Papers
Topics
Authors
Recent
Search
2000 character limit reached

Quantum Money: Protocols and Applications

Updated 6 July 2026
  • Quantum money is a cryptographic system using quantum states where the no-cloning theorem ensures unforgeability through various bill and coin models.
  • It employs diverse verification protocols—including private-key, public-key, and noise-tolerant schemes—to secure token authenticity against counterfeiting.
  • Recent research spans from quantum lightning and semi-quantum models to cloud-based systems, impacting secure payments and broader financial architectures.

Quantum money is a cryptographic primitive in which a bank issues quantum states that can later be verified as authentic but cannot be efficiently counterfeited. Its basic security intuition comes from the no-cloning theorem, yet modern schemes combine no-cloning with explicit minting and verification algorithms, soundness definitions, and—in many public-key proposals—computational assumptions. The subject now spans private-key and public-key verification, bill and coin models, noise-tolerant and experimentally realizable protocols, and several adjacent paradigms such as quantum lightning, semi-quantum money, and relativistic token systems [(Aaronson et al., 2012); (Behera et al., 2020); (Pastawski et al., 2011); (Zhandry, 2023)].

1. Core definitions and taxonomic axes

At the highest level, quantum money schemes are organized along two orthogonal dimensions. The first is private versus public verification. In private or secret-key schemes, only the bank can run the verification algorithm; this is the Wiesner paradigm. In public schemes, the bank publishes a classical or quantum verification key so that anyone can check authenticity. The second is bills versus coins. Bills carry a unique serial number or classical label, so each bill is in a different quantum state. Coins are exact copies of the same quantum state, so no two coins can be distinguished, which gives better privacy properties (Behera et al., 2020).

A related strengthened notion is quantum lightning. In a quantum money mini-scheme, the adversary is forbidden from producing two valid banknotes with the same serial number starting from one valid banknote. Quantum lightning strengthens this by requiring that no one, not even the honest generation algorithm, can produce two valid banknotes with the same serial (Zhandry, 2023).

Form Verification Distinguishing feature
Private bills Only the bank verifies Unique serial number; different state per bill
Public bills Anyone verifies using a published key or oracle Unlimited public verification, but bills can be tracked
Private coins Only the bank verifies All coins are exact copies
Almost-public coins Users verify by comparison to coins they already possess No serial number; comparison-based verification

This taxonomy is not merely terminological. It determines what kinds of privacy are achievable, what classical infrastructure is needed, and whether verification can be local, bank-mediated, or comparison-based. A common misconception is that “public quantum money” is a single settled notion. In the literature it ranges from black-box public verifiers, to almost-public comparison tests, to franchised schemes with per-user secret verification keys, to hybrid systems where verification is classical but destructive (Behera et al., 2020, Roberts et al., 2021, Radian et al., 2019).

2. Foundational constructions and the security model

Wiesner’s original scheme remains the conceptual starting point. For a serial number ss, the bank stores a secret key k(s){0,1,+,}nk^{(s)} \in \{0,1,+,-\}^n, and the banknote state is

$| \$_s \rangle = |k_1^{(s)}\rangle \otimes |k_2^{(s)}\rangle \otimes \cdots \otimes |k_n^{(s)}\rangle.</p><p>Verificationisstrict:thebankmeasureseachqubitinthebasisspecifiedbythesecretdescriptionandreturnsthenoteifallqubitspass(<ahref="/papers/1404.1507"title=""rel="nofollow"dataturbo="false"class="assistantlink"xdataxtooltip.raw="">Brodutchetal.,2014</a>).</p><p>Thefirstpublickeyschemewithablackboxsecurityproofwasthehiddensubspaceconstruction.Itworksover</p> <p>Verification is strict: the bank measures each qubit in the basis specified by the secret description and returns the note if all qubits pass (<a href="/papers/1404.1507" title="" rel="nofollow" data-turbo="false" class="assistant-link" x-data x-tooltip.raw="">Brodutch et al., 2014</a>).</p> <p>The first public-key scheme with a black-box security proof was the hidden-subspace construction. It works over \mathbb{F}_2^n,choosingahiddensubspace, choosing a hidden subspace Sandmintingthebanknote</p><p> and minting the banknote</p> <p>|S\rangle = 2^{-k/2}\sum_{x\in S}|x\rangle,</p><p>with</p> <p>with H^{\otimes n}|S\rangle = |S^\perp\rangle.The<ahref="https://www.emergentmind.com/topics/verifier"title=""rel="nofollow"dataturbo="false"class="assistantlink"xdataxtooltip.raw="">verifier</a>performsonlytwocomplementarytests,oneinthestandardbasisandoneintheHadamardbasis.Intheblackboxversion,forging. The <a href="https://www.emergentmind.com/topics/verifier" title="" rel="nofollow" data-turbo="false" class="assistant-link" x-data x-tooltip.raw="">verifier</a> performs only two complementary tests, one in the standard basis and one in the Hadamard basis. In the black-box version, forging r>qbanknotesfrom banknotes from qgenuineoneswithnonnegligibleprobabilityrequires genuine ones with nonnegligible probability requires T=\Omega(2^{n/4})$ oracle calls (Aaronson et al., 2012).

The hidden-subspace work also supplied a private-key repair of a major flaw in Wiesner’s original model. This mattered because no-cloning by itself does not prevent all attacks once a verifier becomes an adaptive oracle. Nagaj et al. showed efficient adaptive attacks on Wiesner’s scheme when valid money is accepted and passed on while invalid money is destroyed. One attack is based on Elitzur–Vaidman bomb testing and another on protective measurements; together they allow polynomial-query recovery of the underlying state. The proposed countermeasures include note refresh, one-time use, and avoiding reuse of the same post-verification state (Brodutch et al., 2014).

This episode established a central point of the field: unforgeability is a property of the whole protocol, not just the state ensemble. Verification leakage, post-measurement state return, and adaptive access are all first-class security variables [(Aaronson et al., 2012); (Brodutch et al., 2014)].

3. Noise tolerance, classical verification, and experimental realizations

Practical quantum money must tolerate noise, loss, and imperfect devices. Pastawski et al. introduced qtickets and cv-qtickets, showing that security can be stated through explicit fidelity thresholds. For qtickets, forging probability is exponentially suppressed provided k(s){0,1,+,}nk^{(s)} \in \{0,1,+,-\}^n0; for cv-qtickets, the threshold is

k(s){0,1,+,}nk^{(s)} \in \{0,1,+,-\}^n1

Honest-holder success and dishonest-holder forging probabilities are bounded by Chernoff-type and relative-entropy expressions that depend only on average experimental fidelity (Pastawski et al., 2011).

A more implementation-oriented private scheme is based on Sampling Matching. In this model a banknote consists of k(s){0,1,+,}nk^{(s)} \in \{0,1,+,-\}^n2 independently chosen k(s){0,1,+,}nk^{(s)} \in \{0,1,+,-\}^n3-bit strings encoded either as single-photon superpositions over k(s){0,1,+,}nk^{(s)} \in \{0,1,+,-\}^n4 modes or as weak coherent-state blocks. Verification uses a single round of classical interaction between local verifier and bank; the verifier’s quantum hardware is fixed, uses only passive linear optical components, and in the coherent-state version requires a single k(s){0,1,+,}nk^{(s)} \in \{0,1,+,-\}^n5 beam splitter and two single-photon threshold detectors. The scheme achieves re-usability growing linearly with note size and unconditional security against any adversary trying to forge the banknote while tolerating noise of up to k(s){0,1,+,}nk^{(s)} \in \{0,1,+,-\}^n6; as k(s){0,1,+,}nk^{(s)} \in \{0,1,+,-\}^n7, the bound tends to the conjectured optimal k(s){0,1,+,}nk^{(s)} \in \{0,1,+,-\}^n8 (Kumar, 2019).

Two 2017 experiments demonstrated that these ideas are not purely formal. One implementation used polarization encoding of weak coherent states and classical verification. In the single-photon model the security condition is k(s){0,1,+,}nk^{(s)} \in \{0,1,+,-\}^n9, while the measured correctness parameter was $| \$_s \rangle = |k_1^{(s)}\rangle \otimes |k_2^{(s)}\rangle \otimes \cdots \otimes |k_n^{(s)}\rangle.$0. For cards of size $| \$_s \rangle = |k_1^{(s)}\rangle \otimes |k_2^{(s)}\rangle \otimes \cdots \otimes |k_n^{(s)}\rangle.$1 pairs, the honest-user acceptance probability exceeded $| \$_s \rangle = |k_1^{(s)}\rangle \otimes |k_2^{(s)}\rangle \otimes \cdots \otimes |k_n^{(s)}\rangle.$2 and the forging probability was driven below $| \$_s \rangle = |k_1^{(s)}\rangle \otimes |k_2^{(s)}\rangle \otimes \cdots \otimes |k_n^{(s)}\rangle.$3 (1705.01428). A second experiment prepared banknotes as coherent-state four-pulse blocks, measured a total of $| \$_s \rangle = |k_1^{(s)}\rangle \otimes |k_2^{(s)}\rangle \otimes \cdots \otimes |k_n^{(s)}\rangle.$4 states in one verification round, and limited the forging probability to $| \$_s \rangle = |k_1^{(s)}\rangle \otimes |k_2^{(s)}\rangle \otimes \cdots \otimes |k_n^{(s)}\rangle.$5. At a 10 MHz source rate, verifying $| \$_s \rangle = |k_1^{(s)}\rangle \otimes |k_2^{(s)}\rangle \otimes \cdots \otimes |k_n^{(s)}\rangle.$6 states took $| \$_s \rangle = |k_1^{(s)}\rangle \otimes |k_2^{(s)}\rangle \otimes \cdots \otimes |k_n^{(s)}\rangle.$7 ms (Guan et al., 2017).

These results do not remove the quantum-memory bottleneck for general deployment, but they show that preparation, transmission, and verification of quantum banknotes can already be studied with realistic imperfections rather than idealized qubits (1705.01428, Guan et al., 2017).

4. Public verification, public coins, and intermediate trust models

A longstanding difficulty is to obtain public-key quantum money from standard assumptions. One response has been to weaken “public” in carefully controlled ways. The almost-public quantum coin construction starts from any private quantum coin scheme and lifts it to a comparison-based public verification method. A public coin is

$| \$_s \rangle = |k_1^{(s)}\rangle \otimes |k_2^{(s)}\rangle \otimes \cdots \otimes |k_n^{(s)}\rangle.$8

with $| \$_s \rangle = |k_1^{(s)}\rangle \otimes |k_2^{(s)}\rangle \otimes \cdots \otimes |k_n^{(s)}\rangle.$9, and a receiver verifies a new coin by combining it with a coin already in a wallet and measuring the projector onto the symmetric subspace,

$\mathbb{F}_2^n$0

No public quantum coin scheme was known before this work, and the construction is provably secure based on standard assumptions through pseudorandom-state families derived from quantum-secure one-way functions (Behera et al., 2020).

A different intermediate model is franchised quantum money. Here anyone can verify banknotes locally, but every user receives a unique secret verification key. The model adds sabotage resistance to ordinary unforgeability: a malicious user should not be able to create a state that passes for one honest verifier and fails for another after the first verification. A construction based on one-way functions uses subspace states

$\mathbb{F}_2^n$1

together with signatures and encryption, and it remains secure against counterfeiting and sabotage under one-way functions (Roberts et al., 2021).

The notion of semi-quantum money goes further by asking for a classical bank and classical verification communication. In this model minting and verification both use only classical messages between the bank and the user, even though the user holds a quantum token. The public memory-dependent construction uses quantum lightning with bolt-to-certificate; the private memoryless construction uses Noisy Trapdoor Claw-Free Functions, and a perfect parallel repetition theorem for NTCF-based 1-of-2 puzzles is a main technical ingredient (Radian et al., 2019).

More recent work shifts the quantum burden almost entirely away from end users. In cloud-based semi-quantum money, the bank and users are purely classical, and all quantum work is outsourced to a semi-honest quantum cloud via quantum fully homomorphic encryption and indistinguishability obfuscation (Zhang et al., 2024). In the quantum vault model, quantum storage and processing are delegated to an intermediary vault or MSB, while wallets remain classical and interact with vaults and banks through classical links (Broadbent et al., 2024). This suggests a broad design space in which quantum money is preserved as the underlying no-cloning asset, while minting, custody, and verification are redistributed across classical infrastructure.

5. Public-key candidates, oracle constructions, and cryptanalysis

Several public-key or public-verification candidates pursue very different mathematical back ends. Farhi et al. proposed quantum money from knots, where a banknote is a superposition of planar grid diagrams encoding oriented links with the same Alexander polynomial. Public verification combines recomputation of the Alexander polynomial with a quantum Markov-chain test based on grid moves, and the scheme was presented as secure against computationally bounded adversaries (Farhi et al., 2010).

Oracle-based subspace ideas remain central. A recent extension gives noise-tolerant public-key quantum money from a classical oracle. In this construction, a valid banknote is a subspace state possibly affected by noise, and verification projects onto the span

F2n\mathbb{F}_2^n2

by checking classical membership in larger spaces derived from the underlying code. Minting is realized by preparing conjugate-coding states and applying a unitary that permutes the standard basis vectors (Yuen, 2024).

Two post-2022 proposals move toward more conventional post-quantum hardness assumptions. One is publicly verifiable quantum money from random lattices, based on Gaussian superpositions over random lattices, with a verification-of-authenticity procedure based on the lattice discrete Fourier transform and an unforgeability proof under the hardness of the short vector problem (Khesin et al., 2022). Another is quantum money from abelian group actions, which gives public-key quantum money and quantum lightning from regular, efficiently recognizable abelian group actions, potentially instantiated from suitable isogenies over elliptic curves. The valid banknote for serial F2n\mathbb{F}_2^n3 has the form

F2n\mathbb{F}_2^n4

and security is proved in the generic group model under an interactive “2×” assumption (Zhandry, 2023).

Concrete isogeny-based candidates have also attracted cryptanalysis. For the Montgomery–Sharif scheme based on class group actions on elliptic curves, Kim, Heo, and Hong gave a division-polynomial attack using rational points and quadratic twists. The attack provides an asymptotic speedup of roughly F2n\mathbb{F}_2^n5 over brute force, and it also yields a more efficient verification procedure, but the overall cost remains exponential in F2n\mathbb{F}_2^n6; at F2n\mathbb{F}_2^n7, forging remains entirely out of reach (Kim et al., 1 Aug 2025).

The technical picture is therefore mixed. Public verification is well populated by oracle models and candidates, but security arguments vary sharply between black-box lower bounds, generic-model reductions, and concrete but still assumption-heavy proposals [(Aaronson et al., 2012); (Zhandry, 2023); (Khesin et al., 2022)].

6. Distributed issuance, payment systems, and broader financial architectures

Quantum money has also been studied as a systems primitive rather than only a banknote primitive. Quantum patchwork money addresses the case of multiple untrustworthy banks. Each bank F2n\mathbb{F}_2^n8 generates a public-key shard F2n\mathbb{F}_2^n9, and a combiner bank forms the patchwork note

SS0

If each shard scheme has completeness error SS1, then the combined scheme has completeness error SS2, with soundness and copy-resistance inherited from the shards. The reissue protocol is intended both to repair damage and to expose unauthorized duplicates (Sano, 2022).

Another systems line combines quantum money with classical ledgers. A hybrid payment system built from a classical blockchain with stateful smart contracts and quantum lightning uses quantum states as banknotes while the ledger tracks valid serial numbers and dispute resolution. The scheme is decentralized, payments are as quick as quantum communication regardless of the total number of users, and a rightful owner can recover lost value by redeeming a bolt-to-certificate on-chain (Coladangelo et al., 2020).

Broader financial interpretations have been proposed as well. A 2025 perspective describes quantum money as “symbolic value encoded in a quantum state,” studies teleportation-based transfer over terrestrial and satellite quantum networks, and argues that if only a central bank can prepare genuine money states SS3, then no-cloning constrains money creation by enforcing SS4, where SS5 is the total physically pre-minted quantum money (Czerwinski, 14 Jul 2025). This suggests a possible connection between cryptographic unforgeability and monetary control, although such macro-financial implications remain architectural rather than protocol-level facts.

Finally, not all high-security token systems that inherit the rhetoric of quantum money require long-lived quantum banknotes. Quantum S-money tokens eliminate the need for quantum memories and long-distance quantum communication while preserving unforgeability, user privacy, and instant validation under relativistic constraints. In a 2024 field experiment, the measured quantum transaction time was about SS6 over an intra-city SS7 km fiber link, yielding a SS8 advantage over classical cross-checking; over an inter-city SS9 km fiber link, the measured quantum transaction time was about S=2k/2xSx,|S\rangle = 2^{-k/2}\sum_{x\in S}|x\rangle,0, yielding a S=2k/2xSx,|S\rangle = 2^{-k/2}\sum_{x\in S}|x\rangle,1 comparative advantage over ideal free-space classical cross-checking (Jiang et al., 2024).

Across these directions, one conclusion is stable: the no-cloning theorem is the primitive resource, but the engineering and trust model are not fixed. Quantum money can appear as a bank-held note, a locally verifiable public state, a comparison-based coin, a franchised credential, a semi-quantum protocol with a classical bank, a cloud-served token, or a networked asset backed by smart contracts. The persistent open problem is not whether quantum states can encode unforgeable value, but how to do so with public verifiability, standard assumptions, realistic noise tolerance, and deployable infrastructure at the same time (Roberts et al., 2021, Behera et al., 2020, Zhang et al., 2024).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Quantum Money.