Bitcoin vs.

Quantum money

Or Sattath (UC Berkeley)

Two approaches against
counterfeiting
 Reach consensus: who has the money?
 Examples: Bitcoin, ripple, paypal, banks.
 Seems necessary in electronic cash.

 No copying of a physical medium.

 Fiat money, gold, quantum money.

 As we will see, the problems we will

encounter are different from Bitcoin.
What is quantum money?
 It has similar properties to Bitcoin, achieved
in a very different way.
 It is based on the laws of Quantum
mechanics.
 Requires a Quantum Computer - not yet
available.
Overview
 Quantum mechanics and quantum
computation
 Wiesner’s quantum money scheme
 The properties of (more recent) quantum
money schemes.
 Is quantum money Bitcoin’s Friend or Foe?
Could Bitcoin be upgraded to QubitCoin?
Quantum Mechanics
 A theory which describes nature in the tiniest
to medium scales.
 Extremely well confirmed: Richard Feynman
compared its precision to predicting the
width of North America to an accuracy of
one human hair’s breadth.
 Quantum mechanics has some non-intuitive
properties.
Quantum Computing
 Computers that directly exploit the laws of
quantum mechanics.
 Quantum computers are not yet fully
implemented.
 Can solve several computational problems
exponentially faster than classical computers.
 Cannot solve NP-Complete problems efficiently.
 Can break Bitcoin’s digital signature scheme. See
http://bitcoinmagazine.com/6021/bitcoin-is-not-quantum
-safe-and-how-we-can-fix
/ for a fix.
Qubit
 A bit is a classical, (i.e. non-quantum)
abstraction of a system that can be in one of
two states.
 The implementation is not really important: hard drive,
memory, DVD, etc.
 A qubit is the quantum analogue of that.
To the blackboard…
Fact: The no cloning theorem
 It is impossible, by the laws of quantum
mechanics, to copy a qubit in an unknown
state.
 Intuition: tightly related to the uncertainty
principle. Cloning  no uncertainty. Also
vice versa.
Wiesner’s Quantum
Money Scheme
 First Quantum Information protocol (circa
1970).
 The bank has an algorithm for issuing
quantum money.
 The bank has (another) algorithm to test the
validity of quantum money.
 It is infeasible to counterfeit quantum money
(i.e. takes exponential time).
 Wiesner’s money – issuance
 Each note has two parts: a classical serial number,
and a quantum state.
 The classical serial number appears on the note.
 For each serial number, the bank keeps a random
(secret) classical sequence such as: +00-1-+
 The bank prepares the quantum state associated with
the secret sequence, and puts it on the bill.
21768 ↗→→↘↑↘
Classical part: ↗ Quantum part
serial number
Wiesner’s money - validation
 The user sends the note to the bank for
validation.
 The bank looks for the secret sequence
associated with the serial number.
 The bank measures each of the qubits in their
appropriate basis.
 If all the outcomes are as expected, the note
is declared as valid, otherwise as invalid.
Properties of Wiesner’s
Scheme
 Downsides:
 Communication with the bank is required for each validation.
(Anonymity issues)
 The bank can issue more money - without the users awareness.
 Security is tricky. [Lutomirski’10, Sattath & Nagaj’14]

 Upsides:
 Especially useful as a token, such as a bus ticket, where it is
not traded.
 Requires only a quantum calculator (not a full blown quantum
computer): only single qubit operations / memory /
measurements needed.
 Quantum memory is the only missing part.
Modern quantum money
schemes
 In the modern schemes, everybody can
verify the bills – the bank is not needed.
[Farhi et al.’10, Aaronson & Christiao’12]
 The bank cannot print more money without
users awareness. (Farhi et al.)
 Aaronson & Christiano’s security is based on the hardness
of a classical problem relative to a quantum attacker
(NICE!).
Is there a way to upgrade
Bitcoin to QubitCoin?
 A user will add the following message to the
blockchain:
“I declare that my bitcoin associated with
this private key is invalid; I created a
QubitCoin with an associated serial number
X.”
 The serial number is enough to validate the
money. (but the serial number is not enough
to copy the money)
 Comparison between Bitcoin
and QubitCoin
Bitcoin Quantum
Money
Security cost

~1% of total value in Security comes for

mining fees / rewards free. No miners…
is required.
 Comparison between Bitcoin
and QubitCoin
Bitcoin Quantum
Money
Security cost
Privacy / Anonymity
Bitcoin is
pseudonymous.
Improvements using
coin-join, ring Quantum money is
signatures, and zero- traceless.
knowledge proofs (zero-
cash).
 Comparison between Bitcoin
and QubitCoin
Bitcoin Quantum
Money
Security cost
Privacy / Anonymity
Issuer cannot forge
legitimate money
After (honest)
issuance, the issuer has
no way to forge
money.
 Comparison between Bitcoin
and QubitCoin
Bitcoin Quantum
Money
Security cost
Privacy / Anonymity
During issuance, the
Issuer cannot forge
issuer has no way to
legitimate money forge

Issuer cannot forge during

issuance
 Comparison between Bitcoin
and QubitCoin (continued)
Bitcoin Quantum
Money
Proof of payment
Buyer can convince a
third party that he has Problem: Transactions are
paid for a service. traceless.
See BIP-70. Partial solution:
installments, and digitally
signed receipts.
 Comparison between Bitcoin
and QubitCoin (continued)
Bitcoin Quantum
Money
Proof of payment
Digital transmission

*Requires a quantum
internet
 Comparison between Bitcoin
and QubitCoin (continued)
M-of-N Multi-sig, distributed Bitcoin Quantum
exchanges, assurance contracts, Money
Proof of payment
saving accounts, atomic cross
Same limitations
chain transactions, smart
Digitalproperty…
transmission as cash and gold.
Bitcoin 2.0 (smart
contracts, etc.)
 Comparison between Bitcoin
and QubitCoin (continued)
Bitcoin Quantum
Money
Proof of payment
As many copies of the
Digital transmission
private keys can be saved.
Complicated. -of-n or
less is impossible
Bitcoin
One copy2.0 (smart for
is sufficient (cloning).
contracts, etc.)
restoration.
Backup
Conclusions
 Peer to peer networks have disadvantages.
 Not everything should be distributed.

 Quantum money may be used in a

centralized way by central banks.
 ~$800M printing cost in the USA per year.
 ~3000 arrests per year.

 May be a strong competitor to Bitcoin, that is

hard to de-centralize, in the long run.
 Two way pegging (Bitcoin and QubitCoin)
References
 S. Wiesner. "Conjugate coding." ACM Sigact News 15.1
(1983): 78-88.
 E. Farhi, et al. "Quantum money from knots." Proceedings
of the 3rd Innovations in Theoretical Computer Science
Conference. ACM, 2012.
 S. Aaronson, and P. Christiano. "Quantum money from
hidden subspaces." Proceedings of the forty-fourth annual
ACM symposium on Theory of computing. ACM, 2012.
 A. Lutomirski. "An online attack against Wiesner's
quantum money."arXiv preprint arXiv:1010.0256 (2010).