Hi everyone. My name is Bhaskar Roberts and I'm a grad student at UC Berkeley. Today, I'll be presenting some joint work that I did with Mark Zhandry on quantum money and, more generally, how to verify unclonable quantum states. One of the foundational problems in unclonable cryptography is quantum money, in which quantum states are used as cash. Now, there are two properties that cash, or any physical representation of money, should satisfy. The first is unclonability. So this means it should be hard for an adversary to create fake banknotes that look like the real thing, and the second is local verification. This means you should be able to verify that the banknote you've been given is valid without communicating with the bank or any trusted third party during verification. For example, in the public key version of quantum money, the bank publishes a verification key that anyone can use to verify banknotes locally. In a classical world, digital currency can't hope to satisfy these properties because classical bit strings can be copied arbitrarily many times. However, the no-cloning theorem of quantum physics suggests that we might be able to satisfy these properties using quantum states. Beyond quantum money, there are other unclonable cryptographic primitives that we're interested in. For example, copy protection takes a function and makes it unclonable. It produces a quantum state that you can use to compute the function, but it's hard to create two states that will both compute the function correctly. Copy detection and secure software leasing are weaker. So in this setting, it's possible for the adversary to duplicate the functionality, but if they do that, we can detect it. Finally, unclonable signature tokens can be used to sign a message, but after signing a single message, the signature token becomes unusable. There have been recent proposals to construct these primitives, and many of them are based on the techniques that were developed for quantum money.
Our hope is that by improving the techniques for constructing quantum money, this will allow us to construct these other primitives as well. So what is the state of public key quantum money? We don't know of any construction of public key quantum money from well-studied assumptions. I'm particularly interested in Aaronson and Christiano's, and later Zhandry's, construction of public key quantum money from indistinguishability obfuscation. AC-12 proposed a construction of quantum money in which the banknotes are subspace states, which I'll define soon, and then Zhandry showed how to verify these banknotes using post-quantum secure indistinguishability obfuscation. Now, we don't have a construction of post-quantum secure IO, so we need a new way to verify the banknotes, and that's the goal of this work. In public key quantum money, every verifier uses the same verification key, but this is unnecessarily restrictive. Instead, it suffices to give every verifier a unique verification key. Practically, this means that a verifier would request a new key from the bank when they want to begin transacting in the currency system. So since everyone has a different key, the verifiers can keep their keys secret, and this makes the adversary's job harder. Intuitively, it's harder for the adversary to fool a verifier when they don't know the verifier's key. In our paper, we use this idea to construct quantum money in the franchised verification model from one-way functions. Now, the construction has some drawbacks, which I'll discuss, and improving the construction is left for future work, but the purpose of this work is to introduce franchised verification and to show how it's useful for unclonable cryptography. In the rest of the talk, I'll review AC-12's construction of public key quantum money, and then I'll give our construction of franchised quantum money, and this will illustrate why franchised verification makes quantum money easier to construct.
First, I'll go over the syntax for public key quantum money. The money scheme uses a public and secret key. The secret key is used by the bank to generate new banknotes. That's the mint function on this slide. The bank is trustworthy, and only they know the secret key. The public key can be used by anyone to verify that a given banknote is valid. So, in this notation, b is a bit that says whether or not the banknote was accepted by the verification function. Finally, we require that a valid banknote is perturbed negligibly by verification. Now, I'll summarize the construction of public key quantum money from IO. The banknote will be an n-qubit string, and we'll treat each classical eigenstate as a vector in Z2 to the n. This is an n-dimensional finite vector space. The secret key will be a random subspace of Z2 to the n called A. A has dimension n over 2, as does A perp, the orthogonal complement. Next, the banknote is a uniform superposition over all the elements of A. We call this a subspace state. Subspace states have a nice property that if you take the quantum Fourier transform of the state, you get another subspace state back. In particular, it's a uniform superposition over A perp. To verify the banknote, we'll make two measurements, one in the computational basis and one in the Fourier basis. First, we check that the banknote is a superposition of elements of A. In this notation, OA is an oracle that decides membership in A. Then we take the quantum Fourier transform and check that the result is a superposition over elements of A perp. After this step, the valid banknote is the only state that will have passed verification with perfect probability. But in order for this to work, OA and OA perp are included in the public verification key. And as a result, we need to obfuscate those oracles using IO so that the adversary doesn't learn what A is. So if we want to get around using IO, we have a problem.
We want to give the verifier the oracles without also giving them to the adversary, but we want to allow anyone, even a potential adversary, to verify banknotes. The solution is to give every verifier a unique key. In particular, we'll give each verifier some of the dimensions of A and A perp, but not all of them. Our franchised quantum money construction illustrates this idea. The master secret key and the banknote are the same as they were for public key quantum money. The main difference is the verification key. So we'll sample a subspace V that's contained within A and has dimension on the order of square root of n, and we'll sample another random subspace called W that lies inside of A perp. Then we'll give the verifier two oracles, one for W perp and one for V perp. Next, verification works similarly to before. Notice that A is contained in W perp and A perp is contained in V perp. So the oracles used in franchised verification are like looser versions of the oracles from public key verification. Finally, we don't need to obfuscate the franchised oracles because every verifier gets a different V and W. As I think about it, the reason why franchised verification avoids the need for obfuscation is that we're not trying to prevent an adversary from fooling any person. Instead, we're trying to prevent them from fooling any person other than themselves. There's a drawback to this construction, however, that I want to address. If multiple adversaries collude, they can pool their verification keys. And if there are more than square root of n of them, they can learn all of A with good probability. Then they can counterfeit successfully. So we'll assume that the number of colluding adversaries is upper bounded by some function that's little-o of square root of n. In the future, we hope to improve or eliminate the collusion bound. I'm optimistic that this is possible because that's the trajectory that traitor tracing followed.
Traitor tracing is a form of encryption that was vulnerable to colluding adversaries. Early constructions used a collusion bound that grew linearly with the ciphertext size. Here, the ciphertext size is analogous to our banknote size. After a series of improvements, GKW18 gave a construction of traitor tracing where the collusion bound grew exponentially in the ciphertext size. Finally, I'll talk about the security proof. There are actually two kinds of attacks that we want to rule out, counterfeiting and sabotage. We're already familiar with counterfeiting. In a sabotage attack, the adversary modifies a banknote so that one verifier accepts it, but then another verifier rejects it. This is possible in franchised verification because every verifier gets a different key, and it's a problem in money schemes because if you accept a banknote from someone else, you want to have confidence that you can then spend it. This is how money retains its value. We will prove the security of our franchised quantum money construction against both counterfeiting and sabotage. So here's an overview of the security proof. We have seen two kinds of verification so far. In public key quantum money, the oracles were OA and OA perp. We'll call this full verification because the verifier gets all of the dimensions of A and A perp. The second kind of verification we've seen is franchised. The key to our proof is showing that an adversary who can interact with the verifier can't tell whether the verifier is full or franchised. In a little more detail, we'll consider a game in which the adversary is given at least as much power as they were given in the counterfeiting and sabotage security games. For instance, they have access to some number of valid banknotes, they can query the verifier, etc. Then at the end of the game, we ask the adversary to tell whether the verifier they were interacting with was full or franchised. And we'll show, using the adversary method, that they can't.
This allows the franchised quantum money construction to inherit security properties from the public key quantum money construction. AC-12 showed that the public key quantum money construction is secure against counterfeiting, and it's easy to show that it's also secure against sabotage. This is because it's a public key quantum money scheme, so every verifier gets the same key and verification is projective. Therefore, if a banknote is accepted by one verifier, it will certainly be accepted by a second verifier. Finally, we can say that our franchised quantum money construction is also secure against counterfeiting and sabotage, because otherwise an adversary would be able to distinguish between a franchised and a full verifier. In future work, I hope that we can improve or eliminate the collusion bound. And as I discussed earlier, I think that techniques from traitor tracing may help. That's it, and I'm happy to answer any questions you may have.
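To make the full and franchised verification described in the talk concrete, here is an added classical simulation (my own example, not code from the talk or the paper) over Z2 to the n with n = 8 qubits: it samples the master key A, a verifier's V inside A and W inside A perp, and runs both two-step checks on a genuine subspace state and on a note that has been measured down to a single element of A. The constants N and DIM_V, the function names, and the element-set representation of subspaces are my assumptions for the demo.

```python
import random
from math import sqrt

N = 8        # qubits per banknote; dim(A) = N/2 as in the construction (small, so the state is simulable)
DIM_V = 2    # dimension of the franchised subspaces V and W, roughly sqrt(N) (value assumed for this demo)

# A subspace of Z_2^N is stored as the set of its elements (N-bit ints), so membership is just `in`.
def random_subspace(dim, inside=None):       # random subspace of dimension dim in Z_2^N, or inside `inside`
    pool, s = (sorted(inside) if inside else range(1 << N)), {0}
    while len(s) < 1 << dim:
        g = random.choice(pool)
        s |= {x ^ g for x in s}              # close the span under the new generator (no change if g is in s)
    return s

def complement(s):                           # orthogonal complement under the GF(2) dot product
    return {v for v in range(1 << N) if all(bin(v & x).count("1") % 2 == 0 for x in s)}

# A quantum state on N qubits is a list of 2^N real amplitudes, indexed by the classical basis vector.
def subspace_state(s):                       # the banknote: uniform superposition over the elements of s
    return [1 / sqrt(len(s)) if v in s else 0.0 for v in range(1 << N)]

def hadamard_all(state):                     # H on every qubit, i.e. the QFT over Z_2^N (Walsh-Hadamard)
    a, h = list(state), 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j], a[j + h] = (a[j] + a[j + h]) / sqrt(2), (a[j] - a[j + h]) / sqrt(2)
        h *= 2
    return a

def verify(state, first, second):
    """Acceptance probability: membership in `first` in the computational basis, then in `second` in the Fourier basis."""
    p1 = sum(x * x for v, x in enumerate(state) if v in first)
    post = [x / sqrt(p1) if p1 and v in first else 0.0 for v, x in enumerate(state)]   # post-measurement state
    p2 = sum(x * x for v, x in enumerate(hadamard_all(post)) if v in second)
    return p1 * p2

def demo(seed=1):
    random.seed(seed)
    A = random_subspace(N // 2); A_perp = complement(A)                     # bank's master secret key
    V, W = random_subspace(DIM_V, A), random_subspace(DIM_V, A_perp)        # one verifier's franchised key
    V_perp, W_perp = complement(V), complement(W)
    nested = A <= W_perp and A_perp <= V_perp                               # why a real note still passes
    note = subspace_state(A)
    one_elem = [1.0 if v == max(A) else 0.0 for v in range(1 << N)]        # a note measured down to one element of A
    return {"nested": nested,
            "full": verify(note, A, A_perp), "franchised": verify(note, W_perp, V_perp),
            "one_elem_full": verify(one_elem, A, A_perp),
            "one_elem_franchised": verify(one_elem, W_perp, V_perp)}
```

The genuine note passes both verifiers with probability 1, while the collapsed note passes the Fourier-basis step only with probability |A perp| / 2^N = 1/16 under full verification and |V perp| / 2^N = 1/4 under the looser franchised oracles.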