Edinburgh Research Explorer Measurement-device-independent quantum digital signatures

Digital signatures play an important role in software distribution, modern communication, and financial transactions, where it is important to detect forgery and tampering. Signatures are a cryptographic technique for validating the authenticity and integrity of messages, software, or digital documents. The security of currently used classical schemes relies on computational assumptions. Quantum digital signatures (QDS), on the other hand, provide information-theoretic security based on the laws of quantum physics. Recent work on QDS [Amiri et al., Phys. Rev. A 93, 032325 (2016); Yin, Fu, and Zeng-Bing, Phys. Rev. A 93, 032316 (2016)] shows that such schemes do not require trusted quantum channels and are unconditionally secure against general coherent attacks. However, in practical QDS, just as in quantum key distribution (QKD), the detectors can be subjected to side-channel attacks, which can make the actual implementations insecure. Motivated by the idea of measurement-device-independent quantum key distribution (MDI-QKD), we present a measurement-device-independent QDS (MDI-QDS) scheme, which is secure against all detector side-channel attacks. Based on the rapid development of practical MDI-QKD, our MDI-QDS protocol could also be experimentally implemented, since it requires a similar experimental setup.

Previous QDS schemes [5][6][7][8] improved on the seminal work in [4] by removing the need for quantum memory. Wallden et al. [10] proposed more practical QDS schemes which could be realized using QKD [11] components. In these QDS schemes, Alice encodes her signatures in quantum states, and sends a copy of each state to both Bob and Charlie. Bob and Charlie are only able to gain partial information on the overall signature state, due to its quantum nature. Until recently, the security analysis of all QDS schemes assumed authenticated quantum channels. In [12,13], all trust assumptions on the quantum channels are removed, which is a significant improvement compared to the previous schemes.
It is however more challenging to guarantee the security of practical implementations of QDS schemes. This is so because practical realizations do not typically conform to the requirements imposed by the theory, as real devices can behave differently from the models considered in the security proofs. As a result, any imperfection which is not accounted for might constitute a "side channel" which could be used by an adversary to render the QDS scheme insecure. Here, the most critical devices are arguably the single-photon detectors [14][15][16][17][18][19][20][21]. For example, an adversary can use detector loopholes to learn about a participant's (say Bob's) measurement results, and could then forge a message with Bob. In the context of QKD, detector side channels can be successfully removed by means of measurement-device-independent QKD (MDI-QKD) [22]. In this approach, Alice and Bob do not perform any measurement but only send quantum signals to be measured. Thus the advantage of MDI-QKD is that the legitimate parties need not hold a measurement device and may treat the measurement apparatus as a "black box," which may be fully controlled by Eve. This is important as it eliminates the requirement to certify the detectors in a QKD standardization process. Therefore, the bit strings generated by Alice and Bob are free from detector side-channel attacks as they do not employ any detector. Hence this only requires Alice and Bob to characterize the quantum states which they send through the channel. This characterization should take place in a protected environment outside the influence of the adversary, which in principle is feasible. Since the invention of MDI-QKD, such schemes have been very actively studied both theoretically [23][24][25][26] and experimentally [27][28][29][30][31][32].
In this paper, we present a QDS protocol which eliminates all detector side-channel attacks by employing the concept of measurement device independence. This is desirable for actual practical use of QDS schemes. The main contribution of this work is to adapt the rigorous security proof of MDI-QKD given in [26], taking into account finite-size effects, to the QDS protocol proposed in [12]. The resulting security proof is valid against general forging and repudiation attacks. Long-distance implementation of MDI-QKD [27][28][29][30][31][32] has been recently achieved, and the experimental parameters allowing for MDI-QKD could equally well allow for implementation of our QDS protocol. Hence we envisage not just a long-distance implementation of a QDS protocol, but an implementation that is secure against detector side-channel attacks.

II. PROTOCOL
We outline our protocol for three parties, with a sender, Alice, and two recipients Bob and Charlie. The setup for MDI-QDS is illustrated in Fig. 1. We assume that between Alice and Bob, and between Alice and Charlie, there exist authenticated classical channels. There is no need for "direct" quantum channels between Alice and Bob, between Alice and Charlie, nor between Bob and Charlie. Each party has an untrusted and imperfect quantum channel with the relay (Eve). Bob and Charlie share a MDI-QKD link, which can be used to transmit classical messages in full secrecy. This is separately indicated in the figure, but could also be realized with Eve as relay. Any classical secret communication channel between Bob and Charlie would in fact suffice in place of this MDI-QKD link. We will describe the procedure for signing a one-bit message. For signing longer messages, the procedure can be suitably iterated, meaning that the signature length scales linearly with message length.
Alice, Bob, and Charlie each use a laser source to generate quantum signals that are diagonal in the Fock basis. Sources producing such signals include attenuated laser diodes emitting phase-randomized weak coherent pulses (WCPs), triggered spontaneous parametric down-conversion sources, and practical single-photon sources. The scheme makes use of a measurement-device-independent key generating protocol (MDI-KGP), performed in pairs separately by Alice-Bob and Alice-Charlie; see Sec. III for more details. The purpose of such an MDI-KGP scheme is to use the noisy untrusted quantum channels to generate two correlated bit strings, one for each participant in an MDI-KGP. The noise level is defined in terms of the relative Hamming distance between these strings. When the noise level is below a tolerated value, the relative Hamming distance between the respective strings of the participants is smaller than the relative Hamming distance between any string that an eavesdropper could produce, and the participant's string.
The QDS scheme above is related to the one proposed in [12], with a difference in the KGP. It comprises two stages: a distribution stage, where all quantum communication takes place, and a messaging stage, which can occur much later, and where only classical communication is used.
A. Distribution stage
(1) For each possible future message $m = 0$ or $1$, Alice uses the MDI-KGP to generate four different correlated bit strings, 1 , each one of length $L$. The superscript denotes the participant with whom Alice performed the MDI-KGP, and the subscript represents the future message, which is to be decided later by her. Bob holds the strings $K^B_0, K^B_1$ and Charlie holds the strings $K^C_0, K^C_1$. Because of the KGP, it will be guaranteed that $A^B_0$ contains fewer mismatches with $K^B_0$ than does any string produced by an eavesdropper, and similarly for the other pairs of strings. Alice's signature for the future message $m$ will be $\mathrm{Sig}_m = (A^B_m, A^C_m)$. The fact that only Alice knows all signatures for a message $m$ protects the protocol against forging.
(2) For each future message, Bob and Charlie symmetrize their keys. This is done by each of them choosing at random half of the bit values in their keys ($K^B_m$, $K^C_m$) and sending these bit values (as well as the corresponding positions) to the other participant using their secret classical channel. This will ensure that Alice cannot make Bob and Charlie disagree on the validity of a signature, if a message is forwarded from Bob to Charlie or vice versa in the messaging stage. If Bob (or Charlie) chooses to forward an element of $K^B_m$ (or $K^C_m$) in the distribution stage to Charlie (or Bob), he will not, if he is honest, further use it to check the validity of a signature. Bob and Charlie will only use the bits they did not forward, and those received from the other participant. This is not strictly necessary, but simplifies the analysis of repudiation by a dishonest Alice in that from Alice's point of view, the probabilities are equal for Bob and Charlie to check a particular key bit.
B. Messaging stage
(1) To send a signed one-bit message $m$, Alice sends $(m, \mathrm{Sig}_m)$ to the desired recipient (say Bob).
(2) Bob checks whether $(m, \mathrm{Sig}_m)$ matches his $S^B_m$, and records the number of mismatches he finds. He separately checks the part of his key received directly from Alice and the part of the key received from Charlie. If there are fewer than $s_a(L/2)$ mismatches in both halves of the key, where $s_a < 1/2$ is a small threshold determined by the observed experimental parameters (see Appendix D for more details) and the desired security level of the protocol, then Bob accepts the message.
(3) To forward the message to Charlie, Bob forwards the pair $(m, \mathrm{Sig}_m)$ that he received from Alice.
(4) Charlie tests for mismatches in a similar way, but using a different threshold in order to protect against repudiation by Alice. He accepts the forwarded message if the number of mismatches in both halves of his key is below $s_v(L/2)$, where $s_v$ is another threshold, with $0 < s_a < s_v < 1/2$. An important and necessary feature of unconditionally secure signature schemes [2,33] is that the recipients have to use different thresholds or acceptance criteria for messages received directly from the sender and for forwarded messages.
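The classical post-processing of the two stages (symmetrization, then the two-threshold check) can be sketched as below. This is an added example, not code from the paper: the MDI-KGP is replaced by a classical stand-in (a random string plus a noisy copy), the forger guesses unknown bits uniformly at random instead of using the optimal attack that the paper bounds by p_E, and the length, channel error rate and thresholds are constructed values.

```python
import random

def kgp_stand_in(length, error_rate, rng):
    """Classical stand-in for one MDI-KGP run (assumption): Alice's string
    and a recipient key that differs in a fraction error_rate of positions."""
    alice = [rng.randrange(2) for _ in range(length)]
    recipient = [bit ^ (rng.random() < error_rate) for bit in alice]
    return alice, recipient

def symmetrize(key_b, key_c, rng):
    """Distribution stage, step (2): Bob and Charlie each forward a random
    half of their key (positions and values) over the secret channel.
    Each then keeps only the bits he did not forward plus those received."""
    length = len(key_b)
    fwd_b = set(rng.sample(range(length), length // 2))
    fwd_c = set(rng.sample(range(length), length // 2))

    def view(own, own_fwd, other, other_fwd):
        return {
            "direct": {i: own[i] for i in range(length) if i not in own_fwd},
            "received": {i: other[i] for i in sorted(other_fwd)},
        }

    return view(key_b, fwd_b, key_c, fwd_c), view(key_c, fwd_c, key_b, fwd_b)

def mismatches(half, claimed):
    """Count positions where a declared signature string disagrees with a key half."""
    return sum(1 for i, bit in half.items() if claimed[i] != bit)

def verify(sym_key, sig_own, sig_other, threshold):
    """Messaging stage: accept only if BOTH halves show fewer than
    threshold * (L/2) mismatches. sig_own is the signature part generated with
    this recipient, sig_other the part generated with the other recipient."""
    limit = threshold * len(sym_key["direct"])
    return (mismatches(sym_key["direct"], sig_own) < limit
            and mismatches(sym_key["received"], sig_other) < limit)

def forge_as_bob(key_b, sym_b, length, rng):
    """A dishonest Bob's declaration: his own key stands in for A^B, and for A^C
    he uses the half Charlie forwarded to him and random guesses elsewhere."""
    guess_c = [rng.randrange(2) for _ in range(length)]
    for i, bit in sym_b["received"].items():
        guess_c[i] = bit
    return key_b, guess_c

def run_demo(length=2000, channel_error=0.02, s_a=0.05, s_v=0.10, seed=7):
    """Constructed parameters satisfying channel_error < s_a < s_v < 1/2."""
    rng = random.Random(seed)
    a_b, k_b = kgp_stand_in(length, channel_error, rng)
    a_c, k_c = kgp_stand_in(length, channel_error, rng)
    sym_b, sym_c = symmetrize(k_b, k_c, rng)
    forged_b, forged_c = forge_as_bob(k_b, sym_b, length, rng)
    return {
        # Bob checks Alice's genuine declaration with the stricter threshold s_a.
        "bob_accepts": verify(sym_b, a_b, a_c, s_a),
        # Charlie checks the forwarded declaration with the looser threshold s_v.
        "charlie_accepts_forwarded": verify(sym_c, a_c, a_b, s_v),
        # Charlie checks Bob's forged declaration with s_v.
        "charlie_accepts_forgery": verify(sym_c, forged_c, forged_b, s_v),
        "forgery_error_rate":
            mismatches(sym_c["direct"], forged_c) / len(sym_c["direct"]),
    }

if __name__ == "__main__":
    print(run_demo())
```

The forgery passes the check on the half Bob himself forwarded and fails only on the half Charlie kept, which is the case the forging analysis concentrates on.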

III. MEASUREMENT-DEVICE-INDEPENDENT KEY GENERATION PROTOCOL
MDI-QKD protocols [22,26,34] are schemes that remove all detector side-channel attacks. This is very important when we consider detector loopholes in conventional QKD implementations [14,21]. Similarly, the key generation protocol, which is part of the QDS scheme we are describing, can be made measurement device independent. Essentially, Alice and Bob (or Alice and Charlie) only perform the quantum part of the MDI-QKD scheme to generate different raw keys (the $A^B_m$ and $K^B_m$ described above) with imperfectly correlated and not completely secret bit strings. That is, Alice and Bob do not perform error correction and privacy amplification. This is sufficient for quantum signatures, since it is the number of mismatches with the recipient's key that matters for the signature protocol; perfectly correlated, perfectly secret strings are not necessary. The aim is to show that $(A^B_m, K^B_m) < (E_{\mathrm{guess}}, K^B_m)$ except with negligible probability, where $(x,y)$ is the Hamming distance between $x$ and $y$, and $E_{\mathrm{guess}}$ is Eve's attempt at guessing $K^B_m$. It can also be possible that the adversary Eve is Charlie (for the KGP performed between Alice and Bob, and for the KGP performed by Alice and Charlie, Eve could be Bob). The security of the signature protocol is proved in Sec. IV.
The underlying MDI-QKD protocol, upon which the KGP is built, is the decoy-state BB84 protocol using phase-randomized WCPs considered in [22]. We follow the steps of the protocol in [26], using the Z basis for key generation, but do not proceed with error correction and privacy amplification.
The different steps of the MDI-KGP are as follows.
(1) State preparation. Alice and Bob repeat the first two steps of the protocol for $i = 1, \ldots, N$ until the conditions in the sifting stage are met. For each $i$, Alice chooses an intensity $a \in \{a_s, a_{d_1}, a_{d_2}\}$, a basis $\alpha \in \{Z, X\}$, and a random bit $r \in \{0,1\}$ with probability $p_{a,\alpha}/2$. Here $a_s$ ($a_{d_j}$ where $j \in \{1,2\}$) is the intensity of the signal (decoy) states. Next, she generates a quantum signal (e.g., a phase-randomized WCP) of intensity $a$ prepared in the basis state of $\alpha$ given by $r$. Similarly, Bob does the same. Alice and Bob then send their states to Eve via the quantum channel.
(2) Measurement. If Eve is honest, she makes a Bell state measurement of the signals she has received. Whether Eve is honest or not, she informs Alice and Bob through a public channel of whether or not her measurement was successful. If successful, she declares the Bell state that is obtained.
(3) Sifting. If Eve reports a successful result, Alice and Bob communicate through an authenticated channel their intensity and basis settings.
We will assume that Eve implements her Bell state measurement using linear optics. The measurement setup is illustrated in Fig. 2; it is able to identify two of the four Bell states. Alice and Bob choose Z k and Z k as their respective secret keys $A^B_m$ and $K^B_m$ of length $L$ (where $L = n_k$), for which they obtained the smallest phase error rate $e_{k,1}$. Here, we will consider a finite number of states that are sent and measured, where Eve is allowed to perform general coherent attacks. Our strategy is to find Eve's information in terms of the smooth min-entropy [36], and then use it to bound the probability that she can make a signature declaration making fewer errors than a certain value. We begin by finding Eve's smooth min-entropy on Bob's bit string $Z_{k,\mathrm{keep}}$, by following the same strategy as in [12]. In spite of the fact that the KGP is built on MDI-QKD, the security analysis for the MDI-KGP does not follow directly from the security of the MDI-QKD protocol. One reason is that the goal of an adversary in the signature protocol is different from that of an eavesdropper in MDI-QKD. For the signature protocol, what matters is the number of mismatches with a recipient's key; for QKD, what matters is the information an eavesdropper can hold about a key. These are related but not identical.
Previous work [12] followed [37] to find Eve's smooth min-entropy in a similar way as for decoy-state QKD. Another important difference from QKD is that in the signature protocol, Bob effectively gives the extra information $Z_{k,\mathrm{forward}}$ to Eve (with respect to forging with Bob, Charlie can be "Eve"). In a similar way, let us denote the classical random variables R k and as the information gained by Eve from parameter estimation and basis declarations for all the pulses sent by Alice and Bob, respectively. Since Bob, if he is honest, does not use $Z_{k,\mathrm{forward}}$, this could be treated as the part of the string R k that is sacrificed for parameter estimation, as explained in [38]. We combine all of Eve's information into one quantum system living in the Hilbert space H E . This comprises the space containing Eve's ancilla quantum system following her general attack, H E , as well as the spaces containing the states encoding the strings R k , and $Z_{k,\mathrm{forward}}$. Then, according to [26], Eve's smooth min-entropy, which quantifies the average probability that she guesses $Z_{k,\mathrm{keep}}$ within a certain threshold using the optimal strategy with access to E k , is given by where ε k ε k + εk and ρ is the state shared by Eve and the part of the key that Bob kept and did not forward. We are interested in a regime where the first two terms on the right-hand side (RHS) of Eq. (1) are much larger than the $\log_2$ term as ε k and εk are typically of the order say $10^{-5}$-$10^{-10}$. Therefore, we arrive at the following approximation of Eq. (1): Appendix A provides a brief analysis of the estimation of the parameters $n_{k,0}$, $n_{k,1}$, and $e_{k,1}$, and Appendix B briefly describes the steps involved to obtain Eq. (1). Note that Eq. (2) is similar to Eq. (1) obtained in [12]. The next task is to bound the number of errors that Eve is likely to make when guessing Bob's key, given the bound on her smooth min-entropy. For this, we use Proposition 1 in [12] and follow the same argumentation.
Proposition 1 [12]. If Bob and Eve share the state ρ then, for any eavesdropping strategy, Eve's average probability of making at most $r$ mistakes when guessing $Z_{k,\mathrm{keep}}$ can be upper bounded as The proof of this proposition follows the lines introduced in Appendix B of [12]. For large $n_k$, it can be shown from Markov's inequality that Eq. (3) implies P (Eve makes fewer than r errors) := p r g, ( except with probability at most where $c_{k,i} := 2n_{k,i}/n_k$ is the lower bound on the count rate for the Z basis pulses containing $i$ photons. Therefore, we arrive at the condition that determines whether or not Eve is able to make fewer than $r$ errors with non-negligible probability, given as If the condition holds, then $n_k$ can be increased to make Eve's probability of making fewer than $r$ errors arbitrarily small. We define $p_E$ by the equation The meaning of this is that $p_E$ is the minimum rate at which Eve can make errors for the code string associated with the Bell state $k$ (except with negligible probability $p_F$). Suppose the error rate on the Z basis measurements between Alice and Bob is upper bounded as $E_k$. As long as $p_E > E_k$, there exists a choice of parameters and a sufficiently large signature length which makes the protocol secure. This means that MDI-QDS is possible as long as

IV. SECURITY ANALYSIS
We will now prove the security of the signature protocol, i.e., the robustness (probability of an honest run aborting), security against forging (probability that a recipient generates a signature, not originating from Alice, that is accepted as authentic), and repudiation (or transferability) (probability that Alice generates a signature that is accepted by Bob but then, when forwarded, is rejected by Charlie). In what follows we assume that Alice-Bob and Alice-Charlie have each used the MDI-KGP to generate bit strings of length $L = n_k$, to use in the QDS protocol described above.
(a) Robustness. Bob rejects a signed message if the $n_k/2$ bits received from either Alice or Charlie have a mismatch rate higher than $s_a$ with Alice's signature. We note that Alice and Bob use a random sample, $R_k$ bits from $Z^{a_s,b_s}_k$, to obtain the error rate $E^{a_s,b_s}_k$. This implies that the error rate $E^{a_s,b_s}_k$ between the strings (Z k,keep and Z k,keep ) generated using the Z basis satisfies the inequality [39] where This means that the upper bound which we obtain from Eq. (9) on the error rate between Alice's and Bob's strings is true except with a very small probability $\varepsilon_{PE}$, and this probability can be fixed as small as desired. For any fixed value of the function μ, the failure probability decays exponentially fast in the parameter $R_k$. Then we set $E_k := \max\{E_{k,B}, E_{k,C}\}$, where $E_{k,B}$ and $E_{k,C}$ refer to the upper bound obtained in Eq. (9) for the cases Alice-Bob and Alice-Charlie, and we choose $s_a$ such that $s_a > E_k$. We have that the probability that Bob will find an error rate higher than $s_a$ is bounded by where the factor of 2 accounts for the fact that the abort can be due to either the states received from Alice or the states received from Charlie.
(b) Security against repudiation. Successful repudiation by Alice means, in the three-party scenario, that she makes Bob accept a declaration $(m, \mathrm{Sig}_m)$ that was sent to him by her, while Charlie rejects the same declaration when Bob forwards it to him (or similarly for a message forwarded from Charlie to Bob). Intuitively, security against repudiation follows because of the symmetrization performed by Bob and Charlie using the secret classical channel. Even if Alice knows and can control the error rates between $A^B_m$, $A^C_m$ and $K^B_m$, $K^C_m$, she cannot control whether the errors end up with Bob or Charlie. After symmetrization the keys $S^B_m$ and $S^C_m$ will each have the same expected number of errors. To repudiate, one key must contain significantly more errors than the other. Using results from [12], we obtain For a formal proof, please see Appendix C. Note that the probability of repudiation decays exponentially as the length $n_k$ of the signature increases.
(c) Security against forging. It is easier for either Bob or Charlie to forge than it is for any other external party. Therefore, we will consider forging by an internal party. In order to forge a message, Bob must give a declaration $(m, \mathrm{Sig}_m)$ to Charlie that has fewer than $s_v n_k/2$ mismatches with the (to Bob) unknown half of $S^C_m$ sent directly from Alice to Charlie, and also fewer than $s_v n_k/2$ mismatches with the half he himself forwarded to Charlie. An adversarial Bob will obviously be able to meet the threshold on the part he forwarded to Charlie. We therefore consider only the unknown half that Charlie received directly from Alice. We have that the maximum rate at which Alice will make errors with Charlie's key is given by $E_k$. From Eq. (7), we also know the minimum rate at which Bob will make errors with the code string associated with the Bell state $k$ of Charlie's key; we have denoted this by $p_E$. Assuming (8) holds, we choose $s_v$ such that $E_k < s_v < p_E$. In this case, Charlie will likely accept a legitimate signature sent by Alice, since the upper bound on their error rate, $E_k$, is less than the threshold $s_v$. On the other hand, Charlie will likely reject any dishonest signature declaration by Bob, since the probability of Bob finding a signature with an error rate smaller than $s_v$ is restricted by (4) as P (Bob makes fewer than $s_v n_k/2$ errors) := p r g (13) except with probability at most $p_F$ given by (5). If the estimation of the parameter $E_k$ fails, which can happen with probability $\varepsilon_{PE}$, we will assume for simplicity that Bob is able to successfully forge with certainty. In a similar way as in [12], we are then able to bound Bob's probability of successfully forging as This equation is valid for any choice of parameters $(g, \varepsilon_{PE}, \varepsilon_{k,0}, \varepsilon_{k,1}, \varepsilon_{k,e})$ greater than zero. Thereby, Bob's probability to forge can be made arbitrarily small by increasing $n_k$.
The addition of $\varepsilon_{PE}$ accounts for the probability that the upper bound on $E_k$ is incorrect and $\varepsilon_{k,0}$, $\varepsilon_{k,1}$ and $\varepsilon_{k,e}$ are the error probabilities associated with the estimation of $n_{k,0}$, $n_{k,1}$, and $e_{k,1}$, respectively (see Appendix A).

V. COMPARISON TO MDI-QKD
According to [26], in MDI-QKD the length $l_k$ of the secret bit string associated to the Bell state $k$ is given by if the protocol is sec secret, with sec = k k,sec and k,sec = 2(ε k + 2ε k,e + εk ) Here $\varepsilon_{k,PA}$ is the failure probability of privacy amplification, and the term $\mathrm{leak}_{EC,k}$ is the information that is revealed by Alice in the error correction step. The meaning of the remaining epsilons can be found in [26]. The correctness of the protocol is guaranteed by the error correction step, and we say that the protocol is cor correct if the probability that Alice's and Bob's bit strings are not identical is not greater than cor . In the asymptotic limit of very large data blocks, one can neglect certain terms that reduce the secret key length and thereby Eq. (15) can be rewritten as Here, $c_{k,i} := n_{k,i}/n_k$ increase the secret key rate, while $n_k c_{k,1} h(e_{k,1})$ and $\mathrm{leak}_{EC,k}$ reduce it. These parameters depend on the sifted key length $n_k$ [26].
), where ζ is referred to as the leakage parameter, which depends on the value of n k , and h(.) denotes the binary Shannon entropy.
ζ is assumed to be 1.16 in [26] but can generally be in the range 1.1-1.2, and when $n_k < 10^5$ the parameter ζ may be greater than 1.16. Therefore, for a sifted key length n k 2 , Eq. (16) can be written as In a similar way as in [12], when we compare Eqs. (8) and (17), we find that there are Alice-Bob and Alice-Charlie quantum channels for which quantum signatures are possible and yet practical MDI-QKD is not, since the error threshold is less strict for the quantum channels used to perform the KGP in the signature protocol.

VI. DISCUSSION
In this section, we analyze the number of quantum transmissions necessary to sign a message with a security level of the order of $10^{-5}$ and $10^{-10}$, respectively. If the security level of the protocol is of the order of, say, $10^{-5}$, then this means that the probabilities of honest abort, forging, and repudiation are all less than $10^{-5}$.
Using realistic experimental quantities, we estimate that a signature length of $n_k = 8.9 \times 10^6$ (for each of the possible single bit messages zero and 1) can be used to securely sign a single bit message, sent over a distance of 50 km. Essentially, it would require Bob or Charlie to transmit approximately $N_{\mathrm{sig}} = 5.58 \times 10^{12}$ quantum states (per bit to be signed) to Alice during their KGPs (for full details, see Appendix D). With a source with a pulse rate of 1 GHz, we can calculate that it would take approximately 93 min to generate a raw key when the experiment uses standard single-photon detectors with detection efficiency ($\eta_D$) of 14.5%. This is for a security level of the order of $10^{-5}$. By using detectors with higher detection efficiency we can improve the time of generating a raw key ($t_r$) since sending a smaller number of signals ($N_{\mathrm{sig}}$) is then required to sign a single-bit message.
Table II shows the raw key generation times for various detectors that could be used in the protocol. We find that the most advanced superconducting nanowire single-photon detectors (SNSPDs) having 93% efficiency [42] would only require Bob or Charlie to send $6.4 \times 10^{10}$ signals to perform the protocol with a secure threshold of the order of $10^{-5}$. This would require just above a minute to generate the raw key. In order to improve the security threshold of the protocol (say $10^{-10}$), Bob or Charlie would need to send a higher number of signals compared to the previous case. Table III shows the raw key generation times and the number of signals that are required to send for the protocol to be secure for a threshold of the order of $10^{-10}$. The protocol is secure to the order of $10^{-10}$ for a distance of 50 km, which in comparison is an improvement over the previous scheme [12] having a security threshold of $10^{-4}$. The simulation results demonstrate that even with practical signals (for example, phase-randomized WCPs) and a finite size of data (say $10^{11}$ to $10^{14}$ signals) it is possible to perform secure MDI-QDS (with security threshold $10^{-10}$) over long distances (up to about 150 km). Since the experimental platform for the implementation of MDI-QKD can also be used for MDI-QDS with slight modifications, in particular in the postprocessing of measurement results, we expect MDI-QDS could be widely used in practical QDS systems in the near future.
Table III:
Standard single-photon detectors [40]    10.5    175
InGaAs APD [32]    3.35    55.83
InGaAs/InP APD [41]    1.63    27.1
SNSPDs [42]    0.18    3

VII. CONCLUSION
In summary, we have presented a MDI-QDS protocol and proven it unconditionally secure against general attacks. It improves on previous quantum signature protocols by removing all detector side-channel attacks. This is essentially achieved by adapting the rigorous security proof of MDI-QKD given in [26], taking into account finite-size effects, to the QDS protocol proposed in [12], and we have shown that the resulting security proof is valid against general forging and repudiation attacks.
A similar approach is followed to estimate $n_{k,1}$ and $e_{k,1}$ with associated error probabilities $\varepsilon_{k,1}$ and $\varepsilon_{k,e}$, respectively. We obtain except with error probability where the function ϒ(x,y,z) is defined as $ϒ(x,y,z) = (x + 1)\ln(z^{-1})/[2y(x + y)]$. The quantity $n_{k,1}$ is a lower bound for the number of signals where Alice and Bob send a single-photon state prepared in the X basis and where Eve declares the Bell state $k$, $e_{k,1}$ is an upper bound for the total number of errors in these signals, and $\varepsilon_{k,e}$ and $\varepsilon_{k,e}$ represent, respectively, their associated error probabilities. For more details about how to calculate these parameters, please see [26].
We have, therefore, that the error probability associated with the estimation of the different parameters is given by $\varepsilon_{PE} + \varepsilon_{k,0} + \varepsilon_{k,1} + \varepsilon_{k,e}$, with $\varepsilon_{PE}$ given by Eq. (9).

APPENDIX B: EVE'S SMOOTH-MIN ENTROPY
The goal of this Appendix is to derive Eq. (B2). The analysis follows the procedure introduced in [26]. For this, let H ε k min (Z k,keep |E k ) denote the smooth min-entropy which quantifies the average probability that the adversary guesses $Z_{k,\mathrm{keep}}$ correctly using the optimal strategy with access to E k . Now the bits of $Z_{k,\mathrm{keep}}$ can be distributed among three different strings, $Z^0_{k,\mathrm{keep}}$, $Z^1_{k,\mathrm{keep}}$, and $Z^{\mathrm{rest}}_{k,\mathrm{keep}}$. The first string contains bits where Bob sent a vacuum state, the second where Alice and Bob sent a single-photon state, and $Z^{\mathrm{rest}}_{k,\mathrm{keep}}$ contains the rest of the bits. Using the result of chain rule of entropies [43], we obtain where , it is considered that Alice and Bob prepare perfect BB84 states. Then, this quantity can be written in terms of the smooth max-entropy between them, which is directly bounded by the strength of the correlations [44]. From the entropy uncertainty relation [36], we obtain ).
Using the above equation in Eq. (B1), we get We are interested in a regime where the first two terms on the RHS of Eq. (B2) are much larger than the $\log_2$ term, as ε k and εk are typically of the order say $10^{-5}$-$10^{-10}$. Therefore, if we neglect this $\log_2$ term, we obtain Eq. (2) of the main paper,

APPENDIX C: SECURITY AGAINST REPUDIATION
We follow the approach in [10]. If Alice tries to repudiate a message, she sends a declaration $(m, \mathrm{Sig}_m)$ which Bob will accept and Charlie will reject. For this to happen, Bob must accept both the elements that Alice sent directly to him, and the elements that Charlie forwarded to him. In order for Charlie to reject he needs only to reject either the elements he received from Alice, or the elements Bob forwarded to him (or both). Intuitively, security against repudiation follows because of the symmetrization performed by Bob and Charlie using the secret classical channel. In the distribution stage, to send the future message $m$, Alice uses the MDI-KGP with Bob and Charlie to generate strings of length $n_k = L$. Suppose that Bob holds the string $(b_1, \ldots, b_L)$ and Charlie holds the string $(c_1, \ldots, c_L)$. Now, for simplicity, we consider that Alice has full power and we assume that later on, in the messaging stage, she is able to fully control the number of mismatches her signature declaration contains with $(b_1, \ldots, b_L)$ and $(c_1, \ldots, c_L)$. Let us denote the mismatch rates by $e_B$ and $e_C$, respectively. Then, the symmetrization process means that Bob and Charlie will randomly (and unknown to Alice) receive $L/2$ elements of the other's string. We aim to show that any choice of $e_C$ and $e_B$ leads to an exponentially decaying probability of repudiation. Then we have the two following cases as in [10].
Case 1. First, let us assume that $e_C > s_a$. In this case, Bob receives $L/2$ elements from the set $\{c_1, \ldots, c_L\}$, which contains exactly $e_C L$ mismatches with Alice's future declaration. In order to accept the message, Bob must get fewer than $s_a L/2$ errors. Using [45] we can bound the probability that Bob gets

FIG. 1. Schematic diagram of a setup for MDI-QDS. Alice, Bob, and Charlie prepare quantum signals in different BB84 polarization states, using a polarization modulator (Pol-Mod). In addition, they generate decoy states with an intensity modulator (Decoy-IM). The signals are then sent to an untrusted party Eve, who acts like a relay and is supposed to perform a Bell state measurement, which projects the incoming signals into a Bell state. The channels between Alice-Eve, Bob-Eve, and Charlie-Eve are quantum channels (QC). Eve performs the measurement separately for the pairs Alice-Bob and Alice-Charlie. Bob and Charlie share a MDI-QKD link (gray channel), which can be used to transmit classical messages in full secrecy. The pairs Alice-Bob and Alice-Charlie have pairwise authenticated classical channels (CC) indicated as dashed lines, through which they can communicate their basis settings for the different key positions.
For each Bell state $k$, we define two groups of sets: $Z^{a,b}_k$ and $X^{a,b}_k$. $Z^{a,b}_k$ is a set that identifies signals where Eve declares a Bell state $k$ and Alice and Bob have selected the intensities $a$ and $b$ and the basis Z. Similarly, $X^{a,b}_k$ is a set that identifies signals where Eve declares a Bell state $k$ and Alice and Bob have selected the intensities $a$ and $b$ and the basis X. The protocol is repeated until |Z a,b k | N a,b k and |X a,b k | M a,b k ∀a,b,k [35]. After this, Bob flips part of his bits to correctly correlate them with those of Alice. This is shown in Table I.
(4) Parameter estimation. Alice and Bob use $n_k$ random bits from $Z^{a_s,b_s}_k$ to form the code bit strings Z k and Z k , respectively. The remaining $R_k$ bits from $Z^{a_s,b_s}_k$ are used to compute the error rate E a s ,b s k = 1R k l r l ⊕ r l , where r l and r l are Alice's and Bob's bits, respectively. The bit string of length $R_k$ is used to estimate the correlation between Alice and Bob's strings generated from the Z basis, after which they

FIG. 2. Schematic diagram of Eve's measurement device. The combination of polarizing beam splitters (PBSs) and a 50:50 beam splitter (BS) projects the incoming signals from Alice and Bob or Charlie into horizontal (H) and vertical (V) polarization states. A joint click on the single-photon detectors $D_{1H}$ and $D_{2V}$, or $D_{1V}$ and $D_{2H}$, represents a projection into the Bell state $|\psi^-\rangle$, while a joint click in $D_{1H}$ and $D_{1V}$, or $D_{2V}$ and $D_{2H}$, indicates a projection into the Bell state $|\psi^+\rangle$.


TABLE I. Processing of data in the sifting stage. The Bell states are defined as |ψ
to estimate $n_{k,0}$, $n_{k,1}$ and $e_{k,1}$. The parameter $n_{k,0}$ is a lower bound for the number of bits in $Z_{k,\mathrm{keep}}$ where Bob sent a vacuum state. $Z_{k,\mathrm{keep}}$ is the part of $Z_k$ which he chooses to keep with himself while he forwards the other remaining part, $Z_{k,\mathrm{forward}}$, to Charlie during the key symmetrization process. That is, $|Z_{k,\mathrm{keep}}| = |Z_{k,\mathrm{forward}}| = n_k/2$. In a similar way, $n_{k,1}$ is a lower bound for the number of bits in $Z_{k,\mathrm{keep}}$ where Alice and Bob sent a single-photon state. $e_{k,1}$ is an upper bound for the single-photon phase error rate. If e k,1 e tol , the code bit strings Z k and Z k are discarded, and the protocol is aborted only if e k,1 e tol ∀k.

TABLE II. Raw key generation times for various detectors that could be used in a MDI-QDS protocol for a distance of 50 km and a security threshold of $10^{-5}$. The parameters $\eta_D$ (%), $Y_0$, and $N_{\mathrm{sig}}$ denote respectively the detection efficiency, dark count rate of Eve's detectors, and the number of signals that Bob or Charlie sends to Alice during their KGPs. $t_r$ is the time taken to generate the raw key and to estimate $t_r$ we assume a source with a pulse rate of 1 GHz.

TABLE III. Raw key generation times for a distance of 50 km with a security threshold of $10^{-10}$. For the definition of the different parameters, see the caption of Table II.
|E k ) H 0 min (Z 0 k,keep |E k ) = H min (Z 0 k,keep ) = n k,0. The final part arises as the vacuum states contain no information about their bit values, which are uniformly distributed. In order to get the lower bound for the term H k min (Z 1 k,keep |Z 0 k,keep Z rest k,keep E k ) Here, it is taken into consideration that H ˆ k min (Z rest k,keep |Z 0 k,keep E k ) 0, and H