A concrete quantum circuit for “one‑shot” digital signatures
Researchers describe a complete quantum-circuit implementation of a one‑shot signature scheme. In such a scheme the signing key is a quantum state that the act of signing measures and thereby destroys, so each key yields at most one signature. The authors give a two‑stage algorithm: a key generation step that outputs a classical public key together with a quantum secret key, and a signing step that consumes the quantum secret key and a message to produce a classical signature. A signed message is checked by an ordinary classical verifier, and the circuits are exact by design, introducing no algorithmic error of their own.
At a technical level the scheme works by preparing a quantum superposition over the elements of a random affine coset. A superposition means the quantum state holds many basis states (here, many bit strings) at once, each with its own amplitude. An affine coset A + s is a linear subspace A of bit strings shifted by a fixed vector s; the particular coset is derived from the output of a puncturable pseudorandom function (PPRF), a PRF whose key can be modified so that it still evaluates correctly at every input except one chosen point. A second circuit tests whether a given bit string belongs to the coset. The PPRF follows the Goldreich–Goldwasser–Micali (GGM) construction, in which a length‑doubling pseudorandom generator is applied repeatedly along the tree path selected by the input bits, and the authors add a new quantum subroutine based on the Bruhat decomposition for sampling affine subspaces.
The paper gives concrete resource counts for the circuits. The number of logical qubits scales as Θ(κ log(r) + n + l) and the gate count as Θ(n^3 + n l), where r is the public key size, l is the message length, n + l is the signature size, and κ is the cryptographic security parameter, with κ = Ω(n). The authors also tabulate explicit numbers for several values of n, and they present a simpler signing method for l‑bit messages that uses one global measurement and a single multi‑control phase gate instead of repeating many separate instances.
Why this matters: one‑shot signatures are a core primitive for “local quantum cryptography,” where only the endpoints need quantum hardware and everything sent between them stays classical, so no quantum channel is required. The one‑shot property is enforced physically: signing measures the quantum key and disturbs it, and the no‑cloning principle prevents copying the key beforehand, so a signing key cannot be duplicated and reused. Known applications include delegated signatures, secure token transfer, and publicly verifiable randomness, and the primitive connects to proposals for quantum money and other quantum payment schemes.