Localizing and excluding quantum information; or, how to share a quantum secret in spacetime

When can quantum information be localized to each of a collection of spacetime regions, while also excluded from another collection of regions? We answer this question by defining and analyzing the localize-exclude task, in which a quantum system must be localized to a collection of authorized regions while also being excluded from a set of unauthorized regions. This task is a spacetime analogue of quantum secret sharing, with authorized and unauthorized regions replacing authorized and unauthorized sets of parties. Our analysis yields the first quantum secret sharing scheme for arbitrary access structures for which the number of qubits required scales polynomially with the number of authorized sets. We also study a second related task called state-assembly, in which shares of a quantum system are requested at sets of spacetime points. We fully characterize the conditions under which both the localize-exclude and state-assembly tasks can be achieved, and give explicit protocols. Finally, we propose a cryptographic application of these tasks which we call party-independent transfer.


Introduction
The study of the interplay between quantum theory and relativity has recently begun a new chapter with the consideration of quantum information tasks in a Minkowski space background [1,2,3]. For instance, the study of information causality [4] and of causal operators [5] has given further insight into ties between information processing and relativity. Along with other results in this area [6,7,8,9], these can be placed into the general framework of quantum tasks in Minkowski space [10].
One task of particular interest is summoning, defined by Kent [11], where the associated no-summoning theorem is a statement of no-cloning appropriate to the spacetime setting. We have also argued that a generalization of the summoning task [6] provides an operational framework within which to study how quantum information can move through spacetime. The importance of having such a framework is highlighted by recent subtle questions concerning spacetime structure and the no-cloning principle in the context of black holes [12,13]. Understanding how a quantum system may be delocalized in Minkowski space should be a useful step towards understanding such fundamental puzzles.
The study of quantum tasks in Minkowski space has been given a second motivation with the discovery of cryptographic protocols that exploit the properties of either or both of quantum mechanics and special relativity. Bit-commitment is a well-known example [14,15]; other examples include coin flipping [16], key distribution (where signalling constraints enter into some security proofs [17,18]), and two spacetime analogues Figure 1: An example of a localize-exclude task. A single copy of an unknown quantum system is initially localized near the spacetime point s, and needs to be localized to within regions A 1 and A 2 , while avoiding region U 1 . Theorem 8 shows that this is possible to do.
In quantum secret sharing, a central result of quantum cryptography, a quantum system is distributed among many parties such that only certain subsets of parties may collectively use their shares to reconstruct the system. Other subsets of parties are required to not be able to learn any information about the secret from their shares. In the context of quantum tasks in Minkowski space, where the movement of information in spacetime is central, and in the context of relativistic quantum cryptography, it is natural to consider a spacetime generalization of quantum secret sharing.
To do this we replace the notions of authorized and unauthorized sets of parties with authorized and unauthorized spacetime regions. We define the localize-exclude task, where the goal is to move a quantum system through spacetime in such a way that it is localized to each of the authorized regions and excluded from the unauthorized ones. Figure 1 gives a simple example. In theorem 8, we find necessary and sufficient conditions for completing the localize-exclude task. To argue that the localize-exclude task is a natural spacetime generalization of secret sharing, we show in the main text that there is a simple construction that embeds any quantum secret sharing scheme as a localize-exclude task, and that the conditions of this theorem reduce to those for quantum secret sharing in that case.
In the summoning task one party, Bob, puts in requests for the quantum system at certain spacetime points, asking that the system be returned at one of another set of points. The localize-exclude task removes this structure, but adds a notion of unautho-rized region. It is interesting to also consider a task in the request-return setting, but which includes unauthorized regions. In this state-assembly task, we consider many parties Bob i who may each request a share of the quantum system at an associated spacetime region D i . Alice should respond to the collection of requests given by the Bobs in a careful way: she should hand over a collection of shares sufficient to construct a single copy of the system when the collection of requests is authorized, and she should not reveal any information about the system when that collection is unauthorized. The conditions for Alice to complete this task are the same as for localize-exclude in the case of causally separated regions, but differ when non-trivial causal structures are considered. In theorem 13 below we precisely characterize the conditions under which this task can be completed, and describe an explicit protocol for completing it when it is possible.
Together the state-assembly and localize-exclude tasks provide a rich set of scenarios to consider. We suggest party-independent transfer as a potential cryptographic application of this framework, a task where two other parties wish to receive information from Alice and want the information they receive to be both private and independent of their identity. We propose a protocol for completing this task which is built on the state-assembly task. Establishing the security of this protocol we leave to future work.
The layout of this paper is as follows. Section 2 gives the necessary definitions to study localization to arbitrary spacetime regions and proves theorem 8, which characterizes the localize-exclude task. We discuss the relation between localize-exclude and quantum secret sharing in the same section. In section 3 we discuss state-assembly and give its characterization. In section 4 we study the party-independent transfer task. Two appendices are included which clarify the relationship of this work to earlier work on summoning. The first shows that state-assembly is equivalent to a certain summoning task, and the second addresses the points raised by Adlam and Kent [7] against interpreting summoning tasks in terms of the localization of information.
2 Localizing and excluding quantum information 2.1 Localizing quantum information to many regions As a first step towards characterizing the localize-exclude task we discuss the problem of localizing quantum information to a collection of spacetime regions, leaving excluded regions to the next section. To do this we consider the following setting. Alice holds the A subsystem of a pure state |Ψ RA , with A recorded into a collection of classical and quantum systems held within secure laboratories not accessible to her adversary, Bob 1 . We would like to ask where system A is. For instance, Alice might have recorded A into an error-correcting code and distributed the shares of this code to various laboratories.
Further, she might be constantly rerouting these shares between labs, so that shares are held only at certain labs between specified times.
We can ask where the subsystem is in spacetime by temporarily relaxing the security of Alice's labs -we give Bob access to some collection of Alice's labs for certain time intervals. If by accessing these labs Bob is able to prepare the A system (potentially making use of later data processing), we say that system A was localized to the collection of labs and intervals of time Bob accessed. More generally, we can abstract away from the language of labs and time intervals and give a more general definition.
Definition 1 Suppose one party, Alice, holds system A of a quantum state |Ψ AR . Then we say the subsystem A is localized to a spacetime region Σ if a second party, Bob, for whom the state is initially unknown is able to prepare the A system by collecting quantum and classical systems from within Σ, and then applying later data processing.
Conversely, if Bob is unable to learn anything about A we say the system is excluded from Σ. Note that the later data processing referred to in the definition may occur outside of the region Σ. Further, a system may be neither localized nor excluded from a region if partial information about the system is available there.
To be more precise we should specify how it is verified that Bob holds the A system after he has accessed Σ. One natural possibility is to introduce a third party, call him Charlie, who plays the role of a referee. We have Charlie hold both the purifying system R of |Ψ AR as well as a classical description |Ψ AR . To verify Bob holds the system then, we have Bob pass the A system to Charlie, who performs a projective measurement of the AR system in a basis that includes |Ψ AR . If Alice can pass Charlie's test with certainty, we declare that Alice localized the system to Σ. Of course, Alice will also pass this test with some probability so long as Charlie's final state has non-trivial overlap with |Ψ AR 2 . It is interesting to compare this notion of localizing a quantum system to a spacetime region to a notion of spacetime localization based on the summoning task [6]. Perhaps the key distinction is that, in the definition given here, information processing may occur outside the spacetime region in order to prepare the system. This point carries with it certain subtleties that are taken up in appendix A and the discussion. The key advantage of definition 1 however is its applicability to regions of arbitrary shape.
One strategy for hiding a quantum system from Bob would be for Alice to send A into a region Σ, while also sending various decoys A d1 , A d2 , ... so that Bob, though he may collect all of the systems A, A d1 , A d2 , ... is left unsure as to which system to hand to Charlie. This reveals a finer point to definition 1: the system Bob is searching for may enter Σ, but if appropriate classical instructions do not also enter Σ (in this case a label denoting which system actually holds A), then definition 1 says the system is not localized there. To avoid confusion around this point we will always have Alice, at some early time, reveal the classical instructions that constitute her protocol to Bob. The only information Alice will not broadcast is a classical string k (as well as the quantum system itself). As we will see, protocols where Alice holds only a secret key k and reveals all other details to Bob are sufficient to complete any physically possible localize-exclude task, so this restriction on Alice amounts to a useful simplification of notation and language.
In the protocols we construct Alice will encode her quantum system into an errorcorrecting code that corrects erasure errors, and then apply a quantum one-time pad to each of the shares in the quantum code. Alice does not broadcast the classical strings used in the one-time pads; taken together these constitute her secret key k. However, she does reveal her procedure for putting A into an error-correcting code and applying the one-time pad, and reveals the spacetime trajectories of each share in the code. Within this context, Bob reconstructs A by accessing a region Σ whenever a correctable subset of shares in the error-correcting code along with their corresponding classical keys from the the one-time pad pass through Σ.
Definition 1 specifies what is meant by a quantum system being localized to a single spacetime region. To extend this to multiple regions, we define the localize task as follows.
Definition 2 A localize task is a task involving two agencies, Alice and Bob, specified by a tuple {A, s, {A 1 , ..., A n }}, consisting of: In general A may be a subsystem of some overall pure state |Ψ AR . The state on AR is unknown to both Alice and Bob.
• A start point s, at which Alice initially holds system A • A collection of spacetime regions {A 1 , ..., A n }, which we call the authorized regions Alice successfully completes the task if Bob is able to prepare system A after he accesses any one of the A i .
If Alice is able to successfully complete the localize task with regions {A 1 , ..., A n } we say she has localized the system to each of those regions. The authorized regions may be of arbitrary shape and may overlap.
To analyze this task it is useful to introduce some language. We give the following definition which specifies a relation between pairs of spacetime regions.
Definition 3 Two spacetime regions Σ i and Σ j are said to be causally connected if there is a point q i in Σ i and q j in Σ j such that there is a causal curve from q i to q j , or from q j to q i .
We illustrate this definition in figure 2a. If two regions are not causally connected we say they are causally disjoint. In the context of the localize-exclude task discussed in the next section we will also need one further definition relating to spacetime geometry. Figure 2: Two geometric notions used in the text. a) Two causally connected regions. Two spacetime regions Σ i and Σ j are said to be causally connected if there is a point q i in Σ i and q j in Σ j such that there is a causal curve from q i to q j , or from q j to q i . b) The domain of dependence (light grey) of a spacetime region Σ (dark grey). The domain of dependence is defined as the set of all points p in the spacetime such that all causal curves passing through p must also enter Σ.

Definition 4
The domain of dependence of a spacetime region Σ, denoted D(Σ), is the set of all points p such that every causal curve through p must also enter Σ.
This definition is illustrated in figure 2b.
As a first step towards the more general scenario consider the localization of a quantum system to two authorized regions A 1 and A 2 .
Theorem 5 Given a quantum system initially localized near a spacetime point s, the system may be localized to both of the spacetime regions A 1 and A 2 if and only if the following two conditions hold. i. A 1 and A 2 both have a point in the future light cone of s.
ii. A 1 and A 2 are causally connected.
Proof. First, note that if an authorized region is entirely outside the future light cone of the start point then successfully localizing the system to that region would constitute superluminal communication. Thus, the first condition is necessary. To see necessity of the second condition suppose there exists a protocol for localizing a quantum system to two causally disjoint regions A 1 and A 2 . Then by definition it is possible to construct the system by accessing the region A 1 , and by accessing A 2 . By causality however accessing region A 1 cannot affect the system constructed from A 2 , and vice versa, so it would be possible to construct two copies of the quantum system. But this constitutes cloning, so no such protocol can exist.
To understand sufficiency we construct a task with the minimal properties specified by the two assumed conditions. Such a task is shown in figure 3. There, a point Figure 3: An arrangement of two authorized regions that has the minimal requirements to satisfy the conditions of theorem 5. By the first condition A 1 and A 2 are causally connected. This guarantees the existence of a point p 1 in A 1 which is in the causal future of some point p 2 in A 2 (up to relabelling). The second condition gives that each region have at least one point in the future light cone of s. However, the regions A 1 and A 2 may be disconnected (as shown here) and so satisfy this requirement while having the points p 1 , p 2 be outside the future light cone of s. To localize a system A to both regions a maximally entangled state |Ψ + EĒ is shared between s and p 1 . Near to s the A system is teleported using this entanglement, and the entangled system at p 1 is sent to p 2 . Meanwhile, the classical measurement outcomes from the teleportation protocol are sent to the points in A 1 and A 2 which are in the causal future of s. Each region has both the classical measurement outcomes and the entangled particle pass through it, so the A system is localized to each.
is causally connected to p 2 ∈ A 2 , and each of A 1 and A 2 have a point in the future light cone of s. However, p 1 and p 2 sit outside the future light cone of s. Nonetheless it is straightforward to complete such a task. To do so a system E is maximally entangled withĒ, then E is brought to s whileĒ is brought to p 1 . At s, E is used to teleport the A system onto theĒ system. The measurement outcome from the teleportation is sent to A 1 and A 2 from s. Meanwhile,Ē is sent from p 1 to p 2 . Each authorized region contains the classical measurement outcome and the systemĒ, so accessing either region allows reconstruction of A.
We can now move on to understanding localize tasks with arbitrary numbers of authorized regions. We find in particular that it is only the structure of causal connections between pairs of regions and the start point that are needed to characterize a task as possible or impossible. Proof. Necessity of the two conditions follows from the same arguments as in the two region case given as theorem 5: localizing a system to a region outside of its future light cone violates no signaling, and localizing a system to two spacelike separated regions would allow two copies of the system to be produced.
To demonstrate sufficiency we construct an explicit protocol for completing any task satisfying the two conditions. To this end it is useful to introduce a directed graph G which describes the causal structure of the task: for each authorized region A i introduce a vertex, also labelled A i , to the graph. For each pair of regions (A i , A j ) such that there is a point in A j connected by a causal curve to a point in A i introduce a directed edge (A i → A j ). An example of a task and its associated graph is given as figure 4.
From the no-cloning theorem it follows that some quantum information must be shared between every pair of authorized regions. In our construction these quantum systems that move between pairs of authorized regions form the shares of an errorcorrecting code. In particular, for each edge in the graph G we associate one share. In theorem 5 and figure 3 we showed how to localize a quantum system to two authorized regions whenever they share a causal connection. We can execute this protocol on the shares of our error-correcting code to ensure the share associated to edge A i → A j is localized to both A i and A j . To complete the task then, our error-correcting code should have the property that, given any vertex, the set of shares associated to the edges attached to that vertex are sufficient to construct the initial system A. We illustrate the requirement on this code in figure 5.
In fact, given that every pair of vertices in this graph share an edge, which is guaranteed by condition (ii), such error-correcting codes have already been constructed. To encode finite-dimensional quantum systems we constructed such codes using the codeword-stabilized formalism in the context of a similar summoning problem [6]. Constructions for continuous variable systems have also been given [8] and then adapted to the finite-dimensional case [21]. In the code-word stabilized construction a single logical qubit is recorded using 2 physical qubits for each edge in the graph, resulting in a total of 2 n 2 physical qubits for n the number of authorized regions. This result is particularly simple and expected from earlier work on summoning. Indeed, the conditions for summoning to a collection of diamonds are the same as for localizing to a collection of authorized regions (see [6], or appendix A).

Localizing and excluding quantum information
Now that we have an understanding of when and how a quantum system can be localized to many spacetime regions, we can approach the localize-exclude task. This task includes a notion of unauthorized region, a region in spacetime from which the system must be excluded in the sense described in the last section. Further, we will require that accessing an unauthorized region reveals no information about the quantum system. We collect these ideas into the following definition.
Definition 7 A localize-exclude task involves two agencies, Alice and Bob, and is specified by a tuple {A, s, {A 1 , ..., A n }, {U 1 , ..., U m }}, consisting of: i. A quantum system A. In general A may be a subsystem of some overall pure state |Ψ AR . The state on AR is unknown to both Alice and Bob.
ii. A start point s, at which Alice initially holds system A iii. A collection of spacetime regions {A 1 , ..., A n }, which we call the authorized regions Figure 5: Illustration of the functioning of the error-correcting code used in theorem 6. a) A directed graph that describes the causal connections between the authorized regions of a localize task. In this case the task involves four authorized regions. b) To complete the task, we employ an error-correcting code that associates a share to each edge in the corresponding undirected graph. The encoded qubit can be reconstructed from the shares associated with the edges attached to any one vertex, corresponding to the sets of edges crossed by the purple arcs. For a single logical qubit, the shares on each edge consist of two qubits. A detailed construction of the code can be found in [6], and a more efficient version in [21]. For infinite dimensional versions see [8].
iv. A collection of spacetime regions {U 1 , ..., U m }, which we call the unauthorized regions Bob will choose to access one of the A i or U i , and will attempt to construct the quantum system A from his access. Alice successfully completes the task if both (a) Bob is able to construct A when he accesses any one of the A i and (b) Bob learns no information about A if he accesses any one of the U i .
If Alice successfully completes the localize-exclude task, we say she has localized system A to the corresponding authorized regions while excluding it from the unauthorized regions.
As an initial approach to understanding the localize-exclude task we can list off the most basic restrictions that we expect to apply. First, the two restrictions occurring in the context of the localize task are still relevant: the start point should have a point from each authorized region in its future light cone, and there should be no causally disjoint pairs of authorized regions. There are also additional restrictions relating to the unauthorized regions however. In particular, we can never have an authorized region A i be contained in the domain of dependence of an unauthorized region U j , since then all information which enters A i also enters U j . Finally, the start point too should not be contained in the domain of dependence of any unauthorized region. We illustrate each these conditions in figure 6. Remarkably, a localize-exclude task Figure 6: Four impossible localize-exclude tasks: (a) An authorized region is entirely outside the future light cone of s, so system A can't be localized there without violating the no-signalling principle. (b) The initial location of the quantum system is in the domain of dependence of an unauthorized region U 1 , so can be reconstructed from data in U 1 . (c) A quantum system cannot be localized to both the spacetime regions A 1 and A 2 , due to the no-cloning theorem. (d) A quantum system cannot be localized to A 1 without passing through the region U 1 , since there is no causal curve which passes through A 1 and not U 1 . The red shaded region indicates the domain of dependence of the unauthorized region U 1 . The yellow shading indicates the future light cone of the start point.
{A, s, {A 1 , ..., A n }, {U 1 , ..., U m }} will turn out to be possible to complete so long as none of the four situations in figure 6 occur.
As a warm-up to the general case, consider the example given in the introduction as figure 1. There, a single unauthorized region blocks the path between two authorized ones. As we illustrate in figure 7, it is nonetheless possible to complete the task using the quantum one-time pad [22]. Near the start point, a unitary U k is applied to A with k chosen at random. The overall pure state is then U k ⊗ I|Ψ AR . To an observer who is unaware of the key k, the density matrix of the state is . By carefully choosing the set of possible unitaries U k , one can arrange that ρ AR = I A /d A ⊗ ρ R , so that Bob has learned nothing about the A system whenever he does not learn k. This is possible when A consists of n qubits and k consists of 4n bits [22]. Once encoded using the one-time pad, the A system is sent through both authorized regions by allowing it to pass through the unauthorized region. An access to the unauthorized region then only sees the maximally mixed state. The classical key k is also sent to both authorized regions, but along trajectories that avoid the unauthorized one.
A similar technique can be applied to the general case of many authorized and many unauthorized regions. As we show in the proof of theorem 8 given below, the strategy is to first encode the A system into an error-correcting code so that it can be localized to each authorized region. Then each share in that error-correcting code is encoded using a classical string and the quantum one-time pad. We then leverage classical secret sharing to allow us to get the encoding string to the needed authorized regions while avoiding all the unauthorized regions.
We are now ready to state theorem 8 and give the proof. The proof of sufficiency is somewhat lengthy, so we have provided figure 8 which summarizes the key steps taken. Proof. The necessity of conditions (i)(a) and (ii) follow from the same arguments as in theorem 6. To argue the necessity of condition (iii), notice that if A i is contained in the domain of dependence of U j , then the state of the quantum fields within A j is determined by unitary evolution from the fields within U i . Then whenever the A system can be determined from A i it is also possible to recover it from U j . Condition (i)(b) is necessary for the same reason. Figure 7: Illustration of the protocol for completing a localize-exclude task with two authorized regions and one unauthorized region that satisfy the conditions of theorem 8. In the distant past, Alice prepares copies of the classical string k. She brings one copy of k to each of A 1 and A 2 along a path which does not cross U -this is always possible by condition (iii). She must also bring the classical string to the start point s, and encode the A system using the quantum one-time pad [22]. The overall state on A and its purifying system R is then of the form (U k ⊗ I)|Ψ AR . The encoded system A is sent through both authorized regions. By following this protocol both authorized regions contain k and the encoded A system, while the unauthorized region contains the encoded system only.
One-time pad ((m, m)) classical secret sharing scheme .., U m }), to completing n 2 instances of (S ij , s, {A i , A j }, ∅) on quantum shares, and 3m n 2 instances of (k l ij , −∞, R i , U l ) on classical shares, where the region R i may be either the start point or an authorized region. The notation −∞ indicates the share is available at early times. The first step in the protocol is to recycle the error-correcting code from theorem 6 to encode the A system into shares S ij . At the second step, the one-time pad is applied to each of the S ij . This allows the unauthorized regions to be avoided by introducing additional classical shares, but without the need for further uses of quantum error-correcting codes. Figure 9: An example of a localize-exclude task and illustration of the protocol provided by theorem 8 for its completion. Near the start point the system A is encoded using the quantum one-time pad and sent (along the blue curve) through both authorized regions. The string k satisfies k = k 1 ⊕ k 2 , so that k 1 , k 2 form the two shares of a ((2, 2)) secret sharing scheme. k 1 is sent through A 1 and A 2 while avoiding U 1 , while k 2 is sent through A 1 and A 2 while avoiding U 2 . Consequently, each A i contains all of the classical shares k i along with the encoded A system, while each U i is missing one k i .
To demonstrate sufficiency we construct an explicit protocol to complete the task in the case where all three conditions are true. It is useful to recall the notation (A, s, {A 1 , ..., A n }, {U 1 , ..., U m }), which describes a localize-exclude task by specifying the system on which we must complete the task, the start point, authorized regions, and unauthorized regions. As a first step in constructing our protocol, we encode the system A into the error-correcting code used in theorem 6. Using this code and localizing each share in the code to its two associated authorized regions would localize the system to each authorized region. However, here we also need to exclude the system from all of the unauthorized regions. To do this, we will localize each share S ij to A i and A j while also avoiding every unauthorized region. In other words, encoding A into the codeword stabilized code reduces completing the original task to completing the tasks By using the quantum one-time pad and classical secret sharing it is possible to further reduce completing the (S ij , s, In particular, at s use the quantum one-time pad to encode the share S ij using some classical string k ij . We may freely send the encoded share through A i and A j so long as the classical string k ij is kept out of all of the unauthorized regions, and is made available at s, A i , and A j . Thus, To finish the protocol, we first notice that theorem 6 shows that we can complete any task of the form (S ij , s, is also easily handled. Note that since the task is to be completed on a classical string, we can produce three copies of k ij and worry separately about sending the string to s and each of A i and A j , so we have to complete three instances of (k ij , −∞, R, {U 1 , ..., U m }), where R can be s, A i or A j . To complete these, encode k ij into an ((m, m)) secret sharing scheme 4 with shares k l ij . Then complete the tasks (k l ij , −∞, R, U l ). This completes the task with all m unauthorized regions since the classical string is kept out of U l so long as at least one of the shares in the ((m, m)) scheme is.
It remains to complete the tasks of the form (k l ij , −∞, R, U l ). When R is one of the authorized sets, condition (iii) guarantees that R is not in the domain of dependence of U l , which means there is a causal curve passing through R which does not enter U l . To complete the task, simply send k l ij along this curve. When R is the start point s, condition (i)(b) guarantees there is a causal curve passing through s and not U l , so again we can complete this task.
An example of the protocol used in this proof is given as figure 9. Figure 10: Example of the embedding of a secret sharing scheme with arbitrary access structure into a localize-exclude task. We consider a secret sharing scheme that involves three parties, and has authorized sets , with all other subsets of parties deemed unauthorized. In the corresponding localize-exclude task, the three parties become three causally disjoint spacetime regions Σ 1 , Σ 2 and Σ 3 . Further, this localize-exclude task has authorized regions The start point s has been placed at an early enough time that all the Σ i are in its future light cone.
Earlier we mentioned the similarity of conditions (ii) and (iii) to corresponding conditions for quantum secret sharing. A quantum secret sharing scheme [23] is specified by an access structure, with the access structure consisting of subsets of parties deemed authorized and subsets deemed unauthorized. A quantum secret sharing scheme can be constructed under two conditions [23]: (a) (no-cloning) no two authorized sets can be disjoint and (b) (monotonicity) no authorized set can be contained within an unauthorized set. Conditions (ii) and (iii) of the localize-exclude theorem are exactly these conditions rephrased in a context appropriate to spacetime.
Beyond this similarity, we can embed any secret sharing scheme into a localizeexclude task. Consider n parties, Bob 1 ,...,Bob n , who each can potentially access an associated spacetime region Σ i . Take the authorized and unauthorized regions to consist of unions of Σ i 's so that a full authorized region A i can be accessed only if some collection of Bobs agree to cooperate. Choose the regions Σ i to be all causally disjoint. In this setting two authorized regions being causally connected occurs if and only if they share a Σ i . Then condition (ii) of theorem 8, which requires causal connections between authorized regions, reduces to the requirement that every pair of authorized regions share at least one Σ i . This is exactly the no-cloning requirement on secret sharing. Further, condition (iii) reduces to no U i = Σ i1 ∪ ... ∪ Σ in containing as a subset some A j = Σ j1 ∪ ... ∪ Σ j2 under the same restriction of having causally disjoint Σ i . This is just the monotonicity condition on quantum secret sharing schemes. Finally, to embed our quantum secret sharing task into a localize-exclude task we should ensure that condition (i) becomes trivial, which we can do by sending the start point s to an early time. We illustrate the embedding of a secret sharing task into a localize-exclude task in figure 10.
Theorem 8 shows that completing a localize-exclude task with unauthorized regions requires only the same quantum error-correcting code as used in the case with no unauthorized regions. Hiding the system from the unauthorized regions can be accomplished using only the quantum one-time pad and classical secret sharing. This is similar to the approach taken in [24], where quantum error-correcting codes are combined with the quantum one-time pad to yield quantum secret sharing schemes. By using the efficient error-correcting code underlying our protocol however, we arrive at a particularly efficient construction of quantum secret sharing schemes. In particular we find that there is a universal quantum error-correcting code with 2 n 2 shares for n the number of authorized sets which, along with uses of the one-time pad and classical secret sharing, constructs quantum secret sharing schemes with arbitrary access structures. Using Shamir's method [25] to construct the classical secret sharing schemes, the 3m n 2 instances of the ((m, m)) classical scheme will each require O(m log m) bits, where m was the number of unauthorized sets. In total, O(n 2 ) qubits and O(m 2 n 2 log m) classical bits are used in the localize-exclude construction. This provides the first construction of quantum secret sharing schemes using a number of qubits polynomial in the number of authorized sets. Previously, efficient constructions were known for threshold schemes and certain other special access structures. (See, e.g. [26,27,24].) Since the number of unauthorized sets can grow exponentially with n, the classical bits used can be exponentially large. This is to be expected since it is conjectured to be impossible to construct classical secret sharing schemes for arbitrary access structures without consuming exponential resources [28].

State-assembly with authorized regions
In the localize-exclude task Bob can access any one of a set of spacetime regions. Alice, who holds various quantum systems within those regions, is helpless to prevent Bob's access. In an alternative scenario we can have Bob request information from Alice. Alice is free to comply with the request or to reject it, and hand over no information. Certain sets of requests are deemed authorized, others unauthorized. Sets of requests corresponding to authorized sets should result in Alice handing over sufficient information for the system to be reconstructed; requests to unauthorized sets should reveal no information about the system. Considering such scenario's leads us to construct the state-assembly task.
Before giving a precise definition of the task we introduce a few constructions. To specify locations where Bob may request the system we designate certain spacetime points as call points c i . At each call point a bit b i ∈ {0, 1} is revealed to Alice. To each call point there corresponds a return point r i . Together, a call point and the corresponding reveal point define a causal diamond.

Definition 9
The causal diamond D i is defined as the intersection of the points in the past light cone of r i with those in the future light cone of c i .
If b i = 1 we say the diamond D i has been called to. The causal diamond represents the spacetime region in which it is possible to both know that a call was received, and to use this information to influence what is handed over at the corresponding return point.
We can now define the state-assembly task. Alice will receive calls at a subset of the D i . If the set of called to diamonds corresponds to an authorized set, Alice should return quantum systems and classical instructions sufficient to reconstruct A at the associated reveal points r i . If the set of calls corresponds to an unauthorized set, the systems she hands over should reveal no information about A. Further, no set of calls should result in Alice returning systems sufficient to construct two copies of the system.
There are a few points to clarify regarding this definition. First, Alice need not hand the system over at any one of the called to diamonds. Instead the systems she hands over at the called to diamonds should together be sufficient to recover the A system. Second, calls to sets of diamonds not specified as authorized or unauthorized may result in the system being handed over -Alice still completes the task successfully so long as she does not hand over two copies of the system. In state-assembly Alice knows the state |Ψ AR and can potentially prepare many copies of the A system. This differs from the localize-exclude task and earlier work on summoning. However, we have also required that she never hand over more than one copy of A. As discussed in more detail in appendix A, this is actually leads to conditions on state-assembly that are equivalent to having Alice hold an unknown state. We have chosen to discuss this task from the perspective of a known quantum state however as it is more natural in the context of the application given in section 4. x t Figure 11: A state-assembly task with two call-return pairs. A call to c 1 is required to result in the system returned at r 1 , and likewise for c 2 and r 2 (indicated by the black lines), while a call to both shouldn't result in more than one copy of the system being turned over. This task is impossible as shown by theorem 11, because r 2 is outside the future light cone of c 1 and r 1 is outside the future light cone of c 2 . In the language of definitions 9 and 10, c 1 and r 1 form a causal diamond D 1 (shown in blue), and the authorized set A 1 consists of the single diamond D 1 (similarly for c 2 and r 2 ).
Before discussing more general constructions we begin with the simplest stateassembly task, illustrated in figure 11, and prove a no-assembly theorem. In this scenario there are just two authorized sets A 1 and A 2 .
Theorem 11 Consider a state-assembly task with authorized sets A 1 and A 2 which are causally disconnected. Then this assembly task is impossible to complete with a perfect success rate.
Proof. For Alice to successfully complete the assembly task, she must have a protocol which i. Returns sufficient information to construct the system when A 1 or A 2 receive calls. ii. Hand over information sufficient to construct at most one copy of the system for any set of calls.
We can straightforwardly show that any protocol which satisfies the first requirement cannot satisfy the second, and consequently there is no such successful protocol. Indeed, suppose both A 1 and A 2 receive calls. Then since A 1 and A 2 are causally disjoint Alice's agents at the diamonds in A 1 cannot distinguish this situation from one where only A 1 has been called to. By (i) then they hand in sufficient information to construct the system. Similarly, Alice's agents at A 2 will also hand in sufficient information to construct the system. Since Bob may now construct two copies of A, (ii) is violated. We see that completing the assembly task to causally separated regions is impossible. Notice that it is essential that the Bobs may give calls to both diamonds: the possibility of a call to A 1 ∪ A 2 along with the requirement that Alice allow assembly of not more than one copy of the system leads to Alice being unable to complete the task successfully. Next, we look at a wider class of assembly tasks involving an arbitrary number of authorized sets {A i }. ii. Every pair of authorized sets (A i , A j ) are causally connected.
Proof. The first condition is necessary by no-signalling. The necessity of the second condition follows from the same argument as given in theorem 11. We can use theorem 8 to show sufficiency of these conditions. There, we constructed an explicit protocol that localizes the system to each authorized region. In particular, the system is recorded as classical teleportation data and shares in a quantum errorcorrecting code. To complete the assembly task then, Alice should execute the localization protocol from theorem 8, with the authorized sets of diamonds considered as authorized regions. Then to complete the assembly task Alice need only hand over the classical and quantum data in A i when she receives calls there.
Notice that this protocol automatically ensures Bob cannot give calls to receive two copies of the system, since Alice only uses one copy of A.

State-assembly with authorized and unauthorized regions
We can now proceed to characterize the state-assembly tasks with both authorized and unauthorized sets that can be completed by Alice. The difficulty here for Alice is different than in the case of localize-exclude. In localize-exclude, she had to keep the system out of a region U i from an attacker who might gain full access to U i . Now, Alice's labs are secure. However the sets of spacetime points corresponding to an authorized call can be overlapping with those corresponding to an unauthorized call. This means that locally she may not be able to tell an authorized and unauthorized call apart.
To understand under what conditions Alice can avoid an accidental reveal of the system to an unauthorized set of diamonds, we can first consider a task of the form (A, s, A , U ) having one authorized and one unauthorized set of diamonds. In this case, Alice can be successful if either (a) there is a diamond in A which is not in U , since then she can turn over the system at that diamond only when there is a call there or (b) there is a diamond D * in A which, although it is in U , is positioned such that Alice can tell at D * whether the global set of calls is authorized or unauthorized. In particular, this occurs exactly when there is a diamond in U \ A which is causally connected to A . Figure 12 illustrates these two possibilities.
We now state and prove the theorem characterizing the state-assembly tasks with authorized and unauthorized sets of diamonds. ii. Each pair of authorized sets (A a , A b ) is causally connected.
iii. Each pair (A a , U i ) of authorized with unauthorized sets has the property that either Proof. The necessity of conditions (i) and (ii) follow from the same arguments as in theorem 12. To see the necessity of condition (iii), consider that its negation is that both A a ⊂ U i and U i \ A a is not causally connected to A a . Then Alice's agents in the diamonds of A a , should they receive calls, cannot distinguish a call to A a from a call to U i since they are causally disconnected from diamonds in U i \ A a . In order to complete the task, Alice must always hand the system over to A a when she receives a call there. She will then also always hand over the system when the call is to U i , leading to her failing the task. To demonstrate sufficiency we construct an explicit protocol to complete the task in the case where all three conditions are true. Using the error-correcting code constructed from the graph of causal connections (also used in theorems 6, 8, and 12) we can reduce the initial (A, s, {A 1 , ..., A n }, {U 1 , ..., U m }) task to many tasks of the form where the S ij are the shares of the error-correcting code associated to the i − j pair of regions.
To complete the (S ij , s, {A i , A j }, {U 1 , ..., U m }) tasks, we encode the share S ij using the quantum one-time pad with some classical randomness k ij . Now notice that we can complete the (S ij , s, {A i , A j }, {U 1 , ..., U m }) task by completing (S ij , s, {A i , A j }, ∅) on the quantum share S ij and (k ij , s, A i , {U 1 , ..., U m }) and (k ij , s, A j , {U 1 , ..., U m }) on the classical string. Stated another way, the use of the onetime pad lets us ignore avoiding the unauthorized sets when considering the quantum data, and only worry about not handing the classical string over at the unauthorized sets.
To complete the tasks of the form (k ij , s, ((m, m)) classical secret sharing scheme with shares labelled k l ij . Then completing the tasks (k l ij , s, A i , U l ) ensures each share k l ij ends up at A i , so the string k ij can be constructed there along with the quantum share S ij . At the same time, completing the tasks (k l ij , s, A i , U l ) ensures the share k l ij is missing from U l , and since every share k l ij is needed to recover S ij , S ij cannot be decoded there.
To complete these (k, s, is causally connected to A i then send k to any diamond D * in A i which has at least one call point of U i \ A i in its causal past. Then hand over k at D * if there is a call there and no call at the diamonds in U j \ A i . We give a task on four diamonds in figure 13 and demonstrate how to complete it using the protocol constructed in this proof. The state-assembly task seems a less natural extension of quantum secret sharing to spacetime, since condition (iii) differs notably from the corresponding condition in secret sharing. In particular, some allowed state-assembly tasks have unauthorized sets which contain authorized ones, violating the monotonicity requirement of quantum secret sharing [23]. In contrast, the localize-exclude task mimics the monotonicity requirement closely, since the condition there is that (the domain of dependence of) the unauthorized region not contain the authorized region. However, this distinction from secret sharing opens up interesting new possibilities; in the next section we propose a cryptographic task and protocol which exploits the failure of monotonicity in the state-assembly task.

An application: party-independent transfer
As discussed in the introduction, relativistic tasks in Minkowski space have provided an interesting set of tools for the cryptographer. In part, our motivation for considering the state-assembly task with authorized and unauthorized regions is in the hope it will find such application. The state-assembly task includes scenarios with many parties, and allows for a rich array of possible causal structures. Each causal structure translates to Figure 13: An arrangement of causal diamonds on which we can define an assembly task. Define authorized sets A 1 = {D a,1 , D b,1 } and A 2 = {D a,2 , D b,2 } while any set of three or four diamonds is deemed unauthorized. One can check that every unauthorized set has U i \A j causally connected to A j , so theorem 13 gives that this task can be completed. To do so, the initial system A is encoded using the quantum one-time pad and sent towards the pair of diamonds labelled 'a', D a1 and D a2 . It should be handed over at whichever diamond receives a call. The key k from the one-time pad is stored in a ((2, 2)) secret sharing scheme as k = k a ⊕ k b and k a and k b are sent towards the 'a' and 'b' pairs of diamonds respectively. At the 'a' pair of diamonds, k a is returned to D a1 if there is a call there and no call at D a2 , or at D a2 if there is a call there and no call at D a1 . The k b string is returned to D b1 or D b2 using the same logic. If three or four diamonds receive calls, then at least one of the 'a' or 'b' pairs of diamonds will not receive a share of the ((2, 2)) scheme, so Bob will not receive the A system. Notice that the task is possible even though A 1 , A 2 are subsets of the unauthorized sets, violating the monotonicity requirement of quantum secret sharing.
a set of restrictions on which parties can know what, and when, and it seems plausible that these restrictions can be exploited to perform some interesting multiparty task or computation securely. We suspect there are many possible directions to consider, and make a small start at this by suggesting below one particular task. We do not offer complete security arguments for our proposal or careful discussion of the practicality of this task. Our aim is simply to suggest the applicability of the state-assembly task to cryptography.
To motivate the task consider the following scenario. Alice is an employer who wishes to hire either Bob 1 or Bob 2 . Alice is known to be inclined to prejudice, and the Bobs wish to ensure they are paid based on the work done alone, without regard to their identity. An easy solution would be to announce publicly the position's salary, but unfortunately the Bobs are private people. They wish to keep their salaries secret while also having a guarantee of fairness. We define the party-independent transfer task in order to satisfy these two competing needs.
In the party-independent transfer task, we specify that each Bob will give an input X i to Alice. Alice will then output quantum systems S(X 1 , X 2 , a) and T (X 1 , X 2 , a), with one system handed to each of the Bobs, where a is a variable fixed by Alice. The task occurs in a spacetime setting, so in general the X i may be stored as several bits handed over from Bob's agents to Alice's agents at distributed spacetime points. The X i should be distinct. If not, then the protocol aborts.
To meet the needs of our jealousy-prone but private Bobs, and guard against the prejudiced Alice, we need the transfer to have the following properties: i. Party independence: The output systems S and T produced by Alice have the property that S(X 1 , X 2 , a) = T (X 2 , X 1 , a) and S(X 2 , X 1 , a) = T (X 1 , X 2 , a).
In words, we require that the output given to Bob 1 would have been given to Bob 2 had the Bobs reversed their inputs. ii. Fixed: As a set, {S(X 1 , X 2 , a), T (X 1 , X 2 , a)} is determined by the variable a only.
In words, the Bobs' input influences who receives which system only, not which two systems are handed over. iii. Secret: Each Bob does not learn Alice's output to the other Bob. In particular, this requires that Alice not satisfy condition 1 trivially by having S(X 1 , X 2 , a) = T (X 1 , X 2 , a) always.
To assure ourselves completing this task is not trivial consider various naive approaches. We might have Alice share two entangled sets of degrees of freedom, E 1 given to Bob 1 and E 2 given to Bob 2 , onto which she will later teleport T and S, respectively. The Bobs could then exchange degrees of freedom if they decide to reverse the arrangement of who receives which system. This is certainly party-independent, since Alice performs the teleportation without knowing who holds which degrees of freedom. However, the fixed property is violated, as either Bob can act on their degrees of freedom before exchanging it. Another strategy would be to have Alice publicly announce a protocol for preparing each of S and T . Clearly this is fixed and party-independent, but fails to be secret. Finally, Alice could separately hand S to Bob 1 and T to Bob 2 (or vice versa). This would be fixed and secret but not party-independent.
Although the obvious strategies fail, the state-assembly task seems to be well-suited to achieving party-independent transfer. As intuition, we can note that in a stateassembly task Alice's agents, who only have access to local information and not the global set of calls made by the Bobs, may not be aware of who has received the system until a late time when she has been able to collect and compare all of the call data. Further, we have already introduced the notion of an unauthorized set of calls and can hope to exploit this to achieve the secrecy property of party-independent transfer.
Indeed, we can put forward a candidate protocol built on a state-assembly task that seems to achieve all three security requirements of party-independent transfer. Before explaining the protocol however, we need to highlight one feature of the ((2, 3)) secret sharing scheme which will be used. We will use an error-correcting code on three physical qutrits which stores one logical qutrit. The logical states are given by One may check explicitly that there exists a decoding operation U † 12 supported on the first two qutrits such that where By the symmetry in the code, a similar decoding operation exists for any subsystems of two qutrits. We wish to highlight that after the decoding operation is applied, two of the qutrits are left in a maximally entangled state.
To construct the protocol, we will use the arrangement of diamonds shown in figure  14. Bob 1 controls the diamonds D a,1 , D b,1 , D c,1 while Bob 2 controls D a,2 , D b,2 , D c,2 . We consider a scenario where the Bobs choose at random which of them receives which system, although modifications to this are easy. We divide the protocol into a preparation phase, transfer phase, and checking phase for clarity in presentation.

Protocol 14 Compensation protocol
i. Preparation phase (a) Alice prepares a quantum state |Ψ SR , and encodes the S system into the ((2, 3)) secret sharing scheme using the encoding given in equation 2. (b) Bob 1 and Bob 2 execute a coin flipping protocol. The outcome is not revealed to Alice. Without loss of generality, suppose that Bob 1 wins the coin toss, which determines that he should receive S. (c) Bob 1 chooses at random two of the three diamonds he controls and sends calls to each of them. Without loss of generality, we call these diamonds D a,1 and D b,1 . Bob 2 then sends a call to the diamond he controls which is not causally connected to D a,1 or D b,1 , which in this case is D c,2 .
ii. Transfer phase iii. Checking phase (a) Bob 1 applies the decoding map to his two shares, producing |Ψ SR ⊗ |χ where |χ is the maximally entangled state given in equation 4. (b) Bob 2 sends his share of the maximally entangled state to Bob 1 , who then measures the pair jointly to ensure he holds |χ .
In the notation of our security definition, the inputs X i by the Bobs consist of their three output bits X i = {b i,a , b i,b , b i,c }. Before the checking phase, the state is |Ψ SR ⊗ |χ , with the receiving Bob holding S and half the maximally entangled state |χ , and the non-receiving Bob holding the other half of |χ . After the checking phase however one Bob holds only S and the |χ state has been measured. We should then identify the T system of the definition as T = ∅. If we would like both Bobs to receive some quantum system we can run the protocol twice. We can argue for the secret and fixed properties of this protocol. Fixed is clear, since the receiving Bob can reconstruct the system from degrees of freedom that have never been held by the non-receiving Bob. Regarding secrecy, we note that the non-receiving Bob receives only one share of the secret sharing scheme, so learns no information about S. The non-receiving Bob may try to receive additional shares by sending additional calls, but in this case Alice will notice that calls have been made at two causally related diamonds and not hand over any shares to those diamonds.
To argue for party-independence, note that Alice is already limited in her knowledge of who is receiving the system. Although at each pair of diamonds she knows whether she is handing a single share over to Bob 1 or Bob 2 , none of Alice's agents have the global information of which Bob is receiving two shares, and thus the system S. Later on she will be able to collect information from all the call points and determine this, but at the spacetime points of transfer this is not known. Alice might try to have one set of shares which she hands to Bob 1 and a separate set to Bob 2 , but using two unentangled sets of shares for Bob 1 and Bob 2 will lead to a failure in the checking phase. We leave proving or disproving the security of this protocol, which we regard as plausible but not obvious, to future work.
It is perhaps useful to note a connection of classical bit commitment with the partyindependent transfer task. Given a bit commitment scheme which consists of 1) Alice handing a commitment to Bob, then 2) Alice later handing a reveal to Bob, which he uses to access Alice's committed bit, it is possible to construct a party-independent transfer protocol. 5 In particular, Alice publicly announces her commitment to both Bob 1 and Bob 2 , then hands the reveal to only one of the Bobs. However, it is known that there are no unconditionally secure bit commitment schemes of this form [30,31].

Discussion
In our first article on summoning [6], we argued that the summoning task gives an operational setting in which to understand how quantum information can and cannot move through spacetime. That setting was restricted however to asking if a quantum system could be localized to collections of causal diamonds.
In this article we have generalized in a way that allows us to ask if a quantum system is localized to a collection of arbitrary spacetime regions. We have defined the notion of localized by allowing some party with no prior knowledge of the system unrestricted access to the spacetime region. If they can later construct the system then we say it was localized there; if they learn nothing about the system we say it is excluded. This is consistent with our previous definition of localization to a diamond, in that completing the summoning task means in particular that the system was localized to each diamond. However, the notion of localization implied by summoning is stronger than the notion used in this article, since in summoning Alice must perform the data processing needed to construct the system while within the diamond. In the localize task this data processing can occur outside the region.
In the absence of gravity, where there are no known limits on the rate of computation, the strong and weak notions of localization coincide, at least for diamond-shaped regions. In the presence of gravity Lloyd argued there is a limit on computational speed [32] but there are counterexamples to his proposed bound [33]. It is nonetheless plausible that computational speed is limited by quantum gravity, so one can imagine a scenario where a quantum system is localized to a region in the weaker sense (in that it is possible to construct it from systems that pass through that region) but not in the strong sense (in that it is impossible to do so within the spatial-temporal extent of that region due to gravitational constraints on computation). Thus, in the presence of gravity these notions of localization plausibly become distinct. Attempts to resolve fundamental puzzles like the black hole information paradox [34,12,35] have also hinted at this distinction, and indicate that it may be the stronger notion of localization for which the no-cloning theorem applies.
Also in the context of gravity the holographic bound [36] makes tasks with sufficiently small regions or sufficiently large numbers of regions impossible to complete, since it places a limit on how many qubits may be localized to a region of a given area without producing a black hole. Thus, we should understand the theorems given in this work as applying only in the absence of gravity. It would be interesting to perform a detailed study of exceptions to our theorems arising from gravitational physics.
By adding excluded regions to the localize task we have found a natural extension of quantum secret sharing to a spacetime setting. Indeed, the conditions for completing the localize-exclude task have close analogues in the conditions for constructing quantum secret sharing schemes, and we can embed any quantum secret sharing scheme as a carefully chosen localize-exclude task. The conditions on the start point in the localize-exclude task are somewhat awkward from this perspective, but can be seen as corresponding to certain trivial requirements in the secret sharing language.
Since the localize-exclude task corresponds so closely to quantum secret sharing, we might expect that it doesn't provide any new tools for the construction of cryptographic protocols. From this perspective the state-assembly task is more interesting, since there we can have an unauthorized set contain an authorized one. This violates the monotonicity requirement that occurs in both localize-exclude and quantum secret sharing.
We have given one proposed application that exploits this violation of monotonicity: party-independent transfer. This proposal is in need of a more complete study. We have not proven our proposed protocol is secure, nor considered what more practical goals within cryptography this primitive may be used to achieve. It would also be interesting to understand the relation of the proposed party-independent transfer task to established cryptographic primitives. We have already pointed out a connection to bit commitment, but there may also be interesting relations to (for instance) the spacetime analogues of oblivious transfer mentioned in the introduction.

Acknowledgements
This work was started while the authors were at McGill University, and restarted while attending the first It from Qubit summer school at the Perimeter Institute for Theoretical Physics. This work also benefited from the Quantum Physics of Information program held at the Kavli Institute for Theoretical Physics in Santa Barbara, and from a visit by AM to the Stanford Institute for Theoretical Physics.
AM wishes to acknowledge the UBC REX program and his mentees Andrew Chun and Liam Vanderpoel, discussions with whom motivated some of the results given here.
iii. A collection of causal diamonds D i , each of which is defined by a call point c i and return point r i At each call point c i Alice receives a classical bit b i . Alice is guaranteed that exactly one bit will be 1, say b i * = 1, and the remainder will have b j = 0, but does not know the value of i * in advance. To successfully complete the task, Alice should return the system A to the point r i * such that b i * = 1.
To complete the summoning task Alice must send systems sufficient to reconstruct the system through each diamond. Consequently, completing a summoning task with diamonds {D i } also completes an associated localize task with authorized regions A i = D i . However, the reverse is not true: completing the localize task implies some collection of systems inside each authorized region can be used to construct the system, but doesn't require that this reconstruction can take place within the region. For instance, exhibiting the system could require the application of a high complexity circuit, perhaps requiring so many gates that gravitational speed limits would prevent their completion in the required time. Further, localize tasks deal with regions of arbitrary shape, whereas in a summoning task only causal diamond shaped regions are discussed.
The basic restriction on when a summoning task may be completed is the nosummoning theorem [11].
Theorem 16 A single-call single-return summoning task with two diamonds D 1 , D 2 is impossible whenever D 1 and D 2 are causally disjoint.
Proof. Suppose there exists a protocol that returns the system to r 1 when there is a call to c 1 and returns the system to r 2 when there is a call to c 2 . Then we can argue such a protocol can be used to clone a quantum system, and consequently no such protocol can exist. To see this, suppose there is a call to both c 1 and c 2 . Then since D 1 and D 2 are causally disjoint, Alice's agent at D 1 cannot distinguish this case from the case where c 1 receives a call and c 2 does not. By assumption then she returns the system to r 1 . Similarly, Alice's agent at D 2 returns the system at r 2 . Alice has then handed over two copies of the quantum system.
The proof of the no-summoning theorem is similar to the proof of the no-assembly theorem we gave in the main text, see theorem 11. Similar to the localize task, summoning is possible whenever each pair of diamonds are causally connected and every diamond has a point in the future light cone of the start point. We omit the proof of this theorem as it proceeds along now familiar lines: the many diamond case is reduced to a two diamond case by use of an error-correcting code, which  Figure 15: A summoning task on two diamonds in 2 + 1 dimensions. In this task r 1 is in the future light cone of c 2 , but r 2 is not in the future of c 1 . (In all figures, red arrows indicate causal curves.) Additionally, r 1 and r 2 are in the future light cone of s. To complete this summoning task, Alice pre-shares entanglement between s and c 1 . At s, Alice teleports the A system using the shared entanglement and then sends the classical teleportation data to both r 1 and r 2 . At c 1 , Alice routes the entangled particle she holds to r 1 if she receives b 1 = 1, and routes the particle to r 2 otherwise. This example is due to Kent [10].
can be constructed from the graph of causal connections among the regions. In the case of two diamonds we complete the task using the teleportation protocol illustrated in figure 15. The summoning task as given above is "single-call" in that exactly one of the b i = 1, and "single-return" in that the system should be returned in full at the called-to diamond. We can generalize this to allow for Alice to receive many calls (many b i = 1) in two possible ways. First, we might specify that Alice return a subsystem at each calledto diamond such that taken together these subsystems can be used to reproduce the A system. In this case we have weakened the requirement on Alice -she need not hand over the quantum system itself, just quantum information and classical instructions sufficient for Bob to later construct the system. We will refer to this as many-call manyreturn summoning. Alternatively, we can specify that Alice hand over the system itself at one (but any one) of the called-to diamonds. We call this many-call single-return summoning. This second case is treated by Adlam and Kent [7] and discussed further in appendix B. The first case is closely related to the state-assembly task. We elaborate on this relation in the remainder of this section.
We can collect the discussion in the last paragraph into a definition of the many-call many-return summoning task.
Definition 18 A many-call many-return summoning task is a task involving two interacting agencies, Alice and Bob. A task is defined by i. At the call point associated with each diamond Alice receives a bit b i from Bob. Alice has a guarantee that the calls will be to one of the authorized sets of diamonds. Alice is required to return a collection of classical and quantum systems at the associated r i which is sufficient to reconstruct A.
We characterize the many-call many-return summoning tasks which are possible and those which are impossible in the following theorem.

Theorem 19
The many-call many-return summoning task is possible if and only if: i. The return point of at least one diamond from each authorized set is in the causal future of the start point.
ii. Every pair of authorized sets (A i , A j ) is causally connected.
Again we omit the proof, which follows the pattern of using the error-correcting code constructed from the graph of causal connections to reduce the many authorized set case to the two authorized set case. In the case of two authorized sets we use that the sets are causally connected, so in particular there exists a pair of causal diamonds chosen across the sets which are causally connected. We then complete the summoning task on these two diamonds using the teleportation protocol illustrated in figure 15. From theorems 12 and 19 we find that state-assembly and summoning are possible for exactly the same arrangements of authorized sets. This is interesting, as although the tasks are similar they have one key distinction. In summoning Alice holds the A system of an unknown quantum state |Ψ AR , so can't produce copies of the A system due to the linearity of quantum mechanics; in state-assembly Alice holds a known quantum state, but has the additional requirement that she hand over the A system at most once. Thus, in the assembly task the requirement that Alice hand the system over at most once replaces the no-cloning restriction. The system Alice holds is essentially classical, since it is known to her and she may produce an arbitrary number of copies, but this gives her no additional power. In this sense we can view the state-assembly task as a classical analogue of the summoning task 6 .
In the main article we discussed the state-assembly task with unauthorized regions. One could also consider a generalization of the summoning task with unauthorized regions, but this generalization is less well motivated. In particular, in the summoning task Bob both gives the system to Alice and requests it from her. It is unclear in what circumstance Alice would want to hide the system Bob gave to her from Bob when certain sets of calls are made. In the assembly setting this is more natural, since Alice has herself prepared the system and may want to hide it from certain subsets of other parties.

B Many-call single-return summoning
In appendix A we discussed the many-call many-return summoning task, which we found is closely related to the state-assembly task discussed in the main article. Manycall many-return summoning is also interesting from the viewpoint of spacetime localization. In particular, completing the many-call many-return summoning task also completes the localize task. However, a second generalization of summoning to include many-calls is possible: we can consider a task with many calls but a single return, where Alice receives several calls from Bob and must return the system in full at exactly one (but any one) of the called-to diamonds.
We give a definition of the many-call single-return summoning task below.
Definition 20 A many-call single-return summoning task is a task involving two interacting agencies, Alice and Bob, defined by: At the call point associated with each diamond Alice receives a bit b i from Bob. Alice has a guarantee that calls will be to one of the authorized sets. To successfully complete the task, Alice must return the A system at exactly one of the called to diamonds.
As defined here, the many-call single-return summoning task is somewhat more general than the task considered by Adlam and Kent. They considered in particular the case where the set of authorized sets {A 1 , ..., A n } corresponds to every possible subset of the diamonds. We refer to this as unrestricted-call single-return summoning. Adlam and Kent characterized the full set of possible arrangements of diamonds for this unrestricted-call single-return summoning task [7]. We recall their theorem here. ii. For any subset {D i 1 , D i 2 , ..., D in } of diamonds, there is at least one diamond D i * in the subset for which r i * is in the future light cone of all the c i in the subset.
Interestingly, condition (ii) above is stronger than the corresponding condition for summoning with a single call. Adlam and Kent used this fact to argue against our interpretation of summoning in terms of localization of quantum information [7]; they argue that completing the summoning task depends on some resource provided to Alice by  Figure 16: The three diamond task described in text. The known protocol for completing this task makes use of quantum error-correction: The system is encoded into a ((2, 3)) secret sharing scheme with one share sent to each of the call points c i . The shares are then routed to r i+1 mod 3 if b i = 0, and to r i if b i = 1. This task is the simplest example of a summoning task which Alice can complete if there is a guarantee Bob will make only one call, but not if Bob may make an arbitrary number of calls.
Bob -a bit string of the form 000...010...000 -and thus that Alice is not localizing the system to each diamond. Instead, she is only successfully responding to the summons b i = 1 by exploiting her knowledge that certain other calls are b j = 0. The simplest case where the conditions of many-call single-return summoning and those for many-call many-return summoning differ is the three diamond task shown in figure 16. Consider the arrangement of diamonds shown there, and take any set of diamonds to be authorized. Then to complete the many-call many-return task Alice encodes the system A into a ((2, 3)) secret sharing scheme and sends one share to each of the call points c i . She then routes each share according to the bits b i she receives at each point; if b i = 0 she forwards the share to the next return point r i+1 , while if b i = 1 she sends the share to the return point r i . One can readily check that if one or two calls are sent two shares will end up at a single return point, and the system is handed over at a single diamond.
However, if a call is sent to all three diamonds, only one share ends up at each diamond. Indeed, Adlam and Kent showed that the unrestricted-call single-return task is impossible on this three diamond arrangement. This is interesting, but we argue it does not indicate that the system cannot be localized to each diamond, at least using the notion of localized we employ in this article. In the protocol using the ((2, 3)) secret sharing scheme, two shares pass through each diamond when Bob sends no calls. Someone with full access to the region enclosed by any one diamond can gather both these shares from the secret sharing scheme and later use them to construct the system. Thus, in this sense the system is localized to all three diamonds.
When Bob sends a call, however, he may prevent the system from being reproduced in certain diamonds. This is obvious in a more prosaic example: Suppose we have two diamonds, with a diamond D 2 far in the causal future of the diamond D 1 . Then Bob giving a call to D 1 results in Alice handing the system over to Bob there, and so she does not produce the system in diamond D 2 . One thing that is interesting about the three diamond task, as revealed by Adlam and Kent, is that in some cases Bob's calls can prevent the system from being reproduced in any diamond. In particular this can happen in cases with cyclic connections among diamonds, as in the three diamond task.