# Arbitrated Quantum Digital Signature

This example protocol provides a quantum digital signature scheme in which the public key (known to all) and the private key (a secret held by the seller) are classical, while the signature itself is quantum. The scheme is based on public-key cryptography: the seller's identity is used to generate the public key, and a one-time pad generates the private key.

Tags: Quantum Digital Signature, Public key cryptography, Specific Task, Multi Party

## Assumptions

• The protocol assumes perfect state preparation, transmissions, and measurements.
• Private-key generation (PKG) is a trusted third party, arbitrator.
• In the signing process, the quantum one-way function used to create the quantum digest is assumed to take polynomial time to compute and is hard to invert.
• Seller and PKG are assumed to have a pre-shared quantum key (say, using QKD).
• A secure quantum channel between seller and buyer is assumed.

## Outline

Like other QDS protocols, it is divided into two phases: Distribution and Messaging. The scheme involves the seller (the one who signs the message), the buyer (the one to whom the signed message is sent) and PKG (which generates and distributes the public-private key pair for the seller).
Distribution includes the generation of public and private keys as follows:

• Key Generation: In this step, PKG generates the public key of the seller and generates a private key, which is secretly sent to the seller over the insecure classical channel.
    • Seller's public key is derived from her personal information, such as her email-id, over a public channel. A one-way function is chosen by PKG randomly and secretly (known as the master key), which uses the classical public key as its input.
    • A random OTP (the random key) of the same length as the outcome of the function is used to convert that outcome into the seller's private key by a bit-wise modulo-2 sum (exclusive OR gate).
    • The quantum pre-shared common key (see Assumptions) is then used to one-time pad the private key via the Quantum Vernam Cipher (1), (2). The one-time padded cipher-text is then communicated to the seller (over the insecure channel).
    • Seller un-pads the cipher-text to obtain the private key using the pre-shared common key. Hence, in the end, everyone knows the seller's public key, and only PKG and the seller know her private key.

Messaging comprises the following steps:

• Signing: In this step, the seller generates a signature quantum state using the message she wants to send, her public key and her private key. The seller publicly selects a quantum one-way function to generate a quantum digest (directory) from these classical inputs. Seller repeats each step for each message bit.
    • Seller selects two random strings and generates a quantum state of the message, using these random strings to apply a unitary gate and a Hadamard transform to a null/vacuum state (see Pseudo Code for operations).
    • The public and the private key are used to perform a Hadamard transformation on the state produced in the previous step in order to generate the signature quantum state.
    • The seller then performs an operation using her private key and measures the quantum state. It can be shown that the states are BB84 states and hence lie in one of two possible bases (X basis or Z basis; equivalently + basis or × basis) and are one of four possible states. She records the basis and the classical bit representing the state obtained.
    • Seller then concatenates these classical bits, the two random strings, and a timestamp unique to the signature. The concatenated classical string is used as the input of the publicly chosen QOWF, whose output is called the 'quantum digest'. She produces some copies of the quantum digest for each recipient (buyer).
    • Seller then encrypts the timestamp and the quantum output of the QOWF with the pre-shared common key via the quantum Vernam cipher. PKG un-pads these and publicly announces them for the buyer's verification step.
    • Seller sends the signature to the buyer, which includes the signature quantum state, message, timestamp and basis states.
• Verification: In this step, the buyer checks the authenticity of the signature (whether the message has come from a genuine seller).
    • The buyer applies some quantum gates to the signature quantum state, using the seller's public key and the message. He measures the resulting quantum state, using the basis states for each qubit sent in the signature. The result thus obtained is represented by a classical string, in the same way as done by the seller.
    • The result should reveal the random string used by the seller, and hence the buyer can also generate the same number of copies of the quantum digest using the publicly known QOWF.
    • The buyer then compares his outputs of the QOWF with the ones sent by the seller using the quantum SWAP test. If the number of matches is greater than the accepted/decided threshold value, the signature is accepted; otherwise it is rejected.

## Notation

• ${\displaystyle n}$: Total number of qubits of message.
• ${\displaystyle f}$: public function to obtain public key from user's email-id
• ${\displaystyle k_{pub}}$: Seller's public key, where ${\displaystyle k_{pub}\in \{0,1\}^{n}}$.
• ${\displaystyle k_{pri}}$: Seller's private key, where ${\displaystyle k_{pri}\in \{0,1\}^{n}}$.
• ${\displaystyle k_{r}}$: Random OTP number selected by PKG to denote each of Seller's signatures, where ${\displaystyle k_{r}\in \{0,1\}^{n}}$.
• ${\displaystyle VC(x,y)}$: function VC one-time pads 'y' using quantum pad key 'x' via the Quantum Vernam Cipher (1), (2).
• ${\displaystyle k_{at}}$: Shared key between the Seller and PKG where ${\displaystyle k_{at}\in \{0,1\}^{n}}$.
• ${\displaystyle E_{k_{at}}}$: Quantum Vernam cipher encrypted state which uses ${\displaystyle k_{at}}$.
• ${\displaystyle G}$: PKG's master key, which is a one-way function where ${\displaystyle \{0,1\}^{n}{\xrightarrow {}}\{0,1\}^{n}}$.
• ${\displaystyle F}$: Public quantum one way function selected by Seller to generate quantum digest.
• ${\displaystyle m}$: Message sent by Seller to the Buyer, where ${\displaystyle m\in \{0,1\}^{n}}$.
• ${\displaystyle s}$: Random string of uniform distribution selected by the Seller, where ${\displaystyle s\in \{0,1\}^{n}}$.
• ${\displaystyle t}$: Random string of uniform distribution selected by the Seller, where ${\displaystyle t\in \{0,1\}^{n}}$.
• ${\displaystyle l}$: qubit address
• ${\displaystyle |\phi \rangle _{a_{l},b_{l}}}$: Quantum state which is defined by

${\displaystyle |\phi \rangle _{a_{l},b_{l}}:=H^{a_{l}}U_{\frac {\pi }{4}}H^{b_{l}}|0\rangle }$

• ${\displaystyle |\phi \rangle _{a_{l},b_{l},c_{l}}}$: Quantum state which is defined by

${\displaystyle |\phi \rangle _{a_{l},b_{l},c_{l}}:=Y^{c_{l}}|\phi \rangle _{a_{l},b_{l}}}$

• ${\displaystyle |S\rangle _{k_{pri},m}}$: Signature quantum state for message ${\displaystyle m}$ which is the quantum state

${\displaystyle |S\rangle _{k_{pri},m}=\bigotimes _{l=1}^{n}H^{k_{pub_{l}}\oplus k_{pri_{l}}}|\phi \rangle _{s_{l},t_{l}\oplus m_{l},m_{l}}}$

• ${\displaystyle |P\rangle }$: Private key quantum state where ${\displaystyle |P\rangle \in \{|+\rangle ,|-\rangle ,|1\rangle ,|0\rangle \}^{n}}$ and it is the quantum state:

${\displaystyle |P\rangle :=H^{k_{pri}}|\phi \rangle _{s,t\oplus m}}$

• ${\displaystyle P}$: Classical 2n-bit for ${\displaystyle n}$-qubit ${\displaystyle |P\rangle }$ where ${\displaystyle |+\rangle }$ is encoded to 10, ${\displaystyle |-\rangle }$ to 11, ${\displaystyle |1\rangle }$ to 00 and ${\displaystyle |0\rangle }$ is encoded to 01.
• ${\displaystyle B_{l}}$: This is the set of the basis of each ${\displaystyle l^{th}}$ qubit in ${\displaystyle |P\rangle }$.

${\displaystyle B_{l}\in \{+,\times \}}$

• ${\displaystyle B_{l}(|P_{l}\rangle )}$: Measurement of ${\displaystyle l^{th}}$ qubit in basis ${\displaystyle B_{l}}$
• ${\displaystyle b_{l}}$: measurement result of ${\displaystyle l^{th}}$ qubit in the concerned quantum state
• ${\displaystyle |F\rangle }$: Quantum digital digest received by PKG.
• ${\displaystyle |F\rangle '}$: Quantum digital digest generated by Buyer.
• ${\displaystyle u}$: The maximum number of buyers in this scheme.
• ${\displaystyle w}$: Safety parameter threshold for acceptance.
• ${\displaystyle w_{0}}$: Security threshold decided in advance.
• ${\displaystyle w'}$: Number of times SWAP test is performed.
• ${\displaystyle |V\rangle _{m,k_{pub},S}}$: A quantum state, where

${\displaystyle |V\rangle _{m,k_{pub},S}:=Y^{m}H^{k_{pub}}|S\rangle _{k_{pri},m}}$

This state is also expressed as ${\displaystyle \beta |\phi \rangle _{k_{pri}\oplus s,t\oplus m}}$ where ${\displaystyle \beta \in \{1,-1,\iota ,-\iota \}}$.

• ${\displaystyle Q}$: Classical bit string denoted as ${\displaystyle Q\in \{00,01,10,11\}^{n}}$. It is proven that ${\displaystyle P=Q}$.
• ${\displaystyle g(Q)}$: g is a classical function which, given the classical 2n-bit string Q, gives the seller's random string t as output. This function can be calculated.
• ${\displaystyle \delta }$: ${\displaystyle \langle F|F\rangle '}$, where ${\displaystyle \delta \in [0,1)}$.

## Hardware Requirements

• Network Stage: Prepare and Measure
• The total number of qubits used in this protocol is equal to the total number of qubits in the message.
• Secure quantum channel between seller and buyer

## Properties

• This protocol cannot be broken even if the adversary had unlimited computing power.
• In this protocol, it is proven that no adversary can break the secrecy of the seller's signature private key.
• The quantum digital signature produced in this protocol is impossible to repudiate and cannot be forged in any condition.
• In the protocol, the public and the private key are classical bits; only the signature cipher has a quantum nature.
• No Certificate Authority is required to manage the digital public-key certificates of sellers.
• If ${\displaystyle |F\rangle =|F\rangle '}$, the measurement result ${\displaystyle |0\rangle }$ occurs with probability 1; otherwise it occurs with probability ${\displaystyle {\frac {1+\delta ^{2}}{2}}}$. Hence, when the test is repeated ${\displaystyle w}$ times, the probability of equality is at least ${\displaystyle 1-({\frac {1+\delta ^{2}}{2}})^{w}}$.

## Protocol Description

Stage 1 Key Distribution
Input: Seller and PKG (${\displaystyle k_{at}}$)
Output: Seller and PKG (${\displaystyle k_{pri}}$); Everyone (${\displaystyle k_{pub}}$)

1. PKG generates ${\displaystyle k_{pub}=f({\text{Seller's email-id}})}$
2. PKG randomly chooses ${\displaystyle G}$, ${\displaystyle k_{r}}$
3. PKG calculates ${\displaystyle k_{pri}:=G(k_{pub})\oplus k_{r}}$
4. PKG encrypts ${\displaystyle VC(k_{at},k_{pri})=E_{k_{at}}}$
5. Seller decrypts ${\displaystyle VC(k_{at},E_{k_{at}})=k_{pri}}$.

Stage 2.1 Messaging: Signature
Input: Seller (${\displaystyle k_{pri}}$, ${\displaystyle m}$, ${\displaystyle k_{pub}}$)
Output: PKG (${\displaystyle |F\rangle }$), Buyer (Signature ${\displaystyle (ts,m,B_{P},|S\rangle _{k_{pri},m})}$)

1. Seller randomly chooses ${\displaystyle s}$ and ${\displaystyle t}$.
2. ${\displaystyle \forall l\in \{1,..,n\}}$, Seller operates ${\displaystyle Y^{m_{l}}H^{s_{l}}U_{\frac {\pi }{4}}H^{t_{l}\oplus m_{l}}|0\rangle =|\phi \rangle _{s_{l},t_{l}\oplus m_{l},m_{l}}}$
3. ${\displaystyle \forall l\in \{1,..,n\}}$, Seller generates ${\displaystyle |S\rangle _{{k_{pri}}_{l},m_{l}}=H^{k_{pub_{l}}\oplus k_{pri_{l}}}|\phi \rangle _{s_{l},t_{l}\oplus m_{l},m_{l}}}$
4. ${\displaystyle \forall l\in \{1,..,n\}}$, Seller generates ${\displaystyle |P\rangle _{l}=H^{k_{pri_{l}}}|\phi \rangle _{s_{l},t_{l}\oplus m_{l}}}$
5. For ${\displaystyle l=1,2,...n}$:
    1. Seller chooses ${\displaystyle B_{l}\in _{R}\{+,\times \}}$
    2. Seller measures in basis ${\displaystyle B_{l}:B_{l}(|P_{l}\rangle )=b_{l}}$
    3. If ${\displaystyle B_{l}=+}$ then
        1. If ${\displaystyle b_{l}=1}$ then ${\displaystyle P_{l}=00}$ else ${\displaystyle P_{l}=01}$
    4. If ${\displaystyle B_{l}=\times }$ then
        1. If ${\displaystyle b_{l}=1}$ then ${\displaystyle P_{l}=10}$ else ${\displaystyle P_{l}=11}$
6. For ${\displaystyle k=1,2,...uw}$:
    1. For ${\displaystyle l=1,2,...n}$:
        1. ${\displaystyle |F\rangle _{l}=|F(t_{l}||m_{l}||P_{l}||t_{l}s_{l})\rangle _{l}}$
7. Seller encrypts ${\displaystyle VC(k_{at},(ts,\otimes _{l=1}^{uw}|F\rangle ))=E_{k_{at}}}$ and sends to PKG
8. PKG decrypts ${\displaystyle VC(k_{at},E_{k_{at}})=(ts,\otimes _{l=1}^{uw}|F\rangle )}$
9. PKG announces publicly that the quantum digest is ready.
10. Seller transmits Signature ${\displaystyle (ts,m,B,|S\rangle _{k_{pri},m})}$ to buyer.

Stage 2.2 Messaging: Verification
Input: Buyer (Signature ${\displaystyle (ts,m,B,|S\rangle _{k_{pri},m})}$, public key ${\displaystyle (k_{pub})}$)
Output: Buyer accepts or rejects the signature

1. Buyer operates: ${\displaystyle Y^{m}H^{k_{pub}}|S\rangle _{k_{pri},m}=|V\rangle _{m,k_{pub},S}}$.
2. For ${\displaystyle l=1,2,...w}$:
    1. Buyer measures ${\displaystyle |V\rangle _{{(m,k_{pub},S)}_{l}}}$ in basis ${\displaystyle B_{l}:B_{l}(|V_{l}\rangle _{{(m,k_{pub},S)}_{l}})=b_{l}}$
    2. If ${\displaystyle B_{l}=+}$ then
        1. If ${\displaystyle b_{l}=1}$ then ${\displaystyle Q_{l}=00}$ else ${\displaystyle Q_{l}=01}$
    3. If ${\displaystyle B_{l}=\times }$ then
        1. If ${\displaystyle b_{l}=1}$ then ${\displaystyle Q_{l}=10}$ else ${\displaystyle Q_{l}=11}$
3. Buyer obtains ${\displaystyle t=g(Q)}$
4. Buyer receives ${\displaystyle (ts,\otimes _{l=1}^{w}|F\rangle )}$ from PKG.
5. For ${\displaystyle k=1,2,...w'}$:
    1. Buyer generates ${\displaystyle |F\rangle '=|F(t||m||Q||ts)\rangle }$
    2. Buyer receives ${\displaystyle (ts,|F\rangle )}$ from PKG.
    3. Buyer performs SWAP test: QSWAP(${\displaystyle |F\rangle ,|F\rangle '}$)
    4. If QSWAP=true, then ${\displaystyle w'=w'+1}$
6. If ${\displaystyle w'>w_{0}}$ buyer accepts
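
The SWAP-test comparison in verification steps 5 and 6, and the probability stated under Properties, can be checked with a small state-vector simulation. This is an added example, not code from the original page or the scheme's authors; the function names, the `runs` parameter and the sample digest states are assumptions made for illustration.

```python
import math
import random

def swap_test_p0(f, g):
    """Probability that the SWAP-test ancilla reads 0 for pure states f, g.

    f and g are equal-length lists of normalised amplitudes. Circuit:
    H(ancilla), controlled-SWAP(ancilla; F, F'), H(ancilla), measure ancilla.
    """
    d = len(f)
    # After the first H: (|0> + |1>) (x) |f>|g>, keyed by (ancilla, i, j).
    # The 1/sqrt(2) of each Hadamard is applied once, as the /4 at the end.
    amp = {(a, i, j): f[i] * g[j]
           for a in (0, 1) for i in range(d) for j in range(d)}
    # Controlled-SWAP: exchange the two registers where ancilla = 1.
    amp = {(a, i, j): amp[(a, j, i)] if a else amp[(a, i, j)]
           for (a, i, j) in amp}
    # Second H: the ancilla-0 amplitude is the sum of both ancilla branches.
    return sum(abs(amp[(0, i, j)] + amp[(1, i, j)]) ** 2
               for i in range(d) for j in range(d)) / 4

def detection_probability(delta, w):
    """The page's bound 1 - ((1 + delta^2)/2)^w: chance that at least one of
    w SWAP tests on unequal digests with overlap delta reads 1."""
    return 1 - ((1 + delta ** 2) / 2) ** w

def min_repetitions(delta, target):
    """Smallest w whose detection probability reaches target."""
    if not 0 <= delta < 1 or not 0 < target < 1:
        raise ValueError("need 0 <= delta < 1 and 0 < target < 1")
    w = 1
    while detection_probability(delta, w) < target:
        w += 1
    return w

def buyer_verdict(f, f_prime, runs, w0, rng):
    """Steps 5-6: count SWAP tests that pass; accept if the count exceeds w0."""
    p0 = swap_test_p0(f, f_prime)
    passes = sum(rng.random() < p0 for _ in range(runs))
    return passes > w0, passes

if __name__ == "__main__":
    zero, one = [1, 0], [0, 1]            # constructed single-qubit digests
    plus = [1 / math.sqrt(2)] * 2
    print(swap_test_p0(zero, zero), swap_test_p0(zero, plus),
          swap_test_p0(zero, one))
    print(min_repetitions(0.0, 0.999))
    print(buyer_verdict(zero, one, 20, 15, random.Random(7)))
```

The simulation reproduces the $(1+\delta^{2})/2$ pass probability from the circuit itself, and `min_repetitions` shows how the number of SWAP tests grows as a forged digest's overlap $\delta$ with the genuine one approaches 1.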