Quantum Money

Can we use quantum physics to make a secure financial system?

The No-Cloning Theorem

The No-Cloning Theorem has direct implications for the possibility of quantum money. Today, sophisticated techniques can create ever more realistic counterfeits (check out North Korean superdollars). Fortunately, no-cloning eliminates counterfeits, which would massively boost everyone’s trust in the system. However, money also needs to be verifiable. As a result, Wiesner developed a quantum money scheme to demonstrate how quantum money could be verified.

Wiesner’s Quantum Money Scheme

The No-Cloning Theorem has direct implications for the possibility of quantum money. Today, sophisticated techniques can create ever more realistic counterfeits (check out North Korean superdollars). Fortunately, no-cloning eliminates the possibility for counterfeits, which safeguards the essential element of trust in the system. However, money also needs to be verifiable. Consequently, Wiesner’s quantum money scheme was created to demonstrate how quantum money can be verified.

Wiesner’s Scheme works as follows. A central bank prints bills for users. Each bill consists of:

  1. A classical serial number of m bits (let’s call this string s)

  2. A quantum state of n qubits. When printed, the bank initializes the qubits according to the diagram below.

To verify a bill, users bring the note back to the bank. The bank computes a random function f on s, which generates a random string of length 2n. This confidentially informs the bank which basis to measure the n qubits of the note in, since only the bank knows the random function f! When the bank measures each qubit in the correct basis, the bank can compare whether the serial number matches the qubits (if the ith pair in f(s) is 01, the ith qubit should be 1, etc.).

Why can’t money be counterfeited? Imagine trying to deceive the bank into falsely verifying a bill. You would need to provide an m-bit serial number that corresponds to some n-qubits, where this correspondence is made by an unknown random function. Without additional information about f, we can only prepare n qubits at random. Sometimes we’ll get lucky, and our qubit will match the correct answer, or our qubit will be in the wrong basis but have half-chance to be measured correctly. But the probability of succeeding can be proven to be at most (¾)^n, which drops off exponentially for large n.

Even if we start with a legitimate note and try to duplicate it, the No-Cloning theorem forbids us from copying the qubits needed for verification.

Safeguards Against Attacks

Can we imagine exploiting the bank in other ways? Sure! Assume we can make as many verification attempts as we like, and the bank simply hands us back the note. Then, we could start with a legit bill, alter its first qubit to be 0, and see if the bank consistently approves the bill. Doing this for every state allows us to be confident of what value the first qubit should be, and we can imagine doing this for every qubit. Then, we could simply make many bills with the same serial number and corresponding qubits. Woohoo!

There is an easy fix, of course. Don’t allow so many failed verification attempts.

Alright, but what if we take inspiration from the Elitzur-Vaidman bombs, and test qubit states without tripping any “failed” attempt threshold? After all, Elitzur-Vaidman queries are overwhelmingly likely to succeed in verification.

Unfortunately (or fortunately), a quick fix for the bank is to create and return a new bill of the same initial value, instead of the potentially altered bill.

Nevertheless, Wiesner’s scheme has a major drawback, which we hinted at earlier. We have to take our bills to the bank to verify for every transaction! What a pain. We’d like to replicate the convenience of cash, but with high-grade quantum security. Thus, the next step for quantum money is public-key quantum money.