Algebraic cryptanalysis of a quantum money scheme: The noise-free case

Abstract

We investigate the Hidden Subspace Problem (HSPq) over Fq: Input: p1,..., pm, q1,..., qm ∈ Fq[x1,..., xn] of degree d ≥ 3 (and n ≤ m ≤ 2n). Find: a subspace A ⊂ Fqn of dimension n/2 (n is even) such that pi(A) = 0 ∀i ∈ {1,..., m} and qj(A⊥) = 0 ∀j ∈ {1,..., m}, where A⊥ denotes the orthogonal complement of A with respect to the usual scalar product in Fq. This problem underlies the security of the first public-key quantum money scheme that is proved to be cryptographically secure under a non quantum but classic hardness assumption. This scheme was proposed by S. Aaronson and P. Christiano [1] at STOC’12. In particular, it depends upon the hardness of HSP2. More generally, Aaronson and Christiano left as an open problem to study the security of the scheme for a general field Fq. We present a randomized polynomial-time algorithm that solves the HSPq for q > d with success probability ≈ 1–1/q. So, the quantum money scheme extended to Fq is not secure for big q. Finally, based on experimental results and a structural property of the polynomials that we prove, we conjecture that there is also a randomized polynomial-time algorithm solving the HSP2 with high probability. To support our theoretical results we also present several experimental results confirming that our algorithms are very efficient in practice. We emphasize that [1] proposes a non-noisy and a noisy version of the public-key quantum money scheme. The noisy version of the quantum money scheme remains secure.