Quantum Group Signature Scheme Based on Chinese Remainder Theorem

A novel quantum group signature scheme is proposed based on Chinese Remainder Theorem (CRT), in order to improve the security of quantum signature. The generation and verification of the signature can be successfully conducted only if all the participants cooperate with each other and with the message owner's and the arbitrator's help. The quantum parallel algorithm is applied to efficiently compare the restored quantum message to the original quantum message. All the operations in signing and verifying phase can be executed in quantum circuits. It has a wide application to E-payment system, Online contract, Online notarization and etc.


Introduction
Digital signature is one of the most important part of modern cryptography, which serves as a basic module to design cryptography protocols [1].Digital signature is usually employed to guarantee the authenticity, integrity, and non-disavowal of transmitting messages.Group signature scheme was introduced in 1991 by Chaum and Heyst [2] firstly.In 1997, Camenisch and Stadler [3] improved Chaums scheme and developed the more efficient scheme CS97 for larger groups.CS97 was further enhanced by Bresson and Sterm [4] to be revocable for group numbers.Moreover, Ateniese and Camenisch [5] proposed a safe and efficient group signature scheme in 2000.Those are mostly based on the complexity of the system employed and they become increasingly vulnerable with more powerful computation.This difficulty can be overcome by quantum cryptography [6].The biggest difference between quantum cryptography and classical cryptography is that quantum cryptography is the combination of quantum mechanics and cryptography, where the security is ensured by physical principles such as the Heisenberg uncertainty principle and the quantum no-cloning theorem.Now quantum cryptography has attracted a great deal of attention because it can stand against quantum attack, and has put forward many advances in quantum cryptography, including quantum secret sharing, quantum key distribution (QKD) [7][8][9][10] and quantum secure direct communication (QSDC) [10][11][12][13][14].
Taking advantage of the quantum properties of physical, many quantum signature schemes have been introduced.Zeng et al. introduced a quantum signature scheme based on the classical signature theory and quantum cryptography [15][16][17][18], whose algorithm is a symmetrical quantum key cryptosystem with Greenberger-Horne-Zeilinger (GHZ) triplet states.Li et al. proposed an arbitrated quantum signature scheme using Bell states [19].Gottesman and Chuang proposed a quantum digital signature scheme based on quantum one-way function [20], and Lee also presented two quantum signature schemes with message recovery [21].Unconditional security of the above quantum signature schemes have been proved, but they are not designed for 'group'.Therefore, a group signature can be devised based on quantum cryptography.
In this paper, we propose a group signature scheme based on Chinese Remainder Theorem (CRT).In our scheme, secret key is unforgeable, generated by the owner, and can be shared with the arbitrator based on QSCD protocol.The signing group contains two participants, and they collaborate to sign on the message by applying CRT with arbitrator and restore the message by performing the inverse CRT with arbitrator's assistance for the verification of signature.However, any t-1 or fewer participants can neither sign on the message nor restore the signed message.The message owner cooperate to verify the message by applying a quantum comparison circuit for comparing the restored quantum message to the original quantum message and arbitrator could inform message owner and group participants of the verified result.Furthermore, all the quantum circuits and operation gates are packaged in black boxes [22] to enhance the security.
The rest of this paper is organized as follows.Sect. 2 introduces the basic knowledge about our scheme.Sect. 3 proposes a quantum group signature scheme which includes an initial phase, a signing phase, and a verification phase.Security analysis is made in Sect.4, and a brief conclusions are drawn in Sect. 5.

Preliminaries
The original Chinese Remainder Theorem was proposed by SunZi and later republished in 1247 by Qin [23].The CRT is ofen applied in computer science, such as RSA algorithm calculation, classical secret sharing and ect, and several versions of the Chinese Remainder Theorem have been proposed.The general CRT can be described as follows.
Lemma 1.Let n > 2, , , , n be relatively prime in pairs, and . The system of equations . The solution can be obtained as where , , and Y < B. mod 1 According to this theorem, Alice can obtain the group signature.Suppose Alice sends the message number x to the Bob(group participants), Bob encrypts x by the secret key i based on Equation (1), and the result i is the element of the sequence of the signature.In this way, Alice can obtain his group signature.

Scheme Descriptions
The text above shows the basic signing algorithm of this scheme.Next the details of the scheme can be illustrated as follows, which contains three participants Alice (the message owner), G (the signing group), and Trent (the arbitrator).The three phases of our quantum signature scheme is introduced as follows.

Initial Phase
Step 1. Set up a signing group G, whose participants are ( 1,2, , Bob n


Step 2. In this paper, we discuss the binary 3-qubit system, which can be defined as where   , , 0,1 x y z  .

Quantum Group Signing Phase
In this quantum group signature scheme, Alice prepares a quantum message.The group G generates a signature with assistance of Trent who doesn't understand the details about the signing algorithm.The participants of group G don't communicate with other.
Step , where   , , , , , 0,1 , x y z u v w binary strings xyz and correspond to the decimal numbers, and Step 3. Trent receives the According to Eq.( 3) , the quantum message P  can be rewritten as where . The states of P  refer to a binary sequence , so the corresponding classical message X can be acquired by Trent.
For example, if Trent receives a quantum sequence like   000 , 001 , 110 , it can be represented as where is the Bob  's private key, and the generated classical remainder.is K  and S  can be represented by 6-bit binary sequence and according to Equation (3) the state can be shown as Signature S can be donated as follows 1 2 , , , , where S  is the classical remainder, S  is the corresponding state of S  .
Step 5. Bob can send the signature S to Trent.

Verification Phase
A verification algorithm is developed here based on the CRT such that Alice is able to verify Bob's signature S .The verification process requires the assistance of Trent.
Step 1.When Trent receives Bob's signatures S , he restores message as Equation ( 2) to X  .The algorithm can be showed as follows, Step 2. Trent transforms X  to the binary sequence X   .The process can be described as follows, where d = 2.The binary sequence can be represented as , which corresponds to the states of P   .In this way, Trent gets the quantum message Step 3. Trent performs the corresponding reverse transformations ) on each state of   , , 0,1 x y z  P   .He can obtain the the states of P  .According to Equation (3), P  can be described as where . At last the restored message is acquered.Then Trent input it into the quantum verification circuit which is shown in Figure 1 [24] directly, and sends the signature S to Alice at the same time.
Step 4. The message owner Alice also input the originnal message P  into the quantum verification circuit at the same time.Then Alice starts to wait for the verifycation from Trent.
Step 5. We generalize the qubit string comparator introduced by Ref. [25] with quantum parallel algorithm [22] which makes the quantum computation on quantum message more effectively to compare The quantum circuit which is presented in Figure 1.In a measurement of the outputs ( and 2 ), if 1 = 1 and = 0 then

Conclusions
So far we have proposed a group signature scheme based on CRT.Now let us discuss the security of the group signature scheme.A secure quantum signature scheme should satisfy two requirements: one is that the message should not be forged by the attacker and the other is the impossibility of disavowal by the message originator and the signatory.

Impossibility of Forgery
In this scheme, the arbitrator Trent is trusted, K» cannot be forged.Anyone attempts to forge Bob's signature would definitely be detected.Specifically, assuming that Eve wants to imitate Bob's signature S sign on X which corresponding the message P .As shown by Equation (7), Eve must know the se-cret keys K  , but K  cannot be forged.
The signature is unforgeable even by the message owner Alice who knows the messages and the corresponding signatures because of the unforgeable secret keys.

Impossibility of Disavowal by the Signatory and the Message Originator
According to Equation (7), Bob(signatory) would send S to Trent.Since S includes the keys K  , which is only known by Bob and Trent, Bob cannot disavow his signa-ture S .
Alice also cannot disavow his recieving.Because the verifier Bob who really has verified the signature cannot later deny his involvement in that his verification of the message needs the help of Trent.If he denies his involvement, Trent can confirm that he tells a lie.

Conclusions
In this paper, we present a group signature scheme based on Chinese Remainder Theorem in which participants share their own key with arbitrator while they don't communicate with other.Only when all the t participants cooperate with each other and with the message owner's and the arbitrator's assistance, the signature can be generated and verified successfully.The analysis of this scheme and show that secure signature can be derived.Moreover, by allowing the arbitrator to keep a record of all intermediate transmissions and computations, it is able to arbitrate the dispute between two users.
the signature has obviously been forged and Trent may this signature immediately.If X X   , Trent goes on for further verification.


 .When 1 = 0 and 2 = 0, the arbitrator Trent informs Alice and Bob the signature is legal and credible, otherwise he informs them that signature is invalid.O O

Figure 1 .
Figure 1.The quantum circuit for comparing  P  2. Alice sends the sequence P to Trent with superdense coding.Alice encodes p  as p   denotes the own private key of Bob  and K  is relatively prime.