Tao Shang , Zhuang Pei, Ranyiliu Chen and Jianwei Liu

Abstract:InJanuary2015,thefirstquantumhomomorphicsignatureschemewasproposed creatively.However,only one verifier is allowed to verify a signature once in this scheme.In order to support repeatable verification for general scenario,we propose a new quantum homomorphic signature scheme with repeatable verification by introducing serial verification model and parallel verification model.Serial verification model solves the problem of signature verification by combining key distribution and Bell measurement.Parallel veri fication model solves the problem of signature duplication by logically treating one particle of an EPR pair as a quantum signature and physically preparing a new EPR pair.These models will be beneficial to the signature verification of general scenarios.Scheme analysis shows that both intermediate verifiers and terminal verifiers can successfully verify signatures in the same operation with fewer resource consumption,and especially the verified signature in entangled states can be used repeatedly.

Keywords:Quantum homomorphic signature,repeatable verification,serial model,parallel model,bell measurement.

1 Introduction

Withtherapiddevelopmentofquantumcomputingtechnology[Liu,Xu,Yangetal.(2018)]and the feasibility of new quantum bit preparation technologies[Wang,Yang and Mousoli(2018)],quantum cryptographic protocols like quantum signature can play the full role of unconditional security.Quantum signature is a combination of quantum theory and classical digital signature.Unlike quantum-secure signatures which are based on classical hard problems against quantum adversaries,quantum signature can provide unconditionally secure signature by taking advantage of quantum effects.It has been paid much attention and many quantum signature schemes have been proposed.

In 2001,Gottesman et al.[Gottesman and Chuang(2001)]proposed the first quantum signature scheme based on quantum one-way functions and quantum Swap-test.In this scheme,the public key can only be used once for signing merely one bit of message each time.In 2002,Zeng et al.[Zeng and Keitel(2002)]proposed a pioneering arbitrated quantum signature(AQS)protocol which can be used to sign both classical message and quantum one.This scheme uses the correlation of Greenberger-Horne-Zeilinger(GHZ)triplet states and quantum one-time pads to ensure the security.As a necessary and important technique,probabilistic comparison of two unknown quantum states[Barnett,Chefles and Jex(2003);Filippov and Ziman(2012)]was also introduced to verify the validity of a signature.This work provides an elementary model to sign a quantum message.Although it was mentioned that both known and unknown quantum states could be signed,there were some corresponding comments about whether it was suitable for unknown messages[Curty and Lutkenhaus(2008);Zeng(2008)].Then a variety of quantum signature schemes were proposed.

As a kind of efficient signature,homomorphic signature[Johnson,Molnar,Song et al.(2002)]allows intermediate verifiers to generate a new signature by directly manipulating the original signatures of received messages without encryption operation.It has drawn much attention and many schemes have been proposed in classical cryptography.Classical homomorphic signature schemes are used to protect classical information in communication networks.However,it is believed that homomorphic signature of quantum information is more meaningful and difficult than its counterpart in classical cryptography.In 2015,Shang et al.[Shang,Zhao,Wang et al.(2015)]creatively treated entanglement swapping as a homomorphic operation and proposed the first quantum homomorphic signature(QHS)scheme.The scheme is additively homomorphic and can generate quantum signatures for classical messages,but only one verifier is allowed to verify the signature once in this scheme.In 2017,Shang et al.[Li,Shang and Liu(2017)]further proposed the quantum homomorphic signature scheme for continuous variables.In 2018,Shang et al.[Shang,Li and Liu(2018)]analyzed the measurement-device independency of the signature scheme.In fact,it is actually required that more than one verifier needs to verify a signature many times.The solution to such problems will be beneficial to the application of quantum homomorphic signature to general scenarios.

In this paper,from the viewpoint of repeatable verification of quantum signature in general scenarios,we propose a new quantum homomorphic signature scheme with repeatable verification which assures intermediate verifiers as well as terminal verifiers can verify signatures repeatedly.

2 Related works

2.1 Quantum homomorphic signature scheme

It is crucial for Shang et al.’s scheme[Shang,Zhao,Wang et al.(2015)]to treat one particle of an EPR pair as a quantum signature and entanglement swapping as a quantum homomorphic operation.The signed message is classical information and the corresponding signature is quantum information.

Figure 1:Quantum homomorphic signature scheme

As shown in Fig.1,the messages that the signersA1andA2want to send are the classical bitsX1andX2,respectively.The messages and the corresponding signatures will first be sent to the aggregatorM1.By performing entanglement swapping on the received quantum signatures,M1can generate the homomorphic signature of the encoded informationX1⊕X2.The encoded information and its signature will finally be sent to the verifierM2for verification.

The scheme consists of four algorithms,namely Setup,Sign,Combine and Verify.

(1)Setup

Step 1:quantum key distribution.A1(A2)chooses two classical bitsY1(Y2)as its secret key and shares this key withM2by the quantum key distribution protocol.Here,an improved BB84 protocol with authentication[Beige,Englert and Kurtsiefer(2002)]is used to ensure the security.

Step 2:EPR pair distribution.M1prepares two EPR pairs:

M1sends particles 2 and 4(namely|?〉2and|?〉4)toA1andA2,respectively.

(2)Sign

After receiving the particle fromM1,A1(A2)chooses a unitary operator according to the result ofX1⊕Y1(X2⊕Y2),and performs a corresponding operation on the particle 2(4).The particle 2(4)after the operation is viewed as the signature of the informationX1(X2).The unitary operator corresponding to the result ofXi⊕Yiis chosen as follows:

After the phase of Sign,the two EPR pairs become:

(3)Combine

Step 1:A1(A2)sends the encrypted informationX1⊕Y1(X2⊕Y2)and its signature|ψ′〉2namely the particle 2(4),to the aggregatorM1.

Step 2:M1performs a Bell measurement on the particles(1,3),the measurement result is noted as.According to entanglement swapping,the particles(2,4)will fall into a certain state.Here,the particle 4,namely,is exactly the signature of the informationX1⊕X2.

Step 3:M1sends the classical informationX1⊕Y1⊕X2⊕Y2and the particles(1,2,3,4)(namelyto the verifierM2.

(4)Verify

WhenM2gets the classical information and all the particles fromM1,it can verify the signature in the following steps:

Step 1:M2first performs a Bell measurement on the particles(1,3)to get,and then performs a Bell measurement on the particles(2,4)to get

Step 3:M2comparesZwithX1⊕Y1⊕X2⊕Y2.IfZ=X1⊕Y1⊕X2⊕Y2,M2accepts the signature;otherwise,M2denies the signature.

2.2 Main problems

For the quantum homomorphic signature scheme,there still exist several problems for general scenarios.

(1)An intermediate verifier cannot verify signatures.

Figure 2:Successive signature verification

Figure 3:Signature duplication

As shown in Fig.1,the aggregatorM1in this scheme can also be viewed as an intermediate verifier.While it can generate a quantum homomorphic signature from two received signaturesS1andS2,it cannot verify the latter ones in advance.If the messageXi⊕Yior its signatureSiwas changed during transmission,this change will not be found until all information arrives at the terminal verifierM2.Such problem is not evident in Shang et al’s scheme since the information passes through only two verifiers.As the number of intermediate verifiers increases,the problem will become really serious.

As we can see in Fig.2,the signerAfirst generates a signatureS1of the information X1,then the information and its signature passes through a series of intermediate verifiers(or verifier groups)till they finally arrive at the terminal verifierVn.Since the intermediate verifiers(verifier groups)cannot verify the signatures,all errors during the transmission can only be found by the terminal verifierVn,which not only causes the waste of resources,but also reduces the efficiency of communication.The more intermediate verifiers(verifier groups)there are,the more serious the problem will be.

(2)The duplication of quantum signature is not provided.

Let us take a look at the case of Fig.3.Here,we add a terminal verifierM3.Since the classical informationX1⊕Y1⊕X2⊕Y2could be easily duplicated,M1can send it toM2andM3at the same time.However,as there is only one share of quantum particles,just one verifier(M2orM3)can fulfill the verification of a signature.In order to assure that multiple verifiers can verify signatures,we should introduce the duplication of quantum signatures.

(3)The signature betweenM1andM2can be forged.

Assume that an attacker can intercept the classical informationX1⊕Y1⊕X2⊕Y2and the particles(1,2,3,4),then it can forge the signature.Here we take an example to illustrate it.

Example 1:Suppose that the state of the particles(1,3)after the entanglement swapping is,as a result=c·U(X1⊕ Y1⊕ X2⊕ Y2)(4).The verifier accepts the signature as long as the received classical messageZmatches the Bell state(here,Z=X1⊕ Y1⊕ X2⊕ Y2).For this reason,an attacker can forge the signature in a simple way.

An attacker just needs to replace the classical bitsX1⊕Y1⊕X2⊕Y2by a corrupt dataE while preparing two entangled particles(5,6)such that=c·U(E)(4).Obviously,the verifier would confirm the signature according to the received informationEand the particles(1,3,5,6).In other words,the attacker has forged the signature successfully.

3 Proposed QHS scheme

With regard to the problems in Section 2,we provide corresponding solutions.Firstly,we construct the serial verification model,and introduce key distribution and Bell measurement for intermediate verifiers to verify signatures.Secondly,we construct the parallel verification model,and realize the duplication of signatures by logically treating one particle of an EPR pair as a quantum signature and physically preparing a new EPR pair.

3.1 Serial verification model

Generally,in a homomorphic signature scheme,an intermediate verifier must verify the receivedsignaturesatfirstbeforegeneratinganewhomomorphicsignature.Forthisreason,we intend to realize the verification of quantum homomorphic signature for intermediate verifiers.Unlike classical homomorphic signatures who use public and private key pairs,the original quantum homomorphic signature scheme cannot take effect in that way.So we introduce key distribution to guarantee the verification of quantum homomorphic signature for intermediate verifiers.

We define serial verification as the case in which a message and its signature successively pass through a series of intermediate verifiers(or verifier groups)and finally reach terminal verifiers.In general,the serial verification model has an inverted pyramid-shaped structure as shown in Fig.4.

As we can see in Fig.4,A1,A2andA3are the signers;B1andB2are the intermediate verifiers(the first intermediate verifier group);C1is the terminal verifier(the second intermediate verifier group).The signed messages and their signatures will pass through the intermediate verifiers and finally arrive at the terminal verifier.

Compared to the original quantum homomorphic signature scheme,our scheme has made some changes.The main ideas are described as follows:

Figure 4:Serial verification model

1)In the original quantum homomorphic signature scheme,the EPR pairs are prepared by the first verifier group(e.g.,M1in Fig.1).On one hand,this means that the members of thefirst verifier group must be trusted nodes.On the other hand,this causes the dissimilarity of the verification operation between the verifiers.In order to assure the repeatability of our scheme,i.e.,all the verifiers can fulfill the verification of signatures in the same operation,the EPR pairs are prepared by the original signers.In fact,such change makes no difference to the generation of signatures and does not affect the properties of our scheme.

2)To solve the forgery problem in the original quantum homomorphic signature scheme,we transmit the encrypted classical informationEPri(Xi)instead ofXi⊕Yi.Here,Priis the private key of a signer for signing the messageXiandEis the encryption algorithm.To fulfill the verification of a signature,a signer has to send its public keyPbito its corresponding verifier so that the verifier can getXi=DPbi(EPri(Xi))with the decryption algorithmD.In our scheme,(Pri,Pbi)is called a signature key pair,andYiis called an encryption key.

According to the serial verification model,our quantum homomorphic signatures scheme can be described in the following steps.

(1)Setup

Step 1:secret key generation and distribution.The signer first generates a signature key pair(Pri,Pbi).Then it keeps the private keyPriand sends the public keyPbito its corresponding verifier by the quantum key distribution protocol such as an improved BB84 protocol with authentication[Beige,Englert and Kurtsiefer(2002)].In particular,A1sends its public keyPb1toB1;A2sendsPb2toB1andB2;A3sendsPb4toB2.In order to simplify the description and help the understanding of our scheme,we number the secret key pairs according to the messages.For example,the signerA2only needs to generate one secret key pair(Pr2,Pb2),but we also call it(Pr3,Pb3)when it is used to encrypt and decrypt the informationX3.In the following part,we will not point out this usage unless necessary.

The encryption keyYiis used for the confidentiality of a message and can also be shared by an improved BB84 protocol with authentication.

Step 2:EPR pair preparation.A1prepares an EPR pair;A2prepares two EPR pairsand;A3prepares an EPR pair.Here,

(2)Sign

A1calculates the result ofX1⊕Y1,and according to this result it performs a unitary operation on the particle 2.After this operation,the particle 2 can be viewed as the signature of X1(Note that the particles 1 and 2 are still entangled).Similarly,we can get the signatures ofX2,X3,andX4.

After the phase of Sign,the states of the entangled particles become

The signers then send the encrypted informationEPri(Xi)and the signature particles to their corresponding verifiers.To be concrete,A1sends the classical informationEPr1(X1)and the quantum particles(1,2)toB1;A2sendsEPr2(X2)and the particles(3,4)toB1;A2sendsEPr3(X3)and the particles(5,6)toB2;A3sendsEPr4(X4)and the particles(7,8)toB2.

(3)Verify original signatures

WhenB1receives the informationEPr1(X1)and its signatureS1(namely the particles(1,2)),it first gets the informationX1=DPb1(EPr1(X1))with the help of the public keyPb1and calculates the exclusive OR resultX1⊕Y1.Then it performs a Bell measurement on the particles(1,2).If the measurement result equals toU(X1⊕ Y1)(2)|φ+〉12,B1accepts the signature;otherwise,it denies the signature.

B1andB2can verify the other signatures in the same way.

(4)Combine

After the intermediate verifiers have verified the received signatures,they can generate the quantum homomorphic signature of the encoded message by entanglement swapping.The details of entanglement swapping are described in Shang et al.[Shang,Zhao,Wang et al.(2015)].

WhileB1measures the particles(1,3)to get,the particles(2,4)will collapse to a certain state.Here,is the generated quantum homomorphic signature which is also the signature of the messageX5=X1⊕X2.

B2can generate the signature ofX6=X3⊕X4in the same way.

(5)Verify homomorphic signatures

Step 1:generation and distribution of secret keys.B1calculates a new encryption key Y5=Y1⊕Y2and shares it withC1by the improved quantum key distribution protocol.B1generates a signature key pair(Pr5,Pb5),then it keeps the private keyPr5and sends the public keyPb5toC1by the improved quantum key distribution protocol.

Step 2:translation from quantum states to classical bits.B1translates the Bell measurement result of the particles(1,3)to classical bits according to the following rules:

Assume that the measurement result of the particles(1,3)in the entanglement swapping is=,then the state of the particles(2,4)will be=c·U(X1⊕Y1⊕X2⊕.In this case,the measurement result of the particles(1,3)will be translated into the classical bits 10.

By sending the classical bits,B1only needs to send 2 particles other than 4 particles to the terminal verifierC1,so doesB2.We can imagine that no matter how many verifiers there are,each intermediate verifier just needs to send 2 particles to its successor.Thus the number of quantum particles is reduced along with the verification of signatures.

Step 3:transmission of related information.First,B1sends the classical bits 10 toC1.To ensure the security,we use the improved quantum key distribution protocol.Then,B1sends the encoded and encrypted informationEPr5(X5)=EPr5(X1⊕X2)and the signature particles(2,4)toC1.

Step 4:verification of quantum homomorphic signature.As we just mentioned,if the state of the particles(1,3)is,the particles(2,4)will be in the corresponding state.According to the classical bits shared withB1,C1can easily derive.C1calculates X5=DPb5(EPr5(X5))andX5⊕Y5=X1⊕Y1⊕X2⊕Y2.Then it performs a Bell measurement on the particles(2,4).If the result equals to,it accepts the signature;otherwise,it denies the signature.

The signature ofX6=X3⊕X4can be verified in the same way.

When the number of verifiers in the serial verification model increases,we just need to repeat the above process and all verifiers can fulfill the verification of signatures.

3.2 Parallel verification model

As we mentioned earlier,the original scheme lacks the duplication of signatures,which makes it impossible for all verifiers to realize the verification in the case where an intermediate verifier is followed by more than one successors.So we add the operation of signature duplication and construct the parallel verification model.Here parallel verification refers to the situation in which a message and its signature have to be sent to more than one verifiers at the same time.

Figure 5:Parallel verification model

Fig.5showsascenariooftheparallelverificationmodel.Here,wehaveignoredthesigners and some intermediate verifiers to make the model more clear.Mis an intermediate verifier and hasNsuccessorsT1,T2,···,Tn.

Assume that,after the combination of signatures,Mholds an encoded and encrypted messageX1?=EPr1(X1),a new encryption keyY1,and two pairs of entangled particles(1,3)and(2,4),with the particle 4 representingX1’s signatureS1.Here,Pr1is the private key ofMand the corresponding public key isPb1.By the steps of Verify,all thensuccessors ofMcan achieve the verification of the signatureS1.

The signature scheme for the parallel verification model is similar to that for the serial verification model.The first four algorithms of Setup,Sign,Verify original signatures,and Combine,are the same,and only the algorithm Verify homomorphic signatures is different.So we just present the algorithm Verify*homomorphic signatures.

(5)Verify*homomorphic signatures

Step 1:distribution of secret keys.Mshares the keyY1and its public keyPb1with itsn successors by the improved quantum key distribution protocol.

Step 2:translation from quantum states to classical bits.Assume that the state of the particles(1,3)is=,then it will be translated to be the classical bits 10.

Step 3:signature duplication.As the signatureS1is represented by the quantum particle 4,we cannot copy it independently without destroying it.However,if we treat the particles(2,4)as a whole,we can duplicate the signature by preparing new EPR pairs in the same state.

According to the assumption of Step 2,the state of the particles(2,4)will be=.Then we just need to preparen-1new EPR pairs such that the state of theithEPR pair is,withi ∈ [2,n].Now we havenshares of the signature particles,so all thensuccessors of the intermediate verifierMcan achieve the verification of the signatureS1.

Step 4:transmission of related information.First,Msends the encoded and encrypted informationX1?and the classical bits 10 to itsnsuccessors.Then,it sends theithEPR pair to its successive verifierTi.Here,i∈[1,n].

Figure 6:The situation of receiving more than two signatures

Step 5:signature verification.After receiving the information and the EPR pairfrom M,Tifirst derives the stateaccording to the classical bits 10.Then it calculates X1=DPb1(X1?)andX1⊕Y1,and performs a Bell measurement on the received EPR pairIf==c·U(X1⊕ Y1)(b),Tiaccepts the signature;otherwise,it denies the signature.Thus,all thensuccessors ofMcan verify the signature ofX1.

3.3 Application to general scenarios

Apart from the serial verification model and the parallel verification model,we should also consider the situation in which an intermediate verifier receives more than two signatures at the same time.Although this situation has already been discussed[Shang,Zhao,Wang et al.(2015)],there is still need to illuminate it in our scheme.

As shown in Fig.6,A1,A2andA3are the signers or the intermediate verifiers,M1is an intermediate verifier,andM2is a successor ofM1.The messages sent toM1areX1,X2andX3with their corresponding signature particles(1,2),(3,4)and(5,6).In this situation,M1can generate the quantum homomorphic signature by the following steps.

Step 1:M1receives the messages and signatures fromA1,A2andA3,and then verifies the signatures by Bell measurement.Now the particles(1,2),(3,4)and(5,6)are all in Bell states.

Step 2:M1performs a Bell measurement on the particles(1,3)to get,then the state of the particles(2,4)will be|ψ′〉24=c1·U(X1⊕ Y1⊕ X2⊕ Y2)(4).

Step 3:M1performs a Bell measurement on the particles(2,5)to get,then the state of the particles(4,6)will be=c1·c2·U(X1⊕Y1⊕X2⊕Y2⊕X3⊕Y3)(6).Now the particle 6 is the signature of the encoded messageX1⊕X2⊕X3.Then it can send the particles(4,6)and the classical bits related totoM2for verification.

Based on the above models,we can apply our quantum homomorphic signature scheme to general scenarios now.

Figure 7:General scenario

Fig.7 shows a general scenario based on serial verification model and parallel verification model.Let us have a look at how the quantum homomorphic signature scheme can be accomplished in this situation.

(1)Setup

Step1:secretkey generationanddistribution.A1generatesasignaturekeypair(Pr1,Pb1)and sends its public keyPb1toC1.Similarly,A1,A2share their public keysPb2,Pb3with B1,respectively.A2shares its public keyPb4withB2.ThenA3shares the public keys Pb5,Pb6,andPb7withB1,B2andC3,respectively.Similarly,the signers share an encryption keyYiwith their corresponding signer.

Step 2:EPR pair preparation.A1prepares two EPR pairs,.A2prepares two EPR pairs,.A3prepares three EPR pairs,,and.

(2)Sign

A1performs a unitary operation on the particle 2 according to the result ofX1⊕Y1to generate the signature ofX1.Similarly,A1,A2,A3can generate the signatures ofX2,X3,···,X7.Then the signers send the encrypted informationXi?=EPri(Xi)and the signature particles(2i-1,2i)to their corresponding verifiers.

(3)Verify original signatures

After receiving the classical information and the quantum particles fromA1,C1calculates X1=DPb1(EPr1(X1))andX1⊕Y1.Then it performs a Bell measurement on the particles(1,2).If the measurement result is=c ·U(X1⊕ Y1)(2),C1accepts the signature ofX1;otherwise,it denies the signature.

The signatures ofX2,X3,···,X7can be verified in the same way.

(4)Combine

B1receives three signatures at the same time.Then it can generate the signature of the encoded informationX2⊕X3⊕X5by applying the method in Fig.6 after verifying the received signatures.B2can generate the signature of the encoded informationX4⊕X6in the same way.

(5)Verify*homomorphic signatures

WhenB1andB2have generated the homomorphic signatures,they have to send them to the terminal verifiers for verification.Note that bothB1andB2has two successors,so their signatures need to be duplicated.Then the terminal verifiers can achieve the verification of signatures by the same steps as those in the parallel verification model.

Actually,serial verification model can also be found in this scenario.IfC1andC3were ignored,the rest part can be treated as serial verification model.

4 Scheme analysis

4.1 Security analysis

Our signature scheme should achieve three basic proprieties,i.e.,verifiability,undeniability and unforgeability.

1)Verifiability:A verifier is able to verify the validity of a signature after receiving it from its corresponding signer.

2)Undeniability:Once a signer has signed a message,it cannot deny its signature later.

3)Unforgeability:No one can generate a valid signature of a certain signer except for itself.It should be emphasized that in our scheme an intermediate verifier can also be viewed as a signer for its successive verifiers.When we analyze the security of a signature scheme,we generally pay attention to two important security requirements,i.e.,undeniabiliy and unforgeability.In this part,the security analysis of our scheme will be based on the serial verification model,because the only difference between serial verification model and parallel verification model is the phase of Verify homomorphic signatures,and such difference does not affect the security of our scheme.

In order to prove the undeniability and the unforgeability,we first give the following two lemmas.

Lemma 1:The keyYiand the public keyPbiare shared by a signer and its corresponding verifier(s)securely.

Proof:In our scheme,a signer shares the keyYiand the public keyPbiwith its corresponding verifier(s)by the quantum key distribution protocol such as an improved BB84 protocol with authentication[Beige,Englert and Kurtsiefer(2002)],which has been proved to be unconditionally secure.Hence the keyYiandPbiare shared securely.This means that any attacker cannot capture the keyYior the public keyPbi.

Lemma 2:It is impossible to calculate the keyYiand the public keyPbiby means of classical message and its corresponding quantum signature.

Proof:As shown in Fig.8,there are two cases in which an attacker can capture a classical message and its corresponding quantum signature particles.We will prove that in both cases the attacker cannot calculate the keyYior the public keyPbi.The details are described as follows:

Figure 8:Attack model aimed at signature key

1)If an attacker captures the classical messageEPri(Xi)and its corresponding quantum signatureSiwhich are sent by an original signer,it cannot obtain the keyYior the keyPbi.

Assume that an attacker captures the classical messageEPr1(X1)and the signatureS1.Here,S1=Sign(X1)==c ·U(X1⊕ Y1)(2).By performing a Bell measurement on the particles(1,2),the attacker can getX1⊕Y1.But,with the information EPr1(X1)andX1⊕Y1,it can get neitherPr1norY1.

2)If an attacker captures the classical messageEPri(Xi)and its corresponding quantum signatureSiwhich are sent by an intermediate signer,it cannot obtain the keyYior the key Pbi.

Assume that an attacker captures the classical messageEPr5(X5)(remember thatX5=X1⊕X2)and the signatureS5sent by the intermediate signerB1.Here,S5=Sign(X1⊕X2)==c1·U(X1⊕Y1⊕X2⊕Y2)(4).Unlike in the previous case,this time the attacker cannot even getX1⊕Y1⊕X2⊕Y2by performing a Bell measurement.In order to getX1⊕Y1⊕X2⊕Y2,the attacker has to know,which is the entanglement swapping result without performing unitary operations on the particles 2 and 4.However,depends on the result ofwhich is transmitted securely fromB1toC1by two classical bits.So it is impossible for the attacker to obtainX1⊕Y1⊕X2⊕Y2,much less the keyY5=Y1⊕Y2.Obviously,the attacker cannot obtain the public keyPb5,either.

Property 1:Anyone cannot forge a signature.

Proof:As mentioned above,here we consider both the forgery of a third-party attacker and the forgery of a verifier.Therefore,the proof is divided into two parts.

1)Any third-party attacker cannot forge a signature.

In the original homomorphic signature scheme,the aggregator sends the informationX1⊕Y1⊕X2⊕Y2and the particles(1,2,3,4)to the verifier.We have shown that in this case a third-party attacker can forge the signature by preparing a corrupt dataZand two entangled particles(5,6)with=c ·U(Z)(4).

In our scheme,we have made some changes to solve that problem.One is that we transmit EPri(Xi)instead ofXi⊕Yi,and the other is that we transmit the Bell measurement result of an EPR pair by two classical bits.Now we will prove that these changes can prevent any third-party attacker from obtaining the secret keysYiandPriwhich are indispensable to generate a valid signature.

Suppose that a third-party attacker wants to forge a signature of the signerB1.It prepares a corrupt dataZand two entangled particles(a,b).In order that the corrupt data and the particles pass the verification,the state of the particles(a,b)should satisfy=c·U(Z ⊕Y5)(4).However,it is impossible for the attacker to prepare the particles(a,b)in the right state because Lemma 1 and Lemma 2 show that any attacker cannot obtain the keyY5.So a third-party attacker cannot forge a signature.

In the second case,we will show that even with the keyY5an attacker cannot forge a signature either.

2)Any verifier cannot forge a signature.

Here,suppose that the verifierC1wants to forge a signature of the signerB1.Compared with a third-party attacker,the verifierC1can get the keyY5and the public keyPb5of its corresponding signerB1.With the keyY5,C1can prepare a corrupt dataZand two entangled particles(a,b)with=c·U(Z ⊕Y5)(4).In order that the corrupt data and the particles pass the verification,C1needs to process the dataZfirst before sending it toaverifier.AfterreceivingtheprocesseddataZ?andtheparticles(a,b)fromC1,averifier calculatesDPb5(Z?)⊕ Y5and performs a Bell measurement on the particles(a,b)for verification.The forged signature will pass the verification if and only ifDPb5(Z?)⊕Y5=Z⊕Y5,which meansZ?=EPr5(Z).This is impossible because the private keyPr5is only kept byB1.Thus,any verifier cannot forge a signature.

Property 2:Any signer cannot deny its signature.

Proof:Suppose that a verifier receives an encrypted messageX?and the corresponding signature particles from a signerS.The verifier will first calculateDPbi(X?)⊕ Yi,where Pbiis the public key of the signerS.Then it will perform a Bell measurement on the signature particles to verify the signature of the informationXi.Once the data and the particles pass the verification,we can derive thatDPbi(X?)⊕ Yi=Xi⊕ Yi,which means thatX?=EPri(Xi).As the private keyPriis only kept by the signerSand no one can forge a signature,we can conclude that the messageX?and the corresponding signature particles are generated byS.So the signerScannot deny its signature.

In addition,our quantum signature scheme is also additively homomorphic,which can be proved just as in Shang et al.[Shang,Zhao,Wang et al.(2015)].

4.2 Resource consumption analysis

We will analyze two types of resource consumption.

(1)Consumption of quantum resource

Here,the quantum resource consumed mainly refers to the EPR pairs.As for our scheme,new signatures are generated from the old ones,so there is no need to prepare extra EPR pairs except in the situation where a signature needs to be duplicated.Therefore,the EPR pairs consumed come from two parts:ne part is the EPR pairs used to generate the original signatures,and the other part is those used to duplicate the signatures.Assume that there aremoriginalmessagestobesignedattheverybeginningandnsignaturestobeduplicated during the implementation of the scheme,then the number of the EPR pairs consumed in our scheme will bem+n.

By contrast,if we use an ordinary quantum signature scheme other than the homomorphic one,the consumption of the EPR pairs could be extremely large.Whenever a message is sent,a signature,namely an EPR pair,is needed.IfNmessages are sent during the whole process,the number of the EPR pairs consumed will beN.

Let us take the parallel verification model as an example.In Fig.5,we can easily obtain thatm+n=5,N=7.In general,Ncould be much larger thanm+n.

(2)Consumption of secret keys

We will first analyze the consumption of signature key pairs.In fact,every signer in our scheme has to generate its own signature key pair.Therefore,if there are in totalpsigners in our scheme,the number of the signature key pairs consumed will bep.The consumption of signature key pairs will be the same in an ordinary quantum signature scheme.

Different from the signature key pairs,the number of encryption keys is only determined by the number of original signers because all the other encryption keys are calculated from the original ones.Therefore,if there areqoriginal signers in our scheme,the total number of the signature key pairs consumed will beq.As for an ordinary quantum signature scheme,the number of the encryption keys consumed could beporq.If the verifiers calculate new encryption keys from the original ones,the number of the encryption keys consumed will beq.However,if the verifiers prepare a new signature key every time,the number will be p.Generally,pis much larger thanq.

5 Conclusion

In this paper,we proposed a new quantum homomorphic signature scheme with repeatable verification,which can be used in general scenarios.A serial verification model was provided to solve the problem of signature verification for intermediate verifiers.A parallel verification model was provided to solve the problem of signature duplication for multiple terminal verifiers.These models will be beneficial to the signature verification of general scenarios.Scheme analysis shows that our scheme consumes much less quantum resource compared with ordinary quantum signature schemes.

Acknowledgement:This project was supported by the National Natural Science Foundation of China(No.61571024)and the National Key Research and Development Program of China(No.2016YFC1000307)for valuable helps.