Andrew Lutomirski,Scott Aaronson,Edward Farhi,David Gosset,Avinatan Hassidim,Jonathan Kelner,Peter Shor

DOI: https://doi.org/10.48550/arXiv.0912.3825

2009-12-21

Abstract:Public-key quantum money is a cryptographic protocol in which a bank can create quantum states which anyone can verify but no one except possibly the bank can clone or forge. There are no secure public-key quantum money schemes in the literature; as we show in this paper, the only previously published scheme [1] is insecure. We introduce a category of quantum money protocols which we call collision-free. For these protocols, even the bank cannot prepare multiple identical-looking pieces of quantum money. We present a blueprint for how such a protocol might work as well as a concrete example which we believe may be insecure.

Quantum Physics

Jiahui Liu,Hart Montgomery,Mark Zhandry

DOI: https://doi.org/10.48550/arXiv.2211.11994

2022-12-31

Abstract:Public verification of quantum money has been one of the central objects in quantum cryptography ever since Wiesner's pioneering idea of using quantum mechanics to construct banknotes against counterfeiting. So far, we do not know any publicly-verifiable quantum money scheme that is provably secure from standard assumptions. In this work, we provide both negative and positive results for publicly verifiable quantum money. **In the first part, we give a general theorem, showing that a certain natural class of quantum money schemes from lattices cannot be secure. We use this theorem to break the recent quantum money scheme of Khesin, Lu, and Shor. **In the second part, we propose a framework for building quantum money and quantum lightning we call invariant money which abstracts some of the ideas of quantum money from knots by Farhi et al.(ITCS'12). In addition to formalizing this framework, we provide concrete hard computational problems loosely inspired by classical knowledge-of-exponent assumptions, whose hardness would imply the security of quantum lightning, a strengthening of quantum money where not even the bank can duplicate banknotes. **We discuss potential instantiations of our framework, including an oracle construction using cryptographic group actions and instantiations from rerandomizable functional encryption, isogenies over elliptic curves, and knots.

Cryptography and Security,Quantum Physics

Amit Behera,Or Sattath

2024-02-29

Abstract:In a quantum money scheme, a bank can issue money that users cannot counterfeit. Similar to bills of paper money, most quantum money schemes assign a unique serial number to each money state, thus potentially compromising the privacy of the users of quantum money. However in a quantum coins scheme, just like the traditional currency coin scheme, all the money states are exact copies of each other, providing a better level of privacy for the users. A quantum money scheme can be private, i.e., only the bank can verify the money states, or public, meaning anyone can verify. In this work, we propose a way to lift any private quantum coin scheme -- which is known to exist based on the existence of one-way functions, due to Ji, Liu, and Song (CRYPTO'18) -- to a scheme that closely resembles a public quantum coin scheme. Verification of a new coin is done by comparing it to the coins the user already possesses, by using a projector on to the symmetric subspace. No public coin scheme was known prior to this work. It is also the first construction that is very close to a public quantum money scheme and is provably secure based on standard assumptions. Finally, the lifting technique, when instantiated with the private quantum coins scheme~\cite{MS10}, gives rise to the first construction that is close to an inefficient unconditionally secure public quantum money scheme.

Quantum Physics,Cryptography and Security

Aharon Brodutch,Daniel Nagaj,Or Sattath,Dominique Unruh

DOI: https://doi.org/10.48550/arXiv.1404.1507

2016-05-10

Abstract:Unlike classical money, which is hard to forge for practical reasons (e.g. producing paper with a certain property), quantum money is attractive because its security might be based on the no-cloning theorem. The first quantum money scheme was introduced by Wiesner circa 1970. Although more sophisticated quantum money schemes were proposed, Wiesner's scheme remained appealing because it is both conceptually clean and relatively easy to implement. We show efficient adaptive attacks on Wiesner's quantum money scheme [Wie83] (and its variant by Bennett et al. [BBBW83]), when valid money is accepted and passed on, while invalid money is destroyed. We propose two attacks, the first is inspired by the Elitzur-Vaidman bomb testing problem [EV93, KWH+95], while the second is based on the idea of protective measurements [AAV93]. It allows us to break Wiesner's scheme with 4 possible states per qubit, and generalizations which use more than 4 states per qubit.

Quantum Physics,Cryptography and Security

Scott Aaronson

DOI: https://doi.org/10.1109/CCC.2009.42

2011-10-25

Abstract:Forty years ago, Wiesner proposed using quantum states to create money that is physically impossible to counterfeit, something that cannot be done in the classical world. However, Wiesner's scheme required a central bank to verify the money, and the question of whether there can be unclonable quantum money that anyone can verify has remained open since. One can also ask a related question, which seems to be new: can quantum states be used as copy-protected programs, which let the user evaluate some function f, but not create more programs for f? This paper tackles both questions using the arsenal of modern computational complexity. Our main result is that there exist quantum oracles relative to which publicly-verifiable quantum money is possible, and any family of functions that cannot be efficiently learned from its input-output behavior can be quantumly copy-protected. This provides the first formal evidence that these tasks are achievable. The technical core of our result is a "Complexity-Theoretic No-Cloning Theorem," which generalizes both the standard No-Cloning Theorem and the optimality of Grover search, and might be of independent interest. Our security argument also requires explicit constructions of quantum t-designs. Moving beyond the oracle world, we also present an explicit candidate scheme for publicly-verifiable quantum money, based on random stabilizer states; as well as two explicit schemes for copy-protecting the family of point functions. We do not know how to base the security of these schemes on any existing cryptographic assumption. (Note that without an oracle, we can only hope for security under some computational assumption.)

Quantum Physics,Computational Complexity

Bhaskar Roberts,Mark Zhandry

DOI: https://doi.org/10.48550/arXiv.2110.09733

2021-10-19

Abstract:The construction of public key quantum money based on standard cryptographic assumptions is a longstanding open question. Here we introduce franchised quantum money, an alternative form of quantum money that is easier to construct. Franchised quantum money retains the features of a useful quantum money scheme, namely unforgeability and local verification: anyone can verify banknotes without communicating with the bank. In franchised quantum money, every user gets a unique secret verification key, and the scheme is secure against counterfeiting and sabotage, a new security notion that appears in the franchised model. Finally, we construct franchised quantum money and prove security assuming one-way functions.

Cryptography and Security,Quantum Physics

Jian-Yu Guan,Juan Miguel Arrazola,Ryan Amiri,Weijun Zhang,Hao Li,Lixing You,Zhen Wang,Qiang Zhang,Jian-Wei Pan

DOI: https://doi.org/10.1103/physreva.97.032338

2018-01-01

Abstract:A quantum money scheme enables a trusted bank to provide untrusted users with verifiable quantum banknotes that cannot be forged. In this work, we report an experimental demonstration of the preparation and verification of unforgeable quantum banknotes. We employ a security analysis that takes experimental imperfections fully into account. We measure a total of $3.6\times 10^6$ states in one verification round, limiting the forging probability to $10^{-7}$ based on the security analysis. Our results demonstrate the feasibility of preparing and verifying quantum banknotes using currently available experimental techniques.

Alper Cakan,Vipul Goyal,Takashi Yamakawa

2024-11-07

Abstract:Quantum information allows us to build quantum money schemes, where a bank can issue banknotes in the form of authenticatable quantum states that cannot be cloned or counterfeited. Similar to paper banknotes, in existing quantum money schemes, a banknote consists of an unclonable quantum state and a classical serial number, signed by bank. Thus, they lack one of the most fundamental properties cryptographers look for in a currency scheme: privacy. In this work, we first further develop the formal definitions of privacy for quantum money schemes. Then, we construct the first public-key quantum money schemes that satisfy these security notions. Namely, - Assuming existence of indistinguishability obfuscation (iO) and hardness of Learning with Errors (LWE), we construct a public-key quantum money scheme with anonymity against users and traceability by authorities. Since it is a policy choice whether authorities should be able to track banknotes or not, we also construct an untraceable money scheme from the same cryptographic assumptions, where no one (not even the authorities) can track banknotes. Further, we show that the no-cloning principle, a result of quantum mechanics, allows us to construct schemes, with security guarantees that are classically impossible, for a seemingly unrelated application: voting! - Assuming iO and LWE, we construct a universally verifiable quantum voting scheme with classical votes. Finally, as a technical tool, we introduce the notion of publicly rerandomizable encryption with strong correctness, where no adversary is able to produce a malicious ciphertext and a malicious randomness such that the ciphertext before and after rerandomization decrypts to different values! We believe this might be of independent interest. - Assuming LWE, we construct a (post-quantum) classical publicly rerandomizable encryption scheme with strong correctness.

Quantum Physics,Cryptography and Security

Peter Yuen

2024-07-09

Abstract:Quantum money is the task of verifying the validity of banknotes while ensuring that they cannot be counterfeited. Public-key quantum money allows anyone to perform verification, while the private-key setting restricts the ability to verify to banks, as in Wiesner's original scheme. The current state of technological progress means that errors are impossible to entirely suppress, hence the requirement for noise-tolerant schemes. We show for the first time how to achieve noise-tolerance in the public-key setting. Our techniques follow Aaronson and Christiano's oracle model, where we use the ideas of quantum error correction to extend their scheme: a valid banknote is now a subspace state possibly affected by noise, and verification is performed by using classical oracles to check for membership in "larger spaces." Additionally, a banknote in our scheme is minted by preparing conjugate coding states and applying a unitary that permutes the standard basis vectors.

Quantum Physics

Mathieu Bozzio,Adeline Orieux,Luis Trigo Vidarte,Isabelle Zaquine,Iordanis Kerenidis,Eleni Diamanti

DOI: https://doi.org/10.1038/s41534-018-0058-2

2017-12-22

Abstract:Wiesner's unforgeable quantum money scheme is widely celebrated as the first quantum information application. Based on the no-cloning property of quantum mechanics, this scheme allows for the creation of credit cards used in authenticated transactions offering security guarantees impossible to achieve by classical means. However, despite its central role in quantum cryptography, its experimental implementation has remained elusive because of the lack of quantum memories and of practical verification techniques. Here, we experimentally implement a quantum money protocol relying on classical verification that rigorously satisfies the security condition for unforgeability. Our system exploits polarization encoding of weak coherent states of light and operates under conditions that ensure compatibility with state-of-the-art quantum memories. We derive working regimes for our system using a security analysis taking into account all practical imperfections. Our results constitute a major step towards a real-world realization of this milestone protocol.

Quantum Physics

Yuichi Sano

DOI: https://doi.org/10.48550/arXiv.2205.09303

2022-05-19

Quantum Physics

Abstract:While classical money can be copied, it is impossible to copy quantum money in principle, with only the bank that issues it knowing how to generate it, meaning only the bank can make exact copies. Not all reliable banks, such as central banks, will issue quantum money, so there is the possibility that untrustworthy banks are distributing fake or multiple copies of the same quantum money without the users' knowledge. As such, we propose a quantum patchwork money scheme in which banks cannot distribute exact copies to users. This scheme involves multiple banks providing public-key quantum money as shards and generating quantum patchwork money by combining them. The banks can use the quantum patchwork money without completely trusting the other banks. In addition, nonbank users can use safely the quantum patchwork money without trusting any banks potentially focused on self-interest by adding a protocol for monitoring the distribution of copies.

Hosoyamada, Akinori,Yamakawa, Takashi

DOI: https://doi.org/10.1007/s00145-024-09517-2

2024-08-23

Journal of Cryptology

Abstract:Since the celebrated work of Impagliazzo and Rudich (STOC 1989), a number of black-box impossibility results have been established. However, these works only ruled out classical black-box reductions among cryptographic primitives. Therefore, it may be possible to overcome these impossibility results by using quantum reductions. To exclude such a possibility, we have to extend these impossibility results to the quantum setting. In this paper, we study black-box impossibility in the quantum setting. We first formalize a quantum counterpart of fully black-box reduction following the formalization by Reingold, Trevisan and Vadhan (TCC 2004). Then we prove that there is no quantum fully black-box reduction from collision-resistant hash functions to one-way permutations (or even trapdoor permutations). We take both of classical and quantum implementations of primitives into account. This is an extension to the quantum setting of the work of Simon (Eurocrypt 1998) who showed a similar result in the classical setting.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Dmytro Gavinsky

DOI: https://doi.org/10.48550/arXiv.1109.0372

2012-03-15

Abstract:We propose and construct a quantum money scheme that allows verification through classical communication with a bank. This is the first demonstration that a secure quantum money scheme exists that does not require quantum communication for coin verification. Our scheme is secure against adaptive adversaries - this property is not directly related to the possibility of classical verification, nevertheless none of the earlier quantum money constructions is known to possess it.

Quantum Physics,Cryptography and Security

Zhengfeng Ji,Yi-Kai Liu,Fang Song

DOI: https://doi.org/10.1007/978-3-319-96878-0_5

2017-01-01

Abstract:We propose the concept of pseudorandom states and study their constructions, properties, and applications. Under the assumption that quantum-secure one-way functions exist, we present concrete and efficient constructions of pseudorandom states. The non-cloning theorem plays a central role in our study---it motivates the proper definition and characterizes one of the important properties of pseudorandom quantum states. Namely, there is no efficient quantum algorithm that can create more copies of the state from a given number of pseudorandom states. As the main application, we prove that any family of pseudorandom states naturally gives rise to a private-key quantum money scheme.

Mark Zhandry

2024-03-08

Abstract:We give a construction of public key quantum money, and even a strengthened version called quantum lightning, from abelian group actions, which can in turn be constructed from suitable isogenies over elliptic curves. We prove security in the generic group model for group actions under a plausible computational assumption, and develop a general toolkit for proving quantum security in this model. Along the way, we explore knowledge assumptions and algebraic group actions in the quantum setting, finding significant limitations of these assumptions/models compared to generic group actions.

Quantum Physics,Cryptography and Security

Amit Behera,Giulio Malavolta,Tomoyuki Morimae,Tamer Mour,Takashi Yamakawa

2024-10-14

Abstract:While in classical cryptography, one-way functions (OWFs) are widely regarded as the "minimal assumption," the situation in quantum cryptography is less clear. Recent works have put forward two concurrent candidates for the minimal assumption in quantum cryptography: One-way state generators (OWSGs), postulating the existence of a hard search problem with an efficient verification algorithm, and EFI pairs, postulating the existence of a hard distinguishing problem. Two recent papers [Khurana and Tomer STOC'24; Batra and Jain FOCS'24] showed that OWSGs imply EFI pairs, but the reverse direction remained open. In this work, we give strong evidence that the opposite direction does not hold: We show that there is a quantum unitary oracle relative to which EFI pairs exist, but OWSGs do not. In fact, we show a slightly stronger statement that holds also for EFI pairs that output classical bits (QEFID). As a consequence, we separate, via our oracle, QEFID, and one-way puzzles from OWSGs and several other Microcrypt primitives, including efficiently verifiable one-way puzzles and unclonable state generators. In particular, this solves a problem left open in [Chung, Goldin, and Gray Crypto'24]. Using similar techniques, we also establish a fully black-box separation (which is slightly weaker than an oracle separation) between private-key quantum money schemes and QEFID pairs. One conceptual implication of our work is that the existence of an efficient verification algorithm may lead to qualitatively stronger primitives in quantum cryptography.

Quantum Physics,Cryptography and Security

Jonathan Jogenfors

DOI: https://doi.org/10.1109/BLOC.2019.8751473

2016-04-06

Abstract:The digital currency Bitcoin has had remarkable growth since it was first proposed in 2008. Its distributed nature allows currency transactions without a central authority by using cryptographic methods and a data structure called the blockchain. In this paper we use the no-cloning theorem of quantum mechanics to introduce Quantum Bitcoin, a Bitcoin-like currency that runs on a quantum computer. We show that our construction of quantum shards and two blockchains allows untrusted peers to mint quantum money without risking the integrity of the currency. The Quantum Bitcoin protocol has several advantages over classical Bitcoin, including immediate local verification of transactions. This is a major improvement since we no longer need the computationally intensive and time-consuming method Bitcoin uses to record all transactions in the blockchain. Instead, Quantum Bitcoin only records newly minted currency which drastically reduces the footprint and increases efficiency. We present formal security proofs for counterfeiting resistance and show that a quantum bitcoin can be re-used a large number of times before wearing out - just like ordinary coins and banknotes. Quantum Bitcoin is the first distributed quantum money system and we show that the lack of a paper trail implies full anonymity for the users. In addition, there are no transaction fees and the system can scale to any transaction volume.

Quantum Physics,Cryptography and Security

Yichi Zhang,Siyuan Jin,Yuhan Huang,Bei Zeng,Qiming Shao

2024-07-16

Abstract:In the 1970s, Wiesner introduced the concept of quantum money, where quantum states generated according to specific rules function as currency. These states circulate among users with quantum resources through quantum channels or face-to-face interactions. Quantum mechanics grants quantum money physical-level unforgeability but also makes minting, storing, and circulating it significantly challenging. Currently, quantum computers capable of minting and preserving quantum money have not yet emerged, and existing quantum channels are not stable enough to support the efficient transmission of quantum states for quantum money, limiting its practicality. Semi-quantum money schemes support fully classical transactions and complete classical banks, reducing dependence on quantum resources and enhancing feasibility. To further minimize the system's reliance on quantum resources, we propose a cloud-based semi-quantum money (CSQM) scheme. This scheme relies only on semi-honest third-party quantum clouds, while the rest of the system remains entirely classical. We also discuss estimating the computational power required by the quantum cloud for the scheme and conduct a security analysis.

Quantum Physics,Cryptography and Security,Distributed, Parallel, and Cluster Computing

John Bostanci,Barak Nehoran,Mark Zhandry

2024-11-01

Abstract:Aaronson, Atia, and Susskind established that swapping quantum states $|\psi\rangle$ and $|\phi\rangle$ is computationally equivalent to distinguishing their superpositions $|\psi\rangle\pm|\phi\rangle$. We extend this to a general duality principle: manipulating quantum states in one basis is equivalent to extracting values in a complementary basis. Formally, for any group, implementing a unitary representation is equivalent to Fourier subspace extraction from its irreducible representations. Building on this duality principle, we present the applications: * Quantum money, representing verifiable but unclonable quantum states, and its stronger variant, quantum lightning, have resisted secure plain-model constructions. While (public-key) quantum money has been constructed securely only from the strong assumption of quantum-secure iO, quantum lightning has lacked such a construction, with past attempts using broken assumptions. We present the first secure quantum lightning construction based on a plausible cryptographic assumption by extending Zhandry's construction from Abelian to non-Abelian group actions, eliminating reliance on a black-box model. Our construction is realizable with symmetric group actions, including those implicit in the McEliece cryptosystem. * We give an alternative quantum lightning construction from one-way homomorphisms, with security holding under certain conditions. This scheme shows equivalence among four security notions: quantum lightning security, worst-case and average-case cloning security, and security against preparing a canonical state. * Quantum fire describes states that are clonable but not telegraphable: they cannot be efficiently encoded classically. These states "spread" like fire, but are viable only in coherent quantum form. The only prior construction required a unitary oracle; we propose the first candidate in the plain model.

Quantum Physics,Cryptography and Security

Hazel Murray,Jerry Horgan,Joao F. Santos,David Malone,Harun Siljak

DOI: https://doi.org/10.1109/ISSC49989.2020.9180218

2020-06-03

Abstract:Quantum computing has the power to break current cryptographic systems, disrupting online banking, shopping, data storage and communications. Quantum computing also has the power to support stronger more resistant technologies. In this paper, we describe a digital cash scheme created by Dmitry Gavinsky, which utilises the capability of quantum computing. We contribute by setting out the methods for implementing this scheme. For both the creation and verification of quantum coins we convert the algebraic steps into computing steps. As part of this, we describe the methods used to convert information stored on classical bits to information stored on quantum bits.

Quantum Physics,Emerging Technologies