The last paper of the session will be on position-based quantum cryptography, impossibility and constructions, by Harry Buhrman, Nishanth Chandran, Serge Fehr, Ran Gelles, Vipul Goyal, Rafail Ostrovsky, and Christian Schaffner. And since I'm one of the co-authors, I guess I should give this paper extra time. Christian will give the talk.

That's very nice. Thank you very much, people, for introducing your own paper. So we three up here are Amsterdam-based, these guys are from UCLA, and you're now with Microsoft Research in India. Am I gonna see the time? You can turn it on later. So let me take you on a trip to another corner in the wonderful lands of cryptography, namely to the world of position-based cryptography. So what is position-based cryptography? Usually in protocols, players use some kind of credential to distinguish themselves from the rest of the world. For example, they know some secret information, such as a digital password, a PIN, or whatever. Or they have some authenticated information, so they own a passport that has been authenticated by some authority, or they carry around biometric features like fingerprints or irises that can be checked. And the question we wanna ask here in this talk is: can the geographical position of a player be used as his only credential? So at first this might look like a bit of a strange question, but think about this scenario here in a bank, where you enter the bank and you just talk to the guy behind the counter and you tell him all your financial secrets, basically, and you just trust that guy just because he's standing behind the counter. And somehow, of course, the bank made sure that not just anybody stands there, but basically it's his geographical position that makes you trust that guy. So why not ask this question?
So the things that we wanna do, the tasks that we're interested in, are, for example, secret communication, say between military bases: you wanna send a message so that it can only be read at one particular position. Or position-based authentication, so that only a person at a specified position can actually authenticate a message, so you know that it's coming from that place. Or then you can think of access control features, so for example you can only print to a particular printer if you're in the neighborhood of that printer, something like that. And the basic task that we wanna investigate is position verification, so basically you can build all these more complicated things based on that. And for everything in this talk, I'm just gonna focus on the case where all the players live in one dimension, say on a line. So we have two verifiers here, on the left and the right, and we have a prover in the middle that sits at this specified blue position here, and the goal is for this prover to convince the verifiers that she is there and nowhere else. So the crucial assumptions we make in this model are that the communication between the players happens at the speed of light, and that the computation that they do, we will not charge any time for, so it's instantaneous compared to the time it takes for the messages to travel, and we assume that the verifiers have some back channels where they can coordinate their actions. And the goal, of course, is to do this so that no coalition of fake provers, and fake provers are guys that are not at this claimed position but somewhere in between, so those guys should not be able to convince the verifiers that they are at this blue position. So that's the goal of position verification.
So let's give it a try with a classical scheme, and I'm gonna denote downwards here, that's kind of the time axis. One thing we could do is we could just send some classical inputs X and Y from the one verifier and the other verifier towards the prover, and they're timed in a way such that they arrive at the same time at the prover. The prover will compute some classical function F of X, Y, resulting in classical outputs A and B, and those A's and B's are gonna be returned back to the verifiers, and the verifiers will take the time that it takes for these messages to travel and check that they arrive on time. So is this a secure protocol? It's pretty easy to see that no, this is not good, because it's easy to cheat if you set up in between this claimed position and the verifiers. What you can do is you just intercept this X that comes along here, and you keep a copy for yourself, and you send another copy of this X to your fellow cheater on the other side, and you just do the same thing here with Y, so you keep a copy of Y for yourself and send one to the other cheating prover, and then at this point in time here, this guy knows both X and Y, so you can just compute the same function as the honest prover would, so you can compute F of X, Y to obtain the A that is supposed to be sent this way, so you can just send A here, and here you do the same, you compute F of X, Y and send the B that way. So in this way you can make it look as if you were at this blue position, and it turns out that this is actually an inherent problem, so Chandran, Goyal, Moriarty, and Ostrovsky have shown two years ago at Crypto here that, in general, in the classical world position verification is impossible.
So you can always do that, so here now you have two dimensions; if you have the prover, then the verifiers send messages that arrive at the same time, and then you do some computation and return the results. You can always set up in between, on a straight line between this claimed position and the verifier, you can intercept everything that comes along and kind of exchange it with your fellow cheaters, and then, using the same resources as the prover, you can just make it look to the verifiers as if you were at the right place, you can reproduce a consistent view. And notice that here also computational assumptions will not help, because you're just using the same resources as the honest guy, so you could do whatever she could do in the middle. So the question we ask here is whether quantum theory is gonna help, and so let's give that a try as well. So we wanna do quantum position verification, and what we will do is, of course, we equip the players with some quantum technology, and notice we don't need any fancy stuff, we don't need quantum computers to do that, we only need these black boxes here that you can actually buy online, they are produced for example in Switzerland, you can just use quantum key distribution technology. So all you need to do is you need to generate some photons, polarize them in the right way, send them over optical fibers or free space, and then measure them in a particular basis, and that's all stuff that we can actually do, we don't need a quantum computer for that. And the protocol is gonna go as follows: this verifier here is gonna generate a random qubit, and so these circles here with the arrows, they are gonna denote qubits, and this dotted arrow here is quantum communication, so here a qubit is sent from that verifier to the prover, and the other verifier just tells the prover classically, so this is just a classical bit of information, in which basis this original qubit was encoded, and
again they time it in a way such that it arrives at the same time at the prover, and the prover can do a measurement in that basis. Now he has the qubit and he knows in which basis it was encoded, he measures in that basis, and he obtains a bit that he sends back to the verifiers. The verifiers again time it, and they make sure that the timing is right compared to the claimed position. So why should that be better? Let's try to attack this one as well. First of all you can notice that here on this side it's just classical information that you receive, so you could do the same as before, you keep a copy for yourself and you forward a copy of this basis information to the other guy. But here you're gonna be in trouble, because what this prover receives is just an unknown qubit, so a qubit in an unknown state, and the quantum no-cloning principle, which actually was also mentioned in the previous talk, states that you cannot just make a perfect copy of it. Because that's ideally what you wanna do: you wanna keep one for yourself and measure it once you know in which basis it was encoded in order to reply with that bit, and you wanna send a copy also to the other person, because the other person also needs to have the qubit to measure and then send B. However, this is not possible due to the no-cloning theorem, so intuitively we should have security. However, it turns out that this intuition is not true, and now we come to our main result. What we do is we show a general no-go theorem, so we show that position verification, and therefore also more complicated tasks, is impossible also in the quantum setting, so the intuition I just gave for the last protocol is not true, and I'm gonna explain in more detail why it doesn't work.
So this is kind of the bad news, and the good news is that we have some limited possibility results, so if we change the model so that we don't allow arbitrary powers to these cheating provers, then it actually is possible to do this position verification and also more complicated tasks. So if you assume that the adversaries hold no pre-shared entanglement, and again, that's something that I'm gonna explain to you in a second. So before I go into more details about the result, I wanna give a quick history of position-based quantum cryptography, because it's been quite interesting. So it turns out that people have thought about these ideas already quite a while ago. Back in 2003, Kent, Munro and Spiller, who were at that point working at HP Labs, thought about these kinds of protocols under the name of quantum tagging, and in fact they obtained a patent in 2006 for a scheme that is not secure, but they never considered it interesting enough to actually publish it in the academic literature, so we didn't know about it. Then back last year in March, Malaney, an Australian physicist, came up with an idea to do this kind of position verification. He proposed some schemes but he did not have formal proofs, and then a subset of the current authors in May last year also came up with this position verification scheme. They had a rigorous proof, but they were basically implicitly assuming that these provers did not have pre-shared entanglement, so this attack was not known to them. And then later, when Kent and co. saw these two papers on the arXiv, they said, oh, but we already thought about this. And they put out a paper on the arXiv again showing that these schemes were actually insecure, and they were proposing other schemes that they could not break. And shortly afterwards there was another paper that basically generalized that attack, and again they proposed new schemes.
And so the question at that point, about a year ago, was: are there any secure schemes? And that's where we kind of came up with our result, namely we show in this paper that no, it's impossible to have any position-based quantum cryptography in general. After our paper came out, there was already some follow-up work at the beginning of this year. So two guys improved the entanglement consumption, and then yesterday at the rump session I already told you about this garden hose model. So that's also some follow-up work to this paper. So let me show you in more detail how this works. For that I have to explain to you what quantum teleportation is. And I'm not gonna go for the Star Trek version, I'm gonna explain to you the more physical version, proposed by these guys here, actually some of them quite well known to the crypto community, at least these two. So this works as follows. We have Alice and Bob. They might actually be pretty far apart from each other, but they do share a resource, and this is what we call an EPR pair. So these are two qubits that are entangled. They are in an entangled state and therefore they have this kind of magic glow between them. So this orange thing stands for the entanglement. And Alice additionally has a qubit, and the goal is to teleport that qubit to Bob. Now she can do that by performing a so-called Bell measurement on this qubit and on her half of this EPR pair of entangled qubits. So this is just some particular measurement that will give her a classical outcome, a classical outcome that is distributed uniformly over four possibilities: either it's identity, X, Z, or XZ. And now magically, if she does this measurement, then this state that she wants to teleport appears on the other side at Bob. However, it does not appear in the clear. It's appearing there in an encrypted form, and actually it's the quantum equivalent of the one-time pad, one can see it like that.
So this is really perfectly encrypted on Bob's side, and only after he learns the sigma, only after he learns what the outcome of Alice's Bell measurement was, can he actually unlock the secret, so he can undo this encryption and recover the original state. And so that's how quantum teleportation works, and notice that it does not contradict relativity theory. So it does not contradict the principle of instantaneous communication. So this state does not immediately appear as soon as Alice has measured, because Bob has to wait until the classical information sigma arrives. So there's no communication going faster than light, because this has to be transmitted classically, and only then is he able to reconstruct the original state. So now we can use this teleportation to attack the protocol that I showed you before. So this was the protocol where we sent just a qubit, encoded in one of two possible bases, to the prover, and here is the classical information, and then the prover measures in the right basis. And now, if these two players share one EPR pair, they can do the following attack. So Alice, as soon as this qubit flies by her place, she will go and do a Bell measurement on these two qubits, and that will teleport that qubit over to Bob's side. However, as I said, it's gonna be encrypted on that side, but the outcome of the Bell measurement is gonna be some classical information sigma, and now this classical information can be copied. So, let's call her Alice and this guy Bob, Alice will just keep a copy of sigma for herself and send another copy over to Bob. And Bob now can measure this qubit that he got from the teleportation in the right basis, the basis that he knows. Again, the outcome will be a classical bit B prime, and that he can keep for himself and forward to the other guy.
And now you need to understand a little bit of quantum theory to see why this actually works, but basically it turns out that it's enough to know this red sigma and this red B prime in order to reconstruct the original black B. And so therefore you can perfectly break this protocol if you have one entangled pair. So if you have one EPR pair at your disposal, then these two guys can actually again perfectly reconstruct the view as if they were at the right place. So now our result is actually what we call instantaneous non-local quantum computation. This is a generalization of that attack, and it applies to an arbitrary position verification scheme. So in an arbitrary scheme, what you would do, you would send quantum information from both sides. So these are like two quantum parts coming from both sides. Then Alice could apply an arbitrary unitary transform, so an arbitrary quantum operation, on the information that she got, and then send back the results to the verifiers. And they would measure the time. And what we show is that if the adversaries, so if these two guys, share a huge amount of entanglement, just enough, then they can actually do a similar thing to before: they will perform a pretty complicated measurement on their parts of the entangled state. And thereby, so basically in more detail, it works like a clever way of back-and-forth teleportation. And these ideas have been proposed before by a physicist called Vaidman. And if they do that, it turns out that one simultaneous round of communication, so just communicating classically basically the outcomes of that measurement, will suffice for them to actually reconstruct the right state in time to answer that back to the verifiers. So once we have that tool in our hands, this instantaneous non-local quantum computation, we can break any position-based quantum cryptographic scheme.
So even if there are multiple rounds, so in a general scheme you might have something like that, then you have to send that back, and then there's a second round, so that maybe you have to keep some state, the prover has to keep some state, and then there's more quantum information coming in. So a multi-round scheme where you have to apply a new transformation and then send that stuff back. But just using the tools from the last slide, so if they have enough entanglement, they can do this, and they can kind of cope with the first round, then they can keep some state, and they can then go ahead and communicate again classically, and thereby break any of these schemes. So they can make it look to the verifiers as if they were at the right position. So this is kind of the spirit of our general no-go theorem. So now the good news was that if they do not have this resource, so if they do not share any entanglement, then the protocol that we had before works. So you can actually formally show the theorem that the success probability of attacking this protocol, if you don't pre-share the entanglement, is actually at most 85%. So this intuition about the no-cloning theorem is right if you don't have the right resources. However, already proving that theorem is far from trivial. So you actually need quite some heavy tools of quantum information theory to show this theorem. And then of course you only have a gap between the honest and dishonest case of 15%. But then you can sequentially repeat that protocol to amplify that gap to as large as you want. Now, once you can do position verification, then you can also do more complicated things like this authentication and QKD, but I see that, even though people were giving me extra time, I don't really have time to go into that. So I'm gonna just skip over that.
Again, this is something really non-trivial, how to extend it, once you have position verification, to authentication and to quantum key distribution. So I basically just wanna wrap up. We have shown that in the plain model, if you don't put any restrictions on the adversaries, then it's classically and quantumly impossible to use the prover's location as its only credential. However, if you make the restriction that they do not have this pre-shared entanglement, then secure positioning is possible, and more complicated things are possible as well. And everything I said also generalizes to higher dimensions. So then of course the open question, the big obvious open question, in this world of having a no-go theorem versus secure schemes, is how much entanglement is really required to break this protocol. So can we have some security if we just put a bound on the amount of entanglement that the adversary can control? And to answer these questions you have to look into many interesting related fields, like entropic uncertainty relations. There's some link to classical complexity theory via this garden hose model that I was talking about yesterday, and there are connections to non-local games. Thanks for your attention.

We have time for maybe one question.

So Guyanis is asking whether the amount of entanglement that we need in our attack is polynomial in the number of qubits that the honest guys are using. I know it's doubly exponential in our attack. So it's really insane. So it's more a possibility result, but it has been reduced already to one exponential. And I would conjecture that that's probably the thing that you need: if you wanna do a general break, then you need some exponential amount. But we don't know how to show this. Yes, so exactly. So Guyanis was suggesting that if you make the protocol complicated enough, then you actually kind of have a possibility, because the adversaries would need an exponential amount of entanglement.
So in that sense it does become practical. But I can say that already for a linear amount it's gonna be very hard to control this entanglement. So already then it's actually interesting to look at these kinds of protocols.

So let's thank the speaker again. Thank you.
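As an added illustration (not part of the talk or the paper), here is a small pure-Python state-vector simulation of the one-qubit position verification protocol and of the one-EPR-pair teleportation attack the speaker describes: Alice Bell-measures the incoming qubit, Bob measures the teleported qubit in the announced basis, and both reconstruct the honest bit from sigma and B prime. The function and variable names (encode, bell_measure, reconstruct, epr_attack, guess_attack, success_rate) are my own; reconstruct() spells out the basis-dependent correction rule that the speaker skipped, and guess_attack() is the naive measure-and-forward strategy without entanglement, which only succeeds 3/4 of the time, consistent with the 85% bound quoted in the talk.

```python
import math, random

# Constructed toy simulation: a 3-qubit state vector, index = q0*4 + q1*2 + q2.
# q0 is the qubit V0 sends, (q1, q2) is the EPR pair the two cheaters pre-share.
S = 1 / math.sqrt(2)

def encode(b, theta):
    """The qubit V0 sends: |b> in the computational (0) or Hadamard (1) basis."""
    return [1.0 - b, float(b)] if theta == 0 else [S, S * (-1) ** b]

def measure_in_basis(psi, theta, rng):
    """Measure one qubit in basis theta and return the classical bit."""
    if theta == 1:  # rotate the Hadamard basis onto the computational one
        psi = [S * (psi[0] + psi[1]), S * (psi[0] - psi[1])]
    return 1 if rng.random() < abs(psi[1]) ** 2 else 0

# Bell states on (q0, q1), keyed by the Pauli "one-time pad" left on Bob's qubit.
BELL = {"I": [S, 0, 0, S],      # Phi+ : Bob holds |psi>
        "X": [0, S, S, 0],      # Psi+ : Bob holds X|psi>
        "Z": [S, 0, 0, -S],     # Phi- : Bob holds Z|psi>
        "XZ": [0, S, -S, 0]}    # Psi- : Bob holds XZ|psi>

def bell_measure(state, rng):
    """Alice's Bell measurement on (q0, q1): returns sigma and Bob's qubit q2."""
    residual, probs = {}, {}
    for sigma, bell in BELL.items():  # project onto each Bell state
        r = [sum(bell[q] * state[2 * q + q2] for q in range(4)) for q2 in (0, 1)]
        residual[sigma], probs[sigma] = r, abs(r[0]) ** 2 + abs(r[1]) ** 2
    u = rng.random()
    for sigma in BELL:                # sample sigma with its Born probability
        u -= probs[sigma]
        if u < 0:
            break
    return sigma, [a / math.sqrt(probs[sigma]) for a in residual[sigma]]

def reconstruct(sigma, theta, b_prime):
    """The classical step the talk alludes to: which Pauli pads flip a
    measurement in basis theta?  X flips basis 0, Z flips basis 1."""
    return b_prime ^ int(("X" in sigma) if theta == 0 else ("Z" in sigma))

def epr_attack(b, theta, rng):
    """One run with a single pre-shared EPR pair; returns the cheaters' answer."""
    state = [a * e for a in encode(b, theta) for e in BELL["I"]]  # |psi> (x) EPR
    sigma, bob_qubit = bell_measure(state, rng)         # Alice, next to V0
    b_prime = measure_in_basis(bob_qubit, theta, rng)   # Bob, next to V1, knows theta
    return reconstruct(sigma, theta, b_prime)           # both, after one exchange

def guess_attack(b, theta, rng):
    """No entanglement: Alice measures in a guessed basis and forwards the bit."""
    return measure_in_basis(encode(b, theta), rng.randint(0, 1), rng)

def success_rate(attack, trials=4000, seed=1):
    """Fraction of runs in which the cheaters return the honest prover's bit b."""
    rng, hits = random.Random(seed), 0
    for _ in range(trials):
        b, theta = rng.randint(0, 1), rng.randint(0, 1)
        hits += attack(b, theta, rng) == b
    return hits / trials
```

success_rate(epr_attack) is exactly 1.0 whatever sigma the Bell measurement yields, while success_rate(guess_attack) hovers around 0.75.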