Semi-device-independent quantum money

The seminal idea of quantum money, unforgeable due to the laws of quantum mechanics, proposed by Stephen Wiesner, laid the foundations of quantum information theory in the early '70s. Recently, several other schemes for quantum currencies have been proposed; all of them, however, rely on the assumption that the quantum source device acts according to its specification. This makes several known quantum money protocols vulnerable to so-called hardware Trojan horse attacks. We therefore study the following problem: to what extent can quantum money schemes be made independent of the inner workings of the source and verification devices used by the honest parties (the bank and the mint) in creating and processing the quantum money? Drawing inspiration from the semi-device-independent quantum key distribution protocol, we introduce the first scheme of quantum money with this assumption partially relaxed, along with a proof of its unforgeability. Finally, we formulate and discuss a quantum analog of the Oresme–Copernicus–Gresham law of economics, which may hold in the future.


I. INTRODUCTION
Quantum information science originates from the seminal idea of a scheme of quantum money due to Stephen Wiesner [1]. According to his concept, randomly polarized photons could in principle represent a banknote, while the Bank's secret key records the random choices of polarizations. During verification the Bank checks the photons and accepts the banknote if they are polarized as designed, rejecting it otherwise. Although it is intuitive that, due to quantum no-cloning [2][3][4], the banknote cannot be copied without disturbing it, this scheme was proven secure against a counterfeiter only recently [5]. Wiesner's scheme relies strongly on the assumption that the verification measurements are performed according to specification. Dmitry Gavinsky [6] designed a protocol powerful enough to drop this assumption; however, the security of the latter relies on the honesty of the provider of the banknotes (a possibly malicious mint). To our knowledge, there is no scheme which remains unbroken under a joint attack: a collaboration of the mint and a counterfeiter who can change the functionality of the inner workings of the terminal that verifies the banknote.
In this manuscript we make a first, significant step towards a money scheme working without both the assumption of a trusted source and that of trusted measurements, i.e. one remaining unbroken under the joint attack. More precisely, we show how to change the verification procedure of Wiesner's banknote in order to ensure its security against a variant of the joint attack in which the production and the counterfeiting are performed qubit by qubit.
It is easy to see that protecting Wiesner's banknotes against the joint attack demands sufficient control over the dimension of the banknote's state. At the same time, for the banknote to be protected its state cannot be classical (diagonal in a single basis). In both cases we demonstrate straightforward attacks. We then start from the observation that a well-known quantum cryptographic scheme, the semi-device-independent quantum key distribution protocol of Pawłowski and Brunner [7], addresses exactly these two cases. It (i) assumes that the transmitted quantum systems have bounded dimension (in the considered case the bound is 2, i.e. we consider qubits) and (ii) ensures, by testing an equivalent of a dimension witness, that the data are not classical.
We first note that in the honest implementation of the SDI QKD protocol, the sender-receiver state is exactly of the form of Wiesner's banknote. We further propose that the verification of this banknote be performed exactly as it is done in the SDI QKD protocol. There, the honest measuring device does not check the correlations in the two polarization bases of the original banknote's state, but in rotated bases [8], as specified by the honest implementation of the SDI QKD protocol.
The security analysis of the SDI money scheme needs to take into account that the receiver (Alice) in the corresponding SDI QKD is not trusted; in that sense, money schemes are two-party cryptographic problems. In a single verification of a banknote Alice is asked to give certain answers (guessing bits of the key held by one branch of the Bank). After a successful verification, in order to pass verification a second time at another branch she can simply replay the correct answers from the first one. We find the necessary and sufficient value of the threshold θ in the corresponding SDI QKD protocol which guarantees protection against forgery in the SDI money scheme. Namely, we prove that the owner of a single banknote cannot be accepted in two (or a reasonable, i.e. polynomial in the banknote's length, number of) branches of the Bank that verify with this threshold θ. It is sufficient, and also necessary, that the threshold is the one that in the corresponding SDI QKD protocol would imply more than half of the maximal key rate. It is important to note that in the SDI money scheme only the preparation and verification parts of the corresponding SDI QKD are performed, while privacy amplification and information reconciliation are not. In particular, the number of runs is only large enough to collect sufficient data for estimating the guessing probability.
Since we build on the original SDI QKD protocol [7], which to the best of our knowledge is proven secure against individual attacks, the SDI money scheme inherits a similar security level, which in our context we call qubit-by-qubit counterfeiting. The main property of this attack is that the malicious mint, while producing Wiesner's banknote, can prepare a qubit in a state different from the specification, independently in each round. Later a counterfeiter can again try to copy the banknote by individual copy operations applied to each qubit separately. It is also vital for the scheme that the collaboration of the mint and the counterfeiter is restricted in that the mint does not pass the counterfeiter a state entangled with the banknote. We prove security in this scenario for the case when the Bank verifies the banknote. We then also present a somewhat more relaxed case in which the counterfeiter can lie in some way about the classical data generated during verification of the banknote. It is known that the banknote in the original Wiesner scheme needs to be destroyed after verification. In the considered case, since the verifying measurement is incompatible with the basis of the banknote, honest verification destroys the banknote by its very nature.
A number (in fact, more than 20) of quantum money schemes have recently been proposed [1,5,6,9-23]. We then ask whether the Oresme-Copernicus-Gresham (OCG) law of economics (known also as Gresham's law [24-29]) is also applicable to quantum money schemes. If so, the quantum Oresme-Copernicus-Gresham law would take the form: bad quantum money drives out good quantum money. We exemplify this general hypothesis on the basis of the presented scheme: realizations of SDI money schemes with an acceptance threshold θ_1 would drive out SDI money schemes with a higher acceptance threshold θ_2 > θ_1. This is because the banknotes in the latter schemes are more robust to noise, hence they could in principle be stored for longer. One can expect that, in analogy to the OCG law, individuals would tend to keep the banknotes that are more robust to noise, while spending the less robust ones more often.
The manuscript is organized as follows. In Section II we review previous quantum money schemes in both the private-key and public-key settings. In Section III we present the main result of this work: a scheme for semi-device-independent quantum money. In Section IV we discuss a possible quantum analogue of the Oresme-Copernicus-Gresham law. We conclude in Section V by comparing our scheme to existing ones, discussing the technological difficulties of a possible implementation, and summarizing the paper with some interesting open problems. Additionally, in Appendices A, B and C we present a rigorous security proof of the scheme, in Appendix D we briefly describe the honest implementation, and in Appendix E we discuss the amount of required memory.

II. PREVIOUS WORKS
The idea of quantum money proposed by Stephen Wiesner was, to our knowledge, the first application of quantum effects to an information-theoretic, in fact cryptographic, task. In this section we discuss previous research on this topic using the division into private-key and public-key quantum money suggested by Aaronson [11,30]. In private-key quantum money schemes only the mint itself can verify a banknote. In public-key quantum money schemes, on the other hand, anyone can verify a banknote using a publicly available verification procedure, but still no one except the mint can copy or create a new banknote. We conclude by giving (in Figure 1) a comprehensive comparison of different classical and quantum money schemes together with their security assumptions.

A. Private key quantum money
Around 1970 Stephen Wiesner suggested the first scheme of unforgeable quantum money. Unfortunately his paper was rejected a few times and was finally published in 1983 [1]. Even though Wiesner claimed that the protocol is unconditionally secure, a full proof against the most general attacks was presented by Molina et al. only in 2013 [5]. Because the scheme requires the mint to maintain a huge database of all produced bills, Bennett et al. [9] proposed a modification of the protocol, using a cryptographic pseudorandom function, to decrease the amount of memory needed. The question whether it is possible to reduce the database size without imposing any computational assumptions was analyzed by Aaronson [30]. Later he formally proved that the answer is negative and stated the so-called Tradeoff Theorem for Quantum Money [31].

Although the above schemes are secure in the regime in which the mint destroys the banknote after verification, returning the verified bill to its owner is dangerous. So-called interactive attacks were independently proposed by Aaronson [11] and Lutomirski [32]. An even more sophisticated version of the interactive attack, based on the idea of the Elitzur-Vaidman bomb tester, was later suggested by Nagaj et al. [33].
The above-mentioned scenarios require visiting the mint, or at least having a secure quantum channel, so Gavinsky suggested a version of quantum money with classical verification [6].
Additionally, Pastawski et al. [14] analyzed the more realistic scenario in the presence of noise and errors.
It is also worth mentioning fundamentally different approaches aimed at anonymity. Mosca and Stebila [12] (see also Tokunaga et al. [10]) proposed quantum coins constructed in such a way that all coins are identical. Their scheme uses a black-box model that makes a thorough security analysis difficult.
Finally, Selby and Sikora [23] analyzed unforgeable money in generalized probabilistic theories.

B. Public key quantum money
The biggest drawback of all private-key quantum money schemes is that only the mint can verify a bill. To get rid of this problem, the idea of public-key quantum money was invented. In that approach not only the mint but anyone, even an untrusted party, can verify a quantum banknote without communicating with the mint. A general formulation of public-key quantum money was presented by Aaronson [11] and later its security was analyzed by Aaronson and Christiano [15].
Following these seminal results many candidates for public-key quantum money schemes were presented. The first such scheme, based on stabilizer states, was proposed by Aaronson [11] but was later broken by Lutomirski et al. [13]. There were also attempts based on the local Hamiltonian problem, which were likewise broken, by Farhi et al. [34], using single-copy tomography. Another idea, based on knot theory, was proposed by Farhi et al. [16]; it remains unbroken, but there is no full security proof.
Several further papers concerning public-key quantum money or the analysis of its security have since been published and deserve mention here [35][36][37].
In the most recent work, Mark Zhandry [18] proved that if injective one-way functions and an indistinguishability obfuscator exist, then a public-key quantum money scheme exists. Furthermore, he shows how to adapt the Aaronson and Christiano scheme [15] under these assumptions to obtain secure public-key quantum money.
We should also mention ongoing research on decentralized quantum currencies. First, Jogenfors [17] proposed Quantum Bitcoin, which connects the ideas of quantum money and a classical blockchain system like the one used in Bitcoin. Later Ikeda [19] presented another approach called qBitcoin, based on quantum teleportation and a quantum chain instead of classical blocks. A cryptocurrency called qulogicoin, based on another version of the quantum blockchain, was proposed by Sun et al. [20]. Recently Adrian Kent proposed the concept of "supermoney" [21] and Daniel Kane created a new money scheme based on modular forms [22].

III. SEMI-DEVICE INDEPENDENT QUANTUM MONEY
In this section we first demonstrate simple attacks on some private-key quantum money schemes, including Wiesner's and Gavinsky's, which are based on the cooperation of the mint and the counterfeiter. We then describe the scheme for semi-device-independent quantum money in Sec. III B. Next, we compare our money scheme with the corresponding SDI QKD protocol of Pawłowski and Brunner, which we use as a base (see Sec. III C). Finally, in Sec. III D we present the idea of the proof, the details of which are given in the Supplemental Material.
A. Simple joint attacks: when the mint and counterfeiter collaborate

We aim to demonstrate that both the original Wiesner scheme and that of Gavinsky are vulnerable to the joint attack. Moreover, the attack is general enough to apply to other private quantum money schemes, as it is based on dropping an important security assumption: the privacy of the key. We show here two attacks of different types. The first one enlarges the memory of the banknote, while the second makes it a classical state. The first reduces to simply imprinting the Bank's secret key directly in the banknote's state, at the expense of enlarging the dimension of its quantum memory: the banknote's qubits ρ^W_k ∈ {|0⟩, |1⟩, |+⟩, |−⟩} are accompanied by a hidden register H holding the projector |b⟩⟨b|_H, where the bit-string b records the (random) choice of bases and v corresponds to the outcomes. In the original money only the system W carries the banknote's state. The mistrustfully prepared banknote has an additional "hidden" register H enabling the attack. This register can be used to generate an unlimited number of copies of the same banknote via repeated von Neumann measurement of system W in the basis indicated by |b⟩⟨b|_H. Allowing for such a strong attack, one can imagine that in principle the whole string |b, v⟩ could be imprinted in the money's memory at the price of doubling it; however, imprinting |b⟩ is enough. Copying such a "banknote" can pass unnoticed from the point of view of the honest client. From this trivial example we learn that if the dimension of the banknote is unbounded, its security against forgery is compromised.
More importantly, the mint and the counterfeiter can attack jointly without increasing the memory of the banknote, by using only classical states (diagonal in a single basis): in each run, right before the measurement is physically performed, the measurement device is given the basis type b, taking the value 0 for {|0⟩, |1⟩} and 1 for {|+⟩, |−⟩}. It can then safely output the value v stored in the classical state |v⟩⟨v| as the correct answer. The two bits that cannot be encoded in one qubit are thus split into the measurement type (revealed later) and its outcome.
The money scheme presented in the next section is based on the semi-device-independent quantum key distribution protocol, which serves as a partial countermeasure to these two attacks. In the latter protocol one assumes that only qubits are sent, so the first attack (enlarging the memory) is not applicable at all. On the other hand, the SDI QKD protocol accepts only if data originating from genuinely quantum states are observed, i.e. the systems communicated were not classical bits, which disables the second attack. This, and the fact that the honest implementation of the quantum states processed by the parties in SDI QKD is Wiesner's money, motivates us to study the security of Wiesner's scheme under the verification of the SDI QKD protocol (as we describe in detail in the following section).

B. Semi-device independent quantum money protocol
Motivated by the fact that joint attacks can compromise the security of some private quantum money schemes, we show a partial solution to this problem. In this section we present a scheme for semi-device-independent private-key quantum money. The concept of semi-device-independent quantum key distribution was introduced by Pawłowski and Brunner [7]. In that scheme the sender need trust neither the source nor the measuring device. Instead, the nontrivial assumptions are that the states sent to the receiver have limited dimension and are disentangled from the adversary. Our money scheme is based on the SDI QKD scheme with the assumption that each state sent from the sender to the receiver is a qubit (d = 2). In order to introduce both the concept and the notation it is instructive to briefly recap the semi-device-independent quantum key generation protocol [7]. The key is produced as follows. The sender sets up n pairs of random bits (y_0^i, y_1^i)_{i=1}^n. In each run i ∈ [n] := {1, …, n}, upon pressing the corresponding button, the sender's device produces an untrusted state ρ_{y_0^i, y_1^i}, which is assumed to be a qubit, and sends it to the receiver. The receiver's device is fully untrusted. It measures the state in an arbitrary manner (perhaps knowing the state's preparation), yet upon a (random) input x^i it has to output a bit a^i which should equal y^i_{x^i}. In the classical case, the probability of correctly guessing the sender's bit is at most 3/4, while in the quantum case it reaches P_Q := cos²(π/8) ≈ 0.8536. If the guessing probability is larger than a certain value, a secure key can be established.
In the SDI quantum money scheme the branches of the Bank play the roles of senders, while the client Alice is the receiver.
• Creation of a single banknote. To create the money all k branches of the Bank have to possess common secret randomness, which is stored in the classical memories of the branches. Each portion (y_0^i, y_1^i)_{i=1}^n of this key is attached in advance to the serial number SN of a separate banknote. (Note that the secret key can be obtained, for example, by measurements on 2n shared GHZ states [38] or by encrypted classical communication.) To generate the quantum state of the banknote associated with the number SN, one branch B_S (in practice the one closest to Alice) uses the (y_0^i, y_1^i)_{i=1}^n associated with this SN as the sequence of inputs to its untrusted source device S. The latter in turn generates n qubits ρ_{y_0^i, y_1^i} that together form the quantum state of the banknote, which (since the sources act independently, see ASM5 in Sec. III D) is the product state

ρ_SN = ⊗_{i=1}^{n} ρ_{y_0^i, y_1^i}.

The above state is sent to Alice's wallet (a dedicated quantum memory device). In the end the joint state of the k branches of the Bank and Alice's wallet consists of the classical records of the key held by the branches together with the banknote state ρ_SN in the wallet.

• Verification at the Bank. Alice comes to any branch B_l. B_l generates a bit-string (x^i)_{i=1}^n, inputs the bits to the untrusted terminal T, and collects the output bit-string (a^i)_{i=1}^n. For the resulting data, represented by the string of tuples (y_0^i, y_1^i, x^i, a^i)_{i=1}^n, the Bank accepts the banknote if

Σ_{i=1}^{n} [a^i = y^i_{x^i}] ≥ θ n,   (5)

where [·] equals 1 if the condition holds and 0 otherwise, i.e. if the number of correct guesses reaches the threshold value θn, and rejects it otherwise.
• Verification at a distance. Alice establishes an authenticated classical connection with some (arbitrary) branch B_l of the Bank. B_l gives her random inputs (x^i)_{i=1}^n, which she uses, together with the quantum state from the memory of her wallet, as inputs to an untrusted terminal (her own or, e.g., one operated by a seller in a shop). The classical output (a^i)_{i=1}^n of the device (possibly modified by Alice to (a'^i)_{i=1}^n) is then sent to B_l, which accepts the data (y_0^i, y_1^i, x^i, a'^i)_{i=1}^n if inequality (5) holds for them and rejects otherwise.
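As an added worked example (not code from the paper), the toy simulation below runs the honest preparation and verification just described, the classical-banknote joint attack of Sec. III A against SDI-style verification, and the replay forgery in which a second client reuses the answers from a first verification. Everything not stated on the page is an assumption made here: the mapping of the key bits (y_0, y_1) to Wiesner's four states and the two rotated measurement directions follow the standard 2→1 quantum random access code, all states are real so Bloch vectors in the x-z plane suffice, the acceptance threshold is set just above the page's P^money_crit ≈ 0.84755, and n and the RNG seeds are arbitrary.

```python
"""Added worked example, not code from the paper: toy simulation of the SDI money
scheme (honest case), the classical-banknote joint attack, and a replay forgery.
Assumptions (not on the page): QRAC state/measurement mapping, real Bloch vectors
in the x-z plane, threshold THETA just above P_money_crit, arbitrary n and seeds."""
import math
import random

SQ = 1.0 / math.sqrt(2.0)
P_Q = math.cos(math.pi / 8) ** 2      # (1 + SQ) / 2 ~ 0.8536, optimal qubit guessing probability
THETA = 0.8476                         # acceptance threshold theta in (P_money_crit, P_Q], assumed value

# Bloch vectors (x, z) of Wiesner's states |0>, |1>, |+>, |->, indexed by the key bits (y0, y1).
WIESNER = {(0, 0): (0.0, 1.0), (1, 1): (0.0, -1.0), (0, 1): (1.0, 0.0), (1, 0): (-1.0, 0.0)}
# Rotated measurement directions of the honest terminal: query x = 0 asks for y0, x = 1 for y1.
MEAS = {0: (SQ, SQ), 1: (-SQ, SQ)}


def p_correct(y0, y1, x):
    """Exact probability that the honest terminal, measuring along MEAS[x], outputs y_x."""
    nx, nz = WIESNER[(y0, y1)]
    mx, mz = MEAS[x]
    target = (y0, y1)[x]
    return (1.0 + (-1) ** target * (mx * nx + mz * nz)) / 2.0


def honest_average():
    """Guessing probability of the honest implementation, averaged over uniform (y0, y1, x)."""
    return sum(p_correct(y0, y1, x) for y0 in (0, 1) for y1 in (0, 1) for x in (0, 1)) / 8.0


def honest_terminal(y0, y1, x, rng):
    """Honest source + honest terminal: sample the outcome of measuring MEAS[x] on the qubit."""
    nx, nz = WIESNER[(y0, y1)]
    mx, mz = MEAS[x]
    p_zero = (1.0 + mx * nx + mz * nz) / 2.0
    return 0 if rng.random() < p_zero else 1


def classical_terminal(y0, y1, x, rng):
    """Joint attack of Sec. III A with a classical banknote: the malicious mint stores the single
    bit v = y0 in the note and the colluding terminal reads it out.  Unlike Wiesner's verifier,
    the SDI verifier never reveals which bit it wants before the query x, so with one stored bit
    the best the terminal can do for x = 1 is a constant guess: average success 3/4."""
    v = y0
    return v if x == 0 else 0


def average_success(terminal):
    """Exact average success over uniform (y0, y1, x) for a deterministic terminal."""
    hits = sum(terminal(y0, y1, x, None) == (y0, y1)[x]
               for y0 in (0, 1) for y1 in (0, 1) for x in (0, 1))
    return hits / 8.0


def verify(terminal, n, seed=0):
    """One verification at a branch: n key pairs (y0^i, y1^i), uniformly random queries x^i,
    acceptance iff the fraction of correct answers reaches THETA.  Returns (fraction, accepted)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n):
        y0, y1, x = rng.getrandbits(1), rng.getrandbits(1), rng.getrandbits(1)
        hits += terminal(y0, y1, x, rng) == (y0, y1)[x]
    frac = hits / n
    return frac, frac >= THETA


def replay_forgery(n, seed=0):
    """Replay forgery: Alice verifies honestly at branch 1 with queries x_A; Frederick presents
    the same serial number at branch 2, gets independent queries x_F and replays Alice's answers.
    Where x_F = x_A the replay works; where x_F != x_A he answers about an independent bit,
    so his expected fraction is (P_Q + 1/2) / 2 ~ 0.677 < THETA.  Returns (frac_A, frac_F)."""
    rng = random.Random(seed)
    hits_a = hits_f = 0
    for _ in range(n):
        y0, y1 = rng.getrandbits(1), rng.getrandbits(1)
        x_a, x_f = rng.getrandbits(1), rng.getrandbits(1)
        a = honest_terminal(y0, y1, x_a, rng)
        hits_a += a == (y0, y1)[x_a]
        hits_f += a == (y0, y1)[x_f]
    return hits_a / n, hits_f / n


if __name__ == "__main__":
    print("honest guessing probability:", honest_average(),
          "classical banknote:", average_success(classical_terminal))
    print("honest verification:", verify(honest_terminal, 200_000))
    print("classical banknote:  ", verify(classical_terminal, 200_000))
    print("replay forgery (Alice, Frederick):", replay_forgery(200_000))
```

One practical observation from running this (my own, not a claim of the paper): with θ only about 0.006 below P_Q, honest acceptance requires n large enough that the statistical fluctuation of the empirical fraction, of order 1/(2√n), is a small multiple below that gap, i.e. n on the order of 10^5 qubits for a comfortable margin; this is the "tomography of the guessing probability" cost that Sec. III C and Appendix E refer to.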
For the sake of clarity the whole process of the creation and the verification of the semi-device independent quantum money is illustrated in Figure 4 (for the general scheme with many branches) and Figure 5 (for the creation and verification at the same branch). We state below certain remarks on the variants of the above approach.
Remark 1 (Creation of the banknote without communication). The branches can create money without communicating. Using synchronized clocks, they continuously generate new random inputs. When a client arrives, the serial number of her banknote contains a time stamp that uniquely indicates which stored randomness the verifying branch should use. Additionally, the branches should agree among themselves in advance on the allowed generation times, so as never to generate two bills from the same randomness. A similar idea can also be implemented in some earlier money schemes, for example Wiesner's.
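An added example of the bookkeeping Remark 1 requires (not code from the paper): time is divided into slots on the branches' synchronized clocks, the k branches hold a shared table of pre-generated key pairs (y_0^i, y_1^i) indexed by slot, and a slot may be spent only by the branch it is assigned to, only while that slot is current, and only once, so that no two bills are ever issued from the same randomness. The slot assignment rule (slot t belongs to branch t mod k), the serial number format "branch-slot", the slot length and the seeded stand-in for the shared randomness are all assumptions made here.

```python
"""Added example, not from the paper: issuance bookkeeping for Remark 1 (branches issue
without communicating).  Assumed here: slots of SLOT_SECONDS on synchronized clocks,
slot t owned by branch t mod k, serial numbers of the form "branch-slot", and a seeded
RNG standing in for the secret randomness the branches share in advance."""
import random

SLOT_SECONDS = 60
N_QUBITS = 8          # banknote length n; tiny here only to keep the table readable


def slot_of(timestamp):
    """Slot index of a Unix timestamp on the branches' synchronized clocks."""
    return int(timestamp) // SLOT_SECONDS


def shared_randomness(seed, first_slot, n_slots, n=N_QUBITS):
    """Constructed stand-in for the randomness shared by all branches:
    slot -> tuple of n key pairs (y0^i, y1^i)."""
    rng = random.Random(seed)
    return {s: tuple((rng.getrandbits(1), rng.getrandbits(1)) for _ in range(n))
            for s in range(first_slot, first_slot + n_slots)}


class Branch:
    def __init__(self, branch_id, k, table):
        self.id, self.k, self.table = branch_id, k, table
        self.issued = set()          # slots this branch has already spent

    def owns(self, slot):
        return slot % self.k == self.id

    def issue(self, now):
        """Issue a banknote at time `now`; returns (serial, key pairs fed to the source).
        Refuses slots owned by another branch, slots already spent (key reuse would let two
        bills share one key), and slots for which no shared randomness exists."""
        slot = slot_of(now)
        if not self.owns(slot):
            raise PermissionError(f"slot {slot} belongs to branch {slot % self.k}")
        if slot in self.issued:
            raise RuntimeError(f"slot {slot} already used: a second note would reuse the key")
        if slot not in self.table:
            raise KeyError(f"no shared randomness for slot {slot}")
        self.issued.add(slot)
        return f"{self.id}-{slot}", self.table[slot]

    def key_for(self, serial):
        """Verifying branch: recover the key pairs a serial number refers to, rejecting
        serials whose branch field does not match the slot's owner."""
        issuer, slot = (int(part) for part in serial.split("-"))
        if slot % self.k != issuer:
            raise ValueError("serial names a branch that could not have issued this slot")
        return self.table[slot]


def try_issue(branch, now):
    """Convenience wrapper: the serial on success, or the name of the refusal raised."""
    try:
        return branch.issue(now)[0]
    except (PermissionError, RuntimeError, KeyError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    table = shared_randomness(42, first_slot=1000, n_slots=10)
    b0, b1 = Branch(0, 2, table), Branch(1, 2, table)
    serial = try_issue(b0, 1000 * SLOT_SECONDS + 5)
    print("issued", serial, "-> verifier recovers", b1.key_for(serial))
    print("other branch, same slot:", try_issue(b1, 1000 * SLOT_SECONDS + 7))
    print("same branch, same slot again:", try_issue(b0, 1000 * SLOT_SECONDS + 30))
```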
Remark 2 (Reusing randomness during re-verification). Frederick could adopt the strategy of trying to verify the same banknote many times, waiting for a favourable random string from the Bank's branch; for example, he would like the set D(x_⊕) from the proof (see Appendix B) to be as large as possible, since its size governs the chance of the banknote passing verification. To prevent this, the verifying branch should, after the first verification attempt, store the verification randomness in memory and reuse it in all subsequent attempts to verify that banknote.
Remark 3 (Predefined agreement on the queries of the branches). Instead of each branch using independent randomness during verification, the branches could agree in advance on a verification string for every banknote, in a manner similar to the banknote generation procedure. Although this is not necessary for security, it could simplify the proof and reduce the number of qubits required by the protocol.

C. Comparison of the SDI QKD and SDI money scheme
We now make an explicit comparison of our protocol with the semi-device-independent protocol of Pawłowski and Brunner [7]. There are three main differences.

• Memory requirements
A conceptual difference is that we defer the measurement: the states prepared by the source in the SDI protocol are collectively called the banknote, the role of the measurement is taken over by Alice's quantum memory, and the verification is done by the terminal at some later time. When Alice wants to verify the money she visits some branch B_l. This branch generates a random binary string x = (x^i)_{i=1}^n of length n and feeds it as input to the untrusted measurement devices of the terminal M = (M^i)_{i=1}^n, which generate a string a = (a^i)_{i=1}^n. The branch then estimates the probability distribution P(a|x, y) and accepts the banknote as valid or rejects it depending on whether condition (5) is met. It is of particular convenience that the SDI protocol does not rely on the no-signaling principle, so the measurement of the banknotes can be done at any time after they were prepared. In other words, our protocol needs quantum memory while SDI QKD does not.
• Limited number of runs. A significant practical difference is that the SDI quantum money scheme corresponds to the SDI QKD protocol restricted to the creation and verification procedures, without the privacy amplification and information reconciliation parts. In particular, in our protocol the number of runs of the corresponding SDI QKD experiment (i.e., the length of the banknote) is only long enough to enable estimation of the guessing probability, which depends only on the possible systematic error in the experiment and on the concentration property due to the law of large numbers. This is in contrast with the SDI QKD protocol, which involves (at least) as many runs as the number of key bits that need to be generated. Indeed, we do not aim at creating a secret key, so there is no phase of public reconciliation and privacy amplification. Preparing and verifying a long key is equivalent to creating and verifying a huge number of banknotes.

• An intermediate acceptance threshold
The third difference concerns the acceptance threshold. The acceptable range of the guessing probability P_guess of the string (y_0^i y_1^i)_{i=1}^n in the SDI QKD protocol extends from the maximal value P_Q ≈ 0.8536, which implies the highest possible key rate in this scenario, down to the minimal value P^key_crit ≈ 0.8415, which implies zero key rate. Let us stress that any value between P^key_crit and P_Q is acceptable, as it leads to a non-zero key rate (yet one aims at the highest). In the corresponding SDI money scheme, instead, one needs this parameter to be larger than P^money_crit := (P_Q + P^key_crit)/2 ≈ 0.84755. On the other hand, all money schemes with an acceptance threshold θ in the range (P^money_crit, P_Q] are protected against forgery given a large enough number n of qubits in the banknote.

FIG. 5. The procedure of generation and verification of a single banknote in the SDI money scheme. The n untrusted source devices independently produce qubit states ρ_{y_0^i y_1^i} that together form the banknote, which is kept in Alice's wallet and is exposed to counterfeiting by her or Frederick (or both). Verification of the banknote is done by n independent (not necessarily identical) untrusted parts of a verification terminal, each checking whether a^i = y^i_{x^i_A} (i.e., whether its output equals the one of the two bits of the Bank's record at run i selected by the random query x^i_A). The banknote is accepted if the number of correctly guessed bits exceeds θn with θ > β/2, where β = 2P_Q(1/2 + η) + M(1/2 + η) + 2η and η depends on n (accounting for possible fluctuations of the number of correct guesses). The number of qubits n of the banknote is large enough that β/2 < θ ≤ P_Q, so that an honest implementation and verification of the banknote leads to its acceptance with high probability.

D. Security proof of the SDI money scheme
In this section we give the proof of the main result: the SDI quantum money scheme is protected against qubit-by-qubit forgery, that is, against the case when the mint and the counterfeiter (as well as a verification terminal possibly built by the counterfeiter) cooperate in such a way that each qubit is attacked (prepared, copied and tested) independently. Under some additional necessary assumptions, listed below, we show that two cooperating clients, Alice and Frederick, cannot get the banknote accepted as valid at two branches of the Bank. As we show, the case of many branches follows from security in the two-branch case. The case of a birthday-type attack of choosing the best pair of branches is then handled by the union bound. Indeed, assume that the number of branches is k = poly(n), where n is the length of the banknote, a reasonable constraint that can be satisfied in practice. If for any pair of branches the probability of successful counterfeiting is exponentially small, ε_2(n) ∼ O(e^{−n}), then the probability of this event for some pair among the k branches is not higher than ε_k := (k choose 2) ε_2(n), which is still small (of order O(e^{−n})).
Before presenting the proof, we first state explicitly all the more or less implicit assumptions of our scheme. First note that in general (not only in the SDI money scheme) one needs to take into account the following assumptions:

ASM1 The Bank's branches have access to a private, fully random number generator that they use to generate the y's and x's.
ASM2 The Bank's branches use an honest classical post-processing unit in the verification procedure.
ASM3 The dimension of the state produced at the output of the source (i.e. the mint) is bounded and there is no other information leaking from the source to Alice or Frederick.
ASM4 The state produced by the source is unentangled from the dishonest parties (Alice and Frederick).
ASM5 The source devices create the states independently, which also implies that each source has access only to its own input (not the inputs of the other sources).
ASM6 The measurement devices are independent, each measures only its own subsystem, and the outputs of Alice and Frederick in each run are independent of the inputs and outputs of the other runs.
In the particular case of the presented SDI money scheme, in ASM3 we specify that each of the independent parts of the source (as specified in ASM5) has output dimension bounded by d = 2, i.e. the source works by independently producing n qubits (not necessarily all in the same way, see Fig. 3).

Remark 4 (On possible weakening of the assumptions). It seems plausible that assumption ASM6 could be dropped, but this would complicate the proof. Whether assumption ASM5 can be dropped is a hard open problem, related to the formulation of the SDI QKD scheme and of random access codes [39,40] in general. On the other hand, all other assumptions are necessary to prove the security of our scheme, since dropping any of them leads to a successful attack.
Let us briefly describe the idea of the security proof. It is a consequence of two facts: (i) the monogamy inherent to the SDI key generation protocol and (ii) the fact that each branch of the Bank queries independently of the other branches during verification. It holds for the case when the Bank verifies the banknote via an untrusted terminal, i.e. Alice (and/or Frederick) come to the Bank to get the banknote accepted. The case with communication is then reduced to the latter, under the assumption that the strategy of lying about the outputs of the devices (which is at the choice of the dishonest parties) is individual, i.e. independent for each run of the protocol (see the Supplemental Material, Section A). As we discuss in Section V, this is a somewhat unrealistic assumption that could in principle be dropped once the SDI QKD protocol is proven secure against general, so-called forward-signaling attacks.

The case of attack on a single qubit
By definition, much like in the original Wiesner scheme, for a banknote to be accepted its owner has to guess the Bank's bits correctly. To see that two dishonest persons, Alice and Frederick, cannot both pass the verification of our banknote, it is instructive to focus on the attack on a single qubit of the banknote. Suppose Alice and Frederick are trying to "split" its use so as to maximize the guessing probability P_guess in two experiments at two branches of the Bank. Their joint attack can be described as a conditional probability distribution (a box) P(a_F, a_A | x_A, x_F, y_0, y_1), where y_0 and y_1 are the secret bits of the Bank which Alice and Frederick are trying to guess, and x_A and x_F are the random inputs to the box generated by the Bank.
For simplicity of description we assume that Alice and Frederick come to the Bank, and that it is the Bank that sets the inputs to the devices (we argue later how to partially relax this assumption). The joint attack aims at generating two bits, a_A (by Alice) and a_F (by Frederick), such that the probability of Alice guessing the x_A-th bit of y_B = (y_0, y_1) and that of Frederick guessing its x_F-th bit are both maximal. The guessing probabilities for Alice and Frederick read, respectively,

P^A_guess = P(a_A = y_{x_A})   and   P^F_guess = P(a_F = y_{x_F}).

Let us first observe that in the case x_A = x_F they can both achieve the maximal possible guessing probability P_Q = cos²(π/8) ≈ 0.8536 [7]. Indeed, Alice can come first to one branch and behave honestly, attaining P^A_guess = P_Q, while Frederick can copy her answer, reaching the same guessing probability. However, when x_F = x_A ⊕ 1 (which happens with probability one half), the dishonest parties need to guess different bits: y_0 (Alice) and y_1 (Frederick), or vice versa. It is proven in [7] that in this case the sum P^A_guess + P^F_guess is bounded by a constant M smaller than the trivial value 2P_Q. Hence, even if Alice and Frederick collaborate fully, the sum of the probabilities of guessing the two bits is bounded. Since x_A = x_F with probability one half, averaging over the value of x_A ⊕ x_F we conclude that the average number of correctly guessed bits per run has the upper bound (2P_Q + M)/2 = P_Q + M/2. In what follows we prove that, due to the independent nature of the attack, the above bound multiplied by the number of runs n applies (up to fluctuations η around the average). The corresponding bound, enlarged by the maximal possible fluctuations, reads nβ with β = 2P_Q(1/2 + η) + M(1/2 + η) + 2η. We then choose the threshold value θ to be larger than β/2. This ensures that the two dishonest parties cannot get the same banknote accepted at two branches of the Bank, as the total number of their correct guesses would then have to be at least 2θn > βn, the desired contradiction.
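As an added worked derivation (not part of the original text), the bound β quoted above written out with the page's symbols. The form P^A_guess + P^F_guess ≤ M of the monogamy bound for x_A ≠ x_F, and Hoeffding's inequality as the source of the fluctuation terms, are assumptions made here; the latter matches the ε(η) = 2 exp(−2η²n) used in the proof below.

$$
\begin{aligned}
c^i_A &:= [\,a^i_A = y^i_{x^i_A}\,], \qquad c^i_F := [\,a^i_F = y^i_{x^i_F}\,], \qquad x^i_\oplus := x^i_A \oplus x^i_F, \\
\mathbb{E}\big[c^i_A + c^i_F \,\big|\, x^i_\oplus = 0\big] &\le 2P_Q, \qquad
\mathbb{E}\big[c^i_A + c^i_F \,\big|\, x^i_\oplus = 1\big] \le M, \\
\mathbb{E}\big[c^i_A + c^i_F\big] &\le \tfrac12\cdot 2P_Q + \tfrac12\, M = P_Q + \tfrac{M}{2}.
\end{aligned}
$$

For a typical query string $x_\oplus$ with $|x_\oplus|_0 \le (\tfrac12+\eta)n$ and $|x_\oplus|_1 \le (\tfrac12+\eta)n$, summing over the runs gives

$$
\mathbb{E}\Big[\sum_{i=1}^n (c^i_A + c^i_F)\Big] \;\le\; 2P_Q\,|x_\oplus|_0 + M\,|x_\oplus|_1 \;\le\; \Big(2P_Q\big(\tfrac12+\eta\big) + M\big(\tfrac12+\eta\big)\Big)\,n,
$$

and allowing each of the two empirical counts $\sum_i c^i_A$ and $\sum_i c^i_F$ to exceed its expectation by at most $\eta n$ (each failing with probability at most $2\exp(-2\eta^2 n)$ by Hoeffding's inequality, the $c^i$ being independent under ASM6) yields, with probability close to one,

$$
\sum_{i=1}^n (c^i_A + c^i_F) \;\le\; \beta n, \qquad \beta = 2P_Q\big(\tfrac12+\eta\big) + M\big(\tfrac12+\eta\big) + 2\eta.
$$

Acceptance at both branches requires $\sum_i c^i_A \ge \theta n$ and $\sum_i c^i_F \ge \theta n$, hence $\sum_i (c^i_A + c^i_F) \ge 2\theta n > \beta n$ whenever $\theta > \beta/2$, which can happen only on the low-probability events above. In the limit $\eta \to 0$ the condition reads $\theta > P_Q/2 + M/4$; the page gives this limiting threshold as $P^{\text{money}}_{\text{crit}} \approx 0.84755$.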

Extending the argument to the general case of the qubit-by-qubit attack
We would like to extend this reasoning to the case of the repeated experiment of n runs (n will be relatively small, as short as the length of a usual preamble of the QKD protocols). We assume here that the attack is "id", i.e. described by not necessarily identically but independently distributed random variables, according to the measure: where U (y i 0 , y i 1 , x i A , x i F ) denotes the uniform distribution over its arguments. We then observe that, instead of providing x A to Alice and x F to Frederick, the two branches of the Bank could give x A to Alice and x ⊕ := x A ⊕ x F to Frederick. This is because Alice and Frederick are collaborating, so they can compute back the value of x F from these data in case it is needed. We can therefore change the scenario to one in which the parties are given (x A , x ⊕ ), provided the probability measure is changed accordingly to the following one: The measure µ acts on x A and x ⊕ in the same way as µ would act on x A and x F , so in some sense it is undoing the XOR operation. This modification of the scenario does not change the probability of successful forgery, i.e. the probability of the event in which both Alice and Frederick get accepted as holders of a valid banknote. To see this, we first note that the set of events (denoted as F ORGE) leading to a successful forgery reads: We then prove (see Corollary 1) that Due to the fact that x ⊕ is created before the creation of the money, and hence before any moment at which an attack on it can happen, we have We can narrow considerations to the typical x ⊕ , i.e. those containing the symbols 0 and 1 approximately n/2 times each, where |x| 0 is the number of positions with symbol 0 in a bitstring x. All sequences of length n (given n is large enough) are with high probability typical (i.e. with probability 1 − (η) for (η) = 2 exp(−2η 2 n)). We have therefore We then see that one can fix a typical x ⊕ , and prove that for any such x ⊕ the probability of acceptance is low.
We will assure it by setting an appropriate θ, so that with high probability over the conditional measure µ := µ (x ⊕ )/p(x ⊕ ) the strings S emerging from the attack will be rejected as having too low a number of guessed bits of (y i 0 , y i 1 ) n i=1 . In more detail, we first note that for a fixed x ⊕ , on average over n runs with respect to the measure µ , there are no more guessed inputs than nB with B given in Eq. (9). It remains to take into account the fact that the observed number of guessed inputs need not be equal to its average. Since x ⊕ is typical, the number of runs in each of the two subsets is at least n/2 − ηn, so we can use the fact that the attack is performed in an independent manner (see Fig. 3). Due to Hoeffding's inequality, we obtain that the observed number of guessed inputs is with high probability bounded from above by: where η takes care of the maximal possible fluctuations. Before we explicitly control these fluctuations, we first define four random variables describing the guessing at the ith run of the verification procedure by Alice and Frederick as Now we can get back to describing deviations from the average of the 4 random variables X̄ A x⊕ , X̄ F x⊕ , Ȳ A x⊕ and Ȳ F x⊕ that are the sums over i ∈ [n] of the variables described above. The values of X̄ A x⊕ (X̄ F x⊕ ) are the numbers of bits of (y i 0 , y i 1 ) correctly guessed by Alice (Frederick) at the positions i satisfying x i A = x i F . Analogously, Ȳ A x⊕ (Ȳ F x⊕ ) describe the number of correct guesses for i such that x i A ≠ x i F . Details are given in Theorem 1 and Corollary 2 of the Supplemental Material (see also Appendix B for an explicit definition of the random variables, their sums and expected values).
The last argument follows from a simple observation. Namely, if the total fraction of positions correctly guessed by the two persons is less than β, the minimum of the fractions of correct guesses by each of them separately is not greater than β/2. Setting the acceptance threshold θ large enough that the minimum of the numbers of guesses is below θ, we assure that for each typical x ⊕ the banknote is rejected with high probability in at least one branch. In particular, for any θ > β/2 this probability is at least 1 − 4 · 2 exp(−η 2 (n/2 − η)), where for every typical x ⊕ the error 4 · 2 exp(−η 2 (n/2 − η)) upper bounds the probability of the event that at least one of the 4 random variables X̄ A x⊕ , X̄ F x⊕ , Ȳ A x⊕ , Ȳ F x⊕ is far from its respective average.

IV. QUANTUM ORESME-COPERNICUS-GRESHAM'S LAW
One of the famous laws of economy is: • Bad money drives out good.
This law states, colloquially speaking, that if certain money is cheaper to produce, then it will eventually drive out the one that is more expensive to produce, where "expensive" is understood not in terms of face value but in terms of intrinsic value. Although it was named after Sir Gresham, it had been observed by others much earlier. The two most cited authors are Nicole Oresme [26] and Nicolaus Copernicus [27], so that the above law is also referred to as Copernicus', or the Oresme-Copernicus-Gresham's Law. However, the first known appearance of a similar statement is in the comedy "The Frogs", written by the Ancient Greek playwright Aristophanes around 405 BC [25]. For an overview of the law see e.g. [24].
From the perspective of economics, the concept of money is a matter of a social agreement and of the properties of a given material/procedure used to produce a coin or a banknote. So it might appear that there is no need to consider a quantum variant of Gresham's law per se, because one can apply the OCG Law to the new method of mining, namely from quantum states. This is what happens to classical crypto-currencies. Instead, in formulating a quantum analog of the OCG Law we would like to compare quantum currencies with each other within the quantum domain. This is because one could choose a "cheaper" way to produce money, from quantum states that are "cheaper" to obtain, whatever "cheaper" means for quantum technology at a given moment of its development. We therefore would like to introduce and discuss a version of Quantum Gresham's law in the following way: • Bad quantum money drives out good quantum one.
Deciding whether to keep a given quantum currency or not may be a complex process, depending on various mutually dependent parameters, the importance of which varies with the preferences of particular individuals or societies. It is therefore too early, and hence too hard, to foresee the behavior of the quantum currency flow between the schemes, provided they happen to be realized experimentally.
Example 1. For the presented SDI quantum money scheme to be unforgeable against qubit-by-qubit attacks, it is enough that the source of the banknote (if it is able to produce a large number of banknotes) manages to produce SDI key at a rate θ > β/2. It is however not demanded that θ ≈ P Q , i.e. that the source would be able to produce money equivalent to a low number of runs of the SDI key generation experiment with the maximal possible rate P Q . Suppose that some provider P I is able to produce SDI money which passes the acceptance threshold θ = β/2 + 2δ for some δ > 0. Next, suppose that some other provider P II is able to produce reliable SDI money with the lower acceptance threshold β/2 + δ. As we have proved in Theorem 2, banknotes of both providers are valid and cannot be forged under certain assumptions. However, the banknote of the provider P I can be attributed a larger quantum commodity value, defined as the SDI key rate of the source which produced the banknote. From the perspective of the banknote's holder, this key rate implies a nonzero rate of min-entropy of the banknote's quantum state and hence a nonzero rate of private randomness. An additional reason to keep the P I type money and spend the P II type more often is that the former is more robust to noise. Indeed, even a decrease by δ of the observed fraction of correct guesses will not invalidate the banknote.
We then make the following observation: Observation 1. If the Quantum Oresme-Copernicus-Gresham law applies, the SDI money with lower acceptance threshold θ would drive out the SDI money with higher θ. (We note here that we have implicitly assumed that the hardware parameters of the realizations by P I and P II are comparable. Otherwise, realization of the banknote according to P II 's recipe can simply be too expensive, e.g. in energy spent on keeping it in a quantum wallet.)
The above example is very limited, as it concerns different ways of realization of the same money scheme (i.e. currency). It is however plausible that if the quantum version of the OCG law turns out to be true, the individuals will tend to keep the most secure, cheapest to produce and to store money of the highest commodity value (in the sense of its use for quantum information processing), and will spend the other currencies more often. Going a bit further, one can consider monies in theory T (for such a general approach see [23]), and have a "T Oresme-Copernicus-Gresham Law", a theory-dependent version describing flow of currencies valid in a theory T . An interesting special case would be the "multi-theory OCG Law" that could govern the flow of currencies between different sub-theories. A natural example of the latter would be Classical-Quantum Oresme-Copernicus-Gresham Law, expressing the behavior of everyday currencies and the quantum ones on the same footing.

A. A comparison of the money schemes
In Table I we present the comparison of different protocols, including the original protocol of Stephen Wiesner [1] and that of Dmitry Gavinsky [6], and show which (parameters of) quantum devices have to be trusted by the Bank in order to maintain security.

B. How close are we to practice?
A fundamental obstacle in the realization of the presented scheme and many other money schemes is that they rely on the existence of a reliable and long-lived quantum memory. It is hard to foresee when (if ever) such memories will be available; however, there are works in this direction. As an example of recent substantial experimental progress in developing quantum memory we can invoke the paper by Wang et al. [41], presenting a single-qubit quantum memory whose coherence time exceeds ten minutes. Furthermore, Harper and Flammia [42] demonstrated the first implementation of error correcting codes on a real quantum computer. This may indicate that error correcting codes can become useful in near-future quantum memories.
We want to emphasize here that the tasks of universal fault-tolerant quantum computing [43] and of a reliable quantum repeater [44] (for the latest discovery see [45] and references therein) are both different from that of a fault-tolerant quantum random access memory (QRAM). The memory of a quantum computer need not be stable for a long time, because it is needed only for the time when the gates of the quantum algorithm are applied, while the QRAM needs to be stable for a long period of time. However, operations on the QRAM are far from universal [46], being reduced to measurements in two bases (at least in the considered SDI money scheme). In that respect the QRAM appears to require much simpler functionality. The simplicity of the QRAM's operations is more comparable with that of a single quantum repeater station (at least for the 1st generation quantum repeater [47]). However, the 1st generation single repeater node needs to perform entanglement swapping of two photons incoming from different origins, which is a totally different task. In the case of the QRAM, states are prepared and need not be sent, i.e. QRAM can be realized without the use of photons. This should simplify the task in comparison to that of achieving a quantum Internet. (Note also that a station of the 3rd generation quantum repeater is close in performance to a small-size universal quantum computer [47].)
However, although there is no physical law that bounds from above the coherence time of a qubit state, achieving a reliable QRAM appears to be an extremely hard task because of quantum decoherence, which usually happens very fast. This is the reason why the very first idea appearing in the theory (a QRAM needed for money schemes) may become the last one (after the quantum computer and the quantum Internet) to be realized in practice. This may also happen due to the fact that classical money schemes are reliable enough that the need for their quantum versions is far smaller than the need for fast information processing and secure communication.

V. DISCUSSION
In this article we have presented an alternative method of testing the original Wiesner banknotes: a Semi-Device Independent quantum money scheme. To our knowledge this is the first attempt to provide a private money scheme whose unforgeability would not fully rely on trusting the mint (source of the banknote) and the inner workings of the verifying terminal at the same time.
We have proven that the scheme cannot be broken by a forger who copies the banknote in a qubit-by-qubit manner in the scenario where the banknote is returned to the Bank for verification, provided the banknote was created in a qubit-by-qubit manner (each qubit created independently). The scheme remains secure in the case of verification by classical communication at a distance, under the assumption that the counterfeiter lies about the outputs in an independent manner during the verification procedure.
We have thereby also made an explicit connection between money schemes and the idea of a private key which is not classical but comes from another theory (generalized probability theory), exploring thereby the directions presented in [6,23]. This idea has far-reaching consequences if one does not insist on the device independence of the money, and will be discussed in more detail in [48], in particular a generic scheme based on monogamy [49] of the underlying protocol / key. It is plausible that the proposed scheme inherits the security of the underlying protocol, in our case the original semi-device independent quantum key distribution protocol. Given a full proof of security of the SDI QKD against a forward signaling adversary, as is the case for the DI QKD [50] (see [51] for the latest breakthrough), it may follow that our suitably modified scheme is fully unforgeable. The sufficient modification concerns the communication in the verification procedure. The counterfeiter would need to give the answer(s) (a i A , a i F ) after getting the inputs (x i A , x i F ), but before learning the next inputs (x i+1 A , x i+1 F ). In such a case each possible history-dependent lie can be treated safely as a part of the attack of the device, and hence would not affect the model. The rest of the proof would follow from similar arguments as above with a proper use of the concentration of martingales. It is therefore important to verify whether the SDI protocol is fully secure. An intermediate step would be to extend the security proof of the presented SDI money scheme to its variant given in [52], proven there to be secure against collective attacks.
One might think that we could have used directly the scheme of the device dependent key secure against the quantum adversary [50], avoiding thereby the unnatural assumption about the terminal altering outputs in an independent manner during the verification procedure. It is indeed straightforward to extend the idea presented here for a single Bank's branch with much weaker assumptions. However, it needs suitable modifications leading to novel scheme(s) in order to be extended to the case with multiple Bank's branches. This approach therefore results in a scheme fundamentally different from the original one and its follow-ups like the presented SDI money scheme, and will be presented in [48].
We have compared the SDI money scheme with the protocol of the SDI QKD, showing that they differ in three ways. Firstly, the money scheme requires a reliable quantum memory, while the SDI QKD does not. Most quantum money schemes suffer from this problem, i.e. it is not a special property of our scheme (however, see the recent proposal by A. Kent [21]). Secondly, in principle, the money scheme does not need the number of runs of the experiment, as producing the key is out of focus, contrary to the goal of the SDI QKD protocol. However, the presented SDI scheme based on qubits leads to banknotes requiring a significant quantum memory (as we exemplify in Section E), because the number of qubits n has to diminish the effect of the fluctuations η. Fortunately, our security proof seems to be straightforwardly adaptable to SDI schemes based on the SDI QKD protocol with more than two inputs on the Bank's side and (if needed) the dimension of the system [39,40]. Considering such an extension would be of high importance for more practical examples. Thirdly, our money scheme needs a moderate error tolerance, roughly speaking just a little above the one implying one half of the possible key rate achievable in the corresponding SDI scheme. This, in principle, opens an area for the robustness of the money scheme against noise. Given the banknotes are initially prepared at high quality, their quality can drop significantly, yet without compromising security against forgery, to the value corresponding to about half of the maximal possible key rate of the SDI protocol.
Given that a variant of this scheme more promising for practical realization exists, one should consider its robust version, which can be realized in a laboratory including all side effects that may potentially open it to hacker attacks. This aspect of the SDI QKD has been recently studied in [52][53][54][55].
Another important direction of development would be checking whether the proposed scheme could be treated as an option for a user of the original Wiesner scheme or its other extensions like Gavinsky's protocol. The resulting scheme would give higher protection against a malicious money provider, matching the best of the two approaches. In the presented scheme, the banknotes (even in the case of the honest client Alice) are inevitably lost during their verification. It seems natural then (as is done by Gavinsky [6]) to extend our scheme to the case of transactions, which we also defer to future work.
Finally, in a somewhat speculative way, we have put forward a hypothesis called the Quantum Oresme-Copernicus-Gresham's Law: an analogue of the classical law of economy also known as Gresham's Law. This law states that the bad money (with lower intrinsic value) drives out the good one (with higher intrinsic value), as the latter is less often spent. We have exemplified this law on the basis of different realizations of the SDI money scheme, corresponding to different values of the threshold leading to the acceptance of money. These speculations need further, more formal exploration with examples based on more types of currencies, as well as an extension (which appears to be straightforward) to the case of resources [56] within the paradigm of [57].

It is easy to see that P Q > M/2. Let us now define the notation used in the rest of the paper. By y's we denote the inputs used by the Bank in order to create the money, x's stand for the questions that the branches verifying Alice and Frederick ask them, x̃ represents the real value that Alice and Frederick input into the devices, and we use a's for Alice's and Frederick's outputs. Furthermore, i in an upper index denotes the i-th run of the protocol that acts on the i-th quantum subsystem. The general attack performed in the qubit-by-qubit manner can be described by a probability measure on the data used in the verification protocol. Part of the data are generated by the Bank (inputs to the verification procedure), while the outputs a A and a F are generated by Alice and Frederick according to their choice of the conditional distribution. The total joint distribution of the inputs and outputs reads In what follows we will simplify it due to certain assumptions. We know, from the definition of the money generating protocol, that if Frederick wants to verify the same banknote as Alice, then the y's are the same for all branches, so we can omit the branch variables and write just y i 0 and y i 1 .
Furthermore, if the Bank's branches input the appropriate bits to the devices themselves, then we are sure that Observation 2. Our scheme remains secure if we allow Alice and Frederick to set the device inputs, under the assumption that they do it in an independent way in each run. Any run-independent cheating strategy of Alice or Frederick based on using inputs x̃ i A , x̃ i F different from the x i A , x i F provided by the Bank can be incorporated into the inner working of the untrusted devices, and we can also omit it.
Since we assume that the y's and x's generated by the Bank are fully random, we can rewrite the above formula as where U , here and in all measures defined later, stands for the uniform distribution over the appropriate variables. Now we can define the set describing successful forgery, meaning that both Alice and Frederick are accepted using the same banknote.
We also define sequences Now we can make the following observation that is an easy consequence of the security proof of [7]. For clarity, we change notation by substituting B and E by A and F , respectively.

Observation 3.
P AF (a 0 ) + P AF (a 1 ) ≤ M. (A8) Proof. From Eq. (12) of [7] and the comment that follows the equation we know that Using Eq. (13) of [7], we obtain P AF (a 0 ) + P AF (a 1 ) ≤ 1 2 The right side is equal to M , which completes the proof.
We will repeatedly use the concentration property, due to Hoeffding, of a distribution of n independently distributed random variables on [e i , f i ], of the form where X̄ = (1/n) Σ i X i . We will use the above fact for the case of random variables on the interval [0,1], which reads For a bitstring x of length n we will denote by |x| 0 the number of occurrences of symbol 0 in x (analogously |x| 1 will denote the number of 1s in x). Thus, where η ≥ 0. Due to the above concentration, the probability mass function is concentrated on the so-called η-typical sequences, defined as the values of x satisfying ||x| 0 /n − 1/2| ≤ η. In other words, for the set there is, where the probability is taken with respect to the uniform distribution U (x) of sequences x := (x i ) n i=1 over {0, 1} n . In particular, for two sequences x A and x F drawn independently at random from {0, 1} n , where by ⊕ we mean the bit-wise XOR operation on the bits of x A and x F . Indeed, for any fixed x A the distribution of x F ⊕ x A is uniform if such was that of x F . We can then use the typicality argument and average over p(x A ). At the expense of a small error one can deal only with such S that have η-typical inputs x A and x F . Such S will be called η-typical: The set of η-typical S will be denoted as T (η).
In what follows we will show that the probability of acceptance of a banknote twice, i.e. P (F ORGE), is equal to the probability accepting it twice in a different scenario (the XOR scenario). In the latter Alice gets x A while Frederick is given x A ⊕ x F . In spite of the fact that it will not be the case in real life, this transformation of the scenario (and the corresponding probability measure) will simplify our considerations.
The XOR scenario is obtained from the original one by the following map on the events S: We will refer to the transformed event as the one having x i ⊕ on the position where x F is in S: We define the set of all forged S in a way analogous to the definition of the set F ORGE: A new probability measure µ defined on the set of events S is defined as Observation 4. The map π: 1. is bijective and involutive, 2. satisfies S ∈ F ORGE ⇔ S ∈ F ORGE , 3. satisfies µ (S ) = µ(S).
Proof. The bijectivity follows directly from the fact that (x A , x F ) is bijectively mapped to (x A , x A ⊕ x F ). The first input is preserved, while the second one can be reconstructed uniquely by XORing the inputs. It is also easy to see that π is an involution, since ( We now show Property 2. Let S ∈ F ORGE. This happens if and only if The event S equals (y i Since the left conditions are identical, we only have to prove equality of the right conditions. By definition of the map π −1 , we obtain which proves the appropriate equality and implies that S ∈ F ORGE ⇔ S ∈ F ORGE . Finally, we argue that Property 3 also holds. Let us fix an arbitrary S. Hence, where π −1 above denotes that the equality follows from the properties of the inverse of the map π, which due to the involution property is equal to π.
Alice, as before, gets bit x i A , but Frederick obtains the XOR of bits x i A and x i F . Despite this, the "original" box, due to the "wirings", receives x i A and x i F . We have then an important corollary: we can focus now on the XOR scenario because the probability of forgery in the latter equals the probability of forgery in the former.
One can focus on the typical sequences S, i.e. those for which x ⊕ ∈ T Y P (η), at the expense of exponentially small inaccuracy in estimating the probability of forgery due to measure µ . Lemma 1.
Proof. With a little abuse of notation we will mean by (y 0 , y 1 , x A , a A , x ⊕ , a F ) the properly ordered sequence of tuples , where y 0 = (y 0 ) n i=1 , and by analogy the same for other symbols.
We will first show a sequence of (in)equalities: We have used the fact that the distribution of x ⊕ is the same (uniform) irrespective of the particular attack. This is because the distributions of x A and x F with respect to the measure µ are uniform and independent of the attack, as being prior to the attack, while x ⊕ has the distribution of x A ⊕ x F according to the definition of the measure µ . In the last inequality we have used the typicality argument from Eq. (B6).
Due to the time dependencies between the variables, The advantage of the measure µ is that we can easily divide the set of runs i according to the values of x i ⊕ . Technical as it sounds, it will simplify the argument. In the runs where x i ⊕ = 0, the best strategy achieves the quantum value P Q for both Alice and Frederick. However, for x i ⊕ = 1 Alice has to guess the opposite bit to the one which Frederick is asked to guess in the same run i. Hence, they are limited as shown in the original paper by Pawłowski and Brunner [7].
From now on, we will fix x ⊕ := (x i ⊕ ) n i=1 and prove a common bound on guessing for all of its typical values. We can then define a new conditional measure µ that depends on x ⊕ as We will now show that, on average, the forgers Alice and Frederick have the total number of correctly guessed bits of the y 0 , y 1 bit-strings bounded from above by a certain value. Let us first define the set of indexes and its complement D̄(x ⊕ ). It is important to notice that, for runs in the set D(x ⊕ ), Alice and Frederick will be asked about the same Bank's bit, and in the case of D̄(x ⊕ ) they will have to guess two different bits of the Bank. Then we can consider four types of random variables defined on Ω i , each depending on the value of x ⊕ . It is important to notice that these variables describe the probabilities of guessing the appropriate bits in the ith run, by Alice and Frederick respectively, and furthermore have a strong connection with the definition of F ORGE.
where the sample space is defined as while x i ⊕ (S i ) denotes taking a variable with a label x i ⊕ from the sequence S i . We will also define sums and the random variables built from X i and Y i , that is their sums: From Eq. (B20) we know that the measure µ is a product of measures what implies thatX A x⊕ ,X F x⊕ ,X x⊕ ,Ȳ A x⊕ ,Ȳ F x⊕ ,Ȳ x⊕ are described by Poisson distribution. The respective averages over measure µ read Although the above averages are defined on the whole range [n], they depend only on their respective subsets: We will prove now, that the above averages are bounded if the attack is done under assumption that the adversaries are quantum and they attack in a qubit-by qubit manner (see ASM 3-6 in Section III D).
Proof. We will separately prove that the first term of the LHS is bounded by the first term of the RHS, and later that the second terms bound each other, respectively. The best quantum strategy for a single person (say, Alice) in a single run of the experiment is upper bounded by P Q , while the other party is asked to guess the same bit as Alice was asked, so can copy her answer. We have Now, for each i ∈ D, there is: where we have used Eq. (7) of [7] (note the change of notation: our x, y i , a A correspond to y, a i , b there, respectively). Analogously, for i ∈ D, Summing the above inequalities over i ∈ D we obtain E X̄ x⊕ ≤ 2P Q |D(x ⊕ )|. More elaborate is relating the second terms of (B35). We begin analogously: For each i ∈ D̄(x ⊕ ), where in the penultimate inequality we have used the fact that Alice and Frederick can collaborate. This can only increase the average probability of guessing. In the last inequality we have rephrased the results of [7] as in Observation 3. Summing up over i ∈ D̄(x ⊕ ), we obtain i∈D(x⊕) as it was claimed.
We have shown above that the average number of guessed bits has an upper bound. We are going now to argue about the concentration properties of the random variables which are involved in the above process.
We assume here that x ⊕ is fixed, and results in the well defined sets D(x ⊕ ) and D̄(x ⊕ ). For brevity, we will sometimes omit x ⊕ from the notation of D. We will also define subsequences S 0 and S 1 of a particular realization of the strategy S , In the spirit of the above technical lemma, we will consider four random variables, each reporting the distance between the theoretical average value of the number of guessed inputs and the observed number of guessed inputs for the respective dishonest party on the respective set (D(x ⊕ ) or D̄(x ⊕ )), where the probability of the above measures is taken over the measure µ . Now, thanks to the union bound, we obtain: For any x ⊕ , there is The above rather technical results are summarized below in the upper bound on the total number of guesses. Namely, we will show that for a fixed x ⊕ , and an attack defining the measure µ = µ |x⊕ , the random variable of the total number of guesses, defined as a function of S (x ⊕ ) sampled from µ , is bounded from above with high probability, as it is close to the sum of averages that are bounded. Indeed, let us define the random variable of the total number of guesses, We additionally define two other useful variables, Z̄ Lemma 2. For any fixed x ⊕ ∈ T (η), where B := 2P Q (1/2 + η) n + M (1/2 + η) n + 2ηn.
Proof. From Corollary 2, omitting the modulus, we obtain a sequence of inequalities In the second inequality we have used Theorem 1. In the next one we have used the definition of Z̄ x⊕ , and then we have used the typicality of x ⊕ , which implies upper bounds on the sizes of the sets D(x ⊕ ) and D̄(x ⊕ ). This implies as we have claimed.
for some small η chosen in such a way that β η ≤ P Q .
Theorem 2 (Security of Semi-Device Independent Quantum Money). Let acceptance threshold θ be larger than β η n.
Then, under Assumptions A1-A7 (see Section III D), where k denotes the number of Bank's branches, the probability of a successful forgery P (F ORGE θ ) is exponentially small in the number of the banknote's qubits, and is bounded by Proof. Using Corollary 1, Lemma 1, and Observation 5 we obtain the following bound on P (F ORGE) Since there are many Bank's branches, collaborating Alice and Frederick can use a birthday attack in order to choose two branches that have the biggest common set D. For k branches we apply the union bound, obtaining another factor k 2 , which finalizes the proof.

FIG. 6. Logarithmic plot that shows how the inverse forgery probability depends on the number of qubits. The red line represents the bound for η = ηmax. The green one visualizes a more realistic scenario with η = 9ηmax/10, since we have to take into account imperfection of quantum devices. The blue line describes an even more realistic approach wherein we still demand that η = 9ηmax/10 but also allow the Bank to have up to 10 branches.
It is easy to calculate numerically that this bound becomes trivial when the number of qubits n is smaller than 463018. Furthermore, when we demand that the probability of forgery is smaller than some security parameter and we want to assume a more realistic scenario, the number of required qubits grows significantly. We present this growth for several exemplary cases in Figure 6. Although one cannot expect that such a large number of qubits will be available in quantum memories soon, let us emphasize that the bounds used in the proof of Theorem 2 are not tight, and there is some room for improvement. More importantly, we expect that using more complex random access codes, i.e. ones with more inputs and outputs, can lead to a significant decrease of the number of required qubits, as is discussed in Section V.
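As an added example (not code from the paper), the following Python simulation checks the mechanism behind the Section III sketch and Lemma 2 / Theorem 2: in the XOR scenario each run is an independent box, runs with x⊕ = 0 give both parties P_Q (Frederick copies Alice), runs with x⊕ = 1 are constrained by Observation 3 (p_A + p_F ≤ M), and any threshold θ > βn/2 with η inside the window β_η ≤ P_Q rejects the banknote at one of the two branches while an honest holder at rate P_Q passes. The page gives no numeric value for M, so M_PLACEHOLDER is a constructed value chosen only to respect the stated condition P_Q > M/2; P_Q, β(η) and the Hoeffding typicality term are taken from the page.

```python
"""Monte Carlo check of the qubit-by-qubit double-spending bound (added example)."""
import math
import random

P_Q = math.cos(math.pi / 8) ** 2   # ~0.8536, optimal single-party guessing probability
M_PLACEHOLDER = 1.5                # assumption: the page states only P_Q > M/2, no value


def beta(eta, m=M_PLACEHOLDER):
    """Bound on the average fraction of Bank bits guessed by Alice and Frederick
    together, enlarged by the fluctuation allowance eta (Eq. (9) of the page)."""
    return 2 * P_Q * (0.5 + eta) + m * (0.5 + eta) + 2 * eta


def eta_max(m=M_PLACEHOLDER):
    """Largest eta with beta/2 <= P_Q, i.e. the largest fluctuation allowance for
    which a threshold theta > beta*n/2 still admits an honest holder at rate P_Q.
    Solves 2*P_Q*(1/2+eta) + m*(1/2+eta) + 2*eta = 2*P_Q for eta."""
    return (P_Q - m / 2) / (2 * P_Q + m + 2)


def typicality_error(n, eta):
    """Hoeffding bound from the appendix: probability that n uniform bits
    x_xor are not eta-typical, i.e. | #zeros/n - 1/2 | > eta."""
    return 2 * math.exp(-2 * eta ** 2 * n)


def split_attack(n, share, rng, m=M_PLACEHOLDER):
    """One independent (qubit-by-qubit) attack on an n-qubit banknote presented
    at two branches. `share` in [0, 1] is the part of the D-bar budget M that the
    box gives Alice; Frederick gets the rest; each is capped at P_Q.
    Returns (alice_correct, frederick_correct)."""
    p_a = min(P_Q, share * m)
    p_f = min(P_Q, m - p_a)
    a_hits = f_hits = 0
    for _ in range(n):
        if rng.random() < 0.5:           # x_xor^i = 0 (set D): same Bank bit asked
            hit = rng.random() < P_Q
            a_hits += hit
            f_hits += hit                # Frederick copies Alice's answer
        else:                            # x_xor^i = 1 (set D-bar): different bits
            a_hits += rng.random() < p_a
            f_hits += rng.random() < p_f
    return a_hits, f_hits


def honest_holder(n, rng):
    """A single honest verification: each run succeeds with probability P_Q."""
    return sum(rng.random() < P_Q for _ in range(n))


def double_spend_succeeds(n, theta, share, rng, m=M_PLACEHOLDER):
    """The FORGE event: the same banknote accepted at both branches."""
    a, f = split_attack(n, share, rng, m)
    return a >= theta and f >= theta


def experiment(n=20000, eta=None, trials=10, seed=7, m=M_PLACEHOLDER):
    """Choose theta just above beta*n/2 and sweep the split of the D-bar budget.
    Returns (theta, honest_accepted, number_of_successful_forgeries)."""
    rng = random.Random(seed)
    if eta is None:
        eta = eta_max(m) / 2             # well inside the admissible window
    theta = math.floor(beta(eta, m) * n / 2) + 1
    honest_accepted = honest_holder(n, rng) >= theta
    forgeries = 0
    for t in range(trials):
        share = t / max(trials - 1, 1)   # Alice's share of the D-bar budget, 0..1
        forgeries += double_spend_succeeds(n, theta, share, rng, m)
    return theta, honest_accepted, forgeries


if __name__ == "__main__":
    print(f"P_Q = {P_Q:.4f}, eta_max (with placeholder M) = {eta_max():.4f}")
    theta, ok, forg = experiment()
    print(f"theta = {theta}, honest accepted: {ok}, forgeries: {forg}/10")
```

The large Monte Carlo margins already at n = 20000 are consistent with the remark that the bounds in Theorem 2 are not tight; the simulation checks the threshold mechanism, not the exponential bound itself.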