Energy efficient mining on a quantum-enabled blockchain using light

We outline a quantum-enabled blockchain architecture based on a consortium of quantum servers. The network is hybridised, utilising digital systems for sharing and processing classical information combined with a fibre--optic infrastructure and quantum devices for transmitting and processing quantum information. We deliver an energy efficient interactive mining protocol enacted between clients and servers which uses quantum information encoded in light and removes the need for trust in network infrastructure. Instead, clients on the network need only trust the transparent network code, and that their devices adhere to the rules of quantum physics. To demonstrate the energy efficiency of the mining protocol, we elaborate upon the results of two previous experiments (one performed over 1km of optical fibre) as applied to this work. Finally, we address some key vulnerabilities, explore open questions, and observe forward--compatibility with the quantum internet and quantum computing technologies.


Introduction
Blockchain technology has shown potential for transforming traditional industry with its key characteristics of decentralization, transparency, persistency, and auditability. Despite the great potential of blockchain, it faces numerous challenges, which limit the wide use of blockchain technology. For example, the energy consumption of the Bitcoin blockchain 1, 2, 3 has been predicted to eclipse total global energy consumption by 2020. 4 Blockchain technology also faces issues with security, privacy, and scalability. Blockchain consensus faces challenges too, for example, some popular proof-of-work 5 algorithms result in energy waste 6 whereas proof-of-stake 7 may result in resource or wealth concentration. 8 As a result, fundamental redesign of blockchain architectures may be required to ensure the technology is capable of widespread acceptance whilst retaining its attractive qualities. 9,10 This work is a contribution in that direction, which explores mining new blocks on a quantum-enabled blockchain using light generated by energy efficient quantum optical devices (See Figure 1 for a conceptual overview). Quantum optical devices are a new type of network infrastructure for secure transmission and processing of quantum information. These devices offer advantages over traditional network infrastructures due to the fact that the information is transmitted, encoded, and decoded using physical systems which adhere to the laws of quantum physics. Quantum optical devices operate at the single photon level, where a photon is the smallest permissible unit of light. Formally, a single bit of quantum information is called a quantum bit, or qubit, and in the case of optical encodings, information is encoded onto a photonic qubit using degrees of freedom which correspond to physical parameters of the photon (e.g. polarization, angular momentum, spatial mode, or a combination 11 ). This optical encoding, when paired with the quantum properties of qubits, guarantees an inherent protection against eavesdropping, 12,13,14 affords compatibility with quantum computing, 15,16,17,18,19 and permits secure information distribution and information teleportation on optical networks. 20  Clients and servers participate in an energy efficient interactive mining protocol for generating and committing entanglement as a resource towards securing a blockchain. In (a), servers announce candidate blocks to a pool of clients who verify blocks against verification criteria.
In (b), authenticated clients may participate in block mining through an interactive protocol.
Upon successful mining, the block is admitted into a consensus round for inclusion into the blockchain. Importantly, the physical network infrastructure is considered untrusted by the clients in the mining round, which includes the consortium of quantum servers. The authentication, mining, and consensus protocols are designed to detect malicious actions on behalf of the consortium and incentivise honest behaviours, such that quantum servers are held publicly accountable to act in the best interests of clients on the network. See main text for details.
Tests of this new infrastructure have proven the robustness of quantum optical devices in real-world scenarios. Some recent examples include quantum key distribution, 26, 27, 28, 29, 30 31 quantum verification, 32,33,34,35 and mobile quantum communication protocols, 36, 37, 38, 39 40 all of which are compatible with existing telecommunication networks. 41,42,43 Here, we present a means of integrating quantum optical devices into a blockchain architecture, and deliver an interactive quantum protocol designed for energy efficient mining on a blockchain using light, namely using entanglement as a resource for securing new blocks on a blockchain, which we term proof of entanglement (PoE). Entanglement is a new kind of resource that is as real as energy, 44 with applications in communication, cryptography, computation, and information distribution technologies.
In this work, we elaborate upon results from two previous proof-in-principle experiments, and explore how the PoE mining protocol may be readily implemented with a Sagnac interferometer, 45,46,47 functioning, in this case, as a quantum server. The role of the quantum server is to generate entanglement, encoded in photonic qubits, which is sent to clients on the network via direct fibre link. This approach to blockchain redesign with quantum compatibility in mind contrasts starkly with contemporary trends in information technology, whereby developers resist emerging quantum technologies (like quantum computing) by implementing "quantum-resistant" protocols and algorithms on traditional (i.e. non-quantum) platforms. 48,49,50 By presenting an alternative blockchain architecture, we hope to promote further investigation into issues and advantages of novel quantum-enabled blockchain protocols, 51,52,53,54,55,56 and more generally, offer insight into the process of mapping traditional scientific computing technologies onto newly emerging quantum technologies. 57,58,59,60,61,62

Structure of paper
In Section 3, we explore the connection between entanglement and trust. In Section 4, we detail the architecture and devices which support authentication, mining, and consensus on the quantum-enabled blockchain. In Section 5, we deliver our main result, the proofof-entanglement mining protocol. In Section 6 we explore the results of two previous proof-in-principle experiments which support a preliminary energy efficiency analysis of the network and protocol. Section 7 offers a discussion and analysis of vulnerabilities. Section 8 concludes the work.

Entanglement and trust
In 1935, researchers began exploring the notion that a pair of physical systems separated by vast distances might instantaneously influence one other. This idea sprouted from the mathematical formalism of the newly emerging quantum theory, and caused a great deal of controversy. 63 At the time, the strangeness of the predicted phenomenon caused Einstein to reject the possibility of such occurrences, under the assertion that the emerging quantum theory must be incomplete. 64 Since then, experimental investigations into the phenomenon of entanglement have rigorously proven and characterised the effect, 65,66,67,68,69,70,71,72,73,74,75,76,77 and today, entanglement is placed as the "missing link" for the unification of quantum theory and gravity. 78,79,80,81 Along the way, physical devices and algorithms have been developed in laboratories all over the world which have directly tested the existence and utility of the phenomenon. Recently, the devices involved in such tests have undergone rapid technological advancement, 82,83,84,85,86 and the majority of components, which typically consist of commercially available arrangements of lasers, mirrors, nonlinear crystals, optical detectors, and integrated photonic devices, have experienced reduced manufacturing costs and increased availability. 87 Interestingly, the interplay between the phenomenon of entanglement and the physical devices used in testing the existence of the phenomenon has also been the subject of intense research. These research outcomes have demonstrated that entanglement can be used as an indicator of device trustworthiness, such that, under appropriate circumstances, if entanglement is observed, then a device's behaviour may be certified as trustworthy. 88,89,90,91,92,93 This is termed device-independent entanglement verification, and is a powerful and practical application borne from research into the field of quantum information science. In these applications, initially untrusted pairs of non-communicating devices participate in a protocol which monitors the device's inputs and outputs, and, irrespective of the devices functionality, enacts a trust-test on the device's behaviour based upon the experimental data which may guarantee a correct and therefore trusted functionality. The confirmation of trustworthiness certifies that the devices physically interact with an entangled resource in such a way that the resultant correlations observed in the experimental data cannot be recreated or emulated by any arrangement of non-communicating analogue, digital, or quantum systems. 94 Thus, the devices either yield a correct and secure result, or the trust-test detects that the devices are insecure (either working incorrectly or are under the control of a dishonest party), and any subsequent protocols (which may deal with valuable, sensitive, or private information) are aborted. Such protocols are highly desirable for practical implementation as they provide a higher level of security, unachievable by traditional systems. Here, we apply this technology towards developing blockchain-specific protocols which are energy efficient and secure against general adversaries.

Devices and architecture of the quantum-enabled blockchain
The architecture we propose consists of i) a network consortium of quantum servers, comprised of quantum optical devices which generate light for encoding quantum information, ii) a pool of clients whom operate quantum modems for decoding quantum information stored in light, and iii) an optical fibre network which connects the client's quantum modems to the quantum servers. We assume a cryptographic scenario whereby the quantum servers and modems operate from secure environments which prevent unwanted information leakage. To communicate between one another, the servers and clients utilise insecure but authenticated classical channels and authenticated quantum channels (Figure 2(a)). The servers and clients are able to process classical information in a trusted way within their secure environment. Devices used for processing quantum information are assumed to operate in accordance with the laws of quantum physics, however in the mining round, no assumptions are made about the quantum servers or network infrastructure. An adversary may access (but not modify) classical information shared between the server and client, and may access and modify quantum information shared between them. An adversary is assumed complete knowledge of the authentication, mining, and consensus protocols, but does not have access to the random data generated by the client in their secure environment (except for information deduced from what they make public). Figure 2 (b) summarizes the network devices, device subsystems, and device's trust statuses, with quantum servers consisting of i) an attenuated and modulated laser source (for client authentication, described below), ii) a high-quality source of two-qubit photonic entanglement, iii) a device for performing measurements upon photonic qubits generated by the entanglement source, and iv) a source of randomness, for example, a quantum random number generator 95 (QRNG). Quantum modems contain i) an embedded photonic key and spatial light modulators (for client authentication, described below), ii) a measurement device for performing measurements upon photonic qubits, and iii) a QRNG, or a trusted and secure pseudo-random number generator.
Blockchain consensus protocols undertaken by a consortium of trusted entities have received little treatment in literature, but are of considerable interest in practice, with mainstream financial institutions actively exploring their use. 96 Traditionally, in a public blockchain everyone can participate in the consensus process. In a consortium blockchain, only a subset of "nodes", or in this case, quantum servers, are selected to participate in consensus. However, in the consortium blockchain architecture we propose, the consortium is considered untrusted at the start of each round of block creation, and must be publicly See main text for details. elected by network clients through successful interactions in the mining round in order to qualify for the consensus round. In this way, clients trust only their own personal devices and the transparent network code. We now explore the details of block creation, which consists of an authentication round, mining round, and consensus round. 4.1. Authentication Round-The authentication round utilises a decoy-state variant of the quantum secure authentication (QSA) protocol, 97,98,99 allowing for hardware-based authentication of clients.The QSA protocol is a quantum cryptographic security primitive for the purposes of identification, authentication, read-proof key storage, key distribution, tamper detection, anti-counterfeiting, software-to-hardware binding, and trusted computing. Formally, the QSA protocol does not rely upon pre-shared secrets or seed keys, does not depend on the secrecy of stored data, does not depend on unproven mathematical assumptions, affords tamper resistance of devices, and is straightforward to implement with current technology (see Appendix A for additional information). The QSA protocol utilises photonic qubits (or more generally, quantum states of light), generated by a quantum server and sent, via a quantum communication channel, to a client-controlled quantum modem. The modems store an embedded photonic key, formally referred to as a physically unclonable key, which are optically addressed and read using quantum states of light. Each photonic key is uniquely random by design, and is impossible to clone, spoof, or copy. 100,101,102 Using quantum readout of physically unclonable keys guarantees accurate real-time verification and makes spoofing fundamentally difficult due to the no-cloning theorem of quantum physics. 103 By utilising the quantum secure authentication protocol, vulnerability to the Sybil attack 104 is diminished as entry to the network is physically gated, incurring a resource cost in the case of multiple pseudonyms attributed to the same individual. As well as functioning as a secure hardware-based authenticator, the integrated photonic key may also serve as a physical address which can be uniquely attributed to a client on the network, allowing provision for dues paying or rewards to physical addresses that build a trustworthy reputation, and may be used in conjunction with a root seed for generating hierarchical deterministic wallets. 105 4.2. Mining Round-After authentication, the mining round utilises a variant of the EPR steering protocol, 106, 107, 108 termed the PoE protocol, which acts as an entanglement witness and trust-test on the behaviour of a quantum server in the consortium (described in detail below). The PoE protocol is interactive, and requires that the quantum server engage with clients on the network to generate the resource (entanglement or cumulative trust) for securing the blockchain, forming an example of resource-efficient mining. 109 At the start of a new mining round, each quantum server announces a candidate block. Clients observe the announcements and, pending successful block verification, nominate themselves to participate in block mining. Clients are free to choose which servers to interact with (provided they reside within the region of server coverage) and work to elect servers into the voting round based upon i) the validity of the candidate block (agreement with block verification metrics), ii) the reputation of the quantum server (historical performance), iii) the throughput of the quantum server (i.e. rate of entanglement generation), and iv) connection availability (server proximity and reliability). Servers then assemble a team of unique clients, self-nominated for mining (termed miners), to interactively generate and accumulate entanglement. Success in the mining round depends upon how much entanglement is generated by servers amongst their team of unique clients within the mining window. Quantum servers are thus incentivised to construct viable mining teams (in accordance with any construction metrics or regulations) and cultivate a reputation for honest behaviour. The subset of quantum servers in the consortium who "win" the mining round are then permitted to participate in the subsequent consensus round.
4.3. Consensus Round-The results of the mining round determine which subset of quantum servers in the consortium are elected into the consensus round. The number of servers in the subset are determined by network protocol, only their identities change from round to round. We explore a consensus mechanism based upon a modified delegated Byzantine fault tolerant protocol 110 (BFT) for securing new blocks and achieving decentralised consensus on the quantum-enabled blockchain. We choose a modified delegated BFT consensus protocol as it retains an element of decentralisation through interactive mining and circumvents the creation of branches off the main chain. Quantum servers that move into the consensus round are therefore always obligated to append newly mined blocks to the main chain with the most cumulative invested entanglement (or trust) recorded via PoE, and due to the mechanism of publicly electing delegates, the fate of the main chain is democratically guided as quantum servers must earn the right to vote in the consensus round through successful interactions with clients. Consensus finality (also referred to as forward security 111 ) is satisfied by all BFT and state-machine replication protocols, 112 and BFT is resistant to server outages or arbitrarily long periods of asynchrony. 113 Here, consensus finality is a property which guarantees that blocks cannot be removed from the chain once added, 114,115 facilitating rapid confirmation and inclusions of transactions into the blockchain once candidate blocks have been successfully mined. Upon initiation of the consensus round, one of the servers in the subset is nominated as a "speaker", with the remainder of servers presiding as "delegates", who are tasked with voting against the speaker's nomination. The speaker's nomination consists of the candidate block, mined by clients in the mining round, which the speaker presents on behalf of the clients for consideration by the consortium. Provided 66% of servers vote honestly, consensus will be reached. If the nomination and accompanying PoE are valid, then the block will be included in the chain. If the speaker's nomination is detected as being illegitimate (e.g. the speaker nominates a block with an invalid or falsified PoE), then the consensus round automatically starts anew, with a new speaker elected and the original speaker incurring a reputation loss and demotion to the role of delegate for that round. Section 7 covers potential attack vectors in more detail.

5.
The "proof-of-entanglement" mining protocol 5.1. Protocol background, assumptions, and characteristics-We now discuss the mining protocol in more detail. Candidate data blocks are announced to the network by quantum servers in the consortium, spreading to clients via the gossip protocol. The blocks must be compiled according to the network ruleset, consisting of a cryptographic hash of relevant information (e.g. recent transactions, code for smart contracts, digital media tags, etc.), which a quantum server recommends for inclusion into the blockchain data structure. Clients check the candidate blocks against key block verification criteria, and upon successful verification, will nominate themselves as miners for that block and wait to be placed in a mining team.
As clients are drawn from the mining team, one by one, they will participate in the interactive mining protocol to test measurement data (generated between their quantum modem and the quantum server) for quantum correlations which, importantly, cannot be faked (provided the clients satisfy criteria for one-sided device-independence, described below). Tests of quantum correlations (or tests of "quantumness") arise due to physical interactions with entangled quantum systems, and are witnessed by mathematical inequalities. These inequalities are derived from constraints imposed upon probability distributions which quantify the degree of maximum classical correlation allowed under the assumptions of realism (from objective determinism) and locality (from relativity). These mathematical inequalities are well studied (for example, Clauser-Horne-Shimony-Holt inequalities 116 or EPR-steering inequalities) and are known to act as an entanglement witness, allowing, in this case, a quantum server to prove honest distribution of entanglement to clients. For honest interactions, the entanglement generated in the mining round may then be "invested" towards securing the blockchain data structure in the subsequent consensus round. Dishonest interactions, which may attempt to fabricate entanglement by distributing unentangled qubits, falsify timestamps, or utilise Sybil or pre-mine attacks, are either detected or prohibited by the protocol, and are explored below in Section 7.
Formally, in the case of the mining protocol delivered here, the trust-test performed against the quantum server will meet the requirements for one-sided device-independence provided that i) the data produced by the client's device is the result of measurements performed upon photonic qubits (this may be verified using measurement data from the authentication round), ii) the client's device does not leak information (a standard cryptographic assumption, which may be enforced with proper device design and tamper detection), iii) measurement inputs on the client side are uniquely generated at the time of measurement by random and unpredictable processes (enacted with a QRNG), and iv) detection efficiencies of relevant parties are properly considered and accounted for (in this case, via client-side tests of loss-tolerant EPR-steering inequalities). Appendix B elaborates on the specific safeguards required for observing device-independent entanglement witnesses. By ensuring the requirements for one-sided device independent entanglement verification are met, clients may interact with the blockchain whilst assuming nothing about the operation or makeup of external servers or infrastructure. Furthermore, clients trust the transparent network code, which formally acts as a third party, but in the case of EPR steering inequalities simply amounts to clients trusting themselves. 117 Put differently, clients with limited "quantum powers" (namely, the ability to perform measurements upon photonic qubits) can use the mining protocol to monitor and verify the actions of quantum servers such that any deviations from trustworthy behaviour are easily detectable.

(?)
Optical Switch (no assumptions about physical implementation)

Entangled source
Step 1 Fig. 3. The PoE mining protocol, undertaken between a quantum server and client. Step numeration coincides with the steps of the PoE mining protocol outlined in the main text. In this example, the measurement device utilised by the client is assumed to perform polarisation measurements upon photonic qubits.
5.2. PoE mining protocol-One at a time, miners will be drawn from the mining team to participate in the interactive mining protocol, which proceeds as follows (Figure 3): Step 1. A miner u i is drawn from the mining team {u i } m , where m is the total number of miners in the team. Each miner is accompanied by metadata which informs the quantum server of key parameters (e.g. physical address, reputation, measurement strategy).
Step 2. The quantum server announces that it has transmitted a photonic qubit to the miner.
Step 3. The miner generates a random measurement input for their device. This input is generated by reading the bitwise output from the client's QRNG. The output is combined under modulo addition with the bit value (or values, depending on measurement strategy) of the candidate block hash nominated by the quantum server for mining. This forms the measurement input, which tethers the hash of the candidate block to the PoE in a random way that can be validated at a later time by studying the measurement data.
Step 4. The client announces their choice of measurement input k generated in Step 3 to the quantum server and performs a measurement upon the photonic qubit.
Step 5. The client privately records the measurement outcome B k .
Step 6. The quantum server announces a measurement outcome A k . Although no assumptions are made about the workings of the quantum server, correlated results will appear between the client's secretly recorded B k and the server's announced A k , provided entanglement is present between the quantum server and client.
Step 7. Steps 2-6 are repeated until sufficient statistics are collected for the chosen measurement strategy. The measurement duration for each setting is tuned according to the client's detection efficiency, to ensure the minimisation of statistical errors.
Step 8. The client calculates the heralding efficiency η of the quantum server and the EPR steering parameter S n (Equation 1, below) from the measurement data, and checks the calculated parameters against the inequality bound C n (η) required for entanglement verification (explored below). If the calculated EPR steering parameter does not exceed the bound required for entanglement verification, the network records a null event for that iteration (potentially incurring a reputation loss against the server) and the next miner is called in from Step 1. If a quantum server consistently fails to certify the presence of entanglement, it will be flagged for maintenance and may incur a reputation loss.
Step 9. If the EPR steering parameter exceeds the bound required for entanglement, the inequality successfully witnesses entanglement. The resultant PoE and measurement data required for the verification (e.g. S n , η) are appended to the block and attributed to the client u i .
Step 10. A new client is drawn from the team {u i } m , and Steps 1-9 are repeated until m clients have witnessed entanglement generation of the quantum server.
The PoE uniquely ties the entanglement investment to the candidate block, and upon exhausting its team of miners (or upon closure of the mining window), the quantum server announces it's accumulation of PoE for that round, such that the results cannot be modified without re-doing the PoE. Thus, if the quantum server is elected as speaker in the voting round, the server is obligated to nominate it's newly mined candidate block. The PoE is easily verified simply by running the measurement data through the verification witness to ensure that the key parameters S n (η) and η generated in the mining round observe entanglement. Here, the one-way functionality in resource expenditure, which is traditionally observed in proof-of-work systems, is also preserved via PoE, since generating the PoE requires physical interaction with an entangled quantum resource ("resource intensive"), but requires no physical interaction to certify the "quantumness" of the resultant verifier data ("resource light").

Energy cost and scalability analysis
Demonstrating transmission of entanglement over a channel such as an optical fiber is important for real-world viability of the PoE protocol. Thus, we utilise the results of two previous proof-in-principle experiments implemented with a polarization Sagnac interferometer (Figure 4) to demonstrate the robustness and energy efficiency of the protocol. In the first experiment, a lossy channel was inserted into the entanglement source to test the validity of the one-sided device independent entanglement verification protocol, even in cases of extreme photon loss. 118 This test characterised and addressed vulnerabilities in the entanglement verification protocol which might otherwise be used to exploit photon loss (on the "server" side) for fabricating entanglement. In the second experiment, a lossy channel was inserted between the output of the entanglement source (the "server") and the detection apparatus (the "client"), closely mimicking a real-world client-server configuration. 119 In this second test, the client trusted their own measurement device (equivalent to a simplified quantum modem), and holds the entanglement source (equivalent to a simplified quantum server) accountable to demonstrate honest behaviour by overcoming the inequality constraints placed upon the server's reported efficiencies tested in the first experiment. In implementing the PoE protocol, the client trusts their own device, so that protocol iterations which fail to detect a photonic qubit are safely discarded. However, the client cannot trust any claims the server makes about the propagation losses or the efficiency of its detectors. In particular, the client does not trust the server's claims about how often it sees a photonic qubit, conditional on the client's detecting one. Rather, the client makes use only of the server's heralding efficiency η: the probability that the server heralds the client's result by declaring a measurement outcome (or equivalently, nonzero prediction) A k for it. The quantity η is determined by the client wholly from the publicly announced frequencies of events to which the client (and the network) has direct access. The key result is that the client can circumvent loss-dependent vulnerabilities, even in the presence of arbitrarily high loss, by computing the witness S n based upon the shared correlations from the inequality and observing that the inequality is violated, thereby signifying entanglement. Here, the bound C n (η) is derived by the client, who in doing so, utilises the optimal cheating strategy available to the server for the observed efficiency and pre-determined measurement strategy {σ B k } n . The client's quantum mechanical measurement operator, denotedσ B k , defines their randomly selected choice of measurement setting k drawn from the pre-determined set. In our experimental demonstrations, these operators define projective polarization measurements, which in the formalism of optical quantum theory, map an incident qubit (optically encoded in polarization) onto a polarization measurement basis defined by the transmission and reflection ports of a polarizing beam splitter.
We utilise the results of the two previous experiments as an analysis and simulation of mining via PoE. To ensure a good signal-to-noise ratio of detection events on the client side, the photonic qubit detection rate was optimised to between ≈3000-6000 detection events per second. The total energy consumption used by the devices in the entanglement verification stage is estimated at 86W for the quantum server, which consisted of (not including passive optical elements, which do not consume electricity) two photon detectors (Perkin Elmer SPCM-AQR-14-FC), one temperature control unit (Thorlabs TEC200C), two waveplate controllers (Newport PR50CC), one continuous-wave laser (Toptica iBeam 405nm), and one coincidence electronics unit (UQDevices FPGA). The energy consumption for the client is estimated at 19W, consisting of one detector (Perkin Elmer SPCM-AQR-14-FC) and two waveplate controllers (Newport PR50CC). This measure of energy consumption excludes the energy costs associated with the PCs required to run the equipment, since PCs are assumed to be a pre-existing component in a server/client infrastructure. The devices considered in our analysis are simply those needed to upgrade an existing digital system infrastructure to include quantum capability. At any given moment, the rate of energy delivery per quantum server running the interactive PoE protocol with a client is estimated at 105W. For our energy cost analysis, assuming continuous operation over a 24 hour period and a 10 minute block mining window, the PoE protocol is predicted to service between 288 to 2880 clients (2 to 20 clients per mining team, randomly selected) who interactively mine 144 new blocks. Assuming energy efficient quantum servers with entanglement generation rates between those we tested (3000 entangled photon pairs per second) up to quantum servers based upon the latest integrated photonic technologies (6 × 10 7 photon pairs per second 120 ), each server can be expected to reliably service clients via direct fibre link in a 1km to 50km radius (assuming optical fiber transmission losses of 0.5dB/km, coupling losses of 80%, and detection losses of 50%). Assuming a consortium testnet of 2000 quantum servers, the energy consumption based on interactive mining via the PoE protocol is of order 210kW. Using specially designed hardware, renewable energy sources, and further optimising server throughput will help to keep energy consumption low, with the added bonus of forward-compatibility with a quantum internet and optical quantum computing technologies.

Discussion and analysis of vulnerabilities
We note that in a real-world implementation, the client must choose their measurement settings independently from one iteration of the mining protocol to the next, and safeguards must be in place to ensure that no information escapes from the client's devices unless they allow it. As these are standard assumptions in cryptographic proofs, these safeguards were not imposed in the previous experimental demonstrations. In addition, since we (the experimenters) controlled the server's implementation of honest or dishonest strategies, there was no need to enforce a strict time ordering of events. In a field deployment, the protocol requires that the client only accepts the server's announcements A k after the client measures their photonic qubit and declares their measurement setting k, in accordance with the PoE protocol described.
This latter requirement circumvents a potential vulnerability, exploitable by a quantum server, based upon falsified announcements of entanglement generation and fabricated qubit encodings which might allow a server to fabricate entanglement (termed a cheating strategy in literature). However, successfully exploiting these vulnerabilities requires that the server either: a) knows the variables determining the behaviour of the client's QRNG, or b) violates backward non-signalling, 121 whereby the server is able to send encoding information backwards in time to a photonic qubit ( Figure 5). In the case of the former (a), access to these variables was proven impossible in 1964 by Bell,122 who demonstrated that such variables do not exist for quantum systems, meaning no adversary can predict measurement outcomes prior to a measurement being made (called measurement-independence, see Appendix B). And in the latter case (b), signalling encoding information backwards in time for use in a cheating strategy based upon fabricated qubit encodings amounts to a violation of the standard assumption of locality (in relativistic mechanics, faster than light signalling and signalling backwards in time are indistinguishable). Thus, provided no information leaks out of the client's device, and the client's device performs measurements upon photonic qubits to test loss-tolerant EPR steering inequalities, the PoE will generate data that cannot be simulated or spoofed by a quantum server. This distinction of "quantumness" means that, as long as an inequality violation is observed, we have the guarauntee, independently of any implementation details on the server side, that the two systems measured by the client and server are entangled.
The risk of a traditional pre-mine attack against the network is diminished by infrastructure cost due to the interactive nature of the mining protocol. Because real data generated in a genuine round of block creation can be distinguished from attempted simulations of the required data, an attacker planning a pre-mine attack will need to collude with a large pool of clients to stage a Sybil attack, with each client needing their own quantum modem and photonic key. Furthermore, if mining pool construction demands a random selection of clients, an attacker would need to wait for an optimal mining team assemblage. This means an attacker planning a Sybil attack would be better incentivised to act as an honest participant. By ensuring the identities of quantum server operators/administrators are publicly known and certified prior to entry to the consortium and for participation in consensus via BFT, double spend attacks may be detected, recorded, and prevented in the consensus round (also at the start of the round of block creation through block verification by clients), provided two thirds of quantum servers on the network are acting honestly and serving the best interests of the network. Heavy increases in the throughput of a quantum server (in terms of entanglement generation rates) allows servers to overcome transmission losses more easily whilst remaining publicly accountable and limited in their capacity to arbitrarily command network consensus. This allows for an increased area of coverage and/or greater flexibility in constructing mining teams, which due to the interactive nature of the mining protocol, benefits clients too.
Other factors which affect mining rates include detection efficiencies, transmission loss, coupling efficiencies, measurement strategy, and the switching rate between measurement settings. To optimise network performance and ensure fair competition between servers, a provider might impose reward restrictions or sanctions against a subset of high-performance quantum servers, or choose to implement composition rules for constructing mining teams, opting for completely general mining (maximum competition and freedom amongst servers), standardised mining (some competition and restricted freedoms), or restricted mining (collaborative and regulated). Servers which perform well may build a strong reputation and potentially be rewarded, depending on the network objectives and ruleset. Measurements are denoted using pink (quantum server) and blue (client) crosses. Classical data is communicated with dashed lines in accordance with the mining protocol (main text).
Secret data is communicated with solid lines. Purple shading represents times during which the quantum server is able to transmit a photonic qubit, within the limitations of the protocol, to the client. Green shading represents times during which the server may announce measurement outcomes A k (recorded by the client after they perform their measurement). In (b), so-called cheating strategies are considered which permit false announcements, falsified timestamps, and fabricated qubit encodings (pink disk), which a server might utilise in an attempt to fabricate entanglement. Successful attempts require violating backwards non-signalling (A) or measurement-independence (B). See main text for details.
As a final commentary, at a high level, the quantum-enabled blockchain architecture we consider aims to incorporate four systems which work together to enable and incentivize trustworthy behaviour, these being 123 : morals, reputation, institutions, and security. The first two systems, morals and reputation, are supported through a system of peer-to-peer trust, whereby clients and servers come to trust one another through public interactions and build a reputation for honest behaviour. 124 The third system, institutions, traditionally have rules, contracts, and laws which formalize reputation and encourage people to behave according to the group norm (and enact sanctions against those who do not). The institutional trust system, supplanted by transparent network code, allows parties that don't trust each other (i.e. server/client pairs) to enter into an agreement through mutual trust in an overarching system of rules, laws, or logic that will help resolve disputes (implementing, for instance, protocols based upon the validity of relativity and quantum physics). The fourth system for incentivizing trustworthy behaviour, security systems, encompasses the wide variety of available security technologies used for detecting tampering, detecting device faults, detecting eavesdropping, ensuring records are immutable and auditable, ensuring anti-counterfeiting, and ensuring privacy through secure authentication and encryption technologies.
Blockchain technology allows developers to shift some of the trust in people and institutions to trust in technology. However, any evaluation of the security of the system has to take the whole socio-technical system into account. 125 In architectures which carry financial and social implications or consider social dynamics, it is not enough to focus solely on the technology and ignore the social element, as network trust can't be entirely replaced by algorithms and protocols. There is a social system too, where decisions in that system may be informed by accountability and reputation. Therefore, in this work, we aim to establish a network architecture whereby use of the network strengthens existing trust relationships. We aim to implement a trust model whereby abuses of trust do not incur irreversible damages to those exploited, but do incur reputation penalties for offenders. We argue that the system architecture we explore, were it not to utilise a blockchain architecture, would lack the flexibility required to support a broader social context which may utilise metrics for decision making and for quantifying accountability and reputation.

Conclusion
Here we have presented an interactive mining protocol for energy efficient mining on a quantum-enabled consortium blockchain. The architecture is designed to ensure that the consortium behaves in the best interest of the network, removing the need for trust in server operators or network administrators in the mining round. Instead, clients on the network need only trust the network code and their own devices, and the consortium is held accountable to act in accordance with the network ruleset. We explore the use of a quantum-secure authentication protocol for authenticating clients, hardware, and communication channels, for physical addressing, for prevention against a Sybil attack and for tamper detection of devices. The tamper detection supports the assumption that devices do not leak information and that devices function according to the rules of quantum mechanics, which permits the use of entanglement as a resource for securing the blockchain data structure through an interactive mining protocol.
Many potential improvements remain. The possibilities and ultimate limitations of a quantum-enabled blockchain remain largely unexplored, including benchmarks for transaction throughput, exploring alternative consensus mechanisms (for instance, those which allow for chain forks), alternative mining protocols, latency and storage optimisations, optimal signing and authentication schemes, optimal mining team construction algorithms, privacy, and a deep analysis of network vulnerabilities. We note that recent demonstrations of quantum-secured blockchain networks demonstrate the application of quantum digital signatures, 126 however, the architecture requires an additional infrastructure requirement, namely, that all quantum servers share quantum communication channels (i.e. optic fiber links) between one another, and furthermore does not address consensus. In future works, we plan to expand upon our proof-in-principle experimental demonstrations to include pro-motion into a voting round and quantum secure authentication capabilities, and additionally emphasise the scalability and compatibility of the quantum-enabled blockchain with current telecommunication infrastructure and emerging quantum technologies.
Looking forwards, there is a promising outlook for quantum networks and protocols, 127 128, 129, 130, 131, 132, 133 especially those which use limited infrastructures and supplement quantum computing. For instance, recent work on verifiable delegated quantum protocols 134, 135, 136 explore how clients with limited "quantum powers" -namely, the ability to perform measurements upon qubits, might interact with quantum technologies to verify the trustworthiness of data outputs. An example in the case of quantum computation is a client enacting a verifiable delegation protocol to ensure that an untrusted cloud-based quantum computer correctly performs encrypted quantum computations on behalf of a client. It may be useful to explore more deeply the utility of these kinds of protocols against untrusted quantum servers, and more generally to explore the utility of quantum modems for enacting verifiable delegated quantum protocols against quantum-enabled network infrastructures.
The quantum-enabled blockchain architecture we describe requires a fibre optic infrastructure, making the network challenging to implement on a large scale. However, the ability to witness entanglement in the presence of large losses opens new possibilities for security in long-range transmission of photonic entanglement over optical fiber, through free space, 137 or to a satellite. 138 The architecture we explore opens further avenues for quantum technologies in the blockchain space, with initial applications perhaps best suited for use in enterprise, due to the consortium architecture and ease of retrofitting short-to-medium range fibre optic interconnects. We expect this infrastructure would be particularly interesting to those with a vision for compatibility with quantum computing, the quantum internet, and the use of quantum cryptographic encryption protocols on a blockchain. 1.1. Background-In a real-world setting, the network ruleset for client authentication should meet modern cybersecurity standards for globally connected devices, 139 which naturally includes quantum optical devices embedded into a quantum-enabled blockchain. As a general rule, authentication mode should ensure 140 : i) All interactions between devices are mutually authenticated; ii) Continuous authentication is used when feasible and appropriate; iii) All communications between devices is encrypted; iv) Devices never trust unauthenticated data or code during boot-time; v) Devices are never permitted to run unauthorised code; vi) Devices never trust unauthenticated data during run-time; and vii) When used, cryptographic keys are protected, or are one-time use only (depending on protocol).

Notes and References
The integrity of QSA is guaranteed provided that 141 i) it is technically infeasible to make a physical clone of a photonic key, ii) an adversary is unable to apply arbitrary unitary transformations to high-dimensional quantum states with low losses (termed quantumcomputational unclonability 142 ), and iii) different challenges are allowed to be applied to the photonic key. The protocol utilises a challenge/response protocol 143 (i.e. round-by-round interaction between a client and quantum server). Clients request photonic challenges from the quantum servers, and due to the interactive nature of authentication and mining, it is in the best interest of quantum servers to support the authentication of clients. The QSA protocol is unique in that it results in an authenticated quantum channel, whilst circumventing the need for pre-shared secrets. This finds various applications, for example, in quantum key growing protocols 144 which may be used to generate symmetric encryption keys for quantum-safe communication without the need for pre-shared secrets.
1.2. Protocol overview-The photonic challenge is randomly chosen from a set of predetermined challenges, selected by the quantum server, and is sent to the client's quantum modem via a quantum communication channel for direct interaction with the client's photonic key. Interaction on the client side transforms the incident photonic challenge into a photonic response, which is detected on the client side. In accordance with the QSA protocol, the photonic response pairs uniquely with the photonic challenge, provided the challenge physically interacts with the correct photonic key. To guarantee accurate pairing, photonic keys are pre-characterised in a key enrolment stage, with each key requiring ≈50MB of characterisation data for accurate enrolment. Enrolment can be done in two ways: i) A certification authority or manufacturer enrols the key. In this case, a key identifier and a precise characterization of the key are entered into a publicly readable and tamper proof database (i.e the blockchain which the key will be used to access). Or, ii) a certificate authority signs a digital certificate containing the key identifier and characterization data. The certificate is then stored publicly, e.g. through inclusion to the blockchain. When a verifier wants to see if a certain key is authentic, the challenge-response behaviour is checked against the enrolled data, which in the case of quantum readout, does not require trust in the remote key reader. The authentication of the quantum channel is then based on the possession of a physical object, instead of knowledge of a pre-shared secret. An authentic detection event on the client side occurs when the response wavefront focusses cleanly onto an optical detector. The QSA protocol in its original form assumes that a client's quantum modem is immune to tampering, since an authentic detection event could be easily spoofed if the detector was illuminated in a way that appears consistent with correct authentication. However, the assumption of tampering immunity may be relaxed, provided that the quantum server is allowed to send decoy photonic challenges that are randomly and secretly mixed in with real photonic challenges. In this case, because a client is unable to infer whether an incident challenge is legitimate or a decoy (due to the no-cloning theorem of quantum physics), a dishonest client is left uncertain as to whether to correctly illuminate the detector on any given round. This addition of decoy challenges further protects the network from false authentications. Based on experimental demonstrations in literature, in the case of an honest client with a legitimate photonic key, ∼200-500 rounds of key interrogation via the challenge/response protocol is sufficient for successful authentication, with authentication concluding in ≈200ms-400ms (allowing provision for decoy photonic challenges), with false authentication rates of 1 in 100 billion.