How to Use Quantum Indistinguishability Obfuscation

TL;DR

The paper introduces quantum state indistinguishability obfuscation (qsiO) as a universal tool to achieve copy protection for general programs, showing that qsiO yields best-possible copy protection whenever copy protection is possible. It provides a concrete construction of qsiO relative to a quantum oracle and then leverages unclonable encryption, including a novel coupled variant (cUE), to extend copy protection to puncturable programs and PRFs. Under standard cryptographic assumptions such as injective one-way functions (and UE), the work proves copy protection results for decision, search, and point-function classes, with a structured toolkit of puncturing, key testing, and UE/cUE reductions. The results offer a principled, general framework for copy protection in the quantum setting and demonstrate practical routes to broadening the scope of protectable functionalities, with significance for secure quantum software distribution and anti-tampering guarantees. The combination of qsiO, puncturing, and unclonable encryption provides a versatile mechanism to achieve provable copy protection under widely believed assumptions.

Abstract

Quantum copy protection, introduced by Aaronson, enables giving out a quantum program-description that cannot be meaningfully duplicated. Despite over a decade of study, copy protection is only known to be possible for a very limited class of programs. As our first contribution, we show how to achieve "best-possible" copy protection for all programs. We do this by introducing quantum state indistinguishability obfuscation (qsiO), a notion of obfuscation for quantum descriptions of classical programs. We show that applying qsiO to a program immediately achieves best-possible copy protection. Our second contribution is to show that, assuming injective one-way functions exist, qsiO is concrete copy protection for a large family of puncturable programs -- significantly expanding the class of copy-protectable programs. A key tool in our proof is a new variant of unclonable encryption (UE) that we call coupled unclonable encryption (cUE). While constructing UE in the standard model remains an important open problem, we are able to build cUE from one-way functions. If we additionally assume the existence of UE, then we can further expand the class of puncturable programs for which qsiO is copy protection. Finally, we construct qsiO relative to an efficient quantum oracle.

Figures (8)

• Figure 1: $\texttt{CP-Expt}_{\mathsf{CP},\mathsf{Adv},\mathop{\mathrm{\mathsf{Ver}}}\nolimits}(\secpar)$. The challenger samples $f \leftarrow \mathop{\mathrm{\mathcal{F}}}\nolimits_\secpar$, creates the quantum implementation $\sigma = \mathsf{CP}(f)$, and sends it to the adversary. The adversary maps this to a state $\rho_{\mathop{\mathrm{\mathcal{A}}}\nolimits\mathop{\mathrm{\mathcal{B}}}\nolimits}$ on the two registers $\mathop{\mathrm{\mathcal{A}}}\nolimits$, $\mathop{\mathrm{\mathcal{B}}}\nolimits$, and sends $\rho_{\mathop{\mathrm{\mathcal{A}}}\nolimits\mathop{\mathrm{\mathcal{B}}}\nolimits}$ back to the challenger, along with (descriptions of) families of quantum circuits $A$ and $B$ on $\mathop{\mathrm{\mathcal{A}}}\nolimits$ and $\mathop{\mathrm{\mathcal{B}}}\nolimits$ respectively. The challenger runs $\mathop{\mathrm{\mathsf{Ver}}}\nolimits_{\secpar}(f,A) \otimes \mathop{\mathrm{\mathsf{Ver}}}\nolimits_{\secpar}(f,B)$ on $\rho_{\mathcal{A, B}}$, and outputs $1$ if both outcomes are $1$.
• Figure 2: $\texttt{Rand-Expt}_{\mathsf{Adv}}(n,\secpar)$. The challenger first generates random strings $x, \theta \leftarrow \{0,1\}^{10n+\secpar}, r^0, s^0 \leftarrow \{0,1\}^n$ and random matrices $U, V \leftarrow \{0,1\}^{n \times (10n+\secpar)}$. It then computes $r^1$ and $s^1$ as $Ux$ and $Vx$ respectively. The challenger samples random bits $a$ and $b$, and sends the state $\ket*{x^\theta}$ along with $r^a$ and $s^b$ to the adversary. The adversary then computes a quantum state $\rho_{\mathop{\mathrm{\mathcal{A}}}\nolimits,\mathop{\mathrm{\mathcal{B}}}\nolimits}$ and circuit descriptions $A$ and $B$, and sends $(A, B, \rho_{\mathop{\mathrm{\mathcal{A}}}\nolimits,\mathop{\mathrm{\mathcal{B}}}\nolimits})$ back to the challenger. The challenger measures $A^{\theta,U}$ and $B^{\theta,V}$ on $\rho_{\mathop{\mathrm{\mathcal{A}}}\nolimits,\mathop{\mathrm{\mathcal{B}}}\nolimits}$, obtaining outcomes $a'$ and $b'$. The adversary wins if $a'=a$ and $b'=b$.
• Figure 3: $\texttt{Search-Expt}_{\mathsf{Adv}}(n,\secpar)$. The challenger generates random strings $x, \theta \leftarrow \{0,1\}^{10n+\secpar}$ and matrices $U, V \leftarrow \{0,1\}^{n \times (10n+\secpar)}$ and sends $\ket*{x^\theta}, Ux, Vx$ to the adversary. The adversary responds with quantum circuits $\tilde{A}, \tilde{B}$ acting on a state $\rho_{\mathop{\mathrm{\mathcal{A}}}\nolimits,\mathop{\mathrm{\mathcal{B}}}\nolimits}$. The challenger measures $\tilde{A}^{\theta,U}$ and $\tilde{B}^{\theta,V}$ on $\rho_{\mathop{\mathrm{\mathcal{A}}}\nolimits,\mathop{\mathrm{\mathcal{B}}}\nolimits}$, obtaining outputs $x_A$ and $x_B$. The adversary wins if $x_A=x_B=x$.
• Figure 4: $\texttt{UE-Expt}_{\enc,\mathsf{Adv}}(\secpar)$. The challenger samples a secret encryption key $\sk$, while the adversary decides on a message $m$ and sends it to the challenger. The resulting internal state of the adversary is $\tau$, which will be provided to the next part of the adversary. The challenger samples a fresh random message $m^0$, sets $m^1 := m$, and encrypts $m^c$ for $c \leftarrow \{0,1\}$ using $\sk$. The challenger sends the encryption $\sigma$ to the adversary, who maps this to a state $\rho_{\mathop{\mathrm{\mathcal{A}}}\nolimits \mathop{\mathrm{\mathcal{B}}}\nolimits}$ on the two registers $\mathop{\mathrm{\mathcal{A}}}\nolimits, \mathop{\mathrm{\mathcal{B}}}\nolimits$ and returns $\rho_{\mathop{\mathrm{\mathcal{A}}}\nolimits \mathop{\mathrm{\mathcal{B}}}\nolimits}$ to the challenger, together with descriptions of (families of) quantum circuits $A$ and $B$ on $\mathop{\mathrm{\mathcal{A}}}\nolimits$ and $\mathop{\mathrm{\mathcal{B}}}\nolimits$, respectively, indexed by keys. The challenger runs $A^\sk$ and $B^\sk$ on $\rho_{\mathop{\mathrm{\mathcal{A}}}\nolimits \mathop{\mathrm{\mathcal{B}}}\nolimits}$, obtaining outcomes $a'$ and $b'$. The adversary wins if $a'=b'=c$.
• Figure 5: $\texttt{cUE-Expt}_{\enc,\mathsf{Adv}}(\secpar)$. The challenger samples encryption keys $\sk_A, \sk_B \leftarrow \{0,1\}^\secpar$. The adversary outputs messages $m_A, m_B$; its internal state $\tau$ will be used later. The challenger generates messages $m_A^0$, $m_B^0$, sets $m_A^1:=m_A$, $m_B^1:=m_B$, and randomly decides bits $a$, $b$. It encrypts $m_A^a, m_B^b$ with $\sk_A, \sk_B$ into $\sigma$ and sends it to the adversary. The adversary, with state $\sigma, \tau$, generates circuit descriptions $A$, $B$, and a state $\rho_{\mathop{\mathrm{\mathcal{A}}}\nolimits,\mathop{\mathrm{\mathcal{B}}}\nolimits}$, and sends them to the challenger. The challenger applies $A^{\sk_A}$ to $\rho_{\mathop{\mathrm{\mathcal{A}}}\nolimits}$, giving $a'$, and $B^{\sk_B}$ to $\rho_{\mathop{\mathrm{\mathcal{B}}}\nolimits}$, giving $b'$. The adversary wins if $a'=a$ and $b'=b$.

Theorems & Definitions (53)

• Remark 1
• Definition 1: Quantum implementation of a classical function
• Definition 2: Quantum state indistinguishability obfuscator ($\pcalgostyle{qsiO}$)
• Definition 3: Copy protection, correctness
• Definition 4: Copy protection, security
• Theorem 1: "Best-possible" copy protection
• proof
• Remark 2
• Theorem 2
• proof