Quantum Inf Process (2013) 12:549558

DOI 10.1007/s11128-012-0398-3

An inter-bank E-payment protocol based on quantum

proxy blind signature
Xiaojun Wen Yongzhi Chen Junbin Fang

Received: 7 December 2011 / Accepted: 15 March 2012 / Published online: 4 April 2012
Springer Science+Business Media, LLC 2012

Abstract Security and anonymity are essential to E-payment systems. However,

with the increasing computing power, existing E-payment systems will gradually
become insecure. In this paper, we propose an inter-bank E-payment system which
is based on quantum proxy blind signature. Adopting the techniques of quantum
key distribution, one-time pad and quantum proxy blind signature, our quantum
E-payment system could protect users anonymity as the traditional E-payment systems do, and also have unconditional security which the classical E-payment systems
cannot provide. Furthermore, compared with the existing quantum E-payment systems, the proposed system could support inter-bank transactions.
Keywords E-payment system Inter-bank Quantum proxy blind signature
Unconditional security

X. Wen (B)
School of Electronics and Information Engineering, Shenzhen Polytechnic,
Shenzhen 518055, China
e-mail: szwxjun@sina.com
Y. Chen
Department of Electronics and Information Engineering,
Shijiazhuang University, Shijiazhuang 050035, China
J. Fang (B)
Department of Computer Science, The University of Hong Kong,
Hong Kong SAR, China
e-mail: junbinfang@gmail.com

123

550

X. Wen et al.

1 Introduction
Nowadays, E-commerce is in a period of rapid development and choosing an appropriate method of payment is very important for E-commerce transaction. Electronic
Cash (E-cash), which has the properties of anonymity and off-line transferability, is
becoming an ideal payment method, compared with other methods. Since Chaum has
proposed the concept of E-cash, many researchers dedicated to study E-cash system
and proposed a number of E-cash payment schemes [15].
Blind signature and group signature are the key techniques for implementing
E-payment systems. However, in modern cryptography, the classical group signature
and blind signature schemes are based on the computational complexity problems,
such as factorization problem, discrete logarithm problem, quadratic residue problem,
which could not be proved to be absolutely secure [6]. So the current E-cash systems,
which are based on the classical signature schemes, can not be proved to be unconditionally secure. Especially with the increasing computing power, these algorithms or
schemes will gradually become insecure at all. Fortunately, it has been proved that the
defect of modern cryptography can be overcome by quantum cryptography due to the
two outstanding characteristics of quantum cryptography - the unconditional security
and detectability of eavesdropping.
Since Bennett and Brassard [7] published their famous quantum key distribution
protocol in 1984 (named BB84 protocol), quantum cryptography has achieved great
success in secrecy communications fields. Subsequently, there were a lot of studies
on quantum signatures and quantum authentication [811]. However, the application
of quantum cryptography in E-cash is still very few. Recently, we firstly proposed
an E-payment protocol based on quantum group signature to solve the conditional
security problem in E-payment system [12]. In succession, we also proposed another
E-payment system based on quantum blind and group signature, employing two TTPs
(Third Trusted Party) instead of one to enhance the systems robustness [13]. However,
the limitation of these two protocols is that they can be only applied to the business
transactions within the same bank. In real life, there are many business transactions
between different banks and an E-payment system supports secure inter-bank transactions is desired from the view of practical application.
In this paper, we propose a new E-payment protocol to solve the problem and
support the radically secure E-payment between two different banks. In our system,
quantum proxy blind signature is adopted to implement the inter-bank payment and
guarantee its unconditional security. To the best of our knowledge, this is the first application of quantum proxy blind signature to an E-payment system. Compared with the
existing classical E-payment systems, unconditional security can be guaranteed by
the proposed system. Compared with the existing quantum E-payment systems, the
inter-bank transaction can be supported by this system.
The rest of this paper is organized as follows. In Sect. 2, we introduce the basic
theories of the quantum proxy signature and quantum blind signature algorithm. In
Sect. 3, we propose the E-payment protocol between two banks. The security analysis
and discussions are presented in Sect. 4. Finally, in Sect. 5, we discuss the results and
draw conclusions.

123

An inter-bank E-payment protocol based on quantum proxy blind signature

551

2 Preliminary theory
2.1 Proxy blind signature
Proxy signature is the original signer gives the signature ability to a proxy signer, so
that the proxy signer can sign messages on behalf of original signer [14]. As for blind
signature, the message owner could get the authentic signature for his own message,
but not reveal the specific content of the message. In some cases, such as an inter-bank
trading system, both the property of proxy signature and that of blind signature were
required for application and security concern, so proxy blind signature was proposed.
2.2 The correlation of triplet entangled state | 
Suppose that Alice, Bob1, Bob2 share three particles in entangled state [15]:
1
(|000 + |110 + |011 + |101)123
2
1
= (|+ + + + | )123
2

| 123 =

(1)

where
1
1
|+ = (|0 + |1) , | = (|0 |1)
2
2

(2)

and Alice holds particle1, Bob1 holds particle3 and Bob2 holds particle2, respectively,
as shown in Fig. 1.
Formula 1 can be rewritten as
| 123 =


1
(|00 + |11)12 |03 + (|01 + |10)12 |13
2

(3)

Firstly, Bob1 measures his particle3 in base B Z = {|0, |1}, then the particles 1
and 2 would become one of the states:
 +


1
1
=3 0| 123 = (|00 + |11)12 = (|++ + |)12
2
2
 +
1
1

= 1| 123 = (|01 + |10)12 = (|++ |)12
12 3
2
2
12

Bob1
1

Alice

Bob1

Bob2

(4)
(5)

Fig. 1 Schematic of transmission on the triplet

123

552

X. Wen et al.

Table 1 The possible results after Alice, Bob1and Bob2 choosing the different measuring bases
Bob1s result of
particle3 using B Z

The same base

chose by Alice
and Bob2

Alices result of
particle1

Bob2s result of
particle2

|03

Bz

|0
|1
|+
|
|0
|1
|+
|

|0
|1
|+
|
|1
|0
|+
|

Bx
|13

Bz
Bx

Deduct
Bank1

Customer

If Bob2 Chooses a
base different
from Alice, he
will get a random
result

Alice

Bob1
Purchase

delegate

Proxy Blind Signature

Bank2
Bob2

Deposit

Merchant

Charlie

Fig. 2 Framework of the inter-bank E-payment system

Secondly, Alice randomly chooses the base B Z = {|0, |1}, or B X = {|+, |} to
measure her particle1.Finally, Bob2 measures his particle2 randomly. If Bob2 Chooses
the same base as Alices to measure his particle, he will get a certain result (as shown
in Table 1). However, after Alices measurement, if Bob2 chooses a measurement base
different from Alices, he will get a random result.
3 The inter-banks quantum E-payment system
As shown in Fig. 2, our inter-bank E-payment system involves four roles as following:
(1)
(2)
(3)
(4)

Alice: the customer;

Bob1: the bank where Alice open her account;
Charlie: the merchant;
Bob2: the bank where Charlie open his account.

Informed by Alice, the bank Bob1 deducts the corresponding amount of money
from Alices account and transfers the money to the bank Bob2 and delegate Bob2
sign to merchant Charlie, such that Charlie should receive the proper money in his
account. After verifying the proxy blind signature from Bob2, the merchant Charlie
gives the corresponding goods to Alice. The whole transaction is finished.

123

An inter-bank E-payment protocol based on quantum proxy blind signature

553

In the proposed E-payment system, the following security objectives can be

achieved: (a) The information of money transfer (namely M1) transmitted among
Alice, Bob1, Bob2 and Charlie should not be tampered by adversary; (b) To protect
the privacy of the customer, the bank Bob1 and Bob2 should keep blind from Alices
consumption content, i.e., the purchase information of Alice (namely M2). So, the
E-payment information of Alice is divided to two parties: M1 and M2, M1 is open to
bank but M2 is blind, and both M1 and M2 couldnt be tampered by any others.
3.1 Initial phase
Step 1. Quantum key distribution
Alice shares secret key K AC (2n bit) with Charlie, K AB1 (n-bit) with Bob1,while
Bob2 shares secret key K B2C (3n-bit) with Charlie, K B1B2 (n-bit) with Bob1,respectively. To ensure unconditional security, these secret keys have been distributed by the
famous QKD protocol BB84 [7].
Step 2. Quantum channel setup
Alice sets up the quantum channel by preparing Q(Q > N ) triplets (in state of
| 123 , denoted as {|(1)123 , |(2)123 , . . ., |(i)123 , . . ., |(Q123 )} and distributing
two photons of each triplet to Bob1 and Bob2 respectively (as shown in Fig. 1). Bob1
randomly chooses (Q N ) triplets to take on the channel detection. Firstly, Bob1
measures his (Q N )(Q N >= n) photons with the base Bx , and then announces
his measuring results in public; Secondly, Bob2 measures the corresponding photons
with the base Bx , and announces his measuring results in public too. After receiving
Bob1s and Bob2s messages, Alice checks the correlation of the (Q N ) measuring
results by measuring her corresponding photons with the base Bx . If these results
satisfy the correlation in Formula 1, the safe channel would be set up successfully.
In this step, the safe channel can be used to communication in security via prevent
intercepting, its security is provided by detecting eavesdropper.
Step 3 Message preparation
Alice divides her purchase message into two parts: M1(n-bit), involving the amount
that Alice ought to pay and the information of Charlies opening account in the Bank
Bob2; M2(n bit), including Alices detailed purchase information which can not be
seen by others. So Alice needs to blind the part M2.
Alice Informs Bob1, Bob2 and Charlie, the transaction begins.
3.2 Proxy delegation phase
Step 1. Alice encrypts her partial message M1 with the key K AB1 and sends it to the
bank Bob1. She informs Bob1 that she wants to pay the certain amount to Charlies
account in the bank Bob2.
Step 2. Bob1 measures the corresponding photons (the particle3 of each triplet) with
the basis B Z , gets the measuring results S1 ={s1 (1), s1 (2)), ,s1 (i), . . ., s1 (n)}(s1 (i)

123

554

X. Wen et al.

{0,1}, 0 denotes |0 as 1 denotes |1}), then he encrypts it to get E K B1B2 (S1 ),
where S1 may be regards as Bob1s proxy certificate.
Step 3. Bob1 sends E K B1B2 (S1 ) to Bob2.
In this phase, the unconditional security is guaranteed by the use of quantum key
K AB1 and K B1B2 , and the one-time pad encryption algorithm. The subsequent phases
also have the similar analysis.
3.3 Blind the message M2 phase
Step 1. Alice measures her particle1 sequence according to her partial message
M2 = {m(1), m(2), . . ., m(i), . . .m(n)},which is Alices detailed purchase payment. If m(i) = 0, she measures particle1 with the base Bz = {|0, |1}, Ifm(i) = 1,
she chooses the base Bx = {|+, |}.
She records the measuring results as m  = {m  (1), m  (2), . . ., m  (i), . . ., m  (n)}
(m  (i) {|0, |1, |+, |}). One of the four states (|0, |1, |+, |) could be
encoded into two classical bits, the measuring rule and encoding rule are as shown in
Table 2.
Thus, m  (i) comprises 2-bit classical information, and the message M2 (n-bit) has
been blinded into m  (2n-bit).
Step 2. Alice encryptsm  with the key K AC to get the secret message
 
MAC = E K AC m 

(6)

Then she sends the secret message M AC to the merchant Charlie.

Since both m  and K AC are 2n-bit, Alice adopts one-time pad as the encryption
algorithm to guarantee the unconditional security.
3.4 Sign the blind message phase
Step 1. After receiving E K B1B2 (S1 ) from Bob1, the bank Bob2 decrypts it to get
the proxy certificate S1 . Bob2 measures his particle2 sequence with the corren+2i1
(the odd bits of his key K B2C ),
sponding base Bz or Bx according to K B2C
then encodes his measuring results into 2n-bit classical message(denoted as S2 =
{s2 (1), s2 (2)), . . ., s2 (i), . . ., s2 (n)}(s2 (i) {00, 01, 10, 11}). The measuring and
encoding rules are as shown in Table 2.
Table 2 The measuring and
encoding rules for the quantum
states

123

n+2i1
m(i)or K B2C

Measuring
base

Measuring
result

2-Bit
classical code

Bz

Bx

|0
|1
|+
|

00
01
10
11

An inter-bank E-payment protocol based on quantum proxy blind signature

555

Step 2. The bank Bob2 combines S1 withS2 in turn to get S = {s1 (1),
s1 (2)), . . ., s1 (i), . . ., s1 (n), s2 (1), s2 (2)), . . ., s2 i), . . ., s2 (n)}(s1 (i) {0, 1}, s2 (i)
break {00, 01, 10, 11}), and encrypts S with the key K B2C (3n-bit) to get
S = E K B2C {S} , E is one-time pad, S is the proxy blind signature of the
message m  .
Step 3. Bob2 sends S to the merchant Charlie.

3.5 Verification phase

Step 1. Charlie receives the secret message M AC from Alice, then decrypts it with
his key K AC to get the blind message (m  (1), m  (2), . . ., m  (i), . . ., m  (n)).
Step 2. Charlie transforms the blind message m  to the original message M2. According to the blind message, Charlie could know the original message m by the inverse
operation of Table 2.
For example, if m  = (m  (1), m  (2), . . ., m  (4)) = (01101100), then we will get
m = (m(1), m(2), . . ., m(4)) = (0110). The deduction process is shown in Table 3.
Step 3. Charlie receives the proxy blind signature of the message M2, i.e.S =
E K B2C {S}, from Bob2, then he decrypts S with his key K B2C to get S1 , S2 .
Step 4. Charlie accepts S as the valid proxy blind signature for message M2 when the
2i1
, S1 (i)and S2 (i) satisfy the verifying rule as shown
parameters m(i), m  (i), K B2C
in Table 4. Otherwise, he rejects it.
Step 5. If there is no dispute, Charlie could receive the proper amount from Alices
account and deposit it in Bank Bob2 while the same amount money will be deducted
from Alices account in bank Bob1. At the same time, Charlie should send the corresponding goods to Alice. The transaction is finished.

Table 3 The deduction process of blind message m  to original message m (take an example for m  =
(01101100))
n

m
Alices measure result
Alices measure base
m

01
|1
Bz
0

10
|+
Bx
1

11
|
Bx
1

00
|0
Bz
0

Table 4 The verifying rules

S1 (i) m  (i)
n+2i1
m(i) = K B2C
0
1
1
1
1
n+2i1
m(i)  = K B2C
0
1

S2 (i)

m  (i) = S2 (i)
00
01
01
00
10
10
11
11
No correlation between m  (i) and S2 (i)

123

556

X. Wen et al.

4 Scheme properties and security analysis

4.1 Blind property
In the whole transaction, the bank Bob1 and Bob2 are kept blind from the message
M2s content, however, Bob2 could sign the message M2 on behalf of Bob1 by measuring his particle2 sequence. And Charlie would verify and accept the message signed
by Bob2.
4.2 Security analysis for attacks
(1) Message and signature security
In our scheme, the verifiers could rebuild the message M2 as well as verify the
signature by quantum entanglement properties of the triples in state | . As the
message is transmitted by the physical effect of the entangled triplets, it cannot
be intercepted or tampered by attackers.
(2) Forgery impossibility
In our scheme, the original bank Bob1 and the proxy bank Bob2 are trusty. Those
who attempt to forge signatures would definitely be detected. Assume that Eve
wants to forge Bob2s signature. As Eve has neither the secret key K B2C shared
by Bob2 and Charlie nor the secret key K B1B2 shared by Bob2 and Bob1, she cannot send secret messages to Charlie or Bob1 with the keys K AC or K AB1. Even
if Eve gets K AC or K AB1 , she still cannot get the photons distributed to Bob2
without destroying the correlation of qubits. Thus, the attacks will be detected
and Bob2s signature cannot be forged. Similarly, the original bank Bob1s proxy
certificate cannot be forged either.
(3) Disavowal impossibility
During the phase of signature verifying, Charlie should use his key K AC to
decrypts the secret message M AC , in order to rebuild the original message M2.
In addition, Alice has to encrypt her partial message M1 with the key K AB1
and send it to the bank Bob1. As Alice shares K AB1 with Bob1, Bob1 could
use it to decrypt the message M1 to identify Alice in case of disputes. Thus,
Alice cannot deny her purchase message M1 which contains the amount she
ought to pay Charlie. Similarly, as Charlie shares K AC with Alice, and use it to
decrypt the blind message m  , Charlie cannot deny the receipt of the payment
message.
In conclusion, our inter-bank E-payment protocol cannot be deceived or attacked.
4.3 Unconditional security
The unconditional security of our system is ensured through quantum secret key distribution, one-time pad and quantum transmission channel. First, the protocol BB84
is adopted for quantum key distribution, which is proved to be unconditionally secure
[7]. Second, we also employ one-time pad for the encryption algorithm to achieve

123

An inter-bank E-payment protocol based on quantum proxy blind signature

557

the theoretically proved security. Finally, our protocol is based on the secure quantum channel, which has instantaneous transmission not restricted by distance, time or
obstacles. Therefore, our scheme is unconditionally secure.

5 Conclusion
In this paper, we propose an inter-bank E-payment protocol based on quantum proxy
blind signature. Compared with the previous works, our protocol could not only protect the users anonymity but also implement the inter-bank payment. Moreover, we
use quantum entanglement, quantum key distribution and one-time pad algorithm to
guarantee the protocols unconditional security.
Furthermore, it can be implemented easily with the current experimental conditions,
as the key techniques of our protocol only rely on the von Neumann measurement and
|  states preparation. Although photon transmission in the quantum channel are difficult to approach 1 due to the channel noises, with the development of the quantum
information technique, our scheme can be applied successfully.
Acknowledgments This work was supported by a project funded by the China Postdoctoral Science
Foundation (project number 20080440896) and the Open Research Foundations of both State Key Laboratory of Information Security (Graduate School of Chinese Academy of Sciences) and Key Laboratory
of Communications and Information System (Beijing Jiaotong University). The work was also partially
supported by HKU Seed Funding for Basic Research (200811159155).

References
1. Chaum, D., Heyst, E.: Group Signatures, Advances in Cryptology-Eurocrypt91 LNCS 547. pp. 257
265. Springer, Berlin (1992)
2. Maitland, G., Boyd, C.: Fair Electronic Cash Based on a Group Signature Scheme, ICICS 2001, LNCS
2229. pp. 461465. Springer, Berlin (2001)
3. Canard, S., Traor, J.: Fair E-cash Systems Based on Group Signature Schemes, ACISP 2003, LNCS
2727. pp. 237248. Springer, Berlin (2003)
4. Traor, J.: Group Signatures and Their Relevance to Privacy-Protecting Offline Electronic Cash Systems, ACISP99, LNCS 1587. pp. 228243. Springer, Berlin (1999)
5. Qiu, W., Chen, K., Gu, D.: A New Off-Line Privacy Protecting E-Cash System with Revocable Anonymity, ISC 2002, LNCS 2433. pp. 177190. Springer, Berlin (2002)
6. Nielsen, M., Chuang, I.: Quantum Computation and Quantum Information. Cambridge University
Press, Cambridge (2000)
7. Shor, P., Preskill, J: Simple proof of security of the BB84 quantum key distribution protocol. Phys.
Rev. Lett. 85, 441444 (2000)
8. Zeng, G., Keitel, C.H.: An arbitrated quantum signature algorithm. Phys. Rev. A 65, 042312
042317 (2002)
9. Gottesman, D., Chuang, I.: http://arxiv.org/abs/quant-ph/0105032.pdf (2001)
10. Wen, X., Niu, X., Ji, L., Tian, Y.: A weak blind signature scheme based on quantum cryptography. Opt.
Commun. 282, 666669 (2009)
11. Wen, X., Tian, Y., Niu, X.: A group signature scheme based on quantum teleportation. Physica
Scripta 81, 055001055005 (2010)
12. Wen, X.: An E-payment system based on quantum group signature. Physica Scripta 82, 065403
065407 (2010)
13. Wen, X., Nie, Z.: An E-payment system based on quantum blind and group signature. In: International
Symposium on Data, Privacy, and E-Commerce, America (2010)

123

558

X. Wen et al.

14. Sun, H., Hsieh, B., Tseng, S.: On the security of some proxy blind signature schemes. J. Syst.
Softw. 74, 297302 (2005)
15. Gao, T., Yan, F., Wang, Z.: Controlled quantum teleportation and secure direct communication. Chin.
Phys. 14(05), 893897 (2005)

123