Algebraic Cryptanalysis of a Quantum Money Scheme The Noise-Free Case

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9020)


We investigate the Hidden Subspace Problem (\(\mathrm{HSP}_q\)) over \({\mathbb {F}}_q\):

Input : \(p_1,\ldots ,p_m,q_1,\ldots ,q_m\in {\mathbb {F}}_q[x_1,\ldots ,x_n]\) of degree \(d\ge 3\) (and \(n\le m\le 2n\)).

Find : a subspace \(A\subset {{\mathbb {F}}_q}^n\) of dimension \(n/2\) (\(n\) is even) such that
$$\begin{aligned} p_i(A)=0\,\,\forall i\in \{1,\ldots ,m\}\,\,\text {and}\,\, q_j(A^{\perp })=0\,\,\forall j\in \{1,\ldots ,m\}, \end{aligned}$$
where \(A^{\perp }\) denotes the orthogonal complement of \(A\) with respect to the usual scalar product in \({\mathbb {F}}_q\).

This problem underlies the security of the first public-key quantum money scheme that is proved to be cryptographically secure under a non quantum but classic hardness assumption. This scheme was proposed by S. Aaronson and P. Christiano [1] at STOC’12. In particular, it depends upon the hardness of \({\mathrm{HSP}}_2\). More generally, Aaronson and Christiano left as an open problem to study the security of the scheme for a general field \({\mathbb {F}}_q\). We present a randomized polynomial-time algorithm that solves the \({\mathrm{HSP}}_q\) for \(q>d\) with success probability \(\approx 1-1/q\). So, the quantum money scheme extended to \({\mathbb {F}}_q\) is not secure for big \(q\). Finally, based on experimental results and a structural property of the polynomials that we prove, we conjecture that there is also a randomized polynomial-time algorithm solving the \({\mathrm{HSP}}_2\) with high probability. To support our theoretical results we also present several experimental results confirming that our algorithms are very efficient in practice. We emphasize that [1] proposes a non-noisy and a noisy version of the public-key quantum money scheme. The noisy version of the quantum money scheme remains secure.


Success Probability Vector Subspace Homogeneous Component Algebraic Attack Noisy Version 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Aaronson, S., Christiano, P.: Quantum money from hidden subspaces. In: Proceedings of the 44th Symposium on Theory of Computing Conference, STOC 2012, New York, NY, USA, May 19–22, pp. 41–60 (2012)Google Scholar
  2. 2.
    Bardet, M., Faugère, J.-C., Salvy, B.: On the Complexity of the F5 Gröbner basis Algorithm. Journal of Symbolic Computation, 1–24Google Scholar
  3. 3.
    Bardet, M., Faugère, J.-C., Salvy, B.: On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In: Proc. of International Conference on Polynomial System Solving (ICPSS), pp. 71–75 (2004)Google Scholar
  4. 4.
    Bardet, M., Faugère, J.-C., Salvy, B., Yang, B.-Y.: Asymptotic behaviour of the degree of regularity of semi-regular polynomial systems. In: Proc. of MEGA 2005, Eighth International Symposium on Effective Methods in Algebraic Geometry (2005)Google Scholar
  5. 5.
    Bennett, C.H., Brassard, G., Breidbard, S., Wiesner, S.: Quantum cryptography, or unforgeable subway tokens. In: Proceedings of CRYPTO, pp. 267–275 (1982)Google Scholar
  6. 6.
    Bosma, W., Cannon, J.J., Playoust, C.: The Magma algebra system I: The user language. Journal of Symbolic Computation 24(3–4), 235–265 (1997)CrossRefzbMATHMathSciNetGoogle Scholar
  7. 7.
    Brent, R.P., McKay, B.D.: Determinants and rank of random matrices over \(\mathbb{Z}_m\). Discrete Math. 66, 35–50 (1987)CrossRefzbMATHMathSciNetGoogle Scholar
  8. 8.
    Buchberger, B.: Ein Algorithmus zum Auffinden der Basiselemente des Restklassenringes nach einem nulldimensionalen Polynomideal. PhD thesis, University of Innsbruck (1965)Google Scholar
  9. 9.
    Buchberger, B.: Bruno Buchberger’s PhD thesis 1965: An algorithm for finding the basis elements of the residue class ring of a zero dimensional polynomial ideal. J. Symb. Comput. 41(3–4), 475–511 (2006)CrossRefzbMATHMathSciNetGoogle Scholar
  10. 10.
    Buchberger, B.: Comments on the translation of my phd thesis. J. Symb. Comput. 41(3–4), 471–474 (2006)CrossRefzbMATHMathSciNetGoogle Scholar
  11. 11.
    Courtois, N., Meier, W.: Algebraic attacks on stream ciphers with linear feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  12. 12.
    Farhi, E., Gosset, D., Hassidim, A., Lutomirski, A., Shor, P.W.: Quantum money from knots, pp. 276–289 (2012)Google Scholar
  13. 13.
    Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases (\({F}_4\)). Journal of Pure and Applied Algebra 139, 61–88 (1999)CrossRefzbMATHMathSciNetGoogle Scholar
  14. 14.
    Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (\({F}_5\)). In: ACM Press (ed.) International Symposium on Symbolic and Algebraic Computation, ISAAC 2002, pp. 75–83 (2002)Google Scholar
  15. 15.
    Faugère, J.-C., Joux, A.: Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems using Gröbner bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  16. 16.
    Faugère, J.-C., Perret, L.: Polynomial equivalence problems: algorithmic and theoretical aspects. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 30–47. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  17. 17.
    Gavinsky, D.: Quantum money with classical verification, pp. 42–52 (2012)Google Scholar
  18. 18.
    Mosca, M., Stebila, D.: Quantum coins. Error-Correcting Codes, Finite Geometry and Cryptography 523, 35–47 (2010)CrossRefMathSciNetGoogle Scholar
  19. 19.
    Patarin, J.: Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996) CrossRefGoogle Scholar
  20. 20.
    Wiesner, S.: Conjugate coding. ACM SIGACT News 15(1), 78–88 (1983)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. 1.Institute of Physical and Information Technologies (ITEFI) – Spanish National Research Council (CSIC)MadridSpain
  2. 2.Sorbonne Universités, UPMC Univ Paris 06, POLSYS, UMR 7606, LIP6ParisFrance
  3. 3.INRIA, Paris-Rocquencourt Center, POLSYS ProjectParisFrance
  4. 4.CNRS, UMR 7606, LIP6ParisFrance

Personalised recommendations