Single-Use Quantum Money Protocol
- Single-use quantum money is a scheme that uses unclonable quantum tokens which, upon measurement, convert to classical strings to guarantee one-time usability.
- The protocol employs classical verification and swap tests to ensure token authenticity, detect issuer tracking, and protect user privacy.
- Practical applications include secure currency transactions, anonymous one-time pads, and voting systems, all backed by rigorous quantum security principles.
Single-use quantum money denotes quantum tokens or bills that can be spent (or verified) once, with unforgeability and privacy underpinned by the quantum no-cloning theorem. The central feature of these schemes is that quantum states (often prepared by a bank or authority) are fundamentally unclonable, making counterfeiting infeasible. The scheme described by (Gavinsky et al., 7 Oct 2025) achieves single-use, classically-verifiable, user-auditable tokens with unconditional security and practical operational requirements. The issuing authority distributes quantum states that downconvert to classical strings at the point of use, ensuring both privacy and robustness against various attack modalities.
1. Quantum Money Construction and Downconversion
The protocol’s construction is predicated on the bank minting a series of identical pure quantum states, each derived from a secret key $S$. Explicitly, for a sufficiently large integer $\mathcal{N}$, the minting operation is
$\mathrm{Mint}(S) = \Bigl(|\phi(S)\rangle\Bigr)^{\otimes \mathcal{N}},$
where every user receives a quantum token represented by a copy of $|\phi(S)\rangle$. Upon receipt, the user immediately performs a projective measurement (typically in the computational basis), collapsing the quantum state to a classical outcome. This measurement yields a tuple $(I, R)$, where $I$ is an index (designating which substring of $S$ was measured) and $R$ is the observed classical string corresponding to the outcome. The process purposely “consumes” the quantum state, and only the classical string is retained for later use.
This “downconversion” step achieves two security objectives. First, it eliminates the need for long-term quantum memory on the user’s side, immediately turning the quantum resource into a classical string for subsequent transmission and verification. Second, it guarantees that the quantum bill is single-use: after measurement, the state cannot be used to produce another valid payment.
2. Classical Verification and Unforgeability
Classical verification is performed by submitting the tuple $(I, R)$ to a bank-controlled validator, which checks it against the secret string $S$ used during minting. The function
$\mathrm{Test}(S, H, (I, R)) = \begin{cases} \top, & \text{if } R = S|_{(I)} \text{ and } (I,R) \notin H, \\ \bot, & \text{otherwise} \end{cases}$
determines whether a token is valid and has not previously been spent; $H$ is the history of accepted pairs, kept to guarantee strict single use. If $R$ matches the designated substring of $S$ indexed by $I$, and the pair $(I, R)$ has not yet appeared in $H$, the token is accepted; otherwise it is rejected.
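The validator described above can be sketched as follows. This is an added example, not code from the paper or its authors; the class name `BankValidator`, the bit-per-byte encoding, and the reading of $S|_{(I)}$ as "the bits of $S$ at the positions listed in $I$" are assumptions made for illustration. It also shows two implementation details a deployed validator needs: a constant-time comparison and an atomic check-and-record on the history.

```python
import hmac
import threading

class BankValidator:
    """Classical verifier implementing Test(S, H, (I, R))."""

    def __init__(self, secret_bits):
        self._S = bytes(secret_bits)    # secret string S, one bit (0/1) per byte
        self._H = set()                 # history H of accepted (I, R) pairs
        self._lock = threading.Lock()   # makes check-and-record atomic

    def _restrict(self, I):
        # S|_(I): assumed to be the bits of S at the positions listed in I
        return bytes(self._S[i] for i in I)

    def test(self, I, R):
        I, R = tuple(I), bytes(R)
        if len(I) != len(R) or any(not 0 <= i < len(self._S) for i in I):
            return False                # malformed token
        # Constant-time compare: timing must not reveal how many bits matched
        if not hmac.compare_digest(self._restrict(I), R):
            return False                # R != S|_(I): forged or corrupted
        with self._lock:
            if (I, R) in self._H:
                return False            # already spent
            self._H.add((I, R))
            return True


def demo():
    S = [1, 0, 1, 1, 0, 0, 1, 0]        # constructed secret, far too short for real use
    bank = BankValidator(S)
    I, R = (1, 4, 6), [0, 0, 1]         # constructed measurement outcome
    return [
        bank.test(I, R),                # first spend
        bank.test(I, R),                # replay of the same pair
        bank.test(I, [0, 1, 1]),        # one wrong bit
        bank.test((1, 4, 9), R),        # index outside S
    ]

if __name__ == "__main__":
    print(demo())
```

Without the lock, two concurrent submissions of the same pair could both pass the history check before either is recorded, which would defeat the single-use guarantee at the implementation level.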
Unforgeability derives from the no-cloning theorem and the measurement process: attempting to duplicate the token, even with full access to the protocol, is prohibited by the quantum state’s inherent unclonability. Any adversary able to query the minting device and attempt to reconstruct valid tuples at scale runs into results from quantum query complexity, namely the exponential hardness of producing multiple correct classical outcomes. Thus, double-spending (reusing $(I, R)$) or counterfeiting (generating a new valid $(I, R)$) is provably infeasible.
3. Auditing and Privacy: Swap Testing for Anonymity
A major privacy concern in quantum money is the possibility of tracking: if the bank subtly deviates from minting identical quantum states (embedding a unique “mark” in each bill), the bank may later deanonymize users by correlating spent tokens with issuance. To counteract this, the protocol incorporates an auditing mechanism based on the quantum swap test.
Let , be two quantum tokens—the user’s and a “pattern” (potentially exchanged from another user). The swap test projects onto the symmetric/antisymmetric subspaces, outputting “0” (“identical”) with probability
If the states are perfectly identical, the probability is $1$; any deviation (due to marking or tracking by the bank) measurably increases the probability of output “1.” The protocol thus empowers users to detect, with arbitrarily high probability, whether their token is indistinguishable from honest tokens—enabling real-time public auditing for issuer misbehavior.
If an audit swap test fails, this is incontrovertible evidence that the bank produced “marked” tokens, violating user anonymity.
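The audit can be made concrete with a small state-vector simulation of the swap-test circuit (Hadamard on an ancilla, controlled-SWAP of the two tokens, Hadamard, measure the ancilla). This is an added example, not code from the paper; the single-qubit tokens, the rotation angle `THETA` used as the "mark", and the function names are illustrative assumptions. The simulation reproduces the textbook result that the test outputs "0" with probability $\tfrac12 + \tfrac12|\langle\psi|\phi\rangle|^2$, and shows how many repetitions (each on a fresh pair of copies) a user needs before a marked token is caught with a chosen confidence.

```python
import math

def swap_test_p0(psi, phi):
    """Simulate the swap-test circuit; return P(ancilla = 0), i.e. "identical"."""
    d = len(psi)
    # Joint state |0>|psi>|phi>, amplitudes keyed by (ancilla, i, j)
    amp = {(a, i, j): (psi[i] * phi[j] if a == 0 else 0j)
           for a in (0, 1) for i in range(d) for j in range(d)}

    def hadamard_on_ancilla(s):
        r = 1 / math.sqrt(2)
        return {(a, i, j): r * (s[(0, i, j)] + (1 - 2 * a) * s[(1, i, j)])
                for (a, i, j) in s}

    amp = hadamard_on_ancilla(amp)
    # Controlled-SWAP: exchange the two token registers when ancilla = 1
    amp = {(a, i, j): amp[(a, j, i)] if a == 1 else v
           for (a, i, j), v in amp.items()}
    amp = hadamard_on_ancilla(amp)
    return sum(abs(v) ** 2 for (a, _, _), v in amp.items() if a == 0)


def rounds_to_detect(psi, phi, confidence):
    """Swap tests (fresh pair each) until a '1' appears with prob >= confidence."""
    p0 = swap_test_p0(psi, phi)
    if p0 >= 1 - 1e-12:
        return None                     # identical tokens never output 1
    return math.ceil(math.log(1 - confidence) / math.log(p0))


# Constructed single-qubit tokens: an honest |+> and a copy "marked" by a
# small rotation THETA (both are illustrative assumptions).
THETA = 0.3
HONEST = [1 / math.sqrt(2), 1 / math.sqrt(2)]
MARKED = [math.cos(math.pi / 4 + THETA), math.sin(math.pi / 4 + THETA)]

if __name__ == "__main__":
    print(swap_test_p0(HONEST, HONEST))           # honest vs honest
    print(swap_test_p0(HONEST, MARKED))           # honest vs marked
    print(rounds_to_detect(HONEST, MARKED, 0.99))
```

A single test on a lightly marked token usually still reads "0", so the practical detection guarantee comes from the repetition count rather than from one run.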
4. Security Guarantees and Theoretical Foundations
Unconditional security of the protocol follows from two sources. First, the no-cloning theorem prevents copying of unknown quantum states; hence, a token cannot be multiplied for double-spending. Second, the security proof of the auditing procedure leverages quantum state distinguishability bounds and query-complexity lower bounds. If the bank attempts to introduce distinguishability between tokens, the swap test detects the deviation with a probability directly proportional to the trace distance between honest and marked tokens.
The security argument proceeds by chain inequalities for repeated swap tests and demonstrates that any attempt by the bank to embed trackable information in the token set is met with near-certain detection (for sufficiently chosen and swap test repetitions). Thus, the protocol is secure against both external adversaries and a malicious issuer.
5. Operational Requirements and Practicality
The scheme is engineered for practicality by ensuring that quantum resources are only required during the token distribution phase. A user needs neither to store quantum states nor to transmit them for verification. After the quantum state is “spent” (measured), only short classical strings (the tuple $(I, R)$) are retained and sent for validation. This sharp division, quantum during issuance and classical during use, minimizes the technological burden.
Crucially, no long-distance quantum communication is needed for verification, and repeated operation does not necessitate quantum repeaters or networks. Auditing (swap testing) is performed as a local quantum operation prior to measurement, which is technologically attainable with near-term devices.
6. Extensions: Anonymous One-Time Pads and Voting
Because the measurement outcome is, from the bank’s perspective, a random classical string unlinked to the user’s identity (assuming honest minting and auditing), the protocol naturally extends to cryptographic primitives beyond quantum money.
- Anonymous one-time pads: The string $R$ can be used as an unconditionally secure symmetric key for encrypting a message (e.g., ). Since the bank cannot associate $R$ to the user, the scheme produces both information-theoretic security and privacy.
- Voting: Each user obtains a single-use quantum token as a voting right. The single-use property enforces one vote per token. Anonymity—enforced by the swap test audit—guarantees untraceable, unforgeable ballots.
These extensions further illustrate the broad cryptographic applicability of the protocol.
7. Comparison with Other Single-Use Quantum Money Constructions
Unlike other single-use quantum money proposals that may require quantum memories, distributed trust, or complex quantum-classical handshake protocols, this scheme achieves single-use, classically-verifiable quantum tokens with both unconditional unforgeability and robust, user-auditable privacy (Gavinsky et al., 7 Oct 2025). The reliance on immediate measurement and local swap testing effectively quarantines quantum technology to the distribution phase, allowing practical deployment scenarios, and the security claims are substantiated with rigorous quantum information-theoretic arguments.
| Feature | This Protocol | Classical Tokens | Quantum-Memory Schemes |
|---|---|---|---|
| Unforgeability | Unconditional (no-cloning) | Conditional (cryptography-based) | Conditional/unconditional |
| Verification pathway | Classical | Classical | Quantum |
| User privacy (against issuer tracking) | Audit via swap test | No | Variable |
| Quantum memory needed | No | No | Yes |
| Applications | Money, OTP, Voting | Money, OTP, Voting | Money, Multi-use tokens |
This protocol thereby achieves single-use quantum money with classically scalable verification, unconditional security, and user-auditable privacy, setting a reference standard for next-generation quantum currency schemes.