Experimental Quantum Message Authentication with Single Qubit Unitary Operation

: We have developed a quantum message authentication protocol that provides authentication and integrity of an original message using single qubit unitary operations. Our protocol mainly consists of two parts: quantum encryption and a correspondence check. The quantum encryption part is implemented using linear combinations of wave plates, and the correspondence check is performed using Hong–Ou–Mandel interference. By analyzing the coincidence counts of the Hong–Ou–Mandel interference, we have successfully proven the proposed protocol experimentally, and also showed its robustness against an existential forgery.

In this paper, we introduce a simple and practical quantum message authentication protocol with a quantum three-pass protocol [30][31][32][33] and a quantum encryption scheme [19,34]. This protocol is a lightweight to simplify the implementation by removing an arbitrator from our proposed quantum signature protocol [19]. Here, the quantum three-pass protocol is the quantum version of Shamir's three-pass protocol [1,35], and quantum encryption scheme is to prevent existential forgery, called Gao's forgery. More specifically, the core elements of the proposed protocol, such as the quantum three-pass protocol and the quantum encryption scheme, are implemented with only single qubit unitary operators. In other words, these can be implemented easily by using linear combinations of wave plates [36,37]. Additionally, the swap test that checks the correspondence of the original message and quantum message authentication code (QMAC) can be implemented using a Hong-Ou-Mandel interferometer [38][39][40]. In advance, as the Hong-Ou-Mandel interferometer is a destructive swap test [40], more resources are needed to implement a controlled swap test.
In Section 2, we briefly explain the concept of the proposed scheme. Section 3 presents a security analysis of the proposed protocol for Alice's private key, the forgery of QMAC pair, and the origin authentication of quantum message. Section 4 describes the experimental setup and measurement results. We conducted three experiments with the proposed protocol. First, we implemented a quantum three pass protocol, which is a method of conveying information in the proposed quantum message authentication. Second, we implemented a quantum encryption scheme with a single qubit unitary operator to prevent forgery. Finally, we confirmed that the QMAC pair with the quantum encryption scheme is robust to Gao's forgery. In Section 5, after a thorough discussion that includes the possibility of expanding the scheme to quantum signature and quantum entity authentication, we present the conclusions of this work.

Quantum Message Authentication Protocol
Quantum message authentication, which is similar to conventional message authentication, should provide message integrity and origin authentication. What differentiates quantum message authentication from conventional message authentication [41,42] is that the former uses quantum states | 0 and | 1 as a message represented by a sequence of "0" and "1" bits. In addition, using arbitrary quantum states as a message enables more information to be delivered at once [43,44]. Moreover, there is a significant difference that is described below. In modern cryptography, asymmetric key cryptography easily provides message integrity, message origin authentication, and nonrepudiation. Unfortunately, a quantum asymmetric key cryptosystem based on the quantum trapdoor one-way function do not exist, making the design of quantum authentication and quantum signature protocols difficult. To overcome this difficulty, we propose a new quantum message authentication protocol based on Shamir's three-pass protocol [1,35]. Shamir's three pass protocol has the advantage that two parties, e.g., Alice and Bob, can share information without exposing their own private keys. In the implementation, the central idea is that the commutative property [19] of exponential operation in Shamir's three-pass protocol is implemented using single-qubit rotation operators consisting of linear combinations of wave plates. To our knowledge, this is the first time a quantum message authentication protocol has been proposed using the quantum three-pass protocol, though other applications of the quantum three-pass protocol, such as direct communication [32], quantum key distribution [30], and quantum signature [19], have been proposed theoretically. Figure 1 schematically shows the quantum message authentication protocol that we implemented. Our quantum message authentication protocol consists of preparation, quantum message authentication, and verification phase.

Preparation Phase
In the preparation phase, Alice and Bob pre-share secret key sequences He then uses a swap test twice to confirm the similarity of the two arbitrary quantum states | M u , | M d and bit message sequence M. K AB and K H denote the secret key sequences that Alice and Bob previously shared. S is the private key sequence that only Alice knows, and B is the one known only to Bob.

Quantum Message Authentication Phase
The quantum message authentication phase is composed of two stages: quantum message generation, QMAC generation, and quantum encryption. In the quantum message generation stage, Alice generates a quantum message state pair by applying a single qubit rotation operator where d are the logical states | 0 | 0 or | 1 | 1 , corresponding to horizontally polarized photons | H | H and vertically polarized photons | V | V , respectively. The superscript (i) denotes the i th qubit, and subscripts u and d denote up and down, corresponding to the up-line and down-line, respectively, of the experimental setup used for our protocol. The rotation angle sequence M = (m 1 , m 2 , m 3 , . . . , m N ) is a bit message sequence, and we assume that it has already been published in public as in the case of a contract or an official document. The reason for publishing M is to prevent Alice from attempting to forge using a modulated QMAC pair, which is discussed in detail in Section 3.2 impossibility of forgery.
In the QMAC generation stage, Alice encrypts the quantum message pair | M u | M d of Equation (2) by using a single qubit rotation operator R y (s i ); Here, S = (s 1 , s 2 , s 3 , . . . , s N ) is a rotation angle sequence, 0 • ≤ s i ≤ 360 • . In addition, S is a private key known only to Alice. Furthermore, we call | M u | S d to a QMAC state pair.
In the quantum encryption stage, Alice applies quantum encryption σ k i AB H k i H to the QMAC state pair | M u | S d of Equation (4); Here, | M u ⊗ N i=1 σ k i AB H k i H | S d is an encrypted QMAC state pair, and then she sends it to Bob. This quantum encryption is an essential function for verifying that the entity sending the QMAC pair is Alice and for protecting against forgery.
The rotation angles m i and s 1 are the elements of the finite discrete variable set. For applying them to real protocols, Alice and Bob must preset the range of the finite discrete variable set and pre-decide how to divide the set range. For example, if Alice and Bob split the rotation angle from 0 • to 360 • in intervals of 10 • , then the finite discrete variable set becomes {0 • , 10 • , 20 • , . . . , 350 • }. Here, the size of the discrete variable set is determined by the performance of the experimental apparatus. Therefore, as the performance of experimental apparatus improves, the size of the discrete variable set increases. Increasing the size of the discrete variable set means that the rotation angle can be subdivided, and this can lead to authenticating more information compared with using the four states of the BB84 protocol. On the other hand, If the performance of the experimental apparatus is poor, the size of the discrete variable set decreases. Then, the rotation angle cannot be subdivided, and information that can be authenticated decreases. Additionally, in this situation, if the communication members use the subdivided rotation angles to such an extent that the experimental apparatus cannot distinguish, detecting the malicious behavior of Eve is impossible.

Verification Phase
The verification phase is divided into five stages: "quantum decryption", "Bob's encryption", "QMAC recovery", "Bob's decryption", and "swap test". In Stage 1, for quantum decryption, Bob uses secret key sequences K AB and K H , which were pre-shared with Alice to decrypt the encrypted QMAC state pair (5), received from Alice to obtain the QMAC state pair | M u | S d of Equation (4). In Stage 2, Bob's encryption, Bob generates his own private key sequence B = (b 1 , b 2 , . . . , b N ) and re-encrypts quantum state Then, he sends | S d to Alice while keeping the other quantum message state | M u . In Stage 3, QMAC recovery, Alice uses her own private key sequence S to apply rotation operator In Stage 4, Bob's decryption, Bob uses his own private key sequence B and applies rotation operator Because the proposed quantum message authentication based on the quantum three-pass protocol operates Alice's private key s i , there is a need for a method to verify the encrypted QMAC pair described thus far. This is an important element that the proposed protocol can guarantee the origin of quantum message. In addition, to avoid counterfeiting, it is assumed that quantum encryption such as σ k i AB H k i H in Equation (5) is applied to Alice and Bob in every process of exchanging quantum states.
In the final stage, Bob performs the swap test [42,45] Figure 2 shows the swap test in the circuit, and the result of inputting and in the second and third lines of the circuit is expressed as follows: If | m i u and m i d agree, the above equation becomes | 0 ancilla 1 √ 2 | m i u m i d + m i u | m i d , which makes the measurement outcome of the ancilla state to always be | 0 . However, if | m i u and m i d do not agree, the measurement outcome becomes | 0 with a probability 1 + ε 2 /2 or becomes | 1 with a probability 1 + ε 2 /2, where ε = d m i m i u | and 0 ≤ ε ≤ 1. Therefore, if the swap test result of the measurement is | 1 , we know that | m i u and m i d are different. If the result is | 1 , we cannot guarantee that | m i u and m i d are the same. The parameter ε is determined by the arbitrary quantum state components | m i u of Equation (6) and m i d of Equation (7). If the two rotation angles m i and m i are the same, i.e., m i = m i , then the value of parameter ε is 1. On the other hand, if the difference between m i and m i is 180 • , i.e., m i = m i ± 180 • , then the parameter ε is 0. As a result, according to rotation angles m i and m i , the parameter ε has a value between 0 and 1, 0 ≤ ε ≤ 1. Further, the probability of failure in the verification phase is the total error probability P e for N qubits as follows: Therefore, it is expected that the swap test will work well even though the quantum state sequence is finite. Hence, the probability of failure in the verification phase becomes lower, approaching P e as the size of the quantum state sequence N becomes considerably larger [42,45]. For an arbitrary | m i u , a random choice for m i d on the R y m i -rotation circle, the average of ε 2 is 1/2. In this case, the upper bound of the total error probability P e is (3/4) N . If the size of the quantum state sequence is 15, then the upper bound of the total error probability P e is only approximately 1.3%. Therefore, it is expected that the swap test will work well even though the quantum state sequence is finite.

Security of Alice's Private Key
Eve, including Bob, may try to obtain Alice's private key. Especially, as described in Section 2.3, malicious Bob may try to know Alice's private key sequence S = (s 1 , s 2 , s 3 , . . . , s N ), which consists of the degrees of rotation aboutŷ-axis from Equation (4). However, the security of Alice's private key sequence S is guaranteed by Holevo's theorem, as follows [19,32]: Here, H(S) is the Shannon entropy of the sequence of arbitrary rotation angle s i , V(ρ) is the von Neumann entropy of mixed state ρ that Eve can acquire through the arbitrary measurement of the quantum state | S d = ⊗ N i=1 R y (s i )| M d , and I(x, S) is the mutual information between arbitrary rotation s i and measurement outcomes x. As we can see in Equation (10), the amount of mutual information about the arbitrary rotation angle sequence S that Bob acquires using measurement outcomes x is limited, and thus, it is impossible for Eve to obtain the information of S. Based on the same principle, the security of Bob's private key sequence B = (b 1 , b 2 , b 3 , . . . , b N ) is guaranteed.

Impossibility of Forgery
Many quantum message authentication and signature protocols use quantum encryption implemented by Pauli operators to ensure message integrity and message origin authentication. A QMAC pair (or quantum signature pair), which is composed of a quantum message and an encrypted quantum message, checks the forgery and modulation of the QMAC pair (or quantum signature pair) using a swap test [34]. As described in Section 2.3, Bob validates the original quantum message state | M u and the recovered quantum message state | M d from the QMAC state pair of Equation (4) using the swap test. Bob can be sure that | M u and | M d are the same quantum state from the outcomes of the swap test. However, it is not known whether they match the original message M. Because of the limitations of this swap test, the proposed protocol can be falsified in two ways.
The first falsification method is that Alice creates a modulated QMAC pair  [46]. This is called Gao's forgery, and it can be considered as an existential forgery [34] of modern cryptosystems because it randomly forges QMAC pairs (or quantum signature pairs), which are arbitrary quantum states. The posing of this security problem by Gao et al. was a major turning point in the study of quantum message authentication (or quantum signature) protocols. In 2011, Choi et al. proposed the (I, H)-or (U, V)-type quantum encryption scheme to cope with Gao's forgery [47,48]. In 2013, Zhang et al. pointed out that the encryption scheme of Choi et al. was still insecure against Gao's forgery, and instead they proposed the keycontrolled-"I" quantum one-time pad or key-controlled-"T" quantum one-time pad [49,50] as an alternative. The four unitary operators of the controlled-I quantum one-time pad are W 00 = (σ x + σ z )/ √ 2, W 01 = σ y + σ z / √ 2, W 10 = I + iσ x − iσ y + iσ z / √ 2, and W 10 = I + iσ x + iσ y + iσ z / √ 2. However, the encryption scheme of Zhang et al. is not easy to implement with simple hardware. In contrast, we propose a quantum encryption scheme with a single qubit unitary operation by randomly using unitary operator H, which can be easily implemented by controlling wave plates and an authentication protocol. Therefore, the proposed protocol is robust against an existential forgery. Section 4.3 in Ref. [22] shows that unitary operators can be used randomly to prevent Gao's forgery. The detailed implementation of our experimental setup and the testing results of the quantum three-pass protocol and security against Gao's forgery are described in Section 4. Finally, to prevent Gao's forgery in the proposed protocol, the quantum encryption scheme should be applied to all processes in which Alice and Bob exchange quantum states.

Origin Authentication of Quantum Message
To clarify the origin of the quantum message, the proposed quantum message authentication operates by using not only the secret key pre-shared by Alice and Bob but also Alice's private key. In general, message authentication guarantees the origin of message authentication by using a secret key previously shared by Alice and Bob. At this time, as the user who can create a message authentication code (MAC) pair can be Alice or Bob, the origin of the message may become unclear. On the other hand, in the proposed protocol, Alice generates a QMAC pair | M u | S d of Equation (4) by using a private key sequence S = (s 1 , s 2 , s 3 , . . . , s N ) known only to her; thus, the possibility of such a dispute is very low. Figure 3a shows the implementation setup of our proposed quantum message authentication protocol. With this setup, we have experimentally proved that the proposed QMAC is robust against existential forgery. Each stage is implemented with a linear combination of wave plates; that is, the y-axis rotation operator R y (θ), the unitary operator H, and the Pauli operators are implemented by combinations of half-wave plates (HWPs) and quarter-wave plates (QWPs). Figure 3b schematically shows a possible forgery attack that Eve can try. Eve can attempt a forgery attack using the same Pauli operators σ e i = σ e i [46], or she can attempt a forgery attack using different Pauli operators σ e i = σ e i [49,50]. We define these two approaches as an original and improved Gao's Forgeries, respectively. To prevent Gao's forgeries, we need to choose unitary operator H randomly. We explain this in detail at the end of this section.

Experiment Setup and Measurement Results
We assume that Alice and Bob have already pre-shared the secret key sequences in the preparation phase. For the message authentication phase, we implemented message generation, QMAC generation, and quantum encryption using wave plates on Alice's side. To create correlated photon pairs, Type-I spontaneous parametric down-conversion (SPDC) photon pairs were generated in a beta barium borate (BBO) crystal pumped by a multimode diode laser with a 408-nm wavelength. The SPDC photon pairs have the same H-polarization and an 816-nm wavelength. The photon pairs are emitted with a noncollinear angle of 3.3 • . One of the photons goes through only the rotation operator for message generation, and the other experiences the sequence of operations from message generation through the quantum encryption scheme with a single qubit unitary operator. Then, they are delivered to Bob. For the verification phase, one photon is kept on Bob's side, and the other photon experiences quantum decryption and Bob's encryption implemented by the wave plate, after which Bob sends it to Alice. Alice then decrypts it by using QMAC recovery. In our experiment, we installed the QMAC recovery stage between Bob's encryption and Bob's decryption for convenience of implementation; it is marked by yellow shading in Figure 3a. Finally, after Bob's decryption, the swap test that verifies the agreement of the two photon sequences is performed using the Hong-Ou-Mandel interferometer. The Hong-Ou-Mandel dip confirms the similarity between the two photons, which is the last step of the implementation of the proposed quantum message authentication protocol. In other words, the realization of the quantum three-pass protocol, quantum encryption scheme, and the robustness of Gao's forgery can be confirmed by the Hong-Ou-Mandel Dip. Hong-Ou-Mandel interference is the same as the destructive swap test [40]. Because the destructive swap test does not have an ancilla qubit unlike the controlled swap test, the two quantum states that are compared are directly measured and collapsed. For this reason, we performed only the first swap test in the two swap tests shown in Figure  1. To implement the second swap test in Figure 1 using Hong-Ou-Mandel interference, there is a need for more resources (e.g., single photons and wave plates) than the current experimental setup. There are other ways to implement a second swap test by using an experimental controlled swap gate that was recently implemented [51].
We tested the feasibility of our protocol with the experimental setup for the case without Gao's forgery. First, we verified that the quantum three-pass protocol (Figure 3) was working correctly. As shown in Figure 4a, when the half-wave plate H1 s angle s i /4 is −120 • , the coincidence count reaches its minimum at the half-wave plate H3 s angles −s i /4 = 30 • , 120 • as expected. This indicates that Alice generates the QMAC state by applying rotation operator R y −120 • and then uses rotation operator R y −120 • ± πn/2 to recover the QMAC state, where n is an integer, because the period of the half-wave plate is π/2. The red plots represent the averages of the coincidence counts over one second. In Figure 4b, we recognize that Bob's encryption and decryption also work well. When the half-wave plate H2 s angle b i /4 is −60 • , the Hong-Ou-Mandel dip occurs at the half-wave plate H4 s angles −b i /4 = 60 • , 150 • . Bob uses rotation operator R y −60 • to re-encrypt the QMAC state, and then he decrypts the re-encrypted QMAC state by applying rotation operator R y 60 • ± πn/2 , where n is an integer. In Figure 4, the experimental data are the average of 10 measurements per 10 s. During this time, the averages of single counts were 27, 000 and 27, 000, respectively, and coincidence windows are 5 ns; the maximum value of the coincidence counts after accidental coincidences were removed was 127, and the minimum value was 2.
Second, we tested the quantum encryption and decryption. If Alice and Bob are proper users who previously shared secret key sequences K AB and K H then the quantum message states | M u and | M d should be identical. Bob can check the correspondence of these states using the Hong-Ou-Mandel interferometer [38,39]. Figure 4 shows the experimental results for Alice's quantum encryption and Bob's quantum decryption. P c is the coincidence probability of Hong-Ou-Mandel interference, and P c = 1 − P c represents the probability of two quantum message states matching. Figure 5a,b represents whether operator H exists or not, respectively. Although theoretically, the red blocks on the diagonal in both cases should be 100%, experimentally they are greater than 82% and 76%, respectively. On the other hand, the blue blocks off the diagonal, when Alice and Bob share different secret keys k i AB and k i H , | M u and | M d have different quantum states, and the respective probabilities are less than 41% and less than 46%. Considering that theoretically P c can only have less than 50%, the measurement results prove that our scheme works well. From these results, we can conclude that the encryption operates properly because P c is greater than 76% in the case of the same operators and P c is less than 46% in the case of different operators regardless of the existence of operator H. The above theoretical values are derived from the success probability 2 = d ψ i ψ i u 2 of the swap test, with | ψ i u = • . Errors in the experiment shown in Figure 5 could be due to an inherent error of the swap test, birefringence in the beam splitter, and/or systematic errors in the wave-plate setting [38,39,42,45]. From the measurement results given in Figures 4 and 5, we have demonstrated that our implementation succeeds in realizing the proposed protocol. Although there are some errors due to unavoidable imperfections of the realization, our practical implementation still performs message integrity and message origin authentication successfully only if our protocol is applied to multiple bits sequentially and analyzed statistically. Gao et al. demonstrated the possibility of existential forgery in the case of quantum message authentication that includes a swap test [34,46,48] In addition, the forged QMAC state pair by Eve's Pauli operator σ 10 = σ y is The forged QMAC state pair of Equation (13) transforms into the following state after a decryption process: Assuming that | M u and | S d of Equation (14) are the same, Eve succeeded in attacking because the Pauli operator σ y remained in the first and second qubits of Equation (14). This is the first method to forge the quantum message code or quantum signature pair proposed by Gao et al. [34,46,48].
As another example, if k i AB = 01, k i H = 1, an encrypted QMAC state pair is The forged QMAC state pair by Eve's Pauli operator σ 10 = σ y is The forged QMAC state pair transforms into the following state after a decryption process: (17) Despite the assumption that | M u and | S d of Equation (17) are the same, Eve's attack is unsuccessful. The reason is that the Pauli operators σ y and σ x remained in the first and second qubits of Equation (17), respectively. This is the (I, H)-type quantum encryption proposed to overcome Gao's forgery [47]. Zhang et al., however, showed that the (I, H)-type quantum encryption is not secure for improved Gao's forgery [49,50]. We [19,34] overcome the original Gao's forgery [46] or the improved Gao's forgery [49,50] with quantum encryption σ k i Figure 6. Coincidence probability by existential forgery. Red bars denote the case where Eve attempts original Gao's Forgery when operator H is not used in the quantum encryption scheme k i H = 0 . The blue bars show the case of attempting improved Gao's Forgery when operator H is used in the quantum encryption scheme k i H = 1 . P c is the coincidence probability. The black bars indicate the standard deviation of the coincidence counts for 1 s. k i AB is the same as in Figure 1. e i ∈ {00, 01, 10, 11} corresponds to the Pauli operator σ e i ∈ I, σ x , σ y , σ z that Eve uses to attempt Gao's Forgery 1.

Conclusions and Discussion
We have proposed a new quantum message authentication protocol including quantum encryption for improving security against an existential forgery. Additionally, a practical implementation of the proposed protocol has been developed and its robustness against existential forgery has been verified experimentally. It consists of wave plates and the Hong-Ou-Mandel interferometer. The measurement results for each function-QMAC generation and recovery, Bob's encryption and decryption, and quantum encryption and decryption-successfully show the feasibility of robustness against Gao's forgeries.
The system loss and the optical channel loss, etc., should be considered when applying our protocol to real implementation. Let us assume that Alice and Bob use the single photon detector with 20% efficiency and are connected by 30-km single-mode fiber with 0.2 dB/km loss. In a result, the total efficiency becomes 0.08% because the qubits are pass through total 100 km, and if the QMAC pairs are generated at 100 MHz, Bob can receive 8 × 10 4 pairs/s. As we mentioned in Section 2, the size of the quantum state sequence should be more than 15. Therefore, Alice must generate at least 1.9 × 10 4 QMAC pairs, i.e., 1.9 × 10 4 × 0.08% = 15 that is quite implementable number, and send them to Bob to ensure this accuracy of the swap test.
Our protocol can be used as an arbitrated quantum signature protocol if a trusted center (TC) is added in the communication channel used by Alice and Bob [19]. In addition, if freshness property is added to our protocol, it can be used for quantum entity authentication as well [1,52]. In conclusion, we have proposed the base technology for a complete quantum cryptosystem that provides confidentiality, authentication, integrity, and nonrepudiation.