New Developments in Quantum Money and Copy-Protected Software

1
New Developments in Quantum Money and
Copy-Protected Software
A?
A
Scott Aaronson (MIT) Joint work with Paul
Christiano
2
Ever since theres been money, thereve been
people trying to counterfeit it
Previous work on the physics of money In his
capacity as Master of the Mint, Isaac Newton
worked on making English coins harder to
counterfeit
(He also personally oversaw hangings of
counterfeiters)
3
Today Holograms, embedded strips,
microprinting, special inks Leads to an arms
race with no obvious winner
Problem From a CS perspective, uncopyable cash
seems impossible for trivial reasons
Any printing technology the good guys can build,
bad guys can in principle build also x ? (x,x) is
a polynomial-time operation
4
Whats done in practice Have a trusted third
party authorize every transaction
(BitCoin Trusted third party is distributed
over the Internet)
OK, but sometimes you want cash, and that seems
impossible to secure, at least in classical
physics
5
The No-Cloning Theorem
No physical procedure can take an unknown quantum
state and output two copies of it (or even a
close approximation thereof)
6
First Idea in the History of Quantum Info
Wiesner 1969 Money thats information-theoretical
ly impossible to counterfeit, assuming quantum
mechanics
Each banknote contains n qubits, secretly
prepared in one of the 4 states 0?,1?,?,-?
Molina, Vidick, Watrous 2012 A counterfeiter who
doesnt know the state can copy it with
probability at most (3/4)n
In a giant database, the bank remembers how it
prepared every qubit on every banknote
Want to verify a banknote? Take it to the bank.
Bank uses its knowledge to measure each qubit in
the right basis
OR
7
Drawbacks of Wiesners Scheme

1. Banknotes could decohere in your walletthe
   Schrödingers money problem! The reason why
   quantum money isnt yet practical, in contrast
   to (say) quantum key distribution
2. Bank needs a big database describing every
   banknote Solution (Bennett et al. 82)
   Pseudorandom functions
3. Only the bank knows how to verify the money
4. Scheme can be broken by interacting with the bank

8
Modern Goal Public-Key Quantum MoneyEasy to
prepare, hard to copy, verifiable by anyone
kprivate
KeyGen
Mint
kpublic
1?,2?
Ver
9
Formally, a public-key quantum money scheme S
consists of three polynomial-time quantum
algorithms
KeyGen(0n) Generates key pair (kprivate,
kpublic) Mint(kprivate) Generates quantum
banknote Ver(kpublic, ) Accepts or rejects
claimed banknote
S has completeness error ? if for all kpublic and
valid ,
Private-key quantum money schemeSame except
that kprivatekpublic
S has soundness error ? if for all
polynomial-time counterfeiters C mapping q
banknotes to rgtq banknotes,
where Count returns the number of Cs output
registers 1,,r that Ver accepts
10
Basic Observations
Not obvious that public-key quantum money is
possible! If it is, will certainly require
computational assumptions, in addition to quantum
mechanics Without loss of generality, quantum
money is reusable. If the completeness error is
?, then its possible to verify banknotes in a
way that damages the valid ones by at most
in trace distance (? reusable 1/?? times)
11
Previous Work on Public-Key Quantum Money
A., CCC2009 Secure construction using a quantum
oracle (but security proof never
published)Explicit candidate scheme based on
random stabilizer statesbroken by Lutomirski et
al. 2010
Farhi et al., ITCS2012 Quantum money from
knots Important, original proposal, but little
known about securityNot even known which states
?? the verifier acceptsLutomirski 2011
Abstract version of knot scheme using a
classical oracle (but proving its security still
wide open seems hard)
12
Our work A new public-key quantum money scheme,
based on hidden subspaces
Much simpler than previous schemes verifier just
projects onto valid money states, by measuring in
two complementary bases
For the first time, can base security on an
assumption (about multivariate polynomial
cryptography) that has nothing to do with quantum
money
Also for first time, can prove abstract version
of scheme (involving a classical oracle) is
unconditionally secure
Same construction yields the first private-key
scheme thats provably interactively secure
13
Overview of Our Construction
Public-Key Quantum Money Scheme
Signature SchemeSecure against nonadaptive
quantum chosen-message attacks
Mini-Scheme Mint prints a single banknote
(s,?s) s.t. copying ?s is hard
From Rompel 1990
OWFSecure against quantum attacks
14
Standard Construction of Quantum Money from
Mini-Schemes Signatures(Introduced by
Lutomirski et al. analyzed by us)

• To verify the banknote (s,?s,w)
• Check that (s,?s) is valid
• Check that w is a valid digital signature of s

Theorem If you can create counterfeit banknotes
, then either you can copy ?ss, or else you can
forge signatures
15
The Hidden Subspace Mini-Scheme
Quantum money state
Mint can easily choose a random A and prepare A?
Corresponding serial number s Somehow
describes how to check membership in A and in A?
(the dual subspace of A), yet doesnt reveal A or
A?
16
Procedure to Verify Money State(assuming ability
to decide membership in A and A?)

1. Project onto A elements (reject if this fails)
2. Hadamard all n qubits to map A? to A??
3. Project onto A? elements (reject if this fails)
4. Hadamard all n qubits to return state to A?

A?
A
Theorem The above just implements a projection
onto A??Ai.e., it accepts ?? with probability
??A?2
17
Security of the Black-Box Scheme
Valid Banknotes
A,A? Membership Oracles
Intuitively, what can the counterfeiter do?
Measure Ai? ? just yields one Ai or Ai?
element Query Oi or Oi? to learn a basis for Ai ?
takes ?(2n/4) queries, by the BBBV Theorem
(optimality of Grover search)
Need to show 2?(n) quantum queries to Oi and Oi?
are needed, even just to map Ai? to Ai??2
18
(No Transcript)
19
Idea Look at Inner Products
A,A neighboring n/2-dimensional subspaces in
GF(2)n
Use Ambainiss quantum adversary method to show
that the inner product between A? and A? can
decrease by at most 2-n/4, as the result of a
single query to OA or OA? Problem A query can
decrease the inner product by ?(1) for some
A?,A? pairs! But we show that it cant for
most pairs
20
Finishing the Security Proof
Our Inner-Product Adversary Method shows that
?(2n/4) queries are needed for almost-perfect
copying of A?. But what about copying with
1/poly(n) fidelity? Key idea Since our scheme is
projective, can amplify fidelity to A??2 using
fixed-point quantum search (a recent variant of
Grovers algorithm due to Tulsi, Grover, and
Patel)
What about counterfeiters that only copy some
A?s and not others? Key idea The
counterfeiting problem is random self-reducible!
Before trying to copy A?, hit it with a random
invertible linear transformation on GF(2)n
21
The same construction immediately yields the
firstPrivate-Key Quantum Money (with no oracle)
Secure Against Interactive Attack
Suppose Ai? could be copied using poly(n)
verification requests to the bank Then Ai? could
also be copied in our public-key scheme, using
poly(n) oracle queries! ??
22
But if we want public-key money, we still have to
face an interesting, purely-classical
Obfuscation Challenge Instantiate the oracles
OA and OA?, without revealing A
Our Proposal Use Multivariate Polynomials For
each money state A?, mint publishes (as A?s
serial number) uniformly-random degree-d
polynomials
such that all pis vanish on A and all qis
vanish on A?.
The pis and qis can be generated in nO(d) time
generate them assuming Aspan(x1,,xn/2) then
apply a linear transformation
Purely-classical obfuscation problem seems
interesting on its own!
23
Verifying A? is simple! With overwhelming
probability,
But given only the pis and qis, not clear how
to find any nonzero A or A? elements in poly-time
(even quantumly) Closely related to multivariate
polynomial cryptography, and to the polynomial
isomorphism problem Our scheme is breakable when
d1 (trivially) or d2 (using theory of quadratic
forms). And theres nontrivial structure when
d3 (Bouillaguet et al. 2011). So we recommend
d?4
24
Security Reduction
Direct Product Assumption Given the polynomials
p1,,p2n and q1,,q2n, no polynomial-time quantum
algorithm can find a generating set for A with
?(2-n/2) success probability
Theorem Assuming the DPA, our money scheme is
secure

• Proof Sketch Suppose theres a counterfeiter C
  that maps A? to A??2. Then to violate the DPA
• Prepare a uniform superposition over all x?GF(2)n
  
• Project onto A elements (yields A? with
  probability 2-n/2)
• If step 2 works, run C repeatedly to get n
  copies of A?
• Measure each copy of A? in the standard basis
  (with high probability, yields n/2 independent A
  elements)

25
Open Problems
Break our scheme! Or get stronger evidence for
security Find other ways of hiding
(complementary) subspaces Are there secure
public-key quantum money schemes relative to a
random oracle? Does private-key quantum money
require either a giant database or a
cryptographic assumption? Practicality
26
New Direction Quantum Copy-Protection
Finally, a serious use for quantum computing
Goal Quantum state ?f? that lets you compute an
unknown function f, but doesnt let you
efficiently create more states with which f can
be computed
New Developments (A.-Christiano, not yet
written)! - By modifying our hidden-subspace
money scheme, we give a quantum copy-protection
scheme with a classical oracle, which works for
any fs and is proven secure - We have a
candidate quantum copy-protection scheme with no
oracle, but havent yet proved its security
27
Quantum Copy-Protection Relative to a Classical
Oracle
Quantum program (same as for money scheme)
The classical oracle O, given a Boolean function
fIf x?A\0n and y?A?\0n, then
O(0,x,z)?O(1,y,z)f(z). Otherwise, O(b,x,z)0.
Given A? and O, one can evaluate f. But using
the Inner-Product Adversary Method and random
self-reducibility, we prove that given A? and O,
one cant find nonzero elements of both A and A?
with ?1/poly(n) probability
28
Explicit Quantum Copy-Protection Scheme
Starting point Yaos garbled circuit
construction (1986) Assuming 1-out-of-2
oblivious-transfer, lets Alice send Bob a circuit
C such that Bob can evaluate C on one input x,
yet he learns nothing about Cs internal structure
We use hidden subspace states A1?,A2?, to
implement the oblivious transfer
non-interactively
To prove security, an excellent starting point
would be to prove the following direct product
conjecture
Given oracle access to OA and OA?, any quantum
algorithm needs 2?(n) queries to find nonzero
elements x?A, y?A? with ?(2-n/2) success
probability