Position-Based Quantum Cryptography: Impossibility and Constructions

In this work, we study position-based cryptography in the quantum setting. The aim is to use the geographical position of a party as its only credential. On the negative side, we show that if adversaries are allowed to share an arbitrarily large entangled quantum state, the task of secure position-verification is impossible. To this end, we prove the following very general result. Assume that Alice and Bob hold respectively subsystems A and B of a (possibly) unknown quantum state |ψ〉 ∈ HA ⊗ HB. Their goal is to calculate and share a new state |φ〉 = U |ψ〉, where U is a fixed unitary operation. The question that we ask is how many rounds of mutual communication are needed. It is easy to achieve such a task using two rounds of classical communication, whereas, in general, it is impossible with no communication at all. Surprisingly, in case Alice and Bob share enough entanglement to start with and we allow an arbitrarily small failure probability, we show that the same task can be done using a single round of classical communication in which Alice and Bob exchange two classical messages. Actually, we prove that a relaxed version of the task can be done with no communication at all, where the task is to compute instead a state |φ′〉 that coincides with |φ〉 = U |ψ〉 up to local operations on A and on B, which are determined by classical information held by Alice and Bob. The one-round scheme for the original task then follows as a simple corollary. We also show that these results generalize to more players. As a consequence, we show a generic attack that breaks any position-verification scheme. On the positive side, we show that if adversaries do not share any entangled quantum state but can compute arbitrary quantum operations, secure position-verification is achievable. Jointly, these results suggest the interesting question whether secure position-verification is possible in case of a bounded amount of entanglement. Our positive result can be interpreted as resolving this question in the simplest case, where the bound is set to zero. In models where secure position-verification is achievable, it has a number of interesting applications. For example, it enables secure communication over an insecure channel without having any preshared key, with the guarantee that only a party at a specific location can learn the content of the conversation. More generally, we show that in settings where secure position-verification is achievable, other position-based cryptographic schemes are possible as well, such as secure positionbased authentication and position-based key agreement. ∗Received by the editors March 20, 2013; accepted for publication (in revised form) October 29, 2013; published electronically February 4, 2014. A preliminary version of this paper appeared in Proceedings of the 31st Annual International Conference on Cryptology, 2011 [10]. http://www.siam.org/journals/sicomp/43-1/91368.html †Centrum Wiskunde & Informatica and University of Amsterdam, Amsterdam, The Netherlands ([email protected]). The work of this author was supported by an NWO VICI grant and the EU 7th framework grant QCS. ‡AT&T Labs – Security Research Center ([email protected]). Part of this work was done while the author was at UCLA. The work of this author was supported in part by NSF grants 0716835, 0716389, 0830803, and 0916574. §Centrum Wiskunde & Informatica (CWI), Amsterdam, The Netherlands ([email protected]). ¶Department of Computer Science, UCLA, Los Angeles, CA ([email protected]). The work of this author was supported in part by NSF grants 0716835, 0716389, 0830803, and 0916574. ‖Microsoft Research, Bangalore, India ([email protected]). ∗∗Department of Computer Science and Department of Mathematics, UCLA, Los Angeles, CA ([email protected]). This author’s research was supported in part by NSF grants CNS0830803, CCF-0916574, IIS-1065276, CCF-1016540, CNS-1118126, CNS-1136174; US-Israel BSF grant 2008411; OKAWA Foundation Research Award; IBM Faculty Research Award; Xerox Faculty Research Award; B. John Garrick Foundation Award; Teradata Research Award; and LockheedMartin Corporation Research Award. This material is also based upon work supported by the Defense Advanced Research Projects Agency through the U.S. Office of Naval Research under contract N00014-11-1-0392. ††University of Amsterdam and Centrum Wiskunde & Informatica (CWI), Amsterdam, The Netherlands ([email protected]). The work of this author was supported by an NWO VENI grant. 150 D ow nl oa de d 01 /1 3/ 15 to 1 92 .1 6. 19 1. 14 0. R ed is tr ib ut io n su bj ec t t o SI A M li ce ns e or c op yr ig ht ; s ee h ttp :// w w w .s ia m .o rg /jo ur na ls /o js a. ph p