Secure and practical multiparty quantum digital signatures

Quantum digital signatures (QDSs) promise information-theoretic security against repudiation and forgery of messages. Compared with currently existing three-party QDS protocols, multiparty protocols have unique advantages in the practical case of more than two receivers when sending a mass message. However, complex security analysis, numerous quantum channels and low data utilization efficiency make it intractable to extend three-party protocols to the multiparty scenario. Here, based on a six-state non-orthogonal encoding protocol, we propose an effective multiparty QDS framework to overcome these difficulties. The number of quantum channels in our protocol depends only linearly on the number of users. The post-matching method is introduced to enhance data utilization efficiency and make it scale linearly with the probability of detection events even for the five-party scenario. Our work compensates for the absence of practical multiparty protocols, which paves the way for future QDS networks.


I. INTRODUCTION
Digital signatures can verify the authenticity of digital messages and have been widely applied in e-mail, e-commerce and software distribution [1]. As e-commerce becomes more and more significant in modern society, the need for unconditionally secure digital signatures against hacking attacks has arisen. Classical digital signatures offer security based on the computational complexity of mathematical problems [2][3][4][5]. However, the task of rapidly solving these mathematical problems becomes feasible when a quantum computer is available [6][7][8][9][10]. Fortunately, quantum digital signatures (QDSs) can offer information-theoretic security relying on quantum mechanics against adversaries who are supposed to have unbounded ability allowed by physics.
The first QDS protocol was proposed in 2001 [11], but it has some challenging requirements, such as secure quantum channels and long-term quantum memory. After that, the requirement of quantum memory was removed by converting the quantum signatures to classical information through quantum measurements, which brings QDS closer to real implementation [12][13][14][15][16]. However, the security analyses of early protocols still rely on secure quantum channels where there is no eavesdropping. To further improve practicality, two independent QDS protocols without secure quantum channels were proposed and proved to be secure, which are based on non-orthogonal encoding [17] and orthogonal encoding [18], respectively. After these two protocols, numerous excellent achievements of QDS have been made theoretically and experimentally [19][20][21][22][23][24][25][26][27][28][29][30][31][32][33][34][35]. Protocols based on orthogonal encoding [18,19,33] need an additional symmetrization step, which results in extra channels. Recently, drawing on the experience of the four-state Scarani-Acin-Ribordy-Gisin 2004 quantum key distribution (SARG04 QKD) protocol [36][37][38][39][40][41], a post-matching QDS protocol has been proposed based on non-orthogonal encoding [42]. It does not require an additional symmetrization step and also achieves better performance than the original protocol [17].
Current QDS protocols mostly focus on three-party communication, since a protocol involving more than two recipients raises three major concerns. The first one is the increased number of quantum communication channels [43]. When extending the orthogonal encoding protocol to multiparty scenarios, each pair of participants requires a quantum communication channel to symmetrize their secret keys. The $M$-party orthogonal encoding protocol requires $M(M-1)/2$ quantum channels. As $M$ increases, it becomes more complex and less practical to implement. The second one is the poor data utilization efficiency, leading to a low signature rate, if we expand the original non-orthogonal encoding protocol to multiparty scenarios. This is because the original non-orthogonal encoding protocol only considers coincidence detection events as valid events. For the $M$-party protocol, it requires all detectors of the $M-1$ recipients to click. Let $\eta$ be the probability that one recipient's detector clicks. When the signer sends $N$ quantum states to the recipients, there are only $N\eta^{M-1}$ valid events, which is far from enough to perform multiparty protocols. Besides, complex security analysis is also a difficulty to be overcome because there exists a situation where some participants collude with each other to deceive others [44]. Although the security analysis of multiparty quantum digital signature schemes based on orthogonal encoding has made progress [45,46], it does not give an exact example and concrete simulation results.

* Electronic address: hlyin@nju.edu.cn
† Electronic address: zbchen@nju.edu.cn
In this paper, we propose a six-state three-party QDS protocol to enhance performance of signature rate and stability with the help of its higher bit error rate threshold compared with [42]. Furthermore, considering that three-photon or even four-photon components of the six-state protocol can be used for the secure key, we extend this six-state protocol to four-party and five-party scenarios and overcome the difficulties above, as shown in Fig. 1. According to our multiparty QDS framework, we simulate the performance of our three-party, four-party and five-party QDS and give a comparison among them. It is the first practical multiparty QDS framework and we provide security analysis.

FIG. 1: Schematic diagrams of three-party, four-party and five-party protocol. The red line represents insecure quantum channel and the blue dash line is authenticated classical channel. $\theta$ is the angle between Alice-Bob and Alice-Charlie. a. Three-party protocol with $\theta = \pi/2$. b. Three-party protocol with $\theta = 2\pi/3$. c. Four-party protocol. d. Five-party protocol.

II. PROTOCOL DESCRIPTION
Let us start with the common notation. The 'signer' Alice assigns any one of the recipients as 'authenticator' and the other recipients become 'verifiers' automatically. For simplicity, we always let Bob be the authenticator. Note that in this article we consider the symmetric situation where the fiber lengths between Alice and each of the recipients mentioned in the following are equal. We will introduce detailed security analysis in Methods. In Table 1, we give a concise description of the framework.
Three-party protocol. We take the three-participant scenario as an example and describe all processes in detail. Alice chooses Bob as authenticator and Charlie becomes verifier. In our protocol, there are insecure quantum channels connecting Alice with Bob and Alice with Charlie. Moreover, there are authenticated classical channels between any two of the three participants. There are six quantum states: $|{+x}\rangle$, $|{-x}\rangle$, $|{+y}\rangle$, $|{-y}\rangle$, $|{+z}\rangle$, $|{-z}\rangle$. $|{\pm x}\rangle$ are the eigenstates of the Pauli X operator, $|{\pm y}\rangle$ are the eigenstates of the Pauli Y operator and $|{\pm z}\rangle$ are the eigenstates of the Pauli Z operator. These six states can be arranged into the 12 sets $\{|\omega_1 x\rangle, |\omega_2 y\rangle\}$, $\{|\omega_3 y\rangle, |\omega_4 z\rangle\}$ and $\{|\omega_5 z\rangle, |\omega_6 x\rangle\}$, where $\omega_1, \omega_2, \omega_3, \omega_4, \omega_5, \omega_6 \in \{+, -\}$. The first state in each set is encoded with bit value 0 and the second is encoded with bit value 1.
There are three steps in our QDS protocol: key generation, estimation and messaging.

Table 1: Concise description of the framework.
Key generation: Alice prepares $M-1$ different quantum state sequences and sends them to the $M-1$ recipients respectively. All recipients measure the quantum states they received in the X, Y or Z basis at random and announce all click events. All participants discard no-click data and keep click data to form their own strings. After that, they perform the post-matching process and encode their processed data strings by our rule.
Estimation: Alice informs any verifier to randomly select a certain proportion of strings as test bits. The verifier announces the location of test bits and asks Alice to publicly announce the data information of test bits. The recipients estimate the mismatching rate of conclusive results between their own string and Alice's string.
Messaging: To sign a one-bit message, Alice sends her own untested data string to Bob. Whether Bob accepts it depends on Bob's mismatching rate of conclusive results. If Bob accepts, Bob forwards it to all verifiers respectively. Whether verifiers accept it depends on their own mismatching rate. All participants negotiate whether to abort the protocol according to the majority voting principle.

In the key generation step, Alice uses a phase-randomized weak coherent-state source to prepare the six states. For each possible message $m = 0$ and $m = 1$, Alice prepares two different unrelated sequences of quantum states $A_{B,m}$ and $A_{C,m}$, each of length $N$. Each state is randomly selected by Alice from the six states with the same probability. We denote the light intensity as $\lambda$ ($\lambda \in \{\mu, \nu, 0\}$). Each quantum state is prepared with the intensity $\mu$, $\nu$ or 0 with the corresponding probability $p_\mu$, $p_\nu$, $p_0$ respectively. Alice sends sequences $A_{B,0}$, $A_{B,1}$ to Bob and $A_{C,0}$, $A_{C,1}$ to Charlie through insecure quantum channels. Bob and Charlie receive the sequences and then measure each quantum state in the X, Y or Z basis at random. Bob (Charlie) announces all the click events in $A_{B,m}$ ($A_{C,m}$) through the authenticated classical channel, denoted as $S_{B,m}$ ($S_{C,m}$). Afterwards, Alice discards no-click data and keeps click data of length $n$ to form strings $S_{AB,m}$ and $S_{AC,m}$. Alice publicly announces the intensity information of all pulses and all three participants divide their remaining data strings into µ-string, ν-string and 0-string according to the intensity information. For instance, Bob divides $S_{B,m}$ into $S^{\mu}_{B,m}$, $S^{\nu}_{B,m}$ and $S^{0}_{B,m}$ according to the public intensity information. The three participants perform the post-matching method [42]. Alice takes the order of quantum states in $S^{\lambda}_{AB,m}$ as a reference and changes the order of $S^{\lambda}_{AC,m}$ to make it the same as the order of $S^{\lambda}_{AB,m}$. Alice requests Charlie to change the order of $S^{\lambda}_{C,m}$ into the same order.
Note that $S_{C,m}$ is the measurement result of $S_{AC,m}$, so $S_{C,m}$ is the measurement result of $S_{AC,m}$. As a result, although Alice sends two different quantum-state sequences, after the post-matching process, two identical sequences $S_{AB,m}$ and $S_{AC,m}$ are obtained by Bob and Charlie respectively. We illustrate our rule to generate logic bits as follows. For each quantum state sent, Alice randomly chooses one of the 12 sets so that the state she sent is one of the two states in the set. Then she assigns the quantum state to this set. When the measurement outcome is orthogonal to any quantum state of the assigned set, the receiver gets a conclusive result encoded with logic bit 0 (the first state) or logic bit 1 (the second state). Otherwise, the receiver gets an inconclusive result denoted as '⊥'. They do not announce whether the results are conclusive or inconclusive. Following the rule, all three participants encode their data strings as $K^{\lambda}_{A,m}$, $K^{\lambda}_{B,m}$ and $K^{\lambda}_{C,m}$ respectively. The function of binary logic is to quantify the mismatching rate of conclusive results between Alice's binary encoded data string and each recipient's binary encoded data string in the estimation step, which is used in the later security analysis.

FIG. 2: Comparison of performance between our three-party protocol (this work, six-state) and the four-state protocol of Ref. [42]. The detection efficiency is 93%. The dark counting rate is $1 \times 10^{-7}$. The basis misalignment rate is 0.50%. The loss coefficient of fiber is 0.16 dB/km. As the fiber length increases, the superiority of our protocol becomes more apparent. The signature rate of our protocol is at least 400% higher than that of [42] in this case.

Here is an example of the binary encoding process. The recipients randomly choose the X, Y or Z basis to measure each quantum state Alice sent. Alice should publicly announce which of the 12 sets she picked for each state she sent. The set Alice picked should include the state she sent. The recipients will get a conclusive result if any one of the two states in the set is the eigenstate of the basis the recipient chose to measure. For example, Alice sends the state $|{+x}\rangle$. She will assign it to any one of $\{|{+x}\rangle, |{+y}\rangle\}$, $\{|{+x}\rangle, |{-y}\rangle\}$, $\{|{+z}\rangle, |{+x}\rangle\}$ and $\{|{-z}\rangle, |{+x}\rangle\}$. When she assigns it to $\{|{+x}\rangle, |{+y}\rangle\}$ and Bob's measurement outcome is $|{-y}\rangle$ ($|{-x}\rangle$), Bob will get a conclusive result with logic bit value 0 (1).
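
The logic-bit rule above can be checked by exact enumeration; the following is an added example, not code from the paper. It reproduces the ideal conclusive proportion of 1/6 used in the estimation step and shows how outcome errors are amplified among conclusive results. The `flip` error model and all function names are assumptions made for this illustration.

```python
from fractions import Fraction
from itertools import product

# A state or measurement outcome is (axis, sign), e.g. ("x", +1) for |+x>.
STATES = list(product("xyz", (+1, -1)))

# The 12 sets: axis pairs (x,y), (y,z), (z,x) with every choice of signs.
# The first state of a set carries logic bit 0, the second logic bit 1.
SETS = [((a, s1), (b, s2))
        for a, b in (("x", "y"), ("y", "z"), ("z", "x"))
        for s1, s2 in product((+1, -1), repeat=2)]


def outcome_prob(state, outcome, flip=Fraction(0)):
    """Probability of `outcome` when `state` is measured in the outcome's basis.

    `flip` is an assumed error model, not taken from the paper: with this
    probability the recipient records the opposite outcome in the chosen basis.
    """
    if state[0] != outcome[0]:
        return Fraction(1, 2)          # mutually unbiased bases
    return 1 - flip if state[1] == outcome[1] else flip


def logic_bit(assigned_set, outcome):
    """Recipient's rule: an outcome orthogonal to one state of the set rules
    that state out, so the other state's bit is recorded; otherwise None."""
    first, second = assigned_set
    if outcome == (second[0], -second[1]):
        return 0
    if outcome == (first[0], -first[1]):
        return 1
    return None                        # inconclusive result


def conclusive_statistics(flip=Fraction(0)):
    """Exact (P_conclusive, mismatching rate of conclusive results), averaged
    over Alice's uniform state and set choices and the recipient's basis."""
    p_conclusive = p_mismatch = Fraction(0)
    for state in STATES:
        containing = [s for s in SETS if state in s]   # always 4 sets
        for assigned in containing:
            alice_bit = assigned.index(state)          # 0 if first, 1 if second
            for outcome in STATES:                     # basis choice x result
                weight = (Fraction(1, len(STATES) * len(containing) * 3)
                          * outcome_prob(state, outcome, flip))
                bit = logic_bit(assigned, outcome)
                if bit is not None:
                    p_conclusive += weight
                    p_mismatch += weight * (bit != alice_bit)
    return p_conclusive, p_mismatch / p_conclusive


if __name__ == "__main__":
    print("ideal channel:", conclusive_statistics())
    print("flip = 0.5%:  ", conclusive_statistics(Fraction(1, 200)))
```

Under this assumed model a 0.5% outcome error becomes a mismatching rate of 1/101 (about 1%) among conclusive results, because only one sixth of the correct outcomes are conclusive while every erroneous same-basis outcome is.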
In the estimation step, we use superscript c to denote conclusive results, u to denote untested bits, t to denote test bits. The three participants estimate the bit error rate of single-photon pair components with the decoy-state method in their µ strings. Alice announces the information of intensity $\lambda = \nu$ and $\lambda = 0$ publicly. Alice informs Charlie to randomly select a certain proportion, denoted as $t$, of µ strings as test bits. Charlie announces the location of test bits and asks Alice to publicly announce the data information of test bits. Denote the mismatching rate of conclusive results between $K^{t}_{A,m}$ and $K^{t}_{B,m}$ (between $K^{t}_{A,m}$ and $K^{t}_{C,m}$) as $E^{ct}_{B}$ ($E^{ct}_{C}$). Moreover, Bob and Charlie calculate the proportion of conclusive results in $K_{B,m}$ and $K_{C,m}$ respectively, denoted as $P^{c}_{B}$ and $P^{c}_{C}$. If either of them deviates greatly from the ideal value $1/6$, they also abort the protocol. Afterwards, all of them throw away the test bits and conserve the untested bits of µ strings with remaining length $(1-t)n_\mu$.

FIG. 3: Comparison of performance between our three-party protocol and orthogonal encoding protocol [18]. We simulate two protocols under the same experimental parameters. The signature rate of our protocol is lower at short distance. However, it decays more slowly than orthogonal encoding protocol and shows better performance especially at long distance. In this case, our protocol has a longer transmission distance.

In the messaging step, to sign a one-bit message $m$, Alice sends $\{m, K^{u}_{A,m}\}$ to Bob. Bob checks the mismatching rate of conclusive results $E^{cu}_{B}$ between $K^{u}_{A,m}$ and $K^{u}_{B,m}$. If $E^{cu}_{B} \le T_a$ ($T_a$ is the authentication security threshold), Bob accepts the message. Otherwise, he rejects the message and aborts the protocol. When Bob accepts the message from Alice, he forwards $\{m, K^{u}_{A,m}\}$ to verifier Charlie. After that, Charlie checks the mismatching rate of conclusive results $E^{cu}_{C}$ between $K^{u}_{A,m}$ and $K^{u}_{C,m}$. If $E^{cu}_{C} \le T_v$ ($T_v$ is the verification security threshold), Charlie accepts the message. Otherwise, Charlie rejects the message and aborts the protocol.
We define the signature rate as $R := \frac{1}{2N}$, where $2N$ is the minimum number of pulses required to securely sign a one-bit message. We define that it is secure enough to sign a 1-bit message when the robustness $\varepsilon_{rob}$, the probability of successful forgery $\varepsilon_{for}$, the probability of successful repudiation $\varepsilon_{rep}$, the failure probability of the Chernoff bound $\varepsilon_1$ and the failure probability of random sampling without replacement $\varepsilon_2$ do not exceed their respective thresholds. As shown in Fig. 2, we simulate the four-state protocol of [42] to compare it with our six-state protocol. The performance of our protocol is better than that of [42]. For example, when the fiber length is 150 km, the original four-state protocol requires about $2.93 \times 10^{10}$ pulses to sign a one-bit message. However, under the same conditions our six-state protocol only needs about $5.85 \times 10^{9}$ pulses. When the fiber length is 150 km, the signature rate of our protocol is approximately 500% higher than that of the four-state protocol. Moreover, we also simulate the performance of the orthogonal encoding based protocol with symmetrization step in [18] to compare with our protocol, as shown in Fig. 3. We denote the angle between Alice-Bob and Alice-Charlie as $\theta$. Denote the distance between Alice and Bob (Charlie) as $D_{AB}$ ($D_{AC}$) and the distance between Bob and Charlie as $D_{BC}$. For a symmetric case, $D_{AB} = D_{AC}$ and $D_{BC} = 2D_{AB}\sin(\theta/2)$. $D_{BC}$ increases as $\theta$ gets larger. When $\theta$ is close to $\pi$, the transmission distance of QKD ($D_{BC}$) increases much faster than $D_{AB}$. Detailed information can be found in Ref. [42]. Define the effective signature rate as $R_{\mathrm{eff}} := \max\{\frac{1}{2N}, \frac{R_{\mathrm{QKD}}}{6L}\}$, where $L$ is the length of the generated key and $R_{\mathrm{QKD}}$ is the secret key rate of QKD. $R_{\mathrm{QKD}}$ is simulated by the key rate formula of [47]. We simulate three cases of $\theta = \pi$, $\theta = 2\pi/3$ and $\theta = \pi/2$. Our protocol has a longer transmission distance and a better signature rate, especially at long distance, in these cases, where the signature rate of our protocol decays more slowly. We also simulate our protocol's performance under different dark counting rates and different basis misalignment rates, as shown in Fig. 4 and Fig. 5 respectively. From the two figures, we can see that our protocol shows obviously high error rate tolerance and stability against noise.
Four-party QDS protocol. In our four-party protocol, there are 'signer' Alice, 'authenticator' Bob, 'verifier' Charlie and 'verifier' David. Their positions are shown in Fig. 1c. The operations among Alice, Bob and Charlie are the same as in the three-party protocol, which we will not describe in detail here. We focus on the difference due to the new participant 'verifier' David instead. For each possible message $m = 0$ and $m = 1$, following the rule of generating logic bits, David encodes his data strings as $K^{\lambda}_{D,m}$ in the key generation step. In the estimation step, the four participants estimate the bit error rate of triple-photon components with the decoy-state method in their µ strings. Alice announces all information of intensity $\lambda = \nu$ and $\lambda = 0$. Then Alice informs any one of the verifiers to randomly select a proportion of µ strings as test bits. All verifiers announce the location of their test bits respectively and request Alice to announce the data information of test bits publicly. Denote the mismatching rate of conclusive results between $K^{t}_{A,m}$ and $K^{t}_{B,m}$ as $E^{ct}_{B}$, the mismatching rate of conclusive results between $K^{t}_{A,m}$ and $K^{t}_{C,m}$ as $E^{ct}_{C}$ and the mismatching rate of conclusive results between $K^{t}_{A,m}$ and $K^{t}_{D,m}$ as $E^{ct}_{D}$. Moreover, Bob, Charlie and David calculate the proportion of conclusive results in $K_{B,m}$, $K_{C,m}$ and $K_{D,m}$ respectively, denoted as $P^{c}_{B}$, $P^{c}_{C}$ and $P^{c}_{D}$. To sign a one-bit message $m$, Alice sends $\{m, K^{u}_{A,m}\}$ to Bob. Bob checks the mismatching rate of conclusive results $E^{cu}_{B}$ between $K^{u}_{A,m}$ and $K^{u}_{B,m}$. If $E^{cu}_{B} \le T_a$, Bob accepts the message. Otherwise, he rejects the message and aborts the protocol. When Bob accepts the message from Alice, he forwards $\{m, K^{u}_{A,m}\}$ to Charlie and David respectively. After that, Charlie checks the mismatching rate of conclusive results $E^{cu}_{C}$ between $K^{u}_{A,m}$ and $K^{u}_{C,m}$. If $E^{cu}_{C} \le T_{Cv}$ ($T_{Cv}$ is the verification security threshold of Charlie), Charlie accepts the message. Otherwise, Charlie rejects the message. David checks the mismatching rate of conclusive results $E^{cu}_{D}$ between $K^{u}_{A,m}$ and $K^{u}_{D,m}$. If $E^{cu}_{D} \le T_{Dv}$ ($T_{Dv}$ is the verification security threshold of David), David accepts the message. Otherwise, David rejects the message. If either Charlie or David rejects the message, the protocol will be aborted. All participants negotiate whether or not to abort the protocol according to the majority voting principle.
Five-party QDS protocol. When it comes to our five-party protocol, there are five participants: 'signer' Alice, 'authenticator' Bob, 'verifier' Charlie, 'verifier' David and 'verifier' Emery. Their positions are shown in Fig. 1d. The processes among Alice, Bob, Charlie and David are the same as in the four-party protocol. We only focus on the operation involving Emery here.
In the key generation step, Emery encodes his data strings as $K^{\lambda}_{E,m}$ following the process described above.
In the estimation step, the five participants estimate the bit error rate of the four-photon component with the decoy-state method in their µ strings. Alice announces the information of intensity $\lambda = \nu$ and $\lambda = 0$. Alice informs any one verifier to randomly select a certain proportion of µ strings as test bits. The participants estimate their mismatching rate of conclusive results. Denote the mismatching rate of conclusive results between $K^{t}_{A,m}$ and $K^{t}_{E,m}$ as $E^{ct}_{E}$. Moreover, Emery calculates the proportion of conclusive results in $K_{E,m}$, denoted as $P^{c}_{E}$. If the proportion of any one of Bob, Charlie, David and Emery deviates greatly from the ideal value $1/6$, they abort the protocol. Afterwards, all of them throw away the test bits and keep the untested bits of µ strings with remaining length $(1-t)n_\mu$. In the messaging step, Alice sends $\{m, K^{u}_{A,m}\}$ to Bob in order to sign a one-bit message $m$. Bob checks $E^{cu}_{B}$. If $E^{cu}_{B} \le T_a$, Bob accepts the message. Otherwise, he rejects the message and aborts the protocol. When Bob accepts the message from Alice, he forwards $\{m, K^{u}_{A,m}\}$ to Charlie, David and Emery respectively. Emery checks the mismatching rate of conclusive results $E^{cu}_{E}$ between $K^{u}_{A,m}$ and $K^{u}_{E,m}$. If $E^{cu}_{E} \le T_{Ev}$ ($T_{Ev}$ is the verification security threshold of Emery), Emery accepts the message. Otherwise, Emery rejects. All participants negotiate whether or not to abort the protocol according to the majority voting principle.
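
The messaging step of the three-, four- and five-party protocols follows one pattern, sketched here as an added example that is not code from the paper. The keys, the threshold values, the `forwarded_key` hook and all function names are constructed for illustration, and aborting whenever any verifier rejects is an assumption taken from the four-party description.

```python
INCONCLUSIVE = None  # the paper's inconclusive result


def mismatch_rate(alice_key, recipient_key):
    """E^{cu}: share of the recipient's conclusive positions that disagree
    with the string presented as Alice's."""
    pairs = [(a, r) for a, r in zip(alice_key, recipient_key)
             if r is not INCONCLUSIVE]
    if not pairs:
        raise ValueError("recipient has no conclusive results")
    return sum(a != r for a, r in pairs) / len(pairs)


def run_messaging(message, sent_key, bob_key, verifier_keys, t_a, t_v,
                  forwarded_key=None):
    """Bob checks E_B^{cu} <= T_a, then forwards (m, key) to every verifier,
    who checks E^{cu} against its own threshold. `forwarded_key` models a
    string that differs from the one Bob received (hypothetical test hook)."""
    result = {"message": message}
    if mismatch_rate(sent_key, bob_key) > t_a:
        result.update(Bob="reject", aborted=True)
        return result
    result["Bob"] = "accept"
    forwarded = sent_key if forwarded_key is None else forwarded_key
    for name, key in verifier_keys.items():
        ok = mismatch_rate(forwarded, key) <= t_v[name]
        result[name] = "accept" if ok else "reject"
    # Assumption: as in the four-party description, any rejection aborts.
    result["aborted"] = any(result[n] == "reject" for n in verifier_keys)
    return result


def constructed_key(alice_key, offset, errors):
    """Constructed sample data: conclusive at every 6th position (ideal share
    1/6), equal to Alice's bit except for the first `errors` conclusive ones."""
    key, flipped = [], 0
    for i, bit in enumerate(alice_key):
        if i % 6 != offset:
            key.append(INCONCLUSIVE)
        elif flipped < errors:
            key.append(bit ^ 1)
            flipped += 1
        else:
            key.append(bit)
    return key


ALICE = [(i * i + i // 3) % 2 for i in range(600)]         # constructed K_A^u
BOB = constructed_key(ALICE, 0, errors=1)                  # E = 0.01
VERIFIERS = {"Charlie": constructed_key(ALICE, 1, 2),      # E = 0.02
             "David": constructed_key(ALICE, 2, 0),        # E = 0.00
             "Emery": constructed_key(ALICE, 3, 3)}        # E = 0.03
T_A = 0.02                                                 # constructed thresholds
T_V = {"Charlie": 0.05, "David": 0.05, "Emery": 0.05}
ALTERED = [b ^ (i % 5 == 0) for i, b in enumerate(ALICE)]  # every 5th bit flipped

if __name__ == "__main__":
    print(run_messaging(0, ALICE, BOB, VERIFIERS, T_A, T_V))
    print(run_messaging(0, ALICE, BOB, VERIFIERS, T_A, T_V, forwarded_key=ALTERED))
```

Each verifier only compares its own conclusive positions, so a string altered after Bob's check shows a mismatching rate of about 20% at every verifier in this constructed data and is rejected.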
We build the framework for the $M$-party ($M = 3, 4, 5$) protocol around three security criteria: robustness, security against forgery and security against repudiation. Here, we apply the majority voting principle to resolve disputes. For the four-party protocol, there is at most one dishonest participant. Any two participants making the wrong decision leads to a successful attack. For the five-party protocol, we should consider the colluding attack where there are two dishonest participants. We can assume Emery is a fixed dishonest player and he will collude with the other dishonest participant (Alice or Bob). Emery always unconditionally supports his partner. In other words, Charlie and David must make the same correct decision. This situation is equivalent to the four-party scenario above, where there exists only one dishonest participant among Alice, Bob, Charlie and David.
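The upper bound and lower bound of the expected value of a parameter $a$ can be given by a variant of the Chernoff bound [48]: $\overline{a}^{*} = a + \beta + \sqrt{2\beta a + \beta^{2}}$ and $\underline{a}^{*} = a - \frac{\beta}{2} - \sqrt{2\beta a + \frac{\beta^{2}}{4}}$, where $\beta = \ln\frac{1}{\varepsilon_1}$ and $\varepsilon_1$ is the failure probability of the Chernoff bound. We use $k$ to denote the $k$-photon component, where $k = M - 1$.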
(1) Robustness. Robustness ($\varepsilon_{rob}$) represents the probability that the protocol is aborted when the adversary is inactive. In the messaging step, Bob does not accept the message if $E^{cu}_{B} > T_a$. We can quantify robustness by the random sampling without replacement theorem [48] in the finite-sample case.
(2) Security against forgery. A forgery attack means Bob wishes that more than half of the verifiers would accept the forwarded message forged by Bob, $\{m, K_{BF}\}$. In this case, Bob needs to obtain as much information as he can about the quantum states that all verifiers receive, like an eavesdropper in the SARG04 QKD protocol [21,36,38,41].
All positions of recipients are equal. Without loss of generality, we first consider the probability that Charlie is deceived by Bob. We exploit the decoy-state method [49][50][51][52] to estimate the bit error rate $e_b$ of the $k$-photon component.
Considering the process where Alice sends pulses to all recipients, we have where $s^{c\mu*}_{C1}$ is the number of conclusive single-photon events in Charlie's µ string.
where $Q \in \Omega$ and and $s^{\mu*}_{Q1}$ is the number of single-photon events in $Q$'s µ strings. Therefore, we have where $s^{c\mu*}_{Ck}$ is the number of events that all recipients receive a single photon in the µ string and Charlie has a conclusive result simultaneously. For example, when it comes to four-party, and where $t^{c\mu*}_{C1}$ is the number of single-photon error events of Charlie's conclusive results in the µ string with respect to Alice. We can get where $t^{c\mu*}_{Ck}$ is the number of events that all recipients receive a single photon in the µ string, Charlie has a conclusive result and his classical bit mismatches with Alice's. Therefore, the bit error rate $e_b$ can be given by $e_b = t^{c\mu*}_{Ck}/s^{c\mu*}_{Ck}$. The relationship between phase error rate $e_p$ and bit error rate $e_b$ [17] in the six-state SARG04 protocol is where f (x) = 6−4x+ . $E^{*}_{BFk}$ can be given by $H(E^{*}_{BFk}) = 1 - I_B = 1 - H(e_p|e_b)$, where $H(e_p|e_b)$ is the conditional Shannon entropy function, $I_B$ is the mutual information provided by [17] and $E^{*}_{BFk}$ is the expected value of the minimum mismatching rate of conclusive results of the $k$-photon component between the correct $K^{u}_{A,m}$ and the forged $K^{u}_{BF,m}$. We employ the Chernoff bound [53] and the probability of successful forgery ($\varepsilon_{for}$) can be given by where $T_{vk} = T_v n^{cu}/n^{cu}_{k}$ is the error rate threshold of the $k$-photon component, $n^{cu} = (1-t)n^{c}_{\mu}$ is the number of conclusive results in $K^{u}_{C,m}$ and $n^{cu}_{k} = (1-t)s^{c\mu}_{Ck}$ is the number of $k$-photon components in $K^{u}_{C,m}$. Note that $\varepsilon_{for}$ is determined by the probability of deceiving the most vulnerable recipient. Therefore,
(3) Security against repudiation. Alice repudiates successfully when Bob accepts the message and more than half of the verifiers refuse to accept it. The probability of repudiation $\varepsilon_{rep}$ can be given by A is the solution of the following equation: with P c B T a < A < P c B T v − ∆ cu n cu .
$\Delta^{cu}$ can be given by where $\Delta^{cu}_{BC}$ is the relative Hamming distance between $E^{cu}_{B}$ and $E^{cu}_{C}$, $\Delta^{cu}_{BD}$ is the relative Hamming distance between $E^{cu}_{B}$ and $E^{cu}_{D}$, and $\Delta^{cu}_{BE}$ is the relative Hamming distance between $E^{cu}_{B}$ and $E^{cu}_{E}$. Therefore, the total security can be given by where $\varepsilon_1$ is the failure probability of the Chernoff bound and $\varepsilon_2$ is the failure probability of random sampling without replacement.
Note that, as shown in Fig. 6, expanding the QDS framework to an increasing number of users implies that the signature rate $R$ decreases more rapidly than just linearly as the number of parties increases. That is because, for the $M$-party protocol, only the $(M-1)$-photon component can be considered to be secure when we consider security against forgery. That means the addition of a new user requires an extra single photon, reducing the efficiency, which makes the signature rate lower, as we pointed out in Eq. (5). Additionally, the relationships between phase error rate $e_p$ and bit error rate $e_b$ of the $(M-1)$-photon component in the six-state SARG04 protocol are different, as shown in Eq. (8). That will also influence the signature rate of multiparty QDS.
Furthermore, the increase of system loss and the decrease of detection efficiencies will both lead to the decrease of valid detection events when sending the same number of pulses. That means the statistical fluctuation will increase resulting in the increase of the probability of successful repudiation and forgery. Moreover, the enhancement of security constraint also results in the statistical fluctuation increasing. Therefore, more pulses are required to keep the protocol safe, i.e., the signature rate will be lower.

IV. CONCLUSION
In summary, we have presented a practical QDS framework that consists of multiple participants. In our three-party protocol, signature rate, secure transmission distance and error tolerance achieve better performance because of the higher error rate threshold. Additionally, as shown in Fig. 6, our protocol can be extended to multiparty scenarios with great performance. In our simulation, when the basis misalignment rate $e_d = 0.1\%$ and the dark counting rate $p_d = 1 \times 10^{-7}$, our three-party, four-party and five-party QDS protocols can reach transmission distances of 265 km, 220 km and 156 km respectively. When the fiber length is 150 km, the signature rates of three-party, four-party and five-party are $5.1 \times 10^{-10}$, $8.3 \times 10^{-11}$ and $5.6 \times 10^{-13}$ respectively. As shown in Fig. 4, the signature rate does not decrease dramatically as $e_d$ increases, showing great fault tolerance. For example, when the fiber length is 150 km, the signature rates are $2.7 \times 10^{-10}$, $8.5 \times 10^{-11}$ and $2.7 \times 10^{-11}$ under $e_d = 0.25\%$, $0.50\%$ and $0.75\%$ respectively.
The insurmountable barrier for the original non-orthogonal encoding protocol to realize a multiparty QDS protocol is low data utilization efficiency due to the requirement of coincidence detection. Our $M$-party protocol overcomes this barrier because the post-matching method raises data utilization efficiency from $O(\eta^{M-1})$ to $O(\eta)$, resulting in a pronounced improvement of signature rate. Compared with the orthogonal encoding protocol, our multiparty protocols are concise and maneuverable since our $M$-party protocol only needs $M-1$ quantum channels, as shown in Fig. 1. The requirement of fewer quantum channels is a noticeable advantage of our QDS framework.
Also, in our work, we have presented security analysis of a generalized multiparty QDS framework. These multiparty QDS protocols promise robustness, security against forgery and security against repudiation. We also solved, by majority voting, the complex problem of the colluding attack in the five-party scenario, which never happens in three-party QDS. This work provides specific ideas for practical multiparty QDS protocols. It will be interesting to apply ideas of our QDS framework to realize large-scale QDS networks in the near future.