Demonstration of quantum-digital payments

The study addresses the vulnerability of classical digital payment systems whose security rests on computational hardness assumptions. In contemporary payments, uniqueness and unforgeability are enforced via cryptograms derived from secret customer tokens, merchant IDs, and one-time nonces. Adversaries with significant or unbounded computational power could, in principle, brute-force these functions, compromising sensitive data. While Quantum Key Distribution offers information-theoretic security for key exchange between trusted parties, it is not suitable for payments involving untrusted merchants and public channels. Prior quantum money and token proposals either require impractical long-term quantum memories or networks of trusted agents with authenticated channels and precise spacetime arrangements. The purpose of this work is to demonstrate a practical quantum-digital payment scheme that delivers information-theoretic security for the one-time property of cryptograms without relying on long-term quantum storage, trusted intermediate parties, or authenticated channels beyond an initial account setup between client and bank. The authors implement and validate the approach over a 641 m urban fiber link, targeting robustness to realistic noise and loss-dependent attacks.

The paper situates its contribution within several strands of research. Classical cryptography underpins digital payments via hash-based or encryption-based cryptograms, but faces risks from quantum-accelerated or powerful classical attacks. Quantum information-theoretic security has matured primarily through QKD, including long-distance fiber and satellite implementations, but QKD presumes mutually trusted parties and authenticated channels, which do not hold for payment scenarios with untrusted merchants. Device-independent QKD also ends with classical outputs processed by untrusted parties, making it inadequate for cryptogram enforcement. Earlier quantum money and tokenization proposals exploit the no-cloning theorem for unforgeability, yet many require quantum memories far exceeding current capabilities (microseconds to minutes) or rely on distributed trusted verifiers and authenticated spacetime constraints, which are operationally complex and vulnerable to GPS spoofing. The authors also reference recent analyses of multiphoton and side-channel attacks in mistrustful quantum cryptography, highlighting the importance of modeling realistic imperfections. Against this backdrop, the present work offers a protocol that needs only an initial authenticated setup between client and bank and otherwise operates over untrusted channels, using quantum states to enforce commitment and unforgeability and information-theoretic MACs to conceal client data.

Protocol design: The scheme mirrors classical digital payments but replaces the classical one-time payment token with a sequence of quantum states (the quantum token). After an initial authenticated account-creation step between the client and the Trusted Token Provider (TTP), the following steps occur for each payment: (2) The TTP generates a random bitstring b and a random basis string B of length λ. Each bit b_j is encoded in conjugate polarization bases B_j, forming the classical description (b, B) corresponding to a quantum token (P). The TTP stores (b, B) under the client ID C_D and sends (P) to the client over an untrusted quantum channel. (3) The client selects a merchant M_i from a securely pre-shared database and computes m_i = MAC(C, M_i) using an information-theoretically secure Message Authentication Code keyed by the secret token C. Interpreting m_i as a measurement basis string, the client measures the received quantum sequence (P) accordingly, yielding a classical outcome string κ that constitutes the cryptogram. (4) The client forwards κ and C_D to the merchant, who relays κ, M_i, and C_D to the TTP. (5) The TTP recomputes m_i = MAC(C, M_i) and accepts the transaction if and only if κ_j equals b_j for all positions where m_i,j equals B_j, otherwise rejects. Security parameters are set so that the success probability of producing two valid distinct cryptograms for different merchants (double-spending) p_a matches the MAC collision probability p_r, choosing p_a ≈ p_r = 1/√|C|. This determines the number N of quantum states per verified cryptogram bit and total token length λ = N · log2(|C|). Commitment stems from the irreversibility of quantum measurement with non-revealed bases; concealment of C is provided by the i.t.-secure MAC. Experimental implementation: The TTP uses an SPDC source to produce polarization-entangled photon pairs in the state (|HV⟩ − |VH⟩)/√2. One photon is measured at the TTP in either H/V or D/A basis (randomly chosen via a 50/50 beamsplitter), establishing the classical description (b, B) and remotely preparing the partner photon as the quantum token. The partner photon is sent over a 641 m deployed urban optical fiber to the client. The client commits to a merchant by setting the measurement basis according to the MAC output (for the two-merchant demonstration, using H/V or D/A). The cryptogram is then transmitted over a classical channel to the merchant and onwards to the TTP for verification. Hardware details: The entangled source uses a ppKTP crystal pumped by a CW 515 nm laser to generate color- and polarization-entangled photons at ~1500 nm and ~785 nm. A tunable bandpass filter equalizes spectral bandwidths; an unpoled KTP crystal compensates temporal distinguishability. The 1500 nm photons are detected at the client with superconducting nanowire detectors (~93% efficiency); 785 nm photons are detected at the TTP with avalanche detectors (~50% efficiency). Polarization drifts in the fiber are compensated with paddles. Time-tagging modules at both sites require post-processing to correct for offset, drift, electronic delays, and activation timing to recover coincidences. Security analysis: Practical imperfections (state-preparation inaccuracy, channel loss, detector inefficiency) necessitate allowing certain error and loss thresholds during verification. The authors model optimal adversarial strategies via semidefinite programming (SDP), optimizing over completely positive trace-preserving maps and incorporating multiphoton emissions without inter-number-state coherence, to determine a secure operating region in the error-loss plane where double-spending attempts must introduce detectable excess errors or losses. They analyze two limiting cheating strategies (basis-splitting leading to 50% losses with zero error; and intermediate-basis measurement around 22.5° yielding ~85.4% correct guesses with zero loss) and show the optimal strategy is a combination tailored to experimental parameters. Finite-size statistics are handled using Chernoff bounds to relate the number of quantum states N per cryptogram bit to the honest success probability p_h and dishonest success probability p_d.

• Practical demonstration over a 641 m deployed urban optical fiber link of a quantum-digital payment protocol that enforces the one-time nature of cryptograms with information-theoretic security, without trusted channels beyond initial account setup.
• Experimental performance: average error rates of 1.45 ± 0.01% (H/V) and 3.28 ± 0.01% (D/A); overall loss l = 22.40 ± 1.50%; measured multiphoton emission probability 6.76 ± 0.12%.
• Secure operating region: Using semidefinite programming, the measured point (error e_m = 3.28 ± 0.01%, loss l_m = 22.40 ± 1.50%) lies within the calculated secure region. A cheating party attempting double-spending at the same claimed loss level would necessarily introduce errors exceeding 3.79 ± 0.22%, enabling detection.
• Finite-size security: Chernoff-bound analysis shows that for N = 4.2 × 10^6 quantum states per verified cryptogram bit, the honest success probability p_h is close to 1 while the dishonest success probability p_d is 5.9 × 10^-45.
• Robustness to noise and loss-dependent (including reporting strategy) attacks is demonstrated; the protocol hides the client’s merchant choice until verification since measurement bases are never revealed.
• The protocol requires only single-photon detection at the client and no long-term quantum storage or network of trusted agents, improving practicality over prior proposals.

The findings demonstrate that quantum states can enforce the one-time property of payment cryptograms with information-theoretic guarantees even when all intermediate channels and parties (except the initial client–TTP setup) are untrusted. By mapping the measurement choice to the output of an information-theoretically secure MAC, the protocol binds the cryptogram to a specific client token and merchant via irreversible quantum measurement, while concealing the client’s secret and merchant choice. The experimental results fall within an SDP-derived secure region, showing that any double-spending strategy must incur detectable excess errors or losses under the observed operating conditions. Finite-size analysis quantifies how increasing the token length exponentially suppresses cheating success while maintaining near-unity honest acceptance. Compared to QKD-based or memory-dependent quantum payment proposals, this approach relaxes implementation requirements and avoids reliance on trusted verifiers or spacetime constraints. Practically, the demonstrated architecture can be integrated into mid-term quantum networks, with performance limited primarily by source brightness and classical synchronization overheads, both amenable to technological improvement.

This work introduces and experimentally validates a quantum-digital payment scheme that provides information-theoretic security for the one-time nature of cryptograms using quantum light, with minimal trust assumptions limited to an initial authenticated client–TTP setup. The implementation over a city fiber link, together with SDP-based security analysis and finite-size bounds, shows robustness to realistic noise and loss-dependent attacks and achieves extremely low cheating probabilities with sufficiently long tokens. The scheme removes the need for long-lived quantum memories and trusted verification networks and hides the merchant choice until verification. Future work may focus on boosting transmission and verification rates via brighter entangled sources and improved synchronization to approach sub-second operation, extending to larger merchant sets with optimized token partitioning, integrating n-time-secure MACs or appending QKD segments to refresh or grow the secret key C without limiting the number of purchases, and hardening against additional side channels in field deployments.

• Current demonstration incurs verification delays on the order of tens of minutes, driven by time-tagging drift correction and source rates; while technological, this affects immediate practicality compared to second-scale classical payments.
• Security relies on an initial authenticated channel between client and TTP and on an information-theoretically secure (possibly n-time) MAC; key reuse must be managed, necessitating key refresh or growth mechanisms.
• The experimental realization demonstrates two merchant bases; scaling to many merchants requires token splitting into sub-tokens and longer overall token lengths, increasing resource demands.
• Performance and security bounds depend on device imperfections (losses, error rates, multiphoton emissions) and modeling assumptions (no coherence between photon number states); adverse environmental or device side-channels could degrade security if not mitigated.
• Requires single-photon detection at the client and stable polarization over deployed fiber; field robustness to polarization drifts and network dynamics must be maintained.
• Correct merchant identification assumes a trustworthy merchant ID distribution mechanism (e.g., PKI or secure pre-shared database), which must be secured in practice.