
Practical Quantum Digital Signature

Hua-Lei Yin,1,2 Yao Fu,1,2 and Zeng-Bing Chen1,2

1 Hefei National Laboratory for Physical Sciences at Microscale and Department of Modern Physics, University of Science and Technology of China, Hefei, Anhui 230026, China
2 The CAS Center for Excellence in QIQP and the Synergetic Innovation Center for QIQP, University of Science and Technology of China, Hefei, Anhui 230026, China

(Dated: September 5, 2018)

arXiv:1507.03333v3 [quant-ph] 22 Mar 2016

Guaranteeing non-repudiation, unforgeability as well as transferability of a signature is one of the most vital safeguards in today's e-commerce era. Based on fundamental laws of quantum physics, quantum digital signature (QDS) aims to provide information-theoretic security for this cryptographic task. However, up to date, the previously proposed QDS protocols are impractical due to various challenging problems and most importantly, the requirement of authenticated (secure) quantum channels between participants. Here, we present the first quantum digital signature protocol that removes the assumption of authenticated quantum channels while remaining secure against the collective attacks. Besides, our QDS protocol can be practically implemented over more than 100 km under current mature technology as used in quantum key distribution.

PACS numbers: 03.67.Dd, 03.67.Hk, 03.67.Ac

I. INTRODUCTION

Digital signatures aim to certify the provenance and identity of a message as well as the authenticity of a signature. They are widely applied in e-mails, financial transactions, electronic contracts, software distribution and so on. However, relying on mathematical complexities, classical digital signature schemes become vulnerable to quantum computing attacks. Though there are some classical unconditionally secure signature schemes [1–5], a resource-expensive assumption exists therein, namely, the secure classical channels between the participants. Quantum digital signature (QDS) bases on fundamental laws of quantum physics to guarantee its information-theoretic security. Since Gottesman and Chuang proposed the first QDS protocol [6], a quantum version of Lamport's scheme [7], the following problems appear therein: (P1) requiring the authenticated quantum channels, (P2) the preparation and transmission of complex one-way function quantum states, (P3) requiring long-term quantum memory, and (P4) other challenging operations, such as performing SWAP test on the states. A novel approach uses linear optics and photon detectors to circumvent the requirement for quantum memory and complex state preparation [8] and replaces the SWAP test with an optical multiport [9], yet leading to another challenging technology—long-distance stabilization of the Mach-Zehnder interferometer [10]. Up to date, an obviously serious problem left for a feasible QDS protocol is the impractical assumption of the authenticated quantum channels between participants being available.

The authenticated quantum channels are equivalent to the secure quantum channels that do not allow any eavesdropping. Recall that while quantum key distribution (QKD) [11, 12] requires authenticated classical channels, it does not require authenticated (secure) quantum channels because of potential eavesdropping. Actually, guaranteeing secure key distribution without authenticated quantum channels is exactly the goal and definition of QKD. Therefore, the assumption of authenticated quantum channels has to be eliminated in a QDS to be of practical value. In this paper, using single-photon qubit state and phase-randomized weak coherent states, we propose the first QDS protocol that eliminates the impractical assumption of secure quantum channels. Therefore, in respect to tackling the security problem merely requiring the authentication of classical communication, the basic assumptions underlying our QDS protocol are similar to that of QKD [11, 12] and multiparty quantum communication (quantum secret sharing) [13, 14].

We say a digital signature protocol is secure if it satisfies [3]: unforgeability, non-repudiation and transferability. Unforgeability means that a given piece of message indeed comes from the signer and remains intact during transmission, namely, no one can forge a valid signature that can be accepted by other honest recipients. Non-repudiation means that once the signer signs a message, he/she cannot deny having signed it. Transferability means that when an honest recipient of the signed message accepts a signature, other honest recipients will accept it as well. We define a QDS scheme to have $\varepsilon_{\rm unf}$-unforgeability, representing that the probability for an adversary to create a valid signature is not greater than $\varepsilon_{\rm unf}$. Similarly, we say a protocol is with $\varepsilon_{\rm nor}$-non-repudiation when the probability for the signer to repudiate a legitimate signature is not greater than $\varepsilon_{\rm nor}$. Thereby, a QDS protocol is defined to have $\varepsilon_{\rm sec}$-security when it satisfies both $\varepsilon_{\rm unf}$-unforgeability and $\varepsilon_{\rm nor}$-non-repudiation, with $\varepsilon_{\rm unf} + \varepsilon_{\rm nor} \le \varepsilon_{\rm sec}$. Considering robustness, $\varepsilon_{\rm rob}$ is the probability that the protocol will be aborted even with the absence of an adversary.

In this paper, we consider a simple and most important case with three participants, i.e., one signer and two recipients. Then the property of transferability becomes equivalent to non-repudiation [6, 8]. The QDS protocols using two copies of single-photon states and decoy-state method are proposed in Sec. II and Sec. IV, with the security analyzed in Sec. III.

II. QDS WITH TWO COPIES OF SINGLE-PHOTON STATES

There are three stages when implementing our three-participant QDS protocol, namely, the distribution stage, the estimation stage and the messaging stage. We introduce a two-photon six-state QDS protocol to illustrate our basic idea. There are six single-photon quantum states, $|H\rangle$, $|V\rangle$, $|\pm\rangle = (|H\rangle \pm |V\rangle)/\sqrt{2}$, $|R\rangle = (|H\rangle + i|V\rangle)/\sqrt{2}$ and $|L\rangle = (|H\rangle - i|V\rangle)/\sqrt{2}$. The six states can be arranged into twelve sets $\{|H\rangle, |+\rangle\}$, $\{|+\rangle, |V\rangle\}$, $\{|V\rangle, |-\rangle\}$, $\{|-\rangle, |H\rangle\}$, $\{|H\rangle, |R\rangle\}$, $\{|R\rangle, |V\rangle\}$, $\{|V\rangle, |L\rangle\}$, $\{|L\rangle, |H\rangle\}$, $\{|+\rangle, |R\rangle\}$, $\{|R\rangle, |-\rangle\}$, $\{|-\rangle, |L\rangle\}$, $\{|L\rangle, |+\rangle\}$, where the first state of each set represents logic 0 and the second logic 1.

The distribution stage: For each possible future message $m = 0$ and $m = 1$, Alice prepares two copies of a sequence of $N$ single-photon quantum states. For each quantum state, Alice randomly chooses one of the twelve sets and generates one of two non-orthogonal states in the set. Afterwards, she sends one copy to Bob and the other to Charlie through insecure (unauthenticated) quantum channels. For each quantum state, Bob and Charlie randomly and independently perform a polarization measurement with one of the three bases $\{Z, X, Y\}$, and store the corresponding classical bit. Bob and Charlie will announce the result if their detectors have no click, and then Alice, Bob and Charlie will discard all the corresponding data and keep the left $M$ bits. For each quantum state, Alice announces from which set she selects the state through the authenticated classical channels. Bob (Charlie) compares his measurement outcomes with the two states. If his measurement outcome is orthogonal to one of the states, he concludes that the other state has been sent, which represents a conclusive result.

[...] to randomly choose test bits as well). Charlie announce the location of test bits and Alice publicly announces the bit information of those test bits. Bob (Charlie) calculates the mismatching rate $e_B^c$ ($e_C^c$) of conclusive results from the test bits. When $e_B^c$ or $e_C^c$ gets too high, they announce to abort the protocol. Besides, when $P_B^c$ or $P_C^c$ shows a big deviation from the ideal value $P^c = 1/6$, they also announce to abort the protocol. Otherwise, Bob and Charlie announce the mismatching rate and the probability, $\{e_B^c, P_B^c\}$ and $\{e_C^c, P_C^c\}$, respectively. Alice, Bob and Charlie only keep $M_u$ untested bits, denoted by $S_A$, $S_B$ and $S_C$.

The messaging stage: To sign one-bit message $m$, Alice sends the message $m$ and the corresponding bit string $S_A$ to the authenticator, Bob. Bob checks the mismatching rate $P_B^c E_B^c$ between $S_A$ and $S_B$, where $E_B^c$ is the mismatching rate of the conclusive results. The inconclusive outcomes are considered to match Alice's announcement bits automatically. If the mismatching rate $E_B^c \le T_a$ ($T_a$ is the authentication security threshold), Bob accepts the message. Otherwise, he rejects it and announces to abort the protocol. After Bob accepts the message, he forwards it and the corresponding bit string $S_A$ to the verifier Charlie. Charlie checks the mismatching rate $P_C^c E_C^c$ between $S_A$ and $S_C$, where $E_C^c$ is the mismatching rate of the conclusive results. If the mismatching rate $E_C^c \le T_v$ ($T_v$ is the verification security threshold), Charlie accepts the forwarded message, otherwise he rejects it.

Note that the distribution stage is a quantum process, while the estimation and messaging stage are classical communication processes. The time interval between the distribution stage and estimation stage is arbitrary. The estimation stage is employed to estimate the parameters $T_a$ and $T_v$, which are used for the messaging stage. After the distribution stage, once Alice wants to sign the message, she will start the estimation stage and the messaging stage. As Alice is the signer, she can identify the one who is the desired recipient (namely the authenticator) before the estimation stage. Therefore, the roles of Bob and Charlie are equivalent, either of them can be the receiver of the message and forwards it to the other.

III. SECURITY ANALYSIS