Cryptanalysis of three quantum money schemes

We investigate the security assumptions behind three public-key quantum money schemes. Aaronson and Christiano proposed a scheme based on hidden subspaces of vector space $$\mathbb {F}_2^n$$ in 2012. It was conjectured by Pena et al. (IACR international workshop cryptography, pp 194–213. Springer, 2015) that hard problem underlying can be solved quasi-polynomial time. confirm this conjecture, hence prove is insecure, giving polynomial time algorithm for problem. Our computing Zariski tangent random point subspace. Zhandry (Quantum lightning never strikes same state twice 11, 2017. https://eprint.iacr.org/2017/1080/20171110:155027 ) multivariate hash functions. Zhandry’s insecure cloning with high probability. uses verification circuit to produce banknote from given serial number. Kane quaternion algebras, 2021. arXiv:2109.12643 algebras. The their represents an eigenvector set Hecke operators. give reduction linear algebra Although our does not break scheme, latter much easier understand, we hope opens new avenues future cryptanalyses scheme.