Quantum Inf Process (2013) 12:2655–2669 DOI 10.1007/s11128-013-0554-4

Improving the security of arbitrated quantum signature against the forgery attack

Ke-Jia Zhang · Wei-Wei Zhang · Dan Li

Received: 14 August 2012 / Accepted: 22 February 2013 / Published online: 7 March 2013 © Springer Science+Business Media New York 2013

Abstract As a feasible model for signing quantum messages, arbitrated quantum signature (AQS), together with its cryptanalysis and improvement, has received a great deal of attention in recent years. However, in this paper we find that the previous improvement is not suitably implemented in some typical AQS protocols, in the sense that the receiver, Bob, can forge a valid signature under a known message attack. We describe the forgery strategy and present some corresponding improved strategies to withstand the forgery attack by modifying the encryption algorithm, an important part of AQS. These works preserve the merits of AQS and lead to some potential improvements of security in quantum signature or other cryptographic problems.

Keywords Arbitrated quantum signature · Forgery · Improvement

K.-J. Zhang (B) · W.-W. Zhang · D. Li
State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
e-mail: [email protected]

K.-J. Zhang
State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China

1 Introduction

Cryptography is the approach to protecting data secrecy in a public environment. As we know, the security of most classical cryptosystems rests on assumptions of computational complexity. However, most of them might be broken with the development of quantum computation [1,2]. It has been proved that some defects of modern cryptography can be overcome by quantum characteristics [3]. Therefore, quite a few branches of quantum cryptography have been pointed out, including quantum key distribution (QKD) [4–8], quantum secret sharing (QSS) [9–11], quantum secure direct communication (QSDC) [12–14] and so on.

Digital signature, as an important branch of cryptography, has been widely used in e-payment systems, grid computing, mobile agents, mobile communications, etc. In order to protect signatures from attacks based on quantum computation, quantum signature has been studied in recent years [15–22]. In 2002, Zeng and Keitel first proposed an arbitrated quantum signature (AQS) protocol [18]. This work gave an elementary model to sign a quantum message, which overcomes Barnum et al.'s limit [17] and is feasible in theory. In 2009, Li et al. presented a Bell-states-based AQS protocol, which simplified the ZK protocol by replacing Greenberger–Horne–Zeilinger (GHZ) states with Bell states as the carrier [19]. Then, Zou et al. further simplified this protocol by achieving AQS without entangled states [20]. Both of them still preserve the merits of AQS. However, Gao et al. pointed out in Ref. [21] that all the AQS protocols above have security problems: the receiver, Bob, can achieve existential forgery of the signature under a known message attack, and the sender, Alice, can successfully disavow any of her signatures by a simple attack. Recently, Choi et al. found that Bob's forgery can be prevented by modifying the encryption, an important part of AQS, and provided a novel encryption algorithm to achieve this [22]. With Choi et al.'s improvement, Bob cannot apply a forgery operation to both the message and the signature and still pass the arbitrator's verification when a dispute appears.

Generally, a question arises: how to analyze the security of a quantum cryptographic protocol, especially one for quantum signature. Firstly, we introduce three conditions which should be satisfied by a secure signature protocol. Here a signer Alice, a receiver Bob and a trusted arbitrator Trent are involved.

1. Verifiability: the designated verifier, Bob, is able to verify the validity of a signature after receiving it from Alice. In addition, the arbitrator Trent can also verify the signature when there exists a dispute between Alice and Bob.
2. Unforgeability: nobody can generate a valid signature except for the legal signer Alice (note that the trusted arbitrator Trent is also able to generate a valid signature in some cases).
3. Undeniability: after the signer, Alice, signs the signature, she cannot deny it later.

As we know, AQS is the only model which can overcome Barnum et al.'s limit [17] until now; hence its security analysis is significant to the further study of quantum signature. From the previous results on AQS (presented above), all the present protocols satisfy verifiability. In view of this, the security of AQS comes down to unforgeability and undeniability. As noted above, Gao et al. [21] and Choi et al. [22] respectively proposed some important results on the unforgeability of AQS. Similarly to their analysis, our research is still focused on the forgery attack. In this paper, we describe an attack strategy which can be used by Bob to forge the signature successfully. With this method, it can be seen that some improvement ideas are still susceptible to the receiver's forgery attack. In order to prevent it, some potential improved methods are provided. With our improved ideas, Bob cannot successfully forge Alice's signature as he needs. Furthermore, we also discuss other security requirements, including undeniability, under the new improved methods.


The rest of this paper is organized as follows. In Sect. 2, we describe the elementary model of AQS. Here we take Zou et al.'s protocol [20] as an example instead of introducing all AQS protocols. In Sect. 3, some security analyses of the present AQS protocols are introduced, including Gao et al.'s cryptanalysis of the forgery attack [21] and Choi et al.'s improvement [22]. Furthermore, we point out that Bob's forgery attack can still be achieved against Choi et al.'s improved idea. Section 4 gives some potential improvements of AQS to recover the security against Bob's forgery, and some discussions are provided in Sect. 5. Finally our conclusion is given.

2 The elementary model of AQS

In this section, we briefly describe the elementary model of AQS. Here we introduce Zou et al.'s protocol [20] as our example for the security analysis, because the protocol and the attack strategies are similar to those in Refs. [18] and [19], respectively. It includes three phases: initializing phase, signing phase and verifying phase. The procedure of the protocol is as follows.

2.1 Initializing phase

The initializing phase is carried out before signing, as follows:

(I1) Alice shares secret key strings with Bob and with Trent, denoted $K_{AB}$ and $K_{AT}$, respectively. The key string $K_{BT}$ is shared between Bob and Trent. All of these are obtained by some practical quantum key distribution (QKD) technique [4–8].
(I2) The encryption algorithm used in Zou et al.'s protocol is the quantum one-time pad (QOTP) [23].

2.2 Signing phase

(S1) Alice has three copies of the quantum message $|P\rangle = \bigotimes_{i=1}^{n} |P_i\rangle$ to be signed. Here she selects a random number $r$ and encrypts each copy into $|P'\rangle$.
(S2) Using the keys $K_{AT}$ and $K_{AB}$, Alice performs the encryptions $|R_{AB}\rangle = E_{K_{AB}}|P'\rangle$, $|S\rangle = E_{K_{AT}}|P'\rangle$ and $|S_{AB}\rangle = E_{K_{AB}}(|P'\rangle \otimes |S\rangle \otimes |R_{AB}\rangle)$. Then she sends $|S_{AB}\rangle$ to Bob.

2.3 Verifying phase

In the verifying phase, the receiver Bob and the arbitrator Trent work together to verify the signature.

(V1) Bob decrypts $|S_{AB}\rangle$ and sends

$$|Y_B\rangle = E_{K_{BT}}(|P'\rangle \otimes |S\rangle) \qquad (1)$$

to Trent.


(V2) Trent decrypts the received ciphertext with $K_{BT}$ and verifies whether $|S\rangle = E_{K_{AT}}|P'\rangle$ according to $K_{AT}$. If it holds, he publishes $R_T = 1$ and sends $|Y_B\rangle$ (note that the compared states can be recovered after the comparison if they are indeed equal) back to Bob; otherwise he publishes $R_T = 0$ and stops the protocol.
(V3) Bob decrypts $|Y_B\rangle$ and verifies whether $|R_{AB}\rangle = E_{K_{AB}}|P'\rangle$. If the equation holds, he publishes $R_B = 1$; otherwise $R_B = 0$.
(V4) When $R_T = R_B = 1$, Bob accepts Alice's signature. In this case Alice publishes $r$ and Bob recovers $|P\rangle$ from $|P'\rangle$. Finally, Bob stores $(|P\rangle, |S\rangle, r)$ as the signed message.

3 The security analysis of AQS on the forgery attack

Above we have introduced the elementary model of AQS with the example of Zou et al.'s protocol. In this section, we first introduce some previous security analyses of AQS, including Gao et al.'s cryptanalysis of the forgery attack [21] and Choi et al.'s improvement to recover the security against Bob's forgery of the signature [22]. Then we analyze the security of Choi et al.'s improvement in detail, where we find that Bob can still forge Alice's signature successfully.

3.1 Gao et al.'s cryptanalysis

In order to analyze the security of AQS, we review Gao et al.'s cryptanalysis of the forgery attack here. From Ref. [21], it is not difficult to imagine the dispute situation: Bob says that Alice signed a message $|P\rangle$ for him, but Alice announces that she did not sign such a message for Bob (perhaps she indeed signed a message for Bob before, but it was not $|P\rangle$). In this case Trent requires Bob to provide the message $|P\rangle$, the random number $r$ and Alice's corresponding signature $|S\rangle$, and then verifies whether $|S\rangle = E_{K_{AT}}|P'\rangle$. If the comparison result is negative, Trent believes the signature was forged by Bob.
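The protocol flow (I1)–(V4) above, together with the dispute check Trent performs as just described, as an added Python simulation that is not part of the paper. It assumes a product-state message held as per-qubit pairs of complex amplitudes, omits the random number $r$ (whose effect Sect. 3.1 says can be neglected), replaces the QKD-derived keys of (I1) with seeded pseudo-random bits, reuses the first $2n$ bits of $K_{AB}$ for $|R_{AB}\rangle$, and idealises Trent's state comparison as equality up to a global phase; the function and variable names are the example's own.

```python
"""Classical simulation of the AQS model of Sect. 2 with a Pauli quantum one-time
pad.  Added illustration, not the paper's code.  Assumed simplifications: the
message is a product of n single-qubit states (2-component complex vectors); the
random number r of (S1) is omitted; QKD keys are seeded pseudo-random bits; the
first 2n bits of K_AB also pad |R_AB>; state comparison is exact up to phase."""
import cmath
import random

SX = ((0, 1), (1, 0))      # Pauli sigma_x, row-major 2x2 tuple
SZ = ((1, 0), (0, -1))     # Pauli sigma_z

def apply(m, v):
    """Apply a 2x2 matrix m to the state vector v = (a, b)."""
    return (m[0][0] * v[0] + m[0][1] * v[1], m[1][0] * v[0] + m[1][1] * v[1])

def qotp_encrypt(key, qubits):
    """QOTP of Eqs. (8)/(17): qubit i gets sigma_x^{k_2i} sigma_z^{k_2i-1}."""
    out = []
    for i, v in enumerate(qubits):
        kz, kx = key[2 * i], key[2 * i + 1]   # k_{2i-1}, k_{2i}, 0-based
        if kz:
            v = apply(SZ, v)
        if kx:
            v = apply(SX, v)
        out.append(v)
    return out

def qotp_decrypt(key, qubits):
    """Undo the pad: (sigma_x^a sigma_z^b)^dagger = sigma_z^b sigma_x^a."""
    out = []
    for i, v in enumerate(qubits):
        kz, kx = key[2 * i], key[2 * i + 1]
        if kx:
            v = apply(SX, v)
        if kz:
            v = apply(SZ, v)
        out.append(v)
    return out

def same_state(a, b, tol=1e-9):
    """Normalised states are equal up to a global phase iff |<a|b>| = 1."""
    ip = a[0].conjugate() * b[0] + a[1].conjugate() * b[1]
    return abs(abs(ip) - 1) < tol

def same_register(xs, ys):
    return len(xs) == len(ys) and all(same_state(x, y) for x, y in zip(xs, ys))

def random_qubit(rng):
    """Constructed sample input: a random normalised single-qubit state."""
    theta, phi = rng.uniform(0, cmath.pi), rng.uniform(0, 2 * cmath.pi)
    return (cmath.cos(theta / 2), cmath.exp(1j * phi) * cmath.sin(theta / 2))

def orthogonal(v):
    """A state orthogonal to v, used to build a message that differs from |P>."""
    return (-v[1].conjugate(), v[0].conjugate())

def run_aqs(n, seed=0):
    """Run (I1)-(V4) on an n-qubit message.  Returns (R_T, R_B, stored, K_AT);
    stored is Bob's (|P>, |S>) record, or None if the signature was rejected."""
    rng = random.Random(seed)
    k_at = [rng.randrange(2) for _ in range(2 * n)]   # (I1) pads n qubits
    k_ab = [rng.randrange(2) for _ in range(6 * n)]   # pads the 3n qubits of |S_AB>
    k_bt = [rng.randrange(2) for _ in range(4 * n)]   # pads the 2n qubits of |Y_B>
    msg = [random_qubit(rng) for _ in range(n)]       # |P>
    # (S2) |R_AB> = E_KAB|P>, |S> = E_KAT|P>, |S_AB> = E_KAB(|P> |S> |R_AB>)
    r_ab = qotp_encrypt(k_ab[:2 * n], msg)
    sig = qotp_encrypt(k_at, msg)
    s_ab = qotp_encrypt(k_ab, msg + sig + r_ab)
    # (V1) Bob decrypts |S_AB> and forwards |Y_B> = E_KBT(|P> |S>) to Trent.
    dec = qotp_decrypt(k_ab, s_ab)
    p_b, s_b, r_ab_b = dec[:n], dec[n:2 * n], dec[2 * n:]
    y_b = qotp_encrypt(k_bt, p_b + s_b)
    # (V2) Trent decrypts with K_BT, checks |S> = E_KAT|P>, publishes R_T.
    y_t = qotp_decrypt(k_bt, y_b)
    r_t = int(same_register(y_t[n:], qotp_encrypt(k_at, y_t[:n])))
    # (V3) Bob checks |R_AB> = E_KAB|P> and publishes R_B.
    r_b = int(same_register(r_ab_b, qotp_encrypt(k_ab[:2 * n], p_b)))
    # (V4) accept and store (|P>, |S>) only when R_T = R_B = 1.
    stored = (p_b, s_b) if r_t == r_b == 1 else None
    return r_t, r_b, stored, k_at

def trent_dispute_check(k_at, claimed_msg, claimed_sig):
    """Dispute resolution of Sect. 3.1: Trent recomputes E_KAT|P> from the message
    Bob presents and compares it with the signature Bob presents."""
    return same_register(claimed_sig, qotp_encrypt(k_at, claimed_msg))

if __name__ == "__main__":
    r_t, r_b, (p, s), k_at = run_aqs(4, seed=1)
    print("R_T =", r_t, "R_B =", r_b)
    print("stored record accepted by Trent:", trent_dispute_check(k_at, p, s))
    altered = [orthogonal(p[0])] + p[1:]          # message changed in one qubit
    print("altered message with same signature:", trent_dispute_check(k_at, altered, s))
```

Running the module shows $R_T = R_B = 1$ for an honestly signed message, the stored $(|P\rangle, |S\rangle)$ record passing Trent's recomputation, and a message altered in one qubit failing it. The forgery question of Sect. 3 is precisely whether Bob can alter $|P\rangle$ and $|S\rangle$ together so that this last check still passes.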
From this point of view, Bob's successful forgery means that he is able to select an attack strategy which gives a valid counterfeit of Alice's signature in his favor without being detected by Trent. Gao et al. have verified that the random number $r$ contributes nothing to preventing Bob's forgery, so hereafter the effect of $r$ can be neglected [21]. In this light, we simplify their cryptanalysis as follows.

(F1) For the previous AQS protocols [18–20], the signature is determined by the Pauli encryption operators according to the shared key $K$. As described in Ref. [21], all the Pauli operators satisfy the following commutation property (distinct Pauli operators anticommute): for any Pauli operators $P_i, P_j$ $(i, j = 0, 1, 2)$,

$$P_i P_j = -P_j P_i \ (i \neq j), \qquad P_i P_i = I, \qquad (2)$$

where $P_0 = \sigma_x$, $P_1 = \sigma_y$ and $P_2 = \sigma_z$.

(F2) Based on the conclusion above, let us look at the security of the previous AQS protocols. Without loss of generality, we denote a counterfeit message and signature pair by $(|P_B\rangle, |S_B\rangle)$. In order to achieve a successful forgery attack, the key point is whether the pair of qubit sequences $(|P_B\rangle, |S_B\rangle)$ satisfies the relation

$$|S_B\rangle = E_{K_{AT}}|P_B\rangle. \qquad (3)$$

If the result is positive, he can forge the signature and pass Trent's verification. With the above analysis of Pauli operations, it is shown that after Bob receives $\{|P_i\rangle, |S(P_i)\rangle\}$ from Alice, he can apply any Pauli operator $U_i$ to both $|P_i\rangle$ and $|S(P_i)\rangle$ and obtain $|P_{Bi}\rangle = U_i|P_i\rangle$, $|S_B(P_i)\rangle = U_i|S(P_i)\rangle$. Here the total forgery operation is $U = \bigotimes_{i=1}^{n} U_i$ with the bitwise encryption, and the forged signature and message can be described as $|S_B\rangle = \bigotimes_{i=1}^{n}|S_B(P_i)\rangle$, $|P_B\rangle = \bigotimes_{i=1}^{n}|P_{Bi}\rangle$. In fact, as the receiver of Alice's signature, Bob indeed possesses Alice's valid signature of a certain message. Therefore, he has the advantage of performing a known message attack. Gao et al. also verified that if Alice signs a classical message in the AQS model, Bob can forge Alice's signature on any classical message he wants.

3.2 Choi et al.'s improvement

As shown above, Gao et al.'s conclusion created a serious obstacle for AQS. Fortunately, Choi et al. provided a novel method to recover the security against Bob's forgery for all the previous AQS protocols [18–20] in Ref. [22]. Here we simplify their idea as follows. In Ref. [22], Choi et al. added an assistant unitary operation $H$ to the initial encryption (QOTP), where $H = \tfrac{1}{2}(I + i\sigma_x - i\sigma_y + i\sigma_z)$. They inserted $H$ before the Pauli encryption operation, i.e., the total encryption became

$$U_{Te} = P H, \qquad (4)$$

where $P$ is the secret Pauli operator for a one-time encryption. In contrast to the QOTP used in previous AQS protocols, the encryption operators become $H, \sigma_x H, \sigma_y H$ and $\sigma_z H$ (hereafter we neglect the effect of the constant in front of the operation). In this case, if Bob wants to forge the message $|P_i\rangle$ with a Pauli operation $U_i$, the corresponding signature will be

$$|S_B(P_i)\rangle = E_{K_{AT}}|P_{Bi}\rangle = E_{K_{AT}} U_i |P_i\rangle = \sigma_x^{k_{2i}} \sigma_z^{k_{2i-1}} H U_i |P_i\rangle \neq U_i \sigma_x^{k_{2i}} \sigma_z^{k_{2i-1}} H |P_i\rangle = U_i |S(P_i)\rangle. \qquad (5)$$

Therefore, if Bob implements Gao et al.'s proposed attack directly, i.e., he applies the forgery operation $U = \bigotimes_{i=1}^{n} U_i$ to both the message $|P\rangle$ and the signature $|S\rangle$, the pair of qubit sequences $(|P_B\rangle, |S_B\rangle)$ will not be able to pass Trent's verification. That is to say, it is invalid for Bob to forge the message and signature in his favour, and his dishonest behavior will always be detected with a certain positive probability.


3.3 Our security analysis

In this section, we analyze the security of Choi et al.'s improvement of AQS. We find that their improvement is not suitably implemented, because Bob can still forge the message and the signature successfully if he selects a new attack strategy. From the above analysis, we can see that Bob's successful forgery is due to the careless usage of encryption in AQS. The commutativity of the encryption operators in QOTP lets Bob forge the message and signature with any Pauli operation without Trent detecting it. Since Choi et al.'s method breaks this commutativity property, it can be seen as a novel and effective security improvement of AQS. However, as the receiver, Bob will certainly choose the optimal attack strategy for forging the message and the signature according to the selected encryption algorithm. Without loss of generality, let us imagine a general forgery strategy: if Bob wants to forge the message $|P_i\rangle$ with an operation $U_i$, he chooses a proper operation $Q$ to apply to the signature $|S(P_i)\rangle$ in order to pass Trent's verification (the two operations applied to the message and to the signature need not be identical). Obviously, the previous security analysis only corresponds to a particular case, i.e., Bob forges the message and signature with the same operation. Then a question arises: is Choi et al.'s improvement of AQS still secure under the general forgery strategy? Equivalently, is Bob able to find an operation $Q$ on the signature that achieves his forgery of the message? In the following, we answer the question and point out that Choi et al.'s method is still susceptible.

Here we imagine that Bob wants to apply the forgery $\sigma_x$ to $|P_i\rangle$ in his favor, and he applies $Q$ to the corresponding signature $|S(P_i)\rangle$ in order to pass Trent's verification. Meanwhile, it is not difficult to see that Trent's verification can be redescribed in an equivalent way: Trent decrypts the received $|S(P_i)\rangle$ with $K_{AT}$ and judges whether the decrypted state is the same as $|P_i\rangle$. In this case, Bob's successful forgery is determined by Trent's possible decryptions shown in Table 1. Obviously, if Bob's forgery of the signature is to pass Trent's verification, all of Trent's possible decryptions in the table should coincide with the forgery operation $\sigma_x$. With Choi et al.'s improvement, we can easily get

$$H^\dagger(-\sigma_y)H = \frac{1}{4}\begin{pmatrix} 1-i & 1-i \\ -1-i & 1+i \end{pmatrix}\begin{pmatrix} 0 & i \\ -i & 0 \end{pmatrix}\begin{pmatrix} 1+i & -1+i \\ 1+i & 1-i \end{pmatrix} = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} = \sigma_x. \qquad (6)$$

Table 1 Trent's possible decryptions

Encryption   | Trent's possible decryptions
$I$          | $H^\dagger Q H$
$\sigma_z$   | $H^\dagger \sigma_z Q \sigma_z H$
$\sigma_x$   | $H^\dagger \sigma_x Q \sigma_x H$
$\sigma_y$   | $H^\dagger \sigma_y Q \sigma_y H$

That is to say, Bob can simply let $Q = -\sigma_y$ to achieve his successful forgery attack without caring about the shared $K_{AT}$. Similar conclusions are easily obtained when Bob forges the message with $\sigma_z$ ($Q = \sigma_x$) and with $\sigma_y$ ($Q = -\sigma_z$). Hence Bob is able to achieve a Pauli forgery of the message and signature, and the total forgery is also obtained with the bitwise encryption.

Up to now, we have found that Choi et al.'s improvement of AQS is insecure in the sense that Bob can make a Pauli forgery of the message and signature. A direct idea for improving their method is to change the form of the selected assistant operation $H$ to some $W$, but we have to say that a potential safety problem still exists in this case. As we know, if all of Trent's decryption operators correspond to an identical operation $T$, Bob will successfully forge the message with $T$. From this view, if $Q$ (in Table 1) is taken to be a Pauli operation, Bob will be able to forge the message with the operation $W^\dagger Q W$. Although the forgery of the message with $W^\dagger Q W$ may not satisfy Bob's needs, Alice should not neglect the potential attack. In fact, as the sender, Alice cannot tolerate any forgery of her signature going undetected by herself. Therefore, the idea of improvement above is not feasible. Fortunately, we can propose some potential improved methods, which can be used in AQS, to solve the security problem in the following section.

4 Some potential improvements of AQS protocols

Above we have shown that all the present AQS protocols, including Choi et al.'s improvement, are insecure in the sense that the receiver, Bob, can forge a valid signature. This is certainly bad news for the application of AQS. In order to close the loophole, we propose some new methods to recover the security against Bob's forgery in this section. Different from the previous improvement, our idea makes the encryption algorithm entirely determined by the shared key string $K$. In this light, we propose two types of encryption algorithms, called Key-Controlled-'I'QOTP and Key-Controlled-'T'QOTP respectively, and analyze Bob's successful forgery attack under the new improved methods.

4.1 Key-Controlled-'I'QOTP

4.1.1 The description of Key-Controlled-'I'QOTP

As we know, Choi et al.'s idea is to insert an assistant operation before the initial encryption algorithm (QOTP) to break the commutativity of the encryption operators. Here we refer to Choi et al.'s encryption algorithm as 'I'QOTP. Intuitively, 'I'QOTP makes the assistant operation known to all the participants, which certainly offers a larger possibility of a successful forgery attack to a malicious receiver. The analysis above has verified that a direct modification of Choi et al.'s assistant operation cannot prevent Bob's forgery attack. From this view, we provide an improvement of 'I'QOTP that makes the assistant encryption operator determined by the shared key string $K$, and we name this new encryption algorithm "Key-Controlled-'I'QOTP".


Now let us describe the Key-Controlled-'I'QOTP in the following scheme. Obviously, we can prepare a set of operators to encrypt the signature. Here we discuss a set $W$ of four Clifford operators [24] $\{W_{00}, W_{01}, W_{10}, W_{11}\}$ to encrypt the signature $|S(P_i)\rangle$, $i = 1, 2, \ldots, n$, and appoint the two bits $K_i$ and $K_{2n-i+1}$ in the shared key string $K_{AT}$ to determine the corresponding assistant one. Without loss of generality, the selected assistant operations are

$$W_{00} = \frac{1}{\sqrt{2}}(\sigma_x + \sigma_z), \quad W_{01} = \frac{1}{\sqrt{2}}(\sigma_y + \sigma_z), \quad W_{10} = \frac{1}{2}(I + i\sigma_x - i\sigma_y + i\sigma_z), \quad W_{11} = \frac{1}{2}(I + i\sigma_x + i\sigma_y + i\sigma_z), \qquad (7)$$

and the subscripts of the assistant operations are determined by the corresponding value of $K_i K_{2n-i+1}$. Combining the assistant operations based on the shared key string with the initial QOTP, the Key-Controlled-'I'QOTP is obtained.

4.1.2 Bob's successful forgery in the Key-Controlled-'I'QOTP

Above, we have given an example to describe Key-Controlled-'I'QOTP. In view of this, the signature $|S\rangle$ is of the form

$$|S\rangle = \bigotimes_{i=1}^{n} \sigma_x^{k_{2i}} \sigma_z^{k_{2i-1}} W_{K_i K_{2n-i+1}} |P_i\rangle. \qquad (8)$$

Here we analyze Bob's successful forgery in the Key-Controlled-'I'QOTP. As we know, suppose Bob wants to forge one qubit $|P_i\rangle$ in the message $|P\rangle$; this would be accomplished if he could apply a correct unitary operation to the corresponding qubit $|S(P_i)\rangle$ in the signature $|S\rangle$. However, he does not have the ability to do this in the Key-Controlled-'I'QOTP, because nobody except the legal participants can conclusively identify the forms of the encryption operators, as shown in Table 2. Here the assistant $W_i$ is selected from the set $W$.

Table 2 Trent's possible decryptions

Encryption   | Trent's possible decryptions
$I$          | $W_i^\dagger Q W_i$
$\sigma_z$   | $W_i^\dagger \sigma_z Q \sigma_z W_i$
$\sigma_x$   | $W_i^\dagger \sigma_x Q \sigma_x W_i$
$\sigma_y$   | $W_i^\dagger \sigma_y Q \sigma_y W_i$

Table 3 Bob's successful forgery attack in "Key-Controlled-'I'QOTP"

Bob's forgery of $|P_i\rangle$ | Bob's forgery of $|S(P_i)\rangle$ when $K_i K_{2n-i+1}$ = 00 | 01 | 10 | 11
$\sigma_x$ | $\sigma_z$ | $\sigma_x$ | $\sigma_y$ | $\sigma_z$
$\sigma_y$ | $\sigma_y$ | $\sigma_z$ | $\sigma_z$ | $\sigma_x$
$\sigma_z$ | $\sigma_x$ | $\sigma_y$ | $\sigma_x$ | $\sigma_y$
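The entries of Table 1 (Sect. 3.3, Eq. (6)) and of Table 3 above can be checked mechanically. The following Python is an added example, not code from the paper: it builds Choi et al.'s $H$ and the four operators of Eq. (7) as 2×2 matrices, computes Trent's possible decryptions $W^\dagger P Q P W$ for every one-time-pad Pauli $P$, and names the resulting operator up to a global phase; `pauli_name`, `trent_decryptions` and `table3` are the example's own names.

```python
"""Mechanical check of Table 1 / Eq. (6) (Sect. 3.3) and Table 3 (Sect. 4.1.2) by
2x2 matrix arithmetic.  Illustration added for this page; not code from the
paper.  Operators are taken exactly as the paper defines them: Choi et al.'s H
and the set {W_00, W_01, W_10, W_11} of Eq. (7).  Pauli names are reported up
to a global phase, which the paper also ignores."""

I2 = ((1, 0), (0, 1))
SX = ((0, 1), (1, 0))
SY = ((0, -1j), (1j, 0))
SZ = ((1, 0), (0, -1))
PAULI = {"I": I2, "sx": SX, "sy": SY, "sz": SZ}

def mul(a, b):
    return tuple(tuple(sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2))
                 for i in range(2))

def dag(a):
    """Conjugate transpose."""
    return tuple(tuple(a[j][i].conjugate() for j in range(2)) for i in range(2))

def lin(*terms):
    """Linear combination of matrices given as (coefficient, matrix) pairs."""
    return tuple(tuple(sum(c * m[i][j] for c, m in terms) for j in range(2))
                 for i in range(2))

def pauli_name(m, tol=1e-9):
    """Name of the Pauli operator equal to m up to a global phase, else None."""
    for name, p in PAULI.items():
        phase, ok = None, True
        for i in range(2):
            for j in range(2):
                if abs(p[i][j]) > tol:
                    ratio = m[i][j] / p[i][j]
                    if phase is None:
                        phase, ok = ratio, abs(abs(ratio) - 1) < tol
                    else:
                        ok = ok and abs(ratio - phase) < tol
                else:
                    ok = ok and abs(m[i][j]) < tol
        if ok:
            return name
    return None

# Choi et al.'s H = (I + i sx - i sy + i sz)/2 and the key-controlled set of Eq. (7).
CHOI_H = lin((0.5, I2), (0.5j, SX), (-0.5j, SY), (0.5j, SZ))
W = {
    "00": lin((2 ** -0.5, SX), (2 ** -0.5, SZ)),
    "01": lin((2 ** -0.5, SY), (2 ** -0.5, SZ)),
    "10": CHOI_H,
    "11": lin((0.5, I2), (0.5j, SX), (0.5j, SY), (0.5j, SZ)),
}

def trent_decryptions(w, q):
    """Tables 1 and 2: for each one-time-pad Pauli P, Trent's decryption of a
    signature qubit to which Bob applied Q is W^dagger P Q P W.  The forgery
    passes only if all four entries name the same operation."""
    return {k: pauli_name(mul(dag(w), mul(p, mul(q, mul(p, w)))))
            for k, p in PAULI.items()}

def table3():
    """Table 3: the signature operation Q = W P W^dagger matching a forgery of
    one message qubit with Pauli P, for each assistant W of Eq. (7)."""
    return {p: {k: pauli_name(mul(w, mul(PAULI[p], dag(w)))) for k, w in W.items()}
            for p in ("sx", "sy", "sz")}

def forgery_probability_eq10(m, k):
    """Eq. (10): p = (1/3)^k (1/2)^(m-k) for m forged qubits, k of them with
    sigma_x or sigma_y and the remaining m-k with sigma_z."""
    return (1 / 3) ** k * (1 / 2) ** (m - k)

if __name__ == "__main__":
    # Eq. (6): with Q = -sigma_y every row of Table 1 decrypts to sigma_x.
    print("Q = -sy :", trent_decryptions(CHOI_H, lin((-1, SY))))
    # The direct attack of Sect. 3.1 (Q = U = sigma_x) decrypts to sigma_z under H.
    print("Q =  sx :", trent_decryptions(CHOI_H, SX))
    for p, row in table3().items():
        print("forge", p, "->", row)
    print("Eq. (10), m=3, k=1:", forgery_probability_eq10(3, 1))
```

The first two prints reproduce the point of Sect. 3.3: with $Q = -\sigma_y$ all four rows of Table 1 decrypt to $\sigma_x$, whereas Gao et al.'s direct choice $Q = \sigma_x$ decrypts to $\sigma_z$ under $H$ and is caught. The `table3()` output reproduces Table 3 row by row; the entries differ across the four $W$, which is why the key-controlled choice denies Bob a single $Q$ that works regardless of $K_{AT}$.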

Without loss of generality, we discuss the situation in which Bob wants to forge the message $|P_i\rangle$ with an arbitrary Pauli operation $P^k$. In order to achieve a successful forgery, the following condition should be satisfied:

$$P^k = \alpha_0 W_i^\dagger Q W_i = \alpha_1 W_i^\dagger \sigma_z Q \sigma_z W_i = \alpha_2 W_i^\dagger \sigma_x Q \sigma_x W_i = \alpha_3 W_i^\dagger \sigma_y Q \sigma_y W_i, \qquad (9)$$

where $\alpha_i$ is any complex number and $Q$ is the corresponding operation on the qubit $|S(P_i)\rangle$ in the signature $|S\rangle$. Because $W_i$ is a Clifford operator, which makes $W_i P^k W_i^\dagger$ a Pauli operator [24], Eq. (9) is satisfied in the case $Q = W_i P^k W_i^\dagger$ (note that such a $Q$ commutes with any Pauli operator up to a sign). In view of this, the detailed forgery strategies for one qubit are described in Table 3.

From Table 3, it is shown that if Bob wants to forge the one qubit $|P_i\rangle$ in the message with $\sigma_x$, he should apply $\sigma_z$, $\sigma_x$, $\sigma_y$ or $\sigma_z$ to the signature when the assistant operation is $W_{00}$, $W_{01}$, $W_{10}$ or $W_{11}$, respectively. That is to say, if Bob wants to forge one qubit of the signed message with the Pauli operation $\sigma_x$ or $\sigma_y$, the success probability will be 1/3, and the probability will be 1/2 if the forgery operation is $\sigma_z$. Furthermore, if Bob wants to forge $m$ qubits of the message to satisfy his needs, the probability of Bob's successful forgery is

$$p = \left(\frac{1}{3}\right)^{k} \left(\frac{1}{2}\right)^{m-k}, \qquad (10)$$

where $k$ $(0 \le k \le m,\ 0 \le m \le n)$ represents the total number of qubits to which Bob wants to apply $\sigma_x$ or $\sigma_y$, and $(m-k)$ represents the number of qubits forged by $\sigma_z$.

Above all, we have shown that our idea of Key-Controlled-'I'QOTP is effective in improving the security against Bob's forgery. With the new encryption algorithm, we can see that Bob cannot conclusively forge the signature as needed. Certainly, this is just one example of Key-Controlled-'I'QOTP, and we hope some optimal methods based on this new encryption idea will be pointed out in further work.

4.2 Key-Controlled-'T'QOTP

4.2.1 The description of Key-Controlled-'T'QOTP

Up to now, we have seen that all the present security analyses of AQS schemes are based on the fact that people can recognize the signature $|S(P_i)\rangle$ corresponding to the message

$|P_i\rangle$ from all the qubits of the signature. That is because QOTP is a bitwise encryption and the structure of the signature is known to all the participants. In order to ensure the security of the signature, we propose a new encryption named "Key-Controlled-'T'QOTP" to make the signature recoverable by the arbitrator but not by the receiver. The idea is to introduce a controlled transposition operation $S$ into QOTP to scramble the positions of the qubits in the signature, where the assistant $S$ is determined by the shared key string $K_{AT}$.

Now we give a method to design the controlled transposition operation $S$. First, we fix a secure one-way hash function $f$ with $f: \{0,1\}^{2n} \to \{0,1\}^{n}$, where $n$ is the number of qubits of the signature. It is not difficult to see that a new $n$-bit string $L = \{l_1, l_2, \ldots, l_n\}$ is obtained after inputting $K_{AT}$ to $f$. Now let us discuss some shift operations. Firstly, we use $S_k$ to represent a transposition operation on $k$ qubits. Obviously, we need not pay attention to $S_0$ and $S_1$, because they do not improve the security at all. Then, we analyze $S_2$ and $S_3$ and give a feasible $S_n$ to make the possibility of Bob's successful forgery as small as possible, where $n$ is the number of qubits in the signature. Without loss of generality, we let the controlled transposition operation $S_2$ determine whether the $i$th and $(n+1-i)$th qubits in the signature exchange their positions or not, and a parameter $\tau_i = l_i \oplus l_{n+1-i}$ is used to realize this. Based on the value of $\tau_i$, we define $S_2$ as

$$S_2 = \frac{1}{2}\begin{pmatrix} 2 & 0 & 0 & 0 \\ 0 & 1+(-1)^{\tau_i} & 1-(-1)^{\tau_i} & 0 \\ 0 & 1-(-1)^{\tau_i} & 1+(-1)^{\tau_i} & 0 \\ 0 & 0 & 0 & 2 \end{pmatrix}. \qquad (11)$$

It can be seen that the two qubits are unchanged if $\tau_i = 0$, whereas their positions are exchanged in the case $\tau_i = 1$. Similarly, a transposition operation $S_3$ on three qubits can also be obtained; e.g., it determines whether the $i$th, $(\lceil 2n/3 \rceil + 1 - i)$th ($\lceil x \rceil = \min\{n \in \mathbb{Z} \mid n \ge x\}$) and $(n+1-i)$th qubits in the signature exchange their positions or not. Here the parameter takes the form

$$\tau_i = \left(l_i + l_{\lceil 2n/3 \rceil + 1 - i} + l_{n+1-i}\right) \bmod 3. \qquad (12)$$

Furthermore, the controlled transposition operation $S_3 = R_3^{\tau_i}$ can be provided, where $R_3^{\tau_i}$ is the symmetric rotation satisfying

$$R_3^{\tau_i}(x_0, x_1, x_2) = \begin{cases} (x_0, x_1, x_2), & \tau_i = 0, \\ (x_2, x_0, x_1), & \tau_i = 1, \\ (x_1, x_2, x_0), & \tau_i = 2. \end{cases} \qquad (13)$$


In fact, the operation in Eq. (11) can also be represented by a symmetric rotation, i.e., $S_2 = R_2^{\tau_i}$ with

$$R_2^{\tau_i}(x_0, x_1) = \begin{cases} (x_0, x_1), & \tau_i = 0, \\ (x_1, x_0), & \tau_i = 1. \end{cases} \qquad (14)$$

In view of this, we further discuss the most feasible method for making the value of $p_1$ as small as possible. For a signature with $n$ qubits, a controlled transposition operation $S_n = R_n^{\tau_i}$ on $n$ qubits is obtained similarly; here $S_n$ determines whether all $n$ qubits of the signature shift their positions or not, and the parameter $\tau_i$ takes the form

$$\tau_i = (l_1 + l_2 + \cdots + l_n) \bmod n. \qquad (15)$$

Moreover, $R_n^{\tau_i}$ is a symmetric rotation, which can be generalized to

$$R_n^{\tau_i}(x_0, x_1, \ldots, x_{n-1}) = (x_{\tau_i}, x_{\tau_i+1}, \ldots, x_{n-1}, x_0, x_1, \ldots, x_{\tau_i - 1}). \qquad (16)$$
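The constructions of Eqs. (11)–(16), as an added Python example that is not code from the paper: it derives $L = f(K_{AT})$ with a hash, applies the pairwise swap $S_2$ of Eqs. (11)/(14) with $\tau_i = l_i \oplus l_{n+1-i}$, implements the symmetric rotation $R_n^{\tau_i}$ of Eq. (16) with $\tau_i$ from Eq. (15) together with the inverse rotation the arbitrator applies, and evaluates the probability $(1/n)^m$ that Sect. 4.2.2 states as Eq. (18). Assumptions: SHA-256 truncated to $n$ bits stands in for the unspecified one-way function $f$, and the signature register is represented by a list of per-qubit labels, since $S$ only permutes positions; the function names are the example's own.

```python
"""Key-controlled transposition of Sect. 4.2.1.  Illustration added for this
page; not code from the paper.  Assumptions: SHA-256 truncated to n bits stands
in for the unspecified one-way hash f: {0,1}^{2n} -> {0,1}^n, and the signature
register is a list of per-qubit labels, since S only permutes qubit positions."""
import hashlib

def derive_l(k_at, n):
    """L = f(K_AT): n bits derived from the 2n-bit key (SHA-256 assumed here)."""
    assert len(k_at) == 2 * n and n <= 256
    digest = hashlib.sha256(bytes(k_at)).digest()
    bits = "".join(f"{b:08b}" for b in digest)
    return [int(c) for c in bits[:n]]

def s2_swap(l, qubits):
    """Eqs. (11)/(14): swap qubit i with qubit n+1-i iff tau_i = l_i xor l_{n+1-i}."""
    n = len(qubits)
    out = list(qubits)
    for i in range(n // 2):          # 0-based i pairs with j = n-1-i
        j = n - 1 - i
        if l[i] ^ l[j]:
            out[i], out[j] = out[j], out[i]
    return out

def tau_n(l):
    """Eq. (15): tau = (l_1 + ... + l_n) mod n."""
    return sum(l) % len(l)

def rotate(qubits, tau):
    """Eq. (16): R_n^tau(x_0..x_{n-1}) = (x_tau, ..., x_{n-1}, x_0, ..., x_{tau-1})."""
    return list(qubits[tau:]) + list(qubits[:tau])

def unrotate(qubits, tau):
    """Trent's inverse of R_n^tau, i.e. a rotation by n - tau."""
    n = len(qubits)
    return rotate(qubits, (n - tau) % n)

def t_qotp_transpose(k_at, qubits):
    """Apply S = S_n = R_n^tau to the signature register using L = f(K_AT)."""
    l = derive_l(k_at, len(qubits))
    return rotate(qubits, tau_n(l))

def t_qotp_untranspose(k_at, qubits):
    """Undo S_n; only a holder of K_AT can recover the qubit order."""
    l = derive_l(k_at, len(qubits))
    return unrotate(qubits, tau_n(l))

def forgery_probability_eq18(n, m):
    """Eq. (18): p = (1/n)^m when m of the n signature qubits are forged."""
    return (1.0 / n) ** m

if __name__ == "__main__":
    key = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1]       # constructed 2n-bit K_AT, n = 6
    sig = [f"S(P{i})" for i in range(1, 7)]          # labels of the 6 signature qubits
    l = derive_l(key, 6)
    print("L =", l, " tau =", tau_n(l))
    print("S_2 swap:", s2_swap(l, sig))
    scrambled = t_qotp_transpose(key, sig)
    print("S_n      :", scrambled)
    print("recovered:", t_qotp_untranspose(key, scrambled))
    print("p for m=2 forged qubits:", forgery_probability_eq18(6, 2))
```

Without $K_{AT}$ the receiver cannot evaluate $\tau$, so a given position in the scrambled register corresponds to any of the $n$ signature qubits with equal probability, which is the $1/n$ per-qubit figure of Sect. 4.2.2; Trent, holding $K_{AT}$, inverts the rotation before running the verification of step (V2).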

From this point, we can see that the position of one qubit in the signature is determined by the parameter $\tau_i$, with $n$ possible values, after the controlled transposition operation $S_n = R_n^{\tau_i}$ is applied to the signature.

4.2.2 Bob's successful forgery in the Key-Controlled-'T'QOTP

With the definition of the controlled transposition operation $S$, the signature $|S\rangle$ with $n$ qubits can be represented in the form

$$|S\rangle = S \bigotimes_{i=1}^{n} |S(P_i)\rangle = S \bigotimes_{i=1}^{n} \sigma_x^{k_{2i}} \sigma_z^{k_{2i-1}} |P_i\rangle. \qquad (17)$$

Combining our analysis of $S$, a feasible Key-Controlled-'T'QOTP can be provided, where $S$ is set to $S_n$ to improve the security. The reason we use $S = S_n$ is that the controlled transposition operation $S$ does not act on all the qubits in the cases $S = S_1, S_2, \ldots, S_{n-1}$. If $S$ acts on fewer than $n$ qubits, Bob can conclusively identify the position of at least one qubit $|P_k\rangle$ in the signature, because the exact form of the controlled transposition operation $S$ is determined in the initializing phase and known to all the participants. Though the forgery of one qubit $|P_k\rangle$ in the signature may not satisfy his needs, the potential attack cannot be neglected. Hereafter, the Key-Controlled-'T'QOTP we propose is set with $S = S_n$.

Here we analyze Bob's successful forgery in the Key-Controlled-'T'QOTP. Similarly, suppose Bob wants to forge one qubit $|P_i\rangle$ in the message $|P\rangle$; this would be accomplished if he could apply a correct unitary operation to the corresponding qubit $|S(P_i)\rangle$ in the signature $|S\rangle$. However, nobody except the legal participants can conclusively identify the forms of the encryption operators in the Key-Controlled-'T'QOTP, because the controlled transposition operation $S_n$ acts on all the $n$ qubits


of the signature, i.e., $S_n = \bigotimes_{i=1}^{n} s_i$, where $s_i$ is a unitary operation on one qubit; hence the probability of identifying the exact position of $|S(P_i)\rangle$ in the signature, which is also the probability of a successful forgery of one qubit, is $1/n$. It is not difficult to see that although the initial encryption operation in QOTP is susceptible to Bob's Pauli forgery, we still have some methods to reduce his successful forgery and prevent the possible attack. In fact, if Bob wants to forge more qubits to gain a higher profit, the probability of his successful forgery becomes

$$p = \left(\frac{1}{n}\right)^{m}, \qquad (18)$$

where $m$ $(m \le n)$ represents the number of qubits forged by the receiver in the Key-Controlled-'T'QOTP.

5 Discussion

Until now, we have provided a new method to analyze the security of the present AQS protocols in Sect. 3, where the previous security analysis conclusions proposed by Gao et al. [21] and Choi et al. [22] can be seen as particular cases of our description. With this method, the present AQS protocols can be seen to be susceptible to Bob's forgery attack. In order to prevent it, we proposed two potential improved ideas and analyzed Bob's successful forgery under them in Sect. 4. In this section, we provide some supplementary analysis of the two improved ideas.

1. Verifiability: it can be seen that the improved methods proposed above only modify the encryption algorithm in AQS. That is to say, the implementation procedure, including generating the signature and the transmissions between the participants, remains unchanged in the improved protocols. Hence, the availability of the AQS protocols is ensured without difficulty.
2. Unforgeability: in Sect. 4, we have analyzed Bob's successful forgery under the two improved methods. Though they are designed from different perspectives,

[Fig. 1: two surface plots of Bob's success probability. (a) Probability against $m$ and $k$ for Key-Controlled-'I'QOTP, Eq. (10); (b) Probability against $m$ and $n$ for Key-Controlled-'T'QOTP, Eq. (18).]

Fig. 1 Subgraphs a and b show Bob's successful forgery in Key-Controlled-'I'QOTP and Key-Controlled-'T'QOTP, respectively. Here $m$ $(m \le n)$ represents the number of qubits forged by the receiver and $n$ represents the number of qubits in the signature


Bob cannot forge a valid signature as he needs. For the two improved ideas, the probability of his successful forgery of the signature is shown directly in Fig. 1. Obviously, the probability of Bob's successful forgery approaches zero as the number of forged qubits increases.

3. Undeniability: as noted by Gao et al. [21] and Choi et al. [22], preventing the signer's disavowal is a difficult and still open problem. From Ref. [21] we recall the strategy by which Alice can successfully disavow her signature. In step V3, when Trent sends $|Y_B\rangle = E_{K_{BT}}(|P\rangle \otimes |S\rangle)$ back to Bob, Alice can use a kind of intercept-resend attack [25]: she modifies the last n qubits in $|Y_B\rangle$, so that the resulting states of these qubits (denoted as $|S_A\rangle$) are no longer a valid signature of $|P\rangle$, and resends $|S_A\rangle$ to Bob. Note that Alice's disavowal succeeds because the QOTP encryption is qubit by qubit, so she can recognize the signature qubits in the ciphertext and disturb them while leaving the others unchanged. Bob, however, cannot discover Alice's modification of $|S\rangle$ here because he does not have $K_{AT}$ with which to verify the integrity of $|Y_B\rangle$. In view of this, a feasible method to prevent her successful disavowal is to make it impossible for Alice to recognize the qubits that correspond to the signature. Fortunately, the Key-Controlled-'T'QOTP proposed above is able to disorganize the positions of the qubits. Suppose Alice wants to modify the last qubit of $|Y_B\rangle$; her disavowal is achieved only in the case $\tau_i = 0$, $i = 1, 2, \ldots, (n-1)$, in $S_n = R_n^{\tau_i}$, i.e., the probability of Alice's successful disavowal is reduced to 1/2. Furthermore, if she wants to modify more qubits, the probability of her successful disavowal is reduced further.

4. Some potential security loopholes: with the development of quantum cryptography, a series of attack strategies has been proposed in recent research, such as intercept-resend attacks [25], entanglement-swapping attacks [26,27], teleportation attacks [28], dense-coding attacks [29,30], channel-loss attacks [31,32], denial-of-service attacks [33,34], correlation-extractability attacks [35–37], Trojan horse attacks [38,39], participant attacks [27,30] and so on. In view of this, there may exist security loopholes in particular protocols that are not discussed in this paper. For example, Hwang et al. applied the denial-of-service attack and the Trojan horse attack to Zou et al.'s protocol [20] in Ref. [40]. They showed that the receiver may actively deny Alice's signature without being detected, and that a malicious signer can reveal the verifier's secret key. Hence there may exist interesting security loopholes in specific AQS protocols that require further study. In addition, the influence of noise in a real channel and the imperfect comparison of two unknown quantum states [16] also need further analysis. We hope our conclusions can be applied in discussing these topics or in solving other cryptography problems.
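The positional argument in item 3 (a qubit-by-qubit QOTP leaves the signature qubits at known positions, while a key-controlled transposition hides them) can be checked with a short classical bookkeeping script. The following Python code is an added illustration and is not part of the original paper. It assumes a simplified model of the transposition (a key bit $\tau_i = 1$ swaps the i-th message position with the i-th signature position; this is an assumption of the example, not necessarily the paper's $R_n^{\tau}$), tracks only whether each position carries a message or a signature qubit (no quantum state is simulated), and counts a blind disturbance of the last m positions as a successful disavowal only when every disturbed position carries a signature qubit.

```python
import itertools
from fractions import Fraction

# Constructed model (assumption of this example, not the paper's exact
# Key-Controlled-'T'QOTP): the ciphertext |Y_B> = E_{K_BT}(|P> (x) |S>)
# carries n message positions followed by n signature positions.
MESSAGE, SIGNATURE = "P", "S"


def plain_layout(n):
    """Qubit-by-qubit QOTP keeps positions, so this layout is public."""
    return [MESSAGE] * n + [SIGNATURE] * n


def key_controlled_transposition(layout, tau):
    """Assumed transposition: key bit tau[i] == 1 swaps message position i
    with signature position n + i. Only the key holders know tau."""
    n = len(tau)
    out = list(layout)
    for i, bit in enumerate(tau):
        if bit:
            out[i], out[n + i] = out[n + i], out[i]
    return out


def disturbance_lands_on_signature(layout, m):
    """Alice disturbs the last m positions blindly (she does not know tau).
    The disavowal counts as successful only if all of them carry signature
    qubits; hitting a message qubit is treated as detectable."""
    return all(q == SIGNATURE for q in layout[-m:])


def disavowal_probability(n, m, transposed=True):
    """Exact success probability over all 2^n equiprobable keys tau.

    With transposed=False the plain, position-preserving QOTP is modelled
    and Alice always knows where the signature qubits are.
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    base = plain_layout(n)
    if not transposed:
        return Fraction(int(disturbance_lands_on_signature(base, m)))
    hits = sum(
        disturbance_lands_on_signature(key_controlled_transposition(base, tau), m)
        for tau in itertools.product((0, 1), repeat=n)
    )
    return Fraction(hits, 2 ** n)


if __name__ == "__main__":
    n = 4
    for m in (1, 2, 3, 4):
        print(f"m={m}: plain QOTP {disavowal_probability(n, m, transposed=False)}, "
              f"key-controlled transposition {disavowal_probability(n, m)}")
```

Under this model the plain QOTP gives probability 1 for any m, while the transposition gives 1/2 for a single disturbed qubit, agreeing with the value stated in item 3, and (1/2)^m for m disturbed qubits, which is the "further reduced" case. Enumerating all keys is only practical for small n; the closed form follows directly from the independence of the key bits.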

6 Conclusion

In this paper, we have pointed out that the present AQS protocols cannot prevent Bob's existential forgery attack. We describe Bob's forgery strategy in general and propose some improvements of AQS to recover its security against Bob's forgery. Furthermore, our improvements only modify the encryption algorithm, hence the practical advantages of AQS are still kept. In addition, we also analyze our encryption and give a possible strategy to prevent the sender (Alice)'s disavowal without a suitable quantum authentication scheme. However, we have to say that although the encryption algorithm "Key-Controlled-'T'QOTP" can prevent Alice's disavowal to some extent, the most effective improvement, as pointed out in Ref. [21], is still to introduce quantum message authentication into AQS to ensure the integrity of the signature. A suitable quantum authentication scheme for quantum messages, however, still needs further study. Hopefully, some significant results will follow in further research, and our conclusions can be applied in discussing these topics or in solving other cryptography problems. In all, we have provided some encryption algorithms to improve the security of previous AQS protocols. Although some security problems have been found in AQS, the loopholes may be made up for by the improvement of our encryption algorithms. Therefore, AQS is still valuable and its analysis deserves further study.

Acknowledgments This work is supported by NSFC (Grant Nos. 61170270, 61100203, 61272057, 61202434, 61003286, 61121061), NCET (Grant No. NCET-10-0260), Beijing Natural Science Foundation (Grant Nos. 4112040, 4122054), the Fundamental Research Funds for the Central Universities (Grant Nos. 2011YB01, 2012RC0612).

References

1. Shor, P.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
2. Grover, L.K.: A fast quantum mechanical algorithm for database search. quant-ph/9605043v3 (1996)
3. Gisin, N., Ribordy, G., Tittel, W., et al.: Quantum cryptography. Rev. Mod. Phys. 74, 145–195 (2002)
4. Bennett, C.H., Brassard, G.: Quantum cryptography: public key distribution and coin tossing. In: Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing, pp. 175–179. IEEE Press, New York (1984)
5. Ekert, A.K.: Quantum cryptography based on Bell's theorem. Phys. Rev. Lett. 67, 661–663 (1991)
6. Bennett, C.H.: Quantum cryptography using any two nonorthogonal states. Phys. Rev. Lett. 68, 3121–3124 (1992)
7. Bennett, C.H., Brassard, G., et al.: Teleporting an unknown quantum state via dual classical and Einstein–Podolsky–Rosen channels. Phys. Rev. Lett. 70, 1895–1899 (1993)
8. Gao, F., Guo, F.Z., Wen, Q.Y., et al.: Quantum key distribution without alternative measurements and rotations. Phys. Lett. A 349, 53–58 (2006)
9. Cleve, R., Gottesman, D., Lo, H.K.: How to share a quantum secret. Phys. Rev. Lett. 83, 648–651 (1999)
10. Hillery, M., Buzek, V., Berthiaume, A.: Quantum secret sharing. Phys. Rev. A 59, 1829–1834 (1999)
11. Karlsson, A., Koashi, M., Imoto, N.: Quantum entanglement for secret sharing and secret splitting. Phys. Rev. A 59, 162–168 (1999)
12. Long, G.L., Liu, X.S.: Theoretically efficient high-capacity quantum-key-distribution scheme. Phys. Rev. A 65, 032302 (2002)
13. Deng, F.G., Long, G.L., Liu, X.S.: Two-step quantum direct communication protocol using the Einstein–Podolsky–Rosen pair block. Phys. Rev. A 68, 042317 (2003)
14. Lin, S., Wen, Q.Y., Zhu, F.C.: Quantum secure direct communication with X-type entangled states. Phys. Rev. A 78, 064304 (2008)
15. Gottesman, D., Chuang, I.: Quantum digital signatures. quant-ph/0105032v2 (2001)
16. Buhrman, H., Cleve, R., Watrous, J., et al.: Quantum fingerprinting. Phys. Rev. Lett. 87, 167902 (2001)
17. Buhrman, H., Crepeau, C., Gottesman, D., et al.: Authentication of quantum messages. IEEE Computer Society Press, Washington (2002)
18. Zeng, G.H., Keitel, C.H.: Arbitrated quantum-signature scheme. Phys. Rev. A 65, 042312 (2002)
19. Li, Q., Chan, W.H., Long, D.Y.: Arbitrated quantum signature scheme using Bell states. Phys. Rev. A 79, 054307 (2009)
20. Zou, X.F., Qiu, D.W.: Security analysis and improvements of arbitrated quantum signature schemes. Phys. Rev. A 82, 042325 (2010)
21. Gao, F., Qin, S.J., Guo, F.Z., Wen, Q.Y.: Cryptanalysis of the arbitrated quantum signature protocols. Phys. Rev. A 84, 022344 (2011)
22. Choi, J.W., Chang, K.Y., Hong, D.: Security problem on arbitrated quantum signature schemes. Phys. Rev. A 84, 062330 (2011)
23. Boykin, P.O., Roychowdhury, V.: Optimal encryption of quantum bits. Phys. Rev. A 67, 042317 (2003)
24. Rains, E., et al.: Handbook of Coding Theory, pp. 177–294. math.CO/0208001 (1998)
25. Gao, F., Guo, F.Z., Wen, Q.Y., Zhu, F.C.: Comment on "Experimental demonstration of a quantum protocol for Byzantine agreement and liar detection". Phys. Rev. Lett. 101, 208901 (2008)
26. Zhang, Y.S., Li, C.F., Guo, G.C.: Comment on "Quantum key distribution without alternative measurements". Phys. Rev. A 63, 036301 (2001)
27. Gao, F., Qin, S.J., Wen, Q.Y., Zhu, F.C.: A simple participant attack on the Bradler–Dusek protocol. Quantum Inf. Comput. 7, 329 (2007)
28. Gao, F., Wen, Q.Y., Zhu, F.C.: Teleportation attack on the QSDC protocol with a random basis and order. Chin. Phys. B 17, 3189 (2008)
29. Gao, F., Qin, S.J., Guo, F.Z., Wen, Q.Y.: Dense-coding attack on three-party quantum key distribution protocols. IEEE J. Quantum Electron. 47, 630 (2011)
30. Qin, S.J., Gao, F., Wen, Q.Y., Zhu, F.C.: Improving the security of multiparty quantum secret sharing against an attack with a fake signal. Phys. Lett. A 357, 101 (2006)
31. Wójcik, A.: Eavesdropping on the ping-pong quantum communication protocol. Phys. Rev. Lett. 90, 157901 (2003)
32. Wójcik, A.: Comment on "Quantum dense key distribution". Phys. Rev. A 71, 016301 (2005)
33. Cai, Q.Y.: The "ping-pong" protocol can be attacked without eavesdropping. Phys. Rev. Lett. 91, 109801 (2003)
34. Gao, F., Guo, F.Z., Wen, Q.Y., Zhu, F.C.: Consistency of shared reference frames should be reexamined. Phys. Rev. A 77, 014302 (2008)
35. Gao, F., Wen, Q.Y., Zhu, F.C.: Comment on "Quantum exam". Phys. Lett. A 360, 748 (2007)
36. Gao, F., Lin, S., Wen, Q.Y., Zhu, F.C.: A special eavesdropping on one-sender versus N-receiver QSDC protocol. Chin. Phys. Lett. 25, 1561 (2008)
37. Gao, F., Lin, S., Wen, Q.Y., Zhu, F.C.: Cryptanalysis of multiparty controlled quantum secure direct communication using Greenberger–Horne–Zeilinger state. Opt. Commun. 283, 192 (2010)
38. Gisin, N., Fasel, S., Kraus, B., Zbinden, H., Ribordy, G.: Trojan-horse attacks on quantum-key-distribution systems. Phys. Rev. A 73, 022320 (2006)
39. Deng, F.G., Li, X.H., Zhou, H.Y., Zhang, Z.J.: Improving the security of multiparty quantum secret sharing against Trojan horse attack. Phys. Rev. A 72, 044302 (2005)
40. Hwang, T., Luo, Y.P., Chong, S.K.: Comment on "Security analysis and improvements of arbitrated quantum signature schemes". Phys. Rev. A 85, 056301 (2012)
