Quantum Signing Tokens
- Quantum signing tokens are quantum state-based cryptographic primitives that provide one-time signing capabilities and delegated authentication with information-theoretic security.
- They employ methods such as hidden subspace states, BB84 product states, and entanglement swapping to achieve unforgeability, revocability, and robust performance under noise.
- Practical implementations integrate classical verification and specialized hardware, ensuring near-instant local validation and noise tolerance (up to 14% in some BB84-based schemes).
Quantum signing tokens are cryptographic primitives in which signing or authorization power is embodied in a quantum state, or in token data whose security derives from an earlier quantum interaction. In the canonical tokenized-signature model, a classical secret key mints quantum one-time signing tokens that are consumed during signing; in related Tokenized Message Authentication Codes, a quantum token delegates the ability to authenticate at most one document; in relativistic S-money, the token is a spacetime-constrained authentication object whose eventual presentation point can be chosen late and validated locally (Ben-David et al., 2016, Behera et al., 2021, Kent et al., 2019). The subject therefore spans abstract unclonable-signing constructions, entanglement-based quantum digital signatures, one-shot signatures based on coset states, and practical token architectures that either eliminate user-side quantum memory or embed the token in specialized hardware (Nadeem et al., 2015, Shmueli et al., 6 Nov 2025, Tsunaki et al., 5 May 2026).
1. Conceptual foundations and scope
Quantum signing tokens emerged from several partially overlapping lines of work. In one line, the goal is a standard digital signature scheme with the familiar properties of message dependence, signer specificity, and later verifiability, but with information-theoretic rather than computational security. The 2015 entanglement-based quantum digital signature scheme explicitly defines a standard signature as one whose signature depends on the message to be signed, is built from information publicly known and unique to the signatory, and can be stored by all recipients for later verification (Nadeem et al., 2015).
A second line treats signing capability itself as a single-use quantum resource. “Quantum Tokens for Digital Signatures” formalizes a tokenized signature scheme in which a classical secret key generates quantum one-time signing tokens, and a signing algorithm consumes such a token to produce a classical signature that is checked by a deterministic classical verifier (Ben-David et al., 2016). This directly connects signing to unclonability: one token corresponds to one signing opportunity.
A third line broadens the notion from document signing to delegated authentication. The TMAC formulation describes a Tokenized Message Authentication Code in which Alice issues a quantum signing token from a classical secret key and the holder can sign at most one document; the paper explicitly presents this as a delegation primitive that allows limited signing authority without disclosing the long-term key (Behera et al., 2021).
A fourth line generalizes “signing” into spacetime authorization. Flexible S-money defines virtual tokens that can be validly presented only at pre-agreed spacetime points , with near-instant local verification and unforgeability guaranteed by relativistic signalling constraints and an earlier quantum exchange (Kent et al., 2019). This suggests that “quantum signing token” is best understood as a family of unclonable authorization mechanisms rather than a single formal object.
2. Formal models and representative constructions
The tokenized-signature abstraction is usually given by four algorithms: $\mathsf{KeyGen}(1^\kappa)\to (pk,sk),\quad \mathsf{TokenGen}(sk)\to \stamp,\quad \mathsf{Sign}(\alpha,\stamp)\to sig,\quad \mathsf{Verify}(pk,\alpha,sig)\to \{0,1\}.$ Correctness requires that a token generated from can sign any permitted message so that classical verification accepts (Ben-David et al., 2016). In the TMAC setting the syntax is analogous,
but the primitive is MAC-like rather than public-key (Behera et al., 2021).
The first major tokenized-signature construction is based on Aaronson–Christiano hidden-subspace quantum money. For a random subspace of dimension , the token is the uniform superposition over . Signing bit $0$ amounts to measuring in the computational basis and outputting a nonzero element of ; signing bit $\mathsf{KeyGen}(1^\kappa)\to (pk,sk),\quad \mathsf{TokenGen}(sk)\to \stamp,\quad \mathsf{Sign}(\alpha,\stamp)\to sig,\quad \mathsf{Verify}(pk,\alpha,sig)\to \{0,1\}.$0 applies $\mathsf{KeyGen}(1^\kappa)\to (pk,sk),\quad \mathsf{TokenGen}(sk)\to \stamp,\quad \mathsf{Sign}(\alpha,\stamp)\to sig,\quad \mathsf{Verify}(pk,\alpha,sig)\to \{0,1\}.$1, which maps the state to the corresponding dual-space superposition, and then measures to obtain a nonzero element of $\mathsf{KeyGen}(1^\kappa)\to (pk,sk),\quad \mathsf{TokenGen}(sk)\to \stamp,\quad \mathsf{Sign}(\alpha,\stamp)\to sig,\quad \mathsf{Verify}(pk,\alpha,sig)\to \{0,1\}.$2. Verification checks subspace membership, so the signature is classical while the signing resource is quantum (Ben-David et al., 2016).
A simpler construction uses BB84 product states. In the one-bit noisy TMAC, the secret key is $\mathsf{KeyGen}(1^\kappa)\to (pk,sk),\quad \mathsf{TokenGen}(sk)\to \stamp,\quad \mathsf{Sign}(\alpha,\stamp)\to sig,\quad \mathsf{Verify}(pk,\alpha,sig)\to \{0,1\}.$3 with $\mathsf{KeyGen}(1^\kappa)\to (pk,sk),\quad \mathsf{TokenGen}(sk)\to \stamp,\quad \mathsf{Sign}(\alpha,\stamp)\to sig,\quad \mathsf{Verify}(pk,\alpha,sig)\to \{0,1\}.$4, and the token is
$\mathsf{KeyGen}(1^\kappa)\to (pk,sk),\quad \mathsf{TokenGen}(sk)\to \stamp,\quad \mathsf{Sign}(\alpha,\stamp)\to sig,\quad \mathsf{Verify}(pk,\alpha,sig)\to \{0,1\}.$5
To sign bit $\mathsf{KeyGen}(1^\kappa)\to (pk,sk),\quad \mathsf{TokenGen}(sk)\to \stamp,\quad \mathsf{Sign}(\alpha,\stamp)\to sig,\quad \mathsf{Verify}(pk,\alpha,sig)\to \{0,1\}.$6, the holder measures in basis $\mathsf{KeyGen}(1^\kappa)\to (pk,sk),\quad \mathsf{TokenGen}(sk)\to \stamp,\quad \mathsf{Sign}(\alpha,\stamp)\to sig,\quad \mathsf{Verify}(pk,\alpha,sig)\to \{0,1\}.$7, obtaining a classical string $\mathsf{KeyGen}(1^\kappa)\to (pk,sk),\quad \mathsf{TokenGen}(sk)\to \stamp,\quad \mathsf{Sign}(\alpha,\stamp)\to sig,\quad \mathsf{Verify}(pk,\alpha,sig)\to \{0,1\}.$8. Verification defines the basis-matching set
$\mathsf{KeyGen}(1^\kappa)\to (pk,sk),\quad \mathsf{TokenGen}(sk)\to \stamp,\quad \mathsf{Sign}(\alpha,\stamp)\to sig,\quad \mathsf{Verify}(pk,\alpha,sig)\to \{0,1\}.$9
and accepts when the restricted strings agree on the checked positions (Behera et al., 2021). The construction uses only simple tensor-product BB84 states and no entanglement.
A distinct construction replaces one-way-function-style public keys with multiparty controlled EPR channels. In that scheme, entanglement swapping and teleportation generate two different quantum states that are non-locally correlated rather than multiple copies of a unique signature state. Alice, Bob, and Charlie each hold only part of the relevant control data, and verification depends on consistency relations induced by the controlled entangled channel (Nadeem et al., 2015).
Flexible S-money has a different formal structure. In its refined two-stage form, an early quantum-information stage establishes a private random string 0, and a later classical stage chooses the presentation point label 1 by sending
2
At presentation, the user unveils 3, and the issuer checks
4
This decouples token acquisition from the eventual decision of where the token will be valid (Kent et al., 2019).
3. Security notions, guarantees, and limitations
The defining security notion is unforgeability, but its exact formulation depends on the model. For tokenized signatures, an adversary given 5 tokens should not be able to produce valid signatures for 6 different messages. This “one token = one signing capability” principle is the core quantitative expression of quantum single-use authority (Ben-David et al., 2016). The same pattern appears in TMAC, where an adversary given 7 tokens, together with signing and verification oracles, should not be able to output valid signatures for 8 fresh documents (Behera et al., 2021).
Several stronger or adjacent notions appear in the literature. Tokenized signatures define revocability, and the paper proves that every unforgeable tokenized-signature scheme is revocable. They also define testability, under which a token can be checked without being consumed, and show that every testable tokenized signature is a public quantum money scheme. The same work further introduces one-time everlasting revocability, under which even an unbounded adversary given the token but not the public key cannot both keep a valid residual token and output a valid fresh signature (Ben-David et al., 2016).
In the entanglement-based quantum digital signature scheme, security is phrased in the classical signature vocabulary of non-masquerading, non-repudiation, non-forgery, and transferability. The central argument is that signatures are distributed as non-locally correlated quantum/classical data, so neither Alice nor Bob alone controls enough information to cheat Charlie consistently (Nadeem et al., 2015).
Relativistic token schemes add a distinct privacy notion. Flexible S-money provides future privacy: the issuer should not learn in advance which presentation point will eventually be chosen, because the later classical message 9 reveals nothing about 0 when 1 remains hidden. The same paper is explicit that it focuses on future privacy rather than the stronger “past privacy” property (Kent et al., 2019).
Noise tolerance has become a central practical metric. The BB84-based TMAC proves that, assuming post-quantum one-way functions exist, for every 2 with 3, there exists a TMAC scheme that is 4-noise tolerant and existentially unforgeable against classical signing and verification oracles; the paper highlights the concrete corollary of 14% noise tolerance (Behera et al., 2021). At the same time, that work is explicit about limitations: the security notion is not strong unforgeability, it does not cover quantum superposition access to the verification oracle, and the 14% claim is under an IID corruption model rather than arbitrary adversarial noise (Behera et al., 2021).
A recurring misconception is that no-cloning alone resolves all token-security questions. “Quantum Vault” identifies an overlooked attack in which the adversary steals the issuer’s classical side information about the token states, thereby forging counterfeit tokens without violating the no-cloning theorem. Its proposal removes classical descriptions of token states and replaces them with a bank-held quantum copy, shifting authentication from classical-state comparison to quantum-to-quantum comparison (Tsunaki et al., 5 May 2026).
4. Memory, transfer, and spacetime structure
Quantum signing tokens differ sharply in how they handle quantum memory. Earlier standard quantum digital signature schemes based on quantum one-way functions required long-term quantum memory for storing quantum signatures and often used swap tests or direct quantum comparison in verification. The multiparty-controlled-EPR approach was proposed specifically to avoid that practical drawback while preserving information-theoretic security (Nadeem et al., 2015).
Tokenized signatures in the hidden-subspace model still rely on a stored quantum token, but the token is destroyed by the signing measurement. That model also motivates applications in which quantum money can be turned into a classical “check”: a holder signs a statement transferring a bill with a given serial number, and the recipient presents the signed statement to a bank for replacement issuance (Ben-David et al., 2016). In that sense, tokenized signatures link unclonable tokens to classically transferable value.
One-shot signature research seeks to reduce the quantum-memory burden rather than eliminate it. “Unclonable Cryptography in Linear Quantum Memory” studies one-shot signatures and more general quantum signing tokens and proves, relative to a classical oracle, secure OSS for 5-bit messages with 6-sized quantum secret keys and strong unforgeability. Its central technical objects are coset states, and the main improvement is a reduction in secret-key size that is asymptotically optimal in some regimes (Shmueli et al., 6 Nov 2025). A subsequent circuit-level implementation makes this more explicit: the public key is classical, the secret key is a quantum superposition over a hidden affine coset
7
and the secret key state is
8
That work states that the logical qubit number scales like 9 and the gate complexity scales like 0 (Muraleedharan et al., 22 Jun 2026).
At the opposite extreme are schemes designed to remove user-side quantum memory entirely. Flexible S-money shifts all quantum work into an early setup stage and then allows later decision and presentation using only classical communication. The user can determine the valid presentation point anywhere in the causal past of all valid presentation points, and the refinement allows flexible transfer of tokens among users without compromising user privacy (Kent et al., 2019). Practical S-money implementations make the same architectural point more directly: Bob sends BB84 states, Alice measures immediately, and the spendable token thereafter is classical, while still supporting near-instant validation without cross-checking (Kent et al., 2021).
5. Experimental realizations and hardware platforms
Experimental work has bifurcated into virtual-token realizations and stored-state realizations. The practical S-money implementation with off-the-shelf QKD hardware showed that quantum-token generation can be integrated with standard photonic technology while tolerating noise, losses, and experimental imperfection; the presented token is classical, but unforgeability and privacy derive from the earlier quantum phase (Kent et al., 2021). A full experimental demonstration of quantum S-tokens then reported a heralded single-photon source with 88.24% system efficiency, token length 1, and measured transaction-time advantages of 2 over an intra-city 3 km optical-fibre network and 4 comparative advantage over an inter-city 5 km field-deployed fibre network (Jiang et al., 2024).
A separate line retains physical quantum tokens but changes the reference architecture. “Quantum Vault” stores a copy of the token at the bank and authenticates via a SWAP test between the user token and the vault token. Benchmarks on three IBMQ processors reported false-negative probabilities lower than 6 and successful-attack probabilities of 7 for quantum bills composed of 8 tokens, even in the worst-performing hardware (Tsunaki et al., 5 May 2026). This architecture explicitly aims to remove classical token-state metadata as a single point of failure.
The ensemble-based protocol benchmarked on IBM Quantum processors replaces single isolated qubits by ensembles. In that model, legitimate tokens achieve acceptance probabilities above 0.999, while a forged single token can be accepted with probability as low as 0.059. The paper further reports that, even in the worst IBMQ case, with fewer than 9 tokens the acceptance probability of forged tokens is below 0 (Tsunaki et al., 2024). Its emphasis is hardware agnosticism: the protocol is described by an observable operator, measurement uncertainty, and a normalized contrast parameter rather than by any platform-specific Hamiltonian.
Solid-state proposals concentrate on memory-enabled tokens. “Secure Quantum Token Processing with Color Centers in Diamond” describes a memory-enabled Wiesner-style token scheme using sawfish nanophotonic crystal cavities and fractional Raman gates. It reports gate fidelities of 1 for optical Raman control and 2 for microwave control, and an optimal acceptance rate of 3 for a 4 km link under the stated assumptions; the paper argues that the MHz regime becomes possible through parallelization and improved efficiencies (Strocka et al., 6 Mar 2025). Closely related work on hybrid spin-photon interfaces uses electron and nuclear spins in diamond plus time-bin photons, with preparation, storage, and verification tied together by hybrid tripartite entanglement and Bell-state measurements. In the idealized single-shot setting it states that an adversary’s forging probability is at most 5, while average verification fidelity depends on storage time, phase noise, and basis mismatch through
6
6. Adjacent notions, terminology boundaries, and current trajectory
The literature uses “quantum signature,” “quantum token,” and “quantum signing token” in overlapping but non-identical ways. Some schemes are document-signature primitives with explicit signing and verification algorithms; others are payment, authentication, or authorization objects whose behavior is signature-like only in a broader systems sense. Flexible S-money belongs to the latter category: it is best understood as a relativistic quantum authentication or signing primitive because a hidden quantum-derived commitment and a later classical disclosure bind the valid spacetime label without revealing it beforehand (Kent et al., 2019).
There are also proposals that use quantum randomness or quantum circuits without yet constituting secure quantum signing tokens in the cryptographic sense. QSignAI, for example, presents a production-deployed open-source platform in which a Telegram bot routes each participant’s first message through a two-circuit pipeline on AWS Braket SV1, generating a quantum-randomness-seeded identity signature and a visual badge. The paper is explicit that this mechanism is a pedagogical ToyLWE-style construction, that the current deployment runs on a classical simulator rather than a physical QPU, and that the real path is replacement with CRYSTALS-Dilithium; it therefore describes a quantum-randomness-seeded identity display system rather than a formally secure signing-token scheme (Liu et al., 26 May 2026).
Pedagogical work has also broadened the conceptual reach of the subject. The qandy-model treatment of quantum digital signatures shows that complementarity, no-cloning, and measurement disturbance are sufficient to explain QDS protocols without invoking full qubit algebra. In that recasting, qandy strings play the role of distributed public keys, symmetrization prevents repudiation, and statistical thresholds govern forgery and honest-abort probabilities (Mor et al., 2021).
Across these directions, the field has moved from hidden-subspace money-based abstractions and entanglement-based QDSS toward three engineering objectives: reducing or eliminating long-term quantum memory, making verification classical or locally instantaneous, and quantifying security under realistic noise and hardware constraints. A plausible implication is that “quantum signing tokens” now names a layered research area with at least four stable subfamilies: tokenized signatures and TMACs, one-shot signatures based on coset states, relativistic S-money authorization tokens, and bank- or device-bound authentication tokens realized in photonic, superconducting, or solid-state hardware (Ben-David et al., 2016, Behera et al., 2021, Shmueli et al., 6 Nov 2025, Jiang et al., 2024).