Quantum Copy-Protection and Quantum Money

Scott Aaronson (MIT)

Any humor in this talk is completely unintentional.

Post on 26-Mar-2015


First Idea in the History of Quantum Info

Wiesner 1969 (!): Money that’s physically impossible to counterfeit, assuming only the truth of quantum mechanics

One Problem: Bank has to maintain giant database with classical description of the $|\psi_{x,i}\rangle$’s for every bill $x$ ever issued

Solution (BBBW 1982): Generate the $|\psi_{x,i}\rangle$’s by applying a pseudorandom function $f_s:\{0,1\}^n\to\{0,1\}^m$ to the serial number $x$, where $s$ is a seed known only to the bank

SERIAL NUMBER: $x$    POLARIZED QUBITS: $|\psi_{x,1}\rangle\,|\psi_{x,2}\rangle\,|\psi_{x,3}\rangle\,|\psi_{x,4}\rangle\cdots$

By the No-Cloning Theorem, a counterfeiter who doesn’t know how the $|\psi_{x,i}\rangle$’s were prepared can’t duplicate them

Achieves something flat-out impossible in the classical world!
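As an added illustration that is not part of the talk, here is a small classical simulation of the BBBW idea: the bank derives each polarized qubit’s basis and value from a PRF of the serial number (HMAC-SHA256 stands in for $f_s$, an assumption), so no per-bill database is needed, and a counterfeiter who measures each qubit in a guessed basis passes verification on a single qubit with probability only 3/4, hence on an $n$-qubit bill with probability $(3/4)^n$.

```python
import hashlib
import hmac
import random

# Constructed toy model of a conjugate-coded qubit: a pair (basis, bit), basis 0 = rectilinear,
# basis 1 = diagonal.  Measuring in the right basis returns the bit; measuring in the wrong
# basis returns a uniformly random bit and leaves the qubit re-prepared in that basis.

def prf(seed: bytes, serial: bytes, n: int):
    """f_s(x): serial number -> n bases and n bit values (HMAC-SHA256 stands in for the PRF)."""
    bits, counter = [], 0
    while len(bits) < 2 * n:
        block = hmac.new(seed, serial + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        bits.extend((byte >> k) & 1 for byte in block for k in range(8))
        counter += 1
    return bits[:n], bits[n:2 * n]

def mint(seed: bytes, serial: bytes, n: int):
    """Bank prepares the qubits |psi_{x,i}> for serial number x from the PRF output alone."""
    bases, values = prf(seed, serial, n)
    return list(zip(bases, values))

def measure(qubit, basis: int, rng: random.Random):
    """Returns (outcome, post-measurement qubit)."""
    if qubit[0] == basis:
        return qubit[1], qubit
    outcome = rng.getrandbits(1)
    return outcome, (basis, outcome)

def verify(seed: bytes, serial: bytes, qubits, rng=None) -> bool:
    """Authenticator re-derives bases and values from the serial number; no per-bill database."""
    if rng is None:
        rng = random.Random()
    bases, values = prf(seed, serial, len(qubits))
    return all(measure(q, b, rng)[0] == v for q, b, v in zip(qubits, bases, values))

def naive_counterfeit(qubits, rng: random.Random):
    """Counterfeiter without the seed: measure each qubit in a guessed basis and copy the outcome."""
    guesses = [rng.getrandbits(1) for _ in qubits]
    return [(g, measure(q, g, rng)[0]) for q, g in zip(qubits, guesses)]

def counterfeit_pass_rate(n: int, trials: int, seed: bytes, rng_seed: int = 0) -> float:
    """Fraction of naive counterfeits that verify; each qubit passes w.p. 3/4, so expect (3/4)^n."""
    rng, passes = random.Random(rng_seed), 0
    for t in range(trials):
        serial = t.to_bytes(8, "big")
        passes += verify(seed, serial, naive_counterfeit(mint(seed, serial, n), rng), rng)
    return passes / trials
```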

So Have We Solved the Millennia-Old Problem of Minting Secure Money?

(Modulo the engineering difficulties?)

Central Drawback of Wiesner and BBBW Schemes: Only the bank can authenticate the money

Theorem (A. 2009): To get uncloneable quantum money that anyone can authenticate, we need computational assumptions

But OK, why not? (We’d still be doing something amazing)

(Heisenberg’s Uncertainty Principle beating Newton not only in physics, but even in his later career as Master of the Mint?)

Quantum Software Copy-Protection

A task closely related to quantum money—which like the latter, seems “just on the verge of being possible”

We know copy-protection is fundamentally impossible in the classical world (not that that’s stopped people from trying…)

Finally, a serious use for quantum computing

Question: Can you have a quantum state $|\psi_f\rangle$ that lets you efficiently compute an unknown Boolean function $f:\{0,1\}^n\to\{0,1\}$, but can’t be efficiently used to prepare more states that also let you efficiently compute $f$?

Observation: If the customer is able to buy poly($n$) copies of $|\psi_f\rangle$ from the software store, then we can only hope for computational security, not information-theoretic

This paper initiates the study of quantum money and quantum copy-protection from the standpoint of modern theoretical computer science.

Main result: Construction of quantum oracles relative to which publicly-verifiable quantum money, and quantum copy-protection of “arbitrary” software, are indeed possible

In other words: there’s no relativizing obstruction to these things

Oracle Defense 1: Any security proof for a real quantum money or copy-protection scheme will need to include our black-box security proof as a special case!

Oracle Defense 2: The black-box security proof is already quite nontrivial! Requires a “Complexity-Theoretic No-Cloning Theorem,” explicit quantum t-designs…

But what about the real world? Can I at least give candidate schemes that work with no oracle?

Scheme for publicly-verifiable quantum money

- Based on random stabilizer states

- Under continuous assault by Hassidim and Lutomirski (So far, they’ve broken at least five of their own schemes)

Schemes for copy-protecting point functions (Functions $f_s:\{0,1\}^n\to\{0,1\}$ such that $f_s(x)=1$ iff $x=s$)

These schemes are provably secure, under the assumption that they can’t be broken

Definition of Quantum Money Scheme

$n$: Key size

$B$: Poly($n$)-size quantum circuit (the “bank”), which maps a secret key $s\in\{0,1\}^n$ to a public key $e_s$ and mixed state $\rho_s$

$A$: Poly($n$)-size quantum circuit (the “authenticator”), which takes $(e,\rho)$ as input and either accepts or rejects

$(B,A)$ has completeness error $\varepsilon$ if for every $s$,

$$\Pr\big[A(e_s,\rho_s)\ \text{accepts}\big] \ge 1-\varepsilon.$$

$(B,A)$ has soundness error $\delta$ if for every poly($n$)-size quantum circuit $C$ (the “counterfeiter”) mapping $\rho_s^{\otimes k}$ to $r>k$ output registers $\sigma_1,\ldots,\sigma_r$,

[soundness condition: a bound of $\delta$ on the probability that $A(e_s,\cdot)$ accepts the counterfeiter’s outputs $\sigma_i$; the exact event over $i\in[r]$ and $k$ did not survive extraction]

If the counterfeiter $C$ also receives $e_s$, then the scheme is public-key; otherwise it’s private-key

Candidate Public-Key Money Scheme

The bank generates $L$ random stabilizer states $|C_1\rangle,\ldots,|C_L\rangle$, on $n$ qubits each

Recall: A stabilizer state is a state obtainable from $|0^n\rangle$ by CNOT, Hadamard, and phase gates only

Then, for each $|C_i\rangle$, the bank generates $m$ random stabilizer measurements $E_{i1},\ldots,E_{im}$, each of which has probability $\varepsilon$ of commuting with $|C_i\rangle$ and is otherwise completely random

Finally, the bank distributes the following as a banknote:

$$\Big(\,|C_1\rangle,\ldots,|C_L\rangle,\;\; E_{11},\ldots,E_{1m},\;\ldots,\;E_{L1},\ldots,E_{Lm},\;\; \mathrm{sig}\,\Big)$$

To verify this banknote, first check that $\mathrm{sig}$ is a valid digital signature of $E$

Then apply a random $E_{ij}$ to each $|C_i\rangle$, and check that at least (say) a $1/2+\varepsilon/4$ fraction of them accept

Quantum Oracle Construction

Let’s now give a quantum oracle $U$, relative to which a public-key quantum money scheme exists unconditionally

$$U:\ |s\rangle \;\mapsto\; |e_s\rangle\,|\psi_s\rangle$$

($s$: $n$-bit secret key; $e_s$: $3n$-bit public key; $|\psi_s\rangle$: $n$-qubit Haar random state)

$$U\,|e_s\rangle|\psi_s\rangle = |e_s\rangle|\psi_s\rangle|\mathrm{YES}\rangle, \qquad U\,|e_s\rangle|\phi\rangle = |e_s\rangle|\phi\rangle|\mathrm{NO}\rangle \ \text{ for any } |\phi\rangle \text{ orthogonal to } |\psi_s\rangle$$

Everyone (bank, customers, counterfeiters) has same access to $U$

Clear that the bank can prepare banknotes $|e_s\rangle|\psi_s\rangle$, and legitimate buyers and sellers can authenticate them

Question: Given $e_s$, together with $|\psi_s\rangle^{\otimes k}$ for some $k=\mathrm{poly}(n)$, can a counterfeiter prepare additional copies of $|\psi_s\rangle$ by making poly($n$) queries to $U$?

“Complexity-Theoretic No-Cloning Theorem”

Let $|\psi\rangle$ be an $n$-qubit pure state. Suppose we’re given the initial state $|\psi\rangle^{\otimes k}$, as well as an oracle $U$ such that $U|\psi\rangle=-|\psi\rangle$ and $U|\phi\rangle=|\phi\rangle$ for all $|\phi\rangle$ orthogonal to $|\psi\rangle$. Then for all $r>k$, to prepare $r$ states $\sigma_1,\ldots,\sigma_r$ such that

[closeness condition on the $\sigma_i$, involving $k$, $i\in[r]$ and a $1-\varepsilon$ threshold; the expression did not survive extraction]

we need this many queries to $U$:

[lower bound in terms of $r$, $k$, $2^n$ and a logarithmic factor; the expression did not survive extraction]

This generalizes both the No-Cloning Theorem and the optimality of Grover’s algorithm!

Proof requires generalizing Ambainis’s adversary method, to the case where the quantum algorithm’s initial state already encodes some information about the target state

Definition of Quantum Copy-Protection Schemes

$F$: Family of Boolean functions $f:\{0,1\}^n\to\{0,1\}$, together with poly-size “description” $d_f$ for each $f\in F$

$V$: Poly-size quantum circuit (the “vendor”), which maps $d_f$ to a quantum program $\rho_f$

$C$: Poly-size quantum circuit (the “customer”), which takes $(\rho_f,x)$ as input and tries to output $f(x)$

$(V,C)$ has correctness parameter $\varepsilon$ if for all $f\in F$ and $x\in\{0,1\}^n$,

$$\Pr\big[C(\rho_f,x)\ \text{outputs}\ f(x)\big] \ge 1-\varepsilon.$$

$(V,C)$ has security $\delta$ against a distribution $D$ over $F\times\{0,1\}^n$, if for all poly-size quantum circuits $P$ (the “pirate”) mapping $\rho_f^{\otimes k}$ to $r>k$ output registers $\sigma_1,\ldots,\sigma_r$, and all poly-size quantum circuits $L$ (the “freeloader”),

[security condition: a bound, in terms of $\delta$, $k$ and $r$, on $\mathrm{EX}_{(f,x)\sim D}\big[\Pr[L(\sigma_i,x)\ \text{outputs}\ f(x)]\big]$ over the pirate’s outputs $\sigma_i$; the exact expression did not survive extraction]

Candidate Scheme for Copy-Protecting Point Functions (thanks to Adam Smith)

Goal: A quantum program $|\psi_s\rangle$ that can be used to recognize a password $s\in\{0,1\}^n$, but not to create more quantum programs that efficiently recognize $s$

Possible Solution:

1. Use a pseudorandom generator $g:\{0,1\}^n\to\{0,1\}^m$ to stretch $s$ to $g(s)$

2. Interpret $g(s)$ as a description of a quantum circuit $U_{g(s)}$

3. Set $|\psi_s\rangle := U_{g(s)}\,|0^n\rangle$

Given $s’$, can check whether $s’=s$ by applying $U_{g(s’)}^{-1}$ to $|\psi_s\rangle$
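The three steps above, simulated on a toy 3-qubit program as an added example (my construction, not from the talk): SHA-256 in counter mode stands in for the PRG $g$ (an assumption, not a proven PRG), each output byte is read as one H, T or CNOT gate of $U_{g(s)}$, and the check applies the inverse circuit for a guessed $s’$ and returns the probability of measuring $|0^n\rangle$.

```python
import cmath
import hashlib
import math

N_QUBITS = 3          # toy size: the program state has 2^3 = 8 amplitudes
DIM = 1 << N_QUBITS

def prg(s: bytes, m: int = 48) -> bytes:
    """Stand-in for g: {0,1}^n -> {0,1}^m (SHA-256 in counter mode; an assumption)."""
    return b"".join(hashlib.sha256(s + bytes([c])).digest() for c in range(m // 32 + 1))[:m]

def circuit_from(desc: bytes):
    """Interpret g(s) as a gate list over {H, T, CNOT}: one gate per byte of the PRG output."""
    gates = []
    for b in desc:
        kind, q, r = b & 3, (b >> 2) % N_QUBITS, (b >> 4) % (N_QUBITS - 1)
        if kind == 0: gates.append(("H", q))
        elif kind == 1: gates.append(("T", q))
        else: gates.append(("CX", q, (q + 1 + r) % N_QUBITS))  # target is never the control
    return gates

def apply(state, gate, inverse=False):
    """Apply one gate to a DIM-entry complex state vector; H and CNOT are self-inverse."""
    out = state[:]
    if gate[0] == "H":
        q = 1 << gate[1]
        for i in range(DIM):
            if not i & q:
                a, b = state[i], state[i | q]
                out[i], out[i | q] = (a + b) / math.sqrt(2), (a - b) / math.sqrt(2)
    elif gate[0] == "T":  # T = diag(1, e^{i*pi/4}); the inverse conjugates the phase
        q, phase = 1 << gate[1], cmath.exp((-1j if inverse else 1j) * math.pi / 4)
        for i in range(DIM):
            if i & q: out[i] = state[i] * phase
    else:  # CNOT: when the control bit is set, swap the pair of amplitudes differing in the target bit
        c, t = 1 << gate[1], 1 << gate[2]
        for i in range(DIM):
            if i & c: out[i] = state[i ^ t]
    return out

def program_state(s: bytes):
    """|psi_s> := U_{g(s)} |0^n>"""
    state = [1 + 0j] + [0j] * (DIM - 1)
    for g in circuit_from(prg(s)): state = apply(state, g)
    return state

def check(psi, s_prime: bytes) -> float:
    """Apply U_{g(s')}^{-1} and return Pr[measure |0^n>]: 1 when s' = s, else the overlap of two unrelated states."""
    for g in reversed(circuit_from(prg(s_prime))): psi = apply(psi, g, inverse=True)
    return abs(psi[0]) ** 2
```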

We’d like to give a quantum oracle U, relative to which quantum copy-protection is “generically possible”

Obvious obstruction: If $F$ is learnable (that is, any $f\in F$ can be identified using poly($n$) oracle calls), then there’s no hope of copy-protecting $F$, using quantum mechanics or anything else!

Theorem: There exists a quantum oracle $U$, relative to which any family $F$ of non-learnable, poly-time functions can be quantumly copy-protected, with security $\delta$, against all pirates mapping $k$ programs to $r$ with $(1-2\delta)\,r > 2k$

Basic idea is the same as in the money case: for each $f\in F$, the quantum program $|\psi_f\rangle$ will be a Haar-random state

We’ll “offload all the work to the oracle”: $U$ prepares $|\psi_f\rangle$ given $d_f$, and also computes $f(x)$ given $|\psi_f\rangle|x\rangle$

Handwaving Proof Idea

Let $P$ be a poly-time algorithm for pirating $|\psi_f\rangle$, possibly using $U$

Our job: Construct a simulator, which converts $P$ into a poly-time algorithm for learning $f\in F$ using oracle access to $f$ (but not using $U$)

The simulator will mock up its own “random” state $|\varphi\rangle$, as well as an oracle $U’$ that computes $f(x)$ given $|\varphi\rangle|x\rangle$ (using oracle access to $f$)

The simulator then runs the pirating algorithm $P$, but using $|\varphi\rangle$ and $U’$ instead of $|\psi_f\rangle$ and $U$

Suppose the simulated pirate outputs (say) $|\varphi\rangle|\xi\rangle$

The Complexity-Theoretic No-Cloning Theorem implies that $|\xi\rangle$ can’t have significant overlap with $|\varphi\rangle$

But $|\xi\rangle$ is also a good quantum program for $f$. Indeed, one can show that $|\xi\rangle$ is still a good quantum program, even if we replace $U’$ by the identity transformation

So we’ve succeeded at learning a quantum program for $f\in F$, using oracle access to $f$

Problem: In quantum polynomial time, how does one prepare a “random” pure state $|\varphi\rangle$?

Solution: Explicit Quantum t-Designs (related to Ambainis-Emerson, CCC’07)

$$|\varphi_p\rangle = \frac{1}{2^{n/2}} \sum_{x\in \mathrm{GF}(2^n)} e^{2\pi i\, p(x)/2^n}\,|x\rangle$$

where $p$ is a degree-$d$ univariate polynomial over $\mathrm{GF}(2^n)$ (and we interpret $p(x)$ as an integer in $\{0,\ldots,2^n-1\}$ when necessary)

Clearly the $|\varphi_p\rangle$’s can be prepared in poly($n,d$) time

Lemma: Let $E$ be a quantum algorithm that receives $|\varphi\rangle^{\otimes t}$ as input, and also makes $q$ queries to a quantum oracle that recognizes $|\varphi\rangle$. Then provided [a condition relating the degree $d$ to $q$, $t$ and $2^{n/2}$; the exact inequality did not survive extraction],

$$\Big|\, \mathop{\mathrm{EX}}_{\varphi}\big[\Pr[E\ \text{accepts}]\big] - \mathop{\mathrm{EX}}_{p}\big[\Pr[E\ \text{accepts}]\big] \,\Big| \le [\text{bound; did not survive extraction}]$$

where the first expectation is over Haar-random $|\varphi\rangle$ and the second over random degree-$d$ polynomials $p$, with $|\varphi_p\rangle$ in place of $|\varphi\rangle$

Hence, provided we choose the degree $d$ to be sufficiently larger than the pirating algorithm’s running time, we can use $|\varphi_p\rangle$ in place of $|\psi_f\rangle$ in our simulation of the pirating algorithm

Open Problems

Publicly-verifiable quantum money (and copy-protected software) secure under non-tautological assumptions?

Copy-protect richer families than point functions?

Quantum money and copy-protection relative to a classical oracle?

“Unsplittable amplification”? (To avoid splitting $k \to k/2,\; k/2$)

Adapt the [GGM] construction of PRFs from PRGs, to work in the presence of quantum adversaries?

Information-theoretically secure quantum copy-protection? (In regime where error probability is large enough to allow it)
