Arbitrated quantum signature scheme with continuous-variable squeezed vacuum states

Cite this Article

Feng Yan-Yan, Shi Rong-Hua, Guo Ying. Arbitrated quantum signature scheme with continuous-variable squeezed vacuum states. Chinese Physics B, 2018, 27(2): 020302 Copy to clipboard

Permissions

Arbitrated quantum signature scheme with continuous-variable squeezed vacuum states

Feng Yan-Yan, Shi Rong-Hua, Guo Ying^†

School of Information Science and Engineering, Central South University, Changsha 410083, China

† Corresponding author. E-mail: guoyingcsu@sina.com

Abstract

We propose an arbitrated quantum signature (AQS) scheme with continuous variable (CV) squeezed vacuum states, which requires three parties, i.e., the signer Alice, the verifier Bob and the arbitrator Charlie trusted by Alice and Bob, and three phases consisting of the initial phase, the signature phase and the verification phase. We evaluate and compare the original state and the teleported state by using the fidelity and the beam splitter (BS) strategy. The security is ensured by the CV-based quantum key distribution (CV-QKD) and quantum teleportation of squeezed states. Security analyses show that the generated signature can be neither disavowed by the signer and the receiver nor counterfeited by anyone with the shared keys. Furthermore, the scheme can also detect other manners of potential attack although they may be successful. Also, the integrality and authenticity of the transmitted messages can be guaranteed. Compared to the signature scheme of CV-based coherent states, our scheme has better encoding efficiency and performance. It is a potential high-speed quantum signature scheme with high repetition rate and detection efficiency which can be achieved by using the standard off-the-shelf components when compared to the discrete-variable (DV) quantum signature scheme.

PACS: 03.67.-a;03.67.Ac;03.67.Dd;03.67.Hk

Keyword:arbitrated quantum signature;squeezed vacuum state;continuous variable;quantum teleportation

Show Figures

1. Introduction

A quantum signature is the development or extension of a digital signature. In classical cryptography schemes, the digital signature has a great importance by guaranteeing the proof of the source and the integrity and authenticity of messages. Accordingly, digital signatures have been applied in a wide variety of fields, for example, electronic government affairs, electronic medical and electronic payment. Its security is based on computational complexity. Nevertheless, in theory, any cryptography scheme on account of computational complexity can be compromised. The well-known RSA public key cryptography system has been proven to be quickly cracked via future quantum computers,^[1,2] and hence the demand for a more secure cryptography system has become even more urgent. Quantum cryptography can be a powerful solution to this problem and it is the product of the combination of the fundamentals of quantum mechanics and classical cryptography theory. Unlike the mathematics-based classical cryptography, the security of quantum cryptography is guaranteed by the quantum non-cloning theorem and Heisenberg’s uncertainty principle, which serve as the internal condition and the external protection, respectively. Designing the secure quantum cryptography protocols based on the special properties of the quantum state is an important research direction of quantum cryptography. Quantum cryptography protocols can be subdivided into QKD, quantum secret sharing (QSS), quantum secure direct communication (QSDC), quantum identity authentication (QIA), quantum signature (QS), quantum coin flipping (QCF), quantum money (QM),^[3] quantum private query (QPQ),^[4–6] and quantum secure computation (QSC),^[7,8] among which the latter four have recently become hot topics and QS is an important foundation of the secure quantum information system and quantum cryptography schemes.

So far, quantum signature schemes have been extensively researched for realizing different purposes, for instance, arbitrated quantum signature (AQS),^[9–18] quantum homomorphic signature (QHS),^[19,20] quantum blind signature (QBS),^[21–24] quantum group signature (QGS),^[25–28] quantum proxy signature (QPS),^[29] quantum digital signature (Q-DS),^[30–32] and quantum dual signature (QDS).^[33,34] Among these schemes, we focus on the AQS scheme. The frame of the AQS scheme was initially raised by Zeng and Keitel^[9] by employing three-particle entangled Greenberger–Horne–Zeilinger (GHZ) states. Curty et al.^[11] investigated and argued that the proposal^[9] was not clearly operationally defined and ambiguous. Later Zeng gave a more detailed demonstration and presentation^[12] of the previous scheme.^[9] Next, instead of GHZ triplet states, Li et al.^[13] exploited two-particle entangled Bell states to design an AQS scheme, which shows the advantages referring to a better efficiency in transmission and a low complexity in implementation. Zou and Qiu claimed that the above schemes cannot guarantee the disavowal from the receiver and presented an AQS scheme^[14] with a public board. Choi et al.^[15] also pointed out the security problem on AQS schemes. Li et al.^[16] proposed an AQS protocol replacing the quantum one-time pad with the chained CNOT operations. Yang et al. put forward an AQS protocol^[17] with cluster states, which can achieve an efficiency with 1. Note that these above-mentioned schemes are based on discrete variable (DV) quantum states.

Up to now, quantum signatures can be categorized into two forms, i.e., a DV-based quantum signature and a CV-based quantum signature. The DV-based quantum signature schemes have achieved a great deal of success, which belong to quantum cryptography schemes. Undeniably, the DV-based quantum cryptography schemes have also lots of limitations and difficulties and they are facing more and more challenges.^[35] For one thing, the production and the detection of a single photon are tricky and the generation of entangled photon pairs is also very troublesome. The production efficiency of a single photon is very low and it may suffer from the potential photon number splitting attack.^[36] Furthermore, the detection of a single photon is confronted with severe limitations. Correspondingly, in practical experiments, weak laser is applied to replace single photon.^[37] For another, the communication rate of DV-based quantum cryptography is relatively low. Under such a circumstance, the CV-based quantum cryptography, which uses strong light replacing the single photon or entangled photon pairs, comes out. Compared to the DV-based quantum cryptography, the CV-based quantum cryptography has the strengths^[35] referring to simple preparation, superior transmission rate, high detection efficiency and repetition rate and easy implementation in the experiments. In the CV-based quantum communication protocols, the messages are encoded onto the amplitude and phase of CV-based quantum states and can be transmitted with a greater communication rate, such as CV-based quantum teleportation.^[38] The required manipulations and measurements can be realized in quantum optics in a simple and efficient way, and the shift amount in the quadrature phase space can be measured by homodyne detection. Therefore, investigations into the CV-based quantum cryptography are of great significance. In the last couple of years, Zeng et al.^[39] initially researched the CV quantum signature algorithm with CV entangled states in 2007, which is a true quantum signature algorithm using a key-pair, i.e., public verification key and private signature key, and exploits a quantum circuit to compare the original states and the decoded states. It provides a fresh idea and a more efficient method to explore quantum signatures. In 2016, we proposed an AQS scheme based on CV coherent states,^[18] which serve as the carrier of the signing messages. Its security is guaranteed by the CV-QKD and the CV-based quantum teleportation, which show a potential high-speed AQS algorithm with high communication rate and detection efficiency. In the same year, Huang et al.^[40] raised CV-based QIA with a two-mode squeezed vacuum state and coherent state. It is worth mentioning that an AQS scheme is of a better application when compared with a true signature scheme, especially with the reduced requirements on the trustworthiness of the arbitrator.^[9]

Motivated by the structure of the AQS with CV-based coherent states, we suggest an AQS scheme with CV-based squeezed vacuum states, which are the simplest squeezed states. The proposed scheme makes the following contributions.

(i) Compared to the above-mentioned DV-based quantum signature schemes, the primary advantage is that the amount of information contained in CV-based quantum states is much larger. Moreover, the CV-based squeezed vacuum states, the carrier of the transmitted messages, are easy to generate and convenient to use. Most importantly, the essential operations, preparation (degenerate parametric process), transmission, manipulation and measurement can be efficiently executed in quantum optics.

(ii) Compared to the existing CV-based quantum signature schemes,^[18,39] the proposed AQS scheme is of a better application than a true quantum signature scheme. Additionally, the effect of squeezed states is in principle better than that of coherent states in terms of the encoding efficiency and the communication quality.

(iii) The proposed scheme can be implemented by using sources of an optical parametric oscillator (OPO), beam splitter (BS), amplitude (AM), and phase modulators (PM), which are compatible with standard telecommunication technology.

The rest of this paper is arranged as follows. Section 2 introduces the CV-based quantum signature algorithm with three phases. Section 3 analyzes the security of the proposed CV-based quantum signature scheme. Finally, the discussions and the conclusions are presented in Section 4.

2. CV-based quantum signature algorithm

For a secure quantum signature scheme, there are a few rules^[9] to be expected to be accomplished.

i) No disavowals On one hand, the signer cannot disavow the signed message and the yielded signature. On the other hand, the recipient cannot deny the received message and the homologous signature.

ii) No forgeries and no modifications Anyone cannot forge or modify the signed message or the generated signature derived from the sender successfully.

iii) Fixed assignments Each message corresponds to a specified signature.

To simplify the scheme design and the subsequent security analyses, the classical communication is assumed to be performed in the authenticated channel, and the quantum channel from the sender to the recipient is also authenticated. Note that the current error correction and privacy amplification techniques^[41] may be employed to realize the authenticated channels and the former can be achieved by communicating bit messages, where is the error rate. If this assumption does not hold, the process of transferring data will suffer from the potential eavesdropping attack, tampering attack, individual attack, collective attack, and coherent attack, among which the latter three attacks are widely studied in CV-QKD. Three participants, i.e., the sender Alice, the recipient Bob and the third party Charlie, are contained in the suggested scheme, which is composed of three phases, i.e., an initializing phase, a signing phase and a verifying phase. As depicted in Fig. 1, in the initializing phase, the secret keys K_a and K_b and the CV-based Einstein–Podolsky–Rosen (CV-EPR) pairs are generated and distributed. For example, K_a and K_b are prepared over the CV-QKD protocol and then separately assigned to Alice and Bob. The CV-EPR pairs can be obtained by coupling two squeezed states in a 50:50 BS. In the signing phase, the signature of the message is created by using the appropriate CV-based encryption algorithm with K_a by Alice, who then sends the message-signature pair ( , ) to Bob. In the verifying phase, Bob encrypts the performed phase and amplitude modulation M^b and the received parameters and with K_b and gets , which is dispatched to Charlie. Next, Charlie designs a verification parameter t for the comparison with and then transmits the value of t to Bob who makes a judgement whether the protocol should continue certifying the original message and the teleported message . The labels I and II in Fig. 1 denote the initial verification for the comparison of and , and the second verification for the comparison of and , respectively. Note that the encryption key K_s and the decryption key K_v can be symmetrical or asymmetric. We consider that K_s and K_v are symmetrical and call the possible external attacker Eve. In what follows, we formulate the three phases and the concrete steps of each phase in detail.

	Figure Option View Download New Window
	Fig. 1. (color online) The participants and phases of the signature scheme.

2.1. Initial phase

As the first stage to the quantum signature scheme, we state how the secret keys and the CV-based quantum entangled states are created and assigned.

2.2. Signature phase

As the critical stage to the quantum signature scheme, we elaborate on how to create the signature of the transmitted message. This phase can ensure the integrality and reliability of the message and deter the possible disavowal attacks from Alice.

	Figure Option View Download New Window
	Fig. 2. (color online) The phase space presentation of the squeezed vacuum state (b) along the quadrature x derived from the vacuum state (a).

Table 1.

Encoding and phase angle transformation process.

The variances of a vacuum state are given by

with the canonical communication relation

(

). A squeezed vacuum state is formulated as such a state with reduced variance from the vacuum variance in one quadrature at the expense of increased variance in the other, i.e.,

.^[38,48] The relationship

is satisfied, meaning that the state is the minimum uncertainty state. Taking into account some inevitable losses in real experiments, we acquire that the squeezed states are not pure, but mixed states. The mixed squeezed vacuum state is considered to be a squeezed thermal state. If the x quadrature is squeezed, then the corresponding variances can be given by

where

denotes the variance of an initial thermal state and β is the inverse temperature

with

being the Boltzmann constant and T is the temperature. Such a squeezed thermal state is no longer the minimum uncertainty state, holding the inequality

, as shown in Fig. 3.

	Figure Option View Download New Window
	Fig. 3. (color online) The relationship . The squeezed vacuum states with denoted by the shaded part which is the target area of our study or and the squeezed thermal states with .

Generally, the Gaussian state can be fully characterized by parameters r, β, angle θ in the coordinates, and the displacement α₀. Setting and we perform the quantum teleportation of the squeezed vacuum state due to the fidelity as a criteria independent on θ and α₀. The Wigner function^[49] of the squeezed thermal state is expressed as

where x and p serve as the coordinate axes in the phase space. The Wigner function of a vacuum state with r = 0 and

is illustrated in Fig. 4. Note that the squeezed thermal states involve the states whose squeezed variances are larger than the vacuum variance, i.e.,

. In this paper, we consider the squeezed vacuum state having the squeezed variance

and the corresponding quantum teleportation technology.

	Figure Option View Download New Window
	Fig. 4. (color online) The Wigner function for a vacuum state with r = 0 and .

Equation (10) plays an important role in ensuring the security of the signature, which includes two aspects. Firstly, the dishonest and hostile participants cannot falsify Alice’s signature. Secondly, Alice herself cannot deny her completed signature. To be specific, taking into account the confidentiality of the key K_a shared by Alice and Charlie, we infer that Alice cannot disavow the completed signature in the face of Charlie and Bob successfully and that Bob and the possible attacker cannot counterfeit the signature easily. We note that equation (5) reveals that is obtained by encrypting the message , and thus has a connection with .

2.3. Verification phase

As the last stage to the quantum signature scheme, the purpose is to verify the validity of the signature . After receiving the message-signature pair , Bob is capable of verifying the signature and confirming the authenticity and integrity of the message. Notably, Charlie is required to participate in this phase to assist the verification in that Bob has no access to Alice’s key K_a. This phase is composed of the following steps.

To implement quantum teleportation^[38] in real experiments, the following inequalities should be satisfied

Taking x quadrature as an example, we demand

, i.e.,

. Similarly, the inequality

holds. Therefore, the squeezed variances of the squeezed vacuum state are teleported successfully and Bob receives the transmitted squeezed vacuum state

followed by the signature

. Otherwise, Bob quits.

The above-described procedure is the application of the quantum teleportation with the CV-based squeezed vacuum states which is generally evaluated by calculating fidelity F denoting the overlap of the input and output states. F = 0 means that the teleported state is orthogonal to the input state and F = 1 means that holds. For pure state and mixed state, the expression of the fidelity is different. If the input state is a pure state, the fidelity is given by

with the output state

. For

, the fidelity reaches 1, i.e., F = 1.

If an input state is a mixed state (the mixed squeezed vacuum state is regarded as a squeezed thermal state), the fidelity is expressed as

which similarly shows the match of the states

and

. The higher the fidelity F is, the better the receiver reconstructs. In real experiments, the fidelity for the mixed squeezed vacuum states in Eq. (19) can be calculated as^[51]

where Y takes the form

We denote the squeezing parameter r_j and the inverse temperature β_j as

where

. Accordingly, the fidelity can be calculated with the measured practical variances.

In fact, the comparison of the input squeezed vacuum state ( ) and the received squeezed vacuum state ( ) can be realized with BSs and photon detectors with a high success probability in experiments.^[52] Given two squeezed vacuum states and with and , where and are the normalization constants. As shown in Fig. 5, if two creation operators and are incident on a balanced BS, the yielding output operators and are

Then, a BS transforms the two squeezed vacuum states

and

. We obtain

	Figure Option View Download New Window
	Fig. 5. The BS couples the two input operators of and in a linear way.

For , we find that both output modes contain only even numbers of photons. If an odd number of photons are detected in either of the outputs with perfect photon detectors, it signifies that . Correspondingly, if an even number of photons are detected, it signifies that . In experiments, counting photons is rather cumbersome,^[52] however photon chopping implemented by using a time resolved multi-port splitter may be possible for small photon numbers. Therefore, the two squeezed vacuum states can be compared by judging the relations of the squeezing factors and with detecting the number of photons.

3. Security analyses

To begin with, we recall that Charlie serves as an important role in the proposed AQS scheme. In the initial stage, Charlie creates the CV-based EPR entangled state and the secret key K_a (K_b) shared with Alice (Bob). In the verification stage, Charlie defines the verification parameter t for comparing the secret quantum states and . In essence, Charlie plays the genuine role of the arbitrator to resolve the possible disputes between Alice and Bob. Hence, he must be absolutely trustworthy in this scheme. Subsequently, we first make the security analyses on the suggested scheme with respect to the security rules, i.e, impossibility of disavowals, impossibility of forgeries and impossibility of repudiations. Furthermore, according to the cryptanalysis in Ref. [53], we analyze the security of the proposed AQS scheme against Bob’s forgery and Alice’s disavowal under the circumstance of a known message attack.

3.1. Security against disavowals

From the expression in Eq. (10), we see that Alice generates the signature of the message with the key K_a which is of the essence for the generation of . If Alice disavows her accomplished signature giving rise to the disputes with Bob, it can be easily detected and then solved by timely transmitting the signature to Charlie. From the key K_a point of view, if contains K_a, the signature must have been created by Alice, otherwise, we infer that the signature has been forged by the internal dishonest Bob or the external attacker Eve. Furthermore, we can quantify the possibility of disavowal. Note that Alice may disavow or accept the generated signature . The probability of disavowal or acceptance from Alice is respective 1/2. We call “disavowal” and “acceptance” as dichotomous variables. It conforms to the definition of the Binomial distribution. We assume that k denotes the amount of disavowed signature from n amount of the target signature. So the probability of disavowal about the signature from Alice is

where

is the Binomial coefficient and can be written as

Assume that

is the appropriate threshold of

. As depicted in Fig. 6, the success disavowal probability

is a function of k for the respective n = 50, n = 100, and n = 150, each of which holds a maximum probability value. Also, it becomes smaller with the larger n. Thus, we can figure out that the probability

can be very small for the large enough n. If the calculated probability

exceeds

, it is regarded as the “disavowal” behavior. Therefore, the proposed AQS scheme can work well against the disavowal attack strategy.

	Figure Option View Download New Window
	Fig. 6. (color online) The success disavowal probability as a function of k for the respective n = 50, n = 100, and n = 150.

3.2. Security against forgeries

For the purpose of their benefit, a dishonest Bob or an external attacker may try to forge Alice’s signature. In what follows, we show that any attempt to forge the signature will be absolutely detected.

Assume that Bob is dishonest and (is) in an attempt to forge Alice’s signature . If he succeeds, he must know the components of including K_a, M_d, and . Nevertheless, obtaining the above ingredients for Bob is impossible. Firstly, K_a is shared by Alice and Charlie and prepared by the CV-QKD with the unconditional security. Bob has no ability to obtain the key K_a, which is the biggest obstacle for successfully forging the signature. Furthermore, we claim that the yielded quantum state is related to K_a due to the relation of , where λ is the corresponding eigenvalue of the eigenvector K_a.^[9] This leads to the unavailability of the correct without the key K_a, which implies that t = 0 will be obtained in the verification phase. Therefore, Charlie can easily detect the forgery strategy from Bob.

The dishonest participant generally has more right than an external attacker. We have analyzed that the forgery strategy from the dishonest Bob is impossible to succeed, and hence the attacker is bound to be unsuccessful in our scheme. This is because there is no information about the keys K_a and K_b via the exposure of the public parameters , , , and , which are generated by the CV-based quantum cryptography with high security. Even if the attacker achieves K_a and K_b, according to Eq. (10), the forgery of the signature remains impossible due to the additional requirements of and M^d. The attacker has no access to M^d teleported through a secure classical channel, which is not an expensive resource. Therefore, with the incorrect M^d resulting in the final incorrect recovery of the original message , we cannot get the relation . That is, the forgery attack from the attacker cannot work. In short, neither the internal dishonest participant nor the external attacker can forge the signature successfully.

3.3. Security against repudiations

From the application’s point of view, the scheme should satisfy that the receiver Bob cannot repudiate his receiving of the signature of the message . Our scheme contains this property. In Step 1 of the verification phase, we assume that Bob transmits to Alice in place of Charlie. Afterwards, Alice generates the new signature , i.e.,

and then sends it to Charlie. After receiving

, Charlie transforms

in Step 2 of the verification stage as

We see that the new signature

contains the keys K_a and K_b. Therefore, following the security analyses against disavowals, if Bob repudiates his receiving of the signature, his action can be found by transmitting

to Charlie. Note that the repudiation probability by Bob can also be calculated via the employed method of the disavowal probability by Alice and the same conclusion can be drawn.

3.4. Alice’s disavowal

Based on the cryptanalysis in Ref. [53], another disavowal attack strategy by Alice may be successful. For example, when Charlie, sends to Bob in Step 2 of verification phase, Alice has a chance to modify the signature in terms of phase resulting in the modified signature that is not a valid signature of anymore, which seems to be successful. Meanwhile, since Bob does not hold the secret K_a, he cannot find Alice’s modification on . Therefore, when a dispute appears, Bob transmits to Charlie. The modified signature will not pass Charlie’s verification and Charlie will stand on the side of Alice, believing that Bob forged the signature. Therefore, the proposed AQS scheme cannot deter this attack under non-authenticated channels. Fortunately, no matter whether Charlie judges who disavows or forges the signature, such a kind of communication will be terminated eventually.

3.5. Bob’s forgery

In Subsection 3.2, we have demonstrated that Bob’s forgery strategy by obtaining the key K_a is impossibly successful. However, based on the cryptanalysis in Ref. [53], another forgery attack strategy by Bob without K_a may be successful. For example, we assume that Bob has a valid message-signature pair ( , ) of Alice, and he performs the so-called CV-based Pauli gates (P_i is any Pauli operation belonging to ) on the squeezed vacuum states in , and the same operations on the last n quantum states in , which is required in the situation where the employed encryption and decryption algorithms are one of the CV-based Pauli gates. The yielding new pair ( ) will be a successful forgery. Hence, Bob can select the most preferred message from at least different forgeries and state that it is derived from Alice. In this situation, Charlie will agree with Bob although Alice is actually aggrieved. Therefore, the proposed AQS scheme cannot deter this attack under the circumstance of the known message attack. Fortunately, no matter whether Charlie judges who disavows or forges the signature, such a kind of communications can be terminated eventually.

4. Discussion and conclusion

In principle, when playing the role of information carrier, squeezed states are better than coherent states. In our scheme, the original binary-valued messages are encoded onto the CV-based squeezed vacuum states, as listed in Table 1. On one hand, the encoding efficiency has distinct advantages over that in the DV-based signature schemes due to the intrinsic CV-based spectrum. From Table 1, we see that two binary bits can be encoded with a phase transformation, which is more efficient than the quantum state conjugate coding manner in Ref. [18] where only one binary bit can be encoded. We acquire that the length of the corresponding binary-valued classical information string is the respective 2n and n for the n squeezed vacuum states and coherent states. On the other hand, the performance of the proposed signature scheme is partially evaluated using fidelity due to the application of the CV-based quantum teleportation. It is demonstrated that the fidelity of quantum teleportation based on squeezed (vacuum) states is higher than that of the quantum teleportation with coherent states.^[38,54] Therefore, our scheme has better encoding efficiency and performance. Additionally, as depicted in Fig. 7, the proposed scheme can be achieved in the experiments and the experimental setup of our scheme can be easily obtained due to the achievable CV-based quantum teleportation and CV-QKD.

	Figure Option View Download New Window
	Fig. 7. Experimental setup for the proposed AQS scheme. OPO (i = 1,2,3): optical parametric oscillator, LO: local oscillator for x and p, D: detector for x and p, BS: 50:50 beam splitter except the marked one 99:1, AM: amplitude modulator, PM: phase modulator.

We have proposed an AQS scheme with CV-based squeezed vacuum states, which requires three participants to jointly complete the initial phase, the signature phase and the verification phase. In the initial phase, the secure keys are prepared and distributed to the legal participants. In the signature phase, the signature is finally generated by employing the unitary phase transformation and the CV-based quantum encryption algorithm. In the verification phase, the validity of the yielded signature is verified via the comparison of the transmitted messages and the recovered messages with the fidelity and the BS technology. The security of our scheme is ensured by the CV-based quantum teleportation and the CV-QKD. Security analyses demonstrate that the proposed scheme can deter the disavowal and forgery attack strategies with the shared keys. However, it is not resistant to Alice’s disavowal and Bob’s forgery strategies in the circumstance of known message attack, which will be improved in the future study. In addition, the scheme has better coding efficiency and communication performance. Therefore, the proposed AQS scheme may be practical for the general authentication system and the voting mechanism.

Reference

[1]	Nielsen M A Chuang I L 2000 Quantum information Cambridge Cambridge University Press
[2]	Wang B Wu X Meng F 2017 J. Comput. Appl. Math. 313 185
[3]	Amiri R Arrazola J M 2017 Phys. Rev. 95 062334
[4]	Gao F Liu B Huang W Wen Q Y 2015 IEEE. J. Sel. Top. Quant. 21 98
[5]	Wei C Y Wang T Y Gao F 2016 Phys. Rev. 93 042318
[6]	Wei C Y Cai X Q Liu B Wang T Gao F 2017 IEEE T Comput. 10.1109/TC.2017.2721404
[7]	Shi R H Mu Y Zhong H Zhang S 2015 Phys. Rev. 92 022309
[8]	Shi R H Mu Y Zhong H Zhang S Cui J 2016 Inform. Sci. 370�?71 147
[9]	Zeng G Keitel C H 2002 Phys. Rev. 65 042312
[10]	Lee H Hong C Kim H Lim J Yang H J 2004 Phys. Lett. 321 295
[11]	Curty M Lütkenhaus N 2008 Phys. Rev. 77 046301
[12]	Zeng G 2008 Phys. Rev. 78 016301
[13]	Li Q Chan W H Long D Y 2009 Phys. Rev. 79 054307
[14]	Zou X Qiu D 2010 Phys. Rev. 82 042325
[15]	Choi J W Chang K Y Hong D 2011 Phys. Rev. 84 062330
[16]	Li F G Shi J H 2015 Quantum Inf. Process. 14 2171
[17]	Yang Y G Lei H Liu Z C Zhou Y H Shi W M 2016 Quantum Inf. Process. 15 2487
[18]	Guo Y Feng Y Huang D Shi J 2016 Int. J. Theor. Phys. 55 2290
[19]	Shang T Zhao X Wang C Liu J 2015 Quantum Inf. Process. 14 393
[20]	Wang B Yang H Meng F 2017 Calcolo 54 117
[21]	Su Qi Huang Z Wen Q L W 2010 Opt. Commun. 283 4408
[22]	Wang T Y Wen Q Y 2010 Chin. Phys. 19 060307
[23]	Shi J J Shi R H Guo Y Peng X Q 2013 Sci. China-Inform Sci. 56 1
[24]	Fan L JZhang H Qin S L Guo F Z 2016 Int. J. Theor. Phys. 55 1028
[25]	Yang Y G Wen Q Y 2008 Sci. China Ser. G: Phys., Mech. Astron. 51 1505
[26]	Wen X Tian Y Ji L Niu X 2010 Phys. Scr. 81 055001
[27]	Shi J Shi R Tang Y Lee M H 2011 Quantum Inf. Process. 10 653
[28]	Xu G B Zhang K J 2015 Quantum Inf. Process. 14 2577
[29]	Wang T Y Wei Z L 2012 Quantum Inf. Process. 11 455
[30]	Gottesman D Chuang I 2001 arXiv preprint quant-ph0105032
[31]	Collins R J Donaldson R J Dunjko V Wallden P Clarke P J Andersson E Jeffers J Buller G S 2014 Phys. Rev. Lett. 112 040502
[32]	Yin H L Fu Y Chen Z B 2016 Phys. Rev. 93 032316
[33]	Li W Shi R Huang D Shi J Guo Y 2016 Phys. Scr. 91 035101
[34]	Liu J L Shi R H Shi J J Lv G L Guo Y 2016 Chin. Phys. 25 080306
[35]	Braunstein S L Van Loock P 2005 Rev. Mod. Phys. 77 513
[36]	Wang X B 2005 Phys. Rev. Lett. 94 230503
[37]	Scarani V Acin A Ribordy G Gisin N 2004 Phys. Rev. Lett. 92 057901
[38]	Takei N Aoki T Koike S Yoshino K Wakui K Yonezawa H Hiraoka T Mizuno J Takeoka M Ban M Furusawa A 2005 Phys. Rev. 72 042304
[39]	Zeng G Lee M Guo Y He G 2007 Int. J. Quantum Inf. 5 553
[40]	Ma H Huang P Bao W Zeng G 2016 Quantum Inf. Process. 15 2605
[41]	Jouguet P Kunz-Jacques S Leverrier A 2011 Phys. Rev. 84 062317
[42]	Cerf N J Levy M Van Assche G 2001 Phys. Rev. 63 052311
[43]	Guo Y Liao Q Wang Y Huang D Huang Peng Zeng G 2017 Phys. Rev. 95 032304
[44]	Guo Y Xie C Liao Q Zhao W Zeng G Huang D 2017 Phys. Rev. 96 022320
[45]	Huang D Huang P Lin D Zeng G 2016 Sci. Rep. 6 19201
[46]	Li Y M Wang X Y Bai Z L Liu W Y Yang S S Peng K C 2017 Chin. Phys. 26 040303
[47]	Einstein A Podolsky B Rosen N 1935 Phys. Rev. 47 777
[48]	Walls D F Milburn G J 2007 Quantum Optics Springer Science, Business Media
[49]	Jeong H Ralph T C Bowen W P 2007 J. Opt. Soc. Am. 24 355
[50]	Furusawa A Sfrensen J L Braunstein S L Fuchs C A Kimble H J Polzik E S 1998 Science 282 706
[51]	Twamley J 1996 J. Phys. A: Math. Gen. 29 3723
[52]	Andersson E Curty M Jex I 2006 Phys. Rev. 74 022304
[53]	Gao F Qin S J Guo F Z Wen Q Y 2011 Phys. Rev. 84 022344
[54]	Kogias I Ragy S Adesso G 2014 Phys. Rev. 89 052324