Added prelim files for final project LaTeX.

commit f0489bee9cc0208faf9e4910d730613de51c6ed5 1 parent ac72c03
Paul Pham authored
13 CSE599D/11wi/ppham-project-abstract.tex
@@ -0,0 +1,13 @@
+In this project, I critique the public-key quantum money scheme of
+\cite{Farhi2010} based on the hardness of finding equivalent
+mathematical knots and creating a weighted superposition of
+corresponding grid diagrams that correspond to the same Alexander
+I sketch a loose upper bound for the damage to a valid
+money state from the verification procedure and characterize the
+desired behavior of Markov chain mixing in order to distinguish
+valid and invalid money states with a polynomial number of trials.
+In conclusion, I propose extensions to this work to create
+a more concrete scheme and to defend against future attacks.
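Review bot: the sentence that ends at "correspond to the same Alexander" is cut off before its object; it should finish "Alexander polynomial." before "I sketch a loose upper bound" begins. The phrase "a weighted superposition of corresponding grid diagrams that correspond to" also doubles up "correspond"; "a weighted superposition of the grid diagrams that share the same Alexander polynomial" reads cleaner.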
49 CSE599D/11wi/ppham-project-attacks.tex
@@ -0,0 +1,49 @@
+\section{Possible Attacks}
+Since this scheme of quantum money from knots is based on conjectures, this
+points the way to several future attacks.
+\item Reverse engineering from the Alexander polynomial $p$. If the attacker
+could easily find all equivalent grid diagrams to a single "canonical" grid
+diagram corresponding to the serial number, he could create the correctly
+weighted superposition to duplicate $\ket{\$_p}$. Call
+$\mathcal{G}_{2\overline{D}}$ the set of all grid diagrams of up to size
+The attacker could enumerate over
+exponentially many grid moves within $\mathcal{G}_2\overline{D}$,
+or he could enumerate over all grids in $\mathcal{G}_2\overline{D}$ assuming
+he has an oracle for determining if two grid diagrams are equivalent.
+Both would take exponential time.
+Alternatively, suppose that a polynomial time algorithm exists to extract from
+each grid diagram
+(encoded in $O(\overline{D}^2)$
+bits) either the moves to get to all but exponentially many equivalent
+diagrams or (even more unlikely) the equivalent diagrams themselves.
+We would have to be able to upper bound the number of equivalent grid diagrams to
+also be $O(\overline{D}^2)$, which we currently don't know how to do.
+It turns out that a certain class of states can be efficiently copied, which
+includes the eigenstates of some classical reversible circuit.
+A special case of this
+are the states $\ket{\psi_{n,k}}$ used to enact arbitrary controlled phase
+rotations in the quantum compiling algorithm of Kitaev, Shen, and Vyalyi
+\cite{KSV02}, where the state to copy (say $\ket{\psi_{n,1}}$ which is hard
+to produce) is of the
+same form as the "empty" register to hold the new copy ($\ket{\psi_{n,0}}$, which
+is easy to produce). As in
+\ket{\psi_{n,1}}\otimes\ket{\psi_{n,0}} \rightarrow
+If it turns out that weighted superpositions of equivalent
+grid diagrams are within that class of states, then the valid money state
+$\ket{\$_p}$ could be copied into an entangled pair
+$\ket{\$_p} \otimes \ket{\$_p}$
+can somehow be used toese are somehow encoded in the grid diagram itself,
+waiting to be extracted.
+he might be able to somehow extractEven if he is given an
+oracle to
+come up with a "canonical" grid diagram corresponding to the serial number and
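Review bot: this file will not compile as shown: the `\item` at "Reverse engineering from the Alexander polynomial" has no enclosing list environment in the hunk, the display `\ket{\psi_{n,1}}\otimes\ket{\psi_{n,0}} \rightarrow` has no right-hand side, and the tail of the file ("can somehow be used toese are somehow encoded", "he might be able to somehow extractEven if he is given an") is unfinished draft text. Two smaller points: the set is introduced as `$\mathcal{G}_{2\overline{D}}$` but later written `$\mathcal{G}_2\overline{D}$` (subscript braces lost), and "the set of all grid diagrams of up to size" is missing its size. The paragraph on copying KSV02 eigenstates ("It turns out that a certain class of states can be efficiently copied") is repeated almost verbatim in ppham-project-future.tex; keep it in one place and cross-reference.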
52 CSE599D/11wi/ppham-project-damage.tex
@@ -0,0 +1,52 @@
+\section{Damage from Measuring Valid Money States}
+In Step 3, we are cutting off the tails of the Gaussian distribution
+to eliminate a certain class of equivalent knot diagrams with size close
+to $2\overline{D}$ or $2$ which are easy to create due to the edge cases
+in our Markov chain moves. Otherwise, these easily forgeable states would
+pass Step 4. How do we know this projection won't significantly damage a valid
+money state?
+First let's define the set of all equivalent
+grid diagrams $G$ with Alexander polynomial $p$ and with dimension outside
+the cutoff regions:
+\mathcal{G} = \{
+G:A(G)=p \land d(G) \in
+[2, \frac{\overline{D}}{2})
+\cap (\frac{3\overline{D}}{2},2\overline{D}]
+Then lets take the norm of the difference between the original valid money state
+$\ket{\psi}$ and the same state after its tails have been cut off,
+$\ket{\tilde{\psi}}$, which ends up just being the sum of the coefficients
+of grid diagrams in $\mathcal{G}$.
+|| \ket{\psi} - \ket{\tilde{\psi}} || \le
+\sum_{G \in \mathcal{G}} (\sqrt{q(d(G))})^2
+Recall that $q(d)$ is designed to be a Gaussian distribution with
+standard deivation $\sqrt{\overline{D}}/2$, which we can recenter to zero mean.
+Then we
+can calculate the area under the distribution from
+$\frac{\overline{D}}{2}$ to $\frac{3\overline{D}}{2}$ using the error function:
+F(\mu + n\sigma; \mu, \sigma^2) - F(\mu - n\sigma; \mu, \sigma^2) =
+\Phi(n) - \Phi(-n) \\ = \textrm{erf}(\frac{n}{\sqrt{2}}) =
+Here, $n = \sqrt{\overline{D}}/2$, and we can approximate the
+error function by:
+erf(\frac{\overline{D}}{2\sqrt{2}}) =
+\sqrt{1 - \exp(-\Omega(\overline{D}^2))} = 1 - \exp(\Omega(\overline{D}^2))
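Review bot: the tail-mass calculation is internally inconsistent. With the Gaussian centred at $\overline{D}$ with standard deviation $\sqrt{\overline{D}}/2$, the cutoff at distance $\overline{D}/2$ from the mean sits at $n = (\overline{D}/2)/(\sqrt{\overline{D}}/2) = \sqrt{\overline{D}}$ standard deviations, not $n = \sqrt{\overline{D}}/2$, and the erf argument is then $\sqrt{\overline{D}}/\sqrt{2}$ rather than $\overline{D}/(2\sqrt{2})$; the resulting tail is $\exp(-\Omega(\overline{D}))$, which is what ppham-project-markov.tex later assumes for $a$. The final line also drops the minus sign in the exponent (`1 - \exp(\Omega(\overline{D}^2))`). Two smaller points: $\mathcal{G}$ is the union of two disjoint intervals, so `\cap` should be `\cup`, and $(\sqrt{q(d(G))})^2$ is just $q(d(G))$. Typo: "deivation".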
58 CSE599D/11wi/ppham-project-future.tex
@@ -0,0 +1,58 @@
+\section{Future Extensions}
+To extend this scheme or prove it secure, we would need a better
+understanding of knots and quantum algorithms for them. The
+two obvious future extensions are to come up with a quantum algorithm
+for knot equivalence to attach the security of this scheme directly or
+to prove an eigenvalue gap for the Markov chain in the verification
+scheme. Aside from those, here are a
+few other interesting directions:
+\item Current schemes do not address the demand for currency.
+For a given security parameter $\overline{D}$,
+are there sufficiently many Alexander polynomials (serial numbers)
+available to supply the world with enough quantum bills?
+To do this, we would need to lower-bound the number of
+different knots that can be embedded in grid diagrams of up to size
+$2\overline{D}$, not including the unknot which has empirically been shown
+occupy the vast majority of grid diagrams.
+Quantum bills and coins currently have no denomination associated with
+them and so are of unit value.
+Is it possible to associate a denomination with quantum money, or to have
+it be dividable or combinable?
+It turns out that a certain class of states can be efficiently copied, which
+includes the eigenstates of the addition operator, $\ket{\psi_{n,k}}$,
+used to enact arbitrary controlled phase
+rotations in the quantum compiling algorithm of Kitaev, Shen, and Vyalyi
+\cite{KSV02}. The state to copy (say $\ket{\psi_{n,1}}$, which is hard
+to produce), but is of the
+same form as the "empty" register to hold the new copy
+($\ket{\psi_{n,0}}$, which
+is easy to produce). As in
+\ket{\psi_{n,1}}\otimes\ket{\psi_{n,0}} \rightarrow
+If it turns out that weighted superpositions of equivalent
+grid diagrams are within that class of states, then the valid money state
+$\ket{\$_p}$ could be copied into an entangled pair
+$\ket{\$_p} \otimes \ket{\$_p}$, either have of which would pass
+Interesting results which have emerged since the main paper \cite{Farhi2010}
+include a new online attack for Wiesner's original scheme
+\cite{Lutomirski2010} which involves the bank returning bogus bills.
+Incidentally, the related work \cite{Lutomirski 2010} addresses this same
+concern of a mint artificially inflating currency by releasing additional bills,
+and then sketches a solution using a \emph{collision-free} quantum money
+However, if one is not satisfied with the hardness of finding a connecting
+sequence of Reidemeister moves between any two grid diagrams, we can increase
+the hardness even further by embedding knots into three dimensions, using
+so-called \emph{cube diagrams}\cite{Baldridge2009}.
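Review bot: `\cite{Lutomirski 2010}` (with a space) will not resolve; the key used two lines earlier is `Lutomirski2010`. The `\item` at "Current schemes do not address the demand for currency" has no enclosing list in the hunk, and three passages are cut off mid-clause: "either have of which would pass", "a \emph{collision-free} quantum money", and "has empirically been shown occupy" (missing "to"). "attach the security of this scheme" should read "attack". The KSV02 copying paragraph duplicates ppham-project-attacks.tex, and here it sits under Future Extensions while the attacks file presents it as an attack, so decide which section owns it.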
41 CSE599D/11wi/ppham-project-intro.tex
@@ -0,0 +1,41 @@
+General quantum states cannot be cloned, but this apparent
+algorithmic disadvantage can be turned into a cryptographic advantage.
+Money is a common implementation of a
+real-life, physical one-way function:
+we want valid bills and coins to be easily creatable (via a
+\emph{minting algorithm} possibly with some classical secret) by a central
+bank but easily checkable (by a public \emph{verification algorithm})
+by anyone with access to a quantum computer.
+This project provides a critical summary of a recent proposed
+ quantum money scheme based on the properties
+mathematical knots \cite{Farhi2010}.
+The interested reader is referred to that paper for
+a good summary of prior work.
+While a promising approach, this scheme's Markov-chain-based
+verification algorithm is incomplete
+and may not be able to distinguish valid and invalid quantum money states.
+First, we briefly review knots and how they are used
+in the minting algorithm to create valid money states.
+Second, we move on to the main part of this paper, the dissection of the
+verification algorithm, including a calculation bounding how much
+damage is done to a valid money state and a discussion about our
+desired mixing properties for the Markov chain part.
+Then we expand upon existing attacks for this scheme.
+Finally, we conclude with future extensions to this exciting work to
+make the scheme more concrete.
+%\section{Related Work}
+%The unforgeability of quantum money was studied as early as Wiesner
+%\cite{}. Although his scheme provides information-theoretic security
+%in the sense of relying directly on the laws of physics, it has the
+%severe disadvantage of involving the mint in every transaction.
+%Ideally, we would like our quantum money to be publicly verifiable, that is,
+%without resorting to the trusted authority for every interaction.
+%Aaronson proved that public-key quantum money was possible relative to an oracle
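Review bot: "based on the properties mathematical knots" is missing "of". The commented-out Related Work block has an empty `\cite{}` after Wiesner; if it is ever uncommented it will produce a "?" citation, so either fill in the key or drop the block. Minor: the outline says "Then we expand upon existing attacks" while the section added in ppham-project-attacks.tex is titled "Possible Attacks".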
19 CSE599D/11wi/ppham-project-knots.tex
@@ -0,0 +1,19 @@
+\section{Knots and Grid Diagrams}
+Knots are three-dimensional mathematical objects analogous to a (directed) string
+that can be arbitrarily tangled with itself. Knots can be projected into
+two-dimensions where every string crossing is drawn as solid (the overcrossing
+segment) or broken (the undercrossing segment). However, string is a loose
+and messy analogy to deal with. To discretize knots into a useful computational
+tool, we can embed them into two-dimensional $d \times d$ grid diagrams,
+containing $d$ each of $X$ and $O$ markers, with exactly one of each in every
+column and row.
+A link is a collection of
+one or more directed knots, possibly separable.
+If a link is separable, or if a link is the unknot the Alexander polynomial of
+its corresponding grid diagrams is 0.
+Just as knots are invariant under Reidemeister moves,
+the Alexander polynomial is an invariant of knots embedded in grid diagrams
+under equivalent moves.
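Review bot: "If a link is separable, or if a link is the unknot the Alexander polynomial of its corresponding grid diagrams is 0" needs a comma after "unknot" and should be checked: a split (separable) link has Alexander polynomial 0, but the unknot's Alexander polynomial is 1 under the usual normalisation, so the two cases should not be lumped together; this matters for the serial-number count in ppham-project-future.tex, which excludes the unknot. Also "two-dimensions" should be "two dimensions", and "under equivalent moves" presumably means "under the corresponding grid moves".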
56 CSE599D/11wi/ppham-project-markov.tex
@@ -0,0 +1,56 @@
+\section{Markov Chain Mixing to Distinguish Money States}
+In Step 4 of the verification scheme, we apply a Markov chain
+$\hat{B}$ and then
+project onto its +1 eigenstates. This depends on valid money states
+being very close to +1 eigenstates of $\hat{B}$, much closer than
+the eigenstates corresponding to invalid money.
+Valid money states cannot be exactly +1 eigenstates, because those
+include mixing from grid diagrams in $\mathcal{G}$ above,
+with size in the tails that we cut off in Step 3. Therefore, our only
+hope is that the eigenvalues for $\ket{\$_p}$ being exponentially
+close to one and the eigenvalues for all other states being at least
+polynomially farther away.
+Unfortunately, we don't understanding enough about knots to make that
+claim for this particular Markov chain. This is the biggest open
+question and avenue for attack in our knot-based scheme.
+In particular, we don't know
+the eigenvalue gap, if any, between the lowest eigenvalue of
+a $\ket{\$_p}$ (call it $(1-a), a \in [0,1)$) and the highest eigenvalue of any other
+eigenstates (call it $(1-b), b \in [0,1)$). We are guaranteed to be exponentially close
+to some eigenstate of $\hat{B}$ after calculating and measuring the
+Alexander polynomial in Step 2 above.
+However, as dreamers, we can imagine what desirable properties we would
+like to prove for $\hat{B}$. First, we would like $b > a$, so that
+there is a gap. First, we would like to show that $a$ is
+small, so a $\ket{\$_p}$ doesn't degrade under
+$r$ repetitions of Markov chain verification and still projects
+to a +1 eigenstate with high probability.
+a = \frac{1}{\exp(\Omega(\overline{D}))}
+Second, we would like to show that $b$ is polynomially away from 1, so
+that under $r$ repetitions of Markov chain verification, it
+projects to a +1 eigenstate with low probability.
+b = \frac{1}{\Omega(\overline{D})}
+We would like to show that difference in probabilities increases
+exponentially close to 1 with $r$:
+(1-a)^r - (1-b)^r \ge (1 - ra) - (1 - rb) \\
+= r(b-a) =
+\frac{1}{\exp(\Omega(\overline{D}))} - \frac{1}{\Omega(\overline{D})}
+Therefore, if $(b-a)$ also increases exponentially closer to 1, we can
+get away with $r = \textrm{poly}(\overline{D})$ repetitions, so that our
+Markov chain verification procedure is tractable.
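Review bot: the derivation at the end does not establish what the text claims. Bernoulli's inequality gives $(1-a)^r \ge 1 - ra$ and $(1-b)^r \ge 1 - rb$, so subtracting the two lower bounds does not yield a lower bound on $(1-a)^r - (1-b)^r$; and the last line substitutes $a - b$ (negative, and without the factor $r$) for $r(b-a)$. A cleaner statement is that with $a = \exp(-\Omega(\overline{D}))$ and $b = 1/\Omega(\overline{D})$, $(1-a)^r$ stays close to 1 for polynomial $r$ while $(1-b)^r$ decays once $r$ is a sufficiently large multiple of $\overline{D}$. Also: the two desired properties are both labelled "First" (the second should be "Second" and the following "Third"), "we don't understanding" should be "understand", and "our only hope is that the eigenvalues ... being" needs "are".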
58 CSE599D/11wi/ppham-project-model.tex
@@ -0,0 +1,58 @@
+\section{Quantum Money}
+Consider notes which consist of a quantum state $\ket{\$_p}$ in
+a fixed basis $\mathcal{B}$
+and a classical serial number $p$,
+together with a global classical function $A$ which computes
+$p$ from the basis states. $\ket{\$_p}$ is a (possibly weighted) superposition
+of basis states $\ket{G}$ which are equivalent in the sense that they all map
+to the same value.
+\ket{\$_p} = \frac{1}{\sqrt{N}} \sum_{G:A(G)=p} q_G \ket{G}
+With respect to some security parameter $\overline{D}$,
+we would like a different serial number $p$ to be produced each time
+with probability exponentially close to 1 to prevent forgery through
+of the minting algorithm. For each $p$, or even from each $\ket{G}$ where
+$A(G)=p$, it should be difficult to find all equivalent basis states and
+to forge their superposition. We will see later that it is useful to
+shape the weights $q_G$ of the superposition, rather than have uniform
+distribution. So how do we do this? Two words: knots, maybe.
+Knots are like a loop of string which can be arbitrarily tangled
+itself in three dimensions. We
+can represent them in two-dimensions with $d \times d$
+\emph{grid diagrams}, where strands
+pass vertically and horizontally between $d$ \textsf{X} and
+$d$ \textsf{O} markers,
+one of each kind of marker in each column and row.
+Equivalently, we can encode a grid diagram purely through
+a pair of disjoint permutations $\Pi_{\textsf{X}}$
+and $\Pi_{\textsf{O}}$ on the integers $\{1, \ldots, d\}$.
+An Alexander polynomial can be computed for each knot based on its
+crossings and is invariant under the Reidemeister moves. Therefore,
+all grid diagrams of the same knot have the same Alexander polynomial
+and can be transformed into one another.
+However, it is conjectured to be hard (even for a quantum computer, on
+average) to be able to generate all such equivalent
+grid diagrams, or even more simply to determine if two grid diagrams are
+equivalent. However, we can easily create a quantum
+superposition of all grid encodings, compute their Alexander polynomials
+$p$ into a second register, then measure $p$ to be left with the
+superposition of all corresponding equivalent grid diagrams.
+This one-wayness, due to quantum measurement, combined with the classical
+one-wayness of digitally signing $p$, result in the one-wayness of
+the minting algorithm.
+Based on the leading notation above, you have probably guessed that the
+basis $\mathcal{B}$ consists of all grid diagrams of size $d$ which ranges
+from $2$ to $2\overline{D}$. The size of a grid diagram is
+denoted as $d(G)$.
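Review bot: "to prevent forgery through of the minting algorithm" is missing a word (presumably "through repeated use of"); "tangled itself" needs "with"; "result in the one-wayness" should be "results". One substantive point on `\ket{\$_p} = \frac{1}{\sqrt{N}} \sum_{G:A(G)=p} q_G \ket{G}`: the normalisation $N$ is never defined, and ppham-project-damage.tex treats $\sqrt{q(d(G))}$ as the coefficient (it squares it to get the tail mass), so either the amplitude here should be $\sqrt{q_G}$ or the damage calculation should use $q_G^2$; pick one convention and use it in both files.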
63 CSE599D/11wi/ppham-project-verify.tex
@@ -0,0 +1,63 @@
+So how do we verify a valid money state $\ket{\$_p}$ made up of possibly
+exponentially many, hard-to-find
+equivalent grid diagrams? The great insight of this knot scheme is that
+the local moves to transform one grid diagram into another can be
+compactly represented as a Markov chain. Simply allow a given state to
+mix according to this Markov chain for long enough, and it should reach
+some stationary distribution (the +1 eigenstates). If we truly started
+out with a valid $\ket{\$_p}$, then mixing won't change it. After we
+project onto the $+1$ eigenstates, with high probability $\ket{\$_p}$ will
+have outcome $+1$.
+However, there is one big wrinkle in that we have to limit ourselves
+to grid diagrams of a finite size (say $2\overline{D}$), and any moves
+which go beyond that limit will not happen in our Markov chain.
+There may be equivalent grid diagrams close to that size limit that will
+not mix as a result, and therefore these relatively small superpositions
+may be easy to forge. To get around this, we can define our superposition
+weights (and our corresponding Markov chain moves) to heavily favor
+grid diagrams close to some mean (say $\overline{D}$) and where we can
+cut off the tails without damaging out states too much. Therefore,
+we define the $q_G=q(d(G))$ weights in the previous section to be a
+function of the grid diagram's size and to give a
+Gaussian distribution centered at $\overline{D}$ with standard deviation
+The distribution is integer-valued, and the Markov chain walks over
+configuration pairs $(G,i)$ of diagram grid $G$ and a label
+$i \in [q(d(G))]$. Moves that takes us from $G$ to $G'$ where
+$i \ge q(d(G'))$ are not allowed.
+So that settles that. Now we're ready to tackle
+the main steps of verifying whether a pair $(\ket{\phi},p)$ is valid
+quantum knot money as follows. Keep in mind that
+rejection at any step results in
+the whole procedure rejecting.
+Verify that $\ket{\phi}$ is a superposition of valid encoded grid diagrams.
+Measure the Alexander polynomial on the state $\ket{\phi}$. If it is equal to $p$,
+continue. At this point, $\ket{\phi}$ is some superposition of
+equivalent grid diagrams, but we must make sure it is the correctly weighted
+superposition produced by our minting algorithm.
+Measure the projector onto grid diagrams with size in the range
+$\left[ \frac{\overline{D}}{2}, \frac{3\overline{D}}{2} \right]$,
+essentially cutting off its tails.
+If you get outcome $+1$,
+Apply $r$ trials of
+Markov chain verification and accept only if all trials have outcome +1.
+Two important things are worth noting about the last two steps, both of
+which we
+will examine in greater detail: the damage done to a valid money state by
+cutting off its tails,
+and how well the mixing properties of the Markov chain allow us
+to distinguish valid from invalid money states.
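Review bot: "Gaussian distribution centered at $\overline{D}$ with standard deviation" ends without the value; ppham-project-damage.tex uses $\sqrt{\overline{D}}/2$, so state it here too. The steps are referred to as Steps 2, 3 and 4 in the other files but appear here as bare sentences with no numbering, and "If you get outcome $+1$," is left hanging before "Apply $r$ trials". Minor: "Moves that takes us" should be "take", "damaging out states" should be "our".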
88 CSE599D/11wi/ppham-project.bib
@@ -0,0 +1,88 @@
+author = {Aaronson, Scott},
+doi = {10.1109/CCC.2009.42},
+file = {:Users/ppham/Downloads/noclone-ccc.pdf:pdf},
+isbn = {978-0-7695-3717-7},
+journal = {2009 24th Annual IEEE Conference on Computational Complexity},
+month = jul,
+pages = {229--242},
+publisher = {Ieee},
+title = {{Quantum Copy-Protection and Quantum Money}},
+url = {},
+year = {2009}
+abstract = {In this short note we highlight some of the differences between cube diagrams and grid diagrams. We also list examples of small cube diagrams for all knots up to 7 crossings and give some examples of links.},
+arxivId = {0907.5401},
+author = {Baldridge, Scott and McCarty, Ben},
+file = {:Users/ppham/Library/Application Support/Mendeley Desktop/Downloaded/Baldridge, McCarty - 2009 - Small examples of cube diagrams of knots.pdf:pdf},
+keywords = {Geometric Topology},
+month = jul,
+pages = {15},
+title = {{Small examples of cube diagrams of knots}},
+url = {},
+eprint = {abs/0907.5401},
+year = {2009}
+abstract = {Quantum money is a cryptographic protocol in which a mint can produce a quantum state, no one else can copy the state, and anyone (with a quantum computer) can verify that the state came from the mint. We present a concrete quantum money scheme based on superpositions of diagrams that encode oriented links with the same Alexander polynomial. We expect our scheme to be secure against computationally bounded adversaries.},
+arxivId = {1004.5127},
+author = {Farhi, Edward and Gosset, David and Hassidim, Avinatan and Lutomirski, Andrew and Shor, Peter},
+file = {:Users/ppham/Library/Application Support/Mendeley Desktop/Downloaded/Farhi et al. - 2010 - Quantum money from knots.pdf:pdf},
+keywords = {Cryptography and Security,Quantum Physics},
+month = apr,
+pages = {22},
+title = {{Quantum money from knots}},
+url = {},
+eprint = {abs/1004.5127},
+year = {2010}
+abstract = {Given a single copy of a quantum state |$\backslash$psi>, the no cloning theorem greatly limits the amount of information which can be extracted from it. On the other hand, given only a procedure which verifies the state, for example access to a measurement \{1-|psi><psi|, |psi><psi|\}, we cannot prepare |psi> or learn any information about it in polynomial time. In this paper, we consider the scenario in which we are given both a single copy of |psi> and the ability to verify it. We show that in this setting, we can do several things efficiently. We present a new algorithm called quantum state restoration which allows us to copy small subsystems of |psi>. In addition, we present algorithms that can perform tomography on small subsystems of |psi>, and we show to use these algorithms to estimate the statistics of any POVM acting on |psi> in time polynomial in the number of outcomes of the POVM. These algorithms put severe limitations on possible quantum money schemes.},
+arxivId = {0912.3823},
+author = {Farhi, Edward and Gosset, David and Hassidim, Avinatan and Lutomirski, Andrew and Nagaj, Daniel and Shor, Peter},
+file = {:Users/ppham/Library/Application Support/Mendeley Desktop/Downloaded/Farhi et al. - 2009 - Quantum state restoration and single-copy tomography.pdf:pdf},
+keywords = {Quantum Physics},
+month = dec,
+pages = {13},
+title = {{Quantum state restoration and single-copy tomography}},
+url = {},
+eprint = {abs/0912.3823},
+year = {2009}
+abstract = {Public-key quantum money is a cryptographic protocol in which a bank can create quantum states which anyone can verify but no one except possibly the bank can clone or forge. There are no secure public-key quantum money schemes in the literature; as we show in this paper, the only previously published scheme [1] is insecure. We introduce a category of quantum money protocols which we call collision-free. For these protocols, even the bank cannot prepare multiple identical-looking pieces of quantum money. We present a blueprint for how such a protocol might work as well as a concrete example which we believe may be insecure.},
+arxivId = {0912.3825},
+author = {Lutomirski, Andrew and Aaronson, Scott and Farhi, Edward and Gosset, David and Hassidim, Avinatan and Kelner, Jonathan and Shor, Peter},
+keywords = {Quantum Physics},
+month = dec,
+pages = {14},
+title = {{Breaking and making quantum money: toward a new quantum cryptographic protocol}},
+url = {},
+year = {2009}
+abstract = {Wiesner's quantum money [5] is a simple, information-theoretically secure quantum cryptographic protocol. In his protocol, a mint issues quantum bills and anyone can query the mint to authenticate a bill. If the mint returns bogus bills when it is asked to authenticate them, then the protocol can be broken in linear time.},
+arxivId = {1010.0256},
+author = {Lutomirski, Andrew},
+file = {::},
+keywords = {Quantum Physics},
+month = oct,
+pages = {2},
+title = {{An online attack against Wiesner's quantum money}},
+url = {},
+year = {2010}
+ author = "A. Yu. Kitaev, A.H. Shen, M.N. Vyalyi",
+ title = "Classical and Quantum Computation",
+ publisher = "American Mathematical Society",
+ address = "Providence, Rhode Island",
+ year = "2002"
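Review bot: the Kitaev, Shen and Vyalyi entry lists its authors as one comma-separated string ("A. Yu. Kitaev, A.H. Shen, M.N. Vyalyi"); BibTeX needs "and" between names or it will treat this as a single author. Several entries carry empty `url = {}` fields and machine-local `file = {...}` paths (one is `{::}`), which should be dropped before the file is shared; "publisher = {Ieee}" should be "IEEE".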
51 CSE599D/11wi/ppham-project.tex
@@ -0,0 +1,51 @@
+\title{Quantum Money From Knots}
+%\subtitle{CSE 599D Winter 2011: Final Project}
+\date{18 March 2011}
+\author{Paul Pham}
+\newcommand{\ket}[1]{|#1 \rangle}
+\newcommand{\bra}[1]{\langle #1 |}
+\newcommand{\braket}[2]{\langle #1|#2 \rangle}
+\newcommand{\norm}[1]{\parallel #1 \parallel}
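Review bot: `\newcommand{\norm}[1]{\parallel #1 \parallel}` uses `\parallel`, a relation symbol, so the bars get relation spacing around the argument; `\lVert #1 \rVert` (amsmath) is the delimiter form. Note also that ppham-project-damage.tex writes the norm as `|| ... ||` directly instead of using this macro.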
9 CSE599D/11wi/ppham-ps4.tex
@@ -137,6 +137,15 @@ \section{Optimality of super-dense coding and teleportation}
% Part C
+To teleport each of $n$ qubits, Alice needs to send two cbits to tell Bob
+in which basis to measure using the teleportation protocol. If she were able
+to do this with fewer than $2n$ cbits, with the EPR pairs that she shares with
+Bob being the entangled state, then we would violate the bound in
+the parts above.
+% Part D
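Review bot: "in which basis to measure" is not what the two classical bits do in teleportation: Alice performs the Bell-basis measurement, and her two bits tell Bob which Pauli correction to apply to his half of the EPR pair. The counting argument that fewer than $2n$ cbits would violate the bound from the earlier parts is fine; "with the EPR pairs that she shares with Bob being the entangled state" could be tightened to "using the shared EPR pairs as the entangled resource".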
12 CSE599D/11wi/temp.bib
@@ -0,0 +1,12 @@
+abstract = {Wiesner's quantum money [5] is a simple, information-theoretically secure quantum cryptographic protocol. In his protocol, a mint issues quantum bills and anyone can query the mint to authenticate a bill. If the mint returns bogus bills when it is asked to authenticate them, then the protocol can be broken in linear time.},
+arxivId = {1010.0256},
+author = {Lutomirski, Andrew},
+file = {::},
+keywords = {Quantum Physics},
+month = oct,
+pages = {2},
+title = {{An online attack against Wiesner's quantum money}},
+url = {},
+year = {2010}
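Review bot: this is a verbatim copy of the Lutomirski 2010 entry already added in ppham-project.bib (same arxivId 1010.0256, same abstract, same empty `file = {::}`); two copies will drift apart, so drop temp.bib or leave it out of the commit.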