Security of quantum digital signatures for classical messages

Quantum digital signatures can be used to authenticate classical messages in an information-theoretically secure way. Previously, a novel quantum digital signature for classical messages was proposed, together with an experimental demonstration of distributing quantum digital signatures from one sender to two receivers. Some improved versions were subsequently presented, which made it more feasible with present technology. These proposals for quantum digital signatures are basic building blocks that only deal with the problem of sending single-bit messages while non-forgery and non-repudiation are guaranteed. For a multi-bit message, it is only mentioned that the basic building blocks must be iterated, but iterating the basic building block still does not suffice to define the entire protocol. In this paper, we show that it is necessary to define the entire protocol, because some attacks arise if these building blocks are iterated naively. Therefore, we give a way of defining an entire protocol for sending multi-bit messages based on the basic building blocks, and analyse its security.

Digital signature (DS) is a fundamental cryptographic primitive, frequently used in e-commerce and e-government to ensure both the integrity and the origin of a message. However, the security provided by current classical digital signature (CDS) schemes generally depends on unproven assumptions about the intractability of certain mathematical problems, such as the large-integer factorization problem [1] and the discrete logarithm problem [2]. With the rapid development of quantum computing [3], the security of such CDS schemes is seriously challenged.
Fortunately, quantum digital signature (QDS) provides a way of authenticating classical messages with information-theoretic security against forging and repudiation. Gottesman and Chuang introduced the concept of QDS in 2001 and proposed the first QDS scheme for classical messages, based on quantum one-way functions [4].
Recently, a novel QDS proposal for classical messages was put forth (named the C-proposal hereafter), which has been implemented using phase-encoded coherent states of light in experiments [5]. However, like previous proposals it needs quantum memory, which makes it unfeasible in practice with current technology. To deal with this problem, Dunjko et al. gave the first practical QDS proposal for classical messages, in which quantum memory is no longer required [6]; in addition, this proposal has been implemented using just standard linear optical components and photodetectors [7]. Furthermore, Dunjko et al. presented two further QDS protocols for classical messages, which essentially have the same experimental requirements as quantum key distribution [8]. Most importantly, in contrast with other DS schemes, these proposals [5-8] have an important advantage: no trusted authority is needed any longer.
These QDS proposals [5-8] are basic building blocks, which only deal with the problem of sending single-bit messages while non-forgery and non-repudiation are guaranteed. For a long multi-bit message, it is only mentioned that the basic building blocks must be iterated, but iterating the basic building blocks still does not suffice to define the entire protocol; there must also be an additional set of rules stipulating how disputes are resolved, how the validity of a long message is proven, and so on.
In this paper, we show that it is necessary to define the entire protocol, because some attacks arise if these basic building blocks are iterated naively. Furthermore, based on the basic building blocks in these proposals [5-8], we propose an entire protocol for sending multi-bit messages, giving the rules on how to resolve disputes, how to prove the validity of a multi-bit message, and so on.

Results
As mentioned above, these QDS proposals [5-8] are basic building blocks that only deal with the problem of sending single-bit messages while non-forgery and non-repudiation are guaranteed. For a long multi-bit message, it is only mentioned that the basic building block must be iterated, but this iteration still does not suffice to define the entire protocol. Specifically, some attacks arise if these building blocks are used to send a multi-bit message in a naive way of iteration. Without loss of generality, we take the three-player case of the C-proposal as an example.
The C-proposal. Before presenting the attacks, we give a brief introduction to the C-proposal, which is described in Figure 1.
Figure 1 (recovered fragments of the caption): The pair $(m, \mathrm{PrivKey}_m)$ is called a private key pair for message $m$. (2) Alice generates two copies of a sequence of coherent states $\mathrm{QuantSig}_0 = \bigotimes_{l=1}^{L} |\rho_{k_l}\rangle$ with the coherent phases matching the angles in the sequence $\mathrm{PrivKey}_0$.
The analysis of the C-proposal. From the C-proposal it can be seen that, if its basic building blocks are used to send a multi-bit message in a naive way of iteration, a signed multi-bit message $(M, \mathrm{PrivKey}_M)$ (called a message-signature pair hereafter) is verified bit by bit, and there is no correlation among the quantum signatures of the signed message bits except that their labels are pre-determined and sequential. Furthermore, as mentioned in Ref. [8], a QDS protocol has two stages: a preparation (distribution) stage and a message stage. The distribution stage establishes the required classical-quantum (or fully classical) correlations, which the sender later uses in the message stage to transmit messages to the recipients. No further communication with any other player is required when the sender (say Alice) sends a message-signature pair to a recipient, and both the transferal and the verification of the pair should require no feedback from Alice at all; in addition, Alice may later (in the message stage) send many different message-signature pairs to this recipient and to others. Therefore, the verifier Charlie knows neither the length of a signed message nor the initial label of the quantum signature for a message forwarded to him by a recipient. This gives a dishonest recipient (say Bob) the chance to forge a complete message-signature pair by the following known-message attacks.
Forgery attack 1. Suppose that Bob has obtained a valid message-signature pair $(M, \mathrm{PrivKey}_M)$ from Alice, where $M = m_1 \| m_2 \| \cdots \| m_n$ and $\mathrm{PrivKey}_M = \mathrm{PrivKey}_{m_1} \| \mathrm{PrivKey}_{m_2} \| \cdots \| \mathrm{PrivKey}_{m_n}$; here $\|$ denotes the concatenation of bits or bit strings. He chooses some contiguous bits $m_i, \ldots, m_j$ from $M$ (e.g., the first half of the bits) and the corresponding private keys from $\mathrm{PrivKey}_M$, which are denoted $(M', \mathrm{PrivKey}_{M'})$. Then he sends the new message-signature pair $(M', \mathrm{PrivKey}_{M'})$ to Charlie. It can be seen that the forged message-signature pair $(M', \mathrm{PrivKey}_{M'})$ is a subset of the valid message-signature pair $(M, \mathrm{PrivKey}_M)$ and each signed bit $m_k$ is unchanged, $i \le k \le j$, i.e., $M' \subseteq M$ and $\mathrm{PrivKey}_{M'} \subseteq \mathrm{PrivKey}_M$. Therefore, each bit-signature pair $(m_k, \mathrm{PrivKey}_{m_k})$ of $(M', \mathrm{PrivKey}_{M'})$ matches the corresponding one in $(M, \mathrm{PrivKey}_M)$.
Forgery attack 2. Then he sends the forged message-signature pair $(M'', \mathrm{PrivKey}_{M''})$ to Charlie. Clearly, $M'' \subseteq M_1 \| M_2$ and $\mathrm{PrivKey}_{M''} \subseteq \mathrm{PrivKey}_{M_1} \| \mathrm{PrivKey}_{M_2}$, and therefore, by an analysis similar to that of forgery attack 1, the forged message-signature pair $(M'', \mathrm{PrivKey}_{M''})$ will also pass Charlie's verification.
It is noted that in forgery attack 2 the label of the quantum signature for the last bit of $M_1$ and that for the first bit of $M_2$ must be successive, i.e., if the label of the quantum signature $\mathrm{QuantSig}_{m'_{n_1}}$ for $m'_{n_1}$ is $l$, then that for $m''_1$ must be $l+1$; this ensures that the labels of the quantum signatures in the forged message-signature pair $(M'', \mathrm{PrivKey}_{M''})$ are sequential, so Bob's deception is not detected by Charlie. Additionally, an outside adversary Eve can also forge a valid message-signature pair when message-signature pairs are transmitted over an insecure channel: for example, she intercepts them when Alice sends message-signature pairs to a legitimate recipient, and then forges a new message-signature pair in the same way as Bob does in the above forgery attacks.
As mentioned in Refs. [9, 10], a signature scheme is broken if an opponent can do any of the following with a non-negligible probability:
Universal forgery (total break), in which he/she can forge a signature for any message.
Selective forgery, in which he/she can forge a signature for a particular message chosen by him/her.
Existential forgery, in which he/she can forge a signature for at least one message but has no control over the message whose signature is obtained, i.e., the message may be random or nonsensical.
However, if the basic building blocks in these proposals [5-8] are used to send a multi-bit message in a naive way of iteration, a dishonest recipient or an outside adversary can successfully forge a valid signature for a particular message (chosen by himself in advance from a validly signed message) by the above known-message attacks. Furthermore, in many cases the forged message is neither random nor nonsensical. For example, if the signed message sent by Alice is a contract, forgery attack 1 allows Bob to delete some items that are not beneficial to him, and forgery attack 2 allows him to add some new items taken from another contract. Moreover, as a legal replacement for handwritten signatures, DS is not only used to send a message; the signatory of a signature scheme would also like to be able to sign arbitrary documents prepared by others without fear of compromising his/her security, as in the case of a notary public who must sign more-or-less arbitrary documents on demand [10]. Therefore, it is a natural and reasonable assumption that an opponent may gain access to valid signatures for any messages of his/her choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages), i.e., we should allow the opponent to mount forgeries in the model of adaptive chosen-message attacks; in this case, the opponent can forge a valid signature on any message chosen by himself/herself in advance.

Discussion
It has been shown that iterating the basic building blocks for sending single-bit messages still does not suffice to define the entire protocol. Therefore, studying the problem of sending multi-bit messages based on the basic building blocks is necessary and significant work.
As is well known, the main tasks of DS are to prevent impersonation, repudiation and message tampering in data transfer, and the key among them is to guarantee the integrity of signed messages, i.e., any alteration of a signed message will be detected during verification. In these proposals [5-8], nobody can forge a valid signature for a single message bit except with negligible probability. Furthermore, the label of the quantum signature for each message bit is predetermined and sequential. Therefore, if the start and the end of a signed message are tagged, i.e., neither the initial label nor the last label of the quantum signatures for the signed message can be changed, the integrity of the signed message can be guaranteed. To this end, one way is for Charlie to acquire the two labels from the signatory Alice before verifying, but this needs communication or feedback between them, which obviously contradicts the natural requirement for DS transferal and verification; another way is to make both the start and the end of a signed message differ from the message bits, while ensuring that the signatures for them cannot be forged, which can be realized by a special encoding. In the following, we propose an entire protocol for sending multi-bit messages, in which the validity of this special encoding for guaranteeing the integrity of a signed multi-bit message is proven.

Methods
A method to define an entire protocol for dealing with the problem of sending a multi-bit message is described as follows.