Optica Publishing Group

Experimental transmission of quantum digital signatures over 90 km of installed optical fiber using a differential phase shift quantum key distribution system

Open Access

Abstract

Quantum digital signatures (QDSs) apply quantum mechanics to the problem of guaranteeing message integrity and non-repudiation with information-theoretical security, which are complementary to the confidentiality realized by quantum key distribution (QKD). Previous experimental demonstrations have been limited to transmission distances of less than 5 km of optical fiber in a laboratory setting. Here we report, to the best of our knowledge, the first demonstration of QDSs over installed optical fiber, as well as the longest transmission link reported to date. This demonstration used a 90 km long differential phase shift QKD to achieve approximately one signed bit per second, an increase in the signature generation rate of several orders of magnitude over previous optical fiber demonstrations.

© 2016 Optical Society of America

For many years, it was generally trusted that a simple handwritten signature was hard to forge and, therefore, could be taken as certification that the signatory was willing to be considered a source of the message and agreed with the contents. In addition, there was an acceptance that a signed message would be validated by a third party, which allowed complex transaction systems to operate with reasonable ease.

The field of digital signatures seeks to restore some of the practical security aspects of handwritten signatures lost in the transition to digital communications. Digital signatures must guarantee no forging (that a message is signed by the legitimate sender and has not been modified), and non-repudiation. (Alice cannot successfully deny that she sent the message.) Currently used digital signature schemes typically rely on “one-way” functions, which are computationally easy to evaluate in one direction, but computationally difficult to invert without additional information. However, there is no existing proof of the long-term security of these signature schemes, and they are vulnerable to algorithmic breakthroughs, emerging quantum data processing technologies and even significant large-scale investment in conventional computational technologies; thus, they only offer “computational security” against an attacker with the currently accepted standards of reasonable computational resources.

Naturally, there is a strong motivation to develop digital signature schemes that offer “information-theoretical security,” meaning that they are secure against all attackers, even those with unlimited computational resources. The Wegman–Carter message authentication scheme offers information-theoretical security. However, to guarantee non-repudiation as well, one possibility is to use quantum digital signatures (QDSs). QDS schemes operate using technology similar to that of quantum key distribution (QKD), but employ protocols that do not require distillation of a fully secret key. Indeed, it is possible that both QKD and QDS schemes can work in parallel along the same optical fibers. This Letter demonstrates, to the best of our knowledge, the first implementation of QDS in an installed optical fiber infrastructure, as well as the longest QDS link reported so far.

The first experimental demonstration of QDS operated over a limited transmission distance of 5 m, using an all-optical multiport to guarantee transferability of the phase-encoded coherent states that composed the signature [1]. The multiport was two interwoven optical fiber Mach–Zehnder interferometers and exhibited path-length instability and relatively high optical loss of 7.5 dB. Furthermore, this first experimental demonstration required a quantum memory at each receiver to store the optical coherent states until the classical description was transmitted. This transmission could occur a significant time after the quantum transmission, therefore rendering this protocol impractical.

The requirement for quantum memory was removed in a subsequent revision to the protocol which employed unambiguous state elimination (USE) measurement of the optical coherent states at the receiver [2]. A further revision to the protocol removed the requirement for the multiport [3], permitting operation at transmission distances of up to 2 km [4]. The primary limit on the transmission distance of this system was the comparatively high loss of the optical fiber, $2.2\ \mathrm{dB\,km^{-1}}$ at the wavelength of 850 nm used for these experiments. This wavelength was chosen to offer compatibility with low-noise semiconductor silicon single-photon avalanche diode (Si-SPAD) single-photon detectors [5]. Recent developments in semiconductor [6] and superconducting [7] single-photon detection technologies offer the prospect of low-noise operation at wavelengths in the traditional telecommunications wavelength bands around 1550 nm.

Digital signature protocols have two stages, a distribution stage and a messaging stage. The distribution stage establishes signatures to enable signed messages to be sent and received in the messaging stage, which is entirely classical and could occur at any future date. Figure 1 shows a basic schematic of the operation of the revised protocol used in this Letter. Distinct from many quantum communications protocols, Bob and Charlie here were senders of photons, while Alice was the receiver. Here, we will describe how to sign a 1 bit message, m; longer messages may be sent by suitably iterating this procedure.

Fig. 1. Schematic representation of the processes carried out to perform the distribution stage of QDS. Bob and Charlie conduct QKD with Alice, without error correction and privacy amplification, to generate partially correlated bit sequences. These are then post-processed over a shared QKD link between Bob and Charlie to generate the QDSs.

In the distribution stage, Bob and Charlie independently choose two random sequences of bits, one sequence for each possible message, 0 or 1. In the simple example that follows, we focus on Bob sending a single-bit string to Alice for the future message 0. We do this with the understanding that he also does this with a separate bit string for future message 1, and that Charlie does the same for both single-bit messages 0 and 1. To communicate his bit strings to Alice, Bob carries out a partial QKD [8] procedure, without error correction and privacy amplification. Subsequently, Bob discards any bits for which Alice received no measurement outcome. Bob sends states until Alice has received a pre-specified number of measurement outcomes. Following this, Alice’s bit string will be partially correlated with Bob’s but, since we do not perform the classical post-processing of QKD, the correlation and secrecy of their bit strings will not be perfect, and an eavesdropper could have partial information.

Alice and Bob then agree on and sacrifice a small number, k, of the bits in their keys to estimate the error rate between their strings, leaving a remaining key of length L. For each possible future message, Bob and Charlie randomly and independently choose L/2 of the bits in their strings to forward to the other recipient. Bob and Charlie keep secret from Alice the bits that are forwarded and the bits that are retained. This last step is achieved using a full QKD link between Bob and Charlie to provide a secure communications channel.

At the end of the distribution stage, for each future message, Alice holds information on the strings sent by both Bob and Charlie, while Bob holds only partial information on the string sent by Charlie and, similarly, Charlie holds only partial information on the string sent by Bob.

In the original theoretical outline [3], it was proposed that the communication between Alice and Bob, and between Alice and Charlie, be carried out using phase-basis set QKD with the BB84 protocol conducted to generate a raw key, but without error correction or privacy amplification performed. Here we report the first application of differential phase shift (DPS) QKD [8] to QDS. We employed the 1 GHz clock rate DPS QKD system developed by NTT as part of the Tokyo QKD Network [9,10], as shown in schematic form in Fig. 2. In our demonstration, Bob and Charlie alternately performed partial DPS QKD with Alice to generate partly correlated bit strings that can be used for the formation of signatures. DPS QKD has the advantage that there is no requirement for basis set reconciliation and, consequently, no associated discarding of photon detection events. The system transmitted over a 45 km long fiber in a loopback configuration, as shown in Fig. 2, with approximately half the fiber being in underground ducting and half being overhead lines. The round-trip exhibited a loss of 31 dB, and the Alice receiver optics had an additional loss of 10 dB. The system employed a mean photon number per pulse (μ) at the output of Alice of 0.2 photons per pulse. The superconducting niobium-nitride meander structure nanowire single-photon detectors had a detection efficiency of 30% and a dark count rate, in the absence of signal photons, of 100 counts per second. This compares to a detection efficiency of 40.5% and a dark count rate of 320 counts per second for the Si-SPADs used in previous systems at a wavelength of 850 nm [1,2,4]. The combination of these factors meant that the mean detector event rate during operation was approximately 10 k counts per second. Bob and Charlie each generated a shared bit string of 2 Mbits with Alice at a quantum bit error rate of 1.08% by transmitting a unique sequence to her. 
The Bob–Charlie bit exchange was then carried out over a classical channel secured using a separate BB84 QKD system developed by NEC and NICT and operating over a 22 km long optical fiber channel [11].

Fig. 2. DPS system employed to carry out QDS generation. LD is a CW laser diode; IM is an intensity modulator used to generate optical pulses at a clock rate of 1 GHz; PM is a phase modulator used to encode the potential bit value, chosen using a pseudo-random bit sequence from a field-programmable gate array. The optical attenuator, ATT, selects a desired mean photon level, while E/O is an electrical to optical encoder that transmits the clock pulse used to phase-lock the sender and receiver. At the receiver, Alice, the photons from the sender, Bob or Charlie, were detected by superconducting single-photon detectors and a digital signal processor used to compile the data for signature generation. Clock recovery is carried out by the optical to electrical encoder O/E. MZI is a delay of duration T, the time between successive pulses introduced by the IM.

In the second stage of the protocol, the messaging stage, Alice chooses a message m and sends it together with her corresponding 2L measurement outcomes of the states sent to her by both Bob and Charlie for message m. All communication during the messaging stage takes place over pairwise authenticated classical communication channels; quantum communication is needed only in the distribution stage. Naturally, the quantum effects must be considered to quantify the information obtainable by an eavesdropper in the distribution stage, as this will directly affect the security of the scheme. For the scheme to be robust and secure, we require three security guarantees to hold with high probability. First, we require that if all participants are honest, the protocol does not abort. Second, we require that no one can send a message to Bob or Charlie pretending to be Alice, and get that message accepted. We call this security against forging. Third, we require that Alice cannot send a message that will be accepted by one participant and rejected by the other. We call this security against repudiation/non-transferability. For more exact security definitions, we direct the reader to the recent work of Arrazola et al. [12].

Suppose Alice sends the message to Bob. To accept the message, Bob checks Alice’s private key against the key he sent for the message m. He accepts the message if he finds fewer than $L s_a$ mismatches, where $s_a$ is an authentication threshold; otherwise, he rejects it.

If Bob wishes to forward the message, he sends the message, together with Alice’s private key, to Charlie. Charlie then checks for mismatches in the same way as before, but applies a different verification threshold $s_v$, which is greater than $s_a$. The message is only accepted if there are fewer than $L s_v$ mismatches; otherwise, it is rejected. It is important that the threshold for accepting a message directly from Alice is different from the threshold for accepting a forwarded message; otherwise, Alice could repudiate with a high probability. Signing a message uses up the distributed signatures, which cannot be reused.

To provide a security analysis, we use the approach outlined by Diamanti [13] to bound Eve’s ability to successfully forge. Namely, for the given experimental set up, we can find Eve’s probability of successfully guessing each bit sent by Bob/Charlie to Alice. The results are valid only for a restricted class of attacks by Eve, namely individual attacks and sequential attacks. Individual attacks are attacks in which the eavesdropper acts separately and independently on each qubit sent over the quantum channel. Collective measurements and operations entangling successive qubits are not allowed. Sequential attacks are an extended form of the “intercept and resend” strategy, whereby Eve waits for a certain number of consecutive detection events and modifies her strategy accordingly. Though these attacks may seem restrictive, they essentially include all attacks possible with current technology. Further, security in the completely general setting could be proven using the results of Tamaki et al. [14], but would require a slightly modified experimental setup, as well as photon number resolving detectors.

Using adapted forms of Eqs. (3.23) and (3.28) of [13], we find that Eve’s probability of incorrectly guessing the bit sent by Bob is

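$$P_e = 1 - \mathrm{Max}\left\{ 2\mu(1-T) + \bigl(1 - 2\mu(1-T)\bigr)\left(1 - e^2 - \tfrac{1}{2}(1-6e)^2\right),\; 2de + \tfrac{1}{2}(1 - 2de) \right\},$$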
where T is the total transmission efficiency of the system, e is the QBER, and d=LogμT+1, as derived from (3.26) of [13]. For the experimental setup considered here, we have
$$P_e = 0.262.$$

With this, we can use Hoeffding’s inequalities [15], together with the methods in our previous work [3], to find

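$$\mathrm{Prob}(\text{Honest Abort}) \le 2\,\mathrm{Exp}\left[-(s_a - e)^2 L\right],$$
$$\mathrm{Prob}(\text{Repudiation}) \le 2\,\mathrm{Exp}\left[-\left(\frac{s_v - s_a}{2}\right)^2 L\right],$$
$$\mathrm{Prob}(\text{Forge}) \le \mathrm{Exp}\left[-(P_e - s_v)^2 L\right].$$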

We say that the protocol is secure to a level of $\epsilon$, if the above three quantities are all less than $\epsilon$. To make all probabilities approximately equal (unless we have a reason to favor one over any other), we define $g = P_e - e$ and set $s_a = e + g/4$, $s_v = e + 3g/4$. In our previous demonstrations of QDS, the $\epsilon$ parameter was chosen to be $10^{-4}$. If this is applied to our system, we require $L = 2{,}502$ counts at a receiver to sign a half-bit, or approximately two bits could be signed per second. QKD systems typically employ a smaller $\epsilon$ parameter of around $10^{-10}$, and applying this to our system gives $L = 5{,}992$ counts to sign a half-bit (either $m = 0$ or $m = 1$) or approximately one signed bit per second.
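The thresholds and bounds above, together with the mismatch test from the messaging stage, as an added Python example (not code from the Letter or its authors). It uses the rounded values printed on the page ($P_e = 0.262$, QBER 1.08%), so the computed $L$ lands within about half a percent of the quoted figures; the single-string verification model, the independent per-bit errors and all function names are assumptions made for illustration.

```python
import math
import random

# Rounded values printed on the page: QBER e and Eve's per-bit error probability P_e.
QBER = 0.0108
P_E = 0.262


def thresholds(p_e, e):
    """Return (s_a, s_v) using g = P_e - e, s_a = e + g/4, s_v = e + 3g/4."""
    g = p_e - e
    return e + g / 4, e + 3 * g / 4


def failure_bounds(p_e, e, length):
    """Bounds from the page for a signature of length L."""
    s_a, s_v = thresholds(p_e, e)
    return {
        "honest_abort": 2 * math.exp(-((s_a - e) ** 2) * length),
        "repudiation": 2 * math.exp(-(((s_v - s_a) / 2) ** 2) * length),
        "forge": math.exp(-((p_e - s_v) ** 2) * length),
    }


def min_length(p_e, e, eps):
    """Smallest integer L for which all three bounds are at most eps."""
    s_a, s_v = thresholds(p_e, e)
    needed = (
        math.log(2 / eps) / (s_a - e) ** 2,
        math.log(2 / eps) / ((s_v - s_a) / 2) ** 2,
        math.log(1 / eps) / (p_e - s_v) ** 2,
    )
    return math.ceil(max(needed))


def noisy_copy(bits, flip_prob, rng):
    """Copy of bits with each position flipped independently with flip_prob."""
    return [b ^ int(rng.random() < flip_prob) for b in bits]


def accepts(reference, signature, threshold):
    """Accept only if there are fewer than L * threshold mismatches."""
    mismatches = sum(r != s for r, s in zip(reference, signature))
    return mismatches < len(reference) * threshold


def simulate(eps=1e-10, seed=1):
    """Constructed run: honest Alice versus a forger who errs with probability P_e."""
    rng = random.Random(seed)
    length = min_length(P_E, QBER, eps)
    s_a, s_v = thresholds(P_E, QBER)
    sent = [rng.getrandbits(1) for _ in range(length)]  # recipient's own string
    alice = noisy_copy(sent, QBER, rng)    # Alice's outcomes, errors at the QBER
    forged = noisy_copy(sent, P_E, rng)    # forger's per-bit guesses
    return {
        "L": length,
        "direct_accepts_alice": accepts(sent, alice, s_a),
        "forwarded_accepts_alice": accepts(sent, alice, s_v),
        "direct_accepts_forgery": accepts(sent, forged, s_a),
        "forwarded_accepts_forgery": accepts(sent, forged, s_v),
    }


if __name__ == "__main__":
    for eps in (1e-4, 1e-10):
        print(eps, min_length(P_E, QBER, eps), simulate(eps))
```

With $g/4$ as the margin in every exponent, the honest-abort and repudiation bounds (which carry the factor 2) set $L$, and the forging bound is then satisfied with room to spare.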

We have successfully conducted the first experimental demonstration of QDSs over 90 km of installed optical fiber. Depending on the desired level of security (as characterized by the parameter $\epsilon$), the system can sign around one or two bits per second (assuming a value for $\epsilon$ of $10^{-4}$ and $10^{-10}$, respectively). This compares very favorably, as shown in Fig. 3, with our previous demonstrations which, for an $\epsilon$ of $10^{-4}$, would take either eight years to sign a half-bit [2] in the case of the multiport system or 20 s in the optimum case of the short wavelength system at a distance of 500 m [4]. Recent work applying continuous-variable QKD over a 1.6 km free-space link to QDS achieved a signing rate of approximately 33 half bits per second for an $\epsilon$ of $10^{-4}$ [17]. By demonstrating that optical fiber QKD systems can be used to provide the complementary security of digital signatures, this work offers the prospect of commercial systems capable of offering both QKD and QDS. It is our estimation that a 1550 nm wavelength BB84 based QKD system at the same clock rate and transmission distance will operate with comparable performance to the DPS system presented here.

Fig. 3. Comparison between the work presented in this Letter (blue filled square), previous optical fiber-based demonstrations employing USE at the same $|\alpha|^2$ of 0.2 (red hollow triangles), previous optical fiber-based demonstrations employing USE at a near optimal $|\alpha|^2$ of 0.4 (magenta hollow circles), and a recent work employing continuous variable QKD to QDS over a free-space link (orange hollow star); see the dataset [16].

Funding

Daiwa Anglo-Japanese Foundation (10803/11543); Engineering and Physical Sciences Research Council (EPSRC) (EP/G009821/1, EP/K022717/1, EP/K015338/1); ImPACT Program of Council for Science, Technology and Innovation (Cabinet Office, Government of Japan).

Acknowledgment

The authors gratefully acknowledge K. Yoshino, T. Ochi, and A. Tajima of NEC for supporting the operation of the QKD link between Koganei and Fuchu.

REFERENCES AND NOTES

1. P. J. Clarke, R. J. Collins, V. Dunjko, E. Andersson, J. Jeffers, and G. S. Buller, Nat. Commun. 3, 1174 (2012).

2. R. J. Collins, R. J. Donaldson, V. Dunjko, P. Wallden, P. J. Clarke, E. Andersson, J. Jeffers, and G. S. Buller, Phys. Rev. Lett. 113, 040502 (2014).

3. R. Amiri, P. Wallden, A. Kent, and E. Andersson, Phys. Rev. A 93, 032325 (2016).

4. R. J. Donaldson, R. J. Collins, K. Kleczkowska, R. Amiri, P. Wallden, V. Dunjko, J. Jeffers, E. Andersson, and G. S. Buller, Phys. Rev. A 93, 012329 (2016).

5. G. S. Buller and R. J. Collins, Meas. Sci. Technol. 21, 012002 (2010).

6. B. Korzh, N. Walenta, T. Lunghi, N. Gisin, and H. Zbinden, Appl. Phys. Lett. 104, 081108 (2014).

7. C. M. Natarajan, M. G. Tanner, and R. H. Hadfield, Supercond. Sci. Technol. 25, 063001 (2012).

8. K. Inoue, E. Waks, and Y. Yamamoto, Phys. Rev. Lett. 89, 037902 (2002).

9. M. Sasaki, M. Fujiwara, H. Ishizuka, W. Klaus, K. Wakui, M. Takeoka, S. Miki, T. Yamashita, Z. Wang, A. Tanaka, K. Yoshino, Y. Nambu, S. Takahashi, A. Tajima, A. Tomita, T. Domeki, T. Hasegawa, Y. Sakai, H. Kobayashi, T. Asai, K. Shimizu, T. Tokura, T. Tsurumaru, M. Matsui, T. Honjo, K. Tamaki, H. Takesue, Y. Tokura, J. F. Dynes, A. R. Dixon, A. W. Sharpe, Z. L. Yuan, A. J. Shields, S. Uchikoga, M. Legré, S. Robyr, P. Trinkler, L. Monat, J.-B. Page, G. Ribordy, A. Poppe, A. Allacher, O. Maurhart, T. Länger, M. Peev, and A. Zeilinger, Opt. Express 19, 10387 (2011).

10. K. Shimizu, T. Honjo, M. Fujiwara, T. Ito, K. Tamaki, S. Miki, T. Yamashita, H. Terai, Z. Wang, and M. Sasaki, J. Lightwave Technol. 32, 141 (2014).

11. K. Yoshino, T. Ochi, and M. Fujiwara, Opt. Express 21, 31395 (2013).

12. J. M. Arrazola, P. Wallden, and E. Andersson, Quantum Inf. Comput. 16, 0435 (2016).

13. E. Diamanti, “Security and implementation of differential phase shift quantum key distribution systems,” Ph.D. thesis (Stanford University, 2006).

14. K. Tamaki, M. Koashi, and G. Kato, “Unconditional security of coherent-state-based differential phase shift quantum key distribution protocol with block-wise phase randomization,” arXiv:1208.1995 [quant-ph] (2012).

15. W. Hoeffding, J. Am. Stat. Assoc. 58, 13 (1963).

16. The dataset for the work reported in this Letter is available under open-access from doi: 10.17861/e9601420-6e29-423c-9bbd-04f3caee5820.

17. C. Croal, C. Peuntinger, B. Heim, I. Khan, C. Marquardt, G. Leuchs, P. Wallden, E. Andersson, and N. Korolkova, Phys. Rev. Lett. 117, 100503 (2016).
