# Rigorous security proof for Wiesner's quantum money?

+ 32 like - 0 dislike
1228 views

In his celebrated paper "Conjugate Coding" (written around 1970), Stephen Wiesner proposed a scheme for quantum money that is unconditionally impossible to counterfeit, assuming that the issuing bank has access to a giant table of random numbers, and that banknotes can be brought back to the bank for verification. In Wiesner's scheme, each banknote consists of a classical "serial number" $s$, together with a quantum money state $|\psi_s\rangle$ consisting of $n$ unentangled qubits, each one either

$$|0\rangle,\ |1\rangle,\ |+\rangle=(|0\rangle+|1\rangle)/\sqrt{2},\ \text{or}\ |-\rangle=(|0\rangle-|1\rangle)/\sqrt{2}.$$

The bank remembers a classical description of $|\psi_s\rangle$ for every $s$. And therefore, when $|\psi_s\rangle$ is brought back to the bank for verification, the bank can measure each qubit of $|\psi_s\rangle$ in the correct basis (either $\{|0\rangle,|1\rangle\}$ or ${|+\rangle,|-\rangle}$), and check that it gets the correct outcomes.

On the other hand, because of the uncertainty relation (or alternatively, the No-Cloning Theorem), it's "intuitively obvious" that, if a counterfeiter who doesn't know the correct bases tries to copy $|\psi_s\rangle$, then the probability that both of the counterfeiter's output states pass the bank's verification test can be at most $c^n$, for some constant $c<1$. Furthermore, this should be true regardless of what strategy the counterfeiter uses, consistent with quantum mechanics (e.g., even if the counterfeiter uses fancy entangled measurements on $|\psi_s\rangle$).

However, while writing a paper about other quantum money schemes, my coauthor and I realized that we'd never seen a rigorous proof of the above claim anywhere, or an explicit upper bound on $c$: neither in Wiesner's original paper nor in any later one.

So, has such a proof (with an upper bound on $c$) been published? If not, then can one derive such a proof in a more-or-less straightforward way from (say) approximate versions of the No-Cloning Theorem, or results about the security of the BB84 quantum key distribution scheme?

Update: In light of the discussion with Joe Fitzsimons below, I should clarify that I'm looking for more than just a reduction from the security of BB84. Rather, I'm looking for an explicit upper bound on the probability of successful counterfeiting (i.e., on $c$)---and ideally, also some understanding of what the optimal counterfeiting strategy looks like. I.e., does the optimal strategy simply measure each qubit of $|\psi_s\rangle$ independently, say in the basis

$$\{ \cos(\pi/8)|0\rangle+\sin(\pi/8)|1\rangle, \sin(\pi/8)|0\rangle-\cos(\pi/8)|1\rangle \}?$$

Or is there an entangled counterfeiting strategy that does better?

Update 2: Right now, the best counterfeiting strategies that I know are (a) the strategy above, and (b) the strategy that simply measures each qubit in the $\{|0\rangle,|1\rangle\}$ basis and "hopes for the best." Interestingly, both of these strategies turn out to achieve a success probability of (5/8)n. So, my conjecture of the moment is that (5/8)n might be the right answer. In any case, the fact that 5/8 is a lower bound on c rules out any security argument for Wiesner's scheme that's "too" simple (for example, any argument to the effect that there's nothing nontrivial that a counterfeiter can do, and therefore the right answer is c=1/2).

This post has been migrated from (A51.SE)
Welcome to TP.SE Scott! Good to see you here.

This post has been migrated from (A51.SE)
It seems like Wiesner's scheme corresponds exactly to BB84 where you post select on Bob having chosen exactly the same bases of measurement as Alice has for preparation (since the bank is both Alice and Bob). Clearly the bank could instead chose the measurement basis randomly, and simulate BB84, which would yield strictly weaker security (since you would consider exactly the same measurements but only on a subset of qubits), so you can surely use a proof of BB84 to lower bound the security of the quantum money scheme. Perhaps I'm missing something though.

This post has been migrated from (A51.SE)
Thanks for the welcome and the answer, Joe! FWIW, I share your intuition that a security proof for Wiesner's scheme ought to be "strictly easier" than a security proof for BB84. However, with that argument (like with every other one), I keep coming back to the same question: "so then what's the upper bound on c?"

This post has been migrated from (A51.SE)
Surely it is upper bounded by the probability of determining the key in BB84.

This post has been migrated from (A51.SE)
Also, while it would be OK to deduce the security of Wiesner's scheme from the security of BB84 if that's the only/best alternative, I hold out the hope that there should be a more direct and informative proof. Furthermore, it seems plausible that a direct proof would be needed for getting an explicit upper bound on c, or for getting a "reasonable" such bound (more like 0.9 than like 0.99999).

This post has been migrated from (A51.SE)
Joe, I checked the Lo-Chau paper, and unless I missed it, it didn't give an *explicit* upper bound on the copying probability -- just said that it decreases exponentially. In retrospect, I should've written my question differently: I already know how to give a "proof" using phrases like "surely it should be possible." ;-) My question is to give a proof that comes with a reasonable, explicit upper bound on c.

This post has been migrated from (A51.SE)
There is certainly a more direct way. You could simply write the eavesdropper as a unitary operator across the the note + an ancilla system. Expand it into a sum over Paulis, and then calculate the average projection onto the correct subspace as a function of the weight of the Paulis on the note subspace. You get exponential surpression in terms of the weight over that subspace. However for every qubit the operator doesn't act on you lose information in your clone, and the chance of it passing the test decreases exponentially. Balancing the two should then give a bound on $c$.

This post has been migrated from (A51.SE)
Given how basic the question is, I'm amazed no one has done this calculation before! I could try it, but I'd first have to look up what it means to expand a unitary into a sum over Paulis. In the meantime, I was sort of hoping that a security proof could give some insight into the question of *what the best counterfeiting strategy looks like.* In particular: is the best strategy simply to measure each qubit independently, say in the cos(pi/8),sin(pi/8) basis? Or is there an entangled counterfeiting strategy that does better?

This post has been migrated from (A51.SE)
The trivial cheating strategy succeeds w.p. $2^-n$: just leave the original valid bill alone and use a completely random state as the copy. Solving this problem completely requires some care in defining the types of cheating strategies that are allowed. There's an [interactive strategy](http://arxiv.org/abs/1010.0256) that takes linear time and works every time if the bank isn't careful about how it answers requests to verify bills, and a fully satisfactory proof would take queries to the bank into account.

This post has been migrated from (A51.SE)
Andy: What's ironic is that Paul Christiano and I now know how to prove the security of a *different* quantum money scheme, even against "interactive strategies" like the one you mention. (We call a scheme "query-secure" if it has that stronger security guarantee, though we'd be open to a better term.) For Wiesner's original scheme, by contrast, the very fact that any security proof needs to *break down* for interactive strategies, seems to be one factor that makes such a proof trickier.

This post has been migrated from (A51.SE)

+ 22 like - 0 dislike

It seems like this interaction can be modeled in the following way:

1. Alice prepares one of the states $|000\rangle$, $|101\rangle$,$(|0\rangle+|1\rangle)|10\rangle/\sqrt{2}$, $(|0\rangle-|1\rangle)|11\rangle/\sqrt{2}$, according to a certain probability distribution, and sends the first qubit to Bob.
2. Bob performs an arbitrary quantum channel that sends his qubit to two qubits, which are then returned to Alice.
3. Alice performs a projective measurement on the four qubit on her possession.

If I am not wrong about this (and sorry if I am), this falls within the formalism from Gutoski and Watrous presented here and here, which implies that:

1. From Theorem 4.9 in the second of those, it is optimal to Bob to act independently when Alice repeats this process with several qubits in an independent way, if the objective of Bob is to always fool Alice.
2. It is possible to obtain the value of c from a small semidefinite program. You can find more details of how to obtain this program in Section 3 here. See the comments for the cvx code for the program and its value.
This post has been migrated from (A51.SE)
answered Oct 25, 2011 by (260 points)
Thanks, Abel -- if this works, it will be an amazing way to completely destroy this problem! (And, incidentally, one of the clearest demonstrations of the power of the Gutoski-Watrous quantum games formalism.)

This post has been migrated from (A51.SE)
Btw, I marked this as my "accepted answer" now. Sorry, Daniel! :-D

This post has been migrated from (A51.SE)
I'm curious; if you added the four states $\cos(\pi/8) |0\rangle \pm \sin(\pi/8) |1 \rangle$ and $\sin(\pi/8) |0\rangle \pm \cos(\pi/8) |1 \rangle$ to the Bell states, would the value still be 3/4? That is, is the answer true for all inputs with real coefficients, or just the four Bell states? This might help us narrow down possible strategies.

This post has been migrated from (A51.SE)
The strategy is given by a quantum channel whose Choi-Jamielkowski representation is an optimal solution to the semidefinite program. See http://www.cs.uwaterloo.ca/~amolinap/optSolution.txt for a link to such a solution (the least significant qubit is the one received by Bob, and the other two are the ones he sends to Alice). If my calculations are correct, the corresponding channel sends |0> to (|01>+|10>)/√2 with probability 1/6, and to (3|00>+|11>)/√10 with probability 5/6. |1> is sent to (|01>+|10>)/√2 with probability 1/6, and to (|00>+3|11>)/√10 with probability 5/6

This post has been migrated from (A51.SE)
Similarly, (|0>+|1>)/√2 is sent to (|11>-|00>)/√2 with probability 1/6, and to (|00>+1/2|01>+1/2|10>+|11>)/√(5/2) with probability 5/6. Similarly, (|0>-|1>)/√2 is sent to (|11>-|00>)/√2 with probability 1/6, and to (|00>-1/2|01>-1/2|10>+|11>)/√(5/2) with probability 5/6.

This post has been migrated from (A51.SE)
@AbelMolina: I did a minor edit on your post to typeset the states in point one. I've triple checked that the states match with what you had before, but it'd be wise for you to check too. If you are at all uncomfortable with the change, you may of course roll back to the previous version.

This post has been migrated from (A51.SE)

This post has been migrated from (A51.SE)
+ 16 like - 0 dislike

The question of cloning the BB84 states was covered in the paper "Phase covariant quantum cloning" by Dagmar Bruß, Mirko Cinchetti, G. Mauro D'Ariano, and Chiara Macchiavello [Phys Rev. A, 62, 012302 (2000), Eq. 36]. They give an optimal cloner for these states (which is also an optimal cloner for any states $\alpha |0\rangle + \beta |1\rangle$ with $\alpha$, $\beta\in \mathbb{R}\:$). They do not optimize using the same fidelity measure that you are asking about, but I suspect that their cloner is optimal for your question. Their cloner gives success probability $$\left(\frac{1}{2}+ \frac{1}{\sqrt{8}}\right)^{2n} \approx .72855^n$$ for counterfeiting $n$ BB84 states, quite a bit better than $(\frac{5}{8})^n$.

UPDATE: Bruß et al.'s optimal cloner is given by $\sum_{i=1}^2 A_i \rho A_i^\dagger$ where

$$A_1 = \left( \begin{array}{cc} \frac{1}{2}+\frac{1}{\sqrt{8}} & 0\\ 0 & \frac{1}{\sqrt{8}}\\ 0 & \frac{1}{\sqrt{8}}\\ \frac{1}{2}-\frac{1}{\sqrt{8}} & 0 \end{array} \right) \ \ \ \ A_2 = \left(\begin{array}{cc} 0& \frac{1}{2}-\frac{1}{\sqrt{8}} \\ \frac{1}{\sqrt{8}}&0\\ \frac{1}{\sqrt{8}}&0\\ 0&\frac{1}{2}+\frac{1}{\sqrt{8}} \end{array} \right) .$$

The optimal cloner found by the solution to Abel's semindefinite program is $\sum_{i=1}^2 A_i \rho A_i^\dagger$ where:

$$A_1 = \frac{1}{\sqrt{12}}\left( \begin{array}{cc} 3 & 0\\ 0 & 1\\ 0 & 1\\ 1 & 0 \end{array} \right) \ \ \ \ A_2 = \frac{1}{\sqrt{12}}\left(\begin{array}{cc} 0& 1 \\ 1&0\\ 1&0\\ 0&3 \end{array} \right) .$$

These clearly come from the same family of transformations, but have been optimized to satisfy different objective functions. This family of covariant transformations appears to be given by

$$A_1 = \frac{1}{\sqrt{2x^2+4y^2}}\left( \begin{array}{cc} x+y & 0\\ 0 & y\\ 0 & y\\ x-y & 0 \end{array} \right) \ \ \ \ A_2 = \frac{1}{\sqrt{2x^2+4y^2}}\left(\begin{array}{cc} 0& x-y \\ y&0\\ y&0\\ 0&x+y \end{array} \right) .$$

This post has been migrated from (A51.SE)
answered Oct 26, 2011 by (780 points)
Thanks, Peter! It would be great to show optimality or even near-optimality of their cloner. For that, I guess the first step would be showing that the optimal attack is individual rather than collective.

This post has been migrated from (A51.SE)
If Abel Molina's approach works, it should demonstrate this. If not, you should be able to use the techniques in the optimal cloner papers to get an upper bound, but I don't immediately know what it would be.

This post has been migrated from (A51.SE)
By adding the states $(|0\rangle + i |1\rangle)/\sqrt{2}$ and $(|0\rangle - i |1\rangle)/\sqrt{2}$ to the original four, it seems that the optimum falls to $c = 2/3$. An optimal channel for Bob is again given by Peter's family of channels, with $x = y = 1$.

This post has been migrated from (A51.SE)
@John: this transformation is the original quantum cloner of Bužek and Hillery. I think what's going on is that there's a one-parameter family of covariant quantum cloners for real-amplitude qubit states. If you require covariance for all states, not just real-amplitude ones, you get only the $x=y=1$ one. (Covariant here means: if you apply the same real rotation to the input and the output state spaces, you get the same transformation. Of course, this is still true if you apply a rotation to the input space first, so you have to also require that the overlap is maximized with no rotation.)

This post has been migrated from (A51.SE)
+ 14 like - 0 dislike

I don't know of a published security proof. I would think the simplest way and strongest bound would come from approximate no-cloning, but I guess you'd need a version specialized for the BB84 states. Even a reduction from BB84 is not obvious, since the security condition for BB84 is different.

I do think you can get a proof straightforwardly as a consequence of the security proof of uncloneable encryption (quant-ph/0210062). This won't get a tight upper bound on the cheating probability, but at least it gives security.

In uncloneable encryption, A sends B a classical message using quantum states. (A and B share a secret key.) The security condition is two-fold: a) When Eve intercepts the initial transmission, she gets no information about message. b) Whatever strategy Eve adopts, either she will be caught by Bob with very high probability, or her residual state $\rho_k$ when the key is k has almost no information about the message. b says that if Eve is unlikely to be caught, she retains no information about the message even if she later learns the key used by A and B. This is interpreted as a no-cloning result: Eve could steal the ciphertext, but she cannot copy it without messing up Bob's received message.

This can be used to create a quantum money scheme: Bank A uses uncloneable encryption to encrypt a random string the "message". There is an uncloneable encryption scheme which is basically BB84, so this could give Weisner's scheme. Eve intercepts the money, interacts with it, and sends the modified original on to Bank B. She also tries to make a copy, which goes to Bank C. Banks B and C accept if the state provided to them passes the uncloneable encryption eavesdropping test, and if they decode the correct random "message" string. Uncloneable encryption property b says that, with high probability, either B's copy fails the eavesdropping test or C's copy contains almost no information about the message. This is stronger than needed, but sufficient to prove security.

For best asymptotic attack, I would imagine, due to quantum de Finetti, that the best collective attack is the same as the best individual attack.

This post has been migrated from (A51.SE)
answered Oct 24, 2011 by (240 points)
Thanks so much, Daniel! I'll continue looking for an argument that gives an explicit bound on c, but in the meantime, this is extremely helpful. I went ahead and marked your answer as "accepted."

This post has been migrated from (A51.SE)

 Please use answers only to (at least partly) answer questions. To comment, discuss, or ask for clarification, leave a comment instead. To mask links under text, please type your text, highlight it, and click the "link" button. You can then enter your link URL. Please consult the FAQ for as to how to format your post. This is the answer box; if you want to write a comment instead, please use the 'add comment' button. Live preview (may slow down editor)   Preview Your name to display (optional): Email me at this address if my answer is selected or commented on: Privacy: Your email address will only be used for sending these notifications. Anti-spam verification: If you are a human please identify the position of the character covered by the symbol $\varnothing$ in the following word:p$\hbar$ysicsO$\varnothing$erflowThen drag the red bullet below over the corresponding character of our banner. When you drop it there, the bullet changes to green (on slow internet connections after a few seconds). To avoid this verification in future, please log in or register.