Chen Zengbing-Yin Hualei's group at Nanjing University achieves the world's first fully functional quantum security network

Recently, the Chen Zengbing-Yin Hualei group at the School of Physics, State Key Laboratory of Solid State Microstructure Physics, and Collaborative Innovation Center of Artificial Microstructure Science and Technology of Nanjing University, in collaboration with Matrix Time Digital Technology Co., Ltd. has made an important breakthrough in quantum security technology by successfully transmitting megabit images non-repudiation based on asymmetric quantum cryptography for the first time at a distance of over 100 km. The group creatively proposed "one-at-a-time hashing", which combines the asymmetric feature of secret sharing and the "one-at-a-time" encryption principle to construct a commercially available quantum digital signature framework. For example, the framework can improve the signature rate by hundreds of millions of times by signing a megabit document. The practical quantum digital signature protocol consumes only a few hundred bits of asymmetric quantum key to achieve an information-theoretic secure digital signature for almost any length of file, thus ensuring the authenticity, integrity and non-repudiation of the file transmission. At the same time, the quantum digital signature framework is compatible with various quantum secret sharing and quantum key distribution protocols.

Based on this, the team experimentally demonstrates the world's first fully functional quantum security network, which realizes the full elements of information security - confidentiality, authenticity, integrity and non-repudiation - protection, and provides a technically complete digital economy, digital currency, etc. The research results are presented in the "Experimental Quantum Security Base. The research results were published online in National Science Review [DOI: 10.1093/nsr/nwac228, 2022] under the title "Experimental quantum secure network with digital signatures and encryption".

The first author of the paper is Associate Professor Yin Hualei of Nanjing University, and the corresponding authors are Associate Professor Yin Hualei and Dr. Fu Yao of Nanjing University and Professor Chen Zengbing of Nanjing University. This research work was supported by the Natural Science Foundation of Jiangsu Province, the Central Universities Basic Research Business Fund, and the Key Research and Development Program of Nanjing Jiangbei New District.

Cryptography can protect the four basic elements of information security: confidentiality, authenticity, integrity and non-repudiation. Encryption and digital signature are the two pillars of modern cryptography, where encryption ensures the confidentiality of message transmission; digital signature ensures the authenticity, integrity and non-repudiation of message transmission. As such, encryption and digital signatures are the cornerstones of current Internet security, supporting the trillions of dollars per year that keep the digital economy running securely and efficiently. Among them, digital signatures are widely used in e-commerce, payment, email and web browsing, which are closely related to the life of the general public. Take e-commerce as an example, every year Double Eleven is an annual event in China's e-commerce industry, with hundreds of millions of users spending money through Taobao, Jingdong, Jindo and other shopping malls. Only by ensuring the authenticity, integrity and non-repudiation of the order information and payment records in each transaction can users and merchants conduct e-commerce activities with confidence. How to ensure the security of the orders that are constantly generated? Alipay's payment process uses a digital signature algorithm based on a public key encryption system to ensure security, as shown in Figure 1. The merchant and Alipay each generate a pair of public and private keys, and the merchant's public and private keys are used to sign and verify the payment order, while Alipay's public and private keys are used to sign and verify the payment information. With the advent of the era of quantum computing, encryption and digital signature based on public key cryptography are insecure under quantum computing attacks, and there are huge security risks.

As early as 1949, Shannon used information theory to prove that the "one-at-a-time" encryption algorithm could achieve information-theoretic security (perfect secrecy). The so-called "one-at-a-time" encryption algorithm needs to satisfy two characteristics: the key must be greater than or equal to the length of the message and be a true random number, and each key can only be used once and then discarded. In order to achieve "one-at-a-time" encryption, one needs to continuously generate true random numbers and share them securely between two communicating users. Based on the basic principles of quantum mechanics, quantum key distribution ensures that a completely private random key is shared between two communicating users. The combination of quantum key distribution and "one-at-a-time" encryption ensures that the transmitted message is confidential and informationally secure. After nearly 40 years of development since the first quantum key distribution (BB84) protocol was proposed in 1984, quantum key distribution systems have developed rapidly in terms of high security, high code rate, miniaturization and networking, and have become productized and standardized. Quantum confidentiality communication has been playing an important role in several institutions and sectors at home and abroad, for example, the integrated quantum confidentiality communication network between heaven and earth based on the Beijing-Shanghai quantum backbone and the Mozi quantum satellite has realized the confidential intercontinental video call between the Chinese Academy of Sciences and the Austrian Academy of Sciences.

However, current quantum-secure communications use symmetric encryption, which can only meet the confidentiality requirements and cannot meet the asymmetric encryption requirements needed for non-repudiation. For this reason, the development of quantum digital signatures based on the principles of quantum mechanics is a natural choice. The possibility of quantum digital signatures, referred to as the GC01 signature protocol, was first explored by D. Gottesman at the University of California, Berkeley, and I. L. Chuang at the Massachusetts Institute of Technology, back in 2001. Starting from the framework of L. B. Lamport's (Turing Award winner) one-time classical digital signature scheme, they accomplished digital signatures by constructing quantum one-way functions, which provided a research paradigm for subsequent quantum digital signature protocols. However, the GC01 signature protocol requires, on the one hand, demanding techniques that far exceed current experimental conditions, including the preparation and transmission of complex high-dimensional single-photon fingerprint states, ultra-high-dimensional exchange operations, and long-lived quantum storage; on the other hand, it requires the assumption of quantum channel security that contradicts the nature of security (note: quantum channel insecurity is a prerequisite for quantum cryptography research). In 2014, a multinational European collaboration evaded the technical requirements for long-lived quantum storage based on the removal of high-dimensional single-photon fingerprint states and ultra-high-dimensional exchange operations [Phys. Rev. Lett. 112, 040502 (2014); Phys. Rev. Lett. 113, 040502 (2014)]. 2016, Chinese Yin, Hualei et al [Phys. Rev. A 93, 032316 (2016)] and R. Amiri et al [Phys. Rev. A 93, 032325 (2016)] from the UK proposed the first information-theoretically secure quantum digital signature scheme using non-orthogonal and orthogonal coding approaches, respectively, from the underlying theory related to quantum cryptography development. Subsequently, a lot of research has been conducted by multinational scholars on the theoretical and experimental aspects of quantum digital signatures. However, all quantum digital signatures obey the research paradigm of GC01, i.e., signatures are generated by quantum one-way functions, and only single-bit messages can be signed at a time. For the long message case, it is necessary to sign bit by bit after inserting a specific sequence in the message. Therefore, the efficiency of current quantum digital signature schemes in practical scenarios is extremely low and far from meeting the practical requirements.

Figure 2. Flow chart of quantum digital signature for "120th anniversary of Nanjing University"

In the National Science Review paper, the joint Nanjing University-Matrix Time team abandoned the GC01 signature paradigm and constructed a new paradigm for quantum digital signatures. The work uses a universal hash function (Universal hash) to map arbitrarily long messages to digests containing only a few hundred bits, which has a provable theoretical upper bound on the collision probability and is strongly collision-resistant, a property that is an essential requirement for an ideal hash function.

The authors cleverly construct the asymmetric quantum key relationship and message exchange sequence among the signature sender, receiver and verifier, which organically combine the asymmetric properties of "one hash at a time", secret sharing and the cryptographic properties of "one secret at a time" encryption principle. The digital signature with information-theoretic security is realized by combining the cryptographic features of "one-at-a-time hashing", secret sharing and "one-at-a-time encryption". As shown in Figure 2, the full-domain hash function is determined by the quantum key (called quantum private key) and quantum random number of the sender, and the signature is generated by the message through the action of the hash function and then the output digest is encrypted by one-at-a-time encryption. This approach ensures that the signature string does not reveal any information about the quantum private key and the full domain hash function. The quantum keys of the three parties satisfy a perfect secret sharing relationship to ensure the asymmetric characteristics of the receiver and the signer. The receiver can only obtain the complete quantum private key and the full domain hash function information of the signer with the help of the verifier's quantum key after he/she declares to the verifier that he/she has received the signature and forwards the message, the signature and his/her quantum key (called quantum public key) together to the verifier. The strong collision resistance of the full-domain hash function prevents the receiver from tampering with the signed message in advance. At the same time, the receiver and the verifier obtain the signer's quantum private key and full domain hash function by exchanging their respective quantum keys to achieve symmetry, and then complete the hash verification, so the signer cannot make the receiver and the verifier disagree and cannot perform repudiation attacks. The "one hash at a time" and "one secret at a time" guarantee that the quantum private key and the global hash function of each signature are independent of the previous and next rounds, which protects the security of any multiple rounds of signatures in practical scenarios. The article calculates that, with each signature consuming 384 bits of asymmetric key, it is possible to use a signature of length up to264=16E(E=G2) bit messages are signed with a failure probability of no more than10-9

Figure 3. Megabit image non-repudiation transmission over 100 km

As shown in Figure 3, the joint Nanjing University-Matrix Time team constructs a quantum communication network based on the decoy state BB84 quantum key distribution to generate quantum keys on the Alice-Bob and Alice-Charlie links of 101 km and 126 km, respectively. The signing party Alice forms an asymmetric quantum key relationship secretly shared by the three parties through a heterodyne operation, resulting in a quantum digital signature demonstration for 130,250 bytes of images.

The experimental results show that the work possesses an 8-9 order of magnitude advantage in signature rate relative to previous quantum digital signature schemes, which is significantly superior to practicality. In addition, the joint Nanjing University-Matrix Time team has built a fully functional quantum security network based on the quantum digital signature experiment and demonstrated three other cryptographic tasks in the network: encryption, secret sharing and conference key negotiation. The work theoretically achieves a paradigm breakthrough in quantum digital signatures, improving the efficiency of signatures hundreds of millions of times; experimentally demonstrates the world's first full-featured quantum security network, achieving the full elements of information security for data - confidentiality, authenticity, integrity, and non-repudiation - and The full-featured protection of all elements of data information security - confidentiality, authenticity, integrity and non-repudiation - was demonstrated. The collection of quantum cryptography technologies that protect all security elements of information constitutes a "quantum security toolbox" that will become an unbreakable and technologically complete security base in the digital economy. Therefore, the publication of this work means that the joint Nanjing University-Matrix Time team is the first research team in the world to master all the technical capabilities of the quantum security toolbox. Based on the quantum security toolbox technology, the currently established metropolitan, intercity and satellite-terrestrial quantum confidentiality communication networks at home and abroad can be immediately upgraded to a quantum security network that simultaneously achieves full functional protection of data confidentiality, authenticity, integrity and non-repudiation.

Link to paper：

https://academic.oup.com/nsr/advance-article/doi/10.1093/nsr/nwac228/6769862