Aaronson and Christiano call public-key or private-key quantum mini-schemes $\mathcal M$ **secret-based** if a mint works by *first* uniformly generating a secret random classical string $r$, and *then* generating a banknote $\$:=(s_r,\rho_r)$, where $s_r$ is a (classical) serial number corresponding to the quantum state $\rho_r$.

They state:

> Intuitively, in a secret-based scheme, the bank can generate many identical banknotes $s$ by simply reusing $r$, while in a non-secret-based scheme, not even the bank might be able to generate two identical banknotes. (emphasis in original).

In characterizing a putative distributed quantum currency based on Aaronson and Christiano's secret-based scheme, Jogenfors describes a "reuse attack." For example, he colorfully envisions someone, say Alice, who has minted and distributed a coin $\$_r$, and learns that the coin is in possession of a political rival Bob; she uses her secret knowledge of $r$ to mint and distribute a large number of identical coins $\$_r$, thus devaluing the coins in Bob's possession. Jogenfors describes a novel approach to prevent this attack, for example as discussed here.

However, would the above attack even work with a non-secret-based scheme?

If not even Alice can produce copies of her own coins that she's minted, then she has no way of devaluing any others that have been distributed.