Quantum Bitcoin: An Anonymous and Distributed Currency Secured by the No-Cloning Theorem of Quantum Mechanics
Abstract
The digital currency Bitcoin has had remarkable growth since it was first proposed in 2008. Its distributed nature allows currency transactions without a central authority by using cryptographic methods and a data structure called the blockchain. In this paper we use the no-cloning theorem of quantum mechanics to introduce Quantum Bitcoin, a Bitcoin-like currency that runs on a quantum computer. We show that our construction of quantum shards and two blockchains allows untrusted peers to mint quantum money without risking the integrity of the currency. The Quantum Bitcoin protocol has several advantages over classical Bitcoin, including immediate local verification of transactions. This is a major improvement since we no longer need the computationally intensive and time-consuming method Bitcoin uses to record all transactions in the blockchain. Instead, Quantum Bitcoin only records newly minted currency which drastically reduces the footprint and increases efficiency. We present formal security proofs for counterfeiting resistance and show that a quantum bitcoin can be reused a large number of times before wearing out – just like ordinary coins and banknotes. Quantum Bitcoin is the first distributed quantum money system and we show that the lack of a paper trail implies full anonymity for the users. In addition, there are no transaction fees and the system can scale to any transaction volume.
1 Introduction
Modern society relies on money to function. Trade and commerce are performed using physical tokens (coins, banknotes) or electronically (credit cards, bank transfers, securities). Recently, cryptographic currencies such as Bitcoin have emerged as a new method to facilitate trade in a purely digital environment without the need for a backing financial institution. Common to all functioning currencies is demand together with a controlled supply. Traditional, government-backed currencies mint currency according to rules decided by politics while Bitcoin works according to predefined rules. The currencies are then protected from counterfeiting, either by physical copy-protection in the case of coins, banknotes and cashier’s checks, or in Bitcoin by applying cryptography. A detailed description of Bitcoin is given in Section 2.
The laws of quantum mechanics have given rise to interesting applications in computer science, from the quadratic speedup of unstructured database search due to [Grover1996] to the polynomial-time algorithm for integer factorization by [Shor1994]. These “quantum” algorithms are faster than their classical counterparts, showing that some computing problems can be solved more efficiently if a classical computer is replaced by a quantum one. In addition, quantum states are disturbed when measured, which has given rise to quantum cryptography protocols such as BB84 [Bennett1984] and E91 [Ekert1991], where the latter uses the quantum phenomenon of entanglement. See [Broadbent2015] for a recent survey of quantum cryptography.
This begs the question: can quantum mechanics help us design new, improved money systems? The answer is yes. As shown by [Wiesner1983], the no-cloning theorem [Wootters1982] provides an effective basis for copy protection, although Wiesner’s results predated the actual theorem. See Section 3 for a more detailed history of quantum money.
This paper introduces Quantum Bitcoin, a new currency that combines the copy-protection of quantum mechanics with Bitcoin to build a payment system with several advantages over existing systems. We present some necessary background in Sections 2 and 3, followed by the main contribution in Section 4. Then, we list the numerous advantages of Quantum Bitcoin in Section 5 and conclude in Section 6. Due to space constraints, the security analysis has been moved to Appendix A.
2 The Bitcoin protocol
The Bitcoin protocol was proposed in 2008 by [Nakamoto2008]. The true identity behind that pseudonym still remains a mystery, but the concepts introduced in the original whitepaper have proven themselves by giving rise to a currency with a market cap exceeding 6.4 billion USD as of April 2016.
In order for a currency to function, there must be a finite amount in circulation as well as a controlled supply of new currency. Traditional currencies such as USD and EUR are controlled by a central organization, usually called the central bank. Bitcoin instead uses cryptography to distribute this task over a peer-to-peer network of users on the Internet.
Central to Bitcoin is the blockchain, which is a distributed ledger that records all transactions of every user. Using the blockchain, a user can compute his or her account balance by summing over all transactions to and from that account. A transaction is initiated by the sending party by digitally signing and then broadcasting a transaction message. The receiver of the transaction sees the transaction message, but is advised to wait until third parties, the miners, independently verify its validity. Otherwise, the sender could perform double-spending, where the same unit of currency is simultaneously and fraudulently sent to several receivers without them noticing.
A miner receives the broadcast transaction message and checks his or her local copy of the blockchain to check the transaction against the miner’s local policy [Okupski2015]. Usually, this means that the sender of the transaction must prove that he or she has knowledge of the private key corresponding to the public key of the originating account by using a signature. Also, the miner checks that the transferred bitcoin have not been spent. If the transaction is valid, the miner wants to append it to the blockchain.
Appending new data to the blockchain is the critical part of the Bitcoin protocol, and it requires authentication of the appended data. Without authentication, a malicious miner could add invalid transactions to the blockchain, thereby defrauding users. Traditional authentication methods cannot be used for this purpose, as Bitcoin miners are only loosely organized, anonymous and untrusted. Instead, [Nakamoto2008] uses a proof-of-work puzzle, an idea introduced by [Back2002]. Here, miners authenticate their verification by proving that they have spent computing power, and therefore energy. This prevents the Sybil attack [Douceur2002], in which an attacker can flood a hypothetical voting mechanism. Such an attack becomes prohibitively expensive since each “vote” must be accompanied by a proof of spent energy.
The essentials of a proof-of-work puzzle are as follows: The data is appended to a random nonce value to produce . This is fed to a hash function to produce the hash value . Next, the hash value is compared to a certain threshold. If (interpreted as an integer in hexadecimal form) is smaller than the threshold value, the transaction is verified and together with is then broadcast to the network. The nonce value can be seen as a solution to the proof-of-work puzzle . The solution is easily verified, as it only requires one hashing operation . If the nonce is not a solution to the proof-of-work puzzle, the miner will have to try a new random nonce and the process repeats. In fact, finding preimages to secure hash functions is computationally difficult and requires a large number of trials.
Bitcoin implements the proof-of-work puzzle by packing a number of transactions into a so-called block. Each block contains, among other things, a timestamp, the nonce, the hash value of the previous block, and the transactions [Okupski2015]. The previous hash value fulfills an important function, as it prevents the data in previous blocks being modified. This imposes a chronological order of blocks, and the first Bitcoin block, called the Genesis block, was mined on January 3rd 2009.
Bitcoin miners are rewarded for their work by giving them newly minted bitcoin. In fact, this is the only way in which new bitcoin are added to the network and this rate must be controlled and predictable in order to prevent runaway inflation. As more and more miners solve the proof-of-work puzzle, the faster new blocks will be found, and new bitcoin will be minted at a runaway rate. The same thing happens as computers become faster and more specialized. Bitcoin prevents inflation by dynamically scaling the difficulty of the proof-of-work puzzle to reach a target of one block found, on average, every ten minutes [Okupski2015]. The difficulty is controlled via the threshold, or the number of leading zeros required in the hash value. In Appendix A.2 we designate as the average time between blocks, so that Bitcoin uses . A quantitative study by [Karame2012] suggests that the distribution of measured mining times corresponds to a shifted geometric distribution with parameter 0.19.
The mining reward is implemented as a special type of transaction, called a coinbase [Okupski2015], which is added to the block by the miner. The reward size was originally 50 bitcoin, and is halved every 210000 blocks or approximately four years. This predictable reduction of mining reward is an inflation control scheme since it controls the long-term supply of new currency. It is expected that the last new bitcoin will be mined in the year 2140, when the reward falls below , the smallest accepted bitcoin denomination. There will only be 21 million bitcoin at this point, however mining is expected to continue since miners also collect transaction fees [Nakamoto2008, Kaskaloglu2014].
When a new block is found it is added to the blockchain. All other miners must then restart their progress, as the transactions they attempted to include have already been included in a block. There is a possibility that a block has been mined by a malicious miner, so the other miners will themselves check all transactions in that block to see that they are valid. If a miner is satisfied with the block and its hash value, it will restart the mining process based on the newly mined block. If the block is invalid, it will be ignored by the network.
There is also a possibility of two miners independently mining a block, causing a fork. There will then be ambiguity as to which block is considered the valid one, and miners will randomly choose which block they choose as starting point. With high probability, one of these branches will be the longest one, causing the majority of miners to switch to that branch. Thus, the network resolves forks by itself, at the cost of a nonzero probability that newly mined blocks will be abandoned. Therefore, Bitcoin users are advised to wait until a transaction has been confirmed by at least six consecutive blocks [Karame2012]. Otherwise, there is a possibility that the block containing the transaction is invalid, thereby invalidating the entire transaction.
The goal of the blockchain is to prevent invalid transactions. To perform a double-spend, an attacker must convince a user by mining at least six blocks. A benevolent miner will not verify an invalid transaction, so the only way to get it included in a block is for the attacker to mine it himself. This is done in competition with the benevolent miners, so the probability of success depends on the number of proof-of-work trials per second the attacker can perform. In addition, the miner must win against the benevolent miners six times – in a row.
According to [Nakamoto2008], the probability for a malicious miner to succeed in verifying an invalid transaction is exponentially small in the number of confirmations as long as a majority of miners (i.e. computing power) is used for benevolent purposes. This implies that the Bitcoin protocol is resistant to double-spending attacks. However, each confirmation takes 10 minutes to finish, so those six confirmations need one hour to finish, making transactions slow. In addition, [Karame2012] found considerable variance in the time it takes to mine a block; they measured a standard deviation of mining time of almost 15 minutes. Bitcoin users must therefore make a decision between security and faster transaction times.
3 Previous Proposals for Quantum Money
As early as around 1970, [Wiesner1983] proposed a scheme that uses quantum mechanics to produce unforgeable quantum banknotes [Broadbent2015], however it took time for this result to be published. The paper was initially rejected [Brassard2005] and according to [Aaronson2012] it took 13 years until it was finally published in 1983 [Wiesner1983]. In the same year, BBBV [Bennett1983] made improvements to Wiesner’s scheme, such as an efficient way to keep track of every banknote in circulation. Another, more recent, extension by [Pastawski2012] increases the tolerance against noise. Even more recently, [Brodutch2014] presented an attack on the Wiesner and BBBV schemes.
After BBBV, quantum money received less attention due to the seminal 1984 paper by [Bennett1984] that created the field of quantum key distribution (QKD). Following two decades where virtually no work was done on quantum money, [Mosca2006, Mosca2007, Mosca2009] proposed quantum coins around ten years ago. In contrast to quantum banknotes (where each banknote is unique), quantum coins are all identical.
We distinguish between private-key and public-key quantum money systems. In a private-key system, only the bank that minted the quantum money can verify it as genuine, while a public-key system allows anyone to perform this verification. The advantages of a public-key system over a private-key one are obvious, assuming similar security levels. Until recently, all quantum money proposals were private-key, however in 2009 [Aaronson2009] proposed the first public-key quantum money system. While this system was broken in a short time by [Lutomirski2009], it inspired others to re-establish security. A novel proposal by [Farhi2010] produced a public-key system using knot theory and superpositions of link diagrams, and this idea was further developed by [Lutomirski2011]. Finally, [Aaronson2012] based a public-key quantum money scheme on the hidden-subspace problem.
Another important distinction is between systems that have unconditional security, and those secure under computational hardness assumptions. In an unconditionally secure quantum money scheme, no attacker can break the system even when given unlimited computation time. For instance, Wiesner’s scheme is unconditionally secure while BBBV is not. According to [Farhi2010], public-key quantum money cannot be unconditionally secure. Instead, the proposals by [Aaronson2009, Farhi2010, Aaronson2012] all rely on computational hardness assumptions, as will ours.
Common to all proposals discussed above is a centralized topology, with a number of users and one “bank” that issues (and possibly verifies) money. This requires all users to fully trust this bank, as a malevolent bank can perform fraud and revoke existing currency.
4 Quantum Bitcoin
In this paper we present the inner workings of Quantum Bitcoin, a quantum currency with no central authority. As with most quantum money schemes the central idea is the no-cloning theorem [Wootters1982] which shows that it is impossible to copy an arbitrary quantum state . Quantum mechanics therefore provides an excellent basis on which to build a currency, as copy-protection is “built in”. In Appendix A we quantify the level of security the no-cloning theorem gives, and show that our Quantum Bitcoin are secure against counterfeiting. For brevity, we will refer to the classical Bitcoin protocol simply as “Bitcoin” for the rest of the paper.
4.1 Prerequisites
Quantum Bitcoin uses a classical blockchain, just like the Bitcoin protocol. For the purposes of this paper, we model the blockchain as a random-access ordered array with timestamped dictionary entries. Blocks can be added to the end of the chain by solving a proof-of-work puzzle, and blocks in the chain can be read using a lookup function. In the Quantum Bitcoin blockchain, the blocks only contain descriptions of newly minted Quantum Bitcoin. Transactions are not recorded as they are finalized locally. We can therefore model each block as a dictionary data structure, where dictionaries are key-value pairs that match serial numbers to public keys (footnote 1: do not confuse the public key with the key of the dictionary ). We will use the following formal definition:
Definition
A classical distributed ledger scheme consists of the following classical algorithms:

is an algorithm which takes as input, where is a classical serial number and a classical public key. The algorithm fails if the serial number already exists in a block in the ledger. Otherwise, it begins to solve a proof-of-work puzzle by repeated trials of random nonce values. The algorithm passes if the puzzle is solved, at which time the ledger pair is added as a new block.

is a polynomial-time algorithm that takes as input a serial number and outputs the corresponding public key if it is found in the ledger. Otherwise, the algorithm fails.
While our formal definition is independent of the underlying block format and security rules, we suggest adopting those used in Bitcoin. In addition, runs continuously until it passes – if another miner solves a proof-of-work puzzle it simply restarts the process transparently to the caller.
Quantum Bitcoin also uses classical digital signatures. The scheme used by Bitcoin is 256-bit ECDSA, but we will not commit to a specific algorithm for Quantum Bitcoin. Instead, we use the following abstract model, adapted from [Aaronson2012]:
Definition
A classical public-key digital signature scheme consists of three probabilistic polynomial-time classical algorithms:

which takes as input a security parameter and randomly generates a key pair .

which takes as input a private key and a message and generates a (possibly randomized) signature .

, which takes as input , a message , and a claimed signature , and either accepts or rejects.
The key pair follows the usual conventions for public-key cryptography: The private key is to be kept secret, and it should be computationally infeasible for an attacker to derive from . In Quantum Bitcoin, is only used to mint new currency and should therefore be discarded when this is completed.
4.2 The Hidden Subspace Mini-Scheme
Quantum Bitcoin uses a so-called mini-scheme model, inspired by [Lutomirski2009, Farhi2010, Aaronson2012]. As will become clear in Appendix A, a mini-scheme setup allows for a simple way to prove the security of Quantum Bitcoin. The mini-scheme can only mint and verify one single Quantum Bitcoin, and in Sections 4.3 and 4.4 we extend this to a full Quantum Bitcoin system using a blockchain. The explicit mini-scheme we adopt is an adaptation of the Hidden Subspace mini-scheme system introduced by [Aaronson2012]. In this scheme, Quantum Bitcoin states are of the form
(1) 
where is a subspace of . Here, are bit strings of length and the subspace is randomly generated from a set of secret generators. In the same spirit, we define as the orthogonal complement to , that is, the set of such that for all . Next, we define a membership oracle :
(2) 
which is used to decide membership in . We will later show how this oracle can be explicitly implemented. Using , we can implement a projector onto the set of basis states in :

Initiate a control qubit

Apply to the control qubit

Apply to conditioned on the control qubit being in state

Measure the control qubit in the Hadamard basis

Postselect on getting the outcome
Therefore, operates on in the following way:
(3) 
We define and in a similar way as above, except we instead operate on . Together with the projectors and we can create a unitary operator
(4) 
where denotes the quantum Fourier transform over . We will use to verify Quantum Bitcoin states, where we interpret as passing and as failing. [Aaronson2012, p. 28] show that is a projector onto , and that accepts an arbitrary state with probability . Formally, we can define the mini-scheme as follows:
Definition
The Hidden Subspace mini-scheme consists of two polynomial-time algorithms and .
Before we detail the minting and verification algorithms, we need a way to generate and verify quantum states and serial numbers. These algorithms should have the following general structure:
Definition
A state generator takes a random bit string and returns , where is a bit string and is a set of linearly independent generators for a subspace . We require that the serial numbers are distinct for every .
Definition
A serial number verifier takes a serial number and passes if it is a valid serial number for some and fails otherwise.
The algorithms for and can be implemented using a random oracle, or explicitly using a scheme such as the multivariate polynomial scheme introduced by [Aaronson2012, pp. 32–38]. We are now ready to complete the description of the mini-scheme with the following algorithms:
Definition
takes as input a security parameter . It then randomly generates a secret bit key which it passes to the state generator . The returned value is which is used in Equation (1) to produce the Quantum Bitcoin , where .
Definition
takes as input an alleged Quantum Bitcoin ¢ and performs the following checks, in order:

Form check: Accept if and only if ¢ has the form , where is a classical serial number and is a quantum state.

Serial number check: Accept if and only if the Serial Number Verifier accepts

Apply to and accept if and only if
Note that the verification procedure immediately fails if any of the above steps fail.
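The behaviour of the verification operator can be checked numerically on a small instance. The following is an added example, not code from the paper: it simulates the hidden-subspace state of [Aaronson2012] (a uniform superposition over a subspace of bit strings) as a plain amplitude list for 4 qubits and applies project, Fourier transform, project onto the orthogonal complement, Fourier transform. The function names, the two generators and the choice of 4 qubits are assumptions made for illustration, and the projectors are applied directly rather than through the control-qubit procedure.

```python
"""State-vector model of hidden-subspace verification (added example)."""
import math

N = 4                            # assumed toy size: 4 qubits, 16 amplitudes
GENERATORS = [0b0011, 0b0101]    # constructed secret generators of the subspace


def span(generators):
    """All elements of the F_2 subspace spanned by the generators."""
    elems = {0}
    for g in generators:
        elems |= {e ^ g for e in elems}
    return elems


def dot(x, y):
    """Inner product of two bit vectors over F_2."""
    return bin(x & y).count("1") % 2


def orthogonal_complement(subspace, n=N):
    """All y whose inner product with every element of the subspace is 0."""
    return {y for y in range(2 ** n) if all(dot(x, y) == 0 for x in subspace)}


def subspace_state(subspace, n=N):
    """Uniform superposition over the subspace."""
    amp = 1 / math.sqrt(len(subspace))
    return [amp if x in subspace else 0.0 for x in range(2 ** n)]


def fourier(state):
    """Fourier transform over F_2^n: a Hadamard gate on every qubit."""
    out = list(state)
    h = 1
    while h < len(out):
        for i in range(0, len(out), 2 * h):
            for j in range(i, i + h):
                a, b = out[j], out[j + h]
                out[j] = (a + b) / math.sqrt(2)
                out[j + h] = (a - b) / math.sqrt(2)
        h *= 2
    return out


def project(state, members):
    """Keep only the amplitudes of basis states whose label is in `members`."""
    return [amp if x in members else 0.0 for x, amp in enumerate(state)]


def verify(state, subspace):
    """Return (acceptance probability, state left behind if accepted)."""
    perp = orthogonal_complement(subspace)
    out = fourier(project(fourier(project(state, subspace)), perp))
    prob = sum(a * a for a in out)
    post = [a / math.sqrt(prob) for a in out] if prob > 1e-12 else None
    return prob, post


def basis_state(x, n=N):
    """Computational basis state |x>, e.g. what remains after measuring a coin."""
    return [1.0 if i == x else 0.0 for i in range(2 ** n)]


if __name__ == "__main__":
    A = span(GENERATORS)
    genuine = subspace_state(A)
    print("genuine state:        ", round(verify(genuine, A)[0], 6))
    print("basis state inside A: ", round(verify(basis_state(3), A)[0], 6))
    print("basis state outside A:", round(verify(basis_state(1), A)[0], 6))
```

The genuine state is accepted with certainty and comes out unchanged, which is why a coin survives repeated verification; a state obtained by measuring the coin in the computational basis is accepted only with probability one over the size of the subspace.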
4.3 Naive Construction of Quantum Bitcoin
The mini-scheme can only mint and verify one single quantum bitcoin, so to build a usable Quantum Bitcoin ecosystem we need to extend the model with a mechanism for minting and verifying any amount. For this purpose we will define the full Quantum Bitcoin scheme, , and implement it as an extension of the mini-scheme . The connection between and is derived from the “standard construction” by [Lutomirski2009, Farhi2010, Aaronson2012]. Formally, the definition of the Quantum Bitcoin scheme is as follows:
Definition
A public-key distributed Quantum Bitcoin scheme consists of the following algorithms:

, a polynomial-time algorithm which takes as input a security parameter and randomly generates a key pair .

which takes a security parameter and a private key and produces a quantum bitcoin $.

, a polynomial-time algorithm which takes as input an alleged quantum bitcoin ¢ and a corresponding public key and either accepts or rejects.
Given a mini-scheme , a digital signature scheme and a distributed ledger scheme , we will construct a first, intuitive, version of the Quantum Bitcoin scheme . Later, we extend this standard construction to protect against the reuse attack.
To begin the construction, we define to simply be from the digital signature scheme. Next, we define the algorithm for an alleged quantum bitcoin ¢:

Check that ¢ is of the form , where is a classical serial number, a quantum state, and a classical digital signature.

Call to retrieve the public key associated with the serial number .

Call to verify the digital signature of the quantum bitcoin.

Call from the mini-scheme.
The verification algorithm passes if and only if all of the above steps pass. The main challenge of constructing Quantum Bitcoin is that the miners are untrusted, which is in contrast to previous quantum money schemes where minting is done by a trusted entity such as a bank. In the same spirit as Bitcoin, the intention is to take individually untrusted miners and still be able to trust them as a group [Nakamoto2008]. Our first, Bitcoin-inspired attempt at the algorithm therefore becomes the following:

Call to randomly generate a key pair .

Generate a quantum bitcoin candidate by calling , which returns , where is a classical serial number and is a quantum state.

Sign the serial number: .

Call to attempt to append the serial number and the public key to the ledger.

If failed, start again from step 2.

If the serial number was successfully appended, put the serial number, quantum state and signature together to create the quantum bitcoin .
We can immediately identify the first major advantage of Quantum Bitcoin. Whereas Bitcoin requires each transaction to be recorded into the blockchain – a time-consuming process, Quantum Bitcoin transactions finalize immediately. Due to the no-cloning theorem of quantum mechanics, the underlying quantum state in the Quantum Bitcoin cannot be duplicated, thereby preventing counterfeiting in itself (see Appendix A). The only step of the protocol that uses is minting, which “normal” users don’t have to worry about.
4.4 Preventing the Reuse Attack
Our first attempts at the and algorithms appear to work, but there is a problem. In Quantum Bitcoin there is no trust assumption, so the users minting Quantum Bitcoin can no longer be trusted to play by the rules as in the system by [Aaronson2012]. This leads to a weakness that can be exploited using a reuse attack: Ideally, the output of the minting algorithm and state generator should be unpredictable, even when fed the same argument twice. Unfortunately, we must assume that all steps in are deterministic, with the obvious exception of . Therefore, it is possible that a malicious miner generates a quantum bitcoin, appends it to the blockchain, and then covertly reuses to produce any number of quantum bitcoin that all pass verification.
This is a serious problem, since it allows that malicious miner to undermine the payment system at any time. Imagine a scenario where a miner learns that the quantum bitcoin he or she mined last year is now in the possession of a political opponent. The miner could then use to create a number of identical, genuine, quantum bitcoin and disperse them everywhere. The natural consequence is that the quantum bitcoin held by the opponent becomes worthless. Compare this with Bitcoin. There, the blockchain records all transactions and a miner therefore relinquishes control over the mined bitcoin as soon as it is handed over to a recipient. In Quantum Bitcoin, however, there is no record of who owns what, so there is no way to distinguish between the real and counterfeit quantum bitcoin.
We prevent the reuse attack by adding a secondary stage to the minting algorithm, where data is also appended to a new ledger . In Appendix A.2 we show that this method makes the reuse attack improbable. For the secondary mining step we introduce security parameters and and the algorithm is as follows:

A miner (this time called a quantum shard miner) uses the above “intuitive” minting scheme, but the finished product is instead called a quantum shard.

Quantum shard miners sell the quantum shards on a marketplace.

Another miner (called a quantum bitcoin miner) purchases quantum shards on the marketplace that, for all , fulfill the following conditions:

accepts

The timestamp of the quantum shard in the Quantum Shard ledger fulfills , where is the current time.


The quantum bitcoin miner calls to randomly generate a key pair .

The quantum bitcoin miner takes the serial numbers of the quantum shards and compiles the classical descriptor and signs it as .

The quantum bitcoin miner takes the quantum shards and, together with , produces a quantum bitcoin candidate: .

The quantum bitcoin miner calls to attempt to pair the quantum bitcoin miner’s public key with the classical descriptor in the ledger. Here, we require that fails if any of the quantum shards already have been combined into a quantum bitcoin that exists in the ledger .
This process is the complete quantum mining protocol, and it works because each participant is incentivized: quantum shard miners invest computing power to produce quantum shards, which quantum bitcoin miners want for quantum bitcoin production. As there is only a finite number of quantum shards, they will have nonzero monetary value, thus rewarding the quantum shard miners for the energy necessarily consumed. In turn, quantum bitcoin miners invest computing power to mint quantum bitcoin from quantum shards. The quantum bitcoin miners are rewarded with valid quantum bitcoin, which, due to their limited supply, are expected to have nonzero monetary value.
According to [Nakamoto2008], such incentives “may help nodes to stay honest” and an attacker who has access to more computing power than the rest of the network combined finds that it is more rewarding to play by the rules than commit fraud. Also, the reuse attack is prevented because two-stage mining makes it overwhelmingly difficult for a single entity to first produce quantum shards and then combine them into a quantum bitcoin.
Note the requirement that the quantum shards are less than old. This is needed because the probability of an attacker successfully mining a quantum shard approaches 1 as time goes to infinity. Therefore, given enough time, a malicious miner can produce valid quantum shards which it then could combine into a valid quantum bitcoin. The parameter prevents this from happening by expiring old quantum shards before this can happen. In addition, while the algorithm makes use of two ledgers instead of one, it should be trivial to encode the two ledgers into one single blockchain.
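The classical side of the protocol, that is the proof-of-work puzzle of Section 2, the ledger definition of Section 4.1 and the stage-two acceptance rules above, can be modelled in a few lines. This is an added example, not code from the paper: the names `Ledger`, `TwoStageMint`, `shards_per_coin` and `max_shard_age`, the comma-joined descriptor, the 12-bit difficulty and all sample values are assumptions, public keys are opaque strings, and the quantum verification of each shard is outside the model.

```python
"""Classical model of the two ledgers in two-stage minting (added example)."""
import hashlib
import itertools

DIFFICULTY_BITS = 12                      # assumed toy difficulty
THRESHOLD = 2 ** (256 - DIFFICULTY_BITS)  # hash must be below this integer
GENESIS = "0" * 64                        # placeholder previous hash of block 0


def block_hash(prev, key, value, timestamp, nonce):
    """Hash of the block data with the nonce appended."""
    data = f"{prev}|{key}|{value}|{timestamp}|{nonce}".encode()
    return hashlib.sha256(data).hexdigest()


def solves_puzzle(digest):
    """The hash, read as an integer, must be smaller than the threshold."""
    return int(digest, 16) < THRESHOLD


class Ledger:
    """Ordered chain of blocks, each holding one timestamped (key, value) entry."""

    def __init__(self):
        self.blocks = []

    def lookup(self, key):
        """Return (value, timestamp) stored under `key`; KeyError if absent."""
        for b in self.blocks:
            if b["key"] == key:
                return b["value"], b["timestamp"]
        raise KeyError(key)

    def append(self, key, value, timestamp):
        """Fail on a duplicate key, otherwise solve the puzzle and add the block."""
        if any(b["key"] == key for b in self.blocks):
            return False
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        # Sequential nonces keep the example deterministic; miners use random ones.
        for nonce in itertools.count():
            digest = block_hash(prev, key, value, timestamp, nonce)
            if solves_puzzle(digest):
                break
        self.blocks.append({"prev": prev, "key": key, "value": value,
                            "timestamp": timestamp, "nonce": nonce,
                            "hash": digest})
        return True

    def is_valid(self):
        """Re-check the chain with one hash per block."""
        prev = GENESIS
        for b in self.blocks:
            digest = block_hash(prev, b["key"], b["value"],
                                b["timestamp"], b["nonce"])
            if b["prev"] != prev or b["hash"] != digest or not solves_puzzle(digest):
                return False
            prev = digest
        return True


class TwoStageMint:
    """Shard ledger plus coin ledger, with the stage-two acceptance rules."""

    def __init__(self, shards_per_coin, max_shard_age):
        self.shards = Ledger()   # shard serial number -> shard miner public key
        self.coins = Ledger()    # classical descriptor -> coin miner public key
        self.shards_per_coin = shards_per_coin
        self.max_shard_age = max_shard_age

    def mint_shard(self, serial, shard_pk, now):
        return self.shards.append(serial, shard_pk, now)

    def mint_coin(self, shard_serials, coin_pk, now):
        """Return "ok" or the reason the descriptor is refused."""
        if len(set(shard_serials)) != self.shards_per_coin:
            return "wrong shard count"
        # Serials are assumed comma-free so the descriptor can be split again.
        used = {s for b in self.coins.blocks for s in b["key"].split(",")}
        for serial in shard_serials:
            try:
                _, minted_at = self.shards.lookup(serial)
            except KeyError:
                return "unknown shard"
            if now - minted_at >= self.max_shard_age:
                return "shard expired"
            if serial in used:
                return "shard already combined"
        if not self.coins.append(",".join(shard_serials), coin_pk, now):
            return "descriptor exists"
        return "ok"


if __name__ == "__main__":
    mint = TwoStageMint(shards_per_coin=3, max_shard_age=100)
    for i, serial in enumerate(["s1", "s2", "s3"]):   # constructed sample shards
        mint.mint_shard(serial, f"shard-pk-{i}", now=10 * i)
    print(mint.mint_coin(["s1", "s2", "s3"], "coin-pk", now=50))
    print(mint.mint_coin(["s3", "s2", "s1"], "coin-pk-2", now=60))
    print(mint.shards.is_valid(), mint.coins.is_valid())
```

Both ledgers reuse one `Ledger` class, which mirrors the remark that the two ledgers could be encoded into a single blockchain.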
What remains is to slightly modify to take two-stage mining into account. We introduce an additional security parameter which will be determined later.

Check that ¢ is of the form , where the are classical serial numbers, are quantum states, and (including ) are digital signatures.

Call to retrieve the public key of the quantum bitcoin miner associated with the classical descriptor .

Call to verify the digital signature of the quantum bitcoin.

For each , call in order to retrieve the corresponding public keys from the quantum shard miners.

For each , call to verify the digital signatures of each of the quantum shards.

For , call to verify the quantum bitcoin states.
The above algorithm checks the digital signatures of both the quantum bitcoin and all contained quantum shards before calling the verification procedure of the mini-scheme . The verification passes if and only if at least of the invocations of pass.
This concludes the description of Quantum Bitcoin. We have defined the minting and verification algorithms and shown how they tie together with the blockchain to build a working currency. What about security? In Appendix A we will give formal security proofs that
Quantum Bitcoin resists counterfeiting, or, more explicitly, that the false positive and false negative error probabilities of are exponentially small in ,
that the probability of a successful reuse attack is exponentially small in , and
that a quantum bitcoin can be used, or verified, an exponential number of times (in ) before wearing out.
5 Comparison to Classical Bitcoin
We will now compare Quantum Bitcoin to the classical Bitcoin protocol by [Nakamoto2008] and show that Quantum Bitcoin has several advantages. Bitcoin transactions must be verified by third-party miners. The time this takes averages one hour, but as previously mentioned the waiting time has considerable variance [Karame2012]. Bitcoin transactions are therefore slow; too slow for a customer to wait in the checkout line. In contrast, Quantum Bitcoin transactions are immediate and only require the receiver to have read-only access to a reasonably recent copy of the blockchain. We also note that Quantum Bitcoin transactions are local, so that no blockchain must be updated, nor does it require a third party to know of the transaction.
These local transactions are independent of network access. Bitcoin requires two-way communication with the Internet, while Quantum Bitcoin transactions can be performed in remote areas, including in space. The read-only blockchain access requirement makes it possible to store a local offline blockchain copy in, for example, a book. To receive a Quantum Bitcoin transaction, the user simply needs to read from this book, given that the quantum bitcoin to be verified is older than the book in question.
Another performance advantage is scalability. According to [Garzik2015], Bitcoin as originally proposed by [Nakamoto2008] has an estimated global limit of seven transactions per second. In comparison, the local transactions of Quantum Bitcoin imply that there is no upper limit to the transaction rate. It should be noted, however, that the minting rate is limited by the capacity of the Quantum Shard and Quantum Bitcoin blockchains. By placing the performance restriction only in the minting procedure, the bottleneck should be much less noticeable than if it were in the transaction rate as well.
Local transactions also mean anonymity, since only the sender and receiver are aware of the transaction even occurring. No record, and therefore no paper trail, is created. In essence, a Quantum Bitcoin transaction is similar to that of ordinary banknotes and coins, except no central point of authority has to be trusted. Bitcoin, on the other hand, records all transactions in the blockchain which allows anybody with a copy to trace transaction flows, even well after the fact. This has been used by several authors [Reid2013, Meiklejohn2013, Moser2013, Venkatakrishnan2013, Kondor2014, Androulaki2013] to deanonymize Bitcoin users.
Another advantage of Quantum Bitcoin is that transactions are free. Classical Bitcoin transactions usually require a small fee [Nakamoto2008] to be paid to miners in order to prevent transaction spam and provide additional incentives for miners. It is also believed that these fees will allow mining to continue past the year 2140, when the last new bitcoin is expected to be mined. In Bitcoin, mining is required for transactions to work, but this is not the case in Quantum Bitcoin, again due to local transactions. Even better, if Quantum Bitcoin adopts an inflation control scheme similar to that of Bitcoin, there will be no need for Quantum Bitcoin mining when the 21 million quantum bitcoin have been found. Users will still be able to perform transactions even though mining has stopped. When this occurs, it is realistic to publish a “final version” of the Quantum Bitcoin blockchain in a book which then would contain descriptors of all quantum bitcoin that will ever exist.
Compared to Bitcoin, the blockchain of Quantum Bitcoin is smaller and grows at a more predictable rate. By nature, data added to a blockchain can never be removed, and as of March 2016 the size of the Bitcoin blockchain exceeds . This large size has made it difficult to run a complete Bitcoin implementation on smaller devices. Quantum Bitcoin also has a growing blockchain; however, it only grows when minting currency, not due to transactions.
Per the discussion in the previous paragraph, Quantum Bitcoin mining could become superfluous when all quantum bitcoin have been mined, which leads to an upper limit of the Quantum Bitcoin blockchain. For example, if we limit the number of quantum bitcoin to 21 million (as above) and choose 512-bit serial numbers and a 256-bit digital signature scheme , the Quantum Bitcoin blockchain will only ever grow to roughly in size plus some overhead. This is an order of magnitude smaller than the Bitcoin blockchain today, and much more manageable.
6 Conclusion and Future Work
Quantum Bitcoin is a tangible application of quantum mechanics where we construct the ideal distributed, publicly-verifiable payment system. The currency works on its own without a central authority, and can start to work as soon as it is experimentally possible to prepare, store, measure and reconstruct quantum states with low enough noise. The no-cloning theorem provides the foundation of copy-protection, and the addition of a blockchain allows us to produce currency in a distributed and democratic fashion. Quantum Bitcoin is the first example of a secure, distributed payment system with local transactions and can provide the basis for a new paradigm for money, just like Bitcoin did in 2008.
Two parties can transfer quantum bitcoin by transferring the Quantum Bitcoin state over a suitable channel and reading off a publicly-available blockchain. Transactions are settled immediately without having to wait for confirmation from miners, and quantum bitcoin can be used and reconstructed an exponential number of times before they wear out. There is no transaction fee, yet the system can scale to allow an unlimited transaction rate.
Note that while Quantum Bitcoin is secure against any counterfeiter with access to a quantum computer, the protocol is not unconditionally secure. The corresponding security proofs must therefore place the standard complexity assumptions on the attacker. See Appendix A for the complete security analysis.
We invite further study of our proposal and welcome attempts at attacking this novel protocol. There are also some challenges that should be addressed in future work: quantum bitcoin are atomic and there is currently no way to subdivide quantum bitcoin into smaller denominations, or merge them into larger ones. A practical payment system would benefit greatly from such mechanisms as it otherwise becomes impossible to give change in a transaction. The security proofs in this paper should also be extended to the non-ideal case with the addition of noise, decoherence and other experimental effects.
Acknowledgements
The author would like to thank Niklas Johansson and Prof. Jan-Åke Larsson for interesting discussions, feedback and proofreading the manuscript.
Appendix A Security Analysis
In this section we perform the security analysis of Quantum Bitcoin and show that it is secure against counterfeiting. Here, we reap the benefits of the minischeme setup as the proof becomes relatively easy. We begin by quantifying the probability of false negatives and false positives in the verification process and then we show that the minischeme is secure, followed by the observation that a secure minischeme implies security of the full system .
a.1 Counterfeiting
Our formal security analysis begins by modeling a counterfeiter, which is a quantum circuit that produces new, valid, quantum bitcoin outside of the normal minting procedure.
Definition
A counterfeiter is a quantum circuit of polynomial size (in ) which maps a polynomial (in ) number of valid quantum bitcoin to a polynomial number (in ) of new, possibly entangled alleged quantum bitcoin.
A more detailed description of the “composite” counterfeiter of Quantum Bitcoin is given in [Aaronson2012, pp. 42–43]. We next need to quantify the probability that a counterfeit quantum bitcoin is accepted by the verification procedure. This is the probability of a false positive:
Definition
A Quantum Bitcoin scheme has soundness error if, given any counterfeiter and a collection of valid quantum bitcoin we have
(5) 
where is a counter that takes as input a collection of (possibly-entangled) alleged quantum bitcoin and outputs the number of indices such that accepts
Conversely, we quantify the probability of false negative, i.e. the probability that a valid quantum bitcoin is rejected by the verification procedure:
Definition
A Quantum Bitcoin scheme has completeness error if accepts with probability at least for all valid quantum bitcoin . If then has perfect completeness.
Next, we continue with analyzing the minischeme. Recall that a minischeme only mints and verifies one single quantum bitcoin, so that a minischeme counterfeiter only takes the single valid quantum bitcoin as input. To perform this analysis, we need a technical tool, the double verifier [Aaronson2012]:
Definition
For a minischeme , we define the double verifier as a polynomial-time algorithm that takes as input a single serial number and two (possibly-entangled) quantum states and and accepts if and only if and both accept.
Now, we define the soundness and completeness error for the minischeme:
Definition
A minischeme has soundness error if, given any counterfeiter , accepts with probability at most . Here the probability is over the quantum bitcoin or quantum shard output by as well as the behavior of and .
Definition
A minischeme has completeness error if accepts with probability at least for all valid quantum bitcoin or quantum shards . If then has perfect completeness.
We call a system secure if it has completeness error and soundness error exponentially small in . While sounds like a high error probability, [Aaronson2012, pp. 42–43] shows that the completeness error of a secure system can be made exponentially small in at the small cost of increasing the soundness error from 0 to be exponentially small in .
What remains is to show that the Quantum Bitcoin system is, in fact, secure. This would be difficult had we not used the minischeme model, but now we can do this in a single step. The following theorem is adapted from [Aaronson2012, p. 20]:
Theorem (Security From The MiniScheme)
If there exists a secure minischeme , then there also exists a secure Quantum Bitcoin scheme . In particular, the completeness and soundness errors of are exponentially small in .
In order to prove Theorem A.1, we need the following lemma, adapted from [Aaronson2012, pp. 42–43]:
Lemma
We are now ready to prove Theorem A.1:
Proof
We use the quantum state generator from Definition 4.2 as a one-way function: given a bit string , outputs (among others) a unique bit serial number . If there exists a polynomial-time quantum algorithm to recover from it would be possible for a counterfeiter to copy quantum bitcoin, which contradicts the security of the minischeme. Therefore, is a one-way function secure against quantum attack. Since such one-way functions are necessary and sufficient for secure digital signature schemes [Rompel1990], we immediately get a digital signature scheme secure against quantum chosen-plaintext attacks. Next, we show that and together produce a secure “naive” Quantum Bitcoin system , which is done in [Aaronson2012, p. 20].
Finally, we choose and use lemma A.1 to show that the “composite” Quantum Bitcoin system described in Section 4.4 has completeness error and any soundness error such that . Thus, we can make have soundness and completeness errors exponentially small in . Therefore, the Quantum Bitcoin system is secure.
This is the elegance of the minischeme model, where a secure minischeme immediately gives us the full, secure system. Note that in the proof of lemma A.1 the security parameter is taken to be sufficiently small. A counterfeiter who wants to break the security of is forced to break the security of , so if we now show that is indeed secure we are finished:
Theorem (Security Reduction for the Hidden-Subspace MiniScheme)
The minischeme , which is defined relative to the classical oracle , has zero completeness and soundness error exponentially small in .
Proof
The Inner-Product Adversary Method of [Aaronson2012, p. 31] gives an upper bound to the information gained by a single oracle query. Theorem A.1 then shows that the minischeme is secure since a valid quantum shard always passes verification (zero completeness error), and counterfeit quantum shards pass with only an exponentially small probability (soundness error is exponentially small in ).
We can now state the main result:
Corollary (Counterfeiting Resistance of Quantum Bitcoin)
The Quantum Bitcoin system is secure. In particular, the completeness and soundness errors of are exponentially small in .
Proof
Theorem A.1 shows that is secure, and from Theorem A.1 it then follows that is secure. Explicitly, any counterfeiter must make queries to successfully copy a single quantum bitcoin. For large enough , this is computationally infeasible. In particular, Theorem A.1 shows that the completeness and soundness errors of are exponentially small in .
Note that Quantum Bitcoin is not unconditionally secure. Therefore, it is conjectured that a hypothetical attacker without access to an exponentially fast computer cannot perform the exponential number of queries required to perform counterfeiting. Note that, according to [Farhi2010], public-key quantum money cannot be unconditionally secure, so this should not come as a surprise.
a.2 The Reuse Attack
Now we analyze the effect of the security parameters and on the probability of a reuse attack. A reuse attack is when the same entity first mines a number of quantum shards, then combines them into a quantum bitcoin. The security parameter controls the number of quantum shards required per quantum bitcoin, and is the maximum age of the quantum shards.
For an attacker to perform the reuse attack, he or she must therefore mine quantum shards in seconds after a first quantum shard has been mined. Recall from Section 4.4 that quantum shards expire after seconds. In reality the attacker must both mint quantum shards and combine them into quantum bitcoin before runs out. We simplify the analysis, however, by making it easier for the attacker and allow time to mine quantum shards, and then again time to mine quantum bitcoin. We define as the average number of blocks mined before runs out, where is the average time between mined blocks. We have the following theorem:
Theorem (Probability of Reuse Attack)
The success probability of reuse attack in a secure Quantum Bitcoin system with completeness error is exponentially small in as long as the attacker controls less than of the computing power and .
Proof
We model the reuse attack by assigning to the probability of an attacker mining the next block in either the quantum shard or Quantum Bitcoin blockchain. can be understood as the proportion of the world’s computing power controlled by the attacker. is exponentially small in , so with sufficiently large, the completeness error is much smaller than . The probability of the attacker mining of these quantum shards is then
(6) 
However, due to the way the verification algorithm works, the attacker only needs quantum shards, so adding this worst-case scenario gives
(7) 
Next, the attacker must combine these quantum shards into a Quantum bitcoin before another runs out. The probability for this is the probability of mining a single block:
(8) 
The total probability of reuse attack is then
(9) 
We bound the binomial coefficient from above using the formula
(10) 
which gives
(11) 
We set which gives . Such exist since , which is the case since the Quantum Bitcoin system is secure. We then have
(12) 
and note that
(13) 
where the upper bound of approaches as goes to 1, under the condition that . If is greater than , the upper bound on is even lower. However, is exponentially small in , so we can expect the bound to be the correct one, given large enough . Under the above constraints we get and . Plugging all this into Equation (12), we get the following strict upper bound for the reuse attack probability:
(14) 
In other words, Quantum Bitcoin is secure against reuse attack as long as the attacker controls less than of the computing power. Note that Equation (14) is the worst-case approximation and we should expect a much lower attack probability in a real scenario. What remains is to determine the parameter introduced in the above proof. Too large, and it will be difficult for any quantum bitcoin to be mined as every single quantum shard must be sold to a Quantum Bitcoin miner before runs out. Too small, and it becomes easier for a malicious miner to perform the reuse attack. The smaller we make , the larger must be in order to achieve the required bound on the attack probability.
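A simplified binomial model of the parameter trade-off discussed in this proof, added here as an illustration and not taken from the paper. Equations (6)–(14) are not reproduced on this page, so the names `p` (attacker's share of computing power), `n` (blocks mined inside the shard-expiry window) and `k` (shards the attacker must mine), and the binomial-tail form itself, are assumptions.

```python
from fractions import Fraction
from math import comb


def shard_tail(p, n, k):
    """P[attacker mines at least k of the n shard blocks]: Binomial(n, p) tail.

    Assumed model: each block is won by the attacker independently with
    probability p. Exact rational arithmetic avoids float underflow.
    """
    p = Fraction(p)
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def reuse_attack_probability(p, n, k):
    """Shard tail times p: the attacker must also win the single block that
    combines the shards into a quantum bitcoin."""
    return shard_tail(p, n, k) * Fraction(p)


def min_shards_for_bound(p, n, target):
    """Smallest k (shards the attacker must mine) that keeps the attack
    probability at or below target.

    Returns None when even k = n is insufficient, i.e. the window of n blocks
    is too short for the requested bound at this attacker share.
    """
    for k in range(1, n + 1):
        if reuse_attack_probability(p, n, k) <= target:
            return k
    return None


if __name__ == "__main__":
    # Constructed parameters: shares, window sizes and target are illustrative.
    target = Fraction(1, 10**9)
    for p in (Fraction(1, 10), Fraction(1, 4), Fraction(2, 5)):
        for n in (50, 100, 200):
            k = min_shards_for_bound(p, n, target)
            print(f"share={float(p):.2f} window={n:3d} blocks -> need k >= {k}")
```

Running the sweep shows how the required shard count grows with the attacker's share, and that a short window can make a given bound unreachable at any shard count.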
a.3 Quantum Bitcoin Longevity
What remains is to show that a quantum bitcoin does not wear out too quickly, i.e. that it can be verified a sufficient number of times to be usable. To prove this, we will use the following lemma due to [Aaronson2004]:
Lemma (Almost as Good as New)
Suppose a measurement on a mixed state yields a particular outcome with probability . Then after the measurement, one can recover a state such that
We now state the main longevity theorem:
Theorem (Quantum Bitcoin Longevity)
The number of times a quantum bitcoin can be verified and reconstructed is exponentially large in .
Proof
Corollary A.1 shows that the completeness error of is exponentially small in . When verifying a genuine quantum bitcoin , the verifier performs the measurement on the underlying quantum states , which yields the outcome “Pass” with probability . Then lemma A.3 shows that we can recover the underlying quantum states of so that . As is exponentially small in , the trace distance becomes exponentially small in as well. Each time such a quantum bitcoin is verified and reconstructed, the trace distance between the “before” and “after” is exponentially small in . Given any threshold after which we consider the quantum bitcoin “worn out”, the number of verifications it survives before passing this threshold is exponential in .
Theorem A.3 shows that a quantum bitcoin can be verified and reused many times before the quantum state is lost (assuming the absence of noise and decoherence). This is of course analogous to traditional, physical banknotes and coins which are expected to last for a large enough number of transactions before wearing out.