Presentation is loading. Please wait.

Presentation is loading. Please wait.

Quantum Money from Hidden Subspaces Scott Aaronson (MIT) Joint work with Paul Christiano A A.

Published byZachary Stevens Modified over 10 years ago

Similar presentations

Presentation on theme: "Quantum Money from Hidden Subspaces Scott Aaronson (MIT) Joint work with Paul Christiano A A."— Presentation transcript:

1 Quantum Money from Hidden Subspaces Scott Aaronson (MIT) Joint work with Paul Christiano A A

2 Ever since theres been money, thereve been people trying to counterfeit it Previous work on the physics of money: In his capacity as Master of the Mint, Isaac Newton worked on making English coins harder to counterfeit (He also personally oversaw hangings of counterfeiters)

3 Today: Holograms, embedded strips, microprinting, special inks… Leads to an arms race with no obvious winner Problem: From a CS perspective, uncopyable cash seems impossible for trivial reasons Any printing technology the good guys can build, bad guys can in principle build also x (x,x) is a polynomial-time operation

4 Whats done in practice: Have a trusted third party authorize every transaction OK, but sometimes you want cash, and that seems impossible to secure, at least in classical physics… (BitCoin: Trusted third party is distributed over the Internet)

5 No physical procedure can take an unknown quantum state and output two copies of it (or even a close approximation thereof) The No-Cloning Theorem

6 First Idea in the History of Quantum Info Wiesner 1969: Money thats information-theoretically impossible to counterfeit, assuming quantum mechanics Each banknote contains n qubits, secretly prepared in one of the 4 states |0,|1,|+,|- In a giant database, the bank remembers how it prepared every qubit on every banknote Want to verify a banknote? Take it to the bank. Bank uses its knowledge to measure each qubit in the right basis: OR (Recent) Theorem: A counterfeiter who doesnt know the state can copy it with probability at most (3/4) n

7 1.Banknotes could decohere in microseconds in your walletthe Schrödingers money problem! The reason why quantum money isnt yet practical, in contrast to (say) quantum key distribution 2.Bank needs a big database describing every banknote Solution (Bennett et al. 82): Pseudorandom functions 3.Only the bank knows how to verify the money 4.Scheme can be broken by interacting with the bank Drawbacks of Wiesners Scheme

8 Modern Goal: Public-Key Quantum Money Easy to prepare, hard to copy, verifiable by anyone KeyGenMint Ver k private k public |$ 1,|$ 2 …

9 Formally, a public-key quantum money scheme S consists of three polynomial-time quantum algorithms: S has completeness error if for all k public and valid $, S has soundness error if for all polynomial-time counterfeiters C mapping q banknotes to r>q banknotes, where Count returns the number of Cs output registers ¢ 1,…,¢ r that Ver accepts KeyGen(0 n ): Generates key pair (k private, k public ) Mint(k private ): Generates quantum banknote $ Ver(k public, ¢): Accepts or rejects claimed banknote ¢ Private-key quantum money scheme: Same except that k private =k public

10 Basic Observations Not obvious that public-key quantum money is possible! If it is, will certainly require computational assumptions, in addition to quantum mechanics Yet totally unclear which computational assumptions! Copying |$ need not involve learning a classical secret Without loss of generality, quantum money is reusable. If the completeness error is, then its possible to verify banknotes in a way that damages the valid ones by at most in trace distance ( reusable 1/ times) Can amplify completeness error to 1/exp(n) by repetition, without much harming the soundness error

11 Previous Work on Public-Key Quantum Money A., CCC2009 Defined the concept Secure construction using a quantum oracle (but security proof never published) Explicit candidate scheme based on random stabilizer statesbroken by Lutomirski et al. 2010 Farhi et al. 2010: Attack on large class of public-key quantum money schemes (to foil, use highly- entangled banknotes!) Farhi et al., ITCS2012: Quantum money from knots Important, original proposal, but little known about security Not even known which states | the verifier accepts Lutomirski 2011: Abstract version of knot scheme using a classical oracle (but proving its security still wide open; seems hard)

12 Our work: A new public-key quantum money scheme, based on hidden subspaces A A Much simpler than previous schemes For the first time, can base security on an assumption (about multivariate polynomial cryptography) that has nothing to do with quantum money Also for first time, can prove abstract version of scheme (involving a classical oracle) is unconditionally secure Verifier just projects onto valid money states, by measuring in two complementary bases Same construction yields the first private-key scheme thats provably interactively secure

13 Overview of Our Construction Mini-Scheme Mint prints a single banknote (s, s ) s.t. copying s is hard Signature Scheme Secure against nonadaptive quantum chosen-message attacks Public-Key Quantum Money Scheme OWF Secure against quantum attacks From Rompel 1990

14 Standard Construction of Quantum Money from Mini-Schemes + Signatures (Introduced by Lutomirski et al.; analyzed by us) Theorem: If you can create counterfeit banknotes $, then either you can copy ss, or else you can forge signatures To verify the banknote $=(s, s,w): 1.Check that (s, s ) is valid 2.Check that w is a valid digital signature of s

15 The Hidden Subspace Mini-Scheme Quantum money state: Corresponding serial number s: Somehow describes how to check membership in A and in A (the dual subspace of A), yet doesnt reveal A or A Mint can easily choose a random A and prepare |A

16 Procedure to Verify Money State (assuming ability to decide membership in A and A ) A A 1.Project onto A elements (reject if this fails) 2.Hadamard all n qubits to map |A to |A 3.Project onto A elements (reject if this fails) 4.Hadamard all n qubits to return state to |A Theorem: The above just implements a projection onto |A A|i.e., it accepts | with probability | |A | 2

17 Security of the Black-Box Scheme Intuitively, what can the counterfeiter do? Need to show: 2 (n) quantum queries to O i and O i are needed, even just to map |A i to |A i 2 Valid Banknotes:A,A Membership Oracles: Measure |A i just yields one A i or A i element Query O i or O i to learn a basis for A i takes (2 n/4 ) queries, by the BBBV Theorem (optimality of Grover search)

18 Common generalization of No-Cloning Theorem and BBBV Theorem |$1,000,000

19 Idea: Look at Inner Products Use Ambainiss quantum adversary method to show that the inner product between |A and |A can decrease by at most ~2 -n/4, as the result of a single query to O A or O A Problem: A query can decrease the inner product by (1) for some |A,|A pairs! But we show that it cant for most pairs A,A: neighboring n/2-dimensional subspaces in GF(2) n

20 The same construction immediately yields the first… Private-Key Quantum Money (with no oracle) Secure Against Interactive Attack Suppose |A i could be copied using poly(n) verification requests to the bank Then |A i could also be copied in our public- key scheme, using poly(n) oracle queries! Verification Requests

21 Obfuscation Challenge: Instantiate the oracles O A and O A, without revealing A such that all p i s vanish on A and all q i s vanish on A. Our Proposal: Use Multivariate Polynomials For each money state |A, mint publishes (as |A s serial number) uniformly-random degree-d polynomials Purely-classical obfuscation problem; seems interesting on its own! But if we want public-key money, we still have to face an interesting, purely-classical… The p i s and q i s can be generated in n O(d) time: generate them assuming A=span(x 1,…,x n/2 ); then apply a linear transformation

22 Verifying |A is simple! With overwhelming probability, But given only the p i s and q i s, not clear how to find any nonzero A or A elements in poly-time (even quantumly) Closely related to multivariate polynomial cryptography, and to the polynomial isomorphism problem Our scheme is breakable when d=1 (trivially) or d=2 (using theory of quadratic forms). And theres nontrivial structure when d=3 (Bouillaguet et al. 2011). So we recommend d 4 For more(?) security, can let an fraction of p i s and q i s be decoys

23 Security Reduction Direct Product Assumption: Given the polynomials p 1,…,p 2n and q 1,…,q 2n, no polynomial-time quantum algorithm can find a generating set for A with (2 -n/2 ) success probability Theorem: Assuming the DPA, our money scheme is secure Proof Sketch: Suppose theres a counterfeiter C that maps |A to |A 2. Then to violate the DPA: 1.Prepare a uniform superposition over all x GF(2) n 2.Project onto A elements (yields |A with probability 2 -n/2 ) 3.If step 2 works, run C repeatedly to get ~n copies of |A 4.Measure each copy of |A in the standard basis (with high probability, yields n/2 independent A elements)

24 Concluding Thoughts Why worry about quantum money, if it might be even further from practicality than scalable QC? Even if it decohered in seconds, public-key quantum money could still have applications! Example: Non-Interactive Uncloneable Signatures Niels Bohr: Uncertainty Principle should change our conception of science itself. Even given complete knowledge of the laws of physics, physical systems can always surprise us, due to our inability to know their initial states. Quantum money provides a wonderful playground for testing Bohrs claim, while also highlighting the role of computational complexity

25 Break our scheme! Or get stronger evidence for security Find other ways of hiding (complementary) subspaces Are there secure public-key quantum money schemes relative to a random oracle? Does private-key quantum money require either a giant database or a cryptographic assumption? Practicality Open Problems DUNCE DUNCE

26 Future Direction: Quantum Copy-Protection Finally, a serious use for quantum computing Goal: Quantum state | f that lets you compute an unknown function f, but doesnt let you efficiently create more states with which f can be computed Relative to a classical oracle, we have a candidate construction based on hidden subspaces. But its security rests on a still-unproved conjecture: Given oracle access to O A and O A, any quantum algorithm needs 2 (n) queries to find nonzero elements x A, y A with (2 -n/2 ) success probability

Download ppt "Quantum Money from Hidden Subspaces Scott Aaronson (MIT) Joint work with Paul Christiano A A."

Similar presentations

Quantum Money Scott Aaronson (MIT) Based partly on joint work with Ed Farhi, David Gosset, Avinatan Hassidim, Jon Kelner, Andy Lutomirski, and Peter Shor.

Quantum Money Scott Aaronson (MIT) Based partly on joint work with Ed Farhi, David Gosset, Avinatan Hassidim, Jon Kelner, Andy Lutomirski, and Peter Shor.
Quantum Lower Bound for the Collision Problem Scott Aaronson 1/10/2002 quant-ph/0111102 I was born at the Big Bang. Cool! We have the same birthday.

Quantum Lower Bound for the Collision Problem Scott Aaronson 1/10/2002 quant-ph/ I was born at the Big Bang. Cool! We have the same birthday.
How Much Information Is In Entangled Quantum States? Scott Aaronson MIT |

How Much Information Is In Entangled Quantum States? Scott Aaronson MIT |
The Learnability of Quantum States Scott Aaronson University of Waterloo.

The Learnability of Quantum States Scott Aaronson University of Waterloo.
Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.

Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.
Quantum Versus Classical Proofs and Advice Scott Aaronson Waterloo MIT Greg Kuperberg UC Davis | x {0,1} n ?

Quantum Versus Classical Proofs and Advice Scott Aaronson Waterloo MIT Greg Kuperberg UC Davis | x {0,1} n ?
Quantum Copy-Protection and Quantum Money Scott Aaronson (MIT) | | | Any humor in this talk is completely unintentional.

Quantum Copy-Protection and Quantum Money Scott Aaronson (MIT) | | | Any humor in this talk is completely unintentional.
Quantum Software Copy-Protection Scott Aaronson (MIT) |

Quantum Software Copy-Protection Scott Aaronson (MIT) |
The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.

The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.
Limitations of Quantum Advice and One-Way Communication Scott Aaronson UC Berkeley IAS Useful?

Limitations of Quantum Advice and One-Way Communication Scott Aaronson UC Berkeley IAS Useful?
Quantum Double Feature Scott Aaronson (MIT) The Learnability of Quantum States Quantum Software Copy-Protection.

Quantum Double Feature Scott Aaronson (MIT) The Learnability of Quantum States Quantum Software Copy-Protection.
New Evidence That Quantum Mechanics Is Hard to Simulate on Classical Computers Scott Aaronson Parts based on joint work with Alex Arkhipov.

New Evidence That Quantum Mechanics Is Hard to Simulate on Classical Computers Scott Aaronson Parts based on joint work with Alex Arkhipov.
Pretty-Good Tomography Scott Aaronson MIT. Theres a problem… To do tomography on an entangled state of n qubits, we need exp(n) measurements Does this.

Pretty-Good Tomography Scott Aaronson MIT. Theres a problem… To do tomography on an entangled state of n qubits, we need exp(n) measurements Does this.
QMA/qpoly PSPACE/poly: De-Merlinizing Quantum Protocols Scott Aaronson University of Waterloo.

QMA/qpoly PSPACE/poly: De-Merlinizing Quantum Protocols Scott Aaronson University of Waterloo.
The Equivalence of Sampling and Searching Scott Aaronson MIT.

The Equivalence of Sampling and Searching Scott Aaronson MIT.
The Computational Complexity of Linear Optics Scott Aaronson and Alex Arkhipov MIT vs.

The Computational Complexity of Linear Optics Scott Aaronson and Alex Arkhipov MIT vs.
Quantum Computing with Noninteracting Bosons

Quantum Computing with Noninteracting Bosons
Solving Hard Problems With Light Scott Aaronson (Assoc. Prof., EECS) Joint work with Alex Arkhipov vs.

Solving Hard Problems With Light Scott Aaronson (Assoc. Prof., EECS) Joint work with Alex Arkhipov vs.
Quantum Money from Hidden Subspaces Scott Aaronson (MIT) Joint work with Paul Christiano A A.

Quantum Money from Hidden Subspaces Scott Aaronson (MIT) Joint work with Paul Christiano A A.
New Developments in Quantum Money and Copy-Protected Software Scott Aaronson (MIT) Joint work with Paul Christiano A A.

New Developments in Quantum Money and Copy-Protected Software Scott Aaronson (MIT) Joint work with Paul Christiano A A.

Similar presentations

Ads by Google