Experimental quantum secure network with digital signatures and encryption

Abstract Cryptography promises four information security objectives, namely, confidentiality, integrity, authenticity and non-repudiation, to support trillions of transactions annually in the digital economy. Efficient digital signatures, ensuring integrity, authenticity and non-repudiation of data with information-theoretical security are highly urgent and intractable open problems in cryptography. Here, we propose a high-efficiency quantum digital signature (QDS) protocol using asymmetric quantum keys acquired via secret sharing, one-time universal2 hashing and a one-time pad. We just need to use a 384-bit key to sign documents of lengths up to 264 with a security bound of 10−19. If a one-megabit document is signed, the signature efficiency is improved by more than 108 times compared with previous QDS protocols. Furthermore, we build the first all-in-one quantum secure network integrating information-theoretically secure communication, digital signatures, secret sharing and conference key agreement and experimentally demonstrate this signature efficiency advantage. Our work completes the cryptography toolbox of the four information security objectives.


I. INTRODUCTION
Fast developing driverless, blockchain and artificial intelligence technologies, as well as digital currency systems, will soon require a more robust network with security against quantum attacks [1].A promising blueprint for such a network ensures hash functions, encryption algorithms, and digital signatures with informationtheoretical security, which cannot be met in the current Internet with public-key infrastructure [2].Currently, widely implemented one-way hash functions, such as Message Digest-5 [3] and Secure Hash Algorithm-1 [4], are no longer secure.For example, since 2017, one can utilize two different files to obtain the identical hash value after conducting Secure Hash Algorithm-1 [5].Additionally, in 2020, the public-key encryption algorithms [6][7][8], based on the computational complexity of factorization and discrete logarithm, have both been compromised at the 795-bit level [8].More seriously, quantum computers can in principle attack public-key cryptosystems with any number of bits [9].
Unlike public-key cryptography, one-time pad (OTP) encryption based on a symmetric key allows a message to be transmitted with information-theoretical confidentiality [10] over a standard communication channel, with the symmetric key being securely established using quantum key distribution [11] and the attackers' computational power being unrestricted.Currently, there are several experimental demonstrations and commercial applications of quantum key distribution around the world [12][13][14][15][16].
FIG. 1. Schematic diagram of classical digital signatures.Alice uses a private key to encrypt the digest to obtain the signature, where the digest is acquired via a fixed one-way hash function.She sends the document along with the signature to Bob. Bob utilizes the same one-way hash function and the corresponding public key to acquire two digests.Then, he only accepts the signature if the two digests are identical.Thereinto, a digital certificate issued by the certificate authority (CA) guaranties the validity of the public key.Here, we omit the generation process of the private and public keys.
Quantum key distribution [11] and quantum secure direct communication [17][18][19] only ensure confidentiality, which is, however, an incomplete solution to the remaining cryptographic tasks.Three other fundamental information security objectives are integrity, authenticity, and non-repudiation [2].These other tasks are usually realized in classical cryptosystems by digital signatures using one-way hash functions and public-key encryption algorithms, as shown in Fig. 1.Digital signatures [2] play a vital role in software distribution, e-mails, web browsing, and financial transactions, but they become insecure as one-way hash functions and public-key encryption algorithms used therein are breakable by either classical or quantum computers [20].
Unlike classical solutions [2], quantum digital signatures (QDS) use quantum laws to sign a document with information-theoretical integrity, authenticity, and nonrepudiation.In 2001, the first rudiment of the QDS was introduced [21], but it could not be implemented.Developments in the last decade have removed impractical requirements of the QDS, such as high-dimensional singlephoton state [22], quantum memory [23], and secure quantum channels [24][25][26][27], enabling demonstrations of the QDS in various experimental systems [28][29][30][31][32].However, the resulting schemes still have serious limitations that require an approximately 10 5 -bit key to sign only a one-bit document.For a gigahertz system, the best signature rate reported thus far is less than 1 time per second (tps) for a one-bit at a 100-km transmission distance [31].Additionally, it is unknown how to efficiently sign multi-bit documents with information-theoretical security [33], which makes all known single-bit-type QDS protocols far from practical applications [21][22][23][24][25][26][27][28][29][30][31][32].Thus, a high-efficiency QDS that is as feasible as quantum private communication (using quantum key distribution) [12] is highly desirable and remains an unsolved open problem.Note that a probabilistic one-time delegation of signature authority protocol was proposed and demonstrated using entanglement correlation [34].
Here, we propose a one-time universal 2 hashing (OTUH)-QDS protocol capable of signing an arbitrarily long document with information-theoretical security.For example, just with a 384-bit key, our protocol can sign documents of up to 2 64 lengths with a security bound of 10 −19 .Furthermore, we propose, for the first time, the concept of OTUH: a completely random and different universal 2 hash function [35] used for each digital signature.Our protocol not only uses OTUH and OTP as the underlying cryptography layer but also uses secret sharing to realize the perfect bits correlation of the three parties, and then build an asymmetric key relationship for Alice and Bob.Secret sharing can be implemented with information-theoretical security using quantum secret sharing, quantum key distribution, or future quantum internet with solid-state entanglement.Additionally, we simulate the performances of our OTUH-QDS protocol based on various quantum communication protocols.The simulation results show that for a gigahertz system, the signature rates are more than 10 4 tps in the metropolitan area, which represents an efficiency improvement of at least eight orders of magnitude for signing a one-megabit document.Additionally, we experimentally construct a quantum secure network to re-alistically demonstrate cryptographic primitives [2] with information-theoretical security, such as private communication, digital signatures, secret sharing, and conference key agreement.In our experiment, the signature efficiency can be achieved 1.43 × 10 8 times that of the previous work in Ref. [25] considering the improvements in signature rates for signing a 130,250-byte document over 101-km fiber, and the security bound is as small as 10 −32 , which shows a significant advantage.

Efficient QDS protocol
Before executing our OTUH-QDS protocol, three parties, Alice, Bob, and Charlie, will perform the predistribution stage, which is analogous to the private and public keys generation procedure in classical digital signatures.Alice, Bob, and Charlie each have two key bit strings {X a , X b , X c } with n bits and {Y a , Y b , Y c } with 2n bits, where the key bit strings meet the perfect correlation The pre-distribution stage can be realized using quantum communication protocols (see Methods), such as quantum key distribution [36][37][38][39][40] and quantum secret sharing [41][42][43][44][45]. Before executing the signature, Alice is the signer, and both Bob and Charlie can be the receiver because of the symmetry between Bob and Charlie.Here, we suppose that Alice signs an m-bit document, denoted by Doc, to the desired recipient, Bob.Therefore, Bob is the specified receiver, and Charlie automatically becomes the verifier.Our proposed approach utilizes secret sharing, OTUH, and OTP to generate and verify signatures, as shown in Fig. 7a.We remark that the keys of signer, Alice, and receiver, Bob, are asymmetric because X a = X b and Y a = Y b .After completing the predistribution stage, the three parties can implement the signature stage at any time.
(i) Signing of Alice-First, Alice uses a local quantum random number, which can be characterized by an n-bit string p a (see Supplementary data), to randomly generate an irreducible polynomial p(x) of degree n [2].Second, she uses the initial vector (key bit string X a ) and irreducible polynomial (quantum random number p a ) to generate a random linear feedback shift registerbased (LFSR-based) Toeplitz matrix [46] H nm , with n rows and m columns.Third, she uses a hash operation with Hash= H nm • Doc to acquire an n-bit hash value of the m-bit document.Fourth, she exploits the hash value and the irreducible polynomial to constitute the 2n-bit digest Dig = (Hash||p a ).Fifth, she encrypts the digest with her key bit string Y a to obtain the 2n-bit signature Sig = Dig ⊕ Y a using OTP.Finally, she uses the public channel to send the signature and document {Sig, Doc} to Bob. (iii) Verification of Charlie-If Bob announces that he accepts the signature, Charlie then uses his original key and the key sent to Bob to create two new key bit strings Charlie employs K Yc to acquire an expected digest and bit string p c via XOR decryption.Charlie uses a hash operation to obtain an n-bit hash value and then constitutes a 2n-bit actual digest, where the hash function is an LFSR-based Toeplitz matrix generated by initial vector K Xc and irreducible polynomial p c .Charlie accepts the signature if the two digests are identical.Otherwise, Charlie rejects the signature.
To show more clearly how our protocol works, Fig. 7b shows an example of signing a document "The 120th an-niversary of Nanjing University."

Security proof
In a QDS scheme, either Alice or Bob can be the attacker.Thus, Alice and Bob distrust each other, whereas the verifier, Charlie, is always trusted.Bob and Charlie will cooperate to counter Alice's repudiation attack.Alice and Charlie will collaborate to counter Bob's forgery attack.Besides, we also consider the robustness of our protocol.
Security against forgery.When Charlie accepts the tampered document forwarded by Bob, Bob's forgery attack is considered successful.There are two cases of Bob's forgery attack.First, Bob can generate a new document and signature if Alice has not signed a document at all.Second, Bob can change the document and signature if Alice has signed the document.According to our protocol, Charlie accepts the signature if and only if he obtains the identical digest by decrypting the signature with OTP and hashing the document with OTUH, respectively.Note that before Bob forwards the document, signature, and his key bit strings to Charlie, Bob cannot obtain the key bit strings of Charlie.In the first case, Bob has no information since Alice did not send any information.The only thing Bob can do is correctly guess Alice's key bit strings X a and Y a , i.e., guessing Charlie's key bit strings X c and Y c based on X a = X b ⊕ X c and Y a = Y b ⊕ Y c .The probability of guessing correctly is at most 1/2 n since Bob has no information of key bit strings X a and Y a with n and 2n bits, respectively.In the second case, Bob also has no information on the universal 2 hash function (initial vector X a and irreducible polynomial p a for the LFSR-Based Toeplitz matrix) used by Alice since the digest has been encrypted to a signature using OTP.Besides, Bob cannot obtain any information from the previous signing round because their keys are refreshed and the corresponding universal 2 hash function is updated in each round in our protocol.Compared to guessing the key bit strings of Alice or Charlie, Bob's best strategy is to guess the irreducible polynomial p a of the LFSR-Based Toeplitz matrix.The collision probability of universal 2 hashing by the LFSR-based Toeplitz matrix can be determined by m/2 n−1 (see Methods), which implies that one can find two distinct documents with identical hash values by randomly guessing the irreducible polynomial p a .Therefore, for any case, the probability of a successful forgery can be bounded by where m is the length of the document Doc and n is the order of the irreducible polynomial p a .
Note that our proof is information-theoretically secure, even though Bob has unlimited computing power.We emphasize the importance of our proposed OTUH, where the universal 2 hash function is only used once and then updated.Bob cannot obtain any information from the previously signed round because their keys and irreducible polynomial are refreshed in every round.Bob cannot do anything at all apart from randomly guessing.Moreover, before Bob sends the document and signature to Charlie, Bob cannot be sure if he guessed correctly even if he exhausts all the possibilities.Bob's forgery attack in our OTUH-QDS protocol is successfully related to Eve's attack in information-theoretically secure message authentication [46,47] (details can be found in Supplementary data).
Security against repudiation.Successful repudiation means that Alice makes Bob accept the signature, while Charlie rejects it.For Alice's repudiation attacks, Bob and Charlie are both honest and trust each other.Note that Bob and Charlie must forward their key bit strings to each other through an authenticated classical channel.The authenticated channel used ensures that Alice knows about the transmitted information between Bob and Charlie but cannot tamper with it.Then, Bob and Charlie can recover the identical key bit strings through the XOR operation Bob and Charlie obtain the same irreducible polynomial p b = p c through OTP decryption.They will make the same decision for the same document, signature, key bit strings, and irreducible polynomial.Therefore, our QDS protocol is naturally immune to repudiation.The probability of repudiation is zero when we ignore the insignificant failure probability of secure message authentication.
Note that in all known QDS protocols, the symmetry between Bob and Charlie is used to counter Alice's repudiation attacks.Compared to partial symmetry in previous protocols, Bob and Charlie will have identical key bit strings in our protocol after performing the QDS process.In addition, there is no help for Alice's repudiation attack, even though she is dishonest in the pre-distribution stage because we allow Alice to obtain all information from Bob (Charlie) about X b(c) and Y b(c) .
Robustness.The robustness quantifies the probability that Bob rejects the signature when the three parties are truthful.If Alice, Bob, and Charlie are all truthful, there are the relations of irreducible polynomial p a = p b = p c and key bit strings Thus, they will use the same universal 2 hash function and generate the same actual digest.The signature will be accepted naturally.The probability of honest aborting is zero, though, in the pre-distribution stage, we ignore the insignificant failure probability of classical bit error-correction of quantum communication protocols.
Note that the verification step of error correction in quantum key distribution and quantum secret sharing is usually realized using the universal 2 hashing and OTP, which is related to the information-theoretically secure message authentication [47].The verification step ensures that the classical bit error correction is successful with a small failure probability.

Simulation results of the QDS
Secret sharing in the pre-distribution stage allows the key bit strings of Alice, Bob, and Charlie to satisfy which can be implemented with information-theoretical security using quantum secret sharing, quantum key distribution, or future quantum internet with solid-state entanglement.Meanwhile, a full-blown quantum internet, with functional quantum computers and quantum repeaters as nodes connected through quantum channels, is being developed.The first prototype of the quantum internet has been realized with remote solid-state qubits [48] in multiparty entanglements applicable to secret sharing.To date, there is no workable quantum-secure asymmetric cryptosystem.With the help of secret sharing, our framework represents the first practical quantum asymmetric cryptosystem (X a = X b and Y a = Y b ) immediately applicable to secure digital signatures.
digital signatures up to 10 4 tps, even for the 2 64 -bit document.Therefore, one can conduct tens of thousands of transactions per second secured by digital signatures in the metropolitan area network [12].
Our OTUH-QDS protocol has two significant features.First, as the length of the signed document increases up to 10 19 bits, the key bits consumed by our protocol are almost constant, while having sufficient security as discussed above.This means that the signature efficiency of our protocol has a significant advantage over previous single-bit-type QDS protocols [21][22][23][24][25][26][27][28][29][30][31][32].As the length of the document is increased from 1 to 10 19 bits, our quantum resource consumption (384-bit key) does not change, which means that the signature time will not increase.Therefore, our protocol has the signature efficiency advantage from 10 2 to 10 21 , compared to previous protocols that need at least 10 5 bits to sign one bit [28][29][30][31][32]. Second, our OTUH-QDS protocol is flexible for all applications.In our QDS protocol, all known and future developed quantum secret sharing and quantum key distribution protocols can be used for the perfect bits correlation of the three parties (secret sharing).Additionally, the universal 2 hash function should not be restricted to the LFSR-based Toeplitz matrix [46], which is used here just as an example.

Experimental results of the QDS
To verify the efficiency and feasibility of our OTUH-QDS protocol, we established a three-node quantum secure network containing two end nodes (Bob and Charlie) and an intermediate node (Alice), as shown in Fig. 4a.Two point-to-point quantum key distribution links are built between Alice-Bob and Alice-Charlie using the decoy-state protocol with a time-bin phase encoding system [49].Bob (Charlie) multiplexes the 1570-nm synchronization pulse with a 1550-nm quantum signal by a dense wavelength division multiplexer, transmitted through a 101-km (126-km) single-mode optical fiber to Alice; the corresponding loss of quantum channels is 19 (24.3) dB, and the system clock frequency is 200 MHz.To reduce the insertion loss of the receiving end, we take advantage of time-division multiplexing by manually switching fiber links.A classic network is used to communicate in the postprocessing stage, including parameter estimation, error correction, and privacy amplification (details can be found in the Supplementary data).
In Fig. 4b, the blue (red) symbol refers to the experimental secret key rates of quantum key distribution between Bob-Alice (Charlie-Alice) with 6021 (470) bits per second by considering the finite-size effects, fitting well with our simulation curves.The blue and red curves are both flattened in the short distance since we introduce dead times of 10 and 25 µs for the gated-mode In-GaAs/InP single-photon detector, respectively.
Here, we describe the experimental demonstration of quantum digital signatures for a 130,250-byte (1.042 × 10 6 -bits) document over 101-km fiber, as shown in Fig. 4c.The secret sharing is realized so that Alice performs an XOR operation for her two key bit strings.
One key bit string is shared with Bob using the time-bin phase encoding quantum key distribution, and the other is shared with Charlie by exploiting another quantum key distribution system.The signed document includes the timestamp, identity number of the desert image, and the image itself.The digest is composed of the 128-bit hash value generated through OTUH and the 128-bit ir- reducible polynomial, and then, it is encrypted to form a signature by OTP.Both the digest and signature are displayed as bar codes and have the same size of 32 bytes (256 bits).The actual and expected digests are identical, indicating that we have applied successful quantum digital signatures with information-theoretical security.
For a fair comparison, we also demonstrate the singlebit-type QDS of Ref. [25] using the same experimental system.Table I shows the results.For signing a singlebit document, the length of the raw key using the method in Ref. [25] (without error correction and privacy amplification) is 2.88 × 10 6 bits.For a multi-bit document, for example, one megabit, at least the length of the key with 2.88 × 10 12 bits is required [28,33].Therefore, the signature rate of our OTUH-QDS protocol is 1.22 tps, whereas using the method of Ref. [25], it is only 3.23 × 10 −9 tps if we let the size of each signed document be 10 6 bits.Fig. 4c depicts the experimental demonstration of the QDS.We only require less than one second to run the quantum secure network, whereas using the method of Ref. [25], it will take approximately as long as four years to accumulate data.
We would like to clarify two main reasons why our protocol shows a huge improvement in the signature efficiency compared with early QDS schemes.First, the early QDS protocols set the threshold value and com-TABLE I. List of the experimental results of the QDS in Ref. [25] and our OTUH-QDS protocol.At each time, a document of 10 6 bits is assumed to be signed.
Ref. [25] our protocol distance between Bob and Charlie (km) 101+126=227 101+126=227 keys consumption (bit)  pare it with the mismatch rate of bit strings that are from the other two parties to determine whether to accept or not.However, after error correction and privacy amplification in our pre-distribution stage, the secret keys of the three parties are perfectly correlated, which satisfies the relationship Besides, Bob and Charlie have identical key bit strings instead of partial symmetric key bit strings in previous protocols.This change in key bit strings will result in approximately two orders of magnitude improvement in the signature efficiency due to removing the reception threshold inequality and the corresponding statistical fluctuations.Second, we use the universal 2 hash function to implement uniform mapping of long documents to short hash values with information-theoretical security.Any attempt to change the document will change the hash value with probability 1 − ǫ for .Since the hash value and universal 2 hash function are completely unknown (encrypted by a one-time pad), one cannot do anything but randomly guess them.Therefore, we can use a fixed key length to sign documents of almost any length.However, the core of the previous QDS solutions is for the signer to sign document with bit by bit [33], which means that one needs at least m times the key length to sign an m-bit document.Moreover, in previous studies, informationtheoretical security has not been proven for signing multi-bit documents.However, in our experiment, it will result in at least six orders of magnitude improvement in the signature efficiency for the 1.042 × 10 6 -bit-signed document.

Demonstration of other cryptographic tasks
To demonstrate the full-function information security objectives, shown in Fig. 5, we demonstrate the other three cryptographic tasks in our quantum secure network with information-theoretical security, including encryption, secret sharing, and conference key agreement.Fig. 5a illustrates quantum private communication with Alice's help as a trust relay.Alice performs an XOR operation for her two key bit strings that are shared with Bob and Charlie.To realize secure encryption between Bob and Charlie, Alice announces the XOR result as a key relay to make Bob and Charlie share identical keys.To realize quantum communication, a prairie image with 112,500 bytes is encrypted via OTP.
In the secret-sharing task, Alice is an honest dealer, while Bob and Charlie are the players.Therefore, either Bob or Charlie is a dishonest player, which can be ensured in quantum key distribution links Charlie-Alice (Bob is the attacker) and Bob-Alice (Charlie is the attacker), respectively.Before the implementation of secure secret sharing, only Alice knows that the XOR result is her key bit string.Quantum secret sharing of an image of a mountain with a size of 79,800 bytes has been implemented, as shown in Fig. 5b.Only Bob and Charlie cooperate to recover the correct image, while a single player cannot recover the image and only obtains the complete noise map.
For the conference key agreement task, Alice, Bob, and Charlie are all honest participants and should have the same keys.This requirement can be realized with information-theoretical security if Alice's XOR result is published and Charlie changes his key to the same as Bob's through XOR operation.An image of a lake with a size of 139,500 bytes is adopted to implement quantum group encryption, as shown in Fig. 5c.Any of the three parties can individually obtain the correct image in the group encryption session.
The cryptographic tasks feature high efficiency and information-theoretical security on our quantum secure network using the current quantum technology.We remark that the trusted relay node Alice is required only in the private communication between Bob and Charlie on our quantum secure network.The other three tasks, digital signatures, secret sharing, and conference key agreement, are not required since all nodes are the task participants.Note that combining quantum secure direct communication and classical cryptography, secure quantum network can be constructed without quantum repeater as proposed in Ref. [50].

III. CONCLUSIONS
In conclusion, we successfully demonstrated a fullfunction quantum secure network that meets all information security objectives, namely, confidentiality, integrity, authenticity, and non-repudiation.
Particularly, we theoretically propose and experimentally implement an OTUH-QDS protocol that shows a 100-million-fold signature efficiency improvement.As such, digital signatures, which are critical in internet-based digital processing systems, are now promoted to be information-theoretically secure and commercially applicable by OTP, OTUH, and secret sharing.Our framework requires few resources to sign an almost arbitrarily long document, outperforming all previous protocols not only in signing efficiency but also in security.Of course, the full-function quantum secure network can be implemented by more advanced technology, such as a future quantum internet.Its successful implementation by a practical quantum secure network under current technology lays a firm foundation for a quantum secure layer of the current internet.Such a quantum secure internet, enabling main secure cryptographic tasks simultaneously, paves the way for the quantum age of the digital economy.

Pre-distribution stage
The pre-distribution stage ensures that each participant has two key bit strings and meets the secret sharing relationship X a = X b ⊕ X c and Y a = Y b ⊕ Y c , which can be realized using quantum communication protocols with information-theoretical security.
There are two quantum key distribution links if quantum key distribution protocols are being observed.The Bob-Alice (Charlie-Alice) link will generate the symmetric quantum keys, denoted as S b ba = S a ba (S c ca = S a ca ), and even dishonest Charlie (Bob) has no knowledge about it.Alice implements an XOR operation to obtain her new quantum key S a = S a ba ⊕ S a ca .Therefore, since Alice has all the knowledge of Bob and Charlie's keys, she can only be the signer, while Bob and Charlie can be the receivers.We remark that the XOR operation of Alice generates asymmetry between Alice and Bob.
Alice, Bob, and Charlie can directly generate the perfect correlation quantum keys S a = S b ⊕ S c if quantum secret sharing protocols are being observed.Traditional quantum secret sharing protocols require that the dealer Alice is honest and the player Bob or Charlie can be allowed to be dishonest.The dishonest Bob and Charlie do not know S a and they can be the receiver.Note that since Alice can obtain all information of S b and S c if she is dishonest in performing traditional quantum secret sharing, Alice cannot be a receiver if traditional quantum secret sharing protocols are being used.However, if one adopts measurement-device-independent quantum secret sharing [42], all three participants will not know any information about others' quantum keys; anyone of them can be a receiver or signer.

One-time universal 2 hash function
A collection H of hash functions h: S→T is said to be universal 2 [35] if for every two different x, y ∈ S, we have This means that the universal 2 hash function can uniformly map the long documents to short hash values with a small collision probability.The random matrices belong to the universal 2 hash functions, which require mn random bits for specifying hash functions (seen as an mn Boolean matrix) to transform the m-bit document into an n-bit hash value.To reduce the cost of random bits, the Toeplitz matrix [2], which requires only m + n − 1 random bits, is widely used in randomness extraction and privacy amplification, and its collision probability is 1/2 n .Nevertheless, it still requires the length of random input bits to be longer than that of the document.Fortunately, the LFSR-based Toeplitz matrix [46] is the almost universal 2 hash function, where the hash function is determined by an irreducible polynomial p(x) of degree n over the Galois field GF(2) and n-bit random initial vector.The collision probability of the LFSR-based Toeplitz matrix [46] is m/2 n−1 (see Supplementary data).The initial vector and irreducible polynomial of the LFSR-based Toeplitz matrix are randomly changed for each signature, which is an important and novel requirement of our OTUH-QDS protocol.

Cryptography toolbox
Here, we introduce threats faced by information processing (as shown in Fig. 6), the corresponding information security objectives and classical cryptographic techniques to tackle such threats [51].First, eavesdropping, which threatens the confidentiality of information, can be prevented using symmetric cryptography and asymmetric cryptography (i.e., public-key cryptography).Second, tampering, which destroys the integrity of data, can be approached with a one-way hash function, message authentication code and digital signatures.Third, disguise, in which the attacker pretends to be the real information sender, can deal with message authentication codes and digital signatures.Finally, one may repudiate his or her certain behavior, and the digital signatures provide the efficacy of non-repudiation.

One-time pad
Define that encryption algorithm E maps plaintexts m ∈ M to ciphertexts c ∈ C. According to Shannon's information theory, an algorithm E is perfectly secret if C and M are independent, i.e., Pr(m, c) = Pr(m) × Pr(c).The one-time pad [10] encryption satisfies the above definition, where a plaintext is paired using the XOR operation with a random secret key of the same length.Learning the ciphertext does not increase any plaintext information.In addition, each encryption requires a new and independent random key; hence, knowing details about the previous key does not help the attacker.
In our one-time universal 2 hashing quantum digital signatures (OTUH-QDS) scheme, we utilize the one-time pad to encrypt the hash value and the irreducible polynomial to acquire the signature so that we can completely conceal the information of (almost) universal 2 hash functions.

LFSR-based Toeplitz hashing and message authentication
The LFSR-based Toeplitz matrix [46] is the almost universal 2 hash function, where the hash function is determined by an irreducible polynomial p(x) = x n + a n−1 x n−1 + ... + a 1 x + a 0 of degree n over the Galois field GF(2) and n-bit random initial vector, just requiring a total of 2n bits.The randomness of the initial vector and irreducible polynomial together guarantees the security of LFSR-based Toeplitz hashing.The collision probability of LFSR-based Toeplitz hashing is bounded by ǫ = m/2 n−1 , which quantifies the upper bound on the probability of finding any two different documents with the same hash value.The LFSR-based Toeplitz hashing operation can be written as h p,s (M )= H nm • M = Failure probability of authentication.-Here,we first provide the information-theoretical security proof of message authentication [46].We remark that the security proof in the original literature is omitted [46], we provide a detailed proof here, and the conclusions are consistent.Suppose the message authentication scenario that an attacker Eve captures a tag and message {T ag, M } from the sender Aida, as shown in Fig. 7a.Note that the tag is acquired by using random secret key Key to encrypt hash value Hash with a one-time pad, i.e., T ag = h p,s (M ) ⊕ Key.Eve cannot obtain any information of the Toeplitz hash function and the hash value due to the one-time pad.Eve can only randomly guess the initial vector s and irreducible polynomial p. Eve can tamper with the message successfully if and only if he guesses a combination {t, m} with a very small probability that meets the relationship h p,s (m) = t.Eve sends a new (tampered) tag and message {T ag ′ = T ag ⊕ t, M ′ = M ⊕ m} to the recipient Basel.In this case, the recipient will accept the message because of the relationship h p,s (M ⊕ m) = h p,s (M ) ⊕ h p,s (m) = T ag ⊕ t ⊕ Key.It must be mentioned that m = 0 due to the requirement of a valid forge.Thus, the failure probability ǫ aut of authentication by using LFSR-based Toeplitz hashing can be defined by the probability of one successfully choosing a combination {t, m} with the relationship h(m) = t and m = 0, We remark that the attacker Eve does not have any prior information about p and s and can only guess randomly.Moreover, before Eve sends the tag and message to the recipient, Eve also cannot be sure if he guessed correctly even if he exhausts all the possibilities, which is with the information-theoretical security [46].To quantify the failure probability ǫ aut , we need to consider two cases, t = 0 and t = 0. Note that h p,s (M ) can be rewritten as where W is the n × n circulant matrix with the first row being p. Denote the characteristic value of W as λ i (i = 1, 2, 3, ..., n).One can diagonalize the matrix m−1 i=0 M i+1 W i , and the diagonal elements are m(λ i ).After calculation, it can be verified that p(x) is just the characteristic polynomial of W , which means that there is the relationship p(λ i ) = 0.For the first case h p,M (s) = t = 0, since s = 0, h p,M (s) = 0 only if there exists a zero diagonal element in the diagonalized matrix, i.e., it has a zero characteristic value.Thus, there exists a λ i satisfying m(λ i ) = 0.This is equivalent to p(x)|m(x) since p(λ i ) = 0.The probability of such an event is at most the number of possible irreducible factors of M (x) divided by the total number of irreducible polynomials of degree n.The former is at most m/n, and the latter is at least 2 n−1 /n [2].Thus, the probability of h p,s (m) = t = 0 is at most (m/n)/(2 n−1 /n) = m/2 n−1 .We include all the cases in which there exists a λ i satisfying m(λ i ) = 0 in the first case, which is equivalent to the fact that the rank of m−1 i=0 M i+1 W i is less than n.Thus, for the second case h p,M (s) = t = 0, the rank of • s is a bijection, i.e., one-to-one mapping.There are 2 n − 1 possible values of s = 0 corresponding to the 2 n − 1 different tag values, so the probability of h p,s (m) = t = 0 is 1/(2 n − 1).Therefore, the upper bound on the failure probability of message authentication using LFSR-based Toeplitz hashing is [46] ( We remark that message authentication is the premise and foundation for realizing the information-theoretical security of quantum key distribution [47], where the basis sift, error verification, and privacy amplification steps all require message authentication to ensure the information-theoretical security.
4. Secure OTUH-QDS against Bob's forgery attack Now, we will show that Bob's forgery attack in our OTUH-QDS protocol will be related to Eve's attack in secure message authentication, as shown in Fig. 7b.These two types of attacks are different but have many correlations.In message authentication, the message sender Adia and recipient Basel are honest and trust each other all the time.They will get together to against Eve's attack.A successful attack in message authentication is when Eve changes the tag and message and the recipient will accept it.In our OTUH-QDS, there are two types of Bob's forgery attacks since the signer Alice cannot be regarded as always honest.The first type is that Bob can generate a new signature and document if Alice has not signed a document at all.The second type is that Bob can change the signature and document if Alice has signed a document.Note that Bob does not have any information about the initial vector and the irreducible polynomial before he forwards the signed signature and document to charlie, which is the same as Eve in message authentication.We assume that the informationtheoretically secure message authentication and OTUH-QDS will be performed many rounds to transfer multiple messages and sign multiple documents, respectively.Obviously, for the first round, the initial vector and irreducible polynomial are new and random.The failure probability is the same between Eve's attack in message authentication and Bob's forgery attack with the second type in OTUH-QDS since the attacker's purpose and the conditions for success are exactly the same, i.e., the failure probability are both m/2 n−1 .
However, there is an important difference between message authentication and OTUH-QDS in the second round and beyond.In message authentication (Adia and Basel are always honest), the input initial vector and the irreducible polynomial can be fixed [12,47] in later rounds since the attacker Eve cannot know the initial vector and the irreducible polynomial after message authentication has been performed.Bob also does not have any information about the initial vector and the irreducible polynomial before forwarding the signed document and signature to charlie.However, Charlie will forward his key bit strings to Bob after Charlie receives the document and signature forwarded by Bob.Thus, Bob can obtain all the information of the initial vector and the irreducible polynomial after the implementation of each round of digital signatures.To forbid Bob to exploit the information from the previous round to implement the attack.An important observation in our OTUH-QDS protocol is that the initial vector and the irreducible polynomial cannot be fixed and must be randomly updated in every round.In other words, the universal 2 hash function will only be used once and then be updated.Thus, we denote it as one-time universal 2 hashing, which is similar to the one-time pad.

Algorithms for testing irreducibility of polynomials over GF(2)
Irreducible polynomial.-Acrucial point is that in every round, the signer must randomly choose an irreducible polynomial in our OTUH-QDS scheme.In our protocol, Alice finishes this task with an n-bit quantum random number.Denote the format of the irreducible polynomial as p( where a i = 0 or 1.Then p(x) can be characterized by an n-bit string p = (a n−1 , a n−2 , • • • , a 1 , a 0 ), i.e., every bit of the string determines a corresponding coefficient of p(x).To generate the irreducible polynomial, Alice first uses the n-bit random number to generate a polynomial p 1 (x), and checks out whether p 1 (x) is irreducible.If p 1 (x) is irreducible, it will be used to generate the LFSR-based Toeplitz matrix.Otherwise, Alice utilizes a new n-bit random number to obtain a new string and generates a new polynomial and then examines whether it is an irreducible polynomial.Alice will repeat this step until she generates an irreducible polynomial.For example, choose n = 128.Assume Alice first generates p 1 (x) = x 128 + x 29 + x 25 + x + 1.Then, she will find it reducible and successively generate and examine p 2 (x) = x 128 + x 50 + x 27 + x 2 + 1 and p 3 (x) = x 128 + x 29 + x 27 + x 2 + 1.Finally, she finds p 3 (x) irreducible and chooses p 3 (x) as the irreducible polynomial to generate the Toeplitz matrix.Note that for an irreducible polynomial p(x), one always has a 0 = 1.Thus, we can use n − 1 random bits (a n−1 , a n−2 , • • • , a 1 , 1) to generate the polynomial.We remark that the quantum random number used for generating the irreducible polynomial is produced locally by Alice's quantum random number generator.
The test algorithm.-Thefollowing is the concrete method we employed to check whether a polynomial over GF(2) is irreducible or not.Suppose p(x) is a polynomial of order n in GF(2).According to [52], the necessary and sufficient condition for p(x) being irreducible is: where d is any prime factor of n and gcd (f (x), g(x)) represents the greatest common divisor (GCD) of f (x) and g(x).In our scheme, n = 128 = 2 7 , i.e., n only has one prime factor "2". Thus, to verify condition (2), we just need to examine gcd x 2 64 − x, p(x) = 1.To speed up our calculation, we utilize fast modular composition (FMC) algorithms and an extended Euclidean algorithm [53].The FMC algorithms can calculate x 2 128 and x 2 64 mod p(x) with high speed by calculating x 2 2 7 and x 2 2 6 , while the extended Euclidean algorithm can quickly finish the GCD calculation.Thus, conditions (A) and (B) can be verified efficiently.In our simulation, we search 1000 irreducible polynomials, and on average, it takes 73.6 tests to find an irreducible polynomial, consistent with the conclusion [46] that the total number of irreducible polynomials of order n in GF( 2) is at least 2 n−1 /n and at most 2 n /n [2].We implement our simulation in a desktop with an Intel i5-10400 CPU (with RAM of 8 GB), and on average, it takes approximately 0.36 seconds to generate an irreducible polynomial of order 128 from a 128-bit random input.

Numerical simulation of our QDS via quantum key distribution element
Considering the case that we have two quantum key distribution links between Alice-Bob and Alice-Charlie, the two links have the same loss.Alice and Bob share one set of secret keys S 1 , while Alice and Charlie share the other set of secret keys S 2 by implementing quantum key distribution (QKD) with the key rate R QKD .For the requirement of secret sharing, Alice, Bob and Charlie utilize K a , K b and K c as their correlation keys, respectively, where K a = S 1 ⊕ S 2 , K b = S 1 and K c = S 2 .Therefore, the signature rate can be defined as R QDS = R QKD /3n, since one needs a 3n-bit key to implement OTUH and OTP in our OTUH-QDS protocol.(6.1) Sending-or-not-sending twin-field quantum key distribution [36].The secure key rate is given by where t is the probability of sending the signal pulse at a signal window, µ is the intensity of the signal pulse, Y 1 is the counting rate of Z 1 -windows, Q Z is the observed counting rate of Z-windows, e ph 1 = e X1 1 is the phase-flip error rate for Z 1 -windows, E Z is the bit error rate for Z-windows, and f is the error correction efficiency.The yield Y 1 and error rate e X1 1 can be estimated by exploiting the decoy-state method, where ν is the intensity of the decoy pulse, Q ka,k b is the gain when Alice chooses intensity k a and Bob chooses intensity k b (k a , k b ∈ {µ, ν, 0}), E pm νν is the bit error rate, Q pm νν is the gain of intensity ν for both Alice and Bob after successful postselected phase-matching and Y 0 = Q 00 is the counting rate of the vacuum state.
The gain Q ka,k b can be given as where η = η 2 d × 10 −αL/10 is the total efficiency and η d , α and L are the detector efficiency, attenuation coefficient and distance, respectively.p d is the dark count rate, and I 0 (x) is the modified Bessel function of the first kind.The gain Q pm νν and bit error rate E pm νν can be given by where e x d is the misalignment rate of the X basis.Therein, the correct gain Q pm c,νν and incorrect gain Q pm e,νν are and where erf(x) and erfi(x) are the error function and imaginary error function, respectively.The gain Q Z and bit error rate E Z can be given by and In the simulation, we set p d = 10 −8 , f = 1.1, η d = 85%, e d = 2% and α = 0.167 dB/km.The light intensities and probability t are globally optimized.
Here we present the simulation details of the phasematching quantum key distribution.The overall secure key rate is given by where Q µ is the total gain of the signal pulses, 2/D is the phase-sifting factor with D = 16, f is the error correction efficiency, h(x is the binary entropy function, E ph is the phase error rate and E b is the bit error rate.The overall phase-error rate [54] is bounded by E ph ≤ 1 − q 1 , where q 1 = µe −µ Y 1 /Q µ .By using the decoy state method with three intensities, the yield of the single-photon component can be given as For simulation, the gain of intensity k (k ∈ {µ, ν, 0}) is (6.3)Discrete-modulated continuous-variable quantum key distribution [38].
In the case of reverse reconciliation, the secret key rate under collective attacks in the asymptotic limit is given by R QKD = p pass [I(X; Z) − max ρ∈S χ(Z : E)], where I(X; Z) is the classical mutual information between Alice's string X and the raw key string Z, χ(Z : E) is the information of Eve's knowledge about the raw key string Z and p pass = 1 − 1 2 ∆c −∆c P (q|0)dq − 1 2 ∆c −∆c P (q|1)dq is the sifting probability.P (q|0) and P (q|1) are probability distributions of Bob's homodyne detection conditioned that Alice generates bit 0 or 1.The set S contains all density operators compatible with experimental observations.According to [38], this key rate can be reformulated as a convex optimization problem, and the secret key rate is R = min ∆c P (q|1)dq .The convex optimization problem can be described as follows: where n = 1 2 (q 2 + p2 − 1) = â † â and d = q2 − p2 = â2 + (â † ) 2 .We consider a quantum channel with transmittance η = 10 −0.167L/10 where L is the distance and excess noise ξ = 0.01.In such a model, we have The expectation values can be given by q = 2ηRe(α), α is the amplitude of the signal, and we optimize α the interval of [0.35, 0.6] with a step of 0.01.
From an information-theoretic point of view, in the case of reverse reconciliation, Alice and Bob can distill perfectly correlated secret key bits provided that the amount of information they share I AB is higher than the information acquired by Eve χ BE under collective attacks.Therefore, the secret key rate is defined as R = I AB − χ AB .Considering the inefficiency of error correction, a factor β is introduced as the reconciliation efficiency, and the secret key rate formula is R QKD = βI AB − χ AB .In our numerical simulation, we use β = 0.95.We calculate the mutual information using where V is the variance of the thermal state observed at Alice's lab, and χ tot is the total excess noise added between Alice and Bob.Here, we detail the formula of χ tot as follows: where T is the transmission of the quantum channel, ξ is the excess noise, v el is the electronic noise and η is the detection losses.To draw the line, we set η = 0.85, v el = 0, ξ = 0.01, T = 10 −0.167L/10 and V is optimized.L is the distance.Under collective attacks, Eve's accessible information is upper bounded by the Holevo quantity χ BE satisfying where G(x) = (x + 1)log 2 (x + 1) − x log 2 x, and {λ i } are the symplectic eigenvalues of the covariance matrix characterizing the quantum state. where .
For the measurement-device-independent quantum key distribution, we consider Alice and Bob sending a coherent state and the ideal case where only the channel loss and detector efficiency are taken into consideration.The secret key rate is given by where e is the natural constant, η = η d × 10 −αL/20 is the total channel transmittance and L is the distance between Alice and Bob.We set η d = 85%, α = 0.167 dB/km.

Numerical simulation of our QDS via quantum secret sharing element
Different from quantum key distribution, quantum secret sharing can directly offer secret sharing correlation with unconditional security via quantum laws.
In quantum secret sharing of three users, Alice is the dealer, while both Bob and Charlie are players.Even though one of Bob and Charlie is dishonest, they can also generate the secure correlation key K a = K b ⊕ K c .We assume that the distances of Alice-Bob and Alice-Charlie are the same.The signature rate can be defined as R QDS = R QSS /3n, since one needs a 3n-bit key for OTUH and OTP.
Using the Greenberger-Horne-Zeilinger (GHZ) state can realize quantum secret sharing directly.Here, we consider an equivalent prepare-and-measure protocol.In our simulation, we only consider the photon loss in the quantum channel and detector.Therefore, the secret key rate is given by where η = η d × 10 −αL/10 , η d = 85% and α = 0.167 dB/km.L is the distance between Alice and Bob (Charlie).
By exploiting the postselected GHZ state, one can also realize quantum secret sharing.We only consider the photon loss from quantum channels and detectors here.
The secret key rate of using a single-photon source can be given by Here, we have η = η d × 10 −αL/10 , η d = 85%, α = 0.167 dB/km and assume that there is no loss of Alice's photon.The factor 1/4 comes from only two of eight GHZ states that can be identified.L is the distance between Alice and Bob (Charlie).
The secret key rate per pulse of the round-robin quantum secret sharing with a twin-field for sending d coherent pulses each train in the case of the inside adversary can be written as where we have Q = min{Q A , Q B }. Q A and Q B are the gains of Charlie's successful detection from Alice and Bob, respectively.The phase error rate is The average gain Q and bit error rate e b of each train can be written as and where η = η d × 10 −αL/10 is the efficiency between Alice and Bob (Charlie).In addition, we have the gains Q A = Q B = Q/2 due to the symmetry.Let n be the total photon number in a train of optical pulses with total intensity µ.Then, the probability of finding more than n th photons in a train of optical pulses can be written as where n th is an integer constant chosen in this protocol.
For the simulation, we set p d = 10 −8 , f = 1.1, η d = 85%, α = 0.167 dB/km and e d = 2%.The intensity µ, the selected integer n th and the number of optical pulses d are globally optimized.
For the single-qubit quantum secret sharing protocol with a single photon source, the final key rate can be easily derived based on phase-error correction where is the total transmittance; 2L is the total distance.The intensity µ is globally optimized.We set p d = 10 −8 , f = 1.1, η d = 85%, α = 0.167 dB/km and e d = 2%.
The final key rate for differential-phase-shift quantum secret sharing using a twin-field is bounded by where Q µ is the gain of the whole system.h is the Shannon entropy, and f is the error correction efficiency.P co is the upper bound of collision probability when considering individual attacks, which can be concluded as The total gain and the total error rate with an intensity of µ are given by where e d is the misalignment error rate of detectors.η = η d × 10 −αL/10 is the efficiency between Alice and Bob (Charlie), where η d is the detection efficiency of Charlie's detectors.The intensity is globally optimized.We set p d = 10 −8 , f = 1.16, η d = 85%, α = 0.167 dB/km and e d = 2%.

Experimental details
In the transmitting end, a master laser generates a repetition rate of 200 MHz and phase-randomized laser pulses 1.6 ns-wide at 1550.12 nm.To avoid using a phase modulator, we utilize two slave lasers to generate relative phases 0 and π by using the quantum properties of the beam splitter.An asymmetric interferometer with a 2 ns time delay divides each master pulse into two pairs of optical pulses with relative phases 0 and π.Then, the two pairs of optical pulses are injected into two slave lasers through the optical circulator.With the help of controlling the trigger electrical signal of two slave lasers, one generates a quantum signal only in the first time-bin or the second time-bin to constitute the Z basis, and one prepares a quantum signal both in two time-bins with a 0 or π phase difference to constitute the X basis.A 50 GHz bandwidth fiber Bragg grating is exploited to precompensate for pulse broadening and to remove extra spurious emission.The 2 ns-wide synchronization pulses with repetition rates of 100 kHz are transmitted via the quantum channel by using wavelength division multiplexed.The slave pulse width is 400 ps, which is much larger than the 10 ps timing resolution of the programmable delay chip, which means that the time consistency can be accurately calibrated.The spectral consistency is naturally satisfied through the laser seeding technique [55].
In the receiving end, a 30:70 biased beam splitter is used to perform passive basis detection after a wavelength division demultiplexer.A probability of 30% is measured in phase interference and the probability of 70% is used to receive in the time basis.A Faraday-Michelson interferometer realizes the phase measurement, where phase drift is compensated in real time by using the phase shifter.Two single photon detectors are used to measure the first time bin and the second time bin in the Z basis.Another two single photon detectors are used to measure the 0 and π phase difference in the X basis.The total insertion losses of the time and phase bases are 4.25 and 8 dB, respectively.The efficiency of single-photon detectors is 20% at a 160 dark count per second.To decrease the after-pulse probability, we set the dead times to 10 and 25 µs for the Bob-Alice and Charlie-Alice links, respectively.
A four-intensity decoy-state protocol [56][57][58] is adopted, where the intensities of the Z basis are set as µ = 0.35 and ν = 0.15, and the intensity of the X basis is ω = 0.3.The intensity of the vacuum state is 0, which does not contain any basis information.The corresponding probabilities are p µ = 0.78, p ν = 0.1, p ω = 0.08 and p 0 = 0.04.Thereinto, the amplitude modulator generates two different intensities, and the intensity of ω is double that of ν since it has two pulses in the X basis.
The error correction and privacy amplification are carried out using a field-programmable gate array.Each time, privacy amplification will be performed after accumulating data approximately to the size of 4 Mb via approximately ten times of error correction, where the data size excludes the amount of information leaked in error correction.For the link of Alice-Bob with 101 km (Alice-Charlie with 126 km), one needs to accumulate approximately 153 (560) seconds of data for privacy amplification to extract a secure key.Here, we only list the experimental data of one set and calculation results related to privacy amplification, as shown in Tables II and III.
To compare with the experimental results, we use the relevant experimental parameters to simulate the secure key rate, as shown in Table III.The length of the final key, which is ε cor -correct and ε sec -secret, can be given where h(x) := −x log 2 x − (1 − x) log 2 (1 − x), and x (x) denotes the upper (lower) bound of the observed value x.Using the decoy-state method for finite sample sizes, the expected numbers of vacuum events s zz * 0 and singlephoton events s zz * 1 can be written as and where n z(x) k is the count of k (k ∈ {µ, ν, ω}) intensity pulse measured in the Z(X) basis, and x * is the corresponding expected value of given observed value x.The upper and lower bounds can be acquired [60]  2p0 n x * 0 .For a given expected value, the upper and lower bounds of the observed value can be given as x = x * + β 2 + 2βx * + β 2 4 and x = x * − √ 2βx * , respectively.By using random sampling without replacement, the phase error rate in the Z basis is where we have γ U (n, k, λ, ǫ) = Experimental demonstration the single-bit-type QDS of Ref. [25].
All the shared keys do not require error correction, and privacy amplification, i.e., n µ , can be used for signature.For a one-bit message, suppose that 2L bits of keys are used.Then the security level of the signature can be bounded by [31] ǫ = max(P (honest abort), P (repudiation), P (f orge)), where we choose s a = E + pe−E 3 , s v = E + 2(pe−E)

3
, and E is the upper bound bit error rate of the signal state.p e can be determined by where c zz i = s zz i /n µ .Note that it is different between the Bob-Alice link and Charlie-Alice link.The parameters E and p e should choose the maximal and minimum values, respectively.By using the experimental data, we can estimate p e = 7.06%, s v = 5.79%, s a = 4.52% and E = 3.24%.Thus, to sign one bit, we need raw keys with 2L = 1.09 × 10 6 (4.66 × 10 5 ) bits, and the probability of honest abort, repudiation and forge are P (honest abort) = P (repudiation) = P (f orge) = ǫ = 10 −38 (10 −16 ), respectively.When the length of the document is one megabit, the signature security bound ǫ = 10 −16 is ǫ = 1 − (1 − ǫ10 6 ) ≈ 10 6 • ǫ = 10 −32 (10 −10 ).

FIG. 2 .
FIG. 2. Schematic diagram for the QDS and the corresponding example.(a) Compared with the classical scheme, Charlie plays the role of a certificate authority.Alice's key can be viewed as a quantum private key, while Bob's key is a quantum public key; in our protocol, they are asymmetric.The information-theoretically secure OTUH replaces the fixed one-way hash function.Here, we omit the pre-distribution stage for information-theoretically secure asymmetric quantum key generation, which replaces the classical private and public key generation process.(b) As an example, we sign a document of "The 120th anniversary of Nanjing University."The details of the document, digest, signature, irreducible polynomial, and key bit strings are shown in hexadecimal.

FIG. 4 .
FIG. 4. Experimental setup of the quantum secure network.(a) Bob (Charlie) exploits a master laser, an asymmetric interferometer, two slave lasers, two circulators (Circ), and a beam splitter (BS) to prepare optical pulses in the Z and X bases by controlling the trigger electrical signal of slave lasers.The decoy signals are generated by the amplitude modulator (AM), whereas the vacuum state is produced by removing the triggered signal of slave lasers.The optical pulses pass through a set of fiber Bragg grating (FBG), circulator, and attenuator (Att) to be modulated at the single-photon level.The synchronization (Syn) signal is transmitted to quantum channels with a dense wavelength division multiplexer (DWDM).The synchronization pulse is detected by an avalanche photodiode (APD).A biased beam splitter is utilized to realize a passive basis measurement with a single-photon detector (SPD).An asymmetric interferometer is formed by two Faraday mirrors (FM), a phase shifter (PS), and a beam splitter.The quantum signals sent by Bob (Charlie) are received by Alice by time-division multiplexing (TDM).(b) Experimental results of the decoy-state quantum key distribution.The blue and red curves of the secret key rate correspond to the simulation results using experimental parameters.(c) Demonstration of quantum digital signatures.The document to be signed with a length of 130,250 bytes includes the timestamp, identity number of the desert image, and the image itself.

FIG. 5 .
FIG. 5. Experimental demonstration of other cryptographic tasks.All encrypted images and secret (conference) keys are demonstrated as images of white noise.(a) Encryption.A prairie image with a size of 112,500 bytes is encrypted via an OTP, utilizing identical secret keys shared between Bob and Charlie, to realize the perfectly private communication.(b) Secret sharing.An image of a mountain with a size of 79,800 bytes is used to realize provable secret sharing.Bob and Charlie can decrypt the image only when they work together to reconstruct the secret keys of Alice.(c) Conference key agreement.An image of a lake with a size of 139,500 bytes is adopted to implement group encryption.All users of this group can obtain the information of the encrypted figure separately.

FIG. 7 .
FIG. 7. Comparing message authentication and digital signatures.(a) Information-theoretically secure message authentication.Aida and Basel are the message sender and recipient, respectively, while Eve is the attacker.Eve tries to make Basel accept the tampered tag and message {T ag ′ , M ′ }.The black dotted line represents Eve's attack process.(b) OTUH-QDS.For Bob's forgery attack, he tries to make Charlie accept the forged siganture and document {Sig ′ , Doc ′ }.The red solid line represents the authentication classical channel, which has information-theoretical security by performing message authentication.

TABLE II .
List of the experimental data used for one-time secure key generation.

TABLE III .
List of the calculation results used for one-time secure key generation.

TABLE IV .
Simulation parameters of the link between Alice-Bob (Charlie).e z d and e x d are the misalignment rates of the Z and X bases, and t dead is the dead time of the detector.