Quantum Digital Signatures Could Be Used to Sign Contracts That Similar Eﬃciency Could Be Achieved Here

arXiv:quant-ph/0105032v2 15 Nov 2001 o hspie eaheeucniinlyscr iia s digital secure an unconditionally Sending achieve exchange circula-natures. we in in However, price, be this insecure. can for becomes copies scheme for the of keys: or number public tion, limited classical a than keys whose only with public states deal instance, Quantum to quantum Alice. difficult of to more Al- set only are of known a copy is is identity a have exact which must key,” this message accomplish “public To the ice’s of with. from recipient tampered came each been way message has task, the a it that different that such either of or in agree number Alice will a message all by a validated and sign be people, can to signature (Alice) the physics. sender that quantum a of allows principles fundamental It secu- on whose based scheme is signature rity digital quantum a present We ABSTRACT st etf h rgno esg.Mc ieahandwrit- a a like document, Much paper cryptography message. a classical a of on of goal signature origin major ten the One certify 14]. to 17, is 6, adversaries[4, 7, of tremen- 9, presence 8, to the art in door communicating the of a cryptography, science for opens possibilities systems intriguing quantum dously of physics INTRODUCTION The 1. into cryptography key im- for public world. model classical quantum a of the provides ideas protocol the method The one porting show using distribution. secure and key absolutely discuss keys, of is briefly public scheme We quantum signature key. distribute the public securely the to of how recipient each for bits rsnl eed nteiaiiyo ogrt ov cer- solve to larg factoring forger as a such problems, of mathematical inability scheme difficult the signature tain digital on key depends public reference such presently available all widely of sig a security the using The where recognized schemes be the of can of true nature one cryptog- especially modern is be of This to inventions raphy.”[22] prove useful may and digital fundamental “[they] of such most written become importance has has The Rivest commerce that electronic with. modern tampered that to ensures been signatures and not document has electronic it an authenticates 21] [email protected] optrSineDivision Science Computer m nvriyo California of University ailGottesman Daniel btmsaeue up uses message -bit ekly A94270 CA Berkeley, unu iia Signatures Digital Quantum iia signature digital O ( m quantum ) and [22, ig- 5, e s - . rsns( presents hc hti geswt lc’ ale noneet and announcement, earlier Alice’s with since agrees it that check eue h euiyrqieet novdi e distribu key in involved oppo- This requirements an protocol. security to the given the of are safely security reduces be These the endangering can without key setting. nent public quantum a a First, classical in of twofold: advantages cryptography primary key the reproduce public to is computers. information-theoreti goal enemy’s Our the an advanced classical how from matter any no secure unlike standpoint, provably which, is quantum function a one-way function, on a based of scheme signature analogue digital a RESULT describe MAIN We 2. the in gap substantial a leaves landscape. deficiency cryptographic quantum This a on inverse insecure (the computer. become primes product), candidate two the and many factoring together secure, being multiplying are be as model to there such proven good While some, been have a none as scheme. functions, signature one-way serves quantum digital protocol a only sophisticated simple for can more this keys but unlike public The schemes, once, message. used the be sent have must she svr icl.Ti lostefloigdgtlsignatur digital following the chooses allows Alice This scheme[16]: difficult. very is f epeeta present We to signatures allowing forged. thus fac- tractable[25], computer becomes quantum toring a with Unfortunately, numbers[23]. lsia iia intr cee a ecetdotof out created be can function[24]. schemes one-way any signature digital Classical cryp- key public quantum for tography. uncon- potential sugges unrealized an scheme as-yet of signature an more existence digital remain the quantum secure and they ditionally keys, keys, private public are than classical keys powerful public than quantum fie limited the While more for cryptography. underly- directions quantum scheme research the of The novel but suggest with. cumbersome, principles tampered came somewhat ing been message is has differ- the here it that more described that either so or or agree message one Alice will a by from all validated sign and be to people, can (Alice) ent signature sender the a that allows cheating quantum It powerful strategies. against even secure, absolutely ayt compute to easy (0 , f , k 0 ( k and 0 [email protected] ,k b, )ad(1 and )) abig,M 02139 MA Cambridge, b k I ei Laboratory Media MIT .Tercpetcnesl compute easily can recipient The ). 1 sa .Chuang L. Isaac quantum eekonol oAie hscrie that certifies this Alice, to only known were 0Ae Street Ames 20 f ( f , x given ) ( k 1 ) ae,t inasnl bit single a sign to Later, )). iia intr ceewihis which scheme signature digital k f 0 ( x and x u computing but , saoewyfnto fi is it if function one-way a is ) k 1 n ulcyannounces publicly and , x given f ( k b Alice , b and ) f ( be x ld ts c e ) - n tion. Second, every recipient has the same public key, which for δ 0.9, one may have a set of size 2O(2 ). simplifies key distribution further; someone who is unsure ≈ whether he has received a correct public key can compare We shall make use of this property by taking all classical bit with one from a different source or with a friend’s copy of strings k of length L, and assigning to each one a quantum the key. Our protocol should not be regarded as the culmi- state fk of n qubits. These states are nearly orthogonal: | i ′ nation of this line of research, but as proof of the principle fk fk′ δ for k = k , allowing L to be much larger than that quantum protocols can have these properties. n|h. As| mentionedi| ≤ above,6 for the quantum fingerprint states, L = O(2n) with δ 0.9. Another family is provided by The key idea we introduce is a one-way function whose in- the set of stabilizer≈ states[20], with L = n2/2+ o(n2), and put is a classical bit-string k, and whose output is a quan- δ = 1/√2. Both these sets are easy to create with any tum state fk (versus, for instance, a function which maps standard set of universal quantum gates. A third family of quantum states| i to quantum states). Like the above classi- interest uses just n = 1 qubit per state, and consists of the cal scheme, we will require O(m) quantum bits (qubits) to states cos(jθ) 0 + sin(jθ) 1 , for θ = π/2L, and integer j. sign a m-bit message. It is not sufficient, however, to simply This family works| i for any| valuei of L, and gives δ = cos θ. plug in fk in place of f(k). First, due to the no-cloning theorem[20],| i there can be no perfect equality test for quan- The second property we exploit is that although the map- tum states. Also, as we show below, the nature of quantum ping k fk is easy to compute and verify, it is impossible states provides Alice with non-classical cheating strategies. to invert7→(without | i knowing k) by virtue of a fundamental And unlike classical schemes, only a limited number of copies theorem of quantum information theory. Holevo’s theorem of the public key can be issued, or the scheme becomes in- limits the amount of classical information that can be ex- secure. Despite these difficulties, the protocol we present, tracted from a quantum state[15, 20]; in particular, mea- when used correctly, allows the probability of any security surements on n qubits can give at most n classical bits of failure to be made exponentially small with only polynomial information. Thus, given T copies of the state fk , we can expenditure of resources. We begin by defining quantum learn at most T n bits of information about k|, andi when one-way functions and discussing their properties. We then L T n 1, our chance of successfully guessing the string − ≫ present our signature protocol and prove its security; this k remains small. This means that k fk acts as a sort proof appears in two parts, separated by a discussion of key of quantum one-way function, with a7→ classical | i input and a distribution. We conclude with some generalizations of and quantum output. limitations to our protocol. Certain important properties of classical functions are taken for granted which are no longer so straightforward quantum- mechanically. Given two outputs fk and fk′ , how can we 3. QUANTUM ONE-WAY FUNCTIONS ′ | i | i Ever since the invention of secure quantum key distribu- be sure that k = k ? This is done using a simple quantum tion[5], many attempts have been made to exploit the unique circuit[10], which we shall call the swap test. Take the states properties of quantum systems to provide new cryptographic fk and fk′ , and prepare a single ancilla qubit in the state (| 0i + 1 |)/√i2. Next, perform a Fredkin gate (controlled- primitives. A great surprise was the failure of quantum bit | i | i swap) with the ancilla qubit as control and f ′ and fk commitment[19, 18]; subsequently, less powerful but still in- | k i | i teresting primitives such as quantum bit escrow[1] were in- as targets. Then perform a Hadamard gate on the ancilla qubit and measure it. If the result is 0 , then the swap test troduced. Looking beyond cryptography, many more new | i is passed; this always happens if f ′ = fk . Otherwise, if quantum protocols have been discovered, such as quantum | k i | i random access codes[2] and quantum fingerprints[10]. fk′ fk δ, the result 0 occurs with probability at most (1+|h δ|2)/i|2. ≤ If the result is |1i, then the test fails; this happens ′ only when k = k and occurs| i with probability (1 δ2)/2. Here, we introduce a limited-utility quantum one-way func- 6 − tion, based on two properties of quantum systems[20] which Clearly the swap test works equally well even if the states are are also essential for quantum fingerprinting. First, quan- not outputs of the function f — if the states are the same, tum bits, unlike their classical counterparts, can exist in a they always pass the swap test, while if they are different, superposition of 0 and 1. The general state of a single qubit they sometimes fail. The point is that an equality test exists, is written as a two-component vector ψ = α0 0 + α1 1 = but fails with nonzero probability. | i | i | i (α0α1), where 0 and 1 form an orthonormal basis for | i | i the vector space, and α0, α1 are complex numbers satisfy- Another important property is the ability to verify the out- 2 2 ing α0 + α1 = 1. Because of this continuous degree of put of the function: given k, how do we check that a state ′ | | | | ψ = fk ? This is straightforward: since the function freedom, distances between two qubit states ψ and ψ | i | i naturally take on non-integer values (less than| i the max-| i k 0 k fk is easy to compute (here, 0 denotes an ′ | i| i 7→ | i| i | i imum, 1), defined as p1 ψ ψ′ 2, where ψ ψ is the n qubit state), simply perform the inverse operation, and − |h | i| h | i measure the second register. If ψ = fk , the measurement inner product between the two vectors. This becomes par- | i 6 | i 2 ticularly interesting when considering the general state of result will be nonzero with probability 1 ψ fk . Thus, n − |h | i| n 2 −1 verification is also possible, but again it is probabilistic. n qubits, ψ = Pj=0 αj j , where the number of coeffi- cients is exponentially| i larger| i than the number of qubits. It A naive quantum signature protocol. What happens follows from simple volumetric arguments that sets of states n n n ′ if we simply drop in our quantum one-way function in place ψ exist satisfying ψ ψ ′ δ for k = k where the k k k of the classical one in Lamport’s signature scheme[16] (de- set{| mayi} have many more|h than| i| 2n ≤states if δ6 < 1, meaning scribed above)? The protocol parameters L and n are fixed, the states are not maximally distant from each other. In and a map k fk is chosen by all parties. Alice gener- fact, as Buhrman, Cleve, Watrous, and de Wolf showed[10], 7→ | i ates k0 and k1 as her private keys, and publicly announces minimum number of people who agree with the conclusion

(0, fk0 ) and (1, fk1 ) as her public keys. As in Lamport’s that the message is valid). Result REJ implies the recipient | i | i scheme, she then signs a bit b by presenting (b,kb). Ideally, cannot safely reach any conclusion about the authenticity of the recipient, Bob, would then want to test Alice’s quantum the message. We require that any recipient who receives a public key for validity. He can do this using the verification correct message, signature pair (b,s(b)) always reaches con- test, to see if kb ffb maps back to kb 0 . Furthermore, clusion 1-ACC. once Bob is satisfied| i| withi the validity| of Alice’si| i message, he would like to be able to pass it on to Judge Charlie, knowing Security criteria. The protocol should satisfy two se- that Charlie will also find the message valid. Unfortunately, curity criteria. First, it should be secure against forging, Bob’s test sometimes fails; furthermore, it irreversibly con- which means that, even given access to a valid signed mes- sumes one of Alice’s public keys! sage (b,s(b)) and all available copies of the public keys, no forger has an appreciable chance of creating a message, sig- Other potential problems arise as well. For instance, un- nature pair (b′,s′) (with b′ = b) such that an honest recip- like the output of a perfect classical one-way function, from ient will accept it (conclusions6 1-ACC or 0-ACC) except which someone with limited computational ability can learn with exponentially small probability. Second, the scheme nothing at all about the input, fk always leaks a limited should be secure against Alice’s attempts to repudiate the amount of information about k,| thei input to the quantum message. That is, for any pair of recipients, with high prob- one-way function. Furthermore, quantum cheating strate- ability, if the first recipient reaches conclusion 1-ACC (the gies become available; for example Alice may want to make message is valid and transferable), then the second recipient Bob and Charlie disagree on the validity of her message. also reaches conclusion 1-ACC or 0-ACC (the message is How can we be sure that all of the copies of the public keys valid). she hands out are identical? Along the same lines, Alice is free to prepare an entangled initial state, with which she Our definition differs from the most common classical defi- can delay choosing k until after she has given fk away. nitions in only three respects: First, the possibility of result Her ability to do this spells the doom of any attempt| i to use 0-ACC is not available in most classical signature schemes quantum one-way functions to perform bit commitment[18, (although some allow it). Second, we only require that the 19], which is one application of classical one-way functions. security criteria hold with high probability (again true of But only Alice has the ability to change the state, and it some classical schemes). Third, and most notably, the public will not help her in this instance. This saving grace enables keys in our scheme are quantum states rather than classical us to use quantum one-way functions to perform digital sig- strings. natures. Most of the new difficulties introduced by quantum states can be dealt with by using many public keys per This protocol is applicable to a variety of cryptographic message bit instead of just one. In the remainder of the problems. For instance, Alice may wish to sign a contract paper, we discuss the details of this modification, and more with Bob such that Bob can prove to Judge Charlie that importantly address the issue of Alice’s quantum cheating the contract is valid. In this case, Bob should accept the strategies. contract whenever he gets result 1-ACC for a message, and Charlie should accept unless he gets result REJ. This 4. QUANTUM SIGNATURE PROTOCOL problem can also be solved by a variety of classical pro- We now present the signature protocol, beginning first with tocols, of course. However, most only offer security against a definition of what such a protocol should accomplish and computationally-bounded attacks. Others offer information- how its security is evaluated; following this we present the theoretic security, but require additional resources during quantum protocol in detail. the key distribution phase (see section 6), such as a secure anonymous broadcast channel[11] or a noisy channel[13, 12], Definition. We adopt essentially the usual definition of a which are difficult to justify as physical resources. In addi- one-use digital signature; that is, Alice has a set of private tion, the classical information-theoretic protocols use dis- keys and all recipients have copies of the corresponding pub- tinct private keys and require substantial interaction among lic keys. Given a message b, Alice can then produce a single the participants during the key distribution phase, whereas signed message (b,s(b)). Conversely, given any message, sig- the quantum protocol we present below requires only a phys- nature pair (b′,s′) any recipient can process the pair to reach ically plausible quantum channel and modest interactivity one of three possible conclusions: quite similar to that required by classical public key distribution.

1-ACC: Message is valid, can be transferred Quantum signature protocol specification. As the private keys for our protocol, Alice chooses a number of pairs 0-ACC: Message is valid, might not be transferable i i of L-bit strings k0,k1 , 1 i M. The k0’s will later be REJ: { } ≤ ≤ Message is invalid used to sign a message b = 0, and the k1’s will be used to i i sign b = 1. Note k0 and k1 are chosen independently and ′ randomly for each i, and M keys are used to sign each bit. The first two results imply that Alice sent the message b . M is the security parameter; the protocol is exponentially They differ in that result 1-ACC means the recipient is sure secure in M when the other parameters are fixed. The states any other recipient will also conclude the message is valid f i , f i (for each i) will then be Alice’s public keys for (thus the message is “transferable”), whereas result 0-ACC {| k0 i | k1 i} allows the possibility that a second recipient might conclude an appropriate quantum one-way function f. The public the message is invalid (the number “1” or “0” refers to the keys are “public,” in the sense that no particular security measures are necessary in distributing them: if a number The second scenario is the standard forging scenario. In this of copies fall into the hands of potential forgers, the pro- case, Alice and at least one recipient Bob are honest. Other tocol remains secure. Note that the creation of these keys recipients or some third party are dishonest, and they wish ′ is up to Alice (or someone she trusts), because unknown to convince Bob that a message b = b is valid. Naturally, quantum states cannot be perfectly copied, according to the the forgers can always prevent any6 message from being re- no-cloning theorem[20]. We begin by making the simplify- ceived, or cause Bob to reject a valid message, but we do ing assumption that all recipients have received correct and not consider this to be a success for the cheaters. identical copies of Alice’s public keys; we will revisit this assumption later in the paper. The security proof for this scenario is straightforward. In the worst case, the forger Eve has access to all T copies of each All participants in the protocol will know how to imple- public key. By Holevo’s theorem, Eve can acquire at most i ment the map k fk . All participants will also know two T n bits of information about each bit string k . When Alice 7→ | i b numbers, c1 and c2, thresholds for acceptance and rejection sends the signed message, Eve may attempt to substitute a ′ i used in the protocol. A bound on the allowed value of c2 different b = b and (possibly) different values of the k ′ to 6 b will be given as part of the proof of security, below. c1 can go with it. However, since she lacks at least L T n bits of in- − be zero in the absence of noise; the gap c2 c1 limits Alice’s formation about any public key which Alice hasn’t revealed, − − chance of cheating. We assume perfect devices− and channels she will only guess correctly on about G = 2 (L T n)(2M) throughout this paper, but our protocol still works in the keys. Furthermore, if she wishes to change a key whose iden- 2 presence of weak noise by letting c1 be greater than zero, tity she did not guess correctly, she has only probability δ and with other minor adjustments. We further require that of successfully revealing the key. Each recipient measures ′ Alice limits distribution of the public keys so that T < L/n M keys, so when b = b , each recipient will find (with high 6 2 copies of each key are available (recall that fk is an n qubit probability) that at least (1 δ )(M G) O(√M) public | i − − 2 − state). keys fail. We will pick c2 so that (1 δ )(M G) > c2M, which means each recipient either receives− the− correct mes- Alice can now send a single-bit message b using the following sage, or rejects the message with high probability. procedure: 6. KEY DISTRIBUTION 1 2 M For the first scenario, where Alice is dishonest, we will sim- 1. Alice sends the signed message (b,kb ,kb ,... ,kb ) over an insecure classical channel. Thus, Alice reveals the plify to the case where there are only two recipients, Bob and identity of half of her public keys. Charlie. However, before tackling the proof, we must return to the issue of key distribution. Here, Alice wishes Bob (for 2. Each recipient of the signed message checks each of the i instance) to accept the message and Charlie to reject it. revealed public keys to verify that k f i . Recip- b 7→ | kb i Certainly, if Alice can give completely different public keys ient j counts the number of incorrect keys; let this be to Bob and Charlie, she can easily repudiate her messages; sj . therefore, any signature scheme, classical or quantum, must 3. Recipient j accepts the message as valid and transfer- be accompanied by a key distribution scheme to eliminate this possibility. able (result 1-ACC) if sj c1M, and rejects it as ≤ invalid (result REJ) if sj c2M. If c1M

5. PROOF OF SECURITY I: FORGERY Alice can prepare any state she wishes for the public keys, We need to prove the security of this scheme against two sce- including entangled states and states outside the family fk . narios of cheaters. In the first scenario, only Alice is dishon- For instance, she can prepare a symmetric state, such| asi est; her goal is to get recipients to disagree about whether ψ B φ C + φ B ψ C . Because this state is invariant under a message is valid or not (i.e., she wishes to “repudiate” it). |swaps,i | i it always| i | passesi all tests, so that the key distribution We will show that if one recipient unconditionally accepts center concludes that Bob and Charlie will have the same (sj < c1M), then it is very unlikely that another will uncon- key. But that is an illusion — clever trickery by Alice who ditionally reject (sj′ > c2M). However, we delay this proof can nevertheless arrange that Bob and Charlie disagree on i until after discussing distribution of the public keys. the validity of the corresponding private key kb. However, Alice cannot control which of them receives the valid key; it of the message. We do this by studying a global pure state goes randomly to Bob or Charlie. Thus, since M is large, Ψ , which describes all of the public keys as well as any | i the difference sB sC is O(√M) with high probability, state that Alice may have which is entangled with the keys. which makes it| very− unlikely| that Bob and Charlie will get Any state which passes the initial swap tests will be sym- definitive but differing results. That is, when one of them metric between the test keys and the kept keys; in fact, it (say, Bob) accepts a message (1-ACC), that is sB < c1M, is symmetric between any individual test key and the cor- Charlie almost never rejects it (REJ), which would happen responding kept key. Therefore, we can safely assume Alice if sC > c2M. The gap between c1M and c2M protects them prepares Ψ with this property. From now on, when we against Alice’s machinations. speak of the| i swap test, we only refer to the second swap test between the two test keys. Of course, assuming a universally trusted third (or in this case, fourth) party always simplifies cryptographic proto- Now, for each set of four keys (two test and two kept), the cols, so for the full proof, we wish to consider a more sophis- most general state is a superposition of two types of terms. ticated scenario. In this case, we assume that Bob and Char- A type-1 term may pass the swap test, but leaves Bob and lie have each received their public keys directly from Alice, Charlie in agreement, on average, about the validity of the perhaps in person, perhaps via a private key authenticated keys, while a type-2 term frequently fails the swap test. To channel. Then to test their keys classically, Bob and Char- perform the decomposition, we expand the kept keys and the ′ a a a a lie would announce and compare them. For our quantum test keys each in the basis f f , f⊥ f⊥ , + , and , protocol, they can instead perform the following distributed where the first ket is Bob’s,| i| thei second| i| isi Charlie’s,| i |−f =i a | i swap test: Each of Bob and Charlie receives from Alice two f i for the current value of b and i, the states f⊥ form an kb copies of each public key (so there are a total of T = 4 | i a a| i a orthonormal basis with f , and = f f⊥ f⊥ f . copies of each public key in circulation). For each value of Thus, a dishonest Alice might,| i for instance,|± i | preparei| i ± the | stai| tei i and b, the recipients verify that they all received the same a a ψ = f K f K + T + + K f T f T , where the subscript public key f i . To do so, each recipient first performs a | i | i | i | i | i | i | i | kb i K indicates kept keys and T indicates test keys. A type-1 swap test between their two keys, then passes one copy to term is any term for which both the kept and test keys are ′ a single recipient (Bob, for instance). Bob then checks that a a a in a state f f , f⊥ f⊥ , or + . Note that a sum of these two test keys pass the swap test as well. If any keys type-1 terms| i| (suchi | as i|ψ , above)i | mayi always pass the swap fail either test, the protocol is aborted. Otherwise, discard test, but also has equal| i amplitudes for Bob and Charlie to the test keys. The remaining “kept” keys are used to verify pass key verification. A type-2 term is any term includ- messages in the main protocol. ing a a state for the kept keys, the test keys, or both. For the|− type-2i terms, we explicitly note the symmetry be- A dishonest recipient can always cause the key distribution tween the kept and test keys, meaning the superposition phase to abort, but nothing more. He could also allow a ′ ′ ′ ( +a a + a +a )/√2 is the only way a +a dishonest Alice to incorrectly pass the test, but the notion K T K T can| appear.i |− i In particular,|− i | i any sum of type-2 terms|− respect-i| i of a digital signature is only meaningful when at least two ing this symmetry must have at least a 50% chance of failing participants are honest. When Alice is honest, no cheater the swap test. On the other hand, some superpositions of has an opportunity to alter someone else’s public key, so the type-2 terms can give different chances for Bob and Char- scheme remains secure against forgery. lie to pass key verification. Also note that the subspace of type-1 terms is orthogonal to the subspace of type-2 terms. We wish to emphasize that the above suggestions for key distribution are by no means the only possibilities. The dis- Expanding every set of keys in Ψ in this way gives a global tributed swap test can easily be generalized to the case of state which we can again divide| upi into two terms: Ψ + multiple recipients (see Section 8), for instance, and many 1 Ψ . Every summand in Ψ contains at most r |type-2i classical methods of key distribution can be adapted for the 2 1 tensor| i factors, where r = cM| fori some constant c > 0; the quantum case to allow a variety of security assumptions. rest are type-1 terms. Ψ consists of terms with more than Ideally, it would be possible to state a simple security cri- 2 r type-2 tensor factors.| i terion that would evaluate whether a given method of key distribution is successful or not without reference to the par- We wish to show first that for the state Ψ , s s ticular quantum public key protocol for which the keys are 1 B C will be small. If there were only a single summand| i | in−Ψ ,| intended, but we do not attempt to formulate such a defini- 1 this would clearly be true, since each type-1 factor has| ani tion. equal probability of contributing to sB and to sC , and there are only a few type-2 terms. However, different summands of Ψ1 with different patterns of type-1 and type-2 states 7. PROOFOFSECURITYII:REPUDIATION | i might interfere quantum-mechanically. To show sB sC AND TRANSFERABILITY is small even in this case, it will be sufficient to| look− just| We now return to the security of our digital signature pro- at the kept keys, and furthermore only at the states +a ′ a a a | i tocol, and show that it prevents Alice from cheating (repu- and — the states f f and f⊥ f⊥ always produce diating a message she has signed). Whatever the method |− i | i| i | i| i exactly the same contribution to sB and to sC , and cannot ′ of key distribution, some form of swap test is likely to be interfere with each other. In fact, +a and a cannot ′ present, so we assume the use of a distributed swap test. interfere when a = a , so we can restrict| i attention|− i to just Our goal is to compute the probability pcheat that Alice can two states + and6 . On the other hand, the combination pass all the swap tests but achieve sB sC > (c2 c1)M, 0 = ( + |+i )/|−i√2 will always cause Bob’s key to pass meaning that Bob and Charlie disagree| − about| the− validity | i | i |−i and Charlie’s to fail, whereas 1 =( + )/√2 gives the perform a second symmetry test, and keeps the last copy for opposite result. | i | i−|−i his own symmetry test. Each recipient now has t test keys, and performs a symmetry test on those keys. He rejects the This allows us to simplify the problem. We can invoke set of keys if it fails either of the symmetry tests he per- the lemma from Appendix A to show that, for large M formed. If we restrict attention to any particular pair of re- and sufficiently small c, the probability that sB sC < cipients, this procedure essentially reduces to the distributed | − | (c2 c1)M for Ψ1 is exponentially small in M; less than swap test again, so the proof of the previous section tells us − −− − | −i 2 [1 H((1 c2+c1)/2) H(c)]M , in fact, although this is not at that for any two recipients i and j, the probability that the all a tight bound. keys pass the symmetry test but si sj > (c2 c1)M is exponentially small in M. This shows| − the| signature− proto- For Ψ2 , we wish to show that the probability of passing col remains secure with the distributed symmetry test and the swap| i test is very small. To see this, it will suffice to many recipients. consider a modified swap test which passes any state of the test keys except a ; certainly the probability of passing We can also create additional thresholds to allow more than |− i this test can be no smaller than the probability of passing one transfer. That is, 0 = c0 < c1 <... 0, this is exponentially small in M. other people of the message’s validity sequentially, even if each wants to be sure later people accept it as well. The

Now we can put this together to obtain a bound on pcheat, security of s-acceptance follows immediately from the proof which is the probability that the state both passes the swap of security in the last section, simply substituting cr cr−1 − test and produces s s > (c c )M. The Ψ term for c2 c1. B C 2 1 1 − might have a good chance| − of| passing− all swap tests,| buti yields an exponentially small chance of giving the required sepa- Another useful extension is the ability to expand the original ration between sB and sC . The Ψ2 term might have O(1) symmetry test to additional groups of keys. Assume we have | i probability of having sB sC > (c2 c1)M, but only has an a single recipient Bob who communicates with two separate − O(2 r ) chance of passing| − all| swap tests.− The best case for sets of recipients; we will assume Bob is not allied with the constructive interference between the two terms gives a total sender Alice. Suppose Bob receives s + 1 keys originally, probability pcheat at most twice the sum of the two proba- and performs a test on them for complete symmetry. Then bilities for Ψ1 and Ψ2 , which is still exponentially small he keeps one key for verifying a signature, and uses some | i | i −M in M. Therefore, Alice has pcheat O(d ) probability of (but not all) of the s test keys to perform a distributed ∼ successfully cheating for some d> 1. symmetry test with a group R1 of recipients. The extra test keys certainly do not affect the security of the distributed 8. GENERALIZATIONS AND EXTENSIONS symmetry test. Suppose Bob uses the remaining test keys to perform a distributed symmetry test with a second group One straightforward generalization is to use the distributed of recipients R , possibly at a much later time. Then if swap test with many recipients. To do this, we can re- 2 Charlie is in R and Diane is in R , we know that (with high place the swap test with a test for complete symmetry of 1 2 probability) either the keys fail a test, or that s s < s states [10]. Instead of preparing an ancilla in the state B C ∆M and that s s < ∆M for some ∆, in| which− case| ( 0 + 1 )/√2, we prepare a superposition over states in- B D it is also true that| −s | s < 2∆M. In other words, even dexed| i by| i all permutations of s elements. Then perform the C D though Charlie and| Diane− have| not interacted directly, the permutation σ conditioned on the ancilla being in the state gap between s and s is still bounded, but by twice the σ , and finally measure the ancilla to see if it remains in C D margin between two recipients in the same group. the| i original superposition. If the state of keys being tested is completely symmetric, it always will pass, otherwise it has While we have described a procedure for signing single-bit some chance to fail. Furthermore, note that, for any state messages, multi-bit messages can be sent by repeating the of the keys, the probability that any particular pair of keys process, using M pairs of public keys for each message bit. out of the s keys being tested will fail a regular swap test is However, a much more efficient procedure is to first encode no larger than the chance that the full set of keys fails the the message in a classical error-correcting code with dis- symmetry test, so for any pair of keys, the symmetry test is tance M, and to use a single pair of public keys for each at least as sensitive as the swap test. encoded bit. The single-bit protocol can be viewed as a spe- cial case of this using a repetition code. Valid messages are The distributed symmetry test then allows public key distri- codewords of the error-correcting code; to change from one bution for t> 2 recipients. Each person receives t + 1 copies valid message to another requires altering M bits. There- of each public key (so there are T = t(t + 1) copies in cir- fore, the above security proofs hold with only two changes: culation) and tests them for complete symmetry. Assuming G, the number of keys successfully guessed by Eve, is now they pass, each recipient keeps one copy of each key to verify − − 2 (L T n)(2N), where N is the length of the full encoded a signature, sends one copy to each of the other recipients to message. In addition, if Alice attempts to cheat, she can is the requirement that the length of a signed message also produce a difference sB sC proportional to N, not M, scale linearly with L. There does not seem to be a funda- using type-1 terms. We| should− | thus have M scale linearly mental requirement for this, luckily, so it seems plausible with N when the latter is very large. that an improved protocol is possible for which the length of messages scales at most logarithmically with T . 9. CONCLUSIONS Scaling of resources with other variables can probably be im- The digital signature scheme provided here has many poten- proved as well. Earlier, we showed how to reduce the amount tial applications. It combines unconditional security with of key required to send long messages; perhaps further im- the flexibility of a public key system. An exchange of dig- provement is possible. Classical private-key authentication ital signature public keys is sufficient to provide authenti- allows the expenditure of only a logarithmic amount of key cation information for a quantum key distribution session. in the length of the message; it is reasonable to speculate Quantum digital signatures could be used to sign contracts that similar efficiency could be achieved here. Efficiently or other legal documents. In addition, digital signatures signing known quantum states would allow this, for instance, are useful components of other more complex cryptographic since then we could sign a quantum fingerprint [10] of the procedures. message. One particularly interesting application is to create a kind Since our scheme requires a new set of keys for each mes- of quantum public key cryptography. If Bob has Alice’s sage, the total amount of key consumed also scales linearly public key, but Alice has nothing from Bob, then Bob can with the number of messages sent. It would be preferable to initiate a quantum key distribution session with Alice. Bob reduce this to the levels allowed by classical protocols: the will be sure that he is really talking to Alice, even though log of the number of messages, or even constant (although Alice has no way to be sure that Bob is who he says he is. it seems unlikely that is possible). Either would imply sub- Therefore, the key generated this way can be safely used to stantial reuse of public keys. Designing such a protocol will send messages from Bob to Alice, but not vice-versa. be a difficult task, however, since usual classical techniques for reusing signature keys cannot be applied to quantum However, quantum public keys have a number of disadvan- public keys. tages. It is not possible to sign a general unknown quantum state, even with computational security [3]; this is unfortu- In summary, we have demonstrated the existence of an un- nate, since a common classical method for distributing pub- conditionally secure public key digital signature scheme, some- lic keys is to have a trusted “Certificate Authority” (whose thing which is not possible classically. Many potential im- public key is already well-known) sign them for later trans- provements remain, however. The possibilities and ulti- missions. However, perhaps this can be circumvented: the mate limitations of quantum public key cryptography re- quantum public keys of our protocol are known quantum main largely unexplored. states, so perhaps there is some way to securely sign them for distribution at a later time. Acknowledgements: We thank C. Bennett, C. Crepeau, D. DiVincenzo, D. Leung, H. K. Lo, D. Mayers, M. Mosca, Note that in a purely classical scheme, the public key can be J. Smolin, B. Terhal, and W. van Dam for helpful com- given out indiscriminately. This cannot be true of a quan- ments. DG was supported by a Clay long-term CMI prize tum scheme: when there are very many copies of a public fellowship. ILC was supported in part by the Things That key, sufficiently careful measurements can completely deter- Think consortium and the QuARC project under a DARPA mine its state, and therefore one may as well treat the public Quantum Information Science and Technology grant. key as classical. In that case, security must be dependent on computational or similar assumptions. Thus, any quantum digital signature scheme will necessarily require limited 10. REFERENCES circulation of the public key. This is primarily a question of [1] Aharonov, D., Ta-Shma, A., Vazirani, U., and efficiency, since sufficiently large L allows many keys to be Yao, A. Quantum bit escrow. In Proceedings of the issued. 32nd Annual ACM Symposium on Theory of Computing (New York, 2000), ACM Press, So how do the required resources scale with the number of pp. 705–714. quant-ph/0004017. recipients? There are three resources that one might con- [2] Ambainis, A., Nayak, A., Ta-Shma, A., and sider: the size of each public key, the size of a single signed Vazirani, U. Quantum dense coding and a lower message, and size of the private key. In our case, a single bound for 1-way quantum finite automata. In public key need only scale as the logarithm of the number Proceedings of the 31st Annual ACM Symposium on of receivers. This is good, since the public keys are made of Theory of Computing (New York, 1999), ACM Press, qubits, which may be the most expensive component. How- pp. 376–383. quant-ph/9804043. ever, the length L of the private key must be at least equal to T , the total number of public keys in circulation, which [3] Barnum, H., Crepeau, C., Gottesman, D., Smith, must be linear or quadratic in the number of recipients. It A., and Tapp, A. Authentication of quantum remains possible that an improved proof or protocol could messages. in preparation (2001). reduce the required L substantially, although we are not op- timistic on this point. However, this is not too serious, since [4] Bennett, C. H., and Brassard, G. Quantum the classical memory used to store the private key is already public key distribution reinvented. Sigact News 18(4) quite cheap. A more serious flaw in our current protocol (1987), 51–53. [5] Bennett, C. H., Brassard, G., and Ekert, A. K. [22] Rivest, R. Cryptography, vol. 1. Elsevier, Quantum cryptography. Sci. Am. 267, 4 (Oct. 1992), Amsterdam, The Netherlands, 1990, pp. 717–755. 50. [23] Rivest, R. L., Shamir, A., and Adleman, L. A [6] Bennett, C. H., and DiVincenzo, D. P. Quantum method of obtaining digital signatures and public-key information and computation. Nature 404 (2000), cryptosystems. Comm. Assoc. Comput. Mach. 21 247–55. (1978), 120–126. [7] Bennett, C. H., and Shor, P. W. Quantum [24] Rompel, J. One-way functions are necessary and information theory. IEEE Transactions on sufficient for secure signatures. Proc. 22th Ann. ACM Information Theory 44, 6 (1998), 2724–42. Symp. on Theory of Computing (STOC ’90) (1990), 387–394. [8] Brassard, G. The dawn of a new era for quantum cryptography: The experimental prototype is working! [25] Shor, P. W. Polynomial-time algorithms for prime Sigact News 20(4) (1989), 78–82. factorization and discrete logarithms on a quantum computer. SIAM J. Comp. 26, 5 (1997), 1484–1509. [9] Brassard, G. Cryptology column — 25 years of quantum cryptography. Sigact News 27(3) (1996), APPENDIX 13–24. A. LEMMA FOR PROOF OF TRANSFER- [10] Buhrman, H., Cleve, R., Watrous, J., and ABILITY de Wolf, R. Quantum fingerprinting. Phys. Rev. Lemma 1. For any ∆ > 0, there exists a c> 0 such that, Lett. 87 (2001), 167902. for large M, the following holds: Given a state Ψ1 of M | i [11] Chaum, D., and Roijakkers, S. Unconditionally qubits which is a sum of tensor products of + and with at most r = cM factors in any term, then| i measurement|−i secure digital signatures. Lecture Notes in Computer |−i Science 537 (1991), 206–214. in the 0 , 1 basis will with high probability produce a result with weight| i | betweeni M(1/2 ∆) and M(1/2+∆). [12] Crepeau,´ C. Efficient cryptographic protocols based − on noisy channels. In Advances in Cryptology: Proceedings of Eurocrypt ’97 (Berlin, 1997), That is, if we have a superposition of words of weight at Springer-Verlag, pp. 306–317. most r, the weight measured in the Hadamard-rotated basis will be near M/2. [13] Crepeau,´ C., and Kilian, J. Weakening security assumptions and oblivious transfer. In Lecture Notes Proof: This is easy to show. There can be at most about in Computer Science: Advances in Cryptology: M N = r terms in the sum Ψ1 . Note that log2 N Proceedings of Crypto ’88 (Berlin, 1990), MH(r/M) = MH(c), where |H(ix) is the Hamming en-≈

S. Goldwasser, Ed., vol. 403, Springer-Verlag, pp. 2–7. tropy H(x) = x log2 x (1 x) log(1 x). Thus, the − 2 − − − probability y Ψ1 to get a particular string y in the 0 , [14] Gottesman, D., and Lo, H.-K. From quantum |h | i| − | i 1 basis is at most N/2M 2(H(c) 1)M . Since there are cheating to quantum security. Physics Today 53, 11 |abouti 2 M strings outside≈ the allowed range, the (Nov. 2000), 22. M(1/2−∆) total probability of being outside the allowed range is at [15] Holevo, A. S. Problems in the mathematical theory most about of quantum communication channels. Rep. Math. − − 21+[H(1/2 ∆)+H(c) 1]M . (1) Phys. 12(2) (1977), 273–278. This is small for large M whenever [16] Lamport, L. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI H(1/2 ∆) + H(c) < 1. (2) − International (October 1979). Since H(1/2 ∆) < 1 for any ∆ > 0, and H(c) 0 as − → Lo, H.-K. c 0, the lemma follows. [17] Quantum Cryptology. World Scientiﬁc, → 1998. [18] Lo, H.-K., and Chau, H. F. Is quantum bit commitment really possible? Phys. Rev. Lett. 78, 17 (1997), 3410–3413. [19] Mayers, D. Unconditionally secure quantum bit commitment is impossible. Phys. Rev. Lett. 78 (1997), 3414. [20] Nielsen, M. A., and Chuang, I. L. Quantum computation and quantum information. Cambridge University Press, Cambridge, UK, 2000. [21] Pfitzmann, B. Sorting out signature schemes. CWI Quarterly 8, 2 (1995), 147–172.