Quantum Copy-Protection and Quantum Money

TL;DR

This paper explores the theoretical feasibility of quantum money and copy-protection, providing complexity-based evidence and explicit schemes, advancing the understanding of quantum cryptographic primitives.

Contribution

It introduces a complexity-theoretic no-cloning theorem, demonstrates the possibility of publicly-verifiable quantum money in oracle models, and presents explicit schemes for quantum money and copy-protection.

Findings

Existence of quantum oracles enabling publicly-verifiable quantum money.

Quantum copy-protection for functions not efficiently learnable from input-output behavior.

Explicit candidate schemes for quantum money and copy-protection based on stabilizer states.

Abstract

Forty years ago, Wiesner proposed using quantum states to create money that is physically impossible to counterfeit, something that cannot be done in the classical world. However, Wiesner's scheme required a central bank to verify the money, and the question of whether there can be unclonable quantum money that anyone can verify has remained open since. One can also ask a related question, which seems to be new: can quantum states be used as copy-protected programs, which let the user evaluate some function f, but not create more programs for f? This paper tackles both questions using the arsenal of modern computational complexity. Our main result is that there exist quantum oracles relative to which publicly-verifiable quantum money is possible, and any family of functions that cannot be efficiently learned from its input-output behavior can be quantumly copy-protected. This provides the first formal evidence that these tasks are achievable. The technical core of our result is a "Complexity-Theoretic No-Cloning Theorem," which generalizes both the standard No-Cloning Theorem and the optimality of Grover search, and might be of independent interest. Our security argument also requires explicit constructions of quantum t-designs. Moving beyond the oracle world, we also present an explicit candidate scheme for publicly-verifiable quantum money, based on random stabilizer states; as well as two explicit schemes for copy-protecting the family of point functions. We do not know how to base the security of these schemes on any existing cryptographic assumption. (Note that without an oracle, we can only hope for security under some computational assumption.)