A Quantum Money Solution to the Blockchain Scalability Problem

02/27/2020 ∙ by Andrea Coladangelo, et al. ∙ 0

We put forward the idea that classical blockchains and smart contracts are potentially useful primitives not only for classical cryptography, but for quantum cryptography as well. Abstractly, a smart contract is a functionality that allows parties to deposit funds, and release them upon fulfillment of algorithmically checkable conditions, and can thus be employed as a formal tool to enforce monetary incentives. In this work, we give the first example of the use of smart contracts in a quantum setting. We describe a simple hybrid classical-quantum payment system whose main ingredients are a classical blockchain capable of handling stateful smart contracts, and quantum lightning, a strengthening of public-key quantum money introduced by Zhandry (Eurocrypt'19). Our hybrid payment system employs quantum states as banknotes and a classical blockchain to settle disputes and to keep track of the valid serial numbers. It has several desirable properties: it is decentralized, requiring no trust in any single entity; payments are as quick as quantum communication, regardless of the total number of users; when a quantum banknote is damaged or lost, the rightful owner can recover the lost value.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Cryptocurrencies, along with blockchains and smart contracts, have recently risen to popular attention, the most well-known examples being Bitcoin and Ethereum [40, 12]. Informally, a blockchain is a public ledger consisting of a sequence of blocks. Each block typically contains information about a set of transactions, and a new block is appended regularly via a consensus mechanism that involves the parties of a network and no a priori trusted authority. A blockchain is endowed with a native currency which is employed in transactions, and whose basic unit is a “coin”. The simplest type of transaction is a payment, which transfers coins from one party to another. However, more general transactions are allowed, which are known as smart contracts. These can be thought of as contracts stored on a blockchain, and whose consequences are executed upon fulfilment of algorithmically checkable conditions.

A central issue that needs to be resolved for blockchains to achieve mass-adoption is scalability. This refers to the problem of increasing the throughput of transactions (i.e. transactions per second) while maintaining the resources needed for a party to participate in the consensus mechanism approximately constant, and while maintaining security against adversaries that can corrupt constant fractions of the parties in the network. For example, Bitcoin and Ethereum, can currently handle only on the order of transactions per second (Visa for a comparison handles about per second)OrSource? The following source https://usa.visa.com/run-your-business/small-business-tools/retail.html suggests  1700 transactions per second, and supports up to 24,000 tps. It seems that this source is rather old  2010.blue.

In this work, we show that quantum information is inherently well-suited to tackle this problem. We show that a classical blockchain can be leveraged using tools from quantum cryptography (in particular, quantum money) to provide a simple solution to the scalability problem.111We clarify that this solution only solves the scalability problem for payment transactions, and not for the more general smart contracts transactions.

The main quantum ingredient that we employ is a primitive called quantum lightning, formally introduced by Zhandry [56] and inspired by Lutomirski et al.’s notion of collision resistant quantum money [33]

. In a public-key quantum money scheme, a bank is entrusted with generating quantum states (we refer to these as quantum banknotes) with an associated serial number, and a public verification procedure allows anyone in possession of the banknote to check its validity. Importantly, trust is placed in the fact that the central bank will not create multiple quantum banknotes with the same serial number. A quantum lightning scheme has the additional feature that no generation procedure, not even the honest one (and hence not even a bank!), can produce two valid money states with the same serial number, except with negligible probability. This opens to the possibility of having a completely decentralized quantum money scheme. However, if the system ought to be trust-less, some issues need to be addressed: most importantly, who is allowed to mint money? Who decides which serial numbers are valid? Our solution leverages a (classical) blockchain to address these questions.

Our contributions

We design a hybrid classical-quantum payment system that uses quantum states as banknotes and a classical blockchain to settle disputes and to keep track of the valid serial numbers. This is, to the best of our knowledge, the first example of the use of a classical blockchain in combination with quantum cryptographic toolsOrThis is tricky. [26]? I suggest adding the words “provably secure”. Though, I don’t think we should cite him in the extended abstract.blue. Our payment system has the following desirable features:

  • It is decentralized, requiring no trust in any single entity.

  • Payments involve the exchange of quantum banknotes, and enjoy many of the properties of cash, which cryptocurrencies do not have. For example, transactions are not recorded on the blockchain, and they involve only the payer and the payee. Thus the throughput is unbounded. Payments are as quick as quantum communication, and they do not incur transaction fees.

  • The rightful owner of a quantum banknote can recover the original value, even if the quantum banknote is damaged or lost; an adversary who tried to abuse this feature would be penalized financially.

Our contribution is primarily conceptual, but our treatment is formal: we work within the Generalized Universal Composability framework (GUC) of Canetti et al. [13], and we formulate an ideal functionality for a blockchain that supports smart contracts. Note that we do not prove composable security of our payment system. Instead, we prove a “one-shot” version of security, assuming parties have access to such an ideal functionality. Nonetheless, we find it desirable to work within the GUC framework, and we discuss the reason for this choice in more detail below. We also provide an informal construction of our payment system on the Bitcoin blockchain. Its treatment is less rigorous, but it addresses some ways in which the payment system could be optimized.

As a further technical contribution, in order to achieve part (iii), we formalize a novel property of quantum lightning schemes, which we call “bolt-to-signature” capability and is reminiscent of one-time digital signatures. We provide a provably secure construction of a lightning scheme with such a property (assuming a secure lightning scheme which might not satisfy this). The construction is based on the hash-and-sign paradigm as well as Lamport signatures scheme. It allows a user holding a valid quantum lightning state with serial number to sign a message with respect to . The security guarantees are that no one who does not possess a lightning state with serial number can forge signatures with respect to , and once the lightning state is utilized to produce even a single signature, it will no longer pass the lightning verification procedure. We envision that such a primitive could find applications elsewhere and is of independent interest.

How to model a blockchain?

OrI copy/pasted the “how to model a blockchain” paragraph, and made lots of changes to it - see below.blue

The essential properties of blockchains and smart contracts can be abstracted by modeling them as ideal functionalities in the Universal Composability (UC) framework of Canetti [15]. Such a framework provides both a formal model for multiparty computation, and formal notions of security with strong composability properties. The approach of studying blockchains and smart contracts within such a framework was first proposed by Bentov al. in [8], and explored further in [7]. The main reason why such an approach is desirable is that it abstracts the features of blockchains and smart contracts into building blocks that can be utilized to design more complex protocols in a modular way. The limitation of the works [8, 7] is that they modify the original model of computation of UC in order to incorporate coins, but they do not prove that a composition theorem holds in this variant. A more natural approach was proposed by Kiayias et al. in [29], which uses the Generalized Universal Composability (GUC) framework by Canetti et al. [13].

In this work, we define a ledger functionality in the GUC framework which supports universal smart contracts. We use this as an abstraction layer which significantly simplifies exposition and the security analysis. The downside of this approach is that, to the best of our knowledge, there is no known proof of a GUC-secure realization of an ideal functionality for a ledger supporting smart contracts by any cryptocurrency.OrWhat’s the difference between GUC and UC? Why UC is not sufficient for our implication?blue Proving that a complicated system such as Bitcoin or Ethereum GUC-securely realizes a simple ledger functionality, even without the support for smart contracts, requires already substantial work [3]. The upside is that, as soon as one provides a GUC secure realization on some cryptocurrency of our ideal ledger functionality, one can replace the latter in our payment system with its real world implementation, and the security of our payment system would hold verbatim, by the composition properties of the GUC framework. For this reason, we find the approach very desirable. Other approaches that do not fall into the GUC framework include [30] and [20].

We emphasize that we do not prove that our payment system can be composed securely, i.e. we do not define an ideal functionality for our payment system and prove a secure realization of it. Rather, the security we prove is only “one-shot”.

OrIf there exists a real-world GUC realization, then our payment system could be realized as well, and be secure. On the other hand, we do not model our payment system using ideal functionalities, and in particular, it cannot be used in other protocols.blue

A sketch of our payment system

The main ingredient that we employ is quantum lightning. As suggested by Zhandry, this primitive seems well-suited for designing a decentralized payment system, as it is infeasible for anyone to copy banknotes (even a hypothetical bank). However, since the generation procedure is publicly known, there needs to be a mechanism that regulates the generation of new valid banknotes (to prevent parties from continuously generating banknotes).

We show how stateful smart contracts on a classical blockchain can be used to provide such a mechanism. For instance, they allow to easily keep track of a publicly trusted list of valid serial numbers. We elaborate on this. In our payment system, the native coin of a classical blockchain is used as a baseline classical currency. Any party can spend coins on the classical blockchain to add a serial number of their choice to the list of valid serial numbers. More precisely, they can deposit any amount (of their choice) of coins into an appropriately specified smart contract and set the initial value of a serial number state variable to whatever they wish (presumably the serial number of a quantum banknote that they have just generated locally). They have thus effectively added to the blockchain a serial number associated to a quantum banknote that, in virtue of this, we can think of as having “acquired” value . Payments are made by transferring quantum banknotes: party , the payer, transfers his quantum banknote with serial number to party , the payee, and references a smart contract whose serial number state variable is . Party then locally verifies that the received banknote is valid. This completes the transaction. Notice that this does not involve interaction with any other third party, and only requires read access to the blockchain. Of course, the same quantum banknote can be successively spent an unlimited number of times in the same manner, without ever posting any new transaction on the blockchain. The latter is only invoked when a banknote is first generated, and in case of a dispute. Thus, throughput of transactions is no longer a concern. Likewise, long waiting times between when a payment is initiated and when it is confirmed (which are typically in the order of minutes – for example, it is recommended to accept a Bitcoin transaction after 6 confirmations, which takes an hour in expectation) are also no longer a concern since payments are verified immediately by the payee. One can think of the quantum banknotes as providing an off-chain layer that allows for virtually unlimited throughput. We give an extended comparison of our payment system with other off-chain solutions, like Bitcoin’s Lightning Network, in Section 8.

The full payment system includes two additional optional features:

  • A mechanism that allows any party in possession of a quantum banknote to recover the coins deposited in the corresponding smart contract. Together with the mechanism outlined earlier, this makes quantum banknotes and coins on the blockchain in some sense interchangeable: one can always convert one into the other by publishing a single transaction on the blockchain.

  • A mechanism that allows any honest party who has lost or damaged a valid quantum banknote to change the serial number state variable of the corresponding smart contract to a fresh value of their choice.

These two additional desirable features are realizable as long as the quantum lightning scheme employed satisfies an additional property. We formalize this property, which we call “bolt-to-certificate capability”, and show that Zhandry’s proposed constructions satisfy this property. The latter asserts informally that it is possible to measure a valid quantum banknote and obtain a classical certificate, but it is impossible to simultaneously hold both a valid banknote and a valid certificate. In other words, the classical certificate acts as a “proof of destruction”: a certificate which guarantees that no quantum lightning state with the corresponding serial number exists. We also introduce a novel implementation of a one-time signature scheme based on the “bolt-to-certificate capability”, and inspired by Lamport’s signature scheme. This protects honest parties who broadcast a classical certificate to the network from having their classical certificate stolen before it is registered on the blockchain.

We emphasize that the bolt-to-certificate capability of the lightning scheme is only required in order to achieve the two additional features (i) and (ii) above, but is not necessary in order to achieve the basic functionality of our payment system described above.

Limitations of our solution

We see two main limitations to our payment system:

  • The technologies needed to implement our payment system will not be available in the foreseeable future. For instance, it would require the ability of each party to store large entangled quantum states for extended periods of time. It would also require that each party be able to send quantum states to any party it wishes to make payments to. The latter could be achieved, for example, in a network in which any two parties have the ability to request joint EPR pairs (i.e. maximally entangled pairs of qubits), which is one of the primary components of a “quantum internet”

    [52]. One can view our scheme as a possible use case of a quantum internet.

  • The only known concrete constructions of a quantum lightning scheme rely on non-standard assumptions for security. The construction of Farhi et al. [22] is secure based on the hardness of. The construction of Zhandry [56] is secure based on an assumption related to the multi-collision resistance of certain degree-2 hash functions. Arguably, neither of these assumptions is well-studied. OrOriginally, it was: “Our construction is based on the existence of a secure quantum lightning scheme. There is only one known concrete construction for quantum lightning whose security hinges on a non-standard computational assumption about the multi-collision resistance of certain degree-2 hash functions.” But what about the construction of Farhi et al.? See sec:farhi_et_al. I changed it to the slightly more concise version above.blue

In sec: comparison, we extensively discuss the disadvantages (as well as the advantages) of our payment system vis-à-vis with other classical alternatives – namely, a standard crypto-currency such as Bitcoin and second layer solutions such as the Lightning Network.


Section 2 covers preliminaries: 2.1 covers basic notation; 2.2 introduces quantum lightning; 2.3 gives a concise overview of the Universal Composability framework of Canetti [15]. Section 3 gives first an informal description of blockchains and smart contracts, followed by a formal definition of our global ideal functionality for a transaction ledger that handles stateful smart contracts. Section 4 describes our payment system. In Section 5, we describe an adversarial model, and then prove security guarantees with respect to it.

2 Preliminaries

2.1 Notation

For a function , we say that is negligible, and we write , if for any positive polynomial and all sufficiently large ’s, . A binaryrandom variable is a random variable over . We say that two ensembles of binary random variables and are indistinguishable if,

We use the terms PPT and QPT as abbreviations of probabilistic polynomial time and quantum polynomial time respectively.

2.2 Quantum money and quantum lightning

Quantum money is a theoretical form of payment first proposed by Wiesner [53], which replaces physical banknotes with quantum states. In essence, a quantum money scheme consists of a generation procedure, which mints banknotes, and a verification procedure, which verifies the validity of minted banknotes. A banknote consists of a quantum state together with an associated serial number. The appeal of quantum money comes primarily from a fundamental theorem in quantum theory, the No-Cloning theorem, which informally states that there does not exist a quantum operation that can clone arbitrary states. A second appealing property of quantum money, which is not celebrated nearly as much as the first, is that quantum money can be transferred almost instantaneously (by quantum teleportation for example). The first proposals for quantum money schemes required a central bank to carry out both the generation and verification procedures. The idea of public key quantum money was later formalized by Aaronson [1]. In public-key quantum money, the verification procedure is public, meaning that anyone with access to a quantum banknote can verify its validity.

In this section, we focus on quantum lightning, a primitive recently proposed by Zhandry [56], and we enhance this to a decentralized quantum payment system. Informally, a quantum lightning scheme is a strengthening of public-key quantum money. It consists of a public generation procedure and a public verification procedure which satisfy the following two properties:

  • Any quantum banknote generated by the honest generation procedure is accepted with probability negligibly close to by the verification procedure.

  • No adversarial generation procedure (not even the honest one) can generate two banknotes with the same serial number which both pass the verification procedure with non-negligible probability.

As mentioned earlier, there is only one known construction of quantum lightning, by Zhandry [56], who gives a construction which is secure under a computational assumption related to the multi-collision resistance of some degree-2 hash function. Zhandry also proves that any non-collapsing hash function can be used to construct quantum lightning. However, to the best of our knowledge, there are no known hash functions that are proven to be non-collapsing. In this section, we define quantum lightning formally, but we do not discuss any possible construction. Rather, in Section 4, we will use quantum lightning as an off-the-shelf primitive. [Quantum lightning [56]] A quantum lightning scheme consists of a PPT algorithm (where is a security parameter) which samples a pair of polynomial-time quantum algorithms , . gen-bolt outputs pairs of the form . We refer to as a “bolt” and to as a “serial number”. ver-bolt takes as input a pair of the same form, and outputs either “accept” (1) or “reject” (0). They satisfy the following:

  • (1)

    We also require that verification does not perturb the bolt, except negligibly.

  • For all ,


The two requirements simply ask that, with overwhelming probability, for any validly generated bolt , there is a single serial number such that is accepted by the verification procedure.

For security, we require that no adversarial generation procedure can produce two bolts with the same serial number. Formally, we define security via the following game between a challenger and an adversary .

  • The challenger runs and sends to .

  • produces a pair .

  • The challenger runs on each half of . The output of the game is if both outcomes are “accept”.

We let be the random variable which denotes the output of the game.

[Security [56]] A quantum lightning scheme is secure if, for all polynomial-time quantum adversaries ,

We define an additional property of a quantum lightning scheme, which in essence establishes that one can trade a quantum banknote for some useful classical certificate. Intuitively, this is meant to capture the fact that in the proposed construction of quantum lightning by Zhandry, one can measure a bolt with serial number in the computational basis to obtain a pre-image of under some hash function. However, doing so damages the bolt so that it will no longer pass verification. In order to define this additional property, we change the procedure slightly, so that it outputs a tuple , where gen-certificate is a QPT algorithm that takes as input a quantum money state and a serial number and outputs a classical string of some fixed length for some polynomially bounded function , which we refer to as a certificate, and verify-certificate is a PPT algorithm which takes as input a serial number and a certificate, and outputs “accept” () or “reject” (). The additional property is defined based on the following game Forge-certificate between a challenger and an adversary :

  • The challenger runs and sends the tuple to .

  • returns and .

  • The challenger runs and . Outputs if they both accept.

Let be the random variable for the output of the challenger in the game above.

[Trading the bolt for a classical certificate] Let . We say that a quantum lightning scheme has “bolt-to-certificate capability” if:

  • (5)
  • For all polynomial-time quantum algorithms ,

Notice that property also implies that for most setups and serial numbers it is hard for any adversary to find a such that without access to a valid state whose serial number is . In fact, if there was an adversary which succeeded at that, this could clearly be used to to construct an adversary that succeeds in Forge-certificate: Upon receiving from the challenger, computes generates ; then runs on input to obtain some . returns and to the challenger. We emphasize that in game Forge-certificate it is the adversary himself who generates the state . This is important because when we employ the quantum lightning scheme later on parties are allowed to generate their own quantum banknotes.

Proposition 1.

Any scheme that uses Zhandry’s construction instantiated with a non-collapsing hash function [56] satisfies the property of Definition 2.2.


We refer the reader to [56] for a definition of non-collapsing hash function. In Zhandry’s construction based on a non-collapsing hash function, outputs . A bolt generated from gen-bolt has the form , where for all and , where is a non-collapsing hash-function, and is polynomial in the security parameter . verify-bolt has the form of -fold product of a verification procedure “Mini-Ver” which acts on a single one of the registers. In Zhandry’s construction, the serial number associated to the bolt above is .

We define as the QPT algorithm that measures in the standard basis, and outputs the outcome. When applied to an honestly generated bolt, the outcomes are pre-images of , for . We define as the deterministic algorithm which receives a serial number and a certificate and checks that for all , .

Is is clear that holds.

For property , suppose there exists such that is non-negligible. We use to construct an adversary that breaks collision-resistance of a non-collapsing hash function as follows: runs . Let be the non-collapsing hash function hard-coded in the description of verify-bolt. sends the tuple to , where the latter two are defined as above in terms of . returns , where is parsed as . then measures each of the registers of to get . If , then outputs . We claim that with non-neglibile probability outputs a collision for . To see this, notice that since wins Forge-certificate with non-negligible probability, then must pass verify-bolt with non-negligible probability; and from the analysis of [56], any such state must be such that at least one of the registers is in a superposition which has non-negligible weight on at least two pre-images. For more details, see the proof of Theorem 5 in [56], and specifically the following claim:

If the bolts are measured, two different pre-images of the same y, and hence a collision for


r, will be obtained with probability at least 1/200.

Proposition 2.

Zhandry’s construction based on the multi-collision resistance of certain degree-2 hash functions (from section 6 of [56]) satisfies the property of Definition 2.2.

The proof is similar to the proof of Proposition 1. We include it for completeness in Appendix A.1.

Zhandry’s construction from prop: extra property 2 only requires a common random string (CRS) for QL.Setup. This fact will be relevant when we discuss a concrete implementation in a system such as Bitcoin. Of course, the advantage is that there is no need for a trusted setup. For more details, see sec: practical implementation on Bitcoin.

Another Quantum Lightning Scheme?

Farhi et al. [23] constructed a public quantum money scheme which they conjectured have the following property:

A rogue mint running the same algorithm as the mint can produce a new set of money pairs, but (with high probability) none of the serial numbers will match those that the mint originally produced.

This is less formal, but we believe captures Zhandry’s security definition of a quantum lightning (though it was introduced roughly 7 years earlier).

Since we have two potential constructions to build upon, we briefly compare the two. First, Farhi et al. only provide several plausibility arguments supporting the security of their scheme, but their work does not contain any security proof. In a follow-up work, Lutomirski [34] showed a security reduction from a problem related to counterfeiting Farhi et al.’s money scheme. Even though it does not have a (proper) security proof, Farhi et al.’s scheme was first published 8 years ago, and was not broken since then. Zhandry’s construction is proved to be secure under a non-standard hardness assumption, which was first introduced in that work. In his Eurocrypt talk, Zhandry reports that the construction is “broken in some settings” – see https://youtu.be/fjumbNTZSik?t=1302.222Additionally, the hardness assumption was changed between the second and third version on the IACR e-print. This might suggest that the original hardness assumption was also broken. The most updated e-print version does not discuss that discrepancy. Second, the scheme of Farhi et al. does not need a setup. Third, the scheme of Farhi et al. does not have a bolt-to-certificate capability. This property is required to transform the quantum money back to a coin – see sec: main. Altogether, the mechanism which we propose in this work will only be relevant in the far future. If by then Zhandry’s construction will be considered secure, the test-of-time advantage of Farhi et al.’s scheme will be irrelevant by then, and the CRS requirement seems easy to satisfy, and therefore, Zhandry’s construction is a better candidate.

2.3 Universal Composability

This section is intended as a concise primer about the Universal Composability (UC) model of Canetti [15]. We refer the reader to [15] for a rigorous definition and treatment of the UC model and of composable security, and to the tutorial [16] for a more gentle introduction. At the end, we provide a brief overview of the Generalized UC model (GUC) [13]. While introducing UC and GUC, we also setup some of the notation that we will employ in the rest of the paper. As mentioned in the Introduction, we elect to work in the GUC, because this provides a convenient formal abstraction layer for modeling a ledger functionality that supports smart-contracts, and allows for a clean security proof in the idealized setting in which parties have access to this functionality.

The reader familiar with the UC and GUC framework may wish to skip ahead to the next section.

In the universal composability framework (UC), parties are modelled as Interactive Turing Machines (ITM) who can communicate by writing on each other’s externally writable tapes, subject to some global constraints. Informally, a protocol is specified by a code

for an ITM, and consists of various rounds of communication and local computation between instances of ITMs (the parties), each running the code on their machine, on some private input.

Security in the UC model is defined via the notion of emulation. Informally, we say that a protocol emulates a protocol if whatever can be achieved by an adversary attacking can also be achieved by some other adversary attacking . This is formalized by introducing simulators and environments.

Given protocols and , we say that emulates (or “is as secure as”) in the UC model, if for any polynomial-time adversary attacking protocol , there exists a polynomial-time simulator attacking such that no polynomial-time distinguisher , referred to as the environment, can distinguish between running with and running with . Here, the environment is allowed to choose the protocol inputs, read the protocol outputs, including outputs from the adversary or the simulator, and to communicate with the adversary or simulator during the execution of the protocol (without of course being told whether the interaction is with the adversary or with the simulator). In this framework, one can formulate security of a multiparty cryptographic task by first defining an ideal functionality that behaves exactly as intended, and then providing a “real-world” protocol that emulates, or “securely realizes”, the ideal functionality .

We give more formal definitions for the above intuition. To formulate precisely what it means for an environment to tell two executions apart, one has to formalize the interaction between and the protocols in these executions. Concisely, an execution of a protocol with adversary and environment consists of a sequence of activations of ITMs. At each activation, the active ITM runs according to its code, its state and the content of its tapes, until it reaches a special wait state. The sequence of activations proceeds as follows: The environment gets activated first and chooses inputs for and for all parties. Once or a party is actived by an incoming message or an input, it runs its code until it produces an outgoing message for another party, an output for , or it reaches the wait state, in which case is activated again. The execution terminates when produces its output, which can be taken to be a single bit. Note that each time it is activated, is also allowed to invoke a new party, and assign a unique PID (party identifier) to it. Allowing the environment to invoke new parties will be particularly important in Section 5, where we discuss security. There, the fact that the environment has this ability implies that our security notion captures realistic scenarios in which the set of parties is not fixed at the start, but is allowed to change. Moreover, each invocation of a protocol is assigned a unique session identifier SID, to distinguish it from other invocations of . We denote by the output of environment initialized with input , and security parameter in an execution of with adversary .

We are ready to state the following (slightly informal) definition.

A protocol UC-emulates a protocol if, for any PPT adversary , there exists a PPT simulator such that, for any PPT environment , the families of random variables and are indistinguishable.

Then, given an ideal functionality which captures the intended ideal behaviour of a certain cryptographic task, one can define the ITM code , which behaves as follows: the ITM running simply forwards any inputs received to the ideal functionality . We then say that a “real-world” protocol securely realizes if emulates according to Definition 2.3.

A composition theorem

The notion of security we just defined is strong. One of the main advantages of such a security definition is that it supports composition, i.e. security remains when secure protocols are executed concurrently, and arbitrary messages can be sent between executions. We use the notation for a protocol that makes up to polynomially many calls to another protocol . In a typical scenario, is a protocol that makes use of an ideal functionality , and is the protocol that results by implementing through the protocol (i.e. replacing calls to by calls to ). It is natural to expect that if securely realizes , then securely realizes . This is the content of the following theorem.

[Universal Composition Theorem] Let , , be polynomial-time protocols. Suppose protocol UC-emulates . Then UC-emulates .

Replacing by for some ideal functionality in the above theorem yields the composable security notion discussed above.

Generalized UC model

The formalism of the original UC model is not able to handle security requirements in the presence of a “global trusted setup”. By this, we mean some global information accessible to all parties, which is guaranteed to have certain properties. Examples of this are a public-key infrastructure or a common reference string. Emulation in the original UC sense is not enough to guarantee composability properties in the presence of a global setup. Indeed, one can construct examples in which a UC-secure protocol for some functionality interacts badly with another UC-secure protocol and affects its security, if both protocols make reference to the same global setup. For more details and concrete examples see [13].

The generalized UC framework (GUC) of Canetti et al. [13] allows for a “global setup”. The latter is modelled as an ideal functionality which is allowed to interact not only with the parties running the protocol, but also with the environment. GUC formulates a stronger security notion, which is sufficient to guarantee a composition theorem, i.e. ideal functionalities with access to a shared global functionality can be replaced by protocols that securely realize them in the presence of . Further, one can also replace global ideal functionalities with appropriate protocols realizing them. This kind of replacement does not immediately follow from the previous composition theorem and requires a more careful analysis, as is done in [14], where sufficient conditions for this replacement are established.

Universal Composability in the quantum setting

In our setting, we are interested in honest parties, adversaries and environments that are quantum polynomial-time ITMs. The notion of Universal Composability has been studied in the quantum setting in [5], [49] and [50]. In particular, in [50], Unruh extends the model of computation of UC and its composition theorems to the setting in which polynomial-time classical ITMs are replaced by polynomial-time quantum ITMs (and ideal functionalities are still classical). The proofs are essentially the same as in the classical setting. Although the quantum version of the Generalized UC framework has not been explicitly studied in [50], one can check that the proofs of the composition theorems for GUC from [13] and [14] also go through virtually unchanged in the quantum setting.

3 Blockchains and smart contracts

In this section, we start by describing blockchains and smart contracts informally. We follow this by a more formal description. As mentioned in the introduction, the essential features of blockchains and smart contracts can be abstracted by modeling them as ideal functionalities in the Universal Composability framework of Canetti [15]. In this section, we introduce a global ideal functionality that abstracts the properties of a transaction ledger capable of handling stateful smart contracts. We call this , which we describe in Fig. 1. AndreaThe rest of this paragraph is newred We remark that is somewhat of an idealized functionality which allows us to obtain a clean description and security proof for our payment system. However, does not capture, for example, attacks that stem from miners possibly delaying honest parties’ messages from being recorded on the blockchain. We discuss this and other issues extensively in Section 6. We also discuss ways to resolve such issues in detail, but we do not formally incorporate these in the description of our our payment system in Section 4: since we view our contribution as primarily conceptual, we elect to keep the exposition and security proof of the basic payment system as clean and accessible as possible.

Informally, a blockchain is a public ledger consisting of a sequence of blocks. Each block typically contains information about a set of transactions, and a new block is appended regularly via a consensus mechanism that involves the nodes of a network. A blockchain is equipped with a native currency which is employed in transactions, and whose basic unit is referred to as a coin.

Each user in the network is associated with a public key (this can be thought of as the user’s address). A typical transaction is a message which transfers coins from a public key to another. It is considered valid if it is digitally signed using the secret key corresponding to the sending address.

More precisely, in Bitcoin, parties do not keep track of users’s accounts, but rather they just maintain a local copy of a set known as “unspent transaction outputs set” (UTXO set). An unspent output is a transaction that has not yet been “claimed”, i.e. the coins of these transactions have not yet been spent by the receiver. Each unspent output in the UTXO set includes a circuit (also known as a “script”) such that any user that can provide an input which is accepted by the circuit (i.e. a witness) can make a transaction that spends these coins, thus creating a new unspent output. Hence, if only one user knows the witness to the circuit, he is effectively the owner of these coins. For a standard payment transaction, the witness is a signature and the circuit verifies the signature. However, more complex circuits are also allowed, and these give rise to more complex transactions than simple payments: smart contracts. A smart contract can be thought of as a transaction which deposits coins to an address. The coins are released upon fulfillment of certain pre-established conditions.

In [8] and [7], smart contracts are defined as ideal functionalities in a variant of the Universal Composability (UC) model [15]. The ideal functionality that abstracts the simplest smart contracts was formalized in [8], and called “Claim or Refund”. Informally, this functionality specifies that a sender locks his coins and chooses a circuit , such that a receiver can gain possession of these coins by providing a witness such that before an established time, and otherwise the sender can reclaim his coins. The “Claim or Refund” ideal functionality can be realized in Bitcoin as long as the circuit can be described in Bitcoin’s scripting language. On the other hand, Ethereum’s scripting language is Turing-complete, and so any circuit can be described.

“Claim or refund” ideal functionalities can be further generalized to “stateful contracts”. In Ethereum, each unspent output also maintains a state. In other words, each unspent output comprises not only a circuit , but also state variables. Parties can claim partial amounts of coins by providing witnesses that satisfy the circuit in accordance with the current state variables. In addition, also specifies an update rule for the state variables, which are updated accordingly. We refer to these type of transactions as stateful contracts, as opposed to the “stateless” contract of “Claim or Refund”. Stateful contracts can be realized in Ethereum, but not in Bitcoin. From now onwards, we will only work with stateful contracts. We will use the terms “smart contracts” and “stateful contracts” interchangeably.

We emphasize that our modeling is inspired by [8] and [7], but differs in the way that coins are formalized. One difference from the model of Bentov et al. is that there, in order to handle coins, the authors augment the original UC model by endowing each party with a wallet and a safe, and by considering coins as atomic entities which can be exchanged between parties. To the best of our knowledge, this variant of the UC framework is not subsumed by any of the previously studied variants, and thus it is not known whether a composition theorem holds for it.

On the other hand, we feel that a more natural approach is to work in the Generalized UC model [13], and to define a global ideal functionality which abstracts the essential features of a transaction ledger capable of handling stateful smart contracts. This approach was first proposed by Kiayias et al. [29]. The appeal of modeling a transaction ledger as a global ideal functionality is that composition theorems are known in the Generalized UC framework. In virtue of this, any secure protocol for some task that makes calls to can be arbitrarily composed while still maintaining security. This means that one need not worry about composing different concurrent protocols which reference the same transaction ledger. One would hope that it is also the case that a secure protocol that makes calls to remains secure when the latter are replaced by calls to secure real-world realizations of it (on Ethereum for example). This requires a more careful analysis, and Canetti et al. provide in [14] sufficient conditions for this replacement to be possible. We do not prove that a secure real-world realization of on an existing blockchain exists, but we believe that , or a close variant of it, should be securely realizable on the Ethereum blockchain. In any case, we work abstractly by designing our payment system, and proving it secure, assuming access to such an ideal functionality. The appeal of such an approach is that the security of the higher-level protocols is independent of the details of the particular real-world implementation of .

Next, we describe our global ideal functionality . In doing so, we establish the notation that we will utilize in the rest of the paper.

Global ledger ideal functionality

We present in Fig. 1 our global ledger ideal functionality . In a nutshell, this keeps track of every registered party’s coins, and allows any party to transfer coins in their name to any other party. It also allows any party to retrieve information about the number of coins of any other party, as well as about any previous transaction. The initial amount of coins of a newly registered party is determined by its PID (recall that in a UC-execution the PID of each invoked party is specified by the environment; see Section 2.3 for more details). Moreover, handles (stateful) smart contracts: it accepts deposits from the parties involved in a contract and then pays rewards appropriately. Recall that in stateful smart contracts a party or a set of parties deposit an amount of coins to the contract. The contract is specified by a circuit , together with an initial value for a state variable st. A state transition is triggered by any party with PID sending a witness which is accepted by in accordance with the current state and the current time . More precisely, the contract runs , which outputs either “” or a new state (stored in the variable st) and a number of coins that is released to . Each contract then repeatedly accepts state transitions until it has distributed all the coins that were deposited into it at the start. Notice that can accept different witnesses at different times (the acceptance of a witness can depend on the current time and the current value of the state variable st). Information about existing smart contracts can also be retrieved by any party.

The stateful-contract portion of resembles closely the functionality from [7]. Our approach differs from that of [7] in that the we make the smart contract functionality part of the global ideal functionality which also keeps track of party’s coins and transactions. In [7] instead, coins are incorporated in the computation model by augmenting the ITMs with wallets and safes (this changes the model of computation in a way that is not captured by any of the the previously studied variants of the UC framework).

We implicitly assume access to an ideal functionality for message authentication which all parties employ when sending their messages, and also to a global ideal functionality for a clock that keeps track of time. We assume implicitly that makes calls to the clock and keeps track of time. Alternatively, we could just have maintain a local variable that counts the number of transactions performed, and a local time variable , which is increased by every time the number of transactions reaches a certain number, after which the transaction counter is reset (this mimics the process of addition of blocks in a blockchain, and time simply counts the number of blocks). From now onwards, we do not formally reference calls to or to the clock to avoid overloading notation. We are now ready to define .

  Global ledger ideal functionality

Initialize the sets , , . (Throughout, the variable denotes the current time.)

Add party:

Upon receiving a message AddParty from a party with PID , send (AddedParty, ) to the adversary; upon receiving a message ok from the adversary, and if this is the first request from , add to the set parties. Set and .

Retrieve party:

Upon receiving a message (RetrieveParty, ) from some party (or the adversary), output (RetrieveParty, , ) to (or to the adversary), where if , and otherwise. (We slightly abuse notation here in that, when taken as part of a message, is treated as a string, but, when called by the functionality, is a variable with attributes and ).

Add transaction:

Upon receiving a message (AddTransaction, , ) from some party with PID , and , do the following:

  • If and , update and . Set . Add a variable named to AllTransactions, with attribute . Send a message (Executed, ) to .

  • Else, return to .

Retrieve transaction:

Upon receiving a message (RetrieveTransaction, ) from some party (or the adversary), output (RetrieveTransaction, , ), where if , and otherwise.

Add/trigger smart contract:

Upon receiving a message (AddSmartContract, Params=), where is a set of PID’s, is a set of “initial deposits”, with being the amount required initially from the party with PID , is a circuit, and is the initial value of a state variable st, check that . If not, ignore the message; if yes, set . Add a variable named to contracts with attributes , and . Send a message (RecordedContract, ) to . Then, do the following:

  • Initialization phase: Wait to get message from party with PID for all . When all messages are received, and if, for all , , then, for all , update: and . Set (We assume that changes dynamically with st).

  • Execution phase: Repeat until termination: Upon receiving a message of the form at time from some party with PID (where it can also be ) such that , do the following:

    • If , update and

    • Update .

    • If , let . Send the message (Reward, , ) to the party with PID and update and . If and , send the message (Reward, , ) to the party with PID , and update and . Else, if , send the message (Reward, , ) to the party with PID , and update and . Then, terminate.

Retrieve smart contract:

Upon receiving a message (RetrieveContract, ) from some party (or the adversary), output (RetrieveContract, , ), where if , and otherwise.


Figure 1: Global ledger ideal functionality

We think of “Retrieve” operations as being fast, or free, as they do not alter the state of the ledger. We think of “Add” operations as being slow, as they alter the state of the ledger.

From now on, we will often refer to the number of coins of a contract with session identifier as the coins deposited in the contract. When we say that a contract releases some coins to a party with PID , we mean more precisely that updates its local variables and moves coins from to .

4 A payment system based on quantum lightning and a classical blockchain

In this section, we describe our payment system. We give first an informal description, and in Section 4.1 we give a formal description.

The building block of our payment system is a quantum lightning scheme, reviewed in detail in Section 2.2. Recall that a quantum lightning scheme consists of a generation procedure which creates quantum banknotes, and a verification procedure that verifies them and assigns serial numbers. The security guarantee is that no generation procedure (not even the honest one) can create two banknotes with the same serial number except with negligible probability. As mentioned earlier, this property is desirable if one wants to design a decentralized payment system, as it prevents anyone from cloning banknotes (even the person who generates them). However, this calls for a mechanism to regulate generation of new valid quantum banknotes.

In this section, we describe formally a proposal that employs smart contracts to provide such a mechanism. As we have described informally in the introduction, the high-level idea is to keep track of the valid serial numbers using smart contracts. Any party is allowed to deposit any amount of coins (of their choice) into a smart contract with specific parameters (see definition 2 below), and with an initial value of his choice for a serial number state variable. We can think of the quantum banknote with the chosen serial number as having “acquired” value . A payment involves only two parties: a payer, who sends a quantum banknote, and a payee who receives it and verifies it locally. As anticipated in the introduction, the full payment system includes the following additional features, which we describe here informally in a little more detail (all of these are described formally in Section 4.1):

  • Removing a serial number from the list of valid serial numbers in order to recover the amount of coins deposited in the corresponding smart contract. This makes the two commodities (quantum banknotes and coins on the blockchain) interchangeable. This is achieved by exploiting the additional property of of some quantum lightning scheme from Definition 2.2. Recall that, informally, this property states that there is some classical certificate that can be recovered by measuring a valid quantum banknote, which no efficient algorithm can recover otherwise. The key is that once the state is measured to recover this certificate, it is damaged in a way that it only passes verification with negligible probability (meaning that it can no longer be spent). We allow users to submit this classical certificate to a smart contract, and if the certificate is consistent with the serial number stored in the contract, then the latter releases all of the coins deposited in the contract to the user.

  • Allowing a party to replace an existing serial number with a new one of their choice in case they lose a valid quantum state (they are fragile after all!). We allow a user to file a “lost banknote claim” by sending a message and some fixed amount of coins to a smart contract whose serial number is the serial number of the lost banknote. The idea is that if no one challenges this claim, then after a specified time user can submit a message which changes the value of the serial number state variable to a value of his choice and recovers the previously deposited coins. On the other hand, if a user maliciously files a claim to some contract with serial number , then any user who possesses the valid banknote with serial number can recover the classical certificate from Definition 2.2, and submit it to the contract. This releases all the coins deposited in the contract to (including the deposited by to make the claim). As you might notice, this requires honest users to monitor existing contracts for “lost banknote claims”. This, however, is not much of a burden if is made large enough (say a week or a month). The requirement of being online once a week or once a month is easy to meet in practice.

4.1 The payment system and its components

In this section, we describe in detail all of the components of the payment system. It consists of the following: a protocol to generate valid quantum banknotes; a protocol to make a payment; a protocol to file a claim for a lost banknote; a protocol to prevent malicious attempts at filing claims for lost banknotes; and a protocol to trade a valid quantum banknote in exchange for coins.

Let . From now onwards, we assume that

where the latter is the setup procedure of a quantum lightning scheme with bolt-to-certificate capability (i.e. a quantum lightning scheme that satisfies the additional property of Definition 2.2). We are thus assuming a trusted setup for our payment system (note there are practical ways to ensure that such a setup, which is a one-time procedure, is performed legitimately even in a network where many parties might be dishonest). We also assume that all parties have access to an authenticated and ideal quantum channel.

Recall from the description of that each smart contract is specified by several parameters: is a set of PIDs of parties who are expected to make the initial deposit, with being the required initial deposit amounts; a circuit specifies how the state variables are updated and when coins are released; an initial value for the state variable st; a session identifier .

In Definition 2 below, we define an instantiation of smart contracts with a particular choice of parameters, which we refer to as banknote-contracts. Banknote-contracts are the building blocks of the protocols that make up our payment system. We describe a banknote-contract informally before giving a formal definition.

A banknote-contract is a smart contract initialized by a single party, and it has a state variable of the form . The party initializes the banknote-contract by depositing a number of coins and by setting the initial value of serial to any desired value. The banknote-contract handles the following type of requests:

  • As long as (which signifies that there are no currently active lost-banknote claims), any party can send the message BanknoteLost, together with a pre-established amount of coins to the contract. This will trigger an update of the state variable ActiveLostClaim to reflect the active lost-banknote claim by party .

  • As long as there is an active lost-banknote claim, i.e. , any party can challenge that claim by submitting a message to the contract, where is a proposed new serial number. We say that is a valid classical certificate for the current value of serial if . Such a can be thought of as a proof that whoever is challenging the claim actually possessed a quantum banknote with serial number , and destroyed it in order to obtain the certificate , and thus that the current active lost-banknote claim is malicious. If is a valid classical certificate for , then serial is updated to the new value submitted by , who also receives all of the coins deposited in the contract (including the coins deposited by the malicious claim).

  • If party has previously submitted a lost-banknote claim, and his claim stays unchallenged for time , then party can send a message to the contract, where is a proposed new serial number. Then the contract returns to the coins he initially deposited when making the claim, and updates serial to .

  • Any party can submit to the contract a message . If is a valid classical certificate for the current value of of serial, then the contract releases to all the coins currently deposited in the contract. This allows party to “convert” back his quantum banknote into coins.

Next, we will formally define banknote-contracts, and then formally describe all of the protocols that make the payment system.

takes as input strings and , where is meant to be the PID of some party , and we refer to as the “witness”, denotes the “current time” mantained by , is the current value of the state variable, and is the number of coins that are being deposited to the smart contract with the current message. has hardcoded parameters: the amount of coins needed to file a claim for a lost money state, the time after which an unchallenged claim can be settled ( and are fixed constants agreed upon by all parties, and they are the same for all banknote-contracts), the length of a certificate in the lightning scheme, a description of verify-certificate. The circuit outputs new values for the state variables and an amount of coins as follows:

On input , does the following:

  • If :

    • If and , then outputs (to symbolize that at time party with PID has claimed to have lost the money state with serial number , and that zero coins are being released).

    • If , where and , then outputs

  • If for some :

    • If , where and , and then outputs .

    • If , and , then outputs .


Figure 2: Circuit for banknote-contracts

(Banknote-contract) A banknote-contract, is a smart contract on specified by parameters of the following form: for some , for some , for some , and circuit , where is defined as in Fig. 2.

For convenience, we denote by serial and ActiveLostClaim respectively the first and second entry of the state variable of a banknote-contract.

Generating valid quantum banknotes

We describe the formal procedure for generating a valid quantum banknote.

Protocol carried out by some party with PID .

Input of : An integer such that in ( is the “value” of the prospective banknote).

  • Run .

  • Send to , where . Upon receipt of a message of the form (RecordedContract, ), send the message (InitializeWithCoins, , Params) to .


Figure 3: Generating a valid banknote

Making a payment

We describe formally the protocol for making a payment in Fig. 4. Informally, the protocol is between a party , the payer, and a party , the payee. In order to pay party with a bolt whose serial number is , party sends the valid bolt to party , the payee, together with the of a smart contract with . Party verifies that corresponds to a banknote-contract with , and verifies that the banknote passes verification and has serial number .

  The protocol is between some party with PID (the payer) and a party with PID (the payee):

Input of : , a valid bolt with serial number . the session identifier of a smart contract on such that , and .

  • sends to .

  • sends a message (RetrieveContract, ) to . Upon receiving a message (RetrieveContract, , ) from (where if is honest), does the following:

    • If , then checks that the parameters Params are of the form of a banknote-contract (from Definition 2). If so, runs and checks that the outcome is . If so, sends the message accept to .

    • Else, sends the message reject and the state back to .


Figure 4: Protocol for making and verifying a payment

Recovering lost banknotes

As much as we can hope for experimental progress in the development of quantum memories, for the foreseeable future we can expect quantum memories to only be able to store states for a time on the order of days. It is thus important that any payment system involving quantum money is equipped with a procedure for users to recover the value associated to quantum states that get damaged and become unusable. Either users should be able to “convert” quantum money states back to coins on the blockchain, or they should be able, upon losing a quantum banknote, to change the serial number state variable of the associated smart contract to a new serial number (presumably of freshly generated quantum banknote). Here, we describe a protocol for the latter. After this, we will describe a protocol for the former.

Informally, a party who has lost a quantum banknote with serial number associated to a smart contract with session identifier , makes a “lost banknote claim” at time by depositing a number of coins to that banknote-contract. Recall the definition of banknote-contracts from Definition 2, and in particular of the circuit :

  • If party is honest, then after a time has elapsed, he will be able to update the state variable serial of the banknote-contract from to (where is presumably the serial number of a new valid bolt that party has just generated).

  • If party is dishonest, and he is claiming to have lost a banknote with serial number that someone else possesses, then the legitimate owner can run where is the legitimate bolt, and obtain a valid certificate . He can then send to the contract and a new serial number (presumably of a freshly generate bolt) and obtain coins from the contract (the coins deposited by in his malicious claim).

We describe the protocol formally in Fig. 5.

One might wonder whether, in practice, an adversary can instruct a corrupt party to make a “lost banknote claim”, and then intercept an honest party’s classical certificate before this is posted to the blockchain, and have a second corrupt party post it instead. This attack would allow the adversary to “steal” the honest party’s value. Or alternatively, an adversary could monitor the network for lost-banknote claims by honest parties, and whenever he sees one he will delay this claim, and instruct a corrupt party to make the same claim so that it is registered first on the ledger. In our analysis, we do not worry about such attacks, as we assume access to the ideal functionality , which, by definition, deals with incoming messages in the order that they are received. We also assume in our adversarial model, specified more precisely in Section 5, that the adversary does not have any control over the delivery of messages (and their timing). If one assumes a more powerful adversary (with some control over the timing of delivery of messages), then the first issue can still be resolved elegantly. The second issue has a satisfactory resolution but it is trickier to analyze formally. We discuss this in more detail in Section 6.

  Protocol carried out by party with PID for changing the serial number of a smart contract.

’s input: the serial number of a (lost) quantum banknote. the session identifier of a banknote-contract such that .

  • sends ) to . This updates to (where is the current time mantained by ), and deposits coins into the contract.

  • After time , sends to . If was honest then is updated to , and coins are released to .


Figure 5: Protocol for changing the serial number of a smart contract

Next, we give a protocol carried out by all parties to prevent malicious attempts at changing the state variable serial of a smart contract. Informally, this involves checking the blockchain regularly for malicious attempts at filing lost-banknote claims.

Recall that was defined in Definition 2.


Protocol carried out by a party to prevent malicious attempts at changing the state variable serial of a smart contract.

Input of : A triple , where is a quantum banknote with serial number , and is the session identifier of a banknote-contract such that

At regular intervals of time , do the following:

  • Send a message (RetrieveContract, ) to . Upon receiving a message (RetrieveContract, , ) from , if for some and for some banknote-contract parameters Params:

    • Run .

    • Sample .

    • Send to . (If was honest, this updates and releases coins to ).


Figure 6: Protocol for preventing malicious attempts at changing the state variable serial of a smart contract.

Trading a quantum banknote for coins:

Finally, we describe a protocol for trading a quantum banknote to recover all the coins deposited in its associated banknote-contract.


Protocol carried out by a party .

Input of : A tuple , where is a quantum banknote with serial number , and is the session identifier of a banknote-contract such that and .

  • Run .

  • Send message to . This releases coins to .


Figure 7: Protocol for trading a quantum banknote for coins.

5 Security

We first specify an adversarial model. Security with respect to this adversarial model is formally captured by Theorem 5. At a high-level, Theorem 5 establishes that, within this adversarial model, no adversary can increase his “value” beyond what he has legitimately spent or received to and from honest parties. This captures, for example, the fact that the adversary will not be able to double-spend his banknotes, or successfully file a “lost banknote claim” for banknotes he does not legitimately possess.

Adversarial model

We assume that all the messages of honest parties are sent using the ideal functionality for authenticated communication , and that the adversary sees all messages that are sent (in UC language, we assume that the adversary is activated every time a party sends a message) but has no control over the delivery of messages (whether they are delivered or not) and their timing. Our payment system can be made to work also if we assume that the adversary can delay delivery of honest parties’ messages by a fixed amount of time (see the remark preceding Fig. 5 for more details), but, for simplicity, we do not grant the adversary this power.

The adversary can corrupt any number of parties, and it may do so adaptively, meaning that the corrupted parties are not fixed at the start, but rather an honest party can become corrupted, or a corrupted party can return honest, at any point. The process of corruption is modeled analogously as in the original UC framework, where the adversary simply writes a corrupt message on the incoming tape of an honest party, upon which the honest party hands all of its information to the adversary, who can send messages on the corrupted party’s behalf. Our setting is slightly more involved in that corrupted parties also possess some quantum information, in particular the quantum banknotes. We assume that when an adversary corrupts a party he takes all of its quantum banknotes. Importantly, we assume that these are not returned to the party once the party is no longer corrupted. It might seem surprising that we do not upper bound the fraction of corrupted parties. Indeed, such a bound would only be needed in order to realize securely the ideal functionality (any consensus-based realization of would require such a bound). Here, we assume access to such an ideal functionality, and we do not worry about its secure realization. Naturally, when replacing the ideal functionalities with real-world realizations one would set the appropriate bound on the corruption power of the adversary, but we emphasize that our schemes are independent of the particular real-world realization. Note that we do not fix a set of parties at the start, but rather new parties can be created (see below for more details).

We assume that (ITMs of) honest parties run the code . This represents the “honest” code which executes the protocols from Section 4 as specified. The input to then specifies when and which protocols from Section 4 are to be executed. As part of , we specify that, upon invocation, a party sends a message AddParty to to register itself. We also specify as part of that an honest party runs the protocol of Fig. 6 (to prevent malicious claims for lost banknotes). Moreover, for notational convenience, we specify as part of that each party maintains a local variable banknoteValue, which keeps track of the total value of the quantum banknotes possessed by the party. banknoteValue is initialized to , and updated as follows. Whenever a party successfully receives a quantum banknote (i.e. is the payee in the protocol from Fig. 4 and does not abort) of value (i.e. the associated smart contract has coins deposited), then updates . Similarly, when sends a quantum banknote of value , it updates . Finally, we specify also as part of , that whenever a party that was corrupted is no longer corrupted, it resets (this is because we assumed that quantum banknotes are not returned by the adversary). The following paragraph leads up to a notion of security and a security theorem.

Let be a quantum polynomial-time adversary and a quantum polynomial-time environment. Consider an execution of with adversary and environment (see Section 2.3 for more details on what an “execution” is precisely). We keep track of two quantities during the execution, which we denote as AdversaryValueReceived and AdversaryValueCurrentOrSpent (These quantities are not computed by any of the parties, adversary or environment. Rather, they are just introduced for the purpose of defining security). The former represents the amount of value, coins or banknotes, that the adversary has received either by virtue of having corrupted a party, or by having received a payment from an honest party. The latter counts the total number of coins currently possessed by corrupted parties, as recorded on , and the total amount spent by the adversary to honest parties either via coins or via quantum banknotes (it does not count the value of quantum banknotes currently possessed; these only count once they are successfully spent). Both quantities are initialized to , and updated as follows throughout the execution:

  • When corrupts a party : let be the number of coins of according to the global functionality and be ’s banknoteValue just before being corrupted. Then, , and .

  • When a corrupted party with coins and ceases to be corrupted and returns honest, .

  • When an honest party pays coins to a corrupted party, . Likewise, when an honest party sends a quantum banknote of value to a corrupted party, through the protocol of Fig. 4, then (even if the corrupted party does not return accept) .

  • When succesfully spends a quantum banknote of value to an honest party , i.e. a corrupted party is the payer in the protocol from Fig. 4 and is the payee and returns accept, or when pays coins to an honest party, then .

  • When a corrupted party receives coins from a banknote-contract, then . Notice that this can happen only in two ways: successfully converts a quantum banknote of value to coins on (via the protocol of Fig. 7), or a corrupted party successfully challenges a BanknoteLost claim (in this case ).

Intuitively, if our payment scheme is secure, then at no point in time should the adversary be able to make . This would mean that he has successfully spent/stolen value other than the one he received by virtue of corrupting a party or receiving honest payments. The following theorem formally captures this notion of security. First, we denote by the maximum value of during an execution of with adversary and environment , with global shared functionality .

[Security] For any quantum polynomial-time adversary and quantum polynomial-time environment ,

The rationale behind considering executions of and quantifying over all possible adversaries and environments is that doing so captures all possible ways in which a (dynamically changing) system of honest parties running our payment system alongside an adversary can behave (where the adversary respects our adversarial model).

Recall that, in an execution of , the environment has the ability to invoke new parties and assign to them new unique PIDs. Since in the PIDs are used to register parties and initialize their number of coins, this means that the environment has the ability to pick the initial number of coins of any new party that it invokes. Moreover, by writing inputs to the parties input tapes, the environment can instruct honest parties to perform the honest protocols from Section 4 in any order it likes. Quantifying over all adversaries and environments, in the statement of Theorem 5 means that the adversary and the environment can intuitively be thought of as one single adversary. The statement of the theorem thus captures security against realistic scenarios in which new parties can be adversarially created with an adversarially chosen number of coins, and they can be instructed to perform the honest protocols of the payment system from Section 4, in whatever sequence is convenient to the adversary.

Proof of Theorem 5.

Suppose for a contradiction that there exists and such that


Then, we go through all of the possible ways that an adversary can increase its net value, i.e. increase the quantity : the adversary can do so through actions from items (ii), (iv) and (v) above. Amongst these, it is easy to see that action (ii) never results in . Thus, in order for (8) to hold, it must be the case that one of the following happens with non-negligible probability within an execution of with adversary and environment .

  • An action from item (iv) resulted in a positive net value for , i.e. . Notice that for this to happen it must be the case that has double-spent a banknote, i.e. has produced two banknotes with the same serial number that have both been accepted by honest parties in a payment protocol of Fig. 4, and so they have both passed verification. But then, it is straightforward to see that we can use this adversary, together with to construct an adversary that breaks the security of the quantum lightning scheme (i.e. game Counterfeit): simply simulates an execution of protocol with adversary and environment , and with non-negligible probability the adversary in this execution produces two banknotes with the same serial number. uses these banknotes to win the security game of quantum lightning.

  • An action from item (v) resulted in a positive net value for . Then, notice that for this to happen it must be that either:

    • has sent a message to for some and such that , where , and the last “make a payment” protocol (from Fig. 4) referencing had an honest party as payee which remained honest at least up until after sent his message (or the banknote-contract was initialized by an honest user and the banknote was never spent). But then, one of the following must have happened:

      • possessed a bolt with serial number at some point, before was spent to the honest user. Then, this adversary would have recovered a valid and also spent a bolt with serial number successfully to an honest user. But such an , together with , can be used to win game Forge-certificate from Definition 2.2 with non-negligible probability, with a similar reduction to the one above, thus violating the property of Definition 2.2.

      • recovered such that without ever possessing a valid bolt with serial number . Again, such an adversary could be used, together with to win Forge-certificate from Definition 2.2).

      • has successfully changed the serial number of contract to from some previous without possessing a bolt with serial number . This cannot happen since any honest user who possesses the valid bolt with serial number performs the protocol of Fig. 6.

    • has sent a message to for some such for some with honest and such that . Since is honest, he must be the last to have possessed a valid bolt with serial number . Then, there are two possibilities:

      • never possessed a valid bolt with serial number , and succeeded in recovering such that . Analogously to earlier, this adversary, together with , can be used to win Forge-certificate.

      • possessed a bolt with serial number at some point, before was spent to an honest user. Analogously to earlier, this means such an both recovered a with and spent a bolt with serial number successfully. Such an can be used, together with , to win Forge-certificate.


The security guarantee of Theorem 5 establishes that an adversary cannot end up with more value than he started with (after taking into account the amount he received from honest parties and the amount he succesfully spent to honest parties). However, we do not analyze formally attacks which do not make the adversary gain value directly, but which “sabotage” honest parties, making them lose value. We believe that it should be possible to capture such attacks within our model by modifying the way we keep track of the adversary’s value, but we leave this analysis for future work. We discuss and formalize the notion of “sabotage” in detail in subSection 6.3.

6 Practical issues in a less idealized setting

The ideal functionality defined in Section 3 does not capture adversaries that are allowed to see messages sent by honest parties to before they are registered on the ledger, and who could try to use this information to their advantage: by definition of , messages are processed and registered on the ledger in exactly the order that they are sent, and are not seen by the adversary until they make it onto the ledger. While such a definition of makes for a clear exposition and clean proof of security, it is in practice unrealistic. In typical real-world implementations of blockchains, miners (and hence potentially adversaries) can see a pool of pending messages which have not yet been processed and registered on the blockchain, and can potentially delay the processing of certain messages, while speeding up the processing of others. This opens the possibility to the attacks discussed in the following subsection.

6.1 Attacks outside of the idealized setting

  1. An adversary could file a malicious “lost banknote claim” (running the protocol of Fig. 5) corresponding to a serial number of a quantum banknote that he does not possess. This would prompt an honest party who possesses a valid quantum banknote with serial number to publish the classical certificate , in order to stop the malicious claim. If the adversary could read this message before it is published on the ledger, it could instruct a corrupt party to also publish , and attempt to have this message appear first on the ledger. This would effectively result in the adversary having stolen the honest party’s value associated to the serial number .

  2. Suppose an honest party wants to trade their quantum banknote with serial number (registered on the ledger) for the coins deposited in the corresponding contract. The honesty party executes the protocol of Fig. 7. This includes publishing the classical certificate associated to . An adversary who sees before it is registered on the ledger, could instruct a corrupt party to make the same claim for for the coins in the contract associated to . Even the corrupt party’s message is processed quicker than the honest party’s message, the adversary has succeeded in stealing the coins deposited in the contract.

  3. Suppose an honest party has lost a valid quantum banknote with serial number associated to some contract on the ledger. The honest party files a “lost banknote claim” by executing the protocol of Fig. 5. An adversary who hears this before the claim is registered on the ledger could instruct a corrupt party to make a similar claim, and have it appear on the ledger before the honest claim. This would result in the corrupt party obtaining a valid quantum banknote associated to the above contract.

  4. The unforgeability property alone is not enough for public quantum money, as it allows sabotage: an attacker might be able to burn other people’s money, without a direct gain from the attack. Consider an adversary that wants to harm its competitor. The adversary does not follow the honest protocol that generates the quantum money state. Instead, it creates a quantum money which passes verification once, and fails the second time. This way, the adversary could buy some merchandise using this tweaked quantum money. When the merchant will try to pay to others using this quantum money, the verification will fail – the receiver will run the verification (and this is exactly the second verification), which will cause it to fail.

    Indeed, the security proof (see Theorem 5) guarantees that an adversary cannot end up with more money that he was given. It does not rule out sabotage.

In the next Section 6.2, we will introduce a novel property of quantum lightning schemes, which we call bolt-to-signature capability, we give a provably-secure construction of it. We will employ this in Section 6.4 to give a somewhat elegant resolution to issues (i) and (ii) above. In Section 6.3, we discuss a possible resolution to issue (iv).

6.2 Trading a Bolt for a Signature

We define a new property of a quantum lightning scheme which we call “trading a bolt for a signature” (and we say that a lightning scheme has bolt-to-signature capability). This is an extension of the property of “trading a bolt for a certificate” defined in Section 2.2. The known concrete constructions of quantum lightning do not possess this property, but we will show (Fig. 8) that a lightning scheme with bolt-to-certificate capability can be bootstrapped to obtain a lightning scheme with bolt-to-signature capability. We envision that this primitive could find application elsewhere, and is of independent interest.

We start with an informal description of this property, highlighting the difference between the certificate and signature properties. Suppose Alice shows Bob a certificate with a serial number . Bob can conclude that Alice cannot hold a bolt with the same serial number. In particular, if she held such bolt, it means she must have measured and destroyed it to produce the certificate. For the bolt-to-signature property, we ask the following:

  • There is a way for Alice, who holds a bolt with serial number , to produce a signature of any message of her choice, with respect to serial number .

  • The signature should be verifiable by anyone who knows .

  • Just like a certificate, anyone who accepts the signature of with respect to can conclude that Alice can no longer hold a quantum money with serial number ;

  • (one-time security) As long as Alice signs a single message , no one other than Alice should be able to forge a signature for a message (even though her state is no longer a valid bolt, Alice can still sign more than one message, but the unforgeability guarantee no longer holds).

A quantum lightning with bolt-to-signature capability is a quantum lightning scheme with two additional algorithms: gen-sig is a QPT algorithm which receives as input a quantum state, a serial number, and a message of any length, and outputs a classical signature. verify-sig is a PPT algorithm which receives a serial number, a message of any length and a signature, and either accepts or rejects. Thus, we modify the setup procedure of the lightning scheme so that QL.Setup outputs a tuple .

The definition of the property has a completeness and a soundness part. The latter is formally defined through the following game Forge-sig. The game Forge-sig is similar in spirit to the game for onetime security of a standard digital signature scheme – see, e.g. [27, Definition 12.14],  [24, Definition 6.4.2].

  • The challenger runs and sends this tuple to .

  • sends and to the challenger.

  • The challenger runs . If this rejects, the challenger outputs “”. Else it proceeds to the next step.

  • Let be the leftover state. The challenger runs and sends to .

  • returns a pair .

  • The challenger checks that and runs . If the latter accepts, the challenger outputs “”.

Let be the random variable for the outcome of the game.

[Trading a bolt for a signature] We say that a quantum lightning scheme has bolt-to-signature capability if the following holds:

  • For every :