Quantum Copy-Protection and Quantum Money
Scott Aaronson (MIT)
Any humor in this talk is completely unintentional
First Idea in the History of Quantum Info
Wiesner 1969 (!): Money that’s physically impossible to counterfeit, assuming only the truth of quantum mechanics
SERIAL NUMBER: x
POLARIZED QUBITS: |ψ_{x,1}⟩ |ψ_{x,2}⟩ |ψ_{x,3}⟩ |ψ_{x,4}⟩ …
By the No-Cloning Theorem, a counterfeiter who doesn’t know how the |ψ_{x,i}⟩’s were prepared can’t duplicate them
Achieves something flat-out impossible in the classical world!
One Problem: The bank has to maintain a giant database with a classical description of the |ψ_{x,i}⟩’s for every bill x ever issued
Solution (BBBW 1982): Generate the |ψ_{x,i}⟩’s by applying a pseudorandom function f_s : {0,1}^n → {0,1}^m to the serial number x, where s is a seed known only to the bank
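An added simulation of the Wiesner/BBBW scheme (example code written for this page, not from the talk or paper): each qubit is one of the four BB84 states, stored classically as a (basis, bit) pair, and the only quantum rule modelled is that measuring in the wrong basis yields a random outcome and disturbs the qubit. The BBBW step is the PRF: the bank regenerates each bill’s bases and bits from the serial number, so it stores only a seed. HMAC-SHA256 stands in for f_s (an assumption of this example), as do the qubit count and the constructed bank seed. The counterfeiter shown is the naive one that measures each qubit in a guessed basis; the block also computes the exact acceptance probabilities of that attack, (3/4)^n for one forged bill and (5/8)^n for both.

```python
"""Toy Wiesner/BBBW quantum money, simulated classically.

Each qubit is one of the BB84 states |0>, |1>, |+>, |->, stored as a
(basis, bit) pair. Measuring in the matching basis returns the stored bit
and leaves the qubit intact; measuring in the other basis returns a
uniformly random bit and collapses the qubit to that basis and outcome.
"""
import hashlib
import hmac
import random

N_QUBITS = 8
BANK_SEED = b"bank master seed (constructed for this example)"


def bill_secret(bank_seed: bytes, serial: int, n: int) -> list:
    """BBBW: derive the (basis, bit) pairs for serial x from a PRF f_s(x).
    HMAC-SHA256 in counter mode stands in for the PRF (assumption)."""
    pairs = []
    counter = 0
    while len(pairs) < n:
        msg = serial.to_bytes(8, "big") + counter.to_bytes(4, "big")
        block = hmac.new(bank_seed, msg, hashlib.sha256).digest()
        for byte in block:
            if len(pairs) == n:
                break
            pairs.append((byte & 1, (byte >> 1) & 1))  # (basis, bit)
        counter += 1
    return pairs


class Qubit:
    """A BB84 state; `measure` implements the disturbance rule above."""

    def __init__(self, basis: int, bit: int):
        self.basis, self.bit = basis, bit

    def measure(self, basis: int, rng: random.Random) -> int:
        if basis != self.basis:
            self.basis, self.bit = basis, rng.getrandbits(1)
        return self.bit


def mint(bank_seed: bytes, serial: int, n: int = N_QUBITS):
    """Bank: prepare the polarized qubits for serial number `serial`."""
    return serial, [Qubit(b, v) for b, v in bill_secret(bank_seed, serial, n)]


def verify(bank_seed: bytes, bill, rng: random.Random) -> bool:
    """Only the bank can do this: it recomputes f_s(x) and measures each
    qubit in the recorded basis. A genuine bill always passes."""
    serial, qubits = bill
    expected = bill_secret(bank_seed, serial, len(qubits))
    return all(q.measure(b, rng) == v for q, (b, v) in zip(qubits, expected))


def naive_counterfeit(bill, rng: random.Random):
    """Measure every qubit in a guessed basis and prepare two bills from the
    outcomes. The original is disturbed by the measurement, so the attacker
    ends up with two candidates, each per-qubit correct with probability 3/4."""
    serial, qubits = bill
    copies = ([], [])
    for q in qubits:
        basis = rng.getrandbits(1)
        bit = q.measure(basis, rng)
        for c in copies:
            c.append(Qubit(basis, bit))
    return (serial, copies[0]), (serial, copies[1])


def exact_acceptance(n: int) -> tuple:
    """Closed form for the naive attack: one forged bill passes with (3/4)^n
    (right basis 1/2, plus wrong basis 1/2 * 1/2); both forged bills pass
    with (5/8)^n (right basis 1/2, plus wrong basis 1/2 * 1/4)."""
    return (3 / 4) ** n, (5 / 8) ** n


def estimate_acceptance(trials: int, n: int = N_QUBITS, seed: int = 1) -> tuple:
    """Monte Carlo estimate of the same two probabilities."""
    rng = random.Random(seed)
    one = both = 0
    for serial in range(trials):
        forged_a, forged_b = naive_counterfeit(mint(BANK_SEED, serial, n), rng)
        ok_a = verify(BANK_SEED, forged_a, rng)
        ok_b = verify(BANK_SEED, forged_b, rng)
        one += ok_a
        both += ok_a and ok_b
    return one / trials, both / trials


def genuine_bill_passes(serial: int, seed: int = 1) -> bool:
    """A bill straight from the bank is accepted by the bank."""
    return verify(BANK_SEED, mint(BANK_SEED, serial), random.Random(seed))
```

The simulation makes the central drawback of the scheme concrete as well: `verify` needs `bank_seed`, so nobody but the bank can authenticate a bill.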
So Have We Solved the Millennia-Old Problem of Minting Secure Money? (Modulo the engineering difficulties?)
(Heisenberg’s Uncertainty Principle beating Newton not only in physics, but even in his later career as Master of the Mint?)
Central Drawback of the Wiesner and BBBW Schemes: Only the bank can authenticate the money
Theorem (A. 2009): To get uncloneable quantum money that anyone can authenticate, we need computational assumptions
But OK, why not? (We’d still be doing something amazing)
Quantum Software Copy-Protection
Finally, a serious use for quantum computing
We know copy-protection is fundamentally impossible in the classical world (not that that’s stopped people from trying…)
Question: Can you have a quantum state |ψ_f⟩ that lets you efficiently compute an unknown Boolean function f:{0,1}^n → {0,1}, but can’t be efficiently used to prepare more states that also let you efficiently compute f?
A task closely related to quantum money, which, like the latter, seems “just on the verge of being possible”
Observation: If the customer is able to buy poly(n) copies of |ψ_f⟩ from the software store, then we can only hope for computational security, not information-theoretic
This paper initiates the study of quantum money and quantum copy-protection from the standpoint of modern theoretical computer science.
Main result: Construction of quantum oracles relative to which publicly-verifiable quantum money, and quantum copy-protection of “arbitrary” software, are indeed possible
In other words: there’s no relativizing obstruction to these things
Oracle Defense 1: Any security proof for a real quantum money or copy-protection scheme will need to include our black-box security proof as a special case!
Oracle Defense 2: The black-box security proof is already quite nontrivial! Requires a “Complexity-Theoretic No-Cloning Theorem,” explicit quantum t-designs…
But what about the real world? Can I at least give candidate schemes that work with no oracle?
• Scheme for publicly-verifiable quantum money
• Based on random stabilizer states
• Under continuous assault by Hassidim and Lutomirski (so far, they’ve broken at least five of their own schemes)
• Schemes for copy-protecting point functions (functions f_s:{0,1}^n → {0,1} such that f_s(x)=1 iff x=s)
These schemes are provably secure, under the assumption that they can’t be broken
Definition of Quantum Money Scheme
n: Key size
B: Poly(n)-size quantum circuit (the “bank”), which maps a secret key s ∈ {0,1}^n to a public key e_s and mixed state ρ_s
A: Poly(n)-size quantum circuit (the “authenticator”), which takes (e, ρ) as input and either accepts or rejects
If the counterfeiter C also receives e_s, then the scheme is public-key; otherwise it’s private-key
(B,A) has completeness error if for every s, (condition as on the slide)
(B,A) has soundness error if for every poly(n)-size quantum circuit C (the “counterfeiter”) mapping ρ_s^{⊗k} to r>k output registers σ_{s,1},…,σ_{s,r}, (condition as on the slide)
Candidate Public-Key Money Scheme
• The bank generates L random stabilizer states |C_1⟩,…,|C_L⟩, on n qubits each
• Recall: A stabilizer state is a state obtainable from |0^n⟩ by CNOT, Hadamard, and phase gates only
• Then, for each |C_i⟩, the bank generates m random stabilizer measurements E_{i1},…,E_{im}, each of which has a fixed probability of commuting with |C_i⟩ and is otherwise completely random
• Finally, the bank distributes the following as a banknote: (as on the slide)
To verify this banknote, first check that sig is a valid digital signature of E
Then apply a random E_{ij} to each |C_i⟩, and check that at least (say) a 1/2+/4 fraction of them accept
Quantum Oracle Construction
Let’s now give a quantum oracle U, relative to which a public-key quantum money scheme exists unconditionally
(As drawn on the slide:) U maps |s⟩, an n-bit secret key, to |e_s⟩|ψ_s⟩, where e_s is a 3n-bit public key and |ψ_s⟩ is an n-qubit Haar-random state; U maps |e_s⟩|ψ_s⟩ to |e_s⟩|YES⟩, and maps |e_s⟩|φ⟩ to |e_s⟩|NO⟩ for any |φ⟩ orthogonal to |ψ_s⟩
Everyone (bank, customers, counterfeiters) has the same access to U
Clear that the bank can prepare banknotes |e_s⟩|ψ_s⟩, and legitimate buyers and sellers can authenticate them
Question: Given e_s, together with |ψ_s⟩^{⊗k} for some k=poly(n), can a counterfeiter prepare additional copies of |ψ_s⟩ by making poly(n) queries to U?
“Complexity-Theoretic No-Cloning Theorem”
Let |ψ⟩ be an n-qubit pure state. Suppose we’re given the initial state |ψ⟩^{⊗k}, as well as an oracle U such that U|ψ⟩ = -|ψ⟩ and U|φ⟩ = |φ⟩ for all |φ⟩ orthogonal to |ψ⟩. Then for all r>k, to prepare r states σ_1,…,σ_r such that (condition as on the slide), we need this many queries to U: (bound as on the slide)
This generalizes both the No-Cloning Theorem and the optimality of Grover’s algorithm!
Proof requires generalizing Ambainis’s adversary method to the case where the quantum algorithm’s initial state already encodes some information about the target state
Definition of Quantum Copy-Protection Schemes
F: Family of Boolean functions f:{0,1}^n → {0,1}, together with a poly-size “description” d_f for each f ∈ F
V: Poly-size quantum circuit (the “vendor”), which maps d_f to a quantum program ρ_f
C: Poly-size quantum circuit (the “customer”), which takes (ρ_f, x) as input and tries to output f(x)
(V,C) has correctness parameter if for all f ∈ F and x ∈ {0,1}^n, (condition as on the slide)
(V,C) has security against a distribution D over F × {0,1}^n if for all poly-size quantum circuits P (the “pirate”) mapping ρ_f^{⊗k} to r>k output registers σ_{f,1},…,σ_{f,r}, and all poly-size quantum circuits L (the “freeloader”), (condition as on the slide)
Candidate Scheme for Copy-Protecting Point Functions (thanks to Adam Smith)
• Goal: A quantum program |ψ_s⟩ that can be used to recognize a password s ∈ {0,1}^n, but not to create more quantum programs that efficiently recognize s
• Possible Solution:
• Use a pseudorandom generator g:{0,1}^n → {0,1}^m to stretch s to g(s)
• Interpret g(s) as a description of a quantum circuit U_{g(s)}
• Set |ψ_s⟩ := U_{g(s)}|0^n⟩
• Given s’, can check whether s’=s by applying U_{g(s’)}^{-1} to |ψ_s⟩ and measuring whether every qubit reads 0
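An added state-vector simulation of the point-function candidate (example code written for this page, not from the talk, the paper or Adam Smith): a password s is stretched by a PRG into a circuit description, |ψ_s⟩ = U_{g(s)}|0^n⟩ is the program, and a guess s’ is checked by running U_{g(s’)}^{-1} and measuring for 0^n. The PRG is SHA-256 in counter mode and g(s) is read as a sequence of H, T and CNOT gates on five qubits; these, the gate count and the sample passwords are assumptions of the example, not the paper’s choices. The `check` function performs the projective measurement, which shows a property the slide’s one-line description leaves implicit: a correct guess collapses the register to |0^n⟩, so re-applying U_{g(s)} restores the program exactly, while a wrong guess that is rejected leaves the program with fidelity 1 − p to the original, where p was the chance of being accepted.

```python
"""Toy simulation of the point-function copy-protection candidate.

Pure-Python state-vector simulation on a handful of qubits: amplitudes are
stored in a list indexed by the computational-basis integer, qubit q is bit
position q of that index.
"""
import cmath
import hashlib
import math
import random

N_QUBITS = 5   # kept tiny so the 2^n amplitudes fit in a list (assumption)
N_GATES = 64   # how many gates g(s) is read as (assumption)

INV_SQRT2 = 1 / math.sqrt(2)
H = ((INV_SQRT2, INV_SQRT2), (INV_SQRT2, -INV_SQRT2))
T = ((1, 0), (0, cmath.exp(1j * math.pi / 4)))
T_DAG = ((1, 0), (0, cmath.exp(-1j * math.pi / 4)))


def prg(seed: bytes, out_len: int) -> bytes:
    """Stand-in for the PRG g: SHA-256 in counter mode (assumption of this example)."""
    out = b""
    counter = 0
    while len(out) < out_len:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:out_len]


def circuit_from_bytes(desc: bytes, n: int) -> list:
    """Read g(s) two bytes at a time as gates from {H, T, CNOT} on n qubits."""
    gates = []
    for k in range(0, len(desc) - 1, 2):
        op, arg = desc[k] % 3, desc[k + 1]
        q = arg % n
        if op == 0:
            gates.append(("H", q))
        elif op == 1:
            gates.append(("T", q))
        else:
            t = (arg // n) % n
            if t == q:                      # CNOT needs distinct control/target
                t = (q + 1) % n
            gates.append(("CNOT", q, t))
    return gates


def apply_1q(state: list, gate, q: int) -> list:
    """Apply a 2x2 gate to qubit q: mix each pair of amplitudes that differ only in bit q."""
    new = list(state)
    mask = 1 << q
    for i in range(len(state)):
        if not i & mask:
            j = i | mask
            a, b = state[i], state[j]
            new[i] = gate[0][0] * a + gate[0][1] * b
            new[j] = gate[1][0] * a + gate[1][1] * b
    return new


def apply_cnot(state: list, c: int, t: int) -> list:
    """Where the control bit is 1, swap the amplitudes of target=0 and target=1."""
    new = list(state)
    for i in range(len(state)):
        if i & (1 << c):
            new[i ^ (1 << t)] = state[i]
    return new


def run(state: list, gates: list, inverse: bool = False) -> list:
    """Apply the circuit, or its inverse (reverse order, T -> T^dagger; H and CNOT are self-inverse)."""
    for g in (reversed(gates) if inverse else gates):
        if g[0] == "H":
            state = apply_1q(state, H, g[1])
        elif g[0] == "T":
            state = apply_1q(state, T_DAG if inverse else T, g[1])
        else:
            state = apply_cnot(state, g[1], g[2])
    return state


def zero_state(n: int) -> list:
    state = [0j] * (1 << n)
    state[0] = 1 + 0j
    return state


def circuit_for(password: bytes) -> list:
    """U_{g(s)}: the circuit described by the PRG output for password s."""
    return circuit_from_bytes(prg(password, 2 * N_GATES), N_QUBITS)


def quantum_program(password: bytes) -> list:
    """Vendor: |psi_s> = U_{g(s)} |0^n>."""
    return run(zero_state(N_QUBITS), circuit_for(password))


def accept_probability(program: list, guess: bytes) -> float:
    """Probability that applying U_{g(s')}^{-1} and measuring yields 0^n."""
    return abs(run(program, circuit_for(guess), inverse=True)[0]) ** 2


def check(program: list, guess: bytes, seed: int = 0):
    """One projective check; returns (accepted, post-measurement program).
    Acceptance collapses the register to |0^n>, and re-applying U_{g(s')}
    then restores |psi_s> exactly when s' = s. Rejection projects onto
    'not all zero' and leaves a damaged program."""
    rng = random.Random(seed)
    gates = circuit_for(guess)
    state = run(program, gates, inverse=True)
    p_zero = abs(state[0]) ** 2
    if rng.random() < p_zero:
        return True, run(zero_state(N_QUBITS), gates)
    state[0] = 0j
    norm = math.sqrt(max(1.0 - p_zero, 1e-300))
    return False, run([a / norm for a in state], gates)


def fidelity(a: list, b: list) -> float:
    """|<a|b>|^2 for two state vectors."""
    return abs(sum(x.conjugate() * y for x, y in zip(a, b))) ** 2
```

Nothing in this simulation models the no-cloning side of the scheme: with the full amplitude list in hand a simulator can of course copy the program, which is exactly what a real quantum state forbids and what the security claim is about.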
We’d like to give a quantum oracle U, relative to which quantum copy-protection is “generically possible”
Obvious obstruction: If F is learnable (that is, any f ∈ F can be identified using poly(n) oracle calls), then there’s no hope of copy-protecting F, using quantum mechanics or anything else!
Theorem: There exists a quantum oracle U, relative to which any family F of non-learnable, poly-time functions can be quantumly copy-protected, with security (as on the slide), against all pirates mapping k programs to r with (1-2)r > 2k
Handwaving Proof Idea
Basic idea is the same as in the money case: for each f ∈ F, the quantum program |ψ_f⟩ will be a Haar-random state
We’ll “offload all the work to the oracle”: U prepares |ψ_f⟩ given d_f, and also computes f(x) given |ψ_f⟩|x⟩
Let P be a poly-time algorithm for pirating |ψ_f⟩, possibly using U
Our job: Construct a simulator, which converts P into a poly-time algorithm for learning f ∈ F using oracle access to f (but not using U)
The simulator will mock up its own “random” state |ψ⟩, as well as an oracle U’ that computes f(x) given |ψ⟩|x⟩ (using oracle access to f)
The simulator then runs the pirating algorithm P, but using |ψ⟩ and U’ instead of |ψ_f⟩ and U
Suppose the simulated pirate outputs (say) |φ⟩|φ⟩
The Complexity-Theoretic No-Cloning Theorem implies that |φ⟩ can’t have significant overlap with |ψ⟩
But |φ⟩ is also a good quantum program for f. Indeed, one can show that |φ⟩ is still a good quantum program even if we replace U’ by the identity transformation
So we’ve succeeded at learning a quantum program for f ∈ F, using oracle access to f
Problem: In quantum polynomial time, how does one prepare a “random” pure state |ψ⟩?
Solution: Explicit Quantum t-Designs (related to Ambainis-Emerson, CCC’07)
(Definition of |ψ_p⟩ as on the slide,) where p is a degree-d univariate polynomial over GF(2^n) (and we interpret p(x) as an integer in {0,…,2^n-1} when necessary)
Clearly the |ψ_p⟩’s can be prepared in poly(n,d) time
Lemma: Let E be a quantum algorithm that receives |ψ⟩^{⊗t} as input, and also makes q queries to a quantum oracle that recognizes |ψ⟩. Then provided (condition as on the slide)
Hence, provided we choose the degree d to be sufficiently larger than the pirating algorithm’s running time, we can use |ψ_p⟩ in place of |ψ_f⟩ in our simulation of the pirating algorithm
Open Problems
• Publicly-verifiable quantum money (and copy-protected software) secure under non-tautological assumptions?
• Copy-protect richer families than point functions?
• Quantum money and copy-protection relative to a classical oracle?
• “Unsplittable amplification”? (To avoid k programs being split into k/2 and k/2)
• Adapt the [GGM] construction of PRFs from PRGs to work in the presence of quantum adversaries?
• Information-theoretically secure quantum copy-protection? (In the regime where the error probability is large enough to allow it)