Quantum dual signature scheme based on coherent states with entanglement swapping
Liu Jia-Li, Shi Rong-Hua, Shi Jin-Jing†, Lv Ge-Li, Guo Ying
School of Information Science and Engineering, Central South University, Changsha 410083, China

 

† Corresponding author. E-mail: shijinjing@csu.edu.cn

Project supported by the National Natural Science Foundation of China (Grant Nos. 61272495, 61379153, and 61401519) and the Research Fund for the Doctoral Program of Higher Education of China (Grant No. 20130162110012).

Abstract

A novel quantum dual signature scheme, which combines two signed messages to be sent to two different receivers, Bob and Charlie, is designed by applying entanglement swapping with coherent states. The signatory Alice signs two different messages with unitary operations (corresponding to the secret keys) and applies entanglement swapping to generate a quantum dual signature. The dual signature is first sent to the verifier Bob, who extracts and verifies the signature of one message and transmits the rest of the dual signature to the verifier Charlie, who verifies the signature of the other message. The transmission of the dual signature is realized with quantum teleportation of coherent states. The analysis shows that the security of the secret keys and the security criteria of the signature protocol can be guaranteed. An extended multi-party quantum dual signature scheme, which considers the case with more than three participants, is also proposed in this paper, and this scheme remains secure. The proposed schemes are suited to quantum communication networks with multiple participants and can be applied to e-commerce systems which require secure payment among the customer, business and bank.

1. Introduction

Quantum cryptography is a new cryptosystem which combines quantum theory with classical cryptography.[1] Because it is based on the Heisenberg uncertainty principle and the quantum no-cloning theorem,[2] it has provable security. Quantum cryptography includes many branches, such as quantum key distribution (QKD), quantum secret sharing (QSS), quantum identification (QI), quantum secure direct communication (QSDC), quantum signature (QS), quantum encryption algorithm (QEA), etc.

A QS is additional information attached to a message for the purpose of preventing the message from being forged or tampered with.[3] It is based on physical properties which provide unconditional security, and it is one of the most important ways to realize identity and message authentication. QSs are classified into two categories, i.e., arbitrated quantum signatures (AQSs) and true quantum signatures (TQSs). An AQS always needs the participation of a trusted arbitrator, whereas a TQS requires a trusted arbitrator only in the case of a dispute. Moreover, a QS algorithm must follow three principles, namely, non-forgery, non-repudiation, and quantum properties.

So far, researchers have proposed many quantum signature schemes. Based on quantum one-way functions and the quantum swap test, Gottesman and Chuang first presented a quantum digital signature protocol in 2001.[4] In 2002, Zeng and Keitel put forward a signature scheme based on the Greenberger–Horne–Zeilinger (GHZ) triplet states, whose realization depends upon a trusted arbitrator.[1,5,6] In 2007, Wen and Liu presented a quantum signature protocol without the participation of the arbitrator.[7] In the same year, Zeng et al.[3] presented a true quantum signature protocol based on a continuous-variable entangled state. Shi et al. proposed a multiparty quantum proxy group signature scheme[8] in 2011 and a (t,n)-threshold quantum group signature scheme[9] in 2012, which are both based on the quantum Fourier transform. In 2013, Shi et al.[10] presented a batch proxy quantum blind signature scheme with three-dimensional two-particle-entangled quantum-trits. In 2014, Dunjko et al.[11] introduced a quantum digital signature scheme which applies coherent states without quantum memory. In 2014, Chao et al. investigated the cryptanalysis and the corresponding improvements of the previously proposed AQS schemes, and constructed a novel enhanced AQS scheme.[12] Recently, Shang et al.[13] first proposed a quantum homomorphic signature protocol by using entanglement swapping, which is used to authenticate data packets of multiple streams for quantum networks.

However, the signature protocols mentioned above either utilize discrete variables, or consider the situation for only one message. It is known that the transmission efficiency of discrete-variable protocols is much lower than that of continuous-variable protocols, and a single photon for the discrete variable is difficult to detect. Thus the efficiency of signature protocols is expected to be improved with continuous variables. The coherent state is one of the continuous-variable states and it is the quantum state which is closest to the classical state. The entangled coherent state (ECS), which is made up of coherent states, is widely exploited in quantum information processing.[14–16] There are two advantages of the ECS. On one hand, the ECS is robust to decoherence caused by the absorption of photons.[17] On the other hand, quantum information processing based on the ECS can be achieved with existing experimental techniques, such as linear optics. What is more, the multi-signature requirement in a quantum communication network which involves multiple participants should be taken into consideration as well. In the e-commerce system, a classical dual signature can be utilized for realizing the connection of two different messages.[18,19] In detail, the dual signature combines the customer’s order information and payment information, which are encrypted with separate secret keys. It can be used to solve the problem that the customer’s order information (payment information) should be hidden from the bank (business) while the payment information should be blindly forwarded to the bank by the business.

Inspired by the dual signature schemes and the advantages of continuous variables, a new quantum dual signature scheme based on coherent states with entanglement swapping[20–22] is proposed in this paper. Compared with the discrete-variable schemes, the message and signature states in our scheme are convenient to generate and operate. Specifically, the quantum dual signature is generated by combining two signed messages with entanglement swapping. The information transmission in our scheme takes advantage of quantum teleportation of coherent states.[23,24] Our proposed scheme satisfies the security criteria of the signature protocol.

The main contributions of this paper are presented below.

The rest of this paper is organized as follows. In Section 2, we introduce the beam splitter with coherent states. Section 3 describes the quantum dual signature algorithm including the initial phase, the signing phase, and the verification phase. The security of the proposed scheme is analyzed in Section 4. The quantum dual signature scheme which involves more than three participants is discussed in Section 5. Finally, conclusions are drawn in Section 6.

2. Beam splitter with coherent states

Beam splitters (BSs) are the most commonly applied optical components.[24,25] They are passive components which do not need external energy and can actually operate in the laboratory. The BS couples incident lights or generates two light beams with the same frequency. A loss-less 50:50 BS is denoted with

and it transforms the coherent state |α〉1|β〉2 to be

where and âj respectively represent the bosonic creation and annihilation operators of system j ∈ {1,2}. It is well known that a −π/2 phase shifter can be described with the unitary operator . Equipping the BS with a pair of −π/2 phase shifters, we obtain the operator[26] T12 = P2B12P2 which transforms the state |α〉1|β〉2 to be

This is a significant operation which can be used to generate ECSs. Generally, the bipartite ECS[27] with two modes of the electromagnetic field is described as

where μ and ν are complex numbers. |α〉 and |γ〉 (|β〉 and |δ〉) are coherent states of system 1 (2).

Based on Eq. (2), if a coherent superposition state[17]

and a vacuum state |0〉2 are input states of the BS which is accompanied by two −π/2 phase shifters, the outcome will be

where |α〉 and |−α〉 are coherent states with opposite amplitudes, Nα and are the normalization factors. Thus, we acquire the ECS |ϕ〉12 which plays an important role in our scheme.

Generally, we consider the following four two-mode ECSs[28] as quasi-Bell states, i.e.,

where N1 and N2 are normalization factors. Then we construct a pair of orthonormal bases[28] which are constructed from |α〉 and |−α〉, i.e.,

where Nω = cos² 2ω is the normalization factor, and the parameter ω satisfies sin 2ω = 〈α|−α〉. We also define four operators I, σx, iσy, and σz, and their functions[29] are shown as follows:

The above operations of BSs are important to most of the quantum information processes which involve the coherent states. Additionally, ECSs are easier to detect. Therefore, we present the following quantum dual signature scheme based on the properties of ECSs and BSs.

3. Quantum dual signature scheme

The schematic representation of the proposed scheme is shown in Fig. 1. There are three participants: the signatory Alice and the verifiers Bob and Charlie. The proposal includes three phases, i.e., the initial phase, the signing phase, and the verification phase, which are described in detail in the following.

Fig. 1. Schematic representation of the quantum dual signature scheme. The signatory Alice first signs messages 1 and 2 which are required to be received by Bob and Charlie, respectively. Then she combines the two signatures into a dual signature and sends it to the verifier Bob. Bob verifies the part of the quantum dual signature which is related to message 1 and transmits the rest of the dual signature to Charlie. Subsequently, Charlie completes the verification for the signature of message 2. PS and BS are phase shifter and beam splitter, respectively. The U box stands for performing unitary operations.

3.1. Initial phase

In this phase, Alice generates coherent superposition states, encodes her own message states with the secret keys and acquires corresponding ECSs. The procedures are described below.

Step 1 Alice shares her secret key KB (KC) with the verifier Bob (Charlie) by using continuous-variable quantum key distribution (CVQKD) protocols which are demonstrated to be unconditionally secure.[30–33]

Step 2 Alice prepares coherent superposition states |ψ〉B = {|ψ〉Bi | 1 ≤ i ≤ N} and |ψ〉C = {|ψ〉Ci | 1 ≤ i ≤ N}, where

N is the number of message states and Nα is the normalization factor. Then she modulates message 1 (message 2), i.e., M1 = {M1i | 1 ≤ i ≤ N} (M2 = {M2i | 1 ≤ i ≤ N}), on the coherent superposition states |ψ〉B (|ψ〉C). Note that Alice needs to prepare several copies of these coherent superposition states to facilitate comparison and reduce the error probability in the verification phase.

Step 3 Alice transforms the secret key KB into , where . According to these keys, Alice encodes |ψ〉Bi into |ψ〉′Bi with the phase-shift operation P(θBi) = exp(Bi aa). Likewise, on the basis of KC, Alice performs the corresponding operation P(θCi) = exp(Ciaa) on |ψ〉Ci to obtain . For simplicity, we define θBi (θCi) = 0 when the key is equal to 00 or 11, and θBi (θCi) = π when the key is 01 or 10.

Step 4 Alice inputs and a vacuum state |0〉Ei into the BS which is equipped with a pair of −π/2 phase shifters. As described in Section 2, Alice can acquire an ECS |ϕ〉BEi, i.e.,

Similarly, she obtains |ϕ〉CFi, i.e.,

where and are the normalization factors of |ϕ〉BEi and |ϕ〉CFi, respectively. The parameters xB, yB, xC, and yC are equal to 1 or −1.

3.2. Signing phase

This phase gives a specific description of the signature algorithm, i.e., Alice signs the message states by implementing unitary operations and merges these signed messages into a dual signature in the network. The technique used here is entanglement swapping which enables two parties that do not share quantum entanglement to share quantum entanglement with the assistance of a third party.[20] The signing phase is carried out by the following procedures.

Step 1 The expressions of |ϕ〉BEi and |ϕ〉CFi in Eqs. (13) and (14) can be rewritten separately in terms of the orthonormal bases |+〉 and |−〉 described in Eqs. (7) and (8), i.e.,

where

Alice chooses the operation based on her secret key , where the subscript X ∈ {B,C}. The corresponding relationship between the operation and the secret key is described in Table 1.

Table 1.

The corresponding relationship between the operations and the secret keys.


Then Alice implements the corresponding operation on state |ϕ〉BEi and derives the signature

where λ1 = (−1)^(k1⊕k2). k1 (k2) stands for the first (second) bit value of and the notation ⊕ stands for summation mod 2. Therefore, the signature of message 1 is

Similarly, she can also encode the state |ϕ〉CFi to obtain the signature

where λ2 = (−1)^(k3⊕k4). k3 (k4) equals the first (second) bit value of . We achieve the signature

of message 2. Specifically, Alice’s two signatures based on different secret keys are shown in Table 2, where and .

Table 2.

Alice’s signatures based on different secret keys.


Step 2 Alice combines her signatures and . Alice first combines states E and F in a balanced BS and then counts the photon number in mode f or e, as shown in Fig. 2. In accordance with the principle of entanglement swapping, the system B becomes entangled with the system C, i.e., B and C are projected into the ECS

where , NαBC is the normalization factor, and λ3 = (−1)k1k3. Because the new state contains the signature information for both message 1 and message 2, it is regarded as the dual signature SBC = {|ϕ〉BCi | 1 ≤ i ≤ N}.

Fig. 2. Entanglement swapping: in the beginning, there are two entangled links B–E and C–F. Here BS stands for a loss-less 50:50 beam splitter. Detectors 1 and 2 are photon detectors. Modes f and e stand for output modes of the BS. Alice randomly measures mode f or e and then different output states will be achieved. So entanglement between B and C is obtained after the measurement between E and F.

Step 3 Alice sends the dual signature SBC to the verifier Bob with the teleportation of ECSs. In order to transmit the ECS |ϕ〉BCi, we need at least a quantum channel |D〉GHI which is a tripartite entangled state.[23] The whole system which consists of the dual signature and quantum channel can be expressed as |Ψ〉 = |ϕ〉BCi|D〉GHI, where B, C, and G are at Alice’s side, and H and I are at Bob’s side.[23] Alice successively applies the operations TCB = PBBCBPB and TCG = PGBCGPG to the whole system. Then, she performs a two-mode number measurement on modes C and G. Subsequently, she transmits the outcome of the measurement to Bob through the classical channel. Therefore, Bob can obtain the information of the dual signature after he executes the corresponding unitary operations on particles H and I.[23]

3.3. Verification phase

The verification phase requires Bob (Charlie) to verify the signatures of message 1 (message 2) and judge whether the message states are authentic. This process does not need the participation of the arbitrator, unless there are controversies.

Step 1 Once receiving Alice’s dual signature SBC = {|ϕ〉BCi | 1 ≤ i ≤ N}, Bob randomly chooses n states of them and records their numbers. Since Alice has negotiated with Bob in advance that every quantum dual signature state corresponds to a binary bit, Bob sends the corresponding bits of the chosen states and their numbers to Alice through a classical channel. Alice generates the signature states based on Bob’s binary sequence and compares them with her own signatures. The error rate ɛforgeryɛ0 ensures that the following steps can continue to be executed, otherwise the protocol should be terminated, where ɛ0 is the error rate threshold.

Step 2 Based on , Bob implements the operation on state B of the dual signature, where the subscript ’Dec’ represents that the operation is carried out in the verification phase. The operators I, −σx, −iσy, and σz are chosen when are equal to 00, 01, 10, and 11, respectively.

Step 3 Bob performs the operation P(−θBi) based on and obtains the ECS |ϕ〉B′Ci.

Step 4 Bob gets the decoded message state and the encoded message state which separately relate to message 1 and message 2 by using Fourier multi-port devices.[34] In detail, the multi-port device considered in our scheme has two input optical modes and two output optical modes.

Step 5 Bob transmits to Charlie. Once receiving , i.e., the signature of message 2, Charlie applies on it based upon the secret key . Likewise, the operators I, −σx, −iσy, and σz respectively correspond to 00, 01, 10, and 11. Then Charlie performs the operation P(−θCi) and obtains the decoded state of message 2.

Step 6 Bob (Charlie) asks Alice to send the related classical description (binary sequence) of the states of her message 1 (message 2). Then |ψ〉Bi and |ψ〉Ci are separately acquired by Bob and Charlie based on the relevant descriptions. Bob compares the decoded message states with the initial message states |ψ〉Bi by applying BSs.[35] If , one of the output modes may contain only the vacuum state. Then Bob gains the parameter

Charlie compares |ψ〉Ci with , and gets the parameter

So Bob (Charlie) can draw a conclusion whether the signature is acceptable based on the parameter ϝ1 (ϝ2).

4. Security analysis

To guarantee security, a quantum signature scheme should satisfy two requirements.[36] One is that the attacker and the dishonest receiver cannot forge the signature after the completion of signing, and the other is that the signatory and the receiver cannot disavow the signature. On the basis of these security requirements, our protocol provides theoretical security since the attacker cannot obtain useful information about the secret key and the original message, the signatory is unable to disavow the signatures, and the verifiers cannot deny the received signatures. Subsequently, we analyze the security of the proposed scheme in detail.

4.1. Impossibility of forgery

According to our signature scheme, the two signatures of Alice are SB and SC, respectively. If the attacker Eve attempts to forge Alice’s signatures, she has to know the corresponding secret keys KB or KC. For the attacker, there are two ways to get information about the secret keys, i.e., she eavesdrops in the key distribution phase or obtains it from the signature.

However, due to the unconditionally secure CVQKD,[37–41] it is impossible to eavesdrop on the secret keys shared between the signatory and the verifiers. Moreover, the quantum one-time pad algorithm also ensures the security. On one hand, to prevent the recipient or the eavesdropper from forging a message in the quantum signature process, we should ensure that only Alice knows the complete information about the message states. If the attacker obtains the signature, she is ignorant of the signature algorithm. Thus Eve cannot infer the secret key from the signature. On the other hand, according to the characteristics of entanglement, once Eve tries to measure the signature to get the information of the keys, the entangled state may collapse and the forgery behavior can be discovered definitely, and then the honest correspondents may give up this communication. So Eve fails to deduce the key.

In the worst situation, if Eve gets KB (KC), she still has no information about the message states that were distributed to Bob (Charlie) without destroying the entanglement states. Moreover, if Eve tampers with the signature, the following example shows that the forgery can be definitely detected.

Example

Comparing Eq. (23) with Eq. (24), it is easy to see that if Eve tampers with Alice’s signatures, the entangled state of B and C may be changed. Supposing , as shown in Table 3, the states of legal communication are shown in case 0. There are fifteen cases for Eve’s forgery and three cases (5, 10, and 15) may be successful. So the probability of forging a single state is P = 3/15 = 1/5. What is more, for the other fifteen groups of secret keys, the probability is also 1/5. Thus, the probability of forging the entire signature is

where m is the number of states which are forged by Eve successfully and n is the total number of states which are chosen in step 1 of the verification phase. Obviously, the probability ɛforgery satisfies the binomial distribution and the binomial coefficient is given by the expression n!/[m!(n − m)!]. As shown in Fig. 3, for each n, ɛforgery has a maximum value which indicates the success probability of forgery in the best case. However, the optimal forgery probability is smaller when n is larger. Obviously, it is difficult to forge the entire signature since the value of ɛforgery approaches 0 when n → ∞. It is also necessary to define a forgery threshold ɛ0. Once the error rate ɛforgery exceeds the threshold ɛ0, the scheme should be discontinued.

Fig. 3. The forgery probability as a function of the amount of forged signature states. The three curves in lines correspond to n = 50, 100, and 200. It shows that ɛforgery has a maximum value for each n. But the optimal forgery probability is smaller when n is larger.

Table 3.

The quantum dual signatures under different conditions.


If the receiver Bob is malicious and attempts to forge Alice’s signature, he is obliged to know Charlie’s secret key KC. However, his forgery fails since he cannot obtain the secret key KC and has no idea of message 2. Besides, Charlie cannot forge the signature of message 1 since he has no chance of access to message 1’s signature. He also could not forge message 2’s signature, because he knows nothing about the message states of message 2. Based on the analysis, we can conclude that any forgery would fail.

4.2. Impossibility of disavowal by the signatory

In the proposed scheme, Alice signs messages 1 and 2 and integrates the two signatures to generate a dual signature, which includes the information of KB (KC) that is only distributed between Alice and Bob (Charlie). Thereby, it is easy to discover whether Alice disavows the signature or not. Furthermore, Alice may either recognize or disavow the signature, so the probability of disavowing a signature state is 1/2. Thus the probability of disavowal for the signature by Alice is

where l is the amount of signature states which are disavowed by the signatory. N stands for the length of signature. Similarly, the probability ɛdisavowal satisfies the binomial distribution and the binomial coefficient

From Fig. 4, we also conclude that ɛdisavowal can be very small when N is large enough. If ɛdisavowal exceeds the disavowal threshold ɛ1, it is concluded that Alice disavows her signature.

Fig. 4. The disavowal probability as a function of the amount of disavowed signature states. The three curves in lines correspond to N = 50, 100, and 200. Similarly, ɛdisavowal has a maximum value for each N and the optimal disavowal probability is smaller with N being larger.
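
The binomial behaviour described in Sections 4.1 and 4.2, as an added example (not code from the paper). It assumes ɛ = C(n, m) P^m (1 − P)^(n − m) with the per-state probabilities 1/5 and 1/2 stated in the text, because the closed-form equations do not survive on this page; the function names and the threshold value 0.1 are illustrative.

```python
from math import comb

# Per-state probabilities stated in the text.
P_FORGE = 1 / 5    # Section 4.1: 3 successful cases out of 15 forgery cases
P_DISAVOW = 1 / 2  # Section 4.2: Alice either recognizes or disavows a state


def binom_pmf(total, k, p):
    """Probability of exactly k successes among `total` independent states.

    Assumed form (the page only says "binomial distribution"):
    C(total, k) * p**k * (1 - p)**(total - k).
    """
    return comb(total, k) * p**k * (1 - p) ** (total - k)


def peak(total, p):
    """Return (k_star, probability) at the maximum of the curve over k.

    This is the "maximum value for each n" that Figs. 3 and 4 describe.
    """
    k_star = max(range(total + 1), key=lambda k: binom_pmf(total, k, p))
    return k_star, binom_pmf(total, k_star, p)


def all_states_succeed(total, p):
    """Probability that every one of the `total` checked states succeeds (k = total)."""
    return binom_pmf(total, total, p)


def first_size_below(p, threshold, limit=5000):
    """First number of checked states whose peak probability is below `threshold`.

    `threshold` stands in for the page's thresholds (ɛ0, ɛ1); the page gives
    no numeric value, so any value passed here is an assumption.
    """
    for total in range(1, limit + 1):
        if peak(total, p)[1] < threshold:
            return total
    return None


def summarize(p, sizes=(50, 100, 200)):
    """Rows of (size, k_star, peak probability, all-succeed probability)."""
    rows = []
    for total in sizes:
        k_star, prob = peak(total, p)
        rows.append((total, k_star, prob, all_states_succeed(total, p)))
    return rows


if __name__ == "__main__":
    for label, p in (("forgery", P_FORGE), ("disavowal", P_DISAVOW)):
        print(label)
        for total, k_star, prob, full in summarize(p):
            print(f"  size={total:3d}  peak at k={k_star:3d}  "
                  f"peak={prob:.4f}  all-succeed={full:.3e}")
    print("first n with forgery peak < 0.1:", first_size_below(P_FORGE, 0.1))
```

The peak column reproduces the trend the two figures describe (smaller maximum for larger n or N), while the all-succeed column shows how quickly the chance of every checked state passing vanishes.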

In particular, when there are disputes between the signatory and the verifiers, a trusted arbitrator is required. Alice just needs to transmit her messages and the corresponding signatures to the arbitrator. For example, if the signature which belongs to Alice can be decoded by Alice’s secret key, the signature has been executed by Alice; otherwise, Bob, Charlie or the attacker has forged the signature. It is apparent that the arbitrator plays an important role in judging whether Alice has disavowed her signatures when there are disputes or disagreements.

4.3. Impossibility of denial by the verifiers

The verifier Bob cannot deny his behavior. After the operation of entanglement swapping, Alice sends the dual signature SBC to Bob. Bob knows the secret key KB and performs operations on the dual signature during the verification phase. His willingness to verify the signature means that he received the dual signature, which contains the information of Alice’s signatures, and that he has indeed verified the signature, so he cannot later deny his involvement and actions. In the same way, Charlie also cannot deny. Based on KC, Charlie performs measurements and operations after receiving the signature of message 2, so he cannot deny his behavior.

According to the above analysis, we can determine that the proposed signature scheme can provide us theoretical security.

5. Extension

In real life, a merchant often trades with multiple customers and every customer has several different bank accounts. Thus the quantum dual signature scheme which contains more than three participants is discussed in this section. As shown in Fig. 5, Alice i (2 ≤ i ≤ n) is a customer, Bob is the business, and Charlie j (2 ≤ j ≤ m) is a bank. Since all Alices and Charlies are connected to Bob, any Alice must pass through Bob to reach any Charlie, namely, any Alice can correspond with any Charlie with the help of Bob.

Fig. 5. Schematic representation of the quantum dual signature scheme which involves multiple participants in the network. Alice i (2 ≤ i ≤ n) is a customer who signs her own two messages and generates a dual signature by applying entanglement swapping. Bob is the business who verifies the order information’s signature. Charlie j (2 ≤ j ≤ m) is the bank who verifies the signature of payment information of the corresponding customer.

The multi-party quantum dual signature scheme also includes three phases, i.e., the initial phase, the signing phase and the verification phase. The main difference between the multi-party quantum dual signature scheme and the three-party one is that Alice i needs to notify Bob of the trading bank in advance in the initial phase. We assume that Alice i wants to pay the order with her account in the bank Charlie j. The extended scheme is briefly described as follows.

Step 0 Alice i informs Bob through the classical channel that she wants to trade with him, and indicates to him which bank she wants to use. If Bob agrees to the transaction, he separately establishes the quantum channels with Alice i and the corresponding bank Charlie j.

Step 1 Alice i encrypts message 1 (2) by using the secret key shared with the verifier Bob (Charlie j).

Step 2 Alice i generates the ECSs based on the encrypted message states and then signs the ECSs by implementing unitary operations.

Step 3 Alice i combines the signatures of messages 1 and 2 into the dual signature and sends this dual signature to Bob.

Step 4 Bob extracts and verifies message 1’s signature and transmits message 2’s signature to Charlie j.

Step 5 Charlie j verifies the signature of message 2 and judges whether the message is falsified.

The unconditional security of our extended scheme can also be guaranteed. Moreover, the multi-party quantum dual signature scheme is well suited to the network. It also has important application value in the e-commerce system for its unconditional security.

6. Conclusion

A quantum dual signature scheme based on ECSs and entanglement swapping is presented in this paper, in which a signatory and two verifiers are considered. The signatory Alice signs two different messages 1 and 2 which are separately sent to two different verifiers Bob and Charlie. Alice aggregates those two signatures to generate a quantum dual signature with entanglement swapping. In order to make this scheme suitable for practical application, the signature verified by Charlie is forwarded by Bob. The verifier Bob (Charlie) can judge whether the signature of message 1 (2) is authentic and valid. Based on the security analysis with quantum properties, any attacker who attempts to counterfeit the signature would be detected, and the important rules of the signature protocol (impossibility of forgery, disavowal and denial) are observed, thus our protocol can guarantee the security unconditionally. The three-party scheme can also be extended to the multi-party scheme which contains more than three participants, and the extended scheme remains secure. Furthermore, the proposed schemes are quite appropriate for the e-payment system if they receive further theoretical and technical support.

References
[1] Zeng G, Keitel C H 2002 Phys. Rev. A 65 042312
[2] Greenberger D, Hentschel K, Weinert F 2009 Compendium of Quantum Physics: Concepts, Experiments, History and Philosophy (Berlin: Springer)
[3] Zeng G, Lee M, Guo Y, He G Q 2007 Int. J. Quantum Infor. 5 553
[4] Gottesman D, Chuang I 2001 arXiv: 0105032 [quant-ph]
[5] Curty M, Lütkenhaus N 2008 Phys. Rev. A 77 046301
[6] Zeng G 2008 Phys. Rev. A 78 016301
[7] Wen X, Liu Y 2007 The First International Symposium on Data, Privacy, and E-Commerce, November 1–3, 2007, Chengdu, China 496
[8] Shi J, Shi R, Tang Y, Lee M H 2011 Quantum Infor. Process. 10 653
[9] Shi J, Shi R, Guo Y, Peng X, Lee M H, Park D 2012 Int. J. Theor. Phys. 51 1038
[10] Shi J, Shi R, Guo Y, Peng X, Tang Y 2013 Sci. China-Infor. Sci. 56 052115
[11] Dunjko V, Wallden P, Andersson E 2014 Phys. Rev. Lett. 112 040502
[12] Wang C, Liu J W, Shang T 2014 Chin. Phys. B 23 060309
[13] Shang T, Zhao X J, Wang C, Liu J W 2015 Quantum Infor. Process. 14 393
[14] Zhou D L, Kuang L M 2009 Chin. Phys. B 18 1328
[15] Wang X, Sanders B C 2011 Phys. Rev. A 65 012303
[16] Zhang Y M, Li X W, Yang W, Jin G R 2013 Phys. Rev. A 88 043832
[17] Van Enk S J, Hirota O 2001 Phys. Rev. A 64 022313
[18] Chao W, Hu Z 2011 International Conference on Intelligence Science and Information Engineering 2011 85
[19] Zhang C Y, Chao W 2011 International Symposium on Intelligence Information Processing and Trusted Computing, October 22–23, 2011, Wuhan, China 245
[20] Sangouard N, Simon C, Gisin N, Laurat J, Tualle-Brouri R, Grangier P 2010 J. Opt. Soc. Am. B 27 A137
[21] Weedbrook C, Pirandola S, García-Patrón R, Cerf N J, Ralph T C, Shapiro J H, Lloyd S 2012 Rev. Mod. Phys. 84 621
[22] Braunstein S L, Van Loock P 2005 Rev. Mod. Phys. 77 513
[23] Wang X 2001 Phys. Rev. A 64 022302
[24] Cai X H, Guo J R, Nie J H, Jia J P 2006 Chin. Phys. 15 488
[25] Kim M S, Son W, Bužek V, Knight P L 2002 Phys. Rev. A 65 032323
[26] Liao J Q, Kuang L M 2006 Chin. Phys. 15 2246
[27] Zhou D L, Kuang L M 2009 Chin. Phys. B 18 1328
[28] Jeong H, Kim M S, Lee J 2001 Phys. Rev. A 64 052308
[29] Joo J, Ginossar E 2015 arXiv: 1509.02859 [quant-ph]
[30] Grosshans F, Grangier P 2002 Phys. Rev. Lett. 88 057902
[31] Yang J, Xu B, Peng X, Guo H 2012 Phys. Rev. A 85 052302
[32] Walk N, Ralph T C, Symul T, Lam P K 2013 Phys. Rev. A 87 020303
[33] Gong L H, Song H C, He C S, Liu Y, Zhou N R 2014 Phys. Scr. 89 035101
[34] Vourdas A, Dunningham J A 2005 Phys. Rev. A 71 013809
[35] Andersson E, Curty M, Jex I 2006 Phys. Rev. A 74 022304
[36] Li Q, Chan W H, Long D Y 2009 Phys. Rev. A 79 054307
[37] Lodewyck J, Bloch M, García-Patrón R, Fossier S, Karpov E, Diamanti E, Debuisschert T, Cerf N J, Tualle-Brouri R, McLaughlin S W, Grangier P 2007 Phys. Rev. A 76 042305
[38] García-Patrón R, Cerf N J 2006 Phys. Rev. Lett. 97 190503
[39] Li Y, Zhang J, Zhang J X, Zhang T C 2006 Chin. Phys. B 15 1766
[40] He G Q, Zhu S W, Guo H B, Zeng G H 2008 Chin. Phys. B 17 1263
[41] Zhu J, He G Q, Zeng G H 2007 Chin. Phys. 16 1364