Quantum digital signature

Like classical digital signatures, quantum digital signatures make use of asymmetric keys. Thus, a person who wants to sign a message creates one or more pairs of sign and corresponding public keys. In general we can divide quantum digital signature schemes into two groups:

A scheme that creates a public quantum-bit key out of a private classical bit string: $k\mapsto |f_{k}\rangle$
A scheme that creates a public quantum-bit key out of a private quantum bit string: $|k\rangle \mapsto |f_{k}\rangle$

In both cases f is a one-way quantum function that has the same properties as a classical one-way function. That is, the result is easy to compute, but, in contrast to the classical scheme, the function is impossible to invert, even if one uses powerful quantum cheating strategies.

The most famous scheme for the first method above is provided by Gottesman and Chuang ^[1]

Requirements for a good and usable signature scheme

Most of the requirements for a classical digital signature scheme also apply to the quantum digital signature scheme.

In detail

The scheme has to provide security against tampering by
1. The sender after the message was signed (see bit commitment)
2. The receiver
3. A third party
Creating a signed message has to be easy
Every recipient has to get the same answer, when testing the message for validity (Valid, Non-Valid)

^[1]^[2]

Differences between classical and quantum one-way functions

Nature of the one-way function

A classical one-way function as said above is based on a classical infeasible mathematical task, whereas a quantum one-way function exploits the uncertainty principle which makes it impossible even for a quantum computer to compute the inverse. This is done by providing a quantum output state, with whom one cannot learn enough about the input string to reproduce it. In case of the first group of schemes this is shown by Holevo's theorem, which says, that from a given n-qubit quantum state one cannot extract more than n classical bits of information.^[3] One possibility to ensure that the scheme uses less qubits for a bit string of a certain length is by using nearly orthogonal states

|\langle f_{k}|f_{k}'\rangle |<\delta \qquad {\text{ for }}k\neq k'\land 0\leq \delta \leq 1

That gives us the possibility to induce a basis with more than two states.^[1] So to describe an information of $2^{n}$ bits, we can use less than n qubits. An example with a 3 qubit basis

$|0\rangle$
$|1\rangle$
${\frac {1}{\sqrt {2}}}(|0\rangle +|1\rangle )$

Only m qubits are needed to describe n classical bits when $3^{m}=2^{n}$ holds.

Because of Holevo's theorem and the fact, that m can be much smaller than n, we can only get m bits out of the n bits message. More general, if one gets T copies of the public key he can extract at most Tm bits of the private key. If $\delta$ is big $n-Tm$ becomes very large, which makes it impossible for a dishonest person to guess the sign key.

Note: You cannot distinguish between non-orthogonal states, if you only have a small amount of identical states. That's how the quantum one-way functions works.
Nevertheless $|f_{k}\rangle$ leaks information about the private key, in contrast to the classical public key, which forces one to get nothing or all about the private key.

Copying the public key

In the classical case we create a classical public key out of a classical sign key, thus it is easy to provide every potential recipient with a copy of the public key. The public key can be freely distributed. This becomes more difficult in the quantum case, because copying a quantum state is forbidden by the no cloning theorem, as long as the state itself is unknown.^[4] So public keys can only be created and distributed by a person who knows the exact quantum state he wants to create, thus who knows the sign key (This can be the sender or in more general a trustful institution). Nevertheless, in contrast to the classical public key there is an upper bound for the number of public quantum keys T which can be created, without enabling one to guess the sign key and thus endangering the security of the scheme ( $n-Tm$ has to be big)

Public Key should be the same for every recipient (Swap Test)

To make sure that every recipient gets identical results when testing the authenticity of a message, public keys distributed have to be the same. This is straightforward in the classical case, because one can easily compare two classical bit strings and see if those match. Nevertheless, in the quantum state it is more complicated. To test, if two public quantum states are the same one has to compare the following

|f_{k}'\rangle =|f_{k}\rangle

Swap test for qubits QDS Swap test.jpg — Swap test for qubits

This is done with the following quantum circuit which uses one Fredkin gate F, one Hadamard gate H and an ancilla qubit a. First of all the ancilla qubit is set to a symmetric state $|a\rangle ={\frac {1}{\sqrt {2}}}(|0\rangle +|1\rangle )$ .

Right after the ancilla qubit is used as a control on the targets $|f_{k}\rangle \$ and $\ |f_{k}'\rangle$ in a Fredkin Gate.

Furthermore, a Hadamard gate is applied on the ancilla qubit and finally the first qubit gets measured. If both states are the same, the result $|0\rangle$ is measured. If both states are nearly orthogonal, the result can be either $|0\rangle \$ or $\ |1\rangle$ .^[1]

The calculation of the swap test in more detail:

The overall state

|\psi _{0}\rangle =|a\rangle |f_{k}\rangle |f_{k}'\rangle

|\psi _{0}\rangle ={\frac {1}{\sqrt {2}}}{\bigg (}|0\rangle +|1\rangle {\bigg )}|f_{k}\rangle |f_{k}'\rangle

|\psi _{0}\rangle ={\frac {1}{\sqrt {2}}}{\bigg (}|0\rangle |f_{k}\rangle |f_{k}'\rangle +|1\rangle |f_{k}\rangle |f_{k}'\rangle {\bigg )}

After the Fredkin gate is applied

$\Rightarrow {\frac {1}{\sqrt {2}}}{\bigg (}|0\rangle |f_{k}\rangle |f_{k}'\rangle +|1\rangle \mathbf {|f_{k}'\rangle |f_{k}\rangle } {\bigg )}$

After the Hadamard gate is applied on the first qubit

$\Rightarrow {\frac {1}{2}}{\bigg [}{\bigg (}|0\rangle +|1\rangle {\bigg )}|f_{k}\rangle |f_{k}'\rangle +{\bigg (}|0\rangle -|1\rangle {\bigg )}|f_{k}'\rangle |f_{k}\rangle {\bigg ]}$

After sorting for $|0\rangle {\text{ and }}|1\rangle$

$\Rightarrow |\psi \rangle ={\frac {1}{2}}{\bigg [}|0\rangle {\bigg (}|f_{k}\rangle |f_{k}'\rangle +|f_{k}'\rangle |f_{k}\rangle {\bigg )}+|1\rangle {\bigg (}|f_{k}\rangle |f_{k}'\rangle -|f_{k}'\rangle |f_{k}\rangle {\bigg )}{\bigg ]}$

Now it is easy to see, if the states $|f_{k}\rangle =|f_{k}'\rangle \$ then $\ |\psi \rangle =|0\rangle |f_{k}\rangle |f_{k}\rangle$ , which gives us a 0 whenever it is measured.

An example of a signing-validation process using a simplified Gottesman-Chuang scheme

Signing Process

Let Person A (Alice) want to send a message to Person B (Bob). Hash algorithms won't be considered, so Alice has to sign every single bit of her message. Message-Bit b $\in \{0,1\}$ .

Alice chooses M pairs of private keys $\{k_{0}^{i},k_{1}^{i}\}\quad 1\leq i\leq M$

All the $k_{0}$ keys will be used to sign the message-bit if b = 0.
All the $k_{1}$ keys will be used to sign the message-bit if b = 1.

The function which maps $k\mapsto |f_{k}\rangle$ is known to all parties. Alice now computes the corresponding public keys $\{|f_{k_{0}}^{i}\rangle ,|f_{k_{1}}^{i}\rangle \}$ and gives all of them to the recipients. She can make as many copies as she needs, but has to take care, not to endanger the security $\left(n\gg Tm{\text{ has to hold }}\right)$ .

Her level of security limits the number of identical public keys she can create

If

message-bit b = 0, she sends all her private keys $k_{0}$ along with the message-bit b to Bob
message-bit b = 1, she sends all her private keys $k_{1}$ along with the message-bit b to Bob

Remember: In this example Alice picks only one bit b and signs it. She has to do that for every single bit in her message

Validation Process

Bob now possesses

The message-bit b
The corresponding private keys $k_{0}{\text{ or }}k_{1}$
All public keys $\{|f_{k_{0}}\rangle ,|f_{k_{1}}\rangle \}$

Now Bob calculates $|f_{k_{b}}\rangle$ for all received private keys (either $k_{0}{\text{ or }}k_{1}$ ).

After he has done so he makes use of the swap test to compare the calculated states with the received public keys. Since the swap test has some probability to give the wrong answer he has to do it for all the M keys and counts how many incorrect keys he gets r. It is obvious, that M is some kind of a security parameter. It is more unlikely to validate a bit wrong for bigger M.

If he only gets a few incorrect keys, then the bit is most probably valid, because his calculated keys and the public keys seem to be the same.
If he gets many incorrect keys, then somebody faked the message with high probability.

Avoid a message to be validated differently

One problem which arises especially for small M is, that the number of incorrect keys different recipients measure differ with probability. So to define only one threshold is not enough, because it would cause a message to be validated differently, when the number of incorrect keys r is very close to the defined threshold.

This can be prevented by defining more than one threshold. Because the number of errors increase proportional with M, the thresholds are defined like

Acceptance

T_{a}=c_{1}M

Rejection

T_{r}=c_{2}M

If the number of incorrect keys r is below $T_{a}$ , then the bit is valid with high probability
If the number of incorrect keys r is above $T_{r}$ , then the bit is faked with high probability
If the number of incorrect keys r is in-between both thresholds, then the recipient cannot be sure, if another recipient gets the same outcome, when validating the bit. Furthermore, he can't be even sure, if he validated the message right.

^[1]

If we assume perfect channels without noise, so the bit can't be changed due to the transfer, then the threshold $T_{a}$ can be set to zero, because the swap test passes always, when the compared states are the same

Message authentication

Message authentication codes (MACs) mainly aim at data origin authentication, but they can also provide non-repudiation in certain realistic scenarios when a trusted third party is involved. In principle, the same idea can be exploited in the framework of quantum MACs. However, a broad class of quantum MACs does not seem to offer any advantage over their classical counterparts. ^[5]

Related Research Articles

Quantum teleportation is a technique for transferring quantum information from a sender at one location to a receiver some distance away. While teleportation is commonly portrayed in science fiction as a means to transfer physical objects from one location to the next, quantum teleportation only transfers quantum information. Moreover, the sender may not know the location of the recipient, and does not know which particular quantum state will be transferred.

In quantum computing, a qubit or quantum bit is the basic unit of quantum information—the quantum version of the classic binary bit physically realized with a two-state device. A qubit is a two-state quantum-mechanical system, one of the simplest quantum systems displaying the peculiarity of quantum mechanics. Examples include the spin of the electron in which the two levels can be taken as spin up and spin down; or the polarization of a single photon in which the two states can be taken to be the vertical polarization and the horizontal polarization. In a classical system, a bit would have to be in one state or the other. However, quantum mechanics allows the qubit to be in a coherent superposition of both states simultaneously, a property that is fundamental to quantum mechanics and quantum computing.

In quantum computing, Grover's algorithm, also known as the quantum search algorithm, refers to a quantum algorithm for unstructured search that finds with high probability the unique input to a black box function that produces a particular output value, using just $evaluations of the function, where is the size of the function's domain. It was devised by Lov Grover in 1996.$

Quantum superposition is a fundamental principle of quantum mechanics. It states that, much like waves in classical physics, any two quantum states can be added together ("superposed") and the result will be another valid quantum state; and conversely, that every quantum state can be represented as a sum of two or more other distinct states. Mathematically, it refers to a property of solutions to the Schrödinger equation; since the Schrödinger equation is linear, any linear combination of solutions will also be a solution.

The Deutsch–Jozsa algorithm is a deterministic quantum algorithm proposed by David Deutsch and Richard Jozsa in 1992 with improvements by Richard Cleve, Artur Ekert, Chiara Macchiavello, and Michele Mosca in 1998. Although of little current practical use, it is one of the first examples of a quantum algorithm that is exponentially faster than any possible deterministic classical algorithm.

The Hadamard transform is an example of a generalized class of Fourier transforms. It performs an orthogonal, symmetric, involutive, linear operation on $2 m$ real numbers.

In quantum information theory, a quantum circuit is a model for quantum computation in which a computation is a sequence of quantum gates, which are reversible transformations on a quantum mechanical analog of an n-bit register. This analogous structure is referred to as an n-qubit register. The graphical depiction of quantum circuit elements is described using a variant of the Penrose graphical notation.

In quantum computing and specifically the quantum circuit model of computation, a quantum logic gate is a basic quantum circuit operating on a small number of qubits. They are the building blocks of quantum circuits, like classical logic gates are for conventional digital circuits.

Quantum error correction (QEC) is used in quantum computing to protect quantum information from errors due to decoherence and other quantum noise. Quantum error correction is essential if one is to achieve fault-tolerant quantum computation that can deal not only with noise on stored quantum information, but also with faulty quantum gates, faulty quantum preparation, and faulty measurements.

The Bell states or EPR pairs are specific quantum states of two qubits that represent the simplest examples of quantum entanglement; conceptually, they fall under the study of quantum information science. The Bell states are a form of entangled and normalized basis vectors. This normalization implies that the overall probability of the particle being in one of the mentioned states is 1: $. Entanglement is a basis-independent result of superposition. Due to this superposition, measurement of the qubit will collapse it into one of its basis states with a given probability. Because of the entanglement, measurement of one qubit will assign one of two possible values to the other qubit instantly, where the value assigned depends on which Bell state the two qubits are in. Bell states can be generalized to represent specific quantum states of multi-qubit systems, such as the GHZ state for 3 or more subsystems.$

In quantum computing, a quantum register is a system comprising multiple qubits. It is the quantum analog of the classical processor register. Quantum computers perform calculations by manipulating qubits within a quantum register.

In quantum information theory, superdense coding is a quantum communication protocol to communicate a number of classical bits of information by only transmitting a smaller number of qubits, under the assumption of sender and received pre-sharing an entangled resource. In its simplest form, the protocol involves two parties, often referred to as Alice and Bob in this context, which share a pair of maximally entangled qubits, and allows Alice to transmit two bits to Bob by sending only one qubit. This protocol was first proposed by Bennett and Wiesner in 1992 and experimentally actualized in 1996 by Mattle, Weinfurter, Kwiat and Zeilinger using entangled photon pairs. Superdense coding can be thought of as the opposite of quantum teleportation, in which one transfers one qubit from Alice to Bob by communicating two classical bits, as long as Alice and Bob have a pre-shared Bell pair.

In computer science, the controlled NOT gate is a quantum logic gate that is an essential component in the construction of a gate-based quantum computer. It can be used to entangle and disentangle Bell states. Any quantum circuit can be simulated to an arbitrary degree of accuracy using a combination of CNOT gates and single qubit rotations.

In cryptography, a Lamport signature or Lamport one-time signature scheme is a method for constructing a digital signature. Lamport signatures can be built from any cryptographically secure one-way function; usually a cryptographic hash function is used.

BB84 is a quantum key distribution scheme developed by Charles Bennett and Gilles Brassard in 1984. It is the first quantum cryptography protocol. The protocol is provably secure, relying on the quantum property that information gain is only possible at the expense of disturbing the signal if the two states one is trying to distinguish are not orthogonal and an authenticated public classical channel. It is usually explained as a method of securely communicating a private key from one party to another for use in one-time pad encryption.

In computational complexity theory and quantum computing, Simon's problem is a computational problem that is proven to be solved exponentially faster on a quantum computer than on a classical computer. The quantum algorithm solving Simon's problem, usually called Simon's algorithm, served as the inspiration for Shor's algorithm. Both problems are special cases of the abelian hidden subgroup problem, which is now known to have efficient quantum algorithms.

SARG04 is a quantum cryptography protocol derived from the first protocol of that kind, BB84.

Entanglement distillation is the transformation of N copies of an arbitrary entangled state $into some number of approximately pure Bell pairs, using only local operations and classical communication (LOCC).$

In quantum computing, the quantum Fourier transform is a linear transformation on quantum bits, and is the quantum analogue of the inverse discrete Fourier transform. The quantum Fourier transform is a part of many quantum algorithms, notably Shor's algorithm for factoring and computing the discrete logarithm, the quantum phase estimation algorithm for estimating the eigenvalues of a unitary operator, and algorithms for the hidden subgroup problem. The quantum Fourier transform was invented by Don Coppersmith.

Algorithmic cooling is an algorithmic method for transferring heat from some qubits to others or outside the system and into the environment, which results in a cooling effect. This method uses regular quantum operations on ensembles of qubits, and it can be shown that it can succeed beyond Shannon's bound on data compression. The phenomenon is a result of the connection between thermodynamics and information theory.

References

1 2 3 4 5 Daniel Gottesman, Isaac L. Chuang. Quantum Digital Signatures, arXiv:quant-ph/0105032v2, (November 15, 2001)
↑ Xin Lü, Deng-Guo Feng. Quantum Digital Signature Based on Quantum One-way Functions, arxiv:quant-ph/04030462v2, (June 24, 2004)
↑ Michael A. Nielsen, Isaac L. Chuang. Quantum Computation and Quantum Information 1st Ed., Cambridge University Press, p.531-536
↑ Michael A. Nielsen, Isaac L. Chuang. Quantum Computation and Quantum Information 1st Ed., Cambridge University Press, p.532
↑ Nikolopoulos, Georgios M.; Fischlin, Marc (2020). "Information-Theoretically Secure Data Origin Authentication with Quantum and Classical Resources". Cryptography. 4 (4): 31. arXiv: 2011.06849 . doi: 10.3390/cryptography4040031 .

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Chuang-1] 1 2 3 4 5 Daniel Gottesman, Isaac L. Chuang. Quantum Digital Signatures, arXiv:quant-ph/0105032v2, (November 15, 2001)

[Feng-2] Xin Lü, Deng-Guo Feng. Quantum Digital Signature Based on Quantum One-way Functions, arxiv:quant-ph/04030462v2, (June 24, 2004)

[Holevo-3] Michael A. Nielsen, Isaac L. Chuang. Quantum Computation and Quantum Information 1st Ed., Cambridge University Press, p.531-536

[Cloning-4] Michael A. Nielsen, Isaac L. Chuang. Quantum Computation and Quantum Information 1st Ed., Cambridge University Press, p.532

[5] Nikolopoulos, Georgios M.; Fischlin, Marc (2020). "Information-Theoretically Secure Data Origin Authentication with Quantum and Classical Resources". Cryptography. 4 (4): 31. arXiv: 2011.06849 . doi: 10.3390/cryptography4040031 .

[1]

[2]

[3]

[4]

[5]

Quantum digital signature

Contents

Classical public-key method