Experimental quantum e-commerce

Abstract

E-commerce, a type of trading that occurs at a high frequency on the internet, requires guaranteeing the integrity, authentication, and nonrepudiation of messages through long distance. As current e-commerce schemes are vulnerable to computational attacks, quantum cryptography, ensuring information-theoretic security against adversary’s repudiation and forgery, provides a solution to this problem. However, quantum solutions generally have much lower performance compared to classical ones. Besides, when considering imperfect devices, the performance of quantum schemes exhibits a notable decline. Here, we demonstrate the whole e-commerce process of involving the signing of a contract and payment among three parties by proposing a quantum e-commerce scheme, which shows resistance of attacks from imperfect devices. Results show that with a maximum attenuation of 25 dB among participants, our scheme can achieve a signature rate of 0.82 times per second for an agreement size of approximately 0.428 megabit. This proposed scheme presents a promising solution for providing information-theoretic security for e-commerce.

Quantum e-commerce can offer information-theoretic security with the resistance of imperfect devices and privacy leakage.

INTRODUCTION

Developing algorithms and quantum attacks threaten the security of classic cryptography (1–4). Because the security of current cryptographic schemes tends to rely on computationally hard mathematical problems (5–8), information-theoretic security against unlimited computational power has been a hot topic. Quantum mechanics law is one of the approaches (9–14). Quantum key distribution (QKD), which is the most mature application field of quantum technology, offers two remote users unconditionally secure keys (9, 10). Combined with one-time pad, QKD successfully guarantees the confidentiality of messages.

Secure identification is another important application domain in the realm of the quantum internet (15), which can help guarantee the security during financial transactions. E-commerce, as an indispensable part of daily life, requires identification of the parties and nonrepudiation of the contract. A commitment among different participants is required to guarantee the validity of a transaction. The security of classical e-commerce schemes tends to be based on public-key cryptography algorithms (5–8), which is only secure assuming the limited computation power, and there lacks an effective solution to defend against external attacks. In addition, the presence of dishonest participants may render the contract invalid. Cryptography contains four main information security objectives, confidentiality, integrity, authenticity, and nonrepudiation (16). The integrity, authenticity, and nonrepudiation of messages need to be assured in an e-commerce scheme. The integration of QKD with one-time pad, only promising confidentiality for messages, fails to accomplish this task. Quantum digital signatures (QDS) can provide information-theoretic security for the last three primitives and thus is suitable for e-commerce scenarios.

QDS was proposed first at 2001 (17). The original version has many impractical experimental requirements, which made its implementation impossible with available technology. With the development in the next decade, the requirements of swap test and quantum memory are removed (18–20). Nevertheless, their security analyses were based on secure quantum channels. In 2016, two schemes were proposed independently to solve this problem (21, 22). Triggered by the two protocols and developments in QKD (23–33), many achievements have been made theoretically (34–40) and experimentally (41–48).

Previous QDS schemes are inefficient when it comes to multibit cases, and their performances are far from classical solutions. Recently, a new scheme, based on secret sharing, one-time pad, and one-time universal hashing (OTUH), has been proposed (14). This scheme can sign an arbitrarily long document with a relatively short signature, whose performance outperforms all previous protocols. Furthermore, a variant of this scheme reduces the requirements on keys (49), in which the privacy amplification steps are removed. Besides, security proof of previous schemes tends to be based on assumptions on the ideal devices, and there has been a lack of QDS schemes with the ability to solve the loopholes from imperfect devices. To enhance the robustness to imperfect devices, our key generation process (KGP) draws on the development of QKD (23, 50–63). Four-phase measurement device–independent (MDI) QKD (63) is secure against possible source flaws and outperforms other protocols in key rate, and KGP of our scheme based on this protocol retains its advantage.

Here, we present a quantum solution for e-commerce scenarios by proposing an efficient quantum e-commerce scheme based on the ideas mentioned above, which offers security advantages over classical schemes. Motivated by the OTUH scheme (14, 49) and four-phase MDI-QKD (63), our scheme is able to sign multibit documents with high efficiency while mitigating the impact of imperfect devices and thus improves the overall security and practicality of the scheme. The signature rate is only limited by the minimum key rate of KGP between different participants and merchant. Our experimental implementation on a multiuser quantum network successfully signs a 0.428-megabit (Mb) agreement 0.82 times per second with a maximum attenuation of 25 dB between a participant and a merchant. We also characterize the imperfections of the sources experimentally. Our work contributes to the further development of e-commerce in the quantum era by providing a practical and efficient solution with enhanced security.

RESULTS

Protocol description

In a classical e-commerce scenario, a third party (TP) is always required and assumed as trusted. Thus, only those with high authority can be a TP, leading to a requirement of centralized systems. Here, we propose a three-party quantum e-commerce protocol with no assumptions on TP. The only requirement is that the majority of the three parties must be honest, which is a basic requirement of all three-party protocols. In the protocol, we describe a scenario where Client buys a product from Merchant through a network, and TP is an arbiter to help finish the whole process successfully. In the network with numerous nodes, TP can be an arbitrary party because there are no assumptions on it. A decentralized system can be realized based on our proposed three-party protocol. A schematic of the quantum e-commerce protocol is shown in Fig. 1A. The step-by-step procedure is comprehensively elucidated below and shown in Fig. 1B.

Fig. 1. Illustrations depicting the process and network of quantum e-commerce.

(A) Illustration of the process of quantum e-commerce. We consider the three-party scenario where Client buys a product from Merchant. TP is introduced as an arbiter to prevent either Merchant or Client from cheating. Merchant shares two sequences of coherent quantum states with Clinet and TP, respectively. Merchant then generates the contract with all information of the e-commerce and obtains a signature through a hash function and keys distilled by his sequences. Thereafter, Merchant sends the contract and signature to Client. Client, if agreeing with the contract, will send the contract, signature, and keys distilled by his consequence to TP. TP will then send keys distilled by his own sequence back to Client. Both Client and TP independently verify the signature through their own and received keys by hash functions. Client will pay the money to TP if he verifies the signature. TP will transfer the money to Merchant if he also passes the signature. (B) Flow chart of the protocol. Details of the procedure are explained in the protocol description step by step. (C) Diagram of users in quantum networks.

(i) Distribution: Four-phase MDI-KGP is used here to generate raw keys, and the form of quantum states is ${\otimes }_{i=1}^n\mid e^{i{\mathrm{\theta }}_i}\mathrm{\alpha }\rangle$ , where θ_i is the modulated phase and ∣α∣² is the intensity of pulses. Details about KGP can be seen in Materials and Methods. Merchant prepares two sequences of coherent states ∣X₁〉 and ∣X₂〉 and keeps the phase of every state. Client also prepares a sequence ∣Y₁〉, and the TP prepares ∣Y₂〉. Through a Merchant-Client quantum channel, Merchant sends ∣X₁〉 and Client sends ∣Y₁〉 to an untrusted intermediate Eve who performs interference measurements on the received pulses with a 50:50 beam splitter (BS) and two single-photon detectors and announces the detection results m₁. Likewise, ∣X₂〉 and ∣Y₂〉 are sent to an untrusted intermediate through the Merchant-TP channel, and the detection results m₂ are announced.

(ii) Signature: To sign a contract, Merchant distills a 3n-bit key $k_1^{\mathrm{M}}$ from ∣X₁〉 and m₁. He will select states in ∣X₁〉 that successfully intervene with that in ∣Y₁〉 according to the detection results m₁. He also communicates with Client through an authenticated channel to sift the keys and lastly chooses a 3n-bit substring to form $k_1^{\mathrm{M}}$ . Likewise, Merchant distills a 3n-bit key $k_2^{\mathrm{M}}$ from ∣X₂〉 and m₂.

The keys $k_1^{\mathrm{M}}\stackrel{m_1}{⟵}|X_1\rangle$ and $k_2^{\mathrm{M}}\stackrel{m_2}{⟵}|X_2\rangle$ are used to generate the signature of the contract. The signature is generated through a universal hash function $\text{Sig}=\text{Hash} (C,k_1^{\mathrm{M}}\oplus k_2^{\mathrm{M}})$ , with a length of n-bit, where C is the contract containing all details including timestamp and the identity of Merchant and Client. The function Hash is composed of a linear feedback shift register (LFSR) Toeplitz functions. Details are shown in Materials and Methods.

(iii) Transference: Merchant sends the contract and signature {C, Sig} to Client. If Client agrees with the contract, then he distills a key $k_1^{\mathrm{C}}\stackrel{m_1}{⟵}|Y_1\rangle$ , following the rules same as that of Merchant. He then sends $\{C,\mathit{Sig},k_1^{\mathrm{C}}\}$ to TP. TP also obtains $k_2^{\mathrm{T}}\stackrel{m_2}{⟵}|Y_2\rangle$ . He will send his key $k_2^{\mathrm{T}}$ to Client after he receives $\{C,\mathit{Sig},k_1^{\mathrm{C}}\}$.

(iv) Verification and payment: Both Client and TP independently verify the signature by calculating $\text{Hash}(C,k_1^{\mathrm{C}}\oplus k_2^{\mathrm{T}})$ and comparing the result with Sig. If the result is identical to Sig, the signature is successfully passed. Client will pay the money to TP if he verifies the signature. TP, after receiving the payment, will transfer the money to Merchant if he passes the signature. Otherwise, he will return the money to Client and announce that the contract is aborted.

In the distribution step, the participants essentially share correlated and secret quantum states. The secrecy of the interpreted keys, together with one-time hashing, protects the security of the program against Client’s tampering attacks. Note that the distribution step is different from QKD. Privacy amplification is removed because secrecy leakage of keys can be tolerated in signature tasks through OTUH (49). The transference step guarantees that Client and TP obtain the same final keys. Merchant’s repudiation attacks are prevented by TP because TP will always make the correct judgment if Client is honest.

In a traditional digital payment scheme, the TP is assumed trusted and corresponding to a central authority. Previous quantum-digital authentication/payment schemes follow this centralized structure where the security is guaranteed by the trusted central authority (12). In the proposed scheme, the assumption on the third party is removed and the security is guaranteed by the majority of honest parties. Under this structure, the status of the three parties is equal, and thus, the TP can be decentralized in real implementations. Compared with classical solutions, the proposed quantum e-commerce requires additional quantum channels of Merchant-Client and Merchant-TP while providing information-theoretic security and decentralized character, thus mitigating the burden of the authority and risk of insider attacks. The proposed scheme has great potential in a future block chain payment system.

Security analysis

The proposed scheme is a three-party protocol without strong assumptions on TP. In other words, the three parties have equal status, and the final decision is made by voting principle if disagreement happens. It must be assumed that, at most, one party can be malicious. Otherwise, malicious parties can cooperate to finish the attack by controlling the voting result. In security analysis, we consider four cases: honest abort, Merchant’s repudiation attack, Client’s forgery attack, and TP’s forgery attack.

Robustness

If Merchant and Client (or TP) share different key bits after the distribution stage, the protocol will be aborted even if the users are all honest. That is, an honest run abortion occurs. In the protocol, Merchant and Client (TP) perform error correction on their final keys, with a failure probability of no more than ϵ_EC. The correctness of classical information transference is protected by classical information technology such as authenticated channels, whose failure probability is set as no more than ϵ′. The probability that Merchant and Client share different final key is no more than ϵ_EC + ϵ′, and the same for Merchant and TP. Thus, the robustness bound is ϵ_rob = 2ϵ_EC + 2ϵ′. Because ϵ′ is a parameter of classical communication, we assume it as ϵ′ = 10⁻¹⁰ in the simulation.

Repudiation

In a repudiation attack, Merchant attempts to let Client accept the contract, while TP rejects it so that he can successfully deny the contract. For Merchant’s repudiation attacks, Client and TP are both honest and symmetric and thus hold the same new key strings. They will make the same decision for the same contract and signature. Repudiation attacks succeed only when errors occur in one of the transference steps. The repudiation bound is ϵ_rep = 2ϵ′.

Forgery

In Client’s forgery attack, Client will tamper the contract and attempts to let TP accept the tampered contract forwarded to him. According to our protocol, TP accepts the contract if and only if TP obtains the same result as Sig through one-time hash functions. Actually, this is the same as an authentication scenario where Client is the attacker attempting to forge the information sent from Merchant to TP. TP also has the motivation to perform forgery attack. He may attempt to intercept the contract C and tamper the information of price in it. If Client agrees with the tampered (higher) price, then TP can earn the price difference secretly. This is the same as an authentication scenario where TP is the attacker attempting to forge the information sent from Merchant to Client. Thus, Client and TP’s forgery attacks are equivalent, and we only analyze Client’s in the following.

In the hash function, $\text{Hash}(C,k_1^{\mathrm{M}}\oplus k_2^{\mathrm{M}})$ , $k_1^{\mathrm{M}}\oplus k_2^{\mathrm{M}}$

is actually divided into three n-bit substrings. Here, we rewrite it as $k_1^{\mathrm{M}}\oplus k_2^{\mathrm{M}}=(x_2,x_3,x_4)$  to keep consistent with that in Materials and Methods. Define ${\mathscr{H}}_n$ = H_min(X∣B)_ρ as the min-entropy of X and B, where X ∈ {x₂, x₃, x₄} and B represents Client’s guessing for X. We can estimate ${\mathscr{H}}_n$ through parameters in the distribution stage. More details are shown in Materials and Methods. Then, we can bind the probability that the attacker correctly guesses X when using an optimal strategy according to the definition of min-entropy (64)

$$P_{\text{guess}}(\mathbf{X}\mid \mathbf{B})=2^{-H_{\text{min}}{(\mathbf{X}\mid \mathbf{B})}_{\mathrm{\rho }}}=2^{-{\mathscr{H}}_n}$$ (1)

Thereafter, we can obtain the failure probability of an authentication scenario where Client is the attacker attempting to forge the information sent from Merchant to TP, which is equivalent to the forgery bound in our scheme (49)

$${\mathrm{ϵ}}_{\text{for}}=m·2^{1-{\mathscr{H}}_n}$$ (2)

The number of malicious parties is no more than one, i.e., at most one of the above cases happens. Thus, the total security bound, i.e., the maximum failure probability of the protocol, is ϵ_tot = max {ϵ_rob, ϵ_rep, ϵ_for}.

From the analysis above, it is obvious that ϵ_rob and ϵ_rep are constant, while ϵ_for is determined by the parameter n. In a practical implementation, the users will select a suitable value for n so that ϵ_tot satisfies the security requirement. The signature rate of the protocol is SR = n_x/3n, where n_x is the total counts under the X basis. We remark that in the analysis we assume that the delay of classical communication is negligible and only consider the quantum rate.

Experimental demonstration

We provide a proof-of-principle demonstration of the entire process here. The scenario considered involves transactional activities between Merchant and Client, with the requirement of a TP to facilitate the purchase transaction. The network consists of two TPs, denoted as TP₁ and TP₂, and two clients, denoted as Client₁ and Client₂. As illustrated in Fig. 1C, the channel loss between the Merchant and Client is a constant value of 20 dB, whereas the channel loss between the Merchant and TP₁ is 15 dB and that between the Merchant and TP₂ is 25 dB. Note that we added single-mode optical fiber spools (G.652.D) between the Merchant and Client₂ (shown in Fig. 2). Specifically, in the Sagnac loop, the lengths of fiber spools are as follows: 2072 m (0.73 dB) between Merchant and Eve, 2013 m (0.67 dB) between Client₂ and Eve, and 1064 m (0.46 dB) between Merchant and Client₂. Additional channel attenuation is introduced through variable optical attenuators (VOAs). As there are no assumptions on TP, in practical networks, there can be multiple TPs present.

Fig. 2. Experimental setup of KGP between Merchant and Client₂.

Here, we take KGP between Merchant and Client₂ as an example. The pulses are generated by a pulsed laser with an extincation ratio of over 30 dB and then split into two pulse sequences with a 50:50 BS. The pulses entering the loop are subjected to modulation by the phase modulator (PM) operated by either Merchant or Client. Monitor module consists of a dense wavelength division multiplexing (DWDM), a BS, and a photon detector (PD). After phase modulation, these two pulses interfere in the Eve’s BS and are detected by two superconducting nanowire single-photon detectors D₁ and D₂. Both the connections between Merchant and Eve and Client and Eve involve 2 km of optical fiber, and the total attenuation is 20 dB, achieved through VOA. Besides, there is an insertion of 1 km of optical fiber between Merchant and Client₂. Cir, circulator; PC, polarization controller.

The signature process requires key generation and distribution between Merchant-Client and Merchant-TP, which is facilitated by KGP. In this work, we consider the KGP based on four-phase MDI-QKD (63), which remains robust against imperfect devices. The system’s source flaws are characterized before KGP, including optical power fluctuation, extinction ratio of polarization, phase shift, and pattern effects, and are quantified through a detailed measurement process outlined in the Supplementary Materials. The keys used for signature are generated in a plug-and-play system (26, 63), and the global phase of pulses is stabilized by a Sagnac loop. We take KGP between Merchant and Client₂ as an example. Note that the experimental setups for KGP of other groups are similar to this one, with the difference being the removal of the optical fibers and polarization controllers in participants’ sites.

As depicted in Fig. 2, optical pulses modulated by users are generated by an untrusted TP, Eve, and the pulses are separated into two identical pulses. Merchant (Client₂) modulates the clockwise (anticlockwise) pulses. The probability of selecting X basis p_x is 90% and that of Y basis p_y is 10%. They encode the pulses according to the values of logic bits. After appropriate attenuation, quantum states ∣e^iθα〉 are successfully generated, where θ is the phase modulated by two participants, and the intensity of the pulse is ∣α∣². The use of the Sagnac loop has helped to solve the problem of phase locking, but it has also introduced security concerns due to the possibility of pulses generated by a TP. Therefore, a monitoring module has been added to the participant side to filter and monitor the intensity of the incident pulses, aiming to enhance the security of the system. Because of resource limitations, we did not include dense wavelength division multiplexings in the system and instead opted to replace the photon detectors with power meters during implementation. We would like to emphasize that these modifications have little impact on the results.

Two VOAs are placed between Merchant and Eve and between Client₂ and Eve, respectively, to simulate the additional attenuation caused by the communication channels. After interference at Eve’s BS, the results are detected by D₁ and D₂. The time window is selected on the basis of detection data, whose length is 2 ns. The detection efficiency η_d1 of D₁ is 84.4%, and the dark count rate p_d1 is 4.4 Hz. For D₂, the detection efficiency η_d2 is 85.5%, and the dark count rate p_d2 is 2.5 Hz. After error correction, Merchant gets $k_1^{\mathrm{M}}$ , and Client gets $k_1^{\mathrm{C}}$ . The same is for Merchant and TP, where Merchant gets $k_2^{\mathrm{M}}$ and TP gets $k_2^{\mathrm{T}}$.

For demonstration, we sign a file with a size of 0.428 Mb, which is approximately the size of Amazon Web Services Customer Agreement (428,072 bits) (65). Merchant generates the signature Sig by $\text{Hash}(C,k_1^{\mathrm{M}}\oplus k_2^{\mathrm{M}})$ and sends it and contract to Client. If Client agrees with the contract, then she (or he) will forward {Sig, $k_1^{\mathrm{C}}$ } to TP. LFSR-based Toeplitz function is used, and a detailed description can be seen in Materials and Methods. Upon receiving the signature and contract, TP sends his key $k_2^{\mathrm{T}}$ to Client. Then, Client and TP verify the signature independently by comparing the result of $\text{Hash}(C,k_1^{\mathrm{C}}\oplus k_2^{\mathrm{T}})$

to Sig. If the signature is successfully verified by both parties, Client will send money to TP, who will in turn pay the Merchant. Otherwise, the contract will be aborted.

Experimental results

Before KGP, we need to characterize the relative parameters corresponding to source flaws of this system. Similar to (63), we denote optical power fluctuation, phase shift, extinction ratio of polarization, and pattern effect ξ, δ, tanθ, and ψ, respectively. Note that although Trojan horse attacks (THAs) can be resisted in the schemes of two independent users, they cannot be resisted in the plug-and-play system, and we set the parameter of THAs to μ = 10⁻⁷ (66). Results are shown in Table 1.

Table 1. Four parameters related to the imperfection of realistic sources.

The parameters included the optical power fluctuation ξ, phase shift δ, the extinction ratio of polarization tanθ, pattern effect ψ, and THAs μ. Note that THAs cannot be quantified during our implementation, and we set it to a typical value 10⁻⁷ (66).

	ξ	δ	tanθ	ψ
Merchant - TP1	0.76%	0.038	10−2.92	5.58 × 10−3
Merchant - Client1	0.72%	0.035	10−3	5.89 × 10−3
Merchant - TP2	0.62%	0.035	10−2.98	6.91 × 10−3
Merchant - Client2	0.65%	0.037	10−3.07	7.35 × 10−3

The channel loss between Merchant and Client is fixed at 20 dB. The channel loss between Merchant and TP is set to two scenarios: 15 and 25 dB. During KGP, the system frequency is 100 MHz, and for each pair of participants, the system operates for 100 s. Signature rate under different losses (without fiber spools) is shown in Fig. 3A. As a proof-of-principle demonstration, we conducted KGP among different participants within a system. Sagnac loop in the system is used for stabilizing the global phase between two participants, and the bit error rate can be kept around 0.10%. In the scenario where the total length of optical fibers within the loop is approximately 5 km, the bit error rate can still be maintained at around 0.70%. Detailed data are shown in Table 2. Because of the consideration of imperfect sources, the increasing rate of phase error rate is higher compared to protocols of the same type. For Client₁, when signing a 0.428-Mb size document, if TP₁ is chosen as the TP, the key formed within 100 s can be used for signing 1183 times, while if TP₂ is chosen, the number of signature times is 82. Because of the lower signature rate in the case of selecting TP₂ (25 dB), for Client₂, the number of signature times remains at 82 when choosing TP₂. As shown in Fig. 3B, for the same key generation rate, a higher security level implies a smaller signing file size. There exists a trade-off between the security level and the size of the signed file. Besides, a minor increase in the signature key length can result in a substantial increase in the size of the signed files, which demonstrates its ability to sign multibit files. The signature rates of the three-party system are limited by the minimum key rate of KGP among the three parties. In practical scenarios, participants can store the keys in advance to reduce the time required for signature generation.

Fig. 3. Results of demonstration.

(A) Signature rate R under different losses. The total number of pulses sent is 10¹⁰. (B) The relationship between security level and different sizes of files with a key of the same length. The boundary line represents the scenario where the generation rate of keys per second is sufficient to sign a 0.428-Mb file at a security level of 5 × 10⁻¹⁰ 10 times with the same error rate under a 20-dB attenuation. In our implementation, a 0.428-Mb document can be signed 11.83 times while maintaining the 5 × 10⁻¹⁰ security level. Furthermore, with the keys generated within 1 s, a document of 0.102-terabit can be signed 10 times at a security level of 4 × 10⁻¹⁰ (ϵ_rob = 4 × 10⁻¹⁰).

Table 2. Summary of experimental data.

We tested the signature rate between different users. The number of total pulses sent is N = 10¹⁰. The intensity of pulses μ, the experimental bit error rate under X basis and Y basis $E_b^x$ and $E_b^y$ , the total number of leaked bits of information during error correction leak_EC, and signature rate SR are included in the table.

Participants	μ	${\mathit{E}}_{\mathit{b}}^{\mathit{x}}$	${\mathit{E}}_{\mathit{b}}^{\mathit{y}}$	${\mathit{E}}_{\mathit{p}}$	LeakEC	SR
Merchant - TP1	7.40 × 10−3	0.10%	0.07%	23.0%	185,875	60.10
Merchant - Client1	4.20 × 10−3	0.10%	0.06%	28.0%	59,209	11.83
Merchant - TP2	2.30 × 10−3	0.10%	0.10%	37.3%	18,129	0.82
Merchant - Client2	2.40 × 10−3	0.69%	0.55%	25.6%	168,844	4.47

DISCUSSION

We demonstrate the whole process of quantum e-commerce, which guarantees the one-time of purchase with information-theoretic security. As the length of the signature increases, the probability of cheating approaches zero. The QDS scheme can complete multiple contract signatures within 1 s, further narrowing the gap between quantum and classical schemes.

We have considered a real-world scenario where Merchant and Client need to carry out a transaction and establish a consensus to complete it. TP is introduced to finish the process. Unlike the classical setup where TPs are usually considered trustworthy by default, there are no assumptions on TP. We take the Amazon Web Services Customer Agreement (65) with the size of 428,072 bits and demonstrate the underlying principles of the process. Note that the size of the contract affects the final performance instead of the content. The signature rates of the system are limited by the minimum key rate of KGP among the three parties. Consequently, for Client₁, the signature rate of a 0.428-Mb document can reach 11.83 times/s when choosing TP₁ and 0.82 times/s with TP₂, and for Client₂, the signature rate can reach 4.47 times/s when choosing TP₁ and 0.82 times/s with TP₂.

The proposed quantum e-commerce scheme, using QDS, offers a solution for ensuring message authenticity and integrity in the presence of imperfect keys and devices. The elimination of privacy amplification reduces the computational resources and running time of postprocessing. Furthermore, a thorough experimental characterization of source flaws in the scheme is conducted. This feature distinguishes our scheme as a practical solution for addressing the issue of imperfect keys and devices in the field of quantum communication. The proposed scheme also demonstrates robustness against security levels and finite-size effects, making it highly compatible with future quantum networks and suitable for a variety of applications.

In summary, the proposed scheme can accomplish the task of e-commerce with practical devices and outperforms other quantum protocols. We have validated the effectiveness of our scheme through the demonstration of an e-commerce scenario, involving a transaction between Merchant and Client that required a consensus to complete. It presents a promising approach to ensuring message authenticity and integrity in the presence of imperfect keys and devices.

MATERIALS AND METHODS

We characterized the expression for basis-dependent states using our protocol. First, an ideal scenario is presented. Then, we discuss how to jointly consider different realistic source flaws (SPFs, side channels, THAs, and state correlations) to describe the basis-dependent states.

Four-phase MDI-KGP between Merchant and Client

During implementation, Merchant, Client, and TP send their quantum states to the intermediates who perform interference measurements on the received pulses and announce the outcomes. These three parties will later distill their keys through their quantum states, and measurement results are announced by the intermediates. This process, in detail, is equivalent to four-phase MDI-KGP between Merchant and Client and between Merchant and TP. Here, we give a brief introduction to four-phase MDI-KGP in Merchant-Client channel to show the details of steps 1 to 3 in the protocol description.

1) Preparation. Both of Merchant and Client randomly choose the X and Y bases with probabilities p_x (0 < p_x < 1) and p_y = 1 − p_x, respectively. For X basis, Merchant encodes a coherent state $\mid e^{i{k}_x^M\mathrm{\pi }}\mathrm{\alpha }\rangle$ with the logic bit $k_x^M\in \{0,1\}$ , where ∣α∣² is the intensity of the optical pulse. For Y basis, Merchant prepares a coherent state $\mid e^{i(k_y^M+\frac{1}{2})\mathrm{\pi }}\mathrm{\alpha }\rangle$ according to random logic bit $k_y^M\in \{0,1\}$ . Client prepares his own state $\mid e^{i{k}_x^C\mathrm{\pi }}\mathrm{\alpha }\rangle$ or $\mid e^{i(k_y^C+\frac{1}{2})\mathrm{\pi }}\mathrm{\alpha }\rangle$ according to the same rule. Then, Merchant and Client send their optical pulses to an untrusted relay, Eve, through insecure quantum channels.

2) Measurement. Eve performs interference measurements on the received pulses with a 50:50 BS and two single-photon detectors, denoted as D₁ and D₂, and records the detection results. Those where one and only one detector clicks are defined as an effective measurement.

3) Sifting. Merchant and Client repeat steps 1 and 2 for N times. $\mid X_1⟩={\otimes }_{i=1}^N|i⟩,|i⟩\in \{\mid e^{i{k}_x^M\mathrm{\pi }}\mathrm{\alpha }⟩,\mid e^{i(k_y^M+\frac{1}{2})\mathrm{\pi }}\mathrm{\alpha }⟩\}$ is all Merchant’s states in direct product state. Likewise, $\mid Y_1⟩=\mid Y_1⟩={\otimes }_{j=1}^N|j⟩,|j⟩\in \{\mid e^{i{k}_x^C\mathrm{\pi }}\mathrm{\alpha }⟩,\mid e^{i(k_y^C+\frac{1}{2})\mathrm{\pi }}\mathrm{\alpha }⟩\}$ is all Client’s states in direct product state. Eve announces the location of all effective measurements and which detector (D₁ or D₂) clicks. For every effective measurement announced by Eve, if D2 clicks, Client will flip his corresponding logic bit ( $k_x^C$ or $k_y^C$ ). Merchant and Client will only keep their logical bits of effective measurements and discard other bits. Then, they disclose their basis choices for effective measurements through authenticated classical channels and further classify their key bits with basis information.

4) Parameter estimation. Merchant and Client publicize all their bits in the Y basis to calculate the bit error rate $E_b^y$ and also obtain the number of counts n_x and n_y under X and Y bases, respectively.

5) Key distillation. Merchant and Client perform error correction on the remaining keys under the X basis with ε_cor-correctness to obtain the final keys.

Merchant then randomly disturbs the orders of his final key string and publicizes the new order to Client through authenticated channels. Subsequently, Client changes the orders of his key strings according to the order announced by Merchant. Last, Merchant and Client divide their final keys into 3n-bit strings, each of which is used to sign a message. Each of $k_1^{\mathrm{M}}$ , $k_2^{\mathrm{M}}$ , $k_1^{\mathrm{C}}$ , and $k_2^{\mathrm{T}}$ is one string.

LFSR-based Toeplitz hash functions

In the protocol, we use universal hash functions to generate the signature. Concretely, we choose LFSR-based Toeplitz hash function. In the description of the proposed scheme, we combine the process of exclusive OR (XOR) encryption on hash value into the hash function and express it as Hash(C, k) for simplicity. To show details of this function, we rewrite is as Hash(C, k) = Hash(x₁, x₂, x₃, x₄), where C = x₁ ∈ {0, 1}^∣C∣ corresponds to the contract and k = (x₂, x₃, x₄) ∈ {0, 1}³ⁿ corresponds to keys in step 2 of the protocol. The lengths of (x₂, x₃, x₄) are all n-bit. Denote the length of x₁ as m, i.e., ∣C∣ = m. Then

$$\text{Hash}({\mathbf{x}}_1,{\mathbf{x}}_2,{\mathbf{x}}_3,{\mathbf{x}}_4)={\mathbf{H}}_{nm}·{\mathbf{x}}_1\mathbf{}\oplus {\mathbf{x}}_4$$ (3)

where H_nm = f(x₂, x₃) is a LFSR-based Toeplitz matrix determined by x₂ and x₃. The random string x₂ maps a random irreducible polynomial p(x) = xⁿ + p_n−1xⁿ⁻¹ +…+ p₁x + p₀ in Galois Field (2) [GF(2)] of order n that decide the structure of LFSR. Details of generating a random irreducible polynomial can be found in the Supplementary Materials. Another random string x₃ = (a_n, a_n−1, …, a₂, a₁)^T, a_i ∈ {0, 1} is the initial state. LFSR will expand the initial state into a matrix H_nm with n rows and m columns. The structure of LFSR can be represented as an n × n matrix

$$\mathbf{W}=\left(\begin{array}{ccccc}{p}_{n-1}& p_{n-2}& \dots & p_1& p_0\\ 1& 0& \dots & 0& 0\\ 0& 1& \dots & 0& 0\\ \dots & \dots & \dots & \dots & \dots \\ 0& 0& \dots & 1& 0\end{array}\right)$$

The structure of LFSR-based Toeplitz matrix can be represented through W as H_nm = (x₃, Wx₃, …, W^m−1x₃) (67).

Calculation details

Here, we give an introduction to the calculation details of KGP used in the scheme. According to (63), only key bits under the X basis are used to form secure key bits. Because the privacy amplification step is removed in our scheme, the total unknown information of the l-bit string such as x_i, i ∈ {2,3,4} in LFSR-based Toeplitz hash functions considering finite-key effect is given by

$${\mathscr{H}}_n=l·[1-H({\overline{E}}_p^l)-\frac{1}{n_x}\text{lea}{\mathrm{k}}_{\text{EC}}-\frac{1}{n_x}\text{lo}{\mathrm{g}}_2\frac{2}{{\mathrm{ϵ}}_{\text{EC}}}]$$ (5)

where n_x is the total counts under the X basis. ${\overline{E}}_p^n$ is the upper bound of the phase error rate of all counts in an n-bit string. $\text{Lea}{\mathrm{k}}_{\text{EC}}=n_x\mathit{fH}(E_b^x)$ is the number of leaked bits of information during the error correction, where f is the error correction efficiency, and $E_b^{\mathrm{x}}$ is the bit error rate in X basis. $H(x)=-x{\text{log}}_{2}x-(1-x){\text{log}}_2(1-x)$ is the binary Shannon entropy function. ${\overline{E}}_p^l$ can be given by

$${\overline{E}}_p^l={\overline{E}}_p+{\mathrm{\gamma }}^U(l,n_x-n,E_p,\mathrm{ϵ})$$

where ${\mathrm{\gamma }}^U(l,k,\mathrm{\lambda },\mathrm{ϵ})=\frac{\frac{(1-2\mathrm{\lambda })\mathit{AG}}{l+k}+\sqrt{\frac{A^2{G}^2}{{(l+k)}^2}+4\mathrm{\lambda }(1-\mathrm{\lambda })G}}{2+2\frac{A^{2}G}{{(l+k)}^2}}$ represents the statistical fluctuation of the random sampling without replacement, with A = max {l, k} and $G=\frac{l+k}{\mathit{lk}}\text{ln}\frac{l+k}{2\mathrm{\pi }\mathit{lk}\mathrm{\lambda }(1-\mathrm{\lambda }){\mathrm{ϵ}}^2}$ (68), and ${\overline{E}}_p$ is the upper bound of phase error rate. E_p satisfies the following inequality (63, 69)

$$1-2\mathrm{\Delta }\le \sqrt{E_b^y{E}_p}+\sqrt{(1-E_b^y)(1-E_p)}$$ (7)

where Δ quantifies the imbalance of Alice’s and Bob’s quantum coins according to their basis selection. $E_b^y$ represents the bit error rate in the Y basis. In the symmetric scenario, the relation between Δ and fidelity can be simplified as (70)

$$1-2Q\mathrm{\Delta }=\text{Ma}{\mathrm{x}}_{{\mathrm{\delta }}_{\mathrm{\theta }},{\mathrm{\delta }}_{\mathrm{X}},{\mathrm{\delta }}_{\mathrm{Y}}}\mathit{\text{Re}}(e^{i{\mathrm{\delta }}_{\mathrm{\theta }}}\langle {\mathrm{\Psi }}_{Y,{\mathrm{\delta }}_Y}\mid {\mathrm{\Psi }}_{X,{\mathrm{\delta }}_{\mathrm{X}}}\rangle )\mid \langle {\mathrm{\Psi }}_Y\mid {\mathrm{\Psi }}_X\rangle \mid$$

where Q is the gain and δ_θ, δ_X, and δ_Y are free variables, the values of which range from 0 to 2π. Besides, ∣Ψ_Z,δZ⟩ is $(\mid 0_Z\rangle \mid {\mathrm{\Psi }}_{0\mathrm{Z}}\rangle +\mid 1_Z\rangle \mid {\mathrm{\Psi }}_{1\mathrm{Z}}\rangle )/\sqrt{2}$ . ∣Ψ_iZ⟩ means that the state is prepared under the Z basis (Z ∈ {X, Y}) with the bit value i (i ∈ {1,0}). The fidelity with imperfect sources can be expressed as

$$\begin{array}{cc}\hfill \langle {\mathrm{\Psi }}_X\mid {\mathrm{\Psi }}_Y\rangle =& \frac{1}{4}(1-\in )e^{-\mathrm{\mu }}{\text{cos}}^2\mathrm{\theta }[(1-\mathrm{i})\langle \mathrm{\alpha }\prime \mid {\text{ie}}^{i\mathrm{\delta }}\mathrm{\alpha }\prime \rangle \hfill \\ & +(1-\mathrm{i})\langle -e^{i\mathrm{\delta }}\mathrm{\alpha }\prime \mid {\text{ie}}^{i\mathrm{\delta }}\mathrm{\alpha }\prime \rangle \hfill \\ & +(1-\mathrm{i})\langle \mathrm{\alpha }\prime \mid {\text{ie}}^{i\mathrm{\delta }}\mathrm{\alpha }\prime \rangle \hfill \\ & +(1-\mathrm{i})\langle -e^{i\mathrm{\delta }}\mathrm{\alpha }\prime \mid {\text{ie}}^{i\mathrm{\delta }}\mathrm{\alpha }\prime \rangle ]\hfill \end{array}$$ (8)

where ϵ, μ, θ, and δ represent pulse correlations, THAs, side channels in the polarization space, and phase shift, respectively. Note that α′ is the actual intensity of pulses. According to the formulas above, we can get Δ.

Considering the finite key effect, we use the bound of the concentration inequality (63, 71) to derive the upper bound of E_p. The inequality is

$${\mathrm{\Lambda }}_n\le {\displaystyle \sum _{u=1}^n}\text{Pr}({\mathrm{\xi }}_u=1\mid {\mathrm{\xi }}_1,\dots ,{\mathrm{\xi }}_{u-1})+{\mathrm{\Delta }}_n$$ (9)

where ξ₁, …, ξ_n is a sequence of Bernoulli random variables and ${\mathrm{\Lambda }}_n={\sum }_{u=1}^n‍{\mathrm{\xi }}_u$ . ${\mathrm{\Delta }}_n=\sqrt{\frac{1}{2}\mathit{nln}{\mathrm{ϵ}}_F^{-1}}$ , where ϵ_F is the failure probability. $m_y=n_y{E}_b^y$ is the number of bit errors in the Y basis, and the upper bound of the expectation value $m_y^{*}$ is m_y + Δ_ny. Thus, ${E_b^y}^{*}=m_y^{*}/n_y$ and then $E_p^{*}$ can be calculated according to Eq. 7. Therefore, $m_p^{*}=n_x{E}_p^{*}$ . Then, estimate the upper bound ${\overline{m}}_x$ through the concentration inequality. ${\overline{E}}_p$ can be naturally calculated with ${\overline{E}}_p={\overline{m}}_p/n_x$ . We set all failure probabilities ${\mathrm{ϵ}}_{\text{EC}}=\overline{\mathrm{ϵ}}={\mathrm{ϵ}}_F=10^{-10}$ during calculation. Parameter n is optimized with the constraint that ϵ_tot ≤ 5 × 10⁻¹⁰.

Error correction algorithm

In our implementation, the error correction algorithm is used to ensure that the keys generated by both parties through the KGP process are completely identical, and the algorithm we use is Cascade algorithm (72). The block size for each error correction is set to 1 M, and the size of the remaining keys is smaller than 1 M and these keys are corrected together. The detailed process is presented as follows:

1) Alice and Bob randomly permute the original keys based on a preagreed random sequence and record the permutation information.

2) The permuted keys are divided into different segments of a fixed length. We set the length 600.

3) The parity check codes for each segment are computed, and both parties compare them over a publicly authenticated channel.

4) For segments with consistent parity check codes, no further processing is performed. For segments with different codes, error correction is performed using binary search.

5) When the iteration number is greater than 1, based on the recorded random permutation information from the previous round, the position of the key belonging to the error bit can be identified. Because in the previous round, all segments have the same parity check code, indicating either no errors or an even number of errors, if an error bit is discovered in this round, another error bit can be found. Another error bit is found using a binary search algorithm. This process continues until no further error bits can be found.

6) The above steps are repeated until the parity check codes for all segments are completely identical.

During implementation, we do not aim for optimal error correction performance, and the number of iterations is limited to a maximum of three. The error correction efficiency f is not more than 1.13 during our implementation.

Supplementary Materials

This PDF file includes:

Supplementary Text

Figs. S1 and S2

Tables S1 to S4

References