Optica Publishing Group

Differential-quadrature-phase-shift quantum digital signature

Open Access

Abstract

A novel quantum digital signature (QDS) scheme, called “differential quadrature phase-shift QDS,” is presented. A message sender broadcasts a weak coherent pulse train with four phases of {0, π/2, π, 3π/2} and recipients create their own authentication keys from the broadcasted signal. Unlike conventional QDS protocols, there is no post-processing of information exchange between the sender and recipients and that between the recipients. Therefore, secured channels and/or authenticated channels for information exchange are not needed, and the key creation procedure is simpler than that of conventional QDS. Security issues are also discussed, using binomial distributions instead of Hoeffding’s inequality utilized in conventional QDS studies, and calculation examples for system conditions achieving the QDS function are presented.

© 2022 Optica Publishing Group under the terms of the Optica Open Access Publishing Agreement

1. Introduction

Digital signature (DS) is a technology in which a recipient receiving a digital message with a signature key confirms whether the message is sent from a party who publicly distributed an authentication key in advance, by comparing the signature key with the authentication key. The key function of DS is that a signature key cannot be forged by a malicious party who attempts to impersonate the message sender. While this function is based on mathematics or computational complexity in conventional DS systems, quantum digital signature (QDS) guarantees the security of keys based on quantum mechanical properties of light. Several QDS protocols have been proposed, such as the first proposal using a SWAP test and quantum memory [1], one employing a multiport setup [2, 3], one using quantum elimination measurement [4, 5], and one utilizing quantum key distribution (QKD) [6].

Among these protocols, experimental studies have primarily employed the QKD-based protocol [7–11], wherein a message sender and recipients individually share a sifted key using a QKD system. After the QKD transmission, the recipients exchange a portion of the sifted key bits via a secured channel protected by QKD. Then, the recipients hold the exchanged bits and the rest of the original sifted key bits as authentication keys, and the sender holds the sum of the sifted key bits shared with the recipients as a signature key. This QDS protocol has been widely demonstrated, maybe because it fully relies on the QKD technology that has been well developed as the most implementable quantum communication system. However, the scheme uses a number of QKD channels, i.e., a channel between the message sender and each recipient and that between recipients, which makes the key distribution process complex and costly. As a simplified QDS protocol, another scheme that has no bit exchange between recipients after signal transmission using QKD apparatus was proposed [5]. However, some post-processing, in which the recipients announce the photon detection time, and the sender announces the pulse intensity and asks the recipients to arrange the measurement results, is still performed through authenticated channels.

Based on the above background, the authors recently presented another simplified QDS protocol named “differential phase-shift QDS” (DPS-QDS) [12]. A message sender broadcasts a weak coherent pulse train with binary phases, and a message recipient measures it with a delay interferometer followed by single-photon detectors. The key distribution stage is accomplished with this signal transmission. There is no post-processing except that the sender alone publicly announces a portion of the pulse phases without using an authenticated channel. Therefore, the key distribution stage is simpler than that in conventional QDS protocols.

Following DPS-QDS, this study proposes another QDS scheme extended from DPS-QDS, called “differential-quadrature-phase-shift QDS” (DQPS-QDS). A message sender broadcasts a weak coherent pulse train with four phases of {0, π/2, π, 3π/2}, which is similar to the signal transmitted in differential-quadrature-phase-shift (DQPS) QKD [13], to all recipients simultaneously. The recipients measure the DQPS signal and create an authentication key from the measurement results for each. Similarly to DPS-QDS, there is no post-processing except that the sender alone announces information regarding the broadcasted signal without using an authenticated channel. Different from the DPS scheme, four phases are used instead of two, which makes the system robust against eavesdropping, although the measurement system is complex.

The security issues for the proposed protocol are also discussed, using binomial distributions instead of Hoeffding’s inequality [14], which is an approximate approach and has been conventionally employed for analyzing the QDS performance to handle a long key with a small computation cost. Subsequently, the system parameters are calculated based on the security analysis. The results indicate that the conventional analysis using Hoeffding’s inequality may overestimate system performance.

2. Protocol

2.1 Signal transmission

The system configuration of the proposed QDS scheme is shown in Fig. 1, where three parties are assumed: one message sender (Alice) and two recipients (Bob and Charlie). In this setup, Alice broadcasts sequential coherent pulses simultaneously to the recipients. Each pulse is phase-modulated by {0, π/2, π, 3π/2} with a mean photon number of less than one (e.g., 0.1–0.2). The recipients measure the broadcasted pulses using the apparatus shown in the inset of Fig. 1, where the incoming pulses are split and incident to two delay Mach–Zehnder interferometers (MZI-1 and MZI-2) with a delay time equal to the pulse interval, followed by single-photon detectors (detectors 11 and 12 at the MZI-1 output and detectors 21 and 22 at the MZI-2 output). The path phase differences in the interferometers (MZI-1 and MZI-2) are 0 and π/2, respectively. This signal transmission system is similar to that in DQPS-QKD [13].

Fig. 1. Setup of proposed QDS system, where PM is a phase modulator, att is an attenuator, MZI is a Mach–Zehnder interferometer, and D is a single-photon detector.

In the above setup, the recipients detect photons randomly and occasionally in time, because of a small photon number. They record the time and detector that counts a photon, a set of which is denoted as a bit. The detection event occurs according to the phase difference between neighboring pulses in the incoming signal. The relationship between the phase difference and clicking detectors is summarized in Table 1, where the detection probabilities, under the condition that a photon is counted at one of the four detectors, are listed. For a phase difference of 0, for example, detectors 11, 21, and 22 count a photon with probabilities of 0.5, 0.25, and 0.25, respectively. In this case, when a photon is counted at the MZI-1 output, detector 11 definitely clicks, while the detection event is probabilistic at the MZI-2 output. The detection at MZI-1 is definite for a phase difference of {0, π} and that at MZI-2 is definite for a phase difference of {π/2, 3π/2}. These definite detection events are shaded in Table 1. Otherwise, which detector clicks is probabilistic.

Table 1. Probability of photon count by each detector for each phase difference, conditioned that a photon is detected.

2.2 Signature and authentication keys

After the signal transmission described in the previous subsection, Alice and the recipients create a signature key and authentication keys, respectively, as follows. First, Alice publicly announces whether the phase difference of each pair of adjacent pulses in the broadcasted signal is one of {0, π} or one of {π/2, 3π/2}. With this information, the recipients discard the bits recorded from probabilistic detection events, such as the detection at MZI-1 for a phase difference of {π/2, 3π/2} and that at MZI-2 for a phase difference of {0, π}. Which bits are discarded is kept secret by the recipients.

Next, the recipients in unison select a portion of Alice’s pulses, e.g., from the ith to jth pulses, and ask her to publicly announce their phases by means that all recipients equally access them, such as, for example, posting them on an electronic bulletin board. Note that the recipients ask to announce the phases of all pulses from the ith to jth, not only pulses that clicked their detectors as in QKD. After Alice’s public announcement, the recipients confirm with each other whether they obtained identical information. Subsequently, they pick up pulses from Alice’s information that induced their own definite detections, check whether their bits are matched to the phases of the picked-up pulses, and evaluate the mismatch rate in the measurement results. This mismatch rate is called the “bit error rate” (BER) hereafter. Note that this BER estimation is performed by each recipient individually, in which the pulses picked up by each recipient are mostly different because photons were randomly detected at each recipient.

After the BER estimation, the recipients discard the bits used for the BER estimation, and Alice discards the disclosed phases. The recipients then hold the remaining bits as their own authentication keys, and Alice holds the remaining phase data as her signature key. The signature key is considerably longer than the authentication keys because the photon detection rate at a recipient is low. The key distribution stage is completed with the above procedures. Unlike in conventional QDS protocols, information exchange between Alice and the recipients and/or that between the recipients is not conducted after the signal transmission. Therefore, secured channels and/or authenticated channels are not needed. This is because the recipients do not disclose any information regarding their measurement, and thus Alice does not know the authentication key of each recipient.

After the key distribution stage, Alice sends a message with the signature key to the recipients, who then compare the signature key with their own authentication keys. When the bit mismatch ratio is lower than a threshold value s_a, the received message is acknowledged as legitimate.
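The key distribution and authentication steps of this subsection, written as a small simulation. This is an added example, not code from the paper; the assignment of D21/D22 to π/2 and 3π/2, the click probability, the error model (a definite event flips to the other port of the same MZI) and the dictionary representation of the keys are assumptions.

```python
import random

# Phase differences are integers k meaning k*pi/2. D11/D12 are the MZI-1 outputs
# (path phase 0) and D21/D22 the MZI-2 outputs (path phase pi/2).
# Assumption: D21 signals pi/2 and D22 signals 3pi/2 (the table body is not on the page).
PHASE_TO_DETECTOR = {0: "D11", 2: "D12", 1: "D21", 3: "D22"}
DETECTOR_TO_PHASE = {d: k for k, d in PHASE_TO_DETECTOR.items()}


def measure(diffs, p_click, ber, rng):
    """One recipient's private record {slot: detector that clicked}."""
    record = {}
    for slot, d in enumerate(diffs):
        if rng.random() >= p_click:          # weak pulses: most slots give no click
            continue
        mzi_parity = rng.randrange(2)        # 0 -> MZI-1, 1 -> MZI-2, equally likely
        if d % 2 == mzi_parity:              # definite event for this phase difference
            value = (d + 2) % 4 if rng.random() < ber else d
        else:                                # probabilistic event: random output port
            value = mzi_parity + 2 * rng.randrange(2)
        record[slot] = PHASE_TO_DETECTOR[value]
    return record


def sift(record, announced_class):
    """Drop clicks from the MZI that does not match Alice's announced class."""
    return {s: DETECTOR_TO_PHASE[det] for s, det in record.items()
            if DETECTOR_TO_PHASE[det] % 2 == announced_class[s]}


def estimate_ber(bits, disclosed):
    """Return (mismatch rate on the disclosed block, remaining authentication key)."""
    checked = [s for s in bits if s in disclosed]
    errors = sum(bits[s] != disclosed[s] for s in checked)
    key = {s: v for s, v in bits.items() if s not in disclosed}
    return (errors / len(checked) if checked else 0.0), key


def verify(signature, auth_key, s_a):
    """Accept only if the mismatch ratio with the signature key is below s_a."""
    if not auth_key:
        return False
    mismatches = sum(signature.get(s) != v for s, v in auth_key.items())
    return mismatches / len(auth_key) < s_a


def run_demo(seed=1, n_pulses=20000, p_click=0.02, ber=0.05, s_a=0.20,
             block=(0, 5000)):
    rng = random.Random(seed)
    phases = [rng.randrange(4) for _ in range(n_pulses)]     # Alice's pulse train
    diffs = [(b - a) % 4 for a, b in zip(phases, phases[1:])]
    # First public announcement: class 0 = {0, pi}, class 1 = {pi/2, 3pi/2}.
    announced_class = [d % 2 for d in diffs]
    # Alice discloses every pulse of the block the recipients chose together
    # (kept here as phase differences).
    disclosed = {s: diffs[s] for s in range(*block)}
    signature = {s: d for s, d in enumerate(diffs) if s not in disclosed}
    # A key made up without Alice's phase data, to show what verify() rejects.
    guessed = {s: rng.randrange(4) for s in signature}
    results = {}
    for name in ("Bob", "Charlie"):
        bits = sift(measure(diffs, p_click, ber, rng), announced_class)
        est, key = estimate_ber(bits, disclosed)
        results[name] = {
            "ber_estimate": est,
            "key_slots": set(key),           # never disclosed to anyone
            "accepts_alice": verify(signature, key, s_a),
            "accepts_guessed": verify(guessed, key, s_a),
        }
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(name, len(r["key_slots"]), round(r["ber_estimate"], 3),
              r["accepts_alice"], r["accepts_guessed"])
```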

3. Security

The security issues to be addressed in QDS include robustness, forging, and repudiation. In this section, these issues are discussed for DQPS-QDS.

3.1 Robustness

When the mismatch ratio between a signature and an authentication key is higher than a threshold s_a, a recipient rejects a message to which the signature key is attached. QDS systems should guarantee that this rejection probability is negligibly small for a legitimate signature key. This function is called “robustness.”

Provided that the number of bits in an authentication key (or the key length) is L and the bit mismatch probability is e per bit, the probability of n bits out of L being mismatched with the signature key, P_{n|L}, is expressed as

$$P_{n|L} = \binom{L}{n} \times e^{n} \times (1 - e)^{L - n}. \tag{1}$$
This is the probability of the bit mismatch ratio being n/L. Using this expression, the probability that the bit mismatch ratio is higher than s_a and then the signature key is rejected, P(honest abort), is expressed as
$$P(\textrm{honest abort}) = \sum_{n = s_\textrm{a}L}^{L} \binom{L}{n} \times e^{n} \times (1 - e)^{L - n}, \tag{2}$$
where e is the BER evaluated in the key distribution stage.

For a QDS system to operate properly, the key length L and threshold s_a are selected such that P(honest abort) is negligibly small, e.g., less than 10⁻⁴.

3.2 Forging

Forging in QDS systems is a fraudulent action by a malicious party attempting to impersonate Alice who distributes authentication keys. The malicious party falsifies Alice’s signature key and sends his/her message with it, impersonating Alice. Here, a malicious party does not have to falsify the entire signature key because not all the key data are used for authentication by a recipient whose authentication key length is shorter than the signature key length. A malicious party can cheat a recipient if he/she knows the authentication key of a target recipient. When a large number of authentication key bits of the target recipient are stolen, the success probability of the forging is high. QDS systems should be designed to guarantee that the forging probability is negligibly small. In the following, the system parameters that satisfy this condition are discussed for DQPS-QDS.

Here, a situation is assumed in which malicious Bob, who is the most formidable eavesdropper, attempts to cheat Charlie. Bob can know a portion of Charlie’s key by legitimately measuring Alice’s signal sent to Bob immediately outside Alice’s site. This eavesdropping scheme is similar to a beam-splitting attack in QKD. However, unlike in the beam-splitting attack in QKD, Bob does not employ a strategy of storing Alice’s signal and measuring it after the photon detection time and the measurement basis are disclosed, as in QKD. This is because such information is not disclosed and thus is unavailable for Bob in the present QDS scheme. Instead, he straightforwardly measures Alice’s signal using the normal apparatus shown in the inset of Fig. 1. In this measurement, the probability of detecting a photon at a time slot at which Charlie detects a photon is approximately equal to the mean photon number in one pulse, and the probability that Bob’s measuring interferometer matches that of Charlie is 1/2. Therefore, the probability that Bob obtains Charlie’s key through this eavesdropping, η_d, is η_d = μ/2 per bit, where μ is the mean photon number sent from Alice per pulse.

In addition to the aforementioned direct measurement, Bob can obtain a portion of Charlie’s key by attacking the transmission line from Alice to Charlie, similarly to eavesdropping against QKD transmission. However, unlike QKD, a sophisticated attack using quantum entanglement and quantum memory is meaningless against the present QDS system because information on Charlie’s measurement, i.e., the photon detection time and the measurement basis, is not disclosed. Therefore, Bob conducts a simple intercept–resend (IR) attack, wherein he directly measures Alice’s signal using the normal apparatus shown in the inset of Fig. 1 and resends a pair of pulses with the measured phase difference when he counts a photon, as illustrated in Fig. 2. However, this eavesdropping induces a bit mismatch between Alice’s and Charlie’s keys as follows.

Fig. 2. Bob’s intercept-resend attack against transmission line from Alice to Charlie.

In the intercepting stage, Bob occasionally detects a photon and obtains the relative phase of two neighboring pulses because the photon number is low. When he succeeds in the measurement, he resends one photon that is superposed over two pulses with the obtained relative phase. Otherwise, he resends nothing. Subsequently, two isolated pulses, not a pulse sequence as in the normal condition, arrive at Charlie. From such pulses, Charlie may count the photon at one of three time slots: the arrival time of the first pulse passing through the short path in the interferometer, that of the first pulse through the long path and the second pulse through the short path, and that of the second pulse through the long path. In the first and third time slots, no interference occurs and one of the detectors clicks randomly. Subsequently, Charlie’s data created from these detection events can be mismatched with Alice’s data. This mismatch probability is 0.5 × 0.5 = 0.25, because the probability of detecting a photon at the first or third time slot is 0.5 and the conditional probability of mismatch is 0.5.

In addition, bit mismatch can result from photon detection in the second time slot. As indicated in Table 1, Bob cannot perfectly identify the phase difference in Alice’s signal, even when the measurement succeeds. Subsequently, he sometimes resends two pulses whose phase difference differs from Alice’s. When Charlie detects a photon in the second time slot and measures the phase difference, the measurement result can differ from Alice’s original phase difference. The flow of the phase difference in the IR attack, under the condition that Alice’s relative phase is 0, is illustrated in Fig. 3. The solid and dotted arrows in the figure represent signal paths with occurring probabilities of 0.5 and 0.25, respectively. In the case shown in Fig. 3, Charlie discards the measurement results of π/2 and 3π/2 and creates key bits from the results of 0 and π according to Alice’s information on her phase modulation. From Fig. 3, the probabilities of Charlie’s result being 0 and π, are 0.5 × 0.5 + 0.25 × 0.25 + 0.25 × 0.25 = 0.5 and 0.25 × 0.25 + 0.25 × 0.25 = 0.125, respectively. Subsequently, the bit mismatch probability with respect to Alice is 0.125/(0.5 + 0.125) = 0.2. Then, the mismatch probability induced by a photon detection at the second time slot is 0.2 × 0.5 = 0.1, where a multiplied factor of 0.5 is the detection probability at the second time slot under the condition that a photon is detected.

Fig. 3. Flow of relative phase in the IR attack, under the conditions that Alice’s phase difference is 0 and a photon is detected in the second time slot at receiver: the solid and dotted arrows represent signal paths with occurring probabilities of 0.5 and 0.25, respectively.

Summarizing the above two causes, the probability of a bit mismatch induced by the IR attack is 0.25 + 0.1 = 0.35. Bob can conduct the IR attack against a portion of the transmitted signal such that the eavesdropping-induced bit mismatch is masked by the original mismatches due to system imperfections. The upper bound of the eavesdropping ratio, r, can be regarded as r = e/0.35, where e is the BER evaluated in the key distribution stage.

When the IR attack is conducted and Charlie detects a photon in the second time slot, Bob probabilistically knows Charlie’s bit. In the case shown in Fig. 3, Bob knows Charlie’s bit when he measures and resends a phase difference of 0, the probability of which is 0.5. Otherwise, he has no information about Charlie’s bit. Thus, Bob’s eavesdropping probability is 0.5, provided that the IR attack is performed. Subsequently, the probability that Bob knows Charlie’s key through the partial IR attack is η_IR = r × 0.5 = (10/7)e, and that in the total including the direct measurement is η = η_d + η_IR = μ/2 + (10/7)e.

In order to prevent Bob’s forging, Charlie sets the authentication threshold with which Bob’s falsified key is rejected. When Bob knows Charlie’s key with a probability of η per bit, the bit-mismatch ratio between Bob’s falsified key and Charlie’s authentication key is (1 – η)/2 per bit. Therefore, the probability of success of forging, P(forge), is expressed as

$$P(\textrm{forge}) = \sum_{n = 0}^{s_\textrm{a}L} \binom{L}{n} \times \left( \frac{1 - \eta}{2} \right)^{n} \times \left( 1 - \frac{1 - \eta}{2} \right)^{L - n}, \tag{3}$$
where L is Charlie’s key length and s_a is the authentication threshold. Charlie selects a threshold such that P(forge) is negligibly small.

3.3 Repudiation

Repudiation is an unfair action by a malicious sender, who makes a signature key to be authorized by a first recipient but to be rejected by a second recipient who receives the signature key from the first recipient. One strategy of repudiation is that Alice dishonestly sends different pulse trains to the recipients in the key distribution stage and creates a signature key from one of the pulse trains. However, this strategy is prohibited by the BER estimation process, in which Alice is required to publicly announce a sequence from the pulse train. Alice’s dishonest action of sending different pulse trains is revealed by comparing the publicly announced sequence with each authentication key created from the broadcasted signal. Therefore, malicious Alice should create a signature key that is accepted by one recipient but rejected by the other, under the condition that the recipients’ keys are created from an identical pulse train.

In the present QDS scheme, Alice does not know each recipient’s key, because information on photon detection, i.e., the photon detection time and the interferometer at which a photon is detected, is not disclosed. Therefore, Alice cannot intentionally introduce bit mismatch in a target recipient. Instead, she randomly flips some phase differences in her signature key as {0 ↔ π} and {π/2 ↔ 3π/2}, expecting that the modified key is mismatched with a target recipient while it is matched with the others. In the three-party QDS system illustrated in Fig. 1, repudiation is successful when Alice’s key is accepted by Bob and rejected by Charlie, in case that Alice sends the signature key to Bob who then forwards it to Charlie. Using binomial distributions as in the previous subsections, the success probability of repudiation, P(rep), can be expressed as

$$\begin{aligned} P(\textrm{rep}) &= P(\textrm{Bob accept}) \times P(\textrm{Charlie reject}) \\ &= \left\{ \sum_{n = 0}^{s_\textrm{a}L} \binom{L}{n} (e + e_\textrm{A})^{n} (1 - e - e_\textrm{A})^{L - n} \right\} \times \left\{ \sum_{n = s_\textrm{v}L}^{L} \binom{L}{n} (e + e_\textrm{A})^{n} (1 - e - e_\textrm{A})^{L - n} \right\}, \end{aligned} \tag{4}$$
where e is the BER evaluated in the key distribution stage, which is assumed to be identical in Bob and Charlie, e_A is Alice’s phase-flipping ratio, L is the authentication key length, s_a is Bob’s authentication threshold, and s_v is Charlie’s authentication threshold for a transferred key.

Alice selects e_A to maximize P(rep) and Charlie selects s_v such that P(rep) is negligibly small for any e_A.

4. Calculation

Based on the previous section, we calculated the system parameters with which the proposed system is securely operated. Figure 4 shows the results obtained using Eqs. (2) and (3), where the authentication threshold s_a and key length L, with which P(honest abort) = 10⁻⁴ and P(forge) = 10⁻⁴, are plotted by circles and crosses, respectively. The BER was assumed to be e = 0.05. In the figure, the robustness condition is satisfied, i.e., P(honest abort) < 10⁻⁴, with (s_a, L) in the area above the circles, and forging is prevented, i.e., P(forge) < 10⁻⁴, with (s_a, L) in the area below the crosses. Therefore, (s_a, L) in the gray region guarantees the QDS operation in terms of robustness and forging.

Fig. 4. Authentication threshold, s_a, and key length, L, with which the robustness condition is satisfied and forging is prevented: the BER is assumed to be e = 0.05, circles and crosses denote (s_a, L) that provides P(honest abort) = 10⁻⁴ and P(forging) = 10⁻⁴, respectively; gray zone indicates (s_a, L) that guarantees robustness and prevents forging simultaneously; and solid and broken lines are calculation results based on Hoeffding’s inequality for robustness and forging, respectively.

Equations (2) and (3) are used in the above calculations, which assume binomial distributions for the probability density of the bit mismatch ratio, as discussed in the previous section. In contrast, conventional analyses on QDS systems have employed Hoeffding’s inequality [14], which is an approximate approach cutting the computation cost of calculating binomial distributions. In these analyses, the upper bounds of P(honest abort) and P(forge) were expressed in an exponential form [2–6]. Applying their evaluation scheme to the present system, the upper bounds are expressed as [12]

$$P(\textrm{honest abort}) \le \exp \left[ - 2 (s_\textrm{a} - e)^{2} L \right] \tag{5}$$
and
$$P(\textrm{forge}) \le \exp \left[ - \left( s_\textrm{a} - \frac{1 - \eta}{2} \right)^{2} L \right]. \tag{6}$$
For reference, the upper bounds of P(honest abort) and P(forge) calculated using the above inequalities are also plotted in Fig. 4 by solid and broken lines, respectively. The figure indicates that the parameter conditions determined by Hoeffding’s inequality have some margin compared with the values determined by the binomial distributions.

Figure 4 shows the calculation results for a BER of e = 0.05. Similar calculations were also conducted for BER values of e = 0.10, 0.15, and 0.20. The results are plotted in Fig. 5. The figure shows that, for a larger BER, the authentication threshold s_a and the key length L should be larger for the QDS operation, and that the system with a BER larger than 0.20 cannot satisfy the robustness condition while prohibiting forging simultaneously. In other words, a BER up to 0.15 is allowable for the proposed QDS scheme.

Fig. 5. Authentication threshold, s_a, and key length, L, with which robustness is satisfied and forging is prevented: closed and open symbols indicate (s_a, L) that cause P(honest abort) and P(forge) to be 10⁻⁴, respectively, and the system BER is assumed to be e = 0.10, 0.15, or 0.20.

For a QDS system to prevent repudiation, the authentication threshold for a forwarded key, s_v, should be properly selected. Therefore, we performed calculations regarding s_v, using Eq. (4). The result is shown in Fig. 6, where the success probability of repudiation by malicious Alice, P(rep), is plotted as a function of the authentication threshold for a forwarded key. The original system BER was e = 0.05, and the key length and authentication threshold for a directly received key were assumed to be L = 70 and s_a = 0.20, respectively, which were quoted from the calculation results for robustness and forging shown in Fig. 4. Various e_A values, i.e., Alice’s additional mismatch rate, were examined in the calculations. Figure 6 reveals that the highest s_v value that satisfies P(rep) = 10⁻⁴ is 0.475 for e_A = 0.28. For all other e_A, P(rep) is less than 10⁻⁴ at s_v = 0.475. Therefore, this value can be employed as the authentication threshold for a forwarded key.

Fig. 6. Success probability of repudiation as a function of the authentication threshold for a forwarded key, s_v, where the original BER is e = 0.05, authentication threshold s_a is 0.20, key length L is 70, and Alice’s additional mismatch rate is assumed to be e_A = 0.26, 0.28, 0.30, 0.32, 0.34, or 0.36.
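An added example (not the authors' code) that evaluates the exact binomial expressions for P(honest abort), P(forge) and P(rep) next to the two Hoeffding-type bounds given above, for the parameters quoted in this section. The mean photon number μ = 0.1 and the rounding of a non-integer threshold-times-L (up for a lower summation limit, down for an upper one) are assumptions, so values close to 10⁻⁴ can differ slightly from the paper's figures.

```python
from math import ceil, comb, exp, floor


def pmf(n, L, p):
    """Probability that exactly n of L bits mismatch (per-bit probability p)."""
    return comb(L, n) * p**n * (1 - p) ** (L - n)


def tail_ge(L, p, s):
    """P(n >= s*L); a non-integer s*L is rounded up (assumption)."""
    return sum(pmf(n, L, p) for n in range(ceil(round(s * L, 9)), L + 1))


def tail_le(L, p, s):
    """P(n <= s*L); a non-integer s*L is rounded down (assumption)."""
    return sum(pmf(n, L, p) for n in range(0, floor(round(s * L, 9)) + 1))


def eta(mu, e):
    """Per-bit probability that Bob knows Charlie's key: mu/2 + (10/7) e."""
    return mu / 2 + (10 / 7) * e


def p_honest_abort(L, e, s_a):
    return tail_ge(L, e, s_a)


def p_forge(L, e, s_a, mu):
    return tail_le(L, (1 - eta(mu, e)) / 2, s_a)


def p_rep(L, e, e_A, s_a, s_v):
    p = e + e_A                      # mismatch rate after Alice's random flips
    return tail_le(L, p, s_a) * tail_ge(L, p, s_v)


def bound_honest_abort(L, e, s_a):
    return exp(-2 * (s_a - e) ** 2 * L)


def bound_forge(L, e, s_a, mu):
    return exp(-((s_a - (1 - eta(mu, e)) / 2) ** 2) * L)


def feasible_s_a(L, e, mu, target=1e-4, step=0.005):
    """(min, max) of the grid thresholds for which both exact probabilities < target."""
    grid = [round(k * step, 3) for k in range(1, int(0.5 / step))]
    ok = [s for s in grid
          if p_honest_abort(L, e, s) < target and p_forge(L, e, s, mu) < target]
    return (min(ok), max(ok)) if ok else None


def worst_case_rep(L, e, s_a, s_v, e_A_grid):
    """Largest P(rep) over Alice's choices of flipping ratio: (P(rep), e_A)."""
    return max((p_rep(L, e, a, s_a, s_v), a) for a in e_A_grid)


if __name__ == "__main__":
    L, e, s_a, s_v, mu = 70, 0.05, 0.20, 0.475, 0.1   # mu = 0.1 is assumed
    print("honest abort exact / bound:",
          p_honest_abort(L, e, s_a), bound_honest_abort(L, e, s_a))
    print("forge exact / bound:", p_forge(L, e, s_a, mu), bound_forge(L, e, s_a, mu))
    print("feasible s_a range at L=70:", feasible_s_a(L, e, mu))
    print("worst-case repudiation:",
          worst_case_rep(L, e, s_a, s_v, [0.26, 0.28, 0.30, 0.32, 0.34, 0.36]))
```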

The above calculation assumes a system with a BER of e = 0.05. Similar calculations were conducted for e = 0.10 and 0.15, from which the authentication threshold s_v making P(rep) less than 10⁻⁴ for any e_A was evaluated. Table 2 summarizes the results, where the key length L and authentication threshold for a directly received key s_a, determined from Fig. 5, are listed. The threshold for a forwarded key can be set based on the calculation results. In the previously proposed DPS-QDS [12], which is the base of the present protocol, the authentication key length is 150 for a BER of 0.01. The required key length is shorter in the present QDS. This is owing to the use of four phases instead of two, which improves the tolerance against eavesdropping.

Table 2. Authentication thresholds for systems with different BERs, where L is key length, s_a is threshold for a directly received key, and s_v is threshold for a forwarded key.

5. Summary

A novel QDS scheme, DQPS-QDS, was proposed. It uses a weak coherent pulse train with four phases of {0, π/2, π, 3π/2}, i.e., the signal transmitted in DQPS-QKD. A sender broadcasts a DQPS signal to recipients, who measure the phase differences of neighboring pulses and create authentication keys from the measurement results. Unlike conventional QDS protocols, there is no post-processing of information exchange between the sender and recipients and/or that between the recipients. Therefore, secured channels and/or authenticated channels are not needed, and the key distribution process is simpler than those in conventional QDS protocols.

The security issues of robustness, forging, and repudiation were also discussed, employing binomial distributions for the probability density of the false operation rate, instead of Hoeffding’s inequality usually used in conventional QDS studies. Calculation examples of the system parameters to satisfy the security conditions, i.e., the key length and authentication thresholds for a signature key directly received from the sender and that forwarded from a recipient, respectively, were presented.

Disclosures

The authors declare no conflict of interest.

Data availability

Data underlying the results presented in this paper may be obtained from the authors upon reasonable request.

References

1. D. Gottesman and I. Chung, “Quantum digital signature,” arXiv: quant-ph/010532 (2001).

2. O. Clarke, R. Collins, V. Dunjko, E. Andersson, J. Jeffers, and G. Buller, “Experimental demonstration of quantum digital signature using phase-encoded coherent states of light,” Nat. Commun. 3(1), 1174 (2012).

3. V. Dunjko, P. Wallden, and E. Andersson, “Quantum digital signatures without quantum memory,” Phys. Rev. Lett. 112(4), 040502 (2014).

4. P. Wallden, V. Dunjko, A. Kent, and E. Andersson, “Quantum digital signature with quantum-key-distribution components,” Phys. Rev. A 91(4), 042304 (2015).

5. Y. Lu, X. Cao, C. Weng, J. Gu, Y. Xie, M. Zhou, H. Yin, and Z. Chen, “Efficient quantum digital signature without symmetrization step,” Opt. Express 29(7), 10162–10171 (2021).

6. R. Amiri, P. Wallden, A. Kent, and E. Andersson, “Secure quantum signatures using insecure quantum channels,” Phys. Rev. A 93(3), 032325 (2016).

7. R. J. Collins, R. Amiri, M. Fujiwara, T. Honjo, K. Shimizu, K. Tamaki, M. Takeoka, M. Sasaki, E. Andersson, and G. S. Buller, “Experimental transmission of quantum digital signatures over 90-km of installed optical fiber using a differential phase shift quantum key distribution system,” Sci. Rep. 7(1), 3235 (2017).

8. H. Yin, Y. Fu, Q. Tang, J. Wang, L. You, W. Zhang, S. Chen, Z. Wang, Q. Zhang, T. Chen, Z. Chen, and J. Pan, “Experimental quantum digital signature over 102 km,” Phys. Rev. A 95(3), 032334 (2017).

9. C. Zhang, X. Zhou, H. Ding, C. Zhang, G. Guo, and Q. Wang, “Proof-of-principle demonstration of passive decoy-state quantum digital signatures over 200 km,” Phys. Rev. Appl. 10(3), 034033 (2018).

10. X. B. An, H. Y. Zhang, G. C. Zhang, W. Chen, S. Wang, Z. Q. Yin, Q. Wang, D. Y. He, P. L. Hao, S. F. Liu, X. Y. Zhou, G. C. Guo, and Z. F. Han, “Practical quantum digital signature with a gigahertz BB84 quantum key distribution system,” Opt. Lett. 44(1), 139–142 (2019).

11. H. J. Ding, J. J. Chen, L. Ji, X. Y. Zhou, C. H. Zhang, C. M. Zhang, and Q. Wang, “280-km experimental demonstration of a quantum digital signature with one decoy state,” Opt. Lett. 45(7), 1711–1714 (2020).

12. K. Inoue and T. Honjo, “Differential-phase-shift quantum digital signature without disclosing measurement information,” J. Phys. Commun. 6(7), 075003 (2022).

13. K. Inoue and Y. Iwai, “Differential-quadrature-phase-shift quantum key distribution,” Phys. Rev. A 79(2), 022319 (2009).

14. W. Hoeffding, “Probability inequalities for sums of bounded random variables,” J. Am. Stat. Assoc. 58(301), 13–30 (1963).
