In this paper, we put forward a weak blind quantum signature scheme based on quantum entanglement swapping of Bell states. Different from the existing quantum signature schemes, our scheme can offer two-step verification security services to ensure the validity of the verification. In order to guarantee the unconditional security of the scheme, the quantum key distribution protocol and one-time pad encryption algorithm are employed in our scheme. Besides, the entanglement swapping of Bell states mechanism enhances the security of verification criteria. The proposed scheme has the properties of nonforgeability, nonrepudiation, blindness, and traceability.
Quantum cryptography has received enormous attention in recent years for its proven unconditional security. In general, quantum cryptography includes quantum key distribution (QKD), quantum secret sharing, quantum secure direct communication, and quantum authentication. The purpose of a quantum signature, as part of quantum authentication, is to prevent the signature and the initial message from being forged by internal dishonest participants or external attackers; further, the signer cannot deny the signature.
Diffie and Hellman [1] first introduced the digital signature in 1976, which came to play a critical role in authentication, data integrity protection, and other cryptography fields. However, traditional signature schemes can easily be broken with the emergence of quantum computers because the security of these protocols depends on some unproven computational complexity, such as discrete logarithm or factoring problems. Therefore, in order to guarantee the security even against attackers with unlimited computational power, it is necessary to study quantum analogs of digital signature schemes. Gottesman and Chuang [2] proposed the first quantum signature protocol based on the one-way function. Zeng and Keitel [3] presented a pioneering arbitrated quantum signature scheme. Since then, many quantum signature strategies have been proposed [4–10].
However, the ordinary quantum signature mechanism is not a very suitable encryption approach for the E-payment system and E-voting system in which the message owner’s privacy should be protected. For instance, in an E-voting system, a ballot needs to be signed by the manager, but the content of the ballot could never be revealed to the manager. In blind signature schemes, the signer generates the signature yet knows nothing about the content that he/she has signed. The blind signature scheme can be divided into the weak blind signature and the strong blind signature on the basis of whether the message owner can be traced by the signatory. Wen et al. [11] proposed the first quantum weak blind signature scheme in 2008. However, Naseri [12] had shown that the protocol in its original form cannot fairly complete the task of a blind signature. Afterward, Su et al. [13] proposed a blind signature scheme based on two-state vector formalism with 100% efficiency. But Yang et al. [14] studied some possible attacks against Su et al.’s scheme and proposed an enhanced signature scheme. However, Zhang et al. [15] found the dishonest signer can reveal 25% of the message in Yang et al.’s enhanced scheme. Almost simultaneously, Su and Li [16] pointed out that Yang et al.’s enhanced protocol also has a loophole of participant attack. Soon after that, Wang and Wen [17] presented a fair blind signature scheme based on quantum mechanics. He et al. [18] pointed out this protocol cannot, unfortunately, satisfy the property of nonforgeability. After that, Zou and Qiu [19] further analyzed the security of this protocol and put forward a more subtle attack strategy. Recently, Yin et al. [20] proposed a blind signature scheme with -type entangled states, and Wang et al. [21] presented a weak blind quantum signature scheme based on GHZ states. Khodambashi and Zakerolhosseini [22] proposed a sessional blind signature based on quantum cryptography. But Su and Li [23] found that the signature protocol will cause the key information leakage. Wang et al. [24] also pointed out there are two security leaks in this protocol.
In this paper, we put forward a weak blind quantum signature protocol based on the entanglement swapping [25] of Bell states. We subject two photons, each belonging to its own Bell state, to a Bell measurement, by which the other two photons also become entangled. Thus, we can utilize the correlation of quantum entanglement swapping as the basis for judgment in the verification phase. Moreover, the employment of the QKD protocol [26] and the one-time pad encryption algorithm [27] ensures the unconditional security of the scheme.
The rest of this paper is outlined as follows. In Section 2, we will briefly introduce the local unitary operation and quantum entanglement swapping mechanism. Then, we give a weak blind quantum signature scheme based on the entanglement swapping of Bell states in Section 3. In the next section, we demonstrate the security of our protocol. A conclusion is given in Section 5.
2. PRELIMINARIES
Generally, a practicable weak blind quantum signature protocol should meet the following requirements:
Nonforgery. Any counterfeits of the true signature will be discovered in the verification phase. That is, nobody can create the true signature except for the signer.
Nonrepudiation. The signature cannot be denied by the signer, and the original message cannot be denied by the message owner.
Blindness. The signer cannot learn the content of the message that he/she has signed.
Traceability. The message owner can be traced by the signer when a dispute investigation happens.
Before giving our scheme, we will briefly introduce the local unitary operation and the entanglement swapping of Bell states. The four Bell states can be denoted as where . Let , , , and as four local unitary operators, which can be used to perform unitary operation on one photon in a Bell state to form the secret information. One can see that , , , and . Suppose that Alice and Bob share Bell states and . Alice possesses the particles and , and Bob keeps the particles and . Thus, the following equations hold: Thus, when the local unitary operator acted on the Bell state is , Alice subjects particles and to a measurement in a Bell basis. If she finds them in the state , then qubits and measured by Bob will be in the Bell state . If Alice observes any other Bell states for particles and , particles and will also be entangled correspondingly.
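The swapping correlation described above can be checked numerically. The following sketch is an added example, not code from the paper; it assumes both pairs start in |phi+>, that the four local operators are I, Z, X and iY, and it uses the hypothetical labels A and B for the two distributed photons and R1 and R2 for the two photons that are Bell-measured together.

```python
from itertools import product
from math import sqrt

S = 1 / sqrt(2)
# Bell states as amplitudes over |00>, |01>, |10>, |11>.
BELL = {
    "phi+": [S, 0, 0, S], "phi-": [S, 0, 0, -S],
    "psi+": [0, S, S, 0], "psi-": [0, S, -S, 0],
}
# Assumed operator set: identity, Z, X and iY (all real matrices).
OPS = {
    "I": [[1, 0], [0, 1]], "Z": [[1, 0], [0, -1]],
    "X": [[0, 1], [1, 0]], "iY": [[0, 1], [-1, 0]],
}
BITS2 = list(product((0, 1), repeat=2))

def swap_outcomes(op):
    """Map each Bell outcome on (R1, R2) to (state left on (A, B), probability).

    Start from |phi+>_(A,R1) |phi+>_(B,R2); `op` acts on photon A only.
    """
    u, phi = OPS[op], BELL["phi+"]
    # Pair (A, R1) after the local operation: pair1[a][r1].
    pair1 = [[sum(u[a][k] * phi[2 * k + r1] for k in (0, 1))
              for r1 in (0, 1)] for a in (0, 1)]
    table = {}
    for outcome, proj in BELL.items():
        # Unnormalised (A, B) amplitudes after projecting (R1, R2) on `outcome`.
        ab = [sum(proj[2 * r1 + r2] * pair1[a][r1] * phi[2 * b + r2]
                  for r1, r2 in BITS2)
              for a, b in BITS2]
        prob = sum(x * x for x in ab)
        # Identify the resulting Bell state up to a global sign.
        left = next(name for name, vec in BELL.items()
                    if abs(abs(sum(x * y for x, y in zip(ab, vec)))
                           - sqrt(prob)) < 1e-9)
        table[outcome] = (left, round(prob, 6))
    return table

if __name__ == "__main__":
    for op in OPS:
        print(op, swap_outcomes(op))
```

Every outcome occurs with probability 1/4, so without the Bell-measurement result the state left on (A, B) cannot be predicted, which is the property the forgery argument in Section 4 relies on.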
3. DESCRIPTION OF THE PROPOSED SCHEME
In fact, quantum signature schemes containing a trusted arbitrator are shown to be applicable and useful, especially with reduced requirements on the trustworthiness of the arbitrator [28]. Our scheme involves four parties: Alice, Bob, Charlie, and an arbitrator. The message owner, Alice, transforms the initial message into the blind message; Bob is considered the signatory who signs on the blind message without knowing the content of the message; Charlie is regarded as the verifier who investigates the authenticity of the signature and the original message with the assistance of the arbitrator. The arbitrator controls the flow of the scheme and provides a useful message to help determine whether the signature is true. Now we will explain our blind quantum signature scheme from the following four stages.
A. Initial Phase
Step 1: Charlie shares the secret key with Alice and with Bob. The arbitrator shares the secret key with Alice, with Bob, and with Charlie. All these secret keys are obtained via a QKD protocol with proven unconditional security.
Step 2: The arbitrator prepares two Bell state sequences with length of , both in the state , that is, the total state is , where the subscripts , , , and express the four different photons. In order to further illustrate the scheme, we denote the single photon sequence as
Then, the arbitrator delivers the sequence to Alice and to Bob; he retains the sequences and .
Step 3: In order to prevent possible attack strategies, participants need to check the security of the communication channel. The arbitrator randomly selects sampling particles from and and measures them in the Bell basis. Then, the arbitrator publishes the positions of these particles and the measurement basis to Alice and Bob. If the arbitrator’s result is or , Alice and Bob will use the basis (otherwise use the basis ). After that, Alice and Bob declare their measurement results to the arbitrator. Finally, the arbitrator calculates the error rate by the outcomes of three parties according to Eq. (5); if the error rate exceeds a certain threshold, then this communication process is revoked. Otherwise, we proceed to the next step.
B. Blinding Phase
Step 1: Alice prepares an bit classical initial message sequence, .
Step 2: Alice selects the corresponding unitary operators to act on the photons according to . As shown in Table 1, for each , if , Alice will choose the operator and encode it into 2-bit message 11. One can see the other correspondences as well in Table 1.
| m(i) | m(i−1)m(i) | Operator | Blind Message m′ |
|---|---|---|---|
| 0 | | | |
| 1 | 01 | σ2 | 10 |
| 1 | 11 | σ4 | 00 |
| 0 | 10 | σ3 | 01 |
| 0 | 00 | σ1 | 11 |
Table 1. Initial Message is Converted into Blind Message
Step 3: Alice creates the secret messages and by encrypting in terms of the secret keys and with a classical one-time pad algorithm.
Step 4: Alice sends the secret blind message to Charlie and to the arbitrator.
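The Table 1 encoding, its one-time pad transport, and the inverse that Charlie applies in Step 1 of the signing phase, as an added example that is not code from the paper. It assumes the bit preceding the first message bit is 0 (as the first row of Table 1 suggests); the string labels `sigma1`..`sigma4`, the key name `k_ac`, the chain check in `unblind`, and `new_key` as a stand-in for a QKD-derived key are all hypothetical.

```python
import secrets

# Table 1: (m(i-1), m(i)) -> (operator, 2-bit blind message m').
TABLE1 = {
    (0, 0): ("sigma1", "11"), (0, 1): ("sigma2", "10"),
    (1, 0): ("sigma3", "01"), (1, 1): ("sigma4", "00"),
}
DECODE = {code: (op, pair) for pair, (op, code) in TABLE1.items()}

def blind(message, m0=0):
    """Alice: map message bits to (operators, blind bit string).
    m0 is the assumed bit preceding the first message bit."""
    ops, codes, prev = [], [], m0
    for bit in message:
        op, code = TABLE1[prev, bit]
        ops.append(op)
        codes.append(code)
        prev = bit
    return ops, "".join(codes)

def unblind(blind_bits, m0=0):
    """Charlie: recover (operators, message) from the blind string.
    Raises ValueError when a pair does not continue the previous bit."""
    ops, message, prev = [], [], m0
    for i in range(0, len(blind_bits), 2):
        op, (first, bit) = DECODE[blind_bits[i:i + 2]]
        if first != prev:
            raise ValueError(f"blind pair {i // 2} breaks the bit chain")
        ops.append(op)
        message.append(bit)
        prev = bit
    return ops, message

def otp(bits, key):
    """Classical one-time pad over bit strings (XOR, equal lengths)."""
    if len(bits) != len(key):
        raise ValueError("key must be exactly as long as the data")
    return "".join(str(int(b) ^ int(k)) for b, k in zip(bits, key))

def new_key(n_bits):
    """Stand-in for a QKD-derived key: n_bits uniformly random bits."""
    return format(secrets.randbits(n_bits), f"0{n_bits}b")

if __name__ == "__main__":
    msg = [1, 1, 0, 0]                      # constructed sample message
    ops, m_blind = blind(msg)
    k_ac = new_key(len(m_blind))            # hypothetical Alice-Charlie key
    cipher = otp(m_blind, k_ac)
    print(ops, m_blind, unblind(otp(cipher, k_ac)))
```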
C. Signing Phase
Step 1: Charlie decrypts with and obtains the blind message . Then, he decrypts to acquire the corresponding unitary operators; thus, he can deduce the original message . Similarly, the arbitrator can learn the unitary operators by decrypting with . For instance, if , then the operator Alice utilized is , and Charlie can learn that .
Step 2: The arbitrator performs the Bell measurement on the remaining particles in and and records the result as with . At this point, the photons and have collapsed into a certain Bell state due to the property of quantum entanglement swapping. The measurement basis Alice and Bob should use depends on and the operator as shown in Table 2. Let the basis correspond to a classical bit, respectively, i.e., to “0,” to “1.” Then the arbitrator encrypts the classical bits with and via the classical one-time pad algorithm, respectively, and sends the encrypted message to Alice and Bob.
Step 3: Alice and Bob decrypt the secret message with and to get the measurement basis. Then Alice and Bob measure their respective photon sequences and record their results as and with .
Step 4: Alice encrypts in terms of with the quantum one-time pad encryption algorithm and gets the secret message . Bob encrypts with by the same encryption algorithm and obtains the signature . Then, Alice and Bob transmit and to Charlie, respectively.
D. Verification Phase
Step 1: After having received and , Charlie creates the ciphertext by encrypting and with and then sends to the arbitrator directly.
Step 2: The arbitrator decrypts with to get and . Then, the arbitrator decrypts with to obtain and decrypts with to get .
Step 3: The arbitrator generates a verification parameter , which will be helpful in making a decision about the authenticity of Bob’s signature. When the measurement results of the three parties meet the rules in Table 3, the arbitrator considers that the signature is true and sets ; otherwise, he sets . After that, the arbitrator obtains the cryptograph by encrypting , , and with ; then, he sends it back to Charlie.
Step 4: Charlie decrypts with to get , , and . Only when can Charlie accept Bob’s signature and proceed with the verification process. Now Charlie possesses two groups of unitary operators: one is deduced from the secret message , and the other comes from . Charlie compares the two groups for equality and, if they are equal, accepts the signatures and the initial message ; otherwise, he rejects them.
4. SECURITY ANALYSIS AND DISCUSSION
In the following, we will prove that our scheme has the properties of noncounterfeit, nondisavowal, blindness, and traceability.
A. Impossibility of Forgery
First, the application of both the QKD protocol and a quantum one-time pad encryption algorithm guarantees the nonforgeability of the scheme. We assume that Alice is a dishonest participant and attempts to forge Bob’s signature; however, it is impossible because Bob’s signature is associated with , which is generated via an unconditionally secure QKD protocol and is secretly held by Bob and the arbitrator. A random guess succeeds only about half of the time for each bit. Therefore, the total success rate is almost zero when the information bit sequence is quite long. Even if Alice can obtain by some means, the attacking strategy is still unlikely to succeed. The application of quantum entanglement swapping causes Alice and Bob’s measurement results to depend on the arbitrator’s measurement result, which is known only to himself. Because Alice cannot know the arbitrator’s result, she cannot learn Bob’s outcome either. The correlations of the entanglement swapping of two EPR pairs will be destroyed if Alice uses the wrong one to replace Bob’s outcome.
Second, our scheme can resist the intercept-resend attack. In Step 2 (in Section 3.1), the arbitrator delivers the photon sequence to Alice and to Bob, respectively. If a dishonest Alice attempts to intercept and resend the sequence to Bob, the attack will still inevitably be discovered by the arbitrator in Step 3 (in Section 3.1). Thus, Alice can neither copy the qubits nor learn the right measurement basis Bob used. That is, the sequence is not equal to . Further, the use of will make the error rate exceed the threshold.
Furthermore, our scheme adds an extra verification step to determine the validity of the initial message. If the attacker tries to forge Alice’s initial message, there is no doubt that the attack will be found by Charlie through the comparison of the two groups of operators. The fact remains that nobody can counterfeit Bob’s signature and Alice’s initial message for their own interests without being detected.
B. Impossibility of Disavowal
Bob cannot deny his signature because his signature message contains the secret key , which is secretly kept by Bob and the arbitrator. If Bob tries to deny his own signature, the arbitrator just needs to decrypt the signature and investigate whether the signature message is associated with Bob’s secret key . If so, the arbitrator considers that the signature has been signed by Bob. Similarly, Alice also cannot disavow her initial message because her initial message contains , which is secretly kept by Alice and the arbitrator. The arbitrator can confirm whether the initial information belongs to Alice by .
C. Blindness
It is obvious that the signer Bob cannot learn the content of the original message in our signature scheme. Bob just needs to measure the particle sequence in the basis or and then generate the signature with a quantum one-time pad encryption algorithm.
D. Traceability
When Bob starts to suspect the message owner Alice’s motives, he can trace the identity of Alice with the assistance of the arbitrator. Because the secret key is shared between Alice and the arbitrator, Bob can trace the message owner Alice according to and the parameters set .
5. CONCLUSION
In this paper, we present a weak blind quantum signature protocol based on quantum entanglement swapping of Bell states. The proposed scheme adopts a two-step verification process to guarantee the security, i.e., the tasks of verifying the authenticity of the original message and the signature are carried out simultaneously. Through the security analysis discussed above, we confirm that it is impossible for anyone to counterfeit the signature in our scheme. Meanwhile, the signer cannot deny the signature, and the message owner cannot deny the initial message. The proposed scheme can also maintain the inherent characteristics of the weak blind quantum signature scheme, i.e., blindness and traceability.
ACKNOWLEDGMENT
This work is supported by the National Natural Science Foundation of China (grant no. 61273250).
[14] C. W. Yang, T. Hwang, Y. P. Luo. Enhancement on ‘quantum blind signature based on two-state vector formalism’. Quantum Inf. Process., 12, 109–117 (2013).