[MUSIC PLAYING]
PETER SHOR: So this is a new quantum cryptographic protocol-- well, not new. We've had quantum money protocols for around 10 years. But this is a new quantum money protocol. And the big, I guess, lie about the name quantum money is you couldn't actually use it for quantum money. It has all the properties to be good for money. But since quantum states only last for around maybe a minute or two, you really don't want quantum money. Because you don't want your money to disappear after two or three minutes.

But the outline of the talk, I'm first going to talk about the motivation for looking at quantum money, and the history, and then the background, and then the work in progress, which isn't up yet. But I'm writing it.
So quantum money-- well, the big problem with money, maybe, is that you can make copies. So if you have a physical piece of money, what you can do is you can be very clever in manufacturing it and put all sorts of things in it which are hard to copy. But then, of course, the counterfeiters get clever too and figure out how to copy it. So you have a race between the counterfeiters and the governments. So if you actually had entirely digital money, it would be perfectly possible to make a copy. So that wouldn't work.

Now quantum states, there's something called a no-cloning theorem, which says you cannot make a copy of an unknown quantum state. So it seems that those would be perfect for money. So this was Wiesner's idea. And he came up with the idea in 1969 and wrote the manuscript. And it took 14 years to get it published. And that would not have happened without Charlie Bennett sending it to someone he knew who worked on this newsletter for this, I guess, ACM SIGACT special interest group, which isn't even a real journal. It's-- whatever the editor wants to put in it gets put in it. So anyway, we have this quantum money-- Wiesner.

Now it turns out that Wiesner's scheme had some real drawbacks to it. Namely, if you wanted to verify a piece of quantum money, you had to send it back to some central authority who knew the secret that was used to make it. So that was really the problem. So these quantum money schemes that I'll talk about do not have this drawback. You can verify them just with a piece of the quantum money.
So now I want to talk a bit about cryptography background. For many years, until the 1970s, cryptography was done with ad hoc cryptosystems. And many of these turned out to be eventually broken. So over the last few decades, cryptography has become much more mathematical. And theoretical computer scientists try to prove the security of cryptosystems.

There are two kinds of proofs of security in cryptography. There's informationally secure cryptosystems and computationally secure cryptosystems. An informationally secure cryptosystem has the property that no matter how powerful a computer an adversary has, they will not be able to break the cryptosystem, because they don't have access to enough information. The disadvantage with informationally secure cryptosystems is that there are only a very few cryptographic protocols that can be made informationally secure. For computationally secure cryptosystems, the security of the cryptosystem relies on the difficulty of solving some computationally hard problem, like maybe prime factorization. And the difficulty with computationally secure cryptosystems is that theoretical computer scientists don't know how to prove that any of these problems that they're based on are really secure. So the best guarantee of security is to find some problem that a lot of people have tried to crack and have failed.

So quantum cryptography, that BB84 protocol for quantum key distribution, which was actually inspired by Wiesner's quantum money, can be proved informationally secure, assuming the laws of quantum mechanics. So this solved a task which was impossible to perform with a classical computer. So one of the motivations for the quantum money research was thinking about whether there are any cryptographic tasks that a quantum computer might perform with computational security but were impossible for a digital computer to perform. And we think quantum money is one of these.
And there have been a bunch of previous proposals for quantum money, starting with ours, which was based on [INAUDIBLE]. Recall that computationally secure quantum money needs some hard problem. So each of these has a different hard problem. And of course, the problem with these is that some of the hard problems turned out not to be hard. So what this quantum money protocol does is it bases its difficulty on problems from lattice cryptography. And a lot of people think lattice cryptography is hard, because post-quantum cryptography-- so the public key cryptosystems which a quantum computer cannot break-- one of the major contenders for the replacement of RSA is based on lattice cryptosystems. So people think they're hard.
So what is quantum money? Well, we would like one of the players in the protocol, and we'll call her the mint, to be able to make a state, which we'll call the quantum money state, and a verification protocol. And note that both of these are dependent on i, which we'll call the serial number. So each quantum money state has the serial number. And you need to input the serial number into the verification protocol to verify that quantum money state, so that, A, the quantum money state will pass the test of verification, B, the test does not destroy the quantum money state, and C, an aspiring counterfeiter who holds both the quantum money state and knows the protocol for verifying it cannot produce a state of two quantum systems that both pass the test P sub i. So that's what we would like.

So how does the quantum money protocol work? Well, we'll outline it. And what we're going to do is we're first going to give a little bit of background about lattices. Then we're going to sketch our first candidate for quantum lattice money. And then we'll explain why it doesn't work, and very, very briefly say how to fix it.
So what is a lattice? A lattice is the set of all integer combinations of n vectors in n dimensions. So it looks something like this. And these n vectors can either be long, like these blue vectors, or they're short, like these two red vectors. And these two blue vectors and two red vectors are supposed to give the same lattice. So this is a basis of long vectors. This is a basis of short vectors. And the hard lattice problem is, given a basis of long vectors for L, find a basis of reasonably short vectors. And the best we know how to do is essentially the LLL algorithm. And what that does is it finds a basis exponentially longer, where the exponential is in the dimension, than the shortest possible basis.

So we need to say a couple more things you can do with lattices. There's something called bounded distance decoding. So suppose you have a vector x that is very close to one of our lattice vectors v. Then we can find the lattice vector in polynomial time. And what does very close mean? Well, it means it's exponentially closer than the shortest vector in the lattice. There's also Gaussian sampling. If you have a big enough ball around some vector x, we can sample lattice vectors v with probability proportional to a Gaussian around that vector x. But this ball has to be big enough. Well, what does it mean? It means that the standard deviation of the Gaussian should be exponentially larger than the shortest basis of the lattice. And we can take the Gaussian sampling algorithm, which is classical, and turn it into a Gaussian superposition algorithm. So if sigma is exponentially larger than the shortest basis, we can create a superposition of lattice vectors in a Gaussian ball around x in quantum polynomial time. And this is done with the same technique as Gaussian sampling, but adapted to quantum outcomes.
Now we're going to be talking about a subclass of lattices, which are basically, you have the lattice points in a P to the n cube. And you can get the lattice in the whole space by just tiling the space with cubes. And in our lattice, there's P to the n minus 1 lattice vectors in the cube. There's something called a dual lattice. And the dual lattice is the set of all vectors that are perpendicular to vectors in a lattice. And the dual lattice for this classic lattice is very sparse. So there's exactly one vector in each hyperplane. So there's only P vectors in the cube. So the lattice points in the dual lattice are much, much sparser than the lattice points in the primary lattice. And we can show that if the short vector problem is hard in arbitrary lattices, it's still hard in these lattices.

And the last thing is we can define a quantum Fourier transform that takes vectors in the lattice to a superposition of vectors in the lattice. And ignore the equation. You don't need to know it. What you need to know is the properties of this quantum Fourier transform. So the quantum Fourier transform takes a Gaussian superposition-- so that's a little ball with all the lattice vectors in this little ball-- around the origin to a Gaussian superposition of lattice vectors around each of the vectors in the dual lattice. And if the original Gaussian has a large standard deviation, the superpositions around each vector in the dual lattice are small, and vice versa. OK, so here's the vice versa. The small lattice vector turns into superpositions of Gaussians-- large superpositions around each vector of the dual lattice. And if you start with a Gaussian ball centered at a dual lattice vector that's not 0, you still get the Gaussian balls around each dual lattice vector. But each of them is multiplied by some complex phase.
OK, so now what is a simple algorithm? The simple quantum money state is the Gaussian superposition of lattice vectors in a small ball around a dual lattice vector w. And you can create it by starting with a large vector that you can get because this is a large Gaussian ball. And then taking the Fourier transform, you get small Gaussian balls around each dual lattice point. And now you just measure the closest dual lattice point with bounded distance decoding. And you're left with one small quantum ball around a random dual lattice point.

And why shouldn't you be able to copy? So suppose you could copy this small quantum ball. Then you'd get two quantum balls, the original and the copy. And you could measure a lattice vector in here and a lattice vector in here. They're very unlikely to be the same lattice vector. But their difference is a lattice vector, and it's close to 0. So you get a short vector. So that's why you should not be able to copy.
So why doesn't this protocol work? Well, we don't know how to distinguish between having just one lattice vector near w and a Gaussian superposition of lattice vectors near that lattice point w. So someone who wanted to counterfeit this money could simply measure one lattice vector from the Gaussian ball and make arbitrarily many copies of that. And here's one way that we try to verify the quantum money state. One way is check that it's a superposition of all vectors near some dual lattice vector w. And then we take the Fourier transform. We get large lattice balls around each thing. We translate them and see what the overlap is using the SWAP test. And you can predict the exact overlap, because you know the state well enough. But the problem is that the SWAP test is linear, which means you cannot tell the difference between a superposition of this Gaussian ball and just a random point in the original Gaussian ball.

So how do you fix it? Well, you use, as your money, two copies of this Gaussian superposition around the dual lattice vector w. And what that does is the SWAP test is quadratic rather than linear. So you can distinguish between a random vector and a Gaussian superposition. And this is a long calculation. We won't go into it, because we only have one minute left. And the hardness assumption is, given two copies of the Gaussian superposition around the dual lattice vector, you cannot find two independent short vectors. And there's only one obvious way to find a short vector. And it doesn't give you two of them. So that's why we think this is secure.

There is another difficulty for the corrected algorithm, which is that the mint, the person creating the quantum money, needs to know a short basis for this lattice. But this, you can assume that they do. So the preparation of the lattice state isn't quite as elegant as it is for the original quantum money protocol, but at least it does seem to work.
So challenges-- where can you go from here? You can find a more convincing argument for why this scheme works. You could try to find other quantum money schemes. You can improve this quantum money scheme. It's not going to be practical anytime soon, because it requires an enormous amount of resources. So it's definitely way out of the [? NISQ ?] regime. But we haven't-- it's not clear that there is not a quantum money scheme in the [? NISQ ?] regime. And finally, you can ask, are there other cryptographic protocols which are impossible classically, but which can be done on a quantum computer? And maybe you can even ask whether the same techniques can be used to construct them.
[MUSIC PLAYING]
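Added example (not from the talk or its authors): a numerical check of the Fourier duality the talk states, carried out classically on a one-dimensional lattice aZ whose dual is (1/a)Z. A Gaussian of width sigma over the lattice transforms into Gaussians of width 1/sigma centred on every dual-lattice point (Poisson summation), so a wide ball gives narrow, well-separated dual balls and a narrow ball gives wide, overlapping ones; the spacing a and width sigma used below are constructed values.

```python
import math
import cmath

# Added example, not the talk's own code. Checks on the 1-D lattice aZ that
# a Gaussian-weighted lattice sum of width sigma has a Fourier transform
# made of Gaussians of width 1/sigma sitting on the dual lattice (1/a)Z.

def lattice_gaussian_ft(a, sigma, xi, kmax=200):
    """Fourier transform at frequency xi of the Gaussian-weighted lattice sum
    sum_k exp(-pi (k a)^2 / sigma^2) * exp(-2 pi i k a xi).
    kmax truncates the sum; the weights decay fast, so this is accurate."""
    total = 0j
    for k in range(-kmax, kmax + 1):
        x = k * a
        weight = math.exp(-math.pi * x * x / (sigma * sigma))
        total += weight * cmath.exp(-2j * math.pi * x * xi)
    return total

def dual_gaussian_sum(a, sigma, xi, mmax=200):
    """Poisson-summation prediction for the same transform: (sigma/a) times a
    sum of Gaussians of width 1/sigma centred on the dual points m/a."""
    total = 0.0
    for m in range(-mmax, mmax + 1):
        d = xi - m / a
        total += math.exp(-math.pi * sigma * sigma * d * d)
    return total * sigma / a

def max_duality_error(a, sigma, points):
    """Largest discrepancy between the direct transform and the dual-lattice
    form over the given frequencies; should sit at floating-point noise."""
    return max(abs(lattice_gaussian_ft(a, sigma, xi) - dual_gaussian_sum(a, sigma, xi))
               for xi in points)

def dual_concentration(a, sigma):
    """Ratio of the transform halfway between two dual points to its value on
    a dual point. Near 0 means the dual balls are well separated (large
    sigma); near 1 means they overlap heavily (small sigma)."""
    on_dual = abs(lattice_gaussian_ft(a, sigma, 0.0))
    between = abs(lattice_gaussian_ft(a, sigma, 1.0 / (2 * a)))
    return between / on_dual

if __name__ == "__main__":
    pts = [0.0, 0.3, 0.5, 1.25]
    print("max duality error (a=1, sigma=4):", max_duality_error(1.0, 4.0, pts))
    print("dual concentration, sigma=4  :", dual_concentration(1.0, 4.0))
    print("dual concentration, sigma=0.5:", dual_concentration(1.0, 0.5))
```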
