Unforgeable noise-tolerant quantum tokens

Fernando Pastawski; Norman Y Yao; Liang Jiang; Mikhail D Lukin; J Ignacio Cirac

doi:10.1073/pnas.1203552109

. 2012 Sep 17;109(40):16079-16082. doi: 10.1073/pnas.1203552109

Unforgeable noise-tolerant quantum tokens

Fernando Pastawski ^a,¹, Norman Y Yao ^b, Liang Jiang ^c, Mikhail D Lukin ^b, J Ignacio Cirac ^a

PMCID: PMC3479565

Abstract

The realization of devices that harness the laws of quantum mechanics represents an exciting challenge at the interface of modern technology and fundamental science. An exemplary paragon of the power of such quantum primitives is the concept of “quantum money” [Wiesner S (1983) ACM SIGACT News 15:78–88]. A dishonest holder of a quantum bank note will invariably fail in any counterfeiting attempts; indeed, under assumptions of ideal measurements and decoherence-free memories such security is guaranteed by the no-cloning theorem. In any practical situation, however, noise, decoherence, and operational imperfections abound. Thus, the development of secure “quantum money”-type primitives capable of tolerating realistic infidelities is of both practical and fundamental importance. Here, we propose a novel class of such protocols and demonstrate their tolerance to noise; moreover, we prove their rigorous security by determining tight fidelity thresholds. Our proposed protocols require only the ability to prepare, store, and measure single quantum bit memories, making their experimental realization accessible with current technologies.

Contrary to classical intuition, possession of an object carrying quantum information does not guarantee that the holder can extract a complete description. Although measurements may provide partial access, they do not necessarily allow for a full reconstruction of the original quantum state. Wiesner realized that such quantum properties might enable the design of a quantum “bank note,” which is fundamentally immune to counterfeiting. Recent extensions to Wiesner’s original “quantum money” protocol (1) have garnered significant interest (2–7). One particular extension enables the authentication of quantum tokens via classical public communication with a trusted verifier (8). However, to tolerate noise, the verification process must condone a certain finite fraction of quantum bit (qubit failures); naturally, such a relaxation of the verification process enhances the ability for a dishonest user to forge quantum tokens. It is exactly this interplay that we, here, seek to address, by focusing on a class of “quantum token”-protocols that involve either direct physical or classical-communication verification of qubit memories.

Analysis

Quantum Ticket (Qticket).

Our approach to quantum tokens extends the original quantum money primitive (1) by ensuring tolerance to finite errors associated with encoding, storage and decoding of individual quantum bits (qubits). We denote the tokens within our first primitive as quantum tickets (qtickets); each qticket is issued by the mint and consists of a unique serial number and N component quantum states, Inline graphic , where each ρ_i is drawn uniformly at random from the set, , of polarization eigenstates of the Pauli spin operators. The mint secretly stores a classical description of ρ, distributed only among trusted verifiers. In order to redeem a qticket, the holder physically deposits it with a trusted verifier, who measures the qubits in the relevant basis. This verifier then requires a minimum fraction, F_tol, of correct outcomes in order to authenticate the qticket; following validation, the only information returned by the verifier is whether the qticket has been accepted or rejected.

The soundness of a qticket, i.e., the probability that an honest user is successfully verified, depends crucially on the experimental fidelities associated with single qubit encoding, storage, and decoding. Thus, for a given qubit ρ_i, we define the map, M_i, which characterizes the overall fidelity, beginning with the mint’s encoding and ending with the verifier’s validation; the average channel fidelity (9) is then given by, Inline graphic . With this definition, the verification probability of an honest user is

graphic file with name pnas.1203552109eq33.jpg

[1]

where Inline graphic , P_acc represents the projector onto the subspace of valid qtickets, , is the per qubit average experimental fidelity, and the relative entropy D is a measure of distinguishability between two binary probability distributions. Crucially, so long as the average experimental fidelity associated with single qubit processes is greater than the tolerance fidelity, an honest user is exponentially likely to be verified.

We consider each qubit in a qticket to be in one of six possible states; no more than one bit of information may be extracted by measuring the actual state, which is insufficient to recover the original classical description (10). Producing counterfeits without going through a classical description provides a more powerful approach. However, optimal cloning results, which represent a quantitative formulation of the celebrated no-cloning theorem (11) provide tight restrictions on the quality of such “duplicates” (12). Our security proof can be seen as an extension of these results; in particular, we demonstrate that any attempts to forge two copies from a single qticket will lead at least one of the copies to be sufficiently imperfect, ultimately yielding its rejection at the hands of a trusted verifier.

To determine a tight security threshold, we consider the counterfeiting of a single qticket. For a given tolerance fidelity (F_tol) set by the verifiers, a qticket is only accepted if at least F_tolN qubits are validated. In the event that a dishonest user attempts to generate two qtickets from a single valid original, each must contain a minimum of F_tolN valid qubits to be authenticated. As depicted in Fig. 1A, in order for each counterfeit qticket to contain F_tolN valid qubits, a minimum of (2F_tol - 1)N qubits must have been perfectly cloned. Thus, for a set tolerance fidelity, in order for a dishonest user to succeed, he or she must be able to emulate a qubit cloning fidelity of at least 2F_tol - 1. Crucially, so long as this fidelity is above that achievable for optimal qubit cloning (2/3) (12), a dishonest user is exponentially unlikely to succeed:

graphic file with name pnas.1203552109eq34.jpg

[2]

where T represents any completely positive trace preserving (CPTP) qticket counterfeiting map. To ensure 2F_tol - 1 > 2/3, the tolerance fidelity must be greater than 5/6, which is precisely the average fidelity of copies produced by an optimal qubit cloning map (12). In certain cases, an adversary may be able to sequentially engage in multiple verification rounds; however, the probability of successfully validating counterfeited qtickets grows at most quadratically in the number of such rounds, and hence, the likelihood of successful counterfeiting can remain exponentially small even for polynomially large numbers of verifications. Rigorous statement and proofs of these claims are published as SI Text available online.

Fig. 1. — (A) Depicts the pigeonhole type argument that is utilized in the proof of qticket soundness. For a tolerance fidelity F_tol, a qticket is only successfully authenticated if it contains at least F_tolN valid qubits. However, for two counterfeit qtickets, not all valid qubits must coincide. The minimum number of perfectly cloned qubits enabling both qtickets to be accepted is (2F_tol - 1)N. (B) Depicts the quantum retrieval type situation envisioned for cv-qtickets. For two verifiers asking complementary “challenge” questions, the optimal strategy is for the user to measure in an intermediate basis. Such a strategy saturates the tolerance threshold, .

Inline graphic — (A) Depicts the pigeonhole type argument that is utilized in the proof of qticket soundness. For a tolerance fidelity F_tol, a qticket is only successfully authenticated if it contains at least F_tolN valid qubits. However, for two counterfeit qtickets, not all valid qubits must coincide. The minimum number of perfectly cloned qubits enabling both qtickets to be accepted is (2F_tol - 1)N. (B) Depicts the quantum retrieval type situation envisioned for cv-qtickets. For two verifiers asking complementary “challenge” questions, the optimal strategy is for the user to measure in an intermediate basis. Such a strategy saturates the tolerance threshold, .

Classic Verification Qticket (CV-Qticket).

Our previous discussion of qtickets assumed that such tokens are physically transferable to trusted verifiers (e.g., concert tickets); however, in many situations, this assumption of physical deposition may either be impossible or undesirable. Recently, it has been shown (8) that it remains possible, even remotely, for a holder to prove the validity of a token by responding to a set of “challenge” questions; these questions can only be successfully answered by measuring an authentic token. Core to this approach, is to ensure that the challenge questions reveal no additional information about the quantum state of the token. The holder of a valid token should be capable of answering any single challenge question correctly yet be restricted to an exponentially small probability of satisfactorily answering two of them.

We now discuss a specific realization of such an approach, the classical verification quantum ticket (cv-qticket), and demonstrate its robustness against noise and operational imperfections. In contrast to the case of bare qtickets, a cv-qticket holder will be expected to answer challenge questions and hence to measure qubits himself. Our treatment will contemplate the possibility of a dishonest holder participating simultaneously in multiple remote verifications, which could in principle offer the counterfeiter an additional advantage with respect to the qticket scenario; in particular, certain measurement strategies, which may be chosen posterior to receiving a set of challenge questions, may yield an increased likelihood for multiple successful authentications.

One example of a cv-qticket framework utilizes as a building block a set of eight possible two-qubit product states, each consisting of two polarization eigenstates (one along X and the other along Z):

These states constitute a minimal set with the following properties: (1) Only preparation and measurement of qubit states is required. (2) Each state enables the deterministic answering of either of two complementary challenge questions (for example, a request to measure both X polarizations or both Z polarizations), thus, automatically ensuring soundness in the case of perfect experimental fidelity. (3) When attempting to use the state to answer two complementary challenges from independent verifiers, on average, only Inline graphic of replies is correct; thus allowing a dishonest user to emulate an experimental fidelity (per qubit) of no more than with respect to each verifier.

We then envision each cv-qticket to consist of n blocks, each containing r qubit pairs, and thus, a total of n × r × 2 qubits; as before, each of the qubit pairs is chosen uniformly at random from S. A challenge question consists of requesting the holder to measure each block (of qubits) along a basis chosen randomly among either X or Z; naturally, as depicted in Table 1, a valid qubit pair (within a block) is one in which the holder correctly answers the orientation for the particular qubit (within the pair) that was prepared along the questioned basis. For a given tolerance threshold Inline graphic , an overall answer will only be deemed correct if at least orientations within each of the n blocks are found valid. The motivation for taking blocks of 2r qubits is to exponentially suppress the probability that a counterfeiter provides more than correct answers among two complementary challenge blocks. In turn, because any two verifiers choose the questions for each block independently and at random, the probability that there exist no complementary blocks scales exponentially with the number of blocks as 2^-n. By contrast, if one were to dismiss this block structure, an adversary would be able to emulate a larger average experimental fidelity ( Inline graphic ) by choosing a measurement basis for each pair dependent on whether the corresponding requests are coinciding or complementary.

Table 1.

Verification of a single cv-qticket. Here, we consider a cv-qticket with n = 2 and r = 4, totaling eight qubit pairs and F_tol = 3/4 (for illustrative purposes only). The prepared qubit-pairs are chosen at random, as are the bank’s requested measurement bases (for each block). The holder’s answer has at most, a single error per block, which according to F_tol = 3/4 is allowed. Secure cv-qtickets require Inline graphic and a larger number of constituent qubits

Prepare
B:Ask	Z				X
H:Answer	0,0	0,1	1,1	0,1	−,+	+,−	−,+	+,−
Correct block	✓	✓	✓	✓	✓	✓	✓	×
Correct block	✓				✓
B:Result	Verified

Open in a new tab

By analogy to the qticket case, honest users are exponentially likely to be verified so long as Inline graphic ; in particular, because there now exist n blocks of qubits, each of which can be thought of as an individual qticket (with r qubits),

[3]

The proof of cv-qticket security is based upon a generalized formalism of quantum retrieval games (8, 13), in combination with a generalized Chernoff–Hoeffding bound (14) (details in SI Text). So long as Inline graphic , a dishonest user is exponentially unlikely to be authenticated by two independent verifiers. Interestingly, the threshold corresponds exactly to that achievable by either covariant qubit cloning (15) or by measurement in an intermediate basis (Fig. 1B), suggesting that both such strategies may be optimal (16). Similar to the qticket case, one finds that a dishonest user is exponentially likely to fail:

graphic file with name pnas.1203552109eq37.jpg

[4]

where v represents the number of repeated verification attempts. We note that the factor of Inline graphic results from a combinatorial statement accounting for the possibility of choosing which challenge question to answer first and then waiting for feedback from the verifier. Thus, so long as the hierarchy of fidelities is such that , it is possible to prove both soundness and security of the cv-qtickets protocol (see SI Text for rigorous statement and proofs).

Applications.

Next, we consider applications of the above primitives to practically relevant protocols. For instance, one might imagine a composite cv-qticket that allows for multiple verification rounds while also ensuring that the token cannot be split into two independently valid subparts (8). Such a construction may be used to create a quantum-protected credit card. Indeed, the classical communication that takes place with the issuer (bank) to verify the cv-qticket (via challenge questions) may be intentionally publicized to a merchant who needs to be convinced of the card’s validity. By contrast to modern credit card implementations, such a quantum credit card would be unforgeable and hence immune to fraudulent charges (Fig. 2A).

Fig. 2. — (A) Depicts the possibility of using the cv-qticket framework to implement a quantum-protected credit card. Unlike its classical counterpart, the quantum credit card would naturally be unforgeable, preventing thieves from being able to simply copy credit card information and perform remote purchases. (B) Depicts a dishonest user who attempts to copy a concert qticket (e.g., same serial number), enabling his friend to enter at an alternate checkpoint gate. Naively, each verifier can communicate with one another to prevent such abusive ticket cloning. However, such a safeguard can be overcome in the event that the communication among verifiers is either unsecured, unavailable, or severed (possibly by the dishonest user himself). The qticket is exempt from this type of attack because security is guaranteed even in the case of isolated verifiers.

An alternate advantage offered by the qticket framework is evinced in the case where verifiers may not possess a secure communication channel with each other. Consider, for example, a dishonest user who seeks to copy multiple concert tickets, enabling his henchmen to enter at different checkpoint gates. A classical solution would involve gate verifiers communicating amongst one another to ensure that each ticket serial number is only allowed entry a single time; however, as shown in Fig. 2B, such a safeguard can be overcome in the event that communication has been severed. By contrast, a concert ticket based upon the proposed qticket primitive would be automatically secure against such a scenario; indeed, the security of qtickets is guaranteed even when verifiers are assumed to be isolated. Such isolation may be especially useful for applications involving quantum identification tokens, where multiple verifiers may exist who are either unable or unwilling to communicate with one another.

Discussion

Although quantum primitives have been the subject of tremendous theoretical interest, their practical realization demands robustness in the face of realistic imperfections. Our above analysis demonstrates that such noise tolerance can be achieved for certain classes of unforgeable quantum tokens. Moreover, the derived tolerance thresholds are remarkably mild and suggest that proof of principle experiments are currently accessible in systems ranging from trapped ions (17, 18) and superconducting devices (19, 20) to solid-state spins (21–25). In particular, recent advances on single nuclear spins situated in a compact room-temperature solid have demonstrated that ultralong storage times can be attained in combination with high fidelity initialization and readout (24); such advances suggest that quantum devices based upon single qubit quantum memories may be both practical and realistically feasible.

Although our analysis has focused on describing a primitive based upon single tokens, natural extensions to the case of multiple identical quantum tokens open up the possibility of even more novel applications. In particular, as detailed in the SI Text, it is possible to extend our threshold results to the case where c identical copies of the quantum token are issued. In this case, to ensure that the production of c + 1 valid tokens is exponentially improbable, the required threshold fidelity must be greater than Inline graphic . The existence of such multiple identical tokens can provide a certain degree of anonymity for users and could be employed in primitives such as quantum voting. A crucial question that remains is whether a rigorous proof of anonymity can be obtained in a noisy environment. Furthermore, our proposed quantum tokens can also be seen as a basic noise tolerant building block for implementing more advanced application schemes; such schemes can range from novel implementations of quantum key distribution (16, 26,–28) based upon physical qubit transport to complex one-time-entry identification cards. Beyond these specific applications, a number of scientific avenues can be explored, including for example, understanding whether an interplay between computational assumptions and quantum memories can yield fundamentally new approaches to encryption.

Appendix

We now outline the proof for the security of the qticket protocol that is fully developed in the online SI Text. First, the claim in Eq. 2 is restated in terms of an equivalent one, which averages over the set of all pure product states instead of over Q. This reformulation is achieved by invoking the three-design property for the set Inline graphic , i.e., the fact that degree three polynomials in the state may equivalently be averaged over or over all possible pure qubit states. An explicit expression for P_acc is used to show that the security statement has degree three in each component. We then bound the average cloning probability for the set of k-qubit pure product states by (2/3)^k, following the lines of the original proof of optimal cloning by Werner (12). This bound can be seen as limiting the possibility of positively correlating the successful cloning of different components. From this hypothesis, a generalized Chernoff bound (14) applicable to (possibly) dependent random variables allows us to infer the validity of Eq. 2. Finally, the security with respect to v consecutive verification attempts, allowing for an adaptive counterfeiting strategy, is bound in terms of the situation of Eq. 2, where a map on a single qticket produces two counterfeits. In particular, we sum over the possible verification outcomes containing at least two positive replies and grouping these into Inline graphic disjoint scenarios. In turn, by fixing the initial verifier replies of each scenario, the adaptive counterfeiting strategy can be reinterpreted as a counterfeiting map.

We now sketch the security proof for cv-qtickets. Abstractly, cv-qtickets consist of a set of randomly produced states and requested challenge questions on these states. The formalism of quantum retrieval games (QRGs) specifically models this scenario (8, 13), allowing one to bound the probability with which optimal strategies can provide correct answers. This framework is presented in a largely self-contained manner because its generality and potential make it of independent interest. Using only the basic definitions for QRGs and some simple properties, we prove that, on average, given a state randomly chosen from S, and the two complementary challenge questions no more than Inline graphic of them may be answered satisfactorily. Generalized Chernoff bounds (14) are then applied to bound the likelihood of succeeding at threshold games, i.e., composite games where the correctness of an answer corresponds to correctly providing a certain fraction of the answer components. Full cv-qtickets are then modelled as QRG for scenarios in which the holder of a cv-qticket wishes to simultaneously answer questions from two independent verifiers without any additional aid. Finally, a combinatorial argument, similar to the one used for qtickets, is used to provide a polynomial upper bound on how the double verification probability may increase with the number v of verification attempts.

Supplementary Material

Supporting Information

supp_109_40_16079__index.html^{(771B, html)}

ACKNOWLEDGMENTS.

We thank Y. Chu, C. R. Laumann, and S. D. Bennett for insights and discussions. This work was supported in part by Deutsche Forschungsgemeinschaft (DFG) (SFB 631 and Nanosystem Initiative München NIM), Quantun Computing, Control and Communication (QCCC) elite network Bayern, the European Union project MALICIA, Catalunya Caixa, the National Basic Research Program of China (NBRPC) (973 program), the National Science Foundation (NSF), the Center for Ultracold Atoms (CUA), the Department of Energy (FG0297ER25308), the Defense Advanced Research Projects Agency (DARPA) quantum entanglement science and technology (QuEST), Multi University Research Initiative (MURI), Packard Foundation and the Sherman Fairchild Foundation.

Footnotes

The authors declare no conflict of interest.

This article is a PNAS Direct Submission.

This article contains supporting information online at www.pnas.org/lookup/suppl/doi:10.1073/pnas.1203552109/-/DCSupplemental.

References

1.Wiesner S. Conjugate coding. ACM SIGACT News. 1983;15:78–88. [Google Scholar]
2.Aaronson S. Quantum Copy-Protection and Quantum Money. Los Alamitos, CA: IEEE; 2009. pp. 229–242. [Google Scholar]
3.Lutomirski A, et al. Breaking and making quantum money: Toward a new quantum cryptographic protocol. 2009. arXiv:0912.3825.
4.Mosca M, Stebila D. Quantum coins. Error-correcting codes, finite geometries and cryptography. Proc Am Math Soc. 2010;523:35–47. [Google Scholar]
5.Farhi E, et al. Quantum state restoration and single-copy tomography for ground states of Hamiltonians. Phys Rev Lett. 2010;105:190503–190506. doi: 10.1103/PhysRevLett.105.190503. [DOI] [PubMed] [Google Scholar]
6.Farhi E, Gosset D, Hassidim A, Lutomirski A, Shor P. Quantum money from knots. 2010. arXiv:1004.5127. [DOI] [PubMed]
7.Lutomirski A. Component mixers and a hardness result for counterfeiting quantum money. 2011. arXiv:1107.0321.
8.Gavinsky D. Proceedings of the 2012 IEEE Conference on Computational Complexity (CCC) Portugal: IEEE Porto; 2011. Quantum money with classical verification; pp. 42–52. [Google Scholar]
9.Nielsen MA. A simple formula for the average gate fidelity of a quantum dynamical operation. Phys Lett A. 2002;303:249–252. [Google Scholar]
10.Holevo A. Statistical problems in quantum physics. In: Maruyama G, Prokhorov Y, editors. Proceedings of the Second Japan-USSR Symposium on Probability Theory. LNM. Vol. 330. Berlin, Heidelberg: Springer; 1973. pp. 104–119. [Google Scholar]
11.Wootters WK, Zurek WH. A single quantum cannot be cloned. Nature. 1982;299:802–803. [Google Scholar]
12.Werner RF. Optimal cloning of pure states. Phys Rev A. 1998;58:1827–1832. [Google Scholar]
13.Gutoski G, Watrous J. Toward a general theory of quantum games, STOC 2007. New York, NY: ACM; 2007. pp. 565–574. [Google Scholar]
14.Impagliazzo R, Kabanets V. Constructive proofs of concentration bounds. In: Serna M, Shaltiel R, Jansen K, Rolim J, editors. Lecture Notes in Computer Science. Vol. 6302. Berlin, Heidelberg: Springer; 2010. pp. 617–631. ((APROX 2010)/(RANDOM 2010)). [Google Scholar]
15.Bruss D, Cinchetti M, Mauro D’Ariano G, Macchiavello C. Phase-covariant quantum cloning. Phys Rev A. 2000;62:012302–012308. [Google Scholar]
16.Gisin N, Ribordy G, Tittel W, Zbinden H. Quantum cryptography. Rev Mod Phys. 2002;74:145–195. [Google Scholar]
17.Hume DB, Rosenband T, Wineland DJ. High-fidelity adaptive qubit detection through repetitive quantum non-demolition measurements. Phys Rev Lett. 2007;99:120502–120505. doi: 10.1103/PhysRevLett.99.120502. [DOI] [PubMed] [Google Scholar]
18.Langer C, et al. Long-lived qubit memory using atomic ions. Phys Rev Lett. 2005;95:060502. doi: 10.1103/PhysRevLett.95.060502. [DOI] [PubMed] [Google Scholar]
19.Wendin G. Scalable solid-state qubits: Challenging decoherence and read-out. Phil Trans R Soc A. 2003;361:1323–1338. doi: 10.1098/rsta.2003.1202. [DOI] [PubMed] [Google Scholar]
20.Gladchenko S, et al. Superconducting nanocircuits for topologically protected qubits. Nat Phys. 2009;5:48–53. [Google Scholar]
21.Dutt MVG, et al. Quantum register based on individual electronic and nuclear spin qubits in diamond. Science. 2007;316:1312–1316. doi: 10.1126/science.1139831. [DOI] [PubMed] [Google Scholar]
22.Morton JJL, et al. Solid-state quantum memory using the 31P nuclear spin. Nature. 2008;455:1085–1088. [Google Scholar]
23.Balasubramanian G, et al. Ultralong spin coherence time in isotopically engineered diamond. Nat Mater. 2009;8:383–387. doi: 10.1038/nmat2420. [DOI] [PubMed] [Google Scholar]
24.Maurer PC, et al. Room-temperature quantum bit memory exceeding one second. Science. 2012;336:1283–1286. doi: 10.1126/science.1220513. [DOI] [PubMed] [Google Scholar]
25.Steger M, et al. Quantum information storage for over 180 s using donor spins in a 28Si “semiconductor vacuum”. Science. 2012;336:1280–1283. doi: 10.1126/science.1217635. [DOI] [PubMed] [Google Scholar]
26.Bennet CH, Brassard G. Quantum cryptography: Public key distribution and coin tossing; Proceedings of IEEE International Conference on Computers Systems and Signal Processing; Bangalore, India: 1984. pp. 175–179. [Google Scholar]
27.Gottesman D, Lo H. Proof of security of quantum key distribution with two-way classical communications. IEEE Trans Inf Theory. 2003;49:457–475. [Google Scholar]
28.Scarani V, Renner R. Quantum cryptography with finite resources: Unconditional security bound for discrete-variable protocols with one-way postprocessing. Phys Rev Lett. 2008;100:200501. doi: 10.1103/PhysRevLett.100.200501. [DOI] [PubMed] [Google Scholar]

Associated Data

This section collects any data citations, data availability statements, or supplementary materials included in this article.

Supplementary Materials

Supporting Information

supp_109_40_16079__index.html^{(771B, html)}

1203552109_pnas.1203552109_SI.pdf^{(397.7KB, pdf)}

[B1] 1.Wiesner S. Conjugate coding. ACM SIGACT News. 1983;15:78–88. [Google Scholar]

[B2] 2.Aaronson S. Quantum Copy-Protection and Quantum Money. Los Alamitos, CA: IEEE; 2009. pp. 229–242. [Google Scholar]

[B3] 3.Lutomirski A, et al. Breaking and making quantum money: Toward a new quantum cryptographic protocol. 2009. arXiv:0912.3825.

[B4] 4.Mosca M, Stebila D. Quantum coins. Error-correcting codes, finite geometries and cryptography. Proc Am Math Soc. 2010;523:35–47. [Google Scholar]

[B5] 5.Farhi E, et al. Quantum state restoration and single-copy tomography for ground states of Hamiltonians. Phys Rev Lett. 2010;105:190503–190506. doi: 10.1103/PhysRevLett.105.190503. [DOI] [PubMed] [Google Scholar]

[B6] 6.Farhi E, Gosset D, Hassidim A, Lutomirski A, Shor P. Quantum money from knots. 2010. arXiv:1004.5127. [DOI] [PubMed]

[B7] 7.Lutomirski A. Component mixers and a hardness result for counterfeiting quantum money. 2011. arXiv:1107.0321.

[B8] 8.Gavinsky D. Proceedings of the 2012 IEEE Conference on Computational Complexity (CCC) Portugal: IEEE Porto; 2011. Quantum money with classical verification; pp. 42–52. [Google Scholar]

[B9] 9.Nielsen MA. A simple formula for the average gate fidelity of a quantum dynamical operation. Phys Lett A. 2002;303:249–252. [Google Scholar]

[B10] 10.Holevo A. Statistical problems in quantum physics. In: Maruyama G, Prokhorov Y, editors. Proceedings of the Second Japan-USSR Symposium on Probability Theory. LNM. Vol. 330. Berlin, Heidelberg: Springer; 1973. pp. 104–119. [Google Scholar]

[B11] 11.Wootters WK, Zurek WH. A single quantum cannot be cloned. Nature. 1982;299:802–803. [Google Scholar]

[B12] 12.Werner RF. Optimal cloning of pure states. Phys Rev A. 1998;58:1827–1832. [Google Scholar]

[B13] 13.Gutoski G, Watrous J. Toward a general theory of quantum games, STOC 2007. New York, NY: ACM; 2007. pp. 565–574. [Google Scholar]

[B14] 14.Impagliazzo R, Kabanets V. Constructive proofs of concentration bounds. In: Serna M, Shaltiel R, Jansen K, Rolim J, editors. Lecture Notes in Computer Science. Vol. 6302. Berlin, Heidelberg: Springer; 2010. pp. 617–631. ((APROX 2010)/(RANDOM 2010)). [Google Scholar]

[B15] 15.Bruss D, Cinchetti M, Mauro D’Ariano G, Macchiavello C. Phase-covariant quantum cloning. Phys Rev A. 2000;62:012302–012308. [Google Scholar]

[B16] 16.Gisin N, Ribordy G, Tittel W, Zbinden H. Quantum cryptography. Rev Mod Phys. 2002;74:145–195. [Google Scholar]

[B17] 17.Hume DB, Rosenband T, Wineland DJ. High-fidelity adaptive qubit detection through repetitive quantum non-demolition measurements. Phys Rev Lett. 2007;99:120502–120505. doi: 10.1103/PhysRevLett.99.120502. [DOI] [PubMed] [Google Scholar]

[B18] 18.Langer C, et al. Long-lived qubit memory using atomic ions. Phys Rev Lett. 2005;95:060502. doi: 10.1103/PhysRevLett.95.060502. [DOI] [PubMed] [Google Scholar]

[B19] 19.Wendin G. Scalable solid-state qubits: Challenging decoherence and read-out. Phil Trans R Soc A. 2003;361:1323–1338. doi: 10.1098/rsta.2003.1202. [DOI] [PubMed] [Google Scholar]

[B20] 20.Gladchenko S, et al. Superconducting nanocircuits for topologically protected qubits. Nat Phys. 2009;5:48–53. [Google Scholar]

[B21] 21.Dutt MVG, et al. Quantum register based on individual electronic and nuclear spin qubits in diamond. Science. 2007;316:1312–1316. doi: 10.1126/science.1139831. [DOI] [PubMed] [Google Scholar]

[B22] 22.Morton JJL, et al. Solid-state quantum memory using the 31P nuclear spin. Nature. 2008;455:1085–1088. [Google Scholar]

[B23] 23.Balasubramanian G, et al. Ultralong spin coherence time in isotopically engineered diamond. Nat Mater. 2009;8:383–387. doi: 10.1038/nmat2420. [DOI] [PubMed] [Google Scholar]

[B24] 24.Maurer PC, et al. Room-temperature quantum bit memory exceeding one second. Science. 2012;336:1283–1286. doi: 10.1126/science.1220513. [DOI] [PubMed] [Google Scholar]

[B25] 25.Steger M, et al. Quantum information storage for over 180 s using donor spins in a 28Si “semiconductor vacuum”. Science. 2012;336:1280–1283. doi: 10.1126/science.1217635. [DOI] [PubMed] [Google Scholar]

[B26] 26.Bennet CH, Brassard G. Quantum cryptography: Public key distribution and coin tossing; Proceedings of IEEE International Conference on Computers Systems and Signal Processing; Bangalore, India: 1984. pp. 175–179. [Google Scholar]

[B27] 27.Gottesman D, Lo H. Proof of security of quantum key distribution with two-way classical communications. IEEE Trans Inf Theory. 2003;49:457–475. [Google Scholar]

[B28] 28.Scarani V, Renner R. Quantum cryptography with finite resources: Unconditional security bound for discrete-variable protocols with one-way postprocessing. Phys Rev Lett. 2008;100:200501. doi: 10.1103/PhysRevLett.100.200501. [DOI] [PubMed] [Google Scholar]

PERMALINK

Unforgeable noise-tolerant quantum tokens

Fernando Pastawski

Norman Y Yao

Liang Jiang

Mikhail D Lukin

J Ignacio Cirac

Abstract