Abstract
This work provides both negative and positive results for publicly verifiable quantum money.

In the first part, we give a general theorem showing that a certain natural class of quantum money schemes from lattices cannot be secure. We use this theorem to break the recent quantum money proposal of Khesin, Lu, and Shor ([KLS22]).

In the second part, we propose a framework for building quantum money and quantum lightning, which we call invariant money, that abstracts and formalizes some ideas of quantum money from knots [FGH+12] and its precursor [LAF+10]. In addition to formalizing this framework, we provide concrete hard computational problems, loosely inspired by classical knowledge-of-exponent assumptions, whose hardness would imply the security of quantum lightning, a strengthening of quantum money in which not even the bank can duplicate banknotes.

We discuss potential instantiations of our framework, including an oracle construction using cryptographic group actions and instantiations from rerandomizable functional encryption, isogenies over elliptic curves, and knots.
Notes
- 1. Sometimes it is also referred to as public-key quantum money. We may use the two terms interchangeably.
- 2. Quantum oracles are quantum circuits accessible only as a black-box unitary. They are generally considered strong relativizing tools when used in proofs. Classical oracles are black-box classical circuits, a much weaker tool.
- 3. This holds true even for certain weaker versions such as copy detection, also known as infinite-term secure software leasing.
- 4. We thank the authors of [KLS22] for patiently answering our numerous questions about their work, which was instrumental in helping us identify the flaw.
- 5. Previously, [LZ19] showed that SIS was collapsing for a super-polynomial modulus.
- 6.
- 7.
- 8. We once again want to emphasize that the authors of [KLS22] were exceptionally helpful, and we thank them for the time they spent helping us understand their work.
- 9. Due to certain concerns about security, [FGH+12] actually sets X to contain extra information beyond a knot diagram.
- 10. Technically, it is a uniform superposition over the pre-images of some y in the image of I. If multiple O have the same y, then the superposition will be over all such O.
- 11. Or, more generally, if multiple O have the same y, then accepting states are exactly those that place equal weight on the elements of each O, but the weights may differ across different O.
- 12. Nevertheless, we provide a discussion of the knot money instantiation in the knot instantiation section of the full version.
- 13. Throughout the sections on the invariant quantum money framework and construction in the full version, we will sometimes use "money" and "lightning" interchangeably. In fact, the proposed candidates are all candidates for quantum lightning.
- 14. This seems like a very plausible assumption to us: classically, knowledge of exponent would almost trivially hold over generic groups.
- 15. They are real-valued, since \(M_O\) is symmetric, owing to the fact that we assumed the \(\sigma _i\) are perfectly matched into pairs that are inverses of each other.
References
Aaronson, S.: Quantum copy-protection and quantum money. In: Proceedings of the 2009 24th Annual IEEE Conference on Computational Complexity, CCC 2009, pp. 229–242, Washington, DC, USA, 2009. IEEE Computer Society (2009)
Aaronson, S., Christiano, P.: Quantum money from hidden subspaces. In: Karloff, H.J., Pitassi, T. (eds.) 44th Annual ACM Symposium on Theory of Computing, pp. 41–60, New York, NY, USA, 19–22 May 2012. ACM Press (2012)
Alamati, N., De Feo, L., Montgomery, H., Patranabis, S.: Cryptographic group actions and applications. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 411–439. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_14
Amos, R., Georgiou, M., Kiayias, A., Zhandry, M.: One-shot signatures and applications to hybrid quantum/classical authentication. In: Proceedings of the 52nd Annual ACM SIGACT Symposium on Theory of Computing, pp. 255–268 (2020)
Ananth, P., La Placa, R.L.: Secure software leasing. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 501–530. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_17
Aaronson, S., Liu, J., Liu, Q., Zhandry, M., Zhang, R.: New approaches for quantum copy-protection. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 526–555. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_19
Bennett, C.H., Brassard, G.: Quantum public key distribution reinvented. SIGACT News 18(4), 51–53 (1987)
Brakerski, Z., Christiano, P., Mahadev, U., Vazirani, U.V., Vidick, T.: A cryptographic test of quantumness and certifiable randomness from a single quantum device. In: Thorup, M. (ed.) 59th Annual Symposium on Foundations of Computer Science, pp. 320–331, Paris, France, 7–9 October 2018. IEEE Computer Society Press (2018)
Brakerski, Z., Döttling, N., Garg, S., Malavolta, G.: Factoring and pairings are not necessary for IO: circular-secure LWE suffices. Cryptology ePrint Archive, Report 2020/1024 (2020). https://eprint.iacr.org/2020/1024
Ben-David, S., Sattath, O.: Quantum tokens for digital signatures (2016). https://arxiv.org/abs/1609.09047
Boneh, D., Freeman, D.M.: Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 1–16. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_1
Bartusek, J., Guan, J., Ma, F., Zhandry, M.: Return of GGH15: provable security against zeroizing attacks. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 544–574. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_20
Broadbent, A., Gutoski, G., Stebila, D.: Quantum one-time programs. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 344–360. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_20
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th Annual ACM Symposium on Theory of Computing, pp. 575–584, Palo Alto, CA, USA, 1–4 June 2013. ACM Press (2013)
Castryck, W., Decru, T.: An efficient key recovery attack on SIDH (preliminary version). Cryptology ePrint Archive (2022)
Coladangelo, A., Liu, J., Liu, Q., Zhandry, M.: Hidden Cosets and applications to unclonable cryptography. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 556–584. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_20
Colbeck, R.: Quantum and relativistic protocols for secure multi-party computation (2009)
Coladangelo, A.: Smart contracts meet quantum cryptography (2019)
Pena, M.C., Díaz, R.D., Faugère, J.C., Encinas, L.H., Perret, L.: Non-quantum cryptanalysis of the noisy version of Aaronson-Christiano’s quantum money scheme. IET Inf. Secur. 13(4), 362–366 (2019)
Coladangelo, A., Sattath, O.: A quantum money solution to the blockchain scalability problem. Quantum 4, 297 (2020)
Coudron, M., Yuen, H.: Infinite randomness expansion with a constant number of devices. In: Shmoys, D.B. (ed.) 46th Annual ACM Symposium on Theory of Computing, pp. 427–436, New York, NY, USA, 31 May–3 June 2014. ACM Press (2014)
Damgård, I.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_36
Farhi, E., Gosset, D., Hassidim, A., Lutomirski, A., Nagaj, D., Shor, P.: Quantum state restoration and single-copy tomography for ground states of Hamiltonians. Phys. Rev. Lett. 105(19), 190503 (2010)
Farhi, E., Gosset, D., Hassidim, A., Lutomirski, A., Shor, P.W.: Quantum money from knots. In: Goldwasser, S. (ed.) ITCS 2012: 3rd Innovations in Theoretical Computer Science, pp. 276–289, Cambridge, MA, USA, 8–10 January 2012. Association for Computing Machinery (2012)
Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_20
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th Annual ACM Symposium on Theory of Computing, pp. 197–206, Victoria, BC, Canada, 17–20 May 2008. ACM Press (2008)
Kane, D.M.: Quantum money from modular forms (2018). https://arxiv.org/abs/1809.05925
Khesin, A.B., Lu, J.Z., Shor, P.W.: Publicly verifiable quantum money from random lattices (2022). https://arxiv.org/abs/2207.13135v2
Kane, D.M., Sharif, S., Silverberg, A.: Quantum money from quaternion algebras. Cryptology ePrint Archive, Report 2021/1294 (2021). https://eprint.iacr.org/2021/1294
Lutomirski, A., et al.: Breaking and making quantum money: toward a new quantum cryptographic protocol. In: Yao, A.C.-C. (ed.) ICS 2010: 1st Innovations in Computer Science, pp. 20–31, Tsinghua University, Beijing, China, 5–7 January 2010. Tsinghua University Press (2010)
Lutomirski, A.: An online attack against Wiesner’s quantum money (2010). https://arxiv.org/abs/1010.0256
Liu, Q., Zhandry, M.: Revisiting post-quantum Fiat-Shamir. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 326–355. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_12
Maino, L., Martindale, C.: An attack on SIDH with arbitrary starting curve. Cryptology ePrint Archive (2022)
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th Annual ACM Symposium on Theory of Computing, pp. 84–93, Baltimore, MD, USA, 22–24 May 2005. ACM Press (2005)
Roberts, B.: Security analysis of quantum lightning. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 562–567. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_19
Robert, D.: Breaking SIDH in polynomial time. Cryptology ePrint Archive (2022)
Radian, R., Sattath, O.: Semi-quantum money. In: Proceedings of the 1st ACM Conference on Advances in Financial Technologies, AFT 2019, pp. 132–146, New York, NY, USA. Association for Computing Machinery (2019)
Unruh, D.: Computationally binding quantum commitments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 497–527. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_18
Wiesner, S.: Conjugate coding. SIGACT News 15(1), 78–88 (1983)
Wee, H., Wichs, D.: Candidate obfuscation via oblivious LWE sampling. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12698, pp. 127–156. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77883-5_5
Zhandry, M.: Quantum lightning never strikes the same state twice. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 408–438. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_14
© 2023 International Association for Cryptologic Research
Cite this paper
Liu, J., Montgomery, H., Zhandry, M. (2023). Another Round of Breaking and Making Quantum Money. In: Hazay, C., Stam, M. (eds) Advances in Cryptology – EUROCRYPT 2023. EUROCRYPT 2023. Lecture Notes in Computer Science, vol 14004. Springer, Cham. https://doi.org/10.1007/978-3-031-30545-0_21
DOI: https://doi.org/10.1007/978-3-031-30545-0_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30544-3
Online ISBN: 978-3-031-30545-0