Algebraic Cryptanalysis of a Quantum Money Scheme: The Noise-Free Case

We investigate the Hidden Subspace Problem ($\mathrm{HSP}_q$) over $\mathbb{F}_q$:

Input: $p_1, \dots, p_m, q_1, \dots, q_m \in \mathbb{F}_q[x_1, \dots, x_n]$ of degree $d \ge 3$ (with $n \le m \le 2n$).
Find: a subspace $A \subset \mathbb{F}_q^n$ of dimension $n/2$ ($n$ even) such that $p_i(A) = 0$ for all $i \in \{1, \dots, m\}$ and $q_j(A^\perp) = 0$ for all $j \in \{1, \dots, m\}$, where $A^\perp$ denotes the orthogonal complement of $A$ with respect to the usual scalar product on $\mathbb{F}_q^n$.

This problem underlies the security of the first public-key quantum money scheme that is proved cryptographically secure under a classical (non-quantum) hardness assumption, proposed by S. Aaronson and P. Christiano [3] at STOC'12. In particular, the scheme's security depends on the hardness of HSP. More generally, Aaronson and Christiano left open the question of the scheme's security over a general field $\mathbb{F}_q$.

We present a randomized polynomial-time algorithm that solves $\mathrm{HSP}_q$ for $q > 2$ with success probability $\approx 1 - 1/q$. Consequently, the quantum money scheme extended to $\mathbb{F}_q$ is not secure. Finally, based on experimental results and a structural property of the polynomials that we prove, we conjecture that there is also a randomized polynomial-time algorithm solving $\mathrm{HSP}_2$ with high probability. To support our theoretical results, we also present several experimental results confirming that our algorithms are very efficient in practice.

We emphasize that [3] proposes both a noise-free and a noisy version of the public-key quantum money scheme. Our results concern the noise-free version; the noisy version of the quantum money scheme remains secure.
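The following Python script is an added worked example, not code from this paper or from Aaronson and Christiano's scheme. It makes the problem statement above concrete: it picks a secret subspace $A$ of dimension $n/2$, computes $A^\perp$ with respect to the standard dot product, builds public polynomials $p_i$ that vanish on $A$ and $q_j$ that vanish on $A^\perp$ by taking random degree-$(d-1)$ multiples of the linear forms that cut out each subspace, and then implements the verifier's check $p_i(A) = 0$, $q_j(A^\perp) = 0$ by brute-force enumeration. The toy parameters ($q = 5$, $n = 4$, $d = 3$, $m = n$), the instance-generation method, and all function names are assumptions made for illustration; the attack described in the abstract is not implemented here.

```python
import itertools
import random

# Toy parameters (assumptions for illustration; tiny so subspaces can be enumerated).
Q = 5   # prime field size q
N = 4   # number of variables n (even)
D = 3   # degree d of the public polynomials
M = N   # number m of p_i and of q_j (n <= m <= 2n)

def row_reduce(rows, q):
    """Reduced row echelon form over F_q; returns (nonzero rows, pivot columns)."""
    rows = [[c % q for c in r] for r in rows]
    pivots, r = [], 0
    for c in range(len(rows[0]) if rows else 0):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, q)
        rows[r] = [x * inv % q for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(a - f * b) % q for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    return rows[:r], pivots

def orthogonal_complement(basis, n, q):
    """Basis of A^perp = {y : <a, y> = 0 for all a in A} for the standard dot product."""
    reduced, pivots = row_reduce(basis, q)
    comp = []
    for free in (c for c in range(n) if c not in pivots):
        y = [0] * n
        y[free] = 1
        for row, p in zip(reduced, pivots):
            y[p] = (-row[free]) % q   # solve each pivot coordinate from the RREF row
        comp.append(y)
    return comp

def span(basis, n, q):
    """Every vector of the subspace spanned by basis (q^dim of them)."""
    return {tuple(sum(c * b[i] for c, b in zip(coeffs, basis)) % q for i in range(n))
            for coeffs in itertools.product(range(q), repeat=len(basis))}

# Polynomials are dicts {exponent tuple: coefficient mod q}.
def poly_add(f, g, q):
    h = dict(f)
    for e, c in g.items():
        h[e] = (h.get(e, 0) + c) % q
    return {e: c for e, c in h.items() if c}

def poly_mul(f, g, q):
    h = {}
    for ef, cf in f.items():
        for eg, cg in g.items():
            e = tuple(a + b for a, b in zip(ef, eg))
            h[e] = (h.get(e, 0) + cf * cg) % q
    return {e: c for e, c in h.items() if c}

def poly_eval(f, x, q):
    total = 0
    for e, c in f.items():
        term = c
        for xi, ei in zip(x, e):
            term = term * pow(xi, ei, q) % q
        total = (total + term) % q
    return total

def random_poly(n, max_deg, q, rng):
    """Random polynomial of total degree <= max_deg in n variables."""
    f = {}
    for e in itertools.product(range(max_deg + 1), repeat=n):
        c = rng.randrange(q) if sum(e) <= max_deg else 0
        if c:
            f[e] = c
    return f

def random_vanishing_poly(forms, n, d, q, rng):
    """Random degree-<= d polynomial in the ideal of the linear forms <v, x>, v in forms.
    It vanishes wherever all those forms vanish (one way to build an instance; an assumption)."""
    f = {}
    for v in forms:
        linear = {tuple(int(j == i) for j in range(n)): v[i] % q for i in range(n) if v[i] % q}
        f = poly_add(f, poly_mul(linear, random_poly(n, d - 1, q, rng), q), q)
    return f

def generate_instance(n=N, d=D, m=M, q=Q, seed=1):
    """Secret A of dimension n/2, A^perp, and public p_i (vanish on A), q_j (vanish on A^perp)."""
    rng = random.Random(seed)
    while True:   # draw until the n/2 rows are linearly independent
        basis_a = [[rng.randrange(q) for _ in range(n)] for _ in range(n // 2)]
        if len(row_reduce(basis_a, q)[0]) == n // 2:
            break
    basis_perp = orthogonal_complement(basis_a, n, q)
    # <y, x> vanishes on A exactly for y in A^perp; <a, x> vanishes on A^perp for a in A.
    ps = [random_vanishing_poly(basis_perp, n, d, q, rng) for _ in range(m)]
    qs = [random_vanishing_poly(basis_a, n, d, q, rng) for _ in range(m)]
    return basis_a, basis_perp, ps, qs

def check_solution(basis_a, ps, qs, n=N, q=Q):
    """HSP_q verifier: does candidate A satisfy p_i(A) = 0 and q_j(A^perp) = 0 for all i, j?"""
    pts_a = span(basis_a, n, q)
    pts_perp = span(orthogonal_complement(basis_a, n, q), n, q)
    return (all(poly_eval(p, x, q) == 0 for p in ps for x in pts_a)
            and all(poly_eval(g, y, q) == 0 for g in qs for y in pts_perp))

if __name__ == "__main__":
    a, a_perp, ps, qs = generate_instance()
    print("A basis:", a, " A^perp basis:", a_perp)
    print("candidate A accepted:", check_solution(a, ps, qs))
```

The verifier enumerates all $q^{n/2}$ points of the candidate subspace and of its complement, so it is only usable at toy sizes; the point of the example is the relation between $A$, $A^\perp$ and the public polynomials, not efficiency. Note that over a finite field $A \cap A^\perp$ need not be trivial (the script does not exclude such $A$); the instance is still well defined, and $(A^\perp)^\perp = A$ always holds.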

[1] Dmitry Gavinsky et al. Quantum money with classical verification. 2014.

[2] Ueli Maurer et al. (eds.). Advances in Cryptology - EUROCRYPT '96. Lecture Notes in Computer Science, 2001.

[3] Scott Aaronson et al. Quantum money from hidden subspaces. STOC '12, 2012.

[4] Serge Vaudenay et al. (eds.). Advances in Cryptology - EUROCRYPT 2006. Lecture Notes in Computer Science, 2006.

[5] Bruno Buchberger. Comments on the translation of my PhD thesis. J. Symb. Comput., 2006.

[6] Stephen Wiesner et al. Conjugate coding. SIGACT News, 1983.

[7] Jacques Patarin et al. Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms. EUROCRYPT, 1996.

[8] Jean-Charles Faugère et al. Polynomial Equivalence Problems: Algorithmic and Theoretical Aspects. EUROCRYPT, 2006.

[9] B. Salvy et al. Asymptotic Behaviour of the Degree of Regularity of Semi-Regular Polynomial Systems. 2022.

[10] J. Faugère. A new efficient algorithm for computing Gröbner bases (F4). 1999.

[11] Dan Boneh et al. (eds.). Advances in Cryptology - CRYPTO 2003. Lecture Notes in Computer Science, 2003.

[12] Antoine Joux et al. Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gröbner Bases. CRYPTO, 2003.

[13] Gilles Brassard et al. Quantum Cryptography, or Unforgeable Subway Tokens. CRYPTO, 1982.

[14] Bruno Buchberger et al. Bruno Buchberger's PhD thesis 1965: An algorithm for finding the basis elements of the residue class ring of a zero dimensional polynomial ideal. J. Symb. Comput., 2006.

[15] Jean-Charles Faugère et al. A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). ISSAC '02, 2002.

[16] Avinatan Hassidim et al. Quantum money from knots. ITCS '12, 2010.

[17] Willi Meier et al. Fast Algebraic Attacks on Stream Ciphers with Linear Feedback. CRYPTO, 2003.

[18] M. Mosca et al. Quantum Coins. arXiv:0911.1295, 2009.

[19] Jean-Charles Faugère et al. On the complexity of the F5 Gröbner basis algorithm. J. Symb. Comput., 2013.

[20] John J. Cannon et al. The Magma Algebra System I: The User Language. J. Symb. Comput., 1997.

[21] Brendan D. McKay et al. Determinants and ranks of random matrices over Zm. Discrete Math., 1987.

[22] J. Faugère et al. On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. 2004.