Publicly Verifiable Quantum Money
- Publicly verifiable quantum money is a cryptographic scheme that issues quantum banknotes which any party can verify from public information alone, with unforgeability resting on quantum mechanics and computational hardness.
- The protocol employs algorithms like KeyGen, Mint, and Verify, utilizing invariant, eigenstate, or hidden subspace methods to ensure authenticity and prevent duplication.
- Its security relies on the no-cloning theorem and hard computational problems, while ongoing research tackles practical instantiation, noise tolerance, and efficiency challenges.
A publicly verifiable quantum money protocol is a cryptographic framework in which quantum banknotes (quantum states, typically together with a classical serial number) are issued by a trusted bank (or, in some designs, by any party) and can be efficiently authenticated by any verifier using only public parameters, with no access to a secret key held by the bank. The central property is that, although authenticity can be checked publicly, it remains computationally infeasible for any adversary, classical or quantum, to create additional valid banknotes or to duplicate a genuine note. Unforgeability is thus enforced jointly by the laws of quantum mechanics (no-cloning) and by computational hardness assumptions.
1. Formal Framework and Core Definitions
A publicly verifiable quantum money scheme typically consists of three polynomial-time algorithms (KeyGen may be classical; Mint and Verify are quantum):
- KeyGen: Outputs a public key (pk) and, in constructions with a distinguished bank, a secret key (sk) used for minting.
- Mint: Produces a banknote, typically a pair consisting of a classical serial number and a quantum state.
- Verify: Takes pk, the serial number, and the candidate quantum state as input and outputs accept or reject, accepting only genuine notes.
Correctness requires that honestly minted notes verify with overwhelming probability. Unforgeability demands that no efficient adversary, even given the public key and (in schemes with a bank) oracle access to Mint, can output more accepting notes than it received from the oracle.
The security definition is typically formalized as a "no-cloning" game: given one honest note, the adversary tries to prepare two or more states that are all accepted by Verify for the same serial number. Security holds when the success probability of this game is negligible in the security parameter (Liu et al., 2022).
2. Key Constructions and Instantiations
Publicly verifiable quantum money protocols have evolved through several paradigms, often reflecting foundational advances in quantum cryptography.
a) Invariant-Based Frameworks
A general and unifying schema is the invariant-money approach (Liu et al., 2022), where:
- The banknote state is a uniform superposition over elements of a set sharing a classical invariant (e.g., group orbit, knot polynomial).
- Public verification combines checking the invariant and applying a Markov-chain or spectral-mixing test to enforce uniformity over the invariant's fiber.
Table: Example Instantiations
| Setting | Invariant | Permutations |
|---|---|---|
| Grid knots (Farhi et al., 2010) | Alexander polynomial | Reidemeister moves |
| Group actions | Orbit label | Group element multiplication |
| Isogeny graphs | #E (curve order mod ) | Low-degree isogeny walks |
| Encryption/FE schemes | Message hash | Ciphertext rerandomization |
In all such schemes, correctness and unclonability follow from the expansion properties of the random walks and the conjectured hardness of finding paths or preimages in the combinatorial structures.
b) Joint Eigenstate (Commuting Operator) Approaches
Schemes constructing banknotes as joint eigenstates of families of commuting unitaries have been realized in both modular forms (Kane, 2018) and quaternion algebra settings (Kane et al., 2021). The minting algorithm prepares a uniform or maximally entangled state, performs parallel phase estimation of the operators, and collapses to a unique eigenstate with associated classical eigenvalues as the serial number.
Verification consists of checking a classical digital signature on the serial, followed by non-destructive quantum phase estimation to validate the eigenstate structure.
c) Hidden Subspaces and Subspace States
The hidden subspace construction (Aaronson et al., 2012) encodes a banknote as a uniform superposition over a random subspace of half the ambient dimension, with the public key consisting of multivariate polynomials vanishing on that subspace and on its orthogonal complement. Verification entails two projections: onto the subspace in the standard basis, and onto its orthogonal complement after a Hadamard transform on every qubit.
Security is based on the conjectured hardness of recovering the subspace from the public polynomials (a noisy multivariate system). No-cloning is further enforced by black-box lower bounds via quantum adversary methods.
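The following is an added example, not code from Aaronson et al. (2012) or from any of the cited papers. It simulates, for a small number of qubits, the two-projection verifier of the hidden subspace scheme described above and plays the no-cloning game from Section 1 against it: an honest subspace state is accepted with probability 1, while a forger who measures the note in the standard basis and hands out two copies of the resulting classical string has each copy accepted with probability only 2^(-dim). Because the subspace is small enough to enumerate, membership is checked directly against the subspace and its complement; this stands in for the public polynomial system (or an obfuscated membership program), which is where the scheme's computational assumption lives and which this toy does not model.

```python
"""Toy simulation of hidden-subspace quantum money verification over F_2^n.

Added example, not code from the cited papers. States are dicts mapping
n-bit basis strings (packed into ints) to real amplitudes; the subspace A is
small enough (n = 6) to enumerate, so membership is checked directly against
A and its orthogonal complement instead of through the public polynomials or
an obfuscated program that the real scheme would publish.
"""
import random
from math import sqrt


def parity(v: int) -> int:
    """Parity of the bits of v, i.e. <x, y> mod 2 when v = x & y."""
    return bin(v).count("1") & 1


def span(basis):
    """All vectors in the F_2-span of `basis` (bit vectors packed into ints)."""
    vecs = {0}
    for b in basis:
        vecs |= {v ^ b for v in vecs}
    return frozenset(vecs)


def orthogonal_complement(subspace, n):
    """A^perp = { y in F_2^n : <x, y> = 0 mod 2 for every x in A }."""
    return frozenset(y for y in range(1 << n)
                     if all(parity(x & y) == 0 for x in subspace))


def random_subspace(n, dim, rng):
    """Random dim-dimensional subspace of F_2^n (resample until independent)."""
    while True:
        A = span(rng.randrange(1, 1 << n) for _ in range(dim))
        if len(A) == 1 << dim:
            return A


def subspace_state(A):
    """|A> = uniform superposition over the elements of A."""
    amp = 1.0 / sqrt(len(A))
    return {x: amp for x in A}


def hadamard_all(state, n):
    """Apply H on every qubit: amp'(y) = 2^{-n/2} * sum_x (-1)^{<x,y>} amp(x)."""
    scale = 1.0 / sqrt(1 << n)
    out = {}
    for y in range(1 << n):
        s = sum(a if parity(x & y) == 0 else -a for x, a in state.items())
        if abs(s) > 1e-12:
            out[y] = s * scale
    return out


def project(state, S):
    """Keep only amplitudes on basis states in S (unnormalised projector)."""
    return {x: a for x, a in state.items() if x in S}


def accept_probability(state, A, Aperp, n):
    """Pr[Verify accepts] = || P_{A^perp} H P_A |state> ||^2.

    Verify first projects onto A in the standard basis, then applies H to
    every qubit and projects onto A^perp (it would apply H again to hand the
    note back, which does not change the acceptance probability).
    """
    st = project(hadamard_all(project(state, A), n), Aperp)
    return sum(a * a for a in st.values())


def demo(n=6, dim=3, seed=1):
    """Honest note vs. a forger who measures the note and re-prepares it."""
    rng = random.Random(seed)
    A = random_subspace(n, dim, rng)
    Aperp = orthogonal_complement(A, n)
    note = subspace_state(A)

    p_honest = accept_probability(note, A, Aperp, n)

    # Forgery attempt: measure the note in the standard basis (yielding a
    # uniformly random x in A), then hand out the classical string x as two
    # "banknotes" |x>. Each copy passes the first projection, but H|x> is
    # spread over all 2^n strings, so the A^perp check keeps only
    # |A^perp| / 2^n = 2^{-dim} of the mass.
    x = rng.choice(sorted(A))
    copy = {x: 1.0}
    p_copy = accept_probability(copy, A, Aperp, n)
    return p_honest, p_copy, p_copy ** 2   # last value: both copies accepted


if __name__ == "__main__":
    honest, single, both = demo()
    print(f"honest note accepted: {honest:.3f}")
    print(f"re-prepared copy accepted: {single:.3f}, both copies: {both:.4f}")
```

With n = 6 and a 3-dimensional subspace the honest note passes with probability 1.000, a re-prepared classical copy passes with probability 0.125, and the forger wins the two-copy game with probability 1/64. The exponent grows linearly with the subspace dimension, which is the quantitative content of the "projections in two conjugate bases" idea; what the toy cannot show is the separate computational step, namely that the published polynomials do not let a verifier (or forger) recover the subspace and mint its own state.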
d) Quantum Lightning and Random Quantum Hashes
Quantum Lightning (Zhandry, 2017) strengthens quantum money to the setting where even the minter cannot produce two valid states with the same serial number ("collision-freeness"). The principal concrete instantiation proposed there uses superpositions over preimages of a hash function built from quadratic (degree-2) polynomials, with public verification via phase analysis and measurement; its unforgeability was argued from the hardness of finding many colliding preimages in the random quadratic system (multi-collision resistance). That specific degree-2 multi-collision assumption was subsequently shown to be false (Roberts, 2021), so the instantiation is considered broken while the generic lightning definition and its applications remain valid.
e) Obfuscation and Indistinguishability Obfuscators (iO)
Some of the most general schemes (e.g., anonymous quantum money (Cakan et al., 7 Nov 2024), iO-based subspace schemes (Zhandry, 2017)) depend on the existence of iO for circuits and, in some cases, LWE. Here the public verification circuits are obfuscated programs that test subspace (or other structure) membership without revealing trapdoor information. Rerandomizable encryption can be combined to ensure anonymity, and tracing keys can be embedded to support traceability.
3. Security Foundations and Hardness Assumptions
Publicly verifiable quantum money protocols derive their security from a combination of quantum information principles (above all the no-cloning theorem), information-theoretic arguments in oracle models, and computational hardness assumptions. The most prominent hardness assumptions include:
- Discrete logarithm/group-action DLP for group action-based protocols (Doliskani et al., 24 Mar 2025).
- Noisy Multivariate Polynomial Solving (subspace-hiding) (Aaronson et al., 2012, Zhandry, 2017, Cakan et al., 7 Nov 2024).
- Indistinguishability Obfuscation (iO), which underpins the security of the most general (and privacy/anonymity-enhanced) schemes (Cakan et al., 7 Nov 2024).
- Assumptions on Path-Finding and knowledge-of-path in random-walk expanders (for invariant money and knot-based schemes) (Liu et al., 2022).
- Hardness of Decoding Random Linear Codes for random stabilizer-state schemes (Aaronson, 2011); note that this particular construction was subsequently broken (Lutomirski et al., 2010).
- No-Go Theorems: A broad natural class of lattice-based constructions, those built from Gaussian or coset superpositions verified through LWE- or SIS-style lattice hashing, is provably insecure in the public-key setting because of "collapsing hash" phenomena that enable forgery (Liu et al., 2022).
4. Verification Algorithms and Public Authenticity
A hallmark of publicly verifiable quantum money is that any verifier, given only public parameters, can run a procedure that confirms the note's authenticity while leaving an honest note essentially undisturbed (verification is non-destructive, or at worst "gentle", on genuine notes so that the note can be spent again):
- In hidden subspace and subspace-state schemes, verification is a sequence of projections, often involving both the computational and Fourier/Hadamard bases.
- In eigenstate schemes, phase estimation against a published eigenvalue list is combined with signature verification (Kane, 2018, Kane et al., 2021).
- In "invariant money" frameworks, a Schwartz–Zippel style test for invariant equality is augmented with spectral/mixing tests based on reversible Markov chains.
- For quantum lightning, modular subtests and measurements on multi-register states enforce both authenticity and unclonability via serial-number collision resistance (Zhandry, 2017).
- For privacy-preserving schemes, obfuscated circuits mediate all membership and rerandomization checks (Cakan et al., 7 Nov 2024).
Notably, in the oracle models where they apply, black-box techniques and adversary-method lower bounds give formal unforgeability guarantees, with the required adversary effort exponential in the security parameter. Some constructions additionally provide rerandomization operations for privacy, and specialized tracing algorithms for auditability or regulatory compliance.
5. Limitations, Impossibility Results, and Open Problems
Despite significant progress, several limitations and impossibility results are established:
- Black-Box Separations: Public-key quantum money cannot be realized by black-box constructions from collision-resistant hash functions in which the verifier makes only classical queries to the hash function (Ananth et al., 2023). In that model the adversary can simulate the classical query transcript and use known state-synthesis techniques to prepare states that pass verification, so such schemes are inherently insecure.
- Lattice-Based Schemes: Any protocol built from typical lattice coset or Gaussian superpositions is broken by attacks that do not contradict the hardness of LWE or SIS; no secure public-key construction from these assumptions is presently known (Liu et al., 2022).
- Practicality and Efficiency: While several oracle-based or idealized schemes enjoy provable security relative to their oracle, instantiation from standard cryptographic assumptions (without iO or oracles) remains open or entails prohibitive computational costs. Efficient Markov-chain mixing and efficient computation of invariants are unresolved in some frameworks (e.g., knots).
- Adaptive Security: Many schemes, such as those using symmetric-subspace projectors, only achieve security against non-adaptive or rational adversaries, leaving full adaptive, composable security frameworks as an open direction (Behera et al., 2020).
- Physical Realizability: Experimental realization is limited by noise tolerance, quantum memory, and measurement capabilities; recent work investigates error correction and partial classicalization to address these gaps (Guan et al., 2017, Yuen, 8 Jul 2024).
6. Extensions: Privacy, Anonymity, and Specialized Functionality
Recent work extends the base protocol class to accommodate privacy and advanced transactional requirements:
- Anonymity: Using public-key rerandomizable encryption and iO, one can achieve anonymity against users and, with or without traceability, construct quantum money schemes that simultaneously support privacy and regulatory tracking requirements (Cakan et al., 7 Nov 2024).
- Noise-Tolerant Schemes: Protocols integrating quantum error correction and subspace state verification extend public verifiability to physically noisy environments, maintaining completeness and unforgeability under bounded Pauli errors (Yuen, 8 Jul 2024).
- Low Quantum Resource Implementations: As exemplified by conjugate-coding and one-time memory (OTM) based constructions, it is possible to design schemes where honest parties only require minimal quantum capability, with double-spending still ruled out by no-cloning (Genovese et al., 24 Dec 2025).
- Instantaneous Cryptocurrency: In the quantum lightning paradigm, transaction finality can be realized locally and without any global ledger, with transfers governed entirely by serial-number uniqueness and public verification (Zhandry, 2017).
- Quantum Voting: Public-key quantum money techniques enable universally verifiable voting protocols with classical ballots, leveraging the unclonability of associated quantum states (Cakan et al., 7 Nov 2024).
7. Outlook and Research Directions
The field of publicly verifiable quantum money continues to evolve at the intersection of quantum information theory, computational complexity, and cryptography. Open research frontiers include:
- Finding fully practical and efficiently instantiable schemes under standard (non-iO) cryptographic assumptions.
- Eliminating auxiliary oracles and obfuscation from constructions.
- Achieving full adaptive and composable security, especially in the presence of noise and side-channel attacks.
- Broadening application domains, such as quantum tokens, signatures, and cryptographically secure quantum payment networks.
- Improving the noise threshold and error correction without sacrificing public verifiability or security guarantees.
Comprehensive progress requires advances in both quantum algorithmics and the deeper structure of quantum-secure hardness assumptions, with significant implications for the future of cryptographic currency and authenticated quantum information.