Quantum Money from Hidden Subspaces

1
Quantum Money from Hidden Subspaces
A?
A
Scott Aaronson (MIT) Joint work with Paul
Christiano
2
Ever since theres been money, thereve been
people trying to counterfeit it
Previous work on the physics of money In his
capacity as Master of the Mint, Isaac Newton
added milled edges to English coins to make them
harder to counterfeit
(Newton also personally oversaw hangings of
counterfeiters)
3
Today Holograms, embedded strips,
microprinting, special inks Leads to an arms
race with no obvious winner
Problem From a CS perspective, uncopyable cash
seems impossible for trivial reasons
Any printing technology the good guys can build,
bad guys can in principle build also x ? (x,x) is
a polynomial-time operation
4
Whats done in practice Have a trusted third
party authorize every transaction
(BitCoin Trusted third party is distributed
over the Internet)
OK, but sometimes you want cash, and that seems
impossible to secure, at least in classical
physics
5
The No-Cloning Theorem
No physical procedure can take an unknown quantum
state and output two copies of it (or even a
close approximation thereof)
6
First Idea in the History of Quantum Info
Wiesner 1969 Money thats information-theoretical
ly impossible to counterfeit, assuming quantum
mechanics
Each banknote contains n qubits, secretly
prepared in one of the 4 states 0?,1?,?,-?
(Recent) Theorem A counterfeiter who doesnt
know the state can copy it with probability at
most (3/4)n
In a giant database, the bank remembers how it
prepared every qubit on every banknote
Want to verify a banknote? Take it to the bank.
Bank uses its knowledge to measure each qubit in
the right basis
OR
7
Drawbacks of Wiesners Scheme

1. Banknotes could decohere in microseconds in your
   walletthe Schrödingers money problem! The
   reason why quantum money isnt yet practical, in
   contrast to (say) quantum key distribution
2. Bank needs a big database describing every
   banknote Solution (Bennett et al. 82)
   Pseudorandom functions
3. Only the bank knows how to verify the money
4. Scheme can be broken by interacting with the bank

8
Modern Goal Public-Key Quantum MoneyEasy to
prepare, hard to copy, verifiable by anyone
kprivate
KeyGen
Mint
kpublic
1?,2?
Ver
9
Formally, a public-key quantum money scheme S
consists of three polynomial-time quantum
algorithms
KeyGen(0n) Generates key pair (kprivate,
kpublic) Mint(kprivate) Generates quantum
banknote Ver(kpublic, ) Accepts or rejects
claimed banknote
S has completeness error ? if for all kpublic and
valid ,
Private-key quantum money schemeSame except
that kprivatekpublic
S has soundness error ? if for all
polynomial-time counterfeiters C mapping q
banknotes to rgtq banknotes,
where Count returns the number of Cs output
registers 1,,r that Ver accepts
10
Basic Observations
Not obvious that public-key quantum money is
possible! If it is, will certainly require
computational assumptions, in addition to quantum
mechanics Yet totally unclear which
computational assumptions! Copying ? need not
involve learning a classical secret Without loss
of generality, quantum money is reusable. If the
completeness error is ?, then its possible to
verify banknotes in a way that damages the valid
ones by at most in variation
distance Can amplify completeness error to
1/exp(n) by repetition, without much harming the
soundness error
11
Previous Work on Public-Key Quantum Money
A., CCC2009 Defined the conceptSecure
construction using a quantum oracle (but security
proof never published)Explicit candidate scheme
based on random stabilizer statesbroken by
Lutomirski et al. 2010
Farhi et al. 2010 Attack on large class of
public-key quantum money schemes(to foil, use
highly-entangled banknotes!)
Farhi et al., ITCS2012 Quantum money from
knots Important, original proposal, but little
known about securityNot even known which states
?? the verifier acceptsLutomirski 2011
Abstract version of knot scheme using a
classical oracle (but proving its security still
wide open seems hard)
12
Our work A new public-key quantum money scheme,
based on hidden subspaces
Verifier just projects onto valid money states,
by measuring in two complementary bases
Much simpler than previous schemes
Same construction yields first private-key scheme
thats provably interactively secure
For the first time, can base security on an
assumption (about multivariate polynomial
cryptography) that has nothing to do with quantum
money
Also for the first time, can prove the abstract
version (involving a classical oracle) is
unconditionally secure
13
Overview of Our Construction
Public-Key Quantum Money Scheme
Signature SchemeSecure against nonadaptive
quantum chosen-message attacks
Mini-Scheme Mint prints a single banknote (s,?)
s.t. copying ? is hard
From Rompel 1990
OWFSecure against quantum attacks
14
Formally, a public-key mini-scheme M consists of
two polynomial-time quantum algorithms
Mint(0n) Generates (s,?), where s classical
serial number Ver() Accepts or rejects claimed
banknote
M has completeness error ? if for all valid
banknotes (s,?),
M has soundness error ? if for all
polynomial-time counterfeiters C mapping (s,?) to
two copies of ?,
Well especially like projective mini-schemes
those where Ver just projects onto a pure state
??s???s
15
Standard Construction of Quantum Money from
Mini-Schemes Signatures(Introduced by
Lutomirski et al. analyzed by us)

• To verify the banknote (s,?,w)
• Check that (s,?) is valid
• Check that w is a valid digital signature of s

Theorem If you can create counterfeit banknotes
, then either you can copy ?s, or else you can
forge signatures
16
The Hidden Subspace Mini-Scheme
Quantum money state
Mint can easily choose a random A and prepare A?
Corresponding serial number s Somehow
describes how to check membership in A and in A?
(the dual subspace of A), yet doesnt reveal A or
A?
17
Procedure to Verify Money State(assuming ability
to decide membership in A and A?)

1. Project onto A elements (reject if this fails)
2. Hadamard all n qubits to map A? to A??
3. Project onto A? elements (reject if this fails)
4. Hadamard all n qubits to return state to A?

A?
A
Theorem The above just implements a projection
onto A??Ai.e., it accepts ?? with probability
??A?2
18
Security of the Black-Box Scheme
Valid Banknotes
A,A? Membership Oracles
Intuitively, what can the counterfeiter do?
Measure Ai? ? just yields one Ai or Ai?
element Query Oi or Oi? to learn a basis for Ai ?
takes ?(2n/4) queries, by the BBBV Theorem
(optimality of Grover search)
Need to show 2?(n) quantum queries to Oi and Oi?
are needed, even just to map Ai? to Ai??2
19
(No Transcript)
20
Idea Look at Inner Products
A,A neighboring n/2-dimensional subspaces in
GF(2)n
Use Ambainiss quantum adversary method to show
that the inner product between A? and A? can
decrease by at most 2-n/4, as the result of a
single query to OA or OA? Problem A query can
decrease the inner product by ?(1) for some
A?,A? pairs! But we show that it cant for
most pairs
21
Finishing the Security Proof
Our Inner-Product Adversary Method shows that
?(2n/4) queries are needed for almost-perfect
copying of A?. But what about copying with
1/poly(n) fidelity? Key idea Since our scheme is
projective, can amplify fidelity to A??2 using
fixed-point quantum search (a recent variant of
Grovers algorithm due to Tulsi, Grover, and
Patel)
What about counterfeiters that only copy some
A?s and not others? Key idea The
counterfeiting problem is random self-reducible!
Before trying to copy A?, hit it with a random
invertible linear transformation on GF(2)n
22
The same construction immediately yields the
firstPrivate-Key Quantum Money (with no oracle)
Secure Against Interactive Attack
Suppose Ai? could be copied using poly(n)
verification requests to the bank Then Ai? could
also be copied in our public-key scheme, using
poly(n) oracle queries! ??
23
But if we want public-key money, we still have to
face an interesting, purely-classical
Obfuscation Challenge Instantiate the oracles
OA and OA?, without revealing A
Our Proposal Use Multivariate Polynomials For
each money state A?, mint publishes (as A?s
serial number) uniformly-random degree-d
polynomials
such that all pis vanish on A and all qis
vanish on A?.
The pis and qis can be generated in nO(d) time
generate them assuming Aspan(x1,,xn/2) then
apply a linear transformation
Purely-classical obfuscation problem seems
interesting on its own!
24
Verifying A? is simple! With overwhelming
probability,
But given only the pis and qis, not clear how
to find any nonzero A or A? elements in poly-time
(even quantumly) Closely related to multivariate
polynomial cryptography, and to the polynomial
isomorphism problem Our scheme is breakable when
d1 (trivially) or d2 (using theory of quadratic
forms). And theres nontrivial structure when
d3 (Bouillaguet et al. 2011). So we recommend
d?4
For more(?) security, can let an ? fraction of
pis and qis be decoys
25
Security Reduction
Direct Product Assumption Given the polynomials
p1,,p2n and q1,,q2n, no polynomial-time quantum
algorithm can find a generating set for A with
?(2-n/2) success probability
Theorem Assuming the DPA, our money scheme is
secure

• Proof Sketch Suppose theres a counterfeiter C
  that maps A? to A??2. Then to violate the DPA
• Prepare a uniform superposition over all x?GF(2)n
  
• Project onto A elements (yields A? with
  probability 2-n/2)
• If step 2 works, run C repeatedly to get n
  copies of A?
• Measure each copy of A? in the standard basis
  (with high probability, yields n independent A
  elements)

26
Concluding ThoughtsWhy worry about quantum
money, if it might be even further from
practicality than scalable QC?
Niels Bohr Uncertainty Principle should change
our conception of science itself. Even given
complete knowledge of the laws of physics,
physical systems can always surprise us, due to
our inability to know their initial
states. Quantum money provides a wonderful
playground for testing Bohrs claim, while also
highlighting the role of computational complexity
Even if it decohered in seconds, public-key
quantum money could still have applications!
Example Non-Interactive Uncloneable Signatures
27
Open Problems
Break our scheme! Or get stronger evidence for
security Find other ways of hiding
(complementary) subspaces Are there secure
public-key quantum money schemes relative to a
random oracle? Does private-key quantum money
require either a giant database or a
cryptographic assumption? Practicality
28
Future Direction Quantum Copy-Protection
Finally, a serious use for quantum computing
Goal Quantum state ?f? that lets you compute an
unknown function f, but doesnt let you
efficiently create more states with which f can
be computed
Relative to a classical oracle, we have a
candidate construction based on hidden subspaces.
But its security rests on a still-unproved
conjecture
Given oracle access to OA and OA?, any quantum
algorithm needs 2?(n) queries to find nonzero
elements x?A, y?A? with ?(2-n/2) success
probability