Practical quantum tokens without quantum memories and experimental tests

Unforgeable quantum money tokens were the first invention of quantum information science, but remain technologically challenging as they require quantum memories and/or long-distance quantum communication. More recently, virtual “S-money” tokens were introduced. These are generated by quantum cryptography, do not require quantum memories or long-distance quantum communication, and yet in principle guarantee many of the security advantages of quantum money. Here, we describe implementations of S-money schemes with off-the-shelf quantum key distribution technology, and analyse security in the presence of noise, losses, and experimental imperfection. Our schemes satisfy near-instant validation without cross-checking. We show that, given standard assumptions in mistrustful quantum cryptographic implementations, unforgeability and user privacy could be guaranteed with attainable refinements of our off-the-shelf setup. We discuss the possibilities for unconditionally secure (assumption-free) implementations.


I. INTRODUCTION
Quantum tokens, also called quantum money, were invented by Wiesner [1] in 1970. In Wiesner's original quantum token scheme Bob (the bank) secretly and securely generates a classical serial number s and a quantum state |ψ of N qubits, prepared from a set of different bases, gives s and |ψ to Alice, and stores s and the classical description of |ψ in a database. Alice presents the token by giving s and |ψ back to Bob, and Bob validates or rejects the token after measuring the received quantum state in the basis in which |ψ was prepared. In refinements of this scheme [2][3][4][5][6][7][8][9][10], Alice can present the token to Bob or to one of a set of verifiers, by communicating the classical outcomes of quantum measurements applied on |ψ , as requested by Bob or the verifier. Alternatively, Alice presents the token by giving s and |ψ to the verifier, who applies quantum measurements on |ψ . The verifier communicates with Bob to validate or reject the token.
However, there exist purely classical token schemes that can also guarantee unforgeability with unconditional * D.Pitalua-Garcia@damtp.cam.ac.uk security. For example, the token may comprise a classical serial number s and a classical secret password x that Bob gives Alice and that Alice presents by giving to one of a set of verifiers; validation of the token comprises cross-checking; for example, the verifier communicates with Bob and validates the token if this has not been presented before and if the given serial number and password correspond to each other.
In addition to unforgeability, some important properties of quantum token schemes are the following. First, quantum tokens can be transferred while keeping Bob's database static. On the other hand, since classical information can be copied perfectly, in order to satisfy unforgebaility, when a purely classical token with serial number s is transferred from Alice to another party Charlie, Bob must change the classical data associated to s; for example, Bob must change x to another value x ′ and give s and x ′ to Charlie in the example above [2].
Second, some quantum token schemes satisfy instant validation. This means that the schemes do not require communication between the verifiers and Bob for validation after Alice presents the token [4]. This implies in particular that the token can be presented by Alice at one of a set of different spacetime points that can be spacelike separated without validation delays by the verifier due to cross-checking with Bob and/or with other verifiers.
Third, quantum token schemes satisfy future privacy for the user, or simply user privacy. That is, neither Bob, nor the verifiers, can know where and when Alice will present the token.
It is not difficult to construct purely classical token schemes that satisfy with unconditional security any two of unforgeability, instant validation and user privacy. For example, the classical token scheme above satisfies unforgeability and user privacy with unconditional security, but not instant validation. To the best of our knowl-edge no purely classical token scheme has been shown to satisfy all three properties simultaneously with unconditional security. Classical variations of the quantum token schemes we consider here, based on classical relativistic bit commitments, whose security is hypothesized but not proven, were proposed in Ref. [17], which considers their potential advantages and disadvantages. As far as we are aware, aside from these, there are no known classical schemes that plausibly satisfy all three properties simultaneously with unconditional security.
Among plausible future applications of quantum token schemes are very high value and time critical transactions requiring very high security, such as financial trading, where many transactions take place within half a millisecond [18], or network control, where semi-autonomous teams need authentication as fast as possible. A reasonable assumption for such applications is that tokens may be transferred a relatively small number of times among a relatively small set of parties -the tokens may be valid for a relatively short time, for example. In this context, Bob having a static database does not seem to be a great advantage of quantum token schemes over classical schemes whose databases must be updated after each transaction, given that processing classical information is much easier and cheaper than processing quantum information. Furthermore, for very high value transactions one might expect that the communication network among Bob and the verifiers is sufficiently protected that communication among them is very rarely (if ever) interrupted. So, in this context, it appears to be a major advantage of quantum token schemes over classical token schemes that a quantum token can be presented at one of a set of spacelike separated points with near instant validation without time delays due to cross-checking, while satisfying unforgeability and user privacy with unconditional security.
Standard quantum token schemes satisfying unforgeability, user privacy and instant validation with unconditional security require to store quantum states in quantum memories and/or to transfer quantum states over long distances in order to give Alice enough flexibility in space and time to present the token [1][2][3][4][5][6][7][8][9][10][13][14][15][16]. Recently, a quantum memory of a single qubit with a coherence time of over an hour has been experimentally demonstrated [19,20]. However, storing large quantum states for more than a fraction of a second remains challenging [21,22]. Furthermore, the transmission of quantum states over long distances in practice comprises the transmission of photons through optical fibre or through the atmosphere via satellites. In both cases a great fraction of the transmitted photons is lost. For these reasons, standard quantum token schemes are impractical for most purposes at present.
Recently, experimental investigations of quantum token schemes have been performed [23][24][25][26][27]. Refs. [23,27] investigated the experimental implementation of forging attacks on quantum token schemes. Ref. [24] presented a simulation of a quantum token scheme in IBM's five-qubit quantum computer. Refs. [25,26] reported proofof-principle experimental demonstrations of the preparation and verification stages of quantum token schemes, by transmitting quantum states encoded in photons over a short distance -for example, Ref. [26] reports optical fibre lengths of up to 10 meters. A full experimental demonstration of a quantum token scheme that includes storing quantum states in a quantum memory and/or transmitting quantum states over long distances remains an important open problem.
'S-money' [17] is a class of quantum token schemes, which is designed for the settings described above comprising networks with relativistic or other trusted signalling constraints. These schemes can guarantee many of the the security advantages of standard quantum token schemes -in particular, instant validation, unforgeability and user privacy -without requiring either quantum state storage or long distance transmission of quantum states. Furthermore, S-money tokens that can be transferred among several parties and that give the users a great flexibility in space and time to present the token are also possible [28]. In this paper, we begin to investigate how securely S-money schemes can be implemented in practice with current technology.
Our results are twofold. First, we introduce quantum token schemes that extend the quantum S-money scheme of Ref. [29] in practical experimental scenarios that consider losses, errors in the state preparations and measurements, and deviations from random distributions; and, in photonic setups, photon sources that do not emit exactly single photons, and single photon detectors with non-unit detection efficiencies and with non-zero dark count probabilities, which are threshold detectors, i.e. which cannot distinguish the number of photons in detected pulses. In our schemes, Alice can present the token at one of 2 M possible spacetime presentation points, which can have arbitrary timelike or spacelike separation, for any positive integer M . Our schemes satisfy instant validation and comprise Bob transmitting N quantum states to Alice over a distance which can be arbitrarily short, Alice measuring the received quantum states without storing them, and further classical processing and classical communication over distances which can be arbitrarily large. Thus, our schemes are advantageous over standard quantum token schemes because they do not need quantum state storage or transmission of quantum states over long distances. We use the flexible versions of S-money defined in Ref. [28], giving Alice the freedom to choose her spacetime presentation point after having performed the quantum measurements. We show that our schemes satisfy unforgeability and user privacy, given assumptions that have been standard in implementations of mistrustful quantum cryptography to date (see Table VI), but are nonetheless idealizations.
Second, we performed experimental tests of the quantum stage of one of our schemes for the case of two presentation points, which show that with refinements of our setup our schemes can be implemented securely, giv-ing guarantees of unforgeability and user privacy, based on the standard assumptions in experimental mistrustful quantum cryptography mentioned above.

A. Preliminaries and Notation
We present below two quantum token schemes that do not require quantum state storage, are practical to implement with current technology, and allow for experimental imperfections. We show that for a range of experimental parameters our token schemes are secure.
In the token schemes below, Bob (the bank) and Alice (the acquirer) agree on spacetime regions Q i where a token can be presented by Alice to Bob, for i ∈ {0, 1} M and for some agreed integer M ≥ 1. Bob has trusted agents B and B i controlling secure laboratories, and Alice has trusted agents A and A i controlling secure laboratories, for i ∈ {0, 1} M . The agent A i can send messages to B i in the spacetime region Q i , for i ∈ {0, 1} M . All communications among agents of the same party are performed via secure and authenticated classical channels, which can be implemented with previously distributed secret keys. Alice's agent A and Bob's agent B perform the specified actions in a spacetime region P that lies within the intersection of the causal pasts of all Q i , unless otherwise stated.
The token schemes comprise two main stages. Stage I includes the quantum communication between B and A, which can take place between adjacent laboratories, and must be implemented within the intersection of the causal pasts of all the presentation points. In particular, this stage can take an arbitrarily long time and can be completed arbitrarily in the past of the presentation points, which is very helpful for practical implementations. Stage II comprises only classical processing and classical communication among agents of Bob and Alice, and must be implemented very fast in order to satisfy some relativistic constraints. A token received by B b from A b at Q b can be validated by B b near-instantly at Q b , without the need to cross check with other agents. We note that Alice chooses her presentation point in stage II, meaning in particular that it can take place after her quantum measurements have been completed. This is basically the application of the refinement of flexible Smoney tokens discussed in Ref. [28], which gives Alice great flexibility in spacetime to choose her presentation point. See Tables I -III for details. In stage I, B generates quantum states randomly from a predetermined set and gives these to A. A measures the received states in bases from a predetermined set. A sends some classical messages to B, mainly to indicate the set of states that she successfully measured. For all i ∈ {0, 1} M , A communicates her classical outcomes to A i ; B sends classical messages to B i , indicating mainly the labels of the states reported by A to be successfully measured.
In stage II, Alice chooses the label b ∈ {0, 1} M of her chosen presentation point in the intersection of the causal pasts of the presentation points. Further classical communication steps among agents of Alice and Bob take place. The token schemes conclude by Alice giving a classical message x (the token) to Bob at her chosen presentation point Q b and Bob validating the token at Q b if x satisfies a mathematical condition.
The main difference between the first and second token schemes below (either in their idealized or realistic version) is that, in the first one, Alice measures each received qubit randomly in one of two predetermined bases, while in the second one Alice measures large sets of qubits in the same basis, which is chosen randomly by Alice from two predetermined bases. The first token scheme is more suitable to implement with setups used for quantum key distribution. The second token scheme requires a slightly different setup.
We say a token scheme satisfies instant validation if, for any presentation point Q i , an agent of Bob receiving a token from Alice at Q i can validate or reject the token nearly instantly at Q i , without the need to wait for any messages from other agents at spacetime points spacelike separated from Q i .
We say a token scheme is: • ǫ rob −robust if the probability that Bob aborts when Alice and Bob follow the token scheme honestly is not greater than ǫ rob , for any b ∈ {0, 1} M ; • ǫ cor −correct if the probability that Bob does not accept Alice's token as valid when Alice and Bob follow the token scheme honestly is not greater than ǫ cor , for any b ∈ {0, 1} M ; • ǫ priv −private if the probability that Bob guesses Alice's bit-string b before she presents her token to Bob is not greater than 1 2 M + ǫ priv , if Alice follows the token scheme honestly, for b ∈ {0, 1} M chosen randomly from a uniform distribution by Alice; • ǫ unf −unforgeable, if the probability that Bob accepts Alice's tokens as valid at any two or more different presentation points is not greater than ǫ unf , if Bob follows the token scheme honestly.
We say a token scheme using N transmitted quantum states is: • correct if it is ǫ cor −correct with ǫ cor decreasing exponentially with N .
• private if it is ǫ priv −private with ǫ priv approaching zero by increasing some security parameter.
• unforgeable if it is ǫ unf −unforgeable with ǫ unf decreasing exponentially with N .
Note that our definition of privacy is different because it depends on different parameters: see Lemma 4 below. In our schemes each of the N quantum states is a qubit state with probability 1 − P noqub , and a quantum state of arbitrary Hilbert space dimension greater than two with probability P noqub , where P noqub = 0 in ideal schemes and P noqub > 0 in practical schemes. In photonic implementations, each pulse transmitted by Bob is either vacuum or one-photon with probability 1 − P noqub , and multi-photon with probability P noqub .
Below we present token schemes for two presentation points (M = 1) that satisfy instant validation and that are robust, correct, private and unforgeable. The extension to 2 M presentation points for any M ∈ N is given in Appendix H. For clarity of the presentation we first present the ideal quantum token schemes IQT 1 and IQT 2 where there are not any losses, errors, or any other experimental imperfections. These are given in Table I. More realistic quantum token schemes QT 1 and QT 2 that allow for various experimental imperfections are presented in Tables II and III, respectively. An illustration of implementation in a token scheme for the case of two spacelike separated presentation points is given in Fig. 1. We use the following notation. We use bold font notation a for strings of bits. The bitwise complement of a string a is denoted byā. The kth bit entry of a string a is denoted by a k . We define the set [N ] = {1, 2, . . . , N }. The symbol '⊕' denotes bit-wise sum modulo 2 or sum modulo 2 depending on the context. We write the Bennett-Brassard 1984 (BB84) states [30] as |φ 00 = |0 , |φ 10 = |1 , |φ 01 = |+ and |φ 11 = |− , where |± = 1 √ 2 |0 ± |1 , and where D 0 = {|0 , |1 } and D 1 = {|+ , |− } are qubit orthonormal bases, called the computational and Hadamard bases, respectively. The Hamming distance is denoted by d(·, ·).
The quantum token schemes IQT 1 and IQT 2 given in Table I have the following properties. First, the token schemes are correct. Since we assume there are not any errors in the state preparations and measurements, if Alice and Bob follow the token scheme honestly then Bob validates Alice's token at her chosen presentation point Q b with unit probability. If Alice and Bob follow IQT 1 honestly, . Thus,d b = y, which means that y k = u k for all k ∈ ∆ b , hence, Alice measures in the same basis of preparation by Bob for all states |ψ k with labels k ∈ ∆ b . Therefore, Alice obtains the correct outcomes for these states: Similarly, if Alice and Bob follow IQT 2 honestly then we have that d b has bit entriesd b,k = b ⊕ c = z = y k , for k ∈ [N ]. Thus, as above,d b = y, i.e.d b corresponds to the string of measurement basis implemented by Alice. Therefore, in both token schemes IQT 1 and IQT 2 , Alice obtains x b = t b and Bob validates Alice's token at Q b with unit probability.
Second, the token schemes are robust. More precisely, neither Bob nor Alice have the possibility to abort. This is because we assume there are not any losses of the trans-FIG. 1. Illustration of implementation in a quantum token scheme. A case of two presentation points in a Minkowski spacetime diagram in 1 + 1 dimensions is illustrated. Bob has laboratories B, B0 and B1, controlled by agents B, B0 and B1 (yellow rectangles), and Alice has laboratories A, A0 and A1, controlled by agents A, A0 and A1 (green rectangles), adjacent to Bob's laboratories. The quantum communication stage takes place within B and A, can take an arbitrarily long time and can be completed arbitrarily in the past of the presentation points (Q0 and Q1). Alice's classical measurement outcomes x are kept secret by Alice and communicated to her laboratories A0 and A1 via secure and authenticated classical channels. In this illustrated example, Alice sends classical messages to Bob at the laboratory B, and either at B0 or B1. The messages sent to B can take place anywhere in the past of Q0 and Q1 after the quantum communication stage, and includes a message indicating the labels of the quantum states successfully measured by Alice. These messages are communicated from B to B0 and B1 via secure and authenticated classical channels. Alice chooses to present her token at Q b within the intersection of the causal pasts of Q0 and Q1. The message at either B0 or B1 is the bit c = b ⊕ z, effectively committing Alice to present her token at Q b . Alice presents the token by giving Bob x at Q b . The case b = 1 is illustrated. The small black box represents a fast classical computation performed at Bob's laboratory receiving the token, to validate or reject Alice's token, as described in step 12 of the scheme QT 1 (see Table II), for instance. As illustrated, this would require this computation to be completed within a time shorter than the time that light takes to travel between the locations of laboratories B0 and B1, which could be of 10 µs if B0 and B1 are separated by 3 km, for example. This is because, as discussed in the introduction, we require presentation and acceptance to be completed within spacelike separated regions in order to achieve an advantage over purely classical token schemes. mitted quantum states and that Alice successfully measures all the received quantum states. Thus, Alice does not need to report to Bob any labels of states that she successfully measured, in contrast to the extended token schemes QT 1 and QT 2 discussed below.
Third, the token schemes are private, i.e. Bob cannot obtain any information about b in the causal past of Q b . This is because the messages Alice sends Bob in the causal past of Q b carry no information about b and we assume that Alice's laboratories and communication Ideal quantum token scheme IQT 1 Stage I 1. For k ∈ [N ], B generates the qubit state |ψ k = |φt k u k randomly from the BB84 set and sends it to A with its label k. Let the N −bit strings t = (t1, . . . , tN ) and u = (u1, . . . , uN ) denote the states and bases of preparation by B.
2. For k ∈ [N ], A measures each received qubit randomly in the computational basis (y k = 0) or in the Hadamard basis (y k = 1) and obtains a string of N bit outcomes x. Let the N -bit string y = (y1, . . . , yN ) denote Alice's measurement bases.

10.
A sends a signal to A b indicating to present the token at Q b , and A b presents the token where av is the restriction of a string a ∈ {x, t} to entries a k with k ∈ ∆v, where ∆v = {k ∈ [N ]|d v,k = u k }, and whered v,k is the kth bit entry of the stringdv, for k ∈ [N ] and for v ∈ {0, 1}. That is, Bob validates the token if Alice reports the correct measurement outcome for each qubit that she measured in Bob's preparation basis.
2. The step 2 of IQT 1 is replaced by the following. A chooses a bit z randomly. A measures each received qubit in the computational basis if z = 0 or in the Hadamard basis if z = 1. The string y ∈ {0, 1} N denoting Alice's measurement bases has bit entries y k = z for k ∈ [N ].
6. The step 9 of IQT 1 is replaced by the following. For i ∈ {0, 1}, in the causal past of Qi, Bi computes the stringdi ∈ {0, 1} N with bit entriesd i,k = i ⊕ c, for k ∈ [N ]. 7. As steps 10 and 11 of IQT 1 . TABLE I. Ideal quantum token schemes IQT 1 and IQT 2 for two presentation points. Steps 1 to 8 in IQT 1 , and 1 to 5 in IQT 2 , take place within the intersection of the causal pasts of the presentation points. channels are secure.
Fourth, the token schemes are unforgeable. This follows from the following lemma, which is shown in Appendix D. Alternative proofs are given in Ref. [31], based on quantum state discrimination tasks. We have chosen the proof given in Appendix D because an extension of it allows us to to prove Theorem 1 too. Lemma 1. The quantum token schemes IQT 1 and IQT 2 are ǫ unf −unforgeable with Fifth, the token schemes satisfy instant validation. We note from step 11 of IQT 1 that a token received by Bob's agent B b from Alice's agent A b at a presentation point Q b can be validated by B b near-instantly at Q b . In particular, B b does not need to wait for any signals coming from other agents of Bob.
Finally, the token schemes above can be modified in various ways. For example, in IQT 1 , step 3 can be discarded, and step 10 can be replaced by the following: after choosing b, A sends x to A b and A b presents the token x to B b in Q b . In another variation, step 5 in IQT 1 can be modified so that B computes d i and sends it to B i ; in both versions of step 5, B i must have d i in the causal past of Q i , for i ∈ {0, 1}. In another variation, the step 9 in IQT 1 is performed only by Bob's agent B b receiving a token from Alice. The version we have chosen for step 9 allows B b to reduce the computation time after receiving a token, hence, allowing faster token validation. Further variations of the token schemes can be devised in order to satisfy specific requirements; for example, some steps might need to be completed within very short times, which might require to reduce the computations within these steps, which can be achieved by delegating some computations within some other steps, for instance. B. Practical quantum token schemes QT 1 and QT 2 for two presentation points The quantum token schemes QT 1 and QT 2 presented in Tables II and III extend the quantum token schemes IQT 1 and IQT 2 to allow for various experimental imperfections (see Table V), and under some assumptions (see Table VI). QT 1 and QT 2 can be implemented in practice with the photonic setups of Fig. 3.
The token schemes QT 1 and QT 2 can be modified in various ways, as discussed for the token schemes IQT 1 and IQT 2 .
Regarding correctness, we note in the token scheme QT 1 that if Alice follows the token scheme honestly and chooses to present the token in Q b , then we have thatd b has bit entriesd b,j = d b,j ⊕c = d j ⊕b⊕c = d j ⊕z = y j , for j ∈ [n]. Thus,d b = y, i.e.d b corresponds to the string of measurement bases implemented by Alice on the quantum states reported to be successfully measured. Similarly, in the token scheme QT 2 if Alice follows the token scheme honestly and chooses to present the token in Q b , then we have thatd b has bit entriesd b,j = b⊕c = z = y j , for j ∈ [n]. Thus, as above,d b = y, i.e.d b corresponds to the string of measurement bases implemented by Alice on the quantum states reported to be successfully measured. Therefore, in both token schemes QT 1 and QT 2 , if Alice can guarantee her error probability to be bounded by E < γ err then with very high probability she will make less than |∆ b |γ err bit errors in the |∆ b | quantum states that she measured in the basis of preparation by Bob.
Let P det be the probability that a quantum state |ψ k transmitted by Bob is reported by Alice as being successfully measured, with label k ∈ Λ, for k ∈ [N ]. Let E be the probability that Alice obtains a wrong measurement outcome when she measures a quantum state |ψ k in the basis of preparation by Bob; if the error rates E tu are different for different prepared states, labelled by t, and for different measurement bases, labelled by u, we simply take E = max t,u {E tu }.
The robustness, correctness, privacy and unforgeability of QT 1 and QT 2 are stated by the following lemmas, proven in Appendix E, and theorem, proven in Appendix G. These lemmas and theorem consider parameters γ det , γ err ∈ (0, 1), allow for the experimental imperfections of Table V and make the assumptions of Table  VI. A diagram presenting the conditions under which robustness, correctness and unforgeability are satisfied simultaneously is given in Fig. 4.
, B prepares bits t k and u k with respective probability distributions P k PS (t k ) and P k PB (u k ), satisfying 1 2 − βX ≤ P k X (t) ≤ 1 2 + βX, where βX ∈ 0, 1 2 is a small parameter, for X ∈ {PS, PB}, t ∈ {0, 1} and k ∈ [N ]. We define t = (t1, . . . , tN ) and u = (u1, . . . , uN ). For k ∈ [N ], B prepares a quantum system A k in a quantum state |ψ k and sends it to A with its label k. B chooses k ∈ Ω noqub with probability P noqub > 0 or k ∈ Ω qub with probability 1 − P noqub . For k ∈ Ω qub , |ψ k = |φ k t k u k is a qubit state, where φ k 0u |φ k 1u = 0 for u ∈ {0, 1}, where the qubit orthonormal basis D k u = {|φ k tu } 1 t=0 is the computational (Hadamard) basis up to an uncertainty angle θ on the Bloch sphere if u = 0 (u = 1). For k ∈ Ω noqub , |ψ k = |Φ k t k u k is a quantum state of arbitrary finite Hilbert space dimension greater than two. In photonic implementations, a vacuum or one-photon pulse has label k ∈ Ω qub , with a one-photon pulse encoding a qubit state, while a multi-photon pulse has label k ∈ Ω noqub and encodes a quantum state of finite Hilbert space dimension greater than two.
2. For k ∈ [N ], A measures A k in the qubit orthonormal basis Dw k , for w k ∈ {0, 1} and k ∈ [N ]. Due to losses, A only successfully measures quantum states |ψ k with labels k from a proper subset Λ of [N ]. Let W be the string of bit entries w k for k ∈ Λ and let n = |Λ|. Conditioned on k ∈ Λ, the probability that A measures A k in the basis Dw k satisfies PMB(w k ) = 1 2 , for w k ∈ {0, 1} and k ∈ [N ]. A reports to B the set Λ. B does not abort if and only if n ≥ γ det N .

3.
A chooses a one-to-one function g : Λ → [n], for example the numerical ordering, and sends it to B. Let yj ∈ {0, 1} indicate the basis Dy j on which the quantum state |ψ k is measured by A and let xj ∈ {0, 1} be the measurement outcome, where j = g(k), for k ∈ Λ and j ∈ [n]. Let y ∈ {0, 1} n and x ∈ {0, 1} n denote the strings of Alice's measurement bases and outcomes, respectively.

5.
A chooses a bit z with probability PE(z) that satisfies 1 2 − βE ≤ PE(z) ≤ 1 2 + βE, for z ∈ {0, 1}, and for a small parameter βE ∈ 0, 1 2 . A computes the string d ∈ {0, 1} n with bit entries dj = yj ⊕ z, for j ∈ [n]. A sends d to B. 7. B uses t, u, Λ and g to compute the strings s, r ∈ {0, 1} n , as follows. We define rj = t k , and sj = u k , where j = g(k), for j ∈ [n] and k ∈ Λ. We define r and s as the strings with bit entries rj and sj, for j ∈ [n]. B sends s and r to Bi, for i ∈ {0, 1}.

11.
A sends a signal to A b indicating to present the token at Q b , and A b presents the token x to B b in Q b .
12. B b validates the token x received in Q b if the Hamming distance between the strings x b and r b satisfies d(x b , r b ) ≤ |∆ b |γerr, where ∆v = {j ∈ [n]|dv,j = sj}, and where av is the restriction of a string a ∈ {x, r} to entries aj with j ∈ ∆v, for v ∈ {0, 1}. TABLE II. Practical quantum token scheme QT 1 for two presentation points. Steps 1 to 9 take place within the intersection of the causal pasts of the presentation points. See Table IV for a summary of the notation and Fig. 2  We define the function where There exist parameters satisfying the constraints (7), for which f (γ err ,β PS ,β PB ,θ,ν unf ,γ det ) > 0. For these parameters, QT 1 and QT 2 are ǫ unf −unforgeable with We note in step 0 of QT 1 and QT 2 that Alice and Bob agree on parameters N , β PB , γ det and γ err . As follows from Lemmas 2 -4, in order for Alice to obtain a required degree of correctness, robustness and privacy, she must guarantee her experimental parameters P det , E and β E to be good enough. This is independent of any experimental parameters of Bob, except for the previously agreed parameter β PB , which plays a role in correctness but not in robustness or privacy. Additionally, Alice must choose a suitable mathematical variable ν cor to compute a guaranteed degree of correctness, as given by the bound of Lemma 3.
On the other hand, as follows from Theorem 1, in order for Bob to obtain a required degree of unforgeability, he must guarantee his experimental parameters P noqub , θ, β PB and β PS to be good enough. This is independent of any experimental parameters of Alice. Additionally, Bob must choose a suitable mathematical variable ν unf to compute a guaranteed degree of unforgeability, as given by the bound of Theorem 1.
Furthermore, as follows from Lemma 4, in order for Alice to obtain a required degree of privacy, she must guarantee her experimental parameter β E to be small enough.
The parameters N , β PB , γ det and γ err agreed by Alice and Bob must be good enough to achieve their required degrees of robustness, correctness and unforgeability. But they must also be achievable given their experimental setting.
C. Extension of QT 1 and QT 2 to 2 M presentation points Extensions of the quantum token schemes QT 1 and QT 2 to 2 M presentation points, for any integer M ≥ 1, and the proof of the following theorem are given in Appendix H.
Theorem 2. For any integer M ≥ 1, there exist quantum token schemes QT M 1 and QT M 2 extending QT 1 and QT 2 to 2 M presentation points, in which Bob sends Alice N M quantum states, satisfying instant validation and the following properties. Consider parameters β PB , β PS , β E , P det , P noqub , E and θ satisfying the constraints (2), (4), (7) of Lemmas 2 and 3 and Theorem 1, for which the function f (γ err ,β PS ,β PB ,θ,ν unf ,γ det ) defined by (8) Table IV for a summary of the notation and Fig. 2 for an illustration of the scheme.

D. Quantum experimental tests
We performed experimental tests for the quantum stage of the QT 1 scheme for the case of two presentation points (M = 1), using the photonic setup of Fig. 3

Symbol
Brief description Q i and reporting strategy 1 (see Methods for details). Using a photon source with Poissonian distribution of average photon number µ = 0.09, and at repetition rate of 10 MHz, we generated a token of N = 4 × 10 7 photon pulses, with detection efficiency of η = 0.21, detection

No
Brief description Explanation and comments 1 For k ∈ [N ], there is a small probability P noqub > 0 for B to prepare a quantum state |ψ k of arbitrary finite Hilbert space dimension greater than two.
In photonic implementations, we define P noqub and Ω noqub ⊆ [N ] as the probability that a pulse is multi-photon and as the set of labels for multi-photon pulses (see Methods). We define Ω qub = [N ] \ Ω noqub as the set of labels for vacuum or one-photon pulses, where the subindex refers to 'qubit'. When showing unforgeability, we treat vacuum pulses as one-photon pulses encoding the qubit state Bob attempted to send. Since this gives Alice extra options that cannot make it more difficult for her to cheat, the deduced unforgeability bound holds in general. A Poissonian photon source (e.g. weak coherent) with average photon number µ << 1 gives P noqub = 1 − (1 + µ)e −µ = µ 2 2 + O(µ 3 ), while a heralded single-photon source can give extremely small values for P noqub , of the order of 10 −10 for usual experimental parameters.
2 For k ∈ Ω qub , B prepares |ψ k = |φ k t k u k in a qubit orthonormal basis D k u k that is the computational (Hadamard) basis within an uncertainty angle θ ∈ 0, π 4 on the Bloch sphere if u k = 0 (u k = 1).
Thus, the angle on the Bloch sphere between the states |φ k t0 and |φ k t1 is guaranteed to be within the range [ π 2 − 2θ, π 2 + 2θ], for k ∈ Ω qub . We define O(θ) = 1 √ 2 cos θ + sin θ , where the notation refers to 'overlap' on the Bloch sphere. It follows that 3 For k ∈ [N ], B generates the bits t k and u k with probability distributions P k PS (t k ) and P k PB (u k ) that have small deviations from the random distributions given by biases βPS, βPB > 0.
That is, we have 1 2 − βX ≤ P k X (t) ≤ 1 2 + βX, with 0 < βX < 1 2 , for t ∈ {0, 1}, k ∈ [N ] and X ∈ {PS, PB}. The subindices 'PS' and 'PB' refer to 'preparation state' and 'preparation basis', respectively. It is useful for our security analysis to define: λ(θ, βPB) = 1 A applying a measurement on a qubit basis D0 (D1) on a received quantum state that is not a qubit, i.e. for k ∈ Ω noqub , means that A sets her devices as she would do to apply a measurement in the qubit basis D0 (D1) -we note that A does not know the sets Ω qub and Ω noqub . For photonic setups, this may include arranging a set of wave plates, polarizing beam splitters and single photon detectors in a particular setting. If D0 and D1 are very different to the computational and Hadamard bases, the number of measurement errors in Alice's outcomes is high. But, this is considered in our security analysis via Alice's error rate. Moreover, the set of two measurement bases applied by A could vary slightly for different quantum states |ψ k , i.e., for different k ∈ [N ]. However, we can include these deviations from the measurement bases D0 and D1 of A in the bases D k u k of preparation by B, and assume that A applies either D0 or D1 to |ψ k , for k ∈ [N ]. In other words, the uncertainty angle θ on the Bloch sphere accounts for both preparation and measurement misalignments. Thus, our analysis is without loss of generality.
6 There are errors in Alice's quantum measurements.
Thus, Alice obtains some errors in the measurements that she performs in the same basis of preparation by Bob. For this reason, in the validation stage, Bob allows a fraction of bit errors in Alice's reported measurement outcomes, up to a predetermined small threshold γerr > 0, where 'err' stands for 'errors'. 7 A generates the bit z with probability distribution PE(z) that has small deviation from the random distribution given by a bias βE > 0.
That is, we have that The subindex 'E' refers to 'encoding'. A can guarantee the parameter βE to decrease exponentially with a number NCRB of close-to-random bits with biases not greater than βCRB ∈ 0, 1 2 , as follows from the Piling-up Lemma [33].
8 In photonic setups, the single photon detectors used by A are threshold, i.e. they cannot distinguish the number of photons activating a detection. Moreover, the detectors have non-zero dark count probabilities.
Thus, for some photon pulses received from B, more than one of the detectors of A click. In order to counter multi-photon attacks [32], in which B sends and tracks multi-photon pulses to obtain information about the measurement bases of A, and guarantee privacy, A must carefully choose how to report multiple clicks to B, i.e. how to define successful measurements. For this reason, in the second step of our token schemes QT 1 and QT 2 with the photonic setups of Fig. 3, A implements the reporting strategies 1 and 2, respectively. As follows from straightforward extensions of Lemmas 1 and 12 of Ref. [32], assumption F (see Table VI) guarantees that these reporting strategies offer perfect protection against arbitrary multi-photon attacks (see Lemma 5 in Methods).

Label Brief description Explanation and comments
That is, we assume that B prepares each qubit state from exactly two qubit bases. However, in the most general case (not considered here), B prepares each qubit state from a set of four qubit states that does not necessarily define two qubit basis. B B generates the bit strings t = (t1, . . . , tN ) and u = (u1, . . . , uN ) with probability distributions that are exactly products of single bit probability distributions.
In the general case (not considered here), the strings t and u could be generated with a probability distribution in which t and u, and different bit entries of t and u, could be correlated.
C The set Λ of labels transmitted to B in step 2 of QT 1 and QT 2 gives B no information about the string W and the bit z.
In the photonic setups of Fig. 3 to implement QT 1 and QT 2 , with the reporting strategies 1 and 2, respectively, assumption C (and also assumption D for QT 1 ) follows from assumptions E and F (see Lemma 5 in Methods). D In QT 1 , conditioned on reporting the quantum state |ψ k as successfully measured, i.e. conditioned on k ∈ Λ, A measures |ψ k in an orthogonal qubit basis Dw k with a probability distribution PMB(w k ) = 1 2 , for w k ∈ {0, 1} and k ∈ [N ], where the subindex denotes 'measurement basis'. This is a necessary, but in general not sufficient, condition for QT 1 to satisfy assumption C. If this assumption did not hold, there would be at least one label k ′ ∈ Λ for which PMB(w k ′ = i) > PMB(w k ′ = i ⊕ 1), for some i ∈ {0, 1}. Thus, B could in principle guess the entry w k ′ of W with probability greater than 1 2 . This would mean that the set Λ reported by A would have given B some information about W , in contradiction with assumption C. E B cannot use degrees of freedom not previously agreed for the transmission of the quantum states to affect, or obtain information about, the statistics of the quantum measurement devices of A.
This assumption guarantees that A is perfectly protected from any side-channel attack by B in any type of physical setup (not necessarily photonic) [32].
In our notation, the term 'detection efficiency' includes the quantum efficiency of the detectors of A and the transmission efficiency from the setup of B to the detectors. We note that the condition Exactly equal detection efficiencies cannot be guaranteed in practice. But, attenuators can be used to make the detector efficiencies approximately equal. Furthermore, A can effectively make the dark count probabilities of her detectors approximately equal by simulating dark counts in the detectors with lower dark count probabilities so that they approximate the dark count probability of the detector with highest dark count probability. To our knowledge, that dark counts and each photo-detection are independent random events is a valid assumption.
G In photonic setups, from the perspective of A, the pulses of B are mixtures of Fock states: in particular A has no information about relative phases of the components with definite photon number.
If this assumption is not satisfied, the quantum state received by A could not be described by our analysis, opening the possibility to attacks more powerful than the ones considered in our security proof (e.g. more powerful state discrimination attacks [34]). This assumption is consistent with our security analysis and is satisfied in practice if B uses a weak coherent source and he uniformly randomizes the phase of each pulse transmitted to A; or if B uses an arbitrary photonic source with arbitrary signal states and he applies a physical operation to the transmitted pulses with the property that it applies a random phase ϕ per photon -i.e. an l-photon pulse acquires an amplitude e ilϕ [35]. Alternatively, this condition can be satisfied to a good approximation if B uses a photonic source with low spatiotemporal coherence, for example, a source comprising LEDs [36], as in our experimental tests reported below. probability of P det = 0.019 and error rate of E = 0.058. We obtained deviations from the random distributions for the basis and state generation of β PB = 2.4 × 10 −3 and β PS = 3.6 × 10 −3 , respectively. In order to guarantee unforgeability using Theorem 1 we need to improve some experimental parameters (see Fig. 5).
Guaranteeing privacy in our schemes QT 1 and QT 2 can be satisfied with good enough random number generators, as follows from Lemma 4. Due to the piling-up lemma, by using a large number of close-to-random bits, we can guarantee ǫ priv to be arbitrarily small in practice.
Photonic setups to implement the quantum stage of QT 1 and QT 2 . In both QT 1 and QT 2 , the setup of honest B comprises an approximate single photon source and a polarization state modulator, encoding the quantum state |ψ k in the polarization degrees of freedom of a photon pulse labelled by k, for k ∈ [N ]. a In QT 1 , the setup of honest A comprises a 50:50 beam splitter, a wave plate, two polarizing beam splitters (PBS01 and PBS+−) and four threshold single photon detectors D0, D1, D+ and D−. In order to counter multi-photon attacks by B, A implements the following reporting strategy that we call here reporting strategy 1 : A assigns successful measurement outcomes in the basis D0 (D1) with unit probability for the pulses in which at least one of the detectors D0 and D1 (D+ and D−) click and D+ and D− (D0 and D1) do not click. As follows from Ref. [32], this reporting strategy offers perfect protection against arbitrary multi-photon attacks, given assumption F (see Table VI, and Lemma 5 in Methods). b In QT 2 , the setup of honest A comprises a wave plate set in one of two positions, according to the value of her bit z, a polarizing beam splitter and two threshold single photon detectors D0 and D1. In order to counter multi-photon attacks by B, A implements the following reporting strategy that we call here reporting strategy 2 : A reports to B as successful measurements those in which at least one of her two detectors click. As follows from Ref. [32], this reporting strategy offers perfect protection against arbitrary multi-photon attacks, given assumption F (see Table  VI, and Lemma 5 in Methods).

III. DISCUSSION
We have presented two quantum token schemes that do not require either quantum state storage or long distance quantum communication, and are practical with . The function f is defined by (8). If all the conditions are satisfied (filled area) then there exist a sufficiently large integer N such that QT 1 and QT 2 are ǫ rob -robust, ǫcor-correct and ǫ unf -unforgeable, for desired values of ǫ rob , ǫcor, ǫ unf > 0.
current technology. Our schemes allow for losses, errors in the state preparations and measurements, and deviations from random distributions; and, in photonic setups, photon sources that do not emit exactly single photons, and threshold single photon detectors with non-unit detection efficiencies and with non-zero dark count probabilities (see Table V). Our analyses follow much of the literature on practical mistrustful quantum cryptography (e.g. [37][38][39][40][41]) in making the assumptions of Table VI. Under these assumptions, we have shown that there exist attainable experimental parameters for which our schemes can satisfy instant validation, correctness, robustness, unforgeability and user privacy. Importantly, Theorem 2 shows that this holds, in principle, for 2 M presentation points with arbitrary M . As in the schemes of Ref. [28], our schemes allow the user to choose her presentation point Q b after her quantum measurements are completed, as long as she chooses Q b within the intersection of the causal past of all the presentation points. This means that the quantum communication stage of our schemes can take an arbitrarily long time and can be implemented arbitrarily in the past of the presentation points, which is very convenient for practical implementations.
We note that the security of our quantum token schemes does not rely on any spacetime constraints. In principle, all presentation points could be timelike separated, for example. However, as discussed in the introduction, in order for our quantum token schemes to have an advantage over purely classical schemes, some spacetime presentation points need to be spacelike separated.
In practice, this means that some classical processing and classical communication steps in our schemes must and β PS = 36 (10 -4 ). Guaranteed security ¢ < 10 -9 below the curves.
FIG. 5. Numerical example. The plots denote the maximum value βmax for βPB and βPS that our bounds can allow to guarantee correctness, robustness and unforgeability simultaneously in a numerical example with the allowed experimental imperfections of Table V and under the assumptions of Table VI for our quantum token schemes QT 1 and QT 2 . The region below the plotted curves denote the secure region in which we have set ǫ rob = ǫcor = ǫ unf = 10 −9 in Lemmas 2 and 3 and in Theorem 1. The plotted values keep all parameters fixed to the experimental values reported above, except for the deviations from the random distributions for basis and state generation, βPB and βPS, the uncertainty θ on the Bloch sphere in the state generation, and the error rate E. The blue curve denotes the values obtained for the experimentally obtained value E = 0.058. The red square denotes the assumed upper bound for our experimental values of θ ≤ 10 • , and corresponds to a value of βmax = 6 × 10 −6 , which is about 400 and 600 times smaller than the obtained experimental values of βPB = 2.4 × 10 −3 and βPS = 3.6 × 10 −3 , respectively. The orange and gray curves plot the values of βmax assuming E = 0.03 and E = 0.01, respectively. In an ideal case in which θ = 0 • and E = 0.01, the value for βmax would be approximately 6 × 10 −4 , which is about four and six times smaller than our obtained experimental values for βPB and βPS, respectively. In a more realistic case, with θ = 5 • and E = 0.03, our numerical example gives approximately βmax = 2.3×10 −4 ; meaning that with these experimental values, by reducing our obtained experimental values for βPB and βPS by respective factors of approximately 10 and 16, we could guarantee correctness, robustness and unforgeability simultaneously in our schemes.
be implemented sufficiently fast. This is in general feasible with current technology (for example, using field programmable gate arrays), if the presentation points are sufficiently far apart, as demonstrated by previous implementations of relativistic cryptographic protocols [38,39,[42][43][44]. Furthermore, Alice's and Bob's laboratories must be synchronized securely to a common reference frame with sufficiently high time precision. This can be implemented using GPS devices and atomic clocks [38,39,[42][43][44], for example. A detailed analysis of these experimental challenges is left for future work. Using quantum key distribution for secure communications in our quantum token schemes can be useful, but it is not crucial. As discussed, Alice's and Bob's agents must communicate via secure and authenticated classical channels, which can be implemented with previously distributed secret keys. In an ideal situation where Alice's and Bob's agents have access to enough quantum channels, for example in a quantum network [45][46][47][48] or in the envisaged quantum internet [49,50], these keys can be expanded securely with quantum key distribution [30,51,52]. However, it is also possible to distribute the secret keys via secure physical transportation, as implemented in previous demonstrations of relativistic quantum cryptography [38,39,[42][43][44].
We note that in our proof of unforgeability, our only potential restriction on the technology and capabilities of dishonest Alice is indirectly made through assumption G in photonic setups (see Table VI), in the case where Bob's photon source does not perfectly conceal phase information. In fact, we believe that assumptions A, B and G can be significantly weakened. Investigating unforgeability for realistic weaker forms of these assumptions is left as an open problem.
We implemented experimental tests of the quantum part of our scheme (QT 1 ) using a free space optical setup [53,54] for quantum key distribution (QKD) that was slightly adapted for our scheme, and which can operate at daylight conditions. Importantly, Bob's transmission device is small, hand-held and low cost. These type of QKD setups are designed for future daily-life applications, for example with mobile devices (see e.g. [55][56][57]).
Experiments with our relatively low precision devices do not guarantee unforgeability, but show it can be guaranteed with refinements. Crucial experimental parameters that we need to improve to achieve this are the deviations β PB and β PS from random basis and state generation, respectively. In our tests we obtained β PB = 2.4 × 10 −3 and β PS = 3.6 × 10 −3 . An implementation in which the uncertainty in basis choices was bounded by θ = 5 • and the error rate by E = 0.03 would guarantee unforgeability if β PB ≈ β PS ≈ 2.3 × 10 −4 (about a factor of 10 and 16 lower than our values). This highlights that it is crucial to consider the parameters β PS and β PB in practical security proofs. For example, if we simply assumed β PS = β PB = 0 as our experimental values then our results would imply that we had attained unforgeability, even for θ = 10 • (see Fig. 5). Taking β PS = β PB = θ = 0, as implicitly assumed in some previous analyses of practical mistrustful quantum cryptography (e.g. [38,39,41]), is unsafe.
User privacy can also be guaranteed by using good enough random number generators. However, further security issues arise from the assumptions that Bob cannot use degrees of freedom not previously agreed for the transmission of the quantum states to affect, or obtain information about, the statistics of Alice's quantum measurement devices; and, in photonic setups, that Alice's single photon detectors have equal efficiencies and equal dark count probabilities (assumptions E and F in Table VI). These issues are not specific to our implemen-tations or to quantum token schemes: they arise quite generally in practical mistrustful quantum cryptographic schemes in which one party measures states sent by the other. The attacks they allow, and defences against these (such as requiring single photon sources and using attenuators to equalize detector efficiencies) are analysed in detail elsewhere [32]. As noted in Ref. [32], further options, such as iterating the scheme and using the XOR of the bits generated, also merit investigation. Importantly, our analyses here take into account multi-photon attacks [32] in photonic setups, and the reporting strategies we have considered offer perfect protection against arbitrary multi-photon attacks, given our assumptions (see Fig. 3, and Lemma 5 in Methods).
In conclusion, our theoretical and experimental results give a proof of principle that quantum token schemes are implementable with current technology, and that, conditioned on standard technological assumptions, security can be maintained in the presence of the various experimental imperfections we have considered (see Table V). As with other practical implementations of mistrustful quantum cryptography (and indeed quantum key distribution), completely unconditional security would require defences against every possible collection of physical systems Bob might transmit to Alice, including programmed nano-robots that could enter and reconfigure her laboratory [58]. Attaining this is beyond current technology, but such far-fetched possibilities also illustrate that security based on suitable technological assumptions (which may depend on context) may suffice for practical purposes. More work on attacks and defences in practical mistrustful quantum cryptography is undoubtedly needed to reach consensus on trustworthy technologies. That said, as our schemes are built on simple mistrustful cryptographic primitives, we expect they can be refined to incorporate any agreed practical defences [32].

A. Protection against multi-photon attacks in photonic implementations
The following lemma is a straightforward extension of Lemmas 1 and 12 of Ref. [32] to the case of N > 1 transmitted photon pulses. Note that Alice (Bob) in our notation refers to Bob (Alice) in the notation of Ref. [32]. The proof is given in Appendix F.
Lemma 5. Suppose that Bob sends Alice N photon pulses, labelled by k ∈ [N ]. Let the kth pulse have L k photons. Let ρ be an arbitrary quantum state prepared by Bob in the polarization degrees of freedom of the photons sent to Alice, which can be arbitrarily entangled among all photons in all pulses and can also be arbitrarily entangled with an ancilla held by Bob. Let D 0 and D 1 be two arbitrary qubit orthogonal bases. Suppose that either Alice uses the setup of Fig. 3 with reporting strategy 1 to implement the quantum token scheme QT 1 (see Table  II), or Alice uses the setup of Fig. 3 with reporting strategy 2 to implement the quantum token scheme QT 2 (see Table III). Suppose also that assumptions E and F (see Table VI) hold. For k ∈ [N ], let m k = 1 if Alice assigns a successful measurement to the kth pulse and m k = 0 otherwise; let w k = 0 (w k = 1) if Alice assigns a measurement basis to the kth pulse in the basis D 0 (D 1 ). If Alice uses the setup of Fig. 3 and reporting strategy 1 to implement the scheme QT 1 , without loss of generality, suppose also that Alice sets If Alice uses the setup of Fig. 3 with reporting strategy 1 to implement the scheme QT 1 , then the probability that Alice reports the string m to Bob and assigns the string of measurement bases w, given ρ and L, is where for b ∈ {0, 1}, m, w ∈ {0, 1} N and a, L 1 , . . . , L N ∈ {0, 1, 2, . . .}. Furthermore, the probability P MB (w k ) that Alice assigns a measurement in the basis D w k , conditioned on the value m k = 1, for the kth pulse, satisfies for w k ∈ {0, 1} and k ∈ [N ]. If Alice uses the setup of Fig. 3 with reporting strategy 2 to implement the scheme QT 2 , then the probability that Alice reports the string m to Bob, given ρ, w and L, is where for m, w ∈ {0, 1} N and a, L 1 , . . . , L N ∈ {0, 1, 2, . . .}.
In any of the two cases, the message m gives Bob no information about the bit entries w k for which m k = 1. Equivalently, the set Λ ⊂ [N ] of labels transmitted to Bob in step 2 of QT 1 and QT 2 gives Bob no information about the string W and the bit z.

B. Clarification about unforgeability in photonic implementations
A subtle technical issue when implementing our quantum token schemes with photonic setups is that in our schemes we have assumed the quantum systems A k that Bob transmits to Alice to have finite Hilbert space dimension, for k ∈ [N ]. However, some light sources, like weak coherent sources, or other photon sources with Poissonian statistics, can emit pulses with a number of photons J, where J can tend to infinity, although with a probability tending to zero. This issue is easily solved by fixing a maximum number of photons J max and assuming that unforgeability is not guaranteed whenever Bob's photon source emits a pulse with more than J max photons. By fixing J max to be arbitrarily large, but finite, the probability that among the N emitted pulses there is at least one pulse with more than J max photons can be made arbitrarily small. Thus, with probability arbitrarily close to unity, honest Bob is guaranteed that each of his N emitted pulses does not have more than J max photons, i.e., the internal degrees of freedom -like the polarization degrees of freedom -of each pulse, represented by the quantum system A k , have a finite Hilbert space dimension.

C. Experimental setup
Our experimental setup is based on a free space optical quantum key distribution (QKD) system, which can operate at daylight conditions. This setup was developed by one of us (D. L.) during his PhD [54], based upon the work of Ref. [53]. The main features of our experimental setup are illustrated in Figs. 3 and 6.
Only minor changes to our quantum setup are needed to implement the quantum stage of QT 2 . For example, the 50:50 beam splitter in Alice's site can be replaced by a suitably placed mirror directing the received photon pulses to one of the two polarizing beam splitters. This mirror can be set in a movable arm, which positions the mirror in place if z has a specific value (e.g. if z = 1) and out of place, letting the photon pulses reach the other polarizing beam splitter, if z takes the other value (e.g. z = 0). The movable arm putting the mirror in place or out of place does not need to move very fast, as it remains in the same position during the transmission of all N pulses from Bob in the case of two presentation points, or during the transmission of each set of N pulses from the total of N M in the case of 2 M presentation points (see quantum token scheme QT M 2 in Appendix H).

D. Experimental tests and numerical example
The quantum stage of the token scheme QT 1 was implemented with the experimental setup described above.
Below we describe our experiment and the numerical example of Fig. 5. Unless we consider it necessary or helpful, all values smaller than unity obtained in our experiment and numerical example are given below rounded to two significant figures.
In the numerical example of Fig. 5 we used the previous experimental values, except for θ and E, which were varied as shown in the plots, and for β PB and β PS . In the plots of Fig. 5, if β PB ≤ β max and β PS ≤ β max hold, then we obtain from Lemmas 2 and 3 and from Theorem 1 that ǫ rob , ǫ cor , ǫ unf ≤ 10 −9 . We do not claim that our numerical example is optimal. In other words, we do not claim that with our experimental parameters every point above the curves of Fig. 5 is insecure, in the sense that the conditions ǫ rob , ǫ cor , ǫ unf ≤ 10 −9 do not hold. Our claim is only that given our experimental parameters, the regions of points below the curves of Fig. 5 satisfy the conditions ǫ rob , ǫ cor , ǫ unf ≤ 10 −9 .
For the three curves of Fig. 5 we set ν unf = 3.9 × 10 −3 . This is the minimum value for which the first term of ǫ unf in (10) equals 10 −9 2 . This is because, as we describe below, we also chose the parameters satisfying that the second term of ǫ unf in (10) equals 10 −9 2 , from which we have ǫ unf = 10 −9 . We recognize that although this particular choice seems natural, it probably does not optimize our results.
Then, for each of the three considered error rates E = 0.01, E = 0.03 and E = 0.058, and for each of the angles θ = 0 • , 1 • , . . . , 11 • , we set β PB = β PS = β max and varied β max , ν cor and γ err trying to find the maximum value of β max for which both terms of ǫ cor in (5) and the second term of ǫ unf in (10) were as close as possible to 10 −9 2 , but not bigger than 10 −9 2 , while guaranteeing that the constraints (4) and (7) were satisfied. Our results for β max are plotted in Fig. 5.
We describe how we obtained the experimental parameters presented above. At a repetition rate of 10 MHz, Bob transmitted photon pulses to Alice during four seconds. Thus, the number of transmitted pulses was N = 4 × 10 7 .
As discussed below, Alice assigned successful measurements using reporting strategy 1. The number of pulses for which Alice assigned successful measurement was n = 742491. The obtained estimation for the proba-  [54,59]. Neutral-density (ND) filters (small black cylinders) are used to attenuate the pulses down to the required mean photon number, which in our experiment was µ = 0.09. Since Bob's photon source consists of LEDs, and LEDs have low spatio-temporal coherence [36], no phase randomization is required to satisfy assumption G to a good approximation (see Table VI bility P det , was obtained as P det = n N = 0.019. The measured detection efficiency, including the quantum efficiency of the detectors and the transmission probability from Bob's setup to the detectors, was η = 0.21. We note that our obtained value of P det = 0.01856, which we reported above with the less precise value P det = 0.019, is a good approximation to the theoretical prediction in which the photon statistics of Bob's source follow a Poisson distribution with average photon number µ = 0.09, Alice uses reporting strategy 1 with her four detectors having the same efficiency η = 0.21, and the dark count probabilities are assumed to be zero. As follows from (12) and (13) in Lemma 5, this theoretical prediction for P det is given by 1,0 (0, 0, η, k) + G 1,1 (0, 0, η, k) where in the last line we used our experimental parameters µ = 0.09 and η = 0.21. This gives a ratio P det P theo det = 0.996. As mentioned in Fig. 3, Alice applies reporting strategy 1, in order to protect against multi-photon attacks [32] (see Lemma 5). That is, Alice assigns successful measurement outcomes in the basis D 0 (D 1 ) with unit probability for the pulses in which at least one of the detectors D 0 and D 1 (D + and D − ) click and D + and D − (D 0 and D 1 ) do not click. It is clear that when only the detector D i clicks, Alice associates the measurement outcome to the BB84 state |i , for i ∈ {0, 1, +, −}. However, it is not clear how Alice should assign measurement outcomes to the cases in which both D 0 and D 1 (D + and D − ) click and D + and D − (D 0 and D 1 ) do not click. The results of Lemma 5 are independent of how Alice assigns these outcomes. In order to make clear this generality of the results of Lemma 5, we have not included how these outcomes are assigned by Alice in the definition of reporting strategy 1 in Fig. 3. Nevertheless, how these outcomes are assigned by Alice plays a role in the error rate E, and thus also in the degrees of correctness and unforgeability that can be guaranteed (see Lemma 3 and Theorem 1). In our experiment, Alice assigns a random measurement outcome associated to the state |0 and |1 (|+ and |− ) when both D 0 and D 1 (D + and D − ) click and D + and D − (D 0 and D 1 ) do not click.
As mentioned above, in our experiment we obtained Alice's error rate E = 0.058, and deviations from the random distributions for basis and state generation by Bob of β PB = 2.4 × 10 −3 and β PS = 3.6 × 10 −3 , respectively. These values were computed as we describe below.

E. Statistical information
In our experimental tests, the number of photon pulses transmitted from Bob to Alice was N = 4 × 10 7 . The number of pulses for which Alice assigned successful measurement was n = 742491. The obtained estimation for the probability P det , was obtained as P det = n N = 0.019. The error rate E = 0.058 was computed as follows. From the n pulses that Alice assigned as successful measurements, n same tu pulses were prepared by Bob with polarization given by the qubit state |φ tu and were measured by Alice in the same basis of preparation by Bob (D u = {|φ tu } 1 t=0 ), from which n error tu gave Alice the outcome opposite to the state prepared by Bob, i.e. an error, for t, u ∈ {0, 1}. We computed E tu = n error tu n same tu , for t, u ∈ {0, 1}. The estimation for the error rate E was taken as E = max{E 00 , E 10 , E 01 , E 11 }. We obtained n same Our experimentally obtained estimations β PB = 2.4 × 10 −3 and β PS = 3.6 × 10 −3 were obtained from the number n of pulses that Alice reported as successfully measured. We did not use the whole number N of transmitted pulses for these estimations, because the software integrated in our experimental setup is configured to output data for the pulses that produce a detection event in at least one detector. From the n = 742491 pulses reported above, Bob produced n tu pulses in the state |φ tu , for t, u ∈ {0, 1}. We note that n = n 00 + n 10 + n 01 + n 11 . We computed β PB = n00+n10 n − 1 2 and β PS = max n00 n00+n10 − 1 2 , n01 n01+n11 − 1 2 | . We obtained n 00 = 185166, n 10 = 187842, n 01 = 184251, n 11 = 185232, β PB = 2.4 × 10 −3 and β PS = 3.6 × 10 −3 .

ACKNOWLEDGMENTS
The authors acknowledge financial support from the UK Quantum Communications Hub grants no. EP/M013472/1 and EP/T001011/1, and thank Siddarth Koduru Joshi for helpful conversations. A.K. and D.P.G. also thank Sarah Croke for helpful conversations. A.K. is partially supported by Perimeter Institute for Theoretical Physics. Research at Perimeter Institute is supported by the Government of Canada through Industry Canada and by the Province of Ontario through the Ministry of Research and Innovation.
Author contributions A.K and J.R. conceived the project. D.P.G. did the majority of the theoretical work, with input from A.K. D.L. devised the experimental setup and took the experimental data. D.P.G. analysed the experimental data and did the numerical work. A.K. and D.P.G. wrote the manuscript with input from D.L.
Competing interests: A.K. jointly owns the patent 'A. Kent, Quantum tokens, US Patent No. 10,790,972 (2020)' and similar patents in other jurisdictions, and has consulted for and owns shares in a corporate co-owner.
Data availability: the datasets generated and analysed during the current study are available from the corresponding author on reasonable request.
Materials and correspondence: correspondence and requests for materials should be addressed to D.P.G. (email: D.Pitalua-Garcia@damtp.cam.ac.uk).

Appendix A: Summary
These appendices provide the mathematical proofs of the lemmas and theorems given in the main text, as well as some known mathematical results, and new lemmas and a new theorem derived here to prove these results. Appendix B states some well known mathematical results that are used along this text. The rest of this text is divided in three parts. The first part comprises Appendices C and D. Appendix C provides Lemmas 6 and 7, which are used in other appendices to prove various results. In Appendix D, Lemma 1 is proved from Lemma 6. Thus, the first part, along with Appendix B is all that the reader requires for the security proof in the case of two presentation points (the case M = 1) in the ideal case where there are not any errors or losses, i.e. Lemma 1. The second part comprises Appendices E, F and G, which give mathematical details for the case of two presentation points in the general case that there are errors, losses and other experimental imperfections. The third part comprises Appendix H, which gives mathematical details for the case of 2 M presentation points, for any integer M ≥ 1, in the general case that there are errors, losses and other experimental imperfections.
In the second part, Lemmas 2, 3 and 4, which indicate the robustness, correctness and privacy for the token schemes QT 1 and QT 2 given in the main text, are proved in Appendix E. Appendix F proves Lemma 5, showing that reporting strategies 1 and 2 with the photonic setup of Fig. 3 guarantee perfect protection against arbitrary multi-photon attacks [32], given assumptions E and F of Table VI. Using Lemma 6, Appendix G proves Theorem 1, which corresponds to unforgeability for the token schemes QT 1 and QT 2 given in the main text.
In the third part, Theorem 2 given in the main text is proved in Appendix H in the following way. First, the quantum token scheme QT a is extended to a quantum token scheme QT M a for the case of 2 M presentation points, for any integer M ≥ 1, and for a ∈ {1, 2}. Then, Lemmas 8, 9 and 10 and Theorem 3, which respectively state the robustness, correctness, privacy and unforgeability for the token schemes QT M 1 and QT M 2 , are given and proved.
We can then write |ω where in the second line we used that D a is the greatest of the eigenvalues {µ a i } i . Now let |τ b ∈ H A be an eigenstate of D b whose corresponding eigenvalue is D b , i.e. the greatest eigenvalue of D b , and where D b = max a∈Ω D a , for some b ∈ Ω. Let |χ b ∈ H B be a pure state satisfying Π a |χ b = δ a,b |χ b , for a ∈ Ω. It can easily be verified that |τ b ⊗ |χ b is an eigenstate of O with eigenvalue D b = max a∈Ω D a , i.e. there is an eigenvalue of O equal to max a∈Ω D a . Thus, since O is positive semi definite, O is the greatest eigenvalue of O, hence, the result follows from (B5).

Appendix C: Useful mathematical results
In this appendix, we state and prove Lemmas 6 and 7. Lemma 6 extends results of Ref. [38], for example in allowing a small deviation from the random distribution, as characterized by the parameters β PS > 0 and β PB > 0. Lemma 6 is a central mathematical result that we use to prove Lemma 1 and Theorem 1 in Appendices D and G, respectively. Lemma 7 states an upper bound on the maximum eigenvalue of a particular qubit density matrix. It will be useful in the proof of Theorem 1 in Appendix G.
for some γ err ≥ 0. Let λ be a lower bound on the minimum of the function B(P 0 , O) evaluated over the range If γ err = 0 then it holds that Proof. For a, b, s ∈ {0, 1} N , we define u ∈ {0, 1} N satisfying u 0 = a 0 and u 1 = b 1 . Then, in (C1), we change variables r = x ⊕ u and we sum over x ∈ {0, 1} N , where '⊕' denotes bit-wise sum modulo 2. We obtain where w(x) denotes the Hamming weight of x. We note that D a,b is a positive semi definite operator, hence, D a,b corresponds to the greatest eigenvalue of D a,b , for a, b ∈ {0, 1} N . For given a, b ∈ {0, 1} N , in order to compute D a,b , we first evaluate the sum over s ∈ {0, 1} N in (C6). We obtain where for b, c ∈ {0, 1} and k ∈ [N ]. We note that ρ k b,c + ρ k b⊕1,c⊕1 = 1 since {|φ k r,s } r∈{0,1} is a qubit orthonormal basis for s ∈ {0, 1} and since {P k 0 , P k 1 } is a probability distribution, for k ∈ [N ]. Thus, ρ k b,c and ρ k b⊕1,c⊕1 are diagonal in the same basis, for b, c ∈ {0, 1} and k ∈ [N ]. Therefore, without loss of generality, we can write where µ k t,b⊕c ρ k for t ∈ {0, 1} N . Importantly, we see from (C11) that the eigenbasis of N k=1 ρ k x k ⊕a k ,x k ⊕b k is the same for all x ∈ {0, 1} N . Thus, from (C6), (C7) and (C11), we see that by taking the change of variables α k = a k ⊕ b k and β k = a k ⊕ t k , for k ∈ [N ]. Below we compute the maximum given by the second line of (C12). We consider two cases separately, the case γ err = 0, and the case 0 < γ err < λ. Within the second case we consider the subcases 0 < γ err < 1 N and γ err ≥ 1 N . We use the following definitions: where in the second line we used (C10), for k ∈ [N ]. We also define parameters λ 0 ≤ 1 and λ 1 that satisfy In the case γ err = 0, we have from (C12) that where in the second line we used (C13), in the third line we used (C14), and in the last line we used that λ 1 = λ, which is shown below. The bound (C4) follows from (C15).
We show below that the bound (C5) is satisfied too in the case that 1 N ≤ γ err < λ holds. It follows that (C5) holds if 0 < γ err < λ, as stated in the lemma.
We consider 1 N ≤ γ err < λ. For any α, β ∈ {0, 1} N and for any l ∈ [N ], we definex l = (x 1 , x 2 , . . . , x l−1 , x l+1 , x l+2 , . . . , x N ), and we can write We see that the term inside the second bracket cannot be smaller than the term inside the first one. Since this holds for any choice of l ∈ [N ], in order to maximize the quantity on the left-hand side, we need to maximize λ l β l ,α l for l ∈ [N ]. Thus, we obtain from (C12), (C13) and (C17) that Similarly, reasoning as in the previous lines, it is straightforward to obtain from (C14) and (C18) that We upper bound the right-hand side of (C19) using the Chernoff bound given by Proposition 1. Let X k be a random variable taking value X k = i with probability λ i , for i ∈ {0, 1} and k ∈ [N ]. Let X = N k=1 X k , whose average value is E(X) = N λ 1 . We have for 0 < γ err < λ, as claimed. We complete the proof below by showing that λ 1 = λ satisfies the condition (C14). We write . It is straightforward to verify that the density matrix ρ k b,c given by (C8) has eigenstates e k ±,b,c = 1 with eigenvalues for b, c ∈ {0, 1} and k ∈ [N ]. Thus, from the definition (C13) and from (C24), we obtain , by defining λ 0 as an upper bound on the maximum of the function A(P 0 , O) evaluated over the range P 0 ∈ [P LB 0 , P UB 0 ], with λ 0 < 1 − γ err , and by defining λ 1 = 1 − λ 0 , the conditions given by (C14) hold. We see from (C27) that the function B(P 0 , O) given by (C2) satisfies B(P 0 , O) = 1 − A(P 0 , O). Thus, we define λ 1 as a lower bound on the minimum of the function B(P 0 , O) evaluated over the range P 0 ∈ [P LB 0 , P UB 0 ], and we define λ = λ 1 . In the case that P LB 0 = 1 2 − β PB and P UB 0 = 1 2 + β PB for β PB ≥ 0, we define λ 1 as the minimum of the function B(P 0 , O) evaluated over the range P 0 ∈ [P LB 0 , P UB 0 ], and we define λ = λ 1 . It is straightforward to see from (C27) that in this case λ 1 = 1 . The result follows by noting that, as stated in the lemma, Lemma 7. Let ρ be a qubit density matrix given by where {|φ tu } t,u∈{0,1} is a set of qubit states satisfying φ 0u |φ 1u = 0 for u ∈ {0, 1}, where the qubit orthonormal basis D u = {|φ tu } 1 t=0 is the computational (Hadamard) basis within an uncertainty angle θ ∈ 0, π 4 on the Bloch sphere if u = 0 (u = 1); and where the binary probability distributions {P PB (u)} 1 u=0 and {P PS (t)} 1 t=0 satisfy 1 2 − β PB ≤ P PB (u) ≤ 1 2 + β PB and 1 2 − β PS ≤ P PS (u) ≤ 1 2 + β PS for u ∈ {0, 1}, and for given parameters β PB , β PS ∈ 0, 1 2 . Let µ + be the greatest eignevalues of ρ. It holds that where h(β PS , β PB , θ) = 2β PS 1 2 Proof. To simplify notation, we define P = P PB (0), 1 − P = P PB (1), R = P PS (0), and 1 − R = P PS (1). Since applying a unitary operation U on ρ does not change its eigenvalues, we define ρ ′ = U ρU † and we compute an upperbound on the greatest eigenvalue of ρ ′ . Since {|φ tu } 1 t=0 is a qubit orthonormal basis, for u ∈ {0, 1}, we can choose U such that U |φ t0 = |t and U |φ t1 = |t , where {|0 , |1 } is the computational basis, which has Bloch vectors in the z axis, and where {|0 , |1 } is another orthonormal basis with Bloch vectors on the z − x plane. Thus, we see that from the statement of the lemma, we can choose U such that |0 has a Bloch vector with angle ξ above the x axis, towards the z axis; hence, |1 has a Bloch vector with angle ξ below the −x axis, towards the −z axis; where ξ ∈ [−2θ, 2θ] for some θ ∈ 0, π 4 . Thus, using this notation, from (C28), we obtain where The Bloch vector of ρ 0 is (2R − 1)ẑ and the Bloch vector of ρ 1 is (2R − 1) cos ξx + sin ξẑ , wherex andẑ are unit vectors pointing along the x and z axes, respectively. Thus, the Bloch vector of ρ ′ is The eigenvalues of ρ ′ , hence also of ρ, are given by µ ± = 1 2 1 ± | r| . Thus, from (C33), the greatest eigenvalue is given by where | r| = |2R − 1| P + (1 − P ) sin ξ 2 + (1 − P ) 2 cos 2 ξ.
Appendix D: Proof of Lemma 1 Lemma 1. The quantum token schemes IQT 1 and IQT 2 are ǫ unf −unforgeable with Proof. In summary, the proof comprises reducing a general cheating strategy by Alice in the token schemes IQT 1 and IQT 2 to the task of producing the N −bit strings a and b given in Lemma 6, with γ err = 0, β PB = 0, and θ = 0, i.e. O(θ) ≡ O = 1 √ 2 . As we show, then Alice's success probability is upper bounded by the quantity max a,b∈{0,1} N D a,b , which for these parameters is Consider the token schemes IQT 1 and IQT 2 . In these token schemes Alice gives Bob a N −bit strings d = (d 1 , . . . , d N ) and a bit c. Using this information, honest Bob computes the N −bit stringd i = (d i,1 , . . . ,d i,N ) in the causal past of the presentation point Q i , wherẽ and i ∈ {0, 1}. In a general cheating strategy S, Alice applies a joint projective measurement on the quantum system A of N −qubits in the state |φ tu A = N k=1 |φ t k u k A k received from Bob and an ancilla E of arbitrary finite Hilbert space dimension in a quantum state |χ E , and obtains the classical message x = (d, c) of N + 1 bits that she gives Bob within the causal pasts of Q 0 and Q 1 and two N −bit (token) strings a = (a 1 . . . , a N ) and b = (b 1 , . . . , b N ) that she gives to Bob at Q 0 and Q 1 , respectively. Alice succeeds in making Bob validate these token strings at Q 0 and Q 1 if a 0 = t 0 and b 1 = t 1 , where x i is a restriction of the string x ∈ {a, b, t} to the bit entries Now consider the task of Lemma 6 with the following parameters. The states |φ k r,s are the BB84 states: |φ k 0,0 ≡ |φ 00 = |0 , |φ k 1,0 ≡ |φ 10 = |1 , |φ k 0,1 ≡ |φ 01 = |+ , |φ k 1,1 ≡ |φ 11 = |− , for k ∈ [N ]. It follows that O = 1 √ 2 . We also consider that P s = 1 2 N for s ∈ {0, 1} N , i.e. β PB = 0. It follows from Lemma 6 that We define the N −bit strings r = (r 1 , . . . , r N ), s = (s 1 , . . . , s N ) and h = (h 1 , . . . , h N ) in terms of the strings t, u and d and of the bit c of the token schemes IQT 1 and IQT 2 as follows: . Thus, the set S h i in Lemma 6 is the set ∆ i in the token schemes IQT 1 and IQT 2 : S h i = ∆ i , for i ∈ {0, 1}. It follows that the operator D a,b in Lemma 6 can be associated to Alice's cheating strategy in the token schemes IQT 1 and IQT 2 . We deduce this connection below.
We consider an entanglement-based version of the token schemes IQT 1 and IQT 2 . Bob prepares a pair of , sends the qubit A k to Alice, chooses u k ∈ {0, 1} with probability 1 2 and then measures the qubit B k in the basis D u k = {|φ tu k } 1 t=0 , obtaining the outcome |φ t k u k randomly, with Alice's qubit A k projecting into the same state, for t k ∈ {0, 1}. In a general cheating strategy S, Alice introduces an ancillary quantum system E of arbitrary finite Hilbert space dimension in a pure state |χ E and then applies a projective measurement on AE, with projector operators Π xab , where the measurement outcomes x = (d, c) ∈ {0, 1} N +1 and a, b ∈ {0, 1} N correspond to the classical messages that Alice gives Bob, and where A = A 1 · · · A N . The probability that Alice obtains outcomes x, a and b following her strategy S, for given values of u and t, is given by where Φ tu = |φ tu φ tu | A ⊗ |χ χ| E . We define the sets It follows that Alice's success probability P S satisfies where in the first line we used (D3) and (D4); and where in the second line we used (D4) and (D5), and the fact that the string z i has bit entries with labels from the set ∆ i satisfying ∆ 0 ∩ ∆ 1 = ∅ and ∆ 0 ∪ ∆ 1 = [N ], for i ∈ {0, 1} and z ∈ {a, b, t}. We define the quantum state where B denotes the system held by Bob and where We define the positive semi definite (and Hermitian) operators where in the second line we used Proposition 2; and where in the third line we used (D9) and Proposition 3, since {Π xab } x,a,b is a projective measurement acting on a finite dimensional Hilbert space and {D xab } x,a,b is a finite set of positive semi definite operators acting on a finite dimensional Hilbert space. We note that the operator D xab defined by (D8) equals the operator D ab given in Lemma 6, for the parameters γ err = 0, O = 1 √ 2 and β PB = 0 that we are considering here. Thus, from (D2) and (D10), and because this bound does not depend on x, we obtain Thus, the quantum token schemes IQT 1 and IQT 2 are Appendix E: Proofs of Lemmas 2, 3 and 4 We recall that Lemmas 2, 3 and 4 consider parameters γ det , γ err ∈ (0, 1), allow for the experimental imperfections of Table V and make the assumptions of Table VI. 1. Proof of Lemma 2 then QT 1 and QT 2 are ǫ rob −robust with We note that the condition (E1) is necessary to guarantee robustness, as in the limit N → ∞ the number n of quantum states |ψ k reported by Alice as being successfully measured tends to its expectation value E(n) = P det N with probability tending to unity. Thus, if P det < γ det then n < γ det N and Bob aborts with probability tending to unity for N → ∞.
Proof of Lemma 2. Let P abort be the probability that Bob aborts the token scheme if Alice and Bob follow the token scheme honestly. By definition of the token schemes QT 1 and QT 2 , we have (E3) We note that the expectation value of n is E(n) = N P det . From (E1), we have that 0 < 1 − γ det P det < 1. Thus, we obtain from a Chernoff bound of Proposition 1 that It follows from (E3) and (E4) that with ǫ rob given by (E2). It follows from (E5) that the token schemes QT 1 and QT 2 are ǫ rob -robust with ǫ rob given by (E2).

Proof of Lemma 3
Lemma 3. If then QT 1 and QT 2 are ǫ cor −correct with We recall that E = max t,u {E tu }, where E tu is Alice's error rate when Bob prepares states |φ k tu and Alice measures in the basis of preparation by Bob, for t, u ∈ {0, 1}. The condition with E min = min t,u {E tu }, is necessary to guarantee correctness. To see this, suppose that E min > γ err . In the limit N → ∞, we have |∆ b | → ∞, in which case the number of error outcomes n errors when Alice measures in the same basis of preparation by Bob satisfies n errors ≥ E min |∆ b | > γ err |∆ b | with probability tending to unity. Thus, with probability tending to unity, Bob does not accept Alice's token as valid, for N → ∞, if E min > γ err .
Proof of Lemma 3. Let P error be the probability that Bob does not accept Alice's token as valid if Alice and Bob follow the token scheme honestly. By definition of the token schemes QT 1 and QT 2 , we have where and where n errors is the number of bit errors in the substring x b of the the token x that Alice presents to Bob at Q b , compared to the bits of the substring r b of r encoded by Bob. From (E9), we have We show below that and that with ǫ cor given by (E7). Thus, the token schemes QT 1 and QT 2 are ǫ cor −correct with ǫ cor given by (E7), as claimed.
We show (E12). Let us assume for now that E tu = E for t, u ∈ {0, 1}. Given |∆ b |, we note that the expectation value of n error equals E|∆ b |. From (E6), we have 0 < γerr E − 1 < 1. Thus, from a Chernoff bound of Proposition 1, we have It follows from (E10) and (E16) that (E17) Since in general we have E tu ≤ E, for t, u ∈ {0, 1}, we can replace E max by E in (E17) and obtain (E12). We show (E13). Since for the quantum state |ψ k , with g(k) = j, for k ∈ Λ and j ∈ [n], B encodes the bit t k = r j in the basis labelled by u k = s j , with u k chosen with probability P k This is easily seen as follows. By the definition of ∆ b given in the token schemes QT 1 and QT 2 , we see that |∆ b | corresponds to the number of labels k ∈ Λ satisfying g(k) = j ∈ [n] for which it holds that y j = s j , where we recall y j and s j are the bits labelling the qubit measurement basis by Alice and the preparation basis by Bob, respectively. Thus, From the condition (E6), we have 0 < ǫ < 1. It follows that (E20) for some ǫ ′ satisfying 0 < ǫ ≤ ǫ ′ < 1. Thus, from the Chernoff bound of Proposition 1, we have where in the first line we used (E20); in the second line we used the Chernoff bound of Proposition 1; in the third line we used (E18) and 0 < ǫ ≤ ǫ ′ ; and in the last line we used (E19).

Proof of Lemma 4
Lemma 4. QT 1 and QT 2 are ǫ priv −private with Proof. From assumption C (see Table VI), the set Λ of labels transmitted to B in step 2 of QT 1 and QT 1 gives B no information about the string W and the bit z. Furthermore, from assumption E (see Table VI), B cannot use degrees of freedom not previously agreed for the transmission of the quantum states to affect, or obtain information about, the statistics of the quantum measurement devices of A. Moreover, in our setting, we assume that Alice's laboratories are secure and that communication among Alice's agents is made through secure and authenticated classical channels. It follows from these assumptions that the only way in which Bob can obtain information about Alice's bit b before she presents the token is via the message c = z ⊕ b.
In order to prove our result, let us assume that Bob knows Alice's probability distributions P E (z). Since this cannot make it more difficult for Bob to guess Alice's bit b, we can assume this without loss of generality. In the ideal case that the probability distribution P E (z) is totally random Bob cannot obtain any information about b. However, as stated by our allowed experimental imperfection 7 (see Table V), this probability distribution is only close to random: for a small parameters β E > 0, for z ∈ {0, 1}. Thus, Bob can guess b with some probability greater than 1 2 . Let P (i) bit (c) be the probability distribution for the bit c that A sends B, when b = i, for i, c ∈ {0, 1}. Since for c, i ∈ {0, 1}. For any two probability distributions P (x) and Q(x) over a set of values x ∈ X , the maximum probability P max to distinguish them is given by P max = 1 2 + 1 2 P − Q , where P − Q is their variational distance. Thus, Bob's probability P Bob to guess Alice's bit b is upper bounded by where in the second line we used the definition of the variational distance; in the third line we used (E24); and in the fourth line we used (E23). It follows from (E25) that the token schemes QT 1 and QT 2 are ǫ priv -private, with ǫ priv given by (E22), as claimed.
Appendix F: Proof of Lemma 5 Lemma 5. Suppose that Bob sends Alice N photon pulses, labelled by k ∈ [N ]. Let the kth pulse have L k photons. Let ρ be an arbitrary quantum state prepared by Bob in the polarization degrees of freedom of the photons sent to Alice, which can be arbitrarily entangled among all photons in all pulses and can also be arbitrarily entangled with an ancilla held by Bob. Let D 0 and D 1 be two arbitrary qubit orthogonal bases. Suppose that either Alice uses the setup of Fig. 3 with reporting strategy 1 to implement the quantum token scheme QT 1 (see Table  II), or Alice uses the setup of Fig. 3 with reporting strategy 2 to implement the quantum token scheme QT 2 (see Table III). Suppose also that assumptions E and F (see Table VI) hold. For k ∈ [N ], let m k = 1 if Alice assigns a successful measurement to the kth pulse and m k = 0 otherwise; let w k = 0 (w k = 1) if Alice assigns a measurement basis to the kth pulse in the basis D 0 (D 1 ). If Alice uses the setup of Fig. 3 and reporting strategy 1 to implement the scheme QT 1 , without loss of generality, suppose also that Alice sets w k = 0 with unit probability, if m k = 0, for k ∈ [N ]. Let m = (m 1 , . . . , m N ), w = (w 1 , . . . , w N ) and L = (L 1 , . . . , L N ).
If Alice uses the setup of Fig. 3 with reporting strategy 1 to implement the scheme QT 1 , then the probability that Alice reports the string m to Bob and assigns the string of measurement bases w, given ρ and L, is where for b ∈ {0, 1}, m, w ∈ {0, 1} N and a, L 1 , . . . , L N ∈ {0, 1, 2, . . .}. Furthermore, the probability P MB (w k ) that Alice assigns a measurement in the basis D w k , conditioned on the value m k = 1, for the kth pulse, satisfies for w k ∈ {0, 1} and k ∈ [N ].
If Alice uses the setup of Fig. 3 with reporting strategy 2 to implement the scheme QT 2 , then the probability that Alice reports the string m to Bob, given ρ, w and L, is for m, w ∈ {0, 1} N and a, L 1 , . . . , L N ∈ {0, 1, 2, . . .}.
In any of the two cases, the message m gives Bob no information about the bit entries w k for which m k = 1. Equivalently, the set Λ ⊂ [N ] of labels transmitted to Bob in step 2 of QT 1 and QT 2 gives Bob no information about the string W and the bit z.
Proof. We note from (F1) and (F2) that if Alice uses the setup of Fig. 3 with reporting strategy 1 to implement the scheme QT 1 , then Alice's probability P (1) rep (m, w|ρ, L) to report the message m to Bob and assign measurement basis with string of labels w is the same for all strings w satisfying that w k = 0 if m k = 0, for arbitrary fixed given values of m, ρ and L. It follows from this and from assumption E (see Table VI) that the message m gives Bob no information about the bit entries w k for which m k = 1.
Similarly, we note from (F4) and (F5) that if Alice uses the setup of Fig. 3 with reporting strategy 2 to implement the scheme QT 2 , then Alice's probability P (2) rep (m|w, ρ, L) to report the message m to Bob, given that she applied quantum measurements with string of labels w, is the same for all strings w, for arbitrary fixed given values of m, ρ and L. It follows from this and from assumption E (see Table VI) that the message m gives Bob no information about any bit entries w k of w. We note that in the scheme QT 2 , w k = z for k ∈ [N ], and for some bit z chosen by Alice. Thus, it follows that the message m gives Bob no information about the bit z.
Alice sending the message m to Bob is equivalent to Alice sending the set Λ of labels k ∈ [N ] for which m k = 1, i.e. the labels of pulses that were successfully measured by Alice. Furthermore, the string W is defined on the set of labels Λ, and has entries equal to w k , for k ∈ Λ, i.e. for k ∈ [N ] satisfying m k = 1. It follows that the set Λ ⊂ [N ] of labels transmitted to Bob in step 2 of QT 1 and QT 2 gives Bob no information about the string W and the bit z.
We prove (F1). We suppose that Alice uses the setup of Fig. 3 with reporting strategy 1 to implement the scheme QT 1 , and that assumptions E and F of Table VI hold. It is straightforward to obtain where τ k = (m 0 , w 0 , . . . , m k−1 , w k−1 ), P (1,k) rep (m k , w k |ρ, L, τ k ) is the probability that Alice reports the bit message m k to Bob and assigns a measurement in the basis D w k for the kth pulse, given ρ, L, and τ k , for k ∈ [N ]; and where without loss of generality we define m 0 = w 0 = 1.
From Lemma 12 of Ref. [32] and the definition (F2), after measuring the first pulse received from Bob, Alice reports the message m 1 = 1 to Bob and assigns a measurement outcome in the basis D w1 with probability for w 1 ∈ {0, 1}, which only depends on the dark count probabilities d 0 and d 1 , on the detector efficiency η, and on the number of photons L 1 of the first pulse, for an arbitrary quantum state ρ, which can be arbitrarily entangled with an ancilla held by Bob. We can consider this ancilla to include the pulses labelled by 2, 3, . . . , N . Similarly, for k ∈ {2, 3, . . . , N }, after measuring the pulses with labels 1, 2, . . . , k − 1, Alice obtains a value τ k according to her obtained detection statistics for these pulses, and the joint quantum state of the pulses with labels k, k+1, . . . , N and any ancilla held by Bob changes to some quantum state ρ k . Then, from Lemma 12 of Ref. [32] and the definition (F2), after measuring the kth pulse, Alice reports the message m k = 1 to Bob and assigns a measurement outcome in the basis D w k with probability for w k ∈ {0, 1}, which only depends on the dark count probabilities d 0 and d 1 , on the detector efficiency η, and on the number of photons L k of the kth pulse; in particular, P (1,k) rep (1, w k |ρ, L, τ k ) does not depend on the quantum state ρ k , which can be arbitrarily entangled with an ancilla held by Bob. In this case, we can consider this ancilla to include the pulses labelled by k + 1, k + 2, . . . , N . We note that since P (1,k) rep (1, w k |ρ, L, τ k ) does not depend on ρ k , it does not depend on ρ, apart from the number of photons L k of the kth pulse, and it does not depend on τ k either.
By definition of Alice's reporting strategy 1, we have for k ∈ [N ]. Thus, the claimed result (F1) follows straightforwardly from (F6) -(F9). We prove (F3). Let P (1,k) MB (w k |m k = 1, ρ, L, τ k ) be the probability that Alice assigns a measurement in the basis D w k , conditioned on the value m k = 1, for the kth pulse, given the values of ρ, L and τ k , for k ∈ [N ]. We have for w k ∈ {0, 1} and k ∈ [N ]; where in the second line we used (F7) and (F8), and the definition (F2); and in the third line we used that G 1,w k (d 0 , d 1 , η, L k ) > 0 from (F2) and from the fact that d 0 , d 1 , η ∈ (0, 1), as stated in assumption F (see Table VI). From (F11), since P (1,k) MB (w k |m k = 1, ρ, L, τ k ) does not depend on k, ρ, L or τ k , we have that for w k ∈ {0, 1} and k ∈ [N ], and the claimed result (F3) follows. We prove (F4). We suppose that Alice uses the setup of Fig. 3 with reporting strategy 2 to implement the scheme QT 2 , and that assumptions E and F of Table VI hold. We note that in the scheme QT 2 , the string w has bit entries w k = z, for a bit z chosen by Alice, and for k ∈ [N ]. However, the analysis below is more general, and works for arbitrary w ∈ {0, 1} N . It is straightforward to obtain P (2) rep (m|w, ρ, L) = N k=1 P (2,k) rep (m k |w, ρ, L,τ k ), whereτ k = (m 0 , . . . , m k−1 ) and P (2,k) rep (m k |w, ρ, L,τ k ) is the probability that Alice reports the bit message m k to Bob for the kth pulse, given ρ, L, w andτ k , for k ∈ [N ]; and where without loss of generality we define m 0 = 1.
From Lemma 1 of Ref. [32] and the definition (F5), after measuring the first pulse received from Bob in the basis D w1 , Alice reports the message m 1 = 1 to Bob with probability P (2,1) rep (1|w, ρ, L,τ 1 ) = G which only depends on the dark count probabilities d 0 and d 1 , on the detector efficiency η, and on the number of photons L 1 of the first pulse, for an arbitrary quantum state ρ, which can be arbitrarily entangled with an ancilla held by Bob. We can consider this ancilla to include the pulses labelled by 2, 3, . . . , N .
Similarly, for k ∈ {2, 3, . . . , N }, after measuring the pulses with labels 1, 2, . . . , k − 1 in the bases D w1 , . . . , D w k−1 , Alice obtains a valueτ k according to her obtained detection statistics for these pulses, and the joint quantum state of the pulses with labels k, k + 1, . . . , N and any ancilla held by Bob changes to some quantum state ρ k . Then, from Lemma 1 of Ref. [32] and the definition (F5), after measuring the kth pulse in the basis D w k , Alice reports the message m k = 1 to Bob with probability P (2,k) rep (1|w, ρ, L,τ k ) = G which only depends on the dark count probabilities d 0 and d 1 , on the detector efficiency η, and on the number of photons L k of the kth pulse; in particular, P (2,k) rep (1|w, ρ, L,τ k ) does not depend on the quantum state ρ k , which can be arbitrarily entangled with an ancilla held by Bob. In this case, we can consider this ancilla to include the pulses labelled by k + 1, k + 2, . . . , N . We note that since P (2,k) rep (1|w, ρ, L,τ k ) does not depend on ρ k , it does not depend on ρ, apart from the number of photons L k of the kth pulse, and it does not depend onτ k either.

Summary of the Proof
We allow Alice to have arbitrarily advanced quantum technology. In particular, we assume that Alice knows the set Ω qub and Ω noqub and that she receives all quantum systems A k , for k ∈ [N ]. Let |ψ A = ⊗ k∈[N ] |ψ k A k be the quantum state that Alice receives from Bob, where A is the global quantum system received from Bob.
Alice's more general cheating strategy in the token scheme QT 1 is as follows. In the intersection of the causal pasts of Q 0 and Q 1 , Alice adds an ancillary system E of arbitrary finite Hilbert space dimension in a quantum state |χ E and applies an arbitrary projective measurement on AE, which may depend on Ω qub and Ω noqub , and obtains an outcome that includes Λ, g, d and c satisfying the required constraints, as well as respective tokens a and b to give at the presentation points Q 0 and Q 1 . Alice sends Λ, g, d, and c to Bob, as required by the task. Alice gives Bob tokens a at Q 0 and b at Q 1 . Alice's more general cheating strategy in the token scheme QT 2 is equivalent, with the only difference that the string d is not required in Alice's measurement outcome. We recall that the jth entry of d in QT 1 is d j = y j ⊕ z, for j ∈ [n]. On the other hand, in QT 2 we have y j = z, for j ∈ [n]. Thus, without loss of generality, in Alice's general cheating strategy in the token scheme QT 2 we simply set d to be a fixed string with all bit entries being zero.
We note that if Q 1 is in the causal future of Q 0 Alice's agent A 0 can send a signal to A 1 indicating whether her token a was validated or not at Q 0 , and A 1 can in principle use this information to adapt her strategy at Q 1 . However, this possibility cannot increase Alice's probability to have tokens validated at both Q 0 and Q 1 . If A 0 fails in having a validated at Q 0 then Alice fails in her attempt to have Bob validating her tokens at both Q 0 and Q 1 . Thus, without loss of generality we assume that the signal sent from A 0 to A 1 indicates that a was successfully validated at Q 0 , which is equivalent to A 0 not sending any signal to A 1 and A 1 always acting as if a were successfully validated at Q 0 . The same reasoning applies if Q 0 is in the causal future of Q 1 . Furthermore, if Q 0 and Q 1 are spacelike separated A 1 cannot receive any signals informing her whether the token a was successfully validated at Q 0 before A 1 presents the token b at Q 1 . This means that the strategy outlined in the previous paragraph can be considered as the most general one.
If |Ω noqub | > ν unf N then we assume that Alice can succeed in giving valid tokens a and b at Q 0 and Q 1 . This is because, for example, if |Ω noqub | is too large, then there is not any constraint on the quantum states |ψ k for a large number of labels k, i.e for k ∈ Ω noqub . For example, if Bob's quantum state source is a Poissonian photon source (e.g. weak coherent) with average photon number µ << 1 then we associate pulses with two or more photons to have labels from the set Ω noqub , giving P noqub = 1 − (1 + µ)e −µ . In this case, the states |ψ k with k ∈ Ω noqub consist of two or more copies of quantum states |φ k t k u k and Alice can measure each copy in the corresponding basis, being able to present correct bit outcomes at Q 0 and Q 1 , for bit entries with labels k ∈ Ω noqub . But, since the probability P noqub that Bob prepares states |ψ k with labels k ∈ Ω noqub is bounded, the probability that |Ω noqub | > ν unf N is bounded by the first term of ǫ unf in (G4).
On the other hand, we show that there exist parameters satisfying the constraints (G1) for which f (γ err , β PS , β PB , θ, ν unf , γ det ) > 0. We show that, for these parameters, and for the case |Ω noqub | ≤ ν unf N , the probability that Alice gives valid tokens a and b at Q 0 and Q 1 is upper bounded by e −N f (γerr,βPS,βPB,θ,ν unf ,γ det ) . This analysis gives the second term of ǫ unf in (G4).
If |Ω noqub | ≤ ν unf N , from the conditions (G1) it follows that Alice must obtain the correct bits in two token strings a and b, given respectively at Q 0 and Q 1 , for a sufficiently large number of entries j ∈ ∆ 0 with j = g(k) for some k ∈ Ω qub , for a, and j ∈ ∆ 1 with j = g(k) for some k ∈ Ω qub , for b. That is, Alice could in principle learn perfectly the bit entries of both strings a 0 and b 1 with labels k ∈ Ω noqub , but the number of these entries is small and thus Alice must be able to obtain the correct bit entries of the strings a 0 and b 1 for a sufficiently large number of labels k ∈ Ω qub for which such bits are encoded in single qubits, and not in multiple copies of the same quantum states. The probability that Alice succeeds in this task is upper bounded using Lemma 6, which considers the ideal situation in which Bob encodes each bit in a single qubit.

Preliminaries
We consider that Alice performs an arbitrary cheating strategy S trying to have Bob validating tokens at Q 0 and Q 1 . Let P S be Alice's success probability. We show an upper bound on P S , for any strategy S. We assume that Alice has arbitrarily advanced quantum technology. In particular, we assume that Alice knows the set Ω qub , hence also the set Ω noqub , and that she receives all quantum systems A k transmitted by Bob, for k ∈ [N ].
Let P Ω qub S be Alice's success probability following the strategy S given a set Ω qub , and let P Ω qub be the probability that the set Ω qub is generated. We have where in the third line we used Pr[|Ω noqub | > ν unf N ] = m>ν unf N Ω qub :|Ω noqub |=m P Ω qub and the tivial bound P Ω qub S ≤ 1 for |Ω noqub | > ν unf N . Since for each element k ∈ [N ], Bob's agent B asigns it to be an element of the set Ω noqub with probability P noqub , the probability that Ω noqub has m elements is for m ∈ {0, 1, . . . , N }. To simplify notation, below we write m = |Ω noqub |. We use the Chernoff bound of Proposition 1 to show below that (G7) Let Z 1 , Z 2 , . . . , Z N be independent random variables, where Z k ∈ {0, 1} and Pr[Z k = 1] = P noqub for k ∈ [N ].
We can then write m = N k=1 Z k . The expectation value of m is E(m) = P noqub N . Let ǫ = ν unf P noqub − 1. It follows from (G1) that 0 < ǫ < 1. Thus, we have as claimed, where in the second line we used E(m) = P noqub N , 0 < ǫ = ν unf P noqub − 1 < 1 and the Chernoff bound of Proposition 1.
From (G5) and (G7), we have be the quantum state that Alice's agent A receives from Bob's agent B, where the global quantum system received by A is A = A 1 · · · A N , and where t = (t 1 , . . . , t N ) and u = (u 1 , . . . , u N ). We recall that Ω noqub = [N ] \ Ω qub . For a given set Ω qub ⊆ [N ], let x and x denote the substrings of the N −bit string x with bit entries k ∈ Ω qub and k ∈ Ω noqub , respectively, for x ∈ {u, t}. Thus, from (G10), we can write where and where A = k∈Ω qub A k and A = k∈Ω noqub A k . Let P tu be the probability distribution for the variables (t, u) ∈ {0, 1} N × {0, 1} N . By the statement of the theorem, we have where P k PB (0), P k PB (1) and P k PS (0), P k PS (1) are binary probability distributions, for k ∈ [N ]. Thus, for any sets F 0 ⊆ [N ] and F 1 = [N ]\F 0 with u 0 and u 1 being substrings of u, and with t 0 and t 1 being substrings of t, with bit entries with labels from the sets F 0 and F 1 , respectively, we use the notation P tu = P t0t1u0u1 = P t0t1 P u0u1 . Thus, we can express P where P tu is the probability distribution for the variables t, u; and where P Ω qub tu S is the probability that Alice succeeds in giving Bob valid tokens at the presentation points Q 0 and Q 1 by following the strategy S, given a set Ω qub and given variables t and u.
We show below that there exist parameters satisfying the constraints (G1) and satisfying where f (γ err ,β PS ,β PB ,θ,ν unf ,γ det ) is given by (G2). We show below that, for the parameters satisfying (G1) and (G15), it holds that for any finite dimensional quantum state |Φ tu A and for any set Ω qub satisfying m = |Ω noqub | ≤ ν unf N . It follows from (G9) and from (G14) -(G16) that Alice's probability to succeed in her cheating strategy is not greater than ǫ unf , with ǫ unf given by (G4). Thus, QT 1 and QT 2 are ǫ unf −unforgeable, with ǫ unf given by (G4), as claimed.
We show that there exist parameters satisfying the constraints (G1) for which (G15) holds. Consider parameters satisfying (G1) and the following constraint: Thus, from (G17) and (G19), we have as required by (G1). Then, since we have 0 < θ < π 4 , 0 < β PB < 1 2 and 0 < β PS < 1 2 , we obtain from the definition of h(β PS , β PB , θ) in (G3) that From (G21), we have where in the second line we used (G19) and (G22), and in the third line we used (G18). A general cheating strategy S by Alice is as follows. Alice receives the quantum system A from Bob in the quantum state |Ψ Ω qub tu A given by (G11), she adds an ancillary system E of arbitrary finite Hilbert space dimension in a quantum state |χ E and applies an arbitrary projective measurement {Π xab } x,a,b on AE, which may depend on Ω qub , and obtains an outcome (x, a, b), where x = (Λ, g, d, c, ζ), with Λ, g, d and c comprising the information that Alice must send Bob before token presentation satisfying the required constraints, a, b ∈ {0, 1} n are token strings to present at the respective presentation points Q 0 and Q 1 , and ζ is any other classical variable obtained by Alice's measurement. This means that Λ ⊆ [N ] with |Λ| = n, for some integer n ≥ γ det N and for a predetermined γ det ∈ (0, 1), g is a one-to-one function of the form g(k) = j for k ∈ Λ and j ∈ [n], d ∈ {0, 1} n and c ∈ {0, 1}. In the intersection of the causal pasts of Q 0 and Q 1 , Alice sends Λ, g, c and d to Bob, as required by the task. Bob does not abort as he receives the set Λ satisfying the required condition, as well as the g, d and c of the required form. Alice sends the tokens to her respective agents who present them at the corresponding presentation points.
Below, we show the bound (G16) on the probability P Ω qub tu S that Alice succeeds in giving Bob valid tokens at the presentation points Q 0 and Q 1 by following the strategy S, given a set Ω qub and given variables t and u. Thus, we consider that Alice gives tokens a ∈ {0, 1} n at Q 0 and b ∈ {0, 1} n at Q 1 .

Notation and useful relations
We recall notation. Using the set Λ and the function g : Λ → [n], we have the following relations between t, u ∈ {0, 1} N and r, s ∈ {0, 1} n . We have r j = t k , and s j = u k , where j = g(k), for j ∈ [n] and k ∈ Λ. We define r = (r 1 , . . . , r n ) and s = (s 1 , . . . , s n ). In the token scheme QT 1 , we have defined and a i as the restriction of a string a to entries a j with j ∈ ∆ i , for i ∈ {0, 1}. These variables are defined similarly in the token scheme QT 2 by simply setting d as a string whose bit entries are only zero. By definition of Λ, we have By definition of Ω qub and Ω noqub , we have We note that the sets ∆ i depend on x = (Λ, g, d, c, ζ), for i ∈ {0, 1}, but we do not write this dependence explicitly, in order to simplify the notation. Sinced 1,j = d 0,j ⊕ 1, for j ∈ [n], we have We define It follows that Similarly, we define Since the function g : Λ → [n] is one-to-one, there is a one-to-one correspondence between the elements of Λ (Λ) and the elements of ∆ (∆). Thus, from (G29) and (G30), we have We define From the definitions of ∆ 0 , ∆ 1 and ∆, we have We define for i ∈ {0, 1}. Since the function g : Λ → [n] is one-toone, we have from (G27), (G30), (G33) and (G34) that We define e, e, e 0 and e 1 to be the restrictions of the string e ∈ {0, 1} n to the bit entries e j with labels j ∈ ∆, j ∈ ∆, j ∈ ∆ 0 and j ∈ ∆ 1 , respectively, for e ∈ {a, b, r, s}. We have chosen the notation e and e instead of the more obvious e and e for consistency with the notation chosen below, which simplifies the notation in various equations that follow. From (G32), we have ∆ i ⊆ ∆ i , for i ∈ {0, 1}. Thus, and since e 0 and e 1 are restrictions of the string e to the bit entries e j with labels j ∈ ∆ 0 and j ∈ ∆ 1 , respectively, we have that e 0 and e 1 are substrings of the strings e 0 and e 1 , respectively, for e ∈ {a, b, r, s}. We define e i to be the restrictions of the string e ∈ {0, 1} N to the bit entries e k with labels k ∈ Λ i , for i ∈ {0, 1} and e ∈ {u, t}. Since the function g : Λ → [n] is one to one, there is a one to one correspondence between t i and r i , and between u i and s i , for i ∈ {0, 1}. We define the string e to be the restriction of the string e ∈ {0, 1} N to the bit entries e k with labels k ∈ Λ, for e ∈ {u, t}. We define e to be the restriction of e ∈ {0, 1} N to the bit entries e k with labels k ∈ Ω qub , for e ∈ {u, t}. Thus, from (G28), e is a sub-string of e, for e ∈ {u, t}. From (G36), we can write e = (e 0 , e 1 ), where e ∈ {0, 1} Λ , e 0 ∈ {0, 1} Λ 0 and e 1 ∈ {0, 1} Λ 1 , for e ∈ {t, u}. We define e ′ as the restriction of the string e ∈ {0, 1} N to the bit entries e k with labels k ∈ Ω qub \ Λ, for e ∈ {u, t}. It follows that we can write e = (e, e ′ ) = (e 0 , e 1 , e ′ ), where e ∈ {0, 1} Ω qub , e ∈ {0, 1} Λ , e ′ ∈ {0, 1} Ω qub \Λ , e 0 ∈ {0, 1} Λ 0 and e 1 ∈ {0, 1} Λ 1 , for e ∈ {t, u}.
As mentioned above, given our notation, there is a oneto-one correspondence between t i and r i , and between u i and s i , for i ∈ {0, 1}. Similarly, there is a one-to-one correspondence between t and r, and between u and s. We express these, and previously mentioned, one-to-one correspondences as follows for i ∈ {0, 1}.
In the rest of this proof we assume We consider the n−bit stringsd i = (d i,1 , . . . ,d i,n ) for i ∈ {0, 1}. By definition of the token scheme, we havẽ d i,j = d j ⊕ i ⊕ c, for j ∈ [n] and i ∈ {0, 1}. Thus, we haved 1,j =d 0,j ⊕ 1, for j ∈ [n], from which follows that the n−bit stringsd 0 andd 1 are the complement of each other. We have where in the first line we used (G33); in the second line we used (G30) and the fact that g : Λ → [n] is a one-toone function; in the third line we used (G26) and (G28); and in the last line we used (G25) and (G41). For a given possible outcome x, we define the sets and where δ is given by (G3). As this is useful below, we have clarified with the chosen notation that ξ x abu does not depend on tu. We show below that 0 <δ ≤ δ < λ(θ, β PB ). (G49) It follows straightforwardly that We show (G49). From the condition n ≥ γ det N for Bob not aborting and from (G1), we have Thus, from γ err > 0, (G27), (G33), (G42), (G48) and (G51), we haveδ > 0. From (G27), (G33), (G42) and (G48), we haveδ where in the third line we used the condition n ≥ γ det N for Bob not aborting, and in the last line we used (G1). Since δ = γerrγ det γ det −ν unf , as defined by (G3), (G49) follows from (G52).
The probability that Alice obtains outcomes x, a and b following her strategy S for given values of Ω qub , u and t is given by where and where |φ tu A and |Φ tu A are defined by (G12). Thus, Alice's success probability P where C denotes the constraint where in the first line we used (G43) and (G53); in the second line we used (G50); in the third line we used (G37), (G39), and (G46); in the fourth line we used that t i is in one to one correspondence with r i , for i ∈ {0, 1}; and in the last line we used (G37), (G39) and (G47).

Entanglement-based version
We use an entanglement-based version of the task to re-write the last line of (G55). For k ∈ Ω qub , Bob first prepares a pair of qubits B k A k in the Bell state , sends the qubit A k to Alice, chooses u k ∈ {0, 1} with probability P k PB (u k ) and then measures the qubit B k in the the basis D k u k = {|φ k tu k } 1 t=0 , obtaining the outcome |φ k t k u k randomly, with Alice's qubit A k projecting into the same state, for t k ∈ {0, 1}. We note that in order to deal with the fact that the probability P t does not necessarily correspond to the random distribution, for t ∈ {0, 1} Ω qub , we will need to introduce a factor of P t 2 |Ω qub | . For k ∈ Ω noqub , Bob generates the bits t k and u k in such a way that the strings t and u are generated with the probability distribution P tu . Given the obtained values for t and u, Bob prepares a finite dimensional quantum state |Φ tu A and sends it to Alice. Alice introduces an ancillary quantum system E of arbitrary finite Hilbert space dimension in a pure state |χ E and then applies a projective measurement on AE, with projector operators Π xab , where the possible measurement outcomes x = (Λ, g, d, c, ζ) and a, b ∈ {0, 1} n , run over the set of values satisfying the constraints, and where A = A 1 · · · A N = AA. We define the quantum state where B denotes the system held by Bob, Φ + BA = k∈Ω qub |Φ + Φ + | B k A k , and where the state Φ tu AE is defined by (G54). We define the positive semi definite (and Hermitian) operators where φ tu B is given by (G54), replacing A by B, i.e.
and where u runs over {0, 1} Ω qub , x runs over its set of possible values, and a and b run over {0, 1} n . It follows straightforwardly from (G53) -(G59), and from P tu = P t P u , which follows from (G13), that where in the second line we used Proposition 2; and where in the third line we used (G59) and Proposition 3, since {Π xab } x,a,b is a projective measurement acting on a finite dimensional Hilbert space, and {D xab } x,a,b is a finite set of positive semi definite operators acting on a finite dimensional Hilbert space. We show below that max x,a,b D xab ≤ e −N f (γerr,βPS,βPB,θ,ν unf ,γ det ) , with f (γ err , β PS , β PB , θ, ν unf , γ det ) given by (G2). Thus, the claimed bound (G16) follows from (G60) and (G61).

Using Lemma 6 to prove (G61)
We compute an upper bound on max x,a,b D xab . First, we define the set As explicitly stated by the notation, we note that the dependence of ξ x abu 0 u 1 on u is only via the sub-strings u 0 and u 1 . This follow in particular because the constant δ does not depend on u, as follows from (G3). Thus, from (G39), (G47), (G58) and (G62), we have and where B = B 0 B 1 B ′ . It follows from (G63) that We deduce an upper bound on max a,b D xab . For given values of x, a and b, we define the operator For a given x, it follows from (G49), (G62) and (G67), and from Lemma 6 that To see this more clearly, recall the following facts. First, e i is a bit string with bit entries e j with labels j ∈ ∆ i , for i ∈ {0, 1} and e ∈ {a, b, r, s}. Second, e i is a bit string with bit entries e k with labels k ∈ Λ i , for i ∈ {0, 1} and e ∈ {u, t}. Third, there is a one-to-one correspondence between the sets Λ i and ∆ i via the one-to-one function g, i.e k ∈ Λ i iff g(k) = j ∈ ∆ i , for i ∈ {0, 1}. Fourth, there is a one-to-one correspondence between u i and s i , and between t i and r i , i.e. u k = s j and t k = r j for j = g(k) and k ∈ Λ i , and for i ∈ {0, 1}. Fifth, the sets Λ 0 and Λ 1 do not intersect, hence the sets ∆ 0 and ∆ 1 do not intersect either, which implies that |Λ 0 ∪ Λ 1 | = |∆ 0 ∪ ∆ 1 | = |∆ 0 | + |∆ 1 |. Sixth, the bit entriesd 0,j = d j ⊕ c andd 1,j = d j ⊕ 1 ⊕ c of the respective stringsd 0 andd 1 defined in the token scheme QT 1 are different: d 0,j =d 1,j ⊕ 1; which are also different in the token scheme QT 2 by setting d j = 0 for j ∈ [n]. Seventh, . From the previous observations, we can associate the parameter N and the N −bit string h in Lemma 6 with |∆ 0 | + |∆ 1 | and with a string of bit entries h j =d 0,j for j ∈ ∆ 0 ∪ ∆ 1 , respectively. From (G49) and (G69), we associate the parameters γ err , λ and O in Lemma 6 with the parameters δ, λ(θ, β PB ) and O(θ) here, respectively. Thus, sinced 0,j =d 1,j ⊕ 1, for j ∈ ∆ 0 ∪ ∆ 1 , the set S h i in Lemma 6 corresponds to the set ∆ i here, for i ∈ {0, 1}. Thus, from (G62) and (G67), we can associate the operator D a,b in Lemma 6 with the operatorD xab here. Therefore, the bound (G68) follows from Lemma 6.

11.
A sends a signal to A b indicating to present the token at Q b , and A b presents the token x = (x 1 , . . . , 13. B b validates the token x received in Q b if two conditions hold: 1) B b does not receive signals from Bob's agent B i indicating that a token has been presented by Alice at Q i , for any i ∈ {0, 1} M such that Q i is in the causal past of Q b ; and 2) for all l ∈ [M ], the Hamming distance between the strings and where a l v is the restriction of a string a l ∈ {x l , r l } to entries a l j with j ∈ ∆ l v , for v ∈ {0, 1}. 2. The step 2 of QT M 1 is replaced by the following. A chooses a bit z l with probability P l E (z l ) satisfying 1 2 − β E ≤ P l E (z l ) ≤ 1 2 + β E , for z l ∈ {0, 1}, and for a small parameter β E ∈ 0, 1 2 . A measures A l k in the qubit orthonormal basis D z l , for k ∈ [N ]. Due to losses, A only successfully measures quantum states |ψ l k with labels (l, k) from a proper subset Λ l of [N ]. A reports to B the set Λ l with its label l. Let n l = |Λ l |. B does not abort if and only if n l ≥ γ det N .

As step 3 of QT M
1 . The string y l ∈ {0, 1} n of Alice's measurement bases has bit entries y l j = z l , for j ∈ [n].

Comments
We note that steps 1 to 11 and 1 to 7 of the token schemes QT M 1 and QT M 2 are straightforward extensions of the corresponding steps in the token schemes QT 1 and QT 2 , respectively. As we discussed above, this basically comprises applying the corresponding steps of QT 1 and QT 2 in M parallel and independent rounds. However, step 12 of QT M 1 is a new step, and steps 13 and 8 of QT M 1 and QT M 2 modify steps 12 and 8 of QT 1 and QT 2 , respectively, to account for the new step.
We note from steps 12 and 13 of QT M 1 , and from step 8 of QT M 2 , that a token received by Bob's agent B b from Alice's agent A b at a presentation point Q b can be validated by B b nearly instantly at Q b . In particular, B b does not need to wait for any signals coming from agents B i who have possibly received tokens from Alice's agents at presentation points Q i that are not in the causal past of Q b .
For M > 1, steps 12 and 13 of QT M 1 , and step 8 of QT M 2 , allow us to guarantee unforgeability, as discussed below. In the case M = 1, steps 12 and 13 of QT M 1 , and step 8 of QT M 2 , can simply be replaced by step 12 of QT 1 , and by step 8 of QT 2 , respectively.
Every observation made previously about the token schemes QT 1 and QT 2 also applies to the token schemes QT M 1 and QT M 2 . In particular, the schemes QT M 1 and QT M 2 also allow for the experimental imperfections of Table V and make the assumptions of Table VI, for the lth round and for l ∈ [M ]. Stage I includes the quantum communication, which can take place between adjacent laboratories, and must be implemented within the intersection of the causal pasts of all the presentation points. This stage can take an arbitrarily long time and can be completed arbitrarily in the past of the presentation points, which is very helpful for practical implementations. Stage II comprises only classical processing and communication, and must usually be completed within a very short time. We note that Alice chooses her presentation point in stage II, meaning in particular that it can take place after her quantum measurements have been completed, which gives Alice great flexibility in spacetime to choose her presentation point. The token schemes QT M 1 and QT M 2 can be modified in various ways, as discussed previously for the QT 1 and QT 2 schemes.

Robustness, correctness, privacy and unforgeability
As discussed for the token schemes QT 1 and QT 2 , in the token schemes QT M 1 and QT M 2 we define P det as the probability that a quantum state |ψ l k transmitted by Bob is reported by Alice as being successfully measured, with label (l, k) ∈ Λ l , for k ∈ [N ] and l ∈ [M ]. We define E as the probability that Alice obtains a wrong measurement outcome when she measures a quantum state |ψ l k in the basis of preparation by Bob; if the error rates E tu are different for different prepared states, labelled by t, and for different measurement bases, labelled by u, we simply take E = max t,u {E tu }.
The robustness, correctness, privacy and unforgeability of QT M 1 and QT M 2 are stated by the following lemmas and theorem. These lemmas and theorem consider parameters γ det , γ err ∈ (0, 1), allow for the experimental imperfections of Table V and make the assumptions of  Table VI, for each of the M rounds labelled by l ∈ [M ], as discussed above.
then QT M 1 and QT M 2 are ǫ M rob −robust with where (H3) Proof. Suppose that (H1) holds and that Alice and Bob follow the scheme QT M a honestly, for a ∈ {0, 1}. From Lemma 2, the probability P 1 abort that Bob aborts in the round label by l = 1 satisfies P 1 abort ≤ ǫ rob , with ǫ rob given by (H3). Since steps 1 to 10 of QT M 1 and steps 1 to 7 of QT M 2 are implemented in M independent rounds, we also have from Lemma 2 that the probability P l abort that Bob aborts in the lth round, given that he does not abort in the rounds 1, 2, . . . , l − 1, satisfies P l abort ≤ ǫ rob , with ǫ rob given by (H3), for l ∈ {2, . . . , M }. Thus, the probability P abort that Bob aborts in the scheme satisfies Thus, the schemes QT M 1 and QT M 2 are ǫ M rob −robust with ǫ M rob given by (H2), as claimed. The inequality in (H2) follows from Bernoulli's inequality.
Proof. Suppose that Alice follows the scheme QT M a honestly, for a ∈ {0, 1}. From assumption C (see Table VI), the set Λ l of labels transmitted to B in step 2 of QT M 1 and QT M 2 in the lth round gives B no information about the string W l and the bit z l , for l ∈ [M ]. Furthermore, from assumption E (see Table VI), B cannot use degrees of freedom not previously agreed for the transmission of the quantum states to affect, or obtain information about, the statistics of the quantum measurement devices of A. Moreover, in our setting, we assume that Alice's laboratories are secure and that communication among Alice's agents is made through secure and authenticated classical channels. It follows from these assumptions that the only way in which Bob can obtain information about Alice's bit string b = (b 1 , . . . , b M ) before she presents the token is via the bit messages c l = z l ⊕ b l , for l ∈ [M ]. Since Alice prepares the bits z l in independent rounds, for l ∈ [M ], the probability that Bob guesses Alice's bit string b is given by where P l Bob is the probability that Bob guesses Alice's bit b l , for l ∈ [M ].
We see that the steps 1 to 10 (1 to 7) of the lth round in QT M 1 (QT M 2 ) are equivalent to the corresponding steps in QT 1 (QT 2 ), for l ∈ [M ]. Thus, from Lemma 4, we have for l ∈ [M ], with ǫ priv given by (H10). From (H11) and (H12), we have that with ǫ M priv given by (H9). Thus, the schemes QT M 1 and QT M 2 are ǫ M priv −private with ǫ M priv given by (H9), as claimed.
Suppose that the constraints (H14) hold and that f (γ err ,β PS ,β PB ,θ,ν unf ,γ det ) > 0. Suppose that Bob follows the scheme QT M a honestly and Alice follows an arbitrary cheating strategy S, for a ∈ {0, 1}. From step 12 (8) of QT M 1 (QT M 2 ), Alice cannot succeed in making Bob validate tokens at timelike separated presentation points. For this reason, we consider without loss of generality that Alice tries to make Bob validate tokens at spacelike separated presentation points.
Let L ≤ 2 M be the number of spacelike separated presentation points. Alice's general cheating strategy S comprises using the received classical information and quantum sates from Bob to output classical data to give Bob as required by the scheme QT M 1 (QT M 2 ) in steps 1 to 8 (1 to 6), and to obtain a token to give Bob at each of the L spacelike separated presentation points. We note that in our schemes there are no penalties for Alice if Bob catches her cheating. Thus, it does not affect Alice to present tokens at all spacelike separated presentation points, even if this can in principle increase the probability that Bob catches her cheating. Moreover, by presenting tokens at all spacelike separated presentation points, Alice has a greater probability to make Bob validate tokens at any two or more different presentation points. For example, if by giving tokens at K < L spacelike separated presentation points Alice can make Bob validate tokens at any two or more different presentation points with probability P , Alice can additionally give a random token at another spacelike separated presentation point and in this way increase the probability to some value P ′ > P .
Let P spacelike be the set of labels i = (i 1 , . . . , i M ) ∈ {0, 1} M for the spacetime presentation points Q i that are spacelike separated. Let v, w ∈ P spacelike with v = w. Let a = (a 1 , . . . , a M ) and b = (b 1 , . . . , b M ) be the tokens that Alice gives Bob at Q v and Q w , respectively. Let P S vw be the probability that Bob validates the token a at Q v and the token b at Q w . Let P S be the probability that Bob validates tokens at any two or more different presentation points. We have We show below that for any v, w ∈ P spacelike with v = w, and for any cheating strategy S by Alice, where ǫ unf is given by (H18). By noticing that by definition, L = |P spacelike | is the number of spacelike separated presentation points and C is the number of pairs of spacelike separated presentation points, it follows from (H19) and (H20) that QT M 1 and QT M 2 are ǫ M unf unforgeable, with ǫ M unf given by (H17), as claimed.
We show (H20). Let v, w ∈ P spacelike with v = w. Let Bob validating the token a at Q v and the token b at Q w requires satisfaction of the conditions d(a l v l , r l v l ) ≤ |∆ l v l |γ err at Q v and d(b l w l , r l w l ) ≤ |∆ l w l |γ err at Q w , for all l ∈ [M ]. Thus, it requires in particular satisfaction of the conditions d(a l ′ 0 , r l ′ 0 ) ≤ |∆ l ′ 0 |γ err , d(b l ′ 1 , r l ′ 1 ) ≤ |∆ l ′ 1 |γ err , at Q v and Q w , respectively, where we used (H22). Since Bob follows the scheme honestly, he follows the steps 1 to 10 (1 to 7) of the l ′ th round in QT M 1 (QT M 2 ) independently of rounds with label l = l ′ . we see that Bob's steps 1 to 10 (1 to 7) of the l ′ th round in QT M 1 (QT M 2 ) and his l ′ th conditions for token validation at Q v and Q w given by (H23) are equivalent to Bob's corresponding steps and conditions for token validation at the two presentation points in QT 1 (QT 2 ). Thus, from Theorem 1, the probability that both conditions (H23) are satisfied is upper bounded by ǫ unf , with ǫ unf given by (H18). It follows that P S vw ≤ ǫ unf , (H24) for any v, w ∈ P spacelike with v = w, and for any cheating strategy S by Alice.
We note that Lemmas 8, 9 and 10 reduce to Lemmas 2, 3 and 4 in the case M = 1, respectively. Similarly, Theorem 3 reduces to Theorem 1 in the case M = 1 if the presentation points are spacelike separated. This follows straightforwardly from the fact that QT M a reduces to QT a for the case M = 1, for a ∈ {1, 2}, except for steps 12 and 13 of QT M 1 and step 8 of QT M 2 , which as mentioned above can simply be replaced by step 12 of QT 1 and step 8 of QT 2 in this case, respectively. In the case M = 1 with timelike separated presentation points, differently to Theorem 1, Theorem 3 sates that the probability that Bob validates tokens at both presentation points is zero. This is due to the extra step 12 (8) in QT M 1 (QT M 2 ). In any case, Theorem 3 is consistent with Theorem 1 in the case M = 1, if the presentation points are timelike or spacelike separated.