Yao Qian: Quantum Money: An Academic Imagination

Text: Yao Qian (then general manager of China Securities Depository and Clearing Corporation, former director of the Digital Currency Research Institute of the Central Bank)

Source: Tsinghua Financial Review

This article believes that whether quantum computing makes blockchain and digital currencies lose their development significance is not conclusive in the short term. But with the development of technology, the currency form and currency technology will inevitably change accordingly. In the future quantum era, quantum currency may be on the stage of history. This article analyzes the concept, origin, logic and basic principles of quantum money, and points out the core problems and research directions of quantum money. Although there are still flaws in quantum currency theory, it is worth our attention and exploration.

In recent years, quantum computing has developed rapidly. Not long ago, Google announced the realization of quantum hegemony, and China's "Tianhe II" supercomputer calculated the quantum hegemony standard. The so-called quantum hegemony means that if a quantum computer can prove that the computing power of a certain problem far exceeds the best supercomputer at present, it will realize the hegemony of the traditional computer over the quantum computer. The development of quantum computing has greatly challenged the existing cryptosystems. In theory, quantum algorithms can decipher asymmetric cryptographic algorithms such as Diffie-Hellman algorithm, RSA algorithm, and elliptic curve algorithm.

Since cryptography is a key element of the blockchain and a technical foundation for the security and credibility of digital currencies, people cannot help worrying about whether the development of quantum computing will pose a threat to the security of the blockchain and digital currencies. Some people even assert that In front of quantum computers, blockchain is not worth mentioning. But for now, the conclusion is still too early. First, quantum computing algorithms (such as Grover and Shor algorithms) pose a greater threat to asymmetric cryptosystems, but they have relatively less impact on symmetric cryptography and hashing algorithms. Second, there is currently no evidence to confirm or falsify quantum computers that can solve the NP (Nondeterministic Polynomial, non-deterministic polynomial) complete problem, nor can it be easily concluded that in the quantum computing environment, cryptography based on computational complexity has no future. The third is that cryptography has traditionally developed in the confrontation of encoding and deciphering, attack and defense, and spear and shield. It cannot be said that there is quantum computing, and cryptography is not good. Quantum computing also has its weaknesses, and it can also construct quantum resistance. Cryptosystems, such as multivariable public key cryptosystems, digital signature schemes based on hash functions, cryptographic systems based on error correction codes, and lattice-based cryptosystems.

Therefore, it is not easy to say whether quantum computing has lost the development significance of blockchain and digital currencies. But one thing is for sure: with the development of technology, the currency form and currency technology will inevitably change accordingly. In the quantum era, cryptocurrency based on blockchain technology may continue to exist, but it may use more advanced anti-quantum cryptography. Another possibility is that it will be replaced by a new type of currency technology based on quantum technology, which is now the quantum currency that some academics are exploring.

The concept of quantum money

Quantum currency is essentially a digital currency based on cryptography. The core of quantum currency that is superior to classic digital currency is the quantum anti-counterfeiting technology realized by using quantum superposition state and quantum computing. This technology comprehensively uses the cutting-edge knowledge of multiple subject areas such as physics, computer science and cryptography, and can finally solve the problem of currency double spend without introducing a bookkeeping mechanism. The ideal quantum currency can simultaneously realize the characteristics of digital currency that are easy to identify, difficult to counterfeit, cannot be copied, and convenient to use. At the same time, it combines the advantages of traditional currency (banknotes) and classic digital currency, and avoids the disadvantages that are inherently difficult to overcome.

In 1969, Stephen Wiesner, a graduate student at Columbia University in the United States, first proposed the concept of quantum currency. He envisioned equipping the currency with a quantum device that stores photons, and using the quantum state as the currency's anti-counterfeiting mark. . In 1982, Bennett and others attempted to build the first public-key quantum currency. Their scheme allows only one currency to be spent once, calling it a "metro pass." Later it was discovered that there were two insecure factors in their design: one was an insecure protocol based on unknown transfers; the other was that it could be cracked by the Shor algorithm. In 2003, Tokunaga et al. Improved Weisner's scheme, instead of requiring the central bank to track every currency issued, but using a special method to ensure that the currency is still valid after being modified. This allows currency holders to check the currency before the bank checks it. Modifications are made to implement currency transactions, but the disadvantage is that once a bank finds a counterfeit banknote, it must immediately release information to clear all transaction information before the counterfeit banknote, so this solution is not easy to implement. In 2009, Aaronson proposed a complex theoretical non-clonable theorem. Assuming that there is a mechanism to verify whether a given state is equal to an effective quantum currency state, a currency counterfeiter must also possess the verification mechanism if he wants to counterfeit currency. In 2010, Mosca and Stebila pointed out that even if a currency counterfeiter has a quantum currency verification mechanism, he still cannot produce more quantum currency than his initial state. The authorizer runs a fuzzy verification method and does not get any useful information before the final result is obtained. During the verification process, he must communicate with the bank. This scheme is a quantum currency private key scheme. In 2012, Lutomirski et al. Used a kink invariant method to propose a true quantum currency public key scheme. However, the security of the scheme has not yet been proven. In 2015, Subhayan et al. Proposed a quantum check protocol in which any legitimate client of a trusted bank holds a "quantum check book" that can issue checks and share a classic channel with the bank. Its branches complete currency verification.

Understanding the logical starting point of quantum money: counterfeiting and double spending

The history of currency development is the history of the development of anti-counterfeiting technology, as well as the history of constant struggle between producers and counterfeiters. Whether it is a shell, metal, paper, plastic or electronic currency, preventing counterfeiting is the most important goal of currency production. Especially in the era of credit currency, the value attribute of currency itself has gradually weakened, and currency anti-counterfeiting is particularly important. It can be said that currency cannot be talked about without counterfeiting. However, there has never been a currency in history that can completely solve the problem of forgery. The history of currency counterfeiting is almost as long as the history of currency development. Until now, there have been cases of counterfeit banknotes in various countries such as RMB, USD and Euro.

One of the fundamental reasons why traditional currency counterfeiting is repeatedly banned is the easy-forgery feature of classical physics. According to the basic principles of classical physics, the physical state can be accurately measured. As long as the material can be reorganized according to the measurement results with sufficient accuracy to meet the test, the purpose of counterfeiting money can be achieved. Various anti-counterfeiting technologies developed by traditional currency production institutions, such as the pattern, sawtooth of metal currency, watermarks of banknotes, security lines, fibers, light-varying inks, and gravure features, are essentially just raising counterfeit currency Threshold, but it cannot be banned fundamentally. Although it can be said that the cost of counterfeiting is high enough that counterfeiting currency is not profitable, thereby avoiding counterfeiting, with the continuous development of technology and the widespread application of sophisticated technology to the civilian field, the threshold for counterfeiting technology may also drop. If the counterfeiters invest enough material resources, financial resources and intelligence, any traditional currency anti-counterfeiting technology may theoretically be cracked.

For electronic money and digital money, the form is a series of binary information. The problem they need to solve is more trouble than the security of paper money, because information can be easily copied in the computer. This information can be protected from forgery using cryptographic techniques. For example, digital currency issuers can sign each digital currency issued, so everyone can easily verify the authenticity of the currency. In addition, digital currencies also have a double spend problem. In the transactions between Party A and Party B, if no one else knows, Party A can secretly back up the same digital currency before the transaction with Party B, and then pretend that the transaction with Party B did not occur and trade with Party C. The solution is to use a ledger to record the transactions that have occurred to avoid the same digital currency being spent multiple times. This ledger can be a centralized ledger such as a bank or Alipay, or a distributed ledger based on blockchain technology like Bitcoin. Quantum money uses the principle of quantum non-cloning to solve the problem of currency counterfeiting and double spending.

Basic Principles of Quantum Money

Qubits, quantum superpositions

In classical computers, bits "0" and "1" are both represented by classical physical quantity codes, such as voltage and magnetic field direction, and the measurement result of classical physical quantities is uniquely determined, that is, a classic bit cannot be in two States (such as being in both "high voltage" and "low voltage" states). Qubits are stored based on the quantum states of microscopic particles. The most important feature that distinguishes them from classical physical states is that they can be in the superposition of several microscopic quantum states at the same time. For example, if | 0> is used to indicate the ground state or spin down of an electron, and | 1> is used to indicate the excited state or spin up, a microscopic quantum state can be expressed as |> = a | 0> + b | 0>, where a and b are both complex numbers, and their sum of squares of module length is 1. Figure 1 shows a comparison of classic data bits and quantum data bits. The representation of classic data bits is either 0 or 1, and the quantum data bits are a superposition of │0> and │1>, which can be either 0 or 1.

How quantum currency is anti-counterfeiting

The micro-quantum state itself contains a wealth of information, but we can only obtain its information through measurement, and the behavior of the measurement will in turn affect the quantum state, causing the measured quantum state to collapse. In the end, each qubit is only measured after the measurement. You can get information about the collapsed quantum state. On the other hand, in the quantum world, cloning is impossible. In other words, there is no circuit that can perform such a function: the input is any unknown quantum state, and the output is two of the quantum state. This is the basic principle of quantum non-cloning (replication).

The principle of quantum non-cloning constitutes the theoretical basis of quantum money. Quantum money is also a series of information in nature, which is similar to electronic money and digital money, but the difference is that in addition to classic binary coded information, quantum money also contains quantum information stored in the form of qubits. The advantage of using qubits is that each qubit can store much more information than the classic bit in the form of a superposition state, and this information cannot be accurately measured. According to the principle of quantum non-cloning, the measurement of qubits will inevitably cause the quantum state to collapse to one of the superimposed states, thereby permanently losing all information about other uncollapsed states. In this way, the information of quantum currency can be essentially prevented from being measured and copied, because quantum physics guarantees that the measurement of qubits cannot obtain complete information. In addition, quantum currencies can also use cryptographic techniques similar to digital currencies to avoid counterfeiting by attackers.

Quantum unclonable theorem also prevents double spending of quantum money. Specifically, the owner of a quantum currency can only own quantum states, but cannot know what each quantum state is. If he wants to know, he can only measure, but once measured, the quantum state will collapse into another quantum state ( One of the original superposition states) is equivalent to the owner of the quantum currency destroying his own currency. This design of "holding the quantum state but not knowing the quantum state" effectively prevents currency double spending, because if the owner of the quantum currency knows what the quantum state in his hand is, he can actually "clone" many copies.

Quantum currency peer-to-peer payment

Compared with traditional currency, the biggest advantage of digital currency is that it is convenient to transfer. It only needs to transmit information through the network, and does not need to transfer physical objects like traditional currency. The same is true for quantum money. It only needs to transfer the information contained in the quantum state. The transmitted quantum state information can be achieved either by sending particles (such as photons) containing the information, or by quantum communication in the classic channel-that is, the two parties in the communication share an entangled quantum state in advance, and then only the classic channel is transmitted through the classic channel. Binary information can accomplish the task of transmitting complex quantum states.

Therefore, quantum currency-based transactions can be conducted directly between the parties to the transaction (at most, only a trusted third party needs to distribute the entangled quantum states in advance), and no third party ledger verification is required.

The core problem of quantum currency: how to check money

Although "holding a quantum state but not knowing the quantum state" enables us to use the quantum non-clonable theorem to solve the double spend problem of quantum money, it also brings a new problem, namely how to check money. In the transaction that Party A paid to Party B, since Party B does not know the information of the quantum state that he holds and cannot obtain enough information through measurement, how does he confirm that this is a legal quantum currency and not manufactured by Party A at will? Or has it been observed by Party A? And if measurement is allowed to verify whether the quantum currency is legal, Party A can measure the quantum state of its own quantum currency, and then construct a new quantum state according to the collapsed state before sending it to Party B. Because Party A has all the information about the collapsed state, he can reconstruct a collapsed quantum state and send it to Party C. This causes the double spend problem. Therefore, Party B cannot determine whether Party A has spent this quantum currency, and it cannot determine whether the collapse state was caused by its own observation or Party A's observation.

In theory, a nondestructive quantum currency banknote check is feasible. The collapse of a quantum superposition state occurs when there are multiple superposition states, and if there is only one state, no collapse will occur. Therefore, the "appropriate" transformation can be selected so that the quantum states of each legal quantum currency will show a unique state that will not collapse at the "appropriate" qubit position after this transformation, and then measure these in part The state of the qubit does not measure other qubits in the superposition state, so that the information of the quantum state can be obtained without damaging the original quantum state. And if the original quantum state was constructed by "appropriate" cryptographic signature coding, these measured information can verify the legality of the quantum currency encoded by the original quantum state.

A theoretically available quantum currency solution must make the right choices in all three of the "appropriate" places mentioned above and give a mathematical proof. In addition to the function of non-destructive banknote detection, it must also ensure that there are no loopholes in the banknote detection program. To solve these problems, it is necessary to give full play to the role of cryptography and combine it with quantum computing to explore quantum encryption means to make the inspection of quantum currency achieve physical security.

The research questions about the quantum currency banknote detection mechanism also include: Can the banknote detection be separated from the central bank, and will the holders complete the inspection / inspection process independently? Will it cause losses to the quantum state? Does it support multiple banknote checks? Does the loss cause a certain probability of error? How to deal with noise?


Science always develops in hypothetical confirmation and falsification, which may be the value of hypothesis. "Blockchain is not worth mentioning in front of quantum computers" Of course, it is also a hypothesis. In a sense, asking questions is more important than solving them. The imagination of digital currency can be traced back to the dream of cryptography since the 1970s: can the cash in hand be encrypted like a mail, encrypted and signed, and then sent from one end to the other. This dream has gradually developed into a digital currency experiment that has swept the world under the relentless exploration of David Chom, Satoshi Nakamoto and others. History has shown that the evolution and connotation of currency forms have been profoundly affected by previous scientific and technological advances. This process will not end in the quantum era, but will continue to develop. At present, quantum technology cannot support quantum currency, and there are flaws in quantum currency theory. Some scholars even think that it is difficult to say whether it is applicable in the future. But the development of quantum computing is accelerating. The quantum era is no longer far away and is approaching us. The challenges and opportunities brought by new technologies deserve our attention and exploration.

This article only represents personal academic opinions and does not represent the opinions of the institution. This article was published in the December 2019 issue of Tsinghua Financial Review and published on December 5, 2019.