Multi-Partied Quantum Digital Signature Scheme Without Assumptions On Quantum Channel Security

In this study, we generalized quantum digital signature scheme for three-partied[5] to the multi-partied. Also we analyzed this scheme for repudiation, forgery and colluding adversaries.


Introduction
Digital signatures are like signatures on paper. The main purpose is to identify the signatory and to determine any falsification made on the document. Available methods of digital signature are based on difficult mathematical problems [8]. However, to solve this problem several quantum algorithms are proposed [1]. Gottesman and Chuang [7] has proposed concept of quantum digital signature. The method of Gottesman and Chuang [7] becomes unsuccessful as in the states of swap-test |ψ B |φ C + |φ B |ψ C . Complete-symmetry test in Buhrman et.al [2] is used to solve this problem. Andersson et al. [9] showed that coherent states and linear optical elements can be used instead of swap-test experimentally.Dunjko at al [10] showed that QDS can be generated without quantum memory. They used optic and photon detector. Walden et all . [11] showed that available usable/sell-able quantum key distribution devices can be used for the solution of the some problems. Juan Miguel Arrazola et all. [3] generalized the schema of Dunjko and Wallden [10] to the multiuser schema. Hua-Lei Yin et all. [4] show that it is not necessary authenticated quantum channel. Amiri et all . [5,6] developed quantum signature without needing all security assumptions on quantum channel.
In this study, we generalized quantum digital signature scheme for three-partied [5] to the multi-partied. We don't have any assumptions about trust of quantum channels between participants. And all participants creates keys and send part of it to the message sender so that sender can not create any entangled keys and sends them to the participants to repudiate them. And, also we analyzed this scheme for repudiation, forgery and colluding adversaries.

Key Generation Stage
In this study, to create correlated but not the same keys between participants, we have used quantum key distribution(QKD) [13,14] via phase randomized weak-coherent states and decoy states [15]. We don't do post-processing stage of QKD so that these keys have some little mismatches. Asymmetric coding of BB84 [17] was used. {X, Z} basis are chosen with different probabilities {p X , p Z }. p X ≥ 1/2 , p Z = 1−p X and also intensities{µ 1 , µ 2 , µ 3 } of laser pulses can be chosen with different probabilities {p µ 1 , p µ 2 , p µ 3 }.Where µ 1 > µ 2 + µ 3 and µ 2 , µ 3 ≥ 0. The intensities {µ 2 , µ 3 } are used for decoy states. Secret keys will be created from the measurement results which Alice and Bob choose X basis and same intensities.
Following the same procedure in [5] Bob is sender and Alice is receiver to prevent against Alice who can create entangled states. Also she can send the same key to the other participants. After measurement, Bob selects L + n cor bits from X µ and randomly divide L bits into two part with length L/2, (K B keep , K B f orward ). K B f orward bits will be used to forward to the other participants. n cor bits, Cor B X , from X basis measurements will be shared via classical channel to calculate correlation between Alice's and Bob's keys {K A m , K B m }. Cor B X wont be used into protocol. Z µ will be used to estimate Eve's information about Bob's key. To achieve this we will use the smooth min-entropy. We would like to bound Eve's success rate about signature creation which includes less errors from certain number of errors. So we will calculate the smooth min entropy of Eve about Bob's key K B keep . Bob has following key set . Alice also has these keys with the same manner. As mentioned, Cor B X will be used to calculate correlation betweenK A and K B . Z B can be used to gain information about eavesdropper existence. In the protocol K B f orward will be sent to other participants to protect himself against repudiation from Alice.
Since The number of mismatches with receiver's key is important for quantum signature protocols. We will show how we can bound the forger's mismatch count for our protocol. Thus if we provide bigger mismatch count for forger's (message,signature) pair then any receiver wont accept the message with small probability. Our main goal is to achieve that is the Eve's guess about Bob's key by using all collected information about keys. Where d(., .) represents Hamming distance between the two states. Min and Smooth entropy [19] are used to calculate information of states.
Lim et al. [12] and Ma et al. [16] gives bounds for Eve's information about Bob's key in the context of QKD. We will use same ways to bound Eve's mismatch count about Bob's key. But Eve has extra information K B f orward . By extracting error correction and privacy amplification steps in [12], we can write following [5]: Where S X,0 , S X,1 corresponds respectively number of vacuum events and number of single photon events in X basis measurements. We discard double photon events and never use in the protocol due to photon-splitting attacks. Where φ X,1 = c X,1 /S X,1 is the phase error rate in X measurements where c X,1 is the number of phase errors. And h(.) is binary entropy [16]. As shown and proofed in [5]: This shows Eve's probability of making at most r mistakes by using best strategies to guess X keep with all information he/she has. In this equation ρ X keep E is − close to near optimal ρ X keep E . As L/2 grows binom coefficient can be written as L/2 k ≈ 2 (L/2)h( r L/2 ) . By using this approximation and Eq.(1), Eq.(2) can be written as: We can get L/2 parenthesis as follows: If we have neglected in Eq.(4), we get the following equation.
Which determines Eve's probability of making fewer than r errors. To bound this probability we can define minimum error rate ER Eve of Eve as follows: If we achieve error rate between Alice-Bob lesser than error rate of Eve about Bob's key X B keep then the protocol will be secure.
WhereẼR AB is observed from {Cor B X , Cor A X } keys and ε ER AB is calculated from Serfling inequality as follows [20]: If we select acceptance threshold value t v 1 >ẼR AB in the protocol then we can bound ER Eve with small probability like in Eq.(8).

Multi-Partied Quantum Signature Protocol with Majority Vote Dispute Resolution
Arrazola et.al. [18] defined properties of the multi-party unconditionally secure signature(USS) protocols to achieve their security goals as Non-Forgery,Non-repudiation and Transferability.
Quantum Signature Protocol has been formed with the following sets and functions [18]: We assumed that P 0 is sender and P i , i = 1..N − 1 are the other possible receivers and dispute resolvers. (ii) X is possible messages set and Σ is the possible signature set of the messages X. (iii) Sign(x) is a signature function that maps X → Σ. That Sign(x) function gets x value and returns σ ∈ Σ. (iv) l = {−1, 0, 1, 2, 3, ..l max } is the set of verification levels that l verification level means that how many times a signed message can be transferred to the other participants. l max ≤ N −1. l = 0 guarantees that this message comes from signer but does not guarantees it can be forwarded other participants. l = −1 level will be used in Majority-Vote dispute resolution so l = −1 level is used to prevent repudiation from sender. (v) V er(X, Σ, P, l) → {T rue, F alse} gets message, signature, participant and verification level and returns {T rue, F alse} which means this message and signature will be accepted by P i participant at level l.
All participants have imperfect quantum channels and authenticated classical channels between them to make post-processing. We can outline the protocol for single bit value m = {0, 1}. To generalize to the multi-bit message, the protocol can be repeated. The protocol can be outlined as follows: (i) Key Generation And Distribution Stage: P i , i = 1..N − 1 participants uses individually Key Generation Stage to create and share L length key pairs (a) P 0 sends (m, Sig m ) one bit message to P 1 (or any P i ).
(b) P 1 checks the Sig m with his unsent and forwarded parts of K P 1 m , and keys which are sent by other participants. Then P 1 saves separately unmatched bit counts. P 1 accepts the message if the following mismatch count rules are hold.
1. The mismatch count of unsent part of the key K P 1 m , and the parts of the S P 1 m which are received from other participants is less than t v 1 L/2. Where t v 1 < 1/2 is a acceptance threshold that is determined by the security level and settings of the protocol. Our protocols verification function can be defined as follows: V er(m, Sig m , P i , l = −1) = True |V er(m, Sig m , P j , l = 0) = T rue| > N −1 V er(m, Sig m , P i , l = 0) = True Where M C(.) is mismatch count in the parts of the signature. If we select t v j as in Eq. (12) then V er(m, Sig m , P i , l ≥ 1) will be hold. 2. The mismatch count of sent part of the key K P 1 m is less than t v 1 L/2. (c) P 1 forwards the data (m, Sig m ) to the one of the other participant P j , j = 2..N − 1, say P 2 . (d) P 2 checks the unmatched count in the same manner with P 1 but he/she uses different threshold value t v 2 . Where 0 < t v 1 < t v 2 < 1/2. Every participant must use different acceptance threshold for the (m, Sig m ) which is sent from P 0 or forwarded by other participant. The number of forward determines the threshold, so every forward process needs bigger threshold. This is necessary of all unconditionally secure signature protocols [18]. P 2 then forwards (m, Sig m ) to the other participant. (e) All participants can use the same manner except with bigger threshold values.
Majority-Vote Dispute Resolution: This method is invoked whenever there is a disagreement on a message's signature is valid for all users. When this method returns F alse all participants accept that signature is invalid otherwise valid. If more than half of the users get V er(x, σ, i, −1) = T rue than signature is valid for all users otherwise invalid.

Security Analysis
We can define this protocol's security analysis as follows: (i) Non-forgery: Since all participants has half keys of the other participants, they can try to forge any other participant. We assume P i wants to forge P j , j = i, i, j >= 1..N − 1. To achieve forging P i must send (m, Sig m ) to P j with fewer than t v j L/2 mismatch count. Due to P i knows only half key of the P j , K P j , then P i cannot achieve t v j L/2 threshold condition for the other part of P j , K P j . Let ER M AX = max ER P i P j , i, j = 0..N − 1 is the maximum of the error rates observed between {Cor P i X and Cor P j X } with k size. By calculating Eq.(6) for all key generation stages between P 0 and P j , j = 1..N − 1 then we can get ER M IN Eve = min ER Eve(P 0 ,P j ),j=1..N −1 . If we select t v j between 0 ≤ ER M AX < t v j < ER M IN Eve ≤ 1/2 then P j participant will accept the legitimate (m, Sig m ) from P 0 and also will reject forged (m, Sig m ) from the participant P i , i = j, i, j = 1..N − 1. Because all verification functions must be different we can choose acceptance threshold values as follows: Every threshold value is different from the other at least h. Then threshold values holds By increasing L this protocol will be much secure. If at least (N −1)/2 participants are dishonest in the protocol, non-forgery condition cannot be achieved. (ii) Non-repudiation: P 0 wants that P i , i = 1..N − 1 accepts validity of (m, Sig m ). When P i forwards (m, Sig m ) to the other participants P j , j = i, j = 1..N − 1, they rejects the same (m, Sig m ). In order that P j participant reject (m, Sig m ), he/she has bigger mismatch count than t v j L/2 mismatch count some part of Sig m . If P i accepts the message which is sent by P 0 , then P i has lesser mismatch count than t v j L/2 mismatch count for all parts of Sig m . Note that P i has half parts of other P j participants' exact keys K P j due to protocol. To repudiate P 0 must inject more errors P j 's key part but it is impossible due to key sharing part of protocol.

Conclusion
In this study we have try to develop multi-participant quantum digital signature protocol by extending Amiri [5]. We generalized this protocol to the multi-participant case. We used majority vote dispute resolution and bounded-ordered acceptance thresholds for this protocol to make secure against repudiation and forgery. We also used decoy states against to the photon number splitting attack. Also majority vote dispute resolution method has advances according to using arbiter. Since the acceptance mechanism of the majority vote method is distributed to the all participants, this method is much more secure than arbiter.