Simplified instantaneous non-local quantum computation with applications to position-based cryptography

Instantaneous measurements of non-local observables between space-like separated regions can be performed without violating causality. This feat relies on the use of entanglement. Here we propose novel protocols for this task and the related problem of multipartite quantum computation with local operations and a single round of classical communication. Compared to previously known techniques, our protocols reduce the entanglement consumption by an exponential amount. We also prove a linear lower bound on the amount of entanglement required for the implementation of a certain non-local measurement. These results relate to position-based cryptography: an amount of entanglement scaling exponentially in the number of communicated qubits is sufficient to render any such scheme insecure. Furthermore, we show that certain schemes are secure under the assumption that the adversary has less entanglement than a given linear bound and is restricted to classical communication.

It is remarkable that the axioms of quantum mechanics are compatible with the severe restrictions imposed by relativistic causality. From the early days of quantum mechanics, this miraculous fact has repeatedly been called into question and has been a source of great controversy. Arguably the most well-known debate of this kind has centered around the Einstein-Podolsky-Rosen (EPR) paradox [1], which deals with the non-local correlations arising from a bilocal measurement of an entangled state.
A similar discussion originated from concerns about the compatibility of the measurement process with relativistic quantum field theory. In 1931, Landau and Peierls [2] showed that the electromagnetic field strength cannot be accurately measured by means of point-like test charges: an uncertainty relation implies large fluctuations in their positions, which in turn leads to the emission of radiation strongly influencing the field elsewhere. From this result, Landau and Peierls concluded that, quite generally, the standard measurement prescription of quantum mechanics does not apply in a relativistic setting.
Such difficulties reconciling quantum measurements with causality are strikingly apparent when considering nonseparable bilocal measurements (e.g., a von Neumann measurement in the Bell basis of two qubits). The instant collapse of the wavefunction induced by such measurements allows to signal instantly between space-like separated regions (see e.g., [3] for explicit examples). This may suggest that certain non-local observables are not measurable at a well-defined time in a fixed Lorentz frame. As a consequence, one may be led to believe that their expectation values do not carry any physical meaning. As with the EPR paradox, entanglement is at the root of this apparent causal restriction on the set of physically allowed observables, yet in this case, it is the observable (or measurement) instead of the state which is entangled. Somewhat ironically, entanglement also figures prominently in the resolution of this issue.
Landau and Peierls' far-reaching conclusions were soon challenged by Bohr and Rosenfeld [4], who showed how the electromagnetic field strength can be measured using spatially extended charge distributions instead of point-like test charges. Much later, Aharonov and Albert [5,6] proposed a way of measuring certain non-local variables in a manner consistent with causality. This involves the use of prior shared entanglement. A series of subsequent works [7][8][9][10][11] characterizing and extending this kind of instantaneous measurements culminated in a scheme by Vaidman [12], which allows to instantaneously measure any non-local observable. This disproves the stated existence of causality restrictions on non-local measurements.
The basic achievement of such measurement schemes is illustrated in Fig. 1. Two space-like separated observers Alice (A) and Bob (B) sharing a bipartite system AB aim to determine a certain non-local property of their joint state ρ AB = ρ AB (t 0 ) at a specific time t 0 . This property is described by a non-local POVM with operators O = {O γ AB } γ , and their goal is to sample from the probability distribution The apparent causality problem arises when the operators constituting the measurement are non-separable. Vaidman shows that this sampling problem can be solved as follows (see Fig. 1): 2. Alice sends α and Bob sends β to Charlie (a point C in the intersection of the causal cones of A and B).
3. At a later time t > t 0 after reception of the measurement outcomes (α, β), Charlie computes a valueγ by applying some function g to the pair (α, β).
In other words, all measurements are local and instantaneous and performed at time t 0 . The output is a valueγ which is computed at a time t > t 0 at C, but is supposed to pertain to a non-local measurement of ρ AB (t 0 ) at time t 0 . For any POVM {O γ AB } γ , Vaidman constructs local measurements E = {E α AA ′ } α and F = {F β BB ′ } β and a postprocessing function g such that the distribution is close to the distribution (1). Entanglement therefore allows to estimate expectation values of non-local observables at a specific instant in time without violating causality. Beyond realizing the statistics of non-local measurements, Vaidman's scheme also provides an instantaneous implementation of non-local operations. Here the goal is to apply a (non-local) unitary U AB to the joint state ρ AB of Alice and Bob. They are restricted to applying local operations and only a single round of simultaneously passed classical communication, see Fig. 2. This very limited form of interaction acts as a non-signaling constraint and makes this task non-trivial for general unitaries. Again, Vaidman's techniques demonstrate that prior shared entanglement allows to implement such non-local operations. This fact was first recognized in [13], where it was used to address a problem in cryptography.
Explicitly, a general protocol in this model proceeds as follows (see Fig. 2): 1. Alice and Bob simultaneously apply (partial) local measurements Here we have partitioned Alice's complete system AA ′ into subsystems A 1 and A 2 , and similarly for Bob.
2. Alice and Bob then simultaneously communicate α and β to each other. Vaidman's scheme gives, for every unitary U AB , measurements and postprocessing operations such that the final state after these operations is close to U AB ρ AB U † AB . Our focus here is on the amount of shared entanglement required for the implementation of such primitives. Assuming that A and B consist of n qubits each, we give procedures which solve these tasks to arbitrary constant precision while consuming O(n2 8n ) ebits of entanglement. In contrast, earlier schemes based on Vaidman's ideas According to the (communicated) measurement results (α, β), Alice and Bob apply local post-processing operations M α,β and N α,β , respectively. The measurements and postprocessing operations are chosen such that the resulting average stateρAB = α, require an amount of entanglement scaling doubly exponentially with n. Our protocols are considerably simpler because they are based on a modified version of teleportation proposed by Ishizaka and Hiroshima [14,15]. It is worth emphasizing that our procedures only use the POVM {O γ AB } or the unitary U AB as a black box (and do not depend on their particular form), and moreover are universal in the sense that the number of required ebits is independent of the particular measurement or unitary that is implemented. For specific instances, much more efficient schemes are known: in [3], it was shown that it is possible to realize a non-local unitary U by consuming an amount of entanglement exponential in M , where M is the length of a factorization of U = R 1 · · · R M into Pauli rotations {R j } j . Note, however, that for a generic n-qubit unitary, M is exponentially large in n, and then our scheme again provides an exponential saving for a typical unitary.
On the negative side, by constructing a specific example, we show that a linear number of ebits is generally insufficient to perform an instantaneous distributed measurement. This impossibility result improves upon [13], where it is shown that a certain such task cannot be performed without shared entanglement.
Our results significantly tighten previously known upper and lower bounds on the amount of entanglement required for instantaneous non-local measurement and computation, but still leave an exponential gap. We conjecture that the entanglement scaling of our protocols is essentially optimal among protocols which only make black-box use of the unitary or measurement, as explained above.
These results have direct application to position-based quantum cryptography, which attempts to exploit the location of an entity as its only credential. Our techniques show that any such scheme is insecure in the presence of malicious players sharing an amount of entanglement exponential in the number of communicated qubits. This was previously known only when the amount of entanglement is doubly exponential [13].
On the other hand, we prove the security of certain protocols assuming that the adversarial players have less entanglement than a given linear bound and are restricted to classical communication. We show that under these assumptions, certain protocols have exponential soundness, i.e., the adversarial players have a negligible probability of cheating successfully. In contrast, previously known security proofs achieving exponential soundness [13] do not allow any prior entanglement (while also requiring the restriction to classical communication, see discussion after equation (15) below).
We present two types of protocols with exponential soundness assuming limited entanglement and classical communication: the first one relies on the impossibility of implementing a certain high-dimensional instantaneous measurement, whereas the second one is obtained by parallel composition and reduction to the case of adversaries without prior entanglement. The latter scenario was previously analyzed in [13]. It gives rise to a protocol which can be realized using single-qubit manipulations only.
The restriction to (unlimited, but) classical instead of quantum information is natural in the study of resource requirements for instantaneous measurement and computation. Indeed, allowing (unlimited) quantum communication would render instantaneous measurements trivial. Also, given an implementation of an instantaneous quantum computation, quantum communication can easily be traded against a corresponding increase in prior entanglement (using teleportation). However, in position-based quantum cryptography, the restriction to classical communication is less natural: ideally, security should be established even in the case where the adversaries are allowed to communicate an arbitrary amount of quantum information. Such strong results are currently only known with constant soundness and a zero or constant amount of prior entanglement. Establishing similar results for e.g., a linear amount of entanglement and exponential soundness is a major open problem in this context. We briefly discuss the implementation of a bipartite unitary U AB using Vaidman's scheme [12]. While this is not directly needed for the discussion of our scheme, it helps to clarify the nature of our simplifications. In particular, in Section I C, we will discuss how the doubly exponential scaling of the entanglement consumption arises in Vaidman's procedure.
Vaidman's scheme assumes that Alice and Bob share a large supply of EPR pairs . This entanglement can in principle be used for teleportation [17]: to teleport a qubit state |Ψ A to Bob, Alice measures A and her part A ′ of an EPR pair in the Bell basis. She obtains each outcome k ∈ {0, 1, 2, 3} with equal probability 1/4. We will refer to such a measurement as a teleportation measurement. Conditioned on her outcome being k, Bob's register B ′ contains the state σ k |Ψ A , where {σ i } 3 i=0 are the Pauli operators. Standard teleportation then proceeds by Alice sending k to Bob, and Bob applying the correction operation σ k .
Clearly, n shared EPR pairs can be used to teleport an arbitrary n-qubit state |Ψ : Alice's teleportation measurement is a tensor product measurement between each qubit and one half of an EPR pair. It gives each outcome k ∈ {0, 1, 2, 3} n with probability 4 −n . Bob's state in his part of the EPR pairs then ends up being σ k |Ψ A , where σ k = σ k1 ⊗ · · · ⊗ σ kn . Sending k ∈ {0, 1, 2, 3} n to Bob allows him to apply the Pauli correction σ k .
In a setting with free classical communication, applying a unitary to their joint state would easily be achievable using teleportation: Bob teleports n qubits (system B) to Alice using n ebits of entanglement. Alice applies U AB and teleports the system B back to Bob. However, teleportation cannot directly be used for instantaneous non-local computation because outcomes of teleportation measurements cannot be communicated. To get around this problem, Vaidman uses an elaborate recursive technique which we explain in Section I B.
A. Reduction to a state held by one of the parties It is instructive to see that, while teleportation is not directly applicable in the setting of instantaneous measurement, it can nevertheless be used advantageously. In the following we show that in order to implement a bipartite unitary U = U AB applied to a state |Ψ = |Ψ AB ∈ (C 2 ) ⊗n ⊗(C 2 ) ⊗n it suffices to provide a protocol P ′ with the following properties: it proceeds by application of local operations only (no communication is allowed) and after completion of the protocol, Bob holds the state σ s U |Ψ in one of his registers, and Alice and Bob have classical information α and β (measurement outcomes) that together determine s = s(α, β) ∈ {0, 1, 2, 3} 2n . If we design such a P ′ , the procedure of implementing the unitary U on |Ψ is immediate: 1.a Alice and Bob run P ′ , getting classical outcomes (α, β) and the state σ s U |Ψ in Bob's registers B ′ 1 B ′ 2 , where s = (α, β).

1.b
Bob performs a teleportation measurement on B ′ 1 and n EPR pairs shared between Alice and Bob in registers A ′′ : B ′′ . He obtains the outcome v ∈ {0, 1, 2, 3} n .
2 Alice sends α to Bob. Bob sends β and v to Alice.
At the end of this protocol Alice and Bob share U |Ψ in A ′′ : B ′ 2 .

B. Vaidman's recursive scheme
We now show how Vaidman realizes a protocol P ′ as described in the previous section. Even though the final measurements are done instantaneously and simultaneously, it is useful for the construction to think of an interactive procedure. Since no communication is allowed in P ′ and Alice and Bob's measurements commute, this interactive protocol is indeed instantaneous.
In the first round, Bob performs a teleportation measurement on B and his part of n ebits in registers A ′ 1 : B ′ 1 . Conditioned on the outcomes being t 1 ∈ {0, 1, 2, 3} n , Alice now has the state (I A ⊗ σ t1 )|Ψ in AA ′ 1 . Since Alice is ignorant of t 1 , she cannot apply the corresponding correction operation. Instead, she simply applies U (1) = U to her state, and then performs a teleportation measurement between the resulting state and 2n ebits in registers A ′′ 1 : B ′′ 1 shared between Alice and Bob. Denoting by s 1 ∈ {0, 1, 2, 3} 2n be the outcome of Alice's measurement, Bob holds the state σ s1 U (I A ⊗ σ t1 )|Ψ in his register B ′′ 1 , which can be written as Clearly, if t 1 = 0 n , then U (2) s1 (t 1 ) = σ s1 . This means that Bob has a state of the desired form and can stop. In the actual protocol, this means that Bob does not perform further measurements. However, t 1 = 0 n happens only with probability 4 −n .
Vaidman's crucial insight was that it is possible to recursively apply this procedure, essentially attempting to implement U (2) s1 (t 1 ) in the next round. However, this is not entirely straightforward since Bob's measurement outcome t 1 (unlike s 1 ) is unknown to Alice. To get around this, Alice and Bob use, for every possible outcomet 1 of Bob's measurement result, a separate set of 2n ebits in registers A ′ 1,t1 : B ′ 1,t1 for the Bob's teleportation measurements, and 2n ebits in registers A ′′ 1,t1 : B ′′ 1,t1 for Alice's measurements. In essence, this allows Alice to implement operations which effectively depend on the outcomes t 1 of the previous round. She just applies, for eacht 1 , a suitably chosen operation to registers A ′ 1,t1 and A ′′ 1,t1 which may depend ont 1 . Because Bob holds t 1 , he knows which pair (B ′ 1,t1 , B ′′ 1,t1 ) of registers is the relevant one containing the desired state.

C. Entanglement consumption in Vaidman's scheme
The amount of entanglement required in R rounds is roughly proportional to the number of sequences (t 1 , . . . ,t R−1 ) and therefore exponential in R. Since the probability of success in each round (except the first round which is 4 −n ) equals 4 −2n , to reach the success probability 1 − ε, R needs to be roughly log(1/ε) · 2 4n . As a result, the amount of required entanglement for a constant ε is doubly exponential in n.
Clearly, the reason for this unfavorable behavior is the recursive structure of the protocol, which is a consequence of the non-interactive way the teleportation correction operations are dealt with. Our simplified schemes avoid these problems altogether by making use of a different kind of teleportation scheme whose correction operations are in some sense trivial. In particular, the resulting scheme is non-recursive.

II. PORT-BASED TELEPORTATION
In this section, we review a form of teleportation introduced by Ishizaka and Hiroshima [14,15]. To distinguish this kind of teleportation from the better known usual scheme, we borrow from their terminology and call this port-based teleportation.

A. Teleportation without correction
The goal of port-based teleportation is to achieve teleportation with simpler correction operations on Bob's side. Instead of being able to apply arbitrary Pauli operations, we assume that Bob can only perform the arguably simplest imaginable CPTP map depending on classical information. That is, Bob can discard any subsystem of his choosing according to the classical information received from Alice.
Remarkably, teleportation is still possible in this restricted setting using a more intricate measurement on Alice's side. Concretely, Alice wants to teleport a qudit state |Ψ A from her system A ∼ = C d to Bob's system B ∼ = C d . We assume that Alice and Bob share N copies of the maximally entangled state We fix an orthonormal standard basis in each of these spaces. The protocol proposed in [14] then proceeds as follows: She sends the result i to Bob.
where |Φ is the maximally entangled state. Because of the relation [18] (F (E)d + 1)/(d + 1) = Ψ|E(|Ψ Ψ|)|Ψ dΨ , between entanglement fidelity F (E) and the output fidelity averaged over the Haar measure on all pure input states, a lower bound on (6) expresses how well E preserves quantum information for random inputs on average. The following is shown in [14,15].
Due to the importance of port-based teleportation to our schemes for instantaneous computation, we give a detailed derivation of Theorem II.1 in A. Instead of measuring average-case closeness to the identity channel, it is desirable to have worst-case bounds. In other words, we would like to show that the state on B at the end of the port-based teleportation scheme is close to the original input state on A for all inputs. This requires using a distance measure different from the entanglement fidelity (6). A natural distance measure on the set of CPTP maps is the completely bounded trace norm or diamond norm denoted · ⋄ . This norm is defined in terms of the trace norm The trace norm induces a norm where I C k is the identity (super)operator on B(C k ). Given two CPTP maps E : B(A) → B(B) and F : B(A) → B(B), E − F ⋄ is a natural measure of their distance because of the following operational interpretation. The quantity is equal to the probability of successfully distinguishing E from F when a single instance of either one of these channels is provided with equal prior probability. This implies that the diamond-distance can only decrease under composition of maps.
Proof. Consider a superoperator Ω : B(A) → B(B) and let C ∼ = A. The Choi-Jamiolkowski representation [19,20] of Ω is the operator Because J(I C d ) is pure, we can use the general inequality (see e.g., [21]) bounding the distance between a pure state |Ψ and a mixed state ρ. We conclude that The claim then follows from the linearity of the map J, inequality (8) and the following lemma applied to Ω = E |Φ ⊗N − I C d .
Lemma II.3. For every two CPTP maps Ω 1 , Ω 2 : B(A) → B(B) we have Proof. Let Ω = Ω 1 − Ω 2 and C ∼ = A. It is well-known (see e.g., [22]) that for any such Ω On the other hand, for every |Ψ AC there exists M C such that |Ψ AC = I A ⊗ M C |Φ AC , where due to normalization tr M † C M C = dim A. Then we have As a result, where · ∞ denotes the operator norm, and in the last line we use the normalization of M C .

III. PROTOCOLS FOR INSTANTANEOUS MEASUREMENT AND COMPUTATION
Here we propose and analyze two novel protocols for instantaneous measurement and computation. Both protocols depend on a parameter N which captures the amount of entanglement consumed and the accuracy achieved by the protocol. The first protocol π N (O) gives an instantaneous realization of a (non-local) POVM O = {O γ AB } γ . The second protocol π N (U ) implements a non-local unitary U AB . In the following descriptions, we divide up the instantaneous (simultaneous) application of measurements by both Alice and Bob into several stages to simplify the analysis. Note, however, that the actions of Alice and Bob commute and do not have to be performed in the prescribed order.

Upon receiving this classical information, Charlie outputs γ i .
Protocol π N (U ): implementation of a unitary U AB on a state |Ψ AB ∈ (C 2 ) ⊗n ⊗ (C 2 ) ⊗n Alice and Bob share auxiliary systems A ′ A ′′N : B ′ B ′′N as in protocol π N (O). Here we assume that each A ′′ j is partitioned into an A-part and a B-part (with n qubits each), and similarly for B ′′ j . They additionally share, for every j ∈ {1, . . . , N }, n ebits of entanglement in systems A ′′′ j : B ′′′ j . 1(a)-1(b). Execute steps 1(a) and 1(b) of protocol π N (O). 1(c). For every j ∈ {1, . . . , N }, Bob applies U (I⊗σ t ) to B ′′ j . Then he performs a (usual) teleportation measurement between the A-part of B ′′ j and B ′′′ j . Letting v j ∈ {0, 1, 2, 3} n be the outcome of this measurement, systems A ′′′ i and the B-part of B ′′ i now contain (σ vi ⊗ I)U |Ψ (with high fidelity). 2. Alice sends i to Bob, and Bob sends the list {(j, v j )} j to Alice.

Alice discards everything except A ′′′
i , on which she applies σ vi . Bob discards everything except the B-part of B ′′ i .
To quantitatively express the accuracy of these protocols, we use the diamond norm. For this to make sense for POVMs, we regard a POVM E = {E i } i as a CPTP map with output diagonal in the standard basis, i.e., E(ρ) = i tr(E i ρ)|i i|. The following theorem is an easy consequence of Corollary II.2 and the fact that the diamond-distance does not increase under the composition of CPTP maps.
Theorem III.1. The protocols introduced in this section have the following properties for any ε > 0. (ii) Let U = U AB be a bipartite POVM on (C 2 ) ⊗n ⊗ (C 2 ) ⊗n . Set N := 2 8n+4 /ε 2 and let E be the CPTP map defined by protocol π N (U ). Then E approximates U up to accuracy

ebits of entanglement.
These protocols and their analysis can clearly be extended in a straightforward manner to multipartite (i.e., more than bipartite) non-local POVMs and unitaries.

IV. A LOWER BOUND
In this section, we show that there is a measurement on 2n qubits which is not realizable instantaneously with fewer than n/2 ebits of entanglement. Our construction is based on mutually unbiased bases. It is known [23][24][25] that if d = p n is a power of a prime number, then a set of d + 1 pairwise mutually unbiased bases {B a := {|e a x } d x=1 } d a=0 exists in C d . We will assume that d is of this form (specifically d = 2 n ).  Fig. 1

). Then their success probability is upper bounded by
Proof. Because of the linearity of the success probability as a function of the input ensemble, it suffices to prove the bound (9) in the case where Alice and Bob receive |a and |e a x respectively, each with probability 1/d(d + 1). Since Alice's input A is a classical register (containing a), we may assume without loss of generality that her message α to Charlie is determined by measuring the register A ′ using a POVM {E a,α A ′ } α which depends on a. Letting {F β BB ′ } β be Bob's measurement and g be the classical post-processing function, the success probability is equal to Using we have If we show that a,α tr(τ a,α B ′ )|e a g(α,β) e a g(α,β) | B the claim of the theorem follows because It remains to prove (11) for a fixed β. Consider the (not necessarily normalized) vector where R is an auxiliary Hilbert space with orthonormal basis {|a, α R } a,α . Denoting by M the matrix of interest in (11), we have On the other hand, by a simple triangle inequality we obtain that for every matrix (c ij ) i,j , (c ij ) i,j ∞ ≤ (|c ij |) i,j ∞ , where | · | denotes the absolute value of a complex number. Therefore, The first summand can be bounded as To bound the second term, we use the direct sum property C ⊕ D ∞ = max{ C ∞ , D ∞ }, the triangle inequality and the easily verified fact that for real symmetric matrices K and L with nonnegative entries. This gives Combining (IV) and (12) yields (11).
This result may be expressed in terms of the diamond norm. Let {U a } d a=0 be the set of unitaries that rotate the standard basis into a set of such mutually unbiased basis, i.e., U a |x = |e a x and let Then is a POVM that exactly outputs x under a randomly chosen ρ x AB .
Corollary IV.2 (Impossibility of instantaneous measurement). Let M AB = {M x } x be an instantaneous measurement on C d ⊗ C d implemented with shared entanglement η A ′ B ′ as in Fig. 1.
where O AB is the POVM (13).
Proof. Define Then due to the definition of the diamond norm we have where p succ denotes the probability that M AB successfully finds x, and in the last line we use Theorem IV.1.

V. IMPLICATIONS FOR POSITION-BASED QUANTUM CRYPTOGRAPHY
Position-based cryptography revolves around the idea of using the geographical location of an entity as its only credential. One of the most basic position-based primitives is position-verification: Here a prover P tries to convince a set of verifiers {V i } S i=1 that he is at a specific location r 0 ∈ R D in space (D = 3 is of most interest in practice, of course). Proposed protocols for this problem usually assume that the verifiers are located throughout space at different positions r Vi (such that r 0 is e.g., in the convex hull of { r Vi } i ) and have synchronized clocks. They proceed by applying distance bounding techniques [26]: the verifiers send challenges to P and obtain bounds on their distance to P by measuring the time taken for his responses to arrive. All computational processes are assumed to be essentially instantaneous, that is, fast in comparison to the ratio between the desired spatial resolution and the speed of light.
A number of classical protocols for position-verification have been proposed in the past (see e.g., [13] for a list of references), but it was shown in [27] that security is unachievable by any classical protocol without additional assumptions if there are colluding adversaries (at different locations). Position-based quantum cryptography attempts to overcome this impossibility using quantum cryptographic techniques. Its history is somewhat reminiscent of the study of bit commitment: this primitive was also known to be classically unachievable and the use of quantum cryptographic techniques appeared promising for a while. Then, Mayers [28], and Lo and Chau [29] showed that secure bit commitment is generally unachievable in a quantum setting. We refer to [30] for a nice introduction to the basic ideas of position-based quantum cryptography with examples of simple attacks on specific schemes. Further attacks on previously proposed schemes were found by Lau and Lo in [16], and a general impossibility proof was given by Buhrman et al. [13] based on Vaidman's techniques for instantaneous measurements.
The impossibility of secure position-based quantum cryptography has motivated the search for schemes secure under additional assumptions. Since known attacks rely on entanglement shared between colluding adversaries, it is natural to limit the amount of entanglement available to adversaries. In [13], a position-based scheme was shown to be secure under the assumption that the adversaries share no entanglement. In [16], a security proof for a scheme was given that relies on the assumption that the adversaries share entanglement in the form of a two-or three-level system.
Our results on instantaneous quantum computation tighten the impossibility result of [13] by reducing the amount of entanglement required for a successful attack to an exponential (instead of doubly exponential) amount. On the positive side, we provide a single-round protocol which is secure if the adversaries share less entanglement than a given linear bound and are restricted to classical communication. We also relate the security of a protocol in the setting of no prior shared entanglement to its security in the case where the adversaries have a limited amount of entanglement (and are otherwise unrestricted). This implies for example that the multi-round protocol of [13] remains secure even if the adversaries share less than a linear amount of entanglement.
To illustrate the main points, we focus on the problem of position-verification in D = 1 dimension. We assume that the (honest) prover is at a location r 0 between the two verifiers V 1 and V 2 , i.e., r V1 < r 0 < r V2 and wants to convince them of this fact. We consider protocols which satisfy the following correctness condition: if P is located at r 0 , he can always make the verifiers accept. A colluding set of adversaries {P i } M i=1 may try to convince the verifiers that at least one of them is at location r 0 , while in fact, none of them actually is, |rP i − r 0 | > ∆ (where ∆ is the desired spatial resolution). The figure of merit is the soundness of such a protocol. Following [13], we say that a protocol for position-verification is ε-sound if any colluding set of adversaries {P i } M i=1 cannot make the verifiers accept with probability more than ε.
For concreteness, we discuss the following protocol π n for position-verification. It depends on a parameter n and involves, as in Section IV, a set of unitaries {U a } d a=1 taking the computational basis of C d to d mutually unbiased bases, where d = 2 n .
Protocol π n (r 0 ): position-verification proving that P is at r 0 ∈ R V 0 and V 1 are at positions r V0 < r 0 < r V1 and share common (secret) randomness in the form of uniformly distributed bit strings a, x ∈ {0, 1} n .
1. V 0 sends a to P and V 1 prepares the state U a |x and sends it to P . The timing is chosen such that both the classical information and the quantum state arrive at r 0 at the same time.
2. P measures the state in the basis {|e a i } i , getting measurement outcomex ∈ {0, 1} n . He sendsx to both V 0 and V 1 .
3. V 0 and V 1 accept if they receivex at times consistent withx being emitted from r 0 in both directions simultaneously (instantaneously after a and U a |x reach r 0 ), andx = x.
It is easy to check that this protocol is correct in the sense defined above. This and similar protocols have been studied in a series of papers [13,16,[30][31][32]. The motivation for considering such protocols originated from the no-cloning principle. It seems to suggest that to successfully convince the verifiers, some cheating adversaries have to clone the (classical) information x without knowledge of the basis this information is encoded in. It was realized early on, however, that this intuition is misleading because entanglement between colluding adversaries can render such schemes insecure. That is, consider two colluding adversariesP 1 ,P 2 located on either side of r 0 , with r V1 < rP 1 < r 0 < rP 2 < r V2 . We assume that their distance |rP i − r 0 | > ∆ from r 0 is larger than the desired spatial resolution ∆. We further assume that they share entanglement. Specializing the results of [13] to the protocol π n (r 0 ) and using our version of instantaneous computation then gives Lemma V.1. Protocol π n (r 0 ) is not ε-sound againstP 0 andP 1 if they share n 1 + 2 8n+5 (1−ε) 2 ebits of entanglement.
Proof. To attack the protocol,P 0 andP 1 are faced with the analogous challenge as Alice and Bob in the situation described in the proof of Theorem IV.1 (with d = 2 n instead of d + 1 mutually unbiased bases). The soundness parameter ε is equal to the success probability of correctly guessing x based on an instantaneous measurement of their state ρ x AB . Since the non-local POVM O defined by (13) does so with certainty, it suffices to approximate this POVM by an instantaneous measurement with accuracy 1 − ε in diamond norm. The claim therefore follows from Theorem III.1 (i).
In contrast, the results of [13] rely on Vaidman's techniques, and therefore only show insecurity ifP 0 andP 1 share a doubly exponential (in n) amount of entanglement. The same proof technique applies to more general protocols, including multiple parties, see [13].
On the positive side, we prove security of the protocol π n (r 0 ) against adversaries limited as follows: they share fewer than n/2 ebits of entanglement and are restricted to classical communication.
Proof. As in the proof of Lemma V.1, we can upper bound the soundness of the protocol π n (r 0 ) by Alice and Bob's success probability in the setting of Theorem IV.1. Adapting the proof of the latter shows that the upper bound (9) holds even if d = 2 n instead of d + 1 mutually unbiased bases are used. The claim follows immediately.
The protocol π n (r 0 ) may not be very practical if n is large because it requires even honest parties to manipulate n qubits at a time. It has, however, the appealing feature that it consists of only one round of communication between the verifiers and the prover and nevertheless achieves exponential security. In the setting where quantum communication is allowed, we may ask whether and how this degree of security could be achieved with a similar one-round protocol. Answering this may prove challenging because of the locking effect [33].
To obtain a more practical protocol with exponential security, we can consider multi-round protocols: sequential composition decreases the soundness error of a protocol. For example, it is shown in [13] that the protocol π := π 1 (r 0 ) is ε-sound (even when allowing quantum communication) with if there is no shared entanglement betweenP 0 andP 1 . Here we write ∅ to signify absence of entanglement and h(p) = −p log p − (1 − p) log(1 − p) is the binary entropy function. (We point out that similar results were found in [16] for a constant amount of prior entanglement, that is, qubits or qutrits.) Equation (14) implies (see [13,Corollary 2]) that the L-fold sequential composition π •L has exponentially small soundness error if the adversaries share no entanglement and are restricted to classical communication between rounds. The restriction to classical communication is necessary as the adversaries could otherwise distribute and use an arbitrary amount of entanglement in the course of attacking the composed protocol. We now show that sequential composition of a protocol can provide exponential security even in a setting where the adversaries have a linear amount of entanglement. This is based on the following relation between the no-entanglement setting and the case of a limited amount of entanglement.
Lemma V.3. Consider a protocol π achieving position-verification with soundness error ε(π, ∅) in the case where the adversaries share no entanglement. In a setting where the adversaries share an (arbitrary) entangled state η A ′ B ′ , its soundness error ε(π, η A ′ B ′ ) is upper bounded as follows: Proof. Without loss of generality, we may assume that the protocol π takes the following form. In a first step, a quantum state ρ ABST is distributed, with the adversariesP 0 ,P 1 holding A and B, respectively, and the verifiers V 0 and V 1 holding S and T . This step is followed by various (arbitrary) actions of the adversaries alternating with actions of the verifiers as prescribed by the protocol. We can describe this by a CPTP map F acting on the initial state and the entanglement shared by the adversaries. Finally, a binary valued measurement {E, I − E} (where 0 ≤ E ≤ I) is applied to the resulting state. Its outcome determines whether or not the verifiers accept. The soundness error of a protocol π whenP 0 andP 1 have a shared entangled state η A ′ B ′ can then be expressed as Here the maximum is over all CPTP maps compatible with the protocol, i.e., resulting from combining an arbitrary cheating strategy of the adversaries with the fixed actions of the verifiers. We use the same kind of proof strategy as before (cf. (10)), replacing shared entanglement by the completely mixed state. Let F * be the optimal POVM achieving the maximum on the rhs. of (16). Then where θ A ′ B ′ is the completely mixed state on A ′ B ′ . But this expression is equivalent to simply having shared randomness between the adversaries. This implies that tr(EF * (ρ ABST ⊗ θ A ′ B ′ )) ≤ ε(π, ∅) and the claim follows.
Combining (15) with Lemma V.3, we obtain the following statement.
Lemma V.4. Consider two adversaries sharing an arbitrary entangled state η A ′ B ′ on (C 2 ) ⊗k ⊗ (C 2 ) ⊗k and restricted to classical communication. The L-fold sequential composition π 1 (r 0 ) •L of the protocol π 1 (r 0 ) is ε-sound if Lemma V.4 and Lemma V.2 give roughly the same scaling for the maximal amount of tolerable prior entanglement as a function of the soundness parameter. However, the protocol of Lemma V.4 is arguably more practical.
be the average probability of successfully distinguishing the states {η i } N i=1 with uniform prior distribution using this POVM. Let E = E |Φ ⊗N : B(A) → B(B) be the port-based teleportation map (5) associated with the POVM. The entanglement fidelity of this CPTP map satisfies

Proof. Fix an orthonormal basis for systems
We write E A = F B for two operators E A and F B acting on isomorphic Hilbert spaces A and B if their matrix elements in the computational basis coincide.
The entanglement fidelity of E is equal to F (E) = tr P BC (E ⊗ I C )(P AC ) , where P = |Φ Φ| is the projection onto the maximally entangled state |Φ = 1 √ d d i=1 |i |i . Omitting identity operators and tensor products for ease of notation, we have For every operator X we have (X ⊗ I)P = (I ⊗ X T )P and P (I ⊗ X) = P (X T ⊗ I) , where X T is the transpose of matrix X (with respect to the standard basis). Then Reinserting (A3) and using the fact that the partial trace of P is the fully mixed state we obtain

A lower bound on the success probability of the pretty good measurement
Having reduced port-based teleportation to a hypothesis testing problem, it remains to show that there is a suitable POVM solving the latter. Concretely, we need to provide a POVM {E i } N i=1 that distinguishes the family of states {η i } N i=1 , defined by (A1). Ishizaka and Hiroshima [14,15] show that the pretty good measurement does so with sufficiently high success probability Here we rederive and generalize their bound on the quantity (A5): we derive a general lower bound on the success probability of the pretty good measurement for any (uniform) family of states { 1 N , η i } N i=1 (see Lemma A.3 below). We will apply this bound to port-based teleportation in Appendix A 3.
Our main technical tool is the following inequality.
Lemma A.2. Let X and Y be non-negative operators on two (not necessarily identical) Hilbert spaces, satisfying tr X = tr √ Y .

Proof of Theorem II.1
To prove Theorem II.1, we combine the reformulation of Lemma A.1 with the lower bound on the success probability of the pretty good measurement (Lemma A.3).
According to Lemma A.1, we need to consider the problem of distinguishing the states where ρ = I/d is the completely mixed state. We have As a result, for the ensemble averageη = 1 N i η i . Furthermore, we haver = rankη 1 = d N −1 . Using Lemma A.3, we conclude that In particular, according to Lemma A.1, this implies that there is a POVM {E i AA ′N } N i=1 such that the associated CPTP map E |Φ ⊗N achieves port-based teleportation with entanglement fidelity as claimed.