Efficient Quantum Digital Signatures over Long Distances with Likely Bit Strings

Ji-Qian Qin State Key Laboratory of Low Dimensional Quantum Physics, Department of Physics,
Tsinghua University, Beijing 100084, China Zong-Wen Yu Data Communication Science and Technology Research Institute,
Beijing 100191, China Xiang-Bin Wang [email protected] State Key Laboratory of Low Dimensional Quantum Physics, Department of Physics,
Tsinghua University, Beijing 100084, China Jinan Institute of Quantum technology, SAICT, Jinan 250101, China Shanghai Branch, CAS Center for Excellence and Synergetic Innovation Center in Quantum Information and Quantum Physics, University of Science and Technology of China, Shanghai 201315, China Shenzhen Institute for Quantum Science and Engineering, and Physics Department, Southern University of Science and Technology, Shenzhen 518055, China Frontier Science Center for Quantum Information, Beijing 100084, China

Abstract

Quantum digital signatures (QDSs) can provide information-theoretic security of messages against forgery and repudiation. Compared with previous QDS protocols that focus on signing one-bit messages, hash function-based QDS protocols can save quantum resources and are able to sign messages of arbitrary length. Using the idea of likely bit strings, we propose an efficient QDS protocol with hash functions over long distances. Our method of likely bit strings can be applied to any quantum key distribution-based QDS protocol to significantly improve the signature rate and dramatically increase the secure signature distance of QDS protocols. In order to save computing resources, we propose an improved method where Alice participates in the verification process of Bob and Charlie. This eliminates the computational complexity relating to the huge number of all likely strings. We demonstrate the advantages of our method and our improved method with the example of sending-or-not-sending QDS. Under typical parameters, both our method and our improved method can improve the signature rate by more than $100$ times and increase the signature distance by about $150$ km compared with hash function-based QDS protocols without likely bit strings.

I Introduction

Digital signature [1] is a useful technique for guaranteeing the security of message transfer among the signer and receivers, i.e., it can provide security of the message against forging and repudiation. Forgery means that a receiver accepts a message from a forger rather than from the signer and repudiation means that the signer can repudiate his or her signature. Different from classical digital signatures, quantum digital signatures (QDSs) [2] can provide information-theoretic security that does not depend on computational complexity.

With the removal of the two assumptions of quantum memory and secure quantum channels [3, 4, 5], QDS becomes practicable [6, 7, 8, 9, 10, 11, 12, 13]. Recently, there have been many breakthroughs [14, 15, 16, 17, 18, 19, 20, 21, 22]. in quantum key distribution (QKD). Based on mature QKD devices, one can sign one-bit messages with bit strings generated by quantum communication of QKD [5]. The sending-or-not-sending (SNS) protocol [19] can tolerate large misalignment error, while retaining measurement device independent (MDI) security and a high key rate of twin-field (TF) QKD [18] on the scale of the square root of channel transmittance. Naturally, SNS QDS has higher efficiency over long distances [23, 24] compared with BB84 (the quantum key distribution scheme developed by Bennett and Brassard in 1984) QDS and MDI QDS.

Compared with one-bit messages, QDS of multibit messages is more practicable. It would be inefficient to simply iterate a QDS based on one-bit messages to sign multibit messages. In classical digital signature, one can use the hash function method to sign multibit messages [25, 26] with classical secure keys. Naturally, if we replace the classical secure keys here by the secure final keys from QKD, one can have a type of QDS with quantum security. In this type of implementation, the secure distance of QDS is just that of QKD. To further improve the secure distance and signature rate of QDS, here, using the idea of likely bit strings [5], we propose to use the raw key without any error correction or private amplification to sign multibit messages. Note that the method given in Ref. [5] is for one-bit messages, whereas we design a new hash function-based QDS protocol to sign messages of arbitrary length. Moreover, different from Refs. [27, 28, 29], which use final keys (with error correction and private amplification) as well as hash functions to sign and verify messages of arbitrary length, using the idea of likely bit strings, we perform the QDS protocol with raw keys as well as hash functions. We then propose an improved method where Alice participates in the verification process of Bob and Charlie. This improved method removes the computational complexity such as listing the huge number of hashing values of all likely strings.

II quantum digital signature with likely bit strings

Consider a QDS protocol with one signer and two receivers. As shown in Fig. 1, Alice is a signer and Bob and Charlie are two receivers. In order to avoid misunderstanding, we emphasize that, different from the usual use of Charlie for an unreliable relay’s name in MDI QKD, here we use Charlie for one receiver’s name. Alice signs the $m$ -bit message $M$ , and Bob (Charlie) decides whether to accept $M$ based on the result of comparison between the actual digests and the expected digests, where the generation of digests requires hash functions [26] derived from associated bit strings among the signer and receivers. In our QDS protocol, instead of using final keys of QKD to generate hash functions, we use raw keys to generate hash functions.

Alice and Bob (Charlie) perform a key-generating protocol (KGP) to generate the associated bit strings $X^{B}_{A}$ and $X^{B}$ ( $X^{C}_{A}$ and $X^{C}$ ), where $X^{B}_{A}$ ( $X^{C}_{A}$ ) belongs to Alice and $X^{B}$ ( $X^{C}$ ) belongs to Bob (Charlie). The KGP is the quantum communication of QKD, and there are many kinds, including BB84 [30], MDI [15, 14, 16, 31], SNS TF [18, 19], etc. After performing the KGP, Alice, Bob, and Charlie each have bit strings $\{X^{A},X^{B},X^{C}\}$ with $n$ bits, where $X^{A}=X^{B}_{A}\oplus X^{C}_{A}$ , and $\oplus$ denotes bit addition modulo $2$ . They use the same process to generate another set of associated bit strings $\{Y^{A},Y^{B},Y^{C}\}$ with $2n$ bits, where $Y^{A}=Y^{B}_{A}\oplus Y^{C}_{A}$ and $Y^{B}_{A}$ , $Y^{B}$ ( $Y^{C}_{A}$ , $Y^{C}$ ) are generated in KGP between Alice and Bob (Charlie). We denote the bit-flip error rate between bit strings $X_{A}^{B}$ and $X^{B}$ , $Y_{A}^{B}$ and $Y^{B}$ , $X_{A}^{C}$ and $X^{C}$ , and $Y_{A}^{C}$ and $Y^{C}$ as $e_{1}$ , $e_{2}$ , $e_{3}$ , and $e_{4}$ , respectively.

Refer to caption — Figure 1: Our efficient QDS over long distances with likely bit strings. Alice is a signer and sends the message and the corresponding signature $(M,S)$ to a receiver, Bob. Bob forwards $(M,S)$ to another receiver Charlie, along with the bit strings and the corresponding bit-flip error rates $(X^{B},e_{1},Y^{B},e_{2})$ . Then, Charlie sends the bit strings and the corresponding bit-flip error rates $(X^{C},e_{3},Y^{C},e_{4})$ to Bob. Bob (Charlie) determines whether to accept the message $M$ based on the result of the comparison function $\mathbb{C}^{B}$ (11) ( $\mathbb{C}^{C}$ (18)).

II.1 Signing stage

Alice uses local $n$ -bit quantum random numbers $p^{A}$ to randomly generate an irreducible polynomial $p$ of degree $n$ [25, 28]. After that, based on the irreducible polynomial and the local bit string $X^{A}$ , Alice generates a linear feedback shift register (LFSR)-based Toeplitz matrix [26] $H^{A}$ with $n$ rows and $m$ columns, where $n$ and $m$ are the lengths of $X^{A}$ and message $M$ , respectively. Alice acts the matrix $H^{A}$ on the message $M$ to generate the hash value $h$ ,

H^{A}\cdot M=h,

(1)

where $h$ is a vector of $n$ bits. It should be noted that in practice, the LFSR-based Toeplitz matrix and the hash value can be computed simultaneously in order to reduce the time consumption. In order to make it easier to understand, we present it in a step-by-step manner in this work.

Based on the above steps, Alice generates a digest $D$ of message $M$ ,

D=(h,p^{A}),

(2)

where $D$ is a $2n$ -bit string consisting of $h$ with $n$ bits and $p^{A}$ with $n$ bits.

Next, Alice encrypts the digest $D$ with a bit string $Y^{A}$ with $2n$ bits to generate the signature $S$ of the message $M$ ,

S=D\oplus Y^{A}.

(3)

At the end of the signing stage, Alice sends the message along with the corresponding signature $(M,S)$ to a receiver for verification.

II.2 Verification stage

The receivers Bob and Charlie generate a series of likely bit strings based on the local bit strings and the bit-flip error rates. They use these likely bit strings for verification.

II.2.1 Verification of Bob

As shown in Fig. 1, when Bob receives the message and the corresponding signature $(M,S)$ from Alice, he forwards them to Charlie and sends the local bit strings and the corresponding bit-flip error rates $(X^{B},e_{1},Y^{B},e_{2})$ to Charlie. Then, Charlie sends the local bit string and the corresponding bit-flip error rates $(X^{C},e_{3},Y^{C},e_{4})$ to Bob.

Based on the bit strings $X^{B}$ , $X^{C}$ and the corresponding bit-flip error rates $e_{1}$ , $e_{3}$ , Bob generates a series of likely bit strings $\{K_{i}^{XB}\}$ locally,

\{K_{i}^{XB}\}=f(X^{B}\oplus X^{C},e_{1},e_{3}),

(4)

where $i=1,2,\dots,n_{x}$ , and $n_{x}$ is the number of likely bit strings,

\begin{split}&n_{x}=2^{nH_{2}(E_{x})}.\\ \end{split}

(5)

in which $H_{2}(.)$ is the binary Shannon entropy. The function $f(X^{B}\oplus X^{C},e_{1},e_{3})$ means that based on the bit string $X^{B}\oplus X^{C}$ and the corresponding bit-flip error rate $E_{x}$ , which has a maximum value of $(e_{1}+e_{3})$ , Bob can generate likely bit strings $\{K_{i}^{XB}\}$ relative to $X^{A}$ , i.e., $X^{A}\in\{K_{i}^{XB}\}$ .

Similarly, Bob can generate a series of likely bit strings $\{K^{YB}_{j}\}$ relative to $Y^{A}$ ,

\{K^{YB}_{j}\}=f(Y^{B}\oplus Y^{C},e_{2},e_{4}),

(6)

where $j=1,2,\dots,n_{y}$ , and $n_{y}$ is the number of likely bit strings,

\begin{split}&n_{y}=2^{2nH_{2}(E_{y})}.\\ \end{split}

(7)

The function $f(Y^{B}\oplus Y^{C},e_{2},e_{4})$ means that, based on the bit string $Y^{B}\oplus Y^{C}$ and the corresponding bit-flip error rate $E_{y}$ , which has a maximum value of $(e_{2}+e_{4})$ , Bob can generate likely bit strings $\{K^{YB}_{j}\}$ relative to $Y^{A}$ , i.e., $Y^{A}\in\{K_{j}^{YB}\}$ . Of course, the bit-flip error rates $E_{x}$ and $E_{y}$ must satisfy $E_{x},\ E_{y}\in(0,0.5)$ .

After generating the likely bit strings locally, Bob decrypts the signature $S$ with likely bit strings $\{K_{j}^{YB}\}$ to obtain $n_{y}$ expected digests,

S\oplus\{K_{j}^{YB}\}=\{(h_{j}^{B},p_{j}^{B})\},

(8)

where $j=1,2,\dots,n_{y}$ .

Bob then judges whether the expected hash values received from Alice have been generated from one likely bit string according to the expected hash values he received and his own raw keys. Bob can do this job in the following way, for example: Bob generates $n_{x}n_{y}$ LFSR-based Toeplitz matrices [26] $\{H_{i,j}^{B}\}$ based on likely bit strings $\{K_{i}^{XB}\}$ and $\{p_{j}^{B}\}$ . After that, Bob performs $n_{x}n_{y}$ LFSR-based Toeplitz matrices $\{H_{i,j}^{B}\}$ on the message $M$ to obtain $n_{x}n_{y}$ actual hash values,

\{H^{B}_{i,j}\}\cdot M=\{\mathbb{h}^{B}_{i,j}\},

(9)

which together with $\{p_{j}^{B}\}$ form actual digests,

\{(\mathbb{h}^{B}_{i,j},p_{j}^{B})\}.

(10)

Finally, Bob compares expected digests $\{(h_{j}^{B},p_{j}^{B})\}$ (8) with actual digests $\{(\mathbb{h}_{i,j}^{B},p_{j}^{B})\}$ (10) using the following comparison function $\mathbb{C}^{B}$ ,

\mathbb{C}^{B}=\left\{\begin{array}[]{l}1\quad\exists\ C_{i,j}^{B}=1,\\ 0\quad\mathrm{else},\\ \end{array}\right.

(11)

where $C^{B}_{i,j}$ is

C^{B}_{i,j}=\left\{\begin{array}[]{l}1\quad h_{j}^{B}=\mathbb{h}_{i,j}^{B},\\ 0\quad\mathrm{else}.\\ \end{array}\right.

(12)

Obviously, this comparison function implies that Bob makes at most $n_{x}n_{y}$ comparisons. If $\mathbb{C}_{B}=1$ , Bob accepts the message $M$ ; otherwise, Bob rejects the message $M$ .

II.2.2 Verification of Charlie

Charlie uses similar steps to generate the following two sets of likely bit strings $\{K^{XC}_{i}\}$ and $\{K^{YC}_{j}\}$ ,

\{K^{XC}_{i}\}=f(X^{B}\oplus X^{C},e_{1},e_{3}),

(13)

\{K^{YC}_{j}\}=f(Y^{B}\oplus Y^{C},e_{2},e_{4}),

(14)

where $i=1,2,\dots,n_{x}$ and $j=1,2,\dots,n_{y}.$

Then, Charlie decrypts the signature $S$ with $\{K_{j}^{YC}\}$ to obtain $n_{y}$ likely expected digests,

S\oplus\{K_{j}^{YC}\}=\{(h_{j}^{C},p_{j}^{C})\}.

(15)

Charlie then judges whether the expected hash values received from Bob have been generated from one likely bit string according to the expected hash values he received and his own raw keys. Charlie can do this job in the following way, for example: Based on likely bit strings $\{K_{i}^{XC}\}$ and $\{p_{j}^{C}\}$ , Charlie can obtain $n_{x}n_{y}$ LFSR-based Toeplitz matrices [26] $\{H_{i,j}^{C}\}$ . After that, Charlie performs $\{H_{i,j}^{C}\}$ on the message $M$ to obtain $n_{x}n_{y}$ actual hash values,

\{H^{C}_{i,j}\}\cdot M=\{\mathbb{h}^{C}_{i,j}\},

(16)

which together with $\{p_{j}^{C}\}$ form the actual digests,

\{(\mathbb{h}^{C}_{i,j},p_{j}^{C})\}.

(17)

Finally, Charlie compares expected digests $\{(h_{j}^{C},p_{j}^{C})\}$ (15) with actual digests $\{(\mathbb{h}_{i,j}^{C},p_{j}^{C})\}$ (17) using the following comparison function $\mathbb{C}^{C}$ ,

\mathbb{C}^{C}=\left\{\begin{array}[]{l}1\quad\exists\ C_{i,j}^{C}=1,\\ 0\quad\mathrm{else},\\ \end{array}\right.

(18)

where $C^{C}_{i,j}$ is

C^{C}_{i,j}=\left\{\begin{array}[]{l}1\quad h_{j}^{C}=\mathbb{h}_{i,j}^{C},\\ 0\quad\mathrm{else}.\\ \end{array}\right.

(19)

Obviously, this comparison function implies that Charlie makes at most $n_{x}n_{y}$ comparisons. If $\mathbb{C}_{C}=1$ , Charlie accepts the message $M$ ; otherwise, Charlie rejects the message $M$ .

III Security Analysis

In the QDS protocol with three participants, at most one participant is malicious due to the majority principle. We analyze the security of our QDS protocol in terms of forgery attacks, repudiation attacks, and robustness [5, 28].

First, we consider that Bob is malicious, i.e., he wants to launch a forgery attack. A successful forgery of Bob means that he can make Charlie accept a tampered message $M^{\prime}$ , where $M^{\prime}\neq M$ . In our protocol, Bob needs to send the message and the corresponding signature $(M,S)$ to Charlie before Charlie sends $X^{C}$ and $Y^{C}$ to Bob. Therefore, if Bob successfully guesses $X^{C}$ and $Y^{C}$ , then combined with $X^{B}$ and $Y^{B}$ , he can tamper with the message $M$ for Charlie to accept $M^{\prime}$ . The probability of successfully guessing the bit string $X^{C}$ and $Y^{C}$ in Charlie’s hand is

p_{g}\leq 2^{-n\cdot H_{2}(p_{e})},

(20)

where $p_{e}$ is the minimum rate at which Bob can make errors when guessing $X^{C}$ and satisfies

H_{2}(p_{e})=\Delta_{1}[1-H_{2}(e^{ph})],

(21)

in which $H_{2}(.)$ is the binary Shannon entropy, and $\Delta_{1}$ and $e^{ph}$ are the proportion of effective bits of a single-photon state in $X^{C}$ and the phase-flip error rate of $X^{C}$ , respectively. We define the bits generated in time windows of KGP where the clicks of detectors satisfy certain conditions as effective bits. For example, in SNS KGP [19], a bit generated in a time window with only one detector clicks is an effective bit.

In addition to guessing the bit strings of Charlie, Bob has another method of forgery, which is to directly construct a set of tampered messages and corresponding signatures $(M^{\prime},S^{\prime})$ for Charlie to accept, where $M^{\prime}\neq M$ and $S^{\prime}\neq S$ or $S^{\prime}=S$ . Because of the collision probability of LFSR-based Toeplitz matrices and the characteristics of our comparison function, Charlie may accept the tampered message $M^{\prime}$ with a very small probability. The collision refers to the situation where different messages correspond to the same hash value. The collision probability of LFSR-based Toeplitz matrices is at most $\frac{m}{2^{n-1}}$ [26], where $m$ is the length of the message and $n$ is the degree of irreducible polynomials used to generate the LFSR-based Toeplitz matrices. In our protocol, Charlie decides whether to accept the message based on the comparison function $\mathbb{C}_{C}$ (18), which compares the expected digests with the actual digests at most $n_{x}n_{y}$ times. For one fixed set of $(i,j)$ , the upper bound of the probability that the expected hash value $h_{j}^{C,M^{\prime}}$ and actual hash value $\mathbb{h}_{i,j}^{C,M^{\prime}}$ of $M^{\prime}$ satisfy $h_{j}^{C,M^{\prime}}=\mathbb{h}_{i,j}^{C,M^{\prime}}$ is $\frac{m}{2^{n-1}}$ . For other $(n_{x}n_{y}-1)$ sets of $(i,j)$ , the upper bound of the probability that the hash values of $M^{\prime}$ satisfy $h_{j}^{C,M^{\prime}}=\mathbb{h}_{i,j}^{C,M^{\prime}}$ is $(\frac{m}{2^{n-1}})^{2}$ . According to our comparison function, Charlie will reject $M^{\prime}$ only if the results of all $n_{x}n_{y}$ comparisons are not equal. As long as there is one equal comparison result, Charlie will accept $M^{\prime}$ . Therefore, the probability that Charlie accepts $(M^{\prime},S^{\prime})$ is

p_{h}\leq 1-(1-\frac{m}{2^{n-1}})[1-(\frac{m}{2^{n-1}})^{2}]^{n_{x}n_{y}-1}.

(22)

Combining the above two scenarios, the probability of Bob’s successful forgery is

p_{f}=\{p_{g},p_{h}\}_{\max}.

(23)

Next, we consider that Alice is malicious, i.e., she wants to deny her signature. If Alice can make Bob accept the message $M$ and Charlie reject $M$ , then she can deny the signed message, which is a successful repudiation attack. In our protocol, when Bob and Charlie are both honest, they generate the same possible bit strings locally, i.e., $\{K_{i}^{XB}\}=\{K_{i}^{XC}\}$ and $\{K_{j}^{YB}\}=\{K_{j}^{YC}\}$ . Then, they generate the same LFSR-based Toeplitz matrices locally as well. Therefore, if Bob accepts the message $M$ , then Charlie must also accept $M$ . So, the probability of successful repudiation is

p_{re}=0.

(24)

Finally, we need to analyze the robustness of our QDS protocol, i.e., the case where Bob rejects the message $M$ if all participants are honest. In this case, the likely bit strings $\{K_{i}^{XB}\}$ and $\{K_{j}^{YB}\}$ generated by Bob must contain $X^{A}$ and $Y^{A}$ , respectively, i.e., $X^{A}\in\{K_{i}^{XB}\}$ and $Y^{A}\in\{K_{j}^{YB}\}$ . According to our comparison function $\mathbb{C}_{B}$ (11), Bob must accept the message $M$ . Therefore, the probability that Bob rejects the message when all participants are honest is

p_{ro}=0.

(25)

Based on the above analysis, we can define $\varepsilon$ as the security level [5] of our QDS protocol:

Definition 1

( $\varepsilon$ -secure). If $\varepsilon$ satisfies

\varepsilon=\{p_{f},p_{re},p_{ro}\}_{\max},

(26)

then we say that the security level of the QDS protocol is $\varepsilon$ , or that the QDS protocol is $\varepsilon$ -secure.

IV Improved method

In our protocol, we have given an example of the way for receivers to verify that the expected hash values received from Alice have been generated from one likely bit string, by listing all possible hash values from likely strings. In order to save computing resources, here we propose an improved method where Alice is involved in the verification process. The improved method does not require large complex computing relating to the huge number of likely strings while keeping the good performance of QDS in terms of the signature rate and distance without consuming large computing resources.

IV.1 Improved protocol

In the signing stage of the protocol, Alice follows the steps described in Sec. II to generate the signature $S$ of message $M$ . At the end of the signing stage, Alice sends $(M,S)$ to a receiver for verification.

In the verification stage, Bob forwards $(M,S)$ received from Alice to Charlie and also sends the bit strings $(X^{B},Y^{B})$ to Charlie. Then Bob informs Alice that he has received $(M,S)$ . Next, Charlie sends the bit strings $(X^{C},Y^{C})$ to Bob and informs Alice that he has received $(M,S)$ . Alice separately verifies whether both Bob and Charlie have received $(M,S)$ . If both Bob and Charlie have received $(M,S)$ , then Alice publishes $(X^{A},Y^{A})$ ; otherwise, the protocol is terminated.

Bob verifies the message $M$ based on the local bit strings and the information published by Alice. Bob obtains the expected digest $D^{E}_{B}$ using $Y^{A}$ and $S$ ,

D^{E}_{B}=(h^{B},p^{B})=S\oplus Y^{A}.

(27)

Next, based on $X^{A}$ and $p^{B}$ , Bob generates the LFSR-based Toeplitz matrix $H^{B}$ and acts it on the message $M$ to obtain the actual hash value

H^{B}\cdot M=\mathbb{h}^{B}.

(28)

If $\mathbb{h}^{B}=h^{B}$ , Bob accepts the message $M$ ; otherwise, Bob rejects the message $M$ .

Charlie uses similar steps for verification. Charlie obtains the expected digest $D^{E}_{C}$ using $Y^{A}$ and $S$ ,

D^{E}_{C}=(h^{C},p^{C})=S\oplus Y^{A}.

(29)

Next, based on $X^{A}$ and $p^{C}$ , Charlie generates the LFSR-based Toeplitz matrix $H^{C}$ and acts it on the message $M$ to obtain the actual hash value

H^{C}\cdot M=\mathbb{h}^{C}.

(30)

If $\mathbb{h}^{C}=h^{C}$ , Charlie accepts the message $M$ ; otherwise, Charlie rejects the message $M$ .

IV.2 Security analysis of improved protocol

We can perform a similar security analysis of the improved protocol in terms of unforgeability, nonrepudiation and robustness using the methods in Sec. III. In our improved protocol, Alice will not publish $(X^{A},Y^{A})$ until she confirms that both Bob and Charlie have received $(M,S)$ . That is, Bob does not know the bit string $(X^{A},Y^{A})$ before he sends the message to Charlie. Therefore, for Bob, the probability that he makes Charlie accept the forged message is still $p_{f}$ (23), i.e., either due to successfully guessing Charlie’s local bit string $X^{C}$ , $Y^{C}$ or due to the collision probability of LFSR-based Toeplitz matrices. In terms of nonrepudiation, since both Bob and Charlie in the improved protocol use $(X^{A},Y^{A})$ published by Alice in their verification stage, their results of verification are consistent. Therefore, the probability of successful repudiation is still $p_{re}$ (24). In terms of robustness, when all participants are honest, Alice will publish bit $(X^{A},Y^{A})$ after she has confirmed that both Bob and Charlie have received $(M,S)$ . Then, Bob will obtain $\mathbb{h}^{B}=h^{B}$ using the bit string published by Alice. Thus Bob will accept the message $M$ when all participants are honest, i.e., the probability associated with robustness is still $p_{ro}$ (25). In general, the expression for the security level $\varepsilon$ of the improved protocol is the same as that (26) of the protocol introduced in Sec.II.

Compared with our protocol in Sec. II, our improved protocol can significantly reduce the computing resources without compromising security and efficiency. In our improved protocol, instead of using the old verification method, which may need large computing resources, such as listing all possible hash values from likely strings, Bob and Charlie utilize the bit strings published by Alice for verification, which completely eliminates the need for large computing resources.

V Discussion

Our protocol can be applied to any QKD-based QDS protocol. Using existing mature QKD devices, based on the idea of likely bit strings, we can implement efficient QDS over longer distances. We use the signature rate [23, 24] $R$ to describe the efficiency of the QDS protocol,

R=\frac{m}{2N},

(31)

where $m$ is the length of the message $M$ and $N$ is the total number of pulses in the KGP between Alice and Bob, i.e., the whole process of generating $X_{A}^{B}$ and $Y_{A}^{B}$ . The total number of pulses in the KGP between Alice and Charlie, i.e., the whole process of generating $X_{A}^{C}$ and $Y_{A}^{C}$ , in the symmetric case is also $N$ . Therefore, Eq. (31) has a factor of $2$ in the denominator.

We demonstrate the advantages of our method and improved method using QDS with SNS KGP [19] as an example. Alice performs the quantum communication of SNS QKD, i.e., SNS KGP, with Bob and Charlie, respectively, to generate the associated bit strings. After the associated bit strings are generated among the participants, the signing and verification steps can be performed as described in Sec. II and Sec. IV. In practical applications of QDS, the total number of pulses is finite. We need to estimate the parameters while considering the effects of finite data size. In our QDS protocol as well as security analysis, we need to obtain the bit-flip error rate $E$ , the proportion of effective bits of a single-photon state $\Delta_{1}$ , and the phase-flip error rate $e^{ph}$ of the associated bit strings. In the Appendix A, we describe in detail how to obtain these parameters.

In Fig. 2, considering the effects of finite data size, we compare the signature rate with our method, our improved method and the method using final keys. The solid line indicates the signature rate obtained by our method and our improved method, and the broken line indicates the signature rate obtained by the method of final keys. As can be seen in Fig. 2, both our method and our improved method can significantly improve the signature rate and dramatically increase the secure distance of QDS. The signature rate can be improved by more than $100$ times, and the secure distance can be increased by about $150$ km using our method or our improved method under the system parameters in Table 1 and the length of the message $m=10^{20}$ . It should be emphasized that, as introduced in Sec. IV, the improved method can improve the performance of QDS in terms of signature rate and distance as well as save computing resources.

Table 1: System parameters used in our numerical simulation. Notation:

\alpha

is the loss coefficient of the fiber;

e_{d}

is the misalignment error rate;

p_{d}

is the dark count rate of the detector;

\eta_{d}

is the efficiency of the detector;

\xi

and

\varepsilon_{p}

are failure probabilities in parameter estimation, which are described in detail in the Appendix A; and

\varepsilon

is the security level of our QDS protocol.

$\alpha$	$e_{d}$	$p_{d}$	$\eta_{d}$	$\xi$	$\varepsilon_{p}$	$\varepsilon$
$0.2\ \mathrm{dB/km}$	$2\%$	$10^{-8}$	$50\%$	$10^{-12}$	$10^{-10}$	$10^{-10}$

During the implementation of our protocol, the actual number of comparisons $n_{0}$ that the receiver needs to perform satisfies $n_{0}\leq n_{x}n_{y}$ . This is because, according to the characteristics of our comparison functions $\mathbb{C}^{B}$ (11) and $\mathbb{C}^{C}$ (18), as soon as an equal set of expected and actual digests is found, the receiver can stop the subsequent comparisons and accept the message $M$ .

In this work, we use LFSR Toeplitz hash functions [26] in our QDS protocol. Of course, our method of using likely bit strings for QDS can be extended to the case of using other types of hash functions. For protocols that use other types of hash functions, the corresponding security analysis can be performed using similar ideas based on the collision probability of hash functions as in this work.

In order to reduce the consumption of computing resources, we propose an improved protocol based on our protocol in Sec. II. In our improved protocol, Alice is involved in the verification process of Bob and Charlie. On the one hand, Alice publishes the bit strings $(X^{A},Y^{A})$ after confirming that both Bob and Charlie have received $(M,S)$ . Therefore, this does not pose a threat to security. On the other hand, Bob and Charlie can directly use $(X^{A},Y^{A})$ published by Alice for verification, which no longer need to consume large computing resources.

In conclusion, based on the idea of likely bit strings, we propose an efficient and practicable QDS protocol over long distances. Our method only requires mature QKD devices, while improving the performance of QDS in terms of signature rate and distance. With typical parameters, our method of likely bit strings can improve the signature rate by more than $100$ times and increase the distance of QDS by about $150$ km compared with a hash function-based QDS protocol using final keys. To save computing resources, we propose an improved method, which can significantly improve the signature rate and distance of QDS without large computing resources.

Acknowledgements.

We acknowledge partial financial support by the National Natural Science Foundation of China, Grants No.12174215, No.12374473, and No.11974204; and by the Taishan Scholars Program.

Appendix A Sending-or-Not-Sending Key Generation Protocol

We take the QDS with SNS KGP as an example to demonstrate the advantages of our method of likely bit strings. We generate the associated bit strings by the quantum communication of SNS QKD [19, 32, 33].

In each time window, Alice (Bob) chooses the window as a signal window or decoy window with probability $p_{z}$ or $(1-p_{z})$ . In the signal window, Alice (Bob) writes down the bit value $1$ ( $0$ ) when sending the phase-randomized coherent state of intensity $\mu$ to Eve with probability $q$ and writes down the bit value $0$ ( $1$ ) when not sending the coherent state, i.e., sending the vacuum state, to Eve with probability $(1-q)$ . In the decoy window, Alice (Bob) randomly sends phase-randomized coherent states of intensities $\mu_{0}=0$ , $\mu_{1}$ , and $\mu_{2}$ , with probability $p_{0}$ , $p_{1}$ , and $(1-p_{0}-p_{1})$ , to Eve. Eve performs measurements using beam splitters and announces the outcome of measurements. We can record the event where one and only one detector clicks as an effective event. The corresponding time window of an effective event is an effective window and the corresponding bit is an effective bit. The effective bits used for parameter estimation are discarded. And then, Alice and Bob obtain the associated bit strings of raw keys.

The receivers can construct likely bit strings based on the bit strings of raw keys and the bit-flip error rates and use these likely bit strings for verification. In the following, we show how to obtain the bit-flip error rate $E$ , the proportion of effective bits of a single-photon state $\Delta_{1}$ , and the phase-flip error rate $e^{ph}$ of the associated bit strings taking into account the effects of finite data size.

Effective events can be divided into three categories with counting rates $S_{C}$ , $S_{D}$ and $S_{V}$ , respectively, with

\begin{split}&S_{C}=2[(1-p_{d})e^{-\eta\mu/2}-(1-p_{d})^{2}e^{-\eta\mu}],\\ &S_{D}=2[(1-p_{d})e^{-\eta\mu}I_{0}(\eta\mu)-(1-p_{d})^{2}e^{-2\eta\mu}],\\ &S_{V}=2p_{d}(1-p_{d}),\\ \end{split}

(32)

where $S_{C}$ corresponds to the case where one and only one participant chooses to send and the other participant chooses not to send, and $S_{D}$ and $S_{V}$ represent the case where both participants choose to send and both participants choose not to send, respectively. The notation $p_{d}$ represents the dark count rate of detectors, $\eta=10^{-\frac{\alpha l}{10}}\eta_{d}$ is the total system efficiency, $\alpha$ is the loss coefficient of the fiber, $l$ is half of the distance between the two participants (we assume that the node used for measurement in QDS with SNS KGP is midway between the two participants), $\eta_{d}$ represents the detection efficiency, $\mu$ is the intensity of the coherent state and $I_{0}(x)$ is the $0$ -order hyperbolic Bessel function of the first kind.

Based on the above three counting rates $S_{C}$ , $S_{D}$ and $S_{V}$ , we can obtain their effective event numbers $n_{C}$ , $n_{D}$ , and $n_{V}$ as follows:

\begin{split}&n_{C}=2Np_{z}^{2}q(1-q)S_{C},\\ &n_{D}=Np_{z}^{2}q^{2}S_{D},\\ &n_{V}=Np_{z}^{2}(1-q)^{2}S_{V}.\\ \end{split}

(33)

Here $N$ is the total number of pluses in SNS KGP between two participants, $p_{z}$ is the probability that the participant chooses the time window as a signal window (i.e., the participant chooses the time window as a decoy window with probability $(1-p_{z})$ ) and $q$ represents the probability that the participant chooses to send.

Therefore, the bit-flip error rate $E_{T}$ of the bit strings generated by SNS KGP is

\begin{split}&E_{T}=\frac{n_{D}+n_{V}}{{N_{t}}},\\ \end{split}

(34)

where $N_{t}$ is the total number of three effective events

\begin{split}&N_{t}=n_{C}+n_{D}+n_{V}.\\ \end{split}

(35)

It should be noted that, in experiments, the bit-flip error rate $E_{T}$ can be directly observed. In our numerical simulations, we use the expression (34) of $E_{T}$ . We randomly select $T$ (in our simulation, we set $T=\gamma N_{t}$ and $\gamma=10\%$ ) bits to obtain their bit-flip error rate, which is used to estimate the bit-flip error rate $E$ of the remaining bits [34, 5, 8],

\begin{split}&E\leq E_{T}+\mu(n,T,\varepsilon_{p}),\\ \end{split}

(36)

with

\begin{split}&\mu(n,T,\varepsilon_{p})=\sqrt{\frac{(n-T+1)\ln(\frac{1}{\varepsilon_{p}})}{2nT}},\\ \end{split}

(37)

where $\varepsilon_{p}$ is the failure probability of this estimation, and $n$ is the length of $X^{A}$ ,

n=\lfloor\frac{N_{t}-T}{3}\rfloor.

(38)

Next, we analyze how to obtain the proportion $\Delta_{1}$ of effective bits of a single-photon state and phase-flip error rate $e^{ph}$ of the bit string $X^{C}$ , which are used in the calculation of $p_{e}$ (21).

We use the Chernoff bound [35] to estimate the expected values $\phi$ from the observed values, which can be obtained directly in experiments, and then we use the Chernoff bound to estimate the real values $\varphi$ of a specific experiment from the expected values. The lower and upper bounds of the expected value are denoted by $\phi^{L}$ and $\phi^{U}$ , respectively,

\begin{split}&\phi^{L}(X)=\frac{X}{1+\delta_{1}(X)},\\ &\phi^{U}(X)=\frac{X}{1-\delta_{2}(X)},\\ \end{split}

(39)

and $\delta_{1}(X)$ and $\delta_{2}(X)$ satisfy

\begin{split}&(\frac{e^{\delta_{1}}}{(1+\delta_{1})^{1+\delta_{1}}})^{\frac{X}{1+\delta_{1}}}=\frac{\xi}{2},\\ &(\frac{e^{-\delta_{2}}}{(1-\delta_{2})^{1-\delta_{2}}})^{\frac{X}{1-\delta_{2}}}=\frac{\xi}{2},\\ \end{split}

(40)

where $\xi$ denotes the failure probability of estimation.

The lower and upper bounds of the real value are denoted by $\varphi^{L}$ and $\varphi^{U}$ , respectively,

\begin{split}&\varphi^{L}(Y)=[1+\delta_{1}^{\prime}(Y)]Y,\\ &\varphi^{U}(Y)=[1-\delta_{2}^{\prime}(Y)]Y,\\ \end{split}

(41)

and $\delta_{1}^{\prime}(X)$ and $\delta_{2}^{\prime}(X)$ satisfy

\begin{split}&(\frac{e^{\delta_{1}^{\prime}}}{(1+\delta_{1}^{\prime})^{1+\delta_{1}^{\prime}}})^{Y}=\frac{\xi}{2},\\ &(\frac{e^{-\delta_{2}^{\prime}}}{(1-\delta_{2}^{\prime})^{1-\delta_{2}^{\prime}}})^{Y}=\frac{\xi}{2},\\ \end{split}

(42)

where $\xi$ represents the failure probability of estimation.

Based on the analysis in SNS QKD [19, 32, 33], we can obtain the lower bound of the expected value of the counting rate of single-photon state $\langle s_{1}^{\mathrm{L}}\rangle$ and the upper bound of the expected value of the phase-flip error rate $\langle e^{\mathrm{ph},\mathrm{U}}\rangle$ ,

\langle s_{1}\rangle\geq\langle s_{1}^{L}\rangle=\frac{1}{2}(\langle s^{L}_{01}\rangle+\langle s^{L}_{10}\rangle),

(43)

where $\langle s_{01}^{{L}}\rangle$ and $\langle s_{10}^{{L}}\rangle$ satisfy

\begin{split}&\langle s_{01}^{{L}}\rangle=\frac{\mu_{2}^{2}e^{\mu_{1}}\langle S_{01}^{{L}}\rangle-\mu_{1}^{2}e^{\mu_{2}}\langle S_{02}^{{U}}\rangle-(\mu_{2}^{2}-\mu_{1}^{2})\langle S^{{U}}_{00}\rangle}{\mu_{1}\mu_{2}(\mu_{2}-\mu_{1})},\\ &\langle s_{10}^{{L}}\rangle=\frac{\mu_{2}^{2}e^{\mu_{1}}\langle S_{10}^{{L}}\rangle-\mu_{1}^{2}e^{\mu_{2}}\langle S_{20}^{{U}}\rangle-(\mu_{2}^{2}-\mu_{1}^{2})\langle S^{{U}}_{00}\rangle}{\mu_{1}\mu_{2}(\mu_{2}-\mu_{1})},\\ \end{split}

(44)

and

\langle e^{{ph}}\rangle\leq\langle e^{{ph},{U}}\rangle=\frac{\langle T_{\Delta}^{{U}}\rangle-\frac{1}{2}e^{-2\mu_{1}}\langle S^{{L}}_{00}\rangle}{2\mu_{1}e^{-2\mu_{1}}\langle s_{1}^{{L}}\rangle}.

(45)

The notation $S_{ij}$ , $i,j\in\{0,1,2\}$ , in the above equations denotes the counting rate of source $\mu_{i}\mu_{j}$ when participants choose coherent state $\mu_{i}$ and $\mu_{j}$ to send. In the decoy window, participants randomly select three different intensities $\mu_{0}=0,\ \mu_{1},\ \mu_{2}$ of phase-randomized coherent states with probability $p_{0},\ p_{1},\ (1-p_{0}-p_{1})$ , respectively. The notation $\langle T_{\Delta}^{{U}}\rangle$ can be calculated by

\langle T_{\Delta}\rangle\leq\langle T_{\Delta}^{{U}}\rangle=\frac{\phi^{{U}}(n_{\Delta^{+}}^{l}+n_{\Delta^{-}}^{r})}{2N_{\Delta^{\pm}}},

(46)

where $n_{\Delta^{+}}^{l}$ and $n_{\Delta^{-}}^{r}$ represent effective events heralded by the left and right detector, respectively,

n_{\Delta^{+}}^{l}=n_{\Delta^{-}}^{r}=[T_{X}(1-2e_{d})+e_{d}S_{X}]N_{\Delta^{\pm}},

(47)

N_{\Delta^{\pm}}=\frac{\Delta}{2\pi}(1-p_{z})^{2}p_{1}^{2}N,

(48)

and

T_{X}=\frac{1}{\Delta}\int_{-\frac{\Delta}{2}}^{\frac{\Delta}{2}}(1-p_{d})e^{-2\eta\mu_{1}\cos^{2}{\frac{\delta}{2}}}d\delta-(1-p_{d})^{2}e^{-2\eta\mu_{1}},

(49)

\begin{split}S_{X}=&\frac{1}{\Delta}\int_{-\frac{\Delta}{2}}^{\frac{\Delta}{2}}(1-p_{d})e^{-2\eta\mu_{1}\sin^{2}{\frac{\delta}{2}}}d\delta-(1-p_{d})^{2}e^{-2\eta\mu_{1}}\\ &+T_{X}.\\ \end{split}

(50)

We set $\Delta=\frac{\pi}{15}$ in our simulation.

Based on $\langle s_{1}^{{L}}\rangle$ (43) and $\langle e^{{ph},{U}}\rangle$ (45), we can use Chernoff bound to estimate the real values $\Delta_{1}$ and $e^{ph}$ from the expected values,

\Delta_{1}=\frac{\varphi^{{L}}(n\langle\Delta_{1}^{L}\rangle)}{n},

(51)

e^{{ph}}=\frac{\varphi^{{U}}(n\Delta_{1}\langle e^{{ph},{U}}\rangle)}{n\Delta_{1}},

(52)

where

\langle\Delta_{1}^{{L}}\rangle=\frac{2Np_{z}^{2}q(1-q)\mu e^{-\mu}\langle s_{1}^{{L}}\rangle}{N_{t}}.

(53)

According to the bit-flip error rate $E$ (36), the proportion of effective bits of a single-photon state $\Delta_{1}$ (51), and the phase-flip error rate $e^{ph}$ (52), we can optimize the signature rate $R$ by selecting the appropriate $(N,\mu,\mu_{1},\mu_{2},q,p_{z},p_{0},p_{1})$ given security level $\varepsilon$ and other system parameters.

References

Diffie and Hellman [1976] W. Diffie and M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22, 644 (1976).
Gottesman and Chuang [2001] D. Gottesman and I. Chuang, Quantum digital signatures, arXiv preprint quant-ph/0105032 (2001).
Dunjko et al. [2014] V. Dunjko, P. Wallden, and E. Andersson, Quantum digital signatures without quantum memory, Physical review letters 112, 040502 (2014).
Yin et al. [2016] H.-L. Yin, Y. Fu, and Z.-B. Chen, Practical quantum digital signature, Physical Review A 93, 032316 (2016).
Amiri et al. [2016] R. Amiri, P. Wallden, A. Kent, and E. Andersson, Secure quantum signatures using insecure quantum channels, Physical Review A 93, 032325 (2016).
Donaldson et al. [2016] R. J. Donaldson, R. J. Collins, K. Kleczkowska, R. Amiri, P. Wallden, V. Dunjko, J. Jeffers, E. Andersson, and G. S. Buller, Experimental demonstration of kilometer-range quantum digital signatures, Physical Review A 93, 012329 (2016).
Collins et al. [2016] R. J. Collins, R. Amiri, M. Fujiwara, T. Honjo, K. Shimizu, K. Tamaki, M. Takeoka, E. Andersson, G. S. Buller, and M. Sasaki, Experimental transmission of quantum digital signatures over 90 km of installed optical fiber using a differential phase shift quantum key distribution system, Optics letters 41, 4883 (2016).
Puthoor et al. [2016] I. V. Puthoor, R. Amiri, P. Wallden, M. Curty, and E. Andersson, Measurement-device-independent quantum digital signatures, Physical Review A 94, 022328 (2016).
Roberts et al. [2017] G. Roberts, M. Lucamarini, Z. Yuan, J. Dynes, L. Comandar, A. Sharpe, A. Shields, M. Curty, I. Puthoor, and E. Andersson, Experimental measurement-device-independent quantum digital signatures, Nature communications 8, 1 (2017).
Yin et al. [2017a] H.-L. Yin, Y. Fu, H. Liu, Q.-J. Tang, J. Wang, L.-X. You, W.-J. Zhang, S.-J. Chen, Z. Wang, Q. Zhang, et al., Experimental quantum digital signature over 102 km, Physical Review A 95, 032334 (2017a).
Yin et al. [2017b] H.-L. Yin, W.-L. Wang, Y.-L. Tang, Q. Zhao, H. Liu, X.-X. Sun, W.-J. Zhang, H. Li, I. V. Puthoor, L.-X. You, et al., Experimental measurement-device-independent quantum digital signatures over a metropolitan network, Physical Review A 95, 042338 (2017b).
Zhang et al. [2018] C.-H. Zhang, X.-Y. Zhou, H.-J. Ding, C.-M. Zhang, G.-C. Guo, and Q. Wang, Proof-of-principle demonstration of passive decoy-state quantum digital signatures over 200 km, Physical Review Applied 10, 034033 (2018).
An et al. [2019] X.-B. An, H. Zhang, C.-M. Zhang, W. Chen, S. Wang, Z.-Q. Yin, Q. Wang, D.-Y. He, P.-L. Hao, S.-F. Liu, et al., Practical quantum digital signature with a gigahertz bb84 quantum key distribution system, Optics Letters 44, 139 (2019).
Braunstein and Pirandola [2012] S. L. Braunstein and S. Pirandola, Side-channel-free quantum key distribution, Phys. Rev. Lett. 108, 130502 (2012).
Lo et al. [2012] H.-K. Lo, M. Curty, and B. Qi, Measurement-device-independent quantum key distribution, Phys. Rev. Lett. 108, 130503 (2012).
Zhou et al. [2016] Y.-H. Zhou, Z.-W. Yu, and X.-B. Wang, Making the decoy-state measurement-device-independent quantum key distribution practically useful, Physical Review A 93, 042324 (2016).
Li et al. [2023] Y.-H. Li, S.-L. Li, X.-L. Hu, C. Jiang, Z.-W. Yu, W. Li, W.-Y. Liu, S.-K. Liao, J.-G. Ren, H. Li, L. You, Z. Wang, J. Yin, F. Xu, Q. Zhang, X.-B. Wang, Y. Cao, C.-Z. Peng, and J.-W. Pan, Free-space and fiber-integrated measurement-device-independent quantum key distribution under high background noise, Phys. Rev. Lett. 131, 100802 (2023).
Lucamarini et al. [2018] M. Lucamarini, Z. L. Yuan, J. F. Dynes, and A. J. Shields, Overcoming the rate-distance limit of quantum key distribution without quantum repeaters, Nature 557, 400 (2018).
Wang et al. [2018] X.-B. Wang, Z.-W. Yu, and X.-L. Hu, Twin-field quantum key distribution with large misalignment error, Physical Review A 98, 062323 (2018).
Wang et al. [2022] S. Wang, Z.-Q. Yin, D.-Y. He, W. Chen, R.-Q. Wang, P. Ye, Y. Zhou, G.-J. Fan-Yuan, F.-X. Wang, W. Chen, et al., Twin-field quantum key distribution over 830-km fibre, Nature photonics 16, 154 (2022).
Liu et al. [2023] Y. Liu, W.-J. Zhang, C. Jiang, J.-P. Chen, C. Zhang, W.-X. Pan, D. Ma, H. Dong, J.-M. Xiong, C.-J. Zhang, et al., Experimental twin-field quantum key distribution over 1000 km fiber distance, Physical Review Letters 130, 210801 (2023).
Fan-Yuan et al. [2022] G.-J. Fan-Yuan, F.-Y. Lu, S. Wang, Z.-Q. Yin, D.-Y. He, W. Chen, Z. Zhou, Z.-H. Wang, J. Teng, G.-C. Guo, et al., Robust and adaptable quantum key distribution network without trusted nodes, Optica 9, 812 (2022).
Zhang et al. [2021] C.-H. Zhang, X. Zhou, C.-M. Zhang, J. Li, and Q. Wang, Twin-field quantum digital signatures, Optics Letters 46, 3757 (2021).
Qin et al. [2022] J.-Q. Qin, C. Jiang, Y.-L. Yu, and X.-B. Wang, Quantum digital signatures with random pairing, Physical Review Applied 17, 044047 (2022).
Menezes et al. [1997] A. J. Menezes, P. C. Van Oorschot, and S. A. Vanstone, Handbook of applied cryptography crc press, CRC Press, Boca Raton (1997).
Krawczyk [1994] H. Krawczyk, Lfsr-based hashing and authentication, in Annual International Cryptology Conference (Springer, Berlin, 1994) pp. 129–139.
Amiri et al. [2018] R. Amiri, A. Abidin, P. Wallden, and E. Andersson, Efficient unconditionally secure signatures using universal hashing, in International Conference on Applied Cryptography and Network Security (Springer, Leuven, 2018) pp. 143–162.
Yin et al. [2023] H.-L. Yin, Y. Fu, C.-L. Li, C.-X. Weng, B.-H. Li, J. Gu, Y.-S. Lu, S. Huang, and Z.-B. Chen, Experimental quantum secure network with digital signatures and encryption, National Science Review 10, nwac228 (2023).
Kiktenko et al. [2022] E. O. Kiktenko, A. Zelenetsky, and A. K. Fedorov, Practical quantum multiparty signatures using quantum-key-distribution networks, Physical Review A 105, 012408 (2022).
Bennett and Brassard [2014] C. H. Bennett and G. Brassard, Quantum cryptography: Public key distribution and coin tossing, Theoretical Computer Science 560, 7 (2014), theoretical Aspects of Quantum Cryptography – celebrating 30 years of BB84.
Jiang et al. [2021] C. Jiang, Z.-W. Yu, X.-L. Hu, and X.-B. Wang, Higher key rate of measurement-device-independent quantum key distribution through joint data processing, Physical Review A 103, 012402 (2021).
Yu et al. [2019] Z.-W. Yu, X.-L. Hu, C. Jiang, H. Xu, and X.-B. Wang, Sending-or-not-sending twin-field quantum key distribution in practice, Scientific reports 9 (2019).
Jiang et al. [2019] C. Jiang, Z.-W. Yu, X.-L. Hu, and X.-B. Wang, Unconditional security of sending or not sending twin-field quantum key distribution with finite pulses, Physical Review Applied 12, 024061 (2019).
Serfling [1974] R. J. Serfling, Probability inequalities for the sum in sampling without replacement, The Annals of Statistics 2, 39 (1974).
Chernoff [1952] H. Chernoff, A measure of asymptotic efficiency for tests of a hypothesis based on the sum of observations, The Annals of Mathematical Statistics , 493 (1952).