quantum software copy-protection scott aaronson (mit) |
TRANSCRIPT
Quantum SoftwareCopy-Protection
Scott Aaronson (MIT)
|
Many people have a legitimate interest in keeping their intellectual property from
being copied…
“But if quantum mechanics isn’t physics in the usual sense—if it’s not about
matter, or energy, or waves—then what is it about?”
“Well, from my perspective, it’s about
information, probabilities, and observables, and how they relate to each other.”
Classically: Giving someone a program that they can use but not copy is fundamentally impossible
(tell that to Sony/BMG…)
Quantumly: Well, it’s called the “No-Cloning Theorem” for a reason…
Question: Given a Boolean function f:{0,1}n{0,1}, can you give your customers a state |f that lets them evaluate f, but doesn’t let them prepare more states from which f can be evaluated?
“Can they use the state more than once?”Answer: Certainly, if they buy poly(n) copies of it
Note: We’re going to have to make computational assumptions
Example where quantum copy-protection seems possible
Consider the class of point functions: fs(x)=1 if x=s, fs(x)=0 otherwise
Encode s by a permutation such that 2=e. Choose 1,…,k uniformly at random. Then give your customers the following state:
2211
kk
Given any permutation ’, I claim one can use | to test whether ’= with error probability 2-k
On the other hand, | doesn’t seem useful for preparing additional states with the same property
Theorem: This scheme is provably secure, under the assumption that it can’t be broken.
Theorem: This scheme is provably secure, under the assumption that it can’t be broken.
(Assumption is related to, but stronger than, the hardness of the Hidden Subgroup Problem over Sn)
(Assumption is related to, but stronger than, the hardness of the Hidden Subgroup Problem over Sn)
Example where quantum copy-protection is not possible
Let G be a finite group, for which we can efficiently prepare |G (a uniform superposition over the elements)
Let H be a subgroup with |H| |G|/polylog|G|
Given |H, Watrous showed one can efficiently decide membership in H
Given an element xG, check whether H|Hx is 0 or 1
Furthermore: given a program to decide membership in H, one can efficiently prepare |H
First prepare |G, then postselect on membership in H
Conclusion: Any program to decide membership in H can be pirated!
But apparently, only by a “fully quantum pirate”
Speculation: Every class of functions can be quantumly copy-protected, except the ones that can’t for trivial reasons(i.e., the ones that are “quantumly learnable from inputs and outputs”)
Main Result [A. 2034]: There exists a “quantum oracle” relative to which this speculation is correct
Thus, even if it isn’t, we won’t be able to prove that by any “quantumly relativizing technique”
Second application of my proof techniques [Mosca-Stebila]: Provably unforgeable “quantum money”
(Provided there’s a quantum oracle at the cash register)
For each circuit C, choose a “meaningless quantum label” |C uniformly at random
Our quantum oracle will map |C|x|0 to |C|x|C(x)(and also |C|0 to |C|C)
Intuitively, then, having |C is “just the same as” having a black box for C
Goal: Show that if C is not learnable, then |C can’t be pirated
To prove this, we need to construct a simulator, which takes any quantum algorithm that pirates |C, and converts it into an algorithm that learns C
Handwaving Proof Idea
Ingredient #1 in the simulator construction: “Complexity-Theoretic No-Cloning Theorem”
Theorem: Suppose a quantum algorithm is given an n-qubit state |, and can also access a quantum oracle U that “recognizes” | (i.e., U| = -| and U| = | for all |=0). Then the algorithm still needs ~2n/2 queries to U to prepare any state having non-negligible overlap with ||
Observation: Contains both the No-Cloning Theorem and the optimality of Grover search as special cases!
Proof Idea: A new generalization of Ambainis’s quantum adversary method, to the case where the starting state already has some information about the answer
Ingredient #2: Pseudorandom States
Clearly the |p’s can be prepared in polynomial time
Lemma: If p is chosen uniformly at random, then |p “looks like” a completely random n-qubit state- Even if we get polynomially many copies of |p- Even if we query the quantum oracle, which depends on |p
So the simulator can use |p’s in place of |C’s
where p is a degree-d univariate polynomial over GF(2n) for some d=poly(n), and p0(x) is the “leading bit” of p(x)
nGFx
xp
np x2
012
1
Future Directions
Get rid of the oracle!
Clarify the relationship between copy-protection and obfuscation
The “constant error regime”: what is information-theoretically possible?
DUNCE
DUNCE