Signing Perfect Currency Bonds

Subhayan Roy Moulick∗ and Prasanta K. Panigrahi† Indian Institute of Science Education and Research Kolkata, Mohanpur 741246, West Bengal, India (Dated: May 23, 2019) We propose the idea of a Quantum Cheque Scheme, a cryptographic protocol in which any legitimate client of a trusted bank can issue a cheque, that cannot be counterfeited or altered in anyway, and can be verified by a bank or any of its branches. We formally define a Quantum Cheque and present the first Unconditionally Secure Quantum Cheque Scheme and show it to be secure against any no-signaling adversary. The proposed Quantum Cheque Scheme can been perceived as the quantum analog of Electronic Data Interchange, as an alternate for current e-Payment Gateways.

PACS numbers: 03.67.Dd, 03.67.Hk, 03.67.Ac

I. INTRODUCTION in addition to security against counterfeiters, owing its origin to the pioneering works of Mosca and Stebila [11]. Replication of classical information is a significant nui- They proposed a scheme based on blind quantum com- sance in copy-protection. Any physical entity created putation that required a verifier to do an obfuscated ver- classically can be, in principle, copied. Currency bonds, ification with the bank and learn only the validity of the printed on textile and paper, are no exception, and any quantum coin. This however is a private key protocol adversary, given sufficient time and resources, can be and requires communication with the bank. able to counterfeit currency bonds. However, the quan- In this paper we propose the idea of Quantum Cheques tum regime can circumvent this problem, exploiting the and present a construction of an Quantum Cheque ‘No Cloning Theorem’ [1], and pave way for unforgeable Scheme with Perfect Security against any No-Signaling Quantum Currency that are impossible to counterfeit adversary. Generally, in a Quantum Cheque Scheme, a and can have the property of perfect security. trusted bank acts as a key generation center and pro- The idea of Quantum Money was conceived by Wies- vides every account holder with a quantum analogue of ner in 1969 [2, 3]. While it inspired several fundamental a cheque book and can store relevant information about ideas, it did not receive much attention for the next 40 the cheque book secretly. Any account holder, who has years, possibly due to the limitations of technology. It a valid ’quantum cheque book’ can issue cheques that is only recently that, there has been a surge of interest can be verified by the bank or any of its branches, with in the possibility of exploiting the laws of quantum me- which the bank shares a classical communication chan- chanics to create unforgeable tokens for currency. While nel. We present the protocol in an idealized form assum- Wiesner’s original scheme was broken recently [4–6], the ing perfect state preparations, transmissions, and mea- idea of using quantum states to create unforgeable cur- surements, that can also be realized, efficiently, with few rency persisted. Recent progress in the area have been qubit systems, without compromising on the security. made by Aaronson [7], who formally studied public key Given the active research with the promise to imple- quantum money and showed its existence relative to a ment long distance quantum communication networks quantum oracle. In the same paper he also proposed a [12–14], a quantum cheque scheme can be perceived scheme, without an oracle, based on random stabilizer as the quantum analog of Electronic Data Interchange states. However, it was broken by Lutomirski et al. [8], (EDI), as an alternate for current e-Payment Gateways, within a year. Recently Farhi et al. [9], proposed a used widely in e-commerce, that authorizes credit card scheme for quantum money, using ideas from knot theory. payments, which rely on classical communication and Also Aaronson et al. [10], proposed a scheme for quan- computational assumptions for their security. While the arXiv:1505.05251v2 [quant-ph] 6 Aug 2015 tum money from hidden subspaces. While the security present classical protocols, rely on time-stamping com- of Aaronson et al.’s scheme can be proved using a black munications to ensure against double spending, a quan- box security and non-black box security under plausible tum protocol instinctually averts that problem, due to cryptographic assumptions, the security of Farhi et al.’s No-Cloning Theorem. Another major advantage of such scheme is not known and analyzing it would require an- quantum cheques will be the fact that they can be real- swering fundamental knot theory problems which has no ized through physical devices using quantum memories known practical solutions. [15, 16], as well as can be used to stream in the quan- Another research direction in quantum currency is the tum internet without the need for quantum memory[17]. invention of Quantum Coins, which aspires anonymity, With physical devices, equipped with quantum memories, one can imagine storing quantum states in their computers or smart cards to efficiently perform trans- actions in person or over the quantum internet. While, ∗ [email protected] without Quantum Memory, one would require the pro- † [email protected] tocol to run in real time, i.e., the Bank prepares and se- 2 curely sends the ’quantum cheque book’ to the account B. Fredkin Gate: holder, following which, the account holder (issuer) at once prepares the Quantum Cheque, presents it to the re- In the classical regime, comparing the equivalence of ceiver. The receiver then immediately relays the cheque two bit strings is strightforward, however, due to the no- to the Bank, who verifies its (in)validity right away. cloning theorem, Ψ might not be able to produce the ex- The paper is organized as follows. Section II discusses act ψ state. To compare states ψ and ψ0 , we utilize the cryptographic tools, required to realize the Quantum the| Fredkini gate (C-swap gate).| Wei prepare| i an ancilla Cheque Scheme, namely, Quantum One Way Functions, |0i+|1i qubit 2 and perform a controlled swap test on two Swap Testing Circuits, and Digital Signatures. Follow- state ψ and ψ0 . If ψ = ψ0 , the ancilla qubit, after ing that, in Section III, the Quantum Cheques are de- performing| i a Hadamard| i | operatori | i yields 0 , on measuring fined and an Unconditionally Secure Quantum Cheque on a computational basis, and is said to| i pass the swap Scheme is proposed therein. The security of the scheme test. For ψ ψ0 δ, the ancilla qubit, after perform- is analyzed in Section IV. Section V concludes the paper, ing the necessaryh | i ≤ Hadamard Gates, upon measurement briefly summarizing the ideas. 1+δ2 passes the test with probability 2 , and fails the test 1−δ2 with probability 2 . Evidently, the swap test always passes for the same inputs, and sometimes fails if they are II. PRELIMINARIES different. By repeating the swap test, one can amplify its efficiency. A. Quantum One Way Functions: ✤❴❴❴❴❴❴❴❴L ✤ ✤ ✙✙ ✤ ✤ ✙ ✤ 0 H H ✤ ✙✙ ✤ | i • ✤ ✙ ❴❴❴❴❴❴❴❴ ✤ For the present scheme one needs a limited-utility ψ quantum one way function [18, 19], based on the fun- | i damental properties of quantum system, where unlike Uswap ψ classical bits, qubits can exist in superpositions. An | ′i arbitrary quantum state Φ of a qubit resides in the | i Hilbert space C and can be written as, Φ = α 0 +β 1 , FIG. 1. depicts a circuit for the Fredkin Gate that non- | i | i | i 0 where α, β C, are the probability amplitudes, satisfy- destructively compares quantum states ψ and ψ , with an ing α 2 + β∈ 2 = 1 and 0 and 1 form an orthonormal additional ancilla qubit basis.| | The| distance| between| i two| qubiti states φ and φ0 p | i | i is defined as 1 φ φ0 2. Using volumetric analysis, − |h | i| ⊗n it may be seen that there exists n qubit states φk , ⊗n ⊗n 0 {| i } such that φk φk0 δ for k = k . Buhrman et al. C. Digital Signatures: | ≤ 6 n [20], showed for δ = 0.9, the size of the set can be 2O(2 ). A quantum one way function is defined as, A digital signature scheme, Π, is a 6-tuple (M, Σ, U, Gen, Sign, V rfy), where, ⊗n Ψ: k 0 ψk , × | i → | i M is the finite set of valid messages, Σ is the finite • ∗ set of valid signatures, and U is the finite set of where k 0, 1 and ψk is a n qubit quantum state, users. such that,∈ { } | i − The key-generation algorithm, Gen, takes in a se- Ψ is easy to compute, i.e., there exists a • curity parameter 1k, and outputs the Sign, V rfy • polynomial-time algorithm that can evaluate algorithms and the public parameters. ⊗n Ψ(k, 0 ) and outputs ψk , | i | i The signing algorithm, Sign, is a mapping, Sign : • M U Σ Ψ is hard to invert, i.e., given ψk , it is difficult to × → • | i compute k The verification algorithm, V rfy, is a mapping, • V rfy : M Σ U T rue, F alse . At this point, it may be noted that, this construc- × × → { } tion can be realized in agreement with Holevo’s theo- It is required that, for every (Sign, V rfy) Gen(1k), rem, which limits the amount of classical information for all k, and m M, and users i and j, it holds← that that can be extracted from a quantum state [21]. For ∈ a binary string, k, of length L, and C copies of ψk , one V rfyj(m, Signi(m),Ui) = T rue can only learn almost Cn bits of information. By| havingi L >> Cn, one could achieve a one way function, that is Informally, a digital signature scheme, Π, must satisfy impossible to invert. the following security conditions 3

1. Unforgeability: Except with a negligible (under a where X = χ1, χ2, , χq , is a counterfeiter that polynomial factor) probability, it should be impos- Counterfeits a{ cheque (formally··· } C defined later ) that out- 0 0 0 0 sible for an adversary to produce a valid signature puts X = χ1, χ2, , χq0 , that Verify accepts, and ∅ denotes an{ empty set.··· } 2. Non-repudiation: Except with a negligible (under a polynomial factor) probability, the signer should not be able disavow a legitimate signature. B. The Quantum Cheque Scheme: Here, we do not discuss explicit constructions of digital signatures in detail, and instead use an unconditionally For purposes of brevity, we introduce three parties, secure digital signature scheme, Π = (Gen, Sign, V rfy) Alice, Abby and Bank to describe the scheme. The Bank as a black box. Suitable constructions of an uncondition- can have several branches and can be thought of as a ally secure classical digital signature using multivariate set of parties connected by a (secure) classical channel polynomials have been proposed by Hanoka et al. [22], with the main branch. The main branch is denoted just Chuam and Roijakkers [23], where they assume the keys as Bank in the rest of the paper. Only the Bank is a are prepared by a trusted third party. A quantum dig- trusted party in the protocol, and not necessarily the ital signature scheme have been given by Chuang and branches. Alice plays the role of the customer, who issues Gottesman [18, 19]. the cheque to Abby, the vendor. Abby then submits it to the Bank (or any of its branches), to encash. The Bank (or any of its branches) verifies the (in)validity of III. QUANTUM CHEQUES the cheque. In the protocol, we only assume Alice and Bank are honest. Any other player can be dishonest and A. Definition of a Quantum Cheque Scheme: adversarial. Gen: Alice and the Bank create a shared key k. This Ideally, a cheque is expected to have the following prop- has to be done only once and can be efficiently realized erties, by using, for example, the BB84 Protocol or simply by Alice going to the Bank physically. A trusted bank or any of its branches must be able Alice and the Bank also agree on an informa- • to verify the authenticity of a cheque. tion theoretically secure digital signature scheme Π = (Gen, Sign, V rfy), and Alice submits her public key, pk, An issuer, after issuing a cheque, must not be able to the Bank and secretly stores her Private Key, sk. • to disavow issuing it. The Bank prepares a string of l GHZ states, No adversary must be able to counterfeit a cheque E E E E • (i) √1 (i) (i) (i) under some issuer’s name or use a cheque more than φ = 2 0 0 0 GHZ A1 A2 B once to withdraw money. E E E (i) (i) (i) + 1 1 1 Informally, a Quantum Cheque Scheme consists of A1 A2 B three algorithms, Gen, which takes as input a security parameter with 1 i l and corresponding unique serial number • s 0,≤1 n ≤and gives two of the three particles (entan- and probabilistically generates a ’cheque book’ and ∈ { } key for the issuer. gled qubits) from every GHZ triplet state and the serial number to Alice (via a secure channel), and stores the Sign, which takes as input the issuer’s key and third particle (entangled qubit) secretly along with other • amount to be signed, and produces a quantum state details in a private database. For conciseness, we adopt (i) χ called a Cheque. (This state χ is an ordered pair the notation φ i=1:l to denote a set(string) of { GHZ } (id, $, ρ$), where id and $ are classical description (1) (2) (l) states, φ GHZ , φ GHZ ,..., φ GHZ , through- of the issuer’s identity and amount signed respec- out the{ rest of the paper. } (i) (i) tively, and ρ$ is a quantum cheque state.) Alice now holds (id, pk, sk, k, s, φ , φ i=1:l). A1 A2 { (i) } Verify, which takes in as input the key, and the and the Bank holds (id, pk, k, s, φ i=1:l), { B} • alleged cheque χ and decides its (in)validity. Sign: To Sign a cheque worth amount M, Alice generates a random number r U{0,1}L and prepares a The Scheme is said to have a completeness error , if n-qubit state, ← valid cheques χ, ∀ ψalice = f(k id r M), P r V erify(χ) accepts 1 , | i || || || ≥ − where f : 0, 1 ∗ 0 ⊗n ψ is a quantum one The Scheme is said to have a soundness error δ, if { } × | i → | i counterfeiters , ∀ way function, k is the secret key otherwise shared only C between Alice and Bank, id is the identity of Alice and 0 0 P r X X = ∅ : X (X) δ, x y represents concatenation of two bit-strings x and y. \ 6 ← C ≤ || 4

(i)E Alice also prepares l states ψ i=1:l corresponding Verify: Abby when produces the Quantum Cheque { M } (i) ∗ χ = (id, s, r, σ, M, φ i=1:l, ψalice ) at any of the to the amount M using the one way function g : 0, 1 { A2 } | i 0 ψ , as { } × valid branches of the bank, the branch communicates | i → | i (securely) with the Bank’s main branch, and checks the E (i) validity of the (id, s) pair and runs a veriﬁcation using ψM = g(r M i) || || V rfypk(σ, s). If (id, s) and σ is invalid, the branch destroys the cheque and aborts. Else, the respective branch for all i, s.t. 1 i l. continues with the veriﬁcation. To create the≤ cheque,≤ Alice uses one of her entangled The main branch now performs a measurement, in the (i) (i)E qubits, φ , (with serial number s) to encode ψ A1 M Hadamard basis, on its copy of φ , to obtain outcomes | iB as follows [24]. + or and communicates (securely) the results via (i)E a| classicali |−i channel to the appropriate Branch. Based on To encode the i th qubit, ψ = αi 0 + βi 1 with − M | i | i the outcome, the Branch performs the following Pauli (i)E (i) (i)E the i th GHZ state, Alice combines ψM and one of her Matrix on φ , to recover ψ . − A2 M entangled qubits from the i th pair, φ(i) , and per- A1 − + I σZ forms a Bell measurement on the two. More concretely, | i → |−i → the four particle entangled state can be described as (i) This is done l times for each of φ A i=1:l, to re- E { 2 } E cover ψ(i) . The Bank computes ψ,(i) = E E M i=1:l M i=1:l (i) (i) { } { } φ = ψM φ GHZ g(r M i) i=1:l and performs a swap test on each state ⊗ | i { || E || } E ,(i) (i) 1 + ψM and ψM . = Ψ (αi 00 + βi 11 { } { } A1 A2B A2B 0 2 | i | i The Bank also computes ψalice = f(k id r M) and − + Ψ (α 00 β 11 (1) | i || || || A i A2B i A2B again performs a non-destructive swap test on states 1 | i − | i 0 + ψalice and ψalice . + Φ (βi 00 A B + αi 11 A B | i | i A1 | i 2 | i 2 The Bank (or branch) accepts the cheque if both − 0 + Φ (βi 00 αi 11 the swap tests pass, i.e., if ψalice ψ κ1 and A1 A2B A2B alice | i − | i D (i) ,(i)E h | i ≥ ψ ψ κ2 i=1:l, where κ1 and κ2 are the thresh- where Ψ+ , Ψ− , Φ+ , Ψ− denotes one of the four { M | M ≥ } Bell states,| thati | is theni | measuredi | i by Alice. olding constants, that serve as security parameters deter- If Alice’s result, from equation (1), is Ψ+ or Ψ− , mined by the bank. The Branch rejects and aborts the the Bank’s density matrix of its GHZ particle| i reads| i transaction otherwise, and also destroys the cheque.

2 2 ρB = αi 0 0 + βi 1 1 (2) | | | iBB h | | | | iBB h | IV. SECURITY OF THE QUANTUM CHEQUE while if Alice’s measurement outcome is Φ+ or Φ− , SCHEME the Bank’s density matrix of its GHZ particle| readsi | i A. Impossibility of Counterfeiting: 2 2 ρB = βi 0 0 + αi 1 1 (3) | | | iBB h | | | | iBB h | For purposes of contradiction, suppose there exists an Following that, Alice performs a suitable gate opera- adversary that breaks the proposed Quantum Cheque tion (Pauli matrix) based on the observed Bell State as Scheme, X.A Let χ Expt (1k) denote the experi- follows, A,X ment, ← + − Ψ I Ψ σZ k Sign(·) | + i → | − i → (params) Gen(1 ), χ (id, pkid) Φ σX Φ σY ← ← A | i → | i → (i) where params are the parameters generated by the algo- Now, the information of ψ has been split between rithm Gen( ), k the security parameter and is allowed φ(i) and φ(i) . Based on the observed Bell State, · A A2 B polynomially bounded number of queries to its signing Alice performs a suitable error correction (Pauli Matrix) oracle, Sign( ), for a signer id. Let M1,M2 ...Mq be (i) · { } on φ A , that she posses. This encoding procedure is the amounts queries the signing oracle in a particular 2 E A (i) experiment, to get Quantum Cheques χ1, χ2, . . . , χq re- carried out l times for each of the ψM i=1:l. { } { } spectively. Alice also signs the serial number s as σ Signsk(s). Let Counterfeit be the event, Alice ﬁnally produces a Quantum Cheque← (V erify(χ0) = 1) χ0 / χ , χ , . . . , χ E 1 2 q (i) ∧ ∈ χ = (id, s, r, σ, M, φ i=1:l, ψalice ) { A2 } | i We deﬁne, 0 k and gives it to Abby. SuccA,X = P r χ ExptA,X (1 ): Counterfeit ← 5

FIG. 2. (A) Circuit used for signing a Quantum Cheque by Alice, (B) The Quantum Cheque, (C) Circuit used for verifying the Quantum Cheque by the Bank

For the scheme X to be unconditionally secure, seminal work on quantum secret sharing. SuccA,X must be negligible for any adversary, , with The only remaining strategy for an adversary, that A unbounded computational resources and time where is has access to q cheques χ , χ . . . χ , is to per- A 1 2 q only limited by physical laws. form some unitary operation{ to at least} one of the 0 An unknown quantum state ψ cannot be perfectly cheques, χj and modify it and produce a tuple χ = cloned, as known from the no cloning| i theorem. Imperfect 0 0 0 0 ,(i) 0 0 (id, s , r , σ ,M , φ i=1:l , ψAlice ), such that χ / { } | i 0 0 ∈ cloning as shown by Buˇzekand Hillary [25], where an χ1, χ2 . . . χq and V erify accepts χ , where M = M algorithm that takes ψ as input and outputs two qubits { } ,(j) (j) 0 6 and j, s.t., φ = φ and ψ = ψAlice ∃ 6 | Alicei 6 | i such that the reduced density matrix of either output For purposes of contradiction, suppose the ad- qubit, ρ, satisfies ψ ρ ψ = 5/6. This was later proved to h | | i versary, successfully modifies a cheque χ = be optimal [26, 27]. By having the security parameter κ, A (i) 0 (id, s, r, σ, M, φ i=1:l , ψAlice ) to produce χ = used by the bank for the swap tests, such that κ > 0.91, it 0 0 0 {0 ,(i) } | 0 i (id, s , r , σ ,M , φ , ψ ). can be made impossible for any adversary to copy states { i=1:l} | Alicei and reuse the same cheque more than once. Basically since he cannot forge new cheques (due to It must be noted, an adversary, that successfully forges reasons mentioned earlier), he can only manipulate the a new cheque for an id, would require the knowledge qubits stored in the different registers of the quantum of the (classical) secret key, k, corresponding to id. cheques he has access to, up to an unbounded number of Unitary operations. Clearly if M 0 = M or r0 = r, then However, even if the adversary has access to q differ- 6 6 ent cheques with n qubits per cheque, signed by a key the adversary at least needs to produce a correspond- L ing signature state ψalice , which in turn would imply k 0, 1 , Holevo’s theorem limits the amount of clas- | i sical∈ { information} that can be extracted from a quantum the Quantum One Way Function is not secure, and that happens w.p. 2−(O(L)−qn). Another strategy for an state [21]. By having L >> qn, it can be made im- ≤ possible for an adversary to extract relevant information adversary would be to not modify the signature state, about the secret key, and can only guess the key with but the entangled qubits using only local operations on probability P 2−(O(L)−qn). the adversaries local system. ≤ Also, the fact that the adversary does not have access However, it can be seen for an entangled state, say Ψ = α 00 + β 11 represented by ρ = Ψ Ψ , and to the required pairs of GHZ states, that are otherwise | i | i | i | i h | shared only among a trusted Bank and the issuer, it is given access to only one qubit, ρa = T rb(ρab) , if it were possible to modify that to produce Ψ0 = α0 00 +β0 11 impossible for an adversary to produce a cheque χ that 0 0 | i | i | i would be verified by a Bank, due to the fact that entan- for a specific value of (α , β ), it would imply signaling. This is because the adversary can do a local operations glement is monogamous [28–31] and it would be impos- 0 0 (i)E and set the values of α and β to √1 and √ (or sible to produce states φ i=1:l. This can be traced − { M } vice versa) to send a message bit 0 (or 1), with a party back to the unconditional security of Hillary et al.’s [24] with whom he shares entanglement with, faster than the 6 speed of light. form of quantum cheques and presented the first con- So, any that can Counterfeit, can violate the No- struction for an unconditionally secure quantum cheque Signaling PrincipleA or breaks the QOWF. Hence as long scheme, where a bank and its client share GHZ states and as the No-Signaling Principle holds, the SuccA,X must a classical bit string as a secret key. The client can issue be 2−(O(L)−qn). quantum cheques, χ, and these quantum states can be ≤ physically stored in a quantum memory or transmitted in the anticipated quantum internet without the need B. Impossibility of Non-Repudiation by Signatory: for long term storage of qubits. The bank, or any of its branches that are connected by a classical channel, For purposes of contradiction, suppose there exists an can verify the (in)validity of an alleged quantum cheque. issuer, , which can repudiate a quantum cheque issued The proposed scheme is claimed to be unconditionally se- by it earlier.A Then we can construct an algorithm cure based on fundamental laws of quantum information that can break the unconditionally secure digital signa-B - Holevo’s Theorem and the No-Signaling Theorem. Also ture scheme Π and violate the property of nonrepudia- the fact that it is impossible to clone quantum states pre- tion. vents replication of quantum cheques for a utility gain of This is straightforward to see, where allows an adversary. Such cheques are expected to play a piv- to access the Sign Oracle and after polynomi-B otal role in the much anticipated quantum internet as allyA many queries, requests a cheque χ = payment gateways and can also be used in a consumerist B A market where the quantum states can be stored in quan- (id, s, r, σ, M, φ A2 i=1:l, ψA ) and a (possibly zero knowledge) proof,{| i P}, of | ’si capacity to repudiate the tum memories. cheque. then simply producesA (s, σ) as a signature ACKNOWLEDGMENTS and the proof,B P , as a challenge to the property of the non-repudiation of the claimed Unconditionally Secure Signature (USS) Scheme, Π. However, this leads to a contradiction to the assumption that Π is an unconditionally secure scheme. Here only a proof sketch is given. To analyze the security of the scheme to its full glory, is left for future study [32, 33].

V. CONCLUSION S.R.M. thanks Robin Kothari (MIT) for his helpful ref- erences to the literature of imperfect cloning and Madhur To conclude, we have put forward here, the idea of Srivastava (Cornell) and Anirban Dey for helpful discus- utilizing quantum states to fabricate currency bonds, in sions.

[1] W. Wooters and W. Zurek, Nature 299, 802 (1982). [10] S. Aaronson and P. Christiano, in Proc. of the 44th An- [2] S. Wiesner, ACM Sigact News 15, 78 (1983). nual ACM Symposium on Theory of Computing (ACM, [3] C. H. Bennett, G. Brassard, S. Breidbart, and S. Wies- 2012) pp. 41–60. ner, in Advances in Cryptology (Springer, 1983) pp. 267– [11] M. Mosca and D. Stebila, Error-Correcting Codes, Finite 275. Geometries and Cryptography 523, 35 (2010). [4] A. Lutomirski, arXiv preprint arXiv:1010.0256 (2010). [12] E. Biham, B. Huttner, and T. Mor, Phys. Rev. A 54, [5] A. Molina, T. Vidick, and J. Watrous, in Theory of 2651 (1996). Quantum Computation, Communication, and Cryptog- [13] H. Kimble, Nature 453, 1023 (2008). raphy, 2012 (Springer, 2013) pp. 45–64. [14] L.-M. Duan and C. Monroe, Rev. of Mod. Phys. 82, 1209 [6] A. Brodutch, D. Nagaj, O. Sattath, and D. Unruh, arXiv (2010). preprint arXiv:1404.1507 (2014). [15] C. A. Trugenberger, Phys. Rev. Lett. 87, 067901 (2001). [7] S. Aaronson, in Proc. of 24th Annual IEEE Conf. on [16] C. Simon, M. Afzelius, J. Appel, A. Boyer de La Giro- Computational Complexity(CCC), 2009 (IEEE, 2009) day, S. Dewhurst, N. Gisin, C. Hu, F. Jelezko, S. Kr¨oll, pp. 229–242. J. M¨uller, et al., Euro. Phys. J. D 58, 1 (2010). [8] A. Lutomirski, S. Aaronson, E. Farhi, D. Gosset, [17] W. Munro, A. Stephens, S. Devitt, K. Harrison, and A. Hassidim, J. Kelner, and P. Shor, arXiv preprint K. Nemoto, Nature Photonics 6, 777 (2012). arXiv:0912.3825 (2009). [18] D. Gottesman and I. Chuang, arXiv preprint quant- [9] E. Farhi, D. Gosset, A. Hassidim, A. Lutomirski, and ph/0105032 (2001). P. Shor, in Proc. of the 3rd Innovations in Theoretical [19] I. Chuang and D. Gottesman, “Quantum digital signa- Computer Science Conference (ACM, 2012) pp. 276–289. tures,” (2007), uS Patent 7,246,240. 7

[20] H. Buhrman, R. Cleve, J. Watrous, and R. deWolf, Phys. [27] D. Bruß, D. P. DiVincenzo, A. Ekert, C. A. Fuchs, Rev. Lett. 87, 167902 (2001). C. Macchiavello, and J. A. Smolin, Phys. Rev. A 57, [21] A. Holevo, Reports on Math. Phys. 12, 273 (1977). 2368 (1998). [22] G. Hanaoka, J. Shikata, Y. Zheng, and H. Imai, in Ad- [28] M. Fannes, J. Lewis, and A. Verbeure, Lett. Math. Phys. vances in CryptologyASIACRYPT 2000 (Springer, 2000) 15, 255 (1988). pp. 130–142. [29] R. F. Werner, Lett. Math. Phys. 17, 359 (1989). [23] D. Chaum and S. Roijakkers, in Advances in Cryptology- [30] V. Coﬀman, J. Kundu, and W. K. Wootters, Phys. Rev. CRYPTO90 (Springer, 1991) pp. 206–214. A 61, 052306 (2000). [24] M. Hillery, V. Buˇzek, and A. Berthiaume, Phys. Rev. A [31] A. Higuchi, A. Sudbery, and J. Szulc, Phys. Rev. Lett. 59, 1829 (1999). 90, 107902 (2003). [25] V. Buˇzekand M. Hillery, Phys. Rev. A 54, 1844 (1996). [32] P. W. Shor and J. Preskill, Phys. Rev. Lett. 85, 441 [26] N. Gisin and S. Massar, Phys. Rev. Lett. 79, 2153 (1997). (2000). [33] T.-G. Noh, Phys. Rev. Lett. 103, 230501 (2009).