Attack on a classical analogue of the Dunjko, Wallden, Kent and Andersson quantum digital signature protocol

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

A quantum digital signature (QDS) protocol is investigated with respect to an attacker who can impersonate other communicating principals, in the style of Lowe's attack on the Needham-Schroeder public-key authentication protocol. A man-in-the-middle attack is identified against a classical variant of the protocol, and it is suggested that a similar attack would be effective against the QDS protocol itself. The attack has been confirmed through initial protocol modelling using the automated protocol verifier ProVerif.


💡 Research Summary

The paper investigates a man‑in‑the‑middle (MITM) attack on a classical analogue of the quantum digital signature (QDS) protocol P2 originally proposed by Dunjko, Wallden, Kent and Andersson. By adapting Gavin Lowe’s well‑known attack on the Needham‑Schroeder public‑key authentication protocol, the authors demonstrate how an adversary Eve can impersonate Bob and Charlie, reorder secret keys, and flip the signed message bit while preserving the appearance of a valid signature.

In the classical version, Alice distributes two secret bit‑strings (k₀, k₁), one for each possible message bit, to Bob and to Charlie over secure channels. Each receiver applies a random mask n to its keys, producing masked partial keys, and the two receivers exchange these partial keys with each other. When Alice later sends a signed one‑bit message (m, k_m^B, k_m^C) to Bob, Bob verifies it against his own key for bit m and against the partial key he received from Charlie, then forwards the same tuple to Charlie, who verifies it in the same way. The protocol assumes that all channels are confidential and that the association between keys, masks, and message bits is fixed; nothing in the messages themselves, however, authenticates which key is k₀ and which is k₁, since that association is carried only by the order in which the keys are sent.

The attack proceeds as follows. Eve intercepts Alice's key distribution and swaps the two keys intended for Bob, so that Bob stores k₁ under the label 0 and k₀ under the label 1; she later swaps the labels on the masked partial keys that Bob and Charlie forward to each other, so that each receiver's view is internally consistent. During the messaging phase, Eve flips the message bit m before it reaches Bob. Bob validates the signature against the swapped key and the swapped partial key, and so accepts the forged bit. When Bob forwards the tuple to Charlie, Eve flips the bit back, and Charlie, whose keys were never swapped, verifies the original message correctly. Consequently, Bob authenticates a tampered message while Charlie authenticates the genuine one, breaking both the authenticity and the integrity guarantees of the scheme. As in Lowe's attack, Eve needs neither to read nor to forge a single key bit: relabelling and reordering the messages she relays is sufficient.
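The following simulation is an added example written for this summary; it is not code from the paper, and its model of the classical analogue is an assumption: keys are L-bit lists, Alice holds an independent (k₀, k₁) pair per recipient, a recipient's random mask n selects which key positions he forwards to the other recipient (n[i] == 1) and which he keeps (n[i] == 0), and verification is exact bitwise agreement on the positions a recipient holds. It runs the honest protocol, a naive bit flip without key swapping (which Bob rejects), and the full relabelling attack described above, in which Bob accepts the flipped bit and Charlie accepts the original.

```python
"""Classical analogue of DWKA protocol P2 with Eve's relabelling attack.

Constructed example; the key/mask/partial-key model below is an assumption
made for illustration, not the paper's own definition.
"""
import random

L = 32                    # key length in bits (assumption)
rng = random.Random(7)    # fixed seed so the demo is reproducible; use `secrets` in practice


def rand_bits(n):
    return [rng.randrange(2) for _ in range(n)]


def partial(key, mask):
    """Positions of `key` selected by `mask`: the masked partial key a recipient forwards."""
    return {i: key[i] for i in range(len(key)) if mask[i] == 1}


def relabel(by_label):
    """Eve's manipulation: swap the m=0 and m=1 labels on a pair of keys or partial keys."""
    return {1 - m: v for m, v in by_label.items()}


class Alice:
    def __init__(self):
        self.kB = {0: rand_bits(L), 1: rand_bits(L)}   # keys for Bob
        self.kC = {0: rand_bits(L), 1: rand_bits(L)}   # keys for Charlie

    def sign(self, m):
        """Signed one-bit message (m, k_m^B, k_m^C)."""
        return (m, self.kB[m], self.kC[m])


class Recipient:
    def __init__(self):
        self.keys = {}             # label m -> full key received from Alice
        self.mask = rand_bits(L)   # random mask n
        self.other = {}            # label m -> partial key forwarded by the other recipient

    def receive_keys(self, by_label):
        self.keys = dict(by_label)

    def forward_partials(self):
        return {m: partial(k, self.mask) for m, k in self.keys.items()}

    def receive_partials(self, by_label):
        self.other = dict(by_label)

    def verify(self, m, own_declared, other_declared):
        """Check Alice's declared keys for bit m against everything this recipient holds."""
        kept = {i: self.keys[m][i] for i in range(L) if self.mask[i] == 0}
        own_ok = all(own_declared[i] == b for i, b in kept.items())
        other_ok = all(other_declared[i] == b for i, b in self.other[m].items())
        return own_ok and other_ok


def run(m, attack="none"):
    """attack: 'none' (honest run), 'flip_only' (Eve flips m but swaps nothing),
    or 'full' (swap Bob's keys and both partial-key exchanges, flip m, unflip it)."""
    swap = relabel if attack == "full" else (lambda d: d)
    flip = (lambda b: 1 - b) if attack != "none" else (lambda b: b)

    alice, bob, charlie = Alice(), Recipient(), Recipient()

    # Distribution phase: Eve relabels the two keys heading for Bob.
    bob.receive_keys(swap(alice.kB))
    charlie.receive_keys(alice.kC)

    # Symmetrisation phase: Eve relabels the forwarded partial keys in both directions.
    charlie.receive_partials(swap(bob.forward_partials()))
    bob.receive_partials(swap(charlie.forward_partials()))

    # Messaging phase: Alice -> (Eve) -> Bob -> (Eve) -> Charlie.
    _, kB, kC = alice.sign(m)
    m_bob = flip(m)                          # Eve flips the bit on its way to Bob
    bob_ok = bob.verify(m_bob, kB, kC)
    m_charlie = flip(m_bob)                  # Eve flips it back on its way to Charlie
    charlie_ok = charlie.verify(m_charlie, kC, kB)
    return {"bob": (m_bob, bob_ok), "charlie": (m_charlie, charlie_ok)}


if __name__ == "__main__":
    for attack in ("none", "flip_only", "full"):
        print(f"{attack:9s} {run(1, attack)}")
```

In the `full` run both `verify` calls return True while the two recipients hold different bits, which is the split verdict the paper describes; the `flip_only` run shows that the bit flip alone is caught, so it is the unauthenticated key labelling, not the message channel, that has to be fixed.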

The authors model the protocol in the Applied Pi Calculus and use the automated verifier ProVerif to confirm that the attack trace is reachable. Although the analysis is currently limited to the classical analogue, the authors argue that the same key‑reassignment and masking steps exist in the quantum version, where the quantum channel only distributes the keys without revealing them to Eve. Therefore, the attack could be transferred to the quantum protocol P2, provided that Eve can manipulate the classical post‑processing stages.

Future work is outlined to extend the formal verification to quantum process algebras such as CQP or qCCS, to resolve open questions about event labeling and process dependencies in quantum models, and to develop concrete countermeasures that bind the message bit to its signature in a way that prevents the described key‑swap manipulation.

