Experimental demonstration of complete quantum e-commerce based on an efficient quantum digital payment

Shuaishuai Liu; Yu Zhang; Shaobo Ren; Si Qiu; Zhenguo Lu; Xuyang Wang; Yongmin Li

doi:10.1364/PRJ.540123

1. INTRODUCTION

The rapid development of quantum computing heralds a potential impact on the existing encryption systems [1 –3]. Classic e-commerce usually uses security mechanisms such as public key cryptographic algorithms, digital signatures, and authentication for secure transactions [4 –6]. Such protocols may be vulnerable to the powerful computational capabilities of quantum computing. In the face of the challenges posed by quantum computing, quantum key distribution (QKD) shows its unique advantages [7 –12]. Its information-theoretic security (i.t.-security) is guaranteed by the theorems of quantum mechanics. It enables secure distribution of keys without limiting the ability of the adversary, and when combined with a one-time pad, can ensure secure transmission of private information. QKD is one of the most mature quantum technologies available and its proof-of-principle demonstration has been achieved at the thousand-kilometer level in both free space and fiber-optic links [13 –15].

In modern society, e-commerce is indispensable for a merchant and client. A complete e-commerce covers business information flow, financial flow, and logistics, which require collaboration among banks (trusted), trading platforms (trusted third parties), merchants, clients, and logistics companies (LCs) to complete the transaction of goods. During e-commerce transaction, security that mainly consists of authentication, nonrepudiation, and traceability is critical. QKD itself is an effective approach for secure key distribution; however, it can only guarantee the confidentiality of messages and cannot directly perform other cryptographic tasks required by e-commerce.

Quantum digital signatures (QDSs), as an important primitive in cryptography, provide effective solutions for five cryptographic tasks (integrity, authentication, nonrepudiation, traceability, and impartiality) in e-commerce. Since the first proposal of QDS [16], it has seen great progress in the past two decades. The initial requirements of secure quantum channels [17 –21] and quantum memory [22 –24] that are difficult to operate have been removed. A number of theoretical [25 –30] and experimental [31 –38] studies have been carried out, among which the QDS based on one-time universal hashing (OTUH) improves the contract signing rate by $10^{8}$ orders of magnitude [38]. Recently, quantum e-commerce that can provide i.t.-security was proposed [39]. The original scheme mainly focuses on the issue of subscription protocols between merchants, clients, and third-party platforms, while the protocols on payment, logistics, and reception of goods that are essential parts of the quantum e-commerce are lacking.

A banknote, with its advantages of being difficult to reproduce and portable, has replaced traditional physical money such as copper, silver, and gold as an efficient proof of transaction. Although banknotes are relatively difficult to forge, they are not completely impossible to forge. It is in this context that the concept of “quantum money” was introduced [40], whose unforgeable properties are guaranteed by the no-cloning theorem of quantum mechanics, which has stimulated extensive interests [41 –48], especially in the prevention of counterfeiting [41 –43]. The anti-counterfeiting features of quantum money bode well for their potential to replace traditional banknotes as a new type of currency in the future. However, banks need to pre-prepare and store quantum money with a trusted verifier [41] or the holder’s credit card [43], waiting for the holder to redeem it for payment or waiting to spend it. Quantum storage is a major challenge limiting the quantum money to be stored for long periods of time awaiting payment [49]. With the popularity of smartphones and the Internet, digital payments are showing a tendency to replace monetary payments. The appealing and original quantum digital payment (QDP) scheme, which uses a combination of QKD and quantum payment token preparation, transmission, and measurement effectively solves the security problem of digital payments [50]. However, banks and clients need to wait to prepare or measure quantum payment tokens at any time. Furthermore, the quantum tokens should consume around $10^{6}$ quantum states in order to achieve an honest success probability close to one and a negligible dishonest success probability. A QDP solution that is both efficient and simple is desired.

Here, we propose a complete quantum e-commerce scheme based on a simple and efficient QDP method. Our QDP scheme, with only one QKD link and bank verifying the signature, can achieve secure and efficient digital payments at any time and from any location. This solution eliminates the reliance on quantum memory in the traditional quantum money payment process and removes the need to wait for the preparation and measurement of quantum payment tokens. By employing a continuous-variable QKD (CV-QKD) system that eliminates the private amplification step, and two programmable optical switches, the complete quantum e-commerce transaction involving five parties is implemented. It achieves 411 times per second complete transactions in a trading network connected by five 80 km single-mode fibers, including the signing of three contracts and two independent currency payments. The involved CV-QKD has good compatibility with the coherent optical communication components and technology. The presented scheme paves the way for the practical application of quantum e-commerce and QDP.

2. QUANTUM E-COMMERCE AND QUANTUM-DIGITAL PAYMENTS

In quantum e-commerce, trusted third-party trading platforms (TTP-TPs) play a crucial role in the transaction process, such as the Amazon trading platform [51] and Taobao trading platform [52]. The merchants employ the TTP-TP to display and sell their goods. The clients browse and shop for their favorite items on them. During the transaction process, the bank serves as a trusted party to guarantee the security of payment for goods. The LC takes on the responsibility of transporting goods to ensure they reach the clients safely and on time. Ensuring the security of each step in the transaction process is the cornerstone of maintaining the security of the quantum e-commerce. The TTP-TP not only ensures the validity of the transaction between the merchant, the client, and the LC, but also provides nonrepudiation evidence to resolve any disputes that may arise among the three parties, i.e., traceability. For example, if clients find that the parameters or performances of the goods they receive do not match the description in the contract, they are entitled to request the merchant to provide a return or exchange service. The TTP-TP will monitor and guarantee the transaction items based on the appropriate evidences it obtains during the execution of the protocol.

The implementation process of the complete quantum e-commerce can be divided into six steps as shown in Fig. 1. Step 1: pre-distribution of keys; Step 2: the TTP-TP signs a subscription protocol with the merchant and the client; Step 3: the client pays the TTP-TP; Step 4: the TTP-TP signs a transport protocol with the merchant and the LC; Step 5: the TTP-TP signs a reception protocol with the LC and the client; Step 6: the TTP-TP deducts the commission as agreed and pays the remaining payment to the merchant. The specific procedure for each step is as follows.

(i) Pre-distribution of keys.We use the quadrature phase shift keying (QPSK) discrete-modulation CV-QKD system to distribute the key. The TTP-TP and the bank exploit the uniformly distributed binary quantum random number generator (QRNG) to generate two sets of modulation signals. The generated modulation signals are used to drive the in-phase quadrature (IQ) modulator that is operated in carrier suppressed single-sideband (CS-SSB) mode. The prepared sidemode coherent state can be represented as $| α_{k} ⟩ = | α \exp (i k π / 2) ⟩, k \in {0,1,2,3}$ . The modulation variance of the quantum signal is $V_{M} = 2 α^{2}$ [normalized to the shot noise units (SNUs)]. The TTP-TP employs a $1 \times 4$ programmable optical switch to route the quantum signals to different quantum channels in a time-division manner and distributes the keys to the merchant, client, LC, and bank, respectively. The bank sends the quantum signals directly to the client through an insecure quantum channel. For the receiving end, the client differs from the other participants in that it uses an additional $1 \times 2$ programmable optical switch to alternately receive the quantum signals from the TTP-TP and the bank. After receiving the quantum signals, the receivers independently perform heterodyne detection to extract the information in pilot tones for frequency and phase recovery. Based on this information, the raw keys are distilled. Subsequently, the TTP-TP performs a secure key rate estimation process and data reconciliation with all receivers except the bank (the private amplification step is removed here). Notice that the standard QPSK CV-QKD procedure including secure key rate estimation, data reconciliation, and private amplification is still performed between the bank and the client or TTP-TP.The process of the key pre-distribution involves five CV-QKD links. The links between the bank & client, and the TTP-TP & bank are intended for the execution of payment protocol I and payment protocol II, respectively. The links between the TTP-TP & merchant, the TTP-TP & client, and the TTP-TP & LC are used for the execution of the subscription, transport, and reception protocols. This design ensures that every step of the quantum e-commerce transaction is encrypted and verified with i.t.-security.
(ii) Subscription protocol.
- a.Merchant signature. In Fig. 2(a), the merchant uses the local QRNG to generate a random irreducible polynomial $p (x)$ . The merchant and TTP-TP extract a 3n-bit raw key string $K_{X}^{S}$ , and use n-bit of it $K_{X_{1}}^{S}$ to acquire a random initial column vector $s$ . The n-bit irreducible polynomial’s coefficients $p_{a}$ and the initial vector construct a random linear feedback shift register (LFSR)-based Toeplitz matrix $H_{n m}$ , where $n$ and $m$ are the numbers of rows and columns [53] (see further details in Appendix A). The merchant uses the matrix $H_{n m}$ to perform a hash operation on the subscription contract to obtain the hash value ${Hash}^{S} = H_{n m} \times W$ , where $W$ is the subscription contract, which includes the contract number, the basic information of both parties, merchant and client, the details of the goods, the liability for breach of contract, and other relevant information. The length of the subscription contract is $m$ . The merchant constructs the 2n-bit digest ${Dig}^{S} = ({Hash}^{S} | | p_{a})$ by concatenating the hash value and the coefficients of irreducible polynomial [38]. The signature is generated by encrypting the digest $S^{S} = {Dig}^{S} \oplus K_{X_{2,3}}^{S}$ with a 2n-bit key $K_{X_{2,3}}^{S}$ . Subsequently, the merchant sends the contract and the signature ${W, S^{S}}$ to the client over an authenticated classical channel.
- b.The client verifies the signature. Once the client receives the contract and signature, the information on the contract is checked. If the client does not agree with the content of the contract, the round of subscription is cancelled. Otherwise, they send the contract and signature to the TTP-TP through the authenticated classical channel. When TTP-TP receives the contract, it publishes the key $K_{Z}^{S} = K_{X}^{S} \oplus K_{Y}^{S}$ , where $K_{Y}^{S}$ is the key distributed between the TTP-TP and the client. The client recovers the 3n-bit key string $K_{X}^{S}$ , an expected digest, and irreducible polynomial’s coefficients by the XOR operation $K_{X}^{S} = K_{Y}^{S} \oplus K_{Z}^{S}$ , ${Dig}^{S} = S^{S} \oplus K_{X_{2,3}}^{S}$ , and then performs the same steps as the merchant signature to verify the consistency of the signature. If the validation passes, they inform TTP-TP of their result; otherwise they declare the round of subscription null and void.
- c.The TTP-TP verifies the signature. Once the TTP-TP receives the client’s validation result, they verify the consistency of the signature with the 3n-bit key $K_{X}^{S}$ . This process is implemented in the same way as the client’s validation. If the verification passes, the subscription protocol takes effect. Subsequently, the client pays the TTP-TP to execute the payment protocol I.
- (iii) Payment protocol I.During the payment process, the client must prevent malicious parties from attacking their bankroll, including the TTP-TP, which may illegally use the payment information provided by the client. To this end, we propose an efficient and simple QDP scheme that requires just one QKD link between the bank and the client and only the bank needs to verify the signature, as shown in Fig. 2(b). The detailed procedures are as follows.
  - a.The bank creates accounts and provides tokens. A secure e-account is a prerequisite for the client to make digital payments; the client applies for a credit card with the bank through an authenticated classic channel and gets a unique identifier (ID) $C_{ID}$ . The bank generates the cardholder token $C$ and encrypts it using the d-bit secure key string $K_{Y_{C}}^{P}$ , and then sends it to the client over an authenticated classical channel. Whenever a client initiates a payment request, the bank uses the h-bit secure key string $K_{Y_{P}}^{P}$ to encrypt a generated one-time payment token $P$ , and then sends the encrypted token to the client.
  - b.Client signature. The client signs the file $W_{P}$ consisting of the cardholder token $C$ , the payment token $P$ , the TTP-TP’s ID $T_{ID}$ , and the payment amount $M$ with the 3g-bit secure key $K_{Y}^{P}$ to get the signature $S_{C}^{P}$ . Then, they sends their ID and signature ${C_{ID}, S_{C}^{P}}$ to the TTP-TP. Next, the TTP-TP combines their own ID, the payment amount, and the information sent by the client ${T_{ID}, M, C_{ID}, S_{C}^{P}}$ to the bank.
  - c.The bank verifies the signature. Based on the information provided by TTP-TP, the bank locates cardholder token $C$ and payment token $P$ based on the client’s $C_{ID}$ , and verifies the signature with ${T_{ID}, M}$ . If the signature is verified correctly, the bank confirms the payment; otherwise it refuses the payment.
  - (iv) Transport protocol.Once the TTP-TP receives the required payment, they will notify the merchant to ship the goods. The LC signs a transport protocol with the merchant and sends the signature and contract to the merchant. The merchant verifies the contract and sends the signature of the LC and the contract to TTP-TP. The TTP-TP publishes the XOR key after it receives the relevant information. The merchant then verifies the signature. Subsequently, the TTP-TP performs the same signature verification operation and makes a decision based on signature consistency.
  - (v) Reception protocol.After the client receives the goods, the client signs a reception protocol with the LC to provide the official proof of reception and confirms that the delivery arrives without missing items or damaged goods, or later than the target date. The signing procedure of the reception protocol is similar to that of the subscription contract, requiring the signature of the client, verified by the LC and TTP-TP.
  - (vi) Payment protocol II.If the above signature is validated, the TTP-TP takes the appropriate commission and pays the remaining balance to the merchant. The details of the payment are similar to payment protocol I.

Figure 1.Schematic diagram of the quantum e-commerce. TTP-TP acts as a bridge among the merchant, the client, the LC, and the bank, with pre-distributed keys among all parties. It is necessary to pre-distribute keys among the bank and the client in order to safeguard the security of the payment. Firstly, the merchant and the client sign a subscription protocol. Next, the client and TTP-TP execute the payment protocol I. The merchant and the LC sign a transport protocol, and the goods are delivered to the clients. Finally, the LC and the client sign a reception protocol, and the TTP-TP takes a commission and executes payment protocol II.

Download full size

View all figures

Figure 2.Schematic diagrams of the subscription and payment protocols. (a) Subscription protocol. Firstly, the merchant drafts and signs the contract, and then sends the signature and the contract to the client. The client approves the contract and sends the merchant’s signature and contract to the TTP-TP. The TTP-TP publishes the key $K_{Z}^{S} = K_{X}^{S} \oplus K_{Y}^{S}$ . The client then verifies the signature. Once the validation of the signature is confirmed, the TTP-TP then performs another validation to ensure the legitimacy of the signature and the integrity of the contract. If the TTP-TP’s signature validation passes, the sign of the subscription protocol is complete. (b) Payment protocol I. The client creates an account at the bank and receives an identifier (ID) $C_{ID}$ . The bank generates a cardholder token $C$ based on each client’s ID. By using the d-bit secure key $K_{Y_{C}}^{P}$ , the bank encrypts the cardholder token $C$ and sends it to the client. The bank generates a one-time payment token $P$ and encrypts it using the h-bit secure key $K_{Y_{P}}^{P}$ , and then sends the encrypted token to the client. The client then signs the file $W_{P}$ consisting of the cardholder token $C$ , the payment token $P$ , the TTP-TP’s ID $T_{ID}$ , and the payment amount $M$ , and sends ${C_{ID}, S_{C}^{P}}$ to the TTP-TP. The TTP-TP combines the received information with their own private $T_{ID}$ and the payment amount $M$ , and forwards them to the bank. The bank verifies the signature and completes the payment.

Download full size

View all figures

3. SECURITY ANALYSIS

The three protocols signed in the quantum e-commerce scheme constitute a basis for clarifying the responsibilities of all parties during each transaction stage. This means that any falsification of goods, false denials of dispatch, and reception by the merchants, LC, and clients can be discovered. During the contract signing process, any party involved may be malicious. The remaining honest participants can collaborate with the TTP-TP to defeat the potential attack that the malicious party may initiate. Additionally, during the payment process, we must be alert to the possible fraudulent behavior by payees, while not ignoring the potential eavesdroppers who may attempt to intercept the payment information. In this section, we take the subscription protocol as an example (the security of the three contract signing protocols is equivalent), analyze the repudiation and forgery attacks that a malicious eavesdropper might implement, and analyze the robustness of the protocol when all participants are honest. We also consider potential threats that could be implemented by the payees or eavesdroppers during the payment, including modification of the payment amount, double spending, and modification of the receiving account, and consider the robustness of the payment protocol. Furthermore, we investigate the contract signing rate, the payment rate, and the transaction rate of quantum e-commerce.

A. Repudiation

In the case of a subscription protocol, if the merchant attempts to repudiate the transaction through a repudiation attack, even if the signature fails to pass the rigorous validation of the TTP-TP, we consider the merchant to have successfully executed a repudiation strategy for that transaction as long as it is acknowledged by the client. Both the client and TTP-TP are treated as trustworthy against possible repudiation attacks by the merchant. The client relies on the information disclosed by the TTP-TP, $K_{Z}^{S}$ , in conjunction with their own key, $K_{Y}^{S}$ , to derive the 3n-bit key $K_{X}^{S} = K_{Y}^{S} \oplus K_{Z}^{S}$ and then verify the signature. The TTP-TP uses the 3n-bit key string, $K_{X}^{S}$ , which is distributed directly with the merchant, to verify the signature. The TTP-TP and client use exactly the same key bits to verify the signature and therefore make consistent decisions. The repudiation attack only succeeds if the client sends the contract and signature to the TTP-TP in error. The bounds for successful repudiation are $ξ_{rep}^{S} = ξ_{C}$ . We assume the failure probability of information transmission over the classical channel is $ξ_{C} {= 10}^{- 11}$ .

For the payment protocols, it makes no sense to deny the payment operation. The only meaningful attack the payers can perform is to change the payment amount $M$ . Once the bank verifies the consistency of the signatures, it will make the payment based on the amount provided by the payee, rendering this attack ineffective.

B. Forgery

For a forgery attack of the subscription protocol, the client attempts to forge a contract and signature and cheats the TTP-TP to accept it. The TTP-TP will not release any information about the key $K_{Z}^{S}$ until they receive the contract document and the merchant’s signature sent by the client. The client cannot obtain the key bits $K_{X}^{S}$ used for the merchant’s signature until the contract and signature are sent. Moreover, the client will not get any information from the signature of the previous round because the LFSR-based Toeplitz matrix and the encryption key are refreshed in each round. The only thing the client can do is to guess the merchant’s key or the irreducible polynomial $p (x)$ that forms the LFSR-based Toeplitz matrix. (Our protocol has no private amplification step. Any attacker may get partial information about the key.) Next, we quantify the leakage and give bounds on the maximum probability that the client guesses the n-bit key [30]. We consider the collective attack in the asymptotic case, where the client performs independent interactions on the merchant’s quantum state to obtain a system $ρ_{C}^{x}$ , and performs the positive operator-valued measure (POVM) ${E_{C}^{x}}_{x}$ on it. The probability that the client guesses the right n-bit key $Q$ can be given by [54] $P_{guess} (Q | C) = \max_{{E_{C}^{x}}_{x}} Σ_{x} P_{x} tr (E_{C}^{x} ρ_{C}^{x}) {= 2}^{- H_{\min} {(Q | C)}_{ρ}},$ (1)where $C$ is the client’s attack system; $H_{\min} {(Q | C)}_{ρ}$ is the minimum entropy. The n-bit key string $Q$ is generated in the pre-distribution phase; then $H_{\min} {(Q | C)}_{ρ}$ can be evaluated, and the above equation can be rewritten as $P_{guess} (Q | C) {= 2}^{- ℜ_{n}} .$ (2)

This means that the maximum probability that the client guesses the n-bit key string correctly is $2^{- ℜ_{n}}$ , where $ℜ_{n}$ is the unknown information in the n-bit key string $Q$ . According to the key rate calculation formula in the asymptotic case, it is given by [55,56] $ℜ_{n} = n k^{\infty},$ (3) $K^{\infty} = \min_{ρ_{A B} ϵ S} D (G (ρ_{A B}) ‖ Z [G (ρ_{A B})]) - p_{pass} δ_{EC},$ (4)where $D (ρ ‖ σ) = Tr (ρ \log_{2} ρ) - Tr (ρ \log_{2} σ)$ is the quantum relative entropy; $G$ represents a map that is positive and trace non-increasing for post-processing processes. $ρ_{A B}$ denotes the joint state of the transmitter and the receiver after the quantum state of the transmitter has been transmitted through an insecure quantum channel. The set $S$ contains all density operators that are compatible with the experimental observations. $Z$ denotes a pinching quantum channel for achieving key mapping results. $p_{pass}$ is the probability of sifting a raw key. $δ_{EC}$ is the leakage information during error correction. Based on the probability that the client guesses the n-bit key string $Q$ correctly, we can quantify the upper bound of the probability that the client guesses the irreducible polynomial and forges a message for the TTP-TP as [30] $ξ_{for} = m \cdot 2^{1 - ℜ_{n}} .$ (5)

Equation (5) gives the optimal attack strategy for the client (see Appendix B for the details).

There are two type of forgery attacks against the payment protocols.

Forgery attack type I: the payee fabricates a fictitious payment amount and forges the payer’s signature, with the intention of collecting payments that exceed the agreed amount between the parties. Further, the malicious eavesdroppers may attempt to forge payee account IDs and payer signatures to obtain illicit funds. These attack strategies are similar to the client forgery attack against the subscription protocol. In the subscription protocol, the client can obtain the contract and signature information provided by the merchant. In contrast, the payee and malicious eavesdroppers can only acquire the signature of the payer and partial information related to the file $W_{P}$ in the payment protocol. The attack capabilities of the payee and malicious eavesdroppers are relatively limited, and the security bound of the subscription protocol remains applicable. Thus, the security bounds for such an attack are given by $ξ_{p} = m^{'} \cdot 2^{1 - g},$ (6)where $m^{'}$ is the length of the file $W_{P}$ .

Forgery attack type II: the malicious party may attempt to implement double spending using the signature. Notice that this is virtually impossible because the payer’s cardholder token and the payment token are not publicly available, and the payment token and signature bit are refreshed every round. In this case, getting all guesses exactly right is an almost impossible event, rendering this attack negligible.

C. Robustness

Given that all participants are trustworthy, the subscription protocols may still face the possibility of unexpected failure under certain conditions, that is, the error correction process in the pre-distribution of keys, and the use of classical authentication channels to send and disclose information. Although the failure probability of these two cases is very small, it still needs to be taken into account. During the pre-distribution of keys, the TTP-TP and the merchant (or the client) perform the error correction to obtain a final identical key, with a failure probability not exceeding $ξ_{EC}$ . Furthermore, the failure probability that they send key $K_{Z}^{S}$ , or contracts and signatures over a classical authentication channel does not exceed $ξ_{C}$ . If any of the above aspects fails, it will result in the failure of the contract signing. Therefore, the bound of terminating the protocol when all participants are honest is $ξ_{rob}^{S} = 2 ξ_{EC} + 3 ξ_{C}$ . In experiment, we assume the failure probability of the error correction $ξ_{EC} {= 10}^{- 11}$ .

The robustness of the payment protocol is similar to that of the subscription protocol. The payment protocol includes one QKD link and four classical channel links. Thus, the bound of the robustness is $ξ_{rob}^{P} = ξ_{EC} + 4 ξ_{C}$ .

There is no more than one malicious party in each round of the subscription protocol, i.e., at most one of the two attacks can occur. We can write the maximum probability that the transaction will fail and the security bound is given by $ξ_{tot} = 3 m \cdot 2^{1 - ℜ_{n}} + 2 m^{'} \cdot 2^{1 - g} .$ (7)

D. Rate

For a single protocol, the optical switch will switch between two participants (merchant & client, or merchant & LC, or LC & client). The signing rates for the subscription protocol, the transport protocol, and the reception protocol are given by $R_{s_{y}} = \frac{R u}{2 (3 n_{y})},$ (8) $u = (1 - a) (1 - FER),$ (9)where $R$ is the repetition rate of the system, $3 n_{y}, y \in {1,2,3}$ is the consumed key bits for signing the subscription protocol, the transport protocol, and the reception protocol, respectively, $a$ is the ratio of the raw data consumed by the parameter estimation, and FER is the frame error rate during the error correction process. In the experiment, we have set the security bound $ξ_{for} = 2 \times 10^{- 10}$ for each protocol. According to Eq. (5), we can determine the amount of unknown key $ℜ_{n}$ consumed during the signing process. From Eqs. (3) and (4), the $n_{y}$ -bit key consumption for each signing can be determined. The factor 2 arises from the switching of the optical switch between two participants.

The QDP rate is given by $R_{p_{j}} = \frac{R u k^{\infty}}{3 g_{j} + h},$ (10)where $R_{p_{j}}, j \in {I, II}$ are the payment rates for payment protocol I and payment protocol II, respectively. In Eq. (10), we do not take into account the d-bit key consumed by the encrypted cardholder $C$ , as it is used only once. The QDP utilizes secure keys to encrypt one-time payment tokens $P$ and sign the file $W_{P}$ ; thus in each QDP process, we only need to consider the consumption of secure keys.

Considering the time multiplexing due to the optical switches and the serial operation of the subscription protocol, the payment protocol II, the transport protocol, and the reception protocol, the transaction rate of the quantum e-commerce is given by $R_{e} = \frac{1}{\frac{1}{R_{p_{II}}} + \frac{1}{R_{s_{1}}} + \frac{1}{R_{s_{2}}} + \frac{1}{R_{s_{3}}}},$ (11)where $1 / R_{p_{II}}$ , $1 / R_{s_{1}}$ , $1 / R_{s_{2}}$ , and $1 / R_{s_{3}}$ are the time consumption for a single run of the corresponding protocols. Because the payment protocol I is running in parallel with other protocols, it is not included in Eq. (11), as shown in Fig. 3(a).

Figure 3.Experimental quantum e-commerce. (a) Time allocation of the optical switches. We evenly divide the working time of the optical switches into seven intervals. The subscription protocol, the transport protocol, and the reception protocol are allocated two intervals each, while the payment protocol II occupies one interval. During the time slot when the TTP-TP is conducting key distribution with the client, the bank and the client will suspend their key distribution operations. Outside of this time slot, the bank and the client will recover their key distribution. (b) Experimental setup. The TTP-TP prepares quantum states and sends them to the merchant, the client, the LC, and the bank, respectively. Moreover, the bank sends the prepared quantum states to the client. After receiving the quantum signals, they measure both quadratures of the quantum states using heterodyne detection. By data post-processing, keys are shared between the parties. Then the quantum e-commerce is implemented following the procedures in Section 2. IQ, in-phase and quadrature modulator; BS, beam splitter; PD, photoelectric detector; HD, heterodyne detector; VOA, variable optical attenuator; OS, optical switch; PC, polarization controller.

Download full size

View all figures

4. EXPERIMENT AND RESULTS

A. Experimental Setup

The experimental setup of the quantum e-commerce is shown in Fig. 3(b). In the experiment, we employ time-division multiplexing (TDM) and frequency-division multiplexing (FDM) techniques to construct an efficient point-to-multipoint CV-QKD system, and achieve effective isolation of the pilot tone from the quantum signals. A continuous-wave single-frequency laser at wavelength of 1550.12 nm (NKT Koheras BASIK X15) is injected into an IQ modulator (iXblue MXIQER-LN-30) to generate quantum signal with QPSK modulation and the pilot tone. The DC bias voltage of the IQ modulator is controlled by a commercial automatic locking module. The pilot tone and the quantum signal (repetition rate 625 MHz) are configured with 800 MHz frequency intervals [Fig. 4(a)]. This arrangement allows simple and accurate frequency and phase recovery for quantum signals. The radio frequency (RF) electrical signals loaded onto the IQ modulator are generated by converting the digital signals into analogue signals using an arbitrary waveform generator with a 12.5 Gsamples/s sampling rate (AWG, Tektronix, AWG70002A). A $1 \times 4$ programmable optical switch is placed after the IQ modulator to route the quantum signals to different quantum channels. A variable optical attenuator is added to the output port of transmitter to adjust the modulation variance of each quantum signal. The prepared quantum signals are sent to the merchant, the client, the LC, and the bank via four independent 80 km standard single-mode fibers, respectively.

Figure 4.Digital signal processing in the quantum e-commerce. (a) Generation of the quantum signal and the pilot tone at the transmitter. The TTP-TP and the bank generate modulation signals with quantum true random numbers, which are boosted to a sampling rate of 12.5 Gsamples/s by upsampling. Then, the upsampling signals are pulse shaped and frequency up-shifted to 1.2 GHz. Finally, the pilot tone (400 MHz sinusoidal signal) is added in. (b) Extraction of the quantum signal at the receiver. The fast Fourier transform (FFT) transforms the acquired signal into frequency domain to retrieve the frequency of the pilot tone. The quantum signal and the pilot tone are downconverted to the baseband and low-pass filtered to eliminate the out-of-band noises. The phase of the quantum signal is recovered using that of the pilot tone.

Download full size

View all figures

At the receiver site, the participants use a manual polarization controller to recover the polarization state of the quantum signal to enable interference between the quantum signal and the local local oscillator (LLO) [57 –63]. The participants independently prepared their LLO with a frequency interval of 2 GHz to the quantum signal, and the power of the LLO is 4 mW. This not only significantly reduces the interference of low-frequency noise on the quantum signal, but also circumvents the adverse effects of the negative first-order sidebands [64]. Subsequently, the signal interferes with the LLO at a 50:50 optical fiber coupler and the interfered optical signals are directly fed into a heterodyne detector with a bandwidth of 1.6 GHz (HD, Thorlabs, PDB480C-AC). The output signals from the heterodyne detector are sampled by a 6.25 Gsamples/s oscilloscope (MSO, Tektronix, MSO64B) and stored on the computer’s hard disc for digital signal processing (DSP). In addition, the bank acts as a receiver as well as a transmitter. A 10/90 passive beam splitter is employed to split a small portion of the LO for the preparation of quantum states with QPSK modulation. The preparation process of the quantum state is similar to that of the TTP-TP. The prepared quantum signals are sent to the client via an 80 km standard single-mode fiber. In order to receive the quantum signals from the TTP-TP and the bank with a single HD, a $1 \times 2$ programmable optical switch is used to route the quantum signals.

B. Digital Signal Processing

Figure 4 shows the DSP procedures used to generate and extract the quantum signals [65]. The modulation signals are upsampled (12.5 Gsamples/s) and pulse shaped using a digital rising cosine (RC) filter with a roll-off factor of 0.2. Then, it is frequency up-shifted to 1.2 GHz and summed with the pilot tone (400 MHz sinusoidal signal) to form the final digital signal. The spectrum of the digital signal is depicted in Fig. 4(a). The QPSK coherent states generated are given by $| α ⟩ = | x + i p ⟩ \exp (i ω t) = | [x \cos (ω t) - p \sin (ω t)] + i [x \sin (ω t) + p \cos (ω t)] ⟩,$ (12)where $x \cos (ω t) - p \sin (ω t)$ and $x \sin (ω t) + p \cos (ω t)$ are the real and imaginary parts of the complex amplitude of the coherent states, which are proportional to the generated $I$ and $Q$ digital signals, respectively.

The acquired signals from the HD are transformed into frequency domain by fast Fourier transform (FFT). The power spectra of the electronic noise, shot noise, quantum signals, and pilot tone at the receiver are shown in Fig. 4(b). Based on the estimated optical frequency offsets between the transmitter and receiver, the pilot tone and quantum signal are down-converted and low-pass filtered to remove the out-of-band noise. Subsequently, the pilot tone is used to recover the phase of the quantum signal. In order to estimate the frequency deviation and phase fluctuation accurately, the signal to noise ratio of the pilot tone in our experiments is set to around 32 dB.

C. Experimental Results

The experimental parameters of the quantum e-commerce over 80 km standard single-mode fibers are listed in Table 1. In order to optimize the performance of the protocol, the experimental modulation variance at the transmitter is optimized by the theoretical simulation. From Table 1, we see that the detection efficiency and excess noise are the key factors affecting the key rate at the same transmission loss. The signing rate is limited by the minimum key rate, by which we can determine a signing rate of $1.51 \times 10^{3}$ for signing a 33 kilobits file with $2 \times 10^{- 10}$ security bound.Table 1.

Experimental Parameters of the Quantum e-Commerce at 80 km Single-Mode Fiber^a

Participants	$V_{M} (SNU)$	$v_{el} (SNU)$	$η (%)$	$ε (SNU)$	$ℜ$ or $K_{p}$ (bits per second)	Protocol	$R_{s_{y}}$ or $R_{p_{j}}$ (times per second)
TTP-TP & merchant	1.00	0.22	0.52	0.0056	$4.13 \times 10^{5}$	Subscription protocol	$1.43 \times 10^{3}$
TTP-TP & LC	1.01	0.22	0.61	0.0050	$5.38 \times 10^{5}$	Transport protocol	$1.43 \times 10^{3}$
TTP-TP & client	1.00	0.24	0.49	0.0039	$4.38 \times 10^{5}$	Reception protocol	$1.51 \times 10^{3}$
TTP-TP & bank	1.01	0.26	0.50	0.0064	$4.14 \times 10^{5}$	Payment protocol I	$1.96 \times 10^{3}$
Bank & client	1.04	0.24	0.49	0.0110	$3.00 \times 10^{5}$	Payment protocol II	$2.70 \times 10^{3}$

$V_{M}$ , modulation variance of the quantum signal; $v_{el}$ , electronic noise for heterodyne detection; $η$ , detection efficiency; $ε$ , excess noise; $ℜ$ , unknown bits per second distributed between the TTP-TP & merchant, TTP-TP & LC, and TTP-TP & client; $K_{p}$ , secret key rate of TTP-TP & bank and bank & client; $R_{s_{y}}$ , the signing rate for signing a 33 kilobits file with security bound $2 \times 10^{- 10}$ ; $R_{p_{j}}$ , payment rate with security bound $2 \times 10^{- 10}$ .

The experimental excess noise of the quantum commerce between different participants at 80 km single-mode fiber is shown in Fig. 5. Thirty data blocks, corresponding to an operation time of 8 h, are shown. For each experimental point, a data size of $5.12 \times 10^{8}$ is used to estimate the excess noise. The average excess noises for the TTP-TP & merchant, TTP-TP & LC, TTP-TP & client, TTP-TP & bank, and bank & client are 0.0056, 0.0050, 0.0039, 0.0064, and 0.011 SNUs, respectively. The results indicate that the excess noise of the system is suppressed to a low level and can keep stable. The main source of excess noise contribution to the system is the phase noise between the LLO and the quantum signal.

Figure 5.Excess noise of the CV-QKD between different participants at 80 km single-mode fiber. The solid circles denote experimental points; the dashed line indicates the average value of the excess noise.

Download full size

View all figures

Figure 6 shows the results of contract signing rate, payment rate, and transaction rate as a function of distance in quantum e-commerce. The signing rates of the subscription protocol, transport protocol, and reception protocol are depicted in Fig. 6(a). The blue solid line is the theoretical simulation using the experimental parameters. The red circle, purple triangle, and green pentagram are the experiment results. In Fig. 6(b), the payment rates for the payment protocols I and II are shown. The payment rates take into account the secure key consumption of the payment tokens and signing. By using Eq. (11) and the experimental parameters, the transaction rate of the complete quantum e-commerce is determined to 411 times per second, as depicted in Fig. 6(c). It consists of the signing of three files and two digital payments. Most of the time, the key distribution between the bank and client can operate in parallel with the key distribution between the TTP-TP & merchant, LC, and bank; therefore no additional time overhead is required.

Figure 6.Contract signing rates, payment rates, and transaction rates versus the distance in quantum e-commerce. (a) Signing rates for the subscription protocol, the transport protocol, and the reception protocol. (b) Payment rates for the payment protocol I and payment protocol II. (c) Transaction rates for the complete quantum e-commerce. The solid line denotes the result of the theoretical simulation. Circles, triangles, and pentagrams denote the experimental results.

Download full size

View all figures

The transaction rate between the quantum e-commerce and the size of the signature file is depicted in Fig. 7. The shadow areas indicate the transaction rates for different sizes of files at higher security levels of $ξ_{tot} {< 10}^{- 9}$ . For the same level of security, the larger the signature file, the lower the transaction rate for the quantum e-commerce. Moreover, when the size of signature files increases to $10^{7}$ bits, the transaction rate starts to present a linear reduction with the size of the signature files.

Figure 7.Transaction rate versus the signature file size in quantum e-commerce. The blue line indicates the transaction rates of a complete quantum e-commerce with $10^{- 9}$ security level at 80 km single-mode fiber. The shadow area denotes a higher security level of $ξ_{tot} {< 10}^{- 9}$ . For a file of 100 megabits size, we can still achieve a secure transaction rate of 341 per second.

Download full size

View all figures

5. DISCUSSION AND CONCLUSION

In our complete quantum e-commerce scheme, we assume that the third-party trading platform (TP-TP) is trusted. On the one hand, the e-commerce trading platforms are tightly regulated by the government. On the other hand, just as in classical e-commerce, the clients will judge the credibility of a trading platform by checking the credit qualification (certification) and users’ comments. Both merchants and clients tend to choose the TP-TP with good reputations for transactions. Therefore, the credibility of TP-TP is a reasonable assumption and crucial for the practical application of quantum e-commerce. Additionally, the TTP-TP can be treated as untrusted TP-TP. In the decentralized scheme [39], the untrusted TP-TP does not obtain the client’s key before the client receives the merchant’s contract and signature. Therefore, our scheme needs to change the structure of the key distribution; more precisely, the signer distributes keys to the untrusted TP-TP and the signature verifier. Then, after rigorous analysis of the potential attacks that the TTP-TP may carry out, which are equivalent to the forgery attacks that the signature verifiers implement, our scheme can be easily adapted to be decentralized in principle.

During the execution of the subscription, transport, and reception protocols, we use the shared keys by TTP-TP and the participants after the error correction and the privacy amplification step is not implemented. Given that the key length used in the signing process is relatively short, the finite size effect has a significant impact on the security. In our present work, we primarily focus on the design and proof-of-principle experimental verification of the QDP and quantum e-commerce schemes; the finite size effect will be investigated in our future research.

We propose and experimentally demonstrate a complete quantum e-commerce scheme based on an efficient and practical QDP method with i.t.-security. The quantum e-commerce scheme consists of subscription, payment, transport, and reception stages and involves five parties. It guarantees integrity, authentication, nonrepudiation, traceability, and impartiality during the transaction process. By choosing the Taobao seller service agreement as an example, our experimental system is capable of supporting 411 times transactions per second. The transactions rate can be improved by exploiting higher speed quantum communication systems in the future. For the future quantum Internet, various quantum enabled technologies and applications are essential. Our scheme advances the field of practical quantum e-commerce.

Category: Quantum Optics

Received: Aug. 21, 2024

Accepted: Dec. 5, 2024

Published Online: Feb. 14, 2025

The Author Email: Yongmin Li (yongmin@sxu.edu.cn)

DOI:10.1364/PRJ.540123