Journal of Modern Physics, 2013, 4, 8388 doi:10.4236/jmp.2013.45B014 Published Online May 2013 (http://www.scirp.org/journal/jmp) An Arbitrated Quantum Signature Scheme Based on Chaotic Quantum Encryption Algorithm Ying Guo1, Jun Xie1, Jun Li2, Moon Ho Lee2 1School of Information Science and Engineering, Central South University, Changsha, China 2Department of Electronics and Information Engineering, Chonbuk National University, Jeonju, Korea Email: yingguo@csu.edu.cn, moonho@jbnu.ac.kr Received 2013 ABSTRACT An arbitrated quantum signature (AQS) scheme is demonstrated via the improved quantum chaotic encryption algo rithm with the quantum onetime pad based on chaotic operation string. In this scheme, the signatory signs the message and the receiver verifies the signature's validity with the aid of the arbitrator who plays a crucial role when a dispute arises. Analysis shows that the signature can neither be forged nor disavowed by the malicious attacker. Keywords: Component; Formatting; Style; Styling; Insert 1. Introduction Digital signature that enables to settle disputes about the authenticity of the message is an essential cryptographic primitive. It has been applied in secure electronic com merce, whose security depends much on the intractability of factoring large numbers or solving discrete logarithms. However, it would be broken via Shor's algorithm when a quantum computer would be available someday [1]. Consequently, quantum signature has been suggested to provide the authenticity and nonrepudiation of quantum states with unconditional security based on quantum me chanics [2,3]. There are usually two essential require ments in quantum signature, i.e., unforgeability and un deniability [4]. An arbitrated quantum signature (AQS) scheme [2] was proposed to sign the quantum message via quantum onetime pad [5] using the GreenbergerHorneZeilinger (GHZ) states with availability of the trusted arbitrator. The security depends on the secure keys shared among legal users. However, it could be repudiated by the dis honest receiver [6]. After that an improved AQS scheme was presented using Bell states instead of GHZ states while providing a higher efficiency in transmission and reducing the complexity of its implementation [7]. However, it was pointed out that the yielded signature could still be repudiated by the receiver as the original scheme did [6]. Although two AQS schemes were pro posed to solve this problem, the receiver would actively negate the signature since he may get the benefits from the denialofservice (DoS) attack strategy without being detected [8, 9]. Actually, in an AQS scheme the entrusted arbitrator plays an important role when a dispute arises among par ticipants. Since the arbitrator may not solve a dispute when Bob claims that the verification of the signature is not successful, the previous AQS schemes are not always valid due to the contradiction to the undeniable require ment of signatures [2,3,7]. Recently, it has been pointed out [13,14] that those AQS schemes [2,3,7] provide se curity only against a total break attack and there is an existential forgery attack that can validly modify the sig nature. In order to conquer this shortcoming, we desig nate an AQS scheme using an improved quantum chaotic encryption algorithm with classical communications that are assumed to be susceptible to eavesdropping but not to the injection or alteration of the message [1012]. The quantum chaotic encryption system has several interest ing characteristics, such as the sensitive dependence on initial conditions and system parameters, pseudo random property, nonperiodicity and topological transitivity, etc. These characteristics meet some secure requirements such as diffusion and mixing in quantum cryptosystem. The present scheme can not only avoid being disavowed by the receiver, but also can preserve all merits in the previous schemes. As far as we know, the chaosbased AQS scheme with diffusion quantum operations has not been reported. In this paper, we propose an AQS scheme via the improved quantum chaotic encryption algorithm. This paper is or ganized as follows. In section II, we designate a quantum chaotic encryption algorithm based on the quantum onetime pad depending on the chaotic operation string performed on quantum states. In section III, we develop Copyright © 2013 SciRes. JMP
Y. GUO ET AL. 84 an AQS scheme based on the improved quantum chaotic encryption algorithm. It involves three participants, in cluding the signatory, the receiver and the arbitrator, in three phases, i.e., initializing phase, signing phase and verifying phase. In section IV we analyze the security of the AQS scheme according to the requirements of the quantum signature. It is shown that the present scheme is secure due to the implementation of the quantum chaotic encryption algorithm. Finally, conclusions are drawn in section IV. 2. Quantum Chaotic Encryption Algorithm We let Pauli matrices , and denote PauliX, PauliZ and PauliY gates respectively. Let P be a quantum message described as 1n with PP P 01 1,,Pin , ii i. Subsequently, E denotes the conventional quantum onetime pad for a given string of length 2n, i.e., 1 ,, 2n 21 2 1, ii n uvi i EP P , (1) with where I denotes an iden tity operation. ,,,, uv xzy I Recall that for a given key of length 2n there is a chaotic encryption algorithm ex pressed in a recursive fashion 00,1 0,2 ,, n kk k 1, 1,,, iTi kCkir (2) where denotes the cryptogram string of length 2n that is used for the quantum encrypting algorithm in Equation(1), and T is a chaotic keydependent trans formation. In detail, we write ,0, for each a string of length 2n in the round, r k k C 2 1 ,, ii kk th n ii 0, , .ir The string consists of r rounds of identical trans formations applied in a sequence to the initial key . The chaotic transformation CT is defined as 0 k , 11,11,11, 11,1 ,, ,, ikikkiikik kk fkkt (3) where ,0,21 denotes a subkey that controls the round, each function i (,,) ii in tt t th i is obtained via discretiza tion of a conventional nonlinear map with mixing prop erty and robust chaos, 0,0,2,0 ,, iin i tk k 1, ,il and 1,, 2.kn k The decrypting structure undoes the transformations of the encrypting structure where r de crypting rounds are applied to the received vector r to recover 0. In each decrypting round, the inverse trans formation can be described as k 1,1, 111,11,11, 1 ,, ,. ikikkiik ik kkfk kt (4) We note that the aforementioned chaotic map f can be generated in a quadratic (logistic) chaotic map [20] given by 222 22 floor2/2,if 2 () 21, if 2 nn jj j jnn j yy y fy y 2n (5) with 222 ,1 floor2/ 2for nn jjjjj yyy yk ,1 ,1 . jk t jk k It can be implemented in two steps [21]. In the first step, the logistic map is scaled so that input and output values are in the interval [0, 22n]. The second step is discretization of the newly derived map. In addition, this map can also be generated in an ex ponential chaotic map 22 2 mod 2+1, if 2 () 0, if 2 j ynn j jn j ay fy y (6) with 2 mod 21, j yn j ya 2 where the number a is a gen erator of the multiplicative group of nonzero elements of the Galois field of order . 21 n In what follows, we consider an improved quantum chaotic encryption algorithm with a quantum onetime pad based on the chaotic string throughout this paper. Assume that the Hadamard gate can be defined as h 12 . xz According to the algorithm in Equa tion(1) for a given chaotic string of length 2n, we obtain the similar quantum chaotic encryption algorithm given by 21 2 1 () ii n . hi i EP P (7) It is obvious that one can not obtain the exact relation ship hxh due to the properties of Pauliopera tions [1]. This feature can be well suitable for a particular purpose of the generation of the quantum signature that can not be forged or disavowed by the attacker. 3. Prepare Arbitrated Quantum Signature Scheme with Chaotic Encryption As an AQS scheme, it should satisfy at least two con straints, i.e., one is that the signature should not be forged by the attacker and another is the impossibility of disavowal of the signatory and receiver. It usually in volves three participants, including the signatory Alice, the receiver Bob and the trusted arbitrator Charlie, in three signing phases, i.e., initializing phase, signing phase and verifying phase. In the previous AQS scheme [2,3], it has been stated that Bob can not disavow that he has obtained the signature. However, he can repudiate the integrality of the signature since he can reject the signature in verifying phase [6,8,9]. It means that Bob can admit receipt of the signature but deny its correctness. In order to conquer this shortcoming, we design an im proved AQS scheme based on the quantum chaotic en cryption algorithm with the prepared chaotic string using Copyright © 2013 SciRes. JMP
Y. GUO ET AL. 85 the shared key and subkey. Suppose that Alice wants to sign the quantum message 1n PP P and has at least three copies of P. In order to obtain a low error probability in verify ing phase, we can assume that n is large enough; other wise we can use m P instead of P, where m is a large enough integer. Then the proposed AQS scheme goes as follows. 3.1. Initializing Phase Step I1. Alice shares an initial secret key 0 of length 2n with Charlie through quantum key distribution (QKD) protocol [10,11]. Then she selects another private subkey a k 1,, a ttt 0 b r of length 2n kept by herself. Implement ing the chaotic encrypting algorithm in Equation (2), she achieves a string a of length 2n. Similarly, Bob gen erates another sequence using his initially secret key and subkey shared beforehand with Charlie. b tb Step I2. Charlie generates n Bell states 1 (, , n ) with 10011,1, ,, 2 iababi n where the subscripts a and b denote the photons that are transmitted to Alice and Bob via the authenticated quan tum channel [15,16]. 3.2. Signing Phase Step S1. Alice transforms the message P into the ran dom qubit string ' a t using the quantum one time pad algorithm expressed in Equation (7) with her subkey ta. For each resulting qubit, one obtains PEP '' ' 01 ii i P . Step S2. Alice performs a quantum chaotic encryption algorithm with the encrypted string and generates a the chaotic qubit string '.P a a SE Step S3. Alice combines each qubit ' i P with Bell state . i The combined system ' ii Pi can be rewritten as '' '' '' '' 1[ψ01ψ01 2 1010], iiii ii ii i (8) After implementing Bell state measurements on her photon pairs, she obtains () :1,, i aa Mi n where ()i a M denotes one of Bell states performed on the ith photon pair. Step S4. Alice transforms a into another random qubit string ' a ata EM using the quantum one time pad algorithm with her subkey . a t Step S5. Alice transmits '' ,, aa SPMS to Bob via the authenticated quantum channels. 3.3. Verifying Phase Step V1. Bob performs the quantum chaotic encryption algorithm on ' P and a S using his chaotic string b .Then he obtains ', b b TEPS a , which is sent to Charlie. Step V2. Charlie decrypts b T using the calculated string b with parameters and , and obtains 0 b kb t ' and a S. Similarly, he performs a quantum chaotic encryption algorithm on ' P using another string a with parameters and , and obtains 0 a ka t ',P a c SE which should be consistent with a S. After comparing two unknown states a S and c S [1719], he sets the verification parameter 1V if a SSc ; otherwise he sets V = 0. Step V3. Charlie performs another quantum chaotic encryption algorithm on ',a S and V using the chaotic string b , and achieves ',, b ca TEPSV . Then he sends c T back to Bob. Step V4. Bob decrypts c T using and obtains b ' P, a S and V. If 0V , then it shows that the sig nature has been obviously forged; otherwise Bob informs Alice to publish her subkey ta and goes on to the next verification. Step V6. Alice publishes the subkey ta by the secure public channel. Step V7. After Bob receives ta, he recovers Alice's en crypted qubit string a from ' a . After that he obtains ' b P on his photons after implementing some suitable unitary operation based on the yielded states a [1]. Then he makes a comparison between ' b P and ' . If ' b' P, he gives it up; otherwise he restores the initial message P from ' P with . He holds a t a S as Alice's signature for the message P. We note that in this AQS scheme it can achieve a function of the signature. Actually, in verifying phase Charlie can obtain a that depends on parameters 0 a and t a, and hence he can judge whether the equation a RRc holds or not. When it holds, the signed message has really come from Alice since others do not know and ta and hence generate the chaotic string 0 a k a [20,21]. After Charlie's verification, the message is transmto Bob, and hence he does not know the content itted Copyright © 2013 SciRes. JMP
Y. GUO ET AL. 86 of the message excepts for his judgment V that shows its authenticity. Actually, it provides a potential approach for Charlie to resolve a dispute between Alice and Bob. Otherwise it is an exact message authentication instead of a signature. For example, Bob says that Alice signed for the message ,P but Alice announces that she did not sign such a message (maybe she indeed signed another message P ). In this condition, Charlie requires Bob to provide ' P and a S, encrypts ' to obtain c S with the chaotic string a , andn verifies her the whet a S equals to c S oot. If the comparison result is pive, it impliet Alice is disavowing her signature. Otherwise, the signature is forged by Bob. In addition, this AQS scheme can be similarly exten r n rgery Attack osits tha ded on 4. Security Analysis eme based on an 4.1. Impossibility of Fo gnature the basis of the quantum chaotic encryption algorithm in terms of the GHZ triplet states or the singlequbit states without being entangled. As the aforementioned statements, it can also strengthen the security of the cor responding signature in a smallscale quantum computa tion network. So far we have proposed an AQS sch improved quantum chaotic encryption algorithm. In this section, what we are concerned is the security of this scheme. If an attacker Eve tries to forge Alice's sia S for her own sake, she should know the initially s secret key 0 a k and subkey a t. However, it is impossi ble due to unconditionalecurity of quantum key distribution (QKD) [10,11]. In addition, the usage of the chaotic encryption algorithm enhances the security of the present scheme [20,21]. In a worse case that 0 a k is ex posed to Eve, she can not succeed in forging t signa ture since she can not create the appropriate Bell state measurement hared the s he a related to the transformed mes sage ' . A, Bob would completely find the forgering the correlation of Bell states since the fur ther verification about the condition ctually y us '' b PP could not be hold without the correct measurt ement resula . Consequently, the forgery of Eve is impossible. If the malicious Bob attempts to counterfeit Alice's signature a S in verifying phase, he also has to know Alice's secret key 0 a k to generate a S. However, the information that he can achieve betrays nothing about 0 a k from a S due to the properties of the chaotic op ion strinerformed in quantum chaotic encryption algorithm [20,21]. Therefore, Bob can not forge Alice's signature. Furtherm eratg p ore, in the previous AQS schemes [13,14], the security is mostly ensured against the distillation of the secret key from the transmitted signature. Unfortunately, there are some security flaws due to the usage of quan tum onetime pad with Pauli operations x and z that have a relation zzx . Thereforthere is possible forgery attaes a dishonest user to modify the signature even without any knowledge of the secret key. Without loss of generality, we consider a case that the malicious Bob is an attacker. The goal of Bob's forgery attack is to change the message and signature e, a ck that enabl ,a PS to ,a S by performing operation withwledge of a k and a t and 1 n ii QU hence b out any kno0 , on, where i U denotes a singqubit uitary operatii.e., le n ,. aa QP SS In this attack, Bob does not c message but how to use the relation of the message and signature. It has been shown that the previous schemes may be cracked by this forgery attack because all operations performed for random rotation and encryption are only Pauli opera tions that commute or anticommute with each other. Namely, taking a message ,Q are about the content of the P, the signature is in form of ER P, where R and Enote a quantum random opeand a quantum onetime pad encryption, re spectively. If Bob implements a forgery attack by per forming an operation Q, then the resulting signature be comes de ration QER P. In the verifying phase, Charlie obtains †† REQ Therefore, Bob could select a suitable hat commutes with E and R since the en cryption is based on the usage of Pauli operations ER n P. operatio Q t and z that commute or anticommute with each oth [1]. Hever, in the present scheme, the signing process is based on the quantum chaotic encryption algorithm that depends on the chaotic operation string including opera tions er ow and h , instead of and . It is easy to prove that there is no nontrivial quantum operation Q that commutes with x and h . It implies that Bob can not implement this fery atk successfully, and his dis honest behaviors will be detected with high probability due to the composite chaotic character of the quantum chaotic encryption algorithm derived from a nonlinear system that makes the yielded qubit sequence in posses sion of a fantastic random [20, 21]. org tac 4.2. Impossibility of Disavowal Attack gnature for Suppose that Alice wants to disavow her si her own benefits. In this case, Charlie is required to make a judgment. Actually, Charlie can confirm that Alice has signed the message since Alice's initial secret key 0 a k and subkey a t are both involved in the chaotic stri a ng and hencin the signature e a S. Thus Alice can not y signing the message denPaddition, Alice may not publish her correct sub a t in the public board after Bob completes his comparn operations for the . In key iso Copyright © 2013 SciRes. JMP
Y. GUO ET AL. 87 verification. This gives Alice an opportunity to send any subkey ' a t that may not be equal to a t. However, Bob and Chae can only accept Alice's signature rli' a S that contains ' instead of a ta S that embraces ore over, the correct subkey has been shared borehand with Charlie. If Alice set' aa tt a t ef . M a t s , it can be completely detected by Charlie since he generate has toc S using the quantum chaotic encryption algorithm deent on subkey ' a t, which results in pend ca SS in verifying phase. Ieans that Alice has ob the correct subkey a t if she wants to transmit the message with her real signure. Someone may worry about that the at tacker may change the published subkey ta in verifying phase so that Bob can not recover the message t m at to send B P without a t. We note that the deployed classic channe assumed securely established, and the alteration of the subkey a t would not happen. In order to avoid disavowal l is of Bob, we would not let B be ob achieve the whole signature in verifying phase. Ac tually, Alice only sign the transformed message via the quantum chaotic encryption algorithm based on the chaotic operation string. To restore the initial message P, Bob has to require Alice to publish her subkey a t then recovers the measurement result and a from the re ceived string ' a . It implies that Bas no chance to repudiate the received signature. Moreover, Bob can not ob h disavow the receipt of ',a PS since he has trans mitted b T that containl secret key b s his initia0 and subkey to Charlie for the verification of the siture. For theurther verification, Charlie needs to decrypt a t f gna b T to recover ' P and a S with 0 b k and b t. Also, btains he o ' SEP a c . Ifca SS, then Bob's disavowal is In addition, Bob wou detected. ld not repudiate the integrality of the signature. We consider a case that Bob claims '' b PP even when '' b P since Charlie would not check whether ' a is corr rk on ect or not. However, this attack can not wo the present scheme due to the fact he has to recover the initial message P with a that is obtained from ' a in verifyinphase. ly, if Bob claims g Name '' b PP it means that he has not received the correct signature , a S. It shows that Bob can not repudiate the integrality of the signature. Actually, in order to avoid being disavowed by Bob, this scheme utilizes the secure classic channel for the trans mission of the subkey a t that is assumed not be sus 5. Conclusions We have investigated an AQS scheme ceptible to be altered by an attacker [16]. based on the cryption system in three phases, i.e., ning phase and verifying phase. The Sci (60902044, 61272495), the lents in University, China [1] M. Nielsen and I. Chuang, “Quantum computation and quantum infoUniversity Press, Cambridge, 20 .042312 quantum chaotic en initialing phase, sig signatory sign the message via the improved quantum chaotic encryption algorithm based on the chaotic opera tion string tied to the initial key and subkey shared with the arbitrator. The receiver verifies the signature with the aid of the arbitrator, who plays a crucial role when a pos sible dispute arises. The security is ensured by the em ployment of the quantum chaotic encryption system with the secret key and subkey being embedded in. Security analysis shows that the signature can not be forged by the attacker. In addition, neither the signatory nor the re ceiver can successfully disavow the signed message. 6. Acknowledgements This work was supported by the National Natural ence Foundation of China New Century Excellent Ta (NCET110510), and partly by the World Class Univer sity R322010000200140 NRF, MEST 2012002521 NRF, and Fundamental Research 20100020942 NRF, Korea. REFERENCES rmation,” Cambridge 00. [2] G. Zeng and C. H. Keitel, “Arbitrated QuantumSignature Scheme,” Physical Review A, Vol. 65, No. 4, 2002, 04231 2. doi:10.1103/PhysRevA.65 [3] G. H. Zeng, “Reply to ‘Comment on Arbitrated Quan tumSignature Scheme’,” Physical Review A, Vol. 78, No. 1, 2008, 016301. doi:10.1103/PhysRevA.78.016301 [4] D. Gottesman and I. Chuang, arXiv:quantph/0105031v2. [5] P. O. Boykin and V. Roychowdhur tion of Quantum Bits,” Physical Rey, “Optimal Encryp view A, Vol. 67, No. 4, 2003, 042317 . doi:10.1103/PhysRevA.67.042317 [6] G. Zou and D. Qiu, “Security Analysis and Improvements of Arbitrated Quantum Signature Schemes,” Physical Re view A, Vol. 82, No. 4, 2010, 042325. doi:10.1103/PhysRevA.82.042325 [7] Q. Li, W. H. Chan and D. Y. Long, “Arbitrated Quantum Signature Scheme Using Bell States,” Physica Vol. 79. No. 5, 2009, 054307. l Review A, doi:10.1103/PhysRevA.79.054307 [8] T. Hwang, Y. Luo and S. Chong, “Comment on ‘Security Analysis and Improvements of nature Schemes’,” Physical Revie Arbitrated Quantum Sig w A, Vol. 85, No.5, 2012, 056301. doi:10.1103/PhysRevA.85.056301 [9] Q. Y. Cai, “The ‘PingPang’ Protocol Can Be Attacked Copyright © 2013 SciRes. JMP
Y. GUO ET AL. Copyright © 2013 SciRes. JMP 88 without Eavesdropping,” Physical Review letters, Vol. 91, 2003, 109801. doi:10.1103/PhysRevLett.91.109801 [10] A. K. Ekert, “Quantum Cryptography Based on Bell，s Theorem,” Physical Review Letters, Vol. 67, No. 6, 1991, pp. 661663. doi:10.1103/PhysRevLett.67.661 [11] C. H. Bennett, “Quantum Cryptography Using Any Two Nonorthogonal,” Physical Review Letters, Vol. 68, 1992, pp. 31213124. doi:10.1103/PhysRevLett.68.3121 [12] S. K. Chong, Y. P. Luo and T. Hwang, “On ‘Arbitrated Quantum Signature of Classical Messages Against Col lective Amplitude Damping Noise’,” Optics Communica tions, Vol. 284, No. 3, 2011, pp. 893895. doi:10.1016/j.optcom.2010.09.080 [13] J. W. Choi, K. Y. Chang and D. Hong, “Security Problem on Arbitrated Quantum Signature Schem Review A, Vol. 84. No. 6, 2011, 062 es,” Ph 330. 84, 062330. ysical doi:10.1103/PhysRevA.84.062330. [14] F. Gao, S.J. Qin, F.Z. Guo and Q.Y. Wen, “Cryptana lysis of the Arbitrated Quantum Signature Protoco Physical Review A, Vol. 84, 2011, 02 ls,” 2344. doi:10.1103/PhysRevA.84.022344 [15] M. Curty, D. J. Santos, E. Pierez, and P. Gar ciaFernandez, “Qubit Authentication,” Physical Review A. Vol. 66. No. 2, 2002, 022301. doi:10.1103/PhysRevA.66.022301 Cirac and P. Zoller, [16] L.M. Duan, M. D. Lukin, J. I. “LongDistance Quantum Communication with Atomic Ensembles and Linear Optics,” Nature. Vol. 414, 2001, pp. 413418. doi:10.1038/35106500 [17] H. Buhrman, R. Cleve, J. Watrous and R. de Wolf, “Quantum Fingerprinting,”Physical Review Letters. Vol. 87, 2001, 167902. doi:10.1103/PhysRevLett.87.167902 [18] Q. Li, W. H. Chan and D. Y. Long, “Arbitrated Quantum 9.054307 Signatyre Scheme Using Bell States,” Physical Review A. Vol. 79, 2009, 054307. doi:10.1103/PhysRevA.7 of Mixed Quantum [19] S. Pang and S. Wu, “Comparison States,” Physical Review A, Vol. 84, 2011, 012336. doi:10.1103/PhysRevA.84.012336 [20] M. S. Baptista, “Cryptography With Chaos,”Physics Let ters A. Vol. 240. No. 12, 1998, pp. 5054. doi: 10.1016/S03759601(98)000863 [21] G. Jakimoski and L. Kocarev, “Circuits and SystemsⅠ: Fundamental Theory and Applications on,” IEEExplore. Vol. 48. No. 2, 2001, pp. 163169. doi:10.1109/81.904880
