
Introduction
In today’s digital world, where data and information hold significant value as personal or corporate assets, a crucial question arises: How can people securely exchange information or send messages—whether financial transactions, legal documents, or authentication requests—while ensuring their accuracy and validity? One fundamental solution to this problem lies in cryptography, specifically in the concept of digital signatures.
Digital signatures provide a mechanism for verifying the authenticity and integrity of messages. However, quantum computing algorithms are capable of breaking widely used classical digital signature schemes, raising concerns about their security. Traditional schemes, such as those relying on RSA or ECC, are vulnerable to quantum attacks like Shor’s algorithm. To address these challenges, post-quantum cryptographic digital signature schemes have emerged as a promising solution.
To understand the importance of post-quantum cryptographic signatures, it is essential to distinguish between quantum cryptography and hybrid quantum cryptography. Quantum cryptography assumes that all parties have access to quantum resources, enabling protocols such as Quantum Key Distribution (QKD). In contrast, hybrid quantum cryptography focuses on scenarios where classical devices leverage quantum servers, integrating quantum advantages without requiring full-scale quantum adoption.

One particularly intriguing cryptographic concept that aligns with hybrid quantum cryptography is the one-shot signature—a mechanism designed for single-use applications, offering unique security benefits. But what exactly is a one-shot signature, and how can it serve as a fundamental building block in hybrid quantum cryptography?
Understanding One-Shot Signatures
The concept of one-shot signatures, first introduced in 2020, refers to a digital signature scheme where the secret key is a quantum state meant for a single use—once it is used to sign a message, it is automatically destroyed. This ensures the key cannot be reused, copied, or duplicated after signing.
In this scheme, anyone with a quantum computer can generate a classical public key pk along with a quantum secret key |sk⟩. According to the principles of quantum mechanics, when the signer uses |sk⟩ to sign a message m, producing a signature σ, this quantum state collapses. Furthermore, due to the no-cloning theorem, it is impossible to duplicate the quantum state, meaning an attacker cannot create another valid message-signature pair. This provides strong security guarantees, ensuring that even if an attacker accesses the original signing process, they cannot forge additional signatures.
The proposed one-shot signature scheme is based on the Common Reference String (CRS) model, which is suitable for specific use cases but has limited general applicability. The CRS model is a cryptographic framework where all parties involved in a protocol have access to a publicly known string, crs, that is generated in a trusted manner. This string is drawn from a specific distribution and used in cryptographic operations, such as zero-knowledge proofs and the broader analysis of cryptographic protocols. The primary assumption in the CRS model is that the initial setup phase (i.e., generating and distributing the crs) is performed by a trusted third party (TTP), which is considered a significant drawback. Despite this limitation, the CRS model can be incorporated into hybrid cryptographic systems, as both classical and quantum entities can access this resource.
Below, we will explain one-shot signature functionality and present a straightforward application to illustrate the concept.
How One-Shot Signatures Work

In a one-shot signature scheme, there are two parties and three algorithms. The protocol is executed over a classical communication channel between a classical verifier, Alice, and a quantum server, Bob. The scheme consists of the following components: quantum key generation (Gen), a quantum signing algorithm (Sign), and classical verification (Ver), as detailed below:
1. Key Generation (Gen)
- The signer (Bob) generates:
  - A quantum signing key (|sk⟩) that is ephemeral and can be used only once.
  - A classical public verification key (pk) that remains accessible.
2. Signing (Sign)
- Bob uses the quantum signing key (|sk⟩) to sign a message (m).
- The process produces a classical signature (σ).
- The quantum key (|sk⟩) is automatically destroyed, preventing any further use.
3. Verification (Ver)
- Anyone with the public key (pk) - in this case, Alice - can verify the signature (σ) on the message (m).
- This guarantees message authenticity while preserving the one-shot security property.
The above scheme guarantees that it is impossible for anyone to generate a public key along with two valid signatures for different messages. This security property is enforced by the nature of the quantum signing key (|sk⟩), which collapses upon use due to the principles of quantum mechanics and the no-cloning theorem. As a result, once the key is used to sign a message, it is destroyed, making it infeasible for an adversary to produce multiple valid signatures under the same public key.
Applications of One-Shot Signatures
1. Signature Delegation
In the context of one-shot signatures, a key application is the signature delegation scheme, which allows a party (Alice) to delegate signing authority to another party (Bob) for a single message only. In this scenario, an additional party, the verifier, is involved. The verifier is responsible for checking both the validity of Alice’s authorisation to Bob and the authenticity of the signature signed by Bob.
To mitigate risks from Bob’s quantum capabilities, Alice employs a post-quantum signature scheme, generating a signing key (PQC.sk) and verification key (PQC.vk). The verification key is then shared with the verifier. Bob, as the quantum entity, requests authorization from Alice using the one-shot signature scheme, sending a classical value y linked to his quantum key. Once Alice provides the authorization σ, Bob can proceed with signing a message of his choice.
The protocol follows these steps:
- Alice generates a classical signing key (sk) and a verification key (vk) using a post-quantum signature scheme.
- Bob uses the one-shot signature scheme to create a quantum signing key |sk⟩ and a classical public key y, and sends y to Alice to seek authorisation.
- Alice signs a delegation statement, granting Bob permission to sign exactly one message.
- Bob signs the message, and his quantum key is automatically destroyed after use.
- The verifier checks the validity of Alice’s delegation and Bob’s signed message. If both verification steps succeed, the verifier accepts the signature.
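As an added example that is not part of the original post, here is a software simulation of the five steps above in Python. Lamport one-time signatures, which are hash-based and therefore post-quantum, stand in for Alice's PQC scheme and, wrapped so that the key is erased after one use, for Bob's one-shot scheme; the wrapper only mimics self-destruction, since a classical key can be copied before signing, which is exactly what the no-cloning theorem rules out for |sk⟩. The delegation statement format and the fingerprint used as Bob's classical value y are assumptions of this example.

```python
import hashlib
import secrets

H = lambda data: hashlib.sha256(data).digest()

def msg_bits(msg: bytes):
    d = H(msg)  # sign the 256-bit digest, one secret per bit
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_gen():
    """Hash-based one-time key: 256 secret pairs, public key = their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def lamport_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][b] for i, b in enumerate(msg_bits(msg)))

def fingerprint(pk) -> bytes:
    """The classical value y that Bob sends to Alice to identify his key (assumed)."""
    return H(b"".join(a + b for a, b in pk))

class OneShotKey:
    """Stand-in for (pk, |sk>): the key is erased after one signature.
    A classical key could be copied first; no-cloning is what forbids that."""
    def __init__(self):
        self.sk, self.pk = lamport_gen()
        self.y = fingerprint(self.pk)
    def sign(self, msg: bytes):
        if self.sk is None:
            raise RuntimeError("one-shot key already consumed")
        sig, self.sk = lamport_sign(self.sk, msg), None  # sign, then destroy
        return sig

def delegation_statement(y: bytes) -> bytes:
    return b"Alice authorises exactly one signature under y=" + y.hex().encode()
def verifier_accepts(alice_vk, bob_pk, sigma, m: bytes, x) -> bool:
    """Step 5: Alice's delegation of y must verify AND Bob's signature on m."""
    return (lamport_verify(alice_vk, delegation_statement(fingerprint(bob_pk)), sigma)
            and lamport_verify(bob_pk, m, x))

def run_delegation(m: bytes):
    alice_sk, alice_vk = lamport_gen()                           # step 1
    bob = OneShotKey()                                           # step 2: Bob sends bob.y
    sigma = lamport_sign(alice_sk, delegation_statement(bob.y))  # step 3
    x = bob.sign(m)                                              # step 4: |sk> consumed
    return alice_vk, bob, sigma, x
```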

2. Proof of Quantumness
Another key application of one-shot signatures is in proof of quantumness. Imagine a classical client enlists a service to perform an expensive quantum computation. For example, the client may have some data encrypted with a quantum fully homomorphic encryption (qFHE) scheme and wants the service to perform computations on the data (e.g. run a predictive machine learning algorithm on encrypted medical records). First, how can the client even be sure that the service has quantum capabilities? One method to be sure of this is for the client and service to engage in a proof of quantumness protocol. In a nutshell, proof of quantumness is a 2 party protocol between a prover and a verifier. The prover convinces the verifier of their quantum capabilities by answering some challenge query set by the verifier, who accepts or rejects this response.
How do one-shot signatures help us build such a protocol? It is actually quite easy! Assume there exists a secure one-shot signature scheme. The quantum prover generates a signing key/public key pair using the one-shot signature key generation algorithm and sends the public key to the classical verifier. The verifier then selects a random message and asks the prover to sign it. If the prover successfully returns a valid signature, it proves that they had access to quantum resources, as any adversary who can generate a valid signature without the (quantum) signing key has produced a successful forgery of the signature scheme. If our underlying one-shot signature scheme is secure, this can never happen!
3. Secure Digital Transactions
Due to the single-use nature of the quantum secret key, one-shot signatures serve as a foundation for securing financial transactions, smart contracts, and blockchain technologies.
A key application is the “budget signature”, which introduces a way to control the number of signatures that can be generated under a given public key. A budget signature extends the concept of one-shot signatures by introducing a limited signing capacity, assigning a budget B to a public key to ensure that signatures can only be generated within a predefined limit. When signing a message, a portion of the budget B is consumed, enforcing controlled usage, while the verification process ensures that the signer does not exceed the allocated budget.
Additionally, one-shot signatures enable the construction of a blockchain-less cryptocurrency design! The design combines the ideas of proof of work along with the signature delegation we can do with one-shot signatures.
In this cryptocurrency, a coin is a public key - (quantum) secret key pair. To mine a coin, we keep running Gen(crs) until we get a pair (pk, |sk⟩) where the public key string pk starts with a specified number of zeros (this ensures enough work was done to obtain such a coin). If Alice wants to transfer her coin to participant Bob, we use the signature delegation protocol. In more detail, Alice and Bob engage in the following interaction:

Such a decentralized currency requires very little consensus - the participants only need to agree on what the crs is for the underlying one-shot signature scheme! Since double spending physically cannot occur due to the one-shot property, we do not need to maintain a public ledger (i.e. a blockchain)! Finally, we only need to send classical public keys when sending money; no quantum communication is needed.
Advantages of One-Shot Signatures
To restate, one-shot signatures provide strong security guarantees by eliminating risks associated with key reuse, ensuring that each signing key is used only once and cannot be duplicated or exploited, thus preventing replay attacks or double-spending. Their post-quantum nature makes them particularly valuable in the era of quantum computing, as they are designed to remain secure against quantum adversaries who could break traditional digital signatures, while still allowing for the continued use of existing classical devices. Additionally, the protocol enables efficient delegation, allowing a signer to authorize another party to sign exactly one message on their behalf without exposing long-term secret keys. This makes one-shot signatures a promising tool for achieving a balance between security, efficiency, and future-proof cryptographic guarantees.
How Do We Build a One-Shot Signature?
Despite their vast applications, developing a secure one-shot signature scheme remains an open challenge. One approach is to use one-shot chameleon hashing. A one-shot chameleon hash is a collision resistant hash function that also has a quantum “inversion algorithm.” This algorithm takes a quantum secret key |sk⟩ and a hash value h, and returns a value x which hashes to h. In more detail, our one-shot signature scheme would be as follows:
- Key generation: run the chameleon hash key generation algorithm. This outputs a classical hash value h and a quantum state |sk⟩. Set the one-shot public key to be h and the secret signing key to be |sk⟩.
- Signing: To sign a message m, run the chameleon inversion algorithm on m using |sk⟩. We get some output string x, which is our signature. The secret key |sk⟩ self-destructs after we obtain our signature x.
- Verifying: Check that the signature x (for message m) hashes to the public key h.
Great! So to build a one-shot signature, we just need to build a one-shot chameleon hash function. Unfortunately, this seems to be quite difficult. The authors who proposed one-shot signatures attempted to present a secure construction. While there is no attack on it, it was recently shown that their security proof is flawed. Designing a provably secure one-shot signature scheme is still something we have yet to see.
Can we use existing hash functions (like SHA) to build the hash functions needed for one-shot signatures? Unfortunately, some recent results tell us this is simply impossible. A paper shows that building one-shot signatures requires hashes that are slightly weaker from a security point of view. In particular, hash functions that are collision resistant but not collapsing can be used to build one-shot signatures. However, the standard hash constructions we know all possess the collapsing property (including SHA if you believe it is a random oracle). So to design a one-shot signature, the underlying hash function we will need cannot look like any other hash we have seen before, which makes designing such a hash an incredibly interesting open problem.
Challenges and Future Research
As discussed, a major hurdle lies in the construction details of the hash function at the core of one-shot signatures, which are still not well defined. In early 2025, the author of the original paper identified a fundamental flaw in the proof, yet this does not diminish the significance of the one-shot signature concept.
Another challenge lies in protecting the implementation details—akin to line-by-line code in software and programming—of the one-shot signature and equivocal hash functions from the quantum server executing the computation. While obfuscation could be a potential solution, the efficient application of post-quantum obfuscation remains unclear, and quantum obfuscation is still an open problem.
Despite these challenges, one-shot signatures offer promise for applications across various protocols, not only in cryptography but also in blockchain, decentralized finance (DeFi), and digital identity management.
Conclusion
As the world shifts its focus toward quantum computing and the continuous advancement of quantum technology, the need for quantum-secure cryptographic solutions becomes more urgent than ever. One-shot signatures emerge as a powerful tool in this transition, offering enhanced security, post-quantum resilience, and efficient delegation. Their ability to prevent key reuse, enable secure digital transactions, and support decentralized systems makes them a crucial building block for bridging the gap between classical and quantum cryptographic settings.
While challenges remain, ongoing research will be crucial in realizing the full potential of one-shot signature schemes. As quantum computing continues to advance, further exploration of one-shot signatures and their applications will be key to shaping the future of secure communication, decentralized finance, and digital identity management in a quantum-driven world.