Quantum Contract Signing with Entangled Pairs

Abstract

We present a quantum scheme for signing contracts between two clients (Alice and Bob) using entangled states and the services of a third trusted party (Trent). The trusted party is only contacted for the initialization of the protocol, and possibly at the end, to verify clients’ honesty and deliver signed certificates. The protocol is fair, i.e., the probability that a client, say Bob, can obtain a signed copy of the contract, while Alice cannot, can be made arbitrarily small, and scales as $N^{-1/2}$, where $4N$ is the total number of rounds (communications between the two clients) of the protocol. Thus, the protocol is optimistic, as cheating is not successful, and the clients rarely have to contact Trent to confirm their honesty by delivering the actual signed certificates of the contract. Unlike the previous protocol (Paunković et al., Phys. Rev. A 84, 062331 (2011)), in the present proposal, a single client can obtain the signed contract alone, without the need for the other client’s presence. When first contacting Trent, the clients do not have to agree upon a definitive contract. Moreover, even upon terminating the protocol, the clients do not reveal the actual contract to Trent. Finally, the protocol is based on the laws of physics, rather than on mathematical conjectures and the exchange of a large number of signed authenticated messages during the actual contract signing process. Therefore, it is abuse-free, as Alice and Bob cannot prove they are involved in the contract signing process.

1. Introduction

Quantum cryptography traces back to late 1960s and early 1970s work on quantum money by Stephen Wiesner. While this work was published only a decade later, in 1983 [1], it had a significant impact on what usually is considered the birth of quantum cryptography, the seminal BB84 paper on quantum key distribution (QKD) [2]. Secure quantum communication offers higher, unconditional (i.e., information theoretic) security levels, as opposed to the computational security of classical cryptography. As a consequence, it became among the most prominent of the emerging quantum technologies, and QKD systems are currently available on the market, such as ID Quantique, QuintessenceLabs, etc. Other related protocols, such as quantum secure direct communication [3], have also been developed. Nevertheless, there is much beyond key distribution that quantum cryptography can offer, such as quantum secret sharing [4], quantum private query [5,6], and quantum secure distributed learning [7]. Secure multiparty computation (SMC) [8] presents another class of cryptographic protocols in which the privacy of users’ data and inputs is protected. Instances of such schemes include private data mining and e-voting, to name a few. Recently, quantum solutions’ bit commitment and oblivious transfer, cryptographic primitives that allow for execution of SMC, have been proposed [9]. In the current work, we present a quantum solution to the contract signing problem.

Contract signing [10] is a security protocol that falls within the group of the so-called commitment protocols [11,12,13]. In general, the protocol can be defined for an arbitrary number of parties (clients engaged in the protocol). For simplicity, we discuss the case of a two-party protocol, which can be straightforwardly generalized to an arbitrary number of participants.

The participants, usually referred to as Alice and Bob, have a common contract upon which they decide to commit, or not. The commitments are traditionally done by simple signatures: having a text of the contract with Bob’s signature stamped on it, Alice can appeal to the authorities (the Judge), which in turn declares the document valid (i.e., binds the contract). In other words, having Bob’s signature gives Alice the power to enforce the terms of the contract. Consequently, signing his name on a copy of the contract means that Bob commits to the contract. The aim of a contract signing protocol is that either both clients obtain each others’ commitments or none of them do (the protocol is said to be fair). Further, if both clients follow the protocol correctly, both of them can obtain each others’ commitments with certainty (the protocol is then said to be viable).

If only Alice has a copy with Bob’s signature (i.e., only Bob is committed), she can later in time choose to either enforce, or not, the terms of the contract. Bob, however, has no power whatsoever: his future behavior is determined solely by Alice’s decisions. For example, Alice may have a document with Bob’s signature on it, declaring that he would buy a car from her, for a fixed amount of money. Knowing that only she has such a document, Alice can continue to negotiate the price of her car with other potential customers: in case she obtains a better offer, she is free to discard Bob’s offer and thus is able to earn more money. Bob does not have such an option: if Alice does not obtain a better offer, she can always force Bob to buy the car from her, by showing to the authorities the contract signed by Bob. Having no proven commitment (signature) from Alice, Bob cannot enforce the contract himself and is thus unable to prevent Alice from such behavior, which puts him in an unfair situation.

Achieving fairness is trivial when clients meet up and simultaneously sign copies of the contract, thus both obtaining each others’ commitments. Unfortunately, doing so when the clients are far apart, e.g., over the Internet, is difficult: indeed, sending his signed copy to Alice gives Bob no guarantee that he will obtain one from Alice; on the other hand, obtaining a signature from Alice before actually sending his gives Bob the advantage of having Alice’s commitment without committing himself.

It has been shown [10,14] that the fairness of a contract signing protocol with spatially-distant clients can be achieved only by introducing a trusted third party, usually referred to as Trent, during the phase of exchanging clients’ commitments. Trent’s role is to receive clients’ commitments and perform the exchange only upon obtaining signed copies of the contract from both clients. However simple and straightforward this solution may seem, it has a drawback, as Trent (in practice, a trusted agency accredited by the State that offers its time and resources for the exchange of money, e.g., public notaries) may be expensive. Therefore, the need for protocols using third parties as little as possible arises. Some contract signing protocols [15,16,17] do not require a trusted third party, but use a number of transmissions to send the pieces of signatures, or the partial information required to obtain the complete signature, in each message. Another possible way out is to design optimistic and/or probabilistic protocols.

In optimistic contract signing protocols [18], the exchange of commitments is, unless something goes wrong, executed solely by Alice and Bob. Only in case communication between the clients is interrupted (malfunction of the network, etc.), a trusted third party is involved [19]. In probabilistic protocols [20,21], by exchanging messages between each other, clients increase their probabilities to bind the contract. To be (probabilistically) fair, such protocols have to ensure that at each stage of the information exchange, the probabilities to bind the contract of both clients can be made arbitrarily close to each other (no client is significantly privileged). One such protocol is [21], for which the symmetry between the clients’ positions is strengthened by the requirement that the joint probability that one client can bind the contract, while the other cannot, can be made smaller than any given $\epsilon <1$. Finally, there is both a probabilistically fair and optimistic solution, with an optimal number of exchanged messages [20] for which even a stronger fairness condition is satisfied: the conditional probability that a client cannot bind the contract, when the other has already done so, can be made arbitrarily low.

Recently, a probabilistically fair and optimistic quantum protocol was presented in [22] (see a version using the simultaneous dense coding scheme in [23]). There, the trusted third party, Trent, was required to initiate the protocol and was contacted later only in case something went wrong. The protocol in [22] was also abuse-free [24], i.e., the clients cannot provide proofs of being involved in a contract signing procedure. Nevertheless, it has three important disadvantages: (i) Alice and Bob have to share the content of the contract with Trent; (ii) both clients have to be present in order to bind the contract, in case something goes wrong and Trent’s services are required; and (iii) they have to agree upon the content of the contract before the protocol initialization. In this paper, we propose an improved version of the contract signing protocol where (i) the clients never disclose the content of the contract to Trent, (ii) only one client is needed to bind the contract, and (iii) the clients can decide upon the contract after they initially contact Trent.

Regarding Point (iii) from the previous paragraph, note that often, when parties initiate business negotiations, this does not result in making a deal formalized by a contract. Thus, involving Trent, who charges for his services, might often result in the waste of clients’ resources, and Point (iii) might seem not to present a real advantage. Nevertheless, waiting for the last moment and contacting Trent only upon successful agreement and contract formulation might result in the system’s failure due to possible communication bottlenecks. Imagine the following situation. Alice and Bob negotiate buying/selling a certain product, say a security system, knowing that on a given date in the future, a big company will announce a new model with its novel performances. Obviously, the price of the model used will highly depend on the information about the new one, and Alice and Bob will only upon learning the new piece of information decide upon the final contract. The problem is, many other users may choose to make similar business contracts in the same period of time, and if they all have to only then contact Trent, this might cause a communication bottleneck and the failure of the system. Thus, being able to contact Trent in advance and then, only later, “offline” (without contacting the trusted agency) exchange the commitments might be useful, especially in “more serious” business deals including larger amounts of money.

In Section 2, we begin with the description of the contract signing protocol with all the different phases explained in detail. In Section 3, we provide the security analysis of the protocol, together with relevant numerical results. Finally, in Section 5, we present the conclusions and discuss the contributions to the area.

2. The Proposed Protocol

In the quantum contract signing proposal [22], Trent sends two strings of qubits, one to Alice and another to Bob, such that each qubit is randomly prepared in one of the four BB84 states. The commitments are done by measuring one of the two observables on all qubits given to a client: in case of accepting the contract, measurement in the computational basis is performed, while choosing to reject it, one measures in the diagonal basis. Since the two bases are mutually unbiased, as a consequence of the Heisenberg uncertainty principle, it is impossible to learn both properties simultaneously. Thus, measurement outcomes of each client serve as certificates of the commitments. In order to achieve the fairness criterion (the two commitment choices have to be the same), the measurements are done in rounds, such that only one qubit per client is measured in each round and the outcomes are exchanged. Since, in addition to qubit strings, Trent also informs Alice of Bob’s states (and vice versa), exchanging the outcomes allows clients to check each others’ honesty. In our current proposal, instead of accompanying qubits with the classical information about other client’s states, Trent exchanges entangled pairs. As a consequence of this change, in the current protocol, the choice of which out of the two observables clients measures in each round is different, as described below.

Consider two orthonormal qubit states $|0\rangle$ and $|1\rangle$ of the computational basis ${\mathcal{B}}_{+}$. The diagonal basis ${\mathcal{B}}_{\times }=\{|-\rangle ,|+\rangle \}$ is given by $|\pm \rangle =\frac{1}{\sqrt{2}}(|1\rangle \pm |0\rangle )$. We also define two measurement observables:

$$\begin{array}{cc}\hfill {\widehat{O}}_{+}=& 1·|1\rangle \langle 1|+0·|0\rangle \langle 0|,\hfill \\ \hfill {\widehat{O}}_{\times }=& 1·|+\rangle \langle +|+0·|-\rangle \langle -|.\hfill \end{array}$$

(1)

Let the bit string M be the contract upon which Alice and Bob agree. Let h be a publicly known hash function that they also agree to use. The value $h^{*}=h(M)$ will be the only information they provide to Trent about the contract M, when and if they contact him.

The protocol is described below in three parts: (i) initialization phase, Stage I: Alice and Bob contact the trusted party, Trent, who provides each of them with different secret classical information, to be used in the later phases of the protocol; Stage II: Trent prepares and distributes the states among the clients, to be used to sign the contract; (ii) exchange phase: the clients, using the states and the information provided by Trent, ping-pong the information needed to sign the contract; and (iii) binding phase: in this phase of the protocol, any one of the clients can contact Trent with his/her results in order to obtain an authorized document declaring the hash value $h^{*}=h(M)$ valid, which then validates the contract M.

Note that the exchange of classical information between Trent and the clients, in Stage I of the initialization phase, occurs over a private channel. During the rest of the protocol, the exchange of both quantum and classical information between Trent and the clients only needs to be authenticated. Classical authentication can be dealt with in a similar manner as in QKD, that is by assuming that a secret key is shared between Trent and the clients. How this key is exchanged depends on the level of security that we want to achieve: either an initial key is pre-shared (using a private channel), and then, it is enlarged using QKD (information-theoretical security); or a public key infrastructure is used (computational security). It is relatively easy to authenticate quantum information upon having classical authentication. It reduces to applying the cut-and-choose technique to verify the authenticity of quantum states exchanged, i.e., some random states are used by the clients and Trent to check whether the quantum channel was tampered with. This way, Trent discloses the description of the states over the authenticated classical channel, and the clients check if what they received is according to what was expected.

Below, we present the detailed description of the protocol.

Initialization phase: Stage I:

Parties involved: Alice, Bob, and Trent.

Input: Bit strings $k_A$ and $k_B$ of length $4N$ each and $2N$ randomly chosen indices from the set of indices of the $4N$ rounds of the protocol, $\mathcal{I}=\{1,2,\dots ,4N\}$.

Communication channel: Private classical channel between Trent and the clients.

Stage I of the initialization phase consists of the following steps:

• Alice and Bob contact Trent for his services and inform him about the future time, at which Trent will begin Stage II of the initialization phase.
• Trent provides Alice and Bob with randomly-generated bit strings $k_A$ and $k_B$, respectively, of length $4N$ each. Alice and Bob prepare the strings $H_{\mathtt{A}}=h(M)\oplus k_A$ and $H_{\mathtt{B}}=h(M)\oplus k_B$ (bit-wise XOR), respectively. Note that in order to exchange the commitments to the whole string, we have $4N=|h(M)|$. We define the honest observables ${\widehat{H}}_{{\mathtt{A}}_i}$ and ${\widehat{H}}_{{\mathtt{B}}_i}$ for Alice and Bob, respectively, to be measured at each step i of the protocol ($i\in \mathcal{I}$) as:

  $${\widehat{H}}_{{\mathtt{A}}_i}=\left\{\begin{array}{cc}{\widehat{O}}_{+}\hfill & \mathrm{if} H_{{\mathtt{A}}_i}=0,\hfill \\ {\widehat{O}}_{\times }\hfill & \mathrm{if} H_{{\mathtt{A}}_i}=1,\hfill \end{array}\right.$$

  (2)

  $${\widehat{H}}_{{\mathtt{B}}_i}=\left\{\begin{array}{cc}{\widehat{O}}_{+}\hfill & \mathrm{if} H_{{\mathtt{B}}_i}=0,\hfill \\ {\widehat{O}}_{\times }\hfill & \mathrm{if} H_{{\mathtt{B}}_i}=1,\hfill \end{array}\right.$$

  (3)

  where $H_{{\mathtt{A}}_i}$ is the i-th bit of the string $H_{\mathtt{A}}$ and analogously for Bob’s string $H_{\mathtt{B}}$. Note that the secret keys $k_A$ and $k_B$ are used by the clients to hide their respective honest observables from each other. As it will be clear later on, the introduction of these keys prevents the scenario of a dishonest client, say, Bob, attacking the quantum channel between Trent and Alice by measuring the correct honest observables on Alice’s qubits to obtain perfect correlations.
• Trent provides Alice with a set of 2N randomly-chosen indices from the total 4N indices, ${\mathcal{I}}^{(A)}\subset \mathcal{I}$. Analogously, he randomly chooses 2N indices ${\mathcal{I}}^{(B)}\subset \mathcal{I}$ and sends them to Bob.
• Trent provides Alice with 2N bits of Bob’s secret string $k_B$, corresponding to the above-mentioned 2N indices from ${\mathcal{I}}^{(A)}$. Analogously, he sends the $2N$ bits to Bob from Alice’s secret string $k_A$.

The initialization phase: Stage I ends with the following:

• Alice has a $4N$-long secret bit string $k_A$ and a set ${\mathcal{I}}^{(A)}\subset \mathcal{I}$ of $2N$ randomly-chosen indices from $\mathcal{I}$. Alice also has $k_{B_j}$ for all indices $j\in {\mathcal{I}}^{(A)}$.
• Bob has a $4N$-long secret bit string $k_B$ and a set ${\mathcal{I}}^{(B)}\subset \mathcal{I}$ of $2N$ randomly-chosen indices from $\mathcal{I}$. Bob also has $k_{A_j}$ for all indices $j\in {\mathcal{I}}^{(B)}$

Initialization phase: Stage II:

Parties involved: Alice, Bob, and Trent.

Input:$8N$ number of entangled pairs.

Communication channel: Authenticated classical and quantum channels between Trent and the clients.

The initialization phase: Stage II consists of the following steps (see Figure 1):

5.

Trent produces two ordered sets, each consisting of $4N$ entangled pairs ($8N$ pairs in total). Each pair of particles is in the state $|{\varphi }^{+}\rangle =\frac{1}{\sqrt{2}}(|0\rangle |0\rangle +|1\rangle |1\rangle )$. He sends one particle from each pair of the first set to Alice, and from the second set to Bob, keeping the order of the pairs preserved. Let us denote the ordered set of $4N$ particles given to Alice by $\mathcal{A}$ and those given to Bob by $\mathcal{B}$. The two ordered sets kept by Trent, each consisting of $4N$ particles entangled with particles sent to Alice and Bob, are denoted by ${\mathcal{T}}^{(A)}$ and ${\mathcal{T}}^{(B)}$, respectively. We would like to note that the use of ordered sets was previously proposed in [3], later called the block transmission technique, crucial to quantum secure direct communication.

6.

According to the set of $2N$ indices sent to Bob, ${\mathcal{I}}^{(B)}$, Trent divides ${\mathcal{T}}^{(A)}$ into two ordered subsets of $2N$ particles each: ${\mathcal{T}}_T^{(A)}$ and ${\mathcal{T}}_B^{(A)}$, with the $2N$ indices $j\in {\mathcal{I}}^{(B)}$ corresponding to the particles ${\mathcal{T}}_B^{(A)}$. Note that the original positions in ${\mathcal{T}}^{(A)}$ of each particle from ${\mathcal{T}}_T^{(A)}$ and ${\mathcal{T}}_B^{(A)}$ are preserved. In other words, for each particle from ${\mathcal{T}}_T^{(A)}$ and ${\mathcal{T}}_B^{(A)}$, Trent knows its position in ${\mathcal{T}}^{(A)}$ and, hence, with which particle in $\mathcal{A}$ it is entangled. The same is done with particles from ${\mathcal{T}}^{(B)}$, entangled with those in $\mathcal{B}$, obtaining ${\mathcal{T}}_T^{(B)}$ and ${\mathcal{T}}_A^{(B)}$.

7.

Trent sends the ordered subsets ${\mathcal{T}}_B^{(A)}$ and ${\mathcal{T}}_A^{(B)}$ to Bob and Alice, respectively, each consisting of 2N particles. The particles in ${\mathcal{T}}_B^{(A)}$ and ${\mathcal{T}}_A^{(B)}$ are entangled with the corresponding particles ($2N$ of them) in the sets $\mathcal{A}$ and $\mathcal{B}$, given to Alice and Bob, respectively. Note that knowing the indices ${\mathcal{I}}^{(A)}$, Alice knows which particle from ${\mathcal{T}}_A^{(B)}$ is entangled with $2N$ of the particles in $\mathcal{B}$; and analogously for Bob. Trent keeps the subsets ${\mathcal{T}}_T^{(A)}$ and ${\mathcal{T}}_T^{(B)}$ to himself, to be used during the binding phase.

The initialization phase: Stage II ends with the following:

• Alice has an ordered set $\mathcal{A}$ of $4N$ particles, entangled with $2N$ particles kept by Trent, ${\mathcal{T}}_T^{(A)}$, and additional $2N$ particles that are given to Bob, ${\mathcal{T}}_B^{(A)}$. She has another ordered set ${\mathcal{T}}_A^{(B)}$ of $2N$ particles, entangled with $2N$ particles given to Bob, chosen from $\mathcal{B}$ according to ${\mathcal{I}}^{(A)}$.
• Bob has an ordered set $\mathcal{B}$ of $4N$ particles, entangled with $2N$ particles kept by Trent, ${\mathcal{T}}_T^{(B)}$, and additional $2N$ particles that are given to Alice, ${\mathcal{T}}_A^{(B)}$. He has another ordered set ${\mathcal{T}}_B^{(A)}$ of $2N$ particles, entangled with $2N$ particles given to Alice, chosen from $\mathcal{A}$ according to ${\mathcal{I}}^{(B)}$.
• Trent keeps two ordered sets of $2N$ particles each, ${\mathcal{T}}_T^{(A)}$ and ${\mathcal{T}}_T^{(B)}$, entangled with $2N$ particles from $\mathcal{A}$ and $\mathcal{B}$, respectively.

Exchange phase:

Parties involved: Alice and Bob.

Input:

• The particles and indices Alice and Bob obtained at the end of the initialization phase.
• $h(M)$, the hash value of the contract M to be signed, obtained using publicly known function h.
• $H_{\mathtt{A}}=h(M)\oplus k_A$ and $H_{\mathtt{B}}=h(M)\oplus k_B$ for Alice and Bob, respectively.

Communication channel: Unauthenticated classical channel between the clients.

The exchange phase (see Figure 2) consists of $4N$ rounds. In each round, a client, say Alice, has a particle from $\mathcal{A}$, on which she measures ${\widehat{H}}_{{\mathtt{A}}_i}$, with $i\in \mathcal{I}$, and sends the results to Bob. In addition to this, in $2N$ rounds labeled by $j\in {\mathcal{I}}^{(A)}$, Alice measures ${\widehat{H}}_{{\mathtt{B}}_j}$ on the corresponding particles from ${\mathcal{T}}_A^{(B)}$. Note that Alice knows $k_{{\mathtt{B}}_j}$, and therefore, she knows $H_{{\mathtt{B}}_j}=h(M)\oplus k_{{\mathtt{B}}_j}$. Since Alice knows that those particles are entangled with Bob, she uses her measurement outcomes to compare them with the results received from Bob, thus checking his behavior. Bob performs his measurements analogously. These two kinds of measurements are shown in Figure 3.

8.

At the beginning of the exchange phase, Alice and Bob are in possession of $6N$ particles each. Alice has $4N$ particles denoted by $\mathcal{A}$ and $2N$ particles by ${\mathcal{T}}_A^{(B)}$, and analogously for Bob. On the $4N$ particles from $\mathcal{A}$, Alice measures her honest observable ${\widehat{H}}_{{\mathtt{A}}_i}$, with $i=1,\dots ,4N$. Bob measures ${\widehat{H}}_{{\mathtt{B}}_i}$ on his corresponding particles from $\mathcal{B}$. Their measurement outcomes form ordered sets of binary results ${\mathcal{R}}^{(A)}$ and ${\mathcal{R}}^{(B)},$ respectively, where:

$$\begin{array}{cc}\hfill {\mathcal{R}}^{(A)}=& {\mathcal{R}}_T^{(A)}\cup {\mathcal{R}}_B^{(A)},\hfill \\ \hfill {\mathcal{R}}^{(B)}=& {\mathcal{R}}_T^{(B)}\cup {\mathcal{R}}_A^{(B)}.\hfill \end{array}$$

(4)

We use ${\mathcal{R}}_T^{(A)}$ to denote Alice’s measurement results on the particles from $\mathcal{A}$ ($2N$ of them) that are entangled with ${\mathcal{T}}_T^{(A)}$ (kept by Trent) and ${\mathcal{R}}_B^{(A)}$ to denote her measurement results on the rest of the particles from $\mathcal{A}$ ($2N$ of them) entangled with ${\mathcal{T}}_B^{(A)}$ (given to Bob); and analogously for Bob’s results, ${\mathcal{R}}_T^{(B)}$ and ${\mathcal{R}}_A^{(B)}$. They send these results to each other, one-by-one: if Alice starts first: in the i-th step of the exchange, she sends to Bob her result ${\mathcal{R}}_i^{(A)}$, then Bob sends to Alice his result ${\mathcal{R}}_i^{(B)}$, and so on.

9.

For each round $i\in \mathcal{I}$ for which there exists $j\in {\mathcal{I}}^{(A)}$, such that $i=j$, Alice measures ${\widehat{H}}_{{\mathtt{A}}_j}$ on the corresponding particle from ${\mathcal{T}}_A^{(B)}$, to obtain ${\mathcal{R}}_{C_j}^{(B)}$ (see Figure 3). If Bob indeed measured his honest observable ${\widehat{H}}_{{\mathtt{B}}_i}$, then his measurement outcome will match Alice’s, ${\mathcal{R}}_i^{(B)}={\mathcal{R}}_{C_j}^{(B)}$. In the presence of noise, Alice applies a statistical test to verify if Bob provided enough consistent results (see Appendix A.1.2). In case $i\ne j\in {\mathcal{I}}^{(A)}$, Alice uses Bob’s result ${\mathcal{R}}_i^{(B)}\in {\mathcal{R}}_T^{(B)}$ for the optional binding phase, when Trent confronts Alice’s information about ${\mathcal{R}}_i^{(B)}$ with his own measurement outcomes. The same is done by Bob upon receiving ${\mathcal{R}}_i^{(A)}$ from Alice. Then: (i) if all measurement outcomes, ${\mathcal{R}}_C^{(A/B)}$ ($2N$ of them for each client), are found to be consistent by the end of the communication at step $4N$, both clients will, during the binding phase, obtain with certainty the certified document from Trent that allows them to acquire a signed contract from the authorities (see the description below of the binding phase); (ii) if one of the clients suspects dishonest behavior, the communication is stopped, and they measure their honest observables on all remaining qubits and proceed to the binding phase.

The exchange phase ends with the following: If no cheating occurred, Alice and Bob both obtain their own, as well as each others’ results, ${\mathcal{R}}^{(A)}$ and ${\mathcal{R}}^{(B)}$. In case the communication was interrupted at step m, a client, say, Alice, ends up with all of her own results ${\mathcal{R}}^{(A)}$ and those received from Bob by the step m (note that those do not necessarily need to be obtained by actually performing measurements on qubits).

Binding phase:

Parties involved: Trent and a client, say, Alice.

Input:

• The sets ${\mathcal{T}}_T^{(A)}$ and ${\mathcal{T}}_T^{(B)}$ of particles kept by Trent.
• The sets of Alice’s measurement results, ${\mathcal{R}}^{(A)}$, and those sent to Alice by Bob, ${\mathcal{R}}^{(B)}$. Note that in the case of Bob’s cheating, ${\mathcal{R}}^{(B)}$ might contain the wrong values, and in case the communication was interrupted at step m, it is only a partial set of results. For simplicity, we use the same symbol ${\mathcal{R}}^{(B)}$ for both sets of “honest”, as well as “dishonest” results.
• $h^{*}=h(M)$, the hash value of the contract M to be signed, obtained using publicly-known function h.
• A publicly-known distribution $p(\alpha )$ to choose the acceptance rate $\alpha$.

Communication channel: Private classical channel or in person.

The binding phase (see Figure 4) consists of the following step:

10.

During the binding phase, a single client, say Alice, presents her results to Trent in order to bind the contract, to receive a certified document, signed by Trent’s public key, declaring valid the hash value $h^{*}=h(M)$. Having such a certificate, Alice can appeal to the authorities to enforce the terms of the contract M: she presents the contract M and the signed document declaring the value $h^{*}$ valid, so that the authorities can verify that indeed $h^{*}=h(M)$ (note that the function h is publicly known). As pointed out in the Introduction, Trent is an agency accredited by the State (e.g., public notaries). To bind the contract, Alice provides the string $h^{*}=h(M)$ to Trent and presents her results ${\mathcal{R}}^{(A)}$, as well as those obtained from Bob, ${\mathcal{R}}^{(B)}$ (if the protocol was interrupted before its completion, Alice will guess the rest of Bob’s outcomes; see Appendix for details). Knowing $h^{*}$, Trent computes $H_{{\mathtt{A}}_j}=h^{*}\oplus k_{{\mathtt{A}}_j}$ and $H_{{\mathtt{B}}_j}=h^{*}\oplus k_{{\mathtt{B}}_j}$. Trent thus measures the honest observables ${\widehat{H}}_{{\mathtt{A}}_i}$ on N randomly-chosen qubits from the subset ${\mathcal{T}}_T^{(A)}$ and ${\widehat{H}}_{{\mathtt{B}}_i}$ on another N randomly-chosen qubits from ${\mathcal{T}}_T^{(B)}$ (the other $2N$ particles are kept for binding the contract for Bob, if requested). He also chooses independently at random $\alpha >1/2$, according to some publicly-known distribution $p(\alpha )$. Trent will give to Alice a certified document declaring the hash value $h^{*}$ valid (“bind the contract for Alice”) if the results ${\mathcal{R}}^{(A)}$ and ${\mathcal{R}}^{(B)}$ satisfy the following two conditions:

10a.

at least a fraction $\alpha$ of N Alice’s results from ${\mathcal{R}}_T^{(A)}$ is equal to Trent’s results on the corresponding entangled N particles from ${\mathcal{T}}_T^{(A)}$, and

10b.

at least a fraction $\alpha$ of N Bob’s results from ${\mathcal{R}}_T^{(B)}$ is equal to Trent’s results on the corresponding entangled N particles from ${\mathcal{T}}_T^{(B)}$.

The binding phase ends with the following: In case Trent finds Alice’s results consistent with his, she receives an authorized document from him declaring the hash value $h^{*}$ valid, which then allows her to obtain the certified copy of the contract M, for which $h^{*}=h(M)$.

3. Security Analysis

In our protocol, a cryptographic hash function h is used to map contract M to a bit string of fixed size $4N=|h(M)|$. Had Trent possessed an infinite computational power, he would be able to find the collisions, among which one message would be the contract M. Nevertheless, the problem of finding collisions for existing cryptographic hash functions (such as SHA256 and others) is not based on any mathematical or number theoretical conjecture, such as the hardness of factoring, but on the fact that the hashing function is highly irregular and non-linear. Its security is at the same level of symmetric cryptography (such as AES), which is assumed to be beyond the capacity of quantum technologies to attack, and moreover, AES is actually used in current commercial QKD services. Furthermore, note that at the time this paper was written, it was not yet found a single collision for SHA256 of two meaningless texts, and so, it is unforeseeable to find collisions for a given fixed text. Google used more than $9\times {10}^{18}$ hashes to find a meaningless collision of SHA1 [25], and SHA256 is considerably harder than SHA1. Finally, it is worthwhile noticing that the assumption that there exists an unbreakable hash function, the so-called random oracle model, is quite common, even when quantum information and computation is available [26]. In addition, having such computational power would also allow a cheating client (say, Bob) to find collisions as well, thus potentially giving him the opportunity to bind a different contract $M^{\prime }$, for which $h(M^{\prime })=h(M)$. Nevertheless, given a particular hash function h, it is negligible that other collisions different from the contract M would still represent meaningful contracts, let alone contracts that would be favorable to Bob.

Let us define the following probabilities for Alice to pass the above tests (a) and (b), in case the communication was interrupted at step m,

$$\begin{array}{ccc}\hfill P_{BTH}(m;\alpha )& -& \text{Probability that Bob passes Trent’s test on his own qubits},\hfill \\ \hfill P_{BTA}(m;\alpha )& -& \text{Probability that Bob passes Trent’s test on Alice’s qubits},\hfill \end{array}$$

$P_{ATH}(m;\alpha )$ and $P_{ATB}(m;\alpha )$ can be analogously defined as Alice’s probabilities to pass Tests (a) and (b). Additionally, we define Bob’s probability to pass Alice’s verification test on the results ${\mathcal{R}}_i^{(A)}\in {\mathcal{R}}_B^{(A)}$ (see Step (5) of Section 2) received from Alice by step m, as:

$$\begin{array}{ccc}\hfill P_{BAS}(m)& -& \text{Probability that Bob passes Alice’s test on their shared qubits},\hfill \end{array}$$

and analogously $P_{ABS}(m)$ for Alice.

It is easy to verify that, in the noiseless scenario, the protocol is optimistic. If both clients follow the protocol honestly till the end, both of them are able to enforce the contract: Alice will have all the consistent results for her own, as well as Bob’s qubits, allowing her to bind the contract with probability one (the same happens for Bob).

To analyze the probabilistic fairness quantitatively, we introduce the so-called probability to cheat, along the lines of the similar quantity analyzed in [22]. By $P_{bind}^{\mathcal{B}}(m;\alpha )=P_{BTH}(m;\alpha )·P_{BTA}(m;\alpha )$, we denote the probability that Bob passes Trent’s tests and can thus bind the contract, if the communication is interrupted at step m of the protocol, for a given choice of $\alpha$; and analogously for Alice. To reach step m, both clients have to pass each others’ verification, which is given by the probability $P(m)=P_{BAS}(m)·P_{ABS}(m)$. Bob’s probability to cheat at step m, for a given $\alpha$, is defined as the probability that he can bind the contract, while Alice cannot, multiplied by the probability to reach step m:

$$P_{ch}^{\mathcal{B}}(m;\alpha )=P(m)·P_{bind}^{\mathcal{B}}(m;\alpha )\left[1-P_{bind}^{\mathcal{A}}(m;\alpha )\right].$$

(5)

Note that the above probabilities also depend on the particular distribution of entangled pairs, denoted as “configuration $\mathcal{L}$”, given by probability $q(\mathcal{L})$, and in the case of a dishonest client, the cheating strategy. Furthermore, both the above, as well as any probability evaluated (with the exception of $p(\alpha )$) depend on N; therefore, we omit writing it, as it is implicitly assumed. Nevertheless, the dependence on configuration $\mathcal{L}$ is relevant in calculations, and below, we analyze it in detail.

As prescribed by the protocol, Trent gives $6N$ qubits to Alice: $4N$ qubits from $\mathcal{A}$ and $2N$ from ${\mathcal{T}}_A^{(B)}$ (see Figure 5), together with their relative positions. Analogously, Bob receives $6N$ qubits from $\mathcal{B}$ and ${\mathcal{T}}_B^{(A)}$. We assume that all the classical communications between Trent and clients are private and authenticated, based on, say, pre-shared symmetric key schemes. After the communication has stopped at step m, out of the $4N$ qubits to measure from $\mathcal{A}$ and $\mathcal{B}$, Alice and Bob will be left with ${\ell }^{(A)}$ and ${\ell }^{(B)}$ unmeasured qubits, respectively, with ${\ell }^{(A)}={\ell }^{(B)}=4N-m$. Note that, among the ${\ell }^{(A)}$ and ${\ell }^{(B)}$ qubits, not all will be used by Trent to bind the contract for Alice and Bob. In fact, the qubits that are entangled between Alice and Bob are irrelevant for their binding probabilities. They are used by the parties to check each others’ honesty. Let then ${\ell }^{(A)}$ be decomposed into ${\ell }_T^{(A)}$ and ${\ell }_B^{(A)}$, the qubits entangled with those held by Trent and by Bob, respectively. Analogously, let ${\ell }^{(B)}$ be decomposed into ${\ell }_T^{(B)}$ and ${\ell }_A^{(B)}$. Therefore:

$$\begin{array}{cccccc}\hfill \mathrm{Alice}:& \hfill (2N+2N)-m& =& {\ell }^{(A)}\hfill & =& {\ell }_T^{(A)}+{\ell }_B^{(A)}\hfill \\ \hfill \mathrm{Bob}:& \hfill (2N+2N)-m& =& {\ell }^{(B)}\hfill & =& {\ell }_T^{(B)}+{\ell }_A^{(B)}.\hfill \end{array}$$

(6)

In order to bind the contract, a client, say Bob, has to present his own measurement results, as well as those obtained from Alice. Then, Trent checks if they are correlated with those obtained on qubits in his possession. Unlike the previous proposal [22], in which both clients had to be present and show their results to Trent in order to both obtain signed contracts during the binding phase, in the current protocol, Bob does not need Alice to be summoned in order to bind the contract (and vice versa). Since the protocol should be symmetric to both clients, it should allow that they both, separately, are able to bind the contract. For this reason, when binding the contract to, say Bob, Trent does not check all of his results from ${\mathcal{T}}_T^{(A)}$ and ${\mathcal{T}}_T^{(B)}$ for qubits entangled with $\mathcal{A}$ and $\mathcal{B}$, respectively. Note that to check Bob’s results, Trent has to measure the honest observables ${\widehat{H}}_{{\mathtt{A}}_i}$ and ${\widehat{H}}_{{\mathtt{B}}_i}$ on his qubits, he obtains using the $h^{*}=h(M)$ provided by Bob. Therefore, if both clients were using the same sets of qubits (entangled with those in Trent’s possession) to bind the contract separately, a dishonest Bob would have a trivial successful cheating strategy. He measures his honest observables given by the mutually-agreed contract M, which allows him to bind that contract. Nevertheless, in case he later decides not to comply with it, he simply provides Trent with a random $h^{\prime }\ne h(M)$. As a consequence, Trent’s results will be uncorrelated with both Bob’s, as well as Alice’s results, i.e., neither client would be able to bind the contract M. This is precisely the reason for checking only N out of $2N$ qubits from ${\mathcal{T}}_T^{(A)}$ and ${\mathcal{T}}_T^{(B)}$, each.

Thus, Trent’s qubits are each divided into two equal subsets of the same size, ${\mathcal{T}}_T^{(A)}={\mathcal{T}}_{T1}^{(A)}\cup {\mathcal{T}}_{T2}^{(A)}$ and ${\mathcal{T}}_T^{(B)}={\mathcal{T}}_{T1}^{(B)}\cup {\mathcal{T}}_{T2}^{(B)}$: the sets with the $T1$ subscript are used for binding the contract to Alice, while those with $T2$ for Bob. Consequently, we have ${\ell }_T^{(A)}={\ell }_{T1}^{(A)}+{\ell }_{T2}^{(A)}$ and ${\ell }_T^{(B)}={\ell }_{T1}^{(B)}+{\ell }_{T2}^{(B)}$ (see Figure 5).

The overall configuration $\mathcal{L}$ of the entangled pairs distributed between Alice, Bob, and Trent is given by six numbers,

$$\begin{array}{c}\mathcal{L}=\left\{{\ell }_B^{(A)},{\ell }_{T1}^{(A)},{\ell }_{T2}^{(A)},{\ell }_A^{(B)},{\ell }_{T1}^{(B)},{\ell }_{T2}^{(B)}\right\},\\ \mathrm{with}q(\mathcal{L})\le q({\ell }_B^{(A)})·q({\ell }_{T1}^{(A)})·q({\ell }_{T2}^{(A)})·q({\ell }_A^{(B)})·q({\ell }_{T1}^{(B)})·q({\ell }_{T2}^{(B)}).\end{array}$$

(7)

Therefore, Bob’s probability to cheat, given by Equation (5), now written with the explicit dependence on the configuration $\mathcal{L}$, is:

$$P_{ch}^{\mathcal{B}}(m;\alpha |\mathcal{L})=P(m|{\ell }_B^{(A)},{\ell }_A^{(B)})·P_{bind}^{\mathcal{B}}(m;\alpha |{\ell }_{T2}^{(A)},{\ell }_{T2}^{(B)})·\left[1-P_{bind}^{\mathcal{A}}(m;\alpha |{\ell }_{T1}^{(A)},{\ell }_{T1}^{(B)})\right].$$

(8)

Averaging the “constituent” probabilities from the above equation over their respective configurations from $\mathcal{L}$ gives:

$$\begin{array}{c}P(m)={\langle P_{ABS}(m|{\ell }_B^{(A)})\rangle }_{{\ell }_B^{(A)}}·{\langle P_{BAS}(m|{\ell }_A^{(B)})\rangle }_{{\ell }_A^{(B)}},\\ P_{bind}^{\mathcal{B}}(m;\alpha )={\langle P_{BTH}(m;\alpha |{\ell }_{T2}^{(B)})\rangle }_{{\ell }_{T2}^{(B)}}·{\langle P_{BTA}(m;\alpha |{\ell }_{T2}^{(A)})\rangle }_{{\ell }_{T2}^{(A)}},\\ P_{bind}^{\mathcal{A}}(m;\alpha )={\langle P_{ATH}(m;\alpha |{\ell }_{T1}^{(A)})\rangle }_{{\ell }_{T1}^{(A)}}·{\langle P_{ATB}(m;\alpha |{\ell }_{T1}^{(B)})\rangle }_{{\ell }_{T1}^{(B)}},\end{array}$$

(9)

where ${\langle A\rangle }_{\ell }$ represents the expectation value of $A(\ell )$ over the values of ℓ. To simplify notation, in the following, we will use $P_{ABS}(m)={\langle P_{ABS}(m|{\ell }_B^{(A)})\rangle }_{{\ell }_B^{(A)}}$ and $P_{BTH}(m;\alpha )={\langle P_{BTH}(m;\alpha |{\ell }_{T2}^{(B)})\rangle }_{{\ell }_{T2}^{(B)}}$, and analogously for the other four probabilities from the right-hand sides of the above three equations.

Hence, with Bob’s probability to cheat, averaged over all configurations $\mathcal{L}$,

$$\begin{array}{ccc}\hfill P_{ch}^{\mathcal{B}}(m;\alpha )& =& \sum _{\mathcal{L}}q(\mathcal{L})P_{ch}^{\mathcal{B}}(m;\alpha |\mathcal{L})\hfill \\ & \le & P(m)·P_{bind}^{\mathcal{B}}(m;\alpha )\left[1-P_{bind}^{\mathcal{A}}(m;\alpha )\right],\hfill \end{array}$$

(10)

we have the expected probability to cheat as:

$${\overline{P}}_{ch}^{\mathcal{B}}(m)=\int p(\alpha )P_{ch}^{\mathcal{B}}(m;\alpha )d\alpha .$$

(11)

For honest clients that follow the protocol, the above probability is determined by the steps prescribed by the protocol (the “honest strategy”). In case a client, say Bob, does not follow the protocol, the above probability depends on the “cheating strategy” of a dishonest client. It turns out (see Appendix A.2) that the quantum part of the honest and the optimal cheating strategies is the same, i.e., the (quantum) measurements performed by a cheating Bob are the same as that of an honest one, given by his honest observables ${\widehat{H}}_{{\mathtt{B}}_i}$. In other words, the best a cheating Bob can do is to send to Alice the wrong results determined by a frequency f. This is a consequence of the fact that Bob does not know which of the qubits given to him are used to bind the contract by Trent and which to check his honesty by Alice (for details, see Appendix A.2).

In Appendix A.1, we derive the explicit expressions for the expected probability to cheat (11) for honest clients that follow the protocol, in the ideal noiseless case (Appendix A.1.1), as well as for noisy environments (Appendix A.1.2), thus showing the soundness of the protocol. In Figure 6a,b,d,e, we present the values of the maximal expected probability to cheat as a function of the total number of photons for the values of $4N$ up to 6000. In both cases (as well as for the case of a cheating client discussed below), the results are obtained for the uniform $p(\alpha )$ on the intervals $[0.9,0.99]$, $[0.8,0.99]$, and $[0.7,0.99]$, and with a noise parameter $\kappa =0.05$. The observed dependence ${max}_m{\overline{P}}_{ch}^{\mathcal{A}/\mathcal{B}}(m)\propto N^{-1/2}$ is confirmed by the proof of the asymptotic behavior, $P_{ch}(m;\alpha )\in \mathcal{O}(N^{-1/2})$ (see Theorem A1 from Appendix A.1.1).

In Appendix A.2, we evaluated the corresponding probabilities for the case of a cheating client who deviates from the protocol, in the presence of noise. In Figure 6c,f, we plot the values of the maximal expected probability to cheat against $4N$, for the optimal cheating strategy, showing the same dependence $\propto N^{-1/2}$. Further, in Appendix A.1 and Appendix A.2, we analyze the decrease of the expected probabilities to cheat in case the cheating strategy deviates from the optimal values of m or f.

The results presented in Figure 6 are obtained for a fixed value of the noise parameter $\kappa$. By increasing the noise, more and more “wrong” results are going to be obtained, such that even honest participants will either interrupt the communication during the exchange phase or will not be able to bind the contract with Trent. The figure of merit here is the final average probability to bind obtained for $m=4N$, given by Equations (A26)–(A28) from Appendix A.1.2 (note that, if upon exchanging all the messages, clients have high enough probability to bind the contract, then they would also be able to pass each others’ tests during the whole exchange phase with equally high probability).

Thus, for a fixed number of rounds, $4N$, range of $\alpha$, and its probability distribution $p(\alpha )$, one can straightforwardly obtain the threshold values for the noise parameter $\kappa$, both for the honest noisy, as well as for dishonest noisy cases (note that such threshold values depend on predetermined security level, i.e., the lower bound for the binding probability set by the users).

While such quantitative numbers can straightforwardly be obtained using the analysis presented in the paper, they would not be very informative. Namely, what one should do is to, given the noise level (given $\kappa$), determined by the actual implementation setup, optimize the rest of the relevant parameters ($N,p(\alpha )$ and its range). While conceptually, this is possible to do, it is clearly exceptionally demanding regarding the computational resources (note that in our analysis, we probed only three $\alpha$ ranges and only the simplest uniform distribution). Our paper is more of a proof of a concept, rather than the final analysis, which, as mentioned, is strongly implementation dependent.

Therefore, considering our limited computational power and the fact that the presented threshold values for $\kappa$ would probably differ from the ones to be obtained by optimizing the parameters of actual implementations, we decided to omit such numerical analysis. Note that the above discussion also applies for the cheating probability: to obtain the optimized cheating probability levels, one should vary all the relevant parameters. Nevertheless, while it is obvious that the binding probability will decrease as the noise increases, it was not at all obvious that it is even possible to establish upper bounds for the cheating probability, such that it can be made arbitrarily low.

The techniques presented in our paper use the “brute force” numerical approach in obtaining the final quantitative results (with the exception of our analytic proof of the asymptotic behavior given in Theorem A1 from Appendix A.1.1), which do not allow for drawing qualitative insights. Developing more closed analytic expressions for the final binding and cheating probabilities that can be analyzed beyond the final numerical values would be an interesting topic of future research.

4. Discussion

Like the previous version of the quantum contract-signing protocol [22], the proposed protocol relies on long-term stable quantum memories, namely keeping entangled pairs until the binding phase. The practical problem of long-term stable quantum memories can be overcome by a simple modification: instead of EPR pairs, Trent sends (over an authenticated quantum channel) two ordered sets of photons in pure BB84 states, one for Alice and the other for Bob. As soon as the clients receive their particles, they measure on them the honest observables according to $h(M)$. Thus, all the information kept by the parties is classical and can be used to check the agents’ behavior and honesty, similarly as in the protocol we proposed. This approach goes along the lines of reducing the security of BB84 to the E91 entangled QKD protocol. The details of such a reduction are a matter of a separate study.

Contract signing is an important and wide-spread cryptographic protocol, as performing transactions over the Internet is an important part of today’s society. Nevertheless, all such current classical implementations fully rely on the use of a third trusted party. Moreover, if buying directly from, say, Amazon, the trust is handed over to a signing party, Amazon itself. Within classical approaches, there are several service providers and applications that can mediate the contract signing process, such as EverSign, HelloSign, and DocuSign.

On the other hand, if the parties do not want to rely fully on a third party to exchange the signature between them, classical solutions, such as [15,16,17,18,19,20,21], mentioned in the Introduction, require the gradual exchange of signed parts of the message. Therefore, classical digital contract signing is a very demanding application from the point of view of communication and computation: the exchange process has a significant number of rounds, and each exchanged message has to be digitally signed using (computationally-demanding) public-key cryptographic systems and infrastructures. We refer the reader to the following survey [27] for a more detailed description of these protocols. As a consequence, such classical contract signing applications are, due to their current inefficiency, to the best knowledge of the authors, not present on the market. We note that this is precisely the reason classical solutions to secure multiparty computation privacy protocols are not widely available as well. Potentially fast exchange of (single or coherent) photon pulses might be one of the main advantages of quantum solutions to the mentioned cryptographic problems. Note that by now, it was the higher security levels that promoted quantum over classical cryptography. This novel feature, providing practical schemes not even available classically, might potentially be shown to be significant.

5. Conclusions

We presented a quantum protocol for signing contracts. We showed that, under the realistic assumptions of noise and measurement errors, the protocol was fair, and consequently optimistic as well. In particular, the maximal probability to cheat can be made arbitrarily low, as it scaled as $1/\sqrt{N}$, where $4N$ was the total number of rounds of the protocol. We also showed that our protocol was robust against noise. Indeed, even in a dishonest noisy case, the probability to cheat could be as low as $0.022$, for $4N=6000$, the noise parameter $\kappa =0.05$, and $\alpha \in [0.7,0.99]$. Moreover, already for $4N=400$, the probability to cheat was below $10\%$ (in the honest scenarios, this was so for $4N=300$). Given the noise level $\kappa$, finding optimal parameters N, the range of $\alpha$ and $p(\alpha )$, was straightforward using the “brute force” techniques presented in the current paper (running computer codes and simulations). Full analytical study of such optimization problem is a matter of future study.

Unlike the classical counterparts, the protocol was based on the laws of physics, and the clients did not need to exchange a huge number of signed authenticated messages during the actual contract signing process (the exchange phase). Thus, the protocol was abuse-free: a client cannot prove to be involved in the actual act of signing the contract. In contrast, in the classical counterparts, having the signed and authenticated messages received during the exchange phase, a client could show them to other interested clients to negotiate better terms of a financial transaction. In other words, classically, a dishonest client can abuse the signing process by falsely presenting his/her interest in the deal, while actually using the protocol to achieve a different goal(s). Unlike generic quantum security protocols (say, quantum key distribution), preforming quantum measurements different from those prescribed by the protocol cannot help a cheating client (see Appendix A.2 for details). In the current proposal, each client can independently obtain the signed contract, without the other client being present, which was not possible in [22]. Thus, the probability to cheat was assigned to a real event (whereas in [22], it was just a formal figure of merit). Unlike the classical counterparts (and the previous quantum proposal [22]), when first contacting Trent, the clients did not need to agree upon a definitive contract. Moreover, Trent never learned the actual content of the protocol, as the clients provided Trent its hash value, $h^{*}=h(M)$, given by publicly-known hash function h.