New Developments in Quantum Money and Copy-Protected Software. Scott Aaronson (MIT). Joint work with Paul Christiano.


New Developments in Quantum
Money and Copy-Protected
Software
Scott Aaronson (MIT)
Joint work with Paul Christiano
Ever since there’s been money, there’ve been people
trying to counterfeit it
Previous work on the physics of money:
In his capacity as Master of the Mint, Isaac Newton
worked on making English coins harder to counterfeit
(He also personally oversaw hangings of counterfeiters)
Today: Holograms, embedded
strips, “microprinting,” special
inks…
Leads to an arms race with no
obvious winner
Problem: From a CS perspective, uncopyable cash
seems impossible for trivial reasons
Any printing technology the good guys can
build, bad guys can in principle build also
$x \mapsto (x, x)$ is a polynomial-time operation
What’s done in practice: Have a trusted third party
authorize every transaction
(BitCoin: “Trusted third party” is
distributed over the Internet)
OK, but sometimes you want cash, and that seems
impossible to secure, at least in classical physics…
The No-Cloning Theorem

 
No physical procedure can take an unknown
quantum state and output two copies of it
(or even a close approximation thereof)
First Idea in the History of Quantum Info
Wiesner 1969: Money that’s information-theoretically
impossible to counterfeit, assuming quantum mechanics
Each banknote contains n qubits, secretly prepared in one
of the 4 states $|0\rangle, |1\rangle, |+\rangle, |-\rangle$
In a giant database, the bank remembers how it prepared
every qubit on every banknote
Molina, Vidick, Watrous 2012: A counterfeiter who doesn’t
know the state can copy it with probability at most $(3/4)^n$
Want to verify a banknote? Take it to the bank. Bank uses
its knowledge to measure each qubit in the right basis:
[figure: each qubit is measured either in the $\{|0\rangle, |1\rangle\}$ basis OR in the $\{|+\rangle, |-\rangle\}$ basis, according to the bank’s record]
Drawbacks of Wiesner’s Scheme
1. Banknotes could decohere in your wallet—the
“Schrödinger’s money problem”!
The reason why quantum money isn’t yet practical, in
contrast to (say) quantum key distribution
2. Bank needs a big database describing every banknote
Solution (Bennett et al. ‘82): Pseudorandom functions
3. Only the bank knows how to verify the money
4. Scheme can be broken by interacting with the bank
“Modern” Goal: Public-Key Quantum Money
Easy to prepare, hard to copy, verifiable by anyone
[figure: KeyGen outputs $k_{\mathrm{private}}$ (to Mint) and $k_{\mathrm{public}}$ (to Ver); Mint outputs banknotes $|\$_1\rangle, |\$_2\rangle, \ldots$ which Ver checks]
Formally, a public-key quantum money scheme S consists of
three polynomial-time quantum algorithms:
KeyGen($0^n$): Generates key pair $(k_{\mathrm{private}}, k_{\mathrm{public}})$
Mint($k_{\mathrm{private}}$): Generates quantum banknote $\$$
Ver($k_{\mathrm{public}}$, ¢): Accepts or rejects claimed banknote ¢
S has completeness error $\varepsilon$ if for all $k_{\mathrm{public}}$ and valid $\$$,
$$\Pr\left[\mathrm{Ver}(k_{\mathrm{public}}, \$)\ \text{accepts}\right] \ge 1 - \varepsilon.$$
S has soundness error $\delta$ if for all polynomial-time
counterfeiters C mapping q banknotes to r > q banknotes,
$$\Pr\left[\mathrm{Count}\left(k_{\mathrm{public}},\ C(k_{\mathrm{public}}, \$_1, \ldots, \$_q)\right) > q\right] \le \delta,$$
where Count returns the number of C’s output registers
¢1,…,¢r that Ver accepts
Private-key quantum money scheme:
Same except that $k_{\mathrm{public}} = k_{\mathrm{private}}$
Basic Observations
Not obvious that public-key quantum money is possible!
If it is, will certainly require computational assumptions,
in addition to quantum mechanics
Without loss of generality, quantum money is reusable.
If the completeness error is $\varepsilon$, then it’s possible to verify
banknotes in a way that damages the valid ones by at
most $\sqrt{\varepsilon}$ in trace distance (→ reusable ~$1/\sqrt{\varepsilon}$ times)
Previous Work on Public-Key Quantum Money
A., CCC’2009
Secure construction using a quantum oracle (but security
proof never published)
Explicit candidate scheme based on random stabilizer
states—broken by Lutomirski et al. 2010
Farhi et al., ITCS’2012: “Quantum money from knots”
Important, original proposal, but little known about security
Not even known which states $|\psi\rangle$ the verifier accepts
Lutomirski 2011: “Abstract” version of knot scheme using a
classical oracle (but proving its security still wide open; seems hard)
Our work: A new public-key quantum
money scheme, based on hidden subspaces
Much simpler than previous schemes: verifier
just projects onto valid money states, by
measuring in two complementary bases
For the first time, can base security on an assumption
(about multivariate polynomial cryptography) that
has nothing to do with quantum money
Also for first time, can prove “abstract” version of scheme
(involving a classical oracle) is unconditionally secure
Same construction yields the first private-key
scheme that’s provably “interactively secure”
Overview of Our Construction
[figure: Public-Key Quantum Money Scheme is built from a “Mini-Scheme” (Mint prints a single banknote $(s, |\psi_s\rangle)$ s.t. copying $|\psi_s\rangle$ is hard) plus a Signature Scheme secure against nonadaptive quantum chosen-message attacks, which comes (via Rompel 1990) from a OWF secure against quantum attacks]
“Standard Construction” of Quantum
Money from Mini-Schemes + Signatures
(Introduced by Lutomirski et al.; analyzed by us)
$$\$ := \left(s,\ |\psi_s\rangle,\ \mathrm{Sign}(k_{\mathrm{private}}, s)\right)$$
To verify the banknote $\$ = (s, |\psi_s\rangle, w)$:
1. Check that $(s, |\psi_s\rangle)$ is valid
2. Check that w is a valid digital signature of s
Theorem: If you can create counterfeit banknotes $\$$, then
either you can copy $|\psi_s\rangle$’s, or else you can forge signatures
The Hidden Subspace Mini-Scheme
Quantum money state:
$$|A\rangle := \frac{1}{2^{n/4}} \sum_{x \in A} |x\rangle, \qquad A \le_R \mathrm{GF}(2)^n,\quad \dim A = \frac{n}{2}$$
Mint can easily choose a random A and prepare $|A\rangle$
Corresponding “serial number” s: Somehow
describes how to check membership in A and in $A^\perp$
(the dual subspace of A), yet doesn’t reveal A or $A^\perp$
Procedure to Verify Money State
(assuming ability to decide membership in A and $A^\perp$)
1. Project onto A elements (reject if this fails)
2. Hadamard all n qubits to map $|A\rangle$ to $|A^\perp\rangle$
3. Project onto $A^\perp$ elements (reject if this fails)
4. Hadamard all n qubits to return state to $|A\rangle$
Theorem: The above just implements a projection onto
$|A\rangle\langle A|$—i.e., it accepts $|\psi\rangle$ with probability $|\langle \psi | A \rangle|^2$
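The four-step verifier above, worked through on a toy instance. This is an added example, not code from the talk or from the Aaronson-Christiano paper: it simulates n = 8 qubits as a real amplitude vector of length 256 (a constructed size; the subspace A is drawn from a fixed seed), builds $|A\rangle$, checks that $H^{\otimes n}$ maps it exactly onto $|A^\perp\rangle$, and exercises the theorem that the verifier accepts $|\psi\rangle$ with probability $|\langle\psi|A\rangle|^2$: a valid note passes undamaged, while a single measured element $x \in A$ passes with probability only $2^{-n/2}$. It also shows the step the security reduction later relies on, that measuring about n copies of $|A\rangle$ in the standard basis yields a generating set for A. Membership in A and $A^\perp$ is decided here from the explicit basis, i.e. the membership oracles are assumed rather than instantiated.

```python
import math
import random

N = 8                      # constructed toy size: n = 8 qubits, dim A = n/2 = 4
rng = random.Random(2012)  # fixed seed so the run is reproducible


def parity(v):
    return bin(v).count("1") & 1


def random_subspace(n, dim, rng):
    """Random dim-dimensional subspace of GF(2)^n as (basis, full span); vectors are bitmasks."""
    while True:
        basis = [rng.getrandbits(n) for _ in range(dim)]
        span = {0}
        for b in basis:
            span |= {v ^ b for v in span}
        if len(span) == 2 ** dim:          # the basis vectors were independent
            return basis, span


def dual(basis, n):
    """A^perp = {y : <y, a> = 0 for all a in A}, by brute force (fine for small n)."""
    return {y for y in range(2 ** n) if all(parity(y & a) == 0 for a in basis)}


def subspace_state(span, n):
    """|A> = 2^{-dim/2} sum_{x in A} |x>, as a real amplitude vector indexed by x."""
    amp = 1.0 / math.sqrt(len(span))
    return [amp if x in span else 0.0 for x in range(2 ** n)]


def hadamard_all(state):
    """H on every qubit: the Walsh-Hadamard transform with a 1/sqrt(2) factor per qubit."""
    state = list(state)
    h = 1
    while h < len(state):
        for i in range(0, len(state), 2 * h):
            for j in range(i, i + h):
                a, b = state[j], state[j + h]
                state[j], state[j + h] = (a + b) / math.sqrt(2), (a - b) / math.sqrt(2)
        h *= 2
    return state


def project(state, members):
    """Measure 'is x in members?': returns (Pr[yes], normalised post-measurement state)."""
    kept = [a if x in members else 0.0 for x, a in enumerate(state)]
    p = sum(a * a for a in kept)
    return (p, [a / math.sqrt(p) for a in kept]) if p > 0 else (0.0, kept)


def verify(state, span_a, span_a_perp):
    """The four-step verifier; returns (acceptance probability, state handed back on accept)."""
    p1, state = project(state, span_a)          # 1. project onto A elements
    if p1 == 0.0:
        return 0.0, state
    state = hadamard_all(state)                 # 2. Hadamard all qubits: |A> -> |A^perp>
    p2, state = project(state, span_a_perp)     # 3. project onto A^perp elements
    if p2 == 0.0:
        return 0.0, state
    return p1 * p2, hadamard_all(state)         # 4. Hadamard back to |A>


def inner(u, v):
    return sum(a * b for a, b in zip(u, v))


def measure_standard(state, rng):
    """Standard-basis measurement: returns x with probability amp_x^2."""
    return rng.choices(range(len(state)), weights=[a * a for a in state])[0]


def demo():
    basis, span_a = random_subspace(N, N // 2, rng)
    span_a_perp = dual(basis, N)
    ket_a, ket_a_perp = subspace_state(span_a, N), subspace_state(span_a_perp, N)

    # Hadamard on all qubits maps |A> exactly onto |A^perp>
    duality_err = max(abs(x - y) for x, y in zip(hadamard_all(ket_a), ket_a_perp))

    # a valid banknote is accepted with probability 1 and comes back undamaged
    p_valid, out = verify(ket_a, span_a, span_a_perp)
    damage = max(abs(x - y) for x, y in zip(out, ket_a))

    # a single classical A element (what measuring |A> gives) passes step 1, but step 3 only w.p. 2^{-n/2}
    x0 = next(iter(span_a - {0}))
    p_classical, _ = verify([1.0 if x == x0 else 0.0 for x in range(2 ** N)], span_a, span_a_perp)

    # the theorem: an arbitrary |psi> is accepted with probability |<psi|A>|^2
    psi = [rng.gauss(0.0, 1.0) for _ in range(2 ** N)]
    norm = math.sqrt(inner(psi, psi))
    psi = [a / norm for a in psi]
    p_psi, _ = verify(psi, span_a, span_a_perp)
    theorem_err = abs(p_psi - inner(psi, ket_a) ** 2)

    # measuring ~n copies of |A> (2n here, for margin) yields a generating set of A w.h.p.
    generated = {0}
    for s in (measure_standard(ket_a, rng) for _ in range(2 * N)):
        generated |= {v ^ s for v in generated}

    return {"duality_err": duality_err, "p_valid": p_valid, "damage": damage,
            "p_classical": p_classical, "theorem_err": theorem_err,
            "samples_generate_A": generated == span_a}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the script prints the six checks; `damage`, `duality_err` and `theorem_err` come out as floating-point residue only, and `p_classical` is $2^{-4} = 1/16$ for this instance. The verifier is projective, which is exactly what the later fidelity-amplification step (fixed-point search) needs.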
Security of the Black-Box Scheme
Valid Banknotes: $(s_1, |A_1\rangle), (s_2, |A_2\rangle), \ldots$
Membership Oracles: $O_{A_1}, O_{A_1^\perp}, O_{A_2}, O_{A_2^\perp}, \ldots$
Intuitively, what can the counterfeiter do?
Measure $|A_i\rangle$ → just yields one $A_i$ or $A_i^\perp$ element
Query $O_{A_i}$ or $O_{A_i^\perp}$ to learn a basis for $A_i$ → takes $\Omega(2^{n/4})$
queries, by the BBBV Theorem (optimality of Grover search)
Need to show: $2^{\Omega(n)}$ quantum queries to $O_{A_i}$ and
$O_{A_i^\perp}$ are needed, even just to map $|A_i\rangle$ to $|A_i\rangle^{\otimes 2}$
Common generalization of No-Cloning Theorem and BBBV Theorem
[figure: a banknote labelled $|\$1{,}000{,}000\rangle$]
Idea: Look at Inner Products
A, A’: “neighboring” n/2-dimensional subspaces in $\mathrm{GF}(2)^n$
(i.e., sharing an (n/2−1)-dimensional subspace)
$$\langle A | A' \rangle = \frac{|A \cap A'|}{2^{n/2}} = \frac{1}{2}, \qquad \langle A|^{\otimes 2}\,|A'\rangle^{\otimes 2} = \frac{1}{2}\cdot\frac{1}{2} = \frac{1}{4}$$
Use Ambainis’s quantum adversary method to show that
the inner product between $|A\rangle$ and $|A'\rangle$ can decrease by at
most ~$2^{-n/4}$, as the result of a single query to $O_A$ or $O_{A^\perp}$
Problem: A query can decrease the inner product by $\Omega(1)$ for
some $|A\rangle, |A'\rangle$ pairs! But we show that it can’t for most pairs
Finishing the Security Proof
Our “Inner-Product Adversary Method” shows that
$\Omega(2^{n/4})$ queries are needed for almost-perfect copying of
$|A\rangle$. But what about copying with 1/poly(n) fidelity?
Key idea: Since our scheme is projective, can amplify fidelity to
$|A\rangle^{\otimes 2}$ using fixed-point quantum search (a recent variant of
Grover’s algorithm due to Tulsi, Grover, and Patel)
What about counterfeiters that only copy some |A’s and
not others?
Key idea: The counterfeiting problem is random self-reducible!
Before trying to copy |A, hit it with a random invertible linear
transformation on GF(2)n
The same construction immediately yields the first…
Private-Key Quantum Money (with no oracle)
Secure Against Interactive Attack
[figure: the counterfeiter holds banknotes $(s_1, |A_1\rangle), (s_2, |A_2\rangle), \ldots$ and sends the bank verification requests on $(s_1, |A_1\rangle), (s_2, |A_2\rangle), \ldots$]
Suppose $|A_i\rangle$ could be copied using poly(n)
verification requests to the bank
Then $|A_i\rangle$ could also be copied in our public-key scheme, using poly(n) oracle queries!

But if we want public-key money, we still
have to face an interesting, purely-classical…
Obfuscation Challenge: “Instantiate” the
oracles $O_A$ and $O_{A^\perp}$, without revealing A
Our Proposal: Use Multivariate Polynomials
For each money state $|A\rangle$, mint publishes (as $|A\rangle$’s “serial
number”) uniformly-random degree-d polynomials
$$p_1, \ldots, p_{2n},\ q_1, \ldots, q_{2n} : \mathrm{GF}(2)^n \to \mathrm{GF}(2),$$
such that all $p_i$’s vanish on A and all $q_i$’s vanish on $A^\perp$.
The $p_i$’s and $q_i$’s can be generated in $n^{O(d)}$ time: generate them
assuming $A = \mathrm{span}(x_1, \ldots, x_{n/2})$; then apply a linear transformation
Verifying $|A\rangle$ is simple! With overwhelming probability,
$$x \in A \iff p_1(x) = \cdots = p_{2n}(x) = 0$$
$$x \in A^\perp \iff q_1(x) = \cdots = q_{2n}(x) = 0$$
But given only the $p_i$’s and $q_i$’s, not clear how to find any
nonzero A or $A^\perp$ elements in poly-time (even quantumly)
Closely related to multivariate polynomial cryptography,
and to the polynomial isomorphism problem
Our scheme is breakable when d=1 (trivially) or d=2 (using
theory of quadratic forms). And there’s nontrivial structure
when d=3 (Bouillaguet et al. 2011). So we recommend $d \ge 4$
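The serial-number construction as an added example (not the talk’s or the paper’s own code). It uses the same toy parameters as the verifier example (n = 8, dim A = 4, a fixed seed) and d = 3, which is below the recommended degree and chosen only so the published polynomials stay small enough to inspect. Instead of generating polynomials for $A = \mathrm{span}(x_1, \ldots, x_{n/2})$ and applying a linear transformation, it uses the equivalent ideal form $p = \sum_j \ell_j r_j$, where the $\ell_j$ are the linear forms cutting out A (one per basis vector of $A^\perp$) and the $r_j$ are uniformly random polynomials of degree at most d−1; since this is a linear map applied to a uniform input, the output is uniform over degree-≤d polynomials vanishing on A. Polynomials are multilinear over GF(2) and stored as sets of monomials, each monomial a bitmask of variables. The check at the end confirms that, on this instance, the published $p_i$’s and $q_i$’s decide membership in A and $A^\perp$ exactly; the brute-force enumeration of all $2^n$ points is of course only possible because n is tiny.

```python
import random

N = 8          # constructed toy size: n = 8 variables, dim A = n/2 = 4
D = 3          # degree of the published polynomials (the talk recommends d >= 4)
rng = random.Random(2012)


def parity(v):
    return bin(v).count("1") & 1


def random_subspace(n, dim, rng):
    """Random dim-dimensional subspace of GF(2)^n as (basis, full span); vectors are bitmasks."""
    while True:
        basis = [rng.getrandbits(n) for _ in range(dim)]
        span = {0}
        for b in basis:
            span |= {v ^ b for v in span}
        if len(span) == 2 ** dim:
            return basis, span


def basis_of(span):
    """Greedy extraction of a basis from a subspace given as a set of bitmasks."""
    basis, generated = [], {0}
    for v in sorted(span):
        if v not in generated:
            basis.append(v)
            generated |= {g ^ v for g in generated}
    return basis


# --- multilinear polynomials over GF(2): a set of monomials, each a bitmask of variables ---
def poly_mul(p, q):
    out = set()
    for m1 in p:
        for m2 in q:
            out ^= {m1 | m2}          # x_i^2 = x_i, so a product of monomials is their union
    return out


def poly_eval(p, x):
    return sum(1 for m in p if (m & x) == m) & 1   # a monomial is 1 iff all its variables are set


def poly_degree(p):
    return max((bin(m).count("1") for m in p), default=0)


def random_poly(n, max_deg, rng):
    """Uniformly random multilinear polynomial of degree <= max_deg (each monomial in w.p. 1/2)."""
    return {m for m in range(2 ** n) if bin(m).count("1") <= max_deg and rng.getrandbits(1)}


def linear_form(a, n):
    """The polynomial <a, x> = sum of the variables x_i with a_i = 1."""
    return {1 << i for i in range(n) if (a >> i) & 1}


def random_vanishing_poly(annihilator_basis, n, d, rng):
    """Uniformly random degree-<=d polynomial vanishing on {x : <b, x> = 0 for all b in annihilator_basis}:
    p(x) = sum_j <b_j, x> * r_j(x) with the r_j uniformly random of degree <= d-1."""
    p = set()
    for b in annihilator_basis:
        p ^= poly_mul(linear_form(b, n), random_poly(n, d - 1, rng))
    return p


def mint_serial_number(basis_a, n, d, rng):
    """Serial number for |A>: 2n polynomials vanishing on A and 2n vanishing on A^perp."""
    span_a_perp = {y for y in range(2 ** n) if all(parity(y & a) == 0 for a in basis_a)}
    basis_a_perp = basis_of(span_a_perp)
    ps = [random_vanishing_poly(basis_a_perp, n, d, rng) for _ in range(2 * n)]  # vanish on A
    qs = [random_vanishing_poly(basis_a, n, d, rng) for _ in range(2 * n)]       # vanish on A^perp
    return ps, qs, span_a_perp


def common_zeros(polys, n):
    """Everything the verifier would accept: the x with p(x) = 0 for every published p."""
    return {x for x in range(2 ** n) if all(poly_eval(p, x) == 0 for p in polys)}


def demo():
    basis_a, span_a = random_subspace(N, N // 2, rng)
    ps, qs, span_a_perp = mint_serial_number(basis_a, N, D, rng)
    return {
        "span_a": span_a,
        "span_a_perp": span_a_perp,
        "p_zero_set": common_zeros(ps, N),      # should equal A
        "q_zero_set": common_zeros(qs, N),      # should equal A^perp
        "max_degree": max(poly_degree(p) for p in ps + qs),
        "monomials_per_poly": sum(len(p) for p in ps + qs) / len(ps + qs),
    }


if __name__ == "__main__":
    r = demo()
    print("p's cut out exactly A:", r["p_zero_set"] == r["span_a"])
    print("q's cut out exactly A^perp:", r["q_zero_set"] == r["span_a_perp"])
    print("max degree:", r["max_degree"], "avg monomials per polynomial:", r["monomials_per_poly"])
```

A point x outside A makes at least one $\ell_j(x)$ equal to 1, so each $p_i(x)$ is an independent uniform bit and all 2n of them vanish with probability $2^{-2n}$; that is the “overwhelming probability” in the membership test above. Plugging these `poly_eval` checks in as the two membership tests turns the black-box verifier into the oracle-free scheme, and the hardness of recovering A from the published sets of monomials is exactly the assumption the next slide names.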
Security Reduction
Direct Product Assumption: Given the polynomials $p_1, \ldots, p_{2n}$
and $q_1, \ldots, q_{2n}$, no polynomial-time quantum algorithm can
find a generating set for A with $\Omega(2^{-n/2})$ success probability
Theorem: Assuming the DPA, our money scheme is secure
Proof Sketch: Suppose there’s a counterfeiter C that maps
$|A\rangle$ to $|A\rangle^{\otimes 2}$. Then to violate the DPA:
1. Prepare a uniform superposition over all $x \in \mathrm{GF}(2)^n$
2. Project onto A elements (yields $|A\rangle$ with probability $2^{-n/2}$)
3. If step 2 works, run C repeatedly to get ~n copies of $|A\rangle$
4. Measure each copy of $|A\rangle$ in the standard basis
(with high probability, yields n/2 independent A elements)

Open Problems

Break our scheme! Or get stronger evidence for security
Find other ways of hiding (complementary) subspaces
Are there secure public-key quantum money schemes
relative to a random oracle?
Does private-key quantum money require either a giant
database or a cryptographic assumption?
“Practicality”
New Direction: Quantum Copy-Protection
Finally, a serious use for quantum computing
Goal: Quantum state |f that lets you compute an
unknown function f, but doesn’t let you efficiently
create more states with which f can be computed
New Developments (A.-Christiano, not yet written)!
- By modifying our hidden-subspace money scheme, we
give a quantum copy-protection scheme with a classical
oracle, which works for any f’s and is proven secure
- We have a candidate quantum copy-protection scheme
with no oracle, but haven’t yet proved its security
Quantum Copy-Protection Relative to a
Classical Oracle
Quantum program (same as for money scheme):
$$|A\rangle := \frac{1}{2^{n/4}} \sum_{x \in A} |x\rangle$$
The classical oracle O, given a Boolean function f:
If $x \in A \setminus \{0^n\}$ and $y \in A^\perp \setminus \{0^n\}$, then $O(0,x,z) \oplus O(1,y,z) = f(z)$.
Otherwise, $O(b,x,z) = 0$.
Given $|A\rangle$ and O, one can evaluate f. But using the Inner-Product Adversary Method and random self-reducibility,
we prove that given $|A\rangle$ and O, one can’t find nonzero
elements of both A and $A^\perp$ with 1/poly(n) probability
Explicit Quantum Copy-Protection Scheme
Starting point: Yao’s garbled circuit construction (1986)
Assuming 1-out-of-2 oblivious-transfer, lets Alice send
Bob a circuit C such that Bob can evaluate C on one input
x, yet he learns nothing about C’s internal structure
We use hidden subspace states |A1,|A2,… to
implement the oblivious transfer “non-interactively”
To prove security, an excellent starting point would be
to prove the following “direct product conjecture”:
Given oracle access to $O_A$ and $O_{A^\perp}$, any quantum
algorithm needs $2^{\Omega(n)}$ queries to find nonzero
elements $x \in A$, $y \in A^\perp$ with $\Omega(2^{-n/2})$ success probability