alice’s private key, and the entangled system between Eve and the message (introduced in eq. (5)) can be expressed as Ka Ka a |Ξi ae = αK i0 |0|ηx  + αi1 |1|ηy  + αi2 |2|ηz .

(15)

Eq. (15) denotes the entangled situation for one qutrit of the quantum string. Because Eve may prepare binary qubits |ηx , |ηy , |ηz  ∈ {|0, |1} as usual, the possible states that she can gain are {|00, |01, |10, |11}; however, the states {|02, |20, |12, |21, |22} may never be derived by Eve for the qutrit system. Therefore, the probability of detecting Eve is 5/9. If Eve is extremely fortunate to escape the detection, and she sends her message to Bob. Bob also provides his signature without knowing the content of the message. But she cannot obtain any information from that signature for lack of the shared key Kab and Alice’s private key Ka . Moreover, the arbitrator Trent may suspect Eve’s identification in the verification phase because she cannot provide |Pi . Consequently, neither the malicious receiver nor the attacker can succeed in forging the signature. 3.2

Impossibility of disavowal by the signatory and the receiver

Actually, since Bob has added his personal information to the trying message, the arbitrator Trent can judge whether the signature is authentic or not. Once it is proven to be authentic by the arbitrator Trent, Bob’s personal information stands for a register of him. Then signing on the remaining m − 1 messages is the responsibility of the arbitrator and proxy Trent who makes use of the combination of his checking photons and Bob’s personal information. If Bob disavows it, he should be discovered by Trent immediately. Moreover, in this scheme, as long as Bob has signed on the trying message, which has been proven to be authentic by Trent, the mechanism of proxy signature makes Bob have no chance to disavow the remaining m − 1 signatures. Therefore, the signatory Bob is unable to disavow the signature.

Shi J J, et al.

Sci China Inf Sci

May 2013 Vol. 56 052115:7

In the verification phase, Alice obtains Sb and decrypts it with Kab to get |Ti  and |Pi . After decrypt ing |Ti  with Ka , she can authenticate the secret message by identifying whether |ψM  = |ψMi . |Pi  is i not always the correct personal information of Bob, but after Trent’s authentication he informs Alice and   = |ψMi , |Pi  = |Pi , |ψp i  = |ψpi . Bob that this trying blind signature is authentic if and only if |ψM i Otherwise, the trying signature is considered to be incredible and the process of generating signatures should be quited at once. It means neither Alice nor Bob can deny the signature. 3.3

Security of batch proxy blind signature

It is noteworthy that all the messages in communications are encrypted by Alice’s private key Ka , whether for the trying signature or m − 1 batch proxy signatures. Moreover, in the batch proxy quantum blind τ  which Trent employs to sign on the remaining m − 1 messages is the combination signing phase, |PBT of Bob’s personal information and Trent’s checking photons. For a different message there is a different combination, thus greatly increasing the randomness and uncertainty [24]. Assume that an attacker Eve wants to obtain some information about the signature by quantum operations. The probability of detecting Eve who utilizes the entanglement attack on the message is discussed in subsection 3.1. The entanglement attack on shared keys can be analyzed as follows. The general entangled system between Eve and the shared key (introduced in eq. (1)) can be expressed as |Ξi abe =

2 2

aij |ijab |ηij e .

(16)

i=0 j=0

Eve may execute some quantum operations to reduce the probability of being detected, and assume she sets a CNOT gate Cbe on this entangled system to derive the state: Cbe |Ξi abe =

2 2 i=0 j=0,j=1

aij |ijab |ηij e +

2

aij |ijab |ηij ⊕ 1e .

(17)

i=0 j=1

In order to reduce the probability of unwanted states below a tolerable threshold , she should choose the proper states {|ηij , 0  i  2, 0  j  2} such that a201 (η01 |η01 ) + a211 (η11 |η11 ) + a221 (η21 |η21 )  1 − .

(18)

Thus the probability of Eve obtaining the correct states can be calculated as Pc = a201 (η01 |η01 ) + a211 (η11 |η11 ) + a221 (η21 |η21 ).

(19)

Under this condition, the mutual information between Eve and the shared key can be calculated as I(E, |ϕ) = 1 − H(Pc ),

(20)

where H(x) is the Shannon binary entropy, i.e., H(x) = x log x − (1 − x) log(1 − x). To obtain the maximum information on the shared key, the tolerable threshold  should approach to 1/2. Thus, the probability of detecting Eve is 1/2, which may be large enough for Eve to be detected by Trent. In addition, Eve may try to attack Trent’s random checking photons, and the probability for her successful speculation should be 1/3 because of the trinary quantum information. Then the probability of detecting Eve is 2/3. Moreover, the checking photon is randomly inserted into the quantum string of the message; thus the probability of successfully obtaining the order of the checking photon is 1/(n + 1), which is also very difficult for Eve to achieve. All the strings of qutrits for messages mentioned previously have three eigenstates, so it makes attackers more difficult to succeed. According to eq. (5), the von Neumann binary entropy [17] is calculated as H(ρψij ) = −tr(ρψij log2 ρψij ),

(21)

ρψij = |αi0 |2 |00| + |αi1 |2 |11| + |αi2 |2 |22|.

(22)

where

Shi J J, et al.

Sci China Inf Sci

May 2013 Vol. 56 052115:8

√ Taking |αi0 | = |αi1 | = |αi2 | = 1/ 3, the maximum von Neumann binary entropy is H(ρψij ) = log2 3 = 1.58 (bit), which stands for the degree of uncertainty. It implies that even if the attacker obtains one or some parts of qutrits, the original state cannot be completely achieved. Therefore it has more advantages of resisting attacks than the binary quantum information. 3.4

Efficiency of batch proxy quantum blind signature scheme

The previous quantum signature schemes, for instance the Zeng’s signature scheme [8], concern only one message to be signed. We prove that batch quantum blind signatures can be achieved by analyzing the signing efficiency, while there are a large number of messages. We denote the previous Zeng’s scheme by ‘Z’ with efficiency EZ , and denote the proposed scheme by ‘O’ with efficiency EO . Assume there are m n-qutrit messages to be signed. The time for sending and receiving per qutrit is ts , for signing on each message is tsg , and for verifying each signature is tv . In Z, since each message needs to be sent, signed, sent back and verified, the total time for that process is tZ = 2mnts + mtsg + mtv .

(23)

In O, besides sending, signing and sending back, only the first trying message needs to be verified. Some of the remaining m − 1 messages will be randomly chosen to be verified merely. Assume that the number of randomly verifying is ε, where ε  m − 1. Then the total time for that process is tO = (2nts + tv + tsg ) + [2(m − 1)nts + (m − 1)tsg + εtv ] = 2mnts + mtsg + (ε + 1)tv .

(24)

Here tZ − tO = (m − ε − 1)tv and ε  m − 1 such that (tZ − tO ) → (m − 1)tv . When m → ∞, tZ tO , and hence EZ  EO , where EZ = 1/tz , EO = 1/to . Namely, we can reach the conclusion that the more the messages (m is larger), the higher the efficiency.

4

Conclusions

A secure batch proxy quantum blind signature scheme is proposed with two-particle entangled quantumtrits, which is a new combination of cryptosystem of blind signature and proxy signature. During the communications, the trying message and the remaining m − 1 messages are all encrypted by the private key of Alice, and thus no one can tamper the content. Moreover, the verification of trying signature and partial verifications of the arbitrator’s proxy signatures are implemented in this scheme. The security analysis and discussion show that a large number of blind signatures for quantities of messages can be achieved efficiently with security.

Acknowledgements This work was supported by National Natural Science Foundation of China (Grant No. 60902044), State Key Laboratory of Advanced Optical Communication Systems and Networks (Grant No. 2008SH01), Hunan Provincial Innovation Foundation for Postgraduate, State Scholarship Fund Organized by China Scholarship Council, Excellent Doctoral Dissertation Fund of Central South University, World Class University R32-2009-000-20014-0 (Fundamental Research 2010-0020942NRF, Korea), and Brain Korea 21 Project (the second stage, Korea).

References 1 William S. Cryptography and Network Security: Principles and Practice. 2nd ed. New Jersey: Prentice Hall, 2003. 67–68 2 Cao Z J, Liu M L. Classification of signature-only signature models. Sci China Ser F-Inf Sci, 2008, 51: 1083–1095 3 Lu R X, Dong X L, Cao Z F. Designing efficient proxy signature schemes for mobile communication. Sci China Ser F-Inf Sci, 2008, 51: 183–195 4 Schneier B. Applied Cryptography: Protocols, Algorithms, and Source Code in C. 2nd ed. New York: John Wiley and Sons, 1996. 79–80

Shi J J, et al.

Sci China Inf Sci

May 2013 Vol. 56 052115:9

5 Chaum D, Heyst E V. Group signatures, advances in cryptography-EUROCRYPT’91. Lect Notes Comput Sci, 1991, 547: 257–265 6 Fan C I, Lei C L. Efficient blind signature scheme based on quadratic residues. Electron Lett, 1996, 32: 811–813 7 Zeng G H, Ma W P, Wang X M, et al. Signature scheme based on quantum cryptography (in Chinese). Acta Electron Sin, 2001, 29: 1098–1100 8 Zeng G H, Keitel C H. Arbitrated quantum-signature scheme. Phys Rev A, 2002, 65: 1–6 9 Curty M, L¨ utkenhaus N. Comment on “Arbitrated quantum-signature scheme”. Phys Rev A, 2008, 77: 1–4 10 Zeng G H. Reply to “Comment on ‘Arbitrated quantum-signature scheme’”. Phys Rev A, 2008, 78: 1–5 11 Li Q, Chan W H, Long D Y. Arbitrated quantum signature scheme using Bell states. Phys Rev A, 2009, 79: 1–4 12 Gottesman D, Chuang L I. Quantum digital signatures. arXiv:quant-ph/0105032v2, 2001 13 Lee H, Hong C, Kim H, et al. Arbitrated quantum signature scheme with message recovery. Phys Lett A, 2004, 321: 295–300 14 Shi J J, Shi R H, Tang Y, et al. A multiparty quantum proxy group signature scheme for the entangled-state message with quantum Fourier transform. Quantum Inf Process, 2011, doi: 10.1007/s11128-010-0225-7 15 Wen X J, Niu X M, Ji L P, et al. A weak blind signature scheme based on quantum cryptography. Optics Commun, 2009, 282: 666–669 16 Meijer H, Akl S. Digital signature schemes. Advance in Cryptography, Proceedings of Crypto’81. Berlin: SpringerVerlag, 1981. 65–76 17 Nielsen M A, Chuang I L. Quantum Computation and Quantum Information. Cambridge: Cambridge University Press, 2000. 171–607 18 He G Q, Zhu J, Zeng G H. Quantum secure communication using continuous variable Einstein-Podolsky-Rosen correlations. Phys Rev A, 2006, 73: 1–7 19 Bennett C H, Bessette F, Brassard G, et al. Experimental quantum cryptography. J Cryptology, 1992, 5: 3–28 20 Buttler W T, Hughes R J, Kwiat P G, et al. Free-space quantum-key distribution. Phys Rev A, 1998, 57: 2379–2382 21 Shor P W, Preskill J. Simple proof of security of the BB84 quantum key distribution protocol. Phys Rev Lett, 2000, 85: 441–444 22 Oliveira D S, Ramos R V. Quantum bit string comparator: circuits and applications. Quantum Comput Comput, 2007, 7: 17–26 23 Guo Y, Zeng G H, Chen Z G. Multiparty quantum secret sharing of quantum states with quantum registers. Chin Phys Lett, 2007, 24: 863–866 24 Li F G, Shirase M, Takagi T. Cryptanalysis of efficient proxy signature schemes for mobile communication. Sci China Inf Sci, 2010, 53: 2016–2021