Practically secure quantum position verification

This protocol has been inspired by the Bennett–Brassard 1984 (BB84) quantum-key-distribution (QKD) protocol [24].

To verify the position of P, the following scheme is employed:

• (a)  
  The verifiers agree on random bits x, θ ∈ {0, 1}. V₀ prepares a qubit in the state

  $$\begin{equation}\vert \psi \rangle ={H}^{\theta }\vert x\rangle \end{equation} \tag{ 5 }$$

  and sends it to P. V₁ sends θ to P, so they arrive at P at the same time. That is, ${\mathsf{i}\mathsf{t}\mathsf{e}\mathsf{m}}_{0}=\left\{\vert \psi \rangle \right\}$ and ${\mathsf{i}\mathsf{t}\mathsf{e}\mathsf{m}}_{1}=\left\{\theta \right\}$.
• (b)  
  As soon as |ψ⟩ and θ arrive, P performs a measurement in the basis {H^θ |0⟩, H^θ |1⟩}, and sends the outcome x' to both V₀ and V₁. The given measurement constitutes $\mathsf{O}\mathsf{p}\mathsf{n}$ and x' is the $\mathsf{R}\mathsf{s}\mathsf{t}$.
• (c)  
  If the verifiers receive x' at the time consistent with the position of P, and x' = x, then they accept; otherwise they reject.

Now, suppose there are two adversaries, E₀ (between V₀ and P) and E₁ (between V₁ and P). Can they fake P? Suppose that the adversaries share no entangled qubits, although they may have qubits in their possession. When V₀ sends |ψ⟩, E₀ will intercept it before P does, but will not be able to do step 2, because she will have to wait for θ to arrive first. By the time it arrives, it will be too late to send any information to V₁ (but not to V₀).

The best strategy is the following, which is based on minimum-error state discrimination [25, 26]. When E₀ receives |ψ⟩ from V₀, she performs a measurement in the basis

$$\begin{equation}\vert {0}^{\prime }\rangle =\mathrm{cos}\enspace \frac{\pi }{8}\vert 0\rangle +\mathrm{sin}\enspace \frac{\pi }{8}\vert 1\rangle ,\qquad \vert {1}^{\prime }\rangle =-\mathrm{sin}\enspace \frac{\pi }{8}\vert 0\rangle +\mathrm{cos}\enspace \frac{\pi }{8}\vert 1\rangle ,\end{equation} \tag{ 6 }$$

and sends the outcome of the measurement to E₁. The probability of success of this optimal strategy is

$$\begin{equation}{\epsilon}={\mathrm{cos}}^{2}\enspace \frac{\pi }{8}=\frac{1}{2}+\frac{1}{2\sqrt{2}}\approx 0.85.\end{equation} \tag{ 7 }$$

As the above is repeated n times, the success probability becomes ⁿ (exponentially small). Notice that the adversaries are not able to make use of the classical information θ available to them. This information would have been useful, had E₀ received it before deciding on what measurement to perform.

However, E₀ can make use of θ when deciding on the measurement, if the adversaries share entangled qubits, because of the possibility of teleportation. Suppose the adversaries share an EPR pair. Then they can fake P following these steps.

• (a)  
  Upon receiving |ψ⟩, E₀ teleports it to E₁. In doing so, E₀ performs Bell measurements with outcome $k=\bar{{k}_{0}{k}_{1}}$, in binary notation. They determine the state E₁ receives (instantaneously) as

  $$\begin{equation}\vert {\phi }_{k}\rangle ={X}^{{k}_{0}}{Z}^{{k}_{1}}\vert \psi \rangle .\end{equation} \tag{ 8 }$$

  Since |ψ⟩ = H^θ |x⟩, for θ = 0, |ϕ_k ⟩ is an eigenstate of Z, whereas for θ = 1, |ϕ_k ⟩ is an eigenstate of X = HZH. We easily obtain

  $$\begin{equation}{H}^{\theta }Z{H}^{\theta }\vert {\phi }_{k}\rangle ={\left(-1\right)}^{x\oplus {k}_{\theta }}\vert {\phi }_{k}\rangle .\end{equation} \tag{ 9 }$$

  E₀ sends the results k of her Bell measurements to E₁.
• (b)  
  At the same time, knowing θ (having received it from V₁), E₁ measures H^θ ZH^θ (i.e., Z, if θ = 0, and X, if θ = 1), and obtains outcome ${\left(-1\right)}^{x\oplus {k}_{\theta }}$. She immediately sends both θ and ${\left(-1\right)}^{x\oplus {k}_{\theta }}$ to E₀.
• (c)  
  Upon receiving the classical information $\left\{\theta ,{\left(-1\right)}^{x\oplus {k}_{\theta }}\right\}$ from E₁, E₀ multiplies ${\left(-1\right)}^{x\oplus {k}_{\theta }}{\left(-1\right)}^{{k}_{\theta }}={\left(-1\right)}^{x}$ to calculate x and send the information to V₀.
• (d)  
  Upon receiving the classical information k from E₀, E₁ multiplies ${\left(-1\right)}^{x\oplus {k}_{\theta }}{\left(-1\right)}^{{k}_{\theta }}={\left(-1\right)}^{x}$ to calculate x and send the information to V₁.

This strategy has 100% probability of success for the adversaries. Thus a single EPR pair among the adversaries is sufficient for breach of security.

The above conclusion on breach of security can be avoided by upgrading |ψ⟩ to an n-qubit state with n > 1. In this case, if the adversaries share m EPR pairs, then the probability of success for the adversaries is given by ${\epsilon}{\leqslant}{2}^{m}\enspace {\mathrm{cos}}^{2n}\enspace \frac{\pi }{8}$, where the additional factor 2^m is due to the availability of the Hilbert space of the entangled pairs. However, realizing such a protocol with multi-qubit states |ψ⟩ is experimentally challenging. Instead, we can modify the above protocol by introducing an additional classical bit of information. In the modified protocol, to verify the position of P, the following scheme is used.

• (a)  
  The verifiers agree on random x, θ₀, θ₁ ∈ {0, 1}. V₀ prepares a qubit in the state

  $$\begin{equation}\vert \psi \rangle ={H}^{{\theta }_{0}\cdot {\theta }_{1}}\vert x\rangle \end{equation} \tag{ 10 }$$

  and sends it to P, along with θ₀. V₁ sends θ₁ to P, so they arrive at P at the same time.
• (b)  
  As soon as |ψ⟩ and θ₀, θ₁ arrive, P computes (classically) θ = θ₀ ⋅θ₁, performs a measurement in the basis {H^θ |0⟩, H^θ |1⟩}, and sends the outcome x' to both V₀ and V₁.
• (c)  
  If the verifiers receive x' at the time consistent with the position of P, and x' = x, then they accept; otherwise they reject.

Unlike the previous protocol, adversaries with a prior single pair of entangled qubits will not be able to break the security of this modified protocol. This is because E₁ has insufficient information to perform the correct measurement on her qubit. E₁ can optimize her measurement, but the adversaries can never achieve a 100% success rate. The adversaries need at least 2 entangled pairs.

Suppose that the adversaries share two EPR pairs, labeled 0 and 1, each in the Bell state (1). Then they can fake P following these steps.

• (a)  
  Upon receiving |ψ⟩ and θ₀, E₀ teleports |ψ⟩ to E₁ using the EPR pair labeled θ₀. In doing so, E₀ performs a Bell measurement with outcome $k=\bar{{k}_{0}{k}_{1}}$, in binary notation. The state E₁ receives (instantaneously) is given by (8). E₀ sends the results k, θ₀ of her Bell measurement to E₁.
• (b)  
  At the same time, knowing θ₁ (having received it from V₁), E₁ measures Z on qubit 0 and ${H}^{{\theta }_{1}}Z{H}^{{\theta }_{1}}$ (i.e., Z, if θ₁ = 0, and X, if θ₁ = 1) on qubit 1. She obtains outcome ${\left(-1\right)}^{x\oplus {k}_{\theta }}$ on the qubit belonging to the EPR pair E₀ used to teleport |ψ⟩, and λ on the other qubit. She immediately sends both θ₁ and $\left({\left(-1\right)}^{x\oplus {k}_{\theta }},\lambda \right)$ to E₀.
• (c)  
  Upon receiving the classical information $\left\{{\theta }_{1},\left({\left(-1\right)}^{x\oplus {k}_{\theta }},\lambda \right)\right\}$ from E₁, E₀ multiplies ${\left(-1\right)}^{x\oplus {k}_{\theta }}{\left(-1\right)}^{{k}_{\theta }}={\left(-1\right)}^{x}$ to calculate x and send the information to V₀. She knows which of the two outcomes λ is, because that is determined by θ₀.
• (d)  
  Upon receiving the classical information k and θ₀ from E₀, E₁ multiplies ${\left(-1\right)}^{x\oplus {k}_{\theta }}{\left(-1\right)}^{{k}_{\theta }}={\left(-1\right)}^{x}$ to calculate x and send the information to V₁. Again, she knows which of the two outcomes λ is, because that is determined by θ₀.

This strategy has 100% probability of success for the adversaries.

This is a scheme making use of entanglement of two qubits received by the prover, and is secure if the adversaries share no EPR pairs [19].

To verify the position of P, the following scheme making use of two qubits is employed:

• (a)  
  The verifiers agree on random x₀, x₁, θ ∈ {0, 1}. V_i prepares a qubit in the state H^θ |x_i ⟩ (i = 0, 1) and sends it to P. Both states arrive at P at the same time.
• (b)  
  P performs a measurement projecting onto the state |Ψ⁺⟩ (2). If the measurement is successful, then he sends z = 1, otherwise he sends z = 0.
• (c)  
  The verifiers accept if the result z of P's measurement is consistent with the states sent by them to P. The verifiers receive z = 1 half of the time, if they send the same state with θ = 0 (different states with θ = 1), and always z = 0 if they send different states with θ = 0 (same state with θ = 1).

It should be noted that it is advantageous for the verifiers if P projects onto both |Ψ⁺⟩ and |Ψ⁻⟩, making it harder for adversaries to mimic P's actions. It is straightforward to extend the analysis presented here to this case. For simplicity, we omit the discussion.

For the security analysis, first let us consider the case when the adversaries do not share any entangled pairs. E₀ intercepts the qubit from V₀ and measures it in the $\left\{\vert {\hat{\mathbf{n}}}_{1}\rangle ,\vert {\hat{\mathbf{n}}}_{2}\rangle \right\}$ basis, where ${\hat{\mathbf{n}}}_{1}\perp {\hat{\mathbf{n}}}_{2}$. Similarly, E₁ intercepts the qubit from V₁ and measures it in the same basis. They communicate their results to each other. If they disagree, they report z = 1 to the verifiers half of the time. If they agree, they report z = 0 to the verifiers.

The probability of error for the adversaries is

$$\begin{equation}{P}_{\text{err}}=\frac{1}{4}\sum\limits _{\theta =0}^{1}\left(\vert \langle 0\vert {H}^{\theta }\vert {\hat{\mathbf{n}}}_{1}\rangle {\vert }^{2}+\vert \langle 1\vert {H}^{\theta }\vert {\hat{\mathbf{n}}}_{2}\rangle {\vert }^{2}\right)\left(\vert \langle 0\vert {H}^{\theta }\vert {\hat{\mathbf{n}}}_{2}\rangle {\vert }^{2}+\vert \langle 1\vert {H}^{\theta }\vert {\hat{\mathbf{n}}}_{1}\rangle {\vert }^{2}\right).\end{equation} \tag{ 11 }$$

Let $\vert {\hat{\mathbf{n}}}_{1}\rangle ={\left(\alpha ,\beta \right)}^{\mathrm{T}}$, |α|² + |β|² = 1, and $\vert {\hat{\mathbf{n}}}_{2}\rangle ={\left(-{\beta }^{{\ast}},{\alpha }^{{\ast}}\right)}^{\mathrm{T}}$. Then

$$\begin{equation}{P}_{\text{err}}=\vert \alpha \beta {\vert }^{2}+\frac{1}{4}\vert \alpha +\beta {\vert }^{2}\vert \alpha -\beta {\vert }^{2}.\end{equation} \tag{ 12 }$$

It is easy to see that

$$\begin{equation}{P}_{\text{err}}=\frac{1}{4}+\vert \enspace \mathfrak{I}{\alpha }^{{\ast}}\beta {\vert }^{2}{\geqslant}\frac{1}{4}.\end{equation} \tag{ 13 }$$

The error is minimized when, e.g., α = 1, β = 0. Correspondingly, the probability of success is

$$\begin{equation}{\epsilon}=1-{P}_{\text{err}}{\leqslant}\frac{3}{4}\enspace .\end{equation} \tag{ 14 }$$

This bound compares favorably to the result (7) for the single-qubit protocol.

Next, suppose that the adversaries share a pair of qubits in the state (1). Once E₀ intercepts the qubit from V₀, she can perform a Bell measurement on her qubit in the pair shared with E₁ and the intercepted qubit, projecting it onto one of the orthogonal states {|Φ⁺⟩, |Φ⁻⟩, |Ψ⁺⟩, |Ψ⁻⟩} (assuming unlimited technological capabilities). E₁ performs a similar measurement on her half of the pair and the qubit she intercepts from V₁. They report the results to each other. They send z = 1 to the verifiers, if E₀ measures |Ψ⁺⟩ and E₁ measures |Φ⁺⟩.

Since

$$\begin{equation}{}_{{V}_{0}{E}_{0}}\langle {{\Psi}}^{+}\vert _{{V}_{1}{E}_{1}}{\langle {{\Phi}}^{+}\vert {{\Phi}}^{+}\rangle }_{{E}_{0}{E}_{1}}={}_{{V}_{0}{V}_{1}}\langle {{\Psi}}^{+}\vert \end{equation} \tag{ 15 }$$

their operation is equivalent to the prover's measurement, and therefore they have 100% probability of success.

Let us introduce two classical bits of information into the protocol, similar to the modified one-qubit protocol. The steps of the protocol are as follows:

• (a)  
  The verifiers agree on random x₀, x₁, θ, y₀, y₁ ∈ {0, 1}. V_i prepares a qubit in the state H^θ |x_i ⟩ and sends it to P, along with y_i (i ∈ {0, 1}). Here, ${\mathsf{i}\mathsf{t}\mathsf{m}}_{i}=\left\{{y}_{i},{H}^{\theta }\vert {x}_{i}\rangle \right\}$, for i ∈ {0, 1}. Both states arrive at P at the same time.
• (b)  
  P computes (classically) y = y₀ ⋅ y₁, and applies H^y to each of the states he receives. Then he performs a measurement projecting onto the state |Ψ⁺⟩ (2), and signals z = 1 or 0 to the verifiers, depending on whether his measurement was successful or not.

Without prior shared entanglement, the adversaries have a success probability given by (14), as before. However, they are no longer able to take advantage of a single shared EPR pair, because they do not have the classical information needed to mimic step 2, and perform the correct Bell measurements. Therefore, they need at least two shared EPR pairs for a security breach.

It appears that the adversaries need a larger number of entangled pairs. Suppose that the adversaries share 5 maximally entangled pairs labeled as a ∈ {0, 1, 2, 3, 4}, each in the Bell state (1), so that the state of the system shared between the adversaries is the tensor product |Φ⁺⟩₁|Φ⁺⟩₂|Φ⁺⟩₃|Φ⁺⟩₄|Φ⁺⟩₅. The adversaries will use them in a complex scheme involving teleportation to fake P. Here are the steps involving pairs with labels as indicated:

• (a)  
  Upon receiving H^θ |x₀⟩ and y₀, E₀ teleports the state to E₁ using the EPR pair labeled a = 0. In doing so, E₀ performs a Bell measurement, and E₁ receives the state

  $$\begin{equation}{X}^{{k}_{0}}{Z}^{{k}_{1}}{H}^{\theta }\vert {x}_{0}\rangle \enspace .\end{equation} \tag{ 16 }$$

  She also sends the classical information $k=\bar{{k}_{0}{k}_{1}}$, as well as y₀ to E₁.
• (b)  
  Upon receiving H^θ |x₁⟩ and y₁, E₁ teleports the state to E₀ using the EPR pair labeled a = 2y₁ + 1. E₀ receives

  $$\begin{equation}{X}^{{k}_{0}^{\prime }}{Z}^{{k}_{1}^{\prime }}{H}^{\theta }\vert {x}_{1}\rangle \enspace .\end{equation} \tag{ 17 }$$

  She also teleports back to E₀ the state (16) using the EPR pair labeled a = 2y₁ + 2. Thus, E₀ receives the state ${X}^{{k}_{0}+{k}_{0}^{{\prime\prime}}}{Z}^{{k}_{1}+{k}_{1}^{{\prime\prime}}}{H}^{\theta }\vert {x}_{0}\rangle$, which can be simplified, if E₀ applies ${X}^{{k}_{0}}{Z}^{{k}_{1}}$ (since k is known to E₀) to

  $$\begin{equation}{X}^{{k}_{0}^{{\prime\prime}}}{Z}^{{k}_{1}^{{\prime\prime}}}{H}^{\theta }\vert {x}_{0}\rangle \enspace .\end{equation} \tag{ 18 }$$

  She also sends the classical information y₁ to E₀.
• (c)  
  E₀ applies ${H}^{{y}_{0}}$ to the channels a = 3, 4, thus effectively applying H^y (y = y₀ ⋅ y₁) to the states she received from E₁. She then performs a Bell measurement on each of the pairs labeled (1, 2) and (3, 4). In each case, she reports success to E₁, if the outcome is |Ψ⁺⟩ (2).
• (d)  
  Upon receiving y₀ and the 'success' report from E₀, E₁ reports z = 0 or 1 to V₁, accordingly, knowing which pair of channels contains the teleported states. At the same time, upon receiving y₁ from E₁, E₀ learns the pair of channels containing the teleported states, and reports z = 0 or 1, accordingly, to V₀.

The above protocol can only succeed if k' = k'' = 0, which occurs with probability $\frac{1}{16}$. The adversaries can increase their odds at the expense of adding EPR pairs. A large number of EPR pairs are needed for 100% success rate [5].

A small number of pairs of entangled qubits shared by the adversaries will not break the security. In fact, it appears that the adversaries need an exponentially large number of entangled pairs. Suppose that the adversaries share 2ⁿ⁺¹ + 1 maximally entangled pairs labeled as a = 0, and (b₀, b ₁), where b₀ ∈ {0, 1}, b ₁ ∈ {0, 1, ..., 2ⁿ − 1}, each in the Bell state (1). Then they can fake P following these steps:

• (a)  
  Upon receiving H^θ |x₀⟩ and y ₀, E₀ teleports the state to E₁ using the EPR pair labeled a = 0. In doing so, E₀ performs a Bell measurement, and E₁ receives the state

  $$\begin{equation}{X}^{{k}_{0}}{Z}^{{k}_{1}}{H}^{\theta }\vert {x}_{0}\rangle \enspace .\end{equation} \tag{ 21 }$$

  She also sends the classical information $k=\bar{{k}_{0}{k}_{1}}$, as well as y ₀ to E₁.
• (b)  
  Upon receiving H^θ |x₁⟩ and y ₁, E₁ teleports the state to E₀ using the EPR pair labeled (b₀, b ₁) = (0, y ₁). E₁ receives

  $$\begin{equation}{X}^{{k}_{0}^{\prime }}{Z}^{{k}_{1}^{\prime }}{H}^{\theta }\vert {x}_{1}\rangle \enspace .\end{equation} \tag{ 22 }$$

  She also teleports back to E₀ the state (16) using the EPR pair labeled (b₀, b ₁) = (1, y ₁). Thus, E₀ receives the state ${X}^{{k}_{0}+{k}_{0}^{{\prime\prime}}}{Z}^{{k}_{1}+{k}_{1}^{{\prime\prime}}}{H}^{\theta }\vert {x}_{0}\rangle$, which can be simplified, if E₀ applies ${X}^{{k}_{0}}{Z}^{{k}_{1}}$ (since k is known to E₀) to

  $$\begin{equation}{X}^{{k}_{0}^{{\prime\prime}}}{Z}^{{k}_{1}^{{\prime\prime}}}{H}^{\theta }\vert {x}_{0}\rangle \enspace .\end{equation} \tag{ 23 }$$

  She also sends the classical information y ₁ to E₀.
• (c)  
  E₀ computes f( y ₀, b ₁) classically and applies ${H}^{f\left({\boldsymbol{y}}_{0},{\boldsymbol{b}}_{1}\right)}$ to each of the (b₀, b ₁) channels, for b₀ = 0, 1, thus effectively applying the desired ${H}^{f\left({\boldsymbol{y}}_{0},{\boldsymbol{y}}_{1}\right)}$ to the states she received from E₁. She then performs a Bell measurement on each of the pairs labeled (b₀, b ₁), b₀ = 0, 1. For each value of b ₁, she reports success to E₁, if the outcome is |Ψ⁺⟩ (2).
• (d)  
  Upon receiving y ₀ and the 'success' report from E₀, E₁ reports z = 0 or 1 to V₁, accordingly, knowing which pair of channels contains the teleported states. At the same time, upon receiving y ₁ from E₁, E₀ learns the pair of channels containing the teleported states, and reports z = 0 or 1, accordingly, to V₀.

The above protocol can only succeed if k' = k'' = 0, which occurs with probability $\frac{1}{16}$. The adversaries can increase their odds at the expense of adding EPR pairs. An exponentially large number of EPR pairs are needed for 100% success rate [5]. Thus, the security of the protocol is breached with a number of EPR pairs shared by the adversaries that grows exponentially with the number of classical bits used in the classical oracle f. It is remarkable that the amount of quantum resources needed by the adversaries in this strategy grows exponentially with the length of the classical information, while the verifiers only need two independent qubits for their protocol.

It should be pointed out that it follows from the discussion in references [13, 18] that whenever the function f (classical oracle) parametrizing the protocol can be computed by a Turing machine using logarithmic space, the adversaries can attack these protocols using EPR pairs whose number grows polynomially with the number of classical bits in f. Hence, it is crucial to ascertain that f is a random oracle.