1 Introduction

The digital signature is a fundamental cryptographic primitive that has been applied in many cases where the integrity and non-repudiation of messages are essential [1]. Nevertheless, the security of traditional digital signature schemes generally relies on unproven assumptions about the intractability of certain hard mathematical problems, such as the integer factorization problem and the discrete logarithm problem. With the rapid development of computing technology, especially the emergence of advanced quantum algorithms [2], the security of traditional digital signature schemes is facing a serious challenge: once quantum computers are built, these schemes can be easily broken. The concept of unconditionally secure signature (USS) was therefore introduced by Chaum and Roijakkers [3]. It attracted much attention because of the advantage of unconditional security, and other proposals have since been presented besides the scheme of Chaum and Roijakkers [4]. However, most of these schemes depend on the assumption of either authenticated broadcast channels or a trusted third party, and crucially, all of them require secure channels, which cannot be realized with information-theoretic security using only classical communication [5].

Fortunately, the security of quantum digital signatures is based on the fundamental principles of quantum mechanics, and they therefore provide a new feasible route to USS. Since the concept of quantum digital signatures was first introduced in 2001 [20], many novel three-party USS proposals, covering both theoretical and experimental aspects [6,7,8,9,10,11,12,13,14,15,16,17,18,19], have been presented, making USS more and more practical. In contrast to the three-party case, multiparty quantum digital signature schemes have wider application. Nevertheless, it is very difficult to generalize a three-party quantum digital signature scheme to the multiparty case because its security is complex. As a result, there is very little work on multiparty quantum digital signature schemes. Recently, Arrazola et al. gave the first security framework suitable for quantum USS schemes involving an arbitrary number of participants [21]. In addition, they generalized a three-party quantum digital signature scheme to the multiparty case and proved its security against forging, repudiation and non-transferability. Most importantly, this generalized scheme retains the advantage of the three-party case that it can be implemented using any point-to-point quantum key distribution network and hence is easily realized in practice.

In this work, we analyze the security of the generalized multiparty quantum digital signature scheme [21] and propose a new attack strategy, namely a framing attack. Using this attack, a certain number of dishonest participants who collude with each other can cause an honest participant to be penalized without being caught cheating. To prevent the framing attack, we give the security requirements on the relations between the signing key and each verification key, as well as the relations among different verification keys. Furthermore, if a multiparty quantum digital signature scheme satisfies the given requirements, it is also secure against forging and repudiation, and therefore this work is useful for the further development of multiparty quantum digital signature schemes. On this basis, we present an effective way to deal with the security problem at the end.

2 The generalized multiparty quantum digital signature scheme

Before presenting the security analysis of the generalized multiparty quantum digital signature scheme, let us first briefly introduce the scheme. There are a signer \(P_{0}\) and N recipients \(P_{1},P_{2},\ldots ,P_{N}\) in this scheme, and the notations \(X=\{x_{1},x_{2},\ldots ,x_{M}\}\) and \(\varSigma =\{0,1\}^{K}\) denote the set of possible messages and the set of possible signatures, respectively, where \(K=nN\) is the total length of a signature (n is an integer divisible by N). The fraction of dishonest participants is defined as \(d_{f}=1-h/N\), which determines the maximum verification level \(l_{\mathrm{max}}\) by

$$\begin{aligned} (l_{\mathrm{max}}+1)d_{f}<\frac{1}{2}, \end{aligned}$$
(1)

where h is the number of honest participants. The procedure of the scheme can be described as follows.

  (1) Every recipient \(P_{i}\) \((i=1,2,\ldots ,N)\) shares a secret key of nM bits with \(P_{0}\) and a secret key of \(2\frac{nM}{N}(1+\left\lceil \log _{2}n\right\rceil )\) bits with each of the other recipients \(P_{j}\) \((j\ne i)\), which can be accomplished by quantum key distribution, where M is a positive integer and denotes the number of possible messages in X.

  (2) For each possible message \(x\in X\), \(P_{0}\) selects a string \(\sigma ^{x}\) of \(K=nN\) bits uniformly at random and divides it into N sections \(\{\sigma _{1}^{x},\sigma _{2}^{x},\ldots ,\sigma _{N}^{x}\}\). \(P_{0}\) transmits \(\sigma _{i}^{x}\) to \(P_{i}\) \((i=1,2,\ldots ,N)\) via a secure channel using the shared secret keys.

  (3) For each possible message \(x\in X\), \(P_{i}\) randomly divides the set \(\{1,2,\ldots ,n\}\) into N disjoint subsets \(\{p_{i,1}^{x},p_{i,2}^{x},\ldots ,p_{i,N}^{x}\}\) and uses the bit values of \(\sigma _{i}^{x}\) at the randomly chosen positions \(p_{i,j}^{x}\) to form the string \(v_{i,j}^{x}\).

  (4) For all \(i\ne j\), every participant \(P_{i}\) sends the string \(v_{i,j}^{x}\) and the positions \(p_{i,j}^{x}\) to participant \(P_{j}\) via a secure channel using their shared secret keys. \(P_{i}\) keeps \(v_{i,i}^{x}\) and \(p_{i,i}^{x}\) to himself.

  (5) Every participant \(P_{j}\) defines a test for a section \(\sigma _{i}^{x}\) as follows. They form a shorter string \(\sigma _{i,j}^{x}\) from \(\sigma _{i}^{x}\) by choosing just the bits corresponding to the positions \(p_{i,j}^{x}\). Then the test is defined as

    $$\begin{aligned} T_{i,j,l}^{x}(\sigma _{i}^{x})=\begin{cases} 1 & \text{if}~h(\sigma _{i,j}^{x},v_{i,j}^{x})<s_{l}\frac{n}{N} \\ 0 & \text{otherwise} \end{cases} \end{aligned}$$
    (2)

    where \(h(\sigma _{i,j}^{x},v_{i,j}^{x})\) is the Hamming distance between \(\sigma _{i,j}^{x}\) and \(v_{i,j}^{x}\), and \(s_{l}\) is a defined fraction that satisfies

    $$\begin{aligned} \frac{1}{2}>s_{-1}>s_{0}>s_{1}>\cdots >s_{l_{\mathrm{max}}}. \end{aligned}$$
    (3)

  (6) The verification function for a message–signature pair is defined as

    $$\begin{aligned} \texttt {Ver}_{(i,l)}(x,\sigma )=\begin{cases} \texttt {True} & \text{if}~\sum _{j=1}^{n}T_{j,i,l}^{x}(\sigma _{j}^{x})>Nf_{l} \\ \texttt {False} & \text{otherwise} \end{cases} \end{aligned}$$
    (4)

    where \(f_{l}\) is a threshold given by

    $$\begin{aligned} f_{l}=\frac{1}{2}+(l+1)d_{f}. \end{aligned}$$
    (5)

  (7) \(\texttt {Sign}(x)=\sigma _{x}\) is the signature function.

  (8) The dispute resolution method is majority vote (MV).

3 The cryptanalysis

As mentioned in [21], in traditional digital signature schemes based on public-key cryptography the validity of a message–signature pair is tested by a public verification function, whereas in USS schemes different participants have different verification functions, which makes it possible in principle for two or more participants to disagree on the validity of a message–signature pair. Consequently, USS schemes must have a mechanism to judge the authenticity of a message–signature pair when some subset of users disagree on whether it should be accepted. In particular, dispute resolution is necessary to convince an outsider of the authenticity of a disputed message–signature pair. In traditional digital signature schemes anyone has access to the public verification method, and in this sense there are no outsiders to the scheme. Furthermore, it has been shown that a USS scheme that satisfies the definition of unforgeability and has an appropriate dispute resolution method also satisfies non-repudiation and transferability, both of which are essential for any reasonable signature scheme. Dispute resolution is therefore necessary and crucial to a USS scheme.

A simple strategy for dispute resolution is to designate a trusted arbiter who has the final word on the validity of a message–signature pair [22,23,24]. Obviously, the drawback of this strategy is the necessity of trust. Another strategy for dispute resolution is MV, in which more than half of the users determine whether a message–signature pair is valid, so that the security of the scheme no longer depends on an arbiter. Owing to this advantage, it has been adopted in many quantum digital signature schemes [6,7,8,9,10,11,12,13,14,15,16,17,18,19, 21]. However, the MV strategy requires all the participants to vote on the validity of a message–signature pair, and it is therefore rather complicated and resource expensive. It is thus expected that dispute resolution will be invoked relatively rarely; otherwise it will greatly decrease the efficiency and restrict the application of this kind of quantum digital signature scheme in practice. To attain this goal, some penalties should be introduced in the scheme; for example, the participant who loses in MV is made responsible for the expensive resources. In this way, a rational participant, whether honest or dishonest, will avoid any action that could lead to someone invoking dispute resolution if he might lose it. In this sense, dispute resolution hardly affects the effectiveness of the scheme.

To guarantee security and reduce the invoking of dispute resolution, two different types of thresholds \(s_{l}\) and \(f_{l}\) are chosen in the generalized multiparty quantum digital signature scheme, both of which depend on the verification level l and are determined by the real fraction \(d_{f}\) of dishonest participants. The first threshold \(s_{l}\) is used to determine whether a given part of the message–signature pair passes the test or not by Eq. (2). The second threshold \(f_{l}\) is used to determine how many parts of the message–signature pair need to pass the test in order for it to be accepted at this level by Eq. (4). It is evident that two honest participants can differ by at most \(d_{f}N\) tests, and it is therefore thought that an attack that makes honest participants disagree on the validity of a message–signature pair can be effectively prevented by choosing \(f_{l}\) and \(f_{l-1}\) such that

$$\begin{aligned} f_{l}-f_{l-1}>d_{f} \end{aligned}$$
(6)

from Eq. (4). Nevertheless, to choose proper thresholds \(f_{l}\) and \(f_{l-1}\) that satisfy Ineq. (6), the number of dishonest participants must be made clear to each recipient \(P_{i}\) \((i=1,2,\ldots ,N)\).

Unfortunately, nobody except the party concerned can determine whether a participant is honest or dishonest, which means the real fraction \(d_{f}\) of dishonest participants is unknown to the other participants. In general, both thresholds \(s_{l}\) and \(f_{l}\) should be preset according to the security requirements of the practical application. As a result, there is no way to guarantee that the thresholds \(f_{l}\) and \(f_{l-1}\) satisfy Ineq. (6), which gives dishonest participants a chance to deceive. Specifically, we propose a new attack strategy, which for simplicity we name a framing attack, whereby dishonest participants can frame an honest participant in dispute resolution. Suppose that the verification threshold \(f_{l}\) is set in advance; then the signer \(P_{0}\) can frame an honest participant by colluding with \(n'\) dishonest participants, where \(n'=N-[Nf_{l}]-1<\frac{N}{2}\) and [ ] denotes the integer part of a real number.

Without loss of generality, suppose that the first \(n'\) participants \(P_{1},P_{2},\ldots ,P_{n'}\) are dishonest, and they collude with \(P_{0}\) to frame an honest participant \(P_{n'+1}\); the framing attack can be described as follows.

  (i) This step is the same as step (1).

  (ii) This step is the same as step (2) except that the signer \(P_{0}\) sends a fake section \(\sigma _{n'+1}^{x'}\) to \(P_{n'+1}\).

  (iii) This step is the same as step (3).

  (iv) For all \(i\ne j\), every participant \(P_{i}\) transmits the string \(v_{i,j}^{x}\) and the positions \(p_{i,j}^{x}\) to participant \(P_{j}\) over a secure channel using their shared secret keys, except that the \(n'\) dishonest participants \(P_{1},P_{2},\ldots ,P_{n'}\) each send a fake string \(v_{i,n'+1}^{x'}\) \((i=1,2,\ldots ,n'+1)\) to the participant \(P_{n'+1}\). The participant \(P_{i}\) keeps \(v_{i,i}^{x}\) and \(p_{i,i}^{x}\) to himself.

  (v) The remaining steps are the same as those in the generalized multiparty quantum digital signature scheme.

From this attack, it can be seen that every participant \(P_{i}(i\ne n'+1)\) holds \(N-1\) normal strings \(v_{1,i}^{x},v_{2,i}^{x},\ldots ,v_{n',i}^{x},v_{n'+2,i}^{x},\ldots ,v_{N,i}^{x}\) and a fake string \(v_{n'+1,i}^{x}\), whereas the participant \(P_{n'+1}\) holds \(N-n'-1\) normal strings \(v_{n'+2,n'+1}^{x},v_{n'+3,n'+1}^{x},\ldots ,v_{N,n'+1}^{x}\) and \(n'+1\) fake strings \(v_{1,n'+1}^{x},v_{2,n'+1}^{x},\ldots ,v_{n'+1,n'+1}^{x}\). As in the generalized multiparty quantum digital signature scheme, all the normal strings pass the verification at level l in Eq. (2) because no extra errors are introduced, but the dishonest participants can make the fake strings fail the same verification by flipping all or most of the bit values when sending them. Accordingly, for each participant \(P_{i}(i=1,2,\ldots ,n')\),

$$\begin{aligned} \sum _{j=1}^{n}T_{j,i,l}^{x}(\sigma _{j}^{x})=N-1>Nf_{l}. \end{aligned}$$
(7)

As a result, the message–signature pair \((x,\sigma _{x})\) can pass the verification of each participant \(P_{i}(i=1,2,\ldots ,n')\). Nevertheless, for the participant \(P_{n'+1}\),

$$\begin{aligned} \sum _{j=1}^{n}T_{j,n'+1,l}^{x}(\sigma _{j}^{x})&=N-(n'+1)\\ &=N-(N-[Nf_{l}]-1+1)\\ &=[Nf_{l}]\\ &<Nf_{l}, \end{aligned}$$
(8)

which means that the message–signature pair \((x,\sigma _{x})\) cannot pass the participant \(P_{n'+1}\)’s verification, and therefore there is a disagreement on the validity of the message–signature pair \((x,\sigma _{x})\). As mentioned in [21], when a dispute on the validity of a message–signature pair \((x,\sigma _{x})\) is invoked, an MV dispute resolution method \(\texttt {MV}(x;\sigma _{x})\) is defined by the following rule:

  1. \(\texttt {MV}(x;\sigma _{x})\) = Valid if \(\texttt {Ver}(i,-1)\) = True for more than half of the participants.

  2. \(\texttt {MV}(x;\sigma _{x})\) = Invalid otherwise, where \(\texttt {Ver}(i,-1)\) is the verification function at the level \(l=-1\).

Since \(s_{-1}>s_{0}>s_{1}>\cdots >s_{l_{\mathrm{max}}}\), we can get \(h(\sigma _{i,j}^{x},v_{i,j}^{x})<s_{-1}\frac{n}{N}\) from \(h(\sigma _{i,j}^{x},v_{i,j}^{x})<s_{l}\frac{n}{N}\). Therefore, for each participant \(P_{i}(i=1,2,\ldots ,n',n'+2,\ldots ,N)\), \(\texttt {Ver}(i,-1)\) = True. Clearly, there are \(N-1>\frac{N}{2}\) participants who will vote that the message–signature pair \((x,\sigma _{x})\) is true when \(N>2\), and thus \(\texttt {MV}(x;\sigma _{x})\) = Valid. As mentioned above, the honest participant \(P_{n'+1}\) who loses in the MV will be responsible for the expensive resources. At this point, the framing attack has been successfully completed.
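The accounting in Eqs. (7) and (8) can be reproduced with a small classical simulation of steps (1)–(8) and of the deviations in steps (ii) and (iv). This is an added example, not code from the paper or from [21]; the parameter values (\(N=10\), \(n=200\), preset \(f_{l}=13/20\), \(s_{l}=3/10\), \(s_{-1}=2/5\)), the function names, and the choice of flipping every bit of a fake section or string are assumptions made for the illustration.

```python
from fractions import Fraction
import math
import random


def flip(bits):
    return [b ^ 1 for b in bits]


def distribute(N, n, rng, framed=None, colluders=frozenset()):
    """Steps (1)-(4) for one message x; recipients are numbered 1..N.

    Returns (sigma, held): sigma[i] is the signer's section sigma_i, and
    held[j][i] = (p_{i,j}, v_{i,j}) is what P_j stores about section i.
    """
    ids = range(1, N + 1)
    sigma = {i: [rng.randrange(2) for _ in range(n)] for i in ids}
    held = {j: {} for j in ids}
    size = n // N
    for i in ids:
        # Step (ii): the colluding signer sends the framed recipient a fake section.
        received = flip(sigma[i]) if i == framed else sigma[i]
        positions = list(range(n))
        rng.shuffle(positions)                      # step (3): random partition
        for k, j in enumerate(ids):
            p = sorted(positions[k * size:(k + 1) * size])
            v = [received[q] for q in p]
            # Step (iv): colluders flip the string they send to the framed recipient.
            if j == framed and i in colluders:
                v = flip(v)
            held[j][i] = (p, v)
    return sigma, held


def passed_tests(sigma, held_by_i, s, n, N):
    """Number of sections that pass the test T of Eq. (2) for one recipient."""
    count = 0
    for j, (p, v) in held_by_i.items():
        distance = sum(sigma[j][q] != bit for q, bit in zip(p, v))
        count += distance < s * Fraction(n, N)
    return count


def verify(sigma, held_by_i, s, f, n, N):
    """Ver of Eq. (4): accept when more than N*f sections pass."""
    return passed_tests(sigma, held_by_i, s, n, N) > N * f


def majority_vote(sigma, held, s_minus1, n, N):
    """MV: Valid when Ver(i,-1) is True for more than half; f_{-1} = 1/2 (Eq. (11))."""
    votes = sum(verify(sigma, held[i], s_minus1, Fraction(1, 2), n, N) for i in held)
    return votes > N / 2


def run(N, n, f_l, s_l, s_minus1, framing, seed=1):
    rng = random.Random(seed)
    n_prime = N - math.floor(N * f_l) - 1           # n' = N - [N f_l] - 1
    framed = n_prime + 1 if framing else None
    colluders = frozenset(range(1, n_prime + 1)) if framing else frozenset()
    sigma, held = distribute(N, n, rng, framed, colluders)
    counts = {i: passed_tests(sigma, held[i], s_l, n, N) for i in held}
    verdicts = {i: counts[i] > N * f_l for i in held}
    return {"n_prime": n_prime, "framed": framed, "counts": counts,
            "verdicts": verdicts,
            "mv_valid": majority_vote(sigma, held, s_minus1, n, N)}


# Constructed parameters (assumptions, not values from the paper).
PARAMS = dict(N=10, n=200, f_l=Fraction(13, 20),
              s_l=Fraction(3, 10), s_minus1=Fraction(2, 5))

if __name__ == "__main__":
    for framing in (False, True):
        r = run(framing=framing, **PARAMS)
        label = "framing" if framing else "honest"
        print(label, r["counts"], r["verdicts"], "MV valid:", r["mv_valid"])
```

Running a scheme's preset thresholds through such a check shows how many colluding recipients \(n'\) are enough for one recipient to reject at level \(l\) while MV still returns Valid.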

It should be noted that this attack is significant in practice. For example, suppose that the honest participant \(P_{n'+1}\) is a bank and the signer \(P_{0}\) represents a company that signs a cheque. Under this attack the cheque is refused by the bank \(P_{n'+1}\) because it cannot pass the bank's verification, which will have a bad influence on the reputation of the bank \(P_{n'+1}\).

4 The relations among different keys

In this section, we give the relations between the signing key and the verification key, as well as the relations among different verification keys in the generalized multiparty quantum digital signature scheme, which are useful for dealing with the framing attack. For simplicity, assume that the signing key for the message x is \(K_{P_{0}}^{x}\), and the corresponding verification key held by the recipient \(P_{i}\) \((i=1,2,\ldots ,N)\) is \(K_{P_{i}}^{x}\).

Let us first analyze the relations between the signing key \(K_{P_{0}}^{x}\) and the verification key \(K_{P_{i}}^{x}\) in the generalized multiparty quantum digital signature scheme. The requirements are the same as in traditional digital signature schemes based on public-key cryptography: on the one hand, the signing key \(K_{P_{0}}^{x}\) and the verification key \(K_{P_{i}}^{x}\) must be closely correlated in order for the message–signature pair \((x,\sigma _{x})\) to pass the verification of recipient \(P_{i}\); on the other hand, to prevent the repudiation of the signer \(P_{0}\), the signing key \(K_{P_{0}}^{x}\) must be different from the verification key \(K_{P_{i}}^{x}\) and must not be derivable from it. Furthermore, the signing key \(K_{P_{0}}^{x}=\sigma ^{x}\) is in fact the signature \(\sigma _{x}\) on the message x, but the verification key \(K_{P_{i}}^{x}\) is just a part of \(K_{P_{0}}^{x}\), i.e.,

$$\begin{aligned} K_{P_{i}}^{x}=\sigma _{i}^{x}||v_{1,i}^{x}||v_{2,i}^{x}||\cdots ||v_{i-1,i}^{x}||v_{i+1,i}^{x}||\cdots ||v_{N-1,i}^{x}||v_{N,i}^{x}, \end{aligned}$$
(9)

where the notation || denotes the concatenation of bit strings. Clearly, the signer \(P_{0}\) does not know the remaining bits of \(K_{P_{i}}^{x}\) except \(\sigma _{i}^{x}\) because he has no access to the precise positions \(p_{j,i}^{x}\) of each section \(v_{j,i}^{x}\) \((j\ne i)\) in \(K_{P_{0}}^{x}\). In other words, the signer \(P_{0}\) holds all bits of the signing key \(K_{P_{0}}^{x}\) and every recipient \(P_{i}\) only knows a fraction of it, i.e.,

$$\begin{aligned} \frac{1}{N}+(N-1)\frac{1}{N^2}=\frac{2N-1}{N^2}, \end{aligned}$$
(10)

but the signer \(P_{0}\) does not know the part \(K_{P_{i}}^{x}\) held by \(P_{i}\) except \(\sigma _{i}^{x}\), which is similar to establishing an oblivious key between the signer \(P_{0}\) and the recipient \(P_{i}\). Because of this property, it is possible for multiple dishonest recipients to forge a valid message–signature pair \((x,\sigma _{x})\) if the fraction of the signing key \(K_{P_{0}}^{x}\) they know is large enough. As mentioned in the generalized multiparty quantum digital signature scheme [21], when a dispute on the validity of a message–signature pair \((x,\sigma _{x})\) arises, dispute resolution is invoked and gives the final judgement by the MV strategy; specifically, if more than half of the participants vote “True” on \((x,\sigma _{x})\), all participants must accept that it is valid. Additionally, a participant \(P_{i}\) votes “True” in MV if and only if \(\texttt {Ver}(i,-1)\) = True. Here \(l=-1\) is chosen mainly to prevent the repudiation of the signer \(P_{0}\), but in this case,

$$\begin{aligned} f_{l}=f_{-1}=\frac{1}{2}+(-1+1)d_{f}=\frac{1}{2}. \end{aligned}$$
(11)

Consequently, the number of honest participants must be more than \(\frac{N}{2}\), which accords with the prior assumption on security. Conversely, the security of the scheme can be guaranteed only if the number of dishonest participants is less than \(\frac{N}{2}\), which means the scheme can tolerate the worst case of \(\frac{N}{2}-1\) dishonest participants. In that case, the fraction of the signing key \(K_{P_{0}}^{x}\) that the \(\frac{N}{2}-1\) dishonest participants know is

$$\begin{aligned} ||\bigcup _{j=1}^{\frac{N}{2}-1}K_{P_{i_{j}}}^{x}||\div ||K_{P_{0}}^{x}||&=\frac{1}{N}\left( \frac{N}{2}-1\right) +\frac{1}{N^{2}}\left( \frac{N}{2}-1\right) \left( \frac{N}{2}+1\right) \\ &=\frac{3}{4}-\frac{N+1}{N^{2}} \end{aligned}$$
(12)

where \(i_{j}\in \{1,2,\dots ,N\}\) and the notation || || denotes the length of a bit string. The fraction \(\frac{3}{4}-\frac{N+1}{N^{2}}\) approaches \(\frac{3}{4}\) as the number N increases. Therefore, to resist a joint forgery attack, the fraction of the signing key \(K_{P_{0}}^{x}\) that dishonest participants are allowed to know must be no more than \(\frac{3}{4}-\frac{N+1}{N^{2}}\), an upper bound that is close to \(\frac{3}{4}\).

Secondly, let us analyze the relations among the different verification keys \(K_{P_{1}}^{x},K_{P_{2}}^{x},\dots ,K_{P_{N}}^{x}\) in the generalized multiparty quantum digital signature scheme. Because each verification key \(K_{P_{i}}^{x}\) is a part of the signing key \(K_{P_{0}}^{x}\) and the signature \(\sigma _{x}\) on a message x is the signing key \(K_{P_{0}}^{x}\), any two verification keys \(K_{P_{i}}^{x}\) and \(K_{P_{j}}^{x}\) must be different to prevent forgery by dishonest participants. At the same time, any two verification keys \(K_{P_{i}}^{x}\) and \(K_{P_{j}}^{x}\) must be closely correlated to guarantee the transferability of the message–signature pair \((x,\sigma _{x})\). From Eq. (9), it can be seen that each verification key \(K_{P_{i}}^{x}\) held by \(P_{i}\) consists of N sections, of which \(\sigma _{i}^{x}\) comes directly from the signer \(P_{0}\), and the remaining ones come from the other \(N-1\) recipients, respectively. By a simple deduction, the common part of any two verification keys \(K_{P_{i}}^{x}\) and \(K_{P_{j}}^{x}\) is found to be \(v_{i,j}^{x}\) and \(v_{j,i}^{x}\), that is \(K_{P_{i}}^{x}\bigcap K_{P_{j}}^{x}=v_{i,j}^{x}||v_{j,i}^{x}\), which takes up

$$\begin{aligned} ||K_{P_{i}}^{x}\bigcap K_{P_{j}}^{x}||\div ||K_{P_{i}}^{x}||&=2\times \frac{1}{N^{2}}\div \frac{2N-1}{N^2}\\ &=\frac{2}{2N-1} \end{aligned}$$
(13)

of them, respectively.

To sum up, in the generalized multiparty quantum digital signature scheme, the relation between the signing key \(K_{P_{0}}^{x}\) and each verification key \(K_{P_{i}}^{x}\) is an imperfect oblivious key relation between the signer \(P_{0}\) and the recipient \(P_{i}\), and no more than a fraction \(\frac{3}{4}-\frac{N+1}{N^{2}}\) of the signing key \(K_{P_{0}}^{x}\) can be derived from \(\frac{N}{2}-1\) different verification keys. Furthermore, any two verification keys \(K_{P_{i}}^{x}\) and \(K_{P_{j}}^{x}\) have a common part to guarantee their correlation, but the fraction of the common part is not very large \((\frac{2}{2N-1})\), to prevent forgery by dishonest participants.
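The fractions in Eqs. (10), (12) and (13) can be cross-checked by constructing the position sets of step (3) and counting bits of the signing key. This is an added example, not code from the paper; \(N=10\), \(n=50\), the seed and the function names are assumptions chosen for the illustration.

```python
from fractions import Fraction
from itertools import combinations
import random


def random_partitions(N, n, rng):
    """p[i][j]: the n/N positions of sigma_i whose bits P_i sends to P_j (step (3))."""
    size = n // N
    p = {}
    for i in range(1, N + 1):
        order = list(range(n))
        rng.shuffle(order)
        p[i] = {j: set(order[(j - 1) * size:j * size]) for j in range(1, N + 1)}
    return p


def verification_key_bits(i, p, n):
    """Bits of the signing key covered by K_{P_i} (Eq. (9)), as (section, position) pairs."""
    bits = {(i, q) for q in range(n)}              # sigma_i, received from P_0
    for j in p:
        if j != i:
            bits |= {(j, q) for q in p[j][i]}      # v_{j,i}, received from P_j
    return bits


def key_fractions(N, n, seed=7):
    """Return the sets of distinct values observed for Eqs. (10), (12) and (13)."""
    rng = random.Random(seed)                      # constructed seed
    p = random_partitions(N, n, rng)
    keys = {i: verification_key_bits(i, p, n) for i in p}
    total = n * N                                  # ||K_{P_0}|| = K = nN

    # Eq. (10): fraction of the signing key known to a single recipient.
    single = {Fraction(len(k), total) for k in keys.values()}

    # Eq. (12): fraction known jointly by every possible coalition of N/2 - 1 recipients.
    coalition = set()
    for members in combinations(keys, N // 2 - 1):
        union = set().union(*(keys[i] for i in members))
        coalition.add(Fraction(len(union), total))

    # Eq. (13): common part of two verification keys relative to one key.
    overlap = {Fraction(len(keys[i] & keys[j]), len(keys[i]))
               for i, j in combinations(keys, 2)}
    return single, coalition, overlap


if __name__ == "__main__":
    N = 10
    single, coalition, overlap = key_fractions(N, 50)
    print("Eq. (10):", single, "expected", Fraction(2 * N - 1, N * N))
    print("Eq. (12):", coalition, "expected", Fraction(3, 4) - Fraction(N + 1, N * N))
    print("Eq. (13):", overlap, "expected", Fraction(2, 2 * N - 1))
```

Each returned set contains a single value, so the fractions do not depend on the random partition or on which recipients form the coalition.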

5 The way to resist the framing attack

Now let us discuss how to prevent the proposed framing attack. From Steps (ii) and (iv) in Sect. 3, it can be seen that the key to the success of this attack is that the dishonest participants \(P_{0},P_{1},P_{2},\ldots ,P_{n'}\) can send fake sections of the verification key to the honest participant \(P_{n'+1}\) without being caught cheating. In this way, they make the fraction of fake sections in the verification key \(K_{P_{n'+1}}^{x}\) exceed the allowable threshold \(1-f_{l}\), which gives rise to \(P_{n'+1}\)’s disagreement on the validity of the message–signature pair \((x,\sigma _{x})\). At the same time, by sending the real sections to the other participants, they make more than half of the participants vote in dispute resolution that the message–signature pair \((x,\sigma _{x})\) is true. Thus, if there is a way for \(P_{n'+1}\) to detect the deception by these dishonest participants, the framing attack can be effectively prevented. Nevertheless, his verification key \(K_{P_{n'+1}}^{x}=\sigma _{n'+1}^{x}||v_{1,n'+1}^{x}||v_{2,n'+1}^{x}||\cdots ||v_{n',n'+1}^{x}||v_{n'+2,n'+1}^{x}||\cdots ||v_{N-1,n'+1}^{x}||v_{N,n'+1}^{x}\) comes directly from \(P_{0}\) and the other \(N-1\) recipients, which means everyone knows exactly the part sent by himself, and thus there is no way for \(P_{n'+1}\) to tell whether a received section is true or not in the distribution stage if the signer \(P_{0}\) colludes with the \(n'\) recipients \(P_{1},P_{2},\ldots ,P_{n'}\). Worse still, there is also no way for \(P_{n'+1}\) to prove in dispute resolution that the fake sections come from these dishonest participants \(P_{0},P_{1},P_{2},\ldots ,P_{n'}\). Therefore, this way is not feasible with the present method of establishing the signing key and verification keys in the generalized multiparty quantum digital signature scheme.

The second way for \(P_{n'+1}\) is to avoid inducing disagreement on the validity of the message–signature pair \((x,\sigma _{x})\) by lowering the verification threshold \(f_{l}\). Nevertheless, the number \(n'\) of dishonest recipients depends on the threshold \(f_{l}\), and thus once the threshold \(f_{l}\) is set, there always exists a number \(n'\) that can make the inequality

$$\begin{aligned} \sum _{j=1}^{n}T_{j,n'+1,l}^{x}(\sigma _{j}^{x})<Nf_{l} \end{aligned}$$
(14)

hold no matter how small \(f_{l}\) is. In addition, although the required number \(n'\) of dishonest recipients becomes larger and larger as the verification threshold \(f_{l}\) is lowered, \(n'\) is always less than \(\frac{N}{2}\) under the condition that the threshold \(f_{l}\) must be not less than \(\frac{1}{2}\). Therefore, these dishonest participants \(P_{0},P_{1},P_{2},\ldots ,P_{n'}\) can always create a disagreement on the validity of the message–signature pair \((x,\sigma _{x})\), which means this way is also not feasible.

The third way for \(P_{n'+1}\) is to make at least \(\frac{N}{2}\) participants agree in MV that the message–signature pair \((x,\sigma _{x})\) is invalid. For each other honest participant \(P_{i}(i=n'+2,\ldots ,N)\), \(\sum _{j=1}^{n}T_{j,i,l}^{x}(\sigma _{j}^{x})=N-1\); for \(P_{i}\) to vote “False”, the verification function \(\texttt {Ver}(i,-1)\) needs to be redefined as

$$\begin{aligned} \texttt {Ver}_{(i,l)}(x,\sigma )=\begin{cases} \texttt {True} & \text{if}~\sum _{j=1}^{n}T_{j,i,l}^{x}(\sigma _{j}^{x})=N \\ \texttt {False} & \text{otherwise} \end{cases} \end{aligned}$$
(15)

which will give rise to the worst security problem of repudiation because \(f_{l}=1\gg f_{-1}=\frac{1}{2}\). Accordingly, this way is also not feasible. Another possible way is not to penalize the loser in dispute resolution, but this will greatly affect the effectiveness of the scheme, and therefore a balance between the penalization and effectiveness should be considered in a practical application.

From the above analysis, it can be seen that there is no good way to prevent the framing attack with the present method of establishing the signing key and verification keys in the generalized multiparty quantum digital signature scheme.

Finally, let us study how to resist the framing attack by establishing a new signing key and new verification keys in multiparty quantum digital signature schemes. From the perspective of the relations among different keys, the main reason for this security problem is that the relation between the signing key \(K_{P_{0}}^{x}\) and each verification key \(K_{P_{i}}^{x}\) is not fully asymmetrical and each other recipient \(P_{j} (j\ne i)\) knows exactly one part \(v_{j,i}^{x}\) of \(K_{P_{i}}^{x}\), which gives these dishonest participants \(P_{0},P_{1},P_{2},\ldots ,P_{n'}\) a chance to frame \(P_{n'+1}\) by sending him fake sections \(\sigma _{n'+1}^{x}||v_{1,n'+1}^{x}||v_{2,n'+1}^{x}||\cdots ||v_{n',n'+1}^{x}\). Therefore, if a perfect oblivious key is established between the signer \(P_{0}\) and each recipient \(P_{i} (i=1,2,\dots ,N)\), and any two verification keys \(K_{P_{i}}^{x}\) and \(K_{P_{j}}^{x}\) have a common part unknown to both \(P_{i}\) and \(P_{j}\) while the fraction of this part satisfies some restriction, the framing attack can be effectively prevented. More specifically, to prevent the framing attack and guarantee the security of the signature against forging and repudiation, the relations among different keys should satisfy the following security requirements.

  (a) The relation between the signing key \(K_{P_{0}}^{x}\) and each verification key \(K_{P_{i}}^{x}\) is perfectly oblivious, and \(\frac{||K_{P_{i}}^{x}||}{||K_{P_{0}}^{x}||} \ge \frac{2N-1}{N^2}\) for \(i=1,2,\dots ,N\).

  (b) \(\frac{||\bigcup _{j=1}^{\frac{N}{2}-1}K_{P_{i_{j}}}^{x}||}{||K_{P_{0}}^{x}||}\le \frac{3}{4}-\frac{N+1}{N^{2}}\), \(i_{j}\in \{1,2,\dots ,N\}\).

  (c) \(K_{P_{i}}^{x}\bigcap K_{P_{j}}^{x}\) is unknown to both \(P_{i}\) and \(P_{j}\), and \(\frac{2}{2N-1}\le \frac{||K_{P_{i}}^{x}\bigcap K_{P_{j}}^{x}||}{||K_{P_{i}}^{x}||}\le k_{s_{l}}\ll 1\) for all \(i \ne j\), where the upper bound \(k_{s_{l}}\) depends on the verification threshold \(s_{l}\).

The signing key \(K_{P_{0}}^{x}\) and each verification key \(K_{P_{i}}^{x}\) that satisfy all the requirements (a)–(c) can be established by a one-to-many oblivious transfer. It should be noted that oblivious transfer has been realized and applied in quantum private queries [23,24,25,26,27,28]. Furthermore, both the upper bound and the lower bound in these requirements are obtained from the generalized multiparty quantum digital signature scheme and may not be optimal; in this sense, these requirements are not necessary for designing a secure multiparty quantum digital signature scheme.

6 Conclusion

In conclusion, we analyze the security of a multiparty quantum digital signature scheme and propose a framing attack. Using this attack, a certain number of dishonest recipients \(P_{1},P_{2},\ldots ,P_{n'}\) can frame an honest participant \(P_{n'+1}\) without being caught cheating when they collude with the signer \(P_{0}\), which conflicts with the security requirements of USS. Furthermore, we study the relations among different keys and then give the security requirements (a)–(c), which are sufficient to design a secure multiparty quantum digital signature scheme. On this basis, we present an effective way to deal with the security problem at the end. Finally, it should be noted that this analysis method may be valid for many multiparty digital signatures under a model similar to that in [21], but this does not mean it can be extended to arbitrary multiparty digital signatures. For example, in a multiparty digital signature scheme with a trusted third party, disputes are resolved by the trusted third party rather than by MV, which excludes the conditions under which this analysis method can be applied. We hope this work sheds some light on the further development of multiparty quantum digital signatures.