Twin-Field Quantum Digital Signature with Fully Discrete Phase Randomization.

Quantum digital signatures (QDS) are able to verify the authenticity and integrity of a message in modern communication. However, the current QDS protocols are restricted by the fundamental rate-loss bound and the secure signature distance cannot be further improved. We propose a twin-field quantum digital signature (TF-QDS) protocol with fully discrete phase randomization and investigate its performance under the two-intensity decoy-state setting. For better performance, we optimize intensities of the signal state and the decoy state for each given distance. Numerical simulation results show that our TF-QDS with as few as six discrete random phases can give a higher signature rate and a longer secure transmission distance compared with current quantum digital signatures (QDSs), such as BB84-QDS and measurement-device-independent QDS (MDI-QDS). Moreover, we provide a clear comparison among some possible TF-QDSs constructed by different twin-field key generation protocols (TF-KGPs) and find that the proposed TF-QDS exhibits the best performance. Conclusively, the advantages of the proposed TF-QDS protocol in signature rate and secure transmission distance are mainly due to the single-photon interference applied in the measurement module and precise matching of discrete phases. Besides, our TF-QDS shows the feasibility of experimental implementation with current devices in practical QDS system.

1. Introduction

Digital signature is one of the kernel sciences behind classical cryptography [1]. It is particularly significant in modern communication as it can be used in a variety of applications, such as electronic mail, software distribution and financial transactions. The security of classical digital signature is guaranteed by computational difficulty assumption, which, however, will no longer be secure with the rapid development of quantum algorithms [2,3,4]. A full-fledged treatment for this issue towards quantum digital signature (QDS) [5] that paves a way to realize signature with information theory security is presented.

The first quantum signature protocol was introduced in 2001 [6], which can be considered as the original form of QDS. In general, earlier signature protocols [7,8,9,10,11,12] may impose several restrictions on QDS, such as non-destructive state comparison, long-time quantum memory and secure quantum channel, for obtaining a secure quantum signature. However, in practice, these requirements cannot be fully satisfied, resulting in security loopholes of real-life implementation. Subsequently, some practical QDS protocols [13,14,15,16,17,18] that do not attach these restrictions had been proposed and experimentally demonstrated.

For QDS protocols, a general scenario is that QDS can be divided into two assignments: distribution stage and messaging stage. The former uses the quantum part of quantum key distribution (QKD), i.e., key generation protocol (KGP), to distribute keys for users without further classical post-processing. The latter allows two receivers to verify the authenticity of a signature declaration. During the distribution stage, a KGP, such as BB84-KGP [19,20] or measurement-device-independent KGP (MDI-KGP) [21,22,23,24], will be adopted to generate correlated keys between users. However, the performance of both KGPs is restricted by the fundamental rate-loss limit (referred to as PLOB bound) [25,26], which is equal to , where is the channel transmittance; this implies that the key generation rate can only vary with the channel transmittance linearly, asymptotically as bits per channel use. Some newly proposed QKD protocols with better performance have accordingly improved the performance of KGPs, since KGP is regarded as a part of QKD. Recently, twin-field QKD (TF-QKD) protocol [27] has been proven to be capable of overcoming the PLOB bound. The reason is that the single-photon interference utilized in TF-QKD enables the key rate scale with the square root of the channel transmittance. Subsequently, various variants of original TF-QKD were designed and implemented for overcoming the PLOB bound [28,29,30,31,32,33,34,35,36,37,38,39].

In general, TF-QKD systems with decoy-state method [38,39,40,41,42] require users to emit coherent states with a continuous-phase-randomized source (CPRS); however, this is difficult to achieve in practice and may open a security loop. Remarkably, this issue can be solved by discrete-phase-randomized source (DPRS) instead and a rigorous security proof was already presented by Cao et al. [43]. The recently proposed TF-QKDs with discrete-phase-randomized source [44,45] closed the gap between theory and practice, and can be implemented with current optical devices. In particular, Zhang et al. [44] proposed a TF-QKD variant with M phase slices both in the code mode and the test mode. Currás-Lorenzo et al. [45] put forward a discrete-phase-randomized TF-QKD protocol with only two phases in the code mode, which provides a higher key rate than that in [44] since its key rate is not restricted by the sifting factor. Inspired by this work, we propose a practical discrete-phase-randomized TF-QDS protocol. In fact, TF-QDS is a kind of MDI-QDS performed at the single-photon level. We use a numerical approach to derive the bounds on parameters in the asymptotic case. For each given distance, we optimize the key rate over the signal intensity and decoy intensity of coherent pulses, and fix the vacuum intensity. For comparison, we plot the simulation results of various QDSs under the same experimental parameters and find that our TF-QDS can achieve higher signature rate and longer transmission distance compared with BB84-QDS [13] and MDI-QDS [16], when the number of discrete phase slices . The TF-QDS improves on current QDSs by overcoming the PLOB bound.

In addition, we compare the performance of our TF-QDS with two possible TF-QDSs constructed by two different KGPs: KGP with CPRS [38] and KGP with DPRS [44]. These two newly constructed protocols are called TF-QDS with CPRS and TF-QDS with DPRS, respectively. The simulation results demonstrate that our TF-QDS with can exceed the performance of TF-QDS with CPRS due to the exact matching of phases. Its signature rate is 5–15 times that of TF-QDS with CPRS when the transmission distance ranges from 100 km to 300 km, and the maximum signature distance obtainable can be increased by . Furthermore, we compare the performance between our TF-QDS and TF-QDS with DPRS for four different M. The results show that, for the same M, our method can achieve better performance in terms of both signature rate and secure distance. The reason for this is that in our protocol, only two phases are encoded in the code mode and the key generation rate is not restricted by M. On the other hand, the increase of M tightens the upper bound of Eve’s side information estimated in the test mode. Therefore, for our protocol, the signature rate increases with M. However, in TF-QDS with DPRS, M phases are encoded in the code mode, so its signature rate tends to zero with the increase of M, which is caused by the filtering factor.

In this work, we devote Section 2 to the description of our TF-QDS. We review the TF-KGP [45] in Section 3. In Section 4, the security analysis is carried out. We give numerical simulation results in Section 5, and summarize our work in Section 6.

2. TF-QDS Protocol with Fully Discrete Phase Randomization

We consider a simple structure for our TF-QDS protocol to sign a one-bit message: a signer, Alice, generates a signature declaration with TF-KGPs performed by Alice–Bob and Alice–Charlie in the key distribution stage, and then transmits it to one of two receivers (Bob and Charlie), say Bob. Bob first verifies the signature and then forwards it to Charlie who then further verifies its authenticity in the messaging stage. The detailed process for our TF-QDS is illustrated in Figure 1. It is therefore clear that at most one party is dishonest in such a tripartite setting. If there is more than one dishonest party, then the real protocol will actually fail. We describe our TF-QDS protocol as follows.

Figure 1

Schematic diagram of our TF-QDS. Alice and Bob (Alice and Charlie) prepare discrete-phase-randomized weak coherent-state pulses with a phase modulator (PM1). Intensity modulator (IM) is used to generate decoy states and PM2 is used to encode key bits. All the modulations are combined with random number generators (RNGs). The encoded pulses are attenuated by an attenuator (Att) and then sent out to the measurement site Eve. Alice’s and Bob’s (Alice’s and Charlie’s) pulses interfere at a 50:50 beam splitter (BS). The interference result is recorded with two single-photon detectors (SPDs). The solid lines represent the quantum channels (QCs) through which Alice and Bob (Alice and Charlie) use KGP to distribute keys. The dotted lines represent the authenticated classical channels (CCs) through which parties exchange and transmit some classical message. A TF-QKD link is shared between Bob and Charlie for performing the symmetrization of keys in full secrecy.

For each message or 1, Alice and Bob use the discrete-phase-randomized TF-KGP [45] to generate keys of length , Alice holds the key and Bob holds the key . Similarly, Alice and Charlie perform the discrete-phase-randomized TF-KGP [45] to generate keys and , respectively. The detailed steps for key distribution can be found in Section 3. Alice’s signature for m is .

For each m, Bob and Charlie perform the symmetrization of keys. That is, Bob (Charlie) randomly chooses half of the bits in his key (), called (), and then sends these bits to Charlie (Bob) using an authenticated classical channel. The remaining bits in () are named (). After the symmetrization of keys, Bob’s and Charlie’s keys are denoted as and respectively; therefore, Alice cannot distinguish whether a key is Bob’s or Charlie’s, which guarantees the security against repudiation. In addition, Bob (Charlie) can only obtain half of (), which guarantees the security against forging.

For signing a one-bit message m, Alice sends the signature declaration to Bob.

Bob checks and records the number of mismatches between the declaration and his key . Particularly, Bob separately calculates the number of mismatches for the key that received directly from Alice and the key that forwarded by Charlie. If the number of mismatches for both parts is fewer than , he accepts the signature, where is a small threshold determined by experimental parameters and a desired security level.

Bob then forwards to Charlie.

Charlie checks the number of mismatches between and . The verification method is similar to that performed by Bob, except with a different threshold , where . If the number of mismatches for and is fewer than , Charlie accepts as the original signature generated by Alice. It is worth noting that two different thresholds and are required to ensure the non-repudiation of QDS protocol.

3. TF-KGP

TF-KGP, as a part of QDS, is performed in pairs separately by Alice–Bob and Alice–Charlie to distribute keys without further error correction and privacy amplification. This section takes Alice and Bob as an example to review the TF-KGP with fully discrete phase randomization [45]. The distributed keys among Alice and Bob correspond to the keys and described in Section 2.

3.1. Preparation

See the tasks below for the states of Alice’s and Bob’s delivering to Eve depending on their chosen mode for transmission. Alice and Bob choose the code mode and test mode randomly. The code mode is used for key generation and the test mode is used for parameter estimation. For the code mode, Alice (Bob) prepares a bit () randomly and generates a coherent state (), where is the signal intensity. For the test mode, Alice (Bob) prepares a discrete-phase-randomized coherent state (), which is modeled by a random intensity ( is a vacuum intensity and is a decoy intensity) and a random phase ( and M is number of dividing the phase interval into slices [32]).

3.2. Measurement

An untrusted intermediate node, Eve, performs the single-photon interference on the incoming pulses through a 50:50 BS followed by two detectors SPD0 and SPD1. A successful round corresponds to only one detector being clicked, and is unsuccessful otherwise. Eve then announces the successful rounds publicly.

3.3. Sifting

Alice and Bob exchange their intensity and mode through an authenticated classical channel and retain data from those in which they have used the same mode. For rounds of code mode, Alice and Bob generate sifted keys and . By disclosing L bits of sifted keys, they can calculate the quantum bit error rate (QBER), , where and denote Alice’s and Bob’s exposed bits respectively, after which they are discarded. The remaining bits in and are Alice’s and Bob’s final keys and , respectively. It is necessary for Bob to flip his bits corresponding to rounds with SPD1 clicked. For rounds of test mode, Alice and Bob calculate the gains in which they both select the same intensity and the same phase , and the gains in which they select the same intensity and the opposite phase .

3.4. Parameter Estimation

Alice and Bob use the gains and to separately estimate the phase error rates and according to the numerical method (see Appendix A), where () indicates the phase error rate of successful code mode rounds in which Alice and Bob use the same (opposite) phase.

4. Security Analysis

We followed the method in Ref. [46] to estimate Eve’s smooth min-entropy [47] on Bob’s reserved key , and then use it to bound the probability that Eve makes errors less than a certain value.

Eve can obtain some information from parameter estimation and mode declaration. Here, we define and as the classical information disclosed during parameter estimation and mode declaration, respectively. is the extra information leaked to Eve under the case that Charlie is Eve. All these information is defined on one quantum system living in the Hilbert space, which is a combination of the following elements: , and , as well as Eve’s ancilla quantum system following her general attack. The information that Eve obtains about is summarized as E. Then, Eve’s smooth min-entropy with access to E is given by where the inequality holds up to . Here, denotes the information leaked to Eve, which can be bounded by the phase error rates and as where is a Shannon binary entropy function . The phase error rates cannot be directly observed from experiments, their estimation can be found in Appendix A. With the upper bound on , we can further evaluate Eve’s smooth min-entropy.

Secondly, according to the proposition in Ref. [16], the upper bound on the average probability that Eve’s eavesdropping makes at most r errors with the given smooth min-entropy is Furthermore, for large , the probability for Eve to make fewer than r errors for any is given by except with probability at most Thus, we can determine the condition that Eve can make fewer than r errors with a non-negligible probability as If this condition is met, the probability of Eve making fewer than r errors will be arbitrarily small by increasing the length of signature. We define as: A physical interpretation behind Equation (7) is that is the minimum error rate that Eve makes when guessing Bob’s key except with negligible probability . The upper bound on QBER between Alice’s and Bob’s keys is . Therefore, as long as the condition of is satisfied, we can obtain a secure signature by increasing , which means that

For demonstrating the security of TF-QDS protocol, we aim to show that the following three inherent properties for signature systems can be guaranteed [48].

4.1. Robustness

In the messaging phase, Bob would reject Alice’s signature declaration when the mismatch rate between bits received from either Alice or Charlie and Alice’s declaration is higher than . The QBER (mismatch rate) between Alice’s and Bob’s keys can be estimated by utilizing L bits. According to the Serfling inequality [49], we can obtain the upper bound on QBER as follows: where This suggests that the upper bound on QBER is true except with a small probability . The failure probability decays exponentially in the parameter L for any fixed value of the function . We set , where and correspond to the upper bounds on QBERs for Alice–Bob and Alice–Charlie, respectively. Here, we should make greater than , except with probability of at most , so the probability of an honest abort is restricted to

4.2. Non-Repudiation

Non-repudiation means that the signature declaration generated by an original signatory is accepted by one receiver but rejected by the other.

For repudiation, the number of mismatches between Alice’s declaration and Bob’s key must be less than , and that between and Charlie’s key must be greater than . This suggests that Alice should make Bob accept her signature and make Charlie reject her signature. That is, a necessary condition for successful repudiation is that the mismatch rate between and is not equal to that between and . In this protocol, the symmetrization of keys performed between Bob and Charlie makes their respective keys contain an equal error rate, resulting in security against repudiation. According to the results in Ref. [13], the probability of Alice’s successful repudiation can be bounded as where

4.3. Unforgeability

Forgery attack performed by a dishonest internal user is considered in our analysis since it is more convenient for insiders to perform a forgery attack than external attackers. Suppose that Bob wants to forge Alice’s signature: he needs to transmit Charlie a forged signature and make the number of mismatches contained in the forged signature fewer than . As mentioned above, is the upper bound on QBER between Alice’s and Charlie’s keys, and indicates the minimum error rate that Bob makes errors associated with Charlie’s key. When Equation (8) holds, we choose such that . This suggests that there is a higher probability for Charlie to accept Alice’s original signature. On the contrary, Charlie will likely reject Bob’s forged signature, since the probability of Bob creating a forged signature with an error rate fewer than is restricted by Equation (4) as except with probability at most . If the estimation of parameters and (containing and ) fails, which separately occur with probabilities and , then we think for simplicity that Bob can successfully forge Alice’s signature. Thus, the probability of Bob’s successful forging can be bounded as This equation is valid for any choice of parameters greater than zero. The probability for Bob to forge a signature can be arbitrarily small by increasing .

In summary, the security level is bounded as

5. Numerical Simulation

In this section, we give simulation results for TF-QDS with two-intensity decoy-state method in the asymptotic scenario. The channel model given in Ref. [45] is employed to obtain observable gains and QBERs for TF-KGP. For simplicity, we assume that the channel is symmetrical for each pair of parties. For each given distance, we optimize the key rate over the signal intensity and the decoy intensity of coherent pulses, and fix the vacuum intensity .

We plot the signature rate R as a function of the transmission distance with optimal values of intensities and for a given security level , as shown by dashed lines in Figure 2. The signature rate is defined as , where N indicates the total number of pulses required to sign a 1-bit message given a certain security level. If we set a fixed security level, then the signature rate can be bounded by Equation (12) with parameters , and . The optimal values of intensity with different numbers of phase slices M against the transmission distance can be found in Figure 3. These optimal values are obtained by maximizing the key rate of KGP. The experimental parameters used for numerical simulation refer to a recent experiment [50], which are listed in Table 1. We also give the simulation results of signature rate without performing any optimization for comparison. In this case, we plot the signature rate curves with fixed values of all intensities (, and ), represented by solid lines in Figure 2. As depicted in Figure 2, numerical optimization yields a significant improvement in transmission distance compared to nonoptimization, especially when M is relatively small. In particular, the maximum signature distance reached with intensity optimization increased by more than two times when .

Figure 2

Signature rate vs. the transmission distance with optimal intensities (dashed lines) and fixed intensities (solid lines) for four different numbers of phase slices M. ( blue, red, green, purple).

Figure 3

Optimal values of the signal intensity vs. the transmission distance for four different M.

Table 1

Parameter setting in simulation. —loss coefficient of fiber at telecommunication wavelength; —dark count rate of detectors; —detection efficiency of detectors; —optical misalignment error; f—error correction inefficiency.

α	p_d	η_d	e_d	f
0.16	10^−8	35%	2%	1.15

Furthermore, Figure 2 shows the performance of TF-QDS for different M. The maximum signature distances when and have only slight differences under the same experimental parameters, corresponding to 317 km and 325 km, respectively. This suggests that it is not necessary to increase the number of phase slices to achieve significant improvements. On the other hand, for , and , there is a distinct improvement in terms of signature distance for larger M.

We perform a numerical simulation of to evaluate the potential impact of using more decoy states in terms of performance. Figure 4 shows the comparison of simulation results for TF-QDS with different numbers of decoy intensities. The results show that the signature rate and transmission distance of TF-QDS with two decoy states is close to that of three [51] (and four) decoy states. Therefore, for our TF-QDS protocol, the two-intensity decoy state is sufficient for practical usage, and there is no need to introduce more decoy states for longer transmission distances.

Figure 4

Signature rate versus the transmittance distance by using two-intensity (green solid line), three-intensity (red dotted line) and four-intensity (purple dotted line) decoy-state methods for .

We compare the performance of our TF-QDS with BB84-QDS and MDI-QDS in Figure 5. For a fair comparison, we plot the signature rate curves of three QDSs by using the same experimental parameters without intensity optimization. The channel models given in Ref. [32] are utilized to calculate gains and QBERs for BB84-QDS and MDI-QDS. As shown in Figure 5, BB84-QDS shows the highest signature rate when the transmission distance is less than 45 km. Once the distance is more than 45 km, the signature rate of TF-QDS exceeds that of BB84-QDS. Compared with MDI-QDS, the signature rate of TF-QDS is always better than that of MDI-QDS when . In addition, TF-QDS can obtain a secure signature at longer transmission distance than BB84-QDS and MDI-QDS when . Among these QDS protocols, the maximum signature distance for TF-QDS is 520 km when , whereas the maximum signature distances for BB84-QDS and MDI-QDS are 182 km and 334 km, respectively. This is because the measurement module of TF-QDS is realized with single-photon interference which requires only one photon to survive the loss of over half of the transmission distance. Twin-field approach overcomes the PLOB bound and significantly extends the secure signature distance.

Figure 5

Results of our TF-QDS, BB84-QDS and MDI-QDS.

Our TF-QDS protocol is built upon the TF-KGP in Ref. [45] where users emit coherent-states with a discrete-phase-randomized source in the test mode. We can further propose two possible TF-QDS protocols: TF-QDS with CPRS and TF-QDS with DPRS, which are separately constructed by KGP in Ref. [38] and KGP in Ref. [44], respectively. We compare the performance of our TF-QDS with two newly constructed TF-QDSs with the same experimental parameters given in Ref. [38].

Firstly, we compare the simulation results of our TF-QDS and TF-QDS with CPRS in Figure 6. Remarkably, the results show that our TF-QDS with only six discrete phase slices can exceed the performance of TF-QDS with CPRS. In detail, our protocol can achieve a secure signature at the maximum transmission distance of 408 km with , while the maximum transmission distance for TF-QDS with CPRS is 388 km. Besides, its signature rate increases by more than one order of magnitude since 69 km. The reason for this improvement is that a tighter bound on the phase error rate can be obtained, since the phase post-selection in discrete version makes the users’ phases exactly matched.

Figure 6

Results of our TF-QDS and TF-QDS with CPRS.

Furthermore, we compare the performance between our TF-QDS and TF-QDS with DPRS for different M. Both TF-QDS protocols utilize a discrete-phase-randomized source, with the main difference being that, for the proposed TF-QDS, only two phases rather than M phases are encoded in the code mode. The simulation results are shown in Figure 7, where solid lines correspond to the results of our TF-QDS, and dashed lines correspond to the results of TF-QDS with DPRS. Figure 7 illustrates that our TF-QDS can deliver a higher signature rate than that of TF-QDS with DPRS for the same phase slice. The fact is that the signature rate of our protocol increases with M, while the signature rate of TF-QDS with DPRS approaches 0 as M increases, due to the sifting factor. Furthermore, our TF-QDS can transmit a longer signature distance when the same signature rate is obtained. The reason for this is that we can obtain a tighter bound on the phase error rate compared with TF-QDS with DPRS, as illustrated in Figure 8. Detailed data on signature rate R and transmission distance for both TF-QDSs are listed in Table 2.

Figure 7

Results of our TF-QDS and TF-QDS with DPRS for four different M.

Figure 8

Comparison the upper bound of phase error rate between our TF-QDS and TF-QDS with DPRS for .

Table 2

Comparison of signature rate R and transmission distance for our work and TF-QDS with DPRS for different M. More general comparison results are shown in Figure 6. The second and third rows indicate the signature rates of two protocols at 100 km and 200 km, respectively. The fourth row shows the secure transmission distances when the signature rate is and the bottom row gives the comparison of maximum transmission distances obtainable.

	Protocols	M=4	M=6	M=8	M=12
R at 100 km	This work	3.37×10^−9	3.66×10^−9	3.50×10^−9	3.42×10^−9
(bits/pulse)	TF-QDS with DPRS	1.30×10^−9	2.36×10^−9	2.27×10^−9	2.23×10^−9
R at 200 km	This work	2.08×10^−11	9.31×10^−11	8.77×10^−11	8.30×10^−11
(bits/pulse)	TF-QDS with DPRS	-	5.75×10^−11	5.64×10^−11	5.38×10^−11
Distance	This work	222.2	267.7	288.8	291.8
(km)	TF-QDS with DPRS	164.8	262.2	281.7	283.9
Maximum	This work	231.3	279.4	303.8	313.3
distance (km)	TF-QDS with DPRS	171.9	279.3	303.7	313.1

6. Conclusions

We present a TF-QDS protocol with fully discrete phase randomization. Unlike most previous variants of QDS that emit weak coherent-state pulses with a continuous-phase-randomized source, our TF-QDS uses a discrete-phase-randomized source instead, which can be realized with common optical components and further applied in practical QDS systems. As well as this, the protocol had been proved to be secure against forging and repudiation.

For better performance, we optimize intensities of signal state and decoy state to improve the signature rate. We compare the performance of our TF-QDS with BB84-QDS and MDI-QDS by numerical simulation. The results demonstrate that our TF-QDS can achieve the best performance in terms of signature rate and secure transmission distance when the phase slices . Moreover, we provide a clear comparison between several possible TF-QDSs constructed by different TF-KGPs and find that our TF-QDS with already exceeds TF-QDS with CPRS due to the exact matching of phases. The signature rate is 5–15 times that of TF-QDS with CPRS when the transmission distance ranges from 100 km to 300 km, and its maximum signature distance obtainable increases by . Furthermore, we compare the performance of our TF-QDS with TF-QDS with DPRS for four different M. The simulation results show that our TF-QDS achieves a higher signature rate and a longer secure distance than that of the TF-QDS with DPRS for the same M.

In summary, the proposed TF-QDS with fully discrete phase randomization is more feasible in experimental implementation; meanwhile, it is an effective solution for a higher signature rate over a longer transmission distance.