Efficient Quantum Digital Signatures without Symmetrization Step

Quantum digital signatures (QDS) exploit quantum laws to guarantee non-repudiation, unforgeability and transferability of messages with information-theoretic security. Current QDS protocols face two major restrictions: the requirement of a symmetrization step with additional secure classical channels, and quadratic scaling of the signature rate with the probability of detection events. Here, we present an efficient QDS protocol that overcomes these issues by utilizing a classical post-processing operation called the post-matching method. Our protocol does not need the symmetrization step, and the signature rate scales linearly with the probability of detection events. Simulation results show that the signature rate is three orders of magnitude higher than the original protocol in a 100-km-long fiber. This protocol is compatible with existing quantum communication infrastructure; we therefore anticipate that it will play a significant role in providing digital signatures with unconditional security.


I. INTRODUCTION
Cryptography is essential for countless applications that rely on non-repudiation, integrity and confidentiality of data. The two pillars of modern cryptography are encryption and digital signatures [1], where encryption guarantees confidentiality and digital signatures provide integrity and non-repudiation. Traditionally, public-key cryptography algorithms, such as the Rivest-Shamir-Adleman algorithm [2], are designed to simultaneously provide encryption and digital signature services. However, because they rely on the computational difficulty of certain mathematical problems, public-key cryptosystems are usually vulnerable to quantum computing attacks [3]. Quantum key distribution (QKD) allows two remote users to share a secret key string with information-theoretic security [4,5]. By combining one-time pad encryption [6] and QKD, one can implement information communication with perfect confidentiality [7]. In addition, the direct transmission of private information is made possible in principle by quantum encryption [8].
Digital signatures are widely applied in e-mails, electronic commerce and software distribution to ensure data integrity and non-repudiation [9]. Similar to QKD used for encryption service, quantum digital signatures (QDS) are expected to provide information-theoretic security to sign documents. The first QDS protocol was proposed in 2001 [10], but it is unfeasible because of challenging experimental requirements. Over the following decade or so, great efforts were made in developing QDS protocols, and an important achievement was the removal of the requirement of quantum memory [11-15]. Nevertheless, the security analysis of the early QDS protocols is based on secure quantum channels, i.e., there is no eavesdropping, which is a conflicting assumption. In 2016, two independent QDS protocols were proposed and proved to be secure against general attacks without the assumption of secure quantum channels [16,17]. Importantly, their experimental devices and techniques have already been widely employed in QKD. These two protocols are important steps towards practical QDS [9]. The one in [16] is based on non-orthogonal encoding. The other [17] utilizes orthogonal encoding, which results in the need for an additional symmetrization step in the protocol. In addition, great achievements have been made in the experimental and theoretical research of information-theoretically secure QDS [18-29], including the field test of measurement-device-independent (MDI) QDS [21]. For the orthogonal encoding based protocol [17] (see also [18,27]), the need for the symmetrization step, which requires an additional secure classical channel, is the main issue. Currently, secure classical channels can only be realized by combining QKD and one-time pad encryption. The symmetrization step will consume $6L$ bits of secret key generated by QKD if one uses $L$ bits as the signature [21].
In particular, in the worst case where the signer is located in the middle of two receivers, the low secret key rate of QKD between the two receivers severely limits the real-time signature rate of QDS. Besides, in a quantum network with $J$ users, there will be a need for $J(J-1)/2$ secure classical channels [22], which is an unrealistically high number in a real quantum network. The non-orthogonal encoding based protocol [16] does not require the symmetrization step. However, the signer has to send the same quantum states to two receivers. Only coincidence detection events, i.e., events in which the two receivers both have a click, are valid events. Let $\eta$ be the probability that one receiver has a click; if the signer sends $N$ quantum states to the two receivers, there will be only $\eta^2 N$ valid events. Therefore, the signature rate scales quadratically with the probability of detection events.
Here, inspired by the original protocol in [16], we propose an efficient quantum digital signature protocol without the symmetrization step. A novel classical post-processing operation called the post-matching method is exploited in our protocol. With the help of the post-matching method, the requirement of coincidence detection is removed. Given that the signer sends $N$ quantum states to the receivers, there will be $\eta N$ valid events. Therefore the signature rate scales linearly with the probability of detection events. Simulation results show that the signature rate of our scheme is 2 or even 3 orders of magnitude higher than that of Ref. [16] in the large attenuation case, and is comparable to that of the orthogonal encoding based protocol.

II. PROTOCOL DESCRIPTION
There are three participants in our protocol, namely the signer Alice and the receivers Bob and Charlie. As determined by Alice, either Bob or Charlie can be the authenticator of the signature, and the other becomes the verifier. There are noisy insecure quantum channels connecting Alice-Bob and Alice-Charlie, and authenticated classical channels between the three participants. There are three stages in our protocol: key generation, estimation and messaging. In our protocol, the three stages can be performed separately, which means the participants can generate raw keys and store them for a long time, and continue with the estimation and messaging stages whenever Alice wants to sign a message. This makes our protocol more practical.
Our protocol exploits non-orthogonal encoding to generate logical bits [30]. There are four quantum states: where the first state in each set is encoded with bit value 0 and the second is encoded with 1. Alice randomly sends quantum states to the receivers and assigns each quantum state to a set. The receivers randomly choose the Z or X basis to perform a polarization measurement on each quantum state. If the measurement outcome is orthogonal to one of the states in the set, the receiver obtains a conclusive result with bit value 0 or 1; otherwise the receiver obtains an inconclusive result, denoted by $\perp$. Note that the set assigned by Alice should contain the quantum state she sent. For example, if Alice sends $|H\rangle$, she should assign it to the set $\{|H\rangle, |+\rangle\}$ or $\{|-\rangle, |H\rangle\}$. When she assigns it to the set $\{|H\rangle, |+\rangle\}$ and Bob's measurement outcome is $|-\rangle$ ($|V\rangle$), Bob obtains a conclusive result with bit value 0 (1).
The decoy-state method [31,32] with three intensities is exploited to deal with the photon-number-splitting attack on a coherent state source. Data from the decoy state and vacuum state will be used for parameter estimation, and only data from the signal state will be used as test bits and secret keys. The setup for our QDS protocol is presented in Fig. 1. In the following part of the paper, we use the superscripts $c$, $u$, $t$, $*$ and an overline (underline) to denote conclusive results, untest bits, test bits, the expected value and the upper bound (lower bound) of the expected value, respectively. We also use the subscripts $P$ ($P \in \{A, B, C\}$), 11 and $\lambda$ ($\lambda \in \{\mu, \nu, 0\}$) to denote Alice (Bob, Charlie), single-photon pair components and intensity, respectively. Detailed descriptions of our protocol are given below.
1. Key generation. (1) Alice randomly selects a quantum state from $\{|H\rangle, |V\rangle, |+\rangle, |-\rangle\}$ with equal probability and an intensity from $\{\mu, \nu, 0\}$ (signal, decoy and vacuum state) with probabilities $p_\mu$, $p_\nu$ and $p_0$, respectively. For each possible message $m$ ($m = 0$ or 1), Alice prepares two different quantum state sequences of length $N$, namely $A_{B,m}$ and $A_{C,m}$. Alice sends $A_{B,m}$ to Bob and $A_{C,m}$ to Charlie through insecure quantum channels.
(2) For each quantum state, Bob and Charlie randomly choose the X or Z basis to perform a polarization measurement. Bob announces all the click events in $A_{B,m}$ through the authenticated classical channel. Alice and Bob discard all the data that has no click. They keep the remaining data of length $n$, denoted as $S_{AB,m}$ (kept by Alice) and $S_{B,m}$ (kept by Bob). Alice and Charlie perform the same step. As a result, Alice has four data strings $S_{AB,0}$, $S_{AB,1}$, $S_{AC,0}$ and $S_{AC,1}$, and Bob (Charlie) has two strings $S_{B,0}$ ($S_{C,0}$) and $S_{B,1}$ ($S_{C,1}$). Since Alice randomly and independently chooses quantum states, the quantum states that Bob and Charlie receive are uncorrelated.
(3) Alice announces the intensity information of all pulses. According to the intensity information, the three participants divide each of their data strings into three strings, namely the $\mu$ string, the $\nu$ string and the 0 string. For example, Bob divides $S_{B,m}$ into $S^{\mu}_{B,m}$, $S^{\nu}_{B,m}$ and $S^{0}_{B,m}$.
(4) For the data strings corresponding to each intensity $\lambda$ ($\lambda \in \{\mu, \nu, 0\}$), Alice takes $S^{\lambda}_{AB,m}$ as the reference and changes the order of elements in $S^{\lambda}_{AC,m}$. Denoting the reordered result as $S'^{\lambda}_{AC,m}$, Alice should make $S^{\lambda}_{AB,m}$ and $S'^{\lambda}_{AC,m}$ identical. Without loss of generality, she requests Charlie to change the order of elements in $S^{\lambda}_{C,m}$ into the same order. We call this the post-matching method. After post-matching, the data obtained by Bob and Charlie can be correlated. A detailed description of the post-matching method is given in Fig. 2.
(5) Using the rules for generating logical bits, Alice randomly assigns a set to each element in $S^{\lambda}_{AB,m}$. The three participants 'translate' their data strings into raw key strings denoted as $K^{\lambda}_{A,m}$, $K^{\lambda}_{B,m}$ and $K^{\lambda}_{C,m}$. Note that they do not announce which bits are conclusive results.
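The post-matching of step (4), and the $\eta N$ versus $\eta^2 N$ event counts from the introduction, as an added example that is not code from the paper. Fig. 2 is not reproduced on this page, so the greedy pairing, the dropping of unmatched leftovers, the single-intensity string, the click model and all function names are assumptions of this sketch.

```python
import random
from collections import defaultdict, deque

STATES = ("H", "V", "+", "-")  # the four polarization states named on the page

def sifted_states(n_pulses, eta, rng):
    """Alice's record (S_AB or S_AC) of the states whose pulses produced a click."""
    sent = [rng.choice(STATES) for _ in range(n_pulses)]
    return [s for s in sent if rng.random() < eta]

def post_match(s_ab, s_ac):
    """Pair each element of S_AB with an unused, equal element of S_AC.

    Returns (keep_b, order_c): the positions kept in the Alice-Bob string and
    the positions of the Alice-Charlie string, listed in the order that makes
    both strings identical. Only these indices are announced, never the states.
    """
    pool = defaultdict(deque)
    for j, state in enumerate(s_ac):
        pool[state].append(j)
    keep_b, order_c = [], []
    for i, state in enumerate(s_ab):
        if pool[state]:  # assumption: elements without a partner are discarded
            keep_b.append(i)
            order_c.append(pool[state].popleft())
    return keep_b, order_c

def coincidences(n_pulses, eta, rng):
    """Baseline of Ref. [16]: the same state goes to both receivers, both must click."""
    return sum(1 for _ in range(n_pulses)
               if rng.random() < eta and rng.random() < eta)

def compare(n_pulses=20000, eta=0.05, seed=1):
    """Constructed run: valid events with post-matching versus coincidence detection."""
    rng = random.Random(seed)
    s_ab = sifted_states(n_pulses, eta, rng)   # independent sequence sent to Bob
    s_ac = sifted_states(n_pulses, eta, rng)   # independent sequence sent to Charlie
    keep_b, order_c = post_match(s_ab, s_ac)
    aligned = all(s_ab[i] == s_ac[j] for i, j in zip(keep_b, order_c))
    return len(keep_b), coincidences(n_pulses, eta, rng), aligned

if __name__ == "__main__":
    matched, coinc, aligned = compare()
    print(f"post-matched: {matched}  coincidences: {coinc}  aligned: {aligned}")
```

Charlie applies `order_c` to his own measurement record, so after reordering his $i$-th outcome and Bob's $i$-th kept outcome refer to the same state on Alice's side.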
2. Estimation. (1) The signer Alice chooses the desired authenticator of the signature, and the other participant automatically becomes the verifier. Here we assume Bob is the authenticator. The three participants publicly announce all data of the $\nu$ strings and 0 strings and the value of $n_\lambda$ (the length of the $\lambda$ string). They estimate the bit error rate of single-photon pair components in the $\mu$ strings using the decoy-state method. The verifier Charlie randomly selects a proportion $t$ of the $\mu$ string as test bits and asks Alice to publicly announce the value of these bits. We denote the test bit strings as $K^{t}_{A,m}$, $K^{t}_{B,m}$ and $K^{t}_{C,m}$. Let $E^{ct}_{B}$ ($E^{ct}_{C}$) be the mismatch rate of conclusive results between $K^{t}_{A,m}$ and $K^{t}_{B,m}$ ($K^{t}_{A,m}$ and $K^{t}_{C,m}$). Bob and Charlie calculate $E^{ct}_{B}$ and $E^{ct}_{C}$. Note that when $E^{ct}_{B}$ or $E^{ct}_{C}$ gets too high, the signing process of this round is highly likely to fail. In this case they abort the protocol. In addition, Bob and Charlie calculate the proportion of conclusive results in $K_{B,m}$ and $K_{C,m}$, denoted as $P^{c}_{B}$ and $P^{c}_{C}$, respectively. If $P^{c}_{B}$ or $P^{c}_{C}$ shows a big deviation from the ideal value $\frac{1}{4}$, they will also abort the protocol. The three participants discard the test bits and keep the remaining untest bits in the $\mu$ strings with length $n^{u}$. We denote these untest bit strings as $K^{u}_{A,m}$, $K^{u}_{B,m}$ and $K^{u}_{C,m}$. They will be used as secret keys to sign the message in the messaging stage.
(2) Bob and Charlie announce $\{E^{ct}_{B}, P^{c}_{B}\}$ and $\{E^{ct}_{C}, P^{c}_{C}\}$. The three participants publicly negotiate to determine the values of the authentication security threshold $T_a$ and the verification security threshold $T_v$.
3. Messaging. (1) To sign a one-bit message $m$, Alice sends the message and the corresponding secret key $\{m, K^{u}_{A,m}\}$ to the authenticator Bob. Bob calculates the mismatch rate of conclusive results between $K^{u}_{A,m}$ and $K^{u}_{B,m}$, which is denoted as $E^{cu}_{B}$. If $E^{cu}_{B} < T_a$, Bob accepts the message and forwards $\{m, K^{u}_{A,m}\}$ to Charlie; otherwise he rejects the message and announces that the protocol is aborted.
(2) After receiving $\{m, K^{u}_{A,m}\}$ forwarded by Bob, Charlie calculates the mismatch rate of conclusive results $E^{cu}_{C}$ between $K^{u}_{A,m}$ and $K^{u}_{C,m}$. Charlie accepts the message if $E^{cu}_{C} < T_v$. When both Bob and Charlie accept the message, Alice has successfully signed the message.
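The messaging-stage checks above as an added example (not code from the paper): each receiver computes the mismatch rate only over his own conclusive positions and compares it with $T_a$ or $T_v$. The receiver-key model (conclusive with probability 1/4, 1% error), the threshold values, the random-guess forger and all names are constructed assumptions.

```python
import random

BOT = None  # inconclusive result, written ⊥ on the page

def receiver_key(k_a, p_conclusive, error_rate, rng):
    """Constructed model of K^u_B or K^u_C: a bit is conclusive with probability
    p_conclusive and, when conclusive, differs from Alice's with error_rate."""
    key = []
    for bit in k_a:
        if rng.random() < p_conclusive:
            key.append(bit ^ (rng.random() < error_rate))
        else:
            key.append(BOT)
    return key

def mismatch_rate(k_claimed, k_own):
    """E^cu: mismatches counted only where the receiver's own result is conclusive."""
    pairs = [(a, b) for a, b in zip(k_claimed, k_own) if b is not BOT]
    if not pairs:
        raise ValueError("no conclusive results to compare")
    return sum(a != b for a, b in pairs) / len(pairs)

def sign_and_verify(k_claimed, k_b, k_c, t_a, t_v):
    """Messaging stage: Bob authenticates against T_a, then Charlie verifies against T_v."""
    if not mismatch_rate(k_claimed, k_b) < t_a:
        return "rejected by Bob"
    if not mismatch_rate(k_claimed, k_c) < t_v:
        return "rejected by Charlie"
    return "accepted"

def charlie_accepts_guessed_key(k_b, k_c, t_v, rng):
    """A key built from Bob's own record with random guesses at his ⊥ positions."""
    guessed = [b if b is not BOT else rng.randrange(2) for b in k_b]
    return mismatch_rate(guessed, k_c) < t_v

def demo(n_u=4000, seed=7, t_a=0.05, t_v=0.10):
    """Constructed run: honest signing passes; a guessed key fails Charlie's check."""
    rng = random.Random(seed)
    k_a = [rng.randrange(2) for _ in range(n_u)]
    k_b = receiver_key(k_a, 0.25, 0.01, rng)
    k_c = receiver_key(k_a, 0.25, 0.01, rng)
    honest = sign_and_verify(k_a, k_b, k_c, t_a, t_v)
    return honest, charlie_accepts_guessed_key(k_b, k_c, t_v, rng)

if __name__ == "__main__":
    print(demo())
```

Because Bob's and Charlie's conclusive positions are independent in this model, roughly three quarters of the positions Charlie checks are ones Bob had to guess, which pushes the guessed key's mismatch rate far above any workable $T_v$.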

III. SECURITY ANALYSIS
In our protocol, Alice randomly chooses unrelated quantum states to send to Bob and Charlie. After post-matching, this is equivalent to Alice simultaneously sending the same quantum states to Bob and Charlie. To perform post-matching, Alice exposes information about the order, but does not leak information about the quantum states. In this case, eavesdroppers cannot obtain more information about the quantum states compared with the case where Alice actually sends two copies of the quantum states. Thus the security analysis of our protocol can directly follow the lines in Ref. [16]. In the three-participant scenario, transferability and non-repudiation are equivalent. Accordingly, there are three security criteria: robustness, security against forging and security against repudiation. For simplicity, we just briefly present our results. For more detail, refer to Ref. [16].
1. Robustness. The robustness means the probability of an honest abort $\varepsilon_{\rm rob}$. In the messaging stage, Bob rejects the message sent by Alice when $E^{cu}_{B} > T_a$. In the case of finite sample size, the robustness can be quantified by exploiting the random sampling without replacement theorem [33].
2. Security against forging. In a forgery attack, Bob sends the message he wishes to forge and its corresponding secret key $\{m, K_{BF,m}\}$ to Charlie. The forgery attack is successful if Charlie accepts Bob's forged message. An honest Bob knows only about $\frac{1}{4}$ of conclusive results in $K^{u}_{A,m}$. If Bob is an adversary, his optimal strategy is to acquire as much information as possible about the quantum states Charlie receives, which is equivalent to the eavesdropping attack of Eve in four-state Scarani-Acin-Ribordy-Gisin 2004 (SARG04) QKD with a two-photon source [30,34,35].
We assume only single-photon pairs that Alice sends to Bob and Charlie are secure. In this case, Bob and Charlie both receive a single photon. Using the Chernoff bound [36], the probability of a successful forgery attack $\varepsilon_{\rm for}$ can be given by where $E^{*}_{BF11}$ is the expected value of the minimum mismatch rate of conclusive results of the single-photon pair components between $K^{u}_{A,m}$ and $K^{u}_{BF,m}$, $T_{v11} = T_v n^{cu}/n^{cu}_{11}$ is the error rate threshold of single-photon pairs, $n^{cu} = (1-t)n^{c}_{\mu}$ is the number of conclusive results in $K^{u}_{C,m}$, $n^{cu}_{11} = (1-t)s^{c\mu}_{C11}$ is the number of single-photon pair components in $K^{u}_{C,m}$ and $s^{c\mu}_{C11}$ is the number of events in which Bob and Charlie both receive a single photon in the $\mu$ string and Charlie has a conclusive result.
To obtain the value of $E^{*}_{BF11}$, one should exploit the decoy-state method to estimate $s^{c\mu}_{C11}$ and $t^{c\mu}_{C11}$, where $t^{c\mu}_{C11}$ is the number of events in which Bob and Charlie both receive a single photon in the $\mu$ string, Charlie has a conclusive result, and his classical bit mismatches Alice's. We use $n^{P}_{\lambda}$ to denote the number of detection events of the participant $P$ with intensity $\lambda$ and $m^{P}_{\alpha}$ to denote the number of mismatching bits. The expected value of a parameter $x$ can be acquired by the variant of the Chernoff bound [33]: with $\beta = \ln\frac{1}{\varepsilon_1}$, where $\varepsilon_1$ is the failure probability of the Chernoff bound.
Considering separately the processes in which Alice sends pulses to Bob and to Charlie, we have and where $s^{\mu}_{B1}$ is the number of single-photon events in Bob's $\mu$ string and $s^{c\mu}_{C1}$ is the number of conclusive single-photon events in Charlie's $\mu$ string. $s^{c\mu *}_{C11}$ can be given by Substituting Eqs. (2) and (3), we have We also have and where $t^{c\mu}_{C1}$ is the number of single-photon errors of Charlie's conclusive results in the $\mu$ string with respect to Alice. $t^{c\mu *}_{C11}$ can be given by: Substituting Eqs. (6) and (7), we have
3. Security against repudiation. Alice successfully repudiates the message when Bob accepts the message while Charlie rejects it, i.e., $E^{cu}_{B} < T_a$ and $E^{cu}_{C} > T_v$. Alice does not know which bits are conclusive results for Bob (Charlie) and has to treat each bit in $K_{B,m}$ and $K_{C,m}$ with the same status. For Bob and Charlie, the difference between $E^{cu}_{B}$ and $E^{cu}_{C}$ can be restricted by inequalities of the relative Hamming distance. The upper bound of the relative Hamming distance between $K^{cu}_{B,m}$ and $K^{cu}_{C,m}$ (denoted by $\Delta^{cu}_{BC}$) can be given by using the random sampling without replacement theorem [33]. The probability of successful repudiation $\varepsilon_{\rm rep}$ can be given by where $A$ is the solution of the following equation and inequalities: The overall secrecy is: where $\varepsilon_2$ is the failure probability of random sampling without replacement.
The detection efficiency is 52%, the dark counting rate is $1.3 \times 10^{-7}$, the basis misalignment rate is 0.15%, the insert loss is 1.2 dB, and the loss coefficient of fiber is 0.194 dB/km.

IV. PERFORMANCE
In order to show the performance of our protocol, we simulate a fiber-based QDS system. Define the signature rate $R := \frac{1}{2N}$, where $2N$ is the minimum number of pulses required to securely sign a one-bit message. Fig. 3 shows the signature rate $R$ as a function of transmission distance. We consider the case where the channels between Alice-Bob and Alice-Charlie are symmetric.
The security bounds are set to $\varepsilon_{\rm for} \le 10^{-10}$, $\varepsilon_{\rm rob} \le 10^{-10}$, $\varepsilon_{\rm rep} \le 10^{-10}$ and $\varepsilon_1 = \varepsilon_2 \le (10^{-9} - 3 \times 10^{-10})/12$. We numerically optimize the minimum number of pulses required to securely sign a one-bit message over the free parameters $\{\mu, \nu, p_\mu, p_\nu, t\}$ with a global search algorithm. For a fair comparison, we simulate the performance of the original protocol in Ref. [16] with the same experimental parameters. As shown in Fig. 3, the solid red line represents the signature rate of this work and the blue dashed line represents the original QDS protocol. Our protocol requires far fewer pulses to sign a one-bit message. Specifically, at 50 km and 100 km, our protocol requires $3.3 \times 10^{8}$ and $3.4 \times 10^{9}$ pulses to sign a one-bit message, but the protocol in Ref. [16] requires $3.8 \times 10^{10}$ and $3.7 \times 10^{12}$ pulses. The signature rate of our protocol is 2 or even 3 orders of magnitude higher than the original protocol at long distance.
We also simulate the performance of the orthogonal encoding based protocol [17] with the cost of symmetrization taken into consideration. Assume Bob and Charlie utilize the three-intensity decoy-state BB84 QKD protocol to perform symmetrization. Define the effective signature rate $R_{\rm eff} := \min\{\frac{1}{2N}, \frac{R_{\rm QKD}}{6L}\}$, where $L$ is the length of the key generated by the key generation protocol in [17] and $R_{\rm QKD}$ is the secret key rate of QKD. Note that $\frac{6L}{R_{\rm QKD}}$ is the number of pulses required for QKD to perform symmetrization [21]. $R_{\rm QKD}$ is simulated by the key rate formula in [37], where we choose error-correction efficiency $f = 1.22$, data post-processing block size $N = 10^{10}$, secrecy $\varepsilon_{\rm sec} = 10^{-10}$ and the same experimental parameters as Fig. 3.
(Figure caption fragment: ... [17]. The security bounds and experiment parameters are the same as Fig. 3.)
Denote the angle between Alice-Bob and Alice-Charlie as $\theta$, the distance between Alice and Bob (Charlie) as $D_{AB}$ ($D_{AC}$), and the distance between Bob and Charlie as $D_{BC}$. In the symmetric case, $D_{AB} = D_{AC}$ and $D_{BC} = 2\sin(\frac{\theta}{2}) D_{AB}$. At short distance, where $R_{\rm QKD}$ is very high, $R_{\rm eff}$ is mainly determined by $\frac{1}{2N}$. When $\theta$ is close to $\pi$, the transmission distance of QKD ($D_{BC}$) increases much faster than $D_{AB}$. In this case, $R_{\rm eff}$ is determined by $\frac{R_{\rm QKD}}{6L}$ at long distance. We simulate the cases of $\theta = \frac{2}{3}\pi$ and $\theta = \pi$. As shown in Fig. 4, the signature rate of [17] is higher than that of our protocol at short distance, but when the distance between the two receivers is large, the signature rate will be severely limited by the low secret key rate of QKD in the symmetrization step. By contrast, the rate of our protocol decays much more slowly and our protocol has a significantly longer transmission distance.
In addition, the typical experimental parameters and corresponding signature rates of some recent QDS experiments are listed in Table I. This work shows a comparable performance with the orthogonal encoding based protocol [25] even though the latter does not execute the symmetrization step. We remark that the symmetrization step is essential to the complete protocol, as demonstrated in experiments [21,22].

V. CONCLUSION
In this paper, we have proposed a non-orthogonal encoding based efficient quantum digital signature protocol. A novel method called post-matching is applied, which can increase the signature rate from decaying with $\eta^2$ to $\eta$. Our protocol has a high signature rate and does not require the symmetrization operation, and thereby overcomes the major obstacles of existing QDS protocols. This protocol can be directly implemented with current commercially available QKD devices. Therefore, it should be the preferred solution to the application of QDS. This work is a great step for the development of quantum network with QDS. Moreover, we believe the key idea of post-matching method has the potential to be applied in various cryptographic tasks that require to establish multiparty correlations, such as multiparty quantum commu-

                        Ref. [19]  Ref. [21]  Ref. [22]  Ref. [26]  Ref. [25]  This work
Protocol                SARG04     MDI        MDI        BB84       BB84       SARG04
Repetition rate         75MHz      75MHz      1GHz       50MHz      1GHz       1GHz
Transmission distance   102