Tokenized Signatures in Quantum Cryptography

• Tokenized signatures are protocols that generate a one-time quantum token linked to classical keys, ensuring unclonability and secure delegation.
• They leverage hidden subspace techniques and quantum measurements to achieve revocability, testability, and everlasting security against forgery.
• Applications range from secure access control and offline key management to converting quantum tokens into classical signatures through collision-resistant hashes.

A tokenized signature scheme in quantum cryptography is a protocol that combines the informational unclonability of quantum states with standard cryptographic notions of signatures, yielding a fully public-key, one-time-use quantum token that enables the bearer to sign a single message. The token is consumed upon use, resulting in a classical signature verifiable via a known public key. The underlying construction draws inspiration from quantum money, particularly the Aaronson–Christiano hidden-subspace scheme, and extends it to practical digital signatures with additional functionalities such as revocability and testability. Tokenized signatures thus allow cryptographically secure delegation of signing authority with intrinsic copy-resistance and significant flexibility.

1. Formal Definition and Syntax

A tokenized signature scheme (TS) consists of the following quantum-capable algorithms:

• KeyGen: $(k_{pk}, k_{sk}) \gets \mathsf{KeyGen}(1^\kappa)$ generates a public and secret key pair given security parameter $\kappa$.
• TokGen: $\tau \gets \mathsf{TokGen}(k_{sk})$ creates a fresh, unclonable quantum signing token $\tau$ using the secret key.
• Sign: $\sigma \gets \mathsf{Sign}(\alpha, \tau)$ consumes the quantum token $\tau$ to sign a classical message $\alpha$, yielding a classical signature $\sigma$. The quantum state is irrecoverably destroyed.
• Verify: $b = \mathsf{Verify}(k_{pk}, \alpha, \sigma)$ is a classical algorithm that checks signature validity using only the public key.

Correctness requires $$\Pr[\sigma\!\gets\!\mathsf{Sign}(\alpha,\tau):\mathsf{Verify}(k_{pk},\alpha,\sigma)=1] = 1$$ for freshly minted $\tau$. Unforgeability guarantees that a quantum polynomial-time (QPT) adversary, given $\ell$ tokens, cannot sign more than $\ell$ distinct messages except with negligible probability.

2. Core Construction: The Hidden-Subspace One-Bit Scheme

The base construction employs the Aaronson–Christiano hidden-subspace approach, originally devised for quantum money:

• Choose a random subspace $A \leq \mathbb{F}_2^n$ such that $\dim(A) = n/2$.
• The quantum signing token is $$|A\rangle = \frac{1}{\sqrt{|A|}} \sum_{a \in A} |a\rangle$$.
• Public key: an obfuscated subspace membership predicate for both $A$ and its dual $A^\perp$:

$$\chi_{A^*}(p, x) = \begin{cases} 1 & p = 0\ \wedge\ x \in A, \ 1 & p = 1\ \wedge\ x \in A^\perp, \ 0 & \text{otherwise} \end{cases}$$

• Signing: To sign bit $\alpha$:
  • If $\alpha=0$, measure $|A\rangle$ in the computational basis: output $a \in A$.
  • If $\alpha=1$, apply Hadamard gates ($H^{\otimes n}$) to get $|A^\perp\rangle$; measure to output $b \in A^\perp$.
  • Output $\sigma = a$ or $b$ (unless the all-zero vector, which is forbidden).
• Verification: Accept if $\chi_{A^*}(\alpha, \sigma) = 1$ and $\sigma \neq 0^n$.

This protocol is information-theoretically correct and achieves strong unclonability: no QPT adversary can extract more than a single valid signature per token.

3. Lifting to Full Digital Signatures

Three standard steps generalize the scheme:

1. One-Bit to $r$-Bit One-Time: Run multiple one-bit schemes in parallel for message blocks.
2. Hash-and-Sign: Use a quantum-secure collision-resistant hash function $h: \{0,1\}^* \to \{0,1\}^r$ so that only hashes of messages are ever signed, ensuring collision-freeness reduces to unforgeability.
3. Amplify One-Time to Many-Use: Combine with a standard classical EUF-CMA digital signature (or symmetric MAC). Each signing uses a fresh quantum token; the package includes a classical signature of the token’s public key.

The result is a full-fledged, many-use signature system: any message can be signed (once per token), and the system inherits the unclonability and information-theoretic properties from the quantum primitive.

4. Security Arguments and Properties

4.1 Unforgeability via Quantum Money Lower Bounds

The adversary’s task reduces to finding both a nontrivial member of $A$ and $A^\perp$ from a single token—provably hard in the black-box oracle model. Theorems from Aaronson–Christiano and subsequent generalizations yield the following quantum lower bound:

$T = \Omega(\sqrt{\epsilon}\ 2^{n/4})$

queries are needed to output both signatures with success probability $\epsilon$, which is infeasible for moderate $n$ ($n \approx 200$ suffices).

With a virtual-black-box (VBB) obfuscator for subspace-membership predicates, the same argument applies in practice: access to the public key does not materially aid the adversary except for negligible terms.

4.2 Revocability and Testability

Revocability:

The protocol allows status checking (was a token spent?) via the following:

• Randomly select a message, attempt to sign using $\tau$, and verify. Fresh tokens accept with high probability. Spent tokens (post-measurement) cannot pass the test, except with negligible probability.

Testability:

Given read-only access, one may test token validity (without signing) by projective measurement. Any valid $\tau$ will pass, while adversarial states or spent tokens will fail except with negligible probability.

Everlasting Revocability:

Even a computationally unbounded adversary cannot, after measurement, produce more than one valid signature or evade revocation, establishing “everlasting” security.

4.3 Theorems

Some critical formal results (as in the referenced work):

• Unforgeability (Theorem 3.1, 3.6, 4.1.3): No QPT adversary given $\ell$ tokens can sign on $\ell+1$ distinct messages.
• Revocability (Theorem 3.2): Every unforgeable TS is revocable.
• Testability (Theorem 3.3): Any testable TS gives a public quantum money scheme.
• Everlasting Security: The one-bit hidden-subspace TS is information-theoretically one-time and everlasting-revocable.

5. Applications and Extensions

Applications arise in scenarios demanding non-repudiation and controlled delegation without exposing persistent keys:

• Access Control: Provide limited signing rights (e.g., for financial transactions) where each action consumes a quantum token.
• Online/Offline Key Management: Keep master keys offline; use tokens for controlled online signature issuance.
• Byzantine Consensus: Strong guarantees against equivocation in distributed protocols.
• Quantum Money and Cash-Out Mechanisms: A testable TS gives rise to a public-key quantum money scheme, and any token can be “cashed out” into a classical signed check by destroying the quantum token and creating a public signature.

Notably, the TS framework enables secure, auditable conversion of quantum “bills” into classical payment instruments—a practical bridge for quantum-secure commerce.

6. Practical Considerations, Limitations, and Open Questions

A TS construction depends on:

• The existence and efficiency of obfuscators for vector subspace membership. Standard models rely on VBB, though indistinguishability obfuscation may suffice.
• Quantum state coherence: tokens must survive real transmission and storage constraints.
• Fault tolerance: handling noisy or lossy quantum memories is an ongoing research direction.

Open questions include practical instantiation of required obfuscators under realistic assumptions, generalization to tokenized blind/ring signatures, and robustness under noise.

7. Summary Table

Property	Achieved in TS Scheme	Caveat/Condition
Correctness	Yes: perfect for fresh token	Requires no overuse
Unforgeability	Information-theoretic in black-box/VBB settings	Efficient obfuscator needed
Revocability	Yes: public test, no secret key
Testability	Yes: projective measurement of fresh state	Requires oracles or obfuscated pk
Everlasting Security	Yes: unbounded attacker cannot forge after spending

The tokenized signature framework merges quantum money’s unclonability with classical signature semantics, yielding a cryptographically robust and versatile primitive for future quantum networks and secure delegated signing.