View metadata, citation and similar papers at core.ac.uk Quantum Digital Signatures brought to you by CORE provided by CERN Document Server Daniel Gottesman and Isaac Chuang Computer Science Division, University of California, Berkeley, CA 94270 MIT Media Laboratory, Cambridge, MA 02139 The physics of quantum systems opens a door to tremen- bit message. It is not sufficient, however, to simply plug dously intriguing possibilities for cryptography, the art and in fk in place of f(k). First, due to the no-cloning the- science of communicating in the presence of adversaries [1]. orem,| i there can be no perfect equality test for quantum One major goal of classical cryptography is to certify the states. Also, as we show below, the nature of quantum origin of a message. Much like a handwritten signature states provides Alice with non-classical cheating strategies, on a paper document, a digital signature authenticates an and eavesdroppers with non-classical forgery mechanisms. electronic document and ensures that it has not been tam- And unlike classical schemes, only a limited number of pered with. The importance of digital signatures to mod- copies of the public key can be issued, or the scheme be- ern electronic commerce has become such that Rivest has comes insecure. Despite these difficulties, the protocol we written “[they] may prove to be one of the most fundamen- present, when used correctly, allows the probability of any tal and useful inventions of modern cryptography.” [2] This security failure to be made exponentially small with only is especially true of schemes where the signature can be rec- polynomial expenditure of resources. ognized using a widely available reference. The security of Let us begin with the quantum one-way function. Sup- all such public key digital signature schemes presently de- pose we take all classical bit strings k of length L,and pends on the inability of a forger to solve certain difficult assign to each one a quantum state fk of n qubits. Fur- mathematical problems, such as factoring large numbers | i ther, let the states be nearly orthogonal: fk fk δ for [3]. Unfortunately, with a quantum computer factoring be- |h | 0 i| ≤ k = k0; this allows L to be much larger than n. Buhrman, comes tractable [4], thus allowing signatures to be forged. Cleve,6 Watrous, and de Wolf introduced one such family as Here, we present a quantum digital signature scheme which quantum fingerprints,inwhichL = O(2n)andδ 0:9[7]. is absolutely secure, even against powerful quantum cheat- Another family is provided by the set of stabilizer≈ states ing strategies. It allows a sender (Alice) to sign a message [1], with L = n2=2+o(n2), and δ =1=√2. Both these sets so that the signature can be validated by one or more dif- are easy to create with any standard set of universal quan- ferent people, and all will agree either that the message tum gates. A third family of interest uses just n = 1 qubit came from Alice or that it has been tampered with. per state, and consists of the states cos(jθ) 0 +sin(jθ) 1 , | i | i Classical digital signature schemes can be created out of for θ = π/2L, and integer j. This family works for any any one-way function [5]. f(x) is a one-way function if it value of L,andgivesδ =cosθ. is easy to compute f(x)givenx, but computing x given The mapping k fk acts as a sort of “quantum one- f(x) is very difficult. This allows the following digital sig- way function” because7→ | iti is impossible to invert, but easy nature scheme [6]: Alice chooses k0 and k1, and publicly to compute and verify. Holevo’s theorem puts limits on announces f,(0;f(k0)) and (1;f(k1)). Later, to sign a sin- the amount of classical information that can be extracted gle bit b, Alice presents (b; kb). The recipient can easily from a quantum state [8]; in particular, measurements on compute f(kb) and check that it agrees with Alice’s ear- n qubits can give at most n classical bits of information. lier announcement, and since k0 and k1 were known only Thus, given t copies of the state fk , we can learn at most to Alice, this certifies that she must have sent the mes- tn bits of information about k,andwhen| i L tn 1, our sage. However, while there are many candidate one-way chance of successfully guessing the string k remains− small. functions, none have been proven to be secure, and some, We take for granted certain properties of classical func- such as multiplying together two primes (the inverse be- tions which are no longer so straightforward quantum- ing factoring the product), become insecure on a quantum mechanically. Given two outputs fk and fk ,howcanwe computer. This deficiency leaves a substantial gap in the | i | 0 i be sure that k = k0? This is done using a simple quantum cryptographic landscape. circuit [7], which we shall call the swap-test. Take the states Our quantum digital signature scheme is based on a fk and fk0 , and prepare a single ancilla qubit in the state quantum analogue of a one-way function which, unlike any (| 0i + 1|)=√i2. Next, perform a Fredkin gate (controlled- | i | i classical function, is provably secure from an information- swap) with the ancilla qubit as control and fk0 and fk theoretic standpoint, no matter how advanced the enemy’s as targets. Then perform a Hadamard on the| ancillai qubit| i computers. The key idea we introduce is a one-way func- and measure it. If the result is 0 , then the swap-test is tion whose input is a classical bit-string k, and output is a passed; this always happens if |fi = f . Otherwise, | k0 i | ki quantum state fk (versus, for instance, a function which if fk0 fk δ, the result 0 occurs with probability at maps quantum| statesi to quantum states). Like the above most|h (1| +i|δ ≤2)=2. If the result| i is 1 , then the test fails; | i classical scheme, we will require O(m) qubits to sign a m- this happens only when k = k0 and occurs with probability 6 1 2 (1 δ )=2. Clearly the swap test works equally well even if works in the presence of weak noise by letting c1 be greater the− states are not outputs of the function f —ifthestates than zero, and with other minor adjustments. are the same, they always pass the swap test, while if they The key distribution stage works as follows: are different, they sometimes fail. i i Another important property is the ability to verify the 1. Alice creates a set k0;k1 ,1 i M, of pairs of -bit strings. The {’s will} be used≤ ≤ to sign 0’s in the output of the function: given k, how do we check that a L k0 message, and the k1’s will be used to sign 1’s. Note state = fk ? This is straightforward: since the func- i i | i | i k0 and k1 are chosen independently and randomly for tion k 0 k fk is easy to compute, simply perform the inverse| i| i7→| operation,i| i and measure the second register. If each i. = fk , the measurement result will be nonzero with 2. Alice creates 2t copies of each of the states | i6 | i 2 probability 1 fk . f i ; f i . These will be Alice’s public keys. k0 k1 Blindly modifying−|h | i| classical cryptographic protocols to {| i | i} 3. Alice sends her public keys to a key distribution cen- use quantum one-way functions will generally fail. First, ter, and each of the t recipients downloads two copies given the output of a classical one-way function, someone of each fki ; fki . One copy will be used to verify with limited computational ability can learn nothing at 0 1 the message,{| i and| onei} to test for Alice cheating. The all about the input, whereas f always leaks a limited k public keys have been labelled by Alice, so the recip- amount of information about k|, thei input to the quantum ients know which key is which (but not the identities one-way function. This is why in our signature scheme, of the individual keys). Alice must limit the number of copies of her public keys in circulation. Second, verification of the identity of fk can 4. Finally, for each value of i, the recipients verify that only be done with some error. Third, quantum cheating| i they all received the same public keys using the swap strategies become available; for example Alice (the person test. Each recipient first performs a swap-test be- preparing the state) can prepare an entangled initial state, tween their two keys, then each passes one copy which enables her to delay choosing k until after she has to a single recipient. That recipient checks that given fk away. This fact spells the doom of any attempt these t test keys remain unchanged when any pair to use| quantumi one-way functions to perform bit commit- is swapped. If any of the public keys fail the test, ment [9,10], which is one application of classical one-way the protocol is aborted. Otherwise, discard the test functions. However, only Alice has the ability to change the keys. state, which enables us to use quantum one-way functions Assuming all recipients’ public keys pass the swap test, to perform digital signatures. ideally all the recipients would now have identical public Our digital signature protocol consists of two stages.