1 / 28

New Developments in Quantum Money and Copy-Protected Software

New Developments in Quantum Money and Copy-Protected Software. A . A. Scott Aaronson (MIT) Joint work with Paul Christiano. Ever since there’s been money, there’ve been people trying to counterfeit it. Previous work on the physics of money:

nguyet
Download Presentation

New Developments in Quantum Money and Copy-Protected Software

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. New Developments in Quantum Money and Copy-Protected Software A A Scott Aaronson (MIT) Joint work with Paul Christiano

  2. Ever since there’s been money, there’ve been people trying to counterfeit it Previous work on the physics of money: In his capacity as Master of the Mint, Isaac Newton worked on making English coins harder to counterfeit (He also personally oversaw hangings of counterfeiters)

  3. Today: Holograms, embedded strips, “microprinting,” special inks… Leads to an arms race with no obvious winner Problem: From a CS perspective, uncopyable cash seems impossible for trivial reasons Any printing technology the good guys can build, bad guys can in principle build also x  (x,x) is a polynomial-time operation

  4. What’s done in practice: Have a trusted third party authorize every transaction (BitCoin: “Trusted third party” is distributed over the Internet) OK, but sometimes you want cash, and that seems impossible to secure, at least in classical physics…

  5. The No-Cloning Theorem No physical procedure can take an unknown quantum state and output two copies of it(or even a close approximation thereof)

  6. First Idea in the History of Quantum Info Wiesner 1969: Money that’s information-theoretically impossible to counterfeit, assuming quantum mechanics Each banknote contains n qubits, secretly prepared in one of the 4 states |0,|1,|+,|- Molina, Vidick, Watrous 2012: A counterfeiter who doesn’t know the state can copy it with probability at most (3/4)n In a giant database, the bank remembers how it prepared every qubit on every banknote Want to verify a banknote? Take it to the bank. Bank uses its knowledge to measure each qubit in the right basis: OR

  7. Drawbacks of Wiesner’s Scheme • Banknotes could decohere in your wallet—the “Schrödinger’s money problem”!The reason why quantum money isn’t yet practical, in contrast to (say) quantum key distribution • Bank needs a big database describing every banknoteSolution(Bennett et al. ‘82): Pseudorandom functions • Only the bank knows how to verify the money • Scheme can be broken by interacting with the bank

  8. “Modern” Goal:Public-Key Quantum MoneyEasy to prepare, hard to copy, verifiable by anyone kprivate KeyGen Mint kpublic |$1,|$2… Ver

  9. Formally, a public-key quantum money scheme S consists of three polynomial-time quantum algorithms: KeyGen(0n): Generates key pair (kprivate, kpublic) Mint(kprivate): Generates quantum banknote $ Ver(kpublic, ¢): Accepts or rejects claimed banknote ¢ S has completeness error if for all kpublic and valid $, Private-key quantum money scheme:Same except that kprivate=kpublic S has soundness error if for all polynomial-time counterfeiters C mapping q banknotes to r>q banknotes, where Count returns the number of C’s output registers ¢1,…,¢r that Ver accepts

  10. Basic Observations Not obvious that public-key quantum money is possible! If it is, will certainly require computational assumptions, in addition to quantum mechanics Without loss of generality, quantum money is reusable. If the completeness error is , then it’s possible to verify banknotes in a way that damages the valid ones by at most in trace distance ( reusable 1/ times)

  11. Previous Work on Public-Key Quantum Money A., CCC’2009 Secure construction using a quantum oracle (but security proof never published)Explicit candidate scheme based on random stabilizer states—broken by Lutomirski et al. 2010 Farhi et al., ITCS’2012: “Quantum money from knots” Important, original proposal, but little known about securityNot even known which states | the verifier acceptsLutomirski 2011: “Abstract” version of knot scheme using a classical oracle (but proving its security still wide open; seems hard)

  12. Our work: A new public-key quantum money scheme, based on hidden subspaces Much simpler than previous schemes: verifier just projects onto valid money states, by measuring in two complementary bases A For the first time, can base security on an assumption (about multivariate polynomial cryptography) that has nothing to do with quantum money A Also for first time, can prove “abstract” version of scheme (involving a classical oracle) is unconditionally secure Same construction yields the first private-key scheme that’s provably “interactively secure”

  13. Overview of Our Construction Public-Key Quantum Money Scheme Signature SchemeSecure against nonadaptive quantum chosen-message attacks “Mini-Scheme” Mint prints a single banknote (s,s) s.t. copying s is hard From Rompel 1990 OWFSecure against quantum attacks

  14. “Standard Construction” of Quantum Money from Mini-Schemes + Signatures(Introduced by Lutomirski et al.; analyzed by us) • To verify the banknote $=(s,s,w): • Check that (s,s) is valid • Check that w is a valid digital signature of s Theorem: If you can create counterfeit banknotes $, then either you can copy s’s, or else you can forge signatures

  15. The Hidden Subspace Mini-Scheme Quantum money state: Mint can easily choose a random A and prepare |A Corresponding “serial number” s: Somehow describes how to check membership in A and in A (the dual subspace of A), yet doesn’t reveal A or A

  16. Procedure to Verify Money State(assuming ability to decide membership in A and A) • Project onto A elements (reject if this fails) • Hadamard all n qubits to map |A to |A • Project onto A elements (reject if this fails) • Hadamard all n qubits to return state to |A A A Theorem: The above just implements a projection onto |AA|—i.e., it accepts | with probability ||A|2

  17. Security of the Black-Box Scheme Valid Banknotes: A,A Membership Oracles: Intuitively, what can the counterfeiter do? Measure |Ai  just yields one Ai or Ai element Query Oi or Oi to learn a basis for Ai  takes (2n/4) queries, by the BBBV Theorem(optimality of Grover search) Need to show: 2(n) quantum queries to Oi and Oi are needed, even just to map |Ai to |Ai2

  18. Common generalization of No-Cloning Theorem and BBBV Theorem |$1,000,000

  19. Idea: Look at Inner Products A,A’: “neighboring” n/2-dimensional subspaces in GF(2)n Use Ambainis’s quantum adversary method to show that the inner product between |A and |A’ can decrease by at most ~2-n/4, as the result of a single query to OA or OA Problem: A query can decrease the inner product by (1) for some |A,|A’ pairs! But we show that it can’t for most pairs

  20. Finishing the Security Proof • Our “Inner-Product Adversary Method” shows that (2n/4) queries are needed for almost-perfect copying of |A. But what about copying with 1/poly(n) fidelity? • Key idea: Since our scheme is projective, can amplify fidelity to |A2 using fixed-point quantum search (a recent variant of Grover’s algorithm due to Tulsi, Grover, and Patel) • What about counterfeiters that only copy some |A’s and not others? • Key idea: The counterfeiting problem is random self-reducible! Before trying to copy |A, hit it with a random invertible linear transformation on GF(2)n

  21. The same construction immediately yields the first…Private-Key Quantum Money (with no oracle) Secure Against Interactive Attack Verification Requests Suppose |Ai could be copied using poly(n) verification requests to the bank Then |Ai could also be copied in our public-key scheme, using poly(n) oracle queries!

  22. But if we want public-key money, we still have to face an interesting, purely-classical… Obfuscation Challenge: “Instantiate” the oracles OA and OA, without revealing A Our Proposal: Use Multivariate PolynomialsFor each money state |A, mint publishes (as |A’s “serial number”) uniformly-random degree-d polynomials such that all pi’s vanish on A and all qi’s vanish on A. The pi’s and qi’s can be generated in nO(d) time: generate them assuming A=span(x1,…,xn/2); then apply a linear transformation Purely-classical “obfuscation” problem; seems interesting on its own!

  23. Verifying |A is simple! With overwhelming probability, But given only the pi’s and qi’s, not clear how to find any nonzero A or A elements in poly-time (even quantumly) Closely related to multivariate polynomial cryptography, and to the polynomial isomorphism problem Our scheme is breakable when d=1 (trivially) or d=2 (using theory of quadratic forms). And there’s nontrivial structure when d=3 (Bouillaguet et al. 2011). So we recommend d4

  24. Security Reduction Direct Product Assumption: Given the polynomials p1,…,p2n and q1,…,q2n, no polynomial-time quantum algorithm can find a generating set for A with (2-n/2) success probability Theorem: Assuming the DPA, our money scheme is secure • Proof Sketch: Suppose there’s a counterfeiter C that maps |A to |A2. Then to violate the DPA: • Prepare a uniform superposition over all xGF(2)n • Project onto A elements (yields |A with probability 2-n/2) • If step 2 works, run C repeatedly to get ~n copies of |A • Measure each copy of |A in the standard basis (with high probability, yields n/2 independent A elements)

  25. r r DUNCE DUNCE Open Problems Break our scheme! Or get stronger evidence for security Find other ways of hiding (complementary) subspaces Are there secure public-key quantum money schemes relative to a random oracle? Does private-key quantum money require either a giant database or a cryptographic assumption? “Practicality”

  26. New Direction: Quantum Copy-Protection Finally, a serious use for quantum computing Goal: Quantum state |f that lets you compute an unknown function f, but doesn’t let you efficiently create more states with which f can be computed New Developments (A.-Christiano, not yet written)! - By modifying our hidden-subspace money scheme, we give a quantum copy-protection scheme with a classical oracle, which works for any f’s and is proven secure - We have a candidate quantum copy-protection scheme with no oracle, but haven’t yet proved its security

  27. Quantum Copy-Protection Relative to a Classical Oracle Quantum program:(same as for money scheme) The classical oracle O, given a Boolean function f:If xA\{0n} and yA\{0n}, then O(0,x,z)O(1,y,z)=f(z). Otherwise, O(b,x,z)=0. Given |A and O, one can evaluate f. But using the Inner-Product Adversary Method and random self-reducibility, we prove that given |A and O, one can’t find nonzero elements of both A and A with 1/poly(n) probability

  28. Explicit Quantum Copy-Protection Scheme Starting point: Yao’s garbled circuit construction (1986) Assuming 1-out-of-2 oblivious-transfer, lets Alice send Bob a circuit C such that Bob can evaluate C on one input x, yet he learns nothing about C’s internal structure We use hidden subspace states |A1,|A2,… to implement the oblivious transfer “non-interactively” To prove security, an excellent starting point would be to prove the following “direct product conjecture”: Given oracle access to OA and OA, any quantum algorithm needs 2(n) queries to find nonzero elements xA, yA with (2-n/2) success probability

More Related