Demonstration of quantum-digital payments

Digital payments have replaced physical banknotes in many aspects of our daily lives. Similarly to banknotes, they should be easy to use, unique, tamper-resistant and untraceable, but additionally withstand digital attackers and data breaches. Current technology substitutes customers’ sensitive data by randomized tokens, and secures the payment’s uniqueness with a cryptographic function, called a cryptogram. However, computationally powerful attacks violate the security of these functions. Quantum technology comes with the potential to protect even against infinite computational power. Here, we show how quantum light can secure daily digital payments by generating inherently unforgeable quantum cryptograms. We implement the scheme over an urban optical fiber link, and show its robustness to noise and loss-dependent attacks. Unlike previously proposed protocols, our solution does not depend on long-term quantum storage or trusted agents and authenticated channels. It is practical with near-term technology and may herald an era of quantum-enabled security.

The development of quantum algorithms compromising modern cryptography has triggered a global search for stronger security levels [1][2][3]: the security of current cryptographic schemes relies on computationally hard mathematical problems (known as computational security), which should be replaced by quantum-resistant schemes. While research and standardization for such quantum-resistant solutions is blossoming, some of them have already been broken by computational attacks [4][5][6].
Quantum-mechanical laws, on the other hand, can provide security against adversaries with unlimited computational power for some tasks [7,8]. This type of security, known as information-theoretic security (i.t.-security), is one of the motivations towards a quantum internet [9]. So far, Quantum Key Distribution (QKD) is the most mature and widely implemented quantum technology: it allows two mutually trusted parties to communicate securely over a public channel. QKD can already establish i.t.-secure connections over 500 km of optical fiber [10,11] and 1,000 km of free space using satellites [12,13].
In the modern era of digital payments ranging from contactless purchases to online banking, a plethora of new security threats arise. One significant threat occurs when customers interact with untrusted merchants, who may not have sufficient means to protect against external hackers, or may be malicious themselves [14]. In that case, a binding commitment between the customer, the merchant and the bank or payment-network is required to guarantee the validity of a transaction. Such a bond usually comes in the form of a cryptogram [15,16], which is the output of a hash function that guarantees the one-time nature of each purchase. Since not all parties involved are trusted, QKD is not suitable to provide i.t.-security here, and other quantum solutions need to be established. Device-independent versions of QKD [17][18][19], which do not assume trusted quantum sources or detectors, are also inadequate, since the final classical output (i.e. the cryptogram) is handled by the untrusted parties themselves.
Motivated by the no-cloning property of quantum mechanics, previous works have investigated the potentials and drawbacks of using quantum light in the prevention of banknote counterfeiting [20][21][22] and double-spending with tokens or credit cards [23][24][25][26][27]. Introducing this fundamentally new type of money to everyday scenarios is, however, technologically challenging: quantum states must be stored over days or months to ensure flexible spending. This is far beyond state-of-the-art quantum storage times, which range from a few microseconds to a few minutes [28][29][30]. Recently, an interesting alternative was proposed, replacing quantum storage by a network of trusted agents and authenticated channels, positioned at precise spatial locations with respect to the spending points [31,32]. From a practical standpoint, this approach presents new drawbacks, as customers and online shoppers do not have the means to securely set up complex trust networks for everyday transactions. Furthermore, accurately monitoring the spatial and temporal coordinates of verifiers requires a trusted Global Positioning System (GPS), which opens the door to undesired spoofing-type attacks [33].
In this work, we show how quantum light can provide practical security advantages over classical methods in everyday digital payments. As shown in FIG. 1, we generate and verify i.t.-secure quantum cryptograms, in such a way that the unforgeability and user privacy properties from previous experimental works hold [32], but all intermediate channels, networks and parties are untrusted, thus significantly loosening the security assumptions. Only one authenticated communication (between the client and their payment provider) has to take place at an arbitrary prior point in time. The concealment of the customers' sensitive information is guaranteed by an i.t.-secure function, and the commitment to the purchase is guaranteed by the laws of quantum mechanics. Additionally, no cross-communication is required to validate the transaction in the case of multiple verifier branches. Our implementation is performed over a 641 m urban fiber link, and can withstand the full spectrum of noise and loss-dependent attacks, including those exploiting reporting strategies [34].

FIG. 1. Simplified representation of quantum-digital payments. As in classical payments, we consider three parties: a Client, a Merchant and a Bank/Creditcard institute. In contrast to [32], we do not assume any quantum or classical communication channel to be trusted (i.e. CH 1, CH 2 and CH 3 are insecure), except an initial prior step between the Bank and Client for an account creation. All parties involved apart from the Bank can also act maliciously. During a payment, the Bank sends a set of quantum states to the Client's device (e.g. phone, computer, etc.), who measures them and transforms them into a quantum-secured payment token, the cryptogram, which we display here as a one-time credit card. The Client uses this classical token for paying at the Merchant, who then contacts the Bank for payment verification. If the payment is accepted, the bank transfers the money from the Client's account to the Merchant's.
Digital payments. We first describe the main security concepts of today's online and contactless purchases [15,16] (actual implementation may vary). Following FIG. 2, each Client initially sets up an account with a Trusted Token Provider (TTP) via a secure communication channel. The TTP is usually the Client's bank, credit card provider, or a trusted external company. Through this initial step, the Client is assigned a unique identification token C, which is stored securely on both the Client's and TTP's devices. The Client's stored data can be e.g. an electronic wallet or a virtual credit card stored on a smartphone, watch, etc.
When the Client wishes to purchase goods or services from a given Merchant M_i, it has to be ensured that malicious parties, including untrusted Merchants, cannot spend in the Client's name at another place or time. That is why the Client receives a one-time payment token P from the Merchant or TTP, which is used to compute a cryptogram, an output of a function of their secret token C, the Merchant's public ID M_i, and the one-time payment token P. We note here that the Merchant ID M_i must be valid and honest (e.g. provided by a Public Key Infrastructure or a securely pre-shared locally stored database). This cryptogram, which we call κ(C, M_i, P), is communicated to the Merchant, who then sends it to the TTP for verification. The TTP can verify the signature and uniqueness of the cryptogram, since they have knowledge of all three inputs C, M_i and P.
In real-world applications, the cryptogram is the output of a cryptographic hash or encryption function [16,35] that is computationally secure. However, this would allow a malicious party with sufficient computational power to run through all input combinations of C, P and M_i until they recover the one combination that matches the original cryptogram. In that case, the Client's ID and payment data are completely compromised.
Quantum advantage. Considering these attacks only, previous quantum digital signature schemes can provide i.t.-security [36,37]. However, they typically require QKD channels and classical authentication between all three parties.
In this work, we propose a quantum solution that requires only one QKD for the initial step between Client and TTP (Step 1 in FIG. 2). It is similar to classical digital payments, but replaces the one-time payment token P by a sequence |P⟩ of quantum states. That is to say, κ(C, M_i, P) becomes κ(C, M_i, |P⟩) and steps 2-5 from FIG. 2

Since p_d and p_t should be of the same order of magnitude we choose p_d ≈ p_t = 1/ |C|. This will yield the number N of quantum states necessary to verify one bit of the cryptogram. As the bit length of any MAC is defined as log_2(|m|), the entire length of the quantum token will be given by λ = N · log_2(|m|) = N · log_2( |C|). Any additional parameter that should be committed to during the transaction (e.g., payment amount) can be added as an input to the MAC function.
Just like QKD provides i.t.-security for key exchanges such as Diffie-Hellman [43], our scheme provides i.t.-security for the one-time property of cryptograms: while the concealment of C is guaranteed by the i.t.-secure MAC, the commitment to M_i is ensured by the irreversible nature of quantum measurements (see Methods). Notably, our quantum commitment is not limited by the impossibility theorem of quantum bit commitment [44,45], in which one of the two parties can delay their quantum measurements in time. This is because in our protocol one of the interacting parties is assumed to be honest (the TTP).
We note that our implementation contrasts with those of QKD schemes in two ways. First, the choice of measurement basis is deterministic as opposed to random. This effectively commits the purchase to a given Client token and Merchant. Second, the measurement bases are never publicly revealed, which has the interesting benefit of hiding the Merchant that was chosen by the Client until verification is required [32].
Loss-dependent security. Although the security of commitment is guaranteed by the laws of quantum mechanics in theory, certain considerations have to be taken into account in a practical setting: due to imperfections of real devices (inaccurate state preparation, lossy quantum channels, non-unit detection efficiency), some quantum states will deviate from their ideal classical descriptions, or get lost along the way. In fact, some bits in step 5 will be unequal, although measured in the same basis (i.e. (κ_i)_j ≠ b_j when (m_i)_j = B_j) and the protocol would abort even though it was followed honestly. This is why we have to allow for errors and losses during the verification procedure. In turn, a malicious party can exploit this new allowance to circumvent the commitment or double-spend the cryptogram.
As an example, assume that the TTP tolerates as many as 50% losses. A malicious Client could then measure half of the quantum token |P⟩ in the basis for M_0 and the other half in the basis for M_1, effectively creating two successfully committed tokens. While double-spending is certainly possible with a loss-rate as high as 50%, we use semidefinite programming to identify combinations of error- and loss-rates for which an attack can still be detected. Intuitively, the derivation involves searching for the cheating strategy that minimizes the malicious party's introduction of excess errors and losses in the protocol (see Methods). We note that, to the best of our knowledge, such powerful loss-dependent attacks were not considered in previous quantum token implementations [24,32].
Experimental demonstration. We implement our quantum-digital payment scheme over the deployed optical fiber link depicted in FIG. 3. The TTP employs a spontaneous parametric down conversion (SPDC) source to create a pair of polarization-entangled photons in the state The TTP keeps one of these photons and employs a 50/50 beamsplitter to probabilistically direct it to one of two polarization projection stages, measuring its polarization in either the linear H/V ( ) or diagonal D/A ( ) basis. This creates the random classical description (b, B) and remotely imprints the payment token |P⟩ onto the second photon.
The payment token is sent to the Client, located in another building, through a 641 m optical fiber link. Using a half-wave plate, the Client commits to exactly one Merchant from the set {M_0, M_1} by measuring either in the H/V basis for m_0 = MAC(C, M_0) or in the D/A basis for m_1 = MAC(C, M_1). In this way, the Client retrieves the classical cryptogram κ(C, M_i, |P⟩), and forwards it to the Merchant, who is, for convenience, located in the same laboratory. Note that in the case of more than two merchants, the token is split into several sub-tokens that are each measured either in H/V or D/A. We discuss how to adapt the token length in the following section.
At any later time, the Merchant transmits the cryptogram received by the Client back to the TTP, using a classical channel that links the two buildings. The TTP finally checks the compatibility of (b, B) with M_i, C and κ_i, and accepts or rejects the requested transaction.
Results. We repeatedly execute the experiment for both commitments in H/V and D/A. The average measured error rate is 1.45 ± 0.01% for H/V and 3.28 ± 0.01% for D/A. The overall losses, combining the deployed fiber link and the Client's setup (including detection efficiency), are estimated at 22.40 ± 1.50%, while the multiphoton emission probability, measured through a correlation measurement, is 6.76 ± 0.12%. The details of these values are presented in the Supplementary Information.
With a maximum measured error rate of e_m = 3.28 ± 0.01% (D/A) and losses of l_m = 22.40 ± 1.50%, we lie within the calculated secure region as depicted in FIG. 4.a. In fact, according to our semidefinite programs (see Methods), a cheating party will introduce errors larger than e_d = 3.79 ± 0.22% when double-spending with the same amount of claimed losses l = l_m. With e_m < e and l_m < l by two standard deviations, we therefore demonstrate that a TTP can allow for honest experimental imperfections while ensuring protection against malicious parties.
The i.t.-secure implementation of our protocol depends only on statistical fluctuations arising from the finite number of generated quantum states: a malicious party may indeed successfully cheat by introducing fewer losses or errors than the expected asymptotic values displayed in FIG. 4.a.
We use the Chernoff bounds from FIG. 4.b to estimate the dishonest success probability p_d associated with the number N of quantum states required to verify one bit of the cryptogram. We also determine the probability p_h that the protocol does not abort when followed honestly, which tends to p_h ∼ 1 as N is increased.
Discussion. We propose and demonstrate a form of quantum payment that guarantees the one-time nature of purchases with i.t.-security. By increasing the length of the quantum token, the cheating probability becomes arbitrarily low in the presence of experimental imperfections such as noise and losses. The implementation does not require any challenging technology on the Client's side, besides single-photon detection.
While typical contactless payment delays are of the order of seconds, our quantum communication and verification provide i.t.-security within a few tens of minutes. These limitations are, however, only technological: quantum communication rates can be improved by using brighter quantum sources, while the verification delay originates from the correction of time-tagging drifts between the two buildings (see Methods). Indeed, brighter sources of entangled photon pairs have already been demonstrated, which could decrease the quantum token transmission time to under a second [46].
We finally note that practical digital payment schemes must allow for rejected payments without compromising the Client's sensitive data. In our scheme, the adversary can compromise the payment token |P⟩ sent over the quantum channel, the cryptogram sent over the classical channel or the Client's choice of M_i.
In the first two cases, quantum mechanics will ensure that the TTP recognizes the malformed cryptogram and rejects the payment with arbitrarily high probability. The transaction may then be restarted. However, an i.t.-secure MAC must not re-use the key C (see Methods), which is why we propose the use of an n-time-secure MAC to overcome this obstacle. This allows re-using C as an input for the following payments, which imposes a finite, arbitrary bound on the number of purchases [39,40]. We can amend our protocol such that the number of purchases is not bounded by the MAC function, by growing C during the payment process: when the Client receives a new quantum token |P⟩, we append additional quantum states for QKD, and use the cryptogram κ for authentication. To protect against the third case, it must be ensured that the Client's choice of M_i is independent of any external bias. This can for example be guaranteed if a secure database of Merchants is initially distributed along with C and the Client chooses freely without any prior communication with the Merchant. Alternatively, the Merchant may send their ID to the Client, who uses the local database as a 2nd factor authentication.
Our protocol's relaxed implementation requirements with respect to previous proposals, together with its error-tolerance, facilitate its deployment in mid-term quantum networks. Classical networks host applications beyond mere communication tasks. Similarly, a future quantum internet will necessitate the maturation of various quantum primitives and applications beyond QKD [9,47]. Our scheme advances the field of quantum payment schemes towards mid-term practical relevancy.

Methods
Cryptogram. A cryptogram is a cryptographic function that secures tokenized payments (e.g. online, contactless, and in-app-payments) against double-spending [15,16]. The actual cryptographic mechanism varies per payment network, but a typical procedure is challenge-response.
Here, the Client is not only in possession of a payment token, but also shares a secret key with the TTP [35]. During the payment, the Merchant generates a pseudorandom value (called a nonce), and sends it to the client who encrypts it with this key (typically, symmetric encryption with ≥ 128 bit key strength is used). The resulting cryptogram is sent alongside the payment metadata (e.g. merchant ID, amount, etc.) to the Merchant, who forwards it to the TTP. As the TTP is in possession of the key, they are able to decrypt and prove the correctness of the nonce for the given payment at the Merchant. Spending the token for another transaction is impossible under the assumptions of computationally secure encryption.

where l ∈ N is some security parameter. This is similar to the probability of finding the decryption key for a given one-time pad. Different such schemes exist, in which a key k can either only be used once [37,38,41], a finite amount of times [39,40], or outputted tag length is variable [41,42].

Semidefinite programming. Our quantum-cryptographic security proof involves optimizing over semidefinite positive objects to find an adversary's optimal cheating strategy. Semidefinite programming provides a suitable framework for this, as it allows to optimize over semidefinite positive variables, given linear constraints [49]. Most of the time, these variables are density matrices, measurement operators, or more general completely-positive trace-preserving maps [50]. Semidefinite programs present an elegant dual structure, which associates a dual maximization problem to each primal minimization problem. The optimal value of the primal problem then upper bounds the optimal value of the dual problem, allowing to prove tight bounds on the adversarial cheating probability (see [26] for instance).
Optimal cheating strategy. Using semidefinite programs, we search for the optimal completely-positive trace-preserving quantum map which minimizes the introduction of noise and losses for an adversary attempting to double-spend the cryptogram. The security analysis takes into account multiphoton emission, and assumes the absence of coherence between photon number states. The latter is justified by the fact that SPDC produces states of the form Σ_{n=0}^∞ √c_n |n⟩_1 |n⟩_2 in the {|n⟩} photon number basis [51], which leaves the individual subsystems in states of the form Σ_{n=0}^∞ c_n |n⟩⟨n|. The resulting cheating strategy is fairly intuitive when considering two extreme cases: when the tolerated error rate is zero, the malicious party splits the quantum token into two equal parts, and measures each half in a different basis. This leads to two tokens that are committed to different merchants with zero error, but with 50% losses on each. On the other hand, when the tolerated losses are zero, the malicious party measures all states in a basis that is rotated by 22.5° with respect to the H/V basis. Such a measurement will identify the correct encoded bit with a probability of ∼ 85.4%. The actual optimal cheating strategy corresponding to our experimental parameters is a combination of these two extreme strategies.
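The two extreme strategies described above can be checked numerically from the Born rule, together with why a TTP operating at the reported tolerances flags both. This Python sketch is an added example, not code from the paper: it models only ideal single-photon polarization states (no vacuum or multiphoton terms), and the per-axis threshold check `flagged`, with tolerances set to the reported l_m = 22.40% and e_d = 3.79%, is an assumed simplification of the SDP-derived secure region.

```python
import math

# Constructed model of the four token polarizations:
# name -> (polarization angle in degrees, preparation basis, encoded bit).
STATES = {
    "H": (0.0, "HV", 0), "V": (90.0, "HV", 1),
    "D": (45.0, "DA", 0), "A": (135.0, "DA", 1),
}

# Tolerances taken from the values reported in the text (assumed per-axis check).
LOSS_TOL = 0.2240    # l_m, measured honest losses
ERROR_TOL = 0.0379   # e_d, minimum error a double-spender introduces at l = l_m


def error_in_basis(theta_deg, basis):
    """Average probability that a measurement along theta_deg yields the wrong
    bit for the states prepared in `basis` (Born rule, linear polarization)."""
    errs = []
    for angle, prep_basis, bit in STATES.values():
        if prep_basis != basis:
            continue
        # Probability of outcome "0" (projection onto the theta_deg axis).
        p0 = math.cos(math.radians(angle - theta_deg)) ** 2
        errs.append(1.0 - p0 if bit == 0 else p0)
    return sum(errs) / len(errs)


def rotated_basis_strategy(theta_deg):
    """Zero-loss extreme: measure every state along theta_deg and reuse the
    outcome for both cryptograms. Returns (loss, error_kappa0, error_kappa1)."""
    return 0.0, error_in_basis(theta_deg, "HV"), error_in_basis(theta_deg, "DA")


def split_strategy(fraction_hv):
    """Zero-error extreme: measure `fraction_hv` of the token in H/V, the rest
    in D/A, and declare unmeasured positions lost.
    Returns (loss_kappa0, loss_kappa1, error_kappa0, error_kappa1)."""
    return 1.0 - fraction_hv, fraction_hv, 0.0, 0.0


def best_rotation(step_deg=0.5):
    """Angle in [0, 45] degrees that minimizes the larger of the two errors."""
    angles = [i * step_deg for i in range(int(45 / step_deg) + 1)]
    return min(angles, key=lambda a: max(rotated_basis_strategy(a)[1:]))


def flagged(loss, error, loss_tol=LOSS_TOL, error_tol=ERROR_TOL):
    """Simplified TTP check: reject when either rate exceeds its tolerance."""
    return loss > loss_tol or error > error_tol


if __name__ == "__main__":
    theta = best_rotation()
    _, e0, e1 = rotated_basis_strategy(theta)
    print(f"best rotation: {theta} deg, success probability {1 - max(e0, e1):.3f}")
    print("rotated-basis attack flagged:", flagged(0.0, max(e0, e1)))
    l0, l1, _, _ = split_strategy(0.5)
    print(f"split attack losses: {l0:.2f}/{l1:.2f}, flagged:", flagged(max(l0, l1), 0.0))
```

The sweep recovers the 22.5° rotation and the roughly 85.4% success probability quoted in the text; the intermediate region between the two extremes is what the semidefinite program bounds.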

State generation. An SPDC process in a periodically-poled KTP crystal is pumped with a continuous-wave 515 nm laser, yielding a pair of polarization-entangled and color-entangled photons. One photon is emitted at around 1500 nm, while its orthogonally polarized counterpart is emitted around 785 nm. Experimental demonstrations using a similar entanglement design were reported in [52,53]. Since the spectral bandwidths of the two SPDC processes are not equal, a tunable EXFO bandpass filter is inserted into the 1500 nm arm to equalize them and enhance the entanglement visibility. In order to render the two photons temporally indistinguishable, an unpoled KTP crystal of half the length of the ppKTP crystal, with axes rotated by 90° with respect to the ppKTP axes, is inserted.
Single-photon detection. After the optical fiber link, the 1500 nm photons are detected with PhotonSpot superconducting nanowire single-photon detectors, with efficiencies around 93% (see Supplementary Information for detail), while the 785 nm photons are locally detected in the TTP's laboratory using Roithner avalanche single-photon detectors, with efficiencies around 50%. A set of paddles, inserted before the polarization measurement, is used to compensate for polarization drifts over the fiber link.
Data post-processing. The TTP's and Client's single-photon detectors are connected to two different Time-Tagging Modules (TTM). In order to recover coincidences between the two buildings, careful synchronisation of the two modules is required: first, the internal clocks of the respective modules bear an offset with respect to one another, due to the photon travel time through the optical fiber link. Second, the cycles of the internal clocks of the two TTMs drift with slightly different rates, resulting in an offset drift over time. Finally, there is an electronic delay due to different detector response times, and the TTMs only record time tags relative to the time they were activated. All these factors were corrected with our post-processing code.

Data was acquired for 60 min at a pump power of 35 mW. Coincidences were calculated using four different time windows: 0.33 ns (green), 0.99 ns (blue), 1.98 ns (red), 2.96 ns (violet). From this measurement, we determine g_h^(2)(0) = 0.03010(14) for the coincidence window used in the implementation of the protocol. Shaded areas represent error propagated uncertainties due to poissonian photon statistics.

Heralded second order correlation function measurement. To measure the heralded second order correlation function g_h^(2)(τ), the 1500 nm (telecom) photons created by our SPDC source are sent directly to an InGaAs detector (idler detector labelled D_i), while the 785 nm photons are routed to a 50/50 fiber beamsplitter, with both outputs connected to one detector each (labelled D_1 and D_2).

g_h^(2)(τ) can be written as [54] g where N_i is the total number of events detected in the telecom detector during the measurement integration time; N_i1(0) are the 2-fold coincidence events between the telecom detector and D_1 at 0 delay; N_i2(τ) are the 2-fold coincidence events between the telecom detector and D_2 at delay τ; and N_i12(τ) are the 3-fold coincidences between all 3 detectors with delay τ = 0 between the telecom detector and D_1, and delay τ to D_2. Pumping the SPDC source with 35 mW, data was acquired for about 60 min.
g_h^(2)(τ), with coincidence time windows of 0.33 ns, 0.99 ns, 1.98 ns, 2.96 ns, is shown in FIG. 5. A source dominated by single photons has a g_h^(2)(0) < 0.5, with g_h^(2)(0) = 0 for a true single-photon source. From our measurements with a coincidence window of 2.96 ns, which is close to the combined jitter of the SPADs and coincidence logic and therefore the most meaningful value, we determined g_h^(2)(0) = 0.03010(14).
The tag space |T| depends on the message- and key space. For a message space of size |K| = |M|^2, the probability of forging a valid authentication tag is A construction as above is referred to as 1-time-secure, whereas similar other n-time-secure constructions exist if k ∈ K is to be used multiple times [11,12].
Note that, while assuming such a matrix is not necessary for ITS authentication, we use it as an example to simplify the above cheating probability derivation.

III. SECURITY AGAINST DOUBLE-SPENDING
A. For N = 1.
This section derives the security analysis for a token consisting of N = 1 quantum state. The aim is to derive a border between the secure region of operation, containing all pairs of experimental imperfections (l, e) for which the presence of a malicious party can be detected, and its corresponding insecure region, containing all pairs of dishonest experimental deviations (l, e) for which a malicious behavior cannot be detected. In both cases, l denotes the fraction of quantum states from |P⟩ that are declared as losses, while e denotes the fraction of quantum states from |P⟩ for which the declared measurement outcome disagrees with the classical description (b, B).
In the simplest case, a successful attack consists in producing two cryptograms κ_0 and κ_1 for two distinct Merchants M_0 and M_1 that both pass the TTP's verification test. We note that in this two-merchant scenario, the information contained in the output of the HMAC function is one bit regardless of the actual length of the output. We may therefore reduce the commitments M_0 and M_1 to measurements of |P⟩ in the Z and X bases, respectively.
In order to succeed in their optimal attack, the dishonest party may perform any general quantum operation on |P⟩, and replace all lossy and noisy channels by perfect ones. The TTP may then detect an attack only if their (potentially tampered with) measured noise and losses lie within the secure region of operation. We use SDP techniques from I A to minimize the errors e that the adversary must induce/declare while introducing at most l losses. We optimize over the set of all possible CPTP maps {Λ}, that produce two classical cryptograms living in Hilbert space H_0 ⊗ H_1 from the original experimental quantum token state ρ_P living in H_P. The resulting secure/insecure regions of operation are shown in Fig. 4.a in the main text.
We note that H_0 and H_1 are 3-dimensional Hilbert spaces spanned by classical answers {|a_0⟩, |a_1⟩, |∅⟩}, where |a_0⟩ and |a_1⟩ are orthonormal basis vectors indicating two possible classical answers (0 and 1 respectively), and |∅⟩ is a third basis vector (orthogonal to the two others) indicating the declaration of a lost state. On the other hand, H_P is a 7-dimensional Hilbert space spanned by {|v⟩, |q_0⟩, |q_1⟩, |m_0⟩, |m_1⟩, |m_2⟩, |m_3⟩}, where |v⟩ is the vacuum state, |q_0⟩ and |q_1⟩ span a qubit space, and |m_i⟩ constitute the four orthogonal outcomes which materialize the four perfectly distinguishable states in the multiphoton subspace. Since the states produced by SPDC are of the form Σ_{n=0}^∞ c_n |n⟩_1 |n⟩_2 in the {|n⟩} photon number basis [13], this leaves the individual subsystems in states of the form Σ_{n=0}^∞ c_n |n⟩⟨n|. Our four states may then be written as the following density matrices : where |+⟩, |+i⟩, |−⟩, |−i⟩ are the usual X and Y eigenstates in the qubit space spanned by |q_i⟩ and the photon number populations p_n are estimated from our experiment. This allows to express the experimental quantum token state ρ_P as: The probability P_0 that κ_0 does not pass the TTP's verification is then given by: while the probability P_1 that κ_1 does not pass the TTP's verification reads: where |a_k^⊥⟩ is the wrong, orthogonal answer to |a_k⟩. Using Eq. (6), we may rewrite these expressions as P_0 = Tr(E_0 J(Λ)) and P_1 = Tr(E_1 J(Λ)), where E_0 and E_1 are the error operators: where σ_k denotes the complex conjugate of σ_k. Following a similar reasoning, the probability that the dishonest party declares losses for κ_0 (resp. 1) reads Tr(L_0 J(Λ)) (resp. Tr(L_1 J(Λ))), where L_0 and L_1 are the loss operators, containing the projection onto the state |∅⟩:
We now search for the optimal CPTP map Λ that minimizes e for a fixed l. We recast this problem as the following primal SDP (which we choose to be a minimization problem rather than a maximization problem for the sake of intuition): The first constraint imposes that Λ is trace-preserving, the second imposes that the error rate for cryptogram κ_0 is at least equal to that for cryptogram κ_1, the third and fourth impose that the losses declared for κ_0 and κ_1 do not exceed the expected honest losses, and the fifth imposes that Λ is completely positive. The numerical primal optimal values {e^(primal,1)} of Eq. (14) are plotted in Fig. 4.a in the main text as a function of loss tolerance l. Following the methods from I A, we derive the dual problem associated with Eq. (14) to prove that e^(primal,1) provides a tight upper bound on the cheating probability. This problem can be written as: and its numerical optimal dual value e^(dual,1) indeed satisfies e^(primal,1) = e^(dual,1). Note that the error and loss operators are hermitian, i.e. L_x† = L_x and E_x† = E_x.
In this section we show that, when N → ∞, a malicious party does not gain any advantage in correlating the N states in the quantum token (i.e., that the single-state security bounds derived in III A still hold).Following the exponential de Finetti arguments from [14], it is sufficient to argue that, since our quantum token state is symmetric under arbitrary re-ordering of the N quantum states, the individual states are well approximated by a mixture of independent and identically distributed states.
The security analysis based on semidefinite programs is convenient for N = 1 quantum states, and for proving that the resulting cheating strategy is indeed optimal.In our particular case, one can also derive an analytical expression that fits the optimal cheating strategy derived in III A: which is a function of losses l and multiphoton emission probability p m .We can therefore easily determine how many errors a malicious Client has to introduce in order to comply to a certain constraint on losses and still double spend.Equivalently, through simple inversion of this equation, we can determine the amount of losses needed for successful cheating given the amount of declared errors e: Eq. ( 16) and Eq. ( 17) describe the secure region from Fig. 4.a in the main text.For simplicity, we define a new parameter M(e, l), which indicates the overall amount of mishaps (i.e.any combination of errors and losses) a TTP might receive from a malicious party.By upper bounding this expression, we can easily specify the secure region: C. For N finite Since N will be finite in a realistic implementation, it is necessary to study the effect of finite-length statistics on the honest and dishonest success probabilities p h and p d , respectively.A malicious party may indeed successfully cheat by introducing fewer losses or errors than the expected asymptotic values displayed in Fig. 4.a in the main text.We will make use of Chernoff-Hoeffding inequalities from Eq. (I C) to bound this probability.
While the TTP allows for a certain amount of losses and errors, in order for the protocol to work in a realistic, i.e. imperfect, scenario, there is still some probability that the honest parties actually introduce more than the expected number of errors and/or losses, i.e. $M(e_h^{\mathrm{act}}, l_h^{\mathrm{act}})$. We denote the probability that this occurs as $p_h^{\mathrm{fail}}$. Following Eq. (I C), it is possible to upper bound $p_h^{\mathrm{fail}}$ as: for some $\delta_h$. The honest success probability $p_h$ of the protocol is then defined as the probability that the protocol does not abort when it is followed honestly. Therefore it can be expressed as: As is apparent, the correctness increases exponentially with $\delta_h^2$ and $N$. However, since the TTP also has to allow for more errors and losses with increasing $\delta_h$, they are more vulnerable to malicious parties. We thus need to ensure that: This inequality upper bounds the allowed value of $\delta_h$ without jeopardizing the information-theoretic security of the protocol.
Similarly, it might be possible for a cheating party to introduce fewer errors and losses than expected from the theoretical security proof. Following Eq. (I C), we upper bound this probability $p_d$ as: for some $\delta_d$. Using Eq. (21), we must then ensure that: Since this is the amount of mishaps the TTP allows for in order to assure the correctness of the protocol.

IV. SECURITY OF THE CRYPTOGRAM
In our protocol, we use an i.t.-secure MAC to compute the measurement basis string for the quantum token $|P\rangle$. That is, we measure $|P\rangle$ according to $\mathrm{MAC}(C_i, M_i)$, where $C_i \in C$ is a preshared key of the Client with the TTP, and $M_i$ is the ID of the Merchant where the payment token is spent. This facilitates the security of the quantum channels as well as the classical channels.
To guarantee a decent level of security, one has to fare the number of quantum states N for a single payment token (see III) We stress that this also holds for n-time-secure constructions (see II D), just that |C| needs to be chosen accordingly.

V. INTUITION ABOUT POTENTIAL ATTACKS ON UNTRUSTED CHANNELS
In the following we will discuss the potential attacks our protocol protects against, and en passant explain which part of our scheme serves which precise purpose. Note that the following is only an intuitive explanation of the rigorous security proof provided in the previous section.

A. Compromising classical channels
We have two classical channels in our protocol, namely CH2 (Client → Merchant) and CH3 (Merchant → TTP) in FIG. 1 of the main text. Since both of them are untrusted, it is possible for a malicious third party to intercept them and modify the cryptogram $\kappa(C, M_i, |P\rangle)$ towards another merchant $M_i'$ on CH2 or change the merchant's ID $M_i$ towards another merchant's $M_i'$ on CH3.
CH2: To be accepted by the TTP, the attacker has to find another $\kappa'(C, M_i', |P\rangle)$ for the Client's secret $C$ that commits the purchase to another Merchant $M_i'$. This is impossible for two reasons:
1.) The attacker would need to determine $C$ from the Client to calculate a second set of measurement bases $m' = \mathrm{MAC}(C, M_i')$, and $C$ is supposed to be securely distributed between Client and TTP. It is impossible to determine $C$ from $\kappa$, as the function $\mathrm{MAC}(C, M_i)$ that yields the measurement basis is information-theoretically irreversible, and its output is additionally hidden in the quantum measurement and therefore unknown to the attacker.
2.) Even if the attacker had access to $C$ for some reason, e.g. by accessing the Client's memory, he would require the classical description of the quantum token $|P\rangle$, since it is already measured and quantum measurements are destructive. However, the classical description is only known by the TTP and never communicated.

CH3: To change the $M_i$ that is communicated together with $\kappa$, the attacker has to find an $M_i'$ that generates the same measurement bases $m' = \mathrm{MAC}(C, M_i')$ that were used to generate $\kappa$. To do so, he would need access to $C$, which is supposed to be securely distributed between Client and TTP. However, even if he had access, the chances of finding a collision such that $\mathrm{MAC}(C, M_i) = \mathrm{MAC}(C, M_i')$ for a given $C$ are exponentially low due to the information-theoretic nature of the MAC function.
If the Merchant requires instant notification of the payment's acceptance, however, this channel requires authentication such that the Client cannot alter this message.
Please note that both attacks can be performed by a malicious Merchant as well (who has access to both channels and is supposed to be untrusted), but fail for the same reason.

B. Compromising the quantum channel
A significant advantage of our scheme is that it is preferable but not necessary to authenticate the quantum channel used to distribute $|P\rangle$. Let us suppose that a malicious party intercepts the quantum states $|P\rangle$ and sends their own quantum states $|P'\rangle$ to the Client instead. After the Client measures $|P'\rangle$ in the basis $\mathrm{MAC}(C, M_i)$, they will hold the cryptogram $\kappa' = \kappa(C, M_i, |P'\rangle)$. If $\kappa'$ reaches the TTP, the transaction will be declined since $\kappa(C, M_i, |P'\rangle) \neq \kappa(C, M_i, |P\rangle)$ (within the error/loss tolerance allowed by the security analysis). This means that the Client as well as the TTP will be able to detect that the quantum states have been tampered with and that precautions should be taken. Another possible cheating strategy is for the malicious party to use the quantum token $|P\rangle$ themselves and measure it in a basis other than the one the Client had intended. However, the malicious party does not know $C$, since it was securely distributed only between Client and TTP, and is thus unable to determine any measurement basis $m_j$ that will be accepted for the Merchant that they choose.

C. Compromising both channels simultaneously
Let us now suppose that a malicious party intercepts $|P\rangle$ on the quantum channel, replaces it with another quantum token $|P'\rangle$, and waits for the honest Client to send the resulting $\kappa'$ on the classical channel. If the Client were to measure $|P'\rangle$ in a basis that depends on $C$ in a simple way, e.g. $m_i = M_i \oplus C$, then the malicious party gains knowledge of $C$, and can then substitute the Client's identity in multiple transactions. This is why we use a MAC instead: even if the malicious third party gets hold of $\kappa'$ and, by knowing $|P'\rangle$, deduces the measurement basis $m_i$, they are unable to retrieve $C$, because of the information-theoretically secure nature of the MAC used, i.e. because the number of collisions ensures that no cheating strategy would be better than guessing. Thus again, the TTP (and subsequently the Client) realise that something is wrong, while the secret Client token $C$ remains hidden. Depending on the nature of the MAC, the token $C$ may resist a certain amount of failures before it has to be exchanged.
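The contrast drawn above can be checked by brute force on a toy key space. The following is an added example, not code from the paper: it assumes a constructed affine MAC over a small prime field (tag = a·M + b mod p with C = (a, b)) as a stand-in for the unspecified i.t.-secure MAC, and all IDs and secrets are constructed sample values.

```python
# Added illustration (not the paper's code): what a deduced basis string m_i
# reveals about the Client secret C under two ways of deriving the basis.
P = 251  # small prime so the whole key space can be enumerated (toy size)

def xor_basis(c, merchant_id):
    """Simple derivation mentioned in the text: m_i = M_i XOR C (8-bit values)."""
    return merchant_id ^ c

def affine_mac(key, merchant_id):
    """Assumed stand-in MAC: tag = a*M + b mod P, with secret key C = (a, b)."""
    a, b = key
    return (a * merchant_id + b) % P

def keys_consistent_with_xor(merchant_id, observed):
    """Every 8-bit secret that explains the observed basis for this Merchant."""
    return [c for c in range(256) if xor_basis(c, merchant_id) == observed]

def keys_consistent_with_mac(merchant_id, observed):
    """Every (a, b) key that explains the observed tag for this Merchant."""
    return [(a, b) for a in range(P) for b in range(P)
            if affine_mac((a, b), merchant_id) == observed]

def tag_spread(candidates, other_merchant):
    """Tags the surviving candidate keys would give for a different Merchant."""
    return {affine_mac(k, other_merchant) for k in candidates}

# Constructed sample values
SECRET_XOR = 0xA7
SECRET_MAC = (173, 58)
M_I, M_J = 42, 99

def demo():
    xor_left = keys_consistent_with_xor(M_I, xor_basis(SECRET_XOR, M_I))
    mac_left = keys_consistent_with_mac(M_I, affine_mac(SECRET_MAC, M_I))
    return xor_left, len(mac_left), len(tag_spread(mac_left, M_J))

if __name__ == "__main__":
    xor_left, n_keys, n_tags = demo()
    print("XOR: candidate secrets left:", xor_left)
    print("MAC: candidate keys left:", n_keys, "| distinct tags for M_j:", n_tags)
```

With the XOR rule a single observation pins down the secret, whereas with the affine MAC 251 keys remain and they disagree on every possible tag for the second Merchant, so guessing that tag succeeds with probability 1/p, which equals 1/√|C| for this toy key space of size p².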

D. Experimental details
This section is dedicated to our protocol performance and setup characterization.
are modified as follows:

2. The TTP generates a random bitstring $b$ and a random conjugate basis-string $B$ of length $\lambda$. Each bit $b_j$ is encoded onto a quantum state prepared in $B_j$, where $j \in \{1; ...; \lambda\}$. This constitutes the classical description $(b, B)$ of the quantum token $|P\rangle$, which the TTP stores under the Client's ID $C_{ID}$ (e.g. let $\lambda = 4$ with the basis $B_j \in \{+/-; 0/1\}$ such that $(b, B)$ = "0101 0011" would result in $|P\rangle$ = "$|+\rangle |-\rangle |0\rangle |1\rangle$"). The length $\lambda$ depends on the tolerated success probability of an attack and the number of available merchants.

3. Upon receiving $|P\rangle$, the Client chooses the Merchant $M_i$ out of a database that was securely pre-shared with the TTP. Next, they calculate $m_i = \mathrm{MAC}(C, M_i)$, which is the output tag of an i.t.-secure Message Authentication Code (MAC) [38-42] that takes the secret token $C$ and the chosen Merchant's public ID $M_i$ as input (see Methods). The Client interprets $m_i$ as a basis-string and privately measures the whole sequence $|P\rangle$ according to $m_i$. The resulting string of measurement outcomes $\kappa_i \xleftarrow{m_i} |P\rangle$ constitutes the cryptogram.

4. The Client sends $\kappa_i$ along with their ID $C_{ID}$ to the Merchant, who forwards this together with its $M_i$ as $\{\kappa_i, M_i, C_{ID}\}$ to the TTP for verification.

5. To authorize the purchase, the TTP looks up $C$ and $(b, B)$, and calculates $m_i = \mathrm{MAC}(C, M_i)$ for the Client's ID. The TTP accepts the transaction if and only if $(\kappa_i)_j = b_j$ when $(m_i)_j = B_j$. The TTP rejects otherwise.

The protocol's security depends on the upper bound of the success probability to produce two valid, distinct cryptograms $\kappa_i$ and $\kappa_j$ for two distinct Merchants $M_i$ and $M_j$; we call this $p_d$ (cf. the following two sections). Another possible attack is to forge an output tag, such that $\mathrm{MAC}(C, M_i) = \mathrm{MAC}(C, M_j) \Leftrightarrow m_i = m_j \Leftrightarrow \kappa_i = \kappa_j$; we call the respective probability $p_t$. In an i.t.-secure MAC, p_t = 1/|m| = |M |/|C| = 1/ |C|, where |m|, |M | and |C| refer to the cardinality of the MAC, the Merchant ID and the Client's secret token respectively. Here we assume that |m| = |M | = |C|.
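Steps 2 to 5 can be simulated classically to see the acceptance rule at work. This is an added example, not the authors' code: it assumes an ideal, lossless channel, uses an affine map over GF(2) as a hypothetical one-time MAC in place of the constructions cited in [38-42], and the Merchant IDs are constructed.

```python
import secrets

def rand_bits(n):
    return [secrets.randbits(1) for _ in range(n)]

def keygen(lam, id_bits):
    """Client secret C for an affine GF(2) one-time MAC: (matrix A, offset v)."""
    return [rand_bits(id_bits) for _ in range(lam)], rand_bits(lam)

def mac(key, merchant_bits):
    """Basis string m_i = A*M_i xor v over GF(2), one bit per token position."""
    A, v = key
    return [(sum(a & x for a, x in zip(row, merchant_bits)) + o) % 2
            for row, o in zip(A, v)]

def ttp_issue(lam):
    """Step 2: classical description (b, B); B_j = 0 means +/-, 1 means 0/1."""
    return rand_bits(lam), rand_bits(lam)

def describe(token):
    """Render (b, B) as state labels, e.g. b=0101, B=0011 -> |+> |-> |0> |1>."""
    labels = {(0, 0): "|+>", (1, 0): "|->", (0, 1): "|0>", (1, 1): "|1>"}
    return [labels[(bj, Bj)] for bj, Bj in zip(*token)]

def client_measure(token, basis):
    """Step 3, ideal channel: matching basis yields b_j, otherwise a coin flip.
    (b, B) is used here only to simulate the physics; the Client never sees it."""
    b, B = token
    return [bj if mj == Bj else secrets.randbits(1)
            for bj, Bj, mj in zip(b, B, basis)]

def ttp_verify(token, key, merchant_bits, kappa):
    """Step 5: accept iff kappa_j == b_j at every position where (m_i)_j == B_j."""
    b, B = token
    m = mac(key, merchant_bits)
    return all(k == bj for k, bj, Bj, mj in zip(kappa, b, B, m) if mj == Bj)

def run_payment(lam=512, id_bits=16):
    """One honest payment to M_i, then the same cryptogram presented for M_j."""
    key, token = keygen(lam, id_bits), ttp_issue(lam)
    m_i = [1, 0, 1, 1] * (id_bits // 4)   # constructed Merchant IDs
    m_j = [0, 1, 1, 0] * (id_bits // 4)
    kappa = client_measure(token, mac(key, m_i))
    return ttp_verify(token, key, m_i, kappa), ttp_verify(token, key, m_j, kappa)

if __name__ == "__main__":
    print(describe(([0, 1, 0, 1], [0, 0, 1, 1])))
    print(run_payment())   # honest spend accepted, re-targeted spend rejected
```

In this simulation each position has a 1/8 chance of exposing a cryptogram presented for the wrong Merchant, so with λ = 512 a re-targeted cryptogram passes with probability (7/8)^512, roughly 2·10⁻³⁰.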

FIG. 2. Classical digital payments. Step 0: The Client sets up an account at the Trusted Token Provider (TTP), providing their secret ID and sensitive credit card information through an authenticated and encrypted channel. Step 1: The Client authenticates with the TTP, and requests a cardholder token $C$, which the TTP sends through a secure channel. Step 2: The TTP randomly generates a one-time token $P$ and sends it to the Client through a secure channel. Step 3: The Client's device uses the stored secret token $C$, the public merchant ID $M_i$, and the payment token $P$ to compute a cryptogram $\kappa(C, M_i, P)$. Step 4: The Client spends the cryptogram at the chosen Merchant. Step 5: The Merchant verifies the cryptogram with the TTP, and accepts or rejects the transaction.
FIG. 3. Experimental quantum-digital payments. a) The Trusted Token Provider (TTP) creates entangled photon pairs using a Spontaneous Parametric Down Conversion (SPDC) source. One photon's polarization is randomly measured by the TTP in either the linear or diagonal basis, creating the classical description $(b, B)$, which remotely prepares the quantum token $|P\rangle$ on the second photon. The latter is sent through a 641 m long optical fiber link to the Client, who measures its polarization in a basis $m_i = \mathrm{MAC}(C, M_i)$ specified by a Message Authentication Code (MAC) of the Merchant's ID $M_i$ and the Client's private token $C$, and thereby obtains the cryptogram $\kappa_i \xleftarrow{m_i} |P\rangle$. Classical communication between the TTP, Client and Merchant is used to verify the compatibility of $\kappa$, $M_i$ and $C$ with $(b, B)$. Red (blue) lines indicate quantum (classical) channels. The arrow numbering indicates the steps from FIG. 2. b) Satellite image of the two buildings housing the TTP, Client and Merchant. A 641 m optical fiber link connects the parties.

FIG. 4. Security for experimental quantum cryptograms. a) The semidefinite programming framework extracts a secure region of operation (turquoise) as a function of errors and losses. Our measured experimental performance ($e_m = 0.0328 \pm 0.0001$; $l_m = 0.2239 \pm 0.015$) is indicated by the blue dot, and lies within the secure region. Error bars propagate Poisson errors on coincidence counts. b) The dishonest success probability $p_d$ (green, upper bound) and honest success probability $p_h$ (red, lower bound) are displayed as a function of the number of quantum states $N$ required to verify one bit of the cryptogram. These are derived using a Chernoff bound argument (see Supplementary Information) [48]. As an example, an experimental token containing $\lambda = N = 4.2 \cdot 10^{6}$ quantum states (vertical blue dashed line) achieves an honest success probability very close to $p_h \sim 1$ and a dishonest success probability $p_d = 5.9 \cdot 10^{-45}$.

FIG. 5. Heralded second order correlation function. Data was acquired for 60 min at a pump power of 35 mW. Coincidences were calculated using four different time windows: 0.33 ns (green), 0.99 ns (blue), 1.98 ns (red), 2.96 ns (violet). From this measurement, we determine g

with the number of merchants $|M|$ and the size of the output tag $|T|$. In the case of a 1-time-secure function, we assume $\forall t \in T$ that $|T| = |K| = |C| \gg |M|$ for a single authentication tag. The probability $p_t$ of forging the output of $\mathrm{MAC}(C_i, M_i)$ should be similarly low as the dishonest success probability $p_d$ for a given sub-token size $N$ (see III, Fig. 4 in the main text). Thus, we choose $p_d \sim p_t \Rightarrow p_d \sim |M|/\sqrt{|C|} \sim 1/\sqrt{|C|}$, and the overall token length $\lambda = N \cdot \log_2 |C|$.

TABLE 2: Setup characterization and protocol performance.