Quantum Money from Abelian Group Actions

Author Mark Zhandry

Thumbnail PDF


  • Filesize: 0.85 MB
  • 23 pages

Document Identifiers

Author Details

Mark Zhandry
  • NTT Research, Sunnyvale, CA, USA


We thank Hart Montgomery for many helpful discussions about isogenies.

Cite AsGet BibTex

Mark Zhandry. Quantum Money from Abelian Group Actions. In 15th Innovations in Theoretical Computer Science Conference (ITCS 2024). Leibniz International Proceedings in Informatics (LIPIcs), Volume 287, pp. 101:1-101:23, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2024)


We give a construction of public key quantum money, and even a strengthened version called quantum lightning, from abelian group actions, which can in turn be constructed from suitable isogenies over elliptic curves. We prove security in the generic group model for group actions under a plausible computational assumption, and develop a general toolkit for proving quantum security in this model. Along the way, we explore knowledge assumptions and algebraic group actions in the quantum setting, finding significant limitations of these assumptions/models compared to generic group actions.

Subject Classification

ACM Subject Classification
  • Theory of computation → Quantum complexity theory
  • Quantum Money
  • Cryptographic Group Actions
  • Isogenies


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. Scott Aaronson. Quantum copy-protection and quantum money. In Proceedings of the 2009 24th Annual IEEE Conference on Computational Complexity, CCC '09, pages 229-242, Washington, DC, USA, 2009. IEEE Computer Society. URL: https://doi.org/10.1109/CCC.2009.42.
  2. Scott Aaronson and Paul Christiano. Quantum money from hidden subspaces. In Howard J. Karloff and Toniann Pitassi, editors, 44th ACM STOC, pages 41-60. ACM Press, May 2012. URL: https://doi.org/10.1145/2213977.2213983.
  3. Navid Alamati, Luca De Feo, Hart Montgomery, and Sikhar Patranabis. Cryptographic group actions and applications. In Shiho Moriai and Huaxiong Wang, editors, ASIACRYPT 2020, Part II, volume 12492 of LNCS, pages 411-439. Springer, Heidelberg, December 2020. URL: https://doi.org/10.1007/978-3-030-64834-3_14.
  4. Navid Alamati, Giulio Malavolta, and Ahmadreza Rahimi. Candidate trapdoor claw-free functions from group actions with applications to quantum protocols. In Eike Kiltz and Vinod Vaikuntanathan, editors, TCC 2022, Part I, volume 13747 of LNCS, pages 266-293. Springer, Heidelberg, November 2022. URL: https://doi.org/10.1007/978-3-031-22318-1_10.
  5. James Bartusek, Jiaxin Guan, Fermi Ma, and Mark Zhandry. Return of GGH15: Provable security against zeroizing attacks. In Amos Beimel and Stefan Dziembowski, editors, TCC 2018, Part II, volume 11240 of LNCS, pages 544-574. Springer, Heidelberg, November 2018. URL: https://doi.org/10.1007/978-3-030-03810-6_20.
  6. Amit Behera and Or Sattath. Almost public quantum coins. Cryptology ePrint Archive, Report 2020/452, 2020. URL: https://eprint.iacr.org/2020/452.
  7. Shalev Ben-David and Or Sattath. Quantum tokens for digital signatures, 2016. URL: https://arxiv.org/abs/1609.09047.
  8. Charles H. Bennett, Ethan Bernstein, Gilles Brassard, and Umesh Vazirani. Strengths and weaknesses of quantum computing. SIAM J. Comput., 26(5):1510-1523, October 1997. Google Scholar
  9. Ward Beullens, Thorsten Kleinjung, and Frederik Vercauteren. CSI-FiSh: Efficient isogeny based signatures through class group computations. In Steven D. Galbraith and Shiho Moriai, editors, ASIACRYPT 2019, Part I, volume 11921 of LNCS, pages 227-247. Springer, Heidelberg, December 2019. URL: https://doi.org/10.1007/978-3-030-34578-5_9.
  10. Dan Boneh, Jiaxin Guan, and Mark Zhandry. A lower bound on the length of signatures based on group actions and generic isogenies. In Carmit Hazay and Martijn Stam, editors, EUROCRYPT 2023, Part V, volume 14008 of LNCS, pages 507-531. Springer, Heidelberg, April 2023. URL: https://doi.org/10.1007/978-3-031-30589-4_18.
  11. Xavier Bonnetain and André Schrottenloher. Quantum security analysis of CSIDH. In Anne Canteaut and Yuval Ishai, editors, EUROCRYPT 2020, Part II, volume 12106 of LNCS, pages 493-522. Springer, Heidelberg, May 2020. URL: https://doi.org/10.1007/978-3-030-45724-2_17.
  12. Zvika Brakerski, Paul Christiano, Urmila Mahadev, Umesh V. Vazirani, and Thomas Vidick. A cryptographic test of quantumness and certifiable randomness from a single quantum device. In Mikkel Thorup, editor, 59th FOCS, pages 320-331. IEEE Computer Society Press, October 2018. URL: https://doi.org/10.1109/FOCS.2018.00038.
  13. Zvika Brakerski, Nico Döttling, Sanjam Garg, and Giulio Malavolta. Factoring and pairings are not necessary for iO: Circular-secure LWE suffices. Cryptology ePrint Archive, Report 2020/1024, 2020. URL: https://eprint.iacr.org/2020/1024.
  14. Wouter Castryck and Thomas Decru. An efficient key recovery attack on SIDH. In Carmit Hazay and Martijn Stam, editors, EUROCRYPT 2023, Part V, volume 14008 of LNCS, pages 423-447. Springer, Heidelberg, April 2023. URL: https://doi.org/10.1007/978-3-031-30589-4_15.
  15. Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, and Joost Renes. CSIDH: An efficient post-quantum commutative group action. In Thomas Peyrin and Steven Galbraith, editors, ASIACRYPT 2018, Part III, volume 11274 of LNCS, pages 395-427. Springer, Heidelberg, December 2018. URL: https://doi.org/10.1007/978-3-030-03332-3_15.
  16. Andrew Childs, David Jao, and Vladimir Soukharev. Constructing elliptic curve isogenies in quantum subexponential time. Journal of Mathematical Cryptology, 8(1):1-29, 2014. Google Scholar
  17. Leonardo Colò and David Kohel. Orienting supersingular isogeny graphs. Journal of Mathematical Cryptology, 14:414-437, October 2020. URL: https://doi.org/10.1515/jmc-2019-0034.
  18. Marta Conde Pena, Raul Durán Díaz, Jean-Charles Faugère, Luis Hernández Encinas, and Ludovic Perret. Non-quantum cryptanalysis of the noisy version of aaronson–christiano’s quantum money scheme. IET Information Security, 13(4):362-366, 2019. Google Scholar
  19. Jean-Marc Couveignes. Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291, 2006. URL: https://eprint.iacr.org/2006/291.
  20. Luca De Feo, Tako Boris Fouotsa, Péter Kutas, Antonin Leroux, Simon-Philipp Merz, Lorenz Panny, and Benjamin Wesolowski. SCALLOP: Scaling the CSI-FiSh. In Alexandra Boldyreva and Vladimir Kolesnikov, editors, PKC 2023, Part I, volume 13940 of LNCS, pages 345-375. Springer, Heidelberg, May 2023. URL: https://doi.org/10.1007/978-3-031-31368-4_13.
  21. Luca De Feo, David Jao, and Jérôme Plût. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. Journal of Mathematical Cryptology, 8(3):209-247, 2014. Google Scholar
  22. Luca De Feo and Michael Meyer. Threshold schemes from isogeny assumptions. In Aggelos Kiayias, Markulf Kohlweiss, Petros Wallden, and Vassilis Zikas, editors, PKC 2020, Part II, volume 12111 of LNCS, pages 187-212. Springer, Heidelberg, May 2020. URL: https://doi.org/10.1007/978-3-030-45388-6_7.
  23. Julien Duman, Dominik Hartmann, Eike Kiltz, Sabrina Kunzweiler, Jonas Lehmann, and Doreen Riepel. Generic models for group actions. In Alexandra Boldyreva and Vladimir Kolesnikov, editors, PKC 2023, Part I, volume 13940 of LNCS, pages 406-435. Springer, Heidelberg, May 2023. URL: https://doi.org/10.1007/978-3-031-31368-4_15.
  24. Mark Ettinger and Peter Høyer. On quantum algorithms for noncommutative hidden subgroups. Advances in Applied Mathematics, 25(3):239-251, 2000. URL: https://doi.org/10.1006/aama.2000.0699.
  25. Edward Farhi, David Gosset, Avinatan Hassidim, Andrew Lutomirski, and Peter W. Shor. Quantum money from knots. In Shafi Goldwasser, editor, ITCS 2012, pages 276-289. ACM, January 2012. URL: https://doi.org/10.1145/2090236.2090260.
  26. Georg Fuchsbauer, Eike Kiltz, and Julian Loss. The algebraic group model and its applications. In Hovav Shacham and Alexandra Boldyreva, editors, CRYPTO 2018, Part II, volume 10992 of LNCS, pages 33-62. Springer, Heidelberg, August 2018. URL: https://doi.org/10.1007/978-3-319-96881-0_2.
  27. Craig Gentry, Sergey Gorbunov, and Shai Halevi. Graph-induced multilinear maps from lattices. In Yevgeniy Dodis and Jesper Buus Nielsen, editors, TCC 2015, Part II, volume 9015 of LNCS, pages 498-527. Springer, Heidelberg, March 2015. URL: https://doi.org/10.1007/978-3-662-46497-7_20.
  28. Aayush Jain, Huijia Lin, and Amit Sahai. Indistinguishability obfuscation from well-founded assumptions. In Samir Khuller and Virginia Vassilevska Williams, editors, 53rd ACM STOC, pages 60-73. ACM Press, June 2021. URL: https://doi.org/10.1145/3406325.3451093.
  29. Daniel M. Kane. Quantum money from modular forms, 2018. URL: https://arxiv.org/abs/1809.05925.
  30. Daniel M. Kane, Shahed Sharif, and Alice Silverberg. Quantum money from quaternion algebras. Cryptology ePrint Archive, Report 2021/1294, 2021. URL: https://eprint.iacr.org/2021/1294.
  31. Andrey Boris Khesin, Jonathan Z Lu, and Peter W Shor. Publicly verifiable quantum money from random lattices, 2022. URL: https://arxiv.org/abs/2207.13135.
  32. Jiahui Liu, Hart Montgomery, and Mark Zhandry. Another round of breaking and making quantum money: How to not build it from lattices, and more. In Carmit Hazay and Martijn Stam, editors, EUROCRYPT 2023, Part I, volume 14004 of LNCS, pages 611-638. Springer, Heidelberg, April 2023. URL: https://doi.org/10.1007/978-3-031-30545-0_21.
  33. Qipeng Liu and Mark Zhandry. Revisiting post-quantum Fiat-Shamir. In Alexandra Boldyreva and Daniele Micciancio, editors, CRYPTO 2019, Part II, volume 11693 of LNCS, pages 326-355. Springer, Heidelberg, August 2019. URL: https://doi.org/10.1007/978-3-030-26951-7_12.
  34. Andrew Lutomirski. An online attack against wiesner’s quantum money, 2010. URL: https://arxiv.org/abs/1010.0256.
  35. Andrew Lutomirski, Scott Aaronson, Edward Farhi, David Gosset, Jonathan A. Kelner, Avinatan Hassidim, and Peter W. Shor. Breaking and making quantum money: Toward a new quantum cryptographic protocol. In Andrew Chi-Chih Yao, editor, ICS 2010, pages 20-31. Tsinghua University Press, January 2010. Google Scholar
  36. Luciano Maino and Chloe Martindale. An attack on SIDH with arbitrary starting curve. Cryptology ePrint Archive, Report 2022/1026, 2022. URL: https://eprint.iacr.org/2022/1026.
  37. Ueli M. Maurer. Abstract models of computation in cryptography (invited paper). In Nigel P. Smart, editor, 10th IMA International Conference on Cryptography and Coding, volume 3796 of LNCS, pages 1-12. Springer, Heidelberg, December 2005. Google Scholar
  38. Hart Montgomery and Mark Zhandry. Full quantum equivalence of group action DLog and CDH, and more. In Shweta Agrawal and Dongdai Lin, editors, ASIACRYPT 2022, Part I, volume 13791 of LNCS, pages 3-32. Springer, Heidelberg, December 2022. URL: https://doi.org/10.1007/978-3-031-22963-3_1.
  39. Emmanuela Orsini and Riccardo Zanotto. Simple two-round OT in the explicit isogeny model. Cryptology ePrint Archive, Report 2023/269, 2023. URL: https://eprint.iacr.org/2023/269.
  40. Lorenz Panny. Csi‑fish really isn't polynomial‑time, 2023. URL: https://yx7.cc/blah/2023-04-14.html.
  41. Chris Peikert. He gives C-sieves on the CSIDH. In Anne Canteaut and Yuval Ishai, editors, EUROCRYPT 2020, Part II, volume 12106 of LNCS, pages 463-492. Springer, Heidelberg, May 2020. URL: https://doi.org/10.1007/978-3-030-45724-2_16.
  42. Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. In Harold N. Gabow and Ronald Fagin, editors, 37th ACM STOC, pages 84-93. ACM Press, May 2005. URL: https://doi.org/10.1145/1060590.1060603.
  43. Damien Robert. Breaking SIDH in polynomial time. In Carmit Hazay and Martijn Stam, editors, EUROCRYPT 2023, Part V, volume 14008 of LNCS, pages 472-503. Springer, Heidelberg, April 2023. URL: https://doi.org/10.1007/978-3-031-30589-4_17.
  44. Bhaskar Roberts. Security analysis of quantum lightning. In Anne Canteaut and François-Xavier Standaert, editors, EUROCRYPT 2021, Part II, volume 12697 of LNCS, pages 562-567. Springer, Heidelberg, October 2021. URL: https://doi.org/10.1007/978-3-030-77886-6_19.
  45. Bhaskar Roberts and Mark Zhandry. Franchised quantum money. In Mehdi Tibouchi and Huaxiong Wang, editors, ASIACRYPT 2021, Part I, volume 13090 of LNCS, pages 549-574. Springer, Heidelberg, December 2021. URL: https://doi.org/10.1007/978-3-030-92062-3_19.
  46. Alexander Rostovtsev and Anton Stolbunov. Public-Key Cryptosystem Based On Isogenies. Cryptology ePrint Archive, Report 2006/145, 2006. URL: https://eprint.iacr.org/2006/145.
  47. Peter W. Shor. Algorithms for quantum computation: Discrete logarithms and factoring. In 35th FOCS, pages 124-134. IEEE Computer Society Press, November 1994. URL: https://doi.org/10.1109/SFCS.1994.365700.
  48. Victor Shoup. Lower bounds for discrete logarithms and related problems. In Walter Fumy, editor, EUROCRYPT'97, volume 1233 of LNCS, pages 256-266. Springer, Heidelberg, May 1997. URL: https://doi.org/10.1007/3-540-69053-0_18.
  49. Vladimir Shpilrain. Cryptanalysis of stickel’s key exchange scheme. In Edward A. Hirsch, Alexander A. Razborov, Alexei Semenov, and Anatol Slissenko, editors, Computer Science - Theory and Applications, pages 283-288, Berlin, Heidelberg, 2008. Springer Berlin Heidelberg. Google Scholar
  50. E. Stickel. A new method for exchanging secret keys. In Third International Conference on Information Technology and Applications (ICITA'05), volume 2, pages 426-430, 2005. URL: https://doi.org/10.1109/ICITA.2005.33.
  51. Hoeteck Wee and Daniel Wichs. Candidate obfuscation via oblivious LWE sampling. In Anne Canteaut and François-Xavier Standaert, editors, EUROCRYPT 2021, Part III, volume 12698 of LNCS, pages 127-156. Springer, Heidelberg, October 2021. URL: https://doi.org/10.1007/978-3-030-77883-5_5.
  52. Stephen Wiesner. Conjugate coding. SIGACT News, 15(1):78-88, January 1983. URL: https://doi.org/10.1145/1008908.1008920.
  53. Takashi Yamakawa and Mark Zhandry. Verifiable quantum advantage without structure. In 63rd FOCS, pages 69-74. IEEE Computer Society Press, October / November 2022. URL: https://doi.org/10.1109/FOCS54457.2022.00014.
  54. Mark Zhandry. Quantum lightning never strikes the same state twice. In Yuval Ishai and Vincent Rijmen, editors, EUROCRYPT 2019, Part III, volume 11478 of LNCS, pages 408-438. Springer, Heidelberg, May 2019. URL: https://doi.org/10.1007/978-3-030-17659-4_14.
  55. Mark Zhandry. Redeeming reset indifferentiability and applications to post-quantum security. In Mehdi Tibouchi and Huaxiong Wang, editors, ASIACRYPT 2021, Part I, volume 13090 of LNCS, pages 518-548. Springer, Heidelberg, December 2021. URL: https://doi.org/10.1007/978-3-030-92062-3_18.
  56. Mark Zhandry. To label, or not to label (in generic groups). In Yevgeniy Dodis and Thomas Shrimpton, editors, CRYPTO 2022, Part III, volume 13509 of LNCS, pages 66-96. Springer, Heidelberg, August 2022. URL: https://doi.org/10.1007/978-3-031-15982-4_3.
  57. Mark Zhandry. Quantum money from abelian group actions. Cryptology ePrint Archive, Paper 2023/1097, 2023. URL: https://eprint.iacr.org/2023/1097.