Quantum Money from Hidden Subspaces

Scott Aaronson (MIT), joint work with Paul Christiano

Upload: anna-macdonald

Post on 27-Mar-2015


TRANSCRIPT

Page 1

Quantum Money from Hidden Subspaces

Scott Aaronson (MIT), joint work with Paul Christiano

Page 2

Ever since there’s been money, there’ve been people trying to counterfeit it

Previous work on the physics of money:

In his capacity as Master of the Mint, Isaac Newton added milled edges to English coins to make them harder to counterfeit

(Newton also personally oversaw hangings of counterfeiters)

Page 3

Today: Holograms, embedded strips, “microprinting,” special inks…

Leads to an arms race with no obvious winner

Problem: From a CS perspective, uncopyable cash seems impossible for trivial reasons

Any printing technology the good guys can build, bad guys can in principle build also

Copying classical information, x ↦ (x, x), is a polynomial-time operation

Page 4

What’s done in practice: Have a trusted third party authorize every transaction

OK, but sometimes you want cash, and that seems impossible to secure, at least in classical physics…

(BitCoin: “Trusted third party” is distributed over the Internet)

Page 5: The No-Cloning Theorem

No physical procedure can take an unknown quantum state and output two copies of it

(or even a close approximation thereof)

Page 6: First Idea in the History of Quantum Info

Wiesner 1969: Money that’s information-theoretically impossible to counterfeit, assuming quantum mechanics

Each banknote contains n qubits, secretly prepared in one of the 4 states |0⟩, |1⟩, |+⟩, |−⟩

In a giant database, the bank remembers how it prepared every qubit on every banknote

Want to verify a banknote? Take it to the bank. Bank uses its knowledge to measure each qubit in the right basis: either the {|0⟩, |1⟩} basis or the {|+⟩, |−⟩} basis

(Recent) Theorem: A counterfeiter who doesn’t know the state can copy it with probability at most (3/4)^n
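The following is an added example, not part of the slides: a classical simulation of Wiesner's scheme. Because every banknote qubit is one of the four states |0⟩, |1⟩, |+⟩, |−⟩, a qubit can be modelled exactly as a (basis, bit) pair: measuring in the preparing basis returns the bit, measuring in the other basis returns a uniformly random bit. The counterfeiter strategy simulated here (guess a basis per qubit, measure, and re-prepare two copies) is the author's own choice of a simple attack; an exact enumeration shows it passes both copies with probability 5/8 per qubit, i.e. (5/8)^n per note, which lies below the (3/4)^n optimum the slide cites.

```python
import random
from fractions import Fraction
from itertools import product

# Constructed toy model (added example, not from the slides).  A qubit prepared as
# |0>/|1> is ("Z", bit); one prepared as |+>/|-> is ("X", bit).  Measuring in the
# preparing basis returns the bit; measuring in the other basis returns a fair coin.
BASES = ("Z", "X")


def measure(qubit, basis, rng):
    """Measure one simulated qubit in the given basis."""
    prep_basis, bit = qubit
    return bit if prep_basis == basis else rng.randrange(2)


def mint(n, rng):
    """Bank prepares an n-qubit note and stores the preparation record in its database."""
    record = [(rng.choice(BASES), rng.randrange(2)) for _ in range(n)]
    return list(record), record          # (physical note, bank's secret record)


def verify(note, record, rng):
    """Bank measures each qubit in the recorded basis and compares with the recorded bit."""
    return all(measure(q, basis, rng) == bit for q, (basis, bit) in zip(note, record))


def measure_and_resend(note, rng):
    """Naive counterfeiter: guess a basis per qubit, measure, prepare two fresh copies."""
    copies = ([], [])
    for q in note:
        guess = rng.choice(BASES)
        outcome = measure(q, guess, rng)
        for copy in copies:
            copy.append((guess, outcome))
    return copies


def naive_counterfeit_per_qubit_success():
    """Exact per-qubit pass probabilities for measure-and-resend, enumerating the
    bank's basis and the counterfeiter's guess (each uniform over the two bases)."""
    one_copy = both_copies = Fraction(0)
    for true_basis, guess in product(BASES, repeat=2):
        if true_basis == guess:          # right guess: both copies are perfect
            one_copy += Fraction(1, 4)
            both_copies += Fraction(1, 4)
        else:                            # wrong guess: each copy passes with prob 1/2
            one_copy += Fraction(1, 4) * Fraction(1, 2)
            both_copies += Fraction(1, 4) * Fraction(1, 4)
    return one_copy, both_copies         # (3/4, 5/8)


def simulate(n, trials, seed=1):
    """Fraction of trials in which a genuine note verifies, and in which BOTH
    counterfeit copies verify."""
    rng = random.Random(seed)
    genuine_ok = forged_ok = 0
    for _ in range(trials):
        note, record = mint(n, rng)
        genuine_ok += verify(note, record, rng)
        c1, c2 = measure_and_resend(note, rng)
        forged_ok += verify(c1, record, rng) and verify(c2, record, rng)
    return genuine_ok / trials, forged_ok / trials


if __name__ == "__main__":
    one, both = naive_counterfeit_per_qubit_success()
    print(f"per-qubit: one copy passes {one}, both pass {both}")
    print("n=8, 2000 trials (genuine rate, forged-both rate):", simulate(8, 2000))
```

The simulation never touches a real quantum state: the four BB84 states are the only ones involved, and for those the (basis, bit) model is exact. It is the whole premise of slide 7's drawbacks that the bank's record is needed for the verification step.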

Page 7: Drawbacks of Wiesner’s Scheme

1. Banknotes could decohere in microseconds in your wallet (the “Schrödinger’s money problem”!). This is the reason why quantum money isn’t yet practical, in contrast to (say) quantum key distribution

2. Bank needs a big database describing every banknote. Solution (Bennett et al. ‘82): Pseudorandom functions

3. Only the bank knows how to verify the money

4. Scheme can be broken by interacting with the bank

Page 8: “Modern” Goal: Public-Key Quantum Money

Easy to prepare, hard to copy, verifiable by anyone

Figure: KeyGen outputs the key pair (k_private, k_public); Mint(k_private) produces banknotes |$1⟩, |$2⟩, …; anyone holding k_public can run Ver

Page 9

Formally, a public-key quantum money scheme S consists of three polynomial-time quantum algorithms:

KeyGen(0^n): Generates key pair (k_private, k_public)

Mint(k_private): Generates quantum banknote $

Ver(k_public, ¢): Accepts or rejects claimed banknote ¢

Completeness: for every k_public and every valid $, Ver(k_public, $) accepts with probability at least 1 minus the completeness error of S

Soundness: for every polynomial-time counterfeiter C mapping q banknotes to r > q banknotes, Pr[Count(k_public, C(k_public, $_1, …, $_q)) > q] is at most the soundness error of S, where Count returns the number of C’s output registers ¢_1, …, ¢_r that Ver accepts

Private-key quantum money scheme: Same except that k_private = k_public

Page 10: Basic Observations

Not obvious that public-key quantum money is possible!

If it is, it will certainly require computational assumptions, in addition to quantum mechanics

Yet it’s totally unclear which computational assumptions! Copying |$⟩ need not involve learning a classical secret

Without loss of generality, quantum money is reusable: if the completeness error is small, then it’s possible to verify banknotes in a way that damages the valid ones only slightly in variation distance

Can amplify completeness error to 1/exp(n) by repetition, without much harming the soundness error

Page 11: Previous Work on Public-Key Quantum Money

A., CCC’2009: Defined the concept. Secure construction using a quantum oracle (but security proof never published). Explicit candidate scheme based on random stabilizer states, broken by Lutomirski et al. 2010

Farhi et al. 2010: Attack on a large class of public-key quantum money schemes (to foil it, use highly-entangled banknotes!)

Farhi et al., ITCS’2012: “Quantum money from knots.” Important, original proposal, but little known about security. Not even known which states the verifier accepts

Lutomirski 2011: “Abstract” version of the knot scheme using a classical oracle (but proving its security is still wide open; seems hard)

Page 12: Our work: A new public-key quantum money scheme, based on hidden subspaces

Much simpler than previous schemes

For the first time, can base security on an assumption (about multivariate polynomial cryptography) that has nothing to do with quantum money

Also for the first time, can prove the “abstract” version (involving a classical oracle) is unconditionally secure

Verifier just projects onto valid money states, by measuring in two complementary bases

Same construction yields the first private-key scheme that’s provably “interactively secure”

Page 13: Overview of Our Construction

Figure (the slide’s boxes):

“Mini-Scheme”: Mint prints a single banknote (s, ρ) such that copying is hard

OWF secure against quantum attacks → (Rompel 1990) → Signature Scheme secure against nonadaptive quantum chosen-message attacks

Mini-Scheme + Signature Scheme → Public-Key Quantum Money Scheme

Page 14

Formally, a public-key mini-scheme M consists of two polynomial-time quantum algorithms:

Mint(0^n): Generates $ = (s, ρ), where s = classical serial number

Ver(¢): Accepts or rejects claimed banknote ¢

Completeness: for every valid banknote $ = (s, ρ), Ver(s, ρ) accepts with probability at least 1 minus the completeness error of M

Soundness: for every polynomial-time counterfeiter C mapping (s, ρ) to two copies of ρ, Pr[DoubleVer(s, C(s, ρ)) accepts] is at most the soundness error of M (DoubleVer accepts only if both output registers pass Ver)

We’ll especially like projective mini-schemes: those where Ver just projects onto a pure state ρ_s = |ψ_s⟩⟨ψ_s|

Page 15: “Standard Construction” of Quantum Money from Mini-Schemes + Signatures

(Introduced by Lutomirski et al.; analyzed by us)

Banknote: $ := (s, ρ_s, Sign(k_private, s))

To verify the banknote $ = (s, ρ, w):

1. Check that (s, ρ) is valid

2. Check that w is a valid digital signature of s

Theorem: If you can create counterfeit banknotes $, then either you can copy ρ’s, or else you can forge signatures

Page 16: The Hidden Subspace Mini-Scheme

Quantum money state: |A⟩ := 2^{-n/4} Σ_{x∈A} |x⟩, where A is a uniformly random subspace of GF(2)^n with dim A = n/2

Corresponding “serial number” s: Somehow describes how to check membership in A and in A⊥ (the dual subspace of A), yet doesn’t reveal A or A⊥

Mint can easily choose a random A and prepare |A⟩

Page 17: Procedure to Verify Money State (assuming ability to decide membership in A and A⊥)

1. Project onto A elements (reject if this fails)

2. Hadamard all n qubits to map |A⟩ to |A⊥⟩

3. Project onto A⊥ elements (reject if this fails)

4. Hadamard all n qubits to return state to |A⟩

Theorem: The above just implements a projection onto |A⟩⟨A|, i.e., it accepts |ψ⟩ with probability |⟨ψ|A⟩|²
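As an added example (not the slides' or the authors' code), here is a brute-force state-vector simulation of the four-step verifier for n = 4, small enough to enumerate all 2^n amplitudes. The subspace A = span{0001, 0110} and the "neighbouring" A′ = span{0001, 0010} are constructed sample inputs. The code checks the theorem directly: the product of the two projection probabilities equals |⟨ψ|A⟩|² for |A⟩ itself (accepted with certainty and left undamaged), for a single A element |x⟩ (probability 1/|A| = 1/4), for |A′⟩ (probability 1/4, since the two subspaces share half their elements) and for a random real state.

```python
import math
import random

# Added example, not from the slides.  Vectors in GF(2)^n are n-bit ints; an n-qubit
# state is a list of 2^n real amplitudes.  N = 4 is a constructed toy size.
N = 4


def span(generators):
    """All GF(2)-linear combinations of the generators, as a set of ints."""
    space = {0}
    for g in generators:
        space |= {v ^ g for v in space}
    return space


def dual(subspace, n=N):
    """A-perp: all z whose inner product (parity of z & x) with every x in A is 0."""
    return {z for z in range(1 << n) if all(bin(z & x).count("1") % 2 == 0 for x in subspace)}


def ket_of_subspace(subspace, n=N):
    """|A> = |A|^{-1/2} * sum_{x in A} |x>, the uniform superposition over A."""
    amp = 1 / math.sqrt(len(subspace))
    return [amp if x in subspace else 0.0 for x in range(1 << n)]


def basis_state(x, n=N):
    return [1.0 if i == x else 0.0 for i in range(1 << n)]


def hadamard_all(state, n=N):
    """H on all n qubits: |x> -> 2^{-n/2} sum_z (-1)^{x.z} |z>.  Naive O(4^n)."""
    scale = 1 / math.sqrt(1 << n)
    return [scale * sum(a * (-1) ** (bin(x & z).count("1") % 2) for x, a in enumerate(state))
            for z in range(1 << n)]


def project(state, subset):
    """Measure 'is x in subset?'.  Returns (probability of yes, post-measurement state)."""
    kept = [a if x in subset else 0.0 for x, a in enumerate(state)]
    prob = sum(a * a for a in kept)
    if prob == 0:
        return 0.0, kept
    norm = math.sqrt(prob)
    return prob, [a / norm for a in kept]


def verify(state, subspace_a, n=N):
    """The slide's four steps.  Returns (acceptance probability, state after acceptance)."""
    a_perp = dual(subspace_a, n)
    p1, state = project(state, subspace_a)      # 1. project onto A elements
    if p1 == 0:
        return 0.0, state
    state = hadamard_all(state, n)              # 2. Hadamard maps |A> to |A-perp>
    p2, state = project(state, a_perp)          # 3. project onto A-perp elements
    state = hadamard_all(state, n)              # 4. Hadamard back to |A>
    return p1 * p2, state


def overlap_squared(state, subspace_a, n=N):
    """|<psi|A>|^2, the value the theorem says verify() must reproduce."""
    return sum(a * b for a, b in zip(state, ket_of_subspace(subspace_a, n))) ** 2


def random_real_state(n=N, seed=7):
    rng = random.Random(seed)
    amps = [rng.gauss(0, 1) for _ in range(1 << n)]
    norm = math.sqrt(sum(a * a for a in amps))
    return [a / norm for a in amps]


# Constructed sample subspaces: A = span{0001, 0110}; A' shares span{0001} with A.
A = span([0b0001, 0b0110])
A_NEIGHBOUR = span([0b0001, 0b0010])

if __name__ == "__main__":
    cases = [("|A>", ket_of_subspace(A)), ("|0001>", basis_state(1)),
             ("|A'>", ket_of_subspace(A_NEIGHBOUR)), ("random", random_real_state())]
    for name, psi in cases:
        prob, _ = verify(psi, A)
        print(f"{name:8s} accept prob {prob:.4f}   |<psi|A>|^2 {overlap_squared(psi, A):.4f}")
```

The intermediate probabilities p1 and p2 are conditional on the previous step succeeding, so their product is the overall acceptance probability; reusability (slide 10) shows up as the returned state being |A⟩ again whenever a genuine |A⟩ is accepted.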

Page 18: Security of the Black-Box Scheme

Intuitively, what can the counterfeiter do?

Valid banknotes: (s_1, |A_1⟩), (s_2, |A_2⟩), …

A, A⊥ membership oracles: (O_1, O_1^⊥), (O_2, O_2^⊥), …

Measuring |A_i⟩ just yields one A_i or A_i^⊥ element

Querying O_i or O_i^⊥ to learn a basis for A_i takes Ω(2^{n/4}) queries, by the BBBV Theorem (optimality of Grover search)

Need to show: 2^{Ω(n)} quantum queries to O_i and O_i^⊥ are needed, even just to map |A_i⟩ to |A_i⟩^{⊗2}

Page 19

Common generalization of No-Cloning Theorem and BBBV Theorem

|$1,000,000⟩

Page 20: Idea: Look at Inner Products

Use Ambainis’s quantum adversary method to show that the inner product between |A⟩ and |A’⟩ can decrease by at most ~2^{-n/4}, as the result of a single query to O_A or O_A^⊥

Problem: A query can decrease the inner product by Ω(1) for some |A⟩, |A’⟩ pairs! But we show that it can’t for most pairs

Example: A, A’ “neighboring” n/2-dimensional subspaces in GF(2)^n (sharing a subspace of dimension n/2 − 1), so that ⟨A|A’⟩ = |A ∩ A’| / 2^{n/2} = 1/2 and |⟨A|A’⟩|² = 1/4

Page 21: Finishing the Security Proof

Our “Inner-Product Adversary Method” shows that Ω(2^{n/4}) queries are needed for almost-perfect copying of |A⟩. But what about copying with 1/poly(n) fidelity?

Key idea: Since our scheme is projective, can amplify fidelity to |A⟩^{⊗2} using fixed-point quantum search (a recent variant of Grover’s algorithm due to Tulsi, Grover, and Patel)

What about counterfeiters that only copy some |A⟩’s and not others?

Key idea: The counterfeiting problem is random self-reducible! Before trying to copy |A⟩, hit it with a random invertible linear transformation on GF(2)^n

Page 22

The same construction immediately yields the first…

Private-Key Quantum Money (with no oracle) Secure Against Interactive Attack

Suppose |A_i⟩ could be copied using poly(n) verification requests to the bank

Then |A_i⟩ could also be copied in our public-key scheme, using poly(n) oracle queries!

Figure: banknotes (s_1, |A_1⟩), (s_2, |A_2⟩), … and the counterfeiter’s verification requests to the bank

Page 23

But if we want public-key money, we still have to face an interesting, purely-classical…

Obfuscation Challenge: “Instantiate” the oracles O_A and O_A^⊥, without revealing A

Our Proposal: Use Multivariate Polynomials. For each money state |A⟩, mint publishes (as |A⟩’s “serial number”) uniformly-random degree-d polynomials

p_1, …, p_{2n}, q_1, …, q_{2n} : GF(2)^n → GF(2)

such that all p_i’s vanish on A and all q_i’s vanish on A⊥.

The p_i’s and q_i’s can be generated in n^{O(d)} time: generate them assuming A = span(x_1, …, x_{n/2}); then apply a linear transformation

Page 24

Verifying |A⟩ is simple! With overwhelming probability,

x ∈ A ⟺ p_1(x) = … = p_{2n}(x) = 0

x ∈ A⊥ ⟺ q_1(x) = … = q_{2n}(x) = 0

But given only the p_i’s and q_i’s, not clear how to find any nonzero A or A⊥ elements in poly-time (even quantumly)

Closely related to multivariate polynomial cryptography, and to the polynomial isomorphism problem

Our scheme is breakable when d=1 (trivially) or d=2 (using theory of quadratic forms). And there’s nontrivial structure when d=3 (Bouillaguet et al. 2011). So we recommend d ≥ 4

For more(?) security, can let a fraction of the p_i’s and q_i’s be “decoys”
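The generation recipe of slide 23 and the membership test of slide 24, as an added example that is not the slides' or the authors' code. Polynomials over GF(2) are stored as sets of multilinear monomials (x_i² = x_i); the p_i are drawn for the coordinate subspace A0 = span(x_1, …, x_{n/2}), the q_i for A0⊥, and both families are then composed with a random invertible matrix M (the p's with M, the q's with the transpose of M⁻¹, which is the map that carries A⊥ to A0⊥). The parameters n = 6 and d = 3 are a constructed toy so that A and A⊥ can be enumerated by brute force to check the published polynomials against the true subspaces; the slide recommends d ≥ 4, and nothing at this size hides anything.

```python
import random
from itertools import combinations

# Added example, not from the slides.  A polynomial over GF(2) in n variables is a set
# of monomials; a monomial is a frozenset of variable indices (x_i^2 = x_i).


def poly_mul(p, q):
    out = set()
    for a in p:
        for b in q:
            out ^= {a | b}                        # coefficients mod 2; x_i * x_i = x_i
    return out


def evaluate(p, x):
    """p(x) for x a 0/1 list."""
    return sum(all(x[i] for i in mono) for mono in p) & 1


def compose(p, m):
    """p(Mx): substitute x_i -> sum_j M[i][j] x_j and expand."""
    n, out = len(m), set()
    for mono in p:
        term = {frozenset()}                      # the constant 1
        for i in mono:
            term = poly_mul(term, {frozenset([j]) for j in range(n) if m[i][j]})
        out ^= term
    return out


def random_polys_vanishing_on(n, d, count, zero_coords, rng):
    """Uniformly random polynomials of degree <= d vanishing on the coordinate subspace
    {x : x_i = 0 for i in zero_coords}: every monomial must contain such an x_i."""
    allowed = [frozenset(c) for k in range(1, d + 1) for c in combinations(range(n), k)
               if any(i in zero_coords for i in c)]
    return [{mono for mono in allowed if rng.random() < 0.5} for _ in range(count)]


def mat_vec(m, x):
    return [sum(a & b for a, b in zip(row, x)) & 1 for row in m]


def transpose(m):
    return [list(col) for col in zip(*m)]


def gf2_inverse(m):
    """Gauss-Jordan inversion over GF(2); returns None if m is singular."""
    n = len(m)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        pivot = next((r for r in range(c, n) if aug[r][c]), None)
        if pivot is None:
            return None
        aug[c], aug[pivot] = aug[pivot], aug[c]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]


def mint_serial_number(n, d, seed):
    """Slide 23's recipe: polynomials for A0 = span(x_1..x_{n/2}) and for A0-perp, then a
    random invertible M hides A0.  Returns (p's, q's, A, A-perp), the last two by brute force."""
    rng = random.Random(seed)
    half = n // 2
    while True:
        m = [[rng.randrange(2) for _ in range(n)] for _ in range(n)]
        m_inv = gf2_inverse(m)
        if m_inv is not None:
            break
    later, earlier = set(range(half, n)), set(range(half))
    ps = [compose(p, m) for p in random_polys_vanishing_on(n, d, 2 * n, later, rng)]
    qs = [compose(q, transpose(m_inv)) for q in random_polys_vanishing_on(n, d, 2 * n, earlier, rng)]
    points = [[(v >> i) & 1 for i in range(n)] for v in range(1 << n)]
    a_space = [x for x in points if not any(mat_vec(m, x)[half:])]          # A = {x : Mx in A0}
    a_perp = [z for z in points if all(sum(zi & xi for zi, xi in zip(z, x)) % 2 == 0 for x in a_space)]
    return ps, qs, a_space, a_perp


def member_by_polys(polys, x):
    """Slide 24's public test: accept x iff every published polynomial vanishes at x."""
    return all(evaluate(p, x) == 0 for p in polys)


def check_serial_number(n=6, d=3, seed=2024):
    """(A elements rejected, A-perp elements rejected, false accepts for A, false accepts
    for A-perp) over all 2^n points.  The first two must be 0; the last two should be ~0."""
    ps, qs, a_space, a_perp = mint_serial_number(n, d, seed)
    points = [[(v >> i) & 1 for i in range(n)] for v in range(1 << n)]
    a_set, perp_set = {tuple(x) for x in a_space}, {tuple(z) for z in a_perp}
    missed_a = sum(not member_by_polys(ps, x) for x in a_space)
    missed_perp = sum(not member_by_polys(qs, z) for z in a_perp)
    false_a = sum(member_by_polys(ps, x) for x in points if tuple(x) not in a_set)
    false_perp = sum(member_by_polys(qs, z) for z in points if tuple(z) not in perp_set)
    return missed_a, missed_perp, false_a, false_perp


if __name__ == "__main__":
    print("(missed A, missed A-perp, false A, false A-perp) =", check_serial_number())
```

Each p_i evaluated at a point outside A is a uniformly random bit (the degree-1 monomial of a nonzero "later" coordinate of Mx is always among the allowed monomials), so with 2n polynomials a non-member slips through with probability 2^{-2n}; that is the "overwhelming probability" of slide 24.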

Page 25: Security Reduction

Direct Product Assumption: Given the polynomials p_1, …, p_{2n} and q_1, …, q_{2n}, no polynomial-time quantum algorithm can find a generating set for A with Ω(2^{-n/2}) success probability

Theorem: Assuming the DPA, our money scheme is secure

Proof Sketch: Suppose there’s a counterfeiter C that maps |A⟩ to |A⟩^{⊗2}. Then to violate the DPA:

1. Prepare a uniform superposition over all x ∈ GF(2)^n

2. Project onto A elements (yields |A⟩ with probability 2^{-n/2})

3. If step 2 works, run C repeatedly to get ~n copies of |A⟩

4. Measure each copy of |A⟩ in the standard basis (with high probability, yields n independent A elements)

Page 26: Concluding Thoughts

Why worry about quantum money, if it might be even further from practicality than scalable QC?

Even if it decohered in seconds, public-key quantum money could still have applications!

Example: Non-Interactive Uncloneable Signatures

Niels Bohr: Uncertainty Principle should change our conception of science itself. Even given complete knowledge of the laws of physics, physical systems can always “surprise” us, due to our inability to know their initial states.

Quantum money provides a wonderful playground for testing Bohr’s claim, while also highlighting the role of computational complexity

Page 27: Open Problems

Break our scheme! Or get stronger evidence for security

Find other ways of hiding (complementary) subspaces

Are there secure public-key quantum money schemes relative to a random oracle?

Does private-key quantum money require either a giant database or a cryptographic assumption?

“Practicality”

Page 28: Future Direction: Quantum Copy-Protection

Finally, a serious use for quantum computing

Goal: Quantum state |ψ_f⟩ that lets you compute an unknown function f, but doesn’t let you efficiently create more states with which f can be computed

Relative to a classical oracle, we have a candidate construction based on hidden subspaces. But its security rests on a still-unproved conjecture:

Given oracle access to O_A and O_A^⊥, any quantum algorithm needs 2^{Ω(n)} queries to find nonzero elements x ∈ A, y ∈ A⊥ with Ω(2^{-n/2}) success probability