arXiv:1804.05246v3 [quant-ph] 24 May 2019 from iltn h ocoigterm hsdsigihsrela distinguishes This theorem. no-cloning the violating ali lomd at made also is call a nagrtmta urnesta lc ilrtr h stat the return will Alice that at guarantees that algorithm An pnigrtr point return sponding oa gn state a agent local point collaborat- some of At networks through space-time. sites have secure non-overlapping each occupying who agents ing Bob, and Alice ties, w oisof copies two xml,cnie aki hc o a eus toeof one at request may points Bob “call” which two in task a consider example, aea both at made lsia ecito of description classical a sarno tt rw rmteuiomdsrbto on distribution uniform the from drawn state random a is eso fisHletspace Hilbert its of mension ther ak nMnosisaeaentawy osbe ewrite We possible. always not Q are space Minkowski in tasks communications of set valid any returne for is Bob. point from state received return the valid that ensure a to to Alice allows that gorithm h point the u utrtr tt o toeo h ai eunpit.We points. is return task valid the summoning of given one a at wishes, Bob say she to as it state return the must but propagate poin and return manipulate valid more may or Alice one w of set agents, a local determine Alice’s collectively to constraints, s pre-agreed form, isfying pre-agreed in be communications all classical send to agents taken of future often causal are the (which in points pre-agreed further At odfieasmoigts[,2,w osdrtopar- two consider we 2], task[1, summoning a define To h n-umnn hoe”[]sae htsummoning that states [1] theorem” “no-summoning The r ≻ 1 Q c fi scle at called is it if P 2 ≻ to ftesaetm point space-time the if P r P and , 1 iial if similarly ; c rtcl ae nten-umnn hoe a hsb prov be adversaries. thus can non-signalling theorem but no-summoning derived the similarly on be based can protocols t cloning and approximate space-time of of fidelity structure the causal the signa from func follow superluminal location-independent results devices’ of the impossibility about the assumptions from derived be no-superluminal-sig can relativistic the by t and tasks defined theorem summoning imposs cloning of subset the types a including specific for to summoning, he conditions about necessary belonging not results but point, Many him later to points. some known at state, quantum state random the a Alice gives Bob or | 1 ψ and umnn sats ewe w ate,AieadBb ihd with Bob, and Alice parties, two between task a is Summoning i eiee nttt o hoeia hsc,3 aoieS Caroline 31 Physics, Theoretical for Institute Perimeter Q c Q ttesaelk eaae points separated space-like the at i | ψ etefrQatmIfrainadFudtos AT,Cen DAMTP, Foundations, and Information Quantum for Centre c = ≻ ⊁ 2 i c INTRODUCTION c uha loih ol hsgenerate thus would algorithm an such , h hsclfr of form physical The . 1 P r P 2 P i P ic oifraincnpropagate can information no since , utwr neednl fwhether of independently work must umnn,N-inligadRltvsi i Commitment Bit Relativistic and No-Signalling Summoning, huhti sntncsay,Bob’s necessary), not is this though , and , ≻ httesaeb eunda corre- a at returned be state the that 1 | ψ tews;w write we otherwise; P and nvriyo abig,WlefreRa,Cmrde CB3 Cambridge, Road, Wilberforce Cambridge, of University i c o’ oa gn ie Alice’s gives agent local Bob’s , u rmAiesprpcieit perspective Alice’s from but , i H where , Q 2 possible Q r r-ged o knows Bob pre-agreed; are r xhne.I al were calls If exchanged. are  si h aslftr of future causal the in is P r 2 tews.Nw for Now, otherwise. fteei oeal- some is there if  c 1 | ψ Q and i n h di- the and  r r 1 Dtd a 7 2019) 27, May (Dated: 1 P and  tivis- fei- if hich dinKent Adrian out H r c at- ts. 2 2 d e , . . aln rnil.Teipsiiiyo lnn devices cloning of impossibility The principle. nalling eus smd tpeieyoefo r-gedstof set pre-agreed a from one precisely points at call made which in is tasks considered request who a [3], May and Hayden theory by quantum given relativistic of features fundamental ising si h cua)ftr ftesatpoint start the of poi future return (causal) valid the any in that is provided possible always are tasks summonin which mechan in mechanics, classical quantum relativistic non-relativistic and both from theory quantum tic epoue ttecrepnigrtr point return corresponding the at produced be h alpit,te h aki osbei n nyi otwo no if only and if possible is diamonds task causal the then points, call the hwdta,i h tr point start the if that, showed napoiaeqatmcoigipy[]tesum-binding the [6] direc- imply two cloning of bound quantum fidelity one approximate The in [6]. on bit speed committed her light Alice on depending at which tions, state in unknown protocol, the r sends commitment secure unconditionally bit of quantum type most novel ativistic and a simplest is these the choice of Perhaps make striking Bob. to to Alice them force revealing effectively before can they since tions, [5]. ex no-clo theorems few and no-superluminal-signalling a sequence the (with the from follows in steps) condition tra causal diamonds this the of earlier necessity in of the is points Again, sequence call the all the in of that diamond so future any sequence in of ordered point and be return if can possible diamonds is causal It the [5]. if task b the to return of shown version corresponding harder be the strictly that can of this requiring counter-intuitively, one points, Perhaps any call at points. at produced made be be state allows to the task calls summoning of of number type fo natural any code Another efficient more [4]. a task presented this have al. a it et Wu no-cloning imply possibility. the unless directly possible principles is task no-superluminal-signalling the is, That arated. epoete fqatmmaueet.Bud on Bounds summoning measurements. quantum known of sense, properties qualified he this In tioning. i omtetpooosadohrcryptographic other and protocols commitment Bit . epsil,flo ietyfo h unu no- quantum the from directly follow possible, be o ute vdnefrsen umnn ak scharacter- as tasks summoning seeing for evidence Further h osrit nsmoighv rporpi applica- cryptographic have summoning on constraints The re ot,Wtro,O 2 Y,Canada. 2Y5, N2L ON Waterloo, North, treet ln n h rjcinpsuae oehrwith together postulate, projection the and lling blt fursrce umnn ak n the and tasks summoning unrestricted of ibility nscr gis oecasso post-quantum of classes some against secure en omnctosrcie rmBba other at Bob from received communications srbtdntok faet nspace-time. in agents of networks istributed ,a oepit h srqie oreturn to required is She point. some at r, { c r o ahmtclSciences, Mathematical for tre 1 c , . . . , D i W,UK and U.K. 0WA, = n } { eus at request a ; x : r i P  si h aslps fall of past causal the in is x s  c i c P i eurstesaeto state the requires } . r pclk sep- spacelike are r i ≻ c i They . im- s only ning was a e ics el- nd nt g s s - r . 2 security condition The quantum no-signalling principle for an n-partite system 2 composed of non-interacting subsystems states that measure- p0 + p1 ≤ 1+ , (1) ment outcomes on any subset of subsystems are independent d +1 of measurement choices on the others. If we label the mea- where d = dim(H) is the dimension of the Hilbert space of surement choices on subsystem i by Ai, and the outcomes for the unknown state and pb is the probability of Alice success- this choice by ai, then we have fully unveiling bit value b.

Summoning is also a natural primitive in distributed quan- P (ai1 ...aim |Ai1 ...Aim )= P (ai1 ...aim |A1 ...An) . (3) tum computation, in which algorithms may effectively sum- mon a quantum state produced by a subroutine to some com- That is, so long as the subsystems are non-interacting,the out- putation node that depends on other computed or incoming puts for any subset are independent of the inputs for the com- data. plementary subset, regardless of their respective locations in From a fundamental perspective, the (im)possibility of var- space-time. ious summoning tasks may be seen either as results about rel- The no-signalling principle for a generalised non-signalling ativistic quantum theory or as candidate axioms for a reformu- theory extends this to any notional device with localised pairs lation of that theory. They also give a way of exploring and of inputs (generalising measurement choices) and outputs characterising the space of theories generalising relativistic (generalising outcomes). As in the quantum case, this is sup- quantum theory. From a cryptographic perspective, we would posed to hold true regardless of whether the sites of the lo- like to understand precisely which assumptions are neces- calised input/output ports are spacelike separated. General- sary for the security of summoning-based protocols. These ized non-signalling theories may include, for example, the hy- motivations are particularly strong given the relationship be- pothetical bipartite Popescu-Rohrlich boxes [7], which maxi- tween no-summoning theorems and no-signalling, since we mally violate the CHSH inequality, while still precluding sig- know that quantum key distribution and other protocols can nalling between agents at each site. be proven secure based on no-signalling principles alone. In what follows, we characterise that relationship more precisely, and discuss in particular the sense in which summoning-based The no-cloning theorem bit commitment protocols are secure against potentially post- quantum but non-signalling participants. These are partici- The standard derivation of the no-cloning theorem [8, 9] pants who may have access to technology that relies on some assumes a hypothetical quantum cloning device. A quantum unknown theory beyond quantum theory. They may thus be cloning device D should take two input states, a general quan- able to carry out operations that quantum theory suggests is tum state |ψi and a reference state |0i, independent of |ψi. impossible. However, their technology must not allow them Since D follows the laws of quantum theory, it must act lin- to violate a no-signalling principle. Exactly what this implies early. Now we have depends on which no-signalling principle is invoked. We turn ′ ′ ′ next to discussing the relevant possibilities. D |ψi |0i = |ψi |ψi ,D |ψ i |0i = |ψ i |ψ i , (4)

for a faithful cloning device, for any states |ψi and |ψ′i. Sup- NO-SIGNALLING PRINCIPLES AND NO-CLONING pose that hψ′|ψi = 0 and that |φi = a |ψi + b |ψ′i is nor- malised. We also have No-signalling principles D |φi |0i = |φi |φi , (5) The relativistic no-superluminal-signalling principle states that no classical or quantum information can be transmitted which contradicts linearity. at faster than light speed. We can frame this operationally by To derive the no-cloning theorem without appealing to lin- considering a general physical system that includes agents at earity, we need to consider quantum theory as embedded within a more general theory that does not necessarily respect locations P1,...,Pn. Suppose that the agent at each Pi may linearity. We can then consistently consider a hypothetical freely choose inputs labelled by Ai and receive outputs ai, which may probabilistically depend on their and other inputs. post-quantum cloning device D which accepts quantum states |ψi and |0i as inputs, and produces two copies of |ψi as out- Let I = {i1,...,ib} and J = {j1,...jc} be sets of labels puts: of points such that Pik  Pjl for all k ∈ {1,...,b} and l ∈ {1,...,c}. Then we have D |ψi |0i = |ψi |ψi . (6)

P (ai1 ...aib |Ai1 ...Aib )= (2) We will suppose that the cloning device functions in this way p(a ...a |A ...A A ...A c ) . i1 ib i1 ib j1 j independent of the history of the input state. We will also In other words, outputs are independent of spacelike or future suppose that it does not violate any other standard physical inputs. principles: in particular, if it is applied at Q then it does not 3 act retrocausally to influence the outcomes of measurements and cloned) system. As above, different measurement choices at earlier points P ≺ Q. at P produce different ensembles of pure states at Q, which We can now extend the cloning device to a bipartite device correspond to the same mixed state before cloning, but to dis- comprising a maximally entangled quantum state, with a stan- tinguishable mixtures after cloning. The measurement device dard quantum measurement device at one end, and the cloning at Q can distinguish these mixtures. The output (measurement device followed by a standard quantum measurement device outcome) probabilities at Q thus depend on the inputs (mea- at the other end. This extended device accepts classical inputs surement choices) at P , contradicting Eqn. (3). Assuming (measurement choices) and produces classical outputs (mea- that nature is described by a generalized non-signalling the- surement outcomes) at both ends. ory thus gives another reason for excluding cloning or read- If we now further assume that the joint output probabilities out devices, without assuming that their behaviour is location- for this extended device, for any set of inputs, are indepen- independent. dent of the locations of its components, then we can derive a In summary, neither the no-cloning theorem nor crypto- contradiction with the relativistic no-superluminal signalling graphic security proofs based on it can be derived purely from principle. First suppose that the two ends are timelike sep- consistency with special relativity. They require further as- arated, with the cloning device end at point Q and the other sumptions about the behaviour of post-quantum devices avail- end at point P ≺ Q. A complete projective measurement able to participants or adversaries. Although this was noted at P then produces a pure state at Q in any standard version when cryptography based on the no-signalling principle was of quantum theory. The cloning device then clones this pure first introduced [12], it perhaps deserves re-emphasis. state. Different measurement choices at P produce different On the positive side, given these further assumptions, one ensembles of pure states at Q. These ensembles correspond can prove not only the no-cloning theorem, but also quantita- to the same mixed state before cloning, but to distinguishable tive bounds on the optimal fidelities attainable by approximate mixtures after cloning. The measurement device at Q can dis- cloning devices for qubits [10] and qudits [13]. In particular, tinguish these mixtures. Now if we take the first end to be one can show [13] that any approximate universal cloning de- ′ at a point P spacelike separated from Q, by hypothesis the vice that produces output states ρ0 and ρ1 given a pure input output probabilities remain unchanged. This allows measure- qudit state |ψi satisfies the fidelity sum bound ment choices at P ′ to be distinguished by measurements at Q, and so gives superluminal signalling [10]. 2 hψ|ρ0|ψi + hψ|ρ1|ψi≤ 1+ . (7) It is important to note that the assumption of location- d +1 independence is not logically necessary, nor does it fol- low from the relativistic no-superluminal-signalling principle It is worth stressing that (with the given assumptions) this alone. Assuming that quantum states collapse in some well bound applies for any approximate cloning strategy, with any defined and localized way as a result of measurements, one entangled states allowed as input. can consistently extend relativistic quantum theory to include hypothetical devices that read out a classical description of the local reduced density matrix at any given point, i.e. the SUMMONING-BASED BIT COMMITMENTS AND local quantum state that is obtained by taking into account NO-SIGNALLING (only) collapses within the past light cone [11]. This means that measurement events at P , which we take to induce col- We recall now the essential idea of the flying qudit bit com- lapses, are taken into account by the readout device at Q if mitment protocol presented in Ref. [6], in its idealized form. and only if P ≺ Q. Given such a readout device, one can We suppose that space-time is Minkowski and that both par- certainly clone pure quantum states. The device behaves dif- ties, the committer (Alice) and the recipient (Bob), have ar- ferently, when applied to a subsystem of an entangled system, bitrarily efficient technology, limited only by physical princi- depending on whether the second subsystem is measured in- ples. In particular, we assume they both can carry out error- side or outside the past light cone of the point at which the free quantum operations instantaneously and can send clas- device is applies. It thus does not satisfy the assumptions of sical and quantum information at light speed without errors. the previous paragraph. They agree in advance on some space-time point P , to which The discussion above also shows that quantum theory aug- they have independent secure access, where the commitment mented by cloning or readoutdevices is not a generalizednon- will commence. signalling theory. For consider again a maximally entangled We suppose too that Bob can keep a state secure from Alice bipartite quantum system with one subsystem at space-time somewhere in the past of P and arrange to transfer it to her point P and the other at a space-like separated point P ′. Sup- at P . Alice’s operations on the state can then be kept secure pose that the Hamiltonian is zero, and that the subsystem at from Bob unless and until she chooses to return informationto P ′ will propagate undisturbed to point Q ≻ P . Suppose that Bob at some point(s) in the future of P . We also suppose that a measurement device may carry out any complete projective Alice can send any relevant states at light speed in prescribed measurement at P , and that at Q there is a cloning device fol- directions along secure quantum channels, either by ordinary lowed by another measurement device on the joint (original physical transmission or by teleportation. 4

They also agree on a fixed inertial reference frame, and two Security against post-quantum no-superluminal-signalling opposite spatial directions within that frame. For simplicity adversaries? we neglect the y and z coordinates and take the speed of light c = 1. Let P = (0, 0) be the origin in the coordinates (x, t) It is a strong assumption that any post-quantum theory and the opposite two spatial directions be defined by the vec- should be a generalized non-signalling theory satisfying Eqn. tors v0 = (−1, 0) and v1 = (1, 0). (3). So it is natural to ask whether cryptographic security can Before the commitment begins, Bob generates a random be maintained with the weaker assumption that other partici- pure qudit |ψi∈Cd. This is chosen from the uniform distribu- pants or adversaries are able to carry out quantum operations tion, and encoded in some pre-agreed physical system. Again and may also be equipped with post-quantum devices, but do idealizing, we assume the dimensions of this system are neg- not have the power to signal superluminally. It is instructive ligible, and treat it as pointlike. Bob keeps his qudit secure to understand the limitations of this scenario for protocols be- until the point P , where he gives it to Alice. To commit to the tween mistrustful parties capable of quantum operations, such bit i ∈ {0, 1}, Alice sends the state |ψi along a secure chan- as the bit commitment protocol just discussed. nel at light speed in the direction vi. That is, to commit to 0, The relevant participant here is Alice, who begins with a she sends the qudit along the line L0 = {(−t,t),t > 0}; to quantum state at P and may send components along the light- commit to 1, she sends it along the line L1 = {(t,t),t> 0}. like lines PQ0 and PQ1. Without loss of generality we as- For simplicity, we suppose here that Alice directly trans- sume these are the onlycomponents: she could also send com- mits the state along a secure channel. This allows Alice the ponents in other directions, but relativistic no-superluminal- possibility of unveiling her commitment at any point along signalling means that they cannot then influence her states at the transmitted light ray. To unveil the committed bit 0, Alice Q0 or Q1. returns |ψi to Bob at some point Q0 on L0; to unveil the com- At any points X0 and X1 on the lightlike lines, before Al- mitted bit 1, Alice returns |ψi to Bob at some point Q1 on L1. ice has applied any post-quantum devices, the approximate Bob then tests that the returned qudit is |ψi by carrying out cloning fidelity bound again implies that fidelities of the re- the projective measurement defined by Pψ = |ψi hψ| and its spective components ρX0 and ρX1 satisfy complement (I − Pψ). If he gets the outcome corresponding 2 to Pψ, he accepts the commitment as honestly unveiled; if not, hψ|ρX0 |ψi + hψ|ρX1 |ψi≤ 1+ . (11) he has detected Alice cheating. d +1 Now, given any strategy of Alice’s at P , there is an optimal Now, if Alice possesses a classical no-superluminal- state ρ0 she can return to Bob at Q0 to maximise the chance of signalling device, such as a Popescu-Rohrlich box, with input passing his test there, i.e. to maximize the fidelity hψ|ρ0|ψi. and output ports at X0 and X1, and her agents at these sites There is similarly an optimal state ρ1 that she can return at input classical information uncorrelated with their quantum Q1, maximizing hψ|ρ1|ψi. The relativistic no-superluminal- states, she does not alter the fidelities hψ|ρXi |ψi. Any subse- signalling principle implies that her ability to return ρ0 at Q0 quent operation may reduce the fidelities, but cannot increase cannot depend on whether she chooses to return ρ1 at Q1, or them. More generally, any operation involving the quantum vice versa. Hence she may return both (although this violates states and devices with purely classical inputs and outputs the protocol). The bound (7) on the approximate cloning fi- cannot increase the fidelity sum bound (7). To see this, note delities implies that that any such operation could be paralleled by local operations 2 within quantum theory if the two states were held at the same hψ|ρ0|ψi + hψ|ρ1|ψi≤ 1+ . (8) d +1 point, since hypothetical classical devices with separated pairs Since the probability of Alice successfully unveiling the bit of input and output ports are replicable by ordinary probabilis- value b by this strategy is tic classical devices when the ports are all at the same site. We need also to consider the possibility that Alice has no- pb = hψ|ρb|ψi , (9) superluminal signalling devices with quantum inputs and out- this gives the sum-binding security condition for the bit com- puts. At first sight these may seem unthreatening. For ex- mitment protocol ample, while a device that sends the quantum input from X0 to the output at X1 and vice versa would certainly make the 2 p0 + p1 ≤ 1+ . (10) protocol insecure – Alice could freely swap commitments to d +1 0 and 1 – such a device would be signalling. Recall that the bound (7) follows from the relativistic no- However, suppose that Alice’s agents each have local state superluminal-signalling condition together with the location- readout devices, which give Alice’s agent at X0 a classical independence assumption for a device based on a hypotheti- description of the density matrix ρX0 and Alice’s agent at X1 cal post-quantum cloning device applied to one subsystem of a classical description of the density matrix ρX1 . Suppose also a bipartite entangled state. Alternatively, it follows from as- that Alice has carried out an approximate universal cloning at suming that any post-quantum devices operate within a gen- P , creating mixed states ρX0 and ρX1 of the form eralized non-signalling theory. The bit commitment security thus also follows from either of these assumptions. ρXi = pi |ψi hψ| + (1 − pi)I, (12) 5 where 0 < pi < 1. This is possible provided that p0 + p1 ≤ tions is possible (and required) during the protocol. Alice’s 2 1+ d+1 . From these, by applying their readout devices, each agent at P must be able to send the quantum state to either agent can infer |ψi locally. Alice’s outputs at Xi have no de- of the agents at Q0 or Q1; indeed, a general quantum strategy pendence on the inputs at X¯i. Nonetheless, this hypothetical requires her to send quantum information to both. process would violate the security of the commitment to the Fourth, the security proof of the flying qudit protocol can maximum extent possible, since it would give p0 + p1 =2. be extended to generalised no-signalling theories. However, To ensure post-quantum security, our post-quantum theory the protocol is not secure if the committer may have post- thus need assumptions – like those spelled out earlier – that quantum devices that respect the no-superluminal signalling directly preclude state readout devices and other violations of principle, but are otherwise unrestricted. Security proofs re- no-cloning bounds. quire stronger assumptions, such as that the commmitter is restricted to devices allowed by a generalized non-signalling theory. DISCUSSION The same issue arises considering the post-quantum secu- rity of quantum key distribution protocols [12]), which are Classical and quantum relativistic bit commitment pro- secure if a post-quantum eavesdropper is restricted by a gen- tocols have attracted much interest lately, both because of eralised no-signalling theory but not if she is only restricted their theoretical interest and because advances in theory [14] by the no-superluminal-signalling principle. One distinction and practical implementation [15–17] suggest that relativis- is that quantum key distribution is a protocol between mu- tic cryptography may be in widespread use in the forseeable tually trusting parties, Alice and Bob, whereas bit commit- future. ment protocols involve two mistrustful parties. It is true that Much work on these topics is framed in models in which quantum key distribution still involves mistrust, in that Al- two (or more) provers communicate with one (or more) ver- ice and Bob mistrust the eavesdropper, Eve. However, if one ifiers, with the provers being unable to communicate with makes the standard cryptographic assumption that Alice’s and one another during the protocol. Indeed, one round classical Bob’s laboratories are secure, so that information about oper- relativistic bit commitment protocols give a natural physical ations within them cannot propagate to Eve, one can justify a setting in which two (or more) separated provers communi- stronger no-signalling principle [12]. Of course, the strength cate with adjacent verifiers, with the communications timed of this justification may be questioned, given that one is postu- so that the provers cannot communicate between the commit- lating unknown physics that could imply a form of light speed ment and opening phases. The verifiers are also typically un- signalling that cannot be blocked. But in any case, the justifi- able to communicate, but this is less significant given the form cation is not available when one considers protocols between of the protocols, and the verifiers are sometimes considered as two mistrustful parties, such as bit commitment, and wants a single entity when the protocol is not explicitly relativistic. to exclude the possibility that one party (in our case Alice) Within the prover-verifier model, it has been shown that cannot exploit post-quantum operations within her own labo- no single-round two-prover classical bit commitment protocol ratories (which may be connected, forming a single extended can be secure against post-quantum provers who are equipped laboratory). with generalized no-signalling devices [18]. It is interesting Our discussion assumed a background Minkowski space- to compare this result with the signalling-based security proof time, but generalizes to other space-times with standard causal for the protocol discussed above. structure, where the causal relation ≺ is a partial ordering. First, of course, the flying qudit protocol involves quantum Neither standard quantum theory nor the usual form of the rather than classical communication between “provers” (Al- no-superluminal signalling principle hold in space-times with ice’s agents) and “verifiers” (Bob’s agents). closed time-like curves, where two distinct points P and Q Second, as presented, the flying qudit protocol involves may obey both P ≺ Q and Q ≺ P . Formulating consistent three agents for each party. However, a similar secure bit com- theories in this context requires further assumptions (see for mitment protocol can be defined using just two agents apiece. example Ref. [19] for one analysis). The same is true of su- For example, Alice’s agent at P could retain the qudit, while perpositions of space-times with indefinite causal order [20]. remaining stationary in the given frame, to commit to 0, and We leave investigation of these cases for future work. send it to Alice’s agent at Q1 (as before) to commit to 1. They may unveil by returning the qudit at, respectively, (0,t) or Acknowledgments This work was partially sup- (t,t). In this variant, the commitmentis not secure at the point ported by UK Quantum Communications Hub grant no. where the qudit is received, but it becomessecure in the causal EP/M013472/1 and by Perimeter Institute for Theoretical future of (t/2,t/2). Physics. Research at Perimeter Institute is supported by the Third, the original flying qudit protocol illustrates a pos- Government of Canada through Industry Canada and by the sibility in relativistic quantum cryptography that is not mo- Province of Ontario through the Ministry of Research and In- tivated (and so not normally considered) in standard multi- novation. I thank Claude Cr´epeau and Serge Fehr for stimu- prover bit commitment protocols. This is that, while there are lating discussions and the Bellairs Research Institute for hos- three provers, communication between them in some direc- pitality. 6

quantum state on the edge of the no-signaling condition. Phys- ical Review A, 68(3):032313, 2003. [14] Andr´eChailloux and Anthony Leverrier. Relativistic (or 2- [1] Adrian Kent. A no-summoning theorem in relativistic quantum prover 1-round) zero-knowledge protocol for NP secure against theory. Quantum Information Processing, 12:1023–1032, 2013. quantum adversaries. In Annual International Conference [2] Adrian Kent. Quantum tasks in Minkowski space. Classical on the Theory and Applications of Cryptographic Techniques, and Quantum Gravity, 29(22):224013, 2012. pages 369–396. Springer, 2017. [3] Patrick Hayden and Alex May. Summoning information in [15] Tommaso Lunghi, J Kaniewski, F´elix Bussieres, Rapha¨el Houl- spacetime, or where and when can a qubit be? Journal mann, M Tomamichel, A Kent, Nicolas Gisin, S Wehner, and of Physics A: Mathematical and Theoretical, 49(17):175304, Hugo Zbinden. Experimental bit commitment based on quan- 2016. tum communication and special relativity. Physical Review Let- [4] Ya-Dong Wu, Abdullah Khalid, and Barry C Sanders. Effi- ters, 111(18):180504, 2013. cient code for relativistic quantum summoning. New Journal of [16] Yang Liu, Yuan Cao, Marcos Curty, Sheng-Kai Liao, Jian Physics, 20(6):063052, 2018. Wang, Ke Cui, Yu-Huai Li, Ze-Hong Lin, Qi-Chao Sun, Dong- [5] Emily Adlam and Adrian Kent. Quantum paradox of choice: Dong Li, et al. Experimental unconditionally secure bit com- More freedom makes summoning a quantum state harder. Phys- mitment. Physical Review Letters, 112(1):010504, 2014. ical Review A, 93(6):062327, 2016. [17] Ephanielle Verbanis, Anthony Martin, Rapha¨el Houlmann, Gi- [6] Adrian Kent. Unconditionally secure bit commitment with fly- anluca Boso, F´elix Bussi`eres, and Hugo Zbinden. 24-hour rel- ing qudits. New Journal of Physics, 13(11):113015, 2011. ativistic bit commitment. Physical Review Letters, 117(14): [7] Sandu Popescu and Daniel Rohrlich. Quantum nonlocality as 140506, 2016. an axiom. Foundations of Physics, 24(3):379–385, 1994. [18] Serge Fehr and Max Fillinger. Multi-prover commitments [8] William K Wootters and Wojciech H Zurek. A single quantum against non-signaling attacks. In Annual Cryptology Confer- cannot be cloned. Nature, 299( 5886):802–803, 1982. ence, pages 403–421. Springer, 2015. [9] DGBJ Dieks. Communication by EPR devices. Physics Letters [19] Charles H Bennett, Debbie Leung, Graeme Smith, and John A A, 92(6):271–272, 1982. Smolin. Can closed timelike curves or nonlinear quantum me- [10] Nicolas Gisin. Quantum cloning without signaling. Physics chanics improve quantum state discrimination or help solve Letters A, 242(1-2):1–3, 1998. hard problems? Physical Review Letters, 103(17):170502, [11] Adrian Kent. Nonlinearity without superluminality. Physical 2009. Review A, 72(1):012108, 2005. [20] Ognyan Oreshkov, Fabio Costa, and Caslavˇ Brukner. Quantum [12] Jonathan Barrett, Lucien Hardy, and Adrian Kent. No signaling correlations with no causal order. Nature Communications, 3: and quantum key distribution. Physical Review Letters, 95(1): 1092, 2012. 010503, 2005. [13] Patrick Navez and Nicolas J Cerf. Cloning a real d-dimensional