Practical Quantum Digital Signature

arXiv:1507.03333v3 [quant-ph] 22 Mar 2016 D rtcli h mrcia supino h au- the be- participants available. of feasible ing between assumption a channels impractical for quantum the left thenticated is problem protocol serious Up obviously QDS [10]. an interferometer date, lead- Mach-Zehnder to yet the [9], of multiport bilization sta- technology—long-distance optical challenging another an replaces to ing with and test [8] SWAP preparation the state complex pho- quantum and and for requirement optics memory on the linear circumvent test uses to detectors SWAP approach ton novel performing A as states. ( the such and operations, memory, lenging quantum ( long-term states, ing quantum function one-way complex ( channels, problems tum following ( the quantum therein: [7], a appear scheme [6], Lamport’s and protocol of QDS Gottesman version first its the Since guarantee proposed Chuang to on physics security. bases quantum (QDS) information-theoretic of par- signature laws the digital fundamental between Quantum therein, channels classical exists ticipants. secure assumption the resource-expensive namely, schemes are a signature there secure [1–5], Though unconditionally attacks. classical vulner- computing some become quantum complex- schemes to mathematical signature able on digital relying classical a However, ities, of on. distribution financial authenticity so software e-mails, and the in contracts, as applied electronic widely well transactions, are as They message signature. a of identity ∗ ‡ † [email protected] [email protected] [email protected] iia intrsamt etf h rvnneand provenance the certify to aim signatures Digital 1 ee ainlLbrtr o hsclSine tMicrosc at Sciences Physical for Laboratory National Hefei olcieatcs eie,orQSpooo a epracti be can protocol QDS our Besides, firs chann quantum the attacks. authenticated present collective of we assumption Here, the removes Q that participants. proposed between req previously channels the importantly, the tum most informatio date, and problems provide to challenging up fu various to However, on aims Based task. (QDS) graphic era. signature e-commerce digital today’s quantum in safeguards vital most ASnmes 36.d 36.k 03.67.Ac dis 03.67.Hk, key 03.67.Dd, quantum numbers: in PACS used as technology mature current under km urneignnrpdain nogaiiya ela t as well as unforgeability non-repudiation, Guaranteeing 2 P h A etrfrEclec nQQ n h yegtcInno Synergetic the and QIQP in Excellence for Center CAS The .INTRODUCTION I. P )tepeaainadtasiso of transmission and preparation the 2) )rqiigteatetctdquan- authenticated the requiring 1) nvriyo cec n ehooyo hn,Hfi Anhui Hefei, China, of Technology and Science of University nvriyo cec n ehooyo hn,Hfi Anhui Hefei, China, of Technology and Science of University u-e Yin, Hua-Lei rcia unu iia Signature Digital Quantum Practical P )ohrchal- other 4) ,2, 1, P Dtd etme ,2018) 5, September (Dated: ∗ )requir- 3) a Fu, Yao ,2, 1, † et ilacp ta el edfieaQSscheme QDS a define We well. as recip- the have it honest of to accept other recipient signature, will honest a ients an accepts Trans- message when it. signed that signed having signs means deny signer recipi- ferability cannot the honest he/she once valid other message, that a by a means accepted forge Non-repudiation intact be can ents. remains can one and that no signer signature namely, the mes- transmission, of from during piece comes given indeed a transfer- sage that and means non-repudiation Unforgeability unforgeability, ability. [3]: isfies 14]. [13, communi- sharing) quantum secret multiparty (quantum and 12] to cation [11, similar QKD are of protocol that QDS basic our the underlying communication, assumptions classical requiring of in merely authentication problem Therefore, the security impractical the channels. tackling the to quantum eliminates respect secure that of protocol assumption QDS propose first we states, state the coherent qubit weak single-photon prac- using of phase-randomized be paper, and to this QDS In a in value. of eliminated tical be quan- definition to authenticated has and channels of tum goal assumption the the Therefore, exactly QKD. authenticated is without channels distribution quantum guar- key Actually, secure eavesdropping. anteeing potential of chan- quantum because (secure) nels authenticated require distribution channels, not key classical does authenticated it quantum requires while 12] [11, that (QKD) eaves- Recall any allow not do dropping. that channels quantum secure the blt o navrayt raeavldsgaueis signature valid a create than to greater adversary not an for ability with ε inrt euit eiiaesgauei o greater not is signature legitimate than a repudiate to signer ε sec nor n egBn Chen Zeng-Bing and esyadgtlsgauepooo sscr fi sat- it if secure is protocol signature digital a say We to equivalent are channels quantum authenticated The scrt hni aifisboth satisfies it when -security nnrpdain with -non-repudiation, ε ε ieeto uhniae scr)quan- (secure) authenticated of uirement nor nor aseaiiyo intr soeo the of one is signature a of ransferability l n eateto oenPhysics, Modern of Department and ale al mlmne vrmr hn100 than more over implemented cally ε l hl eann eueaantthe against secure remaining while els nnrpdainwe h rbblt o the for probability the when -non-repudiation hrb,aQSpooo sdfie ohave to defined is protocol QDS a Thereby, . unu iia intr protocol signature digital quantum t unf dmna aso unu physics, quantum of laws ndamental -hoei euiyfrti crypto- this for security n-theoretic Spooosaeipatcldeto due impractical are protocols DS tribution. ufreblt,rpeetn htteprob- the that representing -unforgeability, ainCne o QIQP, for Center vation ε unf 306 China 230026, 306 China 230026, iial,w a rtclis protocol a say we Similarly, . ,2, 1, ‡ ε unf + ε ε unf nor ufreblt and -unforgeability ≤ ε sec Consider- . 2 ing robustness, εrob is the probability that the protocol to randomly choose test bits as well). Charlie announce will be aborted even with the absence of an adversary. the location of test bits and Alice publicly announces the In this paper, we consider a simple and most impor- bit information of those test bits. Bob (Charlie) calcu- c c tant case with three participants, i.e., one signer and two lates the mismatching rate eB (eC ) of conclusive results c c recipients. Then the property of transferability becomes from the test bits. When eB or eC gets too high, they c equivalent to non-repudiation [6, 8]. The QDS protocols announce to abort the protocol. Besides, when PB or c c using two copies of single-photon states and decoy-state PC shows a big deviation from the ideal value P =1/6, method are proposed in Sec. II and Sec. IV, with the they also announce to abort the protocol. Otherwise, security analyzed in Sec. III. Bob and Charlie announce the mismatching rate and the probability, ec , P c and ec , P c , respectively. Alice, { B B} { C C } Bob and Charlie only keep Mu untested bits, denoted by II. QDS WITH TWO COPIES OF SA, SB and SC. SINGLE-PHOTON STATES The messaging stage: To sign one-bit message m, Alice sends the message m and the corresponding bit string SA to the authenticator, Bob. Bob checks the mismatching There are three stages when implementing our three- c c c participant QDS protocol, namely, the distribution stage, rate PB EB between SA and SB, where EB is the mis- the estimation stage and the messaging stage. We in- matching rate of the conclusive results. The inconclusive troduce a two-photon six-state QDS protocol to illus- outcomes are considered to match Alice’s announcement bits automatically. If the mismatching rate Ec T (T trate our basic idea. There are six single-photon quan- B ≤ a a tum states, H , V , = ( H V )/√2, R = is the authentication security threshold), Bob accepts the | i | i |±i | i ± | i | i ( H + i V )/√2 and L = ( H i V )/√2. The message. Otherwise, he rejects it and announces to abort six| i states| cani be arranged| i into| twelvei − | setsi H , + , the protocol. After Bob accepts the message, he for- {| i | i} wards it and the corresponding bit string SA to the veri- + , V , V , , , H , H , R , R , V , c c {| i | i} {| i |−i} {|−i | i} {| i | i} {| i | i} fier Charlie. Charlie checks the mismatching rate PC EC V , L , L , H , + , R , R , , , L , c {| i | i} {| i | i} {| i | i} {| i |−i} {|−i | i} between SA and SC , where EC is the mismatching rate of L , + , where the first state of each set represents c {|logici | 0 andi} the second logic 1. the conclusive results. If the mismatching rate EC Tv (T is the verification security threshold), Charlie accepts≤ The distribution stage: For each possible future mes- v the forwarded message, otherwise he rejects it. sage m = 0 and m = 1, Alice prepares two copies of a sequence of N single-photon quantum states. For each Note that the distribution stage is a quantum process, quantum state, Alice randomly chooses one of the twelve while the estimation and messaging stage are classical sets and generates one of two non-orthogonal states in communication processes. The time interval between the the set. Afterwards, she sends one copy to Bob and distribution stage and estimation stage is arbitrary. The the other to Charlie through insecure (unauthenticated) estimation stage is employed to estimate the parameters quantum channels. For each quantum state, Bob and Ta and Tv, which are used for the messaging stage. Af- Charlie randomly and independently perform a polariza- ter the distribution stage, once Alice wants to sign the tion measurement with one of the three bases Z,X,Y , message, she will start the estimation stage and the mes- and store the corresponding classical bit. Bob{ and Char-} saging stage. As Alice is the signer, she can identify the lie will announce the result if their detectors have no click, one who is the desired recipient (namely the authentica- and then Alice, Bob and Charlie will discard all the cor- tor) before the estimation stage. Therefore, the roles of responding data and keep the left M bits. For each quan- Bob and Charlie are equivalent, either of them can be tum state, Alice announces from which set she selects the the receiver of the message and forwards it to the other. state through the authenticated classical channels. Bob (Charlie) compares his measurement outcomes with the two states. If his measurement outcome is orthogonal III. SECURITY ANALYSIS to one of the states, he concludes that the other state has been sent, which represents a conclusive result. Oth- In the three-participant QDS protocol, at most one erwise, he concludes that it is an inconclusive outcome. participant can be an adversary, because the majority c c Let PB (PC ) be the probability that Bob (Charlie) has a vote is usually used to resolve the dispute [5, 8]. Then, conclusive result for each received quantum state; in the the only potential attack strategy can be either the repu- c c c ideal case, PB = PC = P = 1/6. Note that Bob and diation of the signer or the forgery of the authenticator. Charlie do not announce whether they have a conclusive We are now interested in why our scheme can prevent outcome. adversary’s attack without authenticated quantum chan- The estimation stage: The signer Alice chooses the nels. For Alice’s repudiation attack, authenticated quan- desired recipient, for example Bob, who will be the au- tum channels cannot help her because the quantum states thenticator in the messaging stage. Then Alice informs are prepared by herself. During the estimation stage, the other recipient, Charlie, to randomly choose Mt bits exploiting the random sampling theorem, one can esti- as the test bits used to estimate correlation (if Charlie is mate the correlation strength between Bob’s and Char- the authenticator chosen by Alice, Alice will inform Bob lie’s received quantum states. Therefore, the SWAP test 3

FIG. 1. (color online). Practical implementation of the three-participant QDS protocols. Alice’s setups for Scheme I (II) are shown respectively on the upper (lower) panel on the left. For the parts of Bob and Charlie, the setups are located on the right, which are shared by both schemes. AM: amplitude modulator used to prepare decoy-state, PM: polarization modulator used to prepare polarization states or active basis selection, BS: 50:50 beam splitter used to prepare two copies of quantum states, PBS: polarization beam splitter, D1-D4: single-photon detectors. and symmetry operation of Bob’s and Charlie’s quantum where H(e e ) is the conditional Shannon entropy func- p| b states or classical bits can be removed in our protocol, tion; ep and eb are the phase and bit error rates, re- which are realized by authenticated quantum channels spectively. If a bit is flipped, the probability of a phase [4, 6, 8–10, 15, 16] or secure classical channels [4, 5, 17] 4+√2 shift will be 8 . In the QDS protocol, eb is the ex- in other protocols. For Bob’s forgery attack, exploit- pectation value of mismatching rate between Alice’s bits ing the random sampling theorem, Charlie can estimate and Charlie’s conclusive results in the untested portion. the correlation strength between the quantum states Al- c Therefore eb = eC + δ1, δ1 is the finite sample size effect ice sends and those Charlie receives without authenti- which can be quantified by the random sampling without cated quantum channels, whereas in previous protocols, replacement [22] with the failure probability ǫ1. In order authenticated quantum channels are required to guaran- to optimally implement the forgery attack, Bob will at- tee that one copy of the quantum state Charlie receives tempt to make the mismatching rate between his guessed has not been tampered with. Detailed security analysis bits and Charlie’s conclusive-result bits reach the mini- are shown in Appendix A. mum value Sc. Employing the properties of min-entropy When Bob forges, Alice and Charlie are automatically and max-entropy [19, 23], Sc can be given by regarded as honest. A successful forgery means that the dishonest Bob forges (tampers) the message bit and H(Sc) 1 IBC , (2) ≥ − Charlie accepts it. Bob is unable to discriminate two where H(x)= x log x (1 x) log (1 x) is the binary copies of six-state (or four-state) without any error, since − 2 − − 2 − an unambiguous discrimination among C linearly depen- Shannon entropy function. There is no chance for Bob dent qubit states is only possible when at least C 1 to make a successful forgery in the ideal case when Char- copies of the states are available [18]. For this reason,− lie’s verification threshold satisfies Tv < Sc. However, we can restrict Bob’s forgery attack even when quan- considering the sampling with finite number of indepen- tum channels are insecure. We consider the case that dent Bernoulli random values, the observed average value Bob is restricted to collective forgery attack where his can be less than the expectation value with a probabil- optimal strategy is to acquire the information of each ity quantified by the Chernoff bound [24, 25]. Thus, the quantum state Charlie receives as much as possible (ex- probability that Charlie accepts (CA) the message forged ploiting quantum de Finetti theorem [19], we expect that by Bob is negligible as our scheme could guarantee the security against coher- 2 (Sc Tv) c ent forgery attack, which should be studied in the future). ε1 = Pr(CA) exp[ − PC Mu], (3) ≤ − 2S Thus, Bob’s attack strategy in the two-photon six-state c c QDS protocol can be reduced to the eavesdropping attack where PC Mu is the number of Charlie’s untested of Eve in the six-state SARG04-QKD protocol [20, 21] conclusive-result bits. given that the two-photon source is used. With the en- When Alice repudiates, Bob and Charlie are automat- tanglement distillation techniques [11, 21], we can obtain ically regarded as honest. A successful repudiation hap- the upper bound of Bob’s information IBC about Char- pens when Alice disavows the signature, with the mes- lie’s conclusive-result bits as (see Appendix B) sage accepted by Bob and rejected by Charlie. Alice must treat each quantum state received by both Bob 2 √2 3 and Charlie in the same way since the conclusive re- IBC = H(ep eb), ep = − + eb, (1) | 4 2√2 sults of quantum states they acquire are random, which 4 is similar to Ref. [8]. Conclusive results of partial quantum states can be acquired by Bob and Charlie simul- taneously, which can be used in the estimation stage to estimate the correlation strength between the quantum states they receive. Thus, exploiting the technique introduced in Ref. [8], our QDS scheme can guarantee security against the coherent repudiation attack even if the symmetry operation (optical multiport) [8] is removed. Let ∆t (∆) be the mismatching rate between Bob’s and Char- lie’s test (untested) bit string when they both have conclusive results. Let PB (PC ) be the expectation value of the mismatching rate between Alice’s and Bob’s (Char- lie’s) untested bits. Due to random sampling, we have c c c c ∆t eB +eC, ∆t +δ2 = ∆ PC /PC PB/PB, where δ2 FIG. 2. (color online). Signature rates versus total se- is the≤ finite sample size effect≥ quantified− by the random cure transmission distance. For simulation purposes, we sampling without replacement [22] with failure probabil- employ the following experimental parameters: the intrin- ity ǫ . When the two thresholds satisfy T >T + ∆, the sic loss coefficient of the ultralow-loss telecom fiber chan- 2 v a −1 probability that Bob accepts (BA) a message and Charlie nel is 0.160 dB km [22]. For superconducting nanowire single-photon detectors, the detection efficiency is 93% and rejects (CR) it is negligible as 7 the dark count rate is 1.0 × 10− [28]. The quantum bit c 2 error rate between Alice’s and Bob’s (Charlie’s) system is (A PBTa) ε2 = Pr(BA, CR) = exp − Mu , (4) E ≃ 1.0%. The ratio of random sampling is β = Mt/M = −5 − 2A 30%. The security (robustness) bound is εsec < 1.0 × 10 −6 (εrob < 1.0 × 10 ). The verification and authentica- where A = PB is a physical solution of the following tion thresholds {Tv,Ta} of two-photon six-state (four-state) equation and inequalities QDS is {6.45%, 1.50%} ({4.05%, 1.20%}); {Tv,Ta} of six- state and four-state in Scheme I (II) are {4.07%, 1.17%} c 2 c c c 2 (A PBTa) [PC Tv PC (A/PB + ∆)] ({4.275%, 1.20%}) and {3.46%, 1.12%} ({3.44%, 1.12%}), re- − = −c c , spectively. The intensities of six-state for Scheme I are 2A 3PC (A/PB + ∆) (5) c c µ = 0.34, ν = 0.16, ω = 0.01 and 0. The probabilities of P Ta ν>ω> 0). in Appendix B. Their probability distributions are set as Pµ, Pν , Pω and P0. Two copies of quantum states can be generated by 50:50 beam splitter (BS). The phases of Al- IV. DECOY-STATE QDS ice’s signal laser pulses can be internally modulated [29], which guarantees the security against unambiguous- The above idea using two ideal single-photon sources state-discrimination attack [30]. In the distribution stage can be practically implemented by weak coherent states of Scheme II, with a 50:50 BS and two AMs, two copies of with the decoy-state method [26, 27]. The schematic lay- weak coherent state pulses are generated and utilized to out of our practical QDS with phase-randomized weak modulate the following seven sets of intensities: µ1,µ1 , coherent states, Scheme I and II, are shown in Fig. 1. µ , 0 , 0,µ , ν ,ν , ν , 0 , 0,ν and 0{, 0 with} { 1 } { 1} { 1 1} { 1 } { 1} { } Scheme I and Scheme II have a few additional parts than µ1 > ν1 > 0. Their probability distributions are set as the above two-photon six-state QDS scheme, i.e., decoy- Pµ1µ1 , Pµ10, P0µ1 , Pν1ν1 , Pν10, P0ν1 and P00. We de- state modulation and announcement. In the distribution fine µ1,µ1 as the signal-state set, while other six sets stage of Scheme I, Alice exploits amplitude modulator compose{ the} decoy-state set. In the estimation stage of 5

Scheme I (II), Alice announces the intensity information superpositions [34], can be used for QDS. It may not be of each pulse, the polarization information of all decoy easily generalized to more participants with the scheme states (decoy-state sets), and a portion β of the signal in this paper. In QDS with more participants, other as- state (signal-state set) that is randomly selected by Bob pects should be considered, such as colluding attack [5], or Charlie. For the signal state (signal-state set), the efficiency and resource, which should be studied in the fu- β portion of data are regarded as test bits, while the ture. We remark that after submitting our manuscript, remaining ones are untested bits to be used in the mes- we became aware of another independent work imple- saging stage. menting QDS with unauthenticated quantum channels, The randomly selected test bits are used to defeat the however, it still requires secure classical channels [17]. repudiation attack. The decoy-state method is used to estimate the yield and bit error rate of two-photon component, which are exploited to defeat the forgery attack. ACKNOWLEDGMENTS For Alice’s repudiation attack, the decoy-state method does not bring any advantage because the decoy state This work is supported by the Chinese Academy of data are not used for test bits. For Bob’s forgery attack, Sciences and the National Natural Science Foundation of the decoy-state method cannot bring any advantage since China under Grant No. 61125502. the decoy states are randomly prepared by Alice. The H.-L.Y. and Y.F. contributed equally to this work. standard error analysis method [31] is used for estimating the statistical fluctuation in the decoy-state method. We remark that the roles of Bob and Charlie in Scheme I Appendix A: DETAILED SECURITY ANALYSIS (II) are equivalent, either can be the authenticator. De- tailed analysis and calculations are shown in Appendix 1. Security against repudiation C. We simulate the signature rates R of our QDS schemes In a repudiation case, the dishonest signer Alice suc- as functions of total secure transmission distance L, as cessfully cheats two honest recipients Bob and Charlie. shown in Fig. 2. Here, the signature rate is defined as Here, Charlie selects the test bits which can be regarded R =1/(2N) because we employ 2N qubit states to sign as the random sampling since Charlie is an honest partic- one bit of classical message. We consider the symmetric ipant. We exploit the technique introduced in Ref. [8] to case where the distance between Alice and Bob (Charlie) prove that the general quantum repudiation attack (i.e., is L/2. For weak coherent states in Schemes I and II, we coherent attack) relative to individual repudiation attack present an analytical method to estimate the parameters does not provide any advantage. For each possible future of two-photon component. Figure 2 also shows signa- message to be signed, m = 0 and m = 1, Alice sends N ture rates of four-state QDS for comparison. The linear quantum states ρ 1 1 (arbitrary form) to Bob optical elements and threshold single-photon detectors B ,C ,...,BN CN and Charlie, respectively. Therein, M quantum states constituting measurement devices are used in our QDS are received both by Bob and Charlie. Bob and Charlie schemes by the universal squash model [32]. The detec- directly measure the received quantum states and store tor error model [33] is applied to calculate the detection them as classical bits. Charlie randomly selects M bits probability and error rate of quantum states. Accord- t from M bits as the test bits in the estimation stage. The ing to the simulation result, if we consider the system remaining M = M M untested bits are used in the with 10 GHz clock rate and six-state polarization encod- u t messaging stage. If− and only if both Bob and Charlie ing, we can generate a signature rate of 294 bps for a receive a quantum state can the event be used for pro- channel length of 100km with two copies of single-photon viding the security against repudiation. Otherwise, Alice source, 0.78 bps (1.12 bps) for Scheme I (II) with phase- can simply make Bob accept the message but Charlie re- randomized weak coherent states over the same distance. ject it. In the six-state QDS, for each received quantum state, the probability is P c =1/6 that Bob (Charlie) has a conclusive result combining with the set of quantum V. CONCLUSION state in the ideal case (P c = 1/4 for four-state QDS). Alice is not able to know which quantum state can be In this work, we propose a QDS protocol with the im- confirmed by Bob or Charlie. Therefore, from the per- mediate feasibility of implementing it over a distance of spective of Alice, she must treat each quantum state re- more than 100 km. The signature rate in our protocol can ceived by Bob (Charlie) in the same way. We define 1(0) achieve better performance at longer distance than previ- as the event that the measurement result of Bob or Char- ous protocols due to, among others, the Chernoff bound lie mismatches (matches) Alice’s announcement. If Bob and the decoy-state method. We anticipate that the sig- or Charlie does not have a conclusive result, the result is nature rate could be significantly increased by adopting considered to match Alice’s announcement automatically. tighter bound in the sampling theory, e.g., the tighter We encode each matching result of Bob’s and Charlie’s u u Chernoff bound in [29]. Similar to QKD, any photon- untested bits as classical-quantum state ϕB and ϕC , u u | i | i number distribution source, such as the coherent-state respectively, with ϕB, ϕC =0, 1. 6

The classical-quantum state of matching outcomes of Charlie receive are not correlated with others and not re- Bob and Charlie used in the messaging stage can be writ- quired to be identical. The matching result of Bob’s and ten as Charlie’s untested bits (used in the messaging stage) can be regarded as independent Bernoulli random variables M u that satisfy Pr(ϕu = 1) = pi and Pr(ϕu = 1) = pi , ρu = p(ϕu ,...,ϕu ) ϕu ϕu , Bi B Ci C B B1 BMu Bi Bi ¯ u ¯ u u i 1, 2,...,Mu . Let XB = 1/Mu i ϕBi and XC = ϕB ,...,ϕB i=1 1 Mu ∈ { u } X O 1/Mu ϕ , the expectation values of X¯B and X¯C are i Ci P Mu denoted as P = 1/M pi and P = 1/M pi , ρu = p(ϕu ,...,ϕu ) ϕu ϕu . P B u i B C u i C C C1 CMu Ci Ci respectively. An observed outcome of X¯B (X¯C ) is repre- u u ϕC ,...,ϕC i=1 P P 1 X Mu O sented asx ¯B (¯xC ). (A1) If the authentication mismatching rate satisfiesx ¯B c c ≤ The successful repudiation probability relies on the state PBTa (PB represents the probability of Bob’s conclusive ρu, results), Bob accepts the signed message. By exploiting Chernoff Bound [24, 25], the probability of Bob accepting ρu = ρu ρu . (A2) B ⊗ C (denoted as BA) a valid message can be given by c The repudiation process can be described by the follow- Pr(BA) = Pr(PB x¯B PB PBTa) ing classical-quantum state − ≥ − (P P c T )2 (A7) exp B − B a M , u u u ≤ − 2P u ep(ρ )= p(ρ ) Suc Suc + [1 p(ρ )] Fai Fai , B R | ih | − | ih (A3)| where Pr(BA) is a strictly decreasing function for pa- where the orthogonal states Suc and Fai represent rameter P , 1 P P c T . If the verification mis- success and failure of repudiation,| respectively.i | i The state B B B a matching ratex ¯≥ P≥c T (P c represents the probabil- ρu is a convex combination of states, C C v C ity of Charlie’s conclusive≥ results), Charlie will reject the signed message. By exploiting Chernoff Bound [24, 25], ρu = p(ϕu ,...,ϕu ) B1 BMu u u u u the probability of Charlie rejecting (denoted as CR) a ϕB ,ϕC ,...,ϕB ,ϕC 1 1 X Mu Mu valid message can be given by Mu c p(ϕu ,...,ϕu ) ϕu ϕu ϕu ϕu (A4) Pr(CR) = Pr(¯xC PC PC Tv PC ) C1 CMu Bi Bi Ci Ci − ≥ − i=1 (P c T P )2 (A8) O exp C v − C M , ≤ − 3P u = p(j)ρj . C j X where Pr(BA) is a strictly increasing function for param- c The successful repudiation probability is given by eter PC , 0 < PC < PC Tv. A successful repudiation means that Bob accepts the Tr[ Suc Suc ep(ρu)] signed message and Charlie rejects it. The probability | ih |R can be written as = Tr Suc Suc ep p(j)ρ | ih |R  j  Pr(BA, CR) sup min Pr(BA), Pr(CR) . (A9) j ≤ { { }} X    (A5) Under reasonable conditions, in order to make the value = p(j)Tr[ Suc Suc ep(ρ )] | ih |R j of Pr(BA, CR) as large as possible, Alice will make the j X parameter PC as large as possible and PB as small as = p(j)p(ρj ). possible. Because we remove the SWAP test [6] and j symmetry operation (optical multiport) [8] (to guaran- X tee that the quantum states that Bob and Charlie receive Since j p(j)p(ρj ) is a convex combination of probabili- are identical), PB = PC will no longer be satisfied. How- ties and j p(j) = 1, we have ever, we can restrict the difference between PC and PB. P Thereby, the upper bound of the successful repudiation P probability can be restricted. p(j)p(ρj ) p(j)max p(ρj ) = max p(ρj). ≤ j j (A6) j j For all quantum states received by both Bob and X X Charlie, Bob (Charlie) records a string of data = YB Therefore, the maximum value of the successful repudia- yB1 ,yB2 ,...,yBM ( C = yC1 ,yC2 ,...,yCM ). Here, tion probability is acquired based on one individual state {y represents the }ithY data and{ one has y } 0, 1, . Bi Bi ∈ { ⊥} ρj . That is, the optimal individual repudiation attack yBi = 0, 1 (yBi = ) represents that Bob has a conclu- can give out the upper bound of the repudiation attack. sive (inconclusive)⊥ outcome. Let t ( t ) be the test bit YB YC In the individual repudiation attack, Alice sends in- string which is a random sample of size Mt of B ( C ) u Yu Y dividual and possibly different quantum states to Bob and the remaining untested bit string is B ( C ). Sim- and Charlie. Each pair of the quantum states Bob and ilarly, the bit string of Alice is ( =Y t Y u ) and YA YA YA YA S 7

2(n + k)λ(1 λ) g(n, k, λ, ¯ǫ)= − r nk √n + kC(n,k,λ) ln , × s 2πnkλ(1 λ)¯ǫ − (A13) 1 1 1 C(n,k,λ) =exp p + 8(n + k) 12k − 12kλ +1 1 . FIG. 3. (color online). Schematic representation of diﬀerent − 12k(1 λ)+1 bit strings. The left black frame (right yellow frame) rectangle − represents the string of test (untested) bits. The horizontal c c where ǫ2 is the failure probability, PC PB Mu and red shadow (vertical blue shadow) represents the bit string of c c PC PBMt are the numbers of untested bits and test bits Bob’s (Charlie’s) conclusive results. given that both Bob and Charlie have the conclusive results, respectively. From Eq. (A7)-Eq. (A9), we know that the optimal probability that Bob accepts a message while Charlie re- we have yAi 0, 1 for the quantum states prepared by jects it is Alice. As is∈{ clear from} the above descriptions, we have u u u u u u (A P c T )2 ϕB = yA yB and ϕC = yA yC (0, 1 := 0). Let B a i i ⊕ i i i ⊕ i ⊕⊥ ε2 = Pr(BA, CR) = exp − Mu , (A14) c = ct cu and c = ct cu represent the bit − 2A B B B C C C YstringsY of Bob’s∪ Y and Charlie’sY Y conclusive∪ Y results, respec- c ct cu where A = PB is a physical solution of the following tively. AB = AB AB represents Alice announc- Y Y ∪ Y c ct cu equation and inequalities ing the bit string corresponding to B = B B , c ct cu Y Y ∪ Y while AC = AC AC represents Alice announcing c 2 c c c 2 Y Y ∪ Y c ct cu (A PBTa) [PC Tv PC (A/PB + ∆)] the bit string corresponding to C = C C . Let − = − , c ct cu c ct Ycu Y ∪ Y 2A 3P c (A/P c + ∆) (A15) B = B B ( C = C C ) represents the bit C B Z Z ∪ Z Z Z ∪ Z c c string of Bob (Charlie) given that Bob and Charlie both PB Ta

Exploiting relative Hamming distance and the random 2. Security against forgery sampling theorem, for the arbitrary bit string Alice announces, the expectation value ∆ can be given by In a forgery case, the dishonest recipient, Bob, can successfully deceive two honest participants, i.e., the signer Alice and the other recipient Charlie. Bob authenticates cu cu cu cu cu cu ∆ = dH( B , C ) dH( A , C ) dH( A , B ) the validity of the message sent by Alice, while Charlie Zcu Z cu ≥ Z cu Z cu − Z Z = dH( AC , C ) dH( AB , B ) veriﬁes the validity of the message forwarded by Bob. Yu Yu −c Y u Y u c Here, the test bits Charlie selects can be regarded as = dH( A, C )/PC dH( A, B )/PB Y Y − Y Y the random sampling since Charlie is an honest partici- = P /P c P /P c . C C B B pant. The forgery is successful when Charlie accepts (de- − (A10) noted as CA) the forged (tampered) message forwarded The test distance ∆t can be given by by Bob. For all conclusive measurement outcomes of the cu untested bits, Charlie records a string of data C = cu cu cu c Y y ,y ,...,y , where Lc = P Mu is the num- ∆ = d ( ct, ct) d ( ct, ct) + d ( ct, ct) { C1 C2 CLc } C t H ZB ZC ≤ H ZA ZB H ZA ZC ber of conclusive measurement outcomes of the untested = d ( ct , ct) + d ( ct , ct)= ec + ec . cu u cu H AB B H AC C B C bits. It is obvious to see C C and yCi 0, 1 Y Y Y Y (A11) cuY ⊆ Ycu cu ∈cu { } for i 1,...,Lc . Let BF = yBF1 ,yBF2 ,...,yBFL c c ∈ { } Y { c } Here, eB (eC) is the mismatching rate between Bob’s represents the bit string Bob forwards corresponding to cu (Charlie’s) conclusive results of test bits and Alice’s an- C . We consider the case that Bob is restricted to col- nouncement bits, which can be acquired in the estimation lectiveY forgery attack in which his optimal strategy is to stage. Taking into account the random sampling without correctly guess the information of each quantum state as replacement theorem [22], we have much as possible. We assume that the upper bound of Bob’s information IBC about Charlie’s conclusive result bits can be acquired with failure probability ǫ1. Note that c c c c ∆ = ∆t + δ2, δ2 =g[PCPB Mu, PC PBMt, ∆t,ǫ2], the values of estimating the information are diﬀerent for (A12) various protocols and will be analyzed in the following 8

cu c c section. Let Sc be the mismatching rate between BF where ε′ is the failure probability, PBMu and PBMt are and cu. In order to optimally implement the forgeryY the numbers of untested bits and test bits given that Bob YC attack, Bob will make Sc reach the minimum value with has conclusive results, respectively. If one has EB >Ta, IBC . So the minimum mismatching rate Sc can be given Bob rejects (denoted as BR) the message sent by Alice. by [19, 23] The probability can be written as

c c c c H(Sc) Hmax(C B) Hmin(C B)=1 IBC , (A16) εrob = Pr(BR) <ε′ =h(PB Mu, PB Mt, EB,Ta EB), ≥ | ≥ | − 2 − exp[ nkt ]C(n,k,λ) where H(x)= x log x (1 x) log (1 x) is the binary 2(n+k)λ(1 λ) − 2 − − 2 − h(n,k,λ,t)= − − , entropy function. The max-entropy Hmax(C B) is upper 2πnkλ(1 λ)/(n + k) | bounded by the minimum number of bits of additional − (A20) cu p information about C which are needed to perfectly re- cu Y cu construct C from BF . The min-entropy Hmin(C B) quantifiesY the minimumY uncertainty that Bob has about| Appendix B: Two copies of single-photon states cu C using the optimal attack strategy. Y Let c = ϕcu , ϕcu ,...,ϕcu be a set of independent XC { C1 C2 CLc } In the following, we analyze Bob’s information IBC Bernoulli random variables which represent the matching about Charlie’s conclusive result bits in the two-photon results between Charlie’s conclusive measurement out- six-state (four-state) QDS in detail. Besides, we calculate comes of the untested bits and those Bob forwards, i.e., the signature rate and the corresponding security bound cu cu cu ¯ c cu ϕCi = yCi yBFi . Let XC = 1/Lc i ϕCi , the expec- in the practical fiber-based protocol. ⊕ ¯ c ¯ c tation value of XC can be given by E[XC ] = Sc. An We consider the case that Bob is restricted to collec- ¯ c P c observed outcome of XC is represented asx ¯C . If the tive forgery attack in which his optimal strategy is to c verification mismatching rate satisfiesx ¯C Tv, Charlie correctly guess the information of each quantum state as accepts the forged message. There is no chance≤ that Bob much as possible. Therefore, the attack strategy of Bob successfully forges in the ideal conditions when the veri- in two-photon six-state QDS protocol is equivalent to the fication threshold of Charlie satisfies Tv

4+√2 to Bob through the insecure (unauthenticated) quantum 8 eb. With the same method, for the single-photon channel. After some possible intervention from Eve, Bob 3 six-state SARG04-QKD, we have ep = 2 eb and PY = receives the quantum state. Bob randomly applies the 3 ′ e . In the asymptotic case, I can be given by k 1 4 b BC rotation R− Tl−′ to the qubit state and a filtering operation whose successful operation is descried by Kraus op- IBC =IE = H(ep eb) erator F . A successful filtering corresponds to a conclu- | 1+ a e e sive result of Bob. Alice and Bob then publicly announce = (1 + a e e ) log − b − p − − b − p 2 1 e k,l and k′,l′ , meanwhile, they keep the quantum − b { } { } ep a eb a states with k = k′,l = l′. Bob randomly chooses some (ep a) log2 − (eb a) log2 − quantum states as test bits. Alice and Charlie measure − − 1 eb − − eb − them in Z basis. Then, they compare the partial mea- a a log2 , surement outcomes to estimate bit error rates and the − eb information that Eve acquires. (B6) Let ρqubit represents a pair of qubit states that Alice where H(ep eb) is the conditional Shannon entropy func- | 4+√2 and Bob share, which can be given by tion, a = PY = 8 eb quantifies the mutual information between bit and phase errors. k 1 u k ρqubit = Pˆ[IA ( F R− T − E Tl R ) ξl,k,u ], In the two-photon four-state QDS scheme, there are ⊗ B lB B B B | i l,k u four single-photon BB84 quantum states H , V , + = X X | i | i | i (B1) ( H + V )/√2, = ( H V )/√2. The four where l 0, 1, 2 , k 0, 1, 2, 3 , u 0, 1 and states| i can| bei divided|−i into four| setsi − |Hi , + , + , V , ∈{ } ∈{ } ∈{ } V , , , H , where the first{| statei | i} from{| eachi | seti} 1 k represents{| i |−i} logic{|−i 0| andi} the second state logic 1. In ad- ξl,k,u = [ ux TlR ϕ0 0z A ϕ0 B | i √2 h | | i| i | i dition to the preparation of quantum states, other pro- (B2) + u T Rk ϕ 1 ϕ ], cesses are the same with the two-photon six-state QDS h x| l | 1i| ziA| 1iB u scheme. The entanglement distillation protocol can be E = 0 E u , Pˆ(X Ψ )= X Ψ Ψ X†. B h x| B| xi | i | ih | converted to the unconditionally secure two-photon four- state SARG04-QKD. In the asymptotic case, the rela- E is a 4 4 matrix which depends on Eve’s operation B tionship between the phase error rate and the bit error and we can× safely assume that the final state of Eve’s rate can be given by [21] system is a particular state 0x . The probabilities of bit flip and phase shift can be given| i by 3 2x + 6 6√2x +4x2 ep = min xeb + − − , x. pbit = PX + PY , x 6 ∀ (B3) ( p ) pph = PZ + PY , (B7) Meanwhile, we can set a = PY = eb ep, which corre- where sponds to no mutual information between× bit and phase errors. P = Tr[ρ Ψ+ Ψ+ ], X qubit| ih | Hereafter, the detector error model [33] is applied to P = Tr[ρ Ψ− Ψ− ], (B4) Y qubit| ih | estimate the detection probability and error rate of quan- PZ = Tr[ρqubit Φ− Φ− ]. tum states. In the simulation, we simply apply the case | ih | that Alice and Bob do not interfere with the protocol. If Cpbit + C′pfil pph holds, then Ceb + C′ ep is expo- The overall gain Q can be given by nentially reliable≥ as the number of successfully≥ filtering states increases [21]. p = Tr[ρ ] is the trace of state Q = [1 (1 Y0)(1 ηB)][1 (1 Y0)(1 ηC )], (B8) fil qubit − − − − − − ρqubit. It is very clear to see that pfil, pbit and pph are the functions of eight elements and their conjugates, i.e., which indicates the ratio of the number of Bob’s and T T T pfil = ~c∗Afil~c , pbit = ~c∗Abit~c and pph = ~c∗Aph~c . Afil, Charlie’s detection coincidence events to Alice’s number A , and A are 8 8 matrices, the eight elements in ~c of emitted signals. Y0 represents the probability that bit ph × are directly taken from E . If CA +C′A A 0 is Bob’s (Charlie’s) detector clicks when the input of Bob B bit fil − ph ≥ a positive semi-definite matrix, Cp + C′p p will (Charlie) is a vacuum state. Because of active basis se- bit fil ≥ ph always be satisfied. After a complex calculation accord- lection, we have Y0 =2pd(1 pd), where pd represents the − αLAB/10 ing to the above formulas, we can acquire the relationship dark count rate of each detector. ηB = ηd 10− αLAC /10 × between phase error rate and bit error rate (ηC = ηd 10− ) represents the transmission efficiency from× Alice to Bob (Charlie). Here, we consider a 2 √2 3 widely used fiber-based setup model. Therein, ηd repre- ep = − + eb, (B5) 4 2√2 sents the detection efficiency, LAB (LAC) is the distance between Alice and Bob (Charlie), α is the intrinsic loss in the two-photon six-state SARG04-QKD. Therein, the coefficient of the fiber. Taking into account the universal probability that both bit and phase occur error is PY = squash model [32], the threshold single-photon detector 10 can be used in our scheme. The gain of Bob’s conclusive while the signer is honest. The decoy states are randomly results and Charlie’s conclusive results are given by prepared by Alice which can be used to prove the security against forgery attack. Therefore, the roles of Bob c 1 and Charlie are equivalent in the decoy-state-based QDS QB = z[(1 ηB)Y0 + ( + ed)ηB ][1 (1 Y0)(1 ηC )] − 2 − − − protocol, both Bob and Charlie could be the authentica- c = PB Q, tor. c 1 The overall gain Qλ can be given by QC = z[(1 ηC )Y0 + ( + ed)ηC ][1 (1 Y0)(1 ηB )] λ λ − 2 − − − 2 ηB 2 ηC c Qλ = [1 (1 Y0)e− ][1 (1 Y0)e− ], (C1) = PC Q, − − − − (B9) where λ µ, ν, ω, 0 . The gain of Bob’s conclusive re- where ed represents the misalignment in the channel, for sults and∈ Charlie’s { conclusive} results are given by 1 1 six-state scheme, z = 3 , for four-state scheme, z = 2 . λ 1 λ The overall quantum bit error rate (QBER) of Bob’s con- c 2 ηB 2 ηB Q =z[Y0e− + ( + ed)(1 e− )] clusive results and Charlie’s conclusive results are given Bλ 2 − λ ηC c by [1 (1 Y )e− 2 ]= P Q , × − − 0 Bλ λ λ 1 λ c c 1 c 2 ηC 2 ηC e Q = z[ (1 ηB)Y0 + edηB][1 (1 Y0)(1 ηC )], QCλ =z[Y0e− + ( + ed)(1 e− )] (C2) B B 2 − − − − 2 − λ 2 ηB c c c 1 [1 (1 Y0)e− ]= PCλQλ eC QC = z[ (1 ηC )Y0 + edηC ][1 (1 Y0)(1 ηB)], × − − 2 − − − − ∞ n λ λ (B10) = e− Y , n! Cn The amount of Charlie’s randomly selected test bits is n=0 M = βQN, the remaining bits M = (1 β)QN are X t u − untested bits. In the QDS protocol, eb is the expecta- where YCn is the yield given that Alice sends n-photon tion value of mismatching rate between Alice’s bits and pulse, both Bob’s and Charlie’s detectors click and Char- Charlie’s conclusive result bits in the untested portion. lie has a conclusive result. The overall QBER of Bob’s c conclusive results and Charlie’s conclusive results are Therefore eb = eC + δ1, δ1 is the finite sample size effect which can be quantified by the random sampling with- given by out replacement theorem [22] with failure probability ǫ1. λ λ c c 1 2 ηB 2 ηB Therefore, we have e Q =z[ e− Y0 + ed(1 e− )] Bλ Bλ 2 − λ c c c ηC δ = g[P M , P M ,e ,ǫ ]. (B11) [1 (1 Y )e− 2 ], 1 C u C t C 1 × − − 0 λ λ c c 1 ηC ηC Note that the security thresholds satisfy T

L error analysis method [31] to calculate the statistical ﬂuc- Tv2 and QC2 are the mismatching rate threshold and the tuation. Thus, we have gain (lower bound) of the two-photon component, respectively. The security level of the protocol can be written c U/L c nα1 as (QCλ) = QCλ 1 c , (C5) ± NλQCλ ! εsec = εnor + εunf (C11) where Nλ is the number of pulsesp given that Alice sends = ε1 + ε2 + ǫ2 +7ǫ3, c weak coherent states with intensity λ. NλQCλ is the number of pulses given that Alice sends weak coherent where 7ǫ3 is the failure probability due to the decoy-state states with intensity λ and Charlie has a conclusive re- method, and sult. Thus, we have Nλ = PλN and Pλ is the probability 2 1 ∞ t 2 of intensity λ. ǫ3 = e− dt, (C12) √2π 1 Only the contribution of signal-state can be used as Znα test bits and untested bits. The amount of Charlie’s ran- n is the number of standard deviations, we set n = domly selected test bits is M = βQ P N, the remaining α1 α1 t µ µ 4.753 for simulation. The probability of the robustness bits M = (1 β)Q P N are untested bits. The distance u µ µ is ∆ is written− as c c εrob = Pr(BR) <ε′ ∆ = ∆t + δ2, ∆t = eBµ + eCµ, (C6) c c c c (C13) c c c c = h[PBµMu, PBµMt,eBµ,Ta eBµ]. δ2 = g[PC PBMu, PC PB Mt, ∆t,ǫ2]. − Because an unambiguous discrimination among C linearly dependent states of a qubit space is only possible 2. Practical QDS with Scheme II when at least C 1 copies of the states are available − [18]. In the six-state QDS with phase-randomized weak The overall gain Qγχ can be given by coherent states, Bob cannot unambiguously discriminate γηB χηC the polarization states when Alice sends 3-photon or 4- Qγχ = [1 (1 Y0)e− ][1 (1 Y0)e− ], (C14) − − − − photon pulses. For simplicity, we only consider the contribution of the two-photon component. For vacuum- where γ,χ = µ1,µ1 , µ1, 0 , 0,µ1 , ν1,ν1 , ν , 0 ,{ 0,ν} and{ 0, 0 .} The{ gain} of{ Bob’s} conclusive{ } state and single-photon component, there is a negligible { 1 } { 1} { } probability to indicate a successful event due to the low results and Charlie’s conclusive results can be written as dark count rate. Therefore, we can assume that Bob can c γηB 1 γηB Q =z[Y e− + ( + e )(1 e− )] guess the bits of Charlie’s conclusive results without er- Bγχ 0 2 d − rors unless Alice sends two-photon component pulses. χηC c [1 (1 Y )e− ]= P Q , The optimal probability of Bob accepting the message × − − 0 Bγχ γχ c χηC 1 χηC while Charlie rejecting is Q =z[Y e− + ( + e )(1 e− )] Cγχ 0 2 d − (C15) c 2 (A PBµTa) γηB c ε = Pr(BA, CR) = exp[ − M ], (C7) [1 (1 Y0)e− ]= PCγχQγχ 2 − 2A u × − − ∞ ∞ n m γ γ χ χ where A is the physical solution of the following equation = e− e− YCnm, n! m! and inequalities, n=0 m=0 X X c 2 c c c 2 where Y is the yield that both Bob’s and Charlie’s (A P Ta) P Tv P A/P + ∆ Cnm − Bµ = Cµ − Cµ Bµ , detectors click and Charlie has a conclusive result given 2A c c 3PCµ A/P Bµ + ∆ that Alice sends n-photon pulses to Bob and m-photon pulses to Charlie. The overall QBER of Bob’s conclusive P c T

The optimal probability of Charlie accepting a forged c c 1 γηB γηB e Q =z[ e− Y + e (1 e− )] message is Bγχ Bγχ 2 0 d − χηC 2 L [1 (1 Y0)e− ], (Sc Tv2) QC2 c × − − ε1 = Pr(CA) = exp − P Mu , c Cµ c c 1 χηC χηC "− 2Sc QCµ # e Q =z[ e− Y0 + ed(1 e− )] Cγχ Cγχ 2 − (C16) (C9) γηB L [1 (1 Y0)e− ] QC2 c where c P Mu is the minimum number of Charlie’s × − − QCµ Cµ n m ∞ ∞ γ γ χ χ conclusive result bits in the untested bits given that Alice = e− e− e Y , n! m! Cnm Cnm sends two-photon component pulses, and n=0 m=0 X X c 2 QCµ L µ µ L where eCnm is the QBER. Exploiting the decoy-state Tv2 = Tv L ,QC2 = e− YC2. (C10) QC2 2 method [26, 27], the yield YC11 and QBER eC11 of the 12

L two-photon component in the signal-state set can be esti- QC11 c where Qc PCµ1µ1 Mu is the minimum number of Char- mated. It is clear that the estimation of Y and e is Cµ1µ1 C11 C11 lie’s conclusive result bits in the untested bits given that similar to that used in measurement-device-independent Alice sends two-photon component pulses, and QKD [29]. So YC11 and eC11 can be written as [14, 29] Qc 1 Cµ1µ1 L 2µ1 2 L Y Tv11 = Tv ,Q = e− µ Y , (C24) C11 ≥µ2ν2(µ ν ) QL C11 1 C11 1 1 1 − 1 C11 3 2ν1 c ν1 c ν1 c µ1(e QCν1ν1 e QCν10 e QC0ν1 ) L × − − Tv11 and QC11 are the mismatching rate threshold and nν3(e2µ1 Qc eµ1 Qc eµ1 Qc ) the gain (lower bound), respectively. The security level − 1 Cµ1µ1 − Cµ10 − C0µ1 of the protocol can be written as 3 3 c + (µ1 ν1 )QC00 − εsec = εnor + εunf o (C17) (C25) and = ε1 + ε2 + ǫ2 + 11ǫ4.

1 2ν1 c c ν1 c c eC11 2 e eCν1ν1 QCν1ν1 e eCν10QCν10 where 11ǫ4 is the failure probability due to the decoy- ≤ν1 YC11 − state method, and ν1 c c c c e eC0ν1 QC0ν1 + eC00QC00 . 2 1 ∞ t − 2 (C18) ǫ4 = e− dt, (C26) √2π 2 We exploit the standard error analysis method to calcu- Znα late the statistical fluctuation. Thus, we have nα2 is the number of standard deviations and we set nα2 =4.845 for simulation. c U/L c nα2 The probability of the robustness is (QCγχ) = QCγχ 1 . (C19)  ± c  NγχQCγχ εrob = Pr(BR) <ε′  q  Here, Nγχ is the number of pulses given that Alice sends c c c c = h[PBµ1µ1 Mu, PBµ1µ1 Mt,eBµ1µ1 ,Ta eBµ1µ1 ]. weak coherent states with intensity set γ,χ . Thus, − { } (C27) Nγχ = PγχN and Pγχ is the probability of intensity set γ,χ . { } Only the contribution of signal-state set can be used as 3. Decoy-state method cannot help the adversary test bits and untested bits. The amount of Charlie’s random selected test bits is M = βQ 1 1 P 1 1 N, and the t µ µ µ µ For Alice’s repudiation attack, the dishonest signer remaining bits M = (1 β)Q 1 1 P 1 1 N are untested u µ µ µ µ Alice attempts to cheat two honest recipients Bob and bits. The distance ∆ is written− as Charlie. Since quantum states are prepared by Alice, c c ∆ = ∆t + δ2, ∆t = eBµ1µ1 + eCµ1µ1 , multi-photon component will provide no advantages for c c c c (C20) δ2 = g[PC PBMu, PC PB Mt, ∆t,ǫ2]. Alice. Only the contribution of signal-state (set) can be use as test bits and untested bits in the QDS with phase- The optimal probability of Bob accepting the message randomized weak coherent states. The security analysis while Charlie rejecting is of repudiation attack does not use the information of the c 2 (A P Ta) decoy-state. Therefore, the decoy-state method does not ε = Pr(BA, CR) = exp[ − Bµ1µ1 M ], 2 − 2A u bring any advantage for Alice’s repudiation. (C21) In the case of Bob’s forgery attack, the dishonest au- where A is the physical solution of the following equation thenticator Bob attempts to cheat the honest signer Alice and inequalities, and the honest verifier Charlie. The decoy-state method (A P c T )2 is used to estimate the yield and bit error rate of two- − Bµ1µ1 a photon component sent by Alice given that Charlie has a 2A conclusive result. Furthermore, the decoy-state method 2 P c T P c A/P c + ∆ is used to estimate the minimum number (maximum Cµ1µ1 v Cµ1µ1 Bµ1µ1 (C22) = − , average information I ) of Charlie’s conclusive result 3P c A/P c + ∆ BC Cµ1µ1 Bµ1µ1 bits given that Alice sends two-photon component pulses, c c which is used for security against forgery attack. Thus, PBµ1µ1 Ta quantum channel to decide which be detected by the receiver as the effective event, such as qubit (location) has the chance to be detected by Char- the photon-number-splitting attack [35]. Therefore, the lie. The above two aspects are equivalent to that Bob decoy-state method cannot bring any advantage for Bob can decide the effective event. In the QKD protocol, Eve to forge in the QDS. can also decide which qubit (location) has the chance to

[1] D. Chaum and S. Roijakkers, in Advances in Cryptology- [19] R. Renner, PhD thesis, ETH Zurich. Preprint CRYPTO’90 (Springer, 1991) pp. 206–214. arXiv:0512258 (2005). [2] J. Shikata, G. Hanaoka, Y. Zheng, and H. Imai, in [20] V. Scarani, A. Ac´ın, G. Ribordy, and N. Gisin, Phys. Advances in Cryptology-EUROCRYPT 2002 (Springer, Rev. Lett. 92, 057901 (2004). 2002) pp. 434–449. [21] K. Tamaki and H.-K. Lo, Phys. Rev. A 73, 010302 [3] C. M. Swanson and D. R. Stinson, in Information Theo- (2006). retic Security (Springer, 2011) pp. 100–116. [22] B. Korzh, C. C. W. Lim, R. Houlmann, N. Gisin, M. J. [4] P. Wallden, V. Dunjko, A. Kent, and E. Andersson, Li, D. Nolan, B. Sanguinetti, R. Thew, and H. Zbinden, Phys. Rev. A 91, 042304 (2015). Nature Photon. 9, 163 (2015). [5] J. M. Arrazola, P. Wallden, and E. Andersson, [23] M. Tomamichel, C. C. W. Lim, N. Gisin, and R. Renner, arXiv:1505.07509 (2015). Nature Commun. 3, 634 (2012). [6] D. Gottesman and I. Chuang, arXiv preprint [24] H. Chernoff, Ann. Math. Stat. 23, 493 (1952). quant-ph/0105032v2 (2001). [25] M. Curty, F. Xu, W. Cui, C. C. W. Lim, K. Tamaki, and [7] L. Lamport, Technical Report CSL-98, SRI International H.-K. Lo, Nature Commun. 5, 3732 (2014). Palo Alto (1979). [26] X.-B. Wang, Phys. Rev. Lett. 94, 230503 (2005). [8] V. Dunjko, P. Wallden, and E. Andersson, Phys. Rev. [27] H.-K. Lo, X. Ma, and K. Chen, Phys. Rev. Lett. 94, Lett. 112, 040502 (2014). 230504 (2005). [9] P. J. Clarke, R. J. Collins, V. Dunjko, E. Andersson, [28] F. Marsili, V. B. Verma, J. A. Stern, S. Harrington, A. E. J. Jeffers, and G. S. Buller, Nature Commun. 3, 1174 Lita, T. Gerrits, I. Vayshenker, B. Baek, M. D. Shaw, (2012). R. P. Mirin, and S. W. Nam, Nature Photon. 7, 210 [10] R. J. Collins, R. J. Donaldson, V. Dunjko, P. Wallden, (2013). P. J. Clarke, E. Andersson, J. Jeffers, and G. S. Buller, [29] Y.-L. Tang, H.-L. Yin, S.-J. Chen, Y. Liu, W.-J. Zhang, Phys. Rev. Lett. 113, 040502 (2014). X. Jiang, L. Zhang, J. Wang, L.-X. You, J.-Y. Guan, D.- [11] V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, X. Yang, Z. Wang, H. Liang, Z. Zhang, N. Zhou, X. Ma, M. Duˇsek, N. Lütkenhaus, and M. Peev, Rev. Mod. T.-Y. Chen, Q. Zhang, and J.-W. Pan, Phys. Rev. Lett. Phys. 81, 1301 (2009). 113, 190501 (2014). [12] H.-K. Lo, M. Curty, and K. Tamaki, Nature Photon. 8, [30] Y.-L. Tang, H.-L. Yin, X. Ma, C.-H. F. Fung, Y. Liu, 595 (2014). H.-L. Yong, T.-Y. Chen, C.-Z. Peng, Z.-B. Chen, and [13] M. Hillery, V. Buˇzek, and A. Berthiaume, Phys. Rev. A J.-W. Pan, Phys. Rev. A 88, 022308 (2013). 59, 1829 (1999). [31] X. Ma, B. Qi, Y. Zhao, and H.-K. Lo, Phys. Rev. A 72, [14] Y. Fu, H.-L. Yin, T.-Y. Chen, and Z.-B. Chen, Phys. 012326 (2005). Rev. Lett. 114, 090501 (2015). [32] C.-H. F. Fung, H. F. Chau, and H.-K. Lo, Phys. Rev. A [15] R. Amiri and E. Andersson, Entropy 17, 5635 (2015). 84, 020303 (2011). [16] R. J. Donaldson, R. J. Collins, K. Kleczkowska, R. Amiri, [33] C.-H. F. Fung, K. Tamaki, and H.-K. Lo, Phys. Rev. A P. Wallden, V. Dunjko, J. Jeffers, E. Andersson, and 73, 012337 (2006). G. S. Buller, Phys. Rev. A 93, 012329 (2016). [34] H.-L. Yin, W.-F. Cao, Y. Fu, Y.-L. Tang, Y. Liu, T.-Y. [17] R. Amiri, P. Wallden, A. Kent, and E. Andersson, arXiv Chen, and Z.-B. Chen, Opt. Lett. 39, 5451 (2014). preprint arXiv:1507.02975 (2015). [35] G. Brassard, N. Lütkenhaus, T. Mor, and B. C. Sanders, [18] A. Chefles, Phys. Rev. A 64, 062305 (2001). Phys. Rev. Lett. 85, 1330 (2000).