QUANTUM TOKENS

FIELD OF THE INVENTION

The present invention relates to secure authentication. More particularly, the invention provides an authentication token that cannot be forged, and can be transmitted by electromagnetic waves and/or other standard means of communication, as well as a method for issuing and validating the token.

BACKGROUND TO THE INVENTION AND PRIOR ART

The redemption of tokens of various descriptions in exchange for goods and services, access to resources and other capabilities is a commonplace part of life today. For example, money and other forms of credit may be exchanged for physical or virtual goods; passwords may be used to gain access to certain networks or data. However, in a world in which a token-issuing party does not or cannot have implicit trust in the party receiving the token for future validation, there can be an underlying desire to ensure that the token cannot be exploited unfairly. For instance, the token issuer may require assurance that the token cannot be copied and used many times, thereby giving access to more resources than it is intended to allow. That imperative (and indeed the motivation to the token recipient to forge the token) can and often does scale with the inherent value of the resource in question.

Accordingly, the provision of a secure authentication token is a known problem in the field of cryptography.

Various classical token-issuing schemes exist. Everyday currency is the most immediate example. However, as is known, no standard banknote is impossible to copy: forgery is a real world problem. Further, where a transaction is characterised by an overriding urgency or otherwise short timescales, classical, tangible banknotes and coins are of limited use insofar as the speed with which they can be transferred from one place to the next is fundamentally restricted. This property makes material money an asset of limited value in many situations, such as modern financial trading networks.

Turning then to virtual tokens, one solution commonly adopted is to issue a password at a first point, P, in space and time (for example, in return for payment) that can be used by the recipient as an authentication token at any one of a finite number of future points Q_{i} (i = 1, 2, ..., n) in space-time. However, an immediate drawback of such an approach is that there can be no a priori prohibition on the receiving party redeeming the token at a plurality of those future points: once the password is known, it simply needs to be recalled and repeated in order to gain access to multiple resources consecutively or even simultaneously. Because of this risk, the token issuing party may feel obliged to check, when the password is returned at a given point Q_{k} by the recipient in exchange for access to the relevant resource, that the same password has not been used at any point either in the causal past of or space-like separated from Q_{k}. This can be cumbersome and can incur unacceptable delay, particularly if any of the points Q_{i} are space-like separated from one another.

In some instances, the issuing party may determine a unique password (password_{i}) for use at each of the Q_{i}, ask, at point P, the receiving party at which future point they intend to use the password; and issue the relevant password accordingly. However, this approach may be appropriate only in a limited number of circumstances. For example, the receiving party may not know at which of the Q_{i} they will want to redeem the token being issued at point P. Furthermore, even if he does know, he may wish to keep this information private: for instance, if the token is to be used to place a stock trade at some point Q_{k} on a global financial network, the trader may not wish to give the market advance warning of the time or place of his intended trade.

Since the introduction of Wiesner's 'quantum money' in 1983 (see Wiesner, S. Conjugate coding. Sigact News 15, 78-88 (1983)), attempts have been made to exploit the properties of quantum mechanical systems to provide an unforgeable authentication token. In the simplest version of the quantum money approach, the token takes the form of a stored quantum state, the classical description of which is not known to the recipient. Since the laws of quantum mechanics dictate that such a state cannot be copied without destroying the original, these solutions are unconditionally secure. The term 'unconditional security' is used herein to refer to security that can be proven by relying only on established laws of physics, provided the protocol is followed faithfully. That is, such security proofs do not rely on the assumed practical intractability of a computational problem that can, in principle, be solved.

Furthermore, since quantum states can be encoded in photons of light or other electromagnetic radiation, with sufficiently good technology quantum money tokens can be sent at light speed: they do not suffer the drawback mentioned above of classical, physical tokens such as banknotes. Moreover, known techniques such as quantum teleportation and quantum secret sharing allow quantum states to be transmitted in a way that allows more flexibility in response to incoming data than would be possible by sending a token along a single, defined path at speeds up to and including light speed. Some examples of the advantages to be gained by exploiting these techniques are discussed in Kent, A. Quantum tasks in Minkowski space. Classical and Quantum Gravity 29, 224013 (2012); and in Hayden, P. et al., preprint 1210.0913 [quant-ph] (2012).

Many quantum money solutions have the further advantage of providing both perfect 'future privacy' and perfect 'past privacy', innate to many classical approaches. By future privacy here is meant that the party issuing the token at point P cannot know when or where it will be presented for redemption until the very moment that it is so presented. Thus, the recipient need not disclose details of his future movements in exchange for the token.

Similarly, past privacy refers to the ability of the recipient to redeem the token at point Q_{k} without unavoidably revealing information about his or the token's whereabouts between P and Q_{k}: so long as they are stored and transmitted securely, quantum tokens carry no record of their past locations. Future privacy and past privacy can be desirable or even imperative not only for individuals but also, for example, in the context of financial trading, where a record of past locations of the token implies a record of past locations where a trade could have been made. Such a record can encode valuable, exploitable information about trading strategies.

However, as is known to those of skill in the field, quantum money solutions are not, to date, technically feasible: at present, the art lacks adequate technology for storing and reliably transmitting, at light speed, general quantum states. Progress towards a truly operational realisation of a quantum authentication token is likely to be slow, and it is probable that the technology, even when available, will at least initially be cumbersome and/or prohibitively expensive. Indeed, it is not implausible that the communication of classical data will always be significantly easier than the transmission of information encoded in quantum states.

We have appreciated that it would be advantageous to provide an unconditionally secure authentication scheme that does not rely on lengthy storage or transmission of quantum states.

SUMMARY OF THE INVENTION

The invention is defined in the independent claims, to which reference is now directed. Preferred features are set out in the dependent claims.

In its broadest aspect, the invention provides a scheme that uses quantum information to obtain some of the important advantages of quantum money just outlined, in a way that is technologically feasible today. In particular, the token itself in the present schemes is classical, so that the invention does not rely on the presently problematic long-term storage or transportation of quantum states. In spite of this, embodiments of the invention provide a token that cannot be copied, and which is limited in transmission speed only by the light signalling bound. According to the invention, the future privacy of the token recipient may be respected; and certain embodiments within the scope of the invention may also guarantee past privacy.

According to one aspect of the invention, there is provided a method comprising the steps of receiving, at a first space-time point, a plurality of random quantum states, each of the quantum states chosen from a set of non-orthogonal quantum states, and applying a predetermined measurement to the quantum states to obtain a token comprising a sequence of classical measurement outcomes. The method further includes the step of presenting, at a second space-time point in the causal future of the first space-time point, the token in return for access to a resource.

According to another aspect of the invention, there is provided a method comprising the steps of generating, at a first space-time point, a plurality of random quantum states, each of the quantum states chosen from a set of non-orthogonal quantum states, and receiving, at a second space-time point in the causal future of the first space-time point, a token comprising a sequence of classical measurement outcomes. The method further includes the step of verifying whether the token corresponds to a statistically plausible result for a pre-determined measurement of the quantum states.

References herein to events or to the performance of method steps 'at' a space-time point are intended to comprise occurrences within an agreed, small (four-dimensional) region around the relevant point. For example, as the skilled person will appreciate, the exchange of information generally requires classical and/or quantum data to be sent through agreed channels between two nearby secure sites controlled respectively by either of the parties to the exchange.

Furthermore, the term 'random' is intended throughout to mean perfect or near-perfect randomness. In preferred embodiments of the invention, the states are generated perfectly at random with a view to excluding any possibility that the scheme may successfully be cheated. However, those of skill in the field will appreciate that some deviations from perfect randomness can be tolerated, provided that the bounds on that deviation are known: in particular, slight deviations from perfect randomness do not, materially, compromise security, and are intended to fall within the scope of the claimed invention.

Preferably, the quantum states represent quantum bits, qubits. In some embodiments, each of the plurality of qubits may be encoded in a photon of electromagnetic energy or, alternatively, in a weak light pulse with low expected photon number. The invention in these embodiments may advantageously be simple to implement.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the invention will now be described, by way of illustrative and enabling example only, with reference to the accompanying drawings, in which:

figure 1 is a schematic diagram of two-dimensional space-time, illustrating an exemplary situation in which the present invention finds application;

figure 2 is a flow chart illustrating a method of generating an authentication token in accordance with one aspect of the invention; and

figure 3 is a flow chart illustrating a second method of generating an authentication token in accordance with one aspect of the invention.

DETAILED DESCRIPTION

As outlined above, the light-speed signalling bound is one important motivation for the invention. In view of this, the present schemes will be described in a relativistic context, in which some or all of the space-time points of interest may be space-like separated from one another. This is not essential, however, and the more general application of the invention to non-relativistic settings will be apparent to those of skill in the art.

Figure 1 is a schematic diagram of a simplified, two-dimensional space-time, illustrating an exemplary situation in which the present invention finds application.

A first party (A) wishes to receive from a second party (B) at a point P = (x_{0}, t_{0}) in space and time a token that she can return to him, in exchange for an asset, at some point Q_{k} in the future of P. The token may be a voucher, password or other encoding of information of any of the sorts discussed above for allowing access to a particular resource. For example, in some embodiments of the invention the token acts as physical money, exchangeable for goods and/or services. In other embodiments, the token is a password for gaining access to a given network, which may be presented in digital form; in yet further embodiments, it represents virtual credit for use, for instance, in trading on a financial network. It is stressed that these applications are listed by way of example only.

As mentioned above and as will be discussed further below, in the present schemes the token received by A at P is to be valid for use only at a single space-time point, Q_{k}, in the causal future of P. (The dashed lines in figure 1 denote the light cone originating at P.) In the present scenario, A may choose to redeem the token at any one point Q_{k} that is within a finite set of discrete space-time points {Q_{i} = (x_{i}, t_{i})}, where i = 1, 2, ..., n for some n < ∞, n ∈ ℕ. In some embodiments, n may be on the order of 10^{3}, though depending upon the application of interest it may alternatively be many orders of magnitude larger or as small as 2.

Importantly, in view of the motivations discussed above embodiments of the present invention make no reliance on any level of trust between the parties A and B. It is assumed that A may try to cheat B by, for example, presenting the token more than once, or by attempting to forge the token. Similarly, as will be discussed below it is assumed that A requires future privacy; that is, she does not wish to reveal to B her chosen point Q_{k} until that event itself is actually realised. (The consideration of past privacy is excluded in this particular embodiment.)

The following discussion assumes that the token issuer B is more generally an 'agency', with a network of agents distributed across the points Q_{i} at which the token may be redeemed (as well as at point P) and each equipped with appropriate quantum sending/receiving devices and measurement apparatus.

In some embodiments, the token user A may also be a similar agency with a similar network of agents. For instance, A and B could both be financial institutions participating in a global financial network, with trading systems controlled by human agents and/or computers at many locations around the world.

Alternatively, A may be represented by a private individual (or a small set of individuals) who may only visit some of the points Q_{i} and who wishes to keep her (or wish to keep their) movements, and in particular the token's location, private as far as possible. She may, for example, be equipped with a small device capable of receiving and measuring quantum states sent over short distances. Those states may originate from devices, which may resemble automatic teller machines, designed to generate and transmit quantum states securely and to receive classical data in a way that allows them to implement protocols for quantum key distribution and related cryptographic tasks. Such machines may be located around the world and controlled by a bank or consortium of banks or some other agency.

In any event, the invention supposes that B's agents operate with complete trust in one another and are able to share secret information securely between themselves. Thus, all of B's agents are aware of all quantum data that may potentially have been used to generate the data presented to them. In other words, the classical description of the string of random qubits sent by B to A at P is known to all of B's agents. These data may be either secretly pre-agreed, or sent secretly at light speed or at the fastest speed practical for the given network either before or after generation of the token, but sufficiently quickly so as to be available at any of the allowed space-time points at which the token might be redeemed.

Similarly, A's agents are assumed to operate with complete mutual trust and may also be able to share secret information securely among themselves at or near light speed. If light-speed or near-light-speed transmission is not feasible, then the scheme is still useful but the mobility of A's token is restricted. The schemes discussed below give A security based on the assumption that any sharing of information between her agents is done securely, and using separate communications channels to those used by B and his agents.

In communicating with their respective agents, both A and B could use any standard cryptographically secure communications scheme and any standard communications system. Some embodiments may make use of one-time pads to encrypt and decrypt the communications in accordance with Vernam G.S. Cipher printing telegraph systems for secret wire and radio telegraphic communications. Journal American Institute of Electrical Engineers XLV, 109-115 (1926) so as to ensure theoretically perfect security. These pads could be generated ahead of time and/or during the protocol, for example by using standard quantum key distribution schemes implemented by commercially available quantum cryptography apparatus. As the skilled reader will appreciate, many quantum key distribution schemes exist and are known. A recent review is given, for example, in Lo, H-K. et al. Secure quantum key distribution. Nature photonics 8, 595-604 (2014).

Furthermore, the present discussion assumes that both parties, together with any agents, have access to standard classical computing devices for carrying out the appropriate calculations and storing the resulting data.

Figure 2 is a flowchart illustrating a method 20 of generating an authentication token for use at a single future space-time point in accordance with a first embodiment of the invention. In a first step 22, party B generates a sequence of N quantum states, chosen independently at random. For good security, N is preferably on the order of 10^{3} or larger. In this embodiment, the states are ideally qubits realised as polarisation states of single photons or, realistically, weak light pulses with average photon number below one. The generation and transmission of photonic qubits is a well-known technique, details of which can be found, for example, in Lo, H-K. et al. Secure quantum key distribution. Nature photonics 8, 595 (2014) (and the references cited therein) and in Lunghi, T. et al. Experimental bit commitment based on quantum communication and special relativity. Phys. Rev. Lett. 111, 180504 (2013). In other embodiments, alternative two-level quantum mechanical systems such as electrons may be used instead to encode bits of quantum information in a suitable known manner. Furthermore, though qubit implementations are presently preferred for reasons of simplicity both of exposition and of implementation, the skilled reader will appreciate that the invention is not limited to the use of two-level quantum states, and still further embodiments may implement the present methods using d-level systems such as trapped ions to encode so-called qudit quantum states.

According to the present embodiment, each of the quantum states generated by party B is a pure state chosen from one of two possible bases: the computational basis, made up of the states |0⟩ and |1⟩, where |0⟩ represents a photon polarised in the vertical direction and |1⟩ a photon polarised in the horizontal direction; and the Hadamard basis, comprising the states |±⟩ := (1/√2)(|0⟩ ± |1⟩). This set of four states (referred to herein as the 'BB84 states') is given by way of example only, and in other embodiments the states generated by B may be chosen instead from any number of (complete or incomplete) bases. A necessary condition is that the possible states are not mutually orthogonal. In preferred embodiments, the states are quite far from mutually orthogonal, such as the BB84 states; the six states of the protocol described in Bruß, D. Optimal eavesdropping in quantum cryptography with six states. Phys. Rev. Lett. 81, 3018 (1998); or the infinite number of states described in US 7,983,422. Reference is also made to Bennett, C. Quantum cryptography using any two non-orthogonal states. Phys. Rev. Lett. 68, 3121 (1992).

Furthermore, it is not essential for the states sent by B to A to be pure states such as those just listed. Indeed, experimental noise will in practice ensure that the states are not perfectly pure. As those of skill in the art will be aware, the identification of acceptable levels of noise and errors is routine.

Thus, the composite state generated by party B at point P may be, for example,

|ψ⟩ = |0⟩_{1} |+⟩_{2} |−⟩_{3} ... |0⟩_{i} ... |1⟩_{N},

where the tensor products between the individual photon states, omitted for simplicity of notation, are implied. Again, the present embodiment assumes a product state |ψ⟩ for simplicity of discussion and of implementation. However, the generation by B of N-partite entangled states for transmission to A is not excluded provided, as above, that it is chosen from a suitably large list of states (for example, 2^{N} or more states) that are not close to pairwise orthogonal.

Once generated, party B passes or sends the state |ψ⟩ to party A, at step 24. In this example, since the individual qubit states are encoded as individual photons they may be sent through optical fibre or free space using standard, commercially available quantum key distribution sending and receiving apparatus. For example, the adaptation of the setup described in Lunghi, T. et al. Experimental bit commitment based on quantum communication and special relativity. Phys. Rev. Lett. 111, 180504 (2013) to the present schemes is straightforward. To give a concrete example, B may send to A a string of states in an agreed time sequence that constitutes a short transmission burst (such as 1000 states every microsecond within an agreed millisecond, for example).

In this embodiment, the short-distance communication at step 24 is the only point of the scheme at which transportation of quantum information is required. The skilled reader will appreciate that, although some errors may be incurred at this step, errors up to a threshold value can be allowed for by taking the number N of states to be sufficiently large to compensate for the associated error probability.

On receiving the composite state |ψ⟩, A proceeds to carry out a pre-determined sequence of measurements on the qubit states at step 26. This measurement may take place at P or, should Alice have the technological capabilities to store and/or transmit quantum states reliably, at a later time and/or at a different point in space. In either case, the choice of measurement in this example assumes that A already knows, at the time of measurement, at which future point Q_{k} she will want to redeem the token: the way in which she measures the state |ψ⟩ is determined based on that choice. The measurements will be discussed in further detail below. At step 28, A then records the measurement outcome for each qubit classically. For example, she may write down the classical bits defining the outcomes, or input them to a computer memory. According to the invention, the resulting string of bits represents a (classical) token that A can then take with her through space-time to her chosen trade-in point (x_{k}, t_{k}), or send to her agent at the point x_{k} in space, to arrive by time t_{k}, for future redemption in return for an asset from B.

Those of skill in the art will appreciate that, in practice, A may attempt to measure each of the N states but obtain results only for a subset of those states. This may be because of losses in transmission, for example. In some embodiments, A may in this case provide feedback to B in real- or near-real-time about which qubit states produced a measurement outcome, based on the timings of the positive measurement results. Thus, for example, she may tell B that she obtained results for states 2, 5, 18, 23, and so on, in the sequence. Accordingly, the token in these cases may comprise only the successful measurement outcomes, and B need only communicate to his agents at each space-time point Q_{i} the classical descriptions of those states. (As will be clear to the skilled reader, in situations in which losses are high the number of states generated and sent by B should be sufficiently high to ensure a final token of adequate length for security, in accordance with the discussion above.)

As mentioned, the measurements performed by A are chosen in dependence on the point Q_{k} at which she decides that she will want to cash in her token. In this embodiment, the parties A and B pre-agree a set of measurement strings {M_{i} = {M_{i}^{1}, ..., M_{i}^{N}}}, each of which will give a corresponding string of outcomes that can be valid only at a single one of the points Q_{i}. In other words, A cannot obtain (by any strategy) two strings of answers that would be statistically plausible results of two distinct measurement operators M_{k} and M_{j}, j ≠ k on a state |ψ⟩ = |φ_{1}⟩_{1} ... |φ_{N}⟩_{N} with the pre-agreed measurement operators M_{k}, agreed to be those that will generate a token valid at Q_{k}, A cannot obtain (by any strategy) a string of answers that would be a statistically plausible result of any other operator M_{j}, j ≠ k according to the probability distribution assigned by quantum theory on the outcomes of the various measurements on the state. That is, given the state |ψ⟩ and measurement M each possible outcome of each possible measurement for which = X on states for which |φ_{i}⟩_{i} = |φ⟩ may be expected to occur a given number of times, on average. A's token is said not to represent a statistically plausible set of measurement outcomes for an operator M_{j}, j ≠ k on |ψ⟩ if, after allowing for an accepted level of errors and according to standard statistical significance tests, the data making up the token does not conform to those expectations in respect of that operator on the given state. One set of measurement strings that is appropriate for the set of photonic qubits of the present embodiment, each in one of the BB84 states as given above, will now be derived. It is stressed that the following derivation is given by way of non-limiting, enabling example only, and those of skill in the art will appreciate that many alternative, appropriate measurements may readily be derived.

As mentioned, A may choose at P that she will redeem her token at any one of n space-time points in the causal future of P. Writing 2^{r-1} < n ≤ 2^{r} for some r ∈ ℕ, the input state |ψ⟩ may be chosen to comprise N = rS qubits, where S ∈ ℕ is preferably on the order of 10^{3} or greater for good security. In that case, and writing k - 1 = in binary form, the measurement M_{k}^{l} to be applied to the l^{th} qubit in seeking to generate a token valid at the chosen space-time point Q_{k} may be chosen as follows.

Assume that r'S + 1 ≤ l ≤ (r' + 1)S for some r' < r, and solve for r'. Then if, in the binary representation of k - 1:

b_{r'} = 0, take M_{k}^{l} =

b_{r'} = 1, take M_{k}^{l} = {P_{+}^{l}, P_{-}^{l}},

where P_{0}^{l} = |0⟩⟨0|^{l}, P_{1}^{l} = P_{+}^{l} = and P_{-}^{l} = are projections onto the BB84 states of the 2-dimensional Hilbert space of qubit l, which may be carried out in accordance with any existing practical art.

With the measurement strings so defined, security follows because B (or his corresponding agent) can check that the token presented to him at Q_{k} corresponds to a statistically plausible set of outcomes of the measurements M_{k} on the state |ψ⟩ = |φ_{1}⟩_{1} ... |φ_{N}⟩_{N}, the classical description of which he knows and keeps secret. It can be shown that A is unable to operate on |ψ⟩ in such a way, consistent with the known laws of physics, as to produce statistically plausible outcomes for more than one of the measurement strings M_{i}; thus, she cannot cheat by using the state to generate a token that will be valid at more than one space-time point in the future of P. In particular, since she cannot clone the state she cannot cheat either by carrying out different measurements on two or more copies of it to obtain more than one token.

Future privacy also follows, because A can keep her choice of Q_{k} (i.e., of M_{k}) secret until she returns the token. Additionally, light-speed transmission of the token is possible since it amounts to nothing more than a classical string of bits, which can be sent by radio waves or by any other known means.
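The first embodiment can be simulated classically to see why a token measured for Q_{k} is rejected everywhere else. This is an added example, not part of the patent text: the function names, the bit ordering (b_{0} least significant), the mapping of bit 0 to the computational basis, the ideal measurement model and the per-block 10% error threshold are all assumptions made here.

```python
import random

COMPUTATIONAL, HADAMARD = 0, 1  # basis labels; a BB84 state is the pair (basis, bit)


def issue_states(r, S, rng):
    """B, step 22: N = r*S BB84 states chosen independently at random.
    B keeps this classical description secret. random.Random is used for the
    simulation only; a real issuer needs a true random source."""
    return [(rng.randrange(2), rng.randrange(2)) for _ in range(r * S)]


def measurement_string(k, r, S):
    """Bases M_k for redemption point Q_k (k = 1..2^r): every qubit l with
    r'S + 1 <= l <= (r'+1)S is measured in the basis chosen by bit b_{r'} of k-1."""
    if not 1 <= k <= 2 ** r:
        raise ValueError("k must index one of at most 2^r redemption points")
    # Assumption: b_0 is the least significant bit; 0 -> computational, 1 -> Hadamard.
    return [((k - 1) >> block) & 1 for block in range(r) for _ in range(S)]


def measure(state, basis, rng, noise=0.0):
    """Ideal projective measurement of one BB84 state: the prepared bit when the
    bases match, a fair coin otherwise; 'noise' flips the recorded outcome."""
    prepared_basis, bit = state
    outcome = bit if prepared_basis == basis else rng.randrange(2)
    return outcome ^ (rng.random() < noise)


def make_token(states, k, r, S, rng, noise=0.0):
    """A, steps 26-28: measure with M_k and record the outcomes as classical bits."""
    bases = measurement_string(k, r, S)
    return [measure(s, b, rng, noise) for s, b in zip(states, bases)]


def verify(states, token, j, r, S, max_error_rate=0.1):
    """B's agent at Q_j: accept only if each block of the token is a plausible
    outcome of M_j on the secret states. The threshold is an assumed value."""
    if len(token) != r * S:
        return False
    bases = measurement_string(j, r, S)
    for block in range(r):
        checked = errors = 0
        for l in range(block * S, (block + 1) * S):
            prepared_basis, bit = states[l]
            if prepared_basis == bases[l]:  # outcome is predictable only here
                checked += 1
                errors += token[l] != bit
        if checked == 0 or errors > max_error_rate * checked:
            return False
    return True


def accepting_points(states, token, r, S):
    """All indices j at which B's agents would accept this token."""
    return [j for j in range(1, 2 ** r + 1) if verify(states, token, j, r, S)]


def demo(seed=2015):
    """Constructed run: n = 8 points (r = 3), S = 200, A chooses Q_3, 1% noise."""
    rng = random.Random(seed)
    r, S = 3, 200
    states = issue_states(r, S, rng)
    token = make_token(states, 3, r, S, rng, noise=0.01)
    return accepting_points(states, token, r, S)


if __name__ == "__main__":
    print(demo())
```

Checking each block of S outcomes separately matters: two points whose indices differ in a single binary digit share all but one block of bases, so a single error rate over the whole token would shrink towards zero as r grows.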

One can easily imagine situations in which A might not know, or prefer not to decide, at P when and where she will want to redeem her token. For example, if the token represents credit for a trade, then A may want to keep the option of making the trade anywhere in a global trading network at time t_{1}, or of waiting until a later time t_{2}, or a later still t_{3}, and so on. Her chosen location may also be time-dependent, and this sequence may not be known to her in advance. For instance, trading conditions at her first chosen point (say, London at t_{1}) may determine both whether she should trade and, if not, where she should consider next.

A second embodiment of the present invention finds application in this scenario. The following discussion assumes for simplicity that A may want to cash in her token at one of a first set {Q^} of space-time points in the causal future of P or, alternatively, to defer redemption to one and so on, where all of the points in each set points in the preceding set, Q ' j. The application of the present embodiment also extends to more general configurations, not limited by causal relations in this way, and the assumption is made merely for ease of illustration. B's agents at all points are assumed to be able to generate and transmit quantum states as well as receive tokens. The method then proceeds following the sequence 30 outlined in figure 3.

In a first stage 32 of the method according to this embodiment, A and B proceed as described above with reference to figure 2. Thus, at space-time point P, B generates at step 322 a sequence of qubits and passes those, along a suitable channel, to A at step 324. At step 326, A measures the qubits using measurement operators M_{k} that she and B have agreed will give a valid token at the future point Q^ , at which she decides she may want to trade or otherwise gain access to the relevant resource or asset. Following step 328, at which she records her measurement outcomes classically as above, she then carries this token with her (or sends it to an agent) through space-time to the point

On reaching at step 34, A decides whether or not to trade in the token generated at P. If not, B's corresponding agent generates a new quantum state

sends this to A as before.

In some realisations, A may have agents at all who may all accept new states from B's corresponding agents at those points. In this way, B need not be made to learn any information about A's initial choice of location should she choose to postpone her trade-in of her token.

Based on a decision that she may now want to trade at point

A then carries out, at Q^, the appropriate string of measurements M_{kz} on the newly-supplied state

(Here, it is assumed for simplicity that each set [<2 ^{m)}] includes 2^{r} or fewer space-time points, and that the agreement between A and B is that A will choose from measurement strings defined in the manner described above each time she receives a new state |^^{(m)}). This is not essential, however, and the measurements at some or all stages may in other embodiments be different.) The resulting N bits of information represent an extension of the token generated at P, to which they can simply be appended to define a new token that will be valid at

As will be apparent if, on reaching

A again decides to postpone her trade, the process just described can be iterated until she does decide to redeem her token. The token grows linearly in length at each stage. In particular, under the present assumptions, the length of the token generated at stage m - 1 for presentation to B at stage m will be on the order of mN. It is noted that B's agents at all points are assumed to be aware of the identities of all strings of states sent, both at P and at all intervening points at which A elected to extend, rather than to redeem, her token.

The scheme may be iterated for any number of rounds, limited only by technological constraints.

Security can be shown to follow from the security proofs derived in Kent, A. Unconditionally secure bit commitment by transmitting measurement outcomes. Phys. Rev. Lett. 109, 130501 (2012); in Croke, S. et al. Security details for bit commitment by transmitting measurement outcomes. Phys. Rev. A 86, 052309 (2012); and in Lunghi, T. et al. Experimental bit commitment based on quantum communication and special relativity. Phys. Rev. Lett. 111, 180504 (2013).

At each stage, A needs to generate a valid set of measurement outcomes for the new state supplied to her at that stage. Since the states supplied at each stage are independent, she can only generate two valid tokens if she can generate two valid sets of measurement outcomes for the states supplied at at least one point which, as discussed above, is not statistically feasible.
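The staged extension and its verification can be followed in a classical simulation, given here as an added illustration that is not part of the original disclosure. It assumes noise-free BB84 states and a measurement encoding in which each of the r bits of the chosen point's label selects the basis for one block of S qubits (so N = rS); the encoding, the parameter values and all function names are assumptions made for the example.

```python
import random

R, S = 3, 64          # assumed: 2**R points per stage, S qubits per label bit
N = R * S             # qubits received (and token bits added) per stage

def issue(rng):
    """B's agent prepares N random BB84 states, recorded as (basis, bit)."""
    return [(rng.randrange(2), rng.randrange(2)) for _ in range(N)]

def basis_for(point, i):
    """Basis A uses on qubit i when committing to `point` (assumed encoding)."""
    return (point >> (i // S)) & 1

def measure(states, point, rng):
    """A measures: a matching basis returns B's bit, otherwise a uniform bit."""
    return [bit if basis == basis_for(point, i) else rng.randrange(2)
            for i, (basis, bit) in enumerate(states)]

def segment_valid(states, point, segment):
    """B checks outcomes wherever his preparation basis matches the claimed point."""
    return all(out == bit
               for i, ((basis, bit), out) in enumerate(zip(states, segment))
               if basis == basis_for(point, i))

def verify(issued, path, token):
    """B validates a token of len(path) segments against the claimed path."""
    if len(issued) < len(path) or len(token) != len(path) * N:
        return False
    return all(segment_valid(issued[m], q, token[m * N:(m + 1) * N])
               for m, q in enumerate(path))

def run(path, seed=1):
    """Simulate A postponing at each stage and extending her token along `path`."""
    rng = random.Random(seed)
    issued, token = [], []
    for q in path:
        states = issue(rng)                 # fresh, independent states from B
        issued.append(states)
        token += measure(states, q, rng)    # append N more classical bits
    return issued, token
```

Because each stage uses independent states, a token that claims a different point at any single stage fails B's check on roughly half of the qubits he prepared in the other basis for the affected block.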

The embodiment just described with reference to figure 3 offers future privacy, but not past privacy: on returning the final token to B at stage m + 1, A concedes information about her location at all past points Q^, Q^, - , Q^ visited, at which she had the option to trade with B. Past privacy for A can be guaranteed by refining the verification of the token, as follows.

In the embodiments discussed above, the token presented by A to B at her final chosen point is simply a classical string of bits. In a further embodiment, A may instead encrypt the data using any standard cryptographically or unconditionally secure bit commitment scheme. Additionally, B presents to A the requirements for a token to be valid at (in particular, to correspond to a valid path from P to Q^) in the form of a testing algorithm. This may be a simple list of all acceptable tokens, for example. Alternatively and more efficiently, B could specify the statistical tests that he would apply to the token presented by A.

Having exchanged this information, A and B in this revised embodiment proceed through a zero-knowledge proof protocol of the sort known in the art and described, for example, in Brassard, G. et al. Minimum disclosure proofs of knowledge. J. Computer and System Sciences 37, 156 (1988). This may allow the simultaneous guarantee for B that the token presented to him is valid; and for A that B learns no information about the path of the token other than its endpoint.

In a yet further variant of the second embodiment of figure 3, A may commit herself from the outset to a given path of points P→ → →^{■■■}→ Q^, each point in the sequence being in the causal future of the one preceding it. In this example, A receives from B at point P a set of mN random quantum states, and uses those to obtain an m-part token by carrying out the pre-agreed measurements M_{k} on the first N states, M_{kz} on the second N states, and so on. To use the token at Qj for any 1≤ p≤ m, she simply hands

to B's agent at the first p segments of the token, in either encrypted or unencrypted form as discussed above, and B verifies that these define a valid causal path. Once the token has been used and accepted at Q^, A may discard the remaining unused measurement data.

Thus, a semi-classical form of Wiesner's quantum money has been disclosed that provides unconditionally secure future position commitment. The invention finds application in any situation in which two non-trusting parties must co-operate in such a way that one can fairly and securely purchase, acquire or otherwise obtain from the other an asset or access to a resource.