Semi-device-independent quantum money

We go a step further, considering not only the verification device but also the source device as potentially untrusted, implemented by some adversary. This approach involves three parties: mint, bank, and a counterfeiter. They also possess the banknote and several devices. The banknote is a classical-quantum state of physical memory, shared between Bank and counterfeiter's wallet. A source-device (the device which produces a banknote) is at hand of the mint. Verification-device (a measurement device) and software that handles the usage of the devices is at the disposal of the counterfeiter whenever he wants to get a banknote to go through the verification process. The mint is honest, so it delivers the correct number of banknotes at a wish of the Bank according to the specification of the source device. Naturally, the Bank is also considered to be fully honest in all respects. Crucially, we consider the source-device and the verification-device as untrusted. It means that these devices may not work according to official specifications and are manufactured by some adversary in order to produce malformed banknotes. The counterfeiter is untrusted, and we consider that he may be aware of the inner workings of the source and terminal devices. In that, for reducing the number of actors, he can be considered to be an adversary himself. We consider then Bob, who is in the bank, and Frederick, who is the counterfeiter. When describing the honest implementation of the scheme, we also consider Alice as the honest client. When we pass to the proof, with a little abuse of notation, we consider, however, that she might collaborate with Frederick.

Before going into details, it is crucial to ask if the above scenario is indeed a one that can happen in real life, which would yield a direct motivation. At first thought, according to the traditional understanding, the whole mint is trusted, including all machines involved in the process of minting. However, the first thing to note is that the quantum money scheme is, in fact, a cybersecurity-based way of representing cash. We then observe the hidden assumption that mint's devices are honest, need not be practical from the perspective of cybersecurity. Following this, we describe the motivation from both the hacker's and the cryptanalyst's point of view.

First, from the hacker's perspective, considering the mint using the untrusted device is equivalent in cybersecurity language to finding the way to protect the mint (and so the Bank and honest clients) against a Trojan-Horse attack. Indeed, the source-device can be either (i) composed from parts designed with backdoors impossible to check by eye inspection or (ii) designed in a way open to security loopholes. Regarding (i), introducing backdoors in microchips on the physical level of their manufacturing has been recently demonstrated by an attack on random number generator [8]. Regarding (ii) exploiting the loopholes is the new area of successful experimental research aimed at hacking particular implementations of the quantum key distribution devices [9]. With these examples, mentioning the fact that the manufacturing process can be infected by classical viruses seems then unnecessary.

The problem of designing an unforgeable scheme of quantum money belongs to the class of problems from two-party cryptography (the trusted Bank can not trust clients who can be counterfeiters). Moreover, from the cryptoanalyst's perspective, any security proof is based on a set of assumptions. Finding an answer to the question what is the minimal set of assumptions that assure the same functionality? is then a practical application of Ockham's Razor principle commonly adopted in cryptography. Indeed, the quantum (or super quantum) device-independent information processing exemplifies it very well [10, 11]. The first protocol of quantum key distributions trusted all the inner working of the involved devices [12]. However, it turns out that one need not assume that these devices are produced according to specifications. They need not also be tested as being so since one can achieve the same goal (with a small price of lowering the key rate) without these assumptions. It has been demonstrated by the quantum device-independent security proofs [11]. The fewer assumptions a proof bases on, the more independent of the device the proof is. Any proof based on less number of assumptions about the inner working device than the fully device-dependent one is called now a semi-device-independent one [13].

We adopt this approach and terminology to study the problem: to what extent quantum money schemes can be made independent from the inner working of source and verification-devices used by the honest parties (Bank and mint) in creating and processing of the quantum money? As we will see, in the case of the problem presented above, the answer leading to narrowing the assumptions can be provided.

The main result presented here is a novel money scheme, secure against a broad class of joined attacks of the source quantum device and testing device. It can be viewed as a modification of the testing procedure of the original Wiesner's scheme both in measurement setup, as well as interpretation of the measurement results. We prove the security of the proposed scheme using strictly fewer assumptions than the original one.

To see this more precisely, let us briefly recall what Wiesner's scheme takes for granted. These are (i) dimension of each subsystem of a banknote (register of qubits), (ii) tensor product structure of both the banknote's state and the measurements for testing, (iii) state of each qubit of the banknote is from the set $\{\left|0\right\rangle ,\left|1\right\rangle ,\left|+\right\rangle ,\left|-\right\rangle \}$, and the measurements that are done on each of the qubits are projections in either classical $\{\left|0\right\rangle ,\left|1\right\rangle \}$ or superposed basis $\{\left|+\right\rangle ,\left|-\right\rangle \}$.

In our semi-device-independent approach, the assumptions (i)–(ii) are kept. However, we assume neither state of each qubit (each qubit of a banknote's register can be prepared differently), nor the form of measurement (each qubit can be verified due to some unknown measurement strategy, including a POVM). These two relaxations express our lack of trust towards source-device and verification-device, respectively.

An honest implementation of the banknote's state in our scheme is the same as in the original Wiesner's scheme. However, because the source-device is untrusted, an arbitrary state of the form:

$$\begin{eqnarray}&&\sum _{y=\left({y}_{0}^{i},{y}_{1}^{i}\right)\in \{0,1\}{}^{2n}}\left|y\right\rangle {\left\langle y\right|}_{\mathrm{Bank}^{\prime} {\rm{s}}\mathrm{branch}}\otimes {\left[\underset{i=1}{\overset{n}{\displaystyle \bigotimes }}{\rho }_{y}^{(i)}\right]}_{\mathrm{Alice}}\end{eqnarray} \tag{ 1 }$$

shared between the Bank's branch and Alice, that can pass certain test, is a valid banknote. (Here for simplicity a single Bank's branch is shown and we omit the obvious serial number.) The ${\rho }_{y}^{(i)}$'s are arbitrary states of qubits.

The idea of the verification in our scheme can be phrased in terms of a game. When Alice wants to get her banknote verified at some Bank's branch, the branch sends a random bit-string of length n to Alice. She should then give a correct answer (i.e. win the game) in as many as possible runs among all n. To this end, she can measure qubits of the banknote (via the tensor product of arbitrary measurements) subsequently and send corresponding answers. If the number of correct answers is high enough, the banknote is accepted as valid.

As a specific choice of a game, we base on the one used in [14], also known as a Random Access Code game [15]. Adapted to the case of our scenario, it is as follows. Alice is asked to guess correctly a randomly chosen bit (${y}_{0}^{i}$ or ${y}_{1}^{i}$), out of the two that form the Bank's part of the banknote (for each i ∈ [1, ..., n]). Alice correctly guesses the value of the bit chosen by the Bank's branch as many times as possible. An important aspect of this game is that it encapsulates the so-called dimension witness [16, 17]. It is a test assuring a lower bound on the dimension of the physical system. Enough number of guesses implies, in particular, that the system held by Alice (i.e. quantum part of the banknote) was not classical (excluding thereby trivial vulnerability to forging). Other important consequences of this fact are discussed further.

Crucial to our scheme was to find the threshold number θn of correct answers that imply acceptance. In that we base on a simple idea, that (roughly speaking) a finite-dimensional quantum system can not encode too many logically independent classical bits (call it a dimension constraint). A formal statement with the above meaning, used in [14], originates from [18] (see also [19]). In their case, a qubit can not hold both the value of two independent bits. The threshold θ, we design then to satisfy an inequality:

$$\begin{eqnarray}\begin{array}{rcl}\theta n & \equiv & \#\ \mathrm{of}\ \mathrm{correct}\ \mathrm{answers}\ \mathrm{in}\ \mathrm{the}\ \mathrm{game}\\ & \gt & \ \displaystyle \frac{1}{2}[\#\ \mathrm{of}\ \mathrm{all}\ \mathrm{possible}\ \mathrm{correct}\ \mathrm{answers}\ \mathrm{in}\ \mathrm{the}\ \mathrm{game}\ \mathrm{played}\ \mathrm{twice}].\end{array}\end{eqnarray} \tag{ 2 }$$

The fact that given the above condition, the same banknote will not get accepted twice comes then from an observation that there are no two disjoint parts of anything containing each more than its half. In our case of the number of correct guesses. We can place a non-trivial bound on the threshold θ, for the following reason. Trying to get accepted a banknote twice, Alice is visiting two different branches (the first one legally, and the second as a forgery called here Frederick). It implies playing the Random Access Code game twice. She would be then asked (with high probability) in half of the times for an answer that requires knowledge of two independent bits, which is, however, impossible due to the mentioned dimension constraint—each answer can be based on a single qubit only. It visualizes how our scheme differs from the original Wiesner's one. We do not require the banknote to be the same as it was manufactured. Instead, the number of correct answers matters, as we do not assume prior knowledge about particular states of each of the qubits of the banknote.

On the one hand, the verification procedure almost coincides with the preamble (testing part of) the SDI QKD protocol of [14] so that one might think, that security of the money scheme should follow from the security of the SDI QKD. However, the relation between the SDI QKD of [14], and the proposed here money scheme is not that direct, due to the difference between the mentioned security scenarios. In the QKD scenario, Bob trusts Alice, and there is also eavesdropper Eve. Contrary to this, the money scheme is a two-party cryptographic scenario: the Bank does not trust Alice (as she can come twice or collaborate with Frederick). To some extent action of Frederick can be viewed as the action of Eve, however only partially, as Alice can freely collaborate with Frederick, which is not the case in the QKD scenario, where she does not help Eve.

The relation between the SDI QKD and the SDI quantum money scheme is rather due to the fact that security proof for both schemes can be based on the same concepts: the dimension constraint and dimension witness. Regarding the idea of dimension witness contained in the Random Access Code game, it implies that the key can not be trivially copied on the way by Eve as the classical key could be, as well as it plays a role in that the banknote can not be trivially forged (as it is not classical). Regarding the dimension constraint, it implies both the proper balance between mutual information functions $(I(A:B)-I(A:E)\gt 0)$ for the key generation and, as we show, a threshold shown in equation (2), which is the base for our money scheme. The latter two facts are otherwise unrelated as it is reflected by the fact that the threshold parameter in our scheme θ ≈ 0.8475 differs from the threshold that enables key generation that approximately equals 0.8415.

Straightforward as it is, we find instructive to demonstrate also three malicious source-devices which, along with proper verifying-device, can get a malformed banknote accepted. We show that both Wiesner's and Gavinsky's schemes are vulnerable to all three attacks. We focus on the third attack and prove the security of the presented scheme. Although the assumptions behind our scheme may still be considered as numerous and, therefore, a strong set, they appear to be not too far from optimal. It is because, as it is easy to observe, the fully device-independent security proof of quantum money scheme can not hold. We will discuss it in the latter part of the paper.

Finally, motivated by many proposed quantum currencies, we study a possible consequence of the coexistence of at least two legitimate quantum payment schemes. It is long known that whenever there are two types of money: those with high intrinsic value and those with lower intrinsic value, and both are valid (e.g. as currencies), then people tend to spend the latter ones while keeping the former. This fact was observed and formulated as a law of economy, known today as Gresham's law, stated as follows: 'Bad money drives out good'. We formulate the quantum analog of this statement, which says: 'Bad quantum money drives out good quantum one'. It summarizes the consequences of the attack on the intrinsic value of money, which for historical reasons described further, we call Quantum Oresme–Copernicus–Gresham's law. Whether such law will happen to hold is hard to predict as of now. We propose then, to initiate a discussion on the quantum intrinsic value of the quantum money schemes. It is because the intrinsic value of a quantum currency may be attributed in a much different way than the intrinsic value of a classical one.

The manuscript is organized as follows. In section 2, we review previous quantum money schemes both in private-key and public-key settings. In section 3, we show three different attacks on existing quantum money schemes and briefly discuss that a fully device-independent quantum money scheme cannot exist. In section 4, we present the main results of that work, stating a scheme for semi-device-independent quantum money. In section 5 we discuss a possible quantum analog of the Oresme–Copernicus–Gresham's law. We conclude in section 6 by comparing our scheme to the existing ones (see 6.1), discussing the technological difficulties in possible implementation (see 6.2), and summarizing the paper with some interesting open problems (see 6.3). Additionally, in appendices A–C we present a rigorous security proof of the scheme, show that it is impossible to create fully device-independent quantum money scheme in appendix D, briefly describe honest implementation in appendix E, and discuss the amount of required memory in appendix F.

Around 1970 Stephen Wiesner suggested the first scheme of unforgeable quantum money. Unfortunately, his paper was rejected a few times and finally was published in 1983 [1]. Even though Wiesner claimed that the protocol is unconditionally secure, a full proof for the most generalized attacks was presented by Molina et al in 2013 [5].

Because the scheme requires the mint to maintain a massive database for all produced bills, Bennet et al [22] proposed a modification of the protocol, using a cryptographic pseudorandom function, to decrease the needed amount of the memory. The question if it is possible to reduce the database size without imposing any computational assumptions was analyzed by Aaronson [20]. Later he formally proved that the answer is negative and stated the so-called Tradeoff theorem for Quantum Money [23].

Although the above schemes are secure in a regime in which the mint destroys the verified banknote, it is dangerous when we allow to retrieve the bill after verification. So-called interactive attacks were independently proposed by Aaronson [21] and Lutomirski [24]. Even more sophisticated version of the interactive attack, based on the idea of Elitzur–Vaidman bomb tester, was later suggested by Nagaj et al [25].

The scenarios mentioned above require visiting the mint (or at least having a secure quantum channel), so Gavinsky suggested a version of quantum money with classical verification [7]. It is essential to notice that in Gavinsky's scheme, the Bank does not need to trust the measurement device. Such types of schemes are commonly called measurement-device-independent. Another similar scheme was also presented by Georgiou and Kerenidis [26].

Additionally, Pastawski et al [6] and, more recently, Amiri and Arrazola [27] analyze the more realistic scenario in the presence of noise and errors.

It is also worth to mention about fundamentally different approaches aimed at anonymity. Mosca and Stebila [28], (see also Tokunaga et al [29]) proposed quantum coins in such a way that all coins are identical. Their scheme uses a black-box model that makes thorough security analysis difficult.

Furthermore, Selby and Sikora [30] analyzed unforgeable money in the Generalized Probabilistic Theories.

We should also point out experimental results in the quantum money field were presented by three groups of Bartkiewicz et al [31], Bozzio et al [32], and Guan et al [33] respectively. Although the theoretical schemes are secure, in the case of real-life, more practical implementation, new vectors of attack could appear. For example, Jiráková et al [34] show an attack on quantum money implementation.

Soon after the first version of this paper was published on arXiv preprints repository, Bozzio et al [13] presented the result with a similar title 'Semi-device-independent quantum money with coherent states'. Their result requires stronger security assumptions (trusted source device) but is more focused on realistic implementations.

Also, recent paper by Kumar [35] introduces novel quantum money protocol with very high toleration to noise.

Finally, during the review process of our work Radian and Sattath proposed scheme called 'Semi-Quantum Money' [36]. The Authors of the latter article propose the scheme that achieves similar goals by allowing the mint only to perform classical operations. This approach is, however, based on computational assumptions, while in the present article, we focus on what can be achieved without such.

The biggest drawback of all private-key quantum money schemes is that only the mint can verify the bill. In order to improve this, an idea of public-key quantum money was invented. In that approach, not only the mint but anyone, even untrusted party, could verify the quantum banknote without communication with the mint. General formulation of the public-key quantum money was presented by Aaronson [21], and later, its security was analyzed by Aaronson and Christiano [37].

Following these seminal results, many candidates for the private-key quantum money scheme was presented. The first such scheme, based on stabilizer states, was proposed by Aaronson [21], but it was later broken by Lutomirski et al [38]. There were also some attempts exploring an idea of local Hamiltonian problem that can also be broken using a single-copy tomography presented by Farhi et al [39]. Another idea, based on the knot theory, was proposed by Farhi et al [40]. It remains unbroken, but there is no full security proof.

Until now, more papers concerning the public-key quantum money or an analysis of its security were published that we should point out here [41–43].

In the most recent work, Zhandry [44] proved that if the injective one-way functions and an indistinguishability obfuscator exist, then the scheme of the public-key quantum money exists. Furthermore, he shows how to adapt the Aaronson and Christiano's scheme [37] using these assumptions to get the secure public-key quantum money.

We should also mention ongoing research on the decentralized quantum currencies. First Jogenfors [45] proposed Quantum Bitcoin that connects ideas of quantum money and classical blockchain system like the one used in Bitcoin. Later Ikeda [46] presented another approach called qBitcoin based on quantum teleportation and a quantum chain instead of the classical blocks. Also, Sun et al [47] proposed a cryptocurrency called qulogicoin, based on another version of the quantum blockchain. Recently Adrian Kent proposed a concept of 'S-money' [48], and Kane created a new money scheme based on modular forms [49]. Finally, Andrea Coladangelo proposed a decentralized, blockchain-based, hybrid classical-quantum payment system [50], strengthening the quantum lightning scheme.

We aim to demonstrate that both the original Wiesner's scheme and that of Gavinsky are vulnerable to the joined attack. Moreover, the attack is general enough to apply to other private-key quantum money schemes, as it bases on dropping important security assumption: the privacy of the key. Before presenting the attacks we recall how an honest source prepare the state:

$$\begin{eqnarray}&&\sum _{(b,v)\in \{0,1\}{}^{2k}}\displaystyle \frac{1}{{4}^{k}}\left|b,v\right\rangle \left\langle b,v\right|\to \mathrm{honest}\ \sum _{(b,v)\in \{0,1\}{}^{2k}}\displaystyle \frac{1}{{4}^{k}}\left|b,v\right\rangle \left\langle b,v\right|\otimes \left|{\rho }_{(b,v)}^{W}\right\rangle \left\langle {\rho }_{(b,v)}^{W}\right|,\end{eqnarray} \tag{ 3 }$$

where ${\rho }_{k}^{W}\in \{\left|0\right\rangle ,\left|1\right\rangle ,\left|+\right\rangle ,\left|-\right\rangle \}$, the bit-string b tells the (random) choice of basis, while v corresponds to outcomes. In the original money, only the system W contains banknote's state.

Now we are ready to show here three attacks of different types. The first one enlarges the memory of the banknote, the second one uses additional entanglement, and the third makes it a classical state. The first reduces to simple imprinting of the secret key of the Bank directly in banknote's state. It is at the expense of enlarging dimension of its quantum memory:

$$\begin{eqnarray}&&\sum _{(b,v)\in \{0,1\}{}^{2k}}\displaystyle \frac{1}{{4}^{k}}\left|b,v\right\rangle \left\langle b,v\right|\to {\mathrm{attack}}_{1}\ \sum _{(b,v)\in \{0,1\}{}^{2k}}\displaystyle \frac{1}{{4}^{k}}\left|b,v\right\rangle \left\langle b,v\right|\otimes \left|{\rho }_{(b,v)}^{W}\right\rangle \left\langle {\rho }_{(b,v)}^{W}\right|\otimes \left|b\right\rangle {\left\langle b\right|}_{H}.\end{eqnarray} \tag{ 4 }$$

The mistrustfully prepared banknote has an additional 'hidden' register H enabling the attack. This register can be used to generate an unlimited number of identical banknotes via repetitive von Neumann measurement of the system W in the basis indicated by vector $\left|b\right\rangle {\left\langle b\right|}_{H}$. Allowing for such a strong attack, one can imagine that in principle, the whole string $\left|b,v\right\rangle$ could also be imprinted in money's memory at the price of doubling it. However, imprinting $\left|b\right\rangle$ is enough. The operation of copying such a 'banknote' can pass unnoticed from the point of view of the honest Client. From this trivial example, we have then learned that when the dimension of the banknote is unbounded, its security against forgery is compromised.

The second attack does not require extra memory in the banknote's state but makes use of an additional entanglement between adversary and the untrusted source device. Instead of preparing one from the four honest states $\{\left|0\right\rangle ,\left|1\right\rangle ,\left|+\right\rangle ,\left|-\right\rangle \}$, the source performs locally one from the four Pauli unitaries on a half of a singlet and sends it as a money state. Later the adversary performs global Bell measurement on the whole two-qubit system. That procedure, based on superdense coding [51], allows him to obtain both parts of the secret key and prepare an arbitrary number of valid banknotes.

In the third one, the untrusted quantum source device and the counterfeiter can attack jointly without increasing the memory of the banknote and without any additional entanglement, by using only classical states (diagonal in a single basis):

$$\begin{eqnarray}&&\sum _{(b,v)\in \{0,1\}{}^{2k}}\displaystyle \frac{1}{{4}^{k}}\left|b,v\right\rangle \left\langle b,v\right|\to {\mathrm{attack}}_{3}\ \sum _{(b,v)\in \{0,1\}{}^{2k}}\displaystyle \frac{1}{{4}^{k}}\left|b,v\right\rangle \left\langle b,v\right|\otimes \left|v\right\rangle {\left\langle v\right|}_{H}.\end{eqnarray} \tag{ 5 }$$

In each run, right before the measurement is physically done, the measurement device is given the type of basis b taking value 0 in case of $\{\left|0\right\rangle ,\left|1\right\rangle \}$ and 1 for $\{\left|+\right\rangle ,\left|-\right\rangle \}$. It can then safely output the value $\left|v\right\rangle {\left\langle v\right|}_{H}$ as a good answer. The two bits that cannot be encoded in 1 qubit are split into measurement type (revealed later), and its outcome. In the original Wiesner scheme, the Bank trusts both the production and verification devices. Dropping these assumptions, as we do, with the view of possible hardware Trojan horse attack, we observe that such protocol is vulnerable to forgery. The same holds for the ones by Gavinsky [7] and Molina et al [5].

In the case of scheme by Wiesner and Molina et al the attack is made as described above. On the other hand to break scheme proposed by Gavinsky one can encode classical values of ${h}_{1}:= {x}_{1}\oplus {x}_{2}$ and ${h}_{2}:= {x}_{1}\oplus {x}_{3}$ on two qubits. To win the game it is sufficient to output $a=0$ and $b={h}_{m}$ depending on question m. In the above, we use the notation from definition 1 and step 6 of the protocol from [7].

The scheme of money that we propose (see section 4.1), based on the semi-device-independent quantum key distribution protocol, is a partial countermeasure to these three attacks. In the latter protocol, one assumes that there are only qubits sent and no additional entanglement, so the first two attacks (by enlarging memory and superdense coding) are not applicable. On the other hand, the SDI QKD protocol only gets accepted if the data coming from quantum states is observed, i.e. that the systems communicated were not classical bits, disabling thereby the third attack. It, and the fact that the honest implementation of the quantum states processed by the parties in the SDI QKD is Wiesner's money, motivates us to study the security of Wiesner's scheme under the verification of the SDI QKD protocol (as we describe in detail in section 4.1). Before that, in the next section, we will present a minor result, a no-go for device-independent quantum money, which highlights the importance of our money scheme.

In this section, we will show that it is impossible to create a fully device-independent money scheme. We will prove this in a scenario where the Bank has at least two branches that do not communicate during the verification phase. In the device-independent approach, both source and measurement devices are untrusted, and there are no restrictions on state dimension or additional entanglement, as opposed to the semi-device-independent approach that we will present in the next sections. On the other hand, we allow all Bank's branches to have shared randomness that can be used both in the state preparation and verification phases. We also assume that the no-signaling condition is fulfilled, and post-processing is honest, which is the standard approach in most device-independent protocols.

Observation 1 It is impossible to create a fully device-independent money scheme with untrusted source and measurement devices that could be produced by an adversary.

Intuitively it is easy to see that we can break any money scheme using appropriate modification of the first attack from the previous section. Indeed, without communication between Bank's branches, a malicious quantum source device can always prepare two copies of the banknote in such a way that both will pass verification in different branches. The only way a branch can verify the banknote is to check correlations with the client's banknote. It is impossible to ensure that the verification will influence, or give knowledge about, correlations of another branch with a different malicious copy of the banknote. To justify these intuitions, we will provide more formal proof of the above theorem in appendix D.

Because of the impossibility result, we can ask how close one can go toward the device-independent approach. We partially answer this question by providing in the next section our main contribution, the semi-device-independent quantum money scheme. It requires weaker assumptions than any previous one. We prove its security against a broad class of essential attacks and conjecture that it is also secure in the general case.

Motivated by the fact that joined attacks can compromise the security of some private-key quantum money schemes, we will show a partial solution to this problem. In this section, we present a scheme for semi-device-independent private-key quantum money. The concept of a semi-device-independent quantum key distribution was discovered by Pawłowski and Brunner [14]. In that scheme, the sender has to trust neither the quantum source nor the measuring device. Instead, there are two nontrivial assumptions about the states sent to the receiver. Firstly, the states have limited dimensions and, secondly, there is no entanglement between the states and the adversary. See figure 2.

Zoom In Zoom Out Reset image size

Our scheme of money is similar to the SDI QKD scheme and has the assumption that each state that is sent from the sender to the receiver is qubit (have dimension d = 2). In order to introduce both the concept and notation, it is instructive to recap the semi-device-independent quantum key generation protocol [14] briefly. The key is produced as follows. The sender sets up n pairs of random bits $({y}_{0}^{i},{y}_{1}^{i}{)}_{i=1}^{n}$. In each run of the experiment $i\in [n]:= \{1,\ldots ,n\}$, upon pressing the correct button sender's device produces an untrusted state ${\rho }_{{y}_{0}^{i},{y}_{1}^{i}}$, which is assumed to be a qubit, and sends it to the receiver. The receiver's device is fully untrusted. It measures the state in an arbitrary manner (perhaps knowing state's preparation), yet upon a (random) input xⁱ, it has to output a bit aⁱ, which equals ${y}_{{x}^{i}}^{i}$. In the classical case, the maximal success probability of guessing the bits of the sender is only 3/4, while in quantum case, it is ${P}_{Q}:= {\cos }^{2}(\pi /4)\approx 0.8536$. If the guessing probability is larger than a certain value, the secure key can be established.

We are now ready to introduce our money scheme. In the SDI quantum money scheme, one branch of the Bank (mint) plays the role of the sender, while the client Alice is the receiver.

• Money generation protocol. In order to create the money, all k branches of the Bank have to possess common secret randomness (secret key) that is later stored in classical memories of the branches. Each portion of the bits $({y}_{0}^{i},{y}_{1}^{i}{)}_{i=1}^{n}$ of this key is attached to some serial number of a separate banknote SN in advance. (Note that the secret key can be obtained for example by measurement on the shared $2n$ GHZ states [52] or by encrypted classical communication.) To generate a quantum state of the banknote associated to the number SN one branch B_S (in practice the closest to Alice branch that can perform the function of the mint, i.e. posses quantum source devices) uses $({y}_{0}^{i},{y}_{1}^{i}{)}_{i=1}^{n}$ associated with this SN as a sequence of inputs to its untrusted quantum source devices $({S}^{i}{)}_{i=1}^{n}$. The latter devices, in turn, generates n qubits (${\rho }_{{y}_{0}^{i},{y}_{1}^{i}}$) that together form the quantum state of the banknote

$$\begin{eqnarray}&&\underset{i=1}{\overset{n}{\displaystyle \bigotimes }}{\rho }_{{y}_{0}^{i},{y}_{1}^{i}}.\end{eqnarray} \tag{ 6 }$$

The above state is sent to Alice's wallet (dedicated quantum memory device). In the end, the banknote, i.e. the joined state of k branches of the Bank and Alice's wallet takes the form:

$$\begin{eqnarray}&&\sum _{y=\left({y}_{0}^{i},{y}_{1}^{i}\right)\in \{0,1\}{}^{2n}}\left|y\right\rangle {\left\langle y\right|}_{{B}_{1}}\otimes ...\otimes \left|y\right\rangle {\left\langle y\right|}_{{B}_{k}}\otimes \left(\underset{i=1}{\overset{n}{\displaystyle \bigotimes }}{\rho }_{{y}_{0}^{i},{y}_{1}^{i}}\right).\end{eqnarray} \tag{ 7 }$$

• Money verification protocol at the Bank. In order to verify the money Alice comes to any branch of the Bank denote as B_l. The branch B_l generates a question bit-string $({x}^{i}{)}_{i\,=\,1}^{n}$, inputs the bits to the untrusted measurement devices $({M}^{i}{)}_{i\,=\,1}^{n}$ and collects the output bit-string $({a}^{i}{)}_{i=1}^{n}$. For a total data represented by a string of tuples: ${S}_{A}=({y}_{0}^{i},{y}_{1}^{i},{x}^{i},{a}^{i}{)}_{i=1}^{n}$ the branch B_l accepts it if the following condition is satisfied:

$$\begin{eqnarray}&&{X}_{A}({S}_{A}):= \left|\left\{i\in [n]:{a}^{i}={y}_{{x}^{i}}^{i}\right\}\right|\geqslant \theta n,\end{eqnarray} \tag{ 8 }$$

i.e. the number of correct guesses is above the threshold value $\theta n$ and rejects otherwise.

Apart from the above scheme, the second main result (see theorem 1) is the proof that $\theta \approx 0.8475$ will assure the security of the money scheme within considered set of assumptions. More precisely, in real-life application, one should consider the value of threshold to be a bit larger, $\theta =0.8475+2.6950\eta$, depending on how small the probability of error, i.e. forgery one would like to tolerate. It is however proven (see theorem 1) to be exponentially small in the length of the banknote, scaling as $O(\exp (-2{\eta }^{2}\left(1/2-\eta \right)n))$.

• Money verification protocol at a distance. Alice establishes an authenticated connection for classical communication with some (arbitrary) branch B_l of the Bank. The B_l gives her random inputs $({x}^{i}{)}_{i=1}^{n}$, that she should use together with her quantum state from the memory of her wallet as inputs to the untrusted terminal (her own, or, e.g. the one operated by a seller in a shop). The classical output $({a}^{i}{)}_{i=1}^{n}$ from the device (possibly modified by Alice to $(a{{\prime} }^{i}{)}_{i=1}^{n}$) is then sent to B_l that checks if the data $({y}_{0}^{i},{y}_{1}^{i},{x}^{i},a{{\prime} }^{i}{)}_{i=1}^{n}$ are acceptable if inequality (8) holds, and rejects it otherwise.

For the sake of clarity, the whole process of the creation and the verification of the semi-device-independent quantum money is illustrated in figure 3 (for the general scheme with many branches) and figure 4 (for the creation and verification). Generation and verification protocols are also summarized in tables 1 and 2 respectively. We state below certain remarks on the variants of the above approach.

Zoom In Zoom Out Reset image size

Zoom In Zoom Out Reset image size

Table 1.  Summary of semi-device-independent quantum money generation protocol.

Money generation protocol
Arguments:
$({B}_{i}{)}_{i=1}^{k}$—honest Bank's branches
BS—honest mint (Bank's branch that creates the money)
$({S}^{i}{)}_{i=1}^{n}$—untrusted source devices (with single qubit outputs)
A—possibly dishonest client Alice that posses quantum memory to store money (quantum wallet)
SN—serial number of the banknote
$({y}^{i}{)}_{i=1}^{n}:= ({y}_{0}^{i},{y}_{1}^{i}{)}_{i=1}^{n}$—classical keys of the banknote shared by Bank's branches
$\underset{i=1}{\overset{n}{\displaystyle \bigotimes }}{\rho }_{y}^{i}$—client's part of the banknote
Protocol steps:
1. Branches Bi generate common classical key string consist of pair of bits $({y}^{i})=({y}_{0}^{i},{y}_{1}^{i})$.
2. Mint BS input strings yiinto untrusted source devices Si.
3. Devices Si produce states ${\rho }_{y}^{i}$ that are sent to the client A together with serial number SN.
4. Client A stores states $\underset{i=1}{\overset{n}{\displaystyle \bigotimes }}{\rho }_{y}^{i}$ and SN in her quantum wallet.

Table 2.  Summary of semi-device-independent quantum money verification protocol.

Money verification protocol
Arguments:
$({B}_{i}{)}_{i=1}^{k}$—honest Bank's branches
Bl—honest Bank's branch that verifies the money
PPl—Bl's honest post-processing unit
$({M}^{i}{)}_{i=1}^{n}$—untrusted measurement devices
V—untrusted verification terminal
A—possibly dishonest client Alice that posses quantum memory to store money (quantum wallet)
SN—serial number of the banknote
$({y}^{i}{)}_{i=1}^{n}:= ({y}_{0}^{i},{y}_{1}^{i}{)}_{i=1}^{n}$—classical keys of the banknote shared by Bank's branches
$({x}^{i}{)}_{i=1}^{n}$—random questions send by verifying branch
$({a}^{i}{)}_{i=1}^{n}$—classical output generated by measurement devices
$\underset{i=1}{\overset{n}{\displaystyle \bigotimes }}{\rho }_{y}^{i}$—client's part of the banknote
Protocol steps:
1. Client A inputs her quantum states $\underset{i=1}{\overset{n}{\displaystyle \bigotimes }}{\rho }_{y}^{i}$ and SN into terminal V.
2. Bank's branch Bl that have a classical connection with V sends questions $({x}^{i}{)}_{i=1}^{n}$.
3. Terminal T, using devices , measures states $({M}^{i}{)}_{i=1}^{n}\underset{i=1}{\overset{n}{\displaystyle \bigotimes }}{\rho }_{y}^{i}$ according to questions $({x}^{i}{)}_{i=1}^{n}$.
4. The outputs of measurements $({a}^{i}{)}_{i=1}^{n}$ are sent to the branch Bl.
5. The branch counts the number c of correct guesses, i.e. number of i such that ${y}_{{x}_{i}}={a}_{i}$ using honest post-processing unit PP.
6. The branch accepts the banknote if c > θn and rejects otherwise.

Remark 1. One might think that mint could check the quantum source device before its official use. However, one can never exclude the attack based on clock: the quantum device starts misbehaving after it has been (with high probability) tested and treated as honest from that on. Even more importantly, the attack that we show is split between two devices: the quantum source device and the verification device. Since the verification device can also be dishonest, i.e. the honesty of which can again depend on the clock, it is then rather not possible to detect the attack before the money is produced.

Despite this fact, our scheme circumvents a class of attacks of this type by testing each banknote against it during the standard validation procedure. Our scheme can be therefore seen as testing outputs of two not fully trusted devices by inspecting if these outputs possess welcome property.

Remark 2 The branches can create money without communication. Using synchronized clocks, they can continuously generate new random inputs. When a client arrives, the serial number of her banknote would contain the time that uniquely indicates what remembered randomness verifying branch should use. Additionally, branches should agree among themselves on the allowed generation time to make sure not to generate two bills from the same randomness. A similar idea can also be implemented in some previous money schemes, for example, Wiesner's one.

We make now an explicit comparison of our protocol with that of the semi-device-independent QKD of Pawłowski and Brunner [14]. Although the honest implementation of two protocols and its assumptions are similar, the proof is fundamentally different. Furthermore, there are three more main differences.

• Memory requirements: A conceptual difference is that we defer the process of measurement and call the collection of states prepared by the source in SDI protocol the banknote. The process of the measurement is identified by us with the verification done later by the terminal. It is of particular convenience that the SDI protocol does not rely on the no-signaling principle, so the measurement of the banknotes can be done any time after they were prepared. In other words, our protocol needs quantum memory, while SDI QKD does not.

• Limited number of runs: A significant practical difference is that the SDI quantum money scheme corresponds to a limited SDI QKD protocol to the creation and the verification procedures without the privacy amplification and information reconciliation part. In particular, in our protocol, the number of runs of the corresponding SDI QKD experiment (i.e. the length of the banknote) is only long enough to enable estimation of the guessing probability which depends only on the possible systematic error in the experiment and the concentration property due to the law of large numbers. It is in contrast with the SDI QKD protocol, which involves as many runs (at least) as the number of key bits needed to be generated. Indeed, we do not aim at creating the secret key because—there is no phase of public reconciliation and privacy amplification. Preparing and verifying a long key is equivalent to creating and verifying a huge number of banknotes.

• An intermediate acceptance threshold: The third difference concerns the acceptance threshold. Acceptable range of the value of the probability of guessing ${P}_{\mathrm{guess}}$ of the string $({y}_{0}^{i}{y}_{1}^{i}{)}_{i=1}^{n}$ in the SDI QKD protocol varies from the maximal ${P}_{Q}\approx 0.8536$, which implies the highest possible key rate in this scenario, to the minimal ${P}_{\mathrm{crit}}^{\mathrm{key}}\approx 0.8415$, which implies zero key rate. Let us stress here, that any value between P_Q and ${P}_{\mathrm{crit}}^{\mathrm{key}}$ is acceptable, as leading to a non-zero key rate (yet, one aims at the highest). Instead, in the corresponding SDI quantum money scheme one needs the value of this parameter to be larger than ${P}_{\mathrm{crit}}^{\mathrm{money}}:= ({P}_{Q}+{P}_{\mathrm{crit}}^{\mathrm{key}})/2\approx 0.847\,55$. On the other hand, all money schemes with the acceptance threshold θ in the range $({P}_{\mathrm{crit}}^{\mathrm{money}},{P}_{Q}]$ are protected against forgery given large enough number of qubits of the banknote n.

In this section, we provide the proof of the main result: the SDI quantum money scheme is protected against the qubit-by-qubit forgery. That is, against the case when the source device, the counterfeiter, and the verification terminal possibly created by the counterfeiter cooperate in a manner that each qubit is attacked (prepared, copied and tested) independently. Under some additional necessary assumptions, which we list below, we show that two cooperating clients, Alice and Frederick, cannot get the banknote accepted as valid in two Bank's branches. As we show, the case of many Bank's branches follows from the security in the latter case. The case of a birthday attack of choosing the best pair of branches is then taken care of by the union bound. Indeed let us assume that the number of branches equals $k={\rm{poly}}(n)$, where n is the length of the banknote, which is a reasonable constraint possible to be satisfied. If for any pair the probability of successful counterfeiting is exponentially small ${\epsilon }_{2}(n)\sim O({e}^{-n})$, the highest probability of this event for k branches is not higher than ${\epsilon }_{k}:= \left(\displaystyle \genfrac{}{}{0em}{}{k}{2}\right){\epsilon }_{2}(n)$, which is still small (of order $O({e}^{-n})$).

• ASM1 Bank's branches have access to a private fully random number generator that they use to generate y's and x's.
• ASM2 Branches of the Bank use honest classical post-processing units in the verification procedure.
• ASM3 The dimension of the state that is produced at the output of the source is bounded, and there is no other information leaking from the source to Alice or Frederick.
• ASM4 The state produced by the source is unentangled from the dishonest parties (Alice and Frederick).
• ASM5 The source devices create the states in an independent way, which also implies that each of the sources has access only to its input (not the inputs of the other sources).
• ASM6 The measurement devices are independent, each measure only its subsystem, and the outputs of Alice and Frederick in each run are independent of the inputs and the outputs from other runs.

It is crucial to notice that our assumptions are strictly weaker than the one used in Wiesner's scheme. Furthermore, all existing quantum money schemes assume that the money state dimension is limited.

In particular case of the presented SDI quantum money scheme, in ASM3 we specify that each of the independent parts of the sources (as specified in ASM5) has output bounded by $d=2$, i.e. the source works by producing independently n qubits (however not necessarily in the same way). What we will prove, our assumptions imply security against the third attack presented above.

Now we are ready to formally state main result of our work. Let us define (see appendix C)

$$\begin{eqnarray}\begin{array}{rcl}{\beta }_{\eta } & = & {P}_{Q}\left(\displaystyle \frac{1}{2}+\eta \right)+\displaystyle \frac{M}{2}\left(\displaystyle \frac{1}{2}+\eta \right)+\eta \\ & = & \ \displaystyle \frac{9+2\sqrt{2}+\sqrt{3}}{16}+\displaystyle \frac{17+2\sqrt{2}+\sqrt{3}}{8}\eta \\ & \approx & \ 0.847\,5+2.695\,0\eta ,\end{array}\end{eqnarray} \tag{ 9 }$$

for some small η chosen in such a way that ${\beta }_{\eta }\leqslant {P}_{Q}$.

Theorem 1 Let acceptance threshold θ be larger than ${\beta }_{\eta }n$. Then, under Assumptions ASM1–ASM6, where k denotes the number of Bank's branches the probability of a successful forgery $P({{ \mathcal F }}_{\theta })$ is exponentially small in number of banknote's qubits n and is bounded by

$$\begin{eqnarray}&&P({{ \mathcal F }}_{\theta })\leqslant 10{k}^{2}{{\rm{e}}}^{-2{\eta }^{2}\left(\tfrac{1}{2}-\eta \right)n}.\end{eqnarray} \tag{ 10 }$$

Remark 3 It seems plausible that the assumption ASM6 could be omitted but, it would complicate the proof. The question of if we can omit the assumption ASM5 is a hard open problem, related to the formulation of the SDI QKD scheme and Random Access Codes [53, 54] in general. On the other hand, all other assumptions are necessary to prove the security of our scheme since rejecting any of them leads to a successful attack.

Let us briefly describe the idea of the proof of the security of the scheme. It is a consequence of two facts: (i) the monogamy inherent to the SDI key generation protocol and (ii) the fact that each Bank's branch queries independently from the other branches during the verification procedure. It will hold for the case when the Bank verifies the banknote via untrusted terminal, i.e. Alice (or Frederick) come to the Bank to get the banknote accepted. We can reduce the case with the communication to the latter, under the assumption that the strategy to lie about the outputs of the devices (which is then at a choice of the dishonest parties) is individual, independent for each of the runs of the protocol (see appendix A). As we discuss in section 6, this a bit unrealistic assumption that can be in principle dropped given the protocol of SDI QKD is proven to be secure against the general, so-called forward signaling attacks.

4.3.1. The case of an attack on a single qubit

Like in Wiesner's scheme, for a banknote to be accepted, its owner has to guess the bits of the Bank correctly. It is instructive to focus on the attack on a single qubit of the banknote to see that two dishonest persons, Alice and Frederick, cannot both pass the verification of our banknote. Suppose Alice and Frederick are trying to 'split' its use to maximize the probability of guessing P_guess in two experiments of some two branches of the Bank. Their joined attack can be described as a conditional probability distribution (a box): $P({a}_{F},{a}_{A}| {x}_{A},{x}_{F},{y}_{0},{y}_{1})$, where y₀ and y₁ are the secret keys of the Bank which Alice and Frederick are trying to guess, x_A and x_F are the random inputs, generated by the Bank, send to the verification device.

For simplicity of description, we will assume that Alice and Frederick come to the Bank, while the Bank sets the input to the devices (we will argue later how to relax this assumption partially). The joined attack aims at generating two bits a_A (by Alice), and a_F (by Frederick), such that the probability of guessing the x_Ath bit of ${y}_{B}=({y}_{0},{y}_{1})$ and x_Fth bit of y_B by Frederick are both maximal. The guessing probability for Alice and Frederick respectively read:

$$\begin{eqnarray}&&{P}_{{\rm{guess}}}^{A}=\displaystyle \frac{1}{8}\sum _{{y}_{0},{y}_{1},{x}_{A}}P({a}_{A}={y}_{{x}_{A}}| {y}_{0},{y}_{1},{x}_{A}),\end{eqnarray} \tag{ 11 }$$

and

$$\begin{eqnarray}&&{P}_{{\rm{guess}}}^{F}=\displaystyle \frac{1}{8}\sum _{{y}_{0},{y}_{1},{x}_{F}}P({a}_{F}={y}_{{x}_{F}}| {y}_{0},{y}_{1},{x}_{F}).\end{eqnarray} \tag{ 12 }$$

Let us observe first that in the case ${x}_{A}={x}_{F}$, they can both achieve the maximal possible probability of guessing ${P}_{Q}={\cos }^{2}(\pi /8)\approx 0.8536$ [14]. Indeed, Alice can come first to one branch and behave honestly having the guessing probability ${P}_{{\rm{guess}}}^{A}={P}_{Q}$, while Frederick can copy her answer, reaching the same probability of guessing. However, when ${x}_{A}\ne {x}_{F}={x}_{A}\oplus 1$, the dishonest parties need to guess opposite bits: y₀ (Alice) and y₁ (Frederick) or vice versa (with half probability). However, it is proven in [14] that

$$\begin{eqnarray}&&{P}_{{\rm{guess}}}^{{AF}}({y}_{0})+{P}_{{\rm{guess}}}^{{AF}}({y}_{1})\leqslant \displaystyle \frac{5+\sqrt{3}}{4}=: M.\end{eqnarray} \tag{ 13 }$$

Hence, even if Alice and Frederick were fully collaborating, the sum of the probabilities of guessing of the two bits is bounded.

Since ${x}_{A}={x}_{F}$ with the probability one half, averaging over the value of ${x}_{A}\oplus {x}_{F}$, we conclude that the average number of correctly guessed bits has an upper bound

$$\begin{eqnarray}&&\displaystyle \frac{1}{2}(2{P}_{Q}+M)=: B.\end{eqnarray} \tag{ 14 }$$

In the next section, we will generalize this bound to the case banknotes that consists of many (n) qubits. Due to the independent nature of the attack, it will suffice to multiply the above bound by n (up to fluctuations around the average). The corresponding bound enlarged by the maximal possible fluctuations reads then $n\beta$ with $\beta =2{P}_{Q}\left(1/2+\eta \right)+M\left(1/2+\eta \right)+2\eta$. We will then choose the threshold value θ to be larger than $\beta /2$. It will assure that the two dishonest parties cannot get the same banknote accepted in two Bank's branches, as their total sum of the guesses would be larger than $2\beta /2=\beta$, reaching the desired contradiction.

4.3.2. Extending the argument to the general case of the qubit-by-qubit attack

We would like to extend this reasoning to the case of the repeated experiment of n runs (n will be relatively small, as short as the length of a usual preamble of the QKD protocols). We assume here that the attack is 'id', i.e. by not necessarily equal however independently distributed random variables, according to the measure:

$$\begin{eqnarray}&&\mu \sim \underset{i=1}{\overset{n}{\displaystyle \bigotimes }}U\left({y}_{0}^{i},{y}_{1}^{i},{x}_{A}^{i},{x}_{F}^{i}\right)P\left({a}_{A}^{i},{a}_{F}^{i}| {y}_{0}^{i},{y}_{1}^{i},{x}_{A}^{i},{x}_{F}^{i}\right),\end{eqnarray} \tag{ 15 }$$

where $U({y}_{0}^{i},{y}_{1}^{i},{x}_{A}^{i},{x}_{F}^{i})$ denotes the uniform distribution over its arguments. We then observe that, instead of providing x_A to Alice and x_F to Frederick, the two branches of the Bank could give x_A to Alice and ${x}_{\oplus }:= {x}_{A}\oplus {x}_{F}$ to Frederick. This is because Alice and Frederick are collaborating, so they can compute value of x_F from these data in case it is needed. We can, therefore, change the scenario to one in which the parties are given $({x}_{A},{x}_{\oplus })$, if the probability measure is changed accordingly to the following one:

$$\begin{eqnarray}\begin{array}{c}\begin{array}{rcl}\mu ^{\prime} & \sim & \mathop{\mathop{\displaystyle \bigotimes }\limits^{n}}\limits_{i=1}U\left({y}_{0}^{i},{y}_{1}^{i},{x}_{A}^{i},{x}_{\oplus }^{i}\oplus {x}_{A}^{i}\right)P\left({a}_{A}^{i},{a}_{F}^{i}| {y}_{0}^{i},{y}_{1}^{i},{x}_{A}^{i},{x}_{\oplus }^{i}\oplus {x}_{A}^{i}\right).\end{array}\end{array}\end{eqnarray} \tag{ 16 }$$

The measure $\mu ^{\prime}$ acts on x_A and ${x}_{\oplus }$ in the same way as μ would act on x_A and x_F, so in some sense it is undoing the XOR operation. This modification of the scenario does not change the probability of successful forgery, i.e. the probability of an event in which both Alice will get accepted as supposed to have a valid banknote and so will happen to Frederick. To see this, we first note that a set of events (denoted as ${ \mathcal F }$) leading to a successful forgery reads:

$$\begin{eqnarray}&&{ \mathcal F }:= \left\{({y}_{0}^{i},{y}_{1}^{i},{x}_{A}^{i},{a}_{A}^{i},{x}_{F}^{i},{a}_{F}^{i}{)}_{i=1}^{n}\in \{0,1\}{}^{6n}:\ \left|\left\{i\in [n]:{a}_{A}^{i}={y}_{{x}_{A}^{i}}^{i}\right\}\right|\gt \theta n,\ \left|\left\{i\in [n]:{a}_{F}^{i}={y}_{{x}_{F}^{i}}^{i}\right\}\right|\gt \theta n\right\}.\end{eqnarray} \tag{ 17 }$$

We will also define a strategy S by

$$\begin{eqnarray}&&S:= ({y}_{0}^{i},{y}_{1}^{i},{x}_{A}^{i},{a}_{A}^{i},{x}_{F}^{i},{a}_{F}^{i}{)}_{i=1}^{n}.\end{eqnarray} \tag{ 18 }$$

We then prove (see corollary 1) that

$$\begin{eqnarray}\begin{array}{rcl}P({ \mathcal F }) & := & \sum _{S\in { \mathcal F }}{P}_{\sim \mu }({ \mathcal F })\\ & = & \ \sum _{S^{\prime} \in { \mathcal F }^{\prime} }{P}_{\sim \mu ^{\prime} }P(S^{\prime} )\\ & =: & \ P({ \mathcal F }^{\prime} ),\end{array}\end{eqnarray} \tag{ 19 }$$

where $S^{\prime} =({y}_{0}^{i},{y}_{1}^{i},{x}_{A}^{i},{a}_{A}^{i},{x}_{\oplus }^{i},{a}_{F}^{i}{)}_{i\,=\,1}^{n}$ and

$$\begin{eqnarray}&&\begin{array}{l}{ \mathcal F }^{\prime} := \left\{({y}_{0}^{i},{y}_{1}^{i},{x}_{A}^{i},{a}_{A}^{i},{x}_{\oplus }^{i},{a}_{F}^{i}{)}_{i=1}^{n}\in \{0,1\}{}^{6n}:\ \left|\left\{i\in [n]:{a}_{A}^{i}={y}_{{x}_{A}^{i}}^{i}\right\}\right|\gt \theta n,\\ \qquad \times \ \left|\left\{i\in [n]:{a}_{F}^{i}={y}_{{x}_{\oplus }^{i}\oplus {x}_{i}^{A}}^{i}\right\}\right|\gt \theta n\right\}.\end{array}\end{eqnarray} \tag{ 20 }$$

Because ${{\bf{x}}}_{\oplus }$ is created from fully random bits that are unknown for adversary during the creation of the money, we have

$$\begin{eqnarray}&&P({ \mathcal F }^{\prime} )=\sum _{{{\boldsymbol{x}}}_{\oplus }\in \{0,1\}{}^{n}}p({{\boldsymbol{x}}}_{\oplus })P({ \mathcal F }^{\prime} | {{\boldsymbol{x}}}_{\oplus }).\end{eqnarray} \tag{ 21 }$$

We can narrow considerations to the typical ${{\boldsymbol{x}}}_{\oplus }$, i.e. those having number of symbol 0 and 1 approximately $n/2$ times. More formally the set of typical sequences is defined as

$$\begin{eqnarray}&&{{ \mathcal T }}_{\eta }:= \left\{{\boldsymbol{x}}:\left|\displaystyle \frac{| {\boldsymbol{x}}{| }_{0}}{n}-\displaystyle \frac{1}{2}\right|\leqslant \eta \right\},\end{eqnarray} \tag{ 22 }$$

where $| {\boldsymbol{x}}{| }_{0}$ is the number of positions with symbol 0 in a bitstring ${\boldsymbol{x}}$. All sequences of the length n (given n is large enough) are with high probability typical (i.e. with a probability $1-\epsilon (\eta )$ for $\epsilon (\eta )=2\exp (-2{\eta }^{2}n)$). We have therefore

$$\begin{eqnarray}&&P({ \mathcal F }^{\prime} )\leqslant \sum _{{{\boldsymbol{x}}}_{\oplus }\in { \mathcal T }(\eta )}p({{\boldsymbol{x}}}_{\oplus })P({ \mathcal F }^{\prime} | {{\boldsymbol{x}}}_{\oplus })+\epsilon (\eta ).\end{eqnarray} \tag{ 23 }$$

We then see that one can fix a typical ${{\boldsymbol{x}}}_{\oplus }$, and prove that for any such ${{\boldsymbol{x}}}_{\oplus }$, the probability of acceptance is low. We will assure it by setting an appropriate θ, so that with a high probability over the conditional measure $\mu ^{\prime\prime} := \mu ^{\prime} ({{\boldsymbol{x}}}_{\oplus })/p({{\boldsymbol{x}}}_{\oplus })$ the strings $S^{\prime}$ emerging from the attack will be rejected as having too small number of guessed bits of $({y}_{0}^{i},{y}_{1}^{i}{)}_{i=1}^{n}$.

In more detail, we first note that for a fixed ${{\boldsymbol{x}}}_{\oplus }$, on average, over n runs with respect to the measure $\mu ^{\prime\prime}$, there are no more guessed inputs than ${nB}$ with B given in equation (14). It remains to take into account the fact that the observed number of the guessed inputs need not be equal to its average. However, ${{\boldsymbol{x}}}_{\oplus }$ is typical, hence the number of runs will be at least $n/2-\eta n$, so we can use the fact that the attack is performed in an independent manner. Due to Hoeffding's inequality, we obtain that the observed number of guessed inputs is with a high probability bounded from above by:

$$\begin{eqnarray}\begin{array}{rcl}n\beta & \equiv & n\left[(2{P}_{Q}\left(\displaystyle \frac{1}{2}+\eta \right)+M\left(\displaystyle \frac{1}{2}+\eta \right)+2\eta \right]\\ & = & \ n\left[\left(2\cos \left(\displaystyle \frac{\pi }{8}\right)+\displaystyle \frac{5+\sqrt{3}}{4}\right)\left(\displaystyle \frac{1}{2}+\eta \right)+2\eta \right],\end{array}\end{eqnarray} \tag{ 24 }$$

where η takes care of the maximal possible fluctuations.

Before we explicitly control these fluctuations, we first define four random variables describing the guessing at the ith run of the verification procedure by Alice and Frederick as

$$\begin{eqnarray}{X}_{i,A}^{{{\boldsymbol{x}}}_{\oplus }}:= \Bigg\{\begin{array}{ll}\delta \left({a}_{A}^{i},{y}_{{x}_{A}^{i}}^{i}\right): & {x}_{A}^{i}={x}_{F}^{i}\\ 0: & {x}_{A}^{i}\ne {x}_{F}^{i}\end{array},\end{eqnarray} \tag{ 25 }$$

$$\begin{eqnarray}{X}_{i,F}^{{{\boldsymbol{x}}}_{\oplus }}:= \Bigg\{\begin{array}{ll}\delta \left({a}_{F}^{i},{y}_{{x}_{A}^{i}}^{i}\right): & {x}_{A}^{i}={x}_{F}^{i}\\ 0: & {x}_{A}^{i}\ne {x}_{F}^{i}\end{array},\end{eqnarray} \tag{ 26 }$$

$$\begin{eqnarray}{Y}_{i,A}^{{{\boldsymbol{x}}}_{\oplus }}:= \Bigg\{\begin{array}{ll}\delta \left({a}_{A}^{i},{y}_{{x}_{A}^{i}}^{i}\right): & {x}_{A}^{i}\ne {x}_{F}^{i}\\ 0: & {x}_{A}^{i}={x}_{F}^{i}\end{array},\end{eqnarray} \tag{ 27 }$$

$$\begin{eqnarray}{Y}_{i,F}^{{{\boldsymbol{x}}}_{\oplus }}:= \Bigg\{\begin{array}{ll}\delta \left({a}_{F}^{i},{y}_{{x}_{A}^{i}\oplus 1}^{i}\right): & {x}_{A}^{i}\ne {x}_{F}^{i}\\ 0: & {x}_{A}^{i}={x}_{F}^{i}\end{array}.\end{eqnarray} \tag{ 28 }$$

Now we can get back to describing deviations from the average of the 4 random variables: ${\bar{X}}_{{{\boldsymbol{x}}}_{\oplus }}^{A},{\bar{X}}_{{{\boldsymbol{x}}}_{\oplus }}^{F},{\bar{Y}}_{{{\boldsymbol{x}}}_{\oplus }}^{A}$ and ${\bar{Y}}_{{{\boldsymbol{x}}}_{\oplus }}^{F}$ that are the sums over $i\in [n]$ for the variables described above. The values of ${\bar{X}}_{{{\boldsymbol{x}}}_{\oplus }}^{A}({\bar{X}}_{{{\boldsymbol{x}}}_{\oplus }}^{F})$ are the numbers of bits of $({y}_{0}^{i},{y}_{1}^{i})$ correctly guessed by Alice (Frederick) from the positions i satisfying ${x}_{A}^{i}\ne {x}_{F}^{i}$. Analogously, ${\bar{Y}}_{{{\boldsymbol{x}}}_{\oplus }}^{A}({\bar{Y}}_{{{\boldsymbol{x}}}_{\oplus }}^{F})$ describe the number of correct guesses for i such that ${x}_{A}^{i}={x}_{F}^{i}$. Details are given in lemma 2 and corollary 2 (see also appendix B for an explicit definition of random variables, their sum and expected values).

The last argument follows from a simple observation. Namely, if the total fraction of the correctly guessed positions by two persons is less than β, the minimum of the fractions of the correct guesses by each of them separately is not greater than $\beta /2$. Setting the acceptance threshold θ large enough that the minimum of the numbers of guesses is below θ, we assure that for each typical ${{\bf{x}}}_{\oplus }$ the banknote is rejected with the high probability in at least one branch. In particular, for any $\theta \gt \beta /2$ this probability is at least $1-8\exp (-{\eta }^{2}(n/2-\eta ))$, where for every typical ${{\bf{x}}}_{\oplus }$ the error $8\exp (-{\eta }^{2}(n/2-\eta ))$ upper bounds the probability of event that at least one of the 4 random variables ${\bar{X}}_{{{\boldsymbol{x}}}_{\oplus }}^{A},{\bar{X}}_{{{\boldsymbol{x}}}_{\oplus }}^{F},{\bar{Y}}_{{{\boldsymbol{x}}}_{\oplus }}^{A}$, ${\bar{Y}}_{{{\boldsymbol{x}}}_{\oplus }}^{F}$ is far from its respective average.

Taking into account equations (23) and (19), we obtain finally

$$\begin{eqnarray}&&P({ \mathcal F })\leqslant 5\epsilon ^{\prime} (\eta ),\end{eqnarray} \tag{ 29 }$$

with $\epsilon ^{\prime} (\eta ):= 2\ \exp (-{\eta }^{2}(n/2-\eta ))$.

In table 3, we present the comparison of different protocols, including the original protocol of Stephen Wiesner [1] and that of Dimitry Gavinsky [7], and show which parties and devices have to be trusted by the Bank in order to maintain security.

A fundamental obstacle in the realization of the presented one and many other money schemes is the fact that it relies on the existence of a reliable and long-time living quantum memory. It is hard to foresee when (if ever) such memories would be available. However, there are works in this direction. As an example of a recent substantial experimental progress in developing the quantum memory, we can invoke the paper by Wang et al [59], presenting a single-qubit quantum memory that exceeds coherence time of ten minutes. Furthermore, Harper and Flammia [60] demonstrated the first implementation of the error-correcting codes on a real quantum computer. It may indicate that the error-correcting codes can become useful in the near future quantum memories.

We want to emphasize here that the tasks of universal fault-tolerant quantum computing [61] and of a reliable quantum repeater [62] (for latest discovery see [63] and references therein) are both different from that of a fault-tolerant quantum storage (QS). The memory of the quantum computer need not be stable for a long time, because it is needed only for the time when the gates of the quantum algorithm are done, while the QS needs to be stable for a long time. However, operations on the QS are far from being universal [64], reduced to measurements in two bases (at least in the considered SDI quantum money scheme).

Although there is no physical law that bounds from above the time of coherence of a qubit state, achieving a reliable QS appears to be an arduous task, because of quantum decoherence, which is usually happening very fast. This is the reason why the very first idea (of QS needed for money schemes) that appear in theory may become the last one (after quantum computer and quantum Internet) to be realized in practice. It may also happen because, in contrast to quantum computing or secure quantum communication, the money scheme requires to be widely implemented in order to be useful.

It is also worth to notice that, recently, the first experimental implementation of quantum money schemes were performed [31–33]. It indicates that real-life implementation of quantum money could potentially be achievable using near-future technologies.

In this article, we have presented an alternative testing method for the original Wiesner's banknotes—a semi-device-independent quantum money scheme. To our knowledge, this is the first attempt to provide the quantum money scheme unforgeability of which would not entirely rely on trusting quantum source device and the inner workings of the verifying terminal at the same time.

Furthermore, we provide impossibility results for a fully device-independent quantum money scheme. It shows that our semi-device-independent approach is close to the strongest possible money scheme. To clarify, by the strongest, we mean here that we maximally reduce trust in the inner working of all quantum devices that are used in all stages of money production and verification.

We have provided a protocol of quantum money, which has relaxed assumptions with respect to Wiesner's protocol and is at the same time immune to a broader class of attacks.

Considered attacks and the aspect of classicality of the money have not been considered so far. The attacks are, in fact, hardware Trojan horse attacks that can exploit modification of both the production and verification process.

It is plausible that the proposed scheme inherits the security of the underlying, in our case, the original semi-device-independent quantum key distribution protocol. Given the full proof of security of the SDI QKD against a forward signaling adversary, as it is the case for the DI QKD [65] (see [66] for the latest breakthrough), it may follow that our suitably modified scheme is fully unforgeable. Sufficient modification concerns the communication in the verification procedure. The counterfeiter would need to give the answer(s) $({a}_{A}^{i},{a}_{F}^{i})$ after getting inputs $({x}_{A}^{i},{x}_{F}^{i})$, but before learning next inputs $({x}_{A}^{i+1},{x}_{F}^{i+1})$. In such a case, each possible history-dependent lie can be treated safely as a part of the attack of the device and hence would not affect the model. The rest of the proof would follow from similar arguments as above with proper use of the concentration of martingales. It is, therefore, important to verify if the SDI protocol is fully secure. An intermediate step would be to extend the security proof the presented SDI quantum money scheme to its variant given in [67] proves there to be secure against collective attacks.

One might think that we could have used the scheme of the device-dependent key secure against the quantum adversary [65] directly, avoiding thereby unnatural assumption that the terminal can change (lie about) output values only in an independent manner during verification procedure. It is indeed straightforward to extend the idea presented here for a single Bank's branch with much weaker assumptions. However, it needs suitable modifications leading to a novel scheme, in order to be extended to the case with multiple Bank's branches. This approach, therefore, results in a scheme fundamentally different from the original one and its follow-ups like the presented SDI quantum money scheme.

In general, SDI QKD and the SDI quantum money scheme are connected by the honest implementation and underlying game as well as by the common concepts that assure their security. However, they are also different, as we have discussed, in that, in particular, they have different thresholds for the number of correct guesses in the random access code game. It is because the conditions leading to security thresholds does not coincide, reflecting difference in security scenarios. It is important here to note that the moderate error threshold opens the possibility to some robustness to noise, which is important to study further (see in this context recent article [68]). It is also important to ask if other games than the random access code game, can lead to similar schemes via our concept of 'winning in more than half of possible times' as we exposed in equation (2). Considering other setups can lead possibly to weakening of the assumptions much in the same way as the assumptions of SDI QKD has been to some extent relaxed in [68] for private randomness certification.

Given a more promising for practical realization variant of this scheme exists, one should consider its robust version that can be realized in the laboratory, including all side effects that may potentially open it for the attacks of hackers. This aspect of the SDI QKD has been recently studied in [35, 67, 69–71].

Another important direction of development would be checking if the proposed scheme could be treated as an option for a user of the original Wiesner's scheme or its other extensions like Gavinsky's protocol. The resulting scheme would give higher protection against Trojan horse attacks, matching the best of two approaches. In the presented scheme, the banknotes (even in case of the honest client Alice) are inevitably lost during verification. It seems natural (like it is done by Gavinsky [7]) to extend our scheme to the case of the transactions, which we also defer to the future work.

Finally, in a bit speculative way, we have put forward a hypothesis called the Quantum Oresme–Copernicus–Gresham's law: an analog of the classical law of the economy, also known as Gresham's law. We have supported the possible validity of this hypothetical law based on different realizations of the SDI quantum money scheme, corresponding to the different values of the threshold leading to the acceptance of money. These speculations need further, more formal, exploration with examples based on more types of currencies, as well as an extension (what appears to be straightforward) to the case of resources within the paradigm of [72].