Quantum Proxy Signature Scheme with Discrete Time Quantum Walks and Quantum One-Time Pad CNOT Operation

: The quantum proxy signature is one of the most significant formalisms in quantum signatures. We put forward a quantum proxy signature scheme using quantum walk-based teleportation and quantum one-time pad CNOT (QOTP-CNOT) operation, which includes four phases, i.e., initializing phase, authorizing phase, signing phase and verifying phase. The QOTP-CNOT is achieved by attaching the CNOT operation upon the QOTP and it is applied to produce the proxy signature state. The quantum walk-based teleportation is employed to transfer the encrypted message copy derived from the binary random sequence from the proxy signer to the verifier, in which the required entangled states do not need to be prepared ahead and they can be automatically generated during quantum walks. Security analysis demonstrates that the presented proxy signature scheme has impossibility of denial from the proxy and original signers, impossibility of forgery from the original signatory and the verifier, and impossibility of repudiation from the verifier. Notably, the discussion shows the complexity of the presented algorithm and that the scheme can be applied in many real scenarios, such as electronic payment and electronic commerce.


Introduction
Digital signature has been prevalent in past decades and applied in lots of scenes, such as electronic payment, electronic commerce and electronic government affairs, with strict demands for security. To satisfy the special requirements for diverse application scenarios, many ramifications of classical signature have occurred. The most concerning issue is the security of the classical signature scheme, which depends on computational complexity of some intractable problems involving the factorization of large numbers and the discrete logarithm. However, these problems can be efficiently solved by quantum algorithms with the development of quantum computation. For example, the former can be solved in polynomial time by Shor's quantum prime factorization algorithm [1]. Grover's algorithm [2] poses a great threat to symmetric cryptography by designing a more optimized brute force attack. Consequently, the classical signature schemes based on computational complexity are seriously struck and become insecure.
Motivated by the merits of quantum technology, many scholars converted their attention from classical signature into quantum signature, the security of which is guaranteed by quantum non-cloning theorem [3] and Heisenberg's uncertainty principle [4]. The development of quantum signature mainly relies on two essential techniques involving quantum teleportation and quantum encryption algorithm. Recently, quantum walks have been developed as an approach to realize quantum teleportation protocols [5,6], which can improve the efficiency of quantum teleportation in terms of entanglement generation and measurements. Afterwards, Shang and Li [7] showed the experimental realization of state transfer based on quantum walks with two coins. Chatterjee et al. [8] investigated the experimental implementation of quantum teleportation using coined quantum walks. Li et al. [9] also proposed a quantum teleportation scheme for transmitting an arbitrary multi-qubit state via multi-walker quantum walks. In addition, in 2017, Vlachou et al. [10] introduced the idea of developing quantum key distribution protocol using quantum walks. Inspired by the above-mentioned work, enthusiastic scholars have presented several achievements in quantum signature. For example, in 2019 Shi et al. [11] presented a quantum blind signature scheme based on quantum walk-based cryptosystem. In the same year, Feng et al. put forward an arbitrated quantum signature protocol with quantum walks on complete graphs [12] and on a closed cycle [13], in which the necessary entangled states do not need to be prepared in advance and they can be created naturally via quantum walks. Furthermore, when transmitting a d-dimensional quantum state, two projective measurements with d elements instead of one joint measurement with d 2 elements are required. The projective measurements are much easier to implement than the joint measurement in real experiments [5,6]. In 2020, Feng et al. [14] suggested another arbitrated quantum signature protocol, where quantum walk-based teleportation is applied to transfer the encrypted message copy and boson sampling-based random unitary encryption is used to generate the signature. Quite recently, Li et al. [15] applied quantum walks into quantum blind signature and presented the corresponding quantum blind signature scheme. Furthermore, quantum walks have been demonstrated to be realizable in different physical systems [16][17][18] and real experiments [19][20][21]. This stimulates us to explore more possibility of quantum walks into other types of quantum signature.
Quantum proxy signature is an important type or branch of quantum signature and its concept was first proposed by Mambo et al. [22] in 1996. In 2001, Gottesman and Chuang [23] introduced quantum mechanics into digital signature and proposed a quantum digital signature scheme based on one-way function. Soon later, Zeng and Keitel [24] proposed an arbitrated quantum signature scheme based on three-qubit Green-Horne-Zeilinger (GHZ) states, which provides an elegant framework for designing quantum signature schemes with the participation of a trusted arbitrator. Notably, quantum proxy signature is a special class in arbitrated quantum signature with distinct original signatory and proxy signatory. In 2010, Chang et al. [25] presented a proxy signature scheme by employing Einstein-Podolsky-Rosen (EPR) states as the quantum channel for teleportation. In 2011, Zhou et al. [26] proposed a quantum proxy signature scheme based on public verifiability, in which EPR states are combined with the unitary transformation to generate proxy signature. In 2014, Cao et al. [27] raised a quantum weak blind signature scheme with a genuinely entangled six-qubit state. Subsequently, Zhang and Jia [28] analyzed the cryptanalysis of Cao et al.'s work [27] and pointed out that the verifier can forge the signature by modifying the received message without being caught. Next year, Cao et al. [29] put forward a proxy weak blind signature using the controlled teleportation scheme with five-qubit entangled states as quantum channels. Based on the above-described research, it is known that entangled states take up a significant position in designing quantum signature schemes. Yet, the challenge is that the generation of the ideal entanglement resource is difficult in experiments. To this end, many scholars began to seek for other methods to evade this challenge. For example, in 2015, Xu et al. [30] brought forward a quantum proxy signature scheme in line with single-particle states instead of entangled states. In the next year, Guo et al. [31] suggested a strong blind quantum signature scheme with multi-proxy by executing appropriate unitary operators. In 2018, Qin et al. [32] brought forward a batch quantum multi-proxy signature, in which quantum controlled-not (CNOT) gates are employed to encode the information to be signed. Recently, Niu et al. [33] developed a quantum proxy blind signature based on superdense coding, where various unitary operators are used to blind two-bit classical information.
Compared to quantum proxy signature schemes without entanglement, it can be seen that the entanglement-based quantum proxy signature schemes have more ability to resist risks or attacks due to the disturbance detection owing to the existence of entanglement. In addition, we mentioned that the most challenge is the difficult generation of entanglement resource with the state-of-the-art technology, fortunately, which can be efficiently addressed using the models of quantum walks. On the other hand, in the existing quantum proxy signature schemes, the involved encryption algorithm is quantum one-time pad (QOTP), which may lead to different aspects of disavowal and forgery attacks [34,35]. To solve this issue, we improve the QOTP by introducing the CNOT operation. Therefore, motivated by quantum walk-based teleportation, we present a proxy signature scheme using quantum walks and QOTP-CNOT operation. The presented quantum proxy signature scheme makes the following contributions.

•
Before generating the proxy signature, the random binary sequence is circularly used to encrypt the original message. Then the QOTP-CNOT operation is used to generate the proxy signature state with the length of the secret keys being the same as that of the message to be encrypted, which reduces the length of the required keys by three times in terms of efficiency and improves the security of the presented scheme. The introduction of CNOT operation into the QOTP makes the encrypted qubit related to not only the qubit and the key of the current position but also other qubits and keys of other positions, which can resist against the proxy signatory's disavowal attack and the receiver's forgery attack on the proxy signature by modifying the qubits of particular positions in it.

•
Quantum walks on circles are used to transfer the random sequence to verify the validity of the proxy warranty and the corresponding quantum teleportation protocol is performed to transmit the message copy of ciphertext from the proxy signatory to the verifier, which assists the verifier to complete the verification of the validity of the proxy signature, in which it is unnecessary to generate entangled states in advance as quantum channels and the essential entangled states can be created by quantum walks. We note that this model differs from the formalisms of quantum walks employed in [12,14] and that it is firstly employed in quantum proxy signature.

•
The proposed scheme may be easy to implement owing to the experimental realizations of quantum walks [7,8] and the designed QOTP-CNOT encryption. Furthermore, it may be applied into electronic payment or electronic commerce.
The paper is organized as follows. In Section 2, we present the methods involving the employed models, i.e., quantum walks on circles and the corresponding quantum teleportation, and the designed quantum proxy signature scheme consisting of initializing phase, authorizing phase, signing phase and verifying phase. In Section 3, we elaborate on the results referring to the security of the scheme. In Section 4, we discuss the complexity and the applications of the presented scheme. In Section 5, a conclusion is shown.

Methods
Quantum walk is the quantum counterpart of classical random walk such as Brownian motion. In 1993, Aharonov et al. [36] first proposed the formalism of quantum walk. Then in 2001 Ambainis et al. and Aharonov et al. presented the formalisms of quantum walks on the line [37] and on the general graphs [38]. According to the time evolution, quantum walk is distinguished into discrete time quantum walk [39] and continuous time quantum walk [40]. In the following, we first focus on the discrete time quantum walk models we use in the subsequent process. Then we describe the proposed quantum proxy signature scheme.

Quantum Walks on Circles
In discrete time setting, the properties of quantum walk depend on quantum coins and shift operators. In this model, we assume that the walker hops along discrete positions on a circle graph.
The corresponding Hilbert space H is the tensor product of the position Hilbert space H p and the coin Hilbert space H c , i.e., where H p is spanned by the vertices on the circle with H p = {|x |x ∈ {0, 1, . . . , P − 1}} and P is the number of vertices, and H c is spanned by the two possible coin states {|R , |L } corresponding to the head and tail of a quantum coin [10]. The evolution for one step of the quantum walk is given by the unitary operator with where I p is the identity operator acting on H p , R c is a rotation gate acting on H c that is expressed as in terms of matrix where θ ∈ [0, 2π] refers to the rotation angle, and O is a conditional shift operator with the form of which simulates the movement of walker on the circle [41], as shown in Figure 1. In the following, we use this model to transmit the involved random sequence from the proxy signatory to the arbitrator to complete the validity of the proxy warranty. Trent Signing phase Initializing and authorizing phases Verifying phase

Teleportation with Quantum Walks on Circles
In view of the model of quantum walks on circles above, we describe the teleportation based on quantum walks on circles with two coins and P = 4 vertices. We postulate that Alice and Bob are the sender and the receiver, respectively, who participate in the communication, in which Alice wants to transfer an unknown qubit |φ i = α i |0 + β i |1 to Bob. Alice holds two particles a1 and a2, which separately carry the state of the first coin and the state of the position. While the state of the second coin is encoded onto particle b, which is possessed by Bob. The initial states of a1, a2 and b are denoted as |φ i , |0 and |+ . Thus, the whole initial state of the quantum walk system is with the particle order a2, a1, b and |+ = |0 +|1 √ 2 . We formulate the first step of the quantum walk as where is the coin operator employed on the first coin state, Q = ∑ x |x + 1 x| is the shift operator employed on the position space and Q † is the Hermitian operator of Q. According to Equation (4), for convenience of calculation, we equate |R to |0 and |L to |1 and then we can express the notation O with P = 4 as If C 1 = I, the initial system state |ψ 0 transforms into which produces the entanglement between position space and coin space referring to Alice and Bob. We describe the second step of the quantum walk as where and C 2 is the coin operator employed on the second coin state. If C 2 = I, the state of the system evolves into Subsequently, Alice first measures particle a2 using basis {|0 , |1 , |2 , |3 } corresponding to the classical results {0, 1, 2, 3}. Then Alice measures particle a1 using basis {|+ , |− } corresponding to the classical results {1, −1}. In the light of the measurement results of a2 and a1, Bob implements corresponding unitary operations to recover the qubit to be teleported, which is listed in Table 1. In the following, this teleportation scheme is employed to transfer the encrypted qubit message copy from the signatory to the verifier, which helps to complete the validity verification of the completed proxy signature.

Quantum Proxy Signature Scheme
The designed scheme involves four participants, i.e., the arbitrator Trent, the original signer Charlie, the proxy signer Alice and the verifier Bob, who cooperatively perform four desired phases, including the initializing phase, the authorizing phase, the signing phase and the verifying phase. The schematic of the scheme is depicted in Figure 2 and the details are elaborated in the respective four phases in the following. Remarkably, we suppose that the interactive communications among participants are executed via authenticated classical and quantum channels, which can be realized by means of current error correction and privacy amplification technologies [42] in secure communication protocols [43,44]. Thus, we mainly concentrate on the denial and the forgery attacks from the internal participants.   If Bob prospects to modify the qubit at particular position such as |ϕ j M ∈ |ϕ M to counterfeit a valid proxy signature and he coincidentally obtains the correct sequence S, he can recover |ϕ M with the unitary operations in terms of S to decide how to handle with |ϕ j M , which makes the final |ϕ M meet his own requirements. With that, |ϕ j M has been converted into Then he implements the same operation U Bob at the corresponding position in |S A and acquires In this case, the qubit |S A j+1 is be modified unexpectedly, due to Figure 2. Schematic of the designed quantum proxy signature scheme. Charlie, Alice, Bob, and Trent are the original signer, the proxy signer, the verifier and the arbitrator, respectively. Notably, blue dashed box represents the initializing phase and authorizing phase, and green represents the signing phase and orange represents the verifying phase.

Initializing Phase
In initializing phase, Charlie is required to prepare the quantum carriers of the original message and all the secret keys for encryption and decryption processes are produced.
Step 1 Charlie holds a classical binary string M with n1 bits, which is the original message to be signed and can be expressed as where M i ∈ {0, 1}, i = 1, . . . , n1. Then he or she encodes M into the corresponding qubit sequence |ϕ M with n1 qubits in the form of Step 2 Alice shares secret keys {K AT , K AC } with Trent and Charlie, respectively. Similarly, Trent shares secret keys {K BT , K CT } with Bob and Charlie. This procedure can be completed through QKD system [10,45,46].

Authorizing Phase
In authorizing phase, Charlie generates the warranty allowing Alice to execute the proxy signature.
Step 1 Charlie produces a quantum state |ϕ W with n2 qubits, which contains the information of Charlie's and Alice's identification and the warranty of proxy signature. In addition, |ϕ W is described as where which contains n = n1 + n2 qubits. We assume the dimension n of |ϕ M to be large enough, which enables small enough error probability of two rounds of comparisons for any two unknown qubit states and failure probability of the validity verification for the completed signature in the verifying phase.
Step 2 Charlie separately encrypts two copies of the new quantum state |ϕ M with K AC and K CT and gets |ϕ 1 Next he sends |ϕ 1 M to Alice and |ϕ 2 M to Trent.
Step 3 After receiving |ϕ 1 M , Alice obtains |ϕ M by decrypting it and thus she has the authority to help Charlie and Bob complete the signature as a proxy signer.

Signing Phase
In signing phase, Alice generates the proxy signature based on chosen signing algorithm, which is expected to ensure Alice's undeniability, the integrity and authenticity of the message to be signed.
Step 1 Alice randomly chooses from {0, 1} to generate an n-bit classical sequence Step 2 Alice encrypts |ϕ M through appropriate encryption algorithm based on S and obtains |ϕ M with |ϕ M = E S (|ϕ M ).
For an arbitrary qubit |ϕ i M in |ϕ M , it can be expressed as follows, where i + 1 = (i + 1) mod n. Concretely, according to (S i , S i+1 ) in S, Alice performs the corresponding unitary operator on the qubit |ϕ i M [33], which is listed in Table 2. The relationship of |ϕ M , S and |ϕ M is shown in Figure 3, in which it can be seen that the operation on the last qubit |ϕ n M of |ϕ M is controlled by (S n , S 1 ), which shows the random sequence is used circularly. Then Alice needs to broadcast the value of n. It should be noted that, in our scheme, three copies of |ϕ M are required. One of them is employed to create proxy signature state, the other is delivered to Bob along with the proxy signature state at the last step in the signing phase and the third one is transmitted by teleportation based on quantum walks on circles with two coins described in Section 2.2.

(S i , S i+1 ) Unitary Operator Matrix Representation
Step 3 Alice generates proxy signature state |S A by encrypting |ϕ M with K AT , i.e., where E K AT refers to the improved QOTP algorithm with assistant CNOT gates in terms of K AT . Before elaborating on the QOTP-CNOT operation, we first describe the QOTP algorithm in the following, where 2n random classical bits are required for the encryption of an unknown n-qubit quantum state with the guarantee of informational security [47,48]. Denote |φ as the n-qubit message expected to be encrypted with |φ i = α i |0 + β i |1 and K q as the 2n-bit key. The encryption process is formulated as where K p q is the pth bit of K q . The corresponding decryption process is Then the motivation of the QOTP-CNOT operation includes the following two aspects. The first aspect is from some classical coding schemes, such as the differential encoding, where the encrypted bits correlate with the other bits in order to improve its capacity of resisting disturbance. The second motivation originates from the existing quantum signature schemes, such as chain-based CNOT [49], key-controlled chained CNOT [50], which make the encrypted qubit related to not only the qubit and the key of the current position but also other qubits and keys of other positions. We thus design the improved QOTP encryption algorithm by introducing assistant CNOT gates. In addition, considering the storage space and usage efficiency of the secret key, we circularly use the key to accomplish the encryption task, the length of which is reduced into one third of the key required in the QOTP algorithm. Therefore, in terms of both security and efficiency, we put forward the QOTP-CNOT encryption algorithm, in which we write the required K AT as The length of K AT is assumed to be the same with the length of |ϕ M , i.e., n. Alice executes the corresponding operation on the qubit |ϕ i M in |ϕ M according to the values of (K i AT , K i+1 AT , K i+2 AT ), where K i AT decides whether σ x is operated on the corresponding qubit with (σ x ) K i AT and K i+1 AT controls the operation of σ z with (σ z ) K i+1 AT and K i+2 AT determines whether the CNOT operation is applied on |ϕ i M with |S A i−1 acting as the control qubit. The encryption process can be expressed as follows, Here let us consider an instance to expound on it. Given n = 8, |ϕ M = |01011101 and K AT = 01011001, in line with Equation (23), the encryption result of |ϕ M should be |00000100 , where the implementation of |ϕ 2 M = |1 can be demonstrated as follows. According to the associated key (K 2 AT , K 3 AT , K 4 AT ) = (1, 0, 1), we can obtain the qubit |S A 2 with the form of which coincides with the presented encryption and decryption processes of |ϕ M shown in Figures 4  and 5.
Step 4 To verify the validity of the proxy warranty, we apply the model of quantum walks on circles described in Section 2.1 to transmit the random sequence S from the proxy signer Alice to the arbitrator Trent. Assume that the number of the walking steps is t and P = 2 n , we denote |l ∈ {|0 , . . . , |P − 1 } as one vertex state, |d ∈ {|R , |L } as the coin state. Using these parameters, a quantum state can be randomly generated which is then distributed to Alice and Trent.
Step 5 Alice transforms the random sequence S as a decimal number s (this can be easily done) and obtains the following shift operator which is used to produce |ϕ(s) = (T s ⊗ I c )|ϕ U , (27) where I c is the identity operator acting on the coin state and which is transmited to Trent.
Step 6 Trent applies U −t k to |ϕ(s) and gains on which he performs the position measurement Denoting the measurement result as i s , i.e., i s = (l + s) mod P, we can obtain That is, Trent can easily recover S and obtain |ϕ M from |ϕ M according to the recovered S.
Step 7 After completing the verification of the proxy warranty, Alice produces a quantum state |φ A = (|S A , |ϕ M ) and sends it to Bob.

Verifying Phase
In verifying phase, Bob is required to verify the validity of the completed proxy signature and the integrality and authenticity of the conveyed messages based on chosen verifying algorithm with the assistance of Trent, who plays the role of the trusted third party to facilitate the interaction of Alice and Bob.
Step 1 After receiving |φ A , Bob encrypts |S A and |ϕ M using K BT and gets |φ B , i.e., which is then transmitted to Trent.
Step 2 Trent decodes |φ B to get |S A and |ϕ M . To begin with, with the acquired random sequence S by Steps 4-6 in the signing phase, Trent can perform the same unitary operators on |ϕ M and obtains |ϕ out M . He compares it with the obtained |ϕ M from Charlie to verify whether the warranty delegated by Charlie to Alice is valid. If the warranty is consilient, Trent implements the associated unitary operations based on S on |ϕ M or |ϕ out M to regain |ϕ M and achieves |S T with K AT . Afterwards, he compares |S T with |S A by using swap test technique [51], where the independent comparisons of |S T i and |S A i for n times are required. Thus, if the value of n is proper, for any ε > 0, the error probability can be reduced to [ 1 2 (1 + δ 2 )] n < ε. It acts the same when Bob implements the comparison of the quantum states |ϕ M and |ϕ out M to verify the completed signature in the later step. If the result τ is negative, the communication is terminated. Otherwise, Trent firstly decrypts |S T to gain |ϕ M and then encrypts |S A , |ϕ M and |τ to generate |φ T , i.e., which is delivered to Bob.
Step 3 Bob decrypts the received |φ T and achieves |S A , |ϕ M and |τ . If τ = 0, it shows that |S A is disavowed or forged by some manner. That is, |S A is invalid and the protocol will be abandoned. Otherwise, Bob compares |ϕ M and |ϕ out M , which is obtained from Alice via teleportation protocol based on quantum walks on circles with two coins described in Section 2.2. If |ϕ out M = |ϕ M , the communication fails. If |ϕ out M = |ϕ M , Bob makes a request for announcing the random sequence S from Alice.
Step 4 Alice publishes S on the public channel.
Step 5 After receiving S, Bob decodes |ϕ out M or |ϕ M and obtains the whole original message |ϕ M , in which the ith qubit |ϕ i M with m i = 1 reveals M i = 0 and |ϕ i M with m i = −1 reveals M i = 1. At this time, Bob can recognize (|S A , S) as Alice's completed proxy signature.

Results
In terms of secure criterions in quantum signature protocols, the designed signature scheme should satisfy the properties of non-deniability, non-forgeability, and non-repudiation. Based on these criterions, we analyze the security of our presented proxy signature scheme. Then we discuss the potentially practical application of our scheme.

Impossibility of Denials
In proxy signature scheme, the impossibility of denial refers to that the proxy signer Alice cannot deny her completed signature and that the original signer Charlie cannot deny his delegation.
For one thing, Alice cannot deny her completed signature. In the signing phase, Alice packages or encrypts quantum state |ϕ M obtained from Charlie using the random sequence S and gets |ϕ M . Then Alice creates the proxy signature state |S A by encrypting |ϕ M with the key K AT , i.e., |S A = E K AT (|ϕ M ), in which K AT is essential for the creation of |S A and it is generated by QKD system with perfect security. If Alice disavows the completed signature, the state |S A should be forwarded to Trent and then he judges whether K AT is contained in |S A . If the feedback is positive, then |S A must be produced by Alice. If Alice successfully disavows |S A resulting in |S A = |S T and the occurrence of disputes, fortunately, this attack can be found by Trent at Step 2 of verifying phase. Therefore, Trent is able to detect Alice's possible disavowals.
For another thing, Charlie cannot deny his delegation. In the authorizing phase, Charlie achieves a quantum state |ϕ M , which contains the information of his identification and proxy delegation. Then Charlie encrypts |ϕ M with K CT to acquire |ϕ 2 M , i.e., |ϕ 2 M = K CT (|ϕ M ), which is transferred to Trent and in which K CT is also generated via QKD system. Moreover, in the signing phase, Trent receives S from Alice via the model of quantum walks on circles and in the verifying phase Trent obtains |ϕ M from Bob included in quantum state |φ B . Next Trent can get |ϕ M on account of S and the corresponding operations listed in Table 2, which proves that Charlie does authorize Alice to perform the signature behaviour. If Charlie refuses to admit his delegation in the way of delivering fake messages |ϕ fake M = |ϕ M to Trent before the verifying process, it can be found at Step 2 in the verifying phase. Specifically, Trent compares |ϕ fake M with |ϕ out M derived from S and |ϕ M , and reaches |ϕ fake M = |ϕ out M . If Charlie desires to replace |ϕ out M to disturb Trent's verification, he must get hold of both U −t k and K BT to accomplish the modifications of S and |ϕ M without being caught, which is obviously impossible. Consequently, Charlie cannot disavow his delegation successfully.

Impossibility of Forgeries
In proxy signature scheme, the impossibility of forgery involves that the original signer Charlie and the verifier Bob cannot forge the proxy signer Alice's signature.
In case Charlie is dishonest and he expects to counterfeit Alice's signature based on the original messages |ϕ M held in his hand, he needs to obtain the random sequence S to accomplish the package and the key K AT to carry out the signature, where S is randomly chosen by Alice and K AT is produced via QKD system with perfect security. Thus, Charlie has no ability to forge the signature successfully in the manner of obtaining the keys including S. Take a step back, if Charlie produces a random sequence S with the same n-length of S, the successful possibility is only 1 2 n because the probability for each bit is 1 2 , which can be easily simulated via Matlab and shown in Figure 6, where P n represents the successful probability for creating the same sequence as S. It can be seen that P n shows an exponential decline and approaches to zero rapidly as n increases. Furthermore, even if Charlie happens to get the correct sequence S (as we know it has very low probability), K AT is still unknown for Charlie, which is the crucial element for the creation of the signature |S A . Hence Charlie cannot execute a successful forgery of Alice's signature. In case Bob is dishonest and he attempts to counterfeit the signature |S A = E K AT (|ϕ M ), for this purpose, Bob needs to obtain Alice's secret key K AT produced by QKD system. According to the public quantum states including |S A and |φ T separately received from Alice and Trent, he cannot acquire any information about K AT . Consequently, Bob cannot forge Alice's signature |S A by the method of obtaining K AT . In the QOTP-based quantum signature schemes [35,52], there exists one method for Bob to implement the forgery by the following manner. As the communication receiver, Bob is assumed to hold a valid message-signature pair (|ϕ , |S ). Then Bob can perform the same unitary operators U i on each qubit in |ϕ and the corresponding qubits in |S owing to the encryption manner of qubit by qubit in QOTP algorithm, and he may achieve a new valid message-signature pair without the need for K AT . Based on this, Bob can select his favorable message to perform the forgery attack and claim that it is completed by Alice. In this scenario, when Bob deliberately declares a dispute and lets Trent judge, Trent will stand on the side of Bob. As for this attack strategy, two aspects should be stated. On one hand, Bob cannot choose the preferred message for his own in that the original message |ϕ M exists in the form of ciphertext |ϕ M via random sequence S. On the other hand, we employ an improved QOTP by introducing assistant CNOT operations to generate the signature, which makes it difficult to find the correct qubit position and modify it due to the correlations among qubits in the signature. In the worse case, we assume that Bob obtains the correct sequence S by some method. If Bob attempts to modify the qubit |ϕ j M at some certain position in |ϕ M to forge a valid proxy signature, he can recover |ϕ M based on S and determine the position of |ϕ j M . Next Bob implements U Bob on |ϕ j M and packages the altered |ϕ M with S to get a new |ϕ M , in which |ϕ j M can be expressed as Subsequently Bob implements the same operation U Bob at the corresponding position in |S A and acquires At this moment, a new pair of message-signature (|ϕ M , |S A ) is achieved. Meanwhile, the qubit |S A j+1 is modified unexpectedly as follows, Normally |S A j+1 should be consistent with |S A j+1 , The difference between |S A j+1 and |S A j+1 is attributed to |S A j , which is associated with the next qubit in |S A due to the introduction of CNOT gate. Therefore, Bob cannot perform a valid or successful forgery for Alice's signature.

Impossibility of Repudiations
From a practical point of view, the verifier Bob cannot repudiate his received signature |S A from the proxy signer Alice, which can be proved in our presented proxy signature scheme. Normally, in the verifying phase, Bob encodes both |S A and |ϕ M acquired from Alice with K BT to obtain |φ B = E K BT (|S A , |ϕ M ) and delivers it to Trent, where K BT is guaranteed to be unconditionally safe via QKD protocol and cannot be accessed by others except for Bob and Trent. Then Trent can testify that |φ B contains K BT and get |S A and |ϕ M to perform the comparison, which implies Bob has obtained |S A . Actually, the random sequence S is a part of Alice's signature and is announced by public channel which is not obstructed and it is resistant to the modification of messages. As a result, Bob may disavow the integrality of the received signature (|S A , S). For example, Bob may claim |ϕ M = |ϕ out M under the fact of |ϕ M = |ϕ out M maliciously and consequently refuses to accept it. Nevertheless, as the communication receiver, Bob's intention is to decode the original message M. If Bob declares |ϕ M = |ϕ out M under the condition of |ϕ M = |ϕ out M , he cannot get the random sequence S to yield |ϕ M , from which the final original message M can be decoded. So this repudiation attack is impossible. In short, Bob cannot disavow the reception and the integrality of Alice's proxy signature (|S A , S).

Discussion of Complexity
In the above-described quantum proxy signature scheme, the complexity of the scheme attributes to the employed signing and verifying algorithms, which involve two encryption processes including the random sequence-based encryption algorithm and the QOTP-CNOT algorithm. In the former, a randomly produced binary sequence S with n bits is applied to encode the original message |ϕ M with the same length into |ϕ M . Its execution requires n unitary operations U i (i.e., Pauli operator, I, σ x , σ y , σ z ), which can be seen from Figure 3 and Table 2. In terms of key consumption, for encrypting an n-qubit message sequence, an n-length random binary sequence is enough due to the circular use, which differs from the QOTP encryption algorithm with 2n bits required [48]. Therefore, our scheme saves the length of the keys and the corresponding storage space. In the language of mathematics and computer, the time complexity and the space complexity of the random sequence-based encryption algorithm both are proportional to n. In the latter, i.e., the QOTP-CNOT algorithm, the secret key K AT with n qubits produced by QKD system is needed and the encryption operations (i.e., σ x , σ z and CNOT) are controlled by the key bits in K AT , i.e., (K i AT , K i+1 AT , K i+2 AT ) (i = 1, 2, . . . , n), as shown in Equation (23). This algorithm is used to encrypt |ϕ M derived from the original message |ϕ M with the random sequence S and then generate the quantum proxy signature state |S A . For encrypting an n-qubit message sequence |ϕ M , the maximum number of the involved unitary operations is 3n with the case of full 1 in K AT according to the encryption rules in the QOTP-CNOT operation, which is linear with n. Similarly, the secret key K AT is also used circularly and hence the key length is reduced by three times, which improves the utility efficiency of the key when compared with the QOTP-based signature schemes [31,33]. As a consequence, the time complexity and the space complexity of the proposed scheme are linear with n.

Discussion of Applications
At present, many researchers have developed various quantum signature protocols designed for special application scenarios, such as electronic payment, electronic voting, electronic commerce, electronic government, and so on [53][54][55][56][57]. Here, we discuss about the possible application of our presented proxy signature scheme in electronic payment as follows. Assume that Charlie is a customer who prefers shopping on the Internet, that Bob is the owner of an online shop, that Alice corresponds to electronic commerce platform and that Trent denotes bank. (i) If Charlie wants to purchase something, which is listed in Bob's store, he will add the merchandise into his fictitious shopping trolley and then submit the order form on the platform (Alice). (ii) Alice will pay for the bill using the credit card which Charlie binds with his account in advance. (iii) Alice handles with the information about Charlie's identification and his order form, and with that she sends the processed Charlie's identification information and the order form to Bob. During the three steps above, the bank Trent plays the role of supervisor, who publishes the credit card used for Charlie's consumption and guarantees the authorities and benefits of every participant. This trade process can be illustrated in Figure 7. Please note that we should consider more potential risks such as untrusted nodes and bounded [58] or more generally noisy-storage model [59] when the involved situations in the cryptography protocols are generalized to realize the network [60] in the future study .

Alice
Bob Charlie As the customer, when I shop online, I will list the merchandise in the order form and submit it to the electronic commerce platform.
Charlie's identification Order form

Handled information
As the electronic commerce platform, I handle with the messages submitted by the customer and pay for the bill with customer's credit card.
As the owner of the online store, I receive the handled information from the platform and accomplish the trade.

Trent
As the bank, I publish the card used for Charlie's purchase and supervise the whole process to guarantee the authorities and benefits of all participants. Figure 7. Application scene of our presented proxy signature scheme in electronic payment.

Conclusions
We presented a quantum proxy signature scheme with QOTP-CNOT operation and quantum walk-based teleportation by making full use of quantum walks on circles. Teleportation based on quantum walks on circles with 4 vertices is employed for the transmission of the encrypted message copy |ϕ M from Alice to Bob, which helps Bob to verify the consistency of |ϕ M . This teleportation can avoid the preparation of the required entanglement resource ahead, which can be produced via quantum walks. Quantum walks on circles are applied to transmit the random sequence S to verify the validity of the proxy warranty. The QOTP-CNOT operation is used to generate the proxy signature and it is designed by introducing the CNOT operation into the QOTP and the CNOT operation breaks the encryption manner of qubit by qubit, which makes multiple qubits interrelated. Security analysis indicates that our proposed scheme has the properties of impossibility of denial, impossibility of forgery and impossibility of repudiation attributing to the deployments of quantum walks on circles, QOTP-CNOT operation, random sequence along with public channel and QKD technologies. Discussion shows that the complexity of the algorithm is linear with the number n of qubits to be encrypted and the possible applications in electronic payment or electronic commerce. In the future, we can explore more applications of realizable quantum computing models such as quantum walks into quantum communication.

Conflicts of Interest:
The authors declare no conflict of interest.