Asynchronous measurement-device-independent quantum digital signatures

Jing-Wei Bian Bing-Hong Li Yuan-Mei Xie National Laboratory of Solid State Microstructures and School of Physics, Collaborative Innovation Center of Advanced Microstructures, Nanjing University, Nanjing 210093, China Department of Physics and Beijing Key Laboratory of Opto-electronic Functional Materials and Micro-nano Devices, Key Laboratory of Quantum State Construction and Manipulation (Ministry of Education), Renmin University of China, Beijing 100872, China Hua-Lei Yin [email protected] Department of Physics and Beijing Key Laboratory of Opto-electronic Functional Materials and Micro-nano Devices, Key Laboratory of Quantum State Construction and Manipulation (Ministry of Education), Renmin University of China, Beijing 100872, China National Laboratory of Solid State Microstructures and School of Physics, Collaborative Innovation Center of Advanced Microstructures, Nanjing University, Nanjing 210093, China Beijing Academy of Quantum Information Sciences, Beijing 100193, China Zeng-Bing Chen [email protected] National Laboratory of Solid State Microstructures and School of Physics, Collaborative Innovation Center of Advanced Microstructures, Nanjing University, Nanjing 210093, China

Abstract

Quantum digital signatures (QDSs), which distribute and measure quantum states by key generation protocols and then sign messages via classical data processing, are a key area of interest in quantum cryptography. However, the practical implementation of a QDS network has many challenges, including complex interference technical requirements, linear channel loss of quantum state transmission, and potential side-channel attacks on detectors. Here, we propose an asynchronous measurement-device-independent (MDI) QDS protocol with asynchronous two-photon interference strategy and one-time universal hashing method. The two-photon interference approach protects our protocol against all detector side-channel attacks and relaxes the difficulty of experiment implementation, while the asynchronous strategy effectively reduces the equivalent channel loss to its square root. Compared to previous MDI-QDS schemes, our protocol shows several orders of magnitude performance improvements and doubling of transmission distance when processing multi-bit messages. Our findings present an efficient and practical MDI-QDS scheme, paving the way for large-scale data processing with non-repudiation in quantum networks.

I INTRODUCTION

Threatened by quantum attacks and the continually emerging algorithms, the security of current classical cryptographic schemes is facing challenges. This is especially true in our contemporary society where the rapid development of internet and communication technologies results in an increasing amount of data and information that needs to be collected, stored, processed, and transmitted. Therefore, it is necessary to develop modern cryptography to ensure the corresponding basic elements of information security: confidentiality, integrity, authenticity, and nonrepudiation [1, 2].

Quantum technology, which is based on quantum mechanic laws, is regarded as a profoundly promising frontier in the realm of cryptography and offers a significant approach to ensuring information security [3, 4]. As the most mature technology in the realm of quantum technology, quantum key distribution [5] has undergone rapid development [6, 7]. However, it has had various security loopholes in detection [8, 9] until the measurement-device-independent (MDI) quantum key distribution was proposed [10], which addressed all security concerns on the detection end [11]. Despite significant development [12, 3], the key rates of most forms of MDI protocols were still constrained by the absolute repeaterless secret-key capacity [13, 14, 15]. Efforts have been made to break this bound [16, 17, 18, 19], one of which includes an alternative variant of MDI quantum key distribution [18, 19] called asynchronous MDI quantum key distribution. This variant has the ability to asynchronously pair two successful clicks over an extended pairing time, thereby establishing a two-photon Bell state. As a result, the secret-key capacity is broken, leading to a higher key rate and an increased distance. In addition, the asynchronous MDI scheme offers the advantage of removing the necessity for global phase tracking and phase locking. This has been confirmed through experiments that also demonstrated its superior rate and extended range [20, 21, 22].

Despite the fact that combined quantum key distribution with one-time pad can ensure confidentiality against eavesdropping, technologies safeguarding the remaining three elements are more prevalent in today’s society [1]. Digital signatures, which provide the integrity, authenticity, and non-repudiation of data processing, are a suitable technique that holds broad and promising application prospects in contemporary society [23, 24, 25]. However, widely used classical digital signature schemes provide only computational security, so unconditionally secure classical protocols have been proposed, trying to solve the problem [26, 27, 28]. However, they can provide information-theoretic security under only the following two circumstances. One is the existence of an authenticated broadcast channel and secure classical channels which means that more than two out of three participants are honest [29]. The other requires a trusted authority who creates and distributes keys to each participant, and this makes the protocol vulnerable to targeted attacks against the trusted authority or even to dishonesty or incompetence on the part of the trusted authority [27, 28]. Both of these two circumstances are infeasible in the practical world.

Unlike classical protocols, quantum digital signatures (QDSs) [30, 31, 32, 33] are a kind of digital signature whose security relies on the secrecy and asymmetry of shared keys generated through quantum key generation protocols (KGPs) [34], without further assumptions like an authenticated broadcast channel or a trusted authority [30, 26, 27, 28]. As a result, they only require authenticated classical channels and insecure quantum channels to provide information-theoretic security. First proposed in 2001 [30], QDS faced some impractical experimental requirements that hindered its implementation. However, after approximately a decade of development, these obstacles were successfully eliminated [31, 32, 33]. Efforts have been undertaken to eliminate the reliance on secure quantum channels [35, 36], thereby triggering many achievements both theoretically [37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48] and experimentally [49, 50, 51, 52, 53, 54, 55, 56, 57]. However, several limitations persist across all these schemes. Protocols that employ orthogonal encoding necessitate extra symmetrization steps, leading to the need for more secure channels [36]. On the other hand, schemes that use non-orthogonal encoding do not depend on additional KGP channels. However, their signature rate is susceptible to the misalignment error of the quantum channel [35, 43, 46]. More importantly, these protocols can only sign one bit at a time, which results in a low signature rate when signing multi-bit documents. One-time universal hashing (OTUH) QDS represented an efficient change [2, 58], which has made significant advancement in multi-bit signatures from single-bit signatures. Due to the application of universal hash functions, the signature length becomes insensitive to the document volume, thus enhancing the signature rate significantly. This original version is efficient, but it requires perfect keys with complete secrecy. A recently proposed variant successfully resolved this problem, which reduced the requirements on perfect keys by encrypting the generator key of the hashing function [58].

In this work, we propose a protocol named asynchronous MDI-QDS, which delves deeply into the potential of the OTUH method. Our protocol is carried out with the use of the asynchronous MDI method and the OTUH method. In the asynchronous MDI method, two participants send pulses to a measurement node to perform single-photon interference (SPI). Then, utilizing time multiplexing, the asynchronous two-photon interference strategy matches two successful SPI events in different time bins that are phase-correlated to obtain an asynchronous two-photon Bell state, and then, the key rate is enhanced to $O(\sqrt{\eta})$ scaling, where $\eta$ is the total channel transmittance between the two participants. This leads to a significant enhancement in the signature rates and an extension of the signature distance. In the OTUH method, the signature is generated by the hash function described in Appendix A operating on the multibit documents. Compared to single-bit QDS protocols, which sign only one bit at a time and consume resources in a linear fashion with the document volume increasing, the signature rate of our OTHU protocol has a great enhancement. Moreover, the success probability of attacks from the external increases linearly as the document volume increases, which is discussed in detail in Appendix C. Given the OTUH method, our protocol is unconditionally secure, allowing the imperfection of the secret keys distributed. This removes the necessity for privacy amplification.

Our approach ensures that the shared keys we utilize are immune to detector side-channel attacks. This is accomplished by the incorporation of the MDI concept [10]. At the heart of our protocol lies the implementation of the asynchronous two-photon interference strategy, which leads to a significant enhancement in the signature rates and an extension of the signature distance. According to the OTUH, our protocol is robust to the document volume and we can attain signature rates that are several orders of magnitude higher without the need for perfect keys when the document volume is large, compared to the MDI signature schemes without OTUH [37]. Furthermore, when compared to the twin-field scheme with single-photon interference referenced in Ref. [58], our asynchronous MDI scheme holds an advantage as it does not require global phase tracking and phase locking. This implies that our protocol is not only easier to implement but also stands as a more practical scheme for future quantum networks. We analyze the formation process of shared keys, and we demonstrate the variations of $H_{\text{min}}^{\varepsilon}$ and $H_{\text{max}}^{\varepsilon_{\text{cor}}}$ with the signature distance by simulation. During this demonstration, we clearly reveal the formation process of these shared keys. This is based on the existing relationship between these quantum entropies and the unknown information to a potential attacker. By conducting simulations and comparisons, we have been able to demonstrate the significant performance of our approach, as well as clearly illustrating the formation process of the signatures utilized in our protocol.

The structure of the article is as follows. In Sec. II, we introduce the content of our protocol, including the process of distribution and messaging. In Sec. III, we simulate and analyze the formation process of the shared keys during the distribution stage, and we demonstrate the composition of the raw key. Then we compare the performance of our asynchronous MDI-QDS protocol with the MDI-QDS described in Ref. [37] to emphasize the excellence of our protocol. In Sec. IV, the article is concluded.

Refer to caption — FIG. 1: Schematic of the setup of the distribution stage of the proposed QDS protocol. Everyone generates weak coherent pulses with their own independent ultrastable lasers without mutual phase tracking. After encoding, they will send the pluses to Eve, who will perform the interference measurement and records successful clicks. The encoder consists of three intensity modulators, two phase modulators, an electrically driven polarization controller, and a variable optical attenuator. IM represents intensity modulator, PM represents phase modulator, EPC represents electrically driven polarization controller, and VOM represents variable optical attenuator. There is an optical switch in the node of Eve that can switch and select between different optical paths.

II PROTOCOL CONTENT

II.1 Distribution stage

Our protocol employs the asynchronous MDI-KGP scheme for sharing keys among participants. In the distribution stage, we assume that in this three-party procedure, the matters of Alice-Bob and Alice-Charlie are independent and can be executed separately. The setup is shown in Fig. 1.

II.1.1 Preparation

Consider each time slot $i\in{\{1,2,\ldots,N\}}$ . Alice and Bob each prepare a weak laser pulse $\ket{e^{i\theta_{a(b)}}\sqrt{k_{a(b)}}}$ independently. Here, $\theta_{a(b)}$ is a phase value derived from $2\pi m_{a(b)}/M$ , where $m_{a(b)}\in{\{0,1,\ldots,M-1\}}$ , and $k_{a(b)}$ is an intensity chosen from the set $\{\mu_{a(b)},\nu_{a(b)},o_{a(b)}\}$ with the probabilities $p_{\mu_{a(b)}},p_{\nu_{a(b)}}$ and $p_{o_{a(b)}}=1-p_{\mu_{a(b)}}-p_{\nu_{a(b)}}$ . The intensities within this set correspond to the signal, decoy, and vacuum state, in that order. Following this preparation phase, Alice and Bob transmit their pulses to a measurement node, referred to as Eve, via insecure channels. Although a similar process is also conducted between Alice and Charlie, we focus solely on the interaction between Alice and Bob in our discussion for simplicity.

II.1.2 Measurement and click filtering

For each bin, Eve conducts an interference measurement on the received pulses and logs the successful click events. Subsequently, she broadcasts the successful clicks along with the corresponding detector that registered the click. Following this, Alice and Bob publicly declare the events where they applied the decoy intensity $\nu_{a(b)}$ to the transmitted pulse. A click filtering process is then carried out, resulting in the discarding of clicks $(\mu_{a}|\nu_{b})$ and $(\nu_{a}|\mu_{b})$ . All other clicks, apart from those discarded, are retained.

II.1.3 Coincidence pairing

Our protocol does not pair pulses sent simultaneously as coincidences. Instead, we adopt a strategy that avoids the need for global phase tracking and phase locking. For the clicks we retain, we pair them with the nearest clicks within a time interval $T_{c}$ to form successful coincidences. If we fail to find a nearest click for a given click, we discard it. Upon successfully pairing coincidences, Alice and Bob calculate the total intensity $k^{\text{tot}}_{a(b)}$ of the two time bins they used. They also compute the phase difference between the earlier time bin ( $e$ ) and the later time bin ( $l$ ), denoted as $\phi_{a(b)}=\theta^{l}_{a(b)}-\theta^{e}_{a(b)}$ . We denote the set of coincidences $[k^{\text{tot}}_{a},k^{\text{tot}}_{b}]$ as $S_{[k^{\text{tot}}_{a},k^{\text{tot}}_{b}]}$ .

II.1.4 Sifting

After computing their results, Alice and Bob announce $k^{\text{tot}}_{a(b)}$ and $\phi_{a(b)}$ . They discard any results where the total intensity satisfies $k^{\text{tot}}_{a(b)}\geq\mu_{a(b)}+\nu_{a(b)}$ . For the Z-basis, Alice (Bob) extracts a bit 0 (1) if she (he) sends $\mu_{a(b)}$ in the early time bin and $o_{a(b)}$ in the late time bin. Otherwise, Alice (Bob) extracts an opposite bit.

For the X-basis, we use coincidences $[2\nu_{a},2\nu_{b}]$ to extract bits. Alice and Bob first calculate $\phi_{ab}=\phi_{a}-\phi_{b}$ , which represents the phase difference between the phase difference of Alice and Bob in the early time and the later time. They then calculate $\phi=\phi_{ab}\mod 2\pi$ . If the result is 0 or $\pi$ , Alice and Bob will extract 0 in the X-basis. If the result is 0 and both detectors click, Bob will flip the bit. If the result is $\pi$ and only a detector clicks and the same detector clicks twice, Bob will flip too. If the result is other values except 0 and $\pi$ , we will discard this coincidence.

II.1.5 Parameter estimation

Alice and Bob can then obtain their own raw key from the Z-basis, which has the length of $n_{z}$ . The parameters $s^{z}_{0},s^{z}_{11},\phi^{z}_{11}$ will also be computed and retained. These parameters represent the length of the bits derived from the vacuum events, single-photon events, and the phase-error rate of the single-photon events, respectively. The error rate of the bits in the Z-basis $E_{z}$ will also be computed. The details of the estimation could be found in Appendix B. All these are useful in post-processing, which will help to get the length of shared keys and the signature.

II.1.6 Error correction

After obtaining the raw key, Alice and Bob will distill it using error correction with a correction factor of $\varepsilon_{\text{cor}}$ [59, 60]. The length of keys will remain $n_{z}$ , and the unknown information to a potential attacker will be represented as $\mathcal{H}$ [58]. During this stage, there is no need to perform privacy amplification. Subsequently, Alice randomly disturbs the order of the key and announces the new order to Bob through an authenticated channel. This will allow them both to obtain the final key. These keys will then be divided into several strings of $n$ -bits, which will play an important role in the messaging stage.

The entire distribution process will also involve both Alice and Charlie. For the sake of simplicity, we did not previously mention that the keys of a certain length are also distributed between them. Once these keys have been distributed, they will be divided into several segments, each of which will be used for specific operations in the subsequent process.

II.2 Messaging stage

In this section, we demonstrate the key aspect of the protocol, which is to perfectly correlate the bits among three parties, as described in Ref. [58]. This requires an asymmetric key relationship among the three parties. We use one-time almost XOR universal₂ (AXU) hashing, specifically, the Linear Feedback Shift Register (LFSR)-based Toeplitz hashing, to generate the protocol’s signature. The strings of length $n_{z}$ on the sides of Alice, Bob, and Charlie have already been divided into segments of length $n$ . These segments are denoted as $\{X_{a},X_{b},X_{c},Y_{a},Y_{b},Y_{c},Z_{a},Z_{b},Z_{c}\}$ , each of which has a length of $n$ . The subscripts $\{a,b,c\}$ indicate that the string belongs to Alice, Bob, or Charlie, respectively. These strings satisfy the equations

X_{a}=X_{b}\oplus X_{c},

Y_{a}=Y_{b}\oplus Y_{c},

Z_{a}=Z_{b}\oplus Z_{c}.

We will use these strings to execute the protocol between the three parties. And the schematic of the messaging stage is shown in Fig. 2.

II.2.1 Signing of Alice

Alice holds a set of $n$ -bit long strings $\{X_{a},Y_{a},Z_{a}\}$ . First, she uses a quantum random number generator to produce an $n$ -bit long random string, which is called $p_{a}$ . This string is used to create a monic irreducible polynomial $p(x)$ of order $n$ in GF $(2)$ . Second, Alice uses the bit string $Y_{a}$ and the irreducible polynomial (quantum random number $p_{a}$ ) to generate a random linear feedback shift register-based (LFSR-based) Toeplitz matrix $H_{nm}$ , which has $n$ rows and $m$ columns. She applies this matrix to the $m$ -bit document Doc, resulting in an $n$ -bit hash value $\text{Dig}=H_{nm}\cdot\text{Doc}$ . Third, Alice encrypts Dig using $Z_{a}$ to obtain the final signature $\text{Sig}=\text{Dig}\oplus Z_{a}$ . In addition, Alice encrypts $p_{a}$ by $X_{a}$ to get $\mathcal{P}=p_{a}\oplus X_{a}$ . Fourth, Alice transmits the set $\{\text{Sig},\mathcal{P},\text{Doc}\}$ to Bob through an authenticated classical channel.

II.2.2 Verification of Bob

Upon receiving the signal from Alice, Bob transmits $\{\text{Sig},\mathcal{P},\text{Doc}\}$ and $\{X_{b},Y_{b},Z_{b}\}$ to Charlie. After receiving the signal from Bob, Charlie transfers $\{X_{c},Y_{c},Z_{c}\}$ to Bob. At this point, Bob has the set of strings $\{\text{Sig},\mathcal{P},\text{Doc},X_{b},Y_{b},Z_{b},X_{c},Y_{c},Z_{c}\}$ , which will be used to perform the verification stage. All data are transmitted through an authenticated channel. First, Bob generates the new strings $\{K_{X_{b}}=X_{b}\oplus X_{c},K_{Y_{b}}=Y_{b}\oplus Y_{c},K_{Z_{b}}=Z_{b}\oplus Z_{c}\}$ via XOR operation. Second, using $K_{X_{b}}$ and $K_{Z_{b}}$ , Bob obtains $p_{b}$ and the expected digest via XOR decryption. Then, with $K_{Y_{b}}$ , Bob uses it and $p_{b}$ to form an LFSR-based Toeplitz matrix, and obtains the actual digest via a hash operation with the matrix. Third, Bob accepts the signature if the actual digest equals the expected digest, and then informs Charlie of this result. If the two digests are not identical, he will reject the signature and announces the protocol’s abortion. The signature will be established if Bob accepts it, and the establishment of the signature does not require consideration of Charlie, who plays the role of a notary.

II.2.3 Verification of Charlie

If Charlie receives a successful signal from Bob, he will perform the verification stage just like Bob. At this point, Charlie has the same set of strings as Bob, which is $\{\text{Sig},\mathcal{P},\text{Doc},X_{b},Y_{b},Z_{b},X_{c},Y_{c},Z_{c}\}$ . First, Charlie generates the new strings $\{K_{X_{c}}=X_{b}\oplus X_{c},K_{Y_{c}}=Y_{b}\oplus Y_{c},K_{Z_{c}}=Z_{b}\oplus Z_{c}\}$ via the XOR operation. Second, He exploits $K_{X_{c}}$ and $K_{Z_{c}}$ to obtain the expected digest and string $p_{c}$ via XOR decryption. Then, Using $K_{Y_{c}}$ , he obtains the actual digest via a hash operation like Bob. Third, if the two digests are identical, he will accept the protocol; otherwise, he will reject it.

Under this framework, various AXU hash functions could be employed to play a major role. In our protocol, we specifically exploit the LFSR-based Toeplitz hashing, which is a fantastic function that can map a document of any length to a fixed length.

From the description above, we know that in order to sign a message of m-bits length, Alice should distribute six bit strings $X_{b},Y_{b},Z_{c}$ to Bob, and $X_{a},Y_{c},Z_{c}$ to Charlie. The subscript indicates the participant performing the KGP with Alice, where $b$ represents Bob and $c$ represents Charlie. We set the fixed length of strings as $n$ . With each channel generating three strings, and the length $n_{Z}$ of the raw key distributed in each channel, we could calculate the signature rate [58]:

R_{\text{sig}}=\frac{n_{z}}{3n}.

(1)

III SIMULATION AND DISCUSSION

$\eta_{d}$	$p_{d}$	$f$	$\alpha_{f}$	$e_{d}$	$\varepsilon$	$F$
$80\%$	$2.5\times 10^{-10}$	1.1	0.16	0.04	$1\times 10^{-10}$	$1\text{GHz}$

TABLE I: This table contains the parameters of the simulation we set, in which

\eta_{d}

and

p_{d}

represents the detection efficiency and the dark count rate of the detectors we use.

f

is the error correction efficiency.

e_{d}

represents the misalignment error rate, and

\alpha_{f}

is the attenuation coefficient of the fiber. The parameter

\varepsilon

is the value of the variables

\varepsilon^{\prime}

\hat{\varepsilon}

and

\varepsilon_{\text{cor}}

F

is the system clock frequency

During the distribution stage, we have performed the parameter estimation and error correction. After the distribution stage, the unknown information to a possible attacker $\mathcal{H}$ could be expressed with the smooth min-entropy and the smooth max-entropy as:

\begin{split}\mathcal{H}\geq H_{\text{min}}^{\varepsilon}-H_{\text{max}}^{\varepsilon_{\text{cor}}},\end{split}

(2)

in which the $H_{\text{min}}^{\varepsilon}$ and the $H_{\text{max}}^{\varepsilon_{\text{cor}}}$ could be separately expressed as

\begin{split}H_{\text{min}}^{\varepsilon}\geq s_{0}^{z}+s_{11}^{z}[1-H(\phi_{11}^{z})]-2\text{log}_{2}(\frac{2}{\varepsilon^{\prime}\hat{\varepsilon}}),\end{split}

(3)

\begin{split}H_{\text{max}}^{\varepsilon_{\text{cor}}}=n_{z}fH(E_{z})+\text{log}_{2}(\frac{2}{\varepsilon_{\text{cor}}}),\end{split}

(4)

where $f$ is the error correction efficiency, $s_{0}^{z}$ is the number of vacuum events, $s_{11}^{z}$ is the number of single-photon pairs event, $\phi^{z}_{11}$ represents the number of the phase error rate of single-photon pairs, and $E_{z}$ is the bit error rate of Z-basis during the distribution stage. The function is the binary Shannon entropy function, which could be expressed as:

H(x)=-x\text{log}_{2}x-(1-x)\text{log}_{2}(1-x),

(5)

Using these two entropies, we could get the length of $\mathcal{H}$ :

\begin{split}\mathcal{H}&\geq s_{0}^{z}+s_{11}^{z}[1-H(\phi_{11}^{z})]-n_{z}fH(E_{z})\\ &\quad-2\text{log}_{2}(\frac{2}{\varepsilon^{\prime}\hat{\varepsilon}})-\text{log}_{2}(\frac{2}{\varepsilon_{\text{cor}}}),\end{split}

(6)

of which the details will be introduced in Appendix D, which involves the details of these smooth entropies.

In order to delve deeper into the dimensionality of $\mathcal{H}$ , we separately examined the two key components, $H_{\text{min}}^{\varepsilon}$ and $H_{\text{max}}^{\varepsilon_{\text{cor}}}$ . This included an analysis of the variations in their numerical values and the changes in the percentage they represent in the raw key $n_{z}$ . In this context, we set the $N$ to $10^{12}$ , which represents the total number of transmitted pulse pairs. The parameters of the simulation we set could be found in Table I.

By simulating the implementation of the distribution stage with these parameters, we are able to observe the variation of the absolute values of the smooth min- and max-entropies, $H_{\text{min}}^{\varepsilon}$ and $H_{\text{max}}^{\varepsilon_{\text{cor}}}$ with respect to distance $l$ . $H_{\text{min}}^{\varepsilon}$ represents the maximum length of a bit string that can be computed from the raw key before error correction, which is $\varepsilon$ -closing to a perfectly uniform string. This string is independent of the side information eavesdropped by Eve. $H_{\text{max}}^{\varepsilon_{\text{cor}}}$ represents the amount of information consumed in error correction.

The shaded area between two curves represents the unknown information $\mathcal{H}$ . As can be seen in Fig. 3, with the increase in the distance, the absolute value of $H_{\text{min}}^{\varepsilon}$ and $H_{\text{max}}^{\varepsilon_{\text{cor}}}$ decreased by a similar slope. However, since this is a semi-logarithmic plot with the y-axis on a logarithmic scale, $\mathcal{H}$ was decreasing exponentially. Towards the end of Fig. 3, the length of $\mathcal{H}$ experienced a sharp decrease, corresponding to the drop-off of the rates of the KGP process. As the attenuation of signals increases to a significant degree, the total amount of information that can be transmitted decreases substantially. Concurrently, the influence of noise becomes increasingly significant. This results in the observed drop-off. This process could be seen more intuitively in Fig. 4.

In Fig. 4, we illustrate the variation of the percentage of the smooth min-entropy $H_{\text{min}}^{\varepsilon}$ and the smooth max-entropy $H_{\text{max}}^{\varepsilon_{\text{cor}}}$ occupied in the raw key with respect to distance $l$ . The percentage of the smooth min-entropy $H_{\text{min}}^{\varepsilon}$ shows a slight decrease, but overall, it remains almost unchanged before 410 km, and the percentage of the smooth max-entropy $H_{\text{max}}^{\varepsilon_{\text{cor}}}$ shows a very slight increase, with almost no change before 410 km as well. After 410 km the percentage of $H_{\text{min}}^{\varepsilon}$ undergoes a sharp decrease. This is primarily due to the reduced number of pulses that reach this distance, coupled with the increasingly pronounced impact of noise. The combined sum of these two entropies was notably less than 1. This is attributed to the constant need to discard a certain amount of information before error correction, specifically $(1-H_{\text{min}}^{\varepsilon})$ , to maintain security against potential external threats.

Given the relationship between entropy and information [61], we apply this principle within quantum systems as well as hybrid classical-quantum systems to generate keys and estimate signature length, thereby ensuring security. This is precisely where QDS protocols distinguish themselves from classical ones, as well as in the characteristic of not requiring assumptions of an authenticated broadcast channel or a trusted authority [26, 27, 28].

To showcase the superior performance of our protocol, we conducted simulations comparing our protocol with the MDI-QDS [37]. For reasonable comparison, we use the best known MDI-KGP method to distribute quantum states used for MDI-QDS [37], i.e., a four-intensity decoy-state protocol with the double-scanning method [62]. These simulations were performed under varying data sizes $N$ of $10^{12}$ , $10^{13}$ , and $10^{14}$ , with the document message size capped at $10^{3}$ bits. The results of this simulation could be seen in Fig. 5.

In this simulation, it is demonstrated that the maximum signature distance of the proposed protocol is extended by approximately two times compared to MDI-QDS. The substantial improvement observed can be attributed to the implementation of the asynchronous two-photon interference strategy. During the distribution stage, we asynchronously pair two successful clicks within a long pairing time. These asynchronous pairs are then used to generate the key for messaging and signature. This approach aids in breaking through the secret-key capacity barrier without the need for global phase locking [21] during the distribution stage. As a result, the distribution distance of the distribution stage is approximately doubled compared to the MDI-QDS.

As depicted in Fig. 5, when compared to the MDI-QDS [37] that does not incorporate OTUH, the signature rates of our proposed asynchronous MDI-QDS protocol are enhanced by six to seven orders of magnitude. The observed enhancement is derived from the advantages of our OTUH scheme, of which the details concerning the secure information in the raw key, denoted as $\mathcal{H}$ , have been thoroughly discussed in Sec. III. Our OTUH scheme is capable of projecting a document containing a large volume of information to an adjustable hash value. Consequently, our protocol is not sensitive to the size of the document and can perform more effectively when handling documents of larger sizes.

IV CONCLUSION

On the whole, we propose an asynchronous MDI-QDS protocol with OTUH, which could achieve a higher signature rate and longer signature distance than other schemes. In our paper, we delve into the composition of the raw key and explore the relationship between its various components, entropy, and information. This analysis provides a comprehensive understanding of the formation process of the shared keys in our QDS protocol and offers profound insights into the OTUH-QDS process. By simulating and comparing our proposed protocol with the MDI-QDS described in [37], it turns out that our protocol has significant improvements in terms of signature rates and distance due to the applications of OTUH and the asynchronous two-photon interference strategy. By employing the asynchronous two-photon interference strategy [18], the maximum signature distance can be significantly extended, potentially up to twice the distance without the asynchronous two-photon interference strategy, because of the reduced channel loss. With OTUH employed, our protocol has strong robustness against the document volume. This makes our protocol have a significant performance when handling extensive documents, especially several orders of magnitude higher compared to the MDI-QDS without OTUH. Furthermore, our protocol does not need global phase tracking and phase locking compared to the twin-field scheme with single-photon interference referenced in Ref. [58], thus making our protocol more practical and easier to implement. The feasibility of the asynchronous distribution scheme has been experimentally qualified [21], which means that the realization of our proposed protocol is easier and not far from reality.

ACKNOWLEDGMENTS

This study was supported by the National Natural Science Foundation of China (No. 12274223) and the Program for Innovative Talents and Entrepreneurs in Jiangsu (No. JSSCRC2021484).

APPENDIX A LFSR-BASED TOEPLITZ HASH FUNCTION

An $(m,n)$ -family $H$ of hash functions is a collection of functions that map the set of binary strings of length $m$ into the set of binary strings of length $n$ [63]. The LFSR-based Toeplitz hash function can be expressed as

h_{p,s}(M)=H_{nm}\cdot M,

(7)

which can map the binary string $M$ of length $m$ to a binary string $h_{p,s}(M)$ of length $n$ , and the LFSR-based Toeplitz matrix $H_{nm}$ is a matrix of size n by m constructed from an irreducible polynomial $p(x)$ over GF(2) of degree $n$ and an initial state $s$ .

The $m$ -bits message $M$ can be represented as $(M_{0},M_{1},\cdots,M_{m-1})^{T}$ ; the initial state $s$ can be denoted as $(S_{n},S_{n-1},\cdots,S_{1})^{T}$ , and $p(x)$ is an irreducible polynomial over GF(2) of degree n, which can be expressed as $p(x)=x^{n}+p_{n-1}x^{n-1}+\cdots+p_{1}x+p_{0}$ . This polynomial is obviously characterized by its coefficients of the order of $x$ from $0$ to $n-1$ , so we could rewritten it as $p=(p_{n-1},p_{n-2},\cdots,p_{1},p_{0})^{T}$ . The matrix $H_{nm}$ could be constructed from $s$ and $p$ as follows [63, 58]:

First, we need to define an n-by-n matrix $W$ which is solely determined by the $p$ .

W=\begin{pmatrix}p_{n-1}&p_{n-2}&\cdots&p_{1}&p_{0}\\ 1&0&\cdots&0&0\\ 0&1&\cdots&0&0\\ \vdots&\vdots&\ddots&\vdots&\vdots\\ 0&0&\cdots&1&0\end{pmatrix},

(8)

From the definition of the matrix $W$ , we could find that, $p(x)$ is the characteristic polynomial of the matrix $W$ . Then according to Hamilton-Cayley theorem, $p(W)=0$ [64].

Applying this matrix $W$ to the vector $s$ , we could get $s_{1}=(S_{n+1},S_{n},\cdots,S_{2})^{T}$ , where $S_{n+1}=p\cdot s$ . We could see that the function of the matrix $W$ is to shift down each element of the vector s and prepend a new element $p\cdot s$ .

Repeating this operation $m-1$ times and denoting the vector $s$ as $s_{0}$ , we can get a set of vectors $\{s_{0},s_{1},\cdots,s_{m-1}\}$ satisfying:

s_{i+1}=W\cdot s_{i},

(9)

Since $s_{0}=s$ , we could express each element of this set with $W$ and $s$ as:

s_{i}=W^{i}\cdot s\ \ \ (0\leq i\leq m-1),

(10)

So we could get an n-by-m matrix $(s_{0},s_{1},\cdots,s_{m-1})$ , which has the ability to map a $m$ -bits vector to a $n$ -bits vector. This matrix is the LFSR-based Toeplitz matrix $H_{nm}$ we want.

H_{nm}=(s_{0},s_{1},\cdots,s_{m-1}),

(11)

We we can rewrite the function as:

\begin{split}h_{p,s}(M)&=H_{nm}\cdot M\\ &=(s_{0},s_{1},\cdots,s_{m-1})\cdot\begin{pmatrix}M_{0}\\ M_{1}\\ \vdots\\ M_{m-1}\end{pmatrix}\\ &=\mathcal{M_{W}}(W)\cdot s,\end{split}

(12)

in which we have:

\begin{split}\mathcal{M_{W}}(M)&=M_{m-1}\cdot W^{m-1}+M_{m-2}\cdot W^{m-2}+\cdots\\ &+M_{1}\cdot W+M_{0},\end{split}

(13)

So, if $p(x)|\mathcal{M_{W}}(x)$ , $\mathcal{M_{W}}(W)$ will be equal to $0$ , and then $h_{p,s}(M)=0$ .

APPENDIX B CALCULATION OF PARAMETERS

According to Eq. (1), to calculate the signature rate $R_{\text{sig}}$ , we need to calculate the length of raw key $n_{z}$ and the length of the signature $n$ after the distribution stage.

For the purpose of calculating these two parameters, there exist some parameters we need to estimate during the distribution stage, which includes the lower bound of vacuum events and single-photon pairs in the Z basis $\underline{s}_{0}^{z}$ and $\underline{s}_{11}^{z}$ ; the upper bound of the phase error rate $\overline{\phi}_{11}^{z}$ ; the length of the raw key $n_{z}$ ; and the bit error rate in the Z basis $E_{z}$ .

The overline and the underline represent the Chernoff bounds of the variables, which could be introduced as below [21, 65]:

Let $x$ represent the observed value and $x^{*}$ represent the expected value, and we have the upper and lower bounds of the observed value [21, 65]:

\begin{split}\overline{x}&=O^{U}(x^{*})\\ &=x^{*}+\frac{\beta}{2}+\sqrt{2\beta x^{*}+\frac{\beta^{2}}{4}},\end{split}

(14)

and

\begin{split}\underline{x}&=O^{L}(x^{*})\\ &=x^{*}-\sqrt{2\beta x^{*}},\end{split}

(15)

and the upper and lower bounds of the expected value:

\overline{x}^{*}=x+\beta+\sqrt{2\beta x+\beta^{2}},

(16)

and

\underline{x}^{*}=\max\{x-\frac{\beta}{2}-\sqrt{2\beta x+\frac{\beta^{2}}{4}},\ 0\},

(17)

where $\beta=\ln\epsilon^{-1}$ .

Furthermore, the random sampling theorem will also be applied in our calculation, which is given as below [21, 65]:

\overline{\chi}\leq\lambda+\gamma^{U}(n,k,\lambda,\epsilon),

(18)

where

\gamma^{U}(n,k,\lambda,\epsilon)=\frac{\frac{(1-2\lambda)AG}{n+k}+\sqrt{\frac{A^{2}G^{2}}{(n+k)^{2}}+4\lambda(1-\lambda)G}}{2+2\frac{A^{2}G}{(n+k)^{2}}},

(19)

in which

A=\max\{n,k\},

(20)

and

G=\frac{n+k}{nk}\ln(\frac{n+k}{2\pi nk\lambda(1-\lambda)\epsilon^{2}}).

(21)

When Alice and Bod send When Alice and Bob send intensities $k_{a}$ and $k_{b}$ with phase difference $\theta$ , the gain corresponding to only detector $L$ and $R$ click can be represented as below [21]:

\begin{split}q_{(k_{a}|k_{b})}^{\theta,L}&=y_{(k_{a}|k_{b})}^{R}e^{\eta_{d}^{R}\sqrt{\eta_{a}k_{a}\eta_{b}k_{b}}\cos\theta}\cdot\\ &\times(1-y_{(k_{a}|k_{b})}^{L}e^{-\eta_{d}^{L}\sqrt{\eta_{a}k_{a}\eta_{b}k_{b}}}\cos\theta),\end{split}

(22)

\begin{split}q_{(k_{a}|k_{b})}^{\theta,R}&=y_{(k_{a}|k_{b})}^{L}e^{-\eta_{d}^{L}\sqrt{\eta_{a}k_{a}\eta_{b}k_{b}}\cos\theta}\cdot\\ &\times(1-y_{(k_{a}|k_{b})}^{R}e^{\eta_{d}^{R}\sqrt{\eta_{a}k_{a}\eta_{b}k_{b}}}\cos\theta),\end{split}

(23)

in which $\eta_{a(b)}=10^{-\frac{\alpha l_{a(b)}}{10}}$ , and

\begin{split}y_{(k_{a}|k_{b})}^{L(R)}=(1-p_{d}^{L(R)})\cdot e^{-\frac{\eta_{d}^{L(R)}(\eta_{a}k_{a}+\eta_{b}k_{b})}{2}},\end{split}

(24)

where $\eta_{d}^{L(R)}$ and $p_{d}^{L(R)}$ represents the detection efficiency and the dark count rate of the detector $D_{L(R)}$ respectively. The overall gain $q_{(k_{a}|k_{b})}$ can be expressed as:

\begin{split}q_{(k_{a}|k_{b})}&=\frac{1}{2\pi}\int_{0}^{2\pi}(q_{(k_{a}|k_{b})}^{\theta,L}+q_{(k_{a}|k_{b})}^{\theta,R})d\theta\\ &=y_{(k_{a}|k_{b})}^{L}I_{0}(\eta_{d}^{L}\sqrt{\eta_{a}k_{a}\eta_{b}k_{b}})+y_{(k_{a}|k_{b})}^{R}I_{0}(\eta_{d}^{R}\sqrt{\eta_{a}k_{a}\eta_{b}k_{b}})-2y_{(k_{a}|k_{b})}^{L}y_{(k_{a}|k_{b})}^{R}\cdot I_{0}[(\eta_{L}-\eta_{R})\sqrt{\eta_{a}k_{a}\eta_{b}k_{b}}],\end{split}

(25)

where $I_{0}(x)$ refers to the zero-order modified Bessel function of the first kind.

Denote the probability of having a click event as $q_{\text{tot}}$ . Click filtering applied, $q_{\text{tot}}$ could be expressed as:

\begin{split}q_{\text{tot}}&=\sum_{k_{a},k_{b}}{p_{k_{a}}p_{k_{b}}q_{(k_{a}|k_{b})}}-p_{\mu_{a}}p_{\nu_{b}}q_{(\mu_{a}|\nu_{b})}\\ &-p_{\nu_{a}}p_{\mu_{b}}q_{(\nu_{a}|\mu_{b})}.\end{split}

(26)

The probability of at least one click event occurring following a given time bin with a click event within the time interval $T_{c}$ could be expressed as [21]:

q_{T_{c}}=1-(1-q_{\text{tot}})^{N_{T_{c}}},

(27)

where $N_{T_{c}}=FT_{c}$ is the number of time bins within the time interval $T_{c}$ , and $F$ is the system clock frequency, which can be found in Table I. Therefore, the total number of valid successful pairing results and the average of the pairing interval could be obtained:

n_{\text{tot}}=\frac{Nq_{\text{tot}}}{1+1/q_{T_{c}}},

(28)

T_{\text{mean}}=\frac{1-N_{T_{c}}q_{\text{tot}}(1/q_{T_{c}}-1)}{Fq_{\text{tot}}}.

(29)

Having calculated these parameters above, $n_{[k_{a}^{\text{tot}},k_{a}^{\text{tot}}]}$ , the total number of set $S_{[k_{a}^{\text{tot}},k_{a}^{\text{tot}}]}$ , could be obtained [21]. But this formula is inapplicable to the set $S_{[2\nu_{a},2\nu_{b}]}$ . The total number of set $S_{[k_{a}^{\text{tot}},k_{a}^{\text{tot}}]}(k_{a(b)}^{\text{tot}}\neq 2\nu_{a(b)})$ and $S_{[2\nu_{a},2\nu_{b}]}$ could be expressed respectively as follows:

\begin{split}n_{[k_{a}^{\text{tot}},k_{a}^{\text{tot}}]}=n_{\text{tot}}\times\sum_{k_{a}^{e}+k_{a}^{l}=k_{a}^{\text{tot}}}\sum_{k_{b}^{e}+k_{b}^{l}=k_{b}^{\text{tot}}}{\frac{p_{k_{a}^{e}}p_{k_{b}^{e}}q_{(k_{a}^{e}|k_{b}^{e})}}{q_{\text{tot}}}\frac{p_{k_{a}^{l}}p_{k_{b}^{l}}q_{(k_{a}^{l}|k_{b}^{l})}}{q_{\text{tot}}}}.\end{split}

(30)

\begin{split}n_{[2\nu_{a},2\nu_{b}]}=\frac{n_{\text{tot}}}{M\pi}\cdot\int_{0}^{2\pi}{(\frac{p_{\nu_{a}}p_{\nu_{b}}q_{(\nu_{a}|\nu_{b})}^{\theta}}{q_{\text{tot}}}\frac{p_{\nu_{a}}p_{\nu_{b}}q_{(\nu_{a}|\nu_{b})}^{\theta}}{q_{\text{tot}}})}d\theta,\end{split}

(31)

Furthermore, The total number of errors in the Z basis and X basis can be written as follows:

\begin{split}m_{[\mu_{a},\mu_{b}]}=n_{\text{tot}}\cdot(\frac{p_{\mu_{a}^{e}}p_{\mu_{b}^{e}}q_{(\mu_{a}^{e}|\mu_{b}^{e})}p_{o_{a}^{l}}p_{o_{b}^{l}}q_{(o_{a}^{l}|o_{b}^{l})}}{q_{\text{tot}}^{2}}+\frac{p_{o_{a}^{e}}p_{o_{b}^{e}}q_{(o_{a}^{e}|o_{b}^{e})}p_{\mu_{a}^{l}}p_{\mu_{b}^{l}}q_{(\mu_{a}^{l}|\mu_{b}^{l})}}{q_{\text{tot}}^{2}}),\end{split}

(32)

\begin{split}m_{[2\nu_{a},2\nu_{b}]}=&\frac{n_{\text{tot}}}{M\pi}\cdot\int_{0}^{2\pi}\Big{\{}(1-e_{d})\times\left[\frac{p_{\nu_{a}}^{2}p_{\nu_{b}}^{2}q_{(\nu_{a}|\nu_{b})}^{\theta,L}q_{(\nu_{a}|\nu_{b})}^{\theta+\delta,R}}{q_{\text{tot}}^{2}}+\frac{p_{\nu_{a}}^{2}p_{\nu_{b}}^{2}q_{(\nu_{a}|\nu_{b})}^{\theta,R}q_{(\nu_{a}|\nu_{b})}^{\theta+\delta,L}}{q_{\text{tot}}^{2}}\right]\\ &+e_{d}\cdot\left[\frac{p_{\nu_{a}}^{2}p_{\nu_{b}}^{2}q_{(\nu_{a}|\nu_{b})}^{\theta,L}q_{(\nu_{a}|\nu_{b})}^{\theta+\delta,L}}{q_{\text{tot}}^{2}}\frac{p_{\nu_{a}}^{2}p_{\nu_{b}}^{2}q_{(\nu_{a}|\nu_{b})}^{\theta,R}q_{(\nu_{a}|\nu_{b})}^{\theta+\delta,R}}{q_{\text{tot}}^{2}}\right]\Big{\}}d\theta,\end{split}

(33)

Where $e_{d}$ represents the misalignment error rate, which can be found in Table I. Then we could estimate the parameters we want.

(i) $\underline{s}_{0}^{z}$ : $\underline{s}_{0}^{z}$ is the lower bound of the observed value of the total number of vacuum components in the Z basis, which means that Alice sends a vacuum state in the Z basis. The lower bound of the expected value of the total number of vacuum components in the Z basis, $\underline{s}_{0}^{z*}$ , could be expressed as [21]:

\begin{split}\underline{s}_{0}^{z*}=\frac{e^{-\mu_{a}}p_{[\mu_{a},\mu_{b}]}}{p_{[o_{a},\mu_{b}]}}\underline{n}_{[o_{a},\mu_{b}]}^{*},\end{split}

(34)

where

\begin{split}p_{[k_{a}^{\text{tot}},k_{b}^{\text{tot}}]}=\sum_{k_{a}^{e}+k_{a}^{l}=k_{a}^{\text{tot}}}\sum_{k_{b}^{e}+k_{b}^{l}=k_{b}^{\text{tot}}}{\frac{p_{k_{a}^{e}}p_{k_{b}^{e}}}{p_{s}}\frac{p_{k_{a}^{l}}p_{k_{b}^{l}}}{p_{s}}},\end{split}

(35)

and

p_{s}=1-p_{\mu_{a}}p_{\nu_{b}}-p_{\nu_{a}}p_{\mu_{b}}.

(36)

According to Eqs. (34) (35) (36) and (15), the lower bound of the observed value of the total number of vacuum components in the Z basis $\underline{s}_{0}^{z}=O^{L}(\underline{s}_{0}^{z*})$ could be obtained.

(ii) $\underline{s}_{11}^{z}$ : $\underline{s}_{11}^{z}$ is the lower bound of the observed value of the number of single-photon pairs in the Z basis, which means that both Alice and Bob send a single-photon state in the Z basis. The lower bound of the expected value of the number of single-photon pairs in the Z basis, $\underline{s}_{11}^{z*}$ , could be expressed as [21]:

\begin{split}\underline{s}_{11}^{z*}&\geq\frac{e^{-\mu_{a}-\mu_{b}}p_{[\mu_{a},\mu_{b}]}}{\nu_{a}\nu_{b}(\mu^{\prime}-\nu^{\prime})}\\ &\times\left\{\mu_{a}\mu_{b}\mu^{\prime}\left(e^{\nu_{a}+\nu_{b}}\frac{\underline{n}_{[\nu_{a},\nu_{b}]}^{*}}{p_{[\nu_{a},\nu_{b}]}}\right.\right.\\ &\left.\left.-e^{\nu_{b}}\frac{\overline{n}_{[o_{a},\nu_{b}]}^{*}}{p_{[o_{a},\nu_{b}]}}-e^{\nu_{a}}\frac{\overline{n}_{[\nu_{a},o_{b}]}^{*}}{p_{[\nu_{a},o_{b}]}}+\frac{\underline{n}_{[o_{a},o_{b}]}^{*}}{p_{[o_{a},o_{b}]}}\right)\right.\\ &\left.-\nu_{a}\nu_{b}\nu^{\prime}\left(e^{\mu_{a}+\mu_{b}}\frac{\overline{n}_{[\mu_{a},\mu_{b}]}^{*}}{p_{[\mu_{a},\mu_{b}]}}\right.\right.\\ &\left.\left.-e^{\mu_{b}}\frac{\underline{n}_{[o_{a},\mu_{b}]}^{*}}{p_{[o_{a},\mu_{b}]}}-e^{\mu_{a}}\frac{\underline{n}_{[\mu_{a},o_{b}]}^{*}}{p_{[\mu_{a},o_{b}]}}+\frac{\underline{n}_{[o_{a},o_{b}]}^{*}}{p_{[o_{a},o_{b}]}}\right)\right\},\end{split}

(37)

where

\begin{split}&\mu^{\prime}=\mu_{a},\nu^{\prime}=\nu_{a}\ \qquad\text{if}\ \frac{\mu_{a}}{\mu_{b}}\leq\frac{\nu_{a}}{\nu_{b}}\\ &\mu^{\prime}=\mu_{b},\nu^{\prime}=\nu_{b}\ \qquad\text{if}\ \frac{\mu_{a}}{\mu_{b}}>\frac{\nu_{a}}{\nu_{b}}.\end{split}

(38)

According to Eqs. (37) (38) (35) (36) and (15), the lower bound of the observed value of the total number of single-photon pairs in the Z basis $\underline{s}_{11}^{z}=O^{L}(\underline{s}_{11}^{z*})$ could be obtained.

(iii) $n_{z}$ and $E_{z}$ : $n_{z}$ and $E_{z}$ each represents the length of the raw key without error correction and the bit error rate in the Z basis, which could be easily calculated through [21]

n_{z}=n_{[\mu_{a},\mu_{b}]},

(39)

and

E_{z}=\frac{m_{[\mu_{a},\mu_{b}]}}{n_{z}},

(40)

where $n_{[\mu_{a},\mu_{b}]}$ represents the total number of bits in the Z basis, and $m_{[\mu_{a},\mu_{b}]}$ represents the number of errors in the Z basis.

(iv) $\overline{\phi}_{11}^{z}$ : $\overline{\phi}_{11}^{z}$ is the upper bound of the phase error rate in the Z basis, which could be estimated from $e_{11}^{x}$ , the upper bound of the bit error rate of single-photon pair in the X basis. It could be expressed as [21]:

\overline{e}_{11}^{x}=\frac{\overline{t}_{11}^{x}}{\underline{s}_{11}^{x}},

(41)

in which $\overline{t}_{11}^{x}$ represents the upper bound of the observed value of the number of single-photon pair errors of the X basis and $\underline{s}_{11}^{x}$ represents the lower bound of the observed value of the number of single-photon pairs in the X basis.

The lower bound of the expected value of the number of single-photon pairs in the X basis could be expressed as:

\begin{split}\underline{s}_{11}^{x*}&\geq\frac{e^{-2\nu_{a}-2\nu_{b}}4p_{[2\nu_{a},2\nu_{b}]}}{\mu_{a}\mu_{b}(\mu^{\prime}-\nu^{\prime})}\\ &\times\left\{\mu_{a}\mu_{b}\mu^{\prime}\left(e^{\nu_{a}+\nu_{b}}\frac{\underline{n}_{[\nu_{a},\nu_{b}]}^{*}}{p_{[\nu_{a},\nu_{b}]}}\right.\right.\\ &\left.\left.-e^{\nu_{b}}\frac{\overline{n}_{[o_{a},\nu_{b}]}^{*}}{p_{[o_{a},\nu_{b}]}}-e^{\nu_{a}}\frac{\overline{n}_{[\nu_{a},o_{b}]}^{*}}{p_{[\nu_{a},o_{b}]}}+\frac{\underline{n}_{[o_{a},o_{b}]}^{*}}{p_{[o_{a},o_{b}]}}\right)\right.\\ &\left.-\nu_{a}\nu_{b}\nu^{\prime}\left(e^{\mu_{a}+\mu_{b}}\frac{\overline{n}_{[\mu_{a},\mu_{b}]}^{*}}{p_{[\mu_{a},\mu_{b}]}}\right.\right.\\ &\left.\left.-e^{\mu_{b}}\frac{\underline{n}_{[o_{a},\mu_{b}]}^{*}}{p_{[o_{a},\mu_{b}]}}-e^{\mu_{a}}\frac{\underline{n}_{[\mu_{a},o_{b}]}^{*}}{p_{[\mu_{a},o_{b}]}}+\frac{\underline{n}_{[o_{a},o_{b}]}^{*}}{p_{[o_{a},o_{b}]}}\right)\right\}.\end{split}

(42)

The upper bound of the number of single-photon pair errors of the X basis is:

\overline{t}_{11}^{x}\leq m_{[2\nu_{a},2\nu_{b}]}-\underline{m}_{[2\nu_{a},2\nu_{b}]}^{0},

(43)

where

\begin{split}\underline{m}_{[2\nu_{a},2\nu_{b}]}^{0*}&=e^{-2\nu_{a}}\frac{p_{[2\nu_{a},2\nu_{b}]}}{2p{[o_{a},2\nu_{b}]}}\underline{n}_{[o_{a},2\nu_{b}]}^{*}\\ &+e^{-2\nu_{b}}\frac{p_{[2\nu_{a},2\nu_{b}]}}{2p{[2\nu_{a},o_{b}]}}\underline{n}_{[2\nu_{a},o_{b}]}^{*}\\ &-e^{-2\nu_{a}-2\nu_{b}}\frac{p_{[2\nu_{a},2\nu_{b}]}}{2p{[o_{a},o_{b}]}}\overline{n}_{[o_{a},o_{b}]}^{*},\end{split}

(44)

which represents the expected value of the lower bound of the error bit number in the X basis given that at least one of Alice and Bob sends a vacuum component.

Then we could get the upper bound of the bit error rate of single-photon pair in the X basis from Eqs. (41) $-$ (44) and (15).

Using the random sampling without a replacement theorem, with a failure probability $\epsilon_{e}$ , we have the upper bound of a single-photon pair phase error rate in the Z basis[21] :

\overline{\phi}_{11}^{z}\leq\overline{e}_{11}^{x}+\gamma^{U}(\underline{s}_{11}^{z},\underline{s}_{11}^{x},\overline{e}_{11}^{x},\epsilon_{e}).

(45)

(v) $n$ : Setting the length of signature $n$ , the minimum length of $n$ that satisfies the security requirements, that is to say, satisfies Eq. (47), could be estimated with the calculated values of the parameters above by using the random sampling without replacement.[58, 65] The parameters in Eq. (47), $\underline{s}^{zn}_{0}$ , the lower bound of vacuum events in a $n$ -bit a selected key group, $\underline{s}^{zn}_{11}$ , the lower bound of single-photon pairs events in the $n$ -bit string, and $\underline{\phi}^{zn}_{11}$ , the upper bound of the phase error rate of single-photon pairs in the $n$ -bit string all need to satisfy [58]:

\begin{split}\underline{s}_{0}^{zn}&\geq n[\underline{s}_{0}^{z}/n_{z}-\gamma^{U}(n,n_{z}-n,\underline{s}_{0}^{z}/n_{z},\epsilon)],\\ \underline{s}^{zn}_{11}&\geq n[\underline{s}_{11}^{z}/n_{z}-\gamma^{U}(n,n_{z}-n,\underline{s}_{11}^{z}/n_{z},\epsilon)],\\ \overline{\phi}_{11}^{zn}&\leq\overline{\phi}_{11}^{z}+\gamma^{U}(\underline{s}_{11}^{zn},\underline{s}_{zz}^{z}-\underline{s}_{11}^{zn},\overline{\phi}_{11}^{z},\epsilon).\end{split}

(46)

Then we have:

\mathcal{H}_{n}\leq\underline{s}_{0}^{zn}+\underline{s}^{zn}_{11}[1-H({\color[rgb]{0,0,0}\overline{\phi}^{zn}_{11}})]-\lambda_{\rm EC},

(47)

which represents the total unknown information of the $n$ -bit string.

APPENDIX C SECURITY ANALYSIS

In order to disturb the authentication process, the attacker should try to make a difference in the results of the verification of Bob and Charlie [2]. Due to the existence of the leakage of information during the distribution stage, we divide this analysis into two parts. The first one takes the external attacker into account and the second one focuses on the QDS participants, mainly taking the internal attacker into account.

C.1 Attack from external attackers

Unlike quantum key distribution that generates keys with perfect secrecy, in our protocol the keys are imperfectly secret. Any possible attackers may obtain partial information on the keys [58]. For the convenience of describing, we set the $m$ -bits document $M$ , then we could obtain that $\text{Sig}=h(M)\oplus r$ , in which the function $h$ represents the hash function and the string $r$ represents the $Z_{a}$ in the description section. We could suppose the existence of an external attacker Eve, who has the ability to intercept and capture strings $\{\text{Sig},M\}$ , tamper with it, and send it to the recipient, who will examine the signal he received before accepting it.

Here we consider three types of attacks. The first one is to tamper the message randomly and relies entirely on fortune. The second one is to guess only $p_{a}$ . The third one is to guess the keys from the captured signature.

C.1.1 Tampering randomly

We imagine a classical information $X$ of n-bits, and the attacker has access to a quantum system $E$ whose state $\rho^{x}_{E}$ depends on $X$ . The attacker Eve can use $E$ to guess the string $X$ using an optimal strategy. We define $\mathcal{H}_{n}=H_{\text{min}}(X|E)_{\rho}$ as the min-entropy of $X$ and $E$ , which can be estimated from the distribution stage [58]. According to the definition of min-entropy [61], we could get the probability of Eve correctly guessing $X$ :

P_{\text{guess}}(X|E)=2^{-H_{\text{min}}(X|E)_{\rho}}=2^{-\mathcal{H}_{n}},

(48)

and the $\mathcal{H}_{n}$ could be estimated from:

\mathcal{H}_{n}\leq\underline{s}^{zn}_{0}+\underline{s}^{zn}_{11}[1-H({\color[rgb]{0,0,0}\overline{\phi}^{zn}_{11}})]-\lambda_{\rm EC},

(49)

where $f$ is the error correction efficiency; $\underline{s}^{zn}_{0}$ is the lower bound of vacuum events in the $n$ -bit string; $\underline{s}^{zn}_{11}$ is the lower bound of single-photon pairs events in the n-bit string; and $\underline{\phi}^{zn}_{11}$ represents the upper bound of the phase error rate of single-photon pairs in the n-bit string; $\lambda_{\rm EC}=nfH(E_{z})$ is the information consumed in the error correction stage of this string. All these parameters could be estimated from the distribution stage which is introduced in Appendix B

After capturing $\{M,\text{Sig}\}$ , what Eve should do is to tamper a new signal $\{M^{\prime},\text{Sig}^{\prime}\}$ and send it to the recipient, which will check that the signal satisfies $\text{Sig}^{\prime}=h(M^{\prime})\oplus r$ before accepting it. If the recipient accepts the $\{\text{Sig}^{\prime},M^{\prime}\}$ , this attack will be deemed successful. The core point of the tamper is to make the $\text{Sig}^{\prime}$ and $M^{\prime}$ meet $\text{Sig}^{{}^{\prime}}=h(M^{\prime})\oplus r$ , therefore, what the specific value of $\text{Sig}^{\prime}$ or $M^{\prime}$ is really does not matter so much. So, we can fix one of them and guess the other, and then the unknown information needing to be guessed is reduced to $n$ bits. So, for the first type of attack, $\mathcal{H}_{n}$ is equal to $n$ . The success probability of this attack is:

P_{1}=2^{-n}.

(50)

C.1.2 Guessing keys

From the discussion above, we could know that the essence of attack is to guess the encryption method, in other words, the hash function in our method. The LFSR-based Toeplitz hash function we use can be expressed as:

h(M)=H_{nm}\cdot M.

(51)

The crux of the function is the matrix $H_{nm}$ , which is generated using $Y_{a}$ and $p_{a}$ in the messaging stage. From the Appendix A, we could know that the attacker needs only to know $p_{a}$ , so that Eve can easily generate a message $m$ of m-bits which satisfies $h(m)=0$ , and the only requirement $m$ that needs to meet is $p_{a}(x)|m(x)$ , in which $p_{a}(x)$ and $m(x)$ are polynomials generated from $p_{a}$ and $m$ . We could get the success probability of this kind of attack [58].

P_{2}=m\cdot 2^{1-\mathcal{H}_{n}}=\epsilon_{\text{LFSR}}.

(52)

We can obviously find that $P_{2}=\epsilon_{\text{LFSR}}\geq P_{1}$ in most occasions.

C.1.3 Recovering keys from the signature

This type of attack means that the attacker will try to recover the keys from the signature captured. In order to perform this kind of attack, the attacker needs to guess $Z_{a}$ and then perform the recovering algorithm. This will obviously lead to a smaller success probability compared to $\epsilon_{\text{LFSR}}$ [58].

C.2 Attack from internal attackers

In this section we will put our attention on the QDS participants, considering the attackers from the internal, Alice or Bob. We don’t consider Charlie as the attacker because he plays the role of notary. We divide this section into three sections, each considering one type of attack or error.

C.2.1 Robustness

This part will mainly consider the failure probability of the protocol when there are no attackers from the inside and outside. In other words, the three parties—Alice, Bob and Charlie—are all truthful. Therefore, the failure only occurs when Alice and Bob or Charlie share different keys after distribution stage, which will happen if there are some errors in the process of error correction or classical message transmission. We denoted this probability $\epsilon_{\text{rob}}=2\varepsilon_{\text{cor}}+2\varepsilon^{\prime}$ , in which $\varepsilon_{\text{cor}}$ and $\varepsilon^{\prime}$ represents the error probability of error correction and classical message transmission, respectively.

C.2.2 Repudiation

This kind of attack means that Alice wants to repudiate the established signature which was accepted by Bob, by making it rejected by Charlie, the notary. To make it accepted by Bob, there must be no error in distribution stage, so the only scenario in which repudiation succeeds is when there are errors existing in the process of the key exchange step. So the success probability can be expressed as $\epsilon_{\text{rep}}=2\varepsilon^{\prime}$ .

C.2.3 Forgery

In this attack, Bob will play the role of the attacker who wants to tamper with the message sent from Alice and send it to Charlie. Comparing this attack with external attacks, we could find that this attack is equal to the external attack where Bob plays the role of an external attacker. So we could get the success probability [58]:

\epsilon_{\text{for}}=m\cdot 2^{1-\mathcal{H}_{n}}

(53)

From the discussion above, we see that the security bound of the scheme could be expressed as $\epsilon=\max\{\epsilon_{\text{rob}},\epsilon_{\text{rep}},\epsilon_{\text{for}}\}.$ Above all, according to Eqs. (53) and (49), the security bound $\epsilon$ increases linearly as the document volume $m$ increases, but decreases exponentially as the unknown information of the potential attacker $\mathcal{H}_{n}$ increases.

APPENDIX D SMOOTH MIN- AND MAX-ENTROPIES

The concept smooth min- and max-entropies is derived from the concept of min- and max-entropies, which is defined as below [61]:

Definition D.1.

Min-/Max-entropy: Let $\rho=\rho_{AB}$ be a bipartite density operator. The min-entropy of $A$ conditioned on $B$ is defined by:

H_{\text{min}}(A|B):=-\underset{\sigma_{B}}{\text{inf}}D_{\infty}(\rho_{AB}||id_{A}\otimes\sigma_{B}),

(54)

where the infimum ranges over all normalized density operators $\sigma_{B}$ on subsystem $B$ and where

D_{\infty}(\tau||\tau^{\prime}):=\text{inf}\{\lambda\in R:\tau\leq 2^{\lambda}\tau^{\prime}\}.

(55)

The max-entropy is defined by:

H_{\text{max}}(A|B):=-H_{\text{min}}(A|C),

(56)

where the min-entropy on the right-hand side is evaluated for a purification $\rho_{ABC}$ of $\rho_{AB}$ .

Subsequently, we elucidate the definition of the smooth min- and max-entropies [61], which is derived from min- and max-entropies for an optimal state $\rho^{\prime}$ in a $\varepsilon$ -neighborhood of $\rho$ .

Definition D.2.

Smooth Min-/Max-Entropy Let $\rho=\rho_{AB}$ be a bipartite density operator and let $\varepsilon\geq 0$ . The $\varepsilon$ -smooth min- and max-entropies of $A$ conditioned on $B$ are given by:

H_{\text{min}}^{\varepsilon}(A|B)_{\rho}:=\underset{\rho^{\prime}}{\text{sup}}H_{\text{min}}(A|B)_{\rho^{\prime}},

(57)

H_{\text{max}}^{\varepsilon}(A|B)_{\rho}:=\underset{\rho^{\prime}}{\text{inf}}H_{\text{max}}(A|B)_{\rho^{\prime}},

(58)

where the supremum ranges over all density operators $\rho^{\prime}=\rho^{\prime}_{AB}$ which are $\varepsilon$ -close to $\rho$ .

The smooth min- and max-entropies are closely related to quantum information and cryptography, which can help to analyze the length of the final key during the distribution through the theorems below [61]:

Theorem D.1.

Let $X$ be a classical random variable and let $B$ be (possibly quantum-mechanical) side information. The smooth min-entropy is closely related to randomness extraction, which can, in the context of cryptography, turn a (only partially secure) raw key $X$ into a fully secure key $f(X)$ which is uniform and independent of the side information $B$ [61].

The maximum number of uniform and independent bits that can be extracted from $X$ is directly given by the smooth min-entropy of $X$ . Let $l_{\mathrm{extr}}^{\varepsilon}(X|B)$ be the maximum length of a bit string that can be computed from $X$ such that $f(X)$ is $\varepsilon$ -close to a string which is perfectly uniform and independent of the side information $B$ . Then, the following connection exists:

l_{\mathrm{extr}}^{\varepsilon}(X|B)=H_{\mathrm{min}}^{\varepsilon^{\prime}}(X|B)+O(\mathrm{log}(1/\varepsilon)),

(59)

where $\varepsilon^{\prime}\in[\frac{1}{2}\varepsilon,2\varepsilon]$ .

Theorem D.2.

Considering a tripartite pure state $\ket{\Psi_{ABC}}$ , the smooth max-entropy is closely related to state merging, which aims to redistribute the $A$ -part to the system $B$ by local operations and classical communications (LOCC) between $A$ and $B$ . Depending on the (reduced) state, this either consumes or generates bipartite entanglement [61].

Let $l_{\mathrm{merg}}^{\varepsilon}(A|B)_{\rho}$ be the minimal (maximal) number of ebits of entanglement required (generated) by this process the distinction between consumed/generated entanglement is reflected by the sign of the quantity $l_{\mathrm{merg}}^{\varepsilon}(A|B)_{\rho}$ ], such that the outcome is $\varepsilon$ -close to the desired output. Then, the following connection exists:

l_{\mathrm{merg}}^{\varepsilon}(A|B)_{\rho}=H_{\mathrm{max}}^{\varepsilon^{\prime}}(A|B)_{\rho}+O(\mathrm{log}1/\varepsilon),

(60)

where $\varepsilon^{\prime}\in[\frac{1}{2}\varepsilon,2\varepsilon]$ .

Supposing an eavesdropper Eve, we define $\bm{Z}$ as the raw key and $\bm{E}$ as the information of Eve learned from $\bm{Z}$ before error correction. We also define $\bm{Z}^{\prime}$ as the key after error correction and $\bm{E}^{\prime}$ as all information of Eve learned from $\bm{Z}$ after error correction. Let $\mathbb{H}$ denote the maximum length of a bit string that can be computed from $Z$ and $\varepsilon$ -secure from the side information $E^{\prime}$ , i.e., $H_{\text{min}}^{\varepsilon}(\bm{Z}|\bm{E}^{\prime})$ , according to Theorem D.1. And we can easily get the expression of $H_{\text{min}}^{\varepsilon}(\bm{Z}|\bm{E}^{\prime})$ in accordance with Definition D.1 D.2, Theorem D.1 D.2 and the chain-rule inequality for smooth entropies [66]:

\begin{split}\mathbb{H}\geq H_{\text{min}}^{\varepsilon}(\bm{Z}|\bm{E})-H_{\text{max}}^{\varepsilon_{\text{cor}}}(\bm{Z}^{\prime}|\bm{Z}).\end{split}

(61)

Denote $H_{\text{min}}^{\varepsilon}(\bm{Z}|\bm{E})$ as $H_{\text{min}}^{\varepsilon}$ and $H_{\text{max}}^{\varepsilon_{\text{cor}}}(\bm{Z}^{\prime}|\bm{Z})$ as $H_{\text{max}}^{\varepsilon_{\text{cor}}}$ , then Eq.(61) could be simplified into Eq. (2) in Section III.

Split $\bm{Z}$ into three parts: $\bm{Z}_{0}$ , $\bm{Z}_{11}$ and $\bm{Z}_{\text{rest}}$ , where $\bm{Z}_{0}$ s the bits where Alice sent a vacuum state, $\bm{Z}_{11}$ is the bits where both Alice and Bob sent a single photon and $\bm{Z}_{\text{rest}}$ is the rest of bits. Using a chain-rule for smooth entropies [66], we could get the expression:

\begin{split}&H_{\text{min}}^{\varepsilon}(\bm{Z}|\bm{E})\geq H_{\text{min}}^{\varepsilon^{\prime}+2\varepsilon_{e}+(\hat{\varepsilon}+2\hat{\varepsilon}^{\prime}+\hat{\varepsilon}^{\prime\prime})}(\bm{Z}_{0}\bm{Z}_{11}\bm{Z}_{\text{rest}}|\bm{E})\\ &\geq s_{0}^{z}+H_{\text{min}}^{\varepsilon_{e}}(\bm{Z}_{11}|\bm{Z}_{0}\bm{Z}_{\text{rest}}E)-2\text{log}_{2}\frac{2}{\varepsilon^{\prime}\hat{\varepsilon}},\end{split}

(62)

where $\varepsilon=\varepsilon^{\prime}+2\varepsilon_{e}+(\hat{\varepsilon}+2\hat{\varepsilon}^{\prime}+\hat{\varepsilon}^{\prime\prime})$ .

Using the entropic uncertainty relation [67], we have:

\begin{split}H_{\text{min}}^{\varepsilon_{e}}(\bm{Z}_{11}|\bm{Z}_{0}\bm{Z}_{\text{rest}}E)&\geq s_{11}^{z}-H_{\text{max}}^{\varepsilon_{e}}(\bm{X}_{11}|\bm{X}^{\prime}_{11})\\ &\geq s_{11}^{z}[1-H(\phi_{11}^{z})].\end{split}

(63)

According to Eqs. (62) (63), we could get Eq. (3). Furthermore, the amount of bit information consumed during the error correction step could be expressed as:

\begin{split}H_{\text{max}}^{\varepsilon_{\text{cor}}}(\bm{Z}^{\prime}|\bm{Z})&=\lambda_{EC}+\text{log}_{2}(\frac{2}{\varepsilon_{\text{cor}}})\\ &=n_{z}fH(E_{z})+\text{log}_{2}(\frac{2}{\varepsilon_{\text{cor}}}),\\ &\end{split}

(64)

where $f$ is the error correction efficiency. It can be rewritten as Eq. (4).

According to Eqs. (61)-(64), we have:

\begin{split}\mathbb{H}&=H_{\text{min}}^{\varepsilon}(\bm{Z}|\bm{E}^{\prime})\\ &\geq s_{0}^{z}+s_{11}^{z}[1-H(\phi_{11}^{z})]-n_{z}fH(E_{z})\\ &\quad-2\text{log}_{2}(\frac{2}{\varepsilon^{\prime}\hat{\varepsilon}})-\text{log}_{2}(\frac{2}{\varepsilon_{\text{cor}}}),\end{split}

(65)

where $\varepsilon_{\text{sec}}=2(\varepsilon^{\prime}+2\varepsilon_{e}+\hat{\varepsilon}+2\hat{\varepsilon}^{\prime}+\hat{\varepsilon}^{\prime\prime})$ . Then, we could finally get Eq. (6) in Section III.

APPENDIX E SIMULATION DETAILS OF MDI-QDS

In the MDI-QDS [37], the KGP protocol used between Alice, Bob and Charlie is a four-intensity protocol [62]. We take the KGP between Alice and Bob as an example, during which Alice and Bob send pulses of intensity $k_{a(b)}\in\{\mu_{a(b)},\nu_{a(b)},\omega_{a(b)},o_{a(b)}\}$ . Here we denote the number and error number of detection events where Alice selects $k_{a}$ and Bob selects $k_{b}$ in the Z(X) basis as $n_{k_{a}k_{b}}^{z(x)}$ and $m_{k_{a}k_{b}}^{z(x)}$ . They can be given by:

\begin{split}n_{k_{a}k_{b}}^{z}=Np_{k_{a}}p_{k_{b}}(1-p_{d})^{2}&e^{-\frac{k_{a}\eta_{a}+k_{b}\eta_{b}}{2}}\left\{p_{d}\cdot[I_{0}(\sqrt{k_{a}\eta_{a}k_{b}\eta_{b}}-(1-p_{d})e^{-\frac{k_{a}\eta_{a}+k_{b}\eta_{b}}{2}}]\right.\\ &\left.+[1-(1-p_{d})e^{-\frac{k_{a}\eta_{a}}{2}}][1-(1-p_{d})e^{-\frac{k_{b}\eta_{b}}{2}}]\right\},\end{split}

(66)

n_{k_{a}k_{b}}^{x}=Np_{k_{a}}p_{k_{b}}y_{k_{a}k_{b}}^{2}[1+2y_{k_{a}k_{b}}^{2}-4y_{k_{a}k_{b}}I_{0}(\frac{\sqrt{k_{a}\eta_{a}k_{b}\eta_{b}}}{2})+I_{0}(\sqrt{k_{a}\eta_{a}k_{b}\eta_{b}})],

(67)

m_{k_{a}k_{b}}^{z}=Np_{k_{a}}p_{k_{b}}p_{d}(1-p_{d})^{2}e^{-\frac{k_{a}\eta_{a}+k_{b}\eta_{b}}{2}}[I_{0}(\sqrt{k_{a}\eta_{a}k_{b}\eta_{b}}-(1-p_{d})e^{-\frac{k_{a}\eta_{a}+k_{b}\eta_{b}}{2}}],

(68)

m_{k_{a}k_{b}}^{x}=Np_{k_{a}}p_{k_{b}}y_{k_{a}k_{b}}^{2}\left\{1+y_{k_{a}k_{b}}^{2}-2y_{k_{a}k_{b}}I_{0}(\frac{\sqrt{k_{a}\eta_{a}k_{b}\eta_{b}}}{2})+e_{d}[I_{0}(\sqrt{k_{a}\eta_{a}k_{b}\eta_{b}})-1]\right\},

(69)

where

y_{k_{a}k_{b}}=(1-p_{d})\cdot e^{-\frac{\eta_{d}(\eta_{a}k_{a}+\eta_{b}k_{b})}{2}},

(70)

and $e_{d}=0.04$ .

By using the decoy-state analysis and the double-scanning method [62], we can get the parameters of MDI-KGP as follows:

\begin{split}&\underline{n}_{0}^{z*}=\text{max}\left\{\frac{e^{-\mu_{a}}p_{\mu_{a}}}{p_{o_{a}}}\underline{n}^{z*}_{o_{a}\mu_{b}},\frac{e^{-\mu_{b}}p_{\mu_{b}}}{p_{o_{b}}}\underline{n}^{z*}_{\mu_{b}o_{a}}\right\},\\ &\underline{n}_{11}^{z*}=\frac{\mu_{a}\mu_{b}e^{-\mu_{a}-\mu_{b}}p_{\mu_{a}}p_{\mu_{b}}}{\nu_{a}\nu_{b}\omega_{a}\omega_{b}(\omega^{\prime}-\nu^{\prime})}\left(\underline{P}^{+*}-\overline{P}^{-*}+\underline{\hat{M}}^{*}-\overline{\hat{H}}^{*}\right),\\ &\overline{t}_{11}^{x*}=\frac{p_{\nu_{a}}p_{\nu_{b}}}{\omega_{a}\omega_{b}\omega^{\prime}e^{\nu_{a}+\nu_{b}}}\left(\hat{M}-\frac{\hat{H}}{2}\right),\\ &\overline{t}_{11}^{z*}=\frac{\mu_{a}\mu_{b}e^{-\mu_{a}-\mu_{b}}p_{\mu_{a}}p_{\mu_{b}}}{\nu_{a}\nu_{b}e^{-\nu_{a}-\nu_{b}}p_{\nu_{a}}p_{\nu_{b}}}\cdot\overline{t}_{11}^{x*},\\ &\overline{\phi}^{z}_{11}=\frac{\overline{t}_{11}^{x}}{\underline{n}_{11}^{z}},\\ &E_{z}=\frac{m^{z}_{\mu_{a}\mu_{b}}}{n^{z}_{\mu_{a}\mu_{b}}},\end{split}

(71)

in which

\begin{split}&\omega^{\prime}=\omega_{a},\nu^{\prime}=\nu_{a},\ \text{if}\frac{\omega_{a}}{\omega_{b}}\leq\frac{\nu_{a}}{\nu_{b}},\\ &\omega^{\prime}=\omega_{b},\nu^{\prime}=\nu_{b},\ \text{if}\frac{\omega_{a}}{\omega_{b}}>\frac{\nu_{a}}{\nu_{b}},\end{split}

(72)

and

\begin{split}&P^{+*}=\omega_{a}\omega_{b}\omega^{\prime}e^{\nu_{a}+\nu_{b}}\frac{(n_{\nu_{a}\nu_{b}}^{x}-m_{\nu_{a}\nu_{b}}^{x})^{*}}{p_{\nu_{a}}p_{\nu_{b}}}\\ &\ \ +\nu_{a}\nu_{b}\nu^{\prime}e^{\omega_{a}}\frac{n^{x*}_{\omega_{a}o_{b}}}{p_{\omega_{a}}p_{o_{b}}}+\nu_{a}\nu_{b}\nu^{\prime}e^{\omega_{b}}\frac{n^{x*}_{o_{a}\omega_{b}}}{p_{o_{a}}p_{\omega_{b}}}\\ &P^{-*}=\nu_{a}\nu_{b}\nu^{\prime}e^{\omega_{a}+\omega_{b}}\frac{n^{x*}_{\omega_{a}\omega_{b}}}{p_{\omega_{a}}p_{\omega_{b}}}+\nu_{a}\nu_{b}\nu^{\prime}\frac{n^{x*}_{o_{a}o_{b}}}{p_{o_{a}}p_{o_{b}}},\\ &\hat{M}^{*}=\omega_{a}\omega_{b}\omega^{\prime}e^{\nu_{a}+\nu_{b}}\frac{m^{x*}_{\nu_{a}\nu_{b}}}{p_{\nu_{a}}p_{\nu_{b}}},\\ &\hat{H}^{*}=\omega_{a}\omega_{b}\omega^{\prime}\left(e^{\nu_{b}}\frac{n_{o_{a}\nu_{b}}^{x*}}{p_{o_{a}}p_{\nu_{b}}}+e^{\nu_{a}}\frac{n_{\nu_{a}o_{b}}^{x*}}{p_{\nu_{a}}p_{o_{b}}}-\frac{n_{o_{a}o_{b}}^{x*}}{p_{o_{a}}p_{o_{b}}}\right).\end{split}

(73)

During the distribution, we scan $(\hat{H},\hat{M})$ to make the shared keys as secure as possible through the following programming:

\text{min}\ \ \ R

(74)

\begin{split}\text{such that}\ \ \ \ &\underline{\hat{H}}\leq\hat{H}\leq\overline{\hat{H}},\\ &\underline{\hat{M}}\leq\hat{M}\leq\overline{\hat{M}},\end{split}

(75)

where

\begin{split}R=&\frac{1}{N}\left\{\underline{n}_{0}^{z}+\underline{n}_{11}^{z}\left[1-H(\overline{\phi}^{z}_{11})\right]-\lambda_{EC}\right.\\ &\left.-\text{log}_{2}\frac{2}{\varepsilon_{\text{cor}}}-2\text{log}_{2}\frac{2}{\varepsilon^{\prime}\hat{\varepsilon}}-2\text{log}_{2}\frac{1}{2\varepsilon_{\text{PA}}}\right\}.\end{split}

(76)

and

\lambda_{EC}=n^{z}_{\mu_{a}\mu_{b}}fH(E_{z}).

(77)

Denote the total length of raw key $n^{z}_{\mu_{a}\mu_{b}}$ as $n_{z}$ . Denote the length of the signature as $L$ and the document volume as $m$ . The signature rate per pulse pair could be given by:

R_{sig}=\frac{n_{z}}{2Lm}.

(78)

in which, the length L is restricted by the security bound as follows [37]:

P(\text{honest abort})\leq 2e^{-(s_{a}-\overline{E}_{z})^{2}L}

(79)

P(\text{repudiation})\leq 2e^{-(\frac{s_{a}-s_{v}}{2})^{2}L}

(80)

P(\text{forge})\leq 2e^{-(p_{E}-s_{v})^{2}L}

(81)

where

s_{a}=\overline{E}_{z}+\frac{p_{E}-\overline{E}_{z}}{4},

(82)

s_{v}=\overline{E}_{z}+\frac{3(p_{E}-\overline{E}_{z})}{4},

(83)

and $p_{E}$ could be derived from:

c_{0}+c_{1}\left[1-H(\overline{\phi}^{z}_{11})\right]=H(p_{E}),

(84)

where $c_{0}=\underline{n}_{0}^{z}/n_{z}$ and $c_{1}=\underline{n}_{11}^{z}/n_{z}$ .

References

Menezes et al. [2018] A. J. Menezes, P. C. Van Oorschot, and S. A. Vanstone, Handbook of applied cryptography (CRC press, 2018).
Yin et al. [2023] H.-L. Yin, Y. Fu, C.-L. Li, C.-X. Weng, B.-H. Li, J. Gu, Y.-S. Lu, S. Huang, and Z.-B. Chen, Experimental quantum secure network with digital signatures and encryption, Natl. Sci. Rev. 10, nwac228 (2023).
Xu et al. [2020] F. Xu, X. Ma, Q. Zhang, H.-K. Lo, and J.-W. Pan, Secure quantum key distribution with realistic devices, Rev. Mod. Phys. 92, 025002 (2020).
Weng et al. [2023] C.-X. Weng, R.-Q. Gao, Y. Bao, B.-H. Li, W.-B. Liu, Y.-M. Xie, Y.-S. Lu, H.-L. Yin, and Z.-B. Chen, Beating the fault-tolerance bound and security loopholes for byzantine agreement with a quantum solution, Research 6, 0272 (2023).
Bennett and Brassard [2014] C. H. Bennett and G. Brassard, Quantum cryptography: Public key distribution and coin tossing, Theor. Comput. Sci. 560, 7 (2014), theoretical Aspects of Quantum Cryptography – celebrating 30 years of BB84.
Pirandola et al. [2020] S. Pirandola, U. L. Andersen, L. Banchi, M. Berta, D. Bunandar, R. Colbeck, D. Englund, T. Gehring, C. Lupo, C. Ottaviani, J. L. Pereira, M. Razavi, J. S. Shaari, M. Tomamichel, V. C. Usenko, G. Vallone, P. Villoresi, and P. Wallden, Advances in quantum cryptography, Adv. Opt. Photon. 12, 1012 (2020).
Chen et al. [2021] Y.-A. Chen, Q. Zhang, T.-Y. Chen, W.-Q. Cai, S.-K. Liao, J. Zhang, K. Chen, J. Yin, J.-G. Ren, Z. Chen, et al., An integrated space-to-ground quantum communication network over 4,600 kilometres, Nature (London) 589, 214 (2021).
Zhao et al. [2008] Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, Quantum hacking: Experimental demonstration of time-shift attack against practical quantum-key-distribution systems, Phys. Rev. A 78, 042333 (2008).
Lydersen et al. [2010] L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, Hacking commercial quantum cryptography systems by tailored bright illumination, Nat. Photon. 4, 686 (2010).
Lo et al. [2012] H.-K. Lo, M. Curty, and B. Qi, Measurement-device-independent quantum key distribution, Phys. Rev. Lett. 108, 130503 (2012).
Braunstein and Pirandola [2012] S. L. Braunstein and S. Pirandola, Side-channel-free quantum key distribution, Phys. Rev. Lett. 108, 130502 (2012).
Yin et al. [2016a] H.-L. Yin, T.-Y. Chen, Z.-W. Yu, H. Liu, L.-X. You, Y.-H. Zhou, S.-J. Chen, Y. Mao, M.-Q. Huang, W.-J. Zhang, H. Chen, M. J. Li, D. Nolan, F. Zhou, X. Jiang, Z. Wang, Q. Zhang, X.-B. Wang, and J.-W. Pan, Measurement-device-independent quantum key distribution over a 404 km optical fiber, Phys. Rev. Lett. 117, 190501 (2016a).
Pirandola et al. [2017] S. Pirandola, R. Laurenza, C. Ottaviani, and L. Banchi, Fundamental limits of repeaterless quantum communications, Nat. Commun. 8, 15043 (2017).
Das et al. [2021] S. Das, S. Bäuml, M. Winczewski, and K. Horodecki, Universal limitations on quantum key distribution over a network, Phys. Rev. X 11, 041016 (2021).
Takeoka et al. [2014] M. Takeoka, S. Guha, and M. M. Wilde, Fundamental rate-loss tradeoff for optical quantum key distribution, Nat. Commun. 5, 5235 (2014).
Azuma et al. [2015] K. Azuma, K. Tamaki, and W. J. Munro, All-photonic intercity quantum key distribution, Nat. Commun. 6, 10171 (2015).
Lucamarini et al. [2018] M. Lucamarini, Z. L. Yuan, J. F. Dynes, and A. J. Shields, Overcoming the rate–distance limit of quantum key distribution without quantum repeaters, Nature (London) 557, 400 (2018).
Xie et al. [2022] Y.-M. Xie, Y.-S. Lu, C.-X. Weng, X.-Y. Cao, Z.-Y. Jia, Y. Bao, Y. Wang, Y. Fu, H.-L. Yin, and Z.-B. Chen, Breaking the rate-loss bound of quantum key distribution with asynchronous two-photon interference, PRX Quantum 3, 020315 (2022).
Zeng et al. [2022] P. Zeng, H. Zhou, W. Wu, and X. Ma, Mode-pairing quantum key distribution, Nat. Commun. 13, 3903 (2022).
Zhu et al. [2023] H.-T. Zhu, Y. Huang, H. Liu, P. Zeng, M. Zou, Y. Dai, S. Tang, H. Li, L. You, Z. Wang, Y.-A. Chen, X. Ma, T.-Y. Chen, and J.-W. Pan, Experimental mode-pairing measurement-device-independent quantum key distribution without global phase locking, Phys. Rev. Lett. 130, 030801 (2023).
Zhou et al. [2023] L. Zhou, J. Lin, Y.-M. Xie, Y.-S. Lu, Y. Jing, H.-L. Yin, and Z. Yuan, Experimental quantum communication overcomes the rate-loss limit without global phase tracking, Phys. Rev. Lett. 130, 250801 (2023).
Zhu et al. [2024] H.-T. Zhu, Y. Huang, W.-X. Pan, C.-W. Zhou, J. Tang, H. He, M. Cheng, X. Jin, M. Zou, S. Tang, X. Ma, T.-Y. Chen, and J.-W. Pan, Field test of mode-pairing quantum key distribution (2024), arXiv:2403.09339 .
Cao et al. [2024] X.-Y. Cao, B.-H. Li, Y. Wang, Y. Fu, H.-L. Yin, and Z.-B. Chen, Experimental quantum e-commerce, Sci. Adv. 10, eadk3258 (2024).
Schiansky et al. [2023] P. Schiansky, J. Kalb, E. Sztatecsny, M.-C. Roehsner, T. Guggemos, A. Trenti, M. Bozzio, and P. Walther, Demonstration of quantum-digital payments, Nat. Commun. 14, 3849 (2023).
Jing et al. [2024] X. Jing, C. Qian, C.-X. Weng, B.-H. Li, Z. Chen, C.-Q. Wang, J. Tang, X.-W. Gu, Y.-C. Kong, T.-S. Chen, H.-L. Yin, D. Jiang, B. Niu, and L.-L. Lu, Experimental quantum byzantine agreement on a three-user quantum network with integrated photonics (2024), arXiv:2403.11441 .
Amiri and Andersson [2015] R. Amiri and E. Andersson, Unconditionally secure quantum signatures, Entropy 17, 5635 (2015).
Chaum and Roijakkers [1991] D. Chaum and S. Roijakkers, Unconditionally-secure digital signatures, in Advances in Cryptology-CRYPTO’ 90, edited by A. J. Menezes and S. A. Vanstone (Springer Berlin Heidelberg, Berlin, Heidelberg, 1991) pp. 206–214.
Hanaoka et al. [2000] G. Hanaoka, J. Shikata, Y. Zheng, and H. Imai, Unconditionally secure digital signature schemes admitting transferability, in International Conference on the Theory and Application of Cryptology and Information Security (2000).
Lamport et al. [1982] L. Lamport, R. Shostak, and M. Pease, The byzantine generals problem, ACM Trans. Program. Lang. Syst. 4, 382–401 (1982).
Gottesman and Chuang [2001] D. Gottesman and I. Chuang, Quantum digital signatures (2001), arXiv:quant-ph/0105032 .
Clarke et al. [2012] P. J. Clarke, R. J. Collins, V. Dunjko, E. Andersson, J. Jeffers, and G. S. Buller, Experimental demonstration of quantum digital signatures using phase-encoded coherent states of light, Nat. Commun. 3, 1174 (2012).
Dunjko et al. [2014] V. Dunjko, P. Wallden, and E. Andersson, Quantum digital signatures without quantum memory, Phys. Rev. Lett. 112, 040502 (2014).
Collins et al. [2014] R. J. Collins, R. J. Donaldson, V. Dunjko, P. Wallden, P. J. Clarke, E. Andersson, J. Jeffers, and G. S. Buller, Realization of quantum digital signatures without the requirement of quantum memory, Phys. Rev. Lett. 113, 040502 (2014).
Wallden et al. [2015] P. Wallden, V. Dunjko, A. Kent, and E. Andersson, Quantum digital signatures with quantum-key-distribution components, Phys. Rev. A 91, 042304 (2015).
Yin et al. [2016b] H.-L. Yin, Y. Fu, and Z.-B. Chen, Practical quantum digital signature, Phys. Rev. A 93, 032316 (2016b).
Amiri et al. [2016] R. Amiri, P. Wallden, A. Kent, and E. Andersson, Secure quantum signatures using insecure quantum channels, Phys. Rev. A 93, 032325 (2016).
Puthoor et al. [2016] I. V. Puthoor, R. Amiri, P. Wallden, M. Curty, and E. Andersson, Measurement-device-independent quantum digital signatures, Phys. Rev. A 94, 022328 (2016).
Shang et al. [2016] T. Shang, Q. Lei, and J. Liu, Quantum random oracle model for quantum digital signature, Phys. Rev. A 94, 042314 (2016).
Yang et al. [2017] Y.-G. Yang, Z.-C. Liu, J. Li, X.-B. Chen, H.-J. Zuo, Y.-H. Zhou, and W.-M. Shi, Theoretically extensible quantum digital signature with starlike cluster states, Quantum Inf. Process. 16, 12 (2017).
Thornton et al. [2019] M. Thornton, H. Scott, C. Croal, and N. Korolkova, Continuous-variable quantum digital signatures over insecure channels, Phys. Rev. A 99, 032341 (2019).
Qu et al. [2019] W. Qu, Y. Zhang, H. Liu, T. Dou, J. Wang, Z. Li, S. Yang, and H. Ma, Multi-party ring quantum digital signatures, J. Opt. Soc. Am. B 36, 1335 (2019).
Zhang et al. [2020] C.-M. Zhang, Y. Zhu, J.-J. Chen, and Q. Wang, Practical quantum digital signature with configurable decoy states, Quantum Inf. Process. 19, 151 (2020).
Lu et al. [2021] Y.-S. Lu, X.-Y. Cao, C.-X. Weng, J. Gu, Y.-M. Xie, M.-G. Zhou, H.-L. Yin, and Z.-B. Chen, Efficient quantum digital signatures without symmetrization step, Opt. Express 29, 10162 (2021).
Zhang et al. [2021] C.-H. Zhang, X. Zhou, C.-M. Zhang, J. Li, and Q. Wang, Twin-field quantum digital signatures, Opt. Lett. 46, 3757 (2021).
Zhao et al. [2021] W. Zhao, R. Shi, J. Shi, P. Huang, Y. Guo, and D. Huang, Multibit quantum digital signature with continuous variables using basis encoding over insecure channels, Phys. Rev. A 103, 012410 (2021).
Weng et al. [2021] C.-X. Weng, Y.-S. Lu, R.-Q. Gao, Y.-M. Xie, J. Gu, C.-L. Li, B.-H. Li, H.-L. Yin, and Z.-B. Chen, Secure and practical multiparty quantum digital signatures, Opt. Express 29, 27661 (2021).
Qin et al. [2022] J.-Q. Qin, C. Jiang, Y.-L. Yu, and X.-B. Wang, Quantum digital signatures with random pairing, Phys. Rev. Appl. 17, 044047 (2022).
Zhang et al. [2022] M.-H. Zhang, J.-H. Xie, J.-Y. Wu, L.-Y. Yue, C. He, Z.-W. Cao, and J.-Y. Peng, Practical long-distance twin-field quantum digital signatures, Quantum Inf. Process. 21, 150 (2022).
Yin et al. [2017a] H.-L. Yin, W.-L. Wang, Y.-L. Tang, Q. Zhao, H. Liu, X.-X. Sun, W.-J. Zhang, H. Li, I. V. Puthoor, L.-X. You, E. Andersson, Z. Wang, Y. Liu, X. Jiang, X. Ma, Q. Zhang, M. Curty, T.-Y. Chen, and J.-W. Pan, Experimental measurement-device-independent quantum digital signatures over a metropolitan network, Phys. Rev. A 95, 042338 (2017a).
Collins et al. [2016] R. J. Collins, R. Amiri, M. Fujiwara, T. Honjo, K. Shimizu, K. Tamaki, M. Takeoka, E. Andersson, G. S. Buller, and M. Sasaki, Experimental transmission of quantum digital signatures over 90 km of installed optical fiber using a differential phase shift quantum key distribution system, Opt. Lett. 41, 4883 (2016).
Yin et al. [2017b] H.-L. Yin, Y. Fu, H. Liu, Q.-J. Tang, J. Wang, L.-X. You, W.-J. Zhang, S.-J. Chen, Z. Wang, Q. Zhang, T.-Y. Chen, Z.-B. Chen, and J.-W. Pan, Experimental quantum digital signature over 102 km, Phys. Rev. A 95, 032334 (2017b).
Roberts et al. [2017] G. Roberts, M. Lucamarini, Z. Yuan, J. Dynes, L. Comandar, A. Sharpe, A. Shields, M. Curty, I. Puthoor, and E. Andersson, Experimental measurement-device-independent quantum digital signatures, Nat. Commun. 8, 1098 (2017).
Zhang et al. [2018] C.-H. Zhang, X.-Y. Zhou, H.-J. Ding, C.-M. Zhang, G.-C. Guo, and Q. Wang, Proof-of-principle demonstration of passive decoy-state quantum digital signatures over 200 km, Phys. Rev. Appl. 10, 034033 (2018).
An et al. [2019] X.-B. An, H. Zhang, C.-M. Zhang, W. Chen, S. Wang, Z.-Q. Yin, Q. Wang, D.-Y. He, P.-L. Hao, S.-F. Liu, X.-Y. Zhou, G.-C. Guo, and Z.-F. Han, Practical quantum digital signature with a gigahertz bb84 quantum key distribution system, Opt. Lett. 44, 139 (2019).
Ding et al. [2020] H.-J. Ding, J.-J. Chen, L. Ji, X.-Y. Zhou, C.-H. Zhang, C.-M. Zhang, and Q. Wang, 280-km experimental demonstration of a quantum digital signature with one decoy state, Opt. Lett. 45, 1711 (2020).
Richter et al. [2021] S. Richter, M. Thornton, I. Khan, H. Scott, K. Jaksch, U. Vogl, B. Stiller, G. Leuchs, C. Marquardt, and N. Korolkova, Agile and versatile quantum communication: Signatures and secrets, Phys. Rev. X 11, 011038 (2021).
Pelet et al. [2022] Y. Pelet, I. V. Puthoor, N. Venkatachalam, S. Wengerowsky, M. Lončarić, S. P. Neumann, B. Liu, Željko Samec, M. Stipčević, R. Ursin, E. Andersson, J. G. Rarity, D. Aktas, and S. K. Joshi, Unconditionally secure digital signatures implemented in an eight-user quantum network, New J. Phys. 24, 093038 (2022).
Li et al. [2023] B.-H. Li, Y.-M. Xie, X.-Y. Cao, C.-L. Li, Y. Fu, H.-L. Yin, and Z.-B. Chen, One-time universal hashing quantum digital signatures without perfect keys, Phys. Rev. Appl. 20, 044011 (2023).
Brassard and Salvail [1994] G. Brassard and L. Salvail, Secret-key reconciliation by public discussion, in Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology, EUROCRYPT ’93 (Springer-Verlag, Berlin, Heidelberg, 1994) p. 410–423.
Yan et al. [2008] H. Yan, T. Ren, X. Peng, X. Lin, W. Jiang, T. Liu, and H. Guo, Information reconciliation protocol in quantum key distribution system, in 2008 Fourth International Conference on Natural Computation, Vol. 3 (2008) pp. 637–641.
Konig et al. [2009] R. Konig, R. Renner, and C. Schaffner, The operational meaning of min- and max-entropy, IEEE Trans. Inf. Theory 55, 4337 (2009).
Jiang et al. [2021] C. Jiang, Z.-W. Yu, X.-L. Hu, and X.-B. Wang, Higher key rate of measurement-device-independent quantum key distribution through joint data processing, Phys. Rev. A 103, 012402 (2021).
Krawczyk [1994] H. Krawczyk, Lfsr-based hashing and authentication, in Advances in Cryptology — CRYPTO ’94, edited by Y. G. Desmedt (Springer Berlin Heidelberg, Berlin, Heidelberg, 1994) pp. 129–139.
Mertzios and Christodoulou [1986] B. Mertzios and M. Christodoulou, On the generalized cayley-hamilton theorem, IEEE Trans. Automat. Contr. 31, 156 (1986).
Yin et al. [2020] H.-L. Yin, M.-G. Zhou, J. Gu, Y.-M. Xie, Y.-S. Lu, and Z.-B. Chen, Tight security bounds for decoy-state quantum key distribution, Sci. Rep. 10, 14312 (2020).
Vitanov et al. [2013] A. Vitanov, F. Dupuis, M. Tomamichel, and R. Renner, Chain rules for smooth min- and max-entropies, IEEE Trans. Inf. Theory 59, 2603 (2013).
Tomamichel and Renner [2011] M. Tomamichel and R. Renner, Uncertainty relation for smooth entropies, Phys. Rev. Lett. 106, 110506 (2011).