1. Introduction
Digital signatures (DSs) [1] are cryptography schemes that ensure the authenticity, integrity, and non-repudiation of digital messages. They are widely used in software distribution, financial transactions, and electronic government services. Common classical DS schemes include Rivest–Shamir–Adleman, Digital Signature Algorithm (DSA), elliptic curve DSA, and ElGamal, all of which rely on computational complexity assumptions. With the advent of quantum computers [2, 3], these assumptions may no longer hold [4], posing a significant threat to the security of classical DS protocols.
Quantum digital signature (QDS), analogous to quantum key distribution (QKD) [5], can provide information-theoretic security based on the principles of quantum mechanics. The first QDS protocol [41], proposed by Gottesman and Chuang in 2001, was based on the one-time signatures concept [6] but required impractical elements such as non-destructive state comparison, long-time quantum memory and authenticated quantum channels. Subsequent research [7–10] has significantly improved the practicality of QDS, with protocols that reduce technical complexity to a level similar to decoy-state QKD [11, 12]. In particular, some QDS protocols have introduced features such as measurement-device independence [13–15] and twin-field techniques [16, 17] to enhance security and communication distance. In addition, a one-time universal-hashing QDS framework has recently been proposed to significantly improve the signature rate [18, 19]. These developments have brought QDS closer to practical deployment in real quantum communication systems [20–24]. Nonetheless, most of these protocols still require precise calibration of reference frames to maintain consistent encoding and decoding bases among different users.
However, reference frame alignment is a non-trivial and resource-consuming task, especially in large-scale or mobile quantum networks. Active or passive calibration schemes [25–27] increase system complexity, require additional communication overhead, and limit the scalability of QDS implementations. In practice, even small reference misalignment can severely degrade system performance and lead to increased error rates or signature verification failures. Therefore, it is of great significance to develop a QDS protocol that remains secure and efficient without the need for reference frame alignment.
To address this limitation, we propose a reference-frame-independent quantum digital signature (RFI-QDS) protocol that eliminates the need for users to share a common reference frame. Unlike conventional QDS schemes relying on precise polarization or phase calibration, our RFI-QDS directly inherits the robustness of reference-frame-independent quantum key distribution (RFI-QKD), enabling secure signature generation even under unknown or drifting reference frames [28]. Recent studies on RFI-QKD have demonstrated its remarkable stability and practicality in long-distance and networked quantum communication scenarios, making it a powerful foundation for alignment-free protocols [29–31]. While RFI-QKD focuses on key generation and thus requires error correction and privacy amplification, our RFI-QDS removes these steps and directly utilizes the correlated raw keys for digital signatures, achieving higher efficiency without compromising security. This design substantially reduces system complexity and overhead, making it especially suitable for large-scale or mobile quantum networks where calibration is costly or impractical. Furthermore, by integrating a compact finite-size estimation approach, the protocol achieves an improved balance between statistical fluctuation and signature efficiency. These features collectively demonstrate the practical significance and scalability of the proposed RFI-QDS protocol for future quantum communication infrastructures.
2. Materials and methods
2.1. Protocol description
In a typical QDS system involving three parties—a signer (Alice) and two recipients (Bob and Charlie)—a shared reference frame is required to assure consistent communication between parties. However, an active or passive calibration scheme [25–27] often introduces system complexity and reduces efficiency, especially in networks with multiple recipients. To overcome this limitation, our RFI-QDS utilizes three encoding bases, where the Z basis is well aligned, and the X and Y bases may differ by a deflection angle β. The encoding bases are related as follows:
$\begin{eqnarray}{Z}_{B(C)}={Z}_{A},\end{eqnarray}$
$\begin{eqnarray}{X}_{B(C)}={X}_{A}\cos {\beta }_{B(C)}+{Y}_{A}\sin {\beta }_{B(C)},\end{eqnarray}$
$\begin{eqnarray}{Y}_{B(C)}={Y}_{A}\cos {\beta }_{B(C)}-{Y}_{A}\sin {\beta }_{B(C)},\end{eqnarray}$
where the subscripts A and B(C) denote Alice’s decoding and Bob’s (Charlie’s) encoding bases, respectively. Alice and the recipients distill raw keys from the Z basis data, and estimate Eve’s information using X and Y basis measurements. This method removes the need for reference frame alignment.Following the framework proposed in [10], our RFI-QDS consists of a distribution stage and a messaging stage. In the distribution stage, Alice and Bob (Charlie) make use of an RFI key-generating protocol (KGP) [32] to generate correlated bit strings. In the messaging stage, Alice signs and sends signature, while Bob and Charlie perform verification. It is observed that the distribution stage involves both quantum and classical communication, while the messaging stage is entirely classical. The detailed steps of the protocol are:
Distribution stage–(1) Bob (Charlie) generates Nt weak coherent pulses, each of which is randomly modulated to an eigenstate of {ZB, XB, YB}({ZC, XC, YC}) and intensity choices $k\in { \mathcal K }:= \{\mu ,\nu ,\omega \}$ (signal, decoy, vacuum) with probability pk. These pulses are sent to Alice, who measures them in randomly chosen bases {ZA, XA, YA}, via a quantum channel.
(2) Bob (Charlie) and Alice publicly announce their basis choices for each pulse over an authenticated channel and retain the results from {ZZ, XX, XY, YX, YY} basis combination. Bob (Charlie) also announces the intensity selection to which each pulse belongs.
(3) Alice–Bob (Alice–Charlie) extract sifted keys from ZZ-basis data and perform parameter estimation from {XX, XY, YX, YY} data. In addition, a small subset of ZZ-basis bits (with a sampling ratio of 0.055 in our simulation) is sacrificed for error testing, while the remaining bits form the signature key pool. This ratio can be flexibly adjusted and optimized according to the total number of pulses and finite-size statistical requirements.
(4) For a message m (m = 0, 1), Alice and Bob (Alice and Charlie) select a length-L block from the key pool to generate the signature sequence ${K}_{m}^{B}$ and ${B}_{m}^{A}$ (${K}_{m}^{C}$ and ${C}_{m}^{A}$), where ${K}_{m}^{B}$ and ${K}_{m}^{C}$ are held by Alice, and ${B}_{m}^{A}$ (${C}_{m}^{A}$) by Bob (Charlie).
(5) Bob and Charlie symmetrize their keys by randomly exchanging half of their bits (as well as the corresponding positions) via a secure classical channel. The retained and forwarded halves form symmetric keys: ${S}_{m}^{B}=\left({B}_{m,\rm{keep}\,}^{A},{C}_{m,\,\rm{forward}}^{A}\right)$ and ${S}_{m}^{C}=\left({C}_{m,\rm{keep}\,}^{A},{B}_{m,\,\rm{forward}}^{A}\right)$.
Messaging stage–(6) To sign message m, Alice sends message–signature pair (m, sigm) to a recipient, say Bob, where ${\,\rm{sig}\,}_{m}=({A}_{m}^{B},{A}_{m}^{C})$.
(7) Upon receiving the message–signature pair from Alice, Bob verifies the signature by comparing it with his locally retained key ${S}_{m}^{B}$. The message is accepted only if the mismatches are below saL/2 in both key halves; otherwise, it is rejected. Here sa < 1/2 is a small threshold associated with the desired security of the protocol.
(8) Bob forwards (m, sigm) to Charlie, who performs analogous verification with a stricter threshold sv (sa < sv < 1/2), to prevent repudiation.
The above steps (1)–(3) adapt the RFI-QKD framework but omit error correction and privacy amplification. In step (5), the Bob–Charlie secure channel we consider here is classical but can be implemented via QKD or removed using post-matching methods [23].
For the KGP, we consider the most general coherent attacks allowed by quantum mechanics. That is, we analyze the protocol’s resilience against eavesdropping by estimating Eve’s accessible information via the smooth min-entropy [33, 34]. This enables us to derive bounds on the probability of a successful forgery attempt under coherent attacks. Specifically, the smooth min-entropy from single-photon components in the half of keys kept by Bob or Charlie in the presence of Eve is
$\begin{eqnarray}{H}_{\min }^{\epsilon }\left({U}_{m,\,\rm{keep}\,}^{A}| E\right)\gtrsim {\underline{s}}_{L,1}\left(1-{I}_{E}\right),\end{eqnarray}$
where the inequality holds up to a small additive term proportional to log2(1/ε). Here U ∈ {B, C} represents the recipient Bob or Charlie, and E is Eve’s quantum system living in the Hilbert space ${{ \mathcal H }}_{E}$. ${\underline{s}}_{L,1}$ and IE denote the lower bound of single-photon counts and Eve’s information on ${U}_{m,\,\rm{keep}\,}^{A}$, respectively.2.2. Finite-size estimates
To support multiple message signing within a limited time frame, the protocol must balance signature block size against statistical fluctuations in parameter estimation. Smaller blocks introduce larger fluctuations, degrading both parameter estimation and signature rates. Here, we adopt a refined finite-size analysis that maximizes the number of extractable signatures while minimizing statistical uncertainties. Figure 1 illustrates the parameter estimation workflow, with details as follows.
Figure 1. The relationships of different data blocks and the route of estimating parameters. npool is the length of key pool. |
According to results in [34], we derive the number of single-photon events and single-photon bit errors in the ZZ basis:
$\begin{eqnarray}\begin{array}{l}{\underline{s}}_{ZZ,1}\geqslant \frac{{\tau }_{1}\mu }{\mu \left(\nu -\omega \right)-\left({\nu }^{2}-{\omega }^{2}\right)}\\ \times \,\left[\frac{{\rm{e}\,}^{\nu }{n}_{ZZ,\nu }^{-}}{{p}_{\nu }}-\frac{{\,\rm{e}}^{\omega }{n}_{ZZ,\omega }^{+}}{{p}_{\omega }}\right.\left.+\frac{{\nu }^{2}-{\omega }^{2}}{{\mu }^{2}}\left(\frac{{\underline{s}}_{ZZ,0}}{{\tau }_{0}}-\frac{{\,\rm{e}\,}^{\mu }{n}_{ZZ,\mu }^{+}}{{p}_{\mu }}\right)\right],\end{array}\end{eqnarray}$
$\begin{eqnarray}{\bar{v}}_{ZZ,1}\leqslant \frac{{\tau }_{1}}{\nu -\omega }\left(\frac{{\,\rm{e}\,}^{\nu }{m}_{{\rm{ZZ}},\nu }^{+}}{{p}_{\nu }}-\frac{{\,\rm{e}\,}^{\omega }{m}_{{\rm{ZZ}},\omega }^{-}}{{p}_{\omega }}\right).\end{eqnarray}$
Here ${\tau }_{n}:= {\sum }_{k\in { \mathcal K }}{p}_{k}{\,\rm{e}\,}^{-k}{k}^{n}/n!$ is the probability that Bob or Charlie prepares an n-photon state, and ${n}_{ZZ,k}^{+}$ and ${n}_{ZZ,k}^{-}$ (${m}_{ZZ,k}^{+}$ and ${m}_{ZZ,k}^{-}$) denote lower and upper bound on the number of detection events nZZ,k (the number of erroneous bits mZZ,k) for k ∈ {μ, ν, ω}, respectively. For finite sample sizes, using Hoeffding’s inequality for independent events [42], we have that $\begin{eqnarray}{n}_{ZZ,k}^{\pm }:= \left[{n}_{ZZ,k}\pm \sqrt{\frac{{n}_{ZZ}\mathrm{ln}\left(1/{\varepsilon }_{\,\rm{PE}\,}\right)}{2}}\right],\quad \forall k\in { \mathcal K },\end{eqnarray}$
$\begin{eqnarray}{m}_{ZZ,k}^{\pm }:= \left[{m}_{ZZ,k}\pm \sqrt{\frac{{m}_{ZZ}\mathrm{ln}\left(1/{\varepsilon }_{\,\rm{PE}\,}\right)}{2}}\right],\quad \forall k\in { \mathcal K },\end{eqnarray}$
with ${n}_{ZZ}={\sum }_{k\in { \mathcal K }}{n}_{ZZ,k}$ and ${m}_{ZZ}={\sum }_{k\in { \mathcal K }}{m}_{ZZ,k}$. These bounds hold with probability at least 1 − ϵPE. Moreover, the vacuum contribution ${\underline{s}}_{ZZ,0}$ is estimated as $\begin{eqnarray}{\underline{s}}_{ZZ,0}\geqslant \frac{{\tau }_{0}}{\nu -\omega }\left(\frac{\nu {\rm{e}\,}^{\omega }{n}_{ZZ,\omega }^{-}}{{p}_{\omega }}-\frac{\omega {\,\rm{e}}^{\nu }{n}_{ZZ,\nu }^{+}}{{p}_{\nu }}\right).\end{eqnarray}$
The corresponding single-photon error rate is then ${\bar{e}}_{ZZ,1}={\bar{v}}_{ZZ,1}/{\underline{s}}_{ZZ,1}$. Analogous bounds apply to {XX, XY, YX, YY} basis combinations.Using the Serfling inequality [35, 36], we project ${\underline{s}}_{ZZ,1}$ and ${\bar{e}}_{ZZ,1}$ to the actual signature length L:
$\begin{eqnarray}{\underline{s}}_{L,1}={\underline{s}}_{ZZ,1}\frac{L}{2{n}_{ZZ}}-{\rm{\Lambda }}\left({n}_{ZZ},\frac{L}{2},{\varepsilon }_{\,\rm{PE}\,}\right),\end{eqnarray}$
$\begin{eqnarray}{\bar{e}}_{L,1}={\bar{e}}_{ZZ,1}+\frac{1}{{\underline{s}}_{L,1}}{\rm{\Lambda }}\left({\underline{s}}_{ZZ,1},{\underline{s}}_{L,1},{\varepsilon }_{\,\rm{PE}\,}\right),\end{eqnarray}$
where ${\rm{\Lambda }}(x,y,z)=\sqrt{(x-y+1)y\mathrm{ln}\left({z}^{-1}\right)/(2x)}$.According to RFI-QKD [28], Eve’s information on retained key ${U}_{m,\,\rm{keep}\,}^{A}$ is
$\begin{eqnarray}{I}_{E}=\left(1-{\bar{e}}_{L,1}\right){H}_{2}\left(\frac{1+u}{2}\right)+{\bar{e}}_{L,1}{H}_{2}\left(\frac{1+v}{2}\right),\end{eqnarray}$
where $\begin{eqnarray}u=\min \left\{\sqrt{C/2}/\left(1-{\bar{e}}_{L,1}\right),1\right\},\end{eqnarray}$
$\begin{eqnarray}v=\sqrt{C/2-{\left(1-{\bar{e}}_{L,1}\right)}^{2}{u}^{2}}/{\bar{e}}_{L,1},\end{eqnarray}$
and $\begin{eqnarray}\begin{array}{rcl}C & = & {\left(1-2{\bar{e}}_{XX,1}\right)}^{2}+{\left(1-2{\bar{e}}_{XY,1}\right)}^{2}\\ & & +{\left(1-2{\bar{e}}_{YX,1}\right)}^{2}+{\left(1-2{\bar{e}}_{YY,1}\right)}^{2}.\end{array}\end{eqnarray}$
2.3. Security analysis
Following the framework of [10], we evaluate the security of the proposed RFI-QDS protocol by deriving explicit bounds for each attack scenario. In addition, in the following content, we assume that Alice and Bob (Charlie) have each chosen a string of length L from their signature key pool.
First, for any eavesdropping strategy, Eve’s probability of correctly guessing at most r bits of retained keys ${U}_{m,\,\rm{keep}\,}^{A}$ (where U ∈ {B, C}) is bounded by
$\begin{eqnarray}\left\langle {p}_{r}\right\rangle \leqslant \displaystyle \sum _{k=0}^{r}\left(\begin{array}{c}\frac{L}{2}\\ k\end{array}\right){2}^{-{H}_{\min }^{\epsilon }\left({U}_{m,\,\rm{keep}\,}^{A}| E\right)}+\epsilon ,\end{eqnarray}$
where ${H}_{\min }^{\epsilon }$ denotes the smooth min-entropy. For any probability a > 0, applying Markov’s inequality, we obtain pr < a except with probability at most $\begin{eqnarray}{p}_{F}:= \frac{1}{a}\left(\Space{0ex}{0.25ex}{0ex}{2}^{-\frac{L}{2}\left\{\frac{2}{L}{H}_{\min }^{\epsilon }\left({U}_{m,\,\rm{keep}\,}^{A}| E\right)-{H}_{2}\left(\frac{2r}{L}\right)\right\}}+\epsilon \Space{0ex}{0.25ex}{0ex}\right).\end{eqnarray}$
This equation says whether or not Eve is able to make fewer than r errors with non-negligible probability and is conditioned by $\begin{eqnarray}\frac{2}{L}{H}_{\min }^{\epsilon }\left({U}_{m,\,\rm{keep}\,}^{A}| E\right)-{H}_{2}\left(\frac{2r}{L}\right)\gt 0.\end{eqnarray}$
If the condition holds, then L can be increased to make the probability of Eve making fewer than r errors arbitrarily small. We define minimum rate pE at which Eve can make errors in ${U}_{m,\,\rm{keep}\,}^{A}$ by the equation $\begin{eqnarray}\frac{2{\underline{s}}_{L,1}}{L}\left(1-{I}_{E}\right)-{H}_{2}\left({p}_{E}\right)=0.\end{eqnarray}$
Assuming that the error rate on ${U}_{m,\,\rm{keep}\,}^{A}$ is upper bounded by ${\hat{E}}_{\,\rm{keep}\,}$, if ${p}_{E}\gt {\hat{E}}_{\,\rm{keep}\,}$, then there exists a choice of parameters and a sufficiently large signature length which makes the protocol secure. That is to say, RFI QDS is possible as long as $\begin{eqnarray}\frac{2{\underline{s}}_{L,1}}{L}\left(1-{I}_{E}\right)-{H}_{2}\left({\hat{E}}_{\,\rm{keep}\,}\right)\gt 0.\end{eqnarray}$
To be considered a useful scheme, QDS also should be secure against both forging and repudiation. Security against forging means that the probability of a recipient successfully forging, without receiving it from Alice, a message m, which will pass verification by the other recipients, is decaying exponentially quickly as a function of the quantum signature length L. Security against repudiation guarantees that, for any malicious activity by Alice, the probability of a message rejected by Charlie once it has already accepted by Bob is decaying exponentially quickly as a function of the quantum signature length L. In addition, the protocol should be robust, meaning that if, when all parties are honest, a message will be authenticated and verified except with a probability decaying exponentially quickly as a function of the quantum signature length L.
(a) Robustness. A QDS scheme is only useful if it only fails with small probability. If all parties are honest, Bob should accept the message as being genuine, unless the L/2 bits received from either Alice or Charlie have more than saL/2 mismatches with Alice’s signature. We define the observed error rate from the error test performed by Alice and Bob as ${E}_{\,\rm{test}\,}^{B}$. Using the Serfling inequality [35], we can bound the actual error rate in the strings ${B}_{\,\rm{keep}\,}^{A}$ by
$\begin{eqnarray}{E}_{\rm{keep}\,}^{B}\leqslant {E}_{\,\rm{test}}^{B}+\frac{2}{L}\sqrt{\frac{\left(\frac{L}{2}+1\right)\left(\frac{L}{2}+{n}_{\,\rm{test}\,}\right)\mathrm{ln}\left(\frac{1}{{\varepsilon }_{\rm{PE}\,}}\right)}{2{n}_{\,\rm{test}}}}.\end{eqnarray}$
This bound holds except with probability εPE, meaning that the true error rate between Alice’s and Bob’s keys will be less than ${E}_{\,\rm{keep}\,}^{B}$ except with probability at most εPE. Similarly, we can bound the actual error rate in the strings ${C}_{\,\rm{keep}\,}^{A}$ by ${E}_{\,\rm{keep}\,}^{C}$ and set ${\hat{E}}_{\,\rm{keep}\,}:= max\{{E}_{\rm{keep}\,}^{B},{E}_{\,\rm{keep}}^{C}\}$. If we choose sa such that ${s}_{a}\gt {\hat{E}}_{\,\rm{keep}\,}$, the probability of honest abort is bounded by $\begin{eqnarray}P\left(\rm{Honest abort}\,\right)\leqslant 2{\varepsilon }_{\,\rm{PE}},\end{eqnarray}$
where the factor of 2 accounts for the fact that the honest abort can be due to states from either Alice or Charlie.(b) Security against forging. It is easier for either Bob or Charlie to forge than for any other external party. Therefore, we will consider the case where Bob attempts to cheat Charlie. For this purpose, Bob must give a declaration $\left(m,{\,\rm{Sig}\,}_{m}\right)$ to Charlie that has fewer than svL/2 mismatches with both halves of Charlie’s strings ${S}_{m}^{C}$, where ${S}_{m}^{C}=\left({C}_{m,\rm{keep}\,}^{A},{B}_{m,\,\rm{forward}}^{A}\right)$. Since Bob can control the half ${B}_{m,\,\rm{forward}\,}^{A}$ that he sends to Charlie in the distribution stage, he will obviously be able to meet the threshold. Bob therefore must try to guess the unknown half ${C}_{m,\,\rm{keep}\,}^{A}$ received directly from Alice. For Charlie, he can choose sv satisfying ${\hat{E}}_{\,\rm{keep}\,}\lt {s}_{v}\lt {p}_{E}$. In such case, Charlie will likely accept a legitimate signature sent by Alice, and reject any dishonest signature declaration by Bob. According to equations (17 ) and (18 ), the probability of Bob finding a signature with fewer than svL/2 errors is bounded by ${p}_{{s}_{v}L/2}\leqslant a$ except with probability at most
$\begin{eqnarray}{p}_{F}:= \frac{1}{a}\left(\Space{0ex}{0.25ex}{0ex}{2}^{-\frac{L}{2}\left\{\frac{2{\underline{s}}_{L,1}}{L}\left(1-{I}_{E}\right)-{H}_{2}\left({s}_{v}\right)\right\}}+\epsilon \Space{0ex}{0.25ex}{0ex}\right).\end{eqnarray}$
Considering all the failure probabilities during the parameter estimation procedure, we are then able to bound Bob’s probability of successfully forging as $\begin{eqnarray}P\left(\rm{Forge}\,\right)=a+{p}_{F}+38{\varepsilon }_{\,\rm{PE}},\end{eqnarray}$
where the addition of 38ϵPE is the error term due to finite-sample size. Since the protocol is symmetric with respect to the two recipients Bob and Charlie, this bound applies when Charlie tries to forge.According to the above security analysis, we can calculate the signature rate. In each run, let Nt denote the total number of pulses used for key distribution, which yields a key of length npool for subsequent signature generation. Based on the specified security parameters, we can optimize the key length, L, required to sign a half-bit signature. Consequently, the signature rate can be expressed as
$\begin{eqnarray}R=\frac{{n}_{\,\rm{pool}\,}}{2L{N}_{t}}.\end{eqnarray}$
3. Numerical simulation
In this section, we conduct numerical simulations to assess the performance of our proposed protocol and compare it with a conventional BB84-based QDS scheme. The simulations are performed under specific conditions: the intensity of the vacuum state is set to 10−5, the security thresholds are configured as ϵPE = 10−12, a = 10−10, ε = 10−10, and ϵsec = 10−10. These parameters ensure that the probabilities of honest abort, forging, and repudiation remain below 10−10, thus maintaining the protocol’s security.
Figure 2 illustrates the signature rates (bit/pulse) of both the proposed RFI-QDS protocol and the conventional BB84-QDS protocol as a function of transmission distance. The solid red curve shows the performance of the RFI-QDS protocol, while the blue dash-dot curve represents the BB84-QDS protocol for comparison. The simulation results indicate that the RFI-QDS protocol consistently achieves higher signature rates than the BB84-QDS protocol across all transmission distances. Notably, when the reference misalignment angle is set to β = π/4, the signature rate of the RFI-QDS protocol is nearly an order of magnitude greater than that of the BB84-QDS protocol, demonstrating the RFI-QDS protocol’s strong robustness to reference frame misalignment and superior adaptability under varying environmental conditions.
Figure 2. Signature rates versus transmission distance for the proposed RFI-QDS (represented by red solid curves) and the conventional BB84-QDS (represented by blue dash-dot curves) protocols. For both sets of curves (of the same colour), the upper line corresponds to the reference misalignment angles β = 0, while the lower line corresponds toβ = π/4. All simulations are performed with a total pulse number Nt = 1012. |
Figure 3 shows the finite-size signature rates (bit/pulse) of the proposed RFI-QDS protocol as a function of transmission distance for different total numbers of pulses Nt, specifically Nt = 109, 1010, 1011, and 1012. As expected, the signature rate decreases with increasing transmission distance due to channel losses and statistical fluctuations. However, increasing the total number of pulses significantly improves performance by reducing finite-size effects, thereby maintaining higher signature rates over longer distances. Notably, even with Nt = 109, the refined finite-size analysis still allows secure transmission over distances exceeding 100 km, demonstrating the robustness of the proposed protocol. This trend highlights the practical importance of optimizing Nt in real implementations to balance system efficiency and finite-size security requirements.
Figure 3. Finite-size signature rates of the proposed RFI-QDS protocol versus transmission distance for different total pulse numbers Nt. The curves from top to bottom correspond to Nt = 109, 1010, 1011, 1012, respectively, under a reference misalignment of β = 0. |
4. Conclusion
In conclusion, we have proposed an RFI-QDS protocol that effectively overcomes the limitations of reference frame calibration required in conventional QDS schemes. Building upon the robustness of RFI-QKD, our protocol enables secure and efficient signature generation even under unknown or drifting reference frames. By integrating a compact finite-size estimation framework, the proposed scheme achieves an improved balance between statistical accuracy and signature efficiency, making it well suited for realistic finite-data scenarios. Numerical simulations verify that eliminating reference alignment not only simplifies system implementation but also enhances overall performance and scalability. With the rapid development of quantum communication in terms of integration and high speed, the proposed RFI-QDS provides a promising pathway toward large-scale, networked, and mobile quantum communication systems, such as in [37, 38] and smart grids [39, 40].