Cryptanalysis of a Semi-Quantum Bi-Signature Scheme Based on W States

Recently, Zhao et al. proposed a semi-quantum bi-signature (SQBS) scheme based on W states with two quantum signers and just one classical verifier. In this study, we highlight three security issues with Zhao et al.’s SQBS scheme. In Zhao et al.’s SQBS protocol, an insider attacker can perform an impersonation attack in the verification phase and an impersonation attack in the signature phase to capture the private key. In addition, an eavesdropper can perform a man-in-the-middle attack to obtain all of the signer’s secret information. All of the above three attacks can pass the eavesdropping check. Without considering these security issues, the SQBS protocol could fail to ensure the signer’s secret information.

In 2019, Zhao et al. [82] proposed a semi-quantum bi-signature (SQBS) scheme based on W-like states [83][84][85] and a quantum teleportation technique [86]. In the SQBS protocol, two participants are quantum-capable signers, and one is conventionally capable verifier. The main technique is to transmit the secret message of the signature to another signer through W-state teleportation technology. Then, the two signers transmit the signature messages to the verifier via their pre-shared keys. Finally, the verifier confirms that the two received signatures are identical, and the signature is completed.
Although Zhao et al. [82] proposed an SQBS protocol and proved the security of their protocol, in this study we highlight three security problems with the proposed SQBS protocol [82].

1.
In the final step of the verification phase, the verifier (Charlie) performs an XOR operation with the pre-shared keys of two signers (Alice and Bob). If the verification passes, it means that the signature message is the same. Therefore, Bob can infer Alice's pre-shared key and forge Alice's signature later.

2.
In the final step of the signature phase, the signer (Alice) transmits the signature message and the W-state measurement results to the verifier (Charlie) through the public classical channel. The public classical channel can be eavesdropped on and tampered with. Therefore, Bob can use the received secret message, Alice's signature message, and measurement results to infer Alice's pre-shared key, which can then be used to forge Alice's signature.

3.
The signer (Alice) transmits the secret message to another signer (Bob) through W-state teleportation technology; however, Alice and Bob do not perform any eavesdropping checks during the teleportation stage. Therefore, the eavesdropper (Eve) will be able to capture the secret message through a man-in-the-middle attack.
The rest of this paper is organized as follows. In Section 2, we review Zhao et al.'s SQBS protocol. In Section 3, we discuss three security issues associated with the protocol. Finally, in Section 4 we present our conclusions and discussion.

Review of Zhao et al.'s SQBS Protocol
In Zhao et al.'s SQBS protocol [82], there are three participants: Alice and Bob (signers with quantum capabilities) and Charlie (a verifier with only classical capabilities); the classical capabilities of Charlie limit him to the use of the Z basis { |0 , |1 } to measure and generate single photons and to directly return the received quantum state. The eavesdropper, Eve, can perform any attack without violating the definition of quantum mechanics. generate single photons and to directly return the received quantum state. The eavesdropper, Eve, can perform any attack without violating the definition of quantum mechanics. Zhao et al.'s SQBS protocol is divided into three phases: the initial phase, the signature phase, and the verification phase. An overview of Zhao et al.'s SQBS protocol is shown in Figure 1. The detailed steps of Zhao et al.'s SQBS protocol are described as follows.

Initial Phase
In the initial phase, the pre-shared keys, and , are allocated, and the W-like state is prepared to provide the execution requirements in the subsequent signature phase and verification phase.
Alice prepares the secret message, The agreed encoding rule is as follows: if the classical bit is "0", then |0⟩ is generated; if the classical bit is "1", then |1⟩ is generated.
Step 3. Through Krawec's semi-quantum key distribution protocol [36], Alice and Charlie can share a private key, ; Bob and Charlie can share a private key, .

Initial Phase
In the initial phase, the pre-shared keys, K AC and K BC , are allocated, and the W-like state is prepared to provide the execution requirements in the subsequent signature phase and verification phase.
Step 1. Alice prepares the secret message, The agreed encoding rule is as follows: if the classical bit is "0", then | 0 is generated; if the classical bit is "1", then | 1 is generated. Step 2. Bob and Alice prepare n sets of W-like states, Step 3. Through Krawec's semi-quantum key distribution protocol [36], Alice and Charlie can share a private key, K AC ; Bob and Charlie can share a private key, K BC .

Signature Phase
This phase focuses on Alice and Bob generating their respective signatures and sending them to Charlie. In addition, Alice sends the secret message, M A = {m 1 , m 2 , . . . , m n }, to Bob through the quantum teleportation of the W-like state.
Step 1. Alice sends | W 5 and | W 6 of | to Alice and keeps | W 3 for himself.
Step 2. Alice, Bob, and Charlie perform Z-basis measurements on their respective | W 4 , | W 5 , and | W 6 and obtain the measurement results for A, B, and C. Alice's signature message (S A ) can be obtained through the coding rule listed in Table 1. Then, the signature message (S A ) and the pre-shared key (K AC ) perform the exclusive or (XOR) operation to obtain Alice's signature, S A = S A K AC . Finally, Alice sends the signature (S A ) and the measurement result (A) to Charlie through the public classical channel.
Step 4. Alice generates the secret message (M A ) as a single photon |M A according to the coding rules (i.e., if the classical bit is "0", then generate | 0 ; if the classical bit is "1", then | 1 is generated Finally, Bob measures |M B in Z basis to obtain Alice's secret message (M B ).  Table 1. Then, the signature message (S B ) and the pre-shared key (K BC ) can be used to perform the XOR operation to obtain Bob's signature, S B = S B K BC . Finally, Bob sends the signature (S B ) and the measurement result (B) to Charlie through the public classical channel.

Verification Phase
This stage involves Charlie verifying whether Alice's and Bob's signatures are correct; the verification steps are as follows.
Step 1. Charlie first checks that Alice's, Bob's, and his own measurement results (A, B,

Security Issues of Zhao et al.'s SQBS Protocol
In this study, we identified three security problems in Zhao et al.'s SQBS protocol: an impersonation attack in the verification phase, an impersonation attack in the signature Entropy 2022, 24, 1408 5 of 9 phase, and a man-in-the-middle attack. The mechanisms of these three attack patterns are explained below.

Impersonation Attack in the Verification Phase
Consider Bob as the insider attacker. If Bob wants to impersonate Alice's identity, he must obtain Alice's private key with Charlie, K AC . The following illustrates how Bob attacks.
In Step 4 of the verification phase, if Charlie accepts Alice's and Bob's signatures, then Charlie sends M A K AC and M B K BC to Alice and Bob, respectively. In this step, Bob intercepts the result of copying M A K AC . Furthermore, if the signature is passed, it means that Bob's message (M B ) is the same as M A . Therefore, Bob can deduce that M A K AC = M B K AC and learn the value of K AC . In this way, Bob can impersonate Alice's identity and communicate with Charlie through K AC .

Impersonation Attack in the Signature Phase
Similarly, considering Bob as the insider attacker, if Bob wants to impersonate Alice's identity, he must obtain Alice's private key, K AC . The following describes Bob's attack strategy. In Step 3 of the signature phase, Alice sends her signature (S A ) and the measurement result (A) to Charlie through the public classical channel. Hence, Bob can intercept and learn Alice's signature (S A ) and the measurement result (A). In Step 4 of the signature phase, Bob can obtain Alice's message (M B ) through the quantum teleportation of the W-like state. In this way, Bob has both M B and A and can deduce Alice's S A in Table 1. Then, through S A and S A , Bob can deduce Alice's private key, K AC = S A S A . Finally, Bob can impersonate Alice's identity through K AC to communicate with Charlie.

Man-in-the-Middle Attack
In the quantum signature protocol, the signer's message cannot be known by anyone other than the signer. Therefore, Alice's secret message (M A ) cannot be eavesdropped on. Once the signer's secret message is leaked, the protocol is declared a failure. In Zhao's SQBS protocol, the signers (Alice and Bob) protect Alice's secret messages (M A ) through the quantum teleportation of the W-like state. However, in this study, we revealed that the eavesdropper, Eve, can perform a man-in-the-middle attack to obtain Alice's secret message (M A ) without being detected. Because Alice and Bob do not have any protection or checking mechanism when executing quantum teleportation, Eve can capture the secret message (M A ). An overview of the man-in-the-middle attack on Zhao's SQBS protocol is shown in Figure 2. The attack strategy is described as follows.
Step A1. In Step 1  cepted | ⟩ in the W-basis | ⟩, | ⟩ . Then, Eve informs Bob of the measurement result ( ). Based on the measurement result ( ), Bob can perform the corresponding operation , , , in | ⟩ to obtain | ⟩ . Finally, | ⟩ is measured through the Z-basis to obtain Alice's secret message ( ).
Because Eve's attack does not destroy the secret message ( ), Charlie's inspection of Alice's and Bob's signatures will pass smoothly in the final verification stage. Therefore, Eve successfully executes the man-in-the-middle attack to capture Alice's secret message ( ) and is not discovered.

Conclusions
In this study, we highlight three security issues with Zhao et al.'s SQBS protocol: an impersonation attack in the verification phase, an impersonation attack in the signature phase, and a man-in-the-middle attack. In the impersonation attack, the insider attacker can capture the private key and impersonates the signer's identity to communicate with the verifier. In the man-in-the-middle attack, the eavesdropper can obtain all the signer's secret messages. All of the above three attacks can pass the eavesdropping check. Without considering these security issues, the SQBS protocol could fail to ensure the security of the signature. A possible solution is to add an eavesdropping check, for example, using decoy photons as an eavesdropping check. However, this requires an authenticated channel between the verifier and each signer and is therefore not very elegant. Improved solutions for this new issue in the SQBS protocol need to be designed in future research.   Because Eve's attack does not destroy the secret message (M A ), Charlie's inspection of Alice's and Bob's signatures will pass smoothly in the final verification stage. Therefore, Eve successfully executes the man-in-the-middle attack to capture Alice's secret message (M A ) and is not discovered.

Conclusions
In this study, we highlight three security issues with Zhao et al.'s SQBS protocol: an impersonation attack in the verification phase, an impersonation attack in the signature phase, and a man-in-the-middle attack. In the impersonation attack, the insider attacker can capture the private key and impersonates the signer's identity to communicate with the verifier. In the man-in-the-middle attack, the eavesdropper can obtain all the signer's secret messages. All of the above three attacks can pass the eavesdropping check. Without considering these security issues, the SQBS protocol could fail to ensure the security of the signature. A possible solution is to add an eavesdropping check, for example, using decoy photons as an eavesdropping check. However, this requires an authenticated channel between the verifier and each signer and is therefore not very elegant. Improved solutions for this new issue in the SQBS protocol need to be designed in future research.