Int J Theor Phys (2014) 53:277–288 DOI 10.1007/s10773-013-1808-8

Security Weaknesses in Arbitrated Quantum Signature Protocols

Feng Liu · Kejia Zhang · Tianqing Cao

Received: 31 May 2013 / Accepted: 28 August 2013 / Published online: 1 November 2013 © Springer Science+Business Media New York 2013

Abstract Arbitrated quantum signature (AQS) is a cryptographic scenario in which the sender (signer), Alice, generates the signature of a message and then a receiver (verifier), Bob, can verify the signature with the help of a trusted arbitrator, Trent. In this paper, we point out that there exist some security weaknesses in two AQS protocols. Our analysis shows that Alice can successfully disavow any of her signatures by a simple attack in the first protocol. Furthermore, we study the security weaknesses of the second protocol from the aspects of forgery and disavowal. Some potential improvements of this kind of protocol are given. We also design a new method to authenticate a signature or a message, which makes AQS protocols immune to Alice's disavowal attack and Bob's forgery attack effectively.

Keywords Quantum signature · Arbitrated quantum signature · Security analysis

F. Liu (✉) · K. Zhang · T. Cao
State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
e-mail: [email protected]

F. Liu
School of Mathematics and Statistics Science, Ludong University, Yantai 264025, China

1 Introduction

Digital signatures provide methods to achieve source authentication and data integrity for digital messages in a publicly verifiable way, meaning that at signing time a signer commits herself/himself to a concrete message. The security of all such classical digital signature protocols presently depends on the difficulty of some mathematical problems. However, classical digital signatures become increasingly vulnerable with more powerful quantum computation [1]. Gottesman and Chuang [2] presented a quantum signature protocol by applying the quantum scenario to classical digital signatures. It used quantum effects to provide unconditionally secure signatures, and it allowed a sender (Alice) to sign a message so that the signature could be validated by one or more different people. In this case, all would agree either that the message came from Alice or that it had been tampered with. However, the protocol can only sign classical messages.

Since the quantum nature makes quantum messages quite different from classical ones, signing quantum messages is more difficult [3–7]. In Refs. [8, 9], Barnum et al. pointed out that anyone who wants to securely authenticate a quantum message must perfectly encrypt it. This means that anyone else can learn nothing about the authenticated quantum message. Consequently, if a quantum signature protocol has the function of authentication, the receiver cannot learn anything about the content. However, in an application of signatures it is generally necessary for the receiver to learn something about the content of the signed message [7]. As a result, they drew the conclusion that signing a quantum message is impossible.

To escape this no-go theorem, Zeng and Keitel [3] proposed a pioneering arbitrated quantum signature (AQS) protocol, which can be used to sign both a classical message and a quantum one. This work gave an elementary model for signing a quantum message. In this protocol, Alice prepares more than one copy of the quantum message to be signed, so that at least one copy exists in the signed message in the form of plaintext. Not only can Bob learn the content of the signed quantum message, but he can also verify the signature with the help of Trent, which does not contradict Barnum et al.'s conclusion. Subsequently, many studies of AQS have been proposed. In 2009, Li et al. [5] found that Trent need not be entangled, and thus the Greenberger-Horne-Zeilinger (GHZ) states used in Ref. [3] can be replaced with Bell states; they presented a simplified AQS protocol with Bell states as the information carriers. In 2010, Zou et al. [6] further simplified this protocol by achieving AQS without entangled states.
Both of them still preserve the merits of Zeng and Keitel's protocol [3]. How to reuse the shared key between Trent and Alice or Bob in an AQS protocol is an important problem in practical applications. Recently, an efficient arbitrated quantum signature protocol [10] was proposed (for the sake of simplicity, we will call it the Li'13 protocol hereafter), in which Alice and Bob each share a long-term secret key with Trent and use the key together with a random number. The authors of the Li'13 protocol also gave a detailed theoretical analysis to show that the proposed protocol is efficient and provably secure. In addition, Li et al. [11] proposed an AQS protocol with message recovery in 2009 (the Li'09 protocol). It is based on GHZ states, and can sign messages in the form of both known and unknown quantum states, as Zeng and Keitel's AQS protocol [3] does.

Cryptanalysis is an important and interesting part of cryptography. In the study of quantum cryptography, quite a few effective attack methods have been proposed, such as dense-coding attacks [12, 13], denial-of-service (DoS) attacks [14, 15], correlation-extractability attacks [16–19], teleportation attacks [20], intercept-resend attacks [21], participant attacks [13, 22], and Trojan horse attacks [23]. Mastering more attack methods helps us design new protocols with higher security. Taking the protocols in Refs. [5, 6] as examples, Gao et al. [7] showed that Bob can perform existential forgeries of Alice's signature. More seriously, when the protocols are used to sign a classical message, Bob can achieve universal forgery of Alice's signature. Furthermore, Alice can successfully disavow the signature she signed for Bob. The security analysis methods given by Gao et al. [7] have since proved to be the basic ways of analysing AQS protocols.

In this paper, we analyze the security of the Li'13 protocol [10], and find that Alice can successfully disavow the signature she has signed for Bob. That is to say, the weakness pointed out in Ref. [7] still exists in the Li'13 protocol. Besides, we show that the weaknesses pointed out in [7, 24–26] also exist in the Li'09 protocol [11], and that the corresponding attack methods are applicable to it. Furthermore, some useful improvements to the existing AQS protocols are given.


2 Analysis of Li'13 Protocol

In Ref. [10], Li et al. proposed a new AQS protocol that reuses the shared key between Trent and Alice or Bob without entangled states. In this section, the Li'13 protocol is first described and then our security analysis is given.

2.1 Li'13 Protocol

The AQS protocol without entangled states [10] is as follows.

– Initializing phase:
(I1) $U_A$, $U_B$ and $U_T$ represent the $k$-bit identities of Alice, Bob, and Trent, respectively.
(I2) $P$ is the $n$-bit message string.
(I3) $H_l(\cdot): \{0,1\}^{2l} \to \{0,1\}^l$ and $H_m(\cdot,\cdot): \{0,1\}^l \times \{0,1\}^* \to \{0,1\}^m$ are two secure hash functions, where $m = l - k$.
(I4) $H$ is the Hadamard gate.
(I5) Alice and Bob each share a $2l$-bit key with Trent, i.e., $K_{AT}$ and $K_{BT}$ respectively.

– Signing phase:
(S1) Alice randomly chooses a number $r_A \in_R \{0,1\}^l$.
(S2) Using the key $K_{AT}$, Alice calculates
$$R_A = H_l(K_{AT}) \oplus r_A \oplus \big(H_m(r_A, P) \,\|\, U_A\big), \qquad (1)$$
where $\|$ is the symbol for concatenating two strings. Then Alice encodes $(r_A, R_A)$ and generates her signature
$$|S_A\rangle = \bigotimes_{i=1}^{l} H^{K_{AT}^{i}} |r_A^{i}\rangle \bigotimes_{j=1}^{l} H^{K_{AT}^{l+j}} |R_A^{j}\rangle, \qquad (2)$$
where $K_{AT}^{i}$ denotes the $i$th bit of $K_{AT}$, and $|R_A^{j}\rangle$ denotes the $j$th qubit of the ciphertext $|R_A\rangle$.
(S3) Alice sends the signature $|S_A\rangle$ and the message $P$ to Bob. In this way, anyone who obtains $|S_A\rangle$ and $P$ can carry out the verification process with the help of Trent. If Bob is a designated or authorized receiver, Bob's identity information $U_B$ should be included in the message $P$.

– Verifying phase:
(V1) After Bob receives the signature $|S_A\rangle$ and the message $P$, he chooses a random number $r_B \in_R \{0,1\}^l$.
(V2) Using the key $K_{BT}$, Bob calculates
$$R_B = H_l(K_{BT}) \oplus r_B \oplus \big(H_m(r_B, U_B) \,\|\, U_B\big). \qquad (3)$$
Then Bob encodes $(r_B, R_B)$ into a qubit string
$$|y_B\rangle = \bigotimes_{i=1}^{l} H^{K_{BT}^{i}} |r_B^{i}\rangle \bigotimes_{j=1}^{l} H^{K_{BT}^{l+j}} |R_B^{j}\rangle. \qquad (4)$$
Finally, Bob sends $|S_A\rangle$, $|y_B\rangle$, and $P$ to Trent.
(V3) Trent measures the received qubits $|S_A\rangle$ in a basis depending on the secret key $K_{AT}$:


if $K_{AT}^{i} = 0$, the qubit $|S_A\rangle_i$ is measured in the rectilinear basis $\{|0\rangle, |1\rangle\}$; if $K_{AT}^{i} = 1$, the qubit $|S_A\rangle_i$ is measured in the diagonal basis $\{|+\rangle, |-\rangle\}$. Once Trent obtains the measurement outcomes $(r_A, R_A)$, he can verify the authenticity of $P$ and the validity of $|S_A\rangle$ by making the following comparisons: if $H_m(r_A, P) \,\|\, U_A = H_l(K_{AT}) \oplus r_A \oplus R_A$, Trent believes the signature is genuine and sets the parameter $\mu_T = 1$; if $H_m(r_A, P) \,\|\, U_A \neq H_l(K_{AT}) \oplus r_A \oplus R_A$, Trent aborts the protocol.
(V4) Trent measures the received qubits $|y_B\rangle$ according to the secret key $K_{BT}$ and obtains the measurement result $(r_B, R_B)$. If $H_m(r_B, U_B) \,\|\, U_B \neq H_l(K_{BT}) \oplus r_B \oplus R_B$, Trent considers Bob dishonest and aborts further operations; if $H_m(r_B, U_B) \,\|\, U_B = H_l(K_{BT}) \oplus r_B \oplus R_B$, Trent randomly chooses a number $r_T \in_R \{0,1\}^l$ and calculates
$$R_T = H_l(K_{BT}) \oplus r_T \oplus \big(H_m(r_T, P \,\|\, \mu_T) \,\|\, U_T\big), \qquad (5)$$
$$|y_T\rangle = \bigotimes_{i=1}^{l} H^{K_{BT}^{i}} |r_T^{i}\rangle \bigotimes_{j=1}^{l} H^{K_{BT}^{l+j}} |R_T^{j}\rangle, \qquad (6)$$
and sends $|S_A\rangle$, $|y_T\rangle$ and $P$ to Bob.
(V5) Bob measures the qubits $|y_T\rangle$ using the secret key $K_{BT}$ and obtains $(r_T, R_T)$. If $H_m(r_T, P \,\|\, 1) \,\|\, U_T \neq H_l(K_{BT}) \oplus r_T \oplus R_T$, Bob considers Alice's signature fake and discards $P$ and $|S_A\rangle$; if $H_m(r_T, P \,\|\, 1) \,\|\, U_T = H_l(K_{BT}) \oplus r_T \oplus R_T$, Bob trusts Trent and accepts $|S_A\rangle$ as Alice's signature of the message $P$.

2.2 Cryptanalysis of the AQS Protocol

Generally, the security of an AQS protocol requires that the signature cannot be forged by an attacker (including Bob) and that Alice cannot disavow her signature. Therefore, the main goal of AQS security is to prevent dishonest participants from cheating. Using the methods in Ref. [7], we analyze how the Li'13 protocol achieves the functions of a digital signature and try to find its weaknesses.

2.2.1 Features of the Li'13 Protocol

In the above protocol, the preshared secret key $K_{AT}$ is used together with a random number $r_A$, so the receiver Bob will not obtain the same polarization qubits even if the same message is signed again. Moreover, the quantum no-cloning theorem and the indistinguishability of non-orthogonal quantum states make eavesdroppers unable to obtain significant information from random qubit strings. Therefore, even if the secret key $K_{AT}$ is used several times, the adversary Eve still cannot learn the secret key $K_{AT}$ or forge Alice's signature on a message favorable to her. On the other side, a signed message is bound to Bob (i.e., it uses Bob's identity $U_B$), which resists the attack [27] in which different receivers interchange their messages and the corresponding signatures arbitrarily. Furthermore, it is shown in Ref. [10] that the proposed AQS is insusceptible to Alice's disavowal attack: Trent can confirm whether Alice has signed the message, since information about Alice's secret key $K_{AT}$ is included in the signature $|S_A\rangle$. Now we analyze in detail how the protocol achieves this function.


To show this, we begin with the role of Trent. In the AQS protocol, Trent can check in step (V3) whether
$$H_m(r_A, P) \,\|\, U_A = H_l(K_{AT}) \oplus r_A \oplus R_A. \qquad (7)$$
When this equation holds, it implies that the signed message really comes from Alice, because nobody else knows $K_{AT}$. After the verifying phase, the quantum signature is transmitted to Bob and Trent no longer holds it. Furthermore, Bob does not know the content of the quantum signature because he cannot read it, owing to its quantum nature. Therefore, by sending his judgment $\mu_T$ to Bob, Trent can only tell Bob whether or not the signature just verified originated from Alice. That is to say, if $\mu_T = 1$, Trent confirms that Alice sent a certain quantum signature (to Bob), but its content is unknown to Bob.

Based on the above analysis, there must be a way for Bob to verify the integrity of the $|S_A\rangle$ received from Trent, though the protocol does not refer to it. Otherwise it is just a protocol for message encryption instead of a digital signature [7]. It is not difficult to imagine a situation in which a dispute appears, that is, Bob says that Alice signed a message $P$ for him but Alice announces that she did not sign such a message for Bob (maybe she indeed signed a message for Bob before, but it is not $P$). In this case, Trent requires Bob to provide the message $P$ and Alice's corresponding signature $|S_A\rangle$. Then Trent decrypts $|S_A\rangle$ with $K_{AT}$ and checks whether equation (7) holds, just as in step (V3). If the comparison result is positive, Trent concludes that $P$ is indeed Alice's signed message and that Alice is disavowing her signature. On the contrary, Trent believes the signature was forged by Bob if the result is negative. In this case, Alice has a chance to carry out her disavowal attack as follows.

2.2.2 A Weakness in the Li'13 Protocol

As we know, Alice's disavowal attack on AQS protocols was first proposed by Gao et al. [7]. It is a special participant attack. In contrast to outside opponents, dishonest participants have many advantages. First, they know part of the legitimate information. Second, they can lie during the eavesdropping check to avoid introducing errors. Therefore, it is a powerful attack and deserves more attention. In fact, it has become an important research topic [18, 28–32]. Now we give a detailed description of this special participant attack, Alice's disavowal attack, on the AQS protocol [10]. That is, Alice can successfully disavow any message she ever signed.

(1) Suppose Alice signs a message $P$ according to the steps of the protocol and retains one copy of $(K_{AT}, R_A, r_A)$ in step (S2). Then Alice sends $(|S_A\rangle, P)$ to Bob in step (S3).
(2) In step (V4), Alice intercepts $(|S_A\rangle, |y_T\rangle, P)$ and stores the qubits and the message, since she can access Trent's transmissions.
(3) Alice randomly selects a favorable message (e.g., a contract) $P^*$. Using the key $K_{AT}$, Alice calculates
$$R_A^* = H_l(K_{AT}) \oplus r_A \oplus \big(H_m(r_A, P^*) \,\|\, U_A\big). \qquad (8)$$
(4) Alice compares $R_A^*$ with her retained information $R_A$ bit by bit, i.e., $R_A^{*j}$ against $R_A^{j}$ for each $j$:
if $R_A^{*j} = R_A^{j}$, Alice performs the Pauli operation $I$ on $|S_A\rangle_{l+j}$, where $|S_A\rangle_{l+j} = H^{K_{AT}^{l+j}} |R_A^{j}\rangle$ and $I$ is the identity operator;
if $R_A^{*j} \neq R_A^{j}$, Alice performs the Pauli operation $X$ on $|S_A\rangle_{l+j}$ when $K_{AT}^{l+j} = 0$, and the Pauli operation $Z$ on $|S_A\rangle_{l+j}$ when $K_{AT}^{l+j} = 1$.
Then Alice generates her signature $|S_A^*\rangle$ on the message $P^*$, where
$$|S_A^*\rangle = \bigotimes_{i=1}^{l} H^{K_{AT}^{i}} |r_A^{i}\rangle \bigotimes_{j=1}^{l} H^{K_{AT}^{l+j}} |R_A^{*j}\rangle. \qquad (9)$$
(5) Alice resends $(|S_A^*\rangle, |y_T\rangle, P)$ to Bob in step (V4).

It is not difficult to see that $H^{K_{AT}^{l+j}}$ is the encryption of the quantum one-time pad (QOTP) [33], and $I$, $X$ or $Z$ is also an encryption with Pauli operations. Therefore, the combination of these two encryptions is still an encryption via one of the three Pauli operations $\{I, X, Z\}$. According to the equivalence relation $ZH = HX$, we have
$$|S_A^*\rangle_{l+j} = H^{K_{AT}^{l+j}} X |R_A^{j}\rangle \qquad (10)$$
when $R_A^{*j} \neq R_A^{j}$.

This attack is not difficult to understand. First, the original signed message $(|S_A\rangle, P)$ is really signed by Alice, so it passes Trent's verification ($\mu_T = 1$). Second, Alice only modifies $|S_A\rangle$, which is a ciphertext for Bob and is not used in Bob's verification in step (V5). Bob cannot verify the integrity of $|S_A\rangle$, and will accept this signature without noticing Alice's attack. Third, when Bob later requires Alice to fulfill this contract, Alice can disavow it by announcing that it is not the one she ever signed or that it was illegally modified by Bob. Trent requires Bob to provide $(|S_A^*\rangle, P)$. Obviously, the modified signature will not pass Trent's verification, and consequently Trent will agree with Alice, believing that the signature was forged by Bob. The reasons for the success of Alice's disavowal attack, and corresponding feasible improvements, are discussed in Sect. 3.2.2.
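The following simulation is an added example, not code from the paper, of the Li'13 equations (1), (2) and (7)–(10) and of the integrity gap just described: qubits are modelled classically as (basis, bit) pairs, which is exact here because every qubit the protocol uses is a basis state and $H^k$, $X$ and $Z$ map basis states to basis states; truncated SHA-256 stands in for $H_l$ and $H_m$, and the parameters $l = 32$, $k = 8$ and the sample messages are our choice.

```python
import hashlib
import secrets

L = 32            # l: bit length of r_A, R_A and of H_l(.)
K = 8             # k: bit length of the identities U_A, U_B, U_T
M = L - K         # m = l - k: output length of H_m(., .)
MASK_L = (1 << L) - 1

def h_l(k_at):
    """H_l: {0,1}^{2l} -> {0,1}^l, instantiated (our choice) as truncated SHA-256."""
    digest = hashlib.sha256(k_at.to_bytes(2 * L // 8, "big")).digest()
    return int.from_bytes(digest, "big") & MASK_L

def h_m(r, p):
    """H_m: {0,1}^l x {0,1}^* -> {0,1}^m, also truncated SHA-256."""
    digest = hashlib.sha256(r.to_bytes(L // 8, "big") + p).digest()
    return int.from_bytes(digest, "big") & ((1 << M) - 1)

def tag(r, p, u):
    """H_m(r, P) || U: m hash bits followed by the k-bit identity, l bits in all."""
    return (h_m(r, p) << K) | u

def sign(k_at, u_a, p, r_a=None):
    """Steps (S1)-(S2), eqs. (1)-(2). Returns r_A, R_A and |S_A> as a list of
    (basis, bit) qubits: qubit i carries r_A^i in the basis chosen by K_AT^i,
    qubit l+j carries R_A^j in the basis chosen by K_AT^{l+j}."""
    if r_a is None:
        r_a = secrets.randbits(L)
    big_r_a = h_l(k_at) ^ r_a ^ tag(r_a, p, u_a)
    qubits = [((k_at >> i) & 1, (r_a >> i) & 1) for i in range(L)]
    qubits += [((k_at >> (L + j)) & 1, (big_r_a >> j) & 1) for j in range(L)]
    return r_a, big_r_a, qubits

def measure(qubits, key_guess):
    """Measure each qubit in the basis selected by key_guess (Trent uses K_AT).
    A qubit measured in the wrong basis gives a uniformly random bit, which is
    why Bob, who lacks K_AT, learns nothing about the content of |S_A>."""
    r_a = big_r_a = 0
    for idx, (basis, value) in enumerate(qubits):
        out = value if basis == (key_guess >> idx) & 1 else secrets.randbits(1)
        if idx < L:
            r_a |= out << idx
        else:
            big_r_a |= out << (idx - L)
    return r_a, big_r_a

def trent_check(qubits, p, u_a, k_at):
    """Step (V3), eq. (7): H_m(r_A,P)||U_A == H_l(K_AT) xor r_A xor R_A."""
    r_a, big_r_a = measure(qubits, k_at)
    return tag(r_a, p, u_a) == h_l(k_at) ^ r_a ^ big_r_a

def pauli_x(q):
    """X flips a rectilinear basis state; on |+>,|-> it only adds a global phase."""
    basis, v = q
    return (basis, v ^ 1) if basis == 0 else q

def pauli_z(q):
    """Z flips a diagonal basis state; on |0>,|1> it only adds a global phase."""
    basis, v = q
    return (basis, v ^ 1) if basis == 1 else q

def repoint(qubits, k_at, u_a, r_a, big_r_a, p_star):
    """Sect. 2.2.2 steps (3)-(4): the holder of (K_AT, r_A, R_A) turns the R_A half
    of an issued |S_A> into the R_A^* of eq. (8) with one Pauli per qubit, X where
    K_AT^{l+j} = 0 and Z where K_AT^{l+j} = 1 (eq. 10)."""
    r_star = h_l(k_at) ^ r_a ^ tag(r_a, p_star, u_a)
    out = list(qubits)
    for j in range(L):
        if (r_star >> j) & 1 != (big_r_a >> j) & 1:
            q = out[L + j]
            out[L + j] = pauli_x(q) if q[0] == 0 else pauli_z(q)
    return out

def demo(k_at, u_a=0xA5, p=b"pay 100", p_star=b"pay 100000"):
    """Returns (genuine |S_A> verifies for P, re-pointed copy verifies for P,
    re-pointed copy verifies for P*). The middle value is what Trent sees when
    Bob, who had no way to check the integrity of |S_A>, brings it to a dispute."""
    r_a, big_r_a, s_a = sign(k_at, u_a, p)
    s_star = repoint(s_a, k_at, u_a, r_a, big_r_a, p_star)
    return (trent_check(s_a, p, u_a, k_at),
            trent_check(s_star, p, u_a, k_at),
            trent_check(s_star, p_star, u_a, k_at))

if __name__ == "__main__":
    print(demo(secrets.randbits(2 * L)))   # (True, False, True)
```

The third value shows why Trent sides with Alice: the modified string is a well-formed signature, just on a different message, and nothing in steps (V4)–(V5) lets Bob notice that the $|S_A\rangle$ he stores is no longer the one Trent verified.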

3 Analysis of Li'09 Protocol

In this section, we take the Li'09 protocol [11] as our example to show that it is susceptible to the main attacks existing in the present literature. Furthermore, we analyze the reasons why these attack strategies work on it, and try to find some methods to improve it.

3.1 Li'09 Protocol

The AQS protocol with GHZ states [11] is as follows.

– Initializing phase: Alice and Bob share their secret keys $K_{AT}$ and $K_{BT}$ with Trent, respectively, through a quantum key distribution protocol proven to be unconditionally secure. Trent creates and shares $N$ GHZ states $|\psi\rangle = (|\psi_1\rangle, |\psi_2\rangle, \ldots, |\psi_N\rangle)$ among Alice, Trent and Bob, such that $|\psi_i\rangle = \frac{1}{\sqrt{2}}(|000\rangle_{ATB} + |111\rangle_{ATB})$.

– Signing phase:
(S1) Alice obtains two copies of the message $|P\rangle = (|p_1\rangle, |p_2\rangle, \ldots, |p_N\rangle)$ to be signed, where $|p_i\rangle = \alpha_i|0\rangle + \beta_i|1\rangle$, $\alpha_i$ and $\beta_i$ are complex numbers with $|\alpha_i|^2 + |\beta_i|^2 = 1$, $1 \le i \le N$.


(S2) Using the key $K_{AT}$, Alice calculates
$$|R_A\rangle = U_{K_{AT}} |P\rangle = \bigotimes_{i=1}^{N} X^{K_{AT}^{i}} Z^{K_{AT}^{i+1}} |p_i\rangle, \qquad (11)$$
where $U_{K_{AT}} = (U_{K_{AT}^{1}}, U_{K_{AT}^{2}}, \ldots, U_{K_{AT}^{N}})$ is a unitary operator.
(S3) Alice combines each qubit in the second copy of $|P\rangle$ with the corresponding qubit in the GHZ states, obtaining the four-particle entangled states
$$\begin{aligned}|\phi_i\rangle = |p_i\rangle \otimes |\psi_i\rangle = \tfrac{1}{2}\big[ & |\psi_{12}^{+}\rangle_A (\alpha_i|00\rangle_{TB} + \beta_i|11\rangle_{TB}) + |\psi_{12}^{-}\rangle_A (\alpha_i|00\rangle_{TB} - \beta_i|11\rangle_{TB}) \\ + & |\phi_{12}^{+}\rangle_A (\beta_i|00\rangle_{TB} + \alpha_i|11\rangle_{TB}) + |\phi_{12}^{-}\rangle_A (\beta_i|00\rangle_{TB} - \alpha_i|11\rangle_{TB}) \big],\end{aligned} \qquad (12)$$
where $|\psi_{12}^{+}\rangle_A$, $|\psi_{12}^{-}\rangle_A$, $|\phi_{12}^{+}\rangle_A$ and $|\phi_{12}^{-}\rangle_A$ represent the four Bell states.
(S4) Alice applies a Bell measurement to each four-particle entangled state $|\phi_i\rangle$, obtaining the measurement result $|M_A\rangle = (|M_A^{1}\rangle, |M_A^{2}\rangle, \ldots, |M_A^{N}\rangle)$, where $|M_A^{i}\rangle$ is one of the four Bell states.
(S5) Alice encrypts $|M_A\rangle$ and $|R_A\rangle$ with $K_{AT}$, obtaining and transmitting the signature $|S\rangle = E_{K_{AT}}(|M_A\rangle, |R_A\rangle)$ to Bob. Here, $E_{K_{AT}}$ denotes QOTP encryption.

– Verifying phase:
(V1) Using the key $K_{BT}$, Bob calculates and sends the result $|Y\rangle = E_{K_{BT}}|S\rangle$ to Trent. Here $E_{K_{BT}}$ denotes QOTP encryption using the key $K_{BT}$.
(V2) Trent decrypts $|Y\rangle$ with $K_{BT}$ and gets $|S\rangle$. Then he decrypts $|S\rangle$ with $K_{AT}$ and gets $(|M_A\rangle, |R_A\rangle)$. Furthermore, he measures his GHZ particles in the rectilinear basis and gets $M_T = (M_T^{1}, M_T^{2}, \ldots, M_T^{N})$. Trent encrypts $M_A$ and $M_T$ with $K_{BT}$ and sends $|V\rangle = E_{K_{BT}}(|M_A\rangle, |M_T\rangle)$ to Bob.
(V3) Bob decrypts $|V\rangle$ with $K_{BT}$ and gains $(|M_A\rangle, |M_T\rangle)$. With appropriate Pauli transformations (according to equations (2) in [26]), Bob recovers the message $|P\rangle$. Then he calculates
$$|R_B\rangle = U_{K_{BT}} |P\rangle = \bigotimes_{i=1}^{N} X^{K_{BT}^{i}} Z^{K_{BT}^{i+1}} |p_i\rangle \qquad (13)$$
with $K_{BT}$ and sends the result $|F\rangle = E_{K_{BT}}|R_B\rangle$ to Trent.
(V4) Trent decrypts $|F\rangle$ with $K_{BT}$ and gains $|R_B\rangle$, and then recovers the message $|P\rangle = U_{K_{BT}}^{\dagger}|R_B\rangle$. Here $U_{K_{BT}}^{\dagger}$ is the Hermitian conjugate operation. Trent encrypts $|P\rangle$ with $K_{AT}$, obtaining
$$|R_A'\rangle = U_{K_{AT}} |P\rangle = \bigotimes_{i=1}^{N} X^{K_{AT}^{i}} Z^{K_{AT}^{i+1}} |p_i\rangle, \qquad (14)$$
and then verifies whether $|R_A\rangle = |R_A'\rangle$ by probabilistic comparison of quantum states [34]. If so, he sets $r = 0$; otherwise $r = 1$. Trent recovers $|P\rangle$ from $|R_A\rangle$ using $K_{AT}$ (note that the compared states can be recovered after the comparison if they are indeed equal [7]). Finally, Trent encrypts and sends the result $|G\rangle = E_{K_{BT}}(|S\rangle, |P\rangle, |r\rangle)$ to Bob.


(V5) Bob decrypts $|G\rangle$ with $K_{BT}$ and gets the parameter $r$. Bob accepts Alice's signature when $r = 0$; otherwise he rejects it.

3.2 Cryptanalysis of the AQS Protocol

In this section, we study the security weaknesses of the Li'09 protocol [11] and try to find some methods to improve it. Because the protocol [11] and some of the attack strategies are similar to those in Ref. [7], we describe them only briefly.

3.2.1 Bob's Forgery Attack

Can Bob successfully forge a signature without $K_{AT}$? Gao et al. [7] pointed out that Bob, as the receiver of Alice's signature, indeed possesses Alice's valid signature of a certain message. Therefore, he has the advantage of being able to perform a known-message attack [35]. According to the protocol, a valid signature of a quantum message $|P\rangle$ should be of the form
$$|S\rangle = E_{K_{AT}}\big(|M_A\rangle \otimes |R_A\rangle\big) = E_{K_{AT}}\big(|M_A\rangle \otimes U_{K_{AT}}|P\rangle\big) = E_{K_{AT}}|M_A\rangle \otimes E_{K_{AT}}U_{K_{AT}}|P\rangle. \qquad (15)$$
Because $E_{K_{AT}}|M_A\rangle$ makes no contribution to Trent's resolution of disputes, the key point is whether Bob can find a pair of qubit sequences $(|P^*\rangle, |S^*\rangle)$ satisfying the relation $|S^*\rangle = E_{K_{AT}}U_{K_{AT}}|P^*\rangle$. Bob does not know $K_{AT}$, so it seems that Bob cannot forge Alice's signature. But he has a valid signed message $(|S\rangle, |P\rangle)$, which implies he has a pair $(|\bar S\rangle, |P\rangle)$ satisfying $|\bar S\rangle = E_{K_{AT}}U_{K_{AT}}|P\rangle$. Suppose Bob performs one Pauli operation on each qubit in $|P\rangle$, obtaining $|P^*\rangle$, and the same operation on the corresponding qubit in $|\bar S\rangle$, obtaining $|S^*\rangle$; then the pair $(|P^*\rangle, |S^*\rangle)$ will be a valid signed message.

– The reason for the success of the forgery attack
(i) The protocol uses quantum one-time encryption based on Pauli operators [7, 24, 36]. While quantum encryption is used to hide quantum information securely, quantum signature protocols must provide additional functionality; for example, the signed quantum data must be tamper-proof.
(ii) Trent does not know the content of the signed message because it comes from Bob only [7]. Therefore, when a dispute appears, Trent can only require Bob to provide the signed message $(|P\rangle, |S\rangle)$, and judge who is cheating by verifying the relevant equations.

– Some feasible methods against the attack
Depending on whether the attack is launched before or after the verifying phase, two methods against Bob's forgery attack are presented.
(i) Alice prepares three copies of the message $|P\rangle$ in step (S1). Using the third copy, she calculates and sends $|P_{AT}\rangle = E_{K_{AT}}|P\rangle$ to Trent in step (S5). If Bob launches the attack before the verifying phase, Trent can detect Bob's illegal behavior. Concretely, after recovering the message $|P\rangle$ from $|F\rangle$ in step (V4), Trent decrypts $|P_{AT}\rangle$ with $K_{AT}$ and gains $|\hat P\rangle$. By probabilistic comparison of $|\hat P\rangle$ and $|P\rangle$, Trent can tell whether Bob's forgery attack has occurred. However, Trent needs to store a copy of the message for every signature, which brings much inconvenience to the realization of such a protocol.


(ii) Alice prepares four copies of the message $|P\rangle$ in step (S1). Let $h = H_l(K_{AT})$, where $H_l$ is a hash function. Split $h$ into $L$ substrings $h_1, h_2, \ldots, h_L$ of $\log_2(l)$ bits each [37]. Interpreting each $h_j$ as an integer $i_j$, Alice inserts the decoy states $(|0\rangle, |1\rangle, |+\rangle, |-\rangle, |0\rangle, \ldots)$ behind $|p_{i_j}\rangle$ of the fourth copy, in order, to form $|\hat P\rangle$. Then Alice makes $|\hat P\rangle$ a part of the signature in step (S5). Trent does not know the content of the signed message because it is a quantum one [7]. Fortunately, the signature has been improved to $(|\hat P\rangle, |S\rangle, r)$. With the shared key $K_{AT}$ and by measuring the decoy states, Trent can arbitrate a dispute between Alice and Bob quickly and effectively.

The second proposed method is important and interesting, because it ensures that the integrity of the message (a classical message or a quantum message) can be publicly verified with the help of Trent. Two examples show its important uses. First, an AQS protocol using the method will be free from a special case of the denial-of-service (DoS) attack mentioned in Refs. [14, 25]. Because Trent can verify the integrity of a signature, Bob cannot easily gain any benefit from this DoS attack. Consider that Trent obtains $|\hat P\rangle$ and measures the decoy states using $K_{AT}$. Then a dishonest Bob cannot find a way to modify the signature $(|\hat P\rangle, |S\rangle, r)$ and escape detection. Second, if the AQS protocol in Ref. [3] uses the method, it cannot be forged using Pauli operators as Choi et al. mentioned in [24]. The reason for the success is completely similar to the first situation.

3.2.2 Alice's Disavowal Attack

Alice often attempts to cheat in AQS protocols [7]. That is, Alice can successfully disavow any message she ever signed. Concretely, suppose Alice signs a message (e.g., a contract) $|P\rangle$ according to the steps of the protocol and sends $|S\rangle$ to Bob. When Trent sends $|G\rangle$ to Bob in step (V4), Alice modifies the states of the ciphertext corresponding to the first $N$ qubits in $|G\rangle$ (i.e., $|\hat G\rangle = E_{K_{BT}}(|\hat S\rangle, |P\rangle, r)$), so that the resulting states of these qubits are no longer a valid signature of $|P\rangle$. Note that Alice can find these qubits in the ciphertext and then disturb them while leaving the others unchanged, since the qubit numbers of $|M_A\rangle$, $|R_A\rangle$, $|P\rangle$ and $|r\rangle$ are fixed, and QOTP encryption is qubit by qubit. Most importantly, Bob cannot discover Alice's modification of $|M_A\rangle$ or $|R_A\rangle$ because he does not know $K_{AT}$. When Bob requires Alice to fulfill this contract at a later time, Alice can disavow it by announcing that it is not the one she ever signed or that it was illegally modified by Bob. Interestingly, Trent will stand on the side of Alice [7].

– The reason for the success of the disavowal attack
This attack is very simple to understand. First, Alice signs a message according to the steps of the protocol, so it passes Trent's verification. Second, Alice intercepts the signature when Trent sends it to Bob after verification. Alice can find these qubits in the ciphertext and disturb them while leaving the others unchanged, because the qubit numbers are fixed and QOTP encryption is qubit by qubit. Third, Alice only modifies the signature itself, which is a ciphertext for Bob and is not used in Bob's verification. So Bob will accept this signature without noticing Alice's attack. Finally [7], when a dispute appears, Bob can only provide the tampered signature to Trent and ask for his judgment. Obviously the modified signature will not pass Trent's verification, and consequently Trent will agree with Alice, believing that the signature was forged by Bob.

– A feasible method against the attack


When a dispute appears in the protocol, Bob and Trent carry out the verification interactively. To ensure the signature's integrity, we consider using the second improved method (proposed in Sect. 3.2.1) to counter the attack in the verifying phase. We describe it only briefly, as follows. Let $h = H_l(K_{BT})$ and split $h$ into $L$ substrings $h_1, h_2, \ldots, h_L$. Interpret each $h_j$ as an integer $i_j$, and let Trent insert the decoy states $(|0\rangle, |1\rangle, |+\rangle, |-\rangle, |0\rangle, \ldots)$ behind $|p_{i_j}\rangle$ of the first copy of the message, in order. The new message is denoted by $|\hat P\rangle$. Trent sends the improved signature $|\hat G\rangle = E_{K_{BT}}(|\hat P\rangle, |S\rangle, r)$ to Bob in step (V4). With the shared key $K_{BT}$ and by measuring the decoy states, Bob can detect Alice's disavowal attack in step (V5).

3.2.3 Alice's Completed Attack

In Ref. [26], Sun et al. showed that almost all AQS protocols are completely insecure if QOTP is used. Alice can obtain Bob's secret key and disavow all her signatures successfully. With Bob's secret key, Alice has the ability to change her signature into any useful message after she has sent the signature to Bob.

Alice's attack starts from step (S5). Alice prepares an ordered sequence of $N$ qubits $(|\hat M\rangle, |\hat R\rangle)$ from $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$ and records the result. Then she sends $|\hat S\rangle = (|\hat M\rangle, |\hat R\rangle)$ to Bob. As $(|\hat M\rangle, |\hat R\rangle)$ is known to nobody else, and non-orthogonal states cannot be reliably distinguished, Bob will not notice Alice's attack and accepts $|\hat S\rangle$ as the signed message. In the verifying phase (V1), Bob sends $|\hat Y\rangle = E_{K_{BT}}|\hat S\rangle$ to Trent for verification. Alice intercepts it, obtaining $(E_{K_{BT}}|\hat M\rangle, E_{K_{BT}}|\hat R\rangle)$. Then Alice can learn Bob's secret key $E_{K_{BT}}$ exactly by performing the corresponding $\{|0\rangle, |1\rangle\}$-basis or $\{|+\rangle, |-\rangle\}$-basis measurements on $(E_{K_{BT}}|\hat M\rangle, E_{K_{BT}}|\hat R\rangle)$ qubit by qubit. Alice then generates $|Y\rangle = E_{K_{BT}}|S\rangle$ using the key $K_{BT}$, and sends it to Trent. Obviously this intercept-resend attack will pass verification, and hence Alice can completely obtain Bob's secret key and change her signature to any useful message, as described explicitly above.

– The reason for the success of the completed attack
Bob cannot discover Alice's modification of $|S\rangle$ in step (V1), because he does not know $K_{AT}$, and non-orthogonal states cannot be reliably distinguished.

– A feasible method against the attack
In order to prevent the completed attack, Bob randomly inserts enough decoy particles into $|Y\rangle$ to form $|\hat Y\rangle$. Each decoy particle is randomly chosen from one of the four states $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$, where $|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ and $|-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$. Afterwards, Bob sends $|\hat Y\rangle$ to Trent via a quantum channel in step (V1). Because Bob and Trent carry out the verification interactively, they can publicly discuss the set of qubits used to detect eavesdropping. Of course, Bob can also use the second improved method (proposed in Sect. 3.2.1) to counter Alice's completed attack. That method reduces the number of interactive steps in the verifying phase.
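An added example, not code from the paper, of the decoy-insertion check proposed in Sect. 3.2.1 (ii) and reused with $K_{BT}$ in Sects. 3.2.2 and 3.2.3: SHA-256 stands in for $H_l$ (so $l = 256$, $\log_2 l = 8$ and $L = 32$ decoys), message qubits are opaque tokens since their states are arbitrary, decoys are (basis, value) pairs, and reducing each index $i_j$ modulo the message length $N$ is our assumption.

```python
import hashlib

L_HASH = 256                       # l: bit length of h = H_l(K); SHA-256 is our choice
CHUNK = L_HASH.bit_length() - 1    # log2(l) = 8 bits per substring h_j
NUM_DECOYS = L_HASH // CHUNK       # L = 32 decoy states
# |0>, |1>, |+>, |-> as (basis, value); basis 0 = rectilinear, 1 = diagonal
DECOY_CYCLE = [(0, 0), (0, 1), (1, 0), (1, 1)]

def decoy_positions(key, n):
    """Split h = H_l(K) into L substrings of log2(l) bits and read each as an
    index i_j. Reducing i_j mod n is our assumption: the paper does not say how
    an index beyond the message length N is handled."""
    h = int.from_bytes(hashlib.sha256(key).digest(), "big")
    idx = []
    for j in range(NUM_DECOYS):
        chunk = (h >> (L_HASH - CHUNK * (j + 1))) & ((1 << CHUNK) - 1)
        idx.append(chunk % n)
    return idx

def layout(key, n):
    """Slot sequence the key holder expects: ('msg', i) or ('decoy', j), with
    decoy j placed directly behind message qubit i_j (ties keep the order of j)."""
    behind = {i: [] for i in range(n)}
    for j, i in enumerate(decoy_positions(key, n)):
        behind[i].append(j)
    slots = []
    for i in range(n):
        slots.append(("msg", i))
        slots += [("decoy", j) for j in behind[i]]
    return slots

def insert_decoys(message, key):
    """Build |P^> from the message qubits (opaque, any state) and the decoys."""
    out = []
    for kind, x in layout(key, len(message)):
        out.append(message[x] if kind == "msg" else ("decoy",) + DECOY_CYCLE[x % 4])
    return out

def check_decoys(sequence, key, n):
    """The key holder recomputes the layout, measures every decoy in its own
    basis and compares with the expected value. Returns (intact, message qubits)."""
    slots = layout(key, n)
    if len(sequence) != len(slots):
        return False, []
    intact, message = True, []
    for q, (kind, x) in zip(sequence, slots):
        if kind == "msg":
            message.append(q)
        else:
            intact &= (q == ("decoy",) + DECOY_CYCLE[x % 4])   # disturbed if unequal
    return intact, message

def pauli_x(q):
    """X applied by someone without K: a message qubit is altered (modelled by
    tagging the opaque token); a decoy flips only if it is a rectilinear state."""
    if isinstance(q, str):
        return "X." + q
    _, basis, v = q
    return ("decoy", basis, v ^ 1) if basis == 0 else q

def pauli_z(q):
    """Z alters a message qubit and flips only a diagonal-basis decoy."""
    if isinstance(q, str):
        return "Z." + q
    _, basis, v = q
    return ("decoy", basis, v ^ 1) if basis == 1 else q

def demo(key=b"constructed shared key K_AT", n=16):
    """Returns (clean |P^> passes and the message is recovered unchanged,
    an all-X disturbance passes, an all-Z disturbance passes)."""
    message = [f"p{i}" for i in range(n)]          # constructed placeholder qubits
    seq = insert_decoys(message, key)
    ok_clean, recovered = check_decoys(seq, key, n)
    ok_x = check_decoys([pauli_x(q) for q in seq], key, n)[0]
    ok_z = check_decoys([pauli_z(q) for q in seq], key, n)[0]
    return ok_clean and recovered == message, ok_x, ok_z

if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

A disturbance confined to a single position is caught only if it lands on a decoy whose basis is sensitive to that Pauli, so the scheme relies on $L$ being large enough and on the positions staying secret, which is exactly what deriving them from the shared key provides.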

4 Conclusions

In this paper, we show that the Li'13 protocol and the Li'09 protocol have some security weaknesses. Due to the use of quantum one-time pad encryption in the Li'13 protocol, Alice can always successfully disavow her signatures by a simple attack. The disavowal attack strategy and security analysis are described in detail. Taking the Li'09 protocol as our example, we show how the main existing attack methods achieve their aims, and provide some simple methods to recover security against the corresponding attacks. More importantly, we design a new method to authenticate the signature or message (classical or quantum), which makes AQS protocols immune to Alice's disavowal attack and Bob's forgery attack effectively. As far as we know, Zou et al. [6], Gao et al. [7], Choi et al. [24], Hwang et al. [25], Sun et al. [26], Li et al. [27], and Zhang et al. [36] have done a lot of meaningful work to make AQS protocols more perfect. We hope these security weaknesses and improved methods are taken into account in future work on AQS protocols.

Acknowledgements This work is supported by NSFC (Grant Nos. 61272057, 61202434, 61170270, 61100203, 61003286, 61121061), NCET (Grant No. NCET-10-0260), Beijing Natural Science Foundation (Grant Nos. 4112040, 4122054), and the Fundamental Research Funds for the Central Universities (Grant Nos. 2012RC0612, 2011YB01).

References

1. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484 (1997)
2. Gottesman, D., Chuang, I.L.: Quantum digital signatures. e-Print arXiv:quant-ph/0105032
3. Zeng, G.H., Keitel, C.H.: Arbitrated quantum-signature scheme. Phys. Rev. A 65(4), 042312 (2002)
4. Zeng, G.H.: Reply to “Comment on ‘Arbitrated quantum-signature scheme’”. Phys. Rev. A 78(1), 016301 (2008)
5. Li, Q., Chan, W.H., Long, D.Y.: Arbitrated quantum signature scheme using Bell states. Phys. Rev. A 79(5), 054307 (2009)
6. Zou, X.F., Qiu, D.W.: Security analysis and improvements of arbitrated quantum signature schemes. Phys. Rev. A 82(4), 042325 (2010)
7. Gao, F., Qin, S.J., Guo, F.Z., et al.: Cryptanalysis of the arbitrated quantum signature protocols. Phys. Rev. A 84(2), 022344 (2011)
8. Barnum, H., Crépeau, C., Gottesman, D., et al.: Authentication of quantum messages. In: Proceedings of the 43rd Annual IEEE Symposium on the Foundations of Computer Science, p. 449. IEEE Computer Society Press, Washington (2002). e-Print arXiv:quant-ph/0205128
9. Barnum, H.: Quantum message authentication codes. e-Print arXiv:quant-ph/0103123
10. Li, Q., Li, C.Q., Long, D.Y., et al.: Efficient arbitrated quantum signature and its proof of security. Quantum Inf. Process. 12(7), 2427 (2013)
11. Li, Q., Du, R.G., Long, D.Y., et al.: Entanglement enhances the security of arbitrated quantum signature. Int. J. Quantum Inf. 7(5), 913 (2009)
12. Gao, F., Qin, S.J., Guo, F.Z., et al.: Dense-coding attack on three-party quantum key distribution protocols. IEEE J. Quantum Electron. 47(5), 630 (2011)
13. Qin, S.J., Gao, F., Wen, Q.Y., et al.: Improving the security of multiparty quantum secret sharing against an attack with a fake signal. Phys. Lett. A 357(2), 101 (2006)
14. Cai, Q.Y.: The “Ping-Pong” protocol can be attacked without eavesdropping. Phys. Rev. Lett. 91(10), 109801 (2003)
15. Gao, F., Guo, F.Z., Wen, Q.Y., et al.: Consistency of shared reference frames should be reexamined. Phys. Rev. A 77(1), 014302 (2008)
16. Gao, F., Wen, Q.Y., Zhu, F.C.: Comment on: “Quantum exam”. Phys. Lett. A 350(6), 174 (2006). Phys. Lett. A 360, 748 (2007)
17. Gao, F., Lin, S., Wen, Q.Y., et al.: A special eavesdropping on one-sender versus N-receiver QSDC protocol. Chin. Phys. Lett. 25(5), 1561 (2008)
18. Gao, F., Qin, S.J., Wen, Q.Y., et al.: Cryptanalysis of multiparty controlled quantum secure direct communication using Greenberger-Horne-Zeilinger state. Opt. Commun. 283(1), 192 (2010)
19. Huang, W., Zuo, H.J., Li, Y.B.: Cryptanalysis and improvement of a multi-user quantum communication network using χ-type entangled states. Int. J. Theor. Phys. 52(4), 1354–1361 (2013)
20. Gao, F., Wen, Q.Y., Zhu, F.C.: Teleportation attack on the QSDC protocol with a random basis and order. Chin. Phys. B 17(9), 3189 (2008)
21. Gao, F., Guo, F.Z., Wen, Q.Y., et al.: Comment on “Colloidal interactions and transport in nematic liquid crystals”. Phys. Rev. Lett. 101(2), 208901 (2008)
22. Gao, F., Qin, S.J., Wen, Q.Y., et al.: A simple participant attack on the Bradler-Dusek protocol. Quantum Inf. Comput. 7(4), 329 (2007)
23. Deng, F.G., Li, X.H., Zhou, H.Y., et al.: Improving the security of multiparty quantum secret sharing against Trojan horse attack. Phys. Rev. A 72(4), 044302 (2005)
24. Choi, J.W., Chang, K.Y., Hong, D.: Security problem on arbitrated quantum signature schemes. Phys. Rev. A 84(6), 062330 (2011)
25. Hwang, T., Luo, Y.P., Chong, S.K.: Comment on “Security analysis and improvements of arbitrated quantum signature schemes”. Phys. Rev. A 85(5), 056301 (2012)
26. Sun, Z.W., Du, R.G., Wang, B.H., et al.: Improvements on the security of arbitrated quantum signature protocols. e-Print arXiv:quant-ph/1107.2459v3
27. Li, Q., Li, C.Q., Wen, Z.H., et al.: On the security of arbitrated quantum signature schemes. e-Print arXiv:quant-ph/1205.3265v1
28. Qin, S.J., Gao, F., Wen, Q.Y., et al.: Cryptanalysis of the Hillery-Buzek-Berthiaume quantum secret sharing protocol. Phys. Rev. A 76(6), 062324 (2007)
29. Guo, F.Z., Qin, S.J., Gao, F., et al.: Participant attack on a kind of MQSS schemes based on entanglement swapping. Eur. Phys. J. D 56(3), 445 (2010)
30. Wang, T.Y., Wen, Q.Y., Zhu, F.C.: Cryptanalysis of multiparty quantum secret sharing with Bell states and Bell measurements. Opt. Commun. 284(6), 1711 (2011)
31. Wang, T.Y., Wen, Q.Y.: Security of a kind of quantum secret sharing with single photons. Quantum Inf. Comput. 11(5–6), 434 (2011)
32. Wang, T.Y., Li, Y.P.: Cryptanalysis of dynamic quantum secret sharing. Quantum Inf. Process. 12(5), 1991 (2013)
33. Leung, D.W.: Quantum Vernam cipher. Quantum Inf. Comput. 2(1), 14 (2002)
34. Buhrman, H., Cleve, R., Watrous, J., et al.: Quantum fingerprinting. Phys. Rev. Lett. 87(16), 167902 (2001)
35. Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptive chosen-message attack. SIAM J. Comput. 17(2), 281 (1988)
36. Zhang, K.J., Zhang, W.W., Li, D.: Improving the security of arbitrated quantum signature against the forgery attack. Quantum Inf. Process. 12(8), 2655 (2013)
37. Reyzin, L., Reyzin, N.: Better than BiBa: short one-time signatures with fast signing and verifying. e-Print archive http://eprint.iacr.org/2002/014