Quantum Money Scott Aaronson (MIT) Based partly on joint work with Ed Farhi, David Gosset, Avinatan Hassidim, Jon Kelner, Andy Lutomirski, and Peter Shor

Mar 26, 2015

Slide 2
Ever since there's been money, there've been people trying to counterfeit it.
In his capacity as Master of the Mint, Isaac Newton added milled edges to English coins to make them harder to counterfeit. (Newton also personally oversaw the hangings of many counterfeiters.)
One of the oldest security problems facing human civilization; it has to be solved reasonably well before a market economy becomes possible.

Slide 3
Leads to an arms race with no obvious winner. Today: holograms, embedded strips, microprinting, special inks.
Problem: From a CS perspective, uncopyable cash seems impossible for trivial reasons. Any printing technology the good guys can build, the bad guys can in principle build also: x → (x, x) is a polynomial-time operation.

Slide 4
What's done in practice: have a trusted third party (the bank) authorize every transaction.
OK, but there are some cases where you want the convenience, privacy, and anonymity of cash, and it seems you can never make cash cryptographically secure. Indeed you can't, in classical physics.

Slide 5
Uncertainty Principle: You can measure a particle's position, or its momentum, but not both to unlimited precision.
Logical consequence: the No-Cloning Theorem.

Slide 6
First Idea in the History of Quantum Info
Wiesner 1969: Money that's impossible to counterfeit, assuming only the validity of quantum mechanics.
Each bill includes a few hundred qubits (say, electrons), secretly polarized in one of four random directions.
In a giant database, the bank remembers how it polarized every electron on every bill.
Want to verify a bill? Take it to the bank. The bank uses its knowledge of the polarizations to measure each electron in the appropriate basis (rectilinear or diagonal).

Slide 7
Theorem: A counterfeiter who doesn't know a bill's state can copy it with probability at most (5/6)^n, where n is the number of electrons per bill. (The optimal bound was later shown to be (3/4)^n by Molina, Vidick and Watrous.)
Drawbacks of Wiesner's scheme?
1. Need to keep bills from decohering in your wallet!
2. Bank needs to maintain a giant polarization database. Solution (Bennett et al. 1982): pseudorandom functions.
3. Only the bank knows how to authenticate the bills. There is no analogue of a convenience-store clerk holding a bill up to the light.

Slide 8
Which brings us to Public-Key Quantum Money (secure quantum money that anyone can authenticate).
Overview of Results [A., CCC 2009]
Public-key quantum money requires computational assumptions.
Secure public-key quantum money is possible, if counterfeiters only have black-box access to the checking device. (Already nontrivial: the Complexity-Theoretic No-Cloning Theorem.)
Explicit (non-black-box) candidate scheme, based on random stabilizer states.

Slide 9
[AFGHKLS, submitted, 2009]
Break of Aaronson's scheme.
New candidate scheme, where not even the bank can duplicate a bill. (Security assumption: our scheme can't be broken.)
Related task [A., CCC 2009]: Quantum software copy-protection.
Generic copy-protection secure against black-box adversaries.
Explicit candidate schemes for copy-protecting the family of point functions.

Slide 10
Definition of Quantum Money Schemes
n: security parameter (all computations should be polynomial in n).
B: poly-size quantum circuit (the bank), which maps a secret key s ∈ {0,1}^n to a public key e_s and a quantum banknote |ψ_s⟩.
A: poly-size quantum circuit (the authenticator), which takes a public key e and a candidate banknote as input and either accepts or rejects.
(B, A) has completeness error ε if, for every s, A accepts (e_s, |ψ_s⟩) with probability at least 1 − ε.
(B, A) has soundness error δ if, for every poly(n)-size quantum circuit C (the counterfeiter) mapping |ψ_s⟩^⊗k to r > k output registers σ_1, …, σ_r, the probability that A accepts all r of them is at most δ.

Slide 11
Counterfeiter only gets |ψ_s⟩: the scheme is private-key.
Counterfeiter gets both |ψ_s⟩ and e_s: the scheme is public-key.
Goal: a public-key scheme where the completeness error and the soundness error are both exponentially small.
Question: Does verifying a bill also destroy it? Answer: Not if ε is small enough! (A measurement that accepts a state with probability 1 − ε disturbs that state only slightly, so a genuine bill survives verification.)

Slide 12
Theorem: No public-key quantum money scheme can be information-theoretically secure.
Proof sketch: A counterfeiter with unlimited computation time can do this.
Let U be an ensemble of possible quantum money states. Initially, U_0 contains |ψ_s⟩ for every s ∈ {0,1}^n.
For t := 0 to n − 1 {
  If the legitimate authenticator A_{s*} accepts a random state from U_t with high probability, we're done!
  Otherwise, get a legitimate quantum money state |ψ_{s*}⟩.
  Find an authenticator A_s that rejects most states in U_t, but accepts |ψ_{s*}⟩.
  Let U_{t+1} be the set of states in U_t that A_s accepts w.h.p.
}

Slide 13
Public-Key Quantum Money Secure Against Black-Box Adversaries
Doesn't Wiesner's scheme already provide this? No! A counterfeiter could copy a bill by using the checking device to figure out the polarization of one qubit at a time.

Slide 14
Solution: The bank chooses an n-qubit quantum money state |ψ⟩ uniformly at random under the Haar measure. The checking device, U, accepts |ψ⟩ and rejects every state orthogonal to |ψ⟩.
Key Question: Can a counterfeiter create additional copies of |ψ⟩, using k = poly(n) copies of |ψ⟩ together with poly(n) queries to U?
If the counterfeiter only had |ψ⟩^⊗k, and not U: No, by the No-Cloning Theorem.
If the counterfeiter only had U, and not |ψ⟩^⊗k: No, by the optimality of Grover's search algorithm; U must be queried Ω(2^{n/2}) times to find |ψ⟩.
But what if the counterfeiter has both?

Slide 15
Complexity-Theoretic No-Cloning Theorem
Let |ψ⟩ be an n-qubit state. Suppose we're given |ψ⟩^⊗k, as well as a black box U that accepts |ψ⟩ and rejects all states orthogonal to |ψ⟩. Then to prepare r > k states σ_1, …, σ_r that all pass as |ψ⟩, we need a number of queries to U given by the bound on the slide (exponential in n, so still infeasible when k = poly(n)).
Proof requires generalizing Ambainis's adversary method to the case where the quantum algorithm's initial state already encodes some information about the target state.

Slide 16
Explicit Candidate Scheme
A stabilizer state is a state obtainable from |0…0⟩ by applying Hadamard, Controlled-NOT, and Phase gates only.
In my scheme, a dollar bill consists of:
L random stabilizer states |C_1⟩, …, |C_L⟩ on n qubits each;
a table of measurements to apply to the |C_i⟩'s;
a (conventional) digital signature of the table.
These states can always be efficiently prepared!

Slide 17
The table: For each |C_i⟩, we have lots of random garbage measurements, but also a secret fraction ε that commute with |C_i⟩.
To verify a bill:
1. Verify the table's digital signature.
2. For each i, apply a random measurement M_ij to |C_i⟩.
3. Accept if more than a fixed fraction of the measurements accept.
Hope: Learning classical descriptions of the |C_i⟩'s, or copying them in any other way, is computationally intractable (a noisy parity problem).

Slide 18
Breaking Aaronson's Scheme
Two cases:
1. ε is extremely small. Then the test is too weak, and we can guess our own states |C_i⟩ that pass the test.
2. ε is reasonably large. Then for each |C_i⟩, consider a graph of the possible measurements, with an edge between M_ij and M_ik iff they commute with each other.
[Figure: commutation graph on M_i1, …, M_i6]
The secret measurements that commute with |C_i⟩ also commute with each other (they are elements of the stabilizer group of |C_i⟩, which is abelian). Thus the problem reduces to finding a planted clique in a random-looking graph.
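A classical simulation of the two Wiesner facts used above (Slide 7: a counterfeiter who does not know the bases passes verification only with exponentially small probability; Slide 13: a counterfeiter who can query the bank's checking device learns the bill one qubit at a time). This is an added example, not code from the talk or its authors. Each qubit is held as a (basis, bit) pair, which is exact for the four conjugate-coding states: measuring in the right basis returns the bit and leaves the qubit alone, measuring in the wrong basis returns a uniformly random bit and collapses the qubit into the measured basis. The assumed threat model for the attack is the one Slide 13 needs: the checking device answers accept/reject and hands the qubits back, even on reject. Names (`Bank`, `oracle_attack`, etc.) are this example's own.

```python
import random

# Conjugate coding: basis 0 = rectilinear {|0>,|1>}, basis 1 = diagonal {|+>,|->}.
BASES = (0, 1)


def measure(qubit, basis, rng):
    """Born rule for the four Wiesner states. Returns (outcome, post-measurement qubit)."""
    b, bit = qubit
    if basis == b:
        return bit, qubit                 # eigenstate: outcome fixed, state untouched
    out = rng.randrange(2)                # wrong basis: coin flip, state collapses
    return out, (basis, out)


class Bank:
    def __init__(self, n, rng):
        self.n, self.rng, self.db = n, rng, {}

    def mint(self):
        serial = len(self.db)
        secret = [(self.rng.randrange(2), self.rng.randrange(2)) for _ in range(self.n)]
        self.db[serial] = secret          # the "giant polarization database"
        return serial, list(secret)       # the physical qubits handed to the customer

    def verify(self, serial, bill):
        """Measure every qubit in the recorded basis; accept iff every outcome matches.
        Returns (accepted, qubits after measurement): the device hands the qubits back."""
        ok, after = True, []
        for (basis, bit), q in zip(self.db[serial], bill):
            out, q2 = measure(q, basis, self.rng)
            after.append(q2)
            ok = ok and out == bit
        return ok, after


def measure_resend_forgery(bill, rng):
    """Counterfeiter without database access: guess a basis per qubit, measure, re-prepare."""
    forged = []
    for q in bill:
        guess = rng.randrange(2)
        out, _ = measure(q, guess, rng)
        forged.append((guess, out))
    return forged


def measure_resend_pass_probability(n):
    # Per qubit: right basis (1/2) passes; wrong basis (1/2) passes half the time => 3/4.
    return 0.75 ** n


def measure_resend_success_rate(n, trials, seed=0):
    rng = random.Random(seed)
    bank = Bank(n, rng)
    passed = 0
    for _ in range(trials):
        serial, bill = bank.mint()
        ok, _ = bank.verify(serial, measure_resend_forgery(bill, rng))
        passed += ok
    return passed / trials


def oracle_attack(bank, serial, bill, queries_per_guess=20):
    """Slide 13: with the checking device as an oracle, learn the bill one qubit at a time.
    For position i, swap in a fresh candidate state and keep the genuine qubit aside.
    Right candidate: always accepted. Same basis, wrong bit: rejected at once.
    Wrong basis: accepted only with probability 1/2 per query, so 20 accepts in a row
    identifies the candidate with error ~2^-20. Other positions are measured in their
    correct bases, so the genuine qubits are returned undisturbed."""
    candidates = [(b, v) for b in BASES for v in (0, 1)]
    learned = []
    for i in range(len(bill)):
        held = bill[i]
        for cand in candidates:
            accepted = True
            for _ in range(queries_per_guess):
                probe = bill[:i] + [cand] + bill[i + 1:]
                ok, after = bank.verify(serial, probe)
                bill = after[:i] + [held] + after[i + 1:]
                if not ok:
                    accepted = False
                    break
            if accepted:
                learned.append(cand)
                break
    return learned


def wiesner_demo(n=8, seed=1):
    """True iff the oracle attack recovers the database entry and a forged bill passes."""
    rng = random.Random(seed)
    bank = Bank(n, rng)
    serial, bill = bank.mint()
    learned = oracle_attack(bank, serial, bill)
    ok, _ = bank.verify(serial, list(learned))
    return learned == bank.db[serial] and ok


if __name__ == "__main__":
    print("measure-and-resend, n=4:", measure_resend_success_rate(4, 4000),
          "expected", measure_resend_pass_probability(4))
    print("oracle attack recovers bill and forges it:", wiesner_demo())
```

The query budget of the attack is n × 4 × 20, polynomial in n, which is exactly why a publicly queryable Wiesner verifier gives no security: the private-key scheme only works while the bank alone runs the measurements.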
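The commutation-graph reduction of Slide 18, worked at toy size: an added example, not code from the talk or from the AFGHKLS paper. n-qubit Pauli measurements are encoded as 2n-bit symplectic vectors (signs ignored, which the commutation test does not need); a random stabilizer state is represented by its stabilizer group, built greedily as n independent pairwise-commuting Paulis; the table mixes secret measurements drawn from that group with random garbage; the graph joins two measurements iff they commute. One substitution: the planted clique is recovered by exact Bron–Kerbosch search, which is feasible for a few dozen vertices, instead of the Alon–Krivelevich–Sudakov spectral algorithm the slide cites. The sizes (`n=6`, 12 secret, 18 garbage) are chosen so the planted clique is larger than any clique a random graph of that size would have on its own; all names are this example's own.

```python
import random

# An n-qubit Pauli is an int of 2n bits: low n bits = X part, high n bits = Z part.


def symplectic_inner(p, q, n):
    mask = (1 << n) - 1
    px, pz = p & mask, p >> n
    qx, qz = q & mask, q >> n
    return (bin(px & qz).count("1") + bin(pz & qx).count("1")) % 2


def commute(p, q, n):
    """Two Paulis commute iff their symplectic inner product is 0 mod 2."""
    return symplectic_inner(p, q, n) == 0


def random_stabilizer_group(n, rng):
    """Generators and full group (as XOR-closed set) of a random n-qubit stabilizer state.
    Greedy rejection sampling; not exactly uniform over stabilizer states, which is fine here."""
    gens, span = [], {0}
    while len(gens) < n:
        c = rng.randrange(1, 1 << (2 * n))
        if c in span or any(not commute(c, g, n) for g in gens):
            continue
        gens.append(c)
        span |= {s ^ c for s in span}
    return gens, span


def make_table(n, k_secret, k_garbage, rng):
    """Slide 17's table for one |C_i>: secret stabilizer elements plus random garbage."""
    gens, group = random_stabilizer_group(n, rng)
    secret = rng.sample(sorted(group - {0}), k_secret)
    garbage = [rng.randrange(1, 1 << (2 * n)) for _ in range(k_garbage)]
    table = secret + garbage
    rng.shuffle(table)
    return gens, set(secret), table


def commutation_graph(table, n):
    return {i: {j for j in range(len(table)) if j != i and commute(table[i], table[j], n)}
            for i in range(len(table))}


def max_clique(adj):
    """Exact maximum clique via Bron–Kerbosch with pivoting (stands in for AKS here)."""
    best = set()

    def expand(r, p, x):
        nonlocal best
        if not p and not x:
            if len(r) > len(best):
                best = set(r)
            return
        u = max(p | x, key=lambda v: len(adj[v] & p))
        for v in list(p - adj[u]):
            expand(r | {v}, p & adj[v], x & adj[v])
            p = p - {v}
            x = x | {v}

    expand(set(), set(adj), set())
    return best


def break_table(n, table, gens):
    """Recover the secret measurements from the public table alone (gens only used to check)."""
    clique = max_clique(commutation_graph(table, n))
    recovered = {table[i] for i in clique}
    # A Pauli commuting with every generator of a maximal abelian group lies in that
    # group, i.e. it is a measurement that commutes with |C_i>: a valid "secret".
    valid = all(commute(p, g, n) for p in recovered for g in gens)
    return recovered, valid


def clique_demo(n=6, k_secret=12, k_garbage=18, seed=3):
    rng = random.Random(seed)
    gens, secret, table = make_table(n, k_secret, k_garbage, rng)
    recovered, valid = break_table(n, table, gens)
    return secret <= recovered and valid


if __name__ == "__main__":
    print("planted clique recovered:", clique_demo())
```

Once the attacker holds the secret measurements for every |C_i⟩ it can prepare its own states that pass step 3 of the verifier, which is the case-2 break; nothing in the attack touches the quantum states, only the signed classical table, so the signature in step 1 offers no protection.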
Here we were able to adapt an eigenvector-based algorithm of Alon, Krivelevich, and Sudakov (SODA 1998) for finding large planted cliques in random graphs.

Slide 19
Our New Scheme
1. Start with an equal superposition over all n-bit strings.
2. Compute randomly-chosen hash functions h_1, …, h_m : {0,1}^n → {0,1} (with m ~ n).
3. Measure h_1(x), …, h_m(x), leaving a superposition |ψ⟩ over all x's for which h_1, …, h_m take on the prescribed values r_1, …, r_m.
4. As the dollar bill, distribute |ψ⟩, r = (r_1, …, r_m), and a conventional digital signature of r.

Slide 20
To verify a bill |ψ⟩|r⟩|sig(r)⟩:
1. Verify r's digital signature.
2. Construct a Markov chain M whose stationary distribution is uniform over the set S = {x : h_1(x) = r_1, …, h_m(x) = r_m}. Using M, verify that |ψ⟩ is an equal superposition over S.
Conjecture: Any quantum algorithm needs exponential time to copy |ψ⟩.
Striking feature of this scheme: The bank can't copy |ψ⟩ any more than a counterfeiter can!! Nor (we believe) can the bank efficiently create two bills with the same serial number r.
Unlike with the stabilizer scheme, here there's no obvious classical secret that lets you copy a bill if you learn it.

Slide 21
Quantum Software Copy-Protection
A task closely related to quantum money, which like the latter seems on the verge of being possible.
We know copy-protection is fundamentally impossible in the classical world (not that that's stopped people from trying).
Finally, a serious use for quantum computing.
Question: Can you have a quantum state |ψ_f⟩ that lets you efficiently compute an unknown Boolean function f : {0,1}^n → {0,1}, but can't be efficiently used to prepare more states that also let you efficiently compute f?

Slide 22
Question: When you run a quantum program |ψ_f⟩, do you also destroy that program? For the software company, maybe that would be a feature, not a bug!
However, if you buy k copies of |ψ_f⟩, for some k = poly(n), you can make the damage to |ψ_f⟩^⊗k on each run exponentially small.
One implication: Any quantum copy-protection scheme will have to rely on computational assumptions (just like the public-key quantum money schemes).

Slide 23
Obvious obstruction to copy-protection: Suppose you could efficiently learn f, given oracle access to f. Then there's no hope of copy-protecting f, using quantum mechanics or anything else.
Theorem: Modulo that obstruction, it's possible to quantumly copy-protect any family of functions, provided the pirates have only black-box access to the device that measures the states |ψ_f⟩.
Proof follows the same outline as the black-box security proof for quantum money, but is more complicated. Need to construct a simulator, which converts any algorithm for pirating |ψ_f⟩ into an algorithm for learning f.

Slide 24
Copy-Protecting Point Functions
Possible solution: Use s to generate a pseudorandom quantum circuit U_s, then set the program state as defined on the slide. To compute f_s(x), measure in the standard basis, and see if you get back th