How to make unforgeable money in generalised probabilistic theories

We discuss the possibility of creating money that is physically impossible to counterfeit. Of course, "physically impossible" is dependent on the theory that is a faithful description of nature. Currently there are several proposals for quantum money which have their security based on the validity of quantum mechanics. In this work, we examine Wiesner's money scheme in the framework of generalised probabilistic theories. This framework is broad enough to allow for essentially any potential theory of nature, provided that it admits an operational description. We prove that under a quantifiable version of the no-cloning theorem, one can create physical money which has an exponentially small chance of being counterfeited. Our proof relies on cone programming, a natural generalisation of semidefinite programming. Moreover, we discuss some of the difficulties that arise when considering non-quantum theories.


Introduction
Since the discovery of quantum physics, there has been an ongoing effort to understand the technological impact it may have. For example, it has been used to develop new technologies through a better control and understanding of microscopic systems, and, moreover, we are still trying to understand all of the information-theoretic advantages. That is, we strive to better understand how the 'weirdness' of the theory can be exploited for practical purposes. There are countless examples found in the studies of quantum computation, information processing, and cryptography, and more are being discovered every day. In this work, we focus on the important cryptographic task of creating money which is physically unforgeable.
The money we use in our day to day lives only has value because it is difficult to counterfeit. If we could easily duplicate it in some way then it would not take long before people were indeed taking advantage of this fact. Indeed, despite the best government efforts, it was estimated that around 3% of certain coins in the UK, for example, were counterfeits. As it stands it is a constant battle between those that design the coins and those that try to counterfeit them.
There are numerous protocols for creating quantum money, [1,15,25,33] to name a few. In fact, the very first cryptographic task using quantum information was a money scheme in Wiesner's seminal paper [33]. The key idea behind Wiesner's protocol, and those that followed, is that quantum theory could promise security based on the impossibility of cloning an unknown quantum state, and not on any technological limitations. In other words, security based on the laws of physics rather than the limited resources of the counterfeiters.
This however is not the strongest form of security that one could imagine: it is contingent on our current best guess regarding the underlying physics which describes the world. A more reliable form of security would be independent of a specific physical theory, and instead, be based on primitive physical principles that we may expect to hold regardless of the ultimate theory of nature. The framework of Generalised Probabilistic Theories (GPTs) provides an operational framework in which we can address such problems. For example the possibility of key distribution [6] and impossibility of bit commitment [8,31] have been demonstrated for a wide range of physical theories.
In this paper we explore the possibility of unforgeable money in the GPT framework. Not only does this offer the potential for a much stronger foundation on which to base cryptographic security, but, it allows us to gain insight into quantum protocols by highlighting the key features of quantum theory necessary for security.
To prove our main result, we rely on the use of cone programming, also called linear conic optimisation. Cone programming is a generalisation of semidefinite programming which is another class of optimisation problems which has seen many uses in quantum theory. The generalisation of semidefinite programming to cone programming mirrors that of quantum theory to GPTs. For this reason, cone programming is a natural tool to have handy when studying post-quantum theories. Although cone programming is a well-studied area of optimisation theory, it has only had a small number of applications in quantum theory [3,16,22,26,32] and in GPTs [2,14,19,21,31]. We hope this work will inspire future applications of cone programming in the study of GPTs and solidify it as an indispensable mathematical tool.

Unforgeable money: the idea
The idea behind the first quantum scheme for unforgeable money is quite simple: if a banknote contains unknown physical states, then the no-cloning theorem proves that the money cannot be duplicated. However, even within quantum theory there are some caveats. Due to the uncertainty principle, one cannot ascertain the exact state of a quantum system. Thus, one could imagine a perfect copy is not needed to counterfeit money, only the ability to cheat someone who might be testing if counterfeiting occurred (with a reasonable probability of success).
In Wiesner's original scheme [33], the bank randomly selects one of the following four qubits $|0\rangle$, $|1\rangle$, $|+\rangle$, $|-\rangle$ and embeds it into the banknote. When the holder of the banknote wants to verify the banknote is authentic, they tell the bank the serial number, then the bank looks up what the state should be, then measures to see if the state is intact. Indeed, there is a less-than-perfect chance of creating two banknotes which will each pass this verification. Intuitively, the more qubits the bank puts into the banknote, the harder it is to counterfeit. This intuition was later proven to be true in [25] through the use of semidefinite programming.
In this paper, we wish to see if something like the above holds in GPTs. Of course, one needs to define what the physical states are, and how the bank verifies them. Without going into detail yet, we just assume the bank embeds a physical state into the banknote, and independently verifies each copy individually. The bank's verification must be a physical process, and we desire it to be secure against all physically-realisable counterfeiting machines. Roughly speaking, let C represent the bank's entire strategy of creating and verifying a banknote, and let P be the set of all physical counterfeiting machines (not necessarily perfect ones). Then we would like to design a money scheme such that the following quantity is as small as possible: where C(X) denotes the probability that the two copies of the counterfeiter each pass the bank's verification procedure. We shortly introduce the physics required to establish meaningful definitions of C and P.

Background: Generalised probabilistic theories
We now introduce the mathematics of the framework for generalised probabilistic theories that we use in this paper (those familiar with this topic can skim this section for notation and proceed to Section 5). For simplicity we present the mathematical bare bones of the framework, but note that this can be derived from the basic operational ideas regarding the classical interface for a theory [29,30]. The framework we present here is closely related to many other approaches to generalised probabilistic theories (e.g., [5,12,17,23,24,27,28]), but, in particular to the work of [8] and [18] which also take a diagrammatic framework as a foundation.
The starting point for our framework is the notion of a process theory [10,11,29]. The key feature of a process theory is that it provides a diagrammatic representation of the theory. There are two primitive components of a process theory: physical systems, denoted by labeled wires, and physical processes which can have input and output systems, denoted as a labeled box with input wires at the bottom and output wires at the top. These processes can be 'wired together' to form diagrams, for example, (2) Such diagrams are themselves valid processes in the theory; in this case with a composite system AC as an input and BE as an output. Simply put, processes are closed under being wired together. Processes with no inputs (such as c in the above diagram) are called states, those with no outputs (such as b above) are called effects, and those with neither are simply called numbers. Numbers can be, for example, obtained when composing a state with an effect, and so, as we are interested in probabilistic theories, these numbers are taken to be the non-negative reals, $\mathbb{R}_+$. Equality of processes can then be characterised in terms of these numbers, the idea being that if two processes give the same probabilities in all situations then they are equal. This defines the notion of tomography, which formally can be expressed as f, g : A → B are equal if and only if (3) We consider process theories that come with a way to discard (or simply ignore) systems. For this purpose we introduce a discarding effect for each system A denoted as: (4) Moreover we require that the composite of discarding effects is the discarding effect for the composite system In particular, discarding "nothing", i.e., the trivial system, is just the number 1.
These discarding effects then allow us to define a notion of causality for processes [8,9,20]. Specifically, a process f is causal if and only if The reason for naming these 'causal' is not immediately apparent, however it can be shown that restricting to the causal processes of a theory ensures compatibility with the causal structure of relativity [20]. For example, this ensures that there is no signalling back in time [8] or faster than the speed of light [9]. On the other hand, restricting to just the causal processes is a step too far. Indeed, the only causal number is 1 and so such processes only describe deterministic situations. We want to discuss probabilistic scenarios where the numbers correspond to the probability that some event occurs. To deal with this we therefore also work with subcausal processes, that is, processes which can occur as some probabilistic 'branch' of a deterministic process. To formalise this branching structure we introduce diagrammatic sums, i.e., a sum of processes that distributes over diagrams: where ξ is shorthand notation for an arbitrary diagram of the form An important consequence of this sum is that it allows us to define a partial order for processes: where z is another process in the theory. In particular, given this partial order we can define the subcausal processes as those for which the following holds: Importantly, the set of subcausal processes is closed under composition and the subcausal numbers are given by the interval [0, 1] so this faithfully captures the probabilistic part of the process theory as we required.
In the definition of this ordering we have assumed that z is a physical process. Later we consider the case when z is not a physical process, but belongs to some set K, and denote such an ordering by '≤ K '. Note that such an ordering may not have any physical meaning, but it will have a mathematical meaning once we set up the mathematical structure behind the sets of different processes. It is understood that the 'absence of explicitly mentioning such a set' means that K is the set of processes. For example, in Eq. (9), '≤' is shorthand for K being the set of processes from A to B and in Eq. (10) it is shorthand for K being the set of effects on B.
Given this structure one can observe that the set of processes $\{f_i\}$ with a given (potentially composite) input A and (potentially composite) output B has a rich linear structure. Specifically, using the sum defined in Eq. (7), we can form (non-negative) linear combinations as which is itself a valid process. These processes therefore form a convex cone, denoted as $K_A^B$, which naturally extends to a vector space $V_A^B$ which is spanned by the cone. Note that this also holds for states and effects as they are just special instances of processes, i.e., we obtain a cone of states $K^A$ (which have no input) and a cone of effects $K_A$ (which have no output). The causal processes form a convex set inside this cone, that is, if f and g are causal then it is simple to check that is causal as well for any p ∈ [0, 1]. This convex set can be characterised by those processes in $K_A^B$ that satisfy Eq. (6). Importantly for our result, it can then be shown that there are causal processes in the interior of the cone $K_A^B$. Additionally, we will make the assumption that the cones are closed (as in practice a theory should be operationally indistinguishable from its closure) and finite-dimensional (as it is impossible in practice to do an infinite number of experiments to characterise processes).
We illustrate these concepts with three specific examples of processes, below.
States: In general this can be an arbitrary convex cone, the causal states are given by the intersection of this cone with a single hyperplane and the subcausal states lie between this hyperplane and the zero vector (i.e. the point), as depicted below.

[Figure (13): state cone, showing the hyperplane, the causal states and the subcausal states.]

Effects: We have only a single causal effect, the discarding effect itself. The subcausal effects lie between the discarding effect and the zero vector.

[Figure (14): effect cone, showing the discarding effect and the subcausal effects.]

Transformations: The set of causal processes is a more complicated set, but importantly, it is still an affine constraint, namely Eq. (6), on the transformation cone. The subcausal transformations lie between this affine constraint and the zero vector.

Background: Cone programming
Cone programming is the study of optimization problems of the form where K and K are finite-dimensional convex cones, C and b are vectors, φ is a linear function, and X is the variable over which we wish to optimize. Before continuing, we must introduce the notion of a dual cone.
Definition 1. Given a convex cone K, we define its dual cone as In this section, we study the cone program of the form below: where K 1 and K 2 are closed convex cones. The first step in understanding a cone program is to examine its dual cone program, which is another cone program related to the original. In this case, the dual is given as where φ * is the adjoint of φ.
Suppose there exists an X satisfying and a y satisfying Then we have γ = β and both problems attain an optimal solution. This is known as strong duality, the proof of which is beyond the scope of this section. We refer the interested reader to the book [7] for a proof.
All of the results relying on cone programming in this paper only use strong duality. The dual yields a new perspective on studying a cone program while strong duality proves that it is very useful, especially when we want a new way to write the optimal value.
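The single-qubit case of Wiesner's four-state scheme, worked numerically as an added example (not code from the paper): the counterfeiter's problem is written in primal form as maximising ⟨Q, J⟩ over Choi matrices J of channels A → AA, and a dual-feasible Y certifies an upper bound, so matching values exhibit strong duality. The two Kraus operators in `candidate_cloner` and the choice Y = λ_max(Q)·I are assumptions of this example, checked by the code rather than taken from the page.

```python
import numpy as np

R = 1 / np.sqrt(2)
# Wiesner's four banknote states |0>, |1>, |+>, |-> (real amplitudes).
STATES = [np.array(v) for v in ([1.0, 0.0], [0.0, 1.0], [R, R], [R, -R])]


def objective_matrix():
    """Q = (1/4) sum_psi |psi psi psi*><psi psi psi*| on (output AA) x (input A)."""
    Q = np.zeros((8, 8))
    for psi in STATES:
        v = np.kron(np.kron(psi, psi), psi.conj())
        Q += np.outer(v, v.conj()) / len(STATES)
    return Q


def choi(kraus_ops):
    """Choi matrix J = sum_k |A_k>><<A_k| of a map with 4x2 Kraus operators.

    Row-major flattening puts entry A[out, in] at index 2*out + in, which is
    the (output x input) ordering used by objective_matrix().
    """
    return sum(np.outer(A.reshape(-1), A.reshape(-1).conj()) for A in kraus_ops)


def is_primal_feasible(J, tol=1e-9):
    """J >= 0 and Tr_out(J) = I, i.e. the map is a causal process A -> AA."""
    reduced = np.einsum("aiaj->ij", J.reshape(4, 2, 4, 2))
    psd = np.linalg.eigvalsh(J).min() >= -tol
    return bool(psd and np.allclose(reduced, np.eye(2), atol=tol))


def primal_value(kraus_ops):
    """<Q, J>: probability that both output qubits pass the bank's test."""
    return float(np.trace(objective_matrix() @ choi(kraus_ops)).real)


def direct_success_probability(kraus_ops):
    """The same quantity computed straight from the protocol, as a cross-check."""
    total = 0.0
    for psi in STATES:
        both = np.kron(psi, psi)  # the bank projects each copy onto |psi>
        total += sum(abs(both.conj() @ A @ psi) ** 2 for A in kraus_ops)
    return float(total / len(STATES))


def measure_and_prepare():
    """Naive machine: measure in the {|0>, |1>} basis, emit two copies of the outcome."""
    return [np.outer(np.kron(b, b), b) for b in np.eye(2)]


def candidate_cloner():
    """Two-operator cloning channel; an assumption of this example, verified below."""
    A0 = np.array([[3, 0], [0, 1], [0, 1], [1, 0]]) / np.sqrt(12)
    A1 = np.array([[0, 1], [1, 0], [1, 0], [0, 3]]) / np.sqrt(12)
    return [A0, A1]


def dual_certificate():
    """Dual-feasible point Y = lambda_max(Q) * I_A; returns (Y, Tr Y).

    Dual constraint: I_AA (x) Y - Q >= 0. Weak duality then gives
    <Q, J> <= <I (x) Y, J> = Tr(Y Tr_out J) = Tr Y for every feasible J.
    """
    Q = objective_matrix()
    Y = np.linalg.eigvalsh(Q).max() * np.eye(2)
    slack = np.kron(np.eye(4), Y) - Q
    assert np.linalg.eigvalsh(slack).min() >= -1e-9  # dual feasibility
    return Y, float(np.trace(Y))


if __name__ == "__main__":
    for name, ops in [("measure-and-prepare", measure_and_prepare()),
                      ("candidate cloner", candidate_cloner())]:
        print(name, is_primal_feasible(choi(ops)), round(primal_value(ops), 6))
    print("dual bound", round(dual_certificate()[1], 6))
```

The candidate cloner's primal value coincides with the dual bound, so neither can be improved for this single-qubit strategy; the naive measure-and-prepare machine falls strictly below it.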

GPT Money: the scheme and measuring its security
We now describe the physical process of creating the banknote, its verification, and what counterfeiting machines a counterfeiter can use.

Preparation:
The bank selects a causal state $s_i$ of some system A from the ensemble $\varepsilon_A = \{(p_1, s_1), \ldots, (p_n, s_n)\}$ with $p_1, \ldots, p_n > 0$ and $\sum_{i=1}^{n} p_i = 1$. Therefore, for all i we have The bank puts the state into the banknote and records its serial number as well as the state selected.

Verification (of a single copy):
The bank uses the effect $e_i$ to verify the state $s_i$ where $e_i$ is subcausal and always accepts $s_i$, i.e., for each i, we have and This way the verification always passes when the state is untampered. Note that one could consider more general bank strategies, but, as we are interested in proving the impossibility of counterfeiting, allowing for more general strategies could only make the counterfeiter's job more difficult.

23) and (24), we call the set a bank strategy. Note that this fully describes what the bank does to prepare and verify a banknote.

Counterfeiting machines:
We now flesh out the details of the set of physical counterfeiting machines P. The counterfeiter's strategy is simple to define: it is a physical process which takes in the state of system A given by the bank, and outputs some state of system AA which is intended to be two copies of the original. Mathematically, it can be represented by some subcausal $\chi \in K_A^{AA}$, i.e., Thus, the set of physical counterfeiting machines is given as

Security:
Suppose the bank is independently given each output system and so independently tests each of them with the relevant effect. The overall bank verification process is therefore given by the following diagram: With these definitions in hand, the quantity we use to measure the security of the money scheme is given by In the rest of the paper, we study this quantity.

Designing secure GPT money schemes (and when it is not possible)
We now study the optimization problem (29) with the hopes of finding bank strategies $S_A$ which make $\alpha_A$ as small as possible. We start with a very weak condition which we call Weak No-Counterfeiting which roughly states that a counterfeiter cannot cheat perfectly. This is of course not useful for cryptographic purposes. Therefore, we later discuss how to start with this condition and strengthen it by driving the maximum success probability of a counterfeiter down to a negligible amount. We therefore prove that all GPTs fall into one of two categories: there is either perfect counterfeiting (this is the case for classical theory) or practical security (this is the case for quantum theory). Interestingly, there is no middle ground.

Perfect counterfeiting
In order to understand what we need to achieve security we first consider the converse problem: what does it mean for perfect counterfeiting to be possible? This seems closely related to the clonability or broadcastability of the ensemble $\varepsilon_A = \{(p_1, s_1), \ldots, (p_n, s_n)\}$. Specifically, if one could perfectly clone the states then this would immediately provide a perfect counterfeiting strategy. That is, given a channel ∆ such that, for all $s_i$: then if the counterfeiter used this channel we would find that This implies $\alpha_A = 1$ and so counterfeiting can be achieved perfectly. This is exactly what happens in the case of classical theory. Moreover, it was shown in [4] that the possibility of cloning arbitrary ensembles singles out classical theory from a wide class of GPTs. However, there are other ways in which one could find that perfect counterfeiting is possible. One way is if the bank strategy is too restricted. For example, if we take for all i, then the bank is learning nothing about the returned banknotes. Obviously, the counterfeiter would always pass the verification irrespective of what counterfeiting procedure they used. Therefore, the task of finding a secure money scheme for the bank does not only require a non-cloneable ensemble $\varepsilon_A = \{(p_1, s_1), \ldots, (p_n, s_n)\}$, but also a decent choice of each verification effect $e_i$. To this end, we now consider different security notions for the entire bank strategy $S_A = \{(p_1, s_1, e_1), \ldots, (p_n, s_n, e_n)\}$.

Weak security
We start with a definition. This is mathematically the weakest condition that can be used to rule out perfect counterfeiting. However, it is not the most physically motivated assumption. We therefore address how it can be derived from an assumption regarding the bank strategy.

Definition 4 (Verification Sharpness (VS)). The bank strategy $S_A = \{(p_1, s_1, e_1), \ldots, (p_n, s_n, e_n)\}$ satisfies VS if and only if the effects uniquely pick out the states in the ensemble. I.e., for all i, we have: where s is an arbitrary subcausal state.
Verification Sharpness is defined to rule out the case discussed in the previous subsection where the bank's measurements were too restricted, e.g., each e i is just the discarding effect. The effects in the Verification Sharpness condition are idealised in the sense that any deviation from the honest state will be caught by the bank with non-zero probability. In quantum theory, if the states are pure, then the effect can be chosen to be the rank-1 projection onto that state. Thus, in quantum theory, VS holds when the states in the ensemble are pure.

Definition 5 (Broadcasting Map). A broadcasting map, B, for a set of states {s i } is any subcausal map satisfying:
We now show that under the VS condition, a violation of WNC is equivalent to being able to broadcast the ensemble.

Lemma 1. Suppose a bank strategy $S_A = \{(p_1, s_1, e_1), \ldots, (p_n, s_n, e_n)\}$ satisfies VS. Then perfect counterfeiting is equivalent to the broadcastability of the states $\{s_1, \ldots, s_n\}$.
We postpone a proof to Appendix A since it follows easily from (independent) analysis later in the paper.
In [4] it was shown that broadcastability (or the special case of clonability) of an ensemble implies it must be classical (at least in their framework which assumes the No-Restriction Hypothesis [8] and Tomographic Locality [17]). Hence, we obtain the following corollary by restricting our consideration to the class of GPTs that they consider.

Corollary 1. In any non-classical GPT satisfying the No-Restriction Hypothesis [8] and Tomographic Locality [17], VS implies that the strategy must satisfy WNC.
Clearly, the WNC condition is not good enough on its own to have secure money as the counterfeiter could still cheat with very large probability. In the next subsection, we introduce a variant which is more meaningful for cryptographic security. For this purpose, we prove that bank strategies satisfying WNC can be modified such that the states span the vector space $V^A$.

Definition 6. A bank strategy $S_A = \{(p_1, s_1, e_1), \ldots, (p_n, s_n, e_n)\}$ is said to be spanning if $\{s_1, \ldots, s_n\}$ span the vector space $V^A$.
We have the following lemma.

Lemma 2. If WNC holds, then there is a spanning bank strategy S
Proof. Suppose we have a bank strategy S A with security parameter α A < 1 (which exists since WNC holds). Then given a basis of causal states $\{b_j\}_{j=1}^{m}$ of $V^A$, we can construct the bank strategy S A = {(1/m, b j , )}. The security parameter for the strategy S A is denoted α A (which clearly equals 1). Let S A be the bank strategy which uses S A or S A chosen uniformly at random. As S A is a spanning bank strategy, we see that S A is as well. The proof now follows since as α A < 1 and α A = 1.
Thus, for the rest of the paper, we may restrict our attention to spanning bank strategies when requiring WNC to hold.

Practical security
We start by defining a condition which allows for a practical level of security.

Definition 7 (Strong No-Counterfeiting (SNC)). A theory satisfies SNC if for any δ > 0 there exists a bank strategy S A such that α A ≤ δ.
Assuming SNC, the bank can therefore choose a value for δ with which it is comfortable, then proceed to use the appropriate ensemble in the banknote and the corresponding effects in its verification. Note also that there is no hope of doing better than this, i.e., we cannot take δ = 0 as there is always some probability that the counterfeiter could make a lucky guess and prepare a new note in exactly the right state. In particular, if p i = max{p 1 , . . . , p n }, then the counterfeiter can always use the counterfeiting machine which succeeds with probability at least p i > 0. (Even if a counterfeiter did not know the bank's strategy, they could use the strategy (36) but instead of s i , use a state in the interior of the cone to show that α A > 0.) In this subsection we assume that the theory satisfies WNC (i.e., there is a bank strategy in the theory which satisfies WNC) and ask if this can be extended to a proof of SNC. Specifically we consider boosting the security by having multiple independent copies of a bank strategy on each banknote. For example, let S A and S B be two bank strategies. We now study the case if the bank were to use both S A and S B by sampling a state from one, then the other independently, and including both sampled states on the banknote. Let S AB be the new (product) bank strategy and let α AB be the optimal probability that a counterfeiter can successfully cheat S AB . It seems like it should be true that α AB = α A α B . Indeed this is the case for quantum theory [25]. However, there are examples, even in classical theory, where similar tasks do not have such a product theorem (one example can be found in the study of nonlocal games [13]). Therefore, such a result is not so forthcoming.
Indeed, the fact that α AB may not equal α A α B is a big difference between the setting of GPTs and quantum theory. We could impose certain physical principles (each of which hold in quantum theory) in order to enforce α AB = α A α B , but we will show how to circumvent this problem entirely without the need to assume these extra physical principles.
Let us consider a counterfeiting strategy $\chi_{AB} \in K_{AB}^{AABB}$ as illustrated diagrammatically, below Clearly it is possible to achieve success probability $\alpha_A \alpha_B$ by the counterfeiter by simply doing his optimal procedure on A and B independently: (38) Ideally we would like to show that they cannot do any better than this, but as mentioned above, this may not always be the case.
We now show that although $\alpha_{AB}$ might be greater than $\alpha_A \alpha_B$, it cannot be too much greater. To this end, we relax $\alpha_A$ to a new quantity $\tilde{\alpha}_A > 0$ (defined in the next subsection) which satisfies the following two properties: We see that (39) together with Lemma 2 says that if WNC holds for any bank strategy, then this new quantity is bounded away from 1 for some spanning bank strategy. Combining this with (40), we have that the success probability of cheating the bank decreases exponentially using the n-fold repetition of this spanning bank strategy. This is summarised in the following lemma. In the following subsection we define a relaxation from $\alpha$ to $\tilde{\alpha}$ and demonstrate that it satisfies Eqs. (39) and (40). Thus the weakest form of security possible implies the promise of practical security.

ber on any $f \in K_A^B$. In particular, this implies that $K^A \subseteq K_A^{*}$ and $K_A \subseteq K^{A*}$, that is, the state cone lives inside the dual of the effect cone, and vice versa.
To define $\tilde{\alpha}$, we relax the set of physical counterfeiting machines $P$ to $\tilde{P}$, where $\tilde{P}$ is a set of "counterfeiting machines" which are possibly not physically realizable. However, whilst a counterfeiter may not be able to physically perform $\tilde{\chi} \in \tilde{P}$, it is nonetheless useful to consider.
Recall we have $P$ defined as where we have now explicitly denoted that the set defining the ordering is the effect cone for A. This is the cone that we will extend for the relaxation. Specifically, we replace $K_A$ with $K^{A*}$ which, as mentioned above, contains $K_A$. Therefore, we define the relaxation which may contain non-physical counterfeiting machines. They must still, by assumption, be in the process cone. But, there is no guarantee that they are causal or even subcausal, therefore they could lead to obtaining 'probabilities' greater than 1. This is clearly a relaxation as for any GPT, we have $K_A \subseteq K^{A*}$. However, certain GPTs satisfy a property known as the No-Restriction Hypothesis [8], which states that $K_A = K^{A*}$. For such theories we have $P_A = \tilde{P}_A$ and so the relaxation is trivial. In particular this is the case for quantum theory. Therefore, the proof of our main result greatly simplifies in the case of quantum theory and any other theory satisfying the No-Restriction Hypothesis.
Define the quantity $\tilde{\alpha}$ to be which is defined to be optimizing the same quantity as $\alpha$, i.e., the same C process. Also, we have $0 < \alpha \le \tilde{\alpha}$ since $P \subseteq \tilde{P}$. Here, we use tildes to denote something that may not be physical to make the distinction clear. Below is the main technical result of this paper. The proof of this theorem relies crucially on the duality theory of cone programming. The interested reader is referred to the book [7].

Theorem 1. For all bank strategies S A , we have
Moreover, (44) and (45) attain an optimal solution (hence the use of "min" instead of "inf" above). For notational simplicity, we will denote We call the original formulation (44) the primal, and the above formulation (45) the dual.
Before showing a proof, we need the lemma below (whose proof can be found in Appendix B).

Lemma 4. For y ∈ int(K
We now prove Theorem 1.

Proof. We begin by transforming the optimization problem (44) into a statement about vectors in the finite-dimensional vector space V AA A . We make the vector-diagram associations such that Note these exist by the Riesz-Fréchet Representation Theorem. Thus, (44) can be written in vector form as in (18) and its dual (45) as in (19) when K 1 = K A and K 2 = K AA A . We now show that strong duality holds. As discussed in the paragraph following (11), there are subcausal processes in the interior of the cone. That is, there exists χ ∈ int(K AA A ) satisfying Since for any ν ∈ V A and sufficiently small λ > 0. Thus, there exists a λ > 0 such that λχ ∈ int(K AA A ) and Here, we can think of λ as a scaling factor to pull the processes into the interior of the necessary cones.
On the other hand, By Lemma 4, we can take y ∈ int(K A ) to get that y ∈ int(K AA A * ).
We can repeat the argument above to scale C down (say, by µ > 0) to get that Define λ = 1/µ to get This proves that strong duality holds (recall the definition from Section 4) implying that the primal and dual have the same optimal value and both problems attain an optimal solution.

Remark 1. From the proof above, we see that the value $\alpha$ (recall (29)) is attained as well. This is because the above proof easily generalizes to the case where we replace $K^{A*}$ with $K_A$ (even the interior points are the same).
We now prove $\tilde{\alpha}$ satisfies the properties required for Lemma 3.

Lemma 5. For all spanning bank strategies S
for all $\tilde{\chi} \in \tilde{P}$. Thus we have $\tilde{\alpha}_A \le 1$. Let $\tilde{\chi} \in \tilde{P}$ be an optimal solution to (44) and suppose $\tilde{\alpha}_A = 1$. We see from (53) that In other words $\tilde{\chi}$ is causal and thus must be in $P$ as well. Since there exists $\chi \in P$ such that we have $\alpha_A = 1$ as desired.
We now consider the dual problem. Consider an optimal solution to the dual problem y ∈ K A , such that Note that the constraint Now let us consider appending a new system B and a new counterfeiting machine which maps AB to the space AABB. Diagrammatically, it would look like this Note that for any χ AB ∈ P AB , we have that is in P A for any physical map D. This is because it is physically possible for a counterfeiter to do this, and thus must be captured by the set of physical processes P. We use two different choices for D, the bank's strategy C, and the alternative strategy Y , above. With these ideas in hand, we can prove the following lemma. Proof. We prove the m = 2 case for clarity, but the general case follows by repeating the same argument. We consider a pair of bank strategies, S A and S B and show that α AB ≤ α A α B . Consider where χ AB ∈ P is an optimal solution to (29) (which exists by Remark 1). By a trivial diagrammatic rewrite, this is equivalent to As discussed previously, we have the dotted part in the diagram above is in K AA A . Therefore, from (60), we have By another diagrammatic rewrite, we have By repeating the same argument noting the dotted part above is physical, we have From the definition of Y , it is clear that since χ AB is subcausal. This finishes the proof.
The intuition behind this proof is that a counterfeiter could implement the Y B or C B strategy him/herself, and this should not allow him/her to pass the verification on A with higher probability. Also, a counterfeiter trying to cheat the Y strategies is pointless since the Y strategy simply discards the output of any counterfeiting machine.
One thing to note in the proof of Lemma 6 is that we used $\chi \in P$ and not a $\tilde{\chi} \in \tilde{P}$. This is because the combination of $\chi$ and a physical map D must be in the cone $K_A^{AA}$ (see (62)). One can show that this is the case for any $\tilde{\chi} \in \tilde{P}$, as $\tilde{\chi}$ can be rescaled to belong to $P$, hence we can repeat the proof to show that $\tilde{\alpha}$ is multiplicative over the theory. This is a stronger claim than the one in the lemma but is not necessary for our main result.
By combining Lemmas 3, 5, and 6, we have the following theorem.
Theorem 2. If WNC holds, then SNC holds. In other words, WNC is necessary and sufficient to make unforgeable money.
By combining this with Corollary 1 we have the following corollary.

Corollary 2. In any non-classical GPT satisfying the No-Restriction Hypothesis [8] and Tomographic Locality [17], VS is sufficient to make unforgeable money.

Conclusion
In this paper we have considered Wiesner's quantum money scheme in the generalised probabilistic theory framework. We first defined the class of GPTs in which there is potential for unforgeable money, that is, those satisfying the WNC assumption. We then demonstrated that under an assumption of Verification Sharpness, this is equivalent to the inability to broadcast arbitrary causal states, a general feature of non-classical GPTs, for example, those in [4].
To obtain meaningful security however, we require that the probability of successfully counterfeiting can be made arbitrarily close to zero, that is, the assumption of SNC. Demonstrating that this is indeed possible for arbitrary GPTs satisfying WNC is the main result of this paper. That is, we have a dichotomy: for any theory, either practical security is possible or perfect counterfeiting is possible.
It would be interesting to see if this work could be extended in a way similar to the quantum schemes that have been developed in recent years. For example, is it possible to have a purely classical verification scheme in the GPT setting? Would it be possible to have a store merchant be able to verify the money without the need of involving the bank? Both of these are possible in the quantum setting, see [15] and [1], respectively. These scenarios are interesting, but add to the complexity of the problem considerably. As this work shows that GPT money is indeed physically possible in many theories, it paves the way to look at these more elaborate scenarios which are more convenient for the bank.
for all i. VS therefore implies that for all i, we have Using VS again, we have for all i, which is precisely what it means for χ to be able to broadcast all of the states s i .
For the other direction, let us assume there is a channel B which broadcasts the states s i : Therefore we have, for all i: As we know e i are subcausal, we can decompose the discarding map as e i + E i where each E i is a subcausal effect. This gives, for all i: We use the subcausality of B (and the causality of each s i ) to write for all i, since each number is nonnegative. This implies that perfect counterfeiting is possible.

B Proof of Lemma 4
The following well-known fact (see, e.g., [7]) characterises the interior of the dual cone.
We are now ready to prove Lemma 4.
Proof. We want to show that, for χ ∈ K AA A , To do so, however, recall the notion of tomography which is how equality is defined for processes in GPTs. We have two processes f, g : To see this first note that as y is interior, any other state, a ∈ K A belongs to some convex decomposition of y. Therefore we have In particular, we can take a to be the 'marginal' of some bipartite state, s, i.e.
This holds for any state s and any system C so we can rewrite this as Note that the composite of the three discarding effects is the discarding effect for the composite system. This discarding effect is in the interior of K AAC , so any effect e ∈ K AAC can appear in some convex decomposition of the discarding effect. Therefore we have This concludes our proof as this is exactly the condition needed for tomography to show that χ = 0.