As mentioned above, these QDS proposals [5,6,7,8] are basic building blocks that only deal with sending a single-bit message while guaranteeing non-forgeability and non-repudiation. For a long multi-bit message, it is only mentioned that the basic building block must be iterated, but iterating the basic building block still does not suffice to define the entire protocol. Specifically, attacks arise if these building blocks are used to send a multi-bit message by naive iteration. Without loss of generality, we take the three-player case of the C-proposal as an example.

The C-proposal

Before presenting the attacks, let us give a brief introduction to the C-proposal, which is described in Figure 1.

Figure 1 C-proposal. (1) To sign a single bit (message m = 0 or 1) in the future, Alice generates two sequences and , where . The pair (m, PrivKey m ) is called a private key pair for message m. (2) Alice generates two copies of a sequence of coherent states with the coherent phases matching the angles in the sequence PrivKey 0 , thus , where α is a real positive amplitude. A sequence of such states is called a quantum signature. She sends one copy of the quantum signature to each of Bob and Charlie, informing them that it corresponds to message m = 0. Alice then does the same for the message m = 1. (3) Bob and Charlie send their copies of the sequences QuantSig 0 and QuantSig 1 through a multiport, saving the output states in quantum memory and noting which quantum signature corresponds to message m = 0 and which to m = 1. (4) To sign a single bit m with Bob, Alice sends the pair (m, PrivKey m ) to Bob over an untrusted channel. To authenticate the signature, Bob generates coherent states of amplitude α with the relative phase defined by the declared private key and interferes them individually with the states in his quantum memory. He monitors the number of photodetection events on his signal null-port arm and confirms the authenticity of the message if the number of photodetection events is below s a L. (5) To forward m, Bob forwards the pair (m, PrivKey m ) to Charlie. Charlie then performs a procedure analogous to Bob's and accepts the message as coming from Alice if his number of photodetection events is below s v L.

The analysis of C-proposal

From the C-proposal it can be seen that, if its basic building blocks are used to send a multi-bit message by naive iteration, a signed multi-bit message (M, PrivKey M ) (which we call a message-signature pair hereafter) is verified bit by bit, and there is no correlation among the quantum signatures on the signed message bits except that their labels are predetermined and sequential. Furthermore, as mentioned in Ref. 8, a QDS protocol has two stages: a preparation stage (distribution) and a message stage. The distribution stage serves to establish the required classical-quantum (or fully classical) correlations, which can later, in the message stage, be used by the sender to transmit messages to the recipients. Additionally, no further communication with any of the other players is required when the sender (say Alice) sends a message-signature pair to a recipient; neither the transferal nor the verification of the message-signature pair requires any feedback from Alice at all. Moreover, Alice may send many different message-signature pairs to the recipient and to other players later, in the message stage. Therefore, the verifier Charlie knows neither the length of a signed message nor the initial label of the quantum signature for the message sent by the recipient. This gives a dishonest recipient (say Bob) a chance to forge a complete message-signature pair by the following known-message attacks.

Forgery attack 1. Suppose that Bob has obtained a valid message-signature pair (M, PrivKey M ) from Alice, where and , and || denotes the concatenation of bits or bit strings. He chooses some contiguous bits of M (e.g., the first half of the bits) together with the corresponding private keys from PrivKey M , denoted (M′, PrivKey M ′ ), where

and

Then he sends the new message-signature pair (M′, PrivKey M ′ ) to Charlie. The forged message-signature pair (M′, PrivKey M ′ ) is a subset of the valid message-signature pair (M, PrivKey M ) and no signed bit m k is changed, i ≤ k ≤ j, i.e., M′ ⊆ M and PrivKey M ′ ⊆ PrivKey M . Therefore, each bit-signature pair (m k , ) of (M′, PrivKey M ′ ) matches the corresponding quantum signature stored by Charlie, so Bob's forgery introduces no error and the forged message-signature pair (M′, PrivKey M ′ ) will be accepted by Charlie. For example, suppose that Bob has received a message-signature pair (M, PrivKey M ) from Alice with M = “don't pay Bob 100$.” Bob is then able to send Charlie the message M′ = “pay Bob 100$.” together with the corresponding PrivKey M ′ , claiming that it comes from Alice, where the initial “don't” has been omitted. Since M′ ⊆ M and PrivKey M ′ ⊆ PrivKey M , Charlie will accept that it comes from Alice and give 100$ to Bob.

Forgery attack 2. Suppose that Bob has obtained two valid message-signature pairs (M 1 , ) and (M 2 , ) from Alice, where , , and . He chooses some contiguous bits of M 1 and of M 2 (e.g., the last half of the bits of M 1 and the first half of the bits of M 2 ) with their corresponding private keys to form a new message-signature pair (M″, PrivKey M ″ ), where

and

Then he sends the forged message-signature pair (M″, PrivKey M ″ ) to Charlie. Clearly, , and therefore, by an analysis similar to that of forgery attack 1, the forged message-signature pair (M″, PrivKey M ″ ) will also pass Charlie's verification.

Note that in forgery attack 2 the label of the quantum signature for the last bit of M 1 and the label of the quantum signature for the first bit of M 2 must be successive, i.e., if the label of the quantum signature for is l, then that for must be l + 1. This ensures that the labels of the quantum signatures for the forged message-signature pair (M″, PrivKey M ″ ) are sequential, so Bob's deception is not detected by Charlie. Additionally, an outside adversary Eve can also forge a valid message-signature pair when message-signature pairs are transmitted over an insecure channel. For example, she intercepts them when Alice sends message-signature pairs to a legitimate recipient and then forges a new message-signature pair in the same way that Bob does in the above forgery attacks.
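The following simulation is an added example, not code from the paper or from the C-proposal's authors. It replaces the quantum part of the C-proposal with a classical stand-in (a stored copy of each PrivKey_m per label, and exact comparison instead of the photodetection threshold s_v L), which is enough to show why the naive bit-by-bit iteration accepts both forgeries above: the verifier checks each (m, PrivKey_m) against its label and nothing binds the bits into one message. The `hardened_verify` function is the editor's own illustrative countermeasure, not something the paper proposes: every signed message is framed into fixed-size blocks and each block carries a signed (block index, block count) header, so a truncated or spliced pair is rejected even though every individual bit still matches. Block size `B`, header width `HDR`, and the sample messages are constructed values.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Classical stand-in for the C-proposal (added example, not the paper's code):
# for every label l and bit value m, Alice holds PrivKey_m^l and the recipients
# hold a "quantum signature" for it. Here the stored signature is a copy of the
# key and the interferometric test (threshold s_v*L) is an exact comparison.

HDR = 6          # header field width in bits (constructed value)
B = 2 * HDR + 8  # block size: index field, count field, one payload byte

Stored = Dict[Tuple[int, int], str]


@dataclass
class SignedMessage:
    start_label: int                 # label of the first signed bit
    pairs: List[Tuple[int, str]]     # (m_k, PrivKey_{m_k}) for each bit


class Alice:
    def __init__(self, n_labels: int):
        self.keys: Stored = {(l, m): secrets.token_hex(8)
                             for l in range(n_labels) for m in (0, 1)}
        self.next_label = 0

    def distribute(self) -> Stored:
        # Distribution stage: what Bob and Charlie end up holding per label.
        return dict(self.keys)

    def sign(self, bits: List[int]) -> SignedMessage:
        # Message stage: reveal PrivKey_m for each bit at the next sequential labels.
        start = self.next_label
        pairs = [(m, self.keys[(start + i, m)]) for i, m in enumerate(bits)]
        self.next_label += len(bits)
        return SignedMessage(start, pairs)


def naive_verify(stored: Stored, sm: SignedMessage) -> bool:
    """Bit-by-bit check of the naive iteration: every (m, key) must match the
    stored signature at its label; nothing else ties the bits together."""
    return all(stored.get((sm.start_label + i, m)) == key
               for i, (m, key) in enumerate(sm.pairs))


def truncate(sm: SignedMessage, i: int, j: int) -> SignedMessage:
    # Forgery attack 1: keep only the contiguous sub-pair for bits i..j-1.
    return SignedMessage(sm.start_label + i, sm.pairs[i:j])


def splice(sm1: SignedMessage, sm2: SignedMessage, i: int, j: int) -> SignedMessage:
    # Forgery attack 2: a suffix of M1 followed by a prefix of M2; requires
    # the labels of the two pairs to be successive.
    assert sm1.start_label + len(sm1.pairs) == sm2.start_label
    return SignedMessage(sm1.start_label + i, sm1.pairs[i:] + sm2.pairs[:j])


def str_to_bits(s: str) -> List[int]:
    return [(b >> k) & 1 for b in s.encode() for k in range(7, -1, -1)]


def to_bits(n: int, width: int) -> List[int]:
    return [(n >> k) & 1 for k in range(width - 1, -1, -1)]


def from_bits(bits: List[int]) -> int:
    return int("".join(map(str, bits)), 2)


def encode_blocks(payload: List[int]) -> List[int]:
    """Editor's illustrative hardening (an assumption, not the paper's proposal):
    one payload byte per block, each block prefixed by a signed (index, count) header."""
    assert payload and len(payload) % 8 == 0
    chunks = [payload[k:k + 8] for k in range(0, len(payload), 8)]
    total = len(chunks)
    assert total < 2 ** HDR
    out: List[int] = []
    for idx, chunk in enumerate(chunks):
        out += to_bits(idx, HDR) + to_bits(total, HDR) + chunk
    return out


def hardened_verify(stored: Stored, sm: SignedMessage) -> bool:
    """Accept only whole, block-aligned messages whose signed headers agree."""
    if not sm.pairs or sm.start_label % B or len(sm.pairs) % B:
        return False
    if not naive_verify(stored, sm):
        return False
    bits = [m for m, _ in sm.pairs]
    nblocks = len(bits) // B
    for k in range(nblocks):
        blk = bits[k * B:(k + 1) * B]
        if from_bits(blk[:HDR]) != k or from_bits(blk[HDR:2 * HDR]) != nblocks:
            return False
    return True


def demo() -> Dict[str, bool]:
    """Runs both forgeries against the naive and the hardened verifier."""
    results = {}
    alice = Alice(4000)
    charlie = alice.distribute()
    m = alice.sign(str_to_bits("don't pay Bob 100$."))
    forged1 = truncate(m, 6 * 8, len(m.pairs))        # drop the leading "don't "
    results["naive_genuine"] = naive_verify(charlie, m)
    results["naive_truncated"] = naive_verify(charlie, forged1)
    m1 = alice.sign(str_to_bits("refund Bob 10$."))
    m2 = alice.sign(str_to_bits("pay Bob 100$."))
    forged2 = splice(m1, m2, len("refund ") * 8, len(m2.pairs))
    results["naive_spliced"] = naive_verify(charlie, forged2)

    alice = Alice(4000)
    charlie = alice.distribute()
    m = alice.sign(encode_blocks(str_to_bits("don't pay Bob 100$.")))
    results["hard_genuine"] = hardened_verify(charlie, m)
    results["hard_truncated"] = hardened_verify(charlie, truncate(m, 6 * B, len(m.pairs)))
    m1 = alice.sign(encode_blocks(str_to_bits("refund Bob 10$.")))
    m2 = alice.sign(encode_blocks(str_to_bits("pay Bob 100$.")))
    results["hard_spliced"] = hardened_verify(charlie, splice(m1, m2, 7 * B, len(m2.pairs)))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Under the naive verifier all three pairs are accepted, including the two forgeries; under the hardened verifier the genuine message is accepted while both forgeries are rejected, because the first block of each forged pair carries a header index other than 0 and (for the truncation) a block count that disagrees with the number of blocks actually presented. The point is not that this particular framing is the right fix, but that a multi-bit scheme needs some signed binding between bits, their positions and the message boundaries, which iterating the single-bit block alone does not supply.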

As mentioned in Refs. 9, 10, a signature scheme is broken if an opponent can do any of the following with non-negligible probability:

Universal forgery (total break), in which he/she can forge a signature for any message.

Selective forgery, in which he/she can forge a signature for a particular message chosen by him/her.

Existential forgery, where he/she can forge a signature for at least one message, but has no control over the message whose signature he/she obtains, i.e., the message may be random or nonsensical.

However, if the basic building blocks in these proposals [5,6,7,8] are used to send a multi-bit message by naive iteration, a dishonest recipient or an outside adversary can successfully forge a valid signature for a particular message (chosen by himself/herself in advance from a valid signed message) by the above known-message attacks. Furthermore, in many cases the forged message is neither random nor nonsensical. For example, if the signed message sent by Alice is a contract, forgery attack 1 allows Bob to delete some items that are not beneficial to him, and forgery attack 2 allows him to add new items taken from another contract. Moreover, as a legal replacement for handwritten signatures, a DS is not only used to send a message; the signatory of a signature scheme would also like to feel that he/she may sign arbitrary documents prepared by others without fear of compromising his/her security, as in the case of a notary public who must sign more-or-less arbitrary documents on demand [10]. Therefore, it is a natural and reasonable assumption that an opponent may gain access to valid signatures for any messages of his/her choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages), i.e., we should allow an opponent to attempt a forgery in the model of adaptive chosen-message attacks; in this case, the opponent can forge a valid signature on any message chosen by himself/herself in advance.