1 Introduction

Today's world is a digital world. Every day, many digital messages are exchanged over the internet, and in most cases the transmitted messages have to be authenticated by their receivers. That is, the receivers need to check where the messages come from, and whether they have been eavesdropped or disturbed by an adversary before receiving them. To address the need of authenticating digital messages, Diffie et al. [1] proposed the idea of the digital signature. Generally, in a digital signature system, the signatory creates his/her signature by encrypting the message with some secret key, and the signature receiver can verify its validity with the public key of the signer. With digital signature technologies, one can efficiently authenticate received digital messages.

Since the introduction of the digital signature, researchers have proposed many different classical signature schemes for applications in different environments [2,3,4,5,6]. However, the security of all these classical digital signatures depends heavily on mathematical computation problems [7, 8], which may be efficiently solved with the help of a modern quantum computer [9,10,11,12].

To make the digital signature secure against the quantum computer, Gottesman and Chuang [13] introduced the concept of the quantum digital signature, whose security is founded on physical theorems and quantum properties of particles instead of unproved mathematical assumptions. Therefore, the quantum signature has the merit of physical security. Based on the work in [13], many novel quantum signature schemes were proposed [14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47]. In the schemes [13, 40,41,42], the signers’ signing keys and public keys can only be used one time. To make the quantum signature more secure and practical, Zeng and Christoph developed the AQS [14], in which the signing key can be reused. In the AQS, an arbitrator, which is a party trusted by all participants, is introduced. The arbitrator takes part in the key generation phase so that the participants can share some private keys, which are used to sign and verify a message. During the signature verification phase, the arbitrator can securely help the signature verifier verify the quantum signature. What is more, the arbitrator is very helpful in resolving disputes between the signer and the verifier. Therefore, compared with the quantum signatures in [13, 40,41,42], Zeng and Christoph’s AQS is more efficient and practicable. Based on Zeng et al.’s idea, many AQS schemes [15,16,17,18,19,20,21, 23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39, 43,44,45,46,47,48,49,50,51] were proposed. For example, Yang et al. presented the weak arbitrator-based AQSs [15, 16, 44, 45] so as to improve the security of the AQS scheme. Jiang’s AQS [17] was based on product states with local indistinguishability so that the AQS could be more practicable. Although there are many AQS schemes, their security has not been strictly proved. That is, no strict proof supports the security of the proposed AQS schemes. In fact, many AQS schemes have been proven to be insecure against various attacks, due to the following two main reasons.

First, according to Kerckhoffs’s principle, the security of a modern cryptographic system should depend on the secrecy of the users’ private keys rather than on the secrecy of the cryptographic algorithm. In particular, in a signing system, if the signer’s private key is broken, anyone can forge the quantum signature by using the broken key. Generally, in an AQS scheme, the signer’s private key is created by performing an unconditionally secure quantum key distribution protocol (e.g., the BB84 Protocol [52]) such that the private key cannot be broken during the key generation phase of the scheme. However, it should be noted that in a quantum signature scheme, the signature is generated by performing quantum encryption with the signer’s private key. Therefore, the quantum signature also includes information about the private key. To guarantee the security of the private key, the quantum signature ciphertext should be information-theoretically secure [53,54,55]. That is, the quantum signature should be theoretically indistinguishable such that the adversary cannot derive any useful information about the private key from the quantum signature. However, the information-theoretical security of most existing quantum signature schemes cannot be strictly proved. This means that for these schemes, the adversaries may get some information about the private keys by performing measurement attacks or other unknown attacks on the quantum signatures. For example, in 2019, Chen et al. [56] proved that the private keys of the quantum signature systems based on the quantum one-time pad (QOTP) [57] could be broken by performing the controlled SWAP attack. This means the adversary can get some information about the private keys of the signers in the QOTP-based quantum signature systems (e.g., [14, 25,26,27,28, 36, 39, 43]) by the controlled SWAP attack. Therefore, the quantum signature ciphertext should be theoretically indistinguishable and the quantum signature scheme should be information-theoretically secure.

Second, can a quantum signature with an unconditionally secure signing key (private key) be secure against forgery? The answer is no, and there is strong evidence for this. For example, under the man-in-the-middle attack, Luo’s AQS [16] can be forged [22]. Although Jiang presented some security analysis in [17], his AQS can still be forged by a quantum adversary [23]. In [29], Zhou et al. showed that the quantum signature in [30] could be forged by adaptively performing some Hadamard gates on the signed message without knowing the private key of the signer. Similarly, Ding et al. [31] demonstrated that the quantum signature in [32] was not secure, because the signature receiver could generate a forgery by adaptively performing the NOT gate on the received signature, again without knowing the signer’s private key. He et al. [33] proved that in [34], the adversary could create a forgery by performing the NOT and Hadamard operators on the received signature, because he/she knew the structure of the original message. Gao et al.’s research results showed that some AQS schemes using Pauli operators were insecure against the participant’s forgery [24]. Some other results [35,36,37,38] also showed various forgery attacks on the quantum signatures [36, 48,49,50,51] without knowing the signers’ private keys. Why can many quantum signatures be forged? In fact, these quantum signature schemes have two common features. First, in these schemes, the authors argued that their quantum signatures were secure against forgery because the forger could not obtain the private keys. However, this kind of security analysis is not comprehensive, because many quantum signatures with unconditionally secure private keys can still be forged. Second, their security against forgery cannot be proved with a strict formal mathematical proof. No formal proof sufficiently supports the claim that the unforgeability of these quantum signatures strictly depends on the basic principles of quantum mechanics, such as the non-cloning theorem and the theoretical indistinguishability of quantum states. How can we guarantee the security of a quantum signature such that its unforgeability is strictly dependent on the basic principles of quantum mechanics? A general idea is that the unforgeability of the quantum signature should be proved with a strict proof based on the principles of quantum mechanics. That is, we should mathematically prove that if an adversary can generate a forgery for the quantum signature, his/her actions will violate some quantum principles. This is the idea of provable security for a quantum signature.

In this paper, the main contribution is that we propose the first provably secure AQS with a strict security proof. Different from most of the AQSs, the proposed scheme can be proved to be information-theoretically secure, and its security against forgery can be proved under the basic principles of quantum mechanics as well. In this AQS, the signature is produced with the controlled particles such that the signed particles have the same states, which can be used to prove the theoretical indistinguishability of the proposed AQS. Thus, the secrecy of the signatory’s private key can be proved. We also prove the unforgeability of the proposed AQS with the non-cloning principle. That is, for the proposed scheme, if an adversary can produce a forgery of the signature, his/her actions will violate the non-cloning principle. This means it is impossible for the adversary to generate a forgery for our signature under the basic principles of quantum mechanics. In addition, compared with similar schemes, our AQS has better security and efficiency.

The rest of the paper is organized as follows: the AQS scheme in Sect. 2; the AQS security proof and the security and efficiency comparisons in Sect. 3; and the conclusion in Sect. 4. In addition, a simple simulation of our scheme is presented in Appendix A and Appendix B.

2 The proposed AQS

In the proposed AQS scheme, the operators \(H = \left( {\left| 0 \right\rangle \left\langle 0 \right| + \left| 1 \right\rangle \left\langle 0 \right| + \left| 0 \right\rangle \left\langle 1 \right| - \left| 1 \right\rangle \left\langle 1 \right|} \right)/\sqrt 2\) and \(X = \left| 0 \right\rangle \left\langle 1 \right|{ + }\left| 1 \right\rangle \left\langle 0 \right|\) are used. We define \(H^{0} = X^{0} = I\), in which I is the identity map. Assume that \(f:\{ 0, \, 1\}^{*} \to \{ 0, \, 1\}^{n} \, \) is a public one-way hash function with uniform output. We assume that Alice is the message signatory, Bob acts as the receiver, and Trent is employed as the arbitrator, who is trusted by all of the other parties.

Our AQS includes the following three phases: initialization, signature generation phase and message verification phase.

2.1 Initializing phase

In this phase, the partners share the private key and entangled particle sequence. The following are the initializing steps.

IS-1: By performing Bennett and Brassard’s quantum key distribution protocol (BB84 Protocol) [52], Trent and Alice share a random n-bit private key \(k=(k_{1},k_{2},...,k_{n})\).

IS-2: In this step, the private key k is used. Trent prepares n entangled-triple particles \(\phi_{1}\), \(\phi_{2}\),…, \(\phi_{n}\). The state of each particle \(\phi_{i}\) is \(\left| {\phi_{i} } \right\rangle = \frac{1}{\sqrt 2 }\left( {\left| {0_{i}^{(T1)} 0_{i}^{(T2)} 0_{i}^{A} } \right\rangle \, + \left| {1_{i}^{(T1)} 1_{i}^{(T2)} 1_{i}^{A} } \right\rangle } \right)\), where \(i = 1,2, \ldots ,n\). According to the private key \(k=(k_{1},k_{2},...,k_{n})\), for each \(\phi_{i}\), if \(k_{i} = 0\), Trent performs the operator \(I \otimes I \otimes I\) on the particle \(\phi_{i}\); otherwise, he performs the operator \(H \otimes H \otimes H\) on the particle \(\phi_{i}\). Thus, the state of each entangled \(\phi_{i} \left( {i = 1,2, \ldots ,n} \right)\) is changed into

$$ \left| {\phi_{i} } \right\rangle = \left\{ \begin{gathered} \frac{1}{\sqrt 2 }\left( {\left| {0_{i}^{(T1)} 0_{i}^{(T2)} 0_{i}^{A} } \right\rangle \, + \left| {1_{i}^{(T1)} 1_{i}^{(T2)} 1_{i}^{A} } \right\rangle \, } \right),\quad {\text{if}}\,\,k_{i} = 0 \hfill \\ \frac{1}{\sqrt 2 }\left( {\left| { +_{i}^{(T1)} +_{i}^{(T2)} +_{i}^{A} } \right\rangle + \left| { -_{i}^{(T1)} -_{i}^{(T2)} -_{i}^{A} } \right\rangle } \right),\quad {\text{if}}\,\,k_{i} = 1 \hfill \\ \end{gathered} \right., $$
(1)

where \(\left| + \right\rangle = \left( {\left| 0 \right\rangle + \left| 1 \right\rangle } \right)/\sqrt 2\) and \(\left| - \right\rangle = \left( {\left| 0 \right\rangle - \left| 1 \right\rangle } \right)/\sqrt 2\). According to the entangled particles \(\phi_{1} ,\phi_{2} , \ldots ,\phi_{n}\), Trent composes three particle sequences \(G_{T1} = \{ t_{1}^{(T1)} , \, t_{2}^{(T1)} , \ldots , \, t_{n}^{(T1)} \}\), \(G_{T2} = \{ t_{1}^{(T2)} , \, t_{2}^{(T2)} , \ldots , \, t_{n}^{(T2)} \}\) and \(G_{A} = \{ a_{1} , \, a_{2} , \ldots , \, a_{n} \}\), in which \(t_{i}^{(T1)}\), \(t_{i}^{(T2)}\), and \(a_{i} \, (i = 1, \, 2, \ldots , \, n)\) represent the first, the second and the third particle of \(\phi_{i}\), respectively.

IS-3: Trent randomly produces sufficient decoy particles whose states come from the non-orthogonal set \(\left\{ {\left| 0 \right\rangle ,\left| 1 \right\rangle ,\left| + \right\rangle ,\left| - \right\rangle } \right\}\). Then, Trent mixes them with \(G_{A}\) at random and gets the new non-orthogonal sequence \(G_{A}^{\prime }\). After that, Trent transmits the sequence \(G_{A}^{\prime }\) to Alice.

IS-4: After Alice receives \(G_{A}^{\prime }\), Trent publishes the information of the decoy particles, including their positions and correct states. Then, Alice measures all the decoy particles in \(G_{A}^{\prime }\) and checks whether the measurement results are the same as those published by Trent. If the error rate is above the threshold set by the system, the partners restart the protocol. Otherwise, Alice gets \(G_{A}\) from the sequence \(G_{A}^{\prime }\) by deleting the decoy particles. \(G_{A}\) is kept by Alice as her private sequence.

2.2 Signing phase

Suppose that Alice will sign a classical message c ∈ {0, 1}*. Alice generates the signature by the steps as follows.

SS-1: Alice computes the message digest \(f(k||c) = m = (m_{1}, m_{2}, \ldots, m_{n})\) with her key k and the hash function f, where the symbol “||” denotes the concatenation of the bit strings. After that, Alice prepares a particle sequence \(S = \{ s_{1}, s_{2}, \ldots, s_{n} \}\), and the state of the i-th particle \(s_{i}\) of the sequence S is \(\left| {s_{i} } \right\rangle = \left| {m_{i} } \right\rangle\).

SS-2: According to the private key k, the private sequence \(G_{A} = \{ a_{1}, a_{2}, \ldots, a_{n} \}\) and the sequence \(S = \{ s_{1}, s_{2}, \ldots, s_{n} \}\), Alice performs n controlled unitary operations as follows.

For the i-th operation \((i = 1, \, 2, \ldots , \, n)\), if \(k_{i} = 0\), Alice executes the controlled NOT operator on \(a_{i}\) and \(s_{i}\), where \(a_{i}\) acts as the control particle and \(s_{i}\) as the target particle. Thus, the particles \(t_{i}^{(T1)}\), \(t_{i}^{(T2)}\), \(a_{i}\) and \(s_{i}\) are entangled together with the state

$$ \left| {\chi_{{t_{i}^{(T1)} ,t_{i}^{(T2)} ,a_{i} ,s_{i} }} } \right\rangle = \left\{ \begin{gathered} \frac{1}{\sqrt 2 }\left( {\left| {0_{i}^{(T1)} 0_{i}^{(T2)} 0_{i}^{A} 0_{i}^{S} } \right\rangle + \left| {1_{i}^{(T1)} 1_{i}^{(T2)} 1_{i}^{A} 1_{i}^{S} } \right\rangle } \right),\quad {\text{if}}\,\, \, m_{i} = 0 \hfill \\ \frac{1}{\sqrt 2 }\left( {\left| {0_{i}^{(T1)} 0_{i}^{(T2)} 0_{i}^{A} 1_{i}^{S} } \right\rangle + \left| {1_{i}^{(T1)} 1_{i}^{(T2)} 1_{i}^{A} 0_{i}^{S} } \right\rangle } \right),\quad {\text{if}}\,\, \, m_{i} = 1 \hfill \\ \end{gathered} \right.. $$
(2)

For the i-th operation \((i = 1, \, 2, \ldots , \, n)\), if \(k_{i} = 1\), Alice executes the operator H on \(a_{i}\). Then, she performs the controlled NOT operation on \(a_{i}\) and \(s_{i}\), where \(a_{i}\) acts as the control particle and \(s_{i}\) as the target particle. Next, Alice performs the H operation on each of the particles \(a_{i}\) and \(s_{i}\). Thus, the entangled state of \(t_{i}^{(T1)}\), \(t_{i}^{(T2)}\), \(a_{i}\) and \(s_{i}\) is changed into

$$ \left| {\chi_{{t_{i}^{(T1)} ,t_{i}^{(T2)} ,a_{i} ,s_{i} }} } \right\rangle = \left\{ \begin{gathered} \frac{1}{\sqrt 2 }\left( {\left| { +_{i}^{(T1)} +_{i}^{(T2)} +_{i}^{A} +_{i}^{S} } \right\rangle + \left| { -_{i}^{(T1)} -_{i}^{(T2)} -_{i}^{A} -_{i}^{S} } \right\rangle } \right),\quad {\text{if}}\,\, \, m_{i} = 0 \hfill \\ \frac{1}{\sqrt 2 }\left( {\left| { +_{i}^{(T1)} +_{i}^{(T2)} +_{i}^{A} -_{i}^{S} } \right\rangle + \left| { -_{i}^{(T1)} -_{i}^{(T2)} -_{i}^{A} +_{i}^{S} } \right\rangle } \right),\quad {\text{if}}\,\, \, m_{i} = 1 \hfill \\ \end{gathered} \right.. $$
(3)

After that, Alice sends c and S to Bob. Bob keeps the particle sequence S as the quantum signature on c.

The simple schematic diagram of the signing process is shown in Fig. 1.

Fig. 1 Schematic diagram of the signing process

2.3 Verifying phase

In our scheme, Alice is the signer. In this phase, the quantum signature S signed by Alice is verified. This phase includes three verification steps:

VS-1: Bob publishes c. Then, by the decoy particles and the methods in steps IS-3 and IS-4, Bob sends Trent the sequence S.

VS-2: According to k, the private sequence \(G_{T1} = \{ t_{1}^{(T1)} , \, t_{2}^{(T1)} , \ldots , \, t_{n}^{(T1)} \}\) and the sequence \(S = \{ s_{1}, s_{2}, \ldots, s_{n} \}\), Trent performs n controlled unitary operations as follows.

For the i-th operation \((i = 1, \, 2, \ldots , \, n)\), if \(k_{i} = 0\), Trent executes the controlled NOT operator with \(t_{i}^{(T1)}\) as the control particle and \(s_{i}\) as the target particle. Then, the entangled state of \(t_{i}^{(T1)}\), \(t_{i}^{(T2)}\), \(a_{i}\) and \(s_{i}\) evolves into

$$ \left| {\chi_{{t_{i}^{(T1)} ,t_{i}^{(T2)} ,a_{i} ,s_{i} }} } \right\rangle = \left\{ \begin{gathered} \frac{1}{\sqrt 2 }\left( {\left| {0_{i}^{(T1)} 0_{i}^{(T2)} 0_{i}^{A} } \right\rangle + \left| {1_{i}^{(T1)} 1_{i}^{(T2)} 1_{i}^{A} } \right\rangle } \right)\left| {0_{i}^{S} } \right\rangle ,\quad {\text{if}}\,\,m_{i} = 0 \hfill \\ \frac{1}{\sqrt 2 }\left( {\left| {0_{i}^{(T1)} 0_{i}^{(T2)} 0_{i}^{A} } \right\rangle + \left| {1_{i}^{(T1)} 1_{i}^{(T2)} 1_{i}^{A} } \right\rangle } \right)\left| {1_{i}^{S} } \right\rangle ,\quad {\text{if}}\,\,m_{i} = 1 \hfill \\ \end{gathered} \right.. $$
(4)

For the i-th operation \((i = 1, \, 2, \ldots , \, n)\), if \(k_{i} = 1\), Trent performs the H operation on each of the particles \(t_{i}^{(T1)}\) and \(s_{i}\). Then, he performs the controlled NOT operator on \(t_{i}^{(T1)}\) and \(s_{i}\), with \(t_{i}^{(T1)}\) as the control particle and \(s_{i}\) as the target particle. Finally, he applies the operator H to \(t_{i}^{(T1)}\). Then, the entangled state of \(t_{i}^{(T1)}\), \(t_{i}^{(T2)}\), \(a_{i}\) and \(s_{i}\) evolves into

$$ \left| {\chi_{{t_{i}^{(T1)} ,t_{i}^{(T2)} ,a_{i} ,s_{i} }} } \right\rangle = \left\{ \begin{gathered} \frac{1}{\sqrt 2 }\left( {\left| { +_{i}^{(T1)} +_{i}^{(T2)} +_{i}^{A} } \right\rangle + \left| { -_{i}^{(T1)} -_{i}^{(T2)} -_{i}^{A} } \right\rangle } \right)\left| {0_{i}^{S} } \right\rangle ,\quad {\text{if}}\,\,m_{i} = 0 \hfill \\ \frac{1}{\sqrt 2 }\left( {\left| { +_{i}^{(T1)} +_{i}^{(T2)} +_{i}^{A} } \right\rangle + \left| { -_{i}^{(T1)} -_{i}^{(T2)} -_{i}^{A} } \right\rangle } \right)\left| {1_{i}^{S} } \right\rangle ,\quad {\text{if}}\,\,m_{i} = 1 \hfill \\ \end{gathered} \right.. $$
(5)

VS-3: Trent measures each particle \(s_{i}\) \((i = 1, \, 2, \ldots , \, n)\) with the z-basis \(\left\{ {\left| 0 \right\rangle ,\left| 1 \right\rangle } \right\}\). By the measurement result of \(s_{i}\), Trent sets

$$ m_{i}^{\prime } = \left\{ \begin{gathered} 0,\quad {\text{if}}\,\,\left| {s_{i} } \right\rangle = \left| 0 \right\rangle \hfill \\ 1,\quad {\text{if}}\,\,\left| {s_{i} } \right\rangle = \left| 1 \right\rangle \hfill \\ \end{gathered} \right.,\quad i = {1},{ 2}, \ldots ,n. $$
(6)

Thus, Trent gets \(m^{\prime } = \left( {m_{1}^{\prime } ,m_{2}^{\prime } , \ldots ,m_{n}^{\prime } } \right)\). Then, by the shared k and the message c published by Bob, Trent computes the message digest m = f(k||c). Next, he checks whether \(m = m^{\prime }\). If \(m = m^{\prime }\)(\(m \ne m^{\prime }\)), Trent publishes “Yes” (“No”), and Bob accepts (denies) the validity of the quantum signature. If the signature is valid, Trent also keeps (c, m, Bob) as the “proof” of the quantum signature so as to solve the disputation that may occur between Alice and Bob in the future.

3 Analysis of the security

The correctness of the AQS can be easily verified. This section first presents the theoretical security proof for the proposed AQS. Then, the unforgeability of the quantum signature is proved. Finally, the non-repudiation of the signature is analyzed.

3.1 Information-theoretical security

In this section, first, by analyzing the density operator of the quantum signature, it is found that all the quantum signatures have the same state. What is more, any unitary operator attack to the quantum signature cannot change its density operator. This means that the adversary cannot get useful information about the private key by performing the unitary operator attack. Second, we analyze information-theoretical security of the proposed scheme. In [55], Yang et al. proved that for a quantum signature scheme, its information-theoretical security relies on the trace distance of the different quantum signatures. Then, by analyzing the trace distance of different quantum signatures, we prove that the trace distance of different quantum signatures is zero. Then, the proposed AQS can be proved to be information-theoretically secure.

Theorem 1.

The quantum signatures on all the messages have the same density operator.

Proof.

Note that any message c and its signature S satisfy Eqs. (2) and (3). Hence, the density operator of \(s_{i}\) is

$$ \rho_{{s_{i} }} = \left\{ \begin{gathered} \frac{1}{2}\left( {\left| {0_{i}^{S} } \right\rangle \left\langle {0_{i}^{S} } \right| + \left| {1_{i}^{S} } \right\rangle \left\langle {1_{i}^{S} } \right|} \right) = \frac{I}{2},\quad {\text{if}}\,\,m_{i} = 0, \, k_{i} = 0 \hfill \\ \frac{1}{2}\left( {\left| {1_{i}^{S} } \right\rangle \left\langle {1_{i}^{S} } \right| + \left| {0_{i}^{S} } \right\rangle \left\langle {0_{i}^{S} } \right|} \right) = \frac{I}{2},\quad {\text{if}}\,\,m_{i} = 1, \, k_{i} = 0 \hfill \\ \frac{1}{2}\left( {\left| { +_{i}^{S} } \right\rangle \left\langle { +_{i}^{S} } \right| + \left| { -_{i}^{S} } \right\rangle \left\langle { -_{i}^{S} } \right|} \right) = \frac{I}{2},\quad {\text{if}}\,\,m_{i} = 0, \, k_{i} = 1 \hfill \\ \frac{1}{2}\left( {\left| { -_{i}^{S} } \right\rangle \left\langle { -_{i}^{S} } \right| + \left| { +_{i}^{S} } \right\rangle \left\langle { +_{i}^{S} } \right|} \right) = \frac{I}{2},\quad {\text{if}}\,\,m_{i} = 1, \, k_{i} = 1 \hfill \\ \end{gathered} \right.. $$
(7)

Therefore, for any message c, the corresponding density operator of signature S is always \(\rho_{s} = \frac{{ \otimes_{i = 1}^{n} I}}{{2^{n} }}\). Therefore, the quantum signatures on all the messages have the same density operator. □
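An added example, not code from the paper or its appendices: a dependency-free state-vector simulation of one 4-particle block (T1, T2, A, S) that runs IS-2, SS-1/SS-2 and VS-2/VS-3 and checks both that Trent recovers \(m_{i}\) and that the reduced state of \(s_{i}\) is \(I/2\) as in Eq. (7). SHA-256 truncated to n bits stands in for the unspecified hash f, the key and messages are constructed sample values, and BB84 and the decoy-particle checks are not modelled.

```python
import hashlib
import math

T1, T2, A, S = 0, 1, 2, 3          # particle positions in one 4-particle block
R = 1 / math.sqrt(2)

def _mask(q):
    return 1 << (3 - q)            # T1 is the most significant bit of the index

def hadamard(state, q):
    out = [0.0] * 16
    for i, amp in enumerate(state):
        sign = -1.0 if i & _mask(q) else 1.0
        out[i & ~_mask(q)] += R * amp          # |0> component
        out[i | _mask(q)] += R * sign * amp    # |1> component
    return out

def flip(state, q):
    """Pauli X on particle q."""
    out = [0.0] * 16
    for i, amp in enumerate(state):
        out[i ^ _mask(q)] = amp
    return out

def cnot(state, control, target):
    out = [0.0] * 16
    for i, amp in enumerate(state):
        out[i ^ _mask(target) if i & _mask(control) else i] = amp
    return out

def trent_prepare(k_i):
    """IS-2: GHZ triple on (T1, T2, A), rotated by H(x)H(x)H when k_i = 1; S starts in |0>."""
    state = [0.0] * 16
    state[0b0000] = state[0b1110] = R
    if k_i:
        for q in (T1, T2, A):
            state = hadamard(state, q)
    return state

def alice_sign(state, k_i, m_i):
    """SS-1 and SS-2: prepare |s_i> = |m_i>, then entangle it with a_i."""
    if m_i:
        state = flip(state, S)
    if k_i:
        state = hadamard(state, A)
    state = cnot(state, A, S)
    if k_i:
        state = hadamard(hadamard(state, A), S)
    return state

def reduced_density_s(state):
    """Partial trace over T1, T2 and A (all amplitudes are real here)."""
    rho = [[0.0, 0.0], [0.0, 0.0]]
    for rest in range(8):
        for a in (0, 1):
            for b in (0, 1):
                rho[a][b] += state[2 * rest + a] * state[2 * rest + b]
    return rho

def trent_verify(state, k_i):
    """VS-2 and VS-3: disentangle s_i using t_i^(T1); return Pr[s_i measures 1]."""
    if k_i:
        state = hadamard(hadamard(state, T1), S)
    state = cnot(state, T1, S)
    if k_i:
        state = hadamard(state, T1)
    return sum(amp * amp for i, amp in enumerate(state) if i & _mask(S))

def digest_bits(k, c):
    """Stand-in for f(k||c): SHA-256 truncated to n = len(k) bits (assumption)."""
    h = hashlib.sha256(bytes(k) + c).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(len(k))]

def run_protocol(k, c, published=None):
    """Sign c, then let Trent verify against the message Bob publishes.
    Returns (Trent's verdict, largest deviation of any rho_{s_i} from I/2)."""
    m = digest_bits(k, c)
    m_prime, deviation = [], 0.0
    for k_i, m_i in zip(k, m):
        state = alice_sign(trent_prepare(k_i), k_i, m_i)
        rho = reduced_density_s(state)
        deviation = max(deviation, abs(rho[0][0] - 0.5), abs(rho[1][1] - 0.5),
                        abs(rho[0][1]), abs(rho[1][0]))
        m_prime.append(round(trent_verify(state, k_i)))
    expected = digest_bits(k, c if published is None else published)
    return m_prime == expected, deviation

KEY = [1, 0, 1, 1, 0, 0, 1, 0] * 4           # constructed 32-bit sample key
if __name__ == "__main__":
    print(run_protocol(KEY, b"pay Bob 10"))                  # genuine signature
    print(run_protocol(KEY, b"pay Bob 10", b"pay Bob 99"))   # Bob publishes another c
```

The deviation value is computed before verification, so it describes the signature particle as Bob or an eavesdropper would hold it.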

Suppose that an adversary Eve attempts to get some information on the signer’s secret k by performing some unitary operator \(U = \otimes_{i = 1}^{n} U_{i}\) on the signature S. However, we can prove that the operation U cannot change the density operator of the state of the signatures S.

Theorem 2.

If an adversary Eve performs some unitary operator \(U = \otimes_{i = 1}^{n} U_{i}\) on the signature S, the density operator of the signature will not have any change. That is, for each message-signature pair (c, S), after the unitary operator attack \(U = \otimes_{i = 1}^{n} U_{i}\) on S, the density operator of the state of the disturbed quantum signature S is always \(\rho_{s} = \frac{{ \otimes_{i = 1}^{n} I}}{{2^{n} }}\).

Proof.

Note that the signature S and the message c satisfy Eqs. (2) and (3). If an adversary Eve applies some unitary operator \(U = \otimes_{i = 1}^{n} U_{i}\) to S, the density operator of \(s_{i}\) can be computed as follows.

$$ \rho_{{s_{i} }} = \left\{ \begin{gathered} \frac{1}{2}U_{i} \left( {\left| {0_{i}^{S} } \right\rangle \left\langle {0_{i}^{S} } \right| + \left| {1_{i}^{S} } \right\rangle \left\langle {1_{i}^{S} } \right|} \right)U_{i}^{ + } = \frac{I}{2},\quad {\text{if}}\,\,m_{i} = 0, \, k_{i} = 0 \hfill \\ \frac{1}{2}U_{i} \left( {\left| {1_{i}^{S} } \right\rangle \left\langle {1_{i}^{S} } \right| + \left| {0_{i}^{S} } \right\rangle \left\langle {0_{i}^{S} } \right|} \right)U_{i}^{ + } = \frac{I}{2},\quad {\text{if}}\,\,m_{i} = 1, \, k_{i} = 0 \hfill \\ \frac{1}{2}U_{i} \left( {\left| { +_{i}^{S} } \right\rangle \left\langle { +_{i}^{S} } \right| + \left| { -_{i}^{S} } \right\rangle \left\langle { -_{i}^{S} } \right|} \right)U_{i}^{ + } = \frac{I}{2},\quad {\text{if}}\,\,m_{i} = 0, \, k_{i} = 1 \hfill \\ \frac{1}{2}U_{i} \left( {\left| { -_{i}^{S} } \right\rangle \left\langle { -_{i}^{S} } \right| + \left| { +_{i}^{S} } \right\rangle \left\langle { +_{i}^{S} } \right|} \right)U_{i}^{ + } = \frac{I}{2},\quad {\text{if}}\,\,m_{i} = 1, \, k_{i} = 1 \hfill \\ \end{gathered} \right.. $$
(8)

Therefore, if an adversary Eve applies some unitary operator \(U = \otimes_{i = 1}^{n} U_{i}\) to S, the density operator of the state of the disturbed quantum signatures S is \(\rho_{s} = \frac{{ \otimes_{i = 1}^{n} I}}{{2^{n} }}\). Therefore, for any unitary operator attack, the signature density operator will not have any change. □

The following theorem shows that the AQS’s information-theoretical security can also be proved. This means that the adversary can get no information about the secret key of the signatory from the published quantum signature by the unitary operation attack.

Theorem 3.

For any message c and unitary operator attack \(U = \otimes_{i = 1}^{n} U_{i}\) on the signature S, the mutual information between private key space K and the probabilistic polynomial-time quantum adversary Eve is zero. That is,

$$ I\left( {K;{\text{Eve}}\left| {c, \, S, \, U} \right.} \right) = 0. $$
(9)

Proof.

Note that the mutual information is

$$ I\left( {K;{\text{Eve}}\left| {c, \, S, \, U} \right.} \right) = H(K\left| {c, \, S, \, U} \right.) - H(K\left| {c, \, S, \, U,{\text{Eve}}} \right.). $$
(10)

Because \(H(K\left| {c, \, S, \, U} \right.) \le H(K)\), we can get

$$ I\left( {K;{\text{Eve}}\left| {c, \, S, \, U} \right.} \right) \le H(K) - H(K\left| {c, \, S, \, U,{\text{Eve}}} \right.). $$
(11)

Because the private key k is randomly generated by performing the unconditionally secure quantum protocol on key sharing [52], the private key space K has a uniform distribution. Therefore, the entropy of K is

$$ H\left( K \right) = n. $$
(12)

Now, we consider the probability of Eve’s successfully guessing the private key k under the unitary operator attack with the public message c and the quantum signature S. By Theorem 2 and Eq. (8), for any c, k and unitary operator attack U, the signature S has the same density operator. Therefore, Eve can guess the private key k from c, S and the unitary operation attack U with a probability

$$ \Pr (k\left| {c, \, S, \, U,Eve} \right.) = \frac{1}{{2^{n} }}. $$
(13)

Hence, the conditional entropy

$$ \begin{aligned} H(K\left| {c, \, S, \, U,{\text{Eve}}} \right.) & = - \sum\limits_{k} {\Pr (k\left| {c, \, S, \, U,{\text{Eve}}} \right.)\log \Pr (k\left| {c, \, S, \, U,{\text{Eve}}} \right.)} \\ & = - \sum\limits_{k} {\left( {\frac{1}{{2^{n} }}\log \frac{1}{{2^{n} }}} \right)} \\ & = n. \\ \end{aligned} $$
(14)

Therefore, by Eqs. (11, 12, 14), we can get \(I\left( {K;{\text{Eve}}\left| {c, \, S, \, U} \right.} \right) = 0\). □

Theorem 3 shows that if an adversary Eve tries to perform some unitary operator attack, he will get nothing about the signatory’s secret key from the published information.

Now, for the proposed scheme, we prove that there exists no polynomial algorithm \(C_{n}\) such that the signatures on different messages can be efficiently distinguished.

It should be noted that the quantum signature is generated by encrypting the message c. Then, our scheme can be viewed as one quantum encryption scheme. In [53,54,55], for the quantum signature, its information-theoretical security is defined as follows.

Definition 1.

A quantum signature is called information-theoretically secure if there exists no polynomial distinguishing algorithm \(D_{n}\) that can distinguish the quantum signatures S and S* with a non-negligible probability, where S and S* are the quantum signatures on any two different messages c and c* in the message space \(\{0, 1\}^{n}\), respectively. That is, for any positive polynomial p(·) and sufficiently large n, a quantum signature scheme with information-theoretical security should satisfy

$$ \left| {{\text{Pr}}\left[ {D_{n} \left( {S^{*} } \right) \, = \, 1} \right] \, - {\text{ Pr}}\left[ {D_{n} \left( S \right) \, = \, 1} \right] \, } \right| < 1/p\left( n \right). $$
(15)

The results in [55] show that for a quantum signature scheme, its information-theoretical security relies on the trace distance of the different quantum signatures.

Theorem 4 [55].

A quantum signature has information-theoretical security only if, for each polynomial p and different messages c and c*, the trace distance

$$ D(\rho_{c} ,\rho_{c*} ) < 1/p(n), $$
(16)

where \(\rho_{c}\)(\(\rho_{{c^{*} }}\)) denotes the density operator of the signature S (S*) on c(c*).

Theorem 5.

Our new AQS has the information-theoretical security.

Proof.

Let c and c* be any two different messages. Let S and S* be the quantum signatures on the messages c and c*, respectively. We use \(\rho_{c}\) and \(\rho_{{c^{*} }}\) to denote the density operators of the states of the quantum signatures S and S*, respectively. According to Theorem 1, it follows that

$$ \rho_{c} = \rho_{{c^{*} }} = \frac{{ \otimes_{i = 1}^{n} I}}{{2^{n} }}. $$
(17)

According to Eq. (17), we can get

$$ D(\rho_{c} ,\rho_{c*} ) = 0. $$
(18)

It is clear that Eq. (18) satisfies the condition of Theorem 4. Therefore, our scheme has information-theoretical security. □

The result of Theorem 5 means that no distinguishing algorithm \(D_{n}\) can distinguish the signatures S and S* efficiently. This means that for our quantum signature scheme, no efficient distinguishing algorithm \(D_{n}\) can break the signer’s key. Otherwise, given any two quantum signatures S and S* on different messages c and c*, respectively, the quantum adversary could use the private key to accurately generate the corresponding quantum signatures on c and c* such that S and S* could be distinguished by performing the quantum swap test algorithm [58], which contradicts the theoretical security of our AQS that is proved in Theorem 5. Therefore, there is no efficient distinguishing algorithm that can break the signatory’s private key. The proposed AQS can guarantee the secrecy of the signatory’s private key.

3.2 Unforgeability

In this section, we prove that it is infeasible to generate a forgery for the proposed quantum signature without knowing the private key of the signer. First, based on the non-orthogonality of \(\left\{ {\frac{1}{\sqrt 2 }\left( {\left| {000} \right\rangle + \left| {111} \right\rangle } \right),\frac{1}{\sqrt 2 }\left( {\left| { + + + } \right\rangle + \left| { - - - } \right\rangle } \right)} \right\}\), the non-cloning theorem for the non-orthogonal entangled-triple sequence \(\Pi = \left\{ {\pi_{1} ,\pi_{2} , \ldots ,\pi_{k} } \right\}\) is proved, in which each \(\pi_{i} \in \left\{ {\frac{1}{\sqrt 2 }\left( {\left| {000} \right\rangle + \left| {111} \right\rangle } \right),\frac{1}{\sqrt 2 }\left( {\left| { + + + } \right\rangle + \left| { - - - } \right\rangle } \right)} \right\}\). Then, we prove that if an adversary can forge the quantum signature, his forgery action will violate the non-cloning theorem for the non-orthogonal entangled-triple sequence \(\Pi\). This means it is infeasible for the adversary to forge the quantum signature of the signer.

Theorem 6.

Given an entangled-triple sequence \(\Pi = \left\{ {\pi_{1} ,\pi_{2} , \ldots ,\pi_{k} } \right\}\), in which each entangled \(\pi_{i}\) (1 ≤ i ≤ k) is randomly selected in the set \(\left\{ {\frac{1}{\sqrt 2 }\left( {\left| {000} \right\rangle + \left| {111} \right\rangle } \right),\frac{1}{\sqrt 2 }\left( {\left| { + + + } \right\rangle + \left| { - - - } \right\rangle } \right)} \right\}\), there is no unitary operator W such that the sub-system of each \(\pi_{i}\) can be cloned. That is, there is no unitary operator W such that

$$ W\left( {\frac{1}{\sqrt 2 }\left( {\left| {000} \right\rangle + \left| {111} \right\rangle } \right)\left| \varepsilon \right\rangle } \right) = \frac{1}{\sqrt 2 }\left( {\left| {0000} \right\rangle + \left| {1111} \right\rangle } \right) $$
(19)

and

$$ W\left( {\frac{1}{\sqrt 2 }\left( {\left| { + + + } \right\rangle + \left| { - - - } \right\rangle } \right)\left| \varepsilon \right\rangle } \right) = \frac{1}{\sqrt 2 }\left( {\left| { + + + + } \right\rangle + \left| { - - - - } \right\rangle } \right). $$
(20)

where \(\varepsilon\) is an auxiliary particle.

Proof.

Let \(\Pi = \left\{ {\pi_{1} ,\pi_{2} , \ldots ,\pi_{k} } \right\}\) be an entangled-triple sequence, in which each entangled \(\pi_{i}\) (1 ≤ i ≤ k) is randomly selected in the set \(\left\{ {\frac{1}{\sqrt 2 }\left( {\left| {000} \right\rangle + \left| {111} \right\rangle } \right),\frac{1}{\sqrt 2 }\left( {\left| { + + + } \right\rangle + \left| { - - - } \right\rangle } \right)} \right\}\). Note that the states \(\frac{1}{\sqrt 2 }\left( {\left| {000} \right\rangle + \left| {111} \right\rangle } \right)\) and \(\frac{1}{\sqrt 2 }\left( {\left| { + + + } \right\rangle + \left| { - - - } \right\rangle } \right)\) are non-orthogonal. Therefore, the entangled-triple sequence \(\Pi\) is a non-orthogonal sequence, which cannot be accurately distinguished. Suppose there is some unitary operator W so that Eqs. (19, 20) hold. From Eqs. (19, 20), we can get

$$ \left( {\left\langle {000} \right| + \left\langle {111} \right|} \right)\left( {\left| { + + + } \right\rangle + \left| { - - - } \right\rangle } \right) = \left( {\left\langle {0000} \right| + \left\langle {1111} \right|} \right)\left( {\left| { + + + + } \right\rangle + \left| { - - - - } \right\rangle } \right), $$
(21)

from which we can get a conflict equation \( 1= \sqrt 2\). Therefore, there is not any unitary operator W so that the sub-system of each \(\pi_{i}\) can be cloned.
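The contradiction in Eq. (21) can be checked numerically. The following Python sketch is an added example, not code from the paper: it builds the state vectors of Eqs. (19, 20) and compares the overlap of the two inputs with the overlap of the two claimed outputs, which any unitary W would have to preserve. The helper names and the choice of \(|0\rangle\) for the auxiliary particle \(\varepsilon\) are assumptions made for illustration.

```python
import math

R = 1 / math.sqrt(2)
# Single-qubit basis states in the Z basis (0, 1) and the X basis (+, -).
KET = {"0": [1.0, 0.0], "1": [0.0, 1.0], "+": [R, R], "-": [R, -R]}

def kron(u, v):
    """Tensor product of two state vectors."""
    return [a * b for a in u for b in v]

def product_state(label):
    """State vector of a product state such as '000' or '+++'."""
    vec = [1.0]
    for ch in label:
        vec = kron(vec, KET[ch])
    return vec

def ghz(a, b, n):
    """(|a...a> + |b...b>)/sqrt(2) on n qubits."""
    u, v = product_state(a * n), product_state(b * n)
    return [R * (x + y) for x, y in zip(u, v)]

def inner(u, v):
    """Inner product <u|v>; all amplitudes here are real."""
    return sum(x * y for x, y in zip(u, v))

def overlaps(aux="0"):
    """Overlap of the two inputs and of the two outputs in Eqs. (19, 20)."""
    eps = KET[aux]  # assumed auxiliary particle; any normalized state works
    in_z = kron(ghz("0", "1", 3), eps)
    in_x = kron(ghz("+", "-", 3), eps)
    out_z = ghz("0", "1", 4)
    out_x = ghz("+", "-", 4)
    return inner(in_z, in_x), inner(out_z, out_x)

def cloning_consistent():
    """A unitary W preserves inner products, so both overlaps must agree."""
    before, after = overlaps()
    return math.isclose(before, after, abs_tol=1e-12)

if __name__ == "__main__":
    before, after = overlaps()
    print("input overlap :", before)          # 1/(2*sqrt(2)), non-zero
    print("output overlap:", after)           # 1/2
    print("ratio         :", after / before)  # sqrt(2), the '1 = sqrt(2)' conflict
    print("W can exist   :", cloning_consistent())
```

The input overlap is non-zero, which is the non-orthogonality the proof relies on, and the ratio of the two overlaps is \(\sqrt 2\), matching the conflict equation obtained from Eq. (21).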

Theorem 7.

Without the knowledge of the signer’s private key, it is not feasible for the adversary Eve to produce a forged quantum signature.

Proof.

Suppose Eve is a quantum adversary, who plays the role of the forger. Note that Sect. 3.1 has proved the information-theoretical security for the proposed AQS, which can ensure the secrecy of the signatory’s key. For our scheme, to forge the quantum signature, Eve has to query the oracle f for its output. Suppose that Eve can successfully forge a signature S on some message c without knowing the signatory’s key k, and that the answer for the output of the query on the oracle f about the message c is m = (m1, m2,…, mn) ∈ {0, 1}^n. Note that the quantum signature S satisfies Eqs. (2, 3). This means that the state sequence of the entangled particle sequence including the forged quantum signature S is

$$ \chi_{T1,T2,A,S} = \left\{ {\left| {\chi_{{t_{1}^{(T1)} ,t_{1}^{(T2)} ,a_{1} ,s_{1} }} } \right\rangle ,\left| {\chi_{{t_{2}^{(T1)} ,t_{2}^{(T2)} ,a_{2} ,s_{2} }} } \right\rangle , \ldots ,\left| {\chi_{{t_{n}^{(T1)} ,t_{n}^{(T2)} ,a_{n} ,s_{n} }} } \right\rangle } \right\}, $$
(22)

in which each

$$ \left| {\chi_{{t_{i}^{(T1)} ,t_{i}^{(T2)} ,a_{i} ,s_{i} }} } \right\rangle \in \left\{ \begin{gathered} \frac{1}{\sqrt 2 }\left( {\left| {0000} \right\rangle + \left| {1111} \right\rangle } \right), \, \frac{1}{\sqrt 2 }\left( {\left| {0001} \right\rangle + \left| {1110} \right\rangle } \right), \hfill \\ \frac{1}{\sqrt 2 }\left( {\left| { + + + + } \right\rangle + \left| { - - - - } \right\rangle } \right),\frac{1}{\sqrt 2 }\left( {\left| { + + + - } \right\rangle + \left| { - - - + } \right\rangle } \right) \hfill \\ \end{gathered} \right\}\quad \left( {i = {1},{ 2,} \ldots ,n} \right). $$
(23)

According to m = (m1, m2,…, mn) and the forged quantum signature S, Eve composes a new particle sequence \(S|_{{m_{{i_{j} }} = 0}}\). That is, for each particle si (1 ≤ i ≤ n) of the particle sequence S, if mi = 0, Eve puts the particle si into the set \(S|_{{m_{{i_{j} }} = 0}}\). Assume that

$$ S|_{{m_{{i_{j} }} = 0}} = \left\{ {s_{{i_{1} }} ,s_{{i_{2} }} , \ldots ,s_{{i_{l} }} } \right\}, $$
(24)

where i1, i2,…,il ∈ {1, 2,…, n} and the corresponding \(m_{{i_{1} }} = m_{{i_{2} }} = \cdots = m_{{i_{l} }} = 0\). According to Eq. (1), it follows that

$$ \Phi {|}_{{m_{{i_{j} }} = 0}} = \left\{ {\left| {\phi_{{i_{1} }} } \right\rangle ,\left| {\phi_{{i_{2} }} } \right\rangle , \ldots ,\left| {\phi_{{i_{l} }} } \right\rangle } \right\} \in \left\{ {\frac{1}{\sqrt 2 }\left( {\left| {000} \right\rangle + \left| {111} \right\rangle } \right),\frac{1}{\sqrt 2 }\left( {\left| { + + + } \right\rangle + \left| { - - - } \right\rangle } \right)} \right\}^{l} , $$
(25)

which corresponds to Eq. (24). After the successful forgery, Eve queries about the private particles indexed by i1, i2,…,il, and the signing system outputs the particle sequence \(\Phi {|}_{{m_{{i_{j} }} = 0}}\) for Eve. Because \(\Phi {|}_{{m_{{i_{j} }} = 0}}\) is a non-orthogonal particle sequence, the particles in \(\Phi {|}_{{m_{{i_{j} }} = 0}}\) cannot be accurately distinguished from each other. Therefore, for Eve, \(\Phi {|}_{{m_{{i_{j} }} = 0}}\) is an unknown quantum sequence.

On the other hand, according to Eq. (22) and i1, i2,…,il, the signing system outputs a sequence

$$ \chi_{T1,T2,A,S} |_{{m_{{i_{j} }} = 0}} = \left\{ {\left| {\chi_{{t_{{i_{1} }}^{(T1)} ,t_{{i_{1} }}^{(T2)} ,a_{{i_{1} }} ,s_{{i_{1} }} }} } \right\rangle ,\left| {\chi_{{t_{{i_{2} }}^{(T1)} ,t_{{i_{2} }}^{(T2)} ,a_{{i_{2} }} ,s_{{i_{2} }} }} } \right\rangle , \ldots ,\left| {\chi_{{t_{{i_{l} }}^{(T1)} ,t_{{i_{l} }}^{(T2)} ,a_{{i_{l} }} ,s_{{i_{l} }} }} } \right\rangle } \right\}. $$
(26)

Now, we compare the form of each particle of the particle sequence \(\Phi {|}_{{m_{{i_{j} }} = 0}}\) with that of the particle sequence \(\chi_{T1,T2,A,S} |_{{m_{{i_{j} }} = 0}}\). According to Eqs. (2, 3, 24–26), it follows that if \(k_{{i_{j} }} = 0\) (j = 1, 2,…, l)

$$ \left\{ {\begin{array}{*{20}l} {\left| {\phi _{{i_{j} }} } \right\rangle = \frac{1}{{\sqrt 2 }}\left( {\left| {0_{{i_{j} }}^{{(T1)}} 0_{{i_{j} }}^{{(T2)}} 0_{{i_{j} }}^{A} } \right\rangle + \left| {1_{{i_{j} }}^{{(T1)}} 1_{{i_{j} }}^{{(T2)}} 1_{{i_{j} }}^{A} } \right\rangle {\text{ }}} \right)} \hfill \\ {\left| {\chi _{{t_{{i_{j} }}^{{(T1)}} ,t_{{i_{j} }}^{{(T2)}} ,a_{{i_{j} }} ,s_{{i_{j} }} }} } \right\rangle = \frac{1}{{\sqrt 2 }}\left( {\left| {0_{{i_{j} }}^{{(T1)}} 0_{{i_{j} }}^{{(T2)}} 0_{{i_{j} }}^{A} 0_{{i_{j} }}^{S} } \right\rangle + \left| {1_{{i_{j} }}^{{(T1)}} 1_{{i_{j} }}^{{(T2)}} 1_{{i_{j} }}^{A} 1_{{i_{j} }}^{S} } \right\rangle } \right)} \hfill \\ \end{array} } \right.. $$
(27)

If \(k_{{i_{j} }} = 1\) (j = 1, 2,…, l)

$$ \left\{ {\begin{array}{*{20}l} {\left| {\phi _{{i_{j} }} } \right\rangle = \frac{1}{{\sqrt 2 }}\left( {\left| { + _{{i_{j} }}^{{(T1)}} + _{{i_{j} }}^{{(T2)}} + _{{i_{j} }}^{A} } \right\rangle {\text{ }} + \left| { - _{{i_{j} }}^{{(T1)}} - _{{i_{j} }}^{{(T2)}} - _{{i_{j} }}^{A} } \right\rangle {\text{ }}} \right)} \hfill \\ {\left| {\chi _{{t_{{i_{j} }}^{{(T1)}} ,t_{{i_{j} }}^{{(T2)}} ,a_{{i_{j} }} ,s_{{i_{j} }} }} } \right\rangle = \frac{1}{{\sqrt 2 }}\left( {\left| { + _{{i_{j} }}^{{(T1)}} + _{{i_{j} }}^{{(T2)}} + _{{i_{j} }}^{A} + _{{i_{j} }}^{S} } \right\rangle + \left| { - _{{i_{j} }}^{{(T1)}} - _{{i_{j} }}^{{(T2)}} - _{{i_{j} }}^{A} - _{{i_{j} }}^{S} } \right\rangle } \right)} \hfill \\ \end{array} } \right.. $$
(28)

According to Eqs. (24, 25, 27, 28), we can get that if Eve can produce a valid forged signature S, he can clone a particle sequence \(S|_{{m_{{i_{j} }} = 0}} = \left\{ {s_{{i_{1} }} ,s_{{i_{2} }} , \ldots ,s_{{i_{l} }} } \right\}\) from the unknown entangled-triple sequence \(\Phi {|}_{{m_{{i_{j} }} = 0}} = \left\{ {\phi_{{i_{1} }} ,\phi_{{i_{2} }} , \ldots ,\phi_{{i_{l} }} } \right\}\), which conflicts with the non-cloning theorem (proved in Theorem 6) for the sub-system of each entangled \(\phi_{{i_{j} }}\). Therefore, it will be infeasible for Eve to forge the quantum signature of the signer.

3.3 Non-repudiation

In Sect. 3.2, for the proposed AQS, we have proved its unforgeability. Therefore, once the verification shows the validity of the signature, both the signer and the signature receiver cannot refuse its validity due to the unforgeability of the quantum signature.

For the signature, when the partners finish checking its validity, either the signatory or the signature receiver will lose the state of the signature, because it has been changed after the signature verification. The signatory may deny her signature generation for the signature receiver. And the signature receiver may refuse his participation in the signature verification. In this case, Trent can solve the disputation between the signer and the signature receiver. Note that in the proposed scheme, the message digest of c is computed by m = f(k||c). That is, to compute the digest m, the private key k has to be used as the input of the one-way function f. Therefore, without k, it is not feasible for the adversary to compute the digest m. At the same time, without the input k of f, the adversary can guess the message digest m only with the negligible probability \(\frac{1}{{2^{n} }}\) because of the uniform distribution of f. This means that only the signatory can generate m by her key k. Note that in the new AQS, when verifying a signature, Trent keeps the triple (c, m, Bob) as the “proof” of the quantum signature. If the signatory denies her signature generation for the signature receiver, Trent can recover the proof (c, m, Bob) to prove that the signer has produced the valid signature S, because only the signer can produce the message digest m = f(k||c) with the private key k. On the other hand, it is infeasible for Bob to deny the truth of the signature verification due to the verification proof (c, m, Bob), in which c was announced by Bob.

According to the analysis above, it follows that both the signature receiver and the signer cannot refuse a valid signature. At the same time, the signer cannot deny her signature generation for the signature receiver, and the signature receiver cannot refuse his participation of the signature verification. Therefore, we can get the non-repudiation of the proposed AQS.

3.4 Security and efficiency comparisons

In this section, the security and efficiency of the similar schemes are compared. Here, we ignore the AQSs which have been proved to be insecure against forgery attacks and disavowal attacks.

First, although the private keys of most quantum signature systems were created with the unconditionally secure quantum key distribution protocol (e.g., BB84 Protocol), they still could be broken by some novel attacks or some unknown unitary operator attacks to the quantum signatures, which include the information of the private keys. For example, Chen et al. [56] found that the private keys of the QOTP [57]-based quantum signature schemes could be broken by performing the controlled SWAP attacks to the quantum signatures. This means the QOTP-based signatures in [14, 25,26,27,28, 36, 39, 43] are not immune to the controlled SWAP attacks. Therefore, to guarantee the security of private keys of the quantum signing systems, the quantum signature ciphertexts should be information-theoretically secure such that there is not any unitary operator attack or polynomial distinguishing algorithm which can distinguish the quantum signature ciphertexts with a non-negligible probability. In Sect. 3.1, we have proved the information-theoretical security of the proposed AQS scheme. However, in the similar schemes, the information-theoretical security of the quantum signatures was not proved.

Second, to our knowledge, in most of the quantum signature schemes including the schemes in [18, 23, 36, 44,45,46,47], the unforgeability of the signature was analyzed by emphasizing the secrecy of the private keys of the signers. However, according to the review of the quantum signature in Sect. 1, we know that many quantum signatures can be forged by various forgery attacks without knowing the private keys of the signers. No sufficient formal proof can mathematically prove that the unforgeability of these schemes relies on the basic quantum theories. In this paper, we prove that the unforgeability of the proposed scheme depends on the non-cloning theorem. That is, if the adversary can forge the signature, his/her actions will violate the non-cloning theorem. This means that it is infeasible for the adversary to forge the quantum signature. However, in the similar schemes, no sufficient formal security proof can mathematically prove that the unforgeability of these schemes is strictly dependent on the basic principles of quantum mechanics.

Third, we compare the qubit efficiency of the similar AQSs. In [59], the qubit efficiency is defined as \(\eta = \delta_{1} /\delta_{2}\), where \(\delta_{1} (\delta_{2} )\) denotes the number of transmitted bits (qubits) in the quantum protocol. In our AQS, 2n qubits are transmitted during the signature generation and verification phases, while n classical message bits are authenticated. Therefore, the qubit efficiency of the proposed AQS is about 50% (the decoy particles which are used to check the quantum channel are ignored). In Table 1, the qubit efficiency of the other similar schemes is computed as well.

Table 1 Security and efficiency comparisons

Fourth, in the schemes of [18, 43, 45,46,47], the arbitrators or the signature receivers had to perform the quantum state comparison algorithm [58] so as to verify the signature. Note that the quantum state comparison test may fail with probability \(\left( {1 + \theta^{2} } \right)/2\), where \(\theta = \left| {\left\langle {\alpha |\beta } \right\rangle } \right| \in \left( {0,1} \right)\) depends on the compared states. Then, the signature can be successfully verified by the quantum state comparison algorithm with probability \(p = 1 - \left( {\frac{{1 + \theta^{2} }}{2}} \right)^{t}\), where t denotes the number of times the quantum state comparison is performed. Therefore, in [18, 43, 45,46,47], to make the comparison result reliable, the verifiers should perform the state comparison many times so that \(p = 1 - \left( {\frac{{1 + \theta^{2} }}{2}} \right)^{t} \to 1(t \to + \infty )\). What is more, the signers should produce many copies of the quantum signature and transmit them to the receivers for the use of quantum state comparison. All of these will greatly decrease the computation efficiency and the qubit efficiency of the AQSs. In our AQS, the quantum signature is verified without performing any quantum state comparison algorithm. Therefore, compared with the similar AQSs [18, 43, 45,46,47], our scheme has the better computation efficiency.
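To make the cost of repeated state comparison concrete, the Python sketch below is an added example, not code from the paper or from the compared schemes. It simulates one swap test on two single-qubit states to reproduce the per-round probability \(\left( {1 + \theta^{2} } \right)/2\) as the probability that the ancilla reads 0, then finds the smallest t for which \(p = 1 - \left( {\frac{{1 + \theta^{2} }}{2}} \right)^{t}\) reaches a target. The function names, the single-qubit inputs and the 0.99 target are assumptions chosen for illustration.

```python
import math

R = 1 / math.sqrt(2)

def kron(u, v):
    """Tensor product of two state vectors."""
    return [a * b for a in u for b in v]

def hadamard_on_ancilla(state):
    """Apply H to the ancilla; index = 4*ancilla + 2*a + b."""
    lo, hi = state[:4], state[4:]
    return ([R * (x + y) for x, y in zip(lo, hi)]
            + [R * (x - y) for x, y in zip(lo, hi)])

def cswap(state):
    """Swap the two data qubits when the ancilla is 1: |1,01> <-> |1,10>."""
    out = list(state)
    out[5], out[6] = state[6], state[5]
    return out

def swap_test_p0(alpha, beta):
    """Probability that the swap-test ancilla reads 0 for inputs alpha, beta."""
    state = kron([1, 0], kron(alpha, beta))  # ancilla starts in |0>
    state = hadamard_on_ancilla(state)
    state = cswap(state)
    state = hadamard_on_ancilla(state)
    return sum(abs(x) ** 2 for x in state[:4])

def copies_for_confidence(theta, target_p):
    """Smallest t with 1 - ((1 + theta^2)/2)^t >= target_p."""
    if not 0 <= theta < 1:
        raise ValueError("theta must satisfy 0 <= theta < 1 (theta = 1 never converges)")
    if not 0 < target_p < 1:
        raise ValueError("target_p must lie strictly between 0 and 1")
    q = (1 + theta ** 2) / 2
    t = 0
    while 1 - q ** t < target_p:
        t += 1
    return t

if __name__ == "__main__":
    zero, plus = [1, 0], [R, R]          # constructed sample states, theta = 1/sqrt(2)
    theta = abs(sum(a * b for a, b in zip(zero, plus)))
    print("simulated P(ancilla = 0):", swap_test_p0(zero, plus))
    print("formula (1 + theta^2)/2 :", (1 + theta ** 2) / 2)
    print("comparisons for p >= 0.99:", copies_for_confidence(theta, 0.99))
```

Each comparison consumes a fresh copy of the compared state, so the returned t is also the number of signature copies the signer must prepare and transmit.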

4 Conclusions

First, in most of the existing AQSs, the signers’ private keys were created with the unconditionally secure quantum key distribution protocol so that the private keys cannot be broken during the key generation phase. However, the adversary may break the private keys by performing some novel attacks (e.g., the controlled SWAP attacks) or some unknown attacks to the quantum signatures, which include the information of the private keys. Therefore, the quantum signature ciphertext should be theoretically indistinguishable and the quantum signature scheme should be information-theoretically secure such that the adversary can get no useful information about the private key of the signer from the quantum signatures.

Second, in most of the quantum signature schemes, the unforgeability of the signatures was analyzed by emphasizing the secrecy of the private keys of the signers. This kind of security analysis is not comprehensive. According to the review of the quantum signature schemes, we found many quantum signatures could still be forged, even if the private keys of the signers were unconditionally secure. Therefore, the unforgeability of an AQS should be provably secure. The unforgeability of the quantum signature should be proved with a strict proof based on the principles of quantum mechanics. We can prove that if an adversary can generate a forgery for the quantum signature, his/her actions will violate some quantum principles.

Third, we proposed such an AQS with provable security. The proposed AQS was different from the other existing AQS schemes. Its security can be supported by the information-theoretical indistinguishability of the non-orthogonal quantum states and the non-cloning theorem. In the proposed scheme, we proved the non-cloning theorem for the sub-system of the entangled-triple particles with non-orthogonal states. The unforgeability of the proposed scheme was proved as well. Theorem 7 shows that the unforgeability of the proposed AQS rests on quantum mechanics. That is, a forgery by the adversary would conflict with the quantum principles. The security proof of our AQS also showed the idea of provable security for a quantum signature.

On the other hand, in the proposed AQS, the participants need not perform the probabilistic quantum state comparison test. The proposed scheme has better qubit efficiency.

Therefore, compared with the other similar schemes, ours has the better security and efficiency.