Semi-quantum Money

Abstract

Quantum money allows a bank to mint quantum money states that can later be verified and cannot be forged. Usually, this requires a quantum communication infrastructure to perform transactions. Gavinsky (CCC 2012) introduced the notion of classically verifiable quantum money, which allows verification through classical communication. In this work, we introduce the notion of classical minting and combine it with classical verification to introduce semi-quantum money. Semi-quantum money is the first type of quantum money to allow transactions with completely classical communication and an entirely classical bank. This work features constructions for both a public memory-dependent semi-quantum money scheme and a private memoryless semi-quantum money scheme. The public construction is based on the works of Zhandry  and Coladangelo, and the private construction is based on the notion of noisy trapdoor claw-free functions (NTCF) introduced by Brakerski et al. (FOCS 2018). In terms of technique, our main contribution is a perfect parallel repetition theorem for NTCF.

Appendices

A Nomenclature

:

Counterfeiter of a full blown private quantum money scheme (also NTCF adversary in Sect. 4)

\(B\) :

A bank

\(\mathcal {B}\) :

Counterfeiter of a private quantum money mini-scheme

\(\mathcal {C}\) :

Counterfeiter of a private quantum money 2-of-2 mini-scheme (also quantum lightning certificate forger)

\(\mathcal {D}\) :

An encryption distinguisher—i.e., an adversary whose goal is to distinguish between an actual encryption and a random string

\(\$_C\) :

A quantum money scheme with classical minting

\(\$_P\) :

Our public semi-quantum money scheme based on quantum lightning with bolt-to-certificate

\(\$_\mathcal {Z}\) :

Our private semi-quantum money construction based on 1-of-2 puzzles

\(\mathsf {DS}\) :

A digital signature scheme

ENC:

A symmetric encryption scheme

\(\mathcal {F}\) :

A MAC or digital signature forger—i.e., an adversary whose goal is to break the security of a MAC or digital signature scheme

\(\in _R\) :

For a finite set S we denote \(s \in _R S\) to be the process in which s is sampled uniformly from S

\(\mathcal {L}\) :

A quantum lightning adversary, i.e., an adversary whose goal is to pass verification for two bolts with the same serial number

LWE:

Learning with errors

MAC:

Message authentication code

[n]:

We denote \([n] \equiv \{1, \ldots , n\}\)

NTCF:

Noisy Trapdoor Claw-free Function

\(P\) :

A payer in a transaction

PQ-EU-CMA:

Post-quantum existentially unforgeable under an adaptive chosen-message attack

PQ-IND-CPA:

Post-quantum indistinguishable encryptions under a chosen-plaintext attack

\(\mathsf {QL}\) :

A quantum lightning scheme

\(R\) :

A receiver in a transaction

\(\mathcal {T}\) :

A QPT 2-of-2 solver—an adversary that attempts to solve both challenges of a 1-of-2 puzzle

\(V_2\) :

An algorithm that verifies solutions for both challenges of a puzzle

\( \mathcal Z\) :

A 1-of-2 puzzle

\(\hat{\mathcal Z}\) :

A weakly verifiable puzzle

B Preliminaries

This appendix contains mainly the standard definitions of private-key encryption and message authentication codes (MAC) and can be safely skipped by readers already familiar with these notions.

We use the standard definitions for negligible, non-negligible and noticeable functions—see, e.g., [27].

Definition 32

(Private-key encryption system, [31, Definition 3.7]) A private-key encryption scheme consists of three PPT algorithms \(\mathsf {key\text {-}gen}\), \(\mathsf {encrypt}\) and \(\mathsf {decrypt}\) such that:

1. 1.

   The randomized key-generation algorithm \(\mathsf {key\text {-}gen}\) takes as input and outputs a key .

2. 2.

   The (possibly randomized) encryption algorithm takes as input a key k and a plaintext message \(m \in \{0, 1\}^*\), and outputs a ciphertext \(c \leftarrow \mathsf {encrypt}_k(m)\).

3. 3.

   The deterministic decryption algorithm \(\mathsf {decrypt}\) takes as input a key k and a ciphertext c, and outputs a message \(m {:}{=}Dec_k(c)\).

A private-key encryption system is required to have perfect completeness, meaning that for every , every k output by , and every \(m \in \{0, 1\}^*\), it holds that .

Definition 33

(PQ-IND-CPA, adapted from [31, Definition 3.22]) A private-key encryption scheme \(\Pi \) has post-quantum indistinguishable encryptions under a chosen-plaintext attack (PQ-IND-CPA) if for every QPT distinguisher \(\mathcal {D}\) there is a negligible function such that, for all :

The indistinguishability game :

1. 1.

   A key k is generated by running .

2. 2.

   The distinguisher \(\mathcal {D}\) is given input and classical oracle access to \(\mathsf {encrypt}_k(\cdot )\), and outputs a pair of messages \(m_0, m_1\) of the same length.

3. 3.

   A uniform bit \(b \in _R \{0, 1\}\) is chosen, and then a ciphertext \(c \leftarrow \mathsf {encrypt}_k(m_b)\) is computed and given to \(\mathcal {D}\).

4. 4.

   \(\mathcal {D}\) continues to have oracle access to \(\mathsf {encrypt}_k(\cdot )\) and outputs a bit \(b'\).

5. 5.

   The output of the game is defined to be 1 if \(b'=b\), and 0 otherwise. In the former case, we say that \(\mathcal {D}\) succeeds.

Definition 34

(Message authentication code [31, Definition 4.1]) A message authentication code (MAC) consists of 3 PPT algorithms , and \(\mathsf {verify}\) satisfying:

1. 1.

   \(\mathsf {key\text {-}gen}\) takes as input the security parameter and outputs a key k

2. 2.

   takes as input a key k and a message \(m \in \{0,1\}^*\) and outputs a tag .

3. 3.

   \(\mathsf {verify}\) takes as input a key k, a message m, and a tag t. It outputs a bit \(b {:}{=}\mathsf {verify}_k(m,t)\), with \(b=1\) meaning valid and \(b=0\) meaning invalid.

A MAC is required to have perfect completeness, i.e., for every , every key and every \(m \in \{0,1\}^*\), it holds that .

Definition 35

(PQ-EU-CMA MAC, adapted from [31, Definition 4.2]) A message authentication code \(\Pi \) is Post-Quantum Existentially Unforgeable under an adaptive Chosen-Message Attack (PQ-EU-CMA) if for every QPT forger \(\mathcal {F}\), there exists a negligible function such that:

The CMA message authentication game :

1. 1.

   A key k is generated by running .

2. 2.

   The forger \(\mathcal {F}\) is given input , classical oracle access to and classical oracle access to \(\mathsf {verify}_k(\cdot )\). (Note that the forger cannot query the oracles in superposition.) The forger eventually outputs (m, t). Let \(\mathcal {Q}\) denote the set of all queries that \(\mathcal {F}\) asked its signing oracle.

3. 3.

   \(\mathcal {F}\) succeeds if and only if (1) \(\mathsf {verify}_k(m,t) = 1\) and (2) \(m \notin \mathcal {Q}\). In that case, the output of the game is defined to be 1.

Definition 36

(Digital signature scheme [31, Definition 12.1]) A digital signature scheme consists of three PPT algorithms \(\mathsf {key\text {-}gen}\), \(\mathsf {sign}\) and \(\mathsf {verify}\) such that:

1. 1.

   The key-generation algorithm \(\mathsf {key\text {-}gen}\) takes as input a security parameter and outputs a pair of keys (pk, sk). These are called the public key and the private key, respectively. We assume that pk and sk each has length of at least and that can be determined from either.

2. 2.

   The signing algorithm \(\mathsf {sign}\) takes as input a private key sk and a message m. It outputs a signature \(\sigma \leftarrow \mathsf {sign}_{sk}(m)\).

3. 3.

   The deterministic verification algorithm \(\mathsf {verify}\) takes as input a public key pk, a message m and a signature \(\sigma \). It outputs a bit \(b \leftarrow \mathsf {verify}_{sk}(m,\sigma )\), with \(b=1\) meaning valid and \(b=0\) meaning invalid.

A digital signature scheme is required to have perfect completeness, meaning that except with negligible probability over (pk, sk) output by , it holds that \(\mathsf {verify}_{pk}(m, \mathsf {sign}_{sk}(m))=1\) for every legal message m.

Definition 37

(PQ-EU-CMA digital signature scheme, adapted from [31, Definition 12.2]) A digital signature scheme \(\Pi \) is Post-Quantum Existentially Unforgeable under an adaptive Chosen Message Attack (PQ-EU-CMA) if for every QPT forger \(\mathcal {F}\), there exists a negligible function such that:

The signature experiment :

1. 1.

   \(\mathsf {key\text {-}gen}\) is run to generate to obtain keys (pk, sk).

2. 2.

   Forger \(\mathcal {F}\) is given pk and access to a signing oracle \(\mathsf {sign}_{sk}(\cdot )\). The forger than outputs \((m, \sigma )\). Let Q denote the set of all queries that \(\mathcal {F}\) asked its oracle.

3. 3.

   \(\mathcal {F}\) succeeds iff \(\mathsf {verify}_{pk}(m, \sigma )=1\) and \(m \notin Q\). In this case, the output of the experiment is defined to be 1 (and otherwise 0).

Lemma 38

(Difference Lemma [47, Lemma 1]) Let A, B, F be events defined in some probability distribution, and suppose that \(A \wedge \lnot F \iff B \wedge \lnot F\). Then, .

C Quantum Lightning with Bolt-to-Certificate

The following definitions are taken almost verbatim from [18]. The definitions originate in [53] and [17], but in this work we use the notations of the superseding work [18].

Definition 39

(Quantum Lightning [53]) A quantum lightning scheme consists of a PPT algorithm (where is a security parameter) which samples a pair of QPT algorithms \((\mathsf {gen\text {-}bolt}, \mathsf {verify\text {-}bolt})\). \(\mathsf {gen\text {-}bolt}\) outputs a pair of the form . We refer to \(\vert \psi \rangle \) as a “bolt” and to s as a “serial number.” \(\mathsf {verify\text {-}bolt}\) takes as input a pair of the same form, and outputs either “accept” (1) or “reject” (0). They satisfy the following:

• 

• For all :

  

Definition 40

(Security [53]) A quantum lightning scheme \(\mathsf {QL}\) is secure if, for all QPT bolt forgers \(\mathcal {L}\):

The bolt forging game :

1. 1.

   The challenger runs and sends \((\mathsf {gen\text {-}bolt}, \mathsf {verify\text {-}bolt})\) to \(\mathcal {L}\).

2. 2.

   \(\mathcal {L}\) produces a pair .

3. 3.

   The challenger runs \(\mathsf {verify\text {-}bolt}(\cdot , s)\) on each half of \(\vert \Psi _{12} \rangle \). The output of the game is 1 if both outcomes are “accept” (and otherwise 0).

Definition 41

(Bolt-to-certificate) For a quantum lightning scheme \(\mathsf {QL}\) to have bolt-to-certificate capability, we change the procedure slightly, so that it outputs a quadruple

$$\begin{aligned} (\mathsf {gen\text {-}bolt}, \mathsf {verify\text {-}bolt}, \mathsf {gen\text {-}certificate}, \mathsf {verify\text {-}certificate})\;, \end{aligned}$$

where \(\mathsf {gen\text {-}certificate}\) is a QPT algorithm that takes as input a quantum money state and a serial number and outputs a classical string of some fixed length for some polynomially bounded function l, to which we refer as a certificate, and \(\mathsf {verify\text {-}certificate}\) is a PPT algorithm that takes as input a serial number and a certificate, and outputs “accept” (1) or “reject” (0).

Let . We say that a quantum lightning scheme \(\mathsf {QL}\) has bolt-to-certificate capability if:

• 

• For all QPT algorithms \(\mathcal {C}\):

  

The certificate forging game :

1. 1.

   The challenger runs

   

   and sends the quadruple to \(\mathcal {C}\).

2. 2.

   \(\mathcal {C}\) returns and \((\vert \psi \rangle , s)\).

3. 3.

   The challenger runs \(\mathsf {verify\text {-}certificate}(s,c)\) and \(\mathsf {verify\text {-}bolt}(\vert \psi \rangle , s)\), and outputs 1 if they both accept (otherwise outputs 0).

D Trapdoor Claw-Free Families

Most of this section is taken verbatim from Brakerski et al. [13]. Let be a security parameter, and let \(\mathcal {X}\) and \(\mathcal {Y}\) be finite sets (depending on ). For our purposes, an ideal family of functions \(\mathcal {F}\) would have the following properties. For each public key k, there are two functions \(\{f_{k,b}:\mathcal {X}\rightarrow \mathcal {Y}\}_{b\in \{0,1\}}\) that are both injective, that have the same range (equivalently, \((b,x)\mapsto f_{k,b}(x)\) is 2-to-1), and that are invertible given a suitable trapdoor \(t_k\) (i.e., \(t_k\) can be used to compute x given b and \(y=f_{k,b}(x)\)). Furthermore, the pair of functions should be claw-free: it must be hard for an attacker to find two pre-images \(x_0,x_1\in \mathcal {X}\) such that \(f_{k,0}(x_0) = f_{k,1}(x_1)\). Finally, the functions should satisfy an adaptive hardcore bit property, which is a stronger form of the claw-free property: assuming for convenience that \(\mathcal {X}= \{0,1\}^w\), we want it to be computationally infeasible to simultaneously generate \((b,x_b)\in \{0,1\}\times \mathcal {X}\) and a nonzero string \(d\in \{0,1\}^w\) such that with a non-negligible advantage over \(\frac{1}{2}\) the equation \(d\cdot (x_0\oplus x_1)=0\) holds, where \(x_{1-b}\) is defined as the unique element such that \(f_{k,1-b}(x_{1-b})=f_{k,b}(x_b)\).

Unfortunately, we (as well as Brakerski et al.) do not know how to construct a function family that exactly satisfies all these requirements under standard cryptographic assumptions. Instead, Brakerski et al. construct a family that satisfies slightly relaxed requirements based on the hardness of the learning with errors (LWE) problem, and we will show that these are still adequate for our purposes. The requirements are relaxed as follows. First, the range of the functions is no longer a set \(\mathcal {Y}\); instead, it is \(\mathcal {D}_{\mathcal {Y}}\), the set of probability densities over \(\mathcal {Y}\). That is, each function returns a density, rather than a point. The trapdoor injective pair property is then described in terms of the support of the output densities: These supports should either be identical for a colliding pair or be disjoint in all other cases.

The consideration of functions that return densities elicits an additional requirement of efficiency: there should exist a quantum polynomial-time procedure that efficiently prepares a superposition over the range of the function, i.e., for any key k and \(b\in \{0,1\}\), the procedure can prepare a state that is close (up to a negligible trace distance) to the state

$$\begin{aligned} \frac{1}{\sqrt{\mathcal {X}}}\sum _{x\in \mathcal {X}, y\in \mathcal {Y}}\sqrt{f_{k,b}(x)(y)}\vert x \rangle \vert y \rangle \;. \end{aligned}$$

We modify the adaptive hardcore bit requirement slightly. Since the set \(\mathcal {X}\) may not be a subset of binary strings, we first assume the existence of an injective, efficiently invertible map \(J:\mathcal {X}\rightarrow \{0,1\}^w\). Next, we only require the adaptive hardcore bit property to hold for a subset of all nonzero strings rather than for the set \(\{0,1\}^w\setminus \{0^w\}\). Finally, membership in the appropriate set should be efficiently checkable, given access to the trapdoor.

Definition 42

(NTCF family) Let be a security parameter. Let \(\mathcal {X}\) and \(\mathcal {Y}\) be finite sets. Let \(\mathcal {K}_{\mathcal {F}}\) be a finite set of keys. A family of functions

$$\begin{aligned} \mathcal {F} \,=\, \big \{f_{k,b} : \mathcal {X}\rightarrow \mathcal {D}_{\mathcal {Y}} \big \}_{k\in \mathcal {K}_{\mathcal {F}},b\in \{0,1\}} \end{aligned}$$

is called a noisy trapdoor claw-free (NTCF) family if the following conditions hold:

1. 1.

   Efficient Function Generation. There exists an efficient probabilistic algorithm \(\mathsf {key\text {-}gen}_{\mathcal {F}}\) which generates a key \(k\in \mathcal {K}_{\mathcal {F}}\) together with a trapdoor \(t_k\):

   
2. 2.

   Trapdoor Injective Pair. For all keys \(k\in \mathcal {K}_{\mathcal {F}}\), the following conditions hold.

   1. (a)

      Trapdoor: For all \(b\in \{0,1\}\) and \(x\ne x' \in \mathcal {X}\), \(\textsc {Supp}(f_{k,b}(x))\cap \textsc {Supp}(f_{k,b}(x')) = \emptyset \). Moreover, there exists an efficient deterministic algorithm \(\text {INV}_{\mathcal {F}}\) such that for all \(b\in \{0,1\}\), \(x\in \mathcal {X}\) and \(y\in \textsc {Supp}(f_{k,b}(x))\), \(\text {INV}_{\mathcal {F}}(t_k,b,y) = x\).

   2. (b)

      Injective pair: There exists a perfect matching \(\mathcal {R}_k \subseteq \mathcal {X}\times \mathcal {X}\) such that \(f_{k,0}(x_0) = f_{k,1}(x_1)\) if and only if \((x_0,x_1)\in \mathcal {R}_k\).

3. 3.

   Efficient range superposition.²⁴ There exists an efficient procedure SAMP\(_{\mathcal {F}}\) that on input k and \(b\in \{0,1\}\) prepares a state \(\vert \psi ' \rangle \) which has a negligible trace distance to the state

   $$\begin{aligned} \vert \psi \rangle = \frac{1}{\sqrt{|\mathcal {X}|}}\sum _{x\in \mathcal {X},y\in \mathcal {Y}}\sqrt{(f_{k,b}(x))(y)}\vert x \rangle \vert y \rangle \;. \end{aligned}$$
4. 4.

   Adaptive Hardcore Bit. For all keys \(k\in \mathcal {K}_{\mathcal {F}}\), the following conditions hold, for some integer w that is a polynomially bounded function of .

   1. (a)

      For all \(b\in \{0,1\}\) and \(x\in \mathcal {X}\), there exists a set \(G_{k,b,x}\subseteq \{0,1\}^{w}\) such that \(\Pr _{d\leftarrow _U \{0,1\}^w}[d\notin G_{k,b,x}]\) is negligible, and moreover there exists an efficient algorithm that checks for membership in \(G_{k,b,x}\) given k, b, x and the trapdoor \(t_k\).

   2. (b)

      There is an efficiently computable injection \(J:\mathcal {X}\rightarrow \{0,1\}^w\), such that \(J\) can be inverted efficiently on its range, and such that the following holds. If

      

      (8)

      ²⁵ then for any quantum polynomial-time procedure \(\mathcal {A}\) there exists a negligible function \(\mu (\cdot )\) such that

      

      (9)

Theorem 43

(Informal) Under the assumption that the learning with errors (LWE) problem with certain parameters is hard for \(\textsf {BQP}\), an NTCF family exists.

The hardness definition of LWE and the exact parameters required for the theorem above are given in [13, Theorem 26].

E The Advantage of Memoryless Money

When discussing any form of quantum money, we must consider the motivation, i.e., the benefits over classical constructions—for example, we could construct a rudimentary private classical money scheme in the following way: Upon minting, the bank would produce a random serial number significantly long for some security parameter and sign it using a MAC. The bank would maintain a database of all banknotes that have already been spent, and upon verification, after verifying the MAC tag of the banknote, the bank would search for its serial number within the database—if it is not there, the verification succeeds and the serial number is added to the database, and if it is there the bank would know the money was already spent and thus verification will fail (of course, the bank would have to mint a new banknote for the user after a successful verification). Gavinsky [24] discusses a similar notion.

This scheme is counterfeit-resistant according to our security definitions. However, it is memory-dependent (also known as state-based); i.e., the bank has to maintain a database to represent an ongoing state, remembering the banknotes that were spent. On its own, a memory-dependent protocol is not a terrible problem; many services maintain a database. This, however, becomes a liability when considering multiple branches of the same bank: a central database must maintain the shared state and synchronize the access to it (otherwise information would have to propagate between the branches, causing potential security breaches during the propagation time); this has a toll in terms of response time and communication.

Constructing a memory-dependent (classical) private money scheme is trivial—the scheme above is an extremely simple example—so such a construction is not particularly interesting. The case is different, however, in the public setting; constructing even a memory-dependent quantum money scheme that is publicly secure is challenging (and impossible to achieve classically), and thus such a construction is an interesting result.

In semi-quantum money we assumed the users are quantum while the bank branches are classical. It is natural to consider reversing this setting so that the users are classical and only the bank branches are quantum. We note that in any setting where the users are classical, any verification must involve communication between all branches: Consider an adversary which receives one bill from the bank by following the minting protocol. The adversary now has a classical state, which we denote by S. At this point, if the adversary follows the (honest) verification protocol with branch \(B_1\), verification would accept, since his bill was valid. The adversary could now rewind his classical state to S and run the verification with branch \(B_2\). Since the branches are not allowed to communicate, the second branch would also accept. In other words, double-spending becomes trivial in any scheme in which there are multiple, non-communicating quantum bank branches. We emphasize that our private semi-quantum money construction does not require communication between the bank branches.

F Parallel Repetition of Weakly Verifiable Puzzles

As seen in Sect. 4.3, our main tool for proving parallel repetition for 1-of-2 puzzles is the notion of weakly verifiable puzzles introduced by [15]. This section provides a brief informal overview of their parallel repetition proof for weakly verifiable puzzles (Theorem 20).

The goal is to show a reduction from an algorithm A (which in our case may be quantum) that solves n weakly verifiable puzzles in parallel with probability at least for some non-negligible h to an algorithm \(A'\) solving a single puzzle with probability at least . This shows that the best strategy for solving n puzzles has the same probability (up to a negligible difference) of solving each puzzle separately.

Denote the event where A solves the puzzle \(p_i\) correctly by \(S_i\), and denote the event where A solves puzzles \(p_k, \ldots , p_n\) correctly by \(R_k\). We call a puzzle coordinate \(i \in [n]\) good if it holds that , i.e., if the probability that A solved \(p_i\) correctly conditioned on the probability that A solved \(p_{i+1}, \ldots , p_{n}\) correctly is at least h, where the probability is taken over the randomness of A as well as over the random choices of puzzles \(p_1, \ldots , p_n\). We make the following statistical observation:

The last inequality holds because we know the probability of A to solve all n puzzles is at least \(h^n\). Therefore, we conclude that at least one of the following must hold: either \(\underset{p_1,\ldots ,p_n}{\Pr }[S_1|R_2] \ge h\), or \(\underset{p_1,\ldots ,p_n}{\Pr }[R_2] \ge h^{n-1}\). Meaning either 1 is a good coordinate, or the probability that A solves the last \(n-1\) puzzles of its input is at least \(h^{n-1}\).

If 1 is a good coordinate, then \(A'\) solves its original puzzle in the following way: \(A'\) runs A with \((p, p_2, \ldots , p_n)\)—where p is the original challenge puzzle and \(p_2, \ldots , p_n\) are randomly generated by \(A'\)—until puzzles \(p_2, \ldots , p_n\) were solved correctly.²⁶ Since 1 is a good coordinate, we know that if A solved puzzles \(p_2, \ldots , p_n\) correctly, the first puzzle is also solved correctly with probability at least h, as needed.

If 1 is not a good coordinate, then we know the probability of A to solve \(n-1\) puzzles is at least \(h^{n-1}\). This provides us with a solver for \(n-1\) puzzles with probability at least , and the reduction continues by induction. Eventually, \(A'\) will either reach a good coordinate i and solve it with probability at least h as described above, or arrive at a solver that solves a single puzzle—the last puzzle—with probability at least h.

To find out whether i is a good coordinate, A estimates \(\underset{p_1,\ldots ,p_n}{\Pr }[S_i|R_{i+1}]\). This is done by generating n puzzles, and running A multiple times, all the while checking whether puzzles \(p_{i+1}, \ldots , p_n\) were solved correctly, and if so checking whether puzzle \(p_i\) was also solved correctly. Since , this estimation can be done efficiently with high probability.

The proof itself in [15] is more complex than the outline given here. For example, we cannot know for sure if a coordinate is a good coordinate, since we can only estimate the probabilities within some polynomial bounds—the original proof deals with these issues.

Note that this parallel repetition is “perfect”—i.e., it shows that the best strategy for solving multiple puzzles has the same probability as solving them separately (up to a negligible difference). This would not be the case if we had more than 2 rounds—for 3 rounds the repetition would not be perfect, and for 4 rounds the soundness error does not decrease exponentially at all [10]. We can see that the proof above indeed would not work for more than 2 rounds: In our reduction, when we find a good coordinate i, we run the multiple-puzzle adversary multiple times until the puzzles \(p_{i+1}, \ldots , p_n\) are solved correctly, and then our original puzzle is solved correctly with probability h. But in the case of multiple rounds, the single-puzzle adversary is required to provide the multiple-puzzle adversary with messages from the challenger for all the puzzles, including the original one. The answers of the multiple-puzzles adversary for each puzzle can therefore depend on messages for all the puzzles, but we can run the protocol for the original puzzle with the challenger only once—i.e., we cannot provide the challenger’s answers for the original puzzles more than once. Therefore, we cannot condition on the adversary solving \(p_{i+1}, \ldots , p_n\) correctly, meaning that if we can run the adversary only once our success probability will not be h as needed.

G Transaction Figures

This section contains figures showing transactions can be made with each flavor of quantum money and the kind of communication they require (quantum or classical). Fat arrows \(\Rightarrow \) indicate quantum communication, and thin arrows \(\rightarrow \) indicate classical communication. A two-sided arrow indicates two-sided communication (Figs. 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15).

Fig. 2

Regular (non-quantum) money direct transaction. The communication required is one-way, though usually two-way communication is used to send confirmations for actions

Fig. 3

Regular (non-quantum) money bank transaction. Though it is possible for communication between payer and bank to be one-way, usually the authentication process is an interactive protocol, and the payer receives confirmation from the bank, making communication two-way

Fig. 4

Private quantum money direct transaction

Fig. 5

Quantum money bank transaction

Fig. 6

Private classically verifiable direct transaction. In step (b), receiver acts as a relay between payer and bank and thus can be sure the banknote was valid

Fig. 7

Classically verifiable bank transaction

Fig. 8

Private classically verifiable direct transaction for a scheme which allows multiple verifications for the same banknote. Note that after a finite number of verifications the banknote is destroyed and communication with the bank is required, like in Fig. 6

Fig. 9

Classically verifiable bank transaction for a scheme which allows multiple verifications for the same banknote. For some such schemes, it could be possible to have a classical verification that ensures the banknote was destroyed, in which case a transaction through the bank could be executed like in Fig. 11

Fig. 10

Private classical minting direct transaction

Fig. 11

Classical minting bank transaction

Fig. 12

Private semi-quantum direct transaction. In step (b), receiver acts as a relay between payer and bank and thus can be sure the banknote was valid

Fig. 13

Semi-quantum bank transaction

Fig. 14

Public quantum money direct transaction

Fig. 15

One-shot signature direct transaction