1 Introduction

With the combination of information theory and quantum mechanics, quantum information has been developed into a novel interdisciplinary subject in recent years. Quantum cryptography, as an emerging and rapidly developing subdiscipline, has become a hot research topic in the field of quantum information. In contrast to the security of classical public key cryptography, the security of quantum cryptography is based on the principle of quantum mechanics instead of computational complexity. Nowadays, many protocols have been presented in quantum cryptography, such as quantum key distribution [13], quantum encryption algorithm[4, 5], quantum secure authentication[6, 7], quantum secret sharing [810], quantum secure direct communication, quantum signature scheme, etc. Most notably, it has been proved that quantum key distribution protocol is unconditionally secure in both theoretical researches and experimental works.

Different from the quantum key distribution protocol which is used to set up a random secret key between two parties, a quantum secure direct communication is a protocol whose aim is to transmit important information directly. Deng et al. [11] proposed a two-step quantum direct communication protocol using the Einstein-Podolsky-Rosen (EPR) pair block. Then they also proposed a secure direct communication with a quantum one-time pad [12]. In their scheme, a batch of single photons was used directly to encode a secret message. A deterministic secure communication without using entanglement was presented by Cai et al. [13], the security of their scheme is based on the security proof of BB84 protocol. Wang et al. [14] put forward a multiparty controlled quantum secure direct communication using Greenberger-Horne-Zeilinger (GHZ) state.

In recent years, much more attention has been paid to quantum signature scheme, which is one of the most important ingredients of quantum cryptography. An arbitrated quantum signature (AQS) scheme based on a three-particle GHZ state was proposed by Zeng et al. [15]. Since then, many arbitrated quantum signature schemes [1619] have been put forward. More recently, Wen et al. [2022] presented different kinds of quantum signature schemes based on quantum teleportation.

Chaum [23] first proposed a blind signature scheme. It allows a signer to sign a message without knowing the content of the message. A weak blind signature scheme based on the characteristic of EPR pairs was presented by Wen et al. [24]. However, Naseri [25] showed that their scheme does not complete the task of a blind signature fairly. A fair quantum blind signature was proposed by Wang et al. [26], which is composed of a signing protocol and a link-recovery protocol. Afterwards, He et al. [27] investigated the scheme and pointed out that it can not satisfy the property of unforgeability. Wang et al. [28] proposed a quantum blind signature protocol using GHZ states. A quantum partially blind signature was presented by Cai et al. [29] to protect the signer’s legitimate interest.

The concept of proxy signature was first introduced by Mambo, Usuda and Okamoto in 1996 [30]. It allows a proxy signer to sign a message on behalf of an original signer in the case that the original signer is not present because of business trip, illness or other limits. A quantum proxy signature scheme based on controlled quantum teleportation was proposed by Cao et al. [31]. A genuinely entangled five-qubit state was used in their scheme, which is not easier generated than the non-maximally entangled state in experimental condition. Zhou et al. [32] presented a quantum proxy signature scheme with public verifiability. But they must use the operation of quantum states comparison which increases the implementation complexity.

In a practical application, an original signer needs to delegate a proxy signer to sign a message because he is not present. Meanwhile, the anonymity of the message needs to be guaranteed. For example, in an e-payment system, a customer provides a merchant with an e-currency to purchase some goods, but the e-currency should be signed blindly by an agent whose signing authority is delegated by a bank. However, all these schemes mentioned above can not fulfill the task. In this paper, a novel quantum proxy blind signature scheme is proposed to conquer this problem.

The rest of this paper is organized as follows. In Section 2, a basic theory of controlled quantum teleportation is introduced. In Section 3, we describe the novel quantum proxy blind signature scheme in detail. The security analysis and discussion are given in Section 4. Finally, conclusions are drawn in Section 5.

2 Preliminary Theory

The novel quantum proxy blind signature scheme is based on controlled teleportation. In this section, the controlled teleportation is introduced by using a special form of non-maximally entangled three-qubit state. It is generally admitted that the generation and storage of maximally entangled states are not easily realized in a practical application because of noise, decoherence, etc. Thus, the utilization of non-maximally entangled states is becoming increasingly important. To guarantee perfect teleportation, we choose the following special state as quantum channel

$$ |\phi\rangle_{123}=\frac{1}{\sqrt{2}}(\sin{\theta}|000\rangle-\cos{\theta}|011\rangle +\cos{\theta}|110\rangle+\sin{\theta}|101\rangle)_{123}, $$
(1)

where \(\theta \neq \frac {k\pi }{2}\ (k \in \mathbb {Z})\).

As showed in Fig. 1, this controlled teleportation involves the following three partners: a sender Alice, a controller Charlie and a receiver Bob. Alice owns particle 1, Charlie holds particle 2 and particle 3 belongs to Bob. Suppose that an arbitrary single-qubit state to be teleported in Alice’s hands has the form

$$ |\varphi\rangle_{m}=(\alpha|0\rangle+\beta|1\rangle)_{m}, $$
(2)

where α , β are unknown amplitudes that satisfy |α|2+|β|2=1. So the joint state of the total system is

$$\begin{array}{@{}rcl@{}} |\psi_{0}\rangle&=&|\varphi\rangle_{m} \otimes |\phi\rangle_{123}=(\alpha|0\rangle+\beta|1\rangle)_{m} \otimes \\&&\frac{1}{\sqrt{2}}(\sin{\theta}|000\rangle-\cos{\theta}|011\rangle+\cos{\theta}|110\rangle+\sin{\theta}|101\rangle)_{123}. \end{array} $$
(3)
Fig. 1
figure 1

a: Alice wants to teleport the state |φ〉 in particle m to Bob, the particles 1, 2, 3 are entangled. b: Charlie agrees the two parties to achieve their teleportation by performing operations on particle 2

Full size image

If the controller Charlie agrees the two parties of communication to achieve their teleportation, he first sends his particle 2 through a Hadamard gate, obtaining

$$\begin{array}{@{}rcl@{}} |\psi_{1}\rangle&=&(\alpha|0\rangle+\beta|1\rangle)_{m} \otimes \frac{1}{2} (\sin{\theta}|000\rangle+\sin{\theta}|010\rangle-\cos{\theta}|001\rangle+\cos{\theta}|011\rangle \\ &&+\cos{\theta}|100\rangle-\cos{\theta}|110\rangle+\sin{\theta}|101\rangle+\sin{\theta}|111\rangle)_{123} \\ &=&(\alpha|0\rangle+\beta|1\rangle)_{m} \otimes \frac{1}{2} [(\sin{\theta}|00\rangle-\cos{\theta}|01\rangle+\cos{\theta}|10\rangle+\sin{\theta}|11\rangle)_{13}|0\rangle_{2} \\ &&(\sin{\theta}|00\rangle+\cos{\theta}|01\rangle-\cos{\theta}|10\rangle+\sin{\theta}|11\rangle)_{13}|1\rangle_{2}]. \end{array} $$
(4)

Then he measures his particle 2 with the basis {|0〉,|1〉}, and records the measurement result as R C , then sends it to Alice. After that, the system of Alice and Bob will collapse into the state |ψ 2〉 or |ψ 3〉 which depends on R C = 0 or R C = 1, where

$$\begin{array}{@{}rcl@{}} &&|\psi_{2}\rangle=(\alpha|0\rangle+\beta|1\rangle)_{m} \otimes \frac{1}{\sqrt{2}} (\sin{\theta}|00\rangle-\cos{\theta}|01\rangle+\cos{\theta}|10\rangle+\sin{\theta}|11\rangle)_{13}, \end{array} $$
(5)
$$\begin{array}{@{}rcl@{}} &&|\psi_{3}\rangle=(\alpha|0\rangle+\beta|1\rangle)_{m} \otimes \frac{1}{\sqrt{2}} (\sin{\theta}|00\rangle+\cos{\theta}|01\rangle-\cos{\theta}|10\rangle+\sin{\theta}|11\rangle)_{13}. \end{array} $$
(6)

Afterwards, Alice carries out the following steps according to R C received from Charlie (See Fig. 2).

  • Case 1:     If R C = 0, Alice sends her particles m and 1 through a CNOT gate (particle m is control qubit, particle 1 is target qubit), obtaining

    $$\begin{array}{@{}rcl@{}} |\psi_{21}\rangle&=&\frac{1}{\sqrt{2}}[\alpha|0\rangle_{m} (\sin{\theta}|00\rangle-\cos{\theta}|01\rangle+\cos{\theta}|10\rangle+\sin{\theta}|11\rangle)_{13} \\ &&+\beta|1\rangle_{m}(\sin{\theta}|10\rangle-\cos{\theta}|11\rangle+\cos{\theta}|00\rangle+\sin{\theta}|01\rangle)_{13}]. \end{array} $$
    (7)

    Then she performs a Hadamard gate on her particle m, obtaining

    $$\begin{array}{@{}rcl@{}} |\psi_{22}\rangle&=&\frac{1}{2}[\alpha(|0\rangle+|1\rangle)_{m} (\sin{\theta}|00\rangle-\cos{\theta}|01\rangle+\cos{\theta}|10\rangle+\sin{\theta}|11\rangle)_{13} \\ &&+\beta(|0\rangle-|1\rangle)_{m}(\sin{\theta}|10\rangle-\cos{\theta}|11\rangle\!+\cos{\theta}|00\rangle+\sin{\theta}|01\rangle)_{13}]. \end{array} $$
    (8)

    This state can be regrouped in the following form

    $$\begin{array}{@{}rcl@{}} |\psi_{22}\rangle&=&\frac{1}{2}\{|00\rangle_{m1}[(\alpha\sin{\theta}+\beta\cos{\theta})|0\rangle +(\beta\sin{\theta}-\alpha\cos{\theta})|1\rangle]_{3} \\ &&+|01\rangle_{m1}[(\alpha\cos{\theta}+\beta\sin{\theta})|0\rangle +(\alpha\sin{\theta}-\beta\cos{\theta})|1\rangle]_{3} \\ &&+|10\rangle_{m1}[(\alpha\sin{\theta}-\beta\cos{\theta})|0\rangle -(\alpha\cos{\theta}+\beta\sin{\theta})|1\rangle]_{3} \\ &&+|11\rangle_{m1}[(\alpha\cos{\theta}-\beta\sin{\theta})|0\rangle +(\alpha\sin{\theta}+\beta\cos{\theta})|1\rangle]_{3}\}. \end{array} $$
    (9)

    Alice uses a two-qubit computation basis to measure her particles m and 1, and records the measurement result as |S A 〉, where |S A 〉∈{|00〉,|01〉,|10〉,|11〉}. Then Alice transmits R C and |S A 〉 to Bob.

  • Case 2:     If R C = 1, the state |ψ 3〉 can be re-written as follows

    $$\begin{array}{@{}rcl@{}} |\psi_{3}\rangle&=&\frac{1}{2}\{|\phi^{+}\rangle_{m1}[(\alpha\sin{\theta}-\beta\cos{\theta})|0\rangle +(\alpha\cos{\theta}+\beta\sin{\theta})|1\rangle]_{3} \\ &&|\phi^{-}\rangle_{m1}[(\alpha\sin{\theta}+\beta\cos{\theta})|0\rangle +(\alpha\cos{\theta}-\beta\sin{\theta})|1\rangle]_{3}\ \\ &&|\psi^{+}\rangle_{m1}[(\beta\sin{\theta}-\alpha\cos{\theta})|0\rangle +(\alpha\sin{\theta}+\beta\cos{\theta})|1\rangle]_{3}\ \\ &&|\psi^{-}\rangle_{m1}[-(\beta\sin{\theta}+\alpha\cos{\theta})|0\rangle +(\alpha\sin{\theta}-\beta\cos{\theta})|1\rangle]_{3}\}, \end{array} $$
    (10)

    the (10) involves the following four Bell states

    $$ |\phi^{\pm}\rangle=\frac{1}{\sqrt{2}}(|00\rangle\pm|11\rangle), \ \ |\psi^{\pm}\rangle=\frac{1}{\sqrt{2}}(|01\rangle\pm|10\rangle). $$
    (11)
Fig. 2
figure 2

The operations carried out by Alice in two cases

Full size image

Alice performs a Bell-state measurement on her particles m and 1, then records the measurement result as |S A 〉, where |S A 〉∈{|ϕ +〉,|ϕ 〉,|ψ +〉,|ψ 〉}. After that, Alice transfers R C and |S A 〉 to Bob.

After receiving R C and |S A 〉, Bob needs to perform an appropriate unitary transformation on particle 3 in order to reconstruct the teleported state |φ〉. The corresponding relationship between the measurement results and Bob’s unitary transformations is summarized in Table 1. Thus, the arbitrary single-qubit state |φ〉 has been perfectly teleported from the sender Alice to the receiver Bob under Charlie’s control.

Table 1 The relationship between measurement results and Bob’s unitary transformations
Full size table

It should be noted that the teleported state |φ〉 is an arbitrary single-qubit state, so the following four states are suitable for the aforementioned teleportation.

$$ |x_{\pm}\rangle=\frac{1}{\sqrt{2}}(|0\rangle\pm|1\rangle), \ \ |y_{\pm}\rangle=\frac{1}{\sqrt{2}}(|0\rangle\pm \mathrm{i}|1\rangle). $$
(12)

3 Quantum Proxy Blind Signature Scheme

As showed in Fig. 3, the proposed quantum proxy blind signature scheme involves the following five participants: a message sender U, an original signer Charlie, a proxy signer Alice, a receiver (verifier) Bob and a trusted arbitrator Trent. Our scheme consists of four phases: initializing phase, delegating phase, signing phase, and verifying phase.

Fig. 3
figure 3

Schematic diagram of transmission when Alice signs a message

Full size image

3.1 Initializing Phase

  • Step 1:     Charlie sets up n non-maximally entangled three-qubit states as showed in (1).

  • Step 2:     Afterwards, Charlie takes first particles, second particles and third particles from these states to form the ordered sequences Q 1, Q 2 and Q 3, respectively. To guarantee the security of distribution, Charlie generates some decoy particles which are critical for statistical analysis of eavesdropping. Each decoy particle is randomly selected from {|0〉,|1〉,|x +〉,|x 〉}. Then Charlie randomly inserts these decoy particles into Q 1 to form a new sequence \(Q_{1}^{\prime }\). Similarly, \(Q_{3}^{\prime }\) can be constructed in the same method. It should be paid attention to that Charlie must record the insertion positions and original states of the decoy particles in order to detect the eavesdropping. Finally, he distributes \(Q_{1}^{\prime }\) and \(Q_{3}^{\prime }\) to Alice and Bob, respectively, and leaves Q 2 to himself.

  • Step 3:     After confirming that Alice (Bob) has received the sequence \(Q_{1}^{\prime }\) (\(Q_{3}^{\prime }\)), Charlie announces the insertion positions and the corresponding measurement bases. Alice (Bob) measures the decoy particles according to Charlie’s announcement, then tells Charlie her (his) measurement outcomes. After comparing the measurement outcomes with the original states, Charlie can detect the existence of eavesdroppers. If there is no eavesdroppers or the probability of being eavesdropped is lower than a presupposed threshold, the rest steps of this protocol can be continued. Otherwise, they abort this communication and restart. Hence, the three participants have securely shared n non-maximally entangled three-qubit states.

3.2 Delegating Phase

  1. Step 1:

    Charlie performs Hadamard gates on his particles of sequence Q 2, then he measures the particles under the basis {|0〉,|1〉} and records measurement results as

    $$ R=(R_{1},R_{2},\cdots,R_{n}), $$
    (13)

    where every R i ∈ {0, 1}(i = 1, 2, ⋯ ,n). Then Charlie sends R to the proxy signer Alice by using the quantum secure direct communication (QSDC) protocol such as the ones in [1113].

  2. Step 2:

    After being notified that Alice has obtained the delegation message R, Charlie confirms that the delegation is accomplished. Otherwise, the delegation is failed.

3.3 Signing Phase

  • Step 1:     If the sender U’s message needs to be signed, then U transforms his message into an n-bit message string m = (m 1, m 2, ⋯ ,m n ).

  • Step 2:     Afterwards, U blinds the message m into a quantum state |m〉 in the following way. Here, we only give out the blinding process of the i-th message bit m i , and other ones can also be blinded in the same manner.

    1. (1)

      If m i = 0, U blinds it into |x +〉 or |x 〉 with equal probability 1/2.

    2. (2)

      Otherwise, the message m i will be randomly blinded into |y +〉 or |y 〉.

    After that, the n-bit message m has been blinded into n-qubit |m〉 which has the form |m〉 = (|m 1〉,|m 2〉,⋯ ,|m n 〉), where every |m i 〉∈{|x +〉,|x 〉,|y +〉,|y 〉} (i = 1,2,⋯ ,n). Here, let two classical bits 00 (01,10,11) correspond to the quantum state |x +〉 (|x 〉,|y +〉,|y 〉), which is only known to U and the arbitrator Trent. Thus, the blinded message |m〉 could be encoded into 2n classical bits m , which has the form

    $$ m^{\prime}=(m_{1}^{\prime},m_{2}^{\prime},\cdots,m_{n}^{\prime}). $$
    (14)

  • *Step 3:     Then U transmits |m〉 to the proxy signer Alice. To guarantee the security of quantum channel between U and Alice, they also use the technique of eavesdropping check similar to the method shown in 3.1. Then U transfers m to Trent using the QSDC protocols in [1113].

  • Step 4:     After the second eavesdropping check, Alice obtains the blinded message |m〉, then Alice signs it according to Charlie’s delegation message R. For example, if R i = 0, Alice first sends |m i 〉 and the i-th particle of Q 1 through a CNOT gate (|m i 〉 is control qubit, the i-th particle of Q 1 is target qubit), then he sends |m i 〉 through a Hadamard gate. Afterwards, Alice uses a two-qubit computation basis to measure the two particles and obtains |S i 〉, where |S i 〉∈{|00〉,|01〉,|10〉,|11〉}. If R i = 1, Alice directly performs a Bell-state measurement on |m i 〉 and the i-th particle of Q 1, then obtains |S i 〉, where |S i 〉∈{|ϕ +〉,|ϕ 〉,|ψ +〉,|ψ 〉}. Therefore, Alice gets her proxy blind signature |S〉 about the blinded message |m〉, where |S〉 has the form

    $$ |S\rangle=(|S_{1}\rangle,|S_{2}\rangle,\cdots,|S_{n}\rangle). $$
    (15)

  • Step 5:     By using the QSDC protocols in [1113], Alice sends R to Bob. To ensure the security of transmission, Alice transmits |S〉 to Bob using the similar strategy as showed in 3.1.

3.4 Verifying Phase

  • Step 1:     Bob receives R from Alice. After the third eavesdropping check, Bob obtains Alice’s proxy blind signature |S〉.

  • Step 2:     According to R and |S〉, Bob gets |b〉 by performing appropriate unitary transformations listed in Table 1 on his particles of sequence Q 3, where |b〉 = (|b 1〉,|b 2〉,⋯ ,|b n 〉). Then Bob transmits |b〉 to the arbitrator Trent. To check the security of channel between Bob and Trent, they use the same strategy as described in 3.1.

  • Step 3:     After the fourth eavesdropping check, Trent obtains |b〉. Once Trent receives m from U, he can obtain the original message m by extracting the odd number bits of m . After that, Trent measures |b〉 according to m. For instance, if m i = 0, Trent uses the basis {|x +〉,|x 〉} to measure |b i 〉; if m i = 1, he measure it with the basis {|y +〉,|y 〉}. Then he encodes the measurement results into b by using the same method as U used. After that, Trent obtains b which has the form

    $$ b=(b_{1},b_{2},\cdots,b_{n}). $$
    (16)

    Now, Trent compares b with m , if b = m , then he tells Bob that |S〉 is valid proxy blind signature signed by Alice; otherwise, he rejects it.

4 Security Analysis and Discussion

In this section, we will show that our scheme satisfies the properties of undeniability, unforgeability, blindness, untraceability, and it can resist intercept-resend attack.

4.1 Undeniability

Firstly, we show that it is impossible for Alice to deny her signature. According to the Step 4 in 3.3, Alice must use Charlie’s delegation message R, the sequence Q 1 and the blinded message |m〉 to generate her proxy blind signature |S〉. But, it is difficult for any other people to get the sequence Q 1 because it is transmitted by using the eavesdropping check. Therefore, Alice can not deny her signature.

Secondly, Bob can not deny receiving the signature |S〉. The reason is that Bob needs Trent’s further verification and his willingness to verify the signature implies he has received it. Besides, Zou et al. [33] pointed out that, in some existing AQS schemes [15, 34], the receiver Bob can tell a lie to deny the integrality of the signature successfully without being detected. However, in our scheme, it is clear that the eventual verification is carried out by Trent so Bob has no chance to do that. Therefore, Bob can not deny the integrality of the signature |S〉 and our scheme can resist the attack proposed in [33, 35].

4.2 Unforgeability

Another security issue will be discussed, i.e., the impossibility of forgery by both dishonest internal attackers and malicious external ones. Firstly, it is impossible for Bob to forge Alice’s signature. According to the Step 4 in 3.3, Bob can not generate the correct signature |S〉 without the sequence Q 1. However, the photon sequence is transmitted by using the technique of eavesdropping check, so anyone can not obtain it except for Alice. Hence, Bob can not forge Alice’s signature. Similarly, the same situation will appear in front of U. In a word, the dishonest internal attackers can not forge Alice’s signature.

Secondly, we consider the forgery made by the external attacker Eve. As demonstrated above, Eve can not forge Alice’s signature under the condition that he has no information about Charlie’s delegation message R, the sequence Q 1 and the blinded message |m〉. Therefore, if Eve attempts to forge Alice’s signature successfully, he needs to obtain the aforesaid elements. However, it is impossible, because the elements are transmitted in secure ways. Therefore, Eve can not forge Alice’s signature.

Thirdly, Zhang et al. [36] noted that the receiver Bob can forge a valid signature for his benefit without being detected. This is because Bob is the only verifier of the signature and this gives him sufficient opportunities to forge the signature. To prevent the security loophole, the validity of the signature should be verified by Bob and other participants. In view of this point, we introduce an arbitrator Trent to help Bob verify the signature. So Bob has no chance to forge the signature using the similar method showed in [36].

4.3 Blindness

According to the Step 2 in 3.3, the message m = (m 1, m 2, ⋯ ,m n ) has been blinded into |m〉 = (|m 1〉,|m 2〉,⋯ ,|m n 〉) by the message sender U, where every |m i 〉 ∈ {|x +〉,|x 〉,|y +〉,|y 〉}. If Alice tries to determine the blinded message |m〉 after receiving it from U, the only way is to perform measurements. If Alice randomly selects basis {|x +〉,|x 〉} or {|y +〉,|y 〉} to measure |m〉, then the probability that she can determine it is \(\frac {1}{2^{n}}\), which will vanish zero if n is large enough. Thus, Alice can not learn the blinded message |m〉, so the original message m is unknown to her. Therefore, the proxy signer Alice can not know the content of the message m when she signs it.

4.4 Untraceability

In our scheme, although the message owner U does not unblind the signature |S〉, the proxy signer Alice can not trace him. More specifically, the signature |S〉 consists of nonorthogonal two-qubit states, so Alice can not identify it. Hence, Alice can not trace the message m when one of message-signature pairs (m,|S〉) is published. Therefore, our scheme has the property of untraceability and could be applied to an e-payment system.

4.5 Impossibility of Intercept-resend Attack

Firstly, if an adversary Eve intercepts the quantum state |m composed of |m〉 and some decoy particles, then he resends another quantum state to Alice. However, this trick will be detected by the security check between U and Alice. Besides, although Eve obtains the quantum state |m, he can not extract the blinded message |m〉, since he does not know the insertion positions of the decoy particles. Similarly, this trick is invalid for the quantum state |S〉 and |b〉. Therefore, our scheme can resist intercept-resend attack [37, 38].

5 Conclusion

In this paper, we have proposed a novel quantum proxy blind signature scheme. It is shown that, the original signer Charlie can delegate his signing authority to the proxy signer Alice by performing Hadamard gates and single-qubit measurements. The sender U produces two groups of nonorthogonal single-photon states to blind his message. According to Charlie’s delegation message, Alice implements corresponding operations to generate her signature. The receiver Bob performs appropriate unitary transformations to obtain |b〉, and sends it to Trent. After receiving |b〉, Trent first measures it, then he can easily verify the signature by a comparison. In addition, we have given the security analysis and discussion in detail.

This scheme has some advantages. Firstly, we use the QSDC protocol to guarantee the secure transmission of classical message while other schemes [22, 39, 40] use one-time pad to do it. However, these schemes are easily cracked by the intercept-resend attack [38, 41, 42]. Secondly, differing from some existing signature schemes [31, 43] using maximally entangled state, we replace it with non-maximally entangled state which is easier generated than the former. Thirdly, the proxy signer Alice’s signature depends on Charlie’s delegation message, which is different from the related schemes [31, 43, 44] whose different delegation messages correspond to one kind of signature. Fourthly, the sender U prepares two groups of nonorthogonal single-photon states to guarantee the anonymity of his message, which is easily realized than the generation of entangled state [24, 28] with present technology. Fifthly, the arbitrator Trent can keep the receiver Bob from denying and forging the signature [33, 35, 36], so the security of this scheme has been enhanced. Finally, the proposed scheme is secure and it combines proxy signature with blind signature, so it has a more wide application.