Papers
Topics
Authors
Recent
Search
2000 character limit reached

Quantum Digital Signatures (QDS)

Updated 8 July 2026
  • Quantum Digital Signatures (QDS) are schemes that use quantum mechanics to bind messages to a signer, ensuring authenticity, non-repudiation, and transferability.
  • Protocols have evolved from relying on quantum memories to memoryless designs using QKD components, BB84 states, and one-time universal hashing methods.
  • Recent advances include measurement-device-independent QDS, multibit ghost imaging, and integrated-photonic networks, achieving high-rate, long-distance secure signing.

Quantum digital signatures (QDS) are cryptographic schemes for signing classical messages that aim to guarantee authenticity, integrity, non-repudiation, transferability, and robustness with information-theoretic security grounded in quantum mechanics rather than computational hardness. In the standard three-party setting, Alice is the signer, Bob is the first recipient, and Charlie is the verifier. Across the literature, QDS has evolved from schemes that required quantum memories and authenticated quantum channels to memoryless protocols using quantum key distribution (QKD) components, measurement-device-independent constructions, one-time universal hashing frameworks for arbitrary-length documents, multibit protocols based on quantum temporal ghost imaging, continuous-variable protocols, and integrated-photonic network realizations (Wallden et al., 2014, Yao et al., 2019, Lin et al., 17 Mar 2026).

1. Definition and security objectives

QDS is the signing analogue of QKD in the sense that it provides information-theoretic guarantees, but the task is different. QKD establishes secret keys between two parties, whereas QDS is a higher-layer primitive that binds messages to a signer with non-repudiation and transferability. Classical signatures such as RSA and ECDSA rely on computational assumptions, while QDS derives security from quantum-mechanical constraints such as no-cloning, measurement disturbance, and entropy bounds on adversarial knowledge (Lin et al., 17 Mar 2026, Wallden et al., 2014).

The core security goals recur throughout the field. Unforgeability means that no recipient or external adversary can generate a valid signature on a message not signed by Alice. Non-repudiation means that Alice cannot make Bob accept while Charlie rejects. Transferability means that a message accepted by one honest recipient will also be accepted by another honest recipient upon forwarding. Robustness, or low honest-abort probability, means that honest executions rarely fail. In threshold-based protocols these goals are commonly enforced by distinct authentication and verification thresholds, with sa<svs_a < s_v, or by exact digest equality in one-time universal hashing protocols (Wallden et al., 2014, Puthoor et al., 2017, Lin et al., 17 Mar 2026).

A recurring architectural decomposition has four stages: distribution, symmetrization, messaging, and verification. In distribution, correlated key material or signature elements are established. In symmetrization, recipients exchange information so that the signer cannot bias different recipients’ views. In messaging, Alice sends a signature together with the message or document. In verification, Bob and Charlie independently test consistency against their own data. Multi-recipient variants generalize the same logic beyond the Bob–Charlie setting (Lin et al., 17 Mar 2026, Weng et al., 2021).

2. Evolution of protocol design

The earliest proposals, beginning with the 2001 Gottesman–Chuang line, required long-term quantum memories and non-destructive state comparisons. That requirement was the principal reason such schemes were considered impractical. The first major transition was measurement-at-distribution: recipients immediately measured the quantum states and stored only classical data. In the 2013 memoryless coherent-state realization, Alice distributed sequences of phase-encoded coherent states, recipients applied unambiguous quantum state elimination, and non-repudiation was enforced through a multiport that symmetrized their reduced states (Collins et al., 2013, Dunjko et al., 2013).

A second transition replaced specialized optical elements by QKD-grade components. The 2014 BB84-state and QKD-generated-key protocols showed that QDS could be built from the same sources, modulators, detectors, synchronization, and decoy-state methods already used in QKD. In that work, protocol P1 used BB84 states and unambiguous state elimination, while protocol P2 used QKD-generated classical keys powering a classical digital-signature functionality. The same work also presented the first security proof for any QDS scheme against coherent forging attacks, specifically for BB84-state QDS (Wallden et al., 2014).

A third transition removed the assumption of authenticated or secure quantum channels from practical implementations. The 2015 practical protocol based on six-state non-orthogonal encoding, decoy-state modulation, and finite-size sampling analysis established that authenticated classical channels sufficed, and the 2016 experiment implemented that framework over up to 102 km. In parallel, the 2017 measurement-device-independent (MDI) line imported the central MDI-QKD idea into QDS: all measurements were relegated to an untrusted relay, thereby eliminating detector side-channel attacks from the trust model (Yin et al., 2015, Yin et al., 2016, Puthoor et al., 2017).

More recent work moved from one-bit signing to high-throughput and arbitrary-length signing. One branch signs a fixed-length digest of the full document using one-time universal hashing; another branch signs multi-slot temporal patterns through ghost-imaging correlations; still others exploit post-matching, likely bit strings, random pairing, twin-field architectures, continuous-variable encodings, and silicon photonics. A plausible implication is that contemporary QDS research is organized less by a single protocol family than by a set of reusable design patterns: asymmetric key sharing, entropy-based security bounds, decoy-state estimation, and increasingly hardware-aware implementations (Yao et al., 2019, Li et al., 2023, Du et al., 2024).

3. Signature material and protocol architectures

In sequence-of-state protocols, the signature material is a distributed list of quantum states or measurement outcomes indexed by future message values. In the BB84-state memoryless design, Alice prepares two copies of a signature string for each future one-bit message, Bob and Charlie randomly exchange roughly half the elements, and each recipient measures in a random BB84 basis to obtain an eliminated signature. Later, Alice declares the private key for message mm, Bob authenticates if mismatches are at most saLs_a L, and Charlie verifies if mismatches are at most svLs_v L with sa<svs_a < s_v (Wallden et al., 2014).

In QKD-generated-key protocols, the signature material is purely classical. Alice shares different secret strings with Bob and Charlie, often via BB84 plus error correction and privacy amplification, and the recipients symmetrize by exchanging random subsets. Messaging then reduces to classical declaration and mismatch testing. This architecture directly motivated later hash-based QDS, where the document itself is not signed bit by bit; instead a digest is signed (Wallden et al., 2014, Yin et al., 2015).

In one-time universal hashing QDS, Alice shares keys with Bob and Charlie and forms her signer key by XOR. In the 2026 high-rate protocol, Ka=KbKcK_a = K_b \oplus K_c. For each message of mm bits, Alice selects $3n$ secret bits, splits them into XaX_a and YaY_a, constructs an mm0 Toeplitz matrix mm1, computes an mm2-bit hash of the document, appends the random seed, and encrypts the resulting digest with a one-time pad: mm3 Bob and Charlie exchange their shares over authenticated channels, reconstruct mm4 and mm5, decrypt mm6, reconstruct mm7, and accept if the recomputed digest matches exactly (Lin et al., 17 Mar 2026).

The 2019 multibit protocol follows a different route. Alice uses a time–energy entangled photon source, sends idler photons through a 50:50 beam splitter to Bob and Charlie, and encodes an mm8-bit temporal pattern in a three-layer frame/slot/bin structure. Frame and bin numbers are publicly announced for sifting, while slot numbers remain private and carry the message. Bob and Charlie secretly exchange half of their frame/slot records, Alice later sends only the selected frame numbers mm9, and the recipients reconstruct the message by temporal ghost imaging over two data blocks. The protocol signs saLs_a L0 bits at once, excludes all-ones and all-zeros messages, and uses per-slot noise factors together with thresholds saLs_a L1 to enforce transferability (Yao et al., 2019).

Other architectures modify the post-processing rather than the signing primitive. Post-matching removes the symmetrization step and the coincidence-detection bottleneck by aligning independently detected records after the fact; likely-bit-string QDS verifies against candidate raw-key strings consistent with observed error rates; and improved versions ask Alice to reveal key material only after both recipients confirm receipt of the packet, thereby removing the need to enumerate exponentially many likely strings (Lu et al., 2021, Qin et al., 2024).

4. Security models, parameters, and proof techniques

Threshold-based QDS security is commonly expressed through exponential concentration bounds. In the 2014 BB84-state protocol, repudiation obeys

saLs_a L2

while forging obeys

saLs_a L3

with saLs_a L4 and saLs_a L5 for the BB84 coherent-forging analysis. These bounds formalize the gap between honest mismatch rates and adversarial mismatch floors (Wallden et al., 2014).

In the multibit ghost-imaging protocol, the mismatch parameter is replaced by per-slot noise factors. The distribution-stage error rate is denoted saLs_a L6, the effective number of signature elements is

saLs_a L7

and the forger’s guessing parameter is saLs_a L8. The paper states

saLs_a L9

and

svLs_v L0

The slot-layer decision rule itself is Poissonian: svLs_v L1 This recasts forging as a problem of hidden slot information rather than direct key mismatch (Yao et al., 2019).

Hash-based QDS replaces threshold comparisons by exact digest equality and moves the security analysis to universal hashing and min-entropy. In the 2026 one-time universal hashing implementation, the collision bound gives

svLs_v L2

with svLs_v L3 and svLs_v L4 yielding svLs_v L5. Because symmetrization makes Bob and Charlie reconstruct identical svLs_v L6 and svLs_v L7, the same work sets svLs_v L8, and robustness is dominated by error-correction failure,

svLs_v L9

This exact-equality regime is structurally different from mismatch-threshold QDS (Lin et al., 17 Mar 2026).

Later analyses weakened the key assumptions rather than the adversary. With imperfect quantum keys, the success probability of guessing an sa<svs_a < s_v0-bit key block satisfies

sa<svs_a < s_v1

and the resulting authentication failure bounds become

sa<svs_a < s_v2

The 2024 continuous-variable OTUH protocol uses the same min-entropy style,

sa<svs_a < s_v3

but derives sa<svs_a < s_v4 from a fidelity test function and finite-size coherent-attack analysis rather than from discrete-variable decoy-state bounds (Li et al., 2023, Zhang et al., 2024).

5. Experimental implementations and performance

The first long-distance practical realization without any secure channel signed one-bit messages through up to 102 km optical fiber and continuously ran the system to sign the 32-bit message “USTC” at 51 km (Yin et al., 2016). That experiment used phase-randomized weak coherent BB84 states at 1550 nm, three-intensity decoy modulation sa<svs_a < s_v5, sa<svs_a < s_v6, sa<svs_a < s_v7, a 75 MHz clock, and SNSPDs with system detection efficiency about sa<svs_a < s_v8. The stated thresholds were sa<svs_a < s_v9 and Ka=KbKcK_a = K_b \oplus K_c0 at 51 km, and the measured single-photon parameters included Ka=KbKcK_a = K_b \oplus K_c1 around Ka=KbKcK_a = K_b \oplus K_c2 and Ka=KbKcK_a = K_b \oplus K_c3 around Ka=KbKcK_a = K_b \oplus K_c4 (Yin et al., 2016).

Measurement-device-independent QDS was first field-tested over a metropolitan network covering a 200-square-kilometer area. That three-party experiment used an untrusted relay, Bell-state measurements, encrypted Bob–Charlie symmetrization based on MDI-QKD, and achieved a security level of about Ka=KbKcK_a = K_b \oplus K_c5 for a binary message (Yin et al., 2017). The follow-up theoretical framework quantified minute-scale to hour-scale signature generation under realistic finite-key assumptions, and a 50 km example at 1 GHz reported Ka=KbKcK_a = K_b \oplus K_c6, Ka=KbKcK_a = K_b \oplus K_c7, Ka=KbKcK_a = K_b \oplus K_c8, Ka=KbKcK_a = K_b \oplus K_c9, and mm0 (Puthoor et al., 2017).

The multibit ghost-imaging demonstration showed that about 4 s of single-photon measurement in the distribution stage suffices to sign a 10-bit message with failure probability below mm1. In the experimental example, a 2 s data block gave mm2 and mm3, while optimization for mm4 used mm5, mm6, and mm7, achieving mm8 (Yao et al., 2019).

Integrated and networked implementations then shifted the emphasis from proof-of-principle to deployability. The 2024 chip-based network used integrated silicon photonic transmitter and decoder chips, a one-decoy-state OTUH-QDS protocol, and achieved a maximum signature rate of mm9 times per second for a 1 Mbit file over fiber distances up to 200 km (Du et al., 2024). The 2026 high-rate system combined Sagnac-based phase-stable polarization modulation, 1.25 GHz state preparation, and low-jitter SNSPDs, reporting $3n$0 tps at 75 km, $3n$1 tps at 100 km, $3n$2 tps at 150 km, $3n$3 tps at 200 km, and $3n$4 tps at 250 km with total loss $3n$5 dB. That same system signed 1 Mbit messages with overall $3n$6 and reported more than two orders of magnitude rate improvement under comparable loss (Lin et al., 17 Mar 2026).

6. Variants, multiparty extensions, and alternative physical platforms

Multiparty QDS generalizes the three-party logic to broadcasting and mass messaging. A 2021 six-state non-orthogonal framework reduced the number of quantum channels from $3n$7 to $3n$8 and used post-matching to increase data utilization efficiency from $3n$9 to XaX_a0. Under realistic parameters, it reported maximum transmission distances of 265 km for three-party, 220 km for four-party, and 156 km for five-party settings (Weng et al., 2021). A related 2021 symmetrization-free protocol based on post-matching showed that the signature rate scales linearly with the probability of detection events and was three orders of magnitude higher than the original protocol in a 100-km-long fiber simulation (Lu et al., 2021).

Random pairing is a protocol-agnostic refinement applied after the key-generation stage. It forms outcome bits by parity on random pairs, so that XaX_a1, transforms the bit-flip error rate according to XaX_a2, and increases the untagged fraction to XaX_a3. Applied to sending-or-not-sending and side-channel-free QDS, it was reported to increase the signature rate by more than XaX_a4 under noisy channel conditions (Qin et al., 2022).

Long-distance arbitrary-length signing has also been attacked through raw-key verification rather than final-key verification. The likely-bit-string method, applied to hash-function-based QDS, reported that both the baseline and improved variants can improve the signature rate by more than 100 times and increase the signature distance by about 150 km compared with hash function-based QDS protocols without likely bit strings (Qin et al., 2024). A closely related line showed that imperfect quantum keys can be used directly for one-time universal hashing without privacy amplification, with eight orders of magnitude improvement on signature rate for signing a megabit message compared with conventional single-bit schemes, and simulated implementation over a fiber distance of 650 km at approximately XaX_a5 tps using two-photon twin-field key generation (Li et al., 2023).

Alternative physical models broaden the same cryptographic logic. Counterfactual and twin-field QDS adapts interaction-free measurement and one-way twin-field interference to signature generation, with explicit Chernoff-style repudiation and forging bounds in terms of injected or decoy-assisted bits (Rao et al., 2023). Continuous-variable QDS uses coherent states, homodyne and heterodyne detection, and a fidelity test function

XaX_a6

to obtain finite-size security against general coherent attacks. In simulation, the CV OTUH protocol reported an eight orders of magnitude reduction in signature length for a 1 megabit message signing task compared with existing CV QDS protocols, with XaX_a7 and XaX_a8 at XaX_a9 and YaY_a0 (Zhang et al., 2024).

7. Limitations, subtleties, and open problems

QDS is not a single security model but a family of models tied to specific trust assumptions. Trusted-measurement protocols assume honest detector behavior; MDI-QDS removes detector trust but still requires trusted sources, authenticated classical channels, and secure storage of local keys (Puthoor et al., 2017). Older BB84-state analyses are explicitly stand-alone rather than universally composable, and several papers identify full composable security, device-independent variants, and generalized coherent-attack proofs as open directions (Wallden et al., 2014, Collins et al., 2013).

Protocol-specific subtleties are often essential rather than cosmetic. The multibit ghost-imaging protocol excludes all-ones and all-zeros messages, because Bob could trivially forge by exploiting public frame sifting alone. Its scalability in YaY_a1 is limited by detector timing resolution, bin jitter, source bandwidth, stricter synchronization, and background sensitivity (Yao et al., 2019). Likewise, likely-bit-string verification can be computationally prohibitive without the improved method in which Alice reveals YaY_a2 only after both recipients have received YaY_a3 (Qin et al., 2024).

A recurring misconception is that QDS always requires perfectly secret keys. The imperfect-key OTUH line shows that privacy amplification can be omitted when the task is signature authentication rather than private communication, provided min-entropy leakage is explicitly bounded (Li et al., 2023). Another misconception is that arbitrary-length signing automatically follows from bit-wise QDS; in practice, one-bit protocols must be iterated, whereas hash-based and ghost-imaging protocols compress or block-encode longer documents directly (Yao et al., 2019, Lin et al., 17 Mar 2026).

Recent security reviews of preshared-key QDS based on universal hashing show that even mature practical designs can contain loopholes if authenticated communication failures, hash reuse, or forwarding rules are handled loosely. The 2025 analysis amended three existing protocols, explicitly accounted for the failure of information-theoretically secure authenticated communication, numerically optimized preshared-bit consumption and signature length, and identified the most efficient protocol among those compared (Grasselli et al., 7 Aug 2025). This suggests that the dominant open problems are no longer only physical implementation, but also exact composable formulations, tight finite-size optimization, and protocol hygiene across increasingly heterogeneous QDS architectures.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (18)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Quantum Digital Signatures (QDS).