International Journal of Theoretical
Physics
ISSN 0020-7748
Volume 53
Number 1
Int J Theor Phys (2014) 53:277-288
DOI 10.1007/s10773-013-1808-8
Security Weakness in Arbitrated Quantum Signature Protocols
Feng Liu, Kejia Zhang & Tianqing Cao
Received: 31 May 2013 / Accepted: 28 August 2013 / Published online: 1 November 2013
© Springer Science+Business Media New York 2013
Abstract Arbitrated quantum signature (AQS) is a cryptographic scenario in which the sender (signer), Alice, generates the signature of a message and then a receiver (verifier), Bob, can verify the signature with the help of a trusted arbitrator, Trent. In this paper, we point out that there exist some security weaknesses in two AQS protocols. Our analysis shows Alice can successfully disavow any of her signatures by a simple attack in the first protocol. Furthermore, we study the security weakness of the second protocol from the aspects of forgery and disavowal. Some potential improvements of this kind of protocol are given. We also design a new method to authenticate a signature or a message, which makes AQS protocols immune to Alice's disavowal attack and Bob's forgery attack effectively.
Keywords Quantum signature · Arbitrated quantum signature · Security analysis
1 Introduction
Digital signatures provide the methods to achieve source authentication and data integrity for digital messages in a publicly verifiable way, meaning that at signing time a signer commits herself/himself to a concrete message. The security of all such classical digital signature protocols presently depends on the difficulty of some mathematical problems. However, classical digital signatures become increasingly vulnerable with more powerful quantum computation [1]. Gottesman and Chuang [2] presented a quantum signature protocol by applying the quantum scenario to classical digital signatures. It used quantum effects to provide unconditionally secure signatures. And, it allowed a sender (Alice) to sign a message, so that the signature could be validated by one or more different people. In this case, all would agree either that the message came from Alice or that it had been tampered with. However, the protocol can only sign classical messages. Since the quantum nature makes quantum messages quite different from classical ones, signatures of quantum messages are more difficult [3–7].
F. Liu (✉) · K. Zhang · T. Cao
State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
F. Liu
School of Mathematics and Statistics Science, Ludong University, Yantai 264025, China
In Refs. [8, 9], Barnum et al. pointed out that if one wants to securely authenticate a quantum message, he or she must do a perfect encryption on it. This means that anyone else can learn nothing about the authenticated quantum message. Consequently, if a quantum signature protocol has the function of authentication, the receiver cannot learn anything about the content. However, in an application of signature it is generally necessary for the receiver to learn something about the content of the signed message [7]. As a result, they drew the conclusion that signing a quantum message is impossible. To get around this no-go theorem, Zeng and Keitel [3] proposed a pioneering arbitrated quantum signature (AQS) protocol, which could be used to sign both a classical message and a quantum one. This work gave an elementary model to sign a quantum message. In this protocol, Alice prepares more than one copy of a quantum message to be signed so that at least one copy among them exists in the signed message in the manner of plaintext. Not only can Bob learn the content of the signed quantum message, but he can also verify the signature with the help of Trent, which is not contrary to Barnum et al.'s conclusion.
Subsequently, many research works on AQS have been proposed. In 2009, Li et al. [5] found that Trent does not need to be entangled, and thus the Greenberger-Horne-Zeilinger (GHZ) states used in Ref. [3] can be replaced with Bell states. And, they presented a simplified AQS protocol with Bell states as the information carriers. In 2010, Zou et al. [6] further simplified this protocol by achieving AQS without entangled states. Both of them still preserve the merits in Zeng and Keitel's protocol [3]. How to reuse the shared key between Trent and Alice or Bob in an AQS protocol is an important problem in practical applications. Recently, an efficient arbitrated quantum signature protocol [10] was proposed (for the sake of simplicity, we will call it the Li'13 protocol hereafter), in which Alice and Bob share a long-term secret key with Trent by utilizing the key together with a random number. The authors of the Li'13 protocol also gave a detailed theoretical analysis to show that the proposed protocol is efficient and provably secure. In addition, Li et al. [11] proposed an AQS protocol with message recovery in 2009 (the Li'09 protocol). It is based on GHZ states, and can sign the message in the form of both known quantum states and unknown quantum states, as Zeng and Keitel's AQS protocol [3] does.
Cryptanalysis is an important and interesting work in cryptography. In the study of quantum cryptography, quite a few effective attack methods have been proposed, such as dense-coding attacks [12, 13], denial-of-service (DoS) attacks [14, 15], correlation-extractability attacks [16–19], teleportation attacks [20], intercept-resend attacks [21], participant attacks [13, 22], and Trojan horse attacks [23]. Mastering more attack methods will be helpful for us to design new protocols with high security. Taking protocols in Refs. [5, 6] as examples, Gao et al. [7] showed that Bob can perform existential forgeries of Alice's signature. More seriously, when the protocols are used to sign a classical message, Bob can achieve universal forgery of Alice's signature. Furthermore, Alice can successfully disavow the signature she signed for Bob. Now, the security analysis methods given by Gao et al. [7] have been proved to be the basic ways of analysing AQS protocols.
In this paper, we analyze the security of the Li'13 protocol [10], and find that Alice can successfully disavow the signature she has signed for Bob. That is to say, the weakness pointed out in Ref. [7] still exists in the Li'13 protocol. Besides, we show that the weaknesses pointed out by [7, 24–26] also exist in the Li'09 protocol [11], and the corresponding attacking methods are applicable to it. Furthermore, some useful improved methods on the existing AQS protocols are given.
2 Analysis of Li'13 Protocol
In Ref. [10], Li et al. proposed a new AQS protocol to reuse the shared key between Trent and Alice or Bob without entangled states. In this section, the Li'13 protocol is first described and then our security analysis is given.
2.1 Li'13 Protocol
The AQS protocol without using entangled states [10] is as follows.
– Initializing phase:
(I1) $U_A$, $U_B$ and $U_T$ represent the $k$-bit identity of Alice, Bob, and Trent, respectively.
(I2) $P$ is the $n$-bit message string.
(I3) $H_l(\cdot): \{0,1\}^{2l} \to \{0,1\}^{l}$ and $H_m(\cdot,\cdot): \{0,1\}^{l} \times \{0,1\}^{*} \to \{0,1\}^{m}$ are two secure hash functions, where $m = l - k$.
(I4) $H$ is the Hadamard gate.
(I5) Alice and Bob share a $2l$-bit key with Trent, $K_{AT}$ and $K_{BT}$ respectively.
– Signing phase:
(S1) Alice randomly chooses a number $r_A \in_R \{0,1\}^{l}$.
(S2) Using the key $K_{AT}$, Alice calculates
$$R_A = H_l(K_{AT}) \oplus r_A \oplus H_m(r_A, P)\;\;U_A \tag{1}$$
where is a symbol to concatenate two strings.
Then Alice encodes $(r_A, R_A)$ and generates her signature
$$|S_A\rangle = \bigotimes_{i=1}^{l} H^{K_{AT}^{i}} |r_A\rangle_i \bigotimes_{j=1}^{l} H^{K_{AT}^{l+j}} |R_A\rangle_j \tag{2}$$
where $K_{AT}^{i}$ denotes the $i$th bit of $K_{AT}$, and $|R_A\rangle_j$ denotes the $j$th qubit of the ciphertext $|R_A\rangle$.
(S3) Alice sends the signature $|S_A\rangle$ and the message $P$ to Bob. In this way, anyone who gets $|S_A\rangle$ and $P$ can implement the verification process with the help of Trent. And, if Bob is a designated or authorized receiver, the identity information of Bob, $U_B$, should be included in the message $P$.
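– Verifying phase:
(V1) After Bob receives the signature $|S_A\rangle$ and the message $P$, he chooses a random number $r_B \in_R \{0,1\}^{l}$.
(V2) Using the key $K_{BT}$, Bob calculates
$$R_B = H_l(K_{BT}) \oplus r_B \oplus H_m(r_B, U_B)\;\;U_B \tag{3}$$
Then Bob encodes $(r_B, R_B)$ into a qubit string
$$|y_B\rangle = \bigoplus_{i=1}^{l} H^{K_{BT}^{i}} |r_B\rangle_i \bigoplus_{j=1}^{l} H^{K_{BT}^{l+j}} |R_B\rangle_j \tag{4}$$
Finally, Bob sends $|S_A\rangle$, $|y_B\rangle$, and $P$ to Trent.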
(V3) Trent measures the received qubits $|S_A\rangle$ with a basis depending on the secret key $K_{AT}$: if $K_{AT}^{i} = 0$, the qubit $|S_A\rangle_i$ is measured in the rectilinear basis $\{|0\rangle, |1\rangle\}$; if $K_{AT}^{i} = 1$, the qubit $|S_A\rangle_i$ is measured in the diagonal basis $\{|+\rangle, |-\rangle\}$. Once Trent obtains measurement outcomes $(r_A, R_A)$, he can verify the authenticity of $P$ and the validity of $|S_A\rangle$ by making the following comparisons: if $H_m(r_A, P)\;\;U_A = H_l(K_{AT}) \oplus r_A \oplus R_A$, Trent believes the signature is true and sets parameter $\mu_T = 1$; if $H_m(r_A, P)\;\;U_A \neq H_l(K_{AT}) \oplus r_A \oplus R_A$, Trent aborts the protocol.
(V4) Trent measures the received qubits $|y_B\rangle$ according to the secret key $K_{BT}$ and obtains the measurement result $(r_B, R_B)$. If $H_m(r_B, U_B)\;\;U_B \neq H_l(K_{BT}) \oplus r_B \oplus R_B$, Trent considers Bob is dishonest and aborts further operations; if $H_m(r_B, U_B)\;\;U_B = H_l(K_{BT}) \oplus r_B \oplus R_B$, Trent randomly chooses a number $r_T \in_R \{0,1\}^{l}$ and calculates
$$R_T = H_l(K_{BT}) \oplus r_T \oplus H_m(r_T, P\;\;\mu_T)\;\;U_T \tag{5}$$
$$|y_T\rangle = \bigoplus_{i=1}^{l} H^{K_{BT}^{i}} |r_T\rangle_i \bigoplus_{j=1}^{l} H^{K_{BT}^{l+j}} |R_T\rangle_j \tag{6}$$
and sends $|S_A\rangle$, $|y_T\rangle$ and $P$ to Bob.
(V5) Bob measures the qubits $|y_T\rangle$ by the secret key $K_{BT}$ and obtains $(r_T, R_T)$. If $H_m(r_T, P\;\;1)\;\;U_T \neq H_l(K_{BT}) \oplus r_T \oplus R_T$, Bob considers Alice's signature is fake and discards $P$ and $|S_A\rangle$; if $H_m(r_T, P\;\;1)\;\;U_T = H_l(K_{BT}) \oplus r_T \oplus R_T$, Bob believes in Trent and accepts $|S_A\rangle$ as Alice's signature of the message $P$.
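The signing phase (S1)-(S2) and Trent's check in (V3), simulated classically as an added example; this is not code from the paper or from Ref. [10]. Assumptions: SHAKE-256 stands in for the unspecified hashes $H_l$ and $H_m$, concatenation of two strings is list concatenation, each qubit $H^{K^i}|b\rangle$ is modelled as a (basis, bit) pair, and the sizes, identity and messages are constructed.

```python
import hashlib
import secrets

L, K = 128, 16   # l-bit randomness, k-bit identity (constructed sizes)
M = L - K        # m = l - k, as in (I3)

def bits(data, n):
    """First n bits of SHAKE-256(data): assumed stand-in for the page's hashes."""
    d = hashlib.shake_256(data).digest((n + 7) // 8)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(n)]

def rand_bits(n): return [secrets.randbelow(2) for _ in range(n)]
def H_l(key): return bits(b"Hl" + bytes(key), L)
def H_m(r, msg): return bits(b"Hm" + bytes(r) + msg, M)
def xor(*vs): return [sum(col) % 2 for col in zip(*vs)]

def sign(K_AT, U_A, P):
    r_A = rand_bits(L)                                  # (S1)
    R_A = xor(H_l(K_AT), r_A, H_m(r_A, P) + U_A)        # Eq. (1), "+" concatenates
    # Eq. (2): qubit i is H^{K_AT^i}|bit>, modelled as a (basis, bit) pair.
    return list(zip(K_AT, r_A + R_A))

def measure(qubits, key):
    """Matching basis yields the encoded bit; a wrong basis yields a uniform bit."""
    return [b if basis == k else secrets.randbelow(2)
            for (basis, b), k in zip(qubits, key)]

def trent_verify(K_AT, U_A, P, S_A):
    out = measure(S_A, K_AT)                            # (V3)
    r_A, R_A = out[:L], out[L:]
    return H_m(r_A, P) + U_A == xor(H_l(K_AT), r_A, R_A)

def demo():
    K_AT, wrong_key = rand_bits(2 * L), rand_bits(2 * L)
    U_A = bits(b"alice", K)                             # constructed identity
    P = b"pay Bob 10"                                   # constructed message
    S1, S2 = sign(K_AT, U_A, P), sign(K_AT, U_A, P)
    return {
        "valid": trent_verify(K_AT, U_A, P, S1),
        "tampered_message": trent_verify(K_AT, U_A, b"pay Bob 99", S1),
        "wrong_key": trent_verify(wrong_key, U_A, P, S1),
        "same_message_same_qubits": S1 == S2,
    }

if __name__ == "__main__":
    print(demo())
```

The check in (V3) binds the signature to $K_{AT}$, $U_A$ and $P$; the fresh $r_A$ is why two signatures of the same message under the same key differ.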
2.2 Cryptanalysis of the AQS Protocol
Generally, the security of an AQS protocol requires that the signature should not be forged by the attacker (including Bob) and that Alice cannot disavow her signature. Therefore, the main goal for the security of AQS is to prevent the dishonest participants from deceiving. Using the methods in Ref. [7], we analyze how the Li'13 protocol achieves the functions of a digital signature and try to find out some weaknesses.
2.2.1 Features of the Li'13 Protocol
In the above protocol, the preshared secret key $K_{AT}$ is used together with a random number $r_A$, so the receiver Bob will not obtain the same polarization qubits even though the same message is signed again. And, the quantum no-cloning theorem and the property of quantum indistinguishability make eavesdroppers unable to obtain significant information from random qubit strings. Therefore, even if the secret key $K_{AT}$ is used several times, the adversary Eve still cannot know the secret key $K_{AT}$ and forge Alice's signature of the message favorable to her. On the other side, a signed message is related to Bob (i.e., using Bob's identity $U_B$), which stands against the attack [27] in which different receivers interchange their messages and the corresponding signatures arbitrarily.
Furthermore, it is shown in Ref. [10] that the proposed AQS is insusceptible to Alice's disavowal attack: Trent can confirm whether Alice has signed the message since the information of Alice's secret key $K_{AT}$ is included in the signature $|S_A\rangle$. Now we analyze how the protocol achieves the function in detail.