Latest revision |
Your text |
Line 1: |
Line 1: |
| This [http://users.math.cas.cz/~gavinsky/papers/QuMoClaV.pdf example protocol] is a private-key protocol which implements Quantum Money, a unique object generated by a Trusted Third Party (TTP). It is then circulated among untrusted clients (Transferability). Each client should be able to prove the authenticity of his owned quantum money to a verifier. On the other hand, an adversary must fail in counterfeiting the quantum money with overwhelmingly high probability (Unforgeability). <br>
| | Quantum Money is a unique object generated by a Trusted Third Party (TTP). Then, it is circulated among untrusted clients (Transferability property). Each client should be able to prove the authenticity of his owned quantum money to a verifier. On the other hand, an adversary must fail in counterfeiting the quantum money with overwhelmingly high probability (Unforgeability property). <br> |
|
| |
|
| '''Tags:''' [[:Category: Multi Party Protocols|Multi Party Protocols]], [[:Category: Quantum Enhanced Classical Functionality|Quantum Enhanced Classical Functionality]], [[:Category: Specific Task|Specific Task]], Prepare (bank) and Measure (client) | | '''Tags''': Multiparty, Quantum Enhanced Classical functionality, prepare (bank) and measure (client) |
| [[Category: Specific Tasks]]
| |
| [[Category: Quantum Enhanced Classical Functionality]]
| |
| [[Category: Multi Party Protocols]]
| |
|
| |
|
|
| |
|
Line 11: |
Line 8: |
| * '''Quantum coin Generation''' - The TTP chooses k random 4-bit strings, keeps them in secret and produce k quantum states. A newly issued quantum coin consists of a piece of paper glued to k quantum registers that hold k quantum states. The piece of paper contains a unique identification tag and k initially unmarked positions, where the i-th position has to be marked in k-bit classical register P when the corresponding quantum state is used in the verification protocol. | | * '''Quantum coin Generation''' - The TTP chooses k random 4-bit strings, keeps them in secret and produce k quantum states. A newly issued quantum coin consists of a piece of paper glued to k quantum registers that hold k quantum states. The piece of paper contains a unique identification tag and k initially unmarked positions, where the i-th position has to be marked in k-bit classical register P when the corresponding quantum state is used in the verification protocol. |
| * '''Quantum coin Verification''' - To verify a quantum coin through classical communication with the TTP, its holder sends the identification number of the quantum coin to the TTP. Then, the TTP and the coin holder exchange some classical information for choosing some quantum registers. The coin holder measures the chosen registers and sends their corresponding classical information to the TTP. The TTP verifies the authenticity of the coin by the secret information he possesses. | | * '''Quantum coin Verification''' - To verify a quantum coin through classical communication with the TTP, its holder sends the identification number of the quantum coin to the TTP. Then, the TTP and the coin holder exchange some classical information for choosing some quantum registers. The coin holder measures the chosen registers and sends their corresponding classical information to the TTP. The TTP verifies the authenticity of the coin by the secret information he possesses. |
| ==Notations==
| |
| * <math>HMP_4</math>-states: <math>|\alpha(x)\rangle=\dfrac{1}{2}\sum_{1\leq i\leq4}(-1)^{x_i}|i\rangle</math>, <math>x\in\{0, 1\}^4</math>
| |
| * for <math>m, a, b \in \{0, 1\}</math>, <math>(x, m, a, b) \in HMP_4 </math> if <math> b = \begin{cases}
| |
| x_1 \oplus x_{2+m} & \text{if } a = 0 \\
| |
| x_{3-m} \oplus x_4 & \text{if } a = 1 \end{cases}</math>
| |
|
| |
|
| * <math>HMP_4</math>-queries: An <math>HMP_4</math>-query is an element <math>m \in \{0, 1\}</math>. A valid answer to the query w.r.t. <math>x \in \{0, 1\}^4</math> is a pair <math>(a, b) \in \{0, 1\} \times \{0, 1\}</math>, such that <math>(x, m, a, b) \in HMP_4</math>. An <math>HMP_4</math> -state can be used to answer an <math>HMP_4</math> -query with certainty: If <math> m = 0 </math>, let
| | == Properties == |
| <math> v_1 \overset{def}{=}\dfrac{|1\rangle+|2\rangle}{\sqrt{2}} </math> <math> v_2 \overset{def}{=}\dfrac{|1\rangle-|2\rangle}{\sqrt{2}} </math> <math> v_3 \overset{def}{=}\dfrac{|3\rangle+|4\rangle}{\sqrt{2}} </math> <math> v_4 \overset{def}{=}\dfrac{|3\rangle-|4\rangle}{\sqrt{2}} </math>
| |
| otherwise (m = 1), let
| |
| <math> v_1 \overset{def}{=}\dfrac{|1\rangle+|3\rangle}{\sqrt{2}} </math> <math> v_2 \overset{def}{=}\dfrac{|1\rangle-|3\rangle}{\sqrt{2}} </math> <math> v_3 \overset{def}{=}\dfrac{|2\rangle+|4\rangle}{\sqrt{2}} </math> <math> v_4 \overset{def}{=}\dfrac{|2\rangle-|4\rangle}{\sqrt{2}} </math>
| |
|
| |
|
| Measure <math>|\alpha(x_i)\rangle</math> in the basis <math>{v_1, v_2, v_3, v_4}</math>, and let <math>(a, b)</math> be <math>(0, 0)</math> if the outcome is <math>v_1</math>; <math>(0, 1)</math> in the case of <math>v_2</math>; <math>(1, 0)</math> in the case of <math>v_3</math>; <math>(1, 1)</math> in the case of <math>v_4</math>. Then <math>(x, m, a, b) \in HMP_4</math> always.
| | * '''Parameters''': HMP<sub>4</sub>-states, Let x ∈ {0, 1}<sup>4</sup>. The corresponding HMP<sub>4</sub>-states is |α(x)>\myeq\dfrac{1}{2}\sum_{1\leq i\leq4}(-1)^{x_i}\ket{i} |
|
| |
|
| ==Requirements==
| |
| *Network stage: [[:Category: Quantum Memory Network Stage|quantum memory network]][[Category:Quantum Memory Network Stage]].
| |
|
| |
| ==Knowledge Graph==
| |
|
| |
| {{graph}}
| |
|
| |
| == Properties ==
| |
| * '''General Features''': | | * '''General Features''': |
| ** No need to quantum communication for quantum coin verification. | | *** No need to quantum communication for quantum coin verification. |
| ** The classical communication channel used for verification can be unencrypted. | | ** The classical communication channel used for verification can be unencrypted. |
| ** The database of the bank is static, and therefore many de-centralized “verification branches” can exist that do not have to communicate with one another. | | ** The database of the bank is static, and therefore many de-centralized “verification branches” can exist that do not have to communicate with one another. |
| ** The number of verifications that a quantum coin can go through is limited. | | ** The number of verifications that a quantum coin can go through is limited. |
| | |
| *'''Security Claims''':
| |
| **The coins are exponentially hard to counterfeit.
| |
| **Secure against an adversary who uses adaptive “attempted verifications” in order to collect information about a coin.
| |
| | |
| ==Protocol Description==
| |
| '''Stage 1: Quantum coin generation'''<br>
| |
| ''Input'': A secret record consists of <math>k</math> entries <math>x_1, . . . , x_k</math>,<math> x_i\in \{0,1\}^4</math><br>
| |
| ''Output'': A “fresh” quantum coin<br>
| |
| The Trusted Third Party (TTP) chooses <math>x_1, . . . , x_k\in\{{0, 1}\}^4</math> at random, keeps them in secret and produces quantum states <math>|\alpha(x_1)\rangle, . . . , |\alpha(x_k)\rangle</math>.
| |
| A “fresh” quantum coin corresponding to this record consists of:
| |
| * <math>k</math> quantum registers consisting of 2 qubits each, where the <math>i</math>-th register contains <math>|\alpha(x_i)\rangle</math>;
| |
| * a <math>k</math>-bit classical register <math>P</math>, that is initially set to <math>0^k</math>;
| |
| * a unique identification number.
| |
| | |
| '''Stage 2: Quantum coin verification'''<br>
| |
| ''Input'': the identification number of the quantum coin<br>
| |
| ''Output'': Accept or Reject<br>
| |
| <br>
| |
| This stage is run as follows:
| |
| * The holder sends the identification number of the quantum coin to the TTP.
| |
| * The TTP chooses uniformly at random a set <math>L_{bn}\subset[k]</math> of size <math>t</math>, and sends it to the coin holder.
| |
| * The holder consults with <math>P</math> and chooses uniformly at random a set <math>L_{hl} \subset L_{bn}</math> consisting of <math>2t/3</math> yet unmarked positions. He sends <math>L_{hl}</math> to the bank and marks in <math>P</math> all the elements of <math>L_{hl}</math> as used.
| |
| * The TTP chooses at random <math>2t/3</math> values <math>m_i \in\{{0, 1}\}</math>, one for each <math>i \in L_{hl}</math> , and sends them to the coin holder.
| |
| * The holder measures the quantum registers corresponding to the elements of <math>L_{hl}</math> in order to produce <math>2t/3</math> pairs <math>(a_i, b_i)</math> (refer to <math>HMP_4</math>-queries in Notations), such that <math>(x_i,m_i, a_i, b_i)\in HMP_4</math> for all <math>i \in L_{hl}</math>. He sends the list of <math>(a_i, b_i)</math>s to the TTP.
| |
| * The TTP checks whether <math>(x_i,m_i, a_i, b_i)\in HMP_4</math> for all <math>i \in L_{hl}</math>, in which case it confirms validity of the quantum coin. Otherwise, the coin is declared to be a counterfeit.
| |
| | |
| ==Further Information==
| |
| Gavinsky, Dmitry. "Quantum money with classical verification." 2012 IEEE 27th Conference on Computational Complexity. IEEE, 2012, Available at: http://users.math.cas.cz/~gavinsky/papers/QuMoClaV.pdf
| |
|
| |
|
| <div style='text-align: right;'>''*contributed by Mashid Delavar''</div>
| | \paragraph{Security Claims} |
| | \begin{itemize} |
| | \item The coins are exponentially hard to counterfeit. |
| | \item secure against an adversary who uses adaptive “attempted verifications” in order to collect information about a coin. |
| | \end{itemize} |