A Quantum Dual-Signature Protocol Based on SNOP States without Trusted Participant

Quantum dual-signature means that two signed quantum messages are combined and expected to be sent to two different recipients. A quantum signature requires the cooperation of two verifiers to complete the whole verification process. As an important quantum signature aspect, the trusted third party is introduced to the current protocols, which affects the practicability of the quantum signature protocols. In this paper, we propose a quantum dual-signature protocol without arbitrator and entanglement for the first time. In the proposed protocol, two independent verifiers are introduced, here they may be dishonest but not collaborate. Furthermore, strongly nonlocal orthogonal product states are used to preserve the protocol security, i.e., no one can deny or forge a valid signature, even though some of them conspired. Compared with existing quantum signature protocols, this protocol does not require a trusted third party and entanglement resources.


Introduction
With the development of the Internet, network communications have become more and more frequent in daily life. Therefore, it is particularly important to improve the security of network communications. Digital signatures are not only widely employed to authenticate the identity of communication participants, but also ensure the integrity of legal messages. For example, encrypting and signing the transmitted messages, verifying the identity of all parties, are necessary to ensure the security of network communications. As we know, the applied classic digital signature protocols are based on computational complexity, such as the decomposition of a large prime number. However, with the development of quantum algorithms [1], classic cryptographic protocols are becoming increasingly insecure. Fortunately, various quantum cryptography protocols, such as quantum key distribution (QKD) [2][3][4], controlled quantum teleportation [5][6][7][8][9][10], quantum secret sharing [11][12][13][14][15] and quantum secure direct communication [16][17][18][19], can be implemented on quantum networks [20][21][22][23][24]. Since their security is based on the laws of quantum mechanics, they are immune to the attacks on quantum computers. During them, designing digital signature protocols based on quantum technology is an important research aspect of quantum cryptographic protocols.
In 2001, Gottesman et al. [25] first proposed a quantum digital signature based on the fundamental principles of quantum physics, i.e., a quantum analogue of one-way functions which required O(m) qubits is used to encrypt an m-bit message. In 2002, Zeng et al. [26] put forward a signature protocol based on the GHZ states, whose realization depends upon a trust arbitrator. Since then, many variations of quantum signature protocols have been presented. For example, Li et al. [27] proposed an arbitrated quantum signature protocol using Bell states instead of GHZ states. Zou et al. [28] presented an arbitrated quantum signature protocol without using entangled states. In 2016, Liu et al. [29] proposed a quantum dual-signature protocol, which combines two signed messages expected to be sent to two different recipients. In their protocol, the entanglement swapping with coherent states is applied. Compared to classic signatures, the quantum signature which involves quantum algorithms, could be more secure and efficient. As we know, quantum signatures also have wide applications in the ecommerce system as classic signatures.
All these protocols are based on the assumption that a trusted third party exists in the quantum network, though this is not practical. In 2015, Kang et al. [30] first proposed a controlled mutual quantum entity authentication using entanglement swapping by introducing an untrusted third party. However, the controller may perform an internal attack, because the others do not test the correlation of the entangled state. In order to prevent this security loophole, a checking procedure was added to confirm the correlation of the entangled state (see Ref. [31]). Nevertheless, Wang et al. [32] pointed out that there is still a secure flaw in Kang's improved protocol [31], that is, the untrusted third party can obtain the shared key between the other participants without being detected. In 2016, Li et al. [33] proposed a secure quantum blind dual-signature scheme without arbitrators. It does not rely on an arbitrator in the verification phase as the previous quantum signature schemes do. The security is guaranteed by the entanglement in quantum information processing. Compared with the existing quantum signature protocols, it reduces the over rights of the third party in verification. However, the research on quantum digital signatures without arbitrators is still in its infancy.
The existing quantum digital signatures without arbitrators are usually implemented by entangled states. As we know, the preparation of entanglement in experiments is difficult. Therefore, it is very urgent to propose a more practical quantum signature protocol without arbitrators. Recently, the expression of quantum nonlocality has attracted more attention. In 2019, Halder et al. [34] first proposed a strong quantum nonlocality without entanglement and presented two explicit strongly nonlocal sets of quantum states in C 3 ⊗ C 3 ⊗ C 3 and C 4 ⊗ C 4 ⊗ C 4 quantum systems. For the sake of simplicity, we define these states as SNOP states. Compared with normal nonlocal orthogonal product states, SNOP states have strong quantum nonlocality for tripartite, i.e., they are locally irreducible in every bipartition. In this situation, if the private messages are encoded into SNOP states, the security of the private messages is ensured. This means that the attacker cannot determine the accurate whole state even if they obtain two particles of the SNOP states. A secure quantum signature protocol has to meet at least two requirements, i.e., non-forgery and non-repudiation. In this case, we propose a quantum dual-signature protocol based on SNOP states without a trusted third party. The security of our protocol is guaranteed by the secret encryption algorithm [35] and SNOP states. The encryption algorithm is mainly used to resist external attackers. Furthermore, each bipartite of the SNOP states is locally irreducible to resist internal attacks. In this case, the security of our protocol is shown, i.e., neither an external attacker nor an internal one can forge a signature. Moreover, no one can deny the signature.
The rest of the paper is arranged as follows: In Section 2, some preliminary theories are introduced. In Section 3, we describe the quantum dual-signature protocol including the initializing phase, signing phase and verification phase. The security of our protocol is analyzed in Section 4. Finally, a short conclusion is given in Section 5.

Preliminaries
In this section, we describe an encryption algorithm-Key-Controlled-'I'QOTP. Then, a set of SNOP states to encode messages are introduced.

Key-Controlled-'I'QOTP
As we know, the quantum one time pad (QOTP) is an important way to generate quantum signatures [36]. However, Gao et al. [37] pointed out that there exist some security problems in these protocols. In the above security analysis of AQS protocols, one of the most basic assumptions is that the signature is generated by encrypting bitwise messages. In this case, the receiver may forge a legal signature by performing a corresponding operator to the signature and message without secret keys. In 2013, Zhang et al. [35] presented two types of improved encryption algorithms, called Key-Controlled-'I'QOTP and Key-Controlled-'T'QOTP, to prevent forgery attacks effectively. Here, we briefly introduce Key-Controlled-'I'QOTP.
Firstly, a set W with four Clifford operators is introduced to encrypt the message |P to obtain |S . Secondly, the two bits K i and K 2n−i+1 in the shared key string K are appointed to determine the corresponding operator in Table 1. Moreover, the message |P is encrypted into |S in the form of Equation (1). Table 1. Corresponding encryption operators in "Key-Controlled-'I'QOTP".
Encryption Operator Here, we take n = 1, i = 1, |P = α|0 +β|1 and K 1 K 2 = 00 as an example to demonstrate how to encrypt quantum states using secret keys. This is the way to generate quantum signatures in subsequent protocols.
Zhang et al. proved that this encryption algorithm can be applied to generate signatures which cannot be forged by the receiver. Therefore, in order to ensure security, Key-Controlled-'I'QOTP is used in the following quantum dual-signature protocol.

SNOP States
In order to show our protocol, a type of SNOP states is introduced.
In Ref. [34], these states are proved to be locally irreducible in all bipartitions. Since local irreducibility is a sufficient condition for strong nonlocality, these states are strongly nonlocal. In this situation, as the messages are encoded into SNOP states, the security of the private messages is ensured. This means that the attacker cannot determine the accurate forms even if they obtain two particles of the SNOP states.

Quantum Dual-Signature Protocol with SNOP States
In this section, a quantum dual-signature protocol is given. Firstly, the identity of the participants and the process of the protocol are described in Section 3.1. Then, the specific protocol process is divided into the following three phases: the initializing phase, signing phase and verification phase.

Brief Description
There exist three roles in our protocol:

1.
Alice is the applicant and signer; 2.
Bob is the first verifier of the message; 3.
Charlie is the second verifier.
When the applicant Alice needs to warrant a document, she first signs the application document; then, she sends the document to the first verifier Bob to verify one part of the document; next, Bob sends it to Charlie to verify the other part. The process of this protocol can be briefly seen in Figure 1.

Initializing Phase
Step I1 (Secret Key Assignment): Alice shares the two keys' sequences K AB and K AC with Bob and Charlie, respectively. Bob shares the key sequence K BC with Charlie. This can be achieved with the quantum key distribution (QKD) technique [2][3][4].
Step I2 (Message Encoding): The message M is divided into n groups, M = M 1 ||M 2 ||· · ·||M n ; here M t is a 4-bit of a classical bit sequence, where t = 1, 2, 3, · · · , n. Alice encodes each M t to a quantum sequence |S with the 16 states in Table 2; the remaining 11 states are used to detect eavesdropping in Table 3. Table 2. SNOP states used to encrypt messages.

Message
States Message States Step I3 (Generating Quantum Sequence): Alice generates three identical sequences |S , where the first sequence is denoted by |S a , the second one is |S b and the last one is |S c . By picking out each particle of above sequences, the corresponding quantum sequences |S a 1 , |S a 2 , |S a 3 , |S b 1 , |S b 2 , |S b 3 , |S c 1 , |S c 2 and |S c 3 are generated. For example, we suppose that |S =|ϕ 1 |ϕ 2 |ϕ 3 |ϕ 4 |ϕ 13 |ϕ 14 |ϕ 15 |ϕ 16 . Then, the specific forms of |S a , |S b and |S c are depicted in Equation (4).

Signing Phase
Step S (Sending Sequence to Bob): Firstly, Alice encrypts S a 3 and |S b 3 with K AB to obtain |S a 3 and |S b 3 ; then, she encrypts |S c 1 , |S c 3 , |S a 3 and |S b 3 with K AC to obtain S AC .
Secondly, Alice encrypts S a 2 and S c 2 with K AC to obtain | S a 2 and | S c 2 ; then, she encrypts |S a 1 , |S b 1 , | S a 2 , |S b 2 , | S c 2 and S AC with K AB to obtain S AB as her signature. Finally, she inserts the decoy states randomly in S AB to obtain S AB and sends it to Bob. The symbolic representation can be seen in Table 4.

Verification Phase
Step V1 (Detect Eavesdropping): After Bob announces that he has received the sequences S AB , Alice tells Bob the positions and the initial states of the decoy particles. Then, Bob measures each of the decoy particles with the corresponding basis and compares the measurement outcome with its initial state to check for eavesdropping. If the error probability is within a certain threshold, Bob recovers the sequences S AB ; otherwise, he aborts the protocol.
Step V2 (Bob s Veri f ication o f the First Stage): Bob decrypts S AB and verifies whether |S a 1 is equal to |S b 1 with SWAP operations [38][39][40]. Here, V B 1 represents the results.
If V B 1 = 0, he rejects the quantum signature directly; otherwise, he sends S B to Charlie.
Step V3 (Charlie s Veri f ication o f the First Stage): Charlie decrypts S B , verifies whether |S a 2 is equal to |S c 2 and generates V C .
If V C is equal to 0, Charlie will reject the quantum signature directly; otherwise, he will decrypt S AC and send S C to Bob.
Step V4 (Bob sVeri f ication o f the Second Stage): Bob first decrypts S C with K BC and K AB ; then, he verifies whether |S a 3 is equal to |S b 3 and generates V B 2 .
If V B 2 is equal to 0, Bob will reject the quantum signature directly; otherwise, he will recover the sequence |S by |S b 1 , |S b 2 and |S b 3 to obtain m b j according to the rule in Table 5.
Step V5 (Charlie s Veri f ication o f the Second Stage): Similarly, Charlie recovers the sequence |S according to |S c 1 , |S c 2 and |S c 3 , by the rules in Table 5, to obtain m c j . If m b j = m c j , Charlie will announce it is the valid signature of m j ; otherwise, he will reject this signature. The process can be briefly seen in Figure 2.

Security and Efficiency Analysis
As mentioned above, a secure quantum signature protocol has to meet at least two requirements, i.e., non-forgery and non-repudiation. In our protocol, the above requirements are completely satisfied. The security of our protocol is guaranteed by the secret encryption algorithm Key-Controlled-'I'QOTP and SNOP states. The encryption algorithm is mainly used to resist external attackers. Furthermore, each bipartite of the SNOP states is locally irreducible to resist internal attacks. In this case, the security of our protocol is shown, i.e., neither an external attacker nor an internal one can forge a signature. Moreover, no one can deny the signature. The specific analysis can be seen in the following subsections.

Resistance to Outside Attacks Based on Encryption Algorithm
(i) Eve Forges Alice s Signature. In order to forge Alice's signature, Eve has to intercept the sequences in Step S. Then, he could change Alice's signature and replace S AB with S AB . However, since the original keys are shared with QKD, it is impossible for her to succeed. If he attempts to forge Alice's signature without K AB , he will perform an operator corresponding to the signature and message. In our protocol, as Key-Controlled-'I'QOTP is used to generate signature S AB , he would not be able to identify the forms of encryption operators except for Alice and Bob, as shown in Table 6.  Table 6, it can be seen that, if Eve wants to forge one qubit of Alice's signature with σ x or σ y , the probability of success will be 1 3 . Moreover, the probability will be 1 2 if the forgery operation is σ z . Furthermore, if the length of the message is m, the probability P E of Eve's forgery's success will be

Encryption Eve's Possible Decryptions Eve's Forgery of Operation Signature
where k(0 ≤ k ≤ m, 0 ≤ m ≤ n) represents the total number of qubits which Eve wants to forge the sequence by σ x and σ y ; (m − k) represents the number of qubits forged by σ z . With this encryption algorithm, Eve can be detected during Bob's verification phase.
(ii) Eve Forges Bob s Veri f ication Results. For Eve to intercept the sequences in Step V2, he has to change the sequence S B with S B and send it to Charlie. Similarly, Eve cannot know the secret key K BC . Therefore, Eve's forgery will be discovered by Charlie once Eve changes only a small part of S B . Similarly, if Eve forges Charlie's verification results, similarly, his forgery will be found by Bob.

Resistance to Inside Attacks Based on SNOP States
Above, we guarantee that two verifiers are not dishonest at the same time. This assumption is satisfied with the actual situation. In fact, if both verifiers are dishonest, the protocol will be insecure and impractical. Here, we discuss the dishonesty of the verifier, specifically in the case in which one verifier wants to forge a signature to evade the verification of the other one.
According to our analysis above, the encryption algorithm can resist some forgery attacks, but, for internal attackers who know the secret key, the security needs to be further discussed as follows. Here, SNOP states provides a nature property for resisting internal attacks, i.e., they are locally irreducible in every bipartition. This means that the attacker cannot determine the accurate whole state even if they obtain two particles of the SNOP states. The specific analysis can be seen in the following subsections.
(i) Bob s Forgery. This is different from Eve's forgery of Alice's signature; Bob does not need to intercept the sequences because he has the secret key K AB . If he attempts to replace S AC with S AC in Step V2, his forgery will not succeed. Since the sequences S AC are generated by Key-Controlled-'I'QOTP with the key K AC , Bob cannot identify the forms of encryption operators, except for Alice and Charlie. Similar to the analysis above, Bob's forgery will be discovered by Charlie in Step V3.
Based on the analysis above, we assume that Bob attempts to restore all the SNOP states by the sequences |S b 1 and |S b 2 . He can only choose the measurement basis randomly. There are three possible cases seen in Table 7. The probability that he chooses any basis is 1 3 . From Table 7, we can deduce that the probability of choosing the correct measurement basis and obtain one bit, as shown in Equation (19).
For the n length of the quantum sequence, it is not difficult to see that the probability of Bob's successful attack P tends to be zero with the increase in n in Equation (20).
(ii) Charlie s Forgery. We assume Charlie tries to modify |S a 3 and |S b 3 according to the sequence |S c 3 in his hands to make |S a 3 and |S b 3 equal. Similarly, Charlie cannot identify the forms of the encryption operators without the key K AB . If |S a 3 = |S b 3 , Charlie's forgery will be discovered by Bob in Step V4. The process can be briefly seen in Figure 3.

Non-Repudiation
Alice could attempt to deny her signature in two ways. One is directly denying her signature. Here Alice's signatures S AB and S AC are generated by K AB and K AC , only known to Bob and Charlie. Once Bob and Charlie have verified the validity of the signatures, she will not be able to deny them. Moreover, since Key-Controlled-'I'QOTP is used, no one can find the corresponding location without knowing K AB and K AC . If |S a 1 = |S b 1 and |S a 2 = |S c 2 , it will be impossible for Alice to deny. The other way is that Alice denied the signature after Bob verified it. If m b j = m c j , Bob and Charlie will be able to judge whether Alice denies. The sequences |S a 3 and |S b 3 are encrypted with the key K AB and the key K AB is generated by Key-Controlled-'I'QOTP. Therefore, Charlie cannot know the secret key K AB . If Charlie attempts to modify the sequence, Bob will find this attack in Step V4. Similarly, Alice will not succeed in denying the signature after Charlie's verification.

Discussion and Conclusions
We summarize and compare our protocol with the quantum signature protocols proposed above in Table 8. Compared with the existing quantum signature protocols, our protocol does not need a trusted third party and entanglement resources for the first time. Comparing with the existing quantum signature protocols, the signature of our protocol requires the cooperation of two verifiers to complete the whole verification process without an arbitrator. In this case, the function has wide applications in practical management. By introducing SNOP states, the present protocol seems more efficient and easier to be realized in noisy intermediate-scale quantum (NISQ) devices, as no entangled resources are required. According to our analysis, the protocol based on SNOP states is immune to attacks from the inside and outside. In other words, the attacker cannot determine the accurate whole state even if they obtain two particles of the SNOP states. Furthermore, we give a potential application for the SNOP states and put forward a series of ideas. We think SNOP states could also be applied to electronic payments, voting systems and so on. Moreover, we believe that SNOP states must have better application scenarios in the future. Finally, we hope that our results are instructive to further research on other quantum cryptographic protocols.

Conflicts of Interest:
The authors declare no conflict of interest.

Abbreviations
The following abbreviations are used in this manuscript:

QKD
quantum key distribution SNOP strongly nonlocal orthogonal product QOTP quantum one time pad AQS arbitrated quantum signature NISQ noisy intermediate-scale quantum