17–29 Aug 2017
Europe/Athens timezone

Gigahertz quantum signatures compatible with telecommunication technologies

21 Aug 2017, 17:30
20m
Room 2

Talk Workshop on Cont. Variables and Rel. Quantum Information Workshop on continuous variables and quantum information

Speaker

Matthew Thornton (University of St Andrews)

Description

Modern cryptography covers much more than encryption of messages in order to keep them secret. Many other cryptographic primitives exist, and it is important to consider how the security of these will be affected in a quantum future. Digital signatures are a widely used cryptographic primitive, found e.g. in e-mail, e-commerce and digital banking, and they form the basis for larger protocols. A signature $\sigma_m$ appended to a classical message $m$ ensures the authenticity and transferability of the message, whilst preventing forgery and repudiation. By employing quantum mechanics to distribute the $\sigma_m$ between recipients, unconditionally secure signature schemes can be constructed [1-4].

As the development of quantum security progresses, one must consider how to implement these schemes using currently existing technology.

To this end, we present a continuous-variable quantum signature scheme with an emphasis on compatibility with existing telecommunication technologies. Our scheme is information-theoretically secure against repudiation attacks and collective forging attacks, and can be implemented even when some QKD-based signature protocols fail. We note that this is the first implemented continuous-variable quantum signature scheme which does not require secure quantum channels between participants, although discrete-variable protocols have been proposed and implemented [5-6].

In the simplest scenario, quantum digital signature (QDS) schemes involve three parties: Alice, who wishes to sign $m$, and two recipients, Bob and Charlie. In a Distribution stage, Alice forms sequences of quantum states, $\rho_{B}^m$ and $\rho_C^m$, and sends them to Bob and Charlie, who measure the states and record their outcomes. The quantum states can be thought of as Alice's "public key". Her corresponding "private key", containing classical information about which states she sent, is used as the signature $\sigma_m$. Crucially, since a QDS scheme relies on quantum measurement, recipients gain only partial information about $\sigma_m$. Later, in an entirely classical Messaging stage Alice sends $\left(m, \sigma_m\right)$. Bob and Charlie compare $\sigma_m$ to their measurement results, and accept or reject $m$ accordingly.

We have implemented our scheme by distributing an alphabet of phase-modulated coherent states over a $20$ km optical fiber, and have devised the corresponding security proof. In particular, we prove that a dishonest forger who interacts with the quantum states cannot then declare some $\sigma'_m$ which will be accepted by honest recipients, except with negligible probability (security against forging). The probability of successful forgery is related to the smooth min-entropy, which can be interpreted as the uncertainty that an eavesdropper has about an honest participant's measurement outcomes [7]. Hence, by estimating a lower bound for the smooth min-entropy we prove security of our protocol, considering the finite-size effects intrinsic to signatures. As tighter bounds are developed these can readily be incorporated. Furthermore, Bob's and Charlie's measurement outcomes are symmetrised with respect to Alice, which makes it unlikely that a dishonest Alice can find some $\sigma''_m$ which Bob will accept but that she can later deny sending (security against repudiation).
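The Distribution and Messaging stages described above can be illustrated with a toy classical simulation; this is an added example, not code or parameters from the abstract or its authors. It assumes a four-phase alphabet, amplitude $|\alpha| = 1$, fibre loss of 0.2 dB/km, a simple sign-mismatch acceptance test with a hand-picked threshold, and a forger who merely guesses (much weaker than the collective attacks the security proof covers).

```python
import math
import random

FIBRE_KM = 20.0            # link length stated in the abstract
LOSS_DB_PER_KM = 0.2       # assumption: typical telecom fibre attenuation
AMPLITUDE = 1.0            # assumption: coherent-state amplitude |alpha|
SHOT_STD = math.sqrt(0.5)  # vacuum noise std of one quadrature (hbar = 1)
THRESHOLD = 0.34           # assumption: accept if mismatch fraction is below this

def quadrature_means(k, amplitude):
    """Mean (x, p) of state k in a four-phase alphabet, phases pi/4 + k*pi/2."""
    theta = math.pi / 4 + k * math.pi / 2
    return (math.sqrt(2) * amplitude * math.cos(theta),
            math.sqrt(2) * amplitude * math.sin(theta))

def distribute(n, rng):
    """Distribution stage: Alice sends n states, the recipient homodynes each."""
    t = 10 ** (-LOSS_DB_PER_KM * FIBRE_KM / 10)    # channel transmittance
    private_key, record = [], []
    for _ in range(n):
        k = rng.randrange(4)                       # Alice's secret state choice
        quad = rng.randrange(2)                    # recipient measures x (0) or p (1)
        mean = math.sqrt(t) * quadrature_means(k, AMPLITUDE)[quad]
        record.append((quad, rng.gauss(mean, SHOT_STD)))
        private_key.append(k)
    return private_key, record

def mismatch_fraction(declared, record):
    """Messaging stage: fraction of declared states whose sign contradicts the outcome."""
    bad = 0
    for k, (quad, outcome) in zip(declared, record):
        if quadrature_means(k, AMPLITUDE)[quad] * outcome < 0:
            bad += 1
    return bad / len(record)

def accepts(declared, record):
    return mismatch_fraction(declared, record) < THRESHOLD

def demo(n=20000, seed=1):
    """Return (honest, forged) mismatch fractions against the same record."""
    rng = random.Random(seed)
    sigma, bob_record = distribute(n, rng)
    forged = [rng.randrange(4) for _ in range(n)]  # guessing forger
    return (mismatch_fraction(sigma, bob_record),
            mismatch_fraction(forged, bob_record))

if __name__ == "__main__":
    print(demo())
```

Even an honest signature mismatches on a noticeable fraction of positions because each homodyne outcome carries only partial information about the state sent, which is why acceptance is a threshold on the mismatch count rather than an exact comparison.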

Our system is built from telecom components running at a wavelength of $1553.33$ nm and is completely fiber-integrated. The coherent states are distributed by Alice at a rate of $10$ GHz and are measured using homodyne detection at Bob/Charlie. With our security proof the signature lengths are of the order of $10^6$ to sign $m$ with a $0.01\%$ chance of failure, meaning a $1$ bit message can be signed in $0.1$ ms. This opens the possibility of efficiently distributing quantum signatures on a large scale with minimal installation cost, and makes our scheme competitive in a landscape where both practicality and security are important.

[1] D. Gottesman and I. Chuang, “Quantum Digital Signatures,” arXiv:quant-ph/0105032

[2] R. J. Collins, R. J. Donaldson, V. Dunjko, P. Wallden, P. J. Clarke, E. Andersson, J. Jeffers, and G. S. Buller, Phys. Rev. Lett. 113, 040502 (2014)

[3] V. Dunjko, P. Wallden, and E. Andersson, Phys. Rev. Lett. 112, 040502 (2014)

[4] C. Croal, C. Peuntinger, B. Heim, I. Khan, C. Marquardt, G. Leuchs, P. Wallden, E. Andersson, and N. Korolkova, Phys. Rev. Lett. 117, 100503 (2016)

[5] R. Amiri, P. Wallden, A. Kent, and E. Andersson, Phys. Rev. A 93, 032325 (2016)

[6] H.-L. Yin, W.-L. Wang, Y.-L. Tang, Q. Zhao, H. Liu, X.-X. Sun, W.-J. Zhang, H. Li, I. V. Puthoor, L.-X. You, E. Andersson, Z. Wang, Y. Liu, X. Jiang, X. Ma, Q. Zhang, M. Curty, T.-Y. Chen, and J.-W. Pan, Phys. Rev. A 95, 042338 (2017)

[7] R. König, R. Renner, and C. Schaffner, IEEE Trans. Inf. Theory 55, 4337 (2009)

Summary

We present and implement a continuous-variable quantum digital signature (QDS) protocol, which guarantees the authenticity, integrity and transferability of a classical message. Our protocol is secure against eavesdropping by a malevolent party, and secure against a malevolent sender, Alice, trying to deny her message. Our implementation is highly compatible with existing telecom infrastructure.

Topic: Mini-workshop: Continuous Variables and Relativistic Quantum Information

Authors

Matthew Thornton (University of St Andrews)
Dr Callum Croal (University of St Andrews)
Dr Imran Khan (Max Planck Institute for the Science of Light)
Dr Christoph Marquardt (Max Planck Institute for the Science of Light)
Prof. Gerd Leuchs (Max Planck Institute for the Science of Light)
Natalia Korolkova (University of St. Andrews)
