Skip to main content

Another Round of Breaking and Making Quantum Money:

How to Not Build It from Lattices, and More

  • Conference paper
  • First Online:
Advances in Cryptology – EUROCRYPT 2023 (EUROCRYPT 2023)

Abstract

This work provides both negative and positive results for publicly verifiable quantum money.

  • In the first part, we give a general theorem, showing that a certain natural class of quantum money schemes from lattices cannot be secure. We use this theorem to break the recent quantum money proposal of Khesin, Lu, and Shor ([KLS22]).

  • In the second part, we propose a framework for building quantum money and quantum lightning we call invariant money which abstracts and formalizes some ideas of quantum money from knots [FGH+12] and its precedent work [LAF+10]. In addition to formalizing this framework, we provide concrete hard computational problems loosely inspired by classical knowledge-of-exponent assumptions, whose hardness would imply the security of quantum lightning, a strengthening of quantum money where not even the bank can duplicate banknotes.

  • We discuss potential instantiations of our framework, including an oracle construction using cryptographic group actions and instantiations from rerandomizable functional encryption, isogenies over elliptic curves, and knots.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    Sometimes it is also referred to as public-key quantum money. We may use the two terms interchangeably.

  2. 2.

    Quantum oracles are quantum circuits accessible only as a black-box unitary. They are generally considered as strong relativizing tools when used in proofs. Classical oracles are black-box classical circuits, a much weaker tool.

  3. 3.

    This holds true even for certain weaker versions such as copy detection, also known as infinite term secure software leasing.

  4. 4.

    We thank the authors of [KLS22] for patiently answering our numerous questions about their work, which was instrumental in helping us identify the flaw.

  5. 5.

    Previously, [LZ19] showed that SIS was collapsing for a super-polynomial modulus.

  6. 6.

    The recent attacks [CD22, MM22, Rob22] on SIDH do not apply to the isogeny building blocks we need. We will elaborate in the full version.

  7. 7.

    [FGH+12] did not analyze correctness of their knot-based proposal, nor analyze the states accepted by their verifier and formalize the property needed for a security proof. [LAF+10] had informal correctness analysis on their proposal, but also did not analyze the security property needed.

  8. 8.

    We once again want to emphasize that the authors of [KLS22] were exceptionally helpful and we thank them for their time spent helping us understand their work.

  9. 9.

    Due to certain concerns about security, [FGH+12] actually sets X to contain extra information beyond a knot diagram.

  10. 10.

    Technically, it is a uniform superposition over the pre-images of some y in the image of I. If multiple O have the same y, then the superposition will be over all such O.

  11. 11.

    Or more generally, if multiple O have the same y, then accepting states are exactly those that place equal weight on elements of each O, but the weights may be different across different O.

  12. 12.

    Nevertheless we provide a discussion on the knot money instantiation in the knot instantiation section of the full version.

  13. 13.

    Throughout the sections on invariant quantum money framework and construction in the full verison, we will sometimes interchangeably use “money” or “lightning”. But in fact the proposed candidates are all candidates for quantum lightning.

  14. 14.

    This seems like a very plausible assumption to us: classically, the knowledge of exponent would almost trivially hold over generic groups.

  15. 15.

    They are real-valued, since \(M_O\) is symmetric, owing to the fact that we assumed the \(\sigma _i\) are perfectly matched into pairs that are inverses of each other.

References

  1. Aaronson, S.: Quantum copy-protection and quantum money. In: Proceedings of the 2009 24th Annual IEEE Conference on Computational Complexity, CCC 2009, pp. 229–242, Washington, DC, USA, 2009. IEEE Computer Society (2009)

    Google Scholar 

  2. Aaronson, S., Christiano, P.: Quantum money from hidden subspaces. In: Karloff, H.J., Pitassi, T. (eds.) 44th Annual ACM Symposium on Theory of Computing, pp. 41–60, New York, NY, USA, 19–22 May 2012. ACM Press (2012)

    Google Scholar 

  3. Alamati, N., De Feo, L., Montgomery, H., Patranabis, S.: Cryptographic group actions and applications. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 411–439. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_14

    Chapter  Google Scholar 

  4. Amos, R., Georgiou, M., Kiayias, A., Zhandry, M.: One-shot signatures and applications to hybrid quantum/classical authentication. In: Proceedings of the 52nd Annual ACM SIGACT Symposium on Theory of Computing, pp. 255–268 (2020)

    Google Scholar 

  5. Ananth, P., La Placa, R.L.: Secure software leasing. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 501–530. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_17

    Chapter  Google Scholar 

  6. Aaronson, S., Liu, J., Liu, Q., Zhandry, M., Zhang, R.: New approaches for quantum copy-protection. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 526–555. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_19

    Chapter  Google Scholar 

  7. Bennett, C.H., Brassard, G.: Quantum public key distribution reinvented. SIGACT News 18(4), 51–53 (1987)

    Article  Google Scholar 

  8. Brakerski, Z., Christiano, P., Mahadev, U., Vazirani, U.V., Vidick, T.: A cryptographic test of quantumness and certifiable randomness from a single quantum device. In: Thorup, M. (ed.) 59th Annual Symposium on Foundations of Computer Science, pp. 320–331, Paris, France, 7–9 October 2018. IEEE Computer Society Press (2018)

    Google Scholar 

  9. Brakerski, Z., Döttling, N., Garg, S., Malavolta, G.: Factoring and pairings are not necessary for IO: circular-secure LWE suffices. Cryptology ePrint Archive, Report 2020/1024 (2020). https://eprint.iacr.org/2020/1024

  10. Ben-David, S., Sattath, O.: Quantum tokens for digital signatures (2016). https://arxiv.org/abs/1609.09047

  11. Boneh, D., Freeman, D.M.: Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 1–16. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_1

    Chapter  Google Scholar 

  12. Bartusek, J., Guan, J., Ma, F., Zhandry, M.: Return of GGH15: provable security against zeroizing attacks. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 544–574. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_20

    Chapter  MATH  Google Scholar 

  13. Broadbent, A., Gutoski, G., Stebila, D.: Quantum one-time programs. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 344–360. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_20

    Chapter  Google Scholar 

  14. Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th Annual ACM Symposium on Theory of Computing, pp. 575–584, Palo Alto, CA, USA, 1–4 June 2013. ACM Press (2013)

    Google Scholar 

  15. Castryck, W., Decru, T.: An efficient key recovery attack on SIDH (preliminary version). Cryptology ePrint Archive (2022)

    Google Scholar 

  16. Coladangelo, A., Liu, J., Liu, Q., Zhandry, M.: Hidden Cosets and applications to unclonable cryptography. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 556–584. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_20

    Chapter  Google Scholar 

  17. Colbeck, R.: Quantum and relativistic protocols for secure multi-party computation (2009)

    Google Scholar 

  18. Coladangelo, A.: Smart contracts meet quantum cryptography (2019)

    Google Scholar 

  19. Pena, M.C., Díaz, R.D., Faugère, J.C., Encinas, L.H., Perret, L.: Non-quantum cryptanalysis of the noisy version of Aaronson-Christiano’s quantum money scheme. IET Inf. Secur. 13(4), 362–366 (2019)

    Article  Google Scholar 

  20. Coladangelo, A., Sattath, O.: A quantum money solution to the blockchain scalability problem. Quantum 4, 297 (2020)

    Article  Google Scholar 

  21. Coudron, M., Yuen, H.: Infinite randomness expansion with a constant number of devices. In: Shmoys, D.B. (ed.) 46th Annual ACM Symposium on Theory of Computing, pp. 427–436, New York, NY, USA, 31 May–3 June 2014. ACM Press (2014)

    Google Scholar 

  22. Damgård, I.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_36

    Chapter  Google Scholar 

  23. Farhi, E., Gosset, D., Hassidim, A., Lutomirski, A., Nagaj, D., Shor, P.: Quantum state restoration and single-copy tomography for ground states of Hamiltonians. Phys. Rev. Lett. 105(19), 190503 (2010)

    Article  Google Scholar 

  24. Farhi, E., Gosset, D., Hassidim, A., Lutomirski, A., Shor, P.W.: Quantum money from knots. In: Goldwasser, S. (ed.) ITCS 2012: 3rd Innovations in Theoretical Computer Science, pp. 276–289, Cambridge, MA, USA, 8–10 January 2012. Association for Computing Machinery (2012)

    Google Scholar 

  25. Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_20

    Chapter  Google Scholar 

  26. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th Annual ACM Symposium on Theory of Computing, pp. 197–206, Victoria, BC, Canada, 17–20 May 2008. ACM Press (2008)

    Google Scholar 

  27. Kane, D.M.: Quantum money from modular forms (2018). https://arxiv.org/abs/1809.05925

  28. Khesin, A.B., Lu, J.Z., Shor, P.W.: Publicly verifiable quantum money from random lattices (2022). https://arxiv.org/abs/2207.13135v2

  29. Kane, D.M., Sharif, S., Silverberg, A.: Quantum money from quaternion algebras. Cryptology ePrint Archive, Report 2021/1294 (2021). https://eprint.iacr.org/2021/1294

  30. Lutomirski, A., et al.: Breaking and making quantum money: toward a new quantum cryptographic protocol. In: Yao, A.C.-C. (ed.) ICS 2010: 1st Innovations in Computer Science, pp. 20–31, Tsinghua University, Beijing, China, 5–7 January 2010. Tsinghua University Press (2010)

    Google Scholar 

  31. Lutomirski, A.: An online attack against Wiesner’s quantum money (2010). https://arxiv.org/abs/1010.0256

  32. Liu, Q., Zhandry, M.: Revisiting post-quantum Fiat-Shamir. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 326–355. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_12

    Chapter  Google Scholar 

  33. Maino, L., Martindale, C.: An attack on SIDH with arbitrary starting curve. Cryptology ePrint Archive (2022)

    Google Scholar 

  34. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th Annual ACM Symposium on Theory of Computing, pp. 84–93, Baltimore, MA, USA, 22–24 May 2005. ACM Press (2005)

    Google Scholar 

  35. Roberts, B.: Security analysis of quantum lightning. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 562–567. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_19

    Chapter  Google Scholar 

  36. Robert, D.: Breaking SIDH in polynomial time. Cryptology ePrint Archive (2022)

    Google Scholar 

  37. Radian, R., Sattath, O.: Semi-quantum money. In: Proceedings of the 1st ACM Conference on Advances in Financial Technologies, AFT 2019, pp. 132–146, New York, NY, USA. Association for Computing Machinery (2019)

    Google Scholar 

  38. Unruh, D.: Computationally binding quantum commitments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 497–527. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_18

    Chapter  Google Scholar 

  39. Wiesner, S.: Conjugate coding. SIGACT News 15(1), 78–88 (1983)

    Article  MATH  Google Scholar 

  40. Wee, H., Wichs, D.: Candidate obfuscation via oblivious LWE sampling. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12698, pp. 127–156. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77883-5_5

    Chapter  Google Scholar 

  41. Zhandry, M.: Quantum lightning never strikes the same state twice. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 408–438. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_14

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Jiahui Liu .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Liu, J., Montgomery, H., Zhandry, M. (2023). Another Round of Breaking and Making Quantum Money:. In: Hazay, C., Stam, M. (eds) Advances in Cryptology – EUROCRYPT 2023. EUROCRYPT 2023. Lecture Notes in Computer Science, vol 14004. Springer, Cham. https://doi.org/10.1007/978-3-031-30545-0_21

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-30545-0_21

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-30544-3

  • Online ISBN: 978-3-031-30545-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics