Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.

Slides:

Advertisements

Similar presentations

Quantum Money Scott Aaronson (MIT) Based partly on joint work with Ed Farhi, David Gosset, Avinatan Hassidim, Jon Kelner, Andy Lutomirski, and Peter Shor.

Advertisements

Quantum Lower Bound for the Collision Problem Scott Aaronson 1/10/2002 quant-ph/ I was born at the Big Bang. Cool! We have the same birthday.

How Much Information Is In Entangled Quantum States? Scott Aaronson MIT |

Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.

Quantum Versus Classical Proofs and Advice Scott Aaronson Waterloo MIT Greg Kuperberg UC Davis | x {0,1} n ?

Quantum Copy-Protection and Quantum Money Scott Aaronson (MIT) | | | Any humor in this talk is completely unintentional.

Quantum Software Copy-Protection Scott Aaronson (MIT) |

The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.

Quantum Double Feature Scott Aaronson (MIT) The Learnability of Quantum States Quantum Software Copy-Protection.

New Evidence That Quantum Mechanics Is Hard to Simulate on Classical Computers Scott Aaronson Parts based on joint work with Alex Arkhipov.

Pretty-Good Tomography Scott Aaronson MIT. Theres a problem… To do tomography on an entangled state of n qubits, we need exp(n) measurements Does this.

How to Solve Longstanding Open Problems In Quantum Computing Using Only Fourier Analysis Scott Aaronson (MIT) For those who hate quantum: The open problems.

The Equivalence of Sampling and Searching Scott Aaronson MIT.

Quantum Money from Hidden Subspaces Scott Aaronson (MIT) Joint work with Paul Christiano A A.

Quantum Money from Hidden Subspaces Scott Aaronson (MIT) Joint work with Paul Christiano A A.

New Developments in Quantum Money and Copy-Protected Software Scott Aaronson (MIT) Joint work with Paul Christiano A A.

University of Queensland

Private-Key Quantum Money Scott Aaronson (MIT). Ever since theres been money, thereve been people trying to counterfeit it Previous work on the physics.

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Secure Multiparty Computations on Bitcoin

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Cryptography and Network Security

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

Hybrid Signcryption with Insider Security Alexander W. Dent.

Scott Aaronson (MIT) Forrelation A problem admitting enormous quantum speedup, which I and others have studied under various names over the years, which.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Short course on quantum computing Andris Ambainis University of Latvia.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

Oblivious Transfer based on the McEliece Assumptions

Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.

Introduction to Modern Cryptography Homework assignments.

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.

On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.

Module 8 – Anonymous Digital Cash Blind Signatures DigiCash coins.

Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

Bob can sign a message using a digital signature generation algorithm

How to play ANY mental game

A Few Simple Applications to Cryptography Louis Salvail BRICS, Aarhus University.

1 CIS 5371 Cryptography 3. Private-Key Encryption and Pseudorandomness B ased on: Jonathan Katz and Yehuda Lindel Introduction to Modern Cryptography.

Ragesh Jaiswal Indian Institute of Technology Delhi Threshold Direct Product Theorems: a survey.

Unified, Minimal and Selectively Randomizable Structure-Preserving Signatures Masayaki Abe, NTT Jens Groth, University College London Miyako Ohkubo, NICT.

Topic 22: Digital Schemes (2)

Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco.

Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.

Foundations of Cryptography Lecture 6 Lecturer: Moni Naor.

Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.

1 Information Security – Theory vs. Reality , Winter Lecture 10: Garbled circuits and obfuscation Eran Tromer Slides credit: Boaz.

Lecture 2: Introduction to Cryptography

Prepared by Dr. Lamiaa Elshenawy

CRYPTOGRAPHY AND NP-HARDNESS Andrej Bogdanov Chinese University of Hong Kong MACS Foundations of Cryptography| January 2016.

Quantum Computing and the Limits of the Efficiently Computable Scott Aaronson (MIT) Papers & slides at

Topic 36: Zero-Knowledge Proofs

Quantum tokens for digital signatures

On the Size of Pairing-based Non-interactive Arguments

Digital Signature Schemes and the Random Oracle Model

Cryptography Lecture 19.

Investigating Provably Secure and Practical Software Protection

Impossibility of SNARGs

Digital Signatures Network Security.

Presentation transcript:

Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano

As long as there has been money, there have been people trying to copy it. Problem: whatever a bank can do to print money, a forger can do to copy it. Classically, we need a trusted third party to prevent double-spending…

The No-Cloning Theorem There is no procedure which duplicates a general quantum state. Can we use uncloneable quantum states as unforgeable currency?

A simple solution inspired by Wiesner [1969]: If I randomly give you one of the two pure states… or …you cant guess which I gave you with probability more than (3/4)… …and you cant faithfully copy it.

If I concatenate k of these states to produce I can recognize by measuring each bit in an appropriate basis… …but you cant copy except with exponentially small success probability. Wiesners Quantum Money

Problems with Wiesners Scheme ?? Only the bank that minted it can recognize money. In fact, the money becomes insecure as soon as we give the users a verification oracle. Modern goal: secure quantum money that anyone can verify …

Prior Art Aaronson, CCC2009: Showed there is no generic counterfeiting strategy using the verification procedure as a black box. Aaronson, CCC2009: Proposed an explicit quantum money scheme, which was broken in Lutomirski et al Farhi et al., ITCS 2012: Proposed a new money scheme based on knot diagrams. A significant advance, but its security is poorly understood. (Even when the knot diagrams are replaced by black-box idealizations.)

Our Results New, simple scheme: verification consists of measuring in just two complementary bases. Security based on a purely classical assumption about the hardness of an algebraic problem. A black-box version of our scheme, in which the bank provides perfectly obfuscated subspace membership oracles, is unconditionally secure. The same construction gives the first private-key money scheme which remains secure given interaction with the bank.

Completeness: Ver accepts valid notes w.h.p. Soundness: If a counterfeiter starts with n notes and outputs n+1, Ver rejects one w.h.p.

Quantum Money Mini-scheme Simplified scheme in which mint produces only one banknote. Quantum Money Mini-scheme Simplified scheme in which mint produces only one banknote. Soundness: For any counterfeiter C, if then w.h.p. either or rejects. Soundness: For any counterfeiter C, if then w.h.p. either or rejects. Completeness: VerOne accepts output of MintOne w.h.p. Full Quantum Money Scheme Public-Key Signature Scheme

Run KeyGen for a public key signature scheme Must either break signature scheme, or break mini-scheme.

The Hidden Subspace Scheme Apply membership test for Hadamard transform Apply membership test for Hadamard transform s is some data (TBD) which lets the user test membership in and. Accept if both tests accept

Proof of Black-Box Security Warm-up: Consider a counterfeiter C who doesnt make use of s at all. Let A and B be maximally overlapping subspaces. But C preserves inner products.

Proof of Black-Box Security Now consider a counterfeiting algorithm C which uses s as a black box: If C applies the black box to, it drives the inner product to 0! C has access to a different black box on different inputs.

Inner-Product Adversary Method Idea: Pick a uniformly random pair of (maximally overlapping) subspaces. Bound the expected inner product. For any, v almost certainly also isnt in B. So each query has an exponentially small impact on inner products. Any approximately successful counterfeiter must make Ω(2 n/4 ) queries.

Hiding Subspaces Need to provide classical data which allows a user to test membership in and without revealing them. To generate: sample polynomials which vanish when, then apply a change of basis. with We can add any constant amount of noise. One solution: Represent as a uniformly random system:

Proof of Security Suppose there were an efficient forging algorithm F. Then we can violate the conjecture: Conjecture: Given our obfuscations of and, no efficient quantum algorithm recovers a basis for with probability.

Status of Hardness Assumption …but we can use a membership oracle for to remove the noise. If, recovering given noisy polynomials that vanish on is equivalent to learning a noisy parity… If, recovering from a single polynomial is related to the Polynomial Isomorphism problem. For this is easy. For, the problem can be solved with a single hint from, which can be obtained with probability. For, known techniques dont seem to work.

Quantum + Hardness Assumptions Most quantum cryptography tries to eliminate cryptographic assumptions. But quantum money requires both: – If an adversary keeps randomly generating forgeries, eventually theyll get lucky. Combining hardness assumptions with the uncertainty principle may make new primitives possible. – Money – Copy-protection – Obfuscation? – …?

Software Copy-Protection Classical software can be freely copied. To prevent copying, a vendor must interact with the user on every execution. Can we design quantum copy- protected software?

Completeness: w.h.p. Soundness: A pirate cant output two states either of which can be used to evaluate. Caveats: Might be able to guess, might be able to learn an approximation to …

Black-Box Copy-Protection Scheme

Sketch of Security Proof Key idea: To make meaningful use of the oracle, must use both an element of and an element of. If is queried for some, halt and record. (We can simulate Pirate using oracle access to C) If we halt both, we recover elements of and, which is ruled out by the inner product adversary method. So one of them runs successfully without using the oracle. Therefore C is learnable, and we cant hope to stop Pirate! Goal: construct a simulator, which uses Pirate to learn C OR find an element of and an element of If is queried for some, halt and record.

Program Obfuscation? Challenge: Given C, produce Obfuscation(C), which allows the user to evaluate C but learn nothing else. Known to be impossible classically… …but the possibility of quantum obfuscation remains open (even of quantum circuits!)

Makes an arbitrary measurement of Simulated by simulator with black-box access to C Makes an arbitrary measurement of Completeness: w.h.p. Soundness: any measurement can be simulated using only black-box access to C.

Program Obfuscation? The state acts like a non-interactive 1-of-2 oblivious transfer. Q: Can we implement Yaos garbled circuits, with hidden subspaces as secrets instead of encryption keys? A: Yes, but hard to determine security.

Open Questions Break our candidate money scheme based on multivariate polynomials (?) Come up with new implementations of hidden subspaces Copy-protection without an oracle Program obfuscation Given oracle access to a subspace, prove you cant find a basis with probability.

Questions?