## Abstract

Quantum digital signature (QDS) has been proved to be secure in theory, but in practice the transmission of qubits is inevitably disturbed by channel noise. We propose two practical fault-tolerant quantum digital signature protocols for collective noises. To resist the collective noises, a decoherence-free subspace (DFS) containing four logical qubits is constructed, which improves the performance of QDS protocols in terms of communication fidelity. Moreover, we prove that the protocols are secure against forging and repudiation attacks, discuss the influence of different verification thresholds on the security, and give a quantitative analysis.

© 2022 Optica Publishing Group under the terms of the Optica Open Access Publishing Agreement

## 1. Introduction

Digital signature, as a branch of cryptography, plays an important role in data integrity protection and identity authentication. However, the security of traditional digital signatures mainly relies on the computational complexity of large-number factorization and other difficult mathematical problems. In 1994, Shor [1] proposed a quantum algorithm that can quickly break traditional digital signatures such as the RSA signature [2].

Quantum digital signature (QDS) offers a means of generating the private signature that relies on information-theoretic limits and quantum mechanics. The first QDS protocol, proposed by Gottesman and Chuang [3], is secure in theory but requires the Swap test, long-term quantum memory and a secure quantum channel. These requirements and restrictions make QDS difficult to implement with currently available technology. Later, Andersson [4] proposed a practical QDS protocol that replaces the Swap test with an optical multiport but still requires quantum memory. In 2012, a QDS protocol based on coherent states was proposed and experimentally implemented [5]. Dunjko et al. [6] proposed a QDS protocol that does not require long-term quantum memory but still employs a multiport to ensure non-repudiation. However, multiport alignment is relatively difficult and can cause huge losses [7] as the distance increases. Subsequently, a more practical QDS protocol that has the same optical components as quantum key distribution (QKD) [8] was proposed. Later, the requirement of QDS for trusted quantum channels was also removed [9–15].

In an actual communication environment, due to the fluctuation of fiber birefringence, photons are highly susceptible to quantum channel noise, which results in the decoherence of quantum states. The noise problem therefore urgently needs to be solved. Collective noises, a major type of channel noise, can be divided into collective-dephasing noise and collective-rotation noise [16–18]. This work specifically considers how to make QDS protocols work well over collective noise channels. With existing technology, constructing a decoherence-free subspace (DFS) [19–21] may be an effective way. The DFS comprises several logical qubits, and each logical qubit consists of several physical qubits. These logical qubits acquire the same noise factor after passing through the collective noise channel, so the effect of the noise can be compensated automatically. In 2003, Boileau et al. [22] proposed a robust polarization-based QKD protocol that can eliminate the collective noises. In 2014, Huang et al. [23] gave an experimental implementation of a two-party quantum key agreement (QKA) protocol using logical qubits under a noisy channel. In 2017, He et al. [24] proposed two QKA protocols using five-particle logical quantum states against collective noises.

Inspired by Ref. [8], this paper proposes fault-tolerant practical quantum digital signature protocols designed specifically against collective noises. The outline of the protocols is similar to that in Ref. [8] but with different information carriers. Reference [8] proved that its QDS is secure against coherent attacks and further proved that it can resist the forging attack and the repudiation attack. We follow the security analysis method in Ref. [8] to analyze the security of our QDS and prove that our QDS retains the security property of the original protocol. In addition, we discuss the influence of the verification thresholds ${s_v}$ and ${s_a}$ on security and make a quantitative analysis. By constructing a DFS, this work further improves the performance of QDS over collective noise channels in terms of communication fidelity.

## 2. Protocol

In this section, we introduce the details of two fault-tolerant QDS protocols. Generally, QDS consists of two stages: the distribution stage and the messaging stage. We consider the simplest nontrivial setting of QDS, which has three parties: the sender Alice and the receivers Bob and Charlie. Alice signs a message and passes it to Bob. Bob first verifies the authenticity of the message and forwards it to Charlie. Charlie then verifies it. Here, we assume that there exists a secure (authenticated) quantum channel between Bob and Charlie. Fig. 1 shows the practical implementation of our QDS protocols. They have the same optical components as QKD [25,26].

#### 2.1 QDS against collective-dephasing noise

Generally, the effect of collective-dephasing noise on qubit $|0\rangle$ and $|1\rangle$ can be modeled as [27,28]:

where $\varphi$ is a noise parameter that changes over time. Following the results in Ref. [29], we use a pair of qubits to encode a bit; a simplified example is the following encoding:

where the subscript $dp$ denotes encoded logical qubits. $|0_{dp}\rangle$ and $|1_{dp}\rangle$, each of which is composed of two physical qubits with an antiparallel parity, have the same noise factor $e^{i\varphi }$ and thus can resist the collective-dephasing noise. In a feasible encoding implementation [25], a pair of noncollinear, polarization-entangled photons is produced via spontaneous parametric down-conversion from NC pumped by a brief pulse; see Fig. 1. The superposition states of the two logical qubits can also withstand the collective-dephasing noise and can be written as:

These four logical qubits $|0_{dp}\rangle$, $|1_{dp}\rangle$ and $|+_{dp}\rangle$, $|-_{dp}\rangle$ can form a DFS to eliminate the effect of collective-dephasing noise.

**Distribution stage**

- (D1) Alice generates two copies of a sequence for each one-bit message $k=0,1$, and each element of the sequence is randomly selected from the four logical quantum states $|0_{dp}\rangle$, $|1_{dp}\rangle$, $|+_{dp}\rangle$ and $|-_{dp}\rangle$. The sequence is called the quantum signature. The signature is $QSig_k=\bigotimes ^{L}_{l=1}\rho ^{k}_{l}$, where $\rho ^{k}_{l}=|b^{k}_{l}\rangle \langle b^{k}_{l}|$ is a reduced density matrix and $|b^{k}_{l}\rangle \in \{|0_{dp}\rangle,|1_{dp}\rangle,|+_{dp}\rangle,|-_{dp}\rangle \}$. $L$ is an appropriate integer selected for the length of the signature. $P_{k_i}$ is the classical description of $|b^{k}_{i}\rangle$, which is symbolic information. We set up the correspondence $P_{k_i}\rightarrow |b^{k}_{i}\rangle$, $i\in \{1,\dots,L\}$. For example, the classical description of $|0_{dp}\rangle$ is 0, so $0\rightarrow |0_{dp}\rangle$; likewise, $1\rightarrow |1_{dp}\rangle$, $+\rightarrow |+_{dp}\rangle$, $-\rightarrow |-_{dp}\rangle$. The symbol sequence $PK_k=(P_{k_1},\dots,P_{k_L})$ is called the private key for message $k$.
- (D2) Alice sends two copies of $QSig_k$ to Bob and Charlie respectively.
- (D3) Bob and Charlie exchange half of their quantum signatures through a secure quantum channel, which guarantees that Alice cannot repudiate.
Taking Bob as an example, the exchange proceeds as follows. When Bob receives a signature sent by Alice, for each signature element he selects one of two options: (1) keep and measure it, with the measurement method given in step (D4); or (2) forward it, together with its position, to Charlie. Therefore, half of the signature elements held by Bob are from Alice’s signature and the other half are from Charlie’s signature. Charlie performs the same exchange process as Bob.

- (D4) Bob randomly chooses either the basis $\{|0_{dp}\rangle,|1_{dp}\rangle \}$ or the basis $\{|+_{dp}\rangle,|-_{dp}\rangle \}$ to measure each signature element he possesses. The measurement results will be compared with the private keys sent by Alice during the messaging stage to verify whether the signature is authentic.
Assume that Bob receives $|0_{dp}\rangle$. If he chooses the basis $\{|0_{dp}\rangle,|1_{dp}\rangle \}$, he obtains the measurement result $|0_{dp}\rangle$; if he chooses $\{|+_{dp}\rangle,|-_{dp}\rangle \}$, he obtains $|+_{dp}\rangle$ or $|-_{dp}\rangle$ with equal probability. Conversely, if Bob gets the result $|1_{dp}\rangle$, Alice cannot have sent the state $|0_{dp}\rangle$, so $|0_{dp}\rangle$ can be excluded. Bob keeps a record of the excluded states and their corresponding positions.

**Messaging stage**

- (M1) Alice sends $(k,PK_k)$ to Bob for each possible bit message $k$.
- (M2) Bob checks whether $(k,PK_k)$ matches with his sequence of excluded signature elements.
He first checks the part of the signature elements that he received directly from Alice. If the number of mismatches between this part and the corresponding private key elements is less than $s_aL/2$, he then verifies the other part of the signature elements that he exchanged with Charlie. If the number of mismatches is also less than $s_aL/2$, Bob accepts the signature, where $s_a$ is the verification threshold.

- (M3) Bob forwards the pair $(k,PK_k)$ to Charlie.
- (M4) Charlie checks the number of mismatches between the signature sequence and private key. The procedure is similar to step (M2). If there are fewer than $s_vL/2$ mismatches in both halves of the signature sequence, Charlie accepts the forwarded message, where $s_v$ is the verification threshold, with $0<s_a<s_v<1/2$.
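The bookkeeping of steps (D3)-(D4) and (M2)-(M4), as an added example that is not code from the paper: a classical Python simulation of a noise-free run. The basis labels `Z`/`X`, the exact L/2 split, the function names and the uniformly random forged key are assumptions made for illustration.

```python
import random

# Classical descriptions of the four logical states; "Z" and "X" are
# illustrative labels for the {0,1} and {+,-} logical bases.
BASES = {"Z": ("0", "1"), "X": ("+", "-")}
BASIS_OF = {"0": "Z", "1": "Z", "+": "X", "-": "X"}
ORTHOGONAL = {"0": "1", "1": "0", "+": "-", "-": "+"}


def measure_and_exclude(state, rng):
    """Step (D4): measure in a random basis, return the state that is ruled out."""
    basis = rng.choice(("Z", "X"))
    if basis == BASIS_OF[state]:
        outcome = state                      # matching basis: deterministic
    else:
        outcome = rng.choice(BASES[basis])   # other basis: 50/50 outcome
    return ORTHOGONAL[outcome]               # the sender cannot have sent this


def distribute(L, rng):
    """Steps (D1)-(D4): return Alice's private key and both recipients' records."""
    pk = [rng.choice("01+-") for _ in range(L)]
    # (D3) each recipient keeps exactly L/2 positions and forwards the rest.
    kept = {name: set(rng.sample(range(L), L // 2)) for name in ("Bob", "Charlie")}
    records = {}
    for name, other in (("Bob", "Charlie"), ("Charlie", "Bob")):
        forwarded = set(range(L)) - kept[other]
        records[name] = {
            "direct": {i: measure_and_exclude(pk[i], rng) for i in kept[name]},
            "forwarded": {i: measure_and_exclude(pk[i], rng) for i in forwarded},
        }
    return pk, records


def verify(declared, record, threshold, L):
    """Steps (M2)/(M4): accept only if both halves have < threshold*L/2 mismatches.

    A mismatch is a declared element equal to the state excluded at that position.
    """
    limit = threshold * L / 2
    counts = {
        half: sum(1 for i, ex in record[half].items() if declared[i] == ex)
        for half in ("direct", "forwarded")
    }
    return all(c < limit for c in counts.values()), counts


def run_demo(L=2000, s_a=0.05, s_v=0.10, seed=1):
    rng = random.Random(seed)
    pk, records = distribute(L, rng)
    bob_ok, bob_counts = verify(pk, records["Bob"], s_a, L)
    charlie_ok, charlie_counts = verify(pk, records["Charlie"], s_v, L)
    # Constructed baseline: a key declared without any knowledge of Alice's key.
    forged = [rng.choice("01+-") for _ in range(L)]
    forged_ok, forged_counts = verify(forged, records["Charlie"], s_v, L)
    return {
        "bob_accepts": bob_ok,
        "charlie_accepts": charlie_ok,
        "honest_mismatches": max(list(bob_counts.values()) + list(charlie_counts.values())),
        "forgery_accepted": forged_ok,
        "forged_mismatches": forged_counts,
    }


if __name__ == "__main__":
    print(run_demo())
```

In a noise-free honest run no declared element can coincide with an excluded state, while a uniformly random declaration hits the excluded state at about a quarter of the positions, far above $s_vL/2$.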

#### 2.2 QDS against collective-rotation noise

In general, the effect of collective-rotation noise on the qubits $|0\rangle$ and $|1\rangle$ can be modeled as [30]: $U_r|0\rangle =\cos \theta |0\rangle +\sin \theta |1\rangle$, $U_r|1\rangle =-\sin \theta |0\rangle +\cos \theta |1\rangle$, where $\theta$ is a noise parameter that changes over time. Logical qubits immune to the collective-rotation noise can be expressed as:

which have the same noise factor. The superposition states of the two logical qubits can also withstand the collective-rotation noise and can be written as:

The steps of the protocol against the collective-rotation noise are similar to those of the protocol above. Here we only give the modified steps. In step (D1), Alice also generates two copies of sequences, but the elements are selected from the set $|0_{r}\rangle$, $|1_{r}\rangle, |+_{r}\rangle$, and $|-_{r}\rangle$, and the two groups of bases are replaced with $\{|+_{r}\rangle,|-_{r}\rangle \}$ and $\{|0_{r}\rangle,|1_{r}\rangle \}$. With subsequent steps and devices similar to those of the initial protocol, this QDS protocol can withstand the collective-rotation noise.

## 3. Security analysis

In this section, we follow the method in Ref. [8] to prove the security of our QDS protocol, i.e., robustness, unforgeability and non-repudiation. Based on this, we further discuss the influence of the verification thresholds ${s_v}$ and ${s_a}$ on the security of QDS and give a quantitative analysis. In addition, we analyze the interference of collective noises with travelling qubits and further investigate the communication fidelity under the collective noise models.

#### 3.1 Security against repudiation

In order to repudiate, Alice should send a private key that will be accepted by Bob and rejected by Charlie. Bob and Charlie convert the quantum states excluded during the distribution stage into classical messages and store them. Each element in the private key is called a declaration. If a declaration does not match the stored classical message, i.e., the declaration received from Alice happens to be the excluded message, we denote it as 1. If it matches, meaning that the declaration is not the excluded message, we denote it as 0. We assume that Alice has the ability to control the number of mismatches between her signature and private key in the messaging stage. Therefore, we have an outcome sequence $r=(b_1,\dots,b_L,c_1,\dots,c_L)$, where $b=(b_1,\dots,b_L)$ is the subset that Alice initially sent to Bob and $c=(c_1,\dots,c_L)$ is the subset sent to Charlie. The mismatch rate in $b$ is $p_b$ and in $c$ is $p_c$.

In order for Bob to accept the message, Alice needs Bob to accept the message she directly sent to him and the message forwarded by Charlie. Although Alice can control the mismatch rate of the part of signature she sent, she cannot obtain the mismatch rate of the other part of the signature forwarded by Charlie.

Consider the case where $p_c>s_a$ and Bob chooses $L/2$ elements from the subset $c$. On the one hand, if Alice wants Bob to accept the message, she should make Bob commit fewer than $s_aL/2$ mismatches. The probability of Bob making fewer than $s_aL/2$ mismatches is bounded by

On the other hand, Alice should make Charlie reject the message, either the part from her or the part from Bob. When $p_c\leq s_a$, if $p_b>s_a$, Bob has a high probability of rejecting the message, so we only discuss $p_b\leq s_a$. Charlie selects $L/2$ elements from the subset $b$; if Alice wants Charlie to reject the message, she needs to make Charlie commit more than $s_vL/2$ mismatches. According to the result in Ref. [8], the case in which the number of mismatches from Bob exceeds $s_vL/2$ is denoted as $C_1$. Then we can bound the probability as

Alice can repudiate successfully only if Charlie makes more than $s_vL/2$ mismatches from $b$ or $c$. The case in which the number of mismatches exceeds $s_vL/2$ is denoted as $C$. Since $p_b,p_c\leq {s_a}$, we tighten the boundary condition, so

Alice’s best strategy is to send declaration with $p_b=p_c=(s_v+s_a)/2$. Using [31], we can bound the probability of repudiation as

Figure 2 and Fig. 3 illustrate the probability of Alice’s signature being successfully repudiated $P(Repudiation)$ as functions of the length of signature $L$ with different verification thresholds. We can see that $P(Repudiation)$ decreases exponentially as $L$ increases. Figure 2 plots the relationship between $P(Repudiation)$ and $L$ with different $s_a$. It can be seen that $P(Repudiation)$ increases with the increase of $s_a$ when $L$ remains unchanged. Figure 3 shows the corresponding relationship with different $s_v$. The results show that $P(Repudiation)$ is related to the difference between thresholds $s_a$ and $s_v$. In order to reduce the probability of successful repudiation, the difference between two thresholds should be set to a larger value.

#### 3.2 Security against forging

Security against forging means that any recipient will reject a signature that was not originally generated by Alice. If Bob wants to successfully forge Alice’s signature, he needs to correctly guess the signature elements that Alice sent to Charlie. However, it is impossible for Bob to always get Charlie’s message correctly. For example, if Alice sends $|1_{dp}\rangle$, $|0_{dp}\rangle$ is more likely to be ruled out by Charlie, so declaring $|0_{dp}\rangle$ will cost Bob more. According to the analysis method in Ref. [8], an optimal strategy is to perform any POVM $\Pi$, where $\Pi =\{q|0_{dp}\rangle,(1-q)|+_{dp}\rangle,q|1_{dp}\rangle,(1-q)|-_{dp}\rangle \}$. Then the cost matrix is given by

In the worst-case scenario, Bob knows which states are kept by Charlie. If Charlie retains $L/2$ elements, Bob can make his best guess with copies of the $L/2$ elements he knows. For the protocols to be secure, we need $C_{min}> \frac {s_vL/2}{L/2}$. Therefore, we can bound the probability of forging by using Hoeffding inequalities [33]

Figure 4 plots the relationship between the probability of Bob’s successful forging $P(Forging)$ and the signature length $L$ with different $s_v$. As shown in Fig. 4, the probability of successful forging decreases exponentially as $L$ increases. In addition, $P(Forging)$ is related to threshold $s_v$, i.e., it decreases as $s_v$ decreases if $L$ remains unchanged. Therefore, for ensuring the security of protocols against forging attack, a slightly smaller $s_v$ should be selected.

#### 3.3 Robustness

Robustness concerns the case in which Bob rejects Alice’s signature declaration even though all participants are honest. Bob analyzes the mismatch rate between the signature he received and his private key. In detail, if the mismatch rate between the signature received directly from Alice and his private key, or between the signature received from Charlie and the private key, exceeds $s_a$, Bob will terminate the protocol. Assume that the error rate between Alice’s and Bob’s key is $p^B_t$ and the error rate between Alice’s and Charlie’s key is $p^C_t$. Setting $p_t=\max (p^B_t,p^C_t)$, the probability that an honest run aborts is given by

Figure 5 illustrates the probability of an honest run aborting versus signature length for different verification thresholds $s_a$ and error rates $p_t$. As seen in Fig. 5, the robustness of QDS is improved if the difference between $s_a$ and $p_t$ is set to be large enough.

Combining the requirements of unforgeability, non-repudiation and robustness, the thresholds should be set to satisfy $p_t<s_a<s_v$. The protocol can achieve better robustness if $p_t$ is smaller, since $p_t$ represents the maximum bit error rate between peers. For non-repudiation, $s_v$ should be set to a larger value so that its difference from $s_a$ is as large as possible. However, the requirement of unforgeability on $s_v$ is just the opposite: a smaller $s_v$ is needed to resist the forgery attack. In conclusion, in numerical simulation and experimental implementation $s_v$ is often set to be less than the eavesdropper’s minimum error rate, and $s_a$ is set in the interval between $p_t$ and $s_v$.

#### 3.4 Communication fidelity

In this section, we discuss the influence of collective noise on the traveling quantum states by calculating communication fidelity. Communication fidelity can be used to describe the closeness between the input quantum states and output quantum states. Generally, the communication fidelity of two pure states can be written as

We compare the fidelity of the physical quantum states and the logical quantum states under the collective noise model. After the physical qubits pass through the collective-dephasing noise channel, the input qubits become

The fidelity between input and output qubits can be obtained by using Eq. (17):

Similarly, after the logical qubits pass through the collective-dephasing noise channel, one obtains

It can be seen that the logical qubits have the same noise factor $e^{i\varphi }$ after passing through the collective-dephasing noise channel. Correspondingly, a phase shifter $e^{-i\varphi }$ can be added in front of the receiving device to eliminate the disturbance. Thus, this QDS protocol can resist the collective-dephasing noise and offer higher fidelity.

Then, we analyze the interference of collective-rotation noise with physical and logical quantum states. After the physical qubits pass through the noisy channel, they can be expressed as

The communication fidelity between input and output physical qubits can be given by:

When the logical qubits pass through the collective-rotation noise channel, the input states become

It can be seen that these logical qubits $\{|0_{r}\rangle,|1_{r}\rangle,|+_{r}\rangle,|-_{r}\rangle \}$ remain unchanged during the process of transmission and the communication fidelity between input and output logical qubits is equal to 1.

Therefore, it can be deduced that the communication fidelity of Ref. [8] under the two kinds of collective noise is given, respectively, by

The communication fidelity of Ref. [8] under the two kinds of noise depends on the parameters $\varphi$ and $\theta$, respectively, and fluctuates periodically as a cosine squared of these parameters. However, the fidelity of our protocols under the collective noise channel is equal to 1, which means that the logical qubits are not affected by the collective noise. Therefore, our QDS protocol has the advantage of fidelity in the collective noise channel compared with Ref. [8].
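A numerical check of the fidelity comparison above, added here and not taken from the paper. Because the state and noise equations are missing from this page, the code assumes the usual forms: dephasing $|0\rangle \to |0\rangle$, $|1\rangle \to e^{i\varphi}|1\rangle$; $|0_{dp}\rangle=|01\rangle$, $|1_{dp}\rangle=|10\rangle$; $|0_{r}\rangle=(|00\rangle+|11\rangle)/\sqrt{2}$, $|1_{r}\rangle=(|01\rangle-|10\rangle)/\sqrt{2}$; and pure-state fidelity $|\langle\psi|\phi\rangle|^2$.

```python
import cmath
import math

S = 1 / math.sqrt(2)

# Physical single-qubit states, as used without a DFS.
PHYSICAL = {"0": [1, 0], "1": [0, 1], "+": [S, S], "-": [S, -S]}
# Assumed logical encodings; amplitudes ordered |00>, |01>, |10>, |11>.
LOGICAL_DP = {"0": [0, 1, 0, 0], "1": [0, 0, 1, 0],
              "+": [0, S, S, 0], "-": [0, S, -S, 0]}
LOGICAL_R = {"0": [S, 0, 0, S], "1": [0, S, -S, 0],
             "+": [0.5, 0.5, -0.5, 0.5], "-": [0.5, -0.5, 0.5, 0.5]}


def dephasing(phi):
    """Assumed collective-dephasing model: |0> -> |0>, |1> -> e^{i phi}|1>."""
    return [[1, 0], [0, cmath.exp(1j * phi)]]


def rotation(theta):
    """U_r from the page: U_r|0> = cos|0> + sin|1>, U_r|1> = -sin|0> + cos|1>."""
    c, s = math.cos(theta), math.sin(theta)
    return [[c, -s], [s, c]]


def apply_single(u, psi):
    """Apply a 2x2 matrix u to a single-qubit state."""
    return [u[0][0] * psi[0] + u[0][1] * psi[1],
            u[1][0] * psi[0] + u[1][1] * psi[1]]


def apply_collective(u, psi):
    """Apply u (x) u to a two-qubit state: both photons see the same noise."""
    out = [0j] * 4
    for a in range(2):
        for b in range(2):
            for c in range(2):
                for d in range(2):
                    out[2 * a + b] += u[a][c] * u[b][d] * psi[2 * c + d]
    return out


def fidelity(psi, phi):
    """Pure-state fidelity |<psi|phi>|^2; a global phase drops out."""
    inner = sum(complex(x).conjugate() * y for x, y in zip(psi, phi))
    return abs(inner) ** 2


def worst_fidelity(states, noise, apply):
    """Smallest input/output fidelity over the four signature states."""
    return min(fidelity(s, apply(noise, s)) for s in states.values())


def compare(phi=math.pi / 2, theta=math.pi / 3):
    return {
        "physical_dephasing": worst_fidelity(PHYSICAL, dephasing(phi), apply_single),
        "logical_dephasing": worst_fidelity(LOGICAL_DP, dephasing(phi), apply_collective),
        "physical_rotation": worst_fidelity(PHYSICAL, rotation(theta), apply_single),
        "logical_rotation": worst_fidelity(LOGICAL_R, rotation(theta), apply_collective),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.4f}")
```

With the default parameters the physical states drop to $\cos^2(\varphi/2)=0.5$ under dephasing and $\cos^2\theta=0.25$ under rotation, while both logical encodings stay at 1.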

## 4. Conclusion

This paper proposes fault-tolerant practical QDS protocols against collective noises. The eavesdropper has no chance to eavesdrop beneath a mask of collective noises, since the quantum channel transmits only logical qubits, which are not affected by the collective noises. Meanwhile, the logical qubits, as information carriers transmitted over collective noise channels, can provide higher communication fidelity with respect to the existing quantum signature protocols. In addition, we have demonstrated that the protocols are secure against the forging attack and the repudiation attack, and we further discuss the influence of different thresholds on the security of the protocols and give a quantitative analysis.

## Funding

National Natural Science Foundation of China (Grant No. 61801385); China Postdoctoral Science Foundation (Grant No. 221628); National Key Research and Development Program of China (Grant No. 2020JQ-602); Natural Science Foundation of Shaanxi Provincial Department of Education.

## Acknowledgments

This work is supported by the National Natural Science Foundation of China (Grant No.61801385), China Postdoctoral Science Foundation (Grant No.221628), Natural Science Basic Research Plan in Shaanxi Province of China (Grant No.2020JQ-602) and Foundation of Shaanxi Province Education Department.

## Disclosures

The authors declare no conflicts of interest.

## Data availability

Data underlying the results presented in this paper are not publicly available at this time but may be obtained from the authors upon reasonable request.

## References

**1.** P. Shor, “Algorithms for quantum computation: discrete logarithms and factoring,” in Proceedings 35th Annual Symposium on Foundations of Computer Science, (1994), pp. 124–134.

**2.** E. Milanov, “The rsa algorithm,” in RSA Laboratories pp. 1–11 (2009).

**3.** I. Chuang and D. Gottesman, “Quantum digital signatures,” (2002).

**4.** E. Andersson, M. Curty, and I. Jex, “Experimentally realizable quantum comparison of coherent states and its applications,” Phys. Rev. A **74**(2), 022304 (2006).

**5.** P. J. Clarke, R. J. Collins, V. Dunjko, E. Andersson, J. Jeffers, and G. S. Buller, “Experimental demonstration of quantum digital signatures using phase-encoded coherent states of light,” Nat. Commun. **3**(1), 1174 (2012).

**6.** V. Dunjko, P. Wallden, and E. Andersson, “Quantum digital signatures without quantum memory,” Phys. Rev. Lett. **112**(4), 040502 (2014).

**7.** R. J. Collins, R. J. Donaldson, V. Dunjko, P. Wallden, P. J. Clarke, E. Andersson, J. Jeffers, and G. S. Buller, “Realization of quantum digital signatures without the requirement of quantum memory,” Phys. Rev. Lett. **113**(4), 040502 (2014).

**8.** P. Wallden, V. Dunjko, A. Kent, and E. Andersson, “Quantum digital signatures with quantum-key-distribution components,” Phys. Rev. A **91**(4), 042304 (2015).

**9.** H.-L. Yin, Y. Fu, and Z.-B. Chen, “Practical quantum digital signature,” Phys. Rev. A **93**(3), 032316 (2016).

**10.** R. Amiri, P. Wallden, A. Kent, and E. Andersson, “Secure quantum signatures using insecure quantum channels,” Phys. Rev. A **93**(3), 032325 (2016).

**11.** H.-L. Yin, Y. Fu, H. Liu, Q.-J. Tang, J. Wang, L.-X. You, W.-J. Zhang, S.-J. Chen, Z. Wang, Q. Zhang, T.-Y. Chen, Z.-B. Chen, and J.-W. Pan, “Experimental quantum digital signature over 102 km,” Phys. Rev. A **95**(3), 032334 (2017).

**12.** H.-J. Ding, J.-J. Chen, L. Ji, X.-Y. Zhou, C.-H. Zhang, C.-M. Zhang, and Q. Wang, “280-km experimental demonstration of a quantum digital signature with one decoy state,” Opt. Lett. **45**(7), 1711–1714 (2020).

**13.** Y.-S. Lu, X.-Y. Cao, C.-X. Weng, J. Gu, Y.-M. Xie, M.-G. Zhou, H.-L. Yin, and Z.-B. Chen, “Efficient quantum digital signatures without symmetrization step,” Opt. Express **29**(7), 10162–10171 (2021).

**14.** S. Richter, M. Thornton, I. Khan, H. Scott, K. Jaksch, U. Vogl, B. Stiller, G. Leuchs, C. Marquardt, and N. Korolkova, “Agile and versatile quantum communication: Signatures and secrets,” Phys. Rev. X **11**(1), 011038 (2021).

**15.** C.-X. Weng, Y.-S. Lu, R.-Q. Gao, Y.-M. Xie, J. Gu, C.-L. Li, B.-H. Li, H.-L. Yin, and Z.-B. Chen, “Secure and practical multiparty quantum digital signatures,” Opt. Express **29**(17), 27661–27673 (2021).

**16.** Z. J. Zhang, “Robust multiparty quantum secret key sharing over two collective-noise channels,” Phys. A (Amsterdam, Neth.) **361**(1), 233–238 (2006).

**17.** X.-H. Li, F.-G. Deng, and H.-Y. Zhou, “Efficient quantum key distribution over a collective noise channel,” Phys. Rev. A **78**(2), 022321 (2008).

**18.** Y. Chang, S. Zhang, and J. Li, “Robust epr-pairs-based quantum secure communication with authentication resisting collective noise,” Sci. China: Phys., Mech. Astron. **57**(10), 1907–1912 (2014).

**19.** J. Kempe, D. Bacon, D. A. Lidar, and K. B. Whaley, “Theory of decoherence-free fault-tolerant universal quantum computation,” Phys. Rev. A **63**(4), 042307 (2001).

**20.** E. Knill, R. Laflamme, and L. Viola, “Theory of quantum error correction for general noise,” Phys. Rev. Lett. **84**(11), 2525–2528 (2000).

**21.** W. Huang, F. Z. Guo, and Z. Huang, “Three-particle qkd protocol against a collective noise,” Opt. Commun. **284**(1), 536–540 (2011).

**22.** J.-C. Boileau, D. Gottesman, R. Laflamme, D. Poulin, and R. W. Spekkens, “Robust polarization-based quantum key distribution over a collective-noise channel,” Phys. Rev. Lett. **92**(1), 017901 (2004).

**23.** W. Huang, Q. Su, X. Wu, Y.-B. Li, and Y. Sun, “Quantum key agreement against collective decoherence,” Int. J. Theor. Phys. **53**(9), 2891–2901 (2014).

**24.** Y.-F. He and W.-P. Ma, “Two quantum key agreement protocols immune to collective noise,” Int. J. Theor. Phys. **56**(2), 328–338 (2017).

**25.** Z. D. Walton, A. F. Abouraddy, A. V. Sergienko, B. E. A. Saleh, and M. C. Teich, “Decoherence-free subspaces in quantum key distribution,” Phys. Rev. Lett. **91**(8), 087901 (2003).

**26.** R. J. Donaldson, R. J. Collins, K. Kleczkowska, R. Amiri, P. Wallden, V. Dunjko, J. Jeffers, E. Andersson, and G. S. Buller, “Experimental demonstration of kilometer-range quantum digital signatures,” Phys. Rev. A **93**(1), 012329 (2016).

**27.** C.-W. Yang, C.-W. Tsai, and T. Hwang, “Thwarting intercept-and-resend attack on zhang’s quantum secret sharing using collective rotation noises,” Quantum Inf. Process. **11**(1), 113–122 (2012).

**28.** T.-Y. Ye, “Robust quantum dialogue based on the entanglement swapping between any two logical bell states and the shared auxiliary logical bell state,” Quantum Inf. Process. **14**(4), 1469–1486 (2015).

**29.** G. M. Palma, K.-A. Suominen, and A. Ekert, “Quantum computers and dissipation,” Proc. R. Soc. London, Ser. A **452**(1946), 567–584 (1996).

**30.** Y. G. Yang, Y. W. Teng, H. P. Chai, and Q. Y. Wen, “Fault-tolerant quantum secret sharing against collective noise,” Phys. Scr. **83**(2), 025003 (2011).

**31.** V. Chvátal, “The tail of the hypergeometric distribution,” Discrete Mathematics **25**(3), 285–287 (1979).

**32.** P. Wallden, V. Dunjko, and E. Andersson, “Minimum-cost quantum measurements for quantum information,” J. Phys. A: Math. Theor. **47**(12), 125303 (2014).

**33.** W. Hoeffding, “Probability inequalities for sums of bounded random variables,” J. Am. Stat. Assoc. **58**(301), 13–30 (1963).