1 Introduction

A classical digital signature (CDS) can authenticate the integrity of a signed message and the identity of the signatory. CDS schemes are widely used in practice [1, 2], for example in e-payment systems and e-government. The security of CDS generally depends on assumptions of computational complexity (e.g. the factoring problem and the discrete logarithm problem). However, this security is seriously challenged by the rapid development of quantum algorithms. Fortunately, quantum digital signatures, which are based on the laws of quantum mechanics, are attracting a lot of attention since they can resist attacks by quantum algorithms.

To achieve different purposes, various quantum signature schemes have been proposed, such as arbitrated quantum signature (AQS) [3,4,5,6,7,8,9], quantum group signature (QGS) [10,11,12], quantum proxy signature (QPS) [13,14,15] and quantum blind signature (QBS) [16,17,18,19]. In Ref. [3], Zeng et al. gave the first AQS model by using the correlation of Greenberger-Horne-Zeilinger (GHZ) triplet states. Inspired by this pioneering work, Li et al. [7] replaced GHZ states with Bell states to give a more efficient AQS scheme. Later, Zou et al. [8] pointed out that these two schemes are insecure since the receiver can deny a valid signature, and presented two new AQS schemes. Gao et al. [20] and Hwang et al. [21] pointed out that most of the previous signature schemes cannot resist a known message attack by the receiver. Recently, Yang et al. presented an AQS scheme [22] with cluster states. This scheme can achieve an efficiency of 100%. Inspired by the work [22], Fatahi et al. proposed a highly efficient arbitrated quantum signature scheme based on cluster states. However, these schemes are very difficult to implement, since cluster states are very difficult to prepare under current conditions.

The local distinguishability of orthogonal product states is an important research topic in the field of quantum information. In recent years, many results about the local distinguishability of orthogonal product states have been proposed [23,24,25,26,27,28]. As we know, the preparation of product states consumes less resources compared with entangled states.

In this paper, we propose an AQS scheme which is based on the local indistinguishability of orthogonal product states. In this scheme, different particles of a state that comes from a set of indistinguishable product states are transmitted separately, which can improve the security of the scheme. The rest of the paper is organised as follows. In Section 2, some fundamental preliminaries are introduced. In Section 3, we give a detailed description of the proposed AQS scheme. In Section 4, we discuss the security and efficiency of the proposed scheme. Finally, a short conclusion is given in Section 5.

2 Preliminaries

In this section, we introduce some preliminaries that are used in what follows. We say a set of orthogonal product states is locally indistinguishable [28, 29] if it cannot be perfectly distinguished by local operations and classical communications (LOCC).

Theorem 1

The set of orthogonal product states (1)

$$\begin{array}{@{}rcl@{}} &&|\psi_{1}\rangle=|0\rangle_{1}|0\rangle_{2}|0\rangle_{3},\\ &&|\psi_{2}\rangle=|1\rangle_{1}|1\rangle_{2}|1\rangle_{3},\\ &&|\psi_{3,4}\rangle=\frac{1}{\sqrt{2}}(|0\rangle\pm|1\rangle)_{1}|0\rangle_{2}|1\rangle_{3},\\ &&|\psi_{5,6}\rangle=\frac{1}{\sqrt{2}}|1\rangle_{1}(|0\rangle\pm|1\rangle)_{2}|0\rangle_{3},\\ &&|\psi_{7,8}\rangle=\frac{1}{\sqrt{2}}|0\rangle_{1}|1\rangle_{2}(|0\rangle\pm|1\rangle)_{3} \end{array} $$
(1)

cannot be perfectly distinguished by LOCC.

Proof

Now we prove these states (1) cannot be perfectly distinguished by LOCC. To distinguish these eight product states, one of the three parties must start with a positive-operator-valued measure (POVM). Without loss of generality, suppose that the first party goes first with a set of general 2 × 2 POVM elements \(\{M^{\dagger }_{k}M_{k}; k = 1,2,\ldots ,l_{1}\}\), where

$$ \begin{array}{l} M_{k}^{\dag}M_{k}= \left[ \begin{array}{cc} m_{00}^{k} &m_{01}^{k}\\ m_{10}^{k} &m_{11}^{k} \end{array} \right] \end{array} $$

under the basis {|0〉,|1〉}. It is noted that the postmeasurement states must be pairwise orthogonal for making further discrimination feasible. That is, the states that are orthogonal on the first side should maintain the orthogonality on the first side after the measurement.

For the states |ψ5〉 and |ψ7〉, we have

$$\langle\psi_{5}|M_{k}^{\dag}M_{k}\otimes (I_{2\times2}^{\dag}I_{2\times2})\otimes (I_{2\times2}^{\dag}I_{2\times2})|\psi_{7}\rangle = 0 $$

and

$$\langle\psi_{7}|M_{k}^{\dag}M_{k}\otimes (I_{2\times2}^{\dag}I_{2\times2})\otimes (I_{2\times2}^{\dag}I_{2\times2})|\psi_{5}\rangle = 0. $$

Thus, we can get

$$\frac{1}{2}\langle1|M_{k}^{\dag}M_{k}|0\rangle[(\langle0|+\langle1|)I_{2\times2}^{\dag} I_{2\times2}|1\rangle][\langle0|I_{2\times2}^{\dag}I_{2\times2}(|0\rangle+|1\rangle)]= 0 $$

and

$$\frac{1}{2}\langle0|M_{k}^{\dag}M_{k}|1\rangle[\langle1|I_{2\times2}^{\dag} I_{2\times2}(|0\rangle+|1\rangle)][(\langle0|+\langle1|)I_{2\times2}^{\dag}I_{2\times2}|0\rangle]= 0. $$

So, we have

$$\begin{array}{@{}rcl@{}} m_{10}^{k}= 0, \end{array} $$
(2)
$$\begin{array}{@{}rcl@{}} m_{01}^{k}= 0. \end{array} $$
(3)

For the states |ψ3〉 and |ψ4〉, we have

$$\langle\psi_{3}|M_{k}^{\dag}M_{k}\otimes (I_{2\times2}^{\dag}I_{2\times2})\otimes (I_{2\times2}^{\dag}I_{2\times2})|\psi_{4}\rangle= 0. $$

Thus,

$$\frac{1}{2}[(\langle0|+\langle1|)M_{k}^{\dag}M_{k}(|0\rangle-|1\rangle)][\langle0|I_{2\times2}^{\dag} I_{2\times2}|0\rangle][\langle1|I_{2\times 2}^{\dag}I_{2\times2}|1\rangle]= 0. $$

So, we have

$$\begin{array}{@{}rcl@{}} m_{00}^{k}=m_{11}^{k}. \end{array} $$
(4)

This means that any of the POVM elements of the first party should be in the form

$$ \begin{array}{l} M_{k}^{\dag}M_{k}= \left[ \begin{array}{cc} m_{00}^{k} &0 \\ 0 &m_{00}^{k} \end{array} \right] \end{array}. $$
(5)

Consider the product states |ψ6〉 and |ψ8〉. If the first party discriminates these states outright then for one of states |ψ6〉 and |ψ8〉,

$$\langle\psi_{i}|M_{k}^{\dag}M_{k}\otimes (I_{2\times2}^{\dag}I_{2\times2})\otimes (I_{2\times2}^{\dag}I_{2\times2})|\psi_{i}\rangle= 0. $$

But given (5),

$$\langle\psi_{i}|M_{k}^{\dag}M_{k}\otimes (I_{2\times2}^{\dag}I_{2\times2})\otimes (I_{2\times2}^{\dag}I_{2\times2})|\psi_{i}\rangle=m_{00}^{k}. $$

Therefore, \(m_{00}^{k}= 0\) and, since POVM elements must be positive, \(M_{k}^{\dag }M_{k}\) is the null matrix.

According to the above analysis, all of the first party’s POVM elements must be proportional to the identity. Thus, the first party cannot go first; by the symmetry of states (1), neither the second party nor the third party can do it. Therefore, these states are locally indistinguishable. This completes the proof. □

3 The Proposed AQS Scheme

The proposed scheme involves three participants, namely, the signatory Alice, the receiver Bob and the arbitrator Trent. It should be noted that the arbitrator Trent is a disinterested third party and is trusted by Alice and Bob. The scheme is composed of three phases: initializing phase, signing phase, and verifying phase.

3.1 Initializing Phase

Suppose that \(m=\{m_{1},m_{2},\ldots ,m_{n}\}\) is a 3n-bit message to be signed, where \(m_{i}\in \{000,001,010,011,100,101,110,111\}\) for i = 1,2,…,n.

  (1)

    Trent establishes an n-bit shared secret key \(K_{AT}=\{K_{AT}^{1},K_{AT}^{2},\ldots ,K_{AT}^{n}\}\) with Alice and an n-bit shared secret key \(K_{BT}=\{K_{BT}^{1},K_{BT}^{2},\ldots ,K_{BT}^{n}\}\) with Bob by quantum key distribution protocol [30,31,32,33,34,35,36].

  (2)

    Alice establishes an n-bit shared secret key \(K_{AB}=\{K_{AB}^{1}, K_{AB}^{2},\ldots ,K_{AB}^{n}\}\) with Bob by quantum key distribution protocol [30,31,32,33,34,35,36].

3.2 Signing Phase

  (1)

    Alice encodes the message m as a quantum sequence |S〉 according to the following rules:

    $$\begin{array}{@{}rcl@{}} &&m_{i}= 000: \longmapsto|S^{i}\rangle=|\psi_{1}\rangle=|0\rangle_{1}|0\rangle_{2}|0\rangle_{3},\\ &&m_{i}= 111: \longmapsto|S^{i}\rangle=|\psi_{2}\rangle=|1\rangle_{1}|1\rangle_{2}|1\rangle_{3},\\ &&m_{i}= 001: \longmapsto|S^{i}\rangle=|\psi_{3}\rangle=\frac{1}{\sqrt{2}}(|0\rangle+|1\rangle)_{1}|0\rangle_{2}|1\rangle_{3},\\ &&m_{i}= 010: \longmapsto|S^{i}\rangle=|\psi_{4}\rangle=\frac{1}{\sqrt{2}}(|0\rangle-|1\rangle)_{1}|0\rangle_{2}|1\rangle_{3},\\ &&m_{i}= 100: \longmapsto|S^{i}\rangle=|\psi_{5}\rangle=\frac{1}{\sqrt{2}}|1\rangle_{1}(|0\rangle+|1\rangle)_{2}|0\rangle_{3},\\ &&m_{i}= 011: \longmapsto|S^{i}\rangle=|\psi_{6}\rangle=\frac{1}{\sqrt{2}}|1\rangle_{1}(|0\rangle-|1\rangle)_{2}|0\rangle_{3},\\ &&m_{i}= 101: \longmapsto|S^{i}\rangle=|\psi_{7}\rangle=\frac{1}{\sqrt{2}}|0\rangle_{1}|1\rangle_{2}(|0\rangle+|1\rangle)_{3},\\ &&m_{i}= 110: \longmapsto|S^{i}\rangle=|\psi_{8}\rangle=\frac{1}{\sqrt{2}}|0\rangle_{1}|1\rangle_{2}(|0\rangle-|1\rangle)_{3}, \end{array} $$
    (6)

    where \(|S^{i}\rangle \) is the i-th product state of the sequence |S〉 for i = 1,2,…,n.

  (2)

    Alice first generates the quantum sequence |S〉. Then, she picks out the j-th particle of each product state of |S〉 to form the sequence \(|S_{(j)}\rangle \) for j = 1,2,3.

  (3)

    For the first sequence |S(1)〉, Alice performs the following unitary operation on the i-th particle \(|S_{(1)}^{i}\rangle \) according to the i-th bit of KAB to get a new particle \(|\overline {S}_{(1)}^{i}\rangle \), i.e., \(H^{K_{AB}^{i}}|S_{(1)}^{i}\rangle =|\overline {S}_{(1)}^{i}\rangle \), where

    $$\begin{array}{ll} H\equiv \frac{1}{\sqrt{2}} \left[ \begin{array}{cc} 1 &1 \\ 1 &-1 \end{array} \right] \end{array} $$

    is the Hadamard gate, \(H^{K_{AB}^{i}}=I\) (unit operator) if \(K_{AB}^{i}= 0\) and \(H^{K_{AB}^{i}}=H\) (Hadamard gate) if \(K_{AB}^{i}= 1\) for i = 1,2,⋯ ,n.

    By this step, Alice changes the sequence |S(1)〉 to a new sequence \(|\overline {S}_{(1)}\rangle \).

  (4)

    For the second sequence \(|S_{(2)}\rangle \), Alice performs the following unitary operation on the i-th particle \(|S_{(2)}^{i}\rangle \) according to the i-th bit of \(K_{AT}\) to get a new particle \(|\overline {S}_{(2)}^{i}\rangle \), i.e., \(H^{K_{AT}^{i}}|S_{(2)}^{i}\rangle =|\overline {S}_{(2)}^{i}\rangle \), where H is the Hadamard gate, \(H^{K_{AT}^{i}}=I\) (unit operator) if \(K_{AT}^{i}= 0\) and \(H^{K_{AT}^{i}}=H\) (Hadamard gate) if \(K_{AT}^{i}= 1\) for i = 1,2,⋯ ,n.

    By this step, Alice changes the sequence |S(2)〉 to a new sequence \(|\overline {S}_{(2)}\rangle \).

  (5)

    Firstly, Alice generates 3l decoy particles that are randomly in one of the four states: |0〉, |1〉, |+〉 and |−〉 for checking eavesdropping, where \(|+\rangle =\frac {1}{\sqrt {2}}(|0\rangle +|1\rangle )\) and \(|-\rangle =\frac {1}{\sqrt {2}}(|0\rangle -|1\rangle )\). Next she randomly inserts these 3l decoy particles into the quantum sequences \(|\overline {S}_{(1)}\rangle \), \(|\overline {S}_{(2)}\rangle \), |S(3)〉 and gets three corresponding sequences: \(|\overline {S}_{(1)}^{\prime }\rangle \), \(|\overline {S}_{(2)}^{\prime }\rangle \) and \(|S_{(3)}^{\prime }\rangle \). Then she encrypts m with KAB to get an encrypted message \(C=E_{K_{AB}}(m)\). Finally, Alice sends \(\{|\overline {S}_{(1)}^{\prime }\rangle ,|\overline {S}_{(2)}^{\prime }\rangle ,|S_{(3)}^{\prime }\rangle , C\}\) to Bob.

  (6)

    After confirming that Bob has received \(\{|\overline {S}_{(1)}^{\prime }\rangle ,|\overline {S}_{(2)}^{\prime }\rangle ,|S_{(3)}^{\prime }\rangle , C\}\), Alice announces the positions and the initial states of the decoy particles in the quantum sequences \(|\overline {S}^{\prime }_{(1)}\rangle \), \(|\overline {S}^{\prime }_{(2)}\rangle \) and \(|S^{\prime }_{(3)}\rangle \). Then for each of the decoy particles, Bob measures it with the corresponding basis and compares the measurement outcome with its initial state. If there exist no errors, Bob continues to the next step; otherwise, he restarts the protocol.

  (7)

    After checking eavesdropping, Bob can recover the quantum sequences \(|\overline {S}_{(1)}\rangle \), \(|\overline {S}_{(2)}\rangle \) and |S(3)〉. For the i-th particle \(|\overline {S}_{(1)}^{i}\rangle \) of \(|\overline {S}_{(1)}\rangle \), Bob performs the operation \(H^{K_{AB}^{i}}\), where \(H^{K_{AB}^{i}}=I\) if \(K_{AB}^{i}= 0\) and \(H^{K_{AB}^{i}}=H\) if \(K_{AB}^{i}= 1\) for i = 1,2,…,n. Thus Bob can get the sequence |S(1)〉 since \(H^{K_{AB}^{i}}|\overline {S}_{(1)}^{i}\rangle =|S_{(1)}^{i}\rangle \). For the i-th particle \(|S_{(3)}^{i}\rangle \) of |S(3)〉, Bob performs the operation \(H^{K_{BT}^{i}}\). Thus Bob can get the sequence \(|\overline {S}_{(3)}\rangle \) according to \(H^{K_{BT}^{i}}|{S}_{(3)}^{i}\rangle =|\overline {S}_{(3)}^{i}\rangle \) for i = 1,2,…,n.

  (8)

    Bob decrypts C to get the message m by \(m=D_{K_{AB}}(C)\) and encrypts m to get \(\overline {C}\) by \(\overline {C}=E_{K_{BT}}(m)\).

    Bob stores SA = {|S(1)〉, \(|\overline {S}_{(2)}\rangle \), \(|\overline {S}_{(3)}\rangle \), \(\overline {C}\}\) as Alice’s signature about the message m.

3.3 Verifying Phase

  (1)

    For checking eavesdropping, Bob generates 3l decoy states that are randomly in one of the four states: |0〉, |1〉, |+〉 and |−〉, where \(|+\rangle =\frac {1}{\sqrt {2}}(|0\rangle +|1\rangle )\) and \(|-\rangle =\frac {1}{\sqrt {2}}(|0\rangle -|1\rangle )\). Then he randomly inserts these 3l decoy states into the quantum sequences |S(1)〉, \(|\overline {S}_{(2)}\rangle \) and \(|\overline {S}_{(3)}\rangle \) to get three quantum sequences \(|S_{(1)}^{\prime \prime }\rangle \), \(|\overline {S}_{(2)}^{\prime \prime }\rangle \) and \(|\overline {S}_{(3)}^{\prime \prime }\rangle \). Bob sends the quantum sequences \(\{|S_{(1)}^{\prime \prime }\rangle \), \(|\overline {S}_{(2)}^{\prime \prime }\rangle \), \(|\overline {S}_{(3)}^{\prime \prime }\rangle \}\) and the encrypted message \(\overline {C}\) to Trent.

  (2)

    After confirming that Trent has received the quantum sequences \(\{|S_{(1)}^{\prime \prime }\rangle \), \(|\overline {S}_{(2)}^{\prime \prime }\rangle \), \(|\overline {S}_{(3)}^{\prime \prime }\rangle \}\) and the encrypted message \(\overline {C}\), Bob announces the positions and the initial states of the decoy particles in these three sequences. Then for each of the decoy particles, Bob measures it with the corresponding basis and compares the measurement outcome with its initial state. If there are no errors, Trent continues to the next step; otherwise, he restarts the protocol.

  (3)

    After checking eavesdropping, Trent can recover the quantum sequences |S(1)〉, \(|\overline {S}_{(2)}\rangle \) and \(|\overline {S}_{(3)}\rangle \). For the i-th particle \(|\overline {S}_{(2)}^{i}\rangle \) of \(|\overline {S}_{(2)}\rangle \), Trent performs the operation \(H^{K_{AT}^{i}}\), where \(H^{K_{AT}^{i}}=I\) if \(K_{AT}^{i}= 0\) and \(H^{K_{AT}^{i}}=H\) if \(K_{AT}^{i}= 1\) for i = 1,2,…,n. Thus Trent can recover the sequence |S(2)〉 since \(H^{K_{AT}^{i}}|\overline {S}_{(2)}^{i}\rangle =|{S}_{(2)}^{i}\rangle \). For the i-th particle \(|\overline {S}_{(3)}^{i}\rangle \) of \(|\overline {S}_{(3)}\rangle \), Trent performs the operation \(H^{K_{BT}^{i}}\), where \(H^{K_{BT}^{i}}=I\) if \(K_{BT}^{i}= 0\) and \(H^{K_{BT}^{i}}=H\) if \(K_{BT}^{i}= 1\) for i = 1,2,…,n. Thus Trent can recover the sequence |S(3)〉.

  (4)

    Firstly, Trent recovers the sequence |S〉 by |S(1)〉, |S(2)〉 and |S(3)〉. Secondly, Trent measures each product state of |S〉 with the product basis (1) and records the measurement outcomes. Here we denote the measurement outcomes as \(\overline {m}\).

  (5)

    Trent recovers the message m by \(m=D_{K_{BT}}(\overline {C})\) and compares m with \(\overline {m}\). If \(m=\overline {m}\), he announces Alice’s signature is valid; while he announces Alice’s signature is invalid if \(m\neq \overline {m}\).
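The signing and verifying phases above can be traced on a classical state-vector model. The following is an added example, not code from the paper: the function names, the sample message and the sample keys are constructed, decoy particles are left out, and the classical ciphertexts C and \(\overline{C}\) are replaced by handing Trent the claimed message directly, because the page does not specify the cipher E.

```python
import math

R = 1 / math.sqrt(2)
ZERO, ONE, PLUS, MINUS = (1.0, 0.0), (0.0, 1.0), (R, R), (R, -R)

# Encoding rule (6): 3-bit block -> (particle 1, particle 2, particle 3).
ENCODE = {
    "000": (ZERO, ZERO, ZERO), "111": (ONE, ONE, ONE),      # psi_1, psi_2
    "001": (PLUS, ZERO, ONE),  "010": (MINUS, ZERO, ONE),   # psi_3, psi_4
    "100": (ONE, PLUS, ZERO),  "011": (ONE, MINUS, ZERO),   # psi_5, psi_6
    "101": (ZERO, ONE, PLUS),  "110": (ZERO, ONE, MINUS),   # psi_7, psi_8
}

def h_pow(bit, q):
    """Apply H^bit to one qubit given as a pair of real amplitudes."""
    a, b = q
    return q if bit == 0 else (R * (a + b), R * (a - b))

def kron3(q1, q2, q3):
    """Amplitudes of a three-qubit product state in the computational basis."""
    return [a * b * c for a in q1 for b in q2 for c in q3]

def overlap(u, v):
    """Inner product of two real amplitude vectors."""
    return sum(x * y for x, y in zip(u, v))

def basis_is_orthonormal(tol=1e-12):
    """Check that the eight states of (1) form an orthonormal basis."""
    vecs = [kron3(*ps) for ps in ENCODE.values()]
    return all(abs(overlap(u, v) - (i == j)) < tol
               for i, u in enumerate(vecs) for j, v in enumerate(vecs))

def alice_sign(blocks, k_ab, k_at):
    """Signing steps (1)-(4): split |S> into three sequences and mask two."""
    s = [ENCODE[b] for b in blocks]
    return ([h_pow(k, p[0]) for k, p in zip(k_ab, s)],
            [h_pow(k, p[1]) for k, p in zip(k_at, s)],
            [p[2] for p in s])

def bob_store(seqs, k_ab, k_bt):
    """Signing step (7): unmask sequence 1 with K_AB, mask sequence 3 with K_BT."""
    s1, s2, s3 = seqs
    return ([h_pow(k, q) for k, q in zip(k_ab, s1)], s2,
            [h_pow(k, q) for k, q in zip(k_bt, s3)])

def trent_accept_probability(sig, claimed_blocks, k_at, k_bt):
    """Verifying steps (3)-(5): probability that Trent measures exactly m."""
    s1, s2, s3 = sig
    s2 = [h_pow(k, q) for k, q in zip(k_at, s2)]
    s3 = [h_pow(k, q) for k, q in zip(k_bt, s3)]
    p = 1.0
    for blk, q1, q2, q3 in zip(claimed_blocks, s1, s2, s3):
        p *= overlap(kron3(*ENCODE[blk]), kron3(q1, q2, q3)) ** 2
    return p

# Constructed sample values: a 9-bit message and three 3-bit keys.
M = ["000", "101", "011"]
K_AB, K_AT, K_BT = [1, 0, 1], [0, 1, 1], [1, 1, 0]

def honest_run():
    sig = bob_store(alice_sign(M, K_AB, K_AT), K_AB, K_BT)
    return trent_accept_probability(sig, M, K_AT, K_BT)

def altered_message_run():
    # The claimed message differs from the signed one in the last block.
    sig = bob_store(alice_sign(M, K_AB, K_AT), K_AB, K_BT)
    return trent_accept_probability(sig, ["000", "101", "110"], K_AT, K_BT)

def wrong_kat_run():
    # Sequence 2 masked with a key that differs from Trent's K_AT in bit 1.
    sig = bob_store(alice_sign(M, K_AB, [1, 1, 1]), K_AB, K_BT)
    return trent_accept_probability(sig, M, K_AT, K_BT)

if __name__ == "__main__":
    print(basis_is_orthonormal(), honest_run(), altered_message_run(), wrong_kat_run())
```

In this model each key bit that disagrees with Trent's copy of \(K_{AT}\) leaves a particle in the wrong basis, so the chance that Trent's measurement reproduces m drops with every mismatched position.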

4 Security and Efficiency Analysis

In this section, we will first discuss the security of the scheme and then analyze the efficiency of the scheme. As we know, a secure AQS should meet two properties:

  • Unforgeability. Neither an outside attacker nor the signature receiver can generate a valid signature except a legal signatory.

  • Undeniability. If a signatory had signed a valid signature, he cannot successfully deny the signature.

4.1 Unforgeability

Unforgeability is an important property of a signature scheme. We will show that nobody can forge Alice’s valid signature. There are two kinds of attacks to consider: outside attacks and participant attacks.

  (1)

    Outsider attacks

    From the steps of the quantum signature, an outside attacker has two chances to attack our proposed scheme. The first is when Alice sends \(\{|\overline {S}_{(1)}^{\prime }\rangle , |\overline {S}_{(2)}^{\prime }\rangle , |S_{(3)}^{\prime }\rangle , C\}\) to Bob. The second is when Bob sends the quantum sequences \(|S_{(1)}^{\prime \prime }\rangle \), \(|\overline {S}_{(2)}^{\prime \prime }\rangle \) and \(|\overline {S}_{(3)}^{\prime \prime }\rangle \) to Trent. Both the sequences \(\{|\overline {S}_{(1)}^{\prime }\rangle \), \(|\overline {S}_{(2)}^{\prime }\rangle \), \(|S_{(3)}^{\prime }\rangle \}\) and the sequences \(\{|S_{(1)}^{\prime \prime }\rangle \), \(|\overline {S}_{(2)}^{\prime \prime }\rangle \), \(|\overline {S}_{(3)}^{\prime \prime }\rangle \}\) contain inserted decoy particles which are randomly in one of the four states {|0〉,|1〉,|+〉,|−〉}. Just as in the BB84 protocol [37], if an outside attacker eavesdrops during the transmission of the quantum sequences, his/her eavesdropping actions will inevitably disturb part of the decoy particles. Thus his/her eavesdropping actions must be found by Bob or Trent.

  (2)

    Participant’s attacks

    We consider the situation in which Bob is a dishonest participant who wants to forge a valid signature of Alice. To forge a valid signature, Bob needs to know the shared key \(K_{AT}\) of Alice and Trent. Thus Bob should know which state each particle of the sequence \(|\overline {S}_{(2)}\rangle \) is in. Bob cannot measure these particles directly, because he is not sure which of the two mutually unbiased bases {|0〉,|1〉} and {|+〉,|−〉} is correct for each particle of \(|\overline {S}_{(2)}\rangle \). Now suppose that Bob uses an entanglement-measure attack to get the key \(K_{AT}\). That is, he performs a collective operation U on each particle and an auxiliary system |ε〉. Without loss of generality, suppose that the operation U satisfies:

    $$\begin{array}{@{}rcl@{}} U(|0\rangle|\varepsilon\rangle)=\lambda_{1}|\xi_{1}\varepsilon_{1}\rangle+ \lambda_{2}|\xi_{2}\varepsilon_{2}\rangle \end{array} $$
    (7)
    $$\begin{array}{@{}rcl@{}} U(|1\rangle|\varepsilon\rangle)=\mu_{1}|\zeta_{1}\varepsilon^{\prime}_{1}\rangle+ \mu_{2}|\zeta_{2}\varepsilon^{\prime}_{2}\rangle \end{array} $$
    (8)

    Here, \(|\lambda _{1}|^{2}+|\lambda _{2}|^{2}=|\mu _{1}|^{2}+|\mu _{2}|^{2}= 1\), \(\langle \xi _{1}|\xi _{2}\rangle =\langle \varepsilon _{1}|\varepsilon _{2}\rangle =\langle \zeta _{1}|\zeta _{2}\rangle =\langle \varepsilon ^{\prime }_{1}|\varepsilon ^{\prime }_{2}\rangle = 0\). (The right-hand sides of (7) and (8) are in the form of Schmidt decompositions.) If Bob wants to extract useful information to discriminate the particles |0〉 and |1〉 in \(|\overline {S}_{(2)}\rangle \) precisely, the two reduced density matrices of Bob’s auxiliary systems, \(|\lambda _{1}|^{2}|\varepsilon _{1}\rangle \langle \varepsilon _{1}|+|\lambda _{2}|^{2}|\varepsilon _{2}\rangle \langle \varepsilon _{2}|\) and \(|\mu _{1}|^{2}|{\varepsilon }_{1}^{\prime }\rangle \langle {\varepsilon }_{1}^{\prime } |+| \mu _{2}|^{2}| {\varepsilon }_{2}^{\prime }\rangle \langle {\varepsilon }_{2}^{\prime }|\), must be discriminated precisely. That means \(\langle \varepsilon _{i}|\varepsilon ^{\prime }_{j}\rangle = 0\), where i,j = 1,2. With this condition, the unitary transformation U on the particles |+〉 and |−〉 of \(|\overline {S}_{(2)}\rangle \) has the universal form

    $$\begin{array}{@{}rcl@{}} U(\frac{1}{\sqrt{2}}(|0\rangle+\delta|1\rangle)|\varepsilon\rangle)=\frac{1}{\sqrt{2}} (\lambda_{1}|\xi_{1}\varepsilon_{1}\rangle+ \lambda_{2}|\xi_{2}\varepsilon_{2}\rangle+\delta\mu_{1}|\zeta_{1}\varepsilon^{\prime}_{1}\rangle+\delta \mu_{2}|\zeta_{2}\varepsilon^{\prime}_{2}\rangle)\\ \end{array} $$

    where δ = 1,− 1. Thus the reduced density matrices of auxiliary particles |+〉 and |−〉 of Bob are all

    \(\frac {1}{2}(|\lambda _{1}|^{2}|\varepsilon _{1}\rangle \langle \varepsilon _{1}|+|\lambda _{2}|^{2} |\varepsilon _{2}\rangle \langle \varepsilon _{2}|+|\mu _{1}|^{2}|\varepsilon _{1}^{\prime }\rangle \langle \varepsilon _{1}^{\prime }| +|\mu _{2}|^{2}|\varepsilon ^{\prime }_{2}\rangle \langle \varepsilon ^{\prime }_{2}|)\). This means that Bob cannot discriminate |+〉 and |−〉 of \(|\overline {S}_{(2)}\rangle \). Thus, Bob cannot get all the information of the sequence \(|\overline {S}_{(2)}\rangle \) by entanglement-measure attack. Therefore, he cannot get the key \(K_{AT}\).

    In fact, if Bob could get all the information of the sequence \(|\overline {S}_{(2)}\rangle \), he would have a method to discriminate |0〉,|1〉,|+〉,|−〉 of \(|\overline {S}_{(2)}\rangle \). However, this is impossible since |0〉,|1〉 and |+〉,|−〉 come from two mutually unbiased bases.

4.2 Undeniability

Suppose that Alice has signed a signature \(S_{A}\) for a message m, but she wants to deny that she has signed the signature. In our scheme, it is easy for Trent to detect her deception. This is because the shared key \(K_{AT}\) of Alice and Trent is contained in the signature \(S_{A}\). Once Trent has successfully verified the signature, Alice cannot deny its validity.

On the other hand, Bob cannot deny that he had received Alice’s signature after Trent has successfully verified Alice’s signature. This is because the sequences that Bob sent to Trent contain the information of the shared key KBT of Bob and Trent. In short, neither Alice nor Bob can deny a valid signature.

4.3 Efficiency Analyses

In Refs. [38, 39], quantum efficiency is introduced to evaluate the efficiency of quantum protocols. For a quantum protocol, quantum efficiency is defined as

$$\begin{array}{@{}rcl@{}} \eta=\frac{b_{s}}{q_{t}+b_{t}} \end{array} $$
(9)

where \(b_{s}\) represents the total number of the transmitted message bits, \(q_{t}\) is the number of the qubits exchanged in the protocol (the qubits used for checking eavesdropping are not counted) and \(b_{t}\) is the number of classical bits exchanged for decoding of the message (classical bits utilized for eavesdropping check are not counted).

In our scheme, Bob receives a 3n-bit classical message while Trent receives a 3n-bit classical message and 3n qubits. A total of 6n qubits are transmitted among Alice, Bob and Trent. It is obvious that \(b_{s}= 9n\), \(q_{t}= 6n\) and \(b_{t}= 6n\). Thus the efficiency of our scheme is 9n/(6n + 6n) = 75%.

We compare the efficiency of our scheme with that of Refs. [22] and [40] (See Table 1). It is obvious that our scheme is more efficient. Furthermore, compared with entangled states, product states can be obtained straightforwardly and no ancillary particles are required, thus our scheme is easier to implement than the schemes using cluster states.

Table 1 Comparison between the existing schemes and our scheme

5 Conclusions

In this paper, we propose an AQS scheme based on orthogonal product states that cannot be perfectly distinguished by LOCC. The proposed scheme can resist all known attacks. Compared with the existing schemes, our scheme is more efficient and easier to realize, since the preparation and storage of orthogonal product states are relatively simple. It should be pointed out that the different particles of each orthogonal product state are transmitted separately in our scheme, which can ensure the security of the scheme.

The local distinguishability of orthogonal product states has received a lot of attention in the past two decades [23,24,25,26,27,28]. Our scheme is a useful exploration of the application of locally indistinguishable orthogonal product states, since there exist a few research results in this field [41,42,43,44,45,46,47,48,49,50].