A Simple and Efficient One-Shot Signature Scheme
Andrew Huang, Vinod Vaikuntanathan
TL;DR
The paper gives a new, direct one-shot signature (OSS) scheme that signs a message of any polynomial length in a single shot using signing keys of $Θ(λ^2)$ qubits and public keys and signatures of $Θ(λ^2)$ bits, with perfect correctness and strong unforgeability. Rather than going through the DS22/AGKZ20 reductions that build OSS from non-collapsing hash functions, it works directly with a coset-subspace construction and Grover-style signing; this is the source of the efficiency gain over the bit-by-bit Shmueli-Zhandry construction, whose signing keys are $Θ(λ^4)$ qubits and whose signatures are $Θ(λ^3)$ bits. The scheme also satisfies strong signature incompressibility, which yields a public-key quantum fire scheme with perfect correctness and related primitives, and in doing so corrects a gap in the recent work of Çakan, Goyal and Shmueli (CGS25) and recovers its applications. Together these results reduce the quantum resources needed for OSS, both in the oracle model and in the plain model, and for its applications to quantum money, quantum fire and other advanced quantum cryptographic primitives.
Abstract
One-shot signatures (OSS) are a powerful and uniquely quantum cryptographic primitive which allows anyone, given a common reference string, to come up with a public verification key $\mathsf{pk}$ and a secret signing state $|\mathsf{sk}\rangle$. With the secret signing state, one can produce the signature of any one message, but no more. In a recent breakthrough work, Shmueli and Zhandry (CRYPTO 2025) constructed one-shot signatures, either unconditionally in a classical oracle model or assuming post-quantum indistinguishability obfuscation and the hardness of Learning with Errors (LWE) in the plain model. In this work, we address the inefficiency of the Shmueli-Zhandry construction, which signs messages bit-by-bit, resulting in signing keys of $Θ(λ^4)$ qubits and signatures of size $Θ(λ^3)$ bits for polynomially long messages, where $λ$ is the security parameter. We construct a new, simple, direct, and efficient one-shot signature scheme which can sign messages of any polynomial length using signing keys of $Θ(λ^2)$ qubits and signatures of size $Θ(λ^2)$ bits. We achieve corresponding savings in runtimes, in both the oracle model and the plain model. In addition, unlike the Shmueli-Zhandry construction, our scheme achieves perfect correctness. Our scheme also achieves strong signature incompressibility, which implies a public-key quantum fire scheme with perfect correctness, among other applications, correcting an error in a recent work of Çakan, Goyal and Shmueli (QCrypt 2025) and recovering their applications.
