Quantum Copy-Protection and Quantum Money
Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Forty years ago, Wiesner proposed using quantum states to create money that is physically impossible to counterfeit, something that cannot be done in the classical world. However, Wiesner’s scheme required a central bank to verify the money, and the question of whether there can be unclonable quantum money that anyone can verify has remained open since. One can also ask a related question, which seems to be new: can quantum states be used as copy-protected programs, which let the user evaluate some function f, but not create more programs for f? This paper tackles both questions using the arsenal of modern computational complexity. Our main result is that there exist quantum oracles relative to which publicly-verifiable quantum money is possible, and any family of functions that cannot be efficiently learned from its input-output behavior can be quantumly copy-protected. This provides the first formal evidence that these tasks are achievable. The technical core of our result is a “Complexity-Theoretic No-Cloning Theorem,” which generalizes both the standard No-Cloning Theorem and the optimality of Grover search, and might be of independent interest. Our security argument also requires explicit constructions of quantum t-designs. Moving beyond the oracle world, we also present an explicit candidate scheme for publicly-verifiable quantum money, based on random stabilizer states; as well as two explicit schemes for copy-protecting the family of point functions. We do not know how to base the security of these schemes on any existing cryptographic assumption. (Note that without an oracle, we can only hope for security under some computational assumption.)


💡 Research Summary

The paper tackles two long‑standing open problems: (1) the existence of publicly‑verifiable quantum money that anyone can authenticate without a trusted bank, and (2) the possibility of quantum copy‑protection, i.e., quantum states that allow a user to evaluate a function f but prevent the user from creating additional usable copies of the program. Using modern computational‑complexity tools, the authors provide the first formal evidence that both tasks are achievable, albeit relative to a quantum oracle.

The technical centerpiece is the “Complexity‑Theoretic No‑Cloning Theorem” (Theorem 2). Given an n‑qubit pure state |ψ⟩ and an oracle U_ψ that flips the phase of |ψ⟩ while leaving all orthogonal states unchanged, the theorem shows that starting from k copies of |ψ⟩, producing ℓ > k copies with average fidelity increase δ requires Ω(δ²·2ⁿ·ℓ²/(k·log k − ℓ!)) oracle queries. This result simultaneously generalizes the standard quantum no‑cloning theorem (the case without an oracle) and the BBBV lower bound for quantum search (the case without an initial state). Consequently, any algorithm that attempts to clone the state must incur exponential query complexity.

Applying this theorem to quantum money, the authors consider a bank that issues n‑qubit “banknotes” drawn uniformly from the Haar measure. The oracle U provides two operations: (i) generation of a fresh banknote, and (ii) verification of a given banknote. The theorem guarantees that, even with access to k valid notes, producing a (k+1)‑st valid note requires exponentially many queries to U. Hence, relative to such an oracle, publicly‑verifiable quantum money exists. Moreover, because the oracle is the same for the bank, honest users, and adversaries, any proof of impossibility would have to be non‑relativizing (i.e., sensitive to the presence of a quantum oracle).

For quantum copy‑protection, the authors consider a family F of Boolean functions. For each f ∈ F, a quantum program |ψ_f⟩ is sampled from the Haar distribution, and the oracle U offers (i) preparation of |ψ_f⟩ given a classical description of f, and (ii) evaluation of f(x) using |ψ_f⟩ and an input x. The key observation is that if F is efficiently learnable from black‑box access, then any copy‑protection scheme must fail (the adversary can simply learn f and re‑prepare the program). Conversely, for any “unlearnable” family (i.e., not learnable by any polynomial‑time quantum algorithm), the authors construct a simulator that turns any successful piracy algorithm into a learning algorithm, contradicting the unlearnability assumption. The simulator relies on explicit quantum t‑designs that are indistinguishable from Haar‑random states for any algorithm making a limited number of oracle queries (Theorem 3). This establishes that, relative to the oracle, any unlearnable function family can be quantumly copy‑protected.

Beyond oracle results, the paper proposes concrete candidate schemes. For public quantum money, they suggest using random stabilizer states; forging such money reduces to decoding random linear codes over GF(2), a problem believed to be hard even for quantum computers. For copy‑protecting point functions (functions that output 1 only on a secret string s), two constructions are given: one based on random quantum circuits (as studied by Harrow and Low) and another using hidden subgroups of the symmetric group. Both schemes achieve the desired functionality but, crucially, their security is not currently reducible to any standard cryptographic assumption (e.g., quantum‑secure pseudorandom functions). The authors acknowledge this gap and note that any security proof for explicit schemes must incorporate their oracle‑based results as a special case, because an attacker could always treat the underlying circuits as black boxes.
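The following is an added worked example, not code from the paper, that makes the "no initial copies" case of the Complexity-Theoretic No-Cloning Theorem concrete and, at the same time, shows why point functions are the canonical unlearnable family. Given only the phase oracle U_ψ (which negates |ψ⟩ and fixes everything orthogonal to it) and no copy of |ψ⟩, the best known way to build a copy is Grover's iterate started from the uniform superposition; its fidelity after T queries is sin²((2T+1)θ) with sin²θ = |⟨ψ|s⟩|² ≈ 2⁻ⁿ, so reaching high fidelity costs about (π/4)·2^{n/2} queries, and the theorem says no algorithm does better. For ψ = |s⟩ the same oracle is exactly the membership oracle of the point function f_s, so re-preparing the program is the same problem as learning s. The simulation is pure Python (no external packages); the starting state, the fidelity targets and the seeds are assumptions of this example.

```python
"""Simulated query cost of re-preparing an n-qubit state |psi> from its phase
oracle U_psi alone (Grover search).  Added example; all states are constructed here."""
import math
import random
from typing import List, Optional

State = List[complex]


def haar_random_state(n: int, rng: random.Random) -> State:
    """Haar-random n-qubit pure state: normalise a vector of complex Gaussians."""
    dim = 1 << n
    v = [complex(rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)) for _ in range(dim)]
    norm = math.sqrt(sum(abs(a) ** 2 for a in v))
    return [a / norm for a in v]


def sample_state(n: int, seed: int) -> State:
    """Convenience wrapper with a fixed seed (constructed sample input)."""
    return haar_random_state(n, random.Random(seed))


def point_function_state(n: int, s: int) -> State:
    """Basis state |s>.  U_psi for this state flips the phase exactly on x == s,
    i.e. it is the oracle of the point function f_s; learning s is Grover search."""
    v = [0j] * (1 << n)
    v[s] = 1 + 0j
    return v


def inner(u: State, v: State) -> complex:
    return sum(a.conjugate() * b for a, b in zip(u, v))


def phase_oracle(psi: State, v: State) -> State:
    """U_psi|v> = |v> - 2<psi|v>|psi>: negates |psi>, fixes its orthogonal complement."""
    c = inner(psi, v)
    return [b - 2 * c * a for a, b in zip(psi, v)]


def reflect_about(s: State, v: State) -> State:
    """(2|s><s| - I)|v>: the query-free diffusion step of the Grover iterate."""
    c = inner(s, v)
    return [2 * c * a - b for a, b in zip(s, v)]


def uniform_state(dim: int) -> State:
    return [1 / math.sqrt(dim) + 0j] * dim


def fidelity_curve(psi: State, max_queries: int) -> List[float]:
    """Fidelity |<psi|v_T>|^2 after T = 0..max_queries oracle queries, starting from
    the uniform superposition (the algorithm holds no copy of |psi>)."""
    start = uniform_state(len(psi))
    v = start
    fids = [abs(inner(psi, v)) ** 2]
    for _ in range(max_queries):
        v = reflect_about(start, phase_oracle(psi, v))  # one oracle query
        fids.append(abs(inner(psi, v)) ** 2)
    return fids


def queries_needed(psi: State, target: float) -> Optional[int]:
    """Smallest T whose fidelity reaches target, by simulating the iterate until the
    fidelity stops increasing (past the Grover peak); None if never reached."""
    start = uniform_state(len(psi))
    v, t = start, 0
    fid = abs(inner(psi, v)) ** 2
    while fid < target:
        nxt = reflect_about(start, phase_oracle(psi, v))
        nfid = abs(inner(psi, nxt)) ** 2
        if nfid <= fid:
            return None
        v, fid, t = nxt, nfid, t + 1
    return t


def analytic_queries(initial_fidelity: float, target: float) -> int:
    """Closed form: fidelity after T queries is sin^2((2T+1)theta), sin^2(theta) = initial."""
    theta = math.asin(math.sqrt(initial_fidelity))
    return max(0, math.ceil((math.asin(math.sqrt(target)) / theta - 1) / 2))


def grover_bound(n: int, target: float) -> int:
    """Queries predicted for the typical overlap 2^-n; grows like (pi/4) * 2^(n/2)."""
    return analytic_queries(1 / (1 << n), target)


def matches_closed_form(psi: State, max_queries: int, tol: float = 1e-9) -> bool:
    """Check the simulated curve against sin^2((2T+1)theta) for every T."""
    fids = fidelity_curve(psi, max_queries)
    theta = math.asin(math.sqrt(fids[0]))
    return all(abs(f - math.sin((2 * t + 1) * theta) ** 2) < tol for t, f in enumerate(fids))


if __name__ == "__main__":
    for n in (4, 6, 8, 10):
        psi = haar_random_state(n, random.Random(2009 + n))
        print(f"n={n:2d}  Haar state: {queries_needed(psi, 0.9)} queries, "
              f"point function |5>: {queries_needed(point_function_state(n, 5), 0.9)}, "
              f"typical-overlap prediction: {grover_bound(n, 0.9)}")
```

Each extra qubit roughly multiplies the query count by √2, which is the exponential cost the theorem makes rigorous; the k > 0 copies case of Theorem 2 tightens the bound further but needs no new machinery to simulate.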

In summary, the paper demonstrates that, assuming the existence of suitable quantum oracles, publicly‑verifiable quantum money and quantum copy‑protection for unlearnable function families are theoretically possible. The “Complexity‑Theoretic No‑Cloning Theorem” provides a powerful new tool linking cloning hardness with quantum search lower bounds. The explicit candidate constructions, while not yet grounded in standard assumptions, offer concrete directions for future work and suggest that practical implementations may eventually be feasible, especially for money schemes that require only single‑qubit measurements and no large‑scale entanglement. The work thus bridges quantum information physics, cryptography, and computational complexity, opening a new research frontier on unclonable quantum primitives.
