With the development of science and technology and the appearance of various special conditions that cause signers to be unable to sign, proxy signature is gradually becoming a hot spot in cryptography research. This paper combines proxy signature, quantum teleportation, and multi-party verification and proposes a multi-party verifiable quantum proxy signature scheme based on quantum teleportation. This scheme has the following characteristics: The authentication method based on the H a s h function can effectively solve the problem of identity identification among members; in order for the proxy signer to be able to verify the correctness of the proxy authorization, a form of proxy signature authorization that concatenates the identity information of the original signer is used. The security analysis shows that our scheme is unforgeable and undeniable and can resist intercept-resend attacks and cheating attacks.

Cryptography is a subject that studies the secure transmission of data, and digital signature scheme plays a key role in cryptography. However, with the development of science and technology, especially the proposal of the S h o r algorithm,1 the security of some traditional digital signature schemes has been greatly challenged, so more and more researchers have begun to pay attention to the design and implementation of quantum digital signature schemes. In 2001, Gottesman and Chuang2 proposed the first quantum signature scheme, which was a quantum signature scheme based on quantum one-way functions. In 2004, Lee et al.3 proposed two quantum signature schemes for message recovery based on trusted arbiters: one using bulletin boards and the other was not used. However, both schemes offered message confidentiality and higher transmission efficiency. In 2009, Wen et al.4 proposed a weak blind signature scheme based on EPR pair correlation. This scheme can guarantee both unconditional security and anonymity of the message owner. At the same time, the scheme also had the characteristics of unforgeability, non-repudiation, blindness, and traceability. In 2015, Yoon et al.5 proposed a quantum signature scheme based on a two-qubit quantum search algorithm. In order to ensure the secure transmission of the signature, the scheme used a quantum search algorithm which was not used in previous quantum signature schemes. In 2020, Xin et al.6 proposed an identity-based public key quantum signature scheme. In this scheme, the signer used his identity as the public key, and the private key was generated by a trusted private key generator. The verifier can verify the validity of the quantum signature by using the identity information of the signer. In 2023, Song et al.7 proposed a quantum threshold signature scheme based on a mutually unbiased basis. The signers executed the signature algorithm sequentially until the last signer obtained the final signature. The scheme was resistant to interception-forgery attacks, collusion attacks, and denial attacks. In addition to the above literatures, other schemes such as arbitrated quantum signature,8,9 quantum blind signature,10–13 quantum homomorphic signature,14 and various other types of quantum signature15–17 have been proposed successively.

Quantum teleportation is a new communication method that utilizes dispersive quantum entanglement and physical information conversion to transfer quantum states to locations at arbitrary distances. It no longer transmits classical information but quantum information carried by quantum states. With the help of quantum entanglement, the quantum state to be transported will mysteriously disappear in one place and mysteriously reappear in another without any carrier. In 1998, Karlsson and Bourennane18 investigated for the first time the “teleportation” of a quantum state, using three-particle entanglement to either of two receivers. One of the two receivers can completely reconstruct the quantum state based on the measurements of the other receiver. In 2010, Wen et al.19 proposed a group signature scheme utilizing quantum teleportation. The scheme employed quantum key preparation, quantum encryption algorithm, and quantum invisible transfer state to generate group signature and guarantee unconditional security. In 2014, Su and Li20 found that the scheme proposed by Wen et al.19 was susceptible to an insider attack, through which all legitimate group members can forge signatures by utilizing the inverse exchange relation between the Pauli matrix Y and the encrypted matrix H and the bulletin board. Based on this, an improved scheme was proposed to enhance the security by incorporating a post-transmission eavesdropping detection process. In 2016, Chen and Han21 proposed a quantum group signature scheme with a specified receiver based on controlled quantum teleportation of a three-particle entangled W state. Compared with previous schemes, this scheme had stronger applicability. In 2018, Li and Guo22 proposed a multi-blind signature scheme for quantum broadcasting based on controlled quantum teleportation. In this scheme, the four-particle cluster state played the role of quantum channel, and an improved quantum one-time encryption plate model was introduced to ensure that the quantum information was not tampered. In 2020, Zheng et al.23 proposed an arbitrated quantum signature scheme using two three-qubit G H Z states for quantum teleportation. This scheme can resist denial attacks by pre-sharing two secret quantum key strings and introducing two random numbers. In 2022, Lu et al.24 proposed a verifiable arbitrated quantum signature scheme based on controlled quantum teleportation. By using mutual unbiased basis particles as decoy particles, the scheme used function values of symmetric binary polynomials to perform unitary operations on decoy particles, which can simultaneously perform eavesdropping detection and identity verification. Although the above schemes have their own different advantages, but with the emergence of various special circumstances, the original signer cannot sign as promised things often happen, in order to deal with such situations, proxy signature scheme has become a necessary mean to solve such situations.

In some special cases, such as when the original signer cannot sign due to business or illness, a proxy can be authorized to act as his signature proxy. Only after the original signer sends authorization to the proxy signer, can the proxy signer generate a proxy signature related to the proxy authorization to sign the information to be signed instead of the original signer. In 1996, Mambo et al.25 proposed a new type of digital proxy signature for the first time. Proxy signature allowed a designated person called a proxy signer to sign on behalf of the original signer, and in contrast to the continuous execution of ordinary digital signature schemes, it had a direct form where the verifier did not require the public key of a user other than the original signer during the verification phase. In 2008, Yang26 proposed a multi-proxy quantum group signature scheme with threshold shared verification. The original signer might authorize a proxy group to act as his proxies. A proxy signature representing the original signer can only be generated if all signers in the proxy group work together. In 2011, Zhou et al.27 proposed a new scheme to generate proxy signatures using E P R quantum entangled states and unitary operations. Because the proxy signer needed to declare his public key when the final signature was generated, the quantum proxy signature scheme proposed by this scheme can be publicly verified. In 2017, Guo et al.28 proposed a new quantum proxy blind signature scheme. In this scheme, a special type of non-maximum-entangled three-qubit state was introduced as a quantum channel, which can achieve more efficient teleportation. In 2021, Yu and Zhang29 proposed a method that combined threshold proxy multiple signatures in classical cryptography with quantum signatures, which not only retained the generality, threshold, multiplicity, and forwardness of classical schemes, but also made the scheme have the security of quantum signatures. In 2022, Fan et al.30 proposed a multi-proxy signature scheme using five-qubit entangled state based on controlled quantum teleportation. The scheme used quantum Fourier transform as the encryption method to encrypt the message, which improved the quantum efficiency. However, most of the existing quantum proxy signature schemes still use a single verifier, which often occurs when the verifier cannot be verified in time in practical applications. The multi-party verification method can effectively solve this problem. In this paper, the multi-party verification method is applied to proxy signature, and a new quantum proxy signature scheme is proposed.

Based on the threshold signature scheme with threshold verification proposed by Yang et al.,31 this paper proposes a multi-party verifiable quantum proxy signature scheme based on quantum teleportation. In this scheme, the original signer needs to send the signature authorization to the proxy signer. Only after confirming the legitimacy of the authorization, the proxy signer can generate the proxy signature associated with the authorization; the scheme uses quantum teleportation between the proxy signer and the verifier, which increases the security and effectiveness of the scheme. Multi-party verification can also ensure the unforgeable and undeniable of the scheme.

The main contributions of this article are as follows:

  1. An authentication method based on H a s h function is used, which can effectively solve the identity identification problem between members in the scheme.

  2. In order to better verify the correctness of proxy authorization by original signer, a proxy signature authorization form is proposed to concatenate the identity information of the original signer with the binary information generated by the unitary operation of the key.

  3. The combination of proxy signature and multi-party verification can deal with special cases such as the failure of the original signer to sign or the failure of some verifiers to verify.

The rest of this article is organized as follows. In Sec. II, we describe some of the preliminary knowledge used in this scheme. In Sec. III, the detailed process of a multi-party verifiable quantum proxy signature scheme based on quantum teleportation is introduced. In Sec. IV, an example scheme is given. In Sec. V, we give the correctness analysis of the scheme. In Sec. VI, we give the security analysis of the scheme. In Sec. VII, efficiency analysis is made. In Sec. VIII, a brief conclusion is given.

S h a m i r threshold scheme32 is first proposed in 1979 based on the Lagrange interpolation and vector method. The basic idea is that the distributor uses secret polynomials, decomposes secret S into n sub-secrets, distributes to the holder, of which no less than t sub-secrets can recover secret S, any less than t sub-secrets cannot get any ciphertext information.

1. Decomposition phase

Assuming there is a secret S to be protected, the secret distributor needs to arbitrarily take t 1 random numbers on field F q and construct the following polynomial:
f ( x ) = w t 1 x t 1 + w t 2 x t 2 + + w 1 x 1 + w 0 modq ,
where w 0 = S, all operations are performed in the finite field F q. Take any n number and put x 1 , x 2 , , x n into the polynomial to get f ( x 1 ) , f ( x 2 ) , , f ( x n ). ( x 1 , f ( x 1 ) ) , ( x 2 , f ( x 2 ) ) , , ( x n , f ( x n ) ) is then distributed to n validators.

2. Reduction phase

Get the data from any t verifiers, assume ( x 1 , f ( x 1 ) ) , ( x 2 , f ( x 2 ) ) , , ( x t , f ( x t ) ), enter, and solve the polynomial coefficients,
f ( x 1 ) = w t 1 x 1 t 1 + w t 2 x 1 t 2 + + w 1 x 1 1 + w 0 modq , f ( x 2 ) = w t 1 x 2 t 1 + w t 2 x 2 t 2 + + w 1 x 2 1 + w 0 modq , f ( x t ) = w t 1 x t t 1 + w t 2 x t t 2 + + w 1 x t 1 + w 0 modq .
Simplification can be obtained in the following form:
f ( x ) = i = 1 t f ( x i ) j = 1 , j i t x x i x i x j , S = w 0 = i = 1 t f ( x i ) j = 1 , j i t x j x j x i .

We can construct a polynomial f ( x ) = w t 1 x t 1 + w t 2 x t 2 + + w 1 x 1 + w 0 modq, or we can find the original secret S.

Multi-party verification is one way to verify the correctness of a signature. The multi-party verification method proposed in this paper is as follows. Assuming that t participants are the multi-party verifiers R 1 , , R t of this scheme, then T r e n t will share f ( x i ) with the t participants respectively, then the t participants can calculate according to the published x i and his own f ( x i ), the calculation formula is as follows:
K i = f ( x i ) j = 1 , j i t x j x j x i .

Thus, each participant can obtain a binary key K [ i ] corresponding to polynomial K i, and according to the nature of the S h a m i r threshold secret sharing polynomial, each K [ i ] satisfies K A T = i = 1 t K [ i ]. At the same time, during the signing process, the proxy signer C h a r l i e has the authorization information given to him by the original signer A l i c e. C h a r l i e will get the unitary operation U K A T associated with key K A T from the authorization information W(but C h a r l i e does not know the specific form of K A T), after calculating the quantum state | P B C , the obtained U K A T | P B C is sent to the multi-party verifier by quantum teleportation.

When the multi-party verifiers get the state U K A T | P B C transmitted by C h a r l i e, they obtain the corresponding unitary operation U K [ i ] according to the key K [ i ] in their hand and perform unitary operation U K [ i ] U K A T | P B C on the state. Since the property of K A T = i = 1 t K [ i ] is satisfied, the unitary operation effect of key K A T can be canceled after t unitary operations on the state by t participants, and the result can be ζ | P B C , where ζ is the global phase factor and cannot affect the final measurement result.

Suppose A l i c e has two qubits, called M and A, and B o b has one qubit, called B. We know that A and B are in the maximally entangled state (i.e., one of the B e l l states), that is, | φ + = 1 2 ( | 00 + | 11 ), and M is a | 0 + b | 1 , and now our goal is to use the entanglement of A and B to transfer the M state to the B particle.

Consider these three particles as a system,
| Φ M A B = ( a | 0 + b | 1 ) M 1 2 ( | 00 + | 11 ) A B = 1 2 ( a | 000 + a | 011 + b | 100 + b | 111 ) M A B = 1 2 ( | φ + M A ( a | 0 + b | 1 ) B + | φ M A ( a | 0 b | 1 ) B + | ψ + M A ( a | 1 + b | 0 ) B + | ψ M A ( a | 1 b | 0 ) B ) .
The next step is to measure the M and A particles with four B e l l basis { | φ + , | φ , | ψ + , | ψ }, then the measurement has four possible outcomes, each of which will give a B particle,
| φ + = 1 2 ( | 00 + | 11 ) ( a | 0 + b | 1 ) B , | φ = 1 2 ( | 00 | 11 ) ( a | 0 b | 1 ) B , | ψ + = 1 2 ( | 01 + | 10 ) ( a | 1 + b | 0 ) B , | ψ = 1 2 ( | 01 | 10 ) ( a | 1 b | 0 ) B .

Now A l i c e tells B o b the result of the measurement, and B o b only needs to continue the following step.

If the measurement result is | φ + , the I operation is performed; if the measurement result is | φ , the σ z operation is performed; if the measurement result is | ψ + , the σ x operation is performed; if the measurement result is | ψ , the i σ y operation is performed. Where { I , σ x , i σ y , σ z } are the P a u l i operators, the corresponding matrix is, respectively,
I = [ 1 0 0 1 ] , σ x = [ 0 1 1 0 ] , i σ y = [ 0 1 1 0 ] , σ z = [ 1 0 0 1 ] .

After the above calculation process, B o b can return to the same state as M.

In this scheme, there are a total of five participants, they are

  1. A l i c e : the information owner and original signer,

  2. C h a r l i e: the proxy signer,

  3. B o b: the signature verifier,

  4. T r e n t: the trust center,

  5. R 1 , , R n: the multi-party verifiers.

The scheme in this paper consists of three parts, which are initialization phase, signature phase, and verification phase. The details of this scheme are as follows:

  • (I1) As is shown in Fig. 1, share key KAC (L pairs of a1,ic1,i) between Alice and Charlie, share key KAB(L bits length) between Alice and Bob, share key KAT (L pairs of a2,it2,i) between Alice and Trent, share key KBC (L pairs of b2,ic2,i) between Charlie and Bob, share key KCT(2L bits length) between Charlie and Trent, share key KBT (L pairs of b1,it1,i) between Bob and Trent, share key KTR1,KTR2,,KTRn (both L bits lengths) between Trent and R1,R2,,Rn. The distribution of these keys can be done through the Quantum Key Distribution (QKD)33,34 protocol, which has been shown to have unconditional security.

  • (I2) As is shown in Fig. 2, Hash function HAC() is shared between Alice and Charlie, and Hash function HCB() is shared between Charlie and Bob.

  • (I3) As is shown in Fig. 3, Trent first applies the random number generator to generate two random L-bit classical strings xA and xC, which are sent to Alice and Charlie, respectively, by the method shown in Ref. 35. When Alice and Charlie receive xA and xC, they immediately apply Hash functions HAC() and HCB(), respectively, and publish the results of HAC(xA) and HCB(xC).

  • (I4) The quantum secret sharing scheme in Ref. 36 is used to share n different xj(xj0,j=1,2,,n) with receiver R1,R2,,Rn by Trent, where xj’s length is 2L bits. Trent also randomly and independently selects the secret w1,w2,,wt1 on field F2N(N=2L). He computes yj=f(x~j), j=1,2,,n on the field F2N, where x~j is a polynomial representation of xj. By performing the above steps, Trent can get the n shares y1,y2,,yn of key KAT on field F2N, where
    f(x)=wt1xt1+wt2xt2++w1x1+w0mod2N,
    (1)
    f(0)=w0=K~AT (K~AT is a polynomial representation of KAT).
  • (I5) Trent encrypts the resulting y~i(y~i is a binary representation of yi) with key KTRi to get EKTRi(y~i) and sends it to every multi-party verifier Ri(i=1,2,,n). Then Trent announces xi.

  • (I6) Each implementation of this scheme requires the participation of t multi-party verifiers. For convenience, we assume that R1,R2,,Rt participate in the implementation of this scheme.

    When Ri receives y~i(i=1,2,,t), he computes and secretly stores the following values in field F2N:
    Ki=yi1lt,lix~lx~lx~imod2N,
    (2)
    then there is a binary representation of Ki in the form K[i]=(e1[i],f1[i],e2[i],f2[i],,eL[i],fL[i]), where ej[i],fj[i]{0,1}, each Ri secretly calculates and saves K[i], and K[i] also satisfies the formula: KAT=i=1tK[i].
  • (I7) Charlie also needs to share the L pairs of EPR entangled state |φ+AB with Bob, particle A is preserved by Charlie, and particle B is preserved by Bob. This scheme uses EPR entangled state as quantum channel to realize quantum secure communication.

FIG. 1.

Quantum key distribution diagram.

FIG. 1.

Quantum key distribution diagram.

Close modal
FIG. 2.

Hash function sharing diagram.

FIG. 2.

Hash function sharing diagram.

Close modal
FIG. 3.

Identity information and secret sharing process.

FIG. 3.

Identity information and secret sharing process.

Close modal
Assuming A l i c e wants to sign initial information,
m = { m 1 , m 2 , , m i , , m L } , m i { 0 , 1 } .
(3)
  • (S1) First, A l i c e makes the XOR operations between initial information m and key K A B to obtain information generation parameter λ = m K A B = { m 1 K A B 1 , m 2 K A B 2 , , m L K A B L } and prepares quantum state | P A C = | ψ λ 1 a 1 , 1 , c 1 , 1 | ψ λ 2 a 1 , 2 , c 1 , 2 | ψ λ L a 1 , L , c 1 , L according to information generation parameter λ and key K A C, where for each i { 1 , 2 , , L }, | ψ λ i a 1 , i , c 1 , i belongs to one of the following four states:
    | ψ 0 , 0 = | 0 , | ψ 1 , 0 = | 1 , | ψ 0 , 1 = | + = 1 2 ( | 0 + | 1 ) , | ψ 1 , 1 = | = 1 2 ( | 0 | 1 ) .
    (4)
    Then, A l i c e obtains the corresponding unitary operation according to key K A T,
    U K A T = U 1 V 1 U 2 V 2 U L V L = U ( a 1 , 1 ) V ( t 1 , 1 ) U ( a 1 , 2 ) V ( t 1 , 2 ) U ( a 1 , L ) V ( t 1 , L ) .
    (5)
    For each i { 1 , 2 , , L }, U i ( V i ) belongs to one of the following values:
    U ( 0 ) = I , U ( 1 ) = i σ y , V ( 0 ) = I , V ( 1 ) = H .
    (6)
    We have the following matrices for the associated unitary operation:
    I = [ 1 0 0 1 ] , i σ y = [ 0 1 1 0 ] , H = 1 2 [ 1 1 1 1 ] .
    (7)
  • (S2) A l i c e applies special coding rules to encode the unitary operation U K A T to get w U K A T, where we make
    I 00 , H 01 , i σ y 10 , i σ y H 11.
    (8)

    Then, after A l i c e concatenates the encoded unitary operation w U K A T and x A, K A C is applied for encryption to get W = E K A C ( w U K A T x A ), and it is used as the authorization code of A l i c e.

    Then, A l i c e randomly inserts decoy particles composed of two orthogonal basis B z and B x into the quantum state | P A C to obtain a new quantum state | P A C , while recording the positions and states of the decoy particles.

    Next, A l i c e sends W and | P A C to C h a r l i e via classical and quantum channel, respectively.

  • (S3) A l i c e applies K A T encryption to the information generation parameter λ to get E K A T ( λ ) and sends it to T r e n t.

  • (S4) After ensuring that C h a r l i e has received the information, A l i c e announces the positions and states of the decoy particles. C h a r l i e uses the same basis as the decoy particle to measure the quantum state at the same position and compares the measured results with those published by A l i c e. If the error rate is greater than the preset threshold value, C h a r l i e aborts the scheme; otherwise, C h a r l i e considers that the transmission is not eavesdropped and continues the following step. Eavesdropping detection similar to this process is required in the subsequent quantum state transfer process.

    After C h a r l i e removes the decoy particles in | P A C , | P A C is recovered, and | P A C is measured according to the measurement basis determined by the even bits of key K A C, and the measurement result is performed XOR with the odd bits of key K A C to get the information generation parameter λ.

    Then, C h a r l i e applies key K A C to decrypt W to get w U K A T and x A, and H a s h function H A C ( ) is applied to operate x A to get H A C ( x A ) , which is compared with the previously published H A C ( x A ). If they are not equal, then C h a r l i e aborts the scheme; otherwise, C h a r l i e assumes that the sender is indeed A l i c e and continues with the next step.

    C h a r l i e decodes w U K A T according to encoding rule Eq. (8), so that the unitary operation generated by A l i c e according to key K A T can be obtained. But C h a r l i e does not know what K A T is about.

  • (S5) According to information generation parameter λ and key K B C, C h a r l i e prepares quantum state | P B C = | ψ λ 1 b 2 , 1 , c 2 , 1 | ψ λ 2 b 2 , 2 , c 2 , 2 | ψ λ L b 2 , L , c 2 , L , where for each i { 1 , 2 , , L }, | ψ λ i b 2 , i , c 2 , i belongs to one of the following four states:
    | ψ 0 , 0 = | 0 , | ψ 1 , 0 = | 1 , | ψ 0 , 1 = | + = 1 2 ( | 0 + | 1 ) , | ψ 1 , 1 = | = 1 2 ( | 0 | 1 ) .
    (9)
    Then, C h a r l i e applies U K A T to | P B C to get | P B C = U K A T | P B C . Next, C h a r l i e takes | P B C as the information | P B C M that needs to be transmitted and transmits it through a quantum secure channel composed of E P R entangled particles, the specific form of which is
    | φ + A B = 1 2 ( | 00 + | 11 ) A B .
    (10)
    The resulting combination of | P B C M and | φ + A B is
    | Φ M A B = | P B C M | φ + A B = ( α | 0 + β | 1 ) M 1 2 ( | 00 + | 11 ) A B = 1 2 ( α | 000 + α | 011 + β | 100 + β | 111 ) M A B = 1 2 ( | φ + M A ( α | 0 + β | 1 ) B + | φ M A ( α | 0 β | 1 ) B + | ψ + M A ( α | 1 + β | 0 ) B + | ψ M A ( α | 1 β | 0 ) B ) ,
    (11)
    where | φ + , | φ , | ψ + , | ψ represent the four two-particle B e l l states, and the specific forms are, respectively,
    | φ + = 1 2 ( | 00 + | 11 ) , | φ = 1 2 ( | 00 | 11 ) , | ψ + = 1 2 ( | 01 + | 10 ) , | ψ = 1 2 ( | 01 | 10 ) .
    (12)

    C h a r l i e uses B e l l basis { | φ + , | φ , | ψ + , | ψ } to carry out B e l l measurement on particles M , A in his possession, and the measurement result G shown in the first column of Table I is obtained, and particle B in the hand of B o b also shows the collapse result shown in the second column of Table I.

  • (S6) First, C h a r l i e encodes the measurement result G, applying the encoding rule as follows:
    | φ + M A 00 , | φ M A 01 , | ψ + M A 10 , | ψ M A 11.
    (13)

Then, C h a r l i e applies key K B C to encrypt the encoded measurement result G to obtain S = E K B C ( G ) and uses it as his proxy signature for the initial information m. C h a r l i e then encrypts S with key K C T and gets E K C T ( S ) which he sends to T r e n t.

TABLE I.

Particles M, A’s measurement result G and the collapse result of particle B.

Particles M, A’sThe collapse result of
measurement result Gparticle B
| φ + M A = 1 2 ( | 00 + | 11 ) M A  ( α | 0 b | 1 ) B 
| φ M A = 1 2 ( | 00 | 11 ) M A  ( α | 0 + b | 1 ) B 
| ψ + M A = 1 2 ( | 01 + | 10 ) M A  ( α | 1 + b | 0 ) B 
| ψ M A = 1 2 ( | 01 | 10 ) M A  ( α | 1 + b | 0 ) B 
Particles M, A’sThe collapse result of
measurement result Gparticle B
| φ + M A = 1 2 ( | 00 + | 11 ) M A  ( α | 0 b | 1 ) B 
| φ M A = 1 2 ( | 00 | 11 ) M A  ( α | 0 + b | 1 ) B 
| ψ + M A = 1 2 ( | 01 + | 10 ) M A  ( α | 1 + b | 0 ) B 
| ψ M A = 1 2 ( | 01 | 10 ) M A  ( α | 1 + b | 0 ) B 

C h a r l i e connects λ with his own ID number x C in series, encrypts it with K B C getting E K B C ( λ x C ), and sends it to B o b over a classical channel.

  • (V1) When B o b receives E K B C ( λ x C ) from C h a r l i e, he uses key K B C to decrypt E K B C ( λ x C ) to get λ and x C, applies H a s h function H C B ( ) to calculate x C, and gets H C B ( x C ) . If the value is not equal to the previously announced H C B ( x C ), B o b will abort the scheme; otherwise, B o b will think that the message sender is really C h a r l i e. Continue with the next step.

    B o b applies information generation parameter λ and key K B T to prepare quantum state | P B T = | ψ λ 1 b 1 , 1 , t 1 , 1 | ψ λ 2 b 1 , 2 , t 1 , 2 | ψ λ L b 1 , L , t 1 , L , where for each i { 1 , 2 , , L }, | ψ λ i b 1 , i , t 1 , i belongs to one of the following four states:
    | ψ 0 , 0 = | 0 , | ψ 1 , 0 = | 1 , | ψ 0 , 1 = | + = 1 2 ( | 0 + | 1 ) , | ψ 1 , 1 = | = 1 2 ( | 0 | 1 ) .
    (14)

    Then, B o b randomly inserts decoy particles composed of two orthogonal bases B z and B x into quantum state | P B T to obtain a new quantum state | P B T , while recording the positions and states of the decoy particles. B o b then sends | P B T to T r e n t via a quantum channel.

  • (V2) T r e n t recovers | P B T after passing the eavesdropping detection. T r e n t decrypts the E K A T ( λ ) received from A l i c e to obtain λ and applies key K B T and λ to prepare the quantum state | P B T . The preparation rules are the same as Eq. (4). T r e n t compares | P B T and | P B T with the method in Ref. 37 to obtain parameter θ. If they are the same, the parameter is θ = 1; otherwise, the parameter is θ = 0.

  • (V3) When T r e n t receives the E K C T ( S ) from C h a r l i e, he applies the key K C T to decrypt E K C T ( S ) and gets S. The H a s h function H ( ) is applied to it to get H ( S ).

    T r e n t encrypts S , H ( S ) , θ with K B T and gets E K B T ( S , H ( S ) , θ ), which is sent to B o b over a classical channel.

  • (V4) When B o b receives the encrypted message from T r e n t, he applies key K B T to decrypt it and gets S , H ( S ) , θ. If θ = 0, the continuation of the scheme is suspended; otherwise, B o b continues with the next step.

    B o b uses key K B C to decrypt S to get the encoded measurement result G and uses coding rule Eq. (13) to recover G. B o b then performs the unitary operation on the particle B he owns in terms of G to get | P B C , as shown in Table II.

    TABLE II.

    Bob gets the measurement result G and the corresponding unitary operation performed on particle B.

    Bob gets theThe corresponding unitary operation
    measurement result Gperformed on particle B
    | φ + M A = 1 2 ( | 00 + | 11 ) M A I 
    | φ M A = 1 2 ( | 00 | 11 ) M A σz 
    | ψ + M A = 1 2 ( | 01 + | 10 ) M A σx 
    | ψ M A = 1 2 ( | 01 | 10 ) M A y 
    Bob gets theThe corresponding unitary operation
    measurement result Gperformed on particle B
    | φ + M A = 1 2 ( | 00 + | 11 ) M A I 
    | φ M A = 1 2 ( | 00 | 11 ) M A σz 
    | ψ + M A = 1 2 ( | 01 + | 10 ) M A σx 
    | ψ M A = 1 2 ( | 01 | 10 ) M A y 

    The unitary operation corresponds to the following unitary matrices:
    I = [ 1 0 0 1 ] , σ x = [ 0 1 1 0 ] , i σ y = [ 0 1 1 0 ] , σ z = [ 1 0 0 1 ] .
    (15)
    B o b then inserts the decoy particles into | P B C and sends it to R 1 via a quantum channel.
  • (V5) R 1 removes the decoy particles to recover | P B C and applies the unitary operation Q [ 1 ] corresponding to K [ 1 ] to | P B C , thereby obtaining a new quantum state | ψ 1 = Q [ 1 ] | P B C . Among them,
    Q [ 1 ] = U 1 [ 1 ] V 1 [ 1 ] U 2 [ 1 ] V 2 [ 1 ] U L [ 1 ] V L [ 1 ] = U ( e 1 [ 1 ] ) V ( f 1 [ 1 ] ) U ( e 2 [ 1 ] ) V ( f 2 [ 1 ] ) U ( e L [ 1 ] ) V ( f L [ 1 ] ) .
    (16)
    For each i { 1 , 2 , , L }, the value of U ( e i [ 1 ] ) ( V ( f i [ 1 ] ) ) is the same as the corresponding rule of Eq. (6).

    Subsequently, R 1 inserts the decoy particles into | ψ 1 , sends it to R 2 through a quantum channel, and records the positions and states of the decoy particles.

  • (V6) After confirming that R j ( j = 2 , 3 , , t ) has received the information, R j 1 announces the positions and states of the decoy particles. R j uses the same basis as the decoy particles to measure the quantum states at the same positions and compares the measured results with the results published by R j 1. If the error rate is greater than the preset threshold, R j will abort the scheme; otherwise, R j will consider that the transmission has not been eavesdropped and continue the following step.

    R j ( j = 2 , 3 , , t ) removes the decoy particles to recover | ψ j 1 and applies the unitary operation Q [ j ] corresponding to K [ j ] to | ψ j 1 , thereby obtaining a new quantum state | ψ j = Q [ j ] | ψ j 1 . Among them,
    Q [ j ] = U 1 [ j ] V 1 [ j ] U 2 [ j ] V 2 [ j ] U L [ j ] V L [ j ] = U ( e 1 [ j ] ) V ( f 1 [ j ] ) U ( e 2 [ j ] ) V ( f 2 [ j ] ) U ( e L [ j ] ) V ( f L [ j ] ) .
    (17)
    For each i { 1 , 2 , , L }, the value of U ( e i [ j ] ) ( V ( f i [ j ] ) ) is the same as the corresponding rule of Eq. (6).

    When j < t, R j inserts the decoy particles into | ψ j and sends it to R j + 1 through the quantum channel, and records the positions and states of the decoy particles. When j = t, R t inserts the decoy particles into | ψ t and sends it to B o b via a quantum channel.

  • (V7) B o b removes the decoy particles to recover | ψ t , measures | ψ t according to the measurement basis determined by the even number of bits of key K B C, and makes XOR operations between the measurement results and the odd number of bits of key K B C, thus obtaining λ . B o b compares λ with the λ he received from C h a r l i e. If λ λ, he rejects the signature. Otherwise, B o b performs XOR operations between λ and K A B to get the initial message m and accepts S = E K B C ( G ) as the proxy signature for m. The information interaction flow of the whole scheme is shown in Fig. 4.

FIG. 4.

Scheme flow diagram.

FIG. 4.

Scheme flow diagram.

Close modal

Assuming that A l i c e wants to sign the initial message m = { 0 , 1 , 0 , 1 , 1 } by proxy, we perform the following procedures.

  • (I1) Share the key K A C = { 1 , 0 , 1 , 1 , 0 , 1 , 0 , 1 , 1 , 1 } between A l i c e and C h a r l i e; share the key K A B = { 1 , 0 , 0 , 1 , 1 } between A l i c e and B o b; share the key K A T = { 1 , 0 , 1 , 0 , 0 , 0 , 1 , 1 , 1 , 1 } between A l i c e and T r e n t; share the key K B C = { 1 , 1 , 0 , 1 , 0 , 1 , 1 , 0 , 1 , 1 } between C h a r l i e and B o b; share the key K C T = { 1 , 0 , 1 , 0 , 0 , 1 , 1 , 0 , 1 , 0 } between C h a r l i e and T r e n t; share the key K B T = { 0 , 1 , 0 , 1 , 0 , 1 , 0 , 0 , 0 , 1 } between B o b and T r e n t; share keys K T R 1 = { 0 , 1 , 0 , 1 , 0 } , K T R 2 = { 0 , 1 , 1 , 0 , 0 } , K T R 3 = { 1 , 0 , 1 , 0 , 0 } , K T R 4 = { 0 , 0 , 1 , 1 , 0 } , K T R 5 = { 1 , 0 , 1 , 0 , 0 } between Trent and R 1 , R 2 , R 3 , R 4 , R 5.

  • (I2) A l i c e shares a H a s h function H A C ( ) with C h a r l i e, and C h a r l i e shares a H a s h function H C B ( ) with B o b.

  • (I3) T r e n t first applies a random number generator to generate two classical bit strings x A = 01111 and x C = 10 111 and sends them to A l i c e and C h a r l i e, respectively. When A l i c e and C h a r l i e receive x A = 01111 and x C = 10 111, they immediately apply H a s h functions H A C ( ) and H C B ( ), respectively, and publish the results H A C ( x A ) and H C B ( x C ).

  • (I4) T r e n t and each receiver in { R 1 , R 2 , R 3 , R 4 , R 5 } share a different, non-zero x j of 10 bits length, where j = 1 , 2 , , 5. T r e n t also randomly and independently selects the secret w 1 = z , w 2 = z 2 on the field F 2 10. He computes y j = f ( x j ) over the field F 2 10, where j = 1 , 2 , , 5. T r e n t generates five shares y 1 , y 2 , , y 5 of key K A T on field F 2 10, where
    f ( x ) = z 2 x 2 + z x + z 9 + z 7 + z 3 + z 2 + z 1 + 1 mod 2 10 ,
    f ( 0 ) = w 0 = K ~ A T = z 9 + z 7 + z 3 + z 2 + z 1 + 1.
  • (I5) T r e n t encrypts the generated y ~ i by key K T R i and sends it to each multi-party verifier R i ( i = 1 , 2 , 3 , 4 , 5 ) and then announces x i. The results are shown in Table III.

  • (I6) Three multi-party verifiers are required to participate in the implementation of this scheme. For convenience, we assume that R 1 , R 2 , R 3 participate in the implementation of this scheme.

    When R i receives ( x ~ i , y i ) ( i = 1 , 2 , 3 ), he computes and secretly stores the following values K i in the field F 2 10, where
    K i = y i 1 l 3 , l i x ~ l x ~ l x ~ i mod 2 10 .
    Then, K [ i ] = ( e 1 [ i ] , f 1 [ i ] , e 2 [ i ] , f 2 [ i ] , , e 5 [ i ] , f 5 [ i ] ) is shown in Table IV , and K [ i ] also satisfies the formula: K A T = i = 1 3 K [ i ].
  • (I7) Subsequently, C h a r l i e and B o b share five-pair E P R entangled states | φ + A B = 1 2 ( | 00 + | 11 ) A B, where particle A is kept by C h a r l i e and particle B is kept by B o b.

TABLE III.

Trent generated ( x ~ i , y i ) pairs.

x ~ iyi
x ~ 1 = z y1 = z9 + z7 + z4 + z3 + z1 + 1 
x ~ 2 = z 2 y2 = z9 + z7 + z6 + z2 + z1 + 1 
x ~ 3 = z 2 + z  y 3 = z 9 + z 7 + z 6 + z 4 + z 1 + 1 
x ~ 4 = z 2 + z + 1  y 4 = z 9 + z 7 + z 6 + z 4 + z 2 + z 
x ~ 5 = z 3 + z 2 y5 = z9 + z8 + z7 + z6 + z4 + z2 + z1 + 1 
x ~ iyi
x ~ 1 = z y1 = z9 + z7 + z4 + z3 + z1 + 1 
x ~ 2 = z 2 y2 = z9 + z7 + z6 + z2 + z1 + 1 
x ~ 3 = z 2 + z  y 3 = z 9 + z 7 + z 6 + z 4 + z 1 + 1 
x ~ 4 = z 2 + z + 1  y 4 = z 9 + z 7 + z 6 + z 4 + z 2 + z 
x ~ 5 = z 3 + z 2 y5 = z9 + z8 + z7 + z6 + z4 + z2 + z1 + 1 
TABLE IV.

The calculation result of multi-party verifier and the corresponding private key.

The calculation result of
multi-party verifierCorresponding private key
K1 = z9 + z7 + z4 + z3 + z1 + 1 K[1] = {1, 0, 1, 0, 0, 1, 1, 0, 1, 1} 
K2 = z9 + z7 + z6 + z2 + z1 + 1 K[2] = {1, 0, 1, 1, 0, 0, 0, 1, 1, 1} 
K 3 = z 9 + z 7 + z 6 + z 4 + z 1 + 1 K[3] = {1, 0, 1, 1, 0, 1, 0, 0, 1, 1} 
The calculation result of
multi-party verifierCorresponding private key
K1 = z9 + z7 + z4 + z3 + z1 + 1 K[1] = {1, 0, 1, 0, 0, 1, 1, 0, 1, 1} 
K2 = z9 + z7 + z6 + z2 + z1 + 1 K[2] = {1, 0, 1, 1, 0, 0, 0, 1, 1, 1} 
K 3 = z 9 + z 7 + z 6 + z 4 + z 1 + 1 K[3] = {1, 0, 1, 1, 0, 1, 0, 0, 1, 1} 

  • (S1) First, A l i c e performs the XOR operations between the initial information m = { 0 , 1 , 0 , 1 , 1 } and the key K A B = { 1 , 0 , 0 , 1 , 1 } to obtain the information generation parameter λ = m K A B = { 1 , 1 , 0 , 0 , 0 } and then combines the key K A C = { 1 , 0 , 1 , 1 , 0 , 1 , 0 , 1 , 1 , 1 } to prepare the quantum state | P A C = | 0 | + | + | + | .

    Then, A l i c e uses the key K A T = { 1 , 0 , 1 , 0 , 0 , 0 , 1 , 1 , 1 , 1 } to obtain the corresponding unitary operation: U K A T = i σ y i σ y I i σ y H i σ y H.

  • (S2) A l i c e encodes the unitary operation U K A T = i σ y i σ y I i σ y H i σ y H with special coding rules to get w U K A T = { 10 , 10 , 00 , 11 , 11 }.

    Then, after A l i c e concatenates the encoded unitary operation w U K A T = { 10 , 10 , 00 , 11 , 11 } and x A = 01111, she uses K A C = { 1 , 0 , 1 , 1 , 0 , 1 , 0 , 1 , 1 , 1 } to encrypt it to get W = E K A C ( w U K A T x A ) and uses W as herself authorization code.

    Then, A l i c e randomly inserts decoy particles composed of two orthogonal basis into the quantum state | P A C = | 0 | + | + | + | to obtain a new quantum state | P A C and records the positions and states of the decoy particles.

    Next, A l i c e sends W and | P A C to C h a r l i e via classical and quantum channel, respectively.

  • (S3) A l i c e applies K A T = { 1 , 0 , 1 , 0 , 0 , 0 , 1 , 1 , 1 , 1 } to the information generation parameter λ = { 1 , 1 , 0 , 0 , 0 } to get E K A T ( λ ) and sends it to T r e n t.

  • (S4) After ensuring that C h a r l i e receives the message, A l i c e announces the positions and states of the decoy particles. C h a r l i e uses the same basis as the decoy particles to measure the quantum states at the same positions, compares the measurement results with the results published by A l i c e, and finds that there is no eavesdropping, C h a r l i e continues the next step.

    After obtaining | P A C = | 0 | + | + | + | , C h a r l i e measures | P A C according to the measurement basis determined by the even bits of key K A C = { 1 , 0 , 1 , 1 , 0 , 1 , 0 , 1 , 1 , 1 } and makes XOR operations between the measurement results and the odd bits of key K A C to obtain the information generation parameter λ = { 1 , 1 , 0 , 0 , 0 }.

    Then, C h a r l i e decrypts W with key K A C to get w U K A T and x A and applies H a s h function H A C ( ) to calculate x A to get H A C ( x A ) . Compared with the previously published H A C ( x A ), C h a r l i e finds that the two are the same. C h a r l i e believes that the sender of the message is indeed A l i c e and continues the following step.

    C h a r l i e decodes w U K A T according to the encoding rule Eq. (8) so that the unitary operation U K A T = i σ y i σ y I i σ y H i σ y H generated by A l i c e according to the key K A T can be obtained.

  • (S5) C h a r l i e applies the information generation parameter λ = { 1 , 1 , 0 , 0 , 0 } and key K B C = { 1 , 1 , 0 , 1 , 0 , 1 , 1 , 0 , 1 , 1 } to prepare the quantum state | P B C = | + | | + | 1 | .

    Then, C h a r l i e applies U K A T = i σ y i σ y I i σ y H i σ y H to | P B C = | + | | + | 1 | to get | P B C = | ( | + ) | + ( | + ) | 0 . Next, C h a r l i e takes | P B C as the information | P B C M that needs to be transmitted and sends it through a quantum-secure channel made up of E P R entangled particles | φ + A B = 1 2 ( | 00 + | 11 ) A B.

    The form of the combined state obtained from | P B C M and | φ + A B is
    | Φ M A B = | P B C M | φ + A B = ( α | 0 + β | 1 ) M 1 2 ( | 00 + | 11 ) A B = 1 2 ( α | 000 + α | 011 + β | 100 + β | 111 ) M A B = 1 2 ( | φ + M A ( α | 0 + β | 1 ) B + | φ M A ( α | 0 β | 1 ) B + | ψ + M A ( α | 1 + β | 0 ) B + | ψ M A ( α | 1 β | 0 ) B ) .

    C h a r l i e uses B e l l basis { | φ + , | φ , | ψ + , | ψ } to make five B e l l measurements of his particles M , A and obtains the measurement results G as shown in the second column of Table V. In addition, particle B in B o b’s hand will also show the collapse results as shown in the third column of Table V.

  • (S6) First, C h a r l i e encodes the measurement results G to get G = { 10 , 00 , 01 , 11 , 01 }.

TABLE V.

Particles M, A measurement results G and results of the collapse of particle B.

|PBCMParticles M, A measurement results GResults of the collapse of particle B
| − 〉  | ψ + M A = 1 2 ( | 01 + | 10 ) M A  1 2 ( | 1 | 0 ) B 
−| + 〉  | φ + M A = 1 2 ( | 00 + | 11 ) M A  1 2 ( | 0 | 1 ) B 
| + 〉  | φ M A = 1 2 ( | 00 | 11 ) M A  1 2 ( | 0 | 1 ) B 
−| + 〉  | ψ M A = 1 2 ( | 01 | 10 ) M A  1 2 ( | 1 + | 0 ) B 
|0〉  | φ M A = 1 2 ( | 00 | 11 ) M A |0〉B 
|PBCMParticles M, A measurement results GResults of the collapse of particle B
| − 〉  | ψ + M A = 1 2 ( | 01 + | 10 ) M A  1 2 ( | 1 | 0 ) B 
−| + 〉  | φ + M A = 1 2 ( | 00 + | 11 ) M A  1 2 ( | 0 | 1 ) B 
| + 〉  | φ M A = 1 2 ( | 00 | 11 ) M A  1 2 ( | 0 | 1 ) B 
−| + 〉  | ψ M A = 1 2 ( | 01 | 10 ) M A  1 2 ( | 1 + | 0 ) B 
|0〉  | φ M A = 1 2 ( | 00 | 11 ) M A |0〉B 

C h a r l i e then encrypts G = { 10 , 00 , 01 , 11 , 01 } with the key K B C = { 1 , 1 , 0 , 1 , 0 , 1 , 1 , 0 , 1 , 1 } to obtain S = E K B C ( G ), which he uses as his proxy signature for the initial message m. Then, C h a r l i e encrypts S with the key K C T = { 1 , 0 , 1 , 0 , 0 , 1 , 1 , 0 , 1 , 0 } and sends it to T r e n t.

C h a r l i e uses K B C to encrypt the λ = { 1 , 1 , 0 , 0 , 0 } and his identity code x C = 10 111 to obtain E K B C ( λ x C ) and sends it to B o b through the classical channel.

  • (V1) After receiving E K B C ( λ x C ) from C h a r l i e, B o b uses the key K B C = { 1 , 1 , 0 , 1 , 0 , 1 , 1 , 0 , 1 , 1 } to obtain λ = { 1 , 1 , 0 , 0 , 0 } and x C = 10 111 and applies H a s h function H C B ( ) to x C to get H C B ( x C ) . Compared with H C B ( x C ) published before, it is found that the two are the same. B o b believes that the sender of the message is indeed C h a r l i e and proceeds with the following step.

    According to the information generation parameter λ = { 1 , 1 , 0 , 0 , 0 } and key K B T = { 0 , 1 , 0 , 1 , 0 , 1 , 0 , 0 , 0 , 1 }, B o b prepares the quantum state | P B T = | | | + | 0 | + .

    Then, B o b randomly inserts the decoy particles composed of two orthogonal bases into the quantum state | P B T = | | | + | 0 | + to obtain a new quantum state | P B T and records the positions and states of the decoy particles. B o b then sends | P B T to T r e n t through the quantum channel.

  • (V2) After ensuring that T r e n t receives the information, B o b announces the positions and states of the decoy particles. T r e n t uses the same basis as the decoy particles to measure the quantum states at the same positions, compares the measurement results with B o b’s published results, and finds that there is no eavesdropping. T r e n t continues with the next step. After T r e n t removes the decoy particles in | P B T , | P B T is recovered.

    T r e n t decrypts the E K A T ( λ ) received from A l i c e to obtain λ = { 1 , 1 , 0 , 0 , 0 }, applies the key K B T = { 0 , 1 , 0 , 1 , 0 , 1 , 0 , 0 , 0 , 1 } and λ to prepare the quantum state | P B T = | | | + | 0 | + , and compares | P B T with | P B T to obtain the parameter θ = 1.

  • (V3) When T r e n t receives the E K C T ( S ) from C h a r l i e, he applies the key K C T = { 1 , 0 , 1 , 0 , 0 , 1 , 1 , 0 , 1 , 0 } to decrypt and gets S. The H a s h function H ( ) is applied to S, and H ( S ) is obtained.

    After T r e n t encrypts S , H ( S ) , θ with K B T = { 0 , 1 , 0 , 1 , 0 , 1 , 0 , 0 , 0 , 1 }, he gets E K B T ( S , H ( S ) , θ ), which is sent to B o b over the classical channel.

  • (V4) When B o b receives the encrypted message E K B T ( S , H ( S ) , θ ) from T r e n t, he applies key K B T = { 0 , 1 , 0 , 1 , 0 , 1 , 0 , 0 , 0 , 1 } to it and gets S , H ( S ) , θ. Finding θ = 1, B o b continues with the next step.

    B o b uses key K B C to decrypt S to get G = { 10 , 00 , 01 , 11 , 01 }, and code rule Eq. (13) to recover G. Then, according to G, the unitary operation shown in Table VI is performed on the particle B in his possession to obtain | P B C = | ( | + ) | + ( | + ) | 0 .

    Then, B o b inserts the decoy particles into | P B C = | ( | + ) | + ( | + ) | 0 and records the positions and states of the decoy particles, and sends it to R 1 through the quantum channel.

  • (V5) After confirming that R 1 has received the quantum information, B o b announces the positions and states of the decoy particles. R 1 uses the same basis as the decoy particles to measure the quantum states at the same positions, compares the measurement results with the results published by B o b, and finds that the transmission is not eavesdropped, R 1 continues the next step.

    R 1 removes the decoy particles to recover | P B C = | ( | + ) | + ( | + ) | 0 , and the unitary operation Q [ 1 ] = i σ y i σ y H i σ y i σ y H corresponding to K [ 1 ] = { 1 , 0 , 1 , 0 , 0 , 1 , 1 , 0 , 1 , 1 } is applied to | P B C , thus a new quantum state | ψ 1 = ( | + ) ( | ) | 0 ( | ) | can be obtained.

    Subsequently, R 1 inserts the decoy particles into | ψ 1 and records the positions and states of the decoy particles, and sends it to R 2 through the quantum channel.

  • (V6) After confirming that R 2 has received the information, R 1 announces the positions and states of the decoy particles. R 2 applies the same basis as the decoy particles to measure the quantum states at the same positions, compares the measurement results with the published results of R 1, finds that the transmission is not eavesdropped, and R 2 continues the next step.

    R 2 removes the decoy particles to recover | ψ 1 , and the unitary operation Q [ 2 ] = i σ y i σ y H I H i σ y H corresponding to K [ 2 ] = { 1 , 0 , 1 , 1 , 0 , 0 , 0 , 1 , 1 , 1 } is applied to | ψ 1 = ( | + ) ( | ) | 0 ( | ) | , thus a new quantum state | ψ 2 = ( | ) ( | 0 ) | 0 ( | 1 ) | 0 can be obtained.

    By analogy, R 3 applies the unitary operation Q [ 3 ] = i σ y i σ y H H I i σ y H corresponding to K [ 3 ] = { 1 , 0 , 1 , 1 , 0 , 1 , 0 , 0 , 1 , 1 } to | ψ 2 = ( | ) ( | 0 ) | 0 ( | 1 ) | 0 to obtain a new quantum state | ψ 3 = | + ( | ) | + ( | 1 ) | . R 3 inserts the decoy particles into | ψ 3 and sends it to B o b through the quantum channel, recording the positions and states of the decoy particles.

  • (V7) After confirming that B o b has received the quantum information, R 3 announces the positions and states of the decoy particles. B o b applies the same basis as the decoy particles to measure the quantum states at the same positions, compares the measurement results with the published results of R 3, finds that the transmission is not eavesdropped, and B o b continues with the next step.

TABLE VI.

The G obtained by Bob and the corresponding unitary operation performed on particle B.

The state after performing the
GInitial stateUnitary operationcorresponding unitary operation
|ψ+MA  1 2 ( | 1 | 0 ) B σx  1 2 ( | 0 | 1 ) B 
+MA  1 2 ( | 0 | 1 ) B I  1 2 ( | 0 | 1 ) B 
MA  1 2 ( | 0 | 1 ) B σz  1 2 ( | 0 + | 1 ) B 
|ψMA  1 2 ( | 1 + | 0 ) B y  1 2 ( | 0 | 1 ) B 
MA |0〉B σz |0〉B 
The state after performing the
GInitial stateUnitary operationcorresponding unitary operation
|ψ+MA  1 2 ( | 1 | 0 ) B σx  1 2 ( | 0 | 1 ) B 
+MA  1 2 ( | 0 | 1 ) B I  1 2 ( | 0 | 1 ) B 
MA  1 2 ( | 0 | 1 ) B σz  1 2 ( | 0 + | 1 ) B 
|ψMA  1 2 ( | 1 + | 0 ) B y  1 2 ( | 0 | 1 ) B 
MA |0〉B σz |0〉B 

B o b removes the decoy particles to recover | ψ 3 and measures | ψ 3 according to the measurement basis determined by the even bits of key K B C, and makes the XOR operations with the odd bits of key K B C to obtain λ = { 1 , 1 , 0 , 0 , 0 }. Comparing λ with the λ received from C h a r l i e and finding λ = λ, B o b makes the XOR operations between λ and K A B = { 1 , 0 , 0 , 1 , 1 } to get the initial message m = { 0 , 1 , 0 , 1 , 1 } and accepts that S = E K B C ( G ) is the proxy signature for the initial message m.

Theorem 1

After t operations by the multi-party verifiers, the verifier B o b can successfully measure and recover the information output λ .

Proof.
First, since the multi-party verifier has a binary key K [ i ] that belongs only to himself, the key K [ i ] corresponds to the polynomial: K i = y ~ i j = 1 , j i t x j x j x i, and each K i is one of the terms of S h a m i r secret sharing polynomial recovery secrets. In this scheme, when K A T = ( a 2 , 1 , t 2 , 1 , a 2 , 2 , t 2 , 2 , , a 2 , L , t 2 , L ), K [ i ] = ( e 1 [ i ] , f 1 [ i ] , e 2 [ i ] , f 2 [ i ] , , e L [ i ] , f L [ i ] ), then the following formula is established:
i = 1 t e 1 [ i ] = a 2 , 1 , i = 1 t f 1 [ i ] = t 2 , 1 , i = 1 t e 2 [ i ] = a 2 , 2 , i = 1 t f 2 [ i ] = t 2 , 2 , , i = 1 t e L [ i ] = a 2 , L , i = 1 t f L [ i ] = t 2 , L .
We use the same correspondence rules to encode these keys into corresponding unitary operations. Therefore, we propose a scheme which is similar to the quantum one-time pad, in which the signer first uses a unitary operation U K A T to operate on the quantum state | P B C , and then the multi-party verifiers use t-subunitary operations U K [ i ] to eliminate the effect of unitary operation U K A T. Although there can be a global phase factor in the final calculation result, the global phase factor does not affect the final result generated after measurement using basis B z and B x. B o b can obtain the measurement result λ after measuring the quantum state | ψ t according to the measurement basis determined by the even bits of the key, so it can be proved that the multi-party verification method of this scheme is correct and effective.  □
Theorem 2

In the verification phase, if B o b compares the measurement result λ with the information generation factor λ received from the proxy signer C h a r l i e, he finds λ = λ, then the proxy signature proposed by this scheme is correct.

Proof.

After C h a r l i e measures particles M , A, particle B will collapse due to the entanglement properties of the E P R pair. After B o b performs the corresponding unitary operation on particle B, particle B can become the same state as particle M. B o b sends the recovered states to the multi-party verifiers, and after t multi-party verifiers perform corresponding unitary operations, all the states have been restored to the original quantum states encoded by C h a r l i e. B o b can then determine the measurement basis based on the even bits of K B C and apply the odd bits of K B C and the measurement result to make the XOR operations. B o b finally finds λ = λ, then the signature in the signature scheme proposed in this paper is valid.  □

In this scheme, we get that neither the original signer A l i c e nor the proxy signer C h a r l i e can deny their authorization and signature, and the verifier B o b cannot deny that he has received the signature. According to the sending process of the authorization code in Sec. III B, we learn that C h a r l i e needs to use K A C to decrypt the authorization W sent by A l i c e. However, all key distribution is done through the Q K D protocol, which is unconditionally secure. C h a r l i e has no way of knowing the key K A T between A l i c e and T r e n t, so C h a r l i e cannot deny the authorization. Based on the above analysis, the original signer A l i c e cannot deny her authorization. Likewise, because of the unconditional security of the Q K D protocol, C h a r l i e cannot deny his proxy signature. In the verification phase, B o b can decrypt E K B T ( S , H ( S ) , θ ) with key K B T, and then decrypt S = E K B C ( G ) with key K B C to get G, so B o b cannot deny that he has received a signature generated by C h a r l i e that T r e n t sent to B o b.

1. Eve cannot forge the signature

Suppose the attacker or adversary E v e wants to forge C h a r l i e’s signature. He needs to know the key K A T shared between A l i c e and T r e n t, and the key K B C shared between C h a r l i e and B o b. However, E v e does not know the above keys, because the key distribution in this article is done through the quantum channel, Q K D protocol has unconditional security. As a result, E v e has no way of knowing the key shared between C h a r l i e and B o b to complete signature S.

2. Alice cannot forge the signature

Because the original signer A l i c e has no way of knowing the key K B C shared between the proxy signer C h a r l i e and the verifier B o b, she cannot forge the signature.

3. Bob cannot forge the signature

If the verifier B o b wants to forge a signature, he needs to know the key K A T between A l i c e and T r e n t. Because the key distribution in this paper is completed through the quantum channel, Q K D protocol has unconditional security. So the verifier B o b cannot forge the signature.

The verifier B o b cannot deny that he has verified signature S during the verifying phase. Because the trusted third party T r e n t sends the E K B T ( S , H ( S ) , θ ) to the verifier B o b during the verifying phase. Only B o b can decrypt E K B T ( S , H ( S ) , θ ) using K B T to get S and the signature S using K B C to obtain the measurement result G. To complete the quantum teleportation to obtain the transferred quantum state for the following multi-party verification process. So Bob cannot deny that he has verified the signature.

The quantum state sent by R j is the tensor product of multiple qubits. Each qubit is randomly located in one of two conjugate bases. When the external adversary E v e does not know e i [ j ] ( f i [ j ] ), he cannot perform the correct unitary operation on each qubit. If he adopts an intercept-resend attack, he can only implement the unitary operation by guessing, and the probability of not being detected is ( 1 4 ) L. In addition, due to the inserted position of the decoy particle and the randomness of the quantum state, the probability of E v e not being detected by just guessing is ( 1 4 ) n(if the number of decoy particles is n). Therefore, the scheme is resistant to intercept-resend attack.

Suppose a dishonest verifier R i tries to find the value of another verifier R j’s key, and then collaborates with t 2 other verifiers to recover the secret message. R i prepares a false signal and sends it to R j. From the false signal that R j operates on, R i tries to get R j’s key.

Without losing generality, we assume that R j performs one of four unitary operations with equal probability for each qubit and that the unitary operations performed by each qubit are independent. It is therefore illustrative to consider R i eavesdropping on a qubit.

The false signal of R i can be represented as | γ = | 0 ( a | 0 + b | 1 ) + | 1 ( c | 0 + d | 1 ), where | a | 2 + | b | 2 + | c | 2 + | d | 2 = 1, for simplicity, we consider each probability amplitude to be a real number, but the security proof applies equally to complex numbers.

R j applies one of the four unitary operations with equal probability to the qubit he receives. The quantum state can be expressed as
κ = 1 4 | γ γ | + 1 4 ( U I ) | γ γ | ( U + I ) + 1 4 ( V I ) | γ γ | ( I V + ) + 1 4 ( U V I ) | γ γ | ( V + U + I ) .
The interaction information between R i and R j extracted from this quantum state can be represented by the von-Neumann entropy, I ( R i , R j ) S ( T r e ( κ ) ). To compute the von-Neumann entropy, we need to compute the eigenvalue of T r e ( κ ), which is the root of the characteristic polynomial d e t ( T r e ( κ ) λ I ). We have
λ 1 , 2 = 1 2 ( 1 + 2 a b + 2 c d ) .
Therefore, there are
I ( R i , R j ) λ 1 log 2 λ 1 λ 2 log 2 λ 2 .
For λ 1 = λ 2 = 1 2, I ( R i , R j ) reaches a maximum of 1 bit. Therefore, R i can eavesdrop on 1 bit of operation information for every 2 bits of operation information on each qubit.

However, when R i prepares legal qubits, I ( R i , R j ) can also reach a maximum, that is, the values of a , b , c , d meet a d + b c = 0. Since there are many values of a that satisfy the above conditions, they are not listed in detail here. So R i cannot get more information by sending a false signal than by sending a legitimate one. R i’s eavesdropping will introduce errors and result in invalid signatures.

Suppose that no less than t multi-party verifiers collude to forge signature, all the multi-party verifiers can only recover the key K A T together, and then they pretend to be the original signer A l i c e and send the forged E K A T ( λ ) to trusted third party T r e n t, because they do not know K A C and the identity information x A of A l i c e. Therefore, C h a r l i e cannot be deceived successfully to make the scheme proceed smoothly. So the scheme can resist the collusion attack of t multi-party verifiers.

According to Ref. 38, the quantum efficiency of this scheme can be defined as
η = b s q m + b m .
Here, b s represents the number of bits of information M, q m represents the number of qubits transmitted on the quantum channel, and b m represents the number of classical bits transmitted on the classical channel. In this scheme, we do not consider the length of eavesdropping detection and initial detection parameter. In our scheme, the length of initial information m is L bits. In the whole scheme, the total length of information transmitted by A l i c e and C h a r l i e is 4 L bits, the length of information transmitted by A l i c e and T r e n t is L bits, the length of information transmitted by C h a r l i e and T r e n t is 2 L bits, and the total length of information transmitted between C h a r l i e and B o b is 2 L bits. B o b transmits L bits of quantum information to T r e n t, and T r e n t transmits 4 L bits of classical information to B o b, and a total of ( t + 1 ) L bits of quantum information are transmitted in the multi-party verification stage. Thus, the efficiency of our scheme is
η = b s q m + b m = L 4 L + L + 2 L + 2 L + L + 4 L + ( t + 1 ) L = 1 t + 15 .

As shown in Table VII, the scheme in this paper is compared with Refs. 31, 39, and 40 mainly in terms of quantum teleportation, multi-party verification, and efficiency. When t is greater than or equal to 3, it can be found that the efficiency of our scheme is better than that of Refs. 39 and 40. When t is greater than or equal to 13, the efficiency of our scheme is better than that of Ref. 31. In general, the value of t is generally large enough, so the efficiency of our scheme has certain advantages compared with that of Refs. 31, 39, and 40.

TABLE VII.

Scheme comparison.

SchemeQuantum teleportationMulti-party verificationEfficiency
Ref. 31  × ✓  1 2 t + 2 
Ref. 39  × ×  1 6 t + 3 
Ref. 40  × ×  1 6 t + 4 
Our scheme ✓ ✓  1 t + 15 
SchemeQuantum teleportationMulti-party verificationEfficiency
Ref. 31  × ✓  1 2 t + 2 
Ref. 39  × ×  1 6 t + 3 
Ref. 40  × ×  1 6 t + 4 
Our scheme ✓ ✓  1 t + 15 

This paper proposes a multi-party verifiable quantum proxy signature scheme based on quantum teleportation. Different from the schemes in Refs. 31, 39, and 40, we combine quantum teleportation, multi-party verification, and quantum proxy signature. Using H a s h functions H A C ( ) and H B C ( ) for authentication can effectively solve the identity problem between the original signer A l i c e and the proxy signer C h a r l i e, and between the proxy signer C h a r l i e and the verifier B o b in the scheme. Using the special proxy signature authorization form W = E K A C ( w U K A T x A ), the proxy signer can verify the correctness of the original signer’s authorization, and the proxy signer can apply the unitary operation U K A T corresponding to the key K A T to generate the signature without knowing the key K A T. At the same time, our scheme is resistant to intercept-resend attack and ( t 1 )-party cheating attack. This scheme uses B e l l state as the channel of quantum teleportation. B e l l state has the characteristics of simple preparation and other. Compared with Refs. 31, 39, and 40, the efficiency of the scheme has been significantly improved, so it has good application prospects.

We would like to thank the anonymous reviewers for their valuable comments. This work was supported by Special Project for International Cooperation in Science and Technology of Qinghai Province (No. 202402050039)

The authors have no conflicts to disclose.

Chengxiang Wang: Conceptualization (equal); Data curation (equal); Formal analysis (equal); Project administration (equal); Validation (equal); Writing – original draft (equal); Writing – review & editing (equal). Dianjun Lu: Conceptualization (equal); Formal analysis (equal); Supervision (equal); Validation (equal); Writing – review & editing (equal). Fuyao Tian: Supervision (equal); Validation (equal); Writing – review & editing (equal). Weixin Yao: Validation (equal); Writing – review & editing (equal).

The data that support the findings of this study are available from the corresponding author upon reasonable request.

2.
D.
Gottesman
and
I.
Chuang
, arXiv:0105032v2 (2001).
3.
H.
Lee
,
C. H.
Hong
,
H.
Kim
,
J.
Lim
, and
H. J.
Yang
,
Phys. Lett. A
321
,
295
(
2004
).
4.
X. J.
Wen
,
X. M.
Niu
,
L. P.
Ji
, and
Y.
Tian
,
Opt. Commun.
282
,
666
(
2009
).
5.
C. S.
Yoon
,
M. S.
Kang
,
J. I.
Lim
, and
H. J.
Yang
,
Phys. Scr.
90
,
015103
(
2015
).
6.
X. J.
Xin
,
Z.
Wang
,
Q. L.
Yang
, and
F. G.
Li
,
Int. J. Mod. Phys. B
34
,
2050087
(
2020
).
7.
X. L.
Song
,
F. Y.
Li
, and
S. W.
Hu
,
Int. J. Mod. Phys. B
37
,
2350199
(
2023
).
8.
X. J.
Xin
,
L.
Ding
,
T. Y.
Zhang
,
Q. L.
Yang
, and
C. Y.
Li
,
Quantum Inf. Process.
21
,
390
(
2022
).
9.
X. J.
Xin
,
L.
Ding
,
Q. L.
Yang
,
C. Y.
Li
,
T. Y.
Zhang
, and
Y. X.
Sang
,
Quantum Inf. Process.
21
,
246
(
2022
).
10.
R. B.
Lu
,
J. X.
Zhong
,
Y. Q.
Shi
,
B. L.
Liao
,
L.
Luo
, and
L.
Lan
,
Quantum Inf. Process.
22
,
157
(
2023
).
11.
J. X.
Zhong
,
B. L.
Liao
,
Y. Q.
Shi
, and
R. B.
Lu
,
Int. J. Mod. Phys. B
36
,
2250128
(
2022
).
12.
Z.
Wang
,
J.
Li
,
X. B.
Chen
, and
C. Q.
Ye
,
Quantum Inf. Process.
21
,
386
(
2022
).
13.
Z. M.
Deng
,
D. J.
Lu
,
T.
Chen
,
H. J.
Mou
, and
X. J.
Wei
,
Int. J. Theor. Phys.
62
,
201
(
2023
).
14.
T.
Chen
,
D. J.
Lu
,
Z. M.
Deng
, and
H. J.
Mou
,
Laser Phys. Lett.
20
,
105205
(
2023
).
15.
S. N.
Gao
,
X. J.
Chen
,
H. B.
Li
,
W.
Susilo
, and
Q.
Huang
,
Comput. Stand. Interfaces
88
,
103782
(
2024
).
16.
D. K.
Mou
,
Y. M.
Dong
, and
R.
Yan
,
J. Appl. Phys.
134
,
074401
(
2023
).
17.
G.
Chen
,
Y. Q.
Wang
,
L. Y.
Jian
,
Y.
Zhou
,
S. M.
Liu
,
J. W.
Luo
, and
K.
Yang
,
J. Appl. Phys.
133
,
064402
(
2023
).
18.
A.
Karlsson
and
M.
Bourennane
,
Phys. Rev. A
58
,
4394
(
1998
).
19.
X. J.
Wen
,
Y.
Tian
,
L. P.
Ji
, and
X. M.
Niu
,
Phys. Scr.
81
,
055001
(
2010
).
20.
Q.
Su
and
W. M.
Li
,
Int. J. Theor. Phys.
53
,
1208
(
2014
).
21.
F. L.
Chen
and
Z. F.
Han
,
Int. J. Quantum Inf.
14
,
1650041
(
2016
).
22.
Z. Q.
Li
and
H. J.
Zuo
,
Phys. Scr.
93
,
095102
(
2018
).
23.
T.
Zheng
,
Y.
Chang
, and
S. B.
Zhang
,
Quantum Inf. Process.
19
,
163
(
2020
).
24.
D. J.
Lu
,
Z. H.
Li
,
J.
Yu
, and
Z. W.
Han
,
Entropy
24
,
111
(
2022
).
25.
M.
Mambo
,
K.
Usuda
, and
E.
Okamoto
,
IEICE Trans. Fund. Electron. Commun. Comput. Sci.
79
,
1338
(
1996
).
27.
J. X.
Zhou
,
Y. J.
Zhou
,
X. X.
Niu
, and
Y. X.
Yang
,
Sci. China Phys. Mech. Astron.
54
,
1828
(
2011
).
28.
W.
Guo
,
S. C.
Xie
, and
J. Z.
Zhang
,
Int. J. Theor. Phys.
56
,
1708
(
2017
).
29.
J.
Yu
and
J. H.
Zhang
,
Int. J. Theor. Phys.
60
,
2709
(
2021
).
30.
T. T.
Fan
,
D. J.
Lu
,
M. G.
You
, and
S. J.
Qian
,
Int. J. Theor. Phys.
61
,
273
(
2022
).
31.
Y. G.
Yang
and
Q. Y.
Wen
,
Sci. China Ser. G
51
,
1079
(
2008
).
33.
34.
P. W.
Shor
and
J.
Preskill
,
Phys. Rev. Lett.
85
,
441
(
2000
).
35.
Q. Y.
Cai
and
B. W.
Li
,
Chin. Phys. Lett.
21
,
601
(
2004
).
36.
Z. J.
Zhang
and
Z. X.
Man
,
Phys. Rev. A
72
,
022303
(
2005
).
37.
X. F.
Zou
and
D. W.
Qiu
,
Phys. Rev. A
82
,
042325
(
2010
).
38.
Q. Q.
He
,
X. J.
Xin
, and
Q. L.
Yang
,
Quantum Inf. Process.
20
,
26
(
2021
).
39.
X. Q.
Liang
,
Y. L.
Wu
,
Y. H.
Zhang
,
S. S.
Wang
, and
G. B.
Xu
,
Int. J. Theor. Phys.
58
,
31
(
2019
).
40.
W.
Guo
,
J. Z.
Zhang
,
Y. P.
Li
, and
W.
An
,
Int. J. Theor. Phys.
55
,
3524
(
2016
).