Realization of Quantum Digital Signatures without the requirement of quantum memory

Digital signatures are widely used to provide security for electronic communications, for example in financial transactions and electronic mail. Currently used classical digital signature schemes, however, only offer security relying on unproven computational assumptions. In contrast, quantum digital signatures (QDS) offer information-theoretic security based on laws of quantum mechanics (e.g. Gottesman and Chuang 2001). Here, security against forging relies on the impossibility of perfectly distinguishing between non-orthogonal quantum states. A serious drawback of previous QDS schemes is however that they require long-term quantum memory, making them unfeasible in practice. We present the first realisation of a scheme (Dunjko et al 2013) that does not need quantum memory, and which also uses only standard linear optical components and photodetectors. To achieve this, the recipients measure the distributed quantum signature states using a new type of quantum measurement, quantum state elimination (e.g. Barnett 2009, Bandyopadhyay et al 2013). This significantly advances QDS as a quantum technology with potential for real applications.

Digital signatures are used to ensure that messages cannot be forged or tampered with. Signed messages are also transferable, meaning that it is unlikely that one recipient accepts a message as genuine, while another recipient, to whom the message is forwarded, rejects it. This important property is also called non-repudiation; a sender cannot deny having sent a message. Digital signature schemes are different from encryption, which guarantees the privacy of a message. Both are important cryptographic tasks. Quantum key distribution (QKD) [7,8] can be used to distribute a secret key for information-theoretically secure encryption, and commercial systems are already available [9,10]. Analogously, digital signature schemes relying on quantum mechanics [1][2][3][4] can also be made information-theoretically secure, in contrast to currently used classical digital signature schemes. In this work we show that quantum digital signature (QDS) and QKD require similar experimental components and a comparable level of experimental complexity.
Protocols for quantum digital signatures have a distribution stage and a messaging stage. We will describe the case with one sender and two recipients, but this can be extended to more recipients. In the distribution stage, the sender, Alice, transmits quantum signature states to the recipients, Bob and Charlie. She chooses a sequence of L states for each possible message that she might later want to send, for a suitably chosen integer L, and distributes one copy of each state sequence to each recipient. The quantum states are randomly chosen from a set of non-orthogonal states, in our realization four coherent states $|\alpha\rangle$, $|\alpha e^{i\pi/2}\rangle$, $|\alpha e^{i\pi}\rangle$ and $|\alpha e^{3i\pi/2}\rangle$, with known magnitude $\alpha$. The chosen phase sequences are analogous to a private key, known only to Alice. In the simplest case, to send a one-bit message later on, Alice distributes two sequences of states to each of Bob and Charlie, one corresponding to the possible message "0", and one corresponding to the message "1".
In the subsequent messaging stage, Alice accompanies the message she sends with the classical information about the corresponding sequence of quantum states; in our realization, the sequence of phases. A recipient of a signed message tests that this agrees with the previously distributed quantum signature states, and accepts the message as genuine if there are sufficiently few mismatches for the whole sequence. Similarly, to forward a message, a recipient forwards the message together with the information about the corresponding quantum signature states. The new recipient again tests for mismatches and verifies if these are few enough.
Previous QDS schemes [1][2][3] required that recipients store the signature states in long-term quantum memory until the messaging stage. Once a recipient is given the private information about a signature state, say, that it should be equal to some state $|\phi\rangle$, the best way to test for a mismatch is to make a quantum measurement with measurement operators $|\phi\rangle\langle\phi|$, $1 - |\phi\rangle\langle\phi|$. That is, to test if the state has any component orthogonal to the state it is declared to be.
The requirement for quantum memory is clearly unfeasible at present. There may be days, weeks, or longer between the distribution and the messaging stages, whereas state-of-the-art quantum memories cannot achieve coherence times longer than tens of minutes at room temperature [11,12]. A protocol that circumvents quantum memory was suggested in [4], and our current experiment realizes a variant of this scheme. Here, the recipients measure the signature states directly at the end of the distribution stage. Only classical information needs to be stored. In [4], unambiguous state discrimination measurements were envisaged. In our realization, we improve on this idea so that Bob and Charlie instead use unambiguous quantum state elimination [5,6] to probabilistically exclude one or more phases for each signature state.
Our experimental setup is shown in Fig. 1. For coherent states, the state elimination measurement can be realized using linear optics and photodetectors. Each recipient uses two detection systems, shown within dashed light blue lines in Figure 1, where the signature states are interfered with reference pulses of phase 0 in the top and phase $\pi/2$ in the bottom interferometer. Polarization routing [13] is employed for the orthogonally polarized signal and reference pulses, using the polarizing beam splitter (PBS) and combiners (PBC). The reference pulses enter through the left-hand input ports of beam splitters "2" and "3" while the delayed signal pulses enter through the top. Detecting photons in any of the output ports excludes one possible phase, similar to a recent realization of unambiguous state discrimination (USD) [14]. Whereas USD requires excluding all but one of the quantum states, we only require elimination of at least one state (phase). This significantly increases the number of usable signature elements by requiring fewer detection coincidences. The process of unambiguous state elimination (USE) is summarized here and described in more detail in Appendix A. To estimate the resulting advantage, assume that the amplitude entering Bob's and Charlie's measurement setups is $|\beta|^2$, and neglect e.g. phase imperfections. The probability of excluding the coherent state of opposite phase to the one that is sent is then $1 - \exp(-|\beta|^2) = p$, and the probabilities to exclude the other two are $1 - \exp(-|\beta|^2/2) = q$. The probability of excluding all three states that were not sent is $pq^2$, while the probability of excluding at least one of them is $1 - (1 - p)(1 - q)^2$, which is always greater. If, as in our experiment, $|\beta|$ is small, then this quantity is much greater than $pq^2$.
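The comparison between full discrimination and elimination can be reproduced numerically. The following is an added example, not code from the paper: it assumes a lossless receiver with ideal fringe visibility, reference pulses matched in magnitude to the signal, and ideal threshold detectors, and all function names are illustrative. It goes slightly beyond the two probabilities quoted above by computing the full distribution over elimination patterns.

```python
import cmath
import itertools
import math

# Phase index k stands for the signature phase k*pi/2 (0, pi/2, pi, 3pi/2).
PHASES = [k * math.pi / 2 for k in range(4)]


def click_probabilities(sent, mean_photons, eta=1.0):
    """Click probability of each "not phase k" detector, k = 0..3.

    Assumed model (not taken from the paper's appendix): the signal with
    |beta|^2 = mean_photons is split 50:50 and each half meets a reference
    of the same magnitude, with phase 0 or pi/2, on a 50:50 beam splitter.
    The port that stays dark when the signal has phase k then carries
    amplitude (beta - alpha_k)/2. eta is an overall detection efficiency;
    a threshold detector clicks with probability 1 - exp(-eta * n).
    """
    amp = math.sqrt(mean_photons)
    beta = amp * cmath.exp(1j * PHASES[sent])
    probs = []
    for phi in PHASES:
        n = abs(beta - amp * cmath.exp(1j * phi)) ** 2 / 4  # mean photons at port
        probs.append(1.0 - math.exp(-eta * n))
    return probs


def outcome_distribution(sent, mean_photons, eta=1.0):
    """Probability of every elimination pattern (a_0, a_1, a_2, a_3).

    a_k = 1 means phase k was eliminated. The four output modes are
    independent coherent states, so the click probabilities multiply.
    """
    probs = click_probabilities(sent, mean_photons, eta)
    dist = {}
    for pattern in itertools.product((0, 1), repeat=4):
        pr = math.prod(p if a else 1.0 - p for a, p in zip(pattern, probs))
        if pr > 0.0:
            dist[pattern] = pr
    return dist


def usd_success(sent, mean_photons, eta=1.0):
    """All three phases that were not sent are eliminated (full USD)."""
    target = tuple(0 if k == sent else 1 for k in range(4))
    return outcome_distribution(sent, mean_photons, eta).get(target, 0.0)


def use_success(sent, mean_photons, eta=1.0):
    """At least one phase eliminated, and the sent phase is not among them."""
    dist = outcome_distribution(sent, mean_photons, eta)
    return sum(pr for pat, pr in dist.items() if pat[sent] == 0 and any(pat))


if __name__ == "__main__":
    print("|beta|^2    USD (p*q^2)   USE (>=1 eliminated)    ratio")
    for n in (0.1, 0.5, 1.0, 4.0):
        usd, use = usd_success(0, n), use_success(0, n)
        print(f"{n:8.1f}   {usd:11.5f}   {use:20.5f}   {use / usd:8.1f}")
```

In this ideal model $(1 - p)(1 - q)^2 = \exp(-2|\beta|^2)$, so the elimination success probability is $1 - \exp(-2|\beta|^2)$ for every sent phase.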
A forger must avoid declaring a phase that has been eliminated; more precisely, avoid this for sufficiently many signature sequence positions. If Bob (or Charlie) succeeds in eliminating three of the four possible phases for one signature position, then a forger must select the single remaining phase to avoid a mismatch.
[Figure caption fragment: [19]. Experimental data are averaged over several measurements and error bars in the count rate are the standard deviation. Horizontal error bars for the mean photon number are dominated by a worst-case assumption that the pulse-to-pulse variation in the output power of our laser is the experimentally measured maximum of ±1.5%.]
phase is ruled out, a forger must avoid selecting this phase. With USE, therefore, many events which would count as non-detected if using USD will now contribute to the detection of forging. Consequently, using state elimination leads to an improvement in the signature generation rate. For both USE and USD, the forger's probability of avoiding too many mismatches decays exponentially with the signature length L.
A more detailed security analysis is found in [4] and in the Appendix A. We have examined security for a single use of the protocol, for general repudiation attacks and all forging attacks except those involving entangling operations on successive signature sequence states. So-called "composable security" remains an important issue. In short, security against forging follows since Alice's signature states are chosen from a set of non-orthogonal quantum states, which cannot be distinguished perfectly. Only Alice has the full description of these states. Note that the number of recipients depends on protocol parameters, since if too many copies of Alice's signature states are available, or if $|\alpha|^2$ is too large, then the private phases could be determined reliably enough to forge a message unless protocol parameters such as L are adjusted.
To prevent repudiation, recipients must ensure that they are sufficiently unlikely to disagree on the validity of a message. Here, as in [3], this is achieved using an all-optical fiber multiport, shown in Fig. 1 within dashed brown lines. Bob and Charlie split the pulses received from Alice using a 50:50 beam splitter. Bob sends to Charlie half of the pulse he received from Alice, and Charlie does correspondingly. Bob then combines the component he received directly from Alice with the component he received from Charlie on another 50:50 beam splitter, and Charlie again does correspondingly. This symmetrizes Bob's and Charlie's quantum states for each position in the signature sequences, so that their measurement statistics at the output of the multiport are identical. By choosing a lower allowed fraction of mismatches $s_a$ for accepting a message received directly from Alice, and a higher allowed fraction $s_v$ for verifying that a forwarded message is genuine, it can be made unlikely that two recipients will disagree on the validity of a message, see [1,4] and Appendix A.
Moreover, the multiport guarantees that even if Alice uses general, possibly entangled quantum states, she still cannot make Bob and Charlie significantly disagree on the validity of a signature. In addition, by considering counts at the multiport null-ports, the recipients can guard against certain types of forging.
In [4] and in the Appendix A we show that the probabilities for repudiation and forging decay exponentially in L, by suitable choice of protocol parameters depending on the properties of an actual implementation. The scheme can also be made robust, that is, if all parties are honest, then the protocol runs as intended with high probability. In any implementation, errors will occur even if all parties are honest. Therefore to ensure robustness one should for example select $s_a > 0$.
Defining the level of security in QDS is not straightforward, since different parties may be honest and dishonest. Here we assume that one chooses values of $s_a$ and $s_v$ such that the probabilities for repudiation, forging, and for rejection if all participants are honest are all equal (see Appendix A). The probability of any of these undesirable events occurring is then where g is the gap giving a lower bound on the advantage that someone (e.g. Alice) has if she knows the signature, compared to someone else (e.g. a forger) who makes a guess by performing a measurement on the signature copies (see Appendix A). In this paper, we will call the failure probability the security level of the QDS scheme. Eq. (1) shows that a greater gap g gives better protocol performance.
The figure of merit that we will use to quantify the performance of our experiment is the length of the signature L required to sign a "half-bit" message for a given security level. One can also define the rate of the signature as the number of bits per second that can be signed securely, given the clock rate of the source used. Our experiment uses a clock rate of 100 MHz, due to the temporal response profile of the Geiger-mode silicon single-photon avalanche diodes (Si-SPADs) [16].
We explored amplitudes from $|\alpha|^2 = 1$ to 11. Coherent states are generated by a temperature-stabilized pulsed vertical cavity surface emitting laser (VCSEL) with wavelength 850.17 nm, attenuated to the desired mean photon number per pulse $|\alpha|^2$, defined at the launch from Alice into the multiport. For a given run of the experiment with some $|\alpha|^2$, we registered the phases that Bob and Charlie ruled out.
This experimental data gives the probabilities of excluding particular states, given that Alice sent a certain state. All losses are included, since these probabilities are determined from the experimentally measured ratio of detection events to the total number of pulses sent by Alice. For the QDS scheme to be secure, an honest participant must be able to detect a difference between forged and genuine signatures (see Appendix A). How large this difference is determines g (see [15,17]), and therefore through Eq. (1) determines the length L required for a desired security level. The gap g is proportional to the transmittance (one minus the losses) (Appendix A) and therefore the length L for a fixed security level decreases quadratically as the transmittance increases. In short, the difference between the success and failure probabilities for USE determines how well a participant can identify a false declaration.
Experimental results are shown in Figure 2. Each data point represents the mean of several measurements. Vertical error bars are the standard deviation, and horizontal error bars the uncertainty in the mean photon number due to a pulse-to-pulse variation of < ±1.5% in VCSEL intensity. In Figure 2b "USE Success" means that at least one state was eliminated, as long as the state that Alice actually sent was not eliminated. "USE Failure" means that the state that Alice actually sent was eliminated. The success probability for USD is also shown, and is considerably lower than for USE. With USE, one sometimes excludes more than one state. All "USD Success" events are included in the "USE Success" data. As already noted, with USE many events which would count as undetected in USD will now contribute to the detection of forging, in addition to all USD success events. The difference between the success and failure probabilities is greater for USE than it is for USD, similarly indicating that USE leads to a greater chance of detecting forging.
For all investigated values of $|\alpha|^2$, the success probability for USE is much higher than the failure rate. For higher failure rates, one has to set acceptance and verification thresholds $s_a$ and $s_v$ higher to ensure robustness. This in turn increases the signature length required to ensure the same security level. The primary cause of a "failure", for both USE and USD, was the fringe visibility of the detection setups, which was 80.9%. The multiport has a fringe visibility of 99.7%.
When determining the optimal $|\alpha|^2$, one has to consider that the gap also depends on $p_{\min}$, which is the minimum error probability that a forger obtains if he tries to guess Alice's signature by measuring a copy of the quantum signature (Appendix A). For very small $\alpha$, $p_{\min}$ is large, but detecting a false declaration is difficult, while for very large $\alpha$, $p_{\min}$ is small but detecting a false declaration is relatively easy. Since the ability to detect a false declaration is estimated from experimental data, and does not have an analytical expression, it is not straightforward to determine the optimum $\alpha$. In our experiment, the best gap $g = 1.20 \times 10^{-6}$ occurs for $|\alpha|^2 = 1$. For a security level of 0.01% this gives $L = 5.10 \times 10^{13}$ to sign a "half-bit". This is an impractical signature length, and below we will comment on planned improvements in order to make this rate more practical.
The signature length L increases with increased distance between parties, since g in Eq. (1) is proportional to the transmittance $\eta$. For example, if $\eta$ is squared, then the L required for the same level of security will increase by a factor of $\eta^{-2}$. In any event, if honest recipients see a difference between a forged and a genuine signature, however small, then it is always possible to find values of $s_a$, $s_v$ and L to give a desired level of security.
To conclude, we have experimentally demonstrated a first realization of a QDS scheme which does not require long-term quantum memory, and where the recipients use quantum state elimination. This is an important step in developing practical QDS systems. Our experiment uses phase-encoded coherent states. Recently, Arrazola and Lütkenhaus suggested using phase-encoded coherent states for quantum fingerprinting [18]. In our demonstration, due to the difficulty of stabilizing a multiport with long optical paths, the sender and receivers were only separated from each other by approximately five meters of optical fiber. Separate reference signals are needed for calibration before signature transmission, and as phase reference for the USE measurements. Tampering with reference pulses by a malevolent party should not lead to higher probability of forging or repudiation than tampering with signal states themselves (Appendix A). Also, reference signals can be bright, and thus can in principle be fully monitored through quantum tomography.
We are currently exploring three changes to significantly improve performance. First, by extrapolating data from a recent experiment on USE, we expect the optimal $|\alpha|^2$ to be around 0.5. Due to the high losses of this early prototype we were unable to successfully resolve measurements at this $|\alpha|^2$. The second improvement is to use a protocol that does not require a multiport, to decrease loss. Non-repudiation then needs to be guaranteed in an alternative way, similar to our recently proposed alternative QDS schemes [20], which could be modified to use phase-encoded coherent states, similar to the current realization. We estimate that implementing these changes will result in a gap of $g = 1.96 \times 10^{-4}$, and length $L = 1.19 \times 10^{9}$ for a security level of 0.01%. This protocol also potentially offers increased distances between sender and receivers.
Finally, increasing the clock rate, and therefore the transmission rate, is possible. The phase modulators, VCSEL, and driving electronics are capable of clock-rates up to 3.3 GHz. In the system described in this Letter we did not employ such clock-rates due to the limitations of the time-stamping electronics [21].
In the first part of this Supplementary Material we give details of the experimental methods used. We then more formally outline the protocol for a one-bit message. For longer messages, the protocol can be iterated, and the security parameters readjusted to compensate for the repeated (but independent) use of the single bit protocol. We then describe the unambiguous state elimination (USE) measurement employed by the recipients, and discuss some crucial properties of the multiport which the security against repudiation relies on. After this we state definitions of security, state some inequalities which are used in the security analysis, and then proceed to analyze security against repudiation and forging, and the robustness of the three-party no-memory QDS protocol, realized using coherent states with four possible phases.
We conclude with a summary of the performance of the protocol, suggestions for modifications that would increase the performance of the protocol, and an estimate of the effect of these improvements.

Experimental Methods
In the experiments detailed in the main letter, the coherent states are generated by a temperature-stabilized pulsed vertical cavity surface emitting laser (VCSEL) emitting at a wavelength of 850.17 nm and attenuated to the desired mean photon number per pulse $|\alpha|^2$ using spatial interception by a knife edge connected to a computer controlled stepper motor. The uncertainty in Alice's phase encoding was primarily due to amplitude fluctuation in the electrical driving signal to the lithium niobate (LiNbO$_3$) phase modulator and corresponded to $\pm 1.6 \times 10^{-3}$ radians, or ±0.2% of the separation between the four phases used. The multiport exhibited a loss of 7.7 dB, the receiver's beamsplitter 5.1 dB and each demodulation interferometer 9.1 dB.
Photodetection is carried out by commercially available thick junction Geiger-mode silicon single-photon avalanche diodes (Si-SPADs) [23] with a mean detection efficiency of 40.5% (at a wavelength of 850 nm), dark count rate of 320 counts per second, and timing jitter of 380 ps, and time stamping electronics that could record photon arrival times at time intervals of 1 ps, but exhibited 12 ps independent timing jitter [21]. Although using an emission wavelength near 1300 µm or 1550 µm would permit compatibility with standard telecommunications optical fiber, detector technologies for these wavelengths [24] are not as advanced as those at visible and shorter near infra-red wavelengths, and suffer from higher dark count and afterpulsing rates [25] which would increase error rates.
Although the dark count-rate of the detectors is relatively small and the possibility of intersymbol interference low, we time-gate the raw detector events using a window of duration ±1 ns centered on the expected photon arrival time to temporally filter spurious counts from the recorded events. At a delay of 10 ns after the detection peak the probability of a photo-generated count was $2 \times 10^{-6}$ [16]. The time-gated count rate is approximately 91% of the raw count rate.
Phase is a relative measurement and a reference for zero phase must be provided in some manner. In our system we employ a technique frequently employed in quantum key distribution systems which use phase-encoded states [13]. An asymmetric unbalanced Mach-Zehnder interferometer is used to provide a time-delayed reference pulse with zero phase, which propagates through the same fiber as the phase-modulated "signal". The phase reference pulse is delayed by 5 ns relative to the signature state pulse at Alice, and the delay is canceled in each receiver. The phase reference and signature state pulses have orthogonal polarizations and therefore can be correctly routed by the receivers using a polarization beamsplitter (PBS) [13]. All fiber components are constructed from polarization-maintaining "panda eye" fiber [26] with a core diameter of 4.4 µm. Polarization routing increases the time-gated detector count-rate of our system from 43% of the raw count-rate as observed using a 50:50 beamsplitter to 91% of the raw count-rate when using a PBS. We comment further on establishing a common phase reference below in Section IV, in connection with the theoretical description of the USE measurement.
Changes in temperature or mechanically induced stress will result in changes in the relative path-lengths of the interferometers in the system. These changes in path-length lead to changes in the visibility and, typically, to increased errors. The recipients employ variable delay air-gaps consisting of a fixed collimating launch lens and a collection lens connected to a piezo-electric computer-controlled linear actuator to maximize the fringe visibility in the multiport and the demodulation interferometers [16,19]. The piezo-electric linear actuators had a step size of approximately 15 nm and a maximum travel of approximately 1.5 µm. An adjustable position knife edge was placed in the collimated beam in each air-gap to match the loss in each optical path. A mutually known tuning signal is used to establish maximum fringe visibility prior to signature transmission.
For this demonstration a shared 10 MHz Rb clock was used to provide a reference for both sender and receivers, but it is possible to use separate clocks with connections to the signals broadcast by the global positioning system (GPS) satellites to maintain a shared time reference [27].
For every element of each quantum signature (for k = 0, 1), they store which detectors detected photons; each detector rules out one possible phase state. They therefore store sets of six numbers (hexaplets) of the form {k, Here $a_\phi = 0$ means that no photons were detected at the $\neg\phi$ detector (that is, the phase $\phi$ is not ruled out), while $a_\phi = 1$ means that there was at least one photon detected at the $\neg\phi$ detector (that is, the phase $\phi$ is ruled out for this element). Note that by $\neg\phi$ detector we symbolize the "not $\phi$" detector.

Messaging stage
1. To send a signed one-bit message m, Alice sends $(m, PrivKey_m)$ to the desired recipient (say Bob).
2. Bob checks whether $(m, PrivKey_m)$ matches his stored sequence. In particular, he counts the number of elements of $PrivKey_m$ which disagree with his stored hexaplets. Therefore, for a given element l of the signature, if Alice's declaration was $\phi$, Bob needs to check if $a_\phi$ is 0 or 1. If $a_\phi = 1$, he registers one mismatch. In other words, a mismatch is registered whenever Alice's declaration for a given element has been eliminated by Bob's USE measurement. Bob checks whether the number of mismatches is below $s_a L$, where $s_a$ is an authentication threshold.
3. Provided the authentication threshold was not breached, before accepting the message, Bob checks that he has no reason to abort the protocol. If the number of signature elements for which non-zero null-port counts are registered is higher than a threshold $rL$ for some $0 \le r < 1$ he aborts. If the authentication threshold was not breached, and the protocol has not been aborted, Bob accepts the message coming from Alice.
4. To forward the message to Charlie, Bob forwards to Charlie the pair $(m, PrivKey_m)$ he received from Alice. Charlie tests for mismatches similarly to Bob, but to protect against repudiation by Alice, he uses a different threshold. Charlie checks if the number of mismatches is below $s_v L$ where $s_v$ is the verification threshold, with $0 \le s_a < s_v < 1$.
5. For Charlie to accept the forwarded message, provided the verification threshold was not breached, he confirms that he has no reason to abort the protocol by checking the null-port counts in the same way as Bob.
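The five steps above, as an added example that is not part of the paper: a toy simulation of Bob's acceptance test, Charlie's verification test and the null-port abort. The signature length, thresholds, elimination probabilities, null-port counts and the simplified forging strategy are all constructed for illustration and are far from the experimental values; the per-element record layout (one elimination flag per phase) is an assumption.

```python
import random

N_PHASES = 4   # index k stands for the phase k*pi/2
L = 2000       # constructed signature length (the experiment needs far more)
S_A, S_V, R = 0.05, 0.10, 0.05   # constructed thresholds, 0 <= s_a < s_v < 1


def use_records(private_key, rng, p_wrong=0.30, p_sent=0.02):
    """Constructed stand-in for a recipient's stored USE outcomes.

    One tuple (a_0, a_1, a_2, a_3) per signature element; a_k = 1 means
    phase k was eliminated. p_wrong is the chance that a phase that was not
    sent is eliminated (taken equal for all three for simplicity); p_sent
    is the chance that the sent phase is wrongly eliminated.
    """
    return [
        tuple(int(rng.random() < (p_sent if k == sent else p_wrong))
              for k in range(N_PHASES))
        for sent in private_key
    ]


def count_mismatches(declared, records):
    """A mismatch is a declared phase that the recipient has eliminated."""
    return sum(elims[phase] for phase, elims in zip(declared, records))


def check(declared, records, threshold, null_port_elements, r=R):
    """Steps 2-3 (Bob, threshold s_a) or steps 4-5 (Charlie, threshold s_v).

    null_port_elements: number of signature elements with non-zero
    null-port counts. Returns "accept", "reject" or "abort".
    """
    n = len(records)
    if len(declared) != n or count_mismatches(declared, records) >= threshold * n:
        return "reject"
    if null_port_elements > r * n:
        return "abort"
    return "accept"


def forged_declaration(own_records, rng):
    """Simplified dishonest recipient: declares, per element, a random phase
    that his own measurement did not eliminate (not an optimal measurement)."""
    guess = []
    for elims in own_records:
        candidates = [k for k in range(N_PHASES) if not elims[k]]
        guess.append(rng.choice(candidates or list(range(N_PHASES))))
    return guess


def run_demo(seed=1):
    rng = random.Random(seed)
    key = [rng.randrange(N_PHASES) for _ in range(L)]   # Alice's PrivKey_m
    bob = use_records(key, rng)
    charlie = use_records(key, rng)   # same statistics after the multiport
    forged = forged_declaration(bob, rng)
    return {
        "bob_accepts_alice": check(key, bob, S_A, null_port_elements=6),
        "charlie_verifies_forward": check(key, charlie, S_V, null_port_elements=6),
        "charlie_on_forgery": check(forged, charlie, S_V, null_port_elements=6),
        "bob_null_port_abort": check(key, bob, S_A, null_port_elements=300),
        "honest_mismatch_fraction": count_mismatches(key, charlie) / L,
        "forged_mismatch_fraction": count_mismatches(forged, charlie) / L,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

With these constructed probabilities the honest mismatch fraction stays near 0.02 while the forged declaration produces roughly 0.2, so both thresholds separate the two cases with a wide margin.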

The USE measurement
In quantum communication it is important to be able to distinguish different signal states from each other. Signal states may be non-orthogonal, either on purpose, for example in protocols for quantum key distribution, or because of unavoidable noise. Quantum measurements aiming to distinguish between quantum states can be optimized in different ways, for example by minimizing the probability to select the wrong state (minimum-error measurement), by minimizing the average cost of selecting a measurement result (minimum-cost measurement), by maximizing the classical information in the result about what state was sent (maximum mutual information measurement) or by requiring that an obtained result is always correct, but the measurement is allowed to sometimes give an inconclusive answer. The last type of measurement is known as unambiguous state discrimination (USD). In all cases, these measurements aim to determine what state was sent, and are therefore called "quantum state discrimination" measurements.
One can also instead consider "quantum state elimination" or "quantum state exclusion", which in a sense is a generalization of state discrimination [5,6,29]. The difference is that one no longer aims to identify which state was sent, but instead which state(s) were not sent, i.e. to rule out or eliminate one or more of the possible states. If one eliminates $N - 1$ states, this is the same as identifying the state that was sent, and it is in this sense that state discrimination is a special case of state elimination. Just as for quantum state discrimination, one can for example aim for minimum-error state elimination, minimum-cost state elimination or unambiguous state elimination (USE). In [29], Caves et al. discussed the compatibility of quantum-state assignments, and this can be seen as quantum state elimination.
The case of excluding one of three states was also explicitly given. In [5], Barnett discussed unambiguous quantum state elimination of a single state out of many possible ones, and was the first to use the term. More recently, this type of measurement was termed "quantum state exclusion" in [6].
In our protocol, Bob and Charlie perform unambiguous quantum state elimination. The advantage of using unambiguous measurements is that whenever Bob or Charlie obtains a result other than an inconclusive result, they can be certain that this result is correct (in the ideal case). Bob does not know for which of the elements of the signature Charlie has obtained unambiguous outcomes (or what the outcomes are). In order to forge, he needs to make a guess for all the elements of the signature. Bob's best forging strategy will therefore be some type of minimum-cost state discrimination measurement.
The advantage of using state elimination instead of state discrimination is that the success probability for eliminating fewer than $N - 1$ out of $N$ states can be (much) higher than the success probability of full USD, especially when considering experimental imperfections. Also, even if one aims to perform a full USD measurement, when it fails to unambiguously identify the state it may sometimes still rule out some of the states. This is the case for the best known linear optical realization of a USD measurement among symmetric coherent states, suggested by [30] and realized for four coherent states in [14]. For an application such as quantum digital signatures, it is advantageous for Bob and Charlie to use all available information of what states have been ruled out. This is what led us to employ a USE rather than USD measurement in our realization of the QDS protocol.
[Figure caption, part (a), fragment: The relative difference in length between the signal and reference paths is chosen to be equal to that introduced by Alice during state preparation, so that the two pulses arrive at the final beamsplitters (labelled 2 and 3) at the same time and experience interference [31]. Part (b): The setup for unambiguous state elimination for four coherent states, using the same beam splitter labels as in part (a). For clarity, this and other subsequent figures in the Supplementary Material are drawn indicating free-space optics with beam splitter cubes and mirrors, whereas our experiment uses optical fiber as shown in Figure 1 of the main paper and part (a) of this figure. The beam is first directed onto the 50:50 beam splitter 1. One of the resulting beams is interfered with a reference beam in the state $|\alpha/\sqrt{2}\rangle$ using beam splitter 2, and the other one is interfered with a reference beam in the state $|i\alpha/\sqrt{2}\rangle$ using beam splitter 3. The reference beam is obtained from the reference pulse that Alice sends, as can be seen in part (a) of this figure. The four output states correspond to the four elimination outcomes.]
In the current QDS protocol, Alice chooses from four coherent states $\{|\alpha\rangle, |i\alpha\rangle, |-\alpha\rangle, |-i\alpha\rangle\}$. The USE measurement results in eliminating one, two or three possible states (unambiguous or conclusive result) or none at all (ambiguous or inconclusive result). For each signature element, Bob directs the beam received from Alice onto a 50/50 beam splitter, and Charlie does the same. One of the resulting beams is interfered on another 50/50 beam splitter with a reference beam in the state $|\alpha/\sqrt{2}\rangle$, and the other one is interfered with a reference beam in the state $|i\alpha/\sqrt{2}\rangle$, as shown in Figure 3. Note that the reference beam is obtained from a reference pulse sent by Alice, in order to ensure that the outgoing states are as expected on recombination at beam splitters 2 and 3 (see below). Here we assume that the reference pulse is not tampered with. However, it is worth noting that intuitively one cannot obtain further repudiation and forging possibilities through tampering with the reference pulse. Repudiation is guaranteed by the symmetrization of the states due to the multiport, and this does not depend on the timing of the reference pulse. As far as forging is concerned, tampering with the reference pulse cannot help Bob to obtain further information about the signature, and since the original phase sent by Alice is unknown to him, he cannot use the reference pulse to steer the outcome of Charlie's USE measurement towards his declaration either. In principle, the correct phase reference states for the USE measurement could also be obtained without a reference pulse sent from Alice to Bob and Charlie. If the parties instead have synchronized clocks, then Bob and Charlie could themselves prepare the required USE reference states.
Given the above considerations, we can now see that the resulting output state, assuming that the incident state was |β , and assuming no losses, is  To summarize, any detector clicking rules out one possible state.If three detectors click we have fully and unambiguously (in the ideal case) determined which state Alice sent.In other cases, Bob or Charlie may only have eliminated some of the possible states.For every signature element, Bob and Charlie register which detectors (if any) click.In the messaging phase, when Alice (or a forger) declares what a particular signature element state was, Bob and Charlie check if this state was ruled out by their elimination measurement.If it was, they register a mismatch.Losses in the setup will not affect the conclusive nature of the outcomes, only the success probability.Dark counts and other imperfections, on the other hand, may lead to errors in conclusive outcomes.This will be discussed later in connection with experimental results.
We should also note that the USE measurement described above may not be the optimum USE measurement.Exploring the properties of optimal USE measurements is an interesting problem.Nevertheless, the great advantage is that the realization we have described requires only linear optics and commercially available photodetectors.
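The elimination measurement and the mismatch check described above can be reproduced numerically; the following Python sketch is an added example, not code from the paper. It computes the four detector amplitudes for an incident coherent state and counts mismatches for Alice's true declaration and for a uniformly random declaration (a naive guesser, not the optimal forger). The beam-splitter sign convention, the ideal on/off detector model without dark counts, the efficiency parameter `eta` and all function names are assumptions.

```python
import math
import random

# Phase factors b in {1, i, -1, -i}; index k labels the state |i^k alpha>.
PHASES = (1, 1j, -1, -1j)


def use_output_amplitudes(beta, alpha):
    """Coherent amplitudes at the four detectors D(not theta_k) for input |beta>.

    Assumed 50/50 convention: outputs (a + b)/sqrt(2) and (a - b)/sqrt(2).
    Detector k carries (beta - i^k alpha)/2, so it stays dark when
    beta = i^k alpha and a click on it rules that state out.
    """
    s = math.sqrt(2)
    arm = beta / s            # each output of beam splitter 1 (vacuum on the other input)
    ref2 = alpha / s          # reference |alpha/sqrt(2)> entering beam splitter 2
    ref3 = 1j * alpha / s     # reference |i alpha/sqrt(2)> entering beam splitter 3
    return [
        (arm - ref2) / s,     # k=0: a click rules out |alpha>
        (arm - ref3) / s,     # k=1: a click rules out |i alpha>
        (arm + ref2) / s,     # k=2: a click rules out |-alpha>
        (arm + ref3) / s,     # k=3: a click rules out |-i alpha>
    ]


def click_probabilities(beta, alpha, eta=1.0):
    """Click probability per detector for an ideal on/off detector.

    eta (assumed parameter) lumps transmission and detection efficiency.
    Loss lowers every click probability but leaves the dark detector dark.
    """
    return [1.0 - math.exp(-eta * abs(a) ** 2)
            for a in use_output_amplitudes(beta, alpha)]


def measure(sent_k, alpha, rng, eta=1.0):
    """One USE measurement: the set of phase indices that were eliminated."""
    probs = click_probabilities(PHASES[sent_k] * alpha, alpha, eta)
    return {k for k, p in enumerate(probs) if rng.random() < p}


def count_mismatches(declaration, eliminated):
    """Number of positions where the declared phase had been ruled out."""
    return sum(1 for d, e in zip(declaration, eliminated) if d in e)


def simulate(L=2000, alpha=1.0, eta=1.0, seed=1):
    """Return (mismatches for the true private key, mismatches for random guesses)."""
    rng = random.Random(seed)
    priv_key = [rng.randrange(4) for _ in range(L)]       # Alice's phases
    eliminated = [measure(k, alpha, rng, eta) for k in priv_key]
    guess = [rng.randrange(4) for _ in range(L)]          # naive declaration
    return count_mismatches(priv_key, eliminated), count_mismatches(guess, eliminated)


if __name__ == "__main__":
    print("click probabilities, |alpha> sent:", click_probabilities(1.0, 1.0))
    print("mismatches (true key, random guess):", simulate())
```

In this ideal model the true declaration never produces a mismatch, with or without loss, which is why dark counts and other imperfections are what set the honest mismatch rate in the experiment.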

The multiport
The multiport is a passive linear optical device with four input modes and four output modes, comprising four 50/50 beamsplitters. Two of the input modes always contain the vacuum state. The beam splitters act on the field operators according to

The multiport and the input-output relations for coherent state inputs are illustrated in Figure 4. The top two beam splitters are held by Bob and the lower two by Charlie. Since two of the four input modes of the multiport are always set to the vacuum state by Bob and Charlie, we will refer to the remaining two modes as the input modes of the multiport. For an input state where two of the input modes are in the vacuum state while the other two are coherent states $\alpha$ and $\beta$, the multiport acts according to

Alice controls the (non-vacuum) input states of Bob and Charlie. As proven in detail in [28], it follows that the reduced state in Bob's signal port and the reduced state in Charlie's signal port are identical, for each individual signature element, even if the initial state sent by Alice was a general, possibly entangled state. That is, the reduced states for each signature element. This holds even if Alice employs any type of entanglement, such as entanglement between different signature elements, entanglement between Bob's and Charlie's states, or entanglement with some other state which could be retained by Alice. One can further prove a somewhat stronger property, that the resulting state for Bob and Charlie, for one signature element position, is symmetric under swap of Bob's and Charlie's subsystems.
The multiport we consider here has two recipients, but it can also be generalized to many recipients [2].

Definitions of security
The presented Quantum Digital Signature protocol is designed to be immune to two types of malicious activities: forging and repudiation. Immunity to forging means that any receiving party will with high probability reject any message which was not sent by Alice herself. Immunity to repudiation guarantees that if Bob accepts a message from Alice, then with high probability the same message will pass verification with Charlie as well. That is, Alice cannot make Bob and Charlie disagree on the validity (and consequently the content) of her message. More formally we have the following:
• We say that a protocol realizing QDS is secure against forging if the probability of a recipient successfully producing, without receiving it from Alice, a private key for a message m, which will pass verification by the other recipients, is decaying exponentially quickly as a function of the quantum signature length L.
• We say that a protocol realizing QDS is secure against repudiation if, for any malicious activity by Alice, the probability of a message failing verification with one recipient once it has already passed authentication with another recipient is decaying exponentially quickly as a function of the quantum signature length L.
• We say that a protocol realizing QDS is robust if, when all parties are honest, a message will be authenticated and verified except with a probability decaying exponentially quickly as a function of the quantum signature length L.
We will examine one isolated run of the protocol. A more general treatment, such as analysis of composable security, we leave for future work.
Defining the level of security for a QDS scheme is complicated. Unlike for QKD, it is not fixed which participants are honest and which are malevolent. In other words, some choices of parameters may lead to a certain level of guaranteed security against forging and a different level for security against repudiation. However, one can choose $s_a$ and $s_v$ such that the resulting probabilities for any undesirable event (repudiation, forging or honest rejection) are equal. In this case, we will call the probability for an undesirable event the security level of the QDS scheme. In the last section, we will comment further on this, and on the resulting rate and length $L$ required to sign a half-bit message for a given security level.
Both for repudiation and for forging one can distinguish different types of malicious attacks. In individual attacks, the cheating party employs a strategy separately and independently for each signature element. In collective attacks, there may be classical correlations between strategies for different signature elements. These attacks can also be called separable. Coherent attacks are the most general type; here a cheating party can employ any type of correlations, including entanglement and measurements in an entangled basis. For forging, we can additionally distinguish between passive and active attacks, depending on whether a forger acts maliciously only during the messaging stage, or also during the distribution stage. Security is proven for all types of repudiation attacks, and all types of forging except coherent forging attacks. We will treat individual repudiation and forging in more detail. The analysis for other types of attacks follows the treatment in [28], and we will only point out the differences. Intuitively, the protocol is secure also against coherent forging, but a full analysis of this remains an important task and is the subject of ongoing work.

Hoeffding's inequalities
In the security analysis, we will use the following forms of Hoeffding's inequalities [32].
Lemma 1. Let $X_1, \dots, X_L$ be independent random variables, each attaining values 0 or 1. Let $X = \frac{1}{L}\sum_i X_i$ be the empirical mean of the variables, and let $E(X)$ be the expected value of $X$. Then for all $t \ge 0$ we have

Security against repudiation - cheating Alice
In a repudiation event, Alice manipulates the quantum signature states which are sent in the distribution stage, in such a way that during the messaging stage, the same declaration will be confirmed by one party (checking against the threshold $s_a$) but rejected when forwarded to another party (who checks against the threshold $s_v$). Repudiation is successful if (say) Bob authenticates (BA), Charlie rejects (CR) and there is no abort (NA). To bound this probability, we can consider the minimum of the following two probabilities, Bob authenticating, and Charlie rejecting to verify, i.e.
There are two things to note to understand intuitively why such a bound would be useful. First, we should note that due to the symmetry of the multiport, $P(BA)$ and $P(CR)$ are not independent. Second, we should note that the threshold for Bob authenticating is lower than that of Charlie verifying.
Here we will consider individual strategies by Alice. General separable strategies and general coherent strategies follow by reduction to individual strategies as in [28]. Therefore the best general strategy for Alice is given by individual attacks.

a. Security against individual repudiation
In this type of attack Alice sends quantum signatures, possibly different, to Bob and Charlie. Each pair of Bob's and Charlie's corresponding quantum signature elements is not correlated with other pairs (classically or through entanglement), but the pairs are not necessarily identical, pair to pair. That is, the global state of the quantum signature is in a factorized form, with respect to the partition in different signature element pairs. There may be entanglement within each Bob-Charlie signature element pair. Because Bob and Charlie pass their quantum signatures through the multiport, the outbound quantum signature element at the signal ports of Bob and Charlie is always symmetric under swap of Bob and Charlie. That is, the quantum signatures Bob and Charlie collect at their multiport signal ports are such that the reduced density matrix for each element of the signature of Bob is the same as Charlie's.
For each signature element, Alice's declaration agrees with Bob's (Charlie's) measured eliminations with probability $p^i_1$ if the declaration is not eliminated, and disagrees with probability $p^i_{-1}$ if it is eliminated (mismatch). Those probabilities, provided the multiport has been appropriately adjusted and calibrated, are identical for Bob and Charlie. We can define the average probabilities $p_j = \frac{1}{L}\sum_i p^i_j$, with $j \in \{1, -1\}$. Furthermore, we define as $X_{-1}$ the empirical (observed) percentage of mismatches over the total number ($L$) of elements of the signature.
It is easy to see that Bob authenticating means that $X_{-1} \le s_a$, which using Eq. (A6) leads to

provided that $p_{-1} \ge s_a + \epsilon'$. Note that $\epsilon'$ is an arbitrarily small positive number. We note that if this is satisfied, the probability decays exponentially. Charlie failing to verify means that $X_{-1} \ge s_v$, which using Eq. (A5) leads to

provided that $p_{-1} \le s_v - \epsilon'$. Alice's only freedom, in her attempt to repudiate, is to choose different $p^i_j$'s. In reality, Alice does not have full freedom for these choices (as the POVM elements of Bob and Charlie's measurements do not have orthogonal supports), but since we are looking for a bound, we may assume a worst-case setting and assume that she does have full freedom. Noting that $p_{-1} + p_1 = 1$, Alice can only choose the value of $p_{-1}$ that is optimal for repudiation. Therefore, provided that we choose

the probability for repudiation decays exponentially for all choices of $p_{-1}$. From Eq. (A8), we can see that Alice's best strategy to achieve repudiation is to choose $p_{-1}$ in such a way that the minimum of BA and CR is the greatest. From Eqs. (A9-A10) we get that the optimum value is $p_{-1} = (s_v + s_a)/2$. This gives the following bound for repudiation under individual attacks,

It is interesting to note that there is an optimal value of $p_{-1}$ from Alice's point of view, and that her repudiation probability depends on this. Therefore, for the given bound we consider, it is no better for her to choose different values for different $p^i_{-1}$, and thus a strategy where Alice sends identical states for each signature element is at least as effective as a full individual strategy for Alice.

Security against forging
As also noted in the main text, forging is defined as when a cheating party (say, Bob) convinces an honest party (Charlie) that Alice had sent a classical message $k$, when Alice has sent no message or another message. To do so, the malevolent party needs to guess Alice's declaration. Throughout this section, when we mention declaration, and matching and mismatching with the declaration, this is the "fake" declaration of Bob, which is made after Bob uses all his resources to make the best possible guess. Note also that security against forging as defined also ensures security against message tampering.
At the end of the distribution stage Bob/Charlie makes a USE measurement. The outcome of the measurement is that they rule out one or more of the possible phases. These outcomes should give a guaranteed minimum advantage to anyone who declares the actual phase sent, against anyone who declares some other phase. If this is the case, then there are choices of $s_a$, $s_v$ and $L$ that would make the protocol secure, as we will see below.
There are two different characterizations of forging attacks. The first concerns whether or not the malevolent party was dishonest from the beginning or only during the messaging stage. Passive forging is where Bob is honest during the distribution stage and simply attempts to guess the signature using his own copy, in such a way that his declaration gets accepted by Charlie. Active forging is where Bob is dishonest also during the distribution stage, where he attempts to modify Charlie's quantum signature so that it helps him subsequently during the messaging stage to make Charlie agree with his own declaration. Here we will first examine passive forging in greater detail, and then argue that active forging can be reduced to modified passive forging attacks by placing a limit on the multiport null-port counts during the distribution stage.
The second characterization concerns the type of measurements and actions that the malevolent party can do, similarly to repudiation. There are three types of attacks: (1) individual attacks, where Bob is restricted to individually measuring the elements of his signature and also to tampering with the response states individually, (2) collective attacks, where Bob is allowed to include classical correlations between the measurements and response states for different signature elements, and (3) coherent attacks, where Bob is allowed to make any possible joint measurement and also send any possible entangled state to Charlie. In this paper, we will only examine the first two types of attacks and leave coherent forging strategies for future work.
From Eq. (A11) it is clear that it is easier to attempt to forge a message in the verification stage rather than in the authentication stage. In other words, it is easier to convince Charlie that Bob forwards the message received from Alice, than for Charlie to convince Bob that he directly sends the message (pretending to be Alice).
We have defined as successful forging the scenario where Charlie verifies the fake message sent by Bob and there was no abort. Abort occurs only when the null-port of the multiport registers more than $rL$ detections. When Alice is honest, abort may thus occur only if Bob attempts to tamper with the signature at the distribution stage, that is, for active forging.

a. Security against passive individual and collective forging
In passive attacks Bob does not interfere during the distribution of the signatures, and therefore Charlie obtains as quantum signatures what Alice, who is honest, sends. Bob's strategies comprise all the possible measurements he could perform on his copy of the quantum signature, resulting in a declaration for each signature element. Bob aims to minimize the probability that his declarations will lead to a rejection, when compared with the eliminations that Charlie has obtained from his USE measurements. Bob knows what measurement Charlie, who is honest, will make on the signature Charlie receives from Alice. In particular, Bob knows what Charlie's measurement statistics are, in what ways Charlie's measurement may be imperfect, and also what Charlie's verification threshold is, and Bob can adjust his measurement accordingly. Bob's optimal strategy will be a measurement which maximizes the probability of Charlie accepting Bob's declaration as a whole. Recall, Charlie accepts if the number of incorrectly declared phases is below a certain number, determined by the verification threshold. The optimal measurement for this problem is a so-called minimum cost measurement [33]. In particular, any declaration of Bob, as a whole, for all signature elements, has a cost equal to the probability that Charlie will reject this declaration. This means that Bob's goal is not in general to minimize the probability of a mismatch for each individual element. Bob's goal is instead to meet the verification threshold. To take a simple example, suppose that there are two signature elements, and that Charlie will accept the message if there is at most one mismatch. Bob should then concentrate on avoiding two mismatches, and declarations with zero and one mismatches both carry no cost.
If Bob is limited to collective forging strategies, then it is in Bob's favor to minimize the probability of a mismatch for each individual element, as we will now argue. That is, it is optimal to make independent minimum-cost measurements for each signature element. Collective strategies would allow Bob to change the measurement he makes on subsequent signature elements, conditioned on the outcomes he obtained for previous elements. There is however no correlation between the phases of different signature elements, as Alice chooses these independently of each other. Charlie's eliminations also occur independently for each element of the signature. As long as Bob is not allowed to make a measurement in an entangled basis, any knowledge of the phase of one element does not alter his chances of guessing another element correctly, and does not alter what measurement he should make on this signature element. Therefore his best strategy is to make a minimum-cost measurement for each individual signature element. In other words, Bob cannot benefit from classical correlations between his measurements for different signature elements. Therefore, provided that one restricts attention to collective attacks, Bob's best strategy is to make a minimum-cost measurement for each signature element. We proceed to bound the probability of success for this type of individual forging attack. We will prove that the forging probability is less than the minimum-error probability multiplied by the guaranteed advantage that an honest participant has.
For a given individual signature element, we define the cost matrix as a matrix where the rows correspond to which state Alice sent ($|\exp(i\theta)\alpha\rangle$), while the columns correspond to the detectors $D(\neg\theta)$. Each matrix element $C_{i,j}$ can be taken equal to the probability that if the $i$'th state is sent, then Charlie's $j$'th detector clicks. This is because Bob should avoid declaring a phase that Charlie has eliminated. His cost for making a particular declaration will therefore be proportional to the probability that Charlie has ruled out this state. As we have mentioned earlier, in the ideal case, Charlie should never rule out the phase that Alice sends, and thus in the ideal case, Bob's cost matrix would have zeroes on the diagonal. However, due to losses and noise (mainly due to the multiport), we do have the following actual experimental cost matrix, for the case where

(A13)

In the experiment, we considered several different values for $|\alpha|^2$ ranging from $|\alpha|^2 = 1$ to 11. We chose to give the cost matrix for $|\alpha|^2 = 1$ since, using the bounds we have, this gives the best performance (requires a smaller length $L$ for given security level) among the tested values of $\alpha$. The minimum guaranteed advantage is the smallest difference between a diagonal element and an off-diagonal element in the same row. The reason for this will become apparent soon. For our case the minimum advantage is $1.30 \times 10^{-5}$, as is seen from the fourth row. In the general case, one has to assume that Bob has full knowledge of Charlie's actual measurement statistics, and thus this type of cost matrix should be used in a security analysis of an actual realization. We recall that $X_{-1}$ is the empirically observed percentage of mismatches. Bob succeeds in forging if Charlie, after receiving Bob's (fake) declaration, finds fewer than $s_v L$ mismatches ($X_{-1} \le s_v$), and thus verifies. Consequently, Bob tries to guess the correct signature by making a minimum-cost measurement for each signature element, i.e. the measurement that, given the cost matrix in Eq. (A13), minimizes the overall cost given by

Here $\eta_i = 1/4$ is the prior probability of each state (Alice sends each of the four phases with equal probability), and $\Pi_i$ are the elements of Bob's measurement, a probability operator measure (POM), also called a positive operator-valued measure (POVM). The minimum cost $C_{\min}$ is the minimum possible probability that Bob's declaration for a single signature element has been eliminated by Charlie. We will give a bound for this cost, for our actual experimental realization, below. For now, we note that for each signature element we have a binary random variable that takes value "1" (match) or "−1" (mismatch), and $C_{\min}$ is the expected probability for a mismatch. Since we assume that each of the elements is measured separately, the random variables are independent and the Hoeffding inequalities hold. Using Eq. (A6) the probability of forging (which occurs if the observed mismatches are fewer than the threshold, $X_{-1} L \le s_v L$) is bounded as

provided that we choose $s_v$ such that $C_{\min} \ge s_v$. If this holds, we see that the forging probability decays exponentially in the signature length $L$.
Before proceeding to derive a bound on the possible $C_{\min}$ that Bob can achieve, we should point out that it is crucial that there is a gap between the minimum probability of a forger to have his declaration eliminated, $C_{\min}$, and the probability $p_h$ of the correct declaration being eliminated if all parties are honest. Defining this gap as $g = C_{\min} - p_h$, the choices of $s_a$ and $s_v$ for a robust and secure protocol should be within this gap (we elaborate more on parameter choices at the end).
We proceed to bounding the minimum cost of the measurement that a malevolent Bob performs. Methods for bounding the minimum cost and properties of the minimum-cost measurements that are used here can be found in [17]. Since we are trying to find a bound on the forging probability, we assume the best case scenario for Bob, and therefore we are looking for a lower bound on the minimum cost. We will use three properties of minimum-cost measurements. To start with, the minimum cost for a given cost matrix $C_{i,j}$ can always be bounded by the cost of any other strictly smaller cost matrix, $C'_{ij} \le C_{ij}$ for all $i, j$. Secondly, define a constant-row matrix as a matrix of the form

(A16)

If we add or subtract such a constant-row matrix from any given cost matrix, then the measurement that minimizes the cost for the new cost matrix does not change, while the minimum cost simply shifts by a constant [17]. It is easy to see that the average cost for any measurement, not just an optimal one, shifts by $\sum_i \eta_i d_i$. Intuitively, for a constant-row cost matrix, no matter what measurement one makes, the costs of all outcomes (i.e. the matrix elements in a given row) are equal. The cost does not depend on what outcome is obtained, but only on which state Alice sends, which in its turn depends on the prior probabilities $\eta_i$. The third property that we will use is the fact that the minimum-cost measurement for a cost matrix of error-type, for the case of symmetric pure states, is the square root measurement (SRM). A cost matrix is of error-type if all the diagonal elements are zero, and all the off-diagonal elements are positive and equal to each other. We call this error-type, because for such a cost matrix, guessing correctly has no cost (the diagonal elements), while any mistake carries an equal cost (the off-diagonal elements). The cost matrix for a minimum-error measurement, which results in the minimum probability of error $p_{\min}$, is of error-type, with off-diagonal elements having cost 1. This means that the minimum cost of any error-type cost matrix is proportional to the minimum-error probability $p_{\min}$.
To bound $C_{\min}$ for the cost matrix in Eq. (A13), we first define $C^h_{i,j} = C_{i,i}$, a constant-row matrix for which all elements in every row are equal to the diagonal elements of the matrix $C_{i,j}$. Then we define a cost matrix $C'_{i,j} = C_{i,j} - C^h_{i,j}$, which has the same minimum-cost measurement as $C_{i,j}$, but with the minimum cost shifted by $C^h = \frac{1}{4}\sum_i C_{i,i}$. Finally we define another cost matrix $C^l_{i,j}$ which is strictly smaller than $C'_{i,j}$, that is $C'_{i,j} \ge C^l_{i,j}$ for all $i, j$, such that $C^l_{i,j} = \min_{i \ne j} C'_{i,j}$ for $i \ne j$, and with zeroes on the diagonal. This final cost matrix $C^l_{i,j}$ is of error-type, and the corresponding minimum-cost measurement is therefore the SRM and the minimum cost is proportional to $p_{\min}$. In our case, denoting the relevant minimum costs with $C^h$ and $C^l_{\min}$, we have

and also $C^h = p_h = 4.18 \times 10^{-5}$. This is the cost for the honest scenario, in other words, the probability that Charlie has eliminated the state that Alice actually sent, so that there would be a mismatch even if all parties including Bob are honest, and Bob simply forwards Alice's correct declaration. From the matrix $C^l$ we can see that the bound on the advantage of a correct declaration compared to a wrong declaration, i.e. the guaranteed advantage, is $\mathrm{guad} = 1.30 \times 10^{-5}$. The bound on the gap is then given by

$g \ge C^l_{\min} = p_{\min} \times \mathrm{guad}$ (A21)

We compute $p_{\min}$ using the SRM [17], which for $\alpha^2 = 1$ gives $p_{\min} = 0.092$. We obtain $C^l_{\min} = 1.20 \times 10^{-6}$, which provides a bound on the gap $g$. To confirm that the bound on the minimum cost we obtained is relatively tight, we can obtain an upper bound for the minimum cost, along similar lines as the lower bound, which gives $C^u_{\min} = 2.19 \times 10^{-5}$. We therefore obtain

For active individual and collective forging attacks, the security analysis follows the treatment in [28]. We will discuss and give the expressions for attacks where Bob behaves independently and identically for each quantum signature element (IID forging attacks). However, independent, non-identically distributed strategies (INID attacks), and also collective forging strategies, reduce to, and are not more powerful than, IID forging strategies. Here we refer the reader to [28].
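The lower bound on the gap from the passive-forging analysis can be recomputed from its two ingredients; the Python sketch below is an added example, not code from the paper. It evaluates $p_{\min}$ for four symmetric coherent states through the eigenvalues of their Gram matrix (the SRM success probability for symmetric states with equal priors) and applies the constant-row and error-type reduction to a cost matrix. The function names are assumptions, and `CONSTRUCTED_COST` is a made-up matrix used only to exercise the reduction; it is not the experimental matrix of Eq. (A13).

```python
import cmath
import math


def srm_min_error(alpha_sq, n=4):
    """Minimum-error probability p_min for the n symmetric coherent states
    |alpha e^{2 pi i k/n}>, equal priors, using the square-root measurement."""
    # First row of the circulant Gram matrix: <alpha | alpha e^{i theta_m}>
    # = exp(-|alpha|^2 (1 - e^{i theta_m})).
    row = [cmath.exp(-alpha_sq * (1 - cmath.exp(2j * math.pi * m / n)))
           for m in range(n)]
    # A circulant matrix is diagonalised by the DFT of its first row.
    # The Gram matrix is Hermitian, so the eigenvalues are real and >= 0.
    eigenvalues = []
    for k in range(n):
        lam = sum(row[m] * cmath.exp(-2j * math.pi * k * m / n) for m in range(n))
        eigenvalues.append(max(lam.real, 0.0))
    # SRM success probability for symmetric states: ((1/n) sum_k sqrt(lambda_k))^2
    p_correct = (sum(math.sqrt(lam) for lam in eigenvalues) / n) ** 2
    return 1.0 - p_correct


def forging_gap_bound(cost, p_min):
    """Apply the three-step reduction to a cost matrix C[i][j].

    Returns (C_h, guad, C_l_min):
      C_h      honest mismatch probability, the mean of the diagonal (priors 1/n)
      guad     guaranteed advantage, the smallest off-diagonal entry of C' = C - C_h
      C_l_min  p_min * guad, a lower bound on the gap g = C_min - p_h
    """
    n = len(cost)
    c_h = sum(cost[i][i] for i in range(n)) / n
    # Subtract the constant-row matrix built from the diagonal.
    shifted = [[cost[i][j] - cost[i][i] for j in range(n)] for i in range(n)]
    guad = min(shifted[i][j] for i in range(n) for j in range(n) if i != j)
    if guad <= 0:
        raise ValueError("no guaranteed advantage: an off-diagonal entry "
                         "does not exceed the diagonal entry of its row")
    return c_h, guad, p_min * guad


# Constructed sample matrix (rows: state sent, columns: detector D(not theta)).
CONSTRUCTED_COST = [
    [5.0e-5, 8.0e-5, 1.2e-4, 8.5e-5],
    [8.2e-5, 5.5e-5, 8.1e-5, 1.3e-4],
    [1.1e-4, 7.9e-5, 4.5e-5, 7.0e-5],
    [7.5e-5, 1.2e-4, 7.2e-5, 5.2e-5],
]

# Guaranteed advantage quoted in the text for |alpha|^2 = 1.
GUAD_FROM_TEXT = 1.30e-5


def gap_bound_from_text(alpha_sq=1.0):
    """Lower bound on the gap using the guaranteed advantage quoted in the text."""
    return srm_min_error(alpha_sq) * GUAD_FROM_TEXT


if __name__ == "__main__":
    print("p_min(|alpha|^2 = 1) =", round(srm_min_error(1.0), 4))
    print("gap lower bound      =", gap_bound_from_text())
    print("constructed matrix   =", forging_gap_bound(CONSTRUCTED_COST,
                                                      srm_min_error(1.0)))
```

For $|\alpha|^2 = 1$ this gives $p_{\min} \approx 0.0924$ and a gap bound of about $1.20 \times 10^{-6}$, in agreement with the values quoted in the text.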
In essence, active forging can be limited in the following way. Both Bob and Charlie keep track of the number of detections at the null-port of the multiport. If one of the parties receiving the signature states (say Bob) is dishonest during the distribution phase, the state he sends may not be identical to the state that Alice sends, and if so there will on average be some detections at the null-port of the multiport. Since the protocol is aborted if the detections on the null-port exceed some number $rL$, we can bound how much Bob can tamper with the signature states. This effectively reduces active forging to passive forging. Then the whole security analysis follows in a similar fashion as

FIG. 1: Experimental setup for distributing quantum digital signatures. VCSEL denotes a vertical cavity surface emitting laser. Alice uses a LiNbO3 phase modulator to apply a phase shift Φ, randomly chosen as 0, π/2, π or 3π/2, to each coherent state. The recipients Bob and Charlie use an all-optical fiber multiport to ensure non-repudiation and guard against forging, consisting of the four beam splitters within brown dashes. For detection, the setups within light blue dashes are used to eliminate one or more possible phases. The detectors are silicon single-photon avalanche diodes (SPADs). PBC denotes a polarization beam combiner and PBS denotes polarization beam splitters.

1. For each possible future message $k = 0, 1$, Alice generates two copies of a sequence of coherent states (called quantum signatures) $\mathrm{QuantSig}_k = \bigotimes_{l=1}^{L} \rho^k_l$ where $\rho^k_l = |b^k_l\alpha\rangle\langle b^k_l\alpha|$, $\alpha$ is a real positive amplitude, $b^k_l \in \{1, i, -1, -i\}$ are randomly chosen, and $L$ is a suitably chosen integer. The state $\mathrm{QuantSig}_k$ and the sequence of signs $\mathrm{PrivKey}_k = (b^k_1, \dots, b^k_L)$ are called the quantum signature and the private key, respectively, for message $k$. The individual state $\rho^k_l$ we call the $l$th quantum signature element state for message $k$.
2. Alice sends one copy of $\mathrm{QuantSig}_k$ to Bob and one to Charlie, for each possible message $k = 0$ and $k = 1$.
3. Bob and Charlie send their sequences $\mathrm{QuantSig}_k$ for $k = 0$ and $k = 1$, one signature element at a time, through the QDS multiport. For each signature element they (a) note whether photons are registered at their multiport null-port. They also (b) measure the multiport signal states using the USE measurement for $\{|\alpha\rangle, |i\alpha\rangle, |-\alpha\rangle, |-i\alpha\rangle\}$ (see below).

FIG. 3: Figure (1a) The part of Figure 1 in the main paper which shows the detection system for unambiguous state elimination with four coherent states. PBS denotes a polarization beam splitter used to separate and route the orthogonally polarized signal and reference pulses. The signal pulse takes the long curved path, entering in the top input ports of beam splitters 2 and 3, while the reference takes the short straight path, entering in the left-hand input ports of beam splitters 2 and 3. The polarization of the signal pulse is rotated by 90 degrees in the long curved path so that it matches that of the reference pulse. The relative difference in length between the signal and reference paths is chosen to be equal to that introduced by Alice during state preparation, so that the two pulses arrive at the final beamsplitters (labelled 2 and 3) at the same time and experience interference [31]. Figure (1b) The setup for unambiguous state elimination for four coherent states, using the same beam splitter labels as in part (a). For clarity, this and other subsequent figures in the Supplementary Material are drawn indicating free-space optics with beam splitter cubes and mirrors, whereas our experiment uses optical fiber as shown in Figure 1 of the main paper and part (a) of this figure. The beam is first directed onto the 50:50 beam splitter 1. One of the resulting beams is interfered with a reference beam in the state $|\alpha/\sqrt{2}\rangle$ using beam splitter 2, and the other one is interfered with a reference beam in the state $|i\alpha/\sqrt{2}\rangle$ using beam splitter 3. The reference beam is obtained from the reference pulse that Alice sends, as can be seen in part (a) of this figure. The four output states correspond to the four elimination outcomes.

FIG. 4: The multiport consists of four beam splitters. The top two belong to Bob and the bottom two to Charlie. In the figure above, output coherent states are given for coherent states $|\alpha\rangle$ and $|\beta\rangle$ in the non-empty input modes. Note that here we drew a free-space version, while in the experimental implementation we had a fiber-based version of the multiport.