Can you sign a quantum state?

Cryptography with quantum states exhibits a number of surprising and counterintuitive features. In a 2002 work, Barnum et al. argued informally that these strange features should imply that digital signatures for quantum states are impossible (Barnum et al., FOCS 2002). In this work, we perform the first rigorous study of the problem of signing quantum states. We first show that the intuition of Barnum et al. was correct, by proving an impossibility result which rules out even very weak forms of signing quantum states. Essentially, we show that any non-trivial combination of correctness and security requirements results in negligible security. This rules out all quantum signature schemes except those which simply measure the state and then sign the outcome using a classical scheme. In other words, only classical signature schemes exist. We then show a positive result: it is possible to sign quantum states, provided that they are also encrypted with the public key of the intended recipient. Following classical nomenclature, we call this notion quantum signcryption. Classically, signcryption is only interesting if it provides superior efficiency to simultaneous encryption and signing. Our results imply that, quantumly, it is far more interesting: by the laws of quantum mechanics, it is the only signing method available. We develop security definitions for quantum signcryption, ranging from a simple one-time two-user setting, to a chosen-ciphertext-secure many-time multi-user setting. We also give secure constructions based on post-quantum public-key primitives. Along the way, we show that a natural hybrid method of combining classical and quantum schemes can be used to "upgrade" a secure classical scheme to the fully-quantum setting, in a wide range of cryptographic settings including signcryption, authenticated encryption, and chosen-ciphertext security

Quantum Tokens for Digital Signatures

The fisherman caught a quantum fish. "Fisherman, please let me go", begged the fish, "and I will grant you three wishes". The fisherman agreed. The fish gave the fisherman a quantum computer, three quantum signing tokens and his classical public key. The fish explained: "to sign your three wishes, use the tokenized signature scheme on this quantum computer, then show your valid signature to the king, who owes me a favor". The fisherman used one of the signing tokens to sign the document "give me a castle!" and rushed to the palace. The king executed the classical verification algorithm using the fish's public key, and since it was valid, the king complied. The fisherman's wife wanted to sign ten wishes using their two remaining signing tokens. The fisherman did not want to cheat, and secretly sailed to meet the fish. "Fish, my wife wants to sign ten more wishes". But the fish was not worried: "I have learned quantum cryptography following the previous story (The Fisherman and His Wife by the brothers Grimm). The quantum tokens are consumed during the signing. Your polynomial wife cannot even sign four wishes using the three signing tokens I gave you". "How does it work?" wondered the fisherman. "Have you heard of quantum money? These are quantum states which can be easily verified but are hard to copy. This tokenized quantum signature scheme extends Aaronson and Christiano's quantum money scheme, which is why the signing tokens cannot be copied". "Does your scheme have additional fancy properties?" the fisherman asked. "Yes, the scheme has other security guarantees: revocability, testability and everlasting security. Furthermore, if you're at sea and your quantum phone has only classical reception, you can use this scheme to transfer the value of the quantum money to shore", said the fish, and swam away.Comment: Added illustration of the abstract to the ancillary file

Can you sign a quantum state?

Cryptography with quantum states exhibits a number of surprising and counter-intuitive features. In a 2002 work, Barnum et al. argued that these features imply that digital signatures for quantum states are impossible [7]. In this work, we ask: can all forms of signing quantum data, even in a possibly weak sense, be completely ruled out? We give two results which shed significant light on this basic question. First, we prove an impossibility result for digital signatures for quantum data, which extends the result of [7]. Specifically, we show that no nontrivial combination of correctness and security requirements can be fulfilled, beyond what is achievable simply by measuring the quantum message and then signing the outcome. In other words, only classical signature schemes exist. We then show a positive result: a quantum state can be signed with the same security guarantees as classically, provided that it is also encrypted with the public key of the intended recipient. Following classical nomenclature, we call this notion quantum signcryption. Classically, signcryption is only interesting if it provides superior performance to encrypt-then-sign. Quantumly, it is far more interesting: it is the only signing method available. We develop “as-strong-as-classical” security definitions for quantum signcryption and give secure constructions based on post-quantum public-key primitives. Along the way, we show that a natural hybrid method of combining classical and quantum schemes can be used to “upgrade” a secure classical scheme to the fully-quantum setting, in a wide range of cryptographic settings including signcryption, authenticated encryption, and CCA security

Quantum Tokens for Digital Signatures

The fisherman caught a quantum fish. Fisherman, please let me go , begged the fish, and I will grant you three wishes . The fisherman agreed. The fish gave the fisherman a quantum computer, three quantum signing tokens and his classical public key. The fish explained: to sign your three wishes, use the tokenized signature scheme on this quantum computer, then show your valid signature to the king, who owes me a favor . The fisherman used one of the signing tokens to sign the document give me a castle! and rushed to the palace. The king executed the classical verification algorithm using the fish\u27s public key, and since it was valid, the king complied. The fisherman\u27s wife wanted to sign ten wishes using their two remaining signing tokens. The fisherman did not want to cheat, and secretly sailed to meet the fish. Fish, my wife wants to sign ten more wishes . But the fish was not worried: I have learned quantum cryptography following the previous story (The Fisherman and His Wife by the brothers Grimm). The quantum tokens are consumed during the signing. Your polynomial wife cannot even sign four wishes using the three signing tokens I gave you . How does it work? wondered the fisherman. Have you heard of quantum money? These are quantum states which can be easily verified but are hard to copy. This tokenized quantum signature scheme extends Aaronson and Christiano\u27s quantum money scheme, which is why the signing tokens cannot be copied . Does your scheme have additional fancy properties? the fisherman asked. Yes, the scheme has other security guarantees: revocability, testability and everlasting security. Furthermore, if you\u27re at sea and your quantum phone has only classical reception, you can use this scheme to transfer the value of the quantum money to shore , said the fish, and swam away

A minus sign that used to annoy me but now I know why it is there

We consider two well known constructions of link invariants. One uses skein theory: you resolve each crossing of the link as a linear combination of things that don't cross, until you eventually get a linear combination of links with no crossings, which you turn into a polynomial. The other uses quantum groups: you construct a functor from a topological category to some category of representations in such a way that (directed framed) links get sent to endomorphisms of the trivial representation, which are just rational functions. Certain instances of these two constructions give rise to essentially the same invariants, but when one carefully matches them there is a minus sign that seems out of place. We discuss exactly how the constructions match up in the case of the Jones polynomial, and where the minus sign comes from. On the quantum group side, one is led to use a non-standard ribbon element, which then allows one to consider a larger topological category.Comment: Expository paper. 16 pages. v2: Significant revision, including several new reference