On the (Im)plausibility of Public-Key Quantum Money from Collision-Resistant Hash Functions

TL;DR

This paper investigates the fundamental limitations of constructing public-key quantum money schemes from collision-resistant hash functions, providing a black-box separation result that highlights key theoretical constraints.

Contribution

It presents the first black-box separation showing collision-resistant hash functions cannot be used to construct public-key quantum money with classical verification queries.

Findings

Collision-resistant hash functions are insufficient for black-box quantum money schemes.

Introduces novel quantum complexity and simulation techniques, including Zhandry's compressed oracle.

Establishes fundamental theoretical limitations for cryptographic assumptions in quantum money.

Abstract

Public-key quantum money is a cryptographic proposal for using highly entangled quantum states as currency that is publicly verifiable yet resistant to counterfeiting due to the laws of physics. Despite significant interest, constructing provably-secure public-key quantum money schemes based on standard cryptographic assumptions has remained an elusive goal. Even proposing plausibly-secure candidate schemes has been a challenge. These difficulties call for a deeper and systematic study of the structure of public-key quantum money schemes and the assumptions they can be based on. Motivated by this, we present the first black-box separation of quantum money and cryptographic primitives. Specifically, we show that collision-resistant hash functions cannot be used as a black-box to construct public-key quantum money schemes where the banknote verification makes classical queries to the hash function. Our result involves a novel combination of state synthesis techniques from quantum complexity theory and simulation techniques, including Zhandry's compressed oracle technique.