Measurement-Device-Independent Quantum Digital Signatures
Ittoop Vergheese Puthoor, Ryan Amiri, Petros Wallden, Marcos Curty, Erika Andersson

TL;DR
This paper introduces a measurement-device-independent quantum digital signature scheme that enhances security against detector side-channel attacks, leveraging principles from MDI-QKD for practical implementation.
Contribution
The paper proposes the first MDI-QDS protocol that is secure against all detector side-channel attacks, inspired by recent advances in MDI-QKD.
Findings
Protocol is theoretically secure against side-channel attacks.
Compatible with existing MDI-QKD experimental setups.
Potential for practical implementation in secure communications.
Table 1
| Bell state reported by Eve | | | | |
|---|---|---|---|---|
| Alice’s & Bob’s basis | | | | |
| basis | Bit flip | Bit flip | – | – |
| basis | Bit flip | – | Bit flip | – |

Table 2
| Detectors | | | | (min) |
|---|---|---|---|---|
| Standard single-photon detectors Ursin2007 | 14.5 | 6.02 | 5.58 | 93 |
| InGaAs avalanche photodiodes detectors (APD) Comandar2015 | 30 | 130 | 1.8 | 30 |
| InGaAs/InP APD Comandar2015b | 55 | 500 | 0.87 | 14.5 |
| Superconducting nanowire single-photon detectors (SNSPDs) Marsili2013 | 93 | 1 | 0.098 | 1.6 |

Table 3
| Detectors | | (min) |
|---|---|---|
| Standard single-photon detectors Ursin2007 | 10.5 | 175 |
| InGaAs APD Comandar2015 | 3.35 | 55.83 |
| InGaAs/InP APD Comandar2015b | 1.63 | 27.1 |
| SNSPDs Marsili2013 | 0.18 | 3 |
Measurement-Device-Independent Quantum Digital Signatures
Ittoop Vergheese Puthoor (1)
Ryan Amiri (1)
Petros Wallden (2)
Marcos Curty (3)
Erika Andersson (1)
(1) SUPA, Institute of Photonics and Quantum Sciences, Heriot-Watt University, Edinburgh EH14 4AS, United Kingdom
(2) LFCS, School of Informatics, University of Edinburgh, 10 Crichton Street, Edinburgh EH8 9AB, United Kingdom
(3) EI Telecomunicación, Department of Signal Theory and Communications, University of Vigo, Vigo E-36310, Spain
Abstract
Digital signatures play an important role in software distribution, modern communication and financial transactions, where it is important to detect forgery and tampering. Signatures are a cryptographic technique for validating the authenticity and integrity of messages, software, or digital documents. The security of currently used classical schemes relies on computational assumptions. Quantum digital signatures (QDS), on the other hand, provide information-theoretic security based on the laws of quantum physics. Recent work on QDS Amiri2015 ; Yin2015 shows that such schemes do not require trusted quantum channels and are unconditionally secure against general coherent attacks. However, in practical QDS, just as in quantum key distribution (QKD), the detectors can be subjected to side-channel attacks, which can make the actual implementations insecure. Motivated by the idea of measurement-device-independent quantum key distribution (MDI-QKD), we present a measurement-device-independent QDS (MDI-QDS) scheme, which is secure against all detector side-channel attacks. Based on the rapid development of practical MDI-QKD, our MDI-QDS protocol could also be experimentally implemented, since it requires a similar experimental setup.
I Introduction
Digital signatures are techniques for guaranteeing the authenticity and integrity of a message. They play a significant role for example in financial transactions, software distribution, and e-mail. Signature schemes allow a sender to exchange messages with many recipients, with the assurance that the messages cannot be forged or tampered with. In addition, signed messages are also transferable, and cannot be repudiated. Transferability means that a message, which is accepted by an honest recipient, will also be accepted by another recipient if the message is forwarded. Non-repudiation is related to transferability and means that a sender cannot successfully deny having sent a signed message.
Classical digital signature schemes rely on public-key encryption. The security of such protocols is based on the assumed computational difficulty of inverting certain cryptographic functions. For example, an algorithm that is widely used for generating digital signatures is the Rivest-Shamir-Adleman (RSA) Rivest1978 cryptosystem, which relies on the difficulty of factoring the product of two large prime numbers. However, if a quantum computer is built, this may threaten the security of such protocols. This is a main motivation for developing unconditionally secure signature schemes Swanson2011 ; Amiri2015a , including quantum digital signature (QDS) schemes Gottesman2001 ; Andersson2006 ; Clarke2012 ; Dunjko2014 ; Collins2014 . The latter are essentially quantum versions of Lamport’s one-time signature scheme Lamport1979 , and can offer information-theoretic security relying on the fundamental laws of quantum physics.
Previous QDS schemes Andersson2006 ; Clarke2012 ; Dunjko2014 ; Collins2014 improved on the seminal work in Gottesman2001 by removing the need for quantum memory. Wallden et al. Wallden2015 proposed more practical QDS schemes which could be realized using QKD Bennett1984 components. In these QDS schemes, Alice encodes her signatures in quantum states, and sends a copy of each state to both Bob and Charlie. Bob and Charlie are only able to gain partial information on the overall signature state, due to its quantum nature. Until recently, the security analysis of all QDS schemes assumed authenticated quantum channels. In Amiri2015 ; Yin2015 , all trust assumptions on the quantum channels are removed, which is a significant improvement compared to the previous schemes.
It is however more challenging to guarantee the security of practical implementations of QDS schemes. This is so because practical realisations do not typically conform to the requirements imposed by the theory, as real devices can behave differently from the models considered in the security proofs. As a result, any imperfection which is not accounted for might constitute a “side channel” which could be used by an adversary to render the QDS scheme insecure. Here, the most critical devices are arguably the single-photon detectors Qi2007 ; Lamas2007 ; Zhao2008 ; Xu2010 ; Lydersen2010 ; Weier2011 ; Gerhardt2011 ; Jouguet2013 . For example, an adversary can use detector loopholes to learn about a participant’s (say Bob’s) measurement results, and could then forge a message with Bob. In the context of QKD, detector side-channels can be successfully removed by means of measurement-device-independent QKD (MDI-QKD) Lo2012 . In this approach, Alice and Bob do not perform any measurement but only send quantum signals to be measured. Thus, the advantage of MDI-QKD is that the legitimate parties need not hold a measurement device and may treat the measurement apparatus as a “black box”, which may be fully controlled by Eve. This is important as it eliminates the requirement to certify the detectors in a QKD standardization process. Therefore, the bit strings generated by Alice and Bob are free from detector side-channel attacks as they do not employ any detector. Hence, this only requires Alice and Bob to characterize the quantum states which they send through the channel. This characterization should take place in a protected environment outside the influence of the adversary, which in principle is feasible. Since the invention of MDI-QKD, such schemes have been very actively studied both theoretically Tamaki2012 ; Ma2012 ; Xu2013 ; Curty2014 and experimentally Rubenok2013 ; Ferreira2013 ; Liu2013 ; Tang2014 ; Tang2014a ; Comandar2015 .
In this paper, we present a QDS protocol which eliminates all detector side-channel attacks by employing the concept of measurement-device-independence. This is desirable for actual practical use of QDS schemes. The main contribution of this work is to adapt the rigorous security proof of MDI-QKD given in Curty2014 , taking into account finite-size effects, to the QDS protocol proposed in Amiri2015 . The resulting security proof is valid against general forging and repudiation attacks. Long-distance implementation of MDI-QKD Rubenok2013 ; Ferreira2013 ; Liu2013 ; Tang2014 ; Tang2014a ; Comandar2015 has been recently achieved, and the experimental parameters allowing for MDI-QKD could equally well allow for implementation of our QDS protocol. Hence, we envisage not just a long-distance implementation of a QDS protocol, but an implementation that is secure against detector side-channel attacks.
II The protocol
We outline our protocol for three parties, with a sender, Alice, and two recipients Bob and Charlie. The set-up for MDI-QDS is illustrated in Fig. 1. We assume that between Alice and Bob, and between Alice and Charlie, there exist authenticated classical channels. There is no need for “direct” quantum channels between Alice and Bob, between Alice and Charlie, nor between Bob and Charlie. Each party has an untrusted and imperfect quantum channel with the relay (Eve). Bob and Charlie share an MDI-QKD link, which can be used to transmit classical messages in full secrecy. This is separately indicated in the figure, but could also be realised with Eve as relay. Any classical secret communication channel between Bob and Charlie would in fact suffice in place of this MDI-QKD link. We will describe the procedure for signing a one-bit message. For signing longer messages, the procedure can be suitably iterated, meaning that the signature length scales linearly with message length.
Alice, Bob and Charlie each use a laser source to generate quantum signals that are diagonal in the Fock basis. Sources producing such signals include attenuated laser diodes emitting phase-randomised weak coherent pulses (WCPs), triggered spontaneous parametric down-conversion sources and practical single-photon sources. The scheme makes use of a measurement-device-independent key generating protocol (MDI-KGP), performed in pairs separately by Alice-Bob and Alice-Charlie; see Section III for more details. The purpose of such an MDI-KGP scheme is to use the noisy untrusted quantum channels to generate two correlated bit strings, one for each participant in an MDI-KGP. The noise level is defined in terms of the relative Hamming distance between these strings. When the noise level is below a tolerated value, the relative Hamming distance between the respective strings of the participants is smaller than the relative Hamming distance between any string that an eavesdropper could produce, and the participant’s string.
The QDS scheme above is related to the one proposed in Amiri2015 , with a difference in the KGP. It comprises two stages: a distribution stage, where all quantum communication takes place, and a messaging stage, which can occur much later, and where only classical communication is used.
II.1 Distribution stage
(1) For each possible future message =0 or 1, Alice uses the MDI-KGP to generate four different correlated bit strings, , each one of length . The superscript denotes the participant with whom Alice performed the MDI-KGP, and the subscript represents the future message, which is to be decided later by her. Bob holds the strings and Charlie holds the strings . Because of the KGP, it will be guaranteed that contains fewer mismatches with than does any string produced by an eavesdropper, and similarly for the other pairs of strings. Alice’s signature for the future message will be . The fact that only Alice knows all signatures for a message protects the protocol against forging.
(2) For each future message, Bob and Charlie symmetrize their keys. This is done by each of them choosing at random half of the bit values in their keys () and sending these bit values (as well as the corresponding positions) to the other participant using their secret classical channel. This will ensure that Alice cannot make Bob and Charlie disagree on the validity of a signature, if a message is forwarded from Bob to Charlie or vice versa in the messaging stage. If Bob (or Charlie) chooses to forward an element of (or ) in the distribution stage to Charlie (or Bob), he will not, if he is honest, further use it to check the validity of a signature. Bob and Charlie will only use the bits they did not forward, and those received from the other participant. This is not strictly necessary, but simplifies the analysis of repudiation by a dishonest Alice in that from Alice’s point of view, the probabilities are equal for Bob and Charlie to check a particular key bit. We denote their symmetrized keys by and , with the superscript indicating whether the key is held by Bob or Charlie. Bob (and Charlie) keep a record of whether an element in () came directly from Alice or whether it was forwarded to him by Charlie (or Bob).
Each of the symmetrized strings held by Bob and Charlie now contains half of and half of . For each future possible message , Bob and Charlie each have a bit string of length . Alice has no information on whether it is Bob’s or Charlie’s that contains a particular element of the string , which is of length . This protects against repudiation. Bob has access to all of and half of . He does not know the other half of which Charlie chose to keep. This protects the protocol against forging by Bob (and similarly against forging by Charlie).
II.2 Messaging stage
(1) To send a signed one-bit message , Alice sends to the desired recipient (say Bob).
(2) Bob checks whether matches his , and records the number of mismatches he finds. He separately checks the part of his key received directly from Alice and the part of the key received from Charlie. If there are fewer than mismatches in both halves of the key, where is a small threshold determined by the observed experimental parameters (see Appendix D for more details) and the desired security level of the protocol, then Bob accepts the message.
(3) To forward the message to Charlie, Bob forwards the pair that he received from Alice.
(4) Charlie tests for mismatches in a similar way, but using a different threshold in order to protect against repudiation by Alice. He accepts the forwarded message if the number of mismatches in both halves of his key is below where is another threshold, with . An important and necessary feature of unconditionally secure signature schemes Swanson2011 ; Arrazola2015 is that the recipients have to use different thresholds or acceptance criteria for messages received directly from the sender and for forwarded messages.
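The distribution and messaging stages above can be exercised as a classical simulation; the following is an added example, not code from the paper or its authors, and it also compares the two-threshold setting with equal thresholds to show why the recipients' acceptance criteria must differ. It assumes a noisy-copy model in place of the MDI-KGP and a forger with no side information about unseen bits; the names `L`, `CHANNEL_ERR`, `S_A`, `S_V` and their values are illustrative assumptions, with the direct-message threshold taken to be the smaller of the two.

```python
import random

# Illustrative assumptions (not values from the paper):
L = 2000               # length of each KGP string
CHANNEL_ERR = 0.02     # mismatch rate between Alice's and a recipient's KGP strings
S_A, S_V = 0.05, 0.10  # thresholds: direct messages (Bob), forwarded messages (Charlie)


def kgp(rng, n=L, err=CHANNEL_ERR):
    """Classical stand-in for one MDI-KGP run: Alice's string and a noisy recipient copy."""
    alice = [rng.getrandbits(1) for _ in range(n)]
    recipient = [b ^ (rng.random() < err) for b in alice]
    return alice, recipient


def symmetrize(k_bob, k_charlie, rng):
    """Each recipient forwards a random half of his key (with positions) and keeps the rest."""
    n = len(k_bob)
    fwd_b = set(rng.sample(range(n), n // 2))  # positions Bob sends to Charlie
    fwd_c = set(rng.sample(range(n), n // 2))  # positions Charlie sends to Bob
    bob = {"direct": {i: k_bob[i] for i in range(n) if i not in fwd_b},
           "forwarded": {i: k_charlie[i] for i in fwd_c}}
    charlie = {"direct": {i: k_charlie[i] for i in range(n) if i not in fwd_c},
               "forwarded": {i: k_bob[i] for i in fwd_b}}
    return bob, charlie


def accepts(sym_key, declared_own, declared_other, threshold):
    """Accept only if BOTH halves have fewer than threshold * (half length) mismatches."""
    for part, declared in (("direct", declared_own), ("forwarded", declared_other)):
        half = sym_key[part]
        mismatches = sum(declared[i] != bit for i, bit in half.items())
        if mismatches >= threshold * len(half):
            return False
    return True


def sign_and_forward(rng, alice_flip_rate=0.0, s_a=S_A, s_v=S_V):
    """One run: distribution, Alice's declaration to Bob, Bob's forwarding to Charlie.

    alice_flip_rate > 0 models a dishonest Alice who corrupts her declaration,
    hoping that Bob accepts it and Charlie rejects it (repudiation).
    Returns (bob_accepts, charlie_accepts).
    """
    a_b, k_b = kgp(rng)
    a_c, k_c = kgp(rng)
    bob, charlie = symmetrize(k_b, k_c, rng)
    sig_b = [b ^ (rng.random() < alice_flip_rate) for b in a_b]
    sig_c = [b ^ (rng.random() < alice_flip_rate) for b in a_c]
    return (accepts(bob, sig_b, sig_c, s_a),
            accepts(charlie, sig_c, sig_b, s_v))


def bob_forges(rng, s_v=S_V):
    """Bob fabricates a declaration; he knows only the half of Charlie's key he was sent."""
    _, k_b = kgp(rng)
    _, k_c = kgp(rng)
    bob, charlie = symmetrize(k_b, k_c, rng)
    # Known positions are copied, the unseen half of Charlie's key is guessed at random.
    guess_c = [bob["forwarded"].get(i, rng.getrandbits(1)) for i in range(L)]
    return accepts(charlie, guess_c, k_b, s_v)


def repudiation_rate(flip_rate, s_a, s_v, trials=60, seed=1):
    """Fraction of runs in which Bob accepts and Charlie rejects the same declaration."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        bob_ok, charlie_ok = sign_and_forward(rng, flip_rate, s_a, s_v)
        hits += bob_ok and not charlie_ok
    return hits / trials


if __name__ == "__main__":
    rng = random.Random(7)
    print("honest run (Bob, Charlie):", sign_and_forward(rng))
    print("Bob's forgery accepted by Charlie:", bob_forges(rng))
    for flip in (0.031, 0.057, 0.083):
        print(f"flip={flip}: two thresholds -> {repudiation_rate(flip, S_A, S_V)}, "
              f"equal thresholds -> {repudiation_rate(flip, S_A, S_A)}")
```

Because symmetrisation spreads Alice's injected errors evenly over both recipients, the gap between the two thresholds is what keeps statistical fluctuations from splitting Bob's and Charlie's verdicts.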
III Measurement-device-independent key generation protocol
MDI-QKD protocols Lo2012 ; Curty2014 ; Xu2015a are schemes that remove all detector side-channel attacks. This is very important when we consider detector loopholes in conventional QKD implementations Qi2007 ; Jouguet2013 . Similarly, the key generation protocol, which is part of the QDS scheme we are describing, can be made measurement-device-independent. Essentially, Alice and Bob (or Alice and Charlie) only perform the quantum part of the MDI-QKD scheme to generate different raw keys (the and described above) with imperfectly correlated and not completely secret bit strings. That is, Alice and Bob do not perform error correction and privacy amplification. This is sufficient for quantum signatures, since it is the number of mismatches with the recipient’s key that matters for the signature protocol; perfectly correlated, perfectly secret strings are not necessary. The aim is to show that except with negligible probability, where is the Hamming distance between and , and is Eve’s attempt at guessing . It is also possible that the adversary Eve is Charlie (for the KGP performed between Alice and Bob, and for the KGP performed by Alice and Charlie, Eve could be Bob). The security of the signature protocol is proved in Sec. IV.
The underlying MDI-QKD protocol, upon which the KGP is built, is the decoy-state BB84 protocol using phase-randomized WCPs considered in Lo2012 . We follow the steps of the protocol in Curty2014 , using the basis for key generation, but do not proceed with error correction and privacy amplification.
The different steps of the MDI-KGP are as follows.
(1) State preparation: Alice and Bob repeat the first two steps of the protocol for until the conditions in the Sifting stage are met. For each , Alice chooses an intensity , a basis , and a random bit with probability . Here ( where ) is the intensity of the signal (decoy) states. Next, she generates a quantum signal (e.g, a phase-randomized WCP) of intensity prepared in the basis state of given by . Similarly, Bob does the same. Alice and Bob then send their states to Eve via the quantum channel.
(2) Measurement: If Eve is honest, she makes a Bell state measurement of the signals she has received. Whether Eve is honest or not, she informs Alice and Bob through a public channel of whether or not her measurement was successful. If successful, she declares the Bell state that is obtained.
(3) Sifting: If Eve reports a successful result, Alice and Bob communicate through an authenticated channel their intensity and basis settings. For each Bell state , we define two groups of sets: and . is a set that identifies signals where Eve declares a Bell state and Alice and Bob have selected the intensities and and the basis . Similarly, is a set that identifies signals where Eve declares a Bell state and Alice and Bob have selected the intensities and and the basis . The protocol is repeated until and footnote1 . After this, Bob flips part of his bits to correctly correlate them with those of Alice. This is shown in Table 1.
(4) Parameter Estimation: Alice and Bob use random bits from to form the code bit strings and , respectively. The remaining bits from are used to compute the error rate where and are Alice’s and Bob’s bits respectively. The bit string of length is used to estimate the correlation between Alice and Bob’s strings generated from the basis, after which they are discarded. If , then Alice and Bob abort the protocol. If , Alice and Bob use and to estimate and . The parameter is a lower bound for the number of bits in where Bob sent a vacuum state. is the part of which he chooses to keep with himself while he forwards the other remaining part, , to Charlie during the key symmetrization process. That is, . In a similar way, is a lower bound for the number of bits in where Alice and Bob sent a single-photon state. is an upper bound for the single-photon phase error rate. If , the code bit strings and are discarded, and the protocol is aborted only if .
We will assume that Eve implements her Bell state measurement using linear optics. The measurement setup is illustrated in Fig. 2; it is able to identify two of the four Bell states. Alice and Bob choose and as their respective secret keys and of length (where ), for which they obtained the smallest phase error rate . Here, we will consider a finite number of states that are sent and measured, where Eve is allowed to perform general coherent attacks.
Our strategy is to find Eve’s information in terms of the smooth min-entropy Tomamichel2011 , and then use it to bound the probability that she can make a signature declaration making fewer errors than a certain value. We begin by finding Eve’s smooth min-entropy on Bob’s bit string , by following the same strategy as in Amiri2015 . In spite of the fact that the KGP is built on MDI-QKD, the security analysis for the MDI-KGP does not follow directly from the security of the MDI-QKD protocol. One reason is that the goal of an adversary in the signature protocol is different from that of an eavesdropper in MDI-QKD. For the signature protocol, what matters is the number of mismatches with a recipient’s key; for QKD, what matters is the information an eavesdropper can hold about a key. These are related but not identical.
Previous work Amiri2015 followed Lim2014 to find Eve’s smooth min-entropy in a similar way as for decoy-state QKD. Another important difference from QKD is that in the signature protocol, Bob effectively gives the extra information to Eve (with respect to forging with Bob, Charlie can be “Eve”). In a similar way, let us denote the classical random variables and as the information gained by Eve from parameter estimation and basis declarations for all the pulses sent by Alice and Bob, respectively. Since Bob, if he is honest, does not use , this could be treated as the part of the string that is sacrificed for parameter estimation, as explained in Tomamichel2015 . We combine all of Eve’s information into one quantum system living in the Hilbert space . This comprises the space containing Eve’s ancilla quantum system following her general attack, , as well as the spaces containing the states encoding the strings and . Then, according to Curty2014 , Eve’s smooth min-entropy, which quantifies the average probability that she guesses within a certain threshold using the optimal strategy with access to , is given by
[TABLE]
where and is the state shared by Eve and the part of the key that Bob kept and did not forward. We are interested in a regime where the first two terms on the RHS of equation (1) are much larger than the term as and are typically of the order say . Therefore, we arrive at the following approximation of equation (1):
[TABLE]
Appendix A provides a brief analysis of the estimation of the parameters , , and , and Appendix B briefly describes the steps involved to obtain equation (1).
Note that equation (2) is similar to equation (1) obtained in Amiri2015 . The next task is to bound the number of errors that Eve is likely to make when guessing Bob’s key, given the bound on her smooth min-entropy. For this, we use Proposition in Amiri2015 and follow the same argumentation.
Proposition 1 (Amiri2015). If Bob and Eve share the state then, for any eavesdropping strategy, Eve’s average probability of making at most mistakes when guessing can be upper bounded as
[TABLE]
The proof of this proposition follows the lines introduced in Appendix B of Amiri2015 . For large , it can be shown from Markov’s inequality that equation (3) implies
[TABLE]
except with probability at most
[TABLE]
where is the lower bound on the count rate for the basis pulses containing photons. Therefore, we arrive at the condition that determines whether or not Eve is able to make fewer than errors with non-negligible probability, given as
[TABLE]
If the condition holds, then can be increased to make Eve’s probability of making fewer than errors arbitrarily small. We define by the equation
[TABLE]
The meaning of this is that is the minimum rate at which Eve can make errors for the code string associated with the Bell state (except with negligible probability ). Suppose the error rate on the basis measurements between Alice and Bob is upper bounded as . As long as , there exists a choice of parameters and a sufficiently large signature length which makes the protocol secure. This means that MDI-QDS is possible as long as
[TABLE]
IV Security analysis
We will now prove the security of the signature protocol, i.e. the robustness (probability of an honest run aborting), security against forging (probability that a recipient generates a signature, not originating from Alice, that is accepted as authentic) and repudiation (or transferability) (probability that Alice generates a signature that is accepted by Bob but then when forwarded, is rejected by Charlie). In what follows we assume that Alice-Bob and Alice-Charlie have each used the MDI-KGP to generate bit strings of length , to use in the QDS protocol described above.
(a) Robustness. Bob rejects a signed message if the bits received from either Alice or Charlie have a mismatch rate higher than with Alice’s signature. We note that Alice and Bob use a random sample, bits from , to obtain the error rate . This implies that the error rate between the strings ( and ) generated using the basis satisfies the inequality Serfling1974
[TABLE]
where
[TABLE]
This means that the upper bound which we obtain from equation (9) on the error rate between Alice’s and Bob’s strings is true except with a very small probability , and this probability can be fixed as small as desired. For any fixed value of the function , the failure probability decays exponentially fast in the parameter . Then we set , where and refer to the upper bound obtained in equation (9) for the cases Alice-Bob and Alice-Charlie, and we choose such that . We have that the probability that Bob will find an error rate higher than is bounded by
[TABLE]
where the factor of 2 accounts for the fact that the abort can be due to either the states received from Alice or the states received from Charlie.
(b) Security against repudiation. Successful repudiation by Alice means, in the three-party scenario, that she makes Bob accept a declaration that was sent to him by her, while Charlie rejects the same declaration when Bob forwards it to him (or similarly for a message forwarded from Charlie to Bob). Intuitively, security against repudiation follows because of the symmetrisation performed by Bob and Charlie using the secret classical channel. Even if Alice knows and can control the error rates between , and , , she cannot control whether the errors end up with Bob or Charlie. After symmetrisation the keys and will each have the same expected number of errors. To repudiate, one key must contain significantly more errors than the other. Using results from Amiri2015 , we obtain
[TABLE]
For a formal proof, please see Appendix C. Note that the probability of repudiation decays exponentially as the length of the signature increases.
(c) Security against forging. It is easier for either Bob or Charlie to forge than it is for any other external party. Therefore, we will consider forging by an internal party. In order to forge a message, Bob must give a declaration to Charlie that has fewer than mismatches with the (to Bob) unknown half of sent directly from Alice to Charlie, and also fewer than mismatches with the half he himself forwarded to Charlie. An adversarial Bob will obviously be able to meet the threshold on the part he forwarded to Charlie. We therefore consider only the unknown half that Charlie received directly from Alice. We have that the maximum rate at which Alice will make errors with Charlie’s key is given by . From Eq. (7), we also know the minimum rate at which Bob will make errors with the code string associated with the Bell state of Charlie’s key; we have denoted this by . Assuming (8) holds, we choose such that . In this case, Charlie will likely accept a legitimate signature sent by Alice, since the upper bound on their error rate, , is less than the threshold . On the other hand, Charlie will likely reject any dishonest signature declaration by Bob, since the probability of Bob finding a signature with an error rate smaller than is restricted by (4) as
[TABLE]
except with probability at most given by (5). If the estimation of the parameter fails, which can happen with probability , we will assume for simplicity that Bob is able to successfully forge with certainty. In a similar way as in Amiri2015 , we are then able to bound Bob’s probability of successfully forging as
[TABLE]
This equation is valid for any choice of parameters () greater than [math]. Thereby, Bob’s probability to forge can be made arbitrarily small by increasing . The addition of accounts for the probability that the upper bound on is incorrect and and are the error probabilities associated with the estimation of and respectively (see Appendix A).
V Comparison to MDI-QKD
According to Curty2014 , in MDI-QKD the length of the secret bit string associated to the Bell state is given by
[TABLE]
if the protocol is -secret, with and . Here is the failure probability of privacy amplification, and the term is the information that is revealed by Alice in the error correction step. The meaning of the remaining epsilons can be found in Curty2014 . The correctness of the protocol is guaranteed by the error correction step, and we say that the protocol is -correct if the probability that Alice’s and Bob’s bit strings are not identical is not greater than . In the asymptotic limit of very large data blocks, one can neglect certain terms that reduce the secret key length and thereby equation (15) can be rewritten as
[TABLE]
Here, increase the secret key rate, while and reduce it. These parameters depend on the sifted key length Curty2014 . , where is referred to as the leakage parameter, which depends on the value of , and denotes the binary Shannon entropy. is assumed to be 1.16 in Curty2014 but can generally be in the range 1.1 - 1.2, and when the parameter may be greater than 1.16. Therefore, for a sifted key length , equation (16) can be written as
[TABLE]
In a similar way as in Amiri2015 , when we compare equations (8) and (17), we find that there are Alice-Bob and Alice-Charlie quantum channels for which quantum signatures are possible and yet practical MDI-QKD is not, since the error threshold is less strict for the quantum channels used to perform the KGP in the signature protocol.
VI Discussion
In this section, we analyse the number of quantum transmissions necessary to sign a message with a security level of the order of and respectively. If the security level of the protocol is of the order of, say, , then this means that the probabilities of honest abort, forging and repudiation are all less than .
Using realistic experimental quantities, we estimate that a signature length of (for each of the possible single bit messages [math] and ) can be used to securely sign a single bit message, sent over a distance of 50 km. Essentially, it would require Bob or Charlie to transmit approximately quantum states (per bit to be signed) to Alice during their KGPs (for full details see Appendix D). With a source with a pulse rate of 1 GHz, we can calculate that it would take approximately 93 minutes to generate a raw key when the experiment uses standard single-photon detectors with detection efficiency () of 14.5%. This is for a security level of the order of . By using detectors with higher detection efficiency we can improve the time of generating a raw key () since sending a smaller number of signals () is then required to sign a single-bit message.
Table 2 shows the raw key generation times for various detectors that could be used in the protocol. We find that the most advanced superconducting nanowire single-photon detectors (SNSPDs) having efficiency Marsili2013 would only require Bob or Charlie to send signals to perform the protocol with a secure threshold of the order of . This would require just above a minute to generate the raw key. In order to improve the security threshold of the protocol (say ), Bob or Charlie would need to send a higher number of signals compared to the previous case. Table 3 shows the raw key generation times and the number of signals that are required to send for the protocol to be secure for a threshold of the order of .
The protocol is secure to the order of for a distance of 50 km, which in comparison is an improvement over the previous scheme Amiri2015 having with a security threshold of . The simulation results demonstrate that even with practical signals (for example, phase-randomised WCPs) and a finite size of data (say to signals) it is possible to perform secure MDI-QDS (with security threshold ) over long distances (up to about 150 km). Since the experimental platform for the implementation of MDI-QKD can also be used for MDI-QDS with slight modifications, in particular in the post-processing of measurement results, we expect MDI-QDS could be widely used in practical QDS systems in the near future.
VII Conclusion
In summary, we have presented an MDI-QDS protocol and proven it unconditionally secure against general attacks. It improves on previous quantum signature protocols by removing all detector side-channel attacks. This is essentially achieved by adapting the rigorous security proof of MDI-QKD given in Curty2014, taking into account finite size effects, to the QDS protocol proposed in Amiri2015, and we have shown that the resulting security proof is valid against general forging and repudiation attacks.
Acknowledgements.
The authors would like to thank Marco Lucamarini for discussions. This work was supported by the UK Engineering and Physical Sciences Research Council (EPSRC) under EP/M013472/1. R. A. acknowledges the support of the EPSRC CM-CDT. M.C. gratefully acknowledges support from the Galician Regional Government (program “Ayudas para proyectos de investigacion desarrollados por investigadores emergentes” EM2014/033, and consolidation of Research Units: AtlantTIC), the Spanish Ministry of Economy and Competitiveness (MINECO), the Fondo Europeo de Desarrollo Regional (FEDER) through grant TEC2014-54898-R.
Appendix A Estimation of relevant parameters
In this Appendix we briefly discuss the estimation of the parameter . This is a two-step process. First, we calculate a lower bound for the number of indices in where Bob sent a vacuum state. This lower bound is denoted . Second, we compute from using the Serfling inequality for random sampling without replacement Serfling1974. The other parameters, and , are also estimated using a similar approach. A detailed explanation is provided in the supplementary notes of Curty2014.
We assume that Alice and Bob use two decoy states each and the photon-number distribution of their signals is Poissonian. That is, , with , , with , and the probability that Alice (Bob) sends an -photon (-photon) signal when she (he) selects the intensity () is given by ().
Let denote the number of signals sent by Alice and Bob with and photons respectively, when they select the basis and Eve declares the Bell state . Now, for each combination of values and , the signal and decoy states provide a random sample of the population of all signals containing and photons respectively. Therefore, one can apply the standard large deviation theory technique, in particular a multiplicative form of the Chernoff bound Curty2014 . Then, if
[TABLE]
and
[TABLE]
with the parameter given by
[TABLE]
this implies that
[TABLE]
except with error probability . Here, refers to the conditional probability that Alice and Bob have selected the intensity settings and respectively, given that their signals contain and photons respectively, prepared in the basis. The parameter with and , and the function .
By using similar arguments, the quantity can be written as
[TABLE]
except with error probability , where . To obtain a lower bound for , one can minimise equation (20) given the linear constraints imposed by equation (19). This is solved both analytically and numerically in the supplementary notes of Curty2014. Then, using the Serfling inequality Serfling1974, we find
[TABLE]
except with error probability
[TABLE]
where corresponds to the total error probability in the estimation of and the function is defined as .
A similar approach is followed to estimate and with associated error probabilities and respectively. We obtain
[TABLE]
except with error probability
[TABLE]
where . Here, , except with error probability where the parameter . Finally, the parameter is given as
[TABLE]
except with error probability
[TABLE]
where the function is defined as . The quantity is a lower bound for the number of signals where Alice and Bob send a single-photon state prepared in the basis and where Eve declares the Bell state , is an upper bound for the total number of errors in these signals, and and represent, respectively, their associated error probabilities. For more details about how to calculate these parameters, please see Curty2014 .
We have, therefore, that the error probability associated with the estimation of the different parameters is given by , with given by equation (9).
Appendix B Eve’s smooth-min entropy
The goal of this Appendix is to derive equation (B). The analysis follows the procedure introduced in Curty2014. For this, let denote the smooth min-entropy which quantifies the average probability that the adversary guesses correctly using the optimal strategy with access to . Now the bits of can be distributed among three different strings, and . The first string contains bits where Bob sent a vacuum state, the second where Alice and Bob sent a single-photon state, and contains the rest of the bits. Using the chain rule for entropies Vitanov2013, we obtain
[TABLE]
where . Here, it is taken into consideration that , and . The final part arises as the vacuum states contain no information about their bit values, which are uniformly distributed. In order to get the lower bound for the term , it is considered that Alice and Bob prepare perfect BB84 states. Then, this quantity can be written in terms of the smooth max-entropy between them, which is directly bounded by the strength of the correlations Tomamichel2012 . From the entropy uncertainty relation Tomamichel2011 , we obtain
[TABLE]
Using the above equation in equation (27), we get
[TABLE]
We are interested in a regime where the first two terms on the RHS of equation (B) are much larger than the term, as and are typically of the order say . Therefore, if we neglect this term, we obtain equation (2) of the main paper,
[TABLE]
Appendix C Security against repudiation
We follow the approach in Wallden2015 . If Alice tries to repudiate a message, she sends a declaration which Bob will accept and Charlie will reject. For this to happen, Bob must accept both the elements that Alice sent directly to him, and the elements that Charlie forwarded to him. In order for Charlie to reject he needs only to reject either the elements he received from Alice, or the elements Bob forwarded to him (or both). Intuitively, security against repudiation follows because of the symmetrisation performed by Bob and Charlie using the secret classical channel. In the distribution stage, to send the future message , Alice uses the MDI-KGP with Bob and Charlie to generate strings of length . Suppose that Bob holds the string and Charlie holds the string . Now, for simplicity, we consider that Alice has full power and we assume that later on, in the messaging stage, she is able to fully control the number of mismatches her signature declaration contains with and . Let us denote the mismatch rates by and respectively. Then, the symmetrisation process means that Bob and Charlie will randomly (and unknown to Alice) receive elements of the other’s string. We aim to show that any choice of and leads to an exponentially decaying probability of repudiation. Then we have two cases as in Wallden2015 :
Case 1: First, let us assume that . In this case, Bob receives elements from the set , which contains exactly mismatches with Alice’s future declaration. In order to accept the message, Bob must get fewer than errors. Using Hoeffding1963 we can bound the probability that Bob gets fewer than mismatches as
[TABLE]
To repudiate, Alice must make Bob accept the message, which means that Bob must accept both the part received from Alice and the part received from Charlie. The probability of repudiation must therefore be less than or equal to the above expression, and so must also decrease exponentially.
Case 2: Suppose . In this case, if , the above argument shows that it is highly likely that Bob will reject the message, so we examine only the case where . Consider first the set . We can use the same arguments as above to bound the probability of selecting more than mismatches as
[TABLE]
Then, Alice succeeds if Charlie finds more than mismatches either from the set or the set . Using , we can see that, for the choice of , we have
[TABLE]
So again, the probability of Alice successfully repudiating decreases exponentially in the size of the signature, and Alice’s best strategy would be to pick , in which case
[TABLE]
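The repudiation argument above can be checked numerically. The following is an added example, not code from the paper: it computes the exact success probability of Alice's best choice of mismatch counts and compares it with a Hoeffding-type bound. Assumptions of this example: Bob and Charlie each forward a uniformly random half of their length-`L` string, Bob accepts a half with fewer than `a` mismatches, Charlie rejects a half with more than `v` mismatches, and the bound is written as `2*exp(-(s_v - s_a)^2 * L / 4)` in this example's own notation (all names are hypothetical).

```python
from math import comb, exp

def half_stats(L, m, a, v):
    """A string of length L with m mismatches against Alice's declaration is
    split uniformly at random into two halves; Bob checks one half, Charlie
    the other. Returns (P[Bob's half passes],
                        P[Bob's half passes and Charlie's half fails])."""
    h, total = L // 2, comb(L, L // 2)
    ok = ok_and_fail = 0.0
    for g in range(max(0, m - h), min(m, h) + 1):    # g mismatches in Bob's half
        p = comb(m, g) * comb(L - m, h - g) / total  # hypergeometric pmf
        if g < a:               # Bob accepts on fewer than a mismatches
            ok += p
            if m - g > v:       # Charlie rejects on more than v mismatches
                ok_and_fail += p
    return ok, ok_and_fail

def best_repudiation(L, a, v):
    """Exact success probability of Alice's best choice of mismatch counts
    (m_b with Bob's string, m_c with Charlie's); returns (p, m_b, m_c)."""
    stats = [half_stats(L, m, a, v) for m in range(L + 1)]
    best = (0.0, 0, 0)
    for m_b, (alpha, x) in enumerate(stats):      # Bob's own string
        for m_c, (beta, y) in enumerate(stats):   # Charlie's string
            # Bob passes both halves he checks; Charlie fails at least one.
            p = alpha * y + x * beta - x * y
            best = max(best, (p, m_b, m_c))
    return best

def hoeffding_bound(L, a, v):
    """Assumed bound 2*exp(-(s_v - s_a)^2 * L / 4), s_a = 2a/L, s_v = 2v/L."""
    return 2 * exp(-((v - a) ** 2) / L)

if __name__ == "__main__":
    for L in (40, 80, 120, 200):   # constructed sizes, far below real ones
        a, v = L // 20, 3 * L // 20   # per-half thresholds at rates 0.1, 0.3
        p, m_b, m_c = best_repudiation(L, a, v)
        print(f"L={L:3d} exact={p:.2e} at (m_b={m_b}, m_c={m_c}) "
              f"bound={hoeffding_bound(L, a, v):.2e}")
```

At these small sizes the Hoeffding-type bound is loose (above 1 for `L = 40`), but both it and the exact probability fall exponentially as `L` grows.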
Appendix D Calculation of the number of quantum transmissions required per signed bit
D.1 Parameters and constraints
Similar to Amiri2015 , the correctness and security of the protocol depends on the three equations (11), (12) and (14), which in turn depend on the choice of parameters and . The parameters are considered such that . We say that is the maximum of the worst-case error rates that Alice makes with Bob’s key (found from the Alice-Bob MDI-KGP), and the worst-case error rates Alice makes with Charlie’s key (found from the Alice-Charlie MDI-KGP). Similarly, is the minimum of the adversary’s error rates found from the Alice-Bob and Alice-Charlie MDI-KGP. We follow Amiri2015 to choose the parameters that minimise the number of quantum transmissions required per signed bit. This will be larger than the signature length, , due to factors such as channel loss, detection efficiency and parameter estimation procedures. Because of this, Bob will have to transmit more than quantum states to generate a signature of length .
In the next section, we will calculate the length of the signature and the number of quantum transmissions necessary to sign a message with a security level of . This means that the probabilities of honest abort, forging and repudiation, given respectively by (11), (14) and (12), are all less than . To find the length per possible one-bit message, of the signature necessary to securely sign a one-bit message, we must first choose the parameters and . That is, a signature sequence of length needs to be transmitted for the possible message “0”, and for the possible message “1”, so that the total signature sequence has length . Ideally, our choice would minimise . We choose to set and
[TABLE]
These may not be the optimal choices of these parameters. However, a natural choice would be to choose the parameters in order to equally partition the gap between and .
D.2 The number of quantum transmissions required per signed bit
In this section, we use experimental data provided by Ursin2007 to give an optimal estimate of the number of states Bob needs to transmit over a km quantum channel to securely sign a one-bit message. We set in all equations that follow. The experiment in Ursin2007 considers a free-space channel, whereas we assume a fibre-based channel with a loss coefficient of dB/km. Here, we consider standard single-photon detectors where the detection efficiency of the relay is and the background rate is . The overall misalignment in the channel is assumed to be and the bound is fixed to be . The other parameters involved are:
- Source: 1 GHz pulse rate
- Basis probabilities: , .
- Intensity levels: .
- Intensity probabilities: , .
We consider the total number of signals sent by Bob to be , and find the raw key to contain bit values from basis measurement outcomes. Assuming that of the detected signals are used for error rate estimation (), we obtain a signature length of . Of these, Bob will randomly choose to be , another will be used as .
For the given intensity levels and intensity choice probabilities, we observe an error rate in the basis given by . This error rate arises from the channel misalignment together with the dark-count rate of the detectors. We can then use Eq. (9) to upper bound the true error rate as .
We use Appendix A to estimate the relevant parameters by setting all as , and thereby we can calculate the min-entropy. Finally, setting , we get
[TABLE]
Then using (7) we find as , and so we obtain and . Setting as and substituting these values into equations (11), (14) and (12), we find , , and . Thus we observe that when states are transmitted, the protocol is secure to a level of the order of for a distance of km. The analysis for the other cases shown in Tables II and III is done in a similar way.
References
- (1) R. Amiri, P. Wallden, A. Kent and E. Andersson, “Secure quantum signatures using insecure quantum channels”, Phys. Rev. A 93, 032325 (2016).
- (2) H-L. Yin, Y. Fu and C. Zeng-Bing, “Practical Quantum Digital Signature”, Phys. Rev. A 93, 032316 (2016).
- (3) R. L. Rivest, A. Shamir and L. Adleman, “A Method for Obtaining Digital Signatures and Public-key Cryptosystems”, Commun. ACM 21, pp. 120-126 (1978).
- (4) C. M. Swanson and D. R. Stinson, “Unconditionally secure signature schemes revisited”, Information Theoretic Security, Proceedings of ICITS 2011, LNCS, Amsterdam, vol. 6673, pp. 100-116 (2011).
- (5) R. Amiri and E. Andersson, “Unconditionally Secure Quantum Signatures”, Entropy 17, 5635 (2015).
- (6) D. Gottesman and I. Chuang, “Quantum Digital Signatures”, arXiv:quant-ph/0105032v2 (2001).
- (7) E. Andersson, M. Curty and I. Jex, “Experimentally realizable quantum comparison of coherent states and its applications”, Phys. Rev. A 74, 022304 (2006).
- (8) P. J. Clarke, R. J. Collins, V. Dunjko, E. Andersson, J. Jeffers and G. S. Buller, “Experimental demonstration of quantum digital signatures using phase-encoded coherent states of light”, Nat. Commun. 3, 1174 (2012).
