Almost Public Quantum Coins

Amit Behera, Or Sattath

TL;DR

This work proposes a way to lift any private quantum coin scheme -- which is known to exist based on the existence of one-way functions -- to a scheme that closely resembles a public quantum coin scheme. Instantiated with the private quantum coins scheme~\cite{MS10}, the lifting technique gives the first construction that is close to an inefficient unconditionally secure public quantum money scheme.

Abstract

In a quantum money scheme, a bank can issue money that users cannot counterfeit. Similar to bills of paper money, most quantum money schemes assign a unique serial number to each money state, thus potentially compromising the privacy of the users of quantum money. However, in a quantum coins scheme, just like the traditional currency coin scheme, all the money states are exact copies of each other, providing a better level of privacy for the users. A quantum money scheme can be private, i.e., only the bank can verify the money states, or public, meaning anyone can verify. In this work, we propose a way to lift any private quantum coin scheme -- which is known to exist based on the existence of one-way functions, due to Ji, Liu, and Song (CRYPTO'18) -- to a scheme that closely resembles a public quantum coin scheme. Verification of a new coin is done by comparing it to the coins the user already possesses, by using a projector onto the symmetric subspace. No public coin scheme was known prior to this work. It is also the first construction that is very close to a public quantum money scheme and is provably secure based on standard assumptions. Finally, the lifting technique, when instantiated with the private quantum coins scheme~\cite{MS10}, gives rise to the first construction that is close to an inefficient unconditionally secure public quantum money scheme.
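
The comparison step described in the abstract can be simulated exactly for small cases. The following Python sketch is an added example, not code from the paper: it assumes each coin is a single qubit (a simplification for illustration; all function names are hypothetical) and computes the probability that the projector onto the symmetric subspace accepts a candidate coin placed next to n genuine copies from the wallet.

```python
# Added illustration (not the paper's code): comparison-based verification as a
# projection onto the symmetric subspace, simulated exactly for toy qubit coins.
import itertools

def tensor(states):
    """Kronecker product of single-register state vectors (lists of complex)."""
    out = [1 + 0j]
    for s in states:
        out = [a * b for a in out for b in s]
    return out

def permute_registers(vec, perm, d, k):
    """Apply the register permutation `perm` to a vector on k registers of dim d."""
    out = [0j] * len(vec)
    for idx, amp in enumerate(vec):
        # Split the flat index into one base-d digit per register.
        digits = [(idx // d ** (k - 1 - r)) % d for r in range(k)]
        new_idx = 0
        for r in range(k):
            new_idx = new_idx * d + digits[perm[r]]
        out[new_idx] += amp
    return out

def sym_accept_probability(wallet_coin, candidate, n, d=2):
    """Pr[symmetric-subspace projector accepts] for n wallet copies + 1 candidate."""
    k = n + 1
    psi = tensor([wallet_coin] * n + [candidate])
    perms = list(itertools.permutations(range(k)))
    # The projector is the uniform average of all k! register permutations.
    projected = [0j] * len(psi)
    for perm in perms:
        for i, amp in enumerate(permute_registers(psi, perm, d, k)):
            projected[i] += amp / len(perms)
    # For a projector P, <psi|P|psi> equals the squared norm of P|psi>.
    return sum(abs(a) ** 2 for a in projected)

if __name__ == "__main__":
    genuine = [1 + 0j, 0j]   # constructed sample coin state |0>
    forged = [0j, 1 + 0j]    # constructed state orthogonal to the genuine coin
    for n in (1, 2, 3):
        print(n, sym_accept_probability(genuine, genuine, n),
              sym_accept_probability(genuine, forged, n))
```

A candidate orthogonal to the genuine coin is still accepted with probability 1/(n+1), so the test becomes sharper as the wallet holds more genuine coins.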

Paper Structure

This paper contains 35 sections, 28 theorems, 176 equations, 8 figures, 2 tables, 3 algorithms.

Key Result

Theorem 1

Assuming pseudorandom states exist, there is a public quantum coin scheme that is rationally secure against multi-verifier forgery attacks.

Figures (8)

  • Figure 1: The above figure contains the structural diagram for the unforgeability properties. The figure contains nodes which are either squares, rectangles, diamonds or ellipses. It also contains arrows which connect two nodes. A rectangle represents a security definition and a square represents the existence of a security definition, which holds unconditionally. It also contains the reference of the proof. An ellipse represents the assumption on the existence of a security notion. Arrows are of two types: solid arrow and dashed arrow. A solid arrow connecting two nodes A and B means if A holds for some construction then B also holds for that construction. A dashed arrow connecting two nodes A and B means if A exists, then B exists via some construction. Most arrows contain a reference to the proof. However, there are two arrows which follow immediately, and hence, we do not have references for them. The rectangles or squares with thick outline contain security notions regarding a private coin scheme whereas the ones with thin outline contain security notions regarding our construction, which is a comparison-based public quantum coin scheme with private verification. All the results for our construction hold with respect to the all-or-nothing utility, and for the private scheme, we use the flexible utility. There is also the user manual depicted in a diamond box, which points to the security notion that ensures the user-manual is secure. The notions of security, including non-adaptive security which was not presented in the introduction, are discussed in \ref{subsec:unforgeability and security} and \ref{appendix:multi-ver-unforge}.
  • Figure 2: The above figure represents the structural diagram for security against sabotage. The notations are the same as that for the previous figure. All the results for our construction hold with respect to the all-or-nothing loss function. We would like to point out that the proof of \ref{prop: multi_ver-unforge} used in \ref{fig:struct_unforgeability} uses the rectangle containing the security notion multiverifier nonadaptive rational security against private sabotage in this figure. The notions of security are discussed in \ref{appendix:fairness} and \ref{appendix:multi-ver-fair}.
  • Figure 3: In this figure, we see the relation between the different subspaces. The space $\mathbb{H}^{(m+1)\kappa}$ represented by the entire large rectangle is decomposed as the direct sum of the spaces $\mathbb{Good}^{{(m+1)\kappa}, {(n+1)\kappa}}$ and $\mathbb{Bad}^{{(m+1)\kappa}, {(n+1)\kappa}}$ represented by the left and right rectangles respectively. The subspace labeled $\text{Im}(\Pi_{\mathbb{Sym}^{(m+1)\kappa}}\Pi_{\widetilde{\mathbb{Good}}^{{m\kappa}, {n\kappa}}})$ in the figure, is the image of the operator $\Pi_{\mathbb{Sym}^{(m+1)\kappa}}\Pi_{\widetilde{\mathbb{Good}}^{{m\kappa}, {n\kappa}}}$.
  • Figure 4: Nonadaptive Security against private sabotage
  • Figure 5: Nonadaptive Security against public sabotage
  • ...and 3 more figures

Theorems & Definitions (70)

  • Theorem 1: Informal Main Result
  • Definition 1: Private quantum money (adapted from Aar09)
  • Definition 2: Inefficient Quantum Money
  • Definition 3: Public quantum money (generalized from Aar09)
  • Definition 4: Quantum Coins (adapted from MS10)
  • Definition 5: Public Quantum Coins with Private Verification
  • Definition 6: $\mathsf{Count}$
  • Definition 7
  • Definition 8: Standard Unforgeability
  • Definition 9: Rational Unforgeability
  • ...and 60 more