1 Introduction

Quantum cryptography has made a significant breakthrough, however how to ensure the authenticity of quantum information is still an essential problem. Therefore, quantum authentication [1,2,3] has been taken seriously. As an important part of quantum authentication, quantum signature (QS) [4,5,6,7] could solve the problem to some extent.

In 2001, Zeng et al. proposed the first quantum signature scheme based on the correlation of GHZ triplet states, which finished signature and verification with key [1]. In the same year, Gottesman and Chuang firstly brought out the idea of quantum digital signature (QDS) [8] and popularized the classical Lamport’s signature scheme [9] to quantum one with quantum one-way function and quantum public-key. Since then, many kinds of quantum signature schemes have been put forward [10,11,12,13,14], and a number of scholars analyzed and studied these schemes [15,16,17,18]. Nevertheless, Li et al. pointed out that some security flaws still existed in some proposed quantum signature schemes [18]. In 2014, Dunjko et al. proposed one quantum signature scheme just with linear optics, where no quantum memory was required [19]. To resolve the security problem, Amiri et al. invented a secure quantum signature scheme via insecure quantum channels and the transmission of significantly fewer quantum states [20], which is unconditionally secure against most general coherent attacks. In 2018, Chen et al. proposed one public-key quantum digital signature scheme with one-time pad private-key and public-key cryptosystem [21], which was easier to realize than many other quantum signature schemes. In the same year, Guo et al. presented a trusted third-party e-payment protocol based on quantum blind signature without entanglement [22]. Inspired by Guo et al., Zhao et al. proposed the concept of “bi-signature” to realize the signature scheme, where two people sign their signatures on the same message [23]. However, it is hard to require all participants to own quantum computing ability in the above quantum protocols. Fortunately, Boyer et al. first proposed the conception of “semi-quantum” [24] and the method of semi-quantum was successfully applied into semi-quantum key distribution (SQKD) protocols [25,26,27,28] and semi-quantum key agreement (SQKA) protocols [29, 30]. Obviously, semi-quantum is also suitable for QS and the first semi-quantum bi-signature scheme with two quantum signers and just one classical verifier is designed.

The structure of this paper is as follows. In Section 2, SQKD and the teleportation of W state are introduced. In Section 3, the semi-quantum bi-signature scheme is proposed. In Section 4, the analyses of security and efficiency are provided. In Section 5, a brief conclusion is reached.

2 Preliminary Theory

2.1 Semi-Quantum Key Distribution

Semi-quantum key distribution protocols, first introduced in 2007 by Boyer et al. [24], have the same goal: the establishment of a secret key, secure against an all-powerful adversary [31]. However now, instead of allowing both A and B to manipulate quantum resources (e.g., prepare and measure qubits in a variety of bases) as is permissible in a typical QKD protocol, only A is allowed such liberties while B is limited to performing certain “classical” or “semi-quantum” operations (what operations B is limited to are discussed shortly). In this scenario, A is called the quantum user while B is called the classical user (in a fully quantum protocol, such as BB84 [32], both A and B are fully quantum).

2.2 W State

With entanglement classification [33], Dur et al. presented a class of W states [34], i.e.,

$$ \mid W\Big\rangle =\frac{1}{\sqrt{2\alpha +2}}\left(|100\Big\rangle +\sqrt{\alpha }{e}^{\mathrm{i}{\theta}_1}|010\Big\rangle +\sqrt{\alpha +1}{e}^{\mathrm{i}{\theta}_2}|001\Big\rangle \right), $$
(1)

where α is a positive real parameter, θ1 and θ2 are phases. If α=1 and θ1  = θ2 = 0, Eq. (1) will become the most common W state:

$$ \mid W\Big\rangle {}_{123}=\frac{1}{2}{\left(|100\Big\rangle +|010\Big\rangle +\sqrt{2}|001\Big\rangle \right)}_{123}. $$
(2)

If someone chooses one group of orthogonal bases [35].

$$ \mid {\kappa}^{\pm}\Big\rangle =\frac{1}{2}\left(|010\Big\rangle +|001\Big\rangle \pm \sqrt{2}|100\Big\rangle \right), $$
(3)
$$ \mid {\gamma}^{\pm}\Big\rangle =\frac{1}{2}\left(|110\Big\rangle +|101\Big\rangle \pm \sqrt{2}|000\Big\rangle \right), $$
(4)

and he/she makes use of these bases to measure Particles 1, 2 in ∣W123 and a single particle a in state ∣φa = (α| 0〉 + β| 1〉)a, then the measurement outcomes can be expressed as

$$ {\displaystyle \begin{array}{l}\mid \varphi \left\rangle {}_a\mid W\right\rangle {}_{123}={\left(\alpha |0\Big\rangle +\beta |1\Big\rangle \right)}_a\otimes \frac{1}{2}{\left(|100\Big\rangle +|010\Big\rangle +\sqrt{2}|001\Big\rangle \right)}_{123}\\ {}\kern4em =\frac{1}{2}{\left[\alpha {\left(|010\Big\rangle +|001\Big\rangle \right)}_{a12}\mid 0\right\rangle}_3+\sqrt{2}\alpha \mid 000\left\rangle {}_{a12}\mid 1\right\rangle {}_3+\\ {}\kern6.25em \beta {\left(|110\Big\rangle +|101\Big\rangle \right)}_{a12}\mid 0\left\rangle {}_3+\sqrt{2}\beta \mid 100\right\rangle {}_{a12}\mid 1\left\rangle {}_3\right]\\ {}\kern4em =\frac{1}{2}{\left[\mid {\kappa}^{+}\right\rangle}_{a12}{\left(\alpha |0\Big\rangle +\beta |1\Big\rangle \right)}_3+\mid {\kappa}^{-}\Big\rangle {}_{a12}{\left(\alpha |0\Big\rangle -\beta |1\Big\rangle \right)}_3+\\ {}\kern6.25em \mid {\gamma}^{+}\left\rangle {}_{a12}{\left(\alpha |1\Big\rangle +\beta |0\Big\rangle \right)}_3+\mid {\gamma}^{-}\right\rangle {}_{a12}{\left(-\alpha |1\Big\rangle +\beta |0\Big\rangle \right)}_3\Big]\end{array}}. $$
(5)

By recalling the four local unitary operations \( {\sigma}_1=\left(\begin{array}{l}1\kern1em 0\\ {}0\kern1em 1\end{array}\right) \), \( {\sigma}_2=\left(\begin{array}{l}0\kern1em 1\\ {}1\kern1em 0\end{array}\right) \), \( {\sigma}_3=\left(\begin{array}{l}0\kern1em -1\\ {}1\kern1.25em 0\end{array}\right) \) and \( {\sigma}_4=\left(\begin{array}{l}1\kern1.25em 0\\ {}0\kern1em -1\end{array}\right) \), Eq. (5) can also be written as [35].

$$ \mid \varphi \left\rangle {}_a\mid W\right\rangle {}_{123}=\frac{1}{2}\left(|{\kappa}^{+}\Big\rangle {}_{a12}{\sigma}_1|\varphi \Big\rangle {}_3+|{\kappa}^{-}\Big\rangle {}_{a12}{\sigma}_4|\varphi \Big\rangle {}_3+|{\gamma}^{+}\Big\rangle {}_{a12}{\sigma}_2|\varphi \Big\rangle {}_3+|{\gamma}^{-}\Big\rangle {}_{a12}{\sigma}_3|\varphi \Big\rangle {}_3\right). $$
(6)

3 The Semi-Quantum Bi-Signature Scheme

In the proposed semi-quantum bi-signature scheme, signers Alice and Bob have quantum computing ability, while receiver and verifier Charlie has no quantum computing ability. Remarkably, Charlie can only measure, prepare and send particles with fixed quantum bases {| 0〉, | 1〉}. Eve is an impostor or attacker. M is the set of the message. The semi-quantum bi-signature scheme is composed of initialization phase, signature phase and verification phase, and the entire semi-quantum bi-signature scheme is shown in Fig. 1.

Fig. 1
figure 1

Process of the semi-quantum bi-signature scheme

Full size image

3.1 Initialization Phase

In the initialization phase, the message is processed and the states and semi-quantum keys are prepared to meet the needs of other two phases.

Step 1 Processing of the Message

Alice generates Sequence sm in a single particle state \( \left\{{s}_m=|{\varphi}_{m_i}\Big\rangle |i=1,2,\dots, n.\right\} \) according to the message M = {m1, m2, …, mn}, mi ∈ {0, 1}. If mi = 0, \( \mid {\varphi}_{m_i}\left\rangle =\mid 0\right\rangle \); if mi = 1, \( \mid {\varphi}_{m_i}\left\rangle =\mid 1\right\rangle \).

Step 2 Preparation of W States

Bob prepares n W states as Eq. (2) and divides these states into three sequences s1, s2 and s3. Alice prepares n W states as Eq. (7) and divides these states into three sequences s4, s5 and s6. Besides, Sequence si includes all the particles labeled i in W states.

$$ \mid W\Big\rangle {}_{456}=\frac{1}{2}{\left(|100\Big\rangle +|010\Big\rangle +\sqrt{2}|001\Big\rangle \right)}_{456}, $$
(7)

Step 3 Distribution of the Key

Alice and Charlie have pre-shared a semi-quantum key KAC as the private key while Bob and Charlie have pre-shared a private semi-quantum key KBC. Krawec’s protocol [31] is adopted as the way of SQKD in this paper. Concurrently, as long as one makes use of the private semi-quantum key KAC or KBC to communicate, the person is honest.

3.2 Signature Phase

In this phase, the signatures of Alice and Bob are generated, and then Alice and Bob send their signatures and other messages to Charlie. The transmissions of the sequences and messages are shown in Fig. 2.

Fig. 2
figure 2

The transmission of the sequences and the message

Full size image

Step 1 Distribution of State Sequences

Alice sends Sequences s5 and s6 to Bob and Charlie, respectively (Please refer to Fig. 3). Bob sends Sequences s1 and s2 to Alice (Please refer to Fig. 4).

Fig. 3
figure 3

Distribution of W states that Alice prepared

Full size image
Fig. 4
figure 4

Distribution of W states that Bob prepared

Full size image

Step 2 Measurement of State Sequences

Alice, Bob, and Charlie measure Sequences s4, s5, and s6 with Z-basis to generate the measurement results A = {| A1〉, | A2〉, …, | An〉}, B = {| B1〉, | B2〉, …, | Bn〉} and C = {| C1〉, | C2〉, …, | Cn〉}, respectively.

Step 3 Generation and Transmission of Alice’s Signature

Alice generates her private sequence \( {S}_A^{\hbox{'}}=\left\{\mid {s}_A^i\Big\rangle |i=1,2,\dots, n.\right\} \) with measurement outcome Ai and message sequence M, and the specific rule is shown in Table 1. Then Alice produces her signature SA as \( {K}_{AC}\oplus {S}_A^{\hbox{'}} \). Alice sends {SA, A} to Charlie.

Table 1 The specific signature rule
Full size table

Step 4 Von Neumann Measurement and Local Unitary Operations

(a) Alice measures Sequences sm, s1, s2 with the orthogonal bases {| κ±〉, | γ±〉} (Please refer to Fig. 5) and tells Bob the measurement results. (b) According to Alice’s measurement outcomes, Bob chooses the local operation from {σ1, σ2, σ3, σ4} and executes it on the state in Sequence s3 one by one, then Sequence s3 can be converted to sm. (d) Bob measures Sequence sm with Z-basis and gains the message sequence M.

Fig. 5
figure 5

Process of Von Neumann measurement

Full size image

Step 5 Generation and Transmission of Bob’s Signature

(a) Bob generates his private sequence \( {S}_B^{\hbox{'}}=\left\{\mid {s}_B^i\Big\rangle |i=1,2,\dots, n.\right\} \) with measurement outcome Bi and message sequence M, the specific signature rule is same as that of Alice. (b) Bob encrypts the private sequence \( {S}_B^{\hbox{'}} \) with KBC to generate his signature \( {S}_B={K}_{BC}\oplus {S}_B^{\hbox{'}} \). (c) Bob sends {SB, B} to Charlie.

3.3 Verification Phase

In this phase, Charlie verifies the signatures of Alice and Bob.

Step 1 Comparison of Measurement Results

Charlie compares the measurements A, B and C to determine whether the measurements meet the measurement requirement of W state. If the measurements do not satisfy the requirement, the signatures are both abandoned; otherwise, Charlie performs the next step.

Step 2 Decryption

Charlie produces Sequences \( {S}_A^{\hbox{'}} \) and \( {S}_B^{\hbox{'}} \) by decrypting SA and SB with KAC and KBC, respectively.

Step 3 Calculation of the Message Sequence

Charlie calculates the message sequence MA of Alice by Sequences \( {S}_A^{\hbox{'}} \) and A while he estimates the message sequence MB of Bob by Sequences \( {S}_B^{\hbox{'}} \) and B.

Step 4 Comparison of Message Sequences

Charlie compares two message sequences MA and MB. If MA is same as MB, Charlie accepts the signatures of Alice and Bob; otherwise, he refuses these two signatures. Then Charlie sends Alice and Bob KAC ⊕ MA and KBC ⊕ MB, respectively.

4 Security Analysis and Discussion

4.1 Security against Forgery

Generally, Eve has three possible ways to forge signatures in the proposed semi-quantum bi-signature scheme.

Eve may forge a new signature and replace the signature of Alice or Bob with her own one after she captures the message from Alice or Bob. If Eve attempts to achieve her purpose, she has to obtain the message sequence M. However, it is known that Eve cannot gain the message sequence M since it is transmitted by the teleportation of W state. Zhou et al. [36] have proved the teleportation of W state proposed by Agrawal [35] is secure and correct.

Eve may generate a signature of her chosen message to replace the signature of Alice or Bob. Since Eve doesn’t know the length of the message sequence M, she can only intercept {SA, A} or {SB, B} to achieve her goal. Obviously, Eve can gain nothing from SA or SB since she does not know the key KAC or KBC. Therefore, Eve can only utilize the measurement sequence A or B and her chosen message MEve to forge the signature of Alice or Bob, and the probability that she can achieve her purpose is

$$ {\rho}_1=\frac{1}{2^n}. $$
(8)

Since the number n is big enough, the probability ρ1 ≈ 0.

Eve may intercept the signature of Alice or Bob and send Charlie a new signature. However, the signatures of Alice and Bob are sequences encrypted and Eve knows nothing about the keys KAC and KBC. Apparently, Eve cannot forge the signature of Alice or Bob by intercepting the encrypted sequence SA or SB directly.

In addition, the identities of the participants have been verified during the distribution phase of semi-quantum keys KAC and KBC. In other words, if one can correctly communicate with the private semi-quantum key KAC or KBC, he/she is honest.

Therefore, the proposed semi-quantum bi-signature scheme can effectively resist the forgery attack.

4.2 Security against Repudiation

Non-repudiation is an important aspect of the signature scheme. In the proposed semi-quantum bi-signature scheme, Alice and Bob must not deny what they have signed on some previous information. Firstly, the signatures of Alice and Bob are encrypted by the private keys KAC and KBC, so they cannot disavow that they have utilized the keys. Secondly, Alice and Bob transmit the message sequence M by the teleportation of W state and they cannot repudiate the collapse of W state. Likewise, Alice, Bob and Charlie have one sequence of W states respectively, and they cannot disaffirm the collapse of W state.

Concurrently, Charlie cannot repudiate that he has received the signatures of Alice and Bob. On the one hand, in Step 4 of the verification phase, Charlie sends Alice and Bob the messages KAC ⊕ MA and KBC ⊕ MB respectively, so he cannot deny the application of the keys KAC and KBC. On the other hand, Charlie cannot disavow the collapse of W state.

Therefore, the proposed semi-quantum bi-signature scheme can effectively resist the repudiation of signers and verifier.

4.3 Security against Intercept-Resend Attack

On the one hand, Eve may intercept sequences s1 and s2 to steal the message. Nevertheless, the message is transmitted by the teleportation of W state. Thus Eve cannot steal any information of the real message by intercepting the sequences s1 and s2 according to [36].

On the other hand, Eve may intercept sequences s5 and s6 to steal the real message. For instance, if Eve prepares two auxiliary state sequences in the states \( \mid \varphi \left\rangle {}_E^1={\alpha}_1\mid 0\right\rangle +{\beta}_1\mid 1\Big\rangle \) (|α1|2 + |β1|2 = 1) and \( \mid \varphi \left\rangle {}_E^2={\alpha}_2\mid 0\right\rangle +{\beta}_2\mid 1\Big\rangle \) (|α2|2 + |β2|2 = 1), respectively. After intercepting state sequences s5 and s6, Eve sends these two auxiliary state sequences to Bob and Charlie, respectively. But when Bob and Charlie receive these two state sequences, they will measure them with corresponding bases, respectively. After measuring the states, Bob and Charlie can obtain the measurement outcomes {| 0〉, | 1〉} of Sequence s5 and s6 with probability |α1|2, |β1|2 and |α2|2, |β2|2, respectively. Apparently, the error rates for Eve are |α1|2, |β1|2 of Sequence s5 and |α2|2, |β2|2 of Sequence s6, respectively. Afterwards, the information of Bob (Charlie) can be expressed as [37]:

$$ {H}_e{,}_i(B)={H}_e{,}_i(C)=-{\left|{a}_i\right|}^2{\log}_2{\left|{a}_i\right|}^2-{\left|{\beta}_i\right|}^2{\log}_2{\left|{\beta}_i\right|}^2\le 1\mathrm{bit},\left(i=1,2.\right) $$
(9)

where He, i(X) denotes the Shannon entropy. According to the definition, the Shannon entropy can be expressed as:

$$ H(X)=-\sum \limits_x{p}_x{\log}_2{p}_x. $$
(10)

where X is a variable and px is the presence probability of X [38]. From Eq. (10), it can be obtained that He, i(B) = He, i(C) = 1 if and only if \( {\left|{\alpha}_i\right|}^2={\left|{\beta}_i\right|}^2=\frac{1}{2} \). If Eve intercepts Sequences s5 and s6, the mutual information between Alice and Bob (Charlie) is

$$ {I}_e\left(A,B\right)={H}_e(B)-{H}_e\left(B|A\right)<{H}_e(B)\le 1\ \mathrm{bit}, $$
(11)
$$ {I}_e\left(A,C\right)={H}_e(C)-{H}_e\left(\mathrm{C}|A\right)<{H}_e(C)\le 1\ \mathrm{bit}, $$
(12)

where He(B| A) and He(C| A) denote conditional entropy and He(B| A) > 0, He(C| A) > 0.

According to the Holevo limit [38], if there is no eavesdropper, the mutual information between Alice and Bob (Charlie) is

$$ I\left(A,B\right)=I\left(A,C\right)\le S\left(\rho \right)-\sum \limits_x{p}_xS\left({\rho}_x\right), $$
(13)

where S(ρ) =  − tr(ρlog2ρ) is the von Neumann entropy of state \( \rho =\sum \limits_x{p}_x{\rho}_x \). If Eve does not intercept Sequences s5 and s6, the mutual information between Alice and Bob (Charlie) is

$$ I\left(A,B\right)=I\left(A,C\right)=S\left(\rho \right)=-\sum \limits_x{\lambda}_x{\log}_2{\lambda}_x=1\ \mathrm{bit}, $$
(14)

where λx denotes the eigenvalue of state ρ. From Eqs. (11)–(14), it is clear that

$$ {I}_e\left(A,B\right)<I\left(A,B\right). $$
(15)
$$ {I}_e\left(A,C\right)<I\left(A,C\right). $$
(16)

Obviously, the mutual information between Alice and Bob (Charlie) under eavesdropping will be less than that without eavesdropping.

The proposed semi-quantum bi-signature scheme can effectively resist the intercept-resend attack.

4.4 Security against Entangle-Measure Attack

If Eve wants to destroy the signature scheme by the entangle-measure attack, she can only intercept Sequence s5 or s6 and entangle it with a pre-prepared intermediate state sequence. After that, Eve resends the intercepted sequence to the corresponding receiver. When the whole semi-quantum bi-signature scheme is finished, Eve measures the intermediate state sequence to extract some useful information about the signature of Alice or Bob. Without loss of generality, Eve’s unitary operation Ue can be described as

$$ {U}_{\mathrm{e}}\mid 0\left\rangle \mid E\right\rangle ={a}_e\mid 0\left\rangle \mid {e}_{00}\right\rangle +{b}_e\mid 1\left\rangle \mid {e}_{01}\right\rangle, $$
(17)
$$ {U}_{\mathrm{e}}\mid 1\left\rangle \mid E\right\rangle ={\mathrm{c}}_e\mid 0\left\rangle \mid {e}_{10}\right\rangle +{d}_e\mid 1\left\rangle \mid {e}_{11}\right\rangle, $$
(18)

where |e00〉,  | e01〉, | e10〉 and |e11〉 are pure states and |ae|2 +|be|2 =1, |ce|2 + |de|2 =1. According to the analyses in Ref. [39], it is clear that

$$ {I}_E\left(A,B\right)={I}_E\left(A,C\right)<{I}_{e,1}\left(A,B\right)={I}_{e,1}\left(A,C\right), $$
(19)

where IE(A, B) and IE(A, C) denote the mutual information between Alice and Bob and the mutual information between Alice and Charlie, respectively.

From Eq. (19), it is apparent that the mutual information with eavesdropping will be less than that without eavesdropping. Apparently, the proposed semi-quantum bi-signature scheme can resist the entangle-measure attack effectively.

4.5 Security Analysis of Semi-Quantum Key

The semi-quantum keys are generated with the protocol proposed in Ref. [31], and Krawec provided the security proof of the SQKD protocol. Besides, Krawec derived a new lower bound on the key rate in the asymptotic scenario and the adopted protocol can tolerate higher rates of error than previously thought.

4.6 Comparison with Typical Signature Schemes

The efficiency of the proposed semi-quantum bi-signature scheme can be calculated with the definition \( \eta =\frac{b_s}{q_t+{b}_t} \) [38], where \( {b}_s \) represents the number of useful particles while \( {q}_t \) and \( {b}_t \) denote the total amount of used qubits and the total number of classical bits, respectively. Thus, the efficiency of the proposed bi-signature scheme is \( \eta =\frac{2n+2n+2n}{2n+n+3n+3n}=\frac{2}{3}\approx 66.7\% \). Since the teleportation of W state makes full use of the qubits and classical bits, the efficiency of the proposed semi-quantum bi-signature scheme is relatively high. Comparisons of some typical quantum signature schemes or public-key schemes are collected in Table 2, where C and Q denote classical space and quantum space, respectively. If all the participants are quantum parties, the participant attribute is “quantum”; if there is a participant without quantum capability, the participant attribute is “semi-quantum”.

Table 2 Comparison with typical quantum signature schemes
Full size table

It is shown that all the participants are quantum parties in most typical quantum signature schemes while only the two signers are quantum parties in the proposed semi-quantum bi-signature scheme, which reduces the hardware requirements in implementing signature. Since the proposed semi-quantum bi-signature scheme transmits message with the teleportation of W state rather than with more qubits or classical bits, it is more efficient than some typical quantum signature schemes.

5 Conclusion

Based on the correlation of W state and the teleportation of W state, a semi-quantum bi-signature scheme is designed. Compared with previous quantum signature schemes, the semi-quantum bi-signature scheme with two signers who sign one same message is more useful in real life. The unconditional security is guaranteed by the teleportation of W states and semi-quantum key distribution, and security analyses show that the proposed semi-quantum bi-signature scheme can resist most attacks effectively. Remarkably, the proposed semi-quantum bi-signature scheme is more efficient and convenient than some typical quantum signature schemes.