Quantum information has been suggested as a means to prove beyond doubt a person's exact spatial position. But it turns out that all attempts to solve this problem using such an approach are doomed to failure.
On 20 July 1969, millions of people held their breath as they watched, live on television, Neil Armstrong set foot on the Moon. Yet Fox Television has reported that a staggering 20% of Americans have had doubts about the Apollo 11 mission. Could it have been a hoax staged by Hollywood studios here on Earth? An article by Buhrman and collaborators1, published in the CRYPTO 2011 conference proceedings, comes too late to offer a resolution of this dispute, but studies a related fundamental question: is it possible to devise a scheme by which one person can give definitive proof that he (or one of his agents) is at a specific location?
This 'secure positioning' conundrum has been studied for a number of years. However, Chandran and colleagues proved2 in 2009 that any possible scheme purporting to solve the problem could be defeated whenever it is based on classical physics. There was great excitement the following year when researchers3,4 claimed to have obtained perfect solutions to the problem by using the strange and counter-intuitive properties of quantum information. (A US patent had been issued in 2006 for a similar scheme5, but this did not percolate to the academic world until later.) Unfortunately, these solutions (including the earlier patent) can be foiled by even stranger and more counter-intuitive properties of quantum information6. So the race was on within the research community to design a cleverer quantum approach that would be unbreakable. Buhrman and collaborators1 have just crushed this hope by proving that all attempts to solve this problem are doomed to fall prey to attacks based on quantum teleportation7, in which the quantum state of a system is instantaneously transferred from one location to another, albeit encrypted until a classical message has been received.
More formally, secure positioning involves a prover and a set of verifiers. The purpose of the verifiers is to ascertain that the prover is at precisely the position he claims to be. We are not concerned about authenticity in the sense that the prover can be replaced by his trusted agent, in which case the agent must be in the purported position. Notwithstanding recent controversy8, information cannot be transmitted faster than the speed of light, according to Einstein's relativity theory. This makes it easy to ascertain that the prover is no farther than some claimed distance from one fixed verifier, according to the distance-bounding technique9: the verifier sends a random signal to the prover, who has to bounce it back immediately. If the signal comes back within one microsecond (10−6 s), then the prover (or his agent) cannot be more than 150 metres away because it takes light one microsecond to travel the 300-metre return trip.
It is tempting to infer that the prover can be pinned down to a specific position by asking him to simultaneously demonstrate that he is no more than 150 metres from two verifiers set 300 metres apart, one on either side of the purported position. Unfortunately, this simple-minded approach fails if a cheating prover has two agents, each positioned within 150 metres of one of the verifiers. The purported prover's position can be empty (no one landed on the Moon!), yet both verifiers are simultaneously satisfied, not realizing that they are talking to different agents.
A variety of classical schemes can be designed in attempts to circumvent this predicament, but none will work, according to the impossibility proof of Chandran and collaborators2. In general, all such attempts fail because the various agents can copy the information sent to them by some verifiers before forwarding it to other agents (Fig. 1). This is where quantum information comes in. A fundamental property of quantum information is that it cannot be cloned10,11. This gives hope that a well-designed quantum scheme could thwart all possible attacks. Indeed, Chandran and colleagues proposed such a scheme3 in 2010 and 'proved' its correctness. It is informative to explore this doomed attempted solution.
Quantum cryptography12 is powered by the impossibility of distinguishing between photons whose polarization is horizontal, vertical, at a 45° angle or at a −45° angle. However, it is possible to distinguish perfectly either between horizontal and vertical polarizations, or between 45° angle and −45° angle polarizations, by performing a measurement of either the rectilinear or the diagonal type, respectively. Consider now a prover who claims to be in some specific position and two verifiers situated 150 metres away, one on either side of him. We shall distinguish between the quantum verifier, who sends a polarized photon, and the classical verifier, who sends a bit of information. The verifiers have secretly agreed ahead of time on one of these four polarizations, chosen at random. When positioning has to be demonstrated, the quantum verifier prepares the corresponding photon and sends it to the prover. Simultaneously, the classical verifier sends a message to the prover, telling him which type of measurement to perform on the photon. If properly positioned, the prover can measure the photon's polarization accurately and report it back to both verifiers, who will be satisfied provided they both receive the correct response within one microsecond. To circumvent the risk of a purely lucky correct answer chosen at random by cheating agents, the procedure is repeated several times.
It seems that the correct polarization can be obtained in time only at the purported position because one simultaneously needs the photon and knowledge of the proper measurement type in order to succeed. An agent positioned closer to the quantum verifier would learn the measurement type too late to make the measurement and report on time to the classical verifier. A successful cheating strategy seems to require this agent to both keep the photon and forward it to another agent on the other side of the purported position, which is precisely what the no-cloning theorem forbids. It is remarkable that the two cheating agents can nevertheless fool the verifiers with quantum-teleportation techniques7 if they share prior entanglement, a fundamental property of quantum mechanics “that enforces its entire departure from classical lines of thought”, according to Schrödinger13. (See ref. 6 for a detailed description of this attack.)
This teleportation-based approach has been generalized by Buhrman and collaborators1 to defeat any alleged solution to the secure positioning conundrum, although the cheating agents may need to share a large amount of prior entanglement. More recently, a significantly more efficient general attack has been discovered14. On the positive side, Buhrman and colleagues give a provably secure solution under the assumption that the limited technology of would-be cheaters does not allow them to store prior entanglement. Along different lines, a variation on the theme of secure positioning has been proposed, together with a solution and a claimed proof of unconditional security15.
In my view, the most interesting remaining challenge is to design schemes that are provably secure under the assumption that the cheating agents can share a limited but non-zero amount of prior entanglement. So, did the Americans really land on the Moon in 1969? I would bet that they did, even though it is too late to prove it now.