Abstract

Forty years ago, Wiesner pointed out that quantum mechanics raises the striking possibility of money that cannot be counterfeited according to the laws of physics. We propose the first quantum money scheme that is (1) public-key, meaning that anyone can verify a banknote as genuine, not only the bank that printed it, and (2) cryptographically secure, under a hardness assumption that has nothing to do with quantum money. Our scheme is based on hidden subspaces, encoded as the zero-sets of random multivariate polynomials. A main technical advance is to show that the black-box version of our scheme, where the polynomials are replaced by classical oracles, is unconditionally secure. Previously, such a result had only been known relative to a quantum oracle (and even there, the proof was never published). Even in Wiesner's original setting -- quantum money that can only be verified by the bank -- we are able to use our techniques to patch a major security hole in Wiesner's scheme. We give the first private-key quantum money scheme that allows unlimited verifications and that remains unconditionally secure, even if the counterfeiter can interact adaptively with the bank. Our money scheme is simpler than previous public-key quantum money schemes, including a knot-based scheme of Farhi et al. The verifier needs to perform only two tests, one in the standard basis and one in the Hadamard basis -- matching the original intuition for quantum money, based on the existence of complementary observables. Our security proofs use a new variant of Ambainis's quantum adversary method, and several other tools that might be of independent interest.
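The abstract describes a verifier that runs exactly two tests, a membership check in the standard basis and one in the Hadamard basis, on a banknote that is a uniform superposition over a hidden subspace A of F_2^n. The added simulation below (my own illustration, not code from the paper or its authors) makes that intuition concrete on a constructed 4-qubit toy: it builds |A> for a subspace A chosen here as an assumption, shows that the n-fold Hadamard transform carries |A> to |A^⊥>, and computes the acceptance probability of the two-test verifier for a genuine note and for a few naive forgeries. The subspace is held in the clear, so this demonstrates only the verification mechanics and the standard/Hadamard duality, not the hiding provided by the paper's polynomial or oracle encodings.

```python
from itertools import product
from math import sqrt

# Constructed toy parameters: n = 4 qubits, dim A = n/2 = 2 (assumed values).
N = 4
A_BASIS = [(1, 0, 1, 0), (0, 1, 1, 0)]  # assumed basis of the hidden subspace A


def span(basis):
    """All F_2-linear combinations of the basis vectors, as bit tuples."""
    vecs = set()
    for coeffs in product((0, 1), repeat=len(basis)):
        v = [0] * N
        for c, b in zip(coeffs, basis):
            if c:
                v = [x ^ y for x, y in zip(v, b)]
        vecs.add(tuple(v))
    return vecs


def dual(sub):
    """A^perp = { x in F_2^n : <x, a> = 0 (mod 2) for every a in A }."""
    return {
        x for x in product((0, 1), repeat=N)
        if all(sum(xi * ai for xi, ai in zip(x, a)) % 2 == 0 for a in sub)
    }


def index(bits):
    """Map a bit tuple to the position of |bits> in the amplitude vector."""
    return int("".join(map(str, bits)), 2)


def money_state(sub):
    """|A> = |A|^(-1/2) * sum_{a in A} |a>, as a real amplitude vector."""
    amp = [0.0] * (2 ** N)
    for a in sub:
        amp[index(a)] = 1 / sqrt(len(sub))
    return amp


def basis_state(bits):
    """The computational-basis state |bits> (a naive 'forgery' candidate)."""
    amp = [0.0] * (2 ** N)
    amp[index(bits)] = 1.0
    return amp


def plus_state():
    """|+>^n: uniform superposition over all of F_2^n (another naive forgery)."""
    return [1 / sqrt(2 ** N)] * (2 ** N)


def hadamard_all(amp):
    """Apply H^{(x)n} via the in-place fast Walsh-Hadamard transform."""
    out = list(amp)
    h = 1
    while h < len(out):
        for i in range(0, len(out), 2 * h):
            for j in range(i, i + h):
                x, y = out[j], out[j + h]
                out[j], out[j + h] = (x + y) / sqrt(2), (x - y) / sqrt(2)
        h *= 2
    return out


def project(amp, sub):
    """Projector onto span{ |x> : x in sub } in the standard basis."""
    keep = {index(x) for x in sub}
    return [a if i in keep else 0.0 for i, a in enumerate(amp)]


def accept_probability(amp, sub):
    """Two-test verifier: project onto A in the standard basis, switch to the
    Hadamard basis, project onto A^perp.  The final Hadamard that returns the
    note to the standard basis is unitary, so it does not change the norm.
    Acceptance probability = || P_{A^perp} H^{(x)n} P_A |psi> ||^2."""
    after = project(hadamard_all(project(amp, sub)), dual(sub))
    return sum(a * a for a in after)


def hadamard_maps_A_to_dual(sub, tol=1e-9):
    """Check the duality that makes the two tests consistent: H^{(x)n}|A> = |A^perp>."""
    lhs = hadamard_all(money_state(sub))
    rhs = money_state(dual(sub))
    return max(abs(x - y) for x, y in zip(lhs, rhs)) < tol


A = span(A_BASIS)

if __name__ == "__main__":
    print("A      =", sorted(A))
    print("A^perp =", sorted(dual(A)))
    print("H|A> == |A^perp>:", hadamard_maps_A_to_dual(A))
    print("genuine note          :", accept_probability(money_state(A), A))
    print("basis state |a>, a in A:", accept_probability(basis_state((1, 0, 1, 0)), A))
    print("basis state outside A :", accept_probability(basis_state((1, 0, 0, 0)), A))
    print("|+>^n                 :", accept_probability(plus_state(), A))
```

A genuine note passes with probability 1, while a single basis vector of A passes the standard-basis test but is spread uniformly by the Hadamard transform and survives the A^⊥ projection with probability only 2^{-n/2} (0.25 here); a basis state outside A fails the first test outright, and |+>^n also lands at 0.25. What the simulation cannot show is the paper's actual security claim, that a counterfeiter who only has oracle or polynomial access to A and A^⊥ cannot produce a second copy; that is the content of the adversary-method proof, not of the verifier.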

Highlights

  • The simplest known proof of a quantum lower bound for index erasure is via a reduction from Aaronson’s quantum lower bound for the collision problem [1]

  • Regardless of whether our particular scheme stands or falls, we introduce at least four techniques that should be useful for the design and analysis of any public-key quantum money scheme

  • Using a construction introduced by Lutomirski et al [32] and Farhi et al [24], we show that, given any mini-scheme M, one can obtain a full-fledged quantum money scheme by combining M with any digital signature scheme secure against quantum attacks

Summary

Introduction

“Information wants to be free”—this slogan expresses the idea that classical bits, unlike traditional economic goods, can be copied an unlimited number of times. Essentially all electronic commerce involves a trusted third party, such as a credit card company, to mediate transactions. Without such a third party entering at some stage, it is impossible to prevent electronic cash from being counterfeited, regardless of what cryptographic assumptions one makes. The No-Cloning Theorem is closely related to the uncertainty principle, which says that there exist “complementary” properties of a quantum state (for example, its position and momentum) that cannot both be measured to unlimited accuracy.

  • Introduction
      • The history of quantum money
      • The challenge
      • Our results
      • Motivation
  • Preliminaries
      • Cryptography
      • Quantum information
      • Quantum search
  • Formalizing quantum money
      • Quantum money schemes
      • Mini-schemes
      • The standard construction
  • Inner-product adversary method
      • Idea of method
      • The method
  • Classical oracle scheme
      • The hidden subspace mini-scheme
      • Formal specification
      • Analysis
  • Explicit quantum money scheme
      • Useful facts about polynomials
      • Explicit hidden-subspace mini-scheme
      • Justifying our hardness assumption
  • Private-key quantum money
  • Open problems
      • Quantum copy-protection and more