Twin-Field Quantum Digital Signature with Fully Discrete Phase Randomization

Quantum digital signatures (QDS) are able to verify the authenticity and integrity of a message in modern communication. However, the current QDS protocols are restricted by the fundamental rate-loss bound and the secure signature distance cannot be further improved. We propose a twin-field quantum digital signature (TF-QDS) protocol with fully discrete phase randomization and investigate its performance under the two-intensity decoy-state setting. For better performance, we optimize intensities of the signal state and the decoy state for each given distance. Numerical simulation results show that our TF-QDS with as few as six discrete random phases can give a higher signature rate and a longer secure transmission distance compared with current quantum digital signatures (QDSs), such as BB84-QDS and measurement-device-independent QDS (MDI-QDS). Moreover, we provide a clear comparison among some possible TF-QDSs constructed by different twin-field key generation protocols (TF-KGPs) and find that the proposed TF-QDS exhibits the best performance. Conclusively, the advantages of the proposed TF-QDS protocol in signature rate and secure transmission distance are mainly due to the single-photon interference applied in the measurement module and precise matching of discrete phases. Besides, our TF-QDS shows the feasibility of experimental implementation with current devices in practical QDS system.


Introduction
Digital signature is one of the kernel sciences behind classical cryptography [1]. It is particularly significant in modern communication as it can be used in a variety of applications, such as electronic mail, software distribution and financial transactions. The security of classical digital signature is guaranteed by computational difficulty assumption, which, however, will no longer be secure with the rapid development of quantum algorithms [2][3][4]. A full-fledged treatment for this issue towards quantum digital signature (QDS) [5] that paves a way to realize signature with information theory security is presented.
The first quantum signature protocol was introduced in 2001 [6], which can be considered as the original form of QDS. In general, earlier signature protocols [7][8][9][10][11][12] may impose several restrictions on QDS, such as non-destructive state comparison, long-time quantum memory and secure quantum channel, for obtaining a secure quantum signature. However, in practice, these requirements cannot be fully satisfied, resulting in security loopholes of real-life implementation. Subsequently, some practical QDS protocols [13][14][15][16][17][18] that do not attach these restrictions had been proposed and experimentally demonstrated.
For QDS protocols, a general scenario is that QDS can be divided into two assignments: distribution stage and messaging stage. The former uses the quantum part of quantum key distribution (QKD), i.e., key generation protocol (KGP), to distribute keys for users without further classical post-processing. The latter allows two receivers to verify the authenticity of a signature declaration. During the distribution stage, a KGP, such as

TF-QDS Protocol with Fully Discrete Phase Randomization
We consider a simple structure for our TF-QDS protocol to sign a one-bit message: a signer, Alice, generates a signature declaration with TF-KGPs performed by Alice-Bob and Alice-Charlie in the key distribution stage, and then transmits it to one of two receivers (Bob and Charlie), say Bob. Bob first verifies the signature and then forwards it to Charlie who then further verifies its authenticity in the messaging stage. The detailed process for our TF-QDS is illustrated in Figure 1. It is therefore clear that at most one party is dishonest in such a tripartite setting. If there is more than one dishonest party, then the real protocol will actually fail. We describe our TF-QDS protocol as follows.  Figure 1. Schematic diagram of our TF-QDS. Alice and Bob (Alice and Charlie) prepare discrete-phaserandomized weak coherent-state pulses with a phase modulator (PM1). Intensity modulator (IM) is used to generate decoy states and PM2 is used to encode key bits. All the modulations are combined with random number generators (RNGs). The encoded pulses are attenuated by an attenuator (Att) and then sent out to the measurement site Eve. Alice's and Bob's (Alice's and Charlie's) pulses interfere at a 50:50 beam splitter (BS). The interference result is recorded with two single-photon detectors (SPDs). The solid lines represent the quantum channels (QCs) through which Alice and Bob (Alice and Charlie) use KGP to distribute keys. The dotted lines represent the authenticated classical channels (CCs) through which parties exchange and transmit some classical message. A TF-QKD link is shared between Bob and Charlie for performing the symmetrization of keys in full secrecy.

1.
For each message m = 0 or 1, Alice and Bob use the discrete-phase-randomized TF-KGP [45] to generate keys of length n k , Alice holds the key K AB m and Bob holds the key K B m . Similarly, Alice and Charlie perform the discrete-phase-randomized TF-KGP [45] to generate keys K AC m and K C m , respectively. The detailed steps for key distribution can be found in Section 3. Alice's signature for m is Sig m = (K AB m , K AC m ).

2.
For each m, Bob and Charlie perform the symmetrization of keys. That is, Bob (Charlie) randomly chooses half of the bits in his key K B m (K C m ), called K B m, f orward (K C m, f orward ), and then sends these bits to Charlie (Bob) using an authenticated classical channel. The remaining bits in K B m (K C m ) are named K B m,keep (K C m,keep ). After the symmetrization of keys, Bob's and Charlie's keys are denoted as S B m = (K B m,keep , K C m, f orward ) and S C m = (K C m,keep , K B m, f orward ) respectively; therefore, Alice cannot distinguish whether a key is Bob's or Charlie's, which guarantees the security against repudiation. In addition, Bob (Charlie) can only obtain half of K C m (K B m ), which guarantees the security against forging.

1.
For signing a one-bit message m, Alice sends the signature declaration (m, Sig m ) to Bob.

2.
Bob checks and records the number of mismatches between the declaration Sig m and his key S B m . Particularly, Bob separately calculates the number of mismatches for the key K B m,keep that received directly from Alice and the key K C m, f orward that forwarded by Charlie. If the number of mismatches for both parts is fewer than S a (n k /2), he accepts the signature, where S a < 1/2 is a small threshold determined by experimental parameters and a desired security level.

4.
Charlie checks the number of mismatches between Sig m and S C m . The verification method is similar to that performed by Bob, except with a different threshold S v , where 0 < S a < S v < 1/2. If the number of mismatches for K C m,keep and K B m, f orward is fewer than S v (n k /2), Charlie accepts Sig m as the original signature generated by Alice. It is worth noting that two different thresholds S a and S v are required to ensure the non-repudiation of QDS protocol.

TF-KGP
TF-KGP, as a part of QDS, is performed in pairs separately by Alice-Bob and Alice-Charlie to distribute keys without further error correction and privacy amplification. This section takes Alice and Bob as an example to review the TF-KGP with fully discrete phase randomization [45]. The distributed keys among Alice and Bob correspond to the keys K AB m and K B m described in Section 2.

Preparation
See the tasks below for the states of Alice's and Bob's delivering to Eve depending on their chosen mode for transmission. Alice and Bob choose the code mode and test mode randomly. The code mode is used for key generation and the test mode is used for parameter estimation. For the code mode, Alice (Bob) prepares a bit k a (k b ) randomly and generates a coherent state |(−1) k a √ µ (|(−1) k b √ µ ), where µ is the signal intensity. For the test mode, Alice (Bob) prepares a discrete-phase-randomized coherent state | β a e iθ a (| β b e iθ b ), which is modeled by a random intensity β a (β b ) ∈ {β 0 , β 1 , µ} (β 0 = 0 is a vacuum intensity and β 1 is a decoy intensity) and a random phase θ a (θ b ) = 2πm/M (m ∈ {0, 1, 2, . . ., M − 1} and M is number of dividing the phase interval [0, 2π) into slices [32]).

Measurement
An untrusted intermediate node, Eve, performs the single-photon interference on the incoming pulses through a 50:50 BS followed by two detectors SPD0 and SPD1. A successful round corresponds to only one detector being clicked, and is unsuccessful otherwise. Eve then announces the successful rounds publicly.

Sifting
Alice and Bob exchange their intensity and mode through an authenticated classical channel and retain data from those in which they have used the same mode. For rounds of code mode, Alice and Bob generate sifted keys k A and k B . By disclosing L bits of sifted keys, they can calculate the quantum bit error rate (QBER), where k r A and k r B denote Alice's and Bob's exposed bits respectively, after which they are discarded. The remaining n k bits in k A and k B are Alice's and Bob's final keys K AB m and K B m , respectively. It is necessary for Bob to flip his bits corresponding to rounds with SPD1 clicked. For rounds of test mode, Alice and Bob calculate the gains {Q β } in which they both select the same intensity and the same phase θ a = θ b , and the gains {Q − β } in which they select the same intensity and the opposite phase θ a = θ b ± π.

Parameter Estimation
Alice and Bob use the gains {Q β } and {Q − β } to separately estimate the phase error rates e ph,same and e ph,di f f according to the numerical method (see Appendix A), where e ph,same (e ph,di f f ) indicates the phase error rate of successful code mode rounds in which Alice and Bob use the same (opposite) phase.

Security Analysis
We followed the method in Ref. [46] to estimate Eve's smooth min-entropy [47] on Bob's reserved key K B m,keep , and then use it to bound the probability that Eve makes errors less than a certain value.
Eve can obtain some information from parameter estimation and mode declaration. Here, we define κ and ζ as the classical information disclosed during parameter estimation and mode declaration, respectively. K B m, f orward is the extra information leaked to Eve under the case that Charlie is Eve. All these information is defined on one quantum system living in the Hilbert space, which is a combination of the following elements: κ, ζ and K B m, f orward , as well as Eve's ancilla quantum system following her general attack. The information that Eve obtains about K B m,keep is summarized as E. Then, Eve's smooth min-entropy with access to E is given by where the inequality holds up to log 2 (1/ k ). Here, I AE denotes the information leaked to Eve, which can be bounded by the phase error rates e ph,same and e ph,di f f as where h(x) is a Shannon binary entropy function h( The phase error rates cannot be directly observed from experiments, their estimation can be found in Appendix A. With the upper bound on I AE , we can further evaluate Eve's smooth min-entropy. Secondly, according to the proposition in Ref. [16], the upper bound on the average probability that Eve's eavesdropping makes at most r errors with the given smooth minentropy is Furthermore, for large n k , the probability for Eve to make fewer than r errors for any g > 0 is given by P (Eve makes fewer than r errors) : except with probability at most Thus, we can determine the condition that Eve can make fewer than r errors with a nonnegligible probability as If this condition is met, the probability of Eve making fewer than r errors will be arbitrarily small by increasing the length of signature. We define p E as: A physical interpretation behind Equation (7) is that p E is the minimum error rate that Eve makes when guessing Bob's key except with negligible probability F . The upper bound on QBER between Alice's and Bob's keys is E k . Therefore, as long as the condition of p E > E k is satisfied, we can obtain a secure signature by increasing n k , which means that For demonstrating the security of TF-QDS protocol, we aim to show that the following three inherent properties for signature systems can be guaranteed [48].

Robustness
In the messaging phase, Bob would reject Alice's signature declaration when the mismatch rate between n k /2 bits received from either Alice or Charlie and Alice's declaration is higher than S a . The QBER (mismatch rate) E k between Alice's and Bob's keys can be estimated by utilizing L bits. According to the Serfling inequality [49], we can obtain the upper bound on QBER as follows: where τ( n k 2 , L, P ) = This suggests that the upper bound on QBER is true except with a small probability P . The failure probability decays exponentially in the parameter L for any fixed value of the function τ. We set E k := max{E k,B , E k,C }, where E k,B and E k,C correspond to the upper bounds on QBERs for Alice-Bob and Alice-Charlie, respectively. Here, we should make S a greater than E k , except with probability of at most P , so the probability of an honest abort is restricted to P(honest abort) ≤ 2 p .

Non-Repudiation
Non-repudiation means that the signature declaration generated by an original signatory is accepted by one receiver but rejected by the other.
For repudiation, the number of mismatches between Alice's declaration Sig m and Bob's key S B m must be less than S a (n k /2), and that between Sig m and Charlie's key S C m must be greater than S v (n k /2). This suggests that Alice should make Bob accept her signature and make Charlie reject her signature. That is, a necessary condition for successful repudiation is that the mismatch rate between Sig m and S B m is not equal to that between Sig m and S C m . In this protocol, the symmetrization of keys performed between Bob and Charlie makes their respective keys contain an equal error rate, resulting in security against repudiation. According to the results in Ref. [13], the probability of Alice's successful repudiation can be bounded as where

Unforgeability
Forgery attack performed by a dishonest internal user is considered in our analysis since it is more convenient for insiders to perform a forgery attack than external attackers. Suppose that Bob wants to forge Alice's signature: he needs to transmit Charlie a forged signature and make the number of mismatches contained in the forged signature fewer than S v (n k /2). As mentioned above, E k is the upper bound on QBER between Alice's and Charlie's keys, and p E indicates the minimum error rate that Bob makes errors associated with Charlie's key. When Equation (8) holds, we choose S v such that E k < S v < p E . This suggests that there is a higher probability for Charlie to accept Alice's original signature. On the contrary, Charlie will likely reject Bob's forged signature, since the probability of Bob creating a forged signature with an error rate fewer than S v is restricted by Equation (4) as P (Bob makes fewer than S v (n k /2) errors) := p ≤ g, except with probability at most F . If the estimation of parameters E k and e ph (containing e ph,same and e ph,di f f ) fails, which separately occur with probabilities P and ph , then we think for simplicity that Bob can successfully forge Alice's signature. Thus, the probability of Bob's successful forging can be bounded as This equation is valid for any choice of parameters greater than zero. The probability for Bob to forge a signature can be arbitrarily small by increasing n k . In summary, the security level is bounded as ξ = max{P(honest abort), P(repudiation), P(forge)}.

Numerical Simulation
In this section, we give simulation results for TF-QDS with two-intensity decoy-state method in the asymptotic scenario. The channel model given in Ref. [45] is employed to obtain observable gains and QBERs for TF-KGP. For simplicity, we assume that the channel is symmetrical for each pair of parties. For each given distance, we optimize the key rate over the signal intensity µ and the decoy intensity β 1 of coherent pulses, and fix the vacuum intensity β 0 = 0.
We plot the signature rate R as a function of the transmission distance with optimal values of intensities µ and β 1 for a given security level 10 −8 , as shown by dashed lines in Figure 2. The signature rate is defined as R = 1/N, where N indicates the total number of pulses required to sign a 1-bit message given a certain security level. If we set a fixed security level, then the signature rate can be bounded by Equation (12) with parameters e ph,same (e ph,di f f ), E k and P E . The optimal values of intensity µ with different numbers of phase slices M against the transmission distance can be found in Figure 3. These optimal values are obtained by maximizing the key rate of KGP. The experimental parameters used for numerical simulation refer to a recent experiment [50], which are listed in Table 1. We also give the simulation results of signature rate without performing any optimization for comparison. In this case, we plot the signature rate curves with fixed values of all intensities (µ = 0.06, β 1 = 10 −4 and β 0 = 0), represented by solid lines in Figure 2. As depicted in Figure 2, numerical optimization yields a significant improvement in transmission distance compared to nonoptimization, especially when M is relatively small. In particular, the maximum signature distance reached with intensity optimization increased by more than two times when M = 4. Furthermore, Figure 2 shows the performance of TF-QDS for different M. The maximum signature distances when M = 8 and M = 12 have only slight differences under the same experimental parameters, corresponding to 317 km and 325 km, respectively. This suggests that it is not necessary to increase the number of phase slices to achieve significant improvements. On the other hand, for M = 4, M = 6 and M = 8, there is a distinct improvement in terms of signature distance for larger M.   We perform a numerical simulation of M = 8 to evaluate the potential impact of using more decoy states in terms of performance. Figure 4 shows the comparison of simulation results for TF-QDS with different numbers of decoy intensities. The results show that the signature rate and transmission distance of TF-QDS with two decoy states is close to that of three [51] (and four) decoy states. Therefore, for our TF-QDS protocol, the two-intensity decoy state is sufficient for practical usage, and there is no need to introduce more decoy states for longer transmission distances.
We compare the performance of our TF-QDS with BB84-QDS and MDI-QDS in Figure 5. For a fair comparison, we plot the signature rate curves of three QDSs by using the same experimental parameters without intensity optimization. The channel models given in Ref. [32] are utilized to calculate gains and QBERs for BB84-QDS and MDI-QDS. As shown in Figure 5, BB84-QDS shows the highest signature rate when the transmission distance is less than 45 km. Once the distance is more than 45 km, the signature rate of TF-QDS exceeds that of BB84-QDS. Compared with MDI-QDS, the signature rate of TF-QDS is always better than that of MDI-QDS when M ≥ 6. In addition, TF-QDS can obtain a secure signature at longer transmission distance than BB84-QDS and MDI-QDS when M ≥ 6. Among these QDS protocols, the maximum signature distance for TF-QDS is 520 km when M = 12, whereas the maximum signature distances for BB84-QDS and MDI-QDS are 182 km and 334 km, respectively. This is because the measurement module of TF-QDS is realized with single-photon interference which requires only one photon to survive the loss of over half of the transmission distance. Twin-field approach overcomes the PLOB bound and significantly extends the secure signature distance. Our TF-QDS protocol is built upon the TF-KGP in Ref. [45] where users emit coherentstates with a discrete-phase-randomized source in the test mode. We can further propose two possible TF-QDS protocols: TF-QDS with CPRS and TF-QDS with DPRS, which are separately constructed by KGP in Ref. [38] and KGP in Ref. [44], respectively. We compare the performance of our TF-QDS with two newly constructed TF-QDSs with the same experimental parameters given in Ref. [38].
Firstly, we compare the simulation results of our TF-QDS and TF-QDS with CPRS in Figure 6. Remarkably, the results show that our TF-QDS with only six discrete phase slices can exceed the performance of TF-QDS with CPRS. In detail, our protocol can achieve a secure signature at the maximum transmission distance of 408 km with M = 6, while the maximum transmission distance for TF-QDS with CPRS is 388 km. Besides, its signature rate increases by more than one order of magnitude since 69 km. The reason for this improvement is that a tighter bound on the phase error rate can be obtained, since the phase post-selection in discrete version makes the users' phases exactly matched.  Furthermore, we compare the performance between our TF-QDS and TF-QDS with DPRS for different M. Both TF-QDS protocols utilize a discrete-phase-randomized source, with the main difference being that, for the proposed TF-QDS, only two phases rather than M phases are encoded in the code mode. The simulation results are shown in Figure 7, where solid lines correspond to the results of our TF-QDS, and dashed lines correspond to the results of TF-QDS with DPRS. Figure 7 illustrates that our TF-QDS can deliver a higher signature rate than that of TF-QDS with DPRS for the same phase slice. The fact is that the signature rate of our protocol increases with M, while the signature rate of TF-QDS with DPRS approaches 0 as M increases, due to the sifting factor. Furthermore, our TF-QDS can transmit a longer signature distance when the same signature rate is obtained. The reason for this is that we can obtain a tighter bound on the phase error rate compared with TF-QDS with DPRS, as illustrated in Figure 8. Detailed data on signature rate R and transmission distance for both TF-QDSs are listed in Table 2.   Figure 6. The second and third rows indicate the signature rates of two protocols at 100 km and 200 km, respectively. The fourth row shows the secure transmission distances when the signature rate is 10 −12 and the bottom row gives the comparison of maximum transmission distances obtainable.

Conclusions
We present a TF-QDS protocol with fully discrete phase randomization. Unlike most previous variants of QDS that emit weak coherent-state pulses with a continuousphase-randomized source, our TF-QDS uses a discrete-phase-randomized source instead, which can be realized with common optical components and further applied in practical QDS systems. As well as this, the protocol had been proved to be secure against forging and repudiation.
For better performance, we optimize intensities of signal state and decoy state to improve the signature rate. We compare the performance of our TF-QDS with BB84-QDS and MDI-QDS by numerical simulation. The results demonstrate that our TF-QDS can achieve the best performance in terms of signature rate and secure transmission distance when the phase slices M ≥ 6. Moreover, we provide a clear comparison between several possible TF-QDSs constructed by different TF-KGPs and find that our TF-QDS with M = 6 already exceeds TF-QDS with CPRS due to the exact matching of phases. The signature rate is 5-15 times that of TF-QDS with CPRS when the transmission distance ranges from 100 km to 300 km, and its maximum signature distance obtainable increases by 5%. Furthermore, we compare the performance of our TF-QDS with TF-QDS with DPRS for four different M. The simulation results show that our TF-QDS achieves a higher signature rate and a longer secure distance than that of the TF-QDS with DPRS for the same M.
In summary, the proposed TF-QDS with fully discrete phase randomization is more feasible in experimental implementation; meanwhile, it is an effective solution for a higher signature rate over a longer transmission distance. (A6) The estimation of upper bound on e ph,same can be considered an optimization problem and solved by a linear programming [45] shown in Equation (A7).
where Ψ = {β 1 , µ} is the collection of all test-mode intensities, but not including vacuum, and F β 1 ,β 2 n is given by (A8)