Quantum Copy-Protection and Quantum Money
Scott Aaronson (MIT)
(Any humor in this talk is completely unintentional.)

First Idea in the History of Quantum Info
Wiesner 1969 (!): Money that's physically impossible to counterfeit, assuming only the truth of quantum mechanics.
SERIAL NUMBER: x
POLARIZED QUBITS: $|\psi_{x,1}\rangle\, |\psi_{x,2}\rangle\, |\psi_{x,3}\rangle\, |\psi_{x,4}\rangle \ldots$
- By the No-Cloning Theorem, a counterfeiter who doesn't know how the $|\psi_{x,i}\rangle$'s were prepared can't duplicate them.
- Achieves something flat-out impossible in the classical world!
- One problem: the bank has to maintain a giant database with a classical description of the $|\psi_{x,i}\rangle$'s for every bill ever issued.
- Solution (BBBW 1982): Generate the $|\psi_{x,i}\rangle$'s by applying a pseudorandom function $f_s : \{0,1\}^n \to \{0,1\}^m$ to the serial number x, where s is a seed known only to the bank.

So Have We Solved the Millennia-Old Problem of Minting Secure Money?
(Modulo the engineering difficulties?)
(Heisenberg's Uncertainty Principle beating Newton not only in physics, but even in his later career as Master of the Mint?)
Central drawback of the Wiesner and BBBW schemes: only the bank can authenticate the money.
Theorem (A. 2009): To get uncloneable quantum money that anyone can authenticate, we need computational assumptions.
But OK, why not? (We'd still be doing something amazing.)

Quantum Software Copy-Protection
Finally, a serious use for quantum computing!
We know copy-protection is fundamentally impossible in the classical world (not that that's stopped people from trying…).
Question: Can you have a quantum state $|\psi_f\rangle$ that lets you efficiently compute an unknown Boolean function $f : \{0,1\}^n \to \{0,1\}$, but can't be efficiently used to prepare more states that also let you efficiently compute f?
Observation: If the customer is able to buy poly(n) copies of $|\psi_f\rangle$ from the software store, then we can only hope for computational security, not information-theoretic.
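The Wiesner/BBBW idea above, as an added toy simulation written for this page (it is not code from the talk, and the names in it are constructed): each polarized qubit $|\psi_{x,i}\rangle$ is simulated as a (basis, bit) pair, HMAC-SHA256 keyed with the bank's seed stands in for the pseudorandom function $f_s$ (an assumption; any PRF serves), and the no-cloning obstacle is modelled by forcing a counterfeiter who does not know the bases to measure each qubit in a guessed basis before re-preparing it. The bank stores nothing but its seed, recomputes $f_s(x)$ from the serial number at verification time, and a forged note survives verification with probability $(3/4)^m$.

```python
"""Toy classical simulation of Wiesner/BBBW quantum money (added example).

Each qubit |psi_{x,i}> is a (basis, bit) pair; HMAC-SHA256 under the bank's
seed stands in for the pseudorandom function f_s (assumption: any PRF would
do); a counterfeiter must measure each qubit in a guessed basis before
copying it, which is how the no-cloning theorem shows up in the simulation.
"""
import hashlib
import hmac
import random
from dataclasses import dataclass
from typing import List, Tuple

# basis 0 = rectilinear {|0>, |1>}, basis 1 = diagonal {|+>, |->}
Qubit = Tuple[int, int]  # (basis, bit)


def prf(seed: bytes, serial: int, m: int) -> List[Qubit]:
    """f_s(x): derive m (basis, bit) pairs for serial number x from the seed alone."""
    stream = b""
    counter = 0
    while len(stream) < m:
        msg = f"{serial}:{counter}".encode()
        stream += hmac.new(seed, msg, hashlib.sha256).digest()
        counter += 1
    # one byte per qubit: lowest bit chooses the basis, next bit the encoded value
    return [(b & 1, (b >> 1) & 1) for b in stream[:m]]


def measure(qubit: Qubit, basis: int, rng: random.Random) -> int:
    """Measure a simulated qubit: deterministic in its own basis, a coin flip otherwise."""
    prepared_basis, bit = qubit
    if prepared_basis == basis:
        return bit
    return rng.randrange(2)


@dataclass
class Banknote:
    serial: int           # classical serial number x, printed on the note
    qubits: List[Qubit]   # the simulated register |psi_{x,1}> ... |psi_{x,m}>


class Bank:
    """Holds only the seed s: no per-note database, as in BBBW."""

    def __init__(self, seed: bytes, m: int):
        self.seed = seed
        self.m = m
        self.next_serial = 0

    def mint(self) -> Banknote:
        x = self.next_serial
        self.next_serial += 1
        return Banknote(x, prf(self.seed, x, self.m))

    def verify(self, note: Banknote, rng: random.Random) -> bool:
        """Recompute f_s(x), measure each qubit in its intended basis, demand every bit match."""
        if len(note.qubits) != self.m:
            return False
        expected = prf(self.seed, note.serial, self.m)
        for (basis, bit), qubit in zip(expected, note.qubits):
            if measure(qubit, basis, rng) != bit:
                return False
        return True


def counterfeit(note: Banknote, rng: random.Random) -> Tuple[Banknote, Banknote]:
    """A counterfeiter without s guesses a basis per qubit, measures, and re-prepares.

    Measurement collapses the original, so both the (disturbed) original and the
    copy are returned; each passes verification with probability (3/4)^m.
    """
    disturbed, copy = [], []
    for qubit in note.qubits:
        guess = rng.randrange(2)
        outcome = measure(qubit, guess, rng)
        disturbed.append((guess, outcome))   # original has collapsed to the guessed basis
        copy.append((guess, outcome))        # the re-prepared duplicate
    return Banknote(note.serial, disturbed), Banknote(note.serial, copy)


def honest_note_verifies(m: int = 32) -> bool:
    """A freshly minted note passes, since every qubit is measured in its own basis."""
    rng = random.Random(1)
    bank = Bank(b"constructed-demo-seed", m)
    return bank.verify(bank.mint(), rng)


def forgery_acceptance_rate(m: int, trials: int, seed: int = 1) -> float:
    """Fraction of counterfeited notes (disturbed originals and copies) the bank accepts."""
    rng = random.Random(seed)
    bank = Bank(b"constructed-demo-seed", m)
    accepted = 0
    for _ in range(trials):
        for forged in counterfeit(bank.mint(), rng):
            accepted += int(bank.verify(forged, rng))
    return accepted / (2 * trials)


def expected_forgery_rate(m: int) -> float:
    """Per qubit: a right basis guess (1/2) always passes, a wrong one (1/2) passes with 1/2."""
    return 0.75 ** m


if __name__ == "__main__":
    print("honest note accepted:", honest_note_verifies())
    print("forgery acceptance at m=32:", forgery_acceptance_rate(32, 1000),
          "expected about", expected_forgery_rate(32))
```

The simulation shows the two properties the slides rely on: verification needs only the seed and the serial number, and every qubit a counterfeiter measures in the wrong basis is caught with probability 1/2, so security grows exponentially in the number of qubits per note. What it cannot show is the central drawback noted above: `verify` needs the seed, so only the bank can run it.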
A task closely related to quantum money, which, like the latter, seems "just on the verge of being possible."

This Paper
Initiates the study of quantum money and quantum copy-protection from the standpoint of modern theoretical computer science.
Main result: Construction of quantum oracles relative to which publicly-verifiable quantum money, and quantum copy-protection of "arbitrary" software, are indeed possible. In other words: there's no relativizing obstruction to these things.
Oracle Defense 1: Any security proof for a real quantum money or copy-protection scheme will need to include our black-box security proof as a special case!
Oracle Defense 2: The black-box security proof is already quite nontrivial! Requires a "Complexity-Theoretic No-Cloning Theorem," explicit quantum t-designs…

But What About the Real World?
Can I at least give candidate schemes that work with no oracle?
Scheme for publicly-verifiable quantum money
- Based on random stabilizer states
- Under continuous assault by Hassidim and Lutomirski (so far, they've broken at least five of their own schemes)
Schemes for copy-protecting point functions (functions $f_s : \{0,1\}^n \to \{0,1\}$ such that $f_s(x) = 1$ iff $x = s$)
- These schemes are provably secure, under the assumption that they can't be broken.

Definition of Quantum Money Scheme
- n: key size
- B: poly(n)-size quantum circuit (the "bank"), which maps a secret key $s \in \{0,1\}^n$ to a public key $e_s$ and a mixed state $\rho_s$
- A: poly(n)-size quantum circuit (the "authenticator"), which takes $(e_s, \rho)$ as input and either accepts or rejects
- If the counterfeiter C also receives $e_s$, then the scheme is public-key; otherwise it's private-key.
- (B,A) has completeness error $\varepsilon$ if for every s, $\Pr[A(e_s, \rho_s) \text{ accepts}] \ge 1 - \varepsilon$.
- (B,A) has soundness error $\delta$ if for every poly(n)-size quantum circuit C (the "counterfeiter") mapping $\rho_s^{\otimes k}$ to $r > k$ output registers $\rho_{s,1}, \ldots, \rho_{s,r}$, $\sum_{i=1}^{r} \Pr[A(e_s, \rho_{s,i}) \text{ accepts}] \le k + \delta$.

Candidate Public-Key Money Scheme
- The bank generates L random stabilizer states $|C_1\rangle, \ldots, |C_L\rangle$ on n qubits each. (Recall: a stabilizer state is a state obtainable from $|0^n\rangle$ by CNOT, Hadamard, and $\begin{pmatrix} 1 & 0 \\ 0 & i \end{pmatrix}$ gates only.)
- Then, for each $|C_i\rangle$, the bank generates m random stabilizer measurements $E_{i1}, \ldots, E_{im}$, each of which commutes with $|C_i\rangle$ with some fixed probability and is otherwise completely random.
- Finally, the bank distributes the following as a banknote: $\left( |C_1\rangle, \ldots, |C_L\rangle,\; E = \begin{pmatrix} E_{11} & \cdots & E_{1m} \\ \vdots & & \vdots \\ E_{L1} & \cdots & E_{Lm} \end{pmatrix},\; \mathrm{sig}(E) \right)$
- To verify this banknote, first check that sig is a valid digital signature of E. Then apply a random $E_{ij}$ to each $|C_i\rangle$, and check that at least (say) a $1/2 + \varepsilon/4$ fraction of them accept.

Quantum Oracle Construction
Let's now give a quantum oracle U, relative to which a public-key quantum money scheme exists unconditionally.
- s: n-bit secret key
- $e_s$: 3n-bit public key
- $|\psi_s\rangle$: n-qubit Haar-random state
- U maps $|s\rangle$ to $|e_s\rangle |\psi_s\rangle$.
- U maps $|e_s\rangle |\psi_s\rangle$ to YES, and maps $|e_s\rangle |\phi\rangle$ to NO for any $|\phi\rangle$ orthogonal to $|\psi_s\rangle$.
Everyone (bank, customers, counterfeiters) has the same access to U. Clear that the bank can prepare banknotes $|e_s\rangle |\psi_s\rangle$, and legitimate buyers and sellers can authenticate them.
Question: Given $e_s$, together with $|\psi_s\rangle^{\otimes k}$ for some k = poly(n), can a counterfeiter prepare additional copies of $|\psi_s\rangle$ by making poly(n) queries to U?

"Complexity-Theoretic No-Cloning Theorem"
Let $|\psi\rangle$ be an n-qubit pure state. Suppose we're given the initial state $|\psi\rangle^{\otimes k}$, as well as an oracle U such that $U|\psi\rangle = -|\psi\rangle$ and $U|\phi\rangle = |\phi\rangle$ for all $|\phi\rangle$ orthogonal to $|\psi\rangle$. Then for all r > k, to prepare r states $\rho_1, \ldots, \rho_r$ whose total overlap $\sum_{i=1}^{r} \langle\psi|\rho_i|\psi\rangle$ noticeably exceeds k, we need a number of queries to U of order $\sqrt{2^n}$, up to factors in r, k and log k.
Proof requires generalizing Ambainis's quantum adversary method to the case where the algorithm's initial state already encodes some information about the target state.
This generalizes both the No-Cloning Theorem and the optimality of Grover's algorithm!
Definition of Quantum Copy-Protection Scheme
- F: family of Boolean functions $f : \{0,1\}^n \to \{0,1\}$, together with a poly-size "description" $d_f$ for each $f \in F$
- V: poly-size quantum circuit (the "vendor"), which maps $d_f$ to a quantum program $\rho_f$
- C: poly-size quantum circuit (the "customer"), which takes $(\rho_f, x)$ as input and tries to output f(x)
- (V,C) has correctness parameter $\delta$ if for all $f \in F$ and $x \in \{0,1\}^n$, $\Pr[C(\rho_f, x) \text{ outputs } f(x)] \ge 1 - \delta$.
- (V,C) has security $\varepsilon$ against a distribution D over $F \times \{0,1\}^n$ if for all poly-size quantum circuits P (the "pirate") mapping $\rho_f^{\otimes k}$ to $r > k$ output registers $\rho_{f,1}, \ldots, \rho_{f,r}$, and all poly-size quantum circuits L (the "freeloader"), $\sum_{i=1}^{r} \mathop{\mathrm{E}}_{(f,x) \sim D} \big[ \Pr[L(\rho_{f,i}, x) \text{ outputs } f(x)] \big] \le k + (\ldots)(r - k)$.

Candidate Scheme for Copy-Protecting Point Functions (thanks to Adam Smith)
Goal: A quantum program $|\psi_s\rangle$ that can be used to recognize a password $s \in \{0,1\}^n$, but not to create more quantum programs that efficiently recognize s.
Possible solution:
1. Use a pseudorandom generator $g : \{0,1\}^n \to \{0,1\}^m$ to stretch s to g(s).
2. Interpret g(s) as a description of a quantum circuit $U_{g(s)}$.
3. Set $|\psi_s\rangle := U_{g(s)} |0^n\rangle$.
Given s', can check whether s' = s by applying $U_{g(s')}^{-1}$ to $|\psi_s\rangle$ and checking for $|0^n\rangle$.

Towards an Oracle Result for Copy-Protection
We'd like to give a quantum oracle U, relative to which quantum copy-protection is "generically possible."
Obvious obstruction: If F is learnable (that is, any $f \in F$ can be identified using poly(n) oracle calls), then there's no hope of copy-protecting F, using quantum mechanics or anything else!
Theorem: There exists a quantum oracle U, relative to which any family F of non-learnable, poly-time functions can be quantumly copy-protected, with security $\varepsilon$, against all pirates mapping k programs to r with $(1 - 2\varepsilon) r > 2k$.

Handwaving Proof Idea
- Basic idea is the same as in the money case: for each $f \in F$, the quantum program $\rho_f$ will be a Haar-random pure state $|\psi_f\rangle$.
- We'll "offload all the work to the oracle": U prepares $|\psi_f\rangle$ given $d_f$, and also computes f(x) given $|\psi_f\rangle |x\rangle$.
- Let P be a poly-time algorithm for pirating $|\psi_f\rangle$, possibly using U.
- Our job: construct a simulator which converts P into a poly-time algorithm for learning $f \in F$ using oracle access to f (but not using U).
- The simulator will mock up its own "random" state $|\psi\rangle$, as well as an oracle U' that computes f(x) given $|\psi\rangle |x\rangle$ (using oracle access to f).
- The simulator then runs the pirating algorithm P, but using $|\psi\rangle$ and U' instead of $|\psi_f\rangle$ and U.
- Suppose the simulated pirate outputs (say) $|\phi\rangle |\phi\rangle$. The Complexity-Theoretic No-Cloning Theorem implies that $|\phi\rangle$ can't have significant overlap with $|\psi\rangle$.
- But $|\phi\rangle$ is also a good quantum program for f. Indeed, one can show that $|\phi\rangle$ is still a good quantum program even if we replace U' by the identity transformation.
- So we've succeeded at learning a quantum program for $f \in F$, using oracle access to f.

Problem: In quantum polynomial time, how does one prepare a "random" pure state $|\psi\rangle$?
Solution: Explicit Quantum t-Designs (related to Ambainis–Emerson, CCC'07)
$$|\psi_p\rangle = \frac{1}{\sqrt{2^n}} \sum_{x \in \mathrm{GF}(2^n)} e^{2\pi i\, p(x) / 2^n} |x\rangle$$
where p is a degree-d univariate polynomial over $\mathrm{GF}(2^n)$ (and we interpret p(x) as an integer in $\{0, \ldots, 2^n - 1\}$ when necessary).
Clearly the $|\psi_p\rangle$'s can be prepared in poly(n, d) time. Hence, provided we choose the degree d to be sufficiently larger than the pirating algorithm's running time, we can use $|\psi_p\rangle$ in place of $|\psi_f\rangle$ in our simulation of the pirating algorithm.
Lemma: Let E be a quantum algorithm that receives $|\psi\rangle^{\otimes t}$ as input, and also makes q queries to a quantum oracle that recognizes $|\psi\rangle$. Then, provided $t + 2q \le d/2$ (and t + 2q is also at most a quantity exponential in n), the difference $\left| \mathop{\mathrm{E}}_{p} \big[ \Pr[E \text{ accepts } |\psi_p\rangle] \big] - \mathop{\mathrm{E}}_{\psi} \big[ \Pr[E \text{ accepts } |\psi\rangle] \big] \right|$, for p a random degree-d polynomial and $|\psi\rangle$ Haar-random, is at most a polynomial in t + 2q divided by $2^n$.

Open Problems
- Publicly-verifiable quantum money (and copy-protected software) secure under non-tautological assumptions?
- Copy-protect richer families than point functions?
- Quantum money and copy-protection relative to a classical oracle?
- "Unsplittable amplification"? (To avoid splitting k copies into k/2 and k/2.)
- Adapt the [GGM] construction of PRFs from PRGs to work in the presence of quantum adversaries?
- Information-theoretically secure quantum copy-protection? (In the regime where the error probability is large enough to allow it.)