Gottesman and Chuang Quantum Digital Signature: Difference between revisions

• Perfect devices and channels have been assumed
• It has been assumed that all recipients have received correct and identical copies of Seller's public key (explained later)
• All participants know, the map which takes private keys to public keys, threshold value of acceptance (${\displaystyle c_{1}}$ ) and threshold value for rejection (${\displaystyle c_{2}}$ )
• Distribution of public keys requires authenticated quantum and classical channels between all parties

The signature scheme proposed by Gottesman and Chuang is based on quantum one way functions, which takes classical bit string as input and outputs quantum states. Quantum Digital Signature (QDS) protocols can be divided into two phases: the distribution phase, where quantum signals (public keys) are sent to all recipients, and the messaging phase, where classical messages are signed, sent and verified. Here, we take the case of three parties, one sender (referred to as seller) and two receivers (buyer and verifier) sharing a one bit message. Distribution phase can be divided into the following two steps:

• Key Generation: For each message bit (say 0 and 1), seller selects some (say M) classical bit strings randomly. These are chosen to be her private keys for that message bit. Using this private key as input, seller generates output of the quantum one-way function/map, which she calls her public key and as assumed above, distributes them to each recipient, for each message bit. In the end of this step, each recipient has 2M public keys, M for message bit 0 and M for message bit 1. Following are a few suggestions for the quantum one way functions, by the authors.

Quantum One Way Functions: The author suggests quantum fingerprint states (1), stabilizer states (2) to represent classical strings in terms of quantum states. The number of qubits for the quantum state used, to represent each bit in the classical string, depends on which of the above methods is used. Another method where each classical bit is represented by one quantum bit, is also suggested.

• Key Distribution: The authors suggest a few methods for key distribution. One of them is the assumption of a trusted third party who receives public keys from seller, checks all the keys using Quantum SWAP Test and then if test is passed by each key sent, the trusted party distributes it to the recipients. A second method eliminates the requirement of a trusted third party and instead requires Sender to send two copies of each public key to each recipient, such that, in the end each recipient has 4M keys (2M public keys for each message bit). Both buyer and verifier perform quantum swap test on their supposedly identical copies of public keys. Then, if passed, Buyer sends one copy of his public key to the verifier, who then performs the SWAP test between the received copy and his copy of public key.

Similarly, messaging stage can be described as follows:

• Messaging: Seller sends her message bit with the associated private keys to the buyer. Buyer performs the map on the private key (quantum one way function takes the sent private key as input) and then compares the output thus generated with the public key received in the distribution stage. If the number of unmatched bits are below rejection threshold, the message is declared valid, else invalid. If the number of unmatched bits is below acceptance threshold, it is declared transferable, else not transferable.

A generalized scheme for more than three parties is given in the article. Also, for multi-bit messages, a scheme using error correcting codes has been suggested in brief.

• m: message bit (0 or 1)
• M: number of private keys chosen/produced for each message bit
• k: classical string/ private key
• ${\displaystyle k_{m}^{i}}$ : ${\displaystyle i^{th}}$  bit of private key k for message bit m
• ${\displaystyle |f(k)\rangle }$ : quantum output of quantum one way function (public key) with classical input bit k
• L: length of private key
• n: number of qubits in the quanutm state ${\displaystyle |f_{k}\rangle }$ 
• ${\displaystyle f_{new}}$ : quantum output of buyer when he uses the seller's sent signature (private key ${\displaystyle k_{b}^{i}}$  to sign message bit b) as an input to publicly known quantum one way function.
• ${\displaystyle c_{1}}$ : threshold for acceptance
• ${\displaystyle c_{2}}$ : threshold for rejection

• The public keys can be used only once.
• Only limited (T) distribution of public keys should be allowed, such that ${\displaystyle T<L/n}$ , where quantum public key is an 'n' qubit state.
• Unlike some classical information-theoretic (unconditional security) schemes which require secure anonymous broadcast channel or noisy channel, which are hard to achieve resources, the quantum scheme provides information-theoretic security by only demanding plausible quantum channels and modest interaction between parties involved.
• The scheme is secure against forgery if ${\displaystyle (1-\delta ^{2})(M-G)>c_{2}M}$ , where ${\displaystyle G=2^{-(L-Tn)}2M}$  and ${\displaystyle \delta }$  depends on public keys and hence, on quantum one way functions. ${\displaystyle \delta \sim 0.9}$  for quantum fingerprint states; ${\displaystyle \delta \sim 1/{\sqrt {2}}}$  for stabilizer states. For the method where one classical bit is represented by one qubit, which consists of the states ${\displaystyle cos(j\theta )+sin(j\theta )}$ , for ${\displaystyle \theta =\pi /2^{L}}$ , ${\displaystyle \delta =cos(\theta )}$ .
• The Seller can successfully repudiate by probability, ${\displaystyle p_{cheat}\sim O(d^{-M})}$ , for some ${\displaystyle d>1}$ .

• Network Stage:Quantum Memory
• Required parameters: Size of public key (n), private key (L), signed message (1, in above case)
• Scalability:
  • Size of public key increases as logarithm of number of recipients.
  • Size of private key, ${\displaystyle L\geq T}$  where T must be linear or quadratic in the number of recipients.
  • Size of signed message scales linearly with L.
  • Total amount of keys consumed scales linearly with number of messages sent.
• Benchmark values: No experimental implementation using qubits. See Experimental Papers (1) for implementation using coherent states.

Stage 1 Distribution

• Input L
• Output Seller: ${\displaystyle \{k_{0}^{i},k_{1}^{i}\}}$ , ${\displaystyle 1\leq i\leq M}$ , ${\displaystyle |\{f(k_{0}^{i})\rangle ,|f(k_{1}^{i})\rangle \}}$ 
  • Key Generation

1. For m = 0,1
   1. For i=0,M
      1. Seller generates classical bits ${\displaystyle k_{m}^{i}}$ 
   2. Seller performs quantum one way map: ${\displaystyle k_{m}^{i}\rightarrow |f(k_{m}^{i})\rangle }$  4 times for each element, so to have 4 copies denoted ${\displaystyle |f(k_{m}^{i})\rangle ^{j}}$  with j from 1 to 4

• • Key Distribution: (No Trusted Third Party Assumption)

1. For m = 0,1
   1. For i=0,M
      1. Seller sends ${\displaystyle |f(k_{m}^{i})\rangle ^{j}}$  to buyer for j=1,2 and verifier for j=3,4
      2. Buyer performs QSWAP TEST${\displaystyle (|f(k_{m}^{i})\rangle ^{1},|f(k_{m}^{i})\rangle ^{2})}$ 
      3. If QSWAP TEST= False, protocol aborted
      4. If QSWAP TEST= True, Buyer sends any of ${\displaystyle |f(k_{m}^{i})\rangle ^{2},|f(k_{m}^{i})\rangle ^{1}}$  (supposedly equal) to verifier, we will denote it with b superscript
      5. Verifier performs similar steps and sends any of ${\displaystyle |f(k_{m}^{i})\rangle ^{3},|f(k_{m}^{i})\rangle ^{4}}$  (supposedly equal) to buyer, we will denote it with v superscript
      6. Both perform QSWAP TEST${\displaystyle (|f(k_{m}^{i})\rangle ^{b},|f(k_{m}^{i})\rangle ^{v})}$  on the copies they have
      7. If QSWAP TEST= False, protocol aborted
      8. If QSWAP TEST= True, distribution successful

Stage 2 Messaging

• Input Seller: Message b, Private Key for ${\displaystyle k_{b}}$ 
• Output Buyer: 1-ACC (Message is valid and transferable), 0-ACC (Message is valid but not transferable), REJ (Message is invlaid)
  • Signing:

1. For i=1,M
2. Seller sends Buyer (b,${\displaystyle k_{b}^{i}}$ )
3. For l = 1,2,..,L
   1. Buyer performs ${\displaystyle k_{b}^{i}\rightarrow f_{new}}$ 
   2. Buyer performs QSWAP TEST${\displaystyle (f_{new},f_{k_{b}^{i}})}$ 
   3. If QSWAP TEST= False, ${\displaystyle s_{B}=s_{B}+1}$ 
4. If ${\displaystyle s_{B}<c_{1}M}$ , result 1-ACC
5. If ${\displaystyle c_{1}M<s_{B}<c_{2}M}$ , result 0-ACC
6. If ${\displaystyle s_{B}>c_{2}M}$ , result REJ

This protocol was the first ever scheme designed for Quantum Digital Signatures. Due to unavailability of quantum memory at the current stage, this scheme has not seen enough experimental implementations, yet variations of the same without the need of quantum memory has some progress such as Prepare and Measure Quantum Digital Signature, Measurement Device Independent Quantum Digital Signature (MDI-QDS), etc.. Following is the list of few more protocols with similar requirement (quantum memory) but small variations.

• Theoretical Papers

1. GC (2001) above protocol
2. ACJ (2006) discusses coherent states comparison with a QDS scheme outlined in the last section.
   1. Protocol uses the same protocol as (2) but replaces qubits with coherent states, thus replacing SWAP-Test with Coherent State Comparison. Additionally, it also requires quantum memory, authenticated quantum and classical channels, multiports.
   2. Security: Information-theoretic
3. Shi et al (2017) Discusses an attack and suggests corrections on existing QDS scheme using single qubit rotations. Protocol uses rotation, qubits, one-way hash function; Private keys: angle of rotation, Public keys: string of rotated quantum states.
   1. Requires random number generator, one-way hash function, quantum memory, key distribution.
   2. Security: Computational

• Experimental Papers

1. Clarke et al (2012) uses phase encoded coherent states, coherent state comparison
   1. Loss from multiport=7.5 dB, Length of the key= ${\displaystyle 10^{6}}$ 

1. Burhman et al (2001)
2. Nielsen M. A. and Chuang I. L. Quantum computation and quantum information. Cambridge University Press, Cambridge, UK, 2000.