Figure 1

C-proposal.

(1) To sign a single bit (message m = 0 or 1) in the future, Alice generates two sequences and , where . The pair (m, PrivKey_m) is called a private key pair for message m. (2) Alice generates two copies of a sequence of coherent states with the coherent phases matching the angles in the sequence PrivKey₀, thus , where α is a real positive amplitude. A sequence of such states is called a quantum signature. She sends a copy of the quantum signature to each of Bob and Charlie each, informing them that they correspond to message m = 0. Alice then does analogously for the message m = 1. (3) Bob and Charlie send their copies of the sequences QuantSig₀ and QuantSig₁ through a multiport, saving the output states in quantum memory, noting which quantum signature corresponds to message m = 0 and which to m = 1. (4) To sign a single bit m with Bob, Alice sends the pair (m, PrivKey_m) to Bob over an untrusted channel. To authenticate the signature, Bob generates coherent states of amplitude α with the relative phase defined by the declared private key and interferes them individually with the states he has in his quantum memory. He monitors the number of photodetection events on his signal null-port arm and confirms the authenticity of the message if the number of photodetection events was below s_aL. (5) To forward m, Bob forwards to Charlie the pair (m, PrivKey_m). Charlie then performs an analogous procedure to Bob and he accepts the message coming from Alice if his number of photodetection events is below s_vL.