Can you sign a quantum state?

Cryptography with quantum states exhibits a number of surprising and counterintuitive features. In a 2002 work, Barnum et al. argued informally that these strange features should imply that digital signatures for quantum states are impossible (Barnum et al., FOCS 2002). In this work, we perform the first rigorous study of the problem of signing quantum states. We first show that the intuition of Barnum et al. was correct, by proving an impossibility result which rules out even very weak forms of signing quantum states. Essentially, we show that any non-trivial combination of correctness and security requirements results in negligible security. This rules out all quantum signature schemes except those which simply measure the state and then sign the outcome using a classical scheme. In other words, only classical signature schemes exist. We then show a positive result: it is possible to sign quantum states, provided that they are also encrypted with the public key of the intended recipient. Following classical nomenclature, we call this notion quantum signcryption. Classically, signcryption is only interesting if it provides superior efficiency to simultaneous encryption and signing. Our results imply that, quantumly, it is far more interesting: by the laws of quantum mechanics, it is the only signing method available. We develop security definitions for quantum signcryption, ranging from a simple one-time two-user setting, to a chosen-ciphertext-secure many-time multi-user setting. We also give secure constructions based on post-quantum public-key primitives. Along the way, we show that a natural hybrid method of combining classical and quantum schemes can be used to "upgrade" a secure classical scheme to the fully-quantum setting, in a wide range of cryptographic settings including signcryption, authenticated encryption, and chosen-ciphertext security.

[1] Dennis Kretschmann, et al. The Information-Disturbance Tradeoff and the Continuity of Stinespring's Representation, 2008, IEEE Transactions on Information Theory.

[2] I. Chuang, et al. Quantum Digital Signatures, 2001, quant-ph/0105032.

[3] Andreas J. Winter, et al. Coding theorem and strong converse for quantum channels, 1999, IEEE Trans. Inf. Theory.

[4] Anne Broadbent, et al. Efficient Simulation for Quantum Message Authentication, 2016, ICITS.

[5] Yuliang Zheng, et al. Digital Signcryption or How to Achieve Cost(Signature & Encryption) << Cost(Signature) + Cost(Encryption), 1997, CRYPTO.

[6] Thomas Shrimpton. A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security, 2004, IACR Cryptol. ePrint Arch.

[7] Isaac L. Chuang, et al. Quantum Computation and Quantum Information (10th Anniversary edition), 2011.

[8] Tal Rabin, et al. On the Security of Joint Signature and Encryption, 2002, EUROCRYPT.

[9] Yehuda Lindell, et al. Introduction to Modern Cryptography, 2004.

[10] Stacey Jeffery, et al. Quantum Homomorphic Encryption for Circuits of Low T-gate Complexity, 2014, CRYPTO.

[11] Adam D. Smith, et al. Authentication of quantum messages, 2001, The 43rd Annual IEEE Symposium on Foundations of Computer Science, 2002. Proceedings.

[12] Elad Eban, et al. Interactive Proofs For Quantum Computations, 2017, 1704.04487.

[13] Louis Salvail, et al. Actively Secure Two-Party Evaluation of Any Quantum Operation, 2012, CRYPTO.

[14] Tommaso Gagliardoni, et al. Computational Security of Quantum Encryption, 2016, ICITS.

[15] Yehuda Lindell, et al. Introduction to Modern Cryptography, Second Edition, 2014.

[16] Louis Salvail, et al. Secure Two-Party Quantum Evaluation of Unitaries against Specious Adversaries, 2010, CRYPTO.

[17] Gorjan Alagic, et al. Quantum Non-malleability and Authentication, 2016, CRYPTO.

[18] Tommaso Gagliardoni, et al. Unforgeable Quantum Encryption, 2017, IACR Cryptol. ePrint Arch.