Quantum Lightning Never Strikes the Same State Twice. Or: Quantum Money from Cryptographic Assumptions
Journal of Cryptology (IF 3), Pub Date: 2021-01-01, DOI: 10.1007/s00145-020-09372-x
Mark Zhandry

Public key quantum money can be seen as a version of the quantum no-cloning theorem that holds even when the quantum states can be verified by the adversary. In this work, we investigate quantum lightning, a formalization of “collision-free quantum money” defined by Lutomirski et al. [ICS’10], where no-cloning holds even when the adversary herself generates the quantum state to be cloned. We then study quantum money and quantum lightning, showing the following results:
- We demonstrate the usefulness of quantum lightning beyond quantum money by showing several potential applications, such as generating random strings with a proof of entropy, to completely decentralized cryptocurrency without a blockchain where transactions are instantaneous and local.
- We give win–win results for quantum money/lightning, showing that either signatures/hash functions/commitment schemes meet very strong recently proposed notions of security, or they yield quantum money or lightning. Given the difficulty in constructing public key quantum money, this suggests that natural schemes do attain strong security guarantees.
- We show that instantiating the quantum money scheme of Aaronson and Christiano [STOC’12] with indistinguishability obfuscation that is secure against quantum computers yields a secure quantum money scheme. This construction can be seen as an instance of our win–win result for signatures, giving the first separation between two security notions for signatures from the literature.
- Finally, we give a plausible construction for quantum lightning, which we prove secure under an assumption related to the multicollision resistance of degree-2 hash functions. Our construction is inspired by our win–win result for hash functions and yields the first plausible standard model instantiation of a non-collapsing collision-resistant hash function. This improves a result of Unruh [Eurocrypt’16] which is relative to a quantum oracle.
Thus, we provide the first constructions of public key quantum money from several cryptographic assumptions. Along the way, we develop several new techniques including a new precise variant of the no-cloning theorem.

Updated: 2021-01-01