A Verifiable Arbitrated Quantum Signature Scheme Based on Controlled Quantum Teleportation

Abstract

In this paper, we present a verifiable arbitrated quantum signature scheme based on controlled quantum teleportation. The five-qubit entangled state functions as a quantum channel. The proposed scheme uses mutually unbiased bases particles as decoy particles and performs unitary operations on these decoy particles, applying the functional values of symmetric bivariate polynomial. As such, eavesdropping detection and identity authentication can both be executed. The security analysis shows that our scheme can neither be disavowed by the signatory nor denied by the verifier, and it cannot be forged by any malicious attacker.

1. Introduction

Since Bennett and Brassard [1] proposed the quantum key distribution (QKD) protocol in 1984, quantum cryptography has attracted extensive attention. Its security is guaranteed by the principles of quantum mechanics such as the Heisenberg uncertainty principle and the quantum no-cloning theorem. Quantum cryptography can provide the advantage of unconditional security, making the research of quantum cryptography increasingly important. Many important quantum cryptography branches have been developed, such as quantum key distribution [2,3], quantum signature (QS) [4,5,6], quantum teleportation (QT) [7], quantum authentication [8], and deterministic secure quantum communication [9].

Quantum signatures can be applied to verify the identity of the sender and the integrity of the information. The arbitrated quantum signature (AQS), providing many merits, has attracted much attention. In 2002, Zeng et al. [10] proposed the first arbitrated quantum signature scheme using the Green–Horne–Zeilinger (GHZ) state and the quantum one-time pad (QOTP). Based on the design of the classical arbitrated digital signature, the scheme provides a re-verification service for signatory and receiver using the online signature provided by a trusted third party arbitrator. In 2008, Curty and Lutkenhaus [11] investigated the scheme [10], and they claimed that it was not clearly described and that the safety analysis was incorrect. In response to the controversy of Curty et al., Zeng et al. [12] proved the scheme [10] in more detail. In 2009, to reduce the complexity and improve the efficiency of the protocol [10], Li et al. [13] proposed an AQS scheme based on the Bell states rather than the GHZ states and proved its advantages in terms of transmission efficiency and low complexity. Unfortunately, in 2010, Zou and Qiu [14] argued that Li’s AQS scheme can be disavowed by the receiver, and they proposed an AQS protocol that uses bulletin boards and other security schemes that do not use entangled state. Their scheme further simplified the protocol of Li et al., and an improved AQS scheme was designed using single particles that can resist the denunciation of the receiver, thus reducing the difficulty of the physical implementation of AQS. However, in 2011, Gao et al. [15] conducted the first comprehensive cryptanalysis of previous AQS schemes in terms of forgery and disavowal. They found that the existing AQS schemes based on QOTP encryption [13,14] all have some security problems. In other words, the receiver Bob can realize the existence of the forgery of a signature under the known message attack, while the sender Alice can successfully disavow any signature of hers through a simple attack. Choi et al. [16] found that most AQS protocols can be cracked through a specific existential forgery attack due to the careless taking advantage of the optimal quantum one-time pad based on Pauli operators. To overcome this weakness, they proposed a simple method to ensure the security of the signature. As Choi et al.proved, Bob could not simultaneously forge both the information and the signature to be verified by an arbitrator in the event of a dispute. In the same year, Yang et al. [17] demonstrated how to construct an arbitrated quantum signature protocol for classical messages using untrusted arbitrators. In order to solve the security problems experienced with the AQS protocol, Zhang et al. [18] analyzed the existing security problems [15,16] in 2013 and suggested some corresponding improvement strategies to counter forgery attacks. In order to solve the problem proposed by Gao et al. [15], Liu et al. [19] designed a new QOTP algorithm in 2014, which mainly relies on inserting decoy states into fixed positions, and constructed an unconditionally secure AQS scheme with fast signing and verifying using only a single particle state. In 2015, Li [20] used chained CNOT operation for encryption, instead of quantum one-time pad, to ensure the security of the protocol. To improve the efficiency of quantum bit to 100%, Yang [21] proposed an AQS scheme with the cluster state in 2016. In 2017, in order to resist forgery attacks and disavowal attacks, Zhang et al. [22] proposed a new quantum encryption based on the key-controlled chained CNOT operations (KCCC encryption), and through KCCC encryption, constructed an improved arbitrated quantum signature protocol. In 2016, Yang et al. [23] also proposed a theoretically extensible quantum digital signature with a star-like cluster state. In 2018, Shi et al. [24] proposed an arbitrated quantum signature scheme with the Hamiltonian algorithm based on blind quantum computation. Due to the application of blind quantum computation, it is not necessary to recover the original message during verification, which can improve the simplicity and operability of AQS. In the same year, Feng et al. [25] constructed an AQS scheme based on continuous variable squeezed vacuum states rather than coherent states to further improve coding efficiency and performance. In 2019, Feng et al. [26] proposed an AQS scheme with quantum walk-based teleportation, which does not require the preparation of entangled particles in advance, making the AQS protocol more flexible and practical. In 2020, Chen et al. [27] proposed an offline arbitrated semi-quantum signature scheme based on four-particle cluster states, in which the classical parties can sign with the assistance of a quantum arbitrator. Different from the typical arbitrated quantum signature schemes, the arbitrator in this protocol acts as a relay station of signature transmission and no longer interferes with the direct authentication of the signature, so that the signature receiver has completed authentication rights. There is no additional direct communication between the signatory and the receiver, which reduces the complexity of transmission. However, the above AQS scheme does not consider authentication between signatory, arbitrator, and verifier.

Quantum teleportation is a technology that uses the entangled state or cluster state to transmit information between two sides of communication. The first scheme of quantum teleportation was proposed by Bennett et al. [28] in 1993. It is a scheme of teleportation through classical channel and an EPR entangled channel. In 1998, Karlsson and Bourennane [29] proposed controlled quantum teleportation. Its basic idea is that the receiver reconstructs the unknown quantum state with the help of the controller. Until now, quantum teleportation has been studied using the GHZ states [30], W. states [31,32], cluster states [33], and other entangled states as quantum channels. In recent years, many quantum signature schemes have used entangled states as quantum channels, and methods were proposed to transmit unknown quantum states of a single particle [34] or double particles [35]. In 2005, Brown et al. [36] developed a computationally feasible entanglement measurement method based on negative bias transposition criterion, and found highly entangled four-qubit states and five-qubit states by searching. In 2008, Muralidharan and Panigrahi [37] investigated the usefulness of the five-qubit state introduced by Brown et al. [36] for quantum information applications such as quantum teleportation. The results show that this state can be used for perfect teleportation of arbitrary single- and two-qubit systems.

In this paper, we construct an arbitrated quantum signature scheme that can verify the identity of participants using five-qubit entangled states as quantum channels and controlled quantum teleportation. The security analysis result shows that our AQS scheme ensures that the signatory Alice cannot disavow, the verifier Bob cannot repudiate, and any illegal attacker can not forge. The proposed scheme uses mutually unbiased bases particles as decoy particles. It applies a pair of function values of symmetric binary polynomials to perform a unitary operation on decoy particles so that eavesdropping detection and identity verification between participants can be performed. In addition, the scheme only needs von Neumann measurement, Bell measurement, and a unitary operation to recover the single-particle qubit state. It replicates message from the signatory Alice to the verifier Bob, which is an attractive advantage for realizing an actual quantum communication network.

The scheme has the following advantages:

(1)

The mutually unbiased bases particles are used as decoy particles to prevent external adversaries from eavesdropping during transmission;

(2)

The receiver only needs to ask about the position of the decoy particles without asking what the measurement bases are in the process of eavesdropping detection;

(3)

The scheme provides the function of identity authentication among participants. It uses a pair of function values of symmetric binary polynomials as parameters of the unitary operation, which is used to act on the decoy particles to verify the identity of participants.

The rest of this article are organized as follows. In Section 2, the concepts of the arbitrated quantum signature, mutually unbiased bases and controlled quantum teleportation are introduced. In Section 3, the detailed process of the proposed protocol is described. In Section 4 and Section 5, the verifiability analysis and safety analysis are conducted, respectively. Finally, a brief conclusion is provided in Section 6.

2. Preliminaries

In this section, we first briefly review some notions concerning the arbitrated quantum signature scheme and the definition of mutually unbiased bases, which is presented in [38]. Then, we introduce controlled quantum teleportation, which is used in constructing the arbitrated quantum signature scheme. Finally, an example of controlled quantum teleportation is given.

2.1. Some Notions concerning the Arbitrated Quantum Signature

A digital signature scheme is a cryptographic primitive that provides the receiver of a message with assurance about the integrity of the data, and the identity of the sender/signatory. Furthermore, it offers unforgeable and undeniable property. Similarly, the arbitrated signature scheme is a digital signature scheme finished with the help of an arbitrator, who is a disinterested third party trusted to complete a protocol. Here “trusted” means that all people involved in the protocol accept what he says as true and what he does as correct, as well as that he will complete his part of the protocol [14]. The quantum signature is a quantum version of the classical digital signature.

2.2. Mutually Unbiased Bases

Definition 1

([38]). We suppose that $A_1={{\left\{|{\phi }_i⟩\right\}}^q}_{i=1}$ and $A_2={{\left\{|{\psi }_i⟩\right\}}^q}_{i=1}$ are two sets of standard orthogonal bases, which are defined over a q-dimensional complex space $C^q$. We state that $A_1$ and $A_2$ are mutually unbiased if the following relationship is satisfied: $|⟨{\phi }_i|{\psi }_j⟩|=\frac{1}{\sqrt{q}}$.

If any two sets of standard orthogonal bases $A_1,A_2,\cdots ,A_m$ in space $C^q$ is unbiased, then this set is called an unbiased bases set. Additionally, one can find at most $q+1$ mutually unbiased bases if q is an odd prime number. In particular, the computation basis is expressed as $\left\{|k⟩|k\in D\right\}$, where $D=\left\{0,1,\dots ,q-1\right\}$. In addition to the computation basis, the remaining q groups of unbiased bases can be expressed as $|{\phi }_l^{\left(j\right)}⟩=\frac{1}{\sqrt{q}}{\sum }_{k=0}^{q-1}{\omega }^{k\left(l+jk\right)}|k⟩$, where $\omega =e^{\frac{2\pi i}{q}}$ and $j\in D$ represent the number of the mutually unbiased bases and $l\in D$ list the number of vectors for the given bases. For $j\ne j^{\prime }$ these mutually unbiased bases satisfy the following conditions: $|⟨{{\phi }_l}^{\left(j\right)}|{{\phi }_l}^{\left(j^{\prime }\right)}⟩|=\frac{1}{\sqrt{q}}$.

Letting $X_q={\sum }_{n=0}^{q-1}{\omega }^n|n⟩⟨n|$, we have following operations:

$$\begin{array}{c}{X_q}^x|{{\phi }_l}^{\left(j\right)}⟩={X_q}^x\frac{1}{\sqrt{q}}{\sum }_{k=0}^{q-1}{\omega }^{k\left(l+jk\right)}|k⟩\hfill \\ =\frac{1}{\sqrt{q}}\left({\sum }_{n=0}^{q-1}{\omega }^{xn}|n⟩⟨n|\right)\left({\sum }_{k=0}^{q-1}{\omega }^{k\left(l+jk\right)}|k⟩\right)=\frac{1}{\sqrt{q}}\left({\sum }_{k=0}^{q-1}{\omega }^{k\left(l+x\right)+jk}|k⟩\right)=|{{\phi }_{l+x}}^{\left(j\right)}⟩.\hfill \end{array}$$

For the convenience of expression, ${X_q}^x$ is denoted as $U_x$ which is a unitary operator, that is, $U_x|{{\phi }_l}^{\left(j\right)}⟩=|{{\phi }_{l+x}}^{\left(j\right)}⟩$. Especially, we have $U_l|{{\phi }_0}^{\left(0\right)}⟩=|{{\phi }_l}^{\left(0\right)}⟩$.

2.3. Controlled Quantum Teleportation

Our arbitrated quantum signature scheme is based on controlled quantum teleportation. The five-qubit entangled state can be used to perfect the teleportation of arbitrary single- and two-qubit systems [37], which are suitable for maximum contact teleportation and satisfy the biggest task-oriented definition of entangled state [36]. Due to the above advantages, in this section, we use the five-qubit entangled state as the quantum channel to execute controlled quantum teleportation. The design form is as follows:

$${|\xi ⟩}_{12345}=\frac{1}{2}{\left(|001⟩|{\varphi }^{-}⟩+|010⟩|{\psi }^{-}⟩+|100⟩|{\varphi }^{+}⟩+|111⟩|{\psi }^{+}⟩\right)}_{12345}.$$

In the form above, $|{\varphi }^{+}⟩,|{\varphi }^{-}⟩,|{\psi }^{+}⟩,|{\psi }^{-}⟩$ represent the four Bell states of two particles, respectively, $|{\varphi }^{\pm }⟩=\frac{1}{\sqrt{2}}\left(|00⟩\pm |11⟩\right)$ and $|{\psi }^{\pm }⟩=\frac{1}{\sqrt{2}}\left(|01⟩\pm |10⟩\right)$. These states exhibit true multipartite entanglement from both negative bias measurements and von Neumann measurements. Even after tracking one or two qubits from this state, entanglement is maintained in the resulting subsystem, which is therefore highly robust.

In the quantum teleportation process, the participants are Alice, Trent, and Bob. Alice owns particles (M, 2, 3), Trent owns particles (1, 4), and Bob owns the particle (5).

The model of controlled quantum teleportation is shown in Figure 1.

Figure 1. The model of controlled quantum teleportation.

The working process of the controlled quantum teleportation is described below:

Step 1: Alice performs three-particle von Neumann measurements of the particles (M, 2, 3) in her possession. The three-particle von Neumann measurement basis is $\left\{\right|{\chi }^i⟩\}$$\left(i=1,2,\cdots ,8\right)$, as shown in Table 1.

Table 1. The three-particle von Neumann measurement basis.

${\chi }^1=\frac{1}{\sqrt{2}}\left(|000⟩+|111⟩\right)$	${\chi }^2=\frac{1}{\sqrt{2}}\left(|000⟩-|111⟩\right)$
${\chi }^3=\frac{1}{\sqrt{2}}\left(|001⟩+|110⟩\right)$	${\chi }^4=\frac{1}{\sqrt{2}}\left(|001⟩-|110⟩\right)$
${\chi }^5=\frac{1}{\sqrt{2}}\left(|010⟩+|101⟩\right)$	${\chi }^6=\frac{1}{\sqrt{2}}\left(|010⟩-|101⟩\right)$
${\chi }^7=\frac{1}{\sqrt{2}}\left(|100⟩+|011⟩\right)$	${\chi }^8=\frac{1}{\sqrt{2}}\left(|100⟩-|011⟩\right)$

Suppose Alice carries the information of the quantum state of particle M as ${|\gamma ⟩}_M={\left(\alpha |0⟩+\beta |1⟩\right)}_M$, where the coefficients $\alpha$ and $\beta$ are unknown and satisfy ${\left|\alpha \right|}^2+{\left|\beta \right|}^2=1$. The combined state of the entire system ${|\mathsf{\Psi }⟩}_{M12345}$ consisting of particles M and $\left(1,2,3,4,5\right)$ is given by the formula below.

$$\begin{array}{cc}\hfill {|\mathsf{\Psi }⟩}_{M12345}& ={|\gamma ⟩}_M\otimes {|\xi ⟩}_{12345}={\left(\alpha |0⟩+\beta |1⟩\right)}_M\otimes {|\xi ⟩}_{12345}\hfill \\ & ={\left(\alpha |0⟩+\beta |1⟩\right)}_M\otimes \frac{1}{2}{\left(|001⟩|{\varphi }^{-}⟩+|010⟩|{\psi }^{-}⟩+|100⟩|{\varphi }^{+}⟩+|111⟩|{\psi }^{+}⟩\right)}_{12345}\hfill \\ & ={\left(\alpha |0⟩+\beta |1⟩\right)}_M\otimes \frac{1}{2\sqrt{2}}\left(\right|00100⟩\hfill \\ & -|00111⟩+|01001⟩-|01010⟩+|10000⟩+|10011⟩+|11101⟩+{|11110⟩)}_{12345}\hfill \\ & =\frac{1}{2\sqrt{2}}\left[\alpha \right|000100⟩-\alpha |000111⟩+\alpha |001001⟩\hfill \\ & - \alpha |001010⟩+\alpha |010000⟩+\alpha |010011⟩+\alpha |011101⟩+\alpha |011110⟩\hfill \\ & + \beta |100100⟩-\beta |100111⟩+\beta |101001⟩-\beta |101010⟩\hfill \\ & + \beta |110000⟩+\beta |110011⟩+\beta |111101⟩+{\beta |111110⟩]}_{12345}.\hfill \end{array}$$

Step 2: Alice conveys her measurement outcomes to Bob through the classical channel. If Alice uses measurement basis $\left\{\right|{\chi }^i⟩\}$$\left(i=1,2,\cdots ,8\right)$ to measure ${|\mathsf{\Psi }⟩}_{M12345}$, then ${|\mathsf{\Psi }⟩}_{M12345}$ will collapse into the corresponding states shown in Table 2.

Table 2. The outcomes of Alice’s measuring ${|\mathsf{\Psi }⟩}_{M12345}$ with measurement basis $\left\{|{\chi }^i⟩\right\}$.

${⟨{\chi }_{M23}^1|\mathsf{\Psi }⟩}_{M12345}=\frac{1}{4}\left(\alpha |100⟩+\alpha |111⟩+\beta |101⟩+\beta |110⟩\right)$	${⟨{\chi }_{M23}^2|\mathsf{\Psi }⟩}_{M12345}=\frac{1}{4}\left(\alpha |100⟩+\alpha |111⟩-\beta |101⟩-\beta |110⟩\right)$
${⟨{\chi }_{M23}^3|\mathsf{\Psi }⟩}_{M12345}=\frac{1}{4}\left(\alpha |000⟩-\alpha |011⟩+\beta |001⟩-\beta |010⟩\right)$	${⟨{\chi }_{M23}^4|\mathsf{\Psi }⟩}_{M12345}=\frac{1}{4}\left(\alpha |000⟩-\alpha |011⟩-\beta |001⟩+\beta |010⟩\right)$
${⟨{\chi }_{M23}^5|\mathsf{\Psi }⟩}_{M12345}=\frac{1}{4}\left(\alpha |001⟩-\alpha |010⟩+\beta |000⟩-\beta |011⟩\right)$	${⟨{\chi }_{M23}^6|\mathsf{\Psi }⟩}_{M12345}=\frac{1}{4}\left(\alpha |001⟩-\alpha |010⟩-\beta |000⟩+\beta |011⟩\right)$
${⟨{\chi }_{M23}^7|\mathsf{\Psi }⟩}_{M12345}=\frac{1}{4}\left(\alpha |101⟩+\alpha |110⟩+\beta |100⟩+\beta |111⟩\right)$	${⟨{\chi }_{M23}^8|\mathsf{\Psi }⟩}_{M12345}=\frac{1}{4}\left(-\alpha |101⟩-\alpha |110⟩+\beta |100⟩+\beta |111⟩\right)$

Step 3: Trent uses Bell measurement basis $\left\{|{\varphi }^{+}⟩,|{\varphi }^{-}⟩,|{\psi }^{+}⟩,|{\psi }^{-}⟩\right\}$ to perform two-particle measurements on particles (1,4). After Trent measures ${⟨{\chi }_{M23}^i|\mathsf{\Psi }⟩}_{M12345}$ with Bell measurement basis $\left\{|{\varphi }^{+}⟩,|{\varphi }^{-}⟩,|{\psi }^{+}⟩,|{\psi }^{-}⟩\right\}$, ${⟨{\chi }_{M23}^i|\mathsf{\Psi }⟩}_{M12345}$ collapses to the corresponding state shown in Table 3.

Table 3. Outcomes of Trent’s measuring ${⟨{\chi }_{M23}^i|\mathsf{\Psi }⟩}_{M12345}$ with Bell measurement basis.

	$|{\mathit{\varphi }}_{14}^{+}⟩$	$|{\mathit{\varphi }}_{14}^{-}⟩$	$|{\mathit{\psi }}_{14}^{+}⟩$	$|{\mathit{\psi }}_{14}^{-}⟩$
${⟨{\chi }_{M23}^1|\mathsf{\Psi }⟩}_{M12345}$	${\left(\alpha |1⟩+\beta |0⟩\right)}_5$	${\left(-\alpha |1⟩-\beta |0⟩\right)}_5$	${\left(\alpha |0⟩+\beta |1⟩\right)}_5$	${\left(-\alpha |0⟩-\beta |1⟩\right)}_5$
${⟨{\chi }_{M23}^2|\mathsf{\Psi }⟩}_{M12345}$	${\left(\alpha |1⟩-\beta |0⟩\right)}_5$	${\left(-\alpha |1⟩+\beta |0⟩\right)}_5$	${\left(\alpha |0⟩-\beta |1⟩\right)}_5$	${\left(-\alpha |0⟩+\beta |1⟩\right)}_5$
${⟨{\chi }_{M23}^3|\mathsf{\Psi }⟩}_{M12345}$	${\left(\alpha |0⟩+\beta |1⟩\right)}_5$	${\left(\alpha |0⟩+\beta |1⟩\right)}_5$	${\left(-\alpha |1⟩-\beta |0⟩\right)}_5$	${\left(-\alpha |1⟩-\beta |0⟩\right)}_5$
${⟨{\chi }_{M23}^4|\mathsf{\Psi }⟩}_{M12345}$	${\left(\alpha |0⟩-\beta |1⟩\right)}_5$	${\left(\alpha |0⟩-\beta |1⟩\right)}_5$	${\left(-\alpha |1⟩+\beta |0⟩\right)}_5$	${\left(-\alpha |1⟩+\beta |0⟩\right)}_5$
${⟨{\chi }_{M23}^5|\mathsf{\Psi }⟩}_{M12345}$	${\left(\alpha |1⟩+\beta |0⟩\right)}_5$	${\left(\alpha |1⟩+\beta |0⟩\right)}_5$	${\left(-\alpha |0⟩-\beta |1⟩\right)}_5$	${\left(-\alpha |0⟩-\beta |1⟩\right)}_5$
${⟨{\chi }_{M23}^6|\mathsf{\Psi }⟩}_{M12345}$	${\left(\alpha |1⟩-\beta |0⟩\right)}_5$	${\left(\alpha |1⟩-\beta |0⟩\right)}_5$	${\left(-\alpha |0⟩+\beta |1⟩\right)}_5$	${\left(-\alpha |0⟩+\beta |1⟩\right)}_5$
${⟨{\chi }_{M23}^7|\mathsf{\Psi }⟩}_{M12345}$	${\left(\alpha |0⟩+\beta |1⟩\right)}_5$	${\left(-\alpha |0⟩-\beta |1⟩\right)}_5$	${\left(\alpha |1⟩+\beta |0⟩\right)}_5$	${\left(-\alpha |1⟩-\beta |0⟩\right)}_5$
${⟨{\chi }_{M23}^8|\mathsf{\Psi }⟩}_{M12345}$	${\left(-\alpha |0⟩+\beta |1⟩\right)}_5$	${\left(\alpha |0⟩-\beta |1⟩\right)}_5$	${\left(-\alpha |1⟩+\beta |0⟩\right)}_5$	${\left(\alpha |1⟩-\beta |0⟩\right)}_5$

Step 4: Trent sends his measurement results to Bob through the classical channel.

Step 5: Following Trent and Alice’s measurements, Bob performs an appropriate unitary operation $U_{\left(5\right)}$ and successfully reconstructs the original unknown quantum state ${|\gamma ⟩}_M$ on the particle (5).

The participants’ measurement outcomes and the unitary operation $U_{\left(5\right)}$ are shown in Table 4, in which MO represents the measurement outcomes and all the Pauli matrices are shown below.

$$\begin{array}{c}I=\left[\begin{array}{cc}1& 0\\ 0& 1\end{array}\right],{\sigma }_x=\left[\begin{array}{cc}0& 1\\ 1& 0\end{array}\right],{\sigma }_y=\left[\begin{array}{cc}0& -i\\ i& 0\end{array}\right],{\sigma }_z=\left[\begin{array}{cc}1& 0\\ 0& -1\end{array}\right].\end{array}$$

Table 4. The relationship between Alice’s, Trent’s measurement outcomes, and Bob’s unitary operation.

Alice’ MO	Trent’ MO	Bob’s State	${\mathit{U}}_{\left(5\right)}$	Trent’ MO	Bob’s State	${\mathit{U}}_{\left(5\right)}$
${\chi }^1=\frac{1}{\sqrt{2}}\left(|000⟩+|111⟩\right)$	$|{\varphi }_{14}^{+}⟩$	${\left(\alpha |1⟩+\beta |0⟩\right)}_5$	${\left({\sigma }_x\right)}_5$	$|{\psi }_{14}^{+}⟩$	${\left(\alpha |0⟩+\beta |1⟩\right)}_5$	$I_5$
	$|{\varphi }_{14}^{-}⟩$	${\left(-\alpha |1⟩-\beta |0⟩\right)}_5$	${\left(-{\sigma }_x\right)}_5$	$|{\psi }_{14}^{-}⟩$	${\left(-\alpha |0⟩-\beta |1⟩\right)}_5$	$-I_5$
${\chi }^2=\frac{1}{\sqrt{2}}\left(|000⟩-|111⟩\right)$	$|{\varphi }_{14}^{+}⟩$	${\left(\alpha |1⟩-\beta |0⟩\right)}_5$	${\left(i{\sigma }_y\right)}_5$	$|{\psi }_{14}^{+}⟩$	${\left(\alpha |0⟩-\beta |1⟩\right)}_5$	${\left({\sigma }_z\right)}_5$
	$|{\varphi }_{14}^{-}⟩$	${\left(-\alpha |1⟩+\beta |0⟩\right)}_5$	${\left(-i{\sigma }_y\right)}_5$	$|{\psi }_{14}^{-}⟩$	${\left(-\alpha |0⟩+\beta |1⟩\right)}_5$	${\left(-{\sigma }_z\right)}_5$
${\chi }^3=\frac{1}{\sqrt{2}}\left(|001⟩+|110⟩\right)$	$|{\varphi }_{14}^{+}⟩$	${\left(\alpha |0⟩+\beta |1⟩\right)}_5$	$I_5$	$|{\psi }_{14}^{+}⟩$	${\left(-\alpha |1⟩-\beta |0⟩\right)}_5$	${\left(-{\sigma }_x\right)}_5$
	$|{\varphi }_{14}^{-}⟩$	${\left(\alpha |0⟩+\beta |1⟩\right)}_5$	$I_5$	$|{\psi }_{14}^{-}⟩$	${\left(-\alpha |1⟩-\beta |0⟩\right)}_5$	${\left(-{\sigma }_x\right)}_5$
${\chi }^4=\frac{1}{\sqrt{2}}\left(|001⟩-|110⟩\right)$	$|{\varphi }_{14}^{+}⟩$	${\left(\alpha |0⟩-\beta |1⟩\right)}_5$	${\left({\sigma }_z\right)}_5$	$|{\psi }_{14}^{+}⟩$	${\left(-\alpha |1⟩+\beta |0⟩\right)}_5$	${\left(-i{\sigma }_y\right)}_5$
	$|{\varphi }_{14}^{-}⟩$	${\left(\alpha |0⟩-\beta |1⟩\right)}_5$	${\left({\sigma }_z\right)}_5$	$|{\psi }_{14}^{-}⟩$	${\left(-\alpha |1⟩+\beta |0⟩\right)}_5$	${\left(-i{\sigma }_y\right)}_5$
${\chi }^5=\frac{1}{\sqrt{2}}\left(|010⟩+|101⟩\right)$	$|{\varphi }_{14}^{+}⟩$	${\left(\alpha |1⟩+\beta |0⟩\right)}_5$	${\left({\sigma }_x\right)}_5$	$|{\psi }_{14}^{+}⟩$	${\left(-\alpha |0⟩-\beta |1⟩\right)}_5$	$-I_5$
	$|{\varphi }_{14}^{-}⟩$	${\left(\alpha |1⟩+\beta |0⟩\right)}_5$	${\left({\sigma }_x\right)}_5$	$|{\psi }_{14}^{-}⟩$	${\left(-\alpha |0⟩-\beta |1⟩\right)}_5$	$-I_5$
${\chi }^6=\frac{1}{\sqrt{2}}\left(|010⟩-|101⟩\right)$	$|{\varphi }_{14}^{+}⟩$	${\left(\alpha |1⟩-\beta |0⟩\right)}_5$	${\left(i{\sigma }_y\right)}_5$	$|{\psi }_{14}^{+}⟩$	${\left(-\alpha |0⟩+\beta |1⟩\right)}_5$	${\left(-{\sigma }_z\right)}_5$
	$|{\varphi }_{14}^{-}⟩$	${\left(\alpha |1⟩-\beta |0⟩\right)}_5$	${\left(i{\sigma }_y\right)}_5$	$|{\psi }_{14}^{-}⟩$	${\left(-\alpha |0⟩+\beta |1⟩\right)}_5$	${\left(-{\sigma }_z\right)}_5$
${\chi }^7=\frac{1}{\sqrt{2}}\left(|100⟩+|011⟩\right)$	$|{\varphi }_{14}^{+}⟩$	${\left(\alpha |0⟩+\beta |1⟩\right)}_5$	$I_5$	$|{\psi }_{14}^{+}⟩$	${\left(\alpha |1⟩+\beta |0⟩\right)}_5$	${\left({\sigma }_x\right)}_5$
	$|{\varphi }_{14}^{-}⟩$	${\left(-\alpha |0⟩-\beta |1⟩\right)}_5$	$-I_5$	$|{\psi }_{14}^{-}⟩$	${\left(-\alpha |1⟩-\beta |0⟩\right)}_5$	${\left(-{\sigma }_x\right)}_5$
${\chi }^8=\frac{1}{\sqrt{2}}\left(|100⟩-|011⟩\right)$	$|{\varphi }_{14}^{+}⟩$	${\left(-\alpha |0⟩+\beta |1⟩\right)}_5$	${\left(-{\sigma }_z\right)}_5$	$|{\psi }_{14}^{+}⟩$	${\left(-\alpha |1⟩+\beta |0⟩\right)}_5$	${\left(-i{\sigma }_y\right)}_5$
	$|{\varphi }_{14}^{-}⟩$	${\left(\alpha |0⟩-\beta |1⟩\right)}_5$	${\left({\sigma }_z\right)}_5$	$|{\psi }_{14}^{-}⟩$	${\left(\alpha |1⟩-\beta |0⟩\right)}_5$	${\left(i{\sigma }_y\right)}_5$

Based on Alice and Trent’s measurement outcomes, Bod performs the corresponding unitary operation $U_{\left(5\right)}$ on particle (5) and his result is $\alpha |0⟩+\beta |1⟩$. This is the original information particle state. That is, Alice successfully transmits the unknown quantum state to Bob under Trent’s control.

Example 1.

Suppose that the information particle states are $\left\{\right|0⟩,|1⟩,|+⟩,|-⟩,|+⟩,|0⟩,|-⟩$, $|1⟩$, $|1⟩$,$|0⟩\}$. Alice combines each information particle state and five-particle entangled state into a six-particle state sequence: $\left\{\right|0⟩\otimes {|\xi ⟩}_{12345}$, $|1⟩\otimes {|\xi ⟩}_{12345}$, ${|+⟩\otimes |\xi ⟩}_{12345}{,|-⟩\otimes |\xi ⟩}_{12345}{,|+⟩\otimes |\xi ⟩}_{12345}$, $|0⟩\otimes {|\xi ⟩}_{12345}{,|-⟩\otimes |\xi ⟩}_{12345},|1⟩\otimes {|\xi ⟩}_{12345}$, $|1⟩\otimes {|\xi ⟩}_{12345}$, $|0⟩\otimes {|\xi ⟩}_{12345}\}$. Alice performs von Neumann measurement of the particles (M,2,3) in the sequence. Suppose that von Neumann measurement outcomes are $\{{\chi }^1,{\chi }^5,{\chi }^7,{\chi }^2,{\chi }^8$, ${\chi }^3$, ${\chi }^4,{\chi }^4,{\chi }^8,{\chi }^6\}$, and Trent’s measurement outcomes of the particles (1,4) in the sequence are $\left\{\right|{\varphi }_{14}^{+}⟩$, $|{\varphi }_{14}^{-}⟩$, $|{\psi }_{14}^{+}⟩$, $|{\psi }_{14}^{-}⟩$, $|{\varphi }_{14}^{+}⟩$, $|{\psi }_{14}^{+}⟩$, $|{\psi }_{14}^{-}⟩$, $|{\varphi }_{14}^{-}⟩$, $|{\psi }_{14}^{+}⟩$, $|{\psi }_{14}^{-}⟩\}$. At this time, the states of all particles (5) should be ${\left(\alpha |1⟩+\beta |0⟩\right)}_5$, ${\left(\alpha |1⟩+\beta |0⟩\right)}_5$, ${\left(\alpha |1⟩+\beta |0⟩\right)}_5$, ${\left(-\alpha |0⟩+\beta |1⟩\right)}_5$, ${\left(-\alpha |0⟩+\beta |1⟩\right)}_5$, ${\left(-\alpha |1⟩-\beta |0⟩\right)}_5$, ${\left(-\alpha |1⟩+\beta |0⟩\right)}_5$, ${\left(\alpha |0⟩-\beta |1⟩\right)}_5$, ${\left(-\alpha |1⟩+\beta |0⟩\right)}_5$, ${\left(-\alpha |0⟩+\beta |1⟩\right)}_5$. After Bob performs the following unitary operation: $\{{\sigma }_x,{\sigma }_x,{\sigma }_x,-{\sigma }_z,-{\sigma }_z,-{\sigma }_x,-i{\sigma }_y,{\sigma }_z,-i{\sigma }_y,$ $-{\sigma }_z\}$, the states of the information particles are $\left\{\right|0⟩,|1⟩,|+⟩,|-⟩,|+⟩,|0⟩,|-⟩,|1⟩,$$|1⟩,$$|0⟩\}$.

3. The Proposed Verifiable Arbitrated Quantum Signature Scheme

In our scheme, Alice the signatory, Bob the verifier, and Trent the arbitrator are defined as the three participants. The arbitrator Trent should be trusted by both Alice and Bob. The detailed procedures of our scheme can be described as follows.

3.1. Initializing Phase

Step I1: Alice and Trent share secret key $K_A$ and Bob and Trent share secret key $K_B$. The secret key distribution task can be performed using the QKD protocol, which has been proven to provide unconditional security [39,40].

Step I2: Trent selects a $k-1$-order symmetric binary polynomial: $F(x,y)=a_{00}+a_{10}x+a_{01}y+a_{11}xy+a_{20}{x}^2+a_{02}{y}^2+a_{12}x{y}^2+a_{21}{x}^{2}y+a_{22}{x}^2{y}^2+\cdots +a_{k-1,k-1}{x}^{k-1}{y}^{k-1}$ mod q, where q is a prime number, $F(x,y)\in GF\left(q\right)[x,y]$, $a_{ij}\in F_q$, $i,j\in \{0,1,\cdots ,k-1\}$, $a_{ij}=a_{ji}$, $F_q$ is a finite field. Suppose that the public identity information for the participants Alice, Bob, and Trent is $x_A,x_B,x_T$. Trent computes two share polynomials $f_A\left(y\right)=F(x_A,y)$ and $f_B\left(y\right)=F(x_B,y)$. The share polynomial $f_A\left(y\right)$ is encrypted as $f_A^{{}^{\prime }}\left(y\right)=E_{K_A}\left(f_A\left(y\right)\right)$ and $f_A^{{}^{\prime }}\left(y\right)$ is sent to Alice. The share polynomial $f_B\left(y\right)$ is encrypted as $f_B^{{}^{\prime }}\left(y\right)=E_{K_B}\left(f_B\left(y\right)\right)$ and $f_B^{{}^{\prime }}\left(y\right)$ is sent to Bob.

Step I3: Alice receives $f_A^{{}^{\prime }}\left(y\right)$ and decrypts it with secret key $K_A$ to obtain $f_A\left(y\right)=F(x_A,y)$. Alice calculates $f_A\left(x_B\right)=F(x_A,x_B)$ and $f_A\left(x_T\right)=F(x_A,x_T)$ based on Bob’s and Trent’s public identity information $x_B$ and $x_T$. Similarly, Bob can calculate $f_B\left(x_A\right)=F(x_B,x_A)$ and $f_B\left(x_T\right)=F(x_B,x_T)$ based on Alice’s and Trent’s public identity information $x_A$ and $x_T$. Due to the symmetry of the binary polynomial, $f_A\left(x_B\right)=f_B\left(x_A\right)$, $f_A\left(x_T\right)=f_T\left(x_A\right)$, $f_B\left(x_T\right)=f_T\left(x_B\right)$.

Step I4: According to the value of $F(x_A,x_B)$ and $F(x_A,x_T)$, Alice executes the unitary operations $U_{F(x_A,x_B)}$ and $U_{F(x_A,x_T)}$ on $|\mu ⟩=|{\phi }_0^{\left(0\right)}⟩=\frac{1}{\sqrt{q}}{\sum }_{i=0}^{q-1}|i⟩$ to produce enough decoy particles: ${|\mu ⟩}_{A,B}=U_{F\left(x_A,x_B\right)}|{\phi }_0^{\left(0\right)}⟩=|{\phi }_{F\left(x_A,x_B\right)}^{\left(0\right)}⟩$ and ${|\mu ⟩}_{A,T}=U_{F\left(x_A,x_T\right)}|{\phi }_0^{\left(0\right)}⟩=|{\phi }_{F\left(x_A,x_T\right)}^{\left(0\right)}⟩$.

The parameter formation process of the initializing phase is shown in Figure 2.

Figure 2. Initializing phase schematic diagram.

3.2. Signing Phase

Step S1: Alice obtains a qubit string $|\mathsf{\Gamma }⟩$ based on the signature information m. Suppose there are n qubits in the information qubit string $|\mathsf{\Gamma }⟩=\left\{\right|{\gamma }_1⟩,|{\gamma }_2⟩$, ⋯, $|{\gamma }_n⟩\}$, where the symbol $\{\cdots \}$ represents the collection and $|{\gamma }_i⟩$ represents a single qubit in $|\mathsf{\Gamma }⟩$. Any qubit $|{\gamma }_i⟩$$\left(i=1,2,\cdots ,n\right)$ in $|\mathsf{\Gamma }⟩$ can be represented as a superposition of two eigenstates $|0⟩$ and $|1⟩$, namely, $|{\gamma }_i⟩={\alpha }_i|0⟩+{\beta }_i|1⟩$, where ${\alpha }_i,{\beta }_i$ are complex numbers that satisfy $|{\alpha }_i{|}^2+{\left|{\beta }_i\right|}^2=1$. Thus, the signed quantum information string of Alice can be represented as $|\mathsf{\Gamma }⟩=\left\{{\alpha }_1\right|0⟩+{\beta }_1|1⟩,{\alpha }_2|0⟩+{\beta }_2|1⟩,\cdots ,{\alpha }_n|0⟩+{\beta }_n|1⟩\}$. Note that if the signature quantum state is known, any copies of $|\mathsf{\Gamma }⟩$ can be prepared in advance. If the signature quantum state is unknown, at least three copies of $|\mathsf{\Gamma }⟩$ are necessary, among which one is combined with 5-particle entangled state, one produces a secret qubit string $|R_A⟩$, and the other is sent to Bob.

Step S2: Alice transforms the information qubit string $|\mathsf{\Gamma }⟩$ into a secret qubit string $|R_A⟩=M_{K_A}\left(|\mathsf{\Gamma }⟩\right)$ in terms of the secret key $K_A$. This transform method can be seen in [14].

Step S3: Alice prepares 5-particle entangled states. Alice combines each information qubit with 5-particle entangled state into the same long 6-particle qubit string. Each combinatorial state includes one information particle and five entangled particle. This 6-particle combination state can be described as follows:

$$\begin{array}{cc}\hfill |{\mathsf{\Psi }}^i{⟩}_{M12345}& = |{\gamma }_i{⟩}_M\otimes {|\xi ⟩}_{12345}={\left({\alpha }_i|0⟩+{\beta }_i|1⟩\right)}_M\otimes {|\xi ⟩}_{12345}\hfill \\ & = \frac{1}{2\sqrt{2}}\left[{\alpha }_i\right|000100⟩-{\alpha }_i|000111⟩+{\alpha }_i|001001⟩-{\alpha }_i|001010⟩+{\alpha }_i|010000⟩\hfill \\ & + {\alpha }_i|010011⟩+{\alpha }_i|011101⟩+{\alpha }_i|011110⟩+{\beta }_i|100100⟩-{\beta }_i|100111⟩\hfill \\ & + {\beta }_i|101001⟩-{\beta }_i|101010⟩+{\beta }_i|110000⟩+{\beta }_i|110011⟩+{\beta }_i|111101⟩\hfill \\ & + {\beta }_i{|111110⟩]}_{M12345}\hfill \end{array}$$

Step S4: Alice uses ${\mathsf{\Omega }}_A$ to represent the sequence of n (M, 2, 3) particles, where M represents the information particle to be signed. ${\mathsf{\Omega }}_T$ represents the sequence of n (1, 4) particles, and ${\mathsf{\Omega }}_B$ represents the sequence of n (5) particles. The decoy particles ${|\mu ⟩}_{A,T}=U_{F\left(x_A,x_T\right)}|{\phi }_0^{\left(0\right)}⟩=|{\phi }_{F\left(x_A,x_T\right)}^{\left(0\right)}⟩$ and ${|\mu ⟩}_{A,B}=U_{F\left(x_A,x_B\right)}|{\phi }_0^{\left(0\right)}⟩=|{\phi }_{F\left(x_A,x_B\right)}^{\left(0\right)}⟩$ are randomly inserted in ${\mathsf{\Omega }}_T$ and ${\mathsf{\Omega }}_B$ to form ${\mathsf{\Omega }}_T^{{}^{\prime }}$ and $\mathsf{\Omega }{{}^{\prime }}_B$, respectively. Alice sends ${\mathsf{\Omega }}_T^{{}^{\prime }}$ to Trent and $\mathsf{\Omega }{{}^{\prime }}_B$ to Bob.

Step S5: Alice performs von Neumann measurement on the particle sequence ${\mathsf{\Omega }}_A$ that she has mastered. Suppose the n-group von Neumann measurement results are $\delta \left({\mathsf{\Omega }}_A\right)=\{\delta \left({\mathsf{\Omega }}_{A,1}\right),\delta \left({\mathsf{\Omega }}_{A,2}\right),\cdots ,\delta \left({\mathsf{\Omega }}_{A,n}\right)\}$, where ${\mathsf{\Omega }}_{A,i}\in \{{\chi }^1,{\chi }^2,\cdots ,{\chi }^8\}$. Alice encrypts $|R_A⟩$ and $\delta \left({\mathsf{\Omega }}_A\right)$ to form the signature $|S⟩=E_{K_A}\left(|R_A⟩,\delta \left({\mathsf{\Omega }}_A\right)\right)$ by using quantum one-time pad algorithm [41]. Note that $\delta \left({\mathsf{\Omega }}_A\right)$, even if sometimes described as classical bits, can be converted to qubits from the measurement basis $\{{\chi }^1,{\chi }^2,\cdots ,{\chi }^8\}$. Alice sends the signature $|S⟩$ and 2 information qubit strings $|\mathsf{\Gamma }⟩$ to Bob.

3.3. Verification Phase

Step V1: After confirming that Bob received $\mathsf{\Omega }{{}^{\prime }}_B$, Alice tells Bob the position of the decoy particles and Bob executes the unitary operation $U_{-F\left(x_B,x_A\right)}$ on the decoy particle ${|\mu ⟩}_{A,B}$, that is, ${|\mu ⟩}_{B,A}=U_{-F\left(x_B,x_A\right)}{|\mu ⟩}_{A,B}$. Then, Bob measures the decoy particles using measurement basis $\{|{\phi }_l^{\left(0\right)}⟩$ $|l\in q\}$. If ${|\mu ⟩}_{B,A}\ne |{\phi }_0^{\left(0\right)}⟩$, it implies that the identity authentication between Alice and Bob cannot be passed or the decoy particle have been eavesdropped. Finally, Bob calculates the error rate based on measurement outcomes of the decoy particles. If the error rate is less than the previously given value, they perform the next step. Otherwise, the execution of the protocol is aborted. After Bob passes the eavesdropping detection and identity authentication of $\mathsf{\Omega }{{}^{\prime }}_B$, the decoy particles are removed and ${\mathsf{\Omega }}_B$ is restored. Similarly, after confirming that Trent received $\mathsf{\Omega }{{}^{\prime }}_T$, Alice tells Trent the position of the decoy particles and then Trent executes the unitary operations $U_{-F\left(x_T,x_A\right)}$ on the decoy particle ${|\mu ⟩}_{A,T}$, that is, ${|\mu ⟩}_{T,A}=U_{-F\left(x_T,x_A\right)}{|\mu ⟩}_{A,T}$. Then Trent measures the decoy particles using the measurement basis $\{|{\phi }_l^{\left(0\right)}⟩|l\in q\}$. If ${|\mu ⟩}_{T,A}\ne |{\phi }_0^{\left(0\right)}⟩$, it indicates that the identity authentication between Alice and Trent cannot be passed or that the particles are eavesdropped. Finally, Trent calculates the error rate based on measurement outcomes of the decoy particles. If the error rate is less than the previously given value, they perform the next step; otherwise, they abandon the agreement. After Trent performs the eavesdropping detection and identity authentication on $\mathsf{\Omega }{{}^{\prime }}_T$, the decoy particles are removed and ${\mathsf{\Omega }}_T$ is restored.

Step V2: After Bob receives $|S⟩$ which was sent by Alice, he encrypts $|S⟩$ and $|\mathsf{\Gamma }⟩$ with the secret key $K_B$ to obtain $Y_B=E_{K_B}\left(|S⟩,|\mathsf{\Gamma }⟩\right)$. Bob sends $Y_B$ to Trent via a quantum channel.

Step V3: After receiving $Y_B=E_{K_B}\left(|S⟩,|\mathsf{\Gamma }⟩\right)$, Trent decrypts it using secret key $K_B$ to obtain $|S⟩$ and $|\mathsf{\Gamma }⟩$, and decrypts $|S⟩$ using secret key $K_A$ to obtain $|R_A⟩$ and $\delta \left({\mathsf{\Omega }}_A\right)$. In the meantime, Trent measures ${\mathsf{\Omega }}_T$ with measurement basis $\left\{\right|{\varphi }^{+}⟩,|{\varphi }^{-}⟩,|{\psi }^{+}⟩,|{\psi }^{-}⟩\}$ to obtain the measurement outcome $\delta \left({\mathsf{\Omega }}_T\right)$. Trent uses the secret key $K_A$ to transform the information qubit string $|\mathsf{\Gamma }⟩$ into $|R_A^{{}^{\prime }}⟩$ and compare $|R_A⟩$ with $|R_A^{{}^{\prime }}⟩$. If $|R_A⟩=|R_A^{{}^{\prime }}⟩$, Trent sets the initial check parameter $\theta =1$; otherwise, he sets $\theta =0$. Note that this step and the subsequent comparison of the quantum states can be found in [14,42]. To ensure the integrity of the signature, Trent selects an appropriate hash function $H\left(.\right)$ and calculates $H\left(|S⟩\right)$.

Step V4: Trent encryptions $|S⟩$, $H\left(|S⟩\right)$, $\delta \left({\mathsf{\Omega }}_A\right)$, $\delta \left({\mathsf{\Omega }}_T\right)$, $\theta$ with secret key $K_B$ and sends $Y_{TB}=E_{K_B}\left(\right|S⟩$, $H\left(|S⟩\right),\delta \left({\mathsf{\Omega }}_A\right),\delta \left({\mathsf{\Omega }}_T\right),\theta )$ to Bob.

Step V5: Bob decrypts $Y_{TB}$ to obtain $|S⟩$, $H\left(\right|S⟩)$, $\delta \left({\mathsf{\Omega }}_A\right)$, $\delta \left({\mathsf{\Omega }}_T\right)$ and $\theta$. If $\theta =0$, Bob can assume that the signature was forged, he rejects the signature and exits the verification process; otherwise, Bob continues with the next verification process.

Step V6: According to the values of $\delta \left({\mathsf{\Omega }}_A\right)$ and $\delta \left({\mathsf{\Omega }}_T\right)$, Bob chooses the corresponding unitary operator $U_{\left(5\right)}$ in Table 4. Bob performs unitary operation $U_{\left(5\right)}$ on the particles in sequence ${\mathsf{\Omega }}_B$ and measures them to obtain the quantum state $|{\mathsf{\Gamma }}^{{}^{\prime }}⟩$. Notice that $|{\mathsf{\Gamma }}^{{}^{\prime }}⟩$ is the result of executing controlled quantum teleportation. Then, he compares whether it is equal to $|\mathsf{\Gamma }⟩$. If $|\mathsf{\Gamma }⟩\ne |{\mathsf{\Gamma }}^{{}^{\prime }}⟩$, Bob considers the signature invalid and rejects it. If $|\mathsf{\Gamma }⟩=|{\mathsf{\Gamma }}^{{}^{\prime }}⟩$, Bob calculates $H^{{}^{\prime }}\left(|S⟩\right)$ with the same hash function and compares $H^{{}^{\prime }}\left(|S⟩\right)$ with $H\left(|S⟩\right)$. If $H^{{}^{\prime }}\left(|S⟩\right)=H\left(|S⟩\right)$, Bob accepts $|S⟩$ as the signature of $|\mathsf{\Gamma }⟩$ from Alice; otherwise, the signature is rejected.

The schematic diagram of the main steps of the arbitrated quantum signature scheme is shown in Figure 3.

Figure 3. Schematic diagram of the main steps of the arbitrated quantum signature scheme.

4. Verifiability Analysis

We can prove that, in this scheme, identity authentication and eavesdropping detection can be conducted between Alice and Bob as well as between Alice and Trent according to the measurement outcomes of the decoy particles. An example for the proposed verifiable arbitrated quantum signature scheme can be seen in Appendix A.

In steps I3 and I4, according to Alice’s share polynomial $F(x_A,y)$ and Bob’s publicly identified information $x_B$, Alice calculates $F(x_A,x_B)$ and creates decoy particles ${|\mu ⟩}_{A,B}=U_{F(x_A,x_B)}|{\phi }_0^{\left(0\right)}⟩=|{\phi }_{F(x_A,x_B)}^{\left(0\right)}⟩.$ According to Bob’s share polynomial $F(x_B,y)$ and Alice’s publicly identified information $x_A$, Bob calculates $F(x_B,x_A)$. In step V1, after Bob receives ${|\mu ⟩}_{A,B}$, he performs the unitary operation $U_{-F(x_B,x_A)}$ on ${|\mu ⟩}_{A,B}$, that is ${|\mu ⟩}_{B,A}=U_{-F(x_B,x_A)}{|\mu ⟩}_{A,B}$. According to the properties of symmetric binary polynomials, we have $F(x_B,x_A)=F(x_A,x_B)$ and ${|\mu ⟩}_{B,A}=U_{-F(x_B,x_A)}{U}_{F(x_A,x_B)}|{\phi }_0^{\left(0\right)}⟩=|{\phi }_0^{\left(0\right)}⟩$. Without external eavesdropping and cheating on either side, Bob’s measurement outcomes of the decoy particles should be $|{\phi }_0^{\left(0\right)}⟩$; otherwise, it can be determined that either identity cheating on both sides or external eavesdropping are occurring. Therefore, Alice and Bob can verify whether identity cheating is occurring according to the measurement outcomes of the decoy particles. Similarly, identity verification and eavesdropping detection can also be conducted between Alice and Trent according to the measurement outcomes of the decoy particles.

5. Safety Analysis

A secure quantum signature scheme should be of an unforgeable and undeniable property. In other words, it should meet the following requirements: (1) The signature cannot be forged by an attacker (including external adversary Eve and malicious receiver Bob). (2) The signatory Alice cannot disavow the message and signature she sent, and the receiver Bob cannot disavow that he received the signature. (3) That can be arbitrated if the receiver Bob admits the fact of receiving the signature but disavows the integrity of the signature.

5.1. Impossibility of Forgery

If the external attacker Eve tries to forge Alice’s signature $|S⟩$ for her own benefit, she should know the key $K_A$. However, due to the unconditional security of quantum key distribution [39,40], this is not possible. In addition, the quantum one-time pad protocol [41] is used to improve the security. Therefore, Eve’s forgery is impossible.

If the malicious receiver Bob tries to forge Alice’s signature $|S⟩=E_{K_A}\left(\right|R_A⟩,\delta \left({\mathsf{\Omega }}_A\right))$ for his own benefit, he must also know Alice’s secret key $K_A$. However, for the same reason, he cannot obtain any information about the key $K_A$. Thus, Bob cannot obtain the correct $|R_A⟩$. Subsequently, the initial check parameter $\theta$ used in the verifying phase will not be right, so the arbitrator Trent will discover this forgery. In a worse case, even if key $K_A$ is exposed to Eve, she still cannot forge the signature because she cannot create the appropriate $|R_A⟩$ and $\delta \left({\mathsf{\Omega }}_A\right)$ to associate with the new message. Bob uses the correlation of the Bell state to find this kind of forged file; further verification of $|R_A⟩=|R_A^{\prime }⟩$ cannot be established without the correct $|R_A⟩$. However, if Bob knew the secret key $K_A$, forgery would be inevitable.

We can prove that Eve, an external attacker, cannot entangle a decoy particle or an information particle with an auxiliary particle to steal secret information and forge a signature. See Appendix B for details.

5.2. Impossibility of Disavowal by the Signatory and the Verifier

A secure quantum signature scheme should have undeniable property. In other words, once the quantum signature is verified as a valid signature, the signatory cannot disavow the fact that the quantum signature is generated by them. The receiver of the signature cannot disavow the fact that he has received the quantum signature.

5.2.1. Impossibility of Disavowal by the Signatory Alice

Suppose Alice tries to disavow the signature $|S⟩$ that she has signed. As shown in Figure 4, after receiving the signature $|S⟩$, Bob cannot decrypt it without the key $K_A$. He can only encrypt $|S⟩$ and $|\mathsf{\Gamma }⟩$ to obtain $Y_B$ and sends $Y_B$ to Trent. After receiving $Y_B$, the arbitrator Trent decrypts $Y_B=E_{K_B}\left(\right|S⟩,|\mathsf{\Gamma }⟩)$ and $|S⟩=E_{K_A}\left(\right|R_A⟩,\delta \left({\mathsf{\Omega }}_A\right))$ with $K_A$ and $K_B$. As the signature $|S⟩=E_{K_A}\left(\right|R_A⟩,\delta \left({\mathsf{\Omega }}_A\right))$ contains the key $K_A$ shared only by Alice and Trent, Trent can accurately confirm that the signature $|S⟩$ was signed by Alice. Whether $|S⟩$ is the signature of the message $|\mathsf{\Gamma }⟩$ is determined by the initial check parameter $\theta$ calculated by the arbitrator Trent. Because $|R_A⟩=M_{K_A}\left(\right|\mathsf{\Gamma }⟩)$, $|R_A^{\prime }⟩=M_{K_A}\left(\right|{\mathsf{\Gamma }}^{\prime }⟩)$, if $|R_A⟩=|R_A^{\prime }⟩$, namely $\theta =1$, then the signature $|S⟩$ was signed by Alice for the message $|\mathsf{\Gamma }⟩$.

Figure 4. Diagram of transferring signature information.

5.2.2. Impossibility of Disavowal by the Verifier Bob

Similarly, as long as Trent receives the $Y_B$ sent from Bob, because $Y_B=E_{K_B}\left(\right|S⟩,|\mathsf{\Gamma }⟩)$ contains the key $K_B$ shared only by Bob and Trent, Trent can confirm that Bob received the signature and cannot change it, that is, Bob cannot disavow the fact that he received the signature. If Alice changes signature $|S⟩$ to $|S^{\prime }⟩$, her behavior will be found when Bob calculates hash value $H^{\prime }\left(\right|S⟩)$ and compares it with $H\left(\right|S⟩)$. If Bob admits to receiving the signature, but disavows the integrity of the signature, it can be arbitrated according to the hash value $H\left(\right|S⟩)$ of $|S⟩$.

In this scheme, the eavesdropping detection also functions as identity authentication, which can strengthen the undeniable property of Alice and Bob. In conclusion, our verifiable arbitrated quantum signature scheme has undeniable security.

6. Conclusions

In this paper, we proposed a verifiable arbitrated quantum signature scheme based on five-qubit entangled state. The proposed scheme uses mutually unbiased bases particles as decoy particles, and performs unitary operations on these decoy particles using the function values of symmetric binary polynomials, which can carry out not only eavesdropping detection, but also identity authentication among participants.

Due to the unconditional security of quantum key distribution and the quantum one-time pad, the external attacker Eve cannot know Alice’s key $K_A$; she cannot forge Alice’s signature $|S⟩$ for her own benefit. For the same reason, Bob cannot forge Alice’s signature $|S⟩$, either. In order to avoid Alice’s disavowal, we set that when Trent receives Alice’s signature $|S⟩$, the hash function value $H\left(\right|S⟩)$ of the signature is calculated to ensure the integrity of the signature. After Trent receives $Y_B$ and decrypts $Y_B$ and $|S⟩=E_{K_A}\left(\right|R_A⟩,\delta \left({\mathsf{\Omega }}_A\right))$, the initial check parameter $\theta$ confirms that $|S⟩$ is jointly generated by $|\mathsf{\Gamma }⟩$ and $K_A$, which proves that Alice did not cheat. At this time, since Trent had no information on parameter ${\mathsf{\Omega }}_B$, he could not forge a new signature. After Bob receives $Y_{TB}=E_{K_B}\left(\right|S⟩,H\left(\right|S⟩),\delta \left({\mathsf{\Omega }}_A\right),\delta \left({\mathsf{\Omega }}_T\right),\theta )$ and decrypts it, as the information of $\delta \left({\mathsf{\Omega }}_A\right),\delta \left({\mathsf{\Omega }}_T\right)$ and ${\mathsf{\Omega }}_B$ are in his grasp at this time, he can use the function of quantum teleportation to reconstruct the information qubit $|\mathsf{\Gamma }⟩$ to judge whether to accept the quantum signature $|S⟩$ signed by Alice.

Different from the signature scheme in classical cryptography, the security of our scheme is guaranteed by the quantum one-time pad [41] and quantum key distribution [39,40]. Therefore, it is unconditionally secure. The five-qubit entangled state plays a key role in quantum information processing tasks and it is the threshold number of qubits required for quantum error correction [43]. The principle of five-photon entanglement and open teleportation was reported in [44] and proved that von Neumann measurement, Bell measurement, and single-particle measurement are all feasible under the current technical and experimental conditions, so the scheme has good application value. Compared with the existing arbitrated quantum signature scheme [10,13,14,17,27], our scheme has high stability and can avoid being disavowed for the integrality of signature $|S⟩$. But due to the large number of qubits used in the scheme, it also experiences the problem of low quantum efficiency.

Appendix A.1. Initializing Phase

Step I1: Alice and Trent share secret key $K_A=00101101100110101011$. Bob and Trent share secret key $K_B=10101001000100101011$.

Step I2: Trent selects a 4-order symmetric binary polynomial $F(x,y)=11+7x+4x^2+21x^3+18x^4+7y+9xy+5x^{2}y+10x^{3}y+13x^{4}y+4y^2+5x{y}^2+6x^2{y}^2+14x^3{y}^2+19x^4{y}^2+21y^3+10x{y}^3+14x^2{y}^3+22x^3{y}^3+2x^4{y}^3+18y^4+13x{y}^4+19x^2{y}^4+2x^3{y}^4+19x^4{y}^{4}mod23$. Suppose that Alice’s identity information is $x_A=7$, Bob’s identity information is $x_B=3$, and Trent’s identity information is $x_T=13$. Trent calculates three share polynomials $f_T\left(y\right)=F(13,y)=15y^4+11y^3+6y^2+12y+20$, $f_A\left(y\right)=F(7,y)=11y^4+15y^3+16y^2+21y+8$ and $f_B\left(y\right)=F(3,y)=4y^4+13y^3+12y^2+22y$. Trent encrypts $f_A\left(y\right)$ and sends $f_A^{\prime }\left(y\right)=E_{K_A}\left(f_A\left(y\right)\right)$ to Alice, and encrypts $f_B\left(y\right)$ and sends $f_B^{\prime }\left(y\right)=E_{K_B}\left(f_B\left(y\right)\right)$ to Bob.

Step I3: After Alice and Bob receive $f_A^{\prime }\left(y\right)$ and $f_B^{\prime }\left(y\right)$, respectively, Alice decrypts $f_A^{\prime }\left(y\right)$ by using keys $K_A$ to get $f_A\left(y\right)=F(7,y)$ and Bob decrypts $f_B^{\prime }\left(y\right)$ by using keys $K_B$ to get $f_B\left(y\right)=F(3,y)$. Alice calculates $f_A\left(x_B\right)=F(7,3)=16$ and $f_A\left(x_T\right)=F(7,13)=5$ based on Bob’s and Trent’s public identity information $x_B=3$ and $x_T=13$. Similarly, Bob calculates $f_B\left(x_A\right)=F(3,7)=16$ and $f_B\left(x_T\right)=F(3,13)=12$ based on Alice’s and Trent’s public identity information $x_A=7$ and $x_T=13$.

Step I4: Alice executes the unitary operations $U_{F(x_A,x_B)}=U_{16}$ and $U_{F(x_A,x_T)}=U_5$ on $|\mu ⟩=|{\phi }_0^{\left(0\right)}⟩=\frac{1}{\sqrt{q}}{\sum }_{i=0}^{q-1}|i⟩$ to produce enough decoy particles: ${|\mu ⟩}_{A,B}=U_{16}|{\phi }_0^{\left(0\right)}⟩=|{\phi }_{16}^{\left(0\right)}⟩$ and ${|\mu ⟩}_{A,T}=U_5|{\phi }_0^{\left(0\right)}⟩=|{\phi }_5^{\left(0\right)}⟩$.

Appendix A.2. Signing Phase

Step S1: Suppose that the information qubit string $|\mathsf{\Gamma }⟩$ obtained by Alice is $|\mathsf{\Gamma }⟩=\{|0⟩,|1⟩,|+⟩,|-⟩,|+⟩,|0⟩,|-⟩$, $|1⟩,|1⟩,|0⟩\}$.

Step S2: Using secret key $K_A=00101101100110101011$, Alice transforms the information qubit string $|\mathsf{\Gamma }⟩=\{|0⟩,|1⟩,|+⟩,|-⟩,|+⟩,|0⟩,|-⟩,|1⟩,|1⟩,|0⟩\}$ into $|R_A⟩=M_{K_A}\left(\right|\mathsf{\Gamma }⟩)={\sigma }_x^0{\sigma }_z^{0+1}|0⟩\otimes {\sigma }_x^0{\sigma }_z^{0+1}|1⟩\otimes {\sigma }_x^1{\sigma }_z^{1+1}|+⟩\otimes {\sigma }_x^0{\sigma }_z^{0+1}|-⟩\otimes {\sigma }_x^1{\sigma }_z^{1+1}|+⟩\otimes {\sigma }_x^1{\sigma }_z^{1+1}|0⟩\otimes {\sigma }_x^0{\sigma }_z^{0+1}|-⟩\otimes {\sigma }_x^1{\sigma }_z^{1+1}|1⟩\otimes {\sigma }_x^1{\sigma }_z^{1+1}|1⟩\otimes {\sigma }_x^0{\sigma }_z^{0+1}|0⟩={\sigma }_z|0⟩\otimes {\sigma }_z|1⟩\otimes {\sigma }_x|+⟩\otimes {\sigma }_z|-⟩\otimes {\sigma }_x|+⟩\otimes {\sigma }_x|0⟩\otimes {\sigma }_z|-⟩\otimes {\sigma }_x|1⟩\otimes {\sigma }_x|1⟩\otimes {\sigma }_z|0⟩=|0⟩(-|1⟩)|+⟩|+⟩|+⟩|1⟩|+⟩|0⟩|0⟩|0⟩$.

Step S3: Alice prepares 5-particle entangled states: ${|\xi ⟩}_{12345}=\frac{1}{2}\left(\right|001⟩|{\varphi }^{-}⟩+|010⟩|{\psi }^{-}⟩$ +$|100⟩|{\varphi }^{+}⟩$+$|111⟩|{\psi }^{+}$${⟩)}_{12345}.$ Alice combines each information qubit state with 5-particle entangled state into the same long 6-particle qubit string. The 6-particle qubit string is shown in Table A1.

Table A1. The 6-particle qubit string composed of information states and 5-particle entangled states.

$|{\mathsf{\Psi }}^1{⟩}_{M12345}=|{\gamma }_1{⟩}_M\otimes {|\xi ⟩}_{12345}={|0⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2}\left(\right|0001⟩|{\varphi }^{-}⟩+|0010⟩|{\psi }^{-}⟩+|0100⟩|{\varphi }^{+}⟩+|0111⟩|{\psi }^{+}{⟩)}_{M12345}$

$|{\mathsf{\Psi }}^2{⟩}_{M12345}=|{\gamma }_2{⟩}_M\otimes {|\xi ⟩}_{12345}={|1⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2}\left(\right|1001⟩|{\varphi }^{-}⟩+|1010⟩|{\psi }^{-}⟩+|1100⟩|{\varphi }^{+}⟩+|1111⟩|{\psi }^{+}{⟩)}_{M12345}$

$|{\mathsf{\Psi }}^3{⟩}_{M12345}=|{\gamma }_3{⟩}_M\otimes {|\xi ⟩}_{12345}={|+⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2\sqrt{2}}\left(\right|0001⟩|{\varphi }^{-}⟩+|0010⟩|{\psi }^{-}⟩+|0100⟩|{\varphi }^{+}⟩+|0111⟩|{\psi }^{+}{⟩)}_{M12345}$ $+\frac{1}{2\sqrt{2}}\left(\right|1001⟩|{\varphi }^{-}⟩+|1010⟩|{\psi }^{-}⟩+|1100⟩|{\varphi }^{+}⟩+|1111⟩|{\psi }^{+}{⟩)}_{M12345}$

$|{\mathsf{\Psi }}^4{⟩}_{M12345}=|{\gamma }_4{⟩}_M\otimes {|\xi ⟩}_{12345}={|-⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2\sqrt{2}}\left(\right|0001⟩|{\varphi }^{-}⟩+|0010⟩|{\psi }^{-}⟩+|0100⟩|{\varphi }^{+}⟩+|0111⟩|{\psi }^{+}{⟩)}_{M12345}$ $-\frac{1}{2\sqrt{2}}\left(\right|1001⟩|{\varphi }^{-}⟩+|1010⟩|{\psi }^{-}⟩+|1100⟩|{\varphi }^{+}⟩+|1111⟩|{\psi }^{+}{⟩)}_{M12345}$

$|{\mathsf{\Psi }}^5{⟩}_{M12345}=|{\gamma }_5{⟩}_M\otimes {|\xi ⟩}_{12345}={|+⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2\sqrt{2}}\left(\right|0001⟩|{\varphi }^{-}⟩+|0010⟩|{\psi }^{-}⟩+|0100⟩|{\varphi }^{+}⟩+|0111⟩|{\psi }^{+}{⟩)}_{M12345}$ $+\frac{1}{2\sqrt{2}}\left(\right|1001⟩|{\varphi }^{-}⟩+|1010⟩|{\psi }^{-}⟩+|1100⟩|{\varphi }^{+}⟩+|1111⟩|{\psi }^{+}{⟩)}_{M12345}$

$|{\mathsf{\Psi }}^6{⟩}_{M12345}=|{\gamma }_6{⟩}_M\otimes {|\xi ⟩}_{12345}={|0⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2}\left(\right|0001⟩|{\varphi }^{-}⟩+|0010⟩|{\psi }^{-}⟩+|0100⟩|{\varphi }^{+}⟩+|0111⟩|{\psi }^{+}{⟩)}_{M12345}$

$|{\mathsf{\Psi }}^7{⟩}_{M12345}=|{\gamma }_7{⟩}_M\otimes {|\xi ⟩}_{12345}={|-⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2\sqrt{2}}\left(\right|0001⟩|{\varphi }^{-}⟩+|0010⟩|{\psi }^{-}⟩+|0100⟩|{\varphi }^{+}⟩+|0111⟩|{\psi }^{+}{⟩)}_{M12345}$ $-\frac{1}{2\sqrt{2}}\left(\right|1001⟩|{\varphi }^{-}⟩+|1010⟩|{\psi }^{-}⟩+|1100⟩|{\varphi }^{+}⟩+|1111⟩|{\psi }^{+}{⟩)}_{M12345}$

$|{\mathsf{\Psi }}^8{⟩}_{M12345}=|{\gamma }_8{⟩}_M\otimes {|\xi ⟩}_{12345}={|1⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2}\left(\right|1001⟩|{\varphi }^{-}⟩+|1010⟩|{\psi }^{-}⟩+|1100⟩|{\varphi }^{+}⟩+|1111⟩|{\psi }^{+}{⟩)}_{M12345}$

$|{\mathsf{\Psi }}^9{⟩}_{M12345}=|{\gamma }_9{⟩}_M\otimes {|\xi ⟩}_{12345}={|1⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2}\left(\right|1001⟩|{\varphi }^{-}⟩+|1010⟩|{\psi }^{-}⟩+|1100⟩|{\varphi }^{+}⟩+|1111⟩|{\psi }^{+}{⟩)}_{M12345}$

$|{\mathsf{\Psi }}^{10}{⟩}_{M12345}=|{\gamma }_{10}{⟩}_M\otimes {|\xi ⟩}_{12345}={|0⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2}\left(\right|0001⟩|{\varphi }^{-}⟩+|0010⟩|{\psi }^{-}⟩+|0100⟩|{\varphi }^{+}⟩+|0111⟩|{\psi }^{+}{⟩)}_{M12345}$

Table A1. The 6-particle qubit string composed of information states and 5-particle entangled states.

$|{\mathsf{\Psi }}^1{⟩}_{M12345}=|{\gamma }_1{⟩}_M\otimes {|\xi ⟩}_{12345}={|0⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2}\left(\right|0001⟩|{\varphi }^{-}⟩+|0010⟩|{\psi }^{-}⟩+|0100⟩|{\varphi }^{+}⟩+|0111⟩|{\psi }^{+}{⟩)}_{M12345}$

$|{\mathsf{\Psi }}^2{⟩}_{M12345}=|{\gamma }_2{⟩}_M\otimes {|\xi ⟩}_{12345}={|1⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2}\left(\right|1001⟩|{\varphi }^{-}⟩+|1010⟩|{\psi }^{-}⟩+|1100⟩|{\varphi }^{+}⟩+|1111⟩|{\psi }^{+}{⟩)}_{M12345}$

$|{\mathsf{\Psi }}^3{⟩}_{M12345}=|{\gamma }_3{⟩}_M\otimes {|\xi ⟩}_{12345}={|+⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2\sqrt{2}}\left(\right|0001⟩|{\varphi }^{-}⟩+|0010⟩|{\psi }^{-}⟩+|0100⟩|{\varphi }^{+}⟩+|0111⟩|{\psi }^{+}{⟩)}_{M12345}$ $+\frac{1}{2\sqrt{2}}\left(\right|1001⟩|{\varphi }^{-}⟩+|1010⟩|{\psi }^{-}⟩+|1100⟩|{\varphi }^{+}⟩+|1111⟩|{\psi }^{+}{⟩)}_{M12345}$

$|{\mathsf{\Psi }}^4{⟩}_{M12345}=|{\gamma }_4{⟩}_M\otimes {|\xi ⟩}_{12345}={|-⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2\sqrt{2}}\left(\right|0001⟩|{\varphi }^{-}⟩+|0010⟩|{\psi }^{-}⟩+|0100⟩|{\varphi }^{+}⟩+|0111⟩|{\psi }^{+}{⟩)}_{M12345}$ $-\frac{1}{2\sqrt{2}}\left(\right|1001⟩|{\varphi }^{-}⟩+|1010⟩|{\psi }^{-}⟩+|1100⟩|{\varphi }^{+}⟩+|1111⟩|{\psi }^{+}{⟩)}_{M12345}$

$|{\mathsf{\Psi }}^5{⟩}_{M12345}=|{\gamma }_5{⟩}_M\otimes {|\xi ⟩}_{12345}={|+⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2\sqrt{2}}\left(\right|0001⟩|{\varphi }^{-}⟩+|0010⟩|{\psi }^{-}⟩+|0100⟩|{\varphi }^{+}⟩+|0111⟩|{\psi }^{+}{⟩)}_{M12345}$ $+\frac{1}{2\sqrt{2}}\left(\right|1001⟩|{\varphi }^{-}⟩+|1010⟩|{\psi }^{-}⟩+|1100⟩|{\varphi }^{+}⟩+|1111⟩|{\psi }^{+}{⟩)}_{M12345}$

$|{\mathsf{\Psi }}^6{⟩}_{M12345}=|{\gamma }_6{⟩}_M\otimes {|\xi ⟩}_{12345}={|0⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2}\left(\right|0001⟩|{\varphi }^{-}⟩+|0010⟩|{\psi }^{-}⟩+|0100⟩|{\varphi }^{+}⟩+|0111⟩|{\psi }^{+}{⟩)}_{M12345}$

$|{\mathsf{\Psi }}^7{⟩}_{M12345}=|{\gamma }_7{⟩}_M\otimes {|\xi ⟩}_{12345}={|-⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2\sqrt{2}}\left(\right|0001⟩|{\varphi }^{-}⟩+|0010⟩|{\psi }^{-}⟩+|0100⟩|{\varphi }^{+}⟩+|0111⟩|{\psi }^{+}{⟩)}_{M12345}$ $-\frac{1}{2\sqrt{2}}\left(\right|1001⟩|{\varphi }^{-}⟩+|1010⟩|{\psi }^{-}⟩+|1100⟩|{\varphi }^{+}⟩+|1111⟩|{\psi }^{+}{⟩)}_{M12345}$

$|{\mathsf{\Psi }}^8{⟩}_{M12345}=|{\gamma }_8{⟩}_M\otimes {|\xi ⟩}_{12345}={|1⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2}\left(\right|1001⟩|{\varphi }^{-}⟩+|1010⟩|{\psi }^{-}⟩+|1100⟩|{\varphi }^{+}⟩+|1111⟩|{\psi }^{+}{⟩)}_{M12345}$

$|{\mathsf{\Psi }}^9{⟩}_{M12345}=|{\gamma }_9{⟩}_M\otimes {|\xi ⟩}_{12345}={|1⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2}\left(\right|1001⟩|{\varphi }^{-}⟩+|1010⟩|{\psi }^{-}⟩+|1100⟩|{\varphi }^{+}⟩+|1111⟩|{\psi }^{+}{⟩)}_{M12345}$

$|{\mathsf{\Psi }}^{10}{⟩}_{M12345}=|{\gamma }_{10}{⟩}_M\otimes {|\xi ⟩}_{12345}={|0⟩}_M\otimes {|\xi ⟩}_{12345}=\frac{1}{2}\left(\right|0001⟩|{\varphi }^{-}⟩+|0010⟩|{\psi }^{-}⟩+|0100⟩|{\varphi }^{+}⟩+|0111⟩|{\psi }^{+}{⟩)}_{M12345}$

Step S4: Alice inserts decoy particles ${|\mu ⟩}_{A,T}=U_{F(x_A,x_T)}|{\phi }_0^{\left(0\right)}⟩=U_{F(7,13)}|{\phi }_0^{\left(0\right)}⟩=|{\phi }_{F(x_A,x_T)}^{\left(0\right)}⟩=|{\phi }_5^{\left(0\right)}⟩$ and ${|\mu ⟩}_{A,B}=U_{F(x_A,x_B)}|{\phi }_0^{\left(0\right)}⟩=U_{F(7,3)}|{\phi }_0^{\left(0\right)}⟩=|{\phi }_{F(x_A,x_B)}^{\left(0\right)}⟩=|{\phi }_{16}^{\left(0\right)}⟩$ into sequence ${\mathsf{\Omega }}_T$ and ${\mathsf{\Omega }}_B$ to form ${\mathsf{\Omega }}_T^{{}^{\prime }}$ and ${\mathsf{\Omega }}_B^{{}^{\prime }}$, respectively. Alice sends ${\mathsf{\Omega }}_T^{{}^{\prime }}$ to Trent and ${\mathsf{\Omega }}_B^{{}^{\prime }}$ to Bob.

Step S5: Alice performs von Neumann measurement on the particles sequence ${\mathsf{\Omega }}_A$ that she has mastered. Suppose that 10-group von Neumann measurement outcomes are $\delta \left({\mathsf{\Omega }}_A\right)=\{{\chi }^1,{\chi }^4,{\chi }^2,{\chi }^7,{\chi }^3,{\chi }^6,{\chi }^8,{\chi }^5,{\chi }^1,{\chi }^7\}$. Alice encrypts $R_A$ and $\delta \left({\mathsf{\Omega }}_A\right)$ to form the signature:

$$|S⟩=E_{K_A}\left(\left\{\right|0⟩(-|1⟩\right)|+⟩|+⟩|+⟩|1⟩|+⟩|0⟩|0⟩|0⟩\},\{{\chi }^1,{\chi }^4,{\chi }^2,{\chi }^7,{\chi }^3,{\chi }^6,{\chi }^8,{\chi }^5,{\chi }^1,{\chi }^7\}).$$

Then, Alice sends the signature $|S⟩$ and 2 information qubit strings $|\mathsf{\Gamma }⟩$ to Bob.

Appendix A.3. Verifytion Phase

Step V1: After confirming that Bob received ${\mathsf{\Omega }}_B^{{}^{\prime }}$, Alice tells Bob the position of the decoy particles, and then Bob executes the unitary operation $U_{-F(x_B,x_A)}=U_{-16}$ on the decoy particle ${|\mu ⟩}_{A,B}$. That is, ${|\mu ⟩}_{B,A}=U_{-F(x_B,x_A)}{|\mu ⟩}_{A,B}=U_{-F(3,7)}{|\mu ⟩}_{A,B}=U_{-16}|{\phi }_{16}^{\left(0\right)}⟩=|{\phi }_0^{\left(0\right)}⟩$. Bob uses measurement basis $\{|{\phi }_l^{\left(0\right)}⟩|l\in q\}$ to measure the decoy particles. If ${|\mu ⟩}_{B,A}\ne |{\phi }_0^{\left(0\right)}⟩$, it implies that the identity authentication between Alice and Bob cannot be passed or the particles have been eavesdropped. Finally, Bob calculates the error rate based on measurement outcomes of the decoy particles. If the error rate is less than the previously given value, they perform the next step; otherwise, the execution of the protocol is aborted. After Bob passes the eavesdropping detection and identity authentication on ${\mathsf{\Omega }}_B^{{}^{\prime }}$, the decoy particles are removed and ${\mathsf{\Omega }}_B$ is recovered. Similarly, after confirming that Trent received ${\mathsf{\Omega }}_T^{{}^{\prime }}$, Alice tells Trent the position of the decoy particles, and then Trent executes the unitary operation $U_{-F(x_T,x_A)}=U_{-5}$ on the decoy particle ${|\mu ⟩}_{A,T}$. That is, ${|\mu ⟩}_{T,A}=U_{-F(x_T,x_A)}|{\mu }_{A,T}=U_{-5}{|\mu ⟩}_{A,T}=U_{-5}|{\phi }_5^{\left(0\right)}⟩=|{\phi }_0^{\left(0\right)}⟩$. Then Trent measures the decoy particles using the measurement basis $\{|{\phi }_l^{\left(0\right)}⟩|l\in q\}$. If ${|\mu ⟩}_{T,A}\ne |{\phi }_0^{\left(0\right)}⟩$, it implies that the identity authentication between Alice and Trent cannot be passed or that the particles are eavesdropped. Finally, Trent calculates the error rate based on measurement outcomes of the decoy particles. If the error rate is less than the previously given value, they perform the next step; otherwise, they abandon the agreement. After Trent performs the eavesdropping detection and identity authentication on ${\mathsf{\Omega }}_T^{{}^{\prime }}$, the decoy particles are removed and ${\mathsf{\Omega }}_T$ is restored.

Step V2: After Bob receives the $|S⟩$ which is sent by Alice, he encrypts $|S⟩$ and $|\mathsf{\Gamma }⟩$ with secret key $K_B$ to obtain $Y_B=E_{K_B}$$\left(\right|S⟩$, $|\mathsf{\Gamma }⟩)$, where $Y_B=E_{K_B}\left(E_{K_A}\left(\left\{\right|0⟩(-|1⟩\right)\right|$ +$⟩|$+$⟩|$+$⟩|1⟩|+⟩|0⟩|0⟩|0⟩\}$, $\{{\chi }^1,{\chi }^4,{\chi }^2,{\chi }^7,{\chi }^3,{\chi }^6,{\chi }^8,{\chi }^5,{\chi }^1,{\chi }^7\})$, $\left\{\right|0⟩|1⟩|+⟩|-⟩|+⟩|0⟩|-⟩$ $|1⟩|1⟩|0⟩\})$. Bob sends $Y_B$ to Trent via a quantum channel.

Step V3: After receiving $Y_B=E_{K_B}\left(\right|S⟩,|\mathsf{\Gamma }⟩)$, Trent decrypts it using secret key $K_B$ to obtain $|S⟩$ and $|\mathsf{\Gamma }⟩$, and decrypts $|S⟩$ using secret key $K_A$ to obtain $|R_A⟩$ and $\delta \left({\mathsf{\Omega }}_A\right)$. Where $|\mathsf{\Gamma }⟩=\{|0⟩|1⟩|+⟩|-⟩|+⟩|0⟩|-⟩|1⟩|1⟩|0⟩\}$, $|R_A⟩=M_{K_A}\left(\right|\mathsf{\Gamma }⟩)=|0⟩(-|1⟩\left)\right|$+$⟩|+⟩|$+$⟩|1⟩|$ +$⟩|0⟩|0⟩|0⟩$, $\delta \left({\mathsf{\Omega }}_A\right)=\{{\chi }^1,{\chi }^4,{\chi }^2$, ${\chi }^7,{\chi }^3$, ${\chi }^6,{\chi }^8,{\chi }^5,{\chi }^1,{\chi }^7\}$. In the meantime, Trent measures ${\mathsf{\Omega }}_T$ with measurement basis $\left\{\right|{\varphi }^{+}⟩,|{\varphi }^{-}⟩,|{\psi }^{+}⟩,|{\psi }^{-}⟩\}$ to obtain the measurement outcome $\delta \left({\mathsf{\Omega }}_T\right)$. We suppose that $\delta \left({\mathsf{\Omega }}_T\right)=\left\{\right|{\varphi }^{+}⟩,|{\varphi }^{-}⟩,|{\psi }^{+}⟩$, $|{\psi }^{-}⟩,|{\varphi }^{-}⟩,|{\psi }^{+}⟩,|{\varphi }^{-}⟩,|{\varphi }^{+}⟩,|{\varphi }^{+}⟩$, $|{\varphi }^{-}⟩\}$. Using the secret key $K_A$, Trent transforms the information qubit string $|\mathsf{\Gamma }⟩$ into $|R_A^{{}^{\prime }}⟩$ and compares $|R_A⟩$ with $|R_A^{{}^{\prime }}⟩$. If $|R_A⟩=|R_A^{{}^{\prime }}⟩$, Trent sets the initial check parameter $\theta =1$, otherwise he sets $\theta =0$.

Step V4: Trent encrypts $|S⟩$, $H\left(\right|S⟩)$, $\delta \left({\mathsf{\Omega }}_A\right)$, $\delta \left({\mathsf{\Omega }}_T\right)$, $\theta$ with secret key $K_B$ to obtain $Y_{TB}=E_{K_B}(E_{K_A}$$\left(\right\{|0⟩$$(-|1⟩)$ $|+⟩|+⟩|+⟩|1⟩|+⟩|0⟩|0⟩|0⟩\}$, $\{{\chi }^1,{\chi }^4,{\chi }^2,{\chi }^7,{\chi }^3,{\chi }^6,{\chi }^8,{\chi }^5$, ${\chi }^1,{\chi }^7\left\}\right)$, $H\left(\right|S⟩)$, $\delta \left({\mathsf{\Omega }}_A\right)$, $\delta \left({\mathsf{\Omega }}_T\right)$, $\theta )$ and sends it to Bob.

Step V5: Bob decrypts $Y_{TB}$ to obtain $|S⟩$, $H\left(\right|S⟩)$, $\delta \left({\mathsf{\Omega }}_A\right)$, $\delta \left({\mathsf{\Omega }}_T\right)$ and $\theta$. If $\theta =0$, Bob can assume that the signature was forged, he rejects the signature and exits the verification process. Otherwise, Bob continues to carry out the next verification process.

Step V6: According to the values of $\delta \left({\mathsf{\Omega }}_A\right)$ and $\delta \left({\mathsf{\Omega }}_T\right)$, Bob chooses the corresponding unitary operator $U_{\left(5\right)}=\{{\left({\sigma }_x\right)}_5$, ${\left({\sigma }_z\right)}_5$, ${\left({\sigma }_z\right)}_5$, $-{\left({\sigma }_x\right)}_5$, $I_5$, ${(-{\sigma }_z)}_5$, ${\left({\sigma }_z\right)}_5$, ${\left({\sigma }_x\right)}_5$, ${\left({\sigma }_x\right)}_5$, $(-I_5)\}$. Bob performs unitary operation $U_{\left(5\right)}$ on the particles in sequence ${\mathsf{\Omega }}_B$ and measures them to obtain the quantum state $|{\mathsf{\Gamma }}^{{}^{\prime }}⟩$, and then he compares whether it is equal to $|\mathsf{\Gamma }⟩=\{|0⟩|1⟩|+⟩|-⟩|+⟩|0⟩|-⟩|1⟩$$|1⟩|0⟩\}$. If $|\mathsf{\Gamma }⟩\ne |{\mathsf{\Gamma }}^{{}^{\prime }}⟩$, Bob considers the signature invalid and rejects it. If $|\mathsf{\Gamma }⟩=|{\mathsf{\Gamma }}^{{}^{\prime }}⟩$, Bob computes $H^{{}^{\prime }}\left(\right|S⟩)$ and compares $H^{{}^{\prime }}\left(\right|S⟩)$ with $H\left(\right|S⟩)$. If $H^{{}^{\prime }}\left(\right|S⟩)=H\left(\right|S⟩)$, Bob accepts $|S⟩$ as the signature of $|\mathsf{\Gamma }⟩$ sent by Alice. Otherwise, the signature is rejected.

Appendix B.1. Eve Cannot Entangle a Decoy Particle to Forge a Signature

We can prove that the external attacker Eve cannot entangle a decoy particle with an auxiliary particle to steal secret information and forge a signature.

Lemma A1.

For the measurement basis $|{\phi }_g^{\left(0\right)}⟩=\frac{1}{\sqrt{q}}{\sum }_{k=0}^{q-1}{\omega }^{kg}|k⟩$, $\omega =e^{\frac{2\pi i}{q}}$, we have ${\sum }_{m=0}^{q-1}|m⟩=\frac{1}{\sqrt{q}}{\sum }_{m=0}^{q-1}{\sum }_{g=0}^{q-1}{\omega }^{-mg}|{\phi }_g^{\left(0\right)}⟩$.

Proof. 

$$\begin{array}{cc}\hfill & \frac{1}{\sqrt{q}}\sum _{g=0}^{q-1}{\omega }^{-mg}|{\phi }_g^{\left(0\right)}⟩\hfill \\ \hfill & =\frac{1}{\sqrt{q}}[|{\phi }_0^{\left(0\right)}⟩+{\omega }^{-m}|{\phi }_1^{\left(0\right)}⟩+{\omega }^{-2m}|{\phi }_2^{\left(0\right)}⟩+\cdots +{\omega }^{-m\left(q-1\right)}|{\phi }_{q-1}^{\left(0\right)}⟩]\hfill \\ \hfill & =\frac{1}{\sqrt{q}}[\sum _{k=0}^{q-1}|k⟩+{\omega }^{-m}\sum _{k=0}^{q-1}{\omega }^k|k⟩+{\omega }^{-2m}\sum _{k=0}^{q-1}{\omega }^{2k}|k⟩+\cdots +{\omega }^{-m\left(q-1\right)}\sum _{k=0}^{q-1}{\omega }^{\left(q-1\right)k}|k⟩]\hfill \\ \hfill & =\frac{1}{\sqrt{q}}[\sum _{k=0}^{q-1}{\omega }^{-mg}|0⟩+\sum _{g=0}^{q-1}{\omega }^{g\left(1-m\right)}|1⟩+\sum _{g=0}^{q-1}{\omega }^{g\left(2-m\right)}|2⟩+\cdots +\sum _{g=0}^{q-1}{\omega }^{g\left(q-1-m\right)}|q-1⟩]\hfill \\ \hfill & \frac{1}{\sqrt{q}}\sum _{m=0}^{q-1}\sum _{g=0}^{q-1}{\omega }^{-mg}|{\phi }_g^{\left(0\right)}\hfill \\ \hfill & =\frac{1}{q}[\sum _{m=0}^{q-1}(\sum _{k=0}^{q-1}{\omega }^{-mg}|0⟩+\sum _{g=0}^{q-1}{\omega }^{g\left(1-m\right)}|1⟩+\sum _{g=0}^{q-1}{\omega }^{g\left(2-m\right)}|2⟩+\cdots +\sum _{g=0}^{q-1}{\omega }^{g\left(q-1-m\right)}|q-1⟩)]\hfill \\ \hfill & =\frac{1}{q}[\sum _{m=0}^{q-1}\sum _{k=0}^{q-1}{\omega }^{-mg}|0⟩+\sum _{m=0}^{q-1}\sum _{g=0}^{q-1}{\omega }^{g\left(1-m\right)}|1⟩+\sum _{m=0}^{q-1}\sum _{g=0}^{q-1}{\omega }^{g\left(2-m\right)}|2⟩+\cdots \hfill \\ \hfill & +\sum _{m=0}^{q-1}\sum _{g=0}^{q-1}{\omega }^{g\left(q-1-m\right)}|q-1⟩]\hfill \end{array}$$

$=\frac{1}{q}\left[q\right|0⟩+q|1⟩+\cdots q|q-1⟩]={\sum }_{m=0}^{q-1}|m⟩.$ □

Suppose that Eve prepares an auxiliary quantum state $|E⟩$, and she executes unitary operation $U_E$, which can entangle the auxiliary quantum states onto the transmitted particles to steal secret information by measuring the auxiliary particles. Consider the corresponding measurement basis $|{\phi }_l^{\left(0\right)}⟩=\frac{1}{\sqrt{q}}{\sum }_{k=0}^{q-1}{\omega }^{kl}|k⟩$, which is in the attack of decoy particles. According to Lemma 1, the following expression can be obtained by executing unitary operation $U_E$.

$$\begin{array}{cc}\hfill U_E|k⟩|E⟩& =\sum _{m=0}^{q-1}{a}_{km}|m⟩|{\epsilon }_{km}⟩\hfill \end{array}$$

(A1)

$$\begin{array}{cc}\hfill U_E|{\phi }_l^{\left(0\right)}⟩|E⟩& =U_E\left(\frac{1}{\sqrt{q}}\sum _{k=0}^{q-1}{\omega }^{kl}|k⟩\right)|E⟩\hfill \\ & =\frac{1}{\sqrt{q}}\sum _{k=0}^{q-1}{\omega }^{kl}\left(\sum _{m=0}^{q-1}{a}_{km}|m⟩|{\epsilon }_{km}⟩\right)\hfill \\ & =\frac{1}{\sqrt{q}}\sum _{k=0}^{q-1}\sum _{m=0}^{q-1}{\omega }^{kl}{a}_{km}\left(\frac{1}{\sqrt{q}}\sum _{g=0}^{q-1}{\omega }^{-mg}|{\phi }_l^{\left(0\right)}⟩\right)|{\epsilon }_{km}⟩\hfill \\ & =\frac{1}{\sqrt{q}}\sum _{k=0}^{q-1}\sum _{m=0}^{q-1}\sum _{g=0}^{q-1}{\omega }^{kl-mg}{a}_{km}|{\phi }_l^{\left(0\right)}⟩|{\epsilon }_{km}⟩.\hfill \end{array}$$

(A2)

where $\omega =e^{\frac{2\pi i}{q}}$ and $|E⟩$ express the initial auxiliary quantum state; $|{\epsilon }_{km}⟩$$(k,m=0,1,\cdots ,q-1)$ denotes the only pure state obtained by executing unitary operation $U_E$.

Therefore, their coefficients satisfy condition ${\sum }_{m=0}^{q-1}{\left|a_{km}\right|}^2=1(k=0,1,\cdots ,q-1)$. The unitary operation $U_E$ must satisfy the following conditions if there is no error introduced by Eve:

$$a_{km}=\left\{\begin{array}{cc}0\hfill & k\ne m\hfill \\ 1\hfill & k=m\hfill \end{array}\right.$$

$k,m\in 0,1,\cdots ,q-1$.

Consequently, $\left(A1\right)$ and $\left(A2\right)$ can be simplified as: $U_E|k⟩|E⟩=a_{kk}|k⟩|{\epsilon }_{kk}⟩$, $U_E|{\phi }_l^{\left(0\right)}⟩|E⟩$ $=\frac{1}{q}{\sum }_{k=0}^{q-1}{\sum }_{g=0}^{q-1}{\omega }^{k\left(l-g\right)}{a}_{kk}|{\phi }_l^{\left(0\right)}|{\epsilon }_{kk}⟩$.

Similarly, Eve can obtain the equations: ${\sum }_{k=0}^{q-1}{\omega }^{k\left(l-g\right)}{a}_{kk}|{\epsilon }_{kk}⟩=0$, where $g\ne l$, $g\in \{0,1,\cdots q-1\}$. For any $l\in \{0,1,\cdots q-1\}$, we can obtain q equations. According to these equations, the following formula can be calculated:

$$a_{00}|{\epsilon }_{00}⟩=a_{11}|{\epsilon }_{11}⟩=\cdots =a_{q-1,q-1}|{\epsilon }_{q-1,q-1}⟩.$$

This means that, no matter what quantum states are adopted, Eve can only obtain the same information from the auxiliary particles. Therefore, Eve fails to obtain any signature messages by conducting this kind of attack.

Appendix B.2. Eve Cannot Entangle an Information Particle to Forge a Signature

We can also prove that Eve cannot entangle an information particle with an auxiliary particle to steal secret information and forge a signature. Since Eve does not have the keys $K_A$ and $K_T$, there is only one opportunity for him to attack Bob’s information particle, i.e., during the transmission of the particle (5) from Alice to Bob in Step V6 of the verification phase. We can describe the effect of Eve’s eavesdropping on qubit (5) using the following equations:

$${\tilde{U}}_E|0⟩|E⟩=|0⟩|{\epsilon }_{00}⟩+|1⟩|{\epsilon }_{01}⟩,{\tilde{U}}_E|1⟩|E⟩=|0⟩|{\epsilon }_{10}⟩+|1⟩|{\epsilon }_{11}⟩,$$

$${\tilde{U}}_E|+⟩|E⟩=\frac{1}{2}\left[\right|+⟩\left(\right|{\epsilon }_{00}⟩+|{\epsilon }_{01}⟩+|{\epsilon }_{10}⟩+|{\epsilon }_{11}⟩)+|-⟩\left(\right|{\epsilon }_{00}⟩-|{\epsilon }_{01}⟩+|{\epsilon }_{10}⟩-|{\epsilon }_{11}⟩\left)\right],$$

$${\tilde{U}}_E|-⟩|E⟩=\frac{1}{2}\left[\right|+⟩\left(\right|{\epsilon }_{00}⟩+|{\epsilon }_{01}⟩-|{\epsilon }_{10}⟩-|{\epsilon }_{11}⟩)+|-⟩\left(\right|{\epsilon }_{00}⟩-|{\epsilon }_{01}⟩-|{\epsilon }_{10}⟩+|{\epsilon }_{11}⟩\left)\right],$$

where $|E⟩$ is Eve’s auxiliary state. $\left\{\right|{\epsilon }_{00}⟩,|{\epsilon }_{01}⟩,|{\epsilon }_{10}⟩,|{\epsilon }_{11}⟩\}$ are the pure auxiliary states determined uniquely by the unitary operation $U_E$. Therefore, $\left\{\right|{\epsilon }_{00}⟩,|{\epsilon }_{01}⟩,|{\epsilon }_{10}⟩,|{\epsilon }_{11}⟩\}$ must satisfy the relationship ${\tilde{U}}_E{\tilde{U}}_E^{+}=I$, i.e., $⟨{\epsilon }_{00}|{\epsilon }_{00}⟩+⟨{\epsilon }_{01}|{\epsilon }_{01}⟩=1$, $⟨{\epsilon }_{10}|{\epsilon }_{10}⟩+⟨{\epsilon }_{11}|{\epsilon }_{11}⟩=1$, $⟨{\epsilon }_{10}|{\epsilon }_{00}⟩+⟨{\epsilon }_{11}|{\epsilon }_{01}⟩=0$, $⟨{\epsilon }_{00}|{\epsilon }_{01}⟩+⟨{\epsilon }_{10}|{\epsilon }_{11}⟩=0$. If no errors are introduced in Bob’s detection, we can get $|{\epsilon }_{01}⟩=|{\epsilon }_{01}⟩=0$. This implies that if Eve wants to attack without introducing any error, his auxiliary state and Alice’s particle (5) will be in a tensor product state. Therefore, if Eve tries to take an attack strategy on the particle (5), he will be detected during the comparison between $|\mathsf{\Gamma }⟩$ and $|{\mathsf{\Gamma }}^{\prime }⟩$ in Step V6 of the verification phase.