Measurement Device Independent Quantum Digital Signature (MDI-QDS): Difference between revisions
No edit summary |
|||
(89 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
The [https://arxiv.org/pdf/1704.07178.pdf example protocol] achieves the functionality of [[Quantum Digital Signature]] (QDS) by allowing exchange of messages using the procedure studied in [[Prepare and Measure Quantum Digital Signature]] but without trusting one's measurement devices, thus making the protocol device independent. It uses the security proof of [[MDI-QKD]] to the QDS scheme for insecure channels [[Measurement Device Independent Quantum Digital Signature (MDI-QDS)#References|(1)]]. This scheme involves three parties and is designed for signing one bit and the authors suggest that longer messages can be signed by iterating the same process. All three [[Quantum Digital Signature#Properties|properties]] that define QDS i.e. non-repudiation, transferability and unforgeability are implied by the protocol.</br></br> | |||
'''Tags:''' [[:Category: Multi Party Protocols|Multi Party (three)]] | '''Tags:''' [[:Category: Multi Party Protocols|Multi Party (three)]], [[:Category: Quantum Enhanced Classical Functionality|Quantum Enhanced Classical Functionality]], [[:Category: Specific Task|Specific Task]], [[Quantum Digital Signature]] (QDS), [[Prepare and Send Quantum Digital Signature|Prepare and Measure QDS]] | ||
[[Category: Multi Party]][[Category: Quantum Enhanced Classical Functionality]][[Category: Specific Task]] | [[Category: Multi Party]][[Category: Quantum Enhanced Classical Functionality]][[Category: Specific Task]] | ||
==Assumptions== | ==Assumptions== | ||
* There exists authenticated classical channels between | * There exists authenticated classical channels between seller and buyer, and, seller and verifier. | ||
* Receiver and | * Receiver and verifier share a MDI-QKD link, used to transmit classical messages in full secrecy. | ||
* Adversary is allowed to perform coherent attacks, which is the most general class of attacks [[Quantum Key Distribution|QKD]] protocols are vulnerable to, due to experimental realisation. | |||
==Outline== | ==Outline== | ||
Quantum Digital Signature protocols can be separated into two stages: the distribution stage, where quantum public keys are sent to all recipients, and the messaging stage, where classical messages are sent and verified. Here, we take the case of three parties, one sender (referred to as seller) and two receivers (buyer and verifier) sharing a one bit message. | Quantum Digital Signature protocols can be separated into two stages: the distribution stage, where quantum public keys are sent to all recipients, and the messaging stage, where classical messages are sent and verified. Here, we take the case of three parties, one sender (referred to as seller) and two receivers (buyer and verifier) sharing a one bit message.<br/> | ||
The following protocol consists of only quantum communication in the distribution phase and only classical communication in the messaging phase. It uses the protocol for QDS with insecure channels and replaces KGP (Key generation protocol) with Measurement Device Independent KGP (MDI-KGP). Distribution phase can be divided into the following steps: | The following protocol consists of only quantum communication in the distribution phase and only classical communication in the messaging phase. It uses the protocol for QDS with insecure channels [[Measurement Device Independent Quantum Digital Signature (MDI-QDS)#References|(1)]] and replaces KGP (Key generation protocol) with Measurement Device Independent KGP (MDI-KGP). Distribution phase can be divided into the following steps: | ||
*'''Key Distribution:''' Seller uses MDI-KGP twice with | *'''Key Distribution:''' Seller uses MDI-KGP twice with buyer and verifier, to generate two different keys with each, one for message bit 0 and one for message bit 1. Seller's signature for a particular message bit is a conjugation/concatenation of corresponding key for message bit sent to the buyer and the verifier. Below is an overview of MGI-KGP extracted from [[MDI-QKD]] (page to be visited in case more explanation is required) | ||
*'''MDI-KGP:''' MDI-KGP | **'''MDI-KGP:''' MDI-KGP consists of only quantum communication part from MDI-QKD protocol in [[Measurement Device Independent Quantum Digital Signature (MDI-QDS)#References|(2)]]. This protocol requires an untrusted third party sitting in the middle of the participating parties, arbitrator. The following steps are performed with seller and each receiver, pairwise for each possible bit (0 and 1). Seller and receiver, both separately prepare a state in a randomly chosen basis (of the two chosen bases, say rectilinear ([[Glossary#Quantum States|X basis]]) and diagonal ([[Glossary#Quantum States|Z basis]])), and send it to the arbitrator. The arbitrator performs [[Glossary#Bell State Measurement|Bell State Measurement]] on the two incoming states. A successful BSM entangles the two states and the outcome of the measurement is one of the four [[Glossary#Bell State|Bell States]], which is declared by the arbitrator over public channel. This process is repeated until sifting condition is met. In '''sifting''', seller and receiver then exchange the preparation basis chosen for each event, which is neglected if the basis is mismatched. If matched then, depending on the basis chosen, data (classical information of their own states/ classical bits) corresponding to each event is classified into two sets. This is repeated unless cardinality of the two sets is above a certain threshold number of elements. The receiver flips his bits (set elements) for each event according to the table shown in [[Measurement Device Independent Quantum Digital Signature (MDI-QDS)#Pseudo Code|Pseudo Code]]. It is done to correlate seller's bits with receiver's bits. This marks the end of Sifting. Finally, one of the sets is used for error correction in MDI-QKD (not the concern of this protocol), while the other set is divided into two parts, one to be used as the code key and the other, to calculate the error rate. If error rate is greater than the tolerance value decided, the protocol is aborted by both parties. The signature/private key of seller for a particular message bit is the concatenation of both buyer and verifier's code keys corresponding to that bit. | ||
*'''Symmetrisation:''' Buyer and Verifier exchange half of their MGI-KGP keys over MDI-QKD link. These become the final keys of the recipients. This prevents a dishonest seller succeed in cheating by sending dissimilar public keys to the receiver and makes the protocol secure against repudiation. Thus ends the distribution phase. | |||
*'''Symmetrisation:''' Buyer and Verifier exchange half of their | |||
Similarly, Messaging Phase is divided into the following steps: | Similarly, Messaging Phase is divided into the following steps: | ||
*'''Signing:''' Sender sends desired message and the corresponding signature to the desired receiver (called buyer). Buyer | *'''Signing:''' Sender sends desired message and the corresponding signature to the desired receiver (called buyer). Buyer checks for mismatches, first with his half of the key, received directly from Seller and then, with verifier's half shared with him during symmterisation. If there are fewer mismatches than the decided threshold (to check for repudiation, determined by experimental parameters) then buyer accepts the signature. | ||
*'''Transfer:''' Buyer forwards the same message and private key to the other receiver (called verifier) who compares it with his | *'''Transfer:''' Buyer forwards the same message and private key to the other receiver (called verifier) who compares it with his key for this message bit in the same way as the buyer, but with a different threshold value (to check for forgery and repudiation). | ||
== | |||
==Requirements== | |||
*'''Network Stage:''' [[:Category:Prepare and Measure Network Stage|Prepare and Measure]][[Category:Prepare and Measure Network Stage]] | |||
*[[Authenticated quantum channel]] | |||
*[[Authenticated classical channel]] | |||
*'''Estimated parameters''' (for security level of order <math>10^{-5}</math>) | |||
**Signature length:<math>10^{6}</math> for each message bit 0 and 1. | |||
**Transmission distance: 50km | |||
**Estimated time to generate raw keys: 93 minutes (can be improved by using detectors with better efficiency) | |||
*MDI-QKD setup (without error correction and privacy amplification) | |||
==Knowledge Graph== | |||
{{graph}} | |||
==Properties== | ==Properties== | ||
* The strings generated by Sender and Receiver are free from detector side channel attacks as one does not trust measurement devices. | * The strings generated by Sender and Receiver are free from detector side channel attacks as one does not trust measurement devices. | ||
* Implementation of long distance MDI-QKD | * Implementation of long distance MDI-QKD [Measurement Device Independent Quantum Digital Signature (MDI-QDS)#References|(3)] employs establishes long distance QDS protocol without side channel attacks | ||
* It is valid against repudiation and forging attacks | *It removes all detector side-channel attacks | ||
== | * It is valid against repudiation and forging attacks | ||
==Protocol Description== | |||
<u>'''Stage 1'''</u> Distribution | |||
*'''Input''' Key Length (<math>L</math>), Threshold values (<math>s_a, s_v</math>), error threshold (<math>E_{tol}</math>), error rate parameter (<math>e</math>) | |||
*'''Output''' Seller: <math>S_B^0,S_B^1,S_V^0,S_V^1</math> Buyer: <math>B^0,B^1</math>; Verifier: <math>V^0,V^1</math> | |||
**'''Key Distribution:''' | |||
#For k = 0,1 | |||
##<math>S_B^k=B^k=</math>'''MDI-KGP'''(Seller, Buyer, Arbitrator,k) | |||
##<math>S_V^k=V^k=</math>'''MDI-KGP'''(Seller, Verifier, Arbitrator,k) | |||
**'''Symmetrisation''' | |||
#For k = 0,1 | |||
## Buyer chooses <math>I\subset_R\{1,2,...,L\}, |I|=[L/2]</math> | |||
## <math>\forall i\epsilon I</math>, Buyer sends Verifier <math>(k,i,B^k_i)</math> | |||
## Verifier chooses <math>J\subset_R\{1,2,...,L\}, |J|=[L/2]</math> | |||
## <math>\forall j\epsilon J</math>, Verifier sends Buyer <math>(k,j,V^k_j)</math> | |||
<u>'''Stage 2'''</u> Messaging | |||
*'''Input''' Seller: Message <math>m</math>, Private Key for <math>m</math>: <math>S^B_m,S^V_m</math> | |||
*'''Output''' Buyer: accept or abort, Verifier: accept or abort | |||
**'''Signing:''' | |||
# Seller sends Buyer (m,<math>S^B_m,S^V_m</math>) | |||
# For l = 1,2,..,L | |||
##If '''<math>l\epsilon \{1,2,...,L\}-I</math>''' | |||
###Buyer counts the number of mismatches (<math>B^m_l!=S^m_l</math>), b=b+1 | |||
##If '''<math>l\epsilon J</math>''' | |||
###Buyer counts the number of mismatches (<math>V^m_l!=S^m_l</math>), v=v+1 | |||
# If <math>(b < s_aL/2)</math>&&<math>(v < s_aL/2)</math>, Buyer accepts m else he aborts | |||
**'''Transfer''' | |||
# Buyer sends Verifier (m,<math>S^B_m,S^V_m</math>) | |||
# For l = 1,2,..,L | |||
##If '''<math>l\epsilon \{1,2,...,L\}-J</math>''' | |||
###Verifier counts the number of mismatches (<math>V^m_l!=S^m_l</math>), v=v+1 | |||
##If '''<math>l\epsilon I</math>''' | |||
###Verifier counts the number of mismatches (<math>B^m_l!=S^m_l</math>), b=b+1 | |||
# If <math>(b < s_vL/2)</math>&&<math>(v < s_vL/2)</math>, Verifier accepts m else he aborts | |||
===Subroutine: '''MDI-KGP'''(Seller, Receiver R, Arbitrator,i)=== | |||
*For k=0,L | |||
#Seller chooses <math>s_{\text{basis}}\epsilon \{X,Z\}</math> and generates <math>|a\rangle</math> | |||
#Receiver chooses <math>r_{\text{basis}}\epsilon \{X,Z\}</math> and generates <math>|b\rangle</math> | |||
#Seller.send(Arbitrator,<math>|a\rangle</math>) | |||
#Receiver.send(Arbitrator,<math>|b\rangle</math>) | |||
#<math>|\Psi\rangle</math>=Arbitrator.'''BSM'''(<math>|a\rangle</math>,<math>|b\rangle</math>) | |||
#If (<math>|\Psi\rangle!={}</math>)&&(<math>s_{\text{basis}}=r_{\text{basis}}</math>) | |||
###<math>A^i_R(k)=a</math> | |||
###If (<math>s_{\text{basis}}=r_{\text{basis}}=Z</math>) | |||
####If (<math>|\Psi\rangle=\frac{1}{\sqrt{2}}(|00\rangle+|11\rangle))||(|Psi\rangle=\frac{1}{\sqrt{2}}(|00\rangle-|11\rangle)</math>) '''then''' <math>R^i(k)=b</math> | |||
####If (<math>|\Psi\rangle=\frac{1}{\sqrt{2}}(|01\rangle+|10\rangle))||(|Psi\rangle=\frac{1}{\sqrt{2}}(|01\rangle-|10\rangle)</math>) '''then''' <math>R^i(k)=\tilde b</math> | |||
###If (<math>s_{\text{basis}}=r_{\text{basis}}=X</math>) | |||
####If (<math>|\Psi\rangle=\frac{1}{\sqrt{2}}(|++\rangle+|--\rangle))||(|Psi\rangle=\frac{1}{\sqrt{2}}(|+-\rangle+|-+\rangle)</math>) '''then''' <math>R^i(k)=b</math> | |||
####If (<math>|\Psi\rangle=\frac{1}{\sqrt{2}}(|++\rangle-|--\rangle))||(|Psi\rangle=\frac{1}{\sqrt{2}}(|01\rangle-|+-\rangle)</math>) '''then''' <math>R^i(k)=\tilde b</math> | |||
*Error rate calculation | |||
#Seller and Buyer choose <math>I\subset_R\{1,2,...,L\}, |I|=e</math> | |||
#<math>\forall i\epsilon I</math>, <math>E_k=\frac{1}{e}\sum_i(A^k_R(i)\oplus R^k(i))</math> | |||
#If <math>E_k>E_{tol}</math> '''then''' abort '''else''' | |||
# '''return''' (<math>A^k_R,R^k</math>) | |||
* For more detail on error rate and MDI-KGP Pseudo code, refer [[MDI-QKD]] | |||
==Further Information== | ==Further Information== | ||
MDI-QDS is so far the best [[:Category:Prepare and Measure Network Stage|Prepare and Measure Network Stage]] QDS protocol. It does not rely on the measurement devices and is easy from implementation point of view. Unlike classical schemes, this protocol does not assume a ''trusted'' arbitrator. As the platform of widely implemented MDI-QKD is available, MDI-QDS can be implemented most efficiently and provides the best security in the QDS protocols discovered so far. Another approach would be to adapt DI-QKD for key generation. Here one would neither trust the measurement devices nor the source. As seller and buyer both act as an adversary in QDS protocols, we do not want depend on our state preparation devices either. This has not been studied yet due to as QDS protocols discovered so far yet do not match up to the efficiency of classical and post-quantum digital signature schemes in terms of signing time, key length, etc. | |||
*'''Theoretical Papers''' | |||
#[http://adsabs.harvard.edu/abs/2011EPJD...61..773Y Guang et al (2011)] A scheme for untrusted arbitartor like MDI-QDS, but trusts its measurement devices | |||
*'''Experimental Papers''' | |||
#[https://arxiv.org/abs/1703.00493 Roberts et al (2017)] Implementation of the example protocol | |||
==References== | |||
# [https://arxiv.org/abs/1507.02975 AWKA (2015)] | |||
#[https://arxiv.org/abs/1109.1473 Lo et al (2011)] | |||
#[https://aip.scitation.org/doi/10.1063/1.4817672 Xu et al (2013)] | |||
<div style='text-align: right;'>''*contributed by Shraddha Singh''</div> | <div style='text-align: right;'>''*contributed by Shraddha Singh''</div> |
Latest revision as of 15:25, 16 October 2019
The example protocol achieves the functionality of Quantum Digital Signature (QDS) by allowing exchange of messages using the procedure studied in Prepare and Measure Quantum Digital Signature but without trusting one's measurement devices, thus making the protocol device independent. It uses the security proof of MDI-QKD to the QDS scheme for insecure channels (1). This scheme involves three parties and is designed for signing one bit and the authors suggest that longer messages can be signed by iterating the same process. All three properties that define QDS i.e. non-repudiation, transferability and unforgeability are implied by the protocol.
Tags: Multi Party (three), Quantum Enhanced Classical Functionality, Specific Task, Quantum Digital Signature (QDS), Prepare and Measure QDS
Assumptions[edit]
- There exists authenticated classical channels between seller and buyer, and, seller and verifier.
- Receiver and verifier share a MDI-QKD link, used to transmit classical messages in full secrecy.
- Adversary is allowed to perform coherent attacks, which is the most general class of attacks QKD protocols are vulnerable to, due to experimental realisation.
Outline[edit]
Quantum Digital Signature protocols can be separated into two stages: the distribution stage, where quantum public keys are sent to all recipients, and the messaging stage, where classical messages are sent and verified. Here, we take the case of three parties, one sender (referred to as seller) and two receivers (buyer and verifier) sharing a one bit message.
The following protocol consists of only quantum communication in the distribution phase and only classical communication in the messaging phase. It uses the protocol for QDS with insecure channels (1) and replaces KGP (Key generation protocol) with Measurement Device Independent KGP (MDI-KGP). Distribution phase can be divided into the following steps:
- Key Distribution: Seller uses MDI-KGP twice with buyer and verifier, to generate two different keys with each, one for message bit 0 and one for message bit 1. Seller's signature for a particular message bit is a conjugation/concatenation of corresponding key for message bit sent to the buyer and the verifier. Below is an overview of MGI-KGP extracted from MDI-QKD (page to be visited in case more explanation is required)
- MDI-KGP: MDI-KGP consists of only quantum communication part from MDI-QKD protocol in (2). This protocol requires an untrusted third party sitting in the middle of the participating parties, arbitrator. The following steps are performed with seller and each receiver, pairwise for each possible bit (0 and 1). Seller and receiver, both separately prepare a state in a randomly chosen basis (of the two chosen bases, say rectilinear (X basis) and diagonal (Z basis)), and send it to the arbitrator. The arbitrator performs Bell State Measurement on the two incoming states. A successful BSM entangles the two states and the outcome of the measurement is one of the four Bell States, which is declared by the arbitrator over public channel. This process is repeated until sifting condition is met. In sifting, seller and receiver then exchange the preparation basis chosen for each event, which is neglected if the basis is mismatched. If matched then, depending on the basis chosen, data (classical information of their own states/ classical bits) corresponding to each event is classified into two sets. This is repeated unless cardinality of the two sets is above a certain threshold number of elements. The receiver flips his bits (set elements) for each event according to the table shown in Pseudo Code. It is done to correlate seller's bits with receiver's bits. This marks the end of Sifting. Finally, one of the sets is used for error correction in MDI-QKD (not the concern of this protocol), while the other set is divided into two parts, one to be used as the code key and the other, to calculate the error rate. If error rate is greater than the tolerance value decided, the protocol is aborted by both parties. The signature/private key of seller for a particular message bit is the concatenation of both buyer and verifier's code keys corresponding to that bit.
- Symmetrisation: Buyer and Verifier exchange half of their MGI-KGP keys over MDI-QKD link. These become the final keys of the recipients. This prevents a dishonest seller succeed in cheating by sending dissimilar public keys to the receiver and makes the protocol secure against repudiation. Thus ends the distribution phase.
Similarly, Messaging Phase is divided into the following steps:
- Signing: Sender sends desired message and the corresponding signature to the desired receiver (called buyer). Buyer checks for mismatches, first with his half of the key, received directly from Seller and then, with verifier's half shared with him during symmterisation. If there are fewer mismatches than the decided threshold (to check for repudiation, determined by experimental parameters) then buyer accepts the signature.
- Transfer: Buyer forwards the same message and private key to the other receiver (called verifier) who compares it with his key for this message bit in the same way as the buyer, but with a different threshold value (to check for forgery and repudiation).
Requirements[edit]
- Network Stage: Prepare and Measure
- Authenticated quantum channel
- Authenticated classical channel
- Estimated parameters (for security level of order )
- Signature length: for each message bit 0 and 1.
- Transmission distance: 50km
- Estimated time to generate raw keys: 93 minutes (can be improved by using detectors with better efficiency)
- MDI-QKD setup (without error correction and privacy amplification)
Knowledge Graph[edit]
Properties[edit]
- The strings generated by Sender and Receiver are free from detector side channel attacks as one does not trust measurement devices.
- Implementation of long distance MDI-QKD [Measurement Device Independent Quantum Digital Signature (MDI-QDS)#References|(3)] employs establishes long distance QDS protocol without side channel attacks
- It removes all detector side-channel attacks
- It is valid against repudiation and forging attacks
Protocol Description[edit]
Stage 1 Distribution
- Input Key Length (), Threshold values (), error threshold (), error rate parameter ()
- Output Seller: Buyer: ; Verifier:
- Key Distribution:
- For k = 0,1
- MDI-KGP(Seller, Buyer, Arbitrator,k)
- MDI-KGP(Seller, Verifier, Arbitrator,k)
- Symmetrisation
- For k = 0,1
- Buyer chooses
- , Buyer sends Verifier
- Verifier chooses
- , Verifier sends Buyer
Stage 2 Messaging
- Input Seller: Message , Private Key for :
- Output Buyer: accept or abort, Verifier: accept or abort
- Signing:
- Seller sends Buyer (m,)
- For l = 1,2,..,L
- If
- Buyer counts the number of mismatches (), b=b+1
- If
- Buyer counts the number of mismatches (), v=v+1
- If
- If &&, Buyer accepts m else he aborts
- Transfer
- Buyer sends Verifier (m,)
- For l = 1,2,..,L
- If
- Verifier counts the number of mismatches (), v=v+1
- If
- Verifier counts the number of mismatches (), b=b+1
- If
- If &&, Verifier accepts m else he aborts
Subroutine: MDI-KGP(Seller, Receiver R, Arbitrator,i)[edit]
- For k=0,L
- Seller chooses and generates
- Receiver chooses and generates
- Seller.send(Arbitrator,)
- Receiver.send(Arbitrator,)
- =Arbitrator.BSM(,)
- If (Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle |\Psi\rangle!={}}
)&&()
- If ()
- If () then Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle R^i(k)=b}
- If () then
- If ()
- If () then
- If () then
- Error rate calculation
- Seller and Buyer choose
- ,
- If then abort else
- return ()
- For more detail on error rate and MDI-KGP Pseudo code, refer MDI-QKD
Further Information[edit]
MDI-QDS is so far the best Prepare and Measure Network Stage QDS protocol. It does not rely on the measurement devices and is easy from implementation point of view. Unlike classical schemes, this protocol does not assume a trusted arbitrator. As the platform of widely implemented MDI-QKD is available, MDI-QDS can be implemented most efficiently and provides the best security in the QDS protocols discovered so far. Another approach would be to adapt DI-QKD for key generation. Here one would neither trust the measurement devices nor the source. As seller and buyer both act as an adversary in QDS protocols, we do not want depend on our state preparation devices either. This has not been studied yet due to as QDS protocols discovered so far yet do not match up to the efficiency of classical and post-quantum digital signature schemes in terms of signing time, key length, etc.
- Theoretical Papers
- Guang et al (2011) A scheme for untrusted arbitartor like MDI-QDS, but trusts its measurement devices
- Experimental Papers
- Roberts et al (2017) Implementation of the example protocol
References[edit]