## Do we have to trust the bank in "Quantum Money from Hidden Subspaces?"

What level of trust in the bank is needed in "Quantum Money from Hidden Subspaces" of Aaronson and Christiano?

The bank's mint works by first generating a uniformly random classical secret string $r$, and then generating a banknote $\$_r=(S_r,\rho_r)$. The authors state that the bank can generate many identical banknotes by simply reusing the secret $r$.

- But after the currency is distributed, is $r$ needed, either by the bank or by the users, ever again? If so, does the bank need to keep it safe and secure? If not, should the bank "forget" or destroy the secret $r$ used in the mini-scheme, lest it fall into a forger's hand?
- Can the mint use $r$ to produce many coins with a specific serial number $S_r$, potentially targeting a specific holder of currency for devaluation?
- Can the users of the currency know how many coins are actively in circulation, without having to trust the mint?

The authors of Hidden Subspaces note that in "Quantum Money from Knots" of Farhi, Gosset, Hassidim, Lutomirski, and Shor, not even the mint is likely able to generate two identical banknotes. But I think that the inability of banks to copy their own currency is a feature, not a bug, of "Quantum Money from Knots", because the actions of the mint are public and known. The total amount of currency is known; no secret $r$ is needed to be kept safe or destroyed; the mint can "destroy" a coin by removing it from the public list of serial numbers (Alexander polynomials), but cannot target a coin for devaluation by minting many copies.

While this is somewhat orthogonal to the question, the Aaronson-Christiano quantum money protocol has been broken. And Daniel Kane has a new quantum money protocol based on modular forms. – Peter Shor – 2019-11-11T00:49:07.150

Aside: Have you seen this question I asked about time entangled quantum blockchains? – user820789 – 2018-07-13T03:56:41.557

@meowzz, yes thanks - this is helpful. Is your question more along the engineering challenges vs. the theoretical challenges? Also, the "Quantum Bitcoin" paper of Jorgenson does a good job of summarizing the state of the art, but I think I would disagree that FGHLS requires a "centralized" bank. Any mint in FGHLS can publish, in the open, the list of serial numbers. Such a mint cannot overproduce without having to update the list of serial numbers. But because, as far as I can tell, the mint in Aaronson and Christiano "hides" the secret $r$... – Mark S – 2018-07-13T12:01:57.067

...as such, we need to trust this mint? (I'll be honest, I understand FGHLS better than Aaronson and Christiano at the moment.) – Mark S – 2018-07-13T12:03:30.193

## Answers

Aaronson and Christiano proved the security of their scheme in an oracle model, where they assume the verifier has access to a membership oracle to some subspace $A$. In order to turn this into actual quantum money, it is "sufficient" to implement "such an oracle". How would one do that? And what is "such an oracle"?

Well, the simplest question is to implement the oracle as a bank which would answer queries for you, that is, to implement private quantum money. If someone would manage to create a classical program they could give you, such that whatever you could learn from inspecting the program you could also learn just by querying it, this would constitute a full blown black box. This is the notion of Virtual Black Box (VBB), and it is known to be impossible under a variety of assumptions. Thus, a weaker notion is required.

AC tried an ad-hoc approach, where they suggested a specific subspace obfuscator (a sufficiently large list of random low degree polynomials which vanish on the hidden subspace), which was famously broken shortly after. In a yet-to-be-published work, Mark Zhandry has shown how an appropriate obfuscator could be constructed under the assumption of indistinguishability obfuscators and the existence of one way bijections (cf. chapter 5), which is considerably milder than the black box assumption but is still quite stronger than, say, one way functions.

So the state of the art for AC's construction is that it can be made public under the assumption of indistinguishability obfuscation (and one way bijections).

Edit: After reading the comment I realized that I've missed some of the nuance of the question. In AC's scheme $r$ is a basis for the vector space used to construct the money state. $S_r$ is a membership oracle for that space and its dual. The basis itself is no longer required for verification. Yes, holding on to $r$ allows one to create many bills with identical serial numbers, though I don't understand their incentive to do so. Also note that in the AC schemes, a small amount of identical bills (linear in the security parameter) suffices to learn how to create infinitely many identical bills without ever being told $r$ (because if you measure, say, $n$ random vectors from an $n/2$-dimensional space, you get a spanning set with overwhelming probability). Also, as far as I understand, neither of the two schemes you mentioned allows for users to know how many coins were minted without trusting the mint.

I'm confused why AC needs $r$ in the first place. When they instantiate their black-box with the (quasi-polynomially broken) obfuscation, they seem to use $r$ for both the obfuscation and the digital signing. Their mint can generate currencies having the same serial number. This seems different from the FGHLS knots coins, or Kane's modular form approach. Also, Nakamoto taught that there's a risk in having the bank even keep secret the total amount of currency that actually has been produced, and there are advantages to having a public list, in the open, of all transactions. – Mark S – 2019-12-21T18:24:31.213
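The "Edit" paragraph of the answer and the comment above both rest on one linear-algebra fact: identical AC bills leak the hidden subspace without anyone ever seeing $r$. The Python simulation below is an added example, not code from the question, the answer, or the Aaronson-Christiano paper. It models the money state $|A\rangle$ (uniform superposition over a subspace $A$ of $\mathbb{F}_2^n$) classically: it assumes, as the answer does, that a computational-basis measurement returns a uniform element of $A$, and it checks numerically for small $n$ that a Hadamard-basis measurement is supported exactly on $A^\perp$ (the dual space that $S_r$ also tests) by summing the amplitudes $\sum_{x\in A}(-1)^{x\cdot y}$. The forger's step is then just Gaussian elimination over GF(2) on the measurement outcomes. Function names and the parameters $n=64$, $\dim A=32$ are the example's own choices.

```python
import random
from typing import Dict, List, Sequence

# Added example: bit-vectors in F_2^n are encoded as Python ints (bit i = coordinate i).


def gf2_reduce(vectors: Sequence[int]) -> List[int]:
    """Gaussian elimination over GF(2): returns an independent basis of the span."""
    pivots: Dict[int, int] = {}          # top set bit -> basis vector with that top bit
    for v in vectors:
        while v:
            top = v.bit_length() - 1
            if top not in pivots:
                pivots[top] = v
                break
            v ^= pivots[top]             # cancel the top bit and keep reducing
    return list(pivots.values())


def random_subspace(n: int, dim: int, rng: random.Random) -> List[int]:
    """Basis of a random dim-dimensional subspace A of F_2^n (the bank's secret r)."""
    basis: List[int] = []
    while len(basis) < dim:
        basis = gf2_reduce(basis + [rng.getrandbits(n)])
    return basis


def all_elements(basis: Sequence[int]) -> List[int]:
    """Every element of the span, i.e. the support of the money state |A>."""
    elems = [0]
    for b in basis:
        elems += [e ^ b for e in elems]
    return elems


def parity(x: int) -> int:
    return bin(x).count("1") & 1


def hadamard_support(basis: Sequence[int], n: int) -> List[int]:
    """Support of H^{(x)n}|A>, computed from amplitudes: the amplitude on y is
    proportional to sum_{x in A} (-1)^{x.y}. Assumes n is small enough to enumerate 2^n."""
    elems = all_elements(basis)
    support = []
    for y in range(1 << n):
        amp = sum(-1 if parity(x & y) else 1 for x in elems)
        if amp != 0:                     # interference cancels every y outside A^perp
            support.append(y)
    return support


def orthogonal_complement(basis: Sequence[int], n: int) -> List[int]:
    """A^perp = {y : b.y = 0 for every basis vector b of A}."""
    return [y for y in range(1 << n) if all(parity(b & y) == 0 for b in basis)]


def dual_matches_hadamard(n: int, dim: int, seed: int) -> bool:
    """Numerical check that Hadamard-basis measurement of |A> lands exactly in A^perp."""
    basis = random_subspace(n, dim, random.Random(seed))
    return hadamard_support(basis, n) == orthogonal_complement(basis, n)


def measure_bill(basis: Sequence[int], rng: random.Random) -> int:
    """Computational-basis measurement of |A>: a uniformly random element of A."""
    v = 0
    for b in basis:
        if rng.getrandbits(1):
            v ^= b
    return v


def recovery_succeeds(n: int, dim: int, bills: int, seed: int) -> bool:
    """Forger measures `bills` identical bills; do the outcomes span A?"""
    rng = random.Random(seed)
    basis = random_subspace(n, dim, rng)
    outcomes = [measure_bill(basis, rng) for _ in range(bills)]
    return len(gf2_reduce(outcomes)) == dim   # outcomes lie in A, so full rank means span == A


def recovery_rate(n: int, dim: int, bills: int, trials: int, seed: int) -> float:
    """Empirical fraction of trials in which `bills` measurements recover A."""
    hits = sum(recovery_succeeds(n, dim, bills, seed + t) for t in range(trials))
    return hits / trials


def exact_span_probability(dim: int, samples: int) -> float:
    """P[`samples` uniform vectors of a dim-dimensional F_2-space span it]
    = prod_{i<dim} (1 - 2^(i - samples)); the failure probability is below 2^(dim - samples)."""
    if samples < dim:
        return 0.0
    p = 1.0
    for i in range(dim):
        p *= 1.0 - 2.0 ** (i - samples)
    return p


if __name__ == "__main__":
    n, dim = 64, 32                       # constructed parameters for the demo
    print("n/2 + 4 bills:", recovery_rate(n, dim, dim + 4, 200, 0),
          "exact", exact_span_probability(dim, dim + 4))
    print("n bills:     ", recovery_rate(n, dim, n, 200, 1),
          "exact", exact_span_probability(dim, n))
```

With $m$ outcomes from a $d$-dimensional space the failure probability is $1-\prod_{i<d}(1-2^{i-m}) < 2^{d-m}$, so $n$ bills from an $n/2$-dimensional $A$ fail to span it with probability below $2^{-n/2}$; the same count in the Hadamard basis recovers $A^\perp$. Once a forger holds spanning sets for both, they can re-implement the membership test and re-prepare $|A\rangle$ at will, which is why the number of identical bills in circulation, not the secrecy of $r$, is the relevant security boundary in the answer's argument.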

I edited my answer – Shai Deshe – 2019-12-22T13:45:15.433

As for knots/modular forms, I don't see why the entirety of the list of serial numbers (say Alexander polynomials) can't be made public and in plaintext, say in a database that is replicated amongst users of the coin. The number of entries in the database would correspond to the total number of coins produced. – Mark S – 2019-12-22T13:58:28.403

No, that was a mistake which I will leave for posterity, here is the actual link: https://eprint.iacr.org/2017/1080.pdf – Shai Deshe – 2019-12-23T10:31:55.903

Regarding the so called list of serial numbers, what prevents the bank from adding fake serial numbers? It is easy to generate arbitrary Alexander polynomials, even classically. Or conversely, how do you trust them to add the serial number of every coin minted to the list? – Shai Deshe – 2019-12-23T10:33:21.360

If the bank were to add a large number of fake serial numbers to the database, without having produced them, the value of each individual coin held by users would be depreciated by the law of supply and demand. This is one reason why, for example, some people worried about quantitative easing. Furthermore, if the database were distributed, then any unscheduled change to the database (caused by adding/deleting entries) would have to be distributed, and noticed by those who have a copy of the distributed database. With a distributed database, the bank in FGHLS is motivated to stay honest. – Mark S – 2019-12-23T13:01:20.240

Well, that is an interesting argument, but when we discuss security we usually do not assume incentives, but try to formally prove security in light of arbitrary (that is, not necessarily rational) adversaries. The security notions of AC, or Farhi et al., do not assume anything about the goals of the adversary. – Shai Deshe – 2019-12-25T12:20:32.503

Note that Farhi et al.'s assumption that it is hard to create a superposition of an arbitrary Alexander polynomial is highly conjectural. I'm no expert on knot theory, but I've heard people claim that some major advancements are in order before we could determine whether this conjecture is reasonable. – Shai Deshe – 2019-12-25T12:23:06.557

FGHLS have a number of stated and unstated assumptions. For example, it's reasonable but assumed that their Markov chain mixes in time polynomial in the security parameter - if it takes longer, then the verification process would be longer as well. I also think they assume that the number of unique Alexander polynomials grows very fast as well, and that these polynomials are distributed somewhat uniformly over grid diagrams.

However, I posit that considering the (game-theoretic) incentives of the actors was certainly beneficial to bitcoin's adoption. – Mark S – 2019-12-25T13:07:19.927

Here is the arxiv link to Zhandry's paper. It's disfavored to link to pdf's, and better to link to the abstract. This is because many users do not have the bandwidth to d/l a ~50 page PDF, only to find out from reading the abstract that it is not what they were looking for. – Mark S – 2019-12-25T14:32:12.203

The ArXiV version is a bit outdated compared to the eprint version I linked. – Shai Deshe – 2019-12-26T08:37:42.350

I think the most problematic assumption in FGHLS is that there aren't any states other than the superposition of knots which could be fixed by the Markovian process they propose (i.e., that the money is hard to forge). Also, I don't see how any of these schemes fit with a Bitcoin like protocol, as they do not incorporate any proof of work. Zhandry's proposal does allow for a proof of work, but without any difficulty adjustment, which is also unrealistic. – Shai Deshe – 2019-12-26T08:43:40.747

@Shai Deshe: you can prove that the only states which are perfectly fixed by the Markovian process in our paper are the quantum money states. But if the Markov chain mixes slowly, then you might get states which are close enough to fixed to pass the verification test (but I don't see why creating these states shouldn't be as hard as forging the money in the first place). I'd say the most problematic assumption is that there's no easy way to create a superposition of an arbitrary Alexander polynomial. – Peter Shor – 2019-12-27T04:29:40.887