Experimental investigation of practical unforgeable quantum money

Wiesner's unforgeable quantum money scheme is widely celebrated as the first quantum information application. Based on the no-cloning property of quantum mechanics, this scheme allows for the creation of credit cards used in authenticated transactions offering security guarantees impossible to achieve by classical means. However, despite its central role in quantum cryptography, its experimental implementation has remained elusive because of the lack of quantum memories and of practical verification techniques. Here, we experimentally implement a quantum money protocol relying on classical verification that rigorously satisfies the security condition for unforgeability. Our system exploits polarization encoding of weak coherent states of light and operates under conditions that ensure compatibility with state-of-the-art quantum memories. We derive working regimes for our system using a security analysis taking into account all practical imperfections. Our results constitute a major step towards a real-world realization of this milestone protocol.

The fundamental property of quantum mechanics at the heart of quantum cryptography is the no-cloning theorem [1], which states that it is physically impossible to clone an unknown quantum system, that is, to generate two identical copies of the system starting from a single copy.This property in essence prevents a malicious party from recovering information about the system without disturbing it, something that is always possible in the classical world.In his seminal work [2], Wiesner used this property to show that by encoding classical information into conjugate quantum bases it is possible to protect the encoded information from forgery.For instance, classical bits can be encoded using the bases {|0 , |1 } and {|+ , |− }, with |± = (|0 ± |1 )/ √ 2, where the first qubit state in each basis encodes the bit 0 and the second the bit 1.Then, Heisenberg's uncertainty principle ensures that measuring the encoded qubit in one of the two bases destroys any information about the encoding in the other, while the no-cloning theorem ensures that only a party knowing the basis used for the encoding can unambiguously recover the encoded information upon measurement of the qubit.This idea was subsequently extensively used in many quantum cryptographic schemes [3], and in particular in the BB84 quantum key distribution protocol [4], which has since thrived as one of the most studied and successfully implemented quantum information applications [5,6].
The application that Wiesner's original work was interested in was unforgeable quantum money.The goal of a quantum money scheme is to perform an authenticated and efficient transaction between a client, a vendor and a bank via the use of a prepaid credit card (private-key money scheme) or between a client and a vendor via the use of banknotes (public-key money scheme), with maximal security guarantees.More precisely, in a quantum credit card system, a trusted bank uses a secret to preload a certain amount of money on a credit card, namely a device that contains encoded quantum information, and gives it to a client who can make payments to a vendor who has in his possession a credit card reader, namely a device that can access the card and communicate with the bank, which can then verify using the initial secret if the credit card is valid and can be used for the payment.The security guarantee is that the client cannot duplicate the credit card or increase the amount of money associated with it.In quantum banknotes, the difference is that the verification must be done without the help of the bank, hence there is no private key involved in the process.
In the classical world, money schemes are impossible with information-theoretic security and are therefore based on computational assumptions.In the quantum world, schemes for unforgeable quantum credit cards typically involve verification procedures with quantum communication with the bank [2].A simpler informationtheoretically secure credit card scheme using classical communication during verification was proposed [7], and is based on hidden matching quantum retrieval games [8,9]; these typically involve several rounds of communication between the vendor and the bank and the use of specific entangled states, although these requirements have been improved recently [10].This classical verification scheme has also been further simplified to use again the so-called BB84 states as in the original Wiesner scheme, additionally taking into account realistic conditions [11].As regards to quantum banknotes, it is known that even in the quantum world such schemes cannot base their security solely on the no-cloning theorem but must also use some computational assumptions, such as knot problems or quantum obfuscation [12][13][14][15][16][17].This computational security is still interesting since in the classical world there can be no notion of mathematical security for banknotes; their security is based only on the fact that it is difficult for a counterfeiter to copy a banknote due to its intricate coloring and hologram design.Recent experimental work has shown how such quantum banknotes can be constructed on-the-fly but also forged [18].On the other hand, unforgeable quantum credit card schemes have never been implemented until now.
Here we develop and implement an on-the-fly version of a practical unforgeable quantum money scheme for credit card transactions for the first time (independent work implementing a hidden matching version of quantum money has appeared since in [19]).Our protocol builds upon the work in [11] in conjunction with the techniques developed in [16], and uses only BB84 states and a single round of classical communication for the verification.Our construction allows us to formulate conditions for correctness and security that can be experimentally tested.In particular, we derive conditions in scenarios of practical interest, corresponding to quantum memories based on single emitters or on atomic ensembles [20][21][22], and to implementations with weak coherent states.In all cases, we demonstrate that these conditions are rigorously satisfied experimentally using a practical photonic setup based on polarization encoding of weak coherent states of light, and we analyze operational regimes where unforgeability is guaranteed.Our experiment includes the full procedure of credit card state generation, readout and verification and is compatible with the future use of quantum storage devices, hence paving the way for the realization of quantum money transactions with information-theoretic security impossible to achieve in the classical world.

Results
The quantum money protocol.To describe the protocol that we have analyzed, we first define a reduced scheme that guarantees a weak security condition, before extending it to a larger scheme with exponentially good security parameters.The reduced scheme is schematically shown in Fig. 1.
Let us assume that the bank prepares a prepaid credit card state, which for now consists of a single pair of qubits only, chosen from the following set using a random secret classical string s : The sequence of interactions between the credit card holder (client), the bank and the vendor involved in the transaction.In the preparation phase, the bank uses a secret key to prepare the quantum state loaded on the credit card, which is then given to the client.In the transaction phase, the vendor randomly selects one out of two challenge questions, measures the qubits and sends the outcome to the bank, who can then verify the validity of the credit card or detect a forgery attempt.
basis, while b = 1 indicates that the first one is encoded in the σ x basis and the second in the σ z basis.c 0 , c 1 are the two encoded bits, with 0 corresponding to the states |0 , |+ and 1 corresponding to the states |1 , |− .When a transaction is to be made, the following interactions occur: first, the client hands the credit card to the vendor, who chooses at random one out of two challenge questions and accesses the credit card, i.e., performs a measurement on the stored qubits in order to get an answer for the selected challenge.As a second step, the vendor sends the classical bits corresponding to the chosen challenge, along with the answer obtained upon measurement, to the bank.Finally, the bank verifies the authenticity of the credit card using the secret string s and responds with a yes or no.If the answer of the bank is yes then the transaction may occur, otherwise the card is rejected and declared as a counterfeit.
The two challenge questions, Q zz and Q xx , read: Q zz = Guess the two bits c 0 , c 1 , such that the guess corresponding to the qubit prepared in the σ z basis is correct.
Q xx = Guess the two bits c 0 , c 1 , such that the guess corresponding to the qubit prepared in the σ x basis is correct.
We may also define the conjunction of both challenges: The main idea here is that a valid credit card can always be verified in the ideal case: the vendor performs a measurement in the σ z ⊗ σ z basis in order to verify the Q zz challenge, and in the σ x ⊗ σ x basis in order to verify the Q xx challenge.In general, we denote by c the probability of successfully answering Q zz or Q xx , and we call this the correctness parameter.In the ideal case, c is equal to 1 for the above challenges: measuring both qubits in the σ z basis always answers the Q zz challenge correctly, and similarly for Q xx .In a realistic implementation, however, c might not be equal to 1 due to system imperfections.It might also take different values, c zz and c xx , for Q zz and Q xx , respectively.In this case, c can be calculated as the average of c zz and c xx , as we describe later.
Let us now see what happens if a dishonest client tries to duplicate the credit card.Since the 2-qubit state is unknown, there is no way that the two copies of the credit card can pass both challenges with high probability.The upper bound on this cheating probability has been derived in [7,11] and shown to be 3/4.A crucial property of the game is that if one plays in parallel t such games, then one can upper bound the probability a dishonest client can answer the challenge Q for all t games as (3/4) t [7].In other words, performing a general attack on the composite Hilbert space of all qubit pairs in the card cannot yield a higher cheating probability than performing an optimal attack on each individual pair.In general, we denote by the probability of successfully answering the conjunction challenge Q , i.e., the probability of successfully cheating, and we call this the security parameter materializing the non-clonability of the quantum state.We refer to such a challenge game as a (c, )-game G.
Starting from a (c, )-game G that consists of a single pair of qubits and for which the following relation between the correctness and the security parameter holds, we can construct a different game G that consists of n such pairs of qubits, where we denote by |$ s the 2nqubit state chosen by a randomly generated secret classical string s of length 3n.Here again, the vendor chooses at random one out of two challenge questions and performs a measurement on all 2n qubits accordingly (either σ z ⊗σ z on all n pairs or σ x ⊗σ x on all n pairs).If we now define the two challenges as: (i) answering the challenge Q zz correctly for at least a fraction c − δ of the n pairs, and (ii) answering the challenge Q xx for at least a fraction c − δ of the n pairs, where we define (see Methods) then we can use the analysis in [16], based on a Chernoff bound argument [23], and have that the correctness c and security of the game G satisfy This means that, for the game G , the correctness parameter c is exponentially close to 1 and the security parameter exponentially close to zero.Since in our initial game G we have = 3/4, then we can see from Eq. ( 2) that in any secure implementation of the game G we need to achieve c > 7/8 = 0.875.The more c exceeds this bound, the better security (i.e., the lower ) we will get for a game G of size n.
The above description provides a game with exponentially good security parameters.By including quantum states that correspond to many such games in the same credit card as well as a unique classical serial number, one can use theorems from [7,14,16] to extend the above scheme into a quantum prepaid credit card scheme, where the quantum credit card may be re-used multiple times and a dishonest client cannot create a copy of the credit card even if he has in his possession multiple credit cards.Hence, satisfying Eq. ( 2) experimentally is enough to implement a full quantum money scheme with information-theoretic security given by correctness and security parameters from Eq. ( 4).
Security analysis for weak coherent states.In our discussion up till now, we have assumed that the bank creates single-qubit states and stores them in the credit card.In practice, this assumption would be compatible with an implementation using either a quantum memory based on single emitters [24,25], which are expected to emit true single photons to be measured by the vendor for verification regardless of the input state used by the bank in the card preparation stage, or a quantum memory based on atomic ensembles [26,27] when the input state is a true single-photon state.In the following, we shall refer to this case as the "single-photon state" protocol.The correctness and security parameters defined above apply to this case.
In other cases of practical interest, however, we would like to use atomic-ensemble quantum memories and also weak coherent states as an input, as is typically the case, for instance, in quantum cryptographic applications [5].In this case, the memory preserves the Poisson photon statistics in the output state and simply introduces attenuation, hence reducing the average photon number per pulse µ that characterizes such states.The security threshold therefore has to be modified.More specifically, the bound that c must exceed has to be a function of µ.
In the following, we shall refer to this case as the "weak coherent state" protocol.Our security analysis first considers specific attacks that may take place in an experimental implementation where the phase of each state is not randomized, namely unambiguous state discrimination (USD) attacks.As a second step, we derive a rigorous bound that applies to all attacks in the phase randomized case.
Starting with the non phase-randomized case, USD attacks are possible only for sets of linearly independent states [28][29][30], which is the case for the set of states used in our protocol when physically realized with weak coherent state encoding.A dishonest client willing to copy the credit card can perform specific positive operator valued measurements (POVM) to perfectly discriminate and identify a fraction of the states in the card.Successfully identifying one state in a pair allows the successful cloning of the whole pair, since the adversary knows that the other state is prepared in the conjugate basis.Following the analysis in Refs.[29] and [30] for our set of states, for µ ≤ 2, and assuming that no phase randomization is performed on our states, gives a probability for successful USD By a Chernoff bound argument [23], we then have that for n pulses (in the 2n-qubit sequence) that are created according to the Poisson distribution with a mean photon number µ, with very high probability the number of pulses among these n pulses for which the USD is successful is very close to its expectation.In other words, if L 1 , ...L n are random variables that take the value 1 if the pulse leads to a successful USD, then we have for the sum where η > 0 is a parameter accounting for finite number statistics that can be optimized as discussed further on.
We can now define a new parameter δ as and restate the condition of Eq. ( 2) as leading to the following correctness and security parameters that take into account possible USD attacks: Note that the second term in the expression of comes from the fact that, in case L is bigger than its expectation, then the dishonest client can perfectly cheat on a larger number of pairs.A dishonest client may further boost his cheating probability by exploiting the losses present in a realistic implementation.In the presence of losses, the client having used USD to copy the card may indeed replace the states that he has successfully identified with states containing a higher average photon number µ at the input of the card reader, in order to increase the probability of detection by the vendor, and replace the ones that he failed to identify with vacuum states.Such a strategy will not be detected when a state is measured in the correct basis but it will induce an increase in the number of total clicks on the detectors registered by the card reader when a state is measured in the conjugate basis.As was shown in [29], in order for this cheating strategy to be detected and thus for the protocol to be secure, the total efficiency must fulfill the condition where η qm is the retrieval efficiency of the quantum memory in the original valid card and η det is the detection efficiency of the card reader.Thus, for the "weak coherent state" protocol, as long as it is possible to satisfy Eqs. ( 8) and ( 10) experimentally, then a quantum credit card scheme secure against USD attacks, characterized by correctness and security parameters given in Eq. ( 9), can be implemented.
In the case where phase randomization is performed, then each weak coherent state appears to the adversary as a Poisson distributed mixture of Fock states [31]: This allows us to derive a general security bound considering three distinct cases.If the state is a vacuum state, then there is no information content.If the state is a single-photon state, then the previous security analysis may be used against general attacks.If the state contains 2 photons or more, then we assume that the adversary may perfectly cheat.This allows us to derive a more pessimistic yet rigorous security threshold, where λ = 1−(1+µ)e −µ 1−e −µ , and As long as it is possible to satisfy Eq. ( 12) experimentally, then a quantum credit card scheme with information-theoretic security against all attacks performed on uniformly phase randomized weak coherent states, characterized by correctness and security parameters given in Eq. ( 13), can be implemented.
Experimental principle and setup.In order to test in practice the security conditions from Eqs. (2), ( 8) and (10) and identify suitable operation regimes, we have implemented an on-the-fly version of our quantum money protocol in which the qubit pairs of the credit card are sent directly to the vendor's card reader, without intermediate storage in a quantum memory.In our experiment we have not performed phase randomization (this  Experimental setup of the quantum money system.The credit card state preparation is performed using pulses carved from light emitted by a telecommunication wavelength laser diode using an acousto-optic modulator (AOM).A multi-stage polarization controller (EOSPACE) is then used to select the polarization states according to the protocol by applying suitable voltages.The average photon number of pulse µ is set by a variable optical attenuator (VOA) and is calibrated with a 99/1 beam splitter (BS) and a photodiode.The credit card reader is materialized by a standard polarization analysis setup including a half-wave plate (HWP), a polarization beam splitter (PBS) and two InGaAs single-photon avalanche photodiodes (ID201).The entire setup is synchronized using a multi-channel delay generator and is controlled by software incorporating the random state generation and data acquisition and processing.can be implemented subsequently in the same manner as [32]), hence the security bound of Eq. ( 12) has not been explicitly considered.The verification test consists in measuring the correctness parameters c zz for the challenge question Q zz and c xx for Q xx on blocks of n qubit pairs, each of which is randomly chosen from the set of Eq. ( 1).This is done by measuring each block in the σ z ⊗ σ z basis or in the σ x ⊗ σ x basis, respectively.As noted earlier, the correctness parameter is calculated as c = (c zz + c xx )/2, and must exceed the thresholds from Eqs. ( 2) and ( 8) in order for the credit card to be validated by the bank.This does not compromise the security of the implementation as it is always possible to symmetrize the data by relabeling the bases such that in practice the two parameters become effectively the same.Once c has been measured, the correctness and security of the full protocol can be estimated for the different scenarios from Eqs. ( 4) and (9).
The experimental setup is shown in Fig. 2. The qubit pairs of the credit card state are encoded in the polarization of weak coherent states of light produced with standard optical communication components.The light emitted at 1564 nm by a continuous-wave laser diode is first modulated using an acousto-optic modulator to produce pulses with a duration of 20 µs and a repetition rate of 20 kHz.A variable optical attenuator is used to reduce the intensity of the pulses and set the average photon number per pulse µ.Then, the light pulses go through a multi-stage polarization controller consisting of an electro-optic modulator, which sets the polarization of each pulse to horizontal, vertical, diagonal or antidiagonal, according to a suitable combination of applied voltages.These polarization states correspond to the qubit states |0 , |1 , |+ and |− , respectively.The voltage sequences applied to the controller are generated such that two successive pulses form a pair whose polarization state is randomly chosen from the set S pair , as required by our protocol.
The value of µ is fixed for each experiment at the output of the polarization controller, as described in more detail in the Methods.Finally, the pulses are directed to the credit card reader, where the polarization state of each pulse is measured in either the σ z or the σ x basis by the combination of a half-wave plate, set at an angle 0 • or 22.5 • with respect to the horizontal direction, respectively, and a polarization beam splitter whose outputs are directed to two single-photon detectors labeled D 0/+ and D 1/− .At the end of the experiment, the data sets corresponding to the credit card state generated by the bank, the bases selected by the vendor, and the measurement outcomes obtained for the different challenge questions are analyzed to assess the security of our implementation.

Quantum money results. The experimental results
for the values of c zz , c xx and c, obtained for weak coherent states with different values of µ ≤ 1, are shown in Fig. 3 (green symbols).We also display the security thresholds corresponding to Eq. ( 2) for the "singlephoton state" protocol (full pink line) and Eqs. ( 8) and (12) for the "weak coherent state" protocol, which is plotted for different values of the parameter η (dashed red and purple lines respectively).We post-select on events for which at least one of the detectors has clicked (see Methods for more details on the extraction of these parameters).We have also plotted simulations of the evolution of c with µ (cyan lines) according to a theoretical model that takes into account Poisson statistics of weak coherent states, dark count probability, finite detection efficiency, state purity and post-selection of pulses where at least one detector clicks (see Methods for more details).The best fit of our data points corresponds to a state purity p = 93%.This reduced purity with respect to the 99.5% purity obtained when all states in a block are, for instance, σ z eigenstates, is due to the large voltage differences that are required as an input to the polarization controller for different consecutive states in a block of random states.The limited response time of the involved electronics leads to state generation with nonoptimal purity.Note that, even though we are using an attenuated laser in the experiment, our data also gives us a good estimation of the performance we would obtain with true single photons emitted with an efficiency µ.Indeed (see Methods and Fig. 4), for our regime of parameters, the expected value of the correctness parameter c for single-photon states (blue lines in Fig. 3) is extremely close to those for weak coherent states.Thus, our experimental data can be analyzed for the various input state and quantum memory configurations considered here.
For the "weak coherent state" protocol, the security threshold of Eq. ( 8), taking into account USD attacks only, reaches 1 for µ 1.Hence, for larger values of µ, the protocol is insecure against USD attacks.Note that for the threshold of Eq. ( 12) which ensures against any attack (for phase-randomized states), it can be seen that µ must not exceed 0.40.The simulations in Fig. 3 also show that the protocol is insecure when the state purity p drops below 76%, since the value of c then falls below the USD attack security threshold.However, for 0.01 ≤ µ < 1 and for p ≥ 0.76, there is a wide region of parameters for which the protocol is secure against such attacks.Indeed, for our experimental results with p = 0.93, the protocol is secure against USD attacks for values of µ up to 1.In Fig. 4, we show the security regions corresponding to Eq. ( 10) as a function of µ and η tot = η qm η det : our experiments, with η qm = 1 and η det = 0.25, are situated in the secure region for all values of µ ≤ 2.
For the "single-photon state" protocol, the security threshold of Eq. ( 2) is constant and equal to 7/8 = 0.875 for all values of µ.Our experimental data, interpreted as if resulting from single-photon states with a polarization purity p = 0.93 and an efficiency 0.02 ≤ µ ≤ 1, are secure and show a value of c well above the security threshold.We also notice that the protocol can tolerate large attenuations even for relatively low values of purity.
The measured values for c allow us to estimate the number n of qubit pairs required for our prepaid quantum credit card scheme (corresponding to the game G ) to reach a high level of security.In Fig. 5, we show values for the correctness and security parameters c and defined in Eq. ( 4) for the "single-photon state" protocol, using the experimental values c = 0.953 ± 0.011 for µ = 1 (full red line), c = 0.966 ± 0.018 for µ = 0.10 (dashed red line) and c = 0.953±0.014for µ = 0.025 (dotted red line).We see that, as drops quickly with the number of qubit pairs n, a measured credit card state consisting of a number of pairs comprised between 10 4 and 10 5 is sufficient to reach an arbitrarily small cheating probability in this case, for a wide range of efficiencies µ ∈ [0.025; 1].Note that when estimating c and , we use the lowest value for the experimental value of c taking into account error bars of 5σ.In this way, there is a probability no higher than 10 −6 that the true c value actually lies beneath this point.
In Fig. 5, we also display values for the correctness and security parameters c and defined in Eq. ( 9) for the "weak coherent state" protocol, using the experimental values c = 0.953 ± 0.011 for µ = 1 (full blue line), c = 0.965 ± 0.010 for µ = 0.40 (mixed blue line), c = 0.966 ± 0.018 for µ = 0.10 (dashed blue line) and c = 0.953 ± 0.014 for µ = 0.025 (dotted blue line).The parameter η has an opposite effect in the two terms in the expression of and we find that these two terms must be roughly balanced.Values for η have therefore been chosen accordingly, and we see that the optimal values strongly depend on µ : they must be increased as µ decreases.We also notice that, in general, states with large values of µ require a higher number of detected pairs than states with small values of µ in order to reach the same security level.However, as long as µ is not too big, the minimal number of pairs remains of the order of 10 5 , and this effect is counter-balanced by the fact that a higher value of µ increases the number of useful detected pulses and hence the number n of detected pairs.Thus, despite this trade-off, in order to optimize the performance of the setup, it is in general preferable to keep Figure 5. Correctness and security parameters of the full scheme.Numerical calculations for the correctness parameter c (upper graph) and security parameter (lower graph) as a function of the number n of measured qubit pairs in the credit card, with experimental values of c = 0.953 ± 0.011 for µ = 1 (full red and blue lines), c = 0.965 ± 0.010 for µ = 0.40 (mixed blue line), c = 0.966 ± 0.018 for µ = 0.10 (dashed red and blue lines) and c = 0.953±0.014for µ = 0.025 (dotted red and blue lines).Note that the lowest values of the 5σ error bars are considered for plotting these bounds.Red lines correspond to the "single-photon state" protocol while blue lines correspond to the "weak coherent state" protocol.
µ as high as possible in order to maximize the number of detected pairs.We may therefore conclude that our proof-of-principle experiment for the "weak coherent state" protocol works optimally when µ ∈ [0.10; 0.40].

Discussion
The results that we have presented constitute the first on-the-fly implementation of provably unforgeable quantum money.Our implementation is based on a practical photonic setup with requirements close to those of standard quantum key distribution systems, which is used for quantum credit card on-the-fly generation and read-out.The validation of our quantum money protocol and the chosen experimental conditions anticipate the future use of state-of-the-art quantum storage devices, based on single emitters or atomic ensembles, for real-world realization of credit card states.
The integration of our system with a quantum memory requires further developments, in particular to ensure wavelength matching and synchronization, and the full system will be mainly limited by the performance of the quantum storage device, in particular with respect to timing and losses.Regarding losses, we remark that our implementation has minimal channel losses as the transaction is performed locally, while detection losses are processed through our post-selection procedure and taken into account in our security analysis when practical weak coherent states are used in the implementation.
Our work sets a complete theoretical and operational framework for quantum money, and is fully compatible with presently existing quantum memories.In this sense, we provide a crucial experimental benchmark for unforgeability of quantum money, and for any other application where our transaction framework may be relevant.

Methods
Derivation of δ.For the completeness of game G , we have that the honest client must ensure at least c − δ of the Q xx challenges, or at least c−δ of the Q zz challenges, are answered correctly.The correctness c in the first half of Eq. ( 4) comes from a simple Chernoff bound, since the client succeeds with probability c in the challenge.In order to prove that the security parameter is the one given in the second part of Eq. ( 4), it suffices to show that the cheating client has to ensure the challenge Q is answered correctly for a fraction of at least + δ of the games G in order to cheat in G .Note that the client must be able to ensure the correct answer for at least a fraction of c − δ of each of the two challenges and hence the fraction of games where both challenges must be answered is at least 2(c − δ) − 1, as illustrated below: Making this equal to + δ provides the value of δ for the "single-photon state" protocol: For the "weak coherent state" protocol, taking into account the Poissonian nature of these states, we have that the extra probability (1 + η)P D of successful USD per pulse goes straight to the adversary.Equation ( 14) may then be rewritten as Setting of µ.The value of µ in our experiment is defined as the average photon number per single-photon-detector gate at the output of the polarization controller.It can be expressed as follows: where λ = 1564 nm is the wavelength, h is Planck's constant, c is the speed of light in vacuum, τ gate = 500 ps is the duration of the detection gate of the single-photon detectors, τ pulse = 20 µs is the duration of the light pulses, f rep = 20 kHz is the repetition rate of these pulses, r split is the exact splitting ratio of the 99/1 beam splitter, η PC = 0.50 is the transmission coefficient of the polarization controller and P 99mean is the mean power measured at the 99 output of the 99/1 beam splitter.
Extraction of c zz and c xx .We estimate the values of the correctness parameters from the experimental results by post-selecting pulses where at least one of the singlephoton detectors clicked as follows: The parameter c zz is estimated from measurements performed in the σ z basis for the entire block, i.e., with the half-wave plate rotated to 0 • , while c xx is estimated from measurements performed in the σ x basis for the entire block, i.e., with the half-wave plate rotated to 22.5 • .
Statistical errors.The pulse sequences used for measuring c zz and c xx for each value of µ < 1 consisted of 3 × 10 6 pulses (i.e., 1.5 × 10 6 pairs) before post-selection.Each of the four polarization states was generated with probability 0.25, that is, each state was produced 7.5 × 10 5 times in the random sequence.The total number of post-selected pairs for each block was comprised between 1.3 × 10 5 and 2.6 × 10 5 depending on the value of µ and for a detection efficiency of 25%.Errors on the correctness parameters were estimated by propagating the Poisson errors of the click counting.
Theoretical models for c.The correctness parameter and its evolution with µ can be simulated with a simple theoretical model taking into account experimental parameters.This model was used to plot the simulation curves in Fig. 3.We model the polarization state generated by the polarization controller as a density matrix ρ = p|s s| + (1 − p) 1  2 , where |s is the ideal target state, with s = 0, 1, +, −, 1 is the identity matrix and p is the polarized fraction of the light.
In both cases, the state correctness, post-selected on events with at least one click, can be expressed as: .

Figure 1 .
Figure1.Practical quantum money protocol.The sequence of interactions between the credit card holder (client), the bank and the vendor involved in the transaction.In the preparation phase, the bank uses a secret key to prepare the quantum state loaded on the credit card, which is then given to the client.In the transaction phase, the vendor randomly selects one out of two challenge questions, measures the qubits and sends the outcome to the bank, who can then verify the validity of the credit card or detect a forgery attempt.

Figure 2 .
Figure 2. Experimental setup of the quantum money system.The credit card state preparation is performed using pulses carved from light emitted by a telecommunication wavelength laser diode using an acousto-optic modulator (AOM).A multi-stage polarization controller (EOSPACE) is then used to select the polarization states according to the protocol by applying suitable voltages.The average photon number of pulse µ is set by a variable optical attenuator (VOA) and is calibrated with a 99/1 beam splitter (BS) and a photodiode.The credit card reader is materialized by a standard polarization analysis setup including a half-wave plate (HWP), a polarization beam splitter (PBS) and two InGaAs single-photon avalanche photodiodes (ID201).The entire setup is synchronized using a multi-channel delay generator and is controlled by software incorporating the random state generation and data acquisition and processing.

Figure 3 .
Figure 3. Experimental results for different values of µ.Measured czz, cxx, and c values (green symbols) are plotted as a function of the average photon number per pulse µ.Each measured block consists of a number of post-selected pairs ranging from 1.3 × 10 5 for µ = 0.025 to 2.6 × 10 5 for µ = 0.40 and 2.0 × 10 5 for µ = 1.The red lines correspond to the security threshold for the "weak coherent state" protocol encompassing USD attacks for values of η = 0.020 and η = 0.402, while the purple line corresponds to the threshold for general attacks on phase-randomized weak coherent states, for the same values of η.The full pink line corresponds to the security threshold for the "single-photon state" protocol.The cyan curves correspond to theoretical simulations for weak coherent states assuming a dark count probability of 7 × 10 −5 , detection efficiency of 25%, state purity values of p = 0.76, 0.93, 1 and post-selection of pulses with at least one detector clicking.The blue curves correspond to the same theoretical simulations, this time for true single-photon states with an emission efficiency µ.The plotted error bars correspond to 5σ (see Methods).

Figure 4 .
Figure 4. Security regions for weak coherent states.B = ηtot +ln(1−PD)/µ is plotted as a function of the average number of photons per pulse µ and the total efficiency ηtot = ηqmη det .The security condition of Eq. (10) is fulfilled when B > 0.