1 Introduction

The rapid development and growing adoption of quantum cryptographic techniques have provided unconditional security for most of the conventional security issues. In 1984, Bennett and Brassard [1] published pioneering work in quantum cryptography. Since then, many quantum cryptographic schemes have been proposed, including quantum teleportation [2,3,4,5,6,7], quantum secure direct communication [8,9,10,11], quantum secret sharing [12,13,14,15,16,17], quantum private comparison [18,19,20,21], quantum anonymous voting [22], quantum anonymous ranking [23], quantum private query [24,25,26,27], and others. Compared to quantum key distribution (QKD) [1] in which one party generates a secret key, quantum key agreement (QKA) allows two or more parties to share equal roles in creating a secret key through public channels where any non-trivial subset of parties cannot deduce the generated key. In 2004, Zhou et al. [28] introduced the first QKA protocol by exploiting maximally entangled states and quantum teleportation. Unfortunately, Tsai and Hwang [29] found that their protocol is not fair, and the shared key can be determined by one party alone.

Subsequently, many two-party QKA protocols have been proposed [30,31,32]. Later, Shi and Zhong [33] suggested the first multiparty QKA protocol using entanglement swapping. Their multiparty protocol utilizes a Bell state as the quantum resource and the Bell measurement as the primary operation. Since then, many multiparty QKA protocols based on Shi and Zhong’s [33] work have been presented [34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49]. Recently, Wang and Ma [50] presented two QKA protocols with single photons in both the polarization and the spatial-mode degrees of freedom. The first protocol enables three parties to generate a secret key using public channels, while the second protocol extends the three-party QKA case to the multiparty case. Their scheme improved the capacity of the transmitted information and introduced high-efficiency performance. Moreover, Wang and Ma claimed that their protocol could achieve privacy. However, we show that in the multiparty QKA case of Wang–Ma protocol, two dishonest parties may collude to eavesdrop on the private key of an honest party using a fake sequence of single photons. Moreover, this manuscript suggests a simple solution to address this defect and proposes a modified version of the Wang–Ma multiparty QKA protocol.

The rest of this paper is as follows. A review of the Wang–Ma multiparty QKA protocol is introduced in Sect. 2. Section 3 analyses the security of the Wang–Ma protocol. Section 4 introduces an improvement to Wang–Ma multiparty QKA protocol. Finally, Sect. 5 concludes this work.

2 Review of the Wang–Ma multiparty QKA protocol

Here, a brief review of Wang–Ma multiparty QKA protocol is presented (Fig. 1). In their protocol, a single-photon state \( \left| \phi \right\rangle = \left| \phi \right\rangle_{P} \otimes \left| \phi \right\rangle_{S} \) in both polarization and spatial-mode degrees of freedom was used, where \( \left| \phi \right\rangle_{P} \) denotes the single-photon states in the polarization degree of freedom and \( \left| \phi \right\rangle_{S} \) denotes the single-photon states in the spatial-mode degree of freedom. In addition, two measuring bases are chosen in the polarization degree of freedom (i.e. \( Z_{P} = \{ \left| H \right\rangle ,\left| V \right\rangle \} \,\,{\text{and }}\,{\text{X}}_{P} = \{ \left| S \right\rangle_{P} ,\left| A \right\rangle_{P} \} \)) and two measuring bases are chosen in the spatial-mode degree of freedom (i.e. \( Z_{S} = \{ \left| {b_{1} } \right\rangle ,\left| {b_{2} } \right\rangle \} \, \) and \( {\text{X}}_{S} = \{ \left| s \right\rangle_{S} ,\left| a \right\rangle_{S} \} \)).\( \left| H \right\rangle \) and \( \left| V \right\rangle \) are the horizontal polarization and vertical polarization of particles, respectively. \( \left| {b_{1} } \right\rangle \) and \( \left| {b_{2} } \right\rangle \) represent the upper spatial mode and the lower spatial mode of particles, respectively, where

$$ \begin{aligned} \left| S \right\rangle_{P} & = \tfrac{1}{\sqrt 2 }(\left| H \right\rangle + \left| V \right\rangle ),\quad \left| A \right\rangle_{P} = \tfrac{1}{\sqrt 2 }(\left| H \right\rangle - \left| V \right\rangle ) \\ \left| s \right\rangle_{S} & = \tfrac{1}{\sqrt 2 }(\left| {b_{1} } \right\rangle + \left| {b_{2} } \right\rangle ),\quad \left| a \right\rangle_{S} = \tfrac{1}{\sqrt 2 }(\left| {b_{1} } \right\rangle - \left| {b_{2} } \right\rangle ). \\ \end{aligned} $$

Two unitary operations are also used in each degree of freedom as follows:

$$ \begin{aligned} I_{P} & = \left| H \right\rangle \left\langle H \right| + \left| V \right\rangle \left\langle V \right|,\quad \;U_{P} = \left| V \right\rangle \left\langle H \right| - \left| H \right\rangle \left\langle V \right|, \\ I_{S} & = \left| {b_{1} } \right\rangle \left\langle {b_{1} } \right| + \left| {b_{2} } \right\rangle \left\langle {b_{2} } \right|,\quad U_{S} = \left| {b_{2} } \right\rangle \left\langle {b_{1} } \right| - \left| {b_{1} } \right\rangle \left\langle {b_{2} } \right|. \\ \end{aligned} $$

Based on the above unitary operations we have

$$ \begin{aligned} I_{P} \left| H \right\rangle & = \left| H \right\rangle ,\quad I_{P} \left| V \right\rangle = \left| V \right\rangle ,\quad \;\;\;\;I_{P} \left| S \right\rangle_{P} = \left| S \right\rangle_{P} ,\quad I_{P} \left| A \right\rangle_{P} = \left| A \right\rangle_{P} , \\ I_{S} \left| {b_{1} } \right\rangle & = \left| {b_{1} } \right\rangle ,\quad I_{S} \left| {b_{2} } \right\rangle = \left| {b_{2} } \right\rangle ,\quad \;\;I_{S} \left| s \right\rangle_{S} = \left| S \right\rangle_{S} ,\quad \;I_{S} \left| a \right\rangle_{s} = \left| a \right\rangle_{s} , \\ U_{P} \left| H \right\rangle & = - \left| V \right\rangle ,\quad U_{P} \left| V \right\rangle = \left| H \right\rangle ,\quad U_{P} \left| S \right\rangle_{P} = \left| A \right\rangle_{P} ,\quad U_{P} \left| A \right\rangle_{P} = - \left| S \right\rangle_{P} , \\ U_{S} \left| {b_{1} } \right\rangle & = - \left| {b_{2} } \right\rangle ,\quad U_{S} \left| {b_{2} } \right\rangle = \left| {b_{1} } \right\rangle ,\quad U_{S} \left| s \right\rangle_{S} = \left| a \right\rangle_{S} ,\quad U_{S} \left| a \right\rangle_{S} = - \left| s \right\rangle_{S} . \\ \end{aligned} $$

In the multiparty case of Wang–Ma protocol, \( M \) parties (e.g. \( P_{1} ,P_{2} , \ldots ,P_{M} \)) want to agree on a shared secure key. The steps of their protocol can be summarized as follows:

  1. (1)

    Initialization stage Each party \( P_{i} \) (\( i \in \{ 1,2, \ldots ,M\} \)) prepares \( 2N \) classical bits string (\( K_{i} \)) as a sub-secret key, where \( K_{i} = \{ (r_{i1} ,s_{i1} )(r_{i2} ,s_{i2} )\, \ldots \,(r_{iN} ,s_{iN} )\} \).

  2. (2)

    Preparation stage Each party \( P_{i} \) generates a sequence (\( S_{i} \)) of ordered \( N \) single photons in both polarization and spatial-mode degrees of freedom. Each photon \( S_{i} \) is in the state \( \left| \phi \right\rangle = \left| \phi \right\rangle_{P} \otimes \left| \phi \right\rangle_{S} \). \( P_{i} \) also generates \( kN_{i} \) decoy single photons and inserts them into \( S_{i} \) producing a new sequence \( S_{i}^{i} \). Then \( P_{i} \) sends \( S_{i}^{i} \) to \( P_{i + 1} \).

  3. (3)

    Security detection stage \( P_{i + 1} \) uses the quantum filter and the photon number splitter device for avoiding a Trojan horse attack. Upon receiving \( S_{i}^{i} \), \( P_{i} \) informs \( P_{i + 1} \) the positions and the corresponding measuring bases of all decoy particles. Hence, \( P_{i} \) and \( P_{i + 1} \) can check the security of the transmission. If the transmission is not secure, they terminate the protocol. Otherwise, \( P_{i} \) and \( P_{i + 1} \) continue to the encoding stage.

  4. (4)

    Encoding stage \( P_{i + 1} \) discards the decoy photons then he applies collective unitary operations to the remaining \( N \) photons according to \( K_{i + 1} \). That is, if the \( i{\text{th}} \) bit values of \( P_{i + 1} \)’s sub-secret key are \( (r_{(i + 1,i)} ,s_{(i + 1,i)} ) = 00\,(11) \), he will apply \( I_{P} \oplus I_{S} (U_{P} \oplus U_{S} ) \) to the \( i{\text{th}} \) photon. But, if the bit values are \( (r_{(i + 1,i)} ,s_{(i + 1,i)} ) = 01\,(10) \), he will apply \( I_{P} \oplus U_{S} (U_{P} \oplus I_{S} ) \) to the \( i{\text{th}} \) photon.

  5. (5)

    Additional operation stage The party \( P_{i + 1} \) randomly selects the \( j{\text{th}} \) photon and randomly applies another extra collective unitary operation to it. Then,\( P_{i + 1} \) prepares \( kN_{i + 1} \) decoy single photons and inserts them into \( S_{i} \) producing a new sequence \( S_{i}^{i + 1} \). Then \( P_{i + 1} \) sends \( S_{i}^{i + 1} \) to \( P_{i + 2} \).

  6. (6)

    Particles exchange stage The parties \( P_{i + 2} , \ldots ,P_{i - 1} \) execute steps (3), (4), and (5) in turn. That is, one by one, they check the security of transmission. If so, they encode their keys with \( S_{i} \) and apply another extra collective unitary operation to some selected single photons. Afterwards, they insert decoy particles randomly into the sequence \( S_{i} \) and send it to the next party.

  7. (7)

    Key extraction stage Upon confirming that every party (\( P_{1} , \cdots ,P_{i} , \cdots ,P_{M} \)) has executed the steps \( (1) - (6) \), the parties \( P_{M} , \cdots ,P_{i - 1} , \cdots ,P_{M - 1} \) send the sequences \( S_{0}^{M} , \cdots ,S_{i}^{i - 1} , \cdots ,S_{M}^{M - 1} \) to \( P_{1} , \cdots ,P_{i} , \cdots ,P_{M} \). They then check the security of the quantum channels as described in step (3). If the error rate is less than a preset threshold, every party publicly announces the information of extra collective unitary operations. \( P_{i} \) then applies same extra unitary operations to the corresponding single photons. Since \( P_{i} \) knows the initial states of all single photons in \( S_{i} \), he can recover \( K_{i}^{'} \) by measuring \( S_{i} \). Hence, \( P_{i} \) can deduce the final shared key \( K \), where \( K = K_{i} \oplus K_{i}^{'} \).

3 Security analysis of the Wang–Ma multiparty QKA protocol

This section analyses the security of the Wang–Ma QKA protocol and introduces two cases. In Case 1, Wang and Ma claimed that the above multiparty QKA protocol could achieve privacy. However, Case 1 shows that Wang–Ma multiparty QKA protocol is not secure against a collusive attack performed by a group of two dishonest parties. Moreover, in Case 2, if two nested groups of dishonest parties or more try to adopt our suggested attack strategy, they will not succeed in stealing the private information of other parties as depicted in Fig. 2 and Table 2. Case 1 and Case 2 can be described in detail as follows.

Fig. 1
figure 1

Wang–Ma three-party QKA protocol [50]. The lines between every two parties represent the quantum channels. \( U^{A} \),\( U^{B} \), and \( U^{C} \) represent the collective unitary operation according to the sub-secret keys of Alice, Bob, and Charlie, respectively. \( U^{AC} \),\( U^{BC} \), and \( U^{CC} \) represent another extra collective unitary operation applied to some single photons, those operated photons randomly selected by Alice, Bob, and Charlie, respectively

Full size image

3.1 Case 1: Wang–Ma protocol is not secure against our attack strategy

This collusive attack shows that two dishonest parties can eavesdrop on the sub-secret key of an honest party without being detected. For convenience, we assume that five parties \( P_{0} ,P_{1} ,P_{2} ,P_{3} \), and \( P_{4} \) are wanting to agree upon a secure shared key. According to the Wang–Ma protocol, the initiator \( P_{0} \)\( (P_{1} /P_{2} /P_{3} /P_{4} ) \) generates \( N \) single photons in both polarization and spatial-mode degrees of freedom and transmits them to \( P_{1} \)\( (P_{2} /P_{3} /P_{4} /P_{0} ) \). Then \( P_{1} \)\( (P_{2} /P_{3} /P_{4} /P_{0} ) \) applies joint unitary operations to the received photons based on his/her sub-secret key and sends the new states to \( P_{2} \)\( (P_{3} /P_{4} /P_{0} /P_{1} ) \). Also \( P_{2} \)\( (P_{3} /P_{4} /P_{0} /P_{1} ) \), \( P_{3} \)\( (P_{4} /P_{0} /P_{1} /P_{2} ) \), and \( P_{4} \)\( (P_{0} /P_{1} /P_{2} /P_{3} ) \) follow the same process of \( P_{1} \)\( (P_{2} /P_{3} /P_{4} /P_{0} ) \) and send the new states to \( P_{3} \)\( (P_{4} /P_{0} /P_{1} /P_{2} ) \), \( P_{4} \)\( (P_{0} /P_{1} /P_{2} /P_{3} ) \), and \( P_{0} \)\( (P_{1} /P_{2} /P_{3} /P_{4} ) \), respectively. Finally, according to the key extraction stage, \( P_{0} \)\( (P_{1} /P_{2} /P_{3} /P_{4} ) \) can obtain the final shared key.

However, for example, if \( P_{1} \) and \( P_{3} \) are dishonest parties, they can easily eavesdrop on the sub-secret key of the honest party \( P_{2} \). That is, in step (4), the dishonest party \( P_{1} \) encodes the received photons with collective unitary operations decided according to the bit values of his sub-secret key. He also applies some extra collective unitary operations according to step (5). Then \( P_{1} \) sends the new photons (\( S_{2} \)) to the dishonest party \( P_{3} \) instead of the honest party \( P_{2} \) as illustrated in Fig. 2a. Also, \( P_{1} \) generates a fake sequence (\( S_{F1}^{1} \)) of ordered \( N \) single photons in both polarization and spatial-mode degrees of freedom as in step (2). Afterwards, \( P_{1} \) generates \( kN \) decoy photons and inserts them into the fake sequence \( S_{F1}^{1} \) for security checking. Then, \( P_{1} \) sends the sequence \( S_{F1}^{1} \) to the honest party \( P_{2} \). Upon receiving \( S_{F1}^{1} \), \( P_{2} \) executes the step \( (3) - (5) \) loyally because he does not know that the received sequence is fake. Hence, \( P_{2} \) encodes the received photons with collective unitary operations decided according to the bit values of his sub-secret key, and he also applies some extra collective unitary operations. Then \( P_{2} \) sends the new sequence (\( S_{F1}^{2} \)) to \( P_{3} \). \( P_{3} \) checks the security of the transmission with \( P_{2} \) using the decoy photons (Fig. 2).

Fig. 2
figure 2

Graphical representation of our suggested collusive attack strategy. In section a, the two dishonest parties \( P_{1} \) and \( P_{3} \) may collude to eavesdrop on the sub-secret key of the honest party \( P_{3} \) according to our attack strategy. In section b, \( \{ P_{1} ,P_{3} \} \) and \( \{ P_{2} ,P_{4} \} \) are two groups of dishonest parties, where the two dishonest parties in each group try to eavesdrop on the private information of the honest ones; in that case, Wang–Ma protocol is secure against our attack strategy

Full size image

Since \( P_{1} \) and \( P_{3} \) know all the information about \( S_{F1}^{1} \), \( P_{1} \) and \( P_{3} \) can easily recover \( P_{2} \)’s unitary operations that are applied to \( S_{F1}^{1} \) by comparing the measuring result of \( S_{F1}^{2} \) and the original states as shown in Table 1. For clarity, for \( N = 1 \), assume that \( P_{2} \)’s (the honest party) sub-secret key is “10”. According to Table 1, without considering the security check process, assume that the initiator \( P_{0} \) sends \( S_{0}^{1} \) (e.g. \( \left| H \right\rangle \left| {b_{1} } \right\rangle \)) to the dishonest party \( P_{1} \). \( P_{1} \) applies \( U^{1} = ({\text{e}} . {\text{g}} .\;\{ U_{P} \otimes I_{S} \} ) \) and \( U^{1C} = ({\text{e}} . {\text{g}} .\;\{ U_{P} \otimes U_{S} \} ) \) to the state \( \left| H \right\rangle \left| {b_{1} } \right\rangle \), where \( U^{1} \) represents unitary operation corresponding to the private information of \( P_{1} \) and \( U^{1C} \) represents an additional unitary operation to be applied to some particles. So, the evolved state is \( \left| H \right\rangle \left| {b_{2} } \right\rangle \). Also, \( P_{1} \) sends a fake state \( S_{F1}^{1} \)(e.g. \( \left| V \right\rangle \left| {b_{1} } \right\rangle \)) to the honest party \( P_{2} \). \( P_{2} \) applies \( U^{2} = \{ U_{P} \otimes I_{S} \} \) (where \( U^{2} \) represents his private information (i.e. 10)) and \( U^{2C} = ({\text{e}} . {\text{g}} .\;\{ U_{P} \otimes U_{S} \} ) \) to the fake state \( \left| V \right\rangle \left| {b_{1} } \right\rangle \). \( P_{2} \) then sends the evolved state to the dishonest \( P_{3} \). Subsequently, \( P_{3} \) measures \( P_{2} \)’s states getting the state \( \left| V \right\rangle \left| {b_{2} } \right\rangle \). \( P_{1} \) and \( P_{3} \) compare the initial fake state (i.e. \( \left| V \right\rangle \left| {b_{1} } \right\rangle \)) with the measuring result (i.e. \( \left| V \right\rangle \left| {b_{2} } \right\rangle \)), which means that \( P_{2} \) applied the overall unitary operation \( I_{P} \otimes U_{S} \) to \( \left| V \right\rangle \left| {b_{1} } \right\rangle \).

Table 1 Evolved states of the dishonest party \( P_{1} \) and the honest party \( P_{2} \)
Full size table

However, the goal of \( P_{1} \) and \( P_{3} \) is not to know the overall unitary operation but to recover \( U^{2} \) that represents the private information of \( P_{2} \). Thus, \( P_{1} \) and \( P_{3} \) register the previous information and wait for step (7), where every party publicly announces the information of extra collective unitary operation (i.e. \( U^{2C} = \{ U_{P} \otimes U_{S} \} \)). Finally, \( P_{1} \) and \( P_{3} \) can easily recover \( U^{2} ({\text{i}} . {\text{e}} .\;\{ U_{P} \otimes I_{S} \} ) \) with the help of Table 2 and \( U^{2C} = \{ U_{P} \otimes U_{S} \} \).

Table 2 Unitary operations that can be applied to the fake initial state (\( \left| V \right\rangle \left| {b_{1} } \right\rangle \)) when the evolved state is \( \pm \left| V \right\rangle \left| {b_{2} } \right\rangle \)
Full size table

3.2 Case 2: Wang–Ma protocol is secure against our attack strategy

Figure 2b shows that Wang–Ma protocol can resist our suggested attack strategy. For clarity, according to Fig. 2b, assume that there are two nested groups of dishonest parties \( \{ P_{1} ,P_{3} \} \) and \( \{ P_{2} ,P_{4} \} \), each group would like to steal the private information of the middle party. At the beginning, the initiator \( P_{0} \) sends the initial states \( S_{0}^{1} \) to \( P_{1} \). \( P_{1} \) applies her unitary operations to \( S_{0}^{1} \) and sends the evolved states to \( P_{3} \). Also \( P_{1} \) prepares a fake sequence (\( S_{F1}^{1} \)) and sends it to \( P_{2} \). Because \( \{ P_{2} ,P_{4} \} \) is another group of dishonest parties, they will not perform the process of the protocol honestly. So, \( P_{2} \) sends another fake sequence (\( S_{F2}^{1} \)) to \( P_{3} \). Now, \( P_{2} \) and \( P_{3} \) encode their information with two fake sequences producing two evolved fake sequences \( U^{2} U^{2C} S_{F1}^{2} \) and \( U^{3} U^{3C} S_{F2}^{3} \), respectively. Accordingly, \( P_{4} \) sends fake evolved sequence (i.e. \( U^{3} U^{3C} S_{F2}^{3} \)) to \( P_{0} \). Finally, in step (7), \( P_{0} \) checks the security of transmission, and she will find that the error rate is greater than the preset threshold, because the received operated sequence is not real. As a result, \( P_{0} \) ends the protocol and announces that the transmission is not secure. So, we can say that the Wang–Ma protocol is secure against our attack strategy in that case.

4 Improvement to Wang–Ma multiparty QKA protocol

In Wang–Ma multiparty QKA protocol, the security of the transmission between every two parties is checked by the parties themselves. Thus, this strategy enables the dishonest parties to deceive the honest ones and steal their sub-secret keys. Following some previous works [15, 46, 51] for solving such kinds of collusive attacks, we present here modifications to the steps 2, 3, and 7 of Wang–Ma multiparty QKA protocol to solve this defect (see also Fig. 3). The modifications are:

Fig. 3
figure 3

Graphical representation of our improvement to Wang–Ma multiparty QKA protocol for \( M = 4 \)

Full size image

(2*) Preparation stage The initiator \( P_{i} \) generates a sequence \( S_{i} \) of ordered \( N \) single photons in both polarization and spatial-mode degrees of freedom. And each photon in \( S_{i} \) in the state \( \left| \phi \right\rangle = \left| \phi \right\rangle_{P} \otimes \left| \phi \right\rangle_{S} \). \( P_{i} \) generates \( kN_{i} \) decoy single photons, where each photon is randomly in one of the states \( \{ \left| H \right\rangle ,\left| V \right\rangle ,\left| A \right\rangle_{P} ,\left| S \right\rangle_{P} \} \) for checking the quantum channel between \( P_{i} \) and \( P_{i + 1} \), and inserts them into \( S_{i} \). Also, \( P_{i} \) generates \( k^{i} \) decoy single photons and inserts them into \( S_{i} \) producing a new sequence \( S_{i}^{i} \). Then \( P_{i} \) sends \( S_{i}^{i} \) to \( P_{i + 1} \). Here, \( k^{i} \) is the decoy photon subsequence used for checking the security of the overall transmission, by the initiators \( P_{i} \).

(3*) Security detection stage \( P_{i + 1} \) uses the quantum filter and the photon number splitter device for avoiding a Trojan horse attack. Upon receiving \( S_{i}^{i} \), \( P_{i} \) informs \( P_{i + 1} \) the positions and the corresponding measuring bases of \( kN_{i} \). Hence, \( P_{i} \) and \( P_{i + 1} \) can check the security of the transmission. If the transmission is not secure, they terminate the protocol. Otherwise, \( P_{i} \) and \( P_{i + 1} \) continue to the encoding stage.

(7*) Key extraction stage Upon confirming that \( P_{1} , \ldots ,P_{i} , \ldots ,P_{M} \) have finished the step \( (1) - (6) \), the parties \( P_{M} , \ldots ,P_{i - 1} , \ldots ,P_{1} \) send \( S_{0}^{1} , \ldots ,S_{i}^{i - 1} , \ldots ,S_{M}^{M - 1} \) to \( P_{1} , \ldots ,P_{i} , \ldots ,P_{M} \), respectively. Afterwards, \( P_{M} \) and \( P_{1} \),…, \( P_{i - 1} \) and \( P_{i} \),…, \( P_{M - 1} \) and \( P_{M} \) check the security of the quantum channel using the decoy photons technique. If the transmission is not safe, they terminate the protocol. Otherwise, they move to the sub-step (7.1*).

(7.1*) Additional security detection stage Firstly, every party announces the information of the extra collective unitary operations. Secondly, \( P_{i} \) announces the positions of \( k^{i} \) and asks every party to announce the information of the collective unitary operations that were applied to it. \( P_{i} \) then applies the same unitary operations to \( k^{i} \) and measures each photon in \( k^{i} \) with the corresponding basis. Hence, \( P_{i} \) can judge whether the final transmission is secure or not. If not, \( P_{i} \) ends the protocol and announces that there is a collusive attack. Otherwise, \( P_{i} \) measures each photon in \( S_{i} \) with the corresponding basis. Finally, since \( P_{i} \) knows the initial states of all single photons in \( S_{i} \), \( K_{i}^{'} \) can be recovered by measuring \( S_{i} \). Hence, \( P_{i} \) can deduce the final shared key \( K \), where \( K = K_{i} \oplus K_{i}^{'} \).

Steps (1*), (4*), (5*), and (6*) will remain the same as steps (1), (4), (5), and (6) in Sect. 2. According to the above improvement, if the dishonest parties try to eavesdrop on the honest one by adopting the collusive attack strategy mentioned in Sect. 3.1, they will be detected in Step (7*) by the initiator \( P_{i} \). Thus, the privacy problem mentioned in Case 1 can be addressed.

5 Conclusion

This paper shows the security flaw of the Wang–Ma multiparty QKA protocol. In their protocol, the quantum channels among participants are checked using the decoy photon technique. However, we proved that two dishonest participants could deduce the secret key of an honest participant using a fake sequence of single photons without being detected. Moreover, an additional security detection process is suggested to avoid the security loophole in Wang–Ma’s protocol.