One-shot signatures (OSS) are a powerful and uniquely quantum cryptographic primitive which allows anyone, given a common reference string, to come up with a public verification key $\mathsf{pk}$ and a secret signing state $|\mathsf{sk}\rangle$. With the secret signing state, one can produce a signature on any one message, but no more. In a recent breakthrough work, Shmueli and Zhandry (CRYPTO 2025) constructed one-shot signatures, either unconditionally in a classical oracle model or, in the plain model, assuming post-quantum indistinguishability obfuscation and the hardness of Learning with Errors (LWE). In this work, we address the inefficiency of the Shmueli-Zhandry construction, which signs messages bit-by-bit, resulting in signing keys of $\Theta(\lambda^4)$ qubits and signatures of size $\Theta(\lambda^3)$ bits for polynomially long messages, where $\lambda$ is the security parameter. We construct a new, simple, direct, and efficient one-shot signature scheme which can sign messages of any polynomial length using signing keys of $\Theta(\lambda^2)$ qubits and signatures of size $\Theta(\lambda^2)$ bits. We achieve corresponding savings in runtime, in both the oracle model and the plain model. In addition, unlike the Shmueli-Zhandry construction, our scheme achieves perfect correctness. Our scheme also achieves strong signature incompressibility, which implies a public-key quantum fire scheme with perfect correctness, among other applications, correcting an error in a recent work of Çakan, Goyal and Shmueli (QCrypt 2025) and recovering their applications.