Quantum Digital Signatures (QDS)
- Quantum Digital Signatures (QDS) are schemes that use quantum mechanics to bind messages to a signer, ensuring authenticity, non-repudiation, and transferability.
- Protocols have evolved from relying on quantum memories to memoryless designs using QKD components, BB84 states, and one-time universal hashing methods.
- Recent advances include measurement-device-independent QDS, multibit ghost imaging, and integrated-photonic networks, achieving high-rate, long-distance secure signing.
Quantum digital signatures (QDS) are cryptographic schemes for signing classical messages that aim to guarantee authenticity, integrity, non-repudiation, transferability, and robustness with information-theoretic security grounded in quantum mechanics rather than computational hardness. In the standard three-party setting, Alice is the signer, Bob is the first recipient, and Charlie is the verifier. Across the literature, QDS has evolved from schemes that required quantum memories and authenticated quantum channels to memoryless protocols using quantum key distribution (QKD) components, measurement-device-independent constructions, one-time universal hashing frameworks for arbitrary-length documents, multibit protocols based on quantum temporal ghost imaging, continuous-variable protocols, and integrated-photonic network realizations (Wallden et al., 2014, Yao et al., 2019, Lin et al., 17 Mar 2026).
1. Definition and security objectives
QDS is the signing analogue of QKD in the sense that it provides information-theoretic guarantees, but the task is different. QKD establishes secret keys between two parties, whereas QDS is a higher-layer primitive that binds messages to a signer with non-repudiation and transferability. Classical signatures such as RSA and ECDSA rely on computational assumptions, while QDS derives security from quantum-mechanical constraints such as no-cloning, measurement disturbance, and entropy bounds on adversarial knowledge (Lin et al., 17 Mar 2026, Wallden et al., 2014).
The core security goals recur throughout the field. Unforgeability means that no recipient or external adversary can generate a valid signature on a message not signed by Alice. Non-repudiation means that Alice cannot make Bob accept while Charlie rejects. Transferability means that a message accepted by one honest recipient will also be accepted by another honest recipient upon forwarding. Robustness, or low honest-abort probability, means that honest executions rarely fail. In threshold-based protocols these goals are commonly enforced by distinct authentication and verification thresholds, with , or by exact digest equality in one-time universal hashing protocols (Wallden et al., 2014, Puthoor et al., 2017, Lin et al., 17 Mar 2026).
A recurring architectural decomposition has four stages: distribution, symmetrization, messaging, and verification. In distribution, correlated key material or signature elements are established. In symmetrization, recipients exchange information so that the signer cannot bias different recipients’ views. In messaging, Alice sends a signature together with the message or document. In verification, Bob and Charlie independently test consistency against their own data. Multi-recipient variants generalize the same logic beyond the Bob–Charlie setting (Lin et al., 17 Mar 2026, Weng et al., 2021).
2. Evolution of protocol design
The earliest proposals, beginning with the 2001 Gottesman–Chuang line, required long-term quantum memories and non-destructive state comparisons. That requirement was the principal reason such schemes were considered impractical. The first major transition was measurement-at-distribution: recipients immediately measured the quantum states and stored only classical data. In the 2013 memoryless coherent-state realization, Alice distributed sequences of phase-encoded coherent states, recipients applied unambiguous quantum state elimination, and non-repudiation was enforced through a multiport that symmetrized their reduced states (Collins et al., 2013, Dunjko et al., 2013).
A second transition replaced specialized optical elements by QKD-grade components. The 2014 BB84-state and QKD-generated-key protocols showed that QDS could be built from the same sources, modulators, detectors, synchronization, and decoy-state methods already used in QKD. In that work, protocol P1 used BB84 states and unambiguous state elimination, while protocol P2 used QKD-generated classical keys powering a classical digital-signature functionality. The same work also presented the first security proof for any QDS scheme against coherent forging attacks, specifically for BB84-state QDS (Wallden et al., 2014).
A third transition removed the assumption of authenticated or secure quantum channels from practical implementations. The 2015 practical protocol based on six-state non-orthogonal encoding, decoy-state modulation, and finite-size sampling analysis established that authenticated classical channels sufficed, and the 2016 experiment implemented that framework over up to 102 km. In parallel, the 2017 measurement-device-independent (MDI) line imported the central MDI-QKD idea into QDS: all measurements were relegated to an untrusted relay, thereby eliminating detector side-channel attacks from the trust model (Yin et al., 2015, Yin et al., 2016, Puthoor et al., 2017).
More recent work moved from one-bit signing to high-throughput and arbitrary-length signing. One branch signs a fixed-length digest of the full document using one-time universal hashing; another branch signs multi-slot temporal patterns through ghost-imaging correlations; still others exploit post-matching, likely bit strings, random pairing, twin-field architectures, continuous-variable encodings, and silicon photonics. A plausible implication is that contemporary QDS research is organized less by a single protocol family than by a set of reusable design patterns: asymmetric key sharing, entropy-based security bounds, decoy-state estimation, and increasingly hardware-aware implementations (Yao et al., 2019, Li et al., 2023, Du et al., 2024).
3. Signature material and protocol architectures
In sequence-of-state protocols, the signature material is a distributed list of quantum states or measurement outcomes indexed by future message values. In the BB84-state memoryless design, Alice prepares two copies of a signature string for each future one-bit message, Bob and Charlie randomly exchange roughly half the elements, and each recipient measures in a random BB84 basis to obtain an eliminated signature. Later, Alice declares the private key for message , Bob authenticates if mismatches are at most , and Charlie verifies if mismatches are at most with (Wallden et al., 2014).
In QKD-generated-key protocols, the signature material is purely classical. Alice shares different secret strings with Bob and Charlie, often via BB84 plus error correction and privacy amplification, and the recipients symmetrize by exchanging random subsets. Messaging then reduces to classical declaration and mismatch testing. This architecture directly motivated later hash-based QDS, where the document itself is not signed bit by bit; instead a digest is signed (Wallden et al., 2014, Yin et al., 2015).
In one-time universal hashing QDS, Alice shares keys with Bob and Charlie and forms her signer key by XOR. In the 2026 high-rate protocol, . For each message of bits, Alice selects $3n$ secret bits, splits them into and , constructs an 0 Toeplitz matrix 1, computes an 2-bit hash of the document, appends the random seed, and encrypts the resulting digest with a one-time pad: 3 Bob and Charlie exchange their shares over authenticated channels, reconstruct 4 and 5, decrypt 6, reconstruct 7, and accept if the recomputed digest matches exactly (Lin et al., 17 Mar 2026).
The 2019 multibit protocol follows a different route. Alice uses a time–energy entangled photon source, sends idler photons through a 50:50 beam splitter to Bob and Charlie, and encodes an 8-bit temporal pattern in a three-layer frame/slot/bin structure. Frame and bin numbers are publicly announced for sifting, while slot numbers remain private and carry the message. Bob and Charlie secretly exchange half of their frame/slot records, Alice later sends only the selected frame numbers 9, and the recipients reconstruct the message by temporal ghost imaging over two data blocks. The protocol signs 0 bits at once, excludes all-ones and all-zeros messages, and uses per-slot noise factors together with thresholds 1 to enforce transferability (Yao et al., 2019).
Other architectures modify the post-processing rather than the signing primitive. Post-matching removes the symmetrization step and the coincidence-detection bottleneck by aligning independently detected records after the fact; likely-bit-string QDS verifies against candidate raw-key strings consistent with observed error rates; and improved versions ask Alice to reveal key material only after both recipients confirm receipt of the packet, thereby removing the need to enumerate exponentially many likely strings (Lu et al., 2021, Qin et al., 2024).
4. Security models, parameters, and proof techniques
Threshold-based QDS security is commonly expressed through exponential concentration bounds. In the 2014 BB84-state protocol, repudiation obeys
2
while forging obeys
3
with 4 and 5 for the BB84 coherent-forging analysis. These bounds formalize the gap between honest mismatch rates and adversarial mismatch floors (Wallden et al., 2014).
In the multibit ghost-imaging protocol, the mismatch parameter is replaced by per-slot noise factors. The distribution-stage error rate is denoted 6, the effective number of signature elements is
7
and the forger’s guessing parameter is 8. The paper states
9
and
0
The slot-layer decision rule itself is Poissonian: 1 This recasts forging as a problem of hidden slot information rather than direct key mismatch (Yao et al., 2019).
Hash-based QDS replaces threshold comparisons by exact digest equality and moves the security analysis to universal hashing and min-entropy. In the 2026 one-time universal hashing implementation, the collision bound gives
2
with 3 and 4 yielding 5. Because symmetrization makes Bob and Charlie reconstruct identical 6 and 7, the same work sets 8, and robustness is dominated by error-correction failure,
9
This exact-equality regime is structurally different from mismatch-threshold QDS (Lin et al., 17 Mar 2026).
Later analyses weakened the key assumptions rather than the adversary. With imperfect quantum keys, the success probability of guessing an 0-bit key block satisfies
1
and the resulting authentication failure bounds become
2
The 2024 continuous-variable OTUH protocol uses the same min-entropy style,
3
but derives 4 from a fidelity test function and finite-size coherent-attack analysis rather than from discrete-variable decoy-state bounds (Li et al., 2023, Zhang et al., 2024).
5. Experimental implementations and performance
The first long-distance practical realization without any secure channel signed one-bit messages through up to 102 km optical fiber and continuously ran the system to sign the 32-bit message “USTC” at 51 km (Yin et al., 2016). That experiment used phase-randomized weak coherent BB84 states at 1550 nm, three-intensity decoy modulation 5, 6, 7, a 75 MHz clock, and SNSPDs with system detection efficiency about 8. The stated thresholds were 9 and 0 at 51 km, and the measured single-photon parameters included 1 around 2 and 3 around 4 (Yin et al., 2016).
Measurement-device-independent QDS was first field-tested over a metropolitan network covering a 200-square-kilometer area. That three-party experiment used an untrusted relay, Bell-state measurements, encrypted Bob–Charlie symmetrization based on MDI-QKD, and achieved a security level of about 5 for a binary message (Yin et al., 2017). The follow-up theoretical framework quantified minute-scale to hour-scale signature generation under realistic finite-key assumptions, and a 50 km example at 1 GHz reported 6, 7, 8, 9, and 0 (Puthoor et al., 2017).
The multibit ghost-imaging demonstration showed that about 4 s of single-photon measurement in the distribution stage suffices to sign a 10-bit message with failure probability below 1. In the experimental example, a 2 s data block gave 2 and 3, while optimization for 4 used 5, 6, and 7, achieving 8 (Yao et al., 2019).
Integrated and networked implementations then shifted the emphasis from proof-of-principle to deployability. The 2024 chip-based network used integrated silicon photonic transmitter and decoder chips, a one-decoy-state OTUH-QDS protocol, and achieved a maximum signature rate of 9 times per second for a 1 Mbit file over fiber distances up to 200 km (Du et al., 2024). The 2026 high-rate system combined Sagnac-based phase-stable polarization modulation, 1.25 GHz state preparation, and low-jitter SNSPDs, reporting $3n$0 tps at 75 km, $3n$1 tps at 100 km, $3n$2 tps at 150 km, $3n$3 tps at 200 km, and $3n$4 tps at 250 km with total loss $3n$5 dB. That same system signed 1 Mbit messages with overall $3n$6 and reported more than two orders of magnitude rate improvement under comparable loss (Lin et al., 17 Mar 2026).
6. Variants, multiparty extensions, and alternative physical platforms
Multiparty QDS generalizes the three-party logic to broadcasting and mass messaging. A 2021 six-state non-orthogonal framework reduced the number of quantum channels from $3n$7 to $3n$8 and used post-matching to increase data utilization efficiency from $3n$9 to 0. Under realistic parameters, it reported maximum transmission distances of 265 km for three-party, 220 km for four-party, and 156 km for five-party settings (Weng et al., 2021). A related 2021 symmetrization-free protocol based on post-matching showed that the signature rate scales linearly with the probability of detection events and was three orders of magnitude higher than the original protocol in a 100-km-long fiber simulation (Lu et al., 2021).
Random pairing is a protocol-agnostic refinement applied after the key-generation stage. It forms outcome bits by parity on random pairs, so that 1, transforms the bit-flip error rate according to 2, and increases the untagged fraction to 3. Applied to sending-or-not-sending and side-channel-free QDS, it was reported to increase the signature rate by more than 4 under noisy channel conditions (Qin et al., 2022).
Long-distance arbitrary-length signing has also been attacked through raw-key verification rather than final-key verification. The likely-bit-string method, applied to hash-function-based QDS, reported that both the baseline and improved variants can improve the signature rate by more than 100 times and increase the signature distance by about 150 km compared with hash function-based QDS protocols without likely bit strings (Qin et al., 2024). A closely related line showed that imperfect quantum keys can be used directly for one-time universal hashing without privacy amplification, with eight orders of magnitude improvement on signature rate for signing a megabit message compared with conventional single-bit schemes, and simulated implementation over a fiber distance of 650 km at approximately 5 tps using two-photon twin-field key generation (Li et al., 2023).
Alternative physical models broaden the same cryptographic logic. Counterfactual and twin-field QDS adapts interaction-free measurement and one-way twin-field interference to signature generation, with explicit Chernoff-style repudiation and forging bounds in terms of injected or decoy-assisted bits (Rao et al., 2023). Continuous-variable QDS uses coherent states, homodyne and heterodyne detection, and a fidelity test function
6
to obtain finite-size security against general coherent attacks. In simulation, the CV OTUH protocol reported an eight orders of magnitude reduction in signature length for a 1 megabit message signing task compared with existing CV QDS protocols, with 7 and 8 at 9 and 0 (Zhang et al., 2024).
7. Limitations, subtleties, and open problems
QDS is not a single security model but a family of models tied to specific trust assumptions. Trusted-measurement protocols assume honest detector behavior; MDI-QDS removes detector trust but still requires trusted sources, authenticated classical channels, and secure storage of local keys (Puthoor et al., 2017). Older BB84-state analyses are explicitly stand-alone rather than universally composable, and several papers identify full composable security, device-independent variants, and generalized coherent-attack proofs as open directions (Wallden et al., 2014, Collins et al., 2013).
Protocol-specific subtleties are often essential rather than cosmetic. The multibit ghost-imaging protocol excludes all-ones and all-zeros messages, because Bob could trivially forge by exploiting public frame sifting alone. Its scalability in 1 is limited by detector timing resolution, bin jitter, source bandwidth, stricter synchronization, and background sensitivity (Yao et al., 2019). Likewise, likely-bit-string verification can be computationally prohibitive without the improved method in which Alice reveals 2 only after both recipients have received 3 (Qin et al., 2024).
A recurring misconception is that QDS always requires perfectly secret keys. The imperfect-key OTUH line shows that privacy amplification can be omitted when the task is signature authentication rather than private communication, provided min-entropy leakage is explicitly bounded (Li et al., 2023). Another misconception is that arbitrary-length signing automatically follows from bit-wise QDS; in practice, one-bit protocols must be iterated, whereas hash-based and ghost-imaging protocols compress or block-encode longer documents directly (Yao et al., 2019, Lin et al., 17 Mar 2026).
Recent security reviews of preshared-key QDS based on universal hashing show that even mature practical designs can contain loopholes if authenticated communication failures, hash reuse, or forwarding rules are handled loosely. The 2025 analysis amended three existing protocols, explicitly accounted for the failure of information-theoretically secure authenticated communication, numerically optimized preshared-bit consumption and signature length, and identified the most efficient protocol among those compared (Grasselli et al., 7 Aug 2025). This suggests that the dominant open problems are no longer only physical implementation, but also exact composable formulations, tight finite-size optimization, and protocol hygiene across increasingly heterogeneous QDS architectures.