Bitcoin vs. Quantum Money: the problem of accountability
Yesterday, I read a very nice article about the insecurity of bitcoin to quantum computers. This is not as trivial as it sounds!
There is another quantum / classical issue that I find interesting, which has a different flavor.
I’ll try to keep this post as simple as possible, and accessible both to the quantum, and the bitcoin / cryptocurrency community.
The main problem with digital money is the “double spending” problem: suppose Alice has 1 coin in a digital wallet. She could pass that “virtual coin” both to Bob and to Charlie. Who owns the coin – Bob or Charlie? Bitcoin solves this problem elegantly using a “proof of work” mechanism, which I won’t get into in this post. There are plenty of good resources that explain that.
Quantum Money solves this problem by exploiting a quantum phenomenon, which is called the No Cloning Theorem: copying an unknown quantum state is impossible.
The main advantage of quantum money with respect to bitcoin is anonymity. In the bitcoin protocol, all the transactions are public, and saved on a data-structure called the “block-chain”, and although a person may use multiple addresses, the anonymity isn’t guaranteed. On the other hand, a transaction using quantum money does not leave a trace. A second advantage is that if two persons meet, communication isn’t needed in order to make a transaction. This is not the case in bitcoin, which requires Alice to digitally sign a message saying “Alice transfers 1 bitcoin to Bob”, and propagate it to the network. A third advantage is that quantum money does not require a network of machines that uses a lot of honest computational power in order to run securely (otherwise, there is a problem of 51% attack). Quantum money can also be used as digital money: since quantum money is based solely on quantum information, it can be transferred on the “quantum internet” easily, just like bitcoin. Both of them are “peer to peer” in the sense that the transaction does not require a trusted 3rd party, like a bank or a broker.
It may seem that quantum money is better in every aspect. There is a catch, which I believe was unnoticed, which is accountability.
Suppose Alice wants to buy Bob’s bicycle, using bitcoin over the internet. Bob emails his bitcoin address to Alice (and digitally signs the message). Alice sends bitcoins to Bob’s address. Now, Bob runs away with the money. When using bitcoin, Alice can prove to the police that she paid Bob: she has a copy of Bob’s address (signed by him), and the record that she paid to Bob’s address appears on the block-chain. Therefore, the police can point the finger to Bob.
Let’s look what happens in the quantum case: when Alice sends Bob the quantum money, it leaves no trace. Bob can argue that he didn’t get the quantum money, and Alice can’t prove to the police that she sent Bob the quantum money.
One way to solve it is to use “quantum escrow”, which is not needed in bitcoin: Alice can prove that she paid Bob, without the assistance of a trusted party that was involved in the transaction.
I wish to stress that this “non-accountability” property also occurs in other quantum cryptography protocols, for example in quantum coin flipping, quantum bit commitment, and others. I’m not sure whether this could be overcomed. The main missing ingredient is the analogue of digital signatures of quantum information.
My Quantum Thoughts 