Editing Quantum Cheque

[https://link.springer.com/article/10.1007/s11128-016-1273-4 Quantum Cheque] is a private-key quantum money scheme that allows trusted banks to issue perfectly secure and verifiable quantum cheque books to account holders and also enables them to undertake monetary transactions with other parties. The quantum cheque is secure against [[non-signalling]] adversaries and cannot be counterfeited.

'''Tags:''' Private-Key Quantum Money, [[Quantum Digital Signature]], [[Quantum Key Distribution]], Quantum One-Way Function. 

== Assumptions ==
* The protocol assumes the account holder and the bank, to be honest. The bank is a trusted party, however, the branches may or may not be trusted.
* This protocol assumes perfect state preparations, transmissions, and measurements.
* The protocol takes the assumption that the Quantum Digital Signature and the Quantum key distribution schemes are unconditionally secure.
* The digital signature scheme must satisfy the following security conditions of unforgeability and non-repudiation

==Outline==

This protocol allows a quantum cheque to be issued using quantum cheque books to the bank customers. The customers can then carry forward transactions in a perfectly secure manner and these cheques can be en-cashed after being verified by the trusted bank or its branches, that communicate with the main branch securely. The quantum cheque follows all the properties of a classical cheque - verifiable by a trusted bank, cannot be disavowed by the issuer and cannot be counterfeited by an adversary. </br>

The entire bank transaction process can be divided into three stages, Gen, where the cheque book is generated for the account holder, Sign, where the account holder prepares a cheque and issues it to the third party and Verify, where the third party en-cashes the cheque depending upon its validity.

* '''Gen'''
** In this stage, the bank first creates a cheque book and a key for the account holder.
** Then, the bank and the account holder create a shared key using [[Quantum Key Distribution]]. Both parties agree upon the [[Quantum Digital Signature]]. The account holder stores his private key safely with himself and shares the public key with the bank. 
** The bank then prepares <math>n</math> GHZ triplet states (link to page) and stores only the third entangled qubit of every GHZ in the database, while handing over the first two qubits of every GHZ state to the account holder. Along with this, the bank also creates and shares a corresponding unique serial number for this cheque.
** Finally, the account holder has stored his identity, shared key, private key, public key, serial number and first two entangled qubits of every GHZ triplet state whereas the bank has stored each account holder's identity, shared key, public key, serial number and third entangled qubit of every GHZ triplet states in its database.<br></br>
* '''Sign'''
** In this stage, the issuer's key and amount to be signed is taken as input to produce a quantum state which acts like a cheque.
** Each account holder prepares <math>n</math> quantum states to issue a check worth some amount <math>M</math>. This quantum state is prepared by the quantum one-way function (Link to the page) which takes the shared key, identity of the account holder, a random number and the amount of money <math>M</math> to be signed as the input. Every state from these <math>n</math> quantum states is individually encoded with one of the account holder's entangled qubit of the GHZ states using Quantum Secret Sharing: Splitting of quantum information (Link to the page). The account holder then signs the serial number with their digital signature.
** The quantum cheque thus produces by the account holder contains the information - the identity of the account holder, serial number, generated a random number, digital signature, amount of money signed and the other entangled qubit of the GHZ state.<br></br>
* '''Verify'''
** In this method, the quantum cheque is verified by the trusted bank or its branches and the validity is checked.
** When the quantum cheque is produced at any valid branches of the bank by a third party, the information is securely communicated to the main branch. At the branch, an initial verification is carried by considering the identity of the issuer of the cheque, the serial number of the cheque and the digital signature of the issuer. If the cheque is valid, the verification process is continued, otherwise, the cheque is destroyed and the process is discontinued.
** The main branch performs a measurement on its copy of third entangled qubit of every GHZ triplet state which was stored in the database and securely communicates this result to the branch.
** The branch recovers the quantum state that was prepared by the account holder to issue the cheque, using the information received from the main branch. The branch also computes this same quantum states using the stored account holder's information like the shared key, the identity of the account holder, a random number and the amount of money <math>M</math> as input for verification. A swap test(Link to the page) is performed on both these states and if the cheque is only accepted if this test passes, else it is destroyed and aborted.

This scheme is proven to be impossible to counterfeit and impossible to repudiate. The quantum cheque is a quantum state and thus it cannot be copied or stolen by any eavesdropper, ensuring that only one copy of the quantum cheque exists.

==Requirements==
* Secure quantum channel to connect the branches of the bank to the main branch.
* Secure quantum channel to connect the bank to the account holder and to connect any other third party to the bank.
* This protocol required quantum memory to store issuer's quantum state of the cheque if the protocol is not running in real time.
* Private database for both account holder and bank.
* Measurement devices for the account holder and the main branch of the bank.

==Knowledge Graph==

{{graph}}
==Properties==

* In the signing process, the quantum one-way function used to create the cheque for the account holder is assumed to take polynomial time to compute and is hard to invert.
* In the verification process, the bank sets a thresholding security parameter <math>\kappa</math>. The swap test is passed if <math>\{ \langle\psi^{(i)}|\psi^{,(i)}\rangle \geq \kappa\}_{i=1:l}</math>
* No quantum memory would be required for the account holder to store the quantum check if the transaction is occurring in real time.
* This protocol can be realized, efficiently, with few qubit systems, without compromising on the security
* Security: This protocol is impossible to counterfeit and non-repudiation by signatory is impossible here.

==Notation==
* <math>k</math>: Shared key between account holder and bank where <math>k \in \{0,1\}^L</math>.
* <math>\Pi</math>: Digital signature scheme, where <math>\Pi=(Gen, Sign, Vrfy)</math>.
* <math>id</math>: Account holder's identity.
* <math>pk</math>: Account holder's public key.
* <math>sk</math>: Account holder's private key.
* <math>s</math>: Unique serial number where <math>s \in \{0,1\}^{l(n)}</math>.
* <math>{|\phi^{(i)}\rangle_{GHZ}}</math>: <math>n</math> GHZ triplet states where,
<div style="text-align: center;"><math>|\phi^{(i)}\rangle_{GHZ} = \frac{1}{\sqrt{2}}(|0^{(i)}\rangle_{A_1}|0^{(i)}\rangle_{A_2}|0^{(i)}\rangle_{B} + |1^{(i)}\rangle_{A_1}|1^{(i)}\rangle_{A_2}|1^{(i)}\rangle_{B})</math></div>
* <math>{|\phi^{(i)}\rangle_{A_1}}</math>: First entangled qubit from every GHZ triplet state which is given to account holder.
* <math>{|\phi^{(i)}\rangle_{A_2}}</math>: Second entangled qubit from every GHZ triplet state which is given to account holder.
* <math>{|\phi^{(i)}\rangle_{B}}</math>: First entangled qubit from every GHZ triplet state which stays with bank.
* <math>r</math>: Generated random number where <math>r \in \{0,1\}^L</math>.
* <math>M</math>: Amount of money account holder signs on the cheque.
* <math>f</math>: Quantum one way function.
* <math>x\mid\mid</math>y:  concatenation of two bit strings <math>x</math> and <math>y</math>.
* <math>{|\psi^{(i)}\rangle}</math>: quantum state prepared by the account where,
<div style="text-align: center;"><math>|\psi^{(i)}\rangle = f(k \mid\mid id\mid\mid r\mid\mid M\mid\mid i)</math></div>. This quantum state is also denoted as <math>\alpha_i|0\rangle + \beta_i|1\rangle</math>.
* <math>|\Phi^\pm\rangle</math>: Bell state <math>\frac{|00\rangle \pm |11\rangle}{\sqrt{2}}</math>
* <math>|\Psi^\pm\rangle</math>: Bell state <math>\frac{|10\rangle \pm |01\rangle}{\sqrt{2}}</math>
* <math>\sigma</math>: In <math>\chi</math>, output of signing with <math>s</math>.
* <math>\chi</math>: Quantum cheque where,
<div style="text-align: center;"><math>
        \chi = (id, s, r, \sigma, M, \{{|\phi^{(i)}\rangle_{A_1}}\}_{i=1:n})
</math></div>
* <math>\kappa</math>: Threshold constant set as a security parameter by the bank in the swap test. 
* <math>|\psi^{,(i)}\rangle</math>: Quantum state prepared by the bank for verification.

==Protocol Description==

'''Stage 1''': Gen</br>
'''Output''':  Account holder now holds <math>(id, pk, sk, k, s, \{|\phi^{(i)}\rangle_{A_1}|\phi^{(i)}\rangle_{A_2}\}_{i=1:n})</math> and Bank now holds <math>(id, pk, k, s, {\|\phi^{(i)}\rangle_{B}\}_{i=1:n})}</math> in their private databases.

* Account holder and Bank create <math>k</math>.
* Account holder and Bank agree on <math>\Pi</math>.
* Account holder submits <math>pk</math> to Bank.
* Account holder secretly stores <math>sk</math>.
* For <math>i = 1, 2, ...n</math>:
** Bank generates GHZ triple state <math>|\phi^{(i)}\rangle_{GHZ}</math>
** Bank stores <math>|\phi^{(i)}\rangle_{B}</math> in their private database.
** Bank gives <math>|\phi^{(i)}\rangle_{A_1}|\phi^{(i)}\rangle_{A_2}</math> to account holder.
* Bank prepares <math>s</math> and shares it with the account holder.
* For <math>i = 1, 2, ...n</math>:
** Account holder stores <math>|\phi^{(i)}\rangle_{A_1}|\phi^{(i)}\rangle_{A_2}</math> privately.
* Account holder now holds <math>(id, pk, sk, k, s, \{|\phi^{(i)}\rangle_{A_1}|\phi^{(i)}\rangle_{A_2}\}_{i=1:n})</math>
* Bank now holds <math>(id, pk, k, s, {|\phi^{(i)}\rangle_{B}\}_{i=1:n})}</math>


'''Stage 2''': Sign </br>
'''Output''': Account holder produces <math>\chi</math>

* Account holder generates <math>r</math>.
* For <math>i = 1, 2, ...n</math>:
** Account holder prepares <math>|\psi^{(i)}\rangle = f(k \mid\mid id\mid\mid r\mid\mid M\mid\mid i)</math>.
** Account holder encodes <math>|\psi^{(i)}\rangle</math> with <math>|\phi^{(i)}\rangle_{GHZ}</math> by combining <math>|\psi^{(i)}\rangle</math> with <math>|\phi^{(i)}\rangle_{A_1}</math> and performing a bell measurement on the two.
<div style="text-align: center;"><math>
                |\phi^{(i)}\rangle =  |\psi^{(i)}\rangle \otimes |\phi^{(i)}\rangle_{GHZ}
</math></div>
** Based on the measurement, account holder performs the suitable error correction, by applying the corresponding Pauli matrix, on <math>|\phi^{(i)}\rangle_{A_1}</math>:
         <div style="text-align: center;"><math>
            |\Phi^{(+)}\rangle  \xrightarrow{} I,
            |\Phi^{(-)}\rangle  \xrightarrow{} \sigma_z,
            |\Psi^{(+)}\rangle  \xrightarrow{} \sigma_x,
            |\Phi^{(-)}\rangle  \xrightarrow{} \sigma_y,
           </math></div>
* Account holder signs the serial number <math>s</math> using <math>\Pi</math>, as <math>\sigma \xleftarrow{} Sign_{sk}(s)</math>.
* Account holder produces <math>\chi</math>.

'''Stage 3''': Verify </br>
'''Output''': Cheque gets accepted or the process is aborted and the cheque is destroyed.

* Third party produces the <math>\chi</math> at a valid branch of the bank.
* Branch communicates with main branch of the bank and checks validity of <math>(id, s)</math> and runs <math>{Vrfy}_{pk}(\sigma, s)</math>. 
** If invalid:
*** Bank aborts the process and destroys the cheque.
** else:
*** Bank continues the verification process.
* Main branch of the bank performs the measurement in Hadamard basis on its copy of <math>|\phi^{(i)}\rangle_{B}</math> and obtains outcome <math>|+\rangle</math> or <math>|-\rangle</math>. 
* Main branch communicates this result with the local branch.
* For <math>i = 1, 2, ...n</math>:
** Based on outcome, branch performs the corresponding Pauli matrix operation on  <math>|\phi^{(i)}\rangle_{A_2}</math> to recover <math>|\Psi^{(i)}\rangle</math> : <math>|+\rangle \xrightarrow{} I, |-\rangle \xrightarrow{} \sigma_z</math>
* For <math>i = 1, 2, ...n</math>:
** Bank computes <math>|\Psi^{,(i)}\rangle </math>, where,
<div style="text-align: center;"><math>          
               |\Psi^{,(i)}\rangle = f(k \mid\mid id\mid\mid r\mid\mid M\mid\mid i)
</math></div>
* For <math>i = 1, 2, ...n</math>:
** Bank performs swap test on <math>|\Psi^{(i)}\rangle</math> and <math>|\Psi^{,(i)}\rangle</math>. 
*** If <math>\langle\Psi^{(i)}|\Psi^{,(i)}\rangle \geq \kappa</math>:
**** Bank aborts the process and destroys the cheque.
*** else:
**** Bank continues the verification process.
* Bank accepts the cheque.

==Further information==

<div style='text-align: right;'>''*contributed by Rhea Parekh''</div>