Arbitrated quantum signature schemes without using entangled states
AArbitrated quantum signature schemes without using entangled states
Xiangfu Zou , and Daowen Qiu , , ∗ Department of Computer Science, Zhongshan University, Guangzhou 510275, China Department of Mathematics and Physics, Wuyi University, Jiangmen 529020, China SQIG–Instituto de Telecomunica¸c˜oes, IST, TULisbon, Av. Rovisco Pais 1049-001, Lisbon, Portugal (Dated: January 25, 2010)A digital signature is a mathematical scheme for demonstrating the authenticity of a digitalmessage or document. For signing quantum messages, some arbitrated quantum signature schemeshave being proposed. However, in the existing literature, arbitrated quantum signature schemesdepend on entanglement. In this paper, we present two arbitrated quantum signature schemeswithout utilizing entangled states in the signing phase and the verifying phase. The first proposedscheme can preserve the merits in the existing schemes. Then, we point out, in this scheme andthe prior schemes, there exists a problem that Bob can repudiate the integrality of the signatures.To conquer this problem, we construct another arbitrated quantum signature scheme without usingquantum entangled states but using a public board. The new scheme has three advantages: it doesnot utilize entangled states while it can preserve all merits in the existing schemes; the integralityof the signature can avoid being disavowed by the receiver; and, it provides a higher efficiency intransmission and reduces the complexity of implementation. Furthermore, we present a techniquesuch that the quantum message can keep secret to the arbitrator in a arbitrated quantum signaturescheme.
PACS numbers: 03.67.Dd, 03.65.Ud
I. Introduction
The most spectacular discovery in quantum computingto date is that quantum computer can efficiently performsome tasks which are not feasible on a classical computer.For example, Shor’s quantum algorithm [1] can solve effi-ciently two enormously important problems: the problemof finding the prime factors of an integer and the discretelogarithm problem. This means most of the classical pub-lic key cryptography are not secure if quantum computerscould be available someday. Fortunately, quantum cryp-tography (quantum key distribution) depends on funda-mental laws of physics to provide unconditional security[2–9].Digital signature and authentication is an essentialingredient of classical cryptography and has been em-ployed in various applications. Similar to the classicalpublic key cryptography, most classical digital signatureschemes based on the public key cryptography can bebroken by Shor’s algorithm [1]. So, many researchers andscholars turn to investigate quantum signature and au- ∗ Electronic address: [email protected] (D.W. Qiu). thentication, which is supposed to provide an alternativewith unconditional security. Recently, some progress hasbeen made on quantum signature [10–22]. In particular,an arbitrated quantum signature (AQS) scheme providingmany merits was proposed by Zeng and Keitel [12]. ThisAQS scheme was further discussed in the correspondingcomments [23, 24]. In such a scheme, both known andunknown quantum states could be signed, and the un-conditional security is ensured by using the correlationof Greenberger-Horne-Zeilinger (GHZ) triplet states [25]and quantum one-time pads [26].Very recently, Li et al. [13] presented an arbitratedquantum signature scheme using two-particle entangledBell states instead of GHZ states. The scheme using Bellstates can preserve the merits in the original scheme [12]while providing a higher efficiency in transmission andreducing the complexity of implementation.We observe that the main functions of quantum en-tangled states (GHZ states and Bell states) in Refs.[12, 13, 24] are to assist Alice to transfer quantum statesto Bob. However, Alice transfers quantum states to thearbitrator by the ciphertext encrypted with the secret key 𝐾 𝐴 . Similarly, Alice can transfer quantum states to Bobwith a shared secret key. Considering that the prepa-ration, distribution and keeping of GHZ states and Bellstates are not easy to be implemented with the present-day technologies, we construct a new arbitrated quan-tum signature scheme without using quantum entangledstates. Furthermore, we discover that Bob can repudi-ate the integrality of the signature in the proposed AQSscheme and the AQS schems in Refs. [12, 13, 24]. There-fore, we give a new AQS scheme that can avoid beingdisavowed for the integrality of the signature by the re-ceiver Bob.The remainder of this paper is organized as follows.First, in Section II, we briefly recall some notions and no-tations concerning AQS. In Section III, we give an AQSscheme similar to the schemes in Refs. [12, 13] but with-out using entangled states. In Section IV, we discuss thesecurity of the scheme proposed in the previous sectionand point out that, in the proposed scheme and the priorschemes, there exists a problem that Bob can repudiatethe integrality of the signatures. In Section V, to con-quer the problem mentioned in Section IV, we give a newarbitrated quantum signature scheme without using en-tangled states but using a public board. In Section VI,we discuss the security of the scheme proposed in the pre-vious section. The new scheme can conquer the problemmentioned in Section IV and preserve all merits in theforegoing schemes while providing a higher efficiency intransmission and reducing the complexity of implemen-tation. Furthermore, we present a technique such thatthe quantum message can keep secret to the arbitrator.Finally, in Section VII, we make a conclusion.In general, notation used in this paper will be explainedwhenever new symbols appear. II. Preliminaries
In this section, we briefly recall some notions and no-tations concerning AQS.We use Pauli matrices 𝜎 𝑥 and 𝜎 𝑧 to denote the 𝑋 and 𝑍 gates, respectively. Let ∣ 𝑃 ⟩ be a quantum message as ∣ 𝑃 ⟩ = ∣ 𝑃 ⟩ ⊗ ∣ 𝑃 ⟩ ⊗ ⋅ ⋅ ⋅ ⊗ ∣ 𝑃 𝑛 ⟩ with ∣ 𝑃 𝑖 ⟩ = 𝛼 𝑖 ∣ ⟩ + 𝛽 𝑖 ∣ ⟩ .For convenience, 𝐸 𝐾 denotes the quantum one-timepads encryption, proposed by Boykin and Roychowdhury[26], according to some key 𝐾 ∈ { , } ∗ satisfying ∣ 𝐾 ∣ ≥ 𝑛 as follows: 𝐸 𝐾 ( ∣ 𝑃 ⟩ ) = 𝑛 ⊗ 𝑖 =1 𝜎 𝐾 𝑖 − 𝑥 𝜎 𝐾 𝑖 𝑧 ∣ 𝑃 𝑖 ⟩ , (1)where 𝐾 𝑗 denotes the 𝑗 -th bit of 𝐾 . Similarly, 𝑅 𝐾 de- notes the unitary transformation 𝑅 𝐾 ( ∣ 𝑃 ⟩ ) = 𝑛 ⊗ 𝑖 =1 𝜎 𝐾 𝑖 𝑥 𝜎 𝐾 𝑖 +1 𝑧 ∣ 𝑃 𝑖 ⟩ . (2)A secure arbitrated (quantum) signature schemeshould satisfy two requirements: one is that the signa-ture should not be forged by the attacker (including themalicious receiver) and the other is the impossibility ofdisavowal by the signatory and the receiver [12, 13, 24]. III. An AQS scheme without using entangledstates
From the arbitrated quantum signature schemes inRefs. [12, 24] and [13], we discover that the main func-tions of quantum entangled states, GHZ states and Bellstates, are to assist Alice to transfer quantum states toBob. However, Alice transfers quantum states to the ar-bitrator by the ciphertext encrypted with the secret key 𝐾 𝐴 . Similarly, Alice can transfer quantum states to Bobwith a shared secret key. Considering that the prepa-ration, distribution and keeping of GHZ states and Bellstates are not easy to be implemented with the present-day technologies, we construct a new arbitrated quan-tum signature scheme without using entangled quantumstates in the signing phase and the verifying phase.The presented scheme also involves three participants,namely, signatory Alice, receiver Bob, and the arbitra-tor, and includes three phases, the initializing phase, thesigning phase, and the verifying phase.Suppose Alice need sign the quantum message ∣ 𝑃 ⟩ = ∣ 𝑃 ⟩ ⊗ ∣ 𝑃 ⟩ ⊗ ⋅ ⋅ ⋅ ⊗ ∣ 𝑃 𝑛 ⟩ with ∣ 𝑃 𝑖 ⟩ = 𝛼 𝑖 ∣ ⟩ + 𝛽 𝑖 ∣ ⟩ and hasat least three copies of ∣ 𝑃 ⟩ . For obtaining a low enougherror probability in the verifying phase, we can supposethat 𝑛 is large enough; otherwise, we use ∣ 𝑃 ⟩ ⊗ 𝑚 insteadof ∣ 𝑃 ⟩ , where 𝑚 is any a large enough integer. A. Initializing phase
Step I1.
Alice shares the secret keys 𝐾 𝐴𝑎 and 𝐾 𝐴𝐵 with the arbitrator and Bob, respectively, by using the quantum key distribution (QKD) protocols [2–4] thatwere proved to be unconditionally secure [5–8]. Similarly,Bob shares the secret key 𝐾 𝐵𝑎 with the arbitrator. B. Signing phase
Step S1.
Alice computes ∣ 𝑅 𝐴𝑎 ⟩ = 𝑅 𝐾 𝐴𝑎 ( ∣ 𝑃 ⟩ ) and gen-erates ∣ 𝑆 𝑎 ⟩ = 𝐸 𝐾 𝐴𝑎 ( ∣ 𝑃 ⟩ , ∣ 𝑅 𝐴𝑎 ⟩ ). Step S2.
Alice computes ∣ 𝑅 𝐴𝐵 ⟩ = 𝑅 𝐾 𝐴𝐵 ( ∣ 𝑃 ⟩ ), gener-ates her signature ∣ 𝑆 ⟩ = 𝐸 𝐾 𝐴𝐵 ( ∣ 𝑅 𝐴𝐵 ⟩ , ∣ 𝑆 𝑎 ⟩ ), and sends itto Bob. If they are far away from each other, they can usequantum repeaters [27, 28] and fault-tolerant quantumcomputation [29, 30] to ensure the signature ∣ 𝑆 ⟩ beingtransferred perfectly. C. Verifying phase
Step V1.
Bob decrypts ∣ 𝑆 ⟩ with 𝐾 𝐴𝐵 and gets ∣ 𝑅 𝐴𝐵 ⟩ and ∣ 𝑆 𝑎 ⟩ . Step V2.
Bob generates ∣ 𝑌 𝐵 ⟩ = 𝐸 𝐾 𝐵𝑎 ( ∣ 𝑆 𝑎 ⟩ ) and sendsit to the arbitrator. Step V3.
The arbitrator decrypts ∣ 𝑌 𝐵 ⟩ and obtains ∣ 𝑆 𝑎 ⟩ . Then, he gets ∣ 𝑃 ⟩ and ∣ 𝑅 𝐴𝑎 ⟩ from ∣ 𝑆 𝑎 ⟩ with 𝐾 𝐴𝑎 . Step V4.
The arbitrator obtains ∣ 𝑃 𝑎 ⟩ = 𝑅 − 𝐾 𝐴𝑎 ( ∣ 𝑅 𝐴𝑎 ⟩ )and compares it with ∣ 𝑃 ⟩ using the approach in Refs.[13, 31]. If ∣ 𝑃 𝑎 ⟩ = ∣ 𝑃 ⟩ , he sets the verification parameter 𝛾 = 1; otherwise 𝛾 = 0. Step V5.
The arbitrator sends the encrypted results ∣ 𝑌 𝑎𝐵 ⟩ = 𝐸 𝐾 ′ 𝐵𝑎 ( ∣ 𝑃 ⟩ , 𝛾 ) where the 𝑖 th bit of 𝐾 ′ 𝐵𝑎 is the(4 𝑛 + 𝑖 )-th bit of 𝐾 𝐵𝑎 . Step V6.
Bob decrypts ∣ 𝑌 𝑎𝐵 ⟩ and obtains ∣ 𝑃 ⟩ and 𝛾 .If 𝛾 = 0, Bob considers that the signature has been ob-viously forged and rejects; otherwise, he does the furtherverification. Step V7.
Bob gets ∣ 𝑃 𝐵 ⟩ = 𝑅 − 𝐾 𝐴𝐵 ( ∣ 𝑅 𝐴𝑎 ⟩ ) and comparesit with ∣ 𝑃 ⟩ using the approach in Refs. [13, 31]. If ∣ 𝑃 𝐵 ⟩ = ∣ 𝑃 ⟩ , Bob accepts the signature ∣ 𝑆 ⟩ ; otherwise, he rejectsit. IV. Security analysis and discussion of the AQSscheme without using entangled states
A secure quantum signature scheme should satisfythree requirements [12, 13, 24]: the signature should notbe forged by the attacker (including the malicious re-ceiver); the signature should not be disavowed by thesignatory; and the signature should not be disavowed bythe receiver. We can show that the proposed scheme canoffer security as the scheme in Refs. [12, 13]. First, weshow the proposed AQS scheme without using entangledstates can satisfy the first two requirements. Then, we point out that the proposed AQS scheme and the exist-ing schemes in Refs. [12, 13] can not satisfy the thirdrequirement.
A. Impossibility of forgery
If the malicious receiver Bob attempts to counterfeitAlice’s signature ∣ 𝑆 ⟩ = 𝐸 𝐾 𝐴𝐵 ( ∣ 𝑅 𝐴𝐵 ⟩ , ∣ 𝑆 𝑎 ⟩ ) to his ownbenefit, he has to know Alice’s secret key 𝐾 𝐴𝑎 to con-struct ∣ 𝑆 𝑎 ⟩ . However, this is impossible due to the un-conditionally secure quantum key distribution. Besides,the use of quantum one-time pad algorithm enhances thesecurity. Thus, Bob cannot get the correct ∣ 𝑆 𝑎 ⟩ . There-fore, the arbitrator will discover this forgery. If the at-tacker Eve tries to forge Alice’s signature ∣ 𝑆 ⟩ for her ownsake, she also should know the secret keys 𝐾 𝐴𝑎 and 𝐾 𝐴𝐵 .However, the public information that he can obtain suchas ∣ 𝑆 ⟩ , ∣ 𝑌 𝐵 ⟩ , and ∣ 𝑌 𝑎𝐵 ⟩ betrays nothing about the secretkeys 𝐾 𝐴𝑎 and 𝐾 𝐴𝐵 . Hence, the forgery for Eve is alsoimpossible. B. Impossibility of disavowal by the signatory
If the signatory Alice and the receiver Bob disagreewith each other, the arbitrated trusted by both of themshould be required to make a judgment. Assume thatAlice disavows her signature. Then the arbitrator canconfirm that Alice has signed the message since the in-formation of Alices secret key 𝐾 𝐴𝑎 is involved in ∣ 𝑆 𝑎 ⟩ of the signature ∣ 𝑆 ⟩ = 𝐸 𝐾 𝐴𝐵 ( ∣ 𝑅 𝐴𝐵 ⟩ , ∣ 𝑆 𝑎 ⟩ ). Hence Alicecannot deny having signed the message. C. Bob can repudiate the integrality of thesignature
Suppose Bob repudiates the receipt of the signature.Then the arbitrator also can confirm that Bob has re-ceived the signature ∣ 𝑆 𝑎 ⟩ since he needs the assistanceof the arbitrator to verify the signature. For instance,the information of his key 𝐾 𝐵𝑎 is included in ∣ 𝑌 𝐵 ⟩ = 𝐸 𝐾 𝐵𝑎 ( ∣ 𝑆 𝑎 ⟩ ). So Bob cannot disavow that he has received ∣ 𝑆 𝑎 ⟩ .However, Bob can repudiate the integrality of the sig-nature ∣ 𝑆 ⟩ because he can reject the signature in StepV7. Similarly, Bob can repudiate the integrality of thesignature in the AQS schemes in Refs. [12, 13, 24].Are there some methods to improve the AQS schemesto avoid being disavowed the integrality of the signatureby Bob? We will give a new AQS scheme satisfying thatthe receiver Bob can not disavow the integrality of thesignature. V. An AQS scheme unable to be disavowed by Bob
We have known that the existing AQS schemes cannot avoid being disavowed for the integrality of the sig-nature by Bob. In this section, we will present a new AQSscheme without using quantum entangled states that canavoid being disavowed for the integrality of the signatureby the receiver Bob.Note that the QKD schemes [2–4] utilize generallya public board or a classical channel that can not beblocked. Lee et al. [15] proposed an AQS scheme with apublic board which can be adapted to sign classical mes-sages. Also, we use a public board or a classical channelthat can not be blocked to improve the AQS schemes toavoid being disavowed for the integrality of the signatureby Bob. To avoid being disavowed by Bob, we must setthe arbitrator’s verifying after Bob’s verifying.The presented scheme also involves three participants,namely, signatory Alice, receiver Bob, and the arbitra-tor, and includes three phases, the initializing phase, thesigning phase, and the verifying phase.
A. Initializing phase
Step I1 ′ . Alice shares the secret keys 𝐾 𝐴𝑎 and 𝐾 𝐴𝐵 with the arbitrator and Bob, respectively, by usingthe quantum key distribution protocols [2–4] that wereproved to be unconditionally secure [5–8]. Similarly, Bobshares the secret key 𝐾 𝐵𝑎 with the arbitrator. B. Signing phase
Step S1 ′ . Alice randomly chooses a number 𝑟 ∈{ , } 𝑛 and computes ∣ 𝑃 ′ ⟩ = 𝐸 𝑟 ( ∣ 𝑃 ⟩ ), and ∣ 𝑅 𝐴𝐵 ⟩ = 𝑅 𝐾 𝐴𝐵 ( ∣ 𝑃 ′ ⟩ ). Step S2 ′ . Alice generates ∣ 𝑆 𝑎 ⟩ = 𝐸 𝐾 𝐴𝑎 ( ∣ 𝑃 ′ ⟩ ). Step S3 ′ . Alice generates her signature ∣ 𝑆 ⟩ = 𝐸 𝐾 𝐴𝐵 ( ∣ 𝑃 ′ ⟩ , ∣ 𝑅 𝐴𝐵 ⟩ , ∣ 𝑆 𝑎 ⟩ ) and sends it to Bob. If they arefar away from each other, they can use quantum repeaters[27, 28] and fault-tolerant quantum computation [29, 30]to ensure the signature ∣ 𝑆 ⟩ being transferred perfectly. C. Verifying phase
Step V1 ′ . Bob decrypts ∣ 𝑆 ⟩ with 𝐾 𝐴𝐵 and gets ∣ 𝑃 ′ ⟩ , ∣ 𝑅 𝐴𝐵 ⟩ , and ∣ 𝑆 𝑎 ⟩ . Step V2 ′ . Bob obtains ∣ 𝑃 ′ 𝐵 ⟩ = 𝑅 − 𝐾 𝐴𝐵 ( ∣ 𝑅 𝐴𝐵 ⟩ ) andcompares it with ∣ 𝑃 ′ ⟩ using the approach in Refs. [13,31]. If ∣ 𝑃 ′ 𝐵 ⟩ = ∣ 𝑃 ′ ⟩ , he generates and sends ∣ 𝑌 𝐵 ⟩ = 𝐸 𝐾 𝐵𝑎 ( ∣ 𝑃 ′ ⟩ , ∣ 𝑆 𝑎 ⟩ ) to the arbitrator. Otherwise, he rejectsthe signature. Step V3 ′ . The arbitrator decrypts ∣ 𝑌 𝐵 ⟩ and obtains ∣ 𝑃 ′ ⟩ and ∣ 𝑆 𝑎 ⟩ depending on the secret key 𝐾 𝐵𝑎 . Step V4 ′ . The arbitrator obtains ∣ 𝑃 ′ 𝑎 ⟩ = 𝐸 − 𝐾 𝐴𝑎 ( ∣ 𝑆 𝑎 ⟩ )and compares it with ∣ 𝑃 ′ ⟩ . If ∣ 𝑃 ′ 𝑎 ⟩ ∕ = ∣ 𝑃 ′ ⟩ , he tells Bob toreject the signature by the public board and the schemeaborts. Otherwise, he tells Alice and Bob the fact, ∣ 𝑃 ′ 𝑎 ⟩ = ∣ 𝑃 ′ ⟩ , by the public board. Step V5 ′ . Alice publishes 𝑟 by the public board. Step V6 ′ . Bob gets back ∣ 𝑃 ⟩ from ∣ 𝑃 ′ ⟩ by 𝑟 . VI. Security analysis of the AQS scheme using apublic board and comparison with other AQSschemes
Impossibility of forgery in the AQS scheme using apublic board in Section V can be discussed as that ofthe AQS scheme without entangled states in Section III.Similarly, we can prove the impossibility of being dis-avowed by the signatory. Here, we only discuss the im-possibility of being disavowed by the receiver Bob in theAQS scheme using a public board presented in SectionV.
A. Impossibility of disavowal by the receiver
It is clear that Bob must know the secret key 𝐾 𝐴𝐵 and ∣ 𝑃 ′ ⟩ = 𝑅 − 𝐾 𝐴𝐵 ( ∣ 𝑅 𝐴𝐵 ⟩ ) by Step V2 ′ . Furthermore, Bobmust have the secret key 𝐾 𝐵𝑎 and ∣ 𝑃 ′ ⟩ = 𝐸 − 𝐾 𝐴𝐵 ( ∣ 𝑆 𝑎 ⟩ ) byStep V3 ′ and Step V4 ′ . In addition, Bob can get back ∣ 𝑃 ⟩ from ∣ 𝑃 ′ ⟩ by Step V5 ′ and Step V6 ′ . By the uncon-dition security of the QKD and the quantum one-timepad, other people could not know both 𝐾 𝐴𝐵 and 𝐾 𝐵𝑎 .So, Bob can not disavow the receipt of the signature ∣ 𝑆 ⟩ and the message ∣ 𝑃 ⟩ . Statement 1.
It is necessary that we only sent ∣ 𝑃 ′ ⟩ inthe scheme. Bob can confirm that ∣ 𝑆 ⟩ is Alice’s signatureand get ∣ 𝑃 ⟩ in Step V2 ′ if we use ∣ 𝑃 ⟩ instead of ∣ 𝑃 ′ ⟩ inthe scheme. So, Bob need not send ∣ 𝑌 𝐵 ⟩ to the arbitratorthat means Bob has a chance to disavow the receipt ofthe signature ∣ 𝑆 ⟩ and the message ∣ 𝑃 ⟩ . Statement 2.
If the message ∣ 𝑃 ⟩ needs to keep secret tothe arbitrator, we only need to modify Step V6 ′ as “Alicepublishes 𝑟 ⊕ 𝐾 ′ 𝐴𝐵 by the public board” where the 𝑖 thbit of 𝐾 ′ 𝐴𝐵 is ( 𝑖 + 6 𝑛 )-th bit of 𝐾 𝐴𝐵 . Statement 3.
Similarly, the new techniques that Bobcan not repudiate the integrality of the signature ∣ 𝑆 ⟩ andthe message ∣ 𝑃 ⟩ can keep secret to the arbitrator, can beused to improve the prior arbitrated quantum signatureschemes [12, 13]. B. Comparing with other AQS schemes
The proposed arbitrated quantum signature schemewith a public board without using entangled states cannot be disavowed by the receiver Bob while it maintainsall merits of the AQS scheme using two-particle entangledBell states in Ref. [13] and the AQS scheme using three-particle entangled GHZ states in Ref. [12]. The schemecan be adapted to both known and unknown quantumstates and still provides unconditional security by em-ploying QKD technology [2–9] and quantum one-timepads [26]. Furthermore, the AQS scheme with a pub-lic board is more efficient in the following two aspects.One is that the total number of the transmitted qubits(bits), when 𝑛 -qubit message is signed, is decreased asdescribed in Table I. By Ref. [13], we know that theAQS scheme using Bell states is more efficient than thatusing GHZ states. So, we only need to compare it withthe scheme using Bell states in Ref. [13]. Though Alice TABLE I: Comparing of the transmitted qubits quantityTransmission The scheme using The scheme usingBell states [13] a public boardAlice → Bob 4 𝑛 𝑛 Bob → The arbitrator 4 𝑛 𝑛 The arbitrator → Bob 6 𝑛 + 1 0The arbitrator publics 0 a constantAlice publics 0 2 𝑛 needs to publish the 2 𝑛 -bit randem string 𝑟 , the totalnumber of the transmitted bits and qubits is decreasedsignificantly.The other is that the complexity of implementing thescheme is reduced. Though the proposed scheme with a public board needs some local operations, it need notprepare and send Bell states and GHZ states because itdoes not use entangled states.From the discussions above, we conclude that the pro-posed scheme with a public board achieves a higher effi-ciency in transmission and can be implemented easily. VII. Conclusions
In this paper, we have proposed two arbitrated quan-tum signature schemes. This two scheme can be adaptedto both known and unknown quantum states and stillprovide unconditional security by employing QKD tech-nology [2–9] and quantum one-time pads [26]. In thefirst one, we have not used quantum entangled statesand proved it preserves the merits in the prior schemes[12, 13]. Furthermore, we have pointed out that there ex-ists a problem that Bob can repudiate the integrality ofthe signatures in the first scheme proposed in the paperand the prior schemes [12, 13]. To conquer this prob-lem, we have constructed a new arbitrated quantum sig-nature scheme without using quantum entangled statesbut using a public board. The new scheme has threeadvantages. First, it does not utilize entangled stateswhile it can preserve all merits in the existing schemes[12, 13]. Secondly, the integrality of the signature canavoid being disavowed by the receiver. In addition, itprovides a higher efficiency in transmission and reducesthe complexity of implementation. We have presented atechnique such that the message ∣ 𝑃 ⟩ can keep secret tothe arbitrator. Furthermore, we have pointed out thatthe new techniques can be used to improve on the priorarbitrated quantum signature schemes [12, 13]. Acknowledgements
This work is supported in part by the National Nat-ural Science Foundation (Nos. 60573006, 60873055),the Research Foundation for the Doctorial Programof Higher School of Ministry of Education (No.20050558015), Program for New Century Excellent Tal-ents in University (NCET) of China, and by projectof SQIG at IT, funded by FCT and EU FEDERprojects Quantlog POCI/MAT/55796/2004 and QSecPTDC/EIA/67661/2006, IT Project QuantTel, NoEEuro-NF, and the SQIG LAP initiative. [1] P. W. Shor,
Proceedings of the 35th Annual Symposiumon Foundations of Computer Science (IEEE, Los Alami-tos, 1994), Pages 124. P. W. Shor, SIAM Rev. , 303(1999).[2] C. H. Bennett and G. Brassard, Proceedings of the IEEEInternational Conference on Computers, Systems andSignal Processing (IEEE, New York, 1984), p. 175.[3] A. K. Ekert, Phys. Rev. Lett. , 661 (1991).[4] C. H. Bennett, Phys. Rev. Lett. , 3121 (1992).[5] H.-K. Lo and H. F. Chau, Science , 2050 (1999).[6] P. W. Shor and J. Preskill, Phys. Rev. Lett. , 441(2000).[7] D. Mayers. Journal of the ACM , 351 (2001).[8] H. Inamori, N. L¨utkenhaus, D. Mayers. Euro. Phys. J. D , 599 (2007).[9] M. A. Nielsen and I. L. Chuang. Quantum Conputationand Quantum Information . (Cambridge University Press,Cambridge, 2000).[10] H. Barnum, C. Cr´epeau, D. Gottesman, A. Smith, andA. Tapp,
Proceedings of the 43rd Annual IEEE Sympo-sium on Foundations of Computer Science (IEEE, LosAlamitos, 2002), p. 449.[11] M. Curty, D. J. Santos, E. P´erez, and P. Garc´ıa-Fern´andez, Phys. Rev. A , 022301 (2002).[12] G. H. Zeng and C. H. Keitel. Phys. Rev. A , 042312(2002).[13] Q. Li, W. H. Chan, and D. Y. Long, Phys. Rev. A ,054307 (2009).[14] D. Gottesman and I. L. Chuang.arXiv: quant-ph/0105032 (2001).[15] H. Lee, C. Hong, H. Kim, J. Lim, and H. J. Yang, Phys.Lett. A , 295 (2004).[16] X. L¨u and D. G. Feng, Proceedings of the First Inter-national Symposium on Computational and InformationScience (Springer, Berlin, 2004), p. 1054.[17] J. Wang, Q. Zhang, and C. J. Tang,
Proceedings of theEighth International Conference on Advanced Communi- cation Technology (IEEE, New York, 2006), p. 1375.[18] X. J. Wen, Y. Liu, and Y. Sun, Z. Naturforsch. A: Phys.Sci. , 147 (2007).[19] G. H. Zeng, M. Lee, Y. Guo, and G. Q. He, Int. J. Quan-tum Inf. , 553 (2007).[20] Y. G. Yang, Chin. Phys. B , 415 (2008).[21] X. L¨u and D. Feng, Proceedings of the SeventhInternational Conference on Advanced Communica-tion Technology (IEEE, Korea, 2005), p. 514 (Also,arxiv: quant-ph/04030462).[22] Z. Cao and O. Markowitch,
Proceedings of the Sixth In-ternational Conference on Information Technology: NewGenerations (IEEE, Las Vegas, 2009), p. 1574.[23] M. Curty and N. L¨utkenhaus, Phys. Rev. A , 046301(2008).[24] G. H. Zeng, Phys. Rev. A , 016301 (2008).[25] D. M. Greenberger, M. A. Horne, and A. Zeilinger, inBells Theorem, Quantum Theory, and Conceptions ofUniverse, edited by M. Kaftos (Kluwer, Dordrecht, 1989);D. M. Greenberger, M. A. Horne, A. Shimony, and A.Zeilinger, Am. J. Phys. , 1131 (1990).[26] P. O. Boykin and V. Roychowdhury, Phys. Rev. A ,042317 (2003).[27] H.-J. Briegel, W. D¨ur, J. I. Cirac, and P. Zoller, Phys.Rev. Lett. , 5932 (1998).[28] L.-M. Duan, M. D. Lukin, J. I. Cirac, and P. Zoller, Na-ture (London) , 413 (2001).[29] D. Aharonov and M. Ben-Or, Proceedings of the 29th An-nual ACM Symposium on Theory of Computing (ACM,New York, 1997), p. 176.[30] P. W. Shor,
Proceedings of the 37th Symposium onFoundations of Computer Science (IEEE, Los Alamitos,1996), p. 56.[31] H. Buhrman, R. Cleve, J. Watrous, and R. de Wolf, Phys.Rev. Lett.87