One-Shot Signatures in Quantum Cryptography
- One-Shot Signatures are quantum primitives that use a consumable quantum signing key to generate a single valid signature with classical verification.
- They leverage quantum properties like no-cloning and destructive measurement to enforce one-time use, a feature unattainable with classical keys.
- Recent constructions employ efficient techniques involving indistinguishability obfuscation, LWE-based hashing, and permutable pseudorandom permutations to achieve robust security.
One-shot signatures (OSS) are a quantum-public-key signature primitive in which a signer, given a common reference string, generates a classical public verification key and a quantum signing key that can be used to sign exactly one message and is irreversibly consumed by signing. In the now-standard formalization, $\mathsf{Setup}$ produces a public common reference string $\mathsf{CRS}$, $\mathsf{KeyGen}(\mathsf{CRS})$ outputs a classical verification key $\mathit{pk}$ together with a quantum signing key $|sk\rangle$, $\mathsf{Sign}(|sk\rangle,m)$ outputs a classical signature $\sigma$ while destroying the secret state, and $\mathsf{Verify}(\mathit{pk},m,\sigma)$ is a deterministic classical predicate. Recent work has moved OSS from a speculative quantum-oracle concept to standard-model and efficient constructions, while also clarifying its relation to non-collapsing hashing, obfuscation, and classical single-use signatures (Shmueli et al., 16 Jul 2025, Huang et al., 13 Oct 2025).
1. Formal model and terminological scope
The basic OSS interface consists of four algorithms: $\mathsf{CRS}\leftarrow \mathsf{Setup}(1^\lambda),\qquad (\mathit{pk},|sk\rangle)\leftarrow \mathsf{KeyGen}(\mathsf{CRS}),$
$\sigma \leftarrow \mathsf{Sign}(|sk\rangle,m),\qquad \mathsf{Verify}(\mathit{pk},m,\sigma)\in\{\mathsf{accept},\mathsf{reject}\}.$
The defining feature is that $\mathsf{Sign}$ measures or otherwise irreversibly consumes the signing state $|sk\rangle$, so no further signatures are possible. For schemes with perfect correctness, one requires
1
A standard one-time unforgeability condition asks that even a QPT adversary that obtains the public key $\mathit{pk}$ and interacts with an honest signer once cannot later produce any additional valid signature except with negligible probability (Huang et al., 13 Oct 2025).
A second, equivalent-looking formalization used in the standard-model literature treats correctness and one-time unforgeability over a fixed message space and phrases security as the impossibility of producing two valid signatures on distinct messages under the same public key. In that formulation, key generation and signing are QPT algorithms while verification is classical poly-time, so the quantum nature of OSS appears entirely in the signing key and the destructive signing procedure (Shmueli et al., 16 Jul 2025).
The term is not fully uniform across the literature. Some works on classical one-time signatures explicitly group “one-shot” and “one-time” together, particularly in oracle lower-bound settings (0801.3680). In current quantum cryptographic usage, however, OSS usually denotes the specifically quantum primitive with a single-use quantum signing state, whereas classical one-time signatures are separate constructions that share only the single-use semantics.
2. Classical impossibility and quantum feasibility
A central structural fact is that OSS are impossible classically in the intended self-destructing sense. If both the signing key and the signing process are classical, then after one valid signature the signer or adversary still has a classical copy of the signing key and can sign again, so one-time unforgeability plus enforced self-destruction is contradictory. This is the reason OSS are described as a uniquely quantum primitive: they rely on the no-cloning principle and on destructive measurement to make “exactly one signature” meaningful (Shmueli et al., 16 Jul 2025).
The quantum possibility was articulated by Amos, Georgiou, Kiayias, and Zhandry at STOC 2020. Their proposal used quantum signing keys and a classical verification algorithm, showing how a quantum state might be measured to yield one classical signature while becoming unusable thereafter. That early line of work also connected OSS to coset-partition hash functions and to separations involving post-quantum binding notions. However, a later analysis found a fatal bug in the original oracle-model proof, leaving the very existence of OSS open even in an idealized classical-oracle setting until subsequent work resolved it (Shmueli et al., 16 Jul 2025).
This correction matters conceptually. A common misconception is that OSS were already securely established once the STOC 2020 proposal appeared. The later literature instead treats that proposal as a motivating precursor whose proof technique did not survive scrutiny. The first provable standard-model OSS and the first unconditional construction relative to a classical oracle both came later (Shmueli et al., 16 Jul 2025).
3. Main construction paradigms
The first standard-model OSS are obtained under sub-exponentially secure indistinguishability obfuscation, sub-exponential one-way functions, and sub-exponentially secure LWE. The central technical device is a new primitive, the permutable pseudorandom permutation, which allows a PRP key to be “toggled” by composition with a known permutation while preserving indistinguishability of the toggle bit. This machinery is used to obtain full-domain trapdoor one-way permutations from obfuscation, and then to realize the non-collapsing-hash ingredients known to imply OSS (Shmueli et al., 16 Jul 2025).
At a high level, the standard-model construction begins from a classical random permutation oracle 8, defines a truncated hash 9, tags outputs with PRF-generated cosets, and proves collision resistance through a sequence of hybrid steps involving dual bloating, dual simulation, and reductions to collision finding in parallel-repeated $\KeyGen(\mathsf{CRS})$0-to-$\KeyGen(\mathsf{CRS})$1 functions. In the standard model, the random permutation is replaced by a permutable PRP, the coset tags by puncturable PRFs, and the final hard instance by an LWE-based trapdoor $\KeyGen(\mathsf{CRS})$2-to-$\KeyGen(\mathsf{CRS})$3 hash (Shmueli et al., 16 Jul 2025).
A later construction emphasizes simplicity and efficiency. It hashes an arbitrary polynomial-length message to a short string
$\KeyGen(\mathsf{CRS})$4
using a pairwise-independent hash family, and the signing key is built from copies of a coset-state superposition
$\KeyGen(\mathsf{CRS})$5
where $\KeyGen(\mathsf{CRS})$6 is a uniformly sampled secret offset. Taking $\KeyGen(\mathsf{CRS})$7 copies yields a total signing key size of $\KeyGen(\mathsf{CRS})$8 qubits. To sign $\KeyGen(\mathsf{CRS})$9, the signer measures each copy in a local 0 basis determined by 1 and 2, and the resulting classical outcomes form a signature of size 3 bits. Verification is purely classical: the verifier recomputes 4 and checks the correlation pattern implied by 5 and 6 (Huang et al., 13 Oct 2025).
This direct construction is positioned against the earlier Shmueli–Zhandry approach, which signed messages bit-by-bit. For polynomially long messages, that earlier approach is reported as using signing keys of 7 qubits and signatures of size 8 bits, whereas the newer construction reduces both to 9 and achieves perfect correctness (Huang et al., 13 Oct 2025).
4. Security notions and proof architecture
The basic security target is one-shot unforgeability: after one use of the signing key, no QPT adversary should be able to output any additional valid signature except with negligible probability. In the direct coset-state construction, the proof intuition is that once all copies are measured, the residual state is only classical garbage and no longer supports the correlations needed for a fresh message. The analysis further states that the measurement outcomes reveal exactly $\Sign(|sk\rangle,m)$0 bits of information about the $\Sign(|sk\rangle,m)$1-bit coset states, so with $\Sign(|sk\rangle,m)$2 the hidden offset retains $\Sign(|sk\rangle,m)$3 min-entropy, making forgery equivalent to guessing the offset or the relevant hash preimage, each with negligible success probability (Huang et al., 13 Oct 2025).
Correctness in that same scheme is exact because the signing procedure performs the very projective measurement that verification checks. The verifier therefore accepts every honestly generated signature with probability $\Sign(|sk\rangle,m)$4, yielding perfect correctness rather than merely overwhelming correctness (Huang et al., 13 Oct 2025).
A stronger property, emphasized in the efficient scheme, is strong signature incompressibility. The paper states that this implies a public-key quantum fire scheme with perfect correctness and is sufficient to repair an error in a recent firewall construction by Çakan, Goyal, and Shmueli. This places OSS in a broader family of “use-once” quantum access-control primitives, where unforgeability is not the only relevant notion; the inability to compress or repurpose the signing transcript also becomes essential (Huang et al., 13 Oct 2025).
The standard-model proof line is more elaborate. It combines iO, puncturable PRFs, permutable PRPs, and LWE-based trapdoor hashing through a sequence of hybrids that replace oracle steps by obfuscated code. Security is transferred by showing that each hybrid changes a QPT adversary’s view only negligibly, eventually reducing successful OSS forgery to hard collision-finding or inversion problems already implied by the underlying assumptions (Shmueli et al., 16 Jul 2025).
5. Assumptions, circuit realizations, and resource scaling
The efficient direct OSS construction is presented both in an oracle model and in the plain model, and its exposition states that no random oracle is needed for the main scheme beyond the idealized hash family $\Sign(|sk\rangle,m)$5, which may be instantiated from any post-quantum secure keyed hash, for example from LWE. The incompressibility argument is described as statistical, while a derived public-key quantum firewall additionally invokes post-quantum iO, with LWE sufficient to obtain iO in the CRS model (Huang et al., 13 Oct 2025).
A separate line gives a pre-obfuscation circuit-level implementation of an efficient OSS. In that realization, key generation produces a classical public key and a quantum secret key by preparing a superposition over a random affine coset determined by the output of a puncturable pseudorandom function together with a circuit that tests coset membership. Signing processes the secret state together with a message string to produce a classical signature, and verification is fully classical and deterministic. The paper states that there is no algorithmic error in the construction (Muraleedharan et al., 22 Jun 2026).
The asymptotic resource bounds in that circuit-level account are
$\Sign(|sk\rangle,m)$6
where $\Sign(|sk\rangle,m)$7 is the public-key size, $\Sign(|sk\rangle,m)$8 is the signature size, $\Sign(|sk\rangle,m)$9 is the message size, and 0 is the cryptographic security parameter. For single-bit messages, explicit reported counts include: for 1, 2 qubits, 3 X-gates, 4 CX-gates, and 5 CCX-gates; for 6, 7 qubits, 8 X-gates, 9 CX-gates, and $\Verify(\mathit{pk},m,\sigma)$0 CCX-gates; and for $\Verify(\mathit{pk},m,\sigma)$1, $\Verify(\mathit{pk},m,\sigma)$2 qubits, $\Verify(\mathit{pk},m,\sigma)$3 X-gates, $\Verify(\mathit{pk},m,\sigma)$4 CX-gates, and $\Verify(\mathit{pk},m,\sigma)$5 CCX-gates (Muraleedharan et al., 22 Jun 2026).
The same implementation-oriented analysis also makes explicit the obfuscation boundary. Security requires hiding the internal PPRF key and obfuscating the classical and hybrid classical–quantum circuits used for GGM lookup, affine-coset generation, and coset-membership testing. The text notes that classical iO would suffice for the purely classical components, while a practical complete plain-model scheme would additionally need an obfuscator for the remaining hybrid circuits (Muraleedharan et al., 22 Jun 2026).
6. Applications, variants, and relation to classical single-use signatures
OSS support a range of higher-level quantum cryptographic applications in which the signer’s local quantum capability is combined with classical communication and classical verification. Reported applications include delegated signatures, secured token transfer, publicly verifiable randomness, and public-key quantum firewalls. In the firewall application, combining OSS with a quantum one-time pad yields a public-key mechanism for encrypting quantum data that can only be activated once, and the efficient direct construction is specifically claimed to restore applications that were jeopardized by a gap in the earlier Çakan–Goyal–Shmueli reduction (Muraleedharan et al., 22 Jun 2026, Huang et al., 13 Oct 2025).
OSS also have structural consequences outside signatures themselves. The standard-model construction yields the first standard-model separation between classical-binding and collapse-binding for post-quantum commitments and hashing, and the same framework produces full-domain trapdoor one-way permutations from iO and one-way functions. A stated corollary is a two-message classical-verifier proof-of-quantumness protocol (Shmueli et al., 16 Jul 2025).
A notable variant is the two-tier one-shot signature scheme (2-OSS). In 2-OSS, the message space is $\{0,1\}$: verification for message $0$ is public, while verification for message $1$ is private and requires a secret setup key. The construction uses independent NTCF instances from LWE, with signing on $0$ implemented by computational-basis measurements and signing on $1$ implemented by Hadamard-basis measurements. Security is the impossibility of producing simultaneously a valid public-tier signature and a valid private-tier signature for the same verification key, and the primitive is used to construct digital signatures with revocable signing keys (Morimae et al., 2023).
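The following is an added toy simulation of the 2-OSS mechanics just described, not code from Morimae et al. or any of the cited papers; every name in it is mine. A claw state $(|0,x_0\rangle+|1,x_1\rangle)/\sqrt{2}$ with $f_0(x_0)=f_1(x_1)=y$ stands in for the NTCF-derived signing key, the "claw-free" pair is a brute-forceable toy table (no hardness is modelled), and the trapdoor is $x_0\oplus x_1$; the state is simulated exactly as a dictionary of amplitudes, which is enough to see why a single signing state yields either a publicly checkable computational-basis signature or a trapdoor-checkable Hadamard-basis signature, but not both.

```python
"""Toy simulation of the two-tier OSS (2-OSS) described above: message 0 is signed
by a computational-basis measurement of a claw state (public check), message 1 by a
Hadamard-basis measurement (trapdoor check); one signing state cannot yield both."""
import hashlib, math, random
def parity(a, b):            # inner product of two bit strings (as ints) mod 2
    return bin(a & b).count("1") % 2

def keygen(n, rng):
    """pk = (y, public table of f_0/f_1, n); trapdoor = x0 xor x1; signing key =
    the claw state (|0,x0> + |1,x1>)/sqrt(2) stored as {(b, x): amplitude}."""
    x0, delta = rng.randrange(1 << n), rng.randrange(1, 1 << n)
    g = lambda v: hashlib.sha256(v.to_bytes(4, "big")).hexdigest()[:8]
    table = {(b, x): g(x ^ b * delta) for b in (0, 1) for x in range(1 << n)}  # toy pair
    sk = {(0, x0): 2 ** -0.5, (1, x0 ^ delta): 2 ** -0.5}
    return (table[(0, x0)], table, n), delta, sk

def measure(state, rng):     # Born-rule sample; returns (outcome, collapsed state)
    o = rng.choices(list(state), weights=[a * a for a in state.values()])[0]
    return o, {o: 1.0}

def hadamard_all(state, n):  # H on the tag qubit b and on all n bits of x
    out = {}
    for c in (0, 1):
        for d in range(1 << n):
            amp = sum(a * (-1) ** (c * b + parity(d, x)) for (b, x), a in state.items())
            if abs(amp) > 1e-9:
                out[(c, d)] = amp / math.sqrt(2 ** (n + 1))
    return out

def sign(sk, m, n, rng):
    """Returns (signature, residual state): m=0 gives (b, x), m=1 gives (c, d)."""
    if m == 0:
        return measure(sk, rng)
    sig, post = measure(hadamard_all(sk, n), rng)
    return sig, hadamard_all(post, n)   # H is self-inverse: residual back in computational frame

def verify(pk, td, m, sig):
    """Tier 0 (public): f_b(x) == y.  Tier 1 (private): c == <d, x0 xor x1>."""
    return pk[1][sig] == pk[0] if m == 0 else sig[0] == parity(sig[1], td)

def experiment(first, n=4, trials=200, seed=1):
    """Sign tier `first` honestly, then reuse the residual for the other tier; returns (#honest ok, #reuse ok)."""
    rng, honest, reuse = random.Random(seed), 0, 0
    for _ in range(trials):
        pk, td, sk = keygen(n, rng)
        sig, residual = sign(sk, first, n, rng)
        other, _ = sign(residual, 1 - first, n, rng)
        honest += verify(pk, td, first, sig)
        reuse += verify(pk, td, 1 - first, other)
    return honest, reuse
```

Honest signatures verify in every trial, whereas reusing the post-measurement residual for the other tier passes only by chance: about one half of the time for the private tier (the Hadamard outcome of a collapsed computational-basis state is uniform) and about $2/2^{n+1}$ of the time for the public tier.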
The relation between quantum OSS and classical one-time signatures is close but not identical. Classical single-use signatures include oracle-based and hash-based constructions, PRNG-based one-time signatures, and one-time code-based systems such as SPANSE. Those schemes are valuable for post-quantum digital signatures, but they do not realize the quantum self-destruction property that defines OSS. Classical lower bounds illustrate the difference in flavor: any one-time signature scheme built black-box from a random oracle has black-box security bounded in terms of the total number of oracle queries it makes, while practical hash-based schemes such as W-OTS$^+$ require careful security reductions and parameter accounting (0801.3680, Kudinov et al., 2020). Other classical one-time designs, including PRNG-based OTS and dense-signature code-based schemes, similarly share the “sign once” usage pattern without depending on a consumable quantum state (Chen, 2024, Baldi et al., 2022).
Taken together, these developments position OSS as a distinctly quantum single-use signature primitive: impossible in the intended sense with purely classical keys, realizable with destructive quantum signing states, and now supported by standard-model existence theorems, more direct and efficient constructions, explicit circuit realizations, and a growing body of applications (Shmueli et al., 16 Jul 2025, Huang et al., 13 Oct 2025).