Cryptanalysis of a Semi-Quantum Bi-Signature Scheme Based on W States

Abstract

Recently, Zhao et al. proposed a semi-quantum bi-signature (SQBS) scheme based on W states with two quantum signers and just one classical verifier. In this study, we highlight three security issues with Zhao et al.’s SQBS scheme. In Zhao et al.’s SQBS protocol, an insider attacker can perform an impersonation attack in the verification phase and an impersonation attack in the signature phase to capture the private key. In addition, an eavesdropper can perform a man-in-the-middle attack to obtain all of the signer’s secret information. All of the above three attacks can pass the eavesdropping check. Without considering these security issues, the SQBS protocol could fail to ensure the signer’s secret information.

1. Introduction

With advances in quantum information science, various quantum techniques have been applied in quantum cryptography, such as entanglement swapping [1], quantum teleportation [2,3,4], and quantum remote control [5,6,7,8,9,10]. Quantum cryptography techniques can be used in various network communication environments, among which quantum signature is an important topic. In 2001, Gottesman and Chuang [11] proposed the first quantum signature concept. In 2002, Zeng and Keitel [12] proposed the first arbitrated quantum signature protocol based on the Green–Horne–Zeilinger (GHZ) state. Since then, various quantum signature protocols have been proposed, for example, arbitrated quantum signature [13,14,15,16,17,18,19,20], quantum blind signature [21,22,23,24,25,26], quantum proxy signature [27,28], and quantum group signature [29]. Inspired by the above quantum signature schemes [11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29], Zhao et al. [30] proposed a signature scheme based on the concept of “bi-signature.” In Zhao et al.’s quantum bi-signature protocol, two participants sign their signatures on the same message.

The aforementioned quantum signature schemes [11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30] all require the assumption that all participants in the protocol are quantum-capable, i.e., they must have devices such as photonic generators, quantum memory, and photonic measurement devices. In the absence of these devices, quantum signature protocols [11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30] cannot be executed. However, quantum devices are not widely available, and not all participants have access to such devices. In 2007, Boyer et al. [31] introduced the concept of a semi-quantum environment. In 2009, the same authors [32] proposed two types of semi-quantum key distribution protocols. Since then, various semi-quantum cryptographic protocols and applications have flourished. For example, various applications of the semi-quantum key distribution (SQKD) protocol have been reported. Some studies [33,34,35,36] have implemented SQKD protocols using single photons. Zhu et al. [37] design a SQKD protocol involving GHZ states. Considering the multiparticipant scenario, researchers have [38,39,40] proposed mediated SQKD protocols. Some studies [41] also discuss the implementation of SQKD protocols by excluding the measurement capabilities of classical participants. On the other hand, several studies [42,43,44,45] have investigated the implementation of authenticated SQKD protocols. Unlike SQKD protocols, another application environment is one in which the boss has quantum capabilities, and the agent has only classical capabilities. The boss divides the secret key into several parts and gives them to the agents for custody. The agents must work together to obtain the boss’s secret key. Current semi-quantum secret-sharing protocols are available in single photons [46,47,48,49], entangled states [50,51,52,53], GHZ states [54,55,56,57], W states [58], and cluster states [59]. In 2014, Zou and Qiu [60] proposed a three-step semi-quantum secure direct communication (SQSDC) protocol allowing a classical participant who does not have a quantum register to securely send a secret message to a quantum participant. Since then, many SQSDC protocols with an entanglement state [61,62,63,64,65,66,67,68] and without entanglement [69] have been proposed. Private comparison is primitive for many cryptographic tasks, and recently, several schemes for semi-quantum private comparison with single photons [70,71,72,73], Bell states [74,75,76,77], GHZ-like states [78,79,80], and W states [81] have been proposed.

In 2019, Zhao et al. [82] proposed a semi-quantum bi-signature (SQBS) scheme based on W-like states [83,84,85] and a quantum teleportation technique [86]. In the SQBS protocol, two participants are quantum-capable signers, and one is conventionally capable verifier. The main technique is to transmit the secret message of the signature to another signer through W-state teleportation technology. Then, the two signers transmit the signature messages to the verifier via their pre-shared keys. Finally, the verifier confirms that the two received signatures are identical, and the signature is completed.

Although Zhao et al. [82] proposed an SQBS protocol and proved the security of their protocol, in this study we highlight three security problems with the proposed SQBS protocol [82].

• In the final step of the verification phase, the verifier (Charlie) performs an XOR operation with the pre-shared keys of two signers (Alice and Bob). If the verification passes, it means that the signature message is the same. Therefore, Bob can infer Alice’s pre-shared key and forge Alice’s signature later.
• In the final step of the signature phase, the signer (Alice) transmits the signature message and the W-state measurement results to the verifier (Charlie) through the public classical channel. The public classical channel can be eavesdropped on and tampered with. Therefore, Bob can use the received secret message, Alice’s signature message, and measurement results to infer Alice’s pre-shared key, which can then be used to forge Alice’s signature.
• The signer (Alice) transmits the secret message to another signer (Bob) through W-state teleportation technology; however, Alice and Bob do not perform any eavesdropping checks during the teleportation stage. Therefore, the eavesdropper (Eve) will be able to capture the secret message through a man-in-the-middle attack.

The rest of this paper is organized as follows. In Section 2, we review Zhao et al.’s SQBS protocol. In Section 3, we discuss three security issues associated with the protocol. Finally, in Section 4 we present our conclusions and discussion.

2. Review of Zhao et al.’s SQBS Protocol

In Zhao et al.’s SQBS protocol [82], there are three participants: Alice and Bob (signers with quantum capabilities) and Charlie (a verifier with only classical capabilities); the classical capabilities of Charlie limit him to the use of the Z basis $\left\{\left|0\right.⟩,\left|1\right.⟩\right\}$ to measure and generate single photons and to directly return the received quantum state. The eavesdropper, Eve, can perform any attack without violating the definition of quantum mechanics. Zhao et al.’s SQBS protocol is divided into three phases: the initial phase, the signature phase, and the verification phase. An overview of Zhao et al.’s SQBS protocol is shown in Figure 1. The detailed steps of Zhao et al.’s SQBS protocol are described as follows.

2.1. Initial Phase

In the initial phase, the pre-shared keys, $K_{AC}$ and $K_{BC}$, are allocated, and the W-like state is prepared to provide the execution requirements in the subsequent signature phase and verification phase.

 Step 1. 

Alice prepares the secret message, $M_A=\left\{m_1,m_2,\dots ,m_n\right\}$, where $m_i=\left\{0,1\right\}$. The agreed encoding rule is as follows: if the classical bit is “0”, then $\left|0⟩\right.$ is generated; if the classical bit is “1”, then $\left|1⟩\right.$ is generated.

 Step 2. 

Bob and Alice prepare n sets of W-like states, ${\left|W⟩\right.}_{123}=\frac{1}{2}{\left(\left|100\right.⟩+\left|010\right.⟩+\sqrt{2}\left|001\right.⟩\right)}_{123}$ and ${\left|W⟩\right.}_{456}=\frac{1}{2}{\left(\left|100\right.⟩+\left|010\right.⟩+\sqrt{2}\left|001\right.⟩\right)}_{456}$.

 Step 3. 

Through Krawec’s semi-quantum key distribution protocol [36], Alice and Charlie can share a private key, $K_{AC}$; Bob and Charlie can share a private key, $K_{BC}$.

2.2. Signature Phase

This phase focuses on Alice and Bob generating their respective signatures and sending them to Charlie. In addition, Alice sends the secret message, $M_A=\left\{m_1,m_2,\dots ,m_n\right\}$, to Bob through the quantum teleportation of the W-like state.

 Step 1. 

Alice sends ${\left|W⟩\right.}_5$ and ${\left|W⟩\right.}_6$ of ${\left|W⟩\right.}_{456}=\frac{1}{2}{\left(\left|100\right.⟩+\left|010\right.⟩+\sqrt{2}\left|001\right.⟩\right)}_{456}$ to Bob and Charlie, respectively, keeping ${\left|W⟩\right.}_4$ for herself. Then, Bob sends ${\left|W⟩\right.}_{12}$ of ${\left|W⟩\right.}_{123}=\frac{1}{2}{\left(\left|100\right.⟩+\left|010\right.⟩+\sqrt{2}\left|001\right.⟩\right)}_{123}$ to Alice and keeps ${\left|W⟩\right.}_3$ for himself.

 Step 2. 

Alice, Bob, and Charlie perform Z-basis measurements on their respective ${\left|W⟩\right.}_4$, ${\left|W⟩\right.}_5$, and ${\left|W⟩\right.}_6$ and obtain the measurement results for A, B, and C.

 Step 3. 

Based on Alice’s secret message ($M_A$) and the measurement result (A) of ${\left|W⟩\right.}_4$, Alice’s signature message (${S^{\prime }}_A$) can be obtained through the coding rule listed in

Table 1. The coding rule of signature message.

	${\mathit{M}}_{\mathit{A}}=0$	${\mathit{M}}_{\mathit{A}}=1$
$A=0$	${S^{\prime }}_A=1$	${S^{\prime }}_A=0$
$A=1$	${S^{\prime }}_A=0$	${S^{\prime }}_A=1$

. Then, the signature message (${S^{\prime }}_A$) and the pre-shared key ($K_{AC}$) perform the exclusive or (XOR) operation to obtain Alice’s signature, $S_A={S^{\prime }}_A⨁K_{AC}$. Finally, Alice sends the signature ($S_A$) and the measurement result (A) to Charlie through the public classical channel.

 Step 4. 

Alice generates the secret message ($M_A$) as a single photon $\left|M_A\right.⟩$ according to the coding rules (i.e., if the classical bit is “0”, then generate $\left|0⟩\right.$; if the classical bit is “1”, then $\left|1⟩\right.$ is generated). Next, Alice measures $\left|M_A\right.⟩$ with ${\left|W⟩\right.}_{12}$ in the W-basis $\left\{{\left|\kappa \right.}^{\pm }⟩=\frac{1}{2}\left(\left|010⟩\right.+\left|001⟩\right.\pm \sqrt{2}\left|100⟩\right.\right),{\left|\gamma \right.}^{\pm }⟩=\frac{1}{2}\left(\left|110⟩\right.+\left|101⟩\right.\pm \sqrt{2}\left|000⟩\right.\right)\right\}$ and announces the measurement result to Bob. Based on the measurement result, Bob can perform the corresponding operation $\left\{{\sigma }_1=\left[\begin{array}{cc}1& 0\\ 0& 1\end{array}\right],{\sigma }_2=\left[\begin{array}{cc}0& 1\\ 1& 0\end{array}\right],{\sigma }_3=\left[\begin{array}{cc}0& -1\\ 1& 0\end{array}\right],{\sigma }_4=\left[\begin{array}{cc}1& 0\\ 0& -1\end{array}\right]\right\}$ in ${\left|W⟩\right.}_3$ to obtain $\left|M_B\right.⟩$. Finally, Bob measures $\left|M_B\right.⟩$ in Z basis to obtain Alice’s secret message ($M_B$).

 Step 5. 

Based on the received secret message ($M_B$) and the measurement result (B) of ${\left|W⟩\right.}_5$, Bob can obtain the signature message (${S^{\prime }}_B$) via the coding rule listed in Table 1. Then, the signature message (${S^{\prime }}_B$) and the pre-shared key ($K_{BC}$) can be used to perform the XOR operation to obtain Bob’s signature, $S_B={S^{\prime }}_B⨁K_{BC}$. Finally, Bob sends the signature ($S_B$) and the measurement result (B) to Charlie through the public classical channel.

2.3. Verification Phase

This stage involves Charlie verifying whether Alice’s and Bob’s signatures are correct; the verification steps are as follows.

 Step 1. 

Charlie first checks that Alice’s, Bob’s, and his own measurement results (A, B, and C) are consistent with the W-like state, ${\left|W⟩\right.}_{456}=\frac{1}{2}{\left(\left|100\right.⟩+\left|010\right.⟩+\sqrt{2}\left|001\right.⟩\right)}_{456}$. If the measurement result does not match, the SQBS protocol is canceled; otherwise, Charlie continues with the next step.

 Step 2. 

Charlie can deduce Alice’s and Bob’s signature messages through $K_{AC}$ and $K_{BC}$ as ${S^{\prime }}_A=S_A⨁K_{AC}$ and ${S^{\prime }}_B=S_B⨁K_{BC}$, respectively.

 Step 3. 

Charlie can deduce Alice’s secret message ($M_A$) by ${S^{\prime }}_A$ and A through the coding rules listed in Table 1. Similarly, Charlie can deduce Bob’s secret message ($M_B$) by ${S^{\prime }}_B$ and B.

 Step 4. 

Charlie compares $M_A$ and $M_B$; if $M_A=M_B$, then Charlie accepts Alice’s and Bob’s signature; otherwise, Charlie rejects this signature. Finally, Charlie sends $M_A⨁K_{AC}$ and $M_B⨁K_{BC}$ to Alice and Bob, respectively.

3. Security Issues of Zhao et al.’s SQBS Protocol

In this study, we identified three security problems in Zhao et al.’s SQBS protocol: an impersonation attack in the verification phase, an impersonation attack in the signature phase, and a man-in-the-middle attack. The mechanisms of these three attack patterns are explained below.

3.1. Impersonation Attack in the Verification Phase

Consider Bob as the insider attacker. If Bob wants to impersonate Alice’s identity, he must obtain Alice’s private key with Charlie, $K_{AC}$. The following illustrates how Bob attacks.

In Step 4 of the verification phase, if Charlie accepts Alice’s and Bob’s signatures, then Charlie sends $M_A⨁K_{AC}$ and $M_B⨁K_{BC}$ to Alice and Bob, respectively. In this step, Bob intercepts the result of copying $M_A⨁K_{AC}$. Furthermore, if the signature is passed, it means that Bob’s message ($M_B$) is the same as $M_A$. Therefore, Bob can deduce that $M_A⨁K_{AC}=M_B⨁K_{AC}$ and learn the value of $K_{AC}$. In this way, Bob can impersonate Alice’s identity and communicate with Charlie through $K_{AC}$.

3.2. Impersonation Attack in the Signature Phase

Similarly, considering Bob as the insider attacker, if Bob wants to impersonate Alice’s identity, he must obtain Alice’s private key, $K_{AC}$. The following describes Bob’s attack strategy.

In Step 3 of the signature phase, Alice sends her signature ($S_A$) and the measurement result (A) to Charlie through the public classical channel. Hence, Bob can intercept and learn Alice’s signature ($S_A$) and the measurement result (A). In Step 4 of the signature phase, Bob can obtain Alice’s message ($M_B$) through the quantum teleportation of the W-like state. In this way, Bob has both $M_B$ and A and can deduce Alice’s ${S^{\prime }}_A$ in Table 1. Then, through ${S^{\prime }}_A$ and $S_A$, Bob can deduce Alice’s private key, $K_{AC}={S^{\prime }}_A⨁S_A$. Finally, Bob can impersonate Alice’s identity through $K_{AC}$ to communicate with Charlie.

3.3. Man-in-the-Middle Attack

In the quantum signature protocol, the signer’s message cannot be known by anyone other than the signer. Therefore, Alice’s secret message ($M_A$) cannot be eavesdropped on. Once the signer’s secret message is leaked, the protocol is declared a failure. In Zhao’s SQBS protocol, the signers (Alice and Bob) protect Alice’s secret messages ($M_A$) through the quantum teleportation of the W-like state. However, in this study, we revealed that the eavesdropper, Eve, can perform a man-in-the-middle attack to obtain Alice’s secret message ($M_A$) without being detected. Because Alice and Bob do not have any protection or checking mechanism when executing quantum teleportation, Eve can capture the secret message ($M_A$). An overview of the man-in-the-middle attack on Zhao’s SQBS protocol is shown in Figure 2. The attack strategy is described as follows.

 Step A1. 

In Step 1 of the signature phase, Bob sends the state ${\left|W⟩\right.}_{12}$ of ${\left|W⟩\right.}_{123}=\frac{1}{2}{\left(\left|100\right.⟩+\left|010\right.⟩+\sqrt{2}\left|001\right.⟩\right)}_{123}$ to Alice. At this point, Eve intercepts ${\left|W⟩\right.}_{12}$ and generates another set of W-like states, ${\left|W⟩\right.}_{123}^E=\frac{1}{2}{\left(\left|100\right.⟩+\left|010\right.⟩+\sqrt{2}\left|001\right.⟩\right)}_{123}^E$, and sends ${\left|W⟩\right.}_{12}^E$ to Alice.

 Step A2. 

In Step 4 of the signature phase, Alice measures $\left|M_A\right.⟩$ and ${\left|W⟩\right.}_{12}^E$ in the W-basis $\left\{{\left|\kappa \right.}^{\pm }⟩=\frac{1}{2}\left(\left|010⟩\right.+\left|001⟩\right.\pm \sqrt{2}\left|100⟩\right.\right),{\left|\gamma \right.}^{\pm }⟩=\frac{1}{2}\left(\left|110⟩\right.+\left|101⟩\right.\pm \sqrt{2}\left|000⟩\right.\right)\right\}$ and informs Bob of the measurement result. In this step, Eve intercepts Alice’s measurement result ($M{R}_A$); then, based on the measurement result ($M{R}_A$), Eve can perform the corresponding operation $\left\{{\sigma }_1,{\sigma }_2,{\sigma }_3,{\sigma }_4\right\}$ in ${\left|W⟩\right.}_3^E$ to obtain $\left|M_A\right.⟩$. Thus, Eve can measure $\left|M_A\right.⟩$ in the Z basis to obtain Alice’s secret message ($M_A$).

 Step A3. 

After Eve obtains $M_A$, Eve generates $\left|M_A\right.⟩$ and measures it with the intercepted ${\left|W⟩\right.}_{12}$ in the W-basis $\left\{{\left|\kappa \right.}^{\pm }⟩,{\left|\gamma \right.}^{\pm }⟩\right\}$. Then, Eve informs Bob of the measurement result ($M{R}_A^E$). Based on the measurement result ($M{R}_A^E$), Bob can perform the corresponding operation $\left\{{\sigma }_1,{\sigma }_2,{\sigma }_3,{\sigma }_4\right\}$ in ${\left|W⟩\right.}_3$ to obtain $\left|M_A\right.⟩$. Finally, $\left|M_A\right.⟩$ is measured through the Z-basis to obtain Alice’s secret message ($M_A$).

Because Eve’s attack does not destroy the secret message ($M_A$), Charlie’s inspection of Alice’s and Bob’s signatures will pass smoothly in the final verification stage. Therefore, Eve successfully executes the man-in-the-middle attack to capture Alice’s secret message ($M_A$) and is not discovered.

4. Conclusions

In this study, we highlight three security issues with Zhao et al.’s SQBS protocol: an impersonation attack in the verification phase, an impersonation attack in the signature phase, and a man-in-the-middle attack. In the impersonation attack, the insider attacker can capture the private key and impersonates the signer’s identity to communicate with the verifier. In the man-in-the-middle attack, the eavesdropper can obtain all the signer’s secret messages. All of the above three attacks can pass the eavesdropping check. Without considering these security issues, the SQBS protocol could fail to ensure the security of the signature. A possible solution is to add an eavesdropping check, for example, using decoy photons as an eavesdropping check. However, this requires an authenticated channel between the verifier and each signer and is therefore not very elegant. Improved solutions for this new issue in the SQBS protocol need to be designed in future research.