# Practically Feasible Robust Quantum Money with Classical Verification

## Abstract

**:**

## Featured Application

**Information-theoretic secure private quantum money.**

## Abstract

## 1. Introduction

## 2. Materials and Methods

#### 2.1. Definitions for Private Quantum Money

**Definition**

**1.**

- 1.
- The bank algorithm produces a quantum note $ = (ρ, s.n.) where ρ is a quantum state of the note and s.n. is the classical serial number of the note.
- 2.
- Verification is a protocol with classical communication that is run on the note $, between the noteholder H who claims to possess the note $ and the bank. The output of the protocol is a bit declared by the bank to denote whether the note is valid or not. We denote this final bit as ${\mathit{Ver}}_{H}^{B}(\$)$ which is 1 when the bank validates the note and 0 otherwise.

- Correctness: The scheme is $\u03f5$ correct if, for every honest holder H, it holds that$$\mathbb{P}[{\mathrm{Ver}}_{H}^{B}(\$)=1]\u2a7e1-\u03f5$$
- Unforgeability: the scheme is $\u03f5$ unforgeable if for any quantum adversary who possesses m notes, has interacted a finitely bounded number of times with the bank and has managed to produce ${m}^{\prime}$ notes ${\$}_{1},{\$}_{2},\cdots ,{\$}_{{m}^{\prime}}$, it holds that,$$\mathbb{P}\left[\left(\underset{i\in \left[{m}^{\prime}\right]}{\bigwedge}{\mathrm{Ver}}_{H}^{B}\left({\$}_{i}\right)=1\right)\wedge ({m}^{\prime}>m)\right]\u2a7d\u03f5,$$

**Definition**

**2.**

- 1.
- The bank algorithm produces a quantum note $ = ρ where ρ is a quantum state of the note.
- 2.
- Verification is a protocol with classical communication that is run on the note $, between the noteholder H who claims to possess the note $ and the bank. The output of the protocol is a bit declared by the bank to denote whether the note is valid or not. We denote this final bit as ${\mathit{Ver}}_{H}^{B}(\$)$ which is 1 when the bank validates the note and 0 otherwise.

- Correctness: the scheme is $\u03f5$ correct if, for every honest holder H, it holds that$$\mathbb{P}[{\mathrm{Ver}}_{H}^{B}(\$)=1]\u2a7e1-\u03f5$$
- Unforgeability: the scheme is $\u03f5$ unforgeable if for any quantum adversary who possesses the note $, has interacted a finitely bounded number of times with the bank and has managed to produce two notes ${\$}_{1}$ and ${\$}_{2}$, it holds that,$$\mathbb{P}\left[\left({\mathrm{Ver}}_{H}^{B}\left({\$}_{1}\right)=1\wedge {\mathrm{Ver}}_{H}^{B}\left({\$}_{1}\right)=1\right)\right]\u2a7d\u03f5$$

#### 2.2. Tools for the Money Scheme

#### 2.2.1. Sampling Matching Problem

#### 2.2.2. Sampling Matching Scheme with Single-Photon States

- Simultaneous single-photon clicks in $\{{c}_{k},{c}_{l}\}$ or $\{{d}_{k},{d}_{l}\}$, for two distinct modes $(k,l)$, implies ${x}_{k}\oplus {x}_{l}=0$.
- Simultaneous single-photon clicks in $\{{c}_{k},{d}_{l}\}$ or $\left\{{d}_{k}{c}_{l}\right\}$, for two distinct modes $(k,l)$, implies ${x}_{k}\oplus {x}_{l}=1$.
- Two photons in the same mode ${c}_{k}$ or ${d}_{k}$ does not reveal the parity outcome for Bob and hence results in inconclusive outcome.

## 3. Results

#### 3.1. Private Quantum Money Scheme

- Note verification procedure requiring a single round classical communication between the local verifier and the bank,
- Fixed verification circuit for a given input size of the note,
- Multiple note re-usability, meaning the same note can be reused by the holder a number (linear in the size of the note) of times,
- Unconditional security against any adversary trying to forge the banknote while tolerating a noise of up to $21.4\%$.

#### 3.1.1. Note Preparation Phase

- The bank independently and uniformly randomly chooses q n-bit binary strings ${x}_{1},{x}_{2},\dots ,{x}_{q}\in {\{0,1\}}^{n}$
- The bank encodes each binary string ${x}_{j}$ into the single-photon state in superposition over n modes,$$|{x}_{j}\rangle =\frac{1}{\sqrt{n}}\sum _{k=1}^{n}{(-1)}^{{x}_{j,k}}{\widehat{a}}_{k}^{\u2020}|0\rangle ,$$
- The bank creates a classical binary register r and initializes it to ${0}^{q}$. This register keeps the track of positions j where the states have been used for the verification.
- The bank creates a counter variable count and initializes it to 0. This keeps a track of the number of verification attempts.
- The bank sends the quantum note ($, r) to the holder.

#### 3.1.2. Verification Phase

#### Local testing

- The holder gives the note ${\$}^{\prime}(=:\$$ if the holder is honest) to Ver.
- Ver checks for the number of times the note has been re-used by verifying that the hamming distance of r register $d(r,{0}^{q})\u2a7dT$, where T is a predefined maximum number of copies in the note that are allowed for verification. If $d(r,{0}^{q})>T$, the note is rendered useless.
- Ver uniformly and randomly selects a subset $L\subset \left[q\right]$ copies from the states marked $r=0$. All the corresponding L copies in the r register are then marked to 1.
- For each chosen copy $j\in L$, Ver prepares his local coherent state $|\beta \rangle $ and runs the SM scheme (Section 2.2.2).
- jVer first checks if he gets two photon clicks in all the chosen L copies. If not, he rejects (this is a check against all those attacks where the adversary removes the single-photon state and introduces either vacuum or a multi-photon state).
- Ver counts the number of successful copies ${l}_{succ}$, where he obtains two single-photon clicks in two different modes. For these copies he outputs the parity outcome ${d}_{j}={x}_{j,k}\oplus {x}_{j,l}$ where the clicks have been obtained in modes k and l. For the rest of the copies, he sets ${d}_{j}=\u2300$.
- Ver checks if ${l}_{succ}\u2a7e{l}_{min}$, where ${l}_{min}={\mathbb{E}}_{h}\left[{l}_{succ}\right](1-\u03f5)$ is the minimum number of copies that will locally guarantee his acceptance of the note, where $0\u2a7d\u03f5\u2a7d1$ is the desired security factor. Here ${\mathbb{E}}_{h}\left[{l}_{succ}\right]$ is the expected number of copies where the honest noteholder obtains two single-photon clicks in two different modes when Ver runs the SM scheme.
- Ver proceeds to the classical communication step with the bank only when the note passes this test.

#### Communication with the bank

- Ver forwards the outcomes $\{j,(k,l),{d}_{j}\}$ for each $j\in L$ to the bank through a classical authenticated channel.
- The bank checks if $count<\lceil \frac{T}{|L|}\rceil $, otherwise the verification attempt is rendered invalid. Here $\lceil \xb7\rceil $ is the ceiling function.
- For each copy $j\in L$ with ${d}_{j}\ne \varnothing $, the bank compares the parity value ${d}_{j}$ with the secret string ${x}_{j}$. He validates the note if the number of correct outcomes$${l}_{succ}^{cor}\u2a7e{\mathbb{E}}_{h}\left[{l}_{succ}^{cor}\right](1-\delta ),$$
- The bank updates the count by 1.

#### 3.2. Correctness

#### 3.3. Unforgeability of Banknotes

#### 3.4. Quantum Money Scheme with Coherent states

#### 3.4.1. Description of the Money Scheme

#### 3.4.2. Note Preparation Phase

- The bank independently and randomly chooses qn-bit binary strings ${x}_{1},{x}_{2},\dots ,{x}_{q}\in {\{0,1\}}^{n}$
- The bank encodes each the binary string ${x}_{j}$ into the phase randomized coherent state $|{\alpha}_{{x}_{j}}\rangle $, with an average photon number 1,$$|{\alpha}_{{x}_{j}}\rangle =\underset{k=1}{\overset{n}{\u2a02}}{|{(-1)}^{{x}_{j,k}}\frac{1}{\sqrt{n}}\rangle}_{k},$$
- The bank creates a classical binary register r and initializes it to ${0}^{q}$. This register keeps the track of positions j where the states have been used for the verification.
- The bank creates a counter variable count and initializes it to 0. This keeps a track of the number of verification attempts.
- The bank sends the quantum note ($, r) to the holder.

#### 3.4.3. Verification Phase

#### Local testing

- The holder gives the note ${\$}^{\prime}(=:\$$ if the holder is honest) to Ver.
- Ver checks the re-usability of the note by verifying that the hamming distance of r register $d(r,{0}^{q})\u2a7dT$, where T is a predefined maximum number of copies in the note that are allowed for verification. If $d(r,{0}^{q})>T$, the note is rendered useless and must be returned to the bank.
- Ver uniformly and randomly selects a subset $L\subset \left[q\right]$ copies from the states marked $r=0$. He marks all the corresponding $|L|$ copies in the r register to 1.
- For each copy $j\in L$, Ver prepares his local coherent state $|{\beta}_{j}\rangle ={\u2a02}_{k=1}^{n}{|\frac{1}{\sqrt{n}}\rangle}_{k}$ and runs the SM scheme (Figure 6).
- Ver counts the number of successful copies ${l}_{succ}$, where he obtains exactly two single-photon clicks in two different time modes. For these copies he outputs the parity outcome ${d}_{j}={x}_{j,k}\oplus {x}_{j,l}$ where the clicks have been obtained in times modes k and l. For the rest of the copies, he sets ${d}_{j}=\u2300$.
- Ver checks if ${l}_{succ}\u2a7e{l}_{min}$, where ${l}_{min}={\mathbb{E}}_{h}\left[{l}_{succ}\right](1-\u03f5)$ is the minimum number of copies that will locally guarantee his acceptance of the note, where $0\u2a7d\u03f5\u2a7d1$ is the security factor. Here ${\mathbb{E}}_{h}\left[{l}_{succ}\right]$ is the expected number of copies where the honest noteholder obtains exactly two single-photon clicks when Ver runs the SM scheme.
- Ver proceeds to the communication with the bank only when the note passes this test.

#### Communication with the bank

- 8.
- Ver forwards the outcomes $\{j\in L,(k,l),{d}_{j}\}$ to the bank.
- 9.
- The bank checks if $count<\lceil \frac{T}{|L|}\rceil $, otherwise he renders the verification attempt as invalid.
- 10.
- For each copy $j\in L$ with ${d}_{j}\ne \u2300$, the bank compares the parity value ${d}_{j}$ with the secret string ${x}_{j}$. He validates the note if the number of correct outcomes$${l}_{succ}^{cor}\u2a7e{\mathbb{E}}_{h}\left[{l}_{succ}^{cor}\right](1-\delta ),$$
- 11.
- The bank updates the count by 1.

## 4. Discussion

## Funding

## Acknowledgments

## Conflicts of Interest

## Abbreviations

SM | sampling matching |

HM | hidden matching |

SDP | semi-definite programming |

## References

- Wiesner, S.S. Wiesner, Sigact News 15, 78 (1983). Sigact News
**1983**, 15, 78. [Google Scholar] [CrossRef] - Wootters, W.K.; Zurek, W.H. A single quantum cannot be cloned. Nature
**1982**, 299, 802–803. [Google Scholar] [CrossRef] - Bennett, C.H.; Brassard, G. Quantum cryptography: Public key distribution and coin tossing. Theor. Comput. Sci.
**2014**, 560, 7–11. [Google Scholar] [CrossRef] - Gottesman, D.; Chuang, I. Quantum digital signatures. arXiv
**2001**, arXiv:quant-ph/0105032. [Google Scholar] - Ambainis, A. A new protocol and lower bounds for quantum coin flipping. J. Comput. Syst. Sci.
**2004**, 68, 398–416. [Google Scholar] [CrossRef] - Broadbent, A.; Fitzsimons, J.; Kashefi, E. Universal blind quantum computation. In Proceedings of the 2009 50th Annual IEEE Symposium on Foundations of Computer Science, Atlanta, GA, USA, 24–27 October 2009; pp. 517–526. [Google Scholar]
- Crépeau, C.; Gottesman, D.; Smith, A. Secure multi-party quantum computation. In Proceedings of the Thiry-Fourth Annual ACM Symposium on Theory of Computing, Montreal, QC, Canada, 19–21 May 2002; pp. 643–652. [Google Scholar]
- Broadbent, A.; Schaffner, C. Quantum cryptography beyond quantum key distribution. Des. Codes Cryptogr.
**2016**, 78, 351–382. [Google Scholar] [CrossRef] - Lutomirski, A. An online attack against Wiesner’s quantum money. arXiv
**2010**, arXiv:1010.0256. [Google Scholar] - Brodutch, A.; Nagaj, D.; Sattath, O.; Unruh, D. An adaptive attack on Wiesner’s quantum money. arXiv
**2014**, arXiv:1404.1507. [Google Scholar] - Gavinsky, D. Quantum money with classical verification. In Proceedings of the 2012 IEEE 27th Annual Conference on Computational Complexity (CCC), Porto, Portugal, 26–29 June 2012; pp. 42–52. [Google Scholar]
- Georgiou, M.; Kerenidis, I. New constructions for quantum money. In Proceedings of the 10th Conference on the Theory of Quantum Computation, Communication and Cryptography (TQC 2015), Brussels, Belgium, 20–22 May 2015; Volume 44. [Google Scholar]
- Amiri, R.; Arrazola, J.M. Quantum money with nearly optimal error tolerance. Phys. Rev. A
**2017**, 95, 062334. [Google Scholar] [CrossRef] - Gavinsky, D.; Kempe, J.; Kerenidis, I.; Raz, R.; De Wolf, R. Exponential separations for one-way quantum communication complexity, with applications to cryptography. In Proceedings of the Thirty-Ninth Annual ACM Symposium on Theory of Computing, San Diego, CA, USA, 11–13 June 2007; pp. 516–525. [Google Scholar]
- Arrazola, J.M.; Karasamanis, M.; Lütkenhaus, N. Practical quantum retrieval games. Phys. Rev. A
**2016**, 93, 062311. [Google Scholar] [CrossRef] - Pastawski, F.; Yao, N.Y.; Jiang, L.; Lukin, M.D.; Cirac, J.I. Unforgeable noise-tolerant quantum tokens. Proc. Natl. Acad. Sci. USA
**2012**, 109, 16079–16082. [Google Scholar] [CrossRef] - Aaronson, S.; Christiano, P. Quantum money from hidden subspaces. In Proceedings of the Forty-Fourth Annual ACM Symposium on Theory of Computing, New York, NY, USA, 19–22 May 2012; pp. 41–60. [Google Scholar]
- Farhi, E.; Gosset, D.; Hassidim, A.; Lutomirski, A.; Shor, P. Quantum money from knots. In Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, Cambridge, MA, USA, 8–10 January 2012; pp. 276–289. [Google Scholar]
- Moulick, S.R.; Panigrahi, P.K. Quantum cheques. Quantum Inf. Process.
**2016**, 15, 2475–2486. [Google Scholar] [CrossRef] - Radian, R.; Sattath, O. Semi-Quantum Money. arXiv
**2019**, arXiv:1908.08889. [Google Scholar] - Bozzio, M.; Orieux, A.; Vidarte, L.T.; Zaquine, I.; Kerenidis, I.; Diamanti, E. Experimental investigation of practical unforgeable quantum money. npj Quantum Inf.
**2018**, 4, 5. [Google Scholar] [CrossRef] - Guan, J.Y.; Arrazola, J.M.; Amiri, R.; Zhang, W.; Li, H.; You, L.; Wang, Z.; Zhang, Q.; Pan, J.W. Experimental preparation and verification of quantum money. Phys. Rev. A
**2018**, 97, 032338. [Google Scholar] [CrossRef] - Kumar, N.; Kerenidis, I.; Diamanti, E. Experimental demonstration of quantum advantage for one-way communication complexity surpassing best-known classical protocol. Nat. Commun.
**2019**, 10, 1–10. [Google Scholar] [CrossRef] - Ben-David, S.; Sattath, O. Quantum tokens for digital signatures. arXiv
**2016**, arXiv:1609.09047. [Google Scholar] - Goldreich, O. The Foundations of Cryptography, Volume 2, Chapter Encryption Schemes; Cambridge University Press: Cambridge, UK, 2004. [Google Scholar]
- Upfal, E.; Mitzenmacher, M. Probability and Computing: Randomized Algorithms and Probabilistic Analysis; Cambridge University Press: Cambridge, UK, 2005. [Google Scholar]
- Bar-Yossef, Z.; Jayram, T.S.; Kerenidis, I. Exponential separation of quantum and classical one-way communication complexity. In Proceedings of the Thirty-Sixth Annual ACM Symposium on Theory of Computing, Chicago, IL, USA, 13–15 June 2004; pp. 128–137. [Google Scholar]
- Molina, A.; Vidick, T.; Watrous, J. Optimal counterfeiting attacks and generalizations for Wiesner’s quantum money. In Proceedings of the Conference on Quantum Computation, Communication, and Cryptography, Tokyo, Japan, 17–19 May 2012; pp. 45–64. [Google Scholar]
- Croke, S.; Kent, A. Security details for bit commitment by transmitting measurement outcomes. Phys. Rev. A
**2012**, 86, 052309. [Google Scholar] [CrossRef] - Jamiołkowski, A. Linear transformations which preserve trace and positive semidefiniteness of operators. Rep. Math. Phys.
**1972**, 3, 275–278. [Google Scholar] [CrossRef] - Yao, A.C. Lower bounds by probabilistic arguments. In Proceedings of the 24th Annual Symposium on Foundations of Computer Science (sfcs 1983), Tucson, AZ, USA, 7–9 November 1983; pp. 420–428. [Google Scholar]
- Holevo, A.S. Information-theoretical aspects of quantum measurement. Probl. Peredachi Informatsii
**1973**, 9, 31–42. [Google Scholar] - Lvovsky, A.I.; Sanders, B.C.; Tittel, W. Optical quantum memory. Nat. Photonics
**2009**, 3, 706. [Google Scholar] [CrossRef] - Julsgaard, B.; Sherson, J.; Cirac, J.I.; Fiurášek, J.; Polzik, E.S. Experimental demonstration of quantum memory for light. Nature
**2004**, 432, 482. [Google Scholar] [CrossRef] [PubMed] - Fleischhauer, M.; Lukin, M.D. Quantum memory for photons: Dark-state polaritons. Phys. Rev. A
**2002**, 65, 022314. [Google Scholar] [CrossRef] - Kozhekin, A.; Mølmer, K.; Polzik, E. Quantum memory for light. Phys. Rev. A
**2000**, 62, 033809. [Google Scholar] [CrossRef] - Arrazola, J.M.; Diamanti, E.; Kerenidis, I. Quantum superiority for verifying NP-complete problems with linear optics. npj Quantum Inf.
**2018**, 4, 56. [Google Scholar] [CrossRef]

**Figure 1.**Sampling matching problem. Alice receives an input $x\in {\{0,1\}}^{n}$ and Bob does not receive any input. Alice sends a message $m\left(x\right)$ to Bob who outputs the tuple $\{(k,l)\in {\mathcal{T}}_{n},{x}_{k}\oplus {x}_{l}\}$ where the from the message $m\left(x\right)$, a tuple $(k,l)$ is sampled from the set of possible distinct tuples ${\mathcal{T}}_{n}$. Bob’s objective is to output the parity correctly with high probability.

**Figure 2.**Superposition circuit of Alice to create a single-photon state in equal superposition over n modes. This is realized by passing a single-photon through a cascade of $n-1$ 50/50 beam splitters and subjecting each output mode to a phase-shift that depends on the corresponding string $x\in {\{0,1\}}^{n}$.

**Figure 3.**Sampling matching circuit model in single-photon encoding. Alice encodes a secret string $x\in {\{0,1\}}^{n}$ in the single-photon state |x〉 in an equal superposition over n modes. This is then sent to Bob. Bob creates his local superposition state and applies mode-by-mode beam splitter operation with Alice’s state. The results are observed in the $2n$ photon number resolving detectors.

**Figure 4.**Illustration of a 50/50 beam splitter transforming input modes $\{{\widehat{a}}_{k}^{\u2020},{\widehat{b}}_{k}^{\u2020}\}$ into the output modes $\{{\widehat{c}}_{k}^{\u2020},{\widehat{d}}_{k}^{\u2020}\}$.

**Figure 5.**Illustration of our private quantum money scheme based on the verification protocol using the sampling matching scheme. In the note preparation phase, the bank independently and uniformly randomly selects q n-bit binary strings $\{{x}_{1},\cdots ,{x}_{q}\}$ and prepares single-photon superposition note states $\$=|{x}_{1}\rangle \otimes |{x}_{2}\rangle \otimes \cdots \otimes |{x}_{q}\rangle $. The bank further initializes a r register to keep a track of the number of positions in $\left[q\right]$ where the states have been used for verification and the count register to keep track of a number of verification attempts on the note. The note $(\$,r)$ is then sent to the holder. To be able to carry out any transaction, the holder sends the note to an honest verifier. In the verification phase, the verifier selects a fraction of the q copies of the note state which have $r=0$. He creates his local state $|\beta \rangle $ and applies the sampling matching (SM)-scheme on those selected copies. The verifier sends the outcome of the measurement scheme to the bank. Finally, the bank compares the outcomes with his secret string ${x}_{j}$’s and outputs a bit ${\mathrm{Ver}}_{H}^{B}$ stating whether the note is valid or not.

**Figure 6.**SM circuit implementation using weak coherent states, 50/50 beam splitter (BS) and single-photon threshold detectors. The upper arm illustrates an honest holder’s state as a coherent state $|{\alpha}_{x}\rangle $, which consists of a sequence of coherent pulses. The coherent state is encoded with a random phase $x\in {\{0,1\}}^{n}$ through the phase modulator (PM). The lower arm is used by the verifier to produce a local reference coherent state $|\beta \rangle $, consisting of a sequence of coherent pulses, with an average photon number of 1. The verifier interferes with the states into the 50/50 BS and infers the parity information from the detector clicks in ${D}_{0}$ and ${D}_{1}$. This allows him to obtain the parity outcome of a tuple in ${\mathcal{T}}_{n}$. The red dot in the 1st and 3rd time sequence denotes that the verifier observed clicks at ${D}_{1}$ and ${D}_{0}$ detectors respectively for these time steps. Thus he infers the parity outcome for the tuple $(1,3)$, ${x}_{1}\oplus {x}_{3}=1$.

**Figure 7.**Illustration of our quantum money scheme based on the verification protocol using the SM-scheme. In the note preparation phase, the bank independently and randomly selects q n-bit binary strings and produces note coherent states $\$=|{\alpha}_{{x}_{1}}\rangle \otimes |{\alpha}_{{x}_{2}}\rangle \otimes \cdots \otimes |{\alpha}_{{x}_{q}}\rangle $. The bank initializes the r register to keep a track of the number of positions in $\left[q\right]$ where the states have been used for verification and the count register to keep track of the number of verification attempts on the note. The note $(\$,r)$ is then sent to the holder. To carry out a transaction, the holder sends the note to an honest verifier of the bank. In the verification phase, the verifier selects a fraction of the q copies of the note state with positions 0 in the r register. He creates his local state $|{\beta}_{j}\rangle $ and applies the SM-scheme on those selected copies. If the note passes the local test of the verifier, he sends the measurement outcomes of the test to the bank. Finally, the bank compares the outcomes with his secret string ${x}_{j}$’s and outputs a bit ${\mathrm{Ver}}_{H}^{B}$ stating whether the note is valid or not.

© 2019 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Kumar, N. Practically Feasible Robust Quantum Money with Classical Verification. *Cryptography* **2019**, *3*, 26.
https://doi.org/10.3390/cryptography3040026

**AMA Style**

Kumar N. Practically Feasible Robust Quantum Money with Classical Verification. *Cryptography*. 2019; 3(4):26.
https://doi.org/10.3390/cryptography3040026

**Chicago/Turabian Style**

Kumar, Niraj. 2019. "Practically Feasible Robust Quantum Money with Classical Verification" *Cryptography* 3, no. 4: 26.
https://doi.org/10.3390/cryptography3040026