Prepare and Measure Quantum Digital Signature: Difference between revisions

From Quantum Protocol Zoo
Jump to navigation Jump to search
mNo edit summary
No edit summary
 
(16 intermediate revisions by 2 users not shown)
Line 1: Line 1:
This [https://arxiv.org/abs/1403.5551 example protocol] achieves the task of [[Quantum Digital Signature]] which allows for the exchange of single or multiple bit classical messages from sender to multiple recipients such that parties are required to prepare and measure quantum states instantly without having to store them. For simplicity, most protocols take into account the case of one sender and two recipients (Seller, buyer, and verifier) exchanging single-bit classical messages.</br> It ensures that the sender (seller) cannot deny at a later stage having signed the message, a recipient (buyer) cannot fake or alter the QDS and another sender (verifier) can use the above two properties to verify if the sent message is signed by the genuine sender, thus, satisfying properties of  [[Quantum Digital Signature#Properties|transferability]], [[Quantum Digital Signature#Properties|non-repudiation]] and [[Quantum Digital Signature#Properties|unforgeability]]. It allows the user to sign electronic documents.</br>
This [https://arxiv.org/abs/1403.5551 example protocol] achieves the task of [[Quantum Digital Signature]] which allows for the exchange of single or multiple bit classical messages from sender to multiple recipients such that parties are required to prepare and measure quantum states instantly without having to store them. For simplicity, most protocols take into account the case of one sender and two recipients (Seller, buyer, and verifier) exchanging single-bit classical messages.</br> It ensures that the sender (seller) cannot deny at a later stage having signed the message, a recipient (buyer) cannot fake or alter the QDS and another sender (verifier) can use the above two properties to verify if the sent message is signed by the genuine sender, thus, satisfying properties of  [[Quantum Digital Signature#Properties|transferability]], [[Quantum Digital Signature#Properties|unforgeability]] and [[Quantum Digital Signature#Properties|non-repudiation]] respectively. It allows the user to sign electronic documents.</br>


'''Tags:''' [[:Category:Multi Party Protocols|Multi Party (three)]], [[:Category:Quantum Enhanced Classical Functionality|Quantum Enhanced Classical Functionality]], [[:Category:Specific Task|Specific Task]], [[Quantum Digital Signature]], [[Quantum Digital Signature with Quantum Memory]], [[Measurement Device Independent Quantum Digital Signature (MDI-QDS)]], Unconditional Security
'''Tags:''' [[:Category:Multi Party Protocols|Multi Party (three)]], [[:Category:Quantum Enhanced Classical Functionality|Quantum Enhanced Classical Functionality]], [[:Category:Specific Task|Specific Task]], [[Quantum Digital Signature]], [[Quantum Digital Signature with Quantum Memory]], [[Measurement Device Independent Quantum Digital Signature (MDI-QDS)]], Unconditional Security
Line 9: Line 9:


==Outline==
==Outline==
Quantum Digital Signature (QDS) protocols can be separated into two stages: the distribution stage, where quantum signals (public keys) are sent to all recipients, and the messaging stage, where classical messages are signed, sent and verified. Here, we take the case of three parties, one sender (referred to as seller) and two receivers (buyer and verifier) sharing a one-bit message.  
Quantum Digital Signature (QDS) protocols can be separated into two stages: the distribution phase, where quantum signals (public keys) are sent to all recipients, and the messaging phase, where classical messages are signed, sent and verified. Here, we take the case of three parties, one sender (referred to as seller) and two receivers (buyer and verifier) sharing a one-bit message.  
Distribution phase can be divided into the following steps:
Distribution phase can be divided into the following steps:
*''' Key Distribution:''' Seller generates her (public key, private key) pair and shares the public key with both receivers in this step. For each possible message (0 or 1), she generates two identical sequences/copies (one for each receiver per possible message) of randomly chosen BB84 ∈ {0,1,+,−} states. The sequence of states is called quantum public key and its classical description, private key. She then sends copies of each quantum public key to the receivers while keeping both the private keys secret to herself. At the end of this step, the seller has two private keys, one for each possible message. Similarly, each receiver has two quantum public keys, one for each possible message.
*''' Key Distribution:''' Seller generates her (public key, private key) pair and shares the public key with both receivers in this step. For each possible message (0 or 1), she generates two identical sequences/copies (one for each receiver per possible message) of randomly chosen BB84 ∈ {0,1,+,−} states. The sequence of states is called quantum public key and its classical description, private key. She then sends copies of each quantum public key to the receivers while keeping both the private keys secret to herself. At the end of this step, the seller has two private keys, one for each possible message. Similarly, each receiver has two quantum public keys, one for each possible message.
*''' State Elimination:''' Receivers store their classical records of the quantum public keys in this step. For each quantum public key received, a receiver randomly chooses X or Z basis for each qubit and measures. Whatever outcome he gets, the receiver is certain that seller could not have generated a state orthogonal to his outcome. So, he records the state orthogonal to his outcome as the eliminated signature element. Such measurement is called ’Quantum State Elimination’. The sequence thus generated by measurement of all the qubits in a public key is called receiver’s eliminated signature for the respective quantum public key. Thus, each receiver finally has two eliminated signatures, one for each possible message.
*''' State Elimination:''' Receivers store their classical records of the quantum public keys in this step. For each quantum public key received, a receiver randomly chooses pauli X or Z basis for each qubit and measures. Whatever outcome he gets, the receiver is certain that seller could not have generated a state orthogonal to his outcome. So, he records the state orthogonal to his outcome as the eliminated signature element. Such measurement is called ’Quantum State Elimination’. The sequence thus generated by measurement of all the qubits in a public key is called receiver’s eliminated signature for the respective quantum public key. Thus, each receiver finally has two eliminated signatures, one for each possible message.
*'''Symmetrisation:''' The two receivers exchange half of their randomly chosen eliminated signature elements. This prevents a dishonest seller to succeed in cheating by sending dissimilar public keys to the receivers. Thus ends the distribution phase.
*'''Symmetrisation:''' The two receivers exchange half of their randomly chosen eliminated signature elements. This prevents a dishonest seller to succeed in cheating by sending dissimilar public keys to the receivers. Thus ends the distribution phase.
[[File:Prepare and Measure Quantum Digital Signature (QDS).png|right|thumb|1000px|<math>\rightarrow</math>: Classical channel</br> ~>: Quantum channel]]


Similarly, Messaging Phase is divided into the following steps:
Next the messaging phase is divided into the following steps:
*''' Signing:''' Seller sends desired classical one-bit message and the corresponding private key to the desired receiver (called buyer). Buyer compares the private key with his eliminated signature for the corresponding message and counts the number of mismatches (eliminated signature element in seller’s private key).
*''' Signing:''' Seller sends desired classical one-bit message and the corresponding private key to the desired receiver (called buyer). Buyer compares the private key with his eliminated signature for the corresponding message and counts the number of mismatches (eliminated signature element in seller’s private key).
*''' Transfer:''' Buyer forwards the same message and private key to the other receiver (called verifier) who compares it with his eliminated signature for this message.
*''' Transfer:''' Buyer forwards the same message and private key to the other receiver (called verifier) who compares it with his eliminated signature for this message.
Line 33: Line 32:
**<math>m_{b^k_l}</math>: measurement outcome of <math>b^k_l</math>
**<math>m_{b^k_l}</math>: measurement outcome of <math>b^k_l</math>


==Hardware Requirements==
==Requirements==
** Network Stage: [[:Category:Prepare and Measure Network Stage|Prepare and Measure Network Stage]]
** Network Stage: [[:Category:Prepare and Measure Network Stage|Prepare and Measure Network Stage]]
**Network Stage parameters of relevance: <math>\epsilon_T, \epsilon_M</math>
**Network Stage parameters of relevance: <math>\epsilon_T, \epsilon_M</math>
Line 39: Line 38:
**Requires [[authenticated quantum channel]] (assumption removed in a variant of the protocol)
**Requires [[authenticated quantum channel]] (assumption removed in a variant of the protocol)
**Benchmark values per qubit: QBER: 1-3<math>\%</math>, Transmission distance(d): 200 km, Key Length: 2Mbits, Estimated time: 3.5s, attenuation: 45.8dB at 200kms
**Benchmark values per qubit: QBER: 1-3<math>\%</math>, Transmission distance(d): 200 km, Key Length: 2Mbits, Estimated time: 3.5s, attenuation: 45.8dB at 200kms
==Knowledge Graph==
{{graph}}


==Properties==
==Properties==
Line 47: Line 50:
**provides security against forgery, i.e. any recipient (verifier) with high probability rejects any message which was not originally sent by the seller herself. Forging probability is given by the formula, <math>P(\text{forge})\le e^{-(c_{\min}-2s_v)^2L}</math>, where <math>c_{\min}</math> is 3/8 (calculated using uncertainty principle).
**provides security against forgery, i.e. any recipient (verifier) with high probability rejects any message which was not originally sent by the seller herself. Forging probability is given by the formula, <math>P(\text{forge})\le e^{-(c_{\min}-2s_v)^2L}</math>, where <math>c_{\min}</math> is 3/8 (calculated using uncertainty principle).


==Pseudocode==
==Protocol Description==


<u>'''Stage 1'''</u> Distribution
<u>'''Stage 1'''</u> Distribution
Line 60: Line 63:
#For k = 0,1
#For k = 0,1
##For l = 1,2,...,L
##For l = 1,2,...,L
### Buyer chooses <math>b^k_l \epsilon_R {0,1}</math>  
### Buyer chooses <math>b^k_l \epsilon_R \{0,1\}</math>  
###If <math>b^k_l=0</math>, Buyer measures his qubit in X basis <math>\{|+\rangle,|-\rangle\}</math>
###If <math>b^k_l=0</math>, Buyer measures his qubit in X basis <math>\{|+\rangle,|-\rangle\}</math>
###If <math>b^k_l=0</math>, Buyer measures his qubit in Z basis <math>\{|0\rangle,|1\rangle\}</math>
###If <math>b^k_l=1</math>, Buyer measures his qubit in Z basis <math>\{|0\rangle,|1\rangle\}</math>
###'''return''' <math>m_{b^k_l}</math>
###'''return''' <math>m_{b^k_l}</math>
###<math>B^k_l=1-m_{b^k_l}</math>
###<math>B^k_l=1-m_{b^k_l}</math>


**Verifier repeats steps 2(a)-2(b) with randomly chosen basis <math>v^k_l</math> to get his eliminated signature elements <math>V^k_l</math>
**Verifier repeats State Elimination steps with randomly chosen basis <math>v^k_l</math> to get his eliminated signature elements <math>V^k_l</math>


**'''Symmetrisation'''
**'''Symmetrisation'''
Line 81: Line 84:
*'''Input''' Seller: Message m, Private Key for m: <math>\{\beta^m_1,...,\beta^m_L\}</math>
*'''Input''' Seller: Message m, Private Key for m: <math>\{\beta^m_1,...,\beta^m_L\}</math>
*'''Output''' Buyer: accept or abort, Verifier: accept or abort
*'''Output''' Buyer: accept or abort, Verifier: accept or abort
**'''Signing:''' ’mismatch’ is when Buyer finds an eliminated signature element in Seller’s private key
**'''Signing:''' `mismatch’ is when Buyer finds an eliminated signature element in Seller’s private key
# Seller sends Buyer (m,<math>\{\beta^m_1,...,\beta^m_L\}</math>)
# Seller sends Buyer (m,<math>\{\beta^m_1,...,\beta^m_L\}</math>)
# For l = 1,2,..,L
# For l = 1,2,..,L
##Buyer counts the number of mismatches (<math>B^m_l=V^m_l</math>) and returns <math>S_b</math>
##Buyer counts the number of mismatches (<math>B^m_l=\beta^m_l</math>) and returns <math>S_b</math>
# If <math>S_b < s_aL/2</math>, Buyer accepts m else he aborts
# If <math>S_b < s_aL/2</math>, Buyer accepts m else he aborts
**'''Transfer'''
**'''Transfer'''
# Buyer sends Verifier (m,<math>\{\beta^m_1,...,\beta^m_L\}</math>)  
# Buyer sends Verifier (m,<math>\{\beta^m_1,...,\beta^m_L\}</math>)  
# For l = 1,2,....,L
# For l = 1,2,....,L
##Verifier counts the number of mismatches (<math>V^m_l=B^m_l</math>) and returns <math>S_v</math>
##Verifier counts the number of mismatches (<math>V^m_l=\beta^m_l</math>) and returns <math>S_v</math>
# If <math>S_v < s_vL/2</math>, Verifier accepts m else he aborts
# If <math>S_v < s_vL/2</math>, Verifier accepts m else he aborts


==Further Information==
==Further Information==
The protocol under discussion (1) was the first version of Quantum Digital Signatures with only prepare and measure QKD components. The assumption authenticated quantum channel would render it useless as authenticated quantum channel is a more complex protocol. Thus in (6), a variant of this protocol overcomes this assumption by using a Key generation protocol (not QKD) for authentication where, instead of Seller, Buyer and Verifier sends quantum public keys to the Seller to measure in randomly chosen basis and generate her private keys. Following description for various papers on QDS protocols and their variants have been written keeping in mind the hardware requirements, assumptions, security and method used. One of the papers discusses generalisation of protocols to more than 3 parties and another one discusses security for iterating in case of sending multiple bits.
The protocol under discussion (1) was the first version of Quantum Digital Signatures with only prepare and measure QKD components. The assumption authenticated quantum channel would render it useless as authenticated quantum channel is a more complex protocol. Thus in (6), a variant of this protocol overcomes this assumption by using a Key generation protocol (not QKD) for authentication where, instead of Seller, Buyer and Verifier sends quantum public keys to the Seller to measure in randomly chosen basis and generate her private keys. This variant is the '''simplest''' QDS protocol from the point of view of implementation. Following description for various papers on QDS protocols and their variants have been written keeping in mind the hardware requirements, assumptions, security and method used. One of the papers discusses generalisation of protocols to more than 3 parties and another one discusses security for iterating in case of sending multiple bits.
*'''Theoretical Papers'''
*'''Theoretical Papers'''
#[https://arxiv.org/abs/1403.5551  WDKA (2015)] above example
#[https://arxiv.org/abs/1403.5551  WDKA (2015)] above example
Line 103: Line 106:
##No explicit security proof provided.
##No explicit security proof provided.
#[https://arxiv.org/abs/1505.07509 AWA (2015)] security proof for generalisation of [https://arxiv.org/abs/1403.5551  WDKA (2015)] and [https://arxiv.org/abs/1309.1375 DWA (2013)] to more than two recipients case.
#[https://arxiv.org/abs/1505.07509 AWA (2015)] security proof for generalisation of [https://arxiv.org/abs/1403.5551  WDKA (2015)] and [https://arxiv.org/abs/1309.1375 DWA (2013)] to more than two recipients case.
#[https://www.researchgate.net/publication/280062082_Practical_Quantum_Digital_Signature YFC (2016)] first QDS scheme without authenticated (trusted) quantum channels. Demonstrates one protocol with two implementation, two copies of single photon method and  decoy state method. First uses single qubit photons in three bases; Private key: classical description of states, Public key: pair of [[non-orthogonal states]] in any two of the three bases.  
#[https://arxiv.org/abs/1507.03333 YFC (2016)] first QDS scheme without authenticated (trusted) quantum channels. Demonstrates one protocol with two implementation, two copies of single photon method and  decoy state method. First uses single qubit photons in three bases; Private key: classical description of states, Public key: pair of [[non-orthogonal states]] in any two of the three bases.  
##'''Requires''' authenticated classical channels, [[polarisation measurement]] in three bases, [[Unambiguous State Discrimination (USD)]] (State Elimination), uses quantum correlations to check authentication.  Decoy State method uses [[Coherent States|phase-randomised weak coherent states]], [[50:50 Beam Splitter (BS)]].  
##'''Requires''' authenticated classical channels, [[polarisation measurement]] in three bases, [[Unambiguous State Discrimination (USD)]] (State Elimination), uses quantum correlations to check authentication.  Decoy State method uses [[Coherent States|phase-randomised weak coherent states]], [[50:50 Beam Splitter (BS)]].  
##Security: [[Information-theoretic]].
##Security: [[Information-theoretic]].
#[https://www.researchgate.net/publication/280034032_Secure_Quantum_Signatures_Using_Insecure_Quantum_Channels AWKA (2015)] QDS scheme without authenticated quantum channels using parameter estimation phase. Uses a Key Generation Protocol (KGP) where noise threshold for Seller-Buyer and Seller-Verifier is better than when distilling secret key from QKD. Seller sends different key to Buyer and Verifier using KGP. This anomaly is justifiable due to symmetrisation.
#[https://arxiv.org/abs/1507.02975 AWKA (2015)] QDS scheme without authenticated quantum channels using parameter estimation phase. Uses a Key Generation Protocol (KGP) where noise threshold for Seller-Buyer and Seller-Verifier is better than when distilling secret key from QKD. Seller sends different key to Buyer and Verifier using KGP. This anomaly is justifiable due to symmetrisation.
##'''Requires''' authenticated classical channels, [[Decoy State QKD]] setup.  
##'''Requires''' authenticated classical channels, [[Decoy State QKD]] setup.  
##Security: [[Information-theoretic]].
##Security: [[Information-theoretic]].
#[https://www.nature.com/articles/srep09231 WCRZ (2015)] demonstrates sending multi-bit classical messages using [https://www.researchgate.net/publication/280034032_Secure_Quantum_Signatures_Using_Insecure_Quantum_Channels AWKA (2015)] or other similar protocols.</br>
#[https://www.nature.com/articles/srep09231 WCRZ (2015)] demonstrates sending multi-bit classical messages using [https://arxiv.org/abs/1507.02975 AWKA (2015)] or other similar protocols.</br>
#[http://iopscience.iop.org/article/10.1088/1742-6596/766/1/012021 MH (2016)] security proof for generalisation of [https://www.researchgate.net/publication/280034032_Secure_Quantum_Signatures_Using_Insecure_Quantum_Channels AWKA (2015)] to more than two recipients case.
#[http://iopscience.iop.org/article/10.1088/1742-6596/766/1/012021 MH (2016)] security proof for generalisation of [https://arxiv.org/abs/1507.02975 AWKA (2015)] to more than two recipients case.
*'''Experimental Papers'''
*'''Experimental Papers'''
#[https://physics.aps.org/featured-article-pdf/10.1103/PhysRevLett.113.040502 CDDWCEJB (2014)] first experimental demonstration of a QDS scheme without quantum memory, implements a variant of [https://arxiv.org/abs/1309.1375 DWA (2013)]. Uses unambiguous state elimination (USE) instead of unambiguous state determination (USD)
#[https://physics.aps.org/featured-article-pdf/10.1103/PhysRevLett.113.040502 Collins et al (2014)] first experimental demonstration of a QDS scheme without quantum memory, implements a variant of [https://arxiv.org/abs/1309.1375 DWA (2013)]. Uses unambiguous state elimination (USE) instead of unambiguous state determination (USD)
##Per half-bit message: rate=1.4 bits per second, security bound=0.01%, Length of the key (L)= <math>10^{13}</math>
##Per half-bit message: rate=1.4 bits per second, security bound=0.01%, Length of the key (L)= <math>10^{13}</math>
#[https://researchportal.hw.ac.uk/en/publications/experimental-demonstration-of-kilometer-range-quantum-digital-sig DCKAWDJAB(2015)] Implements [https://arxiv.org/abs/1403.5551  WDKA (2015)].
#[https://arxiv.org/abs/1509.07827 Donaldson et al (2015)] Implements [https://arxiv.org/abs/1403.5551  WDKA (2015)].
##Uses [[Coherent States|phase encoded coherent states]]
##Uses [[Coherent States|phase encoded coherent states]]
## Per half a bit message: Transmission Distance(d)=500 m, Length of the key(L)=<math>1.93*10^9</math> for security 0.01%, estimated time to sign (<math>t</math>)=20 seconds, channel loss= 2.2 dBkm<math>^{-1}</math> at <math>\lambda=850m</math>
## Per half a bit message: Transmission Distance(d)=500 m, Length of the key(L)=<math>1.93*10^9</math> for security 0.01%, estimated time to sign (<math>t</math>)=20 seconds, channel loss= 2.2 dBkm<math>^{-1}</math> at <math>\lambda=850m</math>
#[https://www.ncbi.nlm.nih.gov/pubmed/27805641 CAFHSTTABS (2016)] Implements modified [https://www.researchgate.net/publication/280034032_Secure_Quantum_Signatures_Using_Insecure_Quantum_Channels AWKA (2015)]
#[https://www.ncbi.nlm.nih.gov/pubmed/27805641 Collins et al (2016)] Implements modified [https://arxiv.org/abs/1507.02975 AWKA (2015)]
##Uses differential phase shift QKD for QDS
##Uses differential phase shift QKD for QDS
## message signing rate= 1 or 2 bits per second for security parameter=0.0001, Length of keys(L)=2Mbits, Transmission distance=90 km, QBER=1.08%, attenuation=0.32 dBkm<math>^{-1}</math>
## message signing rate= 1 or 2 bits per second for security parameter=0.0001, Length of keys(L)=2Mbits, Transmission distance=90 km, QBER=1.08%, attenuation=0.32 dBkm<math>^{-1}</math>
#[https://www.nature.com/articles/s41598-017-03401-9 CAFHSTTSAB (2017)] Implements modified [https://www.researchgate.net/publication/280034032_Secure_Quantum_Signatures_Using_Insecure_Quantum_Channels  AWKA (2015)] using DPS QKD  
#[https://www.nature.com/articles/s41598-017-03401-9 Collins et al (2017)] Implements modified [https://www.researchgate.net/publication/280034032_Secure_Quantum_Signatures_Using_Insecure_Quantum_Channels  AWKA (2015)] using DPS QKD  
##Per half a bit message: Channel loss=43 dB, transmission distance= 132 km, security parameter=<math>10^{-4}</math>
##Per half a bit message: Channel loss=43 dB, transmission distance= 132 km, security parameter=<math>10^{-4}</math>
#[https://www.researchgate.net/publication/305809099_Experimental_Quantum_Digital_Signature_over_102_km YFLTWYZCWZCCP (2018)] Implements decoy state QDS scheme in [https://www.researchgate.net/publication/280062082_Practical_Quantum_Digital_Signature YFC (2016)]  
#[https://journals.aps.org/pra/abstract/10.1103/PhysRevA.95.032334 Yin et al (2018)] Implements decoy state QDS scheme in [https://arxiv.org/abs/1507.03333 YFC (2016)]  
##Uses nanowire single photon detectors (SNSPD), BB84 state encoding, decoy state modulation.
##Uses nanowire single photon detectors (SNSPD), BB84 state encoding, decoy state modulation.
## Signed a 32 bit message "USTC" over transmission distance 102 km, authentication threshold =2%, verification threshold=0.6%, security bound parameter=<math>10^{-5}</math>, estimated time=360 seconds for one bit message
## Signed a 32 bit message "USTC" over transmission distance 102 km, authentication threshold =2%, verification threshold=0.6%, security bound parameter=<math>10^{-5}</math>, estimated time=360 seconds for one bit message
#[https://journals.aps.org/prapplied/abstract/10.1103/PhysRevApplied.10.034033 ZZDZGW (2018)] Implements a [[Decoy State QKD|passive decoy state]] protocol which uses Passive BB84 Key Generation protocol (KGP) to share public keys from Bob and Charlie to Alice.
#[https://journals.aps.org/prapplied/abstract/10.1103/PhysRevApplied.10.034033 Zhang et al (2018)] Implements a [[Decoy State QKD|passive decoy state]] protocol which uses Passive BB84 Key Generation protocol (KGP) to share public keys from Bob and Charlie to Alice.
## Uses parametric down-conversion (PDC) source, secure to coherent attacks
## Uses parametric down-conversion (PDC) source, secure to coherent attacks
## Per half a bit message:Transmission Distance(d)=100 km, QBER(%)=<math>2.95%-3.28%</math> for security parameter=<math>10^{-4}</math>, attenuation=45.8 dB at 200 km estimated time to sign (<math>t</math>)=7 seconds
## Per half a bit message:Transmission Distance(d)=100 km, QBER(%)=<math>2.95%-3.28%</math> for security parameter=<math>10^{-4}</math>, attenuation=45.8 dB at 200 km estimated time to sign (<math>t</math>)=7 seconds

Latest revision as of 15:24, 16 October 2019

This example protocol achieves the task of Quantum Digital Signature which allows for the exchange of single or multiple bit classical messages from sender to multiple recipients such that parties are required to prepare and measure quantum states instantly without having to store them. For simplicity, most protocols take into account the case of one sender and two recipients (Seller, buyer, and verifier) exchanging single-bit classical messages.
It ensures that the sender (seller) cannot deny at a later stage having signed the message, a recipient (buyer) cannot fake or alter the QDS and another sender (verifier) can use the above two properties to verify if the sent message is signed by the genuine sender, thus, satisfying properties of transferability, unforgeability and non-repudiation respectively. It allows the user to sign electronic documents.

Tags: Multi Party (three), Quantum Enhanced Classical Functionality, Specific Task, Quantum Digital Signature, Quantum Digital Signature with Quantum Memory, Measurement Device Independent Quantum Digital Signature (MDI-QDS), Unconditional Security

Assumptions[edit]

  • Honest majority assumption: assumes that more than half of the number of participating parties are honest. In the present case, at least two parties are honest.
  • It requires authenticated quantum and classical channel. This assumption has been overcome by a variant (AWKA (2015)) of the protocol.

Outline[edit]

Quantum Digital Signature (QDS) protocols can be separated into two stages: the distribution phase, where quantum signals (public keys) are sent to all recipients, and the messaging phase, where classical messages are signed, sent and verified. Here, we take the case of three parties, one sender (referred to as seller) and two receivers (buyer and verifier) sharing a one-bit message. Distribution phase can be divided into the following steps:

  • Key Distribution: Seller generates her (public key, private key) pair and shares the public key with both receivers in this step. For each possible message (0 or 1), she generates two identical sequences/copies (one for each receiver per possible message) of randomly chosen BB84 ∈ {0,1,+,−} states. The sequence of states is called quantum public key and its classical description, private key. She then sends copies of each quantum public key to the receivers while keeping both the private keys secret to herself. At the end of this step, the seller has two private keys, one for each possible message. Similarly, each receiver has two quantum public keys, one for each possible message.
  • State Elimination: Receivers store their classical records of the quantum public keys in this step. For each quantum public key received, a receiver randomly chooses pauli X or Z basis for each qubit and measures. Whatever outcome he gets, the receiver is certain that seller could not have generated a state orthogonal to his outcome. So, he records the state orthogonal to his outcome as the eliminated signature element. Such measurement is called ’Quantum State Elimination’. The sequence thus generated by measurement of all the qubits in a public key is called receiver’s eliminated signature for the respective quantum public key. Thus, each receiver finally has two eliminated signatures, one for each possible message.
  • Symmetrisation: The two receivers exchange half of their randomly chosen eliminated signature elements. This prevents a dishonest seller to succeed in cheating by sending dissimilar public keys to the receivers. Thus ends the distribution phase.

Next the messaging phase is divided into the following steps:

  • Signing: Seller sends desired classical one-bit message and the corresponding private key to the desired receiver (called buyer). Buyer compares the private key with his eliminated signature for the corresponding message and counts the number of mismatches (eliminated signature element in seller’s private key).
  • Transfer: Buyer forwards the same message and private key to the other receiver (called verifier) who compares it with his eliminated signature for this message.

Notation[edit]

    • L: Length of keys used
    • : Threshold value for signing
    • : Threshold value for verification
    • : Quantum Public key for message k
    • : Classical Private key for classical one-bit message k
    • : Classical description of qubit in
    • Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle B^m} : Buyer's Eliminated Signature for message m
    • : Verifier's Eliminated Signature for message m
    • : Buyer’s random bit to determine the measurement basis of Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle l^{th}} qubit in
    • : Verifier’s random bit to determine the measurement basis of qubit in
    • : measurement outcome of

Requirements[edit]

    • Network Stage: Prepare and Measure Network Stage
    • Network Stage parameters of relevance:
    • Requires BB84 QKD setup (preparation and measurement of quantum states in two bases), authenticated classical channel
    • Requires authenticated quantum channel (assumption removed in a variant of the protocol)
    • Benchmark values per qubit: QBER: 1-3, Transmission distance(d): 200 km, Key Length: 2Mbits, Estimated time: 3.5s, attenuation: 45.8dB at 200kms

Knowledge Graph[edit]

Properties[edit]

  • The protocol-
    • involves three parties (Seller, Buyer, Verifier) exchanging one-bit classical messages.
    • provides information-theoretic security
    • provides security against repudiation, i.e. the probability that seller succeeds in making buyer and seller disagree on the validity of her sent quantum signature decays exponentially with L, as stated by the formula .
    • provides security against forgery, i.e. any recipient (verifier) with high probability rejects any message which was not originally sent by the seller herself. Forging probability is given by the formula, Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle P(\text{forge})\le e^{-(c_{\min}-2s_v)^2L}} , where Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c_{\min}} is 3/8 (calculated using uncertainty principle).

Protocol Description[edit]

Stage 1 Distribution

  • Input L
  • Output Seller: ; Buyer: ; Verifier:
    • Key Distribution:
  1. For k = 0,1
    1. Seller prepares quantum public key , where
    2. She sends Buyer (k,Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle |\psi^k\rangle} )
    3. She sends Verifier (k,)
    • State Elimination:
  1. For k = 0,1
    1. For l = 1,2,...,L
      1. Buyer chooses Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle b^k_l \epsilon_R \{0,1\}}
      2. If , Buyer measures his qubit in X basis
      3. If , Buyer measures his qubit in Z basis
      4. return Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle m_{b^k_l}}
    • Verifier repeats State Elimination steps with randomly chosen basis to get his eliminated signature elements Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle V^k_l}
    • Symmetrisation
    1. For k = 0,1
      1. Buyer chooses I
      2. Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \forall i\epsilon I} , Buyer sends Verifier Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle (k,i,b^k_i,B^k_i)}
      3. Verifier chooses J
      4. Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \forall j\epsilon J} , Verifier sends Buyer
      5. Buyer replaces
      6. Verifier replaces

Stage 2 Messaging

  • Input Seller: Message m, Private Key for m:
  • Output Buyer: accept or abort, Verifier: accept or abort
    • Signing: `mismatch’ is when Buyer finds an eliminated signature element in Seller’s private key
  1. Seller sends Buyer (m,Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \{\beta^m_1,...,\beta^m_L\}} )
  2. For l = 1,2,..,L
    1. Buyer counts the number of mismatches () and returns
  3. If , Buyer accepts m else he aborts
    • Transfer
  1. Buyer sends Verifier (m,)
  2. For l = 1,2,....,L
    1. Verifier counts the number of mismatches () and returns
  3. If , Verifier accepts m else he aborts

Further Information[edit]

The protocol under discussion (1) was the first version of Quantum Digital Signatures with only prepare and measure QKD components. The assumption authenticated quantum channel would render it useless as authenticated quantum channel is a more complex protocol. Thus in (6), a variant of this protocol overcomes this assumption by using a Key generation protocol (not QKD) for authentication where, instead of Seller, Buyer and Verifier sends quantum public keys to the Seller to measure in randomly chosen basis and generate her private keys. This variant is the simplest QDS protocol from the point of view of implementation. Following description for various papers on QDS protocols and their variants have been written keeping in mind the hardware requirements, assumptions, security and method used. One of the papers discusses generalisation of protocols to more than 3 parties and another one discusses security for iterating in case of sending multiple bits.

  • Theoretical Papers
  1. WDKA (2015) above example
  2. DWA (2013) first QDS scheme without quantum memory based on Coherent State Comparison.
    1. Requires Coherent States, authenticated quantum and classical channels, multiports, Unambiguous State Discrimination (USD) (State Elimination), no symmetrisation required.
    2. Security: Information-theoretic
  3. AL (2014) establishes coherent state mapping of (2). Replaces SWAP Test with beam splitters. Uses Unambiguous State Discrimination (USD) (State Elimination).
    1. Requires Phase encoded Coherent states, Balanced Beam Splitters.
    2. No explicit security proof provided.
  4. AWA (2015) security proof for generalisation of WDKA (2015) and DWA (2013) to more than two recipients case.
  5. YFC (2016) first QDS scheme without authenticated (trusted) quantum channels. Demonstrates one protocol with two implementation, two copies of single photon method and decoy state method. First uses single qubit photons in three bases; Private key: classical description of states, Public key: pair of non-orthogonal states in any two of the three bases.
    1. Requires authenticated classical channels, polarisation measurement in three bases, Unambiguous State Discrimination (USD) (State Elimination), uses quantum correlations to check authentication. Decoy State method uses phase-randomised weak coherent states, 50:50 Beam Splitter (BS).
    2. Security: Information-theoretic.
  6. AWKA (2015) QDS scheme without authenticated quantum channels using parameter estimation phase. Uses a Key Generation Protocol (KGP) where noise threshold for Seller-Buyer and Seller-Verifier is better than when distilling secret key from QKD. Seller sends different key to Buyer and Verifier using KGP. This anomaly is justifiable due to symmetrisation.
    1. Requires authenticated classical channels, Decoy State QKD setup.
    2. Security: Information-theoretic.
  7. WCRZ (2015) demonstrates sending multi-bit classical messages using AWKA (2015) or other similar protocols.
  8. MH (2016) security proof for generalisation of AWKA (2015) to more than two recipients case.
  • Experimental Papers
  1. Collins et al (2014) first experimental demonstration of a QDS scheme without quantum memory, implements a variant of DWA (2013). Uses unambiguous state elimination (USE) instead of unambiguous state determination (USD)
    1. Per half-bit message: rate=1.4 bits per second, security bound=0.01%, Length of the key (L)=
  2. Donaldson et al (2015) Implements WDKA (2015).
    1. Uses phase encoded coherent states
    2. Per half a bit message: Transmission Distance(d)=500 m, Length of the key(L)= for security 0.01%, estimated time to sign ()=20 seconds, channel loss= 2.2 dBkm at
  3. Collins et al (2016) Implements modified AWKA (2015)
    1. Uses differential phase shift QKD for QDS
    2. message signing rate= 1 or 2 bits per second for security parameter=0.0001, Length of keys(L)=2Mbits, Transmission distance=90 km, QBER=1.08%, attenuation=0.32 dBkm
  4. Collins et al (2017) Implements modified AWKA (2015) using DPS QKD
    1. Per half a bit message: Channel loss=43 dB, transmission distance= 132 km, security parameter=
  5. Yin et al (2018) Implements decoy state QDS scheme in YFC (2016)
    1. Uses nanowire single photon detectors (SNSPD), BB84 state encoding, decoy state modulation.
    2. Signed a 32 bit message "USTC" over transmission distance 102 km, authentication threshold =2%, verification threshold=0.6%, security bound parameter=, estimated time=360 seconds for one bit message
  6. Zhang et al (2018) Implements a passive decoy state protocol which uses Passive BB84 Key Generation protocol (KGP) to share public keys from Bob and Charlie to Alice.
    1. Uses parametric down-conversion (PDC) source, secure to coherent attacks
    2. Per half a bit message:Transmission Distance(d)=100 km, QBER(%)= for security parameter=, attenuation=45.8 dB at 200 km estimated time to sign ()=7 seconds


*contributed by Shraddha Singh