Summoning, No-Signaling and Relativistic Bit Commitments

by   Adrian Kent, et al.

Summoning is a task between two parties, Alice and Bob, with distributed networks of agents in space-time. Bob gives Alice a random quantum state, known to him but not her, at some point. She is required to return the state at some later point, belonging to a subset defined by communications received from Bob at other points. Many results about summoning, including the impossibility of unrestricted summoning tasks and the necessary conditions for specific types of summoning tasks to be possible, follow directly from the quantum no-cloning theorem and the relativistic no-superluminal-signalling principle. The impossibility of cloning devices can be derived from the impossibility of superluminal signalling and the projection postulate, together with assumptions about the devices' location-independent functioning. In this qualified sense, known summoning results follow from the causal structure of space-time and the properties of quantum measurements. Bounds on the fidelity of approximate cloning can be similarly derived. Bit commitment protocols and other cryptographic protocols based on the no-summoning theorem can thus be proven secure against some classes of post-quantum but non-signalling adversaries.



There are no comments yet.


page 1

page 2

page 3

page 4


Experimental implementation of secure anonymous protocols on an eight-user quantum network

Anonymity in networked communication is vital for many privacy-preservin...

A Quantum Router for the Entangled Web

Qubit transmission protocols are presently point-to-point, and thus rest...

Symbolic Abstractions for Quantum Protocol Verification

This technical report explores the use of symbolic model and verifiers t...

Impossibility of composable Oblivious Transfer in relativistic quantum cryptography

We study the cryptographic primitive Oblivious Transfer; a composable co...

Parallel Quantum Pebbling: Analyzing the Post-Quantum Security of iMHFs

The classical (parallel) black pebbling game is a useful abstraction whi...

A Noncoherent Space-Time Code from Quantum Error Correction

In this work, we develop a space-time block code for noncoherent communi...

Quantum Weak Coin Flipping

We investigate weak coin flipping, a fundamental cryptographic primitive...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

To define a summoning taskKent (2013, 2012), we consider two parties, Alice and Bob, who each have networks of collaborating agents occupying non-overlapping secure sites throughout space-time. At some point , Bob’s local agent gives Alice’s local agent a state . The physical form of and the dimension of its Hilbert space are pre-agreed; Bob knows a classical description of

, but from Alice’s perspective it is a random state drawn from the uniform distribution on

. At further pre-agreed points (which are often taken to all be in the causal future of , though this is not necessary), Bob’s agents send classical communications in pre-agreed form, satisfying pre-agreed constraints, to Alice’s local agents, which collectively determine a set of one or more valid return points. Alice may manipulate and propagate the state as she wishes, but must return it to Bob at one of the valid return points. We say a given summoning task is possible if there is some algorithm that allows Alice to ensure that the state is returned to a valid return point for any valid set of communications received from Bob.

The “no-summoning theorem” Kent (2013) states that summoning tasks in Minkowski space are not always possible. We write if the space-time point is in the causal future of the point , and otherwise; we write if either or , and otherrwise. Now, for example, consider a task in which Bob may request at one of two “call” points that the state be returned at a corresponding return point , where and . An algorithm that guarantees that Alice will return the state at if it is called at must work independently of whether a call is also made at , since no information can propagate from to ; similarly if and are exchanged. If calls were made at both and , such an algorithm would thus generate two copies of at the space-like separated points and , violating the no-cloning theorem. This distinguishes relativistic quantum theory from both relativistic classical mechanics and non-relativistic quantum mechanics, in which summoning tasks are always possible provided that any valid return point is in the (causal) future of the start point .

Further evidence for seeing summoning tasks as characterising fundamental features of relativistic quantum theory was given by Hayden and May Hayden and May (2016), who considered tasks in which a request is made at precisely one from a pre-agreed set of call points ; a request at requires the state to be produced at the corresponding return point . They showed that, if the start point is in the causal past of all the call points, then the task is possible if and only if no two causal diamonds are spacelike separated. That is, the task is possible unless the no-cloning and no-superluminal-signalling principles directly imply its impossibility. Wu et al. have presented a more efficient code for this task Wu et al. (2017). Another natural type of summoning task allows any number of calls to be made at call points, requiring that the state be produced at any one of the corresponding return points. Perhaps counter-intuitively, this can be shown to be a strictly harder version of the task Adlam and Kent (2016). It is possible if and only if the causal diamonds can be ordered in sequence so that the return point of any diamond in the sequence is in the causal future of all call points of earlier diamonds in the sequence. Again, the necessity of this condition follows (with a few extra steps) from the no-superluminal-signalling and no-cloning theorems Adlam and Kent (2016).

The constraints on summoning have cryptographic applications, since they can effectively force Alice to make choices before revealing them to Bob. Perhaps the simplest and most striking of these is a novel type of unconditionally secure relativistic quantum bit commitment protocol, in which Alice sends the unknown state at light speed in one of two directions, depending on her committed bit Kent (2011). The fidelity bounds on approximate quantum cloning imply Kent (2011) the sum-binding security condition


where is the dimension of the Hilbert space of the unknown state and

is the probability of Alice successfully unveiling bit value


Summoning is also a natural primitive in distributed quantum computation, in which algorithms may effectively summon a quantum state produced by a subroutine to some computation node that depends on other computed or incoming data.

From a fundamental perspective, the (im)possibility of various summoning tasks may be seen either as results about relativistic quantum theory or as candidate axioms for a reformulation of that theory. They also give a way of exploring and characterising the space of theories generalising relativistic quantum theory. From a cryptographic perspective, we would like to understand precisely which assumptions are necessary for the security of summoning-based protocols. These motivations are particularly strong given the relationship between no-summoning theorems and no-signalling, since we know that quantum key distribution and other protocols can be proven secure based on no-signalling principles alone. In what follows, we characterise that relationship more precisely, and discuss in particular the sense in which summoning-based bit commitment protocols are secure against potentially post-quantum but non-signalling participants. These are participants who may have access to technology that relies on some unknown theory beyond quantum theory. They may thus be able to carry out operations that quantum theory suggests is impossible. However, their technology must not allow them to violate a no-signalling principle. Exactly what this implies depends on which no-signalling principle is invoked. We turn next to discussing the relevant possibilities.

Ii No-signalling principles and no-cloning

ii.1 No-signalling principles

The relativistic no-superluminal-signalling principle states that no classical or quantum information can be transmitted at faster than light speed. We can frame this operationally by considering a general physical system that includes agents at locations . Suppose that the agent at each may freely choose inputs labelled by and receive outputs , which may probabilistically depend on their and other inputs. Let and be sets of labels of points such that for all and . Then we have

In other words, outputs are independent of spacelike or future inputs.

The quantum no-signalling principle for an -partite system composed of non-interacting subsystems states that measurement outcomes on any subset of subsystems are independent of measurement choices on the others. If we label the measurement choices on subsystem by , and the outcomes for this choice by , then we have


That is, so long as the subsystems are non-interacting, the outputs for any subset are independent of the inputs for the complementary subset, regardless of their respective locations in space-time.

The no-signalling principle for a generalised non-signalling theory extends this to any notional device with localised pairs of inputs (generalising measurement choices) and outputs (generalising outcomes). As in the quantum case, this is supposed to hold true regardless of whether the sites of the localised input/output ports are spacelike separated. Generalized non-signalling theories may include, for example, the hypothetical bipartite Popescu-Rohrlich boxes Popescu and Rohrlich (1994), which maximally violate the CHSH inequality, while still precluding signalling between agents at each site.

ii.2 The no-cloning theorem

The standard derivation of the no-cloning theorem Wootters and Zurek (1982); Dieks (1982) assumes a hypothetical quantum cloning device. A quantum cloning device should take two input states, a general quantum state and a reference state , independent of . Since follows the laws of quantum theory, it must act linearly. Now we have


for a faithful cloning device, for any states and . Suppose that and that is normalised. We also have


which contradicts linearity.

To derive the no-cloning theorem without appealing to linearity, we need to consider quantum theory as embedded within a more general theory that does not necessarily respect linearity. We can then consistently consider a hypothetical post-quantum cloning device which accepts quantum states and as inputs, and produces two copies of as outputs:


We will suppose that the cloning device functions in this way independent of the history of the input state. We will also suppose that it does not violate any other standard physical principles: in particular, if it is applied at then it does not act retrocausally to influence the outcomes of measurements at earlier points .

We can now extend the cloning device to a bipartite device comprising a maximally entangled quantum state, with a standard quantum measurement device at one end, and the cloning device followed by a standard quantum measurement device at the other end. This extended device accepts classical inputs (measurement choices) and produces classical outputs (measurement outcomes) at both ends.

If we now further assume that the joint output probabilities for this extended device, for any set of inputs, are independent of the locations of its components, then we can derive a contradiction with the relativistic no-superluminal signalling principle. First suppose that the two ends are timelike separated, with the cloning device end at point and the other end at point . A complete projective measurement at then produces a pure state at in any standard version of quantum theory. The cloning device then clones this pure state. Different measurement choices at produce different ensembles of pure states at . These ensembles correspond to the same mixed state before cloning, but to distinguishable mixtures after cloning. The measurement device at can distinguish these mixtures. Now if we take the first end to be at a point spacelike separated from , by hypothesis the output probabilities remain unchanged. This allows measurement choices at to be distinguished by measurements at , and so gives superluminal signalling Gisin (1998).

It is important to note that the assumption of location-independence is not logically necessary, nor does it follow from the relativistic no-superluminal-signalling principle alone. Assuming that quantum states collapse in some well defined and localized way as a result of measurements, one can consistently extend relativistic quantum theory to include hypothetical devices that read out a classical description of the local reduced density matrix at any given point, i.e. the local quantum state that is obtained by taking into account (only) collapses within the past light cone Kent (2005). This means that measurement events at , which we take to induce collapses, are taken into account by the readout device at if and only if . Given such a readout device, one can certainly clone pure quantum states. The device behaves differently, when applied to a subsystem of an entangled system, depending on whether the second subsystem is measured inside or outside the past light cone of the point at which the device is applies. It thus does not satisfy the assumptions of the previous paragraph.

The discussion above also shows that quantum theory augmented by cloning or readout devices is not a generalized non-signalling theory. For consider again a maximally entangled bipartite quantum system with one subsystem at space-time point and the other at a space-like separated point . Suppose that the Hamiltonian is zero, and that the subsystem at will propagate undisturbed to point . Suppose that a measurement device may carry out any complete projective measurement at , and that at there is a cloning device followed by another measurement device on the joint (original and cloned) system. with the cloning device end at point and the other end at point . As above, different measurement choices at produce different ensembles of pure states at , which correspond to the same mixed state before cloning, but to distinguishable mixtures after cloning. The measurement device at can distinguish these mixtures. The output (measurement outcome) probabilities at thus depend on the inputs (measurement choices) at , contradicting Eqn. (3). Assuming that nature is described by a generalized non-signalling theory thus gives another reason for excluding cloning or readout devices, without assuming that their behaviour is location-independent.

In summary, neither the no-cloning theorem nor cryptographic security proofs based on it can be derived purely from consistency with special relativity. They require further assumptions about the behaviour of post-quantum devices available to participants or adversaries. Although this was noted when cryptography based on the no-signalling principle was first introduced Barrett et al. (2005), it perhaps deserves re-emphasis.

On the positive side, given these further assumptions, one can prove not only the no-cloning theorem, but also quantitative bounds on the optimal fidelities attainable by approximate cloning devices for qubits

Gisin (1998) and qudits Navez and Cerf (2003). In particular, one can show Navez and Cerf (2003) that any approximate universal cloning device that produces output states and given a pure input qudit state satisfies the fidelity sum bound


Iii Summoning-based bit commitments and no-signalling

We recall now the essential idea of the flying qudit bit commitment protocol presented in Ref. Kent (2011), in its idealized form. We suppose that space-time is Minkowski and that both parties, the committer (Alice) and the recipient (Bob), have arbitrarily efficient technology, limited only by physical principles, with error-free and instantaneous operations and error-free communications. They agree in advance on some space-time point , to which they have independent secure access, where the commitment will commence.

We suppose too that Bob can keep a state private somewhere in the past of and arrange to transfer it to Alice at . Alice’s operations on the state can then be kept private unless and until she chooses to return information to Bob at some point(s) in the future of . We also suppose that Alice can send any relevant states at light speed in prescribed directions along secure quantum channels, either by ordinary physical transmission or by teleportation.

They also agree on a fixed inertial reference frame, and two opposite spatial directions within that frame. We suppress the and coordinates for simplicity; we set and take to be the origin in the fixed frame coordinates

and the two spatial directions to be defined by the vectors

and .

Before the commitment, Bob generates a random pure qudit state , chosen from the uniform distribution, encoded in a physical system which (idealizing again) we take to be pointlike. He keeps it private until , where he gives it to Alice. To commit to the bit , Alice sends the state along a secure channel at light speed in the direction , i.e. along the line (for ) or the line (for ).

For simplicity, we consider here the simplest implementation in which the state is directly securely transmitted. Alice can then unveil her commitment at any point along the transmitted light ray. To unveil a , Alice returns to Bob at some point on ; to unveil a , Alice returns to Bob at some point on . Bob then carries out the appropriate projective measurement to verify that the returned qudit is ; if he gets the correct answer, he accepts the commitment as honestly unveiled; if not, he has detected Alice cheating.

Now, given any strategy of Alice’s at , there is an optimal state she can return to Bob at to maximise the chance of passing his test there, i.e. to maximize the fidelity . There is similarly an optimal state that she can return at , maximizing . The relativistic no-superluminal-signalling principle implies that her ability to return at cannot depend on whether she chooses to return at , or vice versa. Hence she may return both (although this violates the protocol). The bound (7) on the approximate cloning fidelities implies that


Since the probability of Alice successfully unveiling the bit value by this strategy is


this gives the sum-binding security condition for the bit commitment protocol


Recall that the bound (7) follows from the relativistic no-superluminal-signalling condition together with the location-independence assumption for a device based on a hypothetical post-quantum cloning device applied to one subsystem of a bipartite entangled state. Alternatively, it follows from assuming that any post-quantum devices operate within a generalized non-signalling theory. The bit commitment security thus also follows from either of these assumptions.

iii.1 Security against post-quantum no-superluminal-signalling adversaries?

It is a strong assumption that any post-quantum theory should be a generalized non-signalling theory satisfying Eqn. (3). So it is natural to ask whether cryptographic security can be maintained with the weaker assumption that other participants or adversaries are able to carry out quantum operations and may also be equipped with post-quantum devices, but do not have the power to signal superluminally. It is instructive to understand the limitations of this scenario for protocols between mistrustful parties capable of quantum operations, such as the bit commitment protocol just discussed.

The relevant participant here is Alice, who begins with a quantum state at and may send components along the lightlike lines and . Without loss of generality we assume these are the only components: she could also send components in other directions, but relativistic no-superluminal-signalling means that they cannot then influence her states at or .

At any points and on the lightlike lines, before Alice has applied any post-quantum devices, the approximate cloning fidelity bound again implies that fidelities of the respective components and satisfy


Now, if Alice possesses a classical no-superluminal-signalling device, such as a Popescu-Rohrlich box, with input and output ports at and , and her agents at these sites input classical information uncorrelated with their quantum states, she does not alter the fidelities . Any subsequent operation may reduce the fidelities, but cannot increase them. More generally, any operation involving the quantum states and devices with purely classical inputs and outputs cannot increase the fidelity sum bound (7). To see this, note that any such operation could be paralleled by local operations within quantum theory if the two states were held at the same point, since hypothetical classical devices with separated pairs of input and output ports are replicable by ordinary probabilistic classical devices when the ports are all at the same site.

We need also to consider the possibility that Alice has no-superluminal signalling devices with quantum inputs and outputs. At first sight these may seem unthreatening. For example, while a device that sends the quantum input from to the output at and vice versa would certainly make the protocol insecure – Alice could freely swap commitments to and – such a device would be signalling.

However, suppose that Alice’s agents each have local state readout devices, which give Alice’s agent at a classical description of the density matrix and Alice’s agent at a classical description of the density matrix . Suppose also that Alice has carried out an approximate universal cloning at , creating mixed states and of the form


where . This is possible provided that . From these, by applying their readout devices, each agent can infer locally. Alice’s outputs at have no dependence on the inputs at . Nonetheless, this hypothetical process would violate the security of the commitment to the maximum extent possible, since it would give .

To ensure post-quantum security, our post-quantum theory thus need assumptions – like those spelled out earlier – that directly preclude state readout devices and other violations of no-cloning bounds.

Iv Discussion

Classical and quantum relativistic bit commitment protocols have attracted much interest lately, both because of their theoretical interest and because advances in theory Chailloux and Leverrier (2017) and practical implementation Lunghi et al. (2013); Verbanis et al. (2016) suggest that relativistic cryptography may be in widespread use in the forseeable future.

Much work on these topics is framed in models in which two (or more) provers communicate with one (or more) verifiers, with the provers being unable to communicate with one another during the protocol. Indeed, one round classical relativistic bit commitment protocols give a natural physical setting in which two (or more) separated provers communicate with adjacent verifiers, with the communications timed so that the provers cannot communicate between the commitment and opening phases. The verifiers are also typically unable to communicate, but this is less significant given the form of the protocols, and the verifiers are sometimes considered as a single entity when the protocol is not explicitly relativistic.

Within the prover-verifier model, it has been shown that no single-round two-prover classical bit commitment protocol can be secure against post-quantum provers who are equipped with generalized no-signalling devices Fehr and Fillinger (2015). It is interesting to compare this result with the signalling-based security proof for the protocol discussed above.

First, of course, the flying qudit protocol involves quantum rather than classical communication between “provers” (Alice’s agents) and “verifiers” (Bob’s agents).

Second, as presented, the flying qudit protocol involves three agents for each party. However, a similar secure bit commitment protocol can be defined using just two agents apiece. For example, Alice’s agent at could retain the qudit, while remaining stationary in the given frame, to commit to , and send it to Alice’s agent at (as before) to commit to . They may unveil by returning the qudit at, respectively, or . In this variant, the commitment is not secure at the point where the qudit is received, but it becomes secure in the causal future of .

Third, the original flying qudit protocol illustrates a possibility in relativistic quantum cryptography that is not motivated (and so not normally considered) in standard multi-prover bit commitment protocols. This is that, while there are three provers, communication between them in some directions is possible (and required) during the protocol. Alice’s agent at must be able to send the quantum state to either of the agents at or ; indeed, a general quantum strategy requires her to send quantum information to both.

Fourth, the security proof of the flying qudit protocol can be extended to generalised no-signalling theories. However, the protocol is not secure if the committer may have post-quantum devices that respect the no-superluminal signalling principle, but are otherwise unrestricted. Security proofs require stronger assumptions, such as that the commmitter is restricted to devices allowed by a generalized non-signalling theory.

The same issue arises considering the post-quantum security of quantum key distribution protocols Barrett et al. (2005)), which are secure if a post-quantum eavesdropper is restricted by a generalised no-signalling theory but not if she is only restricted by the no-superluminal-signalling principle. One distinction is that quantum key distribution is a protocol between mutually trusting parties, Alice and Bob, whereas bit commitment protocols involve two mistrustful parties. It is true that quantum key distribution still involves mistrust, in that Alice and Bob mistrust the eavesdropper, Eve. However, if one makes the standard cryptographic assumption that Alice’s and Bob’s laboratories are secure, so that information about operations within them cannot propagate to Eve, one can justify a stronger no-signalling principle Barrett et al. (2005). Of course, the strength of this justification may be questioned, given that one is postulating unknown physics that could imply a form of light speed signalling that cannot be blocked. But in any case, the justification is not available when one considers protocols between two mistrustful parties, such as bit commitment, and wants to exclude the possibility that one party (in our case Alice) cannot exploit post-quantum operations within her own laboratories (which may be connected, forming a single extended laboratory).

Acknowledgments   This work was partially supported by UK Quantum Communications Hub grant no. EP/M013472/1 and by Perimeter Institute for Theoretical Physics. Research at Perimeter Institute is supported by the Government of Canada through Industry Canada and by the Province of Ontario through the Ministry of Research and Innovation. I thank Claude Crépeau and Serge Fehr for stimulating discussions and the Bellairs Research Institute for hospitality.


  • Kent [2013] Adrian Kent. A no-summoning theorem in relativistic quantum theory. Quantum Information Processing, pages 1–10, 2013.
  • Kent [2012] Adrian Kent. Quantum tasks in Minkowski space. Classical and Quantum Gravity, 29(22):224013, 2012.
  • Hayden and May [2016] Patrick Hayden and Alex May. Summoning information in spacetime, or where and when can a qubit be? Journal of Physics A: Mathematical and Theoretical, 49(17):175304, 2016.
  • Wu et al. [2017] Ya-Dong Wu, Abdullah Khalid, and Barry C Sanders. Efficient code for relativistic quantum summoning. arXiv preprint arXiv:1711.10594, 2017.
  • Adlam and Kent [2016] Emily Adlam and Adrian Kent. Quantum paradox of choice: More freedom makes summoning a quantum state harder. Physical Review A, 93(6):062327, 2016.
  • Kent [2011] Adrian Kent. Unconditionally secure bit commitment with flying qudits. New Journal of Physics, 13(11):113015, 2011.
  • Popescu and Rohrlich [1994] Sandu Popescu and Daniel Rohrlich. Quantum nonlocality as an axiom. Foundations of Physics, 24(3):379–385, 1994.
  • Wootters and Zurek [1982] William K Wootters and Wojciech H Zurek. A single quantum cannot be cloned. Nature, 299( 5886):802–803, 1982.
  • Dieks [1982] DGBJ Dieks. Communication by EPR devices. Physics Letters A, 92(6):271–272, 1982.
  • Gisin [1998] Nicolas Gisin. Quantum cloning without signaling. Physics Letters A, 242(1-2):1–3, 1998.
  • Kent [2005] Adrian Kent. Nonlinearity without superluminality. Physical Review A, 72(1):012108, 2005.
  • Barrett et al. [2005] Jonathan Barrett, Lucien Hardy, and Adrian Kent. No signaling and quantum key distribution. Physical Review Letters, 95(1):010503, 2005.
  • Navez and Cerf [2003] Patrick Navez and Nicolas J Cerf. Cloning a real d-dimensional quantum state on the edge of the no-signaling condition. Physical Review A, 68(3):032313, 2003.
  • Chailloux and Leverrier [2017] André Chailloux and Anthony Leverrier. Relativistic (or 2-prover 1-round) zero-knowledge protocol for NP secure against quantum adversaries. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 369–396. Springer, 2017.
  • Lunghi et al. [2013] Tommaso Lunghi, J Kaniewski, Félix Bussieres, Raphaël Houlmann, M Tomamichel, A Kent, Nicolas Gisin, S Wehner, and Hugo Zbinden. Experimental bit commitment based on quantum communication and special relativity. Physical Review Letters, 111(18):180504, 2013.
  • Verbanis et al. [2016] Ephanielle Verbanis, Anthony Martin, Raphaël Houlmann, Gianluca Boso, Félix Bussières, and Hugo Zbinden. 24-hour relativistic bit commitment. Physical Review Letters, 117(14):140506, 2016.
  • Fehr and Fillinger [2015] Serge Fehr and Max Fillinger. Multi-prover commitments against non-signaling attacks. In Annual Cryptology Conference, pages 403–421. Springer, 2015.