Quantum Software Copy-Protection Scott Aaronson (MIT) |

Uploaded by joshua-dunlap, posted 26-Mar-2015


Page 1: Quantum Software Copy-Protection Scott Aaronson (MIT) |

Quantum Software Copy-Protection

Scott Aaronson (MIT)

Page 2:

Many people have a legitimate interest in keeping their intellectual property from being copied…

“But if quantum mechanics isn’t physics in the usual sense—if it’s not about matter, or energy, or waves—then what is it about?”

“Well, from my perspective, it’s about information, probabilities, and observables, and how they relate to each other.”

Page 3:

Classically: Giving someone a program that they can use but not copy is fundamentally impossible

(tell that to Sony/BMG…)

Quantumly: Well, it’s called the “No-Cloning Theorem” for a reason…

Question: Given a Boolean function $f:\{0,1\}^n\to\{0,1\}$, can you give your customers a state $|\psi_f\rangle$ that lets them evaluate f, but doesn’t let them prepare more states from which f can be evaluated?

“Can they use the state more than once?” Answer: Certainly, if they buy poly(n) copies of it

Note: We’re going to have to make computational assumptions

Page 4:

Example where quantum copy-protection seems possible

Consider the class of point functions: $f_s(x)=1$ if $x=s$, $f_s(x)=0$ otherwise

Encode s by a permutation $\sigma\in S_n$ such that $\sigma^2=e$. Choose $\pi_1,\dots,\pi_k\in S_n$ uniformly at random. Then give your customers the following state:

$$|\psi_\sigma\rangle \;=\; \frac{|\pi_1\rangle+|\sigma\pi_1\rangle}{\sqrt{2}}\;\otimes\;\frac{|\pi_2\rangle+|\sigma\pi_2\rangle}{\sqrt{2}}\;\otimes\cdots\otimes\;\frac{|\pi_k\rangle+|\sigma\pi_k\rangle}{\sqrt{2}}$$

Given any permutation $\sigma'$, I claim one can use $|\psi_\sigma\rangle$ to test whether $\sigma'=\sigma$ with error probability $2^{-k}$

On the other hand, $|\psi_\sigma\rangle$ doesn’t seem useful for preparing additional states with the same property

Theorem: This scheme is provably secure, under the assumption that it can’t be broken.

(Assumption is related to, but stronger than, the hardness of the Hidden Subgroup Problem over $S_n$)
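The verification test claimed on this slide, run as an added toy simulation (this is example code written for this page, not code from the talk or its paper). Register states are dicts of real amplitudes over permutations, and the customer's check is a Hadamard test on each factor with the controlled unitary $U|\tau\rangle=|\sigma'\tau\rangle$ (left multiplication by the candidate). The function names, the tiny n, and the choice of left multiplication are assumptions of the example; the algebra is the slide's: a correct $\sigma$ fixes every factor, a wrong one maps each factor to an orthogonal state, so all k factors accept with probability $2^{-k}$.

```python
"""Toy simulation (added example, not from the talk) of the slide-4 point-function scheme.

Vendor: encode s as an involution sigma in S_n (sigma^2 = e, sigma != e), draw
pi_1..pi_k uniformly at random, ship  tensor_i (|pi_i> + |sigma pi_i>)/sqrt(2).
Customer holding a candidate sigma': per factor, a Hadamard test with the
controlled unitary U|tau> = |sigma' tau>.  Permutations are tuples; a register
state is a dict permutation -> real amplitude, so no numpy is needed.
"""
import math
import random


def compose(a, b):
    """Permutation product a*b: apply b first, then a, so (a*b)[i] = a[b[i]]."""
    return tuple(a[b[i]] for i in range(len(a)))


def identity(n):
    return tuple(range(n))


def random_involution(n, rng):
    """A random non-identity sigma with sigma*sigma = identity(n) (n >= 2)."""
    order = list(range(n))
    rng.shuffle(order)
    sigma = list(range(n))
    for t in range(rng.randint(1, n // 2)):      # at least one swapped pair, so sigma != e
        i, j = order[2 * t], order[2 * t + 1]
        sigma[i], sigma[j] = j, i
    return tuple(sigma)


def random_permutation(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return tuple(p)


def factor_state(sigma, pi):
    """Amplitude dict for (|pi> + |sigma pi>)/sqrt(2); the two kets differ iff sigma != e."""
    if compose(sigma, pi) == pi:
        raise ValueError("sigma must not be the identity, or the factor is unnormalized")
    return {pi: 1 / math.sqrt(2), compose(sigma, pi): 1 / math.sqrt(2)}


def hadamard_test_accept_prob(state, sigma_prime):
    """Pr[ancilla reads 0] for the circuit H, controlled-U, H with U|tau> = |sigma' tau>.

    With real amplitudes this equals (1 + <psi|U|psi>)/2: exactly 1 when U fixes the
    state, exactly 1/2 when U sends it to an orthogonal state.
    """
    branch0 = {p: a / math.sqrt(2) for p, a in state.items()}   # ancilla |0>: U not applied
    branch1 = {}                                                 # ancilla |1>: U applied
    for p, a in state.items():
        q = compose(sigma_prime, p)
        branch1[q] = branch1.get(q, 0.0) + a / math.sqrt(2)
    prob0 = 0.0
    for p in set(branch0) | set(branch1):                        # final H on the ancilla
        amp0 = (branch0.get(p, 0.0) + branch1.get(p, 0.0)) / math.sqrt(2)
        prob0 += amp0 * amp0
    return prob0


def accept_probability(sigma, pis, sigma_prime):
    """Probability that all k factor tests accept sigma'.  The factors are independent,
    so this is a product: 1 for sigma' = sigma, 2^-k for any sigma' outside {e, sigma}."""
    prob = 1.0
    for pi in pis:
        prob *= hadamard_test_accept_prob(factor_state(sigma, pi), sigma_prime)
    return prob


if __name__ == "__main__":
    rng = random.Random(7)
    n, k = 5, 10
    sigma = random_involution(n, rng)
    pis = [random_permutation(n, rng) for _ in range(k)]
    wrong = random_permutation(n, rng)
    while wrong in (sigma, identity(n)):
        wrong = random_permutation(n, rng)
    print("correct sigma accepted w.p.", accept_probability(sigma, pis, sigma))
    print("wrong sigma' accepted w.p.", accept_probability(sigma, pis, wrong), "vs 2^-k =", 2.0 ** -k)
    # Caveat visible in the algebra: sigma' = e also fixes every factor.
    print("identity accepted w.p.", accept_probability(sigma, pis, identity(n)))
```

The last line of the demo is the practitioner's caveat: the identity permutation passes the test with probability 1 just like $\sigma$ does, because both $\sigma$ and $e$ leave each factor $|\pi_i\rangle+|\sigma\pi_i\rangle$ unchanged. A verifier therefore rejects $\sigma'=e$ up front; for every other wrong candidate the $2^{-k}$ bound holds regardless of which $\pi_i$ were drawn.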

Page 5:

Example where quantum copy-protection is not possible

Let G be a finite group, for which we can efficiently prepare $|G\rangle$ (a uniform superposition over the elements)

Let H be a subgroup with $|H|\ge|G|/\mathrm{polylog}|G|$

Given $|H\rangle$, Watrous showed one can efficiently decide membership in H

Given an element $x\in G$, check whether $\langle H|Hx\rangle$ is 0 or 1 (a swap test between $|H\rangle$ and the coset state $|Hx\rangle$ does this, since the cosets H and Hx either coincide or are disjoint)

Furthermore: given a program to decide membership in H, one can efficiently prepare $|H\rangle$

First prepare $|G\rangle$, then postselect on membership in H (the postselection succeeds with probability $|H|/|G|\ge1/\mathrm{polylog}|G|$, which is where the size condition on H is used)

Conclusion: Any program to decide membership in H can be pirated!

But apparently, only by a “fully quantum pirate”
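Both halves of this slide, the membership test and the pirate, run on a toy group as an added example (written for this page, not code from the talk). The group $G=\mathbb{Z}_N$, the subgroup $H=\langle d\rangle$, and all function names are assumptions of the example; coset states are dicts of real amplitudes, so $\langle H|Hx\rangle$ is computed exactly rather than estimated by a swap test, and the pirate's coherent call to the membership program is modelled by filtering the branches of $|G\rangle$.

```python
"""Added example (not from the talk): the slide-5 argument on a toy group.

G = Z_N (integers mod N), H = the subgroup generated by d, so |H| = N/d.
Coset states |Hx> are dicts mapping a group element to its amplitude.
  1. Membership via <H|Hx>: 1 if x in H, 0 otherwise (cosets coincide or are disjoint).
  2. The pirate: from |G> and a coherent call to any membership program, postselect on
     "member" and recover |H> exactly, succeeding with probability |H|/|G| = 1/d.
"""
import math


def uniform_state(elements):
    amp = 1 / math.sqrt(len(elements))
    return {g: amp for g in elements}


def coset_state(N, d, x):
    """|Hx> for H = <d> <= Z_N: uniform superposition over {h + x : h in H}."""
    return uniform_state([(h + x) % N for h in range(0, N, d)])


def overlap(a, b):
    """Inner product <a|b> of two real-amplitude states."""
    return sum(amp * b.get(g, 0.0) for g, amp in a.items())


def swap_test_accept_prob(a, b):
    """Pr[swap test reports 'same'] = (1 + <a|b>^2)/2; this is how <H|Hx> is measured."""
    return (1 + overlap(a, b) ** 2) / 2


def membership_from_coset_state(N, d, x):
    """Decide x in H using only |H> and |Hx>: overlap 1 means member, 0 means not."""
    return overlap(coset_state(N, d, 0), coset_state(N, d, x)) > 0.5


def pirate(N, member):
    """Rebuild |H> from |G> given only a membership predicate, applied in superposition.

    Returns (normalized post-measurement state, probability the postselection succeeds).
    The predicate is evaluated on every branch of |G> at once; that coherent call is the
    step a purely classical pirate holding the program as a black box cannot perform.
    """
    G = uniform_state(range(N))
    kept = {g: amp for g, amp in G.items() if member(g)}
    p_success = sum(amp * amp for amp in kept.values())
    norm = math.sqrt(p_success)
    return {g: amp / norm for g, amp in kept.items()}, p_success


if __name__ == "__main__":
    N, d = 64, 4
    print("8 in H:", membership_from_coset_state(N, d, 8),
          " 5 in H:", membership_from_coset_state(N, d, 5))
    # The pirate sees only the membership program, here itself built from |H>.
    state, p = pirate(N, lambda g: membership_from_coset_state(N, d, g))
    print("fidelity with |H>:", overlap(state, coset_state(N, d, 0)),
          " success prob:", p, "= |H|/|G| =", 1 / d)
```

With $N=64$ and $d=4$ the pirated state has overlap 1 with $|H\rangle$ and the postselection succeeds one time in four; shrinking H to a negligible fraction of G would make `p_success` negligible, which is exactly the case the slide's size condition on H excludes.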

Page 6:

Speculation: Every class of functions can be quantumly copy-protected, except the ones that can’t for trivial reasons (i.e., the ones that are “quantumly learnable from inputs and outputs”)

Main Result [A. 2034]: There exists a “quantum oracle” relative to which this speculation is correct

Thus, even if it isn’t, we won’t be able to prove that by any “quantumly relativizing technique”

Second application of my proof techniques [Mosca-Stebila]: Provably unforgeable “quantum money”

(Provided there’s a quantum oracle at the cash register)

Page 7:

Handwaving Proof Idea

For each circuit C, choose a “meaningless quantum label” $|\psi_C\rangle$ uniformly at random

Our quantum oracle will map $|\psi_C\rangle|x\rangle|0\rangle$ to $|\psi_C\rangle|x\rangle|C(x)\rangle$ (and also $|C\rangle|0\rangle$ to $|C\rangle|\psi_C\rangle$)

Intuitively, then, having $|\psi_C\rangle$ is “just the same as” having a black box for C

Goal: Show that if C is not learnable, then $|\psi_C\rangle$ can’t be pirated

To prove this, we need to construct a simulator, which takes any quantum algorithm that pirates $|\psi_C\rangle$, and converts it into an algorithm that learns C

Page 8:

Ingredient #1 in the simulator construction: “Complexity-Theoretic No-Cloning Theorem”

Theorem: Suppose a quantum algorithm is given an n-qubit state $|\psi\rangle$, and can also access a quantum oracle U that “recognizes” $|\psi\rangle$ (i.e., $U|\psi\rangle=-|\psi\rangle$ and $U|\phi\rangle=|\phi\rangle$ for all $|\phi\rangle$ with $\langle\phi|\psi\rangle=0$). Then the algorithm still needs $\sim 2^{n/2}$ queries to U to prepare any state having non-negligible overlap with $|\psi\rangle|\psi\rangle$

Observation: Contains both the No-Cloning Theorem and the optimality of Grover search as special cases!

Proof Idea: A new generalization of Ambainis’s quantum adversary method, to the case where the starting state already has some information about the answer

Page 9:

Ingredient #2: Pseudorandom States

$$|\psi_p\rangle \;=\; \frac{1}{\sqrt{2^n}}\sum_{x\in GF(2^n)} (-1)^{p_0(x)}\,|x\rangle$$

where p is a degree-d univariate polynomial over $GF(2^n)$ for some d=poly(n), and $p_0(x)$ is the “leading bit” of p(x)

Clearly the $|\psi_p\rangle$’s can be prepared in polynomial time

Lemma: If p is chosen uniformly at random, then $|\psi_p\rangle$ “looks like” a completely random n-qubit state
- Even if we get polynomially many copies of $|\psi_p\rangle$
- Even if we query the quantum oracle, which depends on $|\psi_p\rangle$

So the simulator can use $|\psi_p\rangle$’s in place of $|\psi_C\rangle$’s

Page 10:

Future Directions

Get rid of the oracle!

Clarify the relationship between copy-protection and obfuscation

The “constant error regime”: what is information-theoretically possible?
