# Experimental Quantum Message Authentication with Single Qubit Unitary Operation

^{1}

^{2}

^{3}

^{4}

^{*}

Next Article in Journal

Next Article in Special Issue

Next Article in Special Issue

Previous Article in Journal

Previous Article in Special Issue

Previous Article in Special Issue

Center for Quantum Information, Korea Institute of Science and Technology (KIST), Seoul 02792, Korea

Korean Intellectual Property Office (KIPO), Government Complex Daejeon Building 4, 189, Cheongsa-ro, Seo-gu, Daejeon 35208, Korea

Division of Nano and Information Technology, Korea Institute of Science and Technology School, Korea University of Science and Technology, Seoul 02792, Korea

Department of Physics, Korea University, Sejong 30019, Korea

Author to whom correspondence should be addressed.

Academic Editors: Maria Bondani, Alessia Allevi and Stefano Olivares

Received: 28 February 2021
/
Revised: 12 March 2021
/
Accepted: 13 March 2021
/
Published: 16 March 2021

(This article belongs to the Special Issue Basics and Applications in Quantum Optics)

We have developed a quantum message authentication protocol that provides authentication and integrity of an original message using single qubit unitary operations. Our protocol mainly consists of two parts: quantum encryption and a correspondence check. The quantum encryption part is implemented using linear combinations of wave plates, and the correspondence check is performed using Hong–Ou–Mandel interference. By analyzing the coincidence counts of the Hong–Ou–Mandel interference, we have successfully proven the proposed protocol experimentally, and also showed its robustness against an existential forgery.

Modern cryptography provides four functions, namely, confidentiality, authentication, integrity, and nonrepudiation [1,2]. Therefore, as a substitution candidate for next-level secure cryptography, quantum cryptography should also have the ability to offer these four functions. Remarkable progress has been made in the area of confidentiality because the quantum key distribution (QKD) protocol that provides confidentiality has been considerably improved [3,4,5,6]. QKD aims to enable communication partners, e.g., Alice and Bob, to share secret keys and ultimately perform a one-time pad communication. Those protocols provide unconditional confidentiality based on the principle that an arbitrary unknown quantum state cannot be copied and that quantum measurement is irreversible [7,8,9,10]. On the other hand, many researchers have also studied how to use these secret keys in quantum message authentication [11,12,13], arbitrated quantum signature [14,15,16,17,18,19], or quantum digital signature [20,21,22,23,24,25,26,27,28,29], providing authentication, integrity, and non-repudiation.

In this paper, we introduce a simple and practical quantum message authentication protocol with a quantum three-pass protocol [30,31,32,33] and a quantum encryption scheme [19,34]. This protocol is a lightweight to simplify the implementation by removing an arbitrator from our proposed quantum signature protocol [19]. Here, the quantum three-pass protocol is the quantum version of Shamir’s three-pass protocol [1,35], and quantum encryption scheme is to prevent existential forgery, called Gao’s forgery. More specifically, the core elements of the proposed protocol, such as the quantum three-pass protocol and the quantum encryption scheme, are implemented with only single qubit unitary operators. In other words, these can be implemented easily by using linear combinations of wave plates [36,37]. Additionally, the swap test that checks the correspondence of the original message and quantum message authentication code (QMAC) can be implemented using a Hong–Ou–Mandel interferometer [38,39,40]. In advance, as the Hong-Ou-Mandel interferometer is a destructive swap test [40], more resources are needed to implement a controlled swap test.

In Section 2, we briefly explain the concept of the proposed scheme. Section 3 presents a security analysis of the proposed protocol for Alice’s private key, the forgery of QMAC pair, and the origin authentication of quantum message. Section 4 describes the experimental setup and measurement results. We conducted three experiments with the proposed protocol. First, we implemented a quantum three pass protocol, which is a method of conveying information in the proposed quantum message authentication. Second, we implemented a quantum encryption scheme with a single qubit unitary operator to prevent forgery. Finally, we confirmed that the QMAC pair with the quantum encryption scheme is robust to Gao’s forgery. In Section 5, after a thorough discussion that includes the possibility of expanding the scheme to quantum signature and quantum entity authentication, we present the conclusions of this work.

Quantum message authentication, which is similar to conventional message authentication, should provide message integrity and origin authentication. What differentiates quantum message authentication from conventional message authentication [41,42] is that the former uses quantum states $\left|0\u27e9\right.$ and $\left|1\u27e9\right.$ as a message represented by a sequence of “0” and “1” bits. In addition, using arbitrary quantum states as a message enables more information to be delivered at once [43,44]. Moreover, there is a significant difference that is described below. In modern cryptography, asymmetric key cryptography easily provides message integrity, message origin authentication, and nonrepudiation. Unfortunately, a quantum asymmetric key cryptosystem based on the quantum trapdoor one-way function do not exist, making the design of quantum authentication and quantum signature protocols difficult. To overcome this difficulty, we propose a new quantum message authentication protocol based on Shamir’s three-pass protocol [1,35]. Shamir’s three pass protocol has the advantage that two parties, e.g., Alice and Bob, can share information without exposing their own private keys. In the implementation, the central idea is that the commutative property [19] of exponential operation in Shamir’s three-pass protocol is implemented using single-qubit rotation operators consisting of linear combinations of wave plates. To our knowledge, this is the first time a quantum message authentication protocol has been proposed using the quantum three-pass protocol, though other applications of the quantum three-pass protocol, such as direct communication [32], quantum key distribution [30], and quantum signature [19], have been proposed theoretically. Figure 1 schematically shows the quantum message authentication protocol that we implemented. Our quantum message authentication protocol consists of preparation, quantum message authentication, and verification phase.

In the preparation phase, Alice and Bob pre-share secret key sequences ${K}_{AB}=\left({k}_{AB}^{1},{k}_{AB}^{2},\dots ,{k}_{AB}^{N}\right)$ and ${K}_{H}=\left({k}_{H}^{1},{k}_{H}^{2},\dots ,{k}_{H}^{N}\right)$ that determine which single-qubit operation is chosen. The sequences ${K}_{AB}=\left({k}_{AB}^{1},{k}_{AB}^{2},\dots ,{k}_{AB}^{N}\right)$ and ${K}_{H}=\left({k}_{H}^{1},{k}_{H}^{2},\dots ,{k}_{H}^{N}\right)$ are a classical bit sequence with the size of $2N$ and $N$ respectively, where ${k}_{AB}^{i}\in \left\{00,01,10,11\right\},$ ${k}_{H}^{i}\in \left\{0,1\right\}$. The secret keys ${k}_{AB}^{i}$ and ${k}_{H}^{i}$ correspond to the Pauli operators ${\sigma}_{{k}_{AB}^{i}}\in \left\{I,{\sigma}_{x},{\sigma}_{y},{\sigma}_{z}\right\}$ and the operator ${H}^{{k}_{H}^{i}}\in \left\{{H}^{0}=I,{H}^{1}=H\right\}$. Here, operator is a linear combination of the Pauli operators $\left\{I,{\sigma}_{x},{\sigma}_{y},{\sigma}_{z}\right\}$ and unitary operator ${H}^{\u2020}H=H{H}^{\u2020}=I$.

$$H=\left(I-i{\sigma}_{x}-i{\sigma}_{y}-i{\sigma}_{z}\right)/2$$

The quantum message authentication phase is composed of two stages: quantum message generation, QMAC generation, and quantum encryption. In the quantum message generation stage, Alice generates a quantum message state pair
by applying a single qubit rotation operator
where $M=\left({m}_{1},{m}_{2},{m}_{3},\dots ,{m}_{N}\right)$ is a rotation angle sequence,$0\xb0\le {m}_{i}\le 360\xb0$, and ${\left|\phi \u27e9\right.}_{u}^{\left(i\right)}{\left|\phi \u27e9\right.}_{d}^{\left(i\right)}$ are the logical states $\left|0\u27e9\left|0\u27e9\right.\right.$ or $\left|1\u27e9\left|1\u27e9\right.\right.$, corresponding to horizontally polarized photons $\left|H\u27e9\left|H\u27e9\right.\right.$ and vertically polarized photons $\left|V\u27e9\left|V\u27e9\right.\right.$, respectively. The superscript $\left(i\right)$ denotes the $i$ th qubit, and subscripts $u$ and $d$ denote up and down, corresponding to the up-line and down-line, respectively, of the experimental setup used for our protocol. The rotation angle sequence $M=\left({m}_{1},{m}_{2},{m}_{3},\dots ,{m}_{N}\right)$ is a bit message sequence, and we assume that it has already been published in public as in the case of a contract or an official document. The reason for publishing $M$ is to prevent Alice from attempting to forge using a modulated QMAC pair, which is discussed in detail in Section 3.2 impossibility of forgery.

$${\left|M\u27e9\right.}_{u}{\left|M\u27e9\right.}_{d}=\left[{\otimes}_{i=1}^{N}{R}_{y}\left({m}_{i}\right){\left|\phi \u27e9\right.}_{u}^{\left(i\right)}\right]\left[{\otimes}_{i=1}^{N}{R}_{y}\left({m}_{i}\right){\left|\phi \u27e9\right.}_{d}^{\left(i\right)}\right]$$

$${R}_{y}\left({m}_{i}\right)=\left(\begin{array}{cc}cos\frac{{m}_{i}}{2}& -sin\frac{{m}_{i}}{2}\\ sin\frac{{m}_{i}}{2}& cos\frac{{m}_{i}}{2}\end{array}\right),$$

In the QMAC generation stage, Alice encrypts the quantum message pair ${\left|M\u27e9\right.}_{u}{\left|M\u27e9\right.}_{d}$ of Equation (2) by using a single qubit rotation operator ${R}_{y}\left({s}_{i}\right)$;

$${\left|M\u27e9\right.}_{u}{\left|S\u27e9\right.}_{d}\phantom{\rule{0ex}{0ex}}={\left|M\u27e9\right.}_{u}\left[{\otimes}_{i=1}^{N}{R}_{y}\left({s}_{i}\right){\left|M\u27e9\right.}_{d}\right]\phantom{\rule{0ex}{0ex}}=\left[{\otimes}_{i=1}^{N}{R}_{y}\left({m}_{i}\right){\left|\phi \u27e9\right.}_{u}^{\left(i\right)}\right]\left[{\otimes}_{i=1}^{N}{R}_{y}\left({s}_{i}\right){R}_{y}\left({m}_{i}\right){\left|\phi \u27e9\right.}_{d}^{\left(i\right)}\right].$$

Here, $S=\left({s}_{1},{s}_{2},{s}_{3},\dots ,{s}_{N}\right)$ is a rotation angle sequence, $0\xb0\le {s}_{i}\le 360\xb0$. In addition, $S$ is a private key known only to Alice. Furthermore, we call ${\left|M\u27e9\right.}_{u}{\left|S\u27e9\right.}_{d}$ to a QMAC state pair.

In the quantum encryption stage, Alice applies quantum encryption ${\sigma}_{{k}_{AB}^{i}}{H}^{{k}_{H}^{i}}$ to the QMAC state pair ${\left|M\u27e9\right.}_{u}{\left|S\u27e9\right.}_{d}$ of Equation (4);

$${\left|M\u27e9\right.}_{u}\left[{\otimes}_{i=1}^{N}{\sigma}_{{k}_{AB}^{i}}{H}^{{k}_{H}^{i}}{\left|S\u27e9\right.}_{d}\right].$$

Here, ${\left|M\u27e9\right.}_{u}\left[{\otimes}_{i=1}^{N}{\sigma}_{{k}_{AB}^{i}}{H}^{{k}_{H}^{i}}{\left|S\u27e9\right.}_{d}\right]$ is an encrypted QMAC state pair, and then she sends it to Bob. This quantum encryption is an essential function for verifying that the entity sending the QMAC pair is Alice and for protecting against forgery.

The rotation angles ${m}_{i}$ and ${s}_{1}$ are the elements of the finite discrete variable set. For applying them to real protocols, Alice and Bob must preset the range of the finite discrete variable set and pre-decide how to divide the set range. For example, if Alice and Bob split the rotation angle from $0\xb0\mathrm{to}360\xb0$ in intervals of $10\xb0$, then the finite discrete variable set becomes $\left\{0\xb0,10\xb0,20\xb0,\dots ,350\xb0\right\}$. Here, the size of the discrete variable set is determined by the performance of the experimental apparatus. Therefore, as the performance of experimental apparatus improves, the size of the discrete variable set increases. Increasing the size of the discrete variable set means that the rotation angle can be subdivided, and this can lead to authenticating more information compared with using the four states of the BB84 protocol. On the other hand, If the performance of the experimental apparatus is poor, the size of the discrete variable set decreases. Then, the rotation angle cannot be subdivided, and information that can be authenticated decreases. Additionally, in this situation, if the communication members use the subdivided rotation angles to such an extent that the experimental apparatus cannot distinguish, detecting the malicious behavior of Eve is impossible.

The verification phase is divided into five stages: “quantum decryption”, “Bob’s encryption”, “QMAC recovery”, “Bob’s decryption”, and “swap test”. In Stage 1, for quantum decryption, Bob uses secret key sequences ${K}_{AB}$ and ${K}_{H}$, which were pre-shared with Alice to decrypt the encrypted QMAC state pair ${\left|M\u27e9\right.}_{u}\left[{\otimes}_{i=1}^{N}{\sigma}_{{k}_{AB}^{i}}{H}^{{k}_{H}^{i}}{\left|S\u27e9\right.}_{d}\right]$ in Equation $\left(5\right)$, received from Alice to obtain the QMAC state pair ${\left|M\u27e9\right.}_{u}{\left|S\u27e9\right.}_{d}$ of Equation $\left(4\right)$. In Stage 2, Bob’s encryption, Bob generates his own private key sequence $B=\left({b}_{1},{b}_{2},\dots ,{b}_{N}\right)$ and re-encrypts quantum state ${\left|S\u27e9\right.}_{d}={\otimes}_{i=1}^{N}{R}_{y}\left({s}_{i}\right){\left|M\u27e9\right.}_{d}$ with it to obtain quantum state ${\left|S\prime \u27e9\right.}_{d}={\otimes}_{i=1}^{N}{R}_{y}\left({b}_{i}\right){\left|S\u27e9\right.}_{d}$. Then, he sends ${\left|S\prime \u27e9\right.}_{d}$ to Alice while keeping the other quantum message state ${\left|M\u27e9\right.}_{u}$. In Stage 3, QMAC recovery, Alice uses her own private key sequence $S$ to apply rotation operator ${\otimes}_{i=1}^{N}{R}_{y}\left(-{s}_{i}\right)$ to quantum state ${\left|S\prime \u27e9\right.}_{d}$ and sends quantum state ${\left|S\prime \prime \u27e9\right.}_{d}={\otimes}_{i=1}^{N}{R}_{y}\left(-{s}_{i}\right){\left|S\prime \right.}_{d}$ to Bob. In Stage 4, Bob’s decryption, Bob uses his own private key sequence $B$ and applies rotation operator ${\otimes}_{i=1}^{N}{R}_{y}\left(-{b}_{i}\right)$ to quantum state ${\left|S\prime \prime \u27e9\right.}_{d}$ to obtain quantum message state ${\left|M\prime \u27e9\right.}_{d}={\otimes}_{i=1}^{N}{R}_{y}\left(-{b}_{i}\right){\left|S\prime \prime \u27e9\right.}_{d}$. Because the proposed quantum message authentication based on the quantum three-pass protocol operates Alice’s private key ${s}_{i}$, there is a need for a method to verify the encrypted QMAC pair described thus far. This is an important element that the proposed protocol can guarantee the origin of quantum message. In addition, to avoid counterfeiting, it is assumed that quantum encryption such as ${\sigma}_{{k}_{AB}^{i}}{H}^{{k}_{H}^{i}}$ in Equation $\left(5\right)$ is applied to Alice and Bob in every process of exchanging quantum states.

In the final stage, Bob performs the swap test [42,45] twice to verify the QMAC state pair. In the first swap test, Bob verifies whether quantum message state ${\left|M\u27e9\right.}_{u}$ and quantum message state ${\left|M\prime \u27e9\right.}_{d}$ are the same. If the test result reveals that ${\left|M\u27e9\right.}_{u}$ and ${\left|M\prime \u27e9\right.}_{d}$ agree, Bob accepts QMAC state pair ${\left|M\u27e9\right.}_{u}{\left|S\u27e9\right.}_{d}$ sent by Alice. Otherwise, he does not accept it. In the second swap test, Bob generates quantum state $\left|M\prime \prime \u27e9\right.$ corresponding to the public bit message sequence $M$ and verifies that it matches quantum message state ${\left|M\u27e9\right.}_{u}$ or ${\left|M\prime \u27e9\right.}_{d}$. If the test result reveals that ($\left|M\prime \prime \u27e9\right.$, ${\left|M\u27e9\right.}_{u}$) or ($\left|M\prime \prime \u27e9\right.$, ${\left|M\prime \u27e9\right.}_{d}$) agree, then the integrity of QMAC state pair ${\left|M\u27e9\right.}_{u}{\left|S\u27e9\right.}_{d}$ is verified completely. For the second swap test, it is noted that the first swap test requires a non-demolition swap test. Figure 2 shows the swap test in the circuit, and the result of inputting
and
in the second and third lines of the circuit is expressed as follows:

$${\left|{m}_{i}\u27e9\right.}_{u}={R}_{y}\left({m}_{i}\right){\left|\phi \u27e9\right.}_{u}^{\left(i\right)}$$

$${\left|{m}_{i}^{\prime}\u27e9\right.}_{d}={R}_{y}\left({m}_{i}^{\prime}\right){\left|\phi \u27e9\right.}_{d}^{\left(i\right)}$$

$$\frac{1}{\sqrt{2}}{\left|0\u27e9\right.}_{ancilla}\left[\frac{1}{\sqrt{2}}\left({\left|{m}_{i}\u27e9\right.}_{u}{\left|{m}_{i}^{\prime}\u27e9\right.}_{d}+{\left|{m}_{i}^{\prime}\u27e9\right.}_{u}{\left|{m}_{i}\u27e9\right.}_{d}\right)\right]+\frac{1}{\sqrt{2}}{\left|1\u27e9\right.}_{ancilla}\left[\frac{1}{\sqrt{2}}\left({\left|{m}_{i}\u27e9\right.}_{u}{\left|{m}_{i}^{\prime}\u27e9\right.}_{d}-{\left|{m}_{i}^{\prime}\right.}_{u}{\left|{m}_{i}\u27e9\right.}_{d}\right)\right].$$

If ${\left|{m}_{i}\u27e9\right.}_{u}$ and ${\left|{m}_{i}^{\prime}\u27e9\right.}_{d}$ agree, the above equation becomes ${\left|0\u27e9\right.}_{ancilla}\left[\frac{1}{\sqrt{2}}\left({\left|{m}_{i}\u27e9\right.}_{u}{\left|{m}_{i}^{\prime}\u27e9\right.}_{d}+{\left|{m}_{i}^{\prime}\u27e9\right.}_{u}{\left|{m}_{i}\u27e9\right.}_{d}\right)\right]$, which makes the measurement outcome of the ancilla state to always be $\left|0\u27e9\right.$. However, if ${\left|{m}_{i}\u27e9\right.}_{u}$ and ${\left|{m}_{i}^{\prime}\u27e9\right.}_{d}$ do not agree, the measurement outcome becomes $\left|0\u27e9\right.$ with a probability $\left(1+{\epsilon}^{2}\right)/2$ or becomes $\left|1\u27e9\right.$ with a probability $\left(1+{\epsilon}^{2}\right)/2$, where $\epsilon ={|}_{d}\u27e8{m}_{i}^{\prime}\left|{m}_{i}{\u27e9}_{u}\right|$ and $0\le \epsilon \le 1$. Therefore, if the swap test result of the measurement is $\left|1\u27e9\right.$, we know that ${\left|{m}_{i}\u27e9\right.}_{u}$ and ${\left|{m}_{i}^{\prime}\u27e9\right.}_{d}$ are different. If the result is $\left|1\u27e9\right.$, we cannot guarantee that ${\left|{m}_{i}\u27e9\right.}_{u}$ and ${\left|{m}_{i}^{\prime}\u27e9\right.}_{d}$ are the same. The parameter $\epsilon $ is determined by the arbitrary quantum state components ${\left|{m}_{i}\u27e9\right.}_{u}$ of Equation $\left(6\right)$ and ${\left|{m}_{i}^{\prime}\u27e9\right.}_{d}$ of Equation $\left(7\right)$. If the two rotation angles ${m}_{i}$ and ${m}_{i}^{\prime}$ are the same, i.e., ${m}_{i}={m}_{i}^{\prime}$, then the value of parameter $\epsilon $ is $1$. On the other hand, if the difference between ${m}_{i}$ and ${m}_{i}^{\prime}$ is $180\xb0$, i.e., ${m}_{i}={m}_{i}^{\prime}\pm 180\xb0$, then the parameter $\epsilon $ is $0$. As a result, according to rotation angles ${m}_{i}$ and ${m}_{i}^{\prime}$, the parameter $\epsilon $ has a value between 0 and 1, $0\le \epsilon \le 1$. Further, the probability of failure in the verification phase is the total error probability ${P}_{e}$ for $N$ qubits as follows:

$${P}_{e}\le {\otimes}_{i=1}^{N}\left[\left(1+{{|}_{d}\u27e8{m}_{i}^{\prime}\left|{m}_{i}{\u27e9}_{u}\right|}^{2}\right)/2\right]$$

Therefore, it is expected that the swap test will work well even though the quantum state sequence is finite. Hence, the probability of failure in the verification phase becomes lower, approaching ${P}_{e}$ as the size of the quantum state sequence $N$ becomes considerably larger [42,45]. For an arbitrary ${\left|{m}_{i}\u27e9\right.}_{u}$, a random choice for ${\left|{m}_{i}^{\prime}\u27e9\right.}_{d}$ on the ${R}_{y}\left({m}_{i}^{\prime}\right)$—rotation circle, the average of ${\epsilon}^{2}$ is $1/2$. In this case, the upper bound of the total error probability ${P}_{e}$ is ${\left(3/4\right)}^{N}$. If the size of the quantum state sequence is $15$, then the upper bound of the total error probability ${P}_{e}$ is only approximately $1.3\%$. Therefore, it is expected that the swap test will work well even though the quantum state sequence is finite.

Eve, including Bob, may try to obtain Alice’s private key. Especially, as described in Section 2.3, malicious Bob may try to know Alice’s private key sequence $S=\left({s}_{1},{s}_{2},{s}_{3},\dots ,{s}_{N}\right)$, which consists of the degrees of rotation about $\widehat{y}$-axis from ${\left|S\u27e9\right.}_{d}={\otimes}_{i=1}^{N}{R}_{y}\left({s}_{i}\right){\left|M\u27e9\right.}_{d}$ in Equation $\left(4\right)$. However, the security of Alice’s private key sequence $S$ is guaranteed by Holevo’s theorem, as follows [19,32]:

$$I\left(x,S\right)\le V\left(\rho \right)\le H\left(S\right)$$

Here, $H\left(S\right)$ is the Shannon entropy of the sequence of arbitrary rotation angle ${s}_{i}$, $V\left(\rho \right)$ is the von Neumann entropy of mixed state $\rho $ that Eve can acquire through the arbitrary measurement of the quantum state ${\left|S\u27e9\right.}_{d}={\otimes}_{i=1}^{N}{R}_{y}\left({s}_{i}\right){\left|M\u27e9\right.}_{d}$, and $I\left(x,S\right)$ is the mutual information between arbitrary rotation ${s}_{i}$ and measurement outcomes $x$. As we can see in Equation $\left(10\right)$, the amount of mutual information about the arbitrary rotation angle sequence $S$ that Bob acquires using measurement outcomes $x$ is limited, and thus, it is impossible for Eve to obtain the information of $S$. Based on the same principle, the security of Bob’s private key sequence $B=\left({b}_{1},{b}_{2},{b}_{3},\dots ,{b}_{N}\right)$ is guaranteed.

Many quantum message authentication and signature protocols use quantum encryption implemented by Pauli operators to ensure message integrity and message origin authentication. A QMAC pair (or quantum signature pair), which is composed of a quantum message and an encrypted quantum message, checks the forgery and modulation of the QMAC pair (or quantum signature pair) using a swap test [34]. As described in Section 2.3, Bob validates the original quantum message state ${\left|M\u27e9\right.}_{u}$ and the recovered quantum message state ${\left|M\prime \u27e9\right.}_{d}$ from the QMAC state pair of Equation $\left(4\right)$ using the swap test. Bob can be sure that ${\left|M\u27e9\right.}_{u}$ and ${\left|M\prime \u27e9\right.}_{d}$ are the same quantum state from the outcomes of the swap test. However, it is not known whether they match the original message $M$. Because of the limitations of this swap test, the proposed protocol can be falsified in two ways.

The first falsification method is that Alice creates a modulated QMAC pair
with the two same quantum states ${\left|\tilde{M}\u27e9\right.}_{u}$ and ${\left|\tilde{M\prime}\u27e9\right.}_{d}$ that do not correspond to the original message $M$ and sends it to Bob. In this case, Bob cannot detect Alice’s malicious behaviour even if he verifies that the two quantum states ${\left|\tilde{M}\u27e9\right.}_{u}$ and ${\left|\tilde{M\prime}\u27e9\right.}_{d}$ are the same from the QMAC pair by using the swap test. To prevent this, Alice must disclose message $M$. Additionally, Bob needs an additional process to validate $\left|M\prime \prime \u27e9\right.$, which is converted to a quantum state, and ${\left|M\u27e9\right.}_{u}$ or ${\left|M\prime \u27e9\right.}_{d}$ by using the swap test.

$$I\left(x,S\right)\le V\left(\rho \right)\le H\left(S\right)$$

Second, Eve can try Gao’s forgery to apply Pauli operators to a QMAC pair [34,46]. Recently, Gao et al. showed that even if an adversary applies the arbitrary Pauli operator to the QMAC pair (or quantum signature pair), the swap test could not detect it because of the commutation relation of Pauli operators [46]. This is called Gao’s forgery, and it can be considered as an existential forgery [34] of modern cryptosystems because it randomly forges QMAC pairs (or quantum signature pairs), which are arbitrary quantum states. The posing of this security problem by Gao et al. was a major turning point in the study of quantum message authentication (or quantum signature) protocols. In 2011, Choi et al. proposed the (I, H)- or (U, V)-type quantum encryption scheme to cope with Gao’s forgery [47,48]. In 2013, Zhang et al. pointed out that the encryption scheme of Choi et al. was still insecure against Gao’s forgery, and instead they proposed the key-controlled-"I" quantum one-time pad or key-controlled-"T" quantum one-time pad [49,50] as an alternative. The four unitary operators of the controlled-I quantum one-time pad are ${W}_{00}=\left({\sigma}_{x}+{\sigma}_{z}\right)/\sqrt{2}$, ${W}_{01}=\left({\sigma}_{y}+{\sigma}_{z}\right)/\sqrt{2}$, ${W}_{10}=\left(I+i{\sigma}_{x}-i{\sigma}_{y}+i{\sigma}_{z}\right)/\sqrt{2}$, and ${W}_{10}=\left(I+i{\sigma}_{x}+i{\sigma}_{y}+i{\sigma}_{z}\right)/\sqrt{2}$. However, the encryption scheme of Zhang et al. is not easy to implement with simple hardware. In contrast, we propose a quantum encryption scheme with a single qubit unitary operation by randomly using unitary operator $H$, which can be easily implemented by controlling wave plates and an authentication protocol. Therefore, the proposed protocol is robust against an existential forgery. Section 4.3 in Ref. [22] shows that unitary operators can be used randomly to prevent Gao’s forgery. The detailed implementation of our experimental setup and the testing results of the quantum three-pass protocol and security against Gao’s forgery are described in Section 4. Finally, to prevent Gao’s forgery in the proposed protocol, the quantum encryption scheme should be applied to all processes in which Alice and Bob exchange quantum states.

To clarify the origin of the quantum message, the proposed quantum message authentication operates by using not only the secret key pre-shared by Alice and Bob but also Alice’s private key. In general, message authentication guarantees the origin of message authentication by using a secret key previously shared by Alice and Bob. At this time, as the user who can create a message authentication code (MAC) pair can be Alice or Bob, the origin of the message may become unclear. On the other hand, in the proposed protocol, Alice generates a QMAC pair ${\left|M\u27e9\right.}_{u}{\left|S\u27e9\right.}_{d}$ of Equation $\left(4\right)$ by using a private key sequence $S=\left({s}_{1},{s}_{2},{s}_{3},\dots ,{s}_{N}\right)$ known only to her; thus, the possibility of such a dispute is very low.

Figure 3a shows the implementation setup of our proposed quantum message authentication protocol. With this setup, we have experimentally proved that the proposed QMAC is robust against existential forgery. Each stage is implemented with a linear combination of wave plates; that is, the y-axis rotation operator ${R}_{y}\left(\theta \right)$, the unitary operator $H$, and the Pauli operators are implemented by combinations of half-wave plates (HWPs) and quarter-wave plates (QWPs). Figure 3b schematically shows a possible forgery attack that Eve can try. Eve can attempt a forgery attack using the same Pauli operators ${\sigma}_{{e}_{i}}={\sigma}_{{e}_{i}^{\prime}}$ [46], or she can attempt a forgery attack using different Pauli operators ${\sigma}_{{e}_{i}}\ne {\sigma}_{{e}_{i}^{\prime}}$ [49,50]. We define these two approaches as an original and improved Gao’s Forgeries, respectively. To prevent Gao’s forgeries, we need to choose unitary operator $H$ randomly. We explain this in detail at the end of this section.

We assume that Alice and Bob have already pre-shared the secret key sequences in the preparation phase. For the message authentication phase, we implemented message generation, QMAC generation, and quantum encryption using wave plates on Alice’s side. To create correlated photon pairs, Type-I spontaneous parametric down-conversion (SPDC) photon pairs were generated in a beta barium borate (BBO) crystal pumped by a multimode diode laser with a 408-nm wavelength. The SPDC photon pairs have the same H-polarization and an 816-nm wavelength. The photon pairs are emitted with a noncollinear angle of $3.3\xb0$. One of the photons goes through only the rotation operator for message generation, and the other experiences the sequence of operations from message generation through the quantum encryption scheme with a single qubit unitary operator. Then, they are delivered to Bob. For the verification phase, one photon is kept on Bob’s side, and the other photon experiences quantum decryption and Bob’s encryption implemented by the wave plate, after which Bob sends it to Alice. Alice then decrypts it by using QMAC recovery. In our experiment, we installed the QMAC recovery stage between Bob’s encryption and Bob’s decryption for convenience of implementation; it is marked by yellow shading in Figure 3a. Finally, after Bob’s decryption, the swap test that verifies the agreement of the two photon sequences is performed using the Hong–Ou–Mandel interferometer. The Hong–Ou–Mandel dip confirms the similarity between the two photons, which is the last step of the implementation of the proposed quantum message authentication protocol.

In other words, the realization of the quantum three-pass protocol, quantum encryption scheme, and the robustness of Gao’s forgery can be confirmed by the Hong–Ou–Mandel Dip. Hong–Ou–Mandel interference is the same as the destructive swap test [40]. Because the destructive swap test does not have an ancilla qubit unlike the controlled swap test, the two quantum states that are compared are directly measured and collapsed. For this reason, we performed only the first swap test in the two swap tests shown in Figure 1. To implement the second swap test in Figure 1 using Hong–Ou–Mandel interference, there is a need for more resources (e.g., single photons and wave plates) than the current experimental setup. There are other ways to implement a second swap test by using an experimental controlled swap gate that was recently implemented [51].

We tested the feasibility of our protocol with the experimental setup for the case without Gao’s forgery. First, we verified that the quantum three-pass protocol (Figure 3) was working correctly. As shown in Figure 4a, when the half-wave plate $\mathrm{H}1\prime $s angle ${s}_{i}/4$ is $-{120}^{\xb0}$, the coincidence count reaches its minimum at the half-wave plate $\mathrm{H}3\prime $s angles $-{s}_{i}/4={30}^{\xb0},{120}^{\xb0}$ as expected. This indicates that Alice generates the QMAC state by applying rotation operator ${R}_{y}\left(-{120}^{\xb0}\right)$ and then uses rotation operator ${R}_{y}\left(-{120}^{\xb0}\pm \pi n/2\right)$ to recover the QMAC state, where $n$ is an integer, because the period of the half-wave plate is $\pi /2$. The red plots represent the averages of the coincidence counts over one second. In Figure 4b, we recognize that Bob’s encryption and decryption also work well. When the half-wave plate $\mathrm{H}2\prime $s angle ${b}_{i}/4$ is $-{60}^{\xb0}$, the Hong–Ou–Mandel dip occurs at the half-wave plate $\mathrm{H}4\prime $s angles $-{b}_{i}/4={60}^{\xb0},{150}^{\xb0}$. Bob uses rotation operator ${R}_{y}\left(-{60}^{\xb0}\right)$ to re-encrypt the QMAC state, and then he decrypts the re-encrypted QMAC state by applying rotation operator ${R}_{y}\left({60}^{\xb0}\pm \pi n/2\right)$, where $n$ is an integer. In Figure 4, the experimental data are the average of $10$ measurements per $10$ s.

During this time, the averages of single counts were $27,000$ and $27,000$, respectively, and coincidence windows are $5$ ns; the maximum value of the coincidence counts after accidental coincidences were removed was $127$, and the minimum value was $2$.

Second, we tested the quantum encryption and decryption. If Alice and Bob are proper users who previously shared secret key sequences ${K}_{AB}$ and ${K}_{H}$ then the quantum message states ${\left|M\u27e9\right.}_{u}$ and ${\left|M\prime \u27e9\right.}_{d}$ should be identical. Bob can check the correspondence of these states using the Hong–Ou–Mandel interferometer [38,39]. Figure 4 shows the experimental results for Alice’s quantum encryption and Bob’s quantum decryption. ${P}_{c}$ is the coincidence probability of Hong–Ou–Mandel interference, and ${\overline{P}}_{c}=1-{P}_{c}$ represents the probability of two quantum message states matching. Figure 5a,b represents whether operator $H$ exists or not, respectively. Although theoretically, the red blocks on the diagonal in both cases should be $100\%$, experimentally they are greater than $82\%$ and $76\%$, respectively. On the other hand, the blue blocks off the diagonal, when Alice and Bob share different secret keys ${k}_{AB}^{i}$ and ${k}_{H}^{i}$, ${\left|M\u27e9\right.}_{u}$ and ${\left|M\prime \u27e9\right.}_{d}$ have different quantum states, and the respective probabilities are less than $41\%$ and less than $46\%$. Considering that theoretically ${\overline{P}}_{c}$ can only have less than $50\%$, the measurement results prove that our scheme works well. From these results, we can conclude that the encryption operates properly because ${\overline{P}}_{c}$ is greater than $76\%$ in the case of the same operators and ${\overline{P}}_{c}$ is less than $46\%$ in the case of different operators regardless of the existence of operator $H$. The above theoretical values are derived from the success probability ${\u03f5}^{2}={{|}_{d}\u27e8{\psi}_{i}^{\prime}\left|{\psi}_{i}{\u27e9}_{u}\right|}^{2}$ of the swap test, with ${\left|{\psi}_{i}\u27e9\right.}_{u}={U}_{i}{R}_{y}\left({m}_{i}\right){\left|0\u27e9\right.}_{u}^{\left(i\right)}$, ${\left|{\psi}_{i}^{\prime}\u27e9\right.}_{d}={U}_{i}^{\prime}{R}_{y}\left({m}_{i}\right){\left|0\u27e9\right.}_{d}^{\left(i\right)}$, ${U}_{i},{U}_{i}^{\prime}\in \left\{I,{\sigma}_{x},{\sigma}_{y},{\sigma}_{z},H,{\sigma}_{x}H,{\sigma}_{y}H,{\sigma}_{z}H\right\}$, and ${m}_{i}={135}^{\xb0}$. Errors in the experiment shown in Figure 5 could be due to an inherent error of the swap test, birefringence in the beam splitter, and/or systematic errors in the wave-plate setting [38,39,42,45].

From the measurement results given in Figure 4 and Figure 5, we have demonstrated that our implementation succeeds in realizing the proposed protocol. Although there are some errors due to unavoidable imperfections of the realization, our practical implementation still performs message integrity and message origin authentication successfully only if our protocol is applied to multiple bits sequentially and analyzed statistically.

Gao et al. demonstrated the possibility of existential forgery in the case of quantum message authentication that includes a swap test [34,46,48]. In other words, if the QMAC state pair that Alice generates is not encrypted, Alice cannot detect Eve’s intervention. In the quantum encryption ${\sigma}_{{k}_{AB}^{i}}{H}^{{k}_{H}^{i}}$ in Equation $\left(5\right)$, the secret key ${k}_{AB}^{i}\in \left\{00,01,10,11\right\}$ and ${k}_{H}^{i}\in \left\{0,1\right\}$ correspond to the Pauli operator ${\sigma}_{{k}_{AB}^{i}}\in \left\{I,{\sigma}_{x},{\sigma}_{y},{\sigma}_{z}\right\}$ and the operator ${H}^{{k}_{AB}^{i}}\in \left\{I,H\right\}$ of quantum encryption with a single qubit unitary operator, respectively. The two bits information ${e}_{i}\in \left\{00,01,10,11\right\}$ corresponds to the Pauli operator ${\sigma}_{{e}_{i}}\in \left\{I,{\sigma}_{x},{\sigma}_{y},{\sigma}_{z}\right\}$ for Gao’s Attack. For example, if ${k}_{AB}^{i}=01$, ${k}_{H}^{i}=0$, an encrypted QMAC state pair is

$${\left|M\u27e9\right.}_{u}\left[{\mathsf{\sigma}}_{01}{H}^{0}{\left|S\u27e9\right.}_{d}\left]={\left|M\u27e9\right.}_{u}\right[{\mathsf{\sigma}}_{\mathrm{x}}{\left|S\u27e9\right.}_{d}\right]$$

In addition, the forged QMAC state pair by Eve’s Pauli operator ${\mathsf{\sigma}}_{10}\left(={\mathsf{\sigma}}_{\mathrm{y}}\right)$ is

$${\mathsf{\sigma}}_{10}{\left|M\u27e9\right.}_{u}\left[{\mathsf{\sigma}}_{10}{\mathsf{\sigma}}_{01}{H}^{0}{\left|S\u27e9\right.}_{d}\right]={\mathsf{\sigma}}_{\mathrm{y}}{\left|M\u27e9\right.}_{u}\left[{\mathsf{\sigma}}_{\mathrm{y}}{\mathsf{\sigma}}_{\mathrm{x}}{\left|S\u27e9\right.}_{d}\right]$$

The forged QMAC state pair of Equation $\left(13\right)$ transforms into the following state after a decryption process:

$${\mathsf{\sigma}}_{10}{\left|M\u27e9\right.}_{u}\left[{\left({H}^{\u2020}\right)}^{0}{\mathsf{\sigma}}_{01}{\mathsf{\sigma}}_{10}{\mathsf{\sigma}}_{01}{H}^{0}{\left|S\u27e9\right.}_{d}\right]={\mathsf{\sigma}}_{\mathrm{y}}{\left|M\u27e9\right.}_{u}\left[{\mathsf{\sigma}}_{\mathrm{x}}{\mathsf{\sigma}}_{\mathrm{y}}{\mathsf{\sigma}}_{\mathrm{x}}{\left|S\u27e9\right.}_{d}\right]={\mathsf{\sigma}}_{\mathrm{y}}{\left|M\u27e9\right.}_{u}\left[-{\mathsf{\sigma}}_{\mathrm{y}}{\left|S\u27e9\right.}_{d}\right].$$

Assuming that ${\left|M\u27e9\right.}_{u}$ and ${\left|S\u27e9\right.}_{d}$ of Equation $\left(14\right)$ are the same, Eve succeeded in attacking because the Pauli operator ${\mathsf{\sigma}}_{\mathrm{y}}$ remained in the first and second qubits of Equation $\left(14\right)$. This is the first method to forge the quantum message code or quantum signature pair proposed by Gao et al. [34,46,48].

As another example, if ${k}_{AB}^{i}=01,{k}_{H}^{i}=1$, an encrypted QMAC state pair is

$${\left|M\u27e9\right.}_{u}\left[{\mathsf{\sigma}}_{01}{H}^{1}{\left|S\u27e9\right.}_{d}\left]={\left|M\u27e9\right.}_{u}\right[{\mathsf{\sigma}}_{\mathrm{x}}H{\left|S\u27e9\right.}_{d}\right].$$

The forged QMAC state pair by Eve’s Pauli operator ${\mathsf{\sigma}}_{10}\left(={\mathsf{\sigma}}_{\mathrm{y}}\right)$ is

$${\mathsf{\sigma}}_{10}{\left|M\u27e9\right.}_{u}\left[{\mathsf{\sigma}}_{10}{\mathsf{\sigma}}_{01}{H}^{1}{\left|S\u27e9\right.}_{d}\left]={\mathsf{\sigma}}_{\mathrm{y}}{\left|M\u27e9\right.}_{u}\right[{\mathsf{\sigma}}_{\mathrm{y}}{\mathsf{\sigma}}_{\mathrm{x}}H{\left|S\u27e9\right.}_{d}\right].$$

The forged QMAC state pair transforms into the following state after a decryption process:

$${\mathsf{\sigma}}_{10}{\left|M\u27e9\right.}_{\mathrm{u}}\left[{\left({H}^{\u2020}\right)}^{1}{\mathsf{\sigma}}_{01}{\mathsf{\sigma}}_{10}{\mathsf{\sigma}}_{01}{H}^{1}{\left|S\u27e9\right.}_{\mathrm{d}}\right]={\mathsf{\sigma}}_{\mathrm{y}}{\left|M\u27e9\right.}_{u}\left[{H}^{\u2020}{\mathsf{\sigma}}_{\mathrm{x}}{\mathsf{\sigma}}_{\mathrm{y}}{\mathsf{\sigma}}_{\mathrm{x}}H{\left|S\u27e9\right.}_{d}\left]={\mathsf{\sigma}}_{\mathrm{y}}{\left|M\u27e9\right.}_{1}\right[-{\mathsf{\sigma}}_{\mathrm{x}}{\left|S\u27e9\right.}_{2}\right]$$

Despite the assumption that ${\left|M\u27e9\right.}_{u}$ and ${\left|S\u27e9\right.}_{d}$ of Equation $\left(17\right)$ are the same, Eve’s attack is unsuccessful. The reason is that the Pauli operators ${\mathsf{\sigma}}_{\mathrm{y}}$ and ${\mathsf{\sigma}}_{\mathrm{x}}$ remained in the first and second qubits of Equation $\left(17\right)$, respectively. This is the (I, H)-type quantum encryption proposed to overcome Gao’s forgery [47]. Zhang et al., however, showed that the (I, H)-type quantum encryption is not secure for improved Gao’s forgery [49,50]. We [19,34] overcome the original Gao’s forgery [46] or the improved Gao’s forgery [49,50] with quantum encryption ${\mathsf{\sigma}}_{{k}_{AB}^{i}}{H}^{{k}_{H}^{i}}$, which randomly uses operator $H.$ Here, the number of all possible cases of quantum encryption ${\mathsf{\sigma}}_{{k}_{AB}^{i}}{H}^{{k}_{H}^{i}}\in \left\{I,{\mathsf{\sigma}}_{\mathrm{x}},{\mathsf{\sigma}}_{\mathrm{y}},{\mathsf{\sigma}}_{\mathrm{z}},H,{\mathsf{\sigma}}_{\mathrm{x}}H,{\mathsf{\sigma}}_{\mathrm{y}}H,{\mathsf{\sigma}}_{\mathrm{z}}H\right\}$ is 8. Furthermore, except ${\mathsf{\sigma}}_{{e}_{i}}=I$, there are three possible ways that Eve can attack with ${\mathsf{\sigma}}_{{e}_{i}}$. Therefore, there are a total of 24 forgery cases using the Pauli operator ${\mathsf{\sigma}}_{{e}_{i}}$ in the encrypted QMAC state pair ${\left|M\u27e9\right.}_{u}\left[{\mathsf{\sigma}}_{{k}_{AB}^{i}}{H}^{{k}_{H}^{i}}{\left|S\u27e9\right.}_{d}\right]$ of Equation $\left(5\right)$ in the manuscript, Table 1 lists these 24 cases, and Figure 6 shows the results of the experiment with the existential forgery using the Pauli operator for 12 cases in Table 1.

We have proposed a new quantum message authentication protocol including quantum encryption for improving security against an existential forgery. Additionally, a practical implementation of the proposed protocol has been developed and its robustness against existential forgery has been verified experimentally. It consists of wave plates and the Hong–Ou–Mandel interferometer. The measurement results for each function—QMAC generation and recovery, Bob’s encryption and decryption, and quantum encryption and decryption—successfully show the feasibility of robustness against Gao’s forgeries.

The system loss and the optical channel loss, etc., should be considered when applying our protocol to real implementation. Let us assume that Alice and Bob use the single photon detector with 20% efficiency and are connected by 30-km single-mode fiber with 0.2 dB/km loss. In a result, the total efficiency becomes $0.08\%$ because the qubits are pass through total 100 km, and if the QMAC pairs are generated at 100 MHz, Bob can receive $8\times {10}^{4}\mathrm{pairs}/\mathrm{s}$. As we mentioned in Section 2, the size of the quantum state sequence should be more than $15$. Therefore, Alice must generate at least $1.9\times {10}^{4}$ QMAC pairs, i.e., $\left(1.9\times {10}^{4}\right)\times 0.08\%=15$ that is quite implementable number, and send them to Bob to ensure this accuracy of the swap test.

Our protocol can be used as an arbitrated quantum signature protocol if a trusted center (TC) is added in the communication channel used by Alice and Bob [19]. In addition, if freshness property is added to our protocol, it can be used for quantum entity authentication as well [1,52]. In conclusion, we have proposed the base technology for a complete quantum cryptosystem that provides confidentiality, authentication, integrity, and nonrepudiation.

M.-S.K. conceived the main idea. M.-S.K. wrote the manuscript. M.-S.K. and Y.-S.K. developed the experimental setup and performed the experiment. M.-S.K., Y.-S.K., J.-W.C., H.-J.Y. and S.-W.H. analyzed the results. S.-W.H. supervised the whole project. All authors reviewed the manuscript. All authors have read and agreed to the published version of the manuscript.

Korea Institute of Science and Technology (2E30620); National Research Foundation of Korea (2019 M3E4A107866011, 2019M3E4A1079777, 2019R1A2C2 006381); Institute for Information and Communications Technology Promotion (2020-0-00947, 2020-0-00972).

Not applicable.

Not applicable.

Not applicable.

The authors declare no conflict of interest.

- Menezes, A.J.; Van Oorschot, P.C.; Vanstone, S.A. Handbook of Applied Cryptography; CRC Press: Boca Raton, FL, USA, 1997. [Google Scholar]
- Stinson, D.R. Cryptography; Chapman & Hall/CRC: Boca Raton, FL, USA, 2006. [Google Scholar]
- Bennett, C.H. Quantum crytography. In Proceedings of the International Conference on Computers, Systems & Signal Processing, Bangalore, India, 10–12 December 1984; pp. 175–179. [Google Scholar]
- Bennett, C.H. Quantum cryptography using any two nonorthogonal states. Phys. Rev. Lett.
**1992**, 68, 3121–3124. [Google Scholar] [CrossRef] - Fuchs, C.A.; Gisin, N.; Griffiths, R.B.; Niu, C.-S.; Peres, A. Optimal eavesdropping in quantum cryptography. I. Information bound and optimal strategy. Phys. Rev. A
**1997**, 56, 1163. [Google Scholar] [CrossRef][Green Version] - Scarani, V.; Acin, A.; Ribordy, G.; Gisin, N. Quantum cryptography protocols robust against photon number splitting attacks for weak laser pulse implementations. Phys. Rev. Lett.
**2004**, 92, 057901. [Google Scholar] [CrossRef][Green Version] - Brassard, G.; Crépeau, C. 25 years of quantum cryptography. ACM Sigact News
**1996**, 27, 13–24. [Google Scholar] [CrossRef] - Lo, H.K.; Chau, H.F. Unconditional security of quantum key distribution over arbitrarily long distances. Science
**1999**, 283, 2050–2056. [Google Scholar] [CrossRef] [PubMed][Green Version] - Shor, P.W.; Preskill, J. Simple proof of security of the BB84 quantum key distribution protocol. Phys. Rev. Lett.
**2000**, 85, 441–444. [Google Scholar] [CrossRef][Green Version] - Gisin, N.; Ribordy, G.; Tittel, W.; Zbinden, H. Quantum cryptography. Rev. Mod. Phys.
**2002**, 74, 145. [Google Scholar] [CrossRef][Green Version] - Curty, M.; Santos, D.J. Quantum authentication of classical messages. Phys. Rev. A
**2001**, 64. [Google Scholar] [CrossRef][Green Version] - Barnum, H.; Crépeau, C.; Gottesman, D.; Smith, A.; Tapp, A. Authentication of quantum messages. In Proceedings of the 43rd Annual IEEE Symposium on the Foundations of Computer Science, Vancouver, BC, Canada, 19 November 2002; pp. 449–458. [Google Scholar]
- Kang, M.S.; Choi, Y.H.; Kim, Y.S.; Cho, Y.W.; Lee, S.Y.; Han, S.W.; Moon, S. Quantum message authentication scheme based on remote state preparation. Phys. Scr.
**2018**, 93. [Google Scholar] [CrossRef] - Zeng, G.; Keitel, C.H. Arbitrated quantum-signature scheme. Phys. Rev. A
**2002**, 65, 042312. [Google Scholar] [CrossRef][Green Version] - Lee, H.; Hong, C.; Kim, H.; Lim, J.; Yang, H.J. Arbitrated quantum signature scheme with message recovery. Phys. Lett. A
**2004**, 321, 295–300. [Google Scholar] [CrossRef] - Li, Q.; Chan, W.; Long, D.-Y. Arbitrated quantum signature scheme using Bell states. Phys. Rev. A
**2009**, 79, 054307. [Google Scholar] [CrossRef] - Zou, X.; Qiu, D. Security analysis and improvements of arbitrated quantum signature schemes. Phys. Rev. A
**2010**, 82, 042325. [Google Scholar] [CrossRef] - Yoon, C.S.; Kang, M.S.; Lim, J.I.; Yang, H.J. Quantum signature scheme based on a quantum search algorithm. Phys. Scr.
**2014**, 90, 015103. [Google Scholar] [CrossRef] - Kang, M.-S.; Hong, C.-H.; Heo, J.; Lim, J.-I.; Yang, H.-J. Quantum signature scheme using a single qubit rotation operator. Int. J. Theor. Phys.
**2015**, 54, 614–629. [Google Scholar] [CrossRef] - Gottesman, D.; Chuang, I. Quantum digital signatures. arXiv
**2001**, arXiv:quant-ph/0105032. [Google Scholar] - Clarke, P.J.; Collins, R.J.; Dunjko, V.; Andersson, E.; Jeffers, J.; Buller, G.S. Experimental demonstration of quantum digital signatures using phase-encoded coherent states of light. Nat. Commun.
**2012**, 3. [Google Scholar] [CrossRef] [PubMed][Green Version] - Collins, R.J.; Donaldson, R.J.; Dunjko, V.; Wallden, P.; Clarke, P.J.; Andersson, E.; Jeffers, J.; Buller, G.S. Realization of Quantum Digital Signatures without the Requirement of Quantum Memory. Phys. Rev. Lett.
**2014**, 113. [Google Scholar] [CrossRef] [PubMed][Green Version] - Dunjko, V.; Wallden, P.; Andersson, E. Quantum Digital Signatures without Quantum Memory. Phys. Rev. Lett.
**2014**, 112. [Google Scholar] [CrossRef][Green Version] - Wallden, P.; Dunjko, V.; Kent, A.; Andersson, E. Quantum digital signatures with quantum-key-distribution components. Phys. Rev. A
**2015**, 91. [Google Scholar] [CrossRef][Green Version] - Amiri, R.; Wallden, P.; Kent, A.; Andersson, E. Secure quantum signatures using insecure quantum channels. Phys. Rev. A
**2016**, 93. [Google Scholar] [CrossRef][Green Version] - Donaldson, R.J.; Collins, R.J.; Kleczkowska, K.; Amiri, R.; Wallden, P.; Dunjko, V.; Jeffers, J.; Andersson, E.; Buller, G.S. Experimental demonstration of kilometer-range quantum digital signatures. Phys. Rev. A
**2016**, 93. [Google Scholar] [CrossRef][Green Version] - Yin, H.L.; Fu, Y.; Chen, Z.B. Practical quantum digital signature. Phys. Rev. A
**2016**, 93. [Google Scholar] [CrossRef][Green Version] - Collins, R.J.; Amiri, R.; Fujiwara, M.; Honjo, T.; Shimizu, K.; Tamaki, K.; Takeoka, M.; Sasaki, M.; Andersson, E.; Buller, G.S. Experimental demonstration of quantum digital signatures over 43 dB channel loss using differential phase shift quantum key distribution. Sci. Rep.
**2017**, 7. [Google Scholar] [CrossRef] - Yin, H.L.; Fu, Y.; Liu, H.; Tang, Q.J.; Wang, J.; You, L.X.; Zhang, W.J.; Chen, S.J.; Wang, Z.; Zhang, Q.; et al. Experimental quantum digital signature over 102 km. Phys. Rev. A
**2017**, 95. [Google Scholar] [CrossRef][Green Version] - Chan, K.W.C.; El Rifai, M.; Verma, P.; Kak, S.; Chen, Y. Multi-photon quantum key distribution based on double-lock encryption. In Proceedings of the CLEO: QELS_Fundamental Science, San Jose, CA, USA, 10–15 May 2015; p. FF1A.3. [Google Scholar]
- Kak, S. A three-stage quantum cryptography protocol. Found. Phys. Lett.
**2006**, 19, 293–296. [Google Scholar] [CrossRef][Green Version] - Nikolopoulos, G.M. Applications of single-qubit rotations in quantum public-key cryptography. Phys. Rev. A
**2008**, 77, 032348. [Google Scholar] [CrossRef][Green Version] - Yang, L.; Wu, L.-A.; Liu, S. Quantum three-pass cryptography protocol. In Proceedings of the Quantum Optics in Computing and Communications, Shanghai, China, 13 September 2002; pp. 106–112. [Google Scholar]
- Kang, M.S.; Choi, H.W.; Pramanik, T.; Han, S.W.; Moon, S. Universal quantum encryption for quantum signature using the swap test. Quantum Inf. Process.
**2018**, 17. [Google Scholar] [CrossRef] - Massey, J.L.; Omura, J.K. Method and Apparatus for Maintaining the Privacy of Digital Messages Conveyed by Public Transmission. US4567600A, 28 January 1986. [Google Scholar]
- Clarke, R.B.M.; Kendon, V.M.; Chefles, A.; Barnett, S.M.; Riis, E.; Sasaki, M. Experimental realization of optimal detection strategies for overcomplete states. Phys. Rev. A
**2001**, 64. [Google Scholar] [CrossRef][Green Version] - Hecht, E.J.I. Optics, 4th ed.; Addison-Wesley: San Francisco, CA, USA, 2002; Volume 3, p. 2. [Google Scholar]
- Horn, R.T.; Babichev, S.; Marzlin, K.-P.; Lvovsky, A.; Sanders, B.C. Single-qubit optical quantum fingerprinting. Phys. Rev. Lett.
**2005**, 95, 150502. [Google Scholar] [CrossRef][Green Version] - Massar, S. Quantum fingerprinting with a single particle. Phys. Rev. A
**2005**, 71, 012310. [Google Scholar] [CrossRef][Green Version] - Garcia-Escartin, J.C.; Chamorro-Posada, P. Swap test and Hong-Ou-Mandel effect are equivalent. Phys. Rev. A
**2013**, 87, 052330. [Google Scholar] [CrossRef][Green Version] - Curty, M.; Lutkenhaus, N. Comment on “arbitrated quantum-signature scheme”. Phys. Rev. A
**2008**, 77. [Google Scholar] [CrossRef][Green Version] - Zeng, G.H. Reply to “Comment on ‘Arbitrated quantum-signature scheme’”. Phys. Rev. A
**2008**, 78. [Google Scholar] [CrossRef] - Riebe, M.; Haffner, H.; Roos, C.F.; Hansel, W.; Benhelm, J.; Lancaster, G.P.T.; Korber, T.W.; Becher, C.; Schmidt-Kaler, F.; James, D.F.V.; et al. Deterministic quantum teleportation with atoms. Nature
**2004**, 429, 734–737. [Google Scholar] [CrossRef] [PubMed] - Nielsen, M.A.; Chuang, I.L. Quantum Computation and Quantum Information; Cambridge University Press: Cambridge, UK, 2000. [Google Scholar]
- Buhrman, H.; Cleve, R.; Watrous, J.; de Wolf, R. Quantum fingerprinting. Phys. Rev. Lett.
**2001**, 87. [Google Scholar] [CrossRef] [PubMed][Green Version] - Gao, F.; Qin, S.J.; Guo, F.Z.; Wen, Q.Y. Cryptanalysis of the arbitrated quantum signature protocols. Phys. Rev. A
**2011**, 84. [Google Scholar] [CrossRef][Green Version] - Choi, J.W.; Chang, K.Y.; Hong, D. Security problem on arbitrated quantum signature schemes. Phys. Rev. A
**2011**, 84. [Google Scholar] [CrossRef][Green Version] - Kang, M.S.; Hong, C.H.; Heo, J.; Lim, J.I.; Yang, H.J. Comment on “Quantum Signature Scheme with Weak Arbitrator”. Int. J. Theor. Phys.
**2014**, 53, 1862–1866. [Google Scholar] [CrossRef] - Zhang, K.J.; Qin, S.J.; Sun, Y.; Song, T.T.; Su, Q. Reexamination of arbitrated quantum signature: The impossible and the possible. Quantum Inf. Process.
**2013**, 12, 3127–3141. [Google Scholar] [CrossRef] - Zhang, K.-J.; Zhang, W.-W.; Li, D. Improving the security of arbitrated quantum signature against the forgery attack. Quantum Inf. Process.
**2013**, 12, 2655–2669. [Google Scholar] [CrossRef] - Ono, T.; Okamoto, R.; Tanida, M.; Hofmann, H.F.; Takeuchi, S. Implementation of a quantum controlled-SWAP gate with photonic circuits. Sci. Rep.
**2017**, 7. [Google Scholar] [CrossRef] [PubMed] - Hong, C.H.; Heo, J.; Jang, J.G.; Kwon, D. Quantum identity authentication with single photon. Quantum Inf. Process.
**2017**, 16. [Google Scholar] [CrossRef]

${\mathit{H}}^{{\mathit{k}}_{\mathit{H}}^{\mathit{i}}}$ | ${\mathit{\sigma}}_{{\mathit{k}}_{\mathit{A}\mathit{B}}^{\mathit{i}}}$ | ${\mathit{\sigma}}_{{\mathit{e}}_{\mathit{i}}}$ | Up(u) Qubit | Down(d) Qubit |
---|---|---|---|---|

${H}^{0}=I$ | ${\mathsf{\sigma}}_{00}=\mathrm{I}$ | ${\mathsf{\sigma}}_{01}={\mathsf{\sigma}}_{x}$ | ${\mathsf{\sigma}}_{\mathrm{x}}{\left|M\u27e9\right.}_{u}$ | ${\mathsf{\sigma}}_{\mathrm{x}}{\left|S\u27e9\right.}_{d}$ |

${\mathsf{\sigma}}_{10}={\mathsf{\sigma}}_{y}$ | ${\mathsf{\sigma}}_{\mathrm{y}}{\left|M\u27e9\right.}_{u}$ | ${\mathsf{\sigma}}_{\mathrm{y}}{\left|S\u27e9\right.}_{d}$ | ||

${\mathsf{\sigma}}_{11}={\mathsf{\sigma}}_{z}$ | ${\mathsf{\sigma}}_{\mathrm{z}}{\left|M\u27e9\right.}_{u}$ | ${\mathsf{\sigma}}_{\mathrm{z}}{\left|S\u27e9\right.}_{d}$ | ||

${\mathsf{\sigma}}_{01}={\mathsf{\sigma}}_{x}$ | ${\mathsf{\sigma}}_{01}={\mathsf{\sigma}}_{x}$ | ${\mathsf{\sigma}}_{\mathrm{x}}{\left|M\u27e9\right.}_{u}$ | ${\mathsf{\sigma}}_{\mathrm{x}}{\mathsf{\sigma}}_{\mathrm{x}}{\mathsf{\sigma}}_{\mathrm{x}}{\left|S\u27e9\right.}_{d}={\mathsf{\sigma}}_{\mathrm{x}}{\left|S\u27e9\right.}_{d}$ | |

${\mathsf{\sigma}}_{10}={\mathsf{\sigma}}_{y}$ | ${\mathsf{\sigma}}_{\mathrm{y}}{\left|M\u27e9\right.}_{u}$ | ${\mathsf{\sigma}}_{\mathrm{x}}{\mathsf{\sigma}}_{y}{\mathsf{\sigma}}_{\mathrm{x}}{\left|S\u27e9\right.}_{d}=-{\mathsf{\sigma}}_{y}{\left|S\u27e9\right.}_{d}$ | ||

${\mathsf{\sigma}}_{11}={\mathsf{\sigma}}_{z}$ | ${\mathsf{\sigma}}_{\mathrm{z}}{\left|M\u27e9\right.}_{u}$ | ${\mathsf{\sigma}}_{\mathrm{x}}{\mathsf{\sigma}}_{z}{\mathsf{\sigma}}_{\mathrm{x}}{\left|S\u27e9\right.}_{d}=-{\mathsf{\sigma}}_{z}{\left|S\u27e9\right.}_{d}$ | ||

${\mathsf{\sigma}}_{10}={\mathsf{\sigma}}_{y}$ | ${\mathsf{\sigma}}_{01}={\mathsf{\sigma}}_{x}$ | ${\mathsf{\sigma}}_{\mathrm{x}}{\left|M\u27e9\right.}_{u}$ | ${\mathsf{\sigma}}_{y}{\mathsf{\sigma}}_{\mathrm{x}}{\mathsf{\sigma}}_{y}{\left|S\u27e9\right.}_{d}=-{\mathsf{\sigma}}_{\mathrm{x}}{\left|S\u27e9\right.}_{d}$ | |

${\mathsf{\sigma}}_{10}={\mathsf{\sigma}}_{y}$ | ${\mathsf{\sigma}}_{\mathrm{y}}{\left|M\u27e9\right.}_{u}$ | ${\mathsf{\sigma}}_{y}{\mathsf{\sigma}}_{y}{\mathsf{\sigma}}_{y}{\left|S\u27e9\right.}_{d}={\mathsf{\sigma}}_{y}{\left|S\u27e9\right.}_{d}$ | ||

${\mathsf{\sigma}}_{11}={\mathsf{\sigma}}_{z}$ | ${\mathsf{\sigma}}_{\mathrm{z}}{\left|M\u27e9\right.}_{u}$ | ${\mathsf{\sigma}}_{y}{\mathsf{\sigma}}_{z}{\mathsf{\sigma}}_{y}{\left|S\u27e9\right.}_{d}=-{\mathsf{\sigma}}_{z}{\left|S\u27e9\right.}_{d}$ | ||

${\mathsf{\sigma}}_{11}={\mathsf{\sigma}}_{z}$ | ${\mathsf{\sigma}}_{01}={\mathsf{\sigma}}_{x}$ | ${\mathsf{\sigma}}_{\mathrm{x}}{\left|M\u27e9\right.}_{u}$ | ${\mathsf{\sigma}}_{z}{\mathsf{\sigma}}_{x}{\mathsf{\sigma}}_{z}{\left|S\u27e9\right.}_{d}=-{\mathsf{\sigma}}_{x}{\left|S\u27e9\right.}_{d}$ | |

${\mathsf{\sigma}}_{10}={\mathsf{\sigma}}_{y}$ | ${\mathsf{\sigma}}_{\mathrm{y}}{\left|M\u27e9\right.}_{u}$ | ${\mathsf{\sigma}}_{z}{\mathsf{\sigma}}_{y}{\mathsf{\sigma}}_{z}{\left|S\u27e9\right.}_{d}=-{\mathsf{\sigma}}_{y}{\left|S\u27e9\right.}_{d}$ | ||

${\mathsf{\sigma}}_{11}={\mathsf{\sigma}}_{z}$ | ${\mathsf{\sigma}}_{\mathrm{z}}{\left|M\u27e9\right.}_{u}$ | ${\mathsf{\sigma}}_{z}{\mathsf{\sigma}}_{z}{\mathsf{\sigma}}_{z}{\left|S\u27e9\right.}_{d}={\mathsf{\sigma}}_{z}{\left|S\u27e9\right.}_{d}$ | ||

${H}^{1}=H$ | ${\mathsf{\sigma}}_{00}=\mathrm{I}$ | ${\mathsf{\sigma}}_{01}={\mathsf{\sigma}}_{x}$ | ${\mathsf{\sigma}}_{\mathrm{x}}{\left|M\u27e9\right.}_{u}$ | ${H}^{\u2020}{\mathsf{\sigma}}_{x}H{\left|S\u27e9\right.}_{d}={\mathsf{\sigma}}_{\mathrm{z}}{\left|S\u27e9\right.}_{d}$ |

${\mathsf{\sigma}}_{10}={\mathsf{\sigma}}_{y}$ | ${\mathsf{\sigma}}_{\mathrm{y}}{\left|M\u27e9\right.}_{u}$ | ${H}^{\u2020}{\mathsf{\sigma}}_{y}H{\left|S\u27e9\right.}_{d}={\mathsf{\sigma}}_{x}{\left|S\u27e9\right.}_{d}$ | ||

${\mathsf{\sigma}}_{11}={\mathsf{\sigma}}_{z}$ | ${\mathsf{\sigma}}_{\mathrm{z}}{\left|M\u27e9\right.}_{u}$ | ${H}^{\u2020}{\mathsf{\sigma}}_{z}H{\left|S\u27e9\right.}_{d}={\mathsf{\sigma}}_{y}{\left|S\u27e9\right.}_{d}$ | ||

${\mathsf{\sigma}}_{01}={\mathsf{\sigma}}_{x}$ | ${\mathsf{\sigma}}_{01}={\mathsf{\sigma}}_{x}$ | ${\mathsf{\sigma}}_{\mathrm{x}}{\left|M\u27e9\right.}_{u}$ | ${H}^{\u2020}{\mathsf{\sigma}}_{\mathrm{x}}{\mathsf{\sigma}}_{x}{\mathsf{\sigma}}_{\mathrm{x}}H{\left|S\u27e9\right.}_{d}={\mathsf{\sigma}}_{\mathrm{z}}{\left|S\u27e9\right.}_{d}$ | |

${\mathsf{\sigma}}_{10}={\mathsf{\sigma}}_{y}$ | ${\mathsf{\sigma}}_{\mathrm{y}}{\left|M\u27e9\right.}_{u}$ | ${H}^{\u2020}{\mathsf{\sigma}}_{\mathrm{x}}{\mathsf{\sigma}}_{y}{\mathsf{\sigma}}_{\mathrm{x}}H{\left|S\u27e9\right.}_{d}=-{\mathsf{\sigma}}_{x}{\left|S\u27e9\right.}_{d}$ | ||

${\mathsf{\sigma}}_{11}={\mathsf{\sigma}}_{z}$ | ${\mathsf{\sigma}}_{\mathrm{z}}{\left|M\u27e9\right.}_{u}$ | ${H}^{\u2020}{\mathsf{\sigma}}_{\mathrm{x}}{\mathsf{\sigma}}_{z}{\mathsf{\sigma}}_{\mathrm{x}}H{\left|S\u27e9\right.}_{d}=-{\mathsf{\sigma}}_{y}{\left|S\u27e9\right.}_{d}$ | ||

${\mathsf{\sigma}}_{10}={\mathsf{\sigma}}_{y}$ | ${\mathsf{\sigma}}_{01}={\mathsf{\sigma}}_{x}$ | ${\mathsf{\sigma}}_{\mathrm{x}}{\left|M\u27e9\right.}_{u}$ | ${H}^{\u2020}{\mathsf{\sigma}}_{y}{\mathsf{\sigma}}_{x}{\mathsf{\sigma}}_{y}H{\left|S\u27e9\right.}_{d}=-{\mathsf{\sigma}}_{\mathrm{z}}{\left|S\u27e9\right.}_{d}$ | |

${\mathsf{\sigma}}_{10}={\mathsf{\sigma}}_{y}$ | ${\mathsf{\sigma}}_{\mathrm{y}}{\left|M\u27e9\right.}_{u}$ | ${H}^{\u2020}{\mathsf{\sigma}}_{\mathrm{y}}{\mathsf{\sigma}}_{y}{\mathsf{\sigma}}_{\mathrm{y}}H{\left|S\u27e9\right.}_{d}={\mathsf{\sigma}}_{x}{\left|S\u27e9\right.}_{d}$ | ||

${\mathsf{\sigma}}_{11}={\mathsf{\sigma}}_{z}$ | ${\mathsf{\sigma}}_{\mathrm{z}}{\left|M\u27e9\right.}_{u}$ | ${H}^{\u2020}{\mathsf{\sigma}}_{\mathrm{y}}{\mathsf{\sigma}}_{z}{\mathsf{\sigma}}_{\mathrm{y}}H{\left|S\u27e9\right.}_{d}=-{\mathsf{\sigma}}_{y}{\left|S\u27e9\right.}_{d}$ | ||

${\mathsf{\sigma}}_{11}={\mathsf{\sigma}}_{z}$ | ${\mathsf{\sigma}}_{01}={\mathsf{\sigma}}_{x}$ | ${\mathsf{\sigma}}_{\mathrm{x}}{\left|M\u27e9\right.}_{u}$ | ${H}^{\u2020}{\mathsf{\sigma}}_{z}{\mathsf{\sigma}}_{x}{\mathsf{\sigma}}_{z}H{\left|S\u27e9\right.}_{d}=-{\mathsf{\sigma}}_{\mathrm{z}}{\left|S\u27e9\right.}_{d}$ | |

${\mathsf{\sigma}}_{10}={\mathsf{\sigma}}_{y}$ | ${\mathsf{\sigma}}_{\mathrm{y}}{\left|M\u27e9\right.}_{u}$ | ${H}^{\u2020}{\mathsf{\sigma}}_{z}{\mathsf{\sigma}}_{y}{\mathsf{\sigma}}_{z}H{\left|S\u27e9\right.}_{d}=-{\mathsf{\sigma}}_{x}{\left|S\u27e9\right.}_{d}$ | ||

${\mathsf{\sigma}}_{11}={\mathsf{\sigma}}_{z}$ | ${\mathsf{\sigma}}_{\mathrm{z}}{\left|M\u27e9\right.}_{u}$ | ${H}^{\u2020}{\mathsf{\sigma}}_{z}{\mathsf{\sigma}}_{z}{\mathsf{\sigma}}_{z}H{\left|S\u27e9\right.}_{d}={\mathsf{\sigma}}_{y}{\left|S\u27e9\right.}_{d}$ |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |

© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).