In short

Quantum money (Wiesner, 1970 — published 1983) is a banknote scheme in which each bill carries a classical serial number plus n qubits, each prepared in one of four states \{|0\rangle, |1\rangle, |+\rangle, |-\rangle\} chosen at random. The issuing bank keeps a private record of every serial number together with the (b_i, s_i) pair — the bit and the basis — for each of its qubits. Verification is easy for the bank: look up the record, measure each qubit in its stored basis, check the outcome. Forgery is hard for anyone else: not knowing the basis, the forger must guess, and an honest guess gets each qubit right with probability 1/2. For n = 100 qubits the forger's probability of producing a bill that passes verification is (1/2)^{100} \approx 10^{-30} — smaller than the probability of correctly guessing someone's ATM PIN six times in a row. The security is grounded not in computational hardness but in the no-cloning theorem: the forger cannot duplicate an unknown quantum state, so each qubit can only be measured once, and measuring in the wrong basis destroys the information. The scheme has one glaring limitation — only the bank can verify — which is why the last twenty years of quantum-money research has been about public-key quantum money (anyone can verify, only the bank can print). And one awkward limitation — you need a quantum memory that holds a state for as long as the bill is in circulation, which is years, and nobody has built one.

A ₹2000 note carries about twenty anti-counterfeiting features. Micro-lettering, colour-shifting ink, a three-dimensional security thread, raised print you can feel with your thumb, a see-through register when you hold it up to the light. Each of these raises the cost of forgery. None of them makes forgery physically impossible. A sufficiently well-funded counterfeiter — a state actor, a cartel, a dedicated chemistry lab — can reproduce every feature. The arms race is open-ended; there is no end state.

Now imagine a bill whose anti-counterfeiting feature is a theorem of physics. Not a clever material. Not a cryptographic signature. An actual law: no machine of any construction, now or in the future, can duplicate the thing on this note.

This idea is called quantum money, and it was written down in 1970 by a graduate student named Stephen Wiesner, in a manuscript titled Conjugate Coding. The manuscript was rejected from every journal Wiesner submitted it to. It finally appeared in SIGACT News in 1983 [1], after Charles Bennett and Gilles Brassard recognised its ideas were the foundation of quantum cryptography and pushed for publication. By then Wiesner had left physics. The paper is three pages long and invented, simultaneously, quantum money, quantum multiplexing (now called quantum oblivious transfer), and the no-cloning-based cryptographic style that became BB84 fourteen years later.

This chapter walks through the quantum-money scheme, derives the forgery-failure probability, and explains why — five decades after Wiesner conceived it — no bank anywhere has issued a quantum banknote, and what would have to change for that to happen.

The picture — what a quantum banknote looks like

A Wiesner banknote has two pieces. The first is a normal classical serial number, printed in ink on the bill, the way every rupee note already has a serial. The second is a row of n tiny boxes, each containing a single qubit prepared by the bank at the time the bill was printed.

[Figure: A Wiesner quantum banknote. A rectangular banknote with the classical serial number QMN-00042 at the top left and, along the bottom, a row of eight numbered boxes holding the states |0⟩, |+⟩, |1⟩, |−⟩, |+⟩, |0⟩, |−⟩, |1⟩. Each qubit is one of four states, chosen at random by the bank at issue time.]
A schematic Wiesner banknote: a classical serial number plus a row of $n$ qubit slots. Each qubit is prepared by the bank in one of four states, drawn uniformly at random.

The four states are |0\rangle, |1\rangle, |+\rangle, |-\rangle. The first two are the computational basis (Z-basis) eigenstates; the last two are the Hadamard basis (X-basis) eigenstates, with |+\rangle = \tfrac{1}{\sqrt 2}(|0\rangle + |1\rangle) and |-\rangle = \tfrac{1}{\sqrt 2}(|0\rangle - |1\rangle).

Two qubits from different bases are non-orthogonal. For instance \langle 0 | + \rangle = 1/\sqrt{2} — a |0\rangle measurement of a |+\rangle state has probability 1/2 of returning 0. That is the crucial fact the security rests on: measurements in the wrong basis give random outcomes.

The bank keeps a private database. For every serial number in circulation, the database stores, for each of the n qubit slots, a pair (b_i, s_i) where b_i \in \{0, 1\} is the bit and s_i \in \{Z, X\} is the basis. The mapping from (b_i, s_i) to the actual qubit state is

(b, Z) \to |b\rangle, \qquad (0, X) \to |+\rangle, \qquad (1, X) \to |-\rangle.

So (0, Z) \to |0\rangle, (1, Z) \to |1\rangle, (0, X) \to |+\rangle, (1, X) \to |-\rangle. Four combinations, four states.

The bank chooses (b_i, s_i) uniformly at random when it prints the bill. Each qubit is independent. There are 4^n possible quantum-state strings, each equally likely — a genuinely random quantum fingerprint stamped onto the bill.

The protocol — print, circulate, verify

The scheme has three phases.

Printing. The bank generates random bits b_1, b_2, \ldots, b_n and random bases s_1, s_2, \ldots, s_n. It prepares n qubits in the states |b_1\rangle_{s_1}, |b_2\rangle_{s_2}, \ldots, |b_n\rangle_{s_n}. It prints a bill with a new serial number \sigma, attaches the n qubits, and stores the record \sigma \to ((b_1, s_1), \ldots, (b_n, s_n)) in its database. The bill goes into circulation.

Circulating. The bill changes hands. Alice buys vegetables from Bhavana; Bhavana pays a rickshaw fare with it; the rickshaw driver deposits it at a tea stall. Nobody along the way knows the (b_i, s_i) record. They only see the serial number.

Verifying. Eventually someone brings the bill back to the bank (to deposit it, to exchange it for a newer bill, or because they are suspicious of it). The bank looks up \sigma, retrieves ((b_1, s_1), \ldots, (b_n, s_n)), and for each qubit measures it in basis s_i. The measurement returns a classical bit \tilde b_i. The bank checks that \tilde b_i = b_i for every i. If all n check out, the bill is genuine.

[Figure: Verification procedure. The bank's private database (σ = QMN-00042: (b₁,s₁)=(0,Z), (b₂,s₂)=(0,X), (b₃,s₃)=(1,Z), ...) supplies the stored basis sᵢ. The qubit from the bill is measured in that basis to give an outcome b̃ᵢ ∈ {0, 1}, which is compared with the stored bit bᵢ. The bill is accepted if all b̃ᵢ = bᵢ.]
Verification for a single qubit. The bank uses its private record to pick the correct measurement basis, then checks the outcome against the stored bit. The full verification repeats this for all $n$ qubits on the bill.

Two things to notice. First, the bank's measurement gives a deterministic outcome on a genuine qubit — if the bill is honest, the qubit is an eigenstate of the correct basis, and the outcome is exactly b_i with probability 1. No randomness, no false rejections. Second, a dishonest bill — one that carries the wrong quantum state in some slot — will fail the check with non-zero probability at that slot. The forgery-success probability compounds across slots; the more slots, the harder to forge.

Why forgery fails — the probability calculation

A forger's job is: given a genuine bill, produce a second bill with the same serial number and a quantum state that passes verification. Two copies in circulation, both pass, the forger has doubled their money.

The forger does not know the (b_i, s_i) record — that is private to the bank. So the forger's only handle on each qubit is the qubit itself. What can they do with it?

Strategy 1 — just forward the original

The forger could hand the original bill to one receiver and keep nothing. That is not forgery; that is just spending the bill. Zero duplicate bills, zero forgery.

Strategy 2 — clone the qubits

If the forger could clone each qubit, they would have two identical quantum copies of the bill. Both would pass verification deterministically. This is exactly what the no-cloning theorem forbids. There is no unitary U taking |\psi\rangle \otimes |0\rangle to |\psi\rangle \otimes |\psi\rangle for arbitrary |\psi\rangle. The proof is three lines of linearity, and it has no escape. Cloning is out.

Strategy 3 — measure the qubit and re-prepare from the outcome

The forger measures each qubit in some basis, reads an outcome, then prepares two fresh qubits in that same outcome state, and attaches one copy to each bill. Let's compute the probability that a given forged qubit passes the bank's verification.

The forger does not know the bank's basis s_i. Call their chosen basis s'_i. Two cases:

Case A — s'_i = s_i (forger guesses the basis correctly). The measurement is in the same basis as the state's eigenbasis. The outcome is exactly b_i with probability 1. The forger prepares |b_i\rangle_{s_i} — identical to the original — and attaches it. The bank's verification succeeds with probability 1. For this slot, the forger gets it right deterministically.

Case B — s'_i \ne s_i (forger guesses the basis wrongly). The measurement is in the basis conjugate to the state's eigenbasis. The outcome is 0 with probability 1/2 and 1 with probability 1/2 — a uniform random bit, independent of b_i. Whichever outcome the forger sees, they prepare a qubit in |\text{outcome}\rangle_{s'_i} (the wrong basis). The bank then measures that fresh qubit in s_i, which is conjugate to s'_i, so the bank's outcome is again uniform random: 0 or 1 each with probability 1/2. The probability that the bank's outcome matches the stored b_i is exactly 1/2.

Why the bank's outcome is random in Case B: the forger has attached a qubit in an eigenstate of s'_i, but the bank measures in the conjugate basis s_i. An s'_i-eigenstate expanded in the s_i basis has amplitudes \pm 1/\sqrt 2, giving outcome probabilities 1/2 and 1/2 regardless of what the forger saw. The original b_i value has been erased by the forger's measurement; the fresh qubit carries no information about it.

The forger does not know which case they are in. They get Case A with probability 1/2 (there are two bases; uniform guess) and Case B with probability 1/2.

Probability that one forged qubit passes:

P_1 = \tfrac{1}{2} \cdot 1 + \tfrac{1}{2} \cdot \tfrac{1}{2} = \tfrac{3}{4}.

For n independent qubits, the probability that all forged slots pass is

P_{\text{forge}} = \left(\tfrac{3}{4}\right)^n.

Why the probabilities multiply: each slot is an independent qubit prepared with an independently-chosen basis. The forger's success on slot i is independent of their success on slot j, because the bank's record entries are independently random. Independent events compound by multiplication.

For n = 100, P_{\text{forge}} = (3/4)^{100} \approx 3.2 \times 10^{-13}. For n = 200, P_{\text{forge}} \approx 10^{-25}. For n = 1000, P_{\text{forge}} \approx 10^{-125} — a number smaller than the volume of the observable universe measured in Planck volumes.

The sharper bound with the optimal forger strategy

The measure-and-re-prepare strategy gives the forger 3/4 per qubit. Could a cleverer strategy do better? It turns out the answer is yes, slightly: a forger who uses an optimal universal quantum cloner (Bužek-Hillery, fidelity 5/6 per copy) can push the per-slot passing probability somewhat higher, but still strictly below 1, and the composite probability still decays exponentially in n. Optimisation over all possible attack strategies gives a per-qubit passing probability no better than about 5/6 \approx 0.833; for n = 100, this still yields P_{\text{forge}} \leq (5/6)^{100} \approx 9 \times 10^{-9} — one in a hundred million. Forgery security is robust.

The essential point: the best the forger can do is good but not perfect per qubit, and exponentially many qubits push the composite probability to cryptographically negligible levels. The n in the scheme is a knob the bank can turn. Wiesner's original proposal suggested n = 20; modern treatments recommend n \geq 100.

[Figure: Forgery-success probability decays exponentially. Log-scale plot of log₁₀ P_forge (from 1 down to 10⁻⁶⁰) against the number of qubits n (0 to 200). Curves: (3/4)ⁿ, measure and re-prepare; (5/6)ⁿ, optimal cloner bound. Callouts: n=20: ≈ 3·10⁻³; n=100: ≈ 3·10⁻¹³.]
Forgery success decays exponentially in $n$. The solid curve is the simple measure-and-reprepare strategy; the dashed curve is the lower bound from the Bužek-Hillery optimal cloner. Either way, $n \geq 100$ drives the probability to cryptographically negligible values.

No classical security scheme delivers this guarantee without an unproved assumption. RSA's security rests on factoring being hard — which is a conjecture, not a theorem, and a quantum-computer-capable adversary can break it in polynomial time (Shor's algorithm). AES rests on the assumption that no efficient attack exists. Quantum money's security rests on the no-cloning theorem — a theorem, not a conjecture, provable in three lines, with no unproved assumptions about algorithmic difficulty.

Worked examples

Example 1 — A 4-qubit banknote, honest verification and a forgery attack

Walk through the full scheme on a bill with just n = 4 qubits. See both an honest verification and a forgery attempt end to end.

Setup — the bank issues the bill. The bank generates random bits and bases:

b = (0, 1, 0, 1), \qquad s = (Z, X, X, Z).

It prepares the four qubits:

(b_1, s_1) = (0, Z) \to |0\rangle, \quad (b_2, s_2) = (1, X) \to |-\rangle, \quad (b_3, s_3) = (0, X) \to |+\rangle, \quad (b_4, s_4) = (1, Z) \to |1\rangle.

The bill's quantum slots hold |0\rangle, |-\rangle, |+\rangle, |1\rangle and the serial number is, say, QMN-00042. The bank's database stores QMN-00042 \to (0,Z), (1,X), (0,X), (1,Z).

Honest verification. Alice brings the bill back to the bank. The bank looks up QMN-00042, reads the four pairs, and measures each qubit.

  • Slot 1: qubit is |0\rangle. Bank measures in Z. Outcome is 0 with probability 1. Matches b_1 = 0. ✓
  • Slot 2: qubit is |-\rangle. Bank measures in X. Outcome is 1 with probability 1. Matches b_2 = 1. ✓
  • Slot 3: qubit is |+\rangle. Bank measures in X. Outcome is 0 with probability 1. Matches b_3 = 0. ✓
  • Slot 4: qubit is |1\rangle. Bank measures in Z. Outcome is 1 with probability 1. Matches b_4 = 1. ✓

Why each outcome is deterministic: the qubit is an eigenstate of the measurement basis. A Z-basis measurement on a Z-basis eigenstate returns the eigenvalue with probability 1; the same for X. No randomness.

All four match. The bill is accepted.

Forgery attempt. An adversary, Mohan, has intercepted the bill. He cannot clone the qubits (no-cloning). His only option is to measure each one, read an outcome, and prepare two fresh qubits in that outcome state — one for each bill he wants to pass off.

Mohan does not know s. He guesses, let's say choosing s' = (Z, Z, X, X) — a reasonable random guess.

  • Slot 1: Mohan measures |0\rangle in Z. Basis matches (Z = Z). Outcome: 0 with probability 1. He prepares |0\rangle. Bank verification will succeed with probability 1. ✓
  • Slot 2: Mohan measures |-\rangle in Z. Basis mismatches (Z \ne X). Outcome: 0 with probability 1/2, 1 with probability 1/2. Say Mohan reads 0 and prepares |0\rangle. Bank will measure the fresh |0\rangle in X — outcome 0 or 1 with probability 1/2 each. Bank expects b_2 = 1; probability of match is 1/2.
  • Slot 3: Mohan measures |+\rangle in X. Basis matches (X = X). Outcome: 0 with probability 1. Prepares |+\rangle. Verification ✓.
  • Slot 4: Mohan measures |1\rangle in X. Basis mismatches. Outcome random. Say 1, prepares |-\rangle. Bank measures in Z: outcome random; match with b_4 = 1 has probability 1/2.

Mohan's overall probability of passing:

P_{\text{Mohan's forgery}} = 1 \cdot \tfrac{1}{2} \cdot 1 \cdot \tfrac{1}{2} = \tfrac{1}{4}.

Why the slots that mismatched gave only 1/2 per slot: Mohan's fresh qubit is in an eigenstate of his guessed basis, which is conjugate to the bank's measurement basis. A conjugate-basis measurement on an eigenstate of the wrong basis is uniformly random. The bank's stored b_i is fixed and independent of the forger's new state; the match is a coin flip.

That is for this specific basis guess. If instead Mohan averaged over a uniform random basis guess on each slot, the per-slot probability is \tfrac{1}{2}(1) + \tfrac{1}{2}(\tfrac{1}{2}) = \tfrac{3}{4}. For n = 4, averaged forgery success is (3/4)^4 = 81/256 \approx 0.316 — about 32%. Too high.

Result. A 4-qubit bill is far too short for security — about one forgery attempt in three gets through. Real deployments need n \geq 100. For n = 100, averaged forgery success is (3/4)^{100} \approx 3.2 \times 10^{-13} — one in three trillion.

[Figure: Honest verification vs forgery, slot by slot. Top row, honest verification: |0⟩ in Z ✓, |−⟩ in X ✓, |+⟩ in X ✓, |1⟩ in Z ✓, P = 1. Bottom row, forgery attempt with guess s' = (Z, Z, X, X): Z=Z match, pass 1; Z≠X mismatch, pass 1/2; X=X match, pass 1; X≠Z mismatch, pass 1/2; P = 1/4.]
The 4-qubit worked example. Honest verification passes deterministically. The forger's basis guess $(Z, Z, X, X)$ matches on two slots (pass probability 1) and mismatches on two slots (pass probability 1/2 each), giving overall forgery probability $1/4$.
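
The printing and verification protocol, the measure-and-re-prepare forger and the numbers from Example 1 can be checked with a small state-vector simulation. This is an added example, not part of the original chapter; the names `Bank`, `forge`, `exact_pass_probability`, `average_pass_probability` and `simulated_pass_rate` are chosen here for illustration, and each qubit is modelled as a pair of real amplitudes.

```python
import itertools
import math
import random

R = 1 / math.sqrt(2)
# (bit, basis) -> real amplitudes (a0, a1) in the computational basis
STATES = {(0, "Z"): (1.0, 0.0), (1, "Z"): (0.0, 1.0),
          (0, "X"): (R, R), (1, "X"): (R, -R)}


def prepare(bit, basis):
    return STATES[(bit, basis)]


def prob_outcome(state, basis, bit):
    """Born-rule probability of reading `bit` when measuring `state` in `basis`."""
    a0, a1 = state
    if basis == "Z":
        amp = a0 if bit == 0 else a1
    else:  # project onto |+> (bit 0) or |-> (bit 1)
        amp = (a0 + a1) * R if bit == 0 else (a0 - a1) * R
    return round(amp * amp, 12)  # rounding keeps eigenstate outcomes exactly 0 or 1


def measure(state, basis, rng):
    return 0 if rng.random() < prob_outcome(state, basis, 0) else 1


class Bank:
    def __init__(self, n, rng):
        self.n, self.rng, self.records = n, rng, {}

    def mint(self, serial):
        # Seeded PRNG so the simulation is reproducible; a real mint needs
        # an unpredictable randomness source for bits and bases.
        record = [(self.rng.randrange(2), self.rng.choice("ZX"))
                  for _ in range(self.n)]
        self.records[serial] = record  # the private (b_i, s_i) record
        return serial, [prepare(b, s) for b, s in record]

    def verify(self, serial, qubits):
        record = self.records.get(serial)
        if record is None or len(qubits) != len(record):
            return False
        # Measure every slot in its stored basis and compare with the stored bit.
        return all(measure(q, s, self.rng) == b
                   for q, (b, s) in zip(qubits, record))


def forge(qubits, rng):
    """Strategy 3: guess a basis per slot, measure, re-prepare from the outcome."""
    forged = []
    for q in qubits:
        guess = rng.choice("ZX")
        forged.append(prepare(measure(q, guess, rng), guess))
    return forged


def exact_pass_probability(record, guesses):
    """Exact chance a re-prepared bill passes, for fixed forger basis guesses."""
    p = 1.0
    for (b, s), g in zip(record, guesses):
        original = prepare(b, s)
        # Sum over the forger's outcome o, then the bank reading b from |o>_g.
        p *= sum(prob_outcome(original, g, o) * prob_outcome(prepare(o, g), s, b)
                 for o in (0, 1))
    return p


def average_pass_probability(record):
    """Average of exact_pass_probability over all 2^n basis guesses."""
    guesses = list(itertools.product("ZX", repeat=len(record)))
    return sum(exact_pass_probability(record, g) for g in guesses) / len(guesses)


def simulated_pass_rate(n, trials, seed=0):
    """Monte Carlo estimate: mint a bill, forge it, let the bank verify."""
    rng = random.Random(seed)
    bank = Bank(n, rng)
    passed = 0
    for t in range(trials):
        serial, qubits = bank.mint(f"QMN-{t:05d}")
        passed += bank.verify(serial, forge(qubits, rng))
    return passed / trials


# The bill from Example 1: b = (0, 1, 0, 1), s = (Z, X, X, Z).
EXAMPLE_1 = [(0, "Z"), (1, "X"), (0, "X"), (1, "Z")]

if __name__ == "__main__":
    print(exact_pass_probability(EXAMPLE_1, "ZZXX"))  # Mohan's guess
    print(average_pass_probability(EXAMPLE_1))        # (3/4)^4
    print(simulated_pass_rate(4, 20000))              # close to (3/4)^4
```

Raising `n` in `simulated_pass_rate` shows the forged bills being rejected almost every time well before n reaches 100.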

Example 2 — A forger measures in the wrong basis and destroys the state

Zoom into one slot and watch the state collapse. The bank's qubit is |+\rangle. The forger, not knowing the basis, measures in Z. What happens?

Setup. Qubit state: |+\rangle = \tfrac{1}{\sqrt 2}(|0\rangle + |1\rangle). Forger's measurement basis: Z (computational). Bank's basis for this slot: X. Bank's stored bit: b = 0 (so bank expects an X-measurement outcome of 0).

Step 1 — compute Z-measurement outcome probabilities. Project |+\rangle onto |0\rangle and |1\rangle:

\mathrm{Prob}(Z\text{ outcome } 0) = |\langle 0 | + \rangle|^2 = \left|\tfrac{1}{\sqrt 2}\right|^2 = \tfrac{1}{2}.
\mathrm{Prob}(Z\text{ outcome } 1) = |\langle 1 | + \rangle|^2 = \left|\tfrac{1}{\sqrt 2}\right|^2 = \tfrac{1}{2}.

Why these inner products equal 1/\sqrt 2: |+\rangle = \tfrac{1}{\sqrt 2}(|0\rangle + |1\rangle), so \langle 0 | + \rangle = \tfrac{1}{\sqrt 2}(\langle 0|0\rangle + \langle 0|1\rangle) = \tfrac{1}{\sqrt 2}(1 + 0) = \tfrac{1}{\sqrt 2}. Similarly for \langle 1 | + \rangle.

Suppose the forger reads outcome 0. The state has collapsed to |0\rangle. Suppose instead outcome 1. The state has collapsed to |1\rangle. Either way, the original |+\rangle is gone. There is no way to recover it.

Step 2 — forger prepares a fresh qubit for each bill. The forger, having read 0, prepares |0\rangle and attaches it to both bills they want to pass off (the original one, and the forged second copy). Now there are two bills, each carrying |0\rangle in this slot.

Step 3 — compute the verification probability at the bank. The bank measures |0\rangle in X. Expand |0\rangle in the X basis:

|0\rangle = \tfrac{1}{\sqrt 2}(|+\rangle + |-\rangle).

So \mathrm{Prob}(X\text{ outcome } 0) = |\langle + | 0 \rangle|^2 = \tfrac{1}{2} and \mathrm{Prob}(X\text{ outcome } 1) = |\langle - | 0 \rangle|^2 = \tfrac{1}{2}.

Why the outcome is random: the fresh |0\rangle is an eigenstate of Z, not of X. A Z-eigenstate measured in X gives uniformly random outcomes. This is exactly the "conjugate basis" phenomenon.

The bank expects b = 0 (the stored bit). Match probability: \tfrac{1}{2}. The slot passes with probability 1/2.

Same analysis if the forger had read 1: prepares |1\rangle, bank's X-outcome is uniform, match probability 1/2. The forger's choice does not matter — once the wrong basis is chosen, the probabilities are locked.

Result. A single mismatched-basis slot gives the forger 1/2 probability of passing that slot, regardless of their measurement outcome and re-preparation choice. Compounded over n slots with independent basis guesses — half of which are wrong on average — the composite probability is (3/4)^n. The forger's probability of success shrinks to negligible for n \geq 100.

[Figure: State collapse after a wrong-basis measurement. The bank's qubit |+⟩ (stored b=0, s=X, expects X-outcome 0) is measured by the forger in Z and collapses to |0⟩ or |1⟩ with probability 1/2 each, destroying the original. The forger prepares a fresh qubit, the bank measures it in X, and the outcome is 0 or 1 with probability 1/2 each, so the match probability is 1/2 regardless of the forger's outcome.]
The failure path. Bank's $|+\rangle$ is measured by the forger in $Z$, collapsing randomly to $|0\rangle$ or $|1\rangle$. The forger prepares a fresh copy of that outcome state. When the bank later measures in $X$, the outcome is uniformly random, giving a $1/2$ match probability regardless of the forger's strategy.

Common confusions

Going deeper

You now have the scheme, the forgery probability, and both worked examples. The going-deeper sections cover the one major structural weakness of Wiesner money (the bank-only verification) and the roughly fifteen years of research on public-key quantum money that tries to fix it; the practical hardware problem of long-lived quantum memory; the connection to quantum lightning and its cryptographic cousins; the historical story of Wiesner's suppressed manuscript; and the place of quantum money in India's National Quantum Mission cryptographic pillar.

The bank-verification problem and public-key quantum money

Wiesner's scheme is private-key: only the bank can verify, because verification needs the secret (b_i, s_i) record. This is inconvenient for any real currency — every transaction would have to go through the bank in real time. Card payments already do this; but cash's point is that it works offline.

A better scheme would be public-key quantum money: anyone can verify a bill without consulting the bank, but only the bank can print new bills. This parallel exists in classical cryptography — RSA signatures are public-key verifiable, private-key signable. Doing the same with quantum states requires a quantum "public key" that encodes enough information to verify a specific quantum state without revealing enough to prepare that state.

Progress has been slow but real.

No construction has been simultaneously (a) efficient, (b) provably secure under standard cryptographic assumptions, and (c) implementable on near-term hardware. Public-key quantum money remains an active research question, about two decades old, with significant theoretical progress but no proof-of-concept bill yet demonstrated.

The quantum memory problem

Even the original Wiesner scheme requires a quantum memory that holds coherent qubits for the lifetime of the bill in circulation — months to years. Current technology:

Six hours is a breakthrough but still twelve orders of magnitude short of the years a banknote needs. Until room-temperature, low-cost quantum memory crosses the years barrier, quantum money is a thought experiment.

The memory requirement is what makes quantum money fundamentally different from quantum key distribution (BB84). In QKD, the qubits are used immediately — transmit, measure, done — and decoherence during the protocol (microseconds to seconds) is all that matters. In quantum money, the qubits sit on a bill for years. BB84 is implementable today; quantum money is not.

Quantum lightning

A variant of public-key quantum money due to Zhandry (2019): a scheme in which not only can nobody forge a bill, but the bank itself cannot. Formally, quantum lightning is a scheme where a bolt (a quantum state) is tied to a classical serial number in such a way that the probability of producing two bolts with the same serial is negligible, even for the mint.

This is a stronger property than standard quantum money and connects to deep questions in post-quantum cryptography. Constructions require non-standard assumptions (collision-resistant hash functions in the quantum random oracle model, or similar), and no quantum lightning scheme has been implemented to date.

The historical story — Wiesner's suppressed manuscript

Stephen Wiesner wrote Conjugate Coding as a first-year graduate student at Columbia, around 1969-1970. He circulated the manuscript to the physics and computer-science communities. It was rejected by at least three major journals, who considered the subject neither physics (no experiment) nor computer science (not yet a recognisable theoretical computer science problem).

Charles Bennett read the manuscript at Columbia and kept a copy. When Bennett and Brassard proposed BB84 quantum key distribution in 1984, they explicitly built on Wiesner's conjugate-coding idea. In 1983, Bennett persuaded Wiesner to submit the manuscript to SIGACT News (the ACM newsletter for theoretical computer science), where it was finally published with minor editing [1] — thirteen years after it was written.

By the time of publication, Wiesner had left physics and was working as a construction worker and labourer in Israel. He did not return to quantum information research. His 1970 manuscript, however, is now recognised as the founding document of quantum cryptography. Every modern quantum-cryptographic protocol — BB84, E91, B92, the entire post-2000 quantum-key-distribution tree — descends from it.

The historical lesson is not about Wiesner but about how foundational ideas often look to their first audiences. "Is this physics? Is this computer science? Is it applied? Is it theoretical?" The answer was "none, and all, and none of the existing fields had a home for it yet." Thirteen years later, those fields existed — in part because of Wiesner's manuscript.

Quantum money and India's National Quantum Mission

India's National Quantum Mission (₹6003 crore, 2023–2031) is organised around four pillars: quantum computation, quantum communication (including QKD), quantum sensing, and quantum materials. Quantum money does not appear as a named pillar, but the underlying technologies — long-lived quantum memories, single-photon sources, high-fidelity state preparation — overlap directly with both QKD and any future quantum-money deployment.

Institutes with active quantum-memory work include Raman Research Institute, Bengaluru (rare-earth doped crystals; photon-storage protocols), Tata Institute of Fundamental Research, Mumbai (trapped-ion and superconducting qubits), IIT Madras (atomic ensembles and quantum optics), and IIT Delhi (diamond NV centres). A practical near-term Indian deployment of quantum money remains unlikely for the reasons above (memory coherence times), but the base technology is being developed, and India has a reasonable chance of contributing to public-key quantum money proofs of concept within the mission's eight-year horizon.

RBI (Reserve Bank of India) has not published a policy on quantum cryptography for banknotes, though it has begun looking at post-quantum cryptographic standards for UPI and Aadhaar-based payment systems — a much nearer-term concern driven by the threat of Shor's algorithm to RSA/ECC signatures.

Where this leads next

References

  1. Stephen Wiesner, Conjugate Coding (written ~1970, published 1983) — SIGACT News 15(1):78–88. The founding manuscript of quantum cryptography. Wikipedia summary with historical context: Quantum money.
  2. Farhi, Gosset, Hassidim, Lutomirski, Shor, Quantum Money from Knots (2012) — arXiv:1004.5127. A public-key quantum money scheme based on knot polynomials.
  3. Scott Aaronson and Paul Christiano, Quantum Money from Hidden Subspaces (2012) — arXiv:1203.4740. Oracle-secure public-key quantum money; the most-cited modern construction.
  4. John Preskill, Lecture Notes on Quantum Computation, Ch. 4 (quantum cryptography) — theory.caltech.edu/~preskill/ph229. Pedagogical treatment of Wiesner's scheme and its descendants.
  5. Nielsen and Chuang, Quantum Computation and Quantum Information (2010), §12.6 — Cambridge. Conjugate coding and the no-cloning basis of quantum cryptography.
  6. Government of India, National Quantum Mission mission document — the ₹6003-crore, eight-year Indian quantum programme covering the hardware on which quantum cryptography rests.