Measurement-Device Independency Analysis of Continuous-Variable Quantum Digital Signature

With the practical implementation of continuous-variable quantum cryptographic protocols, security problems resulting from measurement-device loopholes are being given increasing attention. At present, research on measurement-device independency analysis is limited to quantum key distribution protocols, while different protocols face different security problems. Considering the importance of quantum digital signature in quantum cryptography, in this paper, we attempt to analyze the measurement-device independency of continuous-variable quantum digital signature, especially continuous-variable quantum homomorphic signature. Firstly, we calculate the upper bound of the error rate of a protocol. If it is negligible on condition that all measurement devices are untrusted, the protocol is deemed to be measurement-device-independent. Then, we simplify the calculation by using the characteristics of continuous variables and prove the measurement-device independency of the protocol according to the calculation result. In addition, the proposed analysis method can be extended to other quantum cryptographic protocols besides continuous-variable quantum homomorphic signature.


Introduction
Quantum cryptography is believed to be unconditionally secure because its security is ensured by physical laws rather than computational complexity. By virtue of the no-cloning theorem and the uncertainty principle, an attacker can neither distinguish between two non-orthogonal quantum states nor copy an unknown quantum state. Many quantum cryptographic protocols have been proposed based on this feature of quantum states and have been proved secure both theoretically and experimentally.
Because a quantum system has either a discrete spectrum or a continuous spectrum, quantum information can be classified into two categories, namely discrete variables and continuous variables. Discrete-variable quantum cryptographic protocols are more widely studied but are more expensive than continuous-variable ones. Continuous-variable quantum cryptography has gained much attention for its practical advantages of low cost, high efficiency and compatibility with current optical fiber communication systems. Since continuous-variable quantum cryptographic protocols are very likely to be implemented in practice, an analysis that assumes all devices are perfect is insufficient to judge whether a protocol is truly secure or not. An attacker could exploit the loopholes of a device to successfully attack a protocol even though it is proved theoretically secure. To analyze the practical security of a quantum cryptographic protocol, the definition of device independency was proposed. If a protocol can complete its task securely, even if all is greater than its standard deviation. Since the random variable follows the Gaussian distribution, the probability can be immediately obtained without calculation.

Measurement-Device Independency
If a quantum cryptographic protocol can complete its task securely with untrusted measurement devices, it is called a measurement-device-independent protocol. To analyze the security of a quantum cryptographic protocol under the worst case, we assume measurement devices are prepared and controlled by an attacker and can work in the way that is most favorable to the attacker. Concretely, the assumptions are:
(1) An attacker can tamper with and forge the output of measurement devices.
(2) An attacker can eavesdrop on quantum channels by any means.
For simplicity, we call the above assumptions the MDI assumptions. In other words, if the task of a quantum cryptographic protocol is completed under the MDI assumptions, the protocol is measurement-device-independent.
To date, there are only achievements of MDI analysis for QKD protocols. The first MDI-QKD protocol was proposed by Lo et al. [6], which is a discrete-variable quantum cryptographic protocol. The security proof utilizes the monogamous nature of quantum entanglement and removes detector side-channel attacks, although it is not a mathematical proof. In the same year, Ma and Razavi [17] proposed the alternative schemes for MDI-QKD using phase and path or time encoding. In the security analysis, the lower bound of secret key rate was calculated. A protocol is secure if its secret key rate is higher than the lower bound. In 2014, several CV-MDI-QKD protocols were proposed [7]. In the security analysis, the secret key rate of an equivalent one-way CVQKD model was calculated, which is the lower bound for the proposed protocol. Calculation was simplified by applying the theorem of the optimality of Gaussian collective attacks [18]. The analysis of other CV-MDI-QKD protocols [8,9] is similar in calculating the lower bound of secret key rate.
Obviously, we cannot directly calculate the secret key rate of a non-CVQKD protocol, so we should put forward a new method of analyzing its measurement-device independency.

Continuous-Variable Quantum Homomorphic Signature
In CVQDS protocols, there are usually at most three participants, i.e., a signer, a verifier and an arbitrator. Since the verifier and the arbitrator are assumed to be honest, the only untrusted party is the signer, so it seems easy to analyze measurement-device independency. Nevertheless, in 2017, Li et al. [19] proposed a continuous-variable quantum homomorphic signature (CVQHS) scheme, where an aggregator generates a homomorphic quantum signature for verifying the identities of multiple data sources. The aggregator has access to all quantum and classical data in the network, so the scheme probably will not be secure if an attacker takes control of the devices of the aggregator. The existence of an untrusted aggregator has posed a new challenge in analyzing the measurement-device independency of CVQDS.
Li's CVQHS scheme is based on continuous-variable entanglement swapping and provides additive and subtractive homomorphism. The basic model of the CVQHS scheme is shown in Figure 1. The CVQHS scheme is defined by a tuple of algorithms (Setup, Sign, Combine, Verify) and is briefly described as follows.
(1) Setup
Step 1. A shares two secret keys $k_{A_1}$ and $k_{A_2}$ with V by continuous-variable quantum key distribution. Meanwhile, B shares two secret keys $k_{B_1}$ and $k_{B_2}$ with V. The secret keys are real numbers.
(2) Sign
Step 1. A signs its classical message a by displacing the quadratures of $|\alpha_2\rangle$. The signature $x_{k_{A_2}}$ and $p_{k_{A_2}}$ are determined by the classical message and $k_{A_2}$: Similarly, B signs its classical message b by displacing the quadratures of $|\alpha_4\rangle$.
Step 2. A sends the signature $|\alpha_2\rangle$ and the classical message $m_A$ to M, while B sends the signature $|\alpha_4\rangle$ and the classical message $m_B$ to M.
(3) Combine
Step 1. M applies Bell detection on $|\alpha_1\rangle$ and $|\alpha_3\rangle$ and obtains the classical measurement results
Step 2. M mixes $|\alpha_2\rangle$ and $|\alpha_4\rangle$ at a 50:50 BS and obtains two new signatures
Step 3. M sends the quantum states $|\alpha_1\rangle$, $|\alpha_2\rangle$, $|\alpha_3\rangle$, $|\alpha_4\rangle$ and the classical message
(4) Verify
Step 1. V measures the x quadrature of $|\alpha_2\rangle$ and the p quadrature of $|\alpha_4\rangle$ by homodyne detection and obtains the measurement results x and p.
Step 2. V measures the x quadrature of $|\alpha_1\rangle$ and the p quadrature of $|\alpha_3\rangle$ by homodyne detection and obtains $x_1$ and $p_3$. Then, V calculates where $\tau$ is the transmissivity of quantum channels.
Step 3. V calculates a and b from the received classical message according to pre-shared secret keys. To verify the authenticity and integrity of the signatures, If $H_x \le H_{th}$ and $H_p \le H_{th}$, V will confirm that $|\alpha_2\rangle$ and $|\alpha_4\rangle$ are the signatures of M and accept the classical messages a and b. Otherwise, V will deny the signatures. $H_{th}$ is the verification threshold.

Measurement-Device Independency Analysis Method
If the task of a quantum cryptographic protocol is completed under the MDI assumptions, the protocol is measurement-device-independent. The task of CVQHS is to verify the identities of different data sources at a low error rate. Thus, in the measurement-device analysis of the CVQHS scheme, we can calculate the upper bound of the error rate. If the upper bound is negligible under the MDI assumptions, the CVQHS scheme is measurement-device-independent.
The upper bound of the error rate is the error rate under the worst case when an attacker can carry out any possible attack. Thus, we will find out the optimal attack model and calculate the error rate under the model.

Attack Model
Considering all possible cases which are shown in Figure 2, the error rate is equal to the probability of a forged signature passing verification plus the probability of a legal signature being denied. Obviously, the probability of a legal signature being denied is only affected by noise. Thus, we only consider the attack model of the case that an attacker tries to forge a signature. In the CVQHS scheme, when an attacker Eve has secret keys and is able to prepare quantum states which are entangled with those at honest signers, it can forge a signature that can pass verification.
Throughout the CVQHS scheme, only the aggregator M and the verifier V use measurement devices. Here, we assume the measurement devices controlled by V are trusted because the protocol will be extremely inefficient and meaningless if the verifier is dishonest. Thus, the MDI assumptions only apply to the measurement devices controlled by M, namely a 50:50 BS and two homodyne detectors which are used to perform Bell detection, and a 50:50 BS for mixing two quantum signatures. According to Assumption (1), Eve is able to tamper with and forge the results of Bell detection and the mixtures of quantum signatures at the combining phase. Thus, Eve can forge a quantum signature that can pass verification as long as it obtains the pre-shared secret keys. Thus, the security of the CVQHS scheme is guaranteed by the secrecy of secret keys. The probability of a forged signature passing verification is equal to the probability of Eve obtaining secret keys. At this point, the complicated attack model which contains forgery is simplified as a simple eavesdropping model.
According to Assumption (2), Eve is able to eavesdrop on all quantum channels by any means. From the perspective of an attacker's ability, eavesdropping can be divided into three types, namely coherent attack, collective attack and individual attack. Coherent attack is the most general attack by which an attacker can perform joint quantum operations and joint measurement on all quantum states sent via quantum channels. The proof of security against coherent attack is the strictest proof for security, but the model of coherent attack cannot be effectively parameterized. A common approach is to extend the security against collective attack to coherent attack by using the exponential de Finetti theorem [20]. Collective attack is a special case of coherent attack, where an attacker can only perform quantum operations individually on each quantum state.
Fortunately, analysis shows that the security bound under coherent attack is the same as that under collective attack for QKD protocols [21]. This result can be applied to CVQHS because a signature in the scheme is a single quantum state. The quantum states in a quantum channel are not correlated, so introducing correlations to them by performing joint operations will not help the attacker obtain more information. Therefore, we can analyze the security against collective attack.

Probability of a Forged Signature Passing Verification
At the first step of the setup phase, the signers and the verifier share secret keys. Assume they use an MDI-QKD protocol in this step; then, Eve can only obtain the secret keys by eavesdropping on the quantum channels. The information on the secret keys that Eve can obtain is the mutual information $I(k : E)$, where $k = (k_1, k_2)$ denotes the secret keys and E is the quantum system of Eve. The larger the mutual information $I(k : E)$ is, the more information Eve can obtain. When $I(k : E) = H(k)$, Eve can recover the secret keys accurately. The upper bound of $I(k : E)$ is usually used to estimate the security of a protocol.
The quantum states in the CVQHS scheme are Gaussian states, whose von Neumann entropy can be calculated based on their covariance matrices. Assume the original entangled states prepared by the aggregator have the same density matrix, i.e., $\rho_{12} = \rho_{34} = \rho_{in}$. Their covariance matrix is where $V = \cosh 2r$ is the variance of two-mode squeezed states. Assume the quantum channels are modeled as $|\alpha\rangle \rightarrow |\sqrt{\tau}\alpha +$ where $\tau$ ($0 < \tau < 1$) is transmissivity and $|\alpha_N\rangle = |x_N + ip_N\rangle$ is thermal noise. Assume thermal noise in each quantum channel is independently and identically distributed and their quadratures follow Gaussian distribution: $x_N, p_N \sim N(0, V_N)$. After $|\alpha_2\rangle$ and $|\alpha_4\rangle$ are transmitted twice via noisy quantum channels, the covariance matrix becomes After entanglement swapping, the covariance matrix of $\rho_{24} = |\alpha_2\rangle|\alpha_4\rangle$ is Then, $|\alpha_2\rangle$ and $|\alpha_4\rangle$ are mixed at a 50:50 beam splitter, outputting $|\alpha_2\rangle$ and $|\alpha_4\rangle$. Beam splitter is a Gaussian operator, which does not change the von Neumann entropy of a quantum system. Thus, the von Neumann entropy of $\rho_{24}$ can be calculated based on $V_{24}$.
$S(\rho_{24} | k_{A_1})$ is the von Neumann entropy of $\rho_{24}$ when $k_{A_1}$ is given. It can be calculated based on a new covariance matrix Simple calculation shows that $I(k_{A_1} : E) = 0$, which means Eve cannot obtain any information on $k_{A_1}$. Similarly, we can calculate that $I(k_{A_2} : E) = 0$. Thus, Eve cannot obtain any information on the pre-shared secret keys between the signers and the verifier. The probability of a forged signature passing verification is the probability of Eve guessing the exact secret keys, which is negligible.
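The entropy-from-covariance-matrix step used above can be made concrete with the following added example, which is not code from the paper: it computes the von Neumann entropy of a two-mode Gaussian state from the symplectic eigenvalues of its covariance matrix. It covers only one entangled pair with one mode sent through one channel, and it assumes shot-noise units, the standard-form two-mode squeezed covariance matrix with V = cosh 2r, and a channel noise weight of sqrt(1 - τ) (the channel formula is truncated on this page); all function names are hypothetical.

```python
import math

def g(nu):
    """Entropy in bits of one mode with symplectic eigenvalue nu >= 1."""
    nu = max(nu, 1.0)              # clamp rounding error below the vacuum value
    if nu - 1.0 < 1e-12:
        return 0.0                 # nu = 1 is a pure mode: zero entropy
    hi, lo = (nu + 1.0) / 2.0, (nu - 1.0) / 2.0
    return hi * math.log2(hi) - lo * math.log2(lo)

def symplectic_eigenvalues(a, b, c):
    """Covariance matrix in standard form [[a*I, c*Z], [c*Z, b*I]],
    with Z = diag(1, -1) and vacuum variance 1 (shot-noise units)."""
    delta = a * a + b * b - 2.0 * c * c      # det A + det B + 2 det C
    det = (a * b - c * c) ** 2               # determinant of the 4x4 matrix
    disc = math.sqrt(max(delta * delta - 4.0 * det, 0.0))
    nu_plus = math.sqrt((delta + disc) / 2.0)
    nu_minus = math.sqrt(max((delta - disc) / 2.0, 0.0))
    return nu_plus, nu_minus

def entropy_two_mode(a, b, c):
    """Von Neumann entropy S(rho) of the two-mode Gaussian state."""
    return sum(g(nu) for nu in symplectic_eigenvalues(a, b, c))

def tmsv_after_channel(r, tau, v_n):
    """Two-mode squeezed state with squeezing r whose second mode crosses a
    channel of transmissivity tau and thermal noise variance v_n.
    Assumption: the noise enters with weight sqrt(1 - tau)."""
    v = math.cosh(2.0 * r)
    a = v                                    # untouched mode
    b = tau * v + (1.0 - tau) * v_n          # transmitted mode
    c = math.sqrt(tau * (v * v - 1.0))       # attenuated correlation
    return a, b, c

if __name__ == "__main__":
    # Constructed sample parameters, not values from the paper.
    for tau, v_n in [(1.0, 1.0), (0.5, 1.0), (0.5, 2.0)]:
        s = entropy_two_mode(*tmsv_after_channel(1.0, tau, v_n))
        print(f"tau={tau} V_N={v_n} S={s:.6f} bits")
```

With a lossless channel the state stays pure and the entropy is zero; with pure loss (V_N = 1) the result equals the entropy of the single environment mode, which is a convenient cross-check on the symplectic-eigenvalue formula.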
In the above theoretical analysis, we only considered the case of collective attack, which is proved to be the optimal attack model. In fact, simulation or experiment considering more complex scenarios can be conducted to verify our calculation results in future works. It will be much easier to obtain the error rate for complex scenarios such as coherent attack and forgery, which involve complex modeling and calculation in theoretical analysis and cannot be efficiently parameterized [21]. Special attack models may also be implemented to discuss how parameters affect the result of CVQHS.

Probability of a Legal Signature Being Denied
In the CVQHS scheme, if the deviation between the value calculated from a signature and the value calculated from pre-shared messages is larger than a certain verification threshold, the signature will be denied by the verifier. The deviation can be caused by an attacker or noise. Here, it is assumed that the verifier receives a signature that is generated by a legal signer and not tampered with by an attacker. Thus, the probability only depends on noise.
A verification threshold $H_{th}$ in a noisy environment is given in Ref. [19], which is equal to the variance of $x_V - \tau x_V$. In the verification phase, the verifier compares ( it will deny the signature. Denote $x_V - \tau x_V$ as a random variable X whose first and second moments are $EX = 0$ and $DX = H_{th}$. Thus, the probability of a legal signature being denied is Since X is a linear combination of quadratures, secret keys and classical messages, it follows the Gaussian distribution. According to the property of Gaussian distribution, $P(X^2 > H_{th}) \approx 0.32$. Thus, the probability of a legal signature being denied is 0.32.
By adding up two probabilities in Sections 3.2 and 3.3, we can conclude that the upper bound of the error rate of the CVQHS scheme is 0.32 when all measurement devices are untrusted. Although 0.32 is not negligible, the probability of correctly verifying the identities is twice the error rate. Thus, the CVQHS scheme is deemed to be measurement-device-independent.

Discussion
Firstly, we discuss how the parameters of the CVQHS scheme affect the error rate. The calculation of the probability of a forged signature passing verification involves three parameters, namely the variance $V$ of two-mode squeezed states, the transmissivity $\tau$ of quantum channels, and the variance $V_N$ of thermal noise of quantum channels. According to the calculation result, the probability is always 0 provided $V$ is nonzero, which means an attacker cannot obtain the pre-shared secret keys as long as the entangled states are properly prepared and not collapsed before being used for generating quantum signatures. Noisy quantum channels do not have any influence on the probability of a forged signature passing verification. It is the randomness of quantum states that prevents the pre-shared secret keys from being leaked during transmission.
The calculation of the probability of a legal signature being denied involves the values of both quadratures of entangled states, pre-shared secret keys, the transmissivity and the variance of thermal noise of quantum channels, and the verification threshold. In the calculation, the parameters follow Gaussian distribution so the probability can be easily obtained. The probability is influenced by the verification threshold $H_{th}$. If $H_{th}$ is larger, the probability will decrease but it will be easier for a forged quantum signature to pass verification. If $H_{th}$ is smaller, the probability will increase. Thus, the verification threshold should be carefully set in order to lower the error rate.
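The dependence of the denial probability on the verification threshold, discussed here and in the section on the probability of a legal signature being denied, can be checked numerically with the following added example, which is not code from the paper. It assumes only what the text states, that X is Gaussian with mean 0 and variance DX; the function names, the Monte Carlo sample size and the 5% target are constructed for illustration.

```python
import math
import random

def deny_probability(h_th, var_x):
    """P(X^2 > H_th) for X ~ N(0, var_x): a legal signature is denied."""
    if h_th < 0 or var_x <= 0:
        raise ValueError("need h_th >= 0 and var_x > 0")
    # P(|X| > t) = erfc(t / (sigma * sqrt(2))) with t = sqrt(h_th)
    return math.erfc(math.sqrt(h_th / (2.0 * var_x)))

def deny_probability_mc(h_th, var_x, n=100_000, seed=1):
    """Monte Carlo estimate of the same probability (seeded, reproducible)."""
    rng = random.Random(seed)
    sigma = math.sqrt(var_x)
    denied = sum(1 for _ in range(n) if rng.gauss(0.0, sigma) ** 2 > h_th)
    return denied / n

def threshold_for_target(target, var_x):
    """Smallest H_th whose denial probability is at most `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must lie strictly between 0 and 1")
    lo, hi = 0.0, var_x
    while deny_probability(hi, var_x) > target:   # grow until target is met
        hi *= 2.0
    for _ in range(60):                           # bisection on a monotone function
        mid = (lo + hi) / 2.0
        if deny_probability(mid, var_x) > target:
            lo = mid
        else:
            hi = mid
    return hi

if __name__ == "__main__":
    var_x = 1.0                                   # constructed value of DX
    for scale in (1.0, 4.0, 9.0):                 # H_th as a multiple of DX
        p = deny_probability(scale * var_x, var_x)
        print(f"H_th = {scale:.0f} * DX -> denial probability {p:.4f}")
    print("Monte Carlo at H_th = DX:", deny_probability_mc(var_x, var_x))
    print("H_th for 5% denial:", round(threshold_for_target(0.05, var_x), 4))
```

The case H_th = DX reproduces the 0.32 figure used in the text; the other rows show how quickly the denial probability falls as the threshold is raised, which is the quantity that has to be weighed against easier acceptance of forged signatures.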
Secondly, we discuss the application of our analysis method. Our analysis method can be summarized in the following three steps:
Step 1. Analyze the objective of the protocol and find the parameter that can be used to decide whether the protocol has completed its task.
Step 2. Analyze the topology and the communication pattern of the protocol to obtain a simplified attack model, which may be a sufficiently studied attack.
Step 3. Calculate the parameter under the attack model to judge the measurement-device independency of the protocol.
In our analysis procedure, the parameter is the upper bound of error rate and the attack model can be simplified as collective attack. Although we only analyze the CVQHS scheme, the analysis method can be applied to other CVQDS protocols by means of calculating the same parameter under a similar attack model.
Concretely, the objective of a CVQDS protocol is to verify the identity of a data source, which is the same as the CVQHS scheme. Thus, at Step 1, the parameter will be the upper bound of error rate as well. From the perspective of verification results, errors can be classified into two types. The first type of error is the case where a tampered or forged quantum signature passes verification. The second type of error is the case where a legal quantum signature which is not tampered with by attackers gets denied by the verifier. To calculate the error rate, we should respectively construct models for the two types of errors. The first type of error usually involves attackers so we should construct an attack model. The second type of error is caused by noise so we should also construct a model for noisy quantum channels.
Constructing an attack model at Step 2 is the key step of our MDI analysis method. The most effective way of attack can be found by means of applying MDI assumptions to the protocol. Attack models may be different for different CVQDS protocols if the protocols have different network topologies and communication patterns. Since most of the CVQDS protocols do not involve an untrusted aggregator, we believe attack models for CVQDS protocols will be simpler than the CVQHS scheme. Furthermore, it seems that the attack model of a CVQDS protocol can often become an eavesdropping model because it is necessary for an attacker to obtain secret keys. After simplification, the calculation process at Step 3 will be similar to our calculation.
The above analysis procedure seems to be a general formalism for analyzing measurement-device independency. In this procedure, the key point of analyzing a protocol is to find an appropriate parameter and construct an attack model. A complicated protocol carried out in a large-scale network may have several tasks that affect each other, and each task is completed by several nodes. It will be difficult to find an appropriate parameter at Step 1. In addition, unintended entanglement among different nodes will not only affect the quantum states transmitted between two legal nodes in an unexpected way, but also increase the complexity of analysis and calculation. It will be difficult to construct an attack model that is simple enough for calculation. Thus, the MDI analysis method for quantum cryptographic protocols other than CVQDS protocols still needs to be explored.

Conclusions
In this paper, we analyze the measurement-device independency of continuous-variable quantum digital signature. According to the objective of CVQDS, we proposed that a CVQDS protocol is measurement-device-independent if its error rate is negligible on condition that all measurement devices are untrusted. Concretely, we take a continuous-variable quantum homomorphic signature protocol as an example. The error rate of the CVQHS scheme is equal to the probability of a forged signature passing verification plus the probability of a legal signature being denied. In the analysis procedure, we constructed an attack model in order to calculate the error rate. The attack model was simplified as collective attack by means of applying MDI assumptions to the protocol. Calculation was also simplified by using an advantage of Gaussian states, i.e., the von Neumann entropy of a Gaussian state can be calculated from its first and second moments. Calculation results show that the error rate is 0.32 so that the CVQHS scheme is deemed to be measurement-device-independent. Although we only analyzed the measurement-device independency of the CVQHS scheme, our analysis can be summarized in three steps and applied to other CVQDS protocols. Whether this approach is a general formalism for analyzing the measurement-device independency of all quantum protocols is still an open question and will be discussed in future works.