Quantum Inf Process (2013) 12:3127–3141 DOI 10.1007/s11128-013-0589-6

Reexamination of arbitrated quantum signature: the impossible and the possible

Ke-Jia Zhang · Su-Juan Qin · Ying Sun · Ting-Ting Song · Qi Su

Received: 27 February 2013 / Accepted: 10 May 2013 / Published online: 21 May 2013 © Springer Science+Business Media New York 2013

Abstract As a new model for signing both quantum and classical messages, arbitrated quantum signature (AQS) protocols have recently attracted a lot of attention. In this paper, we analyze their security from an important security aspect, the receiver's forgery of the signature, and give a detailed proof that the attempt to design an improved optimal encryption for AQS cannot prevent the receiver's forgery attack unless some assistant security strategies are introduced. To show this, we first summarize an explicit formalization of the general AQS model and propose the necessary and sufficient conditions against the receiver's forgery attack. Then we point out a contradiction between them. To complete our security analysis, we verify that the AQS protocols for signing classical messages are still susceptible to the receiver's forgery. Finally, some assistant security strategies are provided to recover the security.

Keywords Arbitrated quantum signature · Forgery attack · Security analysis

1 Introduction

Digital signature is an important branch of cryptography. As is well known, the security of most classical digital signature protocols is based on assumptions of computational complexity and might be susceptible to the power of quantum computation [1,2]. Fortunately, the development of quantum cryptography provides us with a new

K.-J. Zhang (B) · S.-J. Qin · T.-T. Song · Q. Su: State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China. e-mail: [email protected]
Y. Sun: Beijing Electronic Science and Technology Institute, Beijing 100070, China

123

3128

K.-J. Zhang et al.

method to stand against quantum attacks [3]. Quite a few branches of quantum cryptography have attracted a great deal of attention and many effective results have been proposed, including quantum key distribution (QKD) [4–8], quantum secret sharing (QSS) [9–12] and quantum secure direct communication (QSDC) [13–17]. Along with these developments, quantum signatures have been studied in recent years. Gottesman et al. [18] and Buhrman et al. [19] made the first attempts at quantum digital signatures. However, in 2002, Barnum et al. pointed out that there exists a limit for quantum signatures, i.e., it is impossible to design a secure two-party quantum signature scheme [20]. To overcome this obstacle, Zeng and Keitel (ZK) afterwards proposed a pioneering arbitrated quantum signature (AQS) protocol in Ref. [21], which gives an elementary model to sign both a quantum message and a classical one. In the AQS model, one kind of optimal encryption named the quantum one-time pad (QOTP) [22] is used to ensure the security and make the model feasible in theory. In 2009, Li et al. presented a Bell-state-based AQS protocol, which simplified the ZK protocol by replacing Greenberger-Horne-Zeilinger (GHZ) states with Bell states as the carrier [23]. Then, Zou et al. further simplified this protocol by achieving AQS without entangled states [24]. All these protocols preserve the merits of the AQS model. In fact, AQS has been considered the most important aspect in the study of quantum digital signatures. The idea has been used in many practical quantum signature schemes such as quantum proxy signatures [25–27], quantum group signatures [28–30], quantum blind signatures [31,32], quantum multiparty signatures [33,34], etc.

Though AQS makes great contributions to the study of quantum signatures and perfects the system of quantum cryptography from both the practical and the fundamental view, it has some potential security loopholes itself. In 2011, Gao et al. proposed a cryptanalysis of AQS [35]. They pointed out that the QOTP used in AQS cannot prevent the receiver's forgery of the signature, because the encryption operators are based on Pauli operations, which commute with each other. In addition, the signer can successfully disavow any of her signatures by a simple attack. Later, Choi et al. provided an improved idea to prevent the receiver's Pauli forgery attack, with the ZK protocol as the example [36]. In Choi et al.'s improvement, an assistant operation $H$ is introduced so that the new encryption operator becomes $P_i H$, where $P_i$ represents the encryption operator of QOTP. Since Choi et al.'s encryption set (the set of all the encryption operators) destroys the commutativity of the encryption operators and satisfies the requirement for an optimal encryption (note that the necessary and sufficient conditions were also proposed in Ref. [22]), it is considered a feasible idea to improve the security of AQS. Recently, Hwang et al. discussed the influence of the denial-of-service attack [37,38] and the Trojan horse attack [39,40] on AQS, with Zou et al.'s protocol [24] as the example, in Ref. [41].

In this paper, we focus on an important security aspect, the receiver's forgery of the signature, and point out that all the AQS protocols referred to above, including Choi et al.'s improved one, are susceptible to this attack. To prove the conclusion, we first summarize the general AQS model and propose the necessary and sufficient conditions against the forgery attack. Then, we analyze the conditions and verify that there exists a contradiction between them. According to this result, it can be seen that the attempt to design an improved optimal encryption cannot prevent the receiver's forgery


of the signature. Moreover, we also analyze the security of the AQS model for signing classical messages, and show that it is still insecure. However, as far as we know, AQS is the only model that overcomes Barnum et al.'s limit [20] until now. Hence looking for feasible methods to improve its security is significant. To achieve this, some assistant strategies, which can be introduced into AQS to recover its security, are finally discussed in this paper.

The rest of this paper is organized as follows. In Sect. 2, we summarize the general AQS model. In Sect. 3, we propose the necessary and sufficient conditions that make AQS immune to the receiver's forgery attack. Furthermore, a contradiction between them is pointed out by our detailed analysis of the conditions. In Sect. 4, the AQS model for signing classical messages is proved to be still susceptible to the receiver's forgery. To improve the security of AQS, we provide some assistant security strategies in Sect. 5. Our discussions and conclusions are given in Sect. 6.

2 The description of the AQS model

In this section, we summarize a general AQS model. A signer Alice, a receiver Bob and a trusted arbitrator Trent are involved.

2.1 Initializing phase

(I1) With some secure QKD technique, each participant shares a secret key string with each of the others, denoted $K_{AB}$, $K_{AT}$ and $K_{BT}$, respectively.

(I2) The encryption algorithm used in AQS is the quantum one-time pad (QOTP). It uses $2n$ classical key bits to encrypt $n$-qubit quantum states, as described in Ref. [22].

2.2 Signing phase

(S1) Alice prepares three copies of the quantum message $|P\rangle = \bigotimes_{i=1}^{n} |p_i\rangle$ to be signed.

(S2) Hiding messages: with the shared key, one copy of $|P\rangle$ is turned into $|R\rangle$, where

$$|R\rangle = E_K(|P\rangle). \qquad (1)$$

Here $E_K$ represents the operations used to hide the quantum message $|P\rangle$. It can be accomplished by teleportation via particular entangled states in Refs. [21,23] or with the shared key $K_{AB}$ in Ref. [24]. The aim of this step is to send the hidden message $|R\rangle$ to Bob safely.

(S3) Generating the signature: with the shared key $K_{AT}$ and the second copy of $|P\rangle$, the signature $|S\rangle$ is obtained as

$$|S\rangle = E_{K_{AT}}(|P\rangle). \qquad (2)$$


Here we simplify the form of the signature, because preprocessing of $|P\rangle$ does not affect the security, as discussed in Ref. [35].

(S4) Alice encrypts the signature $|S\rangle$, the hidden information $|R\rangle$ and the third copy of the message $|P\rangle$ with $K_{AB}$ and sends the encrypted state, denoted $|Y_{AB}\rangle$, to Bob.

2.3 Verifying phase

(V1) Bob decrypts $|Y_{AB}\rangle$ with $K_{AB}$ and obtains $|S\rangle$, $|R\rangle$ and $|P\rangle$. According to their definitions, Bob encrypts the quantum states $|P\rangle$ and $|S\rangle$ with $K_{BT}$ and sends the encrypted state, denoted $|Y_{BT}\rangle$, to Trent.

(V2) Trent obtains $|S\rangle$ and $|P\rangle$ by decrypting $|Y_{BT}\rangle$ with $K_{BT}$. With the key $K_{AT}$, he recovers the quantum message $|P^r\rangle$ from the signature $|S\rangle$. Then he verifies whether the two recovered messages are equal or not (this may be achieved by probabilistic comparison of quantum states [19] if Alice signs unknown quantum messages, or by projective measurement if she signs known ones). If they are equal, he publishes $R_T = 1$ and sends the encrypted state $|Y_{TB}\rangle$ to Bob; otherwise he publishes $R_T = 0$ and stops the protocol. Here $|Y_{TB}\rangle$ contains the message $|P^r\rangle$ ($|P^r\rangle = |P\rangle$), the signature $|S\rangle$ (note that the compared states can be recovered after the comparison if they are indeed equal) and an assistant quantum state $|H\rangle$ if necessary.

(V3) Bob decrypts $|Y_{TB}\rangle$ and verifies whether $|R^r\rangle = E_K(|P^r\rangle)$ is equal to $|R\rangle$ (here he may use the assistant quantum state $|H\rangle$ to achieve that in some cases [21,23]). If the equation holds, he publishes $R_B = 1$; otherwise $R_B = 0$.

(V4) Bob accepts Alice's signature in the case $R_B = R_T = 1$ and keeps $(|P\rangle, |S\rangle)$ as the signed message.

3 Our security analysis of the AQS model

In this section, we analyze the security of the AQS model summarized above. It is well known from Refs. [35,36] that the security of AQS is determined by the use of QOTP. Hence, our security analysis is still focused on the quantum encryption used in AQS. The necessary and sufficient conditions against Bob's forgery attack are first proposed. Then, we point out a contradiction between them. Based on the conditions, it can be verified that the attempt to design an improved optimal encryption cannot prevent Bob's forgery of the signature.

3.1 The necessary and sufficient conditions against the forgery attack

It is not difficult to imagine Bob's successful forgery of the signature in the following situation: he wants to modify the received message $|P\rangle$ into $|P'\rangle$ and get the corresponding signature $|S'\rangle$ to obtain more profit. More specifically, this can be described as

$$|P'\rangle = U|P\rangle, \qquad |S'\rangle = Q|S\rangle, \qquad (3)$$


where $U$ and $Q$ respectively represent the unitary operations used to modify Alice's initial message and the corresponding signature. Bob sends the forged message and signature pair $(|P'\rangle, |S'\rangle)$ to Trent, and his forgery of the signature succeeds if $(|P'\rangle, |S'\rangle)$ is able to pass Trent's verification.

In view of this, Trent's verification determines whether Bob's forgery of the signature is successful or not. From step V2, it can be seen that Trent uses the key $K_{AT}$ to recover the message $|P'^{\,r}\rangle$ from the received signature $|S'\rangle$ and judges whether $|P'^{\,r}\rangle$ is equal to the received message $|P'\rangle$. That is to say, Bob's successful forgery means $|P'\rangle = \alpha E_{K_{AT}}^{\dagger}|S'\rangle$, where $\alpha$ is a constant satisfying $|\alpha| = 1$. Combining with Eq. (3), the above conclusion amounts to

$$U = \alpha\, E_{K_{AT}}^{\dagger}\, Q\, E_{K_{AT}}. \qquad (4)$$

Namely, analyzing Bob's successful forgery of the signature means judging whether Trent's decryption operation corresponds to one operation $U$, without caring about the constant. If so, Bob will perform the unitary operation $U$ on the received message to achieve the forgery attack.

Based on the above analysis, let us summarize the necessary and sufficient conditions for a feasible encryption to prevent Bob's forgery attack. It can be seen that the previous analyses proposed by Gao et al. [35] and Choi et al. [36] become particular cases of our results. To show that, the encryption set is represented by $\{W_1, W_2, W_3, W_4\}$ without loss of generality. The conditions are proposed as follows.

1. The condition for an optimal encryption: obviously, if $\{W_1, W_2, W_3, W_4\}$ makes up an optimal encryption set, it should first satisfy the basic condition referred to in Ref. [22], i.e., the set $\{W_i \mid i = 1, 2, 3, 4\}$ forms an orthonormal basis in a canonical inner product space, as follows:

$$\frac{1}{2}\,\mathrm{tr}\big[W_i^{\dagger} W_j\big] = \delta_{i,j} = \begin{cases} 0, & i \neq j, \\ 1, & i = j. \end{cases} \qquad (5)$$

This requirement makes sure that a malicious eavesdropper cannot discriminate the encoded states in the transmission. In a word, if there exists a secure encryption against Bob's forgery of the signature, the encryption set $\{W_1, W_2, W_3, W_4\}$ must first satisfy the precondition above.

2. The condition against Bob's forgery of the signature: from the security analysis of the AQS model proposed above, we know that Bob's successful forgery of the signature is determined by Trent's decryption. Namely, under the assumed encryption, Bob will successfully forge the signature with the operation $Q$ if and only if the following equation holds:

$$U = W_1^{\dagger} Q W_1 = \alpha_1 W_2^{\dagger} Q W_2 = \alpha_2 W_3^{\dagger} Q W_3 = \alpha_3 W_4^{\dagger} Q W_4, \qquad (6)$$

where $\alpha_i$ is any complex number with $|\alpha_i| = 1$. Furthermore, this result is equivalent to the fact that there exists a unitary operation $Q$ which commutes with $W_i W_j^{\dagger}$ ($i \neq j$).


Therefore, if a secure quantum encryption can prevent Bob's forgery attack, there must exist no unitary operation that commutes with $W_i W_j^{\dagger}$ ($i \neq j$).

With the conditions above, Gao et al.'s [35] and Choi et al.'s [36] results can be redescribed. It can be seen that for the AQS protocols based on QOTP [21,23,24], $W_i W_j^{\dagger}$ equals a Pauli operator $P_k$, which commutes with any Pauli operator (up to the constant), hence this type of AQS protocol is susceptible to Bob's Pauli forgery. Obviously, their cryptanalysis is in accordance with our results. Furthermore, some security loopholes can be pointed out with the conditions. In Choi et al.'s improvement [36], any two encryption operators can be described as $W_i = P_i H$, $W_j = P_j H$. In view of this, we get $W_i W_j^{\dagger} = P_i P_j = P_k$. Hence their improvement is still not able to prevent Bob's Pauli forgery; the detailed analysis can be seen in Ref. [42].

3.2 The contradiction between the necessary and sufficient conditions

Until now, we have found that the presented quantum encryptions, including Choi et al.'s improved one, are susceptible to Bob's forgery attack. Therefore, a question arises: can we design a secure optimal encryption to prevent Bob's forgery of the signature? In this section, we answer the question and prove that there exists no optimal encryption against Bob's forgery attack within the current quantum encryption idea (encrypting $n$ qubits with $2n$ classical bits). To show that, we point out a contradiction between the necessary and sufficient conditions above. The detailed analysis is as follows.

First, we discuss how to design an optimal encryption set from condition 1. It is known that a unitary operation $T$ satisfies $\mathrm{tr}[T] = 0$ if and only if it is of the form $T = \alpha\sigma_x + \beta\sigma_y + \gamma\sigma_z$ (here $\alpha, \beta, \gamma$ are complex numbers and $|\alpha|^2 + |\beta|^2 + |\gamma|^2 = 1$). This can be easily verified with some mathematical deduction. According to this result, we consider an encryption set of the form

$$\begin{aligned} W_1 &= w, \\ W_2 &= (a_1\sigma_x + b_1\sigma_y + c_1\sigma_z)\,w, \\ W_3 &= (a_2\sigma_x + b_2\sigma_y + c_2\sigma_z)\,w, \\ W_4 &= (a_3\sigma_x + b_3\sigma_y + c_3\sigma_z)\,w, \end{aligned} \qquad (7)$$

where $|a_i|^2 + |b_i|^2 + |c_i|^2 = 1$ ($i = 1, 2, 3$) and $w$ is an arbitrary unitary operation. Obviously, the set proposed above satisfies $\mathrm{tr}[W_1^{\dagger} W_j] = \mathrm{tr}[a_i\sigma_x + b_i\sigma_y + c_i\sigma_z] = 0$ ($j \neq 1$, $i = 1, 2, 3$). Furthermore, in order to make every $\mathrm{tr}[W_i^{\dagger} W_j] = 0$ ($i \neq j$), a necessary condition should be pointed out in the following equation:

$$\begin{cases} a_1^{*} a_2 + b_1^{*} b_2 + c_1^{*} c_2 = 0, \\ a_1^{*} a_3 + b_1^{*} b_3 + c_1^{*} c_3 = 0, \\ a_2^{*} a_3 + b_2^{*} b_3 + c_2^{*} c_3 = 0. \end{cases} \qquad (8)$$

It is clear that the analysis of $W_j^{\dagger} W_i$ can be obtained similarly. Combining Eqs. (7) and (8), an optimal encryption satisfying condition 1 has been obtained. Then we


verify that there exists no optimal encryption satisfying condition 1 and condition 2 simultaneously. To show the result, the following theorem should be introduced first.

Theorem 1 A unitary operation $T = AI + B\sigma_x + C\sigma_y + D\sigma_z$ ($A, B, C, D$ are complex numbers and $|A|^2 + |B|^2 + |C|^2 + |D|^2 = 1$) commutes with the operation $T' = m\sigma_x + n\sigma_y + l\sigma_z$ ($m, n, l$ are complex numbers and $|m|^2 + |n|^2 + |l|^2 = 1$) if and only if $Bm + Cn + Dl = 0$ or $Bn = Cm,\ Bl = Dm,\ Cl = Dn$.

Proof According to the definition of commutativity (up to the constant), we will get

$$(m\sigma_x + n\sigma_y + l\sigma_z)(AI + B\sigma_x + C\sigma_y + D\sigma_z) = \alpha\,(AI + B\sigma_x + C\sigma_y + D\sigma_z)(m\sigma_x + n\sigma_y + l\sigma_z). \qquad (9)$$

By the linear independence of the Pauli operators, the coefficient $\alpha$ must be $1$ or $-1$. More specifically, if $\alpha = 1$ then $Bn = Cm$, $Bl = Dm$, $Cl = Dn$, and $Bm + Cn + Dl = 0$ in the case $\alpha = -1$. At the same time, we can easily verify that if $T = AI + B\sigma_x + C\sigma_y + D\sigma_z$ satisfies $Bm + Cn + Dl = 0$ or $Bn = Cm$, $Bl = Dm$, $Cl = Dn$, it must commute with the unitary operation $T' = m\sigma_x + n\sigma_y + l\sigma_z$.

Obviously, the theorem provides an intuitive criterion to judge whether two unitary operations commute with each other. Based on this result, let us discuss whether the proposed optimal encryption satisfies condition 2, i.e., we want to recognize whether there exists a unitary operation $Q$ commuting with $W_i W_j^{\dagger}$ ($i \neq j$). If the result is positive, our proof will be achieved. To simplify our analysis, we only discuss $W_i W_j^{\dagger}$ in the case $i > j$ (note that the analysis of the other cases can be obtained similarly). Without loss of generality, we set

$$\begin{aligned} M_1 &= W_2 W_1^{\dagger} = a_1\sigma_x + b_1\sigma_y + c_1\sigma_z, \\ M_2 &= W_3 W_1^{\dagger} = a_2\sigma_x + b_2\sigma_y + c_2\sigma_z, \\ M_3 &= W_4 W_1^{\dagger} = a_3\sigma_x + b_3\sigma_y + c_3\sigma_z, \end{aligned} \qquad (10)$$

and the other forms of $W_i W_j^{\dagger}$ can be obtained similarly as

$$\begin{aligned} M_2 M_1^{\dagger} &= W_3 W_2^{\dagger} = (a_2\sigma_x + b_2\sigma_y + c_2\sigma_z)(a_1^{*}\sigma_x + b_1^{*}\sigma_y + c_1^{*}\sigma_z), \\ M_3 M_1^{\dagger} &= W_4 W_2^{\dagger} = (a_3\sigma_x + b_3\sigma_y + c_3\sigma_z)(a_1^{*}\sigma_x + b_1^{*}\sigma_y + c_1^{*}\sigma_z), \\ M_3 M_2^{\dagger} &= W_4 W_3^{\dagger} = (a_3\sigma_x + b_3\sigma_y + c_3\sigma_z)(a_2^{*}\sigma_x + b_2^{*}\sigma_y + c_2^{*}\sigma_z). \end{aligned} \qquad (11)$$

Hence, our analysis amounts to looking for a unitary operation $Q$ commuting with both $M_i$ and $M_i M_j^{\dagger}$ ($i > j$; $i, j = 1, 2, 3$). For the operations $M_i$, we get $M_i M_k^{\dagger} = -M_k^{\dagger} M_i$ ($i > k$; $i, k = 1, 2, 3$) according to Eq. (8) and Theorem 1 (note that this


can be easily obtained from the conclusions about their coefficients). Furthermore, it can be seen that

$$M_i M_k^{\dagger} = -M_k^{\dagger} M_i \;\Rightarrow\; M_i = -M_k^{\dagger} M_i M_k \;\Rightarrow\; M_k M_i = -M_i M_k, \qquad (12)$$

and the similar conclusion can be easily extended to the case $i = k$. Based on this conclusion, it can be seen that the operations in the set $\{M_k \mid k = 1, 2, 3\}$ commute with each other (up to the constant). Moreover, we show that the unitary operation $M_k$ also commutes with $M_i M_j^{\dagger}$ ($i > j$). To verify that, we discuss the following three cases:

1. $k = i$:

$$M_k (M_i M_j^{\dagger}) = M_i (M_i M_j^{\dagger}) = M_i(-M_j^{\dagger} M_i) = -(M_i M_j^{\dagger}) M_i = -(M_i M_j^{\dagger}) M_k \qquad (13)$$

2. $k = j$:

$$M_k (M_i M_j^{\dagger}) = M_j (M_i M_j^{\dagger}) = -(M_i M_j) M_j^{\dagger} = -(M_i M_j^{\dagger}) M_j = -(M_i M_j^{\dagger}) M_k \qquad (14)$$

3. $k \neq i$, $k \neq j$:

$$M_k (M_i M_j^{\dagger}) = (M_k M_i) M_j^{\dagger} = -(M_i M_k) M_j^{\dagger} = M_i (M_j^{\dagger} M_k) = (M_i M_j^{\dagger}) M_k \qquad (15)$$
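The two conditions of Sect. 3.1 can be checked mechanically for any concrete single-qubit encryption set, which makes the argument of Sects. 3.1 and 3.2 easy to reproduce. The following is an added example (not code from the paper): it implements Eq. (5) as `is_optimal`, Eq. (6) as `forgery_operator_works`, and runs them over three constructed sets: the QOTP Pauli set, Choi et al.'s $P_i H$ set, and a set of the form of Eq. (7) whose real coefficient vectors satisfy Eq. (8). All function names, the `ROTATED` set and the restriction to one qubit are assumptions of this example.

```python
# Added example (not from the paper): numerical checker for condition 1 (Eq. (5)) and
# condition 2 (Eq. (6)) on a single-qubit encryption set {W_1, ..., W_4}.
# Pure Python; 2x2 complex matrices are nested lists.  All sets below are constructed.

SQ2 = 2 ** 0.5
I = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Y = [[0, -1j], [1j, 0]]
Z = [[1, 0], [0, -1]]
H = [[1 / SQ2, 1 / SQ2], [1 / SQ2, -1 / SQ2]]
PAULIS = {"X": X, "Y": Y, "Z": Z}


def mul(a, b):
    """Product of two 2x2 matrices."""
    return [[sum(a[r][k] * b[k][c] for k in range(2)) for c in range(2)] for r in range(2)]


def dag(a):
    """Conjugate transpose."""
    return [[complex(a[c][r]).conjugate() for c in range(2)] for r in range(2)]


def trace(a):
    return a[0][0] + a[1][1]


def proportional(a, b, tol=1e-9):
    """True if a == alpha * b for some alpha with |alpha| = 1.
    Eq. (6) compares operators only up to such a phase."""
    for r in range(2):
        for c in range(2):
            if abs(b[r][c]) > tol:
                alpha = a[r][c] / b[r][c]
                if abs(abs(alpha) - 1) > tol:
                    return False
                return all(abs(a[i][j] - alpha * b[i][j]) < tol
                           for i in range(2) for j in range(2))
    return all(abs(a[i][j]) < tol for i in range(2) for j in range(2))


def is_optimal(ws, tol=1e-9):
    """Condition 1, Eq. (5): (1/2) tr[W_i^dagger W_j] = delta_ij for all i, j."""
    for i, wi in enumerate(ws):
        for j, wj in enumerate(ws):
            want = 1 if i == j else 0
            if abs(trace(mul(dag(wi), wj)) / 2 - want) > tol:
                return False
    return True


def forgery_operator_works(ws, q):
    """Condition 2, Eq. (6): do the W_i^dagger Q W_i agree up to a phase for every W_i?
    Equivalently Q commutes (up to a phase) with every W_i W_j^dagger.  True means
    Trent's check in step V2 cannot tell the modified pair apart, so the set is unsafe."""
    conj = [mul(dag(w), mul(q, w)) for w in ws]
    return all(proportional(conj[0], c) for c in conj[1:])


def pauli_forgeries(ws):
    """Names of the non-identity Pauli operators that satisfy Eq. (6) for this set."""
    return [name for name, p in PAULIS.items() if forgery_operator_works(ws, p)]


# Constructed encryption sets.
QOTP = [I, X, Y, Z]                  # quantum one-time pad of Refs. [21,23,24]
CHOI = [mul(p, H) for p in QOTP]     # Choi et al.'s P_i H operators [36]
# A set of the form of Eq. (7), w = I, with coefficient vectors
# (1,0,1)/sqrt2, (1,0,-1)/sqrt2 and (0,1,0), which satisfy Eq. (8).
ROTATED = [I,
           [[(X[r][c] + Z[r][c]) / SQ2 for c in range(2)] for r in range(2)],
           [[(X[r][c] - Z[r][c]) / SQ2 for c in range(2)] for r in range(2)],
           Y]

if __name__ == "__main__":
    for name, ws in [("QOTP", QOTP), ("Choi P_i H", CHOI), ("Eq. (7) set", ROTATED)]:
        print(name, "optimal:", is_optimal(ws), "Pauli forgeries:", pauli_forgeries(ws))
    # M_1 of the Eq. (7) set is itself a usable Q, as Sect. 3.2 predicts.
    print("M_1 works for the Eq. (7) set:", forgery_operator_works(ROTATED, ROTATED[1]))
```

All three sets pass condition 1, and for each of them some operator satisfies Eq. (6): every Pauli for the QOTP and Choi sets, and $Y$ as well as $M_1$ itself for the Eq. (7) set. Running `forgery_operator_works(QOTP, H)` returns `False`, which shows that the checker is not vacuous: a non-Pauli $Q$ does not pass for the QOTP set.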

Combining all the analysis above, it can be seen that for $\{W_i \mid i = 1, 2, 3, 4\}$ satisfying condition 1, any $W_i W_j^{\dagger}$ must commute with the set $\{M_k \mid k = 1, 2, 3, 4\}$ (here $M_4 = I$). From our proof, the condition is necessary and sufficient. That is to say, there exists a contradiction between the necessary and sufficient conditions against the forgery attack. Hence, there exists no optimal encryption against Bob's forgery attack within the current quantum encryption idea.

4 Our security analysis of AQS for signing classical messages

Above we provided a detailed security analysis of the AQS model. It can be seen that the attempt to design an optimal encryption within the current encryption idea cannot prevent Bob's forgery of the signature. Since our proof is based on the most general AQS model (the encryption we discussed can be used to sign both quantum and classical messages), a question may be directly raised: does there exist an encryption algorithm which can be used to sign classical messages against Bob's forgery attack? In this section, we answer the question by discussing the security of the AQS model for signing classical messages only.

To describe our analysis, a different quantum encryption algorithm, only for classical messages, is introduced. As we know, it has been widely used in most practical AQS protocols. Without loss of generality, its encryption operator $F_k$ ($k = 00, 01, 10, 11$) can be seen in Table 1. Here $K_i$ represents the shared key between the two participants and $M_i$ represents one bit of the classical message ($i$ represents the $i$th bit of the classical messages


Table 1 The quantum encryption operator $F_k$

  The encrypted      The shared key $K_i$
  message $M_i$      0                   1
  0                  $|\psi_0\rangle$    $|\phi_0\rangle$
  1                  $|\psi_1\rangle$    $|\phi_1\rangle$

Fig. 1 (figure not reproduced) Here the mutually unbiased bases $\{|\psi_i\rangle\}$ and $\{|\phi_i\rangle\}$ ($i = 0, 1$) compose the encryption operator $F_k$, and $\{|\varphi_i\rangle\}$ is orthogonal to the two bases above on the Bloch sphere

and $K_i, M_i \in \{0, 1\}$). The table shows that if one participant wants to encrypt the bit $M_i$, he will send the corresponding encrypted quantum state to the other. Since the encrypted result is determined by both the values of $K_i$ and $M_i$, and $\{|\psi_0\rangle, |\psi_1\rangle\}$, $\{|\phi_0\rangle, |\phi_1\rangle\}$ are assumed to be mutually unbiased bases of one qubit, the encryption algorithm has the same security as BB84, and a malicious eavesdropper cannot recognize the exact form of the encrypted bit.

Applying the encryption algorithm above to the AQS protocols for signing classical messages, Alice's signature can generally be represented as $|S\rangle = F_{k_{AT}}(M)$, where $F_{k_{AT}}$ is the encryption operator determined by $k_{AT}$. Differently from plain transmission, the encryption algorithm used in the signature must not only ensure no information leakage in the transfer, but also prevent Bob's forgery attack after he has received the signature pair $(M, |S\rangle)$. However, this quantum encryption cannot prevent Bob's forgery of the signature. To show that, we divide our proof into two parts.

First, we discuss a particular case: $\{|\psi_0\rangle = |0\rangle, |\psi_1\rangle = |1\rangle\}$ and $\{|\phi_0\rangle = |+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle), |\phi_1\rangle = |-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)\}$. In this case, if Bob wants to change $M_i$ into $M_i'$ without being detected, he just needs to perform $i\sigma_y$ on the corresponding qubit $|S_i\rangle$ in the signature, because $|0\rangle \Leftrightarrow |1\rangle$ and $|+\rangle \Leftrightarrow |-\rangle$ under the operation $i\sigma_y$ (here "$\Leftrightarrow$" means the inversion of each quantum state).

Then we extend the result above to the most general case. It can be verified that for $\{|\psi_i\rangle\}$ and $\{|\phi_i\rangle\}$ with the mutually unbiased property, there must exist a unitary operation $T$ that achieves $|\psi_0\rangle \Leftrightarrow |\psi_1\rangle$ and $|\phi_0\rangle \Leftrightarrow |\phi_1\rangle$ simultaneously. To show that, we use the Bloch sphere to describe the possible encoded states in Fig. 1. It is known that the mutually unbiased property corresponds to orthogonality of the quantum states on the Bloch sphere. Hence, the three sets are mutually unbiased. In order to


simplify our verification, we redescribe them as

$$\begin{aligned} |\phi_0\rangle &= \tfrac{1}{\sqrt{2}}\big(|\psi_0\rangle + |\psi_1\rangle\big), & |\phi_1\rangle &= \tfrac{1}{\sqrt{2}}\big(|\psi_0\rangle - |\psi_1\rangle\big), \\ |\varphi_0\rangle &= \tfrac{1}{\sqrt{2}}\big(|\psi_0\rangle + i|\psi_1\rangle\big), & |\varphi_1\rangle &= \tfrac{1}{\sqrt{2}}\big(|\psi_0\rangle - i|\psi_1\rangle\big), \end{aligned} \qquad (16)$$

and

$$\begin{aligned} |\varphi_0\rangle &= \tfrac{1}{\sqrt{2}}\big(e^{i\pi/4}|\phi_0\rangle + e^{-i\pi/4}|\phi_1\rangle\big), \\ |\varphi_1\rangle &= \tfrac{1}{\sqrt{2}}\big(e^{-i\pi/4}|\phi_0\rangle + e^{i\pi/4}|\phi_1\rangle\big). \end{aligned} \qquad (17)$$

In view of this, we prove that the unitary operation $T = |\varphi_0\rangle\langle\varphi_0| - |\varphi_1\rangle\langle\varphi_1|$ is the one we are looking for, because

$$\begin{aligned} T|\psi_0\rangle &= \tfrac{1}{\sqrt{2}}\big(|\varphi_0\rangle - |\varphi_1\rangle\big) = i|\psi_1\rangle, \\ T|\psi_1\rangle &= -\tfrac{i}{\sqrt{2}}\big(|\varphi_0\rangle + |\varphi_1\rangle\big) = -i|\psi_0\rangle, \\ T|\phi_0\rangle &= \tfrac{1}{\sqrt{2}}\big(e^{-i\pi/4}|\varphi_0\rangle - e^{i\pi/4}|\varphi_1\rangle\big) = -i|\phi_1\rangle, \\ T|\phi_1\rangle &= \tfrac{1}{\sqrt{2}}\big(e^{i\pi/4}|\varphi_0\rangle - e^{-i\pi/4}|\varphi_1\rangle\big) = i|\phi_0\rangle. \end{aligned} \qquad (18)$$

That is to say, if Alice directly uses the quantum encryption above to generate the signature, Bob can always perform a proper operation $T$ on the signature to achieve his forgery attack. Therefore, the current quantum encryptions cannot prevent Bob's forgery of the signature even if they are only used to sign classical messages.

5 Some assistant security strategies to improve the security of AQS

Based on the security analysis above, it can be seen that the security loophole, Bob's forgery of the signature, has not been solved yet. In this section, we discuss ideas to improve the security of AQS. As we know, the choice of quantum encryption determines the security of AQS protocols. In view of this, a direct idea to improve the security is designing new and secure encryption algorithms. However, we have verified that there exists no quantum encryption against Bob's forgery attack within the current quantum encryption


Table 2 An improved quantum encryption with messages and keys

  The encrypted      The shared key $K_i$
  message $M_i$      0                   1                   2
  0                  $|\psi_0\rangle$    $|\phi_0\rangle$    $|\varphi_0\rangle$
  1                  $|\psi_1\rangle$    $|\phi_1\rangle$    $|\varphi_1\rangle$

idea (encrypting $n$ qubits with $2n$ classical bits). Hence it is necessary to design a more secure quantum encryption algorithm for AQS by adding more shared key bits. From this point of view, some interesting attempts are provided.

1. Utilizing the additional shared keys to determine the security parameters of quantum encryption algorithms. The idea derives from our improved methods proposed in Ref. [42], though that initial research did not discuss the possible security risks caused by the reuse of shared keys. In Ref. [42], two alternative quantum encryption algorithms named Key-Controlled-'I' QOTP and Key-Controlled-'T' QOTP are presented. For each signature pair $(|P_i\rangle, |S_i\rangle)$, the security parameter of Key-Controlled-'I' QOTP is the exact form of the quantum encryption operator, and that of Key-Controlled-'T' QOTP is the position on which the quantum encryption operator is performed. If their corresponding security parameters are determined by the additional shared keys, their security will be further improved, because the possible security risks caused by the reuse of shared keys are avoided in this case. Furthermore, Bob cannot perform a proper forgery operation on a given qubit of the signature to achieve his attack; the detailed security analysis against this can be seen in Ref. [42].

2. Utilizing the additional shared keys to increase the number of encryption operators. Obviously, the improved idea can be easily seen when the AQS model is used to sign classical messages. Different from the quantum encryption algorithm proposed in Sect. 4, we can design an improved one for AQS, shown in Table 2. Here the three sets $\{|\psi_i\rangle\}$, $\{|\phi_i\rangle\}$ and $\{|\varphi_i\rangle\}$ ($i = 0, 1$) are mutually unbiased and their forms can be seen in Fig. 1. For each signature pair $(M_i, |S_i\rangle)$, let us analyze its security as follows. Without loss of generality, we suppose that $\{|\psi_0\rangle = |0\rangle, |\psi_1\rangle = |1\rangle\}$, $\{|\phi_0\rangle = |+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle), |\phi_1\rangle = |-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)\}$ and $\{|\varphi_0\rangle = \frac{1}{\sqrt{2}}(|0\rangle + i|1\rangle), |\varphi_1\rangle = \frac{1}{\sqrt{2}}(|0\rangle - i|1\rangle)\}$ to simplify our discussion.

First, we should verify whether it satisfies the requirements for a quantum encryption of classical messages. Similarly, since the encrypted result is determined by both the values of $K_i$ and $M_i$, and the three sets are mutually unbiased, a malicious eavesdropper cannot be sure which basis should be used to measure the encrypted states. In this case, he has three possible choices: the $X$-basis, the $Z$-basis and the $Y$-basis. Hence, his successful eavesdropping probability is only $1/3$, and it seems more secure than the BB84 protocol. Obviously, it can be seen as a feasible quantum encryption for classical messages.


Second, we discuss Bob's successful forgery under this quantum encryption algorithm. Combining with the analysis in Sect. 4, it can be seen that if Bob wants to change $M_i$ into $M_i'$, there exist three possible forgery operations $T$ on the corresponding qubit $|S_i\rangle$ without the shared key $K_i^{AT}$ (it represents the $i$th bit of the shared key), i.e.,

$$T = \begin{cases} T_0 = |\varphi_0\rangle\langle\varphi_0| - |\varphi_1\rangle\langle\varphi_1|, & K_i^{AT} = 0, 1, \\ T_1 = |\phi_0\rangle\langle\phi_0| - |\phi_1\rangle\langle\phi_1|, & K_i^{AT} = 0, 2, \\ T_2 = |\psi_0\rangle\langle\psi_0| - |\psi_1\rangle\langle\psi_1|, & K_i^{AT} = 1, 2. \end{cases} \qquad (19)$$

The above equation shows that if Bob wants to forge the signature pair, he cannot find a forgery operation $T$ that makes $|\psi_0\rangle \Leftrightarrow |\psi_1\rangle$, $|\phi_0\rangle \Leftrightarrow |\phi_1\rangle$ and $|\varphi_0\rangle \Leftrightarrow |\varphi_1\rangle$ simultaneously. In view of this, his forgery will not always succeed, and its success probability reduces to $1/2$. Certainly, if he tries to forge more bits, his success probability will be further reduced.

3. Utilizing the additional shared keys to perform sequential quantum encryptions. In a sense, this method is a continuation of idea 2. It means that for the message $|P\rangle$, we sequentially perform two or more different kinds of quantum encryption on it to generate the signature $|S\rangle$. Without loss of generality, we suppose there are $2Mn$ bits in the shared key sequence $K_{AT}$. Then we divide it into $M$ parts, denoted $K_1, K_2, \cdots, K_M$, where each $K_i$ contains $2n$ bits. In view of this, the signature is generated by

$$|S\rangle = E^{M}_{K_M}\, E^{M-1}_{K_{M-1}} \cdots E^{2}_{K_2}\, E^{1}_{K_1}(|P\rangle), \qquad (20)$$

where $E^{j}_{K_j}$ represents one optimal quantum encryption determined by the sequence $K_j$. To simplify our security analysis, we only discuss the case $|S\rangle = E^{2}_{K_2} E^{1}_{K_1}(|P\rangle)$; the general case can be easily extended.

Based on the proof in Sect. 3.2, we get the fact that for any quantum encryption $\{W_i \mid i = 1, 2, 3, 4\}$, its commutative set is $\{M_i \mid i = 1, 2, 3, 4\}$ (it means that any $W_i W_j^{\dagger}$ only commutes with the operations in $\{M_i \mid i = 1, 2, 3, 4\}$, without caring about the coefficient). Here we define $M^1, M^2$ as the corresponding commutative sets of $E^{1}_{K_1}, E^{2}_{K_2}$. In view of this, if only the element $I$ exists in the intersection of the sets $M^1$ and $M^2$, Bob's successful forgery will not be achieved, because he cannot perform a proper forgery operation except for the operation $I$ on the signature pair without being detected.

In fact, it is not difficult to choose two secure quantum encryptions $E^{1}_{K_1}$ and $E^{2}_{K_2}$ against the forgery attack. An example is to take $E^{1}_{K_1} = \{I, X, Y, Z\}$ and $E^{2}_{K_2} = \{I,\ \tfrac{1}{\sqrt{3}}X + \tfrac{1}{\sqrt{3}}Y + \tfrac{1}{\sqrt{3}}Z,\ \tfrac{1}{\sqrt{3}}X + \tfrac{i}{\sqrt{3}}Y + \tfrac{i}{\sqrt{3}}Z,\ \tfrac{i}{\sqrt{3}}X + \tfrac{1}{\sqrt{3}}Y - \tfrac{1}{\sqrt{3}}Z\}$. Here the corresponding $M^1 = E^{1}_{K_1}$, $M^2 = E^{2}_{K_2}$ and $M^1 \cap M^2 = \{I\}$, hence Bob cannot forge the signature successfully.

From the above analysis, it can be seen that if the participants have the ability to share more keys with each other, some feasible quantum encryption algorithms against Bob's forgery attack can be provided. Generally, our idea is utilizing more resources to


make more secure AQS protocols. Besides ours, some different methods have also been provided in recent years. For example, quantum message authentication schemes and quantum hash functions are discussed in Gao et al.'s research [35]. Furthermore, some practical eavesdropping detection strategies may be introduced to ensure the security of AQS, such as quantum public-key encryption [43] and quantum error correction [44]. We hope more significant improved ideas will be proposed in the future.
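The classical-message analysis of Sect. 4 (Table 1, Eq. (18)) and idea 2 of Sect. 5 (Table 2, Eq. (19)) can both be reproduced on a two-level system with a few lines of linear algebra. The following is an added example, not code from the paper: it builds the table lookup of Tables 1 and 2 with the paper's concrete bases ($\psi$: $|0\rangle,|1\rangle$; $\phi$: $|\pm\rangle$; $\varphi$: $(|0\rangle \pm i|1\rangle)/\sqrt{2}$), constructs each $T = |b_0\rangle\langle b_0| - |b_1\rangle\langle b_1|$, and reports for which key values a given operation turns the encryption of a bit into the encryption of its complement. Function names, the tuple representation of states and the `undetectable_forgery_exists` check are assumptions of this example.

```python
# Added example (not from the paper): the classical-message encryption of Table 1 and
# its three-basis extension of Table 2, with the forgery operators of Eqs. (18) and (19).
# Pure Python; single-qubit states are 2-tuples, operators 2x2 nested lists.
# Bases are the paper's concrete choice: psi = {|0>,|1>}, phi = {|+>,|->},
# varphi = {(|0>+i|1>)/sqrt2, (|0>-i|1>)/sqrt2}.

R = 1 / 2 ** 0.5
PSI = ((1, 0), (0, 1))
PHI = ((R, R), (R, -R))
VARPHI = ((R, 1j * R), (R, -1j * R))
TWO_BASES = (PSI, PHI)             # Table 1: key value K_i in {0, 1}
THREE_BASES = (PSI, PHI, VARPHI)   # Table 2: key value K_i in {0, 1, 2}


def encrypt(bit, key, bases):
    """Table lookup: the key selects the basis, the message bit selects the state."""
    return bases[key][bit]


def proj_diff(basis):
    """T = |b0><b0| - |b1><b1|, the form of T in Eqs. (18) and (19)."""
    b0, b1 = basis
    return [[b0[i] * complex(b0[j]).conjugate() - b1[i] * complex(b1[j]).conjugate()
             for j in range(2)] for i in range(2)]


def apply(op, v):
    """Matrix-vector product."""
    return tuple(sum(op[i][k] * v[k] for k in range(2)) for i in range(2))


def same_state(u, v, tol=1e-9):
    """Equal as quantum states, i.e. up to a global phase (both inputs normalised)."""
    inner = sum(complex(x).conjugate() * y for x, y in zip(u, v))
    return abs(abs(inner) - 1) < tol


def working_keys(op, bases):
    """Key values for which op maps the encryption of bit b to that of bit 1-b for both b.
    A forgery that Trent cannot detect has to work for every key value."""
    return tuple(k for k in range(len(bases))
                 if all(same_state(apply(op, encrypt(b, k, bases)),
                                   encrypt(1 - b, k, bases)) for b in (0, 1)))


def undetectable_forgery_exists(bases):
    """Does one of the candidates T_0, T_1, T_2 of Eq. (19) flip the bit under every key?"""
    return any(len(working_keys(proj_diff(b), bases)) == len(bases) for b in THREE_BASES)


I_SIGMA_Y = [[0, 1], [-1, 0]]   # the i*sigma_y operation of Sect. 4

if __name__ == "__main__":
    print("i*sigma_y on Table 1, keys:", working_keys(I_SIGMA_Y, TWO_BASES))
    print("T of Eq. (18) on Table 1, keys:", working_keys(proj_diff(VARPHI), TWO_BASES))
    for name, basis in (("T0", VARPHI), ("T1", PHI), ("T2", PSI)):
        print(name, "on Table 2 works for keys", working_keys(proj_diff(basis), THREE_BASES))
    print("Table 1 forgeable:", undetectable_forgery_exists(TWO_BASES))
    print("Table 2 forgeable:", undetectable_forgery_exists(THREE_BASES))
```

For Table 1 both $i\sigma_y$ and the $T$ of Eq. (18) work for key values 0 and 1, so a single operation defeats the scheme. For Table 2 each of $T_0$, $T_1$, $T_2$ works for exactly the two key values listed in Eq. (19) and fails for the third, which is the reason an extra key value per bit helps.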

6 Discussions and conclusions

In this paper, we present a detailed security analysis of AQS. To show that, we first summarize the general AQS model and then provide the necessary and sufficient conditions against the receiver's forgery attack. After a detailed proof, we verify that there exists a contradiction between them. Combining the security analysis of the AQS model for signing classical messages, it can be seen that there exists no feasible quantum encryption algorithm against the receiver's forgery attack within the current encryption idea. Given the significance of the AQS model, we give some potential assistant security ideas to improve its security.

Though we have provided an analysis of the security of AQS against the receiver's forgery attack in this paper, some problems still need further study. For example, feasible methods to prevent the sender's (Alice's) disavowal of the signature are not discussed. Some particular quantum attack strategies, such as intercept-resend attacks [45], entanglement-swapping attacks [46,47], teleportation attacks [48], dense-coding attacks [49,50], channel-loss attacks [51,52], correlation-extractability attacks [53–55] and participant attacks [47,50], may also affect the security of AQS. In addition, the influence of noise in a real channel and the imperfect comparison of two unknown quantum states [19] still require analysis. We hope some significant results will be reflected in further research, and that our conclusions can be applied in discussing these interesting topics or solving other cryptography problems.

Acknowledgments This work is supported by NSFC (Grant Nos. 61103210, 61272057, 61202434, 61170270, 61100203, 61003286, 61121061), NCET (Grant No. NCET-10-0260), Beijing Natural Science Foundation (Grant Nos. 4112040, 4122054), the Fundamental Research Funds for the Central Universities (Grant Nos. 2011YB01, 2012RC0612).

References

1. Shor, P.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
2. Grover, L.K.: A fast quantum mechanical algorithm for database search, http://quant-ph/9605043v3 (1996)
3. Gisin, N., Ribordy, G., Tittel, W., et al.: Quantum cryptography. Rev. Mod. Phys. 74, 145–195 (2002)
4. Bennett, C.H., Brassard, G.: Quantum cryptography: public key distribution and coin tossing. In: Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, pp. 175–179. IEEE Press, New York (1984)
5. Ekert, A.K.: Quantum cryptography based on Bell's theorem. Phys. Rev. Lett. 67, 661–663 (1991)
6. Bennett, C.H.: Quantum cryptography using any two nonorthogonal states. Phys. Rev. Lett. 68, 3121–3124 (1992)


7. Bennett, C.H., Brassard, G., et al.: Teleporting an unknown quantum state via dual classical and Einstein-Podolsky-Rosen channels. Phys. Rev. Lett. 70, 1895–1899 (1993)
8. Gao, F., Guo, F.Z., Wen, Q.Y., et al.: Quantum key distribution without alternative measurements and rotations. Phys. Lett. A 349, 53–58 (2006)
9. Cleve, R., Gottesman, D., Lo, H.K.: How to share a quantum secret. Phys. Rev. Lett. 83, 648–651 (1999)
10. Hillery, M., Bužek, V., Berthiaume, A.: Quantum secret sharing. Phys. Rev. A 59, 1829–1834 (1999)
11. Karlsson, A., Koashi, M., Imoto, N.: Quantum entanglement for secret sharing and secret splitting. Phys. Rev. A 59, 162–168 (1999)
12. Jiang, M., Huang, X., Zhou, L.L., Zhou, Y.M., Zeng, J.: An efficient scheme for multi-party quantum state sharing via non-maximally entangled states. Chin. Sci. Bull. 57(10), 1089–1094 (2012)
13. Long, G.L., Liu, X.S.: Theoretically efficient high-capacity quantum-key-distribution scheme. Phys. Rev. A 65, 032302 (2002)
14. Deng, F.G., Long, G.L., Liu, X.S.: Two-step quantum direct communication protocol using the Einstein-Podolsky-Rosen pair block. Phys. Rev. A 68, 042317 (2003)
15. Lin, S., Wen, Q.Y., Zhu, F.C.: Quantum secure direct communication with X-type entangled states. Phys. Rev. A 78, 064304 (2008)
16. Li, J., Jin, H.F., Jing, B.: Improved eavesdropping detection strategy based on four-particle cluster state in quantum direct communication protocol. Chin. Sci. Bull. 57(34), 4434–4441 (2012)
17. Song, S.Y., Wang, C.: Recent development in quantum communication. Chin. Sci. Bull. 57(36), 4694–4700 (2012)
18. Gottesman, D., Chuang, I.: Quantum Digital Signatures, http://quant-ph/0105032v2 (2001)
19. Buhrman, H., Cleve, R., Watrous, J., et al.: Quantum fingerprinting. Phys. Rev. Lett. 87, 167902 (2001)
20. Buhrman, H., Crepeau, C., Gottesman, D., et al.: Authentication of Quantum Messages, pp. 449–458. IEEE Computer Society Press, Washington DC (2002)
21. Zeng, G.H., Keitel, C.H.: Arbitrated quantum-signature scheme. Phys. Rev. A 65, 042312 (2002)
22. Boykin, P.O., Roychowdhury, V.: Optimal encryption of quantum bits. Phys. Rev. A 67, 042317 (2003)
23. Li, Q., Chan, W.H., Long, D.Y.: Arbitrated quantum signature scheme using Bell states. Phys. Rev. A 79, 054307 (2009)
24. Zou, X.F., Qiu, D.W.: Security analysis and improvements of arbitrated quantum signature schemes. Phys. Rev. A 82, 042325 (2010)
25. Yang, Y.G., Wen, Q.Y.: Threshold proxy quantum signature scheme with threshold shared verification. Sci. Chin. Ser. G Phys. Mech. Astron. 51, 1079–1088 (2008)
26. Wang, T.Y., Wei, Z.L.: One-time proxy signature based on quantum cryptography. Quantum Inf. Proc. 11, 455–463 (2012)
27. Shi, J.H., Zhang, S.L., Chang, Z.G.: The security analysis of a threshold proxy quantum signature scheme. Sci. China Phys. Mech. Astron. 56(3), 519–523 (2013)
28. Wen, X.J., Tian, Y., Ji, L.P., Niu, X.M.: A group signature scheme based on quantum teleportation. Phys. Scr. 81, 055001 (2010)
29. Wen, X.J.: Quantum group blind signature scheme without entanglement. Phys. Scr. 82, 065403 (2010)
30. Xu, R., Huang, L.S., Yang, W., He, L.B.: Quantum group blind signature scheme without entanglement. Opt. Commun. 284, 3654–3658 (2011)
31. Wang, T.Y., Wen, Q.Y.: Fair quantum blind signatures. Chin. Phys. B 19, 060307 (2010)
32. Wen, X.J., Niu, X.M., Ji, L.P., Tian, Y.: A weak blind signature scheme based on quantum cryptography. Opt. Commun. 282, 666–669 (2009)
33. Yang, Y.G.: Multi-proxy quantum group signature scheme with threshold shared verification. Chin. Phys. B 17, 415 (2008)
34. Yang, Y.G., Wang, Y., Teng, Y.W., Chai, H.P., Wen, Q.Y.: Scalable arbitrated quantum signature of classical messages with multi-signers. Commun. Theor. Phys. 54, 84 (2010)
35. Gao, F., Qin, S.J., Guo, F.Z., Wen, Q.Y.: Cryptanalysis of the arbitrated quantum signature protocols. Phys. Rev. A 84, 022344 (2011)
36. Choi, J.W., Chang, K.Y., Hong, D.: Security problem on arbitrated quantum signature schemes. Phys. Rev. A 84, 062330 (2011)
37. Cai, Q.Y.: The "Ping-Pong" protocol can be attacked without eavesdropping. Phys. Rev. Lett. 91, 109801 (2003)
38. Gao, F., Guo, F.Z., Wen, Q.Y., Zhu, F.C.: Consistency of shared reference frames should be reexamined. Phys. Rev. A 77, 014302 (2008)


39. Gisin, N., Fasel, S., Kraus, B., Zbinden, H., Ribordy, G.: Trojan-horse attacks on quantum-key-distribution systems. Phys. Rev. A 73, 022320 (2006)
40. Deng, F.G., Li, X.H., Zhou, H.Y., Zhang, Z.J.: Improving the security of multiparty quantum secret sharing against Trojan horse attack. Phys. Rev. A 72, 044302 (2005)
41. Hwang, T., Luo, Y.P., Chong, S.K.: Comment on "Security analysis and improvements of arbitrated quantum signature schemes". Phys. Rev. A 85, 056301 (2012)
42. Zhang, K.J., Zhang, W.W., Li, D.: Improving the security of arbitrated quantum signature against the forgery attack. Quantum Inf. Proc. doi:10.1007/s11128-013-0554-4
43. Liang, M., Yang, L.: Public-key encryption and authentication of quantum information. Sci. China Phys. Mech. Astron. 55(9), 1618–1629 (2012)
44. Salemian, S., Mohammadnejad, S.: An error-free protocol for quantum entanglement distribution in long-distance quantum communication. Chin. Sci. Bull. 56(7), 618–625 (2011)
45. Gao, F., Guo, F.Z., Wen, Q.Y., Zhu, F.C.: Comment on "Experimental demonstration of a quantum protocol for Byzantine agreement and liar detection". Phys. Rev. Lett. 101, 208901 (2008)
46. Zhang, Y.S., Li, C.F., Guo, G.C.: Comment on "Quantum key distribution without alternative measurements". Phys. Rev. A 63, 036301 (2001)
47. Gao, F., Qin, S.J., Wen, Q.Y., Zhu, F.C.: A simple participant attack on the Bradler-Dusek protocol. Quantum Inf. Comput. 7, 329 (2007)
48. Gao, F., Wen, Q.Y., Zhu, F.C.: Teleportation attack on the QSDC protocol with a random basis and order. Chin. Phys. B 17, 3189 (2008)
49. Gao, F., Qin, S.J., Guo, F.Z., Wen, Q.Y.: Dense-coding attack on three-party quantum key distribution protocols. IEEE J. Quantum Electron. 47, 630 (2011)
50. Qin, S.J., Gao, F., Wen, Q.Y., Zhu, F.C.: Improving the security of multiparty quantum secret sharing against an attack with a fake signal. Phys. Lett. A 357, 101 (2006)
51. Wójcik, A.: Eavesdropping on the ping-pong quantum communication protocol. Phys. Rev. Lett. 90, 157901 (2003)
52. Wójcik, A.: Comment on "Quantum dense key distribution". Phys. Rev. A 71, 016301 (2005)
53. Gao, F., Wen, Q.Y., Zhu, F.C.: Comment on "Quantum exam". Phys. Lett. A 360, 748 (2007)
54. Gao, F., Lin, S., Wen, Q.Y., Zhu, F.C.: A special eavesdropping on one-sender versus N-receiver QSDC protocol. Chin. Phys. Lett. 25, 1561 (2008)
55. Gao, F., Lin, S., Wen, Q.Y., Zhu, F.C.: Cryptanalysis of multiparty controlled quantum secure direct communication using Greenberger-Horne-Zeilinger state. Opt. Commun. 283, 192 (2010)
