Experimental demonstration of practical unforgeable quantum money

Mathieu Bozzio,1,2 Adeline Orieux,1,3 Luis Trigo Vidarte,1,4 Isabelle Zaquine,2 Iordanis Kerenidis,3,5 and Eleni Diamanti1

1 LIP6, CNRS, Université Pierre et Marie Curie, Sorbonne Universités, 75005 Paris, France
2 LTCI, Télécom ParisTech, Université Paris-Saclay, 75013 Paris, France
3 IRIF, Université Paris Diderot, Sorbonne Paris Cité, 75013 Paris, France
4 LCF, Institut d’Optique Graduate School, CNRS, Université Paris-Saclay, 91127 Palaiseau, France
5 Center for Quantum Technologies, National University of Singapore, Singapore

Wiesner’s unforgeable quantum money scheme is widely celebrated as the first quantum information application. Nevertheless, despite its central role in quantum cryptography, its experimental implementation has remained elusive because of the lack of realistic protocols adapted to practical quantum storage devices and verification techniques. Here, we experimentally demonstrate a quantum money protocol that rigorously satisfies the security condition for unforgeability, using a practical system exploiting single-photon polarization encoding of highly attenuated coherent states of light for on-the-fly credit card state generation and readout. Our implementation includes classical verification and is designed to be compatible with state-of-the-art quantum memories, which have been taken into account in the security analysis, together with all system imperfections. Our results constitute a major step towards a real-world realization of this milestone quantum information protocol.

Introduction. The principle behind quantum money is to ensure unforgeability of tokens, banknotes or credit cards by encoding them with qubit states prepared in one of two possible conjugate bases [1]. The no-cloning theorem then ensures that a malicious party willing to duplicate the money cannot copy the unknown qubit state perfectly.
Several schemes for unforgeable quantum credit cards have been proposed, usually involving verification procedures that require quantum communication with an honest bank as in Wiesner’s original work [1]. A scheme involving classical communication during the verification process has also been proposed [2], making use of hidden-matching quantum retrieval games [3, 4], as well as a more practical scheme making use of simple BB84-type states [5]. Recently, quantum banknotes have been implemented “on-the-fly” but also shown to be forgeable [6]. Unforgeable quantum credit cards, on the other hand, have not been implemented to date.

Protocol. The quantum money protocol that we have analyzed and implemented is based on [5, 7] and has a number of desirable features, including single-round classical verification, credit card re-usability, and information-theoretic security with exponentially good parameters. In our protocol, the bank stores an amount of money into a credit card using a unique secret string and gives the card to the client. When a transaction is to be made, the following interactions occur: first, the client gives the credit card to a vendor, who chooses at random one out of two challenge questions and accesses the credit card (i.e., performs a measurement on the stored qubits) in order to get an answer to the challenge; second, the vendor sends to the bank the challenge and the answer and the bank, using its initial secret string, verifies the authenticity of the credit card and responds with a yes or no. If the bank’s answer is yes then the transaction may occur, otherwise the card is rejected and declared as a counterfeit.

The basic unit of the credit card state consists of a qubit pair, chosen by a secret classical string $s$ from the set $S_{\text{pair}} = \{|0+\rangle, |0-\rangle, |1+\rangle, |1-\rangle, |+0\rangle, |+1\rangle, |-0\rangle, |-1\rangle\}$, where $|0\rangle$, $|1\rangle$ and $|+\rangle$, $|-\rangle$ are the Pauli $\sigma_z$ and $\sigma_x$ basis eigenstates, respectively.

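The following simulation is an added example, not code from the paper: it plays one honest transaction over the qubit pairs of $S_{\text{pair}}$, with the vendor measuring every pair in the basis of a randomly chosen challenge and the bank checking only the outcome of the qubit prepared in that basis. It assumes ideal, lossless measurements, an encoding where bit 0 means $|0\rangle$ or $|+\rangle$ and bit 1 means $|1\rangle$ or $|-\rangle$, and an all-pairs-correct acceptance rule; the function names are hypothetical.

```python
import secrets

Z, X = "z", "x"  # challenge Q_zz measures in Z, Q_xx measures in X

def mint_secret(n_pairs):
    """Bank: three secret bits per pair (basis of first qubit, state of each qubit)."""
    return [tuple(secrets.randbelow(2) for _ in range(3)) for _ in range(n_pairs)]

def prepare_pair(s):
    """Map s to an element of S_pair; assumed encoding: 0 -> |0> or |+>, 1 -> |1> or |->."""
    first_basis, b0, b1 = s
    bases = (Z, X) if first_basis == 0 else (X, Z)
    return ((bases[0], b0), (bases[1], b1))

def measure(qubit, basis):
    """Ideal measurement: deterministic in the preparation basis, uniform otherwise."""
    prepared_basis, bit = qubit
    return bit if prepared_basis == basis else secrets.randbelow(2)

def vendor_answer(card, challenge):
    """Vendor measures both qubits of every pair in the challenge basis."""
    return [(measure(q0, challenge), measure(q1, challenge)) for q0, q1 in card]

def bank_verify(secret, challenge, answer):
    """Bank checks, per pair, only the outcome of the qubit prepared in the challenge basis."""
    for (first_basis, b0, b1), outcomes in zip(secret, answer):
        idx = 0 if (first_basis == 0) == (challenge == Z) else 1
        if outcomes[idx] != (b0, b1)[idx]:
            return False  # simplification: any wrong pair rejects (ideal, noiseless case)
    return True

def run_transaction(n_pairs):
    """One full round: mint, prepare, random challenge, measure, verify."""
    secret = mint_secret(n_pairs)
    card = [prepare_pair(s) for s in secret]
    challenge = Z if secrets.randbelow(2) == 0 else X
    return bank_verify(secret, challenge, vendor_answer(card, challenge))

if __name__ == "__main__":
    print(all(run_transaction(64) for _ in range(1000)))
```
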
The string $s$ consists of three bits, indicating the basis of the first qubit in the pair and the selected states of the two qubits. During the verification procedure, the vendor chooses one of the two challenges, $Q_{zz}$ or $Q_{xx}$, which for a single qubit pair read, respectively: “Provide two outcomes for the measurement of each qubit in the pair in the $\sigma_z$ (resp. $\sigma_x$) basis, such that the outcome corresponding to the qubit prepared in the $\sigma_z$ (resp. $\sigma_x$) basis is correct”. Then, he performs a measurement on the credit card, namely he measures each qubit in the pair in the $\sigma_z$ (resp. $\sigma_x$) basis and sends the outcomes to the bank, which uses the secret information $s$ to verify if the credit card is valid or not. In principle a valid credit card can always be verified. We denote by $c$ the probability of successfully answering $Q_{zz}$ or $Q_{xx}$ (correctness parameter), which in the ideal case is 1 for the above challenges (measuring both qubits in the