1 Introduction
The obfuscation of a circuit is an object, generally another circuit, that allows a user to evaluate the functionality of the original circuit without learning any additional information about the structure of the circuit. Obfuscation is useful for publishing software without revealing the code, but it also has more fundamental applications in cryptography. For example, the strongest notion called virtual blackbox obfuscation can transform any privatekey encryption scheme into a publickey scheme. Unfortunately, this notion turns out to be impossible for general circuits [BGI01] – at least, if we require the obfuscation of a circuit to be a circuit itself.
The impossibility result from [BGI01] leaves open an intriguing possibility: what if the obfuscation of a (classical) circuit is allowed to be a quantum state? Could a quantum state contain all the information about a functionality, allowing a user to produce correct outputs, without revealing all that information? This possibility seems hopeful, due to the unrevealing nature of quantum states. However, in this work, we show that virtualblackbox obfuscating classical circuits into quantum states is not possible.
1.1 Related work
Barak et al. defined the notion of virtual blackbox (vbb) obfuscation: any information that an adversary can learn about a circuit from its obfuscation can also be learned by a simulator that does not have access to the obfuscation, but only to an oracle for the circuit’s functionality [BGI01]. In this definition, the crucial difference between the adversary and the simulator is that the adversary has access to a short representation of the circuit (namely, the obfuscation), whereas the simulator only has access to an input/output interface that implements the functionality. Some circuit classes allow the adversary to exploit this difference by using the obfuscation as an input value to the circuit itself. Those circuit classes are unobfuscatable in the vbb sense, rendering vbb obfuscation impossible for the general class of circuits in [BGI01].
In more detail, the impossibility proof in [BGI01] relies on point functions, which output zero everywhere except at a single input value , where they output a string . The circuits in the unobfuscatable class can, depending on the input, do all of the following: (1) apply that point function, (2) return an encryption of , (3) homomorphically evaluate a gate, or (4) check whether a ciphertext decrypts to . An adversary holding the obfuscation is able to divide it into single gates, and can use those to homomorphically evaluate option (1), thereby converting a ciphertext for into a ciphertext for . That way, the adversary can tell whether he is holding an obfuscation with a point function from to , or one with the allzero function. (In the second case, the homomorphic evaluation would yield a ciphertext for zero, rather than one for .) A simulator, only having access to the input/output behavior, cannot perform the homomorphic evaluation, because it cannot divide the functionality into single gates.
The above construction rules out the existence of an obfuscator that maps classical circuits to classical circuits. It leaves open the possibility an obfuscator that maps classical circuits to quantum states: such a quantum state, together with a fixed public ‘interpreter map’, could be used to evaluate the obfuscated circuit. The possibility of quantum obfuscation was the object of study for Alagic and Fefferman [AF16], who attempted to port the impossibility proof from [BGI01] to the quantum setting. In doing so, they encountered two issues:

[style=unboxed,leftmargin=0.5cm]
 Homomorphic evaluation.

The interpreter map, that runs the obfuscation state on a chosen input, is a quantum map. It will likely have quantum states as intermediate states of the computation, so in order to homomorphically run the point function, one needs the ability to evaluate quantum gates on quantum ciphertexts. The unobfuscatable circuit class will thus need to contain quantum circuits to perform homomorphic evaluation steps.
 Reusability.

In the construction from [BGI01], the obfuscated circuit needs to be used multiple times: for example, each homomorphic gate evaluation requires a separate call to the obfuscated circuit. If the obfuscation is a (classical or quantum) circuit, this poses no problem, but if it is a quantum state, multiple uses are not guaranteed.
These two issues limit the extent of the impossibility results in [AF16]: they show that it is impossible to vbb obfuscate quantum circuits into reusable obfuscated states (e.g., quantum circuits).
After it became clear [BGI01] that obfuscating all classical circuits is impossible, efforts were made to construct obfuscators for smaller, but still nontrivial, classes of circuits. Successful constructions have been found for several classes of evasive functions, such as point functions [Wee05, CD08] and computeandcompare functions [WZ17, GKW17]. Currently, no quantum obfuscators are known for circuit classes that cannot be classically obfuscated.
1.2 Our contributions
We strengthen the impossibility of virtualblackbox obfuscation of classical circuits by showing that classical circuits cannot be obfuscated into quantum states. We assume the existence of classicalclient quantum fully homomorphic encryption and classical obfuscation of computeandcompare functions. Both of these can be constructed from the learningwitherrors (LWE) assumption [Mah18, Bra18, WZ17]. The computeandcompare construction requires the strongest assumption in terms of the LWE parameters.
Theorem (informal).
If LWE is hard for quantum algorithms, then it is impossible to quantum vbb obfuscate the class of polynomialsize classical circuits (even with nonnegligible correctness and security error).
Our result uses the same proof strategy as in [BGI01] and [AF16], overcoming the two main issues described above as follows:

[style=unboxed,leftmargin=0.5cm]
 Homomorphic evaluation.

The constructions in [BGI01] and [AF16] rely on the obfuscator to implement the homomorphic evaluations, by obfuscating the functionality “decrypt, then apply a gate, then reencrypt”. However, by now, we know how to build quantum homomorphic encryption schemes directly [Mah18, Bra18], based on the learningwitherrors (LWE) assumption. Thus, in our construction, we can remove the homomorphic gate evaluation from the obfuscated circuits: the adversary can do the homomorphic evaluation of the point function herself, using a quantum homomorphic encryption scheme. With the homomorphic evaluation removed from it, the class of circuits that we prove impossible to obfuscate can remain classical.
 Reusability.

The circuits that we consider are classical and deterministic. Therefore, if the interpreter map is run on an obfuscation state for a circuit , plus a classical input , then by correctness, the result is (close to) a computationalbasis state . This output can be copied out to a separate wire without disturbing the state, and the interpreter map can be reversed, recovering the obfuscation to be used again. If the interpreter map is not unitary, then it can be run coherently (i.e., keeping purification registers around instead of measuring wires), and this coherent version can be reversed as long as the purification registers are not measured.
At one point in our proof, we will need to run the interpreter map homomorphically on (an encryption of) and . This may result in a superposition of different ciphertexts for , which cannot cleanly be copied out to a separate wire without entangling that wire with the output. Thus, recovering is not necessarily possible after the homomorphicevaluation step.
We circumvent this problem by making sure that the homomorphic evaluation occurs last, so that is not needed anymore afterwards. This reordering is achieved by classically obfuscating the part of the circuit that checks whether a ciphertext decrypts to the value . That way, this functionality becomes a constant output value that a user can request and store before performing the homomorphic evaluation, and use afterwards. To obfuscate the decryption check, we use a classical vbb obfsucator for computeandcompare functions, which relies on a variant of the LWE assumption [WZ17].
Our impossibility result compares to the classical impossibility result from [BGI01] as follows. First, as mentioned, we extend the realm of impossible obfuscators to include obfuscators that produce a quantum state, rather than a classical circuit. Second, the impossibility result from [BGI01] holds under the assumption that oneway functions exist, whereas we require the stronger (but still standard) assumption that learningwitherrors is hard for quantum adversaries. It may be possible to relax this assumption if can be recovered after the homomorphic evaluation. Third, the class of classical circuits that cannot be obfuscated is slightly different: in our work, it does not have the homomorphicevaluation functionality built into it, and is therefore arguably simpler, strengthening the impossibility result. However, we stress that in both works, the unobfuscatable circuit class itself is somewhat contrived: the main implication is that its superclass is unobfuscatable.
As an intermediate result, we show that it is impossible to vbb obfuscate the more natural class of classical multibitoutput point functions into a quantum state, if the adversary and simulator have access to auxiliary classical information that contains an encryption of the nonzero input value and an obfuscation of a function depending on the secret key for that encryption.
Theorem (informal).
If LWE is hard for quantum algorithms, then it is impossible to quantum vbb obfuscate multibitoutput point functions and the allzero function under the presence of classical dependent auxiliary information (even with nonnegligible soundness and security error).
At first glance, that may seem to contradict the construction in [WZ17], where vbb obfuscation for point functions is constructed, even in the presence of dependent auxiliary information. The crucial difference is that the [WZ17] construction only allows a limited dependency of the auxiliary information, whereas in our impossibility proof, the dependence is slightly stronger. This subtle difference seems to indicate that the gap between possibility and impossibility of vbb obfuscation is closing.
1.3 Open questions
The strongest assumption in our work is the existence of the classical vbb obfuscator for computeandcompare functions, which relies on a variant of LWE. It is necessary because the QFHE evaluation may destroy the obfuscation state when the superposition of output ciphertexts is measured. However, it is not clear if this measurement actually destroys any information on the plaintext level, since the plaintext value is deterministic. Thus, it may be possible to recover the (plaintext) obfuscation state after the QFHE evaluation. In that case, it is not necessary to classically obfuscate the computeandcompare function: it can simply be part of the quantumobfuscated functionality.
Other open questions are about possibilities rather than impossibilities. What circuit classes can be vbb obfuscated into quantum states? Is quantum vbb obfuscation stronger than classical vbb obfuscation, in the sense that it can obfuscate circuit classes that classical vbb cannot? Also, the weaker notion of indistinguishability obfuscation (iO) (also introduced in [BGI01]) is not affected by our impossibility result: it may still be possible to classically or quantumly iO obfuscate classical functionalities. Could such a construction be lifted into the quantum realm, so that we can (quantum) iO obfuscate quantum functionalities?
1.4 Structure of this work
In Section 2, we give preliminary definitions of the relevant concepts for this work: (classical and quantum) obfuscation, quantum fully homomorphic encryption, and computeandcompare functions. We also describe how the input of an (almost) deterministic quantum circuit can be recovered. In Section 3, we prove impossibility of quantum obfuscation of point functions under dependent auxiliary input. Building on the concepts in that section, Section 4 proves our main result, impossibility of quantum obfuscation of classical circuits without any auxiliary input.
2 Preliminaries
2.1 Notation
PPT stands for a probabilistic polynomialtime algorithm, and QPT stands for a quantum polynomialtime algorithm. If a classical or quantum algorithm has oracle access to a classical function , we write . If has access to multiple oracles with separate input/output interfaces, we write, e.g., . A quantum algorithm always has superposition access to its oracle(s).
Let denote an unspecified polynomial . Similarly, let denote an unspecified negligible function , i.e., for all constants there exists an such that for all , . Let denote the allzero function on input bits: for all .
If is a distribution, we write to signify that is sampled according to . For a finite set , we write to signify that is sampled uniformly at random from the set . Two distribution ensembles and are computationally indistinguishable, written , if no polytime algorithm can distinguish between a sample from one distribution or the other, i.e., for all PPT ,
We sometimes write if it is clear from which distributions and are sampled. If not even a QPT algorithm can distinguish, the distributions are quantum computationally indistinguishable.
A pure quantum state is written or , and a mixed quantum state is usually denoted by or . As a special case, a computationalbasis state is written for some classical string . We sometimes abuse notation and give a classical input to a quantum algorithm , writing : in that case, the algorithm is actually given as input.
and denote the bitflip gate and phaseflip gate, respectively. If we write for some , we mean that the gate is applied if ; otherwise, identity is applied.
Finally, for a mixed state , let denote the trace norm. The trace distance is a measure for how different to mixed states and are.
2.2 Classical and Quantum VirtualBlackBox Obfuscation
In this work we consider socalled circuit obfuscators: the functionalities to be hidden are represented by circuits. A virtualblackbox circuit obfuscator hides the functionality in such a way that the obfuscation looks like a “black box”: the only way to get information about its functionality is to evaluate it on an input and observe the output.
Definition 2.1 ([Bgi01, Definition 2.2]).
A classical virtual blackbox obfuscator for the circuit class is a probabilistic algorithm such that

(polynomial slowdown) For every circuit , ;

(functional equivalence) For every circuit , the string describes a circuit that computes the same function as ;

(virtual blackbox) For any PPT adversary , there exists a PPT simulator such that for all circuits ,
As a variation on the third requirement, one may assume that some auxiliary information (which may depend on the circuit ) is present alongside the obfuscation . In that case, a simulator with access to that auxiliary information should still be able to simulate the adversary’s output distribution:
Definition 2.2 ([Gk05, Definition 3]).
A classical virtual blackbox obfuscator w.r.t. dependent auxiliary input for a circuit class is a probabilistic algorithm that satisfies Definition 2.1, with the “virtual blackbox” property redefined as follows:

(virtual blackbox) For any PPT adversary , there exists a PPT simulator such that for all circuits and all strings (which may depend on ),
In the quantum setting, we consider quantum obfuscators for classical circuit classes: that is, the obfuscation may be a quantum state. We adapt Definition 5 from [AF16], which defines quantum obfuscators for quantum circuits.
Definition 2.3.
A quantum virtual blackbox obfuscator for the classical circuit class is a quantum algorithm and a QPT such that

(functional equivalence) For every circuit and every input ,

(virtual blackbox) For every QPT adversary , there exists a QPT simulator (with superposition access to its oracle) such that for all circuits ,
There are a few differences with the classical definition. First, the obfuscation is a quantum state, and not a (classical or quantum) circuit. Second, due to the probabilistic nature of quantum computation, we allow a negligible error in the functional equivalence. Third, the simulator is slightly more powerful because of its superposition access to the functionality of : a query performs the unitary operation specified by , where is the bitwise XOR operation. Note that a quantum adversary can always use a (classical or quantum) obfuscation to compute the obfuscated functionality on a superposition of inputs, obtaining a superposition of outputs. For this reason, the simulator gets superposition access to its oracle in the quantum setting. Throughout this work, all oracles supplied to quantum algorithms allow for superposition access.
We can again strengthen the virtual blackbox property to include (classical or quantum) dependent auxiliary information: this auxiliary string or state would be provided to both the adversary and the simulator, in the same way as in Definition 2.2.
2.3 Quantum Fully Homomorphic Encryption
A fully homomorphic encryption (FHE) of a message provides privacy by hiding the message, but allows ciphertexts to be transformed in a meaningful way. Given a ciphertext for , some party that only knows the public key can produce a ciphertext for for any efficiently computable function . Any information that is necessary for this transformation is contained in the public key (in particular, we do not make a distinction between the public key and evaluation key).
A quantum fully homomorphic encryption (QFHE) scheme allows quantum computations on encrypted quantum data. From the learningwitherrors assumption, it is possible to construct secure QFHE schemes where all clientside operations (key generation, encryption, and decryption) are classical [Mah18, Bra18].
Definition 2.4.
A quantum fully homomorphic encryption scheme consists of four QPT algorithms

Key Generation: produces a public key and a secret key , given a security parameter .

Encryption: encrypts a singlebit message . For multibit messages , we write to denote the bitbybit encryption .

Decryption: decrypts a ciphertext into a singlebit message , using the secret key . If is a ciphertext for a multibit message, we write for the bitbybit decryption.

Homomorphic evaluation: takes as input the public key, a classical description of a BQP circuit with input wires and output wires, and a bitbybit encrypted ciphertext encrypting bits. It produces a , a sequence of output ciphertexts.
The QFHE schemes from [Mah18, Bra18] encrypt a message
using a quantum onetimepad with random keys
, attaching classical FHE ciphertexts of the onetime pad keys:Note that this ciphertext can be classically represented as the tuple , so that encryption may be seen as a classical procedure. Conversely, a classical homomorphic encryption can easily be turned into a valid quantum homomorphic encryption by preparing the state which decrypts to . Thus, it is possible to freely switch back and forth between quantum ciphertexts and classical ciphertexts, as long as the message is known to be classical.
The quantum onetime pad encryption also straightforwardly extends to encrypting general quantum states , rather than only computationalbasis states : the quantum onetime pad is simply applied to the state , and the onetimepad keys encrypted into a computationalbasis state as above. Of course, encryption becomes a quantum procedure in this setting. We will use encryption of quantum states in our work, where we supply the encryption of a quantumstate obfuscation as the input to a homomorphic evaluation.
2.4 Point Functions and ComputeandCompare Functions
The class of computeandcompare functions, as well as its subclass of point functions, plays an important role in this work. In this section we define these function classes.
Definition 2.5 (Point function).
Let . The point function is defined by
(1) 
The value is called the target value. Point functions are a special type of computeandcompare functions, where the function is the identity:
Definition 2.6 (Computeandcompare function).
Let and . The computeandcompare function is defined by
(2) 
One can also consider point functions or computeandcompare functions with multibit output: in that case, the function outputs either some string (instead of 1), or the allzero string (instead of 0). We denote such functions with and .
2.5 Recovering the Input of a Quantum Circuit
We will consider (efficient) quantum operations as (polynomialsize) circuits, consisting of the following set of basic operations: unitary gates from some fixed constantsize gate set, measurements in the computational basis, and initialization of auxiliary wires in the state.
While unitary gates are always reversible by applying their transpose ( for any unitary ), measurement gates may not be, as they can possibly collapse a state. However, we can effectively delay all measurements in a circuit until the very end, as follows. Define as the unitary that computes coherently: that is, for every computationalbasis measurement in on some wire , performs a CNOT operation from onto a fresh auxiliary target wire initialized in the state . The circuit is now equivalent to the following operation: initialize all auxiliary target wires in the state^{5}^{5}5If, apart from the CNOT targets, the circuit contains any other wires that are initialized in the state inside the circuit, those wires are also considered part of the input of the unitary . They should be initialized to here as well., apply the unitary , and measure all auxiliary target wires in the computational basis.
In this work, we will encounter circuits
which, for specific inputs, yield a specific state in the computational basis with very high probability. In the proof of the following lemma, we specify how to use coherent computation in order to learn the output value while preserving the input quantum state.
Lemma 2.7.
Let be a quantum circuit. There exists an inputrecovering circuit such that for all inputs , the following holds: if for some classical string and some , then
The specification of is independent of the specific input state . However, cannot necessarily recover all possible inputs , only those that lead to an almostclassical output.
The inputrecovering circuit consists of running coherently, copying out the output register, and reverting the coherent computation of . We formally prove Lemma 2.7 in Appendix A.
3 Impossibility with respect to Dependent Auxiliary Information
In this section, we show impossibility of virtualblackbox quantum obfuscation of classical point functions under dependent auxiliary information. It sets the stage for our main result, Theorem 4.1: there, we get rid of the auxiliary information, but the unobfuscatable function class becomes less natural. Although the result in the current section is perhaps less surprising, the proof contains the most important technical details of our work.
The impossibility result requires two cryptographic primitives, both of which can be built from the the hardness of LWE [Mah18, WZ17, GKW17]: (1) quantum fully homomorphic encryption with classical clientside operations (see Section 2.3), and (2) classical vbb obfuscation of computeandcompare functions. Our result therefore holds under the assumption that LWE is hard: the least favorable parameters are required for the obfuscation of computeandcompare functionalities, and are discussed in Section 3.1.
In Section 3.1, we describe the classical obfuscator for computeandcompare functions that we use. We will apply the construction from [WZ17, GKW17] to a specific class of computeandcompare functions with a specific type of auxiliary information. In Section 3.2, we use this specific application to define a class of circuits and auxiliaryinformation strings that is unobfuscatable in the quantum vbb sense. The impossibility proof follows in Section 3.3.
3.1 Classical obfuscation of computeandcompare functions
The works of [WZ17, GKW17] showed that under the assumption that LWE (with polynomial dimension and exponential modulus in the security parameter ) is hard, it is possible to classically obfuscate computeandcompare functions [WZ17, GKW17]. We will write “LWE*” to denote their specific variant of the LWE assumption. We note that LWE is known to be at least as hard at worstcase lattice problems [Reg05, PRS17]
. In particular the aforementioned parameter regime translates to the worstcase hardness of the Gap Shortest Vector Problem (GapSVP) with with subexponential approximation factor (in the dimension of the lattice). There is currently no known superpolynomial quantum speedup for GapSVP, and the best known quantum (and classical) algorithms require subexponential running time.
These works achieve socalled distributional virtualblackbox obfuscation of functions , assuming that the target value has sufficient pseudoentropy given a description of the function . The obfuscation is even secure in the presence of (dependent) auxiliary information, as long as the pseudoentropy of the target value remains high, even conditioned on this auxiliary information.
In our construction, we provide a classicallyobfuscated computeandcompare function as auxiliary information to a quantum obfuscation. We will require that the target value of the computeandcompare function is sufficiently random, even given the rest of the auxiliary information (including the quantum obfuscation).
More specifically, for any INDsecure publickey encryption scheme and fixed bit string , define a distribution ensemble that samples
where is a computeandcompare function as in Definition 2.6. For each and , the target value is chosen independently from all other information: its pseudoentropy is , even conditioned on and . Therefore, there exists an obfuscation procedure for this class of computeandcompare programs that has distributional indistinguishability in the following sense:
Lemma 3.1 (Application of [Wz17, Theorem 5.2]).
Under the LWE* assumption, there exists a classical obfuscation procedure and a (nonuniform) simulator such that for all ,
(3) 
where as defined above, and is some information that is independent of and (e.g., it may contain the size of the circuit and/or ).
We note that the proof in [WZ17, GKW17] showed a classical reduction from the hardness of distinguishing the aforementioned distributions to the hardness of solving LWE. We note that proofs by (either Karp or Turing) classical polynomialtime reduction from to implies that any solver for can be translated into a solver for with comparable complexity, in particular if the solver for runs in quantum polynomial time then so will the resulting solver for .
As a consequence of Lemma 3.1, we show that it is hard to guess the value of , given only a ciphertext for , and an obfuscation of the computeandcompare function. Intuitively, since the information is completely independent of the target value , the obfuscation effectively hides the secret key that would be necessary to learn .
Lemma 3.2.
Under the LWE* assumption, there exists a negligible function such that for any QPT algorithm and any ,
(4) 
Here, the probability is over , , and the execution of .
Proof.
The result follows almost directly from Lemma 3.1, except that we want to bound the probability that outputs the multibit string , whereas Lemma 3.1 only deals with algorithms with a singlebit output.
To bridge the gap, define an algorithm that runs on its input, and compares the output of to : if they are equal, outputs 1; otherwise, it outputs 0.
For any fixed value of , we have
(5)  
(6)  
(7) 
The approximation (*) follows from Lemma 3.1, and holds up to a difference of .
To complete the proof, note that depends neither on nor on . Thus, randomizing over again, and invoking privacy of the encryption, we get
(8) 
∎
We have thus established that, even in the presence of an obfuscated computeandcompare function that depends on the secret key, encryptions remain secure. For this security to hold, it is important that the target value is sufficiently independent of the plaintext .
3.2 An unobfuscatable circuit class
In this subsection, we define the class of circuits and auxiliaryinformation strings that we will prove unobfuscatable. Like in [BGI01], we will exploit the idea that access to an object (circuit or quantum state) that allows the evaluation of a function is more powerful than mere blackbox access to the functionality: in particular, it allows us to evaluate the function homomorphically. For this argument to work, it is important that the function is not easily learnable through blackbox access. We will use point functions, as in [BGI01]: with blackbox access only, it is hard to tell the difference between a point function and the allzero function , that accepts inputs of length , and always returns .
Consider the class of circuits plus auxiliary information, where
(9)  
(10) 
The class contains all bit point functions, together with an encryption of the point input , and a function that checks whether a ciphertext decrypts to the target value . contains the allzero function (which is itself a point function), but still with auxiliary information for the possible values of and .
Suppose that some quantum obfuscation exists. We define a QPT algorithm , which expects an obfuscation (or ), together with the classical auxiliary information . On general inputs and of this form, let do as follows:

Run to homomorphically evaluate the interpreter algorithm . If , , and , then this step results in an encryption of with high probability. If , , and , then it results in an encryption of . Note that we use classical and quantum ciphertexts for the QFHE scheme interchangeably here: see Section 2.3 for a justification.

Run on the output of the previous step. If , this will indicate whether the previous step resulted in a ciphertext for or not.
The above algorithm will almost certainly output 1 when given an element from , because of the functional equivalence of the two obfuscations and the correctness of the homomorphic evaluation. Similarly, when given an element from , it will almost certainly output 0. Formally, for all ,
(11)  
(12) 
The vastly different output distribution of when given an obfuscation of a point function versus the zero function are due the fact that has an actual representation, , of the function to feed into the interpreter . In the proof in the next subsection, we will see that a simulator, with only blackbox access to these functionality, will not be able to make that distinction.
3.3 Impossibility proof
We are now ready to state and prove the impossibility theorem for quantum obfuscation of classical circuits with dependent auxiliary input. We reiterate that the two assumptions (quantum FHE and computeandcompare obfuscation) can be realized under the LWE* assumption.
Theorem 3.3 (Impossibility of quantum obfuscation w.r.t. auxiliary input).
Suppose that a classicalclient quantum fully homomorphic encryption scheme exists that satisfies Definition 2.4, and a classical obfuscation procedure for computeandcompare functionalities exists that satisfies Lemma 3.1. Then any quantum obfuscator for the class satisfying conditions 1 (polynomial expansion) and 2 (functional equivalence) from Definition 2.3 cannot be virtual blackbox under the presence of classical dependent auxiliary input, i.e., cannot satisfy condition 3 from Definition 2.3 where both and get access to a classical string (which may depend on ).
It may seem that the class , consisting of point functions, is classically obfuscatable using from [WZ17, GKW17]. That obfuscation is secure if (wich is the target value if we view as the multibit output computeandcompare function ) is unpredictable given the auxiliary information . On the surface, that seems to be the case: only an encryption of is available in the auxiliary information. However, the secret key is present as part of the computeandcompare function . That function is obfuscated, but the obfuscation is not secure in the presence of (an obfuscation of) . Thus, the obfuscation result from [WZ17, GKW17] almost applies to the class , but not quite. Hence we are able to prove impossibility of obfuscating it, which we do below.
Proof.
The proof structure is similar to [BGI01], and is by contradiction: assume that a quantum obfuscation for the class does exist that satisfies all three conditions. We will show that the output distribution of the algorithm defined in Section 3.2 is approximately the same for every element of the class, contradicting Equations 12 and 11.
By the assumption of the existence of a secure quantum obfuscation , there exists a simulator such that
(13)  
(14) 
Here, the probability is taken over and . Note that does not depend on , , , or .
In the remainder of this proof we show that for any (independent of , , , ),
(15) 
from which it can be concluded that
(16) 
Since Equations 12 and 11 imply that this difference must be at least , Equation 16 yields a contradiction.
To show that Equation (15) holds, i.e., to bound the difference in output probabilities of when given an oracle for versus an oracle for , we employ the oneway to hiding theorem as it is stated in [AHU19, Theorem 3]. It says that there exists a QPT algorithm such that
(17) 
where is the query depth of . However, by Lemma 3.2, the probability that outputs when given the auxiliary information is negligible in . Granting access to the zerooracle and the additional input does not increase this probability, since the value of can already be deduced from .
We end this section with a few remarks: we describe some variants and generalizations of Theorem 3.3 which almost immediately follow from the presented proof.
Remark.
The proof for Theorem 3.3 also works if we replace with , the quantum obfuscation we get from the assumption. This adaptation renders a quantum obfuscator for point functions impossible with respect to dependent auxiliary quantum input: a slightly weaker statement, but it does not require the existence of a classical obfuscator for computeandcompare programs. In particular, the required LWE parameters are better, because we only need the assumption of quantum fully homomorphic encryption.
Remark.
Even a quantum obfuscator for with nonnegligible errors in the functional equivalence and/or the virtualblackbox property would lead to a contradiction in the proof of Theorem 3.3. Concretely, let denote the error for functional equivalence, and denote the error for security in the virtualblackbox sense (they are both in Definition 2.3). The impossibility proof works for any values of such that . So in particular, even a quantum obfuscator with small constant (instead of negligible) errors in both conditions cannot exist.
Remark.
The bounds in Equations 14 and 13 are necessary to arrive at a contradiction, and we get them by assuming the virtualblackbox property. However, the virtualblackbox property is stronger in the sense that it requires the difference between adversary and simulator to be negligible for any circuit in the class (i.e., in the worst case), whereas Equations 14 and 13 only require the difference to be small on average over the choice for and the auxiliary information. Hence, the notion of obfuscation that we prove impossible is closer to the (weaker) “distributional” virtual blackbox [HRSV07], yielding a slightly stronger impossibility result. The same remark applies to the results obtained in [BGI01].
4 Impossibility without Auxiliary Information
In this section, we will show that quantum virtualblackbox obfuscation of classical circuits is impossible even when no auxiliary information is present. We will rely heavily on the class constructed in Section 3, essentially showing how the auxiliary information can be absorbed into the obfuscated circuit. As a result, the unobfuscatable circuit class itself becomes less natural. However, the circuits in the class are still classical polynomialsize circuits. Thus, our theorem implies impossibility of quantum vbb obfuscation of the class of all efficient classical circuits.
The circuit class we consider in this section consists of circuits of the following form:
(18) 
or
(19) 
The input bit is a choice bit: if it is set to 1, the function or is evaluated on the actual input , whereas if it is set to 0, the auxiliary information is retrieved. We can then define the circuit class , where
(20)  
(21) 
Note that in all circuits in this class, the auxiliary information is fixed. Hence, when an encryption of is requested by setting , the circuit always returns the same ciphertext (rather than a fresh encryption of every time).
Similarly to the setting with auxiliary input, there exists a QPT algorithm that has extremely different output distributions when given a circuit from versus a circuit from . On an input state , we define as follows:

Run , where is the inputrecovering version of the interpreter circuit (see Lemma 2.7). If is an obfuscation of a circuit in , this will result in a state (negligibly close to) . Measure to obtain and interpret it as , i.e., interpret as the public key, as a ciphertext for , and as an obfuscation of a computeandcompare function.

Run . Similarly to Section 3.2, this will result in a ciphertext for (if was an obfuscation of a circuit in ) or a ciphertext for (if was an obfuscation of a circuit in ).

Run on the output of the previous step. If , this will indicate whether the previous step resulted in a ciphertext for or not.
We are now ready to state our main theorem.
Theorem 4.1 (Impossibility of quantum obfuscation).
Suppose that a classicalclient quantum fully homomorphic encryption scheme exists that satisfies Definition 2.4, and a classical obfuscation procedure for computeandcompare functionalities exists that satisfies Lemma 3.1. Then any quantum obfuscator for the class satisfying conditions 1 (polynomial expansion) and 2 (functional equivalence) from Definition 2.3 cannot be virtual blackbox, i.e., satisfy condition 3 from Definition 2.3.
Corollary 4.2.
If the LWE* assumption holds, the class of classical polynomialsize circuits cannot be quantum virtualblackbox obfuscated in the sense of Definition 2.3.
Proof of Theorem 4.1.
We again prove the statement by contradiction, assuming that there does exist an obfuscator that securely obfuscates . By this assumption, there must exist a simulator such that
(22)  
(23) 
The output distribution of can be exactly simulated by another simulator, , that has access only to an oracle for or , and gets the auxiliary information as input. can simply run , simulating each oracle query using its own oracle or input, or a combination thereof. We formally show the existence of such an in Lemma B.1.
We can thus conclude that
(24)  
(25) 
However, by Equation (15) in the proof of Theorem 3.3, the output distribution of can only differ negligibly between the two different oracles. Thus, we have
(26) 
This contradicts our observation that on input , will almost always output 1, whereas on input , it will almost always output 0. ∎
Acknowledgements
We thank Andrea Coladangelo, Urmila Mahadev and Alexander Poremba for useful discussions. CS is supported by a NWO VIDI grant (Project No. 639.022.519). GA acknowledges support from the NSF under grant CCF1763736, from the U.S. Army Research Office under Grant Number W911NF2010015, and from the U.S. Department of Energy under Award Number DESC0020312. ZB is supported by the Binational Science Foundation (Grant No. 2016726), and by the European Union Horizon 2020 Research and Innovation Program via ERC Project REACT (Grant 756482) and via Project PROMETHEUS (Grant 780701). Part of this work was done while the authors were attending The Quantum Wave in Computing
at the Simons Institute for the Theory of Computing.
References

[AF16]
G. Alagic and B. Fefferman.
On quantum obfuscation.
2016.
arXiv: 1602.01771. 
[AHU19]
A. Ambainis, M. Hamburg, and D. Unruh.
Quantum security proofs using semiclassical oracles.
In Annual International Cryptology Conference, pages 269–295.
Springer, 2019.
DOI: 10.1007/9783030269517_10. 
[BGI01]
B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan, and
K. Yang.
On the (im) possibility of obfuscating programs.
In Annual International Cryptology Conference, pages 1–18.
Springer, 2001.
DOI: 10.1007/3540446478_1. 
[Bra18]
Z. Brakerski.
Quantum FHE (almost) as secure as classical.
In H. Shacham and A. Boldyreva, editors, Advances in Cryptology
 CRYPTO 2018  38th Annual International Cryptology Conference, Santa
Barbara, CA, USA, August 1923, 2018, Proceedings, Part III, volume 10993
of Lecture Notes in Computer Science, pages 67–95. Springer, 2018.
DOI: 10.1007/9783319968780_3. 
[CD08]
R. Canetti and R. R. Dakdouk.
Obfuscating point functions with multibit output.
In Annual International Conference on the Theory and
Applications of Cryptographic Techniques, pages 489–508. Springer, 2008.
DOI: 10.1007/9783540789673_28. 
[GK05]
S. Goldwasser and Y. T. Kalai.
On the impossibility of obfuscation with auxiliary input.
In 46th Annual IEEE Symposium on Foundations of Computer Science
(FOCS’05), pages 553–562. IEEE, 2005.
DOI: 10.1109/SFCS.2005.60. 
[GKW17]
R. Goyal, V. Koppula, and B. Waters.
Lockable obfuscation.
In 58th Annual IEEE Symposium on Foundations of Computer Science
(FOCS ’17), pages 612–621. IEEE, 2017.
DOI: 10.1109/FOCS.2017.62. 
[HRSV07]
S. Hohenberger, G. N. Rothblum, A. Shelat, and V. Vaikuntanathan.
Securely obfuscating reencryption.
In Theory of Cryptography Conference, pages 233–252. Springer,
2007.
DOI: 10.1007/s0014501090777. 
[Mah18]
U. Mahadev.
Classical homomorphic encryption for quantum circuits.
In M. Thorup, editor, 59th IEEE Annual Symposium on
Foundations of Computer Science, FOCS 2018, Paris, France, October 79,
2018, pages 332–338. IEEE Computer Society, 2018.
DOI: 10.1109/FOCS.2018.00039. 
[PRS17]
C. Peikert, O. Regev, and N. StephensDavidowitz.
Pseudorandomness of ringlwe for any ring and modulus.
In H. Hatami, P. McKenzie, and V. King, editors, Proceedings of
the 49th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2017,
Montreal, QC, Canada, June 1923, 2017, pages 461–473. ACM, 2017.
DOI: 10.1145/3055399.3055489. 
[Reg05]
O. Regev.
On lattices, learning with errors, random linear codes, and
cryptography.
In STOC, pages 84–93, 2005.
DOI: 10.1145/1060590.1060603. 
[Wee05]
H. Wee.
On obfuscating point functions.
In Proceedings of the thirtyseventh annual ACM symposium on
Theory of computing, pages 523–532, 2005.
DOI: 10.1145/1060590.1060669. 
[WZ17]
D. Wichs and G. Zirdelis.
Obfuscating computeandcompare programs under lwe.
In 2017 IEEE 58th Annual Symposium on Foundations of Computer
Science (FOCS), pages 600–611. IEEE, 2017.
DOI: 10.1109/focs.2017.61.
Appendix A Proof of Lemma 2.7
Proof.
Suppose the circuit contains measurement gates, and initializations of wires in the state. Define the inputrecovering circuit as:

Run on input , where is the unitary that coherently executes (as defined in the text above Lemma 2.7).

Copy the wires that are supposed to contain the output into a separate register using CNOTs.

Run to recover the original input, and discard any auxiliary wires.
To see that works as promised, let , , and be such that . If is small, the CNOT in Step 2 does not create a lot of entanglement, since the control wires are (close to) the computationalbasis state . The output is therefore (almost) perfectly copied out.
More formally, let denote the state after the application of , that is,
(27) 
where the are normalization factors, and are density matrices.
Note that if we trace out the auxiliary wires containing and , the remaining state is . By the assumption that for some string , it follows that
(28) 
For the remaining steps, we use the fact that no unitary can increase the trace distance between two quantum states.
Applying the CNOTs in Step 2 results in a state such that
(29) 
and therefore Finally, applying on both sides and discarding the auxiliary wires, we get ∎
Appendix B Auxiliary Lemma for Theorem 4.1
Lemma B.1.
Let for , and let . Let be defined by
(30) 
Then for every QPT , there exists a simulator such that for all of the form described above, and all input states :
(31) 
Proof.
Recall that since and are quantum algorithms, they access their oracles in superposition: that is, has access to the map defined by , and has access to the map defined by . The simulator runs on input , and simulates any oracle calls to (on inputs registers and output register ) using two oracle calls to . It only needs to prepare an auxiliary register in the state , and run the following circuit:
To see that this circuit exactly simulates a query to on , consider an arbitrary query state
(32) 
where is some purifying register. The state on (plus the two auxiliary registers containing and after the above circuit is executed, is equal to
(33)  
(34) 
which is exactly the state that would result from a direct query to . ∎