# Quantum Copy-Protection and Quantum Money

Scott Aaronson (MIT)

Any humor in this talk is completely unintentional.


## First Idea in the History of Quantum Info

Wiesner 1969 (!): Money that's physically impossible to counterfeit, assuming only the truth of quantum mechanics.

(Figure: a banknote carrying a SERIAL NUMBER x and POLARIZED QUBITS | x,1, | x,2, | x,3, | x,4, …)

By the No-Cloning Theorem, a counterfeiter who doesn't know how the states | x,i were prepared can't duplicate them. Achieves something flat-out impossible in the classical world!

One Problem: The bank has to maintain a giant database with a classical description of the states | x,i for every bill x ever issued.

Solution (BBBW 1982): Generate the states | x,i by applying a pseudorandom function f_s: {0,1}^n → {0,1}^m to the serial number x, where s is a seed known only to the bank.
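The Wiesner/BBBW note and the measure-and-resend counterfeiter, as an added Python simulation that is not part of the talk: the bank derives each note's states from the serial number with HMAC-SHA256 standing in for the pseudorandom function f_s (an assumption, as is the constructed seed), and a counterfeiter who measures in guessed bases passes verification with probability only (3/4)^n.

```python
import hashlib, hmac, random

# Classical stand-in for Wiesner/BBBW conjugate-coding qubits, added here as an
# illustration (not from the talk). A qubit is (basis, bit): basis 0 is {|0>,|1>},
# basis 1 is {|+>,|->}. Measuring in the wrong basis gives a random bit and
# collapses the qubit to the measured state; that is all no-cloning needs here.

SEED = b"bank-seed-constructed-for-demo"  # hypothetical bank seed s

def mint(seed, serial, n):
    """BBBW: derive the n (basis, bit) pairs from a PRF of the serial number, so
    the bank keeps only the seed. HMAC-SHA256 stands in for f_s (assumption)."""
    assert 1 <= n <= 128  # one digest supplies 2 bits per qubit
    digest = hmac.new(seed, serial, hashlib.sha256).digest()
    pairs = [(digest[i // 4] >> (2 * (i % 4))) & 3 for i in range(n)]
    return [(p & 1, p >> 1) for p in pairs]

def measure(state, basis, rng=None):
    """Measure one qubit; returns (outcome, post-measurement state)."""
    rng = rng or random
    b, v = state
    outcome = v if basis == b else rng.randrange(2)
    return outcome, (basis, outcome)

def verify(seed, serial, qubits, rng=None):
    """Bank re-derives the expected states and measures each qubit in its own basis."""
    expected = mint(seed, serial, len(qubits))
    return all(measure(q, b, rng)[0] == v for q, (b, v) in zip(qubits, expected))

def measure_and_resend(qubits, rng=None):
    """Counterfeiter ignorant of the bases: measure in a random basis, re-prepare."""
    rng = rng or random
    return [measure(q, rng.randrange(2), rng)[1] for q in qubits]

def forgery_pass_probability(n):
    """Exact success of measure-and-resend: per qubit 1/2*1 + 1/2*1/2 = 3/4."""
    return 0.75 ** n

def estimate_forgery_success(n, trials, rng_seed=0):
    """Monte Carlo check of forgery_pass_probability on freshly minted notes."""
    rng = random.Random(rng_seed)
    passed = 0
    for t in range(trials):
        serial = b"note-%d" % t
        forged = measure_and_resend(mint(SEED, serial, n), rng)
        passed += verify(SEED, serial, forged, rng)
    return passed / trials
```

A genuine note always verifies, while the forgery's acceptance rate decays exponentially in the number of qubits, which is why the scheme needs no computational assumption as long as only the bank verifies.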

## So Have We Solved the Millennia-Old Problem of Minting Secure Money?

(Modulo the engineering difficulties?)

Central Drawback of the Wiesner and BBBW Schemes: Only the bank can authenticate the money.

Theorem (A. 2009): To get uncloneable quantum money that anyone can authenticate, we need computational assumptions.

But OK, why not? (We'd still be doing something amazing.) (Heisenberg's Uncertainty Principle beating Newton not only in physics, but even in his later career as Master of the Mint?)

## Quantum Software Copy-Protection

A task closely related to quantum money, which, like the latter, seems just on the verge of being possible.

We know copy-protection is fundamentally impossible in the classical world (not that that's stopped people from trying…). Finally, a serious use for quantum computing.

Question: Can you have a quantum state | f that lets you efficiently compute an unknown Boolean function f: {0,1}^n → {0,1}, but can't be efficiently used to prepare more states that also let you efficiently compute f?

Observation: If the customer is able to buy poly(n) copies of | f from the software store, then we can only hope for computational security, not information-theoretic.

This paper initiates the study of quantum money and quantum copy-protection from the standpoint of modern theoretical computer science.

Main result: Construction of quantum oracles relative to which publicly-verifiable quantum money, and quantum copy-protection of arbitrary software, are indeed possible. In other words: there's no relativizing obstruction to these things.

Oracle Defense 1: Any security proof for a real quantum money or copy-protection scheme will need to include our black-box security proof as a special case!

Oracle Defense 2: The black-box security proof is already quite nontrivial! Requires a Complexity-Theoretic No-Cloning Theorem, explicit quantum t-designs…

## But what about the real world?

Can I at least give candidate schemes that work with no oracle?

Scheme for publicly-verifiable quantum money: based on random stabilizer states; under continuous assault by Hassidim and Lutomirski (so far, they've broken at least five of their own schemes).

Schemes for copy-protecting point functions (functions f_s: {0,1}^n → {0,1} such that f_s(x)=1 iff x=s).

These schemes are provably secure, under the assumption that they can't be broken.

## Definition of Quantum Money Scheme

n: Key size.

B: Poly(n)-size quantum circuit (the bank), which maps a secret key s ∈ {0,1}^n to a public key e_s and mixed state s.

A: Poly(n)-size quantum circuit (the authenticator), which takes (e, ) as input and either accepts or rejects.

(B,A) has completeness error if for every s,

(B,A) has soundness error if for every poly(n)-size quantum circuit C (the counterfeiter) mapping s k to r>k output registers s 1, …, s r,

If the counterfeiter C also receives e_s, then the scheme is public-key; otherwise it's private-key.

## Candidate Public-Key Money Scheme

The bank generates L random stabilizer states |C_1, …, |C_L, on n qubits each. Recall: a stabilizer state is a state obtainable from |0^n by CNOT, Hadamard, and gates only.

Then, for each |C_i, the bank generates m random stabilizer measurements E_i1, …, E_im, each of which has probability of commuting with |C_i and is otherwise completely random.

Finally, the bank distributes the following as a banknote: (banknote figure not captured in the transcript)

To verify this banknote, first check that sig is a valid digital signature of E. Then apply a random E_ij to each |C_i, and check that at least (say) a 1/2 + /4 fraction of them accept.

## Quantum Oracle Construction

Let's now give a quantum oracle U, relative to which a public-key quantum money scheme exists unconditionally.

(Figure: the action of U. On the n-bit secret key |s it outputs |e_s | s, where e_s is a 3n-bit public key and | s is an n-qubit Haar-random state. On |e_s | s it outputs |e_s | s |YES. On |e_s | , for any | orthogonal to | s, it outputs |e_s | |NO.)

Everyone (bank, customers, counterfeiters) has the same access to U. Clear that the bank can prepare banknotes |e_s | s, and legitimate buyers and sellers can authenticate them.

Question: Given e_s, together with k copies of | s for some k=poly(n), can a counterfeiter prepare additional copies of | s by making poly(n) queries to U?

## Complexity-Theoretic No-Cloning Theorem

Let | be an n-qubit pure state. Suppose we're given k copies of | as the initial state, as well as an oracle U such that U| = -| and U| = | for all | orthogonal to |. Then for all r>k, to prepare r states 1, …, r such that

we need this many queries to U:

This generalizes both the No-Cloning Theorem and the optimality of Grover's algorithm!

Proof requires generalizing Ambainis's adversary method to the case where the quantum algorithm's initial state already encodes some information about the target state.

## Definition of Quantum Copy-Protection Schemes

F: Family of Boolean functions f: {0,1}^n → {0,1}, together with a poly-size description d_f for each f ∈ F.

V: Poly-size quantum circuit (the vendor), which maps d_f to a quantum program f.

C: Poly-size quantum circuit (the customer), which takes ( f, x) as input and tries to output f(x).

(V,C) has correctness parameter if for all f ∈ F and x ∈ {0,1}^n,

(V,C) has security against a distribution D over F × {0,1}^n, if for all poly-size quantum circuits P (the pirate) mapping f k to r>k output registers f 1, …, f r, and all poly-size quantum circuits L (the freeloader),

## Candidate Scheme for Copy-Protecting Point Functions

(thanks to Adam Smith)

Goal: A quantum program | s that can be used to recognize a password s ∈ {0,1}^n, but not to create more quantum programs that efficiently recognize s.

Possible Solution:

1. Use a pseudorandom generator g: {0,1}^n → {0,1}^m to stretch s to g(s).
2. Interpret g(s) as a description of a quantum circuit U_{g(s)}.
3. Set | s := U_{g(s)} |0^n.

Given a candidate key, one can check whether it equals s by applying the inverse of that key's circuit to | s.

We'd like to give a quantum oracle U, relative to which quantum copy-protection is generically possible.

Obvious obstruction: If F is learnable (that is, any f ∈ F can be identified using poly(n) oracle calls), then there's no hope of copy-protecting F, using quantum mechanics or anything else!

Theorem: There exists a quantum oracle U, relative to which any family F of non-learnable, poly-time functions can be quantumly copy-protected, with security, against all pirates mapping k programs to r with (1-2 )r > 2k.

## Handwaving Proof Idea

Basic idea is the same as in the money case: for each f ∈ F, the quantum program | f will be a Haar-random state.

We'll offload all the work to the oracle: U prepares | f given d_f, and also computes f(x) given | f |x.

Let P be a poly-time algorithm for pirating | f, possibly using U.

Our job: Construct a simulator, which converts P into a poly-time algorithm for learning f ∈ F using oracle access to f (but not using U).

The simulator will mock up its own random state | , as well as an oracle U that computes f(x) given | |x (using oracle access to f).

The simulator then runs the pirating algorithm P, but using | and U instead of | f and U.

Suppose the simulated pirate outputs (say) | |.

The Complexity-Theoretic No-Cloning Theorem implies that | can't have significant overlap with |. But | is also a good quantum program for f. Indeed, one can show that | is still a good quantum program even if we replace U by the identity transformation.

So we've succeeded at learning a quantum program for f ∈ F, using oracle access to f.

Problem: In quantum polynomial time, how does one prepare a random pure state | ?

## Solution: Explicit Quantum t-Designs

(related to Ambainis-Emerson, CCC'07)

Clearly the states | p can be prepared in poly(n,d) time, where p is a degree-d univariate polynomial over GF(2^n) (and we interpret p(x) as an integer in {0, …, 2^n-1} when necessary).

Lemma: Let E be a quantum algorithm that receives t copies of | as input, and also makes q queries to a quantum oracle that recognizes |. Then provided

Hence, provided we choose the degree d to be sufficiently larger than the pirating algorithm's running time, we can use | p in place of | f in our simulation of the pirating algorithm.

## Open Problems

Publicly-verifiable quantum money (and copy-protected software) secure under non-tautological assumptions?

Copy-protect richer families than point functions?

Quantum money and copy-protection relative to a classical oracle?

Unsplittable amplification? (To avoid k k/2 k/2)

Adapt the [GGM] construction of PRFs from PRGs to work in the presence of quantum adversaries?

Information-theoretically secure quantum copy-protection? (In the regime where the error probability is large enough to allow it)
