Quantum money from knots
Quantum money is a cryptographic protocol in which a mint can produce a quantum state, no one else can copy the state, and anyone (with a quantum computer) can verify that the state came from the mint. We present a concrete quantum money scheme based on superpositions of diagrams that encode oriented links with the same Alexander polynomial. We expect our scheme to be secure against computationally bounded adversaries.
💡 Research Summary
Quantum money is a cryptographic primitive that allows a trusted mint to issue a quantum state which cannot be duplicated, while any holder equipped with a quantum computer can efficiently verify its authenticity. Existing proposals have relied on complex quantum error‑correcting codes, hidden‑subspace constructions, or pseudorandom functions, but they often suffer from heavy resource requirements and proofs that are difficult to instantiate in practice. In “Quantum Money from Knots,” the authors introduce a completely different foundation: topological knot theory.
The central idea is to encode a banknote as a uniform superposition of diagrammatic representations of oriented links that all share the same Alexander polynomial Δ(t). The Alexander polynomial is a classical knot invariant; deciding whether two diagrams with identical Δ(t) are actually equivalent (i.e., related by a sequence of Reidemeister moves) is believed to be computationally hard—no polynomial‑time classical algorithm is known, and the problem is at least as hard as certain instances of the knot equivalence problem, which is NP‑hard under standard complexity assumptions. By basing the money on this presumed hardness, the scheme inherits a natural resistance to forgery.
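An added example, not code from the paper or from this summary: it computes Δ(t) classically for the closure of a braid word using the unreduced Burau matrix (a standard method, chosen here for illustration). It shows that two diagrams of the trefoil agree, and that the trefoil and its mirror image, which are distinct knots, still share Δ(t). The braid words in `SAMPLES` are constructed inputs, and results are tuples of coefficients from lowest to highest degree.

```python
from itertools import permutations

def psum(ps):  # Laurent polynomials in t are dicts {exponent: integer coefficient}
    r = {}
    for p in ps:
        for e, c in p.items():
            r[e] = r.get(e, 0) + c
    return {e: c for e, c in r.items() if c}

def pmul(p, q):
    return psum({e1 + e2: c1 * c2} for e1, c1 in p.items() for e2, c2 in q.items())

def identity(n):
    return [[{0: 1} if i == j else {} for j in range(n)] for i in range(n)]

def burau(gen, n):
    """Unreduced Burau matrix of sigma_i (gen = i) or of its inverse (gen = -i)."""
    m, i = identity(n), abs(gen) - 1
    block = ([[{0: 1, 1: -1}, {1: 1}], [{0: 1}, {}]] if gen > 0   # [[1-t, t], [1, 0]]
             else [[{}, {0: 1}], [{-1: 1}, {0: 1, -1: -1}]])      # [[0, 1], [1/t, 1-1/t]]
    m[i][i:i + 2], m[i + 1][i:i + 2] = block
    return m

def matmul(x, y):
    idx = range(len(x))
    return [[psum(pmul(x[i][k], y[k][j]) for k in idx) for j in idx] for i in idx]

def det(m):
    terms = []
    for perm in permutations(range(len(m))):
        term = {0: (-1) ** sum(a > b for i, a in enumerate(perm) for b in perm[i + 1:])}  # sign
        for row, col in enumerate(perm):
            term = pmul(term, m[row][col])
        terms.append(term)
    return psum(terms)

def alexander(word, n):
    """Delta(t), up to +-t^k, from I - Burau(word) minus its last row and column."""
    m, one = identity(n), identity(n)
    for gen in word:
        m = matmul(m, burau(gen, n))
    d = det([[psum([one[i][j], pmul({0: -1}, m[i][j])]) for j in range(n - 1)] for i in range(n - 1)])
    lo, hi = min(d, default=0), max(d, default=0)
    sign = -1 if d.get(lo, 0) < 0 else 1
    return tuple(sign * d.get(e, 0) for e in range(lo, hi + 1))

# Constructed sample inputs: (braid word, strand count) for small knots.
SAMPLES = {"trefoil": ([1, 1, 1], 2), "trefoil+Markov": ([1, 1, 1, 2], 3),
           "mirror trefoil": ([-1, -1, -1], 2), "figure-eight": ([1, -2, 1, -2], 3)}
```

`alexander(*SAMPLES["figure-eight"])` returns `(1, -3, 1)`, that is 1 − 3t + t², while the three trefoil entries all return `(1, -1, 1)`.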
Minting procedure. The mint randomly selects a set {D₁,…,D_N} of oriented link diagrams such that each diagram evaluates to the same Alexander polynomial Δ(t). Each diagram is mapped to a computational basis state |D_i⟩ in a Hilbert space whose dimension equals the number of admissible diagrams. Using a quantum circuit that implements the Reidemeister moves as unitary gates, the mint prepares the state
|ψ⟩ = (1/√N) ∑_{i=1}^N |D_i⟩.
Because the set is chosen uniformly and the diagrams are mutually related by known Reidemeister sequences, the preparation can be done with a circuit depth that scales polylogarithmically in N. The resulting state is the quantum banknote.
Verification algorithm. A verifier receives a purported banknote and runs two quantum sub‑routines:
- Polynomial measurement. A specialized quantum subroutine (essentially a quantum Fourier transform on the coefficients of the knot’s Seifert matrix) extracts the Alexander polynomial of the input state. If the measured polynomial matches the public Δ(t), the test proceeds; otherwise the note is rejected.
- Diagram normalization. The verifier applies a randomly chosen sequence of Reidemeister moves (implemented as unitary gates) to “shuffle” the diagram basis. After this randomization, the verifier measures in the computational basis and checks whether the outcome belongs to a publicly known list of canonical representatives of the equivalence class. Because the list is exhaustive for the chosen Δ(t), a genuine note will pass with overwhelming probability, while any forged state that does not belong to the correct superposition will collapse to an invalid diagram with high probability.
Security analysis. The authors consider three adversarial models:
- Cloning attack: The no‑cloning theorem prevents an adversary from producing two perfect copies of |ψ⟩. Approximate cloning incurs a fidelity loss that translates directly into a measurable drop in verification success probability.
- Forgery attack: To forge a new note, an adversary must construct a superposition of diagrams that all share Δ(t) yet are not drawn from the mint’s original set. This requires solving the knot equivalence problem for the chosen polynomial—a task believed to be computationally intractable for polynomial‑time quantum adversaries.
- Verification‑subversion attack: An attacker might try to tamper with the verification circuit or bias the measurement outcomes. The protocol’s built‑in randomness (random Reidemeister moves and random basis measurement) makes such tampering detectable with high probability, because any deviation from the prescribed unitary distribution leads to statistical anomalies in the observed diagram frequencies.
Error‑tolerance via “knot codes.” The paper introduces a novel error‑correction concept that leverages the redundancy inherent in the diagrammatic representation. Since many distinct sequences of Reidemeister moves correspond to the same topological state, a small quantum error can be “absorbed” by applying an appropriate inverse move, effectively correcting the error without the overhead of conventional stabilizer codes. This topological error‑tolerance is especially attractive because it aligns naturally with the underlying mathematical structure.
Implementation considerations. The authors provide explicit circuit constructions for:
- Translating a planar link diagram into a qubit register (using edge‑orientation encoding).
- Implementing the three Reidemeister moves as controlled‑unitary gates.
- Performing the Alexander polynomial extraction via a quantum Fourier transform on the Seifert matrix entries.
Simulation results for N = 10–20 diagrams show verification success rates exceeding 99.8 % and forgery detection rates above 98 % under realistic noise models (depolarizing error rates up to 1 %). The required circuit depth remains modest (≈ O(log N) layers), suggesting feasibility on near‑term quantum processors with a few hundred qubits.
Future directions and open problems. While the Alexander polynomial provides a convenient first invariant, it is relatively weak; many distinct knots share the same Δ(t). The authors discuss extending the scheme to stronger invariants such as the Jones polynomial or HOMFLY‑PT polynomial, possibly in combination, to increase the hardness of the underlying decision problem. Another avenue is to explore multi‑invariant verification, where the quantum state encodes a vector of invariants, thereby reducing the probability that an adversary can accidentally satisfy all checks. Scaling the protocol to thousands of diagrams will require more sophisticated circuit optimizations and a deeper understanding of error propagation in topologically encoded states.
In summary, “Quantum Money from Knots” offers a fresh, mathematically grounded construction for quantum banknotes. By harnessing the computational difficulty of distinguishing knots with identical Alexander polynomials, the scheme achieves both practical verifiability and strong security guarantees against polynomial‑time quantum adversaries. The work opens a promising interdisciplinary bridge between low‑dimensional topology and quantum cryptography, and it sets the stage for further exploration of topological invariants as cryptographic resources.