A multiparty quantum proxy group signature scheme ... - Springer Link

Quantum Inf Process (2011) 10:653–670 DOI 10.1007/s11128-010-0225-7

A multiparty quantum proxy group signature scheme for the entangled-state message with quantum Fourier transform Jinjing Shi · Ronghua Shi · Ying Tang · Moon Ho Lee

Received: 15 May 2010 / Accepted: 30 December 2010 / Published online: 9 January 2011 © Springer Science+Business Media, LLC 2011

Abstract A novel multiparty quantum proxy group signature scheme is proposed based on the discrete quantum Fourier transform in order to improve the efficiency and the security of quantum signature for an n-dimensional quantum message, in which the generation and verification of the signature can be successfully conducted only if all the n participants cooperate with each other and with the message owner’s, the receiver’s and the arbitrator’s help. The quantum parallel algorithm is applied to efficiently compare the restored quantum message to the original quantum message both of which contain a large amount of information. All the operations in signing and verifying phase can be executed in quantum circuits. The analysis shows that our scheme is more efficient than other traditional quantum signature schemes, and a secure quantum proxy group signature can be achieved effectively for a contract that needs the cosigner of multi participants. It has a wide application to E-payment system, Online contract, Online notarization and etc. Keywords Quantum signature · Group signature · Proxy signature · Quantum computation · Quantum Fourier transform

J. Shi (B) · R. Shi School of Information Science & Engineering, Central South University, 410083 Changsha, China e-mail: [email protected] Y. Tang School of Physics Science & Technology, Central South University, 410083 Changsha, China e-mail: [email protected] M. H. Lee Institute of Information and Communication, Chonbuk National University, 561-756 Chonju, Korea e-mail: [email protected]

123

654

J. Shi et al.

1 Introduction A classical digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document. It ensures that the original content of the message or document is unchanged [1]. In the classical cryptography, the proxy signature [2] which has characteristics of distinguishability, unforgeability, verifiability, identifiability and undeniableness, allows the signer to specify other one to verify his signature [3]. A group signature scheme introduced by Chaum [4] firstly, is a method for allowing a member of a group to sign a message on behalf of the group [3] anonymously. It is a form of digital signature as well. But those classical schemes could be easily broken by the emergence of quantum computers. That is why more and more quantum signature schemes based on quantum computation are proposed. Currently, Zeng et al. introduced a quantum signature scheme based on the classical signature theory and quantum cryptography [5–8], whose algorithm is a symmetrical quantum key cryptosystem with Greenberger-Horne-Zeilinger (GHZ) triplet states. Li et al. proposed an arbitrated quantum signature scheme using Bell states [9]. Gottesman and Chuang proposed a quantum digital signature scheme based on quantum one-way function [10], and Lee also presented two quantum signature schemes with message recovery [11]. In 2008, Yang and Wen suggested a multi-proxy quantum group signature scheme with threshold shared verification [12], in which only the cooperation of all the signers in the proxy group can generate the proxy signature on behalf of the original signer. However, in the previous schemes, all the signed messages are expressed by the direct product quantum states merely, and the signature scheme for quantum messages which are in entangled states has not been discussed yet. Because the quantum message has large amount of information, an efficient modus of quantum operation can be applied in the signature scheme for quantum messages to improve both the efficiency and the security. With the rapid development of quantum information processing technology, quantum operation [13] plays an important role in many active fields such as quantum computation, quantum information, quantum error-correcting codes and quantum fault-tolerant computation [14–16]. The most spectacular discovery in quantum computing to date is that quantum computation can perform efficiently in some complicated tasks which are not feasible with a classical computation [17]. Quantum computation is also a strategy in which information is processed in a way that preserves quantum coherence [18]. The quantum Fourier transform (QFT) [17,19] which is a part of quantum computation, is a linear transformation on quantum bits and a quantum analogue of the discrete Fourier transform. QFT can be widely applied in many branches of science. For instance, in 2009, Huang et al. applied quantum Fourier transform to present a multiparty quantum secret sharing scheme [20], which is an (n, n)-threshold scheme [3]. Certainly, QFT can be generalized to the quantum signature scheme for quantum messages in entangled states, that is an undiscussed topic. A multiparty quantum proxy group signature scheme is proposed by developing the application of QFT in quantum information and communication for a contract that needs the cosigner of multi-participant. The message expected to be signed is a quantum message with a large amount of von Neumann entropy [17] in the

123

A multiparty quantum proxy group signature scheme

655

n-dimensional Hilbert space. The signing group contains n participants, and they cooperate to sign on the message by applying QFT with message owner’s authorization and restore the message by performing the inverse QFT with receiver’s authorization for the verification of signature. However, any n − 1 or fewer participants can neither sign on the message nor restore the signed message. Furthermore, all the operations can be performed in quantum circuits and operation gates are packaged in black boxes [17] to enhance the security. The quantum parallel algorithm [17] is applied in the verification phase to design a quantum comparison circuit for comparing the restored quantum message to the original quantum message. The rest of this paper is organized as follows. Section 2 proposes the multiparty quantum proxy group signature scheme. A security analysis is made in Sect. 3, and discussions are stated in Sect. 4. Finally, the conclusions are drawn in Sect. 5.

2 Multiparty quantum proxy group signature scheme Before presenting the multiparty quantum proxy group signature scheme, the algorithm of QFT is introduced, which servers as a crucial role in the signing phase. The classical (unitary) Fourier transform acts on a vector in C N (x0 , . . . , x N −1 ) and maps it to the vector (y0 , . . . , y N −1 ) according to the formula: N −1 1 x j e2πi jk/N . yk ≡ √ N j=0

(1)

The QFT is the classical discrete Fourier transform applied to the vector of amplitudes of a quantum state [17], and it is a linear operator which acts on any of the computational basis vectors |0, . . . , |N − 1. Suppose N = 2n when specializing it to the case of n qubits, we have the orthonormal basis consisting of the vectors |0, . . . , |2n − 1, and the QFT can be described by the following transformation, 2 −1 1 2πi jk/2n | j −→ √ e |k. 2n k=0 n

QFT

(2)

The essential advantage of quantum computation over classical computation is that the quantum mechanical principle of superposition of states allows all possible inputs to be processed at the same time [21]. Consequently, if the quantum register is in an n −1 arbitrary superposition of the basis vectors, i.e. 2j=0 x j | j, the QFT will rotate that 2n −1 state into another superposition of the basis vectors, i.e. k=0 yk |k, in which the output amplitudes yk are the classical discrete Fourier transform of the input amplitudes x j . Further more, QFT can be implemented with a quantum circuit which requires only (n 2 ) elementary quantum gates. Such a circuit can be easily derived if Eq. 2 is rewritten as a tensor product of the n qubits, i.e.,

123

656

J. Shi et al. QFT

| j1 j2 . . . jn −→

1 2n/2

(|0 + e2πi0. jn |1) ⊗ (|0 + e2πi0. jn−1 jn |1)

· · · ⊗ (|0 + e2πi0. j1 j2 ... jn |1),

(3)

here 0. jι jι+1 . . . jn = jι /2 + jι+1 /4 + · · · + jn /2n−ι+1 . In other words, the operation of QFT on n qubits can be factored into a tensor product of n single-qubit operations [19]. In fact, each of those single-qubit operations can be implemented efficiently by using an H (Hadamard) gate and R (controlled phase) gates [22] which are controlled by the next qubit. The first term requires an H gate, the next one requires an H gate and an R gate, and each following term requires an additional R gate. Subsequently, swap operations are utilized to reverse the order of qubits to derive the state described in Eq. 3. The multiparty quantum proxy group signature (MQPGS) can be defined as the combination of quantum proxy signature and quantum group signature for some special situations. For instance, an original signer cannot provide a signature for some reasons such as the line of duty and so on, and only the cooperation of all members in the proxy group can generate the proxy group signature on behalf of the original signer [12]. Especially, the MQPGS scheme can be applied to a contract that needs the cosigner of multi-participant to become effective. The security of MQPGS contains impossibility of forgery and impossibility of disavowal by the signatory and the receiver [23]. Then the scheme is introduced as the following three phases, i.e., the initial phase, the quantum proxy group signing phase, and the verification phase. The scheme involves four partners, the message owner Alice, the proxy signing group G, the arbitrator Trent and the receiver Bob. In the signing phase, the group G signs on Alice’s message with QFT. In the verification phase, Bob verifies the signature with Trent’s help.

2.1 Initial phase This phase involves two parts, the generation of operation gates and quantum circuits. Step 1. Generation of operation gates. n H gates and n(n − 1)/2 R gates are designed for the n participants {G 1 , G 2 , . . . , G k , . . . , G n } of the proxy signing group G. According to Ref. [24], the Hadamard gate is expressed as 1 1 1 , H=√ 2 1 −1

(4)

and the controlled phase gate is expressed as ⎡

1 ⎢0 Rk = ⎢ ⎣0 0

123

0 1 0 0

0 0 1 0

⎤ 0 ⎥ 0 ⎥ (k = 2, 3, . . . n). ⎦ 0 k 2πi/2 e

(5)


657

Fig. 1 The quantum circuit diagram for generating signature, restoring the signed message and verification. There are five parts I, II, III, IV and V. The qubit stream going from left to right including parts I, II and III denotes the process of generating signature and from right to left including parts III, II and IV denotes the process of restoring the signed message. ➀ and ➁ are swap gates which can not be enabled simultaneously. When generating signature, swap gate ➁ is enabled by Alice. When restoring the signed message, swap gate ➀ is enabled by Bob

R gates with different phases can be distinguished by the subscript k, and in the light of the requirement of QFT there are n − 1 R2 gates, n − 2 R3 gates · · · n − (k − 1)Rk gates · · · and one Rn gate. The description and principle of those generated gates which can be considered as keys for a signature are packaged in some secret black boxes [17] respectively, and the black boxes containing gates H, R2 , . . . Rk , . . . Rn can be numbered as (1), (2), . . . (k), . . . (n) serially. Only if there is a request for a signature, the operation gates can be distributed to the n participants of group G, and each of them owns completely different gates. The details about the distribution are described in the step 2 of Sect. 2.2. Step 2. Generation of the quantum circuit. The quantum circuit diagram for generating signature, restoring the signed message and verification is presented in Fig. 1, and the five parts I, II, III, IV and V are packaged in black boxes respectively.

2.2 Quantum proxy group signing phase In this quantum proxy group signature scheme, Alice prepares a quantum message which needs to be signed and authorizes the group G to generate her proxy signature. Trent arranges the order of group participants’ signing operations. But he doesn’t understand the details about the signing algorithm, and the participants of group G who don’t communicate with any other participants manage different quantum gates. n n Step 1. Alice creates a quantum message |ψ M p1 p2 ... pn . |ψ M p1 p2 ... pn can be considered as a quantum system of n-entangled-particle, whose computational basis states are {|0, |1} and those quantum states are specified by 2n amplitudes [17] i.e.,

123

658

J. Shi et al. n

n |ψ M p1 p2 ... pn

=

2

αi |m i1 m i2 . . . m in p1 p2 ... pn ,

(6)

i=1

2 n where αi is a complex number and i=1 |αi |2 = 1. m i1 m i2 . . . m in ∈ {0, 1} and they are continuous binary numbers satisfying (m i1 · 2n−1 + m i2 · 2n−2 · · · + m in · 20 ) + 1 = n m (i+1)1 · 2n−1 + m (i+1)2 · 2n−2 · · · + m (i+1)n · 20 . |ψ M p1 p2 ... pn is the superposition n of 2 possible states, and each possible state corresponding to an amplitude αi can be rewritten as a tensor product [27], i.e., αi |m i1 p1 ⊗ |m i2 p2 · · · ⊗ |m in pn . Subn sequently, Alice sends the quantum message |ψ M p1 p2 ... pn to her agent group G and n meanwhile shares the original message |ψ M p1 p2 ... pn with the arbitrator Trent secretly. She modulates the quantum circuit to be the mode of generating signature and grants group G the right to use the quantum circuit. Step 2. Trent chooses a random integer λ from {1, 2, . . . , n} and generates a random integer ϒ ∈ {1, 2, . . . , 2λ } with one-time pad method [25]. He prepares a quantum sequence |O T P and makes it shared by the message owner Alice and the legal receiver Bob according to the binary form of ϒ. For example, the number 469 is represented by a register in the state |1 ⊗ |1 ⊗ |1 ⊗ |0 ⊗ |1 ⊗ |0 ⊗ |1 ⊗ |1 ⊗ |1. Step 3. Trent separately informs each participant of group G which operation gates he or she should manage according to the random integer λ. If

λ = 1, G 1 manages all the H gates, corresponding to Table 1; λ = 1, G 1 manages all the Rλ gates, corresponding to Table 2.

Then the rest participants of G manage the remaining gates orderly and the corresponding relationship among them is described in Tables 1 or 2. Specifically, Trent transforms the box number of each operation gate to be a quantum state according to its binary form, for instance, No. (6) can be transformed to be the state |110. He sends those states with BB84 protocol [26] to the appropriate participants in accordance with Tables 1 or 2. For example, if the participant G n−λ+3 receives the state |10, he or she possesses all the No. (2) boxes and manages all the R2 gates. n Step 4. The participants of group G receives |ψ M p1 p2 ... pn collectively and start to sign on the quantum message. For simplifying the signing process, the situation of

Table 1 General corresponding relationship between group participants, operation gates and box numbers Participants

G1

G2

···

Gk

···

G n−1

Gn

Gates

H

R2

···

Rk

···

Rn−1

Rn

Box no.

(1)

(2)

···

(k)

···

(n − 1)

(n)

Table 2 Random corresponding relationship between group participants, operation gates and box numbers Participants

G1

G2

···

G n−λ+1

G n−λ+2

G n−λ+3

···

Gates

Rλ

Rλ+1

···

Rn

H

R2

···

Rλ−1

Box no.

(λ)

(λ + 1)

···

(n)

(1)

(2)

···

(λ − 1)

123

Gn


659

Fig. 2 Quantum circuit of generating signature for the quantum message in 3-entangled-particle system. The swap gate is at the end of the circuit

signing on the quantum message in the 3-entangled-particle system can be discussed firstly, and then it can be generalized to the n-entangled-particle system. – (i) According to Eq. 6, the quantum message in 3-entangled-particle system can be described as 3 x yz = α1 |000x yz + α2 |001x yz + α3 |010x yz + α4 |011x yz + α5 |100x yz |ψ M

+ α6 |101x yz + α7 |110x yz + α8 |111x yz ,

(7)

where the subscript x, y, z denote the three particles separately and |α1 |2 + |α2 |2 + |α3 |2 + |α4 |2 + |α5 |2 + |α6 |2 + |α7 |2 + |α8 |2 = 1. If the random integer λ = 2, the quantum circuit for generating signature is displayed in Fig. 2. There are three participants {G 1 , G 2 , G 3 } of signing group G, the participant G 1 manages two R2 gates, G 2 manages one R3 gate and G 3 manages three H gates. – (ii) Referring to Ref. [28], different operations can be acted on particles x, y and z. The first particle x is operated by the participant G 3 with H gate to derive the state 1 {α1 (|0 + |1)x |00 yz + α2 (|0 + |1)x |01 yz + α3 (|0 + |1)x |10 yz 21/2 + α4 (|0 + |1)x |11 yz + α5 (|0 − |1)x |00 yz + α6 (|0 − |1)x |01 yz + α7 (|0 − |1)x |10 yz + α8 (|0 − |1)x |11 yz }.

(8)

Next, the controlled phase gates R2 and R3 are applied to x by participants G 1 and G 2 successively. Here y and z are control particles of gates R2 and R3 separately, and x is the target particle [24]. At the end of this procedure, the obtained state is πi 1 4 |1 α |0 + e (|0 + |1) |00 + α |01 yz 1 x yz 2 x 21/2 πi 3πi + α3 |0 + e 2 |1 |10 yz + α4 |0 + e 4 |1 |11 yz x x 5πi πi + α5 (|0 − e |1)x |00 yz + α6 |0 − e 4 |1 |01 yz x 3πi 7πi + α7 |0 − e 2 |1 |10 yz + α8 |0 − e 4 |1 |11 yz . x

x

(9)

– (iii) When the similar procedure is performed on particles y and z continuously and swap operations are used to reverse the order of qubits, the final state can be expressed as follows, i.e., the signed message is

123

660

J. Shi et al. 3 | M x yz =

1 F α (|0 + |1)z (|0 + |1) y (|0 + |1)x 23/2 1 πi πi |0 + e 4 |1 + α2F (|0 + eπi |1)z |0 + e 2 |1 y x πi πi F |0 + e 2 |1 + α3 (|0 + |1)z |0 + e 2 |1 y x 3πi 3πi F πi |0 + e 4 |1 + α4 (|0 + e |1)z |0 + e 2 |1 y F + α5 (|0 + |1)z (|0 + |1) y (|0 − eπi |1)x

x

πi 5πi |0 − e 4 |1 + α6F (|0 + eπi |1)z |0 + e 2 |1 y x 3πi F πi + α7 (|0 + |1)z (|0 + e |1) y |0 − e 2 |1 x 3πi 7πi F πi 2 4 , (10) |0 − e |1 + α8 (|0 + e |1)z |0 + e |1 y

x

where α1F , α2F , . . . α8F denote the classical discrete Fourier transformation of the amplitudes α1 , α2 , . . . α8 respectively [21]. They are amplitudes for their corresponding possible states separately after QFT. – (iv) If the quantum message described in Eq. 6 is in the n-entangled-particle sysn tem, the details of gate arrangement for the group G signing on |ψ M p1 p2 ... pn n with QFT are presented in Table 3. The first particle of |ψ M p1 p2 ... pn is operated by participants G n−λ+2 , G n−λ+3 , G n−λ+4 , . . . G n−λ and G n−λ+1 with gates H, R2 , R3 , . . . Rn−1 and Rn separately. The remaining particles are all operated by different combinations of signing participants according to Table 3 continuously and swap operations are finally applied to reverse the order of qubits. That process is similar to the situation of signing on the quantum message in the 3-entangled-particle system. Consequently, the signed state of quantum message in the n-entangled-particle system can be expressed as follows, n

n p1 p2 ... pn | M

=

2 1

2n/2

αiF (|0 + e2πi0.m in |1) pn (|0 + e2πi0.m i(n−1) m in |1) pn−1

i=1

· · · ⊗ (|0 + e2πi0.m i1 m i2 ...m in |1) p1 ,

(11)

where αiF denotes the classical discrete Fourier transformation of the amplitude αi [21] and 0.m iι m i(ι+1) . . . m in = m iι /2 + m i(ι+1) /4 + · · · + m in /2n−ι+1 . The quantum circuit is presented as parts I, II and III in Fig. 1, and the operation gates are fitted in part II orderly in accordance with Table 3. n Step 5. The group G sends the signed quantum message | M p1 p2 ... pn to the receiver Bob. The quantum proxy group signing phase is ended.

123


661

n Table 3 Gate arrangement for the QFT on each particle of |ψ M p1 p2 ... pn

Particles of n |ψ M p1 p2 ... pn

Ordered gates of participants

Number of participants

p1

H [G n−λ+2 ], R2 [G n−λ+3 ], R3 [G n−λ+4 ], . . . Rn−1 [G n−λ ], Rn [G n−λ+1 ]

n

p2

n−1

. . .

H [G n−λ+2 ], R2 [G n−λ+3 ], R3 [G n−λ+4 ], . . . Rn−1 [G n−λ ] . . .

. . .

pn−1

H [G n−λ+2 ], R2 [G n−λ+3 ]

2

pn

H [G n−λ+2 ]

1

For example, ’H [G n−λ+2 ]’ denotes the H gate managed by the participant G n−λ+2

2.3 Verification phase A verification algorithm is developed here based on the inverse QFT such that the n receiver Bob utilizes the quantum circuit to restore the signed message | M p1 p2 ... pn

with Alice’s authorization and group G s assistance and verifies the legality and authenticity of the signature with the arbitrator Trent’s help. The arrangement of operation n gates for the inverse QFT on each particle of | M p1 p2 ... pn is presented in Table 4. n Step 1. When Bob receives the signed message | M p1 p2 ... pn , he informs Alice with confirmation qubits and they both send their shared quantum sequence |O T P to the arbitrator Trent. Step 2. Trent authenticates Bob’s identity by matching |O T P from Bob to Alice’s |O T P with BB84 protocol [26]. If Bob is verified as a legal user, Trent informs Alice to modulate the quantum circuit to the mode of restoring signed message and grant Bob the right to use the quantum circuit. The position of each operation gate equipped in the part II of Fig. 1 is the same as that of the signature generation mode, only inputs and outputs are reversed.

n Table 4 Gate arrangement for the inverse QFT on each particle of | M p1 p2 ... pn

Particles of n | M p1 p2 ... pn

Ordered gates of participants

Number of participants

p1

Rn [G n−λ+1 ], Rn−1 [G n−λ ], . . . R3 [G n−λ+4 ], R2 [G n−λ+3 ], H [G n−λ+2 ]

n

p2

Rn−1 [G n−λ ],…R3 [G n−λ+4 ], R2 [G n−λ+3 ], H [G n−λ+2 ] . ..

n−1 . ..

pn−1

R2 [G n−λ+3 ], H [G n−λ+2 ]

2

pn

H [G n−λ+2 ]

1

. ..

123

662

J. Shi et al.

n Step 3. Bob inputs | M p1 p2 ... pn into this quantum circuit from part II of Fig. 1. The n first particle of | M p1 p2 ... pn is operated by participants G n−λ+1 , G n−λ , . . . G n−λ+4 , G n−λ+3 and G n−λ+2 with gates Rn , Rn−1 , . . . R3 , R2 and H separately. The remaining particles are all operated by different combinations of signing participants according to Table 4 continuously and swap operations are finally applied to reverse the order of qubits. At last, the restored quantum message n p1 p2 ... pn

|R M ⎧ 2n ⎨ 1 −1 QFT = Un αiF (|0 + e2πi0.m in |1) pn ⎩ 2n/2 i=1

⊗(|0 + e2πi0.m i(n−1) m in |1) pn−1 ⊗ · · · (|0 + e2πi0.m i1 m i2 ...m in |1) p1

⎫ ⎬ ⎭

n

=

2

α i |m i1 m i2 . . . m in p1 p2 ... pn

(12)

i=1

is derived, and it is outputted from part IV of the quantum circuit and then inputted into the quantum verification circuit which is part V in Fig. 1 directly. At the moment, the message owner Alice prohibits the group G s and Bob’s rights of using the quantum circuit. n Step 4. The arbitrator Trent also inputs the original message |ψ M p1 p2 ... pn which is obtained secretly in step 3 of Sect. 2.2 into the quantum verification circuit at the same time. Then Bob starts to wait for the verification result from Trent. Step 5. We generalize the qubit string comparator introduced by Ref. [29] with quantum parallel algorithm [17] which makes the quantum computation on quantum mesn

n sage more effectively to compare |R M p1 p2 ... pn with |ψ M p1 p2 ... pn . The quantum circuit which is involved in the part V of Fig. 1 is presented in Fig. 3. In a measurement n > R n ; if O = 0 and of the outputs (O1 and O2 ), if O1 = 1 and O2 = 0 then ψ M 1 M n n n = R n . Taking O2 = 1 then ψ M < R M ; at last, if O1 = 0 and O2 = 0 then ψ M M 8 3 3 = αi |m i1 m i2 m i3 p1 p2 p3 and |R M the quantum strings |ψ M p1 p2 p3 = p1 p2 p3 i=1 8

i=1 αi |m i1 m i2 m i3 p1 p2 p3 in the 3-particle-entangled system for example, with 2 3 > R 3 probability α22 α1 + α32 (α1 2 + α2 2 ) · · · + α82 (α1 2 + α2 2 · · · + α7 2 ) for ψ M M 2 2 2 2

and hence |O1 O2 = |10; with probability α1 (α2 + α3 · · · + α8 ) + α22 (α3 2 + 3 < R 3 and hence |O O = |01; and with α4 2 · · · + α8 2 ) · · · + α72 α8 2 for ψ M 1 2 M 2 2 2 2 2 3 = R 3 and hence |O O = |00.

probability α1 α1 + α2 α2 · · · + α8 α8 2 for ψ M 1 2 M More generally analyzing, the states of outputs |O1 O2 for comparing two quantum strings in the n-entangled-particle system can be summarized as follows, ⎛ |O1 O2 = ⎝

n

2 i=2

αi2

i−1 k=1

⎞

⎛

n −1 2

2 αk ⎠ |10+ ⎝

i=1

2

⎛ n ⎞ 2 2 2 αk ⎠ |01+ ⎝ αi2 αi ⎠ |00.

k=i+1

i=1

n

αi2

⎞

(13)

123


663

n

n Fig. 3 The quantum circuit for comparing |R M p1 p2 ... pn to |ψ M p1 p2 ... pn in the black box. Each n

n particle of |R M and |ψ is inputed into this quantum circuit from left, and (2) is

p1 p2 ... pn M p1 p2 ... pn a processing unit of (1)

Step 6. The arbitrator Trent measures the outputs |O1 O2 with the operator M00 = |0000| to obtain the probability of state |00, i.e., n

P(|00) = O1 O2 |M00 |O1 O2 =

2

αi2 αi . 2

(14)

i=1

When α1 = α2 = α3 · · · = α2n = 2−n/2 and α 1 = α 2 = α 3 · · · = α 2n =

, m = m , . . . m 2−n/2 , P(|00) = 21n , and only if ∀αi = α i and m i1 = m i1 i2 in = i2 1

m in (i = 1, 2, . . . n), P(|00) ≥ 2n . The arbitrator Trent informs Alice and Bob the 2 n 2 2 αi αi ≥ 21n which is a signature is legal and credible if Trent detects that i=1 tolerable threshold [30], otherwise, he informs them that signature is invalid.

3 Security analysis At the very beginning, the security can be analyzed based on the von Neumann entropy. It is proved that the quantum message has abilities to resisting attacks itself in terms of calculating the von Neumann entropies of the original and the signed quantum message.

123

664

J. Shi et al.

In Eq. 6, the von Neumann entropy of the original quantum message is S(ρψ Mn ) = −tr (ρψ Mn log2 ρψ Mn ),

(15)

2 n 2 αi |m i1 m i2 . . . m in m in . . . m i2 m i1 | as it is presented in Ref. [17]. where ρψ Mn = i=1 By the Theorem 11.8 of Ref. [17], the entropy is at most log2 n in the n-dimensional Hilbert space, and only if the system is in the completely mixed state I /n, the entropy is equal to log2 n. For simply calculating the von Neumann entropy of the signed quantum message n | M p1 p2 ... pn , Eq. 11 can be rewritten as follows, n

n | M p1 p2 ... pn

=

2

αiF |φi1 ⊗ |φi2 · · · ⊗ |φik · · · ⊗ |φin ,

(16)

i=1

where |φik = √1 (|0+e2πi0. ji(n−k+1) ji(n−k+2) ... jin |1). Hence the von Neumann entropy 2 n for a possible state of | M p1 p2 ... pn can be derived from the definition of conditional entropy and Joint Entropy Theorem [17], i.e., S(i) = −

n

tr (ρφik log2 ρφik ) − tr αiF log2 αiF ,

(17)

k=1

where ρφik = 21 |00| + 21 e4πi0. ji(n−k+1) ji(n−k+2) ... jin |11|. Then the von Neumann entropy of the signed quantum message which is described in Eq. 11 can be expressed as n

S(ρ Mn ) =

2 i=1

n

S(i) = −

2 n

n

tr ρφik log2 ρφik −

i=1 k=1

2

tr αiF log2 αiF . (18)

i=1

In a word, the von Neumann entropy introduced in Eqs. 15 and 18 stands for the uncertainty degree of the original and the signed quantum message respectively. Moreover, the larger the von Neumann entropy, the higher the uncertainty degree. When α1 = α2 · · · = α2n = 2−n/2 , α1F = α2F · · · = α2Fn = 2−n/2 and ∀ρφik = 21 (k = 1, 2, . . . n; i = 1, 2, . . . 2n ), the maximum von Neumann entropy of the original quantum message is S ρψ Mn

max

= log2 n,

(19)

and the maximum von Neumann entropy of the signed quantum message is S ρ Mn

max

123

n

= n · 2n−1 + n · 2 2 −1 .

(20)


665

If n → ∞, S ρψ Mn → ∞, and S ρ Mn → ∞, so they are large enough to max max withstand attacks. It implies that even if an attacker obtains one or some parts of the quantum message, the original state can not be completely achieved. Then, we show that the proposed scheme can offer unconditional security according to the signature characteristics which demand that the signature should not be forged by the attacker or disavowed by the signatary and the receiver either. Moreover, resisting attacks in the channel also contributes to the security of our scheme. 3.1 Impossibility of forgery In the quantum proxy group signing phase, all the rights to use the quantum circuit are granted before generation of signature and prohibited at the end of restoring quantum message by Alice. Any illegal participant has no right to use the circuit to forge the signature. If some attackers attempt to counterfeit the proxy group signature of the signing group G for their own benefits, and even though they gain the right to use the quantum circuit by cheating, they have to fake the operation gates which must be used in the signing phase. There are two situations, an individual forgery and the n − 1 participants’ collective forgery. Then we analyzed them separately. 3.1.1 Individual forgery In the quantum group signing phase, the arbitrator Trent chooses a random integer λ ∈ {1, 2, . . . , n} to determine a distinct corresponding relationship between group participants and operation gates (n participants corresponded to n H gates and n(n −1)/2 R gates) to sign on a quantum message, thus there are n probabilities. Assume that there is an attacker Eve, who is likely to be a classical attacker or a dishonest participant. The two probable statuses are discussed as follows respectively. Classical attacker: If Eve is a classical attacker, and she expects to prepare an operation gate with cheating method. She forges an H gate and an R gate, i.e.,

1 h e1 h e2 , He = √ 2 h e3 h e4

⎡

re11 ⎢ re21 Re = ⎢ ⎣ re31 re41

re12 re22 re32 re42

re13 re23 re33 re43

⎤ re14 re24 ⎥ ⎥. re34 ⎦ re44

(21)

In Eq. 21, h e1 , h e2 , h e3 , h e4 ∈ {−1, 1}, and re11 , re12 , re13 , re14 , re21 , re22 , re23 , re24 , k re31 , re32 , re33 , re34 , re41 , re42 , re43 ∈ {0, 1}, re44 ∈ {e2πi/2 , k ∈ (2, 3, . . . n)}. Moreover, Eve doesn’t understand the operations in the quantum signing circuit, and she never know how many H and R gates are required for generation of signature in that way. Then the probability of a classical attacker’s correct forgery is 1 Pc = n

1 · n

1 2

!4 "

2 × · n(n − 1)

1 2

!15

1 · n−1

"# =

1 218

· n 3 (n

− 1)2

, (22)

123

666

J. Shi et al.

and hence the probability of detecting Eve is 1 − Pc = 1 −

1 218

· n 3 (n

− 1)2

> 0.9999995, (n ≥ 2).

(23)

Dishonest participant: If Eve is a dishonest participant of the signing group G, she may forge an H gate and an R gate with her professional knowledge about operation gates. It is unnecessary for her to conjecture h e1 , h e2 , h e3 , h e4 , re11 , re12 , re13 , re14 , re21 , re22 , re23 , re24 , re31 , re32 , re33 , re34 , re41 , re42 and re43 , therefore, the probability of a dishonest participant’s correct forgery is 2 1 2 1 1 · · = 3 Pd = , n n n(n − 1) n − 1 n (n − 1)2

(24)

and hence the probability of detecting Eve is 1 − Pd = 1 −

2 > 0.9814, (n ≥ 3). n 3 (n − 1)2

(25)

The discussions above show that no matter a classical attacker or a dishonest participant, they may hardly succeed in forging the quantum proxy group signature because of the high probability (expressed in Eqs. 23 and 25) of being detected when they fake the operation gates. Moreover, all the n participants of group G should take part in the signing phase. It means that the group signature can not be completed with only one person’s work. Therefor, the individual forgery is not a menace for the proposed scheme. 3.1.2 n − 1 participants’ collective forgery Suppose a dishonest participant G p of group G aims at finding out an operation gate of the participant G q and then forges the signature with n − 2 participants together. The probability of detecting a dishonest participant’s forgery has been discussed in Eq. 25. In that way, the probability of detecting n − 1 participants’ forgery is 1 − Pdn−1 = 1 −

2 n 3 (n − 1)2

n−1 ≥ 0.9996, (n ≥ 3).

(26)

Even though their forgery of the n − 1 operation gates is successful, and the quantum circuit structure presented in Fig. 1 is also obtained by them with improper means. The QFT applied in group signature demands that all the operation gates involved in quantum circuit are ordered as Table 3. Any participant may never know the order of operation gates which is necessary for the part II of Fig. 1, because the arrangement of operation gates and participants (described in Tables 1, 2 and 3) is determined by the random integer λ ∈ {1, 2, . . . , n} which is chosen by the message owner Alice secretly. Therefore, they have but to conjecture the order, and the probability % $ no choice n(n−1) !. of correct conjecture is 1/ 2

123


667

If the controlled-phase-gate commutation of QFT is taken into account, which is somewhat different from that of the cluster state [31,32]. Assume those dishonest participants are clever enough and they just commute an R gate with another R gate instead of an H gate (because the commutation between an R gate and an H gate makes the error rate much higher). Take the 3-entangled-particle system for example, if the gates R2 and R3 which are acted on the particle x and controlled by particles y and z separately in Fig. 2 are commuted with each other, the state described in Eq. 9 may be converted to another state, i.e., πi 1 2 |1 α |0 + e (|0 + |1) |00 + α |01 yz 1 x yz 2 x 21/2 πi 3πi + α3 |0 + e 4 |1 |10 yz + α4 |0 + e 4 |1 |11 yz x x πi πi + α5 (|0 − e |1)x |00 yz + α6 |0 − e 2 |1 |01 yz x πi 7πi + α7 |0 − e 4 |1 |10 yz + α8 |0 − e 4 |1 |11 yz . x

x

(27)

It is discovered that the lowest error rate for once commutation is 1/2 when we compare Eqs. 27–9, and the situation for the n-entangled-particle system is similar. Thus the probability of detecting n − 1 participant’s gate commutations is higher than n−1 . Therefore, it is very difficult for them to forge the quantum group signature 1− 21 through QFT. Furthermore, the QFT can not be executed favoringly for lack of the n-th participant. It means n − 1 participants may never sign on the quantum message, and generally speaking, the collective forgery of any n − 1 or fewer participants is almost impossible. In summary, by means of the analysis of individual forgery and n − 1 participants’ collective forgery, we can confirm that it is impossible for any one to forge the quantum proxy group signature.

3.2 Impossibility of disavowal by the signatary and the receiver This proposed proxy group signature scheme demands that all the n participants of the signing group G cooperate to sign on the message with their own operation gates, and different participants’ gates are distinct. Hence the signed quantum message introduced in Eq. 11 contains the signing information of every signatary, and any participant can not disavow the signature with mutual supervision. Moreover, the signed quantum n message | M p1 p2 ... pn is sent to the receiver Bob in the last part of the quantum proxy group signing phase, and Bob can act as a notary if there are signing participants repudiating that signature. In the verification phase, the receiver Bob and the arbitrator Trent collectively authenticate the proxy group signature with the quantum parallel algorithm, which is implemented by comparing the restored quantum message to the original quantum message with the quantum comparison circuit packaged in a black box. The result of this authentication, which is exported from the black box without anyone’s tampering,

123

668

J. Shi et al.

is measured by Trent. In that process, they have no chance to deny the signature if it is certified to be legal and authentic by Trent. Therefore, it is impossible for the signataries and the receiver to disavow the quantum group signature.

3.3 Resisting attacks in the channel In the quantum proxy group signing phase, each particle of the quantum message n |ψ M p1 p2 ... pn is operated by different combined participants with different ordered operation gates, and the state of δ-th particle controls gates R2 , R3 , . . . Rδ which are acted on previous δ − 1 particles in QFT. Suppose Eve can take the intercept-andresend attack in the channel, and she intercepts state |0 or |1 of the δ-th particle n of |ψ M p1 p2 ... pn during communications. Hence the error state appears on the δ-th particle, and it affects previous δ − 1 particles. Then the error rate for once interceptand-resend attack is pe =

1 n

1 2 δ n + + ··· + + ··· + n n n n

! =

1 1 + > 0.5. 2 2n

(28)

The pemin = 0.5 is a tolerable threshold which may be large enough for Eve to be detected. When the attack is more than once, the error rate will be higher. So the attacks in the channel can be resisted.

4 Discussions The computation complexity of the signing algorithm in the proposed scheme can be discussed. It is proved that the quantum signing algorithm based on QFT is more excellent than other traditional quantum signing algorithms, which can be described as following aspects. We denote the quantum signing algorithm based on QFT by ‘O’, and the traditional quantum signing algorithm by ‘T ’. The quantum message in entangled states (described in Eq. 6) contains 2n possible quantum states, each of which is a quantum sequence, and n qubits are included in each sequence. Then there are n · 2n qubits totally, and the computation complexity is (n · 2n ) when ‘T ’ is applied. However, in our presented signature scheme, the quantum proxy group signature for that quantum message can be generated by imposing QFT. Summing up the number of H gates and R gates which are displayed in Table 3 gives 1+2+· · ·+n = n(n +1)/2, and hence the computation complexity is (n 2 ). When comparing the computation complexity between ‘T ’ and ‘O’, we can discover that the computation complexity of ‘O’ is much smaller than that of ‘T ’. Therefore, the quantum signature scheme based on QFT is more efficient than the traditional quantum signature schemes. Moreover, this proposed scheme has some specialties in complexity of implementation, and the details are presented in Table 5. A distinct quantum proxy group signature can be generated for a different message since the large number of different cooperated combinations of signatory are determined by random integer λ.

123

A multiparty quantum proxy group signature scheme Table 5 The specialties of the proposed signature scheme

Complexity of implementation

669 Details

Number of operation gates

n(n + 1)/2

Computation complexity

(n 2 )

Number of signataries

n

Number of different cooperated combinations of signatory Number of different managements of operation gates in QFT circuits

n! n

In addition, it is worth mentioned that the verification phase involves a quantum parallel algorithm to verify the legality and authenticity of the quantum proxy group signature more efficiently. All the quantum circuits including the signing circuit, the restoring circuit and the comparison circuit are packaged in the black boxes for higher security. The quantum parallel algorithm improves the speed of quantum computation, and the operations of black box make attackers have no way to start. 5 Conclusions A multiparty quantum proxy group signature scheme for the quantum message in the n-dimensional Hilbert space is proposed based on the discrete quantum Fourier transform. The applied efficient QFT and quantum parallel algorithm can solve the problem of fast signing on the quantum message which is in entangled quantum states and needs the multiparty signature. Security analysis shows that this scheme can provide an available and legal quantum proxy group signature with unconditional security. Meanwhile the discussions introduce the specialties of our scheme and present the advantages over other traditional quantum signature schemes, for instance, the higher efficiency, larger amount of information and a distinct signature for a different message. Acknowledgments Many thanks to the reviewers and editors of QINP for their very constructive and valuable comments and suggestions for improving our paper. This work was supported by the National Fundamental Research Program (Grant Nos. 2006CB0L0106), the National Natural Science Foundation of China (Grant Nos. 60773013, 60902044) and BK21 (the Second stage, Korea).

References 1. William, S.: Cryptography and Network Security: Principles and Practice. pp. 67–70. 2nd edn. Prentice Hall, New Jersey (2003) 2. Mambo, M., Usuda, K., Okamoto, E.: Proxy signatures for delegating signing operation. In: Proceedings Third ACM Conference on Computer and Communications Security, pp. 48–57. New Delhi, India (1996) 3. Schneier, B.: Applied Cryptography: Protocols, Algorithms, and Source Code in C. pp. 79–80. 2nd edn. John Wiley and Sons, New York (1996) 4. Chaum, D., Heyst, E.V.: Group signatures, advances in cryptography-EUROCRYPT’91. Lect. Notes Comput. Sci. 547, 257–265 (1991)

123

670

J. Shi et al.

5. Zeng, G.H., Keitel, C.H.: Arbitrated quantum signature scheme. Phys. Rev. A. 65, 042312, 1–6 (2002) 6. Curty, M., Lutkenhaus, N.: Comment on “Arbitrated quantum-signature scheme”. Phys. Rev. A. 77, 046301, 1–4 (2008) 7. Zeng, G.H.: Reply to “Comment on ‘Arbitrated quantum-signature scheme”’. Phys. Rev. A. 78, 016301, 1–5 (2008) 8. Zeng, G.H., Lee, M.H., Guo, Y., He, G.Q.: Continuous variable quantum signature algorithm. Int. J. Quant. Inf. 5(4), 553–573 (2007) 9. Li, Q., Chan, W.H., Long, D.Y.: Arbitrated quantum signature scheme using Bell states. Phys. Rev. A. 79, 054307, 1–4 (2009) 10. Gottesman, D., Chuang, I.: Quantum digital signatures, arXiv:quant-ph/0105032v2, pp. 1–8 (2001) 11. Lee, H., Hong, C.H., Kim, H.: Arbitrated quantum signature scheme with message recovery. Phys. Lett. A. 32, 295–300 (2004) 12. Yang, Y.G.: Multi-proxy quantum group signature scheme with threshold shared verification. Chin. Phys. B. 17(2), 415–418 (2008) 13. Duan, R.Y., Ji, Z.F., Feng, Y., Ying, M.S.: Quantum operation, quantum Fourier transform and semidefinite programming. Phys. Lett. A. 323, 48–56 (2004) 14. Gottesman, D.: Fault-Tolerant Quantum Computation With Constant Error Rate, arXiv: quantph/9802007 15. Calderbank, A.R., Shor, P.W.: Good quantum error-correcting codes exist. Phys. Rev. A. 54, 1098– 1105 (1996) 16. Shor, P.W.: Scheme for reducing decoherence in quantum computer memory. Phys. Rev. A. 52, R2493CR2496 (1995) 17. Nielsen, M., Chuang, I.: Quantum Computation and Quantum Information. pp. 171–180. Cambridge University Press, Cambridge (2000) 18. Weinstein, Y.S., Pravia, M.A., Fortunato, E.M., Lloyd, S., Cory, D.G.: Implementation of the quantum Fourier transform. Phys. Rev. Lett. 86(9), 1889–1891 (2001) 19. Hales, L., Hallgren, S.: An improved quantum Fourier transform algorithm and applications. 41st Annual Symposium Foundations Comput. Sci. 12–14, 515–525 (2000) 20. Huang, D.Z., Chen, Z.G., Guo, Y.: Multiparty quantum secret sharing using quantum Fourier transform. Commun. Theor. Phys. 51(2), 221–226 (2009) 21. Nagy, M., Akl, S.G.: Technical Report No. 2006–507 Coping with Decoherence: Parallelizing the Quantum Fourier Transform, pp. 1–12 (2006) 22. Benenti, G., Casati, G., Strini, G.: Principles of quantum computation and information: Basic tools and special topics. pp. 251–279. World Scientific Publishing Co. Pte. Ltd, Singapore (2007) 23. Zou, X.F., Qiu, D.W.: Security analysis and improvements of arbitrated quantum signature schemes. Phys. Rev. A. 82, 042325, 1–10 (2010) 24. Karafyllidis, I.G.: Visualization of the quantum Fourier transform using a quantum computer simulator. Quant. Inf. Proc. 2(4), 271–288 (2003) 25. Croft, N.J., Olivier, M.S.: Using an approximated one-time pad to secure short messaging service (SMS). In: Southern African Telecommunication Networks and Applications Conference 2005 (SATNAC 2005) Proceedings, vol. 1, pp. 71–76. Champagne Castle, South Africa (2005) 26. Bennett, C.H., Brassard, G.: Quantum cryptography: public key distribution and coin tossing. In: Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, pp. 175–179. IEEE Press, New York, Bangalore (1984) 27. Griffiths, R.B., Niu, C.S.: Semiclassical Fourier transform for quantum computation. Phys. Rev. Lett. 76(17), 3228–3231 (1996) 28. Deng, F.G., Li, X.H., Li, C.Y., Zhou, P., Zhou, H.Y.: Multiparty quantum-state sharing of an arbitrary two-particle state with Einstein-Podolsky-Rosen pairs. Phys. Rev. A. 72, 044301, 1–4 (2005) 29. Oliveira, D.S., Ramos, R.V.: Quantum bit string comparator: circuits and applications. Quat. Comput. Comput. 7(1), 17–26 (2007) 30. Guo, Y., Zeng, G.H., Chen, Z.G.: Multiparty quantum secret sharing of quantum states with quantum registers. Chin. Phys. Lett. 24(4), 863–866 (2007) 31. Briegel, H.J., Raussendorf, R.: Persistent entanglement in arrays of interacting particles. Phys. Rev. Lett. 86(5), 910–913 (2001) 32. Nielsen, M.A.: Cluster-state quantum computation. Reports Maths. Phys. 57(1), 147–161 (2006)

123