Quantum Vault: Secure Access via Quantum States
- Quantum Vault is a security architecture that uses quantum states and measurements to restrict access without relying on classical secrets.
- It underpins systems such as quantum token authentication, custodial digital currency, and bounded disclosure in quantum databases.
- Implementations demonstrate tamper-evident verification and high-security metrics via techniques like SWAP tests, ensemble measurements, and quantum obfuscation.
“Quantum Vault” denotes a family of quantum-security architectures in which access to a protected asset is mediated by quantum states, quantum measurements, or quantum-secure delegation rather than by an ordinary classical secret alone. Across recent literature, the protected asset may be an authentication token, a quantum banknote, a basis-string message, a database row, a quantum circuit, or the output of a quantum program. The unifying idea is not a single protocol but a recurring security pattern: the protected object remains usable only under a quantum comparison, a hidden entanglement structure, a bounded set of destructive measurements, or a quantum-secure intermediary (Tsunaki et al., 5 May 2026, Broadbent et al., 2024, Gatti et al., 26 Aug 2025).
1. Conceptual scope and taxonomy
In the most explicit usage, a quantum vault is the bank’s retained quantum copy of a token state, replacing classical state descriptions that could otherwise be stolen and used for forgery (Tsunaki et al., 5 May 2026). In another explicit usage, a quantum vault is a custodial intermediary, concretely modeled as a Money Services Business (MSB), that stores and manages users’ quantum banknotes while end users remain classical (Broadbent et al., 2024). A third line of work uses the term for bounded-disclosure data access: a database row is recovered by choosing a measurement basis, and the superposition then collapses so that unqueried rows become physically inaccessible from that copy (Gatti et al., 26 Aug 2025).
Related literatures broaden the concept further. Quantum lock and quantum locker proposals encode correctness conditions into dark states, hidden atomic pairings, or quantum one-time passwords, so that unauthorized access either fails noisily or destroys the credential (Ozhigov, 2017, Dash et al., 2017). Quantum data locking and homomorphic evaluation schemes push the same intuition toward encrypted computation: a short secret key, a hidden mask, or an MLWE/BNSF quotient can keep a classical message, a quantum state, or a quantum program operationally inaccessible to an untrusted evaluator (Huang et al., 2020, Goertzel, 30 Apr 2025).
This suggests an umbrella definition: a quantum vault is any architecture in which quantum mechanics is used to constrain access, duplication, interpretation, or executable meaning of a protected resource. A recurring source of confusion is that the term does not always denote a persistent quantum memory. In several papers it denotes an authentication lock, a custodial service, or a secure-access layer rather than a general-purpose encrypted store (Broadbent et al., 2024, Ozhigov, 2017, Lakshmi et al., 10 Jun 2025).
2. Token authentication and issuer-held quantum reference states
The most direct “Quantum Vault” proposal is “Quantum Vault: Secure Token Authentication Without Classical State Information Benchmarked on IBMQ” (Tsunaki et al., 5 May 2026). Its central observation is that many quantum token architectures remain vulnerable if the issuer stores classical side information about token states; stealing that database permits forgery without violating the no-cloning theorem. The proposed remedy is to remove classical state information altogether and retain a second quantum copy at the issuer. The bank prepares two identical Haar-random single-qubit pure states, gives one copy to the user, stores the other in the vault, and discards the preparation angles (Tsunaki et al., 5 May 2026).
Authentication is performed by a repeated SWAP test. For one run, the expected ancilla output is
and over repetitions the decision statistic is
Hardware-imperfect behavior is modeled as
with the contrast and the offset (Tsunaki et al., 5 May 2026). On IBMQ Kingston, Fez, and Marrakesh, the paper reports single-token fake acceptance probabilities , $0.635$, and $0.713$, respectively, but bill-level attack probabilities collapse exponentially with the number of independently prepared token pairs. For bills of tokens, the forged-bill acceptance probabilities are 0, 1, and 2, while the false-negative target is below 3 (Tsunaki et al., 5 May 2026). The protocol is therefore not strong because one token is almost impossible to forge; it is strong because multi-token acceptance becomes a very sharp binomial tail.
A closely related but distinct credential model appears in “Ensemble-Based Quantum-Token Protocol Benchmarked on IBM Quantum Processors” (Tsunaki et al., 2024). There, each token is an ensemble device rather than a single isolated qubit, and authentication is defined through an observable
4
with acceptance based on the fraction of qubits consistent with 5 after the bank’s inverse rotation (Tsunaki et al., 2024). On IBM hardware, the paper reports an acceptance probability of 6 for a single forged token in contrast to 7 for the bank’s own tokens, and states that with 49 tokens the forged-token acceptance probability is below 8 even on the worst IBMQ benchmark (Tsunaki et al., 2024). The conceptual difference is important: the issuer-held quantum reference-state vault (Tsunaki et al., 5 May 2026) removes classical side information, whereas the ensemble-token protocol (Tsunaki et al., 2024) treats the token itself as a physically unclonable credential. Both, however, realize a vault-like access rule by making successful authentication depend on quantum state relations that cannot be reproduced cheaply from classical information alone.
3. Quantum locks, quantum lockers, and tamper-evident access control
Earlier work framed the same access-control idea as a lock. In “Quantum lock on dark states” (Ozhigov, 2017), the public part of the lock is a tensor product of two-atom singlets stored in a cavity, and the secret key is the hidden partition 9 of 0 atoms into 1 disjoint pairs. Authentication consists of moving proposed pairs slowly and synchronously from the main cavity to a control cavity. If the moved pair is a true singlet pair from the hidden partition, no photons are emitted; if the pair is wrong, destructive interference is lost and photon emission becomes possible, producing a detectable alarm (Ozhigov, 2017). The lock is therefore simultaneously an authentication device and a tamper-evident mechanism. It is better described as a quantum access-control structure than as an encrypted data store.
The physical basis of that lock is the Tavis–Cummings model, with collective lowering operator
2
and lock states built from weighted singlets (Ozhigov, 2017). The paper’s security claim is explicitly physical rather than computational: the hidden pairing cannot be learned without interactions that disturb the dark-state structure and trigger photon emission. The claim of “perfect secrecy” should therefore be read within that experimental access model rather than as a modern cryptographic proof against arbitrary coherent attacks (Ozhigov, 2017).
A different access-control construction appears in “Quantum Locker Using a Novel Verification Algorithm and Its Experimental Realization in IBM Quantum Computer” (Dash et al., 2017). Here the locker stores a basis-string message internally and releases it only if the retriever presents a valid quantum one-time password
3
with three secret continuous parameters (Dash et al., 2017). Verification is based on repeated weak measurement. For input
4
the ancilla-coupling unitary
5
biases generic superpositions toward 6, while 7 remains fixed (Dash et al., 2017). The locker applies the inverse rotation to the presented OTP, feeds the result through the verification box, and transfers the stored message only if the final measurement indicates 8 (Dash et al., 2017). This is again vault-like in the access-control sense, but the paper itself notes that the verification is probabilistic and that only the verification primitive, not the full locker, was experimentally realized on IBM hardware (Dash et al., 2017).
Taken together, these works establish a recurring pattern. A “vault” may be implemented not by hiding ciphertext in storage, but by embedding the access predicate into dark-state structure, weak-measurement dynamics, or unknown quantum credentials. Unauthorized probing is then either destructive, noisy, or statistically suppressive rather than merely computationally difficult (Ozhigov, 2017, Dash et al., 2017).
4. Custodial vaults, private databases, and secure-access layers
The term also appears at the systems-architecture level. “A Quantum Vault Scheme for Digital Currency” defines the quantum vault as a quantum-enabled intermediary, concretely modeled as an MSB, that performs receiver-side minting, storage, verification, transfer, and destruction of quantum banknotes on behalf of classical users (Broadbent et al., 2024). The underlying money interface is
9
with public verification
0
and certificate-of-destruction functionality
1
Here the vault is not a cryptographic primitive with a standalone formal definition; it is a custodial role in a three-layer infrastructure comprising issuing authority, quantum-capable intermediaries, and classical wallets (Broadbent et al., 2024). The main advantage is deployability without consumer quantum wallets. The main tradeoff is custodial trust, together with the explicit statement that the model does not fully realize strong local offline transitivity (Broadbent et al., 2024).
“Private Quantum Database” pushes the vault idea toward bounded data disclosure (Gatti et al., 26 Aug 2025). A relational table of size 2 is encoded as a sequence of QRAC states over mutually unbiased bases, with one basis per row and
3
The client receives only 4 copies of each encoded state, chooses up to 5 target row-bases, and divides those copies among them (Gatti et al., 26 Aug 2025). Measuring in one basis reconstructs the selected row chunk, while the act of measurement collapses the state and makes incompatible-basis information physically inaccessible from that copy. In a 2-qubit, 5-row, 130-bit example, the reported probability of correctly retrieving all 130 bits is 6 for 7 and 8 for 9 when 0; at 1, the corresponding values are 2 and 3 (Gatti et al., 26 Aug 2025). This is a bounded-retrieval vault semantics rather than a general-purpose database abstraction.
A third systems interpretation appears in “Secure Data Access in Cloud Environments Using Quantum Cryptography” (Lakshmi et al., 10 Jun 2025). There the useful contribution is a quantum-safe access layer in which authenticated users and a cloud server establish a secret via BB84-based QKD, then use the resulting key in an OTP-style XOR workflow: 4 The paper repeatedly uses “QOTP,” but the mechanism it actually instantiates is a classical one-time-pad/XOR over classical cloud data, not Pauli masking of quantum states (Lakshmi et al., 10 Jun 2025). Read as a vault design, it contributes BB84 key establishment, intrusion-evident channel setup, and session-bound access control, but not a complete quantum storage system. This is one of the clearest examples of the term being used for secure access rather than for a quantum memory vault proper (Lakshmi et al., 10 Jun 2025).
5. Circuit, program, and output protection
Quantum-vault ideas also arise in protecting executable artifacts rather than credentials or records. “CLOAQ: Combined Logic and Angle Obfuscation for Quantum Circuits” treats a valuable quantum circuit as the protected asset exposed to an untrusted compiler (Langford et al., 27 Feb 2026). The method combines logic obfuscation on non-phase gates with phase-angle obfuscation on phase gates. Security is evaluated by total variation distance
5
On benchmark circuits, correctly de-obfuscated circuits achieve low TVD—Adder 6, Basis Change 7, Fredkin 8, Wstate 9—while wrong-key locked variants produce high TVD, with combined obfuscation giving 0, 1, 2, and 3, respectively (Langford et al., 27 Feb 2026). The circuit sent into the toolchain is therefore a compilable but misleading artifact; authorized access consists of key-driven de-obfuscation after compilation. This is a circuit-IP vault rather than a storage vault.
At the program-evaluation level, “Efficient Quantum-Safe Homomorphic Encryption for Quantum Computer Programs” presents what is effectively a post-quantum encrypted-computation vault (Goertzel, 30 Apr 2025). Its cryptographic foundation is MLWE plus bounded natural super functors. A secret depolarizing BNSF mask
4
hides amplitudes, while each quantum state is stored as an MLWE ciphertext pair and quantum operations are evaluated homomorphically because of BNSF naturality (Goertzel, 30 Apr 2025). Security is formalized in the qIND-CPA game with coherent encryption-oracle access and reduced through four hybrids to decisional MLWE (Goertzel, 30 Apr 2025). The design also adds a typed QC-bridge for encrypted measurement feedback, encrypted Pauli twirls for circuit privacy, MLWE “capsules” for secret knowledge bases, and a 5-calculus driver that records auditable traces on an RChain-style ledger (Goertzel, 30 Apr 2025). The abstract reports that a 100-qubit, depth-6 teleportation-based proof runs in about 10 ms, the public key seed is 32 bytes, and even a CCA-level key stays below 300 kB (Goertzel, 30 Apr 2025). That is not a consumer vault, but it is a concrete design for storing and using quantum programs under encryption.
A more lightweight locking variant appears in “Fault tolerant quantum data locking” (Huang et al., 2020). There, a classical message 7 is encoded as an 8-qubit codeword 9 and scrambled with a Clifford-only pseudo-random circuit 0, selected by a short classical key. The key length obeys
1
and for approximate 2-designs this becomes
2
The resulting object is a lockbox for classical information carried by quantum states under a bounded-quantum-memory assumption (Huang et al., 2020). In vault terms, it is especially relevant for encrypting the output of a quantum computer without resorting to full private quantum channels.
6. Physical realizations, trust assumptions, and limitations
A recurring misconception is that every quantum-vault proposal is a complete, reusable, general-purpose secure quantum memory. The literature does not support that broad reading. Many proposals are specialized authentication devices, bounded-disclosure access layers, or secure-compilation primitives. The bank-held reference-state vault is consumptive on present hardware because repeated SWAP testing degrades the token pair (Tsunaki et al., 5 May 2026). The private quantum database is explicitly a bounded-retrieval mechanism and not a general-purpose storage engine (Gatti et al., 26 Aug 2025). The cloud-access proposal is a QKD-backed secure-access framework whose “QOTP” is actually OTP-style XOR over classical data (Lakshmi et al., 10 Jun 2025). The digital-currency vault introduces custodial trust and does not provide a formal malicious-vault theorem (Broadbent et al., 2024).
Hardware demonstrations reinforce that specialization. “Quantum-activated neural reservoirs on-chip open up large hardware security models for resilient authentication” presents a GST-based quantum-activated recurrent neural reservoir with more than 3 trillion hardware nodes/cm3, 0.07 nW electric power per readout channel, 99.6% reliability, 100% user authentication accuracy, ideal 50% key uniqueness, and a claimed capacity to store more than 4 keys in a footprint of 1 cm5 (He et al., 2024). Yet the paper itself is best read as a hardware authentication primitive or PUF-like root of trust rather than a full vault implementation. Its clearest immediate relevance is gated key release and challenge–response authentication, not general secure storage (He et al., 2024).
Security claims are also heterogeneous in strength. Some are formal reductions, as in the MLWE/BNSF qIND-CPA construction (Goertzel, 30 Apr 2025). Others are empirical and heuristic, as in CLOAQ’s TVD-based evaluation without direct implementation of advanced deobfuscation attacks (Langford et al., 27 Feb 2026). Others are physical-model claims that depend on access assumptions, as in the dark-state lock’s “perfect secrecy” framing (Ozhigov, 2017). The weak-measurement locker explicitly notes a small false-accept path, and its security argument is physics-based rather than composably formalized (Dash et al., 2017). Even strong token results depend on the bank’s ability to maintain quantum memory or ensemble hardware over time (Tsunaki et al., 5 May 2026, Tsunaki et al., 2024).
Finally, the phrase should be distinguished from the decentralized storage system “Vault: Decentralized Storage Made Durable,” which is not a quantum proposal at all but a rateless-erasure-coded permissionless storage system (Sun et al., 2023). Within quantum-security research proper, “Quantum Vault” is therefore best understood as a convergent label for several architectures that share a common objective—restricting access through quantum mechanics—while differing sharply in protected asset, trust model, physical platform, and level of formal security.