1. Introduction
Since the introduction of Bitcoin in 2008 [
1], its underlying technology, the blockchain, has attracted significant research attention and has been widely applied in different fields, such as finance and medical health. In a typical blockchain system, a consensus mechanism elects a representative node for bookkeeping and to reach consistency on a new block; the signing and verification of a transaction are accomplished through a digital signature, and the integrity protection of the transaction records is achieved by a hash function. The accelerating development of quantum computing technology seriously threatens the security of classical blockchains. Specifically, this is reflected in three areas: attacks against consensus mechanisms, attacks against digital signatures, and attacks against hash functions. (1) Regarding consensus mechanisms, proof of work (PoW) is vulnerable to mining attacks [
2], while proof of stake (PoS) exposes stakers to the risk of losing their assets in staking transactions [
3], and the classic voting process in delegated proof of stake (DPoS) is susceptible to forging attacks [
4]. (2) With regards to the security of transactions, classic blockchain systems often use publickey digital signatures whose security relies on complex computational problems that are hard for a classic computer to solve. Discrete logarithm factoring problems and large number decomposition problems are generally used to construct publickey signature algorithms, such as elliptic curve cryptography (ECC), Rivest–Shamir–Adleman (RSA), digital signature algorithm (DSA), and elliptic curve digital signature algorithm (ECDSA). However, these algorithms are vulnerable to quantum computing attacks, as the quantum algorithm—Shor’s algorithm [
5]—can solve discrete logarithms or largenumber decomposition problems in polynomial time. Thus, an attacker using Shor’s algorithm can retrieve the private key from the signature and the public key. Therefore, these publickey digital signatures will be insecure when the adversary has access to a quantum computer in the quantum era. (3) Regarding the data security of transaction records, classical hash functions are vulnerable to preimage collision attacks, typically, Grover’s algorithm [
6] can be exploited to accelerate the search for collisions, perform tampering attacks and compromise the data integrity of blocks.
In order to eliminate the threat of quantum computing attacks on blockchain systems, scholars have conducted indepth research. Several postquantum signature schemes (PQS) have been proposed to address the threats brought by quantum adversaries, such as latticebased, codebased, hashbased, multivariatebased, and hybrid schemes [
7]. These PQS involve hard problems for the quantum adversaries to solve, and their security relies on computational complexity or other difficulties such as encoding. However, complex computation imposes a high computing resource overhead and low transaction throughput, reducing the efficiency of blockchain systems. Some postquantum algorithms may be currently secure against quantum adversaries but this still cannot be strictly proved theoretically, and with the proposal of new stronger quantum algorithms, these PQS algorithms may be breached or threatened.
Unlike PQS algorithms, quantum signatures (QS) security is not based on mathematical complexity problems. Instead, the security of QS relies on the physical properties of quantum mechanics, e.g., the quantum nocloning theorem [
8] and the Heisenberg uncertainty principle [
9], which is computingindependent.
Recent research proposes several quantum blockchain schemes to improve blockchain system security against quantum computing attacks. For instance, E. O. Kiktenko et al. [
10] proposed a quantumsecured blockchain scheme based on a hybrid network that comprises a quantum key distribution (QKD) [
11] network and a classic network. In their work, the original Byzantine fault tolerance (BFT) consensus mechanism is utilized to reach a consensus, and QKD is used for identity authentication. However, the drawback of BFT has limited their scheme’s scalability, as BFT efficiency declines sharply as the number of users increases. In 2019, D. Rajan and M. Visser [
12] conceptually developed a quantum blockchain based on entanglement in time, which is quite theoretical and cannot be accomplished based on existing technology. In 2020, Gao et al. [
13] introduced a quantum blockchain scheme based on DPoS and quantum entanglement, which assumed that each user has a quantum computer and thus currently has no practical value. Moreover, in 2021, Wen et al. [
14] proposed a quantum blockchain scheme using a quantum hash function (QHF), a quantum swap test circuit, and quantum teleportation. However, the quantum swap test circuit fails to distinguish two different quantum strings with a nonnegligible probability. Therefore the method’s data consistency checking is doubtful. In addition, in 2022, ElLatif et al. [
15] proposed a blockchain framework that involved QHF based on a quantum walk model, where the QHF was used for block linking. Although the blockchain scheme achieved integrity and confidentiality for data in Internet of Things (IoT) devices, the consensus mechanism was not mentioned in the paper. In the same year, Li et al. [
4] proposed a quantum blockchain scheme based on QDPoS, where all classical information of a block is encoded into a single qubit, and all the qubits (blocks) are entangled to form a chain. Given the practical difficulties of longterm storage of quantum entangled particles under current conditions, the verification of data integrity on this quantum blockchain is quite complex, resulting in their scheme still being somewhat impractical under current technological conditions. Moreover, the QS in their scheme is onetime, a signature generated by the signer can only be verified once and then disappears. If
n verifiers want to verify the transaction, the signer needs to perform the signing process
n times. The security of QS depends on the number of quantum public keys, resulting in inefficiency and high quantum resource overhead. In 2022, Ye et al. [
16] proposed a quantum blockchain scheme—QboT—for IoT by a QS, in QBoT, quantum state public keys are stored in blocks which is considered to be unpractical using current technology, as “
Longterm data storage is not possible because decoherence in the quantum world rapidly corrupts information, making it very difficult to rely on quantum memories/storage” [
17]. In 2022, Wang et al. [
18] proposed a blockchain scheme based on an improved DPoS consensus algorithm and a quantum signature. In their consensus, the voting process is somewhat neglected, their work would have been better if the postquantum security of the voting protocol had been taken into consideration.
The above work has made useful explorations into postquantum security of blockchain systems, yet the following problems still exist: (1) lack of a secure and efficient consensus mechanism, e.g., the BFT of [
10] limits the scale of the blockchain system, the schemes of [
16] and [
18] are based on DPoS, which may be fragile to quantum computing attacks during the voting process, while the scheme of [
15] lacks a consensus mechanism. (2) The schemes are not practical and efficient enough, such as the block structure design [
4,
16] that stores quantum state information will face the problem of suffering from noise interference, and the quantum swap test circuit has the problem of nonnegligible error rate when judging two different quantum strings [
14]. (3) The transaction verification process consumes large quantum resources or the signature scheme is not practical enough. For example, in the scheme of [
4], a quantum state public key needs to be consumed for each verification of the signature of a transaction; in the scheme of [
18], the signature can only be verified once by the designated verifier and cannot be reverified.
At the same time, the rapid development of quantum cryptography provides us with a key to unlock the toolbox for eliminating quantum computing attacks. Some quantum hash function schemes with good collision resistance have been proposed [
19,
20], and several secure quantum digital signature schemes based on the physical properties of quantum mechanics have been constructed [
21,
22,
23]. All these quantum cryptography components open a new path for us to design a postquantum secure blockchain scheme.
Inspired by the above work, this study proposes a quantumsecure blockchain scheme (QSB) by introducing an improved proof of authority (PoA) [
24] consensus algorithm and an IQS. As the quantum state particles collapse after measurement, a signature in quantum states will always “disappear” after verification, leading to a new problem for the QS. Specifically, a signature generated by QS can be verified only once, disappear, and cannot be verified again after the onetime verification. Therefore, many QS schemes do not support verifying a signature multiple times, unlike a classic publickey signature that can be verified by different parties as often as required. In a QS scheme, if a third party other than the signer and the verifier wants to check the validity of a signature after verification, he will fail in obtaining the quantumstate signature because it disappeared in the first verification. This QS characteristic will restrain applying QS in the blockchain.
To address this issue, a QS with signature proof retained is needed. Therefore, this paper proposes an IQS scheme. Given the robustness of a QS to quantum computing attacks, it can be used for transaction signing in the blockchain, as although the IQS can be verified only once and will collapse after verification, the signature proof will be left, convincing an unrelated party that the signature has been verified successfully. A third party other than the designated verifier can check the validity of the signature by the proof. Thus, the trust in QSB is improved in that IQS overcomes the weakness of a general QS.
The main contributions of this paper are concluded as follows.
A quantumsecure blockchain scheme (QSB) is proposed by utilizing a consensus mechanism, QPoA, and IQS. The QPoA is leveraged for block generation while the IQS is deployed in transaction verification. The QPoA adopts a behaviorscoring mechanism to improve the reliability of the validating nodes, and the IQS utilizes the validating node as a trusted third party to verify a transaction. By combining QPoA and IQS, QSB achieves a perfect balance of postquantum security and practicality.
A consensus algorithm—QPoA—is developed in QSB for new block generation. First, QPoA adopts the Knuth shuffling algorithm with QRNG to rearrange validating nodes in an unpredictable random manner, which offers nontransparency of the leader node’s identity and immunity from centralized attacks. Second, by deploying a quantum voting protocol instead of classical voting, the postquantum security of new block generation is enhanced. Third, by adopting an updating mechanism of validating nodes in QPoA, the trustworthiness of validating nodes is improved, therefore the trust establishment between two users in a transaction is better achieved.
An IQS scheme with an arbitrator is utilized in QSB to improve the security and efficiency of transactions. By storing the verification proof of the transaction in IQS, reverification for a transaction is achieved, solving the disputation of a lost quantum signature and making our IQS more trustworthy and practical.
Based on QSB, a digital document exchange platform is designed to secure digital documents’ transmission and record receiving and sending operations accurately. Security analysis demonstrates that QSB is secure from both classical and postquantum perspectives. Overall, the proposed QSB is a secure, practical, and efficient blockchain solution in the postquantum era.
The remainder of this paper is organized as follows.
Section 2 constructs a quantumsecure blockchain (QSB) scheme based on the QPoA consensus mechanism and the IQS, QPoA adopts a quantum voting protocol and QRNG for leader node election and leverages a dynamic updating mechanism to maintain the authority of nodes.
Section 3 represents a transaction process in QSB by IQS.
Section 4 conducts a security analysis of the proposed blockchain scheme, and
Section 5 discusses the usage of QSB in a digital document exchange application scenario. Finally,
Section 6 concludes this work.
2. QuantumSecure Blockchain Scheme
QKD is a protocol whereby two communicating parties establish a key by transmitting quantum state particles with the aim of sharing a string of keys (consisting of classical random bits, but also known as “quantum keys” because they are established quantumly) between the two parties. In 1984, Bennett and Brassard first introduced quantum cryptography and gave the first QKD protocol, the BB84 protocol [
11]. After nearly forty years of development, various QKD protocols [
25,
26,
27,
28,
29,
30] have been proposed based on different quantum mechanical properties, and the security of some typical QKD protocols has been rigorously proven to be informationtheoretic secure. Although some security threats against QKD such as eavesdropping [
31] may exist due to the imperfect nature of physical devices, adjusting parameters to increase the proportion of decoystate particles during the postprocessing of QKD can effectively mitigate such threats. As both QKD and onetime pad (OTP) encryption algorithms are informationtheoretic secure, they can be used in combination to achieve perfectly secure and confidential communications.
Practical research of QKD is also progressing rapidly. In 2021, Pan et al. demonstrated an airtoground quantum network. Based on the quantum satellite Micius, all users in the QKD network can communicate with each other over a distance of up to 4600 km through an integrated optical fiber and freespace QKD network [
32]. In 2022, Li et al. demonstrated an experiment for quantum state transfer (QST) across a distance of over 1200 km based on the entanglement between two faraway parties utilizing the quantum satellite Micius [
33].
QRNG technology [
34] is developing rapidly to be applied to QKD. Currently, QRNG is in the process of commercialization and the QRNG chip is maturing. In 2022, Quantum eMotion, a Canadian company, announced the design completion of its first blockchain application of QRNG technology.
In the network architecture of QSB, there are two layers of network in the distributed system, a classical network and a QKD network. All nodes are connected to each other by an authenticated quantum channel, and they can also communicate with each other in a classical channel. Any two nodes can implement the QKD protocol to share secret keys.
2.1. Blockchain Structure of QSB
The architecture of QSB is shown in
Figure 1. Each block consists of two parts: a block head and a block body. The block head contains the block proposer who generated and proposed the block, the QHF value of the previous block, the timestamp of block generation, and other necessary information. The block body contains transactions arranged in chronological order by their timestamps. Each block stores the QHF value of its previous block, and all blocks are linked to form a chain structure in this way.
2.2. Consensus Mechanism in QSB
PoW and PoS are the mainstream consensus mechanisms of blockchain systems. The PoW consensus mechanism elects a bookkeeping node by solving a cryptographic puzzle (mining), i.e., the miner node that successfully solves the specified cryptographic puzzle first will receive the mining rewards and obtain bookkeeping rights, which is resourceconsuming. In the PoS consensus mechanism, verifiers compete for bookkeeping rights of the new block by their stakes, and the one who has the most stake (including stake amount and holding time) will win the game and propose the new block. While PoS has good energy efficiency, there is a risk that the stake may become concentrated in the hands of a few participants, leading to a monopoly. The PoA is a blockchain consensus mechanism other than PoW and PoS, which Gavin Wood, the founder of Ethereum, first proposed. PoA is a reputationbased consensus mechanism that provides faster transactions. Based on the identity as a stake (IAS) mechanism, PoA provides a practical and efficient solution for blockchain networks (especially private blockchains). In QSB, an improved PoA consensus mechanism—QPoA—is developed.
The basic idea of PoA is to elect a central authority—leader node—to unify every node’s state, and the PoA network usually uses distributed accounting, where each node has a ledger. The consensus algorithm ensures that the state of each node is consistent to prevent inconsistency in everyone’s ledgers. The validator in the PoA network is the authority elected by everyone, and after the leader node proposes and validates a new block, the validating nodes synchronize the data from the leader node. PoA is a feasible consensus mechanism to maintain the consistency of all nodes’ states and effectively prevents doublespending attacks.
In the blockchain system, when a leader node has proposed a new block and has packaged it into the blockchain, we define it as one consensus. When all nodes in the list of validating nodes (denoted as LV) have been elected as the leader node for one time, we define it as one consensus round. The transaction process in one consensus is shown in
Figure 2.
Generating a new block in PoA is implemented by voting. All validating nodes vote on the candidate block proposed by the leader node, and the new block will be accepted and included in the blockchain if it gets at least $\u230a\frac{V}{2}\u230b+1$ affirmative votes (V is the number of validating nodes). Otherwise, it will be rejected.
Unlike mining in PoW, PoA maintains a list LV in the blockchain system, and the nodes in this list will generate a new block in turn. It should be noted that this is an energysaving process. Regarding the PoA process, for instance, before a new consensus round begins, V nodes are elected as the validating nodes, and the LV is generated and kept in the blockchain system. According to the order of nodes in the LV, the role of the leader node is passed from one validating node to the next in turn. At the beginning of a consensus, one node in the LV will be elected as the leader node to generate a new block.
For better understanding, the mathematical symbols in the article are defined in the notation table,
Table 1.
2.2.1. The Election of Leader Node in a Consensus
In PoA, the order of nodes in the LV is kept constant, and the validating nodes take turns acting as the leader node by this fixed sequence. This will bring about the problem of overexposure of the leader node’s identity, which will attract attacks. Once the leader node is attacked, the progress of new block generation will be delayed, thus reducing the efficiency of the whole blockchain system.
To tackle this issue, we introduce the Knuth shuffling algorithm [
35] to elect the leader node randomly to conceal its identity in each consensus. By adopting the quantum multiparty secure computing method, all validating nodes participate together to share a public parameter
P_{M} before the start of the
Mth consensus round. In the
Mth consensus round, the newly generated leader node in each consensus is shared among all validating nodes by encryption of
P_{M}, which is only known to the validating nodes, and other unrelated parties including ordinary nodes know nothing about it.
Moreover, by utilizing the fundamental randomness of certain quantum processes [
36], a QRNG can be used for random number generation in our scheme. The deployment of a QRNG in QPoA will make the leader node election totally unpredictable.
Specifically, to conceal the real identity of the leader node, we harness a QRNG [
34] to reorder the LV, concealing the identity of the leader node in each consensus. In this way, the leader nodes can be effectively protected from concentrated attacks like DDoS due to the randomization of the leader node’s appearance order. As shown in
Figure 3, each element of LV array stores the identity of a leader node.
The inputs are LV and
N (
N denotes the number of blocks in the current blockchain ledger), and the output is a reordered LV. t
_{N} is the timestamp of block
N that is used as the seed parameter for the QRNG. That is, t
_{N} is used as a random seed of QRNG to generate a random number C[i] and the Knuth shuffling algorithm uses C[i] to generate a new leader node in the next consensus. The algorithm for the leader node selection is presented in Algorithm 1.
Algorithm 1. The leader node selection algorithm 
Input: L, V, l, t_{N} //L is an array to store LV, each element stores an ID of a validating node; V denotes the number of elements in LV; l denotes the number of validating nodes that have already acted as the leader node in a consensus round; t_{N} denotes the timestamp of the latest block B_{N}. Output: L; L[i] int i,j; i = Vl; { C[i] = QRNG(ID_{(Vl)},t_{N}); // ID_{(Vl)} denotes identity of the current leader node j = C[i]%(i+1); tmp = L[i]; // L[i] stores ID of the ith validating node in LV L[i] = L[j]; L[j] = tmp; } if(l < V) l = l + 1; else l = 0; return L[i]; //The element in ith position in L, that is, L[i] stores the identity ID_{L}_{[i]}will be elected as the leader node in the forthcoming (K+1)th consensus

The newly generated list LV determines the leader node in the forthcoming consensus. The exact process of the leader node election in one consensus is shown in
Figure 4.
In each consensus round, all validating nodes use a verifiable multiparty QKD protocol [
37] to secretly share a classical public key
P, i.e., the shared parameter in the
Mth consensus round is
P_{M}. In a consensus of the
Mth consensus round, a leader node
ID_{l} is elected by the reordering algorithm in Algorithm 1, then
P_{M} is used to encrypt the identity of the new leader node
ID_{l} and
ID_{l} is published among all validating nodes in a secure quantum channel.
Figure 5 illustrates the leader node election in a complete consensus round by QPoA.
2.2.2. Generation of a New Block by Quantum Voting
In PoA, the leader node proposes a new block and sends it to all validating nodes for validation. The acceptance of a new block is implemented through classical voting. However, classical voting usually relies on a classic publickey cryptographic algorithm. For instance, in the PoAbased blockchain system Apla, the leader node signs a new block with a private key by the ECDSA algorithm in the voting process. This is quite insecure when quantum adversaries are considered due to the postquantum vulnerability of classic publickey cryptosystems. In contrast, this problem does not exist in a quantum voting scheme since its security is guaranteed by the principles of quantum mechanics. Therefore, adopting a quantum voting protocol will make the blockchain system immune from underlying quantum computing attacks. In 2017, Thapliyal et al. [
38] proposed an efficient quantum binary voting protocol by deploying controlled deterministic secure quantum communication (CDSQC) with a permutation of qubits. By exploiting the Bell state, the operation on a qubit can perform a voting ballot. By adopting this quantum voting protocol in QPoA, voting on the new block can be achieved postquantum securely.
QPoA adopts a quantum voting scheme based on CDSQC with a permutation of qubits [
38] for voting on a candidate block. The candidate block will be accepted and included in the blockchain if it gets more than half of the validating nodes’ affirmative votes. Otherwise, it will be discarded. Specifically, the leader node (for instance, David) publishes the new block on a bulletin board to enable all validating nodes to vote on it. The quantum voting in QPoA consists of three phases: initializing, voting, and counting. The detailed voting process is as follows.
 (1)
Initializing
There are N blocks in the blockchain ledger, and Charlie is the previous leader node that successfully packaged the latest block ${B}_{N}$ on the blockchain. Charlie acts as the scrutineer in the voting process. David is the current leader node, and he generates a new block ${B}_{N+1}$ as the candidate block. David initiates voting on ${B}_{N+1}$ by sending ${B}_{N+1}$ to all validating nodes, and David is the tallyman. The voters are all validating nodes except Charlie.
IStep 1: The controller, Charlie, sets up a bulletin board to release announcements. The data on the bulletin board cannot be tampered with as all nodes supervise it. By performing a multiparty QKD protocol [
30], a secret parameter
$P$ is shared among all validating nodes, including David. The sharing of the QHF parameter
$P$ is illustrated in
Figure 6. David calculates an authentication code
${h}_{N+1}$ for
${B}_{N+1}$ by a parameterized QHF [
19] with
$P$.
${h}_{N+1}=QHF(P,{B}_{N+1})$.Then David broadcasts (
${B}_{N+1}$,
${c}_{N+1}$) to all validating nodes, and the integrity of
${B}_{N+1}$ can be verified by
${h}_{N+1}$.
IStep 2: Through the QKD protocol [
11,
25,
26,
27,
28,
29,
30], David performs identity authentication for all voters. Then David initiates a voting request to all voters by publishing the candidate block
${B}_{N+1}$ with a deadline that is a time point
${t}_{end}$. David publishes the voting rule that all voters should obey. That is, performing
I on the received qubit represents a negative vote, while performing the Pauli gate X represents an affirmative vote.
The Bell states are denoted as follows:
Let $I=\left(\begin{array}{cc}1& 0\\ 0& 1\end{array}\right)$ be the unitary operator, $X=\left(\begin{array}{cc}0& 1\\ 1& 0\end{array}\right)$ be the X operator.
 (2)
Voting Phase
VStep 1: Charlie prepares n pairs of Bell state particles selected in $\{\left{\mathsf{\Phi}}^{+}\right.\u232a,\left{\mathsf{\Phi}}^{}\right.\u232a,\left{\mathsf{\Psi}}^{+}\right.\u232a,\left{\mathsf{\Psi}}^{}\right.\u232a\}$, which is denoted as $\{\left{S}_{1}\right.\u232a,\left{S}_{2}\right.\u232a\}$, $\left{S}_{1}\right.\u232a$ represents the sequence of the first qubits and $\left{S}_{2}\right.\u232a$ represents the sequence of the second qubits. Charlie sends the first qubit of the ith Bell state to the ith voter and prepares an nqubit sequence with the second qubits of all the Bell states, which is denoted as $\left{S}_{2}\right.\u232a$. After that, he performs a permutation operator on each particle in $\left{S}_{2}\right.\u232a$ to generate a new sequence $\left{\widehat{S}}_{2}\right.\u232a$ and sends $\left{\widehat{S}}_{2}\right.\u232a$ to David.
VStep 2: According to the previously established voting rules, every voter casts a vote by performing a corresponding operator on the received qubit. A voter operates
I on the qubit for a negative vote or operates
X on the qubit for an affirmative vote. The quantum circuit of quantum voting is illustrated in
Figure 7. Then the voter sends the voting result (the transformed qubit) to David, these transformed qubits formed a new sequence
$\left{\widehat{S}}_{1}\right.\u232a$.
VStep 3: After David receives the qubits of Bell states that carry the ballot information from all voters or the time reaches ${t}_{end}$, David informs Charlie that the collection of votes is accomplished.
 (3)
Counting Phase
Charlie informs David about the original state and the permutation operator information. Then David figures out that the specific qubit in
$\left{\widehat{S}}_{2}\right.\u232a$ was originally entangled with the qubit in
$\left{\widehat{S}}_{1}\right.\u232a$. After receiving the information from Charlie, David performs Bell measurements on each partner particle to get the voting result cast by every voter, as he already knows the original Bell states. For example, Charlie prepares a Bell state
$\left{\mathsf{\Phi}}^{+}\right.\u232a=\frac{1}{\sqrt{2}}(\left00\right.\u232a+\left11\right.\u232a)$ and sends the first particle to a voter. If the voter performs an X operator on the first particle, and Charlie performs an I operator on the second particle. After measurement by David, the outcome is
$\left{\mathsf{\Psi}}^{+}\right.\u232a=\frac{1}{\sqrt{2}}(\left10\right.\u232a+\left01\right.\u232a)$, Charlie announces the initial state
$\left{\mathsf{\Phi}}^{+}\right.\u232a=\frac{1}{\sqrt{2}}(\left00\right.\u232a+\left11\right.\u232a)$. Based on his measurement result and the initial state, David can deduce that the voter performed operation X, i.e., voted in approval. Due to the statistical nature of quantum measurements, judging whether two quantum states are identical is not as straightforward as comparing two classical numbers. In order to tell whether two quantum states are the same, the Quantum Swap Test Circuit (QSTC) proposed by Buhrman is used, as shown in
Figure 8.
Ultimately, by counting all votes, David publishes every voting result on the bulletin board and calculates the number of affirmative votes ${V}_{a}$. If ${V}_{a}>\frac{V}{2}$, block ${B}_{N+1}$ will be accepted and included in the blockchain. After the inclusion of block ${B}_{N+1}$, the timestamp of the (N + 1)th block ${t}_{N+1}$ will be used as a seed of QRNG to elect the next leader node from the left validating nodes in LV.
2.2.3. Generation of LV in a Consensus Round
By conventional PoA, generating a new block can be delayed or even fail because of some anomalous or malicious behavior of the leader node. Generally, the leader node will not perform malicious behaviors. However, if the reward brought by malicious behaviors is much greater than the loss of authority, the leader node may harm the blockchain system at the risk of having that authority revoked. To address this issue, QPoA introduces a dynamic updating mechanism for validating nodes based on the credit scores of the nodes.
We define five types of nodes in a blockchain system with QpoA, as reported in
Table 2, and we introduce a behaviorscoring mechanism in QpoA. The behaviors of the nodes are quantified by scores. A score will be set for each behavior based on how much the behavior damages the system, and a node will be assigned a corresponding score after performing each behavior.
We define $B$ types of malicious behaviors for the nodes, denoted by ${M}_{b}(1\le r\le B)$. Each ${M}_{b}$ is assigned a weight ${W}_{b}$,$\sum _{b=1}^{B}{W}_{b}}=1$. Furthermore, for a specific malicious behavior ${M}_{b}$, a threshold ${T}_{b}$ is assigned, which means that the behavior ${M}_{b}$ can be performed no more than ${T}_{b}$ times. If a node has a behavior ${M}_{b}$ for more than ${T}_{b}$ times, it will be demoted as a malicious node. The malicious behaviors are introduced as follows.
$b=1$ (fpb), represents the failure of proposing or including a valid block into the blockchain when it is a leader node ${W}_{b}={w}_{1},{T}_{b}={t}_{1}.$
$b=2$ (fvb), represents the failure of validating a valid block, i.e., giving a veto on a valid block ${W}_{b}={w}_{2},{T}_{b}={t}_{2}.$
$b=3$ (fvt), represents the failure of submitting a valid transaction, i.e., submitting an invalid transaction to the leader node ${W}_{b}={w}_{3},{T}_{b}={t}_{3}.$
$b=4$ (otherf), represents the communication response failure or offline status, or other failures
${W}_{b}={w}_{4},{T}_{b}={t}_{4}.$
where
${t}_{ri}$ denotes the number of times behavior
r is implemented by node
$i$.
In QpoA, we develop an updating mechanism. Updating the validating nodes includes excluding old validating nodes and including new ones.
After a consensus round completes, all validating nodes have performed the role of leader node, and the LV will be updated. Each validating node will obtain two behavior scores, for node $i$, ${S}_{mi}$ denotes the malicious behavior score. For node $i$, if it has malicious behavior $b$ more than ${T}_{b}$ times or ${S}_{mi}>{S}_{threshhold}$, it will be excluded from the LV and will be demoted as a malicious node, which cannot be elected as a validating node. After checking all validating nodes, the malicious nodes will be excluded, and the existing validating nodes and all authority nodes will form the set of validating node candidates for the next consensus round.
The behavior score is introduced to evaluate the behaviors of a node and is used to dynamically elect validating nodes to participate in each consensus round to enhance the degree of “decentralization”.
After calculation, malicious nodes will be excluded and new authority nodes will be added to form the LV for the next consensus round. The updating process of the validating nodes in QPoA is presented in
Figure 9.
All validating nodes share their secret parameter with each other through a secure quantum channel. The algorithm in Algorithm 1 will output a new reordered list from the LV using their parameters. The nodes in the leader node list will act as leader nodes in turn.
Compared to PoA, QPoA is more reliable since the validating node’s reputation is fully taken into consideration. With the evaluation of malicious behaviors by scores, maliciousness can be reduced and the trustworthiness of the validating node is improved in the consensus.
In summary, QPoA improves on the PoA consensus mechanism in three aspects. First, QPoA discards the classical voting method in PoA and adopts a quantum binary voting protocol [
38] instead, securing the voting process from quantum computing attacks. Second, QPoA deploys a quantum multiparty secure computing protocol [
37] to generate a shared key P that is used to share the leader node’s identity secretly. The Knuth shuffling method is adopted in the algorithm for the leader node selection, reordering the LV to hide the identity of the leader node from attacks. Third, by auditing the behavior of the validating nodes and quantifying malicious behaviors with a score, the authority of nodes can be dynamically adjusted according to their scores, which further improves the trustworthiness of the validating nodes and the efficiency of consensus.
3. The Transaction Process in QSB
In QSB, there are three parties participating in a transaction, the transaction initiator—Alice—the transaction receiver—Bob—and the trusted validating node—Trent. Alice signs the transaction and generates a signature, Trent verifies the signature, and, if verification passes, Bob accepts the transaction. Otherwise, the transaction will be discarded. The security of transaction initiation and verification is governed by the physical properties of quantum signatures. In this section, we will describe the complete process of a transaction in detail, including the four phases of initialization, key generation, signing, and verification. Moreover, with the virtue of QPoA, the trustworthiness of validating nodes is guaranteed, the trusted validating nodes act as verifiers for transactions, ensuring the security of transactions in QSB.
3.1. Initialization Phase
Let
$H=\frac{1}{\sqrt{2}}\left(\begin{array}{cc}1& 1\\ 1& 1\end{array}\right)$ be the Hadamard operator. The effect of the Hgate operating on a particle is equivalent to multiplying its corresponding matrix by the particle’s quantum state vector. The quantum logic gate H operation is depicted as follows:
where
$I$ is the unit operator. For any strings
$x=\left({x}_{1},{x}_{2},\dots ,{x}_{n}\right)$ and
$y=\left({y}_{1},{y}_{2},\dots ,{y}_{n}\right)$, we define that
$x\oplus y=\left({x}_{1}\oplus {y}_{1},{x}_{2}\oplus {y}_{2},\dots ,{x}_{n}\oplus {y}_{n}\right)$, where “⊕” denotes the addition operation under modular two.
In this phase, Alice and Bob secretly saved a oneway function $G:{\left\{0,1\right\}}^{*}\to {\left\{0,1\right\}}^{n}$ as their master key, and the output of $G$ is uniformly distributed. Suppose that the identification of Alice is $I{D}_{A}\in {(0,1)}^{n}$, the identification of Bob is $I{D}_{B}\in {(0,1)}^{n}$, and transaction information $Tx$ is encoded into a binary string $m=\left\{{m}_{i}\right\}\in {(0,1)}^{n},i=1,2,\dots ,n$.
3.2. Key Generation Phase
Alice, Bob, and Trent share their private keys by performing the following steps.
Kstep 1: Alice calculates $p=G\left(I{D}_{A}\right)$ with the master key $G$. In the same way, Bob calculates $q=G\left(I{D}_{B}\right)$.
Kstep 2: By performing the QKD protocol [
11,
25,
26,
27,
28,
29,
30], a temporary random secret key
$z=\left({z}_{1},{z}_{2},\dots ,{z}_{n}\right)$ is shared between Alice and Bob. Bob calculates
${l}_{1}\oplus z={{l}^{\prime}}_{1}$,
${l}_{2}\oplus z={{l}^{\prime}}_{2}$, and Bob publicly announces
${{l}^{\prime}}_{1}$ and
${{l}^{\prime}}_{2}$. Based on the secret pad
$z$, Alice decrypts the OTP ciphertexts
${{l}^{\prime}}_{1}$ and
${{l}^{\prime}}_{2}$, then gets their private parameters
${l}_{1}=z\oplus {{l}^{\prime}}_{1}$ and
${l}_{2}=z\oplus {{l}^{\prime}}_{2}$.
Kstep 3: By performing the QKD protocol [
11,
25,
26,
27,
28,
29,
30], the private key
${K}_{AT}$ is shared between Alice and Trent, and the private key
${K}_{BT}$ is shared between Bob and Trent. The structure of QS is shown in
Figure 10.
3.3. Signing Phase
Sstep 1: Alice secretly generates an nbits parameter
$r=\left({r}_{1},{r}_{2},\dots ,{r}_{n}\right)$, and Alice computes
The quantum signature on $m$ is $\left\delta \right.\u232a\mathsf{:}={\otimes}_{i=1}^{n}\left{\delta}_{i}\right.\u232a$.
Sstep 2: Alice generates $l(l>>2n)$ decoy particles, which are randomly distributed in {$\left0\right.\u232a,\left1\right.\u232a,\left+\right.\u232a,\left\right.\u232a$} to check for eavesdropping. These decoy particles will be randomly inserted into the sequence $\left\alpha \right.\u232a$ and $\left\delta \right.\u232a$, then the corresponding particle sequence $\left{\alpha}^{\prime}\right.\u232a$ and $\left{\delta}^{\prime}\right.\u232a$ are generated. After that, $\left{\alpha}^{\prime}\right.\u232a$ is sent to Bob and $\left{\delta}^{\prime}\right.\u232a$ is sent to Trent.
Sstep 3: Bob secretly generates an nbits parameter
$s=\left({s}_{1},{s}_{2},\dots ,{s}_{n}\right)$, and Bob computes
Sstep 4: Bob generates $l(l>>2n)$ decoy particles randomly distributed in {$\left0\right.\u232a,\left1\right.\u232a,\left+\right.\u232a,\left\right.\u232a$} to check for eavesdropping. These decoy particles are randomly inserted into the sequence $\left\beta \right.\u232a$ and $\left\gamma \right.\u232a$, then the corresponding particle sequence $\left{\beta}^{\prime}\right.\u232a$ and $\left{\gamma}^{\prime}\right.\u232a$ are generated. After that, $\left{\beta}^{\prime}\right.\u232a$ is sent to Alice and $\left{\gamma}^{\prime}\right.\u232a$ is sent to Trent.
Sstep 5: After confirming that $\left{\alpha}^{\prime}\right.\u232a$ has been received by Bob, $\left{\beta}^{\prime}\right.\u232a$ has been received by Alice, and $\left{\delta}^{\prime}\right.\u232a$ and $\left{\gamma}^{\prime}\right.\u232a$ have been received by Trent, the initial states and location information of the decoy particles in $\left{\alpha}^{\prime}\right.\u232a$ and $\left{\delta}^{\prime}\right.\u232a$ will be announced by Alice. Moreover, the initial states and location information of the decoy particles in $\left{\beta}^{\prime}\right.\u232a$ and $\left{\gamma}^{\prime}\right.\u232a$ will be announced by Bob. After that, Alice and Bob measure the decoy particles in the provided positions with the corresponding basis and compare the initial states with the measured results, respectively. If there is no error in checking, Bob proceeds to the next step. Otherwise, the protocol will be restarted.
3.4. Verification Phase
Vstep 1: After Alice has recovered $\left\beta \right.\u232a$, she calculates $q=G\left(I{D}_{B}\right)$, and according to $q$, she measures $\left\beta \right.\u232a$. If $q=0$, she will measure $\left\beta \right.\u232a$ with {$\left0\right.\u232a,\left1\right.\u232a$}, and if $q=1$, she will measure $\left\beta \right.\u232a$ with {$\left+\right.\u232a,\left\right.\u232a$}. Additionally, if $\left\beta \right.\u232a=\left0\right.\u232a$ or $\left+\right.\u232a$, then Alice gets $g=0$, and if $\left\beta \right.\u232a=\left1\right.\u232a$ or $\left\right.\u232a$, then Alice gets $g=1$.
Similarly, after Bob recovers $\left\alpha \right.\u232a$, he calculates $p=G\left(I{D}_{A}\right)$, and according to $p$, he measures $\left\alpha \right.\u232a$. If $p=0$, he will measure $\left\alpha \right.\u232a$ with {$\left0\right.\u232a,\left1\right.\u232a$}, and if $p=1$, he will measure $\left\alpha \right.\u232a$ with {$\left+\right.\u232a,\left\right.\u232a$}. Moreover, if $\left\alpha \right.\u232a=\left0\right.\u232a$ or $\left+\right.\u232a$, then Bob gets $f=0$, and if $\left\alpha \right.\u232a=\left1\right.\u232a$ or $\left\right.\u232a$, then Bob gets $f=1$.
Vstep 2: Alice calculates
According to Equation (
10), she obtains
Then she sends c to Trent.
According to Equation (
12), he gets
Then he sends $d$ to Trent.
Vstep 4: Trent measures $\left\delta \right.\u232a$, according to ${K}_{AT}$. If ${K}_{AT}=0$, he will measure $\left\delta \right.\u232a$ with {$\left0\right.\u232a,\left1\right.\u232a$}, and if ${K}_{AT}=1$, he will measure $\left\delta \right.\u232a$ with {$\left+\right.\u232a,\left\right.\u232a$}. In addition, if $\left\delta \right.\u232a=\left0\right.\u232a$ or $\left+\right.\u232a$, then Trent sets ${u}^{\prime}=0$, and if $\left\delta \right.\u232a=\left1\right.\u232a$ or $\left\right.\u232a$, then Trent sets ${u}^{\prime}=1$.
Similarly, Trent measures $\left\gamma \right.\u232a$, according to ${K}_{BT}$. If ${K}_{BT}=0$, he will measure $\left\gamma \right.\u232a$ with {$\left0\right.\u232a,\left1\right.\u232a$}, and if ${K}_{BT}=1$, he will measure $\left\gamma \right.\u232a$ with {$\left+\right.\u232a,\left\right.\u232a$}. If $\left\gamma \right.\u232a=\left0\right.\u232a$ or $\left+\right.\u232a$, then Trent sets ${v}^{\prime}=0$, and if $\left\gamma \right.\u232a=\left1\right.\u232a$ or $\left\right.\u232a$, then Trent sets ${v}^{\prime}=1$. Trent secretly keeps ${u}^{\prime}$ and ${v}^{\prime}$.
Vstep 5: According to sharing key
${K}_{AT}$ and
${K}_{BT}$, Trent computes
Finally, Trent compares the outcomes of Equations (
14) and (
15), and if
${\mu}_{1}={\mu}_{2}$, the signature is valid. Trent publishes
${\mu}_{1}$ and
${u}^{\prime}\oplus {v}^{\prime}$, and Alice and Bob publish
s,
r,
l_{1},
l_{2}. Otherwise, it will be abandoned. The whole process of signing and verification for a transaction is shown in
Figure 11.
Alice initiates a transaction Tx with Bob, Trent is a validating node and acts as the designated verifier to verify Tx by IQS. If the verification succeeds, Tx will be sent to the leader node David by Trent. David collects verified transactions from all validating nodes, adds them to the transaction queue, sorts them by their timestamp, and validates them one by one. A valid transaction will be packaged into a candidate block while an invalid one will be rejected. After valid transactions accumulate to a certain number or time reaches ${t}_{end}$, the candidate block ${B}_{N+1}$ will be published to all validating nodes for voting, if ${B}_{N+1}$ is accepted by the voting result, then Tx is included in the chain.
4. Security and Analysis of QSB
QSB can effectively resist common attacks against blockchain systems, such as 51% attacks, double spending attacks, and Sybil attacks.
Regarding 51% attacks, in QPoA, an attacker is required to control over 51% of validating nodes, which is quite different from the case in the PoWbased blockchain where an attacker is required to obtain 51% of the computational power of the whole network. It is almost impossible for an attacker to obtain control of such a large percentage of validating nodes in a permissioned blockchain network, which is more difficult than obtaining computational power. For example, in a PoWbased network, an attacker can increase the computation power of its controlled nodes to improve the chance of obtaining bookkeeping rights, while this makes no sense for QPoA because QPoA is computation independent, the computational power of the node has no effect on the block generation decisions.
Double spending attacks are eliminated in QSB by the leader node, as all verified transactions will be validated by the leader node one by one in a strict chronological order, any spent assets will be taken into consideration when validating a transaction. Additionally, even if an invalid doublespending transaction has been packaged in a candidate block, before the generation of this block, during the voting process participated in by all validating nodes, the invalid transaction will easily be found and the block will be rejected by voting.
As for Sybil attacks, QSB conceals the identity of the leader node by the leader node selection algorithm, the timestamp of a block is unpredictable and the randomness of QRNG also guarantees the randomization of the leader node. Furthermore, the identity of the leader node is shared among all validating nodes through a secure quantum channel with the help of public key P generated by secure multiparty QKD protocol [
37].
4.1. Security of QPoA Consensus Mechanism
The QPoA can initially set up authorized nodes called validating nodes with transaction verification and voting rights. A new transaction needs to be verified by the validating nodes before its publishment on the chain. For a new validating node enrolled at a later stage, the current validating nodes can also decide whether to allow it to join the LV by voting. The QPoA can greatly increase the speed because it reduces the computational cost of reaching consensus.
In addition, due to the adoption of a quantum voting protocol that is immune from quantum computing attacks, QPoA is postquantum secure.
4.2. Security of Transactions
In QSB, the security of a transaction is guaranteed by IQS. This section conducts a detailed security analysis of IQS, which includes unforgeability and resistance to repudiations and impersonation attacks.
4.2.1. InformationTheoretic Security of IQS
The quantum ciphertext should be informationtheoretically indistinguishable for a secure quantum cryptosystem under a quantum chosenplaintext attack (INDCPA) [
39].
Theorem 1 [
40]
. For all plaintexts $x$ and $y$, let the density operators of the cipher states
$E(x)$ and
$E(y)$ be
${\rho}_{x}$ and
${\rho}_{y}$, respectively. A quantum publickey encryption scheme is said to be informationtheoretically indistinguishable if, for every positive polynomial p(·) and every sufficiently large
$n$, Thus, based on Theorem 1, our scheme has ciphertext indistinguishability under quantum INDCPA.
Proof. Let
$\left{\alpha}^{*}\right.\u232a$ and
$\left\alpha \right.\u232a$ be the ciphertexts of different plaintexts
$m*$ and
$m$, respectively. For an adversary Eve, the density operators of
$\left{\alpha}^{*}\right.\u232a$ and
$\left\alpha \right.\u232a$ should take the possible values of private keys
$r$. Note that
$f$ satisfies Equation (
2), in which
$r$,
${K}_{AT}$,
${l}_{1}$, and
$m$ have uniform distributions. Hence, the density operator of
$\left\alpha \right.\u232a$ >can be computed as follows
Similarly, the density operator of
$\left{\alpha}^{*}\right.\u232a$ can be computed as follows
Let
$\left{b}^{*}\right.\u232a$ and
$\leftb\right.\u232a$ be the ciphertexts of different plaintexts
$m*$ and
$m$, respectively. For an adversary Eve, the density operators of
$\left{b}^{*}\right.\u232a$ and
$\leftb\right.\u232a$ should take the possible values of private keys
$s$. Note that
$s$ satisfies Equation (
6), in which
$s$,
${K}_{BT}$,
${l}_{2}$, and
$m$ have uniform distributions. Hence, the density operator of
$\leftb\right.\u232a$ can be computed as follows
Similarly, the density operator of
$\left{\beta}^{*}\right.\u232a$ can be computed as follows
Similarly, as Equations (
17)–(
20), it follows that
According to Theorem 1, these bounds make IQS theoretically information INDCPA secure. □
4.2.2. Secrecy of the Private Key
In IQS, Trent is a trusted node who will never disclose the private key of Alice and Bob. Hence, the adversary, Eve, tries to retrieve the private key only from the public information.
First, Eve cannot retrieve the private key from the identity. In the key generation phase, Alice and Bob generate their private keys $p=G\left(I{D}_{A}\right)$, $q=G\left(I{D}_{B}\right)$ with the master key $G$. As $G$ is a oneway function, if $G$ is chosen as a random oneway function, Eve can succeed in guessing $G$ with a negligible probability $\frac{1}{(2n)!}$. Therefore, it is infeasible for Eve to retrieve the private key from the identity.
Second, in the key generation phase, it is infeasible for Eve to retrieve private parameters from
${{l}^{\prime}}_{1}$ and
${{l}^{\prime}}_{2}$ announced by Alice and Bob. Note that
${l}_{1}\oplus z={{l}^{\prime}}_{1}$,
${l}_{2}\oplus z={{l}^{\prime}}_{2}$ where the secret
$z$ is generated by performing the secure QKD protocol. Therefore, Eve cannot get
$z$ due to the unconditional security of the QKD protocol. Here,
$z$ acts as a random pad,
${{l}^{\prime}}_{1}$ and
${{l}^{\prime}}_{2}$ can be seen as OTP ciphertexts [
18] of the private parameters
${l}_{1}$ and
${l}_{2}$. Since it is guaranteed by the unconditional security of OTP [
24], it is unworkable for Eve to retrieve the private key
${l}_{1}$ and
${l}_{2}$ from the OTP ciphertext
${{l}^{\prime}}_{1}$ and
${{l}^{\prime}}_{2}$ without knowing the secret pad
$z$. Therefore, the security of secret keys such as
${K}_{AT}$,
${K}_{BT}$,
$s$,
$r$,
${l}_{1}$,
${l}_{2}$ is provided by the unconditional information theoretical security of QKD protocols and OTP.
Finally, Eve cannot get the quantum ciphertexts $\left\alpha \right.\u232a$ and $\left\beta \right.\u232a$, which contain the information of the signer’s private key. In IQS, as decoy particles are utilized in eavesdropping checking in the quantum channel, Eve’s eavesdropping attacks will necessarily cause disturbances to the decoy particles, which will be found by the receiver easily in the signing and signature verification phases. Even if Eve obtains the quantum ciphertexts $\left\alpha \right.\u232a$ and $\left\beta \right.\u232a$ by chance, it is unworkable for Eve to retrieve the private key ${K}_{AT}$ and ${K}_{BT}$ from $\left\alpha \right.\u232a$ and $\left\beta \right.\u232a$ which is guaranteed by the informationtheoretical INDCPA security of IQS. Therefore, it is unworkable for Eve to retrieve the signer’s private key.
4.2.3. Security against Forgery
The unforgeability of QSB is analyzed in this section. According to the signing phase, the private key
${K}_{AT}$ and the secret pad
${l}_{1}$ are necessary for signing a message. However, according to the security analysis of the private key presented in
Section 4.2.2, Eve cannot retrieve the private key
${K}_{AT}$ and the secret pad
${l}_{1}$ from the public information. Similarly, according to Sstep3 in
Section 3.1, the private key
${K}_{BT}$ and the secret pad
${l}_{2}$ are necessary for signing a message. However, according to the security analysis of the private key in
Section 4.2.2, Eve cannot retrieve the private key
${K}_{BT}$ and the secret pad
${l}_{2}$ from the public information. Therefore, it is infeasible for Eve to forge a valid signature without
${K}_{AT}$,
${K}_{BT}$ and secret pads
${l}_{1}$ and
${l}_{2}$. Even Trent cannot forge the signer’s signature since he knows nothing about the secret pads
${l}_{1}$ and
${l}_{2}$, which are only possessed by Alice and Bob. Similarly, the receiver, Bob, cannot forge the signer’s signature since he knows nothing about the key
${K}_{AT}$ and private parameter
$r$ that Alice secretly generates.
4.2.4. Security against Repudiations
Nonrepudiation means that in a valid transaction, the signer, Alice, cannot deny the fact that she has signed the transaction, and the receiver, Bob, cannot deny the fact that he has accepted the verified signature.
In a typical transaction, the validating node Trent is a trusted third party that neither reveals the signer’s private key nor impersonates the signer to sign any message. From
Section 4.2.3, we know that the proposed QS is secure against forgery. Therefore, as long as the verification succeeds, the validity of the signature should not be denied by either the signer or the receiver.
In general, for a verified transaction, the state of the QS is changed after verification. This means both the signer and the receiver will lose the QS. Specifically, in our scheme, once the QS passes the verification by Trent, both Alice and Bob will lose the QS $\left\delta \right.\u232a$. So, the signer Alice may deny the fact that she has ever generated a QS, while the receiver Bob may deny the fact that he has ever received a QS. We call this a disputation of a lost quantum signature. Most of the existing QS schemes cannot arbitrate this kind of disputation, while the proposed IQS can arbitrate this kind of disputation.
Noting that the signature proof (
$m$,
$I{D}_{A}$,
$I{D}_{B}$,
$s$,
$r$,
${l}_{1}$,
${l}_{2}$,
${\mu}_{1}$,
${u}^{\prime}\oplus {v}^{\prime}$) is stored by Trent. Once the signer Alice denies the fact that she has ever generated the QS on m, Bob can submit a reverification request to Trent with partial transaction data (
$m$,
$I{D}_{A}$,
$I{D}_{B}$,
$s$,
${l}_{1}$,
${l}_{2}$). In response to the request, Trent recovers the corresponding signature proof (
$m$,
$I{D}_{A}$,
$I{D}_{B}$,
$s$,
$r$,
${l}_{1}$,
${l}_{2}$,
${\mu}_{1}$,
${u}^{\prime}\oplus {v}^{\prime}$) in which
r is published by Alice,
s is published by Bob,
${l}_{1}$,
${l}_{2}$ are copublished by Alice and Bob during the verification phase. Then Trent recovers the private key
${K}_{AT}$,
${K}_{BT}$ from
$I{D}_{A}$,
$I{D}_{B}$ respectively. Next, by Equations (
2) and (
6), Trent calculates
f and
g respectively. Moreover, according to Equations (
10)–(
14) and Equation (
15), Trent performs the following two calculations respectively.
After that, Trent compares ${\mu}_{1}*$, ${\mu}_{2}*$ with ${\mu}_{1}$. If ${\mu}_{1}*={\mu}_{2}*={\mu}_{1}$, Trent can confirm that Alice has generated the QS for Bob since only Alice can work out the valid $f$ with the private key ${K}_{AT}$ and $r$. Similarly, Bob cannot deny the fact that he has ever received the valid QS because Trent has stored the signature proof ($m$, $I{D}_{A}$, $I{D}_{B}$, $s$, $r$, ${l}_{1}$, ${l}_{2}$, ${\mu}_{1}$, ${u}^{\prime}\oplus {v}^{\prime}$). According to the partial transaction data ($m$, $I{D}_{A}$, $I{D}_{B}$, $r$, ${l}_{1}$, ${l}_{2}$) submitted by Alice and the signature proof ($m$, $I{D}_{A}$, $I{D}_{B}$, $s$, $r$, ${l}_{1}$, ${l}_{2}$, ${\mu}_{1}$, ${u}^{\prime}\oplus {v}^{\prime}$), Trent can calculate ${\mu}_{1}*$, ${\mu}_{2}*$ and verify whether ${\mu}_{1}*={\mu}_{2}*={\mu}_{1}$ as above. If ${\mu}_{1}*={\mu}_{2}*={\mu}_{1}$, Bob cannot deny the fact that he has ever received the valid QS, since only Bob can work out the valid g with the private key ${K}_{BT}$ and $s$. In summary, our scheme not only realizes transaction data nonrepudiation but is also able to arbitrate the potential disputation of lost quantum signatures, which cannot be achieved in most QS schemes.
4.3. Security of Transaction Records
A postquantum secured QHF is utilized in the block structure to maintain the data integrity of transaction records. As the multiparty QKD protocol provides secure sharing of QHF parameters among all the validating nodes. Without the parameter p, an adversary can not implement the preimage collision attack for the QHF. Due to the adoption of confidential quantum walk parameters, QHF is resistant to preimagecollision attacks faced by classical hash functions. In this way, transaction records on the blockchain ledger can be protected from tampering.
Overall, the postquantum security of QSB is enhanced from three aspects: consensus mechanism QPoA, transaction digital signature IQS, and tamperproof QHF.
4.4. Analysis of the Efficiency of QSB
First, it is well known that quantum resources are expensive at the current state of the art and an efficient transaction should use as few quantum resources as possible. In the literature [
4], in order to complete the verification of a single transaction, the distribution of O(
n^{2}) copies of quantum public key among
n nodes is implemented by O(
n^{2}) times communications, which consumes large quantum resources and quantum communication resources. The high overheads of quantum resources in both storage and communication will lead to a reduction in transaction efficiency. While in QSB, a transaction requires only the distribution of O(1) copies of quantum keys among three nodes and it is implemented by O(1) times communications, which largely saves quantum storage resources and quantum communication resources.
Second, the QPoA maintains the LV for new block generation by a rigorous and standardized vetting process, which is fair and transparent. The generation of a new LV is through a dynamic updating mechanism that can maintain the blockchain performing well during a consensus round, the time complexity of a consensus round in QSB is O(
V), while that of QDPoS is O(n) with
n >
V. QSB is also Byzantine fault tolerant, the tolerance rates of the faulty nodes is
n/2, which is a comparable performance to the literature [
4].
Third, in other quantum blockchain schemes, the nodes separately generate new blocks on their own, which is not robust. While in QSB, as the block is totally classical information that can be broadcast in a classical channel easily and no extra quantum information is required to be sent pointtopoint, accelerating the block generation process. While Refs. [
12,
41] send quantum data through quantum channels for verification with an extra consumption of 2
n qubits and n qubits, respectively.
In addition, in the QDPoS scheme, the election of onetime representative nodes is implemented through quantum voting with time complexity O(
n). While in QSB, the election of validating nodes is accomplished by QPoA without any quantum resource consumption, the consensus time complexity of QSB is just O(1). From the perspective of quantum voting, our scheme is more efficient than Ref. [
4].
4.5. Comparison
In QDPoS, the elected representative nodes take turns generating new blocks, this exposes the identity of the bookkeeping node which may attract attacks. Different from QDPoS, QPoA elects the leader node from the LV through a randomized algorithm with QRNG, which fully hides the identity of the leader node and protects the blockchain from centralized attacks, which may lead to a single point of failure.
As to the storage structure of blocks, [
4] stores blocks in quantum states, which is expensive and not convenient for data validation as a quantumstate block can be used only once and collapse. While in QSB, blocks are stored in classical states, the storage costs are low and data can be reused for replication and validation, enabling the blockchain system to be more practical. The comparisons of quantum blockchain schemes are made in
Table 3, demonstrating that QSB achieves a better balance of postquantum security, practicality, and efficiency.