Cryptanalysis of three quantum money schemes

Abstract

We investigate the security assumptions behind three public-key quantum money schemes. Aaronson and Christiano proposed a scheme based on hidden subspaces of the vector space $$\mathbb {F}_2^n$$ F 2 n in 2012. It was conjectured by Pena et al. (IACR international workshop on public-key cryptography, pp 194–213. Springer, 2015) that the hard problem underlying the scheme can be solved in quasi-polynomial time. We confirm this conjecture, and hence prove that the scheme is insecure, by giving a polynomial time quantum algorithm for the underlying problem. Our algorithm is based on computing the Zariski tangent space of a random point in the hidden subspace. Zhandry (Quantum lightning never strikes the same state twice 11, 2017. https://eprint.iacr.org/2017/1080/20171110:155027 ) proposed a scheme based on multivariate hash functions. We prove that Zhandry’s scheme is insecure by giving a polynomial time quantum algorithm for cloning a money state with high probability. Our algorithm uses the verification circuit of the scheme to produce a banknote from a given serial number. Kane et al. (Quantum money from quaternion algebras, 2021. arXiv:2109.12643 ) proposed a scheme based on quaternion algebras. The underlying hard problem in their scheme is cloning a quantum state that represents an eigenvector of a set of Hecke operators. We give a polynomial time quantum reduction from this hard problem to a linear algebra problem. Although our reduction does not break this scheme, the latter problem is much easier to understand, and we hope that our reduction opens new avenues to future cryptanalyses of the scheme.