We investigate the security assumptions behind three public-key quantum money schemes. Aaronson and Christiano proposed a scheme based on hidden subspaces of the vector space $\mathbb{F}_2^n$ in 2012. It was conjectured by Pena et al. in 2015 that the hard problem underlying the scheme can be solved in quasi-polynomial time. We confirm this conjecture by giving a polynomial time quantum algorithm for the underlying problem. Our algorithm is based on computing the Zariski tangent space of a random point in the hidden subspace. Zhandry proposed a scheme based on multivariate hash functions in 2017. We give a polynomial time quantum algorithm for cloning a money state with high probability. Our algorithm uses the verification circuit of the scheme to produce a banknote from a given serial number. Kane proposed a scheme based on modular forms in 2018. The underlying hard problem in Kane's scheme is cloning a quantum state that represents an eigenvector of a set of Hecke operators. We give a polynomial time quantum reduction from this hard problem to a linear algebra problem. The latter problem is much easier to understand, and we hope that our reduction opens new avenues to future cryptanalyses of this scheme.
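To make the Zariski tangent space idea concrete, here is an added classical toy model, not code from the paper and only a simplified stand-in for the actual Aaronson-Christiano construction (the key-generation details below are assumptions): the public key is a list of cubic polynomials over $\mathbb{F}_2$ vanishing on a hidden subspace $A$, and the kernel of their Jacobian at a point of $A$ (the tangent space of the variety they cut out) is $A$ itself. The quantum step of the paper's algorithm, obtaining a point of $A$ from the money state, is replaced here by simply taking a point from the secret basis.

```python
# Added toy model of the hidden-subspace setting (an assumption for this example,
# not the paper's construction): the public key is a list of degree-3 polynomials
# over F_2 vanishing on a secret subspace A of F_2^n, built as sum_k l_k * q_k with
# l_k the linear forms vanishing on A and q_k random polynomials of degree <= 2.
# Vectors of F_2^n are ints used as bitmasks; a polynomial is a set of monomials,
# each a sorted tuple of variable indices (a repeated index is a higher power).
import random
from functools import reduce
from operator import xor

def pmul(p, q):  # product over F_2; symmetric difference of sets is addition mod 2
    out = set()
    for a in p:
        for b in q:
            out ^= {tuple(sorted(a + b))}
    return out

def peval(p, x):  # value of p at the point x; the empty monomial is the constant 1
    return sum(all(x >> i & 1 for i in m) for m in p) & 1

def pdiff(p, i):  # formal d/dx_i: x_i^e -> e*x_i^(e-1), so even powers vanish mod 2
    return {m[:m.index(i)] + m[m.index(i) + 1:] for m in p if m.count(i) & 1}

def nullspace(rows, n):  # basis of {v : <r, v> = 0 for all r in rows} over F_2
    piv = {}  # pivot column -> fully reduced row
    for r in rows:
        for p, q in piv.items():
            r ^= q if r >> p & 1 else 0
        if r:
            p = r.bit_length() - 1
            piv = {k: q ^ r if q >> p & 1 else q for k, q in piv.items()}
            piv[p] = r
    free = [c for c in range(n) if c not in piv]
    return [(1 << f) | sum(1 << p for p, q in piv.items() if q >> f & 1) for f in free]

def keygen(n, rng):  # secret basis of A and 8n public cubics that vanish on A
    A = [rng.getrandbits(n) for _ in range(n // 2)]
    ann = [{(i,) for i in range(n) if l >> i & 1} for l in nullspace(A, n)]
    rq = lambda: {tuple(sorted(rng.choices(range(n), k=rng.randint(0, 2)))) for _ in range(4)}
    return A, [reduce(xor, (pmul(l, rq()) for l in ann), set()) for _ in range(8 * n)]

def tangent_space(pub, x, n):  # kernel of the Jacobian of the public polynomials at x
    rows = [sum(peval(pdiff(p, i), x) << i for i in range(n)) for p in pub]
    return nullspace(rows, n)

def recover(n, seed):  # does the tangent space at a point of A span exactly A?
    rng = random.Random(seed)
    A, pub = keygen(n, rng)
    T = tangent_space(pub, A[0] ^ A[1], n)  # any point of A works in this toy model
    return len(nullspace(A + T, n)) == len(nullspace(A, n)) == len(nullspace(T, n))
```

At a point $x \in A$ every $l_k(x)$ is zero, so by the product rule the gradient of $\sum_k l_k q_k$ at $x$ is $\sum_k q_k(x)\,\nabla l_k$, a vector in the annihilator of $A$; enough such rows span the annihilator and their common kernel is exactly $A$.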