Demonstration of quantum-digital payments

TL;DR

This work shows how quantum light can secure daily digital payments by generating inherently unforgeable quantum cryptograms, implemented over an urban optical fiber link, and shows its robustness to noise and loss-dependent attacks.

Abstract

Digital payments have replaced physical banknotes in many aspects of our daily lives. Similarly to banknotes, they should be easy to use, unique, tamper-resistant and untraceable, but additionally withstand digital attackers and data breaches. Current technology substitutes customers' sensitive data by randomized tokens, and secures the payment's uniqueness with a cryptographic function, called a cryptogram. However, computationally powerful attacks violate the security of these functions. Quantum technology comes with the potential to protect even against infinite computational power. Here, we show how quantum light can secure daily digital payments by generating inherently unforgeable quantum cryptograms. We implement the scheme over an urban optical fiber link, and show its robustness to noise and loss-dependent attacks. Unlike previously proposed protocols, our solution does not depend on long-term quantum storage or trusted agents and authenticated channels. It is practical with near-term technology and may herald an era of quantum-enabled security.

Figures (5)

• Figure 1: Simplified representation of quantum-digital payments. As in classical payments, we consider three parties: a Client, a Merchant and a Bank/Creditcard institute. In contrast to Kent:npj22, we do not assume any quantum or classical communication channel to be trusted (i.e. CH 1, CH 2 and CH 3 are insecure), except an initial prior step between the Bank and Client for an account creation. All parties involved apart from the Bank can also act maliciously. During a payment, the Bank sends a set of quantum states to the Client's device (e.g. phone, computer, etc.), who measures them and transforms them into a quantum-secured payment token -- cryptogram -- which we display here as a one-time credit card. The Client uses this classical token for paying at the Merchant, who then contacts the Bank for payment verification. If the payment is accepted, the bank transfers the money from the Client's account to the Merchant's.
• Figure 2: Classical digital payments.Step $0$: The Client sets up an account at the ttp, providing their secret ID and sensitive credit card information through an authenticated and encrypted channel. Step $1$: The Client authenticates with the ttp, and requests a cardholder token $C$, which the ttp sends through a secure channel. Step $2$: The ttp randomly generates a one-time token $P$ and sends it to the Client through a secure channel. Step $3$: The Client's device uses the stored secret token $C$, the public merchant ID $M_i$, and the payment token $P$ to compute a cryptogram $\kappa\left(C,M_i,P\right)$. Step $4$: The Client spends the cryptogram at the chosen Merchant. Step $5$: The Merchant verifies the cryptogram with the ttp, and accepts or rejects the transaction.
• Figure 3: Experimental quantum-digital payments.a) The ttp creates entangled photon pairs using a spdc source. One photon's polarization is randomly measured by the ttp in either the linear or diagonal basis, creating the classical description $(b,\mathcal{B})$, which remotely prepares the quantum token $\ket{P}$ on the second photon. The latter is sent to the Client through a $641$m long optical fiber link, who measures its polarization in a basis $m_i = M\!AC(C, M_i)$ specified by a hmac of the Merchant's ID $M_i$ and the Client's private token $C$, and thereby obtains the cryptogram that is $\kappa_i \overset{m_i}{\longleftarrow} \ket{P}$. Classical communication between the ttp, Client and Merchant is used to verify the compatibility of $\kappa$, $M_i$ and $C$ with $(b,\mathcal{B})$. Red (blue) lines indicate quantum (classical) channels. The arrow numbering indicates the steps from \ref{['fig:classical']}. b) Satellite image of the two buildings housing the ttp, Client and Merchant. A 641m optical fiber link connects the parties.
• Figure 4: Security for experimental quantum cryptograms.a) The semidefinite programming framework extracts a secure region of operation (turquoise) as a function of errors and losses. Our measured experimental performance ($e_m=0.0328 \pm 0.0001; l_m=0.2239 \pm 0.015$) is indicated by the blue dot, and lies within the secure region. Error bars propagate poisson errors on coincidence counts. b) The dishonest success probability $p_d$ (green, upper bound) and honest success probability $p_h$ (red, lower bound) are displayed as a function of the number of quantum states $N$ required to verify one bit of the cryptogram. These are derived using a Chernoff bound argument (see Supplementary Information) DP09. As an example, an experimental token containing $\lambda= N=4.2\cdot 10^{6}$ quantum states (vertical blue dashed line) achieves an honest success probability very close to $p_h\sim 1$ and a dishonest success probability $p_d = 5.9\cdot 10^{-45}$.
• Figure 5: Heralded second order correlation function. Data was acquired for 60min at a pump power of 35mW. Coincidences were calculated using four different time windows: 0.33ns (green), 0.99ns (blue), 1.98ns (red), 2.96ns (violet). From this measurement, we determine $g^{(2)}_h(0)=0.0301\pm0.00014$ for the coincidence window used in the implementation of the protocol. Shaded areas represent error propagated uncertainties due to poissonian photon statistics.