Quantum cryptography is a new cryptosystem which combines quantum theory with classical cryptography.^[1] Because it is based on the Heisenberg uncertainty principle and quantum no-cloning theorem,^[2] it has provable security. Quantum cryptography includes a lot of branches, such as quantum key distribution (QKD), quantum secret sharing (QSS), quantum identification (QI), quantum secure direct communication (QSDC), quantum signature (QS), quantum encryption algorithm (QEA), etc.

A QS is considered as the additional information to the message for the purpose of preventing the message from being forged or tampered with.^[3] It is based on the physical properties which provide unconditional security and is one of the most important ways to realize identity and message authentication. QSs are classified into two categories, i.e., arbitrated quantum signatures (AQSs) and true quantum signatures (TQSs). An AQS always needs the participation of a trusted arbitrator. However, only in the case of dispute, a TQS requires a trusted arbitrator. Moreover, a QS algorithm must follow three principles, namely, non-forgery, non-repudiation, and quantum properties.

So far, scholars and researchers have proposed a lot of quantum signature schemes. In accordance with quantum one-way functions and quantum swap-test, Gottesman and Chuang first presented a quantum digital signature protocol in 2001.^[4] In 2002, Zeng and Keitel put forward a signature scheme based on the Greenberger–Horne–Zeilinger (GHZ) triplet states, whose realization depends upon a trusty arbitrator.^[1,5,6] In 2007, Wen and Liu presented a quantum signature protocol without the participation of the arbitrator.^[7] Then Zeng et al.^[3] presented a true quantum signature protocol based on a continuous variable entangled state in the same year. Shi et al. proposed a multiparty quantum proxy group signature scheme^[8] in 2011 and a (t,n)-threshold quantum group signature scheme^[9] in 2012 which are both based on quantum Fourier transform. In 2013, Shi et al.^[10] presented a batch proxy quantum blind signature scheme with three-dimensional two-particle-entangled quantum-trits. In 2014, Dunjko et al.^[11] introduced a quantum digital signature scheme, which applies coherent states without quantum memory. In 2014, Chao et al. investigated the cryptanalysis and the corresponding improvements of the previous proposed AQS schemes, and constructed a novel enhanced AQS scheme.^[12] Recently, Shang et al.^[13] first proposed a quantum homomorphic signature protocol by using entanglement swapping, which is used to authenticate data packets of multiple streams for quantum networks.

However, the signature protocols mentioned above either utilize discrete variables, or consider the situation for only one message. It is known that the transmission efficiency of discrete-variable protocols is much lower than that of continuous-variable protocols, and a single photon for the discrete variable is detected with difficulty. Thus the efficiency of signature protocols is expected to be improved with continuous variables. The coherent state is one of the continuous-variable states and it is the quantum state which is closest to the classical state. The entangled coherent state (ECS) which is made up of coherent states is wildly exploited in quantum information processing.^[14–16] There are two advantages of the ECS. On one hand, the ECS is robust to decoherence caused by the absorption of photons.^[17] On the other hand, quantum information processing based on the ECS can be achieved with existing experimental techniques, such as linear optics. What is more, the multi-signature requirement in the quantum communication network which involves multiple participants should be taken into consideration as well. In the e-commerce system, a classical dual signature can be utilized for realizing the connection of two different messages.^[18,19] In detail, the dual signature, which combines the customer’s order information and payment information that are encrypted with separate secret keys, can be used to solve the problem that the customer’s order information (payment information) should be hidden to the bank (business) while the payment information should be blindly forwarded to the bank by the business.

Inspired by the dual signature schemes and the advantages of continuous variables, a new quantum dual signature scheme based on coherent states with entanglement swapping^[20–22] is proposed in this paper. Compared with these discrete-variable schemes, the message and signature states in our scheme are convenient to generate and operate. Specifically, the quantum dual signature is generated by combining two signed messages with entanglement swapping. The information transmission in our scheme takes advantage of quantum teleportation of coherent states.^[23,24] Our proposed scheme is absolutely satisfied with the security criteria of the signature protocol.

The main contributions of this paper are presented below.

The rest of this paper is organized as follows. In Section 2, we introduce the beam splitter with coherent states. Section 3 describes the quantum dual signature algorithm including the initial phase, the signing phase, and the verification phase. The security of the proposed scheme is analyzed in Section 4. The quantum dual signature scheme which involves more than three participants is discussed in Section 5. Finally, conclusions are drawn in Section 6.

Beam splitters (BSs) are the most commonly applied optical components.^[24,25] They are passive components which do not need external energy and can actually operate in the laboratory. The BS couples incident lights or generates two light beams with the same frequency. A loss-less 50:50 BS is denoted with

This is a significant operation which can be used to generate ECSs. Generally, the bipartite ECS^[27] with two modes of the electromagnetic field is described as

Based on Eq. (2), if a coherent superposition state^[17]

Generally, we consider the following four two-mode ECSs^[28] as quasi-Bell states, i.e.,

The above operations of BSs are important to most of the quantum information processes which involve the coherent states. Additionally, ECSs are easier to detect. Therefore, we present the following quantum dual signature scheme based on the properties of ECSs and BSs.

The schematic representation of the propounded scheme is shown in Fig. 1. There are three participants, the signatory Alice, the verifiers Bob and Charlie. The proposal includes three phases, i.e., initial phase, signing phase, and verification phase, which are described in detail in the following.

Fig. 1.

Figure Option ViewDownloadNew Window

Fig. 1. Schematic representation of the quantum dual signature scheme. The signatory Alice first signs messages 1 and 2 which are required to be received by Bob and Charlie, respectively. Then she combines the two signatures into a dual signature and sends it to the verifier Bob. Bob verifies the part of the quantum dual signature which is related to message 1 and transmits the rest of the dual signature to Charlie. Subsequently, Charlie completes the verification for the signature of message 2. PS and BS are phase shifter and beam splitter, respectively. The U box stands for performing unitary operations.

3.1. Initial phase

In this phase, Alice generates coherent superposition states, encodes her own message states with the secret keys and acquires corresponding ECSs. The procedures are described below.

Step 1 Alice shares her secret key K_B (K_C) with the verifier Bob (Charlie) by using continuous-variable quantum key distribution (CVQKD) protocols which are demonstrated to be unconditionally secure.^[30–33]

Step 2 Alice prepares coherent superposition states |ψ〉_B = {|ψ〉_Bi| 1 ≤ i ≤ N} and |ψ〉_C = {|ψ〉_Ci| 1 ≤ i ≤ N}, where

N is the number of message states and N_α is the normalization factor. Then she modulates the message 1 (message 2), i.e., M₁ = {M_1i| 1 ≤ i ≤ N} (M₂ = {M_2i| 1 ≤ i ≤ N}), on coherent superposition states |ψ〉_B (|ψ〉_C). Here note that Alice needs to prepare several copies of these coherent superposition states for facilitating comparison and reducing error probability of the verification phase.

Step 3 Alice transforms the secret key K_B into , where . According to these keys, Alice encodes |ψ〉_Bi into |ψ〉′_Bi with the phase-shift operation P(θ_Bi) = exp(iθ_Bi a^†a). Likewise, on the basis of K_C, Alice performs the corresponding operation P(θ_Ci) = exp(iθ_Cia^†a) on |ψ〉_Ci to obtain . For simplicity, we define that θ_Bi(θ_Ci) = 0 when the key is equal to 00 or 11, while θ_Bi(θ_Ci) = π when the key is 01 or 10.

Step 4 Alice inputs and a vacuum state |0〉_Ei into the BS which is equipped with a pair of −π/2 phase shifters. As described in Section 2, Alice can acquire an ECS |ϕ〉_BEi, i.e.,

Similarly, she obtains |ϕ〉_CFi, i.e.,

where and are the normalization factors of |ϕ〉_BEi and |ϕ〉_CFi, respectively. The parameters x_B, y_B, x_C, and y_C are equivalent to 1 or −1.

3.2. Signing phase

This phase gives a specific description of the signature algorithm, i.e., Alice signs the message states by implementing unitary operations and merges these signed messages into a dual signature in the network. The technique used here is entanglement swapping which enables two parties that do not share quantum entanglement to share quantum entanglement with the assistance of a third party.^[20] The signing phase is carried out by the following procedures.

Step 1 The expression of |ϕ〉_BEi and |ϕ〉_CFi in Eqs. (13) and (14) can be rewritten separately in terms of the orthonormal bases |+〉 and |−〉 described in Eqs. (7) and (8), i.e.,

where

Alice chooses the operation based on her secret key , where the subscript X ∈ {B,C}. The corresponding relationship between the operation and the secret key is described in Table 1.

Table 1.

Table 1.

Table 1. The corresponding relationship between the operations and the secret keys. . 00 (I)X 01 (−σx)X 10 (iσy)X 11 (σz)X

Table 1. The corresponding relationship between the operations and the secret keys. .

Then Alice implements the corresponding operation on state |ϕ〉_BEi and derives the signature

where λ₁ = (−1)^k₁⊕k₂. k₁ (k₂) stands for the first (second) bit value of and the notation ⊕ stands for summation mod 2. Therefore, the signature of message 1 is

Similarly, she can also encode the state |ϕ〉_CFi to obtain the signature

where λ₂ = (−1)^k₃⊕k₄. k₃ (k₄) equals the first (second) bit value of . We achieve the signature

of message 2. Specifically, Alice’s two signatures based on different secret keys are shown in Table 2, where and .

Table 2.

Table 2.

Table 2. Alice’s signatures based on different secret keys. . 00 00 N1(|α〉B|α〉E −| − α〉B| − α〉E) N2(|α〉C|α〉F −| − α〉C| − α〉F) 00 01 N1(|α〉B|α〉E −| − α〉B| − α〉E) N2(| − α〉C|α〉F −|α〉C| − α〉F) 00 10 N1(|α〉B|α〉E −| − α〉B| − α〉E) N2(| − α〉C|α〉F+|α〉C| − α〉F) 00 11 N1(|α〉B|α〉E −| − α〉B| − α〉E) N2(|α〉C|α〉F+| − α〉C| − α〉F) 01 00 N1(| − α〉B|α〉E −|α〉B| − α〉E) N2(|α〉C|α〉F −| − α〉C| − α〉F) 01 01 N1(| − α〉B|α〉E −|α〉B| − α〉E) N2(| − α〉C|α〉F −|α〉C| − α〉F) 01 10 N1(| − α〉B|α〉E −|α〉B| − α〉E) N2(| − α〉C|α〉F+|α〉C| − α〉F) 01 11 N1(| − α〉B|α〉E −|α〉B| − α〉E) N2(|α〉C|α〉F+| − α〉C| − α〉F) 10 00 N1(| − α〉B|α〉E +|α〉B| − α〉E) N2(|α〉C|α〉F −| − α〉C| − α〉F) 10 01 N1(| − α〉B|α〉E +|α〉B| − α〉E) N2(| − α〉C|α〉F −|α〉C| − α〉F) 10 10 N1(| − α〉B|α〉E +|α〉B| − α〉E) N2(| − α〉C|α〉F+|α〉C| − α〉F) 10 11 N1(| − α〉B|α〉E +|α〉B| − α〉E) N2(|α〉C|α〉F+| − α〉C| − α〉F) 11 00 N1(|α〉B|α〉E +| − α〉B| − α〉E) N2(|α〉C|α〉F −| − α〉C| − α〉F) 11 01 N1(|α〉B|α〉E +| − α〉B| − α〉E) N2(| − α〉C|α〉F −|α〉C| − α〉F) 11 10 N1(|α〉B|α〉E +| − α〉B| − α〉E) N2(| − α〉C|α〉F+|α〉C| − α〉F) 11 11 N1(|α〉B|α〉E +| − α〉B| − α〉E) N2(|α〉C|α〉F+| − α〉C| − α〉F)

Table 2. Alice’s signatures based on different secret keys. .

Step 2 Alice combines her signatures and . Alice first combines states E and F in balanced BS and then counts the photon number in mode f or e, as shown in Fig. 2. In accordance with the principle of entanglement swapping, the system B is entangled to the system C, i.e., B and C are projected into the ECS

where , N_αBC is the normalization factor, and λ₃ = (−1)^k₁⊕k₃. Because the new state contains both signature information for message 1 and message 2, it is regarded as the dual signature S_BC = {|ϕ〉_BCi|1 ≤ i ≤ N}.

Fig. 2.

Figure Option ViewDownloadNew Window

Fig. 2. Entanglement swapping: in the beginning, there are two entangled links B–E and C–F. Here BS stands for a loss-less 50:50 beam splitter. Detectors 1 and 2 are photon detectors. Modes f and e stand for output modes of the BS. Alice randomly measures mode f or e and then different output states will be achieved. So entanglement between B and C is obtained after the measurement between E and F.

Step 3 Alice sends the dual signature S_BC to the verifier Bob with the teleportation of ECSs. In order to transmit the ECS |ϕ〉_BCi, we need at least a quantum channel |D〉_GHI which is a tripartite entangled state.^[23] The whole system which consists of the dual signature and quantum channel can be expressed as |Ψ〉 = |ϕ〉_BCi|D〉_GHI, where B, C, and G are at Alice’s side, and H and I are at Bob’s side.^[23] Alice successively applies the operation T_CB = P_BB_CBP_B and T_CG = P_GB_CGP_G to the whole system. Then, she performs a two-mode number measurement on modes C and G. Subsequently, she transmits the outcome of measurement to Bob through the classical channel. Therefore, Bob can obtain the information of the dual signature after he executes the corresponding unitary operations on particles H and I.^[23]

3.3. Verification phase

The verification phase requires Bob (Charlie) to verify the signatures of message 1 (message 2) and judge whether the message states are authentic. This process does not need the participation of the arbitrator, unless there are controversies.

Step 1 Once receiving Alice’s dual signature S_BC = {|ϕ〉_BCi| 1 ≤ i ≤ N}, Bob randomly chooses n states of them and records their numbers. Since Alice has negotiated with Bob that every quantum dual signature state corresponds to every binary bit in advance. Bob sends the homologous bits of the chosen states and numbers to Alice through a classical channel. Alice generates the signature states based on Bob’s binary sequence and compares them with her own signatures. The error rate ɛ_forgery ≤ ɛ₀ ensures that the following steps can continue to be executed, otherwise the protocol should be terminated, where ɛ₀ is error rate threshold.

Step 2 Based on , Bob implements the operation on state B of the dual signature, where the subscript ’Dec’ represents that the operation is carried out in the verification phase. The operators I, −σ_x, −iσ_y, and σ_z are chosen when are equal to 00, 01, 10, and 11, respectively.

Step 3 Bob performs the operation P(−θ_Bi) based on and obtains the ECS |ϕ〉_B′Ci.

Step 4 Bob gets the decoded message state and the encoded message state which separately relate to message 1 and message 2 by using Fourier multi-port devices.^[34] In detail, the multi-port device considered in our scheme has two input optical modes and two output optical modes.

Step 5 Bob transmits to Charlie. Once receiving , i.e., the signature of message 2, Charlie applies on it based upon the secret key . Likewise, the operators I, −σ_x, −iσ_y, and σ_z severally correspond to 00, 01, 10, and 11. Then Charlie performs the operation P(−θ_Ci) and obtains the decoded state of message 2.

Step 6 Bob (Charlie) asks Alice to send the related classical description (binary sequence) of the states of her message 1 (message 2). Then |ψ〉_Bi and |ψ〉_Ci are separately acquired by Bob and Charlie based on the relevant descriptions. Bob compares the decoded message states with the initial message states |ψ〉_Bi by applying BSs.^[35] If , one of the output modes may contain only the vacuum state. Then Bob gains the parameter

Charlie compares |ψ〉_Ci with , and gets the parameter

So Bob (Charlie) can draw a conclusion whether the signature is acceptable based on the parameter ϝ₁ (ϝ₂).

For the purpose of guaranteeing the security, the quantum signature scheme should satisfy two requirements.^[36] One is that the attacker and the disingenuous receiver cannot forge the signature after the completion of signing, and the other is the signatory and the receiver cannot disavow the signature. On the basis of the above security requirements of quantum signature scheme, our protocol provides theoretical security since the attacker cannot obtain the useful information about the secret key and the original message, the signatory is unable to disavow the signatures and the verifiers also cannot deny the received signatures. Subsequently, we analyze the security of the proposed scheme in detail.

4.1. Impossibility of forgery

According to our signature scheme, the two signatures of Alice are S_B and S_C, separately. If the attacker Eve attempts to forge Alice’s signatures, she has to be aware of the corresponding secret keys K_B or K_C. For the attacker, there are two ways to get the information about secret keys, i.e., she eavesdrops in the key distribution phase or obtains it from the signature.

However, due to the unconditionally secure CVQKD,^[37–41] it is impossible to eavesdrop the secret keys shared between the signatory and verifiers. Moreover, quantum one-time pad algorithm also ensures the security. On one hand, for preventing the recipient or the eavesdropper from forging a message in the quantum signature process, we should ensure that only Alice knows the complete information about message states. If the attacker obtains the signature, she is ignorant of the signature algorithm. Thus Eve cannot infer the secret key from the signature. On the other hand, according to the characteristics of entanglement, once Eve tries to measure the signature to get the information of the keys, the entangled state may collapse and the forgery behavior can be discovered definitely and then honest correspondents may give up this communication. So Eve fails to deduce the key.

In the worst situation, if Eve gets K_B (K_C), she still has no information about the message states that were distributed to Bob (Charlie) without destroying the entanglement states. Moreover, if Eve tampers with the signature, the following example shows that the forgery can be definitely detected.

Example

Comparing Eq. (23) with Eq. (24), it is easy to know that if Eve tampers with Alice’s signatures, the entangled state of B and C may be changed. Supposing , as shown in Table 3, the states of legal communication are shown in case 0. There are fifteen cases for Eve’s forgery and three cases (5, 10, and 15) may be successful. So the probability of forging a single state is P = 3/15 = 1/5. What is more, for another fifteen kinds of groups of secret keys, the probability is also 1/5. Thus, the probability of forging the entire signature is

where m is the number of states which are forged by Eve successfully. n is the total number of states which are chosen in the step 1 of the verification phase. Obviously, the probability ɛ_forgery satisfies the binomial distribution and the binomial coefficient is given by the expression n!/m!(n − m)!. As shown in Fig. 3, for each n, ɛ_forgery has a maximum value which indicates the success probability of forgery in the best case. However, the optimal forgery probability is smaller when n is larger. Obviously, it is difficult to forge the entire signature since the value of ɛ_forgery approaches 0 when n → ∞. It is also necessary to define a forgery threshold ɛ₀. Once the error rate ɛ_forgery exceeds the threshold ɛ₀, the scheme should be discontinued.

Fig. 3.

	Figure Option ViewDownloadNew Window
	Fig. 3. The forgery probability as a function of the amount of forged signature states. The three curves in lines correspond to n = 50, 100, and 200. It shows that ɛforgery has a maximum value for each n. But the optimal forgery probability is smaller when n is larger.

Table 3.

Table 3.

Table 3. The quantum dual signatures under different conditions. . Case f = 0 e = 0 0 00 00 N3(|α〉B|α〉C + | − α〉B| − α〉C) N3(|α〉B| − α〉C + | − α〉B|α〉C) 1 00 01 N3(|α〉B| − α〉C + | − α〉B|α〉C) N3(|α〉B|α〉C + | − α〉B| − α〉C) 2 00 10 N3(|α〉B| − α〉C − | − α〉B|α〉C) N3(|α〉B|α〉C − | − α〉B| − α〉C) 3 00 11 N3(|α〉B|α〉C − | − α〉B| − α〉C) N3(|α〉B| − α〉C − | − α〉B|α〉C) 4 01 00 N3(| − α〉B|α〉C + |α〉B| − α〉C) N3(|α〉B|α〉C + | − α〉B| − α〉C) 5 01 01 N3(| − α〉B| − α〉C + |α〉B|α〉C) N3(|α〉B| − α〉C + | − α〉B|α〉C) 6 01 10 N3(| − α〉B| − α〉C − |α〉B|α〉C) N3(|α〉B| − α〉C − | − α〉B|α〉C) 7 01 11 N3(| − α〉B|α〉C − |α〉B| − α〉C) N3(|α〉B|α〉C − | − α〉B| − α〉C) 8 10 00 N3(| − α〉B|α〉C − |α〉B| − α〉C) N3(|α〉B|α〉C − | − α〉B| − α〉C) 9 10 01 N3(| − α〉B| − α〉C − |α〉B|α〉C) N3(|α〉B| − α〉C − | − α〉B|α〉C) 10 10 10 N3(| − α〉B| − α〉C + |α〉B|α〉C) N3(|α〉B| − α〉C + | − α〉B|α〉C) 11 10 11 N3(| − α〉B|α〉C + |α〉B| − α〉C) N3(|α〉B|α〉C + | − α〉B| − α〉C) 12 11 00 N3(|α〉B|α〉C − | − α〉B| − α〉C) N3(|α〉B| − α〉C − | − α〉B|α〉C) 13 11 01 N3(|α〉B| − α〉C − | − α〉B|α〉C) N3(|α〉B|α〉C − | − α〉B| − α〉C) 14 11 10 N3(|α〉B| − α〉C + | − α〉B|α〉C) N3(|α〉B|α〉C + | − α〉B| − α〉C) 15 11 11 N3(|α〉B|α〉C + | − α〉B| − α〉C) N3(|α〉B| − α〉C + | − α〉B|α 〉C)

Table 3. The quantum dual signatures under different conditions. .

If the receiver Bob is malicious and attempts to forge Alice’s signature, he is obliged to know Charlie’s secret key K_C. However, his forgery fails since he cannot obtain the secret key K_C and has no idea of message 2. Besides, Charlie cannot forge the signature of message 1 since he has no chance of access to message 1’s signature. He also could not forge message 2’s signature, because he knows nothing about the message states of message 2. Based on the analysis, we can conclude that any forgery would fail.

4.2. Impossibility of disavowal by the signatory

In the proposed scheme, Alice signs messages 1 and 2 and integrates the two signatures to generate a dual signature, which includes the information of K_B (K_C) that is only distributed between Alice and Bob (Charlie). Thereby, it is easy to discover whether Alice disavows the signature or not. Furthermore, Alice may either recognize or disavow the signature, so the probability of disavowing a signature state is 1/2. Thus the probability of disavowal for the signature by Alice is

where l is the amount of signature states which are disavowed by the signatory. N stands for the length of signature. Similarly, the probability ɛ_disavowal satisfies the binomial distribution and the binomial coefficient

From Fig. 4, we also conclude that ɛ_disavowal can be very small when N is large enough. If ɛ_disavowal exceeds the disavowal threshold ɛ₁, it is concluded that Alice disavows her signature.

Fig. 4.

	Figure Option ViewDownloadNew Window
	Fig. 4. The disavowal probability as a function of the amount of disavowed signature states. The three curves in lines correspond to N = 50, 100, and 200. Similarly, ɛdisavowal has a maximum value for each N and the optimal disavowal probability is smaller with N being larger.

In particular, when there are disputations between signatory and verifiers, a trusted arbitrator is required. Alice just needs to transmit her messages and the corresponding signatures to the arbitrator. For example, if the signature which belongs to Alice can be decoded by Alice’s secret key, the signature has been executed by Alice, otherwise, Bob, Charlie or the attacker has forged the signature. It is apparent that the arbitrator plays an important role in judging whether Alice has disavowed her signatures when there are disputes or disagreements.

In the real life, a merchant often trades with some multiple customers and every customer has several different bank accounts. Thus the quantum dual signature scheme which contains more than three participants is discussed in this section. As shown in the following Fig. 5, Alice_i (2 ≤ i ≤ n) is a customer, Bob is business, and Charlie _j (2 ≤ j ≤ m) is bank. In the case that all Alice and Charlies are connected to Bob, thus any Alice to reach any Charlie should pass through Bob, namely, any Alice can correspond with any Charlie with the help of Bob.

Fig. 5.

Figure Option ViewDownloadNew Window

Fig. 5. Schematic representation of the quantum dual signature scheme which involves multiple participants in the network. Alicei (2 ≤ i ≤ n) is a customer who signs her own two messages and generates a dual signature by applying entanglement swapping. Bob is the business who verifies the order information’s signature. Charlie j (2 ≤ j ≤ m) is the bank who verifies the signature of payment information of the corresponding customer.

The multi-party quantum dual signature scheme also includes three phases, i.e., the initial phase, the signing phase and the verification phase. The main difference between the multi-party quantum dual signature scheme and the three-party one is that Alice_i needs to notify Bob of the trading bank in advance in the initial phase. We assume that Alice_i wants to pay the order with her account in the bank Charlie _j. The extensional scheme is briefly described as follows.

Step 0 Alice_i informs Bob that she wants to trade with him, and indicates to him which bank she wants to use through the classical channel. If Bob agrees to the transaction, he severally establishes the quantum channels with Alice_i and the corresponding bank Charlie _j.

Step 1 Alice_i encrypts message 1 (2) by using the shared secret key with the verifier Bob (Charlie _j).

Step 2 Alice_i generates the ECSs based on encrypted message states and then signs the ECSs by implementing unitary operations.

Step 3 Alice_i combines the signatures of messages 1 and 2 into the dual signature and sends the proceeding dual signature to Bob.

Step 4 Bob extracts and verifies message 1’s signature and transmits message 2’s signature to Charlie _j.

Step 5 Charlie _j verifies the signature of message 2 and judges whether the message is falsified.

The unconditional security of our extensional scheme can also be guaranteed. Moreover, it is obvious that the multi-party quantum dual signature scheme is preferably applicable to the network. It also has the important application value in the e-commerce system for its unconditional security.

A quantum dual signature scheme based on the ECSs and entanglement swapping is presented in this paper, in which a signatory and two verifiers are considered. The signatory Alice signs two different messages 1 and 2 which are separately sent to two diverse verifiers Bob and Charlie. Alice aggregates those two signatures to generate a quantum dual signature with entanglement swapping. In order to make this scheme suitable for the practical application, the signature verified by Charlie is forwarded by Bob. The verifier Bob (Charlie) can judge whether the signature of message 1 (2) is authentic and valid. Based on the security analysis with quantum properties, any attacker who attempts to counterfeit the signature would be detected, and the important rules impossible to forge, disavow or deny for the signature protocol are observed, thus our protocol can guarantee the security unconditionally. The three-party scheme can also be extended to the multi-party scheme which contains more than three participants, and the extensional scheme can remain safe. Furthermore, the proposed schemes are quite appropriate for the e-payment system if they involve further theoretical and technical supports.