Cryptanalysis of Three Quantum Money Schemes

TL;DR

This paper demonstrates that three proposed quantum money schemes are insecure by providing polynomial-time quantum algorithms to break each scheme, challenging their foundational security assumptions.

Contribution

The paper presents the first polynomial-time quantum algorithms that successfully compromise three different quantum money schemes, revealing their underlying assumptions are flawed.

Findings

Aaronson-Christiano scheme can be broken using Zariski tangent space computation.

Zhandry's scheme can be cloned with high probability using the verification circuit.

Kane-Sharif-Silverberg scheme's hard problem reduces to a linear algebra problem.

Abstract

We investigate the security assumptions behind three public-key quantum money schemes. Aaronson and Christiano proposed a scheme based on hidden subspaces of the vector space $\mathbb{F}_2^n$ in 2012. It was conjectured by Pena et al in 2015 that the hard problem underlying the scheme can be solved in quasi-polynomial time. We confirm this conjecture by giving a polynomial time quantum algorithm for the underlying problem. Our algorithm is based on computing the Zariski tangent space of a random point in the hidden subspace. Zhandry proposed a scheme based on multivariate hash functions in 2017. We give a polynomial time quantum algorithm for cloning a money state with high probability. Our algorithm uses the verification circuit of the scheme to produce a banknote from a given serial number. Kane, Sharif and Silverberg proposed a scheme based on quaternion algebras in 2021. The underlying hard problem in their scheme is cloning a quantum state that represents an eigenvector of a set of Hecke operators. We give a polynomial time quantum reduction from this hard problem to a linear algebra problem. The latter problem is much easier to understand, and we hope that our reduction opens new avenues to future cryptanalyses of this scheme.