>> 
Yeah. Thanks everybody for coming. I don't
think it needs a long introduction. Eddie
Farhi is here again. He's becoming a regular
visitor here at Google and specifically in
Santa Monica, helping us with our work, and
applying his adiabatic algorithm to problems
in machine learning. But Eddie will talk today
about a new passion of his which is Quantum
Money. So I'm looking forward to this talk.
>> FARHI: Okay. Thank you. Can everybody hear
me? We're okay remotely? Okay, thank you.
So I'm going to be talking about Quantum Money,
and this is a project that I've worked on
with my students; David Gossett, and Andrew
Lutomirski, and post-doc Avinatan Hassidim,
and Peter Shor who is not a student. He's
a very well-known guy in the world of quantum
information. And let's see. If we begin, I
guess I don't know how to--I guess I have
to go here to advance. Okay. So, I--this talk
is about quantum money. And therefore, I'm
going to just have to help you a little bit
with--some very basic notions in quantum mechanics
so we're all on the same page. I assume that
people know like what a vector is and know
a little bit about linear algebra. Maybe you
don't know that much about quantum mechanics.
So I'm going to start by reviewing just a
few points in quantum mechanics. And for those
of you who know it, it will be very boring,
and a few--those of you who don't, hopefully
you'll learn a couple of things. So also there's
an issue of notation which I wish to establish.
In quantum mechanics, quantum states are vectors
in a d dimensional vector space. A quantum
state is something that describes the quantum
system and that is used--and that itself is
a d dimensional vector. In a--it happens that
in quantum mechanics, these are vector spaces
over the complex numbers so you can add vectors
with complex coefficients. An important thing
about the--so we have a vector space H and
vectors are written in this notation which
are called kets, that little thing there,
that's half of a bracket, it's called the
ket. And the thing inside the ket is the name
of the vector. So you can write anything in
there that describes the vector. So that's
the vector psi. You could write dog or you
could write my favorite vector, whatever you
want inside the ket. It's not an argument
of a function, it's the name of the vector.
Okay? And so psi is an element to the Hilbert
space which--and that's what we mean by vectors.
And a very simple example is if I have d equals
two, two dimensional--Hilbert space, I could
have two basis vectors for the space which
I call 'up' and 'down'. Those are just two
different vectors. They're orthogonal. And
then psi, a general vector could be a linear
combination of the two basis vectors where
alpha and beta are complex numbers. And if--and
if--if these--if up and down have norm one
and they're orthogonal, then if alpha squared
plus beta squared equals one, then psi would
be a normalized vector. So just--this is old
fashion linear algebra over the complex numbers,
but you just have to be sure that the ket,
you remember, is a vector. Okay? Now, just
a couple more words about quantum mechanical
notation stuff before we get into it, as I
go. Now, the quantum mechanics is the description
of nature at its most fundamental level. You
know what? You should remember that--there
has never been a violation of quantum mechanics
ever seen. Quantum mechanics describes the
theory of elementary particles, the strong,
the weak, the electromagnetic force are described
quantum mechanically. Everything that's going
to happen at the LHC is going to--is presumably
described by quantum mechanics. Well, I should
say everything except of--been seen at any
existing accelerator has been described by
quantum mechanics. All of chemistry is described
by quantum mechanics, the entire periodic
table, the properties of materials like superconductors
are described by quantum mechanics. So for
the sake of this talk, we are going to assume
that quantum mechanics is true and it is the
fundamental theory at base which describes
the world around us. It is the God-given theory.
And we're not going to get into a discussion
about whether quantum mechanics--you don't
like it because of whatever problem you might
have with it, or Einstein didn't like it.
We're not going to go there. We're just going
to accept quantum mechanics as true. Okay?
And now one the basic principles of quantum
mechanics that we need to know. Well, there
are not too many basic principles. The first
is that states--quantum systems are described
by states in the Hilbert space and hopefully,
I've helped you a little bit with that notation
on my previous slide. The other thing that's
important in quantum mechanics is that states
evolve in time and the evolution of states
is determined by that equation I've written
there which is called the Schrödinger equation.
And what it tells you is that if you--if the
time derivative of the state--first of all,
i is the square root of minus one. We're dealing
with complex numbers here. So the square root
of minus one times the time derivative of
the state is a particular operator or matrix,
called the Hamiltonian, times the state. So
this is the evolution equation. It's a--it's
a first order differential equation that tells
you that if you know the state at one time,
you can integrate that differential equation
and know the state at later times. In that
sense, quantum mechanics is deterministic.
If you know the state of a quantum system
at an early time, it evolves deterministically
according to the Schrödinger equation. What's
different--this is like F equals MA where
you say the acceleration--you could write
it as acceleration as force over mass, so
it tells you the time derivative is something
and in different problems, you have different
Hamiltonians. So if you're describing the
theory of the weak interactions, you have
a relativistic Hamiltonian. If you're describing
the hydrogen atom, you have a different Hamiltonian.
But that's specific to the situation and part
of the job in physics, obviously, is to discover
which Hamiltonians govern the evolution of
systems. But the basic picture that that time
evolution is how things occur is what we call
the Schrödinger equation and there's never
been a violation of that equation ever seen,
okay? That is consistent with every observation;
that systems evolve according to the Schrödinger
equation. Well, are there any questions? If
you would, please, it's a small group. So
if you have any questions, go ahead and ask
me. Okay, we're comfy with this so far? Okay.
Yes?
>> So, you got a Hamiltonian as a function
behind there?
>> FARHI: It could be. It could be a time-dependent
Hamiltonian. It'll be just like--just in general,
it could be. It might be time-independent.
>> Okay.
>> FARHI: But you could have--the Hamiltonian
determines the dynamics and it could be changing,
right? For example, suppose, you know, you
have two nuclei and their bouncing back and
forth like this, and you want to describe
an electron going around. Well, that electron
sees a time-dependent Hamiltonian.
>> Okay. I guess I wanted [INDISTINCT].
>> Can you repeat questions for the VC, please?
>> FARHI: Oh, the question is--he was curious
about why the Hamiltonian could be time-dependent.
It's like in Newtonian mechanics; you could
have a time-dependent force.
>> I guess, you know, I was just wondering
if this is like really, really powerful. You
know, it says something about, you know, how
they evolved. Like, are there limits on what,
like, on the Hamiltonian, like what kind of
function do you need?
>> FARHI: The question is, "Are there limits
on what type of Hamiltonians you can have?"
Well, that really depends on the physical
situation. You know, whether the Hamiltonian--if
the--from the point of view of this, I'm going
to say no. But, yes--I mean, that's a question
about nature. You know, if you say, "Are there
limits on the form of the Hamiltonian?" That's
a question about what does Mother Nature choose
and why? You know, we only see Hamiltonians
consistent with the theory of relativity.
You know, we--you know, why the Hamiltonians
that we have--that's a question of what are
the actual specific laws of nature. This is
sort of the framework. Yeah.
>> So does that mean that's--or something
like [INDISTINCT]?
>> FARHI: He--the question is for--let's say
quantum electro dynamics, yes, it's a Hamiltonian.
Yes. I mean, if you have a relativistic quantum
field theory, there is a Hamiltonian. It's
not simple and you can't [INDISTINCT] hard
to find its ground state, but, yes, there
is a Hamiltonian in relativistic quantum electrodynamics--in
quantum electrodynamics. Okay. Now the other
thing is that when you--when you want to determine
a property of a system, what you do is you
measure things and everything you measure
corresponds to something called the Hermitian
operator. Hermitian just means that--well,
it's just a special little property. It means
its igon values are real. And one of the features
of quantum mechanics is that when you measure
a system, you measure the--what you can only
ever get is an igon value of the associated
operator. That's all that ever comes out of
a measurement. If you measure energy of a
system, you'll only get an igon value. That's
when we learn--remember that energy is quantized
because if you look at the--a Hamiltonian
that describes the hydrogen atom, the levels
are quantized and that means that none of
the energy is allowed. There are certain igon
values and those are the only things you'll
ever get when you make a measurement. And
that's also very basic to quantum mechanics.
I can't really explain why that is. I don't
really know why that is. That's just the way
it is. Okay? So lets--I want to--now, I got
a couple of consequences of this. There's
the Schrödinger equation again; I wrote it.
But what that tells you, since it's a linear
equation, the time derivative is a linear
thing. I--that--it's--that tells you that
if you integrate that equation up, the state
you get at a late time, T, relative to the
state of time zero, is obtained by a unit--a
unitary operator. Unitary is a special type
of linear operator. But what it says is that
the--if you know the state at an initial time
and you would like to know the state at a
later time, after you've integrated the Schrödinger
equation, you discover that the state at a
later time is simply a matrix or a linear
operator acting on the initial state. Okay?
Now, so quantum mechanics is linear. Well,
measurements are not. So let's get back to
that--we're just talking about the Schrödinger
evolution. What does that mean? What does
that mean? That means that if you know the
state--suppose you know that--you have a system
which at time zero is psi one, and at time
T becomes psi one of t, or your system at
time zero is psi two, which evolves to psi
two of t. Then if your initial state was a
linear superposition of psi one at zero and
psi two of zero, the outcome is the linear
combination alpha psi one of t plus beta psi
two of t at the later time. That's what linear
means. Okay? If I have two inputs, if my--if
I have an input and it goes here, and I have
another input and it goes there, if I take
a linear combination of the inputs, I get
the same linear combination of the outputs.
Okay? That's what I mean by linear, and quantum
mechanics is linear. All right? Are you with
me? That's very fundamental to quantum mechanics.
There has never been a violation of quantum
of linearity seen. Now, we're going to use
this to prove a theorem, okay? We're now going
to prove--we're going to ask the following
question, "Can I copy an unknown quantum state?
Can I take a state which is unknown to me,
a quantum system, and make an identical copy
of it without destroying the original state?"
And the answer to that is no and I'm going
to prove that to you right now. Suppose I
would like to build what's called a quantum
cloner. A quantum cloner is something that
would take an unknown quantum state and replace
that at a blank register. So I'm writing psi
blank. I have an unknown quantum state and
a blank register or a blank state. I mean,
a blank--like I have two states; psi and then
a state called b. And I want that to evolve,
according to quantum law, into psi, psi. I
want to copy psi into the space held by b.
Okay? So I would like--that's what would be
called a quantum cloner. Well that's impossible
because it's not a linear transformation.
That's like taking x to x squared. If I double
psi, I make--I multiply the output by four.
Okay? That's just not linear if you do that.
That's--you know, that's like a quadratic
function. So the fact is, is that this is
not a linear transformation and in fact, this
means that this is called the Quantum No-Cloning
Theorem. And it says that the quantum operations
do not allow you to take an unknown quantum
state and make a copy of it. And I really
just proved it because of the lack--because
that's a--it's not a linear transformation.
I've argued that quantum mechanic is linear.
Okay? So this is called the Quantum No-Cloning
Theorem and this has huge implications for
information security which I'm now going to
address because there's no such thing, classically.
There's no possibility of me being able to
tell you that if I have a bitstring, I can't
make a copy of it. That's just--there's no
such thing that prevents that classically,
and quantum mechanically, it is not possible.
Now, this actually means, since quantum mechanically
you can not copy an unknown state, this means--you
know, this is called the Quantum No-Cloning
Theorem, and this property allows you to send
secure messages. By secure, I don't mean that
they're encrypted, but what I mean is that
if--you can be guaranteed that there's no
eavesdropping. So let me show you how that
works because this is going to be the prelude
to quantum money. I have not forgotten that
my talk is about quantum money. I'm just building
you up to it, okay? I haven't forgotten, okay?
So let's see how this works. Let's see how
we're going to use the Quantum No-Cloning
to say--to send your messages. So Alice wants
to send Bob a message and we're nervous that
there's an--that this Eve sits between Alice
and Bob, and she might read the message, write
it down, and then send it on to Bob. And what
we're now going to show is that that can not
happen with the proper quantum protocol. Okay?
So--and in fact, classically, what I mean
with--in the absolute quantum case, there's
no way based on--there's absolutely no way
to guarantee the security of a message going
from here to there. There's nothing I can
do that guarantees that someone can't intercept
the classical bitstring, write it down, and
then send it on. But let's see how to do that
quantum mechanically. So--wait. I need to
do one more little aside on a quantum measurement
which is the following thing. I already told
you about the state psi which can be alpha
up plus beta down, where alpha squared plus
beta squared; that's the general state. Now,
we can think in this little two dimensional
Hilbert space of up being the vector one zero
and down being the vector zero one. And these
are igon states of that little diagonal operator
sigma z, which is 1 0, 0 -1. Can you all see
that? If you multiply sigma z times 1 0, you
get it back. And if you multiply 0 1 by that,
you get it back a -1 times the state. Now--but
there are other vectors I can look at which
I'm going to call plus and minus. Plus is
1 over root 2, 1 1, and note, it's an igon
state of that little off diagonal operator
sigma x 0 1, 1 0. You can just check that.
Multiply sigma x times 1 1, and you're going
to get back to 1, 1. Multiply sigma x times
1 -1, you get minus the vector. Okay? Now,
if you're on the up state and you measure
sigma z, what you're going to find is you're
going to get back the number 1. Remember I
told you early on that when you measure an
operator, you'll only get the igon value?
Well if you're in this state, which is an
igon state, with igon value 1 and you measure
it, you're going to get a 1 and the state
up, undamaged. If you measure minus--if you
take the state minus and you measure sigma
x, you're going to get a -1 and the state
minus, undamaged. But now, if I'm in the state
plus and I measure sigma z, plus is not an
igon state of sigma z. Plus is one over root
2 up plus 1 over root 2 down. And what quantum
law says is that if you measure sigma z on
the plus state, what you're going to get is,
with 50percent probability, you're going to
get a 1 and return the state up which is the
igon state of sigma z. And with 50percent
probability, you're going to get down and
the igon state--your going to get -1 and the
state down. So what happens here, if you make
a measurement, is that these measurements
destroy the state because this measurement
of sigma z took the state plus but what came
out was a state up or a state down, because
I measured something, and when I make the
measurement, I always get an igon state of
the operator after the measurement. Now, let's
see how we're going to use that. So, now I
want to send--now, I'm going to show you how
Alice can send Bob--now, Alice is going to
send a secured message to Bob. Let me show
you how Alice does that. Alice sends the state
plus minus up plus down down plus. Okay? Now,
Alice then publicly announces X X Z X Z Z
X. So she announces that publicly. Alice--Bob
has the state and Alice announces that straight,
publicly. Well after she announces it, Bob
measure sigma x sigma x sigma z sigma x sigma
z sigma z sigma x. And since these are igon
states of those operators, out comes 1 -1
1 1 -1 -1 1 because those are the igon values
of those things. Those are all igon states
of these things. Okay? And that's the message.
Okay? The message is the igon values that
she measures. Now why is this secure? Because
suppose Eve intercepts the message, she intercepts
the message--first of all, she cannot copy
the state because of the No-Cloning Theorem.
She can't make a copy of it. So what might
she attempt to do? She might say, "Well, I'm
going to try measure the different components.
I'm going to see what they are." But the announcement
of what the directions are has not yet been
made because it's not announced until Bob
gets the state. So she cannot copy the state,
she only has it. If she could copy it, she'd
be very well off, but she can't. So she's
stuck with it. She's going to do something
to it and then send it on. So--but she doesn't
know what direction to measure in. So if she--so
the first member--remember the first thing
she gets is called plus. So if she measures
sigma x, the state plus is undamaged. But
if she measures sigma z, she gets up or down.
Remember that from the previous page? So now--and
then--so now she has this thing, and she sends
it to Bob. Okay? Now, Bob--if Bob gets the
first bit which is now up or down, he's supposed
to measure sigma x. So when he measures sigma
x, he gets plus or minus one each with 50
percent probability. So there's a 50 percent
chance he gets the wrong answer. So what Alice
does is after the bits are sent, she says,
"Hey, Bob, certain of those bits were test
bits, like the first bit was really just a
test bit, and you better have obtained--what
was it--plus one when you measured it." But
there's a 50 percent chance he got a minus
one. Okay? And we have...
>> Is it 25 percent?
>> ...a fixed probability of error. Then if
you have--if 100 out of my zillion bits or--if
100 out of my million bits are test bits and
there's a 50 percent chance of there being
an error, you have only a one in two to the
hundred chance that the error's undetected.
So this means that Alice--after Alice sends
the message and announces which are the test
bits, Bob can be sure that in fact the message
was not read. So that's huge. Yes.
>> There was [INDISTINCT] question.
>> FARHI: Yes, I didn't hear it.
>> He said something about 25 percent [INDISTINCT].
>> FARHI: Oh, yeah, 25 percent. Yeah, yeah,
he's right. It was only 50 percent conditioned
on--it was conditioned on something. I think
he's right. It is 25 percent. Mine was 50
conditioned on something. Yes, it was 25 percent.
Good. He's paying attention.
>> Okay.
>> FARHI: Good. All right. So that's right.
So this makes--and this is one of the big
things of quantum information that we have
secure communication. So now we're going to
use this idea to make quantum money. Okay?
So let's follow the same--and this was introduced
by this guy named Stephen Wiesner. This is
one of the first ideas for making secure--using
quantum information. He didn't--he didn't
have all these terms, but this is one of the
first ideas--using the ideas of quantum mechanics
for security. And so Wiesner's idea was a
quantum money state is just going to be a
product plus up down minus minus minus. And
if you have a state like that--so--and now
the quantum money I'm going to give you is
a quantum state. I hand you the quantum state.
Now, this thing has the great virtue that
it cannot be copied because of the Quantum
No-Cloning Theorem, and measuring it will
not allow you to copy it. And obviously, when
we talk about money, one virtue--what do we
want money to have? I'm going to talk about
virtues of money. But one clear virtue we
would like a bill to have is the inability
for it to be copied. If I can guarantee you
that a bill cannot be copied based on laws
of physics, well then I'm really offering
you something which is incredibly secure.
And in fact, let me just show you an example.
See this bill here, this is a classical bill
and my 9-year-old son--this is a counterfeit
bill that my 9-year-old son made and it looks
very good. If I'll pass it around, you'll
see. So it's very easy to counterfeit money.
This would--this would make it through a soda
machine without any problem. And my kid made
it. So there's no security against...
>> [INDISTINCT]
>> Okay.
>> FARHI: Okay. So this shows that, you know,
counterfeiting is easy. Anybody who wants
to see the bill, I'll show it to them. Okay.
So now what's the problem with this money?
So the problem with this money is, as a secure
form of money, is that if you want to--the
mint--I give you this money which is just
a bunch of quantum state, it's just quantum--a
product state, it's just a bunch of spins
pointing in different directions. Now, the
No-Cloning Theorem, which we've discussed,
prevents you from copying the bill. That's
a good thing. Now the mint that made the money
knows that the first spin is a plus igon state
of the sigma x operator and the second--the
second--excuse me--spin is an up relative
to the sigma z operator, et cetera. So if
you send the money back to the mint, the mint
can determine that it's still an unaltered
money state because the mint can check that
that first bit really is an igon state of
the sigma x operator. So if the money you
spent sent back to the mint, the mint can
verify that it's good money. So there's--oh,
there's a picture of the bill. I forgot to
show the quantum bill with all the spin states
in it which you can pass along, okay? But
this bill, you have to send--it can't be duplicated.
But now, you send this bill--but the problem
with this money is the following thing; you
want the merchant to be able to verify the
money without sending it back to the mint.
Now, you could say tell the merchant--you
could say, "Well, let's let merchant know
which axis those spins are pointing along."
So if the merchant knows that the first is
sigma x and the next is sigma z, the merchant
could measure the state and verify it. But
as soon as the--I--you know, you let the merchant
do that, you've given the merchant the power
to make another copy. Because if the merchant
knows that the first spin is a plus igon state
of sigma x, the merchant just can make [INDISTINCT]
plus [INDISTINCT] state of sigma x. And the
next spin is what we would say an up igon
state of sigma z, the merchant makes one of
those. So the problem here is that if the
merchant knows the quantization access and
the igon value of each qubit, then the merchant
can verify the money. So we would--we would
like--we would like--so he can make another
bill; that's just what we said. So what we
seek is a quantum money scheme with a verification
procedure that does not allow the merchant
to make fresh bills. Okay, that's what we
want. We want the merchant to be able to hold
the money up to the light and say, "This is
a good bill." The merchant--and still, the
merchant shouldn't be able to copy the money
because of No-Cloning, but the power of verification
should not allow the merchant to make a new
bill. And that's the tricky part of the quantum
money scheme. That's what's hard to achieve.
So what would quantum money consist of? Quantum
money--each bill has a serial number and an
associated quantum state that's associated
with the serial number, and the mint should
be able to produce bills, that is to say serial
numbers in quantum states. And if a merchant
is handed a bill, the merchant should be able
to verify--have a verification algorithm that
takes the quantum money, outputs good money
if it's good, without destroying the state.
You want to be able to just be sure that when
you put the money into the verifier, the verifier
says good, but outputs the money. It doesn't
eat it, which is very tricky, quantum mechanically,
to not destroy the state. And we also want
this to have the property that if I give you
the serial number and the money, it is hard
to make two states, psi and psi prime, each
of which passes the verification. So we want
it to be difficult to make a copy of even
though you have a verifier. If I didn't have
the verifier, you couldn't make the copy.
But then you just know you have the state
and you don't know what properties attach.
So, we're going to have a little blueprint
for quantum money, and then we'll talk about
Knot theory, and then we'll put it all together,
okay? So here's a little blueprint for quantum
money. First, imagine you have a big set,
like the integers from 1 to 2 to the thousand.
Just some discreet set, which is very big.
And I want to have some function which is
easy to compute, and it takes everything in
the big set into some target set, and the
target set is also big but not as big as b.
So, for example, if b is size 2 to the thousand,
maybe the target set is 2 to the 500; still
very big. I want you to think about, you know,
two to the something as a big number. And
I want this function as many to one. For many
things mapped to each target value, and I
want f, it would be easy to compute. So this
is going to be the beginning of my blueprint.
So what--how are we going to--what's the blueprint
here? The mint is going to make an initial
state and the initial quantum state has two
parts. The first register contains a uniform
superposition of all things in the big set.
Quantum mechanically, it's very easy to make
that. It's very easy to make like the uniform
superposition of a state which consist of
all the integers from one to 2,000. You can
actually do that. And the next register is
a blank register now which I'm going to use
in a second. The mint has a quantum computer--and
the quantum computers can do anything classical
computers can do. So the mint can compute
the value of the function into the next register.
So now, my big superposition over all values
of b, come with an additional label which
is the value of a function. So now what the
mint does is it measures the second register.
And whenever--the mint--when the mint measures
the second register, the mint gets a value;
I'm going to call that p. And so what the
state is after this measurement is the sum
of all values little--or all--little b such
that f of little b is p. So what this money
state is actually going to consist of is a
superposition of all things b which have the
function value p. That's what the money state
is going to be. It's going to be a superposition
of all things b with the value p. Okay? So
now we're going to talk about the Knot theory.
I guess I have to end at 4 o'clock, right?
Because Google runs--no? I can go on for another
minute if I need to? Okay. I'll try to end
at 4:00. Oh, that's my screensaver. Well nothing
embarrassing, right? Why did it do that? Hold
it.
>> Escape.
>> FARHI: Escape? Why is it doing that? Oh,
there it goes. Sorry. That's my dashboard.
Okay. It's always nerve-racking when that
happens. You'll never know what--show you
the world, you know. I try to keep my computer
very clean, but sometimes you never know.
Okay. So now we're going to talk about knots,
links, and grid diagrams. So now we're going
to do a little bit of Knot theory. Okay? Not
too much Knot theory. So what's a knot? A
knot is a loop of string in three dimensions.
So just think of having a loop of string in
three dimensions. So it's a map form the circle
S1 into R3. And a link is a bunch of intertwined
knots. So I could have a bunch of knots which
are intertwined. And if you have a bunch of
knots which make a link in three dimensions,
you can depict it by projecting it into two
dimensions. So if I project the three dimensional
object into two dimensions, I get a picture
like that. And what's important about this
picture is that there are arcs where you see
the segments of the thing projected down and
then you have to distinguish whether a strand
is crossing over or under another strand.
So when you make the projection, you have
to remember whether if something is going
over or under. And that's easily depicted
in this picture here where you see clearly
that, you know, the over one--the broken piece
[INDISTINCT] the over one. So that's a picture
of a link and it's a diagram which depicts
the link. Okay? Now, two links are said to
be equivalent if one could be smoothly morphed
into the other without cutting the string.
So if I have--I just want to distort the strands,
the string, but I never cut it. I never pushed
one strand through another. We could get more
mathematical here in the definition, but it's
just this. It's just--there's no more content
to the--that, you know, talking about continuous
and homeomorphous, [INDISTINCT] anything;
it's not going to help you. It's just smooth
in this stereometric sense. Okay? Now, if
two links, L1 and L2, are equivalent, it turns
out, they are equivalent if and only if their
associated diagrams, D1 and D2, can be transformed
one into the other using a set of moves called
Reidemeister moves. So let's see what these
moves are. The first move, over there--I'm
not supposed to use the laser pointer--so
the first move takes the green strand and
shoves it under the red strand. And you can
see that that doesn't change the--it doesn't
really change the link itself. It's just pushing
a little piece under without cutting. The
next thing you can do is you can take a little--a
strand, the green strand, and you can put
a little twist in it. Well, that doesn't change
it because I could untwist that. The third
thing I can do is I could take three strands;
the red one, the black one, and the green
one. And note the way the green is underneath
both the red and the black, on the bottom
part of the page. Well, I can just slide it
up, the green one. So it's below the red and
the black, but above the cross. Now, I hope
it's clear that if you make these moves on
two link diagrams, they--you do not change--when
you make these moves, you're making moves
that keep you in your equivalence class because
it doesn't change--the equivalence class is
all things that are--can be smoothly morphed
one to the other, and these moves respect
the equivalence class. Does that seem clear?
But the theorem here is it goes the other
way, which is that if two knots are equivalent,
then the associated link diagrams can be connected
by a sequence of such moves. Okay. So these
moves allow you to connect any two equivalence
of links. So the point here is that if two
link--yes.
>> [INDISTINCT].
>> They're in the same equivalence class.
What I mean is that the two--the two diagrams
represent links which can be in three dimensions
distorted one to the other. The equivalence
class is under smooth defamation which do
not cut the strands. Does that seem okay?
It's pretty...
>> [INDISTINCT].
>> I'm sorry?
>> [INDISTINCT].
>> Well, I guess connected, yeah, in that
sense. I guess so. They're connected by the
sequence of moves. Okay? Now--so let's take
a look at this--the first--let's look at that
red circle. That's a link diagram for what's
called the 'unknot' because it's just the
most simple knot. It's just the circle mapped
to the circles called the 'unknot'. But if
I make a Reidemeister move on it, I can turn
it into that figure eight, but that's the
same knot. And then I could make it more complicated,
make it look more like a pretzel. Well I can
keep making these moves on it until it'll
look like a huge mess. Okay? I just did--made
a couple of moves. But If I kept making Reidemeister
moves, so the kind I showed you before, I
can end up with something which will look
like a huge mess but will still be the unknot.
Okay? Now, so given two link diagrams, there
is no known procedure to determining that
the associated links are equivalent. There's
no known procedure. In fact, it's worse than
that. There's no known procedure for finding
the Reidemeister moves that take one diagram
to the other. And, in fact, this problem is
not even known to be in NP, for the computer
scientist out there. Okay? It's not known
to be in NP. So that means that this problem
is hard. It doesn't mean that it is hard;
it means that it's believed to be hard because
no one knows how to do these things. So it's
very--what I'm telling you here, the lesson
of this, is if I give you two very complicated
link diagrams and I ask you, "Do they represent
equivalent knots?", you can't figure it out.
And even if I give two, from equivalent knots,
and I say, "Find the moves that take one to
the other," there's no way to do that. I mean,
there's no known way to do that efficiently.
And that is going to be the basis of the security
of all quantum money scheme because, you see,
our quantum money scheme, since it involves
something--well, let me try to--how can I
say it? When you--if you have security--if
you can only have provable security, then
you need to base your security on the presumed
hardness of a problem. Like, for example,
the security of RSA is based on the presumed
difficulty of factoring. Yes.
>> [INDISTINCT] you mentioned--you have two
things [INDISTINCT] and they basically the
same [INDISTINCT]. I guess I'm asking...
>> FARHI: Well, no. The first says that--no,
the first says, "I can't tell if they're equivalent."
And the second says, "If they are equivalent,
I can't find the moves that take one to the
other."
>> Okay.
>> FARHI: Those are slightly different statements.
>> [INDISTINCT] obviously, but if you have
two diagrams and a series of moves so whether
or not if that's [INDISTINCT].
>> FARHI: Yes, but it's not known that the
list is short. I mean, for example, if you
want to get into the question of NP...
>> Yeah.
>> FARHI: ...it's not known whether--there's
not known--there's no short witness. I mean,
it may be an exponential number of moves to
take one to the other.
>> Oh, yeah. I think I got it.
>> FARHI: There's no--there's no known short
witness; it could be exponential. Okay. Now,
there's another thing here called the knot
invariant. So they're all properties of knots
which are invariant under the moves. And an
example of this is called the Alexander Polynomial.
This is a function of--you take a knot and
you look at the diagram that represents it.
And given that, there's an algorithm that
allows you to compute a function which happens
to be a polynomial. But that's--what it really
is, is it's just a set of numbers which are
the coefficients of this polynomial which
characterize the knot. So there are--if I
give you a knot, you can compute a particular
property it has. It's called the Alexander
Polynomial. We're not going to use the fact
that it is a polynomial. We're just going
to think of it as a list of numbers, the coefficients
that make up the polynomial, but it's called
the Alexander Polynomial. Now, if two linked
diagrams come from two equivalent knots, they
have the same Alexander Polynomial. That's
one of the reasons mathematicians like the
Alexander Polynomial because two equivalent
knots have the same Alexander Polynomial,
but the converse is not true. It is not true
that if two linked diagrams have the--or two
knots have the same Alexander Polynomial that
they are equivalent. Otherwise, I could solve
the problem on the other page. I would just
measure the Alexander Polynomial. So you can
find different--you can find inequivalent
links with the same Alexander Polynomial.
And of course, if someone found a polynomial
or a function of the diagram that was, you
know, one to one with the equivalence class,
that'll be huge. That'll be a huge result--Knot
theory. So let me just say one more thing.
I need something called the grid diagram.
You see, we work in a finite dimensional Hilbert
space and I need some discrete way of representing
link diagrams so that I can encode them as
bitstrings because I need to work in a discrete
space, I need to think of things as bitstrings.
And those pictures that I drew with those
arcs and curves, it's not so obvious why those
are represented by bitstrings. But you can
represent all these diagrams by bitstrings.
It's kind of easy to see why because all you
need to do is kind of take the arcs and sort
of make them horizontal and vertical, and
put them on a grid, and then it wont change
the diagram. And then--in fact, if you look
at this one here--look at that little two
green two knots and two links--I can represent
that as a grid diagram like that where I'm
putting things on definite locations on a
grid and I have--and I encode the diagram
by the location of the x's and o's on the
grid. I put arrows on these because these
are oriented. Oriented means that each strand
has a direction. That I do because of the
Alexander Polynomial. That's a triviality.
I mean, a non-necessary detail. The point
of this picture is to show you that I can--I
can make a discrete representation of the
link diagram, so that I can encode it. Oh,
why did it do that again? Let me make that
go away. Go away. I'm sorry. Say what?
>> Press escape.
>> FARHI: Sorry. So grid diagrams are discreet
representations of links. And Reidemeister
moves, those moves can be formulated as grid
moves. And--but Reidemeister moves can change
the number of crossings. Remember that, when
I introduced the little twist? Or when I took
two things that were disconnected and I crossed
them? So if you make Reidemeister moves on
grid diagrams, you can change the dimension
of the grid diagram. So, for example, if I
have a set of grid moves--by grid moves, I
mean Reidemeister moves encoded on grid diagrams--if
I have a finite list of grid moves, they can--they
can change the dimension of the grid diagram.
They can either leave it [INDISTINCT] or they
can make it bigger or smaller by adding crosses.
They can make it bigger or smaller. But if
you start at--in an arbitrated grid diagram,
g twiddle, and I apply a sequence of randomly
selected Reidemeister moves, I will end up
with a random grid diagram equivalent to g
twiddle. So now let me get to the quantum
money. What's the quantum money? The quantum
money, we start in an initial state which
is the sum of all grid diagrams g--by g, I
mean it's some kind of discreet encoding of
the grid diagram which I said I could do,
and then I have an extra register. Now, I
need to put a little weight function in there
because the set of all grid diagram is infinite
and I don't really want it to be infinite,
so I need to cut this off in some way, and
we have kind of a smooth way of cutting it
off. So there's a row of function which I
need for technical details. So row of g is
a weight which depends only at the dimension
of g. And the number of grid diagrams of dimension
d grows like d factorial squared, so I want
to cut this off. And then what we'll do with
our--the mint that takes the initial state
and computes the Alexander Polynomial of the
grid diagram into the next register. And then
the mint measures the second register and
gets the result p. So now the quantum money
is actually the uniform superposition over
all grid diagrams with some kind of weighing
with the same Alexander Polynomial. So that
fits my scheme. Okay. Now, this is a massive
sum of grid diagrams with the same Alexander
Polynomial. Now, how does the merchant verify
the money? So, first of all, remember that
I can make a move on a grid diagram and get
another one. So after each possible grid moves,
I could take one of these state factors g
and get another one g prime. It may be the
same if the grid move doesn't do anything
to it, but it may change it. Now, this now
a quantum operator. So I took this classical
Reidemeister move and I turned it into a quantum
[INDISTINCT]. Now, for simplicity, let's just
take row to be 1, my weight function to be
1, otherwise life is too complicated. So I
put a little twiddle on my money state because
I want to indicate that I've made the untrue
assumption that row is 1 for the sake of my
little discussion. So the money is this uniform
supposition of all grid diagrams with Alexander
Polynomial p. It's not normalized now because
of the infinite sum, because I got rid of
my cutoff. So--but if I--the point thing here
is that if I act with a Reidemeister move--I
have all grid diagrams with this Alexander
Polynomial--but if I make a move, I get back
the--every state goes to somewhere else, you
know, one to one fashion. So this uniform
superposition of all possible grid diagrams
is invariant under the move because it has
every possible grid diagram in it. And the
moves just take it to--it just takes each
one to another or leaves it alone. So my state,
my money state, is invariant on all the grid
moves and that's because it contains all grid
diagrams with the Alexander Polynomial and
the grid moves don't change the Alexander
Polynomial. So the merchant verifies the quantum
state like checking that it is invariant under
all the grid moves. And in fact this--maybe
I'll skip this slide--the merchant can check
all grid moves at once. I won't show you how
you do this. This is maybe too technical,
quantum mechanically. So the merchant can
check all the grid moves at once using--the
miracles of quantum mechanics. So, like, he
can or she can actually make a check where
he looks at every conceivable grid move at
one time. And so the quantum money state is
invariant under all grid moves and, therefore,
with a quantum computer the merchant can verify
that tendered money is invariant. And that
means that we--oh, man, every time I touch
it, I get the same thing. Go away. So what
this--so this is our money scheme. The mint
can produce pairs; p and the state dollar
p. Each serial number is different because--I
don't know, when you make a measurement, what
Alexander Polynomial you're going to get.
And a rogue mint cannot produce the same serial
number. The reason is--it's because, you see,
the Alexander Polynomial that comes out is
a random--it's a random--it looks like a random
string and there's no way that a rogue mint
can, given that serial number, make the superposition--well,
excuse me. I should say, we don't know how.
We don't know how and nobody seems to be able
to figure out how given an Alexander Polynomial
value, you can find--make the superposition
over all grid diagrams with that Alexander
Polynomial. And if the mint tries to counterfeit
the money by making its own, its Alexander
Polynomials will be different. Yeah.
>> How did you get the all the [INDISTINCT]
or did you get the same Alexander Polynomial
[INDISTINCT]?
>> FARHI: Because we start in the uniform
superposition of every imaginable grid diagram.
We then compute the Alexander Polynomial to
the next register. And then--so now, we have
a superposition of all grid diagrams and each
one has its associated Alexander Polynomial.
We then measure the second register. And when
you make a measurement, you get one value
of the Alexander Polynomial and the register
just to the left of it states the sum of all
the grid diagrams with that value. That...
>> [INDISTINCT]
>> FARHI: I'm sorry?
>> Sum--is that--are you [INDISTINCT] superposition?
>> FARHI: Yes, superposition, superposition.
Yes, superpositions. Meaning to say it's a
superposition. So money has certain features.
A rogue mint cannot produce the same serial
numbers; tendered money can be verified; we
do not know how to counterfeit the bills;
and our security is based on the inability
to tell if two mint diagrams represent equivalent
links. Yeah.
>> [INDISTINCT].
>> FARHI: A mint cannot produce two bills
with the same serial number. A mint can only--a
mint can only produce--when a mint does a
production run, it gets a series of serial
numbers which you cannot determine in advance.
No two are the same. And in fact, in order
for the money to be truly secure, the mint
has to publish a list of valid serial numbers
because, otherwise, a rogue mint could simply
redo what the first mint did. So there has--so
the merchant has to have a list of valid serial
numbers. But the point is, of this money scheme,
is that the merchant never has to make contact
with the mint again. The merchant is independent
of the mint. No individual bills have to go
back to the mint. You don't have to send your
credit card number back to the credit card
company in order to verify it. The merchant
can just take care of it on the spot. And
that's it; we made quantum money. So that's
my talk.
>> [INDISTINCT].
>> FARHI: I'm sorry?
>> I said step four, profit.
>> FARHI: Profit. Yeah, I don't know. Talk
to my--that's what my family says, you know,
"What's the good of this?" So... Yeah?
>> [INDISTINCT].
>> FARHI: Well, that's right. But it could
be that there's a quantum Internet and, you
know, photons come down the quantum Internet
and they appear on your, you know, down fiber
optic cables. Because there is--remember I--remember
the reason when I did that little introduction
about secure communication, is because people
do send photons down quantum fibers, be sure
that there's no eavesdropping and quantum
states all sent down fiber optic cables. So
if you had a quantum Internet, you could communicate
in this way.
>> And it would be easy for people to destroy
them.
>> FARHI: Very easy. But that--you know, it's
very easy for you to destroy money, right?
If you--I'd take your wallet, I can reduce
its value to zero. This is not any great power
I have. I can easily do it. Yeah. Yeah?
>> [INDISTINCT]?
>> FARHI: No. It's really a measurement process.
I was a little bit--there really is a measurement.
>> [INDISTINCT] like measurement [INDISTINCT]
state in a class [INDISTINCT]?
>> FARHI: Well, no, it doesn't change the
state at all. In fact, what happens is, when
the money comes in, and it comes out, and
it says good money, the money is not damaged
at all. The money is an igon state of the
operator--of the verification operator, which
I didn't really show, and it's completely
undamaged. You don't want the money to be
damaged by the verification. So there's no
damage to the money, assuming everything works,
you know. So--yeah?
>> Is there a way to verify without [INDISTINCT]
the money? Like there's no--there's no real
way to--let's say, I have this [INDISTINCT],
like they don't know that you have the money
[INDISTINCT]?
>> FARHI: Well, I don't know about that. That
would be interesting whether, you know, you
could say, "I have--you know, I want to convince
you that I have valid money, but I don't hand
it to you."
>> Yeah.
>> [INDISTINCT]
>> FARHI: I don't know. I don't know. I'm
sorry?
>> [INDISTINCT] you can't convince somebody
that you have the money [INDISTINCT].
>> FARHI: I see. He's just saying, we should
be able to verify the money before I hand
it to you.
>> [INDISTINCT] Yes.
>> [INDISTINCT].
>> FARHI: I could have a clear--I could have
escrow account. I could--there could be a
quantum--yeah, there could be trusted parties.
You know, I could set up a business, maybe
this is how I'll make money; you hand me your
quantum money, and I will verify that it's
quantum money, and you pay me to verify that
because you don't have a quantum computer,
and then I'll pass it back to you. And if
it's no good, I can say, "Don't deal with
that guy." That's a money-making scheme. Go
ahead.
>> Is there a way to have a data payload associated
with a serial number?
>> FARHI: A data payload?
>> I mean, is there some data associated with
your serial number?
>> FARHI: Oh, yeah, but it's not that big,
right, because, you know, suppose I have a
zillion bills and each one has a serial number
that's, you know, 10,000 bits long. It's still
pretty small. I think the database of all
bills with their associated security numbers
is quite small. We could also use some kind
of public digital signatures. We could also
probably use it as digital signatures where,
you know, [INDISTINCT] I'm sorry, I lost the
mic.
>> It's still attached to the [INDISTINCT].
>> FARHI: Okay. Well, I'll hold it then. Okay?
Could you still hear me remotely? Yeah. They
left? Yeah, okay, go ahead. All right, are
there any other questions?
>> Just the superpositions, [INDISTINCT] seems
to be really huge.
>> FARHI: Huge superposition, that's what
makes it hard to make. If it was a small--you
see, if I gave you--if I give you an Alexander
Polynomial, I can find a graph--excuse me--a
grid diagram that represents a link with that
Alexander Polynomial. What's very hard to
make is the huge superposition. I mean, making
huge superpositions over things is--if people
who know a little bit more about quantum information,
that's a very desirable thing to be able to
do. Like, for example, if I give you a--do
people know what the graph isomorphism problem
is? The graph isomorphism problem is the following
problem; I give you two graphs, and I ask
you whether there's a permutation of the vertices
of one graph that makes--turns it into the
other. Now, that problem is actually easy
on average, but there's no known algorithm
that will solve it in the worst case. There
is a very simple quantum way to do it. And
the simple quantum way to do it is if I gave
you a graph--I mean, excuse me. I don't mean
to actually do it. There's a simple idea which,
if you could implement, would do it. Suppose
I gave you a graph and I gave you--and I could
turn the graph into the superposition over
all permutations of the graph. Well, if I
give you another graph and I turn it into
the superposition of all permutations of that
graph, if those two graphs are isomorphic,
then those two superpositions are the same
because it's all permutations of the graph.
So two--so two graphs which are isomorphic
map to the same two superpositions, and you
could always check if two vectors are the
same. So if you could make a massive superposition
of all permutations of a graph, you would
solve graph isomorphism. And nobody knows
how to do that. Making massive superpositions
is difficult. Now, you could ask, "Why didn't
we do--make our money using graph--the inability
to make that superposition for graph isomorphism?"
and that's because graph isomorphism is easy
on average.
