Quantum Dual Signature with Coherent States Based on Chained Phase-Controlled Operations

Abstract

A novel encryption algorithm called the chained phase-controlled operation (CPCO) is presented in this paper, inspired by CNOT operation, which indicates a stronger correlation among message states and each message state depending on not only its corresponding key but also other message states and their associated keys. Thus, it can prevent forgery effectively. According to the encryption algorithm CPCO and the classical dual signature protocols, a quantum dual signature scheme based on coherent states is proposed in this paper. It involves three participants, the customer Alice, the merchant Bob and the bank Trent. Alice expects to send her order message and payment message to Bob and Trent, respectively. It is required that the two messages must be linked to guarantee the payment is paid for the corresponding order. Thus, Alice can generate a quantum dual signature to achieve the goal. In detail, Alice firstly signs her two messages with the shared secret key. Then She connects the two signatures into a quantum dual signature. Finally, Bob and Trent severally verify the signatures of the order message and the payment message. Security analysis shows that our scheme can ensure its security against forgery, repudiation and denial. In addition, simulation experiments based on the Strawberry Fields platform are performed to valid the feasibility of CPCO. Experimental results demonstrate that CPCO is viable and the expected coherent states can be acquired with high fidelity, which indicates that the encryption algorithm of the scheme can be implemented on quantum devices effectively.

1. Introduction

The digital signature, which is an important way to realize identity and message authentication, is one of the significant cryptographic building blocks and has been extensively employed in secure electronic commerce. A digital signature is considered to be additional information to the message [1] and it can prevent cheating legitimate users, including forging the sender’s signature by the receiver, and repudiating the signature by the sender [2]. There are lots of classical digital signature schemes [3,4,5] including post-quantum signature [6], whose security depends on complex algorithms or unresolved mathematical problems, such as the discrete logarithm problem [7] and the prime factorization problem [8]. However, with the advent of quantum computing and quantum algorithms [9,10], these classical signature schemes are likely to be compromised [11,12]. For example, the security of the signature with prime factorization may be quickly broken [13,14] by Shor’s algorithm [15] in the near future. Hence research imminently needs to blaze a trail in the security improvement of signature schemes with another way. The product of combination of quantum cryptography and classical signature schemes, the so-called quantum signature, can effectively contend with the attacks brought by quantum computation. With physical properties, such as Heisenberg uncertainty [16] and the quantum no-cloning theorem [17], a quantum signature can have unconditional security in theory, so that more and more scholars invest in research on this topic [18,19,20]. For adjusting to diverse application scenarios, arbitrated quantum signature (AQS) [11,12,21], quantum group signature (QGS) [22,23], quantum proxy signature (QPS) [24,25], quantum blind signature (QBS) [26,27] or their combinations [28,29,30], have been proposed, which are apparently corresponding to various classical digital signature schemes.

In 2001, Gottesman et al. [31] first proposed a quantum digital signature based on fundamental principles of quantum physics, i.e., a quantum analogue of one-way functions, which required $\mathbf{O}\left(m\right)$ qubits to encrypt m-bit message. On the basis of Greenberger-Horne-Zeilinger (GHZ) triplet states, Zeng et al. [32] and Keitel [33] put forward a quantum signature scheme, whose realization depends upon a trusty arbitrator, namely AQS schemes [21,34] which can be adapted to both known and unknown quantum states and still provide certain degree of security by employing quantum key distribution (QKD) protocols and quantum one-time pads (QOTPs) [35,36]. Ref. [2,34] pointed out that forgery attacks may occur in AQS schemes which use QOTP. On the one hand, the QOTP encrypts data qubit by qubit and the key bits are independent of each other. On the other hand, Pauli operations commute or anticommute with each other, i.e., the Pauli operators can exchange each other. Therefore, the recipient Bob may forge the sender’s signature under known message by using the encryption features of QOTP. Xu et al. [37] designed a quantum group blind signature scheme to provide anonymity of voters in an e-voting system and Ref. [22] proposed a QGS scheme without the help of arbitrator, which can be used in e-government and e-business. Dunjko et al. [38] introduced a quantum digital signature scheme applying coherent states which is experimentally feasible to access. For pushing the limit of single stream in quantum networks, Shang et al. [39] first proposed a quantum homomorphic signature protocol by using entanglement swapping, which is used to authenticate data packets of multiple stream for quantum networks. Then other quantum homomorphic [40,41] signatures have been proposed successively.

It is common knowledge that account information and trading activities of a consumer are required to not be leaked to others. A dual signature [42,43,44], which combines the customer’s order information and payment information that are encrypted with separate secret keys, can be used to solve the problem that the customer’s order information (payment information) should be hidden from the bank (business) while the payment information should be blindly forwarded to the bank by the business. It is a new way to sign on transaction information and plays an important role in e-payment system to ensure the secure communication among the consumer, merchant, and bank. The dual signature has a good development in classical cryptography, and a quantum dual signature scheme [44] was introduced based on coherent states with entanglement swapping in 2016. Compared to the classical dual signatures, the quantum dual signature which involves quantum algorithms and QKD protocols could be more secure and efficient, and it also has a wide application to the ecommerce system as a classical dual signature.

In 2103, Zhang et al. [45] presented two types of improved encryption algorithms which are called Key-Controlled-‘I’ QOTP and Key-Controlled-‘T’ QOTP determined by the shared key and can prevent forgery attacks effectively. In 2015, Li et al. [46] proposed a novel chained CNOT operations encryption where one qubit is encrypted not only based on the corresponding qubit and key but also based on other qubits and keys, which is more secure compared with QOTP. Therefore, inspired by the chained CNOT operations and classical dual signature, we design a new encryption algorithm for signatures, i.e., the chained phase-controlled operation (CPCO) to construct a quantum dual signature scheme. Meanwhile, coherent states that can be easily generated [47,48] by current quantum technologies are used as the input resources. Strong analysis we present proves that the scheme can resist the attacks on forging sender’s signature, disavowing own signature, denying the received signature, and also the Gao’s attack in Ref. [2]. Simulation experiments of the CPCOs are performed on quantum software platform, namely Strawberry Fields [49], and the experimental results declares that the designed encryption algorithm can be implemented by quantum devices.

It is worth mentioning that a secure quantum signature protocol must meet the following security conditions [8]: (1) Non-forgery: The signature cannot be forged by any attacker. Only the legitimate signer can generate a valid signature. (2) Non-repudiation: Any participant cannot deny what she/he has done. That is to say, the signer cannot later successfully disavow that she/he has signed a message and the receiver cannot deny her/his receiving or the integrity of the signature. (3) Quantum properties: Quantum signature algorithms contain pure quantum mechanics properties, and there are no classical counterparts. In this paper, we mainly focus on these security conditions to verify the feasibility of our scheme.

2. Methods

2.1. The Preparation of Keys

In our proposed scheme, the keys are used with the permutation of the decimal sequence like $(1,2,\dots ,n)$ rather than binary sequence. So we should process the original key which are obtained from the QKD protocols [50,51,52,53]. Detailedly, if Alice wants to share secret keys with Bob (Trent), the steps can be generalized as follows:

• Alice shares n-bit string $K_{original}=\left\{K_{original}^l\right|1\le l\le n\}$ with Bob (Trent) via a QKD protocol, where $K_{original}^l\in \{0,1\}$.
• The final key $K_{final}$ is obtained according to the positions of 0 and 1.

  (1)

  The position of the first, the second and the last 0 is assigned to $K_{final}^1$, $K_{final}^2$ and $K_{final}^l$ respectively, where $l=0$.

  (2)

  The positions of 1 are assigned to the remaining $K_{final}^{l+1},\dots ,K_{final}^n$. Then we have $K_{final}=\left\{K_{final}^l\right|1\le l\le n\}$.

For example, if $K_{original}=\left\{00101\right\}$, then $K_{final}=\{1,2,4,3,5\}$.

2.2. The Chained Phase-Controlled Operations

As we know, the CNOT operator is a two-qubit gate and its function is given by

$$\begin{array}{c}\hfill |c\rangle |t\rangle \to |c\rangle |t\oplus c\rangle ,\end{array}$$

(1)

where the two qubits $|c\rangle$ and $|t\rangle$ are the control qubit and the target qubit, respectively. The notation ⊕ stands for summation mod 2. The target bit flips when $|c\rangle =|1\rangle$, otherwise, the target bit stays unchanged. We draw inspiration from CNOT operation and put forward a new encryption algorithm, namely the CPCO. A phase-controlled operation (PCO) can be defined as $PCO{\left(\right|M\rangle }_j{,|M\rangle }_{K_j})$, where $K_j$ is the j-th value of the final key, ${|M\rangle }_j$ is the control coherent state and ${|M\rangle }_{K_j}$ is the target coherent state, and ${|M\rangle }_j{,|M\rangle }_{K_j}\in \left\{\right|\alpha \rangle ,|-\alpha \rangle ,|i\alpha \rangle ,|-i\alpha \rangle \}$ [54]. In addition, the coherent state ${|M\rangle }_j$ satisfies ${|M\rangle }_j=|x_j+i{p}_j\rangle$, where $x_j\in \mathbb{R}$ and $p_j\in \mathbb{R}$ are separately the amplitude and phase of ${|M\rangle }_j$. The results of PCO operations applied to message ${|M\rangle }_j$ can be derived as follows.

$$PCO{\left(\right|M\rangle }_j{,|M\rangle }_{K_j}{\left)\right|M\rangle }_{K_j}=\left\{\begin{array}{cc}P\left(\frac{\pi }{2}\right){|M\rangle }_{K_j},\hfill & K_j\ne j,x_j\ne 0and{p}_j=0,\hfill \\ {P\left(\pi \right)|M\rangle }_{K_j},\hfill & K_j\ne j,x_j=0and{p}_j\ne 0,\hfill \\ {P\left(0\right)|M\rangle }_{K_j},\hfill & K_j=j,\hfill \end{array}\right.$$

(2)

where $P\left(\theta \right)$ is a phase shift operator which fulfils $P\left(\theta \right)=$ exp $(i\theta {\widehat{a}}^{†}\widehat{a})$, and $\theta \in \{\frac{\pi }{2},\pi \}$ is angle of phase changed, ${\widehat{a}}^{†}$ and $\widehat{a}$ are bosonic creation and annihilation operators, respectively. The 50/50 beam splitter can be used to achieve the measurements of amplitude and phase. Two coherent states $|\mu \rangle$ and $|\nu \rangle$ are input into the beam splitter, then $|\frac{\mu +\nu }{\sqrt{2}}\rangle$ and $|\frac{\mu -\nu }{\sqrt{2}}\rangle$ are acquired from modes 1 and 2, respectively. Hence given coherent state ${|\alpha \rangle }_s$ and ${|M\rangle }_j$ are input into the 50/50 beam splitter, vacuum states can be acquired from one of the two output modes according to the judgement ${|M\rangle }_j$ is equal to $|\alpha \rangle$ or $|-\alpha \rangle$. Otherwise, both output of modes are not vacuum states.

Suppose the message which is composed of coherent states is $|M\rangle ={\otimes }_{j=1}^N{|M\rangle }_j$, where N stands for the message length and the secret key is K. Then the encryption process based on the CPCO is deduced as:

$$\begin{array}{cc}\hfill |C\rangle & =E_K|M\rangle \hfill \\ \hfill & =PCO{\left(\right|M\rangle }_n{,|M\rangle }_{K_n}{)PCO\left(\right|M\rangle }_{n-1}{,|M\rangle }_{K_{n-1}}{)\dots PCO\left(\right|M\rangle }_1{,|M\rangle }_{K_1}\left)\right|M\rangle ,\hfill \end{array}$$

(3)

where $E_K$ means the encryption algorithm. Meanwhile, the corresponding decryption process is

$$\begin{array}{cc}\hfill |M\rangle & =D_K|C\rangle \hfill \\ \hfill & =DPCO{\left(\right|M\rangle }_1{,|M\rangle }_{K_1}{)DPCO\left(\right|M\rangle }_2{,|M\rangle }_{K_2}{)\dots DPCO\left(\right|M\rangle }_n{,|M\rangle }_{K_n}\left)\right|C\rangle ,\hfill \end{array}$$

(4)

where $D_K$ and $DPCO$, stands for decryption algorithm and the phase-controlled operation for decryption respectively. The detailed functions of $DPCO{\left(\right|M\rangle }_j{,|M\rangle }_{K_j})$ are

$$DPCO{\left(\right|M\rangle }_j{,|M\rangle }_{K_j}{\left)\right|M\rangle }_{K_j}=\left\{\begin{array}{cc}P(-\frac{\pi }{2}){|M\rangle }_{K_j},\hfill & K_j\ne j,x_j\ne 0and{p}_j=0,\hfill \\ {P(-\pi )|M\rangle }_{K_j},\hfill & K_j\ne j,x_j=0and{p}_j\ne 0,\hfill \\ {P\left(0\right)|M\rangle }_{K_j},\hfill & K_j=j.\hfill \end{array}\right.$$

(5)

For example, suppose $n=4$, the key $K=\{1,4,2,3\}$ and the message $|M\rangle ={|\alpha \rangle }_1{|-\alpha \rangle }_2{|-i\alpha \rangle }_3{|i\alpha \rangle }_4$. Then the encoded message is

$$\begin{array}{cc}\hfill |C\rangle & =E_K|M\rangle \hfill \\ \hfill & =PCO{\left(\right|M\rangle }_4{,|M\rangle }_{K_4}{)PCO\left(\right|M\rangle }_3{,|M\rangle }_{K_3}{)\dots PCO\left(\right|M\rangle }_1{,|M\rangle }_{K_1}{)\left(\right|\alpha \rangle }_1{|-\alpha \rangle }_2\hfill \\ \hfill & {|-i\alpha \rangle }_3{|i\alpha \rangle }_4)\hfill \\ \hfill & =PCO{\left(\right|M\rangle }_4{,|M\rangle }_3{)PCO\left(\right|M\rangle }_3{,|M\rangle }_2{)\dots PCO\left(\right|M\rangle }_1{,|M\rangle }_1{)\left(\right|\alpha \rangle }_1{|-\alpha \rangle }_2\hfill \\ \hfill & {|-i\alpha \rangle }_3{|i\alpha \rangle }_4)\hfill \\ \hfill & ={|\alpha \rangle }_1{|\alpha \rangle }_2{|\alpha \rangle }_3{|-\alpha \rangle }_4,\hfill \end{array}$$

(6)

Also the decoded message is acquired as:

$$\begin{array}{cc}\hfill |M\rangle & =D_K|C\rangle \hfill \\ \hfill & =DPCO{\left(\right|M\rangle }_1{,|M\rangle }_{K_1}{)DPCO\left(\right|M\rangle }_2{,|M\rangle }_{K_2}{)\dots DPCO\left(\right|M\rangle }_4{,|M\rangle }_{K_4}{)\left(\right|\alpha \rangle }_1\hfill \\ \hfill & {|\alpha \rangle }_2{|\alpha \rangle }_3{|-\alpha \rangle }_4)\hfill \\ \hfill & =DPCO{\left(\right|M\rangle }_1{,|M\rangle }_1{)DPCO\left(\right|M\rangle }_2{,|M\rangle }_4{)\dots DPCO\left(\right|M\rangle }_4{,|M\rangle }_3{)\left(\right|\alpha \rangle }_1{|\alpha \rangle }_2\hfill \\ \hfill & {|\alpha \rangle }_3{|-\alpha \rangle }_4)\hfill \\ \hfill & ={|\alpha \rangle }_1{|-\alpha \rangle }_2{|-i\alpha \rangle }_3{|i\alpha \rangle }_4.\hfill \end{array}$$

(7)

It can be seen that one state is not only related to its corresponding key bit and message state but also related to the key and state in other positions. Thus, this new method in our scheme makes a stronger correlation between message states, and in later section, we prove that the encryption algorithm based on CPCO can avoid attacker’s forgery.

2.3. Quantum Dual Signature Scheme

The schematic representation of the propounded scheme is shown in Figure 1. The signatory Alice firstly signs the messages ${|M\rangle }_O$ and ${|M\rangle }_P$ which are required to be separately received by Bob and Trent, and she combines the two signatures into a quantum dual signature. Next, Bob verifies the signature of order message and derives the parameter $V_B$ which is a reference point for Bob to judge whether transmit relevant information to Trent or reject the signature directly. Subsequently, Trent completes the verification for the signature of ${|M\rangle }_P$ and sends a parameter $V_T$ to Bob. The quantum dual signature scheme involves three participants, i.e., the signatory Alice, the order message verifier Bob and the payment message verifier Trent, and three phases, i.e., the initial phase, the signing phase and the verification phase that can be described in detail as follows.

2.3.1. Initial Phase

In this phase, the participants share the necessary keys and Alice blinds her messages based on agreed principles. The procedures are described as below.

• Alice has two classical messages, i.e., the order message $M_O={\otimes }_{s=1}^x{m}_O^s$ and the payment message $M_P={\otimes }_{t=1}^y{m}_P^t$, where $m_O^s$, $m_P^t\in \{0,1\}$. x and y separately stand for the lengths of $M_O$ and $M_P$.
• Based on QKD protocols, the original keys $K_{AB}^{ori}$, $K_{AT}^{ori}$ and $K_{BT}^{ori}$ are shared between Alice and Bob, Alice and Trent, and Bob and Trent, respectively. $K_{AB}^{ori}$ has $x+y$ bits. The lengths of $K_{AT}^{ori}$ and $K_{BT}^{ori}$ are y bits.
• According to the method mentioned in the section of preparation of the key, the final keys $K_{AB}$, $K_{AT}$ and $K_{BT}$ are obtained. Each of them is a disorderly permutation of $(1,2,\dots n)$.
• Alice selects a random x-bit binary sequence $K_{RO}$. According to each $m_O^s{K}_{RO}^s$, Alice prepares the relevant coherent state. The corresponding relationships are shown in

  Table 1. The corresponding relations between $m_O^s{K}_{RO}^s$ and ${|M\rangle }_O^s$.

  ${\mathit{m}}_{\mathit{O}}^{\mathit{s}}{\mathit{K}}_{\mathit{RO}}^{\mathit{s}}$	${|\mathit{M}\rangle }_{\mathit{O}}^{\mathit{s}}$
  00	$|\alpha \rangle$
  01	$|-\alpha \rangle$
  10	$|-i\alpha \rangle$
  11	$|i\alpha \rangle$

  . Therefore, the order information is blinded into ${|M\rangle }_O^{\prime }={\otimes }_{s=1}^x{|M\rangle }_O^s$.
• Similarly, Alice generates another y-bit binary sequence $K_{RP}$. Based on each $m_P^t{K}_{RP}^t$, she acquires blind payment message ${|M\rangle }_P^{\prime }={\otimes }_{t=1}^y{|M\rangle }_P^t$. The corresponding relations are shown in

  Table 2. The corresponding relations between $m_P^t{K}_{RP}^t$ and ${|M\rangle }_P^t$.

  ${\mathit{m}}_{\mathit{O}}^{\mathit{t}}{\mathit{K}}_{\mathit{RO}}^{\mathit{t}}$	${|\mathit{M}\rangle }_{\mathit{O}}^{\mathit{t}}$
  00	$|i\alpha \rangle$
  01	$|-i\alpha \rangle$
  10	$|-\alpha \rangle$
  11	$|\alpha \rangle$

  .

2.3.2. Signing Phase

This phase gives a specific description of the signature algorithm, i.e., Alice signs the message states by implementing CPCO and merges these two signatures into a quantum dual signature. The signing phase is carried out by following procedures.

• Alice signs ${|M\rangle }_P^{\prime }$ based on the CPCOs with secret key $K_{AT}$ and obtains ${|S\rangle }_P=E_{K_{AT}}{\left(\right|M\rangle }_P^{\prime })$.
• Alice signs ${|M\rangle }_O^{\prime }$ and acquires signature ${|S\rangle }_O=E_{K_{AB\left(x\right)}}{\left(\right|M\rangle }_O^{\prime })$ according to $K_{AB}$, where $K_{AB\left(x\right)}$ represents the front x numbers of $K_{AB}$.
• Alice connects ${|S\rangle }_O$ and ${|S\rangle }_P$ together and acquires ${|M\rangle }_{OP}={|S\rangle }_O\otimes {|S\rangle }_P$ whose length is $x+y$.
• Alice signs ${|M\rangle }_{OP}$ based on the key $K_{AB}$. Then she gets the quantum dual signature ${|S\rangle }_D=E_{K_{AB}}{\left(\right|M\rangle }_{OP})$.
• Alice transmits ${|S\rangle }_D$ and ${|M\rangle }_O^{\prime }$ to Bob. Meanwhile, she sends ${|M\rangle }_P^{\prime }$ to Trent.

2.3.3. Verification Phase

The verification phase requires Bob (Trent) to verify the signature of order message (payment message) and judge whether the signature ${|S\rangle }_O$ (${|S\rangle }_P$) is valid. The detailed steps are as displayed follows.

• Once receiving Alice’s signature, Bob randomly chooses $n_a$ ($n_a<x+y$) states from it and records the numbers. Simultaneously, Alice and Bob negotiate the correspondence between signatures and binary bits. For example, they use 00, 01, 10 and 11 to stand for $|\alpha \rangle$, $|i\alpha \rangle$, $|-\alpha \rangle$ and $|-i\alpha \rangle$, respectively.
• Bob sends numbers and corresponding bits of the chosen states to Alice. Alice judges whether the signatures are right based on the correspondence between signatures and binary bits. If ${\epsilon }_{forgery}^B<{\epsilon }_B$, subsequent steps continue. Otherwise the protocol is terminated. ${\epsilon }_{forgery}^B$ represents the probability of mistakes between the recovered signatures and the original signatures, and ${\epsilon }_B$ represents the error threshold.
• Bob decodes ${|S\rangle }_D$ and derives ${|M\rangle }_{OP}$. Then Bob divides ${|M\rangle }_{OP}$ into two parts with length x and y respectively. Thus, Bob obtains ${|S\rangle }_O$ and ${|S\rangle }_P$.
• Bob encodes ${|M\rangle }_O^{\prime }$ and derives ${|S\rangle }_O^{\prime }=E_{K_{AB\left(x\right)}}{\left(\right|M\rangle }_O^{\prime })$ with CPCO based on secret key $K_{AB\left(x\right)}$.
• Bob verifies whether ${|S\rangle }_O^{\prime }$ is matched to ${|S\rangle }_O$. Then he obtains the parameter

  $$V_B=\left\{\begin{array}{cc}1,\hfill & {|S\rangle }_O^{\prime }={|S\rangle }_O,\hfill \\ 0,\hfill & {|S\rangle }_O^{\prime }\ne {|S\rangle }_O.\hfill \end{array}\right.$$

  (8)
  If $V_B$ is equal to 0, Bob rejects the quantum dual signature directly; otherwise, Bob encrypts ${|S\rangle }_P$ with the key $K_{BT}$ and acquires

  $${|M\rangle }_T=E_{K_{AB}}{\left(\right|S\rangle }_P).$$

  (9)
  Then he sends ${|M\rangle }_T$ to Trent. Here we need to emphasize that the business Bob needs to validate the identity of the customer Alice and the details of order before the bank Trent verifies the signature of payment message. This is the reason the payment message is forwarded to Trent by Bob.
• Trent decrypts ${|M\rangle }_T$ with $K_{AT}$ and obtains ${|S\rangle }_P$.
• Trent randomly selects $m_a$ states from ${|S\rangle }_P$ and records their numbers. Trent and Alice negotiate the correspondence between signatures and $m_a$-length binary bits. Trent transmits numbers and corresponding bits of the chosen states to Alice. Alice judges whether the signatures are right and acquires the error probability ${\epsilon }_{forgery}^T$. If ${\epsilon }_{forgery}^T<{\epsilon }_T$, next steps continue, otherwise the protocol is stopped, where ${\epsilon }_{forgery}^T$ represents the error probability of signatures of payment messages, and ${\epsilon }_T$ represents the error threshold.
• Trent computes ${|S\rangle }_P^{\prime }=E_{K_{AT}}{\left(\right|M\rangle }_P^{\prime })$ and judges whether ${|S\rangle }_P^{\prime }={|S\rangle }_P$ to determine the parameter

  $$V_T=\left\{\begin{array}{cc}1,\hfill & {|S\rangle }_P^{\prime }={|S\rangle }_P,\hfill \\ 0,\hfill & {|S\rangle }_P^{\prime }\ne {|S\rangle }_P.\hfill \end{array}\right.$$

  (10)
  Next Trent sends the result $V_T$ to Bob.
• Bob can draw a conclusion that Alice’s signatures are valid if $V_B=V_T=1$. In this situation, Bob can require Alice to inform the key $K_{RO}$.
• Alice receives Bob’s demand which means the successful verification of ${|S\rangle }_O$ and ${|S\rangle }_P$. Then Alice informs Bob (Trent) the key $K_{RO}$ ($K_{RP}$).
• Bob recovers $M_O$ from ${|M\rangle }_O^{\prime }$ on the basis of principles which are negotiated between them in advance. In detail, the principles of recovering messages are

  $$m_O^s=\left\{\begin{array}{cc}{K}_{RO}^s\oplus 0,\hfill & x_{M_O^s}\ge 0and{p}_{M_O^s}\ge 0,\hfill \\ K_{RO}^s\oplus 1,\hfill & others,\hfill \end{array}\right.$$

  (11)

  where $x_{M_O^s}$ and $p_{M_O^s}$ are amplitude and phase of the coherent state ${|M\rangle }_O^s$, respectively.
• Trent also can recover $M_P$ from ${|M\rangle }_P^{\prime }$ based on the principles that

  $$m_P^t=\left\{\begin{array}{cc}{K}_{RP}^t\oplus 0,\hfill & x_{M_P^t}\ge 0and{p}_{M_P^t}\ge 0,\hfill \\ K_{RP}^t\oplus 1,\hfill & others,\hfill \end{array}\right.$$

  (12)

  where $x_{M_P^t}$ and $p_{M_P^t}$ are amplitude and phase of the coherent state ${|M\rangle }_P^t$, separately. In this case, the transaction is completed.

3. Results

As mentioned above, a secure quantum signature scheme should meet at least three requirements, i.e., non-forgery, non-repudiation and quantum properties [8]. In general, the requirement that protocol has quantum properties is easy to achieve. However, non-forgery and non-repudiation are difficult to meet. In our scheme, the above three requirements are completely satisfied. Any attacker cannot obtain the whole information about the secret key. Neither the external attacker nor the signature receiver can forge the signature. Furthermore, the signatory is unable to disavow the signature after she has signed on the messages. The receiver is failed to deny the received signature after he has performed operations as well.

It should be noted that the bank Trent is always honest. He plays an important role in judging whether Alice has disavowed her signatures when there are disputes or disagreements. Subsequently, the security analyses of the proposed scheme are described in detail.

3.1. Security of Keys

Original keys are acquired with the security QKD protocols in this scheme. Therefore, it is impossible for an attacker to crack the keys which are shared between the signer and the verifier. In fact, two situations that make encryption with CPCO have no influence on the message $|M\rangle$ need to be considered. One is that the bits of the original key are all 0 (1), i.e., $K_{original}=\{00\dots 0\}$ or $K_{original}=\{11\dots 1\}$. The other is that only the last bit of the original key is 1, i.e., $K_{original}=\{00\dots 001\}$. For example, if $n=5$, $|M\rangle ={|\alpha \rangle }_1{|-i\alpha \rangle }_2{|\alpha \rangle }_3{|-\alpha \rangle }_4{|i\alpha \rangle }_5$ and $K_{original}=\left\{00000\right\}$ or $K_{original}=\left\{00001\right\}$, then $K_{final}=\{1,2,3,4,5\}$. According to the negotiated rules and Equation (2), the phase-shift operation $P\left(0\right)$ is performed. Hence the signature $|S\rangle$ finally equals to the original message $|M\rangle$ referred to Equation (13).

$$\begin{array}{cc}\hfill |S\rangle & =E_{K_{AT}}{\left(\right|M\rangle }_P^{\prime })\hfill \\ \hfill & =PCO{\left(\right|M\rangle }_5{,|M\rangle }_5{)PCO\left(\right|M\rangle }_4{,|M\rangle }_4{)\dots PCO\left(\right|M\rangle }_1{,|M\rangle }_1)\hfill \\ \hfill & {\left(\right|\alpha \rangle }_1{|-i\alpha \rangle }_2{|\alpha \rangle }_3{|-\alpha \rangle }_4{|i\alpha \rangle }_5)\hfill \\ \hfill & ={|\alpha \rangle }_1{|-i\alpha \rangle }_2{|\alpha \rangle }_3{|-\alpha \rangle }_4{|i\alpha \rangle }_5=|M\rangle .\hfill \end{array}$$

(13)

However, the probability of the two situations above is very small. Here, denote the probability which corresponds to the first (second) situation as P ($P^{\prime }$). P and $P^{\prime }$ can be calculated as Equation (14).

$$P={\left(\frac{1}{2}\right)}^n,P^{\prime }={\left(\frac{1}{2}\right)}^{n-1}.$$

(14)

As shown in Figure 2, the probability P becomes smaller with the increase of n, if the length of original key can remain greater than 10-bit, P tends to zero, thus the final key is extremely efficient. No doubt that the same analyses can be applied to the second situation. Moreover, CPCO can involve a huge difference between plain and cipher even the number of swap in $K_{final}$ is just one, which can ensure the security of the quantum dual signature scheme.

3.2. Impossibility of Forgery

If the attacker Eve attempts to forge Alice’s signatures ${|S\rangle }_O$ or ${|S\rangle }_P$, she has to know the corresponding secret keys $K_{AB}$ or $K_{AT}$. However, the original keys are shared with unconditionally secure QKD protocol [55], it is impossible for her to eavesdrop the secret keys distributed between signatory and verifiers. Moreover, the final keys are obtained according to the rules which are consensuses among legal participants. The attacker is completely unaware of the rules, so Eve cannot know the keys $K_{AB}$ and $K_{AT}$. Thus, we describe two theorems of our encryption algorithm which are used to valid the security of our signature scheme.

Theorem 1.

Several errors in the final secret key K may cause an obvious deviation in the result of encryption.

For example, if $n=4$, $K=\{3,1,2,4\}$ and $|M\rangle ={|\alpha \rangle }_1{|-i\alpha \rangle }_2{|i\alpha \rangle }_3{|-\alpha \rangle }_4$, the result of encryption is

$$\begin{array}{cc}\hfill |C\rangle & =PCO(M_4,M_4)PCO(M_3,M_{2}PCO(M_2,M_1)PCO(M_1,M_3))\hfill \\ \hfill & {\left(\right|\alpha \rangle }_1{|-i\alpha \rangle }_2{|i\alpha \rangle }_3{|-\alpha \rangle }_4)\hfill \\ \hfill & ={|-\alpha \rangle }_1{|\alpha \rangle }_2{|-\alpha \rangle }_3{|-\alpha \rangle }_4.\hfill \end{array}$$

(15)

When the key is changed into $K=\{1,3,2,4\}$, the result will become,

$$\begin{array}{cc}\hfill |C\rangle & =PCO(M_4,M_4)PCO(M_3,M_2)PCO(M_2,M_3)PCO(M_1,M_1)\hfill \\ \hfill & {\left(\right|\alpha \rangle }_1{|-i\alpha \rangle }_2{|i\alpha \rangle }_3{|-\alpha \rangle }_4)\hfill \\ \hfill & ={|\alpha \rangle }_1{|i\alpha \rangle }_2{|-i\alpha \rangle }_3{|-\alpha \rangle }_4.\hfill \end{array}$$

(16)

According to Equations (15) and (16), we realize that any error in the key may lead to a chain reaction in the encryption result. In

Table 3. Encryption results based on different secret keys in the case of $|M\rangle ={|\alpha \rangle }_1{|-i\alpha \rangle }_2{|i\alpha \rangle }_3{|-\alpha \rangle }_4$.

K	${\mathit{E}}_{\mathit{K}}\left(\right|\mathit{M}\rangle )$
1,2,3,4	${|\alpha \rangle }_1{|-i\alpha \rangle }_2{|i\alpha \rangle }_3{|-\alpha \rangle }_4$
1,2,4,3	${|\alpha \rangle }_1{|-i\alpha \rangle }_2{|-\alpha \rangle }_3{|\alpha \rangle }_4$
1,3,2,4	${|\alpha \rangle }_1{|i\alpha \rangle }_2{|-i\alpha \rangle }_3{|-\alpha \rangle }_4$
1,3,4,2	${|\alpha \rangle }_1{|\alpha \rangle }_2{|-i\alpha \rangle }_3{|\alpha \rangle }_4$
1,4,2,3	${|\alpha \rangle }_1{|i\alpha \rangle }_2{|-\alpha \rangle }_3{|\alpha \rangle }_4$
2,1,3,4	${|i\alpha \rangle }_1{|\alpha \rangle }_2{|i\alpha \rangle }_3{|-\alpha \rangle }_4$
2,3,1,4	${|i\alpha \rangle }_1{|\alpha \rangle }_2{|-\alpha \rangle }_3{|-\alpha \rangle }_4$
2,3,4,1	${|-\alpha \rangle }_1{|\alpha \rangle }_2{|-\alpha \rangle }_3{|-i\alpha \rangle }_4$
2,4,1,3	${|-\alpha \rangle }_1{|\alpha \rangle }_2{|-i\alpha \rangle }_3{|-i\alpha \rangle }_4$
3,1,2,4	${|-\alpha \rangle }_1{|\alpha \rangle }_2{|-\alpha \rangle }_3{|-\alpha \rangle }_4$
3,4,1,2	${|i\alpha \rangle }_1{|\alpha \rangle }_2{|-\alpha \rangle }_3{|\alpha \rangle }_4$
4,1,2,3	${|-\alpha \rangle }_1{|i\alpha \rangle }_2{|-i\alpha \rangle }_3{|-i\alpha \rangle }_4$

, we enumerate all the encryption results based on different keys in the case of $|M\rangle ={|\alpha \rangle }_1{|-i\alpha \rangle }_2{|i\alpha \rangle }_3{|-\alpha \rangle }_4$. In accordance with Table 3, we know that any result is different from others. So the Theorem 1 is reasonable.

Theorem 2.

Errors in the message $|M\rangle$ may cause an obvious deviation in the result of encryption.

We also suppose $n=4$ and $K=\{3,1,2,4\}$. However, the message $|M\rangle ={|\alpha \rangle }_1{|-i\alpha \rangle }_2{|i\alpha \rangle }_3{|-\alpha \rangle }_4$ is replaced by $|M\rangle ={|i\alpha \rangle }_1{|-i\alpha \rangle }_2{|i\alpha \rangle }_3{|-\alpha \rangle }_4$. Then the result of encryption is

$$\begin{array}{cc}\hfill |C\rangle & =PCO(M_4,M_4)PCO(M_3,M_2)PCO(M_2,M_1)PCO(M_1,M_3)\hfill \\ \hfill & {\left(\right|i\alpha \rangle }_1{|-i\alpha \rangle }_2{|i\alpha \rangle }_3{|-\alpha \rangle }_4)\hfill \\ \hfill & ={|-i\alpha \rangle }_1{|i\alpha \rangle }_2{|-i\alpha \rangle }_3{|-\alpha \rangle }_4.\hfill \end{array}$$

(17)

Comparing Equation (15) with Equation (17), it is easy to prove that a discrepancy in message may cause some errors in the ciphertext. Therefore, the Theorem 2 is tenable. According to the above two Theorems, it is concluded that any changes to the message or the key may lead to a wrong signature and the attack can be definitely detected. Once the forgery behavior is discovered, the honest correspondents may terminate this communication.

Even if Eve intercepts part of $K_{AB}\left(K_{AT}\right)$, she may fail to forge the signature of message $M_O$ ($M_P$) because Alice blinds her order message (payment message) based on the secret key $K_{RO}$ ($K_{RP}$). Therefore, only Alice knows the complete information about original messages. The operation that blinding the message is benefit to prevent the recipient or the eavesdropper forging messages in quantum signature procedures. Moreover, even though Eve intercepts some keys, she also needs to conjecture the rest to maximize the probability of success. As described in Theorem 1, an incorrect key may cause noticeable errors so that ${\epsilon }_{forgery}^T$ is greater than ${\epsilon }^T$, thus the forgery behaviors can be discovered. For a more powerful attacker who is not the internal communicator, the success probability of forging Alice’s signature is $P_{f_A}={\left(\frac{1}{2}\right)}^{n_a+m_a+m_b}\frac{1}{x+y}Pro{\left(\right|M\rangle }_O^{\prime }{,|S\rangle }_O)Pro{\left(\right|M\rangle }_P^{\prime }{,|S\rangle }_P)$, where $Pro$ is the probability of successful match between forged ${|M\rangle }_O^{\prime }$ and ${|S\rangle }_O$ (${|M\rangle }_P^{\prime }$ and ${|S\rangle }_P$). It means that $P_{f_A}$ can be 0 with unconditional secure QKD protocols. Furthermore, leave the security probability ($Pro$) of QKD aside, we analyse the impossible forgery with specific conditions seen in Figure 3, in which we can discover the maximum value of $P_{f_A}$ is just 0.007 for a powerful attacker when $x+y=2$ and $n_a+m_a+m_b=3$. When the length of $x+y$ or $n_a+m_a+m_b$ reaches to 100 bits, $P_{f_A}$ may approach to 0. No doubt that the scheme can better resist forgery with the addition of QKD.

If the receiver Bob is malicious and he attempts to forge Alice’s signature ${|S\rangle }_P$ for his own benefit. The success probability of forging Alice’s signature for Bob is $P_{f_B}={\left(\frac{1}{2}\right)}^{m_a}Pro{\left(\right|M\rangle }_P^{\prime }{,|S\rangle }_P)$. Even though Bob can intercept and forge ${|M\rangle }_P^{\prime }$ and ${|S\rangle }_P$, his forgery is unsuccessful since he knows nothing about $K_{AT}$, i.e., $P_{f_B}\cong 0$. However, Ref. [2] pointed out that forgery attack against QOTP can be successful even if the attacker does not know $K_{AT}$. Here, we prove that our scheme also can resist this kind of attack. In our protocol,

$$\begin{array}{cc}\hfill {|S\rangle }_P& =E_{K_{AT}}{|M\rangle }_P^{\prime }=PCO{\left(\right|M\rangle }_{P_n}^{\prime }{,|M\rangle }_{P_{K_n}}^{\prime }{)\cdots PCO\left(\right|M\rangle }_{P_1}^{\prime }{,|M\rangle }_{P_{K_1}}^{\prime }{\left)\right|M\rangle }_P^{\prime }\hfill \\ \hfill & ={|S\rangle }_{P1}{|S\rangle }_{P2}\cdots {|S\rangle }_{Pn}.\hfill \end{array}$$

(18)

Due to the PCO operations, the ${|S\rangle }_{P1}$ is not only depended on ${|M\rangle }_{P_j}^{\prime }$ for $j=1,2,\cdots n$, but also determined by other qubits of ${|M\rangle }_P^{\prime }$. According to Gao’s [2] analyses, Bob may forge Alice’s signature without $K_{AT}$ with following operations:

$$\begin{array}{cc}\hfill {|S\rangle }_P^{\prime }& ={U|S\rangle }_P\hfill \\ \hfill & ={U|S\rangle }_{P1}{|S\rangle }_{P2}{\cdots |S\rangle }_{Pj}\cdots {|S\rangle }_{Pn}\hfill \\ \hfill & ={|S\rangle }_{P1}{|S\rangle }_{P2}{\cdots |S\rangle }_{Pj}^{\prime }\cdots {|S\rangle }_{Pn},\hfill \end{array}$$

(19)

where $U=I⨂I\cdots ⨂U_j⨂\cdots I$ represents any unitary operations and the U is only applied to ${|S\rangle }_{Pj}$ to convert it to ${|S\rangle }_{Pj}^{\prime }$. Bob then sends ${|S\rangle }_P^{\prime }$ to Trent for the purpose of forging signature. Trent verifies message from Bob according to whether $E_{K_{AT}}{|M\rangle }_P^{\prime }$ is matched to ${|S\rangle }_P$ which is actually replaced with ${|S\rangle }_P^{\prime }$. It is apparent that $E_{K_{AT}}{|M\rangle }_P^{\prime }\ne {|S\rangle }_P^{\prime }$ for the correspondence among the plaintext ${|M\rangle }_P^{\prime }$, the key $E_{K_{AT}}$, and the ciphertext ${|S\rangle }_P$.

What happens if Bob replaces the plain with ${|M\rangle }_P^{″}={U|M\rangle }_P^{\prime }={⨂}_{j=1}^n{U}_j{|M\rangle }_{P_j}^{\prime }$. Trent can perform the following verifications in this situation, i.e.,

$$\begin{array}{cc}\hfill {|S\rangle }_T& =E_{K_{AT}}{|M\rangle }_P^{″}\hfill \\ \hfill & =PCO{\left(\right|M\rangle }_{P_n}^{\prime }{,|M\rangle }_{P_{K_n}}^{\prime }{)\cdots PCO\left(\right|M\rangle }_{P_j}^{″}{,|M\rangle }_{P_{K_j}}^{\prime }{)\cdots PCO\left(\right|M\rangle }_{P_1}^{\prime }{,|M\rangle }_{P_{K_1}}^{\prime }{\left)\right|M\rangle }_P^{\prime }\hfill \\ \hfill & ={|S\rangle }_{T1}{|S\rangle }_{T2}\cdots {|S\rangle }_{Tn}.\hfill \end{array}$$

(20)

According to Theorem 2, a few changes in the message ${|M\rangle }_P^{\prime }$ may cause an obvious deviation in the result of encryption ${|S\rangle }_P^{\prime }$. That is to say, many ${|S\rangle }_{Pj}$ for $j=1,2\cdots n$ are changed which leads to ${|S\rangle }_T\ne {|S\rangle }_P^{\prime }$. Hence the forgery signature cannot pass Trent’s verification even if the equation ${\epsilon }_{forgery}^T<{\epsilon }^T$ holds, i.e., such an attack is invalid in the scheme. Based on the analysis, we can conclude that any forgery would be failed in our scheme.

3.3. Impossibility of Disavowal by the Signatory

In the proposed scheme, Alice can try two methods to disavowal her signature. One is directly denying signature. Then Trent judges whether the formula $E_{K_{AT}}{|M\rangle }_P^{\prime }={|S\rangle }_P$ holds. Due to the fact that the key $K_{AT}$ ($K_{AB}$) is only distributed between Alice and Trent (Bob), the trusted Trent can confirm that Alice has already signed the payment message since ${|S\rangle }_P$ contains the information of Alice’s secret key $K_{AT}$. The other is replacing correct quantum states. Message ${|M\rangle }_T$ may be intercepted and replaced with ${|M\rangle }_T^{\prime }$ by powerful Alice. Trent decrypts the message and obtains the signature ${|S\rangle }_P^{\prime }$ which can be derived according to Equation (21).

$$\begin{array}{cc}\hfill {|S\rangle }_P^{\prime }& =D_{K_{BT}}{|M\rangle }_T^{\prime }\hfill \\ \hfill & =DPCO{\left(\right|M\rangle }_{T1}^{\prime }{,|M\rangle }_{T_{k1}}^{\prime }{)\cdots DPCO\left(\right|M\rangle }_{Tn}^{\prime }{,|M\rangle }_{T_{kn}}^{\prime }).\hfill \end{array}$$

(21)

Then $E_{K_{AT}}{|M\rangle }_P^{\prime }\ne {|S\rangle }_P^{\prime }$ holds. Because ${|S\rangle }_P$ can be quite different from ${|S\rangle }_P^{\prime }$ according to Theorem 2, Trent may admit that the signature is not from Alice indeed. However, there is the phase of error probability judgement in the scheme. When Alice disavows the signature and the formula ${\epsilon }_{forgery}^T<{\epsilon }^T$ is not satisfied, Trent would randomly select $m_b$ states from ${|S\rangle }_P^{\prime }$ and record their numbers, then negotiate the correspondence between the signature and $m_b$-length binary bits with Bob. Trent transmits numbers and corresponding bits of the chosen states to Bob who can return the judgement that whether ${\epsilon }_{forgery}^{T_B}$ is less than ${\epsilon }_{T_B}$. Obviously, if the signature is indeed from Alice, the equation ${\epsilon }_{forgery}^{T_B}<{\epsilon }_{T_B}$ must be satisfied. Alice cannot disavow her signature anyway. Moreover, if Alice disavows her signature ${|S\rangle }_O$, Bob can require Trent to make a judgment. In detail, Bob sends the key $K_{AB}$ and the encoded message ${|M\rangle }_O^{\prime }$ to Trent. Then Trent verifies whether the equation ${|S\rangle }_O=E_{K_{AB\left(x\right)}}{\left(\right|M\rangle }_O^{\prime })$ is satisfied. If the equation holds, the signature is signed by Alice and her behavior of disavowing the signature is ended in failure.

3.4. Impossibility of Denial by the Verifier

The verifier Bob cannot deny after he has received ${|S\rangle }_D$ and ${|M\rangle }_O^{\prime }$. If Bob sends ${|M\rangle }_T$ to Trent in the verification phase, it implies that he has already received ${|S\rangle }_D$ and carried out some operations on it. In addition, if Bob asks Alice to publish the key $K_{RO}$, it means that Bob has verified whether the equation ${|S\rangle }_O^{\prime }=E_{K_{AB\left(x\right)}}{\left(\right|M\rangle }_O^{\prime })$ is equal to ${|S\rangle }_O$ and Trent also has verified ${|S\rangle }_P$. Thus, Bob has verified the signature indeed without later denying his involvement and actions. In another situation, Bob cannot acquire $K_{RO}$ from Alice if he claims ${|S\rangle }_O^{\prime }\ne {|S\rangle }_O$ maliciously, and the original message $M_O$ is impossible to be cracked. In addition, Trent is reliable and that the verifier denies the received signature is out of question.

4. Discussion

Quantum dual signature which involves three parties, Alice, Bob and Trent, is suitable for e-commerce. With QKD protocols, communicators can share secret keys with each other for signaturing or de-signaturing massage. Assume that the process of QKD is secure, the quantum dual signature scheme may mainly face three threats, i.e., forging, disavowing, denying Alice’s signature. For forging signature, we analyze the situation and discover that when the attackers are strongly powerful, the success probability of forging signature Alice’s is also small. Actually, three methods can be introduced for reducing $P_{f_A}$: one is increasing the length of randomly choosing states in the step 1 of the verification phase, the second is increasing the length of message, and the last is improving the security of QKD. In fact, with the current quantum technologies, attackers find it more difficult to forge the signature since they cannot capture transmitted information, such as ${|S\rangle }_D$ and ${|M\rangle }_O^{\prime }$, without any error.

Denial may lead to delaying or even stoping communication, which should be avoided in practice. In the scheme, a situation that Bob claims he receives nothing but he has already received Alice’s signature may occur and it can be alleviated as follows: Alice waits for a moment then she sends another signature to him again, which may lengthen the communication time, while the scheme is still secure because $K_{RO}$ is only known by Alice. In other words, Alice never sends original keys to Bob unless she accepts these verifications from Bob and Trent. i.e., Bob cannot deny Alice’s signature when he has sent verifications, since the loyal Trent knows the communication process.

In addition, the simulations of the CPCOs are implemented on Strawberry Fields [49] interactive web app to valid the feasibility of the scheme. The related parameters for the experiment are shown in

Table 4. Experimental results with the the key-length $n=4$, $K_{final}=\{2,4,1,3\}$. “Modes” represent the position of input and output ports of the design schematic, such as, $q{\left[k\right]}_{\{k=0,1,2,3\}}$ is the k-th port.

Modes	$\mathit{q}\left[0\right]$	$\mathit{q}\left[1\right]$	$\mathit{q}\left[2\right]$	$\mathit{q}\left[3\right]$
$Input$	$|0+2i\rangle$	$|-1+0i\rangle$	$|4+0i\rangle$	$|0+3i\rangle$
$Expected Output$	$|-2+0i\rangle$	$|1+0i\rangle$	$|0+4i\rangle$	$|0-3i\rangle$

, and the schematic is shown in Figure 4. In particular, four input coherent states are designed as $|0+2i\rangle$, $|-1+0i\rangle$, $|4+0i\rangle$ and $|0+3i\rangle$, and $K_{final}=\{2,4,1,3\}$. According to the CPCO rule, the encryption process can be stated as

$$\begin{array}{c}PCO(M_3,M_4)PCO(M_1,M_3)PCO(M_4,M_2)PCO(M_2,M_1)|0+2i\rangle |-1+0i\rangle |4+0i\rangle |0+3i\rangle \hfill \\ =|-2+0i\rangle |1+0i\rangle |0+4i\rangle |0-3i\rangle .\hfill \end{array}$$

(22)

In $PCO(M_2,M_1)|0+2i\rangle |-1+0i\rangle$, for example, the output phase of the first port is shifted by $\pi$. As a consequence, the control-phase gate $P_{21}$ in Figure 4 can be set to achieve the goal in the simulation. Simulated results are presented in Figure 5 where the subfigures (a), (b), (c), and (d) separately represent the quadrature outputs of the first, the second, the third and the forth port and $x,p\in (-5,5)$, i.e., the cutoff dimension is 5. It can be seen that the correct quantum coherent states can be acquired with the 80% fidelity. For example, in Figure 5a, the probability of $x=-2$ is 0.8 and the probability of $p=0$ is also 0.8. Therefore, the coherent state $|-2+0i\rangle$ will be output with the high probability 0.8.

5. Conclusions

A quantum dual signature scheme based on CPCOs and coherent states is presented in this paper, which can be used to guarantee the communication security between customer, merchant, and bank. The customer Alice has an order message and payment message which are separately sent to the merchant Bob and the bank Charlie. For preventing eavesdropping and attacking, Alice signs her two messages based on the CPCO encryption which can defend attacker’s forgery effectively. To ensure that the payment corresponds to the order, Alice then aggregates the two signatures to generate a quantum dual signature. The receiver Bob verifies the order message’s signature to confirm the identity of Alice and the information of order. When the signature of order message is valid, Bob transmits the payment message’s signature which is blind to him and Trent. Then Trent verifies whether the signature of payment message is authentic and sends the result to Bob. Security analysis shows that our scheme satisfies the security criteria of quantum signature. In other words, impossibility of forging, disavowing or denying for the signature protocol are observed in our scheme. In addition, simulation experiments are performed on the Strawberry Fields platform. The experimental results show that the proposed CPCOs are feasible and expected coherent states are obtained with high fidelity, which demonstrates that the scheme could be implemented on real quantum devices.