With the development of science and technology and the appearance of various special conditions that cause signers to be unable to sign, proxy signature is gradually becoming a hot spot in cryptography research. This paper combines proxy signature, quantum teleportation, and multi-party verification and proposes a multi-party verifiable quantum proxy signature scheme based on quantum teleportation. This scheme has the following characteristics: The authentication method based on the $Hash$ function can effectively solve the problem of identity identification among members; in order for the proxy signer to be able to verify the correctness of the proxy authorization, a form of proxy signature authorization that concatenates the identity information of the original signer is used. The security analysis shows that our scheme is unforgeable and undeniable and can resist intercept-resend attacks and cheating attacks.

## I. INTRODUCTION

Cryptography is a subject that studies the secure transmission of data, and digital signature scheme plays a key role in cryptography. However, with the development of science and technology, especially the proposal of the $Shor$ algorithm,^{1} the security of some traditional digital signature schemes has been greatly challenged, so more and more researchers have begun to pay attention to the design and implementation of quantum digital signature schemes. In 2001, Gottesman and Chuang^{2} proposed the first quantum signature scheme, which was a quantum signature scheme based on quantum one-way functions. In 2004, Lee *et al.*^{3} proposed two quantum signature schemes for message recovery based on trusted arbiters: one using bulletin boards and the other was not used. However, both schemes offered message confidentiality and higher transmission efficiency. In 2009, Wen *et al.*^{4} proposed a weak blind signature scheme based on EPR pair correlation. This scheme can guarantee both unconditional security and anonymity of the message owner. At the same time, the scheme also had the characteristics of unforgeability, non-repudiation, blindness, and traceability. In 2015, Yoon *et al.*^{5} proposed a quantum signature scheme based on a two-qubit quantum search algorithm. In order to ensure the secure transmission of the signature, the scheme used a quantum search algorithm which was not used in previous quantum signature schemes. In 2020, Xin *et al.*^{6} proposed an identity-based public key quantum signature scheme. In this scheme, the signer used his identity as the public key, and the private key was generated by a trusted private key generator. The verifier can verify the validity of the quantum signature by using the identity information of the signer. In 2023, Song *et al.*^{7} proposed a quantum threshold signature scheme based on a mutually unbiased basis. The signers executed the signature algorithm sequentially until the last signer obtained the final signature. The scheme was resistant to interception-forgery attacks, collusion attacks, and denial attacks. In addition to the above literatures, other schemes such as arbitrated quantum signature,^{8,9} quantum blind signature,^{10–13} quantum homomorphic signature,^{14} and various other types of quantum signature^{15–17} have been proposed successively.

Quantum teleportation is a new communication method that utilizes dispersive quantum entanglement and physical information conversion to transfer quantum states to locations at arbitrary distances. It no longer transmits classical information but quantum information carried by quantum states. With the help of quantum entanglement, the quantum state to be transported will mysteriously disappear in one place and mysteriously reappear in another without any carrier. In 1998, Karlsson and Bourennane^{18} investigated for the first time the “teleportation” of a quantum state, using three-particle entanglement to either of two receivers. One of the two receivers can completely reconstruct the quantum state based on the measurements of the other receiver. In 2010, Wen *et al.*^{19} proposed a group signature scheme utilizing quantum teleportation. The scheme employed quantum key preparation, quantum encryption algorithm, and quantum invisible transfer state to generate group signature and guarantee unconditional security. In 2014, Su and Li^{20} found that the scheme proposed by Wen *et al.*^{19} was susceptible to an insider attack, through which all legitimate group members can forge signatures by utilizing the inverse exchange relation between the Pauli matrix $Y$ and the encrypted matrix $H$ and the bulletin board. Based on this, an improved scheme was proposed to enhance the security by incorporating a post-transmission eavesdropping detection process. In 2016, Chen and Han^{21} proposed a quantum group signature scheme with a specified receiver based on controlled quantum teleportation of a three-particle entangled $W$ state. Compared with previous schemes, this scheme had stronger applicability. In 2018, Li and Guo^{22} proposed a multi-blind signature scheme for quantum broadcasting based on controlled quantum teleportation. In this scheme, the four-particle cluster state played the role of quantum channel, and an improved quantum one-time encryption plate model was introduced to ensure that the quantum information was not tampered. In 2020, Zheng *et al.*^{23} proposed an arbitrated quantum signature scheme using two three-qubit $GHZ$ states for quantum teleportation. This scheme can resist denial attacks by pre-sharing two secret quantum key strings and introducing two random numbers. In 2022, Lu *et al.*^{24} proposed a verifiable arbitrated quantum signature scheme based on controlled quantum teleportation. By using mutual unbiased basis particles as decoy particles, the scheme used function values of symmetric binary polynomials to perform unitary operations on decoy particles, which can simultaneously perform eavesdropping detection and identity verification. Although the above schemes have their own different advantages, but with the emergence of various special circumstances, the original signer cannot sign as promised things often happen, in order to deal with such situations, proxy signature scheme has become a necessary mean to solve such situations.

In some special cases, such as when the original signer cannot sign due to business or illness, a proxy can be authorized to act as his signature proxy. Only after the original signer sends authorization to the proxy signer, can the proxy signer generate a proxy signature related to the proxy authorization to sign the information to be signed instead of the original signer. In 1996, Mambo *et al.*^{25} proposed a new type of digital proxy signature for the first time. Proxy signature allowed a designated person called a proxy signer to sign on behalf of the original signer, and in contrast to the continuous execution of ordinary digital signature schemes, it had a direct form where the verifier did not require the public key of a user other than the original signer during the verification phase. In 2008, Yang^{26} proposed a multi-proxy quantum group signature scheme with threshold shared verification. The original signer might authorize a proxy group to act as his proxies. A proxy signature representing the original signer can only be generated if all signers in the proxy group work together. In 2011, Zhou *et al.*^{27} proposed a new scheme to generate proxy signatures using $EPR$ quantum entangled states and unitary operations. Because the proxy signer needed to declare his public key when the final signature was generated, the quantum proxy signature scheme proposed by this scheme can be publicly verified. In 2017, Guo *et al.*^{28} proposed a new quantum proxy blind signature scheme. In this scheme, a special type of non-maximum-entangled three-qubit state was introduced as a quantum channel, which can achieve more efficient teleportation. In 2021, Yu and Zhang^{29} proposed a method that combined threshold proxy multiple signatures in classical cryptography with quantum signatures, which not only retained the generality, threshold, multiplicity, and forwardness of classical schemes, but also made the scheme have the security of quantum signatures. In 2022, Fan *et al.*^{30} proposed a multi-proxy signature scheme using five-qubit entangled state based on controlled quantum teleportation. The scheme used quantum Fourier transform as the encryption method to encrypt the message, which improved the quantum efficiency. However, most of the existing quantum proxy signature schemes still use a single verifier, which often occurs when the verifier cannot be verified in time in practical applications. The multi-party verification method can effectively solve this problem. In this paper, the multi-party verification method is applied to proxy signature, and a new quantum proxy signature scheme is proposed.

Based on the threshold signature scheme with threshold verification proposed by Yang *et al.*,^{31} this paper proposes a multi-party verifiable quantum proxy signature scheme based on quantum teleportation. In this scheme, the original signer needs to send the signature authorization to the proxy signer. Only after confirming the legitimacy of the authorization, the proxy signer can generate the proxy signature associated with the authorization; the scheme uses quantum teleportation between the proxy signer and the verifier, which increases the security and effectiveness of the scheme. Multi-party verification can also ensure the unforgeable and undeniable of the scheme.

The main contributions of this article are as follows:

An authentication method based on $Hash$ function is used, which can effectively solve the identity identification problem between members in the scheme.

In order to better verify the correctness of proxy authorization by original signer, a proxy signature authorization form is proposed to concatenate the identity information of the original signer with the binary information generated by the unitary operation of the key.

The combination of proxy signature and multi-party verification can deal with special cases such as the failure of the original signer to sign or the failure of some verifiers to verify.

The rest of this article is organized as follows. In Sec. II, we describe some of the preliminary knowledge used in this scheme. In Sec. III, the detailed process of a multi-party verifiable quantum proxy signature scheme based on quantum teleportation is introduced. In Sec. IV, an example scheme is given. In Sec. V, we give the correctness analysis of the scheme. In Sec. VI, we give the security analysis of the scheme. In Sec. VII, efficiency analysis is made. In Sec. VIII, a brief conclusion is given.

## II. PRELIMINARY

### A. Shamir threshold scheme

$Shamir$ threshold scheme^{32} is first proposed in 1979 based on the Lagrange interpolation and vector method. The basic idea is that the distributor uses secret polynomials, decomposes secret $S$ into $n$ sub-secrets, distributes to the holder, of which no less than $t$ sub-secrets can recover secret $S$, any less than $t$ sub-secrets cannot get any ciphertext information.

#### 1. Decomposition phase

#### 2. Reduction phase

We can construct a polynomial $f ( x )= w t \u2212 1 x t \u2212 1+ w t \u2212 2 x t \u2212 2$ $+\cdots + w 1 x 1+ w 0modq$, or we can find the original secret $S$.

### B. Multi-party verification method

Thus, each participant can obtain a binary key $ K [ i ]$ corresponding to polynomial $ K i$, and according to the nature of the $Shamir$ threshold secret sharing polynomial, each $ K [ i ]$ satisfies $ K A T= \u2295 i = 1 t K [ i ]$. At the same time, during the signing process, the proxy signer $Charlie$ has the authorization information given to him by the original signer $Alice$. $Charlie$ will get the unitary operation $ U K A T$ associated with key $ K A T$ from the authorization information $W$(but $Charlie$ does not know the specific form of $ K A T$), after calculating the quantum state $ | P B C \u27e9$, the obtained $ U K A T | P B C \u27e9$ is sent to the multi-party verifier by quantum teleportation.

When the multi-party verifiers get the state $ U K A T | P B C \u27e9$ transmitted by $Charlie$, they obtain the corresponding unitary operation $ U K [ i ]$ according to the key $ K [ i ]$ in their hand and perform unitary operation $ U K [ i ] U K A T | P B C \u27e9$ on the state. Since the property of $ K A T= \u2295 i = 1 t K [ i ]$ is satisfied, the unitary operation effect of key $ K A T$ can be canceled after $t$ unitary operations on the state by $t$ participants, and the result can be $\zeta | P B C \u27e9$, where $\zeta $ is the global phase factor and cannot affect the final measurement result.

### C. Quantum teleportation

Suppose $Alice$ has two qubits, called $M$ and $A$, and $Bob$ has one qubit, called $B$. We know that $A$ and $B$ are in the maximally entangled state (i.e., one of the $Bell$ states), that is, $ | \phi + \u27e9= 1 2$ $ ( | 00 \u27e9 + | 11 \u27e9 )$, and $M$ is $a | 0 \u27e9+b | 1 \u27e9$, and now our goal is to use the entanglement of $A$ and $B$ to transfer the $M$ state to the $B$ particle.

Now $Alice$ tells $Bob$ the result of the measurement, and $Bob$ only needs to continue the following step.

After the above calculation process, $Bob$ can return to the same state as $M$.

## III. THE PROPOSED SCHEME

In this scheme, there are a total of five participants, they are

$Alice$ : the information owner and original signer,

$Charlie$: the proxy signer,

$Bob$: the signature verifier,

$Trent$: the trust center,

$ R 1,\u2026, R n$: the multi-party verifiers.

The scheme in this paper consists of three parts, which are initialization phase, signature phase, and verification phase. The details of this scheme are as follows:

### A. Initializing phase

(

*I*1) As is shown in Fig. 1, share key $KAC$ ( $L$ pairs of $a1,ic1,i$) between $Alice$ and $Charlie$, share key $KAB$( $L$ bits length) between $Alice$ and $Bob$, share key $KAT$ ( $L$ pairs of $a2,it2,i$) between $Alice$ and $Trent$, share key $KBC$ ( $L$ pairs of $b2,ic2,i$) between $Charlie$ and $Bob$, share key $KCT$( $2L$ bits length) between $Charlie$ and $Trent$, share key $KBT$ ( $L$ pairs of $b1,it1,i$) between $Bob$ and $Trent$, share key $KTR1,KTR2,\u2026,KTRn$ (both $L$ bits lengths) between $Trent$ and $R1,R2,\u2026,Rn$. The distribution of these keys can be done through the Quantum Key Distribution $(QKD)$^{33,34}protocol, which has been shown to have unconditional security.(

*I*2) As is shown in Fig. 2, $Hash$ function $HAC(\u22c5)$ is shared between $Alice$ and $Charlie$, and $Hash$ function $HCB(\u22c5)$ is shared between $Charlie$ and $Bob$.(

*I*3) As is shown in Fig. 3, $Trent$ first applies the random number generator to generate two random $L$-bit classical strings $xA$ and $xC$, which are sent to $Alice$ and $Charlie$, respectively, by the method shown in Ref. 35. When $Alice$ and $Charlie$ receive $xA$ and $xC$, they immediately apply $Hash$ functions $HAC(\u22c5)$ and $HCB(\u22c5)$, respectively, and publish the results of $HAC(xA)$ and $HCB(xC)$.- (
*I*4) The quantum secret sharing scheme in Ref. 36 is used to share $n$ different $xj(xj\u22600,j=1,2,\u2026,n)$ with receiver $R1,R2,\u2026,Rn$ by $Trent$, where $xj$’s length is $2L$ bits. $Trent$ also randomly and independently selects the secret $w1,w2,\u2026,wt\u22121$ on field $F2N$( $N=2L$). He computes $yj=f(x~j)$, $j=1,2,\u2026,n$ on the field $F2N$, where $x~j$ is a polynomial representation of $xj$. By performing the above steps, $Trent$ can get the $n$ shares $y1,y2,\u2026,yn$ of key $KAT$ on field $F2N$, where$f(0)=w0=K~AT$ ( $K~AT$ is a polynomial representation of $KAT$).(1)$f(x)=wt\u22121xt\u22121+wt\u22122xt\u22122+\cdots +w1x1+w0mod2N,$ (

*I*5) $Trent$ encrypts the resulting $y~i$( $y~i$ is a binary representation of $yi$) with key $KTRi$ to get $EKTRi(y~i)$ and sends it to every multi-party verifier $Ri(i=1,2,\u2026,n)$. Then $Trent$ announces $xi$.(

*I*6) Each implementation of this scheme requires the participation of $t$ multi-party verifiers. For convenience, we assume that $R1,R2,\u2026,Rt$ participate in the implementation of this scheme.When $Ri$ receives $y~i(i=1,2,\u2026,t)$, he computes and secretly stores the following values in field $F2N$:then there is a binary representation of $Ki$ in the form $K[i]=(e1[i],f1[i],e2[i],f2[i],\u2026,eL[i],fL[i])$, where $ej[i],fj[i]\u2208{0,1}$, each $Ri$ secretly calculates and saves $K[i]$, and $K[i]$ also satisfies the formula: $KAT=\u2295i=1tK[i]$.(2)$Ki=yi\u220f1\u2264l\u2264t,l\u2260ix~lx~l\u2212x~imod2N,$(

*I*7) $Charlie$ also needs to share the $L$ pairs of $EPR$ entangled state $|\phi +\u27e9AB$ with $Bob$, particle $A$ is preserved by $Charlie$, and particle $B$ is preserved by $Bob$. This scheme uses $EPR$ entangled state as quantum channel to realize quantum secure communication.

### B. Signing phase

- (
*S*1) First, $Alice$ makes the XOR operations between initial information $m$ and key $ K A B$ to obtain information generation parameter $\lambda =m\u2295 K A B= { m 1 \u2295 K A B 1 , m 2 \u2295 K A B 2 , \u2026 , m L \u2295 K A B L}$ and prepares quantum state $ | P A C \u27e9= | \psi \lambda 1 \u2295 a 1 , 1 , c 1 , 1 \u27e9\u2297 | \psi \lambda 2 \u2295 a 1 , 2 , c 1 , 2 \u27e9\u2297\cdots $ $\u2297 | \psi \lambda L \u2295 a 1 , L , c 1 , L \u27e9$ according to information generation parameter $\lambda $ and key $ K A C$, where for each $i\u2208 { 1 , 2 , \u2026 , L}$, $ | \psi \lambda i \u2295 a 1 , i , c 1 , i \u27e9$ belongs to one of the following four states:$ | \psi 0 , 0 \u27e9 = | 0 \u27e9 , | \psi 1 , 0 \u27e9 = | 1 \u27e9 , | \psi 0 , 1 \u27e9 = | + \u27e9 = 1 2 ( | 0 \u27e9 + | 1 \u27e9 ) , | \psi 1 , 1 \u27e9 = | \u2212 \u27e9 = 1 2 ( | 0 \u27e9 \u2212 | 1 \u27e9 ) .$Then, $Alice$ obtains the corresponding unitary operation according to key $ K A T$,For each $i\u2208 { 1 , 2 , \u2026 , L}$, $ U i ( V i )$ belongs to one of the following values:$ U K A T = U 1 V 1 \u2297 U 2 V 2 \u2297 \cdots \u2297 U L V L = U ( a 1 , 1 ) V ( t 1 , 1 ) \u2297 U ( a 1 , 2 ) V ( t 1 , 2 ) \u2297 \cdots \u2297 U ( a 1 , L ) V ( t 1 , L ) .$$ U ( 0 ) = I , U ( 1 ) = i \sigma y , V ( 0 ) = I , V ( 1 ) = H .$We have the following matrices for the associated unitary operation:$I= [ 1 0 0 1 ],i \sigma y= [ 0 1 \u2212 1 0 ],H= 1 2 [ 1 1 1 \u2212 1 ].$ - (
*S*2) $Alice$ applies special coding rules to encode the unitary operation $ U K A T$ to get $ w U K A T$, where we make$I\u219200,H\u219201,i \sigma y\u219210,i \sigma yH\u219211.$Then, after $Alice$ concatenates the encoded unitary operation $ w U K A T$ and $ x A$, $ K A C$ is applied for encryption to get $W= E K A C ( w U K A T \u2225 x A )$, and it is used as the authorization code of $Alice$.

Then, $Alice$ randomly inserts decoy particles composed of two orthogonal basis $ B z$ and $ B x$ into the quantum state $ | P A C \u27e9$ to obtain a new quantum state $ | P \u2032 A C \u27e9$, while recording the positions and states of the decoy particles.

Next, $Alice$ sends $W$ and $ | P \u2032 A C \u27e9$ to $Charlie$ via classical and quantum channel, respectively.

(

*S*3) $Alice$ applies $ K A T$ encryption to the information generation parameter $\lambda $ to get $ E K A T ( \lambda )$ and sends it to $Trent$.(

*S*4) After ensuring that $Charlie$ has received the information, $Alice$ announces the positions and states of the decoy particles. $Charlie$ uses the same basis as the decoy particle to measure the quantum state at the same position and compares the measured results with those published by $Alice$. If the error rate is greater than the preset threshold value, $Charlie$ aborts the scheme; otherwise, $Charlie$ considers that the transmission is not eavesdropped and continues the following step. Eavesdropping detection similar to this process is required in the subsequent quantum state transfer process.After $Charlie$ removes the decoy particles in $ | P \u2032 A C \u27e9$, $ | P A C \u27e9$ is recovered, and $ | P A C \u27e9$ is measured according to the measurement basis determined by the even bits of key $ K A C$, and the measurement result is performed XOR with the odd bits of key $ K A C$ to get the information generation parameter $\lambda $.

Then, $Charlie$ applies key $ K A C$ to decrypt $W$ to get $ w U K A T$ and $ x A$, and $Hash$ function $ H A C ( \u22c5 )$ is applied to operate $ x A$ to get $ H A C ( x A ) \u2032$, which is compared with the previously published $ H A C ( x A )$. If they are not equal, then $Charlie$ aborts the scheme; otherwise, $Charlie$ assumes that the sender is indeed $Alice$ and continues with the next step.

$Charlie$ decodes $ w U K A T$ according to encoding rule Eq. (8), so that the unitary operation generated by $Alice$ according to key $ K A T$ can be obtained. But $Charlie$ does not know what $ K A T$ is about.

- (
*S*5) According to information generation parameter $\lambda $ and key $ K B C$, $Charlie$ prepares quantum state $ | P B C \u27e9= | \psi \lambda 1 \u2295 b 2 , 1 , c 2 , 1 \u27e9$ $\u2297 | \psi \lambda 2 \u2295 b 2 , 2 , c 2 , 2 \u27e9\u2297\cdots \u2297 | \psi \lambda L \u2295 b 2 , L , c 2 , L \u27e9$, where for each $i\u2208 { 1 , 2 , \u2026 , L}$, $ | \psi \lambda i \u2295 b 2 , i , c 2 , i \u27e9$ belongs to one of the following four states:$ | \psi 0 , 0 \u27e9 = | 0 \u27e9 , | \psi 1 , 0 \u27e9 = | 1 \u27e9 , | \psi 0 , 1 \u27e9 = | + \u27e9 = 1 2 ( | 0 \u27e9 + | 1 \u27e9 ) , | \psi 1 , 1 \u27e9 = | \u2212 \u27e9 = 1 2 ( | 0 \u27e9 \u2212 | 1 \u27e9 ) .$Then, $Charlie$ applies $ U K A T$ to $ | P B C \u27e9$ to get $ | P \u2032 B C \u27e9= U K A T | P B C \u27e9$. Next, $Charlie$ takes $ | P \u2032 B C \u27e9$ as the information $ | P \u2032 B C \u27e9 M$ that needs to be transmitted and transmits it through a quantum secure channel composed of $EPR$ entangled particles, the specific form of which is$ | \phi + \u27e9 A B= 1 2 ( | 00 \u27e9 + | 11 \u27e9 ) A B.$The resulting combination of $ | P \u2032 B C \u27e9 M$ and $ | \phi + \u27e9 A B$ iswhere $ | \phi + \u27e9, | \phi \u2212 \u27e9, | \psi + \u27e9, | \psi \u2212 \u27e9$ represent the four two-particle $Bell$ states, and the specific forms are, respectively,$ | \Phi \u27e9 M A B = | P \u2032 B C \u27e9 M \u2297 | \phi + \u27e9 A B = ( \alpha | 0 \u27e9 + \beta | 1 \u27e9 ) M \u2297 1 2 ( | 00 \u27e9 + | 11 \u27e9 ) A B = 1 2 ( \alpha | 000 \u27e9 + \alpha | 011 \u27e9 + \beta | 100 \u27e9 + \beta | 111 \u27e9 ) M A B = 1 2 ( | \phi + \u27e9 M A \u2297 ( \alpha | 0 \u27e9 + \beta | 1 \u27e9 ) B + | \phi \u2212 \u27e9 M A \u2297 ( \alpha | 0 \u27e9 \u2212 \beta | 1 \u27e9 ) B + | \psi + \u27e9 M A \u2297 ( \alpha | 1 \u27e9 + \beta | 0 \u27e9 ) B + | \psi \u2212 \u27e9 M A \u2297 ( \alpha | 1 \u27e9 \u2212 \beta | 0 \u27e9 ) B ) ,$$ | \phi + \u27e9 = 1 2 ( | 00 \u27e9 + | 11 \u27e9 ) , | \phi \u2212 \u27e9 = 1 2 ( | 00 \u27e9 \u2212 | 11 \u27e9 ) , | \psi + \u27e9 = 1 2 ( | 01 \u27e9 + | 10 \u27e9 ) , | \psi \u2212 \u27e9 = 1 2 ( | 01 \u27e9 \u2212 | 10 \u27e9 ) .$$Charlie$ uses $Bell$ basis $ { | \phi + \u27e9 , | \phi \u2212 \u27e9 , | \psi + \u27e9 , | \psi \u2212 \u27e9}$ to carry out $Bell$ measurement on particles $M,A$ in his possession, and the measurement result $G$ shown in the first column of Table I is obtained, and particle $B$ in the hand of $Bob$ also shows the collapse result shown in the second column of Table I.

- (
*S*6) First, $Charlie$ encodes the measurement result $G$, applying the encoding rule as follows:$ | \phi + \u27e9 M A \u2192 00 , | \phi \u2212 \u27e9 M A \u2192 01 , | \psi + \u27e9 M A \u2192 10 , | \psi \u2212 \u27e9 M A \u2192 11.$

Then, $Charlie$ applies key $ K B C$ to encrypt the encoded measurement result $ G \u2032$ to obtain $S= E K B C ( G \u2032 )$ and uses it as his proxy signature for the initial information $m$. $Charlie$ then encrypts $S$ with key $ K C T$ and gets $ E K C T ( S )$ which he sends to $Trent$.

Particles M, A’s
. | The collapse result of . |
---|---|

measurement result G
. | particle B
. |

$ | \phi + \u27e9 M A= 1 2 ( | 00 \u27e9 + | 11 \u27e9 ) M A$ | $ ( \alpha | 0 \u27e9 \u2212 b | 1 \u27e9 ) B$ |

$ | \phi \u2212 \u27e9 M A= 1 2 ( | 00 \u27e9 \u2212 | 11 \u27e9 ) M A$ | $ ( \alpha | 0 \u27e9 + b | 1 \u27e9 ) B$ |

$ | \psi + \u27e9 M A= 1 2 ( | 01 \u27e9 + | 10 \u27e9 ) M A$ | $ ( \alpha | 1 \u27e9 + b | 0 \u27e9 ) B$ |

$ | \psi \u2212 \u27e9 M A= 1 2 ( | 01 \u27e9 \u2212 | 10 \u27e9 ) M A$ | $ ( \alpha | 1 \u27e9 + b | 0 \u27e9 ) B$ |

Particles M, A’s
. | The collapse result of . |
---|---|

measurement result G
. | particle B
. |

$ | \phi + \u27e9 M A= 1 2 ( | 00 \u27e9 + | 11 \u27e9 ) M A$ | $ ( \alpha | 0 \u27e9 \u2212 b | 1 \u27e9 ) B$ |

$ | \phi \u2212 \u27e9 M A= 1 2 ( | 00 \u27e9 \u2212 | 11 \u27e9 ) M A$ | $ ( \alpha | 0 \u27e9 + b | 1 \u27e9 ) B$ |

$ | \psi + \u27e9 M A= 1 2 ( | 01 \u27e9 + | 10 \u27e9 ) M A$ | $ ( \alpha | 1 \u27e9 + b | 0 \u27e9 ) B$ |

$ | \psi \u2212 \u27e9 M A= 1 2 ( | 01 \u27e9 \u2212 | 10 \u27e9 ) M A$ | $ ( \alpha | 1 \u27e9 + b | 0 \u27e9 ) B$ |

$Charlie$ connects $\lambda $ with his own ID number $ x C$ in series, encrypts it with $ K B C$ getting $ E K B C ( \lambda \u2225 x C )$, and sends it to $Bob$ over a classical channel.

### C. Verifying phase

(

*V*1) When $Bob$ receives $ E K B C ( \lambda \u2225 x C )$ from $Charlie$, he uses key $ K B C$ to decrypt $ E K B C ( \lambda \u2225 x C )$ to get $\lambda $ and $ x C$, applies $Hash$ function $ H C B ( \u22c5 )$ to calculate $ x C$, and gets $ H C B ( x C ) \u2032$. If the value is not equal to the previously announced $ H C B ( x C )$, $Bob$ will abort the scheme; otherwise, $Bob$ will think that the message sender is really $Charlie$. Continue with the next step.$Bob$ applies information generation parameter $\lambda $ and key $ K B T$ to prepare quantum state $ | P B T \u27e9= | \psi \lambda 1 \u2295 b 1 , 1 , t 1 , 1 \u27e9$ $\u2297 | \psi \lambda 2 \u2295 b 1 , 2 , t 1 , 2 \u27e9\u2297\cdots \u2297 | \psi \lambda L \u2295 b 1 , L , t 1 , L \u27e9$, where for each $i\u2208 { 1 , 2 , \u2026 , L}$, $ | \psi \lambda i \u2295 b 1 , i , t 1 , i \u27e9$ belongs to one of the following four states:$ | \psi 0 , 0 \u27e9 = | 0 \u27e9 , | \psi 1 , 0 \u27e9 = | 1 \u27e9 , | \psi 0 , 1 \u27e9 = | + \u27e9 = 1 2 ( | 0 \u27e9 + | 1 \u27e9 ) , | \psi 1 , 1 \u27e9 = | \u2212 \u27e9 = 1 2 ( | 0 \u27e9 \u2212 | 1 \u27e9 ) .$Then, $Bob$ randomly inserts decoy particles composed of two orthogonal bases $ B z$ and $ B x$ into quantum state $ | P B T \u27e9$ to obtain a new quantum state $ | P \u2032 B T \u27e9$, while recording the positions and states of the decoy particles. $Bob$ then sends $ | P \u2032 B T \u27e9$ to $Trent$ via a quantum channel.

(

*V*2) $Trent$ recovers $ | P B T \u27e9$ after passing the eavesdropping detection. $Trent$ decrypts the $ E K A T ( \lambda )$ received from $Alice$ to obtain $\lambda $ and applies key $ K B T$ and $\lambda $ to prepare the quantum state $ | P \u2033 B T \u27e9$. The preparation rules are the same as Eq. (4). $Trent$ compares $ | P \u2033 B T \u27e9$ and $ | P \u2032 B T \u27e9$ with the method in Ref. 37 to obtain parameter $\theta $. If they are the same, the parameter is $\theta =1$; otherwise, the parameter is $\theta =0$.(

*V*3) When $Trent$ receives the $ E K C T ( S )$ from $Charlie$, he applies the key $ K C T$ to decrypt $ E K C T ( S )$ and gets $S$. The $Hash$ function $H ( \u22c5 )$ is applied to it to get $H ( S )$.$Trent$ encrypts $S,H ( S ),\theta $ with $ K B T$ and gets $ E K B T ( S , H ( S ) , \theta )$, which is sent to $Bob$ over a classical channel.

(

*V*4) When $Bob$ receives the encrypted message from $Trent$, he applies key $ K B T$ to decrypt it and gets $S,H ( S ),\theta $. If $\theta =0$, the continuation of the scheme is suspended; otherwise, $Bob$ continues with the next step.$Bob$ uses key $ K B C$ to decrypt $S$ to get the encoded measurement result $ G \u2032$ and uses coding rule Eq. (13) to recover $G$. $Bob$ then performs the unitary operation on the particle $B$ he owns in terms of $G$ to get $ | P \u2033 B C \u27e9$, as shown in Table II.

TABLE II.*Bob*gets the .The corresponding unitary operation . measurement result *G*.performed on particle *B*.$ | \phi + \u27e9 M A= 1 2 ( | 00 \u27e9 + | 11 \u27e9 ) M A$ *I*$ | \phi \u2212 \u27e9 M A= 1 2 ( | 00 \u27e9 \u2212 | 11 \u27e9 ) M A$ *σ*_{z}$ | \psi + \u27e9 M A= 1 2 ( | 01 \u27e9 + | 10 \u27e9 ) M A$ *σ*_{x}$ | \psi \u2212 \u27e9 M A= 1 2 ( | 01 \u27e9 \u2212 | 10 \u27e9 ) M A$ *iσ*_{y}*Bob*gets the .The corresponding unitary operation . measurement result *G*.performed on particle *B*.$ | \phi + \u27e9 M A= 1 2 ( | 00 \u27e9 + | 11 \u27e9 ) M A$ *I*$ | \phi \u2212 \u27e9 M A= 1 2 ( | 00 \u27e9 \u2212 | 11 \u27e9 ) M A$ *σ*_{z}$ | \psi + \u27e9 M A= 1 2 ( | 01 \u27e9 + | 10 \u27e9 ) M A$ *σ*_{x}$ | \psi \u2212 \u27e9 M A= 1 2 ( | 01 \u27e9 \u2212 | 10 \u27e9 ) M A$ *iσ*_{y}The unitary operation corresponds to the following unitary matrices:$Bob$ then inserts the decoy particles into $ | P \u2033 B C \u27e9$ and sends it to $ R 1$ via a quantum channel.$ I = [ 1 0 0 1 ] , \sigma x = [ 0 1 1 0 ] , i \sigma y = [ 0 1 \u2212 1 0 ] , \sigma z = [ 1 0 0 \u2212 1 ] .$- (
*V*5) $ R 1$ removes the decoy particles to recover $ | P \u2033 B C \u27e9$ and applies the unitary operation $ Q [ 1 ]$ corresponding to $ K [ 1 ]$ to $ | P \u2033 B C \u27e9$, thereby obtaining a new quantum state $ | \psi 1 \u27e9= Q [ 1 ] | P \u2033 B C \u27e9$. Among them,For each $i\u2208 { 1 , 2 , \u2026 , L}$, the value of $U ( e i [ 1 ] ) ( V ( f i [ 1 ] ) )$ is the same as the corresponding rule of Eq. (6).$ Q [ 1 ] = U 1 [ 1 ] V 1 [ 1 ] \u2297 U 2 [ 1 ] V 2 [ 1 ] \u2297 \cdots \u2297 U L [ 1 ] V L [ 1 ] = U ( e 1 [ 1 ] ) V ( f 1 [ 1 ] ) \u2297 U ( e 2 [ 1 ] ) V ( f 2 [ 1 ] ) \u2297 \cdots \u2297 U ( e L [ 1 ] ) V ( f L [ 1 ] ) .$Subsequently, $ R 1$ inserts the decoy particles into $ | \psi 1 \u27e9$, sends it to $ R 2$ through a quantum channel, and records the positions and states of the decoy particles.

(

*V*6) After confirming that $ R j ( j = 2 , 3 , \u2026 , t )$ has received the information, $ R j \u2212 1$ announces the positions and states of the decoy particles. $ R j$ uses the same basis as the decoy particles to measure the quantum states at the same positions and compares the measured results with the results published by $ R j \u2212 1$. If the error rate is greater than the preset threshold, $ R j$ will abort the scheme; otherwise, $ R j$ will consider that the transmission has not been eavesdropped and continue the following step.$ R j ( j = 2 , 3 , \u2026 , t )$ removes the decoy particles to recover $ | \psi j \u2212 1 \u27e9$ and applies the unitary operation $ Q [ j ]$ corresponding to $ K [ j ]$ to $ | \psi j \u2212 1 \u27e9$, thereby obtaining a new quantum state $ | \psi j \u27e9= Q [ j ] | \psi j \u2212 1 \u27e9$. Among them,For each $i\u2208 { 1 , 2 , \u2026 , L}$, the value of $U ( e i [ j ] ) ( V ( f i [ j ] ) )$ is the same as the corresponding rule of Eq. (6).$ Q [ j ] = U 1 [ j ] V 1 [ j ] \u2297 U 2 [ j ] V 2 [ j ] \u2297 \cdots \u2297 U L [ j ] V L [ j ] = U ( e 1 [ j ] ) V ( f 1 [ j ] ) \u2297 U ( e 2 [ j ] ) V ( f 2 [ j ] ) \u2297 \cdots \u2297 U ( e L [ j ] ) V ( f L [ j ] ) .$When $j<t$, $ R j$ inserts the decoy particles into $ | \psi j \u27e9$ and sends it to $ R j + 1$ through the quantum channel, and records the positions and states of the decoy particles. When $j=t$, $ R t$ inserts the decoy particles into $ | \psi t \u27e9$ and sends it to $Bob$ via a quantum channel.

(

*V*7) $Bob$ removes the decoy particles to recover $ | \psi t \u27e9$, measures $ | \psi t \u27e9$ according to the measurement basis determined by the even number of bits of key $ K B C$, and makes XOR operations between the measurement results and the odd number of bits of key $ K B C$, thus obtaining $ \lambda \u2032$. $Bob$ compares $ \lambda \u2032$ with the $\lambda $ he received from $Charlie$. If $ \lambda \u2032\u2260\lambda $, he rejects the signature. Otherwise, $Bob$ performs XOR operations between $ \lambda \u2032$ and $ K A B$ to get the initial message $m$ and accepts $S= E K B C ( G \u2032 )$ as the proxy signature for $m$. The information interaction flow of the whole scheme is shown in Fig. 4.

## IV. EXAMPLE OF THE SCHEME

Assuming that $Alice$ wants to sign the initial message $m= { 0 , 1 , 0 , 1 , 1}$ by proxy, we perform the following procedures.

### A. Initializing phase

(

*I*1) Share the key $ K A C= { 1 , 0 , 1 , 1 , 0 , 1 , 0 , 1 , 1 , 1}$ between $Alice$ and $Charlie$; share the key $ K A B= { 1 , 0 , 0 , 1 , 1}$ between $Alice$ and $Bob$; share the key $ K A T= { 1 , 0 , 1 , 0 , 0 , 0 , 1 , 1 , 1 , 1}$ between $Alice$ and $Trent$; share the key $ K B C= { 1 , 1 , 0 , 1 , 0 , 1 , 1 , 0 , 1 , 1}$ between $Charlie$ and $Bob$; share the key $ K C T$ $= { 1 , 0 , 1 , 0 , 0 , 1 , 1 , 0 , 1 , 0}$ between $Charlie$ and $Trent$; share the key $ K B T= { 0 , 1 , 0 , 1 , 0 , 1 , 0 , 0 , 0 , 1}$ between $Bob$ and $Trent$; share keys $ K T R 1= { 0 , 1 , 0 , 1 , 0}, K T R 2= { 0 , 1 , 1 , 0 , 0}, K T R 3$ $= { 1 , 0 , 1 , 0 , 0}, K T R 4= { 0 , 0 , 1 , 1 , 0}, K T R 5= { 1 , 0 , 1 , 0 , 0}$ between Trent and $ R 1, R 2, R 3, R 4, R 5$.(

*I*2) $Alice$ shares a $Hash$ function $ H A C ( \u22c5 )$ with $Charlie$, and $Charlie$ shares a $Hash$ function $ H C B ( \u22c5 )$ with $Bob$.(

*I*3) $Trent$ first applies a random number generator to generate two classical bit strings $ x A=01111$ and $ x C= 10 111$ and sends them to $Alice$ and $Charlie$, respectively. When $Alice$ and $Charlie$ receive $ x A=01111$ and $ x C= 10 111$, they immediately apply $Hash$ functions $ H A C ( \u22c5 )$ and $ H C B ( \u22c5 )$, respectively, and publish the results $ H A C ( x A )$ and $ H C B ( x C )$.- (
*I*4) $Trent$ and each receiver in ${ R 1, R 2, R 3, R 4, R 5}$ share a different, non-zero $ x j$ of 10 bits length, where $j=1,2,\u2026,5$. $Trent$ also randomly and independently selects the secret $ w 1=z, w 2= z 2$ on the field $ F 2 10$. He computes $ y j=f ( x j )$ over the field $ F 2 10$, where $j=1,2,\u2026,5$. $Trent$ generates five shares $ y 1, y 2,\u2026, y 5$ of key $ K A T$ on field $ F 2 10$, where$f ( 0 )= w 0= K ~ A T= z 9+ z 7+ z 3+ z 2+ z 1+1$.$f ( x )= z 2 x 2+zx+ z 9+ z 7+ z 3+ z 2+ z 1+1 mod 2 10,$ (

*I*5) $Trent$ encrypts the generated $ y ~ i$ by key $ K T R i$ and sends it to each multi-party verifier $ R i ( i = 1 , 2 , 3 , 4 , 5 )$ and then announces $ x i$. The results are shown in Table III.(

*I*6) Three multi-party verifiers are required to participate in the implementation of this scheme. For convenience, we assume that $ R 1, R 2, R 3$ participate in the implementation of this scheme.When $ R i$ receives $ ( x ~ i , y i ) ( i = 1 , 2 , 3 )$, he computes and secretly stores the following values $ K i$ in the field $ F 2 10$, whereThen, $ K [ i ]= ( e 1 [ i ] , f 1 [ i ] , e 2 [ i ] , f 2 [ i ] , \u2026 , e 5 [ i ] , f 5 [ i ] )$ is shown in Table IV , and $ K [ i ]$ also satisfies the formula: $ K A T= \u2295 i = 1 3 K [ i ]$.$ K i= y i \u220f 1 \u2264 l \u2264 3 , l \u2260 i x ~ l x ~ l \u2212 x ~ i mod 2 10.$(

*I*7) Subsequently, $Charlie$ and $Bob$ share five-pair $EPR$ entangled states $ | \phi + \u27e9 A B= 1 2 ( | 00 \u27e9 + | 11 \u27e9 ) A B$, where particle $A$ is kept by $Charlie$ and particle $B$ is kept by $Bob$.

$ x ~ i$ . | y_{i}
. |
---|---|

$ x ~ 1=z$ | y_{1} = z^{9} + z^{7} + z^{4} + z^{3} + z^{1} + 1 |

$ x ~ 2= z 2$ | y_{2} = z^{9} + z^{7} + z^{6} + z^{2} + z^{1} + 1 |

$ x ~ 3= z 2+z$ | $ y 3= z 9+ z 7+ z 6+ z 4+ z 1+1$ |

$ x ~ 4= z 2+z+1$ | $ y 4= z 9+ z 7+ z 6+ z 4+ z 2+z$ |

$ x ~ 5= z 3+ z 2$ | y_{5} = z^{9} + z^{8} + z^{7} + z^{6} + z^{4} + z^{2} + z^{1} + 1 |

$ x ~ i$ . | y_{i}
. |
---|---|

$ x ~ 1=z$ | y_{1} = z^{9} + z^{7} + z^{4} + z^{3} + z^{1} + 1 |

$ x ~ 2= z 2$ | y_{2} = z^{9} + z^{7} + z^{6} + z^{2} + z^{1} + 1 |

$ x ~ 3= z 2+z$ | $ y 3= z 9+ z 7+ z 6+ z 4+ z 1+1$ |

$ x ~ 4= z 2+z+1$ | $ y 4= z 9+ z 7+ z 6+ z 4+ z 2+z$ |

$ x ~ 5= z 3+ z 2$ | y_{5} = z^{9} + z^{8} + z^{7} + z^{6} + z^{4} + z^{2} + z^{1} + 1 |

The calculation result of . | . |
---|---|

multi-party verifier . | Corresponding private key . |

K_{1} = z^{9} + z^{7} + z^{4} + z^{3} + z^{1} + 1 | K^{[1]} = {1, 0, 1, 0, 0, 1, 1, 0, 1, 1} |

K_{2} = z^{9} + z^{7} + z^{6} + z^{2} + z^{1} + 1 | K^{[2]} = {1, 0, 1, 1, 0, 0, 0, 1, 1, 1} |

$ K 3= z 9+ z 7+ z 6+ z 4+ z 1+1$ | K^{[3]} = {1, 0, 1, 1, 0, 1, 0, 0, 1, 1} |

The calculation result of . | . |
---|---|

multi-party verifier . | Corresponding private key . |

K_{1} = z^{9} + z^{7} + z^{4} + z^{3} + z^{1} + 1 | K^{[1]} = {1, 0, 1, 0, 0, 1, 1, 0, 1, 1} |

K_{2} = z^{9} + z^{7} + z^{6} + z^{2} + z^{1} + 1 | K^{[2]} = {1, 0, 1, 1, 0, 0, 0, 1, 1, 1} |

$ K 3= z 9+ z 7+ z 6+ z 4+ z 1+1$ | K^{[3]} = {1, 0, 1, 1, 0, 1, 0, 0, 1, 1} |

### B. Signing phase

(

*S*1) First, $Alice$ performs the XOR operations between the initial information $m= { 0 , 1 , 0 , 1 , 1}$ and the key $ K A B= { 1 , 0 , 0 , 1 , 1}$ to obtain the information generation parameter $\lambda =m\u2295 K A B$ $= { 1 , 1 , 0 , 0 , 0}$ and then combines the key $ K A C= { 1 , 0 , 1 , 1 , 0 , 1 , 0 , 1 , 1 , 1}$ to prepare the quantum state $ | P A C \u27e9= | 0 \u27e9\u2297 | + \u27e9$ $\u2297 | + \u27e9\u2297 | + \u27e9\u2297 | \u2212 \u27e9$.Then, $Alice$ uses the key $ K A T= { 1 , 0 , 1 , 0 , 0 , 0 , 1 , 1 , 1 , 1}$ to obtain the corresponding unitary operation: $ U K A T=i \sigma y\u2297i \sigma y\u2297I\u2297i \sigma yH\u2297i \sigma yH$.

(

*S*2) $Alice$ encodes the unitary operation $ U K A T=i \sigma y\u2297i \sigma y\u2297I$ $\u2297i \sigma yH\u2297i \sigma yH$ with special coding rules to get $ w U K A T= { 10 , 10 , 00 , 11 , 11}$.Then, after $Alice$ concatenates the encoded unitary operation $ w U K A T= { 10 , 10 , 00 , 11 , 11}$ and $ x A=01111$, she uses $ K A C= { 1 , 0 , 1 , 1 , 0 , 1 , 0 , 1 , 1 , 1}$ to encrypt it to get

*W*$= E K A C ( w U K A T \u2225 x A )$ and uses $W$ as herself authorization code.Then, $Alice$ randomly inserts decoy particles composed of two orthogonal basis into the quantum state $ | P A C \u27e9= | 0 \u27e9\u2297 | + \u27e9$ $\u2297 | + \u27e9\u2297 | + \u27e9\u2297 | \u2212 \u27e9$ to obtain a new quantum state $ | P \u2032 A C \u27e9$ and records the positions and states of the decoy particles.

Next, $Alice$ sends $W$ and $ | P \u2032 A C \u27e9$ to $Charlie$ via classical and quantum channel, respectively.

(

*S*3) $Alice$ applies $ K A T= { 1 , 0 , 1 , 0 , 0 , 0 , 1 , 1 , 1 , 1}$ to the information generation parameter $\lambda = { 1 , 1 , 0 , 0 , 0}$ to get $ E K A T ( \lambda )$ and sends it to $Trent$.(

*S*4) After ensuring that $Charlie$ receives the message, $Alice$ announces the positions and states of the decoy particles. $Charlie$ uses the same basis as the decoy particles to measure the quantum states at the same positions, compares the measurement results with the results published by $Alice$, and finds that there is no eavesdropping, $Charlie$ continues the next step.After obtaining $ | P A C \u27e9= | 0 \u27e9\u2297 | + \u27e9\u2297 | + \u27e9\u2297 | + \u27e9\u2297 | \u2212 \u27e9$, $Charlie$ measures $ | P A C \u27e9$ according to the measurement basis determined by the even bits of key $ K A C= { 1 , 0 , 1 , 1 , 0 , 1 , 0 , 1 , 1 , 1}$ and makes XOR operations between the measurement results and the odd bits of key $ K A C$ to obtain the information generation parameter $\lambda = { 1 , 1 , 0 , 0 , 0}$.

Then, $Charlie$ decrypts $W$ with key $ K A C$ to get $ w U K A T$ and $ x A$ and applies $Hash$ function $ H A C ( \u22c5 )$ to calculate $ x A$ to get $ H A C ( x A ) \u2032$. Compared with the previously published $ H A C ( x A )$, $Charlie$ finds that the two are the same. $Charlie$ believes that the sender of the message is indeed $Alice$ and continues the following step.

$Charlie$ decodes $ w U K A T$ according to the encoding rule Eq. (8) so that the unitary operation $ U K A T=i \sigma y\u2297i \sigma y\u2297I\u2297i \sigma yH$ $\u2297i \sigma yH$ generated by $Alice$ according to the key $ K A T$ can be obtained.

(

*S*5) $Charlie$ applies the information generation parameter $\lambda = { 1 , 1 , 0 , 0 , 0}$ and key $ K B C= { 1 , 1 , 0 , 1 , 0 , 1 , 1 , 0 , 1 , 1}$ to prepare the quantum state $ | P B C \u27e9= | + \u27e9\u2297 | \u2212 \u27e9\u2297 | + \u27e9$ $\u2297 | 1 \u27e9\u2297 | \u2212 \u27e9$.Then, $Charlie$ applies $ U K A T=i \sigma y\u2297i \sigma y\u2297I\u2297i \sigma yH\u2297i \sigma yH$ to $ | P B C \u27e9= | + \u27e9\u2297 | \u2212 \u27e9\u2297 | + \u27e9\u2297 | 1 \u27e9\u2297 | \u2212 \u27e9$ to get $ | P \u2032 B C \u27e9= | \u2212 \u27e9$ $\u2297 ( \u2212 | + \u27e9 )\u2297 | + \u27e9\u2297 ( \u2212 | + \u27e9 )\u2297 | 0 \u27e9$. Next, $Charlie$ takes $ | P \u2032 B C \u27e9$ as the information $ | P \u2032 B C \u27e9 M$ that needs to be transmitted and sends it through a quantum-secure channel made up of $EPR$ entangled particles $ | \phi + \u27e9 A B= 1 2 ( | 00 \u27e9 + | 11 \u27e9 ) A B$.

The form of the combined state obtained from $ | P \u2032 B C \u27e9 M$ and $ | \phi + \u27e9 A B$ is$ | \Phi \u27e9 M A B = | P \u2032 B C \u27e9 M \u2297 | \phi + \u27e9 A B = ( \alpha | 0 \u27e9 + \beta | 1 \u27e9 ) M \u2297 1 2 ( | 00 \u27e9 + | 11 \u27e9 ) A B = 1 2 ( \alpha | 000 \u27e9 + \alpha | 011 \u27e9 + \beta | 100 \u27e9 + \beta | 111 \u27e9 ) M A B = 1 2 ( | \phi + \u27e9 M A \u2297 ( \alpha | 0 \u27e9 + \beta | 1 \u27e9 ) B + | \phi \u2212 \u27e9 M A \u2297 ( \alpha | 0 \u27e9 \u2212 \beta | 1 \u27e9 ) B + | \psi + \u27e9 M A \u2297 ( \alpha | 1 \u27e9 + \beta | 0 \u27e9 ) B + | \psi \u2212 \u27e9 M A \u2297 ( \alpha | 1 \u27e9 \u2212 \beta | 0 \u27e9 ) B ) .$$Charlie$ uses $Bell$ basis $ { | \phi + \u27e9 , | \phi \u2212 \u27e9 , | \psi + \u27e9 , | \psi \u2212 \u27e9}$ to make five $Bell$ measurements of his particles $M,A$ and obtains the measurement results $G$ as shown in the second column of Table V. In addition, particle $B$ in $Bob$’s hand will also show the collapse results as shown in the third column of Table V.

(

*S*6) First, $Charlie$ encodes the measurement results $G$ to get $ G \u2032= { 10 , 00 , 01 , 11 , 01}$.

|P′_{BC}〉_{M}
. | Particles M, A measurement results G
. | Results of the collapse of particle B
. |
---|---|---|

| − 〉 | $ | \psi + \u27e9 M A= 1 2 ( | 01 \u27e9 + | 10 \u27e9 ) M A$ | $ 1 2 ( | 1 \u27e9 \u2212 | 0 \u27e9 ) B$ |

−| + 〉 | $ | \phi + \u27e9 M A= 1 2 ( | 00 \u27e9 + | 11 \u27e9 ) M A$ | $ 1 2 ( \u2212 | 0 \u27e9 \u2212 | 1 \u27e9 ) B$ |

| + 〉 | $ | \phi \u2212 \u27e9 M A= 1 2 ( | 00 \u27e9 \u2212 | 11 \u27e9 ) M A$ | $ 1 2 ( | 0 \u27e9 \u2212 | 1 \u27e9 ) B$ |

−| + 〉 | $ | \psi \u2212 \u27e9 M A= 1 2 ( | 01 \u27e9 \u2212 | 10 \u27e9 ) M A$ | $ 1 2 ( \u2212 | 1 \u27e9 + | 0 \u27e9 ) B$ |

|0〉 | $ | \phi \u2212 \u27e9 M A= 1 2 ( | 00 \u27e9 \u2212 | 11 \u27e9 ) M A$ | |0〉_{B} |

|P′_{BC}〉_{M}
. | Particles M, A measurement results G
. | Results of the collapse of particle B
. |
---|---|---|

| − 〉 | $ | \psi + \u27e9 M A= 1 2 ( | 01 \u27e9 + | 10 \u27e9 ) M A$ | $ 1 2 ( | 1 \u27e9 \u2212 | 0 \u27e9 ) B$ |

−| + 〉 | $ | \phi + \u27e9 M A= 1 2 ( | 00 \u27e9 + | 11 \u27e9 ) M A$ | $ 1 2 ( \u2212 | 0 \u27e9 \u2212 | 1 \u27e9 ) B$ |

| + 〉 | $ | \phi \u2212 \u27e9 M A= 1 2 ( | 00 \u27e9 \u2212 | 11 \u27e9 ) M A$ | $ 1 2 ( | 0 \u27e9 \u2212 | 1 \u27e9 ) B$ |

−| + 〉 | $ | \psi \u2212 \u27e9 M A= 1 2 ( | 01 \u27e9 \u2212 | 10 \u27e9 ) M A$ | $ 1 2 ( \u2212 | 1 \u27e9 + | 0 \u27e9 ) B$ |

|0〉 | $ | \phi \u2212 \u27e9 M A= 1 2 ( | 00 \u27e9 \u2212 | 11 \u27e9 ) M A$ | |0〉_{B} |

$Charlie$ then encrypts $ G \u2032= { 10 , 00 , 01 , 11 , 01}$ with the key $ K B C= { 1 , 1 , 0 , 1 , 0 , 1 , 1 , 0 , 1 , 1}$ to obtain $S= E K B C ( G \u2032 )$, which he uses as his proxy signature for the initial message $m$. Then, $Charlie$ encrypts $S$ with the key $ K C T= { 1 , 0 , 1 , 0 , 0 , 1 , 1 , 0 , 1 , 0}$ and sends it to $Trent$.

$Charlie$ uses $ K B C$ to encrypt the $\lambda = { 1 , 1 , 0 , 0 , 0}$ and his identity code $ x C= 10 111$ to obtain $ E K B C ( \lambda \u2225 x C )$ and sends it to $Bob$ through the classical channel.

### C. Verifying phase

(

*V*1) After receiving $ E K B C ( \lambda \u2225 x C )$ from $Charlie$, $Bob$ uses the key $ K B C= { 1 , 1 , 0 , 1 , 0 , 1 , 1 , 0 , 1 , 1}$ to obtain $\lambda = { 1 , 1 , 0 , 0 , 0}$ and $ x C= 10 111$ and applies $Hash$ function $ H C B ( \u22c5 )$ to $ x C$ to get $ H C B ( x C ) \u2032$. Compared with $ H C B ( x C )$ published before, it is found that the two are the same. $Bob$ believes that the sender of the message is indeed $Charlie$ and proceeds with the following step.According to the information generation parameter $\lambda ={ 1 , 1 , 0 , 0 , 0}$ and key $ K B T={ 0 , 1 , 0 , 1 , 0 , 1 , 0 , 0 , 0 , 1}$, $Bob$ prepares the quantum state $ | P B T \u27e9= | \u2212 \u27e9\u2297 | \u2212 \u27e9\u2297 | + \u27e9\u2297 | 0 \u27e9\u2297 | + \u27e9$.

Then, $Bob$ randomly inserts the decoy particles composed of two orthogonal bases into the quantum state $ | P B T \u27e9= | \u2212 \u27e9\u2297 | \u2212 \u27e9\u2297 | + \u27e9\u2297 | 0 \u27e9\u2297 | + \u27e9$ to obtain a new quantum state $ | P \u2032 B T \u27e9$ and records the positions and states of the decoy particles. $Bob$ then sends $ | P \u2032 B T \u27e9$ to $Trent$ through the quantum channel.

(

*V*2) After ensuring that $Trent$ receives the information, $Bob$ announces the positions and states of the decoy particles. $Trent$ uses the same basis as the decoy particles to measure the quantum states at the same positions, compares the measurement results with $Bob$’s published results, and finds that there is no eavesdropping. $Trent$ continues with the next step. After $Trent$ removes the decoy particles in $ | P \u2032 B T \u27e9$, $ | P B T \u27e9$ is recovered.$Trent$ decrypts the $ E K A T ( \lambda )$ received from $Alice$ to obtain $\lambda = { 1 , 1 , 0 , 0 , 0}$, applies the key $ K B T= { 0 , 1 , 0 , 1 , 0 , 1 , 0 , 0 , 0 , 1}$ and $\lambda $ to prepare the quantum state $ | P \u2033 B T \u27e9= | \u2212 \u27e9\u2297 | \u2212 \u27e9\u2297 | + \u27e9\u2297 | 0 \u27e9\u2297 | + \u27e9$, and compares $ | P \u2033 B T \u27e9$ with $ | P B T \u27e9$ to obtain the parameter $\theta =1$.

(

*V*3) When $Trent$ receives the $ E K C T ( S )$ from $Charlie$, he applies the key $ K C T= { 1 , 0 , 1 , 0 , 0 , 1 , 1 , 0 , 1 , 0}$ to decrypt and gets $S$. The $Hash$ function $H ( \u22c5 )$ is applied to $S$, and $H ( S )$ is obtained.After $Trent$ encrypts $S,H ( S ),\theta $ with $ K B T= { 0 , 1 , 0 , 1 , 0 , 1 , 0 , 0 , 0 , 1}$, he gets $ E K B T ( S , H ( S ) , \theta )$, which is sent to $Bob$ over the classical channel.

(

*V*4) When $Bob$ receives the encrypted message $ E K B T ( S , H ( S ) , \theta )$ from $Trent$, he applies key $ K B T= { 0 , 1 , 0 , 1 , 0 , 1 , 0 , 0 , 0 , 1}$ to it and gets $S,H ( S ),\theta $. Finding $\theta =1$, $Bob$ continues with the next step.$Bob$ uses key $ K B C$ to decrypt $S$ to get $ G \u2032= { 10 , 00 , 01 , 11 , 01}$, and code rule Eq. (13) to recover $G$. Then, according to $G$, the unitary operation shown in Table VI is performed on the particle $B$ in his possession to obtain $ | P \u2033 B C \u27e9= | \u2212 \u27e9\u2297 ( \u2212 | + \u27e9 )$ $\u2297 | + \u27e9\u2297 ( \u2212 | + \u27e9 )\u2297 | 0 \u27e9$.

Then, $Bob$ inserts the decoy particles into $ | P \u2033 B C \u27e9= | \u2212 \u27e9$ $\u2297 ( \u2212 | + \u27e9 )\u2297 | + \u27e9\u2297 ( \u2212 | + \u27e9 )\u2297 | 0 \u27e9$ and records the positions and states of the decoy particles, and sends it to $ R 1$ through the quantum channel.

(

*V*5) After confirming that $ R 1$ has received the quantum information, $Bob$ announces the positions and states of the decoy particles. $ R 1$ uses the same basis as the decoy particles to measure the quantum states at the same positions, compares the measurement results with the results published by $Bob$, and finds that the transmission is not eavesdropped, $ R 1$ continues the next step.$ R 1$ removes the decoy particles to recover $ | P \u2033 B C \u27e9= | \u2212 \u27e9\u2297 ( \u2212 | + \u27e9 )\u2297 | + \u27e9\u2297 ( \u2212 | + \u27e9 )\u2297 | 0 \u27e9$, and the unitary operation $ Q [ 1 ]=i \sigma y\u2297i \sigma y\u2297H\u2297i \sigma y\u2297i \sigma yH$ corresponding to $ K [ 1 ]= { 1 , 0 , 1 , 0 , 0 , 1 , 1 , 0 , 1 , 1}$ is applied to $ | P \u2033 B C \u27e9$, thus a new quantum state $ | \psi 1 \u27e9= ( \u2212 | + \u27e9 )\u2297 ( \u2212 | \u2212 \u27e9 )\u2297 | 0 \u27e9\u2297 ( \u2212 | \u2212 \u27e9 )\u2297 | \u2212 \u27e9$ can be obtained.

Subsequently, $ R 1$ inserts the decoy particles into $ | \psi 1 \u27e9$ and records the positions and states of the decoy particles, and sends it to $ R 2$ through the quantum channel.

(

*V*6) After confirming that $ R 2$ has received the information, $ R 1$ announces the positions and states of the decoy particles. $ R 2$ applies the same basis as the decoy particles to measure the quantum states at the same positions, compares the measurement results with the published results of $ R 1$, finds that the transmission is not eavesdropped, and $ R 2$ continues the next step.$ R 2$ removes the decoy particles to recover $ | \psi 1 \u27e9$, and the unitary operation $ Q [ 2 ]=i \sigma y\u2297i \sigma yH\u2297I\u2297H\u2297i \sigma yH$ corresponding to $ K [ 2 ]= { 1 , 0 , 1 , 1 , 0 , 0 , 0 , 1 , 1 , 1}$ is applied to $ | \psi 1 \u27e9= ( \u2212 | + \u27e9 )$ $\u2297 ( \u2212 | \u2212 \u27e9 )\u2297 | 0 \u27e9\u2297 ( \u2212 | \u2212 \u27e9 )\u2297 | \u2212 \u27e9$, thus a new quantum state $ | \psi 2 \u27e9= ( \u2212 | \u2212 \u27e9 )\u2297 ( \u2212 | 0 \u27e9 )\u2297 | 0 \u27e9\u2297 ( \u2212 | 1 \u27e9 )\u2297 | 0 \u27e9$ can be obtained.

By analogy, $ R 3$ applies the unitary operation $ Q [ 3 ]=i \sigma y\u2297i \sigma yH\u2297H\u2297I\u2297i \sigma yH$ corresponding to $ K [ 3 ]$ $= { 1 , 0 , 1 , 1 , 0 , 1 , 0 , 0 , 1 , 1}$ to $ | \psi 2 \u27e9= ( \u2212 | \u2212 \u27e9 )\u2297 ( \u2212 | 0 \u27e9 )\u2297 | 0 \u27e9$ $\u2297 ( \u2212 | 1 \u27e9 )\u2297 | 0 \u27e9$ to obtain a new quantum state $ | \psi 3 \u27e9= | + \u27e9\u2297 ( \u2212 | \u2212 \u27e9 )\u2297 | + \u27e9\u2297 ( \u2212 | 1 \u27e9 )\u2297 | \u2212 \u27e9$. $ R 3$ inserts the decoy particles into $ | \psi 3 \u27e9$ and sends it to $Bob$ through the quantum channel, recording the positions and states of the decoy particles.

(

*V*7) After confirming that $Bob$ has received the quantum information, $ R 3$ announces the positions and states of the decoy particles. $Bob$ applies the same basis as the decoy particles to measure the quantum states at the same positions, compares the measurement results with the published results of $ R 3$, finds that the transmission is not eavesdropped, and $Bob$ continues with the next step.

. | . | . | The state after performing the . |
---|---|---|---|

G
. | Initial state . | Unitary operation . | corresponding unitary operation . |

|ψ^{+}〉_{MA} | $ 1 2 ( | 1 \u27e9 \u2212 | 0 \u27e9 ) B$ | σ_{x} | $ 1 2 ( | 0 \u27e9 \u2212 | 1 \u27e9 ) B$ |

|φ^{+}〉_{MA} | $ 1 2 ( \u2212 | 0 \u27e9 \u2212 | 1 \u27e9 ) B$ | I | $ 1 2 ( \u2212 | 0 \u27e9 \u2212 | 1 \u27e9 ) B$ |

|φ^{−}〉_{MA} | $ 1 2 ( | 0 \u27e9 \u2212 | 1 \u27e9 ) B$ | σ_{z} | $ 1 2 ( | 0 \u27e9 + | 1 \u27e9 ) B$ |

|ψ^{−}〉_{MA} | $ 1 2 ( \u2212 | 1 \u27e9 + | 0 \u27e9 ) B$ | iσ_{y} | $ 1 2 ( \u2212 | 0 \u27e9 \u2212 | 1 \u27e9 ) B$ |

|φ^{−}〉_{MA} | |0〉_{B} | σ_{z} | |0〉_{B} |

. | . | . | The state after performing the . |
---|---|---|---|

G
. | Initial state . | Unitary operation . | corresponding unitary operation . |

|ψ^{+}〉_{MA} | $ 1 2 ( | 1 \u27e9 \u2212 | 0 \u27e9 ) B$ | σ_{x} | $ 1 2 ( | 0 \u27e9 \u2212 | 1 \u27e9 ) B$ |

|φ^{+}〉_{MA} | $ 1 2 ( \u2212 | 0 \u27e9 \u2212 | 1 \u27e9 ) B$ | I | $ 1 2 ( \u2212 | 0 \u27e9 \u2212 | 1 \u27e9 ) B$ |

|φ^{−}〉_{MA} | $ 1 2 ( | 0 \u27e9 \u2212 | 1 \u27e9 ) B$ | σ_{z} | $ 1 2 ( | 0 \u27e9 + | 1 \u27e9 ) B$ |

|ψ^{−}〉_{MA} | $ 1 2 ( \u2212 | 1 \u27e9 + | 0 \u27e9 ) B$ | iσ_{y} | $ 1 2 ( \u2212 | 0 \u27e9 \u2212 | 1 \u27e9 ) B$ |

|φ^{−}〉_{MA} | |0〉_{B} | σ_{z} | |0〉_{B} |

$Bob$ removes the decoy particles to recover $ | \psi 3 \u27e9$ and measures $ | \psi 3 \u27e9$ according to the measurement basis determined by the even bits of key $ K B C$, and makes the XOR operations with the odd bits of key $ K B C$ to obtain $ \lambda \u2032= { 1 , 1 , 0 , 0 , 0}$. Comparing $ \lambda \u2032$ with the $\lambda $ received from $Charlie$ and finding $ \lambda \u2032=\lambda $, $Bob$ makes the XOR operations between $ \lambda \u2032$ and $ K A B= { 1 , 0 , 0 , 1 , 1}$ to get the initial message $m= { 0 , 1 , 0 , 1 , 1}$ and accepts that $S= E K B C ( G \u2032 )$ is the proxy signature for the initial message $m$.

## V. CORRECTNESS ANALYSIS

After $t$ operations by the multi-party verifiers, the verifier $Bob$ can successfully measure and recover the information output $ \lambda \u2032$.

In the verification phase, if $Bob$ compares the measurement result $ \lambda \u2032$ with the information generation factor $\lambda $ received from the proxy signer $Charlie$, he finds $ \lambda \u2032=\lambda $, then the proxy signature proposed by this scheme is correct.

After $Charlie$ measures particles $M,A$, particle $B$ will collapse due to the entanglement properties of the $EPR$ pair. After $Bob$ performs the corresponding unitary operation on particle $B$, particle $B$ can become the same state as particle $M$. $Bob$ sends the recovered states to the multi-party verifiers, and after $t$ multi-party verifiers perform corresponding unitary operations, all the states have been restored to the original quantum states encoded by $Charlie$. $Bob$ can then determine the measurement basis based on the even bits of $ K B C$ and apply the odd bits of $ K B C$ and the measurement result to make the XOR operations. $Bob$ finally finds $ \lambda \u2032=\lambda $, then the signature in the signature scheme proposed in this paper is valid. □

## VI. SECURITY ANALYSIS

### A. Undeniability

In this scheme, we get that neither the original signer $Alice$ nor the proxy signer $Charlie$ can deny their authorization and signature, and the verifier $Bob$ cannot deny that he has received the signature. According to the sending process of the authorization code in Sec. III B, we learn that $Charlie$ needs to use $ K A C$ to decrypt the authorization $W$ sent by $Alice$. However, all key distribution is done through the $QKD$ protocol, which is unconditionally secure. $Charlie$ has no way of knowing the key $ K A T$ between $Alice$ and $Trent$, so $Charlie$ cannot deny the authorization. Based on the above analysis, the original signer $Alice$ cannot deny her authorization. Likewise, because of the unconditional security of the $QKD$ protocol, $Charlie$ cannot deny his proxy signature. In the verification phase, $Bob$ can decrypt $ E K B T ( S , H ( S ) , \theta )$ with key $ K B T$, and then decrypt $S= E K B C ( G )$ with key $ K B C$ to get $G$, so $Bob$ cannot deny that he has received a signature generated by $Charlie$ that $Trent$ sent to $Bob$.

### B. Unforgeability

#### 1. Eve cannot forge the signature

Suppose the attacker or adversary $Eve$ wants to forge $Charlie$’s signature. He needs to know the key $ K A T$ shared between $Alice$ and $Trent$, and the key $ K B C$ shared between $Charlie$ and $Bob$. However, $Eve$ does not know the above keys, because the key distribution in this article is done through the quantum channel, $QKD$ protocol has unconditional security. As a result, $Eve$ has no way of knowing the key shared between $Charlie$ and $Bob$ to complete signature $S$.

#### 2. Alice cannot forge the signature

Because the original signer $Alice$ has no way of knowing the key $ K B C$ shared between the proxy signer $Charlie$ and the verifier $Bob$, she cannot forge the signature.

#### 3. Bob cannot forge the signature

If the verifier $Bob$ wants to forge a signature, he needs to know the key $ K A T$ between $Alice$ and $Trent$. Because the key distribution in this paper is completed through the quantum channel, $QKD$ protocol has unconditional security. So the verifier $Bob$ cannot forge the signature.

### C. Dispute resolution mechanism for signature verification

The verifier $Bob$ cannot deny that he has verified signature $S$ during the verifying phase. Because the trusted third party $Trent$ sends the $ E K B T ( S , H ( S ) , \theta )$ to the verifier $Bob$ during the verifying phase. Only $Bob$ can decrypt $ E K B T ( S , H ( S ) , \theta )$ using $ K B T$ to get $S$ and the signature $S$ using $ K B C$ to obtain the measurement result $G$. To complete the quantum teleportation to obtain the transferred quantum state for the following multi-party verification process. So Bob cannot deny that he has verified the signature.

### D. Security against intercept-resend attack

The quantum state sent by $ R j$ is the tensor product of multiple qubits. Each qubit is randomly located in one of two conjugate bases. When the external adversary $Eve$ does not know $ e i [ j ] ( f i [ j ] )$, he cannot perform the correct unitary operation on each qubit. If he adopts an intercept-resend attack, he can only implement the unitary operation by guessing, and the probability of not being detected is $ ( 1 4 ) L$. In addition, due to the inserted position of the decoy particle and the randomness of the quantum state, the probability of $Eve$ not being detected by just guessing is $ ( 1 4 ) n$(if the number of decoy particles is $n$). Therefore, the scheme is resistant to intercept-resend attack.

### E. Security against (*t* − 1)-party cheating attack

Suppose a dishonest verifier $ R i$ tries to find the value of another verifier $ R j$’s key, and then collaborates with $t\u22122$ other verifiers to recover the secret message. $ R i$ prepares a false signal and sends it to $ R j$. From the false signal that $ R j$ operates on, $ R i$ tries to get $ R j$’s key.

Without losing generality, we assume that $ R j$ performs one of four unitary operations with equal probability for each qubit and that the unitary operations performed by each qubit are independent. It is therefore illustrative to consider $ R i$ eavesdropping on a qubit.

The false signal of $ R i$ can be represented as $ | \gamma \u27e9= | 0 \u27e9 ( a | 0 \u27e9 + b | 1 \u27e9 )+ | 1 \u27e9 ( c | 0 \u27e9 + d | 1 \u27e9 )$, where $ | a | 2+ | b | 2+ | c | 2$ $+ | d | 2=1$, for simplicity, we consider each probability amplitude to be a real number, but the security proof applies equally to complex numbers.

However, when $ R i$ prepares legal qubits, $I ( R i , R j )$ can also reach a maximum, that is, the values of $a,b,c,d$ meet $ad+bc=0$. Since there are many values of $a$ that satisfy the above conditions, they are not listed in detail here. So $ R i$ cannot get more information by sending a false signal than by sending a legitimate one. $ R i$’s eavesdropping will introduce errors and result in invalid signatures.

### F. Security against *t*-party collusion attack

Suppose that no less than $t$ multi-party verifiers collude to forge signature, all the multi-party verifiers can only recover the key $ K A T$ together, and then they pretend to be the original signer $Alice$ and send the forged $ E K A T ( \lambda )$ to trusted third party $Trent$, because they do not know $ K AC$ and the identity information $ x A$ of $Alice$. Therefore, $Charlie$ cannot be deceived successfully to make the scheme proceed smoothly. So the scheme can resist the collusion attack of $t$ multi-party verifiers.

## VII. EFFICIENCY ANALYSIS

As shown in Table VII, the scheme in this paper is compared with Refs. 31, 39, and 40 mainly in terms of quantum teleportation, multi-party verification, and efficiency. When $t$ is greater than or equal to 3, it can be found that the efficiency of our scheme is better than that of Refs. 39 and 40. When $t$ is greater than or equal to 13, the efficiency of our scheme is better than that of Ref. 31. In general, the value of $t$ is generally large enough, so the efficiency of our scheme has certain advantages compared with that of Refs. 31, 39, and 40.

Scheme . | Quantum teleportation . | Multi-party verification . | Efficiency . |
---|---|---|---|

Ref. 31 | × | ✓ | $ 1 2 t + 2$ |

Ref. 39 | × | × | $ 1 6 t + 3$ |

Ref. 40 | × | × | $ 1 6 t + 4$ |

Our scheme | ✓ | ✓ | $ 1 t + 15$ |

## VIII. CONCLUSION

This paper proposes a multi-party verifiable quantum proxy signature scheme based on quantum teleportation. Different from the schemes in Refs. 31, 39, and 40, we combine quantum teleportation, multi-party verification, and quantum proxy signature. Using $Hash$ functions $ H A C ( \u22c5 )$ and $ H B C ( \u22c5 )$ for authentication can effectively solve the identity problem between the original signer $Alice$ and the proxy signer $Charlie$, and between the proxy signer $Charlie$ and the verifier $Bob$ in the scheme. Using the special proxy signature authorization form $W= E K A C ( w U K A T \u2225 x A )$, the proxy signer can verify the correctness of the original signer’s authorization, and the proxy signer can apply the unitary operation $ U K A T$ corresponding to the key $ K A T$ to generate the signature without knowing the key $ K A T$. At the same time, our scheme is resistant to intercept-resend attack and $(t\u22121)$-party cheating attack. This scheme uses $Bell$ state as the channel of quantum teleportation. $Bell$ state has the characteristics of simple preparation and other. Compared with Refs. 31, 39, and 40, the efficiency of the scheme has been significantly improved, so it has good application prospects.

## ACKNOWLEDGMENTS

We would like to thank the anonymous reviewers for their valuable comments. This work was supported by Special Project for International Cooperation in Science and Technology of Qinghai Province (No. 202402050039)

## AUTHOR DECLARATIONS

### Conflict of Interest

The authors have no conflicts to disclose.

### Author Contributions

**Chengxiang Wang:** Conceptualization (equal); Data curation (equal); Formal analysis (equal); Project administration (equal); Validation (equal); Writing – original draft (equal); Writing – review & editing (equal). **Dianjun Lu:** Conceptualization (equal); Formal analysis (equal); Supervision (equal); Validation (equal); Writing – review & editing (equal). **Fuyao Tian:** Supervision (equal); Validation (equal); Writing – review & editing (equal). **Weixin Yao:** Validation (equal); Writing – review & editing (equal).

## DATA AVAILABILITY

The data that support the findings of this study are available from the corresponding author upon reasonable request.