Can you sign a quantum state?
Cryptography with quantum states exhibits a number of surprising and counterintuitive features. In a 2002 work, Barnum et al. argue that these features imply that digital signatures for quantum states are impossible (Barnum et al., FOCS 2002). In this work, we ask: can all forms of signing quantum data, even in a possibly weak sense, be completely ruled out? We give two results which shed significant light on this basic question. First, we prove an impossibility result for digital signatures for quantum data, which extends the result of Barnum et al. Specifically, we show that no nontrivial combination of correctness and security requirements can be fulfilled, beyond what is achievable simply by measuring the quantum message and then signing the outcome. In other words, only classical signature schemes exist. We then show a positive result: a quantum state can be signed with the same security guarantees as classically, provided that it is also encrypted with the public key of the intended recipient. Following classical nomenclature, we call this notion quantum signcryption. Classically, signcryption is only interesting if it provides superior performance to encrypt-then-sign. Quantumly, it is far more interesting: it is the only signing method available. We develop “as-strong-as-classical” security definitions for quantum signcryption and give secure constructions based on post-quantum public-key primitives. Along the way, we show that a natural hybrid method of combining classical and quantum schemes can be used to “upgrade” a secure classical scheme to the fully-quantum setting, in a wide range of cryptographic settings including signcryption, authenticated encryption, and CCA security.
💡 Research Summary
The paper addresses two fundamental questions about cryptographic authentication of quantum data: (i) whether digital signatures for quantum states can exist at all, and (ii) if not, what alternative primitive can provide comparable integrity and authenticity guarantees. The authors first formalize a quantum signature scheme (QS) as a pair of quantum polynomial‑time algorithms (Sign, Ver) and define correctness with respect to an arbitrary quantum channel N: Ver ∘ Sign should reproduce the input state up to negligible error. Because quantum information cannot be cloned, the traditional notion that a signature is merely auxiliary data is abandoned; instead, verification must recover (part of) the original quantum message.
With this broad definition, the paper proves a strong impossibility result that extends the earlier argument of Barnum et al. (FOCS 2002). Theorem 1.2 shows that any QS that satisfies full correctness cannot achieve even a weak one‑time security guarantee: for any two‑outcome measurement M, the scheme is at most (1‑negl)‑secure. Moreover, if a QS is ε‑one‑time secure for a pair of measurements {M₀, M₁}, then the two measurements must be (1‑ε)‑commuting. The proof uses a reduction that turns a distinguishing attack on the measurement outcomes into a malleability attack on the signature, relying on Stinespring dilations and a channel‑approximation lemma. Consequently, a quantum signature can only sign classical information extracted by commuting measurements, i.e., classical bits, confirming that genuine quantum‑state signatures are impossible.
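The measure-then-sign baseline that the impossibility result leaves standing can be made concrete with a one-qubit simulation. This is an added example, not code from the paper: HMAC-SHA256 with a constructed key stands in for the classical signature scheme, the Z-basis measurement is the single measurement being signed, and the states are plain amplitude lists. It shows that Ver ∘ Sign recovers Z-basis states perfectly but returns an X-basis state with fidelity only 1/2, i.e. only the outcome of one fixed (commuting) measurement is actually signed.

```python
import hashlib, hmac, random

KEY = b"constructed-demo-key"   # constructed; stands in for the classical signing key

def sign_bit(bit: int) -> bytes:
    """Classical signature stand-in (HMAC-SHA256) over the measured bit."""
    return hmac.new(KEY, bytes([bit]), hashlib.sha256).digest()

def verify_bit(bit: int, tag: bytes) -> bool:
    return hmac.compare_digest(sign_bit(bit), tag)

def basis(bit: int):
    """Computational basis vector |bit> as a 2-entry amplitude list."""
    return [1 + 0j, 0j] if bit == 0 else [0j, 1 + 0j]

def fidelity(a, b) -> float:
    """|<a|b>|^2 for pure states."""
    return abs(sum(x.conjugate() * y for x, y in zip(a, b))) ** 2

def sign_state(state, rng):
    """Measure-then-sign: measure in the Z basis, then sign the outcome classically."""
    bit = 0 if rng.random() < abs(state[0]) ** 2 else 1
    return bit, sign_bit(bit)

def verify_state(bit, tag):
    """Ver must output a quantum state; here it re-prepares |bit> if the tag checks."""
    return basis(bit) if verify_bit(bit, tag) else None

def avg_recovery_fidelity(state, trials=1000, seed=1) -> float:
    """Average fidelity between the message and Ver(Sign(message))."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        bit, tag = sign_state(state, rng)
        total += fidelity(state, verify_state(bit, tag))
    return total / trials

def forgery_rejected() -> bool:
    """Flipping the signed bit must be caught by the classical verification."""
    bit, tag = sign_state(basis(1), random.Random(2))
    return verify_state(1 - bit, tag) is None

ZERO = basis(0)                                     # Z-basis state |0>
PLUS = [1 / 2 ** 0.5 + 0j, 1 / 2 ** 0.5 + 0j]       # X-basis state |+>

if __name__ == "__main__":
    print("Z-basis state recovered:", avg_recovery_fidelity(ZERO))   # 1.0
    print("X-basis state recovered:", avg_recovery_fidelity(PLUS))   # 0.5
    print("forged bit rejected:", forgery_rejected())                 # True
```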
Recognizing that the impossibility stems from the lack of encryption, the authors introduce quantum signcryption (QSC) as the only viable alternative. A QSC consists of three QPT algorithms: KeyGen, which outputs a signing/decryption key pair (sdk, vek); SignEnc, which uses the sender’s private key and the receiver’s public key to both encrypt and “sign” a quantum state; and VerifyDec, which uses the receiver’s private key and the sender’s public key to decrypt and verify. The scheme guarantees correctness (no rejection on honest execution) and is designed to provide two security notions: (a) outsider security, where both parties keep their private keys secret, and (b) insider security, where one party’s private key may be compromised but the other’s still protects the communication. Outsider security is captured via a real/ideal experiment framework that employs a “cheat‑detecting” oracle: the ideal experiment encrypts half of a maximally entangled pair and stores the other half; the decryption oracle checks for entanglement to detect cheating. Insider security is defined as QIND‑CCA2 security of the induced public‑key encryption, adapting recent techniques for quantum authenticated encryption.
To construct concrete QSC schemes, the paper proposes a generic hybrid transformation Π_Hyb