#
A View from **Emerging Technology From the arXiv**

## Will Quantum Money Breed Quantum Crime?

A new scheme for making quantum money could lead to cash that cannot be counterfeited. But it may also lead to a new breed of quantum crime.

In the last couple of years, a number of quantum dignitaries have become interested in the (relatively) ancient problem of quantum money.

The challenge is to create a quantum state that can work as a form of money. Just like ordinary cash, quantum cash would be exchanged in lieu of goods. It would be sent and received over the internet without the need to involve third party parties such as banks and credit card companies. That would make transactions anonymous and difficult to trace, unlike today’s online transactions which always leave an electronic paper trail. That’s one big advantage over today’s money.

Another is that quantum states cannot be copied so quantum cash cannot be forged.

But quantum cash must have another property: anybody needs to be able to check that the money is authentic. That turns out to be hard because measurements on quantum states tend to destroy them. It’s like testing classical bills by seeing whether they burn.

But there is a way round this based on the ideas behind public-key encryption. The idea here is to find a mathematical process that is easy to do in one direction but hard in the opposite direction. Multiplication is the famous example. It’s easy to multiply two numbers together to get a third but hard to start with the third number and work out which two factors created it.

Public-key encryption exploits this asymmetry. The scheme is to publish a public key that anybody can use to encrypt a message. This is an easy process like multiplication. However, decrypting the message is hard for anyone who doesn’t have another key which is kept private. This is equivalent to the factoring process.

The curious thing about this process is that its security is unproven. Everyone just accepts that it is secure because nobody has found a way to factor numbers easily, despite many years of trying.

There maybe a way to factor numbers easily and if it is found public-key encryption would become useless overnight. But until then, everybody thinks this method is secure. The important thing is that public key encryption is not based on any mathematical proof of security but rests on the common belief that it probably is secure.

The question for quantum money gurus us whether a similarly asymmetric process can lead to a similar security assurance for quantum cash.

Last year, we looked at one scheme put forward by a group at the Massachusetts Institute of Technology in Cambridge. This group has been making and breaking quantum money schemes for some time now.

Their idea is to create quantum money that consists of two parts: a quantum state, like the quantum properties of a group of photons, and a classical serial number that is matched to the quantum state.

Any user of quantum money can verify that this money is kosher using a quantum algorithm running on a quantum computer. If the serial number matches the quantum state, the computer returns the money for future use. If it doesn’t match, the money must be a forgery. In this case the money is destroyed.

The security of this scheme rests on the difficulty that a forger would have creating a quantum state that can fool the verifying algorithm.

The trouble is that all the quantum money schemes until now have turned out to be insecure. There are always various loopholes that a forger can use to trick the verifying algorithm into accepting counterfeit quantum states.

Today this group (or at least most of them) led by Edward Farhi put forward a new approach which they hope will be secure. Their quantum cash is based on a new kind of asymmetry: that two identical knots can look entirely different. So while it may be easy to make either knot, it is hard to find a way to transform one into the other.

Farhi and co say: “The purported security of our quantum money scheme is based on the assumption that given two different looking but equivalent knots, it is difficult to explicitly find a transformation that takes one to the other.”

That looks interesting but it faces the challenge of common acceptance. It may be that the quantum knot approach is secure and so will not be broken in the near future. But not breaking such a scheme is not the same as proving it secure. So it may also defy attack and yet still be insecure in some yet-to-be-discovered way.

What Farhi and co are hoping is that in 20 years, when a quantum internet capable of carrying quantum cash has finally been built, that the quantum knot conundrum will still look as asymmetric as it does now.

By then, we might be ready to accept it as the basis of quantum money.

Even then, there is another problem with quantum money that will make it impractical for most people to accept. And that is the limitations of the verifying algorithm. This returns your quantum money if it is real and destroys it if it is a forgery.

The focus so far has been on the chances that the algorithm will accept a piece of forged quantum cash. And the (hoped for) answer is that the probability of this happening can be made arbitrarily small so quantum cash will be effectively unforgeable.

But most legitimate users will want the answer to the converse problem: what are the chances that the algorithm will destroy a perfectly good piece of quantum cash?

The quantum eggheads may attempt to reassure users by saying that the losses can be made arbitrarily small. That isn’t going to work. What they’re saying is that a small percentage of your hard-earned quantum cash will always disappear into thin air whenever you use it. Few individuals are likely to accept this this kind of ‘quantum tax’, far less a bank which processes billionsof dollars every day.

One way round this would be simply to mint more quantum money to make up for the losses. The problem here is the statistical nature of the process. It’s not hard to imagine malicious users stealing money and then claiming it has been lost to quantum taxes. Or claiming for quantum taxes which have not been incurred.

So while quantum cash prevents one type of malicious behaviour, it opens up an entirely new area of quantum crime. And that may be too high a price to pay.

Ref: arxiv.org/abs/1004.5127: Quantum money from knots