Practically secure quantum position verification

We discuss quantum position verification (QPV) protocols in which the verifiers create and send single-qubit states to the prover. QPV protocols using single-qubit states are known to be insecure against adversaries that share a small number of entangled qubits. We introduce QPV protocols that are practically secure: they only require single-qubit states from each of the verifiers, yet their security is broken if the adversaries sharing an impractically large number of entangled qubits employ teleportation-based attacks. These protocols are a modification of known QPV protocols in which we include a classical random oracle without altering the amount of quantum resources needed by the verifiers. We present a cheating strategy that requires a number of entangled qubits shared among the adversaries that grows exponentially with the size of the classical input of the random oracle.


I. INTRODUCTION
Suppose that a security organization would like to identify the position of its spy in a secure location, who could possibly be surrounded by adversaries, before initiating any distant private communication.The security organization could execute a protocol whose task is to use the spatial position of the spy as its only credential that has to be verified by the organization.In general, there are situations, such as in position-based cryptography [1,2], in which it is in the interest of the collaborating parties to authenticate their positions before initiating any secure communication.Protocols to achieve such a task are often called position verification.
In the task of position verification, we assume that a prover P is located at a fixed spatial position pos.There is a set {V i } K−1 i=0 of K verifiers located at different positions.A time-bound interactive protocol is allowed to run between the verifiers and the prover in order for the prover to convince the verifiers of his position credential.All the verifiers can communicate privately among themselves and collectively agree on items that each individual verifier would send to the prover along with the task that the prover has to perform.The prover is expected to send the information obtained at the end of the task performed on the received items within the time limit set by the verifiers, which is typically equal to the time that a signal would take to travel from pos to the farthest verifier.
In this paper, we discuss quantum position verification (QPV) protocols in which the verifiers and the prover employ quantum strategies against adversaries capable of quantum attacks.Our goal is to develop QPV schemes that are practically secure: while the verifiers use a few qubits, the adversaries need an exponentially large amount of resources (shared entanglement and quantum computational power) to break the security of the protocol.The important point to note is that the entanglement distribution over long distances and the storage of entangled qubits are technologically challenging (cf.with Refs.[3,4]) which limit the attacking capability of the adversaries.In this sense, we state that the schemes we have presented are technologically feasible and practically secure.
In 1993, Brands and Chaum [1] introduced the "distance bounding" technique in the classical setting by timing the delay between sending out of a challenge bit from a verifier to the prover and receiving back the corresponding response bit.If the speed of communication is bounded by the speed of light, this technique gives an upper bound on the distance between the prover and the verifier.These ideas were extended in Ref. [2] (in the classical setting) to what is now known as position verification.In particular, in the so-called "Vanilla model", the prover is located at a position pos that lies inside the tetrahedron enclosed by the verifiers.In this model, there is always a possibility that a group of adversaries can collectively disguise themselves as the honest prover by convincing the verifiers of being located at pos even when they are all positioned elsewhere.It is assumed that an adversary can locally store all information she receives, and at the same time share this information with other colluding adversaries located elsewhere.This impossibility result rules out the existence of a secure position verification protocol under classical settings even when one makes computational hardness assumptions on the adversaries [2,5].
A natural question that arises is whether there exists a secure position verification protocol in the quantum setting.One early position-based cryptography protocol in the quantum setting is quantum tagging, first discussed in 2002 and described in a 2006 patent, Ref. [6].Quantum tagging is the task of authenticating the location of a classical tagging device by sending and receiving quantum signals from distant sites.It is assumed that adversaries control the environment, and that their quantum information processing and transmitting power is unbounded.In Ref. [7], several schemes for the quantum tagging task were described, and their security breach using quantum-teleportation-based attacks were discussed.
After the introduction of quantum tagging [6], a few other proposals of secure QPV protocols were discussed in Refs.[5,8,9] 1 .The possibility of "instantaneous measurement" of non-local variables (observables) [10] leads to the breaking down of security of such QPV protocols by colluding adversaries performing teleportation-based attacks [5,11].As it turns out, all of these proposed schemes can be broken by colluding adversaries employing teleportation-based attacks [5,7,12,13].Various other QPV protocols and attack strategies by adversaries have been proposed [13][14][15][16][17][18][19][20] along with a security analysis with different physical constraints on the colluding adversaries, among which Ref. [15] was the first to make use of random oracle in the protocol.Some works have also established lower bounds on the number of entangled pairs required by the adversaries to breach the security of certain QPV protocols [11,[13][14][15]21].
We note, however, that others have argued that quantum location verification protocols do exist for which no undetectable attack is known [22].
An important feature of a QPV protocol is the limited time in which the prover can perform the computations and communicate with the verifiers.This suggests the possibility of strengthening QPV protocols by taking this time limit into account and negating the practical feasibility of teleportation-based attacks by colluding adversaries within the given time limit.As a consequence of such limited-time constraints, it is possible that the adversaries would need to share a very large amount of resources (entangled pairs and quantum computational power) between them for each round of the protocol to breach security, while the verifiers would use only a few low-dimensional quantum states for the protocol.
In this work, we introduce one such protocol by modifying previously-known protocols.Our protocol uses single-qubit states from each verifier and makes use of a classical random oracle held by the verifiers and the prover.By using the best-known teleportation-based attack strategies [5,11], we show that the number of entangled qubits that need to be shared among the adversaries in order to breach security grows exponentially with the size of the classical input of the random oracle.In Section II, we introduce QPV and fix the notation.In Sec-tion II A, we present known QPV protocols that make use of single-qubit states.As a warm-up to the next Section, we also introduce a modification by adding classical information into the protocols which tightens their security.In Section III, we introduce novel QPV protocols by adding a classical random oracle.These protocols appear to be practically secure under the attack of colluding adversaries sharing a large amount of entangled pairs (exponentially growing with the length of classical information), even though each verifier sends just one qubit to the prover to execute the QPV protocol.Finally, in Section IV, we conclude.

II. QUANTUM POSITION VERIFICATION
The goal of a QPV protocol is for a set Ver(K) = {V i } i , i ∈ {0, 1, . . ., K − 1}, of K verifiers to authenticate the spatial position pos of a prover P .The spatial positions of all the parties involved are fixed in time.The prover P is assumed to lie within the convex hull formed from the spatial positions of the verifiers.For all i, let pos i denote the spatial position of V i .All the verifiers can securely communicate among themselves to decide on a list Item = {item i } i of items, where item i corresponds to items that are transmitted from V i to pos.Each item i comprises arrays of classical bits and quantum states.The verifiers and the prover agree upon the set Opn of operations that the prover has to perform based on the elements of Item.All the measurement operations and computations by P are assumed to be instantaneous.The result Rslt at the end of operations instructed in Opn is broadcast to all the verifiers.The information communication, Item and Rslt, between the prover and the verifiers is assumed to take place at the speed c of light.For simplicity, we set c = 1.Then the time taken for information to travel between the verifiers and the prover is equal to the spatial distance between them.Now, suppose that there is a set Adv = {E i } i of colluding adversaries, each E i positioned at pos i between V i and pos.These adversaries want to cheat the verifiers by convincing them of being positioned at pos, even though pos i = pos for all i.We restrict the adversaries to make use of resources available only at their positions pos i for all i.However, they may share nonlocal quantum resources, such as entanglement.They are allowed to collude through classical communication among each other.Classical communication among the adversaries, and between them and the verifiers, is assumed to be at the speed of light.We denote the Euclidean distance between any two spatial positions pos i and pos by dis(pos i , pos).Furthermore, we assume that the spatial distance between V i and pos is the same, i.e., dis(pos i , pos) = d.If the verifiers transmit the information {Item, Opn} at time t towards the prover, then the result Rslt has to arrive back to the verifers at time t + 2d.The verfiers accept the prover's position credential only when the expected result is received from the prover on time.Let us denote this 1−round scheme as QPV[Ver(K), P(pos), Item, Opn, Rslt, d].
The security of a generic QPV protocol is generally analyzed using the completeness and soundness conditions [2,5].QPV[Ver(K), P(pos), Item, Opn, Rslt, d] is said to have perfect completeness if the verifiers always agree with an honest prover P .In other words, if the verifiers accept the prover's position credential of being spatially located at pos with probability 1, then the protocol is said to have perfect completeness.QPV[Ver(K), P(pos), Item, Opn, Rslt, d] is said to be εsound if for any coalition of adversaries {E i } i spatially located at pos i = pos for all i and limited to resources Res that are only locally available at these positions, the verifiers accept with probability at most ε.
For our discussion, we consider quantum position verification protocols QPV[Ver(K),P(pos),Item,Opn,Rslt, d] in one dimension (1-D).We constrain our discussion to qubit systems.For simplicity of discussion, we assume the protocol to have perfect completeness.For the 1-D case, it is sufficient to let K = 2, so that we have two verifiers, V 0 and V 1 , spatially positioned at the two ends of a line, and a prover P at the middle of the line denoted pos, see Fig. 1.The spatial distance between V 0 and V 1 is 2d.The verifiers wish to verify that P is spatially located at pos.Unfortunately, there are two adversaries, E 0 (between V 0 and P ) and E 1 (between V 1 and P ) who will try to fake P .Given the geometrical setting of the verifiers and the prover, the optimal number of adversaries required to analyze the security of the protocol is equal to the number of verifiers.
Let us denote the computational basis of a qubit system by {|0 , |1 }.A two-qubit system in the state will be referred to as an EPR pair.Any two-qubit maximally entangled state is unitarily equivalent to an EPR pair.The four Bell states are The states {|Φ + , |Φ − , |Ψ + , |Ψ − } form an orthonormal basis for the Hilbert space of two-qubit systems.A Bell measurement is defined to be a projective measurement in this basis.We denote the qubit Hadamard transform by H, which is defined by We let X, Y , and Z denote the Pauli operators, where Z = |0 0| − |1 1| and X = HZH [23].
A. Protocols with single-qubit states In this section, we discuss some known 1-D QPV protocols QPV[Ver(2),P(pos),Item,Opn,Rslt, d] and their security breaches that have been discussed in prior work [2,7,8,12,14,15].For the breach of security, a single EPR pair shared among the adversaries suffices.Then, as a warm-up to the implementation of the classical random oracle in the Section III A, we modify these protocols by introducing a single bit of information, and discuss the effect on the quantum resources of the adversaries that are needed for breach of security.
To verify the position of P , the following scheme is employed: 1.The verifiers agree on random bits x, θ ∈ {0, 1}.V 0 prepares a qubit in the state and sends it to P .V 1 sends θ to P , so they arrive at P at the same time.That is, item 0 = {|ψ } and item 1 = {θ}.
2. As soon as |ψ and θ arrive, P performs a measurement in the basis {H θ |0 , H θ |1 }, and sends the outcome x to both V 0 and V 1 .The given measurement consititutes Opn and x is the Rst.

If the verifiers receive
x at the time consistent with the position of P , and x = x, then they accept; otherwise they reject.Now, suppose there are two adversaries, E 0 (between V 0 and P ) and E 1 (between V 1 and P ).Can they fake P ?Suppose that the adversaries share no entangled qubits, although they may have qubits in their possession.When V 0 sends |ψ , E 0 will intercept it before P does, but will not be able to do Step 2, because she will have to wait for θ to arrive first.By the time it arrives, it will be too late to send any information to V 1 (but not to V 0 ).The best strategy is the following, which is based on minimum-error state discrimination [25,26].When E 0 receives |ψ from V 0 , she performs a measurement in the basis (6) and sends the outcome of the measurement to E 1 .The probability of success of this optimal strategy is As the above is repeated n times, the success probability becomes n (exponentially small).Notice that the adversaries are not able to make use of the classical information θ available to them.This information would have been useful, had E 0 received it before deciding on what measurement to perform.
However, E 0 can make use of θ when deciding on the measurement, if the adversaries share entangled qubits, because of the possibility of teleportation.Suppose the adversaries share an EPR pair.Then they can fake P following these steps.
1. Upon receiving |ψ , E 0 teleports it to E 1 .In doing so, E 0 performs Bell measurements with outcome k = k 0 k 1 , in binary notation.They determine the state E 1 receives (instantaneously) as Since |ψ = H θ |x , for θ = 0, |φ k is an eigenstate of Z, whereas for θ = 1, |φ k is an eigenstate of X = HZH.We easily obtain E 0 sends the results k of her Bell measurements to E 1 .

Upon receiving the classical information
x and send the information to V 1 .
This strategy has 100% probability of success for the adversaries.Thus a single EPR pair among the adversaries is sufficient for breach of security.

Modified one-qubit protocol
The above conclusion on breach of security can be avoided by upgrading |ψ to a n-qubit state with n > 1.In this case, if the adversaries share m EPR pairs, then the probability of success for the adversaries is given by ≤ 2 m cos 2n π 8 , where the additional factor 2 m is due to the availability of the Hilbert space of the entangled pairs.However, realizing such a protocol with multiqubit states |ψ is experimentally challenging.Instead, we can modify the above protocol by introducing an additional classical bit of information.In the modified protocol, to verify the position of P , the following scheme is used.
1.The verifiers agree on random x, θ 0 , θ 1 ∈ {0, 1}.V 0 prepares a qubit in the state and sends it to P , along with θ 0 .V 1 sends θ 1 to P , so they arrive at P at the same time.
3. If the verifiers receive x at the time consistent with the position of P , and x = x, then they accept; otherwise they reject.
Unlike the previous protocol, adversaries with a prior single pair of entangled qubits will not be able to break the security of this modified protocol.This is because E 1 has insufficient information to perform the correct measurement on her qubit.E 1 can optimize her measurement, but the adversaries can never achieve a 100% success rate.The adversaries need at least 2 entangled pairs.Suppose that the adversaries share two EPR pairs, labeled 0 and 1, each in the Bell state (1).Then they can fake P following these steps.
1. Upon receiving |ψ and θ 0 , E 0 teleports |ψ to E 1 using the EPR pair labeled θ 0 .In doing so, E 0 performs a Bell measurement with outcome k = k 0 k 1 , in binary notation.The state E 1 receives (instantaneously) is given by ( 8).E 0 sends the results k, θ 0 of her Bell measurement to E 1 .

Upon receiving the classical information
x to calculate x and send the information to V 0 .She knows which of the two outcomes λ is, because that is determined by θ 0 .
4. Upon receiving the classical information k and θ 0 from E 0 , E 1 multiplies (−1) x⊕k θ (−1) k θ = (−1) x to calculate x and send the information to V 1 .Again, she knows which of the two outcomes λ is, because that is determined by θ 0 .
This strategy has 100% probability of success for the adversaries.

Two-qubit protocol
This is a scheme making use of entanglement of two qubits received by the prover, and is secure if the adversaries share no EPR pairs [19].
To verify the position of P , the following scheme making use of two qubits is employed: 1.The verifiers agree on random x 0 , x 1 , θ ∈ {0, 1}.V i prepares a qubit in the state H θ |x i (i = 0, 1) and sends it to P .Both states arrive at P at the same time.
2. P performs a measurement projecting onto the state |Ψ + (2).If the measurement is successful, then he sends z = 1, otherwise he sends z = 0.
3. The verifiers accept if the result z of P 's measurement is consistent with the states sent by them to P .The verifiers receive z = 1 half of the time, if they send the same state with θ = 0 (different states with θ = 1), and always z = 0 if they send different states with θ = 0 (same state with θ = 1).
It should be noted that it is advantageous for the verifiers if P projects onto both |Ψ + and |Ψ − , making it harder for adversaries to mimic P 's actions.It is straightforward to extend the analysis presented here to this case.For simplicity, we omit the discussion.
For the security analysis, first let us consider the case when the adversaries do not share any entangled pairs.E 0 intercepts the qubit from V 0 and measures it in the {|n 1 , |n 2 } basis, where n1 ⊥ n2 .Similarly, E 1 intercepts the qubit from V 1 and measures it in the same basis.They communicate their results to each other.If they disagree, they report z = 1 to the verifiers half of the time.If they agree, they report z = 0 to the verifiers.
Next, suppose that the adversaries share a pair of qubits in the state (1).Once E 0 intercepts the qubit from V 0 , she can perform a Bell measurement on her qubit in the pair shared with E 1 and the intercepted qubit, projecting it onto one of the orthogonal states {|Φ + , |Φ − , |Ψ + , |Ψ − } (assuming unlimited technological capabilities).E 1 performs a similar measurement on her half of the pair and the qubit she intercepts from V 1 .They report the results to each other.They send z = 1 to the verifiers, if E 0 measures |Ψ + and E 1 measures |Φ + .Since their operation is equivalent to the prover's measurement, and therefore they have 100% probability of success.

Modified two-qubit protocol
Let us introduce two classical bits of information into the protocol, similar to the modified one-qubit protocol.The steps of the protocol are as follows: 1.The verifiers agree on random x 0 , x 1 , θ, y 0 , y 1 ∈ {0, 1}.V i prepares a qubit in the state H θ |x i and sends it to P , along with y i (i ∈ {0, 1}).Here, Both states arrive at P at the same time.
2. P computes (classically) y = y 0 •y 1 , and applies H y to each of the states he receives.Then he performs a measurement projecting onto the state |Ψ + (2), and signals z = 1 or 0 to the verifiers, depending on whether his measurement was successful or not.
Without prior shared entanglement, the adversaries have a success probability given by ( 14), as before.However, they are no longer able to take advantage of a single shared EPR pair, because they do not have the classical information needed to mimic step 2, and perform the correct Bell measurements.Therefore, they need at least two shared EPR pairs for a security breach.It appears that the adversaries need a larger number of entangled pairs.Suppose that the adversaries share 5 maximally entangled pairs labeled as a ∈ {0, 1, 2, 3, 4}, each in the Bell state (1), so that the state of the system shared between the adversaries is the tensor product . The adversaries will use them in a complex scheme involving teleportation to fake P .Here are the steps involving pairs with labels as indicated: 1. Upon receiving H θ |x 0 and y 0 , E 0 teleports the state to E 1 using the EPR pair labeled a = 0.In doing so, E 0 performs a Bell measurement, and E 1 receives the state She also sends the classical information k = k 0 k 1 , as well as y 0 to E 1 .
2. Upon receiving H θ |x 1 and y 1 , E 1 teleports the state to E 0 using the EPR pair labeled a = 2y 1 + 1. E 0 receives She also teleports back to E 0 the state ( 16) using the EPR pair labeled a = 2y 1 +2.Thus, E 0 receives the state X k0+k 0 Z k1+k 1 H θ |x 0 , which can be simplified, if E 0 applies X k0 Z k1 (since k is known to E 0 ) to She also sends the classical information y 1 to E 0 .
3. E 0 applies H y0 to the channels a = 3, 4, thus effectively applying H y (y = y 0 • y 1 ) to the states she received from E 1 .She then performs a Bell measurement on each of the pairs labeled (1, 2) and (3,4).In each case, she reports success to 4. Upon receiving y 0 and the "success" report from E 0 , E 1 reports z = 0 or 1 to V 1 , accordingly, knowing which pair of channels contains the teleported states.At the same time, upon receiving y 1 from E 1 , E 0 learns the pair of channels containing the teleported states, and reports z = 0 or 1, accordingly, to V 0 .
The above protocol can only succeed if k = k = 0, which occurs with probability 1  16 .The adversaries can increase their odds at the expense of adding EPR pairs.A large number of EPR pairs are needed for 100 % success rate [5].

III. PROTOCOLS WITH SINGLE-QUBIT STATES AND CLASSICAL RANDOM ORACLE
In this section, we present new schemes for the task of quantum position verification.Taking cue from known protocols discussed in Section II, we would like to have a protocol in which the operations to be performed by an honest prover would require practically large amount of EPR pairs to be shared between them for any be simulated by the colluding adversaries employing best known teleportation-based attacks [11].Here, we present 1-D quantum position verification protocols QPV[Ver(2),P(pos),Item,Opn,Rslt, d] where we make use of classical random oracle accessible to all involved parties.

A. One-qubit protocol with a classical random oracle
This is similar to the protocol in Section II A 2 but with additional (classical) bits of information.This scheme is a variant of a protocol discussed in Ref. [15].Each party has access to a classical random oracle, To verify the position of P , the following scheme is used.
3. If the verifiers receive x at the time consistent with the position of P , and x = x, then they accept; otherwise they reject.
Even though only a single qubit is needed to run this protocol, is it not simple to break its security, even though the adversaries also have access to the classical random oracle.This is due to the fact that for the oracle to be useful, both strings θ 0 , θ 1 are needed to be acted upon simultaneously by the oracle.To compensate, it appears that the adversaries need an exponentially large (2 n ) entangled pairs.Suppose the adversaries share 2 n maximally entangled pairs, i.e.EPR pairs, labeled as a ∈ {0, 1, . . ., 2 n − 1}, each in the Bell state (1).Notice that a can be written as an n-digit number in binary notation (a ∈ {0, 1} n ).Then they can fake P following these steps: 1. Upon receiving |ψ and θ 0 , E 0 teleports |ψ to E 1 using the EPR pair labeled a = θ 0 .In doing so, E 0 performs a Bell measurement with outcome k = k 0 k 1 , in binary notation.The state E 1 receives (instantaneously) is given by ( 8).E 0 sends the result k to E 1 .
4. Upon receiving the classical information k and θ 0 from E 0 , E 1 computes w = f (θ 0 , θ 1 ) and multiplies (−1) x⊕kw (−1) kw = (−1) x to determine x, and sends x to V 1 .Again, E 1 knows which qubits the components of λ correspond to, because they are determined by θ 0 , which she just received.
If E 0 and E 1 share m EPR pairs between them, and 0 ≤ m ≤ 2 n , then their exists a scheme that gives lower bound on the probability with which they can succeed in cheating verifiers to be max{ m 2 n , cos 2 π 8 }.This observation follows from the discussion above and in Section II A 1.

B. Two-qubit protocol with classical random oracle
We allow each party to have access to the classical random oracle (19).The steps of this protocol are as follows: 1.The verifiers agree on random x 0 , x 1 , θ ∈ {0, 1}, and n-digit random numbers y 0 , y 1 ∈ {0, 1} n .V i , for all i ∈ {0, 1}, prepares a qubit in the state H θ |x i , where H is the Hadamard matrix, and sends it to P , along with y i (i ∈ {0, 1}).Here, itm i = {y i , H θ |x i } for i ∈ {0, 1}.Both states as well as the classical information arrive at P at the same time.
2. P computes (classically) w = f (y 0 , y 1 ), and applies H w to each of the states he received.Then he performs a Bell measurement projecting onto the state |Ψ + (2).If the measurement is successful, then he sends z = 1, otherwise he sends z = 0.
3. The verifiers accept if the result z of P 's measurement is consistent with the states sent by them to P .

Scheme to break the security of the protocol
A small number of pairs of entangled qubits shared by the adversaries will not break the security.In fact, it appears that the adversaries need an exponentially large number of entangled pairs.Suppose that the adversaries share 2 n+1 + 1 maximally entangled pairs labeled as a = 0, and (b 0 , b 1 ), where b 0 ∈ {0, 1}, b 1 ∈ {0, 1, . . ., 2 n − 1}, each in the Bell state (1).Then they can fake P following these steps: 1. Upon receiving H θ |x 0 and y 0 , E 0 teleports the state to E 1 using the EPR pair labeled a = 0.In doing so, E 0 performs a Bell measurement, and E 1 receives the state She also sends the classical information k = k 0 k 1 , as well as y 0 to E 1 .
2. Upon receiving H θ |x 1 and y 1 , E 1 teleports the state to E 0 using the EPR pair labeled (b 0 , b 1 ) = (0, y 1 ).E 1 receives She also teleports back to E 0 the state (16) using the EPR pair labeled (b 0 , b 1 ) = (1, y 1 ).Thus, E 0 receives the state X k0+k 0 Z k1+k 1 H θ |x 0 , which can be simplified, if E 0 applies X k0 Z k1 (since k is known to E 0 ) to She also sends the classical information y 1 to E 0 .
3. E 0 computes f (y 0 , b 1 ) classically and applies H f (y0,b1) to each of the (b 0 , b 1 ) channels, for b 0 = 0, 1, thus effectively applying the desired H f (y0,y1) to the states she received from E 1 .She then performs a Bell measurement on each of the pairs labeled (b 0 , b 1 ), b 0 = 0, 1.For each value of b 1 , she reports success to E 1 , if the outcome is |Ψ + (2).
4. Upon receiving y 0 and the "success" report from E 0 , E 1 reports z = 0 or 1 to V 1 , accordingly, knowing which pair of channels contains the teleported states.At the same time, upon receiving y 1 from E 1 , E 0 learns the pair of channels containing the teleported states, and reports z = 0 or 1, accordingly, to V 0 .
The above protocol can only succeed if k = k = 0, which occurs with probability 1  16 .The adversaries can increase their odds at the expense of adding EPR pairs.An exponentially large number of EPR pairs are needed for 100 % success rate [5].Thus, the security of the protocol is breached with a number of EPR pairs shared by the adversaries that grows exponentially with the number of classical bits used in the classical oracle f .It is remarkable that the amount of quantum resources needed by the adversaries in this strategy grows exponentially with the length of the classical information, while the verifiers only need two independent qubits for their protocol.
It should be pointed out that it follows from the discussion in Refs.[13,18] that whenever the function f (classical oracle) parametrizing the protocol can be computed by a Turing machine using logarithmic space, the adversaries can attack these protocols using EPR pairs whose number grows polynomially with the number of classical bits in f .Hence, it is crucial to ascertain that f is a random oracle.

IV. CONCLUSION
We introduced new schemes for quantum position verification protocols by introducing a classical random oracle.We discussed the strategy for security breach by the adversaries sharing EPR pairs based on currently best known teleportation-based attacks.It is known that the entanglement distribution over long distances and the storage of entangled qubits are technologically challenging [3,27].The interaction between the quantum system and the environment can cause loss of information as a result of decoherence, dissipation, or decay phenomena [28][29][30][31].Quantum memories are essential to overcome such losses caused by the environment for the preservation of the entanglement between the quantum systems for the duration longer than the decoherence period [3,4,29].We showed that while the verifiers need to make use of only one or two independent qubits for the verification task, the adversaries need an exponential amount of EPR pairs, depending on the number of classical bits that the verifiers make use of.In this sense, we state that the schemes we have presented are technologically feasible and practically secure.
Finally, we emphasize that our protocol is a variant of the protocol presented in Ref. [15].The novelty of our approach is due to its practicality.It only requires a small amount of quantum resources (qubits), yet its security can only be broken by a prohibitively (at least for current technology) large amount of quantum resources.Further work is needed to provide a formal security proof.Coming up with adversarial strategies to break the protocol with as small an amount of quantum resources as possible is challenging.This makes proving security of QPV schemes, such as the one presented here, a highly non-trivial task.At the same time, it makes our results interesting to those implementing such protocols in practice.