Rigorous security proof for Wiesner's quantum money?

Question

In his celebrated paper "Conjugate Coding" (written around 1970), Stephen Wiesner proposed a scheme for quantum money that is unconditionally impossible to counterfeit, assuming that the issuing bank has access to a giant table of random numbers, and that banknotes can be brought back to the bank for verification. In Wiesner's scheme, each banknote consists of a classical "serial number" $s$, together with a quantum money state $|\psi_s\rangle$ consisting of $n$ unentangled qubits, each one either

$$|0\rangle,\ |1\rangle,\ |+\rangle=(|0\rangle+|1\rangle)/\sqrt{2},\ \text{or}\ |-\rangle=(|0\rangle-|1\rangle)/\sqrt{2}.$$

The bank remembers a classical description of $|\psi_s\rangle$ for every $s$. And therefore, when $|\psi_s\rangle$ is brought back to the bank for verification, the bank can measure each qubit of $|\psi_s\rangle$ in the correct basis (either $\{|0\rangle,|1\rangle\}$ or ${|+\rangle,|-\rangle}$), and check that it gets the correct outcomes.

On the other hand, because of the uncertainty relation (or alternatively, the No-Cloning Theorem), it's "intuitively obvious" that, if a counterfeiter who doesn't know the correct bases tries to copy $|\psi_s\rangle$, then the probability that both of the counterfeiter's output states pass the bank's verification test can be at most $c^n$, for some constant $c<1$. Furthermore, this should be true regardless of what strategy the counterfeiter uses, consistent with quantum mechanics (e.g., even if the counterfeiter uses fancy entangled measurements on $|\psi_s\rangle$).

However, while writing a paper about other quantum money schemes, my coauthor and I realized that we'd never seen a rigorous proof of the above claim anywhere, or an explicit upper bound on $c$: neither in Wiesner's original paper nor in any later one.

So, has such a proof (with an upper bound on $c$) been published? If not, then can one derive such a proof in a more-or-less straightforward way from (say) approximate versions of the No-Cloning Theorem, or results about the security of the BB84 quantum key distribution scheme?

Update: In light of the discussion with Joe Fitzsimons below, I should clarify that I'm looking for more than just a reduction from the security of BB84. Rather, I'm looking for an explicit upper bound on the probability of successful counterfeiting (i.e., on $c$)---and ideally, also some understanding of what the optimal counterfeiting strategy looks like. I.e., does the optimal strategy simply measure each qubit of $|\psi_s\rangle$ independently, say in the basis

$$\{ \cos(\pi/8)|0\rangle+\sin(\pi/8)|1\rangle, \sin(\pi/8)|0\rangle-\cos(\pi/8)|1\rangle \}?$$

Or is there an entangled counterfeiting strategy that does better?

Update 2: Right now, the best counterfeiting strategies that I know are (a) the strategy above, and (b) the strategy that simply measures each qubit in the $\{|0\rangle,|1\rangle\}$ basis and "hopes for the best." Interestingly, both of these strategies turn out to achieve a success probability of (5/8)ⁿ. So, my conjecture of the moment is that (5/8)ⁿ might be the right answer. In any case, the fact that 5/8 is a lower bound on c rules out any security argument for Wiesner's scheme that's "too" simple (for example, any argument to the effect that there's nothing nontrivial that a counterfeiter can do, and therefore the right answer is c=1/2).

Update 3: Nope, the right answer is (3/4)ⁿ! See the discussion thread below Abel Molina's answer.

This post has been migrated from (A51.SE)

Comments

Joe, I checked the Lo-Chau paper, and unless I missed it, it didn't give an *explicit* upper bound on the copying probability -- just said that it decreases exponentially. In retrospect, I should've written my question differently: I already know how to give a "proof" using phrases like "surely it should be possible." ;-) My question is to give a proof that comes with a reasonable, explicit upper bound on c.

This post has been migrated from (A51.SE)

---

There is certainly a more direct way. You could simply write the eavesdropper as a unitary operator across the the note + an ancilla system. Expand it into a sum over Paulis, and then calculate the average projection onto the correct subspace as a function of the weight of the Paulis on the note subspace. You get exponential surpression in terms of the weight over that subspace. However for every qubit the operator doesn't act on you lose information in your clone, and the chance of it passing the test decreases exponentially. Balancing the two should then give a bound on $c$.

This post has been migrated from (A51.SE)

---

Given how basic the question is, I'm amazed no one has done this calculation before! I could try it, but I'd first have to look up what it means to expand a unitary into a sum over Paulis. In the meantime, I was sort of hoping that a security proof could give some insight into the question of *what the best counterfeiting strategy looks like.* In particular: is the best strategy simply to measure each qubit independently, say in the cos(pi/8),sin(pi/8) basis? Or is there an entangled counterfeiting strategy that does better?

This post has been migrated from (A51.SE)

---

The trivial cheating strategy succeeds w.p. $2^-n$: just leave the original valid bill alone and use a completely random state as the copy. Solving this problem completely requires some care in defining the types of cheating strategies that are allowed. There's an [interactive strategy](http://arxiv.org/abs/1010.0256) that takes linear time and works every time if the bank isn't careful about how it answers requests to verify bills, and a fully satisfactory proof would take queries to the bank into account.

This post has been migrated from (A51.SE)

---

Andy: What's ironic is that Paul Christiano and I now know how to prove the security of a *different* quantum money scheme, even against "interactive strategies" like the one you mention. (We call a scheme "query-secure" if it has that stronger security guarantee, though we'd be open to a better term.) For Wiesner's original scheme, by contrast, the very fact that any security proof needs to *break down* for interactive strategies, seems to be one factor that makes such a proof trickier.

This post has been migrated from (A51.SE)

---

Thanks for the welcome and the answer, Joe! FWIW, I share your intuition that a security proof for Wiesner's scheme ought to be "strictly easier" than a security proof for BB84. However, with that argument (like with every other one), I keep coming back to the same question: "so then what's the upper bound on c?"

This post has been migrated from (A51.SE)

---

Surely it is upper bounded by the probability of determining the key in BB84.

This post has been migrated from (A51.SE)

Answer 1

It seems like this interaction can be modeled in the following way:

1. Alice prepares one of the states $|000\rangle$, $|101\rangle$,$(|0\rangle+|1\rangle)|10\rangle/\sqrt{2}$, $(|0\rangle-|1\rangle)|11\rangle/\sqrt{2}$, according to a certain probability distribution, and sends the first qubit to Bob.
2. Bob performs an arbitrary quantum channel that sends his qubit to two qubits, which are then returned to Alice.
3. Alice performs a projective measurement on the four qubit on her possession.

If I am not wrong about this (and sorry if I am), this falls within the formalism from Gutoski and Watrous presented here and here, which implies that:

1. From Theorem 4.9 in the second of those, it is optimal to Bob to act independently when Alice repeats this process with several qubits in an independent way, if the objective of Bob is to always fool Alice.
2. It is possible to obtain the value of c from a small semidefinite program. You can find more details of how to obtain this program in Section 3 here. See the comments for the cvx code for the program and its value.

This post has been migrated from (A51.SE)

Comments

Even so, I wonder if it's just a coincidence that the same success probability 3/4 appears in both places, or if there's some deeper reason for it.

This post has been migrated from (A51.SE)

---

@Scott: if you do this for six-state BB84, you get success probability $(2/3)^n$, which is the same success probability as the similar naive strategy with verification for one money state. I don't know what happens for 3-dimensional quantum states, but it should be easy to check for 9-state 3-d BB84 (or $d^2$-state $d$-dimensional BB84), since we know the optimal quantum cloner in this case, and if 3-dimensions works the same as 2, then the optimal quantum cloner should also be optimal for your question.

This post has been migrated from (A51.SE)

---

@Abel: Incidentally, if you haven't noticed, it's possible to rewrite the action of your cloner on the BB84 states in a much more symmetric way. Namely, let |B> be the conjugate state to |A>. Then for all |A> in {|0>,|1>,|+>,|->}, your cloner maps |A> to (3|AA>+|BB>)/sqrt(10) with probability 5/6, and to (|AB>+|BA>)/sqrt(2) with probability 1/6.

This post has been migrated from (A51.SE)

---

@AbelMolina: I did a minor edit on your post to typeset the states in point one. I've triple checked that the states match with what you had before, but it'd be wise for you to check too. If you are at all uncomfortable with the change, you may of course roll back to the previous version.

This post has been migrated from (A51.SE)

---

Since @AbelMolina's answer has been converted too an arXiv paper, http://arxiv.org/abs/1202.4010 , I add the link for future readers.

This post has been migrated from (A51.SE)

---

I also included cos(π/8)|0⟩±sin(π/8)|1⟩ and sin(π/8)|0⟩±cos(π/8)|1⟩, and the answer seems to be still 3/4.

This post has been migrated from (A51.SE)

---

In fact, for any state $\alpha | 0 \rangle + \beta |1\rangle$, $\alpha$ and $\beta$ real, the strategy has 3/4 chance of success. I just did the calculations.

This post has been migrated from (A51.SE)

Answer 2

The question of cloning the BB84 states was covered in the paper "Phase covariant quantum cloning" by Dagmar Bruß, Mirko Cinchetti, G. Mauro D'Ariano, and Chiara Macchiavello [Phys Rev. A, 62, 012302 (2000), Eq. 36]. They give an optimal cloner for these states (which is also an optimal cloner for any states $\alpha |0\rangle + \beta |1\rangle$ with $\alpha$, $\beta\in \mathbb{R}\:$). They do not optimize using the same fidelity measure that you are asking about, but I suspect that their cloner is optimal for your question. Their cloner gives success probability

$$\left(\frac{1}{2}+ \frac{1}{\sqrt{8}}\right)^{2n} \approx .72855^n$$ for counterfeiting $n$ BB84 states, quite a bit better than $(\frac{5}{8})^n$.

UPDATE: Bruß et al.'s optimal cloner is given by $\sum_{i=1}^2 A_i \rho A_i^\dagger$ where

$$A_1 = \left( \begin{array}{cc} \frac{1}{2}+\frac{1}{\sqrt{8}} & 0\\ 0 & \frac{1}{\sqrt{8}}\\ 0 & \frac{1}{\sqrt{8}}\\ \frac{1}{2}-\frac{1}{\sqrt{8}} & 0 \end{array} \right) \ \ \ \ A_2 = \left(\begin{array}{cc} 0& \frac{1}{2}-\frac{1}{\sqrt{8}} \\ \frac{1}{\sqrt{8}}&0\\ \frac{1}{\sqrt{8}}&0\\ 0&\frac{1}{2}+\frac{1}{\sqrt{8}} \end{array} \right) .$$

The optimal cloner found by the solution to Abel's semindefinite program is $\sum_{i=1}^2 A_i \rho A_i^\dagger$ where:

$$A_1 = \frac{1}{\sqrt{12}}\left( \begin{array}{cc} 3 & 0\\ 0 & 1\\ 0 & 1\\ 1 & 0 \end{array} \right) \ \ \ \ A_2 = \frac{1}{\sqrt{12}}\left(\begin{array}{cc} 0& 1 \\ 1&0\\ 1&0\\ 0&3 \end{array} \right) .$$

These clearly come from the same family of transformations, but have been optimized to satisfy different objective functions. This family of covariant transformations appears to be given by

$$A_1 = \frac{1}{\sqrt{2x^2+4y^2}}\left( \begin{array}{cc} x+y & 0\\ 0 & y\\ 0 & y\\ x-y & 0 \end{array} \right) \ \ \ \ A_2 = \frac{1}{\sqrt{2x^2+4y^2}}\left(\begin{array}{cc} 0& x-y \\ y&0\\ y&0\\ 0&x+y \end{array} \right) .$$

This post has been migrated from (A51.SE)

Comments

Thanks, Peter! It would be great to show optimality or even near-optimality of their cloner. For that, I guess the first step would be showing that the optimal attack is individual rather than collective.

This post has been migrated from (A51.SE)

---

If Abel Molina's approach works, it should demonstrate this. If not, you should be able to use the techniques in the optimal cloner papers to get an upper bound, but I don't immediately know what it would be.

This post has been migrated from (A51.SE)

---

By adding the states $(|0\rangle + i |1\rangle)/\sqrt{2}$ and $(|0\rangle - i |1\rangle)/\sqrt{2}$ to the original four, it seems that the optimum falls to $c = 2/3$. An optimal channel for Bob is again given by Peter's family of channels, with $x = y = 1$.

This post has been migrated from (A51.SE)

---

@John: this transformation is the original quantum cloner of Bužek and Hillery. I think what's going on is that there's a one-parameter family of covariant quantum cloners for real-amplitude qubit states. If you require covariance for all states, not just real-amplitude ones, you get only the $x=y=1$ one. (Covariant here means: if you apply the same real rotation to the input and the output state spaces, you get the same transformation. Of course, this is still true if you apply a rotation to the input space first, so you have to also require that the overlap is maximized with no rotation.)

This post has been migrated from (A51.SE)

Answer 3

I don't know of a published security proof. I would think the simplest way and strongest bound would come from approximate no-cloning, but I guess you'd need a version specialized for the BB84 states. Even a reduction from BB84 is not obvious, since the security condition for BB84 is different.

I do think you can get a proof straightforwardly as a consequence of the security proof of uncloneable encryption (quant-ph/0210062). This won't get a tight upper bound on the cheating probability, but at least it gives security.

In uncloneable encryption, A sends B a classical message using quantum states. (A and B share a secret key.) The security condition is two-fold: a) When Eve intercepts the initial transmission, she gets no information about message. b) Whatever strategy Eve adopts, either she will be caught by Bob with very high probability, or her residual state $\rho_k$ when the key is k has almost no information about the message. b says that if Eve is unlikely to be caught, she retains no information about the message even if she later learns the key used by A and B. This is interpreted as a no-cloning result: Eve could steal the ciphertext, but she cannot copy it without messing up Bob's received message.

This can be used to create a quantum money scheme: Bank A uses uncloneable encryption to encrypt a random string the "message". There is an uncloneable encryption scheme which is basically BB84, so this could give Weisner's scheme. Eve intercepts the money, interacts with it, and sends the modified original on to Bank B. She also tries to make a copy, which goes to Bank C. Banks B and C accept if the state provided to them passes the uncloneable encryption eavesdropping test, and if they decode the correct random "message" string. Uncloneable encryption property b says that, with high probability, either B's copy fails the eavesdropping test or C's copy contains almost no information about the message. This is stronger than needed, but sufficient to prove security.

For best asymptotic attack, I would imagine, due to quantum de Finetti, that the best collective attack is the same as the best individual attack.

This post has been migrated from (A51.SE)

Comments

Thanks so much, Daniel! I'll continue looking for an argument that gives an explicit bound on c, but in the meantime, this is extremely helpful. I went ahead and marked your answer as "accepted."

This post has been migrated from (A51.SE)