Protocols for counterfactual and twin-field quantum digital signature

Quantum digital signature (QDS) is the quantum version of its classical counterpart, and can offer security against attacks of repudiation, signature forging and external eavesdropping, on the basis of quantum mechanical no-go principles. Here we propose a QDS scheme based on quantum counterfactuality, which leverages the concept of interaction-free measurement. Employing the idea behind twin-field cryptography, we show how this two-way protocol can be turned into an equivalent non-counterfactual, one-way protocol, that is both more practical and also theoretically helpful in assessing the experimental feasibility of the first protocol. The proposed QDS protocol can be experimentally implemented with current quantum technology.


I. INTRODUCTION
In contrast to classical cryptography, where security rests on the complexity of a computational problem, the quantum counterpart offers information-theoretic security based on quantum mechanical principles [1,2]. The role of quantum cryptography in a variety of communication tasks has been explored extensively in the last four decades. Among them, quantum key distribution (QKD) is the foremost cryptographic task. Several protocols for QKD [1,3-9] have been proposed and realized in this period (for a review, see Ref. [10]). For the present work, a particularly relevant QKD protocol (among those mentioned above) is the counterfactual QKD proposed by Noh [7].
The concept of interaction-free measurement (IFM), which is the principle behind counterfactuality in certain QKD schemes, involves the counterintuitive idea that quantum superposition can be used to enable the detection of a particle far away from a place where it is blocked [11]. The idea of IFM has been exploited for various cryptographic protocols such as key distribution [5,12,13], direct communication [14,15], counterfactual universal computation [16] and others.
In the prototypical counterfactual QKD protocol ("Noh09") [7], Alice prepares single-photon states in the $\{H, V\}$ basis and sends them sequentially through an unbiased beam-splitter (BS) of a Michelson interferometer. One arm of the interferometer is retained in Alice's station, whilst the other arm reaches Bob. He may either reflect $H$ polarization while blocking $V$, or vice-versa. Alice and Bob generate a secure key using only those bits when Bob blocks the input polarization and the detections happen at Alice's detector $D_1$ counterfactually. In Noh09, the efficiency is given by $\sum_{j=R_H,R_V} P_{D_1|j} P_j = \frac{RT}{2}$, where $R$ and $T$ are reflectivity and transmittivity with $R + T = 1$. When Alice's and Bob's choices are of equal probability, including reflectivity and transmittivity, then one attains the efficiency of 1/8. However, it was recently shown [13] that by making use of non-counterfactual bits and a simple modification to the original protocol, one may triple the efficiency, i.e., up to 3/8.
The concept of Digital Signature (DS) was first introduced by Diffie and Hellman [17], and could potentially play a crucial role for various cryptographic protocols [18-22]. A DS protocol involves a sender (Alice) who transmits a digitally signed message $M$ to the forwarder (Bob), who may forward it to the receiver (Charlie). Even though the message itself is not secret, it should be authenticated, and it needs to be secure against forgery and repudiation. In other words, neither can the sender repudiate her signed message, nor can the forwarder forge or modify the sender's signature if he chooses to forward the message. The main advantage of a DS scheme is that the signed message can be transferred, but cannot be tampered with, so that a third party could also verify the sender's signature and authenticate the message.
However, since the security of the classical DS schemes is proven by the computational hardness of a mathematical assumption, they cannot offer unconditional security. There lies the advantage of a quantum digital signature (QDS) scheme [18], which utilizes quantum-secure public keys to validate the message and thus presents an information-theoretic security. Some of the recent works in the area of QDS that exploit various quantum features for security are the QDS protocol with QKD components [23], QDS without the need for quantum memory [24], QDS accounting for the difficulties in its practical application [21], QDS without perfect keys [25], an MDI version of the QDS protocol [26], QDS in a secure network [27], and others.
The primary security concerns of a (Q)DS protocol are (a) repudiation by the sender; (b) forgery by the forwarder; and (c) transferability. Repudiation is the act of the sender successfully denying having sent the message. Forgery refers to the act by an intermediate recipient to forge the signature (i.e., alter the message) of the sender. Another important feature of a QDS protocol is its transferability, which indicates that if one trusted recipient accepts the message, then another trusted recipient will also accept it if forwarded. Interestingly, in a tripartite scheme, non-repudiation of the message is correlated to its transferability, and can be verified by the mechanism for dispute resolution [28]. In the majority voting for dispute resolution, these two are identical, as a sender who is dishonest will necessarily make the message non-transferable, if repudiation happens. If the sender makes the forwarder accept the message while the receiver rejects it, it signifies both non-transferability and repudiation. Hence, given a message is rejected by Charlie, it is associated with repudiation by Alice [21,22,29]. Thus, similar to various other existing QDS schemes, we assume that the receiver is trusted.
The present work is inspired by the idea of utilizing the principle of IFM for a tripartite QDS scheme, and involves effective realization using the setup of the counterfactual QKD protocol. Use of quantum counterfactuality for a QDS scheme provides certain advantages, as the protocol involves only orthogonal states and the experimental setup is simpler [10]. Quantum counterfactuality-based QKD protocols have already been experimentally implemented using coherent states [30], thereby making our modified protocol feasible. Finally, the aspect of nonlocality in the context of quantum counterfactuality is interesting [31], and our work may potentially lead to studies on tripartite and multipartite scenarios. Note that our work is distinct from various other quantum counterfactual-based three-party protocols, such as certification authorization [32], generation of cat states [33], quantum key distribution protocol [34], and others. In addition, our work also contrasts with other QDS schemes, as we do not require non-orthogonal states [23,28], the modified protocol inherently has an MDI-like setup [26,29], the protocol does not require symmetrization [35], and it is different from other twin-field based protocols in that we do not have the step of key generation protocol [36]. Furthermore, the requirement of a two-way channel is also relaxed in the modified protocol in Sec. V.
The nature of counterfactuality in the direct communication schemes [14,15,37] is highly debated [38-41]. Specifically, the issue of the weak trace left by the particle is the underlying focus of the debate and thus the need for a more stringent definition of counterfactuality. These schemes are based on the quantum Zeno effect, and they include detections from both the detectors for key generation. However, in the present context, the QDS scheme needs sifting and hence only a subset of detections are used as key bits ($D_1$ detections). Thus the relevance of the argument is limited to only certain counterfactuality-based schemes.
The rest of the paper is structured as follows. In Sec. II, we present a novel quantum digital signature protocol based on the counterfactual QKD setup. In Sec. III, we prove the security of the protocol against sender's repudiation and forwarder's forgery. Additionally, we prove the security of the protocol against an eavesdropper's forgery at the level of entanglement in Sec. IV. In practice, the above three-party, two-way, counterfactual QDS scheme is faced with two challenges: the generation of redundant bits, which lowers efficiency; and a restricted range due to the requirement of two-way quantum communication. In Sec. V, we show that this scheme is equivalent to a twin-field setup based one-way QDS protocol which addresses both problems, with certain advantages in deriving secure bounds. Finally, we present our conclusions in Sec. VI.

II. THE PROTOCOL
As noted before, a quantum digital signature protocol would have three stages: distribution, messaging, and forwarding. Let Alice, Bob, and Charlie be the involved parties, who agree on an assigned task: sender Alice transmits the signed message, forwarder Bob verifies the signature and authenticates the message. He may choose to forward the message to Charlie, the receiver, who in turn verifies Alice's signature and authenticates the message. The following assumptions are made in the proposed three-party QDS scheme: (a) The receiver is always trusted; (b) All three parties share an authenticated classical communication channel. Note that these two assumptions suffice for the existence of a QDS protocol with a given number of pre-authenticated parties. However, given that the communication lines are insecure and possibly noisy, the protocol must be made secure against an external eavesdropper. The authenticated internal parties can detect Eve by measuring the error in the channel. We shall revisit this aspect in Sec. IV. The simultaneity in Bob's and Charlie's operations is also assumed to be perfectly timed, along with negligible imperfections in the experimental apparatus. However, since no party colludes with any other, Bob's and Charlie's operations are independent. In some QDS protocols, the message and signature may be made publicly available, but neither can the message be tampered with nor can the signature be forged. In our work, we adopt this relaxation and show that the protocol is secure against certain eavesdropping attacks. Now, we describe a counterfactual QDS scheme as follows.

(D1) For a future one-bit message $M = \{m\}$ where $m = 0, 1$, Alice prepares a string of $N$ photons in the $\{H, V\}$ polarization basis. Each photon is sequentially incident on a beam-splitter (BS) of a Michelson interferometer, with reflectivity and transmissivity being $R$ and $T$, respectively. The end-arms of the interferometer are at Bob's and Charlie's lab, Fig. The POVMs at the respective detector of Bob's and Charlie's station are $M_H = \mathrm{diag}(0, 1, 0)$ and $M_V = \mathrm{diag}(0, 0, 1)$. Similar to Noh09, the respective detection probabilities are,

(D3) The string $\Sigma$ of bits corresponding to Alice's $D_1$ detections forms the sifted key [42]. Here, Alice's $D_1$ detections are comprised of (i) counterfactual events; (ii) ones due to non-interference of photon amplitudes (due to both parties reflecting, but only one applying the operation $\sigma_x$); and (iii) Bob's or Charlie's injected photons. Note that (i), (ii) and (iii) are mutually exclusive, and a sifted key bit can be generated if and only if any one of them happens.
(D4) After Bob and Charlie announce their coordinates of application of $\sigma_x$ to Alice, all the involved parties collaboratively estimate the error in the channel, and if found to exceed an agreed limit, they abort the protocol. Here it is assumed that the BS is unbiased and the fractions $(r, f) \ll 1$.
(D5) The sifted key $\Sigma$ is of length $(\lfloor N/8 \rfloor + \Delta)$, where $\lfloor\cdot\rfloor$ is the floor function and $\Delta$ corresponds to the contributions from non-counterfactual events. Hence no less than $\lfloor N/8 \rfloor$ of these could be used as Alice's private key. Here, the state $|\phi\rangle_m$ represents Alice's signature $\mathrm{Count}_{sig}$, and

Messaging stage

(M1) Alice informs Bob of the message $m$, along with her private key $\mathrm{Count}_{key}$ and the corresponding $D_1$ detection coordinates, in a public channel.
(M2) For each $k_b$-th bit in Alice's private key $\mathrm{Count}_{key}$, with $k_b$ denoting bits in $\Sigma$ which Bob knows, he verifies the bit value against his injected bit that led to a $D_1$ detection. He accepts the message if the mismatches are below a threshold.
Forwarding stage

(F1) Should Bob choose to forward the message $m$, we assume that he forwards it to Charlie. If Bob does so, then he also forwards Alice's private key $\mathrm{Count}_{key}$ to Charlie.
(F2) Charlie too verifies Alice's key $\mathrm{Count}_{key}$ by performing the same procedure described in Step (M2), but against the set $\{k_c\}$, where $k_c \in \{k\}$ denotes the bits in $\Sigma$ that Charlie knows. This verifies the message, given the mismatches are below the threshold.
Until the messaging stage, the protocol is symmetric with respect to Bob and Charlie. That is, Alice can choose to send $(m, \mathrm{Count}_{key})$ to either Bob or Charlie and he becomes the forwarder. Below we address the issue of security due to the involved, untrusted parties. The involved parties also estimate error in the channel (in Step (D4)), wherein they may also verify the security of the channel. This is addressed in Sec. IV.

III. SECURITY AGAINST ALICE'S REPUDIATION AND BOB'S FORGERY
QDS is a cryptographic protocol, wherein the primary security concern is the mistrustful parties and a subset of them could potentially cheat. In the present case of a tripartite scheme, no more than one party is assumed to be dishonest. Message authentication is established by verifying the sender's signature, along with the assumption of an authenticated classical channel shared between parties. Below we address the security of the scheme against Alice's repudiation and Bob's forgery. The transferability of the message can be shown from security against repudiation.

Security against Alice's repudiation
After Alice sends $(m, \mathrm{Count}_{key})$, she commits to the message and the private key. Both Bob and Charlie could independently verify her commitment, and we note that the necessity of classical and quantum communication for the same is relaxed here. Now, Alice's cheat strategies include: (C.i) Announcing one or more of the $D_1$ detections as $D_2$ detections: she would necessarily reduce her private key, while not being able to change the elements of the private key or the signature; (C.ii) Announcing one or more of the $D_2$ detections as $D_1$ detections: she would be potentially caught as Bob and Charlie can test for such cases against both applying $(R_j, R_j)$; (C.iii) Changing $H \leftrightarrow V$ in $D_1$: she would be potentially caught when Bob or Charlie verify against their injected bits.
The optimal cheat strategy for Alice would be to flip the bits from the latter two cases. If successful, this would make Bob accept the given signature bit while making Charlie reject it. Consider the case in which Bob injects only one bit after a detection at $D_B$, which in turn ends up in the $D_1$ detector. There are $\sim 2 \times 2^{N/8}$ possible sequences of $\Sigma$ for this single injection case. Similarly, for a higher injected fraction $r$, we notice that the number of possible sequences for $\Sigma$ is of the order $\sim 2^{N/4} \cdot 2^{2r}$, accounting for $2r$ injections by Bob and Charlie.
Suppose she flips a fraction $\tau_A$ in $\Sigma$. Then, from the Chernoff bound [43], the success probability of her repudiation is, with

Security against Bob's forgery
Bob's forging action here corresponds to him sending $(m', \mathrm{Count}'_{key})$ to Charlie, in a way that Charlie accepts the new message $m'$. Suppose Bob flips a fraction $\tau_B$ in $\Sigma$. Then, similar to Eq. (2), we get the success probability of forgery to be where, $\langle Y \rangle_B = \Sigma(r_c) - N r_b/8$, and $\Sigma(r_c)$ signifies $\Sigma$ being a function of $r_c$. However, in the present context, it can be shown that Bob's best strategy is to flip the bits corresponding to his injected photons in $\Sigma$, because he knows that Charlie is definitely unaware of those injected bits. Then, with unit probability, he succeeds in forging Alice's signature and changing the message to $m'$. However, we shall employ a classical error correcting scheme to make the protocol robust against Bob's forgery. An alternative solution, but requiring more resources, is briefly addressed in Sec. VI.
Bob can potentially flip all of his $N r_b/8$ injected bits during the forwarding stage. We include all the injected bits for error correction. We have a classical error correction code here of $[n, k, d]$ where $n = \lfloor N/8 \rfloor + \Delta$ is the total number of $D_1$ detections, $k$ is the rate of error correction and $d$ is the distance of error in the code.
We have the following bounds arising from the required error correcting properties. Here we use the notation $n \approx \frac{N}{4}\left(\frac{1}{2} + r\right)$, where $r_b = r_c = r$ ($r_c$ is Charlie's injected fraction) and $n \geq |M| = 1$. The Singleton bound [44] requires $k + d \leq n + 1$, which in our case is: $\forall\, k = |M|/n$ (rate of error correcting code) and provided $r \leq \frac{1}{2}$. The bounds in Eq. (3) and Eq. (4) are plotted in Fig. 2. We can replace $r'$ with $r$ (where $r' < r$) in both the bounds, as doing so does not change the nature of the value of $N_{min}$. Also as observed in the above graph, the Hamming bound implies a higher $N_{min}$/bit value at all stages than the Singleton bound, and thus places the actual bound for the protocol. The above passive attack [24] involves Bob being honest during the distribution stage, and later trying to forge Alice's signature. However, we may consider the active attack, wherein Bob is malicious in the distribution itself. But the underlying security remains the same, wherein Alice and Charlie can test for Bob being malicious using the statistics of counterfactual detections.
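The verification of steps (M2)/(F2) and the injected-bit forgery discussed in this section, as a classical toy model added here (not code from the paper). The 40-bit $\Sigma$, the position sets each party knows, the mismatch limit and the uniform-flip model for a forwarder who flips bits he did not inject are all constructed assumptions.

```python
from math import comb

# Constructed 40-bit sifted key Sigma (sample data, not from the paper).
SIGMA = [(i * i + i // 3) % 2 for i in range(40)]

# Assumption: each forwarder/receiver knows only the key bits it injected.
BOB_KNOWN = {p: SIGMA[p] for p in range(0, 10)}
CHARLIE_KNOWN = {p: SIGMA[p] for p in range(10, 20)}
MAX_MISMATCH = 1  # assumed acceptance threshold, as an absolute count


def verify(announced, known, max_mismatch=MAX_MISMATCH):
    """Steps (M2)/(F2): compare the announced key with the bits this party
    recorded itself. Returns (accepted, number_of_mismatches)."""
    mismatches = sum(1 for pos, bit in known.items() if announced[pos] != bit)
    return mismatches <= max_mismatch, mismatches


def flip(key, positions):
    """Return a copy of the key with the given positions inverted."""
    out = list(key)
    for p in positions:
        out[p] ^= 1
    return out


def charlie_accept_probability(candidates, charlie_known, flips,
                               max_mismatch=MAX_MISMATCH):
    """Exact (hypergeometric) probability that Charlie still accepts when
    the forwarder flips `flips` positions chosen uniformly among
    `candidates` positions, `charlie_known` of which Charlie can check."""
    total = comb(candidates, flips)
    accepted = sum(
        comb(charlie_known, j) * comb(candidates - charlie_known, flips - j)
        for j in range(min(max_mismatch, flips) + 1)
    )
    return accepted / total


def forwarding_demo():
    """Honest run, then the forgery on Bob's own injected positions, then
    the acceptance probability for the same number of blind flips."""
    forged = flip(SIGMA, BOB_KNOWN)  # flips exactly Bob's injected bits
    return {
        "honest_bob": verify(SIGMA, BOB_KNOWN),
        "honest_charlie": verify(SIGMA, CHARLIE_KNOWN),
        # Charlie checks only positions 10..19, so he sees nothing wrong.
        "forged_charlie": verify(forged, CHARLIE_KNOWN),
        "bits_changed": sum(a != b for a, b in zip(SIGMA, forged)),
        # Same number of flips, spread over the 30 bits Bob did not inject.
        "blind_flip_accept_probability": charlie_accept_probability(
            len(SIGMA) - len(BOB_KNOWN), len(CHARLIE_KNOWN), len(BOB_KNOWN)
        ),
    }


if __name__ == "__main__":
    for name, value in forwarding_demo().items():
        print(f"{name}: {value}")
```

In this model the forged key passes Charlie's check with certainty, while the same number of blind flips passes only about 6% of the time, which is the gap the error-correcting step is meant to close.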

IV. SECURITY AGAINST EAVESDROPPING
The discussions so far have assumed that there is no eavesdropper's interference. This is reasonable in a mistrustful protocol, where the players themselves pose the main security threat to each other. However, in a practical situation, an eavesdropper Eve may be present, whose objectives are given later. As noted in Sec. II, the internal members of the protocol are oblivious to the presence of Eve, so it is natural to assume that no party colludes with Eve. In the case of collusion, there is no specific advantage they get in terms of cheating, assuming that they cheat out of their own self-interest. Therefore, it suffices to prove security against an external, unauthenticated Eve.
Given that the protocol is asymptotically secure against Alice's repudiation and Bob's forgery, in this section, we will show that it is asymptotically secure against eavesdropping. Since we prove security at the entanglement level, it may be presumed that the protocol is secure against more general attacks. Note that the message itself is not the secret, but Alice's signature is. So Eve would try to get information of $\mathrm{Count}_{sig}$ so that she can tamper with Alice's message later.
The basic yet powerful attack Eve could do is the intercept-resend attack, where she would block/resend a photon during the quantum communication stage. The best possible attack strategy for Eve would be to use the same reflect or absorb operator at both the arms (i.e., $E_B$: Eve's ancilla at arm $b$, and $E_C$: Eve's ancilla at arm $c$). Whenever there is a detection at Eve's detector, she would either choose to send the identical photon towards Bob/Charlie or towards Alice. Even when there is no detection, she would get the bit's information, but not induce any error. Thus she can get the complete information of all the bits from this attack with only 50% detections (50% error).
As a countermeasure for this, we propose an extra stage. As mentioned after the protocol stages, before announcing her mask $\mu$, Alice could potentially check for Eve's presence. Alice, Bob and Charlie may test for coherence between the two arms by verifying the condition $\{R_H, R_H\}$ (for an $H$ photon) or $\{R_V, R_V\}$ (for a $V$ photon), that must deterministically give rise to a $D_2$ detection.

A. On the unconditional security of the scheme
Now we sketch an unconditional proof of security, where the idea is to consider all choices of Alice and Bob at a quantum level. This leads to a master entanglement in a larger Hilbert space, which makes it easier to analyze the security against Eve. For simplicity, the Bob-injected and Charlie-injected qubits are not taken into account, but this extension can be made in an analogous way. By the method of the larger Hilbert space, Alice's random states are replaced by the quantum superposition , and Bob's & Charlie's random operations for measurement are given by a coherent superposition of their actions and , respectively. In the same vein, the initial joint state between Alice, Bob, Charlie and the BS arms is given by , with $X \in \{H, V\}$ and correspondingly, when light from the arms re-enters the BS, its operation is Then the final state, conditioned on Alice's $D_2$ detections, is showing the entanglement of the photon between actions by Alice, Bob and Charlie. In the kets, the first, second and third registers represent actions by Alice, Bob and Charlie. Therefore, the state in Eq. (6), restricted to Alice and Bob, reduces to the pure, entangled state: where . The key idea behind invoking the larger Hilbert space is the monogamy of entanglement. This implies that if Alice and Bob can perform Bell state analysis to certify that they possess the entangled state Eq. (7) to a sufficient degree of certainty, then even without any knowledge of the details of Eve's attack, they can be sure that her state is sufficiently uncorrelated with their private information.
With this, they verify that the statistics of their state verifies Eq. (7) and not a mixed state, such as that obtained by tracing out Eve's particle in Eq. (6). It suffices for us to note here that for the above reason, a security analysis on the level of entanglement enables Alice and Bob to obtain unconditional security. Furthermore, composability of the scheme could be an interesting future work. For the remaining section, restricting to a trivial practical scenario, we return to a more conventional method of error analysis. Here, the protocol is considered with the security against certain individual attacks.

B. Security against individual attacks
The error induced by Eve can be quantified as follows. Assuming Eve does not collude with involved parties and they remain trusted for the protocol against an information leakage to an eavesdropper, the error here would be the non-$D_1$ detections with respect to Bob's and Charlie's operations, that gives rise to $D_1$ detections. Given that Alice has sent an arbitrary state, we estimate the QBER as where ) .
We know that $P(D_1|R_V R_V)$ and $P(D_1|R_H R_H)$ have two contributions, namely counterfactual error, $p_1/p_2$ (where a $D_1$ detection happens for a $D_2$, ideally should be zero), and incoherent error, r 2 (error produced due to Bob/Charlie injected bits). Thus let The total number of $D_1$ detections are with $p_3$ being the detector error (such as dark count) [Note that $p_3$ is not a factor of $p_1/p_2$, and solely depends on $D_1$ alone]. If Bob's and Charlie's choice of basis for measurement is unbiased, then . Thus using this in Eq. (8), we get If This shows the increase of error rate with increase in $p$.
If Eve performs an IRUD attack, then $p_1$, $p_2$ and $p_3$ take values proportional to the rate of eavesdropping. We find that if Eve's attack rate is $w$ to get polarization information of the bits sent by Alice, then the error rate parameters are given by $p_1 = p_2 = \frac{w}{4}(1 + r)$, and $p_3 = \frac{w}{2}(1 + r)$, respectively. Thus error rate e becomes e = 1 2 Alice's information and Eve's information after eavesdropping are $I_A = 1 - h(e)$ and $I_E = \frac{w}{2}$, respectively, where $h(\cdot)$ is the Shannon entropy. We know that the parties can have a secure communication if $I_A > I_E$. Thus the secure QDS can happen only when $e_{max} \leq 15.3\%$, when $r = 0.01$. The proposed protocol is thus secure only when $e_{max} \leq 15.3\%$ under the considered attack scheme.
We have not considered the injected photons by Bob and Charlie in the above security analysis. However, since this is a two-way protocol, Eve may attack the arms twice, before and after Bob's/Charlie's operation, like Wójcik's attack on the ping-pong protocol [46].
A similar attack strategy has already been analysed for Noh09 by two of us [13], where it is shown that Eve gets complete information of $D_B$ detections, but not of counterfactual ones. Here, if she were to employ such an attack-unattack strategy, she would get information of all the Bob-injected and Charlie-injected bits that lead to $D_1$ detections. A simpler fix to this issue would be to enable Bob and Charlie to flip the reflected polarizations, as in the original work. Then check for coherence between the arms on those instances where they both applied the reflect operation and flipped the reflected polarization (a detailed analysis has already been presented in Ref. [13]). This would restrict Eve to perfectly remove footprint and introduce error. To make the protocol simpler, Alice may throw away all inconsistent polarization detections of both $D_1$ and $D_2$. Thus, the injected bits are present from which security against Alice's repudiation is proven (asymptotically), while also giving security against an eavesdropper.

V. MODIFIED PROTOCOL
A practical implementation of the above protocol requires the use of single photons, a somewhat expensive resource when required in sufficiently high rate. Furthermore, it is faced with two further challenges: (a) the generation of redundant bits, i.e., secret, shared bits that the protocol fails to exploit to improve key rate; and (b) a restriction on the secure range owing to the protocol being two-way in nature.
The protocol proposed in Sec. II does not exploit all the secret bits generated between Bob and Charlie. In particular, for a given $D_1$ detection, either one of the parties injected a bit or it was counterfactual in nature. Both could potentially lead to an element of $\mathrm{Count}_{key}$, and form Alice's signature $\mathrm{Count}_{sig}$. Table I lists the secret key bit and the information shared between the respective parties.

| Secret bit | Alice | Bob | Charlie |
|---|---|---|---|
| $j$ (polarization) | Yes | Yes(i)/No | No/Yes(i) |
| bit $bc$ ($\{R_j, R_j\}$) | No | Yes | Yes |

Table I. Conditioned on a $D_1$ detection, two secret bits are created that are shared between different pairs of parties. Here 'Yes(i)' indicates the knowledge of the polarization $j$ due to injection.
It turns out that one can address all these problems by resorting to an analogous twin-field setup based, one-way QDS protocol that largely retains the logical structure of the above protocol, while eliminating the redundancies. Moreover, a twin-field scheme requires only weak coherent pulses, rather than single-photons. Here we note that this modified protocol still has a certain fraction of bits that are wasted, but they are not the secret bits. Conversely, no potential secret bits are thrown away in the sifting. Now imagine a modified protocol, which, as will be clarified, may be considered as the twin-field, one-way analogue of the above counterfactual, two-way protocol. In the modified scheme, Bob and Charlie prepare and send particles to Alice in the configuration as in Fig. 1. If they are single-photons (as in the primary scheme), then we are led to a two-particle interference. Thus, we employ phase-modulated weak coherent pulses, prepared in $H$ or $V$ polarization. In this case, conditioned on single-photon detections by Alice at detector $D_1$ or $D_2$, we reproduce the same scenario as in the primary scheme.
Hence if the two incoming pulses are prepared in identical polarization with the same phase modulations, then a $D_2$ detection happens. However, a $D_1$ detection could happen in the rest of the cases. Interestingly, this can be reduced to the primary scheme, by enabling an announcement by parties if they choose the $\pi$-phase. Thus, given no announcement of $\pi$-phase modulation, a detection at detector $D_1$ tells Alice that the polarization settings differ, but not the encoding (as in the case of bit $bc$ of Table I). This modified protocol potentially eliminates the issue of redundancy and it is one-way in nature. Additionally, the requirement of single-photon states is relaxed as well. Therefore, this protocol could be viewed as the complement of the primary scheme that is two-way and counterfactual in nature.
But Alice can have the knowledge of bit $bc$ by placing a polarization filter before the beam-splitter. Specifically, Alice could place polarization filters (through which a pulse of polarization $j$ passes, and a pulse of polarization $\bar{j}$ is blocked) in both the arms. Then a $D_1$ detection, along with a detection at one of the filters, would necessarily reveal the bit $bc$ to Alice. Nevertheless, the security against repudiation due to injection in the primary scheme can be achieved by enabling only one party sending the pulse. Thus, Bob and Charlie can utilize bit $bc$ of these cases, to check against Alice's repudiation. Specifically, Bob and Charlie could exchange information of sent or not sent pulses, thereby performing symmetrization.
By way of making explicit the parallelism and contrast between the primary scheme and the modified protocol, we number the steps of the latter in a way that corresponds sequentially to that of the former scheme. The distribution scheme in the original protocol becomes as follows.
(D1) Alice sets an identical polarization filter for H or V in her end of the communication paths to Bob and Charlie.
(D2) Bob and Charlie either send weak coherent signal pulses (signal window) or strong decoy pulses (decoy window), prepared in the basis $H$ or $V$. Each signal pulse is randomly phase-modulated with probability $p_0$ for 0-phase and $(1 - p_0)$ for $\pi$-phase, given $p_0 \gg (1 - p_0)$. On fraction $r$ of their detections, they send no pulse towards Alice's station.
(D3) The string $\Sigma$ of bits corresponding to Alice's $D_1$ detections and no $\pi$-phase announcement by either of the parties, solely from the signal window, forms the sifted key. Here, Alice's $D_1$ detections are comprised of the cases where Bob and Charlie send weak pulses of different polarization. The decoy pulses are sent by choosing a specific phase and intensity from a pre-agreed set of values.
(D4) Bob and Charlie announce part of the data where they sent either the decoy pulses or weak pulses with $\pi$-phase, and together with Alice, they collaboratively estimate the error in the channel using decoy pulses. If it is found to exceed an agreed limit, they abort the protocol. The security can be proven from the fact that, conditioned on a single-photon detection at one of the detectors in Alice's station, the states are non-orthogonal, as $\langle\alpha|\beta\rangle = e^{-|\alpha^2 - \beta^2|}$. Specifically, given the lower-bounded single photon detection count $n_1$ and upper-bounded error rate of single-photon states $e_1$, the key length that can be used for Alice's signature is found to be where $k$ corresponds to the input data used by Bob or Charlie to estimate error and $E$ represents the presence of Eve. The two bounds corresponding to the signal window in Eq. (12) can be estimated, as below.
The values of $n_1$ and $e_1$ in Eq. (12) correspond to signal states in the scheme. However, we employ the standard method of using decoy pulses to estimate them [47,48], as follows. This is possible due to the fact that the respective yield (or gain), and error rate of the $n$-photon state remains the same for both signal and decoy pulses [49].
When decoy mode is chosen, Bob and Charlie choose their polarization setting to be either $j$ (with mean-photon number $|\alpha|^2$) or $\bar{j}$ (with mean-photon number $|\alpha'|^2$ and $\alpha > \alpha'$). If $n_1$ is the single-photon detection count of decoy states, we obtain where the first two terms in the RHS correspond to the detection at $D_1$ for either polarization setting $j$ or $\bar{j}$ by Alice, respectively, the third term for the setting that blocks both the pulses (detections from dark counts alone) and $\chi_1 = \sum_{y=\alpha,\alpha'} (y P_{0y} e^{-y})$ is the probability of single-photon events, with $P_{0y}$ indicating the probability with which the Bob-sent pulse was blocked and the Charlie-sent pulse $y$ was detected at Alice's station. Similarly, if $e_1$ indicates the error rate of single-photon states of the decoy states, 1 + e .
Here the first term on the RHS corresponds to the case wherein a $D_1$ detection happens when identical pulses are sent, and the second term indicates detections at both the filter and one of the detectors. This can be estimated using Here $e^{(2)}_1$ is the total number of detections, summed over both the polarizations $j \in \{\alpha, \alpha'\}$, $P_{y(xx)}$ denotes both sending pulse $y$ with phase $x$, $n_{fj}$ & $n_{jf}$ indicate the detection at a filter and a detector and is the observed value due to statistical fluctuations by Hoeffding inequality [50], with $\epsilon_F$ denoting the failure probability. Note that these estimations are for decoy states, and to estimate $n_1$ and $e_1$ (of signal states) we use Serfling inequality as, where $\Gamma(a, b, c) = (a - b + 1)\,b \ln(c^{-1})/(2a)$ is the factor of sampling without replacement in Serfling's inequality.
In addition to the error rate of single-photon states $e_1$ estimated using the decoy states as in Eq. (16), one can also estimate the overall quantum bit error rate $E_{\text{tot}}$, as where $n_{ss}$ (resp., $n_{00}$) corresponds to the number of events of Bob and Charlie both sending pulses (resp., neither sending a pulse) in the signal window, and Alice announcing a $D_1$ detection, and $n_{\text{tot}}$ being the number of successful detections in the signal window. This can effectively be used for classical post-processing of error correction in Eq. (12) as, with $f$ representing the error correction efficiency factor. The various quantities of the above equations are suitably estimated as in Refs. [36,48] and the protocol is numerically simulated, as given in Fig. 4.

VI. DISCUSSION & CONCLUSION
We have presented a quantum digital signature scheme whose security is guaranteed by quantum counterfactuality. The proposed scheme is different from other QDS protocols in that we make use of only orthogonal states and require neither the quantum memory nor the multiport [18,51].
In the proposed QDS scheme, Alice sends the quantum states to Bob and Charlie, along with the detection coordinates corresponding to her signature $\mathrm{Count}_{\mathrm{sig}}$, in the distribution stage. The sending of the message, with her private key $\mathrm{Count}_{\mathrm{key}}$, happens only in the messaging stage. However, the security against Alice's repudiation comes from state comparison as well as injected bits. This differs from other QDS schemes, where the security against repudiation comes either through state comparison by Bob and Charlie [18] or through their symmetrization of states [35]. The scheme is easily implementable with presently available technology. The bounds presented give evidence of security against repudiation and signature forging. We have also considered an eavesdropper's attack and addressed the security against it in detail. We point out that the injection of photons is equivalent to the principle of symmetrization employed in various other QDS protocols. Hence, the protocol can be thought of as belonging to the same class of QDS protocols. In particular, the asymptotic security of the present scheme is in line with the conventional security addressed in QDS schemes. However, unconditional security is yet to be established for the present scheme.
Incidentally, though a beam-splitter of a Michelson interferometer is present in the protocol, and thereby involves a multiport for the scheme, the important distinction from other multiport-based schemes is that we need only one BS and it is associated with the sender alone. The QKD component itself involves a BS, and no further extension is required for the QDS scheme. Hence the assertion that the protocol requires neither the quantum memory nor the multiport to prove the security.
We note here that the essentiality of the error correction in the primary scheme is not discussed in various other QDS protocols [23,24,28]. Specifically, the impossibility of Bob using information due to symmetrization, to forge Alice's signature during forwarding, is paramount in proving the security. Therefore, we employ the error correction in our scheme. However, another slight modification, at the cost of greater quantum resources, could potentially detect Bob's forgery.
In particular, we propose a variant of the primary QDS scheme, wherein Alice prepares the $N$-qubit composite state $|\varphi_i\rangle$ for $\gamma > 1$ rounds and $i \in \{\gamma\}$. Let the corresponding set of $D_1$ detections of the $i$-th round be $\Sigma_i$, given that Bob and Charlie could change their operations at each round. After $\gamma$ rounds, Alice chooses her signature $\Sigma$ and announces the corresponding $D_1$ detections. Therefore, at the end of the distribution stage, Bob's and Charlie's knowledge of $|\varphi\rangle$ would be close to each other.
Suppose the $j$-th bit ($j \in \{1, 2, \ldots, N\}$) resulted in a $D_1$ detection due to Bob's injection in the $i$-th round. He would flip the bit when forwarding the message to Charlie. However, Charlie too could know the polarization of the $j$-th bit from the ($k \neq i$)-th round. Thus, the probability for Bob to successfully forge decreases as $\gamma$ increases. Thus, the error correction is not required in this modified protocol. Additionally, the injection too could in principle be relinquished, as the security against repudiation might be proven from an identical argument as above.
It is important to note that Eve could get information from an optimal quantum cloning machine, as the state $|\varphi\rangle$ is identical in each round [52,53]. The guessing probability of state discrimination could be potentially improved [54,55], estimated using the Helstrom bound [56]. In various other QDS schemes too, multiple copies of identical states are sent by the sender to two or more parties. This issue of multiple copies being used could further impact multiparty QDS schemes [57,58] as well. However, in the context of the present work, this can be thwarted by varying the composite state $|\varphi_i\rangle$ in each round, such that the fidelity between the two composite states (of any two rounds) is close (but not equal) to unity.
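An added illustration of the multiple-copy concern above (not part of the paper): the Helstrom bound for two pure candidate states, evaluated when Eve holds $\gamma$ identical copies. The two linear-polarization test states, the equal priors and all function names are assumptions chosen for this example.

```python
import math

def overlap(psi, phi):
    """Inner product <psi|phi> of two state vectors (lists of complex amplitudes)."""
    return sum(a.conjugate() * b for a, b in zip(psi, phi))

def polarization_state(theta):
    """Constructed test state cos(theta)|H> + sin(theta)|V>."""
    return [complex(math.cos(theta)), complex(math.sin(theta))]

def helstrom_guess(psi0, psi1, copies=1, prior0=0.5):
    """Optimal probability of telling psi0 from psi1 given `copies` identical copies.

    For two pure states the Helstrom bound is
        P = 1/2 * (1 + sqrt(1 - 4 p0 p1 |<psi0|psi1>|^2)),
    and the overlap of the gamma-copy states is <psi0|psi1>**gamma, so the
    states become easier to distinguish as the number of copies grows.
    """
    s2 = abs(overlap(psi0, psi1)) ** (2 * copies)
    radicand = 1.0 - 4.0 * prior0 * (1.0 - prior0) * s2
    return 0.5 * (1.0 + math.sqrt(max(0.0, radicand)))  # clamp rounding noise

def rounds_to_reach(psi0, psi1, target, max_rounds=10_000):
    """Smallest number of identical rounds at which the guess reaches `target`."""
    for gamma in range(1, max_rounds + 1):
        if helstrom_guess(psi0, psi1, gamma) >= target:
            return gamma
    return None

if __name__ == "__main__":
    # Constructed example: two states 22.5 degrees apart (single-copy overlap ~0.92).
    a, b = polarization_state(0.0), polarization_state(math.pi / 8)
    for gamma in (1, 2, 5, 10, 20):
        print(f"gamma={gamma:2d}  P_guess={helstrom_guess(a, b, gamma):.4f}")
    print("rounds needed for P_guess >= 0.99:", rounds_to_reach(a, b, 0.99))
```
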
The phenomenon of counterfactual security [13] in QKD is inconsequential here, as only the $D_1$ detections are used for generation of Alice's signature. If one uses all of the $D_B$ and $D_C$ detections, then the QDS protocol becomes insecure, as one party (the forwarder) can cheat by flipping those bits. Also, from the noiseless attack, Eve can potentially get full information about the $D_B$ and $D_C$ detections. But if she eavesdrops on counterfactual detections, she must introduce errors, as she cannot selectively attack those instances.
We have also proposed a modified QDS protocol based on the idea of twin-field cryptography. Specifically, another set of secret bits shared between Bob and Charlie was left unused in the primary protocol, and therein lies the possibility of utilizing it with a TF-QKD setup. The primary advantage of this would be that the protocol is one-way and uses coherent states for the key generation. We note that the framework of the protocol remains the same. It is worth pointing out here that the idea used above, of converting a two-way scheme to its one-way equivalent by replacing the single-photon qubits in the original scheme by weak coherent pulses in the latter, can also be applied in a QKD situation, e.g., to the Noh09 protocol [7] for counterfactual QKD.
The proposed scheme can potentially be generalized to a multiparty scenario with multiple forwarders. The quantum part of the protocol would be similar, with Alice sending states through an $n$-input $n$-output beam-splitter. The potential key length of Alice's signature would increase for such a setup, as the probability for a counterfactual detection increases. However, the underlying security would be from the injected bits, as in the proposed scheme. The limitation of these protocols is that, similar to other QDS protocols, they are one-time secure. In other words, for every new message, the parties must perform a run of the protocol. An eavesdropper can launch more powerful incoherent attacks, but the nature of the security remains the same: she cannot remove her footprint if she extracts information.
Finally, note that in any QDS protocol, the assumption that the receiver or verifier is trusted follows the tradition in the classical DS literature. It is an interesting question what modifications are to be made to a given (counterfactual) QDS protocol to ensure security against Charlie's dishonesty. We leave this as an open question.

Figure 1. Experimental setup for the counterfactual QDS scheme. Alice prepares single-photon orthogonal states and sends them to a beam-splitter (BS) of a Michelson interferometer. At the ends of the two arms are Bob and Charlie, who may choose to either block or reflect a polarization. The switch (SW) would have a polarization-BS followed by a circulator (C), for the polarization-dependent measurement. The subset of polarizations of the photons detected at detector $D_1$ forms Alice's potential signature.
is the expectation value of the variable $X$ representing the number of $D_1$ detections from injected photons and $r_b$ ($r_c$) is Bob's (Charlie's) injected fraction. Thus, the probability with which she can escape reduces exponentially, if (a) Alice flips more bits; (b) total number of bits $N$ increases or; (c) the ratio of injected photons increases. Below we shall show why the third case may lead to greater probability of successful forgery by Bob, and hence keep it very low.

Figure 3. Graph of the difference in mutual information versus the error rate in the channel, from Eq. (11). The proposed protocol is thus secure only when $e_{\max} \le 15.3\%$ under the considered attack scheme.