Position-based Quantum Cryptography: From Theory towards Practice Rene Allerstorfer Abstract: With the possible advent of large-scale fault-tolerant quantum computers in the next decades, one has to think about the implications very carefully. One of the most influential task such quantum computers are capable of is breaking currently widely used asymmetric encryption schemes. So for classical cryptographers, quantum computers provide a headache. On the other hand, quantum physics enables new quantum cryptographic protocols that may be able to provide very strong levels of security. For example, quantum key distribution (QKD) in theory gives unconditional and everlasting security (up to certain thresholds on noise) and could therefore make critical processes unhackable, even for quantum computers. This thesis deals with such a new quantum-enabled cryptographic primitive: position-based quantum cryptography (PBQC), and in particular quantum position verification (QPV). A comprehensive literature review of the field is provided in Chapter 3. Whether these types of protocols can achieve a similar security standard as QKD in practice is still open and beyond the scope of this thesis, even though much of the research on QPV is motivated by finding such a secure protocol. If one thinks about actually implementing a QPV protocol, or PBQC, it is also essential to consider practical aspects, like signal errors and losses, and check whether the protocol can deal with those or whether it is broken. These were the main guides in the research of this thesis: better understanding attacks on QPV, thinking about the practicality of QPV protocols and designing QPV protocols accordingly. More fundamentally, this led us to study the interplay between non-locality and interaction in the setting of QPV. First, regarding practicality, we focus on designing and analysing loss-tolerant QPV protocols, mainly thinking about linear-optical hardware for implementations. A detailed study of a practically versatile QPV protocol is given in Chapter 4. There, we introduce a new QPV protocol based on the SWAP test, or, more experimentally speaking, on Hong-Ou-Mandel interference which turns out to be experimentally feasible and flexible. We study it theoretically, establishing full loss tolerance, security against unentangled attackers and parallel repetition. On the negative side, we also provide an efficient entanglement attack. Moreover, we provide a detailed experimental study, modelling imperfections from source to detection to see whether realistic noisy honest statistics still retain security against unentangled attackers, who can take advantage of some of those imperfections. The bottom line we found was that the QPV protocol based on the SWAP test is robust to a level of errors that can be achieved with current technology. However, this protocol can still be efficiently attacked and is not yet the end of the story. In Chapter 6 we provide a solution to the last major practical issue of QPV -- signal loss. A minor modification of the standard structure of QPV, namely introducing a small time delay and a commitment to play from the honest prover, allows us to provably make the transmission loss between the verifiers and the honest party irrelevant for security. Our proof holds in the robust and most general adversarial setting. The idea is to reduce the security of the protocol with commitment to the underlying one without it. This holds if the underlying QPV protocol is state-independent. In particular, it is true for f-BB84 QPV, a protocol that can deal with the other two major issues of QPV -- slow quantum communication and attackers with bounded pre-shared entanglement -- but is not loss tolerant. The corresponding protocol with commitment becomes loss tolerant due to our results in Chapter 6 and thus constitutes the first practically feasible QPV protocol that can deal with all major issues QPV faces for security. We further study experimental aspects of a real implementation and propose a partial linear-optical Bell measurement as the required partial quantum non-demolition measurement. Chapter 7 generalises the well known BB84 QPV protocol to the continuous variable setting. Continuous variable quantum states are simpler to handle and much existing telecommunication infrastructure could be reused for them. We show security against unentangled attackers for a parameter regime of attenuation and excess noise, and provide an entanglement attack. Finally, regarding studying attacks on QPV, we focus on the difference between quantum and classical communication in Chapter 5. First, we prove a new bound on unentangled attacks on QPV based on Bell states, or in other words, how well one can distinguish Bell states with local operations and one round of simultaneous quantum communication. In general, it is a priori not clear whether quantum communication can give any advantage in the constrained setting of QPV attacks. However, a separation was first shown for an entangled input ensemble in a co-authored paper. In Chapter 5 we study the particular task of discriminating an ensemble of quantum states in the two different settings. We characterise perfect discrimination in each scenario and construct ensembles that are discriminable with quantum communication, but not locally, from quantum secret sharing schemes. Moreover, we show an advantage of quantum communication even for a concrete separable input ensemble. Lastly, we identify a certain structure that leads to a necessary condition on the error of the state discrimination, which in turn yields non-zero error lower bounds for certain concrete product state ensembles like the domino states. This structure is related to the structure of the BB84 states and, loosely speaking, any state ensemble that contains four states that look like a generalisation of the BB84 states is subject to the necessary condition on the state discrimination error that we derive.