Quantum Digital Signatures

Daniel Gottesman and Isaac Chuang

Computer Science Division, University of California, Berkeley, CA 94270
MIT Media Laboratory, Cambridge, MA 02139

The physics of quantum systems opens a door to tremendously intriguing possibilities for cryptography, the art and science of communicating in the presence of adversaries [1]. One major goal of classical cryptography is to certify the origin of a message. Much like a handwritten signature on a paper document, a digital signature authenticates an electronic document and ensures that it has not been tampered with. The importance of digital signatures to modern electronic commerce has become such that Rivest has written “[they] may prove to be one of the most fundamental and useful inventions of modern cryptography.” [2] This is especially true of schemes where the signature can be recognized using a widely available reference. The security of all such public key digital signature schemes presently depends on the inability of a forger to solve certain difficult mathematical problems, such as factoring large numbers [3]. Unfortunately, with a quantum computer factoring becomes tractable [4], thus allowing signatures to be forged. Here, we present a quantum digital signature scheme which is absolutely secure, even against powerful quantum cheating strategies. It allows a sender (Alice) to sign a message so that the signature can be validated by one or more different people, and all will agree either that the message came from Alice or that it has been tampered with.

Classical digital signature schemes can be created out of any one-way function [5]. $f(x)$ is a one-way function if it is easy to compute $f(x)$ given $x$, but computing $x$ given $f(x)$ is very difficult. This allows the following digital signature scheme [6]: Alice chooses $k_0$ and $k_1$, and publicly announces $f$, $(0, f(k_0))$ and $(1, f(k_1))$. Later, to sign a single bit $b$, Alice presents $(b, k_b)$. The recipient can easily compute $f(k_b)$ and check that it agrees with Alice’s earlier announcement, and since $k_0$ and $k_1$ were known only to Alice, this certifies that she must have sent the message. However, while there are many candidate one-way functions, none have been proven to be secure, and some, such as multiplying together two primes (the inverse being factoring the product), become insecure on a quantum computer. This deficiency leaves a substantial gap in the cryptographic landscape.

Our quantum digital signature scheme is based on a quantum analogue of a one-way function which, unlike any classical function, is provably secure from an information-theoretic standpoint, no matter how advanced the enemy’s computers. The key idea we introduce is a one-way function whose input is a classical bit-string $k$, and output is a quantum state $|f_k\rangle$ (versus, for instance, a function which maps quantum states to quantum states). Like the above classical scheme, we will require $O(m)$ qubits to sign a $m$-bit message. It is not sufficient, however, to simply plug in $|f_k\rangle$ in place of $f(k)$. First, due to the no-cloning theorem, there can be no perfect equality test for quantum states. Also, as we show below, the nature of quantum states provides Alice with non-classical cheating strategies, and eavesdroppers with non-classical forgery mechanisms. And unlike classical schemes, only a limited number of copies of the public key can be issued, or the scheme becomes insecure. Despite these difficulties, the protocol we present, when used correctly, allows the probability of any security failure to be made exponentially small with only polynomial expenditure of resources.

Let us begin with the quantum one-way function. Suppose we take all classical bit strings $k$ of length $L$, and assign to each one a quantum state $|f_k\rangle$ of $n$ qubits. Further, let the states be nearly orthogonal: $|\langle f_k|f_{k'}\rangle| \le \delta$ for $k \ne k'$; this allows $L$ to be much larger than $n$. Buhrman, Cleve, Watrous, and de Wolf introduced one such family as quantum fingerprints, in which $L = O(2^n)$ and $\delta \approx 0.9$ [7]. Another family is provided by the set of stabilizer states [1], with $L = n^2/2 + o(n^2)$, and $\delta = 1/\sqrt{2}$. Both these sets are easy to create with any standard set of universal quantum gates. A third family of interest uses just $n = 1$ qubit per state, and consists of the states $\cos(j\theta)|0\rangle + \sin(j\theta)|1\rangle$, for $\theta = \pi/2^L$, and integer $j$. This family works for any value of $L$, and gives $\delta = \cos\theta$.

The mapping $k \mapsto |f_k\rangle$ acts as a sort of “quantum one-way function” because it is impossible to invert, but easy to compute and verify. Holevo’s theorem puts limits on the amount of classical information that can be extracted from a quantum state [8]; in particular, measurements on $n$ qubits can give at most $n$ classical bits of information. Thus, given $t$ copies of the state $|f_k\rangle$, we can learn at most $tn$ bits of information about $k$, and when $L - tn \gg 1$, our chance of successfully guessing the string $k$ remains small.

We take for granted certain properties of classical functions which are no longer so straightforward quantum-mechanically. Given two outputs $|f_k\rangle$ and $|f_{k'}\rangle$, how can we be sure that $k = k'$? This is done using a simple quantum circuit [7], which we shall call the swap-test. Take the states $|f_k\rangle$ and $|f_{k'}\rangle$, and prepare a single ancilla qubit in the state $(|0\rangle + |1\rangle)/\sqrt{2}$. Next, perform a Fredkin gate (controlled-swap) with the ancilla qubit as control and $|f_{k'}\rangle$ and $|f_k\rangle$ as targets. Then perform a Hadamard on the ancilla qubit and measure it. If the result is $|0\rangle$, then the swap-test is passed; this always happens if $|f_{k'}\rangle = |f_k\rangle$. Otherwise, if $|\langle f_{k'}|f_k\rangle| \le \delta$, the result $|0\rangle$ occurs with probability at most $(1 + \delta^2)/2$. If the result is $|1\rangle$, then the test fails; this happens only when $k \ne k'$ and occurs with probability
$(1 - \delta^2)/2$. Clearly the swap test works equally well even if the states are not outputs of the function $f$ — if the states are the same, they always pass the swap test, while if they are different, they sometimes fail.

Another important property is the ability to verify the output of the function: given $k$, how do we check that a state $|\psi\rangle = |f_k\rangle$? This is straightforward: since the function $|k\rangle|0\rangle \mapsto |k\rangle|f_k\rangle$ is easy to compute, simply perform the inverse operation, and measure the second register. If $|\psi\rangle \ne |f_k\rangle$, the measurement result will be nonzero with probability $1 - |\langle\psi|f_k\rangle|^2$.

Blindly modifying classical cryptographic protocols to use quantum one-way functions will generally fail. First, given the output of a classical one-way function, someone with limited computational ability can learn nothing at all about the input, whereas $|f_k\rangle$ always leaks a limited amount of information about $k$, the input to the quantum one-way function. This is why in our signature scheme, Alice must limit the number of copies of her public keys in circulation. Second, verification of the identity of $|f_k\rangle$ can only be done with some error. Third, quantum cheating strategies become available; for example Alice (the person preparing the state) can prepare an entangled initial state, which enables her to delay choosing $k$ until after she has given $|f_k\rangle$ away. This fact spells the doom of any attempt to use quantum one-way functions to perform bit commitment [9,10], which is one application of classical one-way functions. However, only Alice has the ability to change the state, which enables us to use quantum one-way functions to perform digital signatures.

Our digital signature protocol consists of two stages. The first step is the key distribution stage, where Alice creates and distributes quantum states which we shall refer to as her public keys. The public keys are “public,” in the sense that no particular security measures are necessary in distributing them. If a number of copies fall into the hands of potential forgers, the protocol remains secure, provided the honest recipients receive valid keys. Classically, it is much easier to deal with identical public keys than with private keys that vary from recipient to recipient. The only purpose of our key distribution stage is to check that the public keys are truly indistinguishable. In the second stage of the protocol, Alice sends a classical message, and the $t$ recipients use the public keys to verify that the message was sent by Alice. We shall initially describe how Alice sends one bit, $b$; multiple bits could be sent by repeating the protocol, but we describe a more [...] works in the presence of weak noise by letting $c_1$ be greater than zero, and with other minor adjustments.

The key distribution stage works as follows:

1. Alice creates a set $\{k_0^i, k_1^i\}$, $1 \le i \le M$, of pairs of $L$-bit strings. The $k_0$’s will be used to sign 0’s in the message, and the $k_1$’s will be used to sign 1’s. Note $k_0^i$ and $k_1^i$ are chosen independently and randomly for each $i$.
2. Alice creates $2t$ copies of each of the states $\{|f_{k_0^i}\rangle, |f_{k_1^i}\rangle\}$. These will be Alice’s public keys.
3. Alice sends her public keys to a key distribution center, and each of the $t$ recipients downloads two copies of each $\{|f_{k_0^i}\rangle, |f_{k_1^i}\rangle\}$. One copy will be used to verify the message, and one to test for Alice cheating. The public keys have been labelled by Alice, so the recipients know which key is which (but not the identities of the individual keys).
4. Finally, for each value of $i$, the recipients verify that they all received the same public keys using the swap test. Each recipient first performs a swap-test between their two keys, then each passes one copy to a single recipient. That recipient checks that these $t$ test keys remain unchanged when any pair is swapped. If any of the public keys fail the test, the protocol is aborted. Otherwise, discard the test keys.

Assuming all recipients’ public keys pass the swap test, ideally all the recipients would now have identical public keys. However, a dishonest Alice may create states which pass the swap test but are different for different recipients. Nevertheless, all the keys are equivalent in the sense that on average, each recipient will find a similar number of correct keys for a given message. Alice can now send a message $b$ using the following procedure:

1. Alice sends the signed message $(b, k_b^1, k_b^2, \ldots, k_b^M)$ over an insecure classical channel. Thus, Alice reveals the identity of half of her public keys.
2. Each recipient of the signed message checks each of the revealed public keys to verify that $k_b^i \mapsto |f_{k_b^i}\rangle$. Recipient $j$ counts the number of incorrect keys; let this be $s_j$.
3. Recipient $j$ accepts the message if $s_j \le c_1 M$, and rejects it if $s_j \ge c_2 M$. If $c_1 M$

are caught using the $c_2$ and $c_1$ thresholds. Forgery is prevented by $c_2$, and cheating by Alice is prevented by a gap between $c_2$ and $c_1$. Alice might attempt to divide the recipients, but she will almost always fail: she must mind the gap.

We prove the security of this scheme against two scenarios of cheaters. In the first scenario, only Alice is dishonest; her goal is to get recipients to disagree about whether a message is valid or not (i.e., she wishes to “repudiate” it). We show that if one recipient unconditionally accepts ($s_j$ [...] $c_2 M$).

The second scenario is a standard forging scenario. In this case, Alice and at least one recipient Bob are honest. Other recipients or some third party are dishonest, and they wish to convince Bob that a message $b' \ne b$ is valid. The forgers have complete control of the classical channel used to send the message, but not the for the distribution of public keys: Bob always receives a [...] cheaters behave honestly during the key verification stage.) Naturally, the forgers can always prevent any message from being received, or cause Bob to reject a valid message, but we do not consider this to be a success for the cheaters.

Our scheme is applicable to a variety of cryptographic problems. For instance, Alice may wish to sign a contract with Bob such that Bob can prove to Judge Charlie that the contract is valid. In this case, Bob should accept the contract whenever $s_B$ [...] $c_2 M$, which means each recipient either receives the correct message, or rejects the message with high probability.

For the security proof in the first scenario, where Alice is dishonest, we will simplify to the case where there are only two recipients, Bob and Charlie, but the proof can easily be generalized to $t > 2$ recipients.

Here, Alice wishes Bob to accept the message and Charlie to reject it or vice-versa. She can prepare any state she wishes for the public keys, including entangled states and states outside the family $|f_k\rangle$. For instance, she can prepare a symmetric state, such as $|\psi\rangle_B|\phi\rangle_C + |\phi\rangle_B|\psi\rangle_C$. Because this state is invariant under swaps, it always passes all tests, so that Bob and Charlie believe they have the same [...] can nevertheless arrange that they disagree on the validity of the corresponding private key $k_b^i$. However, Alice cannot control which of them receives the valid key; it goes randomly to Bob or Charlie. Thus, since $M$ is large, the difference $|s_B - s_C|$ is $O(\sqrt{M})$ with high probability, which makes it very unlikely that Bob and Charlie will get definitive but differing results. That is, when one of them (say, Bob) accepts a message, that is $s_B$ [...] $c_2 M$. The gap between $c_1 M$ and $c_2 M$ protects them against Alice’s machinations.

Let us now prove this in general. Our goal is to compute the probability $p_{\mathrm{cheat}}$ that Alice can pass all the swap-tests but achieve $|s_B - s_C| > (c_2 - c_1)M$, meaning that Bob and Charlie disagree about the validity of the message. We do this by studying a global pure state $|\Psi\rangle$, which describes all of the public keys as well as any state that Alice may [...] $(|+\rangle|-\rangle + |-\rangle|+\rangle)/\sqrt{2}$ is the only way $|-\rangle|+\rangle$ can appear. That is, any sum of type-2 terms respecting this symmetry must have at least a 50% chance of failing the swap test. On the other hand, some superpositions of type-
2 terms can give different chances for Bob and Charlie to pass key verification.

Expanding every set of keys in $|\Psi\rangle$ in this way gives a global state which we can again divide up into two terms: $|\Psi_1\rangle + |\Psi_2\rangle$. Every summand in $|\Psi_1\rangle$ contains at most $r$ type-2 tensor factors, where $r = (c_2 - c_1 - c)M$ for some constant $c > 0$; the rest are type-1 terms. Each type-1 term has equal amplitude to contribute to $s_B$ and $s_C$, so the tensor product of $M - r$ such terms has a Gaussian distribution of amplitudes, centered at $s_B = s_C = (M - r)/2$ and with width $O(\sqrt{M})$. That is, most of the weight of $|\Psi_1\rangle$ falls on cases where $|s_B - s_C| \le r + O(\sqrt{M}) < (c_2 - c_1)M$. $|\Psi_2\rangle$ consists of terms with more than $r$ type-2 tensor factors. Since each type-2 term has at least a 1/2 chance of failing the swap test, $|\Psi_2\rangle$ passes with probability no larger than $2^{-r}$. Note that $|\Psi_1\rangle$ need not be orthogonal to $|\Psi_2\rangle$.

Now we can put this together to obtain a bound on $p_{\mathrm{cheat}}$. The $|\Psi_1\rangle$ term might have a good chance of passing all swap tests, but yields an exponentially small chance of giving the required separation between $s_B$ and $s_C$. The $|\Psi_2\rangle$ term might have $O(1)$ probability of having $|s_B - s_C| > (c_2 - c_1)M$, but only has an $O(2^{-r})$ chance of passing all swap tests. The best case for constructive interference between the two terms gives a total probability $p_{\mathrm{cheat}}$ at most twice the sum of the two probabilities for $|\Psi_1\rangle$ and $|\Psi_2\rangle$, which is still exponentially small in $M$. Therefore, Alice has $p_{\mathrm{cheat}} \sim O(d^{-M})$ probability of successfully cheating for some $d > 1$.

Multi-bit messages can be sent by repeating the above process, using $M$ pairs of public keys for each message bit. However, a much more efficient procedure is to first encode the message in a classical error-correcting code with distance $M$, and to use a single pair of public keys for each encoded bit. The previous protocol can be viewed as a special case of this using a repetition code. Valid messages are codewords of the error-correcting code; to change from one valid message to another requires altering $M$ bits. Therefore, the above security proof holds with only two changes: $G$, the number of keys successfully guessed by Eve, is now $2^{-(L-2tn)}(2N)$, where $N$ is the length of the full encoded message. In addition, if Alice attempts to cheat, she can produce a difference $|s_B - s_C| = O(\sqrt{N})$ with type-1 terms. We should thus have $M$ scale linearly with $N$ when the latter is very large.

Note that in a purely classical scheme, the public key can be given out indiscriminately. This cannot be true of a quantum scheme: when there are very many copies of a public key, sufficiently careful measurements can completely determine its state, and therefore one may as well treat the public key as classical. In that case, security must be dependent on computational or similar assumptions. Thus, any quantum digital signature scheme will necessarily require limited circulation of the public key.

The digital signature scheme provided here has many potential applications. It combines unconditional security with the flexibility of a public key system. An exchange of digital signature public keys is sufficient to provide authentication information for a quantum key distribution session. Quantum digital signatures can be used to sign contracts or other legal documents. In addition, digital signatures are useful components of other more complex cryptographic procedures.

One particularly interesting application is to create a kind of quantum public key cryptography. If Bob has Alice’s public key, but Alice has nothing from Bob, then Bob can initiate a quantum key distribution session with Alice. Bob will be sure that he is really talking to Alice, even though Alice has no way to be sure that Bob is who he says he is. Therefore, the key generated this way can be safely used to send messages from Bob to Alice, but not vice-versa.

We have demonstrated the existence of an absolutely secure public key digital signature scheme, something which is not possible classically. Many potential improvements remain, however. A disadvantage of our protocol is that it consumes several key bits for each message bit. This makes key management unpleasant. Classical schemes allow reuse of keys and similar capability would be desirable in an improved quantum signature scheme. Other future goals, in addition to optimizing the protocol, would be to devise a method for efficiently distributing new public keys or signing certain quantum states (although it is not possible to sign a general quantum state). Also intriguing would be generalization of quantum one-way functions, to further exploit unique properties of for cryptographic purposes.

[1] M. A. Nielsen and I. L. Chuang, Quantum computation and quantum information (Cambridge University Press, Cambridge, UK, 2000).
[2] R. Rivest, in Handbook of Theoretical Computer Science (Elsevier, Amsterdam, The Netherlands, 1990), Vol. 1, pp. 717–755.
[3] R. L. Rivest, A. Shamir, and L. Adleman, Comm. Assoc. Comput. Mach. 21, 120 (1978).
[4] P. W. Shor, SIAM J. Comp. 26, 1484 (1997).
[5] J. Rompel, Proc. 22nd Ann. ACM Symp. on Theory of Computing (STOC ’90) 387 (1990).
[6] L. Lamport, Technical Report CSL-98, SRI International (1979).
[7] H. Buhrman, R. Cleve, J. Watrous, and R. de Wolf, arXiv e-print quant-ph/0102001 (2001).
[8] A. S. Holevo, Rep. Math. Phys. 12(2), 273 (1977).
[9] H.-K. Lo and H. F. Chau, Phys. Rev. Lett. 78, 3410 (1997).
[10] D. Mayers, Phys. Rev. Lett. 78, 3414 (1997).
[11] D. Chaum and S. Roijakkers, Lecture Notes in Computer Science 537, 206 (1991).

Acknowledgements: DG was supported by a Clay long-term CMI prize fellowship. ILC was supported in part by the Things That Think consortium. We thank C. Bennett, D. DiVincenzo, D. Leung, H. K. Lo, M. Mosca, J. Smolin, B. Terhal, and W. van Dam for helpful comments.

Author electronic addresses: [email protected]; [email protected]
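
Added example (not part of the original paper, and not the authors' code): a classical simulation of the measurement statistics for the single-qubit key family, the swap test, and the recipient's accept/reject rule described above. It assumes $\theta = \pi/2^L$ with $j$ taken as the integer value of $k$, a forger who guesses keys blindly, noise-free keys, and illustrative thresholds $c_1 = 0.05$, $c_2 = 0.30$; all function names are hypothetical.

```python
import math
import random

def key_state(j, L):
    """Single-qubit key cos(j*theta)|0> + sin(j*theta)|1>, theta = pi/2^L (assumed)."""
    theta = math.pi / 2 ** L
    return (math.cos(j * theta), math.sin(j * theta))

def overlap(a, b):
    """|<a|b>| for two real single-qubit amplitude pairs."""
    return abs(a[0] * b[0] + a[1] * b[1])

def swap_test_pass_prob(a, b):
    """Probability that the swap-test ancilla reads |0>: (1 + |<a|b>|^2) / 2."""
    return (1 + overlap(a, b) ** 2) / 2

def check_fail_prob(k, held, L):
    """Probability that checking revealed key k against the held state gives a
    nonzero result: 1 - |<psi|f_k>|^2, with rounding noise snapped to zero."""
    p = 1 - overlap(key_state(k, L), held) ** 2
    return p if p > 1e-12 else 0.0

def count_incorrect(revealed, held_keys, L, rng):
    """s_j: sample each check outcome and count the revealed keys that fail."""
    return sum(rng.random() < check_fail_prob(k, psi, L)
               for k, psi in zip(revealed, held_keys))

def decide(s, M, c1, c2):
    """Recipient's rule: accept if s <= c1*M, reject if s >= c2*M."""
    if s <= c1 * M:
        return "accept"
    if s >= c2 * M:
        return "reject"
    return "between thresholds"  # only reported here, no action modelled

def run_demo(L=8, M=200, c1=0.05, c2=0.30, seed=1):
    rng = random.Random(seed)
    # Alice's private pairs (k_0^i, k_1^i), chosen independently at random.
    private = [(rng.randrange(2 ** L), rng.randrange(2 ** L)) for _ in range(M)]
    b = 1  # the signed bit
    # Bob's copies of the public keys for bit b (constructed sample data).
    bob_keys = [key_state(pair[b], L) for pair in private]
    honest = [pair[b] for pair in private]              # Alice reveals k_b^i
    forged = [rng.randrange(2 ** L) for _ in range(M)]  # forger guesses blindly
    s_honest = count_incorrect(honest, bob_keys, L, rng)
    s_forged = count_incorrect(forged, bob_keys, L, rng)
    return (s_honest, decide(s_honest, M, c1, c2),
            s_forged, decide(s_forged, M, c1, c2))

if __name__ == "__main__":
    print(run_demo())
```

With this family neighbouring keys overlap by $\delta = \cos\theta$, so a single swap test between them passes with probability close to 1; the forgery is rejected because a blind guess fails each key check about half the time, far above $c_2 M$.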
