Quantum Copy-Protection and Quantum Money

Any humor in this talk is completely unintentional

Scott Aaronson (MIT)
First Idea in the History of Quantum Info

Wiesner 1969 (!): Money that’s physically impossible to counterfeit, assuming only the truth of quantum mechanics

SERIAL NUMBER: x
POLARIZED QUBITS: |ψ_{x,1}⟩ |ψ_{x,2}⟩ |ψ_{x,3}⟩ |ψ_{x,4}⟩ …

By the No-Cloning Theorem, a counterfeiter who doesn’t know how the |ψ_{x,i}⟩’s were prepared can’t duplicate them

One Problem: Bank has to maintain a giant database with the classical description of the |ψ_{x,i}⟩’s for every x ever issued

Solution (BBBW 1982): Generate the |ψ_{x,i}⟩’s by applying a pseudorandom function f_s : {0,1}^n → {0,1}^m to the serial number x, where s is a seed known only to the bank

Achieves something flat-out impossible in the classical world!
So Have We Solved the Millennia-Old
Problem of Minting Secure Money?
(Modulo the engineering difficulties?)
(Heisenberg’s Uncertainty Principle
beating Newton not only in
physics, but even in his later career
as Master of the Mint?)
Central Drawback of Wiesner and BBBW Schemes: Only the
bank can authenticate the money
Theorem (A. 2009): To get uncloneable quantum money that
anyone can authenticate, we need computational assumptions
But OK, why not? (We’d still be doing something amazing)
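As an added illustration of the private-key schemes above (example code written for this page, not anything from the talk or from Wiesner/BBBW), the following Python simulates conjugate-coding banknotes. The bank derives each note’s bases and bits from the serial number with a keyed PRF (HMAC-SHA256 stands in for f_s, an assumption of this example) and verifies by re-deriving them, so it needs no per-note database; a measure-and-resend counterfeiter who lacks the seed disturbs the note and is caught with probability about 1 − (3/4)^n. Verification requires the seed, which is exactly the drawback just noted.

```python
"""Toy simulation of Wiesner / BBBW quantum money (added example, not code from the talk).

Each banknote qubit is one of the four conjugate-coding states |0>,|1> (Z basis) or
|+>,|-> (X basis). Because only these four states ever occur, a one-qubit measurement can
be simulated exactly: measuring in the preparation basis returns the encoded bit, while
measuring in the other basis returns a fair coin and collapses the qubit to the measured
state. The bank derives each note's bases and bits from the serial number with a keyed
PRF (HMAC-SHA256 stands in for f_s; an assumption of this example), so no per-note
database is needed (the BBBW improvement), but the seed is needed to verify.
"""
import hashlib
import hmac
import random

BANK_SEED = b"bank-secret-seed"   # constructed for this example


class Qubit:
    """A qubit restricted to the four conjugate-coding states."""

    def __init__(self, basis, bit):
        self.basis, self.bit = basis, bit      # basis is 'Z' or 'X', bit is 0 or 1

    def measure(self, basis, rng):
        if basis != self.basis:
            # Wrong basis: the outcome is uniformly random and the state collapses
            self.basis, self.bit = basis, rng.randrange(2)
        return self.bit


def prf(seed, serial, n):
    """f_s(x): n (basis, bit) pairs derived from serial number x under seed s."""
    pairs, counter = [], 0
    while len(pairs) < n:
        msg = serial.to_bytes(8, "big") + counter.to_bytes(4, "big")
        for byte in hmac.new(seed, msg, hashlib.sha256).digest():
            if len(pairs) == n:
                break
            pairs.append(("Z" if byte & 1 else "X", (byte >> 1) & 1))
        counter += 1
    return pairs


def mint(seed, serial, n):
    """The bank prepares |psi_{x,1}> ... |psi_{x,n}> from the PRF output alone."""
    return serial, [Qubit(b, v) for b, v in prf(seed, serial, n)]


def verify(seed, note, rng):
    """Only the seed holder can authenticate: re-derive the bases and check every bit."""
    serial, qubits = note
    expected = prf(seed, serial, len(qubits))
    return all(q.measure(b, rng) == v for q, (b, v) in zip(qubits, expected))


def measure_and_resend(note, copies, rng):
    """A counterfeiter without the seed guesses a basis per qubit and re-prepares what it saw."""
    serial, qubits = note
    seen = []
    for q in qubits:
        basis = rng.choice("ZX")
        seen.append((basis, q.measure(basis, rng)))
    return [(serial, [Qubit(b, v) for b, v in seen]) for _ in range(copies)]


def genuine_accepted(n, seed_value=0):
    """A freshly minted note passes the bank's check with certainty."""
    return verify(BANK_SEED, mint(BANK_SEED, 42, n), random.Random(seed_value))


def forgeries_accepted(n, copies, seed_value=0):
    """Bank verdicts on `copies` measure-and-resend forgeries of one n-qubit note."""
    rng = random.Random(seed_value)
    forged = measure_and_resend(mint(BANK_SEED, 42, n), copies, rng)
    return [verify(BANK_SEED, f, rng) for f in forged]


def counterfeit_pass_rate(n, trials, seed_value=1):
    """Fraction of forgeries the bank accepts; each qubit escapes detection w.p. 3/4."""
    rng = random.Random(seed_value)
    passed = 0
    for serial in range(trials):
        forged, = measure_and_resend(mint(BANK_SEED, serial, n), 1, rng)
        passed += verify(BANK_SEED, forged, rng)
    return passed / trials


if __name__ == "__main__":
    print("genuine note accepted:", genuine_accepted(64))
    print("forgeries of a 64-qubit note accepted:", forgeries_accepted(64, 2))
    print("forgery pass rate for n=4:", counterfeit_pass_rate(4, 2000))
```

Running the file shows a genuine note passing, both forgeries of a 64-qubit note failing, and an empirical forgery pass rate for n = 4 near (3/4)^4 ≈ 0.32; at 64 qubits that rate is below 10^-8, which is the whole point of the scheme.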
Quantum Software Copy-Protection

Finally, a serious use for quantum computing

Observation: If the customer is able to buy poly(n) copies of |ψ_f⟩ from the software store, then we can only hope for computational security, not information-theoretic
We know copy-protection is fundamentally impossible in
the classical world (not that that’s stopped people from trying…)
Question: Can you have a quantum state |ψ_f⟩ that lets you efficiently compute an unknown Boolean function f:{0,1}^n→{0,1}, but can’t be efficiently used to prepare more states that also let you efficiently compute f?
A task closely related to quantum money—which like the
latter, seems “just on the verge of being possible”
This paper initiates the study of quantum money and
quantum copy-protection from the standpoint of modern
theoretical computer science.
Main result: Construction of quantum oracles relative to
which publicly-verifiable quantum money, and quantum
copy-protection of “arbitrary” software, are indeed possible
In other words: there’s no relativizing obstruction to these
things
Oracle Defense 1: Any security proof for a real quantum money or copy-protection scheme will need to include our black-box security proof as a special case!

Oracle Defense 2: The black-box security proof is already quite nontrivial! Requires a “Complexity-Theoretic No-Cloning Theorem,” explicit quantum t-designs…
But what about the real world?
Can I at least give candidate schemes that work with no oracle?
Scheme for publicly-verifiable quantum money
- Based on random stabilizer states
- Under continuous assault by Hassidim and Lutomirski
(So far, they’ve broken at least five of their own schemes)
Schemes for copy-protecting point functions
(Functions f_s:{0,1}^n→{0,1} such that f_s(x)=1 iff x=s)
These schemes are provably secure, under the assumption that they can’t be broken
Definition of Quantum Money Scheme

n: Key size

B: Poly(n)-size quantum circuit (the “bank”), which maps a secret key s∈{0,1}^n to a public key e_s and mixed state ρ_s

If the counterfeiter C also receives e_s, then the scheme is public-key; otherwise it’s private-key

A: Poly(n)-size quantum circuit (the “authenticator”), which takes (e,ρ) as input and either accepts or rejects

(B,A) has completeness error ε if for every s,
$\Pr[A(e_s, \rho_s) \text{ accepts}] \ge 1 - \varepsilon.$

(B,A) has soundness error δ if for every poly(n)-size quantum circuit C (the “counterfeiter”) mapping ρ_s^{⊗k} to r>k output registers σ_s^1,…,σ_s^r,
$\sum_{i=1}^{r} \Pr[A(e_s, \sigma_s^i) \text{ accepts}] \le k + \delta.$
Candidate Public-Key Money Scheme

The bank generates L random stabilizer states |C_1⟩,…,|C_L⟩, on n qubits each

Recall: A stabilizer state is a state obtainable from |0^n⟩ by CNOT, Hadamard, and $\begin{pmatrix} 1 & 0 \\ 0 & i \end{pmatrix}$ gates

Then, for each |C_i⟩, the bank generates m random stabilizer measurements E_{i1},…,E_{im}, each of which has probability ε of commuting with |C_i⟩ and is otherwise completely random

Finally, the bank distributes the following as a banknote:
$\left( |C_1\rangle, \ldots, |C_L\rangle,\; E = \begin{pmatrix} E_{11} & \cdots & E_{L1} \\ \vdots & & \vdots \\ E_{1m} & \cdots & E_{Lm} \end{pmatrix},\; \mathrm{sig} \right)$

To verify this banknote, first check that sig is a valid digital signature of E only. Then apply a random E_{ij} to each |C_i⟩, and check that at least (say) a 1/2 + ε/4 fraction of them accept
Quantum Oracle Construction

Let’s now give a quantum oracle U, relative to which a public-key quantum money scheme exists unconditionally

(Diagram, summarized:) U involves three kinds of data: an n-bit secret key s, a 3n-bit public key e_s, and an n-qubit Haar-random state |ψ_s⟩. Given |s⟩, U outputs |e_s⟩|ψ_s⟩. Given |e_s⟩|ψ_s⟩, U answers |YES⟩; given |e_s⟩|φ⟩ for any |φ⟩ orthogonal to |ψ_s⟩, U answers |NO⟩.

Everyone (bank, customers, counterfeiters) has same access to U

Clear that the bank can prepare banknotes |e_s⟩|ψ_s⟩, and legitimate buyers and sellers can authenticate them

Question: Given e_s, together with |ψ_s⟩^{⊗k} for some k=poly(n), can a counterfeiter prepare additional copies of |ψ_s⟩ by making poly(n) queries to U?
“Complexity-Theoretic No-Cloning Theorem”

Let |ψ⟩ be an n-qubit pure state. Suppose we’re given the initial state |ψ⟩^{⊗k}, as well as an oracle U such that
$U|\psi\rangle = -|\psi\rangle$ and $U|\phi\rangle = |\phi\rangle$ for all |φ⟩ orthogonal to |ψ⟩.

Then for all r>k, to prepare r states σ_1,…,σ_r such that
$\sum_{i=1}^{r} \langle\psi|\sigma_i|\psi\rangle \ge k + \delta,$
we need this many queries to U: [formula garbled in transcript]   2 2n  2 r  r k log k

Proof requires generalizing Ambainis’s adversary method, to the case where the quantum algorithm’s initial state already encodes some information about the target state
This generalizes both the No-Cloning Theorem and the
optimality of Grover’s algorithm!
Definition of Quantum Copy-Protection Schemes

F: Family of Boolean functions f:{0,1}^n→{0,1}, together with a poly-size “description” d_f for each f∈F

V: Poly-size quantum circuit (the “vendor”), which maps d_f to a quantum program ρ_f

C: Poly-size quantum circuit (the “customer”), which takes (ρ_f,x) as input and tries to output f(x)

(V,C) has correctness parameter ε if for all f∈F and x∈{0,1}^n,
$\Pr[C(\rho_f, x) \text{ outputs } f(x)] \ge 1 - \varepsilon.$

(V,C) has security δ against a distribution D over F×{0,1}^n, if for all poly-size quantum circuits P (the “pirate”) mapping ρ_f^{⊗k} to r>k output registers σ_f^1,…,σ_f^r, and all poly-size quantum circuits L (the “freeloader”),
$\mathop{\mathrm{EX}}_{(f,x)\sim D}\left[ \sum_{i=1}^{r} \Pr[L(\sigma_f^i, x) \text{ outputs } f(x)] \right] \le k + (1-\delta)(r-k).$
Candidate Scheme for Copy-Protecting Point Functions (thanks to Adam Smith)

Goal: A quantum program |ψ_s⟩ that can be used to recognize a password s∈{0,1}^n, but not to create more quantum programs that efficiently recognize s

Possible Solution:
1. Use a pseudorandom generator g:{0,1}^n→{0,1}^m to stretch s to g(s)
2. Interpret g(s) as a description of a quantum circuit U_{g(s)}
3. Set |ψ_s⟩ := U_{g(s)} |0^n⟩

Given s’, can check whether s’=s by applying U_{g(s’)}^{-1} to |ψ_s⟩ and checking whether the result is |0^n⟩
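The three steps above, as an added example (written for this page; not code from the talk or from Adam Smith): SHA-256 in counter mode stands in for the PRG g, each output byte is decoded into one H, S or CNOT gate on three qubits (both choices are assumptions of this example), and the state vector is simulated exactly. It demonstrates only the functionality of the scheme, recognizing s through an exact |0^n⟩ test and rejecting other passwords; the copy-protection property is a separate security claim that a simulation cannot exhibit.

```python
"""Toy simulation of the point-function copy-protection candidate (added example).

Recipe from the talk: stretch the password s with a PRG g, read g(s) as the description
of a quantum circuit U_{g(s)}, and ship |psi_s> = U_{g(s)}|0^n>. A holder checks a
candidate s' by applying U_{g(s')}^{-1} and testing for |0^n>. Here n is tiny so the
state vector is simulated exactly; SHA-256 stands in for the PRG and {H, S, CNOT} is
the gate set (both are assumptions of this example, not choices from the talk).
"""
import hashlib
import math

N_QUBITS = 3
N_GATES = 32


def prg(password, length):
    """Toy PRG stand-in: a SHA-256 counter-mode stream seeded by the password."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(password + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def circuit_from_description(desc, n):
    """Decode each byte of g(s) into one gate: ('H', i), ('S', i) or ('CX', control, target)."""
    gates = []
    for byte in desc:
        kind, i = byte % 3, (byte >> 2) % n
        if kind == 0:
            gates.append(("H", i))
        elif kind == 1:
            gates.append(("S", i))
        else:
            j = (byte >> 5) % (n - 1)
            j = j + 1 if j >= i else j   # choose a target different from the control
            gates.append(("CX", i, j))
    return gates


def apply_gate(state, gate):
    """Apply one gate in place to a 2^n-entry amplitude list (qubit q = bit q of the index)."""
    if gate[0] == "H":
        mask = 1 << gate[1]
        for x in range(len(state)):
            if not x & mask:
                a, b = state[x], state[x | mask]
                state[x], state[x | mask] = (a + b) / math.sqrt(2), (a - b) / math.sqrt(2)
    elif gate[0] in ("S", "Sdg"):
        mask = 1 << gate[1]
        phase = 1j if gate[0] == "S" else -1j
        for x in range(len(state)):
            if x & mask:
                state[x] *= phase
    else:  # CX: flip the target wherever the control bit is set
        c, t = 1 << gate[1], 1 << gate[2]
        for x in range(len(state)):
            if x & c and not x & t:
                state[x], state[x | t] = state[x | t], state[x]


def inverse(gates):
    """U^{-1}: reverse the gate order; H and CNOT are self-inverse, S becomes S^dagger."""
    return [("Sdg", g[1]) if g[0] == "S" else g for g in reversed(gates)]


def program_state(password):
    """|psi_s> = U_{g(s)} |0^n>."""
    state = [0j] * (1 << N_QUBITS)
    state[0] = 1 + 0j
    for g in circuit_from_description(prg(password, N_GATES), N_QUBITS):
        apply_gate(state, g)
    return state


def recognize(program, candidate):
    """Probability that U_{g(s')}^{-1} |psi_s> is found in |0^n>; exactly 1 when s' = s."""
    state = list(program)
    for g in inverse(circuit_from_description(prg(candidate, N_GATES), N_QUBITS)):
        apply_gate(state, g)
    return abs(state[0]) ** 2


if __name__ == "__main__":
    prog = program_state(b"hunter2")
    for guess in (b"hunter2", b"hunter3", b"password"):
        print(guess, "->", round(recognize(prog, guess), 4))
```

Because H, S and CNOT generate only stabilizer states, two different descriptions either give the same state or overlap in probability at most 1/2, so a wrong password is rejected with probability at least 1/2 per trial unless the descriptions happen to coincide.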
We’d like to give a quantum oracle U, relative to which
quantum copy-protection is “generically possible”
Obvious obstruction: If F is learnable (that is, any fF can
be identified using poly(n) oracle calls), then there’s no
hope of copy-protecting F, using quantum mechanics or
anything else!
Theorem: There exists a quantum oracle U, relative to which any family F of non-learnable, poly-time functions can be quantumly copy-protected, with security δ, against all pirates mapping k programs to r with (1−2δ)r > 2k
Handwaving Proof Idea

Basic idea is the same as in the money case: for each f∈F, the quantum program |ψ_f⟩ will be a Haar-random state

We’ll “offload all the work to the oracle”: U prepares |ψ_f⟩ given d_f, and also computes f(x) given |ψ_f⟩|x⟩

Let P be a poly-time algorithm for pirating |ψ_f⟩, possibly using U

Our job: Construct a simulator, which converts P into a poly-time algorithm for learning f∈F using oracle access to f (but not using U)

The simulator will mock up its own “random” state |ψ⟩, as well as an oracle U’ that computes f(x) given |ψ⟩|x⟩ (using oracle access to f)

The simulator then runs the pirating algorithm P, but using |ψ⟩ and U’ instead of |ψ_f⟩ and U

Suppose the simulated pirate outputs (say) |φ⟩|φ⟩

The Complexity-Theoretic No-Cloning Theorem implies that |φ⟩ can’t have significant overlap with |ψ⟩

But |φ⟩ is also a good quantum program for f. Indeed, one can show that |φ⟩ is still a good quantum program, even if we replace U’ by the identity transformation

So we’ve succeeded at learning a quantum program for f∈F, using oracle access to f

Problem: In quantum polynomial time, how does one prepare a “random” pure state |ψ⟩?
Solution: Explicit Quantum t-Designs (related to Ambainis-Emerson, CCC’07)

$|\psi_p\rangle = \frac{1}{\sqrt{2^n}} \sum_{x \in \mathrm{GF}(2^n)} e^{2\pi i\, p(x)/2^n}\, |x\rangle$

where p is a degree-d univariate polynomial over GF(2^n) (and we interpret p(x) as an integer in {0,…,2^n−1} when necessary)

Clearly the |ψ_p⟩’s can be prepared in poly(n,d) time

Hence, provided we choose the degree d to be sufficiently larger than the pirating algorithm’s running time, we can use |ψ_p⟩ in place of |ψ_f⟩ in our simulation of the pirating algorithm
Lemma: Let E be a quantum algorithm that receives |ψ⟩^{⊗t} as input, and also makes q queries to a quantum oracle that recognizes |ψ⟩. Then provided
$t + 2q \le \min\left\{ \frac{d}{2},\; \frac{2^n}{2} \right\},$
$\left| \mathop{\mathrm{EX}}_{p}\Big[\Pr[E \text{ accepts } \psi_p]\Big] - \mathop{\mathrm{EX}}_{\psi}\Big[\Pr[E \text{ accepts } \psi]\Big] \right| \le \frac{4(t+2q)}{2^n}$
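The |ψ_p⟩ construction from the previous slide, as an added example (written for this page; not code from the talk or from Ambainis-Emerson): it implements GF(2^n) arithmetic, evaluates p(x), builds the amplitude vector with the stated phase e^{2πi p(x)/2^n}, and then checks the t = 1 design property by averaging |ψ_p⟩⟨ψ_p| over every polynomial of degree at most d. For t = 1 that average equals I/2^n exactly (averaging over the constant and linear coefficients makes every off-diagonal sum vanish), which is a small sanity check on the construction; the lemma’s approximate-design bound for larger t is not computed here. The field polynomials are this example’s choice.

```python
"""Phase-polynomial states |psi_p> over GF(2^n) (added example, not code from the talk).

|psi_p> = 2^{-n/2} * sum_{x in GF(2^n)} exp(2*pi*i * p(x) / 2^n) |x>, with p(x) read as
an integer in {0, ..., 2^n - 1}. Only the standard library is used and n is kept tiny so
every polynomial of degree <= d can be enumerated exhaustively.
"""
import cmath
import itertools

# Irreducible polynomials defining GF(2^n), as bit masks (chosen for this example)
IRREDUCIBLE = {2: 0b111, 3: 0b1011, 4: 0b10011}


def gf_mul(a, b, n):
    """Carry-less multiply a*b, reducing modulo the field polynomial of GF(2^n)."""
    mod, result = IRREDUCIBLE[n], 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= mod
    return result


def gf_poly_eval(coeffs, x, n):
    """Evaluate p(x) = sum_j coeffs[j] * x^j in GF(2^n) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x, n) ^ c
    return acc


def phase_state(coeffs, n):
    """Amplitude vector of |psi_p> for the polynomial with the given coefficients."""
    size = 1 << n
    norm = size ** -0.5
    return [norm * cmath.exp(2j * cmath.pi * gf_poly_eval(coeffs, x, n) / size)
            for x in range(size)]


def norm_squared(coeffs, n):
    """<psi_p|psi_p>, which should be 1 for every p."""
    return sum(abs(a) ** 2 for a in phase_state(coeffs, n))


def one_design_error(n, d):
    """Largest entry of | E_p[|psi_p><psi_p|] - I/2^n |, p over all degree-<=d polynomials.

    Averaging over the constant and linear coefficients alone makes every off-diagonal
    entry cancel exactly, so the result is zero up to floating-point error for any d >= 1.
    """
    size = 1 << n
    avg = [[0j] * size for _ in range(size)]
    count = 0
    for coeffs in itertools.product(range(size), repeat=d + 1):
        v = phase_state(coeffs, n)
        for i in range(size):
            for j in range(size):
                avg[i][j] += v[i] * v[j].conjugate()
        count += 1
    err = 0.0
    for i in range(size):
        for j in range(size):
            target = 1 / size if i == j else 0
            err = max(err, abs(avg[i][j] / count - target))
    return err


if __name__ == "__main__":
    print("norm of |psi_p> for p = 3 + 5x over GF(8):", norm_squared((3, 5), 3))
    print("1-design error, n=3, d=1:", one_design_error(3, 1))
    print("1-design error, n=4, d=2:", one_design_error(4, 2))
```

The exhaustive average is only feasible because n is tiny; the point of the construction in the talk is that a single |ψ_p⟩ is preparable in poly(n,d) time for a random p, which `phase_state` reflects, while the design property is what lets it substitute for a Haar-random state in the simulation.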
Open Problems
Publicly-verifiable quantum money (and copy-protected
software) secure under non-tautological assumptions?
Copy-protect richer families than point functions?
Quantum money and copy-protection relative to a classical
oracle?
“Unsplittable amplification”? (To avoid k  k/2  k/2)
Adapt the [GGM] construction of PRFs from PRGs, to work
in the presence of quantum adversaries?
Information-theoretically secure quantum copy-protection?
(In regime where error probability is large enough to allow it)