A Constructive Quantum Lov\'asz Local Lemma for Commuting Projectors

The Quantum Satisfiability problem generalizes the Boolean satisfiability problem to the quantum setting by replacing classical clauses with local projectors. The Quantum Lov\'asz Local Lemma gives a sufficient condition for a Quantum Satisfiability problem to be satisfiable [AKS12], by generalizing the classical Lov\'asz Local Lemma. The next natural question that arises is: can a satisfying quantum state be efficiently found, when these conditions hold? In this work we present such an algorithm, with the additional requirement that all the projectors commute. The proof follows the information theoretic proof given by Moser's breakthrough result in the classical setting [Mos09]. Similar results were independently published in [CS11,CSV13]

On preparing ground states of gapped Hamiltonians: An efficient Quantum Lov\'asz Local Lemma

A frustration-free local Hamiltonian has the property that its ground state minimises the energy of all local terms simultaneously. In general, even deciding whether a Hamiltonian is frustration-free is a hard task, as it is closely related to the QMA1-complete quantum satisfiability problem (QSAT) -- the quantum analogue of SAT, which is the archetypal NP-complete problem in classical computer science. This connection shows that the frustration-free property is not only relevant to physics but also to computer science. The Quantum Lov\'asz Local Lemma (QLLL) provides a sufficient condition for frustration-freeness. A natural question is whether there is an efficient way to prepare a frustration-free state under the conditions of the QLLL. Previous results showed that the answer is positive if all local terms commute. In this work we improve on the previous constructive results by designing an algorithm that works efficiently for non-commuting terms as well, assuming that the system is "uniformly" gapped, by which we mean that the system and all its subsystems have an inverse polynomial energy gap. Also, our analysis works under the most general condition for the QLLL, known as Shearer's bound. Similarly to the previous results, our algorithm has the charming feature that it uses only local measurement operations corresponding to the local Hamiltonian terms.Comment: 39 page

Quantum Tokens for Digital Signatures

The fisherman caught a quantum fish. "Fisherman, please let me go", begged the fish, "and I will grant you three wishes". The fisherman agreed. The fish gave the fisherman a quantum computer, three quantum signing tokens and his classical public key. The fish explained: "to sign your three wishes, use the tokenized signature scheme on this quantum computer, then show your valid signature to the king, who owes me a favor". The fisherman used one of the signing tokens to sign the document "give me a castle!" and rushed to the palace. The king executed the classical verification algorithm using the fish's public key, and since it was valid, the king complied. The fisherman's wife wanted to sign ten wishes using their two remaining signing tokens. The fisherman did not want to cheat, and secretly sailed to meet the fish. "Fish, my wife wants to sign ten more wishes". But the fish was not worried: "I have learned quantum cryptography following the previous story (The Fisherman and His Wife by the brothers Grimm). The quantum tokens are consumed during the signing. Your polynomial wife cannot even sign four wishes using the three signing tokens I gave you". "How does it work?" wondered the fisherman. "Have you heard of quantum money? These are quantum states which can be easily verified but are hard to copy. This tokenized quantum signature scheme extends Aaronson and Christiano's quantum money scheme, which is why the signing tokens cannot be copied". "Does your scheme have additional fancy properties?" the fisherman asked. "Yes, the scheme has other security guarantees: revocability, testability and everlasting security. Furthermore, if you're at sea and your quantum phone has only classical reception, you can use this scheme to transfer the value of the quantum money to shore", said the fish, and swam away.Comment: Added illustration of the abstract to the ancillary file

Quantum Prudent Contracts with Applications to Bitcoin

Smart contracts are cryptographic protocols that are enforced without a judiciary. Smart contracts are used occasionally in Bitcoin and are prevalent in Ethereum. Public quantum money improves upon cash we use today, yet the current constructions do not enable smart contracts. In this work, we define and introduce quantum payment schemes, and show how to implement prudent contracts -- a non-trivial subset of the functionality that a network such as Ethereum provides. Examples discussed include: multi-signature wallets in which funds can be spent by any 2-out-of-3 owners; restricted accounts that can send funds only to designated destinations; and "colored coins" that can represent stocks that can be freely traded, and their owner would receive dividends. Our approach is not as universal as the one used in Ethereum since we do not reach a consensus regarding the state of a ledger. We call our proposal prudent contracts to reflect this. The main building block is either quantum tokens for digital signatures (Ben-David and Sattath QCrypt'17, Coladangelo et al. Crypto'21), semi-quantum tokens for digital signatures (Shmueli'22) or one-shot signatures (Amos et al. STOC'20). The solution has all the benefits of public quantum money: no mining is necessary, and the security model is standard (e.g., it is not susceptible to 51\% attacks, as in Bitcoin). Our one-shot signature construction can be used to upgrade the Bitcoin network to a quantum payment scheme. Notable advantages of this approach are: transactions are locally verifiable and without latency, the throughput is unbounded, and most importantly, it would remove the need for Bitcoin mining. Our approach requires a universal large-scale quantum computer and long-term quantum memory; hence we do not expect it to be implementable in the next few years.Comment: Minor change

Redesigning Bitcoin's fee market

The security of the Bitcoin system is based on having a large amount of computational power in the hands of honest miners. Such miners are incentivized to join the system and validate transactions by the payments issued by the protocol to anyone who creates blocks. As new bitcoins creation rate decreases (halving every 4 years), the revenue derived from transaction fees start to have an increasingly important role. We argue that Bitcoin's current fee market does not extract revenue well when blocks are not congested. This effect has implications for the scalability debate: revenue from transaction fees may decrease if block size is increased. The current mechanism is a "pay your bid" auction in which included transactions pay the amount they suggested. We propose two alternative auction mechanisms: The Monopolistic Price Mechanism, and the Random Sampling Optimal Price Mechanism (due to Goldberg et al.). In the monopolistic price mechanism, the miner chooses the number of accepted transactions in the block, and all transactions pay exactly the smallest bid included in the block. The mechanism thus sets the block size dynamically (up to a bound required for fast block propagation and other security concerns). We show, using analysis and simulations, that this mechanism extracts revenue better from users, and that it is nearly incentive compatible: the profit due to strategic bidding relative to honest biding decreases as the number of bidders grows. Users can then simply set their bids truthfully to exactly the amount they are willing to pay to transact, and do not need to utilize fee estimate mechanisms, do not resort to bid shading and do not need to adjust transaction fees (via replace-by-fee mechanisms) if the mempool grows. We discuss these and other properties of our mechanisms, and explore various desired properties of fee market mechanisms for crypto-currencies

The Complexity of the Separable Hamiltonian Problem

In this paper, we study variants of the canonical Local-Hamiltonian problem where, in addition, the witness is promised to be separable. We define two variants of the Local-Hamiltonian problem. The input for the Separable-Local-Hamiltonian problem is the same as the Local-Hamiltonian problem, i.e. a local Hamiltonian and two energies a and b, but the question is somewhat different: the answer is YES if there is a separable quantum state with energy at most a, and the answer is NO if all separable quantum states have energy at least b. The Separable-Sparse-Hamiltonian problem is defined similarly, but the Hamiltonian is not necessarily local, but rather sparse. We show that the Separable-Sparse-Hamiltonian problem is QMA(2)-Complete, while Separable-Local-Hamiltonian is in QMA. This should be compared to the Local-Hamiltonian problem, and the Sparse-Hamiltonian problem which are both QMA-Complete. To the best of our knowledge, Separable-SPARSE-Hamiltonian is the first non-trivial problem shown to be QMA(2)-Complete

Semi-Quantum Money

Quantum money allows a bank to mint quantum money states that can later be verified and cannot be forged. Usually, this requires a quantum communication infrastructure to transfer quantum states between the user and the bank. This work combines the notion of classical verification -- introduced by Gavinsky (CCC 2012) -- with the notion of user-generated money -- introduced here -- to introduce Semi-Quantum Money, the first quantum money scheme to require only classical communication with the (entirely classical) bank. This work features constructions for both a public memory-dependent semi-quantum money scheme, based on the works of Zhandry and Coladangelo, and for a private memoryless semi-quantum money scheme, based on the notion of Noisy Trapdoor Claw Free Functions (NTCF) introduced by Brakerski et al. (FOCS 2018). In terms of technique, our main contribution is a strong parallel repetition theorem for NTCF.Comment: 58 pages LaTeX; minor change