Signature-masked authentication is a type of authentication that a user can obtain services when the service provider ensured that the user has the corresponding credentials issued by a trusted central authentication (CA). In this paper, we introduce a new quantum signature-masked authentication scheme based on private key, in which, the centre of CA exports not only the original credential that certificates for the user by adding the user’s secret information but also private key between the user Alice and the service provider Bob. The shared private key makes it possible for the communicators to protect their encoded quantum message from CA cheating. It is proved that the scheme can resist the forgery attack, impersonation attack and outside attack. Also, as a potential application of the scheme, an electronic voting method by using signature-masked authentication is introduced.

Keywords: signature-masked authentication, quantum key distribution, greenberger-horne-zeilinger, digital video broadcasting

The most successful subject of quantum cryptography is quantum key distribution (QKD), which was firstly constructed by Bennett et al.¹ in 1984. It is believed that QKD is the first applied quantum information processing and its unconditional security has been proven.^2,3 Most recently, in addition to QKD, quantum cryptography protocols have been widely studied in many fields such as quantum digital signature, quantum message authentication, quantum image encryption and quantum steganography. Quantum digital signature is an important topic and a primitive component of modern cryptography. The digital signature is a mathematical scheme that maintains the authenticity of the data and digital document in channel.⁴ A secure quantum signature scheme requires that each user is able to generate his (her) own signature effectively and verifies the validity of another user"s signature on a specific document. Also, no one is able to efficiently generate the signatures of other users on documents that those users didn"t sign. Therefore, it can be used to guarantee the authenticity, integrity and non-disavowal of transmitted messages or the signer of a document.

Digital signature is commonly used in software distributions and financial transactions where it is important to detect forgery or tampering. The first quantum digital signature scheme was proposed by Gottesman, et al.⁵ Then, research made several advances. The problem of how to authenticate quantum information sent through a quantum channel between two communicating parties with the minimum amount of resources is addressed by M Curty, et al.⁷ and they define that one elementary quantum message (a qubit) can be authenticated with a key of minimum length. An algorithm by using a symmetrical quantum key cryptosystem and Greenberger-Horne-Zeilinger (GHZ) triplet states relies on the availability of an arbitrator suggested by G Zeng, et al.⁸ Based on two-particle entangled Bell states, Q Li, et al.⁹ proposed an arbitrated quantum signature scheme while providing a higher efficiency in transmission and reducing the complexity of implementation. In 2004 H Lee, et al.¹⁰ presented two quantum signature schemes with message recovery which relies on the availability of an arbitrator that one of them by using a public board while the others does not. However both schemes provide confidentiality of the message and a higher efficiency in transmission. A quantum digital signature scheme was proposed based on quantum mechanics by using public quantum keys publicized by the signatory to verify the validity of the signature introduced by X Lu, et al.¹¹ A prototype of quantum signature scheme using single photons and its extensions were presented.¹² A protocol which can be used in multi-user quantum signature was based on the correlation of GHZ states and the controlled quantum teleportation proposed by X Wen, et al.¹³ Also, a true quantum signature algorithm based on continuous-variable entanglement state is proposed¹⁴ and by employing the signature key, a message state is encoded into a 2k-particle entangled state and a two-particle entangled state is prepared. The resulting states are exploited as a signature of the message state. Yang¹⁵ proposed a multi-proxy quantum group signature scheme with threshold shared verification. In 2010, Naseri¹⁶ revisited a weak blind signature scheme based on the correlation of Einstein-Padolsky-Rosen pairs and was shown that the scheme in its original form does not complete the task of a blind signature fairly. In addition, two papers in this field were presented.^17,18

In many cryptography applications, there is a trusted centre of CA that exports the credential certificates to the qualified users. The user can obtain its services, when the service provider is ensured that users have the corresponding credentials issued by the CA. This type of authentication is called signature-masked authentication. In quantum signature-masked authentication scheme, the user can not send signature of the CA directly to the service provider while the service provider can be convinced that the user is legitimate and really knows the signature. Signature-masked authentication is widely used in many systems such as the identity authentication between Digital Set-Top-Box (DSTB) and smart card in secure Digital Video Broadcasting (DVB) service system.

Recently, some signature masked authentication has been proposed successively. The security of Zhang"s scheme analyze and a new quantum signature-masked authentication scheme proposed that in this scheme a semi-trusted center of CA issues the original credential certificates for a user and the final credential certificates is generated by adding her secret information.¹⁹ By using the Weil pairing based cryptographic primitives, signature-masked authentication schemes can be developed. In such a scheme, a legitimate user obtains a signature from a Certificate Authority, and for getting services from a service provider, he convinces the service provider that he has the signature without transmitting the original signature of the provider.²⁰ A secure quantum identification system combining a classical identification procedure and quantum key distribution is proposed.²¹ For user authenticated quantum key distribution in jammable public channel between Alice and Bob via an arbitrator Trent, the secure protocols provide data integrity and mutual identification of the messenger and recipient.²² A secure quantum key verification scheme, which can simultaneously distribute the quantum secret key and verify the communicators identity proposed.²³ Also in references²⁴⁻²⁶ quantum image encryption based on generalized Arnold transforms, quantum image XOR operations and generalized affine transform and logistic map was proposed by NR Zhou, et al.²⁴ Three protocols of quantum steganography based on probability measurements, the tensor product of Bell states and via a GHZ(4) state proposed in references.^27,28 In addition, an arbitrated Quantum Signature Scheme based on Cluster States with high-Efficient was proposed in reference.²⁹ what"s more, in relation to the quantum information a lot of research has been done³⁰⁻³⁴ that these methods can be used to exchange information in a safe way. This paper is organized as follows: In section 2, we introduce a quantum identity authentication based on public key as Zhang"s scheme³⁵ and we use the elementary method of this scheme in our new protocol. In section 3, we propose a quantum signature-masked authentication scheme based on the private key. In section 4, the security of the new protocol is analyzed. In section 5, a new electronic voting scheme proposed by using the protocol that is introduced in section 3. Conclusion is given in the last section.

In this section, we review the Zhang’s protocol. This protocol includes three participants, Alice as a user, Bob as a service provider and a centre of CA. Three phases of Zhang’s protocol are preparation phase, signature phase and authentication phase, which are as follows:

Preparation phase

Alice randomly selects a public key $K_a=\left(a_1\mathrm{,}{b}_1\mathrm{,}{a}_2\mathrm{,}{b}_2\mathrm{,}{a}_n\mathrm{,}{b}_n\right)$ for identity and sends it to CA. Then CA examines the qualification of Alice, if CA accepts Alice as a legitimate user, CA generates a private key $K_b=\left(e_1\mathrm{,}{f}_1\mathrm{,}{e}_2\mathrm{,}{f}_2\mathrm{,}{e}_n\mathrm{,}{f}_n\right)$ and sends it to Alice in a secure way. Also CA calculates $K=K_a\oplus K_b=\left(k_1^a\mathrm{,}{k}_1^b\mathrm{,}{k}_2^a\mathrm{,}{k}_2^b\mathrm{,}\mathrm{..}{k}_n^a\mathrm{,}{k}_n^b\right)$ and secretly stores it, where $\left(a_i\mathrm{,}{b}_i\mathrm{,}{e}_i\mathrm{,}{f}_i\mathrm{,}{k}_i^a\mathrm{,}{k}_i^b\right)\in \left\{\mathrm{0,1}\right\}$, and $\oplus$ represents bitwise exclusive-OR.

Signature phase

Suppose that an authentication message of Alice is $M=\left(c_1\mathrm{,}{c}_2\mathrm{,}{c}_n\right)$, where $C_i$ in $\{0,1\}$. Alice generates a quantum state encoded with $K_b$ expressed by $\mathrm{<mo>|</mo>}\varphi \rangle \mathrm{<mo>=</mo><mo>|</mo>}{\phi }_{c_1\oplus e_1\mathrm{,}{f}_1}\rangle \otimes \mathrm{<mo>|</mo>}{\phi }_{c_2\oplus e_2\mathrm{,}{f}_2}\rangle \otimes \otimes \mathrm{<mo>|</mo>}{\phi }_{c_i\oplus e_i\mathrm{,}{f}_i}\rangle$ , where a qubit $\mathrm{<mo>|</mo>}{\phi }_{c_i\oplus e_i\mathrm{,}{f}_i}\rangle \mathrm{,}i=(1,2,n)$  is one of the following states:

${\phi }_{\mathrm{0,0}}\rangle =|0\rangle$  (1)

${\phi }_{\mathrm{1,0}}\rangle =|1\rangle$

$\mathrm{<mo>|</mo><mo>|</mo>}{\phi }_{\mathrm{0,1}}\rangle =\frac{|0\rangle +|1\rangle }{\sqrt{2}}$

$\mathrm{<mo>|</mo>}{\phi }_{\mathrm{1,1}}\rangle =\frac{|0\rangle -|1\rangle }{\sqrt{2}}\mathrm{.}$

According to values of $f_i$, the quantum basis are selected. If $f_i=0$, then $c_i\oplus e_i$ is encoded in the Z-basis $c_i\oplus e_i$ and if $f_i=1$, then $c_i\oplus e_i$ is encoded in the X-basis $\left\{\right|+⟩,$

Alice sends the encoded quantum state $|\varphi ⟩$ to CA (to check eavesdropping, Alice inserts some decoy particles $S_{el}$ in the quantum state$|\varphi ⟩$. As soon as receiving $|\varphi ⟩$, CA applies $W^{\left[1\right]}$ to $|\varphi ⟩$ according to K

$W^{[1]}\mathrm{<mo>:</mo><mo>|</mo>}\varphi \rangle \to \mathrm{<mo>|</mo>}{\varphi }^{\prime }\rangle \mathrm{,}$

where $W^{\left[1\right]}$  is defined as

$W^{[1]}\mathrm{<mo>=</mo>}{U}_1^{[1]}{V}_1^{[1]}\otimes U_2^{[1]}{V}_2^{[1]}\otimes \mathrm{..}\otimes U_{\nu }^{[1]}{V}_n^{{}^{[1]}}$  (2)

and

$U_i^{[1]}\mathrm{<mo>=</mo>}U\mathrm{<mo\; stretchy="false">(</mo>}{k}_i^a\mathrm{<mo\; stretchy="false">)</mo>,}{V}_i^{[1]}\mathrm{<mo>=</mo>}V\mathrm{<mo\; stretchy="false">(</mo>}{k}_i^b\mathrm{<mo\; stretchy="false">)</mo>}$

$U(1)=i{\sigma }_y=|0\rangle \langle 1|-|1\rangle \langle 0|$  (3)

$U(0)=|0\rangle \langle 0|+|1\rangle \langle 1|$  

$V(1)=H\mathrm{<mo>=</mo>}\frac{1}{\sqrt{2}}(|0\rangle +|1\rangle )\langle 0|+\frac{1}{\sqrt{2}}(|0\rangle -|1\rangle )\langle 1|$  

$V(0)=|0\rangle \langle 0|+|1\rangle \langle 1|.$  

CA encodes quantum state $|{\varphi }^{\text{'}}⟩$, and he/she forms M sequence. For eavesdropping check CA prepares and inserts some decoy photons randomly in one of the states in eq. (1) into the sequence. Afterwards, CA sends quantum state $|{\varphi }^{\text{'}}⟩$ and all decoy photons to Bob.

Authentication phase

When Bob receives all photons and states, CA announces publicly the positions and the states of decoy photons. Therefore, using the decoy photon security checking method, they can check if the quantum channel is secure or not.^17,18 If they are confirmed that the channel is secure, Bob applies $W^{\left[2\right]}$ to $|{\varphi }^{\text{'}}⟩$ according to $K_a$

$W^{[2]}\mathrm{<mo>:</mo><mo>|</mo>}{\varphi }^{\prime }\rangle \to \mathrm{<mo>|</mo>}{{\varphi }^{\prime }}^{\prime }\rangle \mathrm{,}$  

where

$W^{[2]}=U_1^{[2]}{V}_1^{[2]}\otimes U_2^{[2]}{V}_2^{[2]}\otimes \mathrm{..}\otimes U_n^{[2]}{V}_n^{[2]}$  (4)

and

$U_i^{[2]}=U\mathrm{<mo\; stretchy="false">(</mo>}{a}_i\mathrm{<mo\; stretchy="false">)</mo>,}{V}_i^{[2]}=V\mathrm{<mo\; stretchy="false">(</mo>}{b}_i\mathrm{<mo\; stretchy="false">)</mo>}$  (5)

$U(1)=i{\sigma }_y=|0\rangle \langle 1|-|1\rangle \langle 0\mathrm{<mo>|</mo>}$  

$U(0)=|0\rangle \langle 0|+|1\rangle \langle 1|$  

$V(1)=H=\frac{1}{\sqrt{2}}(|0\rangle +|1\rangle )\langle 0|+\frac{1}{\sqrt{2}}(|0\rangle -|1\rangle )\langle 1|$  

$V(0)=|0\rangle \langle 0|+|1\rangle \langle 1|.$  

Bob measures $|{\varphi }^{\text{'}}⟩$ on the basis (0,0,0) and gets message $\left(c_1{\text{'}}^{\text{'}}{c}_2\mathrm{,}\mathrm{.}{c}_n\right)\text{'}$. If $\left(c_1\mathrm{,}{c}_2\mathrm{,}{c}_n\right)=(c_1{\text{'}}^{\text{'}}{c}_2\mathrm{,}\mathrm{.}{c}_n\text{'}\mathbf{)}$ the signature is valid. Otherwise, the signature is invalid.

Prior to present our scheme, let us say few words about the security of Zhang’s protocol. There are two objections to this Protocol, which are forgery attack and impersonation attack.¹⁹

Forgery attack

One means that Alice knows public key $K_a$  and private key $K_b$  namely $K\mathrm{<mo>=</mo>}{K}_a\oplus K_b$ , therefore CA and also Alice similarly can make the signature $|{\varphi }^{\text{'}}⟩$ which is called credential certificates in the traditional cryptography. Therefore, when Bob reserves the signature $|{\varphi }^{\text{'}}⟩$, he cannot recognize the true source of quantum state $|{\varphi }^{\text{'}}⟩$, which may be Alice sent or CA. If Alice is malicious, she can forge valid signature by herself to get some services from the services provider Bob.

Impersonation attack in this protocol CA may be untrusted. In the preparation phase CA got public key $K_a$ from Alice. An impersonation attack refers to an attack in which CA generates a quantum state $|{\varphi }^{\text{'}}⟩$ and obtain Alice’s signature (credential certificates) without Alice’s participation. Therefore, CA wants to get Alice’s privacy information by forging her credential certificates, but Zhang’s scheme cannot check the malicious CA from the legitimate user Alice.

Because of these two attacks, Zhang’s scheme is limited in many network systems.¹⁹ For example, in many cryptographic application when a user wants to some services from a service provider (e.g. a user applies for a driving license from the traffic management department), firstly he has to prove to the service provider that he is eligible (e.g. he has passed the driving examination) he has a credential certificate issued by a trusted center of CA. Therefore, the service provider prepares the service to the user. So the Zhang’s scheme is not secure. Considering the disadvantages of the Zhang’s scheme, in the next section, by using a private key, a new secure protocol for quantum signature-masked authentication is proposed and a new method of electronic voting is introduced by this scheme.

In the reference¹⁹ a quantum signature-masked authentication scheme introduced which seems very complicated. In this paper by removing some parts of previous method and making the necessary changes, we propose a quantum signature-masked authentication scheme based on the private key. This new introduced method is just as secure and is simpler than the previous one. Then by using this new method we introduce secure electronic voting scheme in the next section. Similar to the Zhang’s scheme, our protocol involves a user Alice, a service provider Bob and a center of CA and includes but the following is set up, signature-masked and authentication phases.

Alice and Bob select a public key $P_A$ and $P_B$ respectively:

$P_A\mathrm{<mo>=</mo>}\mathrm{<mo\; stretchy="false">(</mo>}{a}_1^A\mathrm{,}{b}_1^A\mathrm{,}{a}_2^A\mathrm{,}{b}_2^A\mathrm{,}{a}_n^A\mathrm{,}{b}_n^A\mathrm{<mo\; stretchy="false">)</mo>}$ (6)

$P_B\mathrm{<mo>=</mo>}\mathrm{<mo\; stretchy="false">(</mo>}{a}_1^B\mathrm{,}{b}_1^B\mathrm{,}{a}_2^B\mathrm{,}{b}_2^B\mathrm{,}{a}_n^B\mathrm{,}{b}_n^B\mathrm{<mo\; stretchy="false">)</mo>}$ , (7)

where $a_i^A\mathrm{,}{b}_i^A\mathrm{,}{a}_i^B\mathrm{,}{b}_i^B\in \{0,1\}\mathrm{,0}\le i\le n$ . Alice and Bob send $P_A$  and $P_B$  to CA, while they insert sufficiently large number of decoy particles into them for eavesdropping check.

Once CA receives $P_A$  and $P_B$ , Alice and Bob announce publicly the positions and the states of the decoy particle. CA performs a suitable measurement on each decoy particle with the same basis as Alice and Bob chose. Then, comparing his measurement results with Alice’s and Bob’s announcement, CA can examine the qualification of Alice and Bob. If the CA accepts Alice and Bob as legitimated users, he/she generates private keys $S_A$  and $S_B$  for Alice and Bob respectively and sends them in a secure quantum way:

$S_A\mathrm{<mo>=</mo>}\mathrm{<mo\; stretchy="false">(</mo>}{c}_1^A\mathrm{,}{d}_1^A\mathrm{,}{c}_2^A\mathrm{,}{d}_2^A\mathrm{,}{c}_n^A\mathrm{,}{d}_n^A\mathrm{<mo\; stretchy="false">)</mo>}$ (8)

$S_B\mathrm{<mo>=</mo>}\mathrm{<mo\; stretchy="false">(</mo>}{c}_1^B\mathrm{,}{d}_1^B\mathrm{,}{c}_2^B\mathrm{,}{d}_2^B\mathrm{,}{c}_n^B\mathrm{,}{d}_n^B\mathrm{<mo\; stretchy="false">)</mo>}$  (9)

where $c_i^A\mathrm{,}{d}_i^A\mathrm{,}{c}_i^B\mathrm{,}{b}_i^B\in \{0,1\}\mathrm{,0}\le i\le n\mathrm{.}$

CA calculates and secretly stores $E_{\text{C}}\mathrm{<mo>=</mo>}{S}_A\oplus S_B\mathrm{<mo>=</mo><mo\; stretchy="false">(</mo>}{e}_1\mathrm{,}{f}_1\mathrm{,}{e}_2\mathrm{,}{f}_2\mathrm{,}\mathrm{,}{e}_n\mathrm{,}{f}_n\mathrm{<mo\; stretchy="false">)</mo>}$  where $e_i\mathrm{,}{f}_i\in \{0,1\}$ and $\oplus$ represents bitwise exclusive-OR.

Signature-masked phase

Alice’s authentication message is:

$M\mathrm{<mo>=</mo>}\mathrm{<mo\; stretchy="false">(</mo>}{m}_1\mathrm{,}{m}_2\mathrm{,}\mathrm{.}{m}_n\mathrm{<mo\; stretchy="false">)</mo>}$  (10)

 where $m_i\in \{0,1\}\mathrm{,0}\le i\le n$ . Alice generates an encoded quantum state $|{\varphi }^{\text{'}}⟩$ according to $S_A$:

$\mathrm{<mo>|</mo>}\varphi \rangle \mathrm{<mo>=</mo><mo>|</mo>}{\phi }_{m_1\oplus c_1^A\mathrm{,}{d}_1^A}\rangle \otimes \mathrm{<mo>|</mo>}{\phi }_{m_2\oplus c_2^A\mathrm{,}{d}_2^A}\rangle \otimes \mathrm{......}\otimes \mathrm{<mo>|</mo>}{\phi }_{m_n\oplus c_n^A\mathrm{,}{d}_n^A}\rangle$  (11)

 where for each $i=1,2,n$ , a qubit $\mathrm{<mo>|</mo>}{\phi }_{m_i\oplus c_i^A\mathrm{,}{d}_i^A}\rangle$  is one of the following states:

$\mathrm{<mo>|</mo>}{\phi }_{\mathrm{0,0}}\rangle =|0\rangle$

$\mathrm{<mo>|</mo>}{\phi }_{\mathrm{1,0}}\rangle =|1\rangle$  

$\mathrm{<mo>|</mo>}{\phi }_{\mathrm{0,1}}\rangle =\frac{|0\rangle +|1\rangle }{\sqrt{2}}$

$\mathrm{<mo>|</mo>}{\phi }_{\mathrm{1,1}}\rangle =\frac{|0\rangle -|1\rangle }{\sqrt{2}}\mathrm{.}$

Alice selects a private key $R_A=\left(g_1\mathrm{,}{h}_1\mathrm{,}{g}_2\mathrm{,}{h}_2\mathrm{,}\mathrm{..}{g}_n\mathrm{,}{h}_n\right)$ where $g_i\mathrm{,}{h}_i\in \left\{\mathrm{0,1}\right\}\mathrm{,0}\le i\le n$ and sends it to Bob in a secure quantum channel. In this part Alice again uses decoy particles eavesdropping check method for sending $R_A$ to Bob.

Alice applies $W^{\left[1\right]}$ to $|{\varphi }^{\text{'}}⟩$ according to RA and obtains the signature $|{\varphi }^{\text{'}}⟩$ 

$W^{\left[1\right]}:|\varphi ⟩\to |{\varphi }^{\text{'}}⟩\mathrm{,}$

$W^{\left[1\right]}$ is defined as

$W^{[1]}=U_1^{[1]}{V}_1^{[1]}\otimes U_2^{[1]}{V}_2^{[1]}\otimes \mathrm{..}\otimes U_n^{[1]}{V}_n^{[1]}$  (12)

where

$U_i^{[1]}=U\mathrm{<mo\; stretchy="false">(</mo>}{g}_i\mathrm{<mo\; stretchy="false">)</mo>,}{V}_i^{[1]}=U\mathrm{<mo\; stretchy="false">(</mo>}h\mathrm{<mo\; stretchy="false">)</mo>}$  (13)

$U(1)=i{\sigma }_y=|0\rangle \langle 1|-|1\rangle \langle 0\mathrm{<mo>|</mo>}$

$U(0)=|0\rangle \langle 0|+|1\rangle \langle 1|$

$V(1)=H=\frac{1}{\sqrt{2}}(|0\rangle +|1\rangle )\langle 0|+\frac{1}{\sqrt{2}}(|0\rangle -|1\rangle )\langle 1|$  

$V(0)=|0\rangle \langle 0|+|1\rangle \langle 1|.$

Then Alice sends $|{\varphi }^{\text{'}}⟩$ to CA through a secure quantum channel.

CA applies $W^{\left[2\right]}$ to $|{\varphi }^{\text{'}}⟩$according to $E_{\text{C}}\mathrm{<mo>=</mo>}{S}_A\oplus S_B$  and obtains the signature $\mathrm{<mo>|</mo>}S\rangle \mathrm{.}$  

$W^{[2]}:\mathrm{<mo>|</mo>}{\varphi }^{\prime }\rangle \to \mathrm{<mo>|</mo>}S\rangle \mathrm{,}$

$W^{\left[2\right]}$ is defined as

$W^{[2]}=U_1^{[2]}{V}_1^{[2]}\otimes U_2^{[2]}{V}_2^{[2]}\otimes \mathrm{..}\otimes U_{\nu }^{[2]}{V}_{\nu }^{[2]}$  (14)

where

$U_i^{[2]}=U\mathrm{<mo\; stretchy="false">(</mo>}{e}_i\mathrm{<mo\; stretchy="false">)</mo>,}{V}_i^{[2]}=U\mathrm{<mo\; stretchy="false">(</mo>}f\mathrm{<mo\; stretchy="false">)</mo>}$  (15)

$U(1)=i{\sigma }_y=|0\rangle \langle 1|-|1\rangle \langle 0|$

$U(0)=|0\rangle \langle 0|+|1\rangle \langle 1|$

$V(1)=H=\frac{1}{\sqrt{2}}(|0\rangle +|1\rangle )\langle 0|+\frac{1}{\sqrt{2}}(|0\rangle -|1\rangle )\langle 1|$

$V(0)=|0\rangle \langle 0|+|1\rangle \langle 1|.$

Finally, CA sends signature $\mathrm{<mo>|</mo>}S\rangle$ to Bob.

Authentication phase

Bob authenticates Alice’s individuality, then applies$W^{\left[3\right]}$  to $\mathrm{<mo>|</mo>}S\rangle$  according to $Z_b\mathrm{<mo>=</mo>}{S}_B\oplus R_A\mathrm{<mo>=</mo><mo\; stretchy="false">(</mo>}{q}_1\mathrm{,}{t}_1\mathrm{,}{q}_2\mathrm{,}{t}_2\mathrm{,}{q}_n\mathrm{,}{t}_n\mathrm{<mo\; stretchy="false">)</mo>}$  obtains the signature $\mathrm{<mo>|</mo>}{S}^{\prime }\rangle$ , where:

$W^{[3]}\mathrm{<mo>:</mo><mo>|</mo>}S\rangle \to \mathrm{<mo>|</mo>}{S}^{\prime }\rangle \mathrm{,}$

$W^{[3]}=U_1^{[3]}{V}_1^{[3]}\otimes U_2^{[3]}{V}_2^{[3]}\otimes \otimes U_n^{[3]}{V}_n^{[3]}$  (16)

and

$U_n^{[3]}\mathrm{<mo>=</mo>}U\mathrm{<mo\; stretchy="false">(</mo>}{q}_i\mathrm{<mo\; stretchy="false">)</mo>,}{V}_n^{[3]}\mathrm{<mo>=</mo>}V\mathrm{<mo\; stretchy="false">(</mo>}t\mathrm{<mo\; stretchy="false">)</mo>}$  (17)

$U(1)=i{\sigma }_y=|0\rangle \langle 1|-|1\rangle \langle 0|$

$U(0)=|0\rangle \langle 0|+|1\rangle \langle 1|$

$V(1)=H=\frac{1}{\sqrt{2}}(|0\rangle +|1\rangle )\langle 0|+\frac{1}{\sqrt{2}}(|0\rangle -|1\rangle )\langle 1|$

$V(0)=|0\rangle \langle 0|+|1\rangle \langle 1|.$

Bob measures $\mathrm{<mo>|</mo>}{S}^{\prime }\rangle$  on the basis (0,0,0) and gets message $M^{\prime }\mathrm{<mo>=</mo><mo\; stretchy="false">(</mo>}{m}_1{\text{'}}^{\prime }{m}_2\mathrm{,}\mathrm{..}{m}_n\mathrm{<mo\; stretchy="false">)</mo>}\text{'}$ . If $\mathrm{<mo\; stretchy="false">(</mo>}{m}_1\mathrm{,}{m}_2\mathrm{,}\mathrm{.,}{m}_n\mathrm{<mo\; stretchy="false">)</mo><mo>=</mo><mo\; stretchy="false">(</mo>}{m^{\prime }}_1{m^{\prime }}_2\mathrm{,}\mathrm{.}{m^{\prime }}_n\mathrm{<mo\; stretchy="false">)</mo>}$  the signature is valid. Otherwise, the signature is invalid.

We can show correctness of the proposed quantum signature-masked authentication scheme based on private key as follow.

The initial quantum state $|\varphi ⟩$ generated according to $S_A$  by Alice. During the signature-masked and authentication phases, it passes the following process:

$messageM{\to }^{S_A}\mathrm{<mo>|</mo>}\varphi \rangle {\to }^{R_A}\mathrm{<mo>|</mo>}{\varphi }^{\prime }\rangle {\to }^{S_A\oplus S_B}\mathrm{<mo>|</mo>}S\rangle {\to }^{S_B\oplus R_A}\mathrm{<mo>|</mo>}{S}^{\prime }\rangle$  (18)

 By equations (8), (9) and $R_A$ we have:

$d_i^A\mathrm{<mo>=</mo>}{h}_i\oplus d_i^A\oplus d_i^B\oplus d_i^B\oplus h_i$ (19)

$d_i^A\mathrm{<mo>=</mo>}{h}_i\oplus d_i^A\oplus d_i^B\oplus d_i^B\oplus h_i$ (20)

As previously noted, Bob can measure $\mathrm{<mo>|</mo>}{S}^{\prime }\rangle$  on the basis $\left(\right|0⟩,|0⟩,\mathrm{..}|0⟩)$ and get $\left({m^{\text{'}}}_1{m^{\text{'}}}_2\mathrm{,}{m^{\text{'}}}_n\right),$  and it is easy to verify $\mathrm{<mo\; stretchy="false">(</mo>}{m^{\prime }}_1\mathrm{,}{m^{\prime }}_2\mathrm{,}\mathrm{.}{m^{\prime }}_n\mathrm{<mo\; stretchy="false">)</mo><mo>=</mo><mo\; stretchy="false">(</mo>}{m}_1\mathrm{,}{m}_2\mathrm{,}{m}_n\mathrm{<mo\; stretchy="false">)</mo>}$  holds.

In this section, a security of the proposed scheme is analyzed and it has been shown that the protocol withstands forgery attack, impersonation attack and outside attack. First of all, it’s noted that all states and keys are transferred in secure quantum channel and sent by using the decoy particles eavesdropping check method. Therefore, the probability of an attack is low. It is also possible one of the user, the service provider or the center of authentication is untrustworthy.

Alice forgery attack

Let us discuss how the proposed protocol withstands the Alice forgery attack.

In this scheme, Alice may be dishonest. We show that she cannot forge $|S⟩$. The verifying process of the signature $|{\varphi }^{\text{'}}⟩$ must use the private keys $S_A$ and $S_B$, so the receiver Bob can confirm Alice’s legation with the help of CA. An effective $|S⟩$ needs using the knowledge of the Bob’s private key $S_B$, because Alice does not know the value of $S_B$, she cannot forge signature $|S⟩$. Concluding, a malicious Alice cannot forge credential certificates by herself to get some services from the service provider Bob.

Bob forgery attack

Suppose that, an attacker wants to impersonate the service provider Bob to verify Alice’s identity in order to provide some false services. In the verify phase, a verifier has to use his private key $S_B$ and the shared private keys $R_A$ between Alice and Bob to verify the validity of Alice’s credential certificates $|S⟩$ . Only the service provider B ob has the two keys $S_B$ and $R_A$. So no one can verify the validity of Alice’s credential certificates except Bob. As well as, one possible strategy for the malicious Bob that tries to forge Alice’s signature is to obtain the private key $R_A$ to generate $|{\varphi }^{\text{'}}⟩$, however, since the key is distributed through quantum key distribution, it would be impossible, . Moreover, the service provider Bob does not know Alice’s private key$S_A$, therefore Alice’s credential certificates $|{\varphi }^{\text{'}}⟩$ cannot be forged by the service provider.

Impersonation attack

The new proposed scheme based on private key can withstand the impersonation attack. May be, an attacker may impersonate the user Alice in order to use some services from the service provider Bob. Firstly, CA may forge Alice’s credential certificates $|{\varphi }^{\text{'}}⟩$, then impersonate Alice to obtain some services from the service provider Bob, actually CA may be destructive. CA can not generate a valid , because an effective $|{\varphi }^{\text{'}}⟩$ needs using the knowledge of the shared key $R_A$ that is transmitted between Alice and Bob in secure quantum channel. So, the quantum state $|{\varphi }^{\text{'}}⟩$ is unknown to CA and CA cannot impersonate the user Alice to get some services from the service provider Bob.

Outside attack

Alice, Bob and CA as the participants, are still unable to forge signatures, let assume an outsider attacker Eve. All the keys, quantum states and messages transmitted through quantum channel are encrypted by using a decoy particles encryption algorithm. Also, in our proposed scheme based on a private key, the CA issues the original signature for the qualified Alice. Because no one knows the two private keys $S_A$ and $S_B$ except CA, only CA can generate $|S⟩$. Therefore, our scheme is manageable and withstands the outside attack.

In this section, we proposed a new method of Electronic voting by using the quantum signature- masked authentication based on private key that introduced in previous section. Electronic voting includes the following several parties:

1. Elector and owner of the vote message is the voter Alice.
2. Charlie is the vote management center and signer that checks the qualification of voters, distributes ballots.
3. Bob is the center of counting votes and teller.
4. Diana is a scrutineer that supervises the behaviour of Charlie. Charlie and Diana will verify the messages and signatures.

Proposed Electronic voting contains three phases:

1. Setup
2. Vote stage
3. Counting ballots and supervising.

Set up phase

First, the voter Alice sends her identification information to the vote management center Charlie. Then Charlie checks whether Alices identity is eligible and whether this vote is the first one. If not, he will refuse to award tickets. Conversely, if Alice satisfies the vote conditions, the vote management center will randomly assign Alice a unique vote ID and this means that the voter registration is successful. After registration, the public keys $P_A$ and $P_B$ and private keys $S_A$ and $S_B$ such as (6), (7), (8), (9) share between Alice, Bob and Charlie. Charlie calculates and secretly stores $E_{\text{C}}\mathrm{<mo>=</mo>}{S}_A\oplus S_B\mathrm{.}$

Vote stage

Alice converts the vote message M into a n-bit binary sequence. That is

$M\mathrm{<mo>=</mo>}\mathrm{<mo\; stretchy="false">(</mo>}{m}_1\mathrm{,}{m}_2\mathrm{,}\mathrm{.}{m}_n\mathrm{<mo\; stretchy="false">)</mo>}$ ,                         (21)

where $m_i\in \{0,1\}\mathrm{,0}\le i\le n$ . The vote message M is blind to quantum state $|{\varphi }^{\text{'}}⟩$ according to $S_A$ as defined in previous section by (11). Alice sends $|{\varphi }^{\text{'}}⟩$ to scrutineers Diana.

Alice selects a serial number as binary sequences $R_A{g}_1\mathrm{,}{h}_1\mathrm{,}{g}_2\mathrm{,}{h}_2\mathrm{,}\mathrm{,}{g}_n\mathrm{,}{h}_n$ where $g_i\mathrm{,}{h}_i\in \{0,1\}\mathrm{,0}\le i\le n$  and sends it to the center of counting votes Bob.

Alice applies $W^{\left[1\right]}$ according to serial number $R_A$ to $|{\varphi }^{\text{'}}⟩$ obtains the signature $|{\varphi }^{\text{'}}⟩$ and sends it to the vote management center Charlie. The $W^{\left[1\right]}$ define by (12).

The vote management Charlie applies $W^{\left[2\right]}$ : $\mathrm{<mo>|</mo>}{\varphi }^{\prime }\rangle \to \mathrm{<mo>|</mo>}S\rangle$  according to $E_{\text{C}}\mathrm{<mo>=</mo>}{S}_A\oplus S_B$ and sends signature $|S⟩$ to teller Bob.

Counting ballots and supervising

The center of counting votes Bob after receiving the signed votes and authenticates Alice’s $W^{\left[3\right]}$  : $\mathrm{<mo>|</mo>}S\rangle \to \mathrm{<mo>|</mo>}{S}^{\prime }\rangle$  according to private key and serial number $Z_b\mathrm{<mo>=</mo>}{S}_B\oplus R_A\mathrm{<mo>=</mo>}\mathrm{<mo\; stretchy="false">(</mo>}{q}_1\mathrm{,}{t}_1\mathrm{,}{q}_2\mathrm{,}{t}_2\mathrm{,}{q}_n\mathrm{,}{t}_n\mathrm{<mo\; stretchy="false">)</mo>}\mathrm{.}$

Bob sends $\mathrm{<mo>|</mo>}{S}^{\prime }\rangle$  to scrutineers Diana.

Bob measures $\mathrm{<mo>|</mo>}{S}^{\prime }\rangle$  on the basis $\left(\right|0⟩,|0⟩,|0⟩)$  and gets $\mathrm{<mo\; stretchy="false">(</mo>}{m^{\prime }}_1\mathrm{,}{m^{\prime }}_2\mathrm{,}\mathrm{.,}{m^{\prime }}_n\mathrm{<mo\; stretchy="false">)</mo>},$ if $\mathrm{<mo\; stretchy="false">(</mo>}{m^{\prime }}_1\mathrm{,}{m^{\prime }}_2\mathrm{,}{m^{\prime }}_n\mathrm{<mo\; stretchy="false">)</mo><mo>=</mo><mo\; stretchy="false">(</mo>}{m}_1\mathrm{,}{m}_2\mathrm{,}{m}_n\mathrm{<mo\; stretchy="false">)</mo>}$ the vote is legible and signature masked can be verified otherwise, vote and signature is invalid.

Under the scrutineer Diana, the teller Bob gets every voter’s ballot. Diana as a supervisor compares the signature message $\mathrm{<mo>|</mo>}{S}^{\prime }\rangle$  that Bob sent with the $\mathrm{<mo>|</mo>}\varphi \rangle$ . If these two states are equal, it means the signature masked and vote is valid if not, which indicates the presence of cheating.

For the voters to confirm information later, every voter’s ballot number and election contents are posted on bulletin boards.

Finally, if there is no dispute announce to the public that that the election is effective and announce the election results.

The proposed electronic voting is secure because the quantum- signature masked authentication protocol that used for voting is protected under the each kind of attack (as explained in section 4).

In summary, a quantum signature-masked authentication scheme based on private key is pro- posed. Different from previous protocols, by using the private key $R_A$ that is only known by Alice and Bob, the center of CA does not know the contents of the message. The user’s final credential certificate is issued by hers and CA together. It has been shown that the proposed protocol can resist not only inside attacks such as the participant’s Alice’s forgery attack, Bob’s forgery attack, impersonation attack but also it is secure against outside attacks which can be widely used in many systems, such as the identity authentication between Digital Set-Top-Box (DSTB) and smart card in secure Digital Video Broadcasting (DVB) service system. Also, we introduce a new electronic voting scheme by using this secure method.

This work is supported by Kermanshah Branch, Islamic Azad University

1. CH Bennett, G Brassard. Quantum Cryptography Public Key Distribution and Coin Tossing. In Proceedings of IEEE International Conference on Computers Systems and Signal Processing; 1984 December; India. p. 175−179.
2. D Mayers. Unconditional security in quantum cryptography. Journal of the ACM. 2001;48(3):351−406.
3. P Shor, J Priskill. Simple proof of security of the bb84 quantum key distribution protocol. Physical Review Letters. 2000;85:441−444.
4. O Goldreich. Foundations of Cryptography. UK: Cambridge university press; 2001.
5. D Gottesman, I Chuang. Quantum digital signatures. 2001. p. 8.
6. H Barnum, C Crepeau, D Gottesman, et al. Authentication of quantum messages. The 43rd Annual IEEE Symposium on Foundations of Computer Science; 2002 Nov 19; IEEE: Canada. p. 449−458.
7. M Curty, DJ Santos, E Perez, et al. Qubit authentication. Physical Review A. 2002;66(2):022301.
8. G Zeng, CH Keitel. Arbitrated quantum−signature scheme. Physical Review A. 2002;65(4):042312.
9. Q Li, WH Chan, DY Long. Arbitrated quantum signature scheme using Bell states. Physical Review A. 2009;79(5):054307.
10. H Lee, C Hong, H Kim, et al. Arbitrated quantum signature scheme with message recovery. Physics Letters A. 2004;321(5−6):295−300.
11. X Lu, D Feng. Quantum digital signature based on quantum one-way functions. The 7th International Conference on Advanced Communication Technology; 2005 July 21−23; South Korea. p. 514−517.
12. J Wang, Q Zhang, C Tang. Quantum signature scheme with single photons. Optoelectronics Letters. 2006;2(3):209−212.
13. X Wen, Y Liu, Y Sun. Quantum multi-signature protocol based on teleportation. Zeitschrift fur Naturforschung A. 2007;62(3−4)147−151.
14. G Zeng, M Lee, Y Guo, et al. Continuous variable quantum signature algorithm. International Journal of Quantum Information. 2007;5(4):553−573.
15. YG Yang. Multi-proxy quantum group signature scheme with threshold shared verification. Chinese Physics B. 2008;17(2):415.
16. M Naseri. A weak blind signature based on quantum cryptography. International Journal of the Physical Sciences. 2011;6(21):5051−5053.
17. Naseri M. Comment on: “secure direct communication based on ping-pong protocol” [ Quantum Inf. Process. 8, 347 ( 2009)]. Quantum Information Processing. 2010;9(6):693−698.
18. Sheikhehi F, Naseri M. Probabilistic bidirectional quantum secure communication based on a shared partially entangled states. International Journal of Quantum Information. 2011;9(supp 0l):357−365.
19. WM Shi, YG Yang, YH Zhou. Quantum signature masked authentication schemes. Optik. 2015;126(23):3544−3548.
20. FG Zhang, K Kim. Signature-masked Authentication Using the Bilinear Pairings. Cryptology and Information Security Laboratory (CAIS), Information and Communications University, South Korea. 2002.
21. M Dusek, O Haderka, M Hendrych, et al. Quantum identification system. Physical Review A. 1999;60:149156.
22. D Ljunggren, M Bourennane, A Karlsson, et al. Authority−based user authenticationin quantum key distribution. Physical Review A. 2000;62:022305.
23. GH Zeng, WP Zhang. Identity verification in quantum key distribution. Physical Review A. 2001;61:022303.
24. N Zhou, T Hua, L Gong, et al. Quantum image encryption based on generalized Arnold transform and double random phase encoding. Quantum Information Processing. 2015;14(4):1193−1213.
25. H Liang, X Tao, N Zhou. Quantum image encryption based on generalized affine transform and logistic map. Quantum Information Processing. 2016;15(7):2701−2724.
26. L Gong, X He, Sh Cheng, et al. Quantum image encryption algorithm based on quantum image XOR operations. International Journal of Theoretical Physics. 2016;55(7):3234−3250.
27. ZH Wei, XB Chen, XX Niu, et al. A novel quantum steganography protocol based on probability measurements. International Journal of Quantum Information. 2013;11(7):1350068.
28. SJ Xu, XB Chen, XX Niu, et al. High-efficiency quantum steganography based on the tensor product of Bell states. Science China−Physics Mechanics and Astronomy. 2013;56(9):1745−1754.
29. N Fatahi, M Naseri, LH Gong, et al. High−Efficient Arbitrated Quantum Signature Scheme Based on Cluster States. International Journal of Theoretical Physics. 2016;56(2):609−616.
30. M Naseri, Sh Heidari, M Baghfalaki, et al. A new secure quantum watermarking scheme. Optik. 2017;139:77−86.
31. M Naseri, M Abdolmaleky, F Parandin, et al. A New Quantum Gray−Scale Image Encoding Scheme, Communication in Theoretical Physics. 2018;69(2):215226.
32. M Naseri, Sh Heidari, R Gheibi, et al. A novel quantum binary images thinning algorithm: A quantum version of the Hilditch’ s algorithm. Optik. 2017;131:678−686.
33. M Naseri, N Fatahi, A Farouk, et al. Applications of Quantum Mechanics in Secure Communication. In Hassanien A, Elhoseny M, Kacprzyk J, editors. Quantum Computing: An Environment for Intelligent Large Scale Real Application. Cham: Springer; 2018; p. 25−40.
34. M Naseri, LH Gong, M Houshmand, et al. An Anonymous Surveying Protocol via Greenberge-Horne-Zeilinger States. International Journal of Theoretical Physics. 2016;55(10):4436−4444.
35. XL Zhang. One-way quantum identity authentication based on public key. Chin Sci Bull. 2009;54:2018202.