Efficient arbitrated quantum signature and its proof of security

Abstract

In this paper, an efficient arbitrated quantum signature scheme is proposed by combining quantum cryptographic techniques and some ideas in classical cryptography. In the presented scheme, the signatory and the receiver can share a long-term secret key with the arbitrator by utilizing the key together with a random number. While in previous quantum signature schemes, the key shared between the signatory and the arbitrator or between the receiver and the arbitrator could be used only once, and thus each time when a signatory needs to sign, the signatory and the receiver have to obtain a new key shared with the arbitrator through a quantum key distribution protocol. Detailed theoretical analysis shows that the proposed scheme is efficient and provably secure.

Appendix

Here we give the proof of Theorem 1.

Theorem 1 If the keyed hash function \(h\) is \((\varepsilon ^{\prime }, t^{\prime }, q,l)\) -weakly collision-resistant, then the proposed QS scheme is an \((\varepsilon , t, q_{sig},q_h)\) -secure QS scheme. And \(\varepsilon , \varepsilon ^{\prime }, t\), and \(t^{\prime }\) meet the following relation

$$\begin{aligned} \left(1-\left(\frac{1}{2}\right)^{l+n}\right)\cdot \varepsilon \cdot \frac{1}{q_{sig}+q_h} \le \varepsilon ^{\prime }, \end{aligned}$$

where \(q \le q_{sig}+q_h, t^{\prime } \le t + q\cdot T_{rn}; T_{rn}\) is the time to generate a random number.

Proof

Assume an adversary \(E\) who is restricted to make signature queries for at most \(q_{sig}\) times and hash queries up to \(q_h\) times, has potential to produce a valid signature of a message without being asked with probability greater than \(\varepsilon \) in the time bound \(t\), then we can prove that a challenger \(C\) can break the weak collision resistance property of \(h\) with probability larger than \(\varepsilon ^{\prime }\) within \(t^{\prime }\) using this event, which is in contradict with that \(h\) is a \((\varepsilon ^{\prime },t^{\prime },q,l)\)-weakly collision-resistant hash function.

Let the length of binary string \(M\) be \(l+n\). The target of \(C\) is to find a different binary string \(M^{\prime }\) which makes \(h(M^{\prime })=h(M)\).

• Set up: \(C\) lets \(K_{UT}\) be the shared key between \(U\) and \(T\), chooses a random number \(r(1\le r \le q_h+q_{sig})\), and sets the counter \(c = 0\).

• Hash queries: \(E\) asks the value of \(h\) when inputting \(P_j\). In order to respond to \(E\)’s queries, \(C\) has to keep a hash table in which each element is a triad \((P_j,r_j,w_j)\) and the number of elements before running the procedure is 0. At some time when \(E\) begins to request the value of \(h\) corresponding to the input \(P_j, C\) increases the counter \(c\) by 1 and makes different responses as follows:

  • If \(c<r , C\) chooses a random number \(r_j\), and sends \(r_j\) and \(P_j\) queried by \(E\) to oracle \(h\). \(h\) returns \(h(r_j,P_j)\) as a response. \(C\) keeps \((P_j,r_j,w_j) \) in the hash table and then forwards \(w_j\) to \(E\).

  • If \(c=r, C\) guesses that \(E\) may attempt to attack the QS scheme at the moment, so he sends \(M\) to \(h\). \(h\) responds by offering \(w_j=h(M) \) to \(C\). The triad \((P_j,r_j,w_j)\) is saved in the hash table and \(w_j\) is forwarded to \(E\).

  • Otherwise, C loses the game and stops the currently running procedure.

• Signature queries: \(E\) asks the signature of message \(P_j\). \(C\) sets \(c=c+1\) and makes different responses according to whether the corresponding triad \((P_j,r_j,w_j)\) is in the hash table:

  • If \((P_j,r_j,w_j)\) is in the hash table and \(c\ne r, C\) returns the signature \(|S_j\rangle \) of message \(P_j\) in light of \(r_j, w_j, U\), and \(K_{UT}\).

  • If \((P_j,r_j,w_j)\) is in the hash table and \(c = r, C\) fails and terminates the implementation.

  • If \((P_j,r_j,w_j)\) is not in the hash table, \(C\) runs the procedure for hash query to obtain \(w_j=h(r_j,P_j) \), and keep \((P_j,r_j,w_j)\) in the hash table. If \(c = r, C\) announces failure and puts an end to the procedure, else responds \(E\) with the signature \(|S_j\rangle \) of message \(P_j\) according to \(r_j, w_j, U\), and \(K_{UT}\).

• Output: \(E\) outputs a message-signature pair \((P_i,|S_i\rangle )\) and the signature query for \(P_i\) has not been made before. \(C\) checks whether \((P_i,r_i,w_i)\) has been in the hash table. If not, \(C\) makes a hash query procedure and adds the corresponding element to the hash table. If \(c\ne r, C\) fails and terminates the procedure; else measures \(|S_i\rangle \) to get \(r_i^{\prime }||R_i^{\prime }\) depending on \(K_{UT}\). If the signature \(|S_i\rangle \) is valid, then

  $$\begin{aligned} w_i ||U= \left(Truc_l (K)\oplus r_A^{\prime }\right)\oplus R_A^{\prime }, \end{aligned}$$

  and

  $$\begin{aligned} w_i = h\left(r_i^{\prime }, P_i\right)= h(M). \end{aligned}$$

  So \(C\) can output \(r_i^{\prime }||P_i \). If \(|S_i\rangle \) is invalid, \(C\) loses the game and stops the procedure.

Assume \(E\) outputs a valid message-signature pair \((P_i,|S_i\rangle ) \). Then if \(C\) wants to succeed in find collisions, the following three conditions should be satisfied at the same time.

• Condition 1 \((C1)\): when \(c=r, E\) makes a hash query instead of a signature query;

• Condition 2 \((C2)\): the finally outputted message \(P_i\) should be queried when \(c=r\);

• Condition 3 \((C3)\): the output of \(C r_i^{\prime }||P_i \) is not equal to \(M\).

The probability that \(C1\) holds is \(P(C1)\ge \frac{q_h}{q_{sig}+q_h}\) and the conditional probability \(P(C2|C1)\ge \frac{1}{q_h}\) since \(E\) may make illegal queries. In addition, due to the randomness of \(r_i^{\prime }\) and \(P_i\), so \(P(C3|C1, C2)\approx 1-(\frac{1}{2})^{l+n} \). Therefore,

$$\begin{aligned}&\frac{q_h}{q_{sig}+q_h}\cdot \frac{1}{q_h}\cdot \left(1-\left(\frac{1}{2}\right)^{l+n}\right) \cdot \varepsilon \\&= \left(1-\left(\frac{1}{2}\right)^{l+n}\right)\cdot \varepsilon \cdot \frac{1}{q_{sig}+q_h}\\&\le \varepsilon ^{\prime }, \end{aligned}$$

where \(q \le q_{sig}+q_h, t^{\prime } \le t + q\cdot T_{rn} , T_{rn} \) is the time to generate a random number.