Quantum homomorphic signature - Springer Link

Quantum Inf Process (2015) 14:393–410 DOI 10.1007/s11128-014-0853-4

Quantum homomorphic signature Tao Shang · Xiao-jie Zhao · Chao Wang · Jian-wei Liu

Received: 16 April 2014 / Accepted: 6 October 2014 / Published online: 22 October 2014 © Springer Science+Business Media New York 2014

T. Shang (B) · X. Zhao · C. Wang · J. Liu
School of Electronic and Information Engineering, Beihang University, Beijing 100191, China

Abstract

Quantum signature is an effective approach to identity authentication for a single stream in quantum networks, but it is constrained in the crossing case of multiple streams. To solve this problem, we present a quantum homomorphic signature scheme to enhance the security of quantum networks. By entanglement swapping, this scheme can combine two quantum signatures and generate a new homomorphic signature. Analysis results show that the proposed signature scheme can effectively guarantee the security of the secret key and verify the identity of different data sources in a quantum network.

Keywords Quantum signature · Homomorphic signature · Entanglement swapping · Quantum network · Multiple streams

1 Introduction

It is well known that the security of quantum communication is assured by physical principles such as the Heisenberg uncertainty principle and the quantum no-cloning theorem. However, quite a few effective attack strategies have been proposed, such as the intercept-resend attack, entanglement-swapping attack, teleportation attack, dense-coding attack, channel-loss attack, denial-of-service attack, correlation-extractability attack, Trojan-horse attack, and participant attack. As the study of quantum cryptography develops, several branches of quantum cryptography have been studied in recent years, including quantum key distribution (QKD), quantum secret sharing (QSS), quantum secure direct communication (QSDC), quantum encryption algorithm (QEA), quantum identification (QI), and quantum signature (QS). Quantum cryptography is based on physical characteristics, e.g., eavesdropping can be detected by means of the collapse of a quantum state during measurement. It combines quantum theory with classical cryptography and utilizes quantum effects to achieve unconditional security.

Quantum signature, which concerns the authenticity and non-repudiation of messages on insecure quantum channels, is an important research topic in quantum cryptography. So far, a few quantum signature schemes have been proposed. In 2001, Gottesman and Chuang [1] proposed the first quantum signature scheme based on quantum one-way functions and the quantum swap test. In this scheme, the public key can only be used once, for signing merely one bit of message each time. In 2002, Zeng and Keitel [2] proposed a pioneering arbitrated quantum signature (AQS) protocol which can be used to sign both classical and quantum messages. This scheme uses the correlation of Greenberger–Horne–Zeilinger (GHZ) triplet states and quantum one-time pads to ensure security. To verify the validity of a signature, probabilistic comparison of two unknown quantum states was also introduced as a necessary and important technique. This work provides an elementary model for signing a quantum message. Although it was mentioned that both known and unknown quantum states could be signed, there were some corresponding comments about whether it is suitable for unknown messages [3,4].

Then, a variety of quantum signature schemes based on AQS have been proposed. Lee et al. [5] proposed two quantum signature schemes with message recovery. One scheme used a public board and the other did not, but both schemes rely on the availability of an arbitrator and can be signed only by one user. Wang et al. [6] proposed an arbitrated quantum signature scheme with single photons. Zeng et al. [7] proposed a true quantum signature algorithm based on continuous-variable entangled states.
A key pair, i.e., a private signature key and a public verification key, is generated based on a one-way function. In these arbitrated signature schemes, the arbitrator can have access to the contents of the messages, and therefore the security of most arbitrated signature schemes depends heavily on the trustworthiness of the arbitrator. Furthermore, the existence of an arbitrator can reduce the communication efficiency of the whole system. In 2007, Wen and Liu [8] proposed a quantum signature scheme without an arbitrator. Their scheme can be used to sign general quantum superposition states. However, by claiming that the signing key was lost or stolen, a signer in a quantum signature scheme without an arbitrator can later deny sending a signature. Li et al. [9] found that in Zeng's scheme the arbitrator does not need to be entangled, so the GHZ states can be replaced by Bell states, and presented a Bell-state-based AQS protocol. Their scheme simplified Zeng's protocol and provided higher transmission efficiency. Zou et al. [10] further achieved AQS without entangled states. Yang and Wen [11,12] proposed a pioneering work on arbitrated quantum signature of classical messages resistant to collective amplitude damping noise. By using the technique of decoherence-free (DF) subspaces to protect quantum computation and transmission, their scheme works over such a noisy quantum channel. Later, Chong et al. [13] pointed out a security flaw in Yang and Wen's scheme, in which a legitimate but malicious user can perform Trojan-horse attacks to reveal the other party's secret key without being detected. Based on Yang and Wen's idea, Hwang et al. [14] proposed a new arbitrated quantum signature of classical messages against collective amplitude damping noise to prevent Chong et al.'s Trojan-horse attacks.


Moreover, they further pointed out that in Yang and Wen's scheme the arbitrator may not be able to solve a dispute between two users even if Trojan-horse attacks are not performed, i.e., if the signer denies his/her signature, or the verifier denies his/her verification, the arbitrator cannot do anything at all to solve the dispute. To protect the privacy of message owners, Wen et al. [15] proposed the first quantum group signature scheme by using quantum teleportation. Xu et al. [16] proposed a quantum group blind signature scheme by combining the properties of group signature and blind signature. Recently, Shi et al. [17] proposed a quantum communication scheme for blind signature based on a two-particle entangled quantum system to create a novel symmetrical quantum cryptosystem. All the messages are encrypted with the private key of the sender Alice during the communication and the authenticity verification of signatures, and an arbitrator's batch efficient proxy signature is applied.

To authenticate the identity of a data source in a network, homomorphic signature schemes [18] have received considerable attention as an alternative to standard signature schemes in classical cryptography. However, homomorphic signature schemes for classical information are inapplicable in quantum networks. It is believed that homomorphic signature of quantum information is more meaningful and more difficult than its counterpart in classical cryptography. In particular, a homomorphic signature in the form of quantum states is desired for quantum networks. On one hand, the main problem is how to design a signature operation for quantum states. On the other hand, the authentication of different data sources is also a very hard problem for classical networks, so it is necessary to explore whether it is a hard problem for quantum networks or not. If a quantum homomorphic signature scheme is feasible, it will be very helpful for enhancing the security of quantum networks.

However, a solution to quantum homomorphic signature still remains open. It is crucial to find an equivalent quantum homomorphic operation to realize signature computing in the form of quantum states. Until now, there has been no obvious way to combine two quantum signatures (e.g., $S_1$ and $S_2$) from the senders to realize a homomorphic operation, due to the properties of quantum mechanics. Inspired by entanglement swapping [19], we propose, for the first time, a new quantum homomorphic signature scheme which can be used to authenticate data packets of multiple streams in quantum networks. After combining two quantum signatures by entanglement swapping, it can generate a new homomorphic signature at the intermediate node. The proposed quantum signature scheme can effectively guarantee the security of the secret key and verify the identity of different data sources in a quantum network.

The main contributions of our work are as follows:

(1) A homomorphic operation for quantum states is found for the first time. The homomorphic operation is the key part of quantum homomorphic signature. We utilize entanglement swapping for the homomorphic operation, which satisfies the homomorphic property for operations on quantum states.

(2) A quantum homomorphic signature scheme is proposed for the first time. The property of the quantum homomorphic signature scheme is derived. It contributes to the signature operation in the bottleneck nodes of a quantum network. It also contributes to the authentication of a multi-source unicast stream or a single-source multicast stream. Our scheme provides a convenient model for combining authentication into quantum networks, which would be significant for enhancing the security of quantum communication.


This paper is structured as follows. In Sect. 2, we introduce the related works, including homomorphic signature and entanglement swapping. Section 3 mainly focuses on the quantum homomorphic signature scheme. Then, we give a detailed security analysis in Sect. 4 and discuss the network scenario of quantum homomorphic signature for different streams in Sect. 5. Section 6 is our conclusion.

2 Related works

2.1 Homomorphic signature

Homomorphism can be divided into two types: additive homomorphism and multiplicative homomorphism [20]. Given variables $X_1$ and $X_2$, a function $\phi$ is additively homomorphic if there exists a function $f$ satisfying $\phi(X_1 + X_2) = f(\phi(X_1), \phi(X_2))$. Similarly, $\phi$ is multiplicatively homomorphic if there exists a function $f$ satisfying $\phi(X_1 \times X_2) = f(\phi(X_1), \phi(X_2))$.

A homomorphic signature scheme is based on a homomorphic algorithm. Assume that a node receives messages $(E_1, E_2, \ldots, E_n)$ and corresponding signatures $(\phi(E_1), \phi(E_2), \ldots, \phi(E_n))$, where $\phi$ is additively homomorphic. If this node wants to generate a signature on $a_1E_1 + a_2E_2 + \cdots + a_nE_n$, it can obtain the signature by means of $S = f(\phi(E_1), \phi(E_2), \ldots, \phi(E_n))$, which equals $\phi(a_1E_1 + a_2E_2 + \cdots + a_nE_n)$. A concrete example of a homomorphic signature scheme, BFKW, was given by Boneh et al. [21]. Hence, a homomorphic signature scheme can generate a new signature on its message without the private keys of the data sources. This is very important to distributed networks and can be used to generate new signatures at intermediate nodes by directly manipulating the original signatures of received messages without an encryption operation.

A general quantum signature model is conjectured as shown in Fig. 1. By sharing an EPR pair (denoted as $|\psi\rangle_{12}$) with a verifier $V$, a signer $A$ can sign its classical information $X$ by performing a corresponding unitary operation on its particle 2. For the aggregation of multiple signatures, the most straightforward idea is to guarantee that each signer shares an EPR pair with the aggregator $C$; the aggregator then generates a new signature. As described in Fig. 1, the key is to generate a new homomorphic signature $S_3 = U(X_1 \oplus X_2) \cdot |\psi\rangle_4$ at the aggregator $C$ according to the two signatures $S_1$ and $S_2$.

As far as we know, no quantum signature scheme has been proposed that incorporates a homomorphic algorithm until now. The existing quantum signature schemes are also not suitable for quantum networks, as described in the Introduction. Hence, it is significant to investigate the design of quantum homomorphic signature for the authentication of data sources in quantum networks.

2.2 Entanglement swapping

Entanglement swapping [19] is a remarkable property of quantum entanglement. The key idea of entanglement swapping is that two non-entangled particles (1, 3) become an entangled state by measurement, as shown in Fig. 2. Assume the original states of these particles are:

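Fig. 1 Quantum signature model

Fig. 2 Entanglement swapping

$$|\phi^+\rangle_{12} = \frac{1}{\sqrt{2}}\left(|00\rangle_{12} + |11\rangle_{12}\right), \qquad |\psi^+\rangle_{34} = \frac{1}{\sqrt{2}}\left(|01\rangle_{34} + |10\rangle_{34}\right).$$

Then,

$$\begin{aligned}
|\phi^+\rangle_{12} \otimes |\psi^+\rangle_{34}
&= \frac{1}{2}\left(|0001\rangle_{1234} + |0010\rangle_{1234} + |1101\rangle_{1234} + |1110\rangle_{1234}\right) \\
&= \frac{1}{2}\left(|0001\rangle_{1324} + |0100\rangle_{1324} + |1011\rangle_{1324} + |1110\rangle_{1324}\right) \\
&= \frac{1}{4}\Big[\left(|\phi^+\rangle_{13} + |\phi^-\rangle_{13}\right)\left(|\psi^+\rangle_{24} + |\psi^-\rangle_{24}\right) + \left(|\psi^+\rangle_{13} + |\psi^-\rangle_{13}\right)\left(|\phi^+\rangle_{24} + |\phi^-\rangle_{24}\right) \\
&\qquad + \left(|\psi^+\rangle_{13} - |\psi^-\rangle_{13}\right)\left(|\phi^+\rangle_{24} - |\phi^-\rangle_{24}\right) + \left(|\phi^+\rangle_{13} - |\phi^-\rangle_{13}\right)\left(|\psi^+\rangle_{24} - |\psi^-\rangle_{24}\right)\Big] \\
&= \frac{1}{2}\left(|\phi^+\rangle_{13}|\psi^+\rangle_{24} + |\phi^-\rangle_{13}|\psi^-\rangle_{24} + |\psi^+\rangle_{13}|\phi^+\rangle_{24} + |\psi^-\rangle_{13}|\phi^-\rangle_{24}\right)
\end{aligned} \tag{1}$$

Table 1 States of particles after entanglement swapping

$$\begin{array}{ll}
\text{Original states} & \text{States of particles after entanglement swapping} \\
\hline
|\phi^+\rangle_{12} \otimes |\phi^+\rangle_{34} & \tfrac{1}{2}\left(|\phi^+\rangle_{13}|\phi^+\rangle_{24} + |\phi^-\rangle_{13}|\phi^-\rangle_{24} + |\psi^+\rangle_{13}|\psi^+\rangle_{24} + |\psi^-\rangle_{13}|\psi^-\rangle_{24}\right) \\
|\phi^+\rangle_{12} \otimes |\phi^-\rangle_{34} & \tfrac{1}{2}\left(|\phi^+\rangle_{13}|\phi^-\rangle_{24} + |\phi^-\rangle_{13}|\phi^+\rangle_{24} - |\psi^+\rangle_{13}|\psi^-\rangle_{24} - |\psi^-\rangle_{13}|\psi^+\rangle_{24}\right) \\
|\phi^+\rangle_{12} \otimes |\psi^+\rangle_{34} & \tfrac{1}{2}\left(|\phi^+\rangle_{13}|\psi^+\rangle_{24} + |\phi^-\rangle_{13}|\psi^-\rangle_{24} + |\psi^+\rangle_{13}|\phi^+\rangle_{24} + |\psi^-\rangle_{13}|\phi^-\rangle_{24}\right) \\
|\phi^+\rangle_{12} \otimes |\psi^-\rangle_{34} & \tfrac{1}{2}\left(|\phi^+\rangle_{13}|\psi^-\rangle_{24} + |\phi^-\rangle_{13}|\psi^+\rangle_{24} - |\psi^+\rangle_{13}|\phi^-\rangle_{24} - |\psi^-\rangle_{13}|\phi^+\rangle_{24}\right) \\
|\phi^-\rangle_{12} \otimes |\phi^+\rangle_{34} & \tfrac{1}{2}\left(|\phi^+\rangle_{13}|\phi^-\rangle_{24} + |\phi^-\rangle_{13}|\phi^+\rangle_{24} + |\psi^+\rangle_{13}|\psi^-\rangle_{24} + |\psi^-\rangle_{13}|\psi^+\rangle_{24}\right) \\
|\phi^-\rangle_{12} \otimes |\phi^-\rangle_{34} & \tfrac{1}{2}\left(|\phi^+\rangle_{13}|\phi^+\rangle_{24} + |\phi^-\rangle_{13}|\phi^-\rangle_{24} - |\psi^+\rangle_{13}|\psi^+\rangle_{24} - |\psi^-\rangle_{13}|\psi^-\rangle_{24}\right) \\
|\phi^-\rangle_{12} \otimes |\psi^+\rangle_{34} & \tfrac{1}{2}\left(|\phi^+\rangle_{13}|\psi^-\rangle_{24} + |\phi^-\rangle_{13}|\psi^+\rangle_{24} + |\psi^+\rangle_{13}|\phi^-\rangle_{24} + |\psi^-\rangle_{13}|\phi^+\rangle_{24}\right) \\
|\phi^-\rangle_{12} \otimes |\psi^-\rangle_{34} & \tfrac{1}{2}\left(|\phi^+\rangle_{13}|\psi^+\rangle_{24} + |\phi^-\rangle_{13}|\psi^-\rangle_{24} - |\psi^+\rangle_{13}|\phi^+\rangle_{24} - |\psi^-\rangle_{13}|\phi^-\rangle_{24}\right) \\
|\psi^+\rangle_{12} \otimes |\phi^+\rangle_{34} & \tfrac{1}{2}\left(|\phi^+\rangle_{13}|\psi^+\rangle_{24} - |\phi^-\rangle_{13}|\psi^-\rangle_{24} + |\psi^+\rangle_{13}|\phi^+\rangle_{24} - |\psi^-\rangle_{13}|\phi^-\rangle_{24}\right) \\
|\psi^+\rangle_{12} \otimes |\phi^-\rangle_{34} & \tfrac{1}{2}\left(-|\phi^+\rangle_{13}|\psi^-\rangle_{24} + |\phi^-\rangle_{13}|\psi^+\rangle_{24} + |\psi^+\rangle_{13}|\phi^-\rangle_{24} - |\psi^-\rangle_{13}|\phi^+\rangle_{24}\right) \\
|\psi^+\rangle_{12} \otimes |\psi^+\rangle_{34} & \tfrac{1}{2}\left(|\phi^+\rangle_{13}|\phi^+\rangle_{24} - |\phi^-\rangle_{13}|\phi^-\rangle_{24} + |\psi^+\rangle_{13}|\psi^+\rangle_{24} - |\psi^-\rangle_{13}|\psi^-\rangle_{24}\right) \\
|\psi^+\rangle_{12} \otimes |\psi^-\rangle_{34} & \tfrac{1}{2}\left(-|\phi^+\rangle_{13}|\phi^-\rangle_{24} + |\phi^-\rangle_{13}|\phi^+\rangle_{24} + |\psi^+\rangle_{13}|\psi^-\rangle_{24} - |\psi^-\rangle_{13}|\psi^+\rangle_{24}\right) \\
|\psi^-\rangle_{12} \otimes |\phi^+\rangle_{34} & \tfrac{1}{2}\left(-|\phi^+\rangle_{13}|\psi^-\rangle_{24} + |\phi^-\rangle_{13}|\psi^+\rangle_{24} - |\psi^+\rangle_{13}|\phi^-\rangle_{24} + |\psi^-\rangle_{13}|\phi^+\rangle_{24}\right) \\
|\psi^-\rangle_{12} \otimes |\phi^-\rangle_{34} & \tfrac{1}{2}\left(|\phi^+\rangle_{13}|\psi^+\rangle_{24} - |\phi^-\rangle_{13}|\psi^-\rangle_{24} - |\psi^+\rangle_{13}|\phi^+\rangle_{24} + |\psi^-\rangle_{13}|\phi^-\rangle_{24}\right) \\
|\psi^-\rangle_{12} \otimes |\psi^+\rangle_{34} & \tfrac{1}{2}\left(-|\phi^+\rangle_{13}|\phi^-\rangle_{24} + |\phi^-\rangle_{13}|\phi^+\rangle_{24} - |\psi^+\rangle_{13}|\psi^-\rangle_{24} + |\psi^-\rangle_{13}|\psi^+\rangle_{24}\right) \\
|\psi^-\rangle_{12} \otimes |\psi^-\rangle_{34} & \tfrac{1}{2}\left(|\phi^+\rangle_{13}|\phi^+\rangle_{24} - |\phi^-\rangle_{13}|\phi^-\rangle_{24} - |\psi^+\rangle_{13}|\psi^+\rangle_{24} + |\psi^-\rangle_{13}|\psi^-\rangle_{24}\right)
\end{array}$$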

According to Eq. (1), if we perform a Bell-state measurement on the particles 1 and 3, the particles 2 and 4 would collapse to another entangled state. For instance, if the measurement result of the particles 1 and 3 is $|\phi^+\rangle_{13}$, then the state of the particles 2 and 4 would be $|\psi^+\rangle_{24}$. In other cases, the states of particles after entanglement swapping are shown in Table 1.

Note that if we treat the particles 2 and 4 as two signatures, we can transform these two signatures into an entangled state without the original data by means of entanglement swapping. Then, in the new entangled state, the particle 4 can be treated as a new signature. Here, we take a simple example for illustration. First, four operators are defined as follows for convenience:

$$\begin{aligned}
U(00) &= I = |0\rangle\langle 0| + |1\rangle\langle 1| = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \\
U(01) &= \sigma_x = |1\rangle\langle 0| + |0\rangle\langle 1| = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \\
U(10) &= \sigma_z = |0\rangle\langle 0| - |1\rangle\langle 1| = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix} \\
U(11) &= -i\sigma_y = |0\rangle\langle 1| - |1\rangle\langle 0| = \begin{pmatrix} 0 & 1 \\ -1 & 0 \end{pmatrix}.
\end{aligned}$$

Assume the signatures are $S_1 = U(01)|\psi\rangle_2 = \sigma_x|\psi\rangle_2$ and $S_2 = U(10)|\psi\rangle_4 = \sigma_z|\psi\rangle_4$. The state of all particles would then be $|\psi'\rangle_{12} \otimes |\psi'\rangle_{34} = \sigma_x^{(2)}|\phi^+\rangle_{12} \otimes \sigma_z^{(4)}|\phi^+\rangle_{34}$, where the superscript $(i)$ means performing an operation on the particle $i$. After entanglement swapping, the particles 2 and 4 would collapse to an entangled state. Without loss of generality, we assume that the measurement result of the particles 1 and 3 is $|\phi^+\rangle_{13}$. Hence, according to Table 1, the state of the particles 2 and 4 would be $|\psi^-\rangle_{24}$. In comparison with the original resulting state $|\phi^+\rangle_{24}$ after entanglement swapping without signature, we obtain $|\psi^-\rangle_{24} = -i\sigma_y|\phi^+\rangle_{24} = U(01 \oplus 10)|\phi^+\rangle_{24}$. This result gives an important hint about the relationship between entanglement swapping and homomorphic operation. The key to the design of the homomorphic operation is to make the particle 4 become the homomorphic signature resulting from combining the two original signatures. Hence, entanglement swapping provides the possibility of a homomorphic operation for quantum signature.

3 Quantum homomorphic signature scheme

Inspired by the idea of entanglement swapping, we propose a quantum homomorphic signature scheme based on entanglement swapping. Assume that the object of a signature is classical information and the carrier of a signature is quantum information; a signer sends the data of classical bits $X_1$ ($X_2$) with the signature of quantum states to a verifier. The quantum homomorphic signature model is shown in Fig. 3. $A_1$ ($A_2$) are the signers, $M_1$ is the aggregator who aggregates the received signatures to generate a new signature according to the original signatures, and $M_2$ is the verifier. Our signature scheme is defined by a tuple of algorithms (Setup, Sign, Combine, Verify) such that:

Fig. 3 Quantum homomorphic signature model


(1) Setup

Step 1: Quantum key distribution. $A_1$ ($A_2$) chooses two classical bits (denoted as $Y_1$ ($Y_2$)) as its secret key and shares this key with $M_2$ by a quantum key distribution protocol, such as an improved BB84 protocol with authentication [22] which can defend against the middle-man attack. Here $Y_1, Y_2 \in \{00, 01, 10, 11\}$.

Step 2: EPR pair distribution. $M_1$ first prepares two pairs of entangled particles:

$$|\phi^+\rangle_{12} = \frac{1}{\sqrt{2}}\left(|0_1 0_2\rangle + |1_1 1_2\rangle\right), \qquad |\phi^+\rangle_{34} = \frac{1}{\sqrt{2}}\left(|0_3 0_4\rangle + |1_3 1_4\rangle\right).$$

$M_1$ sends its particles 2 and 4 (denoted as $|\psi\rangle_2$, $|\psi\rangle_4$) to $A_1$ and $A_2$, respectively.

(2) Sign

After receiving the particle from $M_1$, $A_1$ ($A_2$) chooses a unitary operator according to the exclusive OR result of its classical bits $X_1$ ($X_2$) and key $Y_1$ ($Y_2$) and performs the corresponding operation on the particle 2 (4). Note that $|\psi'\rangle_{12} = U(X_1 \oplus Y_1)^{(2)}|\psi\rangle_{12}$. Although the particles 1 and 2 belong to one entangled pair, we view the resulting state of the particle 2 (4), namely $|\psi'\rangle_2$ ($|\psi'\rangle_4$), as the signature of $A_1$ ($A_2$) just for convenience of description. In fact, the particle 2 (4) is in an entangled state and thus has no pure state representation on its own. Here, the unitary operator corresponding to the classical bits $X_i$ and the key $Y_i$ is chosen as follows:

$$\begin{aligned}
X_i \oplus Y_i = 00 &\rightarrow I = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \\
X_i \oplus Y_i = 01 &\rightarrow \sigma_x = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \\
X_i \oplus Y_i = 10 &\rightarrow \sigma_z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix} \\
X_i \oplus Y_i = 11 &\rightarrow -i\sigma_y = \begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix}
\end{aligned} \tag{2}$$

Hence, after the signing phase, the state of the two EPR pairs would be $|\psi'\rangle_{12} = U(X_1 \oplus Y_1)^{(2)} \cdot |\phi^+\rangle_{12}$, $|\psi'\rangle_{34} = U(X_2 \oplus Y_2)^{(4)} \cdot |\phi^+\rangle_{34}$.

(3) Combine

Step 1: $A_1$ ($A_2$) sends the transformed particle 2 (4), namely $|\psi'\rangle_2$ ($|\psi'\rangle_4$), and the classical bits $X_1 \oplus Y_1$ ($X_2 \oplus Y_2$) to $M_1$.

Step 2: $M_1$ performs a Bell-state measurement on the particles 1 and 3. Here, we denote $|\psi'\rangle_{13}$ as the state of the particles 1 and 3 after measurement. Then, according to entanglement swapping, the particles 2 and 4 would collapse to a Bell state, which can be denoted as $|\psi'\rangle_{24}$. $|\psi'\rangle_4$ would be the signature of $M_1$, i.e., $|S_{M_1}\rangle = |\psi'\rangle_4$.

Step 3: $M_1$ sends the classical information $(X_1 \oplus Y_1) \oplus (X_2 \oplus Y_2)$ and the particles (1, 2, 3, 4) (i.e., $|\psi'\rangle_{13} \otimes |\psi'\rangle_{24}$) to $M_2$.

(4) Verify

After receiving the classical information and the particles from $M_1$, $M_2$ can verify the signature as follows:

Step 1: $M_2$ performs a Bell-state measurement on the particles 1 and 3, and obtains $|\psi'\rangle_{13}$. Note that $|\psi'\rangle_{13}$ falls into one of the four Bell states according to Table 1. Hence, the Bell-state measurement on the particles 1 and 3 by $M_2$ would be non-destructive.

Step 2: $M_2$ performs a Bell-state measurement on the particles 2 and 4, and obtains $|\psi'\rangle_{24}$.

Step 3: According to Table 1, $M_2$ compares $|\psi'\rangle_{24}$ with $|\psi\rangle_{24}$, and obtains an operator which satisfies $|\psi'\rangle_{24} = c(Z)\,U(Z)^{(4)} \cdot |\psi\rangle_{24}$. Here, the superscript (4) means performing an operation on the particle 4, and $|c(Z)| = 1$. The reference state $|\psi\rangle_{24}$ is defined by considering the resulting state of the original particles after entanglement swapping: if the measurement result of the original particles 1 and 3 satisfies $|\psi\rangle_{13} = |\psi'\rangle_{13}$, then we denote $|\psi\rangle_{24}$ as the resulting state of the original particles 2 and 4 after entanglement swapping.

Step 4: $M_2$ compares $X_1 \oplus X_2 \oplus Y_1 \oplus Y_2$ with $Z$. If $X_1 \oplus X_2 \oplus Y_1 \oplus Y_2 = Z$, $M_2$ would confirm that $|\psi'\rangle_4$ is the signature of $M_1$. Then, $M_2$ can calculate $X_1 \oplus X_2$ by its keys $Y_1$ and $Y_2$ (which are shared in advance with the senders as described in the process of signature). Otherwise, $M_2$ would deny the signature.

We take an example to illustrate this scheme more clearly.

Example 1 Assume $X_1 = 00$, $Y_1 = 01$, $X_2 = 01$ and $Y_2 = 11$. Then, the signatures of $A_1$ and $A_2$ are $S_1 = U(00 \oplus 01)|\psi\rangle_2 = \sigma_x|\psi\rangle_2$ and $S_2 = U(01 \oplus 11)|\psi\rangle_4 = \sigma_z|\psi\rangle_4$, respectively. After the signing phase, the state of the particles (1, 2, 3, 4) becomes:

$$\begin{aligned}
|\phi^+\rangle_{12} &\rightarrow |\psi'\rangle_{12} = \sigma_x^{(2)}|\phi^+\rangle_{12} = |\psi^+\rangle_{12} \\
|\phi^+\rangle_{34} &\rightarrow |\psi'\rangle_{34} = \sigma_z^{(4)}|\phi^+\rangle_{34} = |\phi^-\rangle_{34}.
\end{aligned}$$

After the combining phase, the particles 1 (2) and 3 (4) would collapse to a Bell state according to entanglement swapping. Here, we assume that $|\psi'\rangle_{13} = |\psi^+\rangle_{13}$. After receiving the information and signatures (the particles), $M_2$ would obtain $|\psi'\rangle_{24} = |\phi^-\rangle_{24}$ by measurement. Then, $M_2$ compares $|\phi^-\rangle_{24}$ with the corresponding original state $|\psi\rangle_{24}$ (which equals $|\psi^+\rangle_{24}$ as shown in Table 1). Without modification from attackers, $M_2$ will obtain $|\psi'\rangle_{24} = |\phi^-\rangle_{24} = -U(11)^{(4)}|\psi\rangle_{24} = -U(11)^{(4)}|\psi^+\rangle_{24}$, i.e., $Z = 11$. By verifying whether $Z$ equals $X_1 \oplus Y_1 \oplus X_2 \oplus Y_2$ (= 11) or not, $M_2$ can confirm that the resulting data $X_1 \oplus X_2$ are surely from the senders $A_1$ and $A_2$.

4 Scheme analysis

In this section, we give the analysis of the above quantum homomorphic signature scheme.
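The Setup, Sign, Combine and Verify steps of Sect. 3 can be checked numerically for every message, key and measurement outcome. The following pure-Python state-vector simulation is an added example, not code from the paper; the function names and the `tamper` parameter (a constructed fault that flips the classical bits forwarded by $M_1$) are assumptions of this example.

```python
import math

R = 1 / math.sqrt(2)
# Operators U(00), U(01), U(10), U(11) of Eq. (2): I, sigma_x, sigma_z, -i*sigma_y
U = {0b00: ((1, 0), (0, 1)), 0b01: ((0, 1), (1, 0)),
     0b10: ((1, 0), (0, -1)), 0b11: ((0, -1), (1, 0))}
# Bell states as amplitudes over |00>, |01>, |10>, |11>
BELL = {"phi+": (R, 0, 0, R), "phi-": (R, 0, 0, -R),
        "psi+": (0, R, R, 0), "psi-": (0, R, -R, 0)}


def bit(idx, q, n=4):
    """Value of particle q (1-based, leftmost first) in basis index idx."""
    return (idx >> (n - q)) & 1


def apply(state, op, q, n=4):
    """Apply the 2x2 operator op to particle q of an n-qubit state vector."""
    out = [0.0] * len(state)
    for idx, amp in enumerate(state):
        cleared = idx & ~(1 << (n - q))
        for new in (0, 1):
            out[cleared | (new << (n - q))] += op[new][bit(idx, q, n)] * amp
    return out


def sign(x1, y1, x2, y2):
    """Setup + Sign: |phi+>_12 |phi+>_34, then U(X1^Y1) on particle 2, U(X2^Y2) on 4."""
    state = [BELL["phi+"][i >> 2] * BELL["phi+"][i & 3] for i in range(16)]
    return apply(apply(state, U[x1 ^ y1], 2), U[x2 ^ y2], 4)


def measure_13(state):
    """Combine step 2: for each Bell outcome on particles 1,3, the collapsed state of 2,4."""
    results = {}
    for name, b in BELL.items():
        s24 = [0.0] * 4
        for idx, amp in enumerate(state):
            s24[2 * bit(idx, 2) + bit(idx, 4)] += b[2 * bit(idx, 1) + bit(idx, 3)] * amp
        norm = math.sqrt(sum(a * a for a in s24))
        results[name] = [a / norm for a in s24]
    return results


def recover_z(outcome, s24):
    """Verify step 3: find Z with |psi'>_24 = c(Z) U(Z)^(4) |psi>_24, |c(Z)| = 1."""
    # Unsigned pairs leave particles 2,4 in the same Bell state as 1,3 (Table 1, first row).
    reference = list(BELL[outcome])
    for z, op in U.items():
        candidate = apply(reference, op, 2, n=2)  # particle 4 is the second of the pair
        overlap = sum(c * s for c, s in zip(candidate, s24))
        if abs(abs(overlap) - 1) < 1e-9:
            return z
    raise ValueError("particles 2,4 are not in a Bell state")


def run(x1, y1, x2, y2, tamper=0b00):
    """Return (accepted, X1^X2 recovered by M2) for every possible outcome at M1."""
    claimed = (x1 ^ y1) ^ (x2 ^ y2) ^ tamper          # classical bits of Combine step 3
    verdicts = []
    for outcome, s24 in measure_13(sign(x1, y1, x2, y2)).items():
        z = recover_z(outcome, s24)                   # Verify steps 1-3
        verdicts.append((z == claimed, z ^ y1 ^ y2))  # Verify step 4
    return verdicts


if __name__ == "__main__":
    # Example 1: X1 = 00, Y1 = 01, X2 = 01, Y2 = 11 gives Z = 11 and X1^X2 = 01
    print(run(0b00, 0b01, 0b01, 0b11))
    # Same signatures, but the forwarded classical bits were altered in transit
    print(run(0b00, 0b01, 0b01, 0b11, tamper=0b10))
```

Each tuple corresponds to one of the four equally likely Bell outcomes at $M_1$; the verdict does not depend on which outcome occurs.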


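To prove the homomorphism of our quantum signature scheme, we give two lemmas as follows:

Lemma 1 $U(X_1)U(X_2)|\varphi\rangle = c(X_1, X_2)\,U(X_1 \oplus X_2)|\varphi\rangle$, where $X_1, X_2 \in \{00, 10, 01, 11\}$, $|c(X_1, X_2)| = 1$.

Proof Since $c(X_1, X_2)$ depends on $X_1$ and $X_2$, its value equals $-1$ or $1$. Hence, when $|c(X_1, X_2)| = 1$, the above lemma can be easily proved.

Lemma 2 $U_1^{(1)} \cdot U_2^{(2)} \cdot |\psi\rangle_{12} = c_x \cdot (U_1 \cdot U_2)^{(2)}|\psi\rangle_{12}$, $|c_x| = 1$, where the superscript $(i)$ means performing an operation on the particle $i$, $U_1, U_2 \in \{I, \sigma_x, \sigma_z, -i\sigma_y\}$, $|\psi\rangle_{12} \in \{|\phi^+\rangle, |\phi^-\rangle, |\psi^+\rangle, |\psi^-\rangle\}$.

Proof Assume that $U_1 = \begin{pmatrix} x_1 & x_2 \\ x_3 & x_4 \end{pmatrix}$, $U_2 = \begin{pmatrix} y_1 & y_2 \\ y_3 & y_4 \end{pmatrix}$. Considering $U_1, U_2 \in \{I, \sigma_x, \sigma_z, -i\sigma_y\}$, we can obtain that

$$|x_1| = |x_4|, \quad |x_2| = |x_3|, \quad x_1 \cdot x_2 = 0, \qquad |y_1| = |y_4|, \quad |y_2| = |y_3|, \quad y_1 \cdot y_2 = 0.$$

Taking $|\psi\rangle_{12} = |\phi^+\rangle_{12}$ as an example, we obtain that

$$\begin{aligned}
U_1^{(1)} \cdot U_2^{(2)} \cdot |\psi\rangle_{12}
&= \frac{1}{\sqrt{2}}\left[\begin{pmatrix} x_1 & x_2 \\ x_3 & x_4 \end{pmatrix}\begin{pmatrix} 1 \\ 0 \end{pmatrix} \otimes \begin{pmatrix} y_1 & y_2 \\ y_3 & y_4 \end{pmatrix}\begin{pmatrix} 1 \\ 0 \end{pmatrix} + \begin{pmatrix} x_1 & x_2 \\ x_3 & x_4 \end{pmatrix}\begin{pmatrix} 0 \\ 1 \end{pmatrix} \otimes \begin{pmatrix} y_1 & y_2 \\ y_3 & y_4 \end{pmatrix}\begin{pmatrix} 0 \\ 1 \end{pmatrix}\right] \\
&= \frac{1}{\sqrt{2}}\left[\begin{pmatrix} x_1 \\ x_3 \end{pmatrix} \otimes \begin{pmatrix} y_1 \\ y_3 \end{pmatrix} + \begin{pmatrix} x_2 \\ x_4 \end{pmatrix} \otimes \begin{pmatrix} y_2 \\ y_4 \end{pmatrix}\right]
= \frac{1}{\sqrt{2}}\begin{pmatrix} x_1y_1 + x_2y_2 \\ x_1y_3 + x_2y_4 \\ x_3y_1 + x_4y_2 \\ x_3y_3 + x_4y_4 \end{pmatrix}
\end{aligned}$$

$$\begin{aligned}
(U_1 \cdot U_2)^{(2)}|\psi\rangle_{12}
&= \frac{1}{\sqrt{2}}\begin{pmatrix} 1 \\ 0 \end{pmatrix} \otimes \begin{pmatrix} x_1y_1 + x_2y_3 & x_1y_2 + x_2y_4 \\ x_3y_1 + x_4y_3 & x_3y_2 + x_4y_4 \end{pmatrix}\begin{pmatrix} 1 \\ 0 \end{pmatrix} + \frac{1}{\sqrt{2}}\begin{pmatrix} 0 \\ 1 \end{pmatrix} \otimes \begin{pmatrix} x_1y_1 + x_2y_3 & x_1y_2 + x_2y_4 \\ x_3y_1 + x_4y_3 & x_3y_2 + x_4y_4 \end{pmatrix}\begin{pmatrix} 0 \\ 1 \end{pmatrix} \\
&= \frac{1}{\sqrt{2}}\begin{pmatrix} x_1y_1 + x_2y_3 \\ x_3y_1 + x_4y_3 \\ x_1y_2 + x_2y_4 \\ x_3y_2 + x_4y_4 \end{pmatrix}
\end{aligned} \tag{3}$$

In consideration of Eq. (3), we obtain that

$$x_1 = 1 = y_1 \;\rightarrow\; U_1^{(1)} \cdot U_2^{(2)} \cdot |\psi\rangle_{12} = \frac{1}{\sqrt{2}}\begin{pmatrix} x_1y_1 + x_2y_2 \\ x_1y_3 + x_2y_4 \\ x_3y_1 + x_4y_2 \\ x_3y_3 + x_4y_4 \end{pmatrix} = \frac{1}{\sqrt{2}}\begin{pmatrix} x_1y_1 \\ 0 \\ 0 \\ x_4y_4 \end{pmatrix} = \frac{1}{\sqrt{2}}\begin{pmatrix} x_1y_1 + x_2y_3 \\ x_3y_1 + x_4y_3 \\ x_1y_2 + x_2y_4 \\ x_3y_2 + x_4y_4 \end{pmatrix} = (U_1 \cdot U_2)^{(2)}|\psi\rangle_{12}$$

In other cases, the same conclusion can be drawn. Hence, Lemma 2 is proved.

Property 1 The proposed quantum signature scheme is additively homomorphic.

Proof According to this scheme, the signature of $A_i$ is $|\psi'\rangle_{2i} = U(X_i \oplus Y_i)|\psi\rangle_{2i}$. Then, the state of all particles after $A_i$ generates a signature would be transformed into: $|\phi^+\rangle_{12} \otimes |\phi^+\rangle_{34} \rightarrow |\psi'\rangle_{1234}$.

$$\begin{aligned}
|\psi'\rangle_{1234}
&= U(X_1 \oplus Y_1)^{(2)}|\phi^+\rangle_{12} \otimes U(X_2 \oplus Y_2)^{(4)}|\phi^+\rangle_{34} \\
&= \frac{1}{2}\,U(X_1 \oplus Y_1)^{(2)}\,U(X_2 \oplus Y_2)^{(4)}\left(|0000\rangle_{1234} + |0011\rangle_{1234} + |1100\rangle_{1234} + |1111\rangle_{1234}\right) \\
&= \frac{1}{2}\,U(X_1 \oplus Y_1)^{(2)}\,U(X_2 \oplus Y_2)^{(4)}\left(|\phi^+\rangle_{13}|\phi^+\rangle_{24} + |\phi^-\rangle_{13}|\phi^-\rangle_{24} + |\psi^+\rangle_{13}|\psi^+\rangle_{24} + |\psi^-\rangle_{13}|\psi^-\rangle_{24}\right)
\end{aligned}$$

It can be rewritten as follows according to Lemmas 1 and 2:

$$\begin{aligned}
|\psi'\rangle_{1234}
&= \frac{1}{2}\Big\{|\phi^+\rangle_{13}\left[c_x \cdot U(X_1 \oplus Y_1)^{(4)}\,U(X_2 \oplus Y_2)^{(4)}|\phi^+\rangle_{24}\right] + |\phi^-\rangle_{13}\left[c_x \cdot U(X_1 \oplus Y_1)^{(4)}\,U(X_2 \oplus Y_2)^{(4)}|\phi^-\rangle_{24}\right] \\
&\qquad + |\psi^+\rangle_{13}\left[c_x \cdot U(X_1 \oplus Y_1)^{(4)}\,U(X_2 \oplus Y_2)^{(4)}|\psi^+\rangle_{24}\right] + |\psi^-\rangle_{13}\left[c_x \cdot U(X_1 \oplus Y_1)^{(4)}\,U(X_2 \oplus Y_2)^{(4)}|\psi^-\rangle_{24}\right]\Big\} \\
&= \frac{1}{2}\Big\{|\phi^+\rangle_{13}\left[c_x \cdot c(U_1, U_2) \cdot U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)^{(4)}|\phi^+\rangle_{24}\right] + |\phi^-\rangle_{13}\left[c_x \cdot c(U_1, U_2) \cdot U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)^{(4)}|\phi^-\rangle_{24}\right] \\
&\qquad + |\psi^+\rangle_{13}\left[c_x \cdot c(U_1, U_2) \cdot U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)^{(4)}|\psi^+\rangle_{24}\right] + |\psi^-\rangle_{13}\left[c_x \cdot c(U_1, U_2) \cdot U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)^{(4)}|\psi^-\rangle_{24}\right]\Big\}
\end{aligned}$$

After performing a Bell-state measurement on the particles 1 and 3, we obtain that $|\psi'\rangle_{24} = U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)^{(4)}|\psi\rangle_{24}$. Note that $|c_x \cdot c(U_1, U_2)| = 1$ is a phase factor and can be ignored after performing a Bell-state measurement. Compared with the original state $|\phi^+\rangle_{12} \otimes |\phi^+\rangle_{34} = \frac{1}{2}\left(|\phi^+\rangle_{13}|\phi^+\rangle_{24} + |\phi^-\rangle_{13}|\phi^-\rangle_{24} + |\psi^+\rangle_{13}|\psi^+\rangle_{24} + |\psi^-\rangle_{13}|\psi^-\rangle_{24}\right)$, we obtain that $|\psi'\rangle_{24} = c(Z) \cdot U(Z)^{(4)} \cdot |\psi\rangle_{24}$, $Z = X_1 \oplus Y_1 \oplus X_2 \oplus Y_2$.

Here, we can view the operation of entanglement swapping as a function $f$ and the operation of signature as a function $\mathrm{Sign}$. As we know, the function $f$ is $|\phi^+\rangle_{12} \otimes |\phi^+\rangle_{34} \rightarrow |\psi'\rangle_{13} \otimes |\psi'\rangle_{24}$, and the function $\mathrm{Sign}$ is $\mathrm{Sign}(X) = U(X \oplus Y)^{(2)}|\psi\rangle_{12}$, where $Y$ is the secret key corresponding to the information $X$. By definition, the aggregator $M_1$ receives the messages $(X_1 \oplus Y_1, X_2 \oplus Y_2)$ and the corresponding signatures. Note that, different from the classical case, we only view the particles 2 (4) as the signature $S_1$ ($S_2$). Hence, $S_1$ ($S_2$) can be generated by $\mathrm{Sign}(X_1)$ ($\mathrm{Sign}(X_2)$) as follows:

$$\begin{aligned}
\mathrm{Sign}(X_1) &\rightarrow S_1 = |\psi'\rangle_2 = U(X_1 \oplus Y_1)|\psi\rangle_2, \\
\mathrm{Sign}(X_2) &\rightarrow S_2 = |\psi'\rangle_4 = U(X_2 \oplus Y_2)|\psi\rangle_4.
\end{aligned}$$

Without the keys $Y_1$ and $Y_2$, $M_1$ generates a new signature by entanglement swapping. The whole process can be described as follows:

$$\begin{aligned}
f\left(\mathrm{Sign}(X_1), \mathrm{Sign}(X_2)\right) &= |\psi'\rangle_{13} \otimes |\psi'\rangle_{24} \\
&= U(X_1 \oplus Y_1)^{(2)}|\psi\rangle_{12} \otimes U(X_2 \oplus Y_2)^{(4)}|\psi\rangle_{24} \\
&= |\psi\rangle_{13} \otimes U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)^{(4)}|\psi\rangle_{24}.
\end{aligned}$$

Obviously $f(\mathrm{Sign}(X_1), \mathrm{Sign}(X_2)) \rightarrow S_{M_1} = |\psi'\rangle_4 = U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)|\psi\rangle_4$. If $M_1$ generates its signature according to the information $X_1 \oplus X_2$ and the key $Y_1 \oplus Y_2$, then $\mathrm{Sign}(X_1 \oplus X_2) \rightarrow S_{M_1} = U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2)|\psi\rangle_4$. Thus $f(\mathrm{Sign}(X_1), \mathrm{Sign}(X_2)) \rightarrow S_{M_1} = S_{M_1} \leftarrow \mathrm{Sign}(X_1 \oplus X_2)$. Comparing with the definition of classical additive homomorphism $\phi(X_1 + X_2) = f(\phi(X_1), \phi(X_2))$, our signature scheme satisfies the property of additive homomorphism.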
To prove the unforgeability of our scheme, we first give two lemmas as follows:

Lemma 3 The secret key $Y_i$ is shared by $M_2$ and $A_i$ securely.

Proof Although the BB84 protocol has been proved to be unconditionally secure, it is vulnerable to the middle-man attack. Hence, we use an improved BB84 protocol inspired by the literature [22] to distribute the key and defend against the middle-man attack. In this protocol, $M_2$ and $A_i$ share a series of EPR pairs. $M_2$ owns one half of these particles and $A_i$ owns the others. $M_2$ prepares a photon sequence (we call these particles key particles for convenience), whose particles correspond to the base vectors $|+\rangle$, $|-\rangle$ or $|1\rangle$, $|0\rangle$ at random. First, $M_2$ inserts its EPR particles into its photon sequence at random and preserves the sequence numbers of these EPR particles. Then, $M_2$ sends its photon sequence and the sequence numbers to $A_i$. $A_i$ performs measurements on the key particles in the basis $|+\rangle$, $|-\rangle$ or $|0\rangle$, $|1\rangle$, and tells $M_2$ the chosen measurement bases. $M_2$ tells $A_i$ which photons they measured with the same base vectors. Consequently, they discard the photons that they measured with different base vectors. After transforming the remaining key particles to classical bits (called the raw key) as follows:

$$|1\rangle \rightarrow 1, \quad |0\rangle \rightarrow 0, \qquad |+\rangle \rightarrow 1, \quad |-\rangle \rightarrow 0,$$

they choose some bits of the raw key and compare them. Obviously, if the unequal bits exceed a certain threshold, they have suffered from a wiretapping attack. In this process, $A_i$ can also detect the middle-man attack by measuring the EPR particles in the photon sequence and its own EPR particles. Suppose a middle-man, Mallory, captures the sequence numbers of these EPR particles and the photon sequence, forges the EPR particles and sends them to $A_i$. Because $A_i$ can measure the EPR particles in the four Bell bases at random, the measurement results of the EPR particles forged by Mallory would be different from those of the EPR particles of $A_i$. Hence, the middle-man attack would be found. Based on the improved BB84 protocol, this quantum key distribution protocol can defend against any middle-man attack. Hence, we can prove Lemma 3.

Lemma 4 The secret key $Y_i$ cannot be calculated by means of the classical information and its corresponding quantum signature.

Proof As shown in Fig. 4, no attacker can obtain the secret key by capturing the classical information and its quantum signature. The details are as follows:

Fig. 4 The security of secret key

(1) If an attacker captures the particle $2i$ ($i \in \{1, 2\}$) and the information $X_i \oplus Y_i$ which are sent by $A_i$, he cannot obtain the key $Y_i$.

Assume an attacker obtains the particle 2 and the classical bits $X_1 \oplus Y_1$. Without the particle 1, he cannot obtain $|\psi'\rangle_{12}$; he can only obtain the state of the particle 2 ($|+\rangle$ or $|-\rangle$) in a corresponding measurement basis, which prevents him from calculating the unitary operation $U(X_1 \oplus Y_1)$. Hence, no attacker can obtain the key $Y_i$ only by capturing the particle $2i$ and the information $X_i \oplus Y_i$ sent by $A_i$.


(2) If an attacker captures the particles (1, 2, 3, 4) and the information (X 1 ⊕ Y1 ) ⊕ (X 2 ⊕ Y2 ) which are sent by the intermediate nodes M1 , he cannot obtain the key Yi .   In this case, an attacker can obtain the state of the particles 2 and 4, namely ψ  24 = U (X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 )(4) |ψ24 by performing a Bell-state measurement on them. However, the attacker can only obtain the classical bits X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 by the unitary operator U (X 1 ⊕ Y1 ⊕ X 2 ⊕ Y2 ). But he cannot obtain the keys Y1 and Y2 separately even if he can also captures X 1 ⊕ Y1 and X 2 ⊕ Y2 . Property 2 The signature Si is unforgeable. Proof According to our quantum signature scheme, the signature of Ai is Si = U (X i ⊕ Yi ) |ψ2i . In other words, the key Yi is necessary to generate a signature. According to Lemmas 3 and 4, any attacker cannot obtain the key Yi by wiretap attacks. Hence, without the key Yi , any attacker cannot forge a signature corresponding to his data X i  . In a quantum network, quantum channels are secure. In virtue of quantum homomorphic signature scheme, the classical bits would not be falsified. Even if an attacker obtains the classical bits by wiretap, he cannot recover the original quantum states. Furthermore, even if an attacker or malicious node falsifies these classical bits, the receivers would find and filter out these corrupt packets. Hence, our quantum signature scheme can effectively defend against active attacks and wiretap attacks. Property 3 If two senders use a same secret key, namely Y1 = Y2 , our quantum signature scheme can verify the identity of a single data source. If two senders use different secret keys, namely Y1 = Y2 , our quantum signature scheme can verify the identity of different data sources. Proof When Y1 = Y2 , our quantum network model can be viewed as a single-source multicast network. The information sent by A1 and A2 is from a single-source node upstream. 
Then, by verifying the homomorphic signature, we can directly confirm whether the classical bits $X_1 \oplus X_2$ received by $M_2$ are the exclusive OR result of the classical bits $X_1$ and $X_2$ from a certain source node. When $Y_1 \neq Y_2$, our quantum network model can be viewed as a multi-source unicast network, where there are two source nodes $A_1$ and $A_2$. The homomorphic signature received by $M_2$ is the combination of signatures from $A_1$ and $A_2$ at the intermediate node $M_1$. Hence, by verifying the signature of $M_1$, we can confirm whether the classical bits $X_1 \oplus X_2$ are from $M_1$. Note that the classical bits of $M_1$ are the exclusive OR result of the classical bits $X_1$ from $A_1$ and $X_2$ from $A_2$. On this basis, we can indirectly authenticate the identity of the data source.

5 Discussion

In this section, we discuss the effect of quantum homomorphic signature on quantum networks. For a more complicated and general scenario, there exist more than

two source nodes. Thus it is necessary to discuss whether our scheme can be adjusted to combine more signatures. As shown in Fig. 5, a multi-source model can always be transformed into a double-source model. In this model, three source nodes $A_1$, $A_2$ and $A_3$ transmit their information to an intermediate node $M_1$. By adding a node $D_1$, we can transform this triple-source model into two double-source models whose source nodes are $A_1$, $D_1$ and $A_2$, $A_3$, respectively. Obviously our quantum homomorphic signature scheme can be extended to this scenario after transformation. The details are described as follows:

[Fig. 5 Multi-source model (nodes A1, A2, A3, D1, M1, M2; data X1, X2, X3)]

(1) Setup Similarly, we assume that $A_i$ shares its key $Y_i$ with $M_2$ by the improved BB84 protocol described in Lemma 3. Furthermore, $M_1$ prepares three pairs of entangled states:

$$|\phi^+\rangle_{12} = \frac{1}{\sqrt{2}} \left( |0_1 0_2\rangle + |1_1 1_2\rangle \right)$$

$$|\phi^+\rangle_{34} = \frac{1}{\sqrt{2}} \left( |0_3 0_4\rangle + |1_3 1_4\rangle \right)$$

$$|\phi^+\rangle_{56} = \frac{1}{\sqrt{2}} \left( |0_5 0_6\rangle + |1_5 1_6\rangle \right).$$

$M_1$ sends its particles 2, 4 and 6 (denoted as $|\psi\rangle_2$, $|\psi\rangle_4$, $|\psi\rangle_6$) to $A_1$, $A_2$ and $A_3$, respectively.

(2) Sign In this phase, each source node $A_i$ signs its particle $2i$ according to its classical information $X_i$. The signing method is the same as in the double-source model described in Sect. 3. Then, $A_i$ sends its particle $2i$ and the classical information $X_i \oplus Y_i$ to $M_1$. Here, we assume that the state of the particle $2i$ is $|\psi'\rangle_{(2i)} = U(X_i \oplus Y_i) |\psi\rangle_{(2i)}$.


(3) Combine After receiving the particles and information from the source nodes, $M_1$ first combines the signatures of $A_2$ and $A_3$ and obtains a result (which can be viewed as the signature of the added node $D_1$ in Fig. 5). Then, $M_1$ combines the result and the signature of $A_1$. The detailed process is described as follows:

Step 1: $M_1$ performs a Bell-state measurement on the particles 3 and 5 and obtains the result $|\psi'\rangle_{35}$. Obviously, the state of the particles 4 and 6 would be $|\psi'\rangle_{46} = c_1 \cdot U(X_2 \oplus Y_2 \oplus X_3 \oplus Y_3)^{(6)} |\psi\rangle_{46}$ according to Property 1. Here, the value of $c_1$ depends on $X_2 \oplus Y_2$ and $X_3 \oplus Y_3$, which satisfies $|c_1| = 1$ according to Lemma 1.

Step 2: $M_1$ performs a Bell-state measurement on the particles 1 and 4 and obtains the result $|\psi'\rangle_{14}$. Then, the state of the particles 2 and 6 would be $|\psi'\rangle_{26} = c_1 \cdot c_2 \cdot U(X_1 \oplus Y_1 \oplus X_2 \oplus Y_2 \oplus X_3 \oplus Y_3)^{(6)} |\psi\rangle_{46}$. Here, the value of $c_2$ depends on $X_1 \oplus Y_1$ and $X_2 \oplus Y_2 \oplus X_3 \oplus Y_3$, which satisfies $|c_1| = 1$ according to Lemma 1.

Step 3: $M_1$ sends the classical information $X_1 \oplus Y_1 \oplus X_2 \oplus Y_2 \oplus X_3 \oplus Y_3$ and the particles (1, 2, 3, 4, 5, 6) (i.e., $|\psi'\rangle_{35} \otimes |\psi'\rangle_{14} \otimes |\psi'\rangle_{26}$) to $M_2$.

(4) Verify After receiving the particles and $X_1 \oplus Y_1 \oplus X_2 \oplus Y_2 \oplus X_3 \oplus Y_3$, $M_2$ can verify the signature as follows:

Step 1: $M_2$ performs the Bell-state measurement on the particles 3, 5 and 1, 4 and obtains $|\psi'\rangle_{35}$ and $|\psi'\rangle_{14}$. According to Table 1, we can find the value of $|\psi\rangle_{46}$, which is the entanglement swapping result of $|\psi\rangle_{34} \otimes |\psi\rangle_{56}$ when $|\psi\rangle_{35} = |\psi'\rangle_{35}$. Similarly, with the value of $|\psi\rangle_{46}$, we can also calculate the value of $|\psi\rangle_{26}$, which is the entanglement swapping result of $|\psi\rangle_{12} \otimes |\psi\rangle_{46}$ when $|\psi\rangle_{14} = |\psi'\rangle_{14}$.

Step 2: $M_2$ performs the Bell-state measurement on the particles 2, 6 and obtains $|\psi'\rangle_{26}$. Then, $M_2$ compares $|\psi'\rangle_{26}$ with $|\psi\rangle_{26}$ and obtains an operator which satisfies $|\psi'\rangle_{26} = c(Z)\, U(Z)^{(4)} \cdot |\psi\rangle_{26}$. Here, $|c(Z)| = 1$.

Step 3: $M_2$ calculates $X_1 \oplus X_2 \oplus X_3$ by its keys.
Furthermore, if $X_1 \oplus Y_1 \oplus X_2 \oplus Y_2 \oplus X_3 \oplus Y_3 = Z$, $M_2$ would confirm that $|\psi'\rangle_{6}$ is the signature of $M_1$ and be assured that the resulting information $X_1 \oplus X_2 \oplus X_3$ originates from the source nodes $A_1$, $A_2$ and $A_3$. Otherwise, $M_2$ would deny the signature.

According to the above approach, our scheme can be easily extended to a multi-source model which may contain $n$ source nodes. Moreover, it can solve the problem of identity authentication of single-source unicast, single-source multicast, multi-source unicast, or multi-source multicast in quantum networks.

Note that our scheme would consume 4 extra particles (two entangled pairs) to generate a homomorphic signature. Obviously, for an $n$-source node model, it would need $2n$ particles. Hence, the efficiency and security of EPR pair distribution are very important. An effective distribution scheme would be of great value to the popularization of our scheme in the future. It is worth noting that the particles (1, 2, 3, 4) in our scheme would still fall into the Bell state after homomorphic signature as follows: $|\varphi\rangle_{12} \otimes |\varphi\rangle_{34} \to |\varphi'\rangle_{13} \otimes |\varphi\rangle_{24}$. This means that the particles can be reused for the next signature. Hence, by a reasonable design in the future, the particles consumed for homomorphic signature could be reduced, which could greatly enhance the efficiency of our scheme.
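The three-source Combine and Verify steps above, as an added state-vector simulation that is not code from the paper. It assumes that each 2-bit value (a, b) of $X_i \oplus Y_i$ selects the Pauli operator $X^a Z^b$ as $U$ and that Bell outcomes are labelled the same way (the paper's definition of $U$ and its Table 1 lie outside this section); all function names are illustrative.

```python
from itertools import product

# Assumed encoding (not from the paper): a 2-bit value (a, b) selects X^a Z^b,
# and Bell outcome (a, b) labels the state (I (x) X^a Z^b)|phi+>.
def pauli(state, pos, ab):
    """Apply X^a Z^b to qubit index pos of a {bit-tuple: amplitude} state."""
    a, b = ab
    out = {}
    for bits, amp in state.items():
        new = list(bits)
        new[pos] ^= a
        out[tuple(new)] = -amp if (b and bits[pos]) else amp
    return out

def bell(m):
    return pauli({(0, 0): 2 ** -0.5, (1, 1): 2 ** -0.5}, 1, m)

def bell_project(state, p, q, m):
    """Collapse qubits p, q onto Bell outcome m; return the unnormalised rest."""
    out = {}
    for bits, amp in state.items():
        c = bell(m).get((bits[p], bits[q]), 0)   # amplitudes are real here
        rest = tuple(x for i, x in enumerate(bits) if i not in (p, q))
        out[rest] = out.get(rest, 0) + c * amp
    return out

def bell_label(state):
    """Bell outcome that a 2-qubit Bell state (up to phase and norm) matches."""
    for m in product((0, 1), repeat=2):
        if abs(sum(bell(m).get(k, 0) * v for k, v in state.items())) > 1e-9:
            return m

def swap_chain(z, m35, m14):
    """Bell label of particles 2,6 after signing with z = (Z1, Z2, Z3) and both swaps."""
    state = {(a, a, b, b, c, c): 8 ** -0.5 for a, b, c in product((0, 1), repeat=3)}
    for i, zi in enumerate(z):
        state = pauli(state, 2 * i + 1, zi)    # particles 2, 4, 6 sit at indices 1, 3, 5
    state = bell_project(state, 2, 4, m35)     # particles 3,5; leaves 1,2,4,6
    state = bell_project(state, 0, 2, m14)     # particles 1,4; leaves 2,6
    return bell_label(state)

def xor2(*vals):
    return tuple(sum(v[k] for v in vals) % 2 for k in (0, 1))

def verify(claimed, z, keys, m35, m14):
    """Return X1^X2^X3 if the recovered operator label equals claimed, else None."""
    ref = swap_chain([(0, 0)] * 3, m35, m14)   # stands in for the Table 1 lookup
    seen = swap_chain(z, m35, m14)             # M2's measurement of particles 2,6
    return xor2(claimed, *keys) if xor2(ref, seen) == claimed else None
```

Whatever Bell outcomes $M_1$ obtains on (3, 5) and (1, 4), the operator label recovered from particles 2 and 6 is the XOR of the three signed values, so a classical value altered in transit no longer matches and `verify` returns `None`.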


6 Conclusion

To verify the identity of different data sources in the quantum network, we designed a quantum homomorphic signature scheme based on entanglement swapping. In our scheme, any attacker who attempts to falsify the data would be found. Security analysis shows that this scheme can effectively guarantee the security of the secret key and verify the identity of different data sources in the quantum network. Of course, for a more general scenario, our signature scheme needs to be further extended to combine more signatures.

Acknowledgments Project supported by the Research Promotion Grants-in-Aid for KUT Graduates of Special Scholarship Program, the National Basic Research Program of China (No.2012CB315905), the National Natural Science Foundation of China (No.61272501) and the Fundamental Research Funds for Central Universities (No.YWF14DZXY012) for valuable helps.
