Log In Sign Up

Impossibility of Quantum Virtual Black-Box Obfuscation of Classical Circuits

Virtual black-box obfuscation is a strong cryptographic primitive: it encrypts a circuit while maintaining its full input/output functionality. A remarkable result by Barak et al. (Crypto 2001) shows that a general obfuscator that obfuscates classical circuits into classical circuits cannot exist. A promising direction that circumvents this impossibility result is to obfuscate classical circuits into quantum states, which would potentially be better capable of hiding information about the obfuscated circuit. We show that, under the assumption that learning-with-errors (LWE) is hard for quantum computers, this quantum variant of virtual black-box obfuscation of classical circuits is generally impossible. On the way, we show that under the presence of dependent classical auxiliary input, even the small class of classical point functions cannot be quantum virtual black-box obfuscated.


page 1

page 2

page 3

page 4


Quantum Cryptography in Algorithmica

We construct a classical oracle relative to which 𝖯 = 𝖭𝖯 yet single-copy...

A Scalable 5,6-Qubit Grover's Quantum Search Algorithm

Recent studies have been spurred on by the promise of advanced quantum c...

Approximating Unitary Preparations of Orthogonal Black Box States

In this paper, I take a step toward answering the following question: fo...

Fast Black-Box Quantum State Preparation

Quantum state preparation is an important ingredient for other higher-le...

Unitarization Through Approximate Basis

In this paper, we introduce the problem of unitarization. Unitarization ...

DNN-Opt: An RL Inspired Optimization for Analog Circuit Sizing using Deep Neural Networks

Analog circuit sizing takes a significant amount of manual effort in a t...

Fiat-Shamir for Proofs Lacks a Proof Even in the Presence of Shared Entanglement

We explore the cryptographic power of arbitrary shared physical resource...

1 Introduction

The obfuscation of a circuit is an object, generally another circuit, that allows a user to evaluate the functionality of the original circuit without learning any additional information about the structure of the circuit. Obfuscation is useful for publishing software without revealing the code, but it also has more fundamental applications in cryptography. For example, the strongest notion called virtual black-box obfuscation can transform any private-key encryption scheme into a public-key scheme. Unfortunately, this notion turns out to be impossible for general circuits [BGI01] – at least, if we require the obfuscation of a circuit to be a circuit itself.

The impossibility result from [BGI01] leaves open an intriguing possibility: what if the obfuscation of a (classical) circuit is allowed to be a quantum state? Could a quantum state contain all the information about a functionality, allowing a user to produce correct outputs, without revealing all that information? This possibility seems hopeful, due to the unrevealing nature of quantum states. However, in this work, we show that virtual-black-box obfuscating classical circuits into quantum states is not possible.

1.1 Related work

Barak et al. defined the notion of virtual black-box (vbb) obfuscation: any information that an adversary can learn about a circuit from its obfuscation can also be learned by a simulator that does not have access to the obfuscation, but only to an oracle for the circuit’s functionality [BGI01]. In this definition, the crucial difference between the adversary and the simulator is that the adversary has access to a short representation of the circuit (namely, the obfuscation), whereas the simulator only has access to an input/output interface that implements the functionality. Some circuit classes allow the adversary to exploit this difference by using the obfuscation as an input value to the circuit itself. Those circuit classes are unobfuscatable in the vbb sense, rendering vbb obfuscation impossible for the general class of circuits in  [BGI01].

In more detail, the impossibility proof in [BGI01] relies on point functions, which output zero everywhere except at a single input value , where they output a string . The circuits in the unobfuscatable class can, depending on the input, do all of the following: (1) apply that point function, (2) return an encryption of , (3) homomorphically evaluate a gate, or (4) check whether a ciphertext decrypts to . An adversary holding the obfuscation is able to divide it into single gates, and can use those to homomorphically evaluate option (1), thereby converting a ciphertext for into a ciphertext for . That way, the adversary can tell whether he is holding an obfuscation with a point function from to , or one with the all-zero function. (In the second case, the homomorphic evaluation would yield a ciphertext for zero, rather than one for .) A simulator, only having access to the input/output behavior, cannot perform the homomorphic evaluation, because it cannot divide the functionality into single gates.

The above construction rules out the existence of an obfuscator that maps classical circuits to classical circuits. It leaves open the possibility an obfuscator that maps classical circuits to quantum states: such a quantum state, together with a fixed public ‘interpreter map’, could be used to evaluate the obfuscated circuit. The possibility of quantum obfuscation was the object of study for Alagic and Fefferman [AF16], who attempted to port the impossibility proof from [BGI01] to the quantum setting. In doing so, they encountered two issues:


Homomorphic evaluation.

The interpreter map, that runs the obfuscation state on a chosen input, is a quantum map. It will likely have quantum states as intermediate states of the computation, so in order to homomorphically run the point function, one needs the ability to evaluate quantum gates on quantum ciphertexts. The unobfuscatable circuit class will thus need to contain quantum circuits to perform homomorphic evaluation steps.


In the construction from [BGI01], the obfuscated circuit needs to be used multiple times: for example, each homomorphic gate evaluation requires a separate call to the obfuscated circuit. If the obfuscation is a (classical or quantum) circuit, this poses no problem, but if it is a quantum state, multiple uses are not guaranteed.

These two issues limit the extent of the impossibility results in [AF16]: they show that it is impossible to vbb obfuscate quantum circuits into reusable obfuscated states (e.g., quantum circuits).

After it became clear [BGI01] that obfuscating all classical circuits is impossible, efforts were made to construct obfuscators for smaller, but still nontrivial, classes of circuits. Successful constructions have been found for several classes of evasive functions, such as point functions [Wee05, CD08] and compute-and-compare functions [WZ17, GKW17]. Currently, no quantum obfuscators are known for circuit classes that cannot be classically obfuscated.

1.2 Our contributions

We strengthen the impossibility of virtual-black-box obfuscation of classical circuits by showing that classical circuits cannot be obfuscated into quantum states. We assume the existence of classical-client quantum fully homomorphic encryption and classical obfuscation of compute-and-compare functions. Both of these can be constructed from the learning-with-errors (LWE) assumption [Mah18, Bra18, WZ17]. The compute-and-compare construction requires the strongest assumption in terms of the LWE parameters.

Theorem (informal).

If LWE is hard for quantum algorithms, then it is impossible to quantum vbb obfuscate the class of polynomial-size classical circuits (even with non-negligible correctness and security error).

Our result uses the same proof strategy as in [BGI01] and [AF16], overcoming the two main issues described above as follows:


Homomorphic evaluation.

The constructions in [BGI01] and  [AF16] rely on the obfuscator to implement the homomorphic evaluations, by obfuscating the functionality “decrypt, then apply a gate, then re-encrypt”. However, by now, we know how to build quantum homomorphic encryption schemes directly [Mah18, Bra18], based on the learning-with-errors (LWE) assumption. Thus, in our construction, we can remove the homomorphic gate evaluation from the obfuscated circuits: the adversary can do the homomorphic evaluation of the point function herself, using a quantum homomorphic encryption scheme. With the homomorphic evaluation removed from it, the class of circuits that we prove impossible to obfuscate can remain classical.


The circuits that we consider are classical and deterministic. Therefore, if the interpreter map is run on an obfuscation state for a circuit , plus a classical input , then by correctness, the result is (close to) a computational-basis state . This output can be copied out to a separate wire without disturbing the state, and the interpreter map can be reversed, recovering the obfuscation to be used again. If the interpreter map is not unitary, then it can be run coherently (i.e., keeping purification registers around instead of measuring wires), and this coherent version can be reversed as long as the purification registers are not measured.

At one point in our proof, we will need to run the interpreter map homomorphically on (an encryption of) and . This may result in a superposition of different ciphertexts for , which cannot cleanly be copied out to a separate wire without entangling that wire with the output. Thus, recovering is not necessarily possible after the homomorphic-evaluation step.

We circumvent this problem by making sure that the homomorphic evaluation occurs last, so that is not needed anymore afterwards. This reordering is achieved by classically obfuscating the part of the circuit that checks whether a ciphertext decrypts to the value . That way, this functionality becomes a constant output value that a user can request and store before performing the homomorphic evaluation, and use afterwards. To obfuscate the decryption check, we use a classical vbb obfsucator for compute-and-compare functions, which relies on a variant of the LWE assumption [WZ17].

Our impossibility result compares to the classical impossibility result from [BGI01] as follows. First, as mentioned, we extend the realm of impossible obfuscators to include obfuscators that produce a quantum state, rather than a classical circuit. Second, the impossibility result from [BGI01] holds under the assumption that one-way functions exist, whereas we require the stronger (but still standard) assumption that learning-with-errors is hard for quantum adversaries. It may be possible to relax this assumption if can be recovered after the homomorphic evaluation. Third, the class of classical circuits that cannot be obfuscated is slightly different: in our work, it does not have the homomorphic-evaluation functionality built into it, and is therefore arguably simpler, strengthening the impossibility result. However, we stress that in both works, the unobfuscatable circuit class itself is somewhat contrived: the main implication is that its superclass is unobfuscatable.

As an intermediate result, we show that it is impossible to vbb obfuscate the more natural class of classical multi-bit-output point functions into a quantum state, if the adversary and simulator have access to auxiliary classical information that contains an encryption of the non-zero input value and an obfuscation of a function depending on the secret key for that encryption.

Theorem (informal).

If LWE is hard for quantum algorithms, then it is impossible to quantum vbb obfuscate multi-bit-output point functions and the all-zero function under the presence of classical dependent auxiliary information (even with non-negligible soundness and security error).

At first glance, that may seem to contradict the construction in [WZ17], where vbb obfuscation for point functions is constructed, even in the presence of dependent auxiliary information. The crucial difference is that the [WZ17] construction only allows a limited dependency of the auxiliary information, whereas in our impossibility proof, the dependence is slightly stronger. This subtle difference seems to indicate that the gap between possibility and impossibility of vbb obfuscation is closing.

1.3 Open questions

The strongest assumption in our work is the existence of the classical vbb obfuscator for compute-and-compare functions, which relies on a variant of LWE. It is necessary because the QFHE evaluation may destroy the obfuscation state when the superposition of output ciphertexts is measured. However, it is not clear if this measurement actually destroys any information on the plaintext level, since the plaintext value is deterministic. Thus, it may be possible to recover the (plaintext) obfuscation state after the QFHE evaluation. In that case, it is not necessary to classically obfuscate the compute-and-compare function: it can simply be part of the quantum-obfuscated functionality.

Other open questions are about possibilities rather than impossibilities. What circuit classes can be vbb obfuscated into quantum states? Is quantum vbb obfuscation stronger than classical vbb obfuscation, in the sense that it can obfuscate circuit classes that classical vbb cannot? Also, the weaker notion of indistinguishability obfuscation (iO) (also introduced in [BGI01]) is not affected by our impossibility result: it may still be possible to classically or quantumly iO obfuscate classical functionalities. Could such a construction be lifted into the quantum realm, so that we can (quantum) iO obfuscate quantum functionalities?

1.4 Structure of this work

In Section 2, we give preliminary definitions of the relevant concepts for this work: (classical and quantum) obfuscation, quantum fully homomorphic encryption, and compute-and-compare functions. We also describe how the input of an (almost) deterministic quantum circuit can be recovered. In Section 3, we prove impossibility of quantum obfuscation of point functions under dependent auxiliary input. Building on the concepts in that section, Section 4 proves our main result, impossibility of quantum obfuscation of classical circuits without any auxiliary input.

2 Preliminaries

2.1 Notation

PPT stands for a probabilistic polynomial-time algorithm, and QPT stands for a quantum polynomial-time algorithm. If a classical or quantum algorithm has oracle access to a classical function , we write . If has access to multiple oracles with separate input/output interfaces, we write, e.g., . A quantum algorithm always has superposition access to its oracle(s).

Let denote an unspecified polynomial . Similarly, let denote an unspecified negligible function , i.e., for all constants there exists an such that for all , . Let denote the all-zero function on input bits: for all .

If is a distribution, we write to signify that is sampled according to . For a finite set , we write to signify that is sampled uniformly at random from the set . Two distribution ensembles and are computationally indistinguishable, written , if no poly-time algorithm can distinguish between a sample from one distribution or the other, i.e., for all PPT ,

We sometimes write if it is clear from which distributions and are sampled. If not even a QPT algorithm can distinguish, the distributions are quantum computationally indistinguishable.

A pure quantum state is written or , and a mixed quantum state is usually denoted by or . As a special case, a computational-basis state is written for some classical string . We sometimes abuse notation and give a classical input to a quantum algorithm , writing : in that case, the algorithm is actually given as input.

and denote the bit-flip gate and phase-flip gate, respectively. If we write for some , we mean that the gate is applied if ; otherwise, identity is applied.

Finally, for a mixed state , let denote the trace norm. The trace distance is a measure for how different to mixed states and are.

2.2 Classical and Quantum Virtual-Black-Box Obfuscation

In this work we consider so-called circuit obfuscators: the functionalities to be hidden are represented by circuits. A virtual-black-box circuit obfuscator hides the functionality in such a way that the obfuscation looks like a “black box”: the only way to get information about its functionality is to evaluate it on an input and observe the output.

Definition 2.1 ([Bgi01, Definition 2.2]).

A classical virtual black-box obfuscator for the circuit class is a probabilistic algorithm such that

  1. (polynomial slowdown) For every circuit , ;

  2. (functional equivalence) For every circuit , the string describes a circuit that computes the same function as ;

  3. (virtual black-box) For any PPT adversary , there exists a PPT simulator such that for all circuits ,

As a variation on the third requirement, one may assume that some auxiliary information (which may depend on the circuit ) is present alongside the obfuscation . In that case, a simulator with access to that auxiliary information should still be able to simulate the adversary’s output distribution:

Definition 2.2 ([Gk05, Definition 3]).

A classical virtual black-box obfuscator w.r.t. dependent auxiliary input for a circuit class is a probabilistic algorithm that satisfies Definition 2.1, with the “virtual black-box” property redefined as follows:

  1. (virtual black-box) For any PPT adversary , there exists a PPT simulator such that for all circuits and all strings (which may depend on ),

In the quantum setting, we consider quantum obfuscators for classical circuit classes: that is, the obfuscation may be a quantum state. We adapt Definition 5 from [AF16], which defines quantum obfuscators for quantum circuits.

Definition 2.3.

A quantum virtual black-box obfuscator for the classical circuit class is a quantum algorithm and a QPT such that

  1. (polynomial expansion) For every circuit , is an

    -qubit quantum state with


  2. (functional equivalence) For every circuit and every input ,

  3. (virtual black-box) For every QPT adversary , there exists a QPT simulator (with superposition access to its oracle) such that for all circuits ,

There are a few differences with the classical definition. First, the obfuscation is a quantum state, and not a (classical or quantum) circuit. Second, due to the probabilistic nature of quantum computation, we allow a negligible error in the functional equivalence. Third, the simulator is slightly more powerful because of its superposition access to the functionality of : a query performs the unitary operation specified by , where is the bit-wise XOR operation. Note that a quantum adversary can always use a (classical or quantum) obfuscation to compute the obfuscated functionality on a superposition of inputs, obtaining a superposition of outputs. For this reason, the simulator gets superposition access to its oracle in the quantum setting. Throughout this work, all oracles supplied to quantum algorithms allow for superposition access.

We can again strengthen the virtual black-box property to include (classical or quantum) dependent auxiliary information: this auxiliary string or state would be provided to both the adversary and the simulator, in the same way as in Definition 2.2.

2.3 Quantum Fully Homomorphic Encryption

A fully homomorphic encryption (FHE) of a message provides privacy by hiding the message, but allows ciphertexts to be transformed in a meaningful way. Given a ciphertext for , some party that only knows the public key can produce a ciphertext for for any efficiently computable function . Any information that is necessary for this transformation is contained in the public key (in particular, we do not make a distinction between the public key and evaluation key).

A quantum fully homomorphic encryption (QFHE) scheme allows quantum computations on encrypted quantum data. From the learning-with-errors assumption, it is possible to construct secure QFHE schemes where all client-side operations (key generation, encryption, and decryption) are classical [Mah18, Bra18].

Definition 2.4.

A quantum fully homomorphic encryption scheme consists of four QPT algorithms

  • Key Generation: produces a public key and a secret key , given a security parameter .

  • Encryption: encrypts a single-bit message . For multi-bit messages , we write to denote the bit-by-bit encryption .

  • Decryption: decrypts a ciphertext into a single-bit message , using the secret key . If is a ciphertext for a multi-bit message, we write for the bit-by-bit decryption.

  • Homomorphic evaluation: takes as input the public key, a classical description of a BQP circuit with input wires and output wires, and a bit-by-bit encrypted ciphertext encrypting bits. It produces a , a sequence of output ciphertexts.

The QFHE schemes from [Mah18, Bra18] encrypt a message

using a quantum one-time-pad with random keys

, attaching classical FHE ciphertexts of the one-time pad keys:

Note that this ciphertext can be classically represented as the tuple , so that encryption may be seen as a classical procedure. Conversely, a classical homomorphic encryption can easily be turned into a valid quantum homomorphic encryption by preparing the state which decrypts to . Thus, it is possible to freely switch back and forth between quantum ciphertexts and classical ciphertexts, as long as the message is known to be classical.

The quantum one-time pad encryption also straightforwardly extends to encrypting general quantum states , rather than only computational-basis states : the quantum one-time pad is simply applied to the state , and the one-time-pad keys encrypted into a computational-basis state as above. Of course, encryption becomes a quantum procedure in this setting. We will use encryption of quantum states in our work, where we supply the encryption of a quantum-state obfuscation as the input to a homomorphic evaluation.

2.4 Point Functions and Compute-and-Compare Functions

The class of compute-and-compare functions, as well as its subclass of point functions, plays an important role in this work. In this section we define these function classes.

Definition 2.5 (Point function).

Let . The point function is defined by


The value is called the target value. Point functions are a special type of compute-and-compare functions, where the function is the identity:

Definition 2.6 (Compute-and-compare function).

Let and . The compute-and-compare function is defined by


One can also consider point functions or compute-and-compare functions with multi-bit output: in that case, the function outputs either some string (instead of 1), or the all-zero string (instead of 0). We denote such functions with and .

2.5 Recovering the Input of a Quantum Circuit

We will consider (efficient) quantum operations as (polynomial-size) circuits, consisting of the following set of basic operations: unitary gates from some fixed constant-size gate set, measurements in the computational basis, and initialization of auxiliary wires in the state.

While unitary gates are always reversible by applying their transpose ( for any unitary ), measurement gates may not be, as they can possibly collapse a state. However, we can effectively delay all measurements in a circuit until the very end, as follows. Define as the unitary that computes coherently: that is, for every computational-basis measurement in on some wire , performs a CNOT operation from onto a fresh auxiliary target wire initialized in the state . The circuit is now equivalent to the following operation: initialize all auxiliary target wires in the state555If, apart from the CNOT targets, the circuit contains any other wires that are initialized in the state inside the circuit, those wires are also considered part of the input of the unitary . They should be initialized to here as well., apply the unitary , and measure all auxiliary target wires in the computational basis.

In this work, we will encounter circuits

which, for specific inputs, yield a specific state in the computational basis with very high probability. In the proof of the following lemma, we specify how to use coherent computation in order to learn the output value while preserving the input quantum state.

Lemma 2.7.

Let be a quantum circuit. There exists an input-recovering circuit such that for all inputs , the following holds: if for some classical string and some , then

The specification of is independent of the specific input state . However, cannot necessarily recover all possible inputs , only those that lead to an almost-classical output.

The input-recovering circuit consists of running coherently, copying out the output register, and reverting the coherent computation of . We formally prove Lemma 2.7 in Appendix A.

3 Impossibility with respect to Dependent Auxiliary Information

In this section, we show impossibility of virtual-black-box quantum obfuscation of classical point functions under dependent auxiliary information. It sets the stage for our main result, Theorem 4.1: there, we get rid of the auxiliary information, but the unobfuscatable function class becomes less natural. Although the result in the current section is perhaps less surprising, the proof contains the most important technical details of our work.

The impossibility result requires two cryptographic primitives, both of which can be built from the the hardness of LWE [Mah18, WZ17, GKW17]: (1) quantum fully homomorphic encryption with classical client-side operations (see Section 2.3), and (2) classical vbb obfuscation of compute-and-compare functions. Our result therefore holds under the assumption that LWE is hard: the least favorable parameters are required for the obfuscation of compute-and-compare functionalities, and are discussed in Section 3.1.

In Section 3.1, we describe the classical obfuscator for compute-and-compare functions that we use. We will apply the construction from [WZ17, GKW17] to a specific class of compute-and-compare functions with a specific type of auxiliary information. In Section 3.2, we use this specific application to define a class of circuits and auxiliary-information strings that is unobfuscatable in the quantum vbb sense. The impossibility proof follows in Section 3.3.

3.1 Classical obfuscation of compute-and-compare functions

The works of [WZ17, GKW17] showed that under the assumption that LWE (with polynomial dimension and exponential modulus in the security parameter ) is hard, it is possible to classically obfuscate compute-and-compare functions [WZ17, GKW17]. We will write “LWE*” to denote their specific variant of the LWE assumption. We note that LWE is known to be at least as hard at worst-case lattice problems [Reg05, PRS17]

. In particular the aforementioned parameter regime translates to the worst-case hardness of the Gap Shortest Vector Problem (GapSVP) with with sub-exponential approximation factor (in the dimension of the lattice). There is currently no known super-polynomial quantum speedup for GapSVP, and the best known quantum (and classical) algorithms require sub-exponential running time.

These works achieve so-called distributional virtual-black-box obfuscation of functions , assuming that the target value has sufficient pseudo-entropy given a description of the function . The obfuscation is even secure in the presence of (dependent) auxiliary information, as long as the pseudo-entropy of the target value remains high, even conditioned on this auxiliary information.

In our construction, we provide a classically-obfuscated compute-and-compare function as auxiliary information to a quantum obfuscation. We will require that the target value of the compute-and-compare function is sufficiently random, even given the rest of the auxiliary information (including the quantum obfuscation).

More specifically, for any IND-secure public-key encryption scheme and fixed bit string , define a distribution ensemble that samples

where is a compute-and-compare function as in Definition 2.6. For each and , the target value is chosen independently from all other information: its pseudo-entropy is , even conditioned on and . Therefore, there exists an obfuscation procedure for this class of compute-and-compare programs that has distributional indistinguishability in the following sense:

Lemma 3.1 (Application of [Wz17, Theorem 5.2]).

Under the LWE* assumption, there exists a classical obfuscation procedure and a (non-uniform) simulator such that for all ,


where as defined above, and is some information that is independent of and (e.g., it may contain the size of the circuit and/or ).

We note that the proof in [WZ17, GKW17] showed a classical reduction from the hardness of distinguishing the aforementioned distributions to the hardness of solving LWE. We note that proofs by (either Karp or Turing) classical polynomial-time reduction from to implies that any solver for can be translated into a solver for with comparable complexity, in particular if the solver for runs in quantum polynomial time then so will the resulting solver for .

As a consequence of Lemma 3.1, we show that it is hard to guess the value of , given only a ciphertext for , and an obfuscation of the compute-and-compare function. Intuitively, since the information is completely independent of the target value , the obfuscation effectively hides the secret key that would be necessary to learn .

Lemma 3.2.

Under the LWE* assumption, there exists a negligible function such that for any QPT algorithm and any ,


Here, the probability is over , , and the execution of .


The result follows almost directly from Lemma 3.1, except that we want to bound the probability that outputs the multi-bit string , whereas Lemma 3.1 only deals with algorithms with a single-bit output.

To bridge the gap, define an algorithm that runs on its input, and compares the output of to : if they are equal, outputs 1; otherwise, it outputs 0.

For any fixed value of , we have


The approximation (*) follows from Lemma 3.1, and holds up to a difference of .

To complete the proof, note that depends neither on nor on . Thus, randomizing over again, and invoking privacy of the encryption, we get


We have thus established that, even in the presence of an obfuscated compute-and-compare function that depends on the secret key, encryptions remain secure. For this security to hold, it is important that the target value is sufficiently independent of the plaintext .

3.2 An unobfuscatable circuit class

In this subsection, we define the class of circuits and auxiliary-information strings that we will prove unobfuscatable. Like in [BGI01], we will exploit the idea that access to an object (circuit or quantum state) that allows the evaluation of a function is more powerful than mere black-box access to the functionality: in particular, it allows us to evaluate the function homomorphically. For this argument to work, it is important that the function is not easily learnable through black-box access. We will use point functions, as in [BGI01]: with black-box access only, it is hard to tell the difference between a point function and the all-zero function , that accepts inputs of length , and always returns .

Consider the class of circuits plus auxiliary information, where


The class contains all -bit point functions, together with an encryption of the point input , and a function that checks whether a ciphertext decrypts to the target value . contains the all-zero function (which is itself a point function), but still with auxiliary information for the possible values of and .

Suppose that some quantum obfuscation exists. We define a QPT algorithm , which expects an obfuscation (or ), together with the classical auxiliary information . On general inputs and of this form, let do as follows:

  1. Run to homomorphically evaluate the interpreter algorithm . If , , and , then this step results in an encryption of with high probability. If , , and , then it results in an encryption of . Note that we use classical and quantum ciphertexts for the QFHE scheme interchangeably here: see Section 2.3 for a justification.

  2. Run on the output of the previous step. If , this will indicate whether the previous step resulted in a ciphertext for or not.

The above algorithm will almost certainly output 1 when given an element from , because of the functional equivalence of the two obfuscations and the correctness of the homomorphic evaluation. Similarly, when given an element from , it will almost certainly output 0. Formally, for all ,


The vastly different output distribution of when given an obfuscation of a point function versus the zero function are due the fact that has an actual representation, , of the function to feed into the interpreter . In the proof in the next subsection, we will see that a simulator, with only black-box access to these functionality, will not be able to make that distinction.

3.3 Impossibility proof

We are now ready to state and prove the impossibility theorem for quantum obfuscation of classical circuits with dependent auxiliary input. We reiterate that the two assumptions (quantum FHE and compute-and-compare obfuscation) can be realized under the LWE* assumption.

Theorem 3.3 (Impossibility of quantum obfuscation w.r.t. auxiliary input).

Suppose that a classical-client quantum fully homomorphic encryption scheme exists that satisfies Definition 2.4, and a classical obfuscation procedure for compute-and-compare functionalities exists that satisfies Lemma 3.1. Then any quantum obfuscator for the class satisfying conditions 1 (polynomial expansion) and 2 (functional equivalence) from Definition 2.3 cannot be virtual black-box under the presence of classical dependent auxiliary input, i.e., cannot satisfy condition 3 from Definition 2.3 where both and get access to a classical string (which may depend on ).

It may seem that the class , consisting of point functions, is classically obfuscatable using from [WZ17, GKW17]. That obfuscation is secure if (wich is the target value if we view as the multi-bit output compute-and-compare function ) is unpredictable given the auxiliary information . On the surface, that seems to be the case: only an encryption of is available in the auxiliary information. However, the secret key is present as part of the compute-and-compare function . That function is obfuscated, but the obfuscation is not secure in the presence of (an obfuscation of) . Thus, the obfuscation result from [WZ17, GKW17] almost applies to the class , but not quite. Hence we are able to prove impossibility of obfuscating it, which we do below.


The proof structure is similar to [BGI01], and is by contradiction: assume that a quantum obfuscation for the class does exist that satisfies all three conditions. We will show that the output distribution of the algorithm defined in Section 3.2 is approximately the same for every element of the class, contradicting Equations 12 and 11.

By the assumption of the existence of a secure quantum obfuscation , there exists a simulator such that


Here, the probability is taken over and . Note that does not depend on , , , or .

In the remainder of this proof we show that for any (independent of , , , ),


from which it can be concluded that


Since Equations 12 and 11 imply that this difference must be at least , Equation 16 yields a contradiction.

To show that Equation (15) holds, i.e., to bound the difference in output probabilities of when given an oracle for versus an oracle for , we employ the one-way to hiding theorem as it is stated in [AHU19, Theorem 3]. It says that there exists a QPT algorithm such that


where is the query depth of . However, by Lemma 3.2, the probability that outputs when given the auxiliary information is negligible in . Granting access to the zero-oracle and the additional input does not increase this probability, since the value of can already be deduced from .

We can thus conclude that the difference in Equation (17) is negligible, and Equation (15) holds, as desired. ∎

We end this section with a few remarks: we describe some variants and generalizations of Theorem 3.3 which almost immediately follow from the presented proof.


The proof for Theorem 3.3 also works if we replace with , the quantum obfuscation we get from the assumption. This adaptation renders a quantum obfuscator for point functions impossible with respect to dependent auxiliary quantum input: a slightly weaker statement, but it does not require the existence of a classical obfuscator for compute-and-compare programs. In particular, the required LWE parameters are better, because we only need the assumption of quantum fully homomorphic encryption.


Even a quantum obfuscator for with non-negligible errors in the functional equivalence and/or the virtual-black-box property would lead to a contradiction in the proof of Theorem 3.3. Concretely, let denote the error for functional equivalence, and denote the error for security in the virtual-black-box sense (they are both in Definition 2.3). The impossibility proof works for any values of such that . So in particular, even a quantum obfuscator with small constant (instead of negligible) errors in both conditions cannot exist.


The bounds in Equations 14 and 13 are necessary to arrive at a contradiction, and we get them by assuming the virtual-black-box property. However, the virtual-black-box property is stronger in the sense that it requires the difference between adversary and simulator to be negligible for any circuit in the class (i.e., in the worst case), whereas Equations 14 and 13 only require the difference to be small on average over the choice for and the auxiliary information. Hence, the notion of obfuscation that we prove impossible is closer to the (weaker) “distributional” virtual black-box [HRSV07], yielding a slightly stronger impossibility result. The same remark applies to the results obtained in [BGI01].

4 Impossibility without Auxiliary Information

In this section, we will show that quantum virtual-black-box obfuscation of classical circuits is impossible even when no auxiliary information is present. We will rely heavily on the class constructed in Section 3, essentially showing how the auxiliary information can be absorbed into the obfuscated circuit. As a result, the unobfuscatable circuit class itself becomes less natural. However, the circuits in the class are still classical polynomial-size circuits. Thus, our theorem implies impossibility of quantum vbb obfuscation of the class of all efficient classical circuits.

The circuit class we consider in this section consists of circuits of the following form:




The input bit is a choice bit: if it is set to 1, the function or is evaluated on the actual input , whereas if it is set to 0, the auxiliary information is retrieved. We can then define the circuit class , where


Note that in all circuits in this class, the auxiliary information is fixed. Hence, when an encryption of is requested by setting , the circuit always returns the same ciphertext (rather than a fresh encryption of every time).

Similarly to the setting with auxiliary input, there exists a QPT algorithm that has extremely different output distributions when given a circuit from versus a circuit from . On an input state , we define as follows:

  1. Run , where is the input-recovering version of the interpreter circuit (see Lemma 2.7). If is an obfuscation of a circuit in , this will result in a state (negligibly close to) . Measure to obtain and interpret it as , i.e., interpret as the public key, as a ciphertext for , and as an obfuscation of a compute-and-compare function.

  2. Run . Similarly to Section 3.2, this will result in a ciphertext for (if was an obfuscation of a circuit in ) or a ciphertext for (if was an obfuscation of a circuit in ).

  3. Run on the output of the previous step. If , this will indicate whether the previous step resulted in a ciphertext for or not.

We are now ready to state our main theorem.

Theorem 4.1 (Impossibility of quantum obfuscation).

Suppose that a classical-client quantum fully homomorphic encryption scheme exists that satisfies Definition 2.4, and a classical obfuscation procedure for compute-and-compare functionalities exists that satisfies Lemma 3.1. Then any quantum obfuscator for the class satisfying conditions 1 (polynomial expansion) and 2 (functional equivalence) from Definition 2.3 cannot be virtual black-box, i.e., satisfy condition 3 from Definition 2.3.

Corollary 4.2.

If the LWE* assumption holds, the class of classical polynomial-size circuits cannot be quantum virtual-black-box obfuscated in the sense of Definition 2.3.

Proof of Theorem 4.1.

We again prove the statement by contradiction, assuming that there does exist an obfuscator that securely obfuscates . By this assumption, there must exist a simulator such that


The output distribution of can be exactly simulated by another simulator, , that has access only to an oracle for or , and gets the auxiliary information as input. can simply run , simulating each oracle query using its own oracle or input, or a combination thereof. We formally show the existence of such an in Lemma B.1.

We can thus conclude that


However, by Equation (15) in the proof of Theorem 3.3, the output distribution of can only differ negligibly between the two different oracles. Thus, we have


This contradicts our observation that on input , will almost always output 1, whereas on input , it will almost always output 0. ∎


We thank Andrea Coladangelo, Urmila Mahadev and Alexander Poremba for useful discussions. CS is supported by a NWO VIDI grant (Project No. 639.022.519). GA acknowledges support from the NSF under grant CCF-1763736, from the U.S. Army Research Office under Grant Number W911NF-20-1-0015, and from the U.S. Department of Energy under Award Number DE-SC0020312. ZB is supported by the Binational Science Foundation (Grant No. 2016726), and by the European Union Horizon 2020 Research and Innovation Program via ERC Project REACT (Grant 756482) and via Project PROMETHEUS (Grant 780701). Part of this work was done while the authors were attending The Quantum Wave in Computing

at the Simons Institute for the Theory of Computing.


  • [AF16] G. Alagic and B. Fefferman. On quantum obfuscation. 2016.
    arXiv: 1602.01771.
  • [AHU19] A. Ambainis, M. Hamburg, and D. Unruh. Quantum security proofs using semi-classical oracles. In Annual International Cryptology Conference, pages 269–295. Springer, 2019.
    DOI: 10.1007/978-3-030-26951-7_10.
  • [BGI01] B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan, and K. Yang. On the (im) possibility of obfuscating programs. In Annual International Cryptology Conference, pages 1–18. Springer, 2001.
    DOI: 10.1007/3-540-44647-8_1.
  • [Bra18] Z. Brakerski. Quantum FHE (almost) as secure as classical. In H. Shacham and A. Boldyreva, editors, Advances in Cryptology - CRYPTO 2018 - 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2018, Proceedings, Part III, volume 10993 of Lecture Notes in Computer Science, pages 67–95. Springer, 2018.
    DOI: 10.1007/978-3-319-96878-0_3.
  • [CD08] R. Canetti and R. R. Dakdouk. Obfuscating point functions with multibit output. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 489–508. Springer, 2008.
    DOI: 10.1007/978-3-540-78967-3_28.
  • [GK05] S. Goldwasser and Y. T. Kalai. On the impossibility of obfuscation with auxiliary input. In 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS’05), pages 553–562. IEEE, 2005.
    DOI: 10.1109/SFCS.2005.60.
  • [GKW17] R. Goyal, V. Koppula, and B. Waters. Lockable obfuscation. In 58th Annual IEEE Symposium on Foundations of Computer Science (FOCS ’17), pages 612–621. IEEE, 2017.
    DOI: 10.1109/FOCS.2017.62.
  • [HRSV07] S. Hohenberger, G. N. Rothblum, A. Shelat, and V. Vaikuntanathan. Securely obfuscating re-encryption. In Theory of Cryptography Conference, pages 233–252. Springer, 2007.
    DOI: 10.1007/s00145-010-9077-7.
  • [Mah18] U. Mahadev. Classical homomorphic encryption for quantum circuits. In M. Thorup, editor, 59th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2018, Paris, France, October 7-9, 2018, pages 332–338. IEEE Computer Society, 2018.
    DOI: 10.1109/FOCS.2018.00039.
  • [PRS17] C. Peikert, O. Regev, and N. Stephens-Davidowitz. Pseudorandomness of ring-lwe for any ring and modulus. In H. Hatami, P. McKenzie, and V. King, editors, Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2017, Montreal, QC, Canada, June 19-23, 2017, pages 461–473. ACM, 2017.
    DOI: 10.1145/3055399.3055489.
  • [Reg05] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. In STOC, pages 84–93, 2005.
    DOI: 10.1145/1060590.1060603.
  • [Wee05] H. Wee. On obfuscating point functions. In Proceedings of the thirty-seventh annual ACM symposium on Theory of computing, pages 523–532, 2005.
    DOI: 10.1145/1060590.1060669.
  • [WZ17] D. Wichs and G. Zirdelis. Obfuscating compute-and-compare programs under lwe. In 2017 IEEE 58th Annual Symposium on Foundations of Computer Science (FOCS), pages 600–611. IEEE, 2017.
    DOI: 10.1109/focs.2017.61.

Appendix A Proof of Lemma 2.7


Suppose the circuit contains measurement gates, and initializations of wires in the state. Define the input-recovering circuit as:

  1. Run on input , where is the unitary that coherently executes (as defined in the text above Lemma 2.7).

  2. Copy the wires that are supposed to contain the output into a separate register using CNOTs.

  3. Run to recover the original input, and discard any auxiliary wires.

To see that works as promised, let , , and be such that . If is small, the CNOT in Step 2 does not create a lot of entanglement, since the control wires are (close to) the computational-basis state . The output is therefore (almost) perfectly copied out.

More formally, let denote the state after the application of , that is,


where the are normalization factors, and are density matrices.

Note that if we trace out the auxiliary wires containing and , the remaining state is . By the assumption that for some string , it follows that


For the remaining steps, we use the fact that no unitary can increase the trace distance between two quantum states.

Applying the CNOTs in Step 2 results in a state such that


and therefore Finally, applying on both sides and discarding the auxiliary wires, we get

Appendix B Auxiliary Lemma for Theorem 4.1

Lemma B.1.

Let for , and let . Let be defined by


Then for every QPT , there exists a simulator such that for all of the form described above, and all input states :


Recall that since and are quantum algorithms, they access their oracles in superposition: that is, has access to the map defined by , and has access to the map defined by . The simulator runs on input , and simulates any oracle calls to (on inputs registers and output register ) using two oracle calls to . It only needs to prepare an auxiliary register in the state , and run the following circuit:

To see that this circuit exactly simulates a query to on , consider an arbitrary query state


where is some purifying register. The state on (plus the two auxiliary registers containing and after the above circuit is executed, is equal to


which is exactly the state that would result from a direct query to . ∎